Index: /trunk/include/iprt/crypto/pem.h =================================================================== --- /trunk/include/iprt/crypto/pem.h (revision 84229) +++ /trunk/include/iprt/crypto/pem.h (revision 84230) @@ -224,4 +224,7 @@ const void *pvContent, size_t cbContent, const char *pszMarker); +RTDECL(ssize_t) RTCrPemWriteBlobToVfsIoStrm(RTVFSIOSTREAM hVfsIos, const void *pvContent, size_t cbContent, const char *pszMarker); +RTDECL(ssize_t) RTCrPemWriteBlobToVfsFile(RTVFSFILE hVfsFile, const void *pvContent, size_t cbContent, const char *pszMarker); + /** * PEM formatter for a generic ASN.1 structure. Index: /trunk/include/iprt/crypto/pkcs7.h =================================================================== --- /trunk/include/iprt/crypto/pkcs7.h (revision 84229) +++ /trunk/include/iprt/crypto/pkcs7.h (revision 84230) @@ -561,5 +561,5 @@ * timestamp counter sigantures. */ #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT RT_BIT_32(1) -/** Only use signging time attributes from counter signatures. */ +/** Only use signing time attributes from counter signatures. */ #define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY RT_BIT_32(2) /** Don't validate the counter signature containing the signing time, just use @@ -584,6 +584,21 @@ /** @} */ + +/** @name RTCRPKCS7SIGN_SD_F_XXX - Flags for RTCrPkcs7SimpleSign. + * @{ */ +/** Detached data. */ +#define RTCRPKCS7SIGN_SD_F_DEATCHED RT_BIT_32(0) +/** No SMIME capabilities attribute. */ +#define RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP RT_BIT_32(1) +/** Valid flag mask. */ +#define RTCRPKCS7SIGN_SD_F_VALID_MASK UINT32_C(0x00000003) /** @} */ +RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey, + void const *pvData, size_t cbData, RTCRSTORE hAdditionalCerts, + void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo); + +/** @} */ + RT_C_DECLS_END Index: /trunk/include/iprt/crypto/store.h =================================================================== --- /trunk/include/iprt/crypto/store.h (revision 84229) +++ /trunk/include/iprt/crypto/store.h (revision 84230) @@ -310,6 +310,6 @@ RTDECL(int) RTCrStoreCertSearchDestroy(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch); -RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore); -RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack); +RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore, PRTERRINFO pErrInfo); +RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack, PRTERRINFO pErrInfo); Index: /trunk/include/iprt/mangling.h =================================================================== --- /trunk/include/iprt/mangling.h (revision 84229) +++ /trunk/include/iprt/mangling.h (revision 84230) @@ -3348,4 +3348,6 @@ # define RTCrPemReadFile RT_MANGLER(RTCrPemReadFile) # define RTCrPemWriteBlob RT_MANGLER(RTCrPemWriteBlob) +# define RTCrPemWriteBlobToVfsIoStrm RT_MANGLER(RTCrPemWriteBlobToVfsIoStrm) +# define RTCrPemWriteBlobToVfsFile RT_MANGLER(RTCrPemWriteBlobToVfsFile) # define RTCrPemWriteAsn1 RT_MANGLER(RTCrPemWriteAsn1) # define RTCrPemWriteAsn1ToVfsIoStrm RT_MANGLER(RTCrPemWriteAsn1ToVfsIoStrm) @@ -3411,4 +3413,5 @@ # define RTCrPkcs7SignerInfo_CheckSanity RT_MANGLER(RTCrPkcs7SignerInfo_CheckSanity) # define RTCrPkcs7SignerInfos_CheckSanity RT_MANGLER(RTCrPkcs7SignerInfos_CheckSanity) +# define RTCrPkcs7SimpleSignSignedData RT_MANGLER(RTCrPkcs7SimpleSignSignedData) # define RTCrPkcs7VerifyCertCallbackCodeSigning RT_MANGLER(RTCrPkcs7VerifyCertCallbackCodeSigning) # define RTCrPkcs7VerifyCertCallbackDefault RT_MANGLER(RTCrPkcs7VerifyCertCallbackDefault) Index: /trunk/src/VBox/Runtime/Makefile.kmk =================================================================== --- /trunk/src/VBox/Runtime/Makefile.kmk (revision 84229) +++ /trunk/src/VBox/Runtime/Makefile.kmk (revision 84230) @@ -399,4 +399,5 @@ common/crypto/pkcs7-init.cpp \ common/crypto/pkcs7-sanity.cpp \ + common/crypto/pkcs7-sign.cpp \ common/crypto/pkcs7-verify.cpp \ common/crypto/pkix-sign.cpp \ @@ -1684,5 +1685,4 @@ common/crypto/digest-core.cpp \ common/crypto/pemfile-read.cpp \ - common/crypto/pemfile-write.cpp \ common/crypto/pkcs7-asn1-decoder.cpp \ common/crypto/pkcs7-core.cpp \ Index: /trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp (revision 84230) @@ -34,4 +34,6 @@ # include # include +# include +# include # include "internal/iprt-openssl.h" @@ -64,11 +66,72 @@ -DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert) +DECLHIDDEN(int) rtCrOpenSslConvertX509Cert(void **ppvOsslCert, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo) { - int rc; - const unsigned char *pabEncoded = (const unsigned char *)RTASN1CORE_GET_RAW_ASN1_PTR(&pCert->SeqCore.Asn1Core); - uint32_t cbEncoded = RTASN1CORE_GET_RAW_ASN1_SIZE(&pCert->SeqCore.Asn1Core); - X509 *pOsslCert = NULL; - if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert) + const unsigned char *pabEncoded; + + /* + * ASSUME that if the certificate has data pointers, it's been parsed out + * of a binary blob and we can safely access that here. + */ + if (pCert->SeqCore.Asn1Core.uData.pv) + { + pabEncoded = (const unsigned char *)RTASN1CORE_GET_RAW_ASN1_PTR(&pCert->SeqCore.Asn1Core); + uint32_t cbEncoded = RTASN1CORE_GET_RAW_ASN1_SIZE(&pCert->SeqCore.Asn1Core); + X509 *pOsslCert = NULL; + if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert) + { + *ppvOsslCert = pOsslCert; + return VINF_SUCCESS; + } + } + /* + * Otherwise, we'll have to encode it into a temporary buffer that openssl + * can decode into its structures. + */ + else + { + PRTASN1CORE pNonConstCore = (PRTASN1CORE)&pCert->SeqCore.Asn1Core; + uint32_t cbEncoded = 0; + int rc = RTAsn1EncodePrepare(pNonConstCore, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo); + AssertRCReturn(rc, rc); + + void * const pvEncoded = RTMemTmpAllocZ(cbEncoded); + AssertReturn(pvEncoded, VERR_NO_TMP_MEMORY); + + rc = RTAsn1EncodeToBuffer(pNonConstCore, RTASN1ENCODE_F_DER, pvEncoded, cbEncoded, pErrInfo); + if (RT_SUCCESS(rc)) + { + pabEncoded = (const unsigned char *)pvEncoded; + X509 *pOsslCert = NULL; + if (d2i_X509(&pOsslCert, &pabEncoded, cbEncoded) == pOsslCert) + { + *ppvOsslCert = pOsslCert; + RTMemTmpFree(pvEncoded); + return VINF_SUCCESS; + } + } + else + { + RTMemTmpFree(pvEncoded); + return rc; + } + } + + *ppvOsslCert = NULL; + return RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509"); +} + + +DECLHIDDEN(void) rtCrOpenSslFreeConvertedX509Cert(void *pvOsslCert) +{ + X509_free((X509 *)pvOsslCert); +} + + +DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo) +{ + X509 *pOsslCert = NULL; + int rc = rtCrOpenSslConvertX509Cert((void **)&pOsslCert, pCert, pErrInfo); + if (RT_SUCCESS(rc)) { if (sk_X509_push((STACK_OF(X509) *)pvOsslStack, pOsslCert)) @@ -76,10 +139,8 @@ else { - rc = VERR_NO_MEMORY; - X509_free(pOsslCert); + rtCrOpenSslFreeConvertedX509Cert(pOsslCert); + rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "sk_X509_push"); } } - else - rc = VERR_CR_X509_OSSL_D2I_FAILED; return rc; } Index: /trunk/src/VBox/Runtime/common/crypto/key-openssl.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/key-openssl.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/key-openssl.cpp (revision 84230) @@ -60,6 +60,66 @@ * @param pErrInfo Where to optionally return more error details. */ -DECLHIDDEN(int) rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId, - void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo) +DECLHIDDEN(int) rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, void /*EVP_PKEY*/ **ppEvpKey, PRTERRINFO pErrInfo) +{ + *ppEvpKey = NULL; + AssertReturn(hKey->u32Magic == RTCRKEYINT_MAGIC, VERR_INVALID_HANDLE); + AssertReturn(fNeedPublic == !(hKey->fFlags & RTCRKEYINT_F_PRIVATE), VERR_WRONG_TYPE); + + rtCrOpenSslInit(); + + /* + * Translate the key type from IPRT to EVP speak. + */ + int idKeyType; + switch (hKey->enmType) + { + case RTCRKEYTYPE_RSA_PRIVATE: + case RTCRKEYTYPE_RSA_PUBLIC: + idKeyType = EVP_PKEY_RSA; + break; + default: + return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Unsupported key type: %d", hKey->enmType); + } + + /* + * Allocate a new key structure and set its type. + */ + EVP_PKEY *pEvpNewKey = EVP_PKEY_new(); + if (!pEvpNewKey) + return RTErrInfoSetF(pErrInfo, VERR_NO_MEMORY, "EVP_PKEY_new/%d failed", idKeyType); + + /* + * Load the key into the structure. + */ + const unsigned char *puchPublicKey = hKey->pbEncoded; + EVP_PKEY *pRet; + if (fNeedPublic) + *ppEvpKey = pRet = d2i_PublicKey(idKeyType, &pEvpNewKey, &puchPublicKey, hKey->cbEncoded); + else + *ppEvpKey = pRet = d2i_PrivateKey(idKeyType, &pEvpNewKey, &puchPublicKey, hKey->cbEncoded); + if (pRet) + return VINF_SUCCESS; + + /* Bail out: */ + EVP_PKEY_free(pEvpNewKey); + return RTErrInfoSet(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, + fNeedPublic ? "d2i_PublicKey failed" : "d2i_PrivateKey failed"); +} + + +/** + * Creates an OpenSSL key for the given IPRT one, returning the message digest + * algorithm if desired. + * + * @returns IRPT status code. + * @param hKey The key to convert to an OpenSSL key. + * @param fNeedPublic Set if we need the public side of the key. + * @param pszAlgoObjId Alogrithm stuff we currently need. + * @param ppEvpKey Where to return the pointer to the key structure. + * @param ppEvpMdType Where to optionally return the message digest type. + * @param pErrInfo Where to optionally return more error details. + */ +DECLHIDDEN(int) rtCrKeyToOpenSslKeyEx(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId, + void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo) { *ppEvpKey = NULL; Index: /trunk/src/VBox/Runtime/common/crypto/pemfile-write.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/pemfile-write.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/pemfile-write.cpp (revision 84230) @@ -110,4 +110,24 @@ cchRet += pfnOutput(pvUser, NULL, 0); + return cchRet; +} + + +RTDECL(ssize_t) RTCrPemWriteBlobToVfsIoStrm(RTVFSIOSTREAM hVfsIos, const void *pvContent, size_t cbContent, const char *pszMarker) +{ + VFSIOSTRMOUTBUF Buf; + VFSIOSTRMOUTBUF_INIT(&Buf, hVfsIos); + size_t cchRet = RTCrPemWriteBlob(RTVfsIoStrmStrOutputCallback, &Buf, pvContent, cbContent, pszMarker); + Assert(Buf.offBuf == 0); + return RT_SUCCESS(Buf.rc) ? (ssize_t)cchRet : Buf.rc; +} + + +RTDECL(ssize_t) RTCrPemWriteBlobToVfsFile(RTVFSFILE hVfsFile, const void *pvContent, size_t cbContent, const char *pszMarker) +{ + RTVFSIOSTREAM hVfsIos = RTVfsFileToIoStream(hVfsFile); + AssertReturn(hVfsIos != NIL_RTVFSIOSTREAM, VERR_INVALID_HANDLE); + ssize_t cchRet = RTCrPemWriteBlobToVfsIoStrm(hVfsIos, pvContent, cbContent, pszMarker); + RTVfsIoStrmRelease(hVfsIos); return cchRet; } @@ -236,2 +256,3 @@ } + Index: /trunk/src/VBox/Runtime/common/crypto/pkcs7-sign.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/pkcs7-sign.cpp (revision 84230) +++ /trunk/src/VBox/Runtime/common/crypto/pkcs7-sign.cpp (revision 84230) @@ -0,0 +1,187 @@ +/* $Id$ */ +/** @file + * IPRT - Crypto - PKCS \#7, Signing + */ + +/* + * Copyright (C) 2006-2020 Oracle Corporation + * + * This file is part of VirtualBox Open Source Edition (OSE), as + * available from http://www.virtualbox.org. This file is free software; + * you can redistribute it and/or modify it under the terms of the GNU + * General Public License (GPL) as published by the Free Software + * Foundation, in version 2 as it comes in the "COPYING" file of the + * VirtualBox OSE distribution. VirtualBox OSE is distributed in the + * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind. + * + * The contents of this file may alternatively be used under the terms + * of the Common Development and Distribution License Version 1.0 + * (CDDL) only, as it comes in the "COPYING.CDDL" file of the + * VirtualBox OSE distribution, in which case the provisions of the + * CDDL are applicable instead of those of the GPL. + * + * You may elect to license modified versions of this file under the + * terms and conditions of either the GPL or the CDDL or both. + */ + + +/********************************************************************************************************************************* +* Header Files * +*********************************************************************************************************************************/ +#include "internal/iprt.h" +#include + +#include +#include +#include +#include +#include +#include +#include + +#ifdef IPRT_WITH_OPENSSL +# include "internal/iprt-openssl.h" +# include +# include +# include +# include +#endif + + +/********************************************************************************************************************************* +* Structures and Typedefs * +*********************************************************************************************************************************/ +/** + * PKCS\#7 / CMS signing operation instance. + */ +typedef struct RTCRPKCS7SIGNINGJOBINT +{ + /** Magic value (RTCRPKCS7SIGNINGJOBINT). */ + uint32_t u32Magic; + /** Reference counter. */ + uint32_t volatile cRefs; + /** RTCRPKCS7SIGN_F_XXX. */ + uint64_t fFlags; + /** Set if finalized. */ + bool fFinallized; + + //.... +} RTCRPKCS7SIGNINGJOBINT; + +/** Magic value for RTCRPKCS7SIGNINGJOBINT (Jonathan Lethem). */ +#define RTCRPKCS7SIGNINGJOBINT_MAGIC UINT32_C(0x19640219) + +/** Handle to PKCS\#7/CMS signing operation. */ +typedef struct RTCRPKCS7SIGNINGJOBINT *RTCRPKCS7SIGNINGJOB; +/** Pointer to a PKCS\#7/CMS signing operation handle. */ +typedef RTCRPKCS7SIGNINGJOB *PRTCRPKCS7SIGNINGJOB; + +//// CMS_sign +//RTDECL(int) RTCrPkcs7Sign(PRTCRPKCS7SIGNINGJOB *phJob, uint64_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey, +// RTCRSTORE hAdditionalCerts, +// + + + +RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey, + void const *pvData, size_t cbData, RTCRSTORE hAdditionalCerts, + void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo) +{ + size_t const cbResultBuf = *pcbResult; + *pcbResult = 0; + AssertReturn(!(fFlags & ~RTCRPKCS7SIGN_SD_F_VALID_MASK), VERR_INVALID_FLAGS); +#if defined(IPRT_WITH_OPENSSL) && (OPENSSL_VERSION_NUMBER > 0x10000000L) /* 0.9.8 doesn't seem to have EVP_PKEY_CTX_set_signature_md. */ + AssertReturn((int)cbData >= 0 && (unsigned)cbData == cbData, VERR_TOO_MUCH_DATA); + + /* + * Convert the private key. + */ + EVP_PKEY *pEvpPrivateKey = NULL; + int rc = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, (void **)&pEvpPrivateKey, pErrInfo); + if (RT_SUCCESS(rc)) + { + /* + * Convert the signing certificate. + */ + X509 *pOsslSigner = NULL; + rc = rtCrOpenSslConvertX509Cert((void **)&pOsslSigner, pSigner, pErrInfo); + if (RT_SUCCESS(rc)) + { + /* + * Convert any additional certificates. + */ + STACK_OF(X509) *pOsslAdditionalCerts = NULL; + if (hAdditionalCerts != NIL_RTCRSTORE) + rc = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0 /*fFlags*/, (void **)&pOsslAdditionalCerts, pErrInfo); + if (RT_SUCCESS(rc)) + { + /* + * Create a BIO for the data buffer. + */ + BIO *pOsslData = BIO_new_mem_buf(pvData, (int)cbData); + if (pOsslData) + { + /* + * Do the signing. + */ + unsigned int fOsslSign = CMS_BINARY; + if (fFlags & RTCRPKCS7SIGN_SD_F_DEATCHED) + fOsslSign |= CMS_DETACHED; + if (fFlags & RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP) + fOsslSign |= CMS_NOSMIMECAP; + CMS_ContentInfo *pCms = CMS_sign(pOsslSigner, pEvpPrivateKey, pOsslAdditionalCerts, pOsslData, fOsslSign); + if (pCms) + { + /* + * Get the output and copy it into the result buffer. + */ + BIO *pOsslResult = BIO_new(BIO_s_mem()); + if (pOsslResult) + { + rc = i2d_CMS_bio(pOsslResult, pCms); + if (rc > 0) + { + BUF_MEM *pBuf = NULL; + rc = (int)BIO_get_mem_ptr(pOsslResult, &pBuf); + if (rc > 0) + { + AssertPtr(pBuf); + size_t const cbResult = pBuf->length; + if ( cbResultBuf >= cbResult + && pvResult != NULL) + { + memcpy(pvResult, pBuf->data, cbResult); + rc = VINF_SUCCESS; + } + else + rc = VERR_BUFFER_OVERFLOW; + *pcbResult = cbResult; + } + else + rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "BIO_get_mem_ptr"); + } + else + rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "i2d_CMS_bio"); + BIO_free(pOsslResult); + } + else + rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "BIO_new/BIO_s_mem"); + CMS_ContentInfo_free(pCms); + } + else + rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_sign"); + BIO_free(pOsslData); + } + } + rtCrOpenSslFreeConvertedX509Cert(pOsslSigner); + } + EVP_PKEY_free(pEvpPrivateKey); + } + return rc; +#else + RT_NOREF(fFlags, pSigner, hPrivateKey, pvData, cbData, hAdditionalCerts, pvResult, pErrInfo); + *pcbResult = 0; + return VERR_NOT_IMPLEMENTED; +#endif +} + Index: /trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (revision 84230) @@ -68,5 +68,5 @@ STACK_OF(X509) *pAddCerts = NULL; if (hAdditionalCerts != NIL_RTCRSTORE) - rcOssl = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0, (void **)&pAddCerts); + rcOssl = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0, (void **)&pAddCerts, pErrInfo); else { @@ -79,9 +79,9 @@ for (uint32_t i = 0; i < pCerts->cItems; i++) if (pCerts->papItems[i]->enmChoice == RTCRPKCS7CERTCHOICE_X509) - rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert); + rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert, NULL); X509_STORE *pTrustedCerts = NULL; if (hTrustedCerts != NIL_RTCRSTORE) - rcOssl = RTCrStoreConvertToOpenSslCertStore(hTrustedCerts, 0, (void **)&pTrustedCerts); + rcOssl = RTCrStoreConvertToOpenSslCertStore(hTrustedCerts, 0, (void **)&pTrustedCerts, pErrInfo); if (RT_SUCCESS(rcOssl)) { Index: /trunk/src/VBox/Runtime/common/crypto/pkix-sign.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/pkix-sign.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/pkix-sign.cpp (revision 84230) @@ -155,6 +155,6 @@ EVP_PKEY *pEvpPrivateKey = NULL; const EVP_MD *pEvpMdType = NULL; - int rcOssl = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, pszAlgObjId, - (void **)&pEvpPrivateKey, (const void **)&pEvpMdType, pErrInfo); + int rcOssl = rtCrKeyToOpenSslKeyEx(hPrivateKey, false /*fNeedPublic*/, pszAlgObjId, + (void **)&pEvpPrivateKey, (const void **)&pEvpMdType, pErrInfo); if (RT_SUCCESS(rcOssl)) { Index: /trunk/src/VBox/Runtime/common/crypto/pkix-verify.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/pkix-verify.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/pkix-verify.cpp (revision 84230) @@ -116,6 +116,6 @@ EVP_PKEY *pEvpPublicKey = NULL; const EVP_MD *pEvpMdType = NULL; - int rcOssl = rtCrKeyToOpenSslKey(hPublicKey, true /*fNeedPublic*/, pAlgorithm->szObjId, - (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo); + int rcOssl = rtCrKeyToOpenSslKeyEx(hPublicKey, true /*fNeedPublic*/, pAlgorithm->szObjId, + (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo); if (RT_SUCCESS(rcOssl)) { @@ -230,6 +230,6 @@ EVP_PKEY *pEvpPublicKey = NULL; const EVP_MD *pEvpMdType = NULL; - int rcOssl = rtCrKeyToOpenSslKey(hPublicKey, true /*fNeedPublic*/, pszAlgObjId, - (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo); + int rcOssl = rtCrKeyToOpenSslKeyEx(hPublicKey, true /*fNeedPublic*/, pszAlgObjId, + (void **)&pEvpPublicKey, (const void **)&pEvpMdType, pErrInfo); if (RT_SUCCESS(rcOssl)) { Index: /trunk/src/VBox/Runtime/common/crypto/store.cpp =================================================================== --- /trunk/src/VBox/Runtime/common/crypto/store.cpp (revision 84229) +++ /trunk/src/VBox/Runtime/common/crypto/store.cpp (revision 84230) @@ -318,6 +318,7 @@ */ -RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore) -{ +RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore, PRTERRINFO pErrInfo) +{ + RT_NOREF(pErrInfo); PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore; AssertPtrReturn(pThis, VERR_INVALID_HANDLE); @@ -372,6 +373,7 @@ -RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack) -{ +RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack, PRTERRINFO pErrInfo) +{ + RT_NOREF(pErrInfo); PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore; AssertPtrReturn(pThis, VERR_INVALID_HANDLE); Index: /trunk/src/VBox/Runtime/include/internal/iprt-openssl.h =================================================================== --- /trunk/src/VBox/Runtime/include/internal/iprt-openssl.h (revision 84229) +++ /trunk/src/VBox/Runtime/include/internal/iprt-openssl.h (revision 84230) @@ -39,8 +39,11 @@ DECLHIDDEN(void) rtCrOpenSslInit(void); DECLHIDDEN(int) rtCrOpenSslErrInfoCallback(const char *pach, size_t cch, void *pvUser); -DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert); +DECLHIDDEN(int) rtCrOpenSslConvertX509Cert(void **ppvOsslCert, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo); +DECLHIDDEN(void) rtCrOpenSslFreeConvertedX509Cert(void *pvOsslCert); +DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo); -DECLHIDDEN(int) rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId, - void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo); +DECLHIDDEN(int) rtCrKeyToOpenSslKey(RTCRKEY hKey, bool fNeedPublic, void /*EVP_PKEY*/ **ppEvpKey, PRTERRINFO pErrInfo); +DECLHIDDEN(int) rtCrKeyToOpenSslKeyEx(RTCRKEY hKey, bool fNeedPublic, const char *pszAlgoObjId, + void /*EVP_PKEY*/ **ppEvpKey, const void /*EVP_MD*/ **ppEvpMdType, PRTERRINFO pErrInfo); RT_C_DECLS_END Index: /trunk/src/libs/openssl-1.1.1g/Config.kmk =================================================================== --- /trunk/src/libs/openssl-1.1.1g/Config.kmk (revision 84229) +++ /trunk/src/libs/openssl-1.1.1g/Config.kmk (revision 84230) @@ -78,4 +78,5 @@ include/openssl/cmac.h=>cmac.h \ include/openssl/cms.h=>cms.h \ + include/openssl/cmserr.h=>cmserr.h \ include/openssl/comp.h=>comp.h \ include/openssl/comperr.h=>comperr.h \