VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp@ 59676

最後變更 在這個檔案從59676是 59676,由 vboxsync 提交於 9 年 前

RTCrX509CertPaths: Don't use ValidTime unless it's actually set.
  • 屬性 svn:eol-style 設為 native
  • 屬性 svn:keywords 設為 Author Date Id Revision
檔案大小: 105.4 KB
 
1/* $Id: x509-certpaths.cpp 59676 2016-02-15 12:14:31Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Simple Certificate Path Builder & Validator.
4 */
5
6/*
7 * Copyright (C) 2006-2015 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.alldomusa.eu.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#define LOG_GROUP RTLOGGROUP_CRYPTO
32#include "internal/iprt.h"
33#include <iprt/crypto/x509.h>
34
35#include <iprt/asm.h>
36#include <iprt/ctype.h>
37#include <iprt/err.h>
38#include <iprt/mem.h>
39#include <iprt/string.h>
40#include <iprt/list.h>
41#include <iprt/log.h>
42#include <iprt/time.h>
43#include <iprt/crypto/pkcs7.h> /* PCRTCRPKCS7SETOFCERTS */
44#include <iprt/crypto/store.h>
45
46#include "x509-internal.h"
47
48
49/*********************************************************************************************************************************
50* Structures and Typedefs *
51*********************************************************************************************************************************/
52/**
53 * X.509 certificate path node.
54 */
55typedef struct RTCRX509CERTPATHNODE
56{
57 /** Sibling list entry. */
58 RTLISTNODE SiblingEntry;
59 /** List of children or leaf list entry. */
60 RTLISTANCHOR ChildListOrLeafEntry;
61 /** Pointer to the parent node. NULL for root. */
62 struct RTCRX509CERTPATHNODE *pParent;
63
64 /** The distance between this node and the target. */
65 uint32_t uDepth : 8;
66 /** Indicates the source of this certificate. */
67 uint32_t uSrc : 3;
68 /** Set if this is a leaf node. */
69 uint32_t fLeaf : 1;
70 /** Makes sure it's a 32-bit bitfield. */
71 uint32_t uReserved : 20;
72
73 /** Leaf only: The result of the last path vertification. */
74 int rcVerify;
75
76 /** Pointer to the certificate. This can be NULL only for trust anchors. */
77 PCRTCRX509CERTIFICATE pCert;
78
79 /** If the certificate or trust anchor was obtained from a store, this is the
80 * associated certificate context (referenced of course). This is used to
81 * access the trust anchor information, if present.
82 *
83 * (If this is NULL it's from a certificate array or some such given directly to
84 * the path building code. It's assumed the caller doesn't free these until the
85 * path validation/whatever is done with and the paths destroyed.) */
86 PCRTCRCERTCTX pCertCtx;
87} RTCRX509CERTPATHNODE;
88/** Pointer to a X.509 path node. */
89typedef RTCRX509CERTPATHNODE *PRTCRX509CERTPATHNODE;
90
91/** @name RTCRX509CERTPATHNODE::uSrc values.
92 * The trusted and untrusted sources ordered in priority order, where higher
93 * number means high priority in case of duplicates.
94 * @{ */
95#define RTCRX509CERTPATHNODE_SRC_NONE 0
96#define RTCRX509CERTPATHNODE_SRC_TARGET 1
97#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET 2
98#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY 3
99#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE 4
100#define RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE 5
101#define RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT 6
102#define RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc) ((uSrc) >= RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE)
103/** @} */
104
105
106/**
107 * Policy tree node.
108 */
109typedef struct RTCRX509CERTPATHSPOLICYNODE
110{
111 /** Sibling list entry. */
112 RTLISTNODE SiblingEntry;
113 /** Tree depth list entry. */
114 RTLISTNODE DepthEntry;
115 /** List of children or leaf list entry. */
116 RTLISTANCHOR ChildList;
117 /** Pointer to the parent. */
118 struct RTCRX509CERTPATHSPOLICYNODE *pParent;
119
120 /** The policy object ID. */
121 PCRTASN1OBJID pValidPolicy;
122
123 /** Optional sequence of policy qualifiers. */
124 PCRTCRX509POLICYQUALIFIERINFOS pPolicyQualifiers;
125
126 /** The first policy ID in the exepcted policy set. */
127 PCRTASN1OBJID pExpectedPolicyFirst;
128 /** Set if we've already mapped pExpectedPolicyFirst. */
129 bool fAlreadyMapped;
130 /** Number of additional items in the expected policy set. */
131 uint32_t cMoreExpectedPolicySet;
132 /** Additional items in the expected policy set. */
133 PCRTASN1OBJID *papMoreExpectedPolicySet;
134} RTCRX509CERTPATHSPOLICYNODE;
135/** Pointer to a policy tree node. */
136typedef RTCRX509CERTPATHSPOLICYNODE *PRTCRX509CERTPATHSPOLICYNODE;
137
138
139/**
140 * Path builder and validator instance.
141 *
142 * The path builder creates a tree of certificates by forward searching from the
143 * end-entity towards a trusted source. The leaf nodes are inserted into list
144 * ordered by the source of the leaf certificate and the path length (i.e. tree
145 * depth).
146 *
147 * The path validator works the tree from the leaf end and validates each
148 * potential path found by the builder. It is generally happy with one working
149 * path, but may be told to verify all of them.
150 */
151typedef struct RTCRX509CERTPATHSINT
152{
153 /** Magic number. */
154 uint32_t u32Magic;
155 /** Reference counter. */
156 uint32_t volatile cRefs;
157
158 /** @name Input
159 * @{ */
160 /** The target certificate (end entity) to build a trusted path for. */
161 PCRTCRX509CERTIFICATE pTarget;
162
163 /** Lone trusted certificate. */
164 PCRTCRX509CERTIFICATE pTrustedCert;
165 /** Store of trusted certificates. */
166 RTCRSTORE hTrustedStore;
167
168 /** Store of untrusted certificates. */
169 RTCRSTORE hUntrustedStore;
170 /** Array of untrusted certificates, typically from the protocol. */
171 PCRTCRX509CERTIFICATE paUntrustedCerts;
172 /** Number of entries in paUntrusted. */
173 uint32_t cUntrustedCerts;
174 /** Set of untrusted PKCS \#7 / CMS certificatess. */
175 PCRTCRPKCS7SETOFCERTS pUntrustedCertsSet;
176
177 /** UTC time we're going to validate the path at, requires
178 * RTCRX509CERTPATHSINT_F_VALID_TIME to be set. */
179 RTTIMESPEC ValidTime;
180 /** Number of policy OIDs in the user initial policy set, 0 means anyPolicy. */
181 uint32_t cInitialUserPolicySet;
182 /** The user initial policy set. As with all other user provided data, we
183 * assume it's immutable and remains valid for the usage period of the path
184 * builder & validator. */
185 PCRTASN1OBJID *papInitialUserPolicySet;
186 /** Number of certificates before the user wants an explicit policy result.
187 * Set to UINT32_MAX no explicit policy restriction required by the user. */
188 uint32_t cInitialExplicitPolicy;
189 /** Number of certificates before the user wants policy mapping to be
190 * inhibited. Set to UINT32_MAX if no initial policy mapping inhibition
191 * desired by the user. */
192 uint32_t cInitialPolicyMappingInhibit;
193 /** Number of certificates before the user wants the anyPolicy to be rejected.
194 * Set to UINT32_MAX no explicit policy restriction required by the user. */
195 uint32_t cInitialInhibitAnyPolicy;
196 /** Initial name restriction: Permitted subtrees. */
197 PCRTCRX509GENERALSUBTREES pInitialPermittedSubtrees;
198 /** Initial name restriction: Excluded subtrees. */
199 PCRTCRX509GENERALSUBTREES pInitialExcludedSubtrees;
200
201 /** Flags RTCRX509CERTPATHSINT_F_XXX. */
202 uint32_t fFlags;
203 /** @} */
204
205 /** Sticky status for remembering allocation errors and the like. */
206 int32_t rc;
207 /** Where to store extended error info (optional). */
208 PRTERRINFO pErrInfo;
209
210 /** @name Path Builder Output
211 * @{ */
212 /** Pointer to the root of the tree. This will always be non-NULL after path
213 * building and thus can be reliably used to tell if path building has taken
214 * place or not. */
215 PRTCRX509CERTPATHNODE pRoot;
216 /** List of working leaf tree nodes. */
217 RTLISTANCHOR LeafList;
218 /** The number of paths (leafs). */
219 uint32_t cPaths;
220 /** @} */
221
222 /** Path Validator State. */
223 struct
224 {
225 /** Number of nodes in the certificate path we're validating (aka 'n'). */
226 uint32_t cNodes;
227 /** The current node (0 being the trust anchor). */
228 uint32_t iNode;
229
230 /** The root node of the valid policy tree. */
231 PRTCRX509CERTPATHSPOLICYNODE pValidPolicyTree;
232 /** An array of length cNodes + 1 which tracks all nodes at the given (index)
233 * tree depth via the RTCRX509CERTPATHSPOLICYNODE::DepthEntry member. */
234 PRTLISTANCHOR paValidPolicyDepthLists;
235
236 /** Number of entries in paPermittedSubtrees (name constraints).
237 * If zero, no permitted name constrains currently in effect. */
238 uint32_t cPermittedSubtrees;
239 /** The allocated size of papExcludedSubtrees */
240 uint32_t cPermittedSubtreesAlloc;
241 /** Array of permitted subtrees we've collected so far (name constraints). */
242 PCRTCRX509GENERALSUBTREE *papPermittedSubtrees;
243 /** Set if we end up with an empty set after calculating a name constraints
244 * union. */
245 bool fNoPermittedSubtrees;
246
247 /** Number of entries in paExcludedSubtrees (name constraints).
248 * If zero, no excluded name constrains currently in effect. */
249 uint32_t cExcludedSubtrees;
250 /** Array of excluded subtrees we've collected so far (name constraints). */
251 PCRTCRX509GENERALSUBTREES *papExcludedSubtrees;
252
253 /** Number of non-self-issued certificates to be processed before a non-NULL
254 * paValidPolicyTree is required. */
255 uint32_t cExplicitPolicy;
256 /** Number of non-self-issued certificates to be processed we stop processing
257 * policy mapping extensions. */
258 uint32_t cInhibitPolicyMapping;
259 /** Number of non-self-issued certificates to be processed before a the
260 * anyPolicy is rejected. */
261 uint32_t cInhibitAnyPolicy;
262 /** Number of non-self-issued certificates we're allowed to process. */
263 uint32_t cMaxPathLength;
264
265 /** The working issuer name. */
266 PCRTCRX509NAME pWorkingIssuer;
267 /** The working public key algorithm ID. */
268 PCRTASN1OBJID pWorkingPublicKeyAlgorithm;
269 /** The working public key algorithm parameters. */
270 PCRTASN1DYNTYPE pWorkingPublicKeyParameters;
271 /** A bit string containing the public key. */
272 PCRTASN1BITSTRING pWorkingPublicKey;
273 } v;
274
275 /** An object identifier initialized to anyPolicy. */
276 RTASN1OBJID AnyPolicyObjId;
277
278 /** Temporary scratch space. */
279 char szTmp[1024];
280} RTCRX509CERTPATHSINT;
281typedef RTCRX509CERTPATHSINT *PRTCRX509CERTPATHSINT;
282
283/** Magic value for RTCRX509CERTPATHSINT::u32Magic (Bruce Schneier). */
284#define RTCRX509CERTPATHSINT_MAGIC UINT32_C(0x19630115)
285
286/** @name RTCRX509CERTPATHSINT_F_XXX - Certificate path build flags.
287 * @{ */
288#define RTCRX509CERTPATHSINT_F_VALID_TIME RT_BIT_32(0)
289#define RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS RT_BIT_32(1)
290#define RTCRX509CERTPATHSINT_F_VALID_MASK UINT32_C(0x00000003)
291/** @} */
292
293
294/*********************************************************************************************************************************
295* Internal Functions *
296*********************************************************************************************************************************/
297static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis);
298static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis);
299
300
301/** @name Path Builder and Validator Config APIs
302 * @{
303 */
304
305RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget)
306{
307 AssertPtrReturn(phCertPaths, VERR_INVALID_POINTER);
308
309 PRTCRX509CERTPATHSINT pThis = (PRTCRX509CERTPATHSINT)RTMemAllocZ(sizeof(*pThis));
310 if (pThis)
311 {
312 int rc = RTAsn1ObjId_InitFromString(&pThis->AnyPolicyObjId, RTCRX509_ID_CE_CP_ANY_POLICY_OID, &g_RTAsn1DefaultAllocator);
313 if (RT_SUCCESS(rc))
314 {
315 pThis->u32Magic = RTCRX509CERTPATHSINT_MAGIC;
316 pThis->cRefs = 1;
317 pThis->pTarget = pTarget;
318 pThis->hTrustedStore = NIL_RTCRSTORE;
319 pThis->hUntrustedStore = NIL_RTCRSTORE;
320 pThis->cInitialExplicitPolicy = UINT32_MAX;
321 pThis->cInitialPolicyMappingInhibit = UINT32_MAX;
322 pThis->cInitialInhibitAnyPolicy = UINT32_MAX;
323 pThis->rc = VINF_SUCCESS;
324 RTListInit(&pThis->LeafList);
325 *phCertPaths = pThis;
326 return VINF_SUCCESS;
327 }
328 return rc;
329 }
330 return VERR_NO_MEMORY;
331}
332
333
334RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths)
335{
336 PRTCRX509CERTPATHSINT pThis = hCertPaths;
337 AssertPtrReturn(pThis, UINT32_MAX);
338
339 uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
340 Assert(cRefs > 0 && cRefs < 64);
341 return cRefs;
342}
343
344
345RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths)
346{
347 uint32_t cRefs;
348 if (hCertPaths != NIL_RTCRX509CERTPATHS)
349 {
350 PRTCRX509CERTPATHSINT pThis = hCertPaths;
351 AssertPtrReturn(pThis, UINT32_MAX);
352 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
353
354 cRefs = ASMAtomicDecU32(&pThis->cRefs);
355 Assert(cRefs < 64);
356 if (!cRefs)
357 {
358 /*
359 * No more references, destroy the whole thing.
360 */
361 ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRX509CERTPATHSINT_MAGIC);
362
363 /* config */
364 pThis->pTarget = NULL; /* Referencing user memory. */
365 pThis->pTrustedCert = NULL; /* Referencing user memory. */
366 RTCrStoreRelease(pThis->hTrustedStore);
367 pThis->hTrustedStore = NIL_RTCRSTORE;
368 RTCrStoreRelease(pThis->hUntrustedStore);
369 pThis->hUntrustedStore = NIL_RTCRSTORE;
370 pThis->paUntrustedCerts = NULL; /* Referencing user memory. */
371 pThis->pUntrustedCertsSet = NULL; /* Referencing user memory. */
372 pThis->papInitialUserPolicySet = NULL; /* Referencing user memory. */
373 pThis->pInitialPermittedSubtrees = NULL; /* Referencing user memory. */
374 pThis->pInitialExcludedSubtrees = NULL; /* Referencing user memory. */
375
376 /* builder */
377 rtCrX509CertPathsDestroyTree(pThis);
378
379 /* validator */
380 rtCrX509CpvCleanup(pThis);
381
382 /* misc */
383 RTAsn1VtDelete(&pThis->AnyPolicyObjId.Asn1Core);
384
385 /* Finally, the instance itself. */
386 RTMemFree(pThis);
387 }
388 }
389 else
390 cRefs = 0;
391 return cRefs;
392}
393
394
395
396RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore)
397{
398 PRTCRX509CERTPATHSINT pThis = hCertPaths;
399 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
400 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
401 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
402
403 if (pThis->hTrustedStore != NIL_RTCRSTORE)
404 {
405 RTCrStoreRelease(pThis->hTrustedStore);
406 pThis->hTrustedStore = NIL_RTCRSTORE;
407 }
408 if (hTrustedStore != NIL_RTCRSTORE)
409 {
410 AssertReturn(RTCrStoreRetain(hTrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
411 pThis->hTrustedStore = hTrustedStore;
412 }
413 return VINF_SUCCESS;
414}
415
416
417RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore)
418{
419 PRTCRX509CERTPATHSINT pThis = hCertPaths;
420 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
421 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
422 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
423
424 if (pThis->hUntrustedStore != NIL_RTCRSTORE)
425 {
426 RTCrStoreRelease(pThis->hUntrustedStore);
427 pThis->hUntrustedStore = NIL_RTCRSTORE;
428 }
429 if (hUntrustedStore != NIL_RTCRSTORE)
430 {
431 AssertReturn(RTCrStoreRetain(hUntrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
432 pThis->hUntrustedStore = hUntrustedStore;
433 }
434 return VINF_SUCCESS;
435}
436
437
438RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts)
439{
440 PRTCRX509CERTPATHSINT pThis = hCertPaths;
441 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
442 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
443
444 pThis->paUntrustedCerts = paCerts;
445 pThis->cUntrustedCerts = cCerts;
446 return VINF_SUCCESS;
447}
448
449
450RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, PCRTCRPKCS7SETOFCERTS pSetOfCerts)
451{
452 PRTCRX509CERTPATHSINT pThis = hCertPaths;
453 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
454 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
455
456 pThis->pUntrustedCertsSet = pSetOfCerts;
457 return VINF_SUCCESS;
458}
459
460
461RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime)
462{
463 PRTCRX509CERTPATHSINT pThis = hCertPaths;
464 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
465 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
466 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
467
468 if (pTime)
469 {
470 if (RTTimeImplode(&pThis->ValidTime, pTime))
471 return VERR_INVALID_PARAMETER;
472 pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
473 }
474 else
475 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
476 return VINF_SUCCESS;
477}
478
479
480RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec)
481{
482 PRTCRX509CERTPATHSINT pThis = hCertPaths;
483 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
484 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
485 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
486
487 if (pTimeSpec)
488 {
489 pThis->ValidTime = *pTimeSpec;
490 pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
491 }
492 else
493 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
494 return VINF_SUCCESS;
495}
496
497
498RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
499 RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
500 PCRTTIMESPEC pValidTime)
501{
502 int rc = RTCrX509CertPathsCreate(phCertPaths, pTarget);
503 if (RT_SUCCESS(rc))
504 {
505 PRTCRX509CERTPATHSINT pThis = *phCertPaths;
506
507 rc = RTCrX509CertPathsSetTrustedStore(pThis, hTrustedStore);
508 if (RT_SUCCESS(rc))
509 {
510 rc = RTCrX509CertPathsSetUntrustedStore(pThis, hUntrustedStore);
511 if (RT_SUCCESS(rc))
512 {
513 rc = RTCrX509CertPathsSetUntrustedArray(pThis, paUntrustedCerts, cUntrustedCerts);
514 if (RT_SUCCESS(rc))
515 {
516 rc = RTCrX509CertPathsSetValidTimeSpec(pThis, pValidTime);
517 if (RT_SUCCESS(rc))
518 {
519 return VINF_SUCCESS;
520 }
521 }
522 RTCrStoreRelease(pThis->hUntrustedStore);
523 }
524 RTCrStoreRelease(pThis->hTrustedStore);
525 }
526 RTMemFree(pThis);
527 *phCertPaths = NIL_RTCRX509CERTPATHS;
528 }
529 return rc;
530}
531
532/** @} */
533
534
535
536/** @name Path Builder and Validator Common Utility Functions.
537 * @{
538 */
539
540/**
541 * Checks if the certificate is self-issued.
542 *
543 * @returns true / false.
544 * @param pNode The path node to check..
545 */
546static bool rtCrX509CertPathsIsSelfIssued(PRTCRX509CERTPATHNODE pNode)
547{
548 return pNode->pCert
549 && RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Subject, &pNode->pCert->TbsCertificate.Issuer);
550}
551
552/** @} */
553
554
555
556/** @name Path Builder Functions.
557 * @{
558 */
559
560/**
561 *
562 * @returns
563 * @param pThis .
564 */
565static PRTCRX509CERTPATHNODE rtCrX509CertPathsNewNode(PRTCRX509CERTPATHSINT pThis)
566{
567 PRTCRX509CERTPATHNODE pNode = (PRTCRX509CERTPATHNODE)RTMemAllocZ(sizeof(*pNode));
568 if (RT_LIKELY(pNode))
569 {
570 RTListInit(&pNode->SiblingEntry);
571 RTListInit(&pNode->ChildListOrLeafEntry);
572 pNode->rcVerify = VERR_CR_X509_NOT_VERIFIED;
573
574 return pNode;
575 }
576
577 pThis->rc = RTErrInfoSet(pThis->pErrInfo, VERR_NO_MEMORY, "No memory for path node");
578 return NULL;
579}
580
581
582static void rtCrX509CertPathsDestroyNode(PRTCRX509CERTPATHNODE pNode)
583{
584 if (pNode->pCertCtx)
585 {
586 RTCrCertCtxRelease(pNode->pCertCtx);
587 pNode->pCertCtx = NULL;
588 }
589 RT_ZERO(*pNode);
590 RTMemFree(pNode);
591}
592
593
594static void rtCrX509CertPathsAddIssuer(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pParent,
595 PCRTCRX509CERTIFICATE pCert, PCRTCRCERTCTX pCertCtx, uint8_t uSrc)
596{
597 /*
598 * Check if we've seen this certificate already in the current path or
599 * among the already gathered issuers.
600 */
601 if (pCert)
602 {
603 /* No duplicate certificates in the path. */
604 PRTCRX509CERTPATHNODE pTmpNode = pParent;
605 while (pTmpNode)
606 {
607 Assert(pTmpNode->pCert);
608 if ( pTmpNode->pCert == pCert
609 || RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
610 return;
611 pTmpNode = pTmpNode->pParent;
612 }
613
614 /* No duplicate tree branches. */
615 RTListForEach(&pParent->ChildListOrLeafEntry, pTmpNode, RTCRX509CERTPATHNODE, SiblingEntry)
616 {
617 if (RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
618 return;
619 }
620 }
621 else
622 Assert(pCertCtx);
623
624 /*
625 * Reference the context core before making the allocation.
626 */
627 if (pCertCtx)
628 AssertReturnVoidStmt(RTCrCertCtxRetain(pCertCtx) != UINT32_MAX,
629 pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_CR_X509_CPB_BAD_CERT_CTX,
630 "Bad pCertCtx=%p", pCertCtx));
631
632 /*
633 * We haven't see it, append it as a child.
634 */
635 PRTCRX509CERTPATHNODE pNew = rtCrX509CertPathsNewNode(pThis);
636 if (pNew)
637 {
638 pNew->pParent = pParent;
639 pNew->pCert = pCert;
640 pNew->pCertCtx = pCertCtx;
641 pNew->uSrc = uSrc;
642 pNew->uDepth = pParent->uDepth + 1;
643 RTListAppend(&pParent->ChildListOrLeafEntry, &pNew->SiblingEntry);
644 }
645 else
646 RTCrCertCtxRelease(pCertCtx);
647}
648
649
650static void rtCrX509CertPathsGetIssuersFromStore(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
651 PCRTCRX509NAME pIssuer, RTCRSTORE hStore, uint8_t uSrc)
652{
653 RTCRSTORECERTSEARCH Search;
654 int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(hStore, pIssuer, &Search);
655 if (RT_SUCCESS(rc))
656 {
657 PCRTCRCERTCTX pCertCtx;
658 while ((pCertCtx = RTCrStoreCertSearchNext(hStore, &Search)) != NULL)
659 {
660 if ( pCertCtx->pCert
661 || ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
662 && pCertCtx->pTaInfo) )
663 rtCrX509CertPathsAddIssuer(pThis, pNode, pCertCtx->pCert, pCertCtx, uSrc);
664 RTCrCertCtxRelease(pCertCtx);
665 }
666 RTCrStoreCertSearchDestroy(hStore, &Search);
667 }
668}
669
670
671static void rtCrX509CertPathsGetIssuers(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
672{
673 Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
674 Assert(!pNode->fLeaf);
675 Assert(pNode->pCert);
676
677 /*
678 * Don't recurse infintely.
679 */
680 if (RT_UNLIKELY(pNode->uDepth >= 50))
681 return;
682
683 PCRTCRX509NAME const pIssuer = &pNode->pCert->TbsCertificate.Issuer;
684
685 /*
686 * Trusted certificate.
687 */
688 if ( pThis->pTrustedCert
689 && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pThis->pTrustedCert, pIssuer))
690 rtCrX509CertPathsAddIssuer(pThis, pNode, pThis->pTrustedCert, NULL, RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT);
691
692 /*
693 * Trusted certificate store.
694 */
695 if (pThis->hTrustedStore != NIL_RTCRSTORE)
696 rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
697 RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE);
698
699 /*
700 * Untrusted store.
701 */
702 if (pThis->hUntrustedStore != NIL_RTCRSTORE)
703 rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
704 RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE);
705
706 /*
707 * Untrusted array.
708 */
709 if (pThis->paUntrustedCerts)
710 for (uint32_t i = 0; i < pThis->cUntrustedCerts; i++)
711 if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(&pThis->paUntrustedCerts[i], pIssuer))
712 rtCrX509CertPathsAddIssuer(pThis, pNode, &pThis->paUntrustedCerts[i], NULL,
713 RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY);
714
715 /** @todo Rainy day: Should abstract the untrusted array and set so we don't get
716 * unnecessary PKCS7/CMS header dependencies. */
717
718 /*
719 * Untrusted set.
720 */
721 if (pThis->pUntrustedCertsSet)
722 {
723 uint32_t const cCerts = pThis->pUntrustedCertsSet->cItems;
724 PCRTCRPKCS7CERT paCerts = pThis->pUntrustedCertsSet->paItems;
725 for (uint32_t i = 0; i < cCerts; i++)
726 if ( paCerts[i].enmChoice == RTCRPKCS7CERTCHOICE_X509
727 && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(paCerts[i].u.pX509Cert, pIssuer))
728 rtCrX509CertPathsAddIssuer(pThis, pNode, paCerts[i].u.pX509Cert, NULL, RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET);
729 }
730}
731
732
733static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetNextRightUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
734{
735 for (;;)
736 {
737 /* The root node has no siblings. */
738 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
739 if (!pNode->pParent)
740 return NULL;
741
742 /* Try go to the right. */
743 PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
744 if (pNext)
745 return pNext;
746
747 /* Up. */
748 pNode = pParent;
749 }
750}
751
752
753static PRTCRX509CERTPATHNODE rtCrX509CertPathsEliminatePath(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
754{
755 for (;;)
756 {
757 Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
758
759 /* Don't remove the root node. */
760 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
761 if (!pParent)
762 return NULL;
763
764 /* Before removing and deleting the node check if there is sibling
765 right to it that we should continue processing from. */
766 PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
767 RTListNodeRemove(&pNode->SiblingEntry);
768 rtCrX509CertPathsDestroyNode(pNode);
769
770 if (pNext)
771 return pNext;
772
773 /* If the parent node cannot be removed, do a normal get-next-rigth-up
774 to find the continuation point for the tree loop. */
775 if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
776 return rtCrX509CertPathsGetNextRightUp(pThis, pParent);
777
778 pNode = pParent;
779 }
780}
781
782
783/**
784 * Destroys the whole path tree.
785 *
786 * @param pThis The path builder and verifier instance.
787 */
788static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis)
789{
790 PRTCRX509CERTPATHNODE pNode, pNextLeaf;
791 RTListForEachSafe(&pThis->LeafList, pNode, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
792 {
793 RTListNodeRemove(&pNode->ChildListOrLeafEntry);
794 RTListInit(&pNode->ChildListOrLeafEntry);
795
796 for (;;)
797 {
798 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
799
800 RTListNodeRemove(&pNode->SiblingEntry);
801 rtCrX509CertPathsDestroyNode(pNode);
802
803 if (!pParent)
804 {
805 pThis->pRoot = NULL;
806 break;
807 }
808
809 if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
810 break;
811
812 pNode = pParent;
813 }
814 }
815 Assert(!pThis->pRoot);
816}
817
818
819/**
820 * Adds a leaf node.
821 *
822 * This should normally be a trusted certificate, but the caller can also
823 * request the incomplete paths, in which case this will be an untrusted
824 * certificate.
825 *
826 * @returns Pointer to the next node in the tree to process.
827 * @param pThis The path builder instance.
828 * @param pNode The leaf node.
829 */
830static PRTCRX509CERTPATHNODE rtCrX509CertPathsAddLeaf(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
831{
832 pNode->fLeaf = true;
833
834 /*
835 * Priority insert by source and depth.
836 */
837 PRTCRX509CERTPATHNODE pCurLeaf;
838 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
839 {
840 if ( pNode->uSrc > pCurLeaf->uSrc
841 || ( pNode->uSrc == pCurLeaf->uSrc
842 && pNode->uDepth < pCurLeaf->uDepth) )
843 {
844 RTListNodeInsertBefore(&pCurLeaf->ChildListOrLeafEntry, &pNode->ChildListOrLeafEntry);
845 pThis->cPaths++;
846 return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
847 }
848 }
849
850 RTListAppend(&pThis->LeafList, &pNode->ChildListOrLeafEntry);
851 pThis->cPaths++;
852 return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
853}
854
855
856
857RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo)
858{
859 /*
860 * Validate the input.
861 */
862 PRTCRX509CERTPATHSINT pThis = hCertPaths;
863 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
864 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
865 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
866 AssertReturn( (pThis->paUntrustedCerts == NULL && pThis->cUntrustedCerts == 0)
867 || (pThis->paUntrustedCerts != NULL && pThis->cUntrustedCerts > 0),
868 VERR_INVALID_PARAMETER);
869 AssertReturn(RTListIsEmpty(&pThis->LeafList), VERR_INVALID_PARAMETER);
870 AssertReturn(pThis->pRoot == NULL, VERR_INVALID_PARAMETER);
871 AssertReturn(pThis->rc == VINF_SUCCESS, pThis->rc);
872 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
873 Assert(RT_SUCCESS(RTCrX509Certificate_CheckSanity(pThis->pTarget, 0, NULL, NULL)));
874
875 /*
876 * Set up the target.
877 */
878 PRTCRX509CERTPATHNODE pCur;
879 pThis->pRoot = pCur = rtCrX509CertPathsNewNode(pThis);
880 if (pThis->pRoot)
881 {
882 pCur->pCert = pThis->pTarget;
883 pCur->uDepth = 0;
884 pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TARGET;
885
886 pThis->pErrInfo = pErrInfo;
887
888 /*
889 * The tree construction loop.
890 * Walks down, up, and right as the tree is constructed.
891 */
892 do
893 {
894 /*
895 * Check for the two leaf cases first.
896 */
897 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCur->uSrc))
898 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
899#if 0 /* This isn't right.*/
900 else if (rtCrX509CertPathsIsSelfIssued(pCur))
901 {
902 if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
903 pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
904 else
905 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
906 }
907#endif
908 /*
909 * Not a leaf, find all potential issuers and decend into these.
910 */
911 else
912 {
913 rtCrX509CertPathsGetIssuers(pThis, pCur);
914 if (RT_FAILURE(pThis->rc))
915 break;
916
917 if (!RTListIsEmpty(&pCur->ChildListOrLeafEntry))
918 pCur = RTListGetFirst(&pCur->ChildListOrLeafEntry, RTCRX509CERTPATHNODE, SiblingEntry);
919 else if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
920 pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
921 else
922 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
923 }
924 if (pCur)
925 Log2(("RTCrX509CertPathsBuild: pCur=%p fLeaf=%d pParent=%p pNext=%p pPrev=%p\n",
926 pCur, pCur->fLeaf, pCur->pParent,
927 pCur->pParent ? RTListGetNext(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL,
928 pCur->pParent ? RTListGetPrev(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL));
929 } while (pCur);
930
931 pThis->pErrInfo = NULL;
932 if (RT_SUCCESS(pThis->rc))
933 return VINF_SUCCESS;
934 }
935 else
936 Assert(RT_FAILURE_NP(pThis->rc));
937 return pThis->rc;
938}
939
940
941/**
942 * Looks up path by leaf/path index.
943 *
944 * @returns Pointer to the leaf node of the path.
945 * @param pThis The path builder & validator instance.
946 * @param iPath The oridnal of the path to get.
947 */
948static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetLeafByIndex(PRTCRX509CERTPATHSINT pThis, uint32_t iPath)
949{
950 Assert(iPath < pThis->cPaths);
951
952 uint32_t iCurPath = 0;
953 PRTCRX509CERTPATHNODE pCurLeaf;
954 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
955 {
956 if (iCurPath == iPath)
957 return pCurLeaf;
958 iCurPath++;
959 }
960
961 AssertFailedReturn(NULL);
962}
963
964
965static void rtDumpPrintf(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, const char *pszFormat, ...)
966{
967 va_list va;
968 va_start(va, pszFormat);
969 pfnPrintfV(pvUser, pszFormat, va);
970 va_end(va);
971}
972
973
974static void rtDumpIndent(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, uint32_t cchSpaces, const char *pszFormat, ...)
975{
976 static const char s_szSpaces[] = " ";
977 while (cchSpaces > 0)
978 {
979 uint32_t cchBurst = RT_MIN(sizeof(s_szSpaces) - 1, cchSpaces);
980 rtDumpPrintf(pfnPrintfV, pvUser, &s_szSpaces[sizeof(s_szSpaces) - cchBurst - 1]);
981 cchSpaces -= cchBurst;
982 }
983
984 va_list va;
985 va_start(va, pszFormat);
986 pfnPrintfV(pvUser, pszFormat, va);
987 va_end(va);
988}
989
990/** @name X.500 attribute types
991 * See RFC-4519 among others.
992 * @{ */
993#define RTCRX500_ID_AT_OBJECT_CLASS_OID "2.5.4.0"
994#define RTCRX500_ID_AT_ALIASED_ENTRY_NAME_OID "2.5.4.1"
995#define RTCRX500_ID_AT_KNOWLDGEINFORMATION_OID "2.5.4.2"
996#define RTCRX500_ID_AT_COMMON_NAME_OID "2.5.4.3"
997#define RTCRX500_ID_AT_SURNAME_OID "2.5.4.4"
998#define RTCRX500_ID_AT_SERIAL_NUMBER_OID "2.5.4.5"
999#define RTCRX500_ID_AT_COUNTRY_NAME_OID "2.5.4.6"
1000#define RTCRX500_ID_AT_LOCALITY_NAME_OID "2.5.4.7"
1001#define RTCRX500_ID_AT_STATE_OR_PROVINCE_NAME_OID "2.5.4.8"
1002#define RTCRX500_ID_AT_STREET_ADDRESS_OID "2.5.4.9"
1003#define RTCRX500_ID_AT_ORGANIZATION_NAME_OID "2.5.4.10"
1004#define RTCRX500_ID_AT_ORGANIZATION_UNIT_NAME_OID "2.5.4.11"
1005#define RTCRX500_ID_AT_TITLE_OID "2.5.4.12"
1006#define RTCRX500_ID_AT_DESCRIPTION_OID "2.5.4.13"
1007#define RTCRX500_ID_AT_SEARCH_GUIDE_OID "2.5.4.14"
1008#define RTCRX500_ID_AT_BUSINESS_CATEGORY_OID "2.5.4.15"
1009#define RTCRX500_ID_AT_POSTAL_ADDRESS_OID "2.5.4.16"
1010#define RTCRX500_ID_AT_POSTAL_CODE_OID "2.5.4.17"
1011#define RTCRX500_ID_AT_POST_OFFICE_BOX_OID "2.5.4.18"
1012#define RTCRX500_ID_AT_PHYSICAL_DELIVERY_OFFICE_NAME_OID "2.5.4.19"
1013#define RTCRX500_ID_AT_TELEPHONE_NUMBER_OID "2.5.4.20"
1014#define RTCRX500_ID_AT_TELEX_NUMBER_OID "2.5.4.21"
1015#define RTCRX500_ID_AT_TELETEX_TERMINAL_IDENTIFIER_OID "2.5.4.22"
1016#define RTCRX500_ID_AT_FACIMILE_TELEPHONE_NUMBER_OID "2.5.4.23"
1017#define RTCRX500_ID_AT_X121_ADDRESS_OID "2.5.4.24"
1018#define RTCRX500_ID_AT_INTERNATIONAL_ISDN_NUMBER_OID "2.5.4.25"
1019#define RTCRX500_ID_AT_REGISTERED_ADDRESS_OID "2.5.4.26"
1020#define RTCRX500_ID_AT_DESTINATION_INDICATOR_OID "2.5.4.27"
1021#define RTCRX500_ID_AT_PREFERRED_DELIVERY_METHOD_OID "2.5.4.28"
1022#define RTCRX500_ID_AT_PRESENTATION_ADDRESS_OID "2.5.4.29"
1023#define RTCRX500_ID_AT_SUPPORTED_APPLICATION_CONTEXT_OID "2.5.4.30"
1024#define RTCRX500_ID_AT_MEMBER_OID "2.5.4.31"
1025#define RTCRX500_ID_AT_OWNER_OID "2.5.4.32"
1026#define RTCRX500_ID_AT_ROLE_OCCUPANT_OID "2.5.4.33"
1027#define RTCRX500_ID_AT_SEE_ALSO_OID "2.5.4.34"
1028#define RTCRX500_ID_AT_USER_PASSWORD_OID "2.5.4.35"
1029#define RTCRX500_ID_AT_USER_CERTIFICATE_OID "2.5.4.36"
1030#define RTCRX500_ID_AT_CA_CERTIFICATE_OID "2.5.4.37"
1031#define RTCRX500_ID_AT_AUTHORITY_REVOCATION_LIST_OID "2.5.4.38"
1032#define RTCRX500_ID_AT_CERTIFICATE_REVOCATION_LIST_OID "2.5.4.39"
1033#define RTCRX500_ID_AT_CROSS_CERTIFICATE_PAIR_OID "2.5.4.40"
1034#define RTCRX500_ID_AT_NAME_OID "2.5.4.41"
1035#define RTCRX500_ID_AT_GIVEN_NAME_OID "2.5.4.42"
1036#define RTCRX500_ID_AT_INITIALS_OID "2.5.4.43"
1037#define RTCRX500_ID_AT_GENERATION_QUALIFIER_OID "2.5.4.44"
1038#define RTCRX500_ID_AT_UNIQUE_IDENTIFIER_OID "2.5.4.45"
1039#define RTCRX500_ID_AT_DN_QUALIFIER_OID "2.5.4.46"
1040#define RTCRX500_ID_AT_ENHANCHED_SEARCH_GUIDE_OID "2.5.4.47"
1041#define RTCRX500_ID_AT_PROTOCOL_INFORMATION_OID "2.5.4.48"
1042#define RTCRX500_ID_AT_DISTINGUISHED_NAME_OID "2.5.4.49"
1043#define RTCRX500_ID_AT_UNIQUE_MEMBER_OID "2.5.4.50"
1044#define RTCRX500_ID_AT_HOUSE_IDENTIFIER_OID "2.5.4.51"
1045#define RTCRX500_ID_AT_SUPPORTED_ALGORITHMS_OID "2.5.4.52"
1046#define RTCRX500_ID_AT_DELTA_REVOCATION_LIST_OID "2.5.4.53"
1047#define RTCRX500_ID_AT_ATTRIBUTE_CERTIFICATE_OID "2.5.4.58"
1048#define RTCRX500_ID_AT_PSEUDONYM_OID "2.5.4.65"
1049/** @} */
1050
1051
1052static void rtCrX509NameDump(PCRTCRX509NAME pName, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1053{
1054 for (uint32_t i = 0; i < pName->cItems; i++)
1055 for (uint32_t j = 0; j < pName->paItems[i].cItems; j++)
1056 {
1057 PRTCRX509ATTRIBUTETYPEANDVALUE pAttrib = &pName->paItems[i].paItems[j];
1058
1059 const char *pszType = pAttrib->Type.szObjId;
1060 if ( !strncmp(pAttrib->Type.szObjId, "2.5.4.", 6)
1061 && (pAttrib->Type.szObjId[8] == '\0' || pAttrib->Type.szObjId[9] == '\0'))
1062 {
1063 switch (RTStrToUInt8(&pAttrib->Type.szObjId[6]))
1064 {
1065 case 3: pszType = "cn"; break;
1066 case 4: pszType = "sn"; break;
1067 case 5: pszType = "serialNumber"; break;
1068 case 6: pszType = "c"; break;
1069 case 7: pszType = "l"; break;
1070 case 8: pszType = "st"; break;
1071 case 9: pszType = "street"; break;
1072 case 10: pszType = "o"; break;
1073 case 11: pszType = "ou"; break;
1074 case 13: pszType = "description"; break;
1075 case 15: pszType = "businessCategory"; break;
1076 case 16: pszType = "postalAddress"; break;
1077 case 17: pszType = "postalCode"; break;
1078 case 18: pszType = "postOfficeBox"; break;
1079 case 20: pszType = "telephoneNumber"; break;
1080 case 26: pszType = "registeredAddress"; break;
1081 case 31: pszType = "member"; break;
1082 case 41: pszType = "name"; break;
1083 case 42: pszType = "givenName"; break;
1084 case 43: pszType = "initials"; break;
1085 case 45: pszType = "x500UniqueIdentifier"; break;
1086 case 50: pszType = "uniqueMember"; break;
1087 }
1088 }
1089 rtDumpPrintf(pfnPrintfV, pvUser, "/%s=", pszType);
1090 if (pAttrib->Value.enmType == RTASN1TYPE_STRING)
1091 {
1092 if (pAttrib->Value.u.String.pszUtf8)
1093 rtDumpPrintf(pfnPrintfV, pvUser, "%s", pAttrib->Value.u.String.pszUtf8);
1094 else
1095 {
1096 const char *pch = pAttrib->Value.u.String.Asn1Core.uData.pch;
1097 uint32_t cch = pAttrib->Value.u.String.Asn1Core.cb;
1098 int rc = RTStrValidateEncodingEx(pch, cch, 0);
1099 if (RT_SUCCESS(rc) && cch)
1100 rtDumpPrintf(pfnPrintfV, pvUser, "%.*s", (size_t)cch, pch);
1101 else
1102 while (cch > 0)
1103 {
1104 if (RT_C_IS_PRINT(*pch))
1105 rtDumpPrintf(pfnPrintfV, pvUser, "%c", *pch);
1106 else
1107 rtDumpPrintf(pfnPrintfV, pvUser, "\\x%02x", *pch);
1108 cch--;
1109 pch++;
1110 }
1111 }
1112 }
1113 else
1114 rtDumpPrintf(pfnPrintfV, pvUser, "<not-string: uTag=%#x>", pAttrib->Value.u.Core.uTag);
1115 }
1116}
1117
1118
1119static const char *rtCrX509CertPathsNodeGetSourceName(PRTCRX509CERTPATHNODE pNode)
1120{
1121 switch (pNode->uSrc)
1122 {
1123 case RTCRX509CERTPATHNODE_SRC_TARGET: return "target";
1124 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET: return "untrusted_set";
1125 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY: return "untrusted_array";
1126 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE: return "untrusted_store";
1127 case RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE: return "trusted_store";
1128 case RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT: return "trusted_cert";
1129 default: return "invalid";
1130 }
1131}
1132
1133
1134static void rtCrX509CertPathsDumpOneWorker(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, PRTCRX509CERTPATHNODE pCurLeaf,
1135 uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1136{
1137 rtDumpPrintf(pfnPrintfV, pvUser, "Path #%u: %s, %u deep, rcVerify=%Rrc\n",
1138 iPath, RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc) ? "trusted" : "untrusted", pCurLeaf->uDepth,
1139 pCurLeaf->rcVerify);
1140
1141 for (uint32_t iIndent = 2; pCurLeaf; iIndent += 2, pCurLeaf = pCurLeaf->pParent)
1142 {
1143 if (pCurLeaf->pCert)
1144 {
1145 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Issuer : ");
1146 rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Issuer, pfnPrintfV, pvUser);
1147 rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1148
1149 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1150 rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Subject, pfnPrintfV, pvUser);
1151 rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1152
1153 if (uVerbosity >= 4)
1154 RTAsn1Dump(&pCurLeaf->pCert->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1155 else if (uVerbosity >= 3)
1156 RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1157 }
1158 else
1159 {
1160 Assert(pCurLeaf->pCertCtx); Assert(pCurLeaf->pCertCtx->pTaInfo);
1161 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1162 rtCrX509NameDump(&pCurLeaf->pCertCtx->pTaInfo->CertPath.TaName, pfnPrintfV, pvUser);
1163
1164 if (uVerbosity >= 4)
1165 RTAsn1Dump(&pCurLeaf->pCertCtx->pTaInfo->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1166 }
1167
1168 const char *pszSrc = rtCrX509CertPathsNodeGetSourceName(pCurLeaf);
1169 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Source : %s\n", pszSrc);
1170 }
1171}
1172
1173
1174RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
1175 PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1176{
1177 /*
1178 * Validate the input.
1179 */
1180 PRTCRX509CERTPATHSINT pThis = hCertPaths;
1181 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1182 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1183 AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1184 int rc;
1185 if (iPath < pThis->cPaths)
1186 {
1187 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
1188 if (pLeaf)
1189 {
1190 rtCrX509CertPathsDumpOneWorker(pThis, iPath, pLeaf, uVerbosity, pfnPrintfV, pvUser);
1191 rc = VINF_SUCCESS;
1192 }
1193 else
1194 rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
1195 }
1196 else
1197 rc = VERR_NOT_FOUND;
1198 return rc;
1199}
1200
1201
1202RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1203{
1204 /*
1205 * Validate the input.
1206 */
1207 PRTCRX509CERTPATHSINT pThis = hCertPaths;
1208 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1209 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1210 AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1211
1212 /*
1213 * Dump all the paths.
1214 */
1215 rtDumpPrintf(pfnPrintfV, pvUser, "%u paths, rc=%Rrc\n", pThis->cPaths, pThis->rc);
1216 uint32_t iPath = 0;
1217 PRTCRX509CERTPATHNODE pCurLeaf, pNextLeaf;
1218 RTListForEachSafe(&pThis->LeafList, pCurLeaf, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
1219 {
1220 rtCrX509CertPathsDumpOneWorker(pThis, iPath, pCurLeaf, uVerbosity, pfnPrintfV, pvUser);
1221 iPath++;
1222 }
1223
1224 return VINF_SUCCESS;
1225}
1226
1227
1228/** @} */
1229
1230
1231/** @name Path Validator Functions.
1232 * @{
1233 */
1234
1235
1236static void *rtCrX509CpvAllocZ(PRTCRX509CERTPATHSINT pThis, size_t cb, const char *pszWhat)
1237{
1238 void *pv = RTMemAllocZ(cb);
1239 if (!pv)
1240 pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for %s", cb, pszWhat);
1241 return pv;
1242}
1243
1244
1245DECL_NO_INLINE(static, bool) rtCrX509CpvFailed(PRTCRX509CERTPATHSINT pThis, int rc, const char *pszFormat, ...)
1246{
1247 va_list va;
1248 va_start(va, pszFormat);
1249 pThis->rc = RTErrInfoSetV(pThis->pErrInfo, rc, pszFormat, va);
1250 va_end(va);
1251 return false;
1252}
1253
1254
1255/**
1256 * Adds a sequence of excluded sub-trees.
1257 *
1258 * Don't waste time optimizing the output if this is supposed to be a union.
1259 * Unless the path is very long, it's a lot more work to optimize and the result
1260 * will be the same anyway.
1261 *
1262 * @returns success indicator.
1263 * @param pThis The validator instance.
1264 * @param pSubtrees The sequence of sub-trees to add.
1265 */
1266static bool rtCrX509CpvAddExcludedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1267{
1268 if (((pThis->v.cExcludedSubtrees + 1) & 0xf) == 0)
1269 {
1270 void *pvNew = RTMemRealloc(pThis->v.papExcludedSubtrees,
1271 (pThis->v.cExcludedSubtrees + 16) * sizeof(pThis->v.papExcludedSubtrees[0]));
1272 if (RT_UNLIKELY(!pvNew))
1273 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array to %u elements",
1274 pThis->v.cExcludedSubtrees + 16);
1275 pThis->v.papExcludedSubtrees = (PCRTCRX509GENERALSUBTREES *)pvNew;
1276 }
1277 pThis->v.papExcludedSubtrees[pThis->v.cExcludedSubtrees] = pSubtrees;
1278 pThis->v.cExcludedSubtrees++;
1279 return true;
1280}
1281
1282
1283/**
1284 * Checks if a sub-tree is according to RFC-5280.
1285 *
1286 * @returns Success indiciator.
1287 * @param pThis The validator instance.
1288 * @param pSubtree The subtree to check.
1289 */
1290static bool rtCrX509CpvCheckSubtreeValidity(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1291{
1292 if ( pSubtree->Base.enmChoice <= RTCRX509GENERALNAMECHOICE_INVALID
1293 || pSubtree->Base.enmChoice >= RTCRX509GENERALNAMECHOICE_END)
1294 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_CHOICE,
1295 "Unexpected GeneralSubtree choice %#x", pSubtree->Base.enmChoice);
1296
1297 if (RTAsn1Integer_UnsignedCompareWithU32(&pSubtree->Minimum, 0) != 0)
1298 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MIN,
1299 "Unexpected GeneralSubtree Minimum value: %#llx",
1300 pSubtree->Minimum.uValue);
1301
1302 if (RTAsn1Integer_IsPresent(&pSubtree->Maximum))
1303 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MAX,
1304 "Unexpected GeneralSubtree Maximum value: %#llx",
1305 pSubtree->Maximum.uValue);
1306
1307 return true;
1308}
1309
1310
1311/**
1312 * Grows the array of permitted sub-trees.
1313 *
1314 * @returns success indiciator.
1315 * @param pThis The validator instance.
1316 * @param cAdding The number of subtrees we should grow by
1317 * (relative to the current number of valid
1318 * entries).
1319 */
1320static bool rtCrX509CpvGrowPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cAdding)
1321{
1322 uint32_t cNew = RT_ALIGN_32(pThis->v.cPermittedSubtrees + cAdding, 16);
1323 if (cNew > pThis->v.cPermittedSubtreesAlloc)
1324 {
1325 if (cNew >= _4K)
1326 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Too many permitted subtrees: %u (cur %u)",
1327 cNew, pThis->v.cPermittedSubtrees);
1328 void *pvNew = RTMemRealloc(pThis->v.papPermittedSubtrees, cNew * sizeof(pThis->v.papPermittedSubtrees[0]));
1329 if (RT_UNLIKELY(!pvNew))
1330 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array from %u to %u elements",
1331 pThis->v.cPermittedSubtreesAlloc, cNew);
1332 pThis->v.papPermittedSubtrees = (PCRTCRX509GENERALSUBTREE *)pvNew;
1333 }
1334 return true;
1335}
1336
1337
1338/**
1339 * Adds a sequence of permitted sub-trees.
1340 *
1341 * We store reference to each individual sub-tree because we must support
1342 * intersection calculation.
1343 *
1344 * @returns success indiciator.
1345 * @param pThis The validator instance.
1346 * @param cSubtrees The number of sub-trees to add.
1347 * @param paSubtrees Array of sub-trees to add.
1348 */
1349static bool rtCrX509CpvAddPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cSubtrees, PCRTCRX509GENERALSUBTREE paSubtrees)
1350{
1351 /*
1352 * If the array is empty, assume no permitted names.
1353 */
1354 if (!cSubtrees)
1355 {
1356 pThis->v.fNoPermittedSubtrees = true;
1357 return true;
1358 }
1359
1360 /*
1361 * Grow the array if necessary.
1362 */
1363 if (!rtCrX509CpvGrowPermittedSubtrees(pThis, cSubtrees))
1364 return false;
1365
1366 /*
1367 * Append each subtree to the array.
1368 */
1369 uint32_t iDst = pThis->v.cPermittedSubtrees;
1370 for (uint32_t iSrc = 0; iSrc < cSubtrees; iSrc++)
1371 {
1372 if (!rtCrX509CpvCheckSubtreeValidity(pThis, &paSubtrees[iSrc]))
1373 return false;
1374 pThis->v.papPermittedSubtrees[iDst] = &paSubtrees[iSrc];
1375 iDst++;
1376 }
1377 pThis->v.cPermittedSubtrees = iDst;
1378
1379 return true;
1380}
1381
1382
1383/**
1384 * Calculates the intersection between @a pSubtrees and the current permitted
1385 * sub-trees.
1386 *
1387 * @returns Success indicator.
1388 * @param pThis The validator instance.
1389 * @param pSubtrees The sub-tree sequence to intersect with.
1390 */
1391static bool rtCrX509CpvIntersectionPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1392{
1393 /*
1394 * Deal with special cases first.
1395 */
1396 if (pThis->v.fNoPermittedSubtrees)
1397 {
1398 Assert(pThis->v.cPermittedSubtrees == 0);
1399 return true;
1400 }
1401
1402 uint32_t cRight = pSubtrees->cItems;
1403 PCRTCRX509GENERALSUBTREE paRight = pSubtrees->paItems;
1404 if (cRight == 0)
1405 {
1406 pThis->v.cPermittedSubtrees = 0;
1407 pThis->v.fNoPermittedSubtrees = true;
1408 return true;
1409 }
1410
1411 uint32_t cLeft = pThis->v.cPermittedSubtrees;
1412 PCRTCRX509GENERALSUBTREE *papLeft = pThis->v.papPermittedSubtrees;
1413 if (!cLeft) /* first name constraint, no initial constraint */
1414 return rtCrX509CpvAddPermittedSubtrees(pThis, cRight, paRight);
1415
1416 /*
1417 * Create a new array with the intersection, freeing the old (left) array
1418 * once we're done.
1419 */
1420 bool afRightTags[RTCRX509GENERALNAMECHOICE_END] = { 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1421
1422 pThis->v.cPermittedSubtrees = 0;
1423 pThis->v.cPermittedSubtreesAlloc = 0;
1424 pThis->v.papPermittedSubtrees = NULL;
1425
1426 for (uint32_t iRight = 0; iRight < cRight; iRight++)
1427 {
1428 if (!rtCrX509CpvCheckSubtreeValidity(pThis, &paRight[iRight]))
1429 return false;
1430
1431 RTCRX509GENERALNAMECHOICE const enmRightChoice = paRight[iRight].Base.enmChoice;
1432 afRightTags[enmRightChoice] = true;
1433
1434 bool fHaveRight = false;
1435 for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1436 if (papLeft[iLeft]->Base.enmChoice == enmRightChoice)
1437 {
1438 if (RTCrX509GeneralSubtree_Compare(papLeft[iLeft], &paRight[iRight]) == 0)
1439 {
1440 if (!fHaveRight)
1441 {
1442 fHaveRight = true;
1443 rtCrX509CpvAddPermittedSubtrees(pThis, 1, papLeft[iLeft]);
1444 }
1445 }
1446 else if (RTCrX509GeneralSubtree_ConstraintMatch(papLeft[iLeft], &paRight[iRight]))
1447 {
1448 if (!fHaveRight)
1449 {
1450 fHaveRight = true;
1451 rtCrX509CpvAddPermittedSubtrees(pThis, 1, &paRight[iRight]);
1452 }
1453 }
1454 else if (RTCrX509GeneralSubtree_ConstraintMatch(&paRight[iRight], papLeft[iLeft]))
1455 rtCrX509CpvAddPermittedSubtrees(pThis, 1, papLeft[iLeft]);
1456 }
1457 }
1458
1459 /*
1460 * Add missing types not specified in the right set.
1461 */
1462 for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1463 if (!afRightTags[papLeft[iLeft]->Base.enmChoice])
1464 rtCrX509CpvAddPermittedSubtrees(pThis, 1, papLeft[iLeft]);
1465
1466 /*
1467 * If we ended up with an empty set, no names are permitted any more.
1468 */
1469 if (pThis->v.cPermittedSubtrees == 0)
1470 pThis->v.fNoPermittedSubtrees = true;
1471
1472 RTMemFree(papLeft);
1473 return RT_SUCCESS(pThis->rc);
1474}
1475
1476
1477/**
1478 * Check if the given X.509 name is permitted by current name constraints.
1479 *
1480 * @returns true is permitteded, false if not (caller set error info).
1481 * @param pThis The validator instance.
1482 * @param pName The name to match.
1483 */
1484static bool rtCrX509CpvIsNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1485{
1486 uint32_t i = pThis->v.cPermittedSubtrees;
1487 if (i == 0)
1488 return !pThis->v.fNoPermittedSubtrees;
1489
1490 while (i-- > 0)
1491 {
1492 PCRTCRX509GENERALSUBTREE pConstraint = pThis->v.papPermittedSubtrees[i];
1493 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pConstraint->Base)
1494 && RTCrX509Name_ConstraintMatch(&pConstraint->Base.u.pT4->DirectoryName, pName))
1495 return true;
1496 }
1497 return false;
1498}
1499
1500
1501/**
1502 * Check if the given X.509 general name is permitted by current name
1503 * constraints.
1504 *
1505 * @returns true is permitteded, false if not (caller sets error info).
1506 * @param pThis The validator instance.
1507 * @param pGeneralName The name to match.
1508 */
1509static bool rtCrX509CpvIsGeneralNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1510{
1511 uint32_t i = pThis->v.cPermittedSubtrees;
1512 if (i == 0)
1513 return !pThis->v.fNoPermittedSubtrees;
1514
1515 while (i-- > 0)
1516 if (RTCrX509GeneralName_ConstraintMatch(&pThis->v.papPermittedSubtrees[i]->Base, pGeneralName))
1517 return true;
1518 return false;
1519}
1520
1521
1522/**
1523 * Check if the given X.509 name is excluded by current name constraints.
1524 *
1525 * @returns true if excluded (caller sets error info), false if not explicitly
1526 * excluded.
1527 * @param pThis The validator instance.
1528 * @param pName The name to match.
1529 */
1530static bool rtCrX509CpvIsNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1531{
1532 uint32_t i = pThis->v.cExcludedSubtrees;
1533 while (i-- > 0)
1534 {
1535 PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1536 uint32_t j = pSubTrees->cItems;
1537 while (j-- > 0)
1538 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pSubTrees->paItems[j].Base)
1539 && RTCrX509Name_ConstraintMatch(&pSubTrees->paItems[j].Base.u.pT4->DirectoryName, pName))
1540 return true;
1541 }
1542 return false;
1543}
1544
1545
1546/**
1547 * Check if the given X.509 general name is excluded by current name
1548 * constraints.
1549 *
1550 * @returns true if excluded (caller sets error info), false if not explicitly
1551 * excluded.
1552 * @param pThis The validator instance.
1553 * @param pGeneralName The name to match.
1554 */
1555static bool rtCrX509CpvIsGeneralNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1556{
1557 uint32_t i = pThis->v.cExcludedSubtrees;
1558 while (i-- > 0)
1559 {
1560 PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1561 uint32_t j = pSubTrees->cItems;
1562 while (j-- > 0)
1563 if (RTCrX509GeneralName_ConstraintMatch(&pSubTrees->paItems[j].Base, pGeneralName))
1564 return true;
1565 }
1566 return false;
1567}
1568
1569
1570/**
1571 * Creates a new node and inserts it.
1572 *
1573 * @param pThis The path builder & validator instance.
1574 * @param pParent The parent node. NULL for the root node.
1575 * @param iDepth The tree depth to insert at.
1576 * @param pValidPolicy The valid policy of the new node.
1577 * @param pQualifiers The qualifiers of the new node.
1578 * @param pExpectedPolicy The (first) expected polcy of the new node.
1579 */
1580static bool rtCrX509CpvPolicyTreeInsertNew(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pParent, uint32_t iDepth,
1581 PCRTASN1OBJID pValidPolicy, PCRTCRX509POLICYQUALIFIERINFOS pQualifiers,
1582 PCRTASN1OBJID pExpectedPolicy)
1583{
1584 Assert(iDepth <= pThis->v.cNodes);
1585
1586 PRTCRX509CERTPATHSPOLICYNODE pNode;
1587 pNode = (PRTCRX509CERTPATHSPOLICYNODE)rtCrX509CpvAllocZ(pThis, sizeof(*pNode), "policy tree node");
1588 if (pNode)
1589 {
1590 pNode->pParent = pParent;
1591 if (pParent)
1592 RTListAppend(&pParent->ChildList, &pNode->SiblingEntry);
1593 else
1594 {
1595 Assert(pThis->v.pValidPolicyTree == NULL);
1596 pThis->v.pValidPolicyTree = pNode;
1597 RTListInit(&pNode->SiblingEntry);
1598 }
1599 RTListInit(&pNode->ChildList);
1600 RTListAppend(&pThis->v.paValidPolicyDepthLists[iDepth], &pNode->DepthEntry);
1601
1602 pNode->pValidPolicy = pValidPolicy;
1603 pNode->pPolicyQualifiers = pQualifiers;
1604 pNode->pExpectedPolicyFirst = pExpectedPolicy;
1605 pNode->cMoreExpectedPolicySet = 0;
1606 pNode->papMoreExpectedPolicySet = NULL;
1607 return true;
1608 }
1609 return false;
1610}
1611
1612
1613/**
1614 * Unlinks and frees a node in the valid policy tree.
1615 *
1616 * @param pThis The path builder & validator instance.
1617 * @param pNode The node to destroy.
1618 */
1619static void rtCrX509CpvPolicyTreeDestroyNode(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1620{
1621 Assert(RTListIsEmpty(&pNode->ChildList));
1622 if (pNode->pParent)
1623 RTListNodeRemove(&pNode->SiblingEntry);
1624 else
1625 pThis->v.pValidPolicyTree = NULL;
1626 RTListNodeRemove(&pNode->DepthEntry);
1627 pNode->pParent = NULL;
1628
1629 if (pNode->papMoreExpectedPolicySet)
1630 {
1631 RTMemFree(pNode->papMoreExpectedPolicySet);
1632 pNode->papMoreExpectedPolicySet = NULL;
1633 }
1634 RTMemFree(pNode);
1635}
1636
1637
1638/**
1639 * Unlinks and frees a sub-tree in the valid policy tree.
1640 *
1641 * @param pThis The path builder & validator instance.
1642 * @param pNode The node that is the root of the subtree.
1643 */
1644static void rtCrX509CpvPolicyTreeDestroySubtree(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1645{
1646 if (!RTListIsEmpty(&pNode->ChildList))
1647 {
1648 PRTCRX509CERTPATHSPOLICYNODE pCur = pNode;
1649 do
1650 {
1651 Assert(!RTListIsEmpty(&pCur->ChildList));
1652
1653 /* Decend until we find a leaf. */
1654 do
1655 pCur = RTListGetFirst(&pCur->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1656 while (!RTListIsEmpty(&pCur->ChildList));
1657
1658 /* Remove it and all leafy siblings. */
1659 PRTCRX509CERTPATHSPOLICYNODE pParent = pCur->pParent;
1660 do
1661 {
1662 Assert(pCur != pNode);
1663 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1664 pCur = RTListGetFirst(&pParent->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1665 if (!pCur)
1666 {
1667 pCur = pParent;
1668 pParent = pParent->pParent;
1669 }
1670 } while (RTListIsEmpty(&pCur->ChildList) && pCur != pNode);
1671 } while (pCur != pNode);
1672 }
1673
1674 rtCrX509CpvPolicyTreeDestroyNode(pThis, pNode);
1675}
1676
1677
1678
1679/**
1680 * Destroys the entire policy tree.
1681 *
1682 * @param pThis The path builder & validator instance.
1683 */
1684static void rtCrX509CpvPolicyTreeDestroy(PRTCRX509CERTPATHSINT pThis)
1685{
1686 uint32_t i = pThis->v.cNodes + 1;
1687 while (i-- > 0)
1688 {
1689 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1690 RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[i], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1691 {
1692 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1693 }
1694 }
1695}
1696
1697
1698/**
1699 * Removes all leaf nodes at level @a iDepth and above.
1700 *
1701 * @param pThis The path builder & validator instance.
1702 * @param iDepth The depth to start pruning at.
1703 */
1704static void rtCrX509CpvPolicyTreePrune(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth)
1705{
1706 do
1707 {
1708 PRTLISTANCHOR pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1709 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1710 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1711 {
1712 if (RTListIsEmpty(&pCur->ChildList))
1713 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1714 }
1715
1716 } while (iDepth-- > 0);
1717}
1718
1719
1720/**
1721 * Checks if @a pPolicy is the valid policy of a child of @a pNode.
1722 *
1723 * @returns true if in child node, false if not.
1724 * @param pNode The node which children to check.
1725 * @param pPolicy The valid policy to look for among the children.
1726 */
1727static bool rtCrX509CpvPolicyTreeIsChild(PRTCRX509CERTPATHSPOLICYNODE pNode, PCRTASN1OBJID pPolicy)
1728{
1729 PRTCRX509CERTPATHSPOLICYNODE pChild;
1730 RTListForEach(&pNode->ChildList, pChild, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry)
1731 {
1732 if (RTAsn1ObjId_Compare(pChild->pValidPolicy, pPolicy) == 0)
1733 return true;
1734 }
1735 return true;
1736}
1737
1738
1739/**
1740 * Prunes the valid policy tree according to the specified user policy set.
1741 *
1742 * @returns Pointer to the policy object from @a papPolicies if found, NULL if
1743 * no match.
1744 * @param pObjId The object ID to locate at match in the set.
1745 * @param cPolicies The number of policies in @a papPolicies.
1746 * @param papPolicies The policy set to search.
1747 */
1748static PCRTASN1OBJID rtCrX509CpvFindObjIdInPolicySet(PCRTASN1OBJID pObjId, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1749{
1750 uint32_t i = cPolicies;
1751 while (i-- > 0)
1752 if (RTAsn1ObjId_Compare(pObjId, papPolicies[i]) == 0)
1753 return papPolicies[i];
1754 return NULL;
1755}
1756
1757
1758/**
1759 * Prunes the valid policy tree according to the specified user policy set.
1760 *
1761 * @returns success indicator (allocates memory)
1762 * @param pThis The path builder & validator instance.
1763 * @param cPolicies The number of policies in @a papPolicies.
1764 * @param papPolicies The user initial policies.
1765 */
1766static bool rtCrX509CpvPolicyTreeIntersect(PRTCRX509CERTPATHSINT pThis, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1767{
1768 /*
1769 * 4.1.6.g.i - NULL tree remains NULL.
1770 */
1771 if (!pThis->v.pValidPolicyTree)
1772 return true;
1773
1774 /*
1775 * 4.1.6.g.ii - If the user set includes anyPolicy, the whole tree is the
1776 * result of the intersection.
1777 */
1778 uint32_t i = cPolicies;
1779 while (i-- > 0)
1780 if (RTAsn1ObjId_CompareWithString(papPolicies[i], RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1781 return true;
1782
1783 /*
1784 * 4.1.6.g.iii - Complicated.
1785 */
1786 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1787 PRTLISTANCHOR pList;
1788
1789 /* 1 & 2: Delete nodes which parent has valid policy == anyPolicy and which
1790 valid policy is neither anyPolicy nor a member of papszPolicies.
1791 While doing so, construct a set of unused user policies that
1792 we'll replace anyPolicy nodes with in step 3. */
1793 uint32_t cPoliciesLeft = 0;
1794 PCRTASN1OBJID *papPoliciesLeft = NULL;
1795 if (cPolicies)
1796 {
1797 papPoliciesLeft = (PCRTASN1OBJID *)rtCrX509CpvAllocZ(pThis, cPolicies * sizeof(papPoliciesLeft[0]), "papPoliciesLeft");
1798 if (!papPoliciesLeft)
1799 return false;
1800 for (i = 0; i < cPolicies; i++)
1801 papPoliciesLeft[i] = papPolicies[i];
1802 }
1803
1804 for (uint32_t iDepth = 1; iDepth <= pThis->v.cNodes; iDepth++)
1805 {
1806 pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1807 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1808 {
1809 Assert(pCur->pParent);
1810 if ( RTAsn1ObjId_CompareWithString(pCur->pParent->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0
1811 && RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) != 0)
1812 {
1813 PCRTASN1OBJID pFound = rtCrX509CpvFindObjIdInPolicySet(pCur->pValidPolicy, cPolicies, papPolicies);
1814 if (!pFound)
1815 rtCrX509CpvPolicyTreeDestroySubtree(pThis, pCur);
1816 else
1817 for (i = 0; i < cPoliciesLeft; i++)
1818 if (papPoliciesLeft[i] == pFound)
1819 {
1820 cPoliciesLeft--;
1821 if (i < cPoliciesLeft)
1822 papPoliciesLeft[i] = papPoliciesLeft[cPoliciesLeft];
1823 papPoliciesLeft[cPoliciesLeft] = NULL;
1824 break;
1825 }
1826 }
1827 }
1828 }
1829
1830 /*
1831 * 4.1.5.g.iii.3 - Replace anyPolicy nodes on the final tree depth with
1832 * the policies in papPoliciesLeft.
1833 */
1834 pList = &pThis->v.paValidPolicyDepthLists[pThis->v.cNodes];
1835 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1836 {
1837 if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1838 {
1839 for (i = 0; i < cPoliciesLeft; i++)
1840 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, pThis->v.cNodes - 1,
1841 papPoliciesLeft[i], pCur->pPolicyQualifiers, papPoliciesLeft[i]);
1842 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1843 }
1844 }
1845
1846 RTMemFree(papPoliciesLeft);
1847
1848 /*
1849 * 4.1.5.g.iii.4 - Prune the tree
1850 */
1851 rtCrX509CpvPolicyTreePrune(pThis, pThis->v.cNodes - 1);
1852
1853 return RT_SUCCESS(pThis->rc);
1854}
1855
1856
1857
1858/**
1859 * Frees the path validator state.
1860 *
1861 * @param pThis The path builder & validator instance.
1862 */
1863static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis)
1864{
1865 /*
1866 * Destroy the policy tree and all its nodes. We do this from the bottom
1867 * up via the depth lists, saving annoying tree traversal.
1868 */
1869 if (pThis->v.paValidPolicyDepthLists)
1870 {
1871 rtCrX509CpvPolicyTreeDestroy(pThis);
1872
1873 RTMemFree(pThis->v.paValidPolicyDepthLists);
1874 pThis->v.paValidPolicyDepthLists = NULL;
1875 }
1876
1877 Assert(pThis->v.pValidPolicyTree == NULL);
1878 pThis->v.pValidPolicyTree = NULL;
1879
1880 /*
1881 * Destroy the name constraint arrays.
1882 */
1883 if (pThis->v.papPermittedSubtrees)
1884 {
1885 RTMemFree(pThis->v.papPermittedSubtrees);
1886 pThis->v.papPermittedSubtrees = NULL;
1887 }
1888 pThis->v.cPermittedSubtrees = 0;
1889 pThis->v.cPermittedSubtreesAlloc = 0;
1890 pThis->v.fNoPermittedSubtrees = false;
1891
1892 if (pThis->v.papExcludedSubtrees)
1893 {
1894 RTMemFree(pThis->v.papExcludedSubtrees);
1895 pThis->v.papExcludedSubtrees = NULL;
1896 }
1897 pThis->v.cExcludedSubtrees = 0;
1898
1899 /*
1900 * Clear other pointers.
1901 */
1902 pThis->v.pWorkingIssuer = NULL;
1903 pThis->v.pWorkingPublicKey = NULL;
1904 pThis->v.pWorkingPublicKeyAlgorithm = NULL;
1905 pThis->v.pWorkingPublicKeyParameters = NULL;
1906}
1907
1908
1909
1910/**
1911 * Initializes the state.
1912 *
1913 * Caller must check pThis->rc.
1914 *
1915 * @param pThis The path builder & validator instance.
1916 * @param pTrustAnchor The trust anchor node for the path that we're about
1917 * to validate.
1918 */
1919static void rtCrX509CpvInit(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
1920{
1921 rtCrX509CpvCleanup(pThis);
1922
1923 /*
1924 * The node count does not include the trust anchor.
1925 */
1926 pThis->v.cNodes = pTrustAnchor->uDepth;
1927
1928 /*
1929 * Valid policy tree starts with an anyPolicy node.
1930 */
1931 uint32_t i = pThis->v.cNodes + 1;
1932 pThis->v.paValidPolicyDepthLists = (PRTLISTANCHOR)rtCrX509CpvAllocZ(pThis, i * sizeof(RTLISTANCHOR),
1933 "paValidPolicyDepthLists");
1934 if (RT_UNLIKELY(!pThis->v.paValidPolicyDepthLists))
1935 return;
1936 while (i-- > 0)
1937 RTListInit(&pThis->v.paValidPolicyDepthLists[i]);
1938
1939 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, NULL, 0 /* iDepth*/, &pThis->AnyPolicyObjId, NULL, &pThis->AnyPolicyObjId))
1940 return;
1941 Assert(!RTListIsEmpty(&pThis->v.paValidPolicyDepthLists[0])); Assert(pThis->v.pValidPolicyTree);
1942
1943 /*
1944 * Name constrains.
1945 */
1946 if (pThis->pInitialPermittedSubtrees)
1947 rtCrX509CpvAddPermittedSubtrees(pThis, pThis->pInitialPermittedSubtrees->cItems,
1948 pThis->pInitialPermittedSubtrees->paItems);
1949 if (pThis->pInitialExcludedSubtrees)
1950 rtCrX509CpvAddExcludedSubtrees(pThis, pThis->pInitialExcludedSubtrees);
1951
1952 /*
1953 * Counters.
1954 */
1955 pThis->v.cExplicitPolicy = pThis->cInitialExplicitPolicy;
1956 pThis->v.cInhibitPolicyMapping = pThis->cInitialPolicyMappingInhibit;
1957 pThis->v.cInhibitAnyPolicy = pThis->cInitialInhibitAnyPolicy;
1958 pThis->v.cMaxPathLength = pThis->v.cNodes;
1959
1960 /*
1961 * Certificate info from the trust anchor.
1962 */
1963 if (pTrustAnchor->pCert)
1964 {
1965 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pTrustAnchor->pCert->TbsCertificate;
1966 pThis->v.pWorkingIssuer = &pTbsCert->Subject;
1967 pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
1968 pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
1969 pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
1970 }
1971 else
1972 {
1973 Assert(pTrustAnchor->pCertCtx); Assert(pTrustAnchor->pCertCtx->pTaInfo);
1974
1975 PCRTCRTAFTRUSTANCHORINFO const pTaInfo = pTrustAnchor->pCertCtx->pTaInfo;
1976 pThis->v.pWorkingIssuer = &pTaInfo->CertPath.TaName;
1977 pThis->v.pWorkingPublicKey = &pTaInfo->PubKey.SubjectPublicKey;
1978 pThis->v.pWorkingPublicKeyAlgorithm = &pTaInfo->PubKey.Algorithm.Algorithm;
1979 pThis->v.pWorkingPublicKeyParameters = &pTaInfo->PubKey.Algorithm.Parameters;
1980 }
1981 if ( !RTASN1CORE_IS_PRESENT(&pThis->v.pWorkingPublicKeyParameters->u.Core)
1982 || pThis->v.pWorkingPublicKeyParameters->enmType == RTASN1TYPE_NULL)
1983 pThis->v.pWorkingPublicKeyParameters = NULL;
1984}
1985
1986
1987/**
1988 * Step 6.1.3.a.
1989 */
1990static bool rtCrX509CpvCheckBasicCertInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
1991{
1992 /*
1993 * 6.1.3.a.1 - Verify the certificate signature.
1994 */
1995 int rc = RTCrX509Certificate_VerifySignature(pNode->pCert, pThis->v.pWorkingPublicKeyAlgorithm,
1996 pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
1997 pThis->pErrInfo);
1998 if (RT_FAILURE(rc))
1999 {
2000 pThis->rc = rc;
2001 return false;
2002 }
2003
2004 /*
2005 * 6.1.3.a.2 - Verify that the certificate is valid at the specified time.
2006 */
2007 AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
2008 if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
2009 && !RTCrX509Validity_IsValidAtTimeSpec(&pNode->pCert->TbsCertificate.Validity, &pThis->ValidTime))
2010 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
2011 "Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
2012 RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
2013 RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
2014 RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
2015
2016 /*
2017 * 6.1.3.a.3 - Verified that the certficiate is not revoked.
2018 */
2019 /** @todo rainy day. */
2020
2021 /*
2022 * 6.1.3.a.4 - Check the issuer name.
2023 */
2024 if (!RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Issuer, pThis->v.pWorkingIssuer))
2025 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ISSUER_MISMATCH, "Issuer mismatch");
2026
2027 return true;
2028}
2029
2030
2031/**
2032 * Step 6.1.3.b-c.
2033 */
2034static bool rtCrX509CpvCheckNameConstraints(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2035{
2036 if (pThis->v.fNoPermittedSubtrees)
2037 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_PERMITTED_NAMES, "No permitted subtrees");
2038
2039 if ( pNode->pCert->TbsCertificate.Subject.cItems > 0
2040 && ( !rtCrX509CpvIsNamePermitted(pThis, &pNode->pCert->TbsCertificate.Subject)
2041 || rtCrX509CpvIsNameExcluded(pThis, &pNode->pCert->TbsCertificate.Subject)) )
2042 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NAME_NOT_PERMITTED,
2043 "Subject name is not permitted by current name constraints");
2044
2045 PCRTCRX509GENERALNAMES pAltSubjectName = pNode->pCert->TbsCertificate.T3.pAltSubjectName;
2046 if (pAltSubjectName)
2047 {
2048 uint32_t i = pAltSubjectName->cItems;
2049 while (i-- > 0)
2050 if ( !rtCrX509CpvIsGeneralNamePermitted(pThis, &pAltSubjectName->paItems[i])
2051 || rtCrX509CpvIsGeneralNameExcluded(pThis, &pAltSubjectName->paItems[i]))
2052 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ALT_NAME_NOT_PERMITTED,
2053 "Alternative name #%u is is not permitted by current name constraints", i);
2054 }
2055
2056 return true;
2057}
2058
2059
2060/**
2061 * Step 6.1.3.d-f.
2062 */
2063static bool rtCrX509CpvWorkValidPolicyTree(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth, PRTCRX509CERTPATHNODE pNode,
2064 bool fSelfIssued)
2065{
2066 PCRTCRX509CERTIFICATEPOLICIES pPolicies = pNode->pCert->TbsCertificate.T3.pCertificatePolicies;
2067 if (pPolicies)
2068 {
2069 /*
2070 * 6.1.3.d.1 - Work the certiciate policies into the tree.
2071 */
2072 PRTCRX509CERTPATHSPOLICYNODE pCur;
2073 PRTLISTANCHOR pListAbove = &pThis->v.paValidPolicyDepthLists[iDepth - 1];
2074 uint32_t iAnyPolicy = UINT32_MAX;
2075 uint32_t i = pPolicies->cItems;
2076 while (i-- > 0)
2077 {
2078 PCRTCRX509POLICYQUALIFIERINFOS const pQualifiers = &pPolicies->paItems[i].PolicyQualifiers;
2079 PCRTASN1OBJID const pIdP = &pPolicies->paItems[i].PolicyIdentifier;
2080 if (RTAsn1ObjId_CompareWithString(pIdP, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2081 {
2082 iAnyPolicy++;
2083 continue;
2084 }
2085
2086 /*
2087 * 6.1.3.d.1.i - Create children for matching policies.
2088 */
2089 uint32_t cMatches = 0;
2090 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2091 {
2092 bool fMatch = RTAsn1ObjId_Compare(pCur->pExpectedPolicyFirst, pIdP) == 0;
2093 if (!fMatch && pCur->cMoreExpectedPolicySet)
2094 for (uint32_t j = 0; !fMatch && j < pCur->cMoreExpectedPolicySet; j++)
2095 fMatch = RTAsn1ObjId_Compare(pCur->papMoreExpectedPolicySet[j], pIdP) == 0;
2096 if (fMatch)
2097 {
2098 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2099 return false;
2100 cMatches++;
2101 }
2102 }
2103
2104 /*
2105 * 6.1.3.d.1.ii - If no matches above do the same for anyPolicy
2106 * nodes, only match with valid policy this time.
2107 */
2108 if (cMatches == 0)
2109 {
2110 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2111 {
2112 if (RTAsn1ObjId_CompareWithString(pCur->pExpectedPolicyFirst, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2113 {
2114 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2115 return false;
2116 }
2117 }
2118 }
2119 }
2120
2121 /*
2122 * 6.1.3.d.2 - If anyPolicy present, make sure all expected policies
2123 * are propagated to the current depth.
2124 */
2125 if ( iAnyPolicy < pPolicies->cItems
2126 && ( pThis->v.cInhibitAnyPolicy > 0
2127 || (pNode->pParent && fSelfIssued) ) )
2128 {
2129 PCRTCRX509POLICYQUALIFIERINFOS pApQ = &pPolicies->paItems[iAnyPolicy].PolicyQualifiers;
2130 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2131 {
2132 if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->pExpectedPolicyFirst))
2133 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->pExpectedPolicyFirst, pApQ,
2134 pCur->pExpectedPolicyFirst);
2135 for (uint32_t j = 0; j < pCur->cMoreExpectedPolicySet; j++)
2136 if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->papMoreExpectedPolicySet[j]))
2137 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->papMoreExpectedPolicySet[j], pApQ,
2138 pCur->papMoreExpectedPolicySet[j]);
2139 }
2140 }
2141 /*
2142 * 6.1.3.d.3 - Prune the tree.
2143 */
2144 else
2145 rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2146 }
2147 else
2148 {
2149 /*
2150 * 6.1.3.e - No policy extension present, set tree to NULL.
2151 */
2152 rtCrX509CpvPolicyTreeDestroy(pThis);
2153 }
2154
2155 /*
2156 * 6.1.3.f - NULL tree check.
2157 */
2158 if ( pThis->v.pValidPolicyTree == NULL
2159 && pThis->v.cExplicitPolicy == 0)
2160 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY,
2161 "An explicit policy is called for but the valid policy tree is NULL.");
2162 return RT_SUCCESS(pThis->rc);
2163}
2164
2165
2166/**
2167 * Step 6.1.4.a-b.
2168 */
2169static bool rtCrX509CpvSoakUpPolicyMappings(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth,
2170 PCRTCRX509POLICYMAPPINGS pPolicyMappings)
2171{
2172 /*
2173 * 6.1.4.a - The anyPolicy is not allowed in policy mappings as it would
2174 * allow an evil intermediate certificate to expand the policy
2175 * scope of a certiciate chain without regard to upstream.
2176 */
2177 uint32_t i = pPolicyMappings->cItems;
2178 while (i-- > 0)
2179 {
2180 if (RTAsn1ObjId_CompareWithString(&pPolicyMappings->paItems[i].IssuerDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2181 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2182 "Invalid policy mapping %#u: IssuerDomainPolicy is anyPolicy.", i);
2183
2184 if (RTAsn1ObjId_CompareWithString(&pPolicyMappings->paItems[i].SubjectDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2185 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2186 "Invalid policy mapping %#u: SubjectDomainPolicy is anyPolicy.", i);
2187 }
2188
2189 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
2190 if (pThis->v.cInhibitPolicyMapping > 0)
2191 {
2192 /*
2193 * 6.1.4.b.1 - Do the policy mapping.
2194 */
2195 i = pPolicyMappings->cItems;
2196 while (i-- > 0)
2197 {
2198 uint32_t cFound = 0;
2199 RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2200 {
2201 if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pPolicyMappings->paItems[i].IssuerDomainPolicy))
2202 {
2203 if (!pCur->fAlreadyMapped)
2204 {
2205 pCur->fAlreadyMapped = true;
2206 pCur->pExpectedPolicyFirst = &pPolicyMappings->paItems[i].SubjectDomainPolicy;
2207 }
2208 else
2209 {
2210 uint32_t iExpected = pCur->cMoreExpectedPolicySet;
2211 void *pvNew = RTMemRealloc(pCur->papMoreExpectedPolicySet,
2212 sizeof(pCur->papMoreExpectedPolicySet[0]) * (iExpected + 1));
2213 if (!pvNew)
2214 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY,
2215 "Error growing papMoreExpectedPolicySet array (cur %u, depth %u)",
2216 pCur->cMoreExpectedPolicySet, iDepth);
2217 pCur->papMoreExpectedPolicySet = (PCRTASN1OBJID *)pvNew;
2218 pCur->papMoreExpectedPolicySet[iExpected] = &pPolicyMappings->paItems[i].SubjectDomainPolicy;
2219 pCur->cMoreExpectedPolicySet = iExpected + 1;
2220 }
2221 cFound++;
2222 }
2223 }
2224
2225 /*
2226 * If no mapping took place, look for an anyPolicy node.
2227 */
2228 if (!cFound)
2229 {
2230 RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2231 {
2232 if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2233 {
2234 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, iDepth,
2235 &pPolicyMappings->paItems[i].IssuerDomainPolicy,
2236 pCur->pPolicyQualifiers,
2237 &pPolicyMappings->paItems[i].SubjectDomainPolicy))
2238 return false;
2239 break;
2240 }
2241 }
2242 }
2243 }
2244 }
2245 else
2246 {
2247 /*
2248 * 6.1.4.b.2 - Remove matching policies from the tree if mapping is
2249 * inhibited and prune the tree.
2250 */
2251 uint32_t cRemoved = 0;
2252 i = pPolicyMappings->cItems;
2253 while (i-- > 0)
2254 {
2255 RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2256 {
2257 if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pPolicyMappings->paItems[i].IssuerDomainPolicy))
2258 {
2259 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
2260 cRemoved++;
2261 }
2262 }
2263 }
2264 if (cRemoved)
2265 rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2266 }
2267
2268 return true;
2269}
2270
2271
2272/**
2273 * Step 6.1.4.d-f & 6.1.5.c-e.
2274 */
2275static void rtCrX509CpvSetWorkingPublicKeyInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2276{
2277 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2278
2279 /*
2280 * 6.1.4.d - The public key.
2281 */
2282 pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2283
2284 /*
2285 * 6.1.4.e - The public key parameters. Use new ones if present, keep old
2286 * if the algorithm remains the same.
2287 */
2288 if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
2289 && pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
2290 pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2291 else if ( pThis->v.pWorkingPublicKeyParameters
2292 && RTAsn1ObjId_Compare(pThis->v.pWorkingPublicKeyAlgorithm, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm) != 0)
2293 pThis->v.pWorkingPublicKeyParameters = NULL;
2294
2295 /*
2296 * 6.1.4.f - The public algorithm.
2297 */
2298 pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2299}
2300
2301
2302/**
2303 * Step 6.1.4.g.
2304 */
2305static bool rtCrX509CpvSoakUpNameConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAMECONSTRAINTS pNameConstraints)
2306{
2307 if (pNameConstraints->T0.PermittedSubtrees.cItems > 0)
2308 if (!rtCrX509CpvIntersectionPermittedSubtrees(pThis, &pNameConstraints->T0.PermittedSubtrees))
2309 return false;
2310
2311 if (pNameConstraints->T1.ExcludedSubtrees.cItems > 0)
2312 if (!rtCrX509CpvAddExcludedSubtrees(pThis, &pNameConstraints->T1.ExcludedSubtrees))
2313 return false;
2314
2315 return true;
2316}
2317
2318
2319/**
2320 * Step 6.1.4.i.
2321 */
2322static bool rtCrX509CpvSoakUpPolicyConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints)
2323{
2324 if (RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy))
2325 {
2326 if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, pThis->v.cExplicitPolicy) < 0)
2327 pThis->v.cExplicitPolicy = pPolicyConstraints->RequireExplicitPolicy.uValue.s.Lo;
2328 }
2329
2330 if (RTAsn1Integer_IsPresent(&pPolicyConstraints->InhibitPolicyMapping))
2331 {
2332 if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->InhibitPolicyMapping, pThis->v.cInhibitPolicyMapping) < 0)
2333 pThis->v.cInhibitPolicyMapping = pPolicyConstraints->InhibitPolicyMapping.uValue.s.Lo;
2334 }
2335 return true;
2336}
2337
2338
2339/**
2340 * Step 6.1.4.j.
2341 */
2342static bool rtCrX509CpvSoakUpInhibitAnyPolicy(PRTCRX509CERTPATHSINT pThis, PCRTASN1INTEGER pInhibitAnyPolicy)
2343{
2344 if (RTAsn1Integer_UnsignedCompareWithU32(pInhibitAnyPolicy, pThis->v.cInhibitAnyPolicy) < 0)
2345 pThis->v.cInhibitAnyPolicy = pInhibitAnyPolicy->uValue.s.Lo;
2346 return true;
2347}
2348
2349
2350/**
2351 * Steps 6.1.4.k, 6.1.4.l, 6.1.4.m, and 6.1.4.n.
2352 */
2353static bool rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
2354 bool fSelfIssued)
2355{
2356 /* 6.1.4.k - If basic constraints present, CA must be set. */
2357 if (RTAsn1Integer_UnsignedCompareWithU32(&pNode->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
2358 {
2359 /* Note! Add flags if support for older certificates is needed later. */
2360 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
2361 "Only version 3 certificates are supported (Version=%llu)",
2362 pNode->pCert->TbsCertificate.T0.Version.uValue);
2363 }
2364 PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pNode->pCert->TbsCertificate.T3.pBasicConstraints;
2365 if (pBasicConstraints)
2366 {
2367 if (!pBasicConstraints->CA.fValue)
2368 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
2369 "Intermediate certificate (#%u) is not marked as a CA", pThis->v.iNode);
2370 }
2371
2372 /* 6.1.4.l - Work cMaxPathLength. */
2373 if (!fSelfIssued)
2374 {
2375 if (pThis->v.cMaxPathLength > 0)
2376 pThis->v.cMaxPathLength--;
2377 else
2378 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MAX_PATH_LENGTH,
2379 "Hit max path length at node #%u", pThis->v.iNode);
2380 }
2381
2382 /* 6.1.4.m - Update cMaxPathLength if basic constrain field is present and smaller. */
2383 if (pBasicConstraints)
2384 {
2385 if (RTAsn1Integer_IsPresent(&pBasicConstraints->PathLenConstraint))
2386 if (RTAsn1Integer_UnsignedCompareWithU32(&pBasicConstraints->PathLenConstraint, pThis->v.cMaxPathLength) < 0)
2387 pThis->v.cMaxPathLength = pBasicConstraints->PathLenConstraint.uValue.s.Lo;
2388 }
2389
2390 /* 6.1.4.n - Require keyCertSign in key usage if the extension is present. */
2391 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2392 if ( (pTbsCert->T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE)
2393 && !(pTbsCert->T3.fKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN))
2394 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MISSING_KEY_CERT_SIGN,
2395 "Node #%u does not have KeyCertSign set (keyUsage=%#x)",
2396 pThis->v.iNode, pTbsCert->T3.fKeyUsage);
2397
2398 return true;
2399}
2400
2401
2402/**
2403 * Step 6.1.4.o - check out critical extensions.
2404 */
2405static bool rtCrX509CpvCheckCriticalExtensions(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2406{
2407 uint32_t cLeft = pNode->pCert->TbsCertificate.T3.Extensions.cItems;
2408 PCRTCRX509EXTENSION pCur = pNode->pCert->TbsCertificate.T3.Extensions.paItems;
2409 while (cLeft-- > 0)
2410 {
2411 if (pCur->Critical.fValue)
2412 {
2413 if ( RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) != 0
2414 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) != 0
2415 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) != 0
2416 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) != 0
2417 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) != 0
2418 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) != 0
2419 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) != 0
2420 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) != 0
2421 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) != 0
2422 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) != 0
2423 )
2424 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
2425 "Node #%u has an unknown critical extension: %s", pThis->v.iNode, pCur->ExtnId.szObjId);
2426 }
2427
2428 pCur++;
2429 }
2430
2431 return true;
2432}
2433
2434
2435/**
2436 * Step 6.1.5 - The wrapping up.
2437 */
2438static bool rtCrX509CpvWrapUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2439{
2440 Assert(!pNode->pParent); Assert(pThis->pTarget == pNode->pCert);
2441
2442 /*
2443 * 6.1.5.a - Decrement explicit policy.
2444 */
2445 if (pThis->v.cExplicitPolicy > 0)
2446 pThis->v.cExplicitPolicy--;
2447
2448 /*
2449 * 6.1.5.b - Policy constraints and explicit policy.
2450 */
2451 PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints = pNode->pCert->TbsCertificate.T3.pPolicyConstraints;
2452 if ( pPolicyConstraints
2453 && RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy)
2454 && RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, 0) == 0)
2455 pThis->v.cExplicitPolicy = 0;
2456
2457 /*
2458 * 6.1.5.c-e - Update working public key info.
2459 */
2460 rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode);
2461
2462 /*
2463 * 6.1.5.f - Critical extensions.
2464 */
2465 if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode))
2466 return false;
2467
2468 /*
2469 * 6.1.5.g - Calculate the intersection between the user initial policy set
2470 * and the valid policy tree.
2471 */
2472 rtCrX509CpvPolicyTreeIntersect(pThis, pThis->cInitialUserPolicySet, pThis->papInitialUserPolicySet);
2473
2474 if ( pThis->v.cExplicitPolicy == 0
2475 && pThis->v.pValidPolicyTree == NULL)
2476 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY, "No valid policy (wrap-up).");
2477
2478 return true;
2479}
2480
2481
2482/**
2483 * Worker that validates one path.
2484 *
2485 * This implements the the algorithm in RFC-5280, section 6.1, with exception of
2486 * the CRL checks in 6.1.3.a.3.
2487 *
2488 * @returns success indicator.
2489 * @param pThis The path builder & validator instance.
2490 * @param pTrustAnchor The trust anchor node.
2491 */
2492static bool rtCrX509CpvOneWorker(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2493{
2494 /*
2495 * Special case, target certificate is trusted.
2496 */
2497 if (!pTrustAnchor->pParent)
2498 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CERTPATHS_INTERNAL_ERROR, "Target certificate is trusted.");
2499
2500 /*
2501 * Normal processing.
2502 */
2503 rtCrX509CpvInit(pThis, pTrustAnchor);
2504 if (RT_SUCCESS(pThis->rc))
2505 {
2506 PRTCRX509CERTPATHNODE pNode = pTrustAnchor->pParent;
2507 uint32_t iNode = pThis->v.iNode = 1; /* We count to cNode (inclusive). Same a validation tree depth. */
2508 while (pNode && RT_SUCCESS(pThis->rc))
2509 {
2510 /*
2511 * Basic certificate processing.
2512 */
2513 if (!rtCrX509CpvCheckBasicCertInfo(pThis, pNode)) /* Step 6.1.3.a */
2514 break;
2515
2516 bool const fSelfIssued = rtCrX509CertPathsIsSelfIssued(pNode);
2517 if (!fSelfIssued || !pNode->pParent) /* Step 6.1.3.b-c */
2518 if (!rtCrX509CpvCheckNameConstraints(pThis, pNode))
2519 break;
2520
2521 if (!rtCrX509CpvWorkValidPolicyTree(pThis, iNode, pNode, fSelfIssued)) /* Step 6.1.3.d-f */
2522 break;
2523
2524 /*
2525 * If it's the last certificate in the path, do wrap-ups.
2526 */
2527 if (!pNode->pParent) /* Step 6.1.5 */
2528 {
2529 Assert(iNode == pThis->v.cNodes);
2530 if (!rtCrX509CpvWrapUp(pThis, pNode))
2531 break;
2532 AssertRCBreak(pThis->rc);
2533 return true;
2534 }
2535
2536 /*
2537 * Preparations for the next certificate.
2538 */
2539 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2540 if ( pTbsCert->T3.pPolicyMappings
2541 && !rtCrX509CpvSoakUpPolicyMappings(pThis, iNode, pTbsCert->T3.pPolicyMappings)) /* Step 6.1.4.a-b */
2542 break;
2543
2544 pThis->v.pWorkingIssuer = &pTbsCert->Subject; /* Step 6.1.4.c */
2545
2546 rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode); /* Step 6.1.4.d-f */
2547
2548 if ( pTbsCert->T3.pNameConstraints /* Step 6.1.4.g */
2549 && !rtCrX509CpvSoakUpNameConstraints(pThis, pTbsCert->T3.pNameConstraints))
2550 break;
2551
2552 if (!fSelfIssued) /* Step 6.1.4.h */
2553 {
2554 if (pThis->v.cExplicitPolicy > 0)
2555 pThis->v.cExplicitPolicy--;
2556 if (pThis->v.cInhibitPolicyMapping > 0)
2557 pThis->v.cInhibitPolicyMapping--;
2558 if (pThis->v.cInhibitAnyPolicy > 0)
2559 pThis->v.cInhibitAnyPolicy--;
2560 }
2561
2562 if ( pTbsCert->T3.pPolicyConstraints /* Step 6.1.4.j */
2563 && !rtCrX509CpvSoakUpPolicyConstraints(pThis, pTbsCert->T3.pPolicyConstraints))
2564 break;
2565
2566 if ( pTbsCert->T3.pInhibitAnyPolicy /* Step 6.1.4.j */
2567 && !rtCrX509CpvSoakUpInhibitAnyPolicy(pThis, pTbsCert->T3.pInhibitAnyPolicy))
2568 break;
2569
2570 if (!rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(pThis, pNode, fSelfIssued)) /* Step 6.1.4.k-n */
2571 break;
2572
2573 if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode)) /* Step 6.1.4.o */
2574 break;
2575
2576 /*
2577 * Advance to the next certificate.
2578 */
2579 pNode = pNode->pParent;
2580 pThis->v.iNode = ++iNode;
2581 }
2582 AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
2583 }
2584 return false;
2585}
2586
2587
2588RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo)
2589{
2590 /*
2591 * Validate the input.
2592 */
2593 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2594 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2595 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2596 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2597 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2598 AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2599 AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2600
2601 /*
2602 * Locate the path and validate it.
2603 */
2604 int rc;
2605 if (iPath < pThis->cPaths)
2606 {
2607 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2608 if (pLeaf)
2609 {
2610 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc))
2611 {
2612 pThis->pErrInfo = pErrInfo;
2613 rtCrX509CpvOneWorker(pThis, pLeaf);
2614 pThis->pErrInfo = NULL;
2615 rc = pThis->rc;
2616 pThis->rc = VINF_SUCCESS;
2617 }
2618 else
2619 rc = RTErrInfoSetF(pErrInfo, VERR_CR_X509_NO_TRUST_ANCHOR, "Path #%u is does not have a trust anchor: uSrc=%s",
2620 iPath, rtCrX509CertPathsNodeGetSourceName(pLeaf));
2621 pLeaf->rcVerify = rc;
2622 }
2623 else
2624 rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
2625 }
2626 else
2627 rc = VERR_NOT_FOUND;
2628 return rc;
2629}
2630
2631
2632RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo)
2633{
2634 /*
2635 * Validate the input.
2636 */
2637 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2638 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2639 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2640 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2641 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2642 AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2643 AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2644 AssertPtrNullReturn(pcValidPaths, VERR_INVALID_POINTER);
2645
2646 /*
2647 * Validate the paths.
2648 */
2649 pThis->pErrInfo = pErrInfo;
2650
2651 int rcLastFailure = VINF_SUCCESS;
2652 uint32_t cValidPaths = 0;
2653 uint32_t iPath = 0;
2654 PRTCRX509CERTPATHNODE pCurLeaf;
2655 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
2656 {
2657 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc))
2658 {
2659 rtCrX509CpvOneWorker(hCertPaths, pCurLeaf);
2660 if (RT_SUCCESS(pThis->rc))
2661 cValidPaths++;
2662 else
2663 rcLastFailure = pThis->rc;
2664 pCurLeaf->rcVerify = pThis->rc;
2665 pThis->rc = VINF_SUCCESS;
2666 }
2667 else
2668 pCurLeaf->rcVerify = VERR_CR_X509_NO_TRUST_ANCHOR;
2669 }
2670
2671 pThis->pErrInfo = NULL;
2672
2673 if (pcValidPaths)
2674 *pcValidPaths = cValidPaths;
2675 if (cValidPaths > 0)
2676 return VINF_SUCCESS;
2677 if (RT_SUCCESS_NP(rcLastFailure))
2678 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CPV_NO_TRUSTED_PATHS,
2679 "None of the %u path(s) have a trust anchor.", pThis->cPaths);
2680 return rcLastFailure;
2681}
2682
2683
2684RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths)
2685{
2686 /*
2687 * Validate the input.
2688 */
2689 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2690 AssertPtrReturn(pThis, UINT32_MAX);
2691 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2692 AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2693
2694 /*
2695 * Return data.
2696 */
2697 return pThis->cPaths;
2698}
2699
2700
2701RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
2702 bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject,
2703 PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
2704 PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx,
2705 int *prcVerify)
2706{
2707 /*
2708 * Validate the input.
2709 */
2710 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2711 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2712 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2713 AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2714 AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2715
2716 /*
2717 * Get the data.
2718 */
2719 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2720 AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2721
2722 if (pfTrusted)
2723 *pfTrusted = RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc);
2724
2725 if (pcNodes)
2726 *pcNodes = pLeaf->uDepth + 1; /* Includes both trust anchor and target. */
2727
2728 if (ppSubject)
2729 *ppSubject = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.Subject : &pLeaf->pCertCtx->pTaInfo->CertPath.TaName;
2730
2731 if (ppPublicKeyInfo)
2732 *ppPublicKeyInfo = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.SubjectPublicKeyInfo : &pLeaf->pCertCtx->pTaInfo->PubKey;
2733
2734 if (ppCert)
2735 *ppCert = pLeaf->pCert;
2736
2737 if (ppCertCtx)
2738 {
2739 if (pLeaf->pCertCtx)
2740 {
2741 uint32_t cRefs = RTCrCertCtxRetain(pLeaf->pCertCtx);
2742 AssertReturn(cRefs != UINT32_MAX, VERR_CR_X509_INTERNAL_ERROR);
2743 }
2744 *ppCertCtx = pLeaf->pCertCtx;
2745 }
2746
2747 if (prcVerify)
2748 *prcVerify = pLeaf->rcVerify;
2749
2750 return VINF_SUCCESS;
2751}
2752
2753
2754RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2755{
2756 /*
2757 * Validate the input.
2758 */
2759 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2760 AssertPtrReturn(pThis, UINT32_MAX);
2761 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2762 AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2763 AssertReturn(iPath < pThis->cPaths, UINT32_MAX);
2764
2765 /*
2766 * Get the data.
2767 */
2768 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2769 AssertReturn(pLeaf, UINT32_MAX);
2770 return pLeaf->uDepth + 1;
2771}
2772
2773
2774RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2775{
2776 /*
2777 * Validate the input.
2778 */
2779 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2780 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2781 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2782 AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2783 AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2784
2785 /*
2786 * Get the data.
2787 */
2788 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2789 AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2790
2791 return pLeaf->rcVerify;
2792}
2793
2794
2795static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetPathNodeByIndexes(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, uint32_t iNode)
2796{
2797 PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2798 Assert(pNode);
2799 if (pNode)
2800 {
2801 if (iNode <= pNode->uDepth)
2802 {
2803 uint32_t uCertDepth = pNode->uDepth - iNode;
2804 while (pNode->uDepth > uCertDepth)
2805 pNode = pNode->pParent;
2806 Assert(pNode);
2807 Assert(pNode && pNode->uDepth == uCertDepth);
2808 return pNode;
2809 }
2810 }
2811
2812 return NULL;
2813}
2814
2815
2816RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode)
2817{
2818 /*
2819 * Validate the input.
2820 */
2821 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2822 AssertPtrReturn(pThis, NULL);
2823 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, NULL);
2824 AssertPtrReturn(pThis->pRoot, NULL);
2825 AssertReturn(iPath < pThis->cPaths, NULL);
2826
2827 /*
2828 * Get the data.
2829 */
2830 PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetPathNodeByIndexes(pThis, iPath, iNode);
2831 if (pNode)
2832 return pNode->pCert;
2833 return NULL;
2834}
2835
2836
2837/** @} */
2838
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette