|
|
/////////////////////////////////////////////////////////////////////////////
// FILE : sgccheck.c //
// DESCRIPTION : Code to check if SGC is enabled //
// AUTHOR : jeffspel //
// HISTORY : //
// Jun 16 1998 jeffspel Create //
// Nov 16 1998 jbanes Pluggable SGC roots. //
// //
// Copyright (C) 1998 Microsoft Corporation All Rights Reserved //
/////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <windef.h>
#include <wincrypt.h>
#include <sgccheck.h>
#define SGCAlloc(cb) LocalAlloc(LMEM_ZEROINIT, cb)
#define SGCFree(pb) LocalFree(pb)
//#define SGC_TEST_KEY // COMMENT OUT THIS LINE BEFORE CHECKING IN!!!
#ifdef SGC_TEST_KEY
#pragma message ("WARNING -- Building with SGC Test Key enabled.")
#endif
#define SGC_VERIFICATION_FLAGS (CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG)
// Geneva SGC Root
static CONST BYTE GenevaSGCRoot[] = { 0x30, 0x82, 0x03, 0x0a, 0x30, 0x82, 0x01, 0xf2, // 0...0...
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0a, 0x20, // .......
0x9d, 0x11, 0xd1, 0x0e, 0x7f, 0x7b, 0x85, 0x74, // .....{.t
0x80, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, // .0...*.H
0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, // ........
0x30, 0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, // 0.1.0...
0x55, 0x04, 0x03, 0x13, 0x12, 0x52, 0x6f, 0x6f, // U....Roo
0x74, 0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, // t SGC Au
0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, // thority0
0x1e, 0x17, 0x0d, 0x39, 0x37, 0x30, 0x38, 0x30, // ...97080
0x36, 0x31, 0x37, 0x31, 0x34, 0x34, 0x37, 0x5a, // 6171447Z
0x17, 0x0d, 0x31, 0x30, 0x30, 0x31, 0x30, 0x31, // ..100101
0x30, 0x37, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, // 070000Z0
0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, // .1.0...U
0x04, 0x03, 0x13, 0x12, 0x52, 0x6f, 0x6f, 0x74, // ....Root
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x82, // hority0.
0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, // ."0...*.
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, // H.......
0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, // ......0.
0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xec, // ........
0x55, 0x5d, 0x0f, 0xaf, 0x6c, 0x5b, 0xa5, 0x21, // U]..l[.!
0xe5, 0x81, 0xbc, 0x0d, 0x96, 0xee, 0xb4, 0x63, // .......c
0xbc, 0x4c, 0x14, 0x68, 0x6d, 0xfe, 0xd7, 0x64, // .L.hm..d
0x2d, 0xe7, 0x59, 0x9d, 0x8e, 0x20, 0x9c, 0x1c, // -.Y.. ..
0xb1, 0x18, 0x39, 0x38, 0x80, 0xc6, 0x08, 0xa6, // ..98....
0x65, 0x39, 0x6c, 0x0a, 0x86, 0x6c, 0x8b, 0x6a, // e9l..l.j
0xaa, 0x4a, 0x7a, 0xb4, 0xe5, 0x23, 0x7b, 0x9c, // .Jz..#{.
0xa2, 0x88, 0x81, 0xa5, 0x2c, 0x9f, 0x2e, 0xce, // ....,...
0x56, 0xd8, 0x69, 0xc7, 0xd7, 0x54, 0xf8, 0xdd, // V.i..T..
0xab, 0x9b, 0xc7, 0xba, 0x8e, 0xe7, 0x60, 0x1c, // ......`.
0x45, 0x20, 0x09, 0x9d, 0x00, 0x25, 0x16, 0x15, // E ...%..
0xe0, 0x40, 0x2c, 0xf2, 0xac, 0xfa, 0x1f, 0xf8, // .@,.....
0x6d, 0x5e, 0xda, 0xbb, 0x14, 0xaf, 0x4c, 0x82, // m^....L.
0xf3, 0x5d, 0x81, 0xcb, 0xef, 0xcd, 0xa8, 0x0f, // .]......
0xf1, 0xec, 0xa5, 0xa3, 0x44, 0x94, 0x69, 0x7a, // ....D.iz
0x88, 0xec, 0xa9, 0x18, 0xf3, 0xac, 0x38, 0xe6, // ......8.
0xe7, 0xe0, 0xe1, 0x11, 0xa8, 0xa5, 0x5f, 0x18, // ......_.
0x00, 0x72, 0xd0, 0x00, 0x9e, 0x12, 0x89, 0x50, // .r.....P
0x96, 0x20, 0xdb, 0xcd, 0x63, 0xe7, 0xb3, 0xc0, // . ..c...
0xfa, 0x54, 0xa1, 0xe7, 0x4a, 0x74, 0x5d, 0xcd, // .T..Jt].
0x4a, 0x2f, 0x4c, 0x44, 0xa3, 0xdc, 0x40, 0xad, // J/LD..@.
0xe7, 0xdc, 0x4d, 0x9b, 0x2a, 0x55, 0x13, 0x0b, // ..M.*U..
0x4d, 0x4f, 0x3d, 0xc3, 0x02, 0xac, 0xd2, 0x03, // MO=.....
0x70, 0x0a, 0x48, 0xa9, 0x96, 0x5b, 0x04, 0x57, // p.H..[.W
0xb9, 0xe2, 0x5a, 0x04, 0x5e, 0xcf, 0x6f, 0x4e, // ..Z.^.oN
0x4c, 0xf3, 0x8e, 0xa2, 0xd0, 0xd9, 0xcb, 0x01, // L.......
0xbc, 0x8c, 0x14, 0xd5, 0x08, 0xfc, 0x18, 0x08, // ........
0xc1, 0x65, 0x83, 0x3f, 0x0e, 0xa4, 0x17, 0x1c, // .e.?....
0x6e, 0x45, 0x0a, 0xef, 0x1d, 0x40, 0xc4, 0x7b, // nE...@.{
0x6a, 0x7e, 0x5d, 0xa6, 0xde, 0x97, 0x22, 0x7b, // j~]..."{
0x67, 0xbf, 0xc0, 0xa2, 0x83, 0x39, 0xb6, 0xf6, // g....9..
0x15, 0x16, 0xc6, 0x6f, 0x09, 0x61, 0xb1, 0x02, // ...o.a..
0x03, 0x01, 0x00, 0x01, 0xa3, 0x4c, 0x30, 0x4a, // .....L0J
0x30, 0x48, 0x06, 0x03, 0x55, 0x1d, 0x01, 0x04, // 0H..U...
0x41, 0x30, 0x3f, 0x80, 0x10, 0x0d, 0x27, 0x29, // A0?...')
0xe4, 0x05, 0x2a, 0x97, 0xb4, 0x77, 0x58, 0x35, // ..*..wX5
0x47, 0x93, 0x2d, 0x06, 0xb8, 0xa1, 0x1f, 0x30, // G.-....0
0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, // .1.0...U
0x04, 0x03, 0x13, 0x12, 0x52, 0x6f, 0x6f, 0x74, // ....Root
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x82, 0x0a, // hority..
0x20, 0x9d, 0x11, 0xd1, 0x0e, 0x7f, 0x7b, 0x85, // .....{.
0x74, 0x80, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, // t.0...*.
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, // H.......
0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x2b, 0x02, // ......+.
0x2b, 0x37, 0x66, 0xa5, 0xd1, 0x8c, 0x3e, 0x20, // +7f...>
0x08, 0x1a, 0x0c, 0xb7, 0xf5, 0x63, 0xcb, 0xc6, // .....c..
0xdd, 0x9b, 0x62, 0x52, 0x32, 0xbc, 0x33, 0x74, // ..bR2.3t
0x7a, 0xde, 0xb0, 0x80, 0x05, 0xfa, 0xe5, 0xb5, // z.......
0xe4, 0xf7, 0xf1, 0xd7, 0xa0, 0x95, 0x5c, 0x6c, // .......l
0x05, 0x9b, 0x2f, 0x03, 0x4b, 0xb7, 0x8a, 0x95, // ../.K...
0x0e, 0xb0, 0x06, 0x80, 0xa0, 0x2a, 0x1b, 0xa4, // .....*..
0x09, 0x58, 0xbd, 0x87, 0xd4, 0x38, 0x44, 0xb4, // .X...8D.
0x71, 0x7b, 0xfb, 0x74, 0xa2, 0x89, 0x48, 0xe6, // q{.t..H.
0x5f, 0xab, 0x9a, 0xa4, 0x0a, 0x38, 0xcc, 0x57, // _....8.W
0xa1, 0x14, 0x2c, 0x5c, 0xee, 0xc2, 0x13, 0x81, // ..,.....
0x00, 0xc3, 0x2d, 0xb1, 0x70, 0xde, 0x9f, 0xb1, // ..-.p...
0x70, 0x43, 0x7e, 0x22, 0xa0, 0x77, 0x96, 0xc8, // pC~".w..
0xdf, 0x99, 0xdc, 0xa6, 0x4e, 0xb3, 0xb5, 0x74, // ....N..t
0x34, 0x13, 0x12, 0x24, 0xa2, 0x6b, 0x95, 0x80, // 4..$.k..
0xcf, 0xaa, 0x4a, 0x68, 0xb1, 0x77, 0x27, 0x98, // ..Jh.w'.
0xef, 0xaa, 0x62, 0xd3, 0x22, 0x81, 0x33, 0x2b, // ..b.".3+
0x12, 0x50, 0xef, 0x16, 0x86, 0xe6, 0x9a, 0x5a, // .P.....Z
0x73, 0x89, 0x6d, 0x83, 0xf2, 0x08, 0xa3, 0x13, // s.m.....
0xab, 0x05, 0xd5, 0x6e, 0x68, 0xf6, 0x90, 0xa4, // ...nh...
0x4a, 0x9f, 0x7c, 0x4c, 0x5d, 0x8f, 0x58, 0xf3, // J.|L].X.
0x11, 0x4c, 0xc7, 0x08, 0x51, 0xea, 0x76, 0xd1, // .L..Q.v.
0xb5, 0x55, 0x32, 0x3f, 0xff, 0x67, 0xef, 0x35, // .U2?.g.5
0x8c, 0x89, 0xd3, 0xc6, 0x75, 0x15, 0x68, 0x9f, // ....u.h.
0x67, 0x46, 0x9c, 0x94, 0x41, 0xf5, 0x76, 0x51, // gF..A.vQ
0x86, 0xac, 0x91, 0x75, 0xec, 0xb6, 0xf7, 0x00, // ...u....
0x40, 0x5b, 0xfe, 0x61, 0xd8, 0x33, 0x2d, 0x37, // @[.a.3-7
0x65, 0x8b, 0x94, 0xd9, 0x97, 0x21, 0x15, 0x2c, // e....!.,
0x13, 0x49, 0xff, 0xde, 0xb7, 0x83, 0xd9, 0xae, // .I......
0xc4, 0xce, 0x24, 0xb2, 0x50, 0xdf, 0x75, 0x14, // ..$.P.u.
0x12, 0x8c, 0x46, 0xa4, 0xac, 0xef, 0x4c, 0x72, // ..F...Lr
0x00, 0x00, 0xe1, 0x4c, 0x8e, 0xee }; // ...L..
// Versign Class 3 SGC Root
static CONST BYTE VSCLASS3ROOT[] = { 0x30, 0x82, 0x02, 0x31, 0x30, 0x82, 0x01, 0x9a, 0x02, 0x05, 0x02, 0xa1, 0x00, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x39, 0x36, 0x30, 0x31, 0x32, 0x39, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x5c, 0x59, 0x9e, 0xf2, 0x1b, 0x8a, 0x01, 0x14, 0xb4, 0x10, 0xdf, 0x04, 0x40, 0xdb, 0xe3, 0x57, 0xaf, 0x6a, 0x45, 0x40, 0x8f, 0x84, 0x0c, 0x0b, 0xd1, 0x33, 0xd9, 0xd9, 0x11, 0xcf, 0xee, 0x02, 0x58, 0x1f, 0x25, 0xf7, 0x2a, 0xa8, 0x44, 0x05, 0xaa, 0xec, 0x03, 0x1f, 0x78, 0x7f, 0x9e, 0x93, 0xb9, 0x9a, 0x00, 0xaa, 0x23, 0x7d, 0xd6, 0xac, 0x85, 0xa2, 0x63, 0x45, 0xc7, 0x72, 0x27, 0xcc, 0xf4, 0x4c, 0xc6, 0x75, 0x71, 0xd2, 0x39, 0xef, 0x4f, 0x42, 0xf0, 0x75, 0xdf, 0x0a, 0x90, 0xc6, 0x8e, 0x20, 0x6f, 0x98, 0x0f, 0xf8, 0xac, 0x23, 0x5f, 0x70, 0x29, 0x36, 0xa4, 0xc9, 0x86, 0xe7, 0xb1, 0x9a, 0x20, 0xcb, 0x53, 0xa5, 0x85, 0xe7, 0x3d, 0xbe, 0x7d, 0x9a, 0xfe, 0x24, 0x45, 0x33, 0xdc, 0x76, 0x15, 0xed, 0x0f, 0xa2, 0x71, 0x64, 0x4c, 0x65, 0x2e, 0x81, 0x68, 0x45, 0xa7, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x75, 0x66, 0x6c, 0x3e, 0xd1, 0xcd, 0x81, 0xdb, 0xb5, 0xf8, 0x2f, 0x36, 0x51, 0xb6, 0xf7, 0x42, 0xbc, 0xcd, 0x42, 0xaf, 0xdc, 0x0e, 0xfa, 0x15, 0x6c, 0xf8, 0x67, 0x93, 0x57, 0x3a, 0xeb, 0xb6, 0x92, 0xe8, 0xb6, 0x01, 0xca, 0x8c, 0xb7, 0x8e, 0x43, 0xb4, 0x49, 0x65, 0xf9, 0x3e, 0xee, 0xbd, 0x75, 0x46, 0x2e, 0xc9, 0xfc, 0x25, 0x5d, 0xa8, 0xc7, 0x2f, 0x8b, 0x9b, 0x8f, 0x68, 0xcf, 0xb4, 0x9c, 0x97, 0x18, 0xc0, 0x4d, 0xef, 0x1f, 0xd9, 0xaf, 0x82, 0xb3, 0xe6, 0x64, 0xb8, 0x84, 0x5c, 0x8a, 0x9a, 0x07, 0x52, 0x43, 0x61, 0xfb, 0x74, 0x9e, 0x5b, 0x3a, 0x36, 0xfc, 0x4c, 0xb2, 0xfc, 0x1a, 0x3f, 0x15, 0x2e, 0xa5, 0x5b, 0x3c, 0x1b, 0x90, 0xec, 0x88, 0x29, 0xe4, 0x59, 0x16, 0xf9, 0xce, 0x07, 0xad, 0xec, 0xe9, 0xdd, 0xda, 0xd2, 0x31, 0x8a, 0x4f, 0xd6, 0xd8, 0xef, 0x17, 0x8d };
// SGC Test Root
#ifdef SGC_TEST_KEY
static CONST BYTE TestSGCRoot[] = { 0x30, 0x82, 0x01, 0xda, 0x30, 0x82, 0x01, 0x84, // 0...0...
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x46, // .......F
0xeb, 0x72, 0x4f, 0xc0, 0x00, 0x78, 0xab, 0x11, // .rO..x..
0xd2, 0x84, 0xb0, 0x35, 0xb8, 0xe0, 0xb1, 0x30, // ...5...0
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, // ...*.H..
0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x26, // ......0&
0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, // 1$0"..U.
0x03, 0x13, 0x1b, 0x53, 0x63, 0x68, 0x61, 0x6e, // ...Schan
0x6e, 0x65, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, // nel Test
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, // hority0.
0x17, 0x0d, 0x39, 0x38, 0x31, 0x31, 0x32, 0x35, // ..981125
0x32, 0x31, 0x34, 0x35, 0x35, 0x34, 0x5a, 0x17, // 214554Z.
0x0d, 0x33, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, // .3912312
0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x26, // 35959Z0&
0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, // 1$0"..U.
0x03, 0x13, 0x1b, 0x53, 0x63, 0x68, 0x61, 0x6e, // ...Schan
0x6e, 0x65, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, // nel Test
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x5c, // hority0.
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, // 0...*.H.
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, // ........
0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xd1, // K.0H.A..
0x95, 0x8e, 0x14, 0xc9, 0x8b, 0x28, 0x00, 0xd4, // .....(..
0xed, 0x40, 0xb5, 0xd4, 0xec, 0x1f, 0x67, 0xb1, // [email protected].
0xa2, 0xb3, 0x18, 0xca, 0x6b, 0x48, 0x6c, 0x54, // ....kHlT
0xaf, 0xc4, 0x70, 0x3c, 0x6e, 0xee, 0x15, 0xba, // ..p<n...
0x4b, 0xf7, 0x40, 0x93, 0xd3, 0x35, 0x1d, 0x17, // [email protected]..
0x6c, 0xe8, 0x1d, 0x62, 0xec, 0x74, 0x96, 0x48, // l..b.t.H
0x4f, 0x1e, 0xcf, 0xf0, 0x54, 0x2b, 0x30, 0x0b, // O...T+0.
0x66, 0x3a, 0x83, 0x1c, 0x32, 0xda, 0x3d, 0x02, // f:..2.=.
0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8d, 0x30, // .......0
0x81, 0x8a, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x1d, // ..0...U.
0x0a, 0x04, 0x06, 0x30, 0x04, 0x03, 0x02, 0x07, // ...0....
0x80, 0x30, 0x20, 0x06, 0x03, 0x55, 0x1d, 0x25, // .0 ..U.%
0x04, 0x19, 0x30, 0x17, 0x06, 0x0a, 0x2b, 0x06, // ..0...+.
0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x03, // ....7...
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, // ..`.H...
0x42, 0x04, 0x01, 0x30, 0x57, 0x06, 0x03, 0x55, // B..0W..U
0x1d, 0x01, 0x04, 0x50, 0x30, 0x4e, 0x80, 0x10, // ...P0N..
0x35, 0x2f, 0x90, 0xa8, 0x13, 0xd6, 0x82, 0x32, // 5......2
0x85, 0x1a, 0x5d, 0x0f, 0xdc, 0x83, 0xe3, 0x28, // ..]....(
0xa1, 0x28, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, // .(0&1$0"
0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1b, 0x53, // ..U....S
0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x20, // channel
0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x47, 0x43, // Test SGC
0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, // Authori
0x74, 0x79, 0x82, 0x10, 0x46, 0xeb, 0x72, 0x4f, // ty..F.rO
0xc0, 0x00, 0x78, 0xab, 0x11, 0xd2, 0x84, 0xb0, // ..x.....
0x35, 0xb8, 0xe0, 0xb1, 0x30, 0x0d, 0x06, 0x09, // 5...0...
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, // *.H.....
0x04, 0x05, 0x00, 0x03, 0x41, 0x00, 0x65, 0x35, // ....A.e5
0x80, 0xaf, 0xa3, 0xba, 0x5d, 0x13, 0xcd, 0x86, // ....]...
0xad, 0xda, 0x06, 0xb6, 0xb3, 0x51, 0xf4, 0x71, // .....Q.q
0x4a, 0x0b, 0xd2, 0xc1, 0x91, 0x13, 0xc3, 0x0c, // J.......
0xd7, 0xb7, 0x9f, 0xa6, 0x3c, 0x04, 0xfa, 0xb7, // ....<...
0x97, 0x94, 0x64, 0xf0, 0x5b, 0xab, 0x65, 0x3b, // ..d.[.e;
0x88, 0x95, 0x59, 0x4c, 0x18, 0x11, 0xc4, 0xac, // ..YL....
0x5c, 0x6e, 0x31, 0xf0, 0xdd, 0x74, 0xc1, 0x55, // .n1..t.U
0x7e, 0x7f, 0x66, 0xf4, 0x8a, 0x57 }; // ~.f..W
#endif // SGC_TEST_KEY
typedef struct SGC_ROOT{ CONST BYTE * pbCert; DWORD cbCert; PCCERT_CONTEXT pCertContext;} SGC_ROOT, *PSGC_ROOT;
static SGC_ROOT SGCRoots[] = { { GenevaSGCRoot, sizeof(GenevaSGCRoot), NULL }, { VSCLASS3ROOT, sizeof(VSCLASS3ROOT), NULL },#ifdef SGC_TEST_KEY
{ TestSGCRoot, sizeof(TestSGCRoot), NULL }#endif // SGC_TEST_KEY
};
static CONST DWORD SGCRootCount = sizeof(SGCRoots) / sizeof(SGC_ROOT);
static CONST LPCSTR rgSGCExtensions[] = { szOID_SGC_NETSCAPE, szOID_SERVER_GATED_CRYPTO };
static CONST CERT_ENHKEY_USAGE SGCExtensions = { sizeof(rgSGCExtensions)/sizeof(LPSTR), (LPSTR *)rgSGCExtensions };
//
// Load root certs
//
DWORDLoadSGCRoots( IN CRITICAL_SECTION *pCritSec) // must be initialized
{ DWORD dwReturn = ERROR_INTERNAL_ERROR; BOOL fInCritSec = FALSE; BOOL fLoadRoots = FALSE; DWORD i;
// check if the Roots are already loaded
for (i = 0; i < SGCRootCount; i++) { if (SGCRoots[i].pCertContext == NULL) { fLoadRoots = TRUE; break; } } if (!fLoadRoots) { dwReturn = ERROR_SUCCESS; goto ErrorExit; }
// wrap with a try since there is a critical sections in here
__try { // take the critical section
EnterCriticalSection(pCritSec); fInCritSec = TRUE;
for (i = 0; i < SGCRootCount; i++) { if (SGCRoots[i].pCertContext == NULL) {
SGCRoots[i].pCertContext = CertCreateCertificateContext( X509_ASN_ENCODING, SGCRoots[i].pbCert, SGCRoots[i].cbCert); if (NULL == SGCRoots[i].pCertContext) { dwReturn = GetLastError(); goto ErrorExit; } } }
} __except ( EXCEPTION_EXECUTE_HANDLER ) { // ?BUGBUG? Could be resource exhaustion
dwReturn = ERROR_INVALID_PARAMETER; goto ErrorExit; }
dwReturn = ERROR_SUCCESS;
ErrorExit: if (fInCritSec) LeaveCriticalSection(pCritSec); return dwReturn;}
//
// delete the public key values
//
voidSGCDeletePubKeyValues( IN OUT BYTE **ppbKeyMod, IN OUT DWORD *pcbKeyMod, IN OUT DWORD *pdwKeyExpo){ if (*ppbKeyMod) SGCFree(*ppbKeyMod); *ppbKeyMod = NULL; *pcbKeyMod = 0; *pdwKeyExpo = 0;}
//
// get the public key form the cert context and assign it to the
// passed in parameters
//
DWORDSGCAssignPubKey( IN PCCERT_CONTEXT pCertContext, IN OUT BYTE **ppbKeyMod, IN OUT DWORD *pcbKeyMod, IN OUT DWORD *pdwKeyExpo){ DWORD dwReturn = ERROR_INTERNAL_ERROR; BLOBHEADER *pBlob = NULL; DWORD cbBlob = 0; RSAPUBKEY *pRSAPubKey; BYTE *pb;
// decode the public key from the cert into a PUBLICKEYBLOB
if (!CryptDecodeObject(X509_ASN_ENCODING, RSA_CSP_PUBLICKEYBLOB, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData, 0, NULL, &cbBlob)) { dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
goto ErrorExit; }
pBlob = (BLOBHEADER*)SGCAlloc(cbBlob); if (NULL == pBlob) { dwReturn = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
if (!CryptDecodeObject(X509_ASN_ENCODING, RSA_CSP_PUBLICKEYBLOB, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData, 0, pBlob, &cbBlob)) { dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
goto ErrorExit; }
pRSAPubKey = (RSAPUBKEY*)((BYTE*)pBlob + sizeof(BLOBHEADER));
// delete any old public key info
SGCDeletePubKeyValues(ppbKeyMod, pcbKeyMod, pdwKeyExpo);
// assign public key values
*pdwKeyExpo = pRSAPubKey->pubexp; *pcbKeyMod = pRSAPubKey->bitlen / 8; *ppbKeyMod = (BYTE*)SGCAlloc(*pcbKeyMod); if (NULL == *ppbKeyMod) { dwReturn = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
pb = (BYTE*)pRSAPubKey + sizeof(RSAPUBKEY); memcpy(*ppbKeyMod, pb, *pcbKeyMod);
dwReturn = ERROR_SUCCESS;
ErrorExit: if (pBlob) SGCFree(pBlob); return dwReturn;}
//
// check if the passed in public key matches the one in the cert
//
static DWORDSamePublicKey( IN PCCERT_CONTEXT pCertContext, IN BYTE *pbExchKeyMod, IN DWORD cbExchKeyMod, IN DWORD dwExchKeyExpo){ DWORD dwReturn = ERROR_INTERNAL_ERROR; BLOBHEADER *pBlob = NULL; DWORD cbBlob = 0; RSAPUBKEY *pRSAPubKey; BYTE *pb;
// decode the public key from the cert into a PUBLICKEYBLOB
if (!CryptDecodeObject(X509_ASN_ENCODING, RSA_CSP_PUBLICKEYBLOB, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData, 0, NULL, &cbBlob)) { dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
goto ErrorExit; }
pBlob = (BLOBHEADER*)SGCAlloc(cbBlob); if (NULL == pBlob) { dwReturn = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
if (!CryptDecodeObject(X509_ASN_ENCODING, RSA_CSP_PUBLICKEYBLOB, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData, pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData, 0, pBlob, &cbBlob)) { dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
goto ErrorExit; }
pRSAPubKey = (RSAPUBKEY*)((BYTE*)pBlob + sizeof(BLOBHEADER));
// check the length of the modulus and the exponent
if (((pRSAPubKey->bitlen / 8) != cbExchKeyMod) || (pRSAPubKey->pubexp != dwExchKeyExpo)) { dwReturn = (DWORD)NTE_BAD_DATA; goto ErrorExit; }
// check that the modulus values match
pb = (BYTE*)pRSAPubKey + sizeof(RSAPUBKEY); if (0 != memcmp(pbExchKeyMod, pb, cbExchKeyMod)) { dwReturn = (DWORD)NTE_BAD_DATA; goto ErrorExit; }
dwReturn = ERROR_SUCCESS;
ErrorExit: if (pBlob) SGCFree(pBlob); return dwReturn;}
static DWORDReadSgcExtensions( PCCERT_CONTEXT pCertContext){ PCERT_EXTENSION pExt; PCTL_USAGE pUsage = NULL; DWORD cbUsage; DWORD dwSGCFlags = 0; DWORD i;
pExt = CertFindExtension(szOID_ENHANCED_KEY_USAGE, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension); if (pExt == NULL) goto cleanup;
if (!CryptDecodeObject(X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE, pExt->Value.pbData, pExt->Value.cbData, 0, NULL, &cbUsage)) { goto cleanup; }
pUsage = (PCTL_USAGE)SGCAlloc(cbUsage); if (pUsage == NULL) goto cleanup;
if (!CryptDecodeObject(X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE, pExt->Value.pbData, pExt->Value.cbData, 0, pUsage, &cbUsage)) { goto cleanup; }
for (i = 0; i < pUsage->cUsageIdentifier; i++) { if (0 == strcmp(pUsage->rgpszUsageIdentifier[i], szOID_SGC_NETSCAPE)) { dwSGCFlags |= CRYPT_SGC; } else if (0 == strcmp(pUsage->rgpszUsageIdentifier[i], szOID_SERVER_GATED_CRYPTO)) { dwSGCFlags |= CRYPT_FASTSGC | CRYPT_SGC; } }
cleanup: if (pUsage) SGCFree(pUsage); return dwSGCFlags;}
//+---------------------------------------------------------------------------
//
// Function: FindBridgeCertificate
//
// Synopsis: Search the specified certificate store for a valid SGC
// bridge certificate.
//
// Arguments: [hCAStore] -- Certificate store to search. This is
// typically the CA store.
//
// [pChainContext] -- Certificate chain for which we are finding
// a bridge certificate. The bridge cert
// may branch off of any certificate in the
// chain.
//
// [pRootContext] -- Handle to baked-in SGC root certificate
// (typically Geneva).
//
// History: 11-16-98 jbanes Created
//
// Notes: An SGC bridge certificate is defined as a certificate with a
// SUBJECT equal to the ISSUER in one of the 'pChainContext'
// certificates. To be valid, the bridge certificate must
// contain at least one SGC EKU and it must chain up to a
// baked-in SGC root certificate.
//
// Returns: TRUE if a valid SGC bridge cert was found, and FALSE
// otherwise.
//
//----------------------------------------------------------------------------
static BOOLFindBridgeCertificate( IN HCERTSTORE hCAStore, IN PCCERT_CHAIN_CONTEXT pChainContext, IN PCCERT_CONTEXT pRootContext){ PCERT_SIMPLE_CHAIN pSimpleChain; PCCERT_CONTEXT pCurrent = NULL; PCCERT_CONTEXT pCurrentCA = NULL; PCCERT_CHAIN_CONTEXT pCAChainContext = NULL; CERT_CHAIN_PARA ChainPara; CERT_TRUST_STATUS TrustStatus; BOOL fFound; DWORD i; BOOL fRet = FALSE; DWORD dwFlags;
//
// Enumerate all of the certificates in the CA store that contain
// one of the SGC extensions.
//
pCurrent = NULL;
for (;;) { // Find an SGC intermediate certificate.
pCurrentCA = CertFindCertificateInStore( hCAStore, X509_ASN_ENCODING, CERT_FIND_OR_ENHKEY_USAGE_FLAG, CERT_COMPARE_ENHKEY_USAGE, &SGCExtensions, pCurrentCA); if (pCurrentCA == NULL) break;
//
// Is this CA certificate a bridge for any of the certificates in the
// passed in certificate chain?
//
fFound = FALSE; pSimpleChain = pChainContext->rgpChain[0];
for (i = 0; i < pSimpleChain->cElement; i++) { pCurrent = pSimpleChain->rgpElement[i]->pCertContext;
if (ReadSgcExtensions(pCurrent) == 0) { // This certificate doesn't contain any SGC certificate
// extensions, so skip the rest of this chain.
break; }
if (CertCompareCertificateName(X509_ASN_ENCODING, &pCurrentCA->pCertInfo->Subject, &pCurrent->pCertInfo->Issuer)) { // The names match. Now check the signature.
dwFlags = SGC_VERIFICATION_FLAGS;
if (!CertVerifySubjectCertificateContext(pCurrent, pCurrentCA, &dwFlags)) { // Error checking signature.
continue; } if (dwFlags & SGC_VERIFICATION_FLAGS) { // Signature did not verify or certificate expired.
continue; }
fFound = TRUE; break; } } if (!fFound) continue;
//
// Does this CA certificate chain up to Geneva?
//
ZeroMemory(&ChainPara, sizeof(ChainPara)); ChainPara.cbSize = sizeof(ChainPara);
if (!CertGetCertificateChain(NULL, pCurrentCA, NULL, hCAStore, &ChainPara, 0, NULL, &pCAChainContext)) { // Error building chain.
continue; }
pSimpleChain = pCAChainContext->rgpChain[0];
for (i = 0; i < pSimpleChain->cElement; i++) { pCurrent = pSimpleChain->rgpElement[i]->pCertContext;
// Determine if certificate is signed correctly.
TrustStatus = pSimpleChain->rgpElement[i]->TrustStatus; if (0 != (TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID)) { break; }
// Is issuer Geneva?
if (CertCompareCertificateName(pCurrent->dwCertEncodingType, &pCurrent->pCertInfo->Issuer, &pRootContext->pCertInfo->Subject)) { // Verify the signature of the current certificate using the
// validated root certificate from the schannel resource.
dwFlags = SGC_VERIFICATION_FLAGS; if (!CertVerifySubjectCertificateContext(pCurrent, pRootContext, &dwFlags)) { break; } if (dwFlags & SGC_VERIFICATION_FLAGS) break;
fRet = TRUE; goto ErrorExit; } } }
ErrorExit: if (pCurrentCA) CertFreeCertificateContext(pCurrentCA); if (pCAChainContext) CertFreeCertificateChain(pCAChainContext); return fRet;}
//
// check if the context may be SGC enabled
//
DWORDSPQueryCFLevel( IN PCCERT_CONTEXT pCertContext, IN BYTE *pbExchKeyMod, IN DWORD cbExchKeyMod, IN DWORD dwExchKeyExpo, OUT DWORD *pdwSGCFlags){ DWORD dwReturn = ERROR_INTERNAL_ERROR; DWORD i, j;
PCCERT_CHAIN_CONTEXT pChainContext = NULL; CERT_CHAIN_PARA ChainPara; PCERT_SIMPLE_CHAIN pSimpleChain; CERT_TRUST_STATUS TrustStatus; HCERTSTORE hCAStore = NULL;
PCCERT_CONTEXT pCurrent = NULL; PCCERT_CONTEXT pIssuer = NULL; DWORD dwFlags; DWORD dwSgcFlags; DWORD dwSts;
*pdwSGCFlags = 0;
//
// check if the passed in public key matches the one in the cert
//
if (pbExchKeyMod) { dwSts = SamePublicKey(pCertContext, pbExchKeyMod, cbExchKeyMod, dwExchKeyExpo); if (ERROR_SUCCESS != dwSts) { dwReturn = dwSts; goto ErrorExit; } }
//
// Does the leaf certificate contain any SGC extensions?
//
dwSgcFlags = ReadSgcExtensions(pCertContext);
if (dwSgcFlags == 0) { // No SGC extensions found.
dwReturn = ERROR_SUCCESS; goto ErrorExit; }
//
// Build a certificate chain.
//
ZeroMemory(&ChainPara, sizeof(ChainPara)); ChainPara.cbSize = sizeof(ChainPara);
*pdwSGCFlags = 0;
if (!CertGetCertificateChain( NULL, pCertContext, NULL, pCertContext->hCertStore, &ChainPara, 0, NULL, &pChainContext)) { dwReturn = GetLastError(); goto ErrorExit; }
//
// Does the leaf chain directly up to the Geneva root?
//
pSimpleChain = pChainContext->rgpChain[0]; for (i = 0; i < pSimpleChain->cElement; i++) { pCurrent = pSimpleChain->rgpElement[i]->pCertContext;
if (ReadSgcExtensions(pCurrent) == 0) { // This certificate doesn't contain any SGC certificate
// extensions, so skip the rest of this chain.
break; }
TrustStatus = pSimpleChain->rgpElement[i]->TrustStatus; if (0 != (TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID)) { // Certificate is not signed correctly.
dwReturn = (DWORD)NTE_BAD_SIGNATURE; goto ErrorExit; }
// Is Geneva issuer of "pCurrent"?
for (j = 0; j < SGCRootCount; j++) { dwFlags = SGC_VERIFICATION_FLAGS; if (!CertVerifySubjectCertificateContext( pCurrent, SGCRoots[j].pCertContext, &dwFlags)) { continue; }
if (dwFlags & SGC_VERIFICATION_FLAGS) { continue; }
// We made it, so set the SGC flags as appropriate.
*pdwSGCFlags |= dwSgcFlags; dwReturn = ERROR_SUCCESS; goto ErrorExit; } }
//
// Search for bridge certificate.
//
hCAStore = CertOpenSystemStore(0, "CA"); if (NULL == hCAStore) { dwReturn = GetLastError(); goto ErrorExit; }
for (i = 0; i < SGCRootCount; i++) { if (SGCRoots[i].pCertContext != NULL) { if (FindBridgeCertificate(hCAStore, pChainContext, SGCRoots[i].pCertContext)) { // We made it, so set the SGC flags as appropriate.
*pdwSGCFlags |= dwSgcFlags; dwReturn = ERROR_SUCCESS; goto ErrorExit; } } }
dwReturn = (DWORD)NTE_FAIL;
ErrorExit: if (pIssuer) CertFreeCertificateContext(pIssuer); if (pChainContext) CertFreeCertificateChain(pChainContext); if (hCAStore) CertCloseStore(hCAStore, 0); return dwReturn;}
|
