/* $Id$ */
/** @file
* IPRT - Crypto - X.509, Simple Certificate Path Builder & Validator.
*/
/*
* Copyright (C) 2006-2014 Oracle Corporation
*
* This file is part of VirtualBox Open Source Edition (OSE), as
* available from http://www.virtualbox.org. This file is free software;
* General Public License (GPL) as published by the Free Software
* Foundation, in version 2 as it comes in the "COPYING" file of the
* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
*
* The contents of this file may alternatively be used under the terms
* of the Common Development and Distribution License Version 1.0
* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
* VirtualBox OSE distribution, in which case the provisions of the
* CDDL are applicable instead of those of the GPL.
*
* You may elect to license modified versions of this file under the
* terms and conditions of either the GPL or the CDDL or both.
*/
/*******************************************************************************
* Header Files *
*******************************************************************************/
#include "x509-internal.h"
/*******************************************************************************
* Structures and Typedefs *
*******************************************************************************/
/**
* X.509 certificate path node.
*/
typedef struct RTCRX509CERTPATHNODE
{
/** Sibling list entry. */
/** List of children or leaf list entry. */
/** Pointer to the parent node. NULL for root. */
/** The distance between this node and the target. */
/** Indicates the source of this certificate. */
/** Set if this is a leaf node. */
/** Makes sure it's a 32-bit bitfield. */
/** Leaf only: The result of the last path vertification. */
int rcVerify;
/** Pointer to the certificate. This can be NULL only for trust anchors. */
/** If the certificate or trust anchor was obtained from a store, this is the
* associated certificate context (referenced of course). This is used to
* access the trust anchor information, if present.
*
* (If this is NULL it's from a certificate array or some such given directly to
* the path building code. It's assumed the caller doesn't free these until the
* path validation/whatever is done with and the paths destroyed.) */
/** Pointer to a X.509 path node. */
/** @name RTCRX509CERTPATHNODE::uSrc values.
* The trusted and untrusted sources ordered in priority order, where higher
* number means high priority in case of duplicates.
* @{ */
#define RTCRX509CERTPATHNODE_SRC_NONE 0
#define RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc) ((uSrc) >= RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE)
/** @} */
/**
* Policy tree node.
*/
typedef struct RTCRX509CERTPATHSPOLICYNODE
{
/** Sibling list entry. */
/** Tree depth list entry. */
/** List of children or leaf list entry. */
/** Pointer to the parent. */
/** The policy object ID. */
/** Optional sequence of policy qualifiers. */
/** The first policy ID in the exepcted policy set. */
/** Set if we've already mapped pExpectedPolicyFirst. */
bool fAlreadyMapped;
/** Number of additional items in the expected policy set. */
/** Additional items in the expected policy set. */
/** Pointer to a policy tree node. */
/**
* Path builder and validator instance.
*
* The path builder creates a tree of certificates by forward searching from the
* end-entity towards a trusted source. The leaf nodes are inserted into list
* ordered by the source of the leaf certificate and the path length (i.e. tree
* depth).
*
* The path validator works the tree from the leaf end and validates each
* potential path found by the builder. It is generally happy with one working
* path, but may be told to verify all of them.
*/
typedef struct RTCRX509CERTPATHSINT
{
/** Magic number. */
/** Reference counter. */
/** @name Input
* @{ */
/** The target certificate (end entity) to build a trusted path for. */
/** Lone trusted certificate. */
/** Store of trusted certificates. */
/** Store of untrusted certificates. */
/** Array of untrusted certificates, typically from the protocol. */
/** Number of entries in paUntrusted. */
/** Set of untrusted PKCS \#7 / CMS certificatess. */
/** UTC time we're going to validate the path at, requires
* RTCRX509CERTPATHSINT_F_VALID_TIME to be set. */
/** Number of policy OIDs in the user initial policy set, 0 means anyPolicy. */
/** The user initial policy set. As with all other user provided data, we
* assume it's immutable and remains valid for the usage period of the path
* builder & validator. */
/** Number of certificates before the user wants an explicit policy result.
* Set to UINT32_MAX no explicit policy restriction required by the user. */
/** Number of certificates before the user wants policy mapping to be
* inhibited. Set to UINT32_MAX if no initial policy mapping inhibition
* desired by the user. */
/** Number of certificates before the user wants the anyPolicy to be rejected.
* Set to UINT32_MAX no explicit policy restriction required by the user. */
/** Initial name restriction: Permitted subtrees. */
/** Initial name restriction: Excluded subtrees. */
/** Flags RTCRX509CERTPATHSINT_F_XXX. */
/** @} */
/** Sticky status for remembering allocation errors and the like. */
/** Where to store extended error info (optional). */
/** @name Path Builder Output
* @{ */
/** Pointer to the root of the tree. This will always be non-NULL after path
* building and thus can be reliably used to tell if path building has taken
* place or not. */
/** List of working leaf tree nodes. */
/** The number of paths (leafs). */
/** @} */
/** Path Validator State. */
struct
{
/** Number of nodes in the certificate path we're validating (aka 'n'). */
/** The current node (0 being the trust anchor). */
/** The root node of the valid policy tree. */
/** An array of length cNodes + 1 which tracks all nodes at the given (index)
* tree depth via the RTCRX509CERTPATHSPOLICYNODE::DepthEntry member. */
/** Number of entries in paPermittedSubtrees (name constraints).
* If zero, no permitted name constrains currently in effect. */
/** The allocated size of papExcludedSubtrees */
/** Array of permitted subtrees we've collected so far (name constraints). */
/** Set if we end up with an empty set after calculating a name constraints
* union. */
bool fNoPermittedSubtrees;
/** Number of entries in paExcludedSubtrees (name constraints).
* If zero, no excluded name constrains currently in effect. */
/** Array of excluded subtrees we've collected so far (name constraints). */
/** Number of non-self-issued certificates to be processed before a non-NULL
* paValidPolicyTree is required. */
/** Number of non-self-issued certificates to be processed we stop processing
* policy mapping extensions. */
/** Number of non-self-issued certificates to be processed before a the
* anyPolicy is rejected. */
/** Number of non-self-issued certificates we're allowed to process. */
/** The working issuer name. */
/** The working public key algorithm ID. */
/** The working public key algorithm parameters. */
/** A bit string containing the public key. */
} v;
/** An object identifier initialized to anyPolicy. */
/** Temporary scratch space. */
/** Magic value for RTCRX509CERTPATHSINT::u32Magic (Bruce Schneier). */
/** @name RTCRX509CERTPATHSINT_F_XXX - Certificate path build flags.
* @{ */
/** @} */
/*******************************************************************************
* Internal Functions *
*******************************************************************************/
/** @name Path Builder and Validator Config APIs
* @{
*/
{
if (pThis)
{
int rc = RTAsn1ObjId_InitFromString(&pThis->AnyPolicyObjId, RTCRX509_ID_CE_CP_ANY_POLICY_OID, &g_RTAsn1DefaultAllocator);
if (RT_SUCCESS(rc))
{
*phCertPaths = pThis;
return VINF_SUCCESS;
}
return rc;
}
return VERR_NO_MEMORY;
}
{
return cRefs;
}
{
if (hCertPaths != NIL_RTCRX509CERTPATHS)
{
if (!cRefs)
{
/*
* No more references, destroy the whole thing.
*/
/* config */
/* builder */
/* validator */
/* misc */
/* Finally, the instance itself. */
}
}
else
cRefs = 0;
return cRefs;
}
{
{
}
if (hTrustedStore != NIL_RTCRSTORE)
{
}
return VINF_SUCCESS;
}
RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore)
{
{
}
if (hUntrustedStore != NIL_RTCRSTORE)
{
}
return VINF_SUCCESS;
}
RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts)
{
return VINF_SUCCESS;
}
RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, PCRTCRPKCS7SETOFCERTS pSetOfCerts)
{
return VINF_SUCCESS;
}
{
if (pTime)
{
return VERR_INVALID_PARAMETER;
}
else
return VINF_SUCCESS;
}
{
if (pTimeSpec)
{
}
else
return VINF_SUCCESS;
}
RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
{
if (RT_SUCCESS(rc))
{
if (RT_SUCCESS(rc))
{
if (RT_SUCCESS(rc))
{
if (RT_SUCCESS(rc))
{
if (RT_SUCCESS(rc))
{
return VINF_SUCCESS;
}
}
}
}
}
return rc;
}
/** @} */
/** @name Path Builder and Validator Common Utility Functions.
* @{
*/
/**
* Checks if the certificate is self-issued.
*
* @returns true / false.
* @param pNode The path node to check..
*/
{
&& RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Subject, &pNode->pCert->TbsCertificate.Issuer);
}
/** @} */
/** @name Path Builder Functions.
* @{
*/
/**
*
* @returns
* @param pThis .
*/
{
{
return pNode;
}
return NULL;
}
{
{
}
}
{
/*
* Check if we've seen this certificate already in the current path or
* among the already gathered issuers.
*/
if (pCert)
{
/* No duplicate certificates in the path. */
while (pTmpNode)
{
return;
}
/* No duplicate tree branches. */
{
return;
}
}
else
/*
* Reference the context core before making the allocation.
*/
if (pCertCtx)
"Bad pCertCtx=%p", pCertCtx));
/*
* We haven't see it, append it as a child.
*/
if (pNew)
{
}
else
}
static void rtCrX509CertPathsGetIssuersFromStore(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
{
if (RT_SUCCESS(rc))
{
{
}
}
}
{
/*
* Don't recurse infintely.
*/
return;
/*
* Trusted certificate.
*/
if ( pThis->pTrustedCert
rtCrX509CertPathsAddIssuer(pThis, pNode, pThis->pTrustedCert, NULL, RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT);
/*
* Trusted certificate store.
*/
/*
* Untrusted store.
*/
/*
* Untrusted array.
*/
if (pThis->paUntrustedCerts)
/** @todo Rainy day: Should abstract the untrusted array and set so we don't get
/*
* Untrusted set.
*/
if (pThis->pUntrustedCertsSet)
{
rtCrX509CertPathsAddIssuer(pThis, pNode, paCerts[i].u.pX509Cert, NULL, RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET);
}
}
static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetNextRightUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
{
for (;;)
{
/* The root node has no siblings. */
return NULL;
/* Try go to the right. */
PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
if (pNext)
return pNext;
/* Up. */
}
}
static PRTCRX509CERTPATHNODE rtCrX509CertPathsEliminatePath(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
{
for (;;)
{
/* Don't remove the root node. */
if (!pParent)
return NULL;
/* Before removing and deleting the node check if there is sibling
right to it that we should continue processing from. */
PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
if (pNext)
return pNext;
/* If the parent node cannot be removed, do a normal get-next-rigth-up
to find the continuation point for the tree loop. */
}
}
/**
* Destroys the whole path tree.
*
* @param pThis The path builder and verifier instance.
*/
{
{
for (;;)
{
if (!pParent)
{
break;
}
break;
}
}
}
/**
* Adds a leaf node.
*
* This should normally be a trusted certificate, but the caller can also
* request the incomplete paths, in which case this will be an untrusted
* certificate.
*
* @returns Pointer to the next node in the tree to process.
* @param pThis The path builder instance.
* @param pNode The leaf node.
*/
static PRTCRX509CERTPATHNODE rtCrX509CertPathsAddLeaf(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
{
/*
* Priority insert by source and depth.
*/
{
{
}
}
}
{
/*
* Validate the input.
*/
/*
* Set up the target.
*/
{
/*
* The tree construction loop.
* Walks down, up, and right as the tree is constructed.
*/
do
{
/*
* Check for the two leaf cases first.
*/
#if 0 /* This isn't right.*/
else if (rtCrX509CertPathsIsSelfIssued(pCur))
{
else
}
#endif
/*
* Not a leaf, find all potential issuers and decend into these.
*/
else
{
break;
else
}
} while (pCur);
return VINF_SUCCESS;
}
else
}
/**
*
* @returns Pointer to the leaf node of the path.
* @param pThis The path builder & validator instance.
* @param iPath The oridnal of the path to get.
*/
static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetLeafByIndex(PRTCRX509CERTPATHSINT pThis, uint32_t iPath)
{
{
return pCurLeaf;
iCurPath++;
}
}
{
}
static void rtDumpIndent(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, uint32_t cchSpaces, const char *pszFormat, ...)
{
static const char s_szSpaces[] = " ";
while (cchSpaces > 0)
{
}
}
/** @name X.500 attribute types
* See RFC-4519 among others.
* @{ */
#define RTCRX500_ID_AT_OBJECT_CLASS_OID "2.5.4.0"
#define RTCRX500_ID_AT_ALIASED_ENTRY_NAME_OID "2.5.4.1"
#define RTCRX500_ID_AT_KNOWLDGEINFORMATION_OID "2.5.4.2"
#define RTCRX500_ID_AT_COMMON_NAME_OID "2.5.4.3"
#define RTCRX500_ID_AT_SURNAME_OID "2.5.4.4"
#define RTCRX500_ID_AT_SERIAL_NUMBER_OID "2.5.4.5"
#define RTCRX500_ID_AT_COUNTRY_NAME_OID "2.5.4.6"
#define RTCRX500_ID_AT_LOCALITY_NAME_OID "2.5.4.7"
#define RTCRX500_ID_AT_STATE_OR_PROVINCE_NAME_OID "2.5.4.8"
#define RTCRX500_ID_AT_STREET_ADDRESS_OID "2.5.4.9"
#define RTCRX500_ID_AT_ORGANIZATION_NAME_OID "2.5.4.10"
#define RTCRX500_ID_AT_ORGANIZATION_UNIT_NAME_OID "2.5.4.11"
#define RTCRX500_ID_AT_TITLE_OID "2.5.4.12"
#define RTCRX500_ID_AT_DESCRIPTION_OID "2.5.4.13"
#define RTCRX500_ID_AT_SEARCH_GUIDE_OID "2.5.4.14"
#define RTCRX500_ID_AT_BUSINESS_CATEGORY_OID "2.5.4.15"
#define RTCRX500_ID_AT_POSTAL_ADDRESS_OID "2.5.4.16"
#define RTCRX500_ID_AT_POSTAL_CODE_OID "2.5.4.17"
#define RTCRX500_ID_AT_POST_OFFICE_BOX_OID "2.5.4.18"
#define RTCRX500_ID_AT_PHYSICAL_DELIVERY_OFFICE_NAME_OID "2.5.4.19"
#define RTCRX500_ID_AT_TELEPHONE_NUMBER_OID "2.5.4.20"
#define RTCRX500_ID_AT_TELEX_NUMBER_OID "2.5.4.21"
#define RTCRX500_ID_AT_TELETEX_TERMINAL_IDENTIFIER_OID "2.5.4.22"
#define RTCRX500_ID_AT_FACIMILE_TELEPHONE_NUMBER_OID "2.5.4.23"
#define RTCRX500_ID_AT_X121_ADDRESS_OID "2.5.4.24"
#define RTCRX500_ID_AT_INTERNATIONAL_ISDN_NUMBER_OID "2.5.4.25"
#define RTCRX500_ID_AT_REGISTERED_ADDRESS_OID "2.5.4.26"
#define RTCRX500_ID_AT_DESTINATION_INDICATOR_OID "2.5.4.27"
#define RTCRX500_ID_AT_PREFERRED_DELIVERY_METHOD_OID "2.5.4.28"
#define RTCRX500_ID_AT_PRESENTATION_ADDRESS_OID "2.5.4.29"
#define RTCRX500_ID_AT_SUPPORTED_APPLICATION_CONTEXT_OID "2.5.4.30"
#define RTCRX500_ID_AT_MEMBER_OID "2.5.4.31"
#define RTCRX500_ID_AT_OWNER_OID "2.5.4.32"
#define RTCRX500_ID_AT_ROLE_OCCUPANT_OID "2.5.4.33"
#define RTCRX500_ID_AT_SEE_ALSO_OID "2.5.4.34"
#define RTCRX500_ID_AT_USER_PASSWORD_OID "2.5.4.35"
#define RTCRX500_ID_AT_USER_CERTIFICATE_OID "2.5.4.36"
#define RTCRX500_ID_AT_CA_CERTIFICATE_OID "2.5.4.37"
#define RTCRX500_ID_AT_AUTHORITY_REVOCATION_LIST_OID "2.5.4.38"
#define RTCRX500_ID_AT_CERTIFICATE_REVOCATION_LIST_OID "2.5.4.39"
#define RTCRX500_ID_AT_CROSS_CERTIFICATE_PAIR_OID "2.5.4.40"
#define RTCRX500_ID_AT_NAME_OID "2.5.4.41"
#define RTCRX500_ID_AT_GIVEN_NAME_OID "2.5.4.42"
#define RTCRX500_ID_AT_INITIALS_OID "2.5.4.43"
#define RTCRX500_ID_AT_GENERATION_QUALIFIER_OID "2.5.4.44"
#define RTCRX500_ID_AT_UNIQUE_IDENTIFIER_OID "2.5.4.45"
#define RTCRX500_ID_AT_DN_QUALIFIER_OID "2.5.4.46"
#define RTCRX500_ID_AT_ENHANCHED_SEARCH_GUIDE_OID "2.5.4.47"
#define RTCRX500_ID_AT_PROTOCOL_INFORMATION_OID "2.5.4.48"
#define RTCRX500_ID_AT_DISTINGUISHED_NAME_OID "2.5.4.49"
#define RTCRX500_ID_AT_UNIQUE_MEMBER_OID "2.5.4.50"
#define RTCRX500_ID_AT_HOUSE_IDENTIFIER_OID "2.5.4.51"
#define RTCRX500_ID_AT_SUPPORTED_ALGORITHMS_OID "2.5.4.52"
#define RTCRX500_ID_AT_DELTA_REVOCATION_LIST_OID "2.5.4.53"
#define RTCRX500_ID_AT_ATTRIBUTE_CERTIFICATE_OID "2.5.4.58"
#define RTCRX500_ID_AT_PSEUDONYM_OID "2.5.4.65"
/** @} */
{
{
{
{
}
}
{
else
{
else
while (cch > 0)
{
if (RT_C_IS_PRINT(*pch))
else
cch--;
pch++;
}
}
}
else
}
}
{
{
case RTCRX509CERTPATHNODE_SRC_TARGET: return "target";
case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET: return "untrusted_set";
case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY: return "untrusted_array";
case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE: return "untrusted_store";
case RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE: return "trusted_store";
case RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT: return "trusted_cert";
default: return "invalid";
}
}
static void rtCrX509CertPathsDumpOneWorker(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, PRTCRX509CERTPATHNODE pCurLeaf,
{
iPath, RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc) ? "trusted" : "untrusted", pCurLeaf->uDepth,
{
{
if (uVerbosity >= 4)
else if (uVerbosity >= 3)
RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
}
else
{
if (uVerbosity >= 4)
}
}
}
RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
{
/*
* Validate the input.
*/
int rc;
{
if (pLeaf)
{
rc = VINF_SUCCESS;
}
else
}
else
rc = VERR_NOT_FOUND;
return rc;
}
RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
{
/*
* Validate the input.
*/
/*
* Dump all the paths.
*/
RTListForEachSafe(&pThis->LeafList, pCurLeaf, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
{
iPath++;
}
return VINF_SUCCESS;
}
/** @} */
/** @name Path Validator Functions.
* @{
*/
{
if (!pv)
pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for %s", cb, pszWhat);
return pv;
}
DECL_NO_INLINE(static, bool) rtCrX509CpvFailed(PRTCRX509CERTPATHSINT pThis, int rc, const char *pszFormat, ...)
{
return false;
}
/**
* Adds a sequence of excluded sub-trees.
*
* Don't waste time optimizing the output if this is supposed to be a union.
* Unless the path is very long, it's a lot more work to optimize and the result
* will be the same anyway.
*
* @returns success indicator.
* @param pThis The validator instance.
* @param pSubtrees The sequence of sub-trees to add.
*/
static bool rtCrX509CpvAddExcludedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
{
{
if (RT_UNLIKELY(!pvNew))
return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array to %u elements",
}
pThis->v.cExcludedSubtrees++;
return true;
}
/**
* Checks if a sub-tree is according to RFC-5280.
*
* @returns Success indiciator.
* @param pThis The validator instance.
* @param pSubtree The subtree to check.
*/
static bool rtCrX509CpvCheckSubtreeValidity(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
{
"Unexpected GeneralSubtree Minimum value: %#llx",
"Unexpected GeneralSubtree Maximum value: %#llx",
return true;
}
/**
* Grows the array of permitted sub-trees.
*
* @returns success indiciator.
* @param pThis The validator instance.
* @param cAdding The number of subtrees we should grow by
* (relative to the current number of valid
* entries).
*/
{
{
void *pvNew = RTMemRealloc(pThis->v.papPermittedSubtrees, cNew * sizeof(pThis->v.papPermittedSubtrees[0]));
if (RT_UNLIKELY(!pvNew))
return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array from %u to %u elements",
}
return true;
}
/**
* Adds a sequence of permitted sub-trees.
*
* We store reference to each individual sub-tree because we must support
* intersection calculation.
*
* @returns success indiciator.
* @param pThis The validator instance.
* @param cSubtrees The number of sub-trees to add.
* @param paSubtrees Array of sub-trees to add.
*/
static bool rtCrX509CpvAddPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cSubtrees, PCRTCRX509GENERALSUBTREE paSubtrees)
{
/*
* If the array is empty, assume no permitted names.
*/
if (!cSubtrees)
{
pThis->v.fNoPermittedSubtrees = true;
return true;
}
/*
* Grow the array if necessary.
*/
return false;
/*
* Append each subtree to the array.
*/
{
return false;
iDst++;
}
return true;
}
/**
* Calculates the intersection between @a pSubtrees and the current permitted
* sub-trees.
*
* @returns Success indicator.
* @param pThis The validator instance.
* @param pSubtrees The sub-tree sequence to intersect with.
*/
static bool rtCrX509CpvIntersectionPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
{
/*
* Deal with special cases first.
*/
if (pThis->v.fNoPermittedSubtrees)
{
return true;
}
if (cRight == 0)
{
pThis->v.cPermittedSubtrees = 0;
pThis->v.fNoPermittedSubtrees = true;
return true;
}
if (!cLeft) /* first name constraint, no initial constraint */
/*
* Create a new array with the intersection, freeing the old (left) array
* once we're done.
*/
bool afRightTags[RTCRX509GENERALNAMECHOICE_END] = { 0, 0, 0, 0, 0, 0, 0, 0, 0 };
pThis->v.cPermittedSubtrees = 0;
pThis->v.cPermittedSubtreesAlloc = 0;
{
return false;
afRightTags[enmRightChoice] = true;
bool fHaveRight = false;
{
{
if (!fHaveRight)
{
fHaveRight = true;
}
}
{
if (!fHaveRight)
{
fHaveRight = true;
}
}
}
}
/*
* Add missing types not specified in the right set.
*/
/*
* If we ended up with an empty set, no names are permitted any more.
*/
if (pThis->v.cPermittedSubtrees == 0)
pThis->v.fNoPermittedSubtrees = true;
}
/**
* Check if the given X.509 name is permitted by current name constraints.
*
* @returns true is permitteded, false if not (caller set error info).
* @param pThis The validator instance.
* @param pName The name to match.
*/
{
if (i == 0)
return !pThis->v.fNoPermittedSubtrees;
while (i-- > 0)
{
return true;
}
return false;
}
/**
* Check if the given X.509 general name is permitted by current name
* constraints.
*
* @returns true is permitteded, false if not (caller sets error info).
* @param pThis The validator instance.
* @param pGeneralName The name to match.
*/
static bool rtCrX509CpvIsGeneralNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
{
if (i == 0)
return !pThis->v.fNoPermittedSubtrees;
while (i-- > 0)
return true;
return false;
}
/**
* Check if the given X.509 name is excluded by current name constraints.
*
* @returns true if excluded (caller sets error info), false if not explicitly
* excluded.
* @param pThis The validator instance.
* @param pName The name to match.
*/
{
while (i-- > 0)
{
while (j-- > 0)
return true;
}
return false;
}
/**
* Check if the given X.509 general name is excluded by current name
* constraints.
*
* @returns true if excluded (caller sets error info), false if not explicitly
* excluded.
* @param pThis The validator instance.
* @param pGeneralName The name to match.
*/
static bool rtCrX509CpvIsGeneralNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
{
while (i-- > 0)
{
while (j-- > 0)
return true;
}
return false;
}
/**
* Creates a new node and inserts it.
*
* @param pThis The path builder & validator instance.
* @param pParent The parent node. NULL for the root node.
* @param iDepth The tree depth to insert at.
* @param pValidPolicy The valid policy of the new node.
* @param pQualifiers The qualifiers of the new node.
* @param pExpectedPolicy The (first) expected polcy of the new node.
*/
static bool rtCrX509CpvPolicyTreeInsertNew(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pParent, uint32_t iDepth,
{
if (pNode)
{
if (pParent)
else
{
}
pNode->cMoreExpectedPolicySet = 0;
return true;
}
return false;
}
/**
* Unlinks and frees a node in the valid policy tree.
*
* @param pThis The path builder & validator instance.
* @param pNode The node to destroy.
*/
static void rtCrX509CpvPolicyTreeDestroyNode(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
{
else
{
}
}
/**
* Unlinks and frees a sub-tree in the valid policy tree.
*
* @param pThis The path builder & validator instance.
* @param pNode The node that is the root of the subtree.
*/
static void rtCrX509CpvPolicyTreeDestroySubtree(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
{
{
do
{
/* Decend until we find a leaf. */
do
/* Remove it and all leafy siblings. */
do
{
if (!pCur)
{
}
}
}
/**
* Destroys the entire policy tree.
*
* @param pThis The path builder & validator instance.
*/
{
while (i-- > 0)
{
RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[i], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
{
}
}
}
/**
* Removes all leaf nodes at level @a iDepth and above.
*
* @param pThis The path builder & validator instance.
* @param iDepth The depth to start pruning at.
*/
{
do
{
{
}
} while (iDepth-- > 0);
}
/**
* Checks if @a pPolicy is the valid policy of a child of @a pNode.
*
* @returns true if in child node, false if not.
* @param pNode The node which children to check.
* @param pPolicy The valid policy to look for among the children.
*/
{
{
return true;
}
return true;
}
/**
* Prunes the valid policy tree according to the specified user policy set.
*
* @returns Pointer to the policy object from @a papPolicies if found, NULL if
* no match.
* @param pObjId The object ID to locate at match in the set.
* @param cPolicies The number of policies in @a papPolicies.
* @param papPolicies The policy set to search.
*/
static PCRTASN1OBJID rtCrX509CpvFindObjIdInPolicySet(PCRTASN1OBJID pObjId, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
{
while (i-- > 0)
return papPolicies[i];
return NULL;
}
/**
* Prunes the valid policy tree according to the specified user policy set.
*
* @returns success indicator (allocates memory)
* @param pThis The path builder & validator instance.
* @param cPolicies The number of policies in @a papPolicies.
* @param papPolicies The user initial policies.
*/
static bool rtCrX509CpvPolicyTreeIntersect(PRTCRX509CERTPATHSINT pThis, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
{
/*
* 4.1.6.g.i - NULL tree remains NULL.
*/
if (!pThis->v.pValidPolicyTree)
return true;
/*
* 4.1.6.g.ii - If the user set includes anyPolicy, the whole tree is the
* result of the intersection.
*/
while (i-- > 0)
return true;
/*
* 4.1.6.g.iii - Complicated.
*/
/* 1 & 2: Delete nodes which parent has valid policy == anyPolicy and which
valid policy is neither anyPolicy nor a member of papszPolicies.
While doing so, construct a set of unused user policies that
we'll replace anyPolicy nodes with in step 3. */
uint32_t cPoliciesLeft = 0;
if (cPolicies)
{
papPoliciesLeft = (PCRTASN1OBJID *)rtCrX509CpvAllocZ(pThis, cPolicies * sizeof(papPoliciesLeft[0]), "papPoliciesLeft");
if (!papPoliciesLeft)
return false;
for (i = 0; i < cPolicies; i++)
papPoliciesLeft[i] = papPolicies[i];
}
{
{
if ( RTAsn1ObjId_CompareWithString(pCur->pParent->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0
{
if (!pFound)
else
for (i = 0; i < cPoliciesLeft; i++)
if (papPoliciesLeft[i] == pFound)
{
if (i < cPoliciesLeft)
break;
}
}
}
}
/*
* 4.1.5.g.iii.3 - Replace anyPolicy nodes on the final tree depth with
* the policies in papPoliciesLeft.
*/
{
{
for (i = 0; i < cPoliciesLeft; i++)
}
}
/*
* 4.1.5.g.iii.4 - Prune the tree
*/
}
/**
* Frees the path validator state.
*
* @param pThis The path builder & validator instance.
*/
{
/*
* Destroy the policy tree and all its nodes. We do this from the bottom
* up via the depth lists, saving annoying tree traversal.
*/
if (pThis->v.paValidPolicyDepthLists)
{
}
/*
* Destroy the name constraint arrays.
*/
if (pThis->v.papPermittedSubtrees)
{
}
pThis->v.cPermittedSubtrees = 0;
pThis->v.cPermittedSubtreesAlloc = 0;
pThis->v.fNoPermittedSubtrees = false;
if (pThis->v.papExcludedSubtrees)
{
}
pThis->v.cExcludedSubtrees = 0;
/*
* Clear other pointers.
*/
}
/**
* Initializes the state.
*
* Caller must check pThis->rc.
*
* @param pThis The path builder & validator instance.
* @param pTrustAnchor The trust anchor node for the path that we're about
* to validate.
*/
{
/*
* The node count does not include the trust anchor.
*/
/*
* Valid policy tree starts with an anyPolicy node.
*/
pThis->v.paValidPolicyDepthLists = (PRTLISTANCHOR)rtCrX509CpvAllocZ(pThis, i * sizeof(RTLISTANCHOR),
"paValidPolicyDepthLists");
return;
while (i-- > 0)
if (!rtCrX509CpvPolicyTreeInsertNew(pThis, NULL, 0 /* iDepth*/, &pThis->AnyPolicyObjId, NULL, &pThis->AnyPolicyObjId))
return;
/*
* Name constrains.
*/
/*
* Counters.
*/
/*
* Certificate info from the trust anchor.
*/
if (pTrustAnchor->pCert)
{
}
else
{
}
}
/**
* Step 6.1.3.a.
*/
{
/*
* 6.1.3.a.1 - Verify the certificate signature.
*/
if (RT_FAILURE(rc))
{
return false;
}
/*
* 6.1.3.a.2 - Verify that the certificate is valid at the specified time.
*/
"Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
/*
* 6.1.3.a.3 - Verified that the certficiate is not revoked.
*/
/** @todo rainy day. */
/*
* 6.1.3.a.4 - Check the issuer name.
*/
return true;
}
/**
* Step 6.1.3.b-c.
*/
static bool rtCrX509CpvCheckNameConstraints(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
{
if (pThis->v.fNoPermittedSubtrees)
"Subject name is not permitted by current name constraints");
if (pAltSubjectName)
{
while (i-- > 0)
"Alternative name #%u is is not permitted by current name constraints", i);
}
return true;
}
/**
* Step 6.1.3.d-f.
*/
static bool rtCrX509CpvWorkValidPolicyTree(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth, PRTCRX509CERTPATHNODE pNode,
bool fSelfIssued)
{
if (pPolicies)
{
/*
* 6.1.3.d.1 - Work the certiciate policies into the tree.
*/
while (i-- > 0)
{
{
iAnyPolicy++;
continue;
}
/*
* 6.1.3.d.1.i - Create children for matching policies.
*/
{
if (fMatch)
{
return false;
cMatches++;
}
}
/*
* 6.1.3.d.1.ii - If no matches above do the same for anyPolicy
* nodes, only match with valid policy this time.
*/
if (cMatches == 0)
{
{
if (RTAsn1ObjId_CompareWithString(pCur->pExpectedPolicyFirst, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
{
return false;
}
}
}
}
/*
* 6.1.3.d.2 - If anyPolicy present, make sure all expected policies
* are propagated to the current depth.
*/
&& ( pThis->v.cInhibitAnyPolicy > 0
{
{
pCur->papMoreExpectedPolicySet[j]);
}
}
/*
* 6.1.3.d.3 - Prune the tree.
*/
else
}
else
{
/*
* 6.1.3.e - No policy extension present, set tree to NULL.
*/
}
/*
* 6.1.3.f - NULL tree check.
*/
&& pThis->v.cExplicitPolicy == 0)
"An explicit policy is called for but the valid policy tree is NULL.");
}
/**
* Step 6.1.4.a-b.
*/
{
/*
* 6.1.4.a - The anyPolicy is not allowed in policy mappings as it would
* allow an evil intermediate certificate to expand the policy
* scope of a certiciate chain without regard to upstream.
*/
while (i-- > 0)
{
if (RTAsn1ObjId_CompareWithString(&pPolicyMappings->paItems[i].IssuerDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
"Invalid policy mapping %#u: IssuerDomainPolicy is anyPolicy.", i);
if (RTAsn1ObjId_CompareWithString(&pPolicyMappings->paItems[i].SubjectDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
"Invalid policy mapping %#u: SubjectDomainPolicy is anyPolicy.", i);
}
if (pThis->v.cInhibitPolicyMapping > 0)
{
/*
* 6.1.4.b.1 - Do the policy mapping.
*/
i = pPolicyMappings->cItems;
while (i-- > 0)
{
RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
{
{
if (!pCur->fAlreadyMapped)
{
pCur->fAlreadyMapped = true;
}
else
{
if (!pvNew)
"Error growing papMoreExpectedPolicySet array (cur %u, depth %u)",
}
cFound++;
}
}
/*
* If no mapping took place, look for an anyPolicy node.
*/
if (!cFound)
{
RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
{
{
return false;
break;
}
}
}
}
}
else
{
/*
* 6.1.4.b.2 - Remove matching policies from the tree if mapping is
* inhibited and prune the tree.
*/
i = pPolicyMappings->cItems;
while (i-- > 0)
{
RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
{
{
cRemoved++;
}
}
}
if (cRemoved)
}
return true;
}
/**
* Step 6.1.4.d-f & 6.1.5.c-e.
*/
static void rtCrX509CpvSetWorkingPublicKeyInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
{
/*
* 6.1.4.d - The public key.
*/
/*
* 6.1.4.e - The public key parameters. Use new ones if present, keep old
* if the algorithm remains the same.
*/
else if ( pThis->v.pWorkingPublicKeyParameters
&& RTAsn1ObjId_Compare(pThis->v.pWorkingPublicKeyAlgorithm, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm) != 0)
/*
* 6.1.4.f - The public algorithm.
*/
}
/**
* Step 6.1.4.g.
*/
static bool rtCrX509CpvSoakUpNameConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAMECONSTRAINTS pNameConstraints)
{
return false;
return false;
return true;
}
/**
* Step 6.1.4.i.
*/
static bool rtCrX509CpvSoakUpPolicyConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints)
{
{
if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, pThis->v.cExplicitPolicy) < 0)
}
{
if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->InhibitPolicyMapping, pThis->v.cInhibitPolicyMapping) < 0)
}
return true;
}
/**
* Step 6.1.4.j.
*/
static bool rtCrX509CpvSoakUpInhibitAnyPolicy(PRTCRX509CERTPATHSINT pThis, PCRTASN1INTEGER pInhibitAnyPolicy)
{
return true;
}
/**
* Steps 6.1.4.k, 6.1.4.l, 6.1.4.m, and 6.1.4.n.
*/
static bool rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
bool fSelfIssued)
{
/* 6.1.4.k - If basic constraints present, CA must be set. */
if (RTAsn1Integer_UnsignedCompareWithU32(&pNode->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
{
/* Note! Add flags if support for older certificates is needed later. */
"Only version 3 certificates are supported (Version=%llu)",
}
if (pBasicConstraints)
{
}
/* 6.1.4.l - Work cMaxPathLength. */
if (!fSelfIssued)
{
if (pThis->v.cMaxPathLength > 0)
pThis->v.cMaxPathLength--;
else
}
/* 6.1.4.m - Update cMaxPathLength if basic constrain field is present and smaller. */
if (pBasicConstraints)
{
if (RTAsn1Integer_UnsignedCompareWithU32(&pBasicConstraints->PathLenConstraint, pThis->v.cMaxPathLength) < 0)
}
/* 6.1.4.n - Require keyCertSign in key usage if the extension is present. */
"Node #%u does not have KeyCertSign set (keyUsage=%#x)",
return true;
}
/**
* Step 6.1.4.o - check out critical extensions.
*/
static bool rtCrX509CpvCheckCriticalExtensions(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
{
while (cLeft-- > 0)
{
{
)
}
pCur++;
}
return true;
}
/**
* Step 6.1.5 - The wrapping up.
*/
{
/*
* 6.1.5.a - Decrement explicit policy.
*/
if (pThis->v.cExplicitPolicy > 0)
pThis->v.cExplicitPolicy--;
/*
* 6.1.5.b - Policy constraints and explicit policy.
*/
PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints = pNode->pCert->TbsCertificate.T3.pPolicyConstraints;
if ( pPolicyConstraints
pThis->v.cExplicitPolicy = 0;
/*
* 6.1.5.c-e - Update working public key info.
*/
/*
* 6.1.5.f - Critical extensions.
*/
return false;
/*
* 6.1.5.g - Calculate the intersection between the user initial policy set
* and the valid policy tree.
*/
rtCrX509CpvPolicyTreeIntersect(pThis, pThis->cInitialUserPolicySet, pThis->papInitialUserPolicySet);
if ( pThis->v.cExplicitPolicy == 0
return true;
}
/**
* Worker that validates one path.
*
* This implements the the algorithm in RFC-5280, section 6.1, with exception of
* the CRL checks in 6.1.3.a.3.
*
* @returns success indicator.
* @param pThis The path builder & validator instance.
* @param pTrustAnchor The trust anchor node.
*/
{
/*
* Special case, target certificate is trusted.
*/
if (!pTrustAnchor->pParent)
return rtCrX509CpvFailed(pThis, VERR_CR_X509_CERTPATHS_INTERNAL_ERROR, "Target certificate is trusted.");
/*
* Normal processing.
*/
{
uint32_t iNode = pThis->v.iNode = 1; /* We count to cNode (inclusive). Same a validation tree depth. */
{
/*
* Basic certificate processing.
*/
break;
break;
break;
/*
* If it's the last certificate in the path, do wrap-ups.
*/
{
break;
return true;
}
/*
* Preparations for the next certificate.
*/
&& !rtCrX509CpvSoakUpPolicyMappings(pThis, iNode, pTbsCert->T3.pPolicyMappings)) /* Step 6.1.4.a-b */
break;
break;
if (!fSelfIssued) /* Step 6.1.4.h */
{
if (pThis->v.cExplicitPolicy > 0)
pThis->v.cExplicitPolicy--;
if (pThis->v.cInhibitPolicyMapping > 0)
pThis->v.cInhibitPolicyMapping--;
if (pThis->v.cInhibitAnyPolicy > 0)
pThis->v.cInhibitAnyPolicy--;
}
break;
break;
if (!rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(pThis, pNode, fSelfIssued)) /* Step 6.1.4.k-n */
break;
break;
/*
* Advance to the next certificate.
*/
}
}
return false;
}
RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo)
{
/*
* Validate the input.
*/
/*
* Locate the path and validate it.
*/
int rc;
{
if (pLeaf)
{
{
}
else
rc = RTErrInfoSetF(pErrInfo, VERR_CR_X509_NO_TRUST_ANCHOR, "Path #%u is does not have a trust anchor: uSrc=%s",
}
else
}
else
rc = VERR_NOT_FOUND;
return rc;
}
RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo)
{
/*
* Validate the input.
*/
/*
* Validate the paths.
*/
int rcLastFailure = VINF_SUCCESS;
uint32_t cValidPaths = 0;
{
{
cValidPaths++;
else
}
else
}
if (pcValidPaths)
if (cValidPaths > 0)
return VINF_SUCCESS;
if (RT_SUCCESS_NP(rcLastFailure))
return rcLastFailure;
}
{
/*
* Validate the input.
*/
/*
* Return data.
*/
}
int *prcVerify)
{
/*
* Validate the input.
*/
/*
* Get the data.
*/
if (pfTrusted)
if (pcNodes)
if (ppSubject)
*ppSubject = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.Subject : &pLeaf->pCertCtx->pTaInfo->CertPath.TaName;
if (ppPublicKeyInfo)
*ppPublicKeyInfo = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.SubjectPublicKeyInfo : &pLeaf->pCertCtx->pTaInfo->PubKey;
if (ppCert)
if (ppCertCtx)
{
{
}
}
if (prcVerify)
return VINF_SUCCESS;
}
{
/*
* Validate the input.
*/
/*
* Get the data.
*/
}
{
/*
* Validate the input.
*/
/*
* Get the data.
*/
}
static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetPathNodeByIndexes(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, uint32_t iNode)
{
if (pNode)
{
{
return pNode;
}
}
return NULL;
}
RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode)
{
/*
* Validate the input.
*/
/*
* Get the data.
*/
if (pNode)
return NULL;
}
/** @} */