- Timestamp:
- May 11, 2020 11:49:53 AM (5 years ago)
- File:
-
- 1 edited
trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp
r84233 r84250 2049 2049 * format. 2050 2050 */ 2051 static int doAddPkcs7Signature(PCRTCRX509CERTIFICATE pCertificate, RTCRKEY hPrivateKey, 2051 static int doAddPkcs7Signature(PCRTCRX509CERTIFICATE pCertificate, RTCRKEY hPrivateKey, RTDIGESTTYPE enmDigestType, 2052 2052 unsigned cIntermediateCerts, const char **papszIntermediateCerts, RTVFSFILE hVfsFileManifest, 2053 2053 unsigned iVerbosity, PRTERRINFOSTATIC pErrInfo, RTVFSFILE hVfsFileSignature) … … 2107 2107 size_t cbResult = 0; 2108 2108 rc = RTCrPkcs7SimpleSignSignedData(RTCRPKCS7SIGN_SD_F_DEATCHED | RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP, 2109 pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest, 2109 pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest, enmDigestType, 2110 2110 hIntermediateCerts, NULL /*pvResult*/, &cbResult, RTErrInfoInitStatic(pErrInfo)); 2111 2111 if (rc == VERR_BUFFER_OVERFLOW) … … 2118 2118 { 2119 2119 rc = RTCrPkcs7SimpleSignSignedData(RTCRPKCS7SIGN_SD_F_DEATCHED | RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP, 2120 pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest, 2121 NIL_RTCRSTORE, pvResult, &cbResult, RTErrInfoInitStatic(pErrInfo));2120 pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest, enmDigestType, 2121 hIntermediateCerts, pvResult, &cbResult, RTErrInfoInitStatic(pErrInfo)); 2122 2122 if (RT_SUCCESS(rc)) 2123 2123 { … … 2165 2165 { 2166 2166 /* 2167 * Instantiate the digest algorithm. 2167 * Determine the digest types, preferring SHA-256 for the OVA signature 2168 * and SHA-512 for the PKCS#7/CMS one. Try use different hashes for the two. 2168 2169 */ 2169 /** @todo fall back on SHA-1 if the key is too small for SHA-256 or SHA-512? 
*/ 2170 PCRTASN1OBJID const pObjId = &pCertificate->TbsCertificate.SubjectPublicKeyInfo.Algorithm.Algorithm; 2171 RTCRDIGEST hDigest = NIL_RTCRDIGEST; 2172 int rc = RTCrDigestCreateByType(&hDigest, enmDigestType); 2173 if (RT_FAILURE(rc)) 2174 return RTMsgErrorRc(rc, "Failed to create digest for %s: %Rrc", pObjId->szObjId, rc); 2175 2176 /* Figure out the digest type name for the .cert file: */ 2170 if (enmDigestType == RTDIGESTTYPE_UNKNOWN) 2171 { 2172 if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA256, NULL)) 2173 enmDigestType = RTDIGESTTYPE_SHA256; 2174 else 2175 enmDigestType = RTDIGESTTYPE_SHA1; 2176 } 2177 2178 RTDIGESTTYPE enmPkcs7DigestType; 2179 if ( enmDigestType == RTDIGESTTYPE_SHA1 2180 || enmDigestType == RTDIGESTTYPE_SHA256 2181 || enmDigestType == RTDIGESTTYPE_SHA224) 2182 { 2183 /* Use a SHA-512 variant: */ 2184 if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512, NULL)) 2185 enmPkcs7DigestType = RTDIGESTTYPE_SHA512; 2186 else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA384, NULL)) 2187 enmPkcs7DigestType = RTDIGESTTYPE_SHA384; 2188 /// @todo openssl misses these in check_padding_md() in rsa_pmeth.c, causing 2189 /// failure in EVP_PKEY_CTX_set_signature_md() and CMS_final(). 2190 //else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512T256, NULL)) 2191 // enmPkcs7DigestType = RTDIGESTTYPE_SHA512T256; 2192 //else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512T224, NULL)) 2193 // enmPkcs7DigestType = RTDIGESTTYPE_SHA512T224; 2194 else 2195 enmPkcs7DigestType = RTDIGESTTYPE_SHA1; 2196 } 2197 else /* The .cert file uses SHA-512, pick SHA-256 for diversity. */ 2198 enmPkcs7DigestType = RTDIGESTTYPE_SHA256; 2199 2200 /* 2201 * Figure the string name for the .cert file. 
2202 */ 2177 2203 const char *pszDigestType; 2178 2204 switch (enmDigestType) … … 2180 2206 case RTDIGESTTYPE_SHA1: pszDigestType = "SHA1"; break; 2181 2207 case RTDIGESTTYPE_SHA256: pszDigestType = "SHA256"; break; 2208 case RTDIGESTTYPE_SHA224: pszDigestType = "SHA224"; break; 2182 2209 case RTDIGESTTYPE_SHA512: pszDigestType = "SHA512"; break; 2183 2210 default: 2184 RTCrDigestRelease(hDigest);2185 2211 return RTMsgErrorRc(VERR_INVALID_PARAMETER, 2186 2212 "Unsupported digest type: %s", RTCrDigestTypeToName(enmDigestType)); … … 2190 2216 * Digest the manifest file. 2191 2217 */ 2218 RTCRDIGEST hDigest = NIL_RTCRDIGEST; 2219 int rc = RTCrDigestCreateByType(&hDigest, enmDigestType); 2220 if (RT_FAILURE(rc)) 2221 return RTMsgErrorRc(rc, "Failed to create digest for %s: %Rrc", RTCrDigestTypeToName(enmDigestType), rc); 2222 2192 2223 rc = RTCrDigestUpdateFromVfsFile(hDigest, hVfsFileManifest, true /*fRewindFile*/); 2193 2224 if (RT_SUCCESS(rc)) … … 2241 2272 { 2242 2273 if (fPkcs7) 2243 rc = doAddPkcs7Signature(pCertificate, hPrivateKey, cIntermediateCerts,2244 papszIntermediateCerts, hVfsFileManifest, iVerbosity,2245 pErrInfo, hVfsFileSignature);2274 rc = doAddPkcs7Signature(pCertificate, hPrivateKey, enmPkcs7DigestType, 2275 cIntermediateCerts, papszIntermediateCerts, hVfsFileManifest, 2276 iVerbosity, pErrInfo, hVfsFileSignature); 2246 2277 if (RT_SUCCESS(rc)) 2247 2278 { … … 2316 2347 const char *pszPrivateKey = NULL; 2317 2348 Utf8Str strPrivateKeyPassword; 2318 RTDIGESTTYPE enmDigestType = RTDIGESTTYPE_ SHA256;2349 RTDIGESTTYPE enmDigestType = RTDIGESTTYPE_UNKNOWN; 2319 2350 bool fPkcs7 = false; 2320 2351 unsigned cIntermediateCerts = 0;
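Review bot: The PKCS#7 digest selection drops from SHA-384 straight to SHA-1 (new lines 2194-2195) without trying SHA-256, so a certificate that, presumably because of a small key, cannot take SHA-384/512 gets a SHA-1 CMS signature even when SHA-256 was already accepted for the manifest digest. Reusing SHA-256 is a better outcome than downgrading for the sake of diversity; add `else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA256, NULL))` followed by `enmPkcs7DigestType = RTDIGESTTYPE_SHA256;` ahead of the final `else`. Both automatic SHA-1 fallbacks (this one and the one at new line 2175 for the .cert digest) are also silent, so a warning when SHA-1 is picked, for example through `RTMsgWarning`, would let the person signing notice the weak digest. The enclosing function begins and ends outside the hunk, so whether the chosen digests are reported later at higher verbosity cannot be seen from here.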