Changeset 84230 in vbox

Timestamp:

May 10, 2020 12:52:05 AM (5 years ago)

Author:

vboxsync

Message:

IPRT,openssl: Adding RTCrPkcs7SimpleSignSignedData as a feeble start at PKCS#7/CMS signing. bugref:9699

Location:

trunk

Files:

: 1 added
: 14 edited

include/iprt/crypto/pem.h (modified) (1 diff)
include/iprt/crypto/pkcs7.h (modified) (2 diffs)
include/iprt/crypto/store.h (modified) (1 diff)
include/iprt/mangling.h (modified) (2 diffs)
src/VBox/Runtime/Makefile.kmk (modified) (2 diffs)
src/VBox/Runtime/common/crypto/iprt-openssl.cpp (modified) (3 diffs)
src/VBox/Runtime/common/crypto/key-openssl.cpp (modified) (1 diff)
src/VBox/Runtime/common/crypto/pemfile-write.cpp (modified) (2 diffs)
src/VBox/Runtime/common/crypto/pkcs7-sign.cpp (added)
src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (modified) (2 diffs)
src/VBox/Runtime/common/crypto/pkix-sign.cpp (modified) (1 diff)
src/VBox/Runtime/common/crypto/pkix-verify.cpp (modified) (2 diffs)
src/VBox/Runtime/common/crypto/store.cpp (modified) (2 diffs)
src/VBox/Runtime/include/internal/iprt-openssl.h (modified) (1 diff)
src/libs/openssl-1.1.1g/Config.kmk (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/include/iprt/crypto/pem.h

-              r84172
+              r84230
                                 const void *pvContent, size_t cbContent, const char *pszMarker);
+RTDECL(ssize_t) RTCrPemWriteBlobToVfsIoStrm(RTVFSIOSTREAM hVfsIos, const void *pvContent, size_t cbContent, const char *pszMarker);
+RTDECL(ssize_t) RTCrPemWriteBlobToVfsFile(RTVFSFILE hVfsFile, const void *pvContent, size_t cbContent, const char *pszMarker);
 /**
  * PEM formatter for a generic ASN.1 structure.

trunk/include/iprt/crypto/pkcs7.h

-              r82968
+              r84230
  *  timestamp counter sigantures. */
 #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT     RT_BIT_32(1)
 /** Only use signging time attributes from counter signatures. */
+/** Only use signing time attributes from counter signatures. */
 #define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY    RT_BIT_32(2)
 /** Don't validate the counter signature containing the signing time, just use
 …
 /** @} */
+/** @name RTCRPKCS7SIGN_SD_F_XXX - Flags for RTCrPkcs7SimpleSign.
+ * @{ */
+/** Detached data. */
+#define RTCRPKCS7SIGN_SD_F_DEATCHED      RT_BIT_32(0)
+/** No SMIME capabilities attribute. */
+#define RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP  RT_BIT_32(1)
+/** Valid flag mask.   */
+#define RTCRPKCS7SIGN_SD_F_VALID_MASK    UINT32_C(0x00000003)
 /** @} */
+RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
+                                          void const *pvData, size_t cbData, RTCRSTORE hAdditionalCerts,
+                                          void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo);
+/** @} */
 RT_C_DECLS_END

trunk/include/iprt/crypto/store.h

-              r82968
+              r84230
 RTDECL(int) RTCrStoreCertSearchDestroy(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch);
 RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore);
 RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack);
+RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore, PRTERRINFO pErrInfo);
+RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack, PRTERRINFO pErrInfo);

trunk/include/iprt/mangling.h

-              r84205
+              r84230
 # define RTCrPemReadFile                                RT_MANGLER(RTCrPemReadFile)
 # define RTCrPemWriteBlob                               RT_MANGLER(RTCrPemWriteBlob)
+# define RTCrPemWriteBlobToVfsIoStrm                    RT_MANGLER(RTCrPemWriteBlobToVfsIoStrm)
+# define RTCrPemWriteBlobToVfsFile                      RT_MANGLER(RTCrPemWriteBlobToVfsFile)
 # define RTCrPemWriteAsn1                               RT_MANGLER(RTCrPemWriteAsn1)
 # define RTCrPemWriteAsn1ToVfsIoStrm                    RT_MANGLER(RTCrPemWriteAsn1ToVfsIoStrm)
 …
 # define RTCrPkcs7SignerInfo_CheckSanity                RT_MANGLER(RTCrPkcs7SignerInfo_CheckSanity)
 # define RTCrPkcs7SignerInfos_CheckSanity               RT_MANGLER(RTCrPkcs7SignerInfos_CheckSanity)
+# define RTCrPkcs7SimpleSignSignedData                  RT_MANGLER(RTCrPkcs7SimpleSignSignedData)
 # define RTCrPkcs7VerifyCertCallbackCodeSigning         RT_MANGLER(RTCrPkcs7VerifyCertCallbackCodeSigning)
 # define RTCrPkcs7VerifyCertCallbackDefault             RT_MANGLER(RTCrPkcs7VerifyCertCallbackDefault)

trunk/src/VBox/Runtime/Makefile.kmk

-              r84163
+              r84230
         common/crypto/pkcs7-init.cpp \
         common/crypto/pkcs7-sanity.cpp \
+        common/crypto/pkcs7-sign.cpp \
         common/crypto/pkcs7-verify.cpp \
         common/crypto/pkix-sign.cpp \
 …
         common/crypto/digest-core.cpp \
         common/crypto/pemfile-read.cpp \
-        common/crypto/pemfile-write.cpp \
         common/crypto/pkcs7-asn1-decoder.cpp \
         common/crypto/pkcs7-core.cpp \

trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp

-              r82968
+              r84230
 # include <iprt/err.h>
 # include <iprt/string.h>
+# include <iprt/mem.h>
+# include <iprt/asn1.h>
 # include "internal/iprt-openssl.h"
 …
 DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert)
+DECLHIDDEN(int) rtCrOpenSslConvertX509Cert(void **ppvOsslCert, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo)
+{
+    int                  rc;
+    const unsigned char *pabEncoded = (const unsigned char *)RTASN1CORE_GET_RAW_ASN1_PTR(&pCert->SeqCore.Asn1Core);
+    uint32_t             cbEncoded  = RTASN1CORE_GET_RAW_ASN1_SIZE(&pCert->SeqCore.Asn1Core);
+    X509                *pOsslCert  = NULL;
+    if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
+    const unsigned char *pabEncoded;
+    /*
+     * ASSUME that if the certificate has data pointers, it's been parsed out
+     * of a binary blob and we can safely access that here.
+     */
+    if (pCert->SeqCore.Asn1Core.uData.pv)
+    {
+        pabEncoded = (const unsigned char *)RTASN1CORE_GET_RAW_ASN1_PTR(&pCert->SeqCore.Asn1Core);
+        uint32_t cbEncoded  = RTASN1CORE_GET_RAW_ASN1_SIZE(&pCert->SeqCore.Asn1Core);
+        X509    *pOsslCert  = NULL;
+        if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
+        {
+            *ppvOsslCert = pOsslCert;
+            return VINF_SUCCESS;
+        }
+    }
+    /*
+     * Otherwise, we'll have to encode it into a temporary buffer that openssl
+     * can decode into its structures.
+     */
+    else
+    {
+        PRTASN1CORE pNonConstCore = (PRTASN1CORE)&pCert->SeqCore.Asn1Core;
+        uint32_t    cbEncoded     = 0;
+        int rc = RTAsn1EncodePrepare(pNonConstCore, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
+        AssertRCReturn(rc, rc);
+        void * const pvEncoded = RTMemTmpAllocZ(cbEncoded);
+        AssertReturn(pvEncoded, VERR_NO_TMP_MEMORY);
+        rc = RTAsn1EncodeToBuffer(pNonConstCore, RTASN1ENCODE_F_DER, pvEncoded, cbEncoded, pErrInfo);
+        if (RT_SUCCESS(rc))
+        {
+            pabEncoded = (const unsigned char *)pvEncoded;
+            X509 *pOsslCert = NULL;
+            if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
+            {
+                *ppvOsslCert = pOsslCert;
+                RTMemTmpFree(pvEncoded);
+                return VINF_SUCCESS;
+            }
+        }
+        else
+        {
+            RTMemTmpFree(pvEncoded);
+            return rc;
+        }
+    }
+    *ppvOsslCert = NULL;
+    return RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509");
+}
+DECLHIDDEN(void) rtCrOpenSslFreeConvertedX509Cert(void *pvOsslCert)
+{
+    X509_free((X509 *)pvOsslCert);
+}
+DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo)
+{
+    X509 *pOsslCert = NULL;
+    int rc = rtCrOpenSslConvertX509Cert((void **)&pOsslCert, pCert, pErrInfo);
+    if (RT_SUCCESS(rc))
+    {
         if (sk_X509_push((STACK_OF(X509) *)pvOsslStack, pOsslCert))
 …
         else
+        {
             rc = VERR_NO_MEMORY;
             X509_free(pOsslCert);
+            rtCrOpenSslFreeConvertedX509Cert(pOsslCert);
+            rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "sk_X509_push");
+        }
+    }
-    else
-        rc = VERR_CR_X509_OSSL_D2I_FAILED;
     return rc;
+}

trunk/src/VBox/Runtime/common/crypto/key-openssl.cpp

-              r82968
+              r84230
  * @param   pErrInfo        Where to optionally return more error details.
  */
+DECLHIDDEN(int) rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId,
+                                    void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo)
+DECLHIDDEN(int) rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, void /*EVP_PKEY*/ **ppEvpKey, PRTERRINFO pErrInfo)
+{
+    *ppEvpKey = NULL;
+    AssertReturn(hKey->u32Magic == RTCRKEYINT_MAGIC, VERR_INVALID_HANDLE);
+    AssertReturn(fNeedPublic == !(hKey->fFlags & RTCRKEYINT_F_PRIVATE), VERR_WRONG_TYPE);
+    rtCrOpenSslInit();
+    /*
+     * Translate the key type from IPRT to EVP speak.
+     */
+    int         idKeyType;
+    switch (hKey->enmType)
+    {
+        case RTCRKEYTYPE_RSA_PRIVATE:
+        case RTCRKEYTYPE_RSA_PUBLIC:
+            idKeyType = EVP_PKEY_RSA;
+            break;
+        default:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Unsupported key type: %d", hKey->enmType);
+    }
+    /*
+     * Allocate a new key structure and set its type.
+     */
+    EVP_PKEY *pEvpNewKey = EVP_PKEY_new();
+    if (!pEvpNewKey)
+        return RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new/%d failed", idKeyType);
+    /*
+     * Load the key into the structure.
+     */
+    const unsigned char *puchPublicKey = hKey->pbEncoded;
+    EVP_PKEY *pRet;
+    if (fNeedPublic)
+        *ppEvpKey = pRet = d2i_PublicKey(idKeyType, &pEvpNewKey, &puchPublicKey, hKey->cbEncoded);
+    else
+        *ppEvpKey = pRet = d2i_PrivateKey(idKeyType, &pEvpNewKey, &puchPublicKey, hKey->cbEncoded);
+    if (pRet)
+        return VINF_SUCCESS;
+    /* Bail out: */
+    EVP_PKEY_free(pEvpNewKey);
+    return RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED,
+                        fNeedPublic ? "d2i_PublicKey failed" : "d2i_PrivateKey failed");
+}
+/**
+ * Creates an OpenSSL key for the given IPRT one, returning the message digest
+ * algorithm if desired.
+ *
+ * @returns IRPT status code.
+ * @param   hKey            The key to convert to an OpenSSL key.
+ * @param   fNeedPublic     Set if we need the public side of the key.
+ * @param   pszAlgoObjId    Alogrithm stuff we currently need.
+ * @param   ppEvpKey        Where to return the pointer to the key structure.
+ * @param   ppEvpMdType     Where to optionally return the message digest type.
+ * @param   pErrInfo        Where to optionally return more error details.
+ */
+DECLHIDDEN(int) rtCrKeyToOpenSslKeyEx(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId,
+                                      void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo)
+{
     *ppEvpKey = NULL;

trunk/src/VBox/Runtime/common/crypto/pemfile-write.cpp

-              r84211
+              r84230
     cchRet += pfnOutput(pvUser, NULL, 0);
+    return cchRet;
+}
+RTDECL(ssize_t) RTCrPemWriteBlobToVfsIoStrm(RTVFSIOSTREAM hVfsIos, const void *pvContent, size_t cbContent, const char *pszMarker)
+{
+    VFSIOSTRMOUTBUF Buf;
+    VFSIOSTRMOUTBUF_INIT(&Buf, hVfsIos);
+    size_t cchRet = RTCrPemWriteBlob(RTVfsIoStrmStrOutputCallback, &Buf, pvContent, cbContent, pszMarker);
+    Assert(Buf.offBuf == 0);
+    return RT_SUCCESS(Buf.rc) ? (ssize_t)cchRet : Buf.rc;
+}
+RTDECL(ssize_t) RTCrPemWriteBlobToVfsFile(RTVFSFILE hVfsFile, const void *pvContent, size_t cbContent, const char *pszMarker)
+{
+    RTVFSIOSTREAM hVfsIos = RTVfsFileToIoStream(hVfsFile);
+    AssertReturn(hVfsIos != NIL_RTVFSIOSTREAM, VERR_INVALID_HANDLE);
+    ssize_t cchRet = RTCrPemWriteBlobToVfsIoStrm(hVfsIos, pvContent, cbContent, pszMarker);
+    RTVfsIoStrmRelease(hVfsIos);
     return cchRet;
+}
 …
+}

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

-              r82968
+              r84230
         STACK_OF(X509) *pAddCerts = NULL;
         if (hAdditionalCerts != NIL_RTCRSTORE)
             rcOssl = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0, (void **)&pAddCerts);
+            rcOssl = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0, (void **)&pAddCerts, pErrInfo);
         else
+        {
 …
             for (uint32_t i = 0; i < pCerts->cItems; i++)
                 if (pCerts->papItems[i]->enmChoice == RTCRPKCS7CERTCHOICE_X509)
                     rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert);
+                    rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert, NULL);
             X509_STORE *pTrustedCerts = NULL;
             if (hTrustedCerts != NIL_RTCRSTORE)
                 rcOssl = RTCrStoreConvertToOpenSslCertStore(hTrustedCerts, 0, (void **)&pTrustedCerts);
+                rcOssl = RTCrStoreConvertToOpenSslCertStore(hTrustedCerts, 0, (void **)&pTrustedCerts, pErrInfo);
             if (RT_SUCCESS(rcOssl))
+            {

trunk/src/VBox/Runtime/common/crypto/pkix-sign.cpp

-              r82968
+              r84230
     EVP_PKEY     *pEvpPrivateKey = NULL;
     const EVP_MD *pEvpMdType = NULL;
     int rcOssl = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, pszAlgObjId,
                                      (void **)&pEvpPrivateKey, (const void **)&pEvpMdType, pErrInfo);
+    int rcOssl = rtCrKeyToOpenSslKeyEx(hPrivateKey, false /*fNeedPublic*/, pszAlgObjId,
+                                       (void **)&pEvpPrivateKey, (const void **)&pEvpMdType, pErrInfo);
     if (RT_SUCCESS(rcOssl))
+    {

trunk/src/VBox/Runtime/common/crypto/pkix-verify.cpp

-              r82968
+              r84230
     EVP_PKEY     *pEvpPublicKey = NULL;
     const EVP_MD *pEvpMdType = NULL;
     int rcOssl = rtCrKeyToOpenSslKey(hPublicKey, true /*fNeedPublic*/, pAlgorithm->szObjId,
                                      (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo);
+    int rcOssl = rtCrKeyToOpenSslKeyEx(hPublicKey, true /*fNeedPublic*/, pAlgorithm->szObjId,
+                                       (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo);
     if (RT_SUCCESS(rcOssl))
+    {
 …
     EVP_PKEY     *pEvpPublicKey = NULL;
     const EVP_MD *pEvpMdType = NULL;
     int rcOssl = rtCrKeyToOpenSslKey(hPublicKey, true /*fNeedPublic*/, pszAlgObjId,
                                      (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo);
+    int rcOssl = rtCrKeyToOpenSslKeyEx(hPublicKey, true /*fNeedPublic*/, pszAlgObjId,
+                                       (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo);
     if (RT_SUCCESS(rcOssl))
+    {

trunk/src/VBox/Runtime/common/crypto/store.cpp

-              r82968
+              r84230
  */
+RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore)
+{
+RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore, PRTERRINFO pErrInfo)
+{
+    RT_NOREF(pErrInfo);
     PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
     AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
 …
+RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack)
+{
+RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack, PRTERRINFO pErrInfo)
+{
+    RT_NOREF(pErrInfo);
     PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
     AssertPtrReturn(pThis, VERR_INVALID_HANDLE);

trunk/src/VBox/Runtime/include/internal/iprt-openssl.h

-              r82968
+              r84230
 DECLHIDDEN(void) rtCrOpenSslInit(void);
 DECLHIDDEN(int)  rtCrOpenSslErrInfoCallback(const char *pach, size_t cch, void *pvUser);
+DECLHIDDEN(int)  rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert);
+DECLHIDDEN(int)  rtCrOpenSslConvertX509Cert(void **ppvOsslCert, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo);
+DECLHIDDEN(void) rtCrOpenSslFreeConvertedX509Cert(void *pvOsslCert);
+DECLHIDDEN(int)  rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo);
+DECLHIDDEN(int)  rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId,
+                                     void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo);
+DECLHIDDEN(int)  rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, void /*EVP_PKEY*/ **ppEvpKey, PRTERRINFO pErrInfo);
+DECLHIDDEN(int)  rtCrKeyToOpenSslKeyEx(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId,
+                                       void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo);
 RT_C_DECLS_END

trunk/src/libs/openssl-1.1.1g/Config.kmk

r84229	r84230
78	78	include/openssl/cmac.h=>cmac.h \
79	79	include/openssl/cms.h=>cms.h \
	80	include/openssl/cmserr.h=>cmserr.h \
80	81	include/openssl/comp.h=>comp.h \
81	82	include/openssl/comperr.h=>comperr.h \

Note: See TracChangeset for help on using the changeset viewer.

Changeset 84230 in vbox

Legend:

Download in other formats: