VirtualBox

Timestamp:
May 11, 2020 11:49:53 AM (5 years ago)
Author:
vboxsync
Message:

VBoxManage/signova: Improved the digest algorithm selection for the signatures. bugref:9699

File:
1 edited

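--- a/trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp
+++ b/trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp
@@ -2049,5 +2049,5 @@
  * format.
  */
-static int doAddPkcs7Signature(PCRTCRX509CERTIFICATE pCertificate, RTCRKEY hPrivateKey,
+static int doAddPkcs7Signature(PCRTCRX509CERTIFICATE pCertificate, RTCRKEY hPrivateKey, RTDIGESTTYPE enmDigestType,
                                unsigned cIntermediateCerts, const char **papszIntermediateCerts, RTVFSFILE hVfsFileManifest,
                                unsigned iVerbosity, PRTERRINFOSTATIC pErrInfo, RTVFSFILE hVfsFileSignature)
@@ -2107,5 +2107,5 @@
             size_t cbResult = 0;
             rc = RTCrPkcs7SimpleSignSignedData(RTCRPKCS7SIGN_SD_F_DEATCHED | RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP,
-                                               pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest,
+                                               pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest, enmDigestType,
                                                hIntermediateCerts, NULL /*pvResult*/, &cbResult, RTErrInfoInitStatic(pErrInfo));
             if (rc == VERR_BUFFER_OVERFLOW)
@@ -2118,6 +2118,6 @@
                 {
                     rc = RTCrPkcs7SimpleSignSignedData(RTCRPKCS7SIGN_SD_F_DEATCHED | RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP,
-                                                       pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest,
-                                                       NIL_RTCRSTORE, pvResult, &cbResult, RTErrInfoInitStatic(pErrInfo));
+                                                       pCertificate, hPrivateKey, pvManifest, (size_t)cbManifest, enmDigestType,
+                                                       hIntermediateCerts, pvResult, &cbResult, RTErrInfoInitStatic(pErrInfo));
                     if (RT_SUCCESS(rc))
                     {
@@ -2165,14 +2165,40 @@
 {
     /*
-     * Instantiate the digest algorithm.
+     * Determine the digest types, preferring SHA-256 for the OVA signature
+     * and SHA-512 for the PKCS#7/CMS one.  Try use different hashes for the two.
      */
-    /** @todo fall back on SHA-1 if the key is too small for SHA-256 or SHA-512? */
-    PCRTASN1OBJID const pObjId  = &pCertificate->TbsCertificate.SubjectPublicKeyInfo.Algorithm.Algorithm;
-    RTCRDIGEST          hDigest = NIL_RTCRDIGEST;
-    int rc = RTCrDigestCreateByType(&hDigest, enmDigestType);
-    if (RT_FAILURE(rc))
-        return RTMsgErrorRc(rc, "Failed to create digest for %s: %Rrc", pObjId->szObjId, rc);
-
-    /* Figure out the digest type name for the .cert file: */
+    if (enmDigestType == RTDIGESTTYPE_UNKNOWN)
+    {
+        if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA256, NULL))
+            enmDigestType = RTDIGESTTYPE_SHA256;
+        else
+            enmDigestType = RTDIGESTTYPE_SHA1;
+    }
+
+    RTDIGESTTYPE enmPkcs7DigestType;
+    if (   enmDigestType == RTDIGESTTYPE_SHA1
+        || enmDigestType == RTDIGESTTYPE_SHA256
+        || enmDigestType == RTDIGESTTYPE_SHA224)
+    {
+        /* Use a SHA-512 variant: */
+        if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512, NULL))
+            enmPkcs7DigestType = RTDIGESTTYPE_SHA512;
+        else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA384, NULL))
+            enmPkcs7DigestType = RTDIGESTTYPE_SHA384;
+        /// @todo openssl misses these in check_padding_md() in rsa_pmeth.c, causing
+        /// failure in EVP_PKEY_CTX_set_signature_md() and CMS_final().
+        //else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512T256, NULL))
+        //    enmPkcs7DigestType = RTDIGESTTYPE_SHA512T256;
+        //else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512T224, NULL))
+        //    enmPkcs7DigestType = RTDIGESTTYPE_SHA512T224;
+        else
+            enmPkcs7DigestType = RTDIGESTTYPE_SHA1;
+    }
+    else /* The .cert file uses SHA-512, pick SHA-256 for diversity. */
+        enmPkcs7DigestType = RTDIGESTTYPE_SHA256;
+
+    /*
+     * Figure the string name for the .cert file.
+     */
     const char *pszDigestType;
     switch (enmDigestType)
@@ -2180,7 +2206,7 @@
         case RTDIGESTTYPE_SHA1:         pszDigestType = "SHA1"; break;
         case RTDIGESTTYPE_SHA256:       pszDigestType = "SHA256"; break;
+        case RTDIGESTTYPE_SHA224:       pszDigestType = "SHA224"; break;
         case RTDIGESTTYPE_SHA512:       pszDigestType = "SHA512"; break;
         default:
-            RTCrDigestRelease(hDigest);
             return RTMsgErrorRc(VERR_INVALID_PARAMETER,
                                 "Unsupported digest type: %s", RTCrDigestTypeToName(enmDigestType));
@@ -2190,4 +2216,9 @@
      * Digest the manifest file.
      */
+    RTCRDIGEST hDigest = NIL_RTCRDIGEST;
+    int rc = RTCrDigestCreateByType(&hDigest, enmDigestType);
+    if (RT_FAILURE(rc))
+        return RTMsgErrorRc(rc, "Failed to create digest for %s: %Rrc", RTCrDigestTypeToName(enmDigestType), rc);
+
     rc = RTCrDigestUpdateFromVfsFile(hDigest, hVfsFileManifest, true /*fRewindFile*/);
     if (RT_SUCCESS(rc))
@@ -2241,7 +2272,7 @@
                                 {
                                     if (fPkcs7)
-                                        rc = doAddPkcs7Signature(pCertificate, hPrivateKey, cIntermediateCerts,
-                                                                 papszIntermediateCerts, hVfsFileManifest, iVerbosity,
-                                                                 pErrInfo, hVfsFileSignature);
+                                        rc = doAddPkcs7Signature(pCertificate, hPrivateKey, enmPkcs7DigestType,
+                                                                 cIntermediateCerts, papszIntermediateCerts, hVfsFileManifest,
+                                                                 iVerbosity, pErrInfo, hVfsFileSignature);
                                     if (RT_SUCCESS(rc))
                                     {
@@ -2316,5 +2347,5 @@
     const char     *pszPrivateKey       = NULL;
     Utf8Str         strPrivateKeyPassword;
-    RTDIGESTTYPE    enmDigestType       = RTDIGESTTYPE_SHA256;
+    RTDIGESTTYPE    enmDigestType       = RTDIGESTTYPE_UNKNOWN;
     bool            fPkcs7              = false;
     unsigned        cIntermediateCerts  = 0;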
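Review bot: The automatic selection drops to `RTDIGESTTYPE_SHA1` silently, both in the `enmDigestType == RTDIGESTTYPE_UNKNOWN` block and in the final `else` of the SHA-512/SHA-384 chain for `enmPkcs7DigestType`. Because the default in the last hunk is now `RTDIGESTTYPE_UNKNOWN`, a certificate that cannot handle SHA-256 yields a SHA-1 signature with nothing in the output to say a weaker digest was chosen. I would warn on each fallback, e.g. `RTMsgWarning("Certificate cannot handle SHA-256, falling back on SHA-1 for the .cert signature");`, or refuse unless SHA-1 was asked for explicitly. The trailing `else` that picks `RTDIGESTTYPE_SHA256` also skips the `RTCrPkixCanCertHandleDigestType` check and runs for every type outside SHA-1/224/256 before the `switch` rejects unsupported ones. The enclosing function starts and ends outside the visible hunks.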