certrust.c

老外写的加密库cryptlib(版本3.1)

				/* We've found the OID (with 1.1e-12 error probability), skip
				   the critical flag if necessary */
				if( extensionPtr[ i ] == BER_BOOLEAN )
					i += 3;

				/* Check for the OCTET STRING and a reasonable length */
				if( extensionPtr[ i++ ] != BER_OCTETSTRING || \
					extensionPtr[ i ] & 0x80 )
					continue;

				/* Extract the key ID */
				if( i + extensionPtr[ i ] <= extensionSize )
					{
					subjectKeyIDsize = extensionPtr[ i++ ];
					subjectKeyIDptr = extensionPtr + i;
					}
				}

			/* Generate the checksum and hash of the encoded cert's subject 
			   name and key ID */
			newElement->sCheck = checksumData( subjectDNptr, subjectDNsize );
			hashData( newElement->sHash, subjectDNptr, subjectDNsize );
			newElement->kCheck = checksumData( subjectKeyIDptr, subjectKeyIDsize );
			hashData( newElement->kHash, subjectKeyIDptr, subjectKeyIDsize );
			}

		/* Remember the trusted cert for later use */
		if( ( newElement->certObject = clAlloc( "addEntry", 
												objectLength ) ) == NULL )
			{
			clFree( "addEntry", newElement );
			if( recreateCert )
				dynDestroy( &certDB );
			return( CRYPT_ERROR_MEMORY );
			}
		memcpy( newElement->certObject, certObject, objectLength );
		newElement->certObjectLength = objectLength;
		newElement->iCryptCert = CRYPT_ERROR;

		/* Clean up */
		if( recreateCert )
			dynDestroy( &certDB );
		}
	else
		{
		/* The trusted key exists as a context, remember it for later */
		krnlSendNotifier( iCryptContext, IMESSAGE_INCREFCOUNT );
		newElement->iCryptCert = iCryptContext;
		}

	/* Add it to the list */
	trustInfoEntry = newElement->sCheck & ( TRUSTINFO_SIZE - 1 );
	if( trustInfoIndex[ trustInfoEntry ] == NULL )
		trustInfoIndex[ trustInfoEntry ] = newElement;
	else
		{
		TRUST_INFO *trustInfoCursor;

		/* Add the new element to the end of the list */
		for( trustInfoCursor = trustInfoIndex[ trustInfoEntry ];
			 trustInfoCursor->next != NULL; 
			 trustInfoCursor = trustInfoCursor->next );
		trustInfoCursor->next = newElement;
		}

	return( CRYPT_OK );
	}

int addTrustEntry( void *trustInfoPtr, const CRYPT_CERTIFICATE iCryptCert, 
				   const void *certObject, const int certObjectLength, 
				   const BOOLEAN addSingleCert )
	{
	BOOLEAN seenNonDuplicate = FALSE;
	int status;

	assert( ( checkHandleRange( iCryptCert ) && certObject == NULL ) || \
			( iCryptCert == CRYPT_UNUSED && certObject != NULL ) );

	/* If we're adding encoded data, we can add it directly */
	if( certObject != NULL )
		return( addEntry( trustInfoPtr, CRYPT_UNUSED, certObject, 
						  certObjectLength ) );

	/* Make the cert/each cert in the trust list trusted */
	status = krnlSendMessage( iCryptCert, IMESSAGE_SETATTRIBUTE,
							  MESSAGE_VALUE_TRUE, CRYPT_IATTRIBUTE_LOCKED );
	if( cryptStatusError( status ) )
		return( status );
	if( !addSingleCert )
		/* It's a trust list, move to the start of the list */
		krnlSendMessage( iCryptCert, IMESSAGE_SETATTRIBUTE,
						 MESSAGE_VALUE_CURSORFIRST,
						 CRYPT_CERTINFO_CURRENT_CERTIFICATE );
	do
		{
		/* Add the certificate info if it's not already present */
		if( findTrustEntry( trustInfoPtr, iCryptCert, FALSE ) == NULL )
			{
			seenNonDuplicate = TRUE;
			status = addEntry( trustInfoPtr, iCryptCert, NULL, 0 );
			}
		}
	while( cryptStatusOK( status ) && !addSingleCert && \
		   krnlSendMessage( iCryptCert, IMESSAGE_SETATTRIBUTE,
							MESSAGE_VALUE_CURSORNEXT,
							CRYPT_CERTINFO_CURRENT_CERTIFICATE ) == CRYPT_OK );
	krnlSendMessage( iCryptCert, IMESSAGE_SETATTRIBUTE, 
					 MESSAGE_VALUE_FALSE, CRYPT_IATTRIBUTE_LOCKED );
	if( cryptStatusOK( status ) && !seenNonDuplicate )
		/* There were no new certs to add present, return an inited error */
		status = CRYPT_ERROR_INITED;
	
	return( status );
	}

void deleteTrustEntry( void *trustInfoPtr, void *trustEntry )
	{
	TRUST_INFO **trustInfoIndex = ( TRUST_INFO ** ) trustInfoPtr;
	TRUST_INFO *entryToDelete = ( TRUST_INFO * ) trustEntry, *prevInfoPtr;
	const int trustInfoEntry = entryToDelete->sCheck & ( TRUSTINFO_SIZE - 1 );

	assert( trustInfoIndex[ trustInfoEntry ] != NULL );

	/* Unlink the trust info index */
	prevInfoPtr = trustInfoIndex[ trustInfoEntry ];
	if( prevInfoPtr == entryToDelete )
		/* Unlink from the start of the list */
		trustInfoIndex[ trustInfoEntry ] = entryToDelete->next;
	else
		{
		/* Unlink from the middle/end of the list */
		while( prevInfoPtr->next != entryToDelete )
			prevInfoPtr = prevInfoPtr->next;
		prevInfoPtr->next = entryToDelete->next;
		}

	/* Free the trust info entry */
	if( entryToDelete->iCryptCert != CRYPT_ERROR )
		krnlSendNotifier( entryToDelete->iCryptCert, IMESSAGE_DECREFCOUNT );
	if( entryToDelete->certObject != NULL )
		{
		zeroise( entryToDelete->certObject, entryToDelete->certObjectLength );
		clFree( "deleteTrustEntry", entryToDelete->certObject );
		}
	memset( entryToDelete, 0, sizeof( TRUST_INFO ) );
	clFree( "deleteTrustEntry", entryToDelete );
	}

/* Retrieve trusted certificates */

CRYPT_CERTIFICATE getTrustedCert( void *trustInfoPtr )
	{
	TRUST_INFO *trustInfo = trustInfoPtr;
	MESSAGE_CREATEOBJECT_INFO createInfo;
	int status;

	/* If the cert has already been instantiated, return it */
	if( trustInfo->iCryptCert != CRYPT_ERROR )
		return( trustInfo->iCryptCert );

	/* Instantiate the cert */
	setMessageCreateObjectIndirectInfo( &createInfo, trustInfo->certObject,
										trustInfo->certObjectLength,
										CRYPT_CERTTYPE_CERTIFICATE );
	status = krnlSendMessage( SYSTEM_OBJECT_HANDLE,
							  IMESSAGE_DEV_CREATEOBJECT_INDIRECT,
							  &createInfo, OBJECT_TYPE_CERTIFICATE );
	assert( cryptStatusOK( status ) );
	if( cryptStatusError( status ) )
		return( status );

	/* The cert was successfully instantiated, free its encoded form */
	zeroise( trustInfo->certObject, trustInfo->certObjectLength );
	clFree( "getTrustedCert", trustInfo->certObject );
	trustInfo->certObject = NULL;
	trustInfo->certObjectLength = 0;
	trustInfo->iCryptCert = createInfo.cryptHandle;

	return( createInfo.cryptHandle );
	}

int enumTrustedCerts( void *trustInfoPtr, const CRYPT_CERTIFICATE iCryptCtl, 
					  const CRYPT_KEYSET iCryptKeyset )
	{
	TRUST_INFO **trustInfoIndex = ( TRUST_INFO ** ) trustInfoPtr;
	int i;

	assert( iCryptCtl == CRYPT_UNUSED || iCryptKeyset == CRYPT_UNUSED );

	/* If there's no destination for the trusted certs supplied, it's a 
	   presence check only */
	if( iCryptCtl == CRYPT_UNUSED && iCryptKeyset == CRYPT_UNUSED )
		{
		for( i = 0; i < TRUSTINFO_SIZE; i++ )
			if( trustInfoIndex[ i ] != NULL )
				return( CRYPT_OK );

		return( CRYPT_ERROR_NOTFOUND );
		}

	for( i = 0; i < TRUSTINFO_SIZE; i++ )
		{
		TRUST_INFO *trustInfoCursor;

		for( trustInfoCursor = trustInfoIndex[ i ]; trustInfoCursor != NULL; \
			 trustInfoCursor = trustInfoCursor->next )	
			{
			const CRYPT_CERTIFICATE iCryptCert = \
								getTrustedCert( trustInfoCursor );
			int status;

			if( cryptStatusError( iCryptCert ) )
				return( iCryptCert );
			if( iCryptCtl != CRYPT_UNUSED )
				{
				/* We're sending trusted certs to a cert trust list */
				status = krnlSendMessage( iCryptCtl, IMESSAGE_SETATTRIBUTE,
										  ( void * ) &iCryptCert,
										  CRYPT_IATTRIBUTE_CERTCOLLECTION );
				if( cryptStatusError( status ) )
					return( status );
				}
			else
				{
				MESSAGE_KEYMGMT_INFO setkeyInfo;

				/* We're sending trusted certs to a keyset */
				setMessageKeymgmtInfo( &setkeyInfo, CRYPT_KEYID_NONE, NULL, 0,
									   NULL, 0, KEYMGMT_FLAG_NONE );
				setkeyInfo.cryptHandle = iCryptCert;
				status = krnlSendMessage( iCryptKeyset, IMESSAGE_KEY_SETKEY, 
										  &setkeyInfo, 
										  KEYMGMT_ITEM_PUBLICKEY );
				}
			if( cryptStatusError( status ) )
				return( status );
			}
		}
	
	return( CRYPT_OK );
	}

/* Initialise and shut down the trust information */

int initTrustInfo( void **trustInfoPtrPtr )
	{
	TRUST_INFO *trustInfoIndex;

	/* Initialise the trust information table */
	if( ( trustInfoIndex = \
			clAlloc( "initTrustInfo", TRUSTINFO_SIZE * \
									  sizeof( TRUST_INFO * ) ) ) == NULL )
		return( CRYPT_ERROR_MEMORY );
	memset( trustInfoIndex, 0, TRUSTINFO_SIZE * sizeof( TRUST_INFO * ) );
	*trustInfoPtrPtr = trustInfoIndex;
	return( CRYPT_OK );
	}

void endTrustInfo( void *trustInfoPtr )
	{
	TRUST_INFO **trustInfoIndex = ( TRUST_INFO ** ) trustInfoPtr;
	int i;

	if( trustInfoIndex == NULL )
		return;

	/* Destroy the chain of items at each table position */
	for( i = 0; i < TRUSTINFO_SIZE; i++ )
		{
		TRUST_INFO *trustInfoCursor = trustInfoIndex[ i ];

		/* Destroy any items in the list */
		while( trustInfoCursor != NULL )
			{
			TRUST_INFO *itemToFree = trustInfoCursor;

			trustInfoCursor = trustInfoCursor->next;
			deleteTrustEntry( trustInfoIndex, itemToFree );
			}
		}
	memset( trustInfoIndex, 0, TRUSTINFO_SIZE * sizeof( TRUST_INFO * ) );
	clFree( "endTrustInfo", trustInfoIndex );
	}