Changeset 95690 in vbox

Timestamp:

Jul 18, 2022 12:59:34 AM (3 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

152340

Message:

RTSignTool: Don't add the dummy timestamp certificate we feed to OpenSSL when using a certificate with a private key in a windows crypto store. Cleaned up that real vs dummy cert thing a little better. bugref:8691

File:

• trunk/src/VBox/Runtime/tools/RTSignTool.cpp (modified) (7 diffs)

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -780 +780 @@
     }
 
+    /** Returns the real certificate. */
+    PCRTCRX509CERTIFICATE getRealCertificate() const
+    {
+#ifdef RT_OS_WINDOWS
+        if (pCertificateReal)
+            return pCertificateReal;
+#endif
+        return pCertificate;
+    }
+
 #ifdef RT_OS_WINDOWS
     RTEXITCODE loadFakePrivateKeyAndCert()
@@ -2007 +2017 @@
      */
     PRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
-    unsigned iCert = pSignedData->Certificates.cItems;
+    unsigned             iCert       = pSignedData->Certificates.cItems;
+    unsigned             cErased     = 0;
     while (iCert-- > 0)
     {
@@ -2015 +2026 @@
                                                               &pCertKeyPair->pCertificate->TbsCertificate.Issuer,
                                                               &pCertKeyPair->pCertificate->TbsCertificate.SerialNumber))
+        {
             RTCrPkcs7SetOfCerts_Erase(&pSignedData->Certificates, iCert);
-    }
+            cErased++;
+        }
+    }
+    if (cErased == 0)
+        return RTMsgErrorExitFailure("(%s) Failed to find temporary signing certificate in PKCS#7 from OpenSSL: %u certs",
+                                     pszWhat, pSignedData->Certificates.cItems);
 
     /* Then insert the real signing certificate. */
-    RTEXITCODE rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pCertKeyPair->pCertificateReal);
+    PCRTCRX509CERTIFICATE const pRealCertificate = pCertKeyPair->getRealCertificate();
+    RTEXITCODE rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pRealCertificate);
     if (rcExit != RTEXITCODE_SUCCESS)
         return rcExit;
@@ -2029 +2047 @@
     RTCrX509Name_Delete(&pSignerInfo->IssuerAndSerialNumber.Name);
     int rc = RTCrX509Name_Clone(&pSignerInfo->IssuerAndSerialNumber.Name,
-                                &pCertKeyPair->pCertificateReal->TbsCertificate.Issuer, &g_RTAsn1DefaultAllocator);
+                                &pRealCertificate->TbsCertificate.Issuer, &g_RTAsn1DefaultAllocator);
     if (RT_FAILURE(rc))
         return RTMsgErrorExitFailure("(%s) RTCrX509Name_Clone failed: %Rrc", pszWhat, rc);
@@ -2035 +2053 @@
     RTAsn1Integer_Delete(&pSignerInfo->IssuerAndSerialNumber.SerialNumber);
     rc = RTAsn1Integer_Clone(&pSignerInfo->IssuerAndSerialNumber.SerialNumber,
-                             &pCertKeyPair->pCertificateReal->TbsCertificate.SerialNumber, &g_RTAsn1DefaultAllocator);
+                             &pRealCertificate->TbsCertificate.SerialNumber, &g_RTAsn1DefaultAllocator);
     if (RT_FAILURE(rc))
         return RTMsgErrorExitFailure("(%s) RTAsn1Integer_Clone failed: %Rrc", pszWhat, rc);
@@ -2273 +2291 @@
 
     RTEXITCODE rcExit = SignToolPkcs7_AddAuthAttribsForTimestamp(&AuthAttribs, fTimestampTypeOld, SigningTime,
-                                                                 pTimestampPair->pCertificate);
+                                                                 pTimestampPair->getRealCertificate());
     if (rcExit == RTEXITCODE_SUCCESS)
     {
@@ -2322 +2340 @@
             if (rcExit == RTEXITCODE_SUCCESS)
             {
-                rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pTimestampPair->pCertificate);
+                rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pTimestampPair->getRealCertificate());
 
                 PCRTCRCERTCTX pInterCaCtx = NULL;