📄 ca_misc.c
字号:
/****************************************************************************
* *
* cryptlib DBMS CA Cert Misc Interface *
* Copyright Peter Gutmann 1996-2004 *
* *
****************************************************************************/
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#if defined( INC_ALL )
#include "crypt.h"
#include "keyset.h"
#include "dbms.h"
#include "asn1.h"
#include "rpc.h"
#elif defined( INC_CHILD )
#include "../crypt.h"
#include "../keyset/keyset.h"
#include "../keyset/dbms.h"
#include "../misc/asn1.h"
#include "../misc/rpc.h"
#else
#include "crypt.h"
#include "keyset/keyset.h"
#include "keyset/dbms.h"
#include "misc/asn1.h"
#include "misc/rpc.h"
#endif /* Compiler-specific includes */
#ifdef USE_DBMS
/****************************************************************************
* *
* Utility Functions *
* *
****************************************************************************/
#if 0
/* Get the ultimate successor cert for one that's been superseded */
static int getSuccessorCert( DBMS_INFO *dbmsInfo,
CRYPT_CERTIFICATE *iCertificate,
const char *initialCertID )
{
char certID[ DBXKEYID_BUFFER_SIZE ];
int status;
/* Walk through the chain of renewals in the cert log until we find the
ultimate successor cert to the current one */
strcpy( certID, initialCertID );
do
{
BYTE keyCertID[ DBXKEYID_SIZE + BASE64_OVFL_SIZE ];
char certData[ MAX_QUERY_RESULT_SIZE ];
int certDataLength, length, dummy;
/* Find the request to renew this certificate */
status = dbmsQuery(
"SELECT certID FROM certLog WHERE subjCertID = ? "
"AND action = " TEXT_CERTACTION_REQUEST_RENEWAL,
certData, &certDataLength, certID,
strlen( certID ), 0, DBMS_CACHEDQUERY_NONE,
DBMS_QUERY_NORMAL );
if( cryptStatusError( status ) )
return( status );
/* Find the resulting certificate */
memcpy( certID, certData,
min( certDataLength, MAX_ENCODED_DBXKEYID_SIZE + 1 ) );
certID[ MAX_ENCODED_DBXKEYID_SIZE ] = '\0';
status = dbmsQuery(
"SELECT certID FROM certLog WHERE reqCertID = ? "
"AND action = " TEXT_CERTACTION_CERT_CREATION,
certData, &certDataLength, certID,
strlen( certID ), 0, DBMS_CACHEDQUERY_NONE,
DBMS_QUERY_NORMAL );
if( cryptStatusOK( status ) )
{
status = length = \
base64decode( keyCertID, certData,
min( certDataLength, MAX_ENCODED_DBXKEYID_SIZE ),
CRYPT_CERTFORMAT_NONE );
assert( !cryptStatusError( status ) );
}
if( cryptStatusError( status ) )
return( status );
/* Try and get the replacement cert */
status = getItemData( dbmsInfo, iCertificate, &dummy,
getKeyName( CRYPT_IKEYID_CERTID ),
keyCertID, length, KEYMGMT_ITEM_PUBLICKEY,
KEYMGMT_FLAG_NONE );
}
while( status == CRYPT_ERROR_NOTFOUND );
return( status );
}
#endif /* 0 */
/* Get the PKI user that originally authorised the issuance of a cert. This
can involve chaining back through multiple generations of certificates,
for example to check authorisation on a revocation request we might have
to go through:
rev_req: get reqCertID = update_req
update_req: get reqCertID = cert_req
cert_req: get reqCertID = init_req
init_req: get reqCertID = pki_user */
static int getIssuingUser( DBMS_INFO *dbmsInfo, CRYPT_CERTIFICATE *iPkiUser,
const char *initialCertID,
const int initialCertIDlength )
{
char certID[ DBXKEYID_BUFFER_SIZE ];
int certIDlength, chainingLevel, dummy, status;
/* Walk through the chain of updates in the cert log until we find the
PKI user that authorised the first cert issue */
memcpy( certID, initialCertID, initialCertIDlength );
certIDlength = initialCertIDlength;
for( chainingLevel = 0; chainingLevel < 25; chainingLevel++ )
{
char certData[ MAX_QUERY_RESULT_SIZE ];
int certDataLength;
/* Find out whether this is a PKI user. The comparison for the
action type is a bit odd since some back-ends will return the
action as text and some as a binary numeric value. Rather than
relying on the back-end glue code to perform the appropriate
conversion we just check for either value type */
status = dbmsQuery(
"SELECT action FROM certLog WHERE certID = ?",
certData, &certDataLength, certID, certIDlength,
0, DBMS_CACHEDQUERY_NONE, DBMS_QUERY_NORMAL );
if( cryptStatusError( status ) )
return( status );
if( certData[ 0 ] == CRYPT_CERTACTION_ADDUSER || \
certData[ 0 ] == TEXTCH_CERTACTION_ADDUSER )
/* We've found the PKI user, we're done */
break;
/* Find the certificate that was issued, recorded either as a
CERTACTION_CERT_CREATION for a multi-phase CMP-based cert
creation or a CERTACTION_ISSUE_CERT for a one-step creation */
status = dbmsQuery(
"SELECT reqCertID FROM certLog WHERE certID = ?",
certData, &certDataLength, certID, certIDlength,
0, DBMS_CACHEDQUERY_NONE, DBMS_QUERY_NORMAL );
if( cryptStatusError( status ) )
return( status );
certIDlength = min( certDataLength, MAX_ENCODED_DBXKEYID_SIZE );
memcpy( certID, certData, certIDlength );
/* Find the request to issue this certificate. For a CMP-based issue
this will have an authorising object (found in the next iteration
through the loop), for a one-step issue it won't */
status = dbmsQuery(
"SELECT reqCertID FROM certLog WHERE certID = ?",
certData, &certDataLength, certID, certIDlength,
0, DBMS_CACHEDQUERY_NONE, DBMS_QUERY_NORMAL );
if( cryptStatusError( status ) )
return( status );
certIDlength = min( certDataLength, MAX_ENCODED_DBXKEYID_SIZE );
memcpy( certID, certData, certIDlength );
}
/* If we've chained through too many entries, bail out */
if( chainingLevel >= 25 )
return( CRYPT_ERROR_OVERFLOW );
/* We've found the original PKI user, get the user info */
return( getItemData( dbmsInfo, iPkiUser, &dummy, CRYPT_IKEYID_CERTID,
certID, certIDlength, KEYMGMT_ITEM_PKIUSER,
KEYMGMT_FLAG_NONE ) );
}
/* Get a partially-issued certificate. We have to perform the import
ourselves since it's marked as an incompletely-issued cert and so is
invisible to access via the standard cert fetch routines */
static int getNextPartialCert( DBMS_INFO *dbmsInfo,
CRYPT_CERTIFICATE *iCertificate,
BYTE *prevCertData, const BOOLEAN isRenewal )
{
MESSAGE_CREATEOBJECT_INFO createInfo;
BYTE certificate[ MAX_QUERY_RESULT_SIZE ];
char encodedCertData[ MAX_QUERY_RESULT_SIZE ];
void *certPtr = hasBinaryBlobs( dbmsInfo ) ? \
( void * ) certificate : encodedCertData;
int certSize, status; /* Cast needed for gcc */
*iCertificate = CRYPT_ERROR;
/* Find the next cert and import it. Although this would appear to be
fetching the same cert over and over again, the caller will be
deleting the currently-fetched cert after we return it to them, so
in practice it fetches a new cert each time */
status = dbmsQuery( isRenewal ? \
"SELECT certData FROM certificates WHERE keyID LIKE '" KEYID_ESC2 "%'" : \
"SELECT certData FROM certificates WHERE keyID LIKE '" KEYID_ESC1 "%'",
certPtr, &certSize, NULL, 0, 0,
DBMS_CACHEDQUERY_NONE, DBMS_QUERY_NORMAL );
if( cryptStatusError( status ) )
return( status );
if( !hasBinaryBlobs( dbmsInfo ) )
{
certSize = base64decode( certificate, MAX_CERT_SIZE,
encodedCertData, certSize,
CRYPT_CERTFORMAT_NONE );
if( cryptStatusError( certSize ) )
{
assert( NOTREACHED );
return( certSize );
}
}
/* If we're stuck in a loop fetching the same value over and over, make
an emergency exit */
if( !memcmp( prevCertData, certificate, 128 ) )
{
assert( NOTREACHED );
return( CRYPT_ERROR_DUPLICATE );
}
memcpy( prevCertData, certificate, 128 );
/* Reset the first byte of the cert data from the not-present magic
value to allow it to be imported and create a certificate from it */
certificate[ 0 ] = BER_SEQUENCE;
setMessageCreateObjectIndirectInfo( &createInfo, certificate, certSize,
CRYPT_CERTTYPE_CERTIFICATE );
status = krnlSendMessage( SYSTEM_OBJECT_HANDLE,
IMESSAGE_DEV_CREATEOBJECT_INDIRECT,
&createInfo, OBJECT_TYPE_CERTIFICATE );
if( cryptStatusOK( status ) )
*iCertificate = createInfo.cryptHandle;
return( status );
}
/****************************************************************************
* *
* Logging Functions *
* *
****************************************************************************/
/* Add an entry to the CA log */
int updateCertLog( DBMS_INFO *dbmsInfo, const int action, const char *certID,
const char *reqCertID, const char *subjCertID,
const void *data, const int dataLength,
const DBMS_UPDATE_TYPE updateType )
{
char sqlFormatBuffer[ MAX_SQL_QUERY_SIZE ];
char sqlBuffer[ MAX_SQL_QUERY_SIZE ], actionString[ 5 ];
char certIDbuffer[ DBXKEYID_BUFFER_SIZE ];
char encodedCertData[ MAX_ENCODED_CERT_SIZE ];
char *certIDptr = ( char * ) certID;
const void *dataPtr = data;
const void *param1ptr, *param2ptr = "", *param3ptr = "";
const time_t boundDate = getApproxTime();
int dataPtrLength = dataLength;
/* Build up the necessary SQL format string required to insert the log
entry. This is complicated somewhat by the fact that some of the
values may be NULL, so we have to insert them by naming the columns
(some databases allow the use of the DEFAULT keyword but this isn't
standardised enough to be safe) */
strcpy( sqlFormatBuffer,
"INSERT INTO certLog (action, actionTime, certID" );
if( reqCertID != NULL )
strcat( sqlFormatBuffer, ", reqCertID" );
if( subjCertID != NULL )
strcat( sqlFormatBuffer, ", subjCertID" );
if( data != NULL )
strcat( sqlFormatBuffer, ", certData" );
strcat( sqlFormatBuffer, ") VALUES ($, ?, '$'" );
if( reqCertID != NULL )
strcat( sqlFormatBuffer, ", '$'" );
if( subjCertID != NULL )
strcat( sqlFormatBuffer, ", '$'" );
if( data != NULL )
strcat( sqlFormatBuffer, hasBinaryBlobs( dbmsInfo ) ? ", ?" : ", '$'" );
strcat( sqlFormatBuffer, ")" );
/* Set up the appropriate parameter pointers to build the SQL command */
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -