Changeset 84310 in vbox for trunk/src/VBox/Runtime/common/crypto

Timestamp:

May 14, 2020 5:40:35 PM (5 years ago)

Author:

vboxsync

Message:

IPRT/crypto: Adding RTAsn1EncodeQueryRawBits to deal with getting encoded bytes cheaply if possible and always safely. Fixed another place using RTASN1CORE_GET_RAW_ASN1_PTR and assuming input was decoded and had valid data pointers. Added RTCrStoreCertAddPkcs7 and RTCrStoreCertAddX509 for more conveniently adding decoded certs to stores. Added RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS to the PKCS7 verification code. Added RTCrPkcs7_ReadFromBuffer. bugref:9699

Location:

trunk/src/VBox/Runtime/common/crypto

Files:

• iprt-openssl.cpp (modified) (1 diff)
• pkcs7-file.cpp (added)
• pkcs7-verify.cpp (modified) (4 diffs)
• store.cpp (modified) (2 diffs)
• x509-verify.cpp (modified) (1 diff)

trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp

@@ -70 +70 @@
 {
     const unsigned char *pabEncoded;
-
-    /*
-     * ASSUME that if the certificate has data pointers, it's been parsed out
-     * of a binary blob and we can safely access that here.
-     */
-    if (pCert->SeqCore.Asn1Core.uData.pv)
+    uint32_t             cbEncoded;
+    void                *pvFree;
+    int rc = RTAsn1EncodeQueryRawBits(RTCrX509Certificate_GetAsn1Core(pCert),
+                                      (const uint8_t **)&pabEncoded, &cbEncoded, &pvFree, pErrInfo);
+    if (RT_SUCCESS(rc))
     {
-        pabEncoded = (const unsigned char *)RTASN1CORE_GET_RAW_ASN1_PTR(&pCert->SeqCore.Asn1Core);
-        uint32_t cbEncoded  = RTASN1CORE_GET_RAW_ASN1_SIZE(&pCert->SeqCore.Asn1Core);
-        X509    *pOsslCert  = NULL;
-        if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
+        X509 *pOsslCert = NULL;
+        X509 *pOsslCertRet = d2i_X509(&pOsslCert, &pabEncoded, cbEncoded);
+        RTMemTmpFree(pvFree);
+        if (pOsslCertRet == pOsslCert)
         {
             *ppvOsslCert = pOsslCert;
             return VINF_SUCCESS;
         }
+        rc = RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509");
+
     }
-    /*
-     * Otherwise, we'll have to encode it into a temporary buffer that openssl
-     * can decode into its structures.
-     */
-    else
-    {
-        PRTASN1CORE pNonConstCore = (PRTASN1CORE)&pCert->SeqCore.Asn1Core;
-        uint32_t    cbEncoded     = 0;
-        int rc = RTAsn1EncodePrepare(pNonConstCore, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
-        AssertRCReturn(rc, rc);
-
-        void * const pvEncoded = RTMemTmpAllocZ(cbEncoded);
-        AssertReturn(pvEncoded, VERR_NO_TMP_MEMORY);
-
-        rc = RTAsn1EncodeToBuffer(pNonConstCore, RTASN1ENCODE_F_DER, pvEncoded, cbEncoded, pErrInfo);
-        if (RT_SUCCESS(rc))
-        {
-            pabEncoded = (const unsigned char *)pvEncoded;
-            X509 *pOsslCert = NULL;
-            if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert)
-            {
-                *ppvOsslCert = pOsslCert;
-                RTMemTmpFree(pvEncoded);
-                return VINF_SUCCESS;
-            }
-        }
-        else
-        {
-            RTMemTmpFree(pvEncoded);
-            return rc;
-        }
-    }
-
     *ppvOsslCert = NULL;
-    return RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509");
+    return rc;
 }
 

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

@@ -33 +33 @@
 
 #include <iprt/err.h>
+#include <iprt/mem.h>
 #include <iprt/string.h>
 #include <iprt/crypto/digest.h>
@@ -59 +60 @@
      * Verify using OpenSSL.          ERR_PUT_error
      */
-    int rcOssl;
-    unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
-    uint32_t             cbRawContent = RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)
-                                      + (pContentInfo->SeqCore.Asn1Core.fFlags & RTASN1CORE_F_INDEFINITE_LENGTH ? 2 : 0);
-    PKCS7 *pOsslPkcs7 = NULL;
-    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent) != NULL)
+    unsigned char const *pbRawContent;
+    uint32_t             cbRawContent;
+    void                *pvFree;
+    int rcOssl = RTAsn1EncodeQueryRawBits(RTCrPkcs7ContentInfo_GetAsn1Core(pContentInfo),
+                                          (const uint8_t **)&pbRawContent, &cbRawContent, &pvFree, pErrInfo);
+    AssertRCReturn(rcOssl, rcOssl);
+
+    PKCS7 *pOsslPkcs7   = NULL;
+    PKCS7 *pOsslPkcs7Ret = d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent);
+
+    RTMemTmpFree(pvFree);
+
+    if (pOsslPkcs7Ret != NULL)
     {
         STACK_OF(X509) *pAddCerts = NULL;
@@ -317 +325 @@
 
         /* ASSUMES that the attributes are encoded according to DER. */
-        uint8_t const  *pbData = (uint8_t const *)RTASN1CORE_GET_RAW_ASN1_PTR(&pSignerInfo->AuthenticatedAttributes.SetCore.Asn1Core);
-        uint32_t        cbData = RTASN1CORE_GET_RAW_ASN1_SIZE(&pSignerInfo->AuthenticatedAttributes.SetCore.Asn1Core);
-        uint8_t         bSetOfTag = ASN1_TAG_SET | ASN1_TAGCLASS_UNIVERSAL | ASN1_TAGFLAG_CONSTRUCTED;
-        rc = RTCrDigestUpdate(hDigest, &bSetOfTag, sizeof(bSetOfTag)); /* Replace the implict tag with a SET-OF tag. */
+        uint8_t const  *pbData;
+        uint32_t        cbData;
+        void           *pvFree = NULL;
+        rc = RTAsn1EncodeQueryRawBits(RTCrPkcs7Attributes_GetAsn1Core(&pSignerInfo->AuthenticatedAttributes),
+                                      &pbData, &cbData, &pvFree, pErrInfo);
         if (RT_SUCCESS(rc))
-            rc = RTCrDigestUpdate(hDigest, pbData + sizeof(bSetOfTag), cbData - sizeof(bSetOfTag)); /* Skip the implicit tag. */
-        if (RT_SUCCESS(rc))
-            rc = RTCrDigestFinal(hDigest, NULL, 0);
+        {
+            uint8_t bSetOfTag = ASN1_TAG_SET | ASN1_TAGCLASS_UNIVERSAL | ASN1_TAGFLAG_CONSTRUCTED;
+            rc = RTCrDigestUpdate(hDigest, &bSetOfTag, sizeof(bSetOfTag)); /* Replace the implict tag with a SET-OF tag. */
+            if (RT_SUCCESS(rc))
+                rc = RTCrDigestUpdate(hDigest, pbData + sizeof(bSetOfTag), cbData - sizeof(bSetOfTag)); /* Skip the implicit tag. */
+            if (RT_SUCCESS(rc))
+                rc = RTCrDigestFinal(hDigest, NULL, 0);
+            RTMemTmpFree(pvFree);
+        }
     }
     return rc;
@@ -425 +440 @@
      */
     int rc = VINF_SUCCESS;
-    if (   hSignerCertSrc == NIL_RTCRSTORE
-        || hSignerCertSrc != hTrustedCerts)
+    if (   (   hSignerCertSrc == NIL_RTCRSTORE
+            || hSignerCertSrc != hTrustedCerts)
+        && !(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS) )
     {
         RTCRX509CERTPATHS hCertPaths;

trunk/src/VBox/Runtime/common/crypto/store.cpp

@@ -37 +37 @@
 #include <iprt/string.h>
 
+#include <iprt/crypto/pkcs7.h>
 #include <iprt/crypto/x509.h>
 
@@ -188 +189 @@
 }
 
+
+RTDECL(int) RTCrStoreCertAddX509(RTCRSTORE hStore, uint32_t fFlags, PRTCRX509CERTIFICATE pCertificate, PRTERRINFO pErrInfo)
+{
+    /*
+     * Validate.
+     */
+    PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
+    AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
+    AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
+
+    AssertPtrReturn(pCertificate, VERR_INVALID_POINTER);
+    AssertReturn(RTCrX509Certificate_IsPresent(pCertificate), VERR_INVALID_PARAMETER);
+    int rc = RTCrX509Certificate_CheckSanity(pCertificate, 0, pErrInfo, "Cert");
+    AssertRCReturn(rc, rc);
+
+    AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ENC_MASK)), VERR_INVALID_FLAGS);
+    AssertCompile(RTCRCERTCTX_F_ENC_X509_DER == 0);
+    AssertMsgReturn((fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER,
+                    ("Invalid encoding: %#x\n", fFlags), VERR_INVALID_FLAGS);
+
+    /*
+     * Encode and add it using pfnCertAddEncoded.
+     */
+    if (pThis->pProvider->pfnCertAddEncoded)
+    {
+        PRTASN1CORE pCore     = RTCrX509Certificate_GetAsn1Core(pCertificate);
+        uint32_t    cbEncoded = 0;
+        rc = RTAsn1EncodePrepare(pCore, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
+        if (RT_SUCCESS(rc))
+        {
+            uint8_t * const pbEncoded = (uint8_t *)RTMemTmpAllocZ(cbEncoded);
+            if (pbEncoded)
+            {
+                rc = RTAsn1EncodeToBuffer(pCore, RTASN1ENCODE_F_DER, pbEncoded, cbEncoded, pErrInfo);
+                if (RT_SUCCESS(rc))
+                    rc = pThis->pProvider->pfnCertAddEncoded(pThis->pvProvider, fFlags, pbEncoded, cbEncoded, pErrInfo);
+                RTMemTmpFree(pbEncoded);
+            }
+            else
+                rc = VERR_NO_TMP_MEMORY;
+        }
+    }
+    else
+        rc = VERR_WRITE_PROTECT;
+
+    return rc;
+}
+
+
+RTDECL(int) RTCrStoreCertAddPkcs7(RTCRSTORE hStore, uint32_t fFlags, PRTCRPKCS7CERT pCertificate, PRTERRINFO pErrInfo)
+{
+    AssertPtrReturn(pCertificate, VERR_INVALID_POINTER);
+    AssertReturn(RTCrPkcs7Cert_IsPresent(pCertificate), VERR_INVALID_PARAMETER);
+    switch (pCertificate->enmChoice)
+    {
+        case RTCRPKCS7CERTCHOICE_X509:
+            return RTCrStoreCertAddX509(hStore, fFlags, pCertificate->u.pX509Cert, pErrInfo);
+
+        case RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement EXTENDED_PKCS6");
+        case RTCRPKCS7CERTCHOICE_AC_V1:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement AC_V1");
+        case RTCRPKCS7CERTCHOICE_AC_V2:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement AC_V2");
+        case RTCRPKCS7CERTCHOICE_OTHER:
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_IMPLEMENTED, "RTCrStoreCertAddPkcs7 does not implement OTHER");
+        case RTCRPKCS7CERTCHOICE_END:
+        case RTCRPKCS7CERTCHOICE_INVALID:
+        case RTCRPKCS7CERTCHOICE_32BIT_HACK:
+            break;
+        /* no default */
+    }
+    return RTErrInfoSetF(pErrInfo, VERR_INVALID_PARAMETER, "Invalid RTCRPKCS7CERT enmChoice value: %d", pCertificate->enmChoice);
+}
 
 

trunk/src/VBox/Runtime/common/crypto/x509-verify.cpp

@@ -89 +89 @@
      * encoded bits are missing.
      */
-    if (   pThis->TbsCertificate.SeqCore.Asn1Core.uData.pu8
-        && pThis->TbsCertificate.SeqCore.Asn1Core.cb > 0)
+    const uint8_t  *pbRaw;
+    uint32_t        cbRaw;
+    void           *pvFree = NULL;
+    rc = RTAsn1EncodeQueryRawBits(RTCrX509TbsCertificate_GetAsn1Core(&pThis->TbsCertificate), &pbRaw, &cbRaw, &pvFree, pErrInfo);
+    if (RT_SUCCESS(rc))
+    {
         rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters, &pThis->SignatureValue,
-                                           RTASN1CORE_GET_RAW_ASN1_PTR(&pThis->TbsCertificate.SeqCore.Asn1Core),
-                                           RTASN1CORE_GET_RAW_ASN1_SIZE(&pThis->TbsCertificate.SeqCore.Asn1Core),
-                                           pErrInfo);
-    else
-    {
-        uint32_t cbEncoded;
-        rc = RTAsn1EncodePrepare((PRTASN1CORE)&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
-        if (RT_SUCCESS(rc))
-        {
-            void *pvTbsBits = RTMemTmpAlloc(cbEncoded);
-            if (pvTbsBits)
-            {
-                rc = RTAsn1EncodeToBuffer(&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER,
-                                          pvTbsBits, cbEncoded, pErrInfo);
-                if (RT_SUCCESS(rc))
-                    rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters,
-                                                       &pThis->SignatureValue, pvTbsBits, cbEncoded, pErrInfo);
-                else
-                    AssertRC(rc);
-                RTMemTmpFree(pvTbsBits);
-            }
-            else
-                rc = VERR_NO_TMP_MEMORY;
-        }
+                                           pbRaw, cbRaw, pErrInfo);
+        RTMemTmpFree(pvFree);
     }