archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pkitrust/tools/mscrlrev/mscrlrev.cpp

466 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. // Microsoft Windows
  3. //
  4. // Copyright (C) Microsoft Corporation, 2001 - 2001
  5. //
  6. // File: mscrlrev.cpp
  7. //
  8. // Contents: Check CRLs in CA store version of CertDllVerifyRevocation.
  9. //
  10. // Restrictions:
  11. // - Only support CRYPT_ASN_ENCODING
  12. // - CRL must already be in the CA system store
  13. // - CRL must be issued and signed by the issuer of the
  14. // certificate
  15. // - CRL must not have any critical extensions
  16. //
  17. // Functions: DllMain
  18. // DllRegisterServer
  19. // DllUnregisterServer
  20. // CertDllVerifyRevocation
  21. //
  22. // History: 15-Mar-01 philh created
  23. //--------------------------------------------------------------------------
  26. #include "global.hxx"
  27. #include <dbgdef.h>
  30. //+-------------------------------------------------------------------------
  31. // Default stores searched to find an issuer of the subject certificate
  32. //--------------------------------------------------------------------------
  33. struct {
  34. LPCWSTR pwszStore;
  35. DWORD dwFlags;
  36. } rgDefaultIssuerStores[] = {
  37. L"CA", CERT_SYSTEM_STORE_CURRENT_USER,
  38. L"ROOT", CERT_SYSTEM_STORE_CURRENT_USER
  39. };
  40. #define NUM_DEFAULT_ISSUER_STORES (sizeof(rgDefaultIssuerStores) / \
  41. sizeof(rgDefaultIssuerStores[0]))
  43. //+-------------------------------------------------------------------------
  44. // Dll initialization
  45. //--------------------------------------------------------------------------
  46. BOOL
  47. WINAPI
  48. DllMain(
  49. HMODULE hInst,
  50. ULONG ulReason,
  51. LPVOID lpReserved)
  52. {
  53. switch (ulReason) {
  54. case DLL_PROCESS_ATTACH:
  55. break;
  56. case DLL_PROCESS_DETACH:
  57. case DLL_THREAD_DETACH:
  58. default:
  59. break;
  60. }
  62. return TRUE;
  63. }
  65. HRESULT HError()
  66. {
  67. DWORD dw = GetLastError();
  69. HRESULT hr;
  70. if ( dw <= 0xFFFF )
  71. hr = HRESULT_FROM_WIN32 ( dw );
  72. else
  73. hr = dw;
  75. if ( ! FAILED ( hr ) )
  76. {
  77. // somebody failed a call without properly setting an error condition
  79. hr = E_UNEXPECTED;
  80. }
  81. return hr;
  82. }
  84. //+-------------------------------------------------------------------------
  85. // DllRegisterServer
  86. //--------------------------------------------------------------------------
  87. STDAPI DllRegisterServer(void)
  88. {
  89. if (!CryptRegisterDefaultOIDFunction(
  90. X509_ASN_ENCODING,
  91. CRYPT_OID_VERIFY_REVOCATION_FUNC,
  92. CRYPT_REGISTER_FIRST_INDEX,
  93. L"mscrlrev.dll"
  94. )) {
  95. if (ERROR_FILE_EXISTS != GetLastError())
  96. return HError();
  97. }
  99. return S_OK;
  100. }
  102. //+-------------------------------------------------------------------------
  103. // DllUnregisterServer
  104. //--------------------------------------------------------------------------
  105. STDAPI DllUnregisterServer(void)
  106. {
  107. if (!CryptUnregisterDefaultOIDFunction(
  108. X509_ASN_ENCODING,
  109. CRYPT_OID_VERIFY_REVOCATION_FUNC,
  110. L"mscrlrev.dll"
  111. )) {
  112. if (ERROR_FILE_NOT_FOUND != GetLastError())
  113. return HError();
  114. }
  116. return S_OK;
  117. }
  119. //+-------------------------------------------------------------------------
  120. // Local functions called by CertDllVerifyRevocation
  121. //--------------------------------------------------------------------------
  122. PCCERT_CONTEXT GetIssuerCert(
  123. IN DWORD cCert,
  124. IN PCCERT_CONTEXT rgpCert[],
  125. IN DWORD dwFlags,
  126. IN PCERT_REVOCATION_PARA pRevPara
  127. );
  129. BOOL GetSubjectCrl (
  130. IN PCCERT_CONTEXT pSubject,
  131. IN PCCERT_CONTEXT pIssuer,
  132. OUT PCCRL_CONTEXT* ppCrl
  133. );
  135. PCRL_ENTRY FindCertInCrl(
  136. IN PCCERT_CONTEXT pCert,
  137. IN PCCRL_CONTEXT pCrl,
  138. IN PCERT_REVOCATION_PARA pRevPara
  139. );
  141. DWORD GetCrlReason(
  142. IN PCRL_ENTRY pCrlEntry
  143. );
  145. //+-------------------------------------------------------------------------
  146. // CertDllVerifyRevocation using pre-loaded CRLs in the CA store
  147. //--------------------------------------------------------------------------
  148. BOOL
  149. WINAPI
  150. CertDllVerifyRevocation(
  151. IN DWORD dwEncodingType,
  152. IN DWORD dwRevType,
  153. IN DWORD cContext,
  154. IN PVOID rgpvContext[],
  155. IN DWORD dwFlags,
  156. IN PCERT_REVOCATION_PARA pRevPara,
  157. IN OUT PCERT_REVOCATION_STATUS pRevStatus
  158. )
  159. {
  160. DWORD dwError = (DWORD) CRYPT_E_NO_REVOCATION_CHECK;
  161. DWORD dwReason = 0;
  162. PCCERT_CONTEXT pCert; // not allocated
  163. PCCERT_CONTEXT pIssuer = NULL;
  164. PCCRL_CONTEXT pCrl = NULL;
  165. PCRL_ENTRY pCrlEntry;
  167. if (cContext == 0)
  168. goto NoContextError;
  169. if (GET_CERT_ENCODING_TYPE(dwEncodingType) != CRYPT_ASN_ENCODING)
  170. goto NoRevocationCheckForEncodingTypeError;
  171. if (dwRevType != CERT_CONTEXT_REVOCATION_TYPE)
  172. goto NoRevocationCheckForRevTypeError;
  174. pCert = (PCCERT_CONTEXT) rgpvContext[0];
  176. // Get the certificate's issuer
  177. if (NULL == (pIssuer = GetIssuerCert(
  178. cContext,
  179. (PCCERT_CONTEXT *) rgpvContext,
  180. dwFlags,
  181. pRevPara
  182. )))
  183. goto NoIssuerError;
  185. if (!GetSubjectCrl(
  186. pCert,
  187. pIssuer,
  188. &pCrl
  189. ))
  190. goto NoCrl;
  192. // Check if revoked
  193. pCrlEntry = FindCertInCrl(pCert, pCrl, pRevPara);
  194. if (pCrlEntry) {
  195. dwError = (DWORD) CRYPT_E_REVOKED;
  196. dwReason = GetCrlReason(pCrlEntry);
  197. goto Revoked;
  198. }
  200. CommonReturn:
  201. if (pIssuer)
  202. CertFreeCertificateContext(pIssuer);
  203. if (pCrl)
  204. CertFreeCRLContext(pCrl);
  206. pRevStatus->dwIndex = 0;
  207. pRevStatus->dwError = dwError;
  208. pRevStatus->dwReason = dwReason;
  209. SetLastError(dwError);
  210. return FALSE;
  211. ErrorReturn:
  212. goto CommonReturn;
  214. TRACE_ERROR(NoContextError)
  215. TRACE_ERROR(NoRevocationCheckForEncodingTypeError)
  216. TRACE_ERROR(NoRevocationCheckForRevTypeError)
  217. TRACE_ERROR(NoIssuerError)
  218. TRACE_ERROR(NoCrl)
  219. TRACE_ERROR(Revoked)
  220. }
  223. //+-------------------------------------------------------------------------
  224. // If the CRL entry has a CRL Reason extension, the enumerated reason
  225. // code is returned. Otherwise, a reason code of 0 is returned.
  226. //--------------------------------------------------------------------------
  227. DWORD GetCrlReason(
  228. IN PCRL_ENTRY pCrlEntry
  229. )
  230. {
  231. DWORD dwReason = 0;
  232. PCERT_EXTENSION pExt;
  234. // Check if the certificate has a szOID_CRL_REASON_CODE extension
  235. if (pExt = CertFindExtension(
  236. szOID_CRL_REASON_CODE,
  237. pCrlEntry->cExtension,
  238. pCrlEntry->rgExtension
  239. )) {
  240. DWORD cbInfo = sizeof(dwReason);
  241. CryptDecodeObject(
  242. CRYPT_ASN_ENCODING,
  243. X509_CRL_REASON_CODE,
  244. pExt->Value.pbData,
  245. pExt->Value.cbData,
  246. 0, // dwFlags
  247. &dwReason,
  248. &cbInfo);
  249. }
  250. return dwReason;
  251. }
  253. //+=========================================================================
  254. // Get Issuer Certificate Functions
  255. //==========================================================================
  257. PCCERT_CONTEXT FindIssuerCertInStores(
  258. IN PCCERT_CONTEXT pSubjectCert,
  259. IN DWORD cStore,
  260. IN HCERTSTORE rgStore[]
  261. )
  262. {
  263. PCCERT_CONTEXT pIssuerCert = NULL;
  264. DWORD i;
  266. for (i = 0; i < cStore; i++) {
  267. while (TRUE) {
  268. DWORD dwFlags = CERT_STORE_SIGNATURE_FLAG;
  269. pIssuerCert = CertGetIssuerCertificateFromStore(
  270. rgStore[i],
  271. pSubjectCert,
  272. pIssuerCert,
  273. &dwFlags);
  274. if (NULL == pIssuerCert)
  275. break;
  276. else if (0 == (dwFlags & CERT_STORE_SIGNATURE_FLAG))
  277. return pIssuerCert;
  278. }
  279. }
  281. return NULL;
  282. }
  284. PCCERT_CONTEXT FindIssuerCertInDefaultStores(
  285. IN PCCERT_CONTEXT pSubjectCert
  286. )
  287. {
  288. PCCERT_CONTEXT pIssuerCert;
  289. HCERTSTORE hStore;
  290. DWORD i;
  292. for (i = 0; i < NUM_DEFAULT_ISSUER_STORES; i++) {
  293. if (hStore = CertOpenStore(
  294. CERT_STORE_PROV_SYSTEM_W,
  295. 0, // dwEncodingType
  296. 0, // hCryptProv
  297. rgDefaultIssuerStores[i].dwFlags | CERT_STORE_READONLY_FLAG,
  298. (const void *) rgDefaultIssuerStores[i].pwszStore
  299. )) {
  300. pIssuerCert = FindIssuerCertInStores(pSubjectCert, 1, &hStore);
  301. CertCloseStore(hStore, 0);
  302. if (pIssuerCert)
  303. return pIssuerCert;
  304. }
  305. }
  307. return NULL;
  308. }
  310. //+-------------------------------------------------------------------------
  311. // Get the issuer of the first certificate in the array
  312. //--------------------------------------------------------------------------
  313. PCCERT_CONTEXT GetIssuerCert(
  314. IN DWORD cCert,
  315. IN PCCERT_CONTEXT rgpCert[],
  316. IN DWORD dwFlags,
  317. IN PCERT_REVOCATION_PARA pRevPara
  318. )
  319. {
  320. PCCERT_CONTEXT pSubjectCert;
  321. PCCERT_CONTEXT pIssuerCert = NULL;
  323. assert(cCert >= 1);
  324. pSubjectCert = rgpCert[0];
  325. if (cCert == 1) {
  326. if (pRevPara && pRevPara->cbSize >=
  327. (offsetof(CERT_REVOCATION_PARA, pIssuerCert) +
  328. sizeof(pRevPara->pIssuerCert)))
  329. pIssuerCert = pRevPara->pIssuerCert;
  330. if (NULL == pIssuerCert && CertCompareCertificateName(
  331. pSubjectCert->dwCertEncodingType,
  332. &pSubjectCert->pCertInfo->Subject,
  333. &pSubjectCert->pCertInfo->Issuer))
  334. // Self issued
  335. pIssuerCert = pSubjectCert;
  336. } else if (dwFlags && CERT_VERIFY_REV_CHAIN_FLAG)
  337. pIssuerCert = rgpCert[1];
  339. if (pIssuerCert)
  340. pIssuerCert = CertDuplicateCertificateContext(pIssuerCert);
  341. else {
  342. if (pRevPara && pRevPara->cbSize >=
  343. (offsetof(CERT_REVOCATION_PARA, rgCertStore) +
  344. sizeof(pRevPara->rgCertStore)))
  345. pIssuerCert = FindIssuerCertInStores(
  346. pSubjectCert, pRevPara->cCertStore, pRevPara->rgCertStore);
  347. if (NULL == pIssuerCert)
  348. pIssuerCert = FindIssuerCertInDefaultStores(pSubjectCert);
  349. }
  351. if (NULL == pIssuerCert)
  352. SetLastError(CRYPT_E_NO_REVOCATION_CHECK);
  353. return pIssuerCert;
  354. }
  358. //+-------------------------------------------------------------------------
  359. // Check that the CRL doesn't have any critical extensions
  360. //--------------------------------------------------------------------------
  361. BOOL IsExtensionValidCrl(
  362. IN PCCRL_CONTEXT pCrl
  363. )
  364. {
  365. DWORD cExt = pCrl->pCrlInfo->cExtension;
  366. PCERT_EXTENSION pExt = pCrl->pCrlInfo->rgExtension;
  368. for ( ; cExt > 0; cExt--, pExt++) {
  369. if (pExt->fCritical)
  370. return FALSE;
  371. }
  373. return TRUE;
  374. }
  376. //+---------------------------------------------------------------------------
  377. //
  378. // Function: GetSubjectCrl
  379. //
  380. // Synopsis: get the CRL associated with the subject certificate
  381. //
  382. //----------------------------------------------------------------------------
  383. BOOL GetSubjectCrl (
  384. IN PCCERT_CONTEXT pSubject,
  385. IN PCCERT_CONTEXT pIssuer,
  386. OUT PCCRL_CONTEXT* ppCrl
  387. )
  388. {
  389. BOOL fResult;
  390. HCERTSTORE hStore;
  391. PCCRL_CONTEXT pFindCrl = NULL;
  392. DWORD dwGetCrlFlags = CERT_STORE_SIGNATURE_FLAG;
  394. *ppCrl = NULL;
  396. hStore = CertOpenSystemStoreW( NULL, L"CA" );
  397. if ( hStore != NULL )
  398. {
  399. while ( ( pFindCrl = CertGetCRLFromStore(
  400. hStore,
  401. pIssuer,
  402. pFindCrl,
  403. &dwGetCrlFlags
  404. ) ) != NULL )
  405. {
  406. if ( dwGetCrlFlags != 0 || !IsExtensionValidCrl( pFindCrl ))
  407. {
  408. dwGetCrlFlags = CERT_STORE_SIGNATURE_FLAG;
  409. continue;
  410. }
  412. *ppCrl = pFindCrl;
  413. break;
  414. }
  416. CertCloseStore( hStore, 0 );
  418. if ( *ppCrl != NULL )
  419. {
  420. return( TRUE );
  421. }
  423. }
  425. return( FALSE );
  426. }
  428. //+-------------------------------------------------------------------------
  429. // Find a certificate identified by its serial number in the CRL.
  430. //--------------------------------------------------------------------------
  431. PCRL_ENTRY FindCertInCrl(
  432. IN PCCERT_CONTEXT pCert,
  433. IN PCCRL_CONTEXT pCrl,
  434. IN PCERT_REVOCATION_PARA pRevPara
  435. )
  436. {
  437. DWORD cEntry = pCrl->pCrlInfo->cCRLEntry;
  438. PCRL_ENTRY pEntry = pCrl->pCrlInfo->rgCRLEntry;
  439. DWORD cbSerialNumber = pCert->pCertInfo->SerialNumber.cbData;
  440. BYTE *pbSerialNumber = pCert->pCertInfo->SerialNumber.pbData;
  442. if (0 == cbSerialNumber)
  443. return NULL;
  445. for ( ; 0 < cEntry; cEntry--, pEntry++) {
  446. if (cbSerialNumber == pEntry->SerialNumber.cbData &&
  447. 0 == memcmp(pbSerialNumber, pEntry->SerialNumber.pbData,
  448. cbSerialNumber))
  449. {
  450. if (pRevPara && pRevPara->cbSize >=
  451. (offsetof(CERT_REVOCATION_PARA, pftTimeToUse) +
  452. sizeof(pRevPara->pftTimeToUse))
  453. &&
  454. NULL != pRevPara->pftTimeToUse
  455. &&
  456. 0 > CompareFileTime(pRevPara->pftTimeToUse,
  457. &pEntry->RevocationDate))
  458. // It was used before being revoked
  459. return NULL;
  460. else
  461. return pEntry;
  462. }
  463. }
  465. return NULL;
  466. }