📄 dbx_wr.c
字号:
encKeyID, msgData.length );
if( cryptStatusOK( status ) )
status = makeKeyID( certIdData->keyID, ENCODED_DBXKEYID_SIZE,
&certIdData->keyIDlength, CRYPT_IKEYID_KEYID,
binaryKeyID, binaryKeyIDlength );
if( cryptStatusOK( status ) )
status = getKeyID( certIdData->nameID, ENCODED_DBXKEYID_SIZE,
&certIdData->nameIDlength, iCryptHandle,
CRYPT_IATTRIBUTE_SUBJECT );
return( status );
}
return( CRYPT_OK );
}
/* Extract certificate identification data from a CRL */
CHECK_RETVAL STDC_NONNULL_ARG( ( 3 ) ) \
static int extractCrlIdData( IN_HANDLE const CRYPT_CERTIFICATE iCryptCRL,
IN_HANDLE_OPT \
const CRYPT_CERTIFICATE iCryptRevokeCert,
OUT CERT_ID_DATA *crlIdData )
{
int status;
assert( isWritePtr( crlIdData, sizeof( CERT_ID_DATA ) ) );
REQUIRES( isHandleRangeValid( iCryptCRL ) );
REQUIRES( iCryptRevokeCert == CRYPT_UNUSED || \
isHandleRangeValid( iCryptRevokeCert ) );
/* Clear return value */
memset( crlIdData, 0, sizeof( CERT_ID_DATA ) );
/* Get general ID information */
status = getKeyID( crlIdData->issuerID, ENCODED_DBXKEYID_SIZE,
&crlIdData->issuerIDlength, iCryptCRL,
CRYPT_IATTRIBUTE_ISSUERANDSERIALNUMBER );
if( cryptStatusError( status ) )
return( status );
/* If there's no certificate being revoked present (i.e. we're just
adding a set of CRL entries), we're done */
if( iCryptRevokeCert == CRYPT_UNUSED )
return( CRYPT_OK );
/* Get the certificate ID and the name ID of the issuer from the
certificate being revoked */
status = getKeyID( crlIdData->certID, ENCODED_DBXKEYID_SIZE,
&crlIdData->certIDlength, iCryptRevokeCert,
CRYPT_CERTINFO_FINGERPRINT_SHA );
if( cryptStatusOK( status ) )
status = getKeyID( crlIdData->nameID, ENCODED_DBXKEYID_SIZE,
&crlIdData->nameIDlength, iCryptRevokeCert,
CRYPT_IATTRIBUTE_ISSUER );
return( status );
}
/****************************************************************************
* *
* Database Add Routines *
* *
****************************************************************************/
/* Add a certificate object (certificate, certificate request, PKI user) to
a certificate store. Normally existing rows would be overwritten if we
added duplicate entries but the UNIQUE constraint on the indices will
catch this */
CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 6 ) ) \
int addCert( INOUT DBMS_INFO *dbmsInfo,
IN_HANDLE const CRYPT_HANDLE iCryptHandle,
IN_ENUM( CRYPT_CERTTYPE ) const CRYPT_CERTTYPE_TYPE certType,
IN_ENUM( CERTADD ) const CERTADD_TYPE addType,
IN_ENUM( DBMS_UPDATE ) const DBMS_UPDATE_TYPE updateType,
INOUT ERROR_INFO *errorInfo )
{
MESSAGE_DATA msgData;
BOUND_DATA boundData[ BOUND_DATA_MAXITEMS ], *boundDataPtr = boundData;
CERT_ID_DATA certIdData;
BYTE certData[ MAX_CERT_SIZE + 8 ];
char encodedCertData[ MAX_ENCODED_CERT_SIZE + 8 ];
const char *sqlString;
time_t boundDate;
int certDataLength = DUMMY_INIT, boundDataIndex, status;
assert( isWritePtr( dbmsInfo, sizeof( DBMS_INFO ) ) );
REQUIRES( isHandleRangeValid( iCryptHandle ) );
REQUIRES( certType == CRYPT_CERTTYPE_CERTIFICATE || \
certType == CRYPT_CERTTYPE_REQUEST_CERT || \
certType == CRYPT_CERTTYPE_PKIUSER );
REQUIRES( addType > CERTADD_NONE && addType < CERTADD_LAST );
REQUIRES( updateType > DBMS_UPDATE_NONE && \
updateType < DBMS_UPDATE_LAST );
REQUIRES( errorInfo != NULL );
/* Extract name-related information from the certificate */
status = extractCertNameData( iCryptHandle, certType, &certIdData );
if( ( cryptStatusOK( status ) || status == CRYPT_ERROR_NOTFOUND ) && \
( certType == CRYPT_CERTTYPE_CERTIFICATE ) )
{
setMessageData( &msgData, &boundDate, sizeof( time_t ) );
status = krnlSendMessage( iCryptHandle, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_CERTINFO_VALIDTO );
}
else
{
if( status == CRYPT_ERROR_NOTFOUND )
status = CRYPT_OK;
}
if( cryptStatusError( status ) )
{
/* Convert any low-level certificate-specific error into something
generic that makes a bit more sense to the caller */
retExtArg( CRYPT_ARGERROR_NUM1,
( CRYPT_ARGERROR_NUM1, errorInfo,
"Couldn't extract user identification information "
"from certificate" ) );
}
/* Get the ID information and certificate data from the certificate */
status = extractCertIdData( iCryptHandle, certType, &certIdData );
if( cryptStatusOK( status ) )
{
status = extractCertData( iCryptHandle,
( certType == CRYPT_CERTTYPE_PKIUSER ) ? \
CRYPT_ICERTFORMAT_DATA : \
CRYPT_CERTFORMAT_CERTIFICATE,
certData, MAX_CERT_SIZE, &certDataLength );
}
if( cryptStatusError( status ) )
{
/* Convert any low-level certificate-specific error into something
generic that makes a bit more sense to the caller */
retExtArg( CRYPT_ARGERROR_NUM1,
( CRYPT_ARGERROR_NUM1, errorInfo,
"Couldn't extract certificate data from "
"certificate" ) );
}
/* If this is a partial add (in which we add a certificate item which is
in the initial stages of the creation process so that although the
item may be physically present in the store it can't be accessed
directly) we set the first byte to 0xFF to indicate this. In
addition we set the first two bytes of the IDs that have uniqueness
constraints to an out-of-band value to prevent a clash with the
finished entry when we complete the issue process and replace the
partial version with the full version */
if( addType == CERTADD_PARTIAL || addType == CERTADD_PARTIAL_RENEWAL )
{
const char *escapeStr = ( addType == CERTADD_PARTIAL ) ? \
KEYID_ESC1 : KEYID_ESC2;
certData[ 0 ] = 0xFF;
memcpy( certIdData.issuerID, escapeStr, KEYID_ESC_SIZE );
memcpy( certIdData.keyID, escapeStr, KEYID_ESC_SIZE );
memcpy( certIdData.certID, escapeStr, KEYID_ESC_SIZE );
}
/* Set up the certificate object data to be written and send it to the
database */
initBoundData( boundDataPtr );
setBoundData( boundDataPtr, 0, certIdData.C, certIdData.Clength );
setBoundData( boundDataPtr, 1, certIdData.SP, certIdData.SPlength );
setBoundData( boundDataPtr, 2, certIdData.L, certIdData.Llength );
setBoundData( boundDataPtr, 3, certIdData.O, certIdData.Olength );
setBoundData( boundDataPtr, 4, certIdData.OU, certIdData.OUlength );
setBoundData( boundDataPtr, 5, certIdData.CN, certIdData.CNlength );
switch( certType )
{
case CRYPT_CERTTYPE_CERTIFICATE:
setBoundData( boundDataPtr, 6, certIdData.uri,
certIdData.uriLength );
setBoundDataDate( boundDataPtr, 7, &boundDate );
setBoundData( boundDataPtr, 8, certIdData.nameID,
certIdData.nameIDlength );
setBoundData( boundDataPtr, 9, certIdData.issuerID,
certIdData.issuerIDlength );
setBoundData( boundDataPtr, 10, certIdData.keyID,
certIdData.keyIDlength );
boundDataIndex = 11;
sqlString = \
"INSERT INTO certificates VALUES (?, ?, ?, ?, ?, ?, ?,"
"?, ?, ?, ?, ?, ?)";
break;
case CRYPT_CERTTYPE_REQUEST_CERT:
setBoundData( boundDataPtr, 6, certIdData.uri,
certIdData.uriLength );
boundDataIndex = 7;
sqlString = \
"INSERT INTO certRequests VALUES ('" TEXT_CERTTYPE_REQUEST_CERT "', "
"?, ?, ?, ?, ?, ?, ?, ?, ?)";
break;
case CRYPT_CERTTYPE_PKIUSER:
setBoundData( boundDataPtr, 6, certIdData.nameID,
certIdData.nameIDlength );
setBoundData( boundDataPtr, 7, certIdData.keyID,
certIdData.keyIDlength );
boundDataIndex = 8;
sqlString = \
"INSERT INTO pkiUsers VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
break;
default:
retIntError();
}
setBoundData( boundDataPtr, boundDataIndex++, certIdData.certID,
certIdData.certIDlength );
if( hasBinaryBlobs( dbmsInfo ) )
{
setBoundDataBlob( boundDataPtr, boundDataIndex,
certData, certDataLength );
}
else
{
int encodedCertDataLength;
status = base64encode( encodedCertData, MAX_ENCODED_CERT_SIZE,
&encodedCertDataLength, certData,
certDataLength, CRYPT_CERTTYPE_NONE );
if( cryptStatusError( status ) )
{
assert( DEBUG_WARN );
retIntError();
}
setBoundData( boundDataPtr, boundDataIndex, encodedCertData,
encodedCertDataLength );
}
status = dbmsUpdate( sqlString, boundDataPtr, updateType );
if( cryptStatusError( status ) )
{
retExtErr( status,
( status, errorInfo, getDbmsErrorInfo( dbmsInfo ),
"Certificate add operation failed: " ) );
}
return( CRYPT_OK );
}
/* Add a CRL to a certificate store */
CHECK_RETVAL STDC_NONNULL_ARG( ( 1, 5 ) ) \
int addCRL( INOUT DBMS_INFO *dbmsInfo,
IN_HANDLE const CRYPT_CERTIFICATE iCryptCRL,
IN_HANDLE_OPT const CRYPT_CERTIFICATE iCryptRevokeCert,
IN_ENUM( DBMS_UPDATE ) const DBMS_UPDATE_TYPE updateType,
INOUT ERROR_INFO *errorInfo )
{
BOUND_DATA boundData[ BOUND_DATA_MAXITEMS ], *boundDataPtr = boundData;
CERT_ID_DATA crlIdData;
BYTE certData[ MAX_CERT_SIZE + 8 ];
char encodedCertData[ MAX_ENCODED_CERT_SIZE + 8 ];
const char *sqlString;
time_t expiryDate = 0;
int certDataLength = DUMMY_INIT, boundDataIndex, status;
assert( isWritePtr( dbmsInfo, sizeof( DBMS_INFO ) ) );
REQUIRES( isHandleRangeValid( iCryptCRL ) );
REQUIRES( ( isCertStore( dbmsInfo ) && \
isHandleRangeValid( iCryptRevokeCert ) ) || \
( !isCertStore( dbmsInfo ) && \
iCryptRevokeCert == CRYPT_UNUSED ) );
REQUIRES( updateType > DBMS_UPDATE_NONE && \
updateType < DBMS_UPDATE_LAST );
REQUIRES( errorInfo != NULL );
/* Get the ID information for the current CRL entry */
status = extractCrlIdData( iCryptCRL, iCryptRevokeCert, &crlIdData );
if( cryptStatusOK( status ) )
status = extractCertData( iCryptCRL, CRYPT_IATTRIBUTE_CRLENTRY,
certData, MAX_CERT_SIZE, &certDataLength );
if( cryptStatusOK( status ) && isCertStore( dbmsInfo ) )
{
MESSAGE_DATA msgData;
setMessageData( &msgData, &expiryDate, sizeof( time_t ) );
status = krnlSendMessage( iCryptRevokeCert, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_CERTINFO_VALIDTO );
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -