archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pki/certstor/rootlist.cpp

376 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. // Microsoft Windows
  3. //
  4. // Copyright (C) Microsoft Corporation, 1999 - 1999
  5. //
  6. // File: rootlist.cpp
  7. //
  8. // Contents: Signed List of Trusted Roots Helper Functions
  9. //
  10. //
  11. // Functions: IRL_VerifyAuthRootAutoUpdateCtl
  12. //
  13. // History: 01-Aug-99 philh created
  14. //--------------------------------------------------------------------------
  16. #include "global.hxx"
  17. #include <dbgdef.h>
  19. #ifdef STATIC
  20. #undef STATIC
  21. #endif
  22. #define STATIC
  24. //+-------------------------------------------------------------------------
  25. // If the certificate has an EKU extension, returns an allocated and
  26. // decoded EKU. Otherwise, returns NULL.
  27. //
  28. // PkiFree() must be called to free the returned EKU.
  29. //--------------------------------------------------------------------------
  30. STATIC
  31. PCERT_ENHKEY_USAGE
  32. WINAPI
  33. GetAndAllocCertEKUExt(
  34. IN PCCERT_CONTEXT pCert
  35. )
  36. {
  37. PCERT_ENHKEY_USAGE pUsage = NULL;
  38. DWORD cbUsage;
  40. cbUsage = 0;
  41. if (!CertGetEnhancedKeyUsage(
  42. pCert,
  43. CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
  44. NULL, // pUsage
  45. &cbUsage) || 0 == cbUsage)
  46. goto GetEnhancedKeyUsageError;
  47. if (NULL == (pUsage = (PCERT_ENHKEY_USAGE) PkiNonzeroAlloc(cbUsage)))
  48. goto OutOfMemory;
  49. if (!CertGetEnhancedKeyUsage(
  50. pCert,
  51. CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
  52. pUsage,
  53. &cbUsage))
  54. goto GetEnhancedKeyUsageError;
  56. CommonReturn:
  57. return pUsage;
  58. ErrorReturn:
  59. if (pUsage) {
  60. PkiFree(pUsage);
  61. pUsage = NULL;
  62. }
  63. goto CommonReturn;
  65. SET_ERROR(GetEnhancedKeyUsageError, CERT_E_WRONG_USAGE)
  66. TRACE_ERROR(OutOfMemory)
  67. }
  70. //+-------------------------------------------------------------------------
  71. // The signature of the CTL is verified. The signer of the CTL is verified
  72. // up to a trusted root containing the predefined Microsoft public key.
  73. //
  74. // The signer and intermediate certificates must have the
  75. // szOID_ROOT_LIST_SIGNER enhanced key usage extension.
  76. //--------------------------------------------------------------------------
  77. STATIC
  78. BOOL
  79. WINAPI
  80. VerifyAuthRootAutoUpdateCtlSigner(
  81. IN HCRYPTMSG hCryptMsg
  82. )
  83. {
  84. BOOL fResult;
  85. DWORD dwLastError = 0;
  86. HCERTSTORE hMsgStore = NULL;
  87. PCCERT_CONTEXT pSignerCert = NULL;
  88. LPSTR pszUsageOID;
  89. CERT_CHAIN_PARA ChainPara;
  90. PCCERT_CHAIN_CONTEXT pChainContext = NULL;
  91. PCERT_SIMPLE_CHAIN pChain;
  92. DWORD cChainElement;
  93. CERT_CHAIN_POLICY_PARA BasePolicyPara;
  94. CERT_CHAIN_POLICY_STATUS BasePolicyStatus;
  95. CERT_CHAIN_POLICY_PARA MicrosoftRootPolicyPara;
  96. CERT_CHAIN_POLICY_STATUS MicrosoftRootPolicyStatus;
  97. PCERT_ENHKEY_USAGE pUsage = NULL;
  98. DWORD i;
  100. if (NULL == (hMsgStore = CertOpenStore(
  101. CERT_STORE_PROV_MSG,
  102. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  103. 0, // hCryptProv
  104. 0, // dwFlags
  105. hCryptMsg // pvPara
  106. )))
  107. goto OpenMsgStoreError;
  109. if (!CryptMsgGetAndVerifySigner(
  110. hCryptMsg,
  111. 0, // cSignerStore
  112. NULL, // rghSignerStore
  113. 0, // dwFlags
  114. &pSignerCert,
  115. NULL // pdwSignerIndex
  116. ))
  117. goto CryptMsgGetAndVerifySignerError;
  119. pszUsageOID = szOID_ROOT_LIST_SIGNER;
  120. memset(&ChainPara, 0, sizeof(ChainPara));
  121. ChainPara.cbSize = sizeof(ChainPara);
  122. ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
  123. ChainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
  124. ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = &pszUsageOID;
  126. if (!CertGetCertificateChain(
  127. NULL, // hChainEngine
  128. pSignerCert,
  129. NULL, // pTime
  130. hMsgStore,
  131. &ChainPara,
  132. CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE,
  133. NULL, // pvReserved
  134. &pChainContext
  135. ))
  136. goto GetChainError;
  138. // Do the basic chain policy verification
  139. memset(&BasePolicyPara, 0, sizeof(BasePolicyPara));
  140. BasePolicyPara.cbSize = sizeof(BasePolicyPara);
  142. // We explicitly check for the Microsoft Root below. It doesn't need
  143. // to be in the root store.
  144. BasePolicyPara.dwFlags =
  145. CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
  146. CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG;
  148. memset(&BasePolicyStatus, 0, sizeof(BasePolicyStatus));
  149. BasePolicyStatus.cbSize = sizeof(BasePolicyStatus);
  151. if (!CertVerifyCertificateChainPolicy(
  152. CERT_CHAIN_POLICY_BASE,
  153. pChainContext,
  154. &BasePolicyPara,
  155. &BasePolicyStatus
  156. ))
  157. goto VerifyChainBasePolicyError;
  158. if (0 != BasePolicyStatus.dwError)
  159. goto ChainBasePolicyError;
  161. // Check that we have more than just the signer cert.
  162. pChain = pChainContext->rgpChain[0];
  163. cChainElement = pChain->cElement;
  164. if (2 > cChainElement)
  165. goto MissingSignerChainCertsError;
  167. // Check that the top level certificate contains the public
  168. // key for the Microsoft root.
  169. memset(&MicrosoftRootPolicyPara, 0, sizeof(MicrosoftRootPolicyPara));
  170. MicrosoftRootPolicyPara.cbSize = sizeof(MicrosoftRootPolicyPara);
  171. memset(&MicrosoftRootPolicyStatus, 0, sizeof(MicrosoftRootPolicyStatus));
  172. MicrosoftRootPolicyStatus.cbSize = sizeof(MicrosoftRootPolicyStatus);
  174. if (!CertVerifyCertificateChainPolicy(
  175. CERT_CHAIN_POLICY_MICROSOFT_ROOT,
  176. pChainContext,
  177. &MicrosoftRootPolicyPara,
  178. &MicrosoftRootPolicyStatus
  179. ))
  180. goto VerifyChainMicrosoftRootPolicyError;
  181. if (0 != MicrosoftRootPolicyStatus.dwError)
  182. goto ChainMicrosoftRootPolicyError;
  185. // Check that the signer and intermediate certs have the RootListSigner
  186. // Usage extension
  187. for (i = 0; i < cChainElement - 1; i++) {
  188. PCCERT_CONTEXT pCert; // not refCount'ed
  189. DWORD j;
  191. pCert = pChain->rgpElement[i]->pCertContext;
  193. pUsage = GetAndAllocCertEKUExt(pCert);
  194. if (NULL == pUsage)
  195. goto GetAndAllocCertEKUExtError;
  197. for (j = 0; j < pUsage->cUsageIdentifier; j++) {
  198. if (0 == strcmp(szOID_ROOT_LIST_SIGNER,
  199. pUsage->rgpszUsageIdentifier[j]))
  200. break;
  201. }
  203. if (j == pUsage->cUsageIdentifier)
  204. goto MissingRootListSignerUsageError;
  206. PkiFree(pUsage);
  207. pUsage = NULL;
  208. }
  210. fResult = TRUE;
  211. CommonReturn:
  212. if (pChainContext)
  213. CertFreeCertificateChain(pChainContext);
  214. if (pUsage)
  215. PkiFree(pUsage);
  217. if (pSignerCert)
  218. CertFreeCertificateContext(pSignerCert);
  220. if (hMsgStore)
  221. CertCloseStore(hMsgStore, 0);
  223. SetLastError(dwLastError);
  224. return fResult;
  225. ErrorReturn:
  226. dwLastError = GetLastError();
  227. fResult = FALSE;
  228. goto CommonReturn;
  230. TRACE_ERROR(OpenMsgStoreError)
  231. TRACE_ERROR(CryptMsgGetAndVerifySignerError)
  232. TRACE_ERROR(GetChainError)
  233. TRACE_ERROR(VerifyChainBasePolicyError)
  234. SET_ERROR_VAR(ChainBasePolicyError, BasePolicyStatus.dwError)
  235. TRACE_ERROR(VerifyChainMicrosoftRootPolicyError)
  236. SET_ERROR_VAR(ChainMicrosoftRootPolicyError, MicrosoftRootPolicyStatus.dwError)
  237. SET_ERROR(MissingSignerChainCertsError, CERT_E_CHAINING)
  238. TRACE_ERROR(GetAndAllocCertEKUExtError)
  239. SET_ERROR(MissingRootListSignerUsageError, CERT_E_WRONG_USAGE)
  240. }
  242. //+-------------------------------------------------------------------------
  243. // Returns TRUE if all the CTL fields are valid. Checks for the following:
  244. // - The SubjectUsage is szOID_ROOT_LIST_SIGNER
  245. // - If NextUpdate isn't NULL, that the CTL is still time valid
  246. // - Only allow roots identified by their sha1 hash
  247. //--------------------------------------------------------------------------
  248. STATIC
  249. BOOL
  250. WINAPI
  251. VerifyAuthRootAutoUpdateCtlFields(
  252. IN PCTL_INFO pCtlInfo
  253. )
  254. {
  255. BOOL fResult;
  257. // Must have the szOID_ROOT_LIST_SIGNER usage
  258. if (1 != pCtlInfo->SubjectUsage.cUsageIdentifier ||
  259. 0 != strcmp(szOID_ROOT_LIST_SIGNER,
  260. pCtlInfo->SubjectUsage.rgpszUsageIdentifier[0]))
  261. goto InvalidSubjectUsageError;
  264. // If NextUpdate is present, verify that the CTL hasn't expired.
  265. if (pCtlInfo->NextUpdate.dwLowDateTime ||
  266. pCtlInfo->NextUpdate.dwHighDateTime) {
  267. SYSTEMTIME SystemTime;
  268. FILETIME FileTime;
  270. GetSystemTime(&SystemTime);
  271. SystemTimeToFileTime(&SystemTime, &FileTime);
  273. if (CompareFileTime(&FileTime, &pCtlInfo->NextUpdate) > 0)
  274. goto ExpiredCtlError;
  275. }
  277. // Only allow roots identified by their sha1 hash
  278. if (0 != strcmp(szOID_OIWSEC_sha1,
  279. pCtlInfo->SubjectAlgorithm.pszObjId))
  280. goto InvalidSubjectAlgorithm;
  282. fResult = TRUE;
  283. CommonReturn:
  284. return fResult;
  285. ErrorReturn:
  286. fResult = FALSE;
  287. goto CommonReturn;
  289. SET_ERROR(InvalidSubjectUsageError, ERROR_INVALID_DATA)
  290. SET_ERROR(ExpiredCtlError, CERT_E_EXPIRED)
  291. SET_ERROR(InvalidSubjectAlgorithm, ERROR_INVALID_DATA)
  292. }
  294. //+-------------------------------------------------------------------------
  295. // Returns TRUE if the CTL doesn't have any critical extensions.
  296. //--------------------------------------------------------------------------
  297. STATIC
  298. BOOL
  299. WINAPI
  300. VerifyAuthRootAutoUpdateCtlExtensions(
  301. IN PCTL_INFO pCtlInfo
  302. )
  303. {
  304. BOOL fResult;
  305. PCERT_EXTENSION pExt;
  306. DWORD cExt;
  308. // Verify the extensions
  309. for (cExt = pCtlInfo->cExtension,
  310. pExt = pCtlInfo->rgExtension; 0 < cExt; cExt--, pExt++)
  311. {
  312. if (pExt->fCritical) {
  313. goto CriticalExtensionError;
  314. }
  315. }
  317. fResult = TRUE;
  319. CommonReturn:
  320. return fResult;
  321. ErrorReturn:
  322. fResult = FALSE;
  323. goto CommonReturn;
  325. SET_ERROR(CriticalExtensionError, ERROR_INVALID_DATA)
  326. }
  330. //+-------------------------------------------------------------------------
  331. // Verifies that the CTL contains a valid list of AuthRoots used for
  332. // Auto Update.
  333. //
  334. // The signature of the CTL is verified. The signer of the CTL is verified
  335. // up to a trusted root containing the predefined Microsoft public key.
  336. // The signer and intermediate certificates must have the
  337. // szOID_ROOT_LIST_SIGNER enhanced key usage extension.
  338. //
  339. // The CTL fields are validated as follows:
  340. // - The SubjectUsage is szOID_ROOT_LIST_SIGNER
  341. // - If NextUpdate isn't NULL, that the CTL is still time valid
  342. // - Only allow roots identified by their sha1 hash
  343. //
  344. // If the CTL contains any critical extensions, then, the
  345. // CTL verification fails.
  346. //--------------------------------------------------------------------------
  347. BOOL
  348. WINAPI
  349. IRL_VerifyAuthRootAutoUpdateCtl(
  350. IN PCCTL_CONTEXT pCtl
  351. )
  352. {
  353. BOOL fResult;
  354. PCTL_INFO pCtlInfo; // not allocated
  356. if (!VerifyAuthRootAutoUpdateCtlSigner(pCtl->hCryptMsg))
  357. goto VerifyCtlSignerError;
  359. pCtlInfo = pCtl->pCtlInfo;
  361. if (!VerifyAuthRootAutoUpdateCtlFields(pCtlInfo))
  362. goto VerifyCtlFieldsError;
  363. if (!VerifyAuthRootAutoUpdateCtlExtensions(pCtlInfo))
  364. goto VerifyCtlExtensionsError;
  366. fResult = TRUE;
  367. CommonReturn:
  368. return fResult;
  369. ErrorReturn:
  370. fResult = FALSE;
  371. goto CommonReturn;
  373. TRACE_ERROR(VerifyCtlSignerError)
  374. TRACE_ERROR(VerifyCtlFieldsError)
  375. TRACE_ERROR(VerifyCtlExtensionsError)
  376. }