VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 100364

Last change on this file since 100364 was 100364, checked in by vboxsync, 11 months ago

IPRT: Added some OIDs related to EV certs and ECDSA. bugref:10479
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 64.5 KB
Line 
1/* $Id: x509-core.cpp 100364 2023-07-04 09:40:08Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Core APIs.
4 */
5
6/*
7 * Copyright (C) 2006-2023 Oracle and/or its affiliates.
8 *
9 * This file is part of VirtualBox base platform packages, as
10 * available from https://www.virtualbox.org.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation, in version 3 of the
15 * License.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <https://www.gnu.org/licenses>.
24 *
25 * The contents of this file may alternatively be used under the terms
26 * of the Common Development and Distribution License Version 1.0
27 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28 * in the VirtualBox distribution, in which case the provisions of the
29 * CDDL are applicable instead of those of the GPL.
30 *
31 * You may elect to license modified versions of this file under the
32 * terms and conditions of either the GPL or the CDDL or both.
33 *
34 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35 */
36
37
38/*********************************************************************************************************************************
39* Header Files *
40*********************************************************************************************************************************/
41#include "internal/iprt.h"
42#include <iprt/crypto/x509.h>
43
44#include <iprt/err.h>
45#include <iprt/string.h>
46#include <iprt/uni.h>
47
48#include "x509-internal.h"
49
50
51/*
52 * Generate the code.
53 */
54#include <iprt/asn1-generator-core.h>
55
56
57/*
58 * X.509 Validity.
59 */
60
61RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
62{
63 if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
64 return false;
65 if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
66 return false;
67 return true;
68}
69
70
71/*
72 * One X.509 Algorithm Identifier.
73 */
74
75RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
76{
77 AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
78 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
79 return RTDIGESTTYPE_MD5;
80 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
81 return RTDIGESTTYPE_SHA1;
82 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
83 return RTDIGESTTYPE_SHA256;
84 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
85 return RTDIGESTTYPE_SHA512;
86
87 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
88 return RTDIGESTTYPE_SHA384;
89 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
90 return RTDIGESTTYPE_SHA224;
91 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
92 return RTDIGESTTYPE_SHA512T224;
93 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
94 return RTDIGESTTYPE_SHA512T256;
95
96 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
97 return RTDIGESTTYPE_SHA3_224;
98 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
99 return RTDIGESTTYPE_SHA3_256;
100 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
101 return RTDIGESTTYPE_SHA3_384;
102 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
103 return RTDIGESTTYPE_SHA3_512;
104 return RTDIGESTTYPE_INVALID;
105}
106
107
108RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
109{
110 AssertPtrReturn(pThis, UINT32_MAX);
111
112 /* common */
113 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
114 return 128 / 8;
115 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
116 return 160 / 8;
117 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
118 return 256 / 8;
119 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
120 return 512 / 8;
121
122 /* Less common. */
123 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
124 return 128 / 8;
125 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
126 return 128 / 8;
127 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
128 return 384 / 8;
129 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
130 return 224 / 8;
131 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
132 return 224 / 8;
133 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
134 return 256 / 8;
135 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
136 return 224 / 8;
137 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
138 return 256 / 8;
139 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
140 return 384 / 8;
141 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
142 return 512 / 8;
143 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
144 return 512 / 8;
145
146 return UINT32_MAX;
147}
148
149
150RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
151{
152 return strcmp(pThis->Algorithm.szObjId, pszObjId);
153}
154
155
156RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
157 const char *pszEncryptedDigestOid)
158{
159 /* common */
160 if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
161 {
162 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
163 return 0;
164 }
165 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
166 {
167 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
168 return 0;
169 }
170 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
171 {
172 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
173 return 0;
174 }
175 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
176 {
177 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
178 return 0;
179 }
180 /* Less common. */
181 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
182 {
183 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
184 return 0;
185 }
186 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
187 {
188 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
189 return 0;
190 }
191 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
192 {
193 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
194 return 0;
195 }
196 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
197 {
198 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
199 return 0;
200 }
201 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
202 {
203 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
204 return 0;
205 }
206 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
207 {
208 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
209 return 0;
210 }
211 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
212 {
213 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
214 return 0;
215 }
216 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
217 {
218 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
219 return 0;
220 }
221 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
222 {
223 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
224 return 0;
225 }
226 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
227 {
228 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
229 return 0;
230 }
231 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
232 {
233 /* ?? */
234 }
235 else
236 return -1;
237 return 1;
238}
239
240RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
241 PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
242{
243 return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
244 pEncryptedDigest->Algorithm.szObjId);
245}
246
247
248RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid,
249 const char *pszDigestOid)
250{
251 /* RSA: */
252 if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
253 {
254 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
255 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
256 return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
257 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
258 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
259 return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
260 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
261 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
262 return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
263 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
264 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
265 return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
266 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
267 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
268 return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
269 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
270 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
271 return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
272 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
273 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
274 return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
275 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
276 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
277 return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
278 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224)
279 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
280 return RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA;
281 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256)
282 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
283 return RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA;
284 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224)
285 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
286 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA;
287 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256)
288 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
289 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA;
290 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384)
291 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
292 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA;
293 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512)
294 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
295 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA;
296
297 /* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
298 return ???; */
299 }
300 else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
301 return pszEncryptionOid;
302
303 AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
304 return NULL;
305}
306
307
308RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
309 PCRTCRX509ALGORITHMIDENTIFIER pDigest)
310{
311 return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
312 pDigest->Algorithm.szObjId);
313}
314
315
316/*
317 * Set of X.509 Algorithm Identifiers.
318 */
319
320
321/*
322 * One X.509 AttributeTypeAndValue.
323 */
324
325
326/*
327 * Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
328 */
329
330/**
331 * Slow code path of rtCrX509CanNameIsNothing.
332 *
333 * @returns true if @uc maps to nothing, false if not.
334 * @param uc The unicode code point.
335 */
336static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
337{
338 switch (uc)
339 {
340 /* 2.2 Map - Paragraph 1: */
341 case 0x00ad:
342 case 0x1806:
343 case 0x034f:
344 case 0x180b: case 0x180c: case 0x180d:
345
346 case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
347 case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
348 case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
349 case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
350
351 case 0xfffc:
352
353 /* 2.2 Map - Paragraph 3 (control code/function): */
354 case 0x0000: case 0x0001: case 0x0002: case 0x0003:
355 case 0x0004: case 0x0005: case 0x0006: case 0x0007:
356 case 0x0008:
357
358 case 0x000e: case 0x000f:
359 case 0x0010: case 0x0011: case 0x0012: case 0x0013:
360 case 0x0014: case 0x0015: case 0x0016: case 0x0017:
361 case 0x0018: case 0x0019: case 0x001a: case 0x001b:
362 case 0x001c: case 0x001d: case 0x001e: case 0x001f:
363
364 case 0x007f:
365 case 0x0080: case 0x0081: case 0x0082: case 0x0083:
366 case 0x0084: /*case 0x0085:*/ case 0x0086: case 0x0087:
367 case 0x0088: case 0x0089: case 0x008a: case 0x008b:
368 case 0x008c: case 0x008d: case 0x008e: case 0x008f:
369 case 0x0090: case 0x0091: case 0x0092: case 0x0093:
370 case 0x0094: case 0x0095: case 0x0096: case 0x0097:
371 case 0x0098: case 0x0099: case 0x009a: case 0x009b:
372 case 0x009c: case 0x009d: case 0x009e: case 0x009f:
373
374 case 0x06dd:
375 case 0x070f:
376 case 0x180e:
377 case 0x200c: case 0x200d: case 0x200e: case 0x200f:
378 case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
379 case 0x2060: case 0x2061: case 0x2062: case 0x2063:
380 case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
381 case 0xfeff:
382 case 0xfff9: case 0xfffa: case 0xfffb:
383 case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
384 case 0xe0001:
385 case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
386 case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
387 case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
388 case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
389 case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
390 case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
391 case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
392 case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
393 case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
394 case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
395 case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
396 case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
397 case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
398 case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
399 case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
400 case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
401 case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
402 case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
403 case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
404 case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
405 case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
406 case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
407 case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
408 case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
409
410 /* 2.2 Map - Paragraph 4. */
411 case 0x200b:
412 return true;
413 }
414 return false;
415}
416
417
418/**
419 * Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
420 * RFC-4518.
421 *
422 * @returns true if @uc maps to nothing, false if not.
423 * @param uc The unicode code point.
424 */
425DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
426{
427 if (uc > 0x001f && uc < 0x00ad)
428 return false;
429 return rtCrX509CanNameIsNothingSlow(uc);
430}
431
432
433/**
434 * Slow code path of rtCrX509CanNameIsSpace.
435 *
436 * @returns true if space, false if not.
437 * @param uc The unicode code point.
438 */
439static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
440{
441 switch (uc)
442 {
443 /* 2.2 Map - Paragraph 2. */
444 case 0x09:
445 case 0x0a:
446 case 0x0b:
447 case 0x0c:
448 case 0x0d:
449 case 0x20:
450 case 0x0085:
451 case 0x00a0:
452 case 0x1680:
453 case 0x2000: case 0x2001: case 0x2002: case 0x2003:
454 case 0x2004: case 0x2005: case 0x2006: case 0x2007:
455 case 0x2008: case 0x2009: case 0x200a:
456 case 0x2028: case 0x2029:
457 case 0x202f:
458 case 0x205f:
459 case 0x3000:
460 return true;
461 }
462 return false;
463}
464
465
466/**
467 * Checks if @a uc is a space character according to the mapping rules of
468 * RFC-5280 and RFC-4518.
469 *
470 * @returns true if space, false if not.
471 * @param uc The unicode code point.
472 */
473DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
474{
475 if (uc < 0x0085)
476 {
477 if (uc > 0x0020)
478 return false;
479 if (uc == 0x0020) /* space */
480 return true;
481 }
482 return rtCrX509CanNameIsSpaceSlow(uc);
483}
484
485
486static const char *rtCrX509CanNameStripLeft(const char *psz, size_t *pcch)
487{
488 /*
489 * Return space when we've encountered the first non-space-non-nothing code point.
490 */
491 const char * const pszStart = psz;
492 const char *pszPrev;
493 for (;;)
494 {
495 pszPrev = psz;
496 RTUNICP uc;
497 int rc = RTStrGetCpEx(&psz, &uc);
498 AssertRCBreak(rc);
499 if (!uc)
500 {
501 if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
502 break;
503 /* NUL inside the string, maps to nothing => ignore it. */
504 }
505 else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
506 break;
507 }
508 *pcch -= (size_t)(pszPrev - pszStart);
509 return pszPrev;
510}
511
512
513static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char **ppsz, size_t *pcch)
514{
515 /*
516 * Return space when we've encountered the first non-space-non-nothing code point.
517 */
518 RTUNICP uc;
519 const char *psz = *ppsz;
520 const char * const pszStart = psz;
521 const char *pszPrev;
522 for (;;)
523 {
524 pszPrev = psz;
525 int rc = RTStrGetCpEx(&psz, &uc);
526 AssertRCBreakStmt(rc, uc = 0x20);
527 if (!uc)
528 {
529 if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
530 {
531 uc = 0; /* End of string: Ignore trailing spaces. */
532 break;
533 }
534 /* NUL inside the string, maps to nothing => ignore it. */
535 }
536 else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
537 {
538 uc = 0x20; /* Return space before current char. */
539 break;
540 }
541 }
542
543 *ppsz = pszPrev;
544 *pcch -= (size_t)(pszPrev - pszStart);
545 return uc;
546}
547
548
549DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char **ppsz, size_t *pcch)
550{
551 while (*pcch > 0)
552 {
553 const char *psz = *ppsz;
554 RTUNICP uc = (RTUNICP)*psz;
555 if (uc < 0x80)
556 {
557 *pcch -= 1;
558 *ppsz = psz + 1;
559 }
560 else
561 {
562 int rc = RTStrGetCpEx(ppsz, &uc);
563 AssertRCReturn(rc, uc);
564 size_t cchCp = (size_t)(*ppsz - psz);
565 AssertReturn(cchCp <= *pcch, 0);
566 *pcch -= cchCp;
567 }
568 if (uc != 0)
569 return uc;
570 }
571 return 0;
572}
573
574
575static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char **ppsz, size_t *pcch)
576{
577 /*
578 * Return first code point which doesn't map to nothing. If we encounter
579 * a space, we defer to the mapping-after-space routine above.
580 */
581 for (;;)
582 {
583 RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
584 if (rtCrX509CanNameIsSpace(uc))
585 return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
586 if (!rtCrX509CanNameIsNothing(uc) || uc == 0)
587 return uc;
588 }
589}
590
591
592DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char **ppsz, size_t *pcch)
593{
594 RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
595 if (uc)
596 {
597 if (!rtCrX509CanNameIsSpace(uc))
598 {
599 if (!rtCrX509CanNameIsNothing(uc))
600 return uc;
601 return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
602 }
603 return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
604 }
605 return uc;
606}
607
608
609RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
610 PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
611{
612 if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
613 {
614 /*
615 * Try for perfect match in case we get luck.
616 */
617#ifdef DEBUG_bird /* Want to test the complicated code path first */
618 if (pLeft->Value.enmType != RTASN1TYPE_STRING || pRight->Value.enmType != RTASN1TYPE_STRING)
619#endif
620 if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
621 return true;
622
623 /*
624 * If both are string types, we can compare them according to RFC-5280.
625 */
626 if ( pLeft->Value.enmType == RTASN1TYPE_STRING
627 && pRight->Value.enmType == RTASN1TYPE_STRING)
628 {
629 size_t cchLeft;
630 const char *pszLeft;
631 int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
632 if (RT_SUCCESS(rc))
633 {
634 size_t cchRight;
635 const char *pszRight;
636 rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
637 if (RT_SUCCESS(rc))
638 {
639 /*
640 * Perform a simplified RFC-5280 comparsion.
641 * The algorithm as be relaxed on the following counts:
642 * 1. No unicode normalization.
643 * 2. Prohibited characters not checked for.
644 * 3. Bidirectional characters are not ignored.
645 */
646 pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
647 pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
648 while (*pszLeft && *pszRight)
649 {
650 RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
651 RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
652 if (ucLeft != ucRight)
653 {
654 ucLeft = RTUniCpToLower(ucLeft);
655 ucRight = RTUniCpToLower(ucRight);
656 if (ucLeft != ucRight)
657 return false;
658 }
659 }
660
661 return cchRight == 0 && cchLeft == 0;
662 }
663 }
664 }
665 }
666 return false;
667}
668
669
670RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
671 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
672{
673 /*
674 * No match if the attribute count differs.
675 */
676 uint32_t const cItems = pLeft->cItems;
677 if (cItems == pRight->cItems)
678 {
679 /*
680 * Compare each attribute, but don't insist on the same order nor
681 * bother checking for duplicates (too complicated).
682 */
683 for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
684 {
685 PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
686 bool fFound = false;
687 for (uint32_t iRight = 0; iRight < cItems; iRight++)
688 if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
689 {
690 fFound = true;
691 break;
692 }
693 if (!fFound)
694 return false;
695 }
696 return true;
697 }
698 return false;
699
700}
701
702
703/*
704 * X.509 Name.
705 */
706
707RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
708{
709 uint32_t const cItems = pLeft->cItems;
710 if (cItems == pRight->cItems)
711 {
712 /* Require exact order. */
713 for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
714 if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
715 return false;
716 return true;
717 }
718 return false;
719}
720
721
722RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
723{
724 /*
725 * Check that the constraint is a prefix of the name. This means that
726 * the name must have at least as many components and the constraint.
727 */
728 if (pName->cItems >= pConstraint->cItems)
729 {
730 /*
731 * Parallel crawl of the two RDNs arrays.
732 */
733 for (uint32_t i = 0; pConstraint->cItems; i++)
734 {
735 PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
736 PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
737
738 /*
739 * Walk the constraint attribute & value array.
740 */
741 for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
742 {
743 PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
744
745 /*
746 * Find matching attribute & value in the name.
747 */
748 bool fFound = false;
749 for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
750 if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
751 {
752 fFound = true;
753 break;
754 }
755 if (fFound)
756 return false;
757 }
758 }
759 return true;
760 }
761 return false;
762}
763
764
765/**
766 * Mapping between X.500 object IDs and short and long names.
767 *
768 * See RFC-1327, RFC-4519 ...
769 */
770static struct
771{
772 const char *pszOid;
773 const char *pszShortNm;
774 size_t cchShortNm;
775 const char *pszLongNm;
776} const g_aRdnMap[] =
777{
778 { "0.9.2342.19200300.100.1.1", RT_STR_TUPLE("uid"), "userid" },
779 { "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
780 { "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
781 { "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /*nonstandard*/,"EmailAddress" },
782 { "1.3.6.1.4.1.311.60.2.1.1", RT_STR_TUPLE("JdxIncL") /*nonstd*/, "JdxOfIncLocalityName" },
783 { "1.3.6.1.4.1.311.60.2.1.2", RT_STR_TUPLE("JdxIncST") /*nonstd*/, "JdxOfIncStateOrProvinceName" },
784 { "1.3.6.1.4.1.311.60.2.1.3", RT_STR_TUPLE("JdxIncC") /*nonstd*/, "JdxOfIncCountryName" },
785 { "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
786 { "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
787 { "2.5.4.5", RT_STR_TUPLE("SRN") /*nonstandard*/, "SerialNumber" },
788 { "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
789 { "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
790 { "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
791 { "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
792 { "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
793 { "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
794 { "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
795 { "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
796 { "2.5.4.15", RT_STR_TUPLE("BC") /*nonstandard*/, "BusinessCategory" },
797 { "2.5.4.17", RT_STR_TUPLE("ZIP") /*nonstandard*/, "PostalCode" },
798 { "2.5.4.18", RT_STR_TUPLE("POBox") /*nonstandard*/,"PostOfficeBox" },
799 { "2.5.4.20", RT_STR_TUPLE("PN") /*nonstandard*/, "TelephoneNumber" },
800 { "2.5.4.33", RT_STR_TUPLE("RO") /*nonstandard*/, "RoleOccupant" },
801 { "2.5.4.34", RT_STR_TUPLE("SA") /*nonstandard*/, "StreetAddress" },
802 { "2.5.4.41", RT_STR_TUPLE("N") /*nonstandard*/, "Name" },
803 { "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
804 { "2.5.4.43", RT_STR_TUPLE("I") /*nonstandard*/, "Initials" },
805 { "2.5.4.44", RT_STR_TUPLE("GQ") /*nonstandard*/, "GenerationQualifier" },
806 { "2.5.4.46", RT_STR_TUPLE("DNQ") /*nonstandard*/, "DNQualifier" },
807 { "2.5.4.51", RT_STR_TUPLE("HID") /*nonstandard*/, "HouseIdentifier" },
808};
809
810
811RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
812{
813 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
814 while (iName-- > 0)
815 if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
816 return g_aRdnMap[iName].pszShortNm;
817 return NULL;
818}
819
820
821RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
822{
823 /* Keep track of the string length. */
824 size_t cchString = strlen(pszString);
825
826 /*
827 * The usual double loop for walking the components.
828 */
829 for (uint32_t i = 0; i < pThis->cItems; i++)
830 {
831 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
832 for (uint32_t j = 0; j < pRdn->cItems; j++)
833 {
834 PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
835
836 /*
837 * Must be a string.
838 */
839 if (pComponent->Value.enmType != RTASN1TYPE_STRING)
840 return false;
841
842 /*
843 * Look up the component name prefix and check whether it's also in the string.
844 */
845 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
846 while (iName-- > 0)
847 if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
848 break;
849 AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
850
851 if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
852 || pszString[g_aRdnMap[iName].cchShortNm] != '=')
853 return false;
854
855 pszString += g_aRdnMap[iName].cchShortNm + 1;
856 cchString -= g_aRdnMap[iName].cchShortNm + 1;
857
858 /*
859 * Compare the component string.
860 */
861 size_t cchComponent;
862 int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
863 AssertRCReturn(rc, false);
864
865 if (cchComponent > cchString)
866 return false;
867 if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
868 return false;
869
870 cchString -= cchComponent;
871 pszString += cchComponent;
872
873 /*
874 * Check separator comma + space and skip extra spaces before the next component.
875 */
876 if (cchString)
877 {
878 if (pszString[0] != ',')
879 return false;
880 if (pszString[1] != ' ' && pszString[1] != '\t')
881 return false;
882 pszString += 2;
883 cchString -= 2;
884
885 while (*pszString == ' ' || *pszString == '\t')
886 {
887 pszString++;
888 cchString--;
889 }
890 }
891 }
892 }
893
894 /*
895 * If we got thru the whole name and the whole string, we're good.
896 */
897 return *pszString == '\0';
898}
899
900
901RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual)
902{
903 /*
904 * The usual double loop for walking the components.
905 */
906 size_t off = 0;
907 int rc = VINF_SUCCESS;
908 for (uint32_t i = 0; i < pThis->cItems; i++)
909 {
910 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
911 for (uint32_t j = 0; j < pRdn->cItems; j++)
912 {
913 PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
914
915 /*
916 * Must be a string.
917 */
918 if (pComponent->Value.enmType != RTASN1TYPE_STRING)
919 return VERR_CR_X509_NAME_NOT_STRING;
920
921 /*
922 * Look up the component name prefix.
923 */
924 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
925 while (iName-- > 0)
926 if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
927 break;
928 AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
929 VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
930
931 /*
932 * Append the prefix.
933 */
934 if (off)
935 {
936 if (off + 2 < cbBuf)
937 {
938 pszBuf[off] = ',';
939 pszBuf[off + 1] = ' ';
940 }
941 else
942 rc = VERR_BUFFER_OVERFLOW;
943 off += 2;
944 }
945
946 if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
947 {
948 memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
949 pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
950 }
951 else
952 rc = VERR_BUFFER_OVERFLOW;
953 off += g_aRdnMap[iName].cchShortNm + 1;
954
955 /*
956 * Add the component string.
957 */
958 const char *pszUtf8;
959 size_t cchUtf8;
960 int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
961 AssertRCReturn(rc2, rc2);
962 if (off + cchUtf8 < cbBuf)
963 memcpy(&pszBuf[off], pszUtf8, cchUtf8);
964 else
965 rc = VERR_BUFFER_OVERFLOW;
966 off += cchUtf8;
967 }
968 }
969
970 if (pcbActual)
971 *pcbActual = off + 1;
972 if (off < cbBuf)
973 pszBuf[off] = '\0';
974 return rc;
975}
976
977
978
979/*
980 * One X.509 GeneralName.
981 */
982
983/**
984 * Name constraint matching (RFC-5280): DNS Name.
985 *
986 * @returns true on match, false on mismatch.
987 * @param pConstraint The constraint name.
988 * @param pName The name to match against the constraint.
989 */
990static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
991{
992 /*
993 * Empty constraint string is taken to match everything.
994 */
995 if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
996 return true;
997
998 /*
999 * Get the UTF-8 strings for the two.
1000 */
1001 size_t cchConstraint;
1002 char const *pszConstraint;
1003 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
1004 if (RT_SUCCESS(rc))
1005 {
1006 size_t cchFull;
1007 char const *pszFull;
1008 rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
1009 if (RT_SUCCESS(rc))
1010 {
1011 /*
1012 * No match if the constraint is longer.
1013 */
1014 if (cchConstraint > cchFull)
1015 return false;
1016
1017 /*
1018 * No match if the constraint and name tail doesn't match
1019 * in a case-insensitive compare.
1020 */
1021 size_t offFull = cchFull - cchConstraint;
1022 if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1023 return false;
1024 if (!offFull)
1025 return true;
1026
1027 /*
1028 * The matching constraint must be delimited by a dot in the full
1029 * name. There seems to be some discussion whether ".oracle.com"
1030 * should match "www..oracle.com". This implementation does choose
1031 * to not succeed in that case.
1032 */
1033 if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
1034 return true;
1035
1036 return false;
1037 }
1038 }
1039
1040 /* fall back. */
1041 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1042}
1043
1044
1045/**
1046 * Name constraint matching (RFC-5280): RFC-822 (email).
1047 *
1048 * @returns true on match, false on mismatch.
1049 * @param pConstraint The constraint name.
1050 * @param pName The name to match against the constraint.
1051 */
1052static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1053{
1054 /*
1055 * Empty constraint string is taken to match everything.
1056 */
1057 if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
1058 return true;
1059
1060 /*
1061 * Get the UTF-8 strings for the two.
1062 */
1063 size_t cchConstraint;
1064 char const *pszConstraint;
1065 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
1066 if (RT_SUCCESS(rc))
1067 {
1068 size_t cchFull;
1069 char const *pszFull;
1070 rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
1071 if (RT_SUCCESS(rc))
1072 {
1073 /*
1074 * No match if the constraint is longer.
1075 */
1076 if (cchConstraint > cchFull)
1077 return false;
1078
1079 /*
1080 * A lone dot matches everything.
1081 */
1082 if (cchConstraint == 1 && *pszConstraint == '.')
1083 return true;
1084
1085 /*
1086 * If there is a '@' in the constraint, the entire address must match.
1087 */
1088 const char *pszConstraintAt = (const char *)memchr(pszConstraint, '@', cchConstraint);
1089 if (pszConstraintAt)
1090 return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
1091
1092 /*
1093 * No match if the constraint and name tail doesn't match
1094 * in a case-insensitive compare.
1095 */
1096 size_t offFull = cchFull - cchConstraint;
1097 if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1098 return false;
1099
1100 /*
1101 * If the constraint starts with a dot, we're supposed to be
1102 * satisfied with a tail match.
1103 */
1104 /** @todo Check if this should match even if offFull == 0. */
1105 if (*pszConstraint == '.')
1106 return true;
1107
1108 /*
1109 * Otherwise, we require a hostname match and thus expect an '@'
1110 * immediatly preceding the constraint match.
1111 */
1112 if (pszFull[offFull - 1] == '@')
1113 return true;
1114
1115 return false;
1116 }
1117 }
1118
1119 /* fall back. */
1120 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1121}
1122
1123
1124/**
1125 * Extracts the hostname from an URI.
1126 *
1127 * @returns true if successfully extract, false if no hostname present.
1128 * @param pszUri The URI.
1129 * @param pchHostName .
1130 * @param pcchHostName .
1131 */
1132static bool rtCrX509GeneralName_ExtractHostName(const char *pszUri, const char **pchHostName, size_t *pcchHostName)
1133{
1134 /*
1135 * Skip the schema name.
1136 */
1137 const char *pszStart = strchr(pszUri, ':');
1138 while (pszStart && (pszStart[1] != '/' || pszStart[2] != '/'))
1139 pszStart = strchr(pszStart + 1, ':');
1140 if (pszStart)
1141 {
1142 pszStart += 3;
1143
1144 /*
1145 * The name ends with the first slash or ":port".
1146 */
1147 const char *pszEnd = strchr(pszStart, '/');
1148 if (!pszEnd)
1149 pszEnd = strchr(pszStart, '\0');
1150 if (memchr(pszStart, ':', (size_t)(pszEnd - pszStart)))
1151 do
1152 pszEnd--;
1153 while (*pszEnd != ':');
1154 if (pszEnd != pszStart)
1155 {
1156 /*
1157 * Drop access credentials at the front of the string if present.
1158 */
1159 const char *pszAt = (const char *)memchr(pszStart, '@', (size_t)(pszEnd - pszStart));
1160 if (pszAt)
1161 pszStart = pszAt + 1;
1162
1163 /*
1164 * If there is still some string left, that's the host name.
1165 */
1166 if (pszEnd != pszStart)
1167 {
1168 *pcchHostName = (size_t)(pszEnd - pszStart);
1169 *pchHostName = pszStart;
1170 return true;
1171 }
1172 }
1173 }
1174
1175 *pcchHostName = 0;
1176 *pchHostName = NULL;
1177 return false;
1178}
1179
1180
1181/**
1182 * Name constraint matching (RFC-5280): URI.
1183 *
1184 * @returns true on match, false on mismatch.
1185 * @param pConstraint The constraint name.
1186 * @param pName The name to match against the constraint.
1187 */
1188static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1189{
1190 /*
1191 * Empty constraint string is taken to match everything.
1192 */
1193 if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1194 return true;
1195
1196 /*
1197 * Get the UTF-8 strings for the two.
1198 */
1199 size_t cchConstraint;
1200 char const *pszConstraint;
1201 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1202 if (RT_SUCCESS(rc))
1203 {
1204 size_t cchFull;
1205 char const *pszFull;
1206 rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1207 if (RT_SUCCESS(rc))
1208 {
1209 /*
1210 * Isolate the hostname in the name.
1211 */
1212 size_t cchHostName;
1213 const char *pchHostName;
1214 if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1215 {
1216 /*
1217 * Domain constraint.
1218 */
1219 if (*pszConstraint == '.')
1220 {
1221 if (cchHostName >= cchConstraint)
1222 {
1223 size_t offHostName = cchHostName - cchConstraint;
1224 if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1225 {
1226 /* "http://www..oracle.com" does not match ".oracle.com".
1227 It's debatable whether "http://.oracle.com/" should match. */
1228 if ( !offHostName
1229 || pchHostName[offHostName - 1] != '.')
1230 return true;
1231 }
1232 }
1233 }
1234 /*
1235 * Host name constraint. Full match required.
1236 */
1237 else if ( cchHostName == cchConstraint
1238 && RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1239 return true;
1240 }
1241 return false;
1242 }
1243 }
1244
1245 /* fall back. */
1246 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1247}
1248
1249
1250/**
1251 * Name constraint matching (RFC-5280): IP address.
1252 *
1253 * @returns true on match, false on mismatch.
1254 * @param pConstraint The constraint name.
1255 * @param pName The name to match against the constraint.
1256 */
1257static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1258{
1259 uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1260 uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1261
1262 /*
1263 * IPv4.
1264 */
1265 if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1266 && pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1267 return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1268 && ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1269 && ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1270 && ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1271
1272 /*
1273 * IPv6.
1274 */
1275 if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1276 && pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1277 {
1278 for (uint32_t i = 0; i < 16; i++)
1279 if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1280 return false;
1281 return true;
1282 }
1283
1284 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1285}
1286
1287
1288RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1289{
1290 if (pConstraint->enmChoice == pName->enmChoice)
1291 {
1292 if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1293 return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1294
1295 if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1296 return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1297
1298 if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1299 return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1300
1301 if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1302 return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1303
1304 if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1305 return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1306
1307 AssertFailed();
1308 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1309 }
1310 return false;
1311}
1312
1313
1314/*
1315 * Sequence of X.509 GeneralNames.
1316 */
1317
1318
1319/*
1320 * X.509 UniqueIdentifier.
1321 */
1322
1323
1324/*
1325 * X.509 SubjectPublicKeyInfo.
1326 */
1327
1328
1329/*
1330 * X.509 AuthorityKeyIdentifier (IPRT representation).
1331 */
1332
1333
1334/*
1335 * One X.509 PolicyQualifierInfo.
1336 */
1337
1338
1339/*
1340 * Sequence of X.509 PolicyQualifierInfo.
1341 */
1342
1343
1344/*
1345 * One X.509 PolicyInformation.
1346 */
1347
1348
1349/*
1350 * Sequence of X.509 CertificatePolicies.
1351 */
1352
1353
1354/*
1355 * One X.509 PolicyMapping (IPRT representation).
1356 */
1357
1358
1359/*
1360 * Sequence of X.509 PolicyMappings (IPRT representation).
1361 */
1362
1363
1364/*
1365 * X.509 BasicConstraints (IPRT representation).
1366 */
1367
1368
1369/*
1370 * X.509 GeneralSubtree (IPRT representation).
1371 */
1372
1373
1374RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1375{
1376 return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1377}
1378
1379
1380/*
1381 * Sequence of X.509 GeneralSubtrees (IPRT representation).
1382 */
1383
1384
1385/*
1386 * X.509 NameConstraints (IPRT representation).
1387 */
1388
1389
1390/*
1391 * X.509 PolicyConstraints (IPRT representation).
1392 */
1393
1394
1395/*
1396 * One X.509 Extension.
1397 */
1398
1399
1400/*
1401 * Sequence of X.509 Extensions.
1402 */
1403
1404
1405/*
1406 * X.509 TbsCertificate.
1407 */
1408
1409static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1410{
1411 AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1412 /* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
1413 AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
1414 pThis->T3.fKeyUsage |= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1415}
1416
1417
1418static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1419{
1420 AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1421 PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1422 uint32_t i = pObjIds->cItems;
1423 while (i-- > 0)
1424 {
1425
1426 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1427 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_ANY;
1428 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
1429 {
1430 if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
1431 switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
1432 {
1433 case 1: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1434 case 2: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1435 case 3: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1436 case 4: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1437 case 5: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1438 case 6: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1439 case 7: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1440 case 8: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1441 case 9: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1442 case 10: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_DVCS; break;
1443 case 11: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1444 case 13: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1445 case 14: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1446 default: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER; break;
1447 }
1448 else
1449 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1450 }
1451 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1452 {
1453 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1454 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1455 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1456 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1457 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1458 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1459 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1460 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1461 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1462 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1463 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1464 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1465 else
1466 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1467 }
1468 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
1469 {
1470 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1471 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1472 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_WHQL_CRYPTO_OID) == 0)
1473 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO;
1474 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID) == 0)
1475 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO;
1476 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1477 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1478 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1479 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1480 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1481 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1482 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1483 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1484 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1485 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1486 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1487 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM;
1488 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1489 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1490 else
1491 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1492 }
1493 else
1494 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1495 }
1496}
1497
1498
1499/**
1500 * (Re-)Process the certificate extensions.
1501 *
1502 * Will fail if duplicate extensions are encountered.
1503 *
1504 * @returns IPRT status code.
1505 * @param pThis The to-be-signed certificate part.
1506 * @param pErrInfo Where to return extended error details,
1507 * optional.
1508 */
1509RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1510{
1511 /*
1512 * Clear all variables we will set.
1513 */
1514 pThis->T3.fFlags = 0;
1515 pThis->T3.fKeyUsage = 0;
1516 pThis->T3.fExtKeyUsage = 0;
1517 pThis->T3.pAuthorityKeyIdentifier = NULL;
1518 pThis->T3.pSubjectKeyIdentifier = NULL;
1519 pThis->T3.pAltSubjectName = NULL;
1520 pThis->T3.pAltIssuerName = NULL;
1521 pThis->T3.pCertificatePolicies = NULL;
1522 pThis->T3.pPolicyMappings = NULL;
1523 pThis->T3.pBasicConstraints = NULL;
1524 pThis->T3.pNameConstraints = NULL;
1525 pThis->T3.pPolicyConstraints = NULL;
1526 pThis->T3.pInhibitAnyPolicy = NULL;
1527
1528#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1529 do { \
1530 if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1531 return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1532 "Duplicate extension " #a_fPresentFlag); \
1533 (a_pThis)->T3.fFlags |= (a_fPresentFlag); \
1534 } while (0)
1535
1536 /*
1537 * Process all the extensions.
1538 */
1539 for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1540 {
1541 PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
1542 PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
1543 if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1544 {
1545 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1546 rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1547 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1548 }
1549 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1550 {
1551 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1552 rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1553 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1554 }
1555 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1556 {
1557 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1558 pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1559 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1560 }
1561 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1562 {
1563 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1564 pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1565 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1566 }
1567 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1568 {
1569 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1570 pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1571 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1572 }
1573 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1574 {
1575 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1576 pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1577 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1578 }
1579 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1580 {
1581 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1582 pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1583 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1584 }
1585 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1586 {
1587 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1588 pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1589 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1590 }
1591 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1592 {
1593 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1594 pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1595 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1596 }
1597 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1598 {
1599 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1600 pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1601 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1602 }
1603 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1604 {
1605 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1606 pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1607 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1608 }
1609 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1610 {
1611 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1612 pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1613 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1614 }
1615 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1616 {
1617 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1618 pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1619 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1620 }
1621 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1622 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1623 else
1624 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1625 }
1626
1627 if (!pThis->T3.fFlags)
1628 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1629
1630#undef CHECK_SET_PRESENT_RET_ON_DUP
1631 return VINF_SUCCESS;
1632}
1633
1634
1635
1636/*
1637 * One X.509 Certificate.
1638 */
1639
1640RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1641 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1642{
1643 if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1644 && RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1645 return true;
1646 return false;
1647}
1648
1649
1650RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1651{
1652 if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1653 return true;
1654
1655 if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1656 for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1657 {
1658 PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
1659 if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1660 && RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1661 {
1662 PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1663 for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1664 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
1665 && RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
1666 return true;
1667 }
1668 }
1669 return false;
1670}
1671
1672
1673RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1674{
1675 if (RTCrX509Certificate_IsPresent(pCertificate))
1676 {
1677 return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1678 &pCertificate->TbsCertificate.Issuer);
1679 }
1680 return false;
1681}
1682
1683
1684/*
1685 * Set of X.509 Certificates.
1686 */
1687
1688RTDECL(PCRTCRX509CERTIFICATE)
1689RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1690 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1691{
1692 for (uint32_t i = 0; i < pCertificates->cItems; i++)
1693 if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
1694 return pCertificates->papItems[i];
1695 return NULL;
1696}
1697
Note: See TracBrowser for help on using the repository browser.

© 2023 Oracle
ContactPrivacy policyTerms of Use