x509-core.cpp@ 85121

最後變更在這個檔案從85121是 84248,由 vboxsync 提交於 5 年前
IPRT/crypto: Adding functions for checking whether a key or certificate can handle a given digest (size wise). Also, added OIDs, padding variants and stuff for sha512-224WithRSAEncryption and sha512-256WithRSAEncryption (RFC-8017). Note that OpenSSL does not implement these yet. bugref:9699
屬性 svn:eol-style 設為 `native` 屬性 svn:keywords 設為 `Author Date Id Revision`
檔案大小: 60.8 KB

行
1	/* $Id: x509-core.cpp 84248 2020-05-11 11:46:40Z vboxsync $ */
2	/** @file
3	* IPRT - Crypto - X.509, Core APIs.
4	*/
5
6	/*
7	* Copyright (C) 2006-2020 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.alldomusa.eu.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#include "internal/iprt.h"
32	#include <iprt/crypto/x509.h>
33
34	#include <iprt/err.h>
35	#include <iprt/string.h>
36	#include <iprt/uni.h>
37
38	#include "x509-internal.h"
39
40
41	/*
42	* Generate the code.
43	*/
44	#include <iprt/asn1-generator-core.h>
45
46
47	/*
48	* X.509 Validity.
49	*/
50
51	RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
52	{
53	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
54	return false;
55	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
56	return false;
57	return true;
58	}
59
60
61	/*
62	* One X.509 Algorithm Identifier.
63	*/
64
65	RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
66	{
67	AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
68	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
69	return RTDIGESTTYPE_MD5;
70	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
71	return RTDIGESTTYPE_SHA1;
72	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
73	return RTDIGESTTYPE_SHA256;
74	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
75	return RTDIGESTTYPE_SHA512;
76
77	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
78	return RTDIGESTTYPE_SHA384;
79	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
80	return RTDIGESTTYPE_SHA224;
81	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
82	return RTDIGESTTYPE_SHA512T224;
83	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
84	return RTDIGESTTYPE_SHA512T256;
85	return RTDIGESTTYPE_INVALID;
86	}
87
88
89	RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
90	{
91	AssertPtrReturn(pThis, UINT32_MAX);
92
93	/* common */
94	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
95	return 128 / 8;
96	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
97	return 160 / 8;
98	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
99	return 256 / 8;
100	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
101	return 512 / 8;
102
103	/* Less common. */
104	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
105	return 128 / 8;
106	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
107	return 128 / 8;
108	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
109	return 384 / 8;
110	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
111	return 224 / 8;
112	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
113	return 224 / 8;
114	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
115	return 256 / 8;
116	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
117	return 512 / 8;
118
119	return UINT32_MAX;
120	}
121
122
123	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
124	{
125	return strcmp(pThis->Algorithm.szObjId, pszObjId);
126	}
127
128
129	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
130	const char *pszEncryptedDigestOid)
131	{
132	/* common */
133	if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
134	{
135	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
136	return 0;
137	}
138	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
139	{
140	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
141	return 0;
142	}
143	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
144	{
145	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
146	return 0;
147	}
148	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
149	{
150	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
151	return 0;
152	}
153	/* Less common. */
154	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
155	{
156	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
157	return 0;
158	}
159	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
160	{
161	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
162	return 0;
163	}
164	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
165	{
166	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
167	return 0;
168	}
169	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
170	{
171	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
172	return 0;
173	}
174	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
175	{
176	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
177	return 0;
178	}
179	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
180	{
181	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
182	return 0;
183	}
184	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
185	{
186	/* ?? */
187	}
188	else
189	return -1;
190	return 1;
191	}
192
193	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
194	PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
195	{
196	return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
197	pEncryptedDigest->Algorithm.szObjId);
198	}
199
200
201	RTDECL(const char ) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char pszEncryptionOid,
202	const char *pszDigestOid)
203	{
204	/* RSA: */
205	if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
206	{
207	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
208	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
209	return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
210	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
211	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
212	return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
213	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
214	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
215	return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
216	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
217	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
218	return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
219	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
220	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
221	return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
222	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
223	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
224	return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
225	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
226	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
227	return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
228	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
229	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
230	return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
231	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224)
232	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
233	return RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA;
234	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256)
235	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
236	return RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA;
237
238	/* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
239	return ???; */
240	}
241	else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
242	return pszEncryptionOid;
243
244	AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
245	return NULL;
246	}
247
248
249	RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
250	PCRTCRX509ALGORITHMIDENTIFIER pDigest)
251	{
252	return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
253	pDigest->Algorithm.szObjId);
254	}
255
256
257	/*
258	* Set of X.509 Algorithm Identifiers.
259	*/
260
261
262	/*
263	* One X.509 AttributeTypeAndValue.
264	*/
265
266
267	/*
268	* Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
269	*/
270
271	/**
272	* Slow code path of rtCrX509CanNameIsNothing.
273	*
274	* @returns true if @uc maps to nothing, false if not.
275	* @param uc The unicode code point.
276	*/
277	static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
278	{
279	switch (uc)
280	{
281	/* 2.2 Map - Paragraph 1: */
282	case 0x00ad:
283	case 0x1806:
284	case 0x034f:
285	case 0x180b: case 0x180c: case 0x180d:
286
287	case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
288	case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
289	case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
290	case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
291
292	case 0xfffc:
293
294	/* 2.2 Map - Paragraph 3 (control code/function): */
295	case 0x0000: case 0x0001: case 0x0002: case 0x0003:
296	case 0x0004: case 0x0005: case 0x0006: case 0x0007:
297	case 0x0008:
298
299	case 0x000e: case 0x000f:
300	case 0x0010: case 0x0011: case 0x0012: case 0x0013:
301	case 0x0014: case 0x0015: case 0x0016: case 0x0017:
302	case 0x0018: case 0x0019: case 0x001a: case 0x001b:
303	case 0x001c: case 0x001d: case 0x001e: case 0x001f:
304
305	case 0x007f:
306	case 0x0080: case 0x0081: case 0x0082: case 0x0083:
307	case 0x0084: /case 0x0085:/ case 0x0086: case 0x0087:
308	case 0x0088: case 0x0089: case 0x008a: case 0x008b:
309	case 0x008c: case 0x008d: case 0x008e: case 0x008f:
310	case 0x0090: case 0x0091: case 0x0092: case 0x0093:
311	case 0x0094: case 0x0095: case 0x0096: case 0x0097:
312	case 0x0098: case 0x0099: case 0x009a: case 0x009b:
313	case 0x009c: case 0x009d: case 0x009e: case 0x009f:
314
315	case 0x06dd:
316	case 0x070f:
317	case 0x180e:
318	case 0x200c: case 0x200d: case 0x200e: case 0x200f:
319	case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
320	case 0x2060: case 0x2061: case 0x2062: case 0x2063:
321	case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
322	case 0xfeff:
323	case 0xfff9: case 0xfffa: case 0xfffb:
324	case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
325	case 0xe0001:
326	case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
327	case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
328	case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
329	case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
330	case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
331	case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
332	case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
333	case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
334	case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
335	case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
336	case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
337	case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
338	case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
339	case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
340	case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
341	case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
342	case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
343	case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
344	case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
345	case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
346	case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
347	case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
348	case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
349	case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
350
351	/* 2.2 Map - Paragraph 4. */
352	case 0x200b:
353	return true;
354	}
355	return false;
356	}
357
358
359	/**
360	* Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
361	* RFC-4518.
362	*
363	* @returns true if @uc maps to nothing, false if not.
364	* @param uc The unicode code point.
365	*/
366	DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
367	{
368	if (uc > 0x001f && uc < 0x00ad)
369	return false;
370	return rtCrX509CanNameIsNothingSlow(uc);
371	}
372
373
374	/**
375	* Slow code path of rtCrX509CanNameIsSpace.
376	*
377	* @returns true if space, false if not.
378	* @param uc The unicode code point.
379	*/
380	static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
381	{
382	switch (uc)
383	{
384	/* 2.2 Map - Paragraph 2. */
385	case 0x09:
386	case 0x0a:
387	case 0x0b:
388	case 0x0c:
389	case 0x0d:
390	case 0x20:
391	case 0x0085:
392	case 0x00a0:
393	case 0x1680:
394	case 0x2000: case 0x2001: case 0x2002: case 0x2003:
395	case 0x2004: case 0x2005: case 0x2006: case 0x2007:
396	case 0x2008: case 0x2009: case 0x200a:
397	case 0x2028: case 0x2029:
398	case 0x202f:
399	case 0x205f:
400	case 0x3000:
401	return true;
402	}
403	return false;
404	}
405
406
407	/**
408	* Checks if @a uc is a space character according to the mapping rules of
409	* RFC-5280 and RFC-4518.
410	*
411	* @returns true if space, false if not.
412	* @param uc The unicode code point.
413	*/
414	DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
415	{
416	if (uc < 0x0085)
417	{
418	if (uc > 0x0020)
419	return false;
420	if (uc == 0x0020) /* space */
421	return true;
422	}
423	return rtCrX509CanNameIsSpaceSlow(uc);
424	}
425
426
427	static const char rtCrX509CanNameStripLeft(const char psz, size_t *pcch)
428	{
429	/*
430	* Return space when we've encountered the first non-space-non-nothing code point.
431	*/
432	const char * const pszStart = psz;
433	const char *pszPrev;
434	for (;;)
435	{
436	pszPrev = psz;
437	RTUNICP uc;
438	int rc = RTStrGetCpEx(&psz, &uc);
439	AssertRCBreak(rc);
440	if (!uc)
441	{
442	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
443	break;
444	/* NUL inside the string, maps to nothing => ignore it. */
445	}
446	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
447	break;
448	}
449	*pcch -= pszPrev - pszStart;
450	return pszPrev;
451	}
452
453
454	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char *ppsz, size_t pcch)
455	{
456	/*
457	* Return space when we've encountered the first non-space-non-nothing code point.
458	*/
459	RTUNICP uc;
460	const char psz = ppsz;
461	const char * const pszStart = psz;
462	const char *pszPrev;
463	for (;;)
464	{
465	pszPrev = psz;
466	int rc = RTStrGetCpEx(&psz, &uc);
467	AssertRCBreakStmt(rc, uc = 0x20);
468	if (!uc)
469	{
470	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
471	{
472	uc = 0; /* End of string: Ignore trailing spaces. */
473	break;
474	}
475	/* NUL inside the string, maps to nothing => ignore it. */
476	}
477	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
478	{
479	uc = 0x20; /* Return space before current char. */
480	break;
481	}
482	}
483
484	*ppsz = pszPrev;
485	*pcch -= pszPrev - pszStart;
486	return uc;
487	}
488
489
490	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char *ppsz, size_t pcch)
491	{
492	while (*pcch > 0)
493	{
494	const char psz = ppsz;
495	RTUNICP uc = *psz;
496	if (uc < 0x80)
497	{
498	*pcch -= 1;
499	*ppsz = psz + 1;
500	}
501	else
502	{
503	int rc = RTStrGetCpEx(ppsz, &uc);
504	AssertRCReturn(rc, uc);
505	size_t cchCp = *ppsz - psz;
506	AssertReturn(cchCp <= *pcch, 0);
507	*pcch -= cchCp;
508	}
509	if (uc != 0)
510	return uc;
511	}
512	return 0;
513	}
514
515
516	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char *ppsz, size_t pcch)
517	{
518	/*
519	* Return first code point which doesn't map to nothing. If we encounter
520	* a space, we defer to the mapping-after-space routine above.
521	*/
522	for (;;)
523	{
524	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
525	if (rtCrX509CanNameIsSpace(uc))
526	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
527	if (!rtCrX509CanNameIsNothing(uc) \|\| uc == 0)
528	return uc;
529	}
530	}
531
532
533	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char *ppsz, size_t pcch)
534	{
535	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
536	if (uc)
537	{
538	if (!rtCrX509CanNameIsSpace(uc))
539	{
540	if (!rtCrX509CanNameIsNothing(uc))
541	return uc;
542	return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
543	}
544	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
545	}
546	return uc;
547	}
548
549
550	RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
551	PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
552	{
553	if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
554	{
555	/*
556	* Try for perfect match in case we get luck.
557	*/
558	#ifdef DEBUG_bird /* Want to test the complicated code path first */
559	if (pLeft->Value.enmType != RTASN1TYPE_STRING \|\| pRight->Value.enmType != RTASN1TYPE_STRING)
560	#endif
561	if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
562	return true;
563
564	/*
565	* If both are string types, we can compare them according to RFC-5280.
566	*/
567	if ( pLeft->Value.enmType == RTASN1TYPE_STRING
568	&& pRight->Value.enmType == RTASN1TYPE_STRING)
569	{
570	size_t cchLeft;
571	const char *pszLeft;
572	int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
573	if (RT_SUCCESS(rc))
574	{
575	size_t cchRight;
576	const char *pszRight;
577	rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
578	if (RT_SUCCESS(rc))
579	{
580	/*
581	* Perform a simplified RFC-5280 comparsion.
582	* The algorithm as be relaxed on the following counts:
583	* 1. No unicode normalization.
584	* 2. Prohibited characters not checked for.
585	* 3. Bidirectional characters are not ignored.
586	*/
587	pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
588	pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
589	while (pszLeft && pszRight)
590	{
591	RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
592	RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
593	if (ucLeft != ucRight)
594	{
595	ucLeft = RTUniCpToLower(ucLeft);
596	ucRight = RTUniCpToLower(ucRight);
597	if (ucLeft != ucRight)
598	return false;
599	}
600	}
601
602	return cchRight == 0 && cchLeft == 0;
603	}
604	}
605	}
606	}
607	return false;
608	}
609
610
611	RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
612	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
613	{
614	/*
615	* No match if the attribute count differs.
616	*/
617	uint32_t const cItems = pLeft->cItems;
618	if (cItems == pRight->cItems)
619	{
620	/*
621	* Compare each attribute, but don't insist on the same order nor
622	* bother checking for duplicates (too complicated).
623	*/
624	for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
625	{
626	PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
627	bool fFound = false;
628	for (uint32_t iRight = 0; iRight < cItems; iRight++)
629	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
630	{
631	fFound = true;
632	break;
633	}
634	if (!fFound)
635	return false;
636	}
637	return true;
638	}
639	return false;
640
641	}
642
643
644	/*
645	* X.509 Name.
646	*/
647
648	RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
649	{
650	uint32_t const cItems = pLeft->cItems;
651	if (cItems == pRight->cItems)
652	{
653	/* Require exact order. */
654	for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
655	if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
656	return false;
657	return true;
658	}
659	return false;
660	}
661
662
663	RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
664	{
665	/*
666	* Check that the constraint is a prefix of the name. This means that
667	* the name must have at least as many components and the constraint.
668	*/
669	if (pName->cItems >= pConstraint->cItems)
670	{
671	/*
672	* Parallel crawl of the two RDNs arrays.
673	*/
674	for (uint32_t i = 0; pConstraint->cItems; i++)
675	{
676	PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
677	PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
678
679	/*
680	* Walk the constraint attribute & value array.
681	*/
682	for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
683	{
684	PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
685
686	/*
687	* Find matching attribute & value in the name.
688	*/
689	bool fFound = false;
690	for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
691	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
692	{
693	fFound = true;
694	break;
695	}
696	if (fFound)
697	return false;
698	}
699	}
700	return true;
701	}
702	return false;
703	}
704
705
706	/**
707	* Mapping between X.500 object IDs and short and long names.
708	*
709	* See RFC-1327, RFC-4519 ...
710	*/
711	static struct
712	{
713	const char *pszOid;
714	const char *pszShortNm;
715	size_t cchShortNm;
716	const char *pszLongNm;
717	} const g_aRdnMap[] =
718	{
719	{ "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
720	{ "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
721	{ "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /nonstandard/,"EmailAddress" },
722	{ "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
723	{ "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
724	{ "2.5.4.5", RT_STR_TUPLE("SRN") /nonstandard/, "SerialNumber" },
725	{ "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
726	{ "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
727	{ "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
728	{ "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
729	{ "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
730	{ "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
731	{ "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
732	{ "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
733	{ "2.5.4.15", RT_STR_TUPLE("BC") /nonstandard/, "BusinessCategory" },
734	{ "2.5.4.17", RT_STR_TUPLE("ZIP") /nonstandard/, "PostalCode" },
735	{ "2.5.4.18", RT_STR_TUPLE("POBox") /nonstandard/,"PostOfficeBox" },
736	{ "2.5.4.20", RT_STR_TUPLE("PN") /nonstandard/, "TelephoneNumber" },
737	{ "2.5.4.33", RT_STR_TUPLE("RO") /nonstandard/, "RoleOccupant" },
738	{ "2.5.4.34", RT_STR_TUPLE("SA") /nonstandard/, "StreetAddress" },
739	{ "2.5.4.41", RT_STR_TUPLE("N") /nonstandard/, "Name" },
740	{ "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
741	{ "2.5.4.43", RT_STR_TUPLE("I") /nonstandard/, "Initials" },
742	{ "2.5.4.44", RT_STR_TUPLE("GQ") /nonstandard/, "GenerationQualifier" },
743	{ "2.5.4.46", RT_STR_TUPLE("DNQ") /nonstandard/, "DNQualifier" },
744	{ "2.5.4.51", RT_STR_TUPLE("HID") /nonstandard/, "HouseIdentifier" },
745	};
746
747
748	RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
749	{
750	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
751	while (iName-- > 0)
752	if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
753	return g_aRdnMap[iName].pszShortNm;
754	return NULL;
755	}
756
757
758	RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
759	{
760	/* Keep track of the string length. */
761	size_t cchString = strlen(pszString);
762
763	/*
764	* The usual double loop for walking the components.
765	*/
766	for (uint32_t i = 0; i < pThis->cItems; i++)
767	{
768	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
769	for (uint32_t j = 0; j < pRdn->cItems; j++)
770	{
771	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
772
773	/*
774	* Must be a string.
775	*/
776	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
777	return false;
778
779	/*
780	* Look up the component name prefix and check whether it's also in the string.
781	*/
782	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
783	while (iName-- > 0)
784	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
785	break;
786	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
787
788	if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
789	\|\| pszString[g_aRdnMap[iName].cchShortNm] != '=')
790	return false;
791
792	pszString += g_aRdnMap[iName].cchShortNm + 1;
793	cchString -= g_aRdnMap[iName].cchShortNm + 1;
794
795	/*
796	* Compare the component string.
797	*/
798	size_t cchComponent;
799	int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
800	AssertRCReturn(rc, false);
801
802	if (cchComponent > cchString)
803	return false;
804	if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
805	return false;
806
807	cchString -= cchComponent;
808	pszString += cchComponent;
809
810	/*
811	* Check separator comma + space and skip extra spaces before the next component.
812	*/
813	if (cchString)
814	{
815	if (pszString[0] != ',')
816	return false;
817	if (pszString[1] != ' ' && pszString[1] != '\t')
818	return false;
819	pszString += 2;
820	cchString -= 2;
821
822	while (pszString == ' ' \|\| pszString == '\t')
823	{
824	pszString++;
825	cchString--;
826	}
827	}
828	}
829	}
830
831	/*
832	* If we got thru the whole name and the whole string, we're good.
833	*/
834	return *pszString == '\0';
835	}
836
837
838	RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char pszBuf, size_t cbBuf, size_t pcbActual)
839	{
840	/*
841	* The usual double loop for walking the components.
842	*/
843	size_t off = 0;
844	int rc = VINF_SUCCESS;
845	for (uint32_t i = 0; i < pThis->cItems; i++)
846	{
847	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
848	for (uint32_t j = 0; j < pRdn->cItems; j++)
849	{
850	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
851
852	/*
853	* Must be a string.
854	*/
855	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
856	return VERR_CR_X509_NAME_NOT_STRING;
857
858	/*
859	* Look up the component name prefix.
860	*/
861	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
862	while (iName-- > 0)
863	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
864	break;
865	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
866	VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
867
868	/*
869	* Append the prefix.
870	*/
871	if (off)
872	{
873	if (off + 2 < cbBuf)
874	{
875	pszBuf[off] = ',';
876	pszBuf[off + 1] = ' ';
877	}
878	else
879	rc = VERR_BUFFER_OVERFLOW;
880	off += 2;
881	}
882
883	if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
884	{
885	memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
886	pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
887	}
888	else
889	rc = VERR_BUFFER_OVERFLOW;
890	off += g_aRdnMap[iName].cchShortNm + 1;
891
892	/*
893	* Add the component string.
894	*/
895	const char *pszUtf8;
896	size_t cchUtf8;
897	int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
898	AssertRCReturn(rc2, rc2);
899	if (off + cchUtf8 < cbBuf)
900	memcpy(&pszBuf[off], pszUtf8, cchUtf8);
901	else
902	rc = VERR_BUFFER_OVERFLOW;
903	off += cchUtf8;
904	}
905	}
906
907	if (pcbActual)
908	*pcbActual = off + 1;
909	if (off < cbBuf)
910	pszBuf[off] = '\0';
911	return rc;
912	}
913
914
915
916	/*
917	* One X.509 GeneralName.
918	*/
919
920	/**
921	* Name constraint matching (RFC-5280): DNS Name.
922	*
923	* @returns true on match, false on mismatch.
924	* @param pConstraint The constraint name.
925	* @param pName The name to match against the constraint.
926	*/
927	static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
928	{
929	/*
930	* Empty constraint string is taken to match everything.
931	*/
932	if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
933	return true;
934
935	/*
936	* Get the UTF-8 strings for the two.
937	*/
938	size_t cchConstraint;
939	char const *pszConstraint;
940	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
941	if (RT_SUCCESS(rc))
942	{
943	size_t cchFull;
944	char const *pszFull;
945	rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
946	if (RT_SUCCESS(rc))
947	{
948	/*
949	* No match if the constraint is longer.
950	*/
951	if (cchConstraint > cchFull)
952	return false;
953
954	/*
955	* No match if the constraint and name tail doesn't match
956	* in a case-insensitive compare.
957	*/
958	size_t offFull = cchFull - cchConstraint;
959	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
960	return false;
961	if (!offFull)
962	return true;
963
964	/*
965	* The matching constraint must be delimited by a dot in the full
966	* name. There seems to be some discussion whether ".oracle.com"
967	* should match "www..oracle.com". This implementation does choose
968	* to not succeed in that case.
969	*/
970	if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
971	return true;
972
973	return false;
974	}
975	}
976
977	/* fall back. */
978	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
979	}
980
981
982	/**
983	* Name constraint matching (RFC-5280): RFC-822 (email).
984	*
985	* @returns true on match, false on mismatch.
986	* @param pConstraint The constraint name.
987	* @param pName The name to match against the constraint.
988	*/
989	static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
990	{
991	/*
992	* Empty constraint string is taken to match everything.
993	*/
994	if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
995	return true;
996
997	/*
998	* Get the UTF-8 strings for the two.
999	*/
1000	size_t cchConstraint;
1001	char const *pszConstraint;
1002	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
1003	if (RT_SUCCESS(rc))
1004	{
1005	size_t cchFull;
1006	char const *pszFull;
1007	rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
1008	if (RT_SUCCESS(rc))
1009	{
1010	/*
1011	* No match if the constraint is longer.
1012	*/
1013	if (cchConstraint > cchFull)
1014	return false;
1015
1016	/*
1017	* A lone dot matches everything.
1018	*/
1019	if (cchConstraint == 1 && *pszConstraint == '.')
1020	return true;
1021
1022	/*
1023	* If there is a '@' in the constraint, the entire address must match.
1024	*/
1025	const char pszConstraintAt = (const char )memchr(pszConstraint, '@', cchConstraint);
1026	if (pszConstraintAt)
1027	return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
1028
1029	/*
1030	* No match if the constraint and name tail doesn't match
1031	* in a case-insensitive compare.
1032	*/
1033	size_t offFull = cchFull - cchConstraint;
1034	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1035	return false;
1036
1037	/*
1038	* If the constraint starts with a dot, we're supposed to be
1039	* satisfied with a tail match.
1040	*/
1041	/** @todo Check if this should match even if offFull == 0. */
1042	if (*pszConstraint == '.')
1043	return true;
1044
1045	/*
1046	* Otherwise, we require a hostname match and thus expect an '@'
1047	* immediatly preceding the constraint match.
1048	*/
1049	if (pszFull[offFull - 1] == '@')
1050	return true;
1051
1052	return false;
1053	}
1054	}
1055
1056	/* fall back. */
1057	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1058	}
1059
1060
1061	/**
1062	* Extracts the hostname from an URI.
1063	*
1064	* @returns true if successfully extract, false if no hostname present.
1065	* @param pszUri The URI.
1066	* @param pchHostName .
1067	* @param pcchHostName .
1068	*/
1069	static bool rtCrX509GeneralName_ExtractHostName(const char pszUri, const char pchHostName, size_t pcchHostName)
1070	{
1071	/*
1072	* Skip the schema name.
1073	*/
1074	const char *pszStart = strchr(pszUri, ':');
1075	while (pszStart && (pszStart[1] != '/' \|\| pszStart[2] != '/'))
1076	pszStart = strchr(pszStart + 1, ':');
1077	if (pszStart)
1078	{
1079	pszStart += 3;
1080
1081	/*
1082	* The name ends with the first slash or ":port".
1083	*/
1084	const char *pszEnd = strchr(pszStart, '/');
1085	if (!pszEnd)
1086	pszEnd = strchr(pszStart, '\0');
1087	if (memchr(pszStart, ':', pszEnd - pszStart))
1088	do
1089	pszEnd--;
1090	while (*pszEnd != ':');
1091	if (pszEnd != pszStart)
1092	{
1093	/*
1094	* Drop access credentials at the front of the string if present.
1095	*/
1096	const char pszAt = (const char )memchr(pszStart, '@', pszEnd - pszStart);
1097	if (pszAt)
1098	pszStart = pszAt + 1;
1099
1100	/*
1101	* If there is still some string left, that's the host name.
1102	*/
1103	if (pszEnd != pszStart)
1104	{
1105	*pcchHostName = pszEnd - pszStart;
1106	*pchHostName = pszStart;
1107	return true;
1108	}
1109	}
1110	}
1111
1112	*pcchHostName = 0;
1113	*pchHostName = NULL;
1114	return false;
1115	}
1116
1117
1118	/**
1119	* Name constraint matching (RFC-5280): URI.
1120	*
1121	* @returns true on match, false on mismatch.
1122	* @param pConstraint The constraint name.
1123	* @param pName The name to match against the constraint.
1124	*/
1125	static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1126	{
1127	/*
1128	* Empty constraint string is taken to match everything.
1129	*/
1130	if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1131	return true;
1132
1133	/*
1134	* Get the UTF-8 strings for the two.
1135	*/
1136	size_t cchConstraint;
1137	char const *pszConstraint;
1138	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1139	if (RT_SUCCESS(rc))
1140	{
1141	size_t cchFull;
1142	char const *pszFull;
1143	rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1144	if (RT_SUCCESS(rc))
1145	{
1146	/*
1147	* Isolate the hostname in the name.
1148	*/
1149	size_t cchHostName;
1150	const char *pchHostName;
1151	if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1152	{
1153	/*
1154	* Domain constraint.
1155	*/
1156	if (*pszConstraint == '.')
1157	{
1158	if (cchHostName >= cchConstraint)
1159	{
1160	size_t offHostName = cchHostName - cchConstraint;
1161	if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1162	{
1163	/* "http://www..oracle.com" does not match ".oracle.com".
1164	It's debatable whether "http://.oracle.com/" should match. */
1165	if ( !offHostName
1166	\|\| pchHostName[offHostName - 1] != '.')
1167	return true;
1168	}
1169	}
1170	}
1171	/*
1172	* Host name constraint. Full match required.
1173	*/
1174	else if ( cchHostName == cchConstraint
1175	&& RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1176	return true;
1177	}
1178	return false;
1179	}
1180	}
1181
1182	/* fall back. */
1183	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1184	}
1185
1186
1187	/**
1188	* Name constraint matching (RFC-5280): IP address.
1189	*
1190	* @returns true on match, false on mismatch.
1191	* @param pConstraint The constraint name.
1192	* @param pName The name to match against the constraint.
1193	*/
1194	static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1195	{
1196	uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1197	uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1198
1199	/*
1200	* IPv4.
1201	*/
1202	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1203	&& pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1204	return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1205	&& ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1206	&& ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1207	&& ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1208
1209	/*
1210	* IPv6.
1211	*/
1212	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1213	&& pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1214	{
1215	for (uint32_t i = 0; i < 16; i++)
1216	if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1217	return false;
1218	return true;
1219	}
1220
1221	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1222	}
1223
1224
1225	RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1226	{
1227	if (pConstraint->enmChoice == pName->enmChoice)
1228	{
1229	if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1230	return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1231
1232	if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1233	return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1234
1235	if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1236	return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1237
1238	if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1239	return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1240
1241	if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1242	return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1243
1244	AssertFailed();
1245	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1246	}
1247	return false;
1248	}
1249
1250
1251	/*
1252	* Sequence of X.509 GeneralNames.
1253	*/
1254
1255
1256	/*
1257	* X.509 UniqueIdentifier.
1258	*/
1259
1260
1261	/*
1262	* X.509 SubjectPublicKeyInfo.
1263	*/
1264
1265
1266	/*
1267	* X.509 AuthorityKeyIdentifier (IPRT representation).
1268	*/
1269
1270
1271	/*
1272	* One X.509 PolicyQualifierInfo.
1273	*/
1274
1275
1276	/*
1277	* Sequence of X.509 PolicyQualifierInfo.
1278	*/
1279
1280
1281	/*
1282	* One X.509 PolicyInformation.
1283	*/
1284
1285
1286	/*
1287	* Sequence of X.509 CertificatePolicies.
1288	*/
1289
1290
1291	/*
1292	* One X.509 PolicyMapping (IPRT representation).
1293	*/
1294
1295
1296	/*
1297	* Sequence of X.509 PolicyMappings (IPRT representation).
1298	*/
1299
1300
1301	/*
1302	* X.509 BasicConstraints (IPRT representation).
1303	*/
1304
1305
1306	/*
1307	* X.509 GeneralSubtree (IPRT representation).
1308	*/
1309
1310
1311	RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1312	{
1313	return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1314	}
1315
1316
1317	/*
1318	* Sequence of X.509 GeneralSubtrees (IPRT representation).
1319	*/
1320
1321
1322	/*
1323	* X.509 NameConstraints (IPRT representation).
1324	*/
1325
1326
1327	/*
1328	* X.509 PolicyConstraints (IPRT representation).
1329	*/
1330
1331
1332	/*
1333	* One X.509 Extension.
1334	*/
1335
1336
1337	/*
1338	* Sequence of X.509 Extensions.
1339	*/
1340
1341
1342	/*
1343	* X.509 TbsCertificate.
1344	*/
1345
1346	static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1347	{
1348	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1349	/* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
1350	AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
1351	pThis->T3.fKeyUsage \|= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1352	}
1353
1354
1355	static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1356	{
1357	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1358	PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1359	uint32_t i = pObjIds->cItems;
1360	while (i-- > 0)
1361	{
1362
1363	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1364	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_ANY;
1365	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
1366	{
1367	if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
1368	switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
1369	{
1370	case 1: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1371	case 2: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1372	case 3: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1373	case 4: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1374	case 5: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1375	case 6: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1376	case 7: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1377	case 8: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1378	case 9: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1379	case 10: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_DVCS; break;
1380	case 11: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1381	case 13: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1382	case 14: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1383	default: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER; break;
1384	}
1385	else
1386	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1387	}
1388	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1389	{
1390	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1391	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1392	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1393	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1394	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1395	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1396	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1397	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1398	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1399	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1400	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1401	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1402	else
1403	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1404	}
1405	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
1406	{
1407	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1408	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1409	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1410	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1411	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1412	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1413	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1414	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1415	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1416	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1417	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1418	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1419	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1420	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM;
1421	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1422	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1423	else
1424	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1425	}
1426	else
1427	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1428	}
1429	}
1430
1431
1432	/**
1433	* (Re-)Process the certificate extensions.
1434	*
1435	* Will fail if duplicate extensions are encountered.
1436	*
1437	* @returns IPRT status code.
1438	* @param pThis The to-be-signed certificate part.
1439	* @param pErrInfo Where to return extended error details,
1440	* optional.
1441	*/
1442	RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1443	{
1444	/*
1445	* Clear all variables we will set.
1446	*/
1447	pThis->T3.fFlags = 0;
1448	pThis->T3.fKeyUsage = 0;
1449	pThis->T3.fExtKeyUsage = 0;
1450	pThis->T3.pAuthorityKeyIdentifier = NULL;
1451	pThis->T3.pSubjectKeyIdentifier = NULL;
1452	pThis->T3.pAltSubjectName = NULL;
1453	pThis->T3.pAltIssuerName = NULL;
1454	pThis->T3.pCertificatePolicies = NULL;
1455	pThis->T3.pPolicyMappings = NULL;
1456	pThis->T3.pBasicConstraints = NULL;
1457	pThis->T3.pNameConstraints = NULL;
1458	pThis->T3.pPolicyConstraints = NULL;
1459	pThis->T3.pInhibitAnyPolicy = NULL;
1460
1461	#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1462	do { \
1463	if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1464	return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1465	"Duplicate extension " #a_fPresentFlag); \
1466	(a_pThis)->T3.fFlags \|= (a_fPresentFlag); \
1467	} while (0)
1468
1469	/*
1470	* Process all the extensions.
1471	*/
1472	for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1473	{
1474	PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
1475	PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
1476	if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1477	{
1478	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1479	rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1480	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1481	}
1482	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1483	{
1484	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1485	rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1486	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1487	}
1488	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1489	{
1490	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1491	pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1492	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1493	}
1494	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1495	{
1496	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1497	pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1498	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1499	}
1500	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1501	{
1502	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1503	pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1504	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1505	}
1506	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1507	{
1508	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1509	pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1510	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1511	}
1512	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1513	{
1514	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1515	pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1516	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1517	}
1518	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1519	{
1520	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1521	pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1522	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1523	}
1524	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1525	{
1526	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1527	pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1528	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1529	}
1530	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1531	{
1532	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1533	pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1534	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1535	}
1536	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1537	{
1538	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1539	pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1540	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1541	}
1542	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1543	{
1544	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1545	pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1546	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1547	}
1548	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1549	{
1550	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1551	pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1552	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1553	}
1554	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1555	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1556	else
1557	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1558	}
1559
1560	if (!pThis->T3.fFlags)
1561	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1562
1563	#undef CHECK_SET_PRESENT_RET_ON_DUP
1564	return VINF_SUCCESS;
1565	}
1566
1567
1568
1569	/*
1570	* One X.509 Certificate.
1571	*/
1572
1573	RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1574	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1575	{
1576	if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1577	&& RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1578	return true;
1579	return false;
1580	}
1581
1582
1583	RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1584	{
1585	if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1586	return true;
1587
1588	if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1589	for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1590	{
1591	PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
1592	if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1593	&& RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1594	{
1595	PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1596	for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1597	if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
1598	&& RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
1599	return true;
1600	}
1601	}
1602	return false;
1603	}
1604
1605
1606	RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1607	{
1608	if (RTCrX509Certificate_IsPresent(pCertificate))
1609	{
1610	return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1611	&pCertificate->TbsCertificate.Issuer);
1612	}
1613	return false;
1614	}
1615
1616
1617	/*
1618	* Set of X.509 Certificates.
1619	*/
1620
1621	RTDECL(PCRTCRX509CERTIFICATE)
1622	RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1623	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1624	{
1625	for (uint32_t i = 0; i < pCertificates->cItems; i++)
1626	if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
1627	return pCertificates->papItems[i];
1628	return NULL;
1629	}
1630

注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 85121

以其他格式下載: