Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

638 lines
21 KiB

  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1996 - 1999
  6. //
  7. // File: chainprv.cpp
  8. //
  9. // Contents: Microsoft Internet Security Generic Chain Policy Provider
  10. //
  11. // Functions: GenericChainRegisterServer
  12. // GenericChainUnregisterServer
  13. // GenericChainCertificateTrust
  14. // GenericChainFinalProv
  15. //
  16. // History: 21-Feb-1998 philh created
  17. //
  18. //--------------------------------------------------------------------------
  19. #include "global.hxx"
  20. //////////////////////////////////////////////////////////////////////////////
  21. //
  22. // GenericChainRegisterServer
  23. //----------------------------------------------------------------------------
  24. // Register the GenericChain provider
  25. //
  26. STDAPI GenericChainRegisterServer(void)
  27. {
  28. GUID gGenericChainProv = WINTRUST_ACTION_GENERIC_CHAIN_VERIFY;
  29. BOOL fRet;
  30. CRYPT_REGISTER_ACTIONID sRegAID;
  31. fRet = TRUE;
  32. memset(&sRegAID, 0x00, sizeof(CRYPT_REGISTER_ACTIONID));
  33. sRegAID.cbStruct = sizeof(CRYPT_REGISTER_ACTIONID);
  34. // Authenticode initialization provider
  35. sRegAID.sInitProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  36. sRegAID.sInitProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  37. sRegAID.sInitProvider.pwszFunctionName = SP_INIT_FUNCTION;
  38. // Authenticode object provider
  39. sRegAID.sObjectProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  40. sRegAID.sObjectProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  41. sRegAID.sObjectProvider.pwszFunctionName = SP_OBJTRUST_FUNCTION;
  42. // Authenticode signature provider
  43. sRegAID.sSignatureProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  44. sRegAID.sSignatureProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  45. sRegAID.sSignatureProvider.pwszFunctionName = SP_SIGTRUST_FUNCTION;
  46. //------------------------------------------------------------------------
  47. // Our Generic Chain certificate provider (builds the chain)
  48. //+-----------------------------------------------------------------------
  49. sRegAID.sCertificateProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  50. sRegAID.sCertificateProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  51. sRegAID.sCertificateProvider.pwszFunctionName = GENERIC_CHAIN_CERTTRUST_FUNCTION;
  52. // authenticode cert policy
  53. sRegAID.sCertificatePolicyProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  54. sRegAID.sCertificatePolicyProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  55. sRegAID.sCertificatePolicyProvider.pwszFunctionName = SP_CHKCERT_FUNCTION;
  56. //------------------------------------------------------------------------
  57. // Our Generic Chain final provider (chain policy callback)
  58. //+-----------------------------------------------------------------------
  59. sRegAID.sFinalPolicyProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  60. sRegAID.sFinalPolicyProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  61. sRegAID.sFinalPolicyProvider.pwszFunctionName = GENERIC_CHAIN_FINALPOLICY_FUNCTION;
  62. // Authenticode cleanup -- we don't store any data.
  63. sRegAID.sCleanupProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  64. sRegAID.sCleanupProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  65. sRegAID.sCleanupProvider.pwszFunctionName = SP_CLEANUPPOLICY_FUNCTION;
  66. fRet &= WintrustAddActionID(&gGenericChainProv, 0, &sRegAID);
  67. return((fRet) ? S_OK : S_FALSE);
  68. }
  69. //////////////////////////////////////////////////////////////////////////////
  70. //
  71. // DllUnregisterServer
  72. //----------------------------------------------------------------------------
  73. // unregisters GenericChain provider
  74. //
  75. STDAPI GenericChainUnregisterServer(void)
  76. {
  77. GUID gGenericChainProv = WINTRUST_ACTION_GENERIC_CHAIN_VERIFY;
  78. WintrustRemoveActionID(&gGenericChainProv);
  79. return(S_OK);
  80. }
  81. //////////////////////////////////////////////////////////////////////////////
  82. //
  83. // GenericChainCertificateTrust
  84. //----------------------------------------------------------------------------
  85. // Creates the chains for the signers and counter signers
  86. //
  87. void GenericChainWalkSigner(
  88. IN OUT PCRYPT_PROVIDER_DATA pProvData,
  89. IN OUT PCRYPT_PROVIDER_SGNR pSgnr,
  90. IN PWTD_GENERIC_CHAIN_POLICY_CREATE_INFO pChainInfo
  91. );
  92. HRESULT
  93. WINAPI
  94. GenericChainCertificateTrust(
  95. IN OUT PCRYPT_PROVIDER_DATA pProvData
  96. )
  97. {
  98. HRESULT hr;
  99. WTD_GENERIC_CHAIN_POLICY_DATA DefaultPolicyData;
  100. PWTD_GENERIC_CHAIN_POLICY_DATA pPolicyData;
  101. if (_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct,
  102. fRecallWithState) && pProvData->fRecallWithState == TRUE)
  103. return S_OK;
  104. pPolicyData = (PWTD_GENERIC_CHAIN_POLICY_DATA)
  105. pProvData->pWintrustData->pPolicyCallbackData;
  106. if (NULL == pPolicyData) {
  107. memset(&DefaultPolicyData, 0, sizeof(DefaultPolicyData));
  108. DefaultPolicyData.cbSize = sizeof(DefaultPolicyData);
  109. pPolicyData = &DefaultPolicyData;
  110. }
  111. if (!_ISINSTRUCT(WTD_GENERIC_CHAIN_POLICY_DATA,
  112. pPolicyData->cbSize, pvPolicyArg) ||
  113. !_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, dwProvFlags) ||
  114. (pProvData->dwProvFlags & WTD_USE_IE4_TRUST_FLAG)) {
  115. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  116. ERROR_INVALID_PARAMETER;
  117. return S_FALSE;
  118. }
  119. if (pProvData->csSigners < 1) {
  120. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  121. TRUST_E_NOSIGNATURE;
  122. return S_FALSE;
  123. }
  124. pProvData->dwProvFlags |= CPD_USE_NT5_CHAIN_FLAG;
  125. hr = S_OK;
  126. //
  127. // loop through all signers
  128. //
  129. for (DWORD i = 0; i < pProvData->csSigners; i++) {
  130. PCRYPT_PROVIDER_SGNR pSgnr;
  131. pSgnr = WTHelperGetProvSignerFromChain(pProvData, i, FALSE, 0);
  132. if (pSgnr->csCertChain < 1) {
  133. pSgnr->dwError = TRUST_E_NO_SIGNER_CERT;
  134. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  135. TRUST_E_NO_SIGNER_CERT;
  136. hr = S_FALSE;
  137. continue;
  138. }
  139. GenericChainWalkSigner(
  140. pProvData,
  141. pSgnr,
  142. pPolicyData->pSignerChainInfo
  143. );
  144. //
  145. // loop through all counter signers
  146. //
  147. for (DWORD j = 0; j < pSgnr->csCounterSigners; j++) {
  148. PCRYPT_PROVIDER_SGNR pCounterSgnr;
  149. pCounterSgnr = WTHelperGetProvSignerFromChain(
  150. pProvData, i, TRUE, j);
  151. if (pCounterSgnr->csCertChain < 1) {
  152. pCounterSgnr->dwError = TRUST_E_NO_SIGNER_CERT;
  153. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  154. TRUST_E_COUNTER_SIGNER;
  155. hr = S_FALSE;
  156. continue;
  157. }
  158. GenericChainWalkSigner(
  159. pProvData,
  160. pCounterSgnr,
  161. pPolicyData->pCounterSignerChainInfo
  162. );
  163. }
  164. }
  165. return hr;
  166. }
  167. HCERTSTORE GenericChainGetAdditionalStore(
  168. IN CRYPT_PROVIDER_DATA *pProvData
  169. )
  170. {
  171. if (0 == pProvData->chStores)
  172. return NULL;
  173. if (1 < pProvData->chStores) {
  174. HCERTSTORE hCollectionStore;
  175. if (hCollectionStore = CertOpenStore(
  176. CERT_STORE_PROV_COLLECTION,
  177. 0, // dwEncodingType
  178. 0, // hCryptProv
  179. 0, // dwFlags
  180. NULL // pvPara
  181. )) {
  182. DWORD i;
  183. for (i = 0; i < pProvData->chStores; i++)
  184. CertAddStoreToCollection(
  185. hCollectionStore,
  186. pProvData->pahStores[i],
  187. CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG,
  188. 0 // dwPriority
  189. );
  190. }
  191. return hCollectionStore;
  192. } else
  193. return CertDuplicateStore(pProvData->pahStores[0]);
  194. }
  195. void GenericChainWalkSigner(
  196. IN OUT PCRYPT_PROVIDER_DATA pProvData,
  197. IN OUT PCRYPT_PROVIDER_SGNR pSgnr,
  198. IN PWTD_GENERIC_CHAIN_POLICY_CREATE_INFO pChainInfo
  199. )
  200. {
  201. DWORD dwSgnrError;
  202. WTD_GENERIC_CHAIN_POLICY_CREATE_INFO DefaultChainInfo;
  203. CERT_CHAIN_PARA ChainPara;
  204. HCERTSTORE hAdditionalStore = NULL;
  205. PCCERT_CHAIN_CONTEXT pChainContext;
  206. PCRYPT_PROVIDER_CERT pCert = NULL;
  207. if (pChainInfo) {
  208. if (!_ISINSTRUCT(WTD_GENERIC_CHAIN_POLICY_CREATE_INFO,
  209. pChainInfo->cbSize, pvReserved)) {
  210. dwSgnrError = ERROR_INVALID_PARAMETER;
  211. goto InvalidParameter;
  212. }
  213. } else {
  214. memset(&ChainPara, 0, sizeof(ChainPara));
  215. ChainPara.cbSize = sizeof(ChainPara);
  216. memset(&DefaultChainInfo, 0, sizeof(DefaultChainInfo));
  217. DefaultChainInfo.cbSize = sizeof(DefaultChainInfo);
  218. DefaultChainInfo.pChainPara = &ChainPara;
  219. pChainInfo = &DefaultChainInfo;
  220. }
  221. hAdditionalStore = GenericChainGetAdditionalStore(pProvData);
  222. pCert = WTHelperGetProvCertFromChain(pSgnr, 0);
  223. if (pCert == NULL)
  224. {
  225. // Not really sure what error to put here
  226. pProvData->dwError = E_UNEXPECTED;
  227. dwSgnrError = E_UNEXPECTED;
  228. goto ErrorReturn;
  229. }
  230. if (!CertGetCertificateChain (
  231. pChainInfo->hChainEngine,
  232. pCert->pCert,
  233. &pSgnr->sftVerifyAsOf,
  234. hAdditionalStore,
  235. pChainInfo->pChainPara,
  236. pChainInfo->dwFlags,
  237. pChainInfo->pvReserved,
  238. &pChainContext
  239. )) {
  240. pProvData->dwError = GetLastError();
  241. dwSgnrError = TRUST_E_SYSTEM_ERROR;
  242. goto GetChainError;
  243. }
  244. pSgnr->pChainContext = pChainContext;
  245. CommonReturn:
  246. if (hAdditionalStore)
  247. CertCloseStore(hAdditionalStore, 0);
  248. return;
  249. ErrorReturn:
  250. pSgnr->dwError = dwSgnrError;
  251. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  252. dwSgnrError;
  253. goto CommonReturn;
  254. TRACE_ERROR_EX(DBG_SS, InvalidParameter)
  255. TRACE_ERROR_EX(DBG_SS, GetChainError)
  256. }
  257. //////////////////////////////////////////////////////////////////////////////
  258. //
  259. // Final Policy Provider function: GenericChainFinalProv
  260. //----------------------------------------------------------------------------
  261. // Check the outcome of the previous functions and display UI based on this.
  262. //
  263. DWORD GenericChainGetErrorBasedOnStepErrors(
  264. IN PCRYPT_PROVIDER_DATA pProvData
  265. );
  266. HRESULT
  267. WINAPI
  268. GenericChainDefaultPolicyCallback(
  269. IN PCRYPT_PROVIDER_DATA pProvData,
  270. IN DWORD dwStepError,
  271. IN DWORD dwRegPolicySettings,
  272. IN DWORD cSigner,
  273. IN PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *rgpSigner,
  274. IN void *pvPolicyArg
  275. );
  276. HRESULT
  277. WINAPI
  278. GenericChainFinalProv(
  279. IN OUT PCRYPT_PROVIDER_DATA pProvData
  280. )
  281. {
  282. HRESULT hr;
  283. WTD_GENERIC_CHAIN_POLICY_DATA DefaultPolicyData;
  284. PWTD_GENERIC_CHAIN_POLICY_DATA pPolicyData;
  285. DWORD dwStepError;
  286. DWORD cSigner = 0;
  287. DWORD i;
  288. PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *ppSignerInfo = NULL;
  289. PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO pSignerInfo; // not allocated
  290. PFN_WTD_GENERIC_CHAIN_POLICY_CALLBACK pfnPolicyCallback;
  291. pPolicyData = (PWTD_GENERIC_CHAIN_POLICY_DATA)
  292. pProvData->pWintrustData->pPolicyCallbackData;
  293. if (NULL == pPolicyData) {
  294. memset(&DefaultPolicyData, 0, sizeof(DefaultPolicyData));
  295. DefaultPolicyData.cbSize = sizeof(DefaultPolicyData);
  296. pPolicyData = &DefaultPolicyData;
  297. }
  298. if (!_ISINSTRUCT(WTD_GENERIC_CHAIN_POLICY_DATA,
  299. pPolicyData->cbSize, pvPolicyArg) ||
  300. !_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, dwFinalError) ||
  301. (pProvData->dwProvFlags & WTD_USE_IE4_TRUST_FLAG) ||
  302. 0 == (pProvData->dwProvFlags & CPD_USE_NT5_CHAIN_FLAG))
  303. goto InvalidParameter;
  304. dwStepError = GenericChainGetErrorBasedOnStepErrors(pProvData);
  305. cSigner = pProvData->csSigners;
  306. if (0 == cSigner)
  307. goto NoSignature;
  308. if (NULL == (ppSignerInfo =
  309. (PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *) malloc(
  310. sizeof(PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) * cSigner +
  311. sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) * cSigner)))
  312. goto OutOfMemory;
  313. memset(ppSignerInfo, 0,
  314. sizeof(PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) * cSigner +
  315. sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) * cSigner);
  316. //
  317. // Update allocated info for each signer
  318. //
  319. pSignerInfo = (PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO)
  320. &ppSignerInfo[cSigner];
  321. i = 0;
  322. for ( ; i < cSigner; i++, pSignerInfo++) {
  323. CRYPT_PROVIDER_SGNR *pSgnr;
  324. DWORD cCounterSigner;
  325. ppSignerInfo[i] = pSignerInfo;
  326. pSignerInfo->cbSize = sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO);
  327. pSgnr = WTHelperGetProvSignerFromChain(pProvData, i, FALSE, 0);
  328. pSignerInfo->pChainContext = pSgnr->pChainContext;
  329. pSignerInfo->dwSignerType = pSgnr->dwSignerType;
  330. pSignerInfo->pMsgSignerInfo = pSgnr->psSigner;
  331. pSignerInfo->dwError = pSgnr->dwError;
  332. cCounterSigner = pSgnr->csCounterSigners;
  333. if (cCounterSigner) {
  334. DWORD j;
  335. PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *ppCounterSignerInfo;
  336. PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO pCounterSignerInfo;
  337. if (NULL == (ppCounterSignerInfo =
  338. (PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *) malloc(
  339. sizeof(PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) *
  340. cCounterSigner +
  341. sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) *
  342. cCounterSigner)))
  343. goto OutOfMemory;
  344. memset(ppCounterSignerInfo, 0,
  345. sizeof(PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) * cCounterSigner +
  346. sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO) * cCounterSigner);
  347. pSignerInfo->cCounterSigner = cCounterSigner;
  348. pSignerInfo->rgpCounterSigner = ppCounterSignerInfo;
  349. //
  350. // Update allocated info for each counter signer
  351. //
  352. pCounterSignerInfo = (PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO)
  353. &ppCounterSignerInfo[cCounterSigner];
  354. j = 0;
  355. for ( ; j < cCounterSigner; j++, pCounterSignerInfo++) {
  356. PCRYPT_PROVIDER_SGNR pCounterSgnr;
  357. ppCounterSignerInfo[j] = pCounterSignerInfo;
  358. pCounterSignerInfo->cbSize =
  359. sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO);
  360. pCounterSgnr = WTHelperGetProvSignerFromChain(pProvData, i,
  361. TRUE, j);
  362. pCounterSignerInfo->pChainContext = pCounterSgnr->pChainContext;
  363. pCounterSignerInfo->dwSignerType = pCounterSgnr->dwSignerType;
  364. pCounterSignerInfo->pMsgSignerInfo = pCounterSgnr->psSigner;
  365. pCounterSignerInfo->dwError = pCounterSgnr->dwError;
  366. }
  367. }
  368. }
  369. if (pPolicyData->pfnPolicyCallback)
  370. pfnPolicyCallback = pPolicyData->pfnPolicyCallback;
  371. else
  372. pfnPolicyCallback = GenericChainDefaultPolicyCallback;
  373. hr = pfnPolicyCallback(
  374. pProvData,
  375. dwStepError,
  376. pProvData->dwRegPolicySettings,
  377. cSigner,
  378. ppSignerInfo,
  379. pPolicyData->pvPolicyArg
  380. );
  381. CommonReturn:
  382. if (ppSignerInfo) {
  383. while (cSigner--) {
  384. pSignerInfo = ppSignerInfo[cSigner];
  385. if (pSignerInfo && pSignerInfo->rgpCounterSigner)
  386. free(pSignerInfo->rgpCounterSigner);
  387. }
  388. free(ppSignerInfo);
  389. }
  390. pProvData->dwFinalError = (DWORD) hr;
  391. return hr;
  392. ErrorReturn:
  393. hr = (HRESULT) GetLastError();
  394. if (S_OK == hr)
  395. hr = E_UNEXPECTED;
  396. goto CommonReturn;
  397. SET_ERROR_EX(DBG_SS, InvalidParameter, ERROR_INVALID_PARAMETER)
  398. SET_ERROR_EX(DBG_SS, OutOfMemory, ERROR_NOT_ENOUGH_MEMORY)
  399. SET_ERROR_EX(DBG_SS, NoSignature, TRUST_E_NOSIGNATURE);
  400. }
  401. DWORD GenericChainGetErrorBasedOnStepErrors(
  402. IN PCRYPT_PROVIDER_DATA pProvData
  403. )
  404. {
  405. //
  406. // initial allocation of the step errors?
  407. //
  408. if (NULL == pProvData->padwTrustStepErrors)
  409. return ERROR_NOT_ENOUGH_MEMORY;
  410. // problem with file
  411. if ((pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FILEIO] != 0) ||
  412. (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_CATALOGFILE] != 0))
  413. {
  414. return(CRYPT_E_FILE_ERROR);
  415. }
  416. //
  417. // did we fail in one of the last steps?
  418. //
  419. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_INITPROV] != 0)
  420. {
  421. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_INITPROV]);
  422. }
  423. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] != 0)
  424. {
  425. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV]);
  426. }
  427. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_SIGPROV] != 0)
  428. {
  429. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_SIGPROV]);
  430. }
  431. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] != 0)
  432. {
  433. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV]);
  434. }
  435. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTCHKPROV] != 0)
  436. {
  437. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTCHKPROV]);
  438. }
  439. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV] != 0)
  440. {
  441. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV]);
  442. }
  443. return(ERROR_SUCCESS);
  444. }
  445. HRESULT
  446. WINAPI
  447. GenericChainDefaultPolicyCallback(
  448. IN PCRYPT_PROVIDER_DATA pProvData,
  449. IN DWORD dwStepError,
  450. IN DWORD dwRegPolicySettings,
  451. IN DWORD cSigner,
  452. IN PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *rgpSigner,
  453. IN void *pvPolicyArg
  454. )
  455. {
  456. HRESULT hr;
  457. DWORD i;
  458. AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA ExtraPolicyPara;
  459. memset(&ExtraPolicyPara, 0, sizeof(ExtraPolicyPara));
  460. ExtraPolicyPara.cbSize = sizeof(ExtraPolicyPara);
  461. ExtraPolicyPara.dwRegPolicySettings = dwRegPolicySettings;
  462. CERT_CHAIN_POLICY_PARA PolicyPara;
  463. memset(&PolicyPara, 0, sizeof(PolicyPara));
  464. PolicyPara.cbSize = sizeof(PolicyPara);
  465. PolicyPara.pvExtraPolicyPara = (void *) &ExtraPolicyPara;
  466. AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS ExtraPolicyStatus;
  467. memset(&ExtraPolicyStatus, 0, sizeof(ExtraPolicyStatus));
  468. ExtraPolicyStatus.cbSize = sizeof(ExtraPolicyStatus);
  469. CERT_CHAIN_POLICY_STATUS PolicyStatus;
  470. memset(&PolicyStatus, 0, sizeof(PolicyStatus));
  471. PolicyStatus.cbSize = sizeof(PolicyStatus);
  472. PolicyStatus.pvExtraPolicyStatus = (void *) &ExtraPolicyStatus;
  473. //
  474. // check the high level error codes.
  475. //
  476. if (0 != dwStepError) {
  477. hr = (HRESULT) dwStepError;
  478. goto CommonReturn;
  479. }
  480. //
  481. // check each signer
  482. //
  483. for (i = 0; i < cSigner; i++) {
  484. PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO pSigner = rgpSigner[i];
  485. ExtraPolicyPara.pSignerInfo = pSigner->pMsgSignerInfo;
  486. if (!CertVerifyCertificateChainPolicy(
  487. CERT_CHAIN_POLICY_AUTHENTICODE,
  488. pSigner->pChainContext,
  489. &PolicyPara,
  490. &PolicyStatus
  491. )) {
  492. hr = TRUST_E_SYSTEM_ERROR;
  493. goto CommonReturn;
  494. }
  495. if (0 != PolicyStatus.dwError) {
  496. hr = (HRESULT) PolicyStatus.dwError;
  497. goto CommonReturn;
  498. }
  499. if (pSigner->cCounterSigner) {
  500. AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA TSExtraPolicyPara;
  501. memset(&TSExtraPolicyPara, 0, sizeof(TSExtraPolicyPara));
  502. TSExtraPolicyPara.cbSize = sizeof(TSExtraPolicyPara);
  503. TSExtraPolicyPara.dwRegPolicySettings = dwRegPolicySettings;
  504. TSExtraPolicyPara.fCommercial = ExtraPolicyStatus.fCommercial;
  505. CERT_CHAIN_POLICY_PARA TSPolicyPara;
  506. memset(&TSPolicyPara, 0, sizeof(TSPolicyPara));
  507. TSPolicyPara.cbSize = sizeof(TSPolicyPara);
  508. TSPolicyPara.pvExtraPolicyPara = (void *) &TSExtraPolicyPara;
  509. CERT_CHAIN_POLICY_STATUS TSPolicyStatus;
  510. memset(&TSPolicyStatus, 0, sizeof(TSPolicyStatus));
  511. TSPolicyStatus.cbSize = sizeof(TSPolicyStatus);
  512. //
  513. // check counter signers
  514. //
  515. for (DWORD j = 0; j < pSigner->cCounterSigner; j++) {
  516. PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO pCounterSigner =
  517. pSigner->rgpCounterSigner[j];
  518. //
  519. // do we care about this counter signer?
  520. //
  521. if (pCounterSigner->dwSignerType != SGNR_TYPE_TIMESTAMP)
  522. continue;
  523. if (!CertVerifyCertificateChainPolicy(
  524. CERT_CHAIN_POLICY_AUTHENTICODE_TS,
  525. pCounterSigner->pChainContext,
  526. &TSPolicyPara,
  527. &TSPolicyStatus
  528. )) {
  529. hr = TRUST_E_SYSTEM_ERROR;
  530. goto CommonReturn;
  531. } else if (0 != TSPolicyStatus.dwError) {
  532. hr = (HRESULT) TSPolicyStatus.dwError;
  533. goto CommonReturn;
  534. }
  535. }
  536. }
  537. }
  538. hr = S_OK;
  539. CommonReturn:
  540. return hr;
  541. }