VirtualBox

Changeset 57581 in vbox


Timestamp:
Aug 29, 2015 12:07:06 AM (9 years ago)
Author:
vboxsync
Message:

UINetworkReply.cpp: Quick hack: Mark the ancient certificate as non-mandatory (what do we need it for anyway?) because it's not there on ElCapitan.

File:
1 edited

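--- a/trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp
+++ b/trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp
@@ -80,9 +80,11 @@
         uint16_t    cbEncoded;
         /** Gives the s_aCerts index this certificate is an alternative edition of,
-         * UINT16_MAX if no alternative.  This is a complication caused by VeriSign
+         * UINT8_MAX if no alternative.  This is a complication caused by VeriSign
          * reissuing certificates signed with md2WithRSAEncryption using
          * sha1WithRSAEncryption, since MD2 is comprimised.  (Public key unmodified.)
          * It has no practical meaning for the trusted root anchor use we put it to.  */
-        uint16_t    iAlternativeTo;
+        uint8_t     iAlternativeTo;
+        /** Set if mandatory. */
+        bool        fMandatory;
         /** The SHA-1 fingerprint (of the encoded data).   */
         uint8_t     abSha1[RTSHA1_HASH_SIZE];
@@ -112,5 +114,5 @@
     static int applyProxyRules(RTHTTP hHttp, const QString &strHostName, int iPort);
     static int applyRawHeaders(RTHTTP hHttp, const QList<QByteArray> &headers, const QNetworkRequest &request);
-    static uint64_t certAllFoundMask(void);
+    static bool allCertsFound(uint64_t fFoundCerts, bool fOnlyMandatory);
     static uint64_t certEntryFoundMask(uint32_t iCert);
     static bool checkCertificatesInFile(const char *pszCaCertFile);
@@ -143,4 +145,5 @@
 {
     /*[0] =*/   /* The reissued version with the SHA-1 signature. */
+/** @todo r=bird: Why do we need this certificate? Neither update.virtualbox.org nor www.virtualbox.org uses it...  ElCapitan doesn't ship this. */
     {
         /*.pszSubject =*/
@@ -148,4 +151,5 @@
         /*.cbEncoded      =*/   0x240,
         /*.iAlternativeTo =*/   1,
+        /*.fMandatory     =*/   false,
         /*.abSha1         =*/
         {
@@ -180,4 +184,5 @@
         /*.cbEncoded      =*/   0x240,
         /*.iAlternativeTo =*/   0,
+        /*.fMandatory     =*/   false,
         /*.abSha1         =*/
         {
@@ -205,5 +210,6 @@
         "CN=VeriSign Class 3 Public Primary Certification Authority - G5",
         /*.cbEncoded      =*/   0x4d7,
-        /*.iAlternativeTo =*/   UINT16_MAX,
+        /*.iAlternativeTo =*/   UINT8_MAX,
+        /*.fMandatory     =*/   true,
         /*.abSha1         =*/
         {
@@ -476,13 +482,26 @@
 
 /**
- * Calculates the 64-bit all-certs found mask.
+ * Checks if we've found all the necessary certificates or not.
  *
- * @returns 64-bit mask.
+ * @returns true if we have, false if we haven't.
+ * @param   fFoundCerts         The mask of found certificates (see
+ *                              certEntryFoundMask).
+ * @param   fOnlyMandatory      Only require mandatory certificates to be
+ *                              present.  If false, all certificates must be
+ *                              found before we return true.
  */
-/*static*/ uint64_t
-UINetworkReplyPrivateThread::certAllFoundMask()
+/*static*/ bool
+UINetworkReplyPrivateThread::allCertsFound(uint64_t fFoundCerts, bool fOnlyMandatory)
 {
     AssertCompile(RT_ELEMENTS(s_aCerts) < 64);
-    return RT_BIT_64(RT_ELEMENTS(s_aCerts)) - UINT64_C(1);
+
+    /* Add non-mandatory flags before comparing. */
+    if (   fOnlyMandatory
+        && fFoundCerts != RT_BIT_64(RT_ELEMENTS(s_aCerts)) - UINT64_C(1))
+        for (uint32_t i = 0; i < RT_ELEMENTS(s_aCerts); i++)
+            if (!s_aCerts[i].fMandatory)
+                fFoundCerts |= RT_BIT_64(i);
+
+    return fFoundCerts == RT_BIT_64(RT_ELEMENTS(s_aCerts)) - UINT64_C(1);
 }
 
@@ -503,6 +522,6 @@
      *         the public key once.
      */
-    uint16_t iAlt = s_aCerts[iCert].iAlternativeTo;
-    if (iAlt != UINT16_MAX)
+    uint8_t iAlt = s_aCerts[iCert].iAlternativeTo;
+    if (iAlt != UINT8_MAX)
     {
         unsigned cMax = 10;
@@ -582,5 +601,5 @@
          * Did we locate all of them?
          */
-        if (fFoundCerts == certAllFoundMask())
+        if (allCertsFound(fFoundCerts, true /* fOnlyMandatory */)) /** @todo combine the two certificate retrieval approaches */
             return true;
     }
@@ -635,5 +654,5 @@
                 }
             RTHttpFreeResponse(pvRootsZip);
-            if (fFoundCerts == certAllFoundMask())
+            if (allCertsFound(fFoundCerts, false /* fOnlyMandatory */))
                 break;
         }
@@ -643,5 +662,5 @@
      * Fallback: Try download certificates separately.
      */
-    if (fFoundCerts != certAllFoundMask())
+    if (allCertsFound(fFoundCerts, false /* fOnlyMandatory */))
         for (uint32_t i = 0; i < RT_ELEMENTS(s_aCerts); i++)
             if (!(fFoundCerts & RT_BIT_64(i)))
@@ -667,5 +686,5 @@
      * See if we've got the certificates we want, save it we do.
      */
-    if (fFoundCerts == certAllFoundMask())
+    if (allCertsFound(fFoundCerts, true /*fOnlyMandatory*/))
         rc = RTCrStoreCertExportAsPem(hStore, 0 /*fFlags*/, pszCaCertFile);
     else if (RT_SUCCESS(rc))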
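Review bot: The guard on the "Fallback: Try download certificates separately" block (new line 664) has lost its negation. The old test was `fFoundCerts != certAllFoundMask()`, but the new `if (allCertsFound(fFoundCerts, false /* fOnlyMandatory */))` enters the loop only when every certificate is already present, where the inner `!(fFoundCerts & RT_BIT_64(i))` test can never match. The per-certificate download therefore never runs for a missing root, and the trust anchors written to the CA file depend entirely on the earlier steps. It should read `if (!allCertsFound(fFoundCerts, false /* fOnlyMandatory */))`. The enclosing function starts and ends outside the hunk, so the loop body and the `else if (RT_SUCCESS(rc))` branch could not be checked for further fallout.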