|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1995 - 1999
//
// File: revfunc.cpp
//
// Contents: Certificate Revocation Dispatch Functions
//
// Functions: I_CertRevFuncDllMain
// CertVerifyRevocation
//
// History: 12-Dec-96 philh created
// 11-Mar-97 philh changed signature of CertVerifyRevocation
//--------------------------------------------------------------------------
#include "global.hxx"
#include <dbgdef.h>
static HCRYPTOIDFUNCSET hRevFuncSet;
typedef BOOL (WINAPI *PFN_CERT_DLL_VERIFY_REVOCATION)( IN DWORD dwEncodingType, IN DWORD dwRevType, IN DWORD cContext, IN PVOID rgpvContext[], IN DWORD dwFlags, IN OPTIONAL PCERT_REVOCATION_PARA pRevPara, IN OUT PCERT_REVOCATION_STATUS pRevStatus );
//+-------------------------------------------------------------------------
// Dll initialization
//--------------------------------------------------------------------------
BOOLWINAPII_CertRevFuncDllMain( HMODULE hModule, ULONG ulReason, LPVOID lpReserved){ BOOL fRet;
switch (ulReason) { case DLL_PROCESS_ATTACH: if (NULL == (hRevFuncSet = CryptInitOIDFunctionSet( CRYPT_OID_VERIFY_REVOCATION_FUNC, 0))) // dwFlags
goto CryptInitOIDFunctionSetError; break;
case DLL_PROCESS_DETACH: case DLL_THREAD_DETACH: default: break; }
fRet = TRUE;CommonReturn: return fRet;
ErrorReturn: fRet = FALSE; goto CommonReturn;TRACE_ERROR(CryptInitOIDFunctionSetError)}
static inline void ZeroRevStatus(OUT PCERT_REVOCATION_STATUS pRevStatus){ DWORD cbSize = pRevStatus->cbSize; memset(pRevStatus, 0, cbSize); pRevStatus->cbSize = cbSize;}
// Remember the first "interesting" error. *pdwError is initialized to
// CRYPT_E_NO_REVOCATION_DLL.
static void UpdateNoRevocationCheckStatus( IN PCERT_REVOCATION_STATUS pRevStatus, IN OUT DWORD *pdwError, IN OUT DWORD *pdwReason, IN OUT BOOL *pfHasFreshnessTime, IN OUT DWORD *pdwFreshnessTime ){ if (pRevStatus->dwError && (*pdwError == (DWORD) CRYPT_E_NO_REVOCATION_DLL || *pdwError == (DWORD) CRYPT_E_NO_REVOCATION_CHECK)) { *pdwError = pRevStatus->dwError; *pdwReason = pRevStatus->dwReason;
if (pRevStatus->cbSize >= STRUCT_CBSIZE(CERT_REVOCATION_STATUS, dwFreshnessTime)) { *pfHasFreshnessTime = pRevStatus->fHasFreshnessTime; *pdwFreshnessTime = pRevStatus->dwFreshnessTime; } }}
static BOOL VerifyDefaultRevocation( IN DWORD dwEncodingType, IN DWORD dwRevType, IN DWORD cContext, IN PVOID rgpvContext[], IN DWORD dwFlags, IN FILETIME *pftEndUrlRetrieval, IN OPTIONAL PCERT_REVOCATION_PARA pRevPara, IN OUT PCERT_REVOCATION_STATUS pRevStatus ){ BOOL fResult; DWORD dwError = (DWORD) CRYPT_E_NO_REVOCATION_DLL; DWORD dwReason = 0; BOOL fHasFreshnessTime = FALSE; DWORD dwFreshnessTime = 0; LPWSTR pwszDllList; // _alloca'ed
DWORD cchDllList; DWORD cchDll; void *pvFuncAddr; HCRYPTOIDFUNCADDR hFuncAddr;
// Iterate through the installed default functions.
// Setting pwszDll to NULL searches the installed list. Setting
// hFuncAddr to NULL starts the search at the beginning.
hFuncAddr = NULL; while (CryptGetDefaultOIDFunctionAddress( hRevFuncSet, dwEncodingType, NULL, // pwszDll
0, // dwFlags
&pvFuncAddr, &hFuncAddr)) { ZeroRevStatus(pRevStatus);
if (dwFlags & CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG) { pRevPara->dwUrlRetrievalTimeout = I_CryptRemainingMilliseconds(pftEndUrlRetrieval); if (0 == pRevPara->dwUrlRetrievalTimeout) pRevPara->dwUrlRetrievalTimeout = 1; }
fResult = ((PFN_CERT_DLL_VERIFY_REVOCATION) pvFuncAddr)( dwEncodingType, dwRevType, cContext, rgpvContext, dwFlags, pRevPara, pRevStatus); if (fResult || CRYPT_E_REVOKED == pRevStatus->dwError || 0 < pRevStatus->dwIndex) { // All contexts successfully checked, one of the contexts
// was revoked or successfully able to check at least one
// of the contexts.
CryptFreeOIDFunctionAddress(hFuncAddr, 0); goto CommonReturn; } else // Unable to check revocation for this installed
// function. However, remember any "interesting"
// errors such as, offline.
UpdateNoRevocationCheckStatus(pRevStatus, &dwError, &dwReason, &fHasFreshnessTime, &dwFreshnessTime); }
if (!CryptGetDefaultOIDDllList( hRevFuncSet, dwEncodingType, NULL, // pszDllList
&cchDllList)) goto GetDllListError; __try { pwszDllList = (LPWSTR) _alloca(cchDllList * sizeof(WCHAR)); } __except(EXCEPTION_EXECUTE_HANDLER) { goto OutOfMemory; } if (!CryptGetDefaultOIDDllList( hRevFuncSet, dwEncodingType, pwszDllList, &cchDllList)) goto GetDllListError;
for (; 0 != (cchDll = wcslen(pwszDllList)); pwszDllList += cchDll + 1) { if (CryptGetDefaultOIDFunctionAddress( hRevFuncSet, dwEncodingType, pwszDllList, 0, // dwFlags
&pvFuncAddr, &hFuncAddr)) { ZeroRevStatus(pRevStatus);
if (dwFlags & CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG) { pRevPara->dwUrlRetrievalTimeout = I_CryptRemainingMilliseconds(pftEndUrlRetrieval); if (0 == pRevPara->dwUrlRetrievalTimeout) pRevPara->dwUrlRetrievalTimeout = 1; }
fResult = ((PFN_CERT_DLL_VERIFY_REVOCATION) pvFuncAddr)( dwEncodingType, dwRevType, cContext, rgpvContext, dwFlags, pRevPara, pRevStatus); CryptFreeOIDFunctionAddress(hFuncAddr, 0); if (fResult || CRYPT_E_REVOKED == pRevStatus->dwError || 0 < pRevStatus->dwIndex) // All contexts successfully checked, one of the contexts
// was revoked or successfully able to check at least one
// of the contexts.
goto CommonReturn; else // Unable to check revocation for this registered
// function. However, remember any "interesting"
// errors such as, offline.
UpdateNoRevocationCheckStatus(pRevStatus, &dwError, &dwReason, &fHasFreshnessTime, &dwFreshnessTime); } }
goto ErrorReturn;
CommonReturn: return fResult;ErrorReturn: pRevStatus->dwIndex = 0; pRevStatus->dwError = dwError; pRevStatus->dwReason = dwReason;
if (pRevStatus->cbSize >= STRUCT_CBSIZE(CERT_REVOCATION_STATUS, dwFreshnessTime)) { pRevStatus->fHasFreshnessTime = fHasFreshnessTime; pRevStatus->dwFreshnessTime = dwFreshnessTime; }
fResult = FALSE; goto CommonReturn;TRACE_ERROR(GetDllListError)TRACE_ERROR(OutOfMemory)}
//+-------------------------------------------------------------------------
// Verifies the array of contexts for revocation. The dwRevType parameter
// indicates the type of the context data structure passed in rgpvContext.
// Currently only the revocation of certificates is defined.
//
// If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
// is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
// of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
// about the order of the contexts.
//
// To assist in finding the issuer, the pRevPara may optionally be set. See
// the CERT_REVOCATION_PARA data structure for details.
//
// The contexts must contain enough information to allow the
// installable or registered revocation DLLs to find the revocation server. For
// certificates, this information would normally be conveyed in an
// extension such as the IETF's AuthorityInfoAccess extension.
//
// CertVerifyRevocation returns TRUE if all of the contexts were successfully
// checked and none were revoked. Otherwise, returns FALSE and updates the
// returned pRevStatus data structure as follows:
// dwIndex
// Index of the first context that was revoked or unable to
// be checked for revocation
// dwError
// Error status. LastError is also set to this error status.
// dwError can be set to one of the following error codes defined
// in winerror.h:
// ERROR_SUCCESS - good context
// CRYPT_E_REVOKED - context was revoked. dwReason contains the
// reason for revocation
// CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
// revocation server
// CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
// was not found in the revocation server's database.
// CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
// wasn't able to do a revocation check on the context
// CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
// found to verify revocation
// dwReason
// The dwReason is currently only set for CRYPT_E_REVOKED and contains
// the reason why the context was revoked. May be one of the following
// CRL reasons defined by the CRL Reason Code extension ("2.5.29.21")
// CRL_REASON_UNSPECIFIED 0
// CRL_REASON_KEY_COMPROMISE 1
// CRL_REASON_CA_COMPROMISE 2
// CRL_REASON_AFFILIATION_CHANGED 3
// CRL_REASON_SUPERSEDED 4
// CRL_REASON_CESSATION_OF_OPERATION 5
// CRL_REASON_CERTIFICATE_HOLD 6
//
// For each entry in rgpvContext, CertVerifyRevocation iterates
// through the CRYPT_OID_VERIFY_REVOCATION_FUNC
// function set's list of installed DEFAULT functions.
// CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
// installed functions are found capable of doing the revocation verification,
// CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
// list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
// get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
//
// The called functions have the same signature as CertVerifyRevocation. A
// called function returns TRUE if it was able to successfully check all of
// the contexts and none were revoked. Otherwise, the called function returns
// FALSE and updates pRevStatus. dwIndex is set to the index of
// the first context that was found to be revoked or unable to be checked.
// dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
// is updated. Upon input to the called function, dwIndex, dwError and
// dwReason have been zero'ed. cbSize has been checked to be >=
// sizeof(CERT_REVOCATION_STATUS).
//
// If the called function returns FALSE, and dwError isn't set to
// CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
// next DLL in the list for a returned dwIndex of 0 or for a returned
// dwIndex > 0, restarts the process of finding a verify function by
// advancing the start of the context array to the returned dwIndex and
// decrementing the count of remaining contexts.
//--------------------------------------------------------------------------
BOOLWINAPICertVerifyRevocation( IN DWORD dwEncodingType, IN DWORD dwRevType, IN DWORD cContext, IN PVOID rgpvContext[], IN DWORD dwFlags, IN OPTIONAL PCERT_REVOCATION_PARA pRevPara, IN OUT PCERT_REVOCATION_STATUS pRevStatus ){ BOOL fResult = FALSE; DWORD dwIndex;
// Following are only used for CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG
CERT_REVOCATION_PARA RevPara; FILETIME ftEndUrlRetrieval;
assert(pRevStatus->cbSize >= STRUCT_CBSIZE(CERT_REVOCATION_STATUS, dwReason)); if (pRevStatus->cbSize < STRUCT_CBSIZE(CERT_REVOCATION_STATUS, dwReason)) goto InvalidArg;
if (dwFlags & CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG) { // RevPara.dwUrlRetrievalTimeout will be updated with the remaining
// timeout
memset(&RevPara, 0, sizeof(RevPara)); if (pRevPara != NULL) memcpy(&RevPara, pRevPara, min(pRevPara->cbSize, sizeof(RevPara))); RevPara.cbSize = sizeof(RevPara); if (0 == RevPara.dwUrlRetrievalTimeout) dwFlags &= ~CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG; else { FILETIME ftCurrent;
GetSystemTimeAsFileTime(&ftCurrent); I_CryptIncrementFileTimeByMilliseconds( &ftCurrent, RevPara.dwUrlRetrievalTimeout, &ftEndUrlRetrieval);
pRevPara = &RevPara; } }
dwIndex = 0; while (dwIndex < cContext) { fResult = VerifyDefaultRevocation( dwEncodingType, dwRevType, cContext - dwIndex, &rgpvContext[dwIndex], dwFlags, &ftEndUrlRetrieval, pRevPara, pRevStatus ); if (fResult) // All contexts successfully checked.
break; else if (CRYPT_E_REVOKED == pRevStatus->dwError || 0 == pRevStatus->dwIndex) { // One of the contexts was revoked or unable to check the
// dwIndex context.
pRevStatus->dwIndex += dwIndex; SetLastError(pRevStatus->dwError); break; } else // Advance past the checked contexts
dwIndex += pRevStatus->dwIndex; }
if (dwIndex >= cContext) { // Able to check all the contexts
fResult = TRUE; pRevStatus->dwIndex = 0; pRevStatus->dwError = 0; pRevStatus->dwReason = 0; }
CommonReturn: return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)}
|
