Changeset 84380 in vbox for trunk/src/VBox/Runtime/common

Timestamp:

May 19, 2020 7:42:11 PM (5 years ago)

Author:

vboxsync

Message:

IPRT/RTCrPkcs7: Added RTCRPKCS7VERIFY_SD_F_CHECK_TRUST_ANCHORS. Cleaned up @todo from r138008. bugref:9699

File:

• trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (modified) (3 diffs)

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

@@ -409 +409 @@
     PCRTCRCERTCTX           pSignerCertCtx = NULL;
     PCRTCRX509CERTIFICATE   pSignerCert = NULL;
-    RTCRSTORE               hSignerCertSrc = hTrustedCerts;
-    if (hSignerCertSrc != NIL_RTCRSTORE)
-        pSignerCertCtx = RTCrStoreCertByIssuerAndSerialNo(hSignerCertSrc, &pSignerInfo->IssuerAndSerialNumber.Name,
+    if (hTrustedCerts != NIL_RTCRSTORE)
+        pSignerCertCtx = RTCrStoreCertByIssuerAndSerialNo(hTrustedCerts, &pSignerInfo->IssuerAndSerialNumber.Name,
                                                           &pSignerInfo->IssuerAndSerialNumber.SerialNumber);
-    if (!pSignerCertCtx)
-    {
-        hSignerCertSrc = hAdditionalCerts;
-        if (hSignerCertSrc != NIL_RTCRSTORE)
-            pSignerCertCtx = RTCrStoreCertByIssuerAndSerialNo(hSignerCertSrc, &pSignerInfo->IssuerAndSerialNumber.Name,
-                                                              &pSignerInfo->IssuerAndSerialNumber.SerialNumber);
-    }
+    if (!pSignerCertCtx && hAdditionalCerts != NIL_RTCRSTORE)
+        pSignerCertCtx = RTCrStoreCertByIssuerAndSerialNo(hAdditionalCerts, &pSignerInfo->IssuerAndSerialNumber.Name,
+                                                          &pSignerInfo->IssuerAndSerialNumber.SerialNumber);
     if (pSignerCertCtx)
         pSignerCert = pSignerCertCtx->pCert;
     else
     {
-        hSignerCertSrc = NULL;
         pSignerCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
                                                                           &pSignerInfo->IssuerAndSerialNumber.Name,
@@ -436 +430 @@
 
     /*
-     * If not a trusted certificate, we'll have to build certificate paths
-     * and verify them.  If no valid paths are found, this step will fail.
-     */
-    int rc = VINF_SUCCESS;
-    if (   /*(   hSignerCertSrc == NIL_RTCRSTORE
-            || hSignerCertSrc != hTrustedCerts )
-        &&*/ /** @todo 'hSignerCertSrc != hTrustedCerts' ain't making sense wrt pValidationTime */
-        !(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS) )
+     * Unless caller requesed all certificates to be trusted fully, we always
+     * pass it on to the certificate path builder so it can do the requested
+     * checks on trust anchors.   (We didn't used to do this as the path
+     * builder could handle trusted targets.  A benefit here is that
+     * pfnVerifyCert can assume a hCertPaths now, and get the validation time
+     * from it if it wants it.)
+     *
+     * If no valid paths are found, this step will fail.
+     */
+    int rc;
+    if (!(fFlags & RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS))
     {
         RTCRX509CERTPATHS hCertPaths;
@@ -456 +453 @@
             if (pSignedData->Certificates.cItems > 0 && RT_SUCCESS(rc))
                 rc = RTCrX509CertPathsSetUntrustedSet(hCertPaths, &pSignedData->Certificates);
+            if ((fFlags & RTCRPKCS7VERIFY_SD_F_CHECK_TRUST_ANCHORS) && RT_SUCCESS(rc))
+                rc = RTCrX509CertPathsSetTrustAnchorChecks(hCertPaths, true /*fEnable*/);
             if (RT_SUCCESS(rc))
             {