VirtualBox

Changeset 84330 in vbox


Ignore:
Timestamp:
May 18, 2020 1:37:00 PM (5 years ago)
Author:
vboxsync
Message:

IPRT: Adding some new flags to the PKCS#7/CMS verification routines. bugref:9699

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/include/iprt/crypto/pkcs7.h

    r84310 r84330  
    527527 *                              certificates chains at.  Ignored for signatures
    528528 *                              with valid signing time attributes.
     529 *                              When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
     530 *                              is set, this is updated to the actual validation
     531 *                              time used.
    529532 * @param   pfnVerifyCert       Callback for checking that a certificate used
    530533 *                              for signing the data is suitable.
     
    554557 *                              certificates chains at.  Ignored for signatures
    555558 *                              with valid signing time attributes.
     559 *                              When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
     560 *                              is set, this is updated to the actual validation
     561 *                              time used.
    556562 * @param   pfnVerifyCert       Callback for checking that a certificate used
    557563 *                              for signing the data is suitable.
     
    597603 * certificates to be trustworthy. */
    598604#define RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS                        RT_BIT_32(7)
     605/** Update @a pValidationTime with the actual validation time used.
     606 * This requires RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX to get a consistent
     607 * result.  And yeah, it unconst the parameter, which is patently ugly. */
     608#define RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME                 RT_BIT_32(8)
     609
     610/** This can be used to only verify one given signer info.
     611 * Max index value is 15.  */
     612#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX(a_idxSignerInfo) \
     613    (  RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX \
     614     | (((a_idxSignerInfo) & RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX) << RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT) )
     615/** Has a valid value in RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK. */
     616#define RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX                       RT_BIT_32(23)
     617/** Signer index shift value. */
     618#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT                     24
     619/** Signer index mask. */
     620#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK                      UINT32_C(0x0f000000)
     621/** Max signer index value (inclusive). */
     622#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX \
     623    (RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK >> RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT)
    599624
    600625/** Indicates internally that we're validating a counter signature and should

  • trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

    r84310 r84330  
    441441    int rc = VINF_SUCCESS;
    442442    if (   (   hSignerCertSrc == NIL_RTCRSTORE
    443             || hSignerCertSrc != hTrustedCerts)
     443            || hSignerCertSrc != hTrustedCerts ) /** @todo 'hSignerCertSrc != hTrustedCerts' ain't making sense wrt pValidationTime */
    444444        && !(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS) )
    445445    {
     
    659659        {
    660660            /*
    661              * Validate the signed infos.
     661             * Validate the signed infos.  The flags may select one particular entry.
    662662             */
     663            RTTIMESPEC const GivenValidationTime = *pValidationTime;
    663664            uint32_t fPrimaryVccFlags = !(fFlags & RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING)
    664665                                      ? RTCRPKCS7VCC_F_SIGNED_DATA : RTCRPKCS7VCC_F_TIMESTAMP;
     666            uint32_t cItems           = pSignedData->SignerInfos.cItems;
     667            i                         = 0;
     668            if (fFlags & RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX)
     669            {
     670                i      = (fFlags & RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK) >> RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT;
     671                cItems = RT_MIN(cItems, i + 1);
     672            }
    665673            rc = VERR_CR_PKCS7_NO_SIGNER_INFOS;
    666             for (i = 0; i < pSignedData->SignerInfos.cItems; i++)
     674            for (; i < cItems; i++)
    667675            {
    668676                PCRTCRPKCS7SIGNERINFO   pSignerInfo = pSignedData->SignerInfos.papItems[i];
     
    699707                            rc = VINF_SUCCESS;
    700708                            if (!(fFlags & RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED))
    701                                 rc = rtCrPkcs7VerifyCounterSignerInfo(pSigningTimeSigner, pSignerInfo, pSignedData, fFlags,
     709                                rc = rtCrPkcs7VerifyCounterSignerInfo(pSigningTimeSigner, pSignerInfo, pSignedData,
     710                                                                      fFlags & ~RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME,
    702711                                                                      hAdditionalCerts, hTrustedCerts, &ThisValidationTime,
    703712                                                                      pfnVerifyCert, RTCRPKCS7VCC_F_TIMESTAMP, pvUser, pErrInfo);
     
    709718                        fDone = RT_SUCCESS(rc)
    710719                             || (fFlags & RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT);
     720                        if ((fFlags & RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME) && fDone)
     721                            *(PRTTIMESPEC)pValidationTime = ThisValidationTime;
    711722                    }
    712723                    else
     
    743754                            fDone = RT_SUCCESS(rc)
    744755                                 || (fFlags & RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT);
     756                            if ((fFlags & RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME) && fDone)
     757                                *(PRTTIMESPEC)pValidationTime = ThisValidationTime;
    745758                        }
    746759                        else
     
    758771                if (!fDone)
    759772                    rc = rtCrPkcs7VerifySignerInfo(pSignerInfo, pSignedData, hThisDigest, fFlags, hAdditionalCerts, hTrustedCerts,
    760                                                    pValidationTime, pfnVerifyCert, fPrimaryVccFlags, pvUser, pErrInfo);
     773                                                   &GivenValidationTime, pfnVerifyCert, fPrimaryVccFlags, pvUser, pErrInfo);
    761774                RTCrDigestRelease(hThisDigest);
    762775                if (RT_FAILURE(rc))
     
    785798    if (fFlags & RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING)
    786799        return rc;
     800    /** @todo figure out if we can verify just one signer info item using OpenSSL. */
     801    if (!(fFlags & RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX) && pSignedData->SignerInfos.cItems > 1)
     802        return rc;
     803
    787804    int rcOssl = rtCrPkcs7VerifySignedDataUsingOpenSsl(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts,
    788805                                                       pvContent, cbContent, RT_SUCCESS(rc) ? pErrInfo : NULL);
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette