|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows NT Security
// Copyright (C) Microsoft Corporation, 1997 - 1999
//
// File: chain.cpp
//
// Contents: Certificate Chaining Infrastructure
//
// History: 15-Jan-98 kirtd Created
//
//----------------------------------------------------------------------------
#include <global.hxx>
#include <dbgdef.h>
//+===========================================================================
// CCertObject methods
//============================================================================
//+---------------------------------------------------------------------------
//
// Member: CCertObject::CCertObject, public
//
// Synopsis: Constructor
//
// Leaves the engine's critical section to create an object of
// dwObjectType = CERT_END_OBJECT_TYPE. For a self-signed root
// may also leave the critical section to retrieve and validate
// the AuthRoot Auto Update CTL and add such a root to the
// AuthRoot store.
//
// Assumption: Chain engine is locked once in the calling thread.
//
//----------------------------------------------------------------------------
CCertObject::CCertObject ( IN DWORD dwObjectType, IN PCCHAINCALLCONTEXT pCallContext, IN PCCERT_CONTEXT pCertContext, IN BYTE rgbCertHash[CHAINHASHLEN], OUT BOOL& rfResult ){ BOOL fLocked = TRUE; CRYPT_DATA_BLOB DataBlob; DWORD cbData;
if (CERT_END_OBJECT_TYPE == dwObjectType) { pCallContext->ChainEngine()->UnlockEngine(); fLocked = FALSE; }
m_dwObjectType = dwObjectType; m_cRefs = 1;
// NOTE: The chain engine is NOT addref'd
m_pChainEngine = pCallContext->ChainEngine();
m_dwIssuerMatchFlags = 0; m_dwCachedMatchFlags = 0; m_dwIssuerStatusFlags = 0; m_dwInfoFlags = 0; m_pCtlCacheHead = NULL; m_pCertContext = CertDuplicateCertificateContext( pCertContext ); memset(&m_PoliciesInfo, 0, sizeof(m_PoliciesInfo)); m_pBasicConstraintsInfo = NULL; m_pKeyUsage = NULL; m_pIssuerNameConstraintsInfo = NULL; m_fAvailableSubjectNameConstraintsInfo = FALSE; memset(&m_SubjectNameConstraintsInfo, 0, sizeof(m_SubjectNameConstraintsInfo)); m_pAuthKeyIdentifier = NULL; // m_ObjectIdentifier;
memcpy(m_rgbCertHash, rgbCertHash, CHAINHASHLEN); m_cbKeyIdentifier = 0; m_pbKeyIdentifier = NULL; // m_rgbPublicKeyHash[ CHAINHASHLEN ];
// m_rgbIssuerPublicKeyHash[ CHAINHASHLEN ];
// m_rgbIssuerExactMatchHash[ CHAINHASHLEN ];
// m_rgbIssuerNameMatchHash[ CHAINHASHLEN ];
m_hHashEntry = NULL; m_hIdentifierEntry = NULL; m_hSubjectNameEntry = NULL; m_hKeyIdEntry = NULL; m_hPublicKeyHashEntry = NULL;
m_hEndHashEntry = NULL;
if (!CertGetCertificateContextProperty( pCertContext, CERT_KEY_IDENTIFIER_PROP_ID, NULL, &m_cbKeyIdentifier )) goto GetKeyIdentifierPropertyError; m_pbKeyIdentifier = new BYTE [ m_cbKeyIdentifier ]; if (NULL == m_pbKeyIdentifier) goto OutOfMemory; if (!CertGetCertificateContextProperty( pCertContext, CERT_KEY_IDENTIFIER_PROP_ID, m_pbKeyIdentifier, &m_cbKeyIdentifier )) goto GetKeyIdentifierPropertyError;
cbData = CHAINHASHLEN; if (!CertGetCertificateContextProperty( pCertContext, CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID, m_rgbPublicKeyHash, &cbData ) || CHAINHASHLEN != cbData) goto GetSubjectPublicKeyHashPropertyError;
cbData = CHAINHASHLEN; if (CertGetCertificateContextProperty( pCertContext, CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID, m_rgbIssuerPublicKeyHash, &cbData ) && CHAINHASHLEN == cbData) m_dwIssuerStatusFlags |= CERT_ISSUER_PUBKEY_FLAG;
ChainGetPoliciesInfo(pCertContext, &m_PoliciesInfo);
if (!ChainGetBasicConstraintsInfo(pCertContext, &m_pBasicConstraintsInfo)) m_dwInfoFlags |= CHAIN_INVALID_BASIC_CONSTRAINTS_INFO_FLAG;
if (!ChainGetKeyUsage(pCertContext, &m_pKeyUsage)) m_dwInfoFlags |= CHAIN_INVALID_KEY_USAGE_FLAG;
if (!ChainGetIssuerNameConstraintsInfo(pCertContext, &m_pIssuerNameConstraintsInfo)) m_dwInfoFlags |= CHAIN_INVALID_ISSUER_NAME_CONSTRAINTS_INFO_FLAG;
if (CERT_CACHED_ISSUER_OBJECT_TYPE == dwObjectType) { DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = m_rgbCertHash; if (!I_CryptCreateLruEntry( m_pChainEngine->CertObjectCache()->HashIndex(), &DataBlob, this, &m_hHashEntry )) goto CreateHashLruEntryError;
// Need to double check this, only needed for issuer caching ???
ChainCreateCertificateObjectIdentifier( &pCertContext->pCertInfo->Issuer, &pCertContext->pCertInfo->SerialNumber, m_ObjectIdentifier );
DataBlob.cbData = sizeof( CERT_OBJECT_IDENTIFIER ); DataBlob.pbData = m_ObjectIdentifier; if (!I_CryptCreateLruEntry( m_pChainEngine->CertObjectCache()->IdentifierIndex(), &DataBlob, this, &m_hIdentifierEntry )) goto CreateIdentifierLruEntryError;
DataBlob.cbData = pCertContext->pCertInfo->Subject.cbData; DataBlob.pbData = pCertContext->pCertInfo->Subject.pbData; if (!I_CryptCreateLruEntry( m_pChainEngine->CertObjectCache()->SubjectNameIndex(), &DataBlob, this, &m_hSubjectNameEntry )) goto CreateSubjectNameLruEntryError;
DataBlob.cbData = m_cbKeyIdentifier; DataBlob.pbData = m_pbKeyIdentifier; if (!I_CryptCreateLruEntry( m_pChainEngine->CertObjectCache()->KeyIdIndex(), &DataBlob, this, &m_hKeyIdEntry )) goto CreateKeyIdLruEntryError;
DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = m_rgbPublicKeyHash; if (!I_CryptCreateLruEntry( m_pChainEngine->CertObjectCache()->PublicKeyHashIndex(), &DataBlob, this, &m_hPublicKeyHashEntry )) goto CreatePublicKeyHashLruEntryError; }
ChainGetIssuerMatchInfo( pCertContext, &m_dwIssuerMatchFlags, &m_pAuthKeyIdentifier );
ChainGetSelfSignedStatus(pCallContext, this, &m_dwIssuerStatusFlags);
if (m_dwIssuerStatusFlags & CERT_ISSUER_SELF_SIGNED_FLAG) { //
// NOTE: This means that only self-signed roots are supported
//
if (!fLocked) { pCallContext->ChainEngine()->LockEngine(); fLocked = TRUE; }
ChainGetRootStoreStatus( m_pChainEngine->RootStore(), m_pChainEngine->RealRootStore(), rgbCertHash, &m_dwIssuerStatusFlags );
if (!(m_dwIssuerStatusFlags & CERT_ISSUER_TRUSTED_ROOT_FLAG)) { if (!ChainGetAuthRootAutoUpdateStatus( pCallContext, this, &m_dwIssuerStatusFlags )) goto AuthRootAutoUpdateError; }
if (!(m_dwIssuerStatusFlags & CERT_ISSUER_TRUSTED_ROOT_FLAG)) { // Get all cached CTLs we are a member of
CERT_OBJECT_CTL_CACHE_ENUM_DATA EnumData;
memset(&EnumData, 0, sizeof(EnumData)); EnumData.fResult = TRUE; EnumData.pCertObject = this;
m_pChainEngine->SSCtlObjectCache()->EnumObjects( ChainFillCertObjectCtlCacheEnumFn, &EnumData );
if (!EnumData.fResult) { SetLastError(EnumData.dwLastError); goto FillCertObjectCtlCacheError; } } }
rfResult = TRUE;
CommonReturn: if (!fLocked) pCallContext->ChainEngine()->LockEngine(); return;
ErrorReturn: rfResult = FALSE; goto CommonReturn;
TRACE_ERROR(GetKeyIdentifierPropertyError)SET_ERROR(OutOfMemory, E_OUTOFMEMORY)TRACE_ERROR(GetSubjectPublicKeyHashPropertyError)TRACE_ERROR(CreateHashLruEntryError)TRACE_ERROR(CreateIdentifierLruEntryError)TRACE_ERROR(CreateSubjectNameLruEntryError)TRACE_ERROR(CreateKeyIdLruEntryError)TRACE_ERROR(CreatePublicKeyHashLruEntryError)TRACE_ERROR(AuthRootAutoUpdateError)TRACE_ERROR(FillCertObjectCtlCacheError)}
//+---------------------------------------------------------------------------
//
// Member: CCertObject::~CCertObject, public
//
// Synopsis: Destructor
//
//----------------------------------------------------------------------------
CCertObject::~CCertObject (){ if ( m_hKeyIdEntry != NULL ) { I_CryptReleaseLruEntry( m_hKeyIdEntry ); }
if ( m_hSubjectNameEntry != NULL ) { I_CryptReleaseLruEntry( m_hSubjectNameEntry ); }
if ( m_hIdentifierEntry != NULL ) { I_CryptReleaseLruEntry( m_hIdentifierEntry ); }
if ( m_hPublicKeyHashEntry != NULL ) { I_CryptReleaseLruEntry( m_hPublicKeyHashEntry ); }
if ( m_hHashEntry != NULL ) { I_CryptReleaseLruEntry( m_hHashEntry ); }
if ( m_hEndHashEntry != NULL ) { I_CryptReleaseLruEntry( m_hEndHashEntry ); }
ChainFreeCertObjectCtlCache(m_pCtlCacheHead);
delete m_pbKeyIdentifier; ChainFreeAuthorityKeyIdentifier( m_pAuthKeyIdentifier ); ChainFreePoliciesInfo( &m_PoliciesInfo ); ChainFreeBasicConstraintsInfo( m_pBasicConstraintsInfo ); ChainFreeKeyUsage( m_pKeyUsage ); ChainFreeIssuerNameConstraintsInfo( m_pIssuerNameConstraintsInfo ); ChainFreeSubjectNameConstraintsInfo( &m_SubjectNameConstraintsInfo ); CertFreeCertificateContext( m_pCertContext );}
//+---------------------------------------------------------------------------
//
// Member: CCertObject::CacheEndObject, public
//
// Synopsis: Convert a CERT_END_OBJECT_TYPE to a CERT_CACHED_END_OBJECT_TYPE.
//
//----------------------------------------------------------------------------
BOOL CCertObject::CacheEndObject( IN PCCHAINCALLCONTEXT pCallContext ){ BOOL fResult; CRYPT_DATA_BLOB DataBlob;
assert(CERT_END_OBJECT_TYPE == m_dwObjectType);
DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = m_rgbCertHash; fResult = I_CryptCreateLruEntry( m_pChainEngine->CertObjectCache()->EndHashIndex(), &DataBlob, this, &m_hEndHashEntry );
if (fResult) m_dwObjectType = CERT_CACHED_END_OBJECT_TYPE;
return fResult;}
//+---------------------------------------------------------------------------
//
// Member: CCertObject::SubjectNameConstraintsInfo, public
//
// Synopsis: return the subject name constraints info
//
// allocation and getting of info is deferred until the
// first name constraint check is done.
//
// Assumption: chain engine isn't locked upon entry.
//
//----------------------------------------------------------------------------
PCHAIN_SUBJECT_NAME_CONSTRAINTS_INFOCCertObject::SubjectNameConstraintsInfo (){ if (!m_fAvailableSubjectNameConstraintsInfo) { CHAIN_SUBJECT_NAME_CONSTRAINTS_INFO Info;
memset(&Info, 0, sizeof(Info));
ChainGetSubjectNameConstraintsInfo(m_pCertContext, &Info);
// Must do the update while holding the engine's critical section
m_pChainEngine->LockEngine();
if (m_fAvailableSubjectNameConstraintsInfo) // Another thread already did the update
ChainFreeSubjectNameConstraintsInfo(&Info); else { memcpy(&m_SubjectNameConstraintsInfo, &Info, sizeof(m_SubjectNameConstraintsInfo));
// Must be set last!!!
m_fAvailableSubjectNameConstraintsInfo = TRUE; } m_pChainEngine->UnlockEngine(); }
return &m_SubjectNameConstraintsInfo;}
//+---------------------------------------------------------------------------
//
// Member: CCertObject::GetIssuerExactMatchHash, public
//
// Synopsis: if the cert has an Authority Key Info extension with
// the optional issuer and serial number, returns the count and
// pointer to the MD5 hash of the issuer name and serial number.
// Otherwise, pMatchHash->cbData is set to 0.
//
// MD5 hash calculation is deferred until the first call.
//
// Assumption: Chain engine is locked once in the calling thread.
//
//----------------------------------------------------------------------------
VOIDCCertObject::GetIssuerExactMatchHash( OUT PCRYPT_DATA_BLOB pMatchHash ){ if (!(m_dwIssuerStatusFlags & CERT_ISSUER_EXACT_MATCH_HASH_FLAG)) { PCERT_AUTHORITY_KEY_ID_INFO pAKI = m_pAuthKeyIdentifier;
if (pAKI && 0 != pAKI->CertIssuer.cbData && 0 != pAKI->CertSerialNumber.cbData) { ChainCreateCertificateObjectIdentifier( &pAKI->CertIssuer, &pAKI->CertSerialNumber, m_rgbIssuerExactMatchHash ); m_dwIssuerStatusFlags |= CERT_ISSUER_EXACT_MATCH_HASH_FLAG; } else { pMatchHash->cbData = 0; pMatchHash->pbData = NULL; return; } } // else
// We have already calculated the MD5 hash
pMatchHash->cbData = CHAINHASHLEN; pMatchHash->pbData = m_rgbIssuerExactMatchHash;}
//+---------------------------------------------------------------------------
//
// Member: CCertObject::GetIssuerKeyMatchHash, public
//
// Synopsis: if the cert has an Authority Key Info extension with
// the optional key id, returns the key id.
// Otherwise, pMatchHash->cbData is set to 0.
//
//----------------------------------------------------------------------------
VOIDCCertObject::GetIssuerKeyMatchHash( OUT PCRYPT_DATA_BLOB pMatchHash ){ PCERT_AUTHORITY_KEY_ID_INFO pAKI = m_pAuthKeyIdentifier;
if (pAKI) *pMatchHash = pAKI->KeyId; else { pMatchHash->cbData = 0; pMatchHash->pbData = NULL; }}
//+---------------------------------------------------------------------------
//
// Member: CCertObject::GetIssuerNameMatchHash, public
//
// Synopsis: if the cert has an issuer name, returns the count and
// pointer to the MD5 hash of the issuer name.
// Otherwise, pMatchHash->cbData is set to 0.
//
// MD5 hash calculation is deferred until the first call.
//
// Assumption: Chain engine is locked once in the calling thread.
//
//----------------------------------------------------------------------------
VOIDCCertObject::GetIssuerNameMatchHash( OUT PCRYPT_DATA_BLOB pMatchHash ){ if (!(m_dwIssuerStatusFlags & CERT_ISSUER_NAME_MATCH_HASH_FLAG)) { PCERT_INFO pCertInfo = m_pCertContext->pCertInfo;
if (0 != pCertInfo->Issuer.cbData) { MD5_CTX md5ctx;
MD5Init( &md5ctx ); MD5Update( &md5ctx, pCertInfo->Issuer.pbData, pCertInfo->Issuer.cbData ); MD5Final( &md5ctx );
assert(CHAINHASHLEN == MD5DIGESTLEN); memcpy(m_rgbIssuerNameMatchHash, md5ctx.digest, CHAINHASHLEN);
m_dwIssuerStatusFlags |= CERT_ISSUER_NAME_MATCH_HASH_FLAG; } else { pMatchHash->cbData = 0; pMatchHash->pbData = NULL; return; } }
pMatchHash->cbData = CHAINHASHLEN; pMatchHash->pbData = m_rgbIssuerNameMatchHash;}
//+===========================================================================
// CChainPathObject methods
//============================================================================
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CChainPathObject, public
//
// Synopsis: Constructor
//
// Once successfully added to the call context cache, rfAddedToCreationCache
// is set. This object will be deleted when CChainCallContext gets destroyed.
//
// Since this object is per call, no AddRef'ing is required.
//
//----------------------------------------------------------------------------
CChainPathObject::CChainPathObject ( IN PCCHAINCALLCONTEXT pCallContext, IN BOOL fCyclic, IN LPVOID pvObject, // fCyclic : pPathObject ? pCertObject
IN OPTIONAL HCERTSTORE hAdditionalStore, OUT BOOL& rfResult, OUT BOOL& rfAddedToCreationCache ){ PCCERTOBJECT pCertObject; PCCHAINPATHOBJECT pPathObject; DWORD dwIssuerStatusFlags;
rfAddedToCreationCache = FALSE;
if (fCyclic) { pPathObject = (PCCHAINPATHOBJECT) pvObject; pCertObject = pPathObject->CertObject(); } else { pPathObject = NULL; pCertObject = (PCCERTOBJECT) pvObject; }
m_pCertObject = pCertObject; pCertObject->AddRef(); memset( &m_TrustStatus, 0, sizeof( m_TrustStatus ) ); m_dwPass1Quality = 0; m_dwPass1DuplicateKeyDepth = 0; m_dwChainIndex = 0; m_dwElementIndex = 0; m_pDownIssuerElement = NULL; m_pDownPathObject = NULL; m_pUpIssuerElement = NULL; m_fHasAdditionalStatus = FALSE; memset( &m_AdditionalStatus, 0, sizeof( m_AdditionalStatus ) ); m_fHasRevocationInfo = FALSE; memset( &m_RevocationInfo, 0, sizeof( m_RevocationInfo ) ); memset( &m_RevocationCrlInfo, 0, sizeof( m_RevocationCrlInfo ) ); m_pIssuerList = NULL; m_pwszExtendedErrorInfo = NULL; m_fCompleted = FALSE;
if (!ChainCreateIssuerList( this, &m_pIssuerList )) goto CreateIssuerListError;
if (!pCallContext->AddPathObjectToCreationCache( this )) goto AddPathObjectToCreationCacheError; rfAddedToCreationCache = TRUE;
if (fCyclic) { m_TrustStatus = pPathObject->m_TrustStatus; m_TrustStatus.dwInfoStatus |= ChainGetMatchInfoStatusForNoIssuer( pCertObject->IssuerMatchFlags()); m_TrustStatus.dwErrorStatus |= CERT_TRUST_IS_CYCLIC; goto SuccessReturn; }
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (dwIssuerStatusFlags & CERT_ISSUER_SELF_SIGNED_FLAG) { m_TrustStatus.dwInfoStatus |= CERT_TRUST_IS_SELF_SIGNED; ChainGetMatchInfoStatus(pCertObject, pCertObject, &m_TrustStatus.dwInfoStatus); m_dwPass1Quality |= CERT_QUALITY_COMPLETE_CHAIN | CERT_QUALITY_NOT_CYCLIC;
if (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG) { m_dwPass1Quality |= CERT_QUALITY_SIGNATURE_VALID; } else { m_TrustStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_SIGNATURE_VALID; m_TrustStatus.dwInfoStatus &= ~CERT_TRUST_HAS_PREFERRED_ISSUER; }
if (dwIssuerStatusFlags & CERT_ISSUER_TRUSTED_ROOT_FLAG) { m_dwPass1Quality |= CERT_QUALITY_HAS_TRUSTED_ROOT;
if (0 == (pCallContext->CallFlags() & CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING)) m_dwPass1Quality |= CERT_QUALITY_NO_DUPLICATE_KEY;
// Check if we have a time valid root. This is an extra
// check necessary to determine if we will need to do
// AuthRoot Auto Update.
FILETIME RequestedTime; PCERT_INFO pCertInfo = pCertObject->CertContext()->pCertInfo;
pCallContext->RequestedTime(&RequestedTime); if ((0 == (pCallContext->CallFlags() & CERT_CHAIN_TIMESTAMP_TIME)) && 0 == CertVerifyTimeValidity(&RequestedTime, pCertInfo)) { m_dwPass1Quality |= CERT_QUALITY_HAS_TIME_VALID_TRUSTED_ROOT; } else { // Use current time for timestamping or try again using the
// current time. This is necessary for cross certificate
// chains.
FILETIME CurrentTime;
pCallContext->CurrentTime(&CurrentTime); if (0 == CertVerifyTimeValidity(&CurrentTime, pCertInfo)) { m_dwPass1Quality |= CERT_QUALITY_HAS_TIME_VALID_TRUSTED_ROOT; } } } else { m_TrustStatus.dwErrorStatus |= CERT_TRUST_IS_UNTRUSTED_ROOT;
if (!FindAndAddCtlIssuersFromCache(pCallContext, hAdditionalStore)) goto FindAndCtlIssuersFromCacheError;
if (hAdditionalStore) { if (!FindAndAddCtlIssuersFromAdditionalStore( pCallContext, hAdditionalStore )) goto FindAndCtlIssuersFromAdditionalStoreError; }
if (!(dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) m_dwPass1Quality &= ~CERT_QUALITY_SIGNATURE_VALID;
if (0 == (pCallContext->CallFlags() & CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING) && m_pIssuerList->IsEmpty()) m_dwPass1Quality |= CERT_QUALITY_NO_DUPLICATE_KEY; } } else { DWORD iLast; BOOL fGetIssuerUrlStore;
if (!FindAndAddIssuers ( pCallContext, hAdditionalStore, NULL // hIssuerUrlStore
)) goto FindAndAddIssuersError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); iLast = 1; // Default to allow AIA wire
fGetIssuerUrlStore = FALSE;
if (m_pIssuerList->IsEmpty()) fGetIssuerUrlStore = TRUE; else if (!(dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG) || !(m_dwPass1Quality & CERT_QUALITY_SIGNATURE_VALID)) { fGetIssuerUrlStore = TRUE;
if (dwIssuerStatusFlags & CERT_ISSUER_URL_FLAG) iLast = 0; // Only do AIA cache
}
if (fGetIssuerUrlStore) { DWORD i;
// Try the following 2 URL cases:
// 0 - AIA cache
// 1 - AIA wire
// Continue through the cases until finding a "good" issuer.
for (i = 0; i <= iLast; i++) { HCERTSTORE hIssuerUrlStore = NULL; DWORD dwRetrievalFlags;
if (0 == i) dwRetrievalFlags = CRYPT_CACHE_ONLY_RETRIEVAL; else { if (!pCallContext->IsOnline()) break; dwRetrievalFlags = CRYPT_WIRE_ONLY_RETRIEVAL; }
// The following leaves the engine's critical section to do
// URL fetching. If the engine was touched by another
// thread, it fails with LastError set to
// ERROR_CAN_NOT_COMPLETE.
if (!pCallContext->ChainEngine()->GetIssuerUrlStore( pCallContext, pCertObject->CertContext(), dwRetrievalFlags, &hIssuerUrlStore )) goto GetIssuerUrlStoreError;
if (hIssuerUrlStore) { BOOL fResult;
fResult = FindAndAddIssuers ( pCallContext, hAdditionalStore, hIssuerUrlStore ); CertCloseStore(hIssuerUrlStore, 0);
if (!fResult) goto FindAndAddIssuersFromUrlStoreError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (!m_pIssuerList->IsEmpty() && (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG);
// Try to find all issuers having the same public key.
if (!FindAndAddIssuersByMatchType( CERT_PUBKEY_ISSUER_MATCH_TYPE, pCallContext, hAdditionalStore, NULL // hIssuerUrlStore
)) goto FindIssuersByPubKeyError;
if (m_dwPass1Quality & CERT_QUALITY_SIGNATURE_VALID) break; }
} }
pCertObject->OrIssuerStatusFlags(CERT_ISSUER_URL_FLAG); }
// Check if we have a time valid, signature valid, trusted root
if ((CERT_QUALITY_HAS_TIME_VALID_TRUSTED_ROOT | CERT_QUALITY_SIGNATURE_VALID) != (m_dwPass1Quality & (CERT_QUALITY_HAS_TIME_VALID_TRUSTED_ROOT | CERT_QUALITY_SIGNATURE_VALID)) && pCallContext->IsOnline()) { HCERTSTORE hIssuerUrlStore = NULL;
// The following leaves the engine's critical section to do
// URL fetching. If the engine was touched by another
// thread, it fails with LastError set to
// ERROR_CAN_NOT_COMPLETE.
// Note, we only hit the wire to fetch AuthRoots stored
// on Microsoft's web server
if (!GetAuthRootAutoUpdateUrlStore( pCallContext, &hIssuerUrlStore )) goto GetAuthRootAutoUpdateUrlStoreError;
if (hIssuerUrlStore) { BOOL fResult;
fResult = FindAndAddIssuers ( pCallContext, hAdditionalStore, hIssuerUrlStore ); CertCloseStore(hIssuerUrlStore, 0);
if (!fResult) goto FindAndAddIssuersFromUrlStoreError; } }
if (m_pIssuerList->IsEmpty()) { m_TrustStatus.dwInfoStatus |= ChainGetMatchInfoStatusForNoIssuer( pCertObject->IssuerMatchFlags());
assert(0 == (m_dwPass1Quality & (CERT_QUALITY_HAS_TRUSTED_ROOT | CERT_QUALITY_COMPLETE_CHAIN)));
// Unable to verify our signature, default to being valid.
// Also, we can't be cyclic.
m_dwPass1Quality |= CERT_QUALITY_SIGNATURE_VALID | CERT_QUALITY_NOT_CYCLIC;
if (0 == (pCallContext->CallFlags() & CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING)) m_dwPass1Quality |= CERT_QUALITY_NO_DUPLICATE_KEY; } }
SuccessReturn: rfResult = TRUE;CommonReturn: m_fCompleted = TRUE; return;ErrorReturn: rfResult = FALSE; goto CommonReturn;
TRACE_ERROR(CreateIssuerListError)TRACE_ERROR(AddPathObjectToCreationCacheError)TRACE_ERROR(FindAndCtlIssuersFromCacheError)TRACE_ERROR(FindAndCtlIssuersFromAdditionalStoreError)TRACE_ERROR(FindAndAddIssuersError)TRACE_ERROR(GetIssuerUrlStoreError)TRACE_ERROR(GetAuthRootAutoUpdateUrlStoreError)TRACE_ERROR(FindAndAddIssuersFromUrlStoreError)TRACE_ERROR(FindIssuersByPubKeyError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::~CChainPathObject, public
//
// Synopsis: Destructor
//
//----------------------------------------------------------------------------
CChainPathObject::~CChainPathObject (){ if (m_pCertObject) m_pCertObject->Release();
if (m_fHasRevocationInfo) { if (m_RevocationCrlInfo.pBaseCrlContext) CertFreeCRLContext(m_RevocationCrlInfo.pBaseCrlContext); if (m_RevocationCrlInfo.pDeltaCrlContext) CertFreeCRLContext(m_RevocationCrlInfo.pDeltaCrlContext); }
if (m_pIssuerList) ChainFreeIssuerList( m_pIssuerList ); if (m_pwszExtendedErrorInfo) PkiFree(m_pwszExtendedErrorInfo);}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::FindAndAddIssuers, public
//
// Synopsis: find and add issuers for all matching types
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::FindAndAddIssuers ( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL HCERTSTORE hAdditionalStore, IN OPTIONAL HCERTSTORE hIssuerUrlStore ){ BOOL fResult; PCCERTOBJECT pCertObject = m_pCertObject; DWORD dwIssuerMatchFlags; DWORD i;
static const rgdwMatchType[] = { CERT_EXACT_ISSUER_MATCH_TYPE, CERT_KEYID_ISSUER_MATCH_TYPE, CERT_NAME_ISSUER_MATCH_TYPE };#define FIND_MATCH_TYPE_CNT (sizeof(rgdwMatchType) / sizeof(rgdwMatchType[0]))
if (pCertObject->IssuerStatusFlags() & CERT_ISSUER_PUBKEY_FLAG) { // We know the issuer's public key. First, attempt to find all issuers
// having that public key.
if (!FindAndAddIssuersByMatchType( CERT_PUBKEY_ISSUER_MATCH_TYPE, pCallContext, hAdditionalStore, hIssuerUrlStore )) goto FindIssuersByPubKeyError;
if (!m_pIssuerList->IsEmpty() && (pCertObject->IssuerStatusFlags() & CERT_ISSUER_VALID_SIGNATURE_FLAG)) goto SuccessReturn; }
dwIssuerMatchFlags = pCertObject->IssuerMatchFlags();
for (i = 0; i < FIND_MATCH_TYPE_CNT; i++) { if (dwIssuerMatchFlags & CERT_MATCH_TYPE_TO_FLAG(rgdwMatchType[i])) { DWORD dwIssuerStatusFlags;
if (!FindAndAddIssuersByMatchType( rgdwMatchType[i], pCallContext, hAdditionalStore, hIssuerUrlStore )) goto FindIssuersByMatchTypeError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (!m_pIssuerList->IsEmpty() && (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG);
// We can now find all issuers having the same public key.
if (!FindAndAddIssuersByMatchType( CERT_PUBKEY_ISSUER_MATCH_TYPE, pCallContext, hAdditionalStore, hIssuerUrlStore )) goto FindIssuersByPubKeyError;
break; } } }
SuccessReturn: fResult = TRUE;CommonReturn: return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn; TRACE_ERROR(FindIssuersByPubKeyError)TRACE_ERROR(FindIssuersByMatchTypeError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::FindAndAddIssuersByMatchType, public
//
// Synopsis: find and add issuers for the specified match type
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::FindAndAddIssuersByMatchType( IN DWORD dwMatchType, IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL HCERTSTORE hAdditionalStore, IN OPTIONAL HCERTSTORE hIssuerUrlStore ){ BOOL fResult; PCCERTOBJECT pCertObject = m_pCertObject;
if (NULL == hIssuerUrlStore) { DWORD dwIssuerStatusFlags; DWORD dwCachedMatchFlags;
// Note, we need to get the cached match flags before finding
// in the cache. Due to recursive, doing a find further up the
// chain may result in another issuer being inserted at the beginning
// of the cache bucket list. Pretty remote, but possible.
dwCachedMatchFlags = pCertObject->CachedMatchFlags();
if (!FindAndAddIssuersFromCacheByMatchType( dwMatchType, pCallContext, hAdditionalStore )) goto FindIssuersFromCacheError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (CERT_PUBKEY_ISSUER_MATCH_TYPE != dwMatchType && !m_pIssuerList->IsEmpty() && (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG);
// We will be called again using the PUBKEY match
goto SuccessReturn; }
if (!(dwCachedMatchFlags & CERT_MATCH_TYPE_TO_FLAG(dwMatchType))) { if (!FindAndAddIssuersFromStoreByMatchType( dwMatchType, pCallContext, FALSE, // fExternalStore
hAdditionalStore, NULL // hIssuerUrlStore
)) goto FindIssuersFromEngineStoreError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (CERT_PUBKEY_ISSUER_MATCH_TYPE != dwMatchType && !m_pIssuerList->IsEmpty() && (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG);
// We will be called again using the PUBKEY match
goto SuccessReturn; } } }
if (NULL != hAdditionalStore || NULL != hIssuerUrlStore) { if (!FindAndAddIssuersFromStoreByMatchType( dwMatchType, pCallContext, TRUE, // fExternalStore
hAdditionalStore, hIssuerUrlStore )) goto FindIssuersFromAdditionalOrUrlStoreError; }
SuccessReturn: fResult = TRUE;CommonReturn: return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(FindIssuersFromCacheError)TRACE_ERROR(FindIssuersFromEngineStoreError)TRACE_ERROR(FindIssuersFromAdditionalOrUrlStoreError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::FindAndAddIssuersFromCacheByMatchType, public
//
// Synopsis: find and add cached issuers for the specified match type
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::FindAndAddIssuersFromCacheByMatchType( IN DWORD dwMatchType, IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL HCERTSTORE hAdditionalStore ){ BOOL fResult; PCCERTOBJECT pCertObject = m_pCertObject; PCCERTCHAINENGINE pChainEngine = pCertObject->ChainEngine(); PCCERTOBJECTCACHE pCertObjectCache = pChainEngine->CertObjectCache(); PCCERTOBJECT pIssuer = NULL;
HLRUCACHE hCache; HLRUENTRY hEntry; PCRYPT_DATA_BLOB pIdentifier; CRYPT_DATA_BLOB DataBlob;
PCERT_AUTHORITY_KEY_ID_INFO pAuthKeyIdentifier;
switch (dwMatchType) { case CERT_EXACT_ISSUER_MATCH_TYPE: hCache = pCertObjectCache->IdentifierIndex(); pCertObject->GetIssuerExactMatchHash(&DataBlob); pIdentifier = &DataBlob; break; case CERT_KEYID_ISSUER_MATCH_TYPE: hCache = pCertObjectCache->KeyIdIndex(); pAuthKeyIdentifier = pCertObject->AuthorityKeyIdentifier(); pIdentifier = &pAuthKeyIdentifier->KeyId; break; case CERT_NAME_ISSUER_MATCH_TYPE: hCache = pCertObjectCache->SubjectNameIndex(); pIdentifier = &pCertObject->CertContext()->pCertInfo->Issuer; break; case CERT_PUBKEY_ISSUER_MATCH_TYPE: hCache = pCertObjectCache->PublicKeyHashIndex(); DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = pCertObject->IssuerPublicKeyHash(); pIdentifier = &DataBlob; break; default: goto InvalidMatchType; }
pIssuer = pCertObjectCache->FindIssuerObject(hCache, pIdentifier); while (pIssuer) { DWORD dwIssuerStatusFlags;
if (!m_pIssuerList->AddIssuer( pCallContext, hAdditionalStore, pIssuer )) goto AddIssuerError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (CERT_PUBKEY_ISSUER_MATCH_TYPE != dwMatchType && (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG);
// We will be called again using the PUBKEY match
goto SuccessReturn; }
switch (dwMatchType) { case CERT_EXACT_ISSUER_MATCH_TYPE: hEntry = pIssuer->IdentifierIndexEntry(); break; case CERT_KEYID_ISSUER_MATCH_TYPE: hEntry = pIssuer->KeyIdIndexEntry(); break; case CERT_NAME_ISSUER_MATCH_TYPE: hEntry = pIssuer->SubjectNameIndexEntry(); break; case CERT_PUBKEY_ISSUER_MATCH_TYPE: hEntry = pIssuer->PublicKeyHashIndexEntry(); break; default: goto InvalidMatchType; }
pIssuer = pCertObjectCache->NextMatchingIssuerObject(hEntry, pIssuer); }
SuccessReturn: fResult = TRUE;CommonReturn: if (pIssuer) { DWORD dwErr = GetLastError();
pIssuer->Release();
SetLastError(dwErr); } return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn;SET_ERROR(InvalidMatchType, E_UNEXPECTED)TRACE_ERROR(AddIssuerError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::FindAndAddIssuersFromStoreByMatchType, public
//
// Synopsis: find and add issuers from either the engine's or an
// external store for the specified match type
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::FindAndAddIssuersFromStoreByMatchType( IN DWORD dwMatchType, IN PCCHAINCALLCONTEXT pCallContext, IN BOOL fExternalStore, IN OPTIONAL HCERTSTORE hAdditionalStore, IN OPTIONAL HCERTSTORE hIssuerUrlStore ){ BOOL fResult; PCCERTOBJECT pCertObject = m_pCertObject; PCCERTCHAINENGINE pChainEngine = pCertObject->ChainEngine();
HCERTSTORE hAdditionalStoreToUse = NULL; HCERTSTORE hStore = NULL; PCCERT_CONTEXT pCertContext = NULL; DWORD dwFindType; const void *pvFindPara; CRYPT_DATA_BLOB DataBlob; CERT_INFO CertInfo; PCERT_AUTHORITY_KEY_ID_INFO pAuthKeyIdentifier;
if (fExternalStore) { if (hIssuerUrlStore) { hStore = CertDuplicateStore(hIssuerUrlStore); if (hAdditionalStore) { hAdditionalStoreToUse = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL ); if (NULL == hAdditionalStoreToUse) goto OpenCollectionStoreError;
if (!CertAddStoreToCollection(hAdditionalStoreToUse, hIssuerUrlStore, 0, 0)) goto AddToCollectionStoreError; if (!CertAddStoreToCollection(hAdditionalStoreToUse, hAdditionalStore, 0, 0)) goto AddToCollectionStoreError; } else hAdditionalStoreToUse = CertDuplicateStore(hIssuerUrlStore);
} else { assert(hAdditionalStore); hStore = CertDuplicateStore(hAdditionalStore); hAdditionalStoreToUse = CertDuplicateStore(hAdditionalStore); } } else { hStore = CertDuplicateStore(pChainEngine->OtherStore()); if (hAdditionalStore) hAdditionalStoreToUse = CertDuplicateStore(hAdditionalStore); }
switch (dwMatchType) { case CERT_EXACT_ISSUER_MATCH_TYPE: dwFindType = CERT_FIND_SUBJECT_CERT; pAuthKeyIdentifier = pCertObject->AuthorityKeyIdentifier(); CertInfo.Issuer = pAuthKeyIdentifier->CertIssuer; CertInfo.SerialNumber = pAuthKeyIdentifier->CertSerialNumber; pvFindPara = (const void *) &CertInfo; break; case CERT_KEYID_ISSUER_MATCH_TYPE: dwFindType = CERT_FIND_KEY_IDENTIFIER; pAuthKeyIdentifier = pCertObject->AuthorityKeyIdentifier(); pvFindPara = (const void *) &pAuthKeyIdentifier->KeyId; break; case CERT_NAME_ISSUER_MATCH_TYPE: dwFindType = CERT_FIND_SUBJECT_NAME; pvFindPara = (const void *) &pCertObject->CertContext()->pCertInfo->Issuer; break; case CERT_PUBKEY_ISSUER_MATCH_TYPE: dwFindType = CERT_FIND_PUBKEY_MD5_HASH; DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = pCertObject->IssuerPublicKeyHash(); pvFindPara = (const void *) &DataBlob; break; default: goto InvalidMatchType; }
while (pCertContext = CertFindCertificateInStore( hStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, // dwFindFlags
dwFindType, pvFindPara, pCertContext )) { DWORD dwIssuerStatusFlags; PCCERTOBJECT pIssuer = NULL;
if (!ChainCreateCertObject ( fExternalStore ? CERT_EXTERNAL_ISSUER_OBJECT_TYPE : CERT_CACHED_ISSUER_OBJECT_TYPE, pCallContext, pCertContext, NULL, // rgbCertHash
&pIssuer )) goto CreateIssuerObjectError;
fResult = m_pIssuerList->AddIssuer( pCallContext, hAdditionalStoreToUse, pIssuer ); pIssuer->Release(); if (!fResult) goto AddIssuerError;
dwIssuerStatusFlags = pCertObject->IssuerStatusFlags(); if (CERT_PUBKEY_ISSUER_MATCH_TYPE != dwMatchType && (dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG);
// We will be called again using the PUBKEY match
goto SuccessReturn; } }
if (CRYPT_E_NOT_FOUND != GetLastError()) goto FindCertificateInStoreError;
if (!fExternalStore) // All matching issuers from the engine's store should be in
// the cache now.
pCertObject->OrCachedMatchFlags(CERT_MATCH_TYPE_TO_FLAG(dwMatchType));
SuccessReturn: fResult = TRUE;CommonReturn: if (pCertContext) CertFreeCertificateContext(pCertContext);
if (hAdditionalStoreToUse) CertCloseStore(hAdditionalStoreToUse, 0); if (hStore) CertCloseStore(hStore, 0);
return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn; TRACE_ERROR(OpenCollectionStoreError)TRACE_ERROR(AddToCollectionStoreError)SET_ERROR(InvalidMatchType, E_UNEXPECTED)TRACE_ERROR(CreateIssuerObjectError)TRACE_ERROR(AddIssuerError)TRACE_ERROR(FindCertificateInStoreError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::FindAndAddCtlIssuersFromCache, public
//
// Synopsis: find and add matching CTL issuers from the cache
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::FindAndAddCtlIssuersFromCache ( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL HCERTSTORE hAdditionalStore ){ PCERT_OBJECT_CTL_CACHE_ENTRY pEntry;
assert(m_pCertObject->IssuerStatusFlags() & CERT_ISSUER_SELF_SIGNED_FLAG); assert(!(m_pCertObject->IssuerStatusFlags() & CERT_ISSUER_TRUSTED_ROOT_FLAG));
pEntry = NULL; while (pEntry = m_pCertObject->NextCtlCacheEntry(pEntry)) { PCERT_TRUST_LIST_INFO pTrustListInfo = NULL;
if (!SSCtlAllocAndCopyTrustListInfo( pEntry->pTrustListInfo, &pTrustListInfo )) return FALSE;
if (!m_pIssuerList->AddCtlIssuer( pCallContext, hAdditionalStore, pEntry->pSSCtlObject, pTrustListInfo )) { SSCtlFreeTrustListInfo(pTrustListInfo); return FALSE; } }
return TRUE;}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::FindAndAddCtlIssuersFromAdditionalStore, public
//
// Synopsis: find and add matching Ctl issuers from an additional store
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::FindAndAddCtlIssuersFromAdditionalStore ( IN PCCHAINCALLCONTEXT pCallContext, IN HCERTSTORE hAdditionalStore ){ BOOL fResult; PCCTL_CONTEXT pCtlContext = NULL; PCSSCTLOBJECT pSSCtlObject = NULL;
assert(hAdditionalStore);
while (pCtlContext = CertEnumCTLsInStore(hAdditionalStore, pCtlContext)) { PCERT_TRUST_LIST_INFO pTrustListInfo = NULL;
pSSCtlObject = NULL;
if (!SSCtlCreateCtlObject( m_pCertObject->ChainEngine(), pCtlContext, TRUE, // fAdditionalStore
&pSSCtlObject )) // Should look at the different errors
continue; if (!pSSCtlObject->GetTrustListInfo( m_pCertObject->CertContext(), &pTrustListInfo )) { DWORD dwErr = GetLastError(); if (CRYPT_E_NOT_FOUND != dwErr) goto GetTrustListInfoError; else { pSSCtlObject->Release(); continue; } }
if (!m_pIssuerList->AddCtlIssuer( pCallContext, hAdditionalStore, pSSCtlObject, pTrustListInfo )) { SSCtlFreeTrustListInfo(pTrustListInfo); goto AddCtlIssuerError; }
pSSCtlObject->Release(); }
fResult = TRUE;
CommonReturn: return fResult;ErrorReturn: if (pCtlContext) CertFreeCTLContext(pCtlContext); if (pSSCtlObject) pSSCtlObject->Release();
fResult = FALSE; goto CommonReturn;
TRACE_ERROR(GetTrustListInfoError)TRACE_ERROR(AddCtlIssuerError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::NextPath, public
//
// Synopsis: Get the next top path object for this end path object.
// If CERT_QUALITY_NO_DUPLICATE_KEY is set in the
// Pass1Quality, advances past paths containing duplicate keys.
//
//----------------------------------------------------------------------------
PCCHAINPATHOBJECTCChainPathObject::NextPath ( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL PCCHAINPATHOBJECT pPrevTopPathObject ){ PCCHAINPATHOBJECT pTopPathObject = pPrevTopPathObject;
while (pTopPathObject = NextPathWithoutDuplicateKeyCheck( pCallContext, pTopPathObject )) { BOOL fDuplicateKey = FALSE; PCCHAINPATHOBJECT pSubjectObject;
for (pSubjectObject = pTopPathObject->m_pDownPathObject; NULL != pSubjectObject; pSubjectObject = pSubjectObject->m_pDownPathObject) { if (0 == (pSubjectObject->m_dwPass1Quality & CERT_QUALITY_NO_DUPLICATE_KEY)) break;
LPBYTE pbSubjectPublicKeyHash = pSubjectObject->m_pCertObject->PublicKeyHash(); PCERT_ISSUER_ELEMENT pIssuerElement; PCCHAINPATHOBJECT pIssuerObject;
for (pIssuerElement = pSubjectObject->m_pUpIssuerElement; NULL != pIssuerElement && NULL != (pIssuerObject = pIssuerElement->pIssuer); pIssuerElement = pIssuerObject->m_pUpIssuerElement) { if (0 == memcmp(pbSubjectPublicKeyHash, pIssuerObject->m_pCertObject->PublicKeyHash(), CHAINHASHLEN)) { fDuplicateKey = TRUE; break; } }
if (fDuplicateKey) break; }
if (!fDuplicateKey) break; }
return pTopPathObject;}
VOIDCChainPathObject::ResetNextPath ( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL PCCHAINPATHOBJECT pTopPathObject ){ while (pTopPathObject) { PCERT_ISSUER_ELEMENT pSubjectIssuerElement = pTopPathObject->m_pDownIssuerElement; PCCHAINPATHOBJECT pSubjectPathObject = pTopPathObject->m_pDownPathObject;
pTopPathObject->m_pDownPathObject = NULL; pTopPathObject->m_fHasAdditionalStatus = FALSE; pTopPathObject->m_pDownIssuerElement = NULL;
if (pSubjectIssuerElement && pSubjectIssuerElement->pCyclicSaveIssuer) {
// Remove and delete the cyclic path object
ChainDeleteCyclicPathObject( pCallContext, pSubjectIssuerElement->pIssuer );
// Restore the issuer replaced by the cyclic issuer
pSubjectIssuerElement->pIssuer = pSubjectIssuerElement->pCyclicSaveIssuer; pSubjectIssuerElement->pCyclicSaveIssuer = NULL; }
pTopPathObject = pSubjectPathObject; }
}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::NextPathWithoutDuplicateKeyCheck, public
//
// Synopsis: Get the next top path object for this end path object
// without checking for duplicate keys.
//
//----------------------------------------------------------------------------
PCCHAINPATHOBJECTCChainPathObject::NextPathWithoutDuplicateKeyCheck ( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL PCCHAINPATHOBJECT pPrevTopPathObject ){ PCCHAINPATHOBJECT pTopPathObject; PCERT_ISSUER_ELEMENT pSubjectIssuerElement; PCCHAINPATHOBJECT pSubjectPathObject; DWORD dwFlags = pCallContext->CallFlags();
if (NULL == pPrevTopPathObject) { pSubjectIssuerElement = NULL; pSubjectPathObject = NULL; } else { // Find the next issuer for the issuer's subject certificate.
// We iterate downward toward the end certificate
while (TRUE) { pSubjectIssuerElement = pPrevTopPathObject->m_pDownIssuerElement; pSubjectPathObject = pPrevTopPathObject->m_pDownPathObject;
// Set to NULL so it can be reused. Used to determine if
// cyclic.
pPrevTopPathObject->m_pDownPathObject = NULL; pPrevTopPathObject->m_fHasAdditionalStatus = FALSE;
if (NULL == pSubjectPathObject) { // We have reached the end certificate without having a
// next path
SetLastError((DWORD) CRYPT_E_NOT_FOUND); goto NoPath; }
assert(pSubjectIssuerElement); if (pSubjectIssuerElement->pCyclicSaveIssuer) {
// Remove and delete the cyclic path object
ChainDeleteCyclicPathObject( pCallContext, pSubjectIssuerElement->pIssuer );
// Restore the issuer replaced by the cyclic issuer
pSubjectIssuerElement->pIssuer = pSubjectIssuerElement->pCyclicSaveIssuer; pSubjectIssuerElement->pCyclicSaveIssuer = NULL; }
// Move on to the next issuer for the subject. Skip low
// quality issuers
while (pSubjectIssuerElement = pSubjectPathObject->m_pIssuerList->NextElement( pSubjectIssuerElement)) { if ((dwFlags & CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING) || ((pSubjectIssuerElement->dwPass1Quality >= pSubjectPathObject->m_dwPass1Quality) && (pSubjectIssuerElement->dwPass1DuplicateKeyDepth <= pSubjectPathObject->m_dwPass1DuplicateKeyDepth))) { // For a CTL, check that we have an issuer
if (NULL != pSubjectIssuerElement->pIssuer) break; else { assert(pSubjectIssuerElement->fCtlIssuer); } } }
if (pSubjectIssuerElement) // The subject has another issuer
break;
// Note, a untrusted self signed root without CTLs is equal and
// possibly higher quality than having untrusted CTLs
if ((pSubjectPathObject->m_TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) && (dwFlags & CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING) && !(pSubjectPathObject->m_dwPass1Quality & CERT_QUALITY_HAS_TRUSTED_ROOT)) { pTopPathObject = pSubjectPathObject; pTopPathObject->m_pUpIssuerElement = NULL; goto SelfSignedRootInsteadOfCtlPathReturn; }
// Find the next issuer for my subject
pPrevTopPathObject = pSubjectPathObject; } }
// Iterate upward until the TopPathObject's issuer list is empty or
// we have detected a cyclic PathObject
while (TRUE) { if (NULL == pSubjectIssuerElement) { // End (bottom) certificate
pTopPathObject = this; pTopPathObject->m_dwChainIndex = 0; pTopPathObject->m_dwElementIndex = 0; } else { pTopPathObject = pSubjectIssuerElement->pIssuer; // Determine if cyclic.
if (pTopPathObject->m_pDownPathObject || pTopPathObject == this) { // The returned Cyclic path won't have any issuers
if (!ChainCreateCyclicPathObject( pCallContext, pTopPathObject, &pTopPathObject )) goto CreateCyclicPathObjectError; pSubjectIssuerElement->pCyclicSaveIssuer = pSubjectIssuerElement->pIssuer; pSubjectIssuerElement->pIssuer = pTopPathObject; }
if (pSubjectPathObject->m_TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) { pTopPathObject->m_dwChainIndex = pSubjectPathObject->m_dwChainIndex + 1; pTopPathObject->m_dwElementIndex = 0; } else { pTopPathObject->m_dwChainIndex = pSubjectPathObject->m_dwChainIndex; pTopPathObject->m_dwElementIndex = pSubjectPathObject->m_dwElementIndex + 1; }
pSubjectPathObject->m_pUpIssuerElement = pSubjectIssuerElement;
}
pTopPathObject->m_pDownIssuerElement = pSubjectIssuerElement; pTopPathObject->m_pDownPathObject = pSubjectPathObject;
pSubjectPathObject = pTopPathObject;
// Find the first issuer having sufficient quality
pSubjectIssuerElement = NULL; while (pSubjectIssuerElement = pSubjectPathObject->m_pIssuerList->NextElement( pSubjectIssuerElement)) { if ((dwFlags & CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING) || ((pSubjectIssuerElement->dwPass1Quality >= pSubjectPathObject->m_dwPass1Quality) && (pSubjectIssuerElement->dwPass1DuplicateKeyDepth <= pSubjectPathObject->m_dwPass1DuplicateKeyDepth))) { // For a CTL, check that we have an issuer
if (NULL != pSubjectIssuerElement->pIssuer) break; else { assert(pSubjectIssuerElement->fCtlIssuer); } } }
if (NULL == pSubjectIssuerElement) { pTopPathObject->m_pUpIssuerElement = NULL; break; }
}
SelfSignedRootInsteadOfCtlPathReturn:CommonReturn: return pTopPathObject;
NoPath:ErrorReturn: pTopPathObject = NULL; goto CommonReturn;TRACE_ERROR(CreateCyclicPathObjectError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CalculateAdditionalStatus, public
//
// Synopsis: calculate additional status bits based on time, usage,
// revocation, ...
//
//----------------------------------------------------------------------------
VOIDCChainPathObject::CalculateAdditionalStatus ( IN PCCHAINCALLCONTEXT pCallContext, IN HCERTSTORE hAllStore ){ PCERT_INFO pCertInfo = m_pCertObject->CertContext()->pCertInfo; FILETIME RequestedTime; FILETIME CurrentTime;
assert(!m_fHasAdditionalStatus); memset(&m_AdditionalStatus, 0, sizeof(m_AdditionalStatus)); if (m_pwszExtendedErrorInfo) { PkiFree(m_pwszExtendedErrorInfo); m_pwszExtendedErrorInfo = NULL; }
pCallContext->RequestedTime(&RequestedTime); pCallContext->CurrentTime(&CurrentTime);
if (0 == m_dwChainIndex) { // First simple chain
if (0 == m_dwElementIndex) { // End cert
if (pCallContext->CallFlags() & CERT_CHAIN_TIMESTAMP_TIME) { // For time stamping, the end certificate needs to be valid
// for both the time stamped and current times.
if (0 != CertVerifyTimeValidity(&RequestedTime, pCertInfo) || 0 != CertVerifyTimeValidity(&CurrentTime, pCertInfo)) m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_VALID; } else { // End certificate needs to be valid for the requested time
if (0 != CertVerifyTimeValidity(&RequestedTime, pCertInfo)) m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_VALID; } } else { // CA or root
if (pCallContext->CallFlags() & CERT_CHAIN_TIMESTAMP_TIME) { // For time stamping, the CA or root needs to be valid using
// current time
if (0 != CertVerifyTimeValidity(&CurrentTime, pCertInfo)) m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_VALID; } else { // The CA or root needs to be valid using either the requested
// or current time. Allowing current time is necessary for
// cross certificate chains.
if (!(0 == CertVerifyTimeValidity(&RequestedTime, pCertInfo) || 0 == CertVerifyTimeValidity(&CurrentTime, pCertInfo))) m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_VALID; } } } else { // CTL signer chains. Must be valid using current time.
if (0 != CertVerifyTimeValidity(&CurrentTime, pCertInfo)) m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_VALID; } if (m_pDownIssuerElement) { PCERT_USAGE_MATCH pUsageToUse; CERT_USAGE_MATCH CtlUsage; LPSTR pszUsage = szOID_KP_CTL_USAGE_SIGNING;
// Update subject's issuer status
assert (m_pDownIssuerElement->pIssuer = this);
if (0 != m_pDownPathObject->m_dwChainIndex) { // CTL path object
memset(&CtlUsage, 0, sizeof(CtlUsage));
CtlUsage.dwType = USAGE_MATCH_TYPE_AND; CtlUsage.Usage.cUsageIdentifier = 1; CtlUsage.Usage.rgpszUsageIdentifier = &pszUsage;
pUsageToUse = &CtlUsage; } else pUsageToUse = &pCallContext->ChainPara()->RequestedUsage;
if (m_pDownIssuerElement->fCtlIssuer) { FILETIME CurrentTime;
memset(&m_pDownIssuerElement->SubjectStatus, 0, sizeof(m_pDownIssuerElement->SubjectStatus)); pCallContext->CurrentTime(&CurrentTime); m_pDownIssuerElement->pCtlIssuerData->pSSCtlObject-> CalculateStatus( &CurrentTime, pUsageToUse, &m_pDownIssuerElement->SubjectStatus ); } else { CalculatePolicyConstraintsStatus(); CalculateBasicConstraintsStatus(); CalculateKeyUsageStatus(); CalculateNameConstraintsStatus(pUsageToUse); } }
if (pCallContext->CallFlags() & CERT_CHAIN_REVOCATION_CHECK_ALL) { // For CTL signer chains, always use current time
CalculateRevocationStatus( pCallContext, hAllStore, 0 == m_dwChainIndex ? &RequestedTime : &CurrentTime ); }
m_fHasAdditionalStatus = TRUE;}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CalculatePolicyConstraintsStatus, public
//
// Synopsis: calculate policy constraints additional status for this
// issuer
//
//----------------------------------------------------------------------------
VOIDCChainPathObject::CalculatePolicyConstraintsStatus (){ PCHAIN_POLICIES_INFO pPoliciesInfo; DWORD i;
assert (0 != m_dwElementIndex);
pPoliciesInfo = m_pCertObject->PoliciesInfo(); for (i = 0; i < CHAIN_ISS_OR_APP_COUNT; i++ ) { PCERT_POLICY_CONSTRAINTS_INFO pConstraints = pPoliciesInfo->rgIssOrAppInfo[i].pConstraints;
DWORD dwRequireSkipCerts; DWORD dwInhibitSkipCerts; PCCHAINPATHOBJECT pPathObject; PCCHAINPATHOBJECT pIssuerObject;
if (NULL == pConstraints) continue;
dwRequireSkipCerts = pConstraints->dwRequireExplicitPolicySkipCerts; dwInhibitSkipCerts = pConstraints->dwInhibitPolicyMappingSkipCerts; for (pIssuerObject = this, pPathObject = m_pDownPathObject; NULL != pPathObject && pPathObject->m_dwChainIndex == m_dwChainIndex; pIssuerObject = pPathObject, pPathObject = pPathObject->m_pDownPathObject) { PCHAIN_POLICIES_INFO pSubjectPoliciesInfo;
if (ChainIsKeyRolloverSubject(pIssuerObject, pPathObject)) continue;
pSubjectPoliciesInfo = pPathObject->m_pCertObject->PoliciesInfo();
if (pConstraints->fRequireExplicitPolicy) { if (0 < dwRequireSkipCerts) dwRequireSkipCerts--; else { if (NULL == pSubjectPoliciesInfo->rgIssOrAppInfo[i].pPolicy) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_POLICY_CONSTRAINTS; goto RequireExplicitPolicyError; } } }
if (pConstraints->fInhibitPolicyMapping) { if (0 < dwInhibitSkipCerts) dwInhibitSkipCerts--; else { if (pSubjectPoliciesInfo->rgIssOrAppInfo[i].pMappings) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_POLICY_CONSTRAINTS; goto InhibitPolicyMappingError; } } } } }
CommonReturn: return;
ErrorReturn: goto CommonReturn;TRACE_ERROR(RequireExplicitPolicyError)TRACE_ERROR(InhibitPolicyMappingError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CalculateBasicConstraintsStatus, public
//
// Synopsis: calculate basic constraints additional status for this
// issuer
//
//----------------------------------------------------------------------------
VOIDCChainPathObject::CalculateBasicConstraintsStatus (){ PCERT_BASIC_CONSTRAINTS2_INFO pInfo;
assert (0 != m_dwElementIndex);
if (m_pCertObject->InfoFlags() & CHAIN_INVALID_BASIC_CONSTRAINTS_INFO_FLAG) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_BASIC_CONSTRAINTS; }
pInfo = m_pCertObject->BasicConstraintsInfo(); if (NULL == pInfo) { if (0 != (m_TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) || CertObject()->ChainEngine()->DisableMandatoryBasicConstraints()) return;
m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_BASIC_CONSTRAINTS; goto BasicConstraintsError; }
if (!pInfo->fCA) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_BASIC_CONSTRAINTS; goto BasicConstraintsError; }
if (pInfo->fPathLenConstraint && m_dwElementIndex > pInfo->dwPathLenConstraint + 1) {
DWORD dwElementIndex; PCCHAINPATHOBJECT pIssuer; PCCHAINPATHOBJECT pSubject;
// Remove any key rollover entries
for (pIssuer = this, pSubject = m_pDownPathObject, dwElementIndex = m_dwElementIndex; NULL != pSubject && pSubject->m_dwChainIndex == m_dwChainIndex; pIssuer = pSubject, pSubject = pSubject->m_pDownPathObject) { if (ChainIsKeyRolloverSubject(pIssuer, pSubject)) dwElementIndex--; }
if (dwElementIndex > pInfo->dwPathLenConstraint + 1) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_BASIC_CONSTRAINTS; goto BasicConstraintsError; } }
CommonReturn: return;
ErrorReturn: goto CommonReturn;TRACE_ERROR(BasicConstraintsError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CalculateKeyUsageStatus, public
//
// Synopsis: calculate key usage additional status for this
// issuer
//
//----------------------------------------------------------------------------
VOIDCChainPathObject::CalculateKeyUsageStatus (){ PCRYPT_BIT_BLOB pKeyUsage;
assert (0 != m_dwElementIndex);
if (m_pCertObject->InfoFlags() & CHAIN_INVALID_KEY_USAGE_FLAG) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_IS_NOT_VALID_FOR_USAGE; }
pKeyUsage = m_pCertObject->KeyUsage(); if (NULL == pKeyUsage) return;
if (1 > pKeyUsage->cbData || 0 == (pKeyUsage->pbData[0] & CERT_KEY_CERT_SIGN_KEY_USAGE)) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_VALID_FOR_USAGE; goto KeyUsageError; }
CommonReturn: return;
ErrorReturn: goto CommonReturn;TRACE_ERROR(KeyUsageError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CalculateNameConstraintsStatus, public
//
// Synopsis: calculate name constraints additional status for this
// issuer
//
//----------------------------------------------------------------------------
VOIDCChainPathObject::CalculateNameConstraintsStatus ( IN PCERT_USAGE_MATCH pUsageToUse ){ PCERT_NAME_CONSTRAINTS_INFO pIssuerInfo; PCHAIN_SUBJECT_NAME_CONSTRAINTS_INFO pSubjectInfo; PCERT_BASIC_CONSTRAINTS2_INFO pSubjectBasicInfo; PCCHAINPATHOBJECT pSubjectObject; DWORD dwErrorStatus = 0;
assert (0 != m_dwElementIndex);
if (m_pCertObject->InfoFlags() & CHAIN_INVALID_ISSUER_NAME_CONSTRAINTS_INFO_FLAG) { m_AdditionalStatus.dwErrorStatus |= CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
ChainFormatAndAppendExtendedErrorInfo( &m_pwszExtendedErrorInfo, IDS_INVALID_ISSUER_NAME_CONSTRAINT_EXT ); } pIssuerInfo = m_pCertObject->IssuerNameConstraintsInfo(); if (NULL == pIssuerInfo) // No NameConstraint check
return;
// We only verify the name constraints on the end cert
for (pSubjectObject = m_pDownPathObject; NULL != pSubjectObject && 0 != pSubjectObject->m_dwElementIndex; pSubjectObject = pSubjectObject->m_pDownPathObject) ;
assert(pSubjectObject); assert(pSubjectObject->m_dwChainIndex == m_dwChainIndex); if (NULL == pSubjectObject) return;
pSubjectBasicInfo = pSubjectObject->m_pCertObject->BasicConstraintsInfo(); if (pSubjectBasicInfo && pSubjectBasicInfo->fCA) // End cert is a CA.
return;
pSubjectInfo = pSubjectObject->m_pCertObject->SubjectNameConstraintsInfo();
if (pSubjectInfo->fInvalid) { dwErrorStatus |= CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
ChainFormatAndAppendExtendedErrorInfo( &m_pwszExtendedErrorInfo, IDS_INVALID_SUBJECT_NAME_CONSTRAINT_INFO );
goto InvalidNameConstraints; }
if (pSubjectInfo->pAltNameInfo) { // Loop through all the AltName entries. There needs to be a
// name constraint for each entry.
DWORD cEntry; PCERT_ALT_NAME_ENTRY pEntry; cEntry = pSubjectInfo->pAltNameInfo->cAltEntry; pEntry = pSubjectInfo->pAltNameInfo->rgAltEntry; for ( ; 0 < cEntry; cEntry--, pEntry++) { BOOL fSupported;
// Check if a NameConstraint for this entry choice is supported
fSupported = FALSE; switch (pEntry->dwAltNameChoice) { case CERT_ALT_NAME_OTHER_NAME: case CERT_ALT_NAME_RFC822_NAME: case CERT_ALT_NAME_DNS_NAME: case CERT_ALT_NAME_URL: case CERT_ALT_NAME_DIRECTORY_NAME: fSupported = TRUE; break; case CERT_ALT_NAME_IP_ADDRESS: // Only support 4 or 16 byte IP addresses
if (4 == pEntry->IPAddress.cbData || 16 == pEntry->IPAddress.cbData) fSupported = TRUE; break; case CERT_ALT_NAME_X400_ADDRESS: case CERT_ALT_NAME_EDI_PARTY_NAME: case CERT_ALT_NAME_REGISTERED_ID: default: // Not supported
break; }
if (!fSupported) { dwErrorStatus |= CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
ChainFormatAndAppendNameConstraintsAltNameEntryFixup( &m_pwszExtendedErrorInfo, pEntry, IDS_NOT_SUPPORTED_ENTRY_NAME_CONSTRAINT ); } else dwErrorStatus |= ChainCalculateNameConstraintsErrorStatusForAltNameEntry( pEntry, pIssuerInfo, &m_pwszExtendedErrorInfo); } }
if (pSubjectInfo->pUnicodeNameInfo) { // Check as a DIRECTORY_NAME AltNameEntry choice. The DIRECTORY_NAME
// fixup expects the DirectoryName.pbData to be the decoded and
// fixup'ed UnicodeNameInfo.
CERT_ALT_NAME_ENTRY Entry;
Entry.dwAltNameChoice = CERT_ALT_NAME_DIRECTORY_NAME; Entry.DirectoryName.pbData = (BYTE *) pSubjectInfo->pUnicodeNameInfo; dwErrorStatus |= ChainCalculateNameConstraintsErrorStatusForAltNameEntry( &Entry, pIssuerInfo, &m_pwszExtendedErrorInfo); }
if (pSubjectInfo->pEmailAttr) { // The SubjectAltName doesn't have an email choice. However, there is an
// email attribute in the Subject UnicodeNameInfo.
//
// Check as a CERT_ALT_NAME_RFC822_NAME AltNameEntry choice. The
// RFC822 fixup uses the DirectoryName.pbData and DirectoryName.cbData
// to contain the pointer to and length of the unicode string.
CERT_ALT_NAME_ENTRY Entry; Entry.dwAltNameChoice = CERT_ALT_NAME_RFC822_NAME; Entry.DirectoryName = pSubjectInfo->pEmailAttr->Value; dwErrorStatus |= ChainCalculateNameConstraintsErrorStatusForAltNameEntry( &Entry, pIssuerInfo, &m_pwszExtendedErrorInfo); }
if (!pSubjectInfo->fHasDnsAltNameEntry && NULL != pSubjectInfo->pUnicodeNameInfo && ChainIsOIDInUsage(szOID_PKIX_KP_SERVER_AUTH, &pUsageToUse->Usage)) { // The SubjectAltName doesn't have a DNS choice and we are building
// a ServerAuth chain.
// Need to check all the CN components in the UnicodeNameInfo.
DWORD cRDN; PCERT_RDN pRDN;
cRDN = pSubjectInfo->pUnicodeNameInfo->cRDN; pRDN = pSubjectInfo->pUnicodeNameInfo->rgRDN; for ( ; cRDN > 0; cRDN--, pRDN++) { DWORD cAttr = pRDN->cRDNAttr; PCERT_RDN_ATTR pAttr = pRDN->rgRDNAttr; for ( ; cAttr > 0; cAttr--, pAttr++) { if (!IS_CERT_RDN_CHAR_STRING(pAttr->dwValueType)) continue; if (0 == strcmp(pAttr->pszObjId, szOID_COMMON_NAME)) { //
// Check as a CERT_ALT_NAME_DNS_NAME AltNameEntry choice.
// The DNS fixup uses the DirectoryName.pbData and
// DirectoryName.cbData to contain the pointer to and
// length of the unicode string.
CERT_ALT_NAME_ENTRY Entry; Entry.dwAltNameChoice = CERT_ALT_NAME_DNS_NAME; Entry.DirectoryName = pAttr->Value; dwErrorStatus |= ChainCalculateNameConstraintsErrorStatusForAltNameEntry( &Entry, pIssuerInfo, &m_pwszExtendedErrorInfo); } } } }
CommonReturn: if (0 == dwErrorStatus) m_AdditionalStatus.dwInfoStatus |= CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS; else m_AdditionalStatus.dwErrorStatus |= dwErrorStatus; return;
ErrorReturn: goto CommonReturn;TRACE_ERROR(InvalidNameConstraints)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CalculateRevocationStatus, public
//
// Synopsis: calculate additional status bits based on revocation
//
//----------------------------------------------------------------------------
VOIDCChainPathObject::CalculateRevocationStatus ( IN PCCHAINCALLCONTEXT pCallContext, IN HCERTSTORE hCrlStore, IN LPFILETIME pTime ){ CERT_REVOCATION_PARA RevPara; CERT_REVOCATION_STATUS RevStatus; DWORD dwRevFlags; DWORD dwFlags = pCallContext->CallFlags(); PCERT_CHAIN_PARA pChainPara = pCallContext->ChainPara(); FILETIME CurrentTime;
assert(dwFlags & CERT_CHAIN_REVOCATION_CHECK_ALL);
memset( &RevPara, 0, sizeof( RevPara ) ); RevPara.cbSize = sizeof( RevPara ); RevPara.hCrlStore = hCrlStore; RevPara.pftTimeToUse = pTime; RevPara.dwUrlRetrievalTimeout = pCallContext->RevocationUrlRetrievalTimeout(); RevPara.fCheckFreshnessTime = pChainPara->fCheckRevocationFreshnessTime; RevPara.dwFreshnessTime = pChainPara->dwRevocationFreshnessTime; pCallContext->CurrentTime(&CurrentTime); RevPara.pftCurrentTime = &CurrentTime;
memset( &RevStatus, 0, sizeof( RevStatus ) ); RevStatus.cbSize = sizeof( RevStatus );
dwRevFlags = 0; if (dwFlags & CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY) dwRevFlags |= CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION; if (dwFlags & CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT) dwRevFlags |= CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG;
if (!m_fHasRevocationInfo) { BOOL fHasRevocationInfo = FALSE;
if (m_TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) { BOOL fDoRevocation = FALSE;
if (dwFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT) { ; } else if (dwFlags & CERT_CHAIN_REVOCATION_CHECK_END_CERT) { if (0 == m_dwChainIndex && 0 == m_dwElementIndex) fDoRevocation = TRUE; } else { assert(dwFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN); fDoRevocation = TRUE; }
if (fDoRevocation) { PCCERT_CONTEXT pSubjectCert = m_pCertObject->CertContext(); RevPara.pIssuerCert = m_pCertObject->CertContext(); RevPara.pCrlInfo = &m_RevocationCrlInfo; m_RevocationCrlInfo.cbSize = sizeof(m_RevocationCrlInfo);
RevStatus.dwError = (DWORD) CRYPT_E_REVOCATION_OFFLINE; if (IsValidCertQualityForRevocationCheck(m_dwPass1Quality)) CertVerifyRevocation( X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE, 1, (LPVOID *) &pSubjectCert, dwRevFlags, &RevPara, &RevStatus ); fHasRevocationInfo = TRUE; } } else if (NULL == m_pUpIssuerElement) { if (dwFlags & CERT_CHAIN_REVOCATION_CHECK_END_CERT) { if (0 == m_dwChainIndex && 0 == m_dwElementIndex) fHasRevocationInfo = TRUE; } else { fHasRevocationInfo = TRUE; }
if (fHasRevocationInfo) { RevStatus.dwError = (DWORD) CRYPT_E_REVOCATION_OFFLINE; } }
if (fHasRevocationInfo) { ChainUpdateRevocationInfo(&RevStatus, &m_RevocationInfo, &m_TrustStatus); m_fHasRevocationInfo = TRUE;
memset( &RevStatus, 0, sizeof( RevStatus ) ); RevStatus.cbSize = sizeof( RevStatus ); } }
if (m_pDownIssuerElement && !m_pDownIssuerElement->fCtlIssuer && !m_pDownIssuerElement->fHasRevocationInfo) { BOOL fDoRevocation = FALSE;
if (dwFlags & CERT_CHAIN_REVOCATION_CHECK_END_CERT) { if (0 == m_dwChainIndex && 1 == m_dwElementIndex) fDoRevocation = TRUE; } else { fDoRevocation = TRUE; }
if (fDoRevocation) { PCCERT_CONTEXT pSubjectCert = m_pDownPathObject->m_pCertObject->CertContext(); RevPara.pIssuerCert = m_pCertObject->CertContext(); RevPara.pCrlInfo = &m_pDownIssuerElement->RevocationCrlInfo; m_pDownIssuerElement->RevocationCrlInfo.cbSize = sizeof(m_pDownIssuerElement->RevocationCrlInfo);
RevStatus.dwError = (DWORD) CRYPT_E_REVOCATION_OFFLINE;
if (IsValidCertQualityForRevocationCheck( m_pDownIssuerElement->dwPass1Quality)) { BOOL fRevokedIssuer = FALSE; PCCHAINPATHOBJECT pIssuerObject = this;
while (TRUE) { PCERT_ISSUER_ELEMENT pIssuerElement = pIssuerObject->m_pUpIssuerElement;
if (NULL == pIssuerElement) { if (pIssuerObject->m_TrustStatus.dwErrorStatus & CERT_TRUST_IS_REVOKED) fRevokedIssuer = TRUE; break; } else { if (pIssuerElement->SubjectStatus.dwErrorStatus & CERT_TRUST_IS_REVOKED) { fRevokedIssuer = TRUE; break; } pIssuerObject = pIssuerElement->pIssuer; } } if (!fRevokedIssuer) CertVerifyRevocation( X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE, 1, (LPVOID *) &pSubjectCert, dwRevFlags, &RevPara, &RevStatus ); }
ChainUpdateRevocationInfo(&RevStatus, &m_pDownIssuerElement->RevocationInfo, &m_pDownIssuerElement->SubjectStatus); m_pDownIssuerElement->fHasRevocationInfo = TRUE; } }}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::CreateChainContextFromPath, public
//
// Synopsis: Create the chain context for chain path ending in the
// specified top path object. Also calculates the chain's
// quality value.
//
//----------------------------------------------------------------------------
PINTERNAL_CERT_CHAIN_CONTEXTCChainPathObject::CreateChainContextFromPath ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCHAINPATHOBJECT pTopPathObject ){ // Single PkiZeroAlloc for all of the following:
PINTERNAL_CERT_CHAIN_CONTEXT pContext = NULL; PCERT_SIMPLE_CHAIN *ppChain; PCERT_SIMPLE_CHAIN pChain; PCERT_CHAIN_ELEMENT *ppElement; PCERT_CHAIN_ELEMENT pElement; DWORD cChain; DWORD cTotalElement; DWORD cbTotal; PCCHAINPATHOBJECT pPathObject; DWORD dwQuality; DWORD dwChainErrorStatus; DWORD dwChainInfoStatus; PCERT_ENHKEY_USAGE pAppUsage;
BOOL fHasContextRevocationFreshnessTime;
// Restricted usage info that gets propogated downward
CHAIN_RESTRICTED_USAGE_INFO RestrictedUsageInfo;
memset(&RestrictedUsageInfo, 0, sizeof(RestrictedUsageInfo));
cChain = pTopPathObject->m_dwChainIndex + 1;
if (1 == cChain) { cTotalElement = pTopPathObject->m_dwElementIndex + 1; } else { cTotalElement = 0; for (pPathObject = pTopPathObject; NULL != pPathObject; pPathObject = pPathObject->m_pDownPathObject) cTotalElement++; }
cbTotal = sizeof(INTERNAL_CERT_CHAIN_CONTEXT) + sizeof(PCERT_SIMPLE_CHAIN) * cChain + sizeof(CERT_SIMPLE_CHAIN) * cChain + sizeof(PCERT_CHAIN_ELEMENT) * cTotalElement + sizeof(CERT_CHAIN_ELEMENT) * cTotalElement;
pContext = (PINTERNAL_CERT_CHAIN_CONTEXT) PkiZeroAlloc(cbTotal); if (NULL == pContext) goto OutOfMemory; ppChain = (PCERT_SIMPLE_CHAIN *) &pContext[1]; pChain = (PCERT_SIMPLE_CHAIN) &ppChain[cChain]; ppElement = (PCERT_CHAIN_ELEMENT *) &pChain[cChain]; pElement = (PCERT_CHAIN_ELEMENT) &ppElement[cTotalElement];
pContext->cRefs = 1; pContext->ChainContext.cbSize = sizeof(CERT_CHAIN_CONTEXT); pContext->ChainContext.cChain = cChain; pContext->ChainContext.rgpChain = ppChain;
if (1 < cChain ) pContext->ChainContext.TrustStatus.dwInfoStatus |= CERT_TRUST_IS_COMPLEX_CHAIN;
// Default to having preferred issuers
pContext->ChainContext.TrustStatus.dwInfoStatus |= CERT_TRUST_HAS_PREFERRED_ISSUER;
// Default to having revocation freshness time
fHasContextRevocationFreshnessTime = TRUE;
// Work our way from the top downward
pPathObject = pTopPathObject; ppChain += cChain - 1; pChain += cChain - 1; ppElement += cTotalElement - 1; pElement += cTotalElement - 1;
if (!(pTopPathObject->m_TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED)) pChain->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_PARTIAL_CHAIN;
for ( ; 0 < cChain; cChain--, ppChain--, pChain--) { BOOL fHasChainRevocationFreshnessTime; DWORD cElement;
*ppChain = pChain; pChain->cbSize = sizeof(CERT_SIMPLE_CHAIN);
// Default to having preferred issuers
pChain->TrustStatus.dwInfoStatus |= CERT_TRUST_HAS_PREFERRED_ISSUER;
// Default to having revocation freshness time
fHasChainRevocationFreshnessTime = TRUE;
cElement = pPathObject->m_dwElementIndex + 1; pChain->cElement = cElement; pChain->rgpElement = ppElement - (cElement - 1); for ( ; 0 < cElement; cElement--, cTotalElement--, ppElement--, pElement--, pPathObject = pPathObject->m_pDownPathObject) { assert(pPathObject); *ppElement = pElement; pElement->cbSize = sizeof(CERT_CHAIN_ELEMENT);
if (!pPathObject->UpdateChainContextUsageForPathObject ( pCallContext, pChain, pElement, &RestrictedUsageInfo )) goto UpdateChainContextUsageForPathObjectError;
// This must be last. It updates the chain's TrustStatus
// from the element's TrustStatus.
if (!pPathObject->UpdateChainContextFromPathObject ( pCallContext, pChain, pElement )) goto UpdateChainContextFromPathObjectError;
// Remember the largest revocation freshness time for the
// simple chain and the chain context.
if (pElement->pRevocationInfo && fHasChainRevocationFreshnessTime) { PCERT_REVOCATION_INFO pRevInfo = pElement->pRevocationInfo;
if (pRevInfo->fHasFreshnessTime) { if (pRevInfo->dwFreshnessTime > pChain->dwRevocationFreshnessTime) pChain->dwRevocationFreshnessTime = pRevInfo->dwFreshnessTime; pChain->fHasRevocationFreshnessTime = TRUE;
if (fHasContextRevocationFreshnessTime) { if (pRevInfo->dwFreshnessTime > pContext->ChainContext.dwRevocationFreshnessTime) pContext->ChainContext.dwRevocationFreshnessTime = pRevInfo->dwFreshnessTime; pContext->ChainContext.fHasRevocationFreshnessTime = TRUE; } } else if (CRYPT_E_NO_REVOCATION_CHECK != pRevInfo->dwRevocationResult) { fHasChainRevocationFreshnessTime = FALSE; pChain->fHasRevocationFreshnessTime = FALSE;
fHasContextRevocationFreshnessTime = FALSE; pContext->ChainContext.fHasRevocationFreshnessTime = FALSE; } }
CertPerfIncrementChainElementCount();
}
ChainUpdateSummaryStatusByTrustStatus( &pContext->ChainContext.TrustStatus, &pChain->TrustStatus);
ChainFreeAndClearRestrictedUsageInfo(&RestrictedUsageInfo); }
assert(0 == cTotalElement);
// Calculate chain quality value
dwQuality = 0; dwChainErrorStatus = pContext->ChainContext.TrustStatus.dwErrorStatus; dwChainInfoStatus = pContext->ChainContext.TrustStatus.dwInfoStatus;
if (!(dwChainErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID) && !(dwChainErrorStatus & CERT_TRUST_CTL_IS_NOT_TIME_VALID)) dwQuality |= CERT_QUALITY_TIME_VALID;
if (!(dwChainErrorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE) && !(dwChainErrorStatus & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE)) dwQuality |= CERT_QUALITY_MEETS_USAGE_CRITERIA;
pAppUsage = pContext->ChainContext.rgpChain[0]->rgpElement[0]->pApplicationUsage; if (NULL == pAppUsage || 0 != pAppUsage->cUsageIdentifier) dwQuality |= CERT_QUALITY_HAS_APPLICATION_USAGE;
if (!(dwChainErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT)) dwQuality |= CERT_QUALITY_HAS_TRUSTED_ROOT;
if (!(dwChainErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID) && !(dwChainErrorStatus & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID)) dwQuality |= CERT_QUALITY_SIGNATURE_VALID;
if (!(dwChainErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)) dwQuality |= CERT_QUALITY_COMPLETE_CHAIN;
if (!(dwChainErrorStatus & CERT_TRUST_IS_REVOKED)) dwQuality |= CERT_QUALITY_NOT_REVOKED;
if (!(dwChainErrorStatus & CERT_TRUST_IS_OFFLINE_REVOCATION) && !(dwChainErrorStatus & CERT_TRUST_IS_REVOKED)) dwQuality |= CERT_QUALITY_ONLINE_REVOCATION;
if (!(dwChainErrorStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN) && !(dwChainErrorStatus & CERT_TRUST_IS_REVOKED)) dwQuality |= CERT_QUALITY_CHECK_REVOCATION;
if (!(dwChainInfoStatus & CERT_TRUST_IS_COMPLEX_CHAIN)) dwQuality |= CERT_QUALITY_SIMPLE_CHAIN;
if (dwChainInfoStatus & CERT_TRUST_HAS_PREFERRED_ISSUER) dwQuality |= CERT_QUALITY_PREFERRED_ISSUER;
if (dwChainInfoStatus & CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY) dwQuality |= CERT_QUALITY_HAS_ISSUANCE_CHAIN_POLICY; if (!(dwChainErrorStatus & (CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY | CERT_TRUST_INVALID_POLICY_CONSTRAINTS))) dwQuality |= CERT_QUALITY_POLICY_CONSTRAINTS_VALID; if (!(dwChainErrorStatus & CERT_TRUST_INVALID_BASIC_CONSTRAINTS)) dwQuality |= CERT_QUALITY_BASIC_CONSTRAINTS_VALID;
if (dwChainInfoStatus & CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS) dwQuality |= CERT_QUALITY_HAS_NAME_CONSTRAINTS; if (!(dwChainErrorStatus & (CERT_TRUST_INVALID_NAME_CONSTRAINTS | CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT | CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT))) dwQuality |= CERT_QUALITY_NAME_CONSTRAINTS_VALID; if (!(dwChainErrorStatus & (CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT | CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT))) dwQuality |= CERT_QUALITY_NAME_CONSTRAINTS_MET;
pContext->dwQuality = dwQuality;
CertPerfIncrementChainCount();
CommonReturn: return pContext;
ErrorReturn: if (pContext) { ChainReleaseInternalChainContext(pContext); pContext = NULL; }
ChainFreeAndClearRestrictedUsageInfo(&RestrictedUsageInfo); goto CommonReturn;
SET_ERROR(OutOfMemory, E_OUTOFMEMORY)TRACE_ERROR(UpdateChainContextUsageForPathObjectError)TRACE_ERROR(UpdateChainContextFromPathObjectError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::UpdateChainContextUsageForPathObject, public
//
// Synopsis: update the chain context usage information for this
// path object.
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::UpdateChainContextUsageForPathObject ( IN PCCHAINCALLCONTEXT pCallContext, IN OUT PCERT_SIMPLE_CHAIN pChain, IN OUT PCERT_CHAIN_ELEMENT pElement, IN OUT PCHAIN_RESTRICTED_USAGE_INFO pRestrictedUsageInfo ){ BOOL fResult; PCHAIN_POLICIES_INFO pPoliciesInfo = m_pCertObject->PoliciesInfo(); CERT_USAGE_MATCH CtlUsage; PCERT_USAGE_MATCH pUsageToUse; LPSTR pszUsage = szOID_KP_CTL_USAGE_SIGNING; PCERT_ENHKEY_USAGE pIssUsage; PCERT_ENHKEY_USAGE pAppUsage; PCERT_ENHKEY_USAGE pPropUsage; DWORD dwIssFlags; DWORD dwAppFlags;
static const CERT_ENHKEY_USAGE NoUsage = { 0, NULL };
// Update the usage to use for the second and subsequent chains
if (0 != m_dwChainIndex) { // CTL path object
memset(&CtlUsage, 0, sizeof(CtlUsage));
CtlUsage.dwType = USAGE_MATCH_TYPE_AND; CtlUsage.Usage.cUsageIdentifier = 1; CtlUsage.Usage.rgpszUsageIdentifier = &pszUsage;
pUsageToUse = &CtlUsage; } else { pUsageToUse = &pCallContext->ChainPara()->RequestedUsage; }
dwIssFlags = pPoliciesInfo->rgIssOrAppInfo[CHAIN_ISS_INDEX].dwFlags; dwAppFlags = pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].dwFlags;
// Update TrustStatus to reflect any policy decoding errors
if ((dwIssFlags & CHAIN_INVALID_POLICY_FLAG) || (dwAppFlags & CHAIN_INVALID_POLICY_FLAG)) pElement->TrustStatus.dwErrorStatus |= CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_POLICY_CONSTRAINTS;
// Issuance :: restricted and mapped usage
pIssUsage = pPoliciesInfo->rgIssOrAppInfo[CHAIN_ISS_INDEX].pUsage; if (NULL == pIssUsage) { // NULL => Any Usage
// Only allow any usage for self signed roots or certs having
// the CertPolicies extension. Otherwise, treat as having no usage.
if (!(m_TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) && NULL == pPoliciesInfo->rgIssOrAppInfo[CHAIN_ISS_INDEX].pPolicy) pIssUsage = (PCERT_ENHKEY_USAGE) &NoUsage; }
if (!ChainCalculateRestrictedUsage ( pIssUsage, pPoliciesInfo->rgIssOrAppInfo[CHAIN_ISS_INDEX].pMappings, &pRestrictedUsageInfo->pIssuanceRestrictedUsage, &pRestrictedUsageInfo->pIssuanceMappedUsage, &pRestrictedUsageInfo->rgdwIssuanceMappedIndex )) goto CalculateIssuanceRestrictedUsageError;
if (!ChainAllocAndCopyUsage( pRestrictedUsageInfo->pIssuanceRestrictedUsage, &pElement->pIssuanceUsage )) goto AllocAndCopyUsageError;
if (0 != m_dwElementIndex) { PCERT_POLICY_CONSTRAINTS_INFO pConstraints = pPoliciesInfo->rgIssOrAppInfo[CHAIN_ISS_INDEX].pConstraints;
if (pConstraints && pConstraints->fRequireExplicitPolicy && m_dwElementIndex > pConstraints->dwRequireExplicitPolicySkipCerts && !pRestrictedUsageInfo->fRequireIssuancePolicy) { DWORD dwElementIndex; PCCHAINPATHOBJECT pIssuer; PCCHAINPATHOBJECT pSubject;
// Remove any key rollover entries
for (pIssuer = this, pSubject = m_pDownPathObject, dwElementIndex = m_dwElementIndex; NULL != pSubject && pSubject->m_dwChainIndex == m_dwChainIndex; pIssuer = pSubject, pSubject = pSubject->m_pDownPathObject) { if (ChainIsKeyRolloverSubject(pIssuer, pSubject)) dwElementIndex--; } if (dwElementIndex > pConstraints->dwRequireExplicitPolicySkipCerts) pRestrictedUsageInfo->fRequireIssuancePolicy = TRUE; } } else { // For the end cert, update the require issuance chain policy
// TrustStatus. Also, check the requested issuance policy.
if (pRestrictedUsageInfo->fRequireIssuancePolicy) { if (pRestrictedUsageInfo->pIssuanceRestrictedUsage && 0 == pRestrictedUsageInfo->pIssuanceRestrictedUsage->cUsageIdentifier) { // Must have either ANY_POLICY or some policy OIDs
pChain->TrustStatus.dwErrorStatus |= CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY; } else if (pPoliciesInfo->rgIssOrAppInfo[CHAIN_ISS_INDEX].pPolicy) { pChain->TrustStatus.dwInfoStatus |= CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY; } }
pIssUsage = pElement->pIssuanceUsage; if (pIssUsage) { PCERT_USAGE_MATCH pRequestedIssuancePolicy = &pCallContext->ChainPara()->RequestedIssuancePolicy;
ChainGetUsageStatus( &pRequestedIssuancePolicy->Usage, pIssUsage, pRequestedIssuancePolicy->dwType, &pElement->TrustStatus ); } }
if (USAGE_MATCH_TYPE_OR == pUsageToUse->dwType && 1 < pUsageToUse->Usage.cUsageIdentifier) { // For "OR" match type request, we can't use restricted property usage
pPropUsage = pPoliciesInfo->pPropertyUsage;
// For "OR" match type request, we only use restricted application
// usage upon seeing policy mappings.
if (pRestrictedUsageInfo->pApplicationMappedUsage || pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].pMappings) { if (!ChainCalculateRestrictedUsage ( pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].pUsage, pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].pMappings, &pRestrictedUsageInfo->pApplicationRestrictedUsage, &pRestrictedUsageInfo->pApplicationMappedUsage, &pRestrictedUsageInfo->rgdwApplicationMappedIndex )) goto CalculateApplicationRestrictedUsageError; pAppUsage = pRestrictedUsageInfo->pApplicationRestrictedUsage; } else pAppUsage = pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].pUsage; } else { // Restricted property and application usage
PCERT_ENHKEY_USAGE pPropMappedUsage = NULL; LPDWORD pdwPropMappedIndex = NULL;
fResult = ChainCalculateRestrictedUsage ( pPoliciesInfo->pPropertyUsage, NULL, // pMappings
&pRestrictedUsageInfo->pPropertyRestrictedUsage, &pPropMappedUsage, &pdwPropMappedIndex ); assert(NULL == pPropMappedUsage && NULL == pdwPropMappedIndex); if (!fResult) goto CalculatePropertyRestrictedUsageError; pPropUsage = pRestrictedUsageInfo->pPropertyRestrictedUsage;
if (!ChainCalculateRestrictedUsage ( pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].pUsage, pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].pMappings, &pRestrictedUsageInfo->pApplicationRestrictedUsage, &pRestrictedUsageInfo->pApplicationMappedUsage, &pRestrictedUsageInfo->rgdwApplicationMappedIndex )) goto CalculateApplicationRestrictedUsageError; pAppUsage = pRestrictedUsageInfo->pApplicationRestrictedUsage; }
// The element's application usage includes the intersection with
// the property usage
if (NULL == pAppUsage) { if (!ChainAllocAndCopyUsage( pPropUsage, &pElement->pApplicationUsage )) goto AllocAndCopyUsageError; } else { if (!ChainAllocAndCopyUsage( pAppUsage, &pElement->pApplicationUsage )) goto AllocAndCopyUsageError; if (pPropUsage) // Remove OIDs not also in the property usage
ChainIntersectUsages(pPropUsage, pElement->pApplicationUsage); }
// Check the requested usage
pAppUsage = pElement->pApplicationUsage; if (pAppUsage) ChainGetUsageStatus( &pUsageToUse->Usage, pAppUsage, pUsageToUse->dwType, &pElement->TrustStatus );
fResult = TRUE;CommonReturn: return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(CalculateIssuanceRestrictedUsageError)TRACE_ERROR(AllocAndCopyUsageError)TRACE_ERROR(CalculateApplicationRestrictedUsageError)TRACE_ERROR(CalculatePropertyRestrictedUsageError)}
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::UpdateChainContextFromPathObject, public
//
// Synopsis: update the chain context using information from this
// path object.
//
//----------------------------------------------------------------------------
BOOLCChainPathObject::UpdateChainContextFromPathObject ( IN PCCHAINCALLCONTEXT pCallContext, IN OUT PCERT_SIMPLE_CHAIN pChain, IN OUT PCERT_CHAIN_ELEMENT pElement ){ BOOL fResult; PCERT_REVOCATION_INFO pRevocationInfo = NULL; PCERT_REVOCATION_CRL_INFO pRevocationCrlInfo = NULL; CERT_REVOCATION_INFO DisallowedRevocationInfo;
ChainOrInStatusBits(&pElement->TrustStatus, &m_TrustStatus); assert(m_fHasAdditionalStatus); ChainOrInStatusBits(&pElement->TrustStatus, &m_AdditionalStatus);
if ((pElement->TrustStatus.dwErrorStatus & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT) && (pChain->TrustStatus.dwInfoStatus & CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS)) { // If one of our parents has a valid name constraint, then,
// it isn't mandatory that we have a constraint for all name spaces.
pElement->TrustStatus.dwErrorStatus &= ~CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT; }
if (m_pUpIssuerElement) { if (m_pUpIssuerElement->fCtlIssuer) { ChainOrInStatusBits(&pChain->TrustStatus, &m_pUpIssuerElement->SubjectStatus);
assert(pElement->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT);
pElement->TrustStatus.dwErrorStatus &= ~CERT_TRUST_IS_UNTRUSTED_ROOT;
if (!SSCtlAllocAndCopyTrustListInfo( m_pUpIssuerElement->pCtlIssuerData->pTrustListInfo, &pChain->pTrustListInfo )) goto AllocAndCopyTrustListInfoError; } else { ChainOrInStatusBits(&pElement->TrustStatus, &m_pUpIssuerElement->SubjectStatus); } }
pRevocationInfo = NULL; if (m_fHasRevocationInfo) { pRevocationInfo = &m_RevocationInfo; pRevocationCrlInfo = &m_RevocationCrlInfo; } else if (m_pUpIssuerElement && m_pUpIssuerElement->fHasRevocationInfo) { pRevocationInfo = &m_pUpIssuerElement->RevocationInfo; pRevocationCrlInfo = &m_pUpIssuerElement->RevocationCrlInfo; }
if (0 == m_dwElementIndex && 0 == m_dwChainIndex && !(pElement->TrustStatus.dwErrorStatus & CERT_TRUST_IS_REVOKED) && NULL != m_pCertObject->ChainEngine()->DisallowedStore()) { // Check if the end certificate has been explicitly disallowed.
// Since the signature component can be altered, must use the signature
// hash
BYTE rgbSigHash[CHAIN_MAX_SIG_HASH_LEN]; CRYPT_DATA_BLOB SigHashBlob; SigHashBlob.pbData = rgbSigHash; SigHashBlob.cbData = CHAIN_MAX_SIG_HASH_LEN;
if (CertGetCertificateContextProperty( m_pCertObject->CertContext(), CERT_SIGNATURE_HASH_PROP_ID, rgbSigHash, &SigHashBlob.cbData ) && CHAIN_MIN_SIG_HASH_LEN <= SigHashBlob.cbData) { PCCERT_CONTEXT pDisallowedCert;
pDisallowedCert = CertFindCertificateInStore( m_pCertObject->ChainEngine()->DisallowedStore(), 0, // dwCertEncodingType
0, // dwFindFlags
CERT_FIND_SIGNATURE_HASH, (const void *) &SigHashBlob, NULL //pPrevCertContext
);
if (pDisallowedCert) { CertFreeCertificateContext(pDisallowedCert);
memset(&DisallowedRevocationInfo, 0, sizeof(DisallowedRevocationInfo)); DisallowedRevocationInfo.cbSize = sizeof(DisallowedRevocationInfo); DisallowedRevocationInfo.dwRevocationResult = (DWORD) CRYPT_E_REVOKED; DisallowedRevocationInfo.fHasFreshnessTime = TRUE; // DisallowedRevocationInfo.dwFreshnessTime = 0;
pRevocationInfo = &DisallowedRevocationInfo; pRevocationCrlInfo = NULL;
pElement->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_REVOKED; pElement->TrustStatus.dwErrorStatus &= ~(CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION); } } }
if (pRevocationInfo) { pElement->pRevocationInfo = new CERT_REVOCATION_INFO; if (NULL == pElement->pRevocationInfo) goto OutOfMemory;
memset(pElement->pRevocationInfo, 0, sizeof(CERT_REVOCATION_INFO)); pElement->pRevocationInfo->cbSize = sizeof(CERT_REVOCATION_INFO); pElement->pRevocationInfo->dwRevocationResult = pRevocationInfo->dwRevocationResult; pElement->pRevocationInfo->fHasFreshnessTime = pRevocationInfo->fHasFreshnessTime; pElement->pRevocationInfo->dwFreshnessTime = pRevocationInfo->dwFreshnessTime;
if (NULL != pRevocationCrlInfo && NULL != pRevocationCrlInfo->pBaseCrlContext) { PCERT_REVOCATION_CRL_INFO pCrlInfo;
pCrlInfo = new CERT_REVOCATION_CRL_INFO; if (NULL == pCrlInfo) goto OutOfMemory;
pElement->pRevocationInfo->pCrlInfo = pCrlInfo; memcpy(pCrlInfo, pRevocationCrlInfo, sizeof(*pCrlInfo)); assert(pCrlInfo->cbSize = sizeof(*pCrlInfo));
pCrlInfo->pBaseCrlContext = CertDuplicateCRLContext( pRevocationCrlInfo->pBaseCrlContext); if (NULL != pRevocationCrlInfo->pDeltaCrlContext) pCrlInfo->pDeltaCrlContext = CertDuplicateCRLContext( pRevocationCrlInfo->pDeltaCrlContext); } }
if (m_pwszExtendedErrorInfo) { DWORD cbExtendedErrorInfo; LPWSTR pwszExtendedErrorInfo;
cbExtendedErrorInfo = (wcslen(m_pwszExtendedErrorInfo) + 1) * sizeof(WCHAR); if (NULL == (pwszExtendedErrorInfo = (LPWSTR) PkiNonzeroAlloc( cbExtendedErrorInfo))) goto OutOfMemory; memcpy(pwszExtendedErrorInfo, m_pwszExtendedErrorInfo, cbExtendedErrorInfo); pElement->pwszExtendedErrorInfo = pwszExtendedErrorInfo; }
pElement->pCertContext = CertDuplicateCertificateContext( m_pCertObject->CertContext());
ChainUpdateSummaryStatusByTrustStatus(&pChain->TrustStatus, &pElement->TrustStatus);
fResult = TRUE;CommonReturn: return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(AllocAndCopyTrustListInfoError)SET_ERROR(OutOfMemory, E_OUTOFMEMORY)}
//+===========================================================================
// CCertIssuerList methods
//============================================================================
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::CCertIssuerList, public
//
// Synopsis: Constructor
//
//----------------------------------------------------------------------------
CCertIssuerList::CCertIssuerList (IN PCCHAINPATHOBJECT pSubject){ m_pSubject = pSubject; m_pHead = NULL;}
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::~CCertIssuerList, public
//
// Synopsis: Destructor
//
//----------------------------------------------------------------------------
CCertIssuerList::~CCertIssuerList (){ PCERT_ISSUER_ELEMENT pElement;
while ( ( pElement = NextElement( NULL ) ) != NULL ) { RemoveElement( pElement ); DeleteElement( pElement ); }}
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::AddIssuer, public
//
// Synopsis: add an issuer to the list
//
//----------------------------------------------------------------------------
BOOLCCertIssuerList::AddIssuer( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL HCERTSTORE hAdditionalStore, IN PCCERTOBJECT pIssuer ){ BOOL fResult; PCCHAINPATHOBJECT pIssuerPathObject = NULL; PCERT_ISSUER_ELEMENT pElement = NULL;
if (CheckForDuplicateElement(pIssuer->CertHash(), FALSE)) return TRUE;
// Don't add ourself as an issuer.
if (0 == memcmp(m_pSubject->CertObject()->CertHash(), pIssuer->CertHash(), CHAINHASHLEN)) return TRUE;
// Mainly for certs generated by tstore2.exe that mostly contain
// the same public key, need to add an additional filter to
// discard certs that only match via the public key, ie no
// AKI, name or basic constraints match.
if (!ChainIsValidPubKeyMatchForIssuer(pIssuer, m_pSubject->CertObject())) return TRUE;
if (!ChainCreatePathObject( pCallContext, pIssuer, hAdditionalStore, &pIssuerPathObject )) return FALSE;
fResult = CreateElement( pCallContext, FALSE, // fCtlIssuer
pIssuerPathObject, hAdditionalStore, NULL, // pSSCtlObject
NULL, // pTrustListInfo
&pElement );
if (!fResult) { return( FALSE ); }
AddElement( pElement );
return( TRUE );}
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::AddCtlIssuer, public
//
// Synopsis: add an issuer to the list
//
//----------------------------------------------------------------------------
BOOLCCertIssuerList::AddCtlIssuer( IN PCCHAINCALLCONTEXT pCallContext, IN OPTIONAL HCERTSTORE hAdditionalStore, IN PCSSCTLOBJECT pSSCtlObject, IN PCERT_TRUST_LIST_INFO pTrustListInfo ){ PCERT_ISSUER_ELEMENT pElement = NULL;
if (CheckForDuplicateElement(pSSCtlObject->CtlHash(), TRUE)) return TRUE;
if (!CreateElement( pCallContext, TRUE, // fCtlIssuer
NULL, // pIssuerPathObject
hAdditionalStore, pSSCtlObject, pTrustListInfo, &pElement )) return FALSE;
AddElement( pElement );
return( TRUE );}
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::CreateElement, public
//
// Synopsis: create an element
//
//----------------------------------------------------------------------------
BOOLCCertIssuerList::CreateElement( IN PCCHAINCALLCONTEXT pCallContext, IN BOOL fCtlIssuer, IN OPTIONAL PCCHAINPATHOBJECT pIssuer, IN OPTIONAL HCERTSTORE hAdditionalStore, IN OPTIONAL PCSSCTLOBJECT pSSCtlObject, IN OPTIONAL PCERT_TRUST_LIST_INFO pTrustListInfo, // allocated by caller
OUT PCERT_ISSUER_ELEMENT* ppElement ){ BOOL fResult; BOOL fCtlSignatureValid = FALSE; PCERT_ISSUER_ELEMENT pElement;
pElement = new CERT_ISSUER_ELEMENT; if (NULL == pElement) goto OutOfMemory;
memset( pElement, 0, sizeof( CERT_ISSUER_ELEMENT ) );
pElement->fCtlIssuer = fCtlIssuer;
if (!fCtlIssuer) { pElement->pIssuer = pIssuer;
// The following may leave the engine's critical section to verify the
// signature. If the engine was touched by another thread, it fails with
// LastError set to ERROR_CAN_NOT_COMPLETE.
if (!ChainGetSubjectStatus( pCallContext, pIssuer, m_pSubject, &pElement->SubjectStatus )) goto GetSubjectStatusError; } else { pElement->pCtlIssuerData = new CTL_ISSUER_DATA; if (NULL == pElement->pCtlIssuerData) goto OutOfMemory;
memset( pElement->pCtlIssuerData, 0, sizeof( CTL_ISSUER_DATA ) );
pSSCtlObject->AddRef(); pElement->pCtlIssuerData->pSSCtlObject = pSSCtlObject; pElement->pCtlIssuerData->pTrustListInfo = pTrustListInfo;
// The following may leave the engine's critical section to verify a
// signature or do URL retrieval. If the engine was touched by
// another thread, it fails with LastError set to
// ERROR_CAN_NOT_COMPLETE.
if (!pSSCtlObject->GetSigner( m_pSubject, pCallContext, hAdditionalStore, &pElement->pIssuer, &fCtlSignatureValid )) { if (GetLastError() != CRYPT_E_NOT_FOUND) goto GetSignerError; } }
if (pElement->pIssuer) { // If the Issuer hasn't completed yet, then, we are cyclic.
if (!pElement->pIssuer->IsCompleted()) pElement->dwPass1Quality = 0; else { pElement->dwPass1Quality = pElement->pIssuer->Pass1Quality();
if (!fCtlIssuer) { if (pElement->SubjectStatus.dwErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID) { pElement->dwPass1Quality &= ~CERT_QUALITY_SIGNATURE_VALID; } } else if (!fCtlSignatureValid) { pElement->dwPass1Quality &= ~CERT_QUALITY_SIGNATURE_VALID; }
if (0 == (pElement->dwPass1Quality & CERT_QUALITY_NO_DUPLICATE_KEY)) { // Add to the duplicate key depth
pElement->dwPass1DuplicateKeyDepth = pElement->pIssuer->Pass1DuplicateKeyDepth() + 1; } else { // Check that we have a no duplicate key path to the top
PCCHAINPATHOBJECT pTopPathObject = NULL; LPBYTE pbPathPublicKeyHash = m_pSubject->CertObject()->PublicKeyHash();
while (pTopPathObject = pElement->pIssuer->NextPath( pCallContext, pTopPathObject )) { BOOL fDuplicateKey = FALSE;
PCERT_ISSUER_ELEMENT pIssuerElement; PCCHAINPATHOBJECT pIssuerObject;
for (pIssuerElement = pElement; NULL != pIssuerElement && NULL != (pIssuerObject = pIssuerElement->pIssuer); pIssuerElement = pIssuerObject->UpIssuerElement()) {
assert(0 != (pIssuerElement->dwPass1Quality & CERT_QUALITY_NO_DUPLICATE_KEY));
if (0 == memcmp(pbPathPublicKeyHash, pIssuerObject->CertObject()->PublicKeyHash(), CHAINHASHLEN)) { fDuplicateKey = TRUE; break; } }
if (!fDuplicateKey) break; } if (pTopPathObject) pElement->pIssuer->ResetNextPath( pCallContext, pTopPathObject ); else { pElement->dwPass1Quality &= ~CERT_QUALITY_NO_DUPLICATE_KEY; // Start the duplicate key depth count
pElement->dwPass1DuplicateKeyDepth = 1; } } } } else { assert(fCtlIssuer); pElement->dwPass1Quality = 0; }
// Remember highest quality issuer and lowest duplicate key depth
if (pElement->dwPass1Quality > m_pSubject->Pass1Quality()) { m_pSubject->SetPass1Quality(pElement->dwPass1Quality); m_pSubject->SetPass1DuplicateKeyDepth( pElement->dwPass1DuplicateKeyDepth); } else if (pElement->dwPass1Quality == m_pSubject->Pass1Quality()) { if (IsEmpty() || pElement->dwPass1DuplicateKeyDepth < m_pSubject->Pass1DuplicateKeyDepth()) { m_pSubject->SetPass1DuplicateKeyDepth( pElement->dwPass1DuplicateKeyDepth); } } fResult = TRUE;
CommonReturn: *ppElement = pElement; return fResult;
ErrorReturn: if (pElement) { DeleteElement(pElement); pElement = NULL; }
fResult = FALSE; goto CommonReturn;
SET_ERROR(OutOfMemory, E_OUTOFMEMORY)TRACE_ERROR(GetSubjectStatusError)TRACE_ERROR(GetSignerError)}
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::DeleteElement, public
//
// Synopsis: delete an element
//
//----------------------------------------------------------------------------
VOIDCCertIssuerList::DeleteElement (IN PCERT_ISSUER_ELEMENT pElement){ if ( pElement->pCtlIssuerData ) { ChainFreeCtlIssuerData( pElement->pCtlIssuerData ); }
if (pElement->fHasRevocationInfo) { if (pElement->RevocationCrlInfo.pBaseCrlContext) CertFreeCRLContext(pElement->RevocationCrlInfo.pBaseCrlContext); if (pElement->RevocationCrlInfo.pDeltaCrlContext) CertFreeCRLContext(pElement->RevocationCrlInfo.pDeltaCrlContext); }
delete pElement;}
//+---------------------------------------------------------------------------
//
// Member: CCertIssuerList::CheckForDuplicateElement, public
//
// Synopsis: check for a duplicate element
//
//----------------------------------------------------------------------------
BOOLCCertIssuerList::CheckForDuplicateElement ( IN BYTE rgbHash[ CHAINHASHLEN ], IN BOOL fCtlIssuer ){ PCERT_ISSUER_ELEMENT pElement = NULL;
while ( ( pElement = NextElement( pElement ) ) != NULL ) { if ( pElement->fCtlIssuer == fCtlIssuer ) { if ( fCtlIssuer == FALSE ) { if ( memcmp( rgbHash, pElement->pIssuer->CertObject()->CertHash(), CHAINHASHLEN ) == 0 ) { return( TRUE ); } } else { if ( memcmp( rgbHash, pElement->pCtlIssuerData->pSSCtlObject->CtlHash(), CHAINHASHLEN ) == 0 ) { return( TRUE ); } } } }
return( FALSE );}
//+===========================================================================
// CCertObjectCache methods
//============================================================================
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::CCertObjectCache, public
//
// Synopsis: Constructor
//
//----------------------------------------------------------------------------
CCertObjectCache::CCertObjectCache ( IN DWORD MaxIndexEntries, OUT BOOL& rfResult ){ LRU_CACHE_CONFIG Config;
memset( &Config, 0, sizeof( Config ) );
Config.dwFlags = LRU_CACHE_NO_SERIALIZE | LRU_CACHE_NO_COPY_IDENTIFIER; Config.cBuckets = DEFAULT_CERT_OBJECT_CACHE_BUCKETS;
m_hHashIndex = NULL; m_hIdentifierIndex = NULL; m_hKeyIdIndex = NULL; m_hSubjectNameIndex = NULL; m_hPublicKeyHashIndex = NULL; m_hEndHashIndex = NULL;
Config.pfnHash = CertObjectCacheHashNameIdentifier;
rfResult = I_CryptCreateLruCache( &Config, &m_hSubjectNameIndex );
Config.pfnHash = CertObjectCacheHashMd5Identifier;
if ( rfResult == TRUE ) { rfResult = I_CryptCreateLruCache( &Config, &m_hIdentifierIndex ); }
if ( rfResult == TRUE ) { rfResult = I_CryptCreateLruCache( &Config, &m_hKeyIdIndex ); }
if ( rfResult == TRUE ) { rfResult = I_CryptCreateLruCache( &Config, &m_hPublicKeyHashIndex ); }
Config.pfnOnRemoval = CertObjectCacheOnRemovalFromPrimaryIndex;
if ( rfResult == TRUE ) { rfResult = I_CryptCreateLruCache( &Config, &m_hHashIndex ); }
Config.MaxEntries = MaxIndexEntries; Config.pfnOnRemoval = CertObjectCacheOnRemovalFromEndHashIndex;
if ( rfResult == TRUE ) { rfResult = I_CryptCreateLruCache( &Config, &m_hEndHashIndex ); }}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::~CCertObjectCache, public
//
// Synopsis: Destructor
//
//----------------------------------------------------------------------------
CCertObjectCache::~CCertObjectCache (){ I_CryptFreeLruCache( m_hHashIndex, 0, NULL );
I_CryptFreeLruCache( m_hSubjectNameIndex, LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptFreeLruCache( m_hIdentifierIndex, LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptFreeLruCache( m_hKeyIdIndex, LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptFreeLruCache( m_hPublicKeyHashIndex, LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptFreeLruCache( m_hEndHashIndex, 0, NULL );}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::AddIssuerObject, public
//
// Synopsis: add an issuer object to the cache
// Increments engine's touch count
//
//----------------------------------------------------------------------------
VOIDCCertObjectCache::AddIssuerObject ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERTOBJECT pCertObject ){ assert(CERT_CACHED_ISSUER_OBJECT_TYPE == pCertObject->ObjectType()); pCertObject->AddRef();
I_CryptInsertLruEntry( pCertObject->HashIndexEntry(), pCallContext ); I_CryptInsertLruEntry( pCertObject->IdentifierIndexEntry(), pCallContext ); I_CryptInsertLruEntry( pCertObject->SubjectNameIndexEntry(), pCallContext ); I_CryptInsertLruEntry( pCertObject->KeyIdIndexEntry(), pCallContext ); I_CryptInsertLruEntry( pCertObject->PublicKeyHashIndexEntry(), pCallContext );
pCallContext->TouchEngine();
CertPerfIncrementChainCertCacheCount();}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::AddEndObject, public
//
// Synopsis: add an end object to the cache
//
//----------------------------------------------------------------------------
VOIDCCertObjectCache::AddEndObject ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERTOBJECT pCertObject ){ PCCERTOBJECT pDuplicate;
if (CERT_END_OBJECT_TYPE != pCertObject->ObjectType()) return;
pDuplicate = FindEndObjectByHash(pCertObject->CertHash()); if (pDuplicate) { pDuplicate->Release(); return; }
if (pCertObject->CacheEndObject(pCallContext)) { pCertObject->AddRef();
I_CryptInsertLruEntry( pCertObject->EndHashIndexEntry(), pCallContext );
CertPerfIncrementChainCertCacheCount();
CertPerfIncrementChainCacheEndCertCount(); }}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::FindIssuerObject, public
//
// Synopsis: find object
//
// Note, also called by FindEndObjectByHash
//
//----------------------------------------------------------------------------
PCCERTOBJECTCCertObjectCache::FindIssuerObject ( IN HLRUCACHE hIndex, IN PCRYPT_DATA_BLOB pIdentifier ){ HLRUENTRY hFound; PCCERTOBJECT pFound = NULL;
hFound = I_CryptFindLruEntry( hIndex, pIdentifier ); if ( hFound != NULL ) { pFound = (PCCERTOBJECT)I_CryptGetLruEntryData( hFound ); pFound->AddRef();
I_CryptReleaseLruEntry( hFound ); }
return( pFound );}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::FindIssuerObjectByHash, public
//
// Synopsis: find object by hash
//
//----------------------------------------------------------------------------
PCCERTOBJECTCCertObjectCache::FindIssuerObjectByHash ( IN BYTE rgbCertHash[ CHAINHASHLEN ] ){ CRYPT_DATA_BLOB DataBlob;
DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = rgbCertHash; return( FindIssuerObject( m_hHashIndex, &DataBlob ) );}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::FindEndObjectByHash, public
//
// Synopsis: find object by hash
//
//----------------------------------------------------------------------------
PCCERTOBJECTCCertObjectCache::FindEndObjectByHash ( IN BYTE rgbCertHash[ CHAINHASHLEN ] ){ CRYPT_DATA_BLOB DataBlob;
DataBlob.cbData = CHAINHASHLEN; DataBlob.pbData = rgbCertHash; return( FindIssuerObject( m_hEndHashIndex, &DataBlob ) );}
//+---------------------------------------------------------------------------
//
// Member: CCertObjectCache::NextMatchingIssuerObject, public
//
// Synopsis: next matching issuer object
//
//----------------------------------------------------------------------------
PCCERTOBJECTCCertObjectCache::NextMatchingIssuerObject ( IN HLRUENTRY hObjectEntry, IN PCCERTOBJECT pCertObject ){ HLRUENTRY hFound; PCCERTOBJECT pFound = NULL;
I_CryptAddRefLruEntry( hObjectEntry );
hFound = I_CryptEnumMatchingLruEntries( hObjectEntry ); if ( hFound != NULL ) { pFound = (PCCERTOBJECT)I_CryptGetLruEntryData( hFound ); pFound->AddRef();
I_CryptReleaseLruEntry( hFound ); }
pCertObject->Release();
return( pFound );}
//+===========================================================================
// CCertChainEngine methods
//============================================================================
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::CCertChainEngine, public
//
// Synopsis: Constructor
//
//----------------------------------------------------------------------------
CCertChainEngine::CCertChainEngine ( IN PCERT_CHAIN_ENGINE_CONFIG pConfig, IN BOOL fDefaultEngine, OUT BOOL& rfResult ){ HCERTSTORE hWorld = NULL; DWORD dwStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER; HKEY hConfigKey = NULL;
assert( pConfig->cbSize == sizeof( CERT_CHAIN_ENGINE_CONFIG ) );
rfResult = TRUE;
m_cRefs = 1; m_hRootStore = NULL; m_hRealRootStore = NULL; m_hTrustStore = NULL; m_hOtherStore = NULL; m_hCAStore = NULL; m_hDisallowedStore = NULL; m_hEngineStore = NULL; m_hEngineStoreChangeEvent = NULL; m_pCertObjectCache = NULL; m_pSSCtlObjectCache = NULL; m_dwFlags = pConfig->dwFlags; if (0 == pConfig->dwUrlRetrievalTimeout) { m_dwUrlRetrievalTimeout = DEFAULT_ENGINE_URL_RETRIEVAL_TIMEOUT; m_fDefaultUrlRetrievalTimeout = TRUE; } else { m_dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout; m_fDefaultUrlRetrievalTimeout = FALSE; } m_dwTouchEngineCount = 0;
m_pCrossCertDPEntry = NULL; m_pCrossCertDPLink = NULL; m_hCrossCertStore = NULL; m_dwCrossCertDPResyncIndex = 0; m_pAuthRootAutoUpdateInfo = NULL;
m_Config.fDisableMandatoryBasicConstraints = FALSE;
m_Config.fDisableAIAUrlRetrieval = FALSE; m_Config.dwMaxAIAUrlCountInCert = CERT_CHAIN_MAX_AIA_URL_COUNT_IN_CERT_DEFAULT; m_Config.dwMaxAIAUrlRetrievalCountPerChain = CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_COUNT_PER_CHAIN_DEFAULT; m_Config.dwMaxAIAUrlRetrievalByteCount = CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_BYTE_COUNT_DEFAULT; m_Config.dwMaxAIAUrlRetrievalCertCount = CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_CERT_COUNT_DEFAULT;
if (ERROR_SUCCESS == RegOpenKeyExU( HKEY_LOCAL_MACHINE, CERT_CHAIN_CONFIG_REGPATH, 0, // dwReserved
KEY_READ, &hConfigKey )) { DWORD dwValue;
ILS_ReadDWORDValueFromRegistry( hConfigKey, L"DisableMandatoryBasicConstraints", &dwValue ); if (0 != dwValue) m_Config.fDisableMandatoryBasicConstraints = TRUE;
ILS_ReadDWORDValueFromRegistry( hConfigKey, CERT_CHAIN_DISABLE_AIA_URL_RETRIEVAL_VALUE_NAME, &dwValue ); if (0 != dwValue) m_Config.fDisableAIAUrlRetrieval = TRUE;
ILS_ReadDWORDValueFromRegistry( hConfigKey, CERT_CHAIN_MAX_AIA_URL_COUNT_IN_CERT_VALUE_NAME, &dwValue ); if (0 != dwValue) m_Config.dwMaxAIAUrlCountInCert = dwValue;
ILS_ReadDWORDValueFromRegistry( hConfigKey, CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_COUNT_PER_CHAIN_VALUE_NAME, &dwValue ); if (0 != dwValue) m_Config.dwMaxAIAUrlRetrievalCountPerChain = dwValue;
ILS_ReadDWORDValueFromRegistry( hConfigKey, CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_BYTE_COUNT_VALUE_NAME, &dwValue ); if (0 != dwValue) m_Config.dwMaxAIAUrlRetrievalByteCount = dwValue;
ILS_ReadDWORDValueFromRegistry( hConfigKey, CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_CERT_COUNT_VALUE_NAME, &dwValue ); if (0 != dwValue) m_Config.dwMaxAIAUrlRetrievalCertCount = dwValue;
ILS_CloseRegistryKey(hConfigKey); }
if ( !Pki_InitializeCriticalSection( &m_Lock )) { m_fInitializedLock = FALSE; rfResult = FALSE; return; } else { m_fInitializedLock = TRUE; }
if ( pConfig->dwFlags & CERT_CHAIN_USE_LOCAL_MACHINE_STORE ) { dwStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE; }
if ( pConfig->dwFlags & CERT_CHAIN_ENABLE_SHARE_STORE ) { dwStoreFlags |= CERT_STORE_SHARE_STORE_FLAG; }
dwStoreFlags |= CERT_STORE_SHARE_CONTEXT_FLAG;
m_hRealRootStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, dwStoreFlags | CERT_STORE_MAXIMUM_ALLOWED_FLAG, L"root" );
if ( m_hRealRootStore == NULL ) { rfResult = FALSE; return; }
m_hCAStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, dwStoreFlags | CERT_STORE_MAXIMUM_ALLOWED_FLAG, L"ca" );
m_hDisallowedStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, dwStoreFlags | CERT_STORE_MAXIMUM_ALLOWED_FLAG, L"disallowed" );
if ( m_hDisallowedStore != NULL ) { CertControlStore( m_hDisallowedStore, 0, // dwFlags
CERT_STORE_CTRL_AUTO_RESYNC, NULL // pvCtrlPara
); }
if ( pConfig->hRestrictedRoot != NULL ) { if ( ChainIsProperRestrictedRoot( m_hRealRootStore, pConfig->hRestrictedRoot ) == TRUE ) { m_hRootStore = CertDuplicateStore( pConfig->hRestrictedRoot );
// Having restricted roots implicitly disables the auto
// updating of roots
m_dwFlags |= CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE; } } else { m_hRootStore = CertDuplicateStore( m_hRealRootStore ); }
if ( m_hRootStore == NULL ) { rfResult = FALSE; return; }
if ( ( pConfig->hRestrictedTrust == NULL ) || ( pConfig->hRestrictedOther == NULL ) ) { rfResult = ChainCreateWorldStore( m_hRootStore, m_hCAStore, pConfig->cAdditionalStore, pConfig->rghAdditionalStore, dwStoreFlags, &hWorld );
if ( rfResult == FALSE ) { return; } }
if ( pConfig->hRestrictedTrust != NULL ) { m_hTrustStore = CertDuplicateStore( pConfig->hRestrictedTrust ); } else { m_hTrustStore = CertDuplicateStore( hWorld ); }
m_hOtherStore = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL );
if ( m_hOtherStore != NULL ) { if ( pConfig->hRestrictedOther != NULL ) { rfResult = CertAddStoreToCollection( m_hOtherStore, pConfig->hRestrictedOther, 0, 0 );
if ( rfResult == TRUE ) { rfResult = CertAddStoreToCollection( m_hOtherStore, m_hRootStore, 0, 0 ); } } else { rfResult = CertAddStoreToCollection( m_hOtherStore, hWorld, 0, 0 );
if ( ( rfResult == TRUE ) && ( pConfig->hRestrictedTrust != NULL ) ) { rfResult = CertAddStoreToCollection( m_hOtherStore, pConfig->hRestrictedTrust, 0, 0 ); } } } else { rfResult = FALSE; }
if ( hWorld != NULL ) { CertCloseStore( hWorld, 0 ); }
if ( rfResult == TRUE ) { rfResult = ChainCreateEngineStore( m_hRootStore, m_hTrustStore, m_hOtherStore, fDefaultEngine, pConfig->dwFlags, &m_hEngineStore, &m_hEngineStoreChangeEvent ); }
if ( rfResult == TRUE ) { rfResult = ChainCreateCertificateObjectCache( pConfig->MaximumCachedCertificates, &m_pCertObjectCache ); }
if ( rfResult == TRUE ) { rfResult = SSCtlCreateObjectCache( &m_pSSCtlObjectCache ); }
if ( rfResult == TRUE ) { rfResult = m_pSSCtlObjectCache->PopulateCache( this ); }
assert( m_hRootStore != NULL );
// Beginning of cross certificate stuff
if ( rfResult == FALSE ) { return; }
m_hCrossCertStore = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL );
if ( m_hCrossCertStore == NULL ) { rfResult = FALSE; return; }
rfResult = GetCrossCertDistPointsForStore( m_hEngineStore, TRUE, // fOnlyLMSystemStore
&m_pCrossCertDPLink ); if ( rfResult == FALSE ) { return; }
rfResult = CertAddStoreToCollection( m_hOtherStore, m_hCrossCertStore, 0, 0 );
// End of cross certificate stuff
CertPerfIncrementChainEngineCurrentCount(); CertPerfIncrementChainEngineTotalCount();}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::~CCertChainEngine, public
//
// Synopsis: Destructor
//
//----------------------------------------------------------------------------
CCertChainEngine::~CCertChainEngine (){ CertPerfDecrementChainEngineCurrentCount();
// Beginning of cross certificate stuff
FreeCrossCertDistPoints( &m_pCrossCertDPLink );
assert( NULL == m_pCrossCertDPLink ); assert( NULL == m_pCrossCertDPEntry );
if ( m_hCrossCertStore != NULL ) { CertCloseStore( m_hCrossCertStore, 0 ); }
// End of cross certificate stuff
FreeAuthRootAutoUpdateInfo(m_pAuthRootAutoUpdateInfo);
ChainFreeCertificateObjectCache( m_pCertObjectCache ); SSCtlFreeObjectCache( m_pSSCtlObjectCache );
if ( m_hRootStore != NULL ) { CertCloseStore( m_hRootStore, 0 ); }
if ( m_hRealRootStore != NULL ) { CertCloseStore( m_hRealRootStore, 0 ); }
if ( m_hTrustStore != NULL ) { CertCloseStore( m_hTrustStore, 0 ); }
if ( m_hOtherStore != NULL ) { CertCloseStore( m_hOtherStore, 0 ); }
if ( m_hCAStore != NULL ) { CertCloseStore( m_hCAStore, 0 ); }
if ( m_hDisallowedStore != NULL ) { CertCloseStore( m_hDisallowedStore, 0 ); }
if ( m_hEngineStore != NULL ) { if ( m_hEngineStoreChangeEvent != NULL ) { CertControlStore( m_hEngineStore, 0, // dwFlags
CERT_STORE_CTRL_CANCEL_NOTIFY, &m_hEngineStoreChangeEvent ); }
CertCloseStore( m_hEngineStore, 0 ); }
if ( m_hEngineStoreChangeEvent != NULL ) { CloseHandle( m_hEngineStoreChangeEvent ); }
if ( m_fInitializedLock ) { DeleteCriticalSection( &m_Lock ); }}
// "CrossCA"
const BYTE rgbEncodedCrossCAUnicodeString[] = { 0x1E, 0x0E, 0x00, 0x43, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x73, 0x00, 0x73, 0x00, 0x43, 0x00, 0x41};
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::GetChainContext, public
//
// Synopsis: get a certificate chain context
//
// NOTE: This method acquires the engine lock
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::GetChainContext ( IN PCCERT_CONTEXT pCertContext, IN LPFILETIME pTime, IN OPTIONAL HCERTSTORE hAdditionalStore, IN OPTIONAL PCERT_CHAIN_PARA pChainPara, IN DWORD dwFlags, IN LPVOID pvReserved, OUT PCCERT_CHAIN_CONTEXT* ppChainContext ){ BOOL fResult; DWORD dwLastError = 0; PCCHAINCALLCONTEXT pCallContext = NULL; PCCERT_CHAIN_CONTEXT pChainContext = NULL; PCERT_SIMPLE_CHAIN pChain; DWORD cEle; PCERT_CHAIN_ELEMENT *ppEle;
#define RETRY_AIA_ERROR_STATUS \
(CERT_TRUST_IS_REVOKED | \ CERT_TRUST_IS_NOT_TIME_VALID | \ CERT_TRUST_IS_UNTRUSTED_ROOT)
#define DISABLE_AIA_ADD_CERT_STATUS \
(CERT_TRUST_IS_NOT_TIME_VALID | \ CERT_TRUST_IS_REVOKED | \ CERT_TRUST_IS_NOT_SIGNATURE_VALID | \ CERT_TRUST_IS_UNTRUSTED_ROOT | \ CERT_TRUST_IS_CYCLIC | \ CERT_TRUST_IS_PARTIAL_CHAIN | \ CERT_TRUST_CTL_IS_NOT_TIME_VALID | \ CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID)
if (!CallContextCreateCallObject( this, pTime, pChainPara, dwFlags, &pCallContext )) goto CallContextCreateCallObjectError;
if (!CreateChainContextFromPathGraph( pCallContext, pCertContext, hAdditionalStore, &pChainContext )) goto CreateChainContextFromPathGraphError;
if (0 == (pChainContext->TrustStatus.dwErrorStatus & RETRY_AIA_ERROR_STATUS)) goto SuccessReturn;
pChain = pChainContext->rgpChain[0]; cEle = pChain->cElement; ppEle = pChain->rgpElement;
// If the end certificate is time invalid, revoked or the untrusted root,
// then, no need to retry via AIA retrieval.
if (ppEle[0]->TrustStatus.dwErrorStatus & RETRY_AIA_ERROR_STATUS) goto SuccessReturn;
if (!pCallContext->IsOnline()) goto SuccessReturn;
{ HCERTSTORE hNewerIssuerUrlStore = NULL;
if (CERT_TRUST_IS_UNTRUSTED_ROOT == (pChainContext->TrustStatus.dwErrorStatus & RETRY_AIA_ERROR_STATUS)) { // For a potential key rollover root attempt to retrieve
// the key rollover cross cert using the subject's AIA.
if (2 <= cEle && IsPotentialKeyRolloverRoot(ppEle[cEle - 1]->pCertContext)) { hNewerIssuerUrlStore = GetNewerIssuerUrlStore( pCallContext, ppEle[cEle - 2]->pCertContext, // Subject
ppEle[cEle - 1]->pCertContext // Root, Issuer
); } } else { // Try to retrieve a newer CA cert via the subject's AIA extension.
//
// Note, will only try for the first revoked or time
// invalid CA cert in the first simple chain.
DWORD i;
for (i = 1; i < cEle; i++) { PCERT_CHAIN_ELEMENT pIssuerEle = ppEle[i];
if (pIssuerEle->TrustStatus.dwErrorStatus & RETRY_AIA_ERROR_STATUS) { // First Revoked or Time Invalid CA
PCCERT_CONTEXT pIssuerCert = pIssuerEle->pCertContext; PCERT_EXTENSION pExt;
// Ignore CrossCA's. If the CA cert has a Certificate
// Template Name extension we will check if its set to
// "CrossCA". Note, this is only a hint. Its not a
// requirement to have this extension for a cross cert.
pExt = CertFindExtension( szOID_ENROLL_CERTTYPE_EXTENSION, pIssuerCert->pCertInfo->cExtension, pIssuerCert->pCertInfo->rgExtension ); if (pExt && pExt->Value.cbData == sizeof(rgbEncodedCrossCAUnicodeString) && 0 == memcmp(pExt->Value.pbData, rgbEncodedCrossCAUnicodeString, sizeof(rgbEncodedCrossCAUnicodeString))) break; hNewerIssuerUrlStore = GetNewerIssuerUrlStore( pCallContext, ppEle[i - 1]->pCertContext, // Subject
pIssuerCert );
break; } } }
if (hNewerIssuerUrlStore) { // Rebuild the chain using the newer AIA retrieved Issuer cert
HCERTSTORE hNewerAdditionalStore = NULL;
if (hAdditionalStore) { hNewerAdditionalStore = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL ); if (hNewerAdditionalStore) { if (!CertAddStoreToCollection(hNewerAdditionalStore, hNewerIssuerUrlStore, 0, 0) || !CertAddStoreToCollection(hNewerAdditionalStore, hAdditionalStore, 0, 0)) {
CertCloseStore(hNewerAdditionalStore, 0); hNewerAdditionalStore = NULL; } } } else hNewerAdditionalStore = CertDuplicateStore(hNewerIssuerUrlStore);
if (hNewerAdditionalStore) { PCCERT_CHAIN_CONTEXT pNewerChainContext = NULL;
LockEngine();
pCallContext->FlushObjectsInCreationCache( );
UnlockEngine();
if (CreateChainContextFromPathGraph( pCallContext, pCertContext, hNewerAdditionalStore, &pNewerChainContext )) { assert(pNewerChainContext); CertFreeCertificateChain(pChainContext); pChainContext = pNewerChainContext; }
CertCloseStore(hNewerAdditionalStore, 0); }
CertCloseStore(hNewerIssuerUrlStore, 0); } }
SuccessReturn: if (0 < pCallContext->AIAUrlRetrievalCount() && 0 == (pChainContext->TrustStatus.dwErrorStatus & DISABLE_AIA_ADD_CERT_STATUS) && NULL != CAStore()) {
DWORD i;
// Add any AIA retrieved CA certificates to the CA store
pChain = pChainContext->rgpChain[0]; cEle = pChain->cElement; ppEle = pChain->rgpElement;
// Ignore end entity and self signed root certificates
for (i = 1; i < cEle - 1; i++) { PCCERT_CONTEXT pAIACert = ppEle[i]->pCertContext; DWORD cbData;
if (CertGetCertificateContextProperty( pAIACert, CERT_AIA_URL_RETRIEVED_PROP_ID, NULL, &cbData )) {
// Delete the property
CertSetCertificateContextProperty( pAIACert, CERT_AIA_URL_RETRIEVED_PROP_ID, CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, NULL );
CertAddCertificateContextToStore( CAStore(), pAIACert, CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES, NULL ); } } }
fResult = TRUE;
CommonReturn: if (pCallContext) { LockEngine();
CallContextFreeCallObject(pCallContext);
UnlockEngine(); }
if (0 != dwLastError) SetLastError(dwLastError);
*ppChainContext = pChainContext; return fResult;
ErrorReturn: dwLastError = GetLastError();
assert(NULL == pChainContext); fResult = FALSE; goto CommonReturn;
TRACE_ERROR(CallContextCreateCallObjectError)TRACE_ERROR(CreateChainContextFromPathGraphError)}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::CreateChainContextFromPathGraph, public
//
// Synopsis: builds a chain path graph and returns quality ordered
// chain contexts
//
// NOTE: This method acquires the engine lock
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::CreateChainContextFromPathGraph ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERT_CONTEXT pCertContext, IN OPTIONAL HCERTSTORE hAdditionalStore, OUT PCCERT_CHAIN_CONTEXT* ppChainContext ){ BOOL fResult; DWORD dwLastError = 0; BOOL fLocked = FALSE; BYTE rgbCertHash[CHAINHASHLEN]; DWORD cbCertHash; PCCERTOBJECT pEndCertObject = NULL; PCCHAINPATHOBJECT pEndPathObject = NULL; PCCHAINPATHOBJECT pTopPathObject = NULL; HCERTSTORE hAdditionalStoreToUse = NULL; HCERTSTORE hAllStore = NULL; PINTERNAL_CERT_CHAIN_CONTEXT pNewChainContext = NULL; // don't release
PINTERNAL_CERT_CHAIN_CONTEXT pChainContext = NULL; DWORD cChainContext = 0; DWORD dwFlags = pCallContext->CallFlags();
cbCertHash = CHAINHASHLEN; if (!CertGetCertificateContextProperty( pCertContext, CERT_MD5_HASH_PROP_ID, rgbCertHash, &cbCertHash ) || CHAINHASHLEN != cbCertHash) goto GetCertHashError;
if (hAdditionalStore) { if (!ChainCreateCollectionIncludingCtlCertificates( hAdditionalStore, &hAdditionalStoreToUse )) goto CreateAdditionalStoreCollectionError;
hAllStore = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL ); if (NULL == hAllStore) goto OpenAllCollectionError; if (!CertAddStoreToCollection(hAllStore, OtherStore(), 0, 0 )) goto AddToAllCollectionError; if (!CertAddStoreToCollection(hAllStore, hAdditionalStoreToUse, 0, 0 )) goto AddToAllCollectionError; } else hAllStore = CertDuplicateStore(OtherStore());
LockEngine(); fLocked = TRUE;
// We're in this loop to handle the case where we leave the engine's
// critical section and another thread has entered the engine's
// critical section and done a resync or added a cached issuer cert object.
while (TRUE) { if (!Resync(pCallContext, FALSE)) goto ResyncError;
pCallContext->ResetTouchEngine();
assert(NULL == pEndCertObject); pEndCertObject = m_pCertObjectCache->FindIssuerObjectByHash( rgbCertHash);
fResult = TRUE; if (NULL == pEndCertObject) { pEndCertObject = m_pCertObjectCache->FindEndObjectByHash( rgbCertHash);
if (NULL == pEndCertObject) { fResult = ChainCreateCertObject( CERT_END_OBJECT_TYPE, pCallContext, pCertContext, rgbCertHash, &pEndCertObject ); } else { CertPerfIncrementChainEndCertInCacheCount(); } }
if (pCallContext->IsTouchedEngine()) { // The chain engine was touched at some point when we left
// the engine's lock to create the end cert object
if (pEndCertObject) { pEndCertObject->Release(); pEndCertObject = NULL; }
continue; }
if (!fResult) goto CreateCertObjectError; assert(pEndCertObject);
// This will create the entire path graph
fResult = ChainCreatePathObject( pCallContext, pEndCertObject, hAdditionalStoreToUse, &pEndPathObject );
if (pCallContext->IsTouchedEngine()) { // The chain engine was touched at some point when we left
// the engine's lock to verify a signature or do URL fetching.
pEndCertObject->Release(); pEndCertObject = NULL; pEndPathObject = NULL; pCallContext->FlushObjectsInCreationCache( ); } else break; }
if (!fResult) goto CreatePathObjectError;
if (pCallContext->CallOrEngineFlags() & CERT_CHAIN_CACHE_END_CERT) m_pCertObjectCache->AddEndObject(pCallContext, pEndCertObject);
// Create the ChainContext without holding the engine lock
UnlockEngine(); fLocked = FALSE;
// Loop through all the certificate paths:
// - Calculate additional status
// - Create chain context and its quality value
// - Determine highest quality chain
// - Optionally, maintain a linked list of the lower quality chains
while (pTopPathObject = pEndPathObject->NextPath( pCallContext, pTopPathObject )) { PCCHAINPATHOBJECT pPathObject;
// Loop downward to calculate additional status
for (pPathObject = pTopPathObject; pPathObject && !pPathObject->HasAdditionalStatus(); pPathObject = pPathObject->DownPathObject()) { pPathObject->CalculateAdditionalStatus( pCallContext, hAllStore ); }
// Also calculates the chain's quality value
pNewChainContext = pEndPathObject->CreateChainContextFromPath( pCallContext, pTopPathObject ); if (NULL == pNewChainContext) goto CreateChainContextFromPathError;
// Fixup end cert
ChainUpdateEndEntityCertContext(pNewChainContext, pCertContext);
// Add logic to call either the chain engine's or the caller's
// callback function here to provide additional chain context
// quality
if (NULL == pChainContext) { pChainContext = pNewChainContext; cChainContext = 1; } else { BOOL fNewHigherQuality = FALSE;
if (pNewChainContext->dwQuality > pChainContext->dwQuality) fNewHigherQuality = TRUE; else if (pNewChainContext->dwQuality == pChainContext->dwQuality) { BOOL fDupPublicKeyOrName = FALSE;
PCERT_SIMPLE_CHAIN pChain = pChainContext->ChainContext.rgpChain[0]; PCERT_SIMPLE_CHAIN pNewChain = pNewChainContext->ChainContext.rgpChain[0]; DWORD cElement = pChain->cElement; DWORD cNewElement = pNewChain->cElement;
if (cElement != cNewElement) { // Check if the longer chain has any duplicate public
// keys or names. This could happen if we have 2 sets of
// cross certificates or root rollever certs
PCERT_SIMPLE_CHAIN pLongChain; DWORD cLongElement; DWORD i;
if (cElement > cNewElement) { pLongChain = pChain; cLongElement = cElement; } else { pLongChain = pNewChain; cLongElement = cNewElement; }
// Start with the CA and compare all keys and names up to
// and including the root
for (i = 1; i + 1 < cLongElement; i++) { DWORD j; DWORD cbHash; BYTE rgbHash0[ CHAINHASHLEN ]; PCCERT_CONTEXT pCert0 = pLongChain->rgpElement[i]->pCertContext;
cbHash = CHAINHASHLEN; if (!CertGetCertificateContextProperty( pCert0, CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID, rgbHash0, &cbHash ) || CHAINHASHLEN != cbHash) break;
for (j = i + 1; j < cLongElement; j++) { BYTE rgbHash1[ CHAINHASHLEN ]; PCCERT_CONTEXT pCert1 = pLongChain->rgpElement[j]->pCertContext;
cbHash = CHAINHASHLEN; if (!CertGetCertificateContextProperty( pCert1, CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID, rgbHash1, &cbHash ) || CHAINHASHLEN != cbHash) break;
if (0 == memcmp(rgbHash0, rgbHash1, CHAINHASHLEN) || CertCompareCertificateName( pCert0->dwCertEncodingType, &pCert0->pCertInfo->Subject, &pCert1->pCertInfo->Subject)) { fDupPublicKeyOrName = TRUE; break; } }
if (fDupPublicKeyOrName) break; } }
if (fDupPublicKeyOrName) { if (cElement > cNewElement) fNewHigherQuality = TRUE; } else { DWORD i; DWORD cMinElement;
// Chains having certs with later NotAfter/NotBefore dates
// starting with the first CA cert are considered higher
// quality when dwQuality is the same. Will only compare
// the first simple chain.
cMinElement = min(cElement, cNewElement);
for (i = 1; i < cMinElement; i++) { LONG lCmp;
PCERT_INFO pCertInfo = pChain->rgpElement[i]->pCertContext->pCertInfo; PCERT_INFO pNewCertInfo = pNewChain->rgpElement[i]->pCertContext->pCertInfo; lCmp = CompareFileTime(&pNewCertInfo->NotAfter, &pCertInfo->NotAfter); if (0 < lCmp) { fNewHigherQuality = TRUE; break; } else if (0 > lCmp) { break; } else { // Same NotAfter. Check NotBefore.
lCmp = CompareFileTime(&pNewCertInfo->NotBefore, &pCertInfo->NotBefore); if (0 < lCmp) { fNewHigherQuality = TRUE; break; } else if (0 > lCmp) break; // else
// Same
} } } } // else
// fNewHigherQuality = FALSE;
if (fNewHigherQuality) { if (dwFlags & CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS) { pNewChainContext->pNext = pChainContext; pChainContext = pNewChainContext; cChainContext++; } else { ChainReleaseInternalChainContext(pChainContext); pChainContext = pNewChainContext; } } else { if (dwFlags & CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS) { PINTERNAL_CERT_CHAIN_CONTEXT p;
// Insert according to quality
for (p = pChainContext; p->pNext && p->pNext->dwQuality >= pNewChainContext->dwQuality; p = p->pNext) { ; }
pNewChainContext->pNext = p->pNext; p->pNext = pNewChainContext;
cChainContext++; } else { ChainReleaseInternalChainContext(pNewChainContext); } } } }
if (GetLastError() != CRYPT_E_NOT_FOUND) goto NextPathError;
assert(pChainContext && cChainContext);
if (cChainContext > 1) { PINTERNAL_CERT_CHAIN_CONTEXT p; PCCERT_CHAIN_CONTEXT *ppLower;
// Create array of lower quality chain contexts
ppLower = new PCCERT_CHAIN_CONTEXT [ cChainContext - 1]; if (NULL == ppLower) goto OutOfMemory;
pChainContext->ChainContext.cLowerQualityChainContext = cChainContext - 1; pChainContext->ChainContext.rgpLowerQualityChainContext = ppLower;
for (p = pChainContext->pNext; p; p = p->pNext, ppLower++) { assert(cChainContext > 1); cChainContext--;
*ppLower = (PCCERT_CHAIN_CONTEXT) p; }
}
assert(1 == cChainContext);
fResult = TRUE;
CommonReturn: if (!fLocked) LockEngine();
if (pEndCertObject) pEndCertObject->Release();
if (hAllStore) CertCloseStore(hAllStore, 0); if (hAdditionalStoreToUse) CertCloseStore(hAdditionalStoreToUse, 0);
*ppChainContext = (PCCERT_CHAIN_CONTEXT) pChainContext;
UnlockEngine();
if (0 != dwLastError) SetLastError(dwLastError); return fResult;
ErrorReturn: dwLastError = GetLastError();
if (pChainContext) { PINTERNAL_CERT_CHAIN_CONTEXT p;
while (p = pChainContext->pNext) { pChainContext->pNext = p->pNext; ChainReleaseInternalChainContext(p); }
ChainReleaseInternalChainContext(pChainContext); pChainContext = NULL; }
fResult = FALSE; goto CommonReturn;
TRACE_ERROR(GetCertHashError)TRACE_ERROR(CreateAdditionalStoreCollectionError)TRACE_ERROR(OpenAllCollectionError)TRACE_ERROR(AddToAllCollectionError)TRACE_ERROR(ResyncError)TRACE_ERROR(CreateCertObjectError)TRACE_ERROR(CreatePathObjectError)TRACE_ERROR(CreateChainContextFromPathError)TRACE_ERROR(NextPathError)SET_ERROR(OutOfMemory, E_OUTOFMEMORY)}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::IsPotentialKeyRolloverRoot, public
//
// Synopsis: checks if the root certificate is a potential key rollover
// candidate by trying to find a matching cross certificate
// having the same subject name with a different key. Returns TRUE
// if such a matching cross certificate is found in the engine's
// OtherStore (really WorldStore).
//
// NOTE: This method acquires the engine lock
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::IsPotentialKeyRolloverRoot ( IN PCCERT_CONTEXT pRootCertContext ){ BOOL fPotentialRollover = FALSE; PCCERT_CONTEXT pCert = NULL;
LockEngine();
while (pCert = CertFindCertificateInStore( m_hOtherStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, // dwFindFlags
CERT_FIND_SUBJECT_NAME, (const void *) &pRootCertContext->pCertInfo->Subject, pCert )) { PCRYPT_BIT_BLOB pRootKey = &pRootCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey; PCRYPT_BIT_BLOB pCertKey = &pCert->pCertInfo->SubjectPublicKeyInfo.PublicKey;
if (pRootKey->cbData != pCertKey->cbData || 0 != memcmp(pRootKey->pbData, pCertKey->pbData, pRootKey->cbData)) { fPotentialRollover = TRUE; CertFreeCertificateContext(pCert); break; } }
UnlockEngine(); return fPotentialRollover;}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::GetIssuerUrlStore, public
//
// Synopsis: if the certificate has an Authority Info Access extension,
// return a store containing the issuing certificates
//
// Leaves the engine's critical section to do the URL
// fetching. If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::GetIssuerUrlStore( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERT_CONTEXT pSubjectCertContext, IN DWORD dwRetrievalFlags, OUT HCERTSTORE *phIssuerUrlStore ){ BOOL fTouchedResult = TRUE; BOOL fResult; DWORD cbUrlArray; PCRYPT_URL_ARRAY pUrlArray = NULL; DWORD cCount; DWORD dwCacheResultFlag;
*phIssuerUrlStore = NULL;
if (m_Config.fDisableAIAUrlRetrieval || pCallContext->AIAUrlRetrievalCount() >= m_Config.dwMaxAIAUrlRetrievalCountPerChain) { return TRUE; }
dwRetrievalFlags |= CRYPT_RETRIEVE_MULTIPLE_OBJECTS | CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL | CRYPT_OFFLINE_CHECK_RETRIEVAL | CRYPT_AIA_RETRIEVAL;
fResult = ChainGetObjectUrl( URL_OID_CERTIFICATE_ISSUER, (LPVOID) pSubjectCertContext, CRYPT_GET_URL_FROM_EXTENSION, NULL, &cbUrlArray, NULL, NULL, NULL );
if ( fResult ) { pUrlArray = (PCRYPT_URL_ARRAY)new BYTE [ cbUrlArray ]; if ( pUrlArray == NULL ) { return TRUE; }
fResult = ChainGetObjectUrl( URL_OID_CERTIFICATE_ISSUER, (LPVOID) pSubjectCertContext, CRYPT_GET_URL_FROM_EXTENSION, pUrlArray, &cbUrlArray, NULL, NULL, NULL );
if ( fResult ) { if (pUrlArray->cUrl > m_Config.dwMaxAIAUrlCountInCert) { ChainOutputDebugStringA("CRYPT32.DLL --> Exceeded MaxAIAUrlCountInCert\n"); fResult = FALSE; }
} }
if ( fResult ) { BOOL fLocked = FALSE; CRYPT_RETRIEVE_AUX_INFO RetrieveAuxInfo;
memset(&RetrieveAuxInfo, 0, sizeof(RetrieveAuxInfo)); RetrieveAuxInfo.cbSize = sizeof(RetrieveAuxInfo); RetrieveAuxInfo.dwMaxUrlRetrievalByteCount = m_Config.dwMaxAIAUrlRetrievalByteCount;
//
// We are about to go on the wire to retrieve the issuer certificate.
// At this time we will release the chain engine lock so others can
// go about there business while we wait for the protocols to do the
// fetching.
//
UnlockEngine();
for ( cCount = 0; cCount < pUrlArray->cUrl; cCount++ ) { dwCacheResultFlag = 0;
if (!(dwRetrievalFlags & CRYPT_CACHE_ONLY_RETRIEVAL)) { if (pCallContext->AIAUrlRetrievalCount() >= m_Config.dwMaxAIAUrlRetrievalCountPerChain) { ChainOutputDebugStringA("CRYPT32.DLL --> Exceeded MaxAIAUrlRetrievalCountPerChain\n"); break; } pCallContext->IncrementAIAUrlRetrievalCount();
if (0 != _wcsnicmp(pUrlArray->rgwszUrl[ cCount ], L"http:", 5)) { dwCacheResultFlag = CRYPT_DONT_CACHE_RESULT; } } else if (0 == pCallContext->AIAUrlRetrievalCount()) { // Need a nonzero retrieval count so we can add to the CA
// store
pCallContext->IncrementAIAUrlRetrievalCount(); }
fResult = ChainRetrieveObjectByUrlW( pUrlArray->rgwszUrl[ cCount ], CONTEXT_OID_CERTIFICATE, dwRetrievalFlags | dwCacheResultFlag, (dwRetrievalFlags & CRYPT_CACHE_ONLY_RETRIEVAL) ? 0 : pCallContext->AIAUrlRetrievalTimeout(), (LPVOID *)phIssuerUrlStore, NULL, NULL, NULL, &RetrieveAuxInfo );
if ( fResult ) { CertPerfIncrementChainUrlIssuerCount(); if (dwRetrievalFlags & CRYPT_CACHE_ONLY_RETRIEVAL) CertPerfIncrementChainCacheOnlyUrlIssuerCount();
//
// Retake the engine lock. Also check if the engine was
// touched during our absence.
//
LockEngine(); if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; SetLastError( (DWORD) ERROR_CAN_NOT_COMPLETE ); }
fLocked = TRUE;
if (!fTouchedResult) { CertCloseStore(*phIssuerUrlStore, 0); *phIssuerUrlStore = NULL; } else { // Check that we don't exceed the maximum allowed number
// of certificates per AIA retrieval. Also, set
// the AIA property on each certificate. If these
// certificates are used in the returned chain context,
// then, they will be added to the CA store.
CRYPT_DATA_BLOB DataBlob = {0, NULL}; PCCERT_CONTEXT pAIACert = NULL; DWORD cAIACert = 0;
while (pAIACert = CertEnumCertificatesInStore( *phIssuerUrlStore, pAIACert)) { cAIACert++;
CertSetCertificateContextProperty( pAIACert, CERT_AIA_URL_RETRIEVED_PROP_ID, CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG, &DataBlob ); }
if (cAIACert > m_Config.dwMaxAIAUrlRetrievalCertCount) { ChainOutputDebugStringA("CRYPT32.DLL --> Exceeded MaxAIAUrlRetrievalCertCount\n"); CertCloseStore(*phIssuerUrlStore, 0); *phIssuerUrlStore = NULL; } }
break; } }
//
// Retake the engine lock if necessary
//
if ( !fLocked ) { LockEngine(); if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; SetLastError( (DWORD) ERROR_CAN_NOT_COMPLETE ); } } }
delete (LPBYTE)pUrlArray;
// NOTE: Need to somehow log that we tried to retrieve the issuer but
// it was inaccessible
return( fTouchedResult );}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::GetNewerIssuerUrlStore, public
//
// Synopsis: if the subject certificate has an Authority Info Access
// extension, attempts an online URL retrieval of the
// issuer certificate(s). If any of the URL retrieved
// certs are different from the input Issuer cert,
// returns a store containing the issuing certificates.
// Otherwise, returns NULL store.
//
// Assumption: Chain engine isn't locked in the calling thread. Also,
// only called if online.
//
//----------------------------------------------------------------------------
HCERTSTORECCertChainEngine::GetNewerIssuerUrlStore( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERT_CONTEXT pSubjectCertContext, IN PCCERT_CONTEXT pIssuerCertContext ){ HCERTSTORE hNewIssuerUrlStore = NULL;
LockEngine();
while (TRUE) { pCallContext->ResetTouchEngine();
GetIssuerUrlStore( pCallContext, pSubjectCertContext, CRYPT_WIRE_ONLY_RETRIEVAL, &hNewIssuerUrlStore ); if (!pCallContext->IsTouchedEngine()) break;
assert(NULL == hNewIssuerUrlStore); }
UnlockEngine();
if (hNewIssuerUrlStore) { // Discard if it doesn't contain more than just the input
// pIssuerCertContext
PCCERT_CONTEXT pCert;
pCert = NULL; while (pCert = CertEnumCertificatesInStore(hNewIssuerUrlStore, pCert)) { if (!CertCompareCertificate( pCert->dwCertEncodingType, pCert->pCertInfo, pIssuerCertContext->pCertInfo )) { CertFreeCertificateContext(pCert); return hNewIssuerUrlStore; } }
CertCloseStore(hNewIssuerUrlStore, 0); }
return NULL;}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::Resync, public
//
// Synopsis: resync the store if necessary
//
// Leaves the engine's critical section to do the URL
// fetching. If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// A resync increments the engine's touch count.
//
// Assumption: Chain engine is locked once in the calling thread.
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::Resync (IN PCCHAINCALLCONTEXT pCallContext, BOOL fForce){ BOOL fResync = FALSE; BOOL fResult = TRUE;
if ( fForce == FALSE ) { if ( WaitForSingleObject( m_hEngineStoreChangeEvent, 0 ) == WAIT_OBJECT_0 ) { fResync = TRUE; } } else { fResync = TRUE; }
if ( fResync ) { CertControlStore( m_hEngineStore, CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG, CERT_STORE_CTRL_RESYNC, &m_hEngineStoreChangeEvent );
m_pCertObjectCache->FlushObjects( pCallContext );
fResult = m_pSSCtlObjectCache->Resync( this );
assert( fResult == TRUE );
assert( m_hCrossCertStore );
// Remove CrossCert collection from engine's list. Don't want to
// also search it for cross cert distribution points
CertRemoveStoreFromCollection( m_hOtherStore, m_hCrossCertStore );
fResult = GetCrossCertDistPointsForStore( m_hEngineStore, TRUE, // fOnlyLMSystemStore
&m_pCrossCertDPLink );
CertAddStoreToCollection( m_hOtherStore, m_hCrossCertStore, 0, 0 );
pCallContext->TouchEngine();
CertPerfIncrementChainEngineResyncCount(); }
if ( fResult ) { while (TRUE ) { pCallContext->ResetTouchEngine();
// The following 2 updates leave the engine's critical
// section to do the URL fetching. If the engine was touched by
// another thread, it fails with LastError set to
// ERROR_CAN_NOT_COMPLETE and IsTouchedEngine() is TRUE.
UpdateCrossCerts(pCallContext); if (pCallContext->IsTouchedEngine()) continue;
m_pSSCtlObjectCache->UpdateCache(this, pCallContext); if (!pCallContext->IsTouchedEngine()) break; } }
return( TRUE );}
//+===========================================================================
// CCertObject helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainCreateCertObject
//
// Synopsis: create a cert object, note since it is a ref-counted
// object, freeing occurs by doing a pCertObject->Release
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateCertObject ( IN DWORD dwObjectType, IN PCCHAINCALLCONTEXT pCallContext, IN PCCERT_CONTEXT pCertContext, IN OPTIONAL LPBYTE pbCertHash, OUT PCCERTOBJECT *ppCertObject ){ BOOL fResult = TRUE; PCCERTOBJECT pCertObject; BYTE rgbHash[CHAINHASHLEN];
if (NULL == pbCertHash) { DWORD cbHash = CHAINHASHLEN;
if (!CertGetCertificateContextProperty( pCertContext, CERT_MD5_HASH_PROP_ID, rgbHash, &cbHash ) || CHAINHASHLEN != cbHash) { *ppCertObject = NULL; return FALSE; } pbCertHash = rgbHash; }
if (CERT_CACHED_ISSUER_OBJECT_TYPE == dwObjectType) { pCertObject = pCallContext->ChainEngine()->CertObjectCache()->FindIssuerObjectByHash( pbCertHash);
if (NULL != pCertObject) { *ppCertObject = pCertObject; return TRUE; } } else { PCCHAINPATHOBJECT pPathObject;
pPathObject = pCallContext->FindPathObjectInCreationCache( pbCertHash); if (NULL != pPathObject) { pCertObject = pPathObject->CertObject(); pCertObject->AddRef(); *ppCertObject = pCertObject;
return TRUE; } }
pCertObject = new CCertObject( dwObjectType, pCallContext, pCertContext, pbCertHash, fResult );
if (NULL != pCertObject) { if (!fResult) { pCertObject->Release(); pCertObject = NULL; } else if (CERT_CACHED_ISSUER_OBJECT_TYPE == dwObjectType) { // Following add increments the engine's touch count
pCallContext->ChainEngine()->CertObjectCache()->AddIssuerObject( pCallContext, pCertObject ); } } else { fResult = FALSE;
}
*ppCertObject = pCertObject; return fResult;}
//+---------------------------------------------------------------------------
//
// Function: ChainFillCertObjectCtlCacheEnumFn
//
// Synopsis: CSSCtlObjectCache::EnumObjects callback used to create
// the linked list of CTL cache entries.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainFillCertObjectCtlCacheEnumFn( IN LPVOID pvParameter, IN PCSSCTLOBJECT pSSCtlObject ){ PCERT_OBJECT_CTL_CACHE_ENUM_DATA pEnumData = (PCERT_OBJECT_CTL_CACHE_ENUM_DATA) pvParameter; PCERT_TRUST_LIST_INFO pTrustListInfo = NULL; PCERT_OBJECT_CTL_CACHE_ENTRY pEntry = NULL;
if (!pEnumData->fResult) return FALSE;
if (!pSSCtlObject->GetTrustListInfo( pEnumData->pCertObject->CertContext(), &pTrustListInfo )) { DWORD dwErr = GetLastError(); if (CRYPT_E_NOT_FOUND == dwErr) return TRUE; else { pEnumData->fResult = FALSE; pEnumData->dwLastError = dwErr; return FALSE; } }
pEntry = new CERT_OBJECT_CTL_CACHE_ENTRY; if (NULL == pEntry) { SSCtlFreeTrustListInfo(pTrustListInfo);
pEnumData->fResult = FALSE; pEnumData->dwLastError = (DWORD) E_OUTOFMEMORY; return FALSE; }
pSSCtlObject->AddRef(); pEntry->pSSCtlObject = pSSCtlObject; pEntry->pTrustListInfo = pTrustListInfo; pEnumData->pCertObject->InsertCtlCacheEntry(pEntry); return TRUE;}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeCertObjectCtlCache
//
// Synopsis: free the linked list of CTL cache entries.
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeCertObjectCtlCache( IN PCERT_OBJECT_CTL_CACHE_ENTRY pCtlCacheHead ){ PCERT_OBJECT_CTL_CACHE_ENTRY pCtlCache;
while (pCtlCache = pCtlCacheHead) { pCtlCacheHead = pCtlCacheHead->pNext;
if (pCtlCache->pTrustListInfo) SSCtlFreeTrustListInfo(pCtlCache->pTrustListInfo);
if (pCtlCache->pSSCtlObject) pCtlCache->pSSCtlObject->Release();
delete pCtlCache; }}
//+---------------------------------------------------------------------------
//
// Function: ChainAllocAndDecodeObject
//
// Synopsis: allocate and decodes the ASN.1 encoded data structure.
//
// NULL is returned for a decoding or allocation error.
// PkiFree must be called to free the allocated data structure.
//
//----------------------------------------------------------------------------
LPVOID WINAPIChainAllocAndDecodeObject( IN LPCSTR lpszStructType, IN const BYTE *pbEncoded, IN DWORD cbEncoded ){ DWORD cbStructInfo; void *pvStructInfo;
if (!CryptDecodeObjectEx( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, lpszStructType, pbEncoded, cbEncoded, CRYPT_DECODE_SHARE_OID_STRING_FLAG | CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG, &PkiDecodePara, (void *) &pvStructInfo, &cbStructInfo )) goto DecodeError;
CommonReturn: return pvStructInfo;ErrorReturn: pvStructInfo = NULL; goto CommonReturn;TRACE_ERROR(DecodeError)}
//+---------------------------------------------------------------------------
//
// Function: ChainGetIssuerMatchInfo
//
// Synopsis: return match bits specifying the types of issuer matching
// that can be done for this certificate and if available return
// the decoded authority key identifier extension
//
//----------------------------------------------------------------------------
VOID WINAPIChainGetIssuerMatchInfo ( IN PCCERT_CONTEXT pCertContext, OUT DWORD *pdwIssuerMatchFlags, OUT PCERT_AUTHORITY_KEY_ID_INFO* ppAuthKeyIdentifier ){ PCERT_EXTENSION pExt; LPVOID pv = NULL; BOOL fV1AuthKeyIdInfo = TRUE; PCERT_AUTHORITY_KEY_ID_INFO pAuthKeyIdentifier = NULL; DWORD dwIssuerMatchFlags = 0;
pExt = CertFindExtension( szOID_AUTHORITY_KEY_IDENTIFIER, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension );
if ( pExt == NULL ) { fV1AuthKeyIdInfo = FALSE;
pExt = CertFindExtension( szOID_AUTHORITY_KEY_IDENTIFIER2, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension ); }
if ( pExt != NULL ) {
pv = ChainAllocAndDecodeObject( pExt->pszObjId, pExt->Value.pbData, pExt->Value.cbData ); }
if ( pv ) { if ( fV1AuthKeyIdInfo == FALSE ) { // NOTENOTE: Yes, this is a bit backwards but, right now but the
// V1 structure is a bit easier to deal with and we
// only support the V1 version of the V2 structure
// anyway
ChainConvertAuthKeyIdentifierFromV2ToV1( (PCERT_AUTHORITY_KEY_ID2_INFO)pv, &pAuthKeyIdentifier );
} else { pAuthKeyIdentifier = (PCERT_AUTHORITY_KEY_ID_INFO)pv; pv = NULL; }
if ( pAuthKeyIdentifier != NULL ) { if ( ( pAuthKeyIdentifier->CertIssuer.cbData != 0 ) && ( pAuthKeyIdentifier->CertSerialNumber.cbData != 0 ) ) { dwIssuerMatchFlags |= CERT_EXACT_ISSUER_MATCH_FLAG; }
if ( pAuthKeyIdentifier->KeyId.cbData != 0 ) { dwIssuerMatchFlags |= CERT_KEYID_ISSUER_MATCH_FLAG; }
if (0 == dwIssuerMatchFlags) { delete (LPBYTE) pAuthKeyIdentifier; pAuthKeyIdentifier = NULL; }
} }
dwIssuerMatchFlags |= CERT_NAME_ISSUER_MATCH_FLAG;
if (pv) PkiFree(pv);
*pdwIssuerMatchFlags = dwIssuerMatchFlags; *ppAuthKeyIdentifier = pAuthKeyIdentifier;}
//+---------------------------------------------------------------------------
//
// Function: ChainConvertAuthKeyIdentifierFromV2ToV1
//
// Synopsis: convert authority key identifier from V2 to V1
//
//----------------------------------------------------------------------------
BOOL WINAPIChainConvertAuthKeyIdentifierFromV2ToV1 ( IN PCERT_AUTHORITY_KEY_ID2_INFO pAuthKeyIdentifier2, OUT PCERT_AUTHORITY_KEY_ID_INFO* ppAuthKeyIdentifier ){ DWORD cb; PCERT_AUTHORITY_KEY_ID_INFO pAuthKeyIdentifier; BOOL fExactMatchAvailable = FALSE;
if ( ( pAuthKeyIdentifier2->AuthorityCertIssuer.cAltEntry == 1 ) && ( pAuthKeyIdentifier2->AuthorityCertIssuer.rgAltEntry[0].dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME ) ) { fExactMatchAvailable = TRUE; }
cb = sizeof( CERT_AUTHORITY_KEY_ID_INFO ); cb += pAuthKeyIdentifier2->KeyId.cbData;
if ( fExactMatchAvailable == TRUE ) { cb += pAuthKeyIdentifier2->AuthorityCertIssuer.rgAltEntry[0].DirectoryName.cbData; cb += pAuthKeyIdentifier2->AuthorityCertSerialNumber.cbData; }
pAuthKeyIdentifier = (PCERT_AUTHORITY_KEY_ID_INFO)PkiZeroAlloc(cb); if ( pAuthKeyIdentifier == NULL ) { return( FALSE ); }
pAuthKeyIdentifier->KeyId.cbData = pAuthKeyIdentifier2->KeyId.cbData; pAuthKeyIdentifier->KeyId.pbData = (LPBYTE)pAuthKeyIdentifier + sizeof( CERT_AUTHORITY_KEY_ID_INFO );
memcpy( pAuthKeyIdentifier->KeyId.pbData, pAuthKeyIdentifier2->KeyId.pbData, pAuthKeyIdentifier->KeyId.cbData );
if ( fExactMatchAvailable == TRUE ) { pAuthKeyIdentifier->CertIssuer.cbData = pAuthKeyIdentifier2->AuthorityCertIssuer.rgAltEntry[0].DirectoryName.cbData; pAuthKeyIdentifier->CertIssuer.pbData = pAuthKeyIdentifier->KeyId.pbData + pAuthKeyIdentifier->KeyId.cbData;
memcpy( pAuthKeyIdentifier->CertIssuer.pbData, pAuthKeyIdentifier2->AuthorityCertIssuer.rgAltEntry[0].DirectoryName.pbData, pAuthKeyIdentifier->CertIssuer.cbData );
pAuthKeyIdentifier->CertSerialNumber.cbData = pAuthKeyIdentifier2->AuthorityCertSerialNumber.cbData; pAuthKeyIdentifier->CertSerialNumber.pbData = pAuthKeyIdentifier->CertIssuer.pbData + pAuthKeyIdentifier->CertIssuer.cbData;
memcpy( pAuthKeyIdentifier->CertSerialNumber.pbData, pAuthKeyIdentifier2->AuthorityCertSerialNumber.pbData, pAuthKeyIdentifier->CertSerialNumber.cbData ); }
*ppAuthKeyIdentifier = pAuthKeyIdentifier;
return( TRUE );}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeAuthorityKeyIdentifier
//
// Synopsis: free the authority key identifier
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeAuthorityKeyIdentifier ( IN PCERT_AUTHORITY_KEY_ID_INFO pAuthKeyIdInfo ){ PkiFree(pAuthKeyIdInfo);}
//+---------------------------------------------------------------------------
//
// Function: ChainProcessSpecialOrDuplicateOIDsInUsage
//
// Synopsis: process and removes special or duplicate OIDs from the usage
//
// For szOID_ANY_CERT_POLICY, frees the usage
//
//----------------------------------------------------------------------------
VOID WINAPIChainProcessSpecialOrDuplicateOIDsInUsage ( IN OUT PCERT_ENHKEY_USAGE *ppUsage, IN OUT DWORD *pdwFlags ){ PCERT_ENHKEY_USAGE pUsage = *ppUsage; DWORD dwFlags = *pdwFlags; LPSTR *ppszOID; DWORD cOID; DWORD i;
cOID = pUsage->cUsageIdentifier; ppszOID = pUsage->rgpszUsageIdentifier;
i = 0; while (i < cOID) { BOOL fSpecialOrDuplicate = TRUE; LPSTR pszOID = ppszOID[i];
if (0 == strcmp(pszOID, szOID_ANY_CERT_POLICY)) dwFlags |= CHAIN_ANY_POLICY_FLAG; else { // Check for duplicate OID
DWORD j;
fSpecialOrDuplicate = FALSE; for (j = 0; j < i; j++) { if (0 == strcmp(ppszOID[j], ppszOID[i])) { fSpecialOrDuplicate = TRUE; break; } } }
if (fSpecialOrDuplicate) { // Remove the special or duplicate OID string and move the remaining
// strings up one.
DWORD j;
for (j = i; j + 1 < cOID; j++) ppszOID[j] = ppszOID[j + 1];
cOID--; pUsage->cUsageIdentifier = cOID; } else i++; }
if (dwFlags & CHAIN_ANY_POLICY_FLAG) { PkiFree(pUsage); *ppUsage = NULL; } *pdwFlags = dwFlags;}
//+---------------------------------------------------------------------------
//
// Function: ChainConvertPoliciesToUsage
//
// Synopsis: extract the usage OIDs from the cert policies
//
//----------------------------------------------------------------------------
VOID WINAPIChainConvertPoliciesToUsage ( IN PCERT_POLICIES_INFO pPolicy, IN OUT DWORD *pdwFlags, OUT PCERT_ENHKEY_USAGE *ppUsage ){ PCERT_ENHKEY_USAGE pUsage; LPSTR *ppszOID; DWORD cOID; DWORD i;
cOID = pPolicy->cPolicyInfo;
pUsage = (PCERT_ENHKEY_USAGE) PkiNonzeroAlloc( sizeof(CERT_ENHKEY_USAGE) + sizeof(LPSTR) * cOID);
if (NULL == pUsage) { *pdwFlags |= CHAIN_INVALID_POLICY_FLAG; *ppUsage = NULL; return; }
ppszOID = (LPSTR *) &pUsage[1];
pUsage->cUsageIdentifier = cOID; pUsage->rgpszUsageIdentifier = ppszOID;
for (i = 0; i < cOID; i++) ppszOID[i] = pPolicy->rgPolicyInfo[i].pszPolicyIdentifier;
*ppUsage = pUsage;
ChainProcessSpecialOrDuplicateOIDsInUsage(ppUsage, pdwFlags);}
//+---------------------------------------------------------------------------
//
// Function: ChainRemoveDuplicatePolicyMappings
//
// Synopsis: remove any duplicate mappings
//
//----------------------------------------------------------------------------
VOID WINAPIChainRemoveDuplicatePolicyMappings ( IN OUT PCERT_POLICY_MAPPINGS_INFO pInfo ){ DWORD cMap = pInfo->cPolicyMapping; PCERT_POLICY_MAPPING pMap = pInfo->rgPolicyMapping; DWORD i;
i = 0; while (i < cMap) { DWORD j;
for (j = 0; j < i; j++) { if (0 == strcmp(pMap[i].pszSubjectDomainPolicy, pMap[j].pszSubjectDomainPolicy)) break; }
if (j < i) { // Duplicate
//
// Remove the duplicate mapping and move the remaining
// mappings up one.
for (j = i; j + 1 < cMap; j++) pMap[j] = pMap[j + 1];
cMap--; pInfo->cPolicyMapping = cMap; } else i++; }
}
//+---------------------------------------------------------------------------
//
// Function: ChainGetPoliciesInfo
//
// Synopsis: allocate and return the policies and usage info
//
//----------------------------------------------------------------------------
VOID WINAPIChainGetPoliciesInfo ( IN PCCERT_CONTEXT pCertContext, IN OUT PCHAIN_POLICIES_INFO pPoliciesInfo ){ DWORD cExt = pCertContext->pCertInfo->cExtension; PCERT_EXTENSION rgExt = pCertContext->pCertInfo->rgExtension; DWORD i; DWORD cbData;
for (i = 0; i < CHAIN_ISS_OR_APP_COUNT; i++ ) { PCHAIN_ISS_OR_APP_INFO pInfo = &pPoliciesInfo->rgIssOrAppInfo[i]; PCERT_EXTENSION pExt;
pExt = CertFindExtension( CHAIN_ISS_INDEX == i ? szOID_CERT_POLICIES : szOID_APPLICATION_CERT_POLICIES, cExt, rgExt); if (pExt) { pInfo->pPolicy = (PCERT_POLICIES_INFO) ChainAllocAndDecodeObject( X509_CERT_POLICIES, pExt->Value.pbData, pExt->Value.cbData );
if (NULL == pInfo->pPolicy) pInfo->dwFlags |= CHAIN_INVALID_POLICY_FLAG; else ChainConvertPoliciesToUsage(pInfo->pPolicy, &pInfo->dwFlags, &pInfo->pUsage); } else if (CHAIN_APP_INDEX == i) { pExt = CertFindExtension(szOID_ENHANCED_KEY_USAGE, cExt, rgExt); if (pExt) { pInfo->pUsage = (PCERT_ENHKEY_USAGE) ChainAllocAndDecodeObject( X509_ENHANCED_KEY_USAGE, pExt->Value.pbData, pExt->Value.cbData );
if (NULL == pInfo->pUsage) pInfo->dwFlags |= CHAIN_INVALID_POLICY_FLAG; else ChainProcessSpecialOrDuplicateOIDsInUsage( &pInfo->pUsage, &pInfo->dwFlags); } }
pExt = CertFindExtension( CHAIN_ISS_INDEX == i ? szOID_POLICY_MAPPINGS : szOID_APPLICATION_POLICY_MAPPINGS, cExt, rgExt); if (pExt) { pInfo->pMappings = (PCERT_POLICY_MAPPINGS_INFO) ChainAllocAndDecodeObject( X509_POLICY_MAPPINGS, pExt->Value.pbData, pExt->Value.cbData );
if (NULL == pInfo->pMappings) pInfo->dwFlags |= CHAIN_INVALID_POLICY_FLAG; else ChainRemoveDuplicatePolicyMappings(pInfo->pMappings); }
pExt = CertFindExtension( CHAIN_ISS_INDEX == i ? szOID_POLICY_CONSTRAINTS : szOID_APPLICATION_POLICY_CONSTRAINTS, cExt, rgExt); if (pExt) { pInfo->pConstraints = (PCERT_POLICY_CONSTRAINTS_INFO) ChainAllocAndDecodeObject( X509_POLICY_CONSTRAINTS, pExt->Value.pbData, pExt->Value.cbData );
if (NULL == pInfo->pConstraints) pInfo->dwFlags |= CHAIN_INVALID_POLICY_FLAG; } }
cbData = 0; if (CertGetCertificateContextProperty( pCertContext, CERT_ENHKEY_USAGE_PROP_ID, NULL, // pbData
&cbData ) && 0 != cbData) { BYTE *pbData;
pbData = (BYTE *) PkiNonzeroAlloc(cbData); if (pbData) { if (CertGetCertificateContextProperty( pCertContext, CERT_ENHKEY_USAGE_PROP_ID, pbData, &cbData )) pPoliciesInfo->pPropertyUsage = (PCERT_ENHKEY_USAGE) ChainAllocAndDecodeObject( X509_ENHANCED_KEY_USAGE, pbData, cbData );
PkiFree(pbData); }
if (NULL == pPoliciesInfo->pPropertyUsage) pPoliciesInfo->rgIssOrAppInfo[CHAIN_APP_INDEX].dwFlags |= CHAIN_INVALID_POLICY_FLAG; }}
//+---------------------------------------------------------------------------
//
// Function: ChainFreePoliciesInfo
//
// Synopsis: free the policies and usage info
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreePoliciesInfo ( IN OUT PCHAIN_POLICIES_INFO pPoliciesInfo ){ DWORD i;
for (i = 0; i < CHAIN_ISS_OR_APP_COUNT; i++ ) { PCHAIN_ISS_OR_APP_INFO pInfo = &pPoliciesInfo->rgIssOrAppInfo[i];
PkiFree(pInfo->pPolicy); PkiFree(pInfo->pUsage); PkiFree(pInfo->pMappings); PkiFree(pInfo->pConstraints); }
PkiFree(pPoliciesInfo->pPropertyUsage);}
//+---------------------------------------------------------------------------
//
// Function: ChainGetBasicConstraintsInfo
//
// Synopsis: alloc and return the basic constraints info.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetBasicConstraintsInfo ( IN PCCERT_CONTEXT pCertContext, IN OUT PCERT_BASIC_CONSTRAINTS2_INFO *ppInfo ){ BOOL fResult; PCERT_EXTENSION pExt; PCERT_BASIC_CONSTRAINTS2_INFO pInfo = NULL; PCERT_BASIC_CONSTRAINTS_INFO pLegacyInfo = NULL;
pExt = CertFindExtension( szOID_BASIC_CONSTRAINTS2, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension );
if (pExt) { pInfo = (PCERT_BASIC_CONSTRAINTS2_INFO) ChainAllocAndDecodeObject( X509_BASIC_CONSTRAINTS2, pExt->Value.pbData, pExt->Value.cbData ); if (NULL == pInfo) goto DecodeError; } else { // Try to find the legacy extension
pExt = CertFindExtension( szOID_BASIC_CONSTRAINTS, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension );
if (pExt) { pLegacyInfo = (PCERT_BASIC_CONSTRAINTS_INFO) ChainAllocAndDecodeObject( X509_BASIC_CONSTRAINTS, pExt->Value.pbData, pExt->Value.cbData ); if (NULL == pLegacyInfo) goto DecodeError;
// Convert to new format
pInfo = (PCERT_BASIC_CONSTRAINTS2_INFO) PkiZeroAlloc( sizeof(CERT_BASIC_CONSTRAINTS2_INFO)); if (NULL == pInfo) goto OutOfMemory;
if (pLegacyInfo->SubjectType.cbData > 0 && (pLegacyInfo->SubjectType.pbData[0] & CERT_CA_SUBJECT_FLAG)) { pInfo->fCA = TRUE; pInfo->fPathLenConstraint = pLegacyInfo->fPathLenConstraint; pInfo->dwPathLenConstraint = pLegacyInfo->dwPathLenConstraint; } } }
fResult = TRUE;CommonReturn: if (pLegacyInfo) PkiFree(pLegacyInfo); *ppInfo = pInfo; return fResult;
ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(DecodeError)TRACE_ERROR(OutOfMemory)}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeBasicConstraintsInfo
//
// Synopsis: free the basic constraints info
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeBasicConstraintsInfo ( IN OUT PCERT_BASIC_CONSTRAINTS2_INFO pInfo ){ PkiFree(pInfo);}
//+---------------------------------------------------------------------------
//
// Function: ChainGetKeyUsage
//
// Synopsis: alloc and return the key usage.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetKeyUsage ( IN PCCERT_CONTEXT pCertContext, IN OUT PCRYPT_BIT_BLOB *ppKeyUsage ){ BOOL fResult; PCERT_EXTENSION pExt; PCRYPT_BIT_BLOB pKeyUsage = NULL;
pExt = CertFindExtension( szOID_KEY_USAGE, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension );
if (pExt) { pKeyUsage = (PCRYPT_BIT_BLOB) ChainAllocAndDecodeObject( X509_KEY_USAGE, pExt->Value.pbData, pExt->Value.cbData ); if (NULL == pKeyUsage) goto DecodeError; }
fResult = TRUE;CommonReturn: *ppKeyUsage = pKeyUsage; return fResult;
ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(DecodeError)}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeKeyUsage
//
// Synopsis: free the key usage
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeKeyUsage ( IN OUT PCRYPT_BIT_BLOB pKeyUsage ){ PkiFree(pKeyUsage);}
//+---------------------------------------------------------------------------
//
// Function: ChainGetSelfSignedStatus
//
// Synopsis: return status bits specifying if the certificate is self signed
// and if so, if it is signature valid
//
//----------------------------------------------------------------------------
VOID WINAPIChainGetSelfSignedStatus ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERTOBJECT pCertObject, IN OUT DWORD *pdwIssuerStatusFlags ){ DWORD dwInfoStatus = 0;
// If the certificate has an AKI, then, ignore name matching
if (ChainGetMatchInfoStatus(pCertObject, pCertObject, &dwInfoStatus) && (CERT_TRUST_HAS_NAME_MATCH_ISSUER != dwInfoStatus)) {
*pdwIssuerStatusFlags |= CERT_ISSUER_SELF_SIGNED_FLAG;
if (CryptVerifyCertificateSignatureEx( NULL, // hCryptProv
X509_ASN_ENCODING, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *) pCertObject->CertContext(), CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *) pCertObject->CertContext(), 0, // dwFlags
NULL // pvReserved
)) *pdwIssuerStatusFlags |= CERT_ISSUER_VALID_SIGNATURE_FLAG;
CertPerfIncrementChainVerifyCertSignatureCount(); }}
//+---------------------------------------------------------------------------
//
// Function: ChainGetRootStoreStatus
//
// Synopsis: determine if the certificate with the given hash is in the
// root store
//
// Assumption: Chain engine is locked once in the calling thread.
//----------------------------------------------------------------------------
VOID WINAPIChainGetRootStoreStatus ( IN HCERTSTORE hRoot, IN HCERTSTORE hRealRoot, IN BYTE rgbCertHash[ CHAINHASHLEN ], IN OUT DWORD *pdwIssuerStatusFlags ){ CRYPT_HASH_BLOB HashBlob; PCCERT_CONTEXT pCertContext;
HashBlob.cbData = CHAINHASHLEN; HashBlob.pbData = rgbCertHash; pCertContext = CertFindCertificateInStore( hRoot, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_MD5_HASH, (LPVOID) &HashBlob, NULL );
if ( pCertContext ) { CertFreeCertificateContext( pCertContext );
if ( hRoot == hRealRoot ) { *pdwIssuerStatusFlags |= CERT_ISSUER_TRUSTED_ROOT_FLAG; return; }
pCertContext = CertFindCertificateInStore( hRealRoot, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_MD5_HASH, (LPVOID) &HashBlob, NULL );
if ( pCertContext ) { CertFreeCertificateContext( pCertContext ); *pdwIssuerStatusFlags |= CERT_ISSUER_TRUSTED_ROOT_FLAG; } }}
//+===========================================================================
// CCertObjectCache helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainCreateCertificateObjectCache
//
// Synopsis: create certificate object cache object
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateCertificateObjectCache ( IN DWORD MaxIndexEntries, OUT PCCERTOBJECTCACHE* ppCertObjectCache ){ BOOL fResult = FALSE; PCCERTOBJECTCACHE pCertObjectCache = NULL;
pCertObjectCache = new CCertObjectCache( MaxIndexEntries, fResult ); if ( pCertObjectCache != NULL ) { if ( fResult == TRUE ) { *ppCertObjectCache = pCertObjectCache; } else { delete pCertObjectCache; } } else { SetLastError( (DWORD) E_OUTOFMEMORY ); }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeCertificateObjectCache
//
// Synopsis: free the certificate object cache object
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeCertificateObjectCache ( IN PCCERTOBJECTCACHE pCertObjectCache ){ delete pCertObjectCache;}
//+---------------------------------------------------------------------------
//
// Function: CertObjectCacheOnRemovalFromPrimaryIndex
//
// Synopsis: removes the cert object from all other indexes and also
// removes the reference on the cert object.
//
//----------------------------------------------------------------------------
VOID WINAPICertObjectCacheOnRemovalFromPrimaryIndex ( IN LPVOID pv, IN OPTIONAL LPVOID pvRemovalContext ){ PCCERTOBJECT pCertObject = (PCCERTOBJECT) pv;
I_CryptRemoveLruEntry( pCertObject->IdentifierIndexEntry(), LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptRemoveLruEntry( pCertObject->SubjectNameIndexEntry(), LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptRemoveLruEntry( pCertObject->KeyIdIndexEntry(), LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
I_CryptRemoveLruEntry( pCertObject->PublicKeyHashIndexEntry(), LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL );
pCertObject->Release();
CertPerfDecrementChainCertCacheCount();}
//+---------------------------------------------------------------------------
//
// Function: CertObjectCacheOnRemovalFromEndHashIndex
//
// Synopsis: removes the reference on the end cert object.
//
//----------------------------------------------------------------------------
VOID WINAPICertObjectCacheOnRemovalFromEndHashIndex ( IN LPVOID pv, IN LPVOID pvRemovalContext ){ PCCERTOBJECT pCertObject = (PCCERTOBJECT) pv;
pCertObject->Release();
CertPerfDecrementChainCertCacheCount();}
//+---------------------------------------------------------------------------
//
// Function: CertObjectCacheHashMd5Identifier
//
// Synopsis: DWORD hash an MD5 identifier. This is done by taking the
// first four bytes of the MD5 hash since there is enough
// randomness already
//
//----------------------------------------------------------------------------
DWORD WINAPICertObjectCacheHashMd5Identifier ( IN PCRYPT_DATA_BLOB pIdentifier ){ if ( sizeof(DWORD) > pIdentifier->cbData ) { return 0; } else { return( *( (DWORD UNALIGNED *)pIdentifier->pbData ) ); }}
//+---------------------------------------------------------------------------
//
// Function: CertObjectCacheHashNameIdentifier
//
// Synopsis: DWORD hash a subject or issuer name.
//
//----------------------------------------------------------------------------
DWORD WINAPICertObjectCacheHashNameIdentifier ( IN PCRYPT_DATA_BLOB pIdentifier ){ DWORD dwHash = 0; DWORD cb = pIdentifier->cbData; LPBYTE pb = pIdentifier->pbData;
while ( cb-- ) { if ( dwHash & 0x80000000 ) { dwHash = ( dwHash << 1 ) | 1; } else { dwHash = dwHash << 1; }
dwHash += *pb++; }
return( dwHash );}
//+---------------------------------------------------------------------------
//
// Function: ChainCreateCertificateObjectIdentifier
//
// Synopsis: create an object identifier given the issuer name and serial
// number. This is done using an MD5 hash over the content
//
//----------------------------------------------------------------------------
VOID WINAPIChainCreateCertificateObjectIdentifier ( IN PCERT_NAME_BLOB pIssuer, IN PCRYPT_INTEGER_BLOB pSerialNumber, OUT CERT_OBJECT_IDENTIFIER ObjectIdentifier ){ MD5_CTX md5ctx;
MD5Init( &md5ctx );
MD5Update( &md5ctx, pIssuer->pbData, pIssuer->cbData ); MD5Update( &md5ctx, pSerialNumber->pbData, pSerialNumber->cbData );
MD5Final( &md5ctx );
assert(CHAINHASHLEN == MD5DIGESTLEN);
memcpy( ObjectIdentifier, md5ctx.digest, CHAINHASHLEN );}
//+===========================================================================
// CChainPathObject helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainCreatePathObject
//
// Synopsis: create a path object, note since it is a ref-counted
// object, freeing occurs by doing a pCertObject->Release
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreatePathObject ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERTOBJECT pCertObject, IN OPTIONAL HCERTSTORE hAdditionalStore, OUT PCCHAINPATHOBJECT *ppPathObject ){ BOOL fResult = TRUE; BOOL fAddedToCreationCache = TRUE; PCCHAINPATHOBJECT pPathObject = NULL;
pPathObject = pCallContext->FindPathObjectInCreationCache( pCertObject->CertHash() ); if ( pPathObject != NULL ) { *ppPathObject = pPathObject; return( TRUE ); }
pPathObject = new CChainPathObject( pCallContext, FALSE, // fCyclic
(LPVOID) pCertObject, hAdditionalStore, fResult, fAddedToCreationCache );
if ( pPathObject != NULL ) { if (!fResult) { if (!fAddedToCreationCache) { delete pPathObject; } pPathObject = NULL; } } else { fResult = FALSE; }
*ppPathObject = pPathObject; return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainCreateCyclicPathObject
//
// Synopsis: create a path object, note since it is a ref-counted
// object, freeing occurs by doing a pCertObject->Release
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateCyclicPathObject ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCHAINPATHOBJECT pPathObject, OUT PCCHAINPATHOBJECT *ppCyclicPathObject ){ BOOL fResult = TRUE; BOOL fAddedToCreationCache = TRUE; PCCHAINPATHOBJECT pCyclicPathObject = NULL;
pCyclicPathObject = new CChainPathObject( pCallContext, TRUE, // fCyclic
(LPVOID) pPathObject, NULL, // hAdditionalStore
fResult, fAddedToCreationCache );
if ( pCyclicPathObject != NULL ) { if (!fResult) { if (!fAddedToCreationCache) { delete pCyclicPathObject; } pCyclicPathObject = NULL; } } else { fResult = FALSE; }
*ppCyclicPathObject = pCyclicPathObject; return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainDeleteCyclicPathObject
//
// Synopsis: delete a previously created cyclic path object.
// Also, remove the creation cache.
//
//----------------------------------------------------------------------------
VOID WINAPIChainDeleteCyclicPathObject ( IN PCCHAINCALLCONTEXT pCallContext, IN OUT PCCHAINPATHOBJECT pCyclicPathObject ){ pCallContext->RemovePathObjectFromCreationCache(pCyclicPathObject);}
//+---------------------------------------------------------------------------
//
// Function: ChainAllocAndCopyOID
//
// Synopsis: allocate and copy OID
//
//----------------------------------------------------------------------------
LPSTR WINAPIChainAllocAndCopyOID ( IN LPSTR pszSrcOID ){ DWORD cchOID; LPSTR pszDstOID;
cchOID = strlen(pszSrcOID) + 1; pszDstOID = (LPSTR) PkiNonzeroAlloc(cchOID); if (NULL == pszDstOID) return NULL;
memcpy(pszDstOID, pszSrcOID, cchOID); return pszDstOID;}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeOID
//
// Synopsis: free allocated OID
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeOID ( IN OUT LPSTR pszOID ){ PkiFree(pszOID);}
//+---------------------------------------------------------------------------
//
// Function: ChainAllocAndCopyUsage
//
// Synopsis: allocates and copies usage OIDs.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainAllocAndCopyUsage ( IN PCERT_ENHKEY_USAGE pSrcUsage, OUT PCERT_ENHKEY_USAGE *ppDstUsage ){ BOOL fResult; PCERT_ENHKEY_USAGE pDstUsage = NULL; DWORD cOID; LPSTR *ppszDstOID; DWORD i;
if (NULL == pSrcUsage) goto SuccessReturn;
cOID = pSrcUsage->cUsageIdentifier;
pDstUsage = (PCERT_ENHKEY_USAGE) PkiZeroAlloc( sizeof(CERT_ENHKEY_USAGE) + sizeof(LPSTR) * cOID); if (NULL == pDstUsage) goto OutOfMemory;
ppszDstOID = (LPSTR *) &pDstUsage[1];
pDstUsage->cUsageIdentifier = cOID; pDstUsage->rgpszUsageIdentifier = ppszDstOID;
for (i = 0; i < cOID; i++) { ppszDstOID[i] = ChainAllocAndCopyOID(pSrcUsage->rgpszUsageIdentifier[i]); if (NULL == ppszDstOID[i]) goto OutOfMemory; }
SuccessReturn: fResult = TRUE;CommonReturn: *ppDstUsage = pDstUsage; return fResult;
ErrorReturn: if (pDstUsage) { ChainFreeUsage(pDstUsage); pDstUsage = NULL; } fResult = FALSE; goto CommonReturn;
SET_ERROR(OutOfMemory, E_OUTOFMEMORY)}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeUsage
//
// Synopsis: frees usage OIDs allocated by ChainAllocAndCopyUsage
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeUsage ( IN OUT PCERT_ENHKEY_USAGE pUsage ){ if (pUsage) { DWORD cOID = pUsage->cUsageIdentifier; LPSTR *ppszOID = pUsage->rgpszUsageIdentifier; DWORD i;
for (i = 0; i < cOID; i++) ChainFreeOID(ppszOID[i]);
PkiFree(pUsage); }}
//+---------------------------------------------------------------------------
//
// Function: ChainIsOIDInUsage
//
// Synopsis: returns TRUE if the OID is in the usage
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsOIDInUsage ( IN LPSTR pszOID, IN PCERT_ENHKEY_USAGE pUsage ){ DWORD cOID; DWORD i;
assert(pUsage);
cOID = pUsage->cUsageIdentifier; for (i = 0; i < cOID; i++){ if (0 == strcmp(pszOID, pUsage->rgpszUsageIdentifier[i])) return TRUE; }
return FALSE;}
//+---------------------------------------------------------------------------
//
// Function: ChainIntersectUsages
//
// Synopsis: returns the intersection of the two usages
//
//----------------------------------------------------------------------------
VOID WINAPIChainIntersectUsages ( IN PCERT_ENHKEY_USAGE pCertUsage, IN OUT PCERT_ENHKEY_USAGE pRestrictedUsage ){ LPSTR *ppszOID; DWORD cOID; DWORD i; cOID = pRestrictedUsage->cUsageIdentifier; ppszOID = pRestrictedUsage->rgpszUsageIdentifier; i = 0; while (i < cOID) { if (ChainIsOIDInUsage(ppszOID[i], pCertUsage)) i++; else { // Remove the OID string and move the remaining
// strings up one.
DWORD j;
ChainFreeOID(ppszOID[i]);
for (j = i; j + 1 < cOID; j++) ppszOID[j] = ppszOID[j + 1];
cOID--; pRestrictedUsage->cUsageIdentifier = cOID; } }}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeAndClearRestrictedUsageInfo
//
// Synopsis: frees allocated restricted usage info
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeAndClearRestrictedUsageInfo( IN OUT PCHAIN_RESTRICTED_USAGE_INFO pInfo ){ ChainFreeUsage(pInfo->pIssuanceRestrictedUsage); ChainFreeUsage(pInfo->pIssuanceMappedUsage); PkiFree(pInfo->rgdwIssuanceMappedIndex); // fRequireIssuancePolicy
ChainFreeUsage(pInfo->pApplicationRestrictedUsage); ChainFreeUsage(pInfo->pApplicationMappedUsage); PkiFree(pInfo->rgdwApplicationMappedIndex);
ChainFreeUsage(pInfo->pPropertyRestrictedUsage);
memset(pInfo, 0, sizeof(*pInfo));} //+---------------------------------------------------------------------------
//
// Function: ChainCalculateRestrictedUsage
//
// Synopsis: update the restricted and mapped usage using the cert's
// usage and optional policy mappings
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCalculateRestrictedUsage ( IN PCERT_ENHKEY_USAGE pCertUsage, IN OPTIONAL PCERT_POLICY_MAPPINGS_INFO pMappings, IN OUT PCERT_ENHKEY_USAGE *ppRestrictedUsage, IN OUT PCERT_ENHKEY_USAGE *ppMappedUsage, IN OUT LPDWORD *ppdwMappedIndex ){ BOOL fResult; PCERT_ENHKEY_USAGE pNewMappedUsage = NULL; LPDWORD pdwNewMappedIndex = NULL;
if (pCertUsage) { if (NULL == *ppRestrictedUsage) { // Top most, first certificate with a usage restriction
assert(NULL == *ppMappedUsage); assert(NULL == *ppdwMappedIndex);
if (!ChainAllocAndCopyUsage(pCertUsage, ppRestrictedUsage)) goto AllocAndCopyUsageError; } else { PCERT_ENHKEY_USAGE pRestrictedUsage = *ppRestrictedUsage; PCERT_ENHKEY_USAGE pMappedUsage = *ppMappedUsage; if (NULL == pMappedUsage) { // Take the intersection of the restricted and cert's
// usage
ChainIntersectUsages(pCertUsage, pRestrictedUsage);
} else { // Take the intersection of the mapped and cert's
// usage. If removed from the mapped usage,
// we might also need to remove from the restricted usage.
LPDWORD pdwMappedIndex = *ppdwMappedIndex; LPSTR *ppszOID; DWORD cOID; DWORD i;
assert(pdwMappedIndex);
cOID = pMappedUsage->cUsageIdentifier; ppszOID = pMappedUsage->rgpszUsageIdentifier; i = 0; while (i < cOID) { if (ChainIsOIDInUsage(ppszOID[i], pCertUsage)) i++; else { // If no other mappings to the restricted OID, then,
// remove the restricted OID.
DWORD j; BOOL fRemoveRestricted;
if ((0 == i || pdwMappedIndex[i - 1] != pdwMappedIndex[i]) && (i + 1 == cOID || pdwMappedIndex[i] != pdwMappedIndex[i + 1])) { // Remove the restricted OID we are mapped to.
LPSTR *ppszRestrictedOID = pRestrictedUsage->rgpszUsageIdentifier; DWORD cRestrictedOID = pRestrictedUsage->cUsageIdentifier;
fRemoveRestricted = TRUE;
j = pdwMappedIndex[i]; assert(j < cRestrictedOID);
if (j < cRestrictedOID) ChainFreeOID(ppszRestrictedOID[j]);
for ( ; j + 1 < cRestrictedOID; j++) ppszRestrictedOID[j] = ppszRestrictedOID[j + 1];
cRestrictedOID--; pRestrictedUsage->cUsageIdentifier = cRestrictedOID; } else fRemoveRestricted = FALSE;
// Remove the OID string and mapped index. Move the
// remaining strings and indices up one.
ChainFreeOID(ppszOID[i]);
for (j = i; j + 1 < cOID; j++) { ppszOID[j] = ppszOID[j + 1]; pdwMappedIndex[j] = pdwMappedIndex[j + 1]; if (fRemoveRestricted) { assert(0 < pdwMappedIndex[j]); pdwMappedIndex[j] -= 1; } }
cOID--; pMappedUsage->cUsageIdentifier = cOID; } } } } } // else
// No restrictions added by certificate
if (pMappings) { PCERT_ENHKEY_USAGE pRestrictedUsage = *ppRestrictedUsage; PCERT_ENHKEY_USAGE pMappedUsage = *ppMappedUsage;
if (NULL == pRestrictedUsage || 0 == pRestrictedUsage->cUsageIdentifier) { // Nothing to be mapped.
assert(NULL == pMappedUsage || 0 == pMappedUsage->cUsageIdentifier); } else { LPDWORD pdwMappedIndex; PCERT_ENHKEY_USAGE pSrcUsage; LPSTR *ppszSrcOID; DWORD cSrcOID; DWORD iSrc;
DWORD cMap; PCERT_POLICY_MAPPING pMap;
DWORD cNewOID; LPSTR *ppszNewOID;
if (pMappedUsage) { // Subsequent mapping
assert(0 < pMappedUsage->cUsageIdentifier); pSrcUsage = pMappedUsage; pdwMappedIndex = *ppdwMappedIndex; assert(pdwMappedIndex); } else { // First mapping
pSrcUsage = pRestrictedUsage; pdwMappedIndex = NULL; }
cSrcOID = pSrcUsage->cUsageIdentifier; ppszSrcOID = pSrcUsage->rgpszUsageIdentifier;
cMap = pMappings->cPolicyMapping; pMap = pMappings->rgPolicyMapping;
// Note, all duplicates have been remove from usage and
// mappings
cNewOID = cSrcOID + cMap;
pNewMappedUsage = (PCERT_ENHKEY_USAGE) PkiZeroAlloc( sizeof(CERT_ENHKEY_USAGE) + sizeof(LPSTR) * cNewOID); if (NULL == pNewMappedUsage) goto OutOfMemory;
ppszNewOID = (LPSTR *) &pNewMappedUsage[1]; pNewMappedUsage->cUsageIdentifier = cNewOID; pNewMappedUsage->rgpszUsageIdentifier = ppszNewOID;
pdwNewMappedIndex = (LPDWORD) PkiZeroAlloc( sizeof(DWORD) * cNewOID); if (NULL == pdwNewMappedIndex) goto OutOfMemory;
cNewOID = 0; for (iSrc = 0; iSrc < cSrcOID; iSrc++) { DWORD iMap; BOOL fMapped = FALSE;
for (iMap = 0; iMap < cMap; iMap++) { if (0 == strcmp(ppszSrcOID[iSrc], pMap[iMap].pszIssuerDomainPolicy)) { assert(cNewOID < pNewMappedUsage->cUsageIdentifier);
ppszNewOID[cNewOID] = ChainAllocAndCopyOID( pMap[iMap].pszSubjectDomainPolicy); if (NULL == ppszNewOID[cNewOID]) goto OutOfMemory;
if (pdwMappedIndex) pdwNewMappedIndex[cNewOID] = pdwMappedIndex[iSrc]; else pdwNewMappedIndex[cNewOID] = iSrc; cNewOID++; fMapped = TRUE; } }
if (!fMapped) { assert(cNewOID < pNewMappedUsage->cUsageIdentifier);
ppszNewOID[cNewOID] = ChainAllocAndCopyOID(ppszSrcOID[iSrc]); if (NULL == ppszNewOID[cNewOID]) goto OutOfMemory; if (pdwMappedIndex) pdwNewMappedIndex[cNewOID] = pdwMappedIndex[iSrc]; else pdwNewMappedIndex[cNewOID] = iSrc;
cNewOID++;
} }
assert(cNewOID >= cSrcOID); pNewMappedUsage->cUsageIdentifier = cNewOID;
if (pMappedUsage) { ChainFreeUsage(pMappedUsage); PkiFree(pdwMappedIndex); }
*ppMappedUsage = pNewMappedUsage; *ppdwMappedIndex = pdwNewMappedIndex;
} }
fResult = TRUE;
CommonReturn: return fResult;ErrorReturn: ChainFreeUsage(pNewMappedUsage); PkiFree(pdwNewMappedIndex); fResult = FALSE; goto CommonReturn;
TRACE_ERROR(AllocAndCopyUsageError)TRACE_ERROR(OutOfMemory)}
//+---------------------------------------------------------------------------
//
// Function: ChainGetUsageStatus
//
// Synopsis: get the usage status
//
//----------------------------------------------------------------------------
VOID WINAPIChainGetUsageStatus ( IN PCERT_ENHKEY_USAGE pRequestedUsage, IN PCERT_ENHKEY_USAGE pAvailableUsage, IN DWORD dwMatchType, IN OUT PCERT_TRUST_STATUS pStatus ){ DWORD cRequested; DWORD cAvailable; DWORD cFound; BOOL fFound;
if ( pAvailableUsage == NULL ) { return; }
if ( ( pRequestedUsage->cUsageIdentifier > pAvailableUsage->cUsageIdentifier ) && ( dwMatchType == USAGE_MATCH_TYPE_AND ) ) { pStatus->dwErrorStatus |= CERT_TRUST_IS_NOT_VALID_FOR_USAGE; return; }
for ( cRequested = 0, cFound = 0; cRequested < pRequestedUsage->cUsageIdentifier; cRequested++ ) { for ( cAvailable = 0, fFound = FALSE; ( cAvailable < pAvailableUsage->cUsageIdentifier ) && ( fFound == FALSE ); cAvailable++ ) { // NOTE: Optimize compares of OIDs. Perhaps with a different
// encoding
if ( strcmp( pRequestedUsage->rgpszUsageIdentifier[ cRequested ], pAvailableUsage->rgpszUsageIdentifier[ cAvailable ] ) == 0 ) { fFound = TRUE; } }
if ( fFound == TRUE ) { cFound += 1; } }
if ( ( dwMatchType == USAGE_MATCH_TYPE_AND ) && ( cFound != pRequestedUsage->cUsageIdentifier ) ) { pStatus->dwErrorStatus |= CERT_TRUST_IS_NOT_VALID_FOR_USAGE; } else if ( ( dwMatchType == USAGE_MATCH_TYPE_OR ) && ( cFound == 0 ) ) { pStatus->dwErrorStatus |= CERT_TRUST_IS_NOT_VALID_FOR_USAGE; }}
//+---------------------------------------------------------------------------
//
// Function: ChainOrInStatusBits
//
// Synopsis: bit or in the status bits from the source into the destination
//
//----------------------------------------------------------------------------
VOID WINAPIChainOrInStatusBits ( IN PCERT_TRUST_STATUS pDestStatus, IN PCERT_TRUST_STATUS pSourceStatus ){ pDestStatus->dwErrorStatus |= pSourceStatus->dwErrorStatus; pDestStatus->dwInfoStatus |= pSourceStatus->dwInfoStatus;}
//+---------------------------------------------------------------------------
//
// Function: ChainGetMatchInfoStatus
//
// Synopsis: return the info status used to match the issuer
//
// For a match returns TRUE, where dwInfoStatus can be
// one of the following:
// - CERT_TRUST_HAS_EXACT_MATCH_ISSUER |
// CERT_TRUST_HAS_PREFERRED_ISSUER
// - CERT_TRUST_HAS_KEY_MATCH_ISSUER |
// CERT_TRUST_HAS_PREFERRED_ISSUER
// - CERT_TRUST_HAS_KEY_MATCH_ISSUER (nonmatching AKI exact match)
// - CERT_TRUST_HAS_NAME_MATCH_ISSUER |
// CERT_TRUST_HAS_PREFERRED_ISSUER
// - CERT_TRUST_HAS_NAME_MATCH_ISSUER (nonmatching AKI)
//
// For no match returns FALSE with dwInfoStatus set to the
// following:
// - CERT_TRUST_HAS_KEY_MATCH_ISSUER
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetMatchInfoStatus ( IN PCCERTOBJECT pIssuerObject, IN PCCERTOBJECT pSubjectObject, IN OUT DWORD *pdwInfoStatus ){ BOOL fResult = FALSE; DWORD dwInfoStatus = 0; DWORD dwPreferredStatus = CERT_TRUST_HAS_PREFERRED_ISSUER;
PCERT_INFO pSubjectInfo = pSubjectObject->CertContext()->pCertInfo; PCERT_AUTHORITY_KEY_ID_INFO pAKI = pSubjectObject->AuthorityKeyIdentifier(); PCERT_INFO pIssuerInfo = pIssuerObject->CertContext()->pCertInfo;
if (pAKI) { if ( ( pAKI->CertIssuer.cbData != 0 ) && ( pAKI->CertSerialNumber.cbData != 0 ) ) { DWORD cbAuthIssuerName; LPBYTE pbAuthIssuerName; DWORD cbAuthSerialNumber; LPBYTE pbAuthSerialNumber;
cbAuthIssuerName = pAKI->CertIssuer.cbData; pbAuthIssuerName = pAKI->CertIssuer.pbData; cbAuthSerialNumber = pAKI->CertSerialNumber.cbData; pbAuthSerialNumber = pAKI->CertSerialNumber.pbData;
if ( ( cbAuthIssuerName == pIssuerInfo->Issuer.cbData ) && ( memcmp( pbAuthIssuerName, pIssuerInfo->Issuer.pbData, cbAuthIssuerName ) == 0 ) && ( cbAuthSerialNumber == pIssuerInfo->SerialNumber.cbData ) && ( memcmp( pbAuthSerialNumber, pIssuerInfo->SerialNumber.pbData, cbAuthSerialNumber ) == 0 ) ) { dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER | CERT_TRUST_HAS_PREFERRED_ISSUER; goto SuccessReturn; } else { // Doesn't have preferred match
dwPreferredStatus = 0; } }
if ( pAKI->KeyId.cbData != 0 ) { DWORD cbAuthKeyIdentifier; LPBYTE pbAuthKeyIdentifier; DWORD cbIssuerKeyIdentifier; LPBYTE pbIssuerKeyIdentifier;
cbAuthKeyIdentifier = pAKI->KeyId.cbData; pbAuthKeyIdentifier = pAKI->KeyId.pbData; cbIssuerKeyIdentifier = pIssuerObject->KeyIdentifierSize(); pbIssuerKeyIdentifier = pIssuerObject->KeyIdentifier();
if ( ( cbAuthKeyIdentifier == cbIssuerKeyIdentifier ) && ( memcmp( pbAuthKeyIdentifier, pbIssuerKeyIdentifier, cbAuthKeyIdentifier ) == 0 ) ) { dwInfoStatus = dwPreferredStatus | CERT_TRUST_HAS_KEY_MATCH_ISSUER; goto SuccessReturn; } else { // Doesn't have preferred match
dwPreferredStatus = 0; } } }
if ( ( pSubjectInfo->Issuer.cbData == pIssuerInfo->Subject.cbData ) && ( pSubjectInfo->Issuer.cbData != 0) && ( memcmp( pSubjectInfo->Issuer.pbData, pIssuerInfo->Subject.pbData, pIssuerInfo->Subject.cbData ) == 0 ) ) { dwInfoStatus = dwPreferredStatus | CERT_TRUST_HAS_NAME_MATCH_ISSUER; goto SuccessReturn; }
// Default to nonPreferred public key match
dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER; goto ErrorReturn;
SuccessReturn: fResult = TRUE;CommonReturn: *pdwInfoStatus |= dwInfoStatus; return fResult;
ErrorReturn: fResult = FALSE; goto CommonReturn;}
//+---------------------------------------------------------------------------
//
// Function: ChainGetMatchInfoStatusForNoIssuer
//
// Synopsis: return the info status when unable to find our issuer
//
//----------------------------------------------------------------------------
DWORD WINAPIChainGetMatchInfoStatusForNoIssuer ( IN DWORD dwIssuerMatchFlags ){ if (dwIssuerMatchFlags & CERT_EXACT_ISSUER_MATCH_FLAG) return CERT_TRUST_HAS_EXACT_MATCH_ISSUER; else if (dwIssuerMatchFlags & CERT_KEYID_ISSUER_MATCH_TYPE) return CERT_TRUST_HAS_KEY_MATCH_ISSUER; else return CERT_TRUST_HAS_NAME_MATCH_ISSUER;}
//+---------------------------------------------------------------------------
//
// Function: ChainIsValidPubKeyMatchForIssuer
//
// Synopsis: returns TRUE if the issuer matches more than just the
// public key match criteria
//
// This logic is mainly here to handle tstore2.exe and regress.bat
// which has end, CA and root certificates using the same
// public key.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsValidPubKeyMatchForIssuer ( IN PCCERTOBJECT pIssuer, IN PCCERTOBJECT pSubject ){ BOOL fResult = TRUE; BOOL fCheckMatchInfo; PCERT_BASIC_CONSTRAINTS2_INFO pIssuerBasicConstraints;
fCheckMatchInfo = FALSE;
// Check if the issuer has a basic constraints extension. If it does
// and it isn't a CA, then, we will need to do an additional issuer match.
pIssuerBasicConstraints = pIssuer->BasicConstraintsInfo(); if (pIssuerBasicConstraints && !pIssuerBasicConstraints->fCA) fCheckMatchInfo = TRUE; else { // Check if the issuer has the same public key as the subject. If it
// does, then, will need to do an additional issuer match.
BYTE *pbIssuerPublicKeyHash; BYTE *pbSubjectPublicKeyHash;
pbIssuerPublicKeyHash = pIssuer->PublicKeyHash(); pbSubjectPublicKeyHash = pSubject->PublicKeyHash(); if (0 == memcmp(pbIssuerPublicKeyHash, pbSubjectPublicKeyHash, CHAINHASHLEN)) fCheckMatchInfo = TRUE; }
if (fCheckMatchInfo) { // Check that the issuer matches the subject's AKI or subject's
// issuer name.
DWORD dwInfoStatus = 0;
// Following returns FALSE if only has the public key match
fResult = ChainGetMatchInfoStatus(pIssuer, pSubject, &dwInfoStatus); }
return fResult;}
//+---------------------------------------------------------------------------
//
// Function: ChainGetSubjectStatus
//
// Synopsis: get the subject status bits by checking the time nesting and
// signature validity
//
// For CERT_END_OBJECT_TYPE or CERT_EXTERNAL_ISSUER_OBJECT_TYPE
// CCertObject types, leaves the engine's critical section to
// verify the signature. If the engine was touched by another
// thread, it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetSubjectStatus ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCHAINPATHOBJECT pIssuerPathObject, IN PCCHAINPATHOBJECT pSubjectPathObject, IN OUT PCERT_TRUST_STATUS pStatus ){ BOOL fResult;
PCCERTOBJECT pIssuerObject = pIssuerPathObject->CertObject(); PCCERTOBJECT pSubjectObject = pSubjectPathObject->CertObject(); PCCERT_CONTEXT pIssuerContext = pIssuerObject->CertContext(); PCCERT_CONTEXT pSubjectContext = pSubjectObject->CertContext();
DWORD dwIssuerStatusFlags;
ChainGetMatchInfoStatus( pIssuerObject, pSubjectObject, &pStatus->dwInfoStatus );
dwIssuerStatusFlags = pSubjectObject->IssuerStatusFlags(); if (!(dwIssuerStatusFlags & CERT_ISSUER_VALID_SIGNATURE_FLAG)) { DWORD dwObjectType;
dwObjectType = pSubjectObject->ObjectType(); if (CERT_END_OBJECT_TYPE == dwObjectType || CERT_EXTERNAL_ISSUER_OBJECT_TYPE == dwObjectType) pCallContext->ChainEngine()->UnlockEngine();
fResult = CryptVerifyCertificateSignatureEx( NULL, // hCryptProv
X509_ASN_ENCODING, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *) pSubjectContext, CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *) pIssuerContext, 0, // dwFlags
NULL // pvReserved
);
if (CERT_END_OBJECT_TYPE == dwObjectType || CERT_EXTERNAL_ISSUER_OBJECT_TYPE == dwObjectType) { pCallContext->ChainEngine()->LockEngine(); if (pCallContext->IsTouchedEngine()) goto TouchedDuringSignatureVerification; }
if (!fResult) { pStatus->dwErrorStatus |= CERT_TRUST_IS_NOT_SIGNATURE_VALID; pStatus->dwInfoStatus &= ~CERT_TRUST_HAS_PREFERRED_ISSUER; } else { if (dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG) { // Verify the issuer's public key hash
if (0 != memcmp(pSubjectObject->IssuerPublicKeyHash(), pIssuerObject->PublicKeyHash(), CHAINHASHLEN)) dwIssuerStatusFlags &= ~CERT_ISSUER_PUBKEY_FLAG; }
if (!(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG)) { CRYPT_DATA_BLOB DataBlob;
memcpy(pSubjectObject->IssuerPublicKeyHash(), pIssuerObject->PublicKeyHash(), CHAINHASHLEN); DataBlob.pbData = pSubjectObject->IssuerPublicKeyHash(), DataBlob.cbData = CHAINHASHLEN; CertSetCertificateContextProperty( pSubjectContext, CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID, CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &DataBlob ); }
pSubjectObject->OrIssuerStatusFlags( CERT_ISSUER_PUBKEY_FLAG | CERT_ISSUER_VALID_SIGNATURE_FLAG ); }
CertPerfIncrementChainVerifyCertSignatureCount(); } else {
// also need to check public key parameters
assert(dwIssuerStatusFlags & CERT_ISSUER_PUBKEY_FLAG); if (0 != memcmp(pSubjectObject->IssuerPublicKeyHash(), pIssuerObject->PublicKeyHash(), CHAINHASHLEN)) { pStatus->dwErrorStatus |= CERT_TRUST_IS_NOT_SIGNATURE_VALID; pStatus->dwInfoStatus &= ~CERT_TRUST_HAS_PREFERRED_ISSUER; }
CertPerfIncrementChainCompareIssuerPublicKeyCount(); }
fResult = TRUE;CommonReturn: return fResult;
ErrorReturn: fResult = FALSE; goto CommonReturn;
SET_ERROR(TouchedDuringSignatureVerification, ERROR_CAN_NOT_COMPLETE)}
//+---------------------------------------------------------------------------
//
// Function: ChainUpdateSummaryStatusByTrustStatus
//
// Synopsis: update the summary status bits given new trust status bits
//
//----------------------------------------------------------------------------
VOID WINAPIChainUpdateSummaryStatusByTrustStatus( IN OUT PCERT_TRUST_STATUS pSummaryStatus, IN PCERT_TRUST_STATUS pTrustStatus ){ pSummaryStatus->dwErrorStatus |= pTrustStatus->dwErrorStatus; pSummaryStatus->dwInfoStatus |= pTrustStatus->dwInfoStatus & ~(CERT_TRUST_CERTIFICATE_ONLY_INFO_STATUS | CERT_TRUST_HAS_PREFERRED_ISSUER); if (!(pTrustStatus->dwInfoStatus & CERT_TRUST_HAS_PREFERRED_ISSUER)) pSummaryStatus->dwInfoStatus &= ~CERT_TRUST_HAS_PREFERRED_ISSUER;
if (pSummaryStatus->dwErrorStatus & CERT_TRUST_ANY_NAME_CONSTRAINT_ERROR_STATUS) pSummaryStatus->dwInfoStatus &= ~CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS;}
//+---------------------------------------------------------------------------
//
// Function: ChainIsKeyRolloverSubject
//
// Synopsis: a subject is considered to be a key rollover cert if its
// subject name == issuer name == issuer cert's subject name
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsKeyRolloverSubject( IN PCCHAINPATHOBJECT pIssuerPathObject, IN PCCHAINPATHOBJECT pSubjectPathObject ){ PCERT_INFO pIssuerInfo = pIssuerPathObject->CertObject()->CertContext()->pCertInfo; PCERT_INFO pSubjectInfo = pSubjectPathObject->CertObject()->CertContext()->pCertInfo; DWORD cbData = pSubjectInfo->Subject.cbData;
if (0 != cbData && cbData == pSubjectInfo->Issuer.cbData && cbData == pIssuerInfo->Subject.cbData && 0 == memcmp(pSubjectInfo->Subject.pbData, pSubjectInfo->Issuer.pbData, cbData) && 0 == memcmp(pSubjectInfo->Subject.pbData, pIssuerInfo->Subject.pbData, cbData)) return TRUE; else return FALSE;}
//+===========================================================================
// Format and append extended error information helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainAllocAndEncodeObject
//
// Synopsis: allocate and ASN.1 encodes the data structure.
//
// PkiFree must be called to free the encoded bytes
//
//----------------------------------------------------------------------------
BOOL WINAPIChainAllocAndEncodeObject( IN LPCSTR lpszStructType, IN const void *pvStructInfo, OUT BYTE **ppbEncoded, OUT DWORD *pcbEncoded ){ return CryptEncodeObjectEx( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, lpszStructType, pvStructInfo, CRYPT_ENCODE_ALLOC_FLAG, &PkiEncodePara, (void *) ppbEncoded, pcbEncoded );}
//+---------------------------------------------------------------------------
//
// Function: ChainAppendExtendedErrorInfo
//
// Synopsis: PkiReallocate and append an already localization formatted
// line of extended error information
//
//----------------------------------------------------------------------------
VOID WINAPIChainAppendExtendedErrorInfo( IN OUT LPWSTR *ppwszExtErrorInfo, IN LPWSTR pwszAppend, IN DWORD cchAppend // Includes NULL terminator
){ LPWSTR pwszExtErrorInfo = *ppwszExtErrorInfo; DWORD cchExtErrorInfo;
if (pwszExtErrorInfo) cchExtErrorInfo = wcslen(pwszExtErrorInfo); else cchExtErrorInfo = 0;
assert(0 < cchAppend);
if (pwszExtErrorInfo = (LPWSTR) PkiRealloc(pwszExtErrorInfo, (cchExtErrorInfo + cchAppend) * sizeof(WCHAR))) { memcpy(&pwszExtErrorInfo[cchExtErrorInfo], pwszAppend, cchAppend * sizeof(WCHAR)); *ppwszExtErrorInfo = pwszExtErrorInfo; }}
//+---------------------------------------------------------------------------
//
// Function: ChainFormatAndAppendExtendedErrorInfo
//
// Synopsis: localization format a line of extended error information
// and append via the above ChainAppendExtendedErrorInfo
//
//----------------------------------------------------------------------------
VOID WINAPIChainFormatAndAppendExtendedErrorInfo( IN OUT LPWSTR *ppwszExtErrorInfo, IN UINT nFormatID, ... ){ DWORD cchMsg = 0; LPWSTR pwszMsg = NULL; WCHAR wszFormat[256]; wszFormat[0] = '\0'; va_list argList;
// get format string from resources
if(0 == LoadStringU(g_hChainInst, nFormatID, wszFormat, sizeof(wszFormat)/sizeof(wszFormat[0]))) return;
__try {
// format message into requested buffer
va_start(argList, nFormatID); cchMsg = FormatMessageU( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_STRING, wszFormat, 0, // dwMessageId
0, // dwLanguageId
(LPWSTR) &pwszMsg, 0, // minimum size to allocate
&argList);
va_end(argList);
// Must at least have the L'\n' terminator
if (1 < cchMsg && pwszMsg) ChainAppendExtendedErrorInfo( ppwszExtErrorInfo, pwszMsg, cchMsg + 1 );
} __except(EXCEPTION_EXECUTE_HANDLER) { }
if (pwszMsg) LocalFree(pwszMsg);}
//+===========================================================================
// Name Constraint helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainIsWhiteSpace
//
// Synopsis: returns TRUE for a white space character
//
//----------------------------------------------------------------------------
static inline BOOL ChainIsWhiteSpace(WCHAR wc){ return wc == L' ' || (wc >= 0x09 && wc <= 0x0d);}
//+---------------------------------------------------------------------------
//
// Function: ChainRemoveLeadingAndTrailingWhiteSpace
//
// Synopsis: advances the pointer past any leading white space. Removes
// any trailing white space by inserting the L'\0' and updating
// the character count.
//
//----------------------------------------------------------------------------
VOID WINAPIChainRemoveLeadingAndTrailingWhiteSpace( IN LPWSTR pwszIn, OUT LPWSTR *ppwszOut, OUT DWORD *pcchOut ){ LPWSTR pwszOut; DWORD cchOut; WCHAR wc;
// Remove leading white space
for (pwszOut = pwszIn ; L'\0' != (wc = *pwszOut); pwszOut++) { if (!ChainIsWhiteSpace(wc)) break; }
for (cchOut = wcslen(pwszOut); 0 < cchOut; cchOut--) { if (!ChainIsWhiteSpace(pwszOut[cchOut - 1])) break; }
pwszOut[cchOut] = L'\0'; *ppwszOut = pwszOut; *pcchOut = cchOut;}
#define NO_LOCALE MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT)
//+---------------------------------------------------------------------------
//
// Function: ChainIsRightStringInString
//
// Synopsis: returns TRUE for a case insensitive match of the
// "Right" string with the right most characters of the
// string.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsRightStringInString( IN LPCWSTR pwszRight, IN DWORD cchRight, IN LPCWSTR pwszString, IN DWORD cchString ){ if (0 == cchRight) return TRUE; if (cchRight > cchString) return FALSE;
if (CSTR_EQUAL == CompareStringU( NO_LOCALE, NORM_IGNORECASE, pwszRight, cchRight, pwszString + (cchString - cchRight), cchRight )) return TRUE; else return FALSE;}
//+---------------------------------------------------------------------------
//
// Function: ChainIsSpecialAtCharacterMatch
//
// Synopsis: returns TRUE if the "Right" string satisfies one of the
// following conditions:
// - doesn't contain an "@" (at character)
// - "@" is the left-most character
// - "Right" string has the same number of characters as the
// string (indicates an exact case insensitive match)
//
// alternatively, returns FALSE if the "Right" string contains
// a non-leading "@" and isn't an exact case insensitive match
// of the string.
//
// Assumes that ChainIsRightStringInString() was previously
// called and returned TRUE.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsSpecialAtCharacterMatch( IN LPCWSTR pwszRight, IN DWORD cchRight, IN DWORD cchString ){ BOOL fMatch = TRUE;
if (cchString > cchRight) { DWORD i;
for (i = 0; i < cchRight; i++) { if (L'@' == pwszRight[i]) { if (0 != i) fMatch = FALSE;
break; } } }
return fMatch;}
//+---------------------------------------------------------------------------
//
// Function: ChainIsEmptyOrStringEncodedValue
//
// Synopsis: Checks if the encoded value is empty (only contains
// the tag and length octets) or is a string (has string tag).
//
// Returns one of the following values:
// +1 - The encoded value is a string
// 0 - The encoded value is empty (takes precedence over being
// a string)
// -1 - The encoded value isn't a string
//
//----------------------------------------------------------------------------
const BYTE rgbChainStringTag[] = { 0x0C, // UTF8STRING ::= UTF8String -- tag 0x0C (12)
0x1E, // BMPSTRING ::= BMPString -- tag 0x1E (30)
0x16, // IA5STRING ::= IA5String -- tag 0x16 (22)
0x13, // PRINTABLESTRING ::= PrintableString -- tag 0x13 (19)
0x1C, // UNIVERSALSTRING ::= UniversalString -- tag 0x1C (28)
0x14, // TELETEXSTRING ::= TeletexString -- tag 0x14 (20)
// 0x14, // T61STRING ::= T61String -- tag 0x14 (20)
0x12, // NUMERICSTRING ::= NumericString -- tag 0x12 (18)
0x1B, // GENERALSTRING ::= GeneralString -- tag 0x1B (27)
0x15, // VIDEOTEXSTRING ::= VideotexString -- tag 0x15 (21)
0x19, // GRAPHICSTRING ::= GraphicString -- tag 0x19 (25)
0x1A, // VISIBLESTRING ::= VisibleString -- tag 0x1A (26)
// 0x1A, // ISO646STRING ::= ISO646String -- tag 0x1A (26)
};
#define CHAIN_STRING_TAB_CNT \
(sizeof(rgbChainStringTag) / sizeof(rgbChainStringTag[0]))
int WINAPIChainIsEmptyOrStringEncodedValue( IN PCRYPT_OBJID_BLOB pEncodedValue ){ DWORD i; BYTE bTag;
if (CHAIN_OTHER_NAME_MAX_EMPTY_LENGTH >= pEncodedValue->cbData) return 0;
bTag = pEncodedValue->pbData[0];
for (i = 0; i < CHAIN_STRING_TAB_CNT; i++) { if (bTag == rgbChainStringTag[i]) return 1; }
return -1;}
//+---------------------------------------------------------------------------
//
// Function: ChainFixupNameConstraintsOtherNameValue
//
// Synopsis: fixup the CERT_ALT_NAME_OTHER_NAME AltName entry choice
// for values encoded as strings by allocating and converting
// to a PCERT_NAME_VALUE containing the unicode string
// with leading and trailing white space removed.
//
// The pOtherName->Value.pbData is updated to point to the
// PCERT_NAME_VALUE instead of the original ASN.1 encoded
// bytes.
//
// pOtherName->Value.cbData is set to
// CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH for a successful
// fixup.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainFixupNameConstraintsOtherNameValue( IN OUT PCRYPT_OBJID_BLOB pOtherValue ){ BOOL fResult; PCERT_NAME_VALUE pNameValue; LPWSTR pwsz; DWORD cch;
if (0 >= ChainIsEmptyOrStringEncodedValue(pOtherValue)) // Empty or not a string. No Fixup.
goto SuccessReturn;
pNameValue = (PCERT_NAME_VALUE) ChainAllocAndDecodeObject( X509_UNICODE_ANY_STRING, pOtherValue->pbData, pOtherValue->cbData ); if (NULL == pNameValue) goto DecodeError;
if (!IS_CERT_RDN_CHAR_STRING(pNameValue->dwValueType)) { PkiFree(pNameValue); goto InvalidStringType; }
ChainRemoveLeadingAndTrailingWhiteSpace( (LPWSTR) pNameValue->Value.pbData, &pwsz, &cch );
pNameValue->Value.pbData = (BYTE *) pwsz; pNameValue->Value.cbData = cch * sizeof(WCHAR);
pOtherValue->pbData = (BYTE *) pNameValue; pOtherValue->cbData = CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH;
SuccessReturn: fResult = TRUE;CommonReturn: return fResult;
ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(DecodeError)SET_ERROR(InvalidStringType, CRYPT_E_BAD_ENCODE)}
//+---------------------------------------------------------------------------
//
// Function: ChainAllocDecodeAndFixupNameConstraintsDirectoryName
//
// Synopsis: fixup the CERT_ALT_NAME_DIRECTORY_NAME AltName entry choice
// or the encoded certificate Subject name by allocating and
// converting to a unicode PCERT_NAME_INFO where
// leading and trailing white space has been removed from
// all the attributes.
//
// The DirectoryName.pbData is updated to point to the
// PCERT_NAME_INFO instead of the original ASN.1 encoded
// bytes.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainAllocDecodeAndFixupNameConstraintsDirectoryName( IN PCERT_NAME_BLOB pDirName, OUT PCERT_NAME_INFO *ppNameInfo ){ BOOL fResult; PCERT_NAME_INFO pNameInfo = NULL; DWORD cRDN; PCERT_RDN pRDN;
if (0 == pDirName->cbData) goto SuccessReturn;
pNameInfo = (PCERT_NAME_INFO) ChainAllocAndDecodeObject( X509_UNICODE_NAME, pDirName->pbData, pDirName->cbData ); if (NULL == pNameInfo) goto DecodeError;
if (0 == pNameInfo->cRDN) { PkiFree(pNameInfo); pNameInfo = NULL; goto SuccessReturn; }
// Iterate through all the attributes and remove leading and trailing
// white space.
cRDN = pNameInfo->cRDN; pRDN = pNameInfo->rgRDN; for ( ; cRDN > 0; cRDN--, pRDN++) { DWORD cAttr = pRDN->cRDNAttr; PCERT_RDN_ATTR pAttr = pRDN->rgRDNAttr; for ( ; cAttr > 0; cAttr--, pAttr++) { LPWSTR pwsz; DWORD cch;
if (!IS_CERT_RDN_CHAR_STRING(pAttr->dwValueType)) continue;
ChainRemoveLeadingAndTrailingWhiteSpace( (LPWSTR) pAttr->Value.pbData, &pwsz, &cch );
pAttr->Value.pbData = (BYTE *) pwsz; pAttr->Value.cbData = cch * sizeof(WCHAR); } }
SuccessReturn: fResult = TRUE;
CommonReturn: *ppNameInfo = pNameInfo; return fResult;
ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(DecodeError)}
//+---------------------------------------------------------------------------
//
// Function: ChainFixupNameConstraintsAltNameEntry
//
// Synopsis: fixup the AltName entry choices as follows:
// CERT_ALT_NAME_OTHER_NAME
// For values encoded as strings, pOtherName->Value.pbData
// is updated to point to the allocated
// PCERT_NAME_VALUE containing the decoded unicode string.
// For a fixup, pOtherName->Value.cbData is set to
// CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH.
//
// CERT_ALT_NAME_RFC822_NAME
// CERT_ALT_NAME_DNS_NAME
// CERT_ALT_NAME_URL
// Uses DirectoryName.pbData and DirectoryName.cbData
// to contain the pointer to and length of the unicode
// string.
//
// For the subject URL, the DirectoryName.pbData's
// unicode string is the allocated host name.
//
// CERT_ALT_NAME_DIRECTORY_NAME:
// DirectoryName.pbData is updated to point to the
// allocated and decoded unicode PCERT_NAME_INFO.
//
// For the above choices, leading and trailing white space
// has been removed. cbData is number of bytes and not number
// of characters, ie, cbData = cch * sizeof(WCHAR)
//
//----------------------------------------------------------------------------
BOOL WINAPIChainFixupNameConstraintsAltNameEntry( IN BOOL fSubjectConstraint, IN OUT PCERT_ALT_NAME_ENTRY pEntry ){ BOOL fResult = TRUE;
LPWSTR pwsz = NULL; DWORD cch = 0;
switch (pEntry->dwAltNameChoice) { case CERT_ALT_NAME_OTHER_NAME: fResult = ChainFixupNameConstraintsOtherNameValue( &pEntry->pOtherName->Value); break; case CERT_ALT_NAME_RFC822_NAME: case CERT_ALT_NAME_DNS_NAME: ChainRemoveLeadingAndTrailingWhiteSpace( pEntry->pwszRfc822Name, &pwsz, &cch ); // Use the directory name's BLOB choice to contain both
// the pointer to and length of the string
pEntry->DirectoryName.pbData = (BYTE *) pwsz; pEntry->DirectoryName.cbData = cch * sizeof(WCHAR); break; case CERT_ALT_NAME_URL: if (fSubjectConstraint) { WCHAR rgwszHostName[MAX_PATH + 1]; LPWSTR pwszHostName;
rgwszHostName[0] = L'\0'; fResult = ChainGetHostNameFromUrl( pEntry->pwszURL, MAX_PATH, rgwszHostName); if (fResult) { ChainRemoveLeadingAndTrailingWhiteSpace( rgwszHostName, &pwszHostName, &cch ); pwsz = (LPWSTR) PkiNonzeroAlloc((cch + 1) * sizeof(WCHAR)); if (NULL == pwsz) fResult = FALSE; else memcpy(pwsz, pwszHostName, (cch + 1) * sizeof(WCHAR)); }
if (!fResult) { pwsz = NULL; cch = 0; } } else { ChainRemoveLeadingAndTrailingWhiteSpace( pEntry->pwszURL, &pwsz, &cch ); }
// Use the directory name's BLOB choice to contain both
// the pointer to and length of the string
pEntry->DirectoryName.pbData = (BYTE *) pwsz; pEntry->DirectoryName.cbData = cch * sizeof(WCHAR); break; case CERT_ALT_NAME_DIRECTORY_NAME: { PCERT_NAME_INFO pNameInfo = NULL; fResult = ChainAllocDecodeAndFixupNameConstraintsDirectoryName( &pEntry->DirectoryName, &pNameInfo);
// Update the directory name's BLOB to contain the pointer
// to the decoded name info
pEntry->DirectoryName.pbData = (BYTE *) pNameInfo; } break; case CERT_ALT_NAME_X400_ADDRESS: case CERT_ALT_NAME_EDI_PARTY_NAME: case CERT_ALT_NAME_IP_ADDRESS: case CERT_ALT_NAME_REGISTERED_ID: default: break; }
return fResult;}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeNameConstraintsAltNameEntryFixup
//
// Synopsis: free memory allocated by the above
// ChainFixupNameConstraintsAltNameEntry
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeNameConstraintsAltNameEntryFixup( IN BOOL fSubjectConstraint, IN OUT PCERT_ALT_NAME_ENTRY pEntry ){ switch (pEntry->dwAltNameChoice) { case CERT_ALT_NAME_OTHER_NAME: if (CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH == pEntry->pOtherName->Value.cbData) // pbData :: PCERT_NAME_VALUE
PkiFree(pEntry->pOtherName->Value.pbData); break; case CERT_ALT_NAME_RFC822_NAME: case CERT_ALT_NAME_DNS_NAME: break; case CERT_ALT_NAME_URL: if (fSubjectConstraint) // pbData :: LPWSTR
PkiFree(pEntry->DirectoryName.pbData); break; case CERT_ALT_NAME_DIRECTORY_NAME: // pbData :: PCERT_NAME_INFO
PkiFree(pEntry->DirectoryName.pbData); break; case CERT_ALT_NAME_X400_ADDRESS: case CERT_ALT_NAME_EDI_PARTY_NAME: case CERT_ALT_NAME_IP_ADDRESS: case CERT_ALT_NAME_REGISTERED_ID: default: break; }}
//+---------------------------------------------------------------------------
//
// Function: ChainFormatNameConstraintsAltNameEntryFixup
//
// Synopsis: localization format and allocate a previously fixed up
// AltName entry.
//
// The returned string must be freed via PkiFree().
//
//----------------------------------------------------------------------------
LPWSTR WINAPIChainFormatNameConstraintsAltNameEntryFixup( IN PCERT_ALT_NAME_ENTRY pEntry ){ DWORD dwExceptionCode; LPWSTR pwszFormat = NULL; DWORD cbFormat = 0; CERT_ALT_NAME_ENTRY AltEntry; const CERT_ALT_NAME_INFO AltNameInfo = { 1, &AltEntry }; CERT_OTHER_NAME OtherName;
BYTE *pbEncoded = NULL; DWORD cbEncoded; BYTE *pbEncoded2 = NULL; DWORD cbEncoded2;
__try {
AltEntry = *pEntry;
// Restore fixed up entries so we can re-encode
switch (AltEntry.dwAltNameChoice) { case CERT_ALT_NAME_OTHER_NAME: if (CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH == pEntry->pOtherName->Value.cbData) { // Restore from the following fixup:
// pEntry->pOtherName->Value.pbData :: PCERT_NAME_VALUE
if (NULL == pEntry->pOtherName->Value.pbData) goto InvalidOtherName; if (!ChainAllocAndEncodeObject( X509_UNICODE_ANY_STRING, (PCERT_NAME_VALUE) pEntry->pOtherName->Value.pbData, &pbEncoded2, &cbEncoded2 )) goto EncodedOtherNameError; OtherName.pszObjId = pEntry->pOtherName->pszObjId; OtherName.Value.pbData = pbEncoded2; OtherName.Value.cbData = cbEncoded2;
AltEntry.pOtherName = &OtherName; } break; case CERT_ALT_NAME_RFC822_NAME: case CERT_ALT_NAME_DNS_NAME: case CERT_ALT_NAME_URL: // Restore from the following fixup:
// pEntry->DirectoryName.pbData = (BYTE *) pwsz;
// pEntry->DirectoryName.cbData = cch * sizeof(WCHAR);
if (NULL == pEntry->DirectoryName.pbData || 0 == pEntry->DirectoryName.cbData) AltEntry.pwszRfc822Name = L"???"; else AltEntry.pwszRfc822Name = (LPWSTR) pEntry->DirectoryName.pbData; break; case CERT_ALT_NAME_DIRECTORY_NAME: // Restore from the following fixup:
// pEntry->DirectoryName.pbData :: PCERT_NAME_INFO
if (NULL == pEntry->DirectoryName.pbData) goto InvalidDirName; if (!ChainAllocAndEncodeObject( X509_UNICODE_NAME, (PCERT_NAME_INFO) pEntry->DirectoryName.pbData, &pbEncoded2, &cbEncoded2 )) goto EncodeDirNameError;
AltEntry.DirectoryName.pbData = pbEncoded2; AltEntry.DirectoryName.cbData = cbEncoded2; break; case CERT_ALT_NAME_X400_ADDRESS: case CERT_ALT_NAME_EDI_PARTY_NAME: case CERT_ALT_NAME_IP_ADDRESS: case CERT_ALT_NAME_REGISTERED_ID: default: break; }
if (!ChainAllocAndEncodeObject( X509_ALTERNATE_NAME, &AltNameInfo, &pbEncoded, &cbEncoded )) goto EncodeAltNameError;
if (!CryptFormatObject( X509_ASN_ENCODING, 0, // dwFormatType
0, // dwFormatStrType
NULL, // pFormatStruct
X509_ALTERNATE_NAME, pbEncoded, cbEncoded, NULL, // pwszFormat
&cbFormat )) goto FormatAltNameError;
if (NULL == (pwszFormat = (LPWSTR) PkiZeroAlloc( cbFormat + sizeof(WCHAR)))) goto OutOfMemory;
if (!CryptFormatObject( X509_ASN_ENCODING, 0, // dwFormatType
0, // dwFormatStrType
NULL, // pFormatStruct
X509_ALTERNATE_NAME, pbEncoded, cbEncoded, pwszFormat, &cbFormat )) goto FormatAltNameError;
} __except(EXCEPTION_EXECUTE_HANDLER) { dwExceptionCode = GetExceptionCode(); goto ExceptionError; }
CommonReturn: PkiFree(pbEncoded); PkiFree(pbEncoded2);
return pwszFormat;
ErrorReturn: if (pwszFormat) { PkiFree(pwszFormat); pwszFormat = NULL; } goto CommonReturn;
SET_ERROR(InvalidOtherName, ERROR_INVALID_DATA)TRACE_ERROR(EncodedOtherNameError)TRACE_ERROR(InvalidDirName)TRACE_ERROR(EncodeDirNameError)TRACE_ERROR(EncodeAltNameError)TRACE_ERROR(FormatAltNameError)TRACE_ERROR(OutOfMemory)SET_ERROR_VAR(ExceptionError, dwExceptionCode)}
//+---------------------------------------------------------------------------
//
// Function: ChainFormatAndAppendNameConstraintsAltNameEntryFixup
//
// Synopsis: localization format a previously fixed up
// AltName entry and append to the extended error information.
//
//----------------------------------------------------------------------------
VOID WINAPIChainFormatAndAppendNameConstraintsAltNameEntryFixup( IN OUT LPWSTR *ppwszExtErrorInfo, IN PCERT_ALT_NAME_ENTRY pEntry, IN UINT nFormatID, IN OPTIONAL DWORD dwSubtreeIndex // 0 => no subtree parameter
){ LPWSTR pwszAllocFormatEntry = NULL; LPWSTR pwszFormatEntry;
pwszAllocFormatEntry = ChainFormatNameConstraintsAltNameEntryFixup(pEntry); if (pwszAllocFormatEntry) pwszFormatEntry = pwszAllocFormatEntry; else pwszFormatEntry = L"???";
if (0 == dwSubtreeIndex) ChainFormatAndAppendExtendedErrorInfo( ppwszExtErrorInfo, nFormatID, pwszFormatEntry ); else ChainFormatAndAppendExtendedErrorInfo( ppwszExtErrorInfo, nFormatID, dwSubtreeIndex, pwszFormatEntry );
PkiFree(pwszAllocFormatEntry);}
//+---------------------------------------------------------------------------
//
// Function: ChainGetIssuerNameConstraintsInfo
//
// Synopsis: alloc and return the issuer name constraints info.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetIssuerNameConstraintsInfo ( IN PCCERT_CONTEXT pCertContext, IN OUT PCERT_NAME_CONSTRAINTS_INFO *ppInfo ){ BOOL fResult; PCERT_EXTENSION pExt; PCERT_NAME_CONSTRAINTS_INFO pInfo = NULL; PCERT_GENERAL_SUBTREE pSubtree; DWORD cSubtree;
pExt = CertFindExtension( szOID_NAME_CONSTRAINTS, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension ); if (NULL == pExt) goto SuccessReturn;
pInfo = (PCERT_NAME_CONSTRAINTS_INFO) ChainAllocAndDecodeObject( X509_NAME_CONSTRAINTS, pExt->Value.pbData, pExt->Value.cbData ); if (NULL == pInfo) goto DecodeError;
// Fixup all the AltName entries
// Note, even for an error we need to fixup all the entries.
// ChainFreeIssuerNameConstraintsInfo iterates through all the entries.
fResult = TRUE;
cSubtree = pInfo->cPermittedSubtree; pSubtree = pInfo->rgPermittedSubtree; for ( ; 0 < cSubtree; cSubtree--, pSubtree++) { if (!ChainFixupNameConstraintsAltNameEntry(FALSE, &pSubtree->Base)) fResult = FALSE; }
cSubtree = pInfo->cExcludedSubtree; pSubtree = pInfo->rgExcludedSubtree; for ( ; 0 < cSubtree; cSubtree--, pSubtree++) { if (!ChainFixupNameConstraintsAltNameEntry(FALSE, &pSubtree->Base)) fResult = FALSE; }
if (!fResult) goto FixupAltNameEntryError;
SuccessReturn: fResult = TRUE;CommonReturn: *ppInfo = pInfo; return fResult;ErrorReturn: fResult = FALSE; goto CommonReturn;
TRACE_ERROR(DecodeError)TRACE_ERROR(FixupAltNameEntryError)}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeIssuerNameConstraintsInfo
//
// Synopsis: free the issuer name constraints info
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeIssuerNameConstraintsInfo ( IN OUT PCERT_NAME_CONSTRAINTS_INFO pInfo ){ PCERT_GENERAL_SUBTREE pSubtree; DWORD cSubtree;
if (NULL == pInfo) return;
cSubtree = pInfo->cPermittedSubtree; pSubtree = pInfo->rgPermittedSubtree; for ( ; 0 < cSubtree; cSubtree--, pSubtree++) ChainFreeNameConstraintsAltNameEntryFixup(FALSE, &pSubtree->Base);
cSubtree = pInfo->cExcludedSubtree; pSubtree = pInfo->rgExcludedSubtree; for ( ; 0 < cSubtree; cSubtree--, pSubtree++) ChainFreeNameConstraintsAltNameEntryFixup(FALSE, &pSubtree->Base);
PkiFree(pInfo);}
//+---------------------------------------------------------------------------
//
// Function: ChainGetSubjectNameConstraintsInfo
//
// Synopsis: alloc and return the subject name constraints info.
//
//----------------------------------------------------------------------------
VOID WINAPIChainGetSubjectNameConstraintsInfo ( IN PCCERT_CONTEXT pCertContext, IN OUT PCHAIN_SUBJECT_NAME_CONSTRAINTS_INFO pSubjectInfo ){ PCERT_EXTENSION pExt; BOOL fHasEmailAltNameEntry = FALSE;
pExt = CertFindExtension( szOID_SUBJECT_ALT_NAME2, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension );
if (NULL == pExt) { pExt = CertFindExtension( szOID_SUBJECT_ALT_NAME, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension ); }
if (pExt) { PCERT_ALT_NAME_INFO pAltNameInfo;
pAltNameInfo = (PCERT_ALT_NAME_INFO) ChainAllocAndDecodeObject( X509_ALTERNATE_NAME, pExt->Value.pbData, pExt->Value.cbData ); if (NULL == pAltNameInfo) pSubjectInfo->fInvalid = TRUE; else { DWORD cEntry; PCERT_ALT_NAME_ENTRY pEntry; pSubjectInfo->pAltNameInfo = pAltNameInfo;
// Fixup all the AltName entries
// Note, even for an error we need to fixup all the entries.
// ChainFreeSubjectNameConstraintsInfo iterates through all
// the entries.
cEntry = pAltNameInfo->cAltEntry; pEntry = pAltNameInfo->rgAltEntry; for ( ; 0 < cEntry; cEntry--, pEntry++) { if (CERT_ALT_NAME_RFC822_NAME == pEntry->dwAltNameChoice) fHasEmailAltNameEntry = TRUE; else if (CERT_ALT_NAME_DNS_NAME == pEntry->dwAltNameChoice) pSubjectInfo->fHasDnsAltNameEntry = TRUE;
if (!ChainFixupNameConstraintsAltNameEntry(TRUE, pEntry)) pSubjectInfo->fInvalid = TRUE; } } }
if (!ChainAllocDecodeAndFixupNameConstraintsDirectoryName( &pCertContext->pCertInfo->Subject, &pSubjectInfo->pUnicodeNameInfo )) pSubjectInfo->fInvalid = TRUE;
if (!fHasEmailAltNameEntry && pSubjectInfo->pUnicodeNameInfo) { DWORD cRDN; PCERT_RDN pRDN;
cRDN = pSubjectInfo->pUnicodeNameInfo->cRDN; pRDN = pSubjectInfo->pUnicodeNameInfo->rgRDN; for ( ; cRDN > 0; cRDN--, pRDN++) { DWORD cAttr = pRDN->cRDNAttr; PCERT_RDN_ATTR pAttr = pRDN->rgRDNAttr; for ( ; cAttr > 0; cAttr--, pAttr++) { if (!IS_CERT_RDN_CHAR_STRING(pAttr->dwValueType)) continue;
if (0 == strcmp(pAttr->pszObjId, szOID_RSA_emailAddr)) { pSubjectInfo->pEmailAttr = pAttr; break; }
} if (cAttr > 0) break; } }}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeSubjectNameConstraintsInfo
//
// Synopsis: free the subject name constraints info
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeSubjectNameConstraintsInfo ( IN OUT PCHAIN_SUBJECT_NAME_CONSTRAINTS_INFO pSubjectInfo ){ PCERT_ALT_NAME_INFO pAltNameInfo;
pAltNameInfo = pSubjectInfo->pAltNameInfo; if (pAltNameInfo) { DWORD cEntry; PCERT_ALT_NAME_ENTRY pEntry; cEntry = pAltNameInfo->cAltEntry; pEntry = pAltNameInfo->rgAltEntry; for ( ; 0 < cEntry; cEntry--, pEntry++) ChainFreeNameConstraintsAltNameEntryFixup(TRUE, pEntry);
PkiFree(pAltNameInfo); }
PkiFree(pSubjectInfo->pUnicodeNameInfo);}
//+---------------------------------------------------------------------------
//
// Function: ChainCompareNameConstraintsDirectoryName
//
// Synopsis: returns TRUE if all the subtree RDN attributes match
// the RDN attributes at the beginning of the subject
// directory name. A case insensitive match
// is performed on each RDN attribute that is a string type.
// A binary compare is performed on nonstring attribute types.
//
// The OIDs of the RDN attributes must match.
//
// Note, a NULL subtree or a subtree with no RDNs matches
// any subject directory name. Also, an empty subtree
// RDN attribute matches any subject attribute.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCompareNameConstraintsDirectoryName( IN PCERT_NAME_INFO pSubjectInfo, IN PCERT_NAME_INFO pSubtreeInfo ){ DWORD cSubjectRDN; PCERT_RDN pSubjectRDN; DWORD cSubtreeRDN; PCERT_RDN pSubtreeRDN;
if (NULL == pSubtreeInfo || 0 == pSubtreeInfo->cRDN) // Match any subject
return TRUE; if (NULL == pSubjectInfo) return FALSE;
cSubjectRDN = pSubjectInfo->cRDN; cSubtreeRDN = pSubtreeInfo->cRDN; if (cSubtreeRDN > cSubjectRDN) return FALSE;
pSubjectRDN = pSubjectInfo->rgRDN; pSubtreeRDN = pSubtreeInfo->rgRDN; for ( ; cSubtreeRDN > 0; cSubtreeRDN--, pSubtreeRDN++, pSubjectRDN++) { DWORD cSubjectAttr = pSubjectRDN->cRDNAttr; PCERT_RDN_ATTR pSubjectAttr = pSubjectRDN->rgRDNAttr; DWORD cSubtreeAttr = pSubtreeRDN->cRDNAttr; PCERT_RDN_ATTR pSubtreeAttr = pSubtreeRDN->rgRDNAttr;
if (1 < cSubtreeRDN) { if (cSubtreeAttr != cSubjectAttr) return FALSE; } else { if (cSubtreeAttr > cSubjectAttr) return FALSE; }
for ( ; cSubtreeAttr > 0; cSubtreeAttr--, pSubtreeAttr++, pSubjectAttr++) { if (0 != strcmp(pSubtreeAttr->pszObjId, pSubjectAttr->pszObjId)) return FALSE;
if (IS_CERT_RDN_CHAR_STRING(pSubtreeAttr->dwValueType) != IS_CERT_RDN_CHAR_STRING(pSubjectAttr->dwValueType)) return FALSE;
if (IS_CERT_RDN_CHAR_STRING(pSubtreeAttr->dwValueType)) { DWORD cchSubtree = pSubtreeAttr->Value.cbData / sizeof(WCHAR);
if (0 == cchSubtree) { // Match any attribute
; } else if (cchSubtree != pSubjectAttr->Value.cbData / sizeof(WCHAR)) { // For X.509, must match entire attribute
return FALSE; } else if (!ChainIsRightStringInString( (LPCWSTR) pSubtreeAttr->Value.pbData, cchSubtree, (LPCWSTR) pSubjectAttr->Value.pbData, cchSubtree )) { return FALSE; } } else { if (pSubtreeAttr->Value.cbData != pSubjectAttr->Value.cbData) return FALSE; if (0 != memcmp(pSubtreeAttr->Value.pbData, pSubjectAttr->Value.pbData, pSubtreeAttr->Value.cbData )) return FALSE; } } }
return TRUE;}
//+---------------------------------------------------------------------------
//
// Function: ChainCompareNameConstraintsIPAddress
//
// Synopsis: returns TRUE if the subject IP address is within the IP
// range specified by subtree IP address and mask.
//
// The subtree IP contains the octet bytes for both the
// IP address and its mask.
//
// For IPv4, there are 4 address bytes followed by 4 mask bytes.
// See RFC 2459 for more details.
//
// Here's my interpretation:
//
// For a match: SubtreeIPAddr == (SubjectIPAddr & SubtreeIPMask)
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCompareNameConstraintsIPAddress( IN PCRYPT_DATA_BLOB pSubjectIPAddress, IN PCRYPT_DATA_BLOB pSubtreeIPAddress ){ BYTE *pbSubject = pSubjectIPAddress->pbData; DWORD cbSubject = pSubjectIPAddress->cbData; BYTE *pbSubtree = pSubtreeIPAddress->pbData; DWORD cbSubtree = pSubtreeIPAddress->cbData; BYTE *pbSubtreeMask = pbSubtree + cbSubject;
DWORD i;
if (0 == cbSubtree) // Match any IP address
return TRUE;
// Only compare if the number of subtree bytes is twice the length of
// the subject. Second half contains the mask.
if (cbSubtree != 2 * cbSubject) return FALSE;
for (i = 0; i < cbSubject; i++) { if (pbSubtree[i] != (pbSubject[i] & pbSubtreeMask[i])) return FALSE; }
return TRUE;
}
//+---------------------------------------------------------------------------
//
// Function: ChainCompareNameConstraintsOtherNameValue
//
// Synopsis: returns TRUE if the subtree OtherName value is empty.
// If both the subtree and subject OtherName values are strings,
// returns TRUE if the subtree OtherName string matches the
// right most characters of the subject's OtherName
// doing a case insensitive match.
//
// For the szOID_NT_PRINCIPAL_NAME (UPN) OtherName also
// does a special "@" (At character) match.
//
// For CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH == Value.cbData,
// the Value.pbData points to the decoded PCERT_NAME_VALUE.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCompareNameConstraintsOtherNameValue( IN LPCSTR pszOtherNameOID, IN PCRYPT_OBJID_BLOB pSubjectValue, IN PCRYPT_OBJID_BLOB pSubtreeValue ){ BOOL fCompare; PCERT_NAME_VALUE pSubjectNameValue; PCERT_NAME_VALUE pSubtreeNameValue;
if (CHAIN_OTHER_NAME_MAX_EMPTY_LENGTH >= pSubtreeValue->cbData) // Subtree has an empty value. Match any subject.
return TRUE;
if (CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH != pSubjectValue->cbData || CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH != pSubtreeValue->cbData) // Only support string matching
return FALSE;
// The OtherName's Value.pbData is used to point to the decoded
// PCERT_NAME_VALUE
pSubjectNameValue = (PCERT_NAME_VALUE) pSubjectValue->pbData; pSubtreeNameValue = (PCERT_NAME_VALUE) pSubtreeValue->pbData;
if (pSubjectNameValue && pSubtreeNameValue) { fCompare = ChainIsRightStringInString( (LPCWSTR) pSubtreeNameValue->Value.pbData, pSubtreeNameValue->Value.cbData / sizeof(WCHAR), (LPCWSTR) pSubjectNameValue->Value.pbData, pSubjectNameValue->Value.cbData / sizeof(WCHAR) );
if (fCompare && 0 == strcmp(pszOtherNameOID, szOID_NT_PRINCIPAL_NAME)) fCompare = ChainIsSpecialAtCharacterMatch( (LPCWSTR) pSubtreeNameValue->Value.pbData, pSubtreeNameValue->Value.cbData / sizeof(WCHAR), pSubjectNameValue->Value.cbData / sizeof(WCHAR) ); } else fCompare = FALSE;
return fCompare;}
//+---------------------------------------------------------------------------
//
// Function: ChainCalculateNameConstraintsSubtreeErrorStatusForAltNameEntry
//
// Synopsis: calculates the name constraints error status by seeing if
// the subject AltName entry matches any subtree AltName entry.
//
//----------------------------------------------------------------------------
DWORD WINAPIChainCalculateNameConstraintsSubtreeErrorStatusForAltNameEntry( IN PCERT_ALT_NAME_ENTRY pSubjectEntry, IN BOOL fExcludedSubtree, IN DWORD cSubtree, IN PCERT_GENERAL_SUBTREE pSubtree, IN OUT LPWSTR *ppwszExtErrorInfo ){ DWORD dwErrorStatus = 0; BOOL fHasSubtreeEntry = FALSE; DWORD dwAltNameChoice = pSubjectEntry->dwAltNameChoice; DWORD i;
for (i = 0; i < cSubtree; i++, pSubtree++) { PCERT_ALT_NAME_ENTRY pSubtreeEntry; BOOL fCompare;
if (0 != pSubtree->dwMinimum || pSubtree->fMaximum) { dwErrorStatus |= CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
ChainFormatAndAppendExtendedErrorInfo( ppwszExtErrorInfo, fExcludedSubtree ? IDS_NOT_SUPPORTED_EXCLUDED_NAME_CONSTRAINT : IDS_NOT_SUPPORTED_PERMITTED_NAME_CONSTRAINT, i + 1 ); continue; }
pSubtreeEntry = &pSubtree->Base; if (dwAltNameChoice != pSubtreeEntry->dwAltNameChoice) continue;
fCompare = FALSE; switch (dwAltNameChoice) { case CERT_ALT_NAME_OTHER_NAME: // Only support empty or string OtherName Values.
if (CHAIN_OTHER_NAME_MAX_EMPTY_LENGTH < pSubtreeEntry->pOtherName->Value.cbData && CHAIN_OTHER_NAME_FIXUP_STRING_LENGTH != pSubtreeEntry->pOtherName->Value.cbData) { dwErrorStatus |= CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
ChainFormatAndAppendExtendedErrorInfo( ppwszExtErrorInfo, fExcludedSubtree ? IDS_NOT_SUPPORTED_EXCLUDED_NAME_CONSTRAINT : IDS_NOT_SUPPORTED_PERMITTED_NAME_CONSTRAINT, i + 1 ); } else if (0 == strcmp(pSubtreeEntry->pOtherName->pszObjId, pSubjectEntry->pOtherName->pszObjId)) { fHasSubtreeEntry = TRUE;
fCompare = ChainCompareNameConstraintsOtherNameValue( pSubtreeEntry->pOtherName->pszObjId, &pSubjectEntry->pOtherName->Value, &pSubtreeEntry->pOtherName->Value ); } break; case CERT_ALT_NAME_RFC822_NAME: case CERT_ALT_NAME_DNS_NAME: case CERT_ALT_NAME_URL: fHasSubtreeEntry = TRUE; // The directory name's BLOB choice is used to contain both
// the pointer to and length of the string
fCompare = ChainIsRightStringInString( (LPCWSTR) pSubtreeEntry->DirectoryName.pbData, pSubtreeEntry->DirectoryName.cbData / sizeof(WCHAR), (LPCWSTR) pSubjectEntry->DirectoryName.pbData, pSubjectEntry->DirectoryName.cbData / sizeof(WCHAR) ); if (fCompare && CERT_ALT_NAME_RFC822_NAME == dwAltNameChoice) fCompare = ChainIsSpecialAtCharacterMatch( (LPCWSTR) pSubtreeEntry->DirectoryName.pbData, pSubtreeEntry->DirectoryName.cbData / sizeof(WCHAR), pSubjectEntry->DirectoryName.cbData / sizeof(WCHAR) ); break; case CERT_ALT_NAME_DIRECTORY_NAME: fHasSubtreeEntry = TRUE; fCompare = ChainCompareNameConstraintsDirectoryName( (PCERT_NAME_INFO) pSubjectEntry->DirectoryName.pbData, (PCERT_NAME_INFO) pSubtreeEntry->DirectoryName.pbData ); break; case CERT_ALT_NAME_IP_ADDRESS: fHasSubtreeEntry = TRUE; fCompare = ChainCompareNameConstraintsIPAddress( &pSubjectEntry->IPAddress, &pSubtreeEntry->IPAddress); break; case CERT_ALT_NAME_X400_ADDRESS: case CERT_ALT_NAME_EDI_PARTY_NAME: case CERT_ALT_NAME_REGISTERED_ID: default: assert(0); break; }
if (fCompare) { if (fExcludedSubtree) { dwErrorStatus |= CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
ChainFormatAndAppendNameConstraintsAltNameEntryFixup( ppwszExtErrorInfo, pSubjectEntry, IDS_EXCLUDED_ENTRY_NAME_CONSTRAINT, i + 1 ); } return dwErrorStatus; } }
if (!fExcludedSubtree) { if (fHasSubtreeEntry) { dwErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
ChainFormatAndAppendNameConstraintsAltNameEntryFixup( ppwszExtErrorInfo, pSubjectEntry, IDS_NOT_PERMITTED_ENTRY_NAME_CONSTRAINT ); } else if (!IPR_IsNotDefinedNameConstraintDisabled()) { dwErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
ChainFormatAndAppendNameConstraintsAltNameEntryFixup( ppwszExtErrorInfo, pSubjectEntry, IDS_NOT_DEFINED_ENTRY_NAME_CONSTRAINT ); } }
return dwErrorStatus;}
//+---------------------------------------------------------------------------
//
// Function: ChainCalculateNameConstraintsErrorStatusForAltNameEntry
//
// Synopsis: calculates the name constraints error status by seeing if
// the subject AltName entry matches either an excluded
// or permitted subtree AltName entry.
//
//----------------------------------------------------------------------------
DWORD WINAPIChainCalculateNameConstraintsErrorStatusForAltNameEntry( IN PCERT_ALT_NAME_ENTRY pSubjectEntry, IN PCERT_NAME_CONSTRAINTS_INFO pNameConstraintsInfo, IN OUT LPWSTR *ppwszExtErrorInfo ){ DWORD dwErrorStatus;
dwErrorStatus = ChainCalculateNameConstraintsSubtreeErrorStatusForAltNameEntry( pSubjectEntry, TRUE, // fExcludedSubtree
pNameConstraintsInfo->cExcludedSubtree, pNameConstraintsInfo->rgExcludedSubtree, ppwszExtErrorInfo );
if (!(dwErrorStatus & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT)) dwErrorStatus = ChainCalculateNameConstraintsSubtreeErrorStatusForAltNameEntry( pSubjectEntry, FALSE, // fExcludedSubtree
pNameConstraintsInfo->cPermittedSubtree, pNameConstraintsInfo->rgPermittedSubtree, ppwszExtErrorInfo );
return dwErrorStatus;}
//+===========================================================================
// CCertIssuerList helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainCreateIssuerList
//
// Synopsis: create the issuer list object for the given subject
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateIssuerList ( IN PCCHAINPATHOBJECT pSubject, OUT PCCERTISSUERLIST* ppIssuerList ){ PCCERTISSUERLIST pIssuerList;
pIssuerList = new CCertIssuerList( pSubject ); if ( pIssuerList == NULL ) { SetLastError( (DWORD) E_OUTOFMEMORY ); return( FALSE ); }
*ppIssuerList = pIssuerList; return( TRUE );}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeIssuerList
//
// Synopsis: free the issuer list object
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeIssuerList ( IN PCCERTISSUERLIST pIssuerList ){ delete pIssuerList;}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeCtlIssuerData
//
// Synopsis: free CTL issuer data
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeCtlIssuerData ( IN PCTL_ISSUER_DATA pCtlIssuerData ){ if ( pCtlIssuerData->pTrustListInfo != NULL ) { SSCtlFreeTrustListInfo( pCtlIssuerData->pTrustListInfo ); }
if ( pCtlIssuerData->pSSCtlObject != NULL ) { pCtlIssuerData->pSSCtlObject->Release(); }
delete pCtlIssuerData;}
//+===========================================================================
// INTERNAL_CERT_CHAIN_CONTEXT helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainAddRefInternalChainContext
//
// Synopsis: addref the internal chain context
//
//----------------------------------------------------------------------------
VOID WINAPIChainAddRefInternalChainContext ( IN PINTERNAL_CERT_CHAIN_CONTEXT pChainContext ){ InterlockedIncrement( &pChainContext->cRefs );}
//+---------------------------------------------------------------------------
//
// Function: ChainReleaseInternalChainContext
//
// Synopsis: release the internal chain context
//
//----------------------------------------------------------------------------
VOID WINAPIChainReleaseInternalChainContext ( IN PINTERNAL_CERT_CHAIN_CONTEXT pChainContext ){ if ( InterlockedDecrement( &pChainContext->cRefs ) == 0 ) { ChainFreeInternalChainContext( pChainContext ); }}
//+---------------------------------------------------------------------------
//
// Function: ChainFreeInternalChainContext
//
// Synopsis: free the internal chain context
//
//----------------------------------------------------------------------------
VOID WINAPIChainFreeInternalChainContext ( IN PINTERNAL_CERT_CHAIN_CONTEXT pContext ){
PCERT_SIMPLE_CHAIN *ppChain; DWORD cChain;
PINTERNAL_CERT_CHAIN_CONTEXT *ppLowerContext;
if (NULL == pContext) return;
cChain = pContext->ChainContext.cChain; ppChain = pContext->ChainContext.rgpChain; for ( ; 0 < cChain; cChain--, ppChain++) { PCERT_SIMPLE_CHAIN pChain; DWORD cElement; PCERT_CHAIN_ELEMENT *ppElement;
pChain = *ppChain; if (NULL == pChain) continue;
if (pChain->pTrustListInfo) SSCtlFreeTrustListInfo(pChain->pTrustListInfo);
cElement = pChain->cElement; ppElement = pChain->rgpElement; for ( ; 0 < cElement; cElement--, ppElement++) { PCERT_CHAIN_ELEMENT pElement;
pElement = *ppElement; if (NULL == pElement) continue;
if (pElement->pRevocationInfo) { PCERT_REVOCATION_CRL_INFO pCrlInfo = pElement->pRevocationInfo->pCrlInfo;
if (pCrlInfo) { if (pCrlInfo->pBaseCrlContext) CertFreeCRLContext(pCrlInfo->pBaseCrlContext); if (pCrlInfo->pDeltaCrlContext) CertFreeCRLContext(pCrlInfo->pDeltaCrlContext);
delete pCrlInfo; }
delete pElement->pRevocationInfo; }
if (pElement->pCertContext) CertFreeCertificateContext(pElement->pCertContext);
ChainFreeUsage(pElement->pIssuanceUsage); ChainFreeUsage(pElement->pApplicationUsage);
if (pElement->pwszExtendedErrorInfo) PkiFree((LPWSTR) pElement->pwszExtendedErrorInfo); }
}
ppLowerContext = (PINTERNAL_CERT_CHAIN_CONTEXT*) pContext->ChainContext.rgpLowerQualityChainContext; if (ppLowerContext) { DWORD cLowerContext; DWORD i;
cLowerContext = pContext->ChainContext.cLowerQualityChainContext; for (i = 0; i < cLowerContext; i++) ChainReleaseInternalChainContext(ppLowerContext[i]);
delete ppLowerContext; }
PkiFree(pContext);}
//+---------------------------------------------------------------------------
//
// Function: ChainUpdateEndEntityCertContext
//
// Synopsis: update the end entity cert context in the chain context
//
//----------------------------------------------------------------------------
VOIDChainUpdateEndEntityCertContext( IN OUT PINTERNAL_CERT_CHAIN_CONTEXT pChainContext, IN OUT PCCERT_CONTEXT pEndCertContext ){ PCCERT_CONTEXT pCertContext = pChainContext->ChainContext.rgpChain[0]->rgpElement[0]->pCertContext; if (pCertContext == pEndCertContext) return; pChainContext->ChainContext.rgpChain[0]->rgpElement[0]->pCertContext = pEndCertContext;
{ DWORD cbData; DWORD cbEndData;
// If the chain context's end context has the public key parameter
// property and the end context passed in to CertGetCertificateChain
// doesn't, then copy the public key parameter property.
if (CertGetCertificateContextProperty( pCertContext, CERT_PUBKEY_ALG_PARA_PROP_ID, NULL, // pvData
&cbData) && 0 < cbData && !CertGetCertificateContextProperty( pEndCertContext, CERT_PUBKEY_ALG_PARA_PROP_ID, NULL, // pvData
&cbEndData)) { BYTE *pbData;
__try { pbData = (BYTE *) _alloca(cbData); } __except(EXCEPTION_EXECUTE_HANDLER) { pbData = NULL; } if (pbData) { if (CertGetCertificateContextProperty( pCertContext, CERT_PUBKEY_ALG_PARA_PROP_ID, pbData, &cbData)) { CRYPT_DATA_BLOB Para; Para.pbData = pbData; Para.cbData = cbData; CertSetCertificateContextProperty( pEndCertContext, CERT_PUBKEY_ALG_PARA_PROP_ID, CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &Para ); } } } }
CertDuplicateCertificateContext(pEndCertContext); CertFreeCertificateContext(pCertContext);}
//+===========================================================================
// CERT_REVOCATION_INFO helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainUpdateRevocationInfo
//
// Synopsis: update the revocation information on the element
//
//----------------------------------------------------------------------------
VOID WINAPIChainUpdateRevocationInfo ( IN PCERT_REVOCATION_STATUS pRevStatus, IN OUT PCERT_REVOCATION_INFO pRevocationInfo, IN OUT PCERT_TRUST_STATUS pTrustStatus ){ CertPerfIncrementChainRevocationCount();
if (ERROR_SUCCESS == pRevStatus->dwError) { ; } else if (CRYPT_E_REVOKED == pRevStatus->dwError) { pTrustStatus->dwErrorStatus |= CERT_TRUST_IS_REVOKED; CertPerfIncrementChainRevokedCount(); } else { pTrustStatus->dwErrorStatus |= CERT_TRUST_REVOCATION_STATUS_UNKNOWN; if (CRYPT_E_NO_REVOCATION_CHECK == pRevStatus->dwError) { CertPerfIncrementChainNoRevocationCheckCount(); } else { pTrustStatus->dwErrorStatus |= CERT_TRUST_IS_OFFLINE_REVOCATION; CertPerfIncrementChainRevocationOfflineCount(); } }
pRevocationInfo->cbSize = sizeof(CERT_REVOCATION_INFO); pRevocationInfo->dwRevocationResult = pRevStatus->dwError; pRevocationInfo->fHasFreshnessTime = pRevStatus->fHasFreshnessTime; pRevocationInfo->dwFreshnessTime = pRevStatus->dwFreshnessTime;}
//+===========================================================================
// CCertChainEngine helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainCreateWorldStore
//
// Synopsis: create the world store
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateWorldStore ( IN HCERTSTORE hRoot, IN HCERTSTORE hCA, IN DWORD cAdditionalStore, IN HCERTSTORE* rghAdditionalStore, IN DWORD dwStoreFlags, OUT HCERTSTORE* phWorld ){ BOOL fResult; HCERTSTORE hWorld; HCERTSTORE hStore; DWORD cCount;
hWorld = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL );
if ( hWorld == NULL ) { return( FALSE ); }
fResult = CertAddStoreToCollection( hWorld, hRoot, 0, 0 );
for ( cCount = 0; ( cCount < cAdditionalStore ) && ( fResult == TRUE ); cCount++ ) { fResult = CertAddStoreToCollection( hWorld, rghAdditionalStore[ cCount ], 0, 0 ); }
dwStoreFlags |= CERT_STORE_MAXIMUM_ALLOWED_FLAG | CERT_STORE_SHARE_CONTEXT_FLAG;
if ( fResult == TRUE ) { hStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, dwStoreFlags, L"trust" );
if ( hStore != NULL ) { fResult = CertAddStoreToCollection( hWorld, hStore, 0, 0 ); CertCloseStore( hStore, 0 ); } else { fResult = FALSE; } }
if ( fResult == TRUE ) { if ( hCA != NULL ) { fResult = CertAddStoreToCollection( hWorld, hCA, 0, 0 ); } else { fResult = FALSE; } }
if ( fResult == TRUE ) { hStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, dwStoreFlags, L"my" );
if ( hStore != NULL ) { fResult = CertAddStoreToCollection( hWorld, hStore, 0, 0 ); CertCloseStore( hStore, 0 ); } else { fResult = FALSE; } }
if ( fResult == TRUE ) { *phWorld = hWorld; } else { CertCloseStore( hWorld, 0 ); }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainCreateEngineStore
//
// Synopsis: create the engine store and the change event handle
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateEngineStore ( IN HCERTSTORE hRootStore, IN HCERTSTORE hTrustStore, IN HCERTSTORE hOtherStore, IN BOOL fDefaultEngine, IN DWORD dwFlags, OUT HCERTSTORE* phEngineStore, OUT HANDLE* phEngineStoreChangeEvent ){ BOOL fResult = TRUE; HCERTSTORE hEngineStore; HANDLE hEvent;
hEngineStore = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL );
hEvent = CreateEventA( NULL, FALSE, FALSE, NULL );
if ( ( hEngineStore == NULL ) || ( hEvent == NULL ) ) { fResult = FALSE; }
if ( fResult == TRUE ) { fResult = CertAddStoreToCollection( hEngineStore, hRootStore, 0, 0 ); }
if ( fResult == TRUE ) { fResult = CertAddStoreToCollection( hEngineStore, hTrustStore, 0, 0 ); }
if ( fResult == TRUE ) { fResult = CertAddStoreToCollection( hEngineStore, hOtherStore, 0, 0 ); }
if ( ( fResult == TRUE ) && ( dwFlags & CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE ) ) { // Someday support a let me know about errors flag
CertControlStore( hEngineStore, CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG, CERT_STORE_CTRL_NOTIFY_CHANGE, &hEvent ); }
if ( fResult == TRUE ) { *phEngineStore = hEngineStore; *phEngineStoreChangeEvent = hEvent; } else { if ( hEngineStore != NULL ) { CertCloseStore( hEngineStore, 0 ); }
if ( hEvent != NULL ) { CloseHandle( hEvent ); } }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainIsProperRestrictedRoot
//
// Synopsis: check to see if this restricted root store is a proper subset
// of the real root store
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsProperRestrictedRoot ( IN HCERTSTORE hRealRoot, IN HCERTSTORE hRestrictedRoot ){ PCCERT_CONTEXT pCertContext = NULL; PCCERT_CONTEXT pFound = NULL; DWORD cbData = CHAINHASHLEN; BYTE CertificateHash[ CHAINHASHLEN ]; CRYPT_HASH_BLOB HashBlob;
HashBlob.cbData = cbData; HashBlob.pbData = CertificateHash;
while ( ( pCertContext = CertEnumCertificatesInStore( hRestrictedRoot, pCertContext ) ) != NULL ) { if ( CertGetCertificateContextProperty( pCertContext, CERT_MD5_HASH_PROP_ID, CertificateHash, &cbData ) == TRUE ) { pFound = CertFindCertificateInStore( hRealRoot, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_MD5_HASH, &HashBlob, NULL );
if ( pFound == NULL ) { CertFreeCertificateContext( pCertContext ); return( FALSE ); } else { CertFreeCertificateContext( pFound ); } } }
return( TRUE );}
//+---------------------------------------------------------------------------
//
// Function: ChainCreateCollectionIncludingCtlCertificates
//
// Synopsis: create a collection which includes the source store hStore and
// any CTL certificates from it
//
//----------------------------------------------------------------------------
BOOL WINAPIChainCreateCollectionIncludingCtlCertificates ( IN HCERTSTORE hStore, OUT HCERTSTORE* phCollection ){ BOOL fResult = FALSE; HCERTSTORE hCollection; PCCTL_CONTEXT pCtlContext = NULL; HCERTSTORE hCtlStore;
hCollection = CertOpenStore( CERT_STORE_PROV_COLLECTION, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL );
if ( hCollection == NULL ) { return( FALSE ); }
fResult = CertAddStoreToCollection( hCollection, hStore, 0, 0 );
while ( ( fResult == TRUE ) && ( ( pCtlContext = CertEnumCTLsInStore( hStore, pCtlContext ) ) != NULL ) ) { hCtlStore = CertOpenStore( CERT_STORE_PROV_MSG, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, 0, pCtlContext->hCryptMsg );
if ( hCtlStore != NULL ) { fResult = CertAddStoreToCollection( hCollection, hCtlStore, 0, 0 );
CertCloseStore( hCtlStore, 0 ); } }
if ( fResult == TRUE ) { *phCollection = hCollection; } else { CertCloseStore( hCollection, 0 ); }
return( fResult );}
//+===========================================================================
// URL helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Function: ChainGetObjectUrl
//
// Synopsis: thunk to CryptGetObjectUrl in cryptnet.dll
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetObjectUrl ( IN LPCSTR pszUrlOid, IN LPVOID pvPara, IN DWORD dwFlags, OUT OPTIONAL PCRYPT_URL_ARRAY pUrlArray, IN OUT DWORD* pcbUrlArray, OUT OPTIONAL PCRYPT_URL_INFO pUrlInfo, IN OUT OPTIONAL DWORD* pcbUrlInfo, IN OPTIONAL LPVOID pvReserved ){ BOOL fResult = FALSE; HMODULE hModule; PFN_GETOBJECTURL pfn = NULL;
hModule = ChainGetCryptnetModule();
if ( hModule != NULL ) { pfn = (PFN_GETOBJECTURL)GetProcAddress( hModule, "CryptGetObjectUrl" ); }
if ( pfn != NULL ) { fResult = ( *pfn )( pszUrlOid, pvPara, dwFlags, pUrlArray, pcbUrlArray, pUrlInfo, pcbUrlInfo, pvReserved ); }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainRetrieveObjectByUrlW
//
// Synopsis: thunk to CryptRetrieveObjectByUrlW in cryptnet.dll
//
//----------------------------------------------------------------------------
BOOL WINAPIChainRetrieveObjectByUrlW ( IN LPCWSTR pszUrl, IN LPCSTR pszObjectOid, IN DWORD dwRetrievalFlags, IN DWORD dwTimeout, OUT LPVOID* ppvObject, IN HCRYPTASYNC hAsyncRetrieve, IN PCRYPT_CREDENTIALS pCredentials, IN LPVOID pvVerify, IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo ){ BOOL fResult = FALSE; HMODULE hModule; PFN_RETRIEVEOBJECTBYURLW pfn = NULL;
hModule = ChainGetCryptnetModule();
if ( hModule != NULL ) { pfn = (PFN_RETRIEVEOBJECTBYURLW)GetProcAddress( hModule, "CryptRetrieveObjectByUrlW" ); }
if ( pfn != NULL ) { fResult = ( *pfn )( pszUrl, pszObjectOid, dwRetrievalFlags, dwTimeout, ppvObject, hAsyncRetrieve, pCredentials, pvVerify, pAuxInfo ); }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainIsConnected
//
// Synopsis: thunk to I_CryptNetIsConnected in cryptnet.dll
//
//----------------------------------------------------------------------------
BOOL WINAPIChainIsConnected(){ BOOL fResult = FALSE; HMODULE hModule; PFN_I_CRYPTNET_IS_CONNECTED pfn = NULL;
hModule = ChainGetCryptnetModule();
if ( hModule != NULL ) { pfn = (PFN_I_CRYPTNET_IS_CONNECTED)GetProcAddress( hModule, "I_CryptNetIsConnected" ); }
if ( pfn != NULL ) { fResult = ( *pfn )(); }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainGetHostNameFromUrl
//
// Synopsis: thunk to I_CryptNetGetHostNameFromUrl in cryptnet.dll
//
//----------------------------------------------------------------------------
BOOLWINAPIChainGetHostNameFromUrl ( IN LPWSTR pwszUrl, IN DWORD cchHostName, OUT LPWSTR pwszHostName ){ BOOL fResult = FALSE; HMODULE hModule; PFN_I_CRYPTNET_GET_HOST_NAME_FROM_URL pfn = NULL;
hModule = ChainGetCryptnetModule();
if ( hModule != NULL ) { pfn = (PFN_I_CRYPTNET_GET_HOST_NAME_FROM_URL)GetProcAddress( hModule, "I_CryptNetGetHostNameFromUrl" ); }
if ( pfn != NULL ) { fResult = ( *pfn )( pwszUrl, cchHostName, pwszHostName ); }
return( fResult );}
//+---------------------------------------------------------------------------
//
// Function: ChainGetOfflineUrlDeltaSeconds
//
// Synopsis: given the number of unsuccessful attempts to retrieve the
// Url, returns the number of seconds to wait before the
// next attempt.
//
//----------------------------------------------------------------------------
const DWORD rgdwChainOfflineUrlDeltaSeconds[] = { 15, // 15 seconds
15, // 15 seconds
60, // 1 minute
60 * 5, // 5 minutes
60 * 10, // 10 minutes
60 * 30, // 30 minutes
};
#define CHAIN_OFFLINE_URL_DELTA_SECONDS_CNT \
(sizeof(rgdwChainOfflineUrlDeltaSeconds) / \ sizeof(rgdwChainOfflineUrlDeltaSeconds[0]))
DWORDWINAPIChainGetOfflineUrlDeltaSeconds ( IN DWORD dwOfflineCnt ){ if (0 == dwOfflineCnt) return 0;
if (CHAIN_OFFLINE_URL_DELTA_SECONDS_CNT < dwOfflineCnt) dwOfflineCnt = CHAIN_OFFLINE_URL_DELTA_SECONDS_CNT;
return rgdwChainOfflineUrlDeltaSeconds[dwOfflineCnt - 1];}
//+===========================================================================
// Debug helper functions
//============================================================================
DWORDWINAPIChainGetDebugFlags(){ HKEY hKey = NULL; DWORD dwType = 0; DWORD dwValue = 0; DWORD cbValue = sizeof(dwValue);
DWORD dwLastErr = GetLastError();
if (ERROR_SUCCESS != RegOpenKeyExA( HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\crypt32", 0, // dwReserved
KEY_READ, &hKey )) goto ErrorReturn;
if (ERROR_SUCCESS != RegQueryValueExA( hKey, "DebugFlags", NULL, // pdwReserved
&dwType, (BYTE *) &dwValue, &cbValue )) goto ErrorReturn;
if (dwType != REG_DWORD || cbValue != sizeof(dwValue)) goto ErrorReturn;
CommonReturn: if (hKey) RegCloseKey(hKey);
SetLastError(dwLastErr);
return dwValue;
ErrorReturn: dwValue = 0; goto CommonReturn;}
VOIDWINAPIChainOutputDebugStringA( LPCSTR lpOutputString ){ if (ChainGetDebugFlags() & 0x1) { DWORD dwLastErr = GetLastError(); OutputDebugStringA(lpOutputString);
SetLastError(dwLastErr); }}
//+===========================================================================
// AuthRoot Auto Update methods and helper functions
//============================================================================
//+---------------------------------------------------------------------------
//
// Member: CChainPathObject::GetAuthRootAutoUpdateUrlStore, public
//
// Synopsis: attempts to get a time valid AuthRoot Auto Update CTL.
// Checks if there is CTL entry matching the subject
// certificate's AKI exact match, key identifier or name
// match. For a match URL retrieves the certificate and
// returns a store containing the retrieved certificates
//
// Leaves the engine's critical section to do the URL
// fetching. If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
// Only returns FALSE, if the engine was touched when
// leaving the critical section.
//
// The caller has already checked that we are online.
//
//----------------------------------------------------------------------------
// CN=Root Agency
const BYTE rgbRootAgencyIssuerName[] = { 0x30, 0x16, // SEQUENCE
0x31, 0x14, // SET
0x30, 0x12, // SEQUENCE
0x06, 0x03, 0x55, 0x04, 0x03, // OID
// PRINTABLE STRING
0x13, 0x0b, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x41, 0x67, 0x65, 0x6e, 0x63, 0x79};
// CN=Root SGC Authority
const BYTE rgbRootSGCAuthorityIssuerName[] = { 0x30, 0x1d, // SEQUENCE
0x31, 0x1b, // SET
0x30, 0x19, // SEQUENCE
0x06, 0x03, 0x55, 0x04, 0x03, // OID
// PRINTABLE STRING
0x13, 0x12, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79};
const CRYPT_DATA_BLOB rgSkipPartialIssuer[] = { sizeof(rgbRootAgencyIssuerName), (BYTE *) rgbRootAgencyIssuerName, sizeof(rgbRootSGCAuthorityIssuerName), (BYTE *) rgbRootSGCAuthorityIssuerName};#define SKIP_PARTIAL_ISSUER_CNT (sizeof(rgSkipPartialIssuer)/ \
sizeof(rgSkipPartialIssuer[0]))
BOOLCChainPathObject::GetAuthRootAutoUpdateUrlStore( IN PCCHAINCALLCONTEXT pCallContext, OUT HCERTSTORE *phIssuerUrlStore ){ BOOL fTouchedResult = TRUE; PCCERTCHAINENGINE pChainEngine = pCallContext->ChainEngine(); PCERT_INFO pCertInfo = m_pCertObject->CertContext()->pCertInfo; PCCTL_CONTEXT pCtl = NULL; HCERTSTORE hIssuerUrlStore = NULL;
CRYPT_DATA_BLOB rgAuthRootMatchHash[AUTH_ROOT_MATCH_CNT]; DWORD cEntry = 0; PCTL_ENTRY *rgpEntry = NULL; PCCERT_CONTEXT pCert; DWORD cCert; DWORD i;
*phIssuerUrlStore = NULL;
// Loop and skip known issuers such as, "Root Agency". Don't want all
// clients in the world hiting the wire when building these chains
for (i = 0; i < SKIP_PARTIAL_ISSUER_CNT; i++) { if (pCertInfo->Issuer.cbData == rgSkipPartialIssuer[i].cbData && 0 == memcmp(pCertInfo->Issuer.pbData, rgSkipPartialIssuer[i].pbData, rgSkipPartialIssuer[i].cbData)) return TRUE; } fTouchedResult = pChainEngine->GetAuthRootAutoUpdateCtl( pCallContext, &pCtl );
if (!fTouchedResult || NULL == pCtl) {
#if 0
// This logs too many test failures
if (fTouchedResult) { PAUTH_ROOT_AUTO_UPDATE_INFO pInfo = pChainEngine->AuthRootAutoUpdateInfo();
if (NULL == pInfo || !(pInfo->dwFlags & CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_PARTIAL_CHAIN_LOGGING_FLAG)) IPR_LogCertInformation( MSG_PARTIAL_CHAIN_INFORMATIONAL, m_pCertObject->CertContext(), TRUE // fFormatIssuerName
); }#endif
return fTouchedResult; }
// We have a valid AuthRoot Auto Update CTL.
// See if we can find any matching AuthRoots
memset(rgAuthRootMatchHash, 0, sizeof(rgAuthRootMatchHash));
m_pCertObject->GetIssuerKeyMatchHash( &rgAuthRootMatchHash[AUTH_ROOT_KEY_MATCH_IDX]); m_pCertObject->GetIssuerNameMatchHash( &rgAuthRootMatchHash[AUTH_ROOT_NAME_MATCH_IDX]);
pChainEngine->FindAuthRootAutoUpdateMatchingCtlEntries( rgAuthRootMatchHash, &pCtl, &cEntry, &rgpEntry );
if (0 == cEntry) {
#if 0
// This logs too many test failures
PAUTH_ROOT_AUTO_UPDATE_INFO pInfo = pChainEngine->AuthRootAutoUpdateInfo();
if (NULL == pInfo || !(pInfo->dwFlags & CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_PARTIAL_CHAIN_LOGGING_FLAG)) IPR_LogCertInformation( MSG_PARTIAL_CHAIN_INFORMATIONAL, m_pCertObject->CertContext(), TRUE // fFormatIssuerName
);#endif
goto NoAutoUpdateCtlEntry; }
hIssuerUrlStore = CertOpenStore( CERT_STORE_PROV_MEMORY, 0, // dwEncodingType
NULL, // hCryptProv
0, // dwFlags
NULL // pvPara
); if (NULL == hIssuerUrlStore) goto OpenMemoryStoreError;
for (i = 0; i < cEntry; i++) { PCTL_ENTRY pEntry = rgpEntry[i];
// If already in our store, no need to hit the wire and retrieve.
if (pCert = CertFindCertificateInStore( pChainEngine->OtherStore(), X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SHA1_HASH, (LPVOID) &pEntry->SubjectIdentifier, NULL )) { CertFreeCertificateContext(pCert); continue; }
fTouchedResult = pChainEngine->GetAuthRootAutoUpdateCert( pCallContext, pEntry, hIssuerUrlStore );
if (!fTouchedResult) goto TouchedDuringUrlRetrievalOfAuthRoots; }
pCert = NULL; cCert = 0; while (pCert = CertEnumCertificatesInStore(hIssuerUrlStore, pCert)) cCert++;
if (0 == cCert) goto NoAuthRootAutoUpdateCerts;
if (1 < cCert) { // If more than one root in the list, explicitly add them all here.
// While building the chain using the returned AuthRoots we might
// leave the critical section and restart. After restarting may
// have a trusted root and won't redo this URL retrieval.
pChainEngine->UnlockEngine();
pCert = NULL; while (pCert = CertEnumCertificatesInStore(hIssuerUrlStore, pCert)) IPR_AddCertInAuthRootAutoUpdateCtl(pCert, pCtl);
pChainEngine->LockEngine(); if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; goto TouchedDuringAddOfAuthRoots; } }
*phIssuerUrlStore = hIssuerUrlStore; CommonReturn: if (rgpEntry) PkiFree(rgpEntry); if (pCtl) CertFreeCTLContext(pCtl);
return fTouchedResult;ErrorReturn: if (hIssuerUrlStore) CertCloseStore(hIssuerUrlStore, 0); goto CommonReturn;
TRACE_ERROR(NoAutoUpdateCtlEntry)TRACE_ERROR(OpenMemoryStoreError)TRACE_ERROR(TouchedDuringUrlRetrievalOfAuthRoots)TRACE_ERROR(NoAuthRootAutoUpdateCerts)TRACE_ERROR(TouchedDuringAddOfAuthRoots)}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::RetrieveAuthRootAutoUpdateObjectByUrlW, public
//
// Synopsis: URL retrieves an AuthRoot Auto Update object. For wire
// retrieval, logs the event.
//
// Leaves the engine's critical section to do the URL
// fetching. If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
// If the object was successfully retrieved,
// *ppvObject != NULL. Otherwise, *ppvObject = NULL.
//
// Only returns FALSE, if the engine was touched when
// leaving the critical section. *ppvObject may be != NULL
// when touched.
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::RetrieveAuthRootAutoUpdateObjectByUrlW( IN PCCHAINCALLCONTEXT pCallContext, IN DWORD dwSuccessEventID, IN DWORD dwFailEventID, IN LPCWSTR pwszUrl, IN LPCSTR pszObjectOid, IN DWORD dwRetrievalFlags, IN DWORD dwTimeout, // 0 => use default
OUT LPVOID* ppvObject, IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo ){ BOOL fTouchedResult = TRUE; BOOL fResult;
*ppvObject = NULL; if (0 == dwTimeout) dwTimeout = pCallContext->ChainPara()->dwUrlRetrievalTimeout;
//
// We are about to go on the wire to retrieve the object.
// At this time we will release the chain engine lock so others can
// go about there business while we wait for the protocols to do the
// fetching.
//
UnlockEngine();
// Note, the windows update server doesn't require authentication.
// wininet sometimes calls us within a critical section. NO_AUTH
// normally will fix this deadlock.
//
// On 09-May-01 the above was fixed by wininet.
// Removed setting CRYPT_NO_AUTH_RETRIEVAL.
//
// Authentication may be required by a proxy.
fResult = ChainRetrieveObjectByUrlW( pwszUrl, pszObjectOid, dwRetrievalFlags, dwTimeout, ppvObject, NULL, // hAsyncRetrieve
NULL, // pCredentials
NULL, // pvVerify
pAuxInfo );
if (dwRetrievalFlags & CRYPT_WIRE_ONLY_RETRIEVAL) { // Only log wire retrievals
if (fResult) { LPCWSTR rgpwszStrings[1] = { pwszUrl };
IPR_LogCrypt32Event( EVENTLOG_INFORMATION_TYPE, dwSuccessEventID, 1, // wNumStrings
rgpwszStrings ); } else IPR_LogCrypt32Error( dwFailEventID, pwszUrl, GetLastError() ); }
LockEngine();
if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; goto TouchedDuringAuthRootObjectUrlRetrieval; }
if (fResult) assert(*ppvObject); else assert(NULL == *ppvObject);
CommonReturn: return fTouchedResult;ErrorReturn: goto CommonReturn;
SET_ERROR(TouchedDuringAuthRootObjectUrlRetrieval, ERROR_CAN_NOT_COMPLETE)}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::GetAuthRootAutoUpdateCtl, public
//
// Synopsis: if auto update hasn't been disabled,
// returns the AuthRoot Auto Update CTL. Hits the wire
// if necessary to get a "fresh" CTL.
//
// Note, 2 URL fetches. One for the SequenceNumber file. The
// other for the CTL cab file. The SequenceNumber file
// is small and bounded in size. If it matches the SequenceNumber
// in an already retrieved CTL, then, no need to hit the
// wire to retrive the larger CTL file. This optimization will
// reduce the number of bytes needing to be fetched across the
// wire. The CTL won't be updated that often.
//
// Leaves the engine's critical section to do the URL
// fetching. If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
// If auto update has been disabled, returns TRUE and
// *ppCtl = NULL.
//
// Only returns FALSE, if the engine was touched when
// leaving the critical section.
//
// The returned pCtl is AddRef'ed.
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::GetAuthRootAutoUpdateCtl( IN PCCHAINCALLCONTEXT pCallContext, OUT PCCTL_CONTEXT *ppCtl ){ BOOL fTouchedResult = TRUE; FILETIME CurrentTime; PAUTH_ROOT_AUTO_UPDATE_INFO pInfo; PCRYPT_BLOB_ARRAY pcbaSeq = NULL; PCRYPT_BLOB_ARRAY pcbaCab = NULL; PCCTL_CONTEXT pNewCtl = NULL; CRYPT_RETRIEVE_AUX_INFO RetrieveAuxInfo; DWORD i;
*ppCtl = NULL;
if ((pCallContext->CallOrEngineFlags() & CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE) || IPR_IsAuthRootAutoUpdateDisabled()) return TRUE;
if (NULL == (pInfo = m_pAuthRootAutoUpdateInfo)) { if (NULL == (pInfo = CreateAuthRootAutoUpdateInfo())) return TRUE; m_pAuthRootAutoUpdateInfo = pInfo; }
pCallContext->CurrentTime(&CurrentTime);
memset(&RetrieveAuxInfo, 0, sizeof(RetrieveAuxInfo)); RetrieveAuxInfo.cbSize = sizeof(RetrieveAuxInfo);
// First try the cache. If unable to retrieve the seq file or
// find a time valid CTL cab in the cache, hit the wire.
for (i = 0; i <= 1; i++) { BOOL fResult; DWORD dwRetrievalFlags; DWORD dwCtlTimeout = 0; PCRYPT_INTEGER_BLOB pSequenceNumber; FILETIME NewLastSyncTime; FILETIME CtlLastSyncTime; PCTL_INFO pNewCtlInfo;
if (pInfo->pCtl && 0 < CompareFileTime(&pInfo->NextSyncTime, &CurrentTime)) // We already have a time valid CTL
break;
if (0 == i) dwRetrievalFlags = CRYPT_CACHE_ONLY_RETRIEVAL; else { if (!pCallContext->IsOnline()) break; dwRetrievalFlags = CRYPT_WIRE_ONLY_RETRIEVAL; }
// First try to fetch the CTL's sequence number file
RetrieveAuxInfo.pLastSyncTime = &NewLastSyncTime; fTouchedResult = RetrieveAuthRootAutoUpdateObjectByUrlW( pCallContext, MSG_ROOT_SEQUENCE_NUMBER_AUTO_UPDATE_URL_RETRIEVAL_INFORMATIONAL, MSG_ROOT_SEQUENCE_NUMBER_AUTO_UPDATE_URL_RETRIEVAL_ERROR, pInfo->pwszSeqUrl, NULL, // pszObjectOid,
dwRetrievalFlags | CRYPT_OFFLINE_CHECK_RETRIEVAL | CRYPT_STICKY_CACHE_RETRIEVAL, 0, // dwTimeout (use default)
(LPVOID*) &pcbaSeq, &RetrieveAuxInfo ); if (!fTouchedResult) goto TouchedDuringAuthRootSeqUrlRetrieval;
pSequenceNumber = NULL; if (NULL == pcbaSeq) { // SequenceNumber retrieval failed
if (0 != i) // For wire retrieval failure, don't try to fetch the CTL
continue; } else if (0 > CompareFileTime(&NewLastSyncTime, &pInfo->LastSyncTime)) { // An older sync time
CryptMemFree(pcbaSeq); pcbaSeq = NULL; } else { // Extract the Sequence Number from the retrieved blob.
// Convert the ascii hex characters to binary. Overwrite
// the ascii hex with the converted bytes.
// Convert binary to little endian.
DWORD cchSeq; BOOL fUpperNibble = TRUE; DWORD cb = 0; DWORD j;
pSequenceNumber = pcbaSeq->rgBlob; if (0 == pcbaSeq->cBlob) cchSeq = 0; else cchSeq = pSequenceNumber->cbData;
for (j = 0; j < cchSeq; j++) { char ch = (char) pSequenceNumber->pbData[j]; BYTE b;
// only convert ascii hex characters 0..9, a..f, A..F
// silently ignore all others
if (ch >= '0' && ch <= '9') b = (BYTE) (ch - '0'); else if (ch >= 'a' && ch <= 'f') b = (BYTE) (10 + ch - 'a'); else if (ch >= 'A' && ch <= 'F') b = (BYTE) (10 + ch - 'A'); else continue; if (fUpperNibble) { pSequenceNumber->pbData[cb] = b << 4; fUpperNibble = FALSE; } else { pSequenceNumber->pbData[cb] |= b; cb++; fUpperNibble = TRUE; } }
if (0 == cb) { // Empty sequence number.
CryptMemFree(pcbaSeq); pcbaSeq = NULL; } else { pSequenceNumber->cbData = cb;
PkiAsn1ReverseBytes(pSequenceNumber->pbData, pSequenceNumber->cbData);
// Check if we already have a CTL corresponding to this
// fetched SequenceNumber
if (pInfo->pCtl) { PCTL_INFO pCtlInfo = pInfo->pCtl->pCtlInfo;
if (pCtlInfo->SequenceNumber.cbData == pSequenceNumber->cbData && 0 == memcmp(pCtlInfo->SequenceNumber.pbData, pSequenceNumber->pbData, pSequenceNumber->cbData)) { // Same CTL
pInfo->LastSyncTime = NewLastSyncTime; I_CryptIncrementFileTimeBySeconds( &pInfo->LastSyncTime, pInfo->dwSyncDeltaTime, &pInfo->NextSyncTime );
CryptMemFree(pcbaSeq); pcbaSeq = NULL; continue; } }
// The SequenceNumber consists of the FILETIME followed by
// an optional byte containing a hint for the CTL URL
// retrieval timeout (in seconds). If we are using the
// default retrieval timeout, use the hint if it exceeds
// the default timeout.
if (sizeof(FILETIME) < cb && pCallContext->HasDefaultUrlRetrievalTimeout()) { dwCtlTimeout = ((DWORD) pSequenceNumber->pbData[sizeof(FILETIME)]) * 1000; if (dwCtlTimeout < pCallContext->ChainPara()->dwUrlRetrievalTimeout) dwCtlTimeout = pCallContext->ChainPara()->dwUrlRetrievalTimeout; } } }
// After retrieving the sequence number file, now
// try to fetch the cab containing the CTL
RetrieveAuxInfo.pLastSyncTime = &CtlLastSyncTime; fTouchedResult = RetrieveAuthRootAutoUpdateObjectByUrlW( pCallContext, MSG_ROOT_LIST_AUTO_UPDATE_URL_RETRIEVAL_INFORMATIONAL, MSG_ROOT_LIST_AUTO_UPDATE_URL_RETRIEVAL_ERROR, pInfo->pwszCabUrl, NULL, // pszObjectOid,
dwRetrievalFlags | CRYPT_OFFLINE_CHECK_RETRIEVAL | CRYPT_STICKY_CACHE_RETRIEVAL, dwCtlTimeout, (LPVOID*) &pcbaCab, &RetrieveAuxInfo ); if (!fTouchedResult) goto TouchedDuringAuthRootCabUrlRetrieval;
if (NULL == pcbaCab) { // Cab Retrieval failed
if (pcbaSeq) { CryptMemFree(pcbaSeq); pcbaSeq = NULL; } continue; }
// Leave the engine to extract the CTL from the cab
UnlockEngine();
pNewCtl = ExtractAuthRootAutoUpdateCtlFromCab(pcbaCab); if (NULL == pNewCtl) IPR_LogCrypt32Error( MSG_ROOT_LIST_AUTO_UPDATE_EXTRACT_ERROR, pInfo->pwszCabUrl, GetLastError() );
CryptMemFree(pcbaCab); pcbaCab = NULL;
LockEngine();
if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; goto TouchedDuringExtractAuthRootCtl; }
if (NULL == pNewCtl) { // Ctl Extraction failed
if (pcbaSeq) { CryptMemFree(pcbaSeq); pcbaSeq = NULL; } continue; }
// If the SequenceNumber is the same as the one in the retrieved
// Ctl, then, use the lastest sync of the 2 URL fetches. Otherwise,
// use the Ctl sync time
pNewCtlInfo = pNewCtl->pCtlInfo; if (NULL == pcbaSeq || pNewCtlInfo->SequenceNumber.cbData != pSequenceNumber->cbData || 0 != memcmp(pNewCtlInfo->SequenceNumber.pbData, pSequenceNumber->pbData, pSequenceNumber->cbData) || 0 < CompareFileTime(&CtlLastSyncTime, &NewLastSyncTime)) NewLastSyncTime = CtlLastSyncTime;
// We are done with the SequenceNumber info
if (pcbaSeq) { CryptMemFree(pcbaSeq); pcbaSeq = NULL; }
if (0 >= CompareFileTime(&NewLastSyncTime, &pInfo->LastSyncTime)) { // Not a newer sync
CertFreeCTLContext(pNewCtl); pNewCtl = NULL; continue; } if (pInfo->pCtl && pInfo->pCtl->cbCtlEncoded == pNewCtl->cbCtlEncoded && 0 == memcmp(pInfo->pCtl->pbCtlEncoded, pNewCtl->pbCtlEncoded, pNewCtl->cbCtlEncoded)) { // Same CTL
pInfo->LastSyncTime = NewLastSyncTime; I_CryptIncrementFileTimeBySeconds( &pInfo->LastSyncTime, pInfo->dwSyncDeltaTime, &pInfo->NextSyncTime );
CertFreeCTLContext(pNewCtl); pNewCtl = NULL; continue; }
// Leave the engine to verify the CTL
UnlockEngine(); fResult = IRL_VerifyAuthRootAutoUpdateCtl(pNewCtl); if (!fResult) IPR_LogCrypt32Error( MSG_ROOT_LIST_AUTO_UPDATE_EXTRACT_ERROR, pInfo->pwszCabUrl, GetLastError() ); LockEngine();
if (fResult && 0 < CompareFileTime(&NewLastSyncTime, &pInfo->LastSyncTime)) { // Valid CTL that is newer
pInfo->LastSyncTime = NewLastSyncTime; I_CryptIncrementFileTimeBySeconds( &pInfo->LastSyncTime, pInfo->dwSyncDeltaTime, &pInfo->NextSyncTime );
FreeAuthRootAutoUpdateMatchCaches(pInfo->rghMatchCache); if (pInfo->pCtl) CertFreeCTLContext(pInfo->pCtl); pInfo->pCtl = pNewCtl; pNewCtl = NULL; }
if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; goto TouchedDuringVerifyAuthRootCtl; } }
if (pInfo->pCtl) *ppCtl = CertDuplicateCTLContext(pInfo->pCtl);
CommonReturn: if (pcbaSeq) CryptMemFree(pcbaSeq); if (pcbaCab) CryptMemFree(pcbaCab); if (pNewCtl) CertFreeCTLContext(pNewCtl); return fTouchedResult;ErrorReturn: goto CommonReturn;
TRACE_ERROR(TouchedDuringAuthRootSeqUrlRetrieval)TRACE_ERROR(TouchedDuringAuthRootCabUrlRetrieval)SET_ERROR(TouchedDuringExtractAuthRootCtl, ERROR_CAN_NOT_COMPLETE)SET_ERROR(TouchedDuringVerifyAuthRootCtl, ERROR_CAN_NOT_COMPLETE)}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::FindAuthRootAutoUpdateMatchingCtlEntries, public
//
// Synopsis: If the CTL hash match cache doesn't exist its created.
// Iterates through the key and name hash cache entries.
// Returns matching entries. Removes duplicates.
//
// Assumption: Chain engine is locked once in the calling thread.
//
// The returned prgpCtlEntry must be PkiFree()'ed.
//
// Note, if the engine's pCtl is different then the passed in
// pCtl, the passed in pCtl is free'ed and updated with the
// engine's.
//
//----------------------------------------------------------------------------
VOIDCCertChainEngine::FindAuthRootAutoUpdateMatchingCtlEntries( IN CRYPT_DATA_BLOB rgMatchHash[AUTH_ROOT_MATCH_CNT], IN OUT PCCTL_CONTEXT *ppCtl, OUT DWORD *pcCtlEntry, OUT PCTL_ENTRY **prgpCtlEntry ){ PAUTH_ROOT_AUTO_UPDATE_INFO pInfo; PCCTL_CONTEXT pCtl; DWORD cCtlEntry = 0; PCTL_ENTRY *rgpCtlEntry = NULL; DWORD i;
pInfo = m_pAuthRootAutoUpdateInfo; if (NULL == pInfo || NULL == pInfo->pCtl) goto InvalidCtl;
pCtl = *ppCtl; if (pCtl != pInfo->pCtl) { assert(pCtl); CertFreeCTLContext(pCtl); *ppCtl = pCtl = pInfo->pCtl; CertDuplicateCTLContext(pCtl); }
if (!CreateAuthRootAutoUpdateMatchCaches( pCtl, pInfo->rghMatchCache )) goto CreateMatchCachesError;
assert(pInfo->rghMatchCache[0]); assert(pInfo->rghMatchCache[AUTH_ROOT_MATCH_CNT - 1]);
// Loop through the exact, key and name match hashes and try to find an
// entry in the corresponding CTL match cache
for (i = 0; i < AUTH_ROOT_MATCH_CNT; i++) { HLRUENTRY hEntry;
if (0 == rgMatchHash[i].cbData) continue;
hEntry = I_CryptFindLruEntry(pInfo->rghMatchCache[i], &rgMatchHash[i]); while (NULL != hEntry) { PCTL_ENTRY pCtlEntry; PCTL_ENTRY *rgpNewCtlEntry; DWORD j;
pCtlEntry = (PCTL_ENTRY) I_CryptGetLruEntryData(hEntry); hEntry = I_CryptEnumMatchingLruEntries(hEntry);
assert(pCtlEntry); if (NULL == pCtlEntry) continue;
// Check if we already have this Ctl Entry
for (j = 0; j < cCtlEntry; j++) { if (pCtlEntry == rgpCtlEntry[j]) break; }
if (j < cCtlEntry) continue; if (NULL == (rgpNewCtlEntry = (PCTL_ENTRY *) PkiRealloc( rgpCtlEntry, (cCtlEntry + 1) * sizeof(PCTL_ENTRY)))) continue;
rgpCtlEntry = rgpNewCtlEntry; rgpCtlEntry[cCtlEntry++] = pCtlEntry; } }
CommonReturn: *pcCtlEntry = cCtlEntry; *prgpCtlEntry = rgpCtlEntry; return;ErrorReturn: goto CommonReturn;
TRACE_ERROR(InvalidCtl)TRACE_ERROR(CreateMatchCachesError)}
//+---------------------------------------------------------------------------
//
// Member: CCertChainEngine::GetAuthRootAutoUpdateCert, public
//
// Synopsis: URL retrieval of the AuthRoot from the Microsoft web
// server.
//
// Leaves the engine's critical section to do the URL
// fetching. If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
// Only returns FALSE, if the engine was touched when
// leaving the critical section.
//
//----------------------------------------------------------------------------
BOOLCCertChainEngine::GetAuthRootAutoUpdateCert( IN PCCHAINCALLCONTEXT pCallContext, IN PCTL_ENTRY pCtlEntry, IN OUT HCERTSTORE hStore ){ BOOL fTouchedResult = TRUE; LPWSTR pwszCertUrl = NULL; HCERTSTORE hUrlStore = NULL;
assert(m_pAuthRootAutoUpdateInfo);
if (SHA1_HASH_LEN != pCtlEntry->SubjectIdentifier.cbData) goto InvalidCtlEntryError;
if (NULL == (pwszCertUrl = FormatAuthRootAutoUpdateCertUrl( pCtlEntry->SubjectIdentifier.pbData, m_pAuthRootAutoUpdateInfo ))) goto FormatCertUrlError;
fTouchedResult = RetrieveAuthRootAutoUpdateObjectByUrlW( pCallContext, MSG_ROOT_CERT_AUTO_UPDATE_URL_RETRIEVAL_INFORMATIONAL, MSG_ROOT_CERT_AUTO_UPDATE_URL_RETRIEVAL_ERROR, pwszCertUrl, CONTEXT_OID_CERTIFICATE, CRYPT_RETRIEVE_MULTIPLE_OBJECTS | CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL | CRYPT_OFFLINE_CHECK_RETRIEVAL | CRYPT_WIRE_ONLY_RETRIEVAL | CRYPT_DONT_CACHE_RESULT, 0, // dwTimeout (use default)
(LPVOID *) &hUrlStore, NULL // pAuxInfo
); if (!fTouchedResult) goto TouchedDuringAuthRootCertUrlRetrieval;
if (hUrlStore) I_CertUpdateStore(hStore, hUrlStore, 0, NULL);
CommonReturn: PkiFree(pwszCertUrl); if (hUrlStore) CertCloseStore(hUrlStore, 0); return fTouchedResult;ErrorReturn: goto CommonReturn;SET_ERROR(InvalidCtlEntryError, ERROR_INVALID_DATA)TRACE_ERROR(FormatCertUrlError)TRACE_ERROR(TouchedDuringAuthRootCertUrlRetrieval)}
//+---------------------------------------------------------------------------
//
// Function: CreateAuthRootAutoUpdateInfo
//
// Synopsis: creates and initializes the AuthRoot Auto Update info
//
//----------------------------------------------------------------------------
PAUTH_ROOT_AUTO_UPDATE_INFO WINAPICreateAuthRootAutoUpdateInfo(){ HKEY hKey = NULL; PAUTH_ROOT_AUTO_UPDATE_INFO pInfo = NULL; DWORD cchDir; DWORD cchUrl;
if (NULL == (pInfo = (PAUTH_ROOT_AUTO_UPDATE_INFO) PkiZeroAlloc( sizeof(AUTH_ROOT_AUTO_UPDATE_INFO)))) goto OutOfMemory;
if (ERROR_SUCCESS != RegOpenKeyExU( HKEY_LOCAL_MACHINE, CERT_AUTH_ROOT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH, 0, // dwReserved
KEY_READ, &hKey )) hKey = NULL;
if (hKey) { // Attempt to get values from registry
ILS_ReadDWORDValueFromRegistry( hKey, CERT_AUTH_ROOT_AUTO_UPDATE_SYNC_DELTA_TIME_VALUE_NAME, &pInfo->dwSyncDeltaTime );
ILS_ReadDWORDValueFromRegistry( hKey, CERT_AUTH_ROOT_AUTO_UPDATE_FLAGS_VALUE_NAME, &pInfo->dwFlags );
pInfo->pwszRootDirUrl = ILS_ReadSZValueFromRegistry( hKey, CERT_AUTH_ROOT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME ); if (pInfo->pwszRootDirUrl && L'\0' == *pInfo->pwszRootDirUrl) { PkiFree(pInfo->pwszRootDirUrl); pInfo->pwszRootDirUrl = NULL; } }
// If not defined in registry, use our defaults
if (0 == pInfo->dwSyncDeltaTime) pInfo->dwSyncDeltaTime = AUTH_ROOT_AUTO_UPDATE_SYNC_DELTA_TIME;
if (NULL == pInfo->pwszRootDirUrl) { if (NULL == (pInfo->pwszRootDirUrl = ILS_AllocAndCopyString( AUTH_ROOT_AUTO_UPDATE_ROOT_DIR_URL))) goto OutOfMemory; }
// Construct the CTL and Seq Urls
cchDir = wcslen(pInfo->pwszRootDirUrl);
cchUrl = cchDir + 1 + wcslen(CERT_AUTH_ROOT_CAB_FILENAME) + 1; if (NULL == (pInfo->pwszCabUrl = (LPWSTR) PkiNonzeroAlloc( sizeof(WCHAR) * cchUrl))) goto OutOfMemory; wcscpy(pInfo->pwszCabUrl, pInfo->pwszRootDirUrl); pInfo->pwszCabUrl[cchDir] = L'/'; wcscpy(pInfo->pwszCabUrl + cchDir + 1, CERT_AUTH_ROOT_CAB_FILENAME);
cchUrl = cchDir + 1 + wcslen(CERT_AUTH_ROOT_SEQ_FILENAME) + 1; if (NULL == (pInfo->pwszSeqUrl = (LPWSTR) PkiNonzeroAlloc( sizeof(WCHAR) * cchUrl))) goto OutOfMemory; wcscpy(pInfo->pwszSeqUrl, pInfo->pwszRootDirUrl); pInfo->pwszSeqUrl[cchDir] = L'/'; wcscpy(pInfo->pwszSeqUrl + cchDir + 1, CERT_AUTH_ROOT_SEQ_FILENAME);
CommonReturn: ILS_CloseRegistryKey(hKey); return pInfo;
ErrorReturn: FreeAuthRootAutoUpdateInfo(pInfo); pInfo = NULL; goto CommonReturn;
TRACE_ERROR(OutOfMemory)}
//+---------------------------------------------------------------------------
//
// Function: FreeAuthRootAutoUpdateInfo
//
// Synopsis: frees the AuthRoot Auto Update info
//
//----------------------------------------------------------------------------
VOID WINAPIFreeAuthRootAutoUpdateInfo( IN OUT PAUTH_ROOT_AUTO_UPDATE_INFO pInfo ){ if (NULL == pInfo) return;
PkiFree(pInfo->pwszRootDirUrl); PkiFree(pInfo->pwszCabUrl); PkiFree(pInfo->pwszSeqUrl);
FreeAuthRootAutoUpdateMatchCaches(pInfo->rghMatchCache);
if (pInfo->pCtl) CertFreeCTLContext(pInfo->pCtl);
PkiFree(pInfo);}
const LPCSTR rgpszAuthRootMatchOID[AUTH_ROOT_MATCH_CNT] = { szOID_CERT_KEY_IDENTIFIER_PROP_ID, szOID_CERT_SUBJECT_NAME_MD5_HASH_PROP_ID};
//+---------------------------------------------------------------------------
//
// Function: CreateAuthRootAutoUpdateMatchCaches
//
// Synopsis: if not already created, iterates through the CTL entries
// and creates key and name match caches entries from
// the associated entry hash attribute values.
//
//----------------------------------------------------------------------------
BOOL WINAPICreateAuthRootAutoUpdateMatchCaches( IN PCCTL_CONTEXT pCtl, IN OUT HLRUCACHE rghMatchCache[AUTH_ROOT_MATCH_CNT] ){ BOOL fResult; LRU_CACHE_CONFIG Config; DWORD i; DWORD cEntry; PCTL_ENTRY pEntry;
if (NULL != rghMatchCache[0]) // Already created.
return TRUE;
memset( &Config, 0, sizeof( Config ) ); Config.dwFlags = LRU_CACHE_NO_SERIALIZE | LRU_CACHE_NO_COPY_IDENTIFIER; Config.pfnHash = CertObjectCacheHashMd5Identifier; Config.cBuckets = AUTH_ROOT_MATCH_CACHE_BUCKETS;
for (i = 0; i < AUTH_ROOT_MATCH_CNT; i++) { if (!I_CryptCreateLruCache(&Config, &rghMatchCache[i])) goto CreateLruCacheError; }
// Loop through the CTL entries and add the exact, key and name match
// hash cache entries
cEntry = pCtl->pCtlInfo->cCTLEntry; pEntry = pCtl->pCtlInfo->rgCTLEntry; for ( ; cEntry > 0; cEntry--, pEntry++) { DWORD cAttr; PCRYPT_ATTRIBUTE pAttr;
cAttr = pEntry->cAttribute; pAttr = pEntry->rgAttribute;
// Skip a remove entry
if (CertFindAttribute( szOID_REMOVE_CERTIFICATE, cAttr, pAttr )) continue;
for ( ; cAttr > 0; cAttr--, pAttr++) { for (i = 0; i < AUTH_ROOT_MATCH_CNT; i++) { if (0 == strcmp(rgpszAuthRootMatchOID[i], pAttr->pszObjId)) break; }
if (i < AUTH_ROOT_MATCH_CNT) { PCRYPT_ATTR_BLOB pValue; DWORD cbHash; const BYTE *pbHash; CRYPT_DATA_BLOB DataBlob; HLRUENTRY hEntry = NULL;
// Check that we have a single valued attribute encoded as an
// OCTET STRING
if (1 != pAttr->cValue) continue;
pValue = pAttr->rgValue; if (2 > pValue->cbData || ASN1UTIL_TAG_OCTETSTRING != pValue->pbData[0]) continue;
// Extract the hash bytes from the encoded OCTET STRING
if (0 >= Asn1UtilExtractContent( pValue->pbData, pValue->cbData, &cbHash, &pbHash ) || CMSG_INDEFINITE_LENGTH == cbHash || 0 == cbHash) continue;
DataBlob.cbData = cbHash; DataBlob.pbData = (BYTE *) pbHash; if (!I_CryptCreateLruEntry( rghMatchCache[i], &DataBlob, pEntry, &hEntry )) goto CreateLruEntryError; I_CryptInsertLruEntry(hEntry, NULL); I_CryptReleaseLruEntry(hEntry); } } }
fResult = TRUE;CommonReturn: return fResult;
ErrorReturn: FreeAuthRootAutoUpdateMatchCaches(rghMatchCache); fResult = FALSE; goto CommonReturn;
TRACE_ERROR(CreateLruCacheError)TRACE_ERROR(CreateLruEntryError)}
//+---------------------------------------------------------------------------
//
// Function: FreeAuthRootAutoUpdateMatchCaches
//
// Synopsis: frees the AuthRoot Auto Match Caches
//
//----------------------------------------------------------------------------
VOID WINAPIFreeAuthRootAutoUpdateMatchCaches( IN OUT HLRUCACHE rghMatchCache[AUTH_ROOT_MATCH_CNT] ){ DWORD i;
for (i = 0; i < AUTH_ROOT_MATCH_CNT; i++) { if (NULL != rghMatchCache[i]) { I_CryptFreeLruCache( rghMatchCache[i], LRU_SUPPRESS_REMOVAL_NOTIFICATION, NULL ); rghMatchCache[i] = NULL; } }}
//+---------------------------------------------------------------------------
//
// Function: FormatAuthRootAutoUpdateCertUrl
//
// Synopsis: allocates and formats the URL to retrieve the auth root cert
//
// returns "RootDir" "/" "AsciiHexHash" ".cer"
// for example,
// "http://www.xyz.com/roots/216B2A29E62A00CE820146D8244141B92511B279.cer"
//
//----------------------------------------------------------------------------
LPWSTR WINAPIFormatAuthRootAutoUpdateCertUrl( IN BYTE rgbSha1Hash[SHA1_HASH_LEN], IN PAUTH_ROOT_AUTO_UPDATE_INFO pInfo ){ LPWSTR pwszUrl; DWORD cchDir; DWORD cchUrl;
assert(pInfo->pwszRootDirUrl);
cchDir = wcslen(pInfo->pwszRootDirUrl);
cchUrl = cchDir + 1 + SHA1_HASH_NAME_LEN + wcslen(CERT_AUTH_ROOT_CERT_EXT) + 1;
if (NULL == (pwszUrl = (LPWSTR) PkiNonzeroAlloc(sizeof(WCHAR) * cchUrl))) return NULL;
wcscpy(pwszUrl, pInfo->pwszRootDirUrl); pwszUrl[cchDir] = L'/'; ILS_BytesToWStr(SHA1_HASH_LEN, rgbSha1Hash, pwszUrl + cchDir + 1); wcscpy(pwszUrl + cchDir + 1 + SHA1_HASH_NAME_LEN, CERT_AUTH_ROOT_CERT_EXT); return pwszUrl;}
// Known invalid roots
BYTE AuthRootInvalidList[][SHA1_HASH_LEN] = { // verisign "timestamp" - '97
{ 0xD4, 0x73, 0x5D, 0x8A, 0x9A, 0xE5, 0xBC, 0x4B, 0x0A, 0x0D, 0xC2, 0x70, 0xD6, 0xA6, 0x25, 0x38, 0xA5, 0x87, 0xD3, 0x2F },
// Root Agency (test root)
{ 0xFE, 0xE4, 0x49, 0xEE, 0x0E, 0x39, 0x65, 0xA5, 0x24, 0x6F, 0x00, 0x0E, 0x87, 0xFD, 0xE2, 0xA0, 0x65, 0xFD, 0x89, 0xD4 },};
#define AUTH_ROOT_INVALID_LIST_CNT (sizeof(AuthRootInvalidList) / \
sizeof(AuthRootInvalidList[0]))
//+---------------------------------------------------------------------------
//
// Function: ChainGetAuthRootAutoUpdateStatus
//
// Synopsis: return status bits specifying if the root is
// trusted via the AuthRoot Auto Update CTL.
//
// Leaves the engine's critical section to URL retrieve and
// validate the CTL. Also leaves critical section to
// add the cert to the AuthRoot store via crypt32 service.
// If the engine was touched by another thread,
// it fails with LastError set to ERROR_CAN_NOT_COMPLETE.
//
// Assumption: Chain engine is locked once in the calling thread.
//
// Only returns FALSE, if the engine was touched when
// leaving the critical section.
//
//----------------------------------------------------------------------------
BOOL WINAPIChainGetAuthRootAutoUpdateStatus ( IN PCCHAINCALLCONTEXT pCallContext, IN PCCERTOBJECT pCertObject, IN OUT DWORD *pdwIssuerStatusFlags ){ BOOL fTouchedResult = TRUE; BOOL fResult; PCCERTCHAINENGINE pChainEngine = pCallContext->ChainEngine(); PCCERT_CONTEXT pCert = pCertObject->CertContext(); PCCTL_CONTEXT pCtl = NULL; PCTL_ENTRY pCtlEntry; PCERT_BASIC_CONSTRAINTS2_INFO pBasicConstraintsInfo;
DWORD i; DWORD cbData; BYTE rgbSha1Hash[SHA1_HASH_LEN];
// Check if the root has an end entity basic constraint. These can't
// be used for roots.
pBasicConstraintsInfo = pCertObject->BasicConstraintsInfo(); if (pBasicConstraintsInfo && !pBasicConstraintsInfo->fCA) return TRUE;
// Check if a known invalid root, such as, expired timestamp
// root or the "Root Agency" test root. Don't want all clients in the
// world hiting the wire for these guys.
cbData = SHA1_HASH_LEN; if (!CertGetCertificateContextProperty( pCert, CERT_SHA1_HASH_PROP_ID, rgbSha1Hash, &cbData ) || SHA1_HASH_LEN != cbData) goto GetSha1HashPropertyError;
for (i = 0; i < AUTH_ROOT_INVALID_LIST_CNT; i++) { if (0 == memcmp(AuthRootInvalidList[i], rgbSha1Hash, SHA1_HASH_LEN)) return TRUE; }
// Check if this certificate has an associated private key. Such
// certificates are generated by EFS.
cbData = 0; if (CertGetCertificateContextProperty( pCert, CERT_KEY_PROV_INFO_PROP_ID, NULL, // pbData
&cbData) && 0 < cbData) return TRUE;
fTouchedResult = pChainEngine->GetAuthRootAutoUpdateCtl( pCallContext, &pCtl );
if (!fTouchedResult || NULL == pCtl) {
#if 0
// This logs too many test failures
if (fTouchedResult) { PAUTH_ROOT_AUTO_UPDATE_INFO pInfo = pChainEngine->AuthRootAutoUpdateInfo();
if (NULL == pInfo || !(pInfo->dwFlags & CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_UNTRUSTED_ROOT_LOGGING_FLAG)) IPR_LogCertInformation( MSG_UNTRUSTED_ROOT_INFORMATIONAL, pCert, FALSE // fFormatIssuerName
); }#endif
return fTouchedResult; }
if (NULL == (pCtlEntry = CertFindSubjectInCTL( pCert->dwCertEncodingType, CTL_CERT_SUBJECT_TYPE, (void *) pCert, pCtl, 0 // dwFlags
))) {
#if 0
// This logs too many test failures
PAUTH_ROOT_AUTO_UPDATE_INFO pInfo = pChainEngine->AuthRootAutoUpdateInfo();
if (NULL == pInfo || !(pInfo->dwFlags & CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_UNTRUSTED_ROOT_LOGGING_FLAG)) IPR_LogCertInformation( MSG_UNTRUSTED_ROOT_INFORMATIONAL, pCert, FALSE // fFormatIssuerName
);#endif
goto CommonReturn; }
// Check if a remove entry
if (CertFindAttribute( szOID_REMOVE_CERTIFICATE, pCtlEntry->cAttribute, pCtlEntry->rgAttribute )) goto CommonReturn;
pChainEngine->UnlockEngine(); fResult = IPR_AddCertInAuthRootAutoUpdateCtl(pCert, pCtl); pChainEngine->LockEngine(); if (pCallContext->IsTouchedEngine()) { fTouchedResult = FALSE; goto TouchedDuringAddAuthRootInCtl; }
if (fResult && CertSetCertificateContextPropertiesFromCTLEntry( pCert, pCtlEntry, CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG )) *pdwIssuerStatusFlags |= CERT_ISSUER_TRUSTED_ROOT_FLAG;
CommonReturn: if (pCtl) CertFreeCTLContext(pCtl);
return fTouchedResult;ErrorReturn: goto CommonReturn;
TRACE_ERROR(GetSha1HashPropertyError)SET_ERROR(TouchedDuringAddAuthRootInCtl, ERROR_CAN_NOT_COMPLETE)}
|
