Index: /trunk/include/iprt/err.h
===================================================================
--- /trunk/include/iprt/err.h	(revision 50831)
+++ /trunk/include/iprt/err.h	(revision 50832)
@@ -1879,4 +1879,27 @@
 /** @} */
 
+/** @name RTX509 status codes
+ * @{ */
+/** Error during reading a certificate in PEM format from BIO */
+#define VERR_READING_CERT_FROM_BIO                  (-22800)
+/** Error extract a public key from the certificate */
+#define VERR_EXTRACT_PUBKEY_FROM_CERT               (-22801)
+/** Error extract RSA from the public key */
+#define VERR_EXTRACT_RSA_FROM_PUBLIC_KEY            (-22802)
+/** Error the signature verification */
+#define VERR_RSA_VERIFICATION_FUILURE               (-22803)
+/** Error basic constraints were not found */
+#define VERR_NO_BASIC_CONSTARAINTS                  (-22804)
+/** Error getting extensions from the certificate */
+#define VERR_GETTING_EXTENSION_FROM_CERT            (-22805)
+/** Error getting a data from the extension */
+#define VERR_GETTING_DATA_FROM_EXTENSION            (-22806)
+/** Error print out an extension to BIO */
+#define VERR_PRINT_EXTENSION_TO_BIO                 (-22807)
+/** Error X509 certificate verification */
+#define VERR_X509_CERTIFICATE_VERIFICATION_FAILURE  (-22808)
+/** Error X509 certificate isn't self signed */
+#define VERR_NOT_SELFSIGNED_X509_CERTIFICATE        (-22809)
+/** @} */
 
 /* SED-END */
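Review bot: Two of the new status-code names are misspelled, `VERR_RSA_VERIFICATION_FUILURE` and `VERR_NO_BASIC_CONSTARAINTS`, and because they sit in a shared include header the typos become part of the API as soon as callers use them. I would define them as `#define VERR_RSA_VERIFICATION_FAILURE (-22803)` and `#define VERR_NO_BASIC_CONSTRAINTS (-22804)`, and update the `switch` in ApplianceImplImport.cpp in the same commit. Most names in the group also do not say which subsystem they belong to (only two mention X509), so a common prefix would make them harder to confuse with unrelated codes. The doc comments would read better as full phrases, e.g. `/** Signature verification failed. */`.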
Index: /trunk/include/iprt/mangling.h
===================================================================
--- /trunk/include/iprt/mangling.h	(revision 50831)
+++ /trunk/include/iprt/mangling.h	(revision 50832)
@@ -1199,4 +1199,5 @@
 # define RTReqRetain                                    RT_MANGLER(RTReqRetain)
 # define RTReqWait                                      RT_MANGLER(RTReqWait)
+# define RTRSAVerify                                    RT_MANGLER(RTRSAVerify)
 # define RTReqGetStatus                                 RT_MANGLER(RTReqGetStatus)
 # define RTS3BucketsDestroy                             RT_MANGLER(RTS3BucketsDestroy)
@@ -1882,4 +1883,7 @@
 # define RTVfsUtilDummyPollOne                          RT_MANGLER(RTVfsUtilDummyPollOne)
 # define RTVfsUtilPumpIoStreams                         RT_MANGLER(RTVfsUtilPumpIoStreams)
+# define RTX509PrepareOpenSSL                           RT_MANGLER(RTX509PrepareOpenSSL)
+# define RTX509CertificateVerify                        RT_MANGLER(RTX509CertificateVerify)
+# define RTX509GetErrorDescription                      RT_MANGLER(RTX509GetErrorDescription)
 # define RTZipBlockCompress                             RT_MANGLER(RTZipBlockCompress)
 # define RTZipBlockDecompress                           RT_MANGLER(RTZipBlockDecompress)
Index: /trunk/src/VBox/Main/Makefile.kmk
===================================================================
--- /trunk/src/VBox/Main/Makefile.kmk	(revision 50831)
+++ /trunk/src/VBox/Main/Makefile.kmk	(revision 50832)
@@ -318,5 +318,6 @@
 	$(PATH_STAGE_LIB)/SSMStandalone$(VBOX_SUFF_LIB) \
 	$(LIB_DDU)
-VBoxSVC_SDKS = VBOX_LIBPNG VBOX_ZLIB
+
+VBoxSVC_SDKS = VBOX_LIBPNG VBOX_ZLIB VBOX_OPENSSL
 VBoxSVC_LIBS.solaris = \
 	adm \
Index: /trunk/src/VBox/Main/include/ApplianceImpl.h
===================================================================
--- /trunk/src/VBox/Main/include/ApplianceImpl.h	(revision 50831)
+++ /trunk/src/VBox/Main/include/ApplianceImpl.h	(revision 50832)
@@ -181,4 +181,6 @@
                                PSHASTORAGE pStorage);
     HRESULT i_verifyManifestFile(const Utf8Str &strFile, ImportStack &stack, void *pvBuf, size_t cbSize);
+
+    HRESULT i_verifyCertificateFile(void *pvBuf, size_t cbSize, PSHASTORAGE pStorage);
 
     void i_convertDiskAttachmentValues(const ovf::HardDiskController &hdc,
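Review bot: The new declaration `i_verifyCertificateFile` has no comment saying what a successful return actually proves, which matters for a signature check. Judging by the implementation in this commit, it verifies the signature over `pStorage->strDigest` with the certificate in `pvBuf` and then verifies the certificate, and one of its error strings says only self-signed certificates are supported. I would document that on the declaration, e.g. `/** Verifies the manifest digest signature and the certificate in pvBuf; S_OK means the signature matches the embedded certificate, not that the signer is trusted. */`. The last clause is inferred from the self-signed restriction and should be confirmed against x509.cpp, which is not shown here. The enclosing class starts and ends outside the hunk.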
Index: /trunk/src/VBox/Main/src-server/ApplianceImplImport.cpp
===================================================================
--- /trunk/src/VBox/Main/src-server/ApplianceImplImport.cpp	(revision 50831)
+++ /trunk/src/VBox/Main/src-server/ApplianceImplImport.cpp	(revision 50832)
@@ -47,4 +47,5 @@
 #include <VBox/settings.h>
 
+#include <iprt/x509.h>
 #include <set>
 
@@ -1517,4 +1518,6 @@
 
                 /* verify Certificate */
+                rc = i_verifyCertificateFile(pvCertBuf, cbCertFile, &storage);
+                if (FAILED(rc)) throw rc;
             }
         }
@@ -1588,4 +1591,5 @@
     void *pvCertBuf = NULL;
     Utf8Str OVFfilename;
+    void  *pSignatureRSA = NULL;
 
     writeLock.release();
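Review bot: The added local `void  *pSignatureRSA = NULL;` is not referenced by any other added line in this file's hunks, so it appears to be unused. If nothing outside the visible hunks uses it, I would drop the declaration; if it is meant to own a buffer later, it should be added together with the code that allocates and frees it. The enclosing function starts and ends outside the hunk.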
@@ -1693,5 +1697,7 @@
                     if (pvCertBuf)
                     {
-                    /* verify the certificate */
+                        /* verify the certificate */
+                        rc = i_verifyCertificateFile(pvCertBuf, cbCertFile, pStorage);
+                        if (FAILED(rc)) throw rc;
                     }
                 }
@@ -1738,5 +1744,7 @@
                         if (pvCertBuf)
                         {
-                        /* verify the certificate */
+                            /* verify the certificate */
+                            rc = i_verifyCertificateFile(pvCertBuf, cbCertFile, pStorage);
+                            if (FAILED(rc)) throw rc;
                         }
                     }
@@ -2037,4 +2045,6 @@
 HRESULT Appliance::i_verifyManifestFile(const Utf8Str &strFile, ImportStack &stack, void *pvBuf, size_t cbSize)
 {
+    LogFlowFuncEnter();
+    LogFlowFunc(("Appliance %p\n", this));
     HRESULT rc = S_OK;
 
@@ -2064,5 +2074,99 @@
 
     RTMemFree(paTests);
-
+    LogFlowFuncLeave();
+
+    return rc;
+}
+
+HRESULT Appliance::i_verifyCertificateFile(void *pvBuf, size_t cbSize, PSHASTORAGE pStorage)
+{
+    LogFlowFuncEnter();
+    LogFlowFunc(("Appliance %p\n", this));
+    HRESULT rc = S_OK;
+
+    int vrc = 0;
+    RTDIGESTTYPE digestType;
+    void * pvCertBuf = pvBuf;
+    size_t cbCertSize = cbSize;
+    Utf8Str manifestDigest = pStorage->strDigest;
+
+    vrc = RTManifestVerifyDigestType(pvCertBuf, cbCertSize, &digestType);
+    if (RT_FAILURE(vrc))
+    {
+        rc = setError(VBOX_E_FILE_ERROR, tr("Digest type of certificate is unknown"));
+    }
+    else
+    {
+        RTX509PrepareOpenSSL();
+
+        vrc = RTRSAVerify(pvCertBuf, (unsigned int)cbCertSize, manifestDigest.c_str(), digestType);
+        if (RT_SUCCESS(vrc))
+        {
+            vrc = RTX509CertificateVerify(pvCertBuf, (unsigned int)cbCertSize);
+        }
+
+        /* After first unsuccessful operation */
+        if (RT_FAILURE(vrc))
+        {
+            {
+                /* first stage for getting possible error code and it's description using native openssl method */
+                char* errStrDesc = NULL;
+                unsigned long errValue = RTX509GetErrorDescription(&errStrDesc);
+
+                if(errValue != 0)
+                {
+                    rc = setError(VBOX_E_FILE_ERROR, tr(errStrDesc));
+                    LogFlowFunc(("Error during verifying X509 certificate(internal openssl description): %s\n", errStrDesc));
+                }
+
+                RTMemFree(errStrDesc);
+            }
+
+            {
+                /* second stage for getting possible error code using our defined errors codes. The original error description
+                   will be replaced by our description */
+
+                Utf8Str errStrDesc;
+                switch(vrc)
+                {
+                    case VERR_READING_CERT_FROM_BIO:
+                        errStrDesc = "Error during reading a certificate in PEM format from BIO ";
+                        break;
+                    case VERR_EXTRACT_PUBKEY_FROM_CERT:
+                        errStrDesc = "Error during extraction a public key from the certificate ";
+                        break;
+                    case VERR_EXTRACT_RSA_FROM_PUBLIC_KEY:
+                        errStrDesc = "Error during extraction RSA from the public key ";
+                        break;
+                    case VERR_RSA_VERIFICATION_FUILURE:
+                        errStrDesc = "RSA verification failure ";
+                        break;
+                    case VERR_NO_BASIC_CONSTARAINTS:
+                        errStrDesc = "Basic constraints were not found ";
+                        break;
+                    case VERR_GETTING_EXTENSION_FROM_CERT:
+                        errStrDesc = "Error during getting extensions from the certificate ";
+                        break;
+                    case VERR_GETTING_DATA_FROM_EXTENSION:
+                        errStrDesc = "Error during extraction data from the extension ";
+                        break;
+                    case VERR_PRINT_EXTENSION_TO_BIO:
+                        errStrDesc = "Error during print out an extension to BIO ";
+                        break;
+                    case VERR_X509_CERTIFICATE_VERIFICATION_FAILURE:
+                        errStrDesc = "X509 certificate verification failure ";
+                        break;
+                    case VERR_NOT_SELFSIGNED_X509_CERTIFICATE:
+                        errStrDesc = "Only self signed X509 certificates are supported at moment";
+                        break;
+                    default:
+                        errStrDesc = "Unknown error during X509 certificate verification";
+                }
+                rc = setError(VBOX_E_FILE_ERROR, tr(errStrDesc.c_str()));
+            }
+        }
+    }
+
+    LogFlowFuncLeave();
     return rc;
 }
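Review bot: In `i_verifyCertificateFile` the OpenSSL error text is handed over as the message itself, `setError(VBOX_E_FILE_ERROR, tr(errStrDesc))`; if `setError` treats its second argument as a printf-style format (I believe it does, please confirm), any `%` in that text is interpreted as a conversion. Pass it as data instead, `rc = setError(VBOX_E_FILE_ERROR, "%s", errStrDesc);`, and do the same for `errStrDesc.c_str()` in the second stage, where `tr()` on a runtime string also cannot be picked up for translation. Separately, both verify calls cast `cbCertSize` to `unsigned int`, so a buffer larger than `UINT_MAX` would be verified over a truncated length. I would reject that up front with `if (cbSize > UINT_MAX) return setError(VBOX_E_FILE_ERROR, tr("Certificate file is too large"));`. The hunk begins in the tail of `i_verifyManifestFile`, whose start is outside it.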
Index: /trunk/src/VBox/Runtime/Makefile.kmk
===================================================================
--- /trunk/src/VBox/Runtime/Makefile.kmk	(revision 50831)
+++ /trunk/src/VBox/Runtime/Makefile.kmk	(revision 50832)
@@ -282,4 +282,5 @@
 	common/checksum/sha512.cpp \
 	common/checksum/sha512str.cpp \
+	common/checksum/x509.cpp \
 	common/dbg/dbg.cpp \
 	common/dbg/dbgas.cpp \
