Changeset 84310 in vbox

Timestamp:

May 14, 2020 5:40:35 PM (5 years ago)

Author:

vboxsync

Message:

IPRT/crypto: Adding RTAsn1EncodeQueryRawBits to deal with getting encoded bytes cheaply if possible and always safely. Fixed another place using RTASN1CORE_GET_RAW_ASN1_PTR and assuming input was decoded and had valid data pointers. Added RTCrStoreCertAddPkcs7 and RTCrStoreCertAddX509 for more conveniently adding decoded certs to stores. Added RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS to the PKCS7 verification code. Added RTCrPkcs7_ReadFromBuffer. bugref:9699

Location:

trunk

Files:

: 1 added
: 10 edited

include/iprt/asn1.h (modified) (1 diff)
include/iprt/crypto/pkcs7.h (modified) (6 diffs)
include/iprt/crypto/store.h (modified) (1 diff)
include/iprt/mangling.h (modified) (4 diffs)
src/VBox/Runtime/Makefile.kmk (modified) (1 diff)
src/VBox/Runtime/common/asn1/asn1-encode.cpp (modified) (2 diffs)
src/VBox/Runtime/common/crypto/iprt-openssl.cpp (modified) (1 diff)
src/VBox/Runtime/common/crypto/pkcs7-file.cpp (added)
src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (modified) (4 diffs)
src/VBox/Runtime/common/crypto/store.cpp (modified) (2 diffs)
src/VBox/Runtime/common/crypto/x509-verify.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/include/iprt/asn1.h

-              r82968
+              r84310
 RTDECL(int) RTAsn1EncodeToBuffer(PCRTASN1CORE pRoot, uint32_t fFlags, void *pvBuf, size_t cbBuf, PRTERRINFO pErrInfo);
+/**
+ * Helper for when DER encoded ASN.1 is needed for something.
+ *
+ * Handy when interfacing with OpenSSL and the many d2i_Xxxxx OpenSSL functions,
+ * but also handy when structures needs to be digested or similar during signing
+ * or verification.
+ *
+ * We sometimes can use the data we've decoded directly, but often we have
+ * encode it into a temporary heap buffer.
+ *
+ * @returns IPRT status code, details in @a pErrInfo if present.
+ * @param   pRoot       The ASN.1 root of the structure to be passed to OpenSSL.
+ * @param   ppbRaw      Where to return the pointer to raw encoded data.
+ * @param   pcbRaw      Where to return the size of the raw encoded data.
+ * @param   ppvFree     Where to return what to pass to RTMemTmpFree, i.e. NULL
+ *                      if we use the previously decoded data directly and
+ *                      non-NULL if we had to allocate heap and encode it.
+ * @param   pErrInfo    Where to return details about encoding issues. Optional.
+ */
+RTDECL(int) RTAsn1EncodeQueryRawBits(PRTASN1CORE pRoot, const uint8_t **ppbRaw, uint32_t *pcbRaw,
+                                     void **ppvFree, PRTERRINFO pErrInfo);
 /** @} */

trunk/include/iprt/crypto/pkcs7.h

-              r84248
+              r84310
 /** @} */
+/** PKCS\#7/CMS (content info) markers. */
+extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrPkcs7Markers[];
+/** Number of entries in g_aRTCrPkcs7Markers. */
+extern RTDATADECL(uint32_t const)      g_cRTCrPkcs7Markers;
+/** @name Flags for RTCrPkcs7ContentInfo_ReadFromBuffer
+ * @{ */
+/** Only allow PEM certificates, not binary ones.
+ * @sa RTCRPEMREADFILE_F_ONLY_PEM  */
+#define RTCRPKCS7_READ_F_PEM_ONLY        RT_BIT(1)
+/** @} */
+RTDECL(int) RTCrPkcs7_ReadFromBuffer(PRTCRPKCS7CONTENTINFO pContentInfo, const void *pvBuf, size_t cbBuf,
+                                     uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
+                                     bool *pfCmsLabeled, PRTERRINFO pErrInfo, const char *pszErrorTag);
 /**
 …
                                                       void const *pvData, size_t cbData, PRTERRINFO pErrInfo);
+/** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData
+/** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData and
+ *                                   RTCrPkcs7VerifySignedDataWithExternalData
  * @{ */
 /** Always use the signing time attribute if present, requiring it to be
 …
 #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT     RT_BIT_32(0)
 /** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
  *  timestamp counter sigantures. */
+ *  timestamp counter signatures. */
 #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT     RT_BIT_32(1)
 /** Only use signing time attributes from counter signatures. */
 …
  * signatures. */
 #define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING                     RT_BIT_32(6)
+/** Skip the verification of the certificate trust paths, taking all
+ * certificates to be trustworthy. */
+#define RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS                        RT_BIT_32(7)
 /** Indicates internally that we're validating a counter signature and should
 …
 /** @} */
+RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
+                                          void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
+                                          RTCRSTORE hAdditionalCerts, void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo);
 /** @name RTCRPKCS7SIGN_SD_F_XXX - Flags for RTCrPkcs7SimpleSign.
 …
 /** @} */
-RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
-                                          void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
-                                          RTCRSTORE hAdditionalCerts, void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo);
 /** @} */

trunk/include/iprt/crypto/store.h

-              r84230
+              r84310
 /**
+ * Add an X.509 packaged certificate to the store.
+ *
+ * @returns IPRT status code.
+ * @retval  VWRN_ALREADY_EXISTS if the certificate is already present and
+ *          RTCRCERTCTX_F_ADD_IF_NOT_FOUND was specified.
+ * @retval  VERR_WRITE_PROTECT if the store doesn't support adding.
+ * @param   hStore              The store to add the certificate to.
+ * @param   fFlags              RTCRCERTCTX_F_XXX. Encoding must is optional,
+ *                              but must be RTCRCERTCTX_F_ENC_X509_DER if given.
+ *                              RTCRCERTCTX_F_ADD_IF_NOT_FOUND is supported.
+ * @param   pCertificate        The certificate to add.  We may have to encode
+ *                              it, thus not const.
+ * @param   pErrInfo            Where to return additional error/warning info.
+ *                              Optional.
+ */
+RTDECL(int) RTCrStoreCertAddX509(RTCRSTORE hStore, uint32_t fFlags, PRTCRX509CERTIFICATE pCertificate, PRTERRINFO pErrInfo);
+/**
  * Adds certificates from files in the specified directory.
+ *

trunk/include/iprt/mangling.h

-              r84296
+              r84310
 # define RTAsn1EncodeRecalcHdrSize                      RT_MANGLER(RTAsn1EncodeRecalcHdrSize)
 # define RTAsn1EncodeToBuffer                           RT_MANGLER(RTAsn1EncodeToBuffer)
+# define RTAsn1EncodeQueryRawBits                       RT_MANGLER(RTAsn1EncodeQueryRawBits)
 # define RTAsn1EncodeWrite                              RT_MANGLER(RTAsn1EncodeWrite)
 # define RTAsn1EncodeWriteHeader                        RT_MANGLER(RTAsn1EncodeWriteHeader)
 …
 # define RTCrPemWriteAsn1ToVfsFile                      RT_MANGLER(RTCrPemWriteAsn1ToVfsFile)
 # define RTCrPkcs5Pbkdf2Hmac                            RT_MANGLER(RTCrPkcs5Pbkdf2Hmac)
+# define RTCrPkcs7_ReadFromBuffer                       RT_MANGLER(RTCrPkcs7_ReadFromBuffer)
 # define RTCrPkcs7Attribute_DecodeAsn1                  RT_MANGLER(RTCrPkcs7Attribute_DecodeAsn1)
 # define RTCrPkcs7Attributes_DecodeAsn1                 RT_MANGLER(RTCrPkcs7Attributes_DecodeAsn1)
 …
 # define RTCrCertCtxRetain                              RT_MANGLER(RTCrCertCtxRetain)
 # define RTCrStoreCertAddEncoded                        RT_MANGLER(RTCrStoreCertAddEncoded)
+# define RTCrStoreCertAddX509                           RT_MANGLER(RTCrStoreCertAddX509)
 # define RTCrStoreCertByIssuerAndSerialNo               RT_MANGLER(RTCrStoreCertByIssuerAndSerialNo)
 # define RTCrStoreCertCount                             RT_MANGLER(RTCrStoreCertCount)
 …
 # define g_RTAsn1EFenceAllocator                        RT_MANGLER(g_RTAsn1EFenceAllocator)
 # define g_RTAsn1SaferAllocator                         RT_MANGLER(g_RTAsn1SaferAllocator)
+# define g_aRTCrPkcs7Markers                            RT_MANGLER(g_aRTCrPkcs7Markers)
+# define g_cRTCrPkcs7Markers                            RT_MANGLER(g_cRTCrPkcs7Markers)
 # define g_aRTCrX509CertificateMarkers                  RT_MANGLER(g_aRTCrX509CertificateMarkers)
 # define g_cRTCrX509CertificateMarkers                  RT_MANGLER(g_cRTCrX509CertificateMarkers)

trunk/src/VBox/Runtime/Makefile.kmk

r84293	r84310
397	397	common/crypto/pkcs7-asn1-decoder.cpp \
398	398	common/crypto/pkcs7-core.cpp \
	399	common/crypto/pkcs7-file.cpp \
399	400	common/crypto/pkcs7-init.cpp \
400	401	common/crypto/pkcs7-sanity.cpp \

trunk/src/VBox/Runtime/common/asn1/asn1-encode.cpp

-              r82968
+              r84310
 #include <iprt/ctype.h>
 #include <iprt/err.h>
+#include <iprt/mem.h>
 #include <iprt/string.h>
 …
+}
+RTDECL(int) RTAsn1EncodeQueryRawBits(PRTASN1CORE pRoot, const uint8_t **ppbRaw, uint32_t *pcbRaw,
+                                     void **ppvFree, PRTERRINFO pErrInfo)
+{
+    /*
+     * ASSUME that if we've got pointers here, they are valid...
+     */
+    if (   pRoot->uData.pv
+        && !(pRoot->fFlags & RTASN1CORE_F_INDEFINITE_LENGTH) /* BER, not DER. */
+        && (pRoot->fFlags & RTASN1CORE_F_DECODED_CONTENT) )
+    {
+        /** @todo Check that it's DER encoding. */
+        *ppbRaw  = RTASN1CORE_GET_RAW_ASN1_PTR(pRoot);
+        *pcbRaw  = RTASN1CORE_GET_RAW_ASN1_SIZE(pRoot);
+        *ppvFree = NULL;
+        return VINF_SUCCESS;
+    }
+    /*
+     * Encode it into a temporary heap buffer.
+     */
+    uint32_t cbEncoded = 0;
+    int rc = RTAsn1EncodePrepare(pRoot, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
+    if (RT_SUCCESS(rc))
+    {
+        void *pvEncoded = RTMemTmpAllocZ(cbEncoded);
+        if (pvEncoded)
+        {
+            rc = RTAsn1EncodeToBuffer(pRoot, RTASN1ENCODE_F_DER, pvEncoded, cbEncoded, pErrInfo);
+            if (RT_SUCCESS(rc))
+            {
+                *ppvFree = pvEncoded;
+                *ppbRaw  = (unsigned char *)pvEncoded;
+                *pcbRaw  = cbEncoded;
+                return VINF_SUCCESS;
+            }
+            RTMemTmpFree(pvEncoded);
+        }
+        else
+            rc = RTErrInfoSetF(pErrInfo, VERR_NO_TMP_MEMORY, "RTMemTmpAllocZ(%u)", cbEncoded);
+    }
+    *ppvFree = NULL;
+    *ppbRaw  = NULL;
+    *pcbRaw  = 0;
+    return rc;
+}

trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp

-              r84248
+              r84310
+{
     const unsigned char *pabEncoded;
+    /*
+     * ASSUME that if the certificate has data pointers, it's been parsed out
+     * of a binary blob and we can safely access that here.
+     */
+    if (pCert->SeqCore.Asn1Core.uData.pv)
+    uint32_t             cbEncoded;
+    void                *pvFree;
+    int rc = RTAsn1EncodeQueryRawBits(RTCrX509Certificate_GetAsn1Core(pCert),
+                                      (const uint8_t **)&pabEncoded, &cbEncoded, &pvFree, pErrInfo);
+    if (RT_SUCCESS(rc))
+    {
         pabEncoded = (const unsigned char *)RTASN1CORE_GET_RAW_ASN1_PTR(&pCert->SeqCore.Asn1Core);
         uint32_t cbEncoded  = RTASN1CORE_GET_RAW_ASN1_SIZE(&pCert->SeqCore.Asn1Core);
         X509    *pOsslCert  = NULL;
         if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
+        X509 *pOsslCert = NULL;
+        X509 *pOsslCertRet = d2i_X509(&pOsslCert, &pabEncoded, cbEncoded);
+        RTMemTmpFree(pvFree);
+        if (pOsslCertRet == pOsslCert)
+        {
             *ppvOsslCert = pOsslCert;
             return VINF_SUCCESS;
+        }
+        rc = RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509");
+    }
-    /*
-     * Otherwise, we'll have to encode it into a temporary buffer that openssl
-     * can decode into its structures.
-     */
-    else
+    {
-        PRTASN1CORE pNonConstCore = (PRTASN1CORE)&pCert->SeqCore.Asn1Core;
-        uint32_t    cbEncoded     = 0;
-        int rc = RTAsn1EncodePrepare(pNonConstCore, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
-        AssertRCReturn(rc, rc);
-        void * const pvEncoded = RTMemTmpAllocZ(cbEncoded);
-        AssertReturn(pvEncoded, VERR_NO_TMP_MEMORY);
-        rc = RTAsn1EncodeToBuffer(pNonConstCore, RTASN1ENCODE_F_DER, pvEncoded, cbEncoded, pErrInfo);
-        if (RT_SUCCESS(rc))
+        {
-            pabEncoded = (const unsigned char *)pvEncoded;
-            X509 *pOsslCert = NULL;
-            if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
+            {
-                *ppvOsslCert = pOsslCert;
-                RTMemTmpFree(pvEncoded);
-                return VINF_SUCCESS;
+            }
+        }
-        else
+        {
-            RTMemTmpFree(pvEncoded);
-            return rc;
+        }
+    }
     *ppvOsslCert = NULL;
     return RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509");
+    return rc;
+}

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

-              r84230
+              r84310
 #include <iprt/err.h>
+#include <iprt/mem.h>
 #include <iprt/string.h>
 #include <iprt/crypto/digest.h>
 …
      * Verify using OpenSSL.          ERR_PUT_error
      */
+    int rcOssl;
+    unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
+    uint32_t             cbRawContent = RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)
+                                      + (pContentInfo->SeqCore.Asn1Core.fFlags & RTASN1CORE_F_INDEFINITE_LENGTH ? 2 : 0);
+    PKCS7 *pOsslPkcs7 = NULL;
+    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent) != NULL)
+    unsigned char const *pbRawContent;
+    uint32_t             cbRawContent;
+    void                *pvFree;
+    int rcOssl = RTAsn1EncodeQueryRawBits(RTCrPkcs7ContentInfo_GetAsn1Core(pContentInfo),
+                                          (const uint8_t **)&pbRawContent, &cbRawContent, &pvFree, pErrInfo);
+    AssertRCReturn(rcOssl, rcOssl);
+    PKCS7 *pOsslPkcs7   = NULL;
+    PKCS7 *pOsslPkcs7Ret = d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent);
+    RTMemTmpFree(pvFree);
+    if (pOsslPkcs7Ret != NULL)
+    {
         STACK_OF(X509) *pAddCerts = NULL;
 …
         /* ASSUMES that the attributes are encoded according to DER. */
+        uint8_t const  *pbData = (uint8_t const *)RTASN1CORE_GET_RAW_ASN1_PTR(&pSignerInfo->AuthenticatedAttributes.SetCore.Asn1Core);
+        uint32_t        cbData = RTASN1CORE_GET_RAW_ASN1_SIZE(&pSignerInfo->AuthenticatedAttributes.SetCore.Asn1Core);
+        uint8_t         bSetOfTag = ASN1_TAG_SET | ASN1_TAGCLASS_UNIVERSAL | ASN1_TAGFLAG_CONSTRUCTED;
+        rc = RTCrDigestUpdate(hDigest, &bSetOfTag, sizeof(bSetOfTag)); /* Replace the implict tag with a SET-OF tag. */
+        uint8_t const  *pbData;
+        uint32_t        cbData;
+        void           *pvFree = NULL;
+        rc = RTAsn1EncodeQueryRawBits(RTCrPkcs7Attributes_GetAsn1Core(&pSignerInfo->AuthenticatedAttributes),
+                                      &pbData, &cbData, &pvFree, pErrInfo);
         if (RT_SUCCESS(rc))
+            rc = RTCrDigestUpdate(hDigest, pbData + sizeof(bSetOfTag), cbData - sizeof(bSetOfTag)); /* Skip the implicit tag. */
+        if (RT_SUCCESS(rc))
+            rc = RTCrDigestFinal(hDigest, NULL, 0);
+        {
+            uint8_t bSetOfTag = ASN1_TAG_SET | ASN1_TAGCLASS_UNIVERSAL | ASN1_TAGFLAG_CONSTRUCTED;
+            rc = RTCrDigestUpdate(hDigest, &bSetOfTag, sizeof(bSetOfTag)); /* Replace the implict tag with a SET-OF tag. */
+            if (RT_SUCCESS(rc))
+                rc = RTCrDigestUpdate(hDigest, pbData + sizeof(bSetOfTag), cbData - sizeof(bSetOfTag)); /* Skip the implicit tag. */
+            if (RT_SUCCESS(rc))
+                rc = RTCrDigestFinal(hDigest, NULL, 0);
+            RTMemTmpFree(pvFree);
+        }
+    }
     return rc;
 …
      */
     int rc = VINF_SUCCESS;
+    if (   hSignerCertSrc == NIL_RTCRSTORE
+        || hSignerCertSrc != hTrustedCerts)
+    if (   (   hSignerCertSrc == NIL_RTCRSTORE
+            || hSignerCertSrc != hTrustedCerts)
+        && !(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS) )
+    {
         RTCRX509CERTPATHS hCertPaths;

trunk/src/VBox/Runtime/common/crypto/store.cpp

-              r84253
+              r84310
 #include <iprt/string.h>
+#include <iprt/crypto/pkcs7.h>
 #include <iprt/crypto/x509.h>
 …
+}
+RTDECL(int) RTCrStoreCertAddX509(RTCRSTORE hStore, uint32_t fFlags, PRTCRX509CERTIFICATE pCertificate, PRTERRINFO pErrInfo)
+{
+    /*
+     * Validate.
+     */
+    PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
+    AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
+    AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
+    AssertPtrReturn(pCertificate, VERR_INVALID_POINTER);
+    AssertReturn(RTCrX509Certificate_IsPresent(pCertificate), VERR_INVALID_PARAMETER);
+    int rc = RTCrX509Certificate_CheckSanity(pCertificate, 0, pErrInfo, "Cert");
+    AssertRCReturn(rc, rc);
+    AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ENC_MASK)), VERR_INVALID_FLAGS);
+    AssertCompile(RTCRCERTCTX_F_ENC_X509_DER == 0);
+    AssertMsgReturn((fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER,
+                    ("Invalid encoding: %#x\n", fFlags), VERR_INVALID_FLAGS);
+    /*
+     * Encode and add it using pfnCertAddEncoded.
+     */
+    if (pThis->pProvider->pfnCertAddEncoded)
+    {
+        PRTASN1CORE pCore     = RTCrX509Certificate_GetAsn1Core(pCertificate);
+        uint32_t    cbEncoded = 0;
+        rc = RTAsn1EncodePrepare(pCore, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
+        if (RT_SUCCESS(rc))
+        {
+            uint8_t * const pbEncoded = (uint8_t *)RTMemTmpAllocZ(cbEncoded);
+            if (pbEncoded)
+            {
+                rc = RTAsn1EncodeToBuffer(pCore, RTASN1ENCODE_F_DER, pbEncoded, cbEncoded, pErrInfo);
+                if (RT_SUCCESS(rc))
+                    rc = pThis->pProvider->pfnCertAddEncoded(pThis->pvProvider, fFlags, pbEncoded, cbEncoded, pErrInfo);
+                RTMemTmpFree(pbEncoded);
+            }
+            else
+                rc = VERR_NO_TMP_MEMORY;
+        }
+    }
+    else
+        rc = VERR_WRITE_PROTECT;
+    return rc;
+}
+RTDECL(int) RTCrStoreCertAddPkcs7(RTCRSTORE hStore, uint32_t fFlags, PRTCRPKCS7CERT pCertificate, PRTERRINFO pErrInfo)
+{
+    AssertPtrReturn(pCertificate, VERR_INVALID_POINTER);
+    AssertReturn(RTCrPkcs7Cert_IsPresent(pCertificate), VERR_INVALID_PARAMETER);
+    switch (pCertificate->enmChoice)
+    {
+        case RTCRPKCS7CERTCHOICE_X509:
+            return RTCrStoreCertAddX509(hStore, fFlags, pCertificate->u.pX509Cert, pErrInfo);
+        case RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement EXTENDED_PKCS6");
+        case RTCRPKCS7CERTCHOICE_AC_V1:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement AC_V1");
+        case RTCRPKCS7CERTCHOICE_AC_V2:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement AC_V2");
+        case RTCRPKCS7CERTCHOICE_OTHER:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement OTHER");
+        case RTCRPKCS7CERTCHOICE_END:
+        case RTCRPKCS7CERTCHOICE_INVALID:
+        case RTCRPKCS7CERTCHOICE_32BIT_HACK:
+            break;
+        /* no default */
+    }
+    return RTErrInfoSetF(pErrInfo, VERR_INVALID_PARAMETER, "Invalid RTCRPKCS7CERT enmChoice value: %d", pCertificate->enmChoice);
+}

trunk/src/VBox/Runtime/common/crypto/x509-verify.cpp

-              r82968
+              r84310
      * encoded bits are missing.
      */
+    if (   pThis->TbsCertificate.SeqCore.Asn1Core.uData.pu8
+        && pThis->TbsCertificate.SeqCore.Asn1Core.cb > 0)
+    const uint8_t  *pbRaw;
+    uint32_t        cbRaw;
+    void           *pvFree = NULL;
+    rc = RTAsn1EncodeQueryRawBits(RTCrX509TbsCertificate_GetAsn1Core(&pThis->TbsCertificate), &pbRaw, &cbRaw, &pvFree, pErrInfo);
+    if (RT_SUCCESS(rc))
+    {
         rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters, &pThis->SignatureValue,
+                                           RTASN1CORE_GET_RAW_ASN1_PTR(&pThis->TbsCertificate.SeqCore.Asn1Core),
+                                           RTASN1CORE_GET_RAW_ASN1_SIZE(&pThis->TbsCertificate.SeqCore.Asn1Core),
+                                           pErrInfo);
+    else
+    {
+        uint32_t cbEncoded;
+        rc = RTAsn1EncodePrepare((PRTASN1CORE)&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
+        if (RT_SUCCESS(rc))
+        {
+            void *pvTbsBits = RTMemTmpAlloc(cbEncoded);
+            if (pvTbsBits)
+            {
+                rc = RTAsn1EncodeToBuffer(&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER,
+                                          pvTbsBits, cbEncoded, pErrInfo);
+                if (RT_SUCCESS(rc))
+                    rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters,
+                                                       &pThis->SignatureValue, pvTbsBits, cbEncoded, pErrInfo);
+                else
+                    AssertRC(rc);
+                RTMemTmpFree(pvTbsBits);
+            }
+            else
+                rc = VERR_NO_TMP_MEMORY;
+        }
+                                           pbRaw, cbRaw, pErrInfo);
+        RTMemTmpFree(pvFree);
+    }

Note: See TracChangeset for help on using the changeset viewer.

Changeset 84310 in vbox

Legend:

Download in other formats: