certrust.c

来自「提供了很多种加密算法和CA认证及相关服务如CMP、OCSP等的开发」· C语言 代码 · 共 548 行 · 第 1/2 页

		return( NULL );

	/* Check to see whether something with the issuers DN is present */
	hashName( sHash, name, nameLength );
	while( trustInfoPtr != NULL )
		{
		if( !memcmp( trustInfoPtr->sHash, sHash, 20 ) )
			return( trustInfoPtr );
		trustInfoPtr = trustInfoPtr->next;
		}

	return( NULL );
	}

/* Get a trusted cert from the trust info.  To save having to instantiate 
   dozens of certs every time we start, we only instantiate them on demand */

static CRYPT_CERTIFICATE getTrustedCert( TRUST_INFO *trustInfoPtr )
	{
	MESSAGE_CREATEOBJECT_INFO createInfo;
	int status;

	/* If the cert has already been instantiated, return it */
	if( trustInfoPtr->iCryptCert != CRYPT_ERROR )
		return( trustInfoPtr->iCryptCert );

	/* Instantiate the cert */
	setMessageCreateObjectIndirectInfo( &createInfo, trustInfoPtr->certObject,
										trustInfoPtr->certObjectLength );
	status = krnlSendMessage( SYSTEM_OBJECT_HANDLE,
							  RESOURCE_IMESSAGE_DEV_CREATEOBJECT_INDIRECT,
							  &createInfo, OBJECT_TYPE_CERTIFICATE );
	assert( cryptStatusOK( status ) );
	if( cryptStatusError( status ) )
		return( CRYPT_ERROR );

	/* The cert was successfully instantiated, free its encoded form */
	zeroise( trustInfoPtr->certObject, trustInfoPtr->certObjectLength );
	free( trustInfoPtr->certObject );
	trustInfoPtr->certObject = NULL;
	trustInfoPtr->certObjectLength = 0;
	trustInfoPtr->iCryptCert = createInfo.cryptHandle;

	return( createInfo.cryptHandle );
	}

/* Initialise and shut down the trust information */

int initTrustInfo( void )
	{
	/* Initialise the trust information table */
	memset( trustInfoIndex, 0, sizeof( trustInfoIndex ) );

	return( CRYPT_OK );
	}

void endTrustInfo( void )
	{
	int i;

	enterMutex( MUTEX_TRUSTINFO );

	/* Destroy the chain of items at each table position */
	for( i = 0; i < 256; i++ )
		{
		TRUST_INFO *trustInfoPtr = trustInfoIndex[ i ];

		/* Destroy any items in the list */
		while( trustInfoPtr != NULL )
			{
			TRUST_INFO *itemToFree = trustInfoPtr;

			trustInfoPtr = trustInfoPtr->next;
			deleteTrustEntry( itemToFree );
			}
		}
	memset( trustInfoIndex, 0, sizeof( trustInfoIndex ) );

	exitMutex( MUTEX_TRUSTINFO );
	}

/* Check whether we have trust information present for the issuer of this
   cert.  If there's an entry, return the associated cert.  The 
   interpretation of what represents a "trusted cert" is somewhat complex
   and open-ended, it's not clear whether what's being trusted is the key
   in the cert, the cert, or the owner of the cert (corresponding to
   subjectKeyIdentifier, issuerAndSerialNumber, or subject DN).  The 
   generally accepted form is to trust the subject, so we check for this in
   the cert.  The modification for trusting the key in the cert or one 
   particular cert is fairly simple to make if required */

BOOLEAN checkCertTrusted( const CERT_INFO *certInfoPtr )
	{
	TRUST_INFO *trustInfoPtr;

	/* A non-cert can never be implicitly trusted */
	if( certInfoPtr->type != CRYPT_CERTTYPE_CERTIFICATE )
		return( FALSE );

	/* Check whether the cert is present in the trusted certs collection */
	enterMutex( MUTEX_TRUSTINFO );
	trustInfoPtr = findTrustEntry( certInfoPtr->subjectDNptr, 
								   certInfoPtr->subjectDNsize );

	exitMutex( MUTEX_TRUSTINFO );

	return( ( trustInfoPtr != NULL ) ? TRUE : FALSE );
	}

CRYPT_CERTIFICATE findTrustedCert( const void *dn, const int dnSize )
	{
	CRYPT_CERTIFICATE iCryptCert;
	TRUST_INFO *trustInfoPtr;

	enterMutex( MUTEX_TRUSTINFO );

	/* If there's no entry present, return an error */
	if( ( trustInfoPtr = findTrustEntry( dn, dnSize ) ) == NULL )
		{
		exitMutex( MUTEX_TRUSTINFO );
		return( CRYPT_ERROR );
		}

	/* Get the trusted cert from the trust info */
	iCryptCert = getTrustedCert( trustInfoPtr );

	exitMutex( MUTEX_TRUSTINFO );

	return( iCryptCert );
	}

/* Add trust information for a cert */

int addTrustInfo( const CERT_INFO *certInfoPtr )
	{
	int status;

	enterMutex( MUTEX_TRUSTINFO );

	/* Make sure that trust information for this cert isn't already present */
	if( findTrustEntry( certInfoPtr->subjectDNptr,
						certInfoPtr->subjectDNsize ) != NULL )
		{
		exitMutex( MUTEX_TRUSTINFO );
		return( CRYPT_ERROR_INITED );
		}

	status = addTrustEntry( certInfoPtr, NULL, 0 );
	exitMutex( MUTEX_TRUSTINFO );
	if( cryptStatusOK( status ) )
		/* Touch the config data to let the config subsystem know that a 
		   trust option has changed */
		touchConfigData( certInfoPtr->ownerHandle );
	return( status );
	}

/* Delete trust information for a cert */

int deleteTrustInfo( const CERT_INFO *certInfoPtr )
	{
	TRUST_INFO *entryToDelete;
	const int trustInfoPos = checksumName( certInfoPtr->subjectDNptr,
										   certInfoPtr->subjectDNsize );
	int status = CRYPT_OK;

	enterMutex( MUTEX_TRUSTINFO );

	/* Find the entry to delete and remove it */
	entryToDelete = findTrustEntry( certInfoPtr->subjectDNptr,
									certInfoPtr->subjectDNsize );
	if( entryToDelete == NULL )
		{
		exitMutex( MUTEX_TRUSTINFO );
		return( CRYPT_ERROR_NOTFOUND );
		}

	/* Delete the entry and touch the config data to let the config subsystem 
	   know that a trust option has changed */
	deleteTrustEntry( entryToDelete );
	touchConfigData( certInfoPtr->ownerHandle );

	exitMutex( MUTEX_TRUSTINFO );
	return( CRYPT_OK );
	}

/****************************************************************************
*																			*
*								Add/Get Trusted Certs						*
*																			*
****************************************************************************/

/* Add a trusted cert */

int setTrustedCert( void *certObject, const int certObjectLength )
	{
	int status;

	enterMutex( MUTEX_TRUSTINFO );
	status = addTrustEntry( NULL, certObject, certObjectLength );
	exitMutex( MUTEX_TRUSTINFO );
	return( status );
	}

/* Enumerate trusted certificates */

static CRYPT_CERTIFICATE getTrustedCertNext( void **statePtr, int *stateIndex )
	{
	TRUST_INFO *trustInfoPtr = ( TRUST_INFO * ) *statePtr;
	int trustInfoPos = *stateIndex;

	do
		{
		/* If there's nothing left in the current chain of entries, move on
		   to the next chain */
		if( trustInfoPtr == NULL && trustInfoPos < 255 )
			trustInfoPtr = trustInfoIndex[ ++trustInfoPos ];

		/* If there's an entry present, return it to the caller */
		if( trustInfoPtr != NULL )
			{
			const CRYPT_CERTIFICATE iCryptCert = \
								getTrustedCert( trustInfoPtr );

			/* Update the state and exit */
			*statePtr = trustInfoPtr->next;
			*stateIndex = trustInfoPos;
			return( iCryptCert );
			}
		}
	while( trustInfoPos < 255 );

	return( CRYPT_ERROR );
	}

CRYPT_CERTIFICATE getFirstTrustedCert( void **statePtr, int *stateIndex )
	{
	CRYPT_CERTIFICATE iCryptCert = CRYPT_ERROR;
	int trustInfoPos;

	/* Clear return value */
	*statePtr = NULL;
	*stateIndex = CRYPT_ERROR;

	enterMutex( MUTEX_TRUSTINFO );
	for( trustInfoPos = 0; trustInfoPos < 256; trustInfoPos++ )
		if( trustInfoIndex[ trustInfoPos ] != NULL )
			{
			/* Remember how far we got */
			*statePtr = trustInfoIndex[ trustInfoPos ];
			*stateIndex = trustInfoPos;

			/* Get the cert from the trust info.  If there's a problem, we
			   try for the next cert (there's not much we can do in terms of
			   error recovery) */
			iCryptCert = getTrustedCertNext( statePtr, stateIndex );
			if( iCryptCert != CRYPT_ERROR )
				break;
			}
	exitMutex( MUTEX_TRUSTINFO );

	return( iCryptCert );
	}

CRYPT_CERTIFICATE getNextTrustedCert( void **statePtr, int *stateIndex )
	{
	CRYPT_CERTIFICATE iCryptCert;

	enterMutex( MUTEX_TRUSTINFO );
	iCryptCert = getTrustedCertNext( statePtr, stateIndex );
	exitMutex( MUTEX_TRUSTINFO );

	return( iCryptCert );
	}