archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
3.3 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pkitrust/softpub/authcode.cpp

253 lines
8.6 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1996 - 1999
  6. //
  7. // File: authcode.cpp
  8. //
  9. // Contents: Microsoft Internet Security Authenticode Policy Provider
  10. //
  11. // Functions: SoftpubAuthenticode
  12. //
  13. // History: 05-Jun-1997 pberkman created
  14. //
  15. //--------------------------------------------------------------------------
  17. #include "global.hxx"
  19. // Following is also called from .\httpsprv.cpp
  21. void UpdateCertError(
  22. IN PCRYPT_PROVIDER_SGNR pSgnr,
  23. IN PCERT_CHAIN_POLICY_STATUS pPolicyStatus
  24. )
  25. {
  26. PCCERT_CHAIN_CONTEXT pChainContext = pSgnr->pChainContext;
  27. LONG lChainIndex = pPolicyStatus->lChainIndex;
  28. LONG lElementIndex = pPolicyStatus->lElementIndex;
  29. DWORD dwProvCertIndex;
  30. LONG i;
  32. assert (lChainIndex < (LONG) pChainContext->cChain);
  33. if (0 > lChainIndex || lChainIndex >= (LONG) pChainContext->cChain ||
  34. 0 > lElementIndex) {
  35. if (CERT_E_CHAINING == pPolicyStatus->dwError) {
  36. if (0 < pSgnr->csCertChain) {
  37. PCRYPT_PROVIDER_CERT pProvCert;
  39. pProvCert = WTHelperGetProvCertFromChain(
  40. pSgnr, pSgnr->csCertChain - 1);
  41. if (0 == pProvCert->dwError)
  42. pProvCert->dwError = pPolicyStatus->dwError;
  43. }
  44. }
  45. return;
  46. }
  48. dwProvCertIndex = 0;
  49. for (i = 0; i < lChainIndex; i++) {
  50. PCERT_SIMPLE_CHAIN pChain = pChainContext->rgpChain[i];
  52. dwProvCertIndex += pChain->cElement;
  53. }
  54. dwProvCertIndex += lElementIndex;
  56. if (dwProvCertIndex < pSgnr->csCertChain) {
  57. PCRYPT_PROVIDER_CERT pProvCert;
  59. pProvCert = WTHelperGetProvCertFromChain(pSgnr, dwProvCertIndex);
  60. pProvCert->dwError = pPolicyStatus->dwError;
  61. }
  62. }
  65. HRESULT WINAPI SoftpubAuthenticode(CRYPT_PROVIDER_DATA *pProvData)
  66. {
  67. DWORD dwError;
  68. DWORD i1;
  70. AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA ExtraPolicyPara;
  71. memset(&ExtraPolicyPara, 0, sizeof(ExtraPolicyPara));
  72. ExtraPolicyPara.cbSize = sizeof(ExtraPolicyPara);
  73. ExtraPolicyPara.dwRegPolicySettings = pProvData->dwRegPolicySettings;
  75. CERT_CHAIN_POLICY_PARA PolicyPara;
  76. memset(&PolicyPara, 0, sizeof(PolicyPara));
  77. PolicyPara.cbSize = sizeof(PolicyPara);
  78. PolicyPara.pvExtraPolicyPara = (void *) &ExtraPolicyPara;
  80. AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS ExtraPolicyStatus;
  81. memset(&ExtraPolicyStatus, 0, sizeof(ExtraPolicyStatus));
  82. ExtraPolicyStatus.cbSize = sizeof(ExtraPolicyStatus);
  84. CERT_CHAIN_POLICY_STATUS PolicyStatus;
  85. memset(&PolicyStatus, 0, sizeof(PolicyStatus));
  86. PolicyStatus.cbSize = sizeof(PolicyStatus);
  87. PolicyStatus.pvExtraPolicyStatus = (void *) &ExtraPolicyStatus;
  90. //
  91. // check the high level error codes. For SAFER, must also have a
  92. // signer and subject hash.
  93. //
  94. dwError = checkGetErrorBasedOnStepErrors(pProvData);
  97. // Check if we have a valid signature
  99. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] != 0 ||
  100. NULL == pProvData->pPDSip ||
  101. NULL == pProvData->pPDSip->psIndirectData ||
  102. 0 == pProvData->pPDSip->psIndirectData->Digest.cbData)
  103. {
  104. if (pProvData->dwProvFlags & (WTD_SAFER_FLAG | WTD_HASH_ONLY_FLAG))
  105. {
  106. pProvData->dwFinalError = dwError;
  107. return TRUST_E_NOSIGNATURE;
  108. }
  109. }
  110. else if (pProvData->dwProvFlags & WTD_HASH_ONLY_FLAG)
  111. {
  112. pProvData->dwFinalError = 0;
  113. return S_OK;
  114. }
  116. if (0 != dwError)
  117. {
  118. goto CommonReturn;
  119. }
  123. //
  124. // check each signer
  125. //
  126. for (i1 = 0; i1 < pProvData->csSigners; i1++) {
  127. CRYPT_PROVIDER_SGNR *pSgnr;
  128. LPSTR pszUsage;
  130. pSgnr = WTHelperGetProvSignerFromChain(pProvData, i1, FALSE, 0);
  132. pszUsage = pProvData->pszUsageOID;
  133. if (pszUsage && 0 != strcmp(pszUsage, szOID_PKIX_KP_CODE_SIGNING))
  134. // Inhibit checking of signer purpose
  135. ExtraPolicyPara.pSignerInfo = NULL;
  136. else
  137. ExtraPolicyPara.pSignerInfo = pSgnr->psSigner;
  139. if (!CertVerifyCertificateChainPolicy(
  140. CERT_CHAIN_POLICY_AUTHENTICODE,
  141. pSgnr->pChainContext,
  142. &PolicyPara,
  143. &PolicyStatus
  144. )) {
  145. dwError = TRUST_E_SYSTEM_ERROR;
  146. goto CommonReturn;
  147. }
  149. if (CERT_E_REVOCATION_FAILURE == PolicyStatus.dwError &&
  150. (pProvData->dwProvFlags & WTD_SAFER_FLAG)) {
  151. // For SAFER, ignore NO_CHECK errors
  152. if (0 == (pSgnr->pChainContext->TrustStatus.dwErrorStatus &
  153. CERT_TRUST_IS_OFFLINE_REVOCATION)) {
  154. PolicyStatus.dwError = 0;
  155. }
  156. }
  158. if (0 != PolicyStatus.dwError) {
  159. dwError = PolicyStatus.dwError;
  160. UpdateCertError(pSgnr, &PolicyStatus);
  161. goto CommonReturn;
  162. } else if (0 < pSgnr->csCertChain) {
  163. PCRYPT_PROVIDER_CERT pProvCert;
  165. pProvCert = WTHelperGetProvCertFromChain(pSgnr, 0);
  166. if (CERT_E_REVOCATION_FAILURE == pProvCert->dwError) {
  167. // Policy says to ignore offline revocation errors
  168. pProvCert->dwError = 0;
  169. pProvCert->dwRevokedReason = 0;
  170. }
  171. }
  173. if (pSgnr->csCounterSigners) {
  174. AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA TSExtraPolicyPara;
  175. memset(&TSExtraPolicyPara, 0, sizeof(TSExtraPolicyPara));
  176. TSExtraPolicyPara.cbSize = sizeof(TSExtraPolicyPara);
  177. TSExtraPolicyPara.dwRegPolicySettings =
  178. pProvData->dwRegPolicySettings;
  179. TSExtraPolicyPara.fCommercial = ExtraPolicyStatus.fCommercial;
  181. CERT_CHAIN_POLICY_PARA TSPolicyPara;
  182. memset(&TSPolicyPara, 0, sizeof(TSPolicyPara));
  183. TSPolicyPara.cbSize = sizeof(TSPolicyPara);
  184. TSPolicyPara.pvExtraPolicyPara = (void *) &TSExtraPolicyPara;
  186. CERT_CHAIN_POLICY_STATUS TSPolicyStatus;
  187. memset(&TSPolicyStatus, 0, sizeof(TSPolicyStatus));
  188. TSPolicyStatus.cbSize = sizeof(TSPolicyStatus);
  191. //
  192. // check counter signers
  193. //
  194. for (DWORD i2 = 0; i2 < pSgnr->csCounterSigners; i2++)
  195. {
  196. PCRYPT_PROVIDER_SGNR pCounterSgnr =
  197. WTHelperGetProvSignerFromChain(pProvData, i1, TRUE, i2);
  199. //
  200. // do we care about this counter signer?
  201. //
  202. if (pCounterSgnr->dwSignerType != SGNR_TYPE_TIMESTAMP)
  203. continue;
  205. if (!CertVerifyCertificateChainPolicy(
  206. CERT_CHAIN_POLICY_AUTHENTICODE_TS,
  207. pCounterSgnr->pChainContext,
  208. &TSPolicyPara,
  209. &TSPolicyStatus
  210. )) {
  211. dwError = TRUST_E_SYSTEM_ERROR;
  212. goto CommonReturn;
  213. }
  215. if (CERT_E_REVOCATION_FAILURE == TSPolicyStatus.dwError &&
  216. (pProvData->dwProvFlags & WTD_SAFER_FLAG)) {
  217. // For SAFER, ignore NO_CHECK errors
  218. if (0 == (pCounterSgnr->pChainContext->TrustStatus.dwErrorStatus &
  219. CERT_TRUST_IS_OFFLINE_REVOCATION)) {
  220. TSPolicyStatus.dwError = 0;
  221. }
  222. }
  224. if (0 != TSPolicyStatus.dwError) {
  225. // On April 13, 1999 changed to map all time stamp errors
  226. // to TRUST_E_TIME_STAMP
  227. dwError = TRUST_E_TIME_STAMP;
  228. // dwError = TSPolicyStatus.dwError;
  229. UpdateCertError(pCounterSgnr, &TSPolicyStatus);
  230. goto CommonReturn;
  231. } else if (0 < pCounterSgnr->csCertChain) {
  232. PCRYPT_PROVIDER_CERT pProvCert;
  234. pProvCert = WTHelperGetProvCertFromChain(pCounterSgnr, 0);
  235. if (CERT_E_REVOCATION_FAILURE == pProvCert->dwError) {
  236. // Policy says to ignore offline revocation errors
  237. pProvCert->dwError = 0;
  238. pProvCert->dwRevokedReason = 0;
  239. }
  240. }
  241. }
  242. }
  243. }
  245. dwError = 0;
  246. CommonReturn:
  247. pProvData->dwFinalError = dwError;
  249. return SoftpubCallUI(pProvData, dwError, TRUE);
  250. }