Changeset 74760 in vbox for trunk/src/VBox/Runtime/common/crypto

Timestamp:

Oct 11, 2018 11:25:24 AM (6 years ago)

Author:

vboxsync

Message:

IPRT/ldr/asn1/pkcs7: Ironed out issues in decoding indefinite ASN.1 length records and successfully verified the first Mach-O signature. bugref:9232

Location:

trunk/src/VBox/Runtime/common/crypto

Files:

• pkcs7-asn1-decoder.cpp (modified) (1 diff)
• pkcs7-verify.cpp (modified) (7 diffs)

trunk/src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp

@@ -144 +144 @@
                 }
                 if (RT_SUCCESS(rc))
-                    rc = RTAsn1CursorCheckEnd(&ContentCursor);
+                    rc = RTAsn1CursorCheckOctStrEnd(&ContentCursor, &pThis->Content);
                 if (RT_SUCCESS(rc))
                     return VINF_SUCCESS;

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

@@ -52 +52 @@
 static int rtCrPkcs7VerifySignedDataUsingOpenSsl(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
                                                  RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
-                                                 void const *pvContent, uint32_t cbContent, PRTERRINFO pErrInfo)
+                                                 void const *pvContent, size_t cbContent, PRTERRINFO pErrInfo)
 {
     RT_NOREF_PV(fFlags);
 
     /*
-     * Verify using OpenSSL.
+     * Verify using OpenSSL.          ERR_PUT_error
      */
     int rcOssl;
     unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
+    uint32_t             cbRawContent = RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)
+                                      + (pContentInfo->SeqCore.Asn1Core.fFlags & RTASN1CORE_F_INDEFINITE_LENGTH ? 2 : 0);
     PKCS7 *pOsslPkcs7 = NULL;
-    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)) == pOsslPkcs7)
+    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent) != NULL)
     {
         STACK_OF(X509) *pAddCerts = NULL;
@@ -78 +80 @@
                 if (pCerts->papItems[i]->enmChoice == RTCRPKCS7CERTCHOICE_X509)
                     rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert);
-
 
             X509_STORE *pTrustedCerts = NULL;
@@ -87 +88 @@
                 rtCrOpenSslInit();
 
-                BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, cbContent);
+                BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, (int)cbContent);
                 if (pBioContent)
                 {
@@ -115 +116 @@
     }
     else
+    {
         rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_D2I_FAILED, "d2i_PKCS7 failed");
+        if (pErrInfo)
+            ERR_print_errors_cb(rtCrOpenSslErrInfoCallback, pErrInfo);
+    }
 
     return rcOssl;
@@ -575 +580 @@
 
 
-RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
-                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
-                                      PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
-                                      PRTERRINFO pErrInfo)
-{
-    /*
-     * Check the input.
+/**
+ * Worker.
+ */
+static int rtCrPkcs7VerifySignedDataEx(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                       RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                       PCRTTIMESPEC pValidationTime,
+                                       PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                       void const *pvContent, size_t cbContent, PRTERRINFO pErrInfo)
+{
+    /*
+     * Check and adjust the input.
      */
     if (pfnVerifyCert)
@@ -598 +607 @@
      * Hash the content info.
      */
-    /* Exactly what the content is, for some stupid reason unnecessarily
-       complicated.  Figure it out here as we'll need it for the OpenSSL code
-       path as well. */
-    void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
-    uint32_t    cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
-    if (pSignedData->ContentInfo.Content.pEncapsulated)
-    {
-        pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
-        cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
-    }
-
     /* Check that there aren't too many or too few hash algorithms for our
        implementation and purposes. */
@@ -784 +782 @@
 }
 
+
+RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                      PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                      PRTERRINFO pErrInfo)
+{
+    /*
+     * Find the content and pass it on to common worker.
+     */
+    if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
+        return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
+
+    /* Exactly what the content is, is for some stupid reason unnecessarily complicated. */
+    PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+    void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
+    uint32_t    cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
+    if (pSignedData->ContentInfo.Content.pEncapsulated)
+    {
+        pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
+        cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
+    }
+
+    return rtCrPkcs7VerifySignedDataEx(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts, pValidationTime,
+                                       pfnVerifyCert, pvUser, pvContent, cbContent, pErrInfo);
+}
+
+
+RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                                      PCRTTIMESPEC pValidationTime,
+                                                      PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                                      void const *pvData, size_t cbData, PRTERRINFO pErrInfo)
+{
+    /*
+     * Require 'data' as inner content type.
+     */
+    if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
+        return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
+    PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+
+    if (RTAsn1ObjId_CompareWithString(&pSignedData->ContentInfo.ContentType, RTCR_PKCS7_DATA_OID) != 0)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_NOT_DATA,
+                             "The signedData content type is %s, expected 'data' (%s)",
+                             pSignedData->ContentInfo.ContentType.szObjId, RTCR_PKCS7_DATA_OID);
+
+    return rtCrPkcs7VerifySignedDataEx(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts, pValidationTime,
+                                       pfnVerifyCert, pvUser, pvData, cbData, pErrInfo);
+}
+
+