Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

620 lines
18 KiB

  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1997 - 1999
  6. //
  7. // File: usagutil.cpp
  8. //
  9. //--------------------------------------------------------------------------
  10. #include "global.hxx"
  11. #include <dbgdef.h>
  12. extern HINSTANCE HinstDll;
  13. //BOOL CertifiateValidForEnhancedKeyUsage(LPCSTR szEku, PCCERT_CONTEXT pCert);
  14. //BOOL CertifiateValidForEnhancedKeyUsageWithChain(LPCSTR szEku, PCCERT_CONTEXT pCert);
  15. //////////////////////////////////////////////////////////////////////////////////////
  16. //
  17. //////////////////////////////////////////////////////////////////////////////////////
  18. BOOL OIDinArray(LPCSTR pszOID, LPSTR *rgszOIDArray, DWORD cOIDs)
  19. {
  20. DWORD i;
  21. for (i=0; i<cOIDs; i++)
  22. {
  23. if (strcmp(pszOID, rgszOIDArray[i]) == 0)
  24. {
  25. return TRUE;
  26. }
  27. }
  28. return FALSE;
  29. }
  30. //////////////////////////////////////////////////////////////////////////////////////
  31. //
  32. //////////////////////////////////////////////////////////////////////////////////////
  33. BOOL OIDInUsages(PCERT_ENHKEY_USAGE pUsage, LPCSTR pszOID)
  34. {
  35. DWORD i;
  36. // check every extension
  37. for(i=0; i<pUsage->cUsageIdentifier; i++)
  38. {
  39. if(!strcmp(pUsage->rgpszUsageIdentifier[i], pszOID))
  40. break;
  41. }
  42. return (i < pUsage->cUsageIdentifier);
  43. }
  44. //////////////////////////////////////////////////////////////////////////////////////
  45. //
  46. //////////////////////////////////////////////////////////////////////////////////////
  47. static BOOL UsageExists(PCCRYPT_OID_INFO *pCryptOIDInfo, LPSTR pszOID)
  48. {
  49. int i = 0;
  50. while (pCryptOIDInfo[i] != NULL)
  51. {
  52. if (strcmp(pCryptOIDInfo[i]->pszOID, pszOID) == 0)
  53. {
  54. return TRUE;
  55. }
  56. i++;
  57. }
  58. return FALSE;
  59. }
  60. //////////////////////////////////////////////////////////////////////////////////////
  61. //
  62. //////////////////////////////////////////////////////////////////////////////////////
  63. static BOOL WINAPI AddNewOIDToArray(IN LPTSTR pNewOID, IN LPTSTR ** pppOIDs, IN DWORD * pdwOIDs)
  64. {
  65. LPTSTR * ppNewOIDs;
  66. DWORD cNumOIDs = *pdwOIDs;
  67. for (DWORD i = 0; i < cNumOIDs; i++)
  68. {
  69. if (0 == strcmp(pNewOID, (*pppOIDs)[i]))
  70. {
  71. return TRUE;
  72. }
  73. }
  74. if (0 == cNumOIDs)
  75. ppNewOIDs = (LPTSTR *) malloc(sizeof(LPSTR));
  76. else
  77. ppNewOIDs = (LPTSTR *) realloc(*pppOIDs, (cNumOIDs + 1) * sizeof(LPSTR));
  78. if (ppNewOIDs)
  79. {
  80. if (NULL == (ppNewOIDs[cNumOIDs] = (LPSTR) malloc(strlen(pNewOID) + 1)))
  81. {
  82. free(ppNewOIDs);
  83. return FALSE;
  84. }
  85. strcpy(ppNewOIDs[cNumOIDs], pNewOID);
  86. *pppOIDs = ppNewOIDs;
  87. *pdwOIDs = cNumOIDs + 1;
  88. }
  89. return TRUE;
  90. }
  91. //////////////////////////////////////////////////////////////////////////////////////
  92. //
  93. //////////////////////////////////////////////////////////////////////////////////////
  94. BOOL AllocAndReturnKeyUsageList(PCRYPT_PROVIDER_CERT pCryptProviderCert, LPSTR **pKeyUsageOIDs, DWORD *numOIDs)
  95. {
  96. BOOL fRet = TRUE;
  97. DWORD i, j = 0;
  98. PCERT_CHAIN_ELEMENT pChainElement = pCryptProviderCert->pChainElement;
  99. *numOIDs = 0;
  100. *pKeyUsageOIDs = NULL;
  101. if (!pChainElement)
  102. {
  103. goto ErrorCleanUp;
  104. }
  105. //
  106. // For NULL usages, use
  107. //
  108. // szOID_ANY_CERT_POLICY = good for all issuance usages (maps to "All issuance purposes")
  109. // szOID_ANY_APPLICATION_POLICY = good for all application usages (maps to "All application purposes")
  110. //
  111. if (!pChainElement->pIssuanceUsage)
  112. {
  113. //
  114. // Good for all issuance usages.
  115. //
  116. if (!AddNewOIDToArray(szOID_ANY_CERT_POLICY, pKeyUsageOIDs, numOIDs))
  117. {
  118. goto ErrorCleanUp;
  119. }
  120. }
  121. else
  122. {
  123. for (i = 0; i < pChainElement->pIssuanceUsage->cUsageIdentifier; i++)
  124. {
  125. if (!AddNewOIDToArray(pChainElement->pIssuanceUsage->rgpszUsageIdentifier[i], pKeyUsageOIDs, numOIDs))
  126. {
  127. goto ErrorCleanUp;
  128. }
  129. }
  130. }
  131. if (!pChainElement->pApplicationUsage)
  132. {
  133. //
  134. // Good for all application usages.
  135. //
  136. if (!AddNewOIDToArray(szOID_ANY_APPLICATION_POLICY, pKeyUsageOIDs, numOIDs))
  137. {
  138. goto ErrorCleanUp;
  139. }
  140. }
  141. else
  142. {
  143. for (i = 0; i < pChainElement->pApplicationUsage->cUsageIdentifier; i++)
  144. {
  145. if (!AddNewOIDToArray(pChainElement->pApplicationUsage->rgpszUsageIdentifier[i], pKeyUsageOIDs, numOIDs))
  146. {
  147. goto ErrorCleanUp;
  148. }
  149. }
  150. }
  151. CleanUp:
  152. return(fRet);
  153. ErrorCleanUp:
  154. if (*pKeyUsageOIDs != NULL)
  155. {
  156. for (i = 0; i < *numOIDs; i++)
  157. {
  158. if ((*pKeyUsageOIDs)[i])
  159. free((*pKeyUsageOIDs)[i]);
  160. }
  161. *numOIDs = 0;
  162. free(*pKeyUsageOIDs);
  163. *pKeyUsageOIDs = NULL;
  164. }
  165. fRet = FALSE;
  166. goto CleanUp;
  167. }
  168. //////////////////////////////////////////////////////////////////////////////////////
  169. //
  170. //////////////////////////////////////////////////////////////////////////////////////
  171. BOOL AllocAndReturnEKUList(PCCERT_CONTEXT pCert, LPSTR **pKeyUsageOIDs, DWORD *numOIDs)
  172. {
  173. BOOL fRet = TRUE;
  174. DWORD cbExtensionUsage = 0;
  175. PCERT_ENHKEY_USAGE pExtensionUsage = NULL;
  176. DWORD cbPropertyUsage = 0;
  177. PCERT_ENHKEY_USAGE pPropertyUsage = NULL;
  178. DWORD i;
  179. DWORD numPropUsages = 0;
  180. //
  181. // get all of the usages from extensions
  182. //
  183. if(!CertGetEnhancedKeyUsage (
  184. pCert,
  185. CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
  186. NULL,
  187. &cbExtensionUsage
  188. ) ||
  189. (pExtensionUsage = (PCERT_ENHKEY_USAGE) malloc(cbExtensionUsage)) == NULL ||
  190. !CertGetEnhancedKeyUsage (
  191. pCert,
  192. CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
  193. pExtensionUsage,
  194. &cbExtensionUsage
  195. ) ) {
  196. // if not found, then we mean everything is OK
  197. if( GetLastError() == CRYPT_E_NOT_FOUND) {
  198. if(pExtensionUsage != NULL)
  199. free(pExtensionUsage);
  200. pExtensionUsage = NULL;
  201. }
  202. else
  203. goto ErrorCleanUp;
  204. }
  205. //
  206. // get all of the usages from properties
  207. //
  208. if(!CertGetEnhancedKeyUsage (
  209. pCert,
  210. CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG,
  211. NULL,
  212. &cbPropertyUsage
  213. ) ||
  214. (pPropertyUsage = (PCERT_ENHKEY_USAGE) malloc(cbPropertyUsage)) == NULL ||
  215. !CertGetEnhancedKeyUsage (
  216. pCert,
  217. CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG,
  218. pPropertyUsage,
  219. &cbPropertyUsage
  220. ) ) {
  221. // if not found, then we mean everything is OK
  222. if( GetLastError() == CRYPT_E_NOT_FOUND) {
  223. if(pPropertyUsage != NULL)
  224. free(pPropertyUsage);
  225. pPropertyUsage = NULL;
  226. }
  227. else
  228. goto ErrorCleanUp;
  229. }
  230. *numOIDs = 0;
  231. //
  232. // if there are usages in the extensions, then that is the
  233. // available list, otherwise get the global list and add the properties
  234. //
  235. if (pExtensionUsage != NULL)
  236. {
  237. *pKeyUsageOIDs = (LPSTR *) malloc(pExtensionUsage->cUsageIdentifier * sizeof(LPSTR));
  238. if (*pKeyUsageOIDs == NULL)
  239. {
  240. goto ErrorCleanUp;
  241. }
  242. for(i=0; i<pExtensionUsage->cUsageIdentifier; i++)
  243. {
  244. (*pKeyUsageOIDs)[*numOIDs] =
  245. (LPSTR) malloc(strlen(pExtensionUsage->rgpszUsageIdentifier[i])+1);
  246. if ((*pKeyUsageOIDs)[*numOIDs] == NULL)
  247. {
  248. goto ErrorCleanUp;
  249. }
  250. strcpy((*pKeyUsageOIDs)[(*numOIDs)++], pExtensionUsage->rgpszUsageIdentifier[i]);
  251. }
  252. }
  253. else
  254. {
  255. PCCRYPT_OID_INFO *pCryptOIDInfo;
  256. DWORD numUsages = 0;
  257. //
  258. // use WTHelperGetKnownUsages to get the default list
  259. //
  260. if (!WTHelperGetKnownUsages(WTH_ALLOC, &pCryptOIDInfo))
  261. {
  262. goto ErrorCleanUp;
  263. }
  264. //
  265. // count the number of oids
  266. //
  267. i = 0;
  268. while (pCryptOIDInfo[i] != NULL)
  269. {
  270. numUsages++;
  271. i++;
  272. }
  273. //
  274. // if there are properties, then count how many there are that
  275. // are not already in the global list
  276. //
  277. if (pPropertyUsage)
  278. {
  279. for(i=0; i<pPropertyUsage->cUsageIdentifier; i++)
  280. {
  281. if (!UsageExists(pCryptOIDInfo, pPropertyUsage->rgpszUsageIdentifier[i]))
  282. {
  283. numPropUsages++;
  284. }
  285. }
  286. }
  287. *pKeyUsageOIDs = (LPSTR *) malloc((numUsages + numPropUsages) * sizeof(LPSTR));
  288. if (*pKeyUsageOIDs == NULL)
  289. {
  290. goto ErrorCleanUp;
  291. }
  292. i = 0;
  293. while (pCryptOIDInfo[i] != NULL)
  294. {
  295. (*pKeyUsageOIDs)[*numOIDs] =
  296. (LPSTR) malloc(strlen(pCryptOIDInfo[i]->pszOID)+1);
  297. if ((*pKeyUsageOIDs)[*numOIDs] == NULL)
  298. {
  299. WTHelperGetKnownUsages(WTH_FREE, &pCryptOIDInfo);
  300. goto ErrorCleanUp;
  301. }
  302. strcpy((*pKeyUsageOIDs)[(*numOIDs)++], pCryptOIDInfo[i]->pszOID);
  303. i++;
  304. }
  305. //
  306. // add the property usages
  307. //
  308. if (pPropertyUsage)
  309. {
  310. for(i=0; i<pPropertyUsage->cUsageIdentifier; i++)
  311. {
  312. if (!UsageExists(pCryptOIDInfo, pPropertyUsage->rgpszUsageIdentifier[i]))
  313. {
  314. (*pKeyUsageOIDs)[*numOIDs] =
  315. (LPSTR) malloc(strlen(pPropertyUsage->rgpszUsageIdentifier[i])+1);
  316. if ((*pKeyUsageOIDs)[*numOIDs] == NULL)
  317. {
  318. WTHelperGetKnownUsages(WTH_FREE, &pCryptOIDInfo);
  319. goto ErrorCleanUp;
  320. }
  321. strcpy((*pKeyUsageOIDs)[(*numOIDs)++], pPropertyUsage->rgpszUsageIdentifier[i]);
  322. }
  323. }
  324. }
  325. WTHelperGetKnownUsages(WTH_FREE, &pCryptOIDInfo);
  326. }
  327. CleanUp:
  328. if(pExtensionUsage != NULL)
  329. free(pExtensionUsage);
  330. if(pPropertyUsage != NULL)
  331. free(pPropertyUsage);
  332. if ((*numOIDs == 0) && (*pKeyUsageOIDs != NULL))
  333. {
  334. free(*pKeyUsageOIDs);
  335. }
  336. return(fRet);
  337. ErrorCleanUp:
  338. if (*pKeyUsageOIDs != NULL)
  339. {
  340. for(i=0; i<*numOIDs; i++)
  341. {
  342. free(*pKeyUsageOIDs[i]);
  343. }
  344. *numOIDs = 0;
  345. }
  346. fRet = FALSE;
  347. goto CleanUp;
  348. }
  349. //////////////////////////////////////////////////////////////////////////////////////
  350. //
  351. //////////////////////////////////////////////////////////////////////////////////////
  352. void FreeEKUList(LPSTR *pKeyUsageOIDs, DWORD numOIDs)
  353. {
  354. DWORD i;
  355. if (*pKeyUsageOIDs != NULL)
  356. {
  357. for(i=0; i<numOIDs; i++)
  358. {
  359. free(pKeyUsageOIDs[i]);
  360. }
  361. free(pKeyUsageOIDs);
  362. }
  363. }
  364. //////////////////////////////////////////////////////////////////////////////////////
  365. //
  366. //////////////////////////////////////////////////////////////////////////////////////
  367. BOOL MyGetOIDInfo(LPWSTR string, DWORD stringSize, LPSTR pszObjId)
  368. {
  369. PCCRYPT_OID_INFO pOIDInfo;
  370. pOIDInfo = CryptFindOIDInfo(
  371. CRYPT_OID_INFO_OID_KEY,
  372. pszObjId,
  373. 0);
  374. if (pOIDInfo != NULL)
  375. {
  376. if ((DWORD)wcslen(pOIDInfo->pwszName)+1 <= stringSize)
  377. {
  378. wcscpy(string, pOIDInfo->pwszName);
  379. }
  380. else
  381. {
  382. return FALSE;
  383. }
  384. }
  385. else
  386. {
  387. return (MultiByteToWideChar(CP_ACP, 0, pszObjId, -1, string, stringSize) != 0);
  388. }
  389. return TRUE;
  390. }
  391. //////////////////////////////////////////////////////////////////////////////////////
  392. //
  393. //////////////////////////////////////////////////////////////////////////////////////
  394. BOOL fPropertiesDisabled(PCERT_ENHKEY_USAGE pPropertyUsage)
  395. {
  396. if (pPropertyUsage == NULL)
  397. {
  398. return FALSE;
  399. }
  400. else if (pPropertyUsage->cUsageIdentifier == 0)
  401. {
  402. return TRUE;
  403. }
  404. else
  405. {
  406. return ((pPropertyUsage->cUsageIdentifier == 1) &&
  407. (strcmp(szOID_YESNO_TRUST_ATTR, pPropertyUsage->rgpszUsageIdentifier[0]) == 0));
  408. }
  409. }
  410. //////////////////////////////////////////////////////////////////////////////////////
  411. //
  412. //////////////////////////////////////////////////////////////////////////////////////
  413. BOOL CertHasEmptyEKUProp(PCCERT_CONTEXT pCertContext)
  414. {
  415. DWORD cbPropertyUsage = 0;
  416. PCERT_ENHKEY_USAGE pPropertyUsage = NULL;
  417. BOOL fRet = FALSE;
  418. // get the extension usages that are in the cert
  419. if(!CertGetEnhancedKeyUsage (
  420. pCertContext,
  421. CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG,
  422. NULL,
  423. &cbPropertyUsage
  424. ) ||
  425. (pPropertyUsage = (PCERT_ENHKEY_USAGE) malloc(cbPropertyUsage)) == NULL ||
  426. !CertGetEnhancedKeyUsage (
  427. pCertContext,
  428. CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG,
  429. pPropertyUsage,
  430. &cbPropertyUsage
  431. ) )
  432. {
  433. if(GetLastError() == CRYPT_E_NOT_FOUND)
  434. {
  435. return FALSE;
  436. }
  437. }
  438. if (pPropertyUsage == NULL)
  439. {
  440. return FALSE;
  441. }
  442. if ((pPropertyUsage->cUsageIdentifier == 0) ||
  443. ((pPropertyUsage->cUsageIdentifier == 1) && (strcmp(szOID_YESNO_TRUST_ATTR, pPropertyUsage->rgpszUsageIdentifier[0]) == 0)))
  444. {
  445. fRet = TRUE;
  446. }
  447. if (pPropertyUsage != NULL)
  448. {
  449. free(pPropertyUsage);
  450. }
  451. return fRet;
  452. }
  453. //////////////////////////////////////////////////////////////////////////////////////
  454. // This function will validate the cert for the given oid
  455. //////////////////////////////////////////////////////////////////////////////////////
  456. BOOL ValidateCertForUsage(
  457. PCCERT_CONTEXT pCertContext,
  458. FILETIME *psftVerifyAsOf,
  459. DWORD cStores,
  460. HCERTSTORE * rghStores,
  461. HCERTSTORE hExtraStore,
  462. LPCSTR pszOID)
  463. {
  464. WINTRUST_DATA WTD;
  465. WINTRUST_CERT_INFO WTCI;
  466. CRYPT_PROVIDER_DEFUSAGE cryptProviderDefUsage;
  467. GUID defaultProviderGUID = WINTRUST_ACTION_GENERIC_CERT_VERIFY;
  468. BOOL fUseDefaultProvider;
  469. BOOL fRet = FALSE;
  470. HCERTSTORE *rghLocalStoreArray;
  471. DWORD i;
  472. //
  473. // make one array out of the array of hCertStores plus the extra hCertStore
  474. //
  475. if (NULL == (rghLocalStoreArray = (HCERTSTORE *) malloc(sizeof(HCERTSTORE) * (cStores+1))))
  476. {
  477. return FALSE;
  478. }
  479. i=0;
  480. while (i<cStores)
  481. {
  482. rghLocalStoreArray[i] = rghStores[i];
  483. i++;
  484. }
  485. rghLocalStoreArray[i] = hExtraStore;
  486. //
  487. // initialize structs that are used with WinVerifyTrust()
  488. //
  489. memset(&WTD, 0x00, sizeof(WINTRUST_DATA));
  490. WTD.cbStruct = sizeof(WINTRUST_DATA);
  491. WTD.dwUIChoice = WTD_UI_NONE;
  492. WTD.dwUnionChoice = WTD_CHOICE_CERT;
  493. WTD.pCert = &WTCI;
  494. memset(&WTCI, 0x00, sizeof(WINTRUST_CERT_INFO));
  495. WTCI.cbStruct = sizeof(WINTRUST_CERT_INFO);
  496. WTCI.pcwszDisplayName = L"CryptUI";
  497. WTCI.psCertContext = (CERT_CONTEXT *)pCertContext;
  498. WTCI.chStores = cStores+1;
  499. WTCI.pahStores = rghLocalStoreArray;
  500. WTCI.psftVerifyAsOf = psftVerifyAsOf;
  501. fUseDefaultProvider = FALSE;
  502. if (pszOID != NULL)
  503. {
  504. memset(&cryptProviderDefUsage, 0, sizeof(cryptProviderDefUsage));
  505. cryptProviderDefUsage.cbStruct = sizeof(cryptProviderDefUsage);
  506. if (!(WintrustGetDefaultForUsage(DWACTION_ALLOCANDFILL, pszOID, &cryptProviderDefUsage)))
  507. {
  508. // if we can't get a provider to check trust for this usage, then use the default
  509. // provider to check usage
  510. fUseDefaultProvider = TRUE;
  511. }
  512. }
  513. //
  514. // this call to WVT will verify the chain and return the data in sWTD.hWVTStateData
  515. //
  516. if (fUseDefaultProvider)
  517. {
  518. // the default default provider requires the policycallback data to point
  519. // to the usage oid you are validating for, if usage is "all" then wintrust ignores
  520. // usage checks
  521. WTD.pPolicyCallbackData = (pszOID != NULL) ? (void *) pszOID : "all";
  522. WTD.pSIPClientData = NULL;
  523. if (SUCCEEDED(WinVerifyTrustEx(NULL, &defaultProviderGUID, &WTD)))
  524. {
  525. fRet = TRUE;
  526. }
  527. }
  528. else
  529. {
  530. WTD.pPolicyCallbackData = cryptProviderDefUsage.pDefPolicyCallbackData;
  531. WTD.pSIPClientData = cryptProviderDefUsage.pDefSIPClientData;
  532. if (SUCCEEDED(WinVerifyTrustEx(NULL, &cryptProviderDefUsage.gActionID, &WTD)))
  533. {
  534. fRet = TRUE;
  535. }
  536. WintrustGetDefaultForUsage(DWACTION_FREE, szOID_KP_CTL_USAGE_SIGNING, &cryptProviderDefUsage);
  537. }
  538. free(rghLocalStoreArray);
  539. return fRet;
  540. }