mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
955 lines
34 KiB
955 lines
34 KiB
/////////////////////////////////////////////////////////////////////////////
|
|
// FILE : sgccheck.c //
|
|
// DESCRIPTION : Code to check if SGC is enabled //
|
|
// AUTHOR : jeffspel //
|
|
// HISTORY : //
|
|
// Jun 16 1998 jeffspel Create //
|
|
// Nov 16 1998 jbanes Pluggable SGC roots. //
|
|
// //
|
|
// Copyright (C) 1998 Microsoft Corporation All Rights Reserved //
|
|
/////////////////////////////////////////////////////////////////////////////
|
|
|
|
#include <windows.h>
|
|
#include <windef.h>
|
|
#include <wincrypt.h>
|
|
#include <sgccheck.h>
|
|
|
|
#define SGCAlloc(cb) LocalAlloc(LMEM_ZEROINIT, cb)
|
|
#define SGCFree(pb) LocalFree(pb)
|
|
|
|
|
|
//#define SGC_TEST_KEY // COMMENT OUT THIS LINE BEFORE CHECKING IN!!!
|
|
#ifdef SGC_TEST_KEY
|
|
#pragma message ("WARNING -- Building with SGC Test Key enabled.")
|
|
#endif
|
|
|
|
#define SGC_VERIFICATION_FLAGS (CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG)
|
|
|
|
|
|
// Geneva SGC Root
|
|
static CONST BYTE GenevaSGCRoot[] =
|
|
{ 0x30, 0x82, 0x03, 0x0a, 0x30, 0x82, 0x01, 0xf2, // 0...0...
|
|
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0a, 0x20, // .......
|
|
0x9d, 0x11, 0xd1, 0x0e, 0x7f, 0x7b, 0x85, 0x74, // .....{.t
|
|
0x80, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, // .0...*.H
|
|
0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, // ........
|
|
0x30, 0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, // 0.1.0...
|
|
0x55, 0x04, 0x03, 0x13, 0x12, 0x52, 0x6f, 0x6f, // U....Roo
|
|
0x74, 0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, // t SGC Au
|
|
0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, // thority0
|
|
0x1e, 0x17, 0x0d, 0x39, 0x37, 0x30, 0x38, 0x30, // ...97080
|
|
0x36, 0x31, 0x37, 0x31, 0x34, 0x34, 0x37, 0x5a, // 6171447Z
|
|
0x17, 0x0d, 0x31, 0x30, 0x30, 0x31, 0x30, 0x31, // ..100101
|
|
0x30, 0x37, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, // 070000Z0
|
|
0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, // .1.0...U
|
|
0x04, 0x03, 0x13, 0x12, 0x52, 0x6f, 0x6f, 0x74, // ....Root
|
|
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
|
|
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x82, // hority0.
|
|
0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, // ."0...*.
|
|
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, // H.......
|
|
0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, // ......0.
|
|
0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xec, // ........
|
|
0x55, 0x5d, 0x0f, 0xaf, 0x6c, 0x5b, 0xa5, 0x21, // U]..l[.!
|
|
0xe5, 0x81, 0xbc, 0x0d, 0x96, 0xee, 0xb4, 0x63, // .......c
|
|
0xbc, 0x4c, 0x14, 0x68, 0x6d, 0xfe, 0xd7, 0x64, // .L.hm..d
|
|
0x2d, 0xe7, 0x59, 0x9d, 0x8e, 0x20, 0x9c, 0x1c, // -.Y.. ..
|
|
0xb1, 0x18, 0x39, 0x38, 0x80, 0xc6, 0x08, 0xa6, // ..98....
|
|
0x65, 0x39, 0x6c, 0x0a, 0x86, 0x6c, 0x8b, 0x6a, // e9l..l.j
|
|
0xaa, 0x4a, 0x7a, 0xb4, 0xe5, 0x23, 0x7b, 0x9c, // .Jz..#{.
|
|
0xa2, 0x88, 0x81, 0xa5, 0x2c, 0x9f, 0x2e, 0xce, // ....,...
|
|
0x56, 0xd8, 0x69, 0xc7, 0xd7, 0x54, 0xf8, 0xdd, // V.i..T..
|
|
0xab, 0x9b, 0xc7, 0xba, 0x8e, 0xe7, 0x60, 0x1c, // ......`.
|
|
0x45, 0x20, 0x09, 0x9d, 0x00, 0x25, 0x16, 0x15, // E ...%..
|
|
0xe0, 0x40, 0x2c, 0xf2, 0xac, 0xfa, 0x1f, 0xf8, // .@,.....
|
|
0x6d, 0x5e, 0xda, 0xbb, 0x14, 0xaf, 0x4c, 0x82, // m^....L.
|
|
0xf3, 0x5d, 0x81, 0xcb, 0xef, 0xcd, 0xa8, 0x0f, // .]......
|
|
0xf1, 0xec, 0xa5, 0xa3, 0x44, 0x94, 0x69, 0x7a, // ....D.iz
|
|
0x88, 0xec, 0xa9, 0x18, 0xf3, 0xac, 0x38, 0xe6, // ......8.
|
|
0xe7, 0xe0, 0xe1, 0x11, 0xa8, 0xa5, 0x5f, 0x18, // ......_.
|
|
0x00, 0x72, 0xd0, 0x00, 0x9e, 0x12, 0x89, 0x50, // .r.....P
|
|
0x96, 0x20, 0xdb, 0xcd, 0x63, 0xe7, 0xb3, 0xc0, // . ..c...
|
|
0xfa, 0x54, 0xa1, 0xe7, 0x4a, 0x74, 0x5d, 0xcd, // .T..Jt].
|
|
0x4a, 0x2f, 0x4c, 0x44, 0xa3, 0xdc, 0x40, 0xad, // J/LD..@.
|
|
0xe7, 0xdc, 0x4d, 0x9b, 0x2a, 0x55, 0x13, 0x0b, // ..M.*U..
|
|
0x4d, 0x4f, 0x3d, 0xc3, 0x02, 0xac, 0xd2, 0x03, // MO=.....
|
|
0x70, 0x0a, 0x48, 0xa9, 0x96, 0x5b, 0x04, 0x57, // p.H..[.W
|
|
0xb9, 0xe2, 0x5a, 0x04, 0x5e, 0xcf, 0x6f, 0x4e, // ..Z.^.oN
|
|
0x4c, 0xf3, 0x8e, 0xa2, 0xd0, 0xd9, 0xcb, 0x01, // L.......
|
|
0xbc, 0x8c, 0x14, 0xd5, 0x08, 0xfc, 0x18, 0x08, // ........
|
|
0xc1, 0x65, 0x83, 0x3f, 0x0e, 0xa4, 0x17, 0x1c, // .e.?....
|
|
0x6e, 0x45, 0x0a, 0xef, 0x1d, 0x40, 0xc4, 0x7b, // nE...@.{
|
|
0x6a, 0x7e, 0x5d, 0xa6, 0xde, 0x97, 0x22, 0x7b, // j~]..."{
|
|
0x67, 0xbf, 0xc0, 0xa2, 0x83, 0x39, 0xb6, 0xf6, // g....9..
|
|
0x15, 0x16, 0xc6, 0x6f, 0x09, 0x61, 0xb1, 0x02, // ...o.a..
|
|
0x03, 0x01, 0x00, 0x01, 0xa3, 0x4c, 0x30, 0x4a, // .....L0J
|
|
0x30, 0x48, 0x06, 0x03, 0x55, 0x1d, 0x01, 0x04, // 0H..U...
|
|
0x41, 0x30, 0x3f, 0x80, 0x10, 0x0d, 0x27, 0x29, // A0?...')
|
|
0xe4, 0x05, 0x2a, 0x97, 0xb4, 0x77, 0x58, 0x35, // ..*..wX5
|
|
0x47, 0x93, 0x2d, 0x06, 0xb8, 0xa1, 0x1f, 0x30, // G.-....0
|
|
0x1d, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, // .1.0...U
|
|
0x04, 0x03, 0x13, 0x12, 0x52, 0x6f, 0x6f, 0x74, // ....Root
|
|
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
|
|
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x82, 0x0a, // hority..
|
|
0x20, 0x9d, 0x11, 0xd1, 0x0e, 0x7f, 0x7b, 0x85, // .....{.
|
|
0x74, 0x80, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, // t.0...*.
|
|
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, // H.......
|
|
0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x2b, 0x02, // ......+.
|
|
0x2b, 0x37, 0x66, 0xa5, 0xd1, 0x8c, 0x3e, 0x20, // +7f...>
|
|
0x08, 0x1a, 0x0c, 0xb7, 0xf5, 0x63, 0xcb, 0xc6, // .....c..
|
|
0xdd, 0x9b, 0x62, 0x52, 0x32, 0xbc, 0x33, 0x74, // ..bR2.3t
|
|
0x7a, 0xde, 0xb0, 0x80, 0x05, 0xfa, 0xe5, 0xb5, // z.......
|
|
0xe4, 0xf7, 0xf1, 0xd7, 0xa0, 0x95, 0x5c, 0x6c, // .......l
|
|
0x05, 0x9b, 0x2f, 0x03, 0x4b, 0xb7, 0x8a, 0x95, // ../.K...
|
|
0x0e, 0xb0, 0x06, 0x80, 0xa0, 0x2a, 0x1b, 0xa4, // .....*..
|
|
0x09, 0x58, 0xbd, 0x87, 0xd4, 0x38, 0x44, 0xb4, // .X...8D.
|
|
0x71, 0x7b, 0xfb, 0x74, 0xa2, 0x89, 0x48, 0xe6, // q{.t..H.
|
|
0x5f, 0xab, 0x9a, 0xa4, 0x0a, 0x38, 0xcc, 0x57, // _....8.W
|
|
0xa1, 0x14, 0x2c, 0x5c, 0xee, 0xc2, 0x13, 0x81, // ..,.....
|
|
0x00, 0xc3, 0x2d, 0xb1, 0x70, 0xde, 0x9f, 0xb1, // ..-.p...
|
|
0x70, 0x43, 0x7e, 0x22, 0xa0, 0x77, 0x96, 0xc8, // pC~".w..
|
|
0xdf, 0x99, 0xdc, 0xa6, 0x4e, 0xb3, 0xb5, 0x74, // ....N..t
|
|
0x34, 0x13, 0x12, 0x24, 0xa2, 0x6b, 0x95, 0x80, // 4..$.k..
|
|
0xcf, 0xaa, 0x4a, 0x68, 0xb1, 0x77, 0x27, 0x98, // ..Jh.w'.
|
|
0xef, 0xaa, 0x62, 0xd3, 0x22, 0x81, 0x33, 0x2b, // ..b.".3+
|
|
0x12, 0x50, 0xef, 0x16, 0x86, 0xe6, 0x9a, 0x5a, // .P.....Z
|
|
0x73, 0x89, 0x6d, 0x83, 0xf2, 0x08, 0xa3, 0x13, // s.m.....
|
|
0xab, 0x05, 0xd5, 0x6e, 0x68, 0xf6, 0x90, 0xa4, // ...nh...
|
|
0x4a, 0x9f, 0x7c, 0x4c, 0x5d, 0x8f, 0x58, 0xf3, // J.|L].X.
|
|
0x11, 0x4c, 0xc7, 0x08, 0x51, 0xea, 0x76, 0xd1, // .L..Q.v.
|
|
0xb5, 0x55, 0x32, 0x3f, 0xff, 0x67, 0xef, 0x35, // .U2?.g.5
|
|
0x8c, 0x89, 0xd3, 0xc6, 0x75, 0x15, 0x68, 0x9f, // ....u.h.
|
|
0x67, 0x46, 0x9c, 0x94, 0x41, 0xf5, 0x76, 0x51, // gF..A.vQ
|
|
0x86, 0xac, 0x91, 0x75, 0xec, 0xb6, 0xf7, 0x00, // ...u....
|
|
0x40, 0x5b, 0xfe, 0x61, 0xd8, 0x33, 0x2d, 0x37, // @[.a.3-7
|
|
0x65, 0x8b, 0x94, 0xd9, 0x97, 0x21, 0x15, 0x2c, // e....!.,
|
|
0x13, 0x49, 0xff, 0xde, 0xb7, 0x83, 0xd9, 0xae, // .I......
|
|
0xc4, 0xce, 0x24, 0xb2, 0x50, 0xdf, 0x75, 0x14, // ..$.P.u.
|
|
0x12, 0x8c, 0x46, 0xa4, 0xac, 0xef, 0x4c, 0x72, // ..F...Lr
|
|
0x00, 0x00, 0xe1, 0x4c, 0x8e, 0xee }; // ...L..
|
|
|
|
// Versign Class 3 SGC Root
|
|
static CONST BYTE VSCLASS3ROOT[] =
|
|
{ 0x30, 0x82, 0x02, 0x31, 0x30, 0x82, 0x01, 0x9a,
|
|
0x02, 0x05, 0x02, 0xa1, 0x00, 0x00, 0x01, 0x30,
|
|
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
|
|
0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x30, 0x5f,
|
|
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
|
|
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30,
|
|
0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e,
|
|
0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e,
|
|
0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37,
|
|
0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13,
|
|
0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33,
|
|
0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20,
|
|
0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20,
|
|
0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
|
|
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75,
|
|
0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30,
|
|
0x1e, 0x17, 0x0d, 0x39, 0x36, 0x30, 0x31, 0x32,
|
|
0x39, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a,
|
|
0x17, 0x0d, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31,
|
|
0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30,
|
|
0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
|
|
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17,
|
|
0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
|
|
0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
|
|
0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31,
|
|
0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b,
|
|
0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20,
|
|
0x33, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63,
|
|
0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79,
|
|
0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
|
|
0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41,
|
|
0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79,
|
|
0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a,
|
|
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
|
|
0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
|
|
0x89, 0x02, 0x81, 0x81, 0x00, 0xc9, 0x5c, 0x59,
|
|
0x9e, 0xf2, 0x1b, 0x8a, 0x01, 0x14, 0xb4, 0x10,
|
|
0xdf, 0x04, 0x40, 0xdb, 0xe3, 0x57, 0xaf, 0x6a,
|
|
0x45, 0x40, 0x8f, 0x84, 0x0c, 0x0b, 0xd1, 0x33,
|
|
0xd9, 0xd9, 0x11, 0xcf, 0xee, 0x02, 0x58, 0x1f,
|
|
0x25, 0xf7, 0x2a, 0xa8, 0x44, 0x05, 0xaa, 0xec,
|
|
0x03, 0x1f, 0x78, 0x7f, 0x9e, 0x93, 0xb9, 0x9a,
|
|
0x00, 0xaa, 0x23, 0x7d, 0xd6, 0xac, 0x85, 0xa2,
|
|
0x63, 0x45, 0xc7, 0x72, 0x27, 0xcc, 0xf4, 0x4c,
|
|
0xc6, 0x75, 0x71, 0xd2, 0x39, 0xef, 0x4f, 0x42,
|
|
0xf0, 0x75, 0xdf, 0x0a, 0x90, 0xc6, 0x8e, 0x20,
|
|
0x6f, 0x98, 0x0f, 0xf8, 0xac, 0x23, 0x5f, 0x70,
|
|
0x29, 0x36, 0xa4, 0xc9, 0x86, 0xe7, 0xb1, 0x9a,
|
|
0x20, 0xcb, 0x53, 0xa5, 0x85, 0xe7, 0x3d, 0xbe,
|
|
0x7d, 0x9a, 0xfe, 0x24, 0x45, 0x33, 0xdc, 0x76,
|
|
0x15, 0xed, 0x0f, 0xa2, 0x71, 0x64, 0x4c, 0x65,
|
|
0x2e, 0x81, 0x68, 0x45, 0xa7, 0x02, 0x03, 0x01,
|
|
0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
|
|
0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x02, 0x05,
|
|
0x00, 0x03, 0x81, 0x81, 0x00, 0x75, 0x66, 0x6c,
|
|
0x3e, 0xd1, 0xcd, 0x81, 0xdb, 0xb5, 0xf8, 0x2f,
|
|
0x36, 0x51, 0xb6, 0xf7, 0x42, 0xbc, 0xcd, 0x42,
|
|
0xaf, 0xdc, 0x0e, 0xfa, 0x15, 0x6c, 0xf8, 0x67,
|
|
0x93, 0x57, 0x3a, 0xeb, 0xb6, 0x92, 0xe8, 0xb6,
|
|
0x01, 0xca, 0x8c, 0xb7, 0x8e, 0x43, 0xb4, 0x49,
|
|
0x65, 0xf9, 0x3e, 0xee, 0xbd, 0x75, 0x46, 0x2e,
|
|
0xc9, 0xfc, 0x25, 0x5d, 0xa8, 0xc7, 0x2f, 0x8b,
|
|
0x9b, 0x8f, 0x68, 0xcf, 0xb4, 0x9c, 0x97, 0x18,
|
|
0xc0, 0x4d, 0xef, 0x1f, 0xd9, 0xaf, 0x82, 0xb3,
|
|
0xe6, 0x64, 0xb8, 0x84, 0x5c, 0x8a, 0x9a, 0x07,
|
|
0x52, 0x43, 0x61, 0xfb, 0x74, 0x9e, 0x5b, 0x3a,
|
|
0x36, 0xfc, 0x4c, 0xb2, 0xfc, 0x1a, 0x3f, 0x15,
|
|
0x2e, 0xa5, 0x5b, 0x3c, 0x1b, 0x90, 0xec, 0x88,
|
|
0x29, 0xe4, 0x59, 0x16, 0xf9, 0xce, 0x07, 0xad,
|
|
0xec, 0xe9, 0xdd, 0xda, 0xd2, 0x31, 0x8a, 0x4f,
|
|
0xd6, 0xd8, 0xef, 0x17, 0x8d };
|
|
|
|
// SGC Test Root
|
|
#ifdef SGC_TEST_KEY
|
|
static CONST BYTE TestSGCRoot[] =
|
|
{ 0x30, 0x82, 0x01, 0xda, 0x30, 0x82, 0x01, 0x84, // 0...0...
|
|
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x46, // .......F
|
|
0xeb, 0x72, 0x4f, 0xc0, 0x00, 0x78, 0xab, 0x11, // .rO..x..
|
|
0xd2, 0x84, 0xb0, 0x35, 0xb8, 0xe0, 0xb1, 0x30, // ...5...0
|
|
0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, // ...*.H..
|
|
0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x26, // ......0&
|
|
0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, // 1$0"..U.
|
|
0x03, 0x13, 0x1b, 0x53, 0x63, 0x68, 0x61, 0x6e, // ...Schan
|
|
0x6e, 0x65, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, // nel Test
|
|
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
|
|
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, // hority0.
|
|
0x17, 0x0d, 0x39, 0x38, 0x31, 0x31, 0x32, 0x35, // ..981125
|
|
0x32, 0x31, 0x34, 0x35, 0x35, 0x34, 0x5a, 0x17, // 214554Z.
|
|
0x0d, 0x33, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, // .3912312
|
|
0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x26, // 35959Z0&
|
|
0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, // 1$0"..U.
|
|
0x03, 0x13, 0x1b, 0x53, 0x63, 0x68, 0x61, 0x6e, // ...Schan
|
|
0x6e, 0x65, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, // nel Test
|
|
0x20, 0x53, 0x47, 0x43, 0x20, 0x41, 0x75, 0x74, // SGC Aut
|
|
0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x5c, // hority0.
|
|
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, // 0...*.H.
|
|
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, // ........
|
|
0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xd1, // K.0H.A..
|
|
0x95, 0x8e, 0x14, 0xc9, 0x8b, 0x28, 0x00, 0xd4, // .....(..
|
|
0xed, 0x40, 0xb5, 0xd4, 0xec, 0x1f, 0x67, 0xb1, // [email protected].
|
|
0xa2, 0xb3, 0x18, 0xca, 0x6b, 0x48, 0x6c, 0x54, // ....kHlT
|
|
0xaf, 0xc4, 0x70, 0x3c, 0x6e, 0xee, 0x15, 0xba, // ..p<n...
|
|
0x4b, 0xf7, 0x40, 0x93, 0xd3, 0x35, 0x1d, 0x17, // [email protected]..
|
|
0x6c, 0xe8, 0x1d, 0x62, 0xec, 0x74, 0x96, 0x48, // l..b.t.H
|
|
0x4f, 0x1e, 0xcf, 0xf0, 0x54, 0x2b, 0x30, 0x0b, // O...T+0.
|
|
0x66, 0x3a, 0x83, 0x1c, 0x32, 0xda, 0x3d, 0x02, // f:..2.=.
|
|
0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x8d, 0x30, // .......0
|
|
0x81, 0x8a, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x1d, // ..0...U.
|
|
0x0a, 0x04, 0x06, 0x30, 0x04, 0x03, 0x02, 0x07, // ...0....
|
|
0x80, 0x30, 0x20, 0x06, 0x03, 0x55, 0x1d, 0x25, // .0 ..U.%
|
|
0x04, 0x19, 0x30, 0x17, 0x06, 0x0a, 0x2b, 0x06, // ..0...+.
|
|
0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x03, // ....7...
|
|
0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, // ..`.H...
|
|
0x42, 0x04, 0x01, 0x30, 0x57, 0x06, 0x03, 0x55, // B..0W..U
|
|
0x1d, 0x01, 0x04, 0x50, 0x30, 0x4e, 0x80, 0x10, // ...P0N..
|
|
0x35, 0x2f, 0x90, 0xa8, 0x13, 0xd6, 0x82, 0x32, // 5......2
|
|
0x85, 0x1a, 0x5d, 0x0f, 0xdc, 0x83, 0xe3, 0x28, // ..]....(
|
|
0xa1, 0x28, 0x30, 0x26, 0x31, 0x24, 0x30, 0x22, // .(0&1$0"
|
|
0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1b, 0x53, // ..U....S
|
|
0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x20, // channel
|
|
0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x47, 0x43, // Test SGC
|
|
0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, // Authori
|
|
0x74, 0x79, 0x82, 0x10, 0x46, 0xeb, 0x72, 0x4f, // ty..F.rO
|
|
0xc0, 0x00, 0x78, 0xab, 0x11, 0xd2, 0x84, 0xb0, // ..x.....
|
|
0x35, 0xb8, 0xe0, 0xb1, 0x30, 0x0d, 0x06, 0x09, // 5...0...
|
|
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, // *.H.....
|
|
0x04, 0x05, 0x00, 0x03, 0x41, 0x00, 0x65, 0x35, // ....A.e5
|
|
0x80, 0xaf, 0xa3, 0xba, 0x5d, 0x13, 0xcd, 0x86, // ....]...
|
|
0xad, 0xda, 0x06, 0xb6, 0xb3, 0x51, 0xf4, 0x71, // .....Q.q
|
|
0x4a, 0x0b, 0xd2, 0xc1, 0x91, 0x13, 0xc3, 0x0c, // J.......
|
|
0xd7, 0xb7, 0x9f, 0xa6, 0x3c, 0x04, 0xfa, 0xb7, // ....<...
|
|
0x97, 0x94, 0x64, 0xf0, 0x5b, 0xab, 0x65, 0x3b, // ..d.[.e;
|
|
0x88, 0x95, 0x59, 0x4c, 0x18, 0x11, 0xc4, 0xac, // ..YL....
|
|
0x5c, 0x6e, 0x31, 0xf0, 0xdd, 0x74, 0xc1, 0x55, // .n1..t.U
|
|
0x7e, 0x7f, 0x66, 0xf4, 0x8a, 0x57 }; // ~.f..W
|
|
#endif // SGC_TEST_KEY
|
|
|
|
|
|
typedef struct SGC_ROOT
|
|
{
|
|
CONST BYTE * pbCert;
|
|
DWORD cbCert;
|
|
PCCERT_CONTEXT pCertContext;
|
|
} SGC_ROOT, *PSGC_ROOT;
|
|
|
|
|
|
static SGC_ROOT SGCRoots[] = {
|
|
{ GenevaSGCRoot, sizeof(GenevaSGCRoot), NULL },
|
|
{ VSCLASS3ROOT, sizeof(VSCLASS3ROOT), NULL },
|
|
#ifdef SGC_TEST_KEY
|
|
{ TestSGCRoot, sizeof(TestSGCRoot), NULL }
|
|
#endif // SGC_TEST_KEY
|
|
};
|
|
|
|
static CONST DWORD SGCRootCount = sizeof(SGCRoots) / sizeof(SGC_ROOT);
|
|
|
|
static CONST LPCSTR rgSGCExtensions[]
|
|
= { szOID_SGC_NETSCAPE,
|
|
szOID_SERVER_GATED_CRYPTO };
|
|
|
|
static CONST CERT_ENHKEY_USAGE SGCExtensions
|
|
= { sizeof(rgSGCExtensions)/sizeof(LPSTR),
|
|
(LPSTR *)rgSGCExtensions };
|
|
|
|
|
|
//
|
|
// Load root certs
|
|
//
|
|
|
|
DWORD
|
|
LoadSGCRoots(
|
|
IN CRITICAL_SECTION *pCritSec) // must be initialized
|
|
{
|
|
DWORD dwReturn = ERROR_INTERNAL_ERROR;
|
|
BOOL fInCritSec = FALSE;
|
|
BOOL fLoadRoots = FALSE;
|
|
DWORD i;
|
|
|
|
// check if the Roots are already loaded
|
|
for (i = 0; i < SGCRootCount; i++)
|
|
{
|
|
if (SGCRoots[i].pCertContext == NULL)
|
|
{
|
|
fLoadRoots = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if (!fLoadRoots)
|
|
{
|
|
dwReturn = ERROR_SUCCESS;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
// wrap with a try since there is a critical sections in here
|
|
__try
|
|
{
|
|
// take the critical section
|
|
EnterCriticalSection(pCritSec);
|
|
fInCritSec = TRUE;
|
|
|
|
for (i = 0; i < SGCRootCount; i++)
|
|
{
|
|
if (SGCRoots[i].pCertContext == NULL)
|
|
{
|
|
|
|
SGCRoots[i].pCertContext = CertCreateCertificateContext(
|
|
X509_ASN_ENCODING,
|
|
SGCRoots[i].pbCert,
|
|
SGCRoots[i].cbCert);
|
|
if (NULL == SGCRoots[i].pCertContext)
|
|
{
|
|
dwReturn = GetLastError();
|
|
goto ErrorExit;
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
__except ( EXCEPTION_EXECUTE_HANDLER )
|
|
{
|
|
// ?BUGBUG? Could be resource exhaustion
|
|
dwReturn = ERROR_INVALID_PARAMETER;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
dwReturn = ERROR_SUCCESS;
|
|
|
|
ErrorExit:
|
|
if (fInCritSec)
|
|
LeaveCriticalSection(pCritSec);
|
|
return dwReturn;
|
|
}
|
|
|
|
|
|
//
|
|
// delete the public key values
|
|
//
|
|
|
|
void
|
|
SGCDeletePubKeyValues(
|
|
IN OUT BYTE **ppbKeyMod,
|
|
IN OUT DWORD *pcbKeyMod,
|
|
IN OUT DWORD *pdwKeyExpo)
|
|
{
|
|
if (*ppbKeyMod)
|
|
SGCFree(*ppbKeyMod);
|
|
*ppbKeyMod = NULL;
|
|
*pcbKeyMod = 0;
|
|
*pdwKeyExpo = 0;
|
|
}
|
|
|
|
|
|
//
|
|
// get the public key form the cert context and assign it to the
|
|
// passed in parameters
|
|
//
|
|
|
|
DWORD
|
|
SGCAssignPubKey(
|
|
IN PCCERT_CONTEXT pCertContext,
|
|
IN OUT BYTE **ppbKeyMod,
|
|
IN OUT DWORD *pcbKeyMod,
|
|
IN OUT DWORD *pdwKeyExpo)
|
|
{
|
|
DWORD dwReturn = ERROR_INTERNAL_ERROR;
|
|
BLOBHEADER *pBlob = NULL;
|
|
DWORD cbBlob = 0;
|
|
RSAPUBKEY *pRSAPubKey;
|
|
BYTE *pb;
|
|
|
|
// decode the public key from the cert into a PUBLICKEYBLOB
|
|
if (!CryptDecodeObject(X509_ASN_ENCODING,
|
|
RSA_CSP_PUBLICKEYBLOB,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData,
|
|
0,
|
|
NULL,
|
|
&cbBlob))
|
|
{
|
|
dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
|
|
goto ErrorExit;
|
|
}
|
|
|
|
pBlob = (BLOBHEADER*)SGCAlloc(cbBlob);
|
|
if (NULL == pBlob)
|
|
{
|
|
dwReturn = ERROR_NOT_ENOUGH_MEMORY;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
if (!CryptDecodeObject(X509_ASN_ENCODING,
|
|
RSA_CSP_PUBLICKEYBLOB,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData,
|
|
0,
|
|
pBlob,
|
|
&cbBlob))
|
|
{
|
|
dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
|
|
goto ErrorExit;
|
|
}
|
|
|
|
pRSAPubKey = (RSAPUBKEY*)((BYTE*)pBlob + sizeof(BLOBHEADER));
|
|
|
|
// delete any old public key info
|
|
SGCDeletePubKeyValues(ppbKeyMod, pcbKeyMod, pdwKeyExpo);
|
|
|
|
// assign public key values
|
|
*pdwKeyExpo = pRSAPubKey->pubexp;
|
|
*pcbKeyMod = pRSAPubKey->bitlen / 8;
|
|
*ppbKeyMod = (BYTE*)SGCAlloc(*pcbKeyMod);
|
|
if (NULL == *ppbKeyMod)
|
|
{
|
|
dwReturn = ERROR_NOT_ENOUGH_MEMORY;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
pb = (BYTE*)pRSAPubKey + sizeof(RSAPUBKEY);
|
|
memcpy(*ppbKeyMod, pb, *pcbKeyMod);
|
|
|
|
dwReturn = ERROR_SUCCESS;
|
|
|
|
ErrorExit:
|
|
if (pBlob)
|
|
SGCFree(pBlob);
|
|
return dwReturn;
|
|
}
|
|
|
|
|
|
//
|
|
// check if the passed in public key matches the one in the cert
|
|
//
|
|
|
|
static DWORD
|
|
SamePublicKey(
|
|
IN PCCERT_CONTEXT pCertContext,
|
|
IN BYTE *pbExchKeyMod,
|
|
IN DWORD cbExchKeyMod,
|
|
IN DWORD dwExchKeyExpo)
|
|
{
|
|
DWORD dwReturn = ERROR_INTERNAL_ERROR;
|
|
BLOBHEADER *pBlob = NULL;
|
|
DWORD cbBlob = 0;
|
|
RSAPUBKEY *pRSAPubKey;
|
|
BYTE *pb;
|
|
|
|
// decode the public key from the cert into a PUBLICKEYBLOB
|
|
if (!CryptDecodeObject(X509_ASN_ENCODING,
|
|
RSA_CSP_PUBLICKEYBLOB,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData,
|
|
0,
|
|
NULL,
|
|
&cbBlob))
|
|
{
|
|
dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
|
|
goto ErrorExit;
|
|
}
|
|
|
|
pBlob = (BLOBHEADER*)SGCAlloc(cbBlob);
|
|
if (NULL == pBlob)
|
|
{
|
|
dwReturn = ERROR_NOT_ENOUGH_MEMORY;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
if (!CryptDecodeObject(X509_ASN_ENCODING,
|
|
RSA_CSP_PUBLICKEYBLOB,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData,
|
|
pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData,
|
|
0,
|
|
pBlob,
|
|
&cbBlob))
|
|
{
|
|
dwReturn = (DWORD)NTE_BAD_DATA; // ?BUGBUG? Always?
|
|
goto ErrorExit;
|
|
}
|
|
|
|
pRSAPubKey = (RSAPUBKEY*)((BYTE*)pBlob + sizeof(BLOBHEADER));
|
|
|
|
// check the length of the modulus and the exponent
|
|
if (((pRSAPubKey->bitlen / 8) != cbExchKeyMod) ||
|
|
(pRSAPubKey->pubexp != dwExchKeyExpo))
|
|
{
|
|
dwReturn = (DWORD)NTE_BAD_DATA;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
// check that the modulus values match
|
|
pb = (BYTE*)pRSAPubKey + sizeof(RSAPUBKEY);
|
|
if (0 != memcmp(pbExchKeyMod, pb, cbExchKeyMod))
|
|
{
|
|
dwReturn = (DWORD)NTE_BAD_DATA;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
dwReturn = ERROR_SUCCESS;
|
|
|
|
ErrorExit:
|
|
if (pBlob)
|
|
SGCFree(pBlob);
|
|
return dwReturn;
|
|
}
|
|
|
|
|
|
static DWORD
|
|
ReadSgcExtensions(
|
|
PCCERT_CONTEXT pCertContext)
|
|
{
|
|
PCERT_EXTENSION pExt;
|
|
PCTL_USAGE pUsage = NULL;
|
|
DWORD cbUsage;
|
|
DWORD dwSGCFlags = 0;
|
|
DWORD i;
|
|
|
|
pExt = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
|
|
pCertContext->pCertInfo->cExtension,
|
|
pCertContext->pCertInfo->rgExtension);
|
|
if (pExt == NULL)
|
|
goto cleanup;
|
|
|
|
if (!CryptDecodeObject(X509_ASN_ENCODING,
|
|
X509_ENHANCED_KEY_USAGE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbUsage))
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
pUsage = (PCTL_USAGE)SGCAlloc(cbUsage);
|
|
if (pUsage == NULL)
|
|
goto cleanup;
|
|
|
|
if (!CryptDecodeObject(X509_ASN_ENCODING,
|
|
X509_ENHANCED_KEY_USAGE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pUsage,
|
|
&cbUsage))
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
for (i = 0; i < pUsage->cUsageIdentifier; i++)
|
|
{
|
|
if (0 == strcmp(pUsage->rgpszUsageIdentifier[i],
|
|
szOID_SGC_NETSCAPE))
|
|
{
|
|
dwSGCFlags |= CRYPT_SGC;
|
|
}
|
|
else if (0 == strcmp(pUsage->rgpszUsageIdentifier[i],
|
|
szOID_SERVER_GATED_CRYPTO))
|
|
{
|
|
dwSGCFlags |= CRYPT_FASTSGC | CRYPT_SGC;
|
|
}
|
|
}
|
|
|
|
cleanup:
|
|
if (pUsage)
|
|
SGCFree(pUsage);
|
|
return dwSGCFlags;
|
|
}
|
|
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: FindBridgeCertificate
|
|
//
|
|
// Synopsis: Search the specified certificate store for a valid SGC
|
|
// bridge certificate.
|
|
//
|
|
// Arguments: [hCAStore] -- Certificate store to search. This is
|
|
// typically the CA store.
|
|
//
|
|
// [pChainContext] -- Certificate chain for which we are finding
|
|
// a bridge certificate. The bridge cert
|
|
// may branch off of any certificate in the
|
|
// chain.
|
|
//
|
|
// [pRootContext] -- Handle to baked-in SGC root certificate
|
|
// (typically Geneva).
|
|
//
|
|
// History: 11-16-98 jbanes Created
|
|
//
|
|
// Notes: An SGC bridge certificate is defined as a certificate with a
|
|
// SUBJECT equal to the ISSUER in one of the 'pChainContext'
|
|
// certificates. To be valid, the bridge certificate must
|
|
// contain at least one SGC EKU and it must chain up to a
|
|
// baked-in SGC root certificate.
|
|
//
|
|
// Returns: TRUE if a valid SGC bridge cert was found, and FALSE
|
|
// otherwise.
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
static BOOL
|
|
FindBridgeCertificate(
|
|
IN HCERTSTORE hCAStore,
|
|
IN PCCERT_CHAIN_CONTEXT pChainContext,
|
|
IN PCCERT_CONTEXT pRootContext)
|
|
{
|
|
PCERT_SIMPLE_CHAIN pSimpleChain;
|
|
PCCERT_CONTEXT pCurrent = NULL;
|
|
PCCERT_CONTEXT pCurrentCA = NULL;
|
|
PCCERT_CHAIN_CONTEXT pCAChainContext = NULL;
|
|
CERT_CHAIN_PARA ChainPara;
|
|
CERT_TRUST_STATUS TrustStatus;
|
|
BOOL fFound;
|
|
DWORD i;
|
|
BOOL fRet = FALSE;
|
|
DWORD dwFlags;
|
|
|
|
//
|
|
// Enumerate all of the certificates in the CA store that contain
|
|
// one of the SGC extensions.
|
|
//
|
|
|
|
pCurrent = NULL;
|
|
|
|
for (;;)
|
|
{
|
|
// Find an SGC intermediate certificate.
|
|
pCurrentCA = CertFindCertificateInStore(
|
|
hCAStore,
|
|
X509_ASN_ENCODING,
|
|
CERT_FIND_OR_ENHKEY_USAGE_FLAG,
|
|
CERT_COMPARE_ENHKEY_USAGE,
|
|
&SGCExtensions,
|
|
pCurrentCA);
|
|
if (pCurrentCA == NULL)
|
|
break;
|
|
|
|
|
|
//
|
|
// Is this CA certificate a bridge for any of the certificates in the
|
|
// passed in certificate chain?
|
|
//
|
|
|
|
fFound = FALSE;
|
|
pSimpleChain = pChainContext->rgpChain[0];
|
|
|
|
for (i = 0; i < pSimpleChain->cElement; i++)
|
|
{
|
|
pCurrent = pSimpleChain->rgpElement[i]->pCertContext;
|
|
|
|
if (ReadSgcExtensions(pCurrent) == 0)
|
|
{
|
|
// This certificate doesn't contain any SGC certificate
|
|
// extensions, so skip the rest of this chain.
|
|
break;
|
|
}
|
|
|
|
if (CertCompareCertificateName(X509_ASN_ENCODING,
|
|
&pCurrentCA->pCertInfo->Subject,
|
|
&pCurrent->pCertInfo->Issuer))
|
|
{
|
|
// The names match. Now check the signature.
|
|
dwFlags = SGC_VERIFICATION_FLAGS;
|
|
|
|
if (!CertVerifySubjectCertificateContext(pCurrent,
|
|
pCurrentCA,
|
|
&dwFlags))
|
|
{
|
|
// Error checking signature.
|
|
continue;
|
|
}
|
|
if (dwFlags & SGC_VERIFICATION_FLAGS)
|
|
{
|
|
// Signature did not verify or certificate expired.
|
|
continue;
|
|
}
|
|
|
|
fFound = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if (!fFound)
|
|
continue;
|
|
|
|
|
|
//
|
|
// Does this CA certificate chain up to Geneva?
|
|
//
|
|
|
|
ZeroMemory(&ChainPara, sizeof(ChainPara));
|
|
ChainPara.cbSize = sizeof(ChainPara);
|
|
|
|
if (!CertGetCertificateChain(NULL,
|
|
pCurrentCA,
|
|
NULL,
|
|
hCAStore,
|
|
&ChainPara,
|
|
0,
|
|
NULL,
|
|
&pCAChainContext))
|
|
{
|
|
// Error building chain.
|
|
continue;
|
|
}
|
|
|
|
pSimpleChain = pCAChainContext->rgpChain[0];
|
|
|
|
for (i = 0; i < pSimpleChain->cElement; i++)
|
|
{
|
|
pCurrent = pSimpleChain->rgpElement[i]->pCertContext;
|
|
|
|
// Determine if certificate is signed correctly.
|
|
TrustStatus = pSimpleChain->rgpElement[i]->TrustStatus;
|
|
if (0 != (TrustStatus.dwErrorStatus
|
|
& CERT_TRUST_IS_NOT_SIGNATURE_VALID))
|
|
{
|
|
break;
|
|
}
|
|
|
|
// Is issuer Geneva?
|
|
if (CertCompareCertificateName(pCurrent->dwCertEncodingType,
|
|
&pCurrent->pCertInfo->Issuer,
|
|
&pRootContext->pCertInfo->Subject))
|
|
{
|
|
// Verify the signature of the current certificate using the
|
|
// validated root certificate from the schannel resource.
|
|
dwFlags = SGC_VERIFICATION_FLAGS;
|
|
if (!CertVerifySubjectCertificateContext(pCurrent,
|
|
pRootContext,
|
|
&dwFlags))
|
|
{
|
|
break;
|
|
}
|
|
if (dwFlags & SGC_VERIFICATION_FLAGS)
|
|
break;
|
|
|
|
fRet = TRUE;
|
|
goto ErrorExit;
|
|
}
|
|
}
|
|
}
|
|
|
|
ErrorExit:
|
|
if (pCurrentCA)
|
|
CertFreeCertificateContext(pCurrentCA);
|
|
if (pCAChainContext)
|
|
CertFreeCertificateChain(pCAChainContext);
|
|
return fRet;
|
|
}
|
|
|
|
|
|
//
|
|
// check if the context may be SGC enabled
|
|
//
|
|
|
|
DWORD
|
|
SPQueryCFLevel(
|
|
IN PCCERT_CONTEXT pCertContext,
|
|
IN BYTE *pbExchKeyMod,
|
|
IN DWORD cbExchKeyMod,
|
|
IN DWORD dwExchKeyExpo,
|
|
OUT DWORD *pdwSGCFlags)
|
|
{
|
|
DWORD dwReturn = ERROR_INTERNAL_ERROR;
|
|
DWORD i, j;
|
|
|
|
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
|
|
CERT_CHAIN_PARA ChainPara;
|
|
PCERT_SIMPLE_CHAIN pSimpleChain;
|
|
CERT_TRUST_STATUS TrustStatus;
|
|
HCERTSTORE hCAStore = NULL;
|
|
|
|
PCCERT_CONTEXT pCurrent = NULL;
|
|
PCCERT_CONTEXT pIssuer = NULL;
|
|
DWORD dwFlags;
|
|
DWORD dwSgcFlags;
|
|
DWORD dwSts;
|
|
|
|
|
|
*pdwSGCFlags = 0;
|
|
|
|
|
|
//
|
|
// check if the passed in public key matches the one in the cert
|
|
//
|
|
|
|
if (pbExchKeyMod)
|
|
{
|
|
dwSts = SamePublicKey(pCertContext, pbExchKeyMod,
|
|
cbExchKeyMod, dwExchKeyExpo);
|
|
if (ERROR_SUCCESS != dwSts)
|
|
{
|
|
dwReturn = dwSts;
|
|
goto ErrorExit;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Does the leaf certificate contain any SGC extensions?
|
|
//
|
|
|
|
dwSgcFlags = ReadSgcExtensions(pCertContext);
|
|
|
|
if (dwSgcFlags == 0)
|
|
{
|
|
// No SGC extensions found.
|
|
dwReturn = ERROR_SUCCESS;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
|
|
//
|
|
// Build a certificate chain.
|
|
//
|
|
|
|
ZeroMemory(&ChainPara, sizeof(ChainPara));
|
|
ChainPara.cbSize = sizeof(ChainPara);
|
|
|
|
*pdwSGCFlags = 0;
|
|
|
|
if (!CertGetCertificateChain(
|
|
NULL,
|
|
pCertContext,
|
|
NULL,
|
|
pCertContext->hCertStore,
|
|
&ChainPara,
|
|
0,
|
|
NULL,
|
|
&pChainContext))
|
|
{
|
|
dwReturn = GetLastError();
|
|
goto ErrorExit;
|
|
}
|
|
|
|
|
|
//
|
|
// Does the leaf chain directly up to the Geneva root?
|
|
//
|
|
|
|
pSimpleChain = pChainContext->rgpChain[0];
|
|
for (i = 0; i < pSimpleChain->cElement; i++)
|
|
{
|
|
pCurrent = pSimpleChain->rgpElement[i]->pCertContext;
|
|
|
|
if (ReadSgcExtensions(pCurrent) == 0)
|
|
{
|
|
// This certificate doesn't contain any SGC certificate
|
|
// extensions, so skip the rest of this chain.
|
|
break;
|
|
}
|
|
|
|
TrustStatus = pSimpleChain->rgpElement[i]->TrustStatus;
|
|
if (0 != (TrustStatus.dwErrorStatus
|
|
& CERT_TRUST_IS_NOT_SIGNATURE_VALID))
|
|
{
|
|
// Certificate is not signed correctly.
|
|
dwReturn = (DWORD)NTE_BAD_SIGNATURE;
|
|
goto ErrorExit;
|
|
}
|
|
|
|
// Is Geneva issuer of "pCurrent"?
|
|
for (j = 0; j < SGCRootCount; j++)
|
|
{
|
|
dwFlags = SGC_VERIFICATION_FLAGS;
|
|
if (!CertVerifySubjectCertificateContext(
|
|
pCurrent,
|
|
SGCRoots[j].pCertContext,
|
|
&dwFlags))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
if (dwFlags & SGC_VERIFICATION_FLAGS)
|
|
{
|
|
continue;
|
|
}
|
|
|
|
// We made it, so set the SGC flags as appropriate.
|
|
*pdwSGCFlags |= dwSgcFlags;
|
|
dwReturn = ERROR_SUCCESS;
|
|
goto ErrorExit;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Search for bridge certificate.
|
|
//
|
|
|
|
hCAStore = CertOpenSystemStore(0, "CA");
|
|
if (NULL == hCAStore)
|
|
{
|
|
dwReturn = GetLastError();
|
|
goto ErrorExit;
|
|
}
|
|
|
|
for (i = 0; i < SGCRootCount; i++)
|
|
{
|
|
if (SGCRoots[i].pCertContext != NULL)
|
|
{
|
|
if (FindBridgeCertificate(hCAStore,
|
|
pChainContext,
|
|
SGCRoots[i].pCertContext))
|
|
{
|
|
// We made it, so set the SGC flags as appropriate.
|
|
*pdwSGCFlags |= dwSgcFlags;
|
|
dwReturn = ERROR_SUCCESS;
|
|
goto ErrorExit;
|
|
}
|
|
}
|
|
}
|
|
|
|
dwReturn = (DWORD)NTE_FAIL;
|
|
|
|
ErrorExit:
|
|
if (pIssuer)
|
|
CertFreeCertificateContext(pIssuer);
|
|
if (pChainContext)
|
|
CertFreeCertificateChain(pChainContext);
|
|
if (hCAStore)
|
|
CertCloseStore(hCAStore, 0);
|
|
return dwReturn;
|
|
}
|
|
|