ReactOS 0.4.15-dev-6662-g1b3eed5
Classes | Macros | Typedefs | Functions | Variables
chain.c File Reference
#include <stdarg.h>
#include "windef.h"
#include "winbase.h"
#include "wincrypt.h"
#include "wininet.h"
#include "wine/debug.h"
#include "wine/unicode.h"
#include "crypt32_private.h"
Include dependency graph for chain.c:

Go to the source code of this file.

Classes

struct  _CertificateChainEngine
 
struct  _CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT
 
struct  _CertificateChain
 
struct  _CERT_CHAIN_PARA_NO_EXTRA_FIELDS
 

Macros

#define NONAMELESSUNION
 
#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
 
#define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
 
#define DEFAULT_CYCLE_MODULUS   7
 
#define trace_usage_bit(bits, bit)    if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
 
#define trace_cert_type_bit(bits, bit)    if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
 
#define CHAIN_QUALITY_SIGNATURE_VALID   0x16
 
#define CHAIN_QUALITY_TIME_VALID   8
 
#define CHAIN_QUALITY_COMPLETE_CHAIN   4
 
#define CHAIN_QUALITY_BASIC_CONSTRAINTS   2
 
#define CHAIN_QUALITY_TRUSTED_ROOT   1
 
#define CHAIN_QUALITY_HIGHEST
 
#define IS_TRUST_ERROR_SET(TrustStatus, bits)    (TrustStatus)->dwErrorStatus & (bits)
 

Typedefs

typedef struct _CertificateChainEngine CertificateChainEngine
 
typedef struct _CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT
 
typedef struct _CertificateChain CertificateChain
 
typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS CERT_CHAIN_PARA_NO_EXTRA_FIELDS
 
typedef BOOL(WINAPICertVerifyCertificateChainPolicyFunc) (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 

Functions

 WINE_DEFAULT_DEBUG_CHANNEL (crypt)
 
 WINE_DECLARE_DEBUG_CHANNEL (chain)
 
static void CRYPT_AddStoresToCollection (HCERTSTORE collection, DWORD cStores, HCERTSTORE *stores)
 
static void CRYPT_CloseStores (DWORD cStores, HCERTSTORE *stores)
 
static PCCERT_CONTEXT CRYPT_FindCertInStore (HCERTSTORE store, PCCERT_CONTEXT cert)
 
static BOOL CRYPT_CheckRestrictedRoot (HCERTSTORE store)
 
HCERTCHAINENGINE CRYPT_CreateChainEngine (HCERTSTORE root, DWORD system_store, const CERT_CHAIN_ENGINE_CONFIG *config)
 
static CertificateChainEngineget_chain_engine (HCERTCHAINENGINE handle, BOOL allow_default)
 
static void free_chain_engine (CertificateChainEngine *engine)
 
BOOL WINAPI CertCreateCertificateChainEngine (PCERT_CHAIN_ENGINE_CONFIG pConfig, HCERTCHAINENGINE *phChainEngine)
 
void WINAPI CertFreeCertificateChainEngine (HCERTCHAINENGINE hChainEngine)
 
void default_chain_engine_free (void)
 
DWORD CRYPT_IsCertificateSelfSigned (const CERT_CONTEXT *cert)
 
static void CRYPT_FreeChainElement (PCERT_CHAIN_ELEMENT element)
 
static void CRYPT_CheckSimpleChainForCycles (PCERT_SIMPLE_CHAIN chain)
 
static BOOL CRYPT_IsSimpleChainCyclic (const CERT_SIMPLE_CHAIN *chain)
 
static void CRYPT_CombineTrustStatus (CERT_TRUST_STATUS *chainStatus, const CERT_TRUST_STATUS *elementStatus)
 
static BOOL CRYPT_AddCertToSimpleChain (const CertificateChainEngine *engine, PCERT_SIMPLE_CHAIN chain, PCCERT_CONTEXT cert, DWORD subjectInfoStatus)
 
static void CRYPT_FreeSimpleChain (PCERT_SIMPLE_CHAIN chain)
 
static void CRYPT_CheckTrustedStatus (HCERTSTORE hRoot, PCERT_CHAIN_ELEMENT rootElement)
 
static void CRYPT_CheckRootCert (HCERTSTORE hRoot, PCERT_CHAIN_ELEMENT rootElement)
 
static BOOL CRYPT_DecodeBasicConstraints (PCCERT_CONTEXT cert, CERT_BASIC_CONSTRAINTS2_INFO *constraints, BOOL defaultIfNotSpecified)
 
static BOOL CRYPT_CheckBasicConstraintsForCA (CertificateChainEngine *engine, PCCERT_CONTEXT cert, CERT_BASIC_CONSTRAINTS2_INFO *chainConstraints, DWORD remainingCAs, BOOL isRoot, BOOL *pathLengthConstraintViolated)
 
static BOOL domain_name_matches (LPCWSTR constraint, LPCWSTR name)
 
static BOOL url_matches (LPCWSTR constraint, LPCWSTR name, DWORD *trustErrorStatus)
 
static BOOL rfc822_name_matches (LPCWSTR constraint, LPCWSTR name, DWORD *trustErrorStatus)
 
static BOOL dns_name_matches (LPCWSTR constraint, LPCWSTR name, DWORD *trustErrorStatus)
 
static BOOL ip_address_matches (const CRYPT_DATA_BLOB *constraint, const CRYPT_DATA_BLOB *name, DWORD *trustErrorStatus)
 
static BOOL directory_name_matches (const CERT_NAME_BLOB *constraint, const CERT_NAME_BLOB *name)
 
static BOOL alt_name_matches (const CERT_ALT_NAME_ENTRY *name, const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus, BOOL *present)
 
static BOOL alt_name_matches_excluded_name (const CERT_ALT_NAME_ENTRY *name, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 
static BOOL alt_name_matches_permitted_name (const CERT_ALT_NAME_ENTRY *name, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus, BOOL *present)
 
static PCERT_EXTENSION get_subject_alt_name_ext (const CERT_INFO *cert)
 
static void compare_alt_name_with_constraints (const CERT_EXTENSION *altNameExt, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 
static BOOL rfc822_attr_matches_excluded_name (const CERT_RDN_ATTR *attr, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 
static BOOL rfc822_attr_matches_permitted_name (const CERT_RDN_ATTR *attr, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus, BOOL *present)
 
static void compare_subject_with_email_constraints (const CERT_NAME_BLOB *subjectName, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 
static BOOL CRYPT_IsEmptyName (const CERT_NAME_BLOB *name)
 
static void compare_subject_with_constraints (const CERT_NAME_BLOB *subjectName, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 
static void CRYPT_CheckNameConstraints (const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert, DWORD *trustErrorStatus)
 
static CERT_NAME_CONSTRAINTS_INFOCRYPT_GetNameConstraints (CERT_INFO *cert)
 
static BOOL CRYPT_IsValidNameConstraint (const CERT_NAME_CONSTRAINTS_INFO *info)
 
static void CRYPT_CheckChainNameConstraints (PCERT_SIMPLE_CHAIN chain)
 
static CERT_POLICIES_INFOCRYPT_GetPolicies (PCCERT_CONTEXT cert)
 
static void CRYPT_CheckPolicies (const CERT_POLICIES_INFO *policies, CERT_INFO *cert, DWORD *errorStatus)
 
static void CRYPT_CheckChainPolicies (PCERT_SIMPLE_CHAIN chain)
 
static LPWSTR name_value_to_str (const CERT_NAME_BLOB *name)
 
static void dump_alt_name_entry (const CERT_ALT_NAME_ENTRY *entry)
 
static void dump_alt_name (LPCSTR type, const CERT_EXTENSION *ext)
 
static void dump_basic_constraints (const CERT_EXTENSION *ext)
 
static void dump_basic_constraints2 (const CERT_EXTENSION *ext)
 
static void dump_key_usage (const CERT_EXTENSION *ext)
 
static void dump_general_subtree (const CERT_GENERAL_SUBTREE *subtree)
 
static void dump_name_constraints (const CERT_EXTENSION *ext)
 
static void dump_cert_policies (const CERT_EXTENSION *ext)
 
static void dump_enhanced_key_usage (const CERT_EXTENSION *ext)
 
static void dump_netscape_cert_type (const CERT_EXTENSION *ext)
 
static void dump_extension (const CERT_EXTENSION *ext)
 
static LPCSTR filetime_to_str (const FILETIME *time)
 
static void dump_element (PCCERT_CONTEXT cert)
 
static BOOL CRYPT_KeyUsageValid (CertificateChainEngine *engine, PCCERT_CONTEXT cert, BOOL isRoot, BOOL isCA, DWORD index)
 
static BOOL CRYPT_CriticalExtensionsSupported (PCCERT_CONTEXT cert)
 
static BOOL CRYPT_IsCertVersionValid (PCCERT_CONTEXT cert)
 
static void CRYPT_CheckSimpleChain (CertificateChainEngine *engine, PCERT_SIMPLE_CHAIN chain, LPFILETIME time)
 
static PCCERT_CONTEXT CRYPT_FindIssuer (const CertificateChainEngine *engine, const CERT_CONTEXT *cert, HCERTSTORE store, DWORD type, void *para, DWORD flags, PCCERT_CONTEXT prev_issuer)
 
static PCCERT_CONTEXT CRYPT_GetIssuer (const CertificateChainEngine *engine, HCERTSTORE store, PCCERT_CONTEXT subject, PCCERT_CONTEXT prevIssuer, DWORD flags, DWORD *infoStatus)
 
static BOOL CRYPT_BuildSimpleChain (const CertificateChainEngine *engine, HCERTSTORE world, DWORD flags, PCERT_SIMPLE_CHAIN chain)
 
static LPCSTR debugstr_filetime (LPFILETIME pTime)
 
static BOOL CRYPT_GetSimpleChainForCert (CertificateChainEngine *engine, HCERTSTORE world, PCCERT_CONTEXT cert, LPFILETIME pTime, DWORD flags, PCERT_SIMPLE_CHAIN *ppChain)
 
static BOOL CRYPT_BuildCandidateChainFromCert (CertificateChainEngine *engine, PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore, DWORD flags, CertificateChain **ppChain)
 
static PCERT_SIMPLE_CHAIN CRYPT_CopySimpleChainToElement (const CERT_SIMPLE_CHAIN *chain, DWORD iElement)
 
static void CRYPT_FreeLowerQualityChains (CertificateChain *chain)
 
static void CRYPT_FreeChainContext (CertificateChain *chain)
 
static CertificateChainCRYPT_CopyChainToElement (CertificateChain *chain, DWORD iChain, DWORD iElement)
 
static CertificateChainCRYPT_BuildAlternateContextFromChain (CertificateChainEngine *engine, LPFILETIME pTime, HCERTSTORE hAdditionalStore, DWORD flags, CertificateChain *chain)
 
static DWORD CRYPT_ChainQuality (const CertificateChain *chain)
 
static CertificateChainCRYPT_ChooseHighestQualityChain (CertificateChain *chain)
 
static BOOL CRYPT_AddAlternateChainToChain (CertificateChain *chain, const CertificateChain *alternate)
 
static PCERT_CHAIN_ELEMENT CRYPT_FindIthElementInChain (const CERT_CHAIN_CONTEXT *chain, DWORD i)
 
static void CRYPT_VerifyChainRevocation (PCERT_CHAIN_CONTEXT chain, LPFILETIME pTime, HCERTSTORE hAdditionalStore, const CERT_CHAIN_PARA *pChainPara, DWORD chainFlags)
 
static void CRYPT_CheckUsages (PCERT_CHAIN_CONTEXT chain, const CERT_CHAIN_PARA *pChainPara)
 
static void dump_usage_match (LPCSTR name, const CERT_USAGE_MATCH *usageMatch)
 
static void dump_chain_para (const CERT_CHAIN_PARA *pChainPara)
 
BOOL WINAPI CertGetCertificateChain (HCERTCHAINENGINE hChainEngine, PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore, PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved, PCCERT_CHAIN_CONTEXT *ppChainContext)
 
PCCERT_CHAIN_CONTEXT WINAPI CertDuplicateCertificateChain (PCCERT_CHAIN_CONTEXT pChainContext)
 
VOID WINAPI CertFreeCertificateChain (PCCERT_CHAIN_CONTEXT pChainContext)
 
PCCERT_CHAIN_CONTEXT WINAPI CertFindChainInStore (HCERTSTORE store, DWORD certEncodingType, DWORD findFlags, DWORD findType, const void *findPara, PCCERT_CHAIN_CONTEXT prevChainContext)
 
static void find_element_with_error (PCCERT_CHAIN_CONTEXT chain, DWORD error, LONG *iChain, LONG *iElement)
 
static BOOL WINAPI verify_base_policy (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 
static void dump_authenticode_extra_chain_policy_para (AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA *extraPara)
 
static BOOL WINAPI verify_authenticode_policy (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 
static BOOL WINAPI verify_basic_constraints_policy (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 
static BOOL match_dns_to_subject_alt_name (const CERT_EXTENSION *ext, LPCWSTR server_name)
 
static BOOL find_matching_domain_component (const CERT_NAME_INFO *name, LPCWSTR component)
 
static BOOL match_domain_component (LPCWSTR allowed_component, DWORD allowed_len, LPCWSTR server_component, DWORD server_len, BOOL allow_wildcards, BOOL *see_wildcard)
 
static BOOL match_common_name (LPCWSTR server_name, const CERT_RDN_ATTR *nameAttr)
 
static BOOL match_dns_to_subject_dn (PCCERT_CONTEXT cert, LPCWSTR server_name)
 
static void dump_ssl_extra_chain_policy_para (HTTPSPolicyCallbackData *sslPara)
 
static BOOL WINAPI verify_ssl_policy (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 
static BOOL WINAPI verify_ms_root_policy (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 
static void dump_policy_para (PCERT_CHAIN_POLICY_PARA para)
 
BOOL WINAPI CertVerifyCertificateChainPolicy (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 

Variables

static const WCHAR rootW [] = { 'R','o','o','t',0 }
 
static CertificateChainEnginedefault_cu_engine
 
static CertificateChainEnginedefault_lm_engine
 
static BYTE msTestPubKey1 []
 
static BYTE msTestPubKey2 []
 
static BYTE msPubKey1 []
 
static BYTE msPubKey2 []
 
static BYTE msPubKey3 []
 

Macro Definition Documentation

◆ CERT_CHAIN_PARA_HAS_EXTRA_FIELDS

#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS

Definition at line 23 of file chain.c.

◆ CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS

#define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS

Definition at line 24 of file chain.c.

◆ CHAIN_QUALITY_BASIC_CONSTRAINTS

#define CHAIN_QUALITY_BASIC_CONSTRAINTS   2

Definition at line 2517 of file chain.c.

◆ CHAIN_QUALITY_COMPLETE_CHAIN

#define CHAIN_QUALITY_COMPLETE_CHAIN   4

Definition at line 2516 of file chain.c.

◆ CHAIN_QUALITY_HIGHEST

#define CHAIN_QUALITY_HIGHEST
Value:
CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
CHAIN_QUALITY_TRUSTED_ROOT
CHAIN_QUALITY_SIGNATURE_VALID
#define CHAIN_QUALITY_SIGNATURE_VALID
Definition: chain.c:2514
CHAIN_QUALITY_TRUSTED_ROOT
#define CHAIN_QUALITY_TRUSTED_ROOT
Definition: chain.c:2518
CHAIN_QUALITY_TIME_VALID
#define CHAIN_QUALITY_TIME_VALID
Definition: chain.c:2515
CHAIN_QUALITY_BASIC_CONSTRAINTS
#define CHAIN_QUALITY_BASIC_CONSTRAINTS
Definition: chain.c:2517
CHAIN_QUALITY_COMPLETE_CHAIN
#define CHAIN_QUALITY_COMPLETE_CHAIN
Definition: chain.c:2516

Definition at line 2520 of file chain.c.

◆ CHAIN_QUALITY_SIGNATURE_VALID

#define CHAIN_QUALITY_SIGNATURE_VALID   0x16

Definition at line 2514 of file chain.c.

◆ CHAIN_QUALITY_TIME_VALID

#define CHAIN_QUALITY_TIME_VALID   8

Definition at line 2515 of file chain.c.

◆ CHAIN_QUALITY_TRUSTED_ROOT

#define CHAIN_QUALITY_TRUSTED_ROOT   1

Definition at line 2518 of file chain.c.

◆ DEFAULT_CYCLE_MODULUS

#define DEFAULT_CYCLE_MODULUS   7

Definition at line 34 of file chain.c.

◆ IS_TRUST_ERROR_SET

#define IS_TRUST_ERROR_SET (   TrustStatus,
  bits 
)     (TrustStatus)->dwErrorStatus & (bits)

Definition at line 2525 of file chain.c.

◆ NONAMELESSUNION

#define NONAMELESSUNION

Definition at line 20 of file chain.c.

◆ trace_cert_type_bit

#define trace_cert_type_bit (   bits,
  bit 
)     if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)

◆ trace_usage_bit

#define trace_usage_bit (   bits,
  bit 
)     if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)

Typedef Documentation

◆ CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT

typedef struct _CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT

◆ CERT_CHAIN_PARA_NO_EXTRA_FIELDS

typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS CERT_CHAIN_PARA_NO_EXTRA_FIELDS

◆ CertificateChain

typedef struct _CertificateChain CertificateChain

◆ CertificateChainEngine

typedef struct _CertificateChainEngine CertificateChainEngine

◆ CertVerifyCertificateChainPolicyFunc

typedef BOOL(WINAPI * CertVerifyCertificateChainPolicyFunc) (LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)

Definition at line 3702 of file chain.c.

Function Documentation

◆ alt_name_matches()

static BOOL alt_name_matches ( const CERT_ALT_NAME_ENTRY name,
const CERT_ALT_NAME_ENTRY constraint,
DWORD trustErrorStatus,
BOOL present 
)
static

Definition at line 886 of file chain.c.

888{
889 BOOL match = FALSE;
890
891 if (name->dwAltNameChoice == constraint->dwAltNameChoice)
892 {
893 if (present)
894 *present = TRUE;
895 switch (constraint->dwAltNameChoice)
896 {
897 case CERT_ALT_NAME_RFC822_NAME:
898 match = rfc822_name_matches(constraint->u.pwszURL,
899 name->u.pwszURL, trustErrorStatus);
900 break;
901 case CERT_ALT_NAME_DNS_NAME:
902 match = dns_name_matches(constraint->u.pwszURL,
903 name->u.pwszURL, trustErrorStatus);
904 break;
905 case CERT_ALT_NAME_URL:
906 match = url_matches(constraint->u.pwszURL,
907 name->u.pwszURL, trustErrorStatus);
908 break;
909 case CERT_ALT_NAME_IP_ADDRESS:
910 match = ip_address_matches(&constraint->u.IPAddress,
911 &name->u.IPAddress, trustErrorStatus);
912 break;
913 case CERT_ALT_NAME_DIRECTORY_NAME:
914 match = directory_name_matches(&constraint->u.DirectoryName,
915 &name->u.DirectoryName);
916 break;
917 default:
918 ERR("name choice %d unsupported in this context\n",
919 constraint->dwAltNameChoice);
920 *trustErrorStatus |=
921 CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
922 }
923 }
924 else if (present)
925 *present = FALSE;
926 return match;
927}
ERR
#define ERR(fmt,...)
Definition: debug.h:110
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
url_matches
static BOOL url_matches(LPCWSTR constraint, LPCWSTR name, DWORD *trustErrorStatus)
Definition: chain.c:682
ip_address_matches
static BOOL ip_address_matches(const CRYPT_DATA_BLOB *constraint, const CRYPT_DATA_BLOB *name, DWORD *trustErrorStatus)
Definition: chain.c:820
dns_name_matches
static BOOL dns_name_matches(LPCWSTR constraint, LPCWSTR name, DWORD *trustErrorStatus)
Definition: chain.c:775
rfc822_name_matches
static BOOL rfc822_name_matches(LPCWSTR constraint, LPCWSTR name, DWORD *trustErrorStatus)
Definition: chain.c:751
directory_name_matches
static BOOL directory_name_matches(const CERT_NAME_BLOB *constraint, const CERT_NAME_BLOB *name)
Definition: chain.c:864
BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94
_CERT_ALT_NAME_ENTRY::pwszURL
LPWSTR pwszURL
Definition: wincrypt.h:339
_CERT_ALT_NAME_ENTRY::dwAltNameChoice
DWORD dwAltNameChoice
Definition: wincrypt.h:333
_CERT_ALT_NAME_ENTRY::IPAddress
CRYPT_DATA_BLOB IPAddress
Definition: wincrypt.h:340
_CERT_ALT_NAME_ENTRY::DirectoryName
CERT_NAME_BLOB DirectoryName
Definition: wincrypt.h:338
match
Definition: match.c:28
name
Definition: name.c:39
CERT_ALT_NAME_URL
#define CERT_ALT_NAME_URL
Definition: wincrypt.h:351
CERT_ALT_NAME_DIRECTORY_NAME
#define CERT_ALT_NAME_DIRECTORY_NAME
Definition: wincrypt.h:349
CERT_ALT_NAME_IP_ADDRESS
#define CERT_ALT_NAME_IP_ADDRESS
Definition: wincrypt.h:352
CERT_ALT_NAME_RFC822_NAME
#define CERT_ALT_NAME_RFC822_NAME
Definition: wincrypt.h:346
CERT_ALT_NAME_DNS_NAME
#define CERT_ALT_NAME_DNS_NAME
Definition: wincrypt.h:347
CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
#define CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
Definition: wincrypt.h:882

Referenced by alt_name_matches_excluded_name(), and alt_name_matches_permitted_name().

◆ alt_name_matches_excluded_name()

static BOOL alt_name_matches_excluded_name ( const CERT_ALT_NAME_ENTRY name,
const CERT_NAME_CONSTRAINTS_INFO nameConstraints,
DWORD trustErrorStatus 
)
static

Definition at line 929 of file chain.c.

931{
932 DWORD i;
933 BOOL match = FALSE;
934
935 for (i = 0; !match && i < nameConstraints->cExcludedSubtree; i++)
936 match = alt_name_matches(name,
937 &nameConstraints->rgExcludedSubtree[i].Base, trustErrorStatus, NULL);
938 return match;
939}
NULL
#define NULL
Definition: types.h:112
alt_name_matches
static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name, const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus, BOOL *present)
Definition: chain.c:886
DWORD
unsigned long DWORD
Definition: ntddk_ex.h:95
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
_CERT_GENERAL_SUBTREE::Base
CERT_ALT_NAME_ENTRY Base
Definition: wincrypt.h:571
_CERT_NAME_CONSTRAINTS_INFO::cExcludedSubtree
DWORD cExcludedSubtree
Definition: wincrypt.h:580
_CERT_NAME_CONSTRAINTS_INFO::rgExcludedSubtree
PCERT_GENERAL_SUBTREE rgExcludedSubtree
Definition: wincrypt.h:581

Referenced by compare_alt_name_with_constraints().

◆ alt_name_matches_permitted_name()

static BOOL alt_name_matches_permitted_name ( const CERT_ALT_NAME_ENTRY name,
const CERT_NAME_CONSTRAINTS_INFO nameConstraints,
DWORD trustErrorStatus,
BOOL present 
)
static

Definition at line 941 of file chain.c.

944{
945 DWORD i;
946 BOOL match = FALSE;
947
948 for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
949 match = alt_name_matches(name,
950 &nameConstraints->rgPermittedSubtree[i].Base, trustErrorStatus,
951 present);
952 return match;
953}
_CERT_NAME_CONSTRAINTS_INFO::rgPermittedSubtree
PCERT_GENERAL_SUBTREE rgPermittedSubtree
Definition: wincrypt.h:579
_CERT_NAME_CONSTRAINTS_INFO::cPermittedSubtree
DWORD cPermittedSubtree
Definition: wincrypt.h:578

Referenced by compare_alt_name_with_constraints().

◆ CertCreateCertificateChainEngine()

BOOL WINAPI CertCreateCertificateChainEngine ( PCERT_CHAIN_ENGINE_CONFIG  pConfig,
HCERTCHAINENGINE phChainEngine 
)

Definition at line 225 of file chain.c.

227{
228 BOOL ret;
229
230 TRACE("(%p, %p)\n", pConfig, phChainEngine);
231
232 if (pConfig->cbSize != sizeof(CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT)
233 && pConfig->cbSize != sizeof(CERT_CHAIN_ENGINE_CONFIG))
234 {
235 SetLastError(E_INVALIDARG);
236 return FALSE;
237 }
238 ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot);
239 if (!ret)
240 {
241 *phChainEngine = NULL;
242 return FALSE;
243 }
244
245 *phChainEngine = CRYPT_CreateChainEngine(NULL, CERT_SYSTEM_STORE_CURRENT_USER, pConfig);
246 return *phChainEngine != NULL;
247}
E_INVALIDARG
#define E_INVALIDARG
Definition: ddrawi.h:101
CRYPT_CheckRestrictedRoot
static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store)
Definition: chain.c:89
CRYPT_CreateChainEngine
HCERTCHAINENGINE CRYPT_CreateChainEngine(HCERTSTORE root, DWORD system_store, const CERT_CHAIN_ENGINE_CONFIG *config)
Definition: chain.c:115
SetLastError
#define SetLastError(x)
Definition: compat.h:752
TRACE
#define TRACE(s)
Definition: solgame.cpp:4
_CERT_CHAIN_ENGINE_CONFIG_NO_EXCLUSIVE_ROOT
Definition: chain.c:212
_CERT_CHAIN_ENGINE_CONFIG
Definition: wincrypt.h:3624
_CERT_CHAIN_ENGINE_CONFIG::hRestrictedRoot
HCERTSTORE hRestrictedRoot
Definition: wincrypt.h:3626
_CERT_CHAIN_ENGINE_CONFIG::cbSize
DWORD cbSize
Definition: wincrypt.h:3625
ret
int ret
Definition: wcstombs-tests.c:31
phChainEngine
_Out_ HCERTCHAINENGINE * phChainEngine
Definition: wincrypt.h:4825
CERT_SYSTEM_STORE_CURRENT_USER
#define CERT_SYSTEM_STORE_CURRENT_USER
Definition: wincrypt.h:2324

Referenced by CRYPTDLG_MakeEngine(), and save_pfx().

◆ CertDuplicateCertificateChain()

PCCERT_CHAIN_CONTEXT WINAPI CertDuplicateCertificateChain ( PCCERT_CHAIN_CONTEXT  pChainContext)

Definition at line 2948 of file chain.c.

2950{
2951 CertificateChain *chain = (CertificateChain*)pChainContext;
2952
2953 TRACE("(%p)\n", pChainContext);
2954
2955 if (chain)
2956 InterlockedIncrement(&chain->ref);
2957 return pChainContext;
2958}
InterlockedIncrement
#define InterlockedIncrement
Definition: armddk.h:53
_CertificateChain
Definition: chain.c:262
chain
struct sock * chain
Definition: tcpcore.h:1

Referenced by CRYPTDLG_CopyChain(), and InternetGetSecurityInfoByURLW().

◆ CertFindChainInStore()

PCCERT_CHAIN_CONTEXT WINAPI CertFindChainInStore ( HCERTSTORE  store,
DWORD  certEncodingType,
DWORD  findFlags,
DWORD  findType,
const void findPara,
PCCERT_CHAIN_CONTEXT  prevChainContext 
)

Definition at line 2973 of file chain.c.

2976{
2977 FIXME("(%p, %08x, %08x, %d, %p, %p): stub\n", store, certEncodingType,
2978 findFlags, findType, findPara, prevChainContext);
2979 return NULL;
2980}
FIXME
#define FIXME(fmt,...)
Definition: debug.h:111

◆ CertFreeCertificateChain()

VOID WINAPI CertFreeCertificateChain ( PCCERT_CHAIN_CONTEXT  pChainContext)

Definition at line 2960 of file chain.c.

2961{
2962 CertificateChain *chain = (CertificateChain*)pChainContext;
2963
2964 TRACE("(%p)\n", pChainContext);
2965
2966 if (chain)
2967 {
2968 if (InterlockedDecrement(&chain->ref) == 0)
2969 CRYPT_FreeChainContext(chain);
2970 }
2971}
InterlockedDecrement
#define InterlockedDecrement
Definition: armddk.h:52
CRYPT_FreeChainContext
static void CRYPT_FreeChainContext(CertificateChain *chain)
Definition: chain.c:2362

Referenced by _test_security_info(), CertGetCertificateChain(), CertTrustFinalPolicy(), check_and_store_certs(), CRYPT_FreeLowerQualityChains(), InitFunctionPtrs(), netconn_verify_cert(), save_cert_as_cms(), save_pfx(), server_release(), and SoftpubCleanup().

◆ CertFreeCertificateChainEngine()

void WINAPI CertFreeCertificateChainEngine ( HCERTCHAINENGINE  hChainEngine)

Definition at line 249 of file chain.c.

250{
251 TRACE("(%p)\n", hChainEngine);
252 free_chain_engine(get_chain_engine(hChainEngine, FALSE));
253}
get_chain_engine
static CertificateChainEngine * get_chain_engine(HCERTCHAINENGINE handle, BOOL allow_default)
Definition: chain.c:166
free_chain_engine
static void free_chain_engine(CertificateChainEngine *engine)
Definition: chain.c:201

Referenced by CertTrustFinalPolicy(), check_and_store_certs(), get_chain_engine(), and save_pfx().

◆ CertGetCertificateChain()

BOOL WINAPI CertGetCertificateChain ( HCERTCHAINENGINE  hChainEngine,
PCCERT_CONTEXT  pCertContext,
LPFILETIME  pTime,
HCERTSTORE  hAdditionalStore,
PCERT_CHAIN_PARA  pChainPara,
DWORD  dwFlags,
LPVOID  pvReserved,
PCCERT_CHAIN_CONTEXT ppChainContext 
)

Definition at line 2879 of file chain.c.

2883{
2884 CertificateChainEngine *engine;
2885 BOOL ret;
2886 CertificateChain *chain = NULL;
2887
2888 TRACE("(%p, %p, %s, %p, %p, %08x, %p, %p)\n", hChainEngine, pCertContext,
2889 debugstr_filetime(pTime), hAdditionalStore, pChainPara, dwFlags,
2890 pvReserved, ppChainContext);
2891
2892 engine = get_chain_engine(hChainEngine, TRUE);
2893 if (!engine)
2894 return FALSE;
2895
2896 if (ppChainContext)
2897 *ppChainContext = NULL;
2898 if (!pChainPara)
2899 {
2900 SetLastError(E_INVALIDARG);
2901 return FALSE;
2902 }
2903 if (!pCertContext->pCertInfo->SignatureAlgorithm.pszObjId)
2904 {
2905 SetLastError(ERROR_INVALID_DATA);
2906 return FALSE;
2907 }
2908
2909 if (TRACE_ON(chain))
2910 dump_chain_para(pChainPara);
2911 /* FIXME: what about HCCE_LOCAL_MACHINE? */
2912 ret = CRYPT_BuildCandidateChainFromCert(engine, pCertContext, pTime,
2913 hAdditionalStore, dwFlags, &chain);
2914 if (ret)
2915 {
2916 CertificateChain *alternate = NULL;
2917 PCERT_CHAIN_CONTEXT pChain;
2918
2919 do {
2920 alternate = CRYPT_BuildAlternateContextFromChain(engine,
2921 pTime, hAdditionalStore, dwFlags, chain);
2922
2923 /* Alternate contexts are added as "lower quality" contexts of
2924 * chain, to avoid loops in alternate chain creation.
2925 * The highest-quality chain is chosen at the end.
2926 */
2927 if (alternate)
2928 ret = CRYPT_AddAlternateChainToChain(chain, alternate);
2929 } while (ret && alternate);
2930 chain = CRYPT_ChooseHighestQualityChain(chain);
2931 if (!(dwFlags & CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS))
2932 CRYPT_FreeLowerQualityChains(chain);
2933 pChain = (PCERT_CHAIN_CONTEXT)chain;
2934 CRYPT_VerifyChainRevocation(pChain, pTime, hAdditionalStore,
2935 pChainPara, dwFlags);
2936 CRYPT_CheckUsages(pChain, pChainPara);
2937 TRACE_(chain)("error status: %08x\n",
2938 pChain->TrustStatus.dwErrorStatus);
2939 if (ppChainContext)
2940 *ppChainContext = pChain;
2941 else
2942 CertFreeCertificateChain(pChain);
2943 }
2944 TRACE("returning %d\n", ret);
2945 return ret;
2946}
CRYPT_BuildCandidateChainFromCert
static BOOL CRYPT_BuildCandidateChainFromCert(CertificateChainEngine *engine, PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore, DWORD flags, CertificateChain **ppChain)
Definition: chain.c:2251
CRYPT_AddAlternateChainToChain
static BOOL CRYPT_AddAlternateChainToChain(CertificateChain *chain, const CertificateChain *alternate)
Definition: chain.c:2586
CRYPT_VerifyChainRevocation
static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain, LPFILETIME pTime, HCERTSTORE hAdditionalStore, const CERT_CHAIN_PARA *pChainPara, DWORD chainFlags)
Definition: chain.c:2632
CertFreeCertificateChain
VOID WINAPI CertFreeCertificateChain(PCCERT_CHAIN_CONTEXT pChainContext)
Definition: chain.c:2960
CRYPT_FreeLowerQualityChains
static void CRYPT_FreeLowerQualityChains(CertificateChain *chain)
Definition: chain.c:2351
CRYPT_CheckUsages
static void CRYPT_CheckUsages(PCERT_CHAIN_CONTEXT chain, const CERT_CHAIN_PARA *pChainPara)
Definition: chain.c:2745
debugstr_filetime
static LPCSTR debugstr_filetime(LPFILETIME pTime)
Definition: chain.c:2213
CRYPT_BuildAlternateContextFromChain
static CertificateChain * CRYPT_BuildAlternateContextFromChain(CertificateChainEngine *engine, LPFILETIME pTime, HCERTSTORE hAdditionalStore, DWORD flags, CertificateChain *chain)
Definition: chain.c:2442
CRYPT_ChooseHighestQualityChain
static CertificateChain * CRYPT_ChooseHighestQualityChain(CertificateChain *chain)
Definition: chain.c:2554
dump_chain_para
static void dump_chain_para(const CERT_CHAIN_PARA *pChainPara)
Definition: chain.c:2864
TRACE_
#define TRACE_(x)
Definition: compat.h:76
TRACE_ON
#define TRACE_ON(x)
Definition: compat.h:75
pvReserved
static LPCSTR DWORD void * pvReserved
Definition: str.c:196
_CERT_CHAIN_CONTEXT
Definition: wincrypt.h:937
_CERT_CHAIN_CONTEXT::TrustStatus
CERT_TRUST_STATUS TrustStatus
Definition: wincrypt.h:939
_CERT_CONTEXT::pCertInfo
PCERT_INFO pCertInfo
Definition: wincrypt.h:482
_CERT_INFO::SignatureAlgorithm
CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm
Definition: wincrypt.h:243
_CERT_TRUST_STATUS::dwErrorStatus
DWORD dwErrorStatus
Definition: wincrypt.h:910
_CRYPT_ALGORITHM_IDENTIFIER::pszObjId
LPSTR pszObjId
Definition: wincrypt.h:126
_CertificateChainEngine
Definition: chain.c:42
CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS
#define CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS
Definition: wincrypt.h:1064
pChainPara
_In_ PCCERT_CONTEXT _In_opt_ LPFILETIME _In_opt_ HCERTSTORE _In_ PCERT_CHAIN_PARA pChainPara
Definition: wincrypt.h:4839
ppChainContext
_In_ PCCERT_CONTEXT _In_opt_ LPFILETIME _In_opt_ HCERTSTORE _In_ PCERT_CHAIN_PARA _In_ DWORD _Reserved_ LPVOID _Out_ PCCERT_CHAIN_CONTEXT * ppChainContext
Definition: wincrypt.h:4842
dwFlags
_In_ PCCERT_CONTEXT _In_ DWORD dwFlags
Definition: wincrypt.h:1176
pTime
_In_ PCCERT_CONTEXT _In_opt_ LPFILETIME pTime
Definition: wincrypt.h:4837
pCertContext
_In_ PCCERT_CONTEXT pCertContext
Definition: wincrypt.h:4836
PCERT_CHAIN_CONTEXT
struct _CERT_CHAIN_CONTEXT * PCERT_CHAIN_CONTEXT
Definition: wincrypt.h:934
hAdditionalStore
_In_ PCCERT_CONTEXT _In_opt_ LPFILETIME _In_opt_ HCERTSTORE hAdditionalStore
Definition: wincrypt.h:4838
ERROR_INVALID_DATA
#define ERROR_INVALID_DATA
Definition: winerror.h:116

Referenced by CertTrustFinalPolicy(), check_and_store_certs(), netconn_verify_cert(), save_cert_as_cms(), save_pfx(), testGetCertChain(), and WINTRUST_CreateChainForSigner().

◆ CertVerifyCertificateChainPolicy()

BOOL WINAPI CertVerifyCertificateChainPolicy ( LPCSTR  szPolicyOID,
PCCERT_CHAIN_CONTEXT  pChainContext,
PCERT_CHAIN_POLICY_PARA  pPolicyPara,
PCERT_CHAIN_POLICY_STATUS  pPolicyStatus 
)

Definition at line 3716 of file chain.c.

3719{
3720 static HCRYPTOIDFUNCSET set = NULL;
3721 BOOL ret = FALSE;
3722 CertVerifyCertificateChainPolicyFunc verifyPolicy = NULL;
3723 HCRYPTOIDFUNCADDR hFunc = NULL;
3724
3725 TRACE("(%s, %p, %p, %p)\n", debugstr_a(szPolicyOID), pChainContext,
3726 pPolicyPara, pPolicyStatus);
3727 if (TRACE_ON(chain))
3728 dump_policy_para(pPolicyPara);
3729
3730 if (IS_INTOID(szPolicyOID))
3731 {
3732 switch (LOWORD(szPolicyOID))
3733 {
3734 case LOWORD(CERT_CHAIN_POLICY_BASE):
3735 verifyPolicy = verify_base_policy;
3736 break;
3737 case LOWORD(CERT_CHAIN_POLICY_AUTHENTICODE):
3738 verifyPolicy = verify_authenticode_policy;
3739 break;
3740 case LOWORD(CERT_CHAIN_POLICY_SSL):
3741 verifyPolicy = verify_ssl_policy;
3742 break;
3743 case LOWORD(CERT_CHAIN_POLICY_BASIC_CONSTRAINTS):
3744 verifyPolicy = verify_basic_constraints_policy;
3745 break;
3746 case LOWORD(CERT_CHAIN_POLICY_MICROSOFT_ROOT):
3747 verifyPolicy = verify_ms_root_policy;
3748 break;
3749 default:
3750 FIXME("unimplemented for %d\n", LOWORD(szPolicyOID));
3751 }
3752 }
3753 if (!verifyPolicy)
3754 {
3755 if (!set)
3756 set = CryptInitOIDFunctionSet(
3757 CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC, 0);
3758 CryptGetOIDFunctionAddress(set, X509_ASN_ENCODING, szPolicyOID, 0,
3759 (void **)&verifyPolicy, &hFunc);
3760 }
3761 if (verifyPolicy)
3762 ret = verifyPolicy(szPolicyOID, pChainContext, pPolicyPara,
3763 pPolicyStatus);
3764 if (hFunc)
3765 CryptFreeOIDFunctionAddress(hFunc, 0);
3766 TRACE("returning %d (%08x)\n", ret, pPolicyStatus->dwError);
3767 return ret;
3768}
set
Definition: _set.h:50
IS_INTOID
#define IS_INTOID(x)
Definition: crypt32_private.h:452
verify_ms_root_policy
static BOOL WINAPI verify_ms_root_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
Definition: chain.c:3665
verify_ssl_policy
static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
Definition: chain.c:3458
verify_basic_constraints_policy
static BOOL WINAPI verify_basic_constraints_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
Definition: chain.c:3130
dump_policy_para
static void dump_policy_para(PCERT_CHAIN_POLICY_PARA para)
Definition: chain.c:3706
verify_base_policy
static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
Definition: chain.c:2998
verify_authenticode_policy
static BOOL WINAPI verify_authenticode_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
Definition: chain.c:3089
CertVerifyCertificateChainPolicyFunc
BOOL(WINAPI * CertVerifyCertificateChainPolicyFunc)(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
Definition: chain.c:3702
CryptInitOIDFunctionSet
HCRYPTOIDFUNCSET WINAPI CryptInitOIDFunctionSet(LPCSTR pszFuncName, DWORD dwFlags)
Definition: oid.c:114
CryptGetOIDFunctionAddress
BOOL WINAPI CryptGetOIDFunctionAddress(HCRYPTOIDFUNCSET hFuncSet, DWORD dwEncodingType, LPCSTR pszOID, DWORD dwFlags, void **ppvFuncAddr, HCRYPTOIDFUNCADDR *phFuncAddr)
Definition: oid.c:387
CryptFreeOIDFunctionAddress
BOOL WINAPI CryptFreeOIDFunctionAddress(HCRYPTOIDFUNCADDR hFuncAddr, DWORD dwFlags)
Definition: oid.c:468
debugstr_a
#define debugstr_a
Definition: kernel32.h:31
LOWORD
#define LOWORD(l)
Definition: pedump.c:82
_CERT_CHAIN_POLICY_STATUS::dwError
DWORD dwError
Definition: wincrypt.h:956
CERT_CHAIN_POLICY_MICROSOFT_ROOT
#define CERT_CHAIN_POLICY_MICROSOFT_ROOT
Definition: wincrypt.h:968
CERT_CHAIN_POLICY_BASE
#define CERT_CHAIN_POLICY_BASE
Definition: wincrypt.h:962
CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
#define CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
Definition: wincrypt.h:966
X509_ASN_ENCODING
#define X509_ASN_ENCODING
Definition: wincrypt.h:2297
CERT_CHAIN_POLICY_AUTHENTICODE
#define CERT_CHAIN_POLICY_AUTHENTICODE
Definition: wincrypt.h:963
CERT_CHAIN_POLICY_SSL
#define CERT_CHAIN_POLICY_SSL
Definition: wincrypt.h:965
CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC
#define CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC
Definition: wincrypt.h:2506

Referenced by netconn_verify_cert(), SoftpubAuthenticode(), and WINTRUST_DefaultPolicy().

◆ compare_alt_name_with_constraints()

static void compare_alt_name_with_constraints ( const CERT_EXTENSION altNameExt,
const CERT_NAME_CONSTRAINTS_INFO nameConstraints,
DWORD trustErrorStatus 
)
static

Definition at line 967 of file chain.c.

969{
970 CERT_ALT_NAME_INFO *subjectAltName;
971 DWORD size;
972
973 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
974 altNameExt->Value.pbData, altNameExt->Value.cbData,
975 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
976 &subjectAltName, &size))
977 {
978 DWORD i;
979
980 for (i = 0; i < subjectAltName->cAltEntry; i++)
981 {
982 BOOL nameFormPresent;
983
984 /* A name constraint only applies if the name form is present.
985 * From RFC 5280, section 4.2.1.10:
986 * "Restrictions apply only when the specified name form is
987 * present. If no name of the type is in the certificate,
988 * the certificate is acceptable."
989 */
990 if (alt_name_matches_excluded_name(
991 &subjectAltName->rgAltEntry[i], nameConstraints,
992 trustErrorStatus))
993 {
994 TRACE_(chain)("subject alternate name form %d excluded\n",
995 subjectAltName->rgAltEntry[i].dwAltNameChoice);
996 *trustErrorStatus |=
997 CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
998 }
999 nameFormPresent = FALSE;
1000 if (!alt_name_matches_permitted_name(
1001 &subjectAltName->rgAltEntry[i], nameConstraints,
1002 trustErrorStatus, &nameFormPresent) && nameFormPresent)
1003 {
1004 TRACE_(chain)("subject alternate name form %d not permitted\n",
1005 subjectAltName->rgAltEntry[i].dwAltNameChoice);
1006 *trustErrorStatus |=
1007 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1008 }
1009 }
1010 LocalFree(subjectAltName);
1011 }
1012 else
1013 *trustErrorStatus |=
1014 CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
1015}
CryptDecodeObjectEx
BOOL WINAPI CryptDecodeObjectEx(DWORD dwCertEncodingType, LPCSTR lpszStructType, const BYTE *pbEncoded, DWORD cbEncoded, DWORD dwFlags, PCRYPT_DECODE_PARA pDecodePara, void *pvStructInfo, DWORD *pcbStructInfo)
Definition: decode.c:6286
alt_name_matches_excluded_name
static BOOL alt_name_matches_excluded_name(const CERT_ALT_NAME_ENTRY *name, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
Definition: chain.c:929
alt_name_matches_permitted_name
static BOOL alt_name_matches_permitted_name(const CERT_ALT_NAME_ENTRY *name, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus, BOOL *present)
Definition: chain.c:941
size
GLsizeiptr size
Definition: glext.h:5919
LocalFree
HLOCAL NTAPI LocalFree(HLOCAL hMem)
Definition: heapmem.c:1594
_CERT_ALT_NAME_INFO
Definition: wincrypt.h:355
_CERT_ALT_NAME_INFO::rgAltEntry
PCERT_ALT_NAME_ENTRY rgAltEntry
Definition: wincrypt.h:357
_CERT_ALT_NAME_INFO::cAltEntry
DWORD cAltEntry
Definition: wincrypt.h:356
_CERT_EXTENSION::Value
CRYPT_OBJID_BLOB Value
Definition: wincrypt.h:232
_CRYPTOAPI_BLOB::cbData
DWORD cbData
Definition: wincrypt.h:102
_CRYPTOAPI_BLOB::pbData
BYTE * pbData
Definition: wincrypt.h:103
CRYPT_DECODE_NOCOPY_FLAG
#define CRYPT_DECODE_NOCOPY_FLAG
Definition: wincrypt.h:3450
CERT_TRUST_INVALID_EXTENSION
#define CERT_TRUST_INVALID_EXTENSION
Definition: wincrypt.h:878
CRYPT_DECODE_ALLOC_FLAG
#define CRYPT_DECODE_ALLOC_FLAG
Definition: wincrypt.h:3454
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
#define CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
Definition: wincrypt.h:884
CERT_TRUST_INVALID_NAME_CONSTRAINTS
#define CERT_TRUST_INVALID_NAME_CONSTRAINTS
Definition: wincrypt.h:881
CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
#define CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
Definition: wincrypt.h:885
X509_ALTERNATE_NAME
#define X509_ALTERNATE_NAME
Definition: wincrypt.h:3377

Referenced by CRYPT_CheckNameConstraints().

◆ compare_subject_with_constraints()

static void compare_subject_with_constraints ( const CERT_NAME_BLOB subjectName,
const CERT_NAME_CONSTRAINTS_INFO nameConstraints,
DWORD trustErrorStatus 
)
static

Definition at line 1126 of file chain.c.

1128{
1129 BOOL hasEmailConstraint = FALSE;
1130 DWORD i;
1131
1132 /* In general, a subject distinguished name only matches a directory name
1133 * constraint. However, an exception exists for email addresses.
1134 * From RFC 5280, section 4.2.1.6:
1135 * "Legacy implementations exist where an electronic mail address is
1136 * embedded in the subject distinguished name as an emailAddress
1137 * attribute [RFC2985]."
1138 * If an email address constraint exists, check that constraint separately.
1139 */
1140 for (i = 0; !hasEmailConstraint && i < nameConstraints->cExcludedSubtree;
1141 i++)
1142 if (nameConstraints->rgExcludedSubtree[i].Base.dwAltNameChoice ==
1143 CERT_ALT_NAME_RFC822_NAME)
1144 hasEmailConstraint = TRUE;
1145 for (i = 0; !hasEmailConstraint && i < nameConstraints->cPermittedSubtree;
1146 i++)
1147 if (nameConstraints->rgPermittedSubtree[i].Base.dwAltNameChoice ==
1148 CERT_ALT_NAME_RFC822_NAME)
1149 hasEmailConstraint = TRUE;
1150 if (hasEmailConstraint)
1151 compare_subject_with_email_constraints(subjectName, nameConstraints,
1152 trustErrorStatus);
1153 for (i = 0; i < nameConstraints->cExcludedSubtree; i++)
1154 {
1155 CERT_ALT_NAME_ENTRY *constraint =
1156 &nameConstraints->rgExcludedSubtree[i].Base;
1157
1158 if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME &&
1159 directory_name_matches(&constraint->u.DirectoryName, subjectName))
1160 {
1161 TRACE_(chain)("subject name is excluded\n");
1162 *trustErrorStatus |=
1163 CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
1164 }
1165 }
1166 /* RFC 5280, section 4.2.1.10:
1167 * "Restrictions apply only when the specified name form is present.
1168 * If no name of the type is in the certificate, the certificate is
1169 * acceptable."
1170 * An empty name can't have the name form present, so don't check it.
1171 */
1172 if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
1173 {
1174 BOOL match = FALSE, hasDirectoryConstraint = FALSE;
1175
1176 for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
1177 {
1178 CERT_ALT_NAME_ENTRY *constraint =
1179 &nameConstraints->rgPermittedSubtree[i].Base;
1180
1181 if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
1182 {
1183 hasDirectoryConstraint = TRUE;
1184 match = directory_name_matches(&constraint->u.DirectoryName,
1185 subjectName);
1186 }
1187 }
1188 if (hasDirectoryConstraint && !match)
1189 {
1190 TRACE_(chain)("subject name is not permitted\n");
1191 *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1192 }
1193 }
1194}
CRYPT_IsEmptyName
static BOOL CRYPT_IsEmptyName(const CERT_NAME_BLOB *name)
Definition: chain.c:1110
compare_subject_with_email_constraints
static void compare_subject_with_email_constraints(const CERT_NAME_BLOB *subjectName, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
Definition: chain.c:1057
subjectName
static BYTE subjectName[]
Definition: cert.c:63
_CERT_ALT_NAME_ENTRY
Definition: wincrypt.h:332

Referenced by CRYPT_CheckNameConstraints().

◆ compare_subject_with_email_constraints()

static void compare_subject_with_email_constraints ( const CERT_NAME_BLOB subjectName,
const CERT_NAME_CONSTRAINTS_INFO nameConstraints,
DWORD trustErrorStatus 
)
static

Definition at line 1057 of file chain.c.

1060{
1061 CERT_NAME_INFO *name;
1062 DWORD size;
1063
1064 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_UNICODE_NAME,
1065 subjectName->pbData, subjectName->cbData,
1066 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &name, &size))
1067 {
1068 DWORD i, j;
1069
1070 for (i = 0; i < name->cRDN; i++)
1071 for (j = 0; j < name->rgRDN[i].cRDNAttr; j++)
1072 if (!strcmp(name->rgRDN[i].rgRDNAttr[j].pszObjId,
1073 szOID_RSA_emailAddr))
1074 {
1075 BOOL nameFormPresent;
1076
1077 /* A name constraint only applies if the name form is
1078 * present. From RFC 5280, section 4.2.1.10:
1079 * "Restrictions apply only when the specified name form is
1080 * present. If no name of the type is in the certificate,
1081 * the certificate is acceptable."
1082 */
1083 if (rfc822_attr_matches_excluded_name(
1084 &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
1085 trustErrorStatus))
1086 {
1087 TRACE_(chain)(
1088 "email address in subject name is excluded\n");
1089 *trustErrorStatus |=
1090 CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
1091 }
1092 nameFormPresent = FALSE;
1093 if (!rfc822_attr_matches_permitted_name(
1094 &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
1095 trustErrorStatus, &nameFormPresent) && nameFormPresent)
1096 {
1097 TRACE_(chain)(
1098 "email address in subject name is not permitted\n");
1099 *trustErrorStatus |=
1100 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1101 }
1102 }
1103 LocalFree(name);
1104 }
1105 else
1106 *trustErrorStatus |=
1107 CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
1108}
strcmp
int strcmp(const char *String1, const char *String2)
Definition: utclib.c:469
rfc822_attr_matches_excluded_name
static BOOL rfc822_attr_matches_excluded_name(const CERT_RDN_ATTR *attr, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
Definition: chain.c:1017
rfc822_attr_matches_permitted_name
static BOOL rfc822_attr_matches_permitted_name(const CERT_RDN_ATTR *attr, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus, BOOL *present)
Definition: chain.c:1035
j
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint GLint GLint j
Definition: glfuncs.h:250
_CERT_NAME_INFO
Definition: wincrypt.h:266
X509_UNICODE_NAME
#define X509_UNICODE_NAME
Definition: wincrypt.h:3385
szOID_RSA_emailAddr
#define szOID_RSA_emailAddr
Definition: wincrypt.h:3035

Referenced by compare_subject_with_constraints().

◆ CRYPT_AddAlternateChainToChain()

static BOOL CRYPT_AddAlternateChainToChain ( CertificateChain chain,
const CertificateChain alternate 
)
static

Definition at line 2586 of file chain.c.

2588{
2589 BOOL ret;
2590
2591 if (chain->context.cLowerQualityChainContext)
2592 chain->context.rgpLowerQualityChainContext =
2593 CryptMemRealloc(chain->context.rgpLowerQualityChainContext,
2594 (chain->context.cLowerQualityChainContext + 1) *
2595 sizeof(PCCERT_CHAIN_CONTEXT));
2596 else
2597 chain->context.rgpLowerQualityChainContext =
2598 CryptMemAlloc(sizeof(PCCERT_CHAIN_CONTEXT));
2599 if (chain->context.rgpLowerQualityChainContext)
2600 {
2601 chain->context.rgpLowerQualityChainContext[
2602 chain->context.cLowerQualityChainContext++] =
2603 (PCCERT_CHAIN_CONTEXT)alternate;
2604 ret = TRUE;
2605 }
2606 else
2607 ret = FALSE;
2608 return ret;
2609}
CryptMemAlloc
LPVOID WINAPI CryptMemAlloc(ULONG cbSize)
Definition: main.c:131
CryptMemRealloc
LPVOID WINAPI CryptMemRealloc(LPVOID pv, ULONG cbSize)
Definition: main.c:136
PCCERT_CHAIN_CONTEXT
const CERT_CHAIN_CONTEXT * PCCERT_CHAIN_CONTEXT
Definition: wincrypt.h:935

Referenced by CertGetCertificateChain().

◆ CRYPT_AddCertToSimpleChain()

static BOOL CRYPT_AddCertToSimpleChain ( const CertificateChainEngine engine,
PCERT_SIMPLE_CHAIN  chain,
PCCERT_CONTEXT  cert,
DWORD  subjectInfoStatus 
)
static

Definition at line 427 of file chain.c.

429{
430 BOOL ret = FALSE;
431 PCERT_CHAIN_ELEMENT element = CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
432
433 if (element)
434 {
435 if (!chain->cElement)
436 chain->rgpElement = CryptMemAlloc(sizeof(PCERT_CHAIN_ELEMENT));
437 else
438 chain->rgpElement = CryptMemRealloc(chain->rgpElement,
439 (chain->cElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
440 if (chain->rgpElement)
441 {
442 chain->rgpElement[chain->cElement++] = element;
443 memset(element, 0, sizeof(CERT_CHAIN_ELEMENT));
444 element->cbSize = sizeof(CERT_CHAIN_ELEMENT);
445 element->pCertContext = CertDuplicateCertificateContext(cert);
446 if (chain->cElement > 1)
447 chain->rgpElement[chain->cElement - 2]->TrustStatus.dwInfoStatus
448 = subjectInfoStatus;
449 /* FIXME: initialize the rest of element */
450 if (!(chain->cElement % engine->CycleDetectionModulus))
451 {
452 CRYPT_CheckSimpleChainForCycles(chain);
453 /* Reinitialize the element pointer in case the chain is
454 * cyclic, in which case the chain is truncated.
455 */
456 element = chain->rgpElement[chain->cElement - 1];
457 }
458 CRYPT_CombineTrustStatus(&chain->TrustStatus,
459 &element->TrustStatus);
460 ret = TRUE;
461 }
462 else
463 CryptMemFree(element);
464 }
465 return ret;
466}
CertDuplicateCertificateContext
PCCERT_CONTEXT WINAPI CertDuplicateCertificateContext(PCCERT_CONTEXT pCertContext)
Definition: cert.c:360
CRYPT_CheckSimpleChainForCycles
static void CRYPT_CheckSimpleChainForCycles(PCERT_SIMPLE_CHAIN chain)
Definition: chain.c:383
CRYPT_CombineTrustStatus
static void CRYPT_CombineTrustStatus(CERT_TRUST_STATUS *chainStatus, const CERT_TRUST_STATUS *elementStatus)
Definition: chain.c:416
CryptMemFree
VOID WINAPI CryptMemFree(LPVOID pv)
Definition: main.c:141
cert
static BYTE cert[]
Definition: msg.c:1437
memset
#define memset(x, y, z)
Definition: compat.h:39
_CERT_CHAIN_ELEMENT
Definition: wincrypt.h:914
_CertificateChainEngine::CycleDetectionModulus
DWORD CycleDetectionModulus
Definition: chain.c:49
CERT_CHAIN_ELEMENT
struct _CERT_CHAIN_ELEMENT CERT_CHAIN_ELEMENT

Referenced by CRYPT_BuildAlternateContextFromChain(), CRYPT_BuildSimpleChain(), and CRYPT_GetSimpleChainForCert().

◆ CRYPT_AddStoresToCollection()

static void CRYPT_AddStoresToCollection ( HCERTSTORE  collection,
DWORD  cStores,
HCERTSTORE stores 
)
inlinestatic

Definition at line 52 of file chain.c.

54{
55 DWORD i;
56
57 for (i = 0; i < cStores; i++)
58 CertAddStoreToCollection(collection, stores[i], 0, 0);
59}
CertAddStoreToCollection
BOOL WINAPI CertAddStoreToCollection(HCERTSTORE hCollectionStore, HCERTSTORE hSiblingStore, DWORD dwUpdateFlags, DWORD dwPriority)
Definition: collectionstore.c:489
collection
static ICollection collection
Definition: typelib.c:184

Referenced by CRYPT_CreateChainEngine().

◆ CRYPT_BuildAlternateContextFromChain()

static CertificateChain * CRYPT_BuildAlternateContextFromChain ( CertificateChainEngine engine,
LPFILETIME  pTime,
HCERTSTORE  hAdditionalStore,
DWORD  flags,
CertificateChain chain 
)
static

Definition at line 2442 of file chain.c.

2445{
2446 CertificateChain *alternate;
2447
2448 TRACE("(%p, %s, %p, %p)\n", engine, debugstr_filetime(pTime),
2449 hAdditionalStore, chain);
2450
2451 /* Always start with the last "lower quality" chain to ensure a consistent
2452 * order of alternate creation:
2453 */
2454 if (chain->context.cLowerQualityChainContext)
2455 chain = (CertificateChain*)chain->context.rgpLowerQualityChainContext[
2456 chain->context.cLowerQualityChainContext - 1];
2457 /* A chain with only one element can't have any alternates */
2458 if (chain->context.cChain <= 1 && chain->context.rgpChain[0]->cElement <= 1)
2459 alternate = NULL;
2460 else
2461 {
2462 DWORD i, j, infoStatus;
2463 PCCERT_CONTEXT alternateIssuer = NULL;
2464
2465 alternate = NULL;
2466 for (i = 0; !alternateIssuer && i < chain->context.cChain; i++)
2467 for (j = 0; !alternateIssuer &&
2468 j < chain->context.rgpChain[i]->cElement - 1; j++)
2469 {
2470 PCCERT_CONTEXT subject =
2471 chain->context.rgpChain[i]->rgpElement[j]->pCertContext;
2472 PCCERT_CONTEXT prevIssuer = CertDuplicateCertificateContext(
2473 chain->context.rgpChain[i]->rgpElement[j + 1]->pCertContext);
2474
2475 alternateIssuer = CRYPT_GetIssuer(engine, prevIssuer->hCertStore,
2476 subject, prevIssuer, flags, &infoStatus);
2477 }
2478 if (alternateIssuer)
2479 {
2480 i--;
2481 j--;
2482 alternate = CRYPT_CopyChainToElement(chain, i, j);
2483 if (alternate)
2484 {
2485 BOOL ret = CRYPT_AddCertToSimpleChain(engine,
2486 alternate->context.rgpChain[i], alternateIssuer, infoStatus);
2487
2488 /* CRYPT_AddCertToSimpleChain add-ref's the issuer, so free it
2489 * to close the enumeration that found it
2490 */
2491 CertFreeCertificateContext(alternateIssuer);
2492 if (ret)
2493 {
2494 ret = CRYPT_BuildSimpleChain(engine, alternate->world,
2495 flags, alternate->context.rgpChain[i]);
2496 if (ret)
2497 CRYPT_CheckSimpleChain(engine,
2498 alternate->context.rgpChain[i], pTime);
2499 CRYPT_CombineTrustStatus(&alternate->context.TrustStatus,
2500 &alternate->context.rgpChain[i]->TrustStatus);
2501 }
2502 if (!ret)
2503 {
2504 CRYPT_FreeChainContext(alternate);
2505 alternate = NULL;
2506 }
2507 }
2508 }
2509 }
2510 TRACE("%p\n", alternate);
2511 return alternate;
2512}
CertFreeCertificateContext
BOOL WINAPI CertFreeCertificateContext(PCCERT_CONTEXT pCertContext)
Definition: cert.c:371
CRYPT_AddCertToSimpleChain
static BOOL CRYPT_AddCertToSimpleChain(const CertificateChainEngine *engine, PCERT_SIMPLE_CHAIN chain, PCCERT_CONTEXT cert, DWORD subjectInfoStatus)
Definition: chain.c:427
CRYPT_CopyChainToElement
static CertificateChain * CRYPT_CopyChainToElement(CertificateChain *chain, DWORD iChain, DWORD iElement)
Definition: chain.c:2377
CRYPT_CheckSimpleChain
static void CRYPT_CheckSimpleChain(CertificateChainEngine *engine, PCERT_SIMPLE_CHAIN chain, LPFILETIME time)
Definition: chain.c:1879
CRYPT_GetIssuer
static PCCERT_CONTEXT CRYPT_GetIssuer(const CertificateChainEngine *engine, HCERTSTORE store, PCCERT_CONTEXT subject, PCCERT_CONTEXT prevIssuer, DWORD flags, DWORD *infoStatus)
Definition: chain.c:2056
CRYPT_BuildSimpleChain
static BOOL CRYPT_BuildSimpleChain(const CertificateChainEngine *engine, HCERTSTORE world, DWORD flags, PCERT_SIMPLE_CHAIN chain)
Definition: chain.c:2181
flags
GLbitfield flags
Definition: glext.h:7161
if
if(dx< 0)
Definition: linetemp.h:194
_CERT_CHAIN_CONTEXT::rgpChain
PCERT_SIMPLE_CHAIN * rgpChain
Definition: wincrypt.h:941
_CERT_CONTEXT
Definition: wincrypt.h:478
_CERT_CONTEXT::hCertStore
HCERTSTORE hCertStore
Definition: wincrypt.h:483
_CERT_SIMPLE_CHAIN::TrustStatus
CERT_TRUST_STATUS TrustStatus
Definition: wincrypt.h:926
_CertificateChain::context
CERT_CHAIN_CONTEXT context
Definition: chain.c:263
_CertificateChain::world
HCERTSTORE world
Definition: chain.c:264

Referenced by CertGetCertificateChain().

◆ CRYPT_BuildCandidateChainFromCert()

static BOOL CRYPT_BuildCandidateChainFromCert ( CertificateChainEngine engine,
PCCERT_CONTEXT  cert,
LPFILETIME  pTime,
HCERTSTORE  hAdditionalStore,
DWORD  flags,
CertificateChain **  ppChain 
)
static

Definition at line 2251 of file chain.c.

2254{
2255 PCERT_SIMPLE_CHAIN simpleChain = NULL;
2256 HCERTSTORE world;
2257 BOOL ret;
2258
2259 world = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
2260 CERT_STORE_CREATE_NEW_FLAG, NULL);
2261 CertAddStoreToCollection(world, engine->hWorld, 0, 0);
2262 if (hAdditionalStore)
2263 CertAddStoreToCollection(world, hAdditionalStore, 0, 0);
2264 /* FIXME: only simple chains are supported for now, as CTLs aren't
2265 * supported yet.
2266 */
2267 if ((ret = CRYPT_GetSimpleChainForCert(engine, world, cert, pTime, flags, &simpleChain)))
2268 {
2269 CertificateChain *chain = CryptMemAlloc(sizeof(CertificateChain));
2270
2271 if (chain)
2272 {
2273 chain->ref = 1;
2274 chain->world = world;
2275 chain->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
2276 chain->context.TrustStatus = simpleChain->TrustStatus;
2277 chain->context.cChain = 1;
2278 chain->context.rgpChain = CryptMemAlloc(sizeof(PCERT_SIMPLE_CHAIN));
2279 chain->context.rgpChain[0] = simpleChain;
2280 chain->context.cLowerQualityChainContext = 0;
2281 chain->context.rgpLowerQualityChainContext = NULL;
2282 chain->context.fHasRevocationFreshnessTime = FALSE;
2283 chain->context.dwRevocationFreshnessTime = 0;
2284 }
2285 else
2286 {
2287 CRYPT_FreeSimpleChain(simpleChain);
2288 ret = FALSE;
2289 }
2290 *ppChain = chain;
2291 }
2292 return ret;
2293}
CRYPT_FreeSimpleChain
static void CRYPT_FreeSimpleChain(PCERT_SIMPLE_CHAIN chain)
Definition: chain.c:468
CRYPT_GetSimpleChainForCert
static BOOL CRYPT_GetSimpleChainForCert(CertificateChainEngine *engine, HCERTSTORE world, PCCERT_CONTEXT cert, LPFILETIME pTime, DWORD flags, PCERT_SIMPLE_CHAIN *ppChain)
Definition: chain.c:2220
CertOpenStore
HCERTSTORE WINAPI CertOpenStore(LPCSTR lpszStoreProvider, DWORD dwMsgAndCertEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara)
Definition: store.c:815
_CERT_SIMPLE_CHAIN
Definition: wincrypt.h:924
_CertificateChainEngine::hWorld
HCERTSTORE hWorld
Definition: chain.c:45
CERT_STORE_PROV_COLLECTION
#define CERT_STORE_PROV_COLLECTION
Definition: wincrypt.h:2261
CERT_STORE_CREATE_NEW_FLAG
#define CERT_STORE_CREATE_NEW_FLAG
Definition: wincrypt.h:2464
CERT_CHAIN_CONTEXT
struct _CERT_CHAIN_CONTEXT CERT_CHAIN_CONTEXT
Definition: wincrypt.h:934

Referenced by CertGetCertificateChain().

◆ CRYPT_BuildSimpleChain()

static BOOL CRYPT_BuildSimpleChain ( const CertificateChainEngine engine,
HCERTSTORE  world,
DWORD  flags,
PCERT_SIMPLE_CHAIN  chain 
)
static

Definition at line 2181 of file chain.c.

2183{
2184 BOOL ret = TRUE;
2185 PCCERT_CONTEXT cert = chain->rgpElement[chain->cElement - 1]->pCertContext;
2186
2187 while (ret && !CRYPT_IsSimpleChainCyclic(chain) &&
2188 !CRYPT_IsCertificateSelfSigned(cert))
2189 {
2190 PCCERT_CONTEXT issuer = CRYPT_GetIssuer(engine, world, cert, NULL, flags,
2191 &chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
2192
2193 if (issuer)
2194 {
2195 ret = CRYPT_AddCertToSimpleChain(engine, chain, issuer,
2196 chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
2197 /* CRYPT_AddCertToSimpleChain add-ref's the issuer, so free it to
2198 * close the enumeration that found it
2199 */
2200 CertFreeCertificateContext(issuer);
2201 cert = issuer;
2202 }
2203 else
2204 {
2205 TRACE_(chain)("Couldn't find issuer, halting chain creation\n");
2206 chain->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_PARTIAL_CHAIN;
2207 break;
2208 }
2209 }
2210 return ret;
2211}
CRYPT_IsSimpleChainCyclic
static BOOL CRYPT_IsSimpleChainCyclic(const CERT_SIMPLE_CHAIN *chain)
Definition: chain.c:407
CRYPT_IsCertificateSelfSigned
DWORD CRYPT_IsCertificateSelfSigned(const CERT_CONTEXT *cert)
Definition: chain.c:268
issuer
static WCHAR issuer[MAX_STRING_RESOURCE_LEN]
Definition: object.c:1905
CERT_TRUST_IS_PARTIAL_CHAIN
#define CERT_TRUST_IS_PARTIAL_CHAIN
Definition: wincrypt.h:891

Referenced by CRYPT_BuildAlternateContextFromChain(), and CRYPT_GetSimpleChainForCert().

◆ CRYPT_ChainQuality()

static DWORD CRYPT_ChainQuality ( const CertificateChain chain)
static

Definition at line 2528 of file chain.c.

2529{
2530 DWORD quality = CHAIN_QUALITY_HIGHEST;
2531
2532 if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2533 CERT_TRUST_IS_UNTRUSTED_ROOT))
2534 quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
2535 if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2536 CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
2537 quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
2538 if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2539 CERT_TRUST_IS_PARTIAL_CHAIN))
2540 quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;
2541 if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2542 CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_NESTED))
2543 quality &= ~CHAIN_QUALITY_TIME_VALID;
2544 if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2545 CERT_TRUST_IS_NOT_SIGNATURE_VALID))
2546 quality &= ~CHAIN_QUALITY_SIGNATURE_VALID;
2547 return quality;
2548}
CHAIN_QUALITY_HIGHEST
#define CHAIN_QUALITY_HIGHEST
Definition: chain.c:2520
IS_TRUST_ERROR_SET
#define IS_TRUST_ERROR_SET(TrustStatus, bits)
Definition: chain.c:2525
quality
int quality
Definition: jpeglib.h:992
CERT_TRUST_INVALID_BASIC_CONSTRAINTS
#define CERT_TRUST_INVALID_BASIC_CONSTRAINTS
Definition: wincrypt.h:880
CERT_TRUST_IS_NOT_TIME_NESTED
#define CERT_TRUST_IS_NOT_TIME_NESTED
Definition: wincrypt.h:871
CERT_TRUST_IS_NOT_SIGNATURE_VALID
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID
Definition: wincrypt.h:873
CERT_TRUST_IS_UNTRUSTED_ROOT
#define CERT_TRUST_IS_UNTRUSTED_ROOT
Definition: wincrypt.h:875
CERT_TRUST_IS_NOT_TIME_VALID
#define CERT_TRUST_IS_NOT_TIME_VALID
Definition: wincrypt.h:870

Referenced by CRYPT_ChooseHighestQualityChain().

◆ CRYPT_CheckBasicConstraintsForCA()

static BOOL CRYPT_CheckBasicConstraintsForCA ( CertificateChainEngine engine,
PCCERT_CONTEXT  cert,
CERT_BASIC_CONSTRAINTS2_INFO chainConstraints,
DWORD  remainingCAs,
BOOL  isRoot,
BOOL pathLengthConstraintViolated 
)
static

Definition at line 580 of file chain.c.

583{
584 BOOL validBasicConstraints, implicitCA = FALSE;
585 CERT_BASIC_CONSTRAINTS2_INFO constraints;
586
587 if (isRoot)
588 implicitCA = TRUE;
589 else if (cert->pCertInfo->dwVersion == CERT_V1 ||
590 cert->pCertInfo->dwVersion == CERT_V2)
591 {
592 BYTE hash[20];
593 DWORD size = sizeof(hash);
594
595 if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID,
596 hash, &size))
597 {
598 CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
599 PCCERT_CONTEXT localCert = CertFindCertificateInStore(
600 engine->hWorld, cert->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH,
601 &blob, NULL);
602
603 if (localCert)
604 {
605 CertFreeCertificateContext(localCert);
606 implicitCA = TRUE;
607 }
608 }
609 }
610 if ((validBasicConstraints = CRYPT_DecodeBasicConstraints(cert,
611 &constraints, implicitCA)))
612 {
613 chainConstraints->fCA = constraints.fCA;
614 if (!constraints.fCA)
615 {
616 TRACE_(chain)("chain element %d can't be a CA\n", remainingCAs + 1);
617 validBasicConstraints = FALSE;
618 }
619 else if (constraints.fPathLenConstraint)
620 {
621 /* If the element has path length constraints, they apply to the
622 * entire remaining chain.
623 */
624 if (!chainConstraints->fPathLenConstraint ||
625 constraints.dwPathLenConstraint <
626 chainConstraints->dwPathLenConstraint)
627 {
628 TRACE_(chain)("setting path length constraint to %d\n",
629 chainConstraints->dwPathLenConstraint);
630 chainConstraints->fPathLenConstraint = TRUE;
631 chainConstraints->dwPathLenConstraint =
632 constraints.dwPathLenConstraint;
633 }
634 }
635 }
636 if (chainConstraints->fPathLenConstraint &&
637 remainingCAs > chainConstraints->dwPathLenConstraint)
638 {
639 TRACE_(chain)("remaining CAs %d exceed max path length %d\n",
640 remainingCAs, chainConstraints->dwPathLenConstraint);
641 validBasicConstraints = FALSE;
642 *pathLengthConstraintViolated = TRUE;
643 }
644 return validBasicConstraints;
645}
CertFindCertificateInStore
PCCERT_CONTEXT WINAPI CertFindCertificateInStore(HCERTSTORE hCertStore, DWORD dwCertEncodingType, DWORD dwFlags, DWORD dwType, const void *pvPara, PCCERT_CONTEXT pPrevCertContext)
Definition: cert.c:1765
CertGetCertificateContextProperty
BOOL WINAPI CertGetCertificateContextProperty(PCCERT_CONTEXT pCertContext, DWORD dwPropId, void *pvData, DWORD *pcbData)
Definition: cert.c:551
CRYPT_DecodeBasicConstraints
static BOOL CRYPT_DecodeBasicConstraints(PCCERT_CONTEXT cert, CERT_BASIC_CONSTRAINTS2_INFO *constraints, BOOL defaultIfNotSpecified)
Definition: chain.c:513
_CERT_BASIC_CONSTRAINTS2_INFO
Definition: wincrypt.h:381
_CERT_BASIC_CONSTRAINTS2_INFO::fPathLenConstraint
BOOL fPathLenConstraint
Definition: wincrypt.h:383
_CERT_BASIC_CONSTRAINTS2_INFO::fCA
BOOL fCA
Definition: wincrypt.h:382
_CERT_BASIC_CONSTRAINTS2_INFO::dwPathLenConstraint
DWORD dwPathLenConstraint
Definition: wincrypt.h:384
_CRYPTOAPI_BLOB
Definition: wincrypt.h:101
blob
Definition: image.c:134
hash
Definition: _hash_fun.h:40
CERT_V1
#define CERT_V1
Definition: wincrypt.h:2656
CERT_HASH_PROP_ID
#define CERT_HASH_PROP_ID
Definition: wincrypt.h:2688
CERT_FIND_SHA1_HASH
#define CERT_FIND_SHA1_HASH
Definition: wincrypt.h:2865
CERT_V2
#define CERT_V2
Definition: wincrypt.h:2657
BYTE
unsigned char BYTE
Definition: xxhash.c:193

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_CheckChainNameConstraints()

static void CRYPT_CheckChainNameConstraints ( PCERT_SIMPLE_CHAIN  chain)
static

Definition at line 1279 of file chain.c.

1280{
1281 int i, j;
1282
1283 /* Microsoft's implementation appears to violate RFC 3280: according to
1284 * MSDN, the various CERT_TRUST_*_NAME_CONSTRAINT errors are set if a CA's
1285 * name constraint is violated in the end cert. According to RFC 3280,
1286 * the constraints should be checked against every subsequent certificate
1287 * in the chain, not just the end cert.
1288 * Microsoft's implementation also sets the name constraint errors on the
1289 * certs whose constraints were violated, not on the certs that violated
1290 * them.
1291 * In order to be error-compatible with Microsoft's implementation, while
1292 * still adhering to RFC 3280, I use a O(n ^ 2) algorithm to check name
1293 * constraints.
1294 */
1295 for (i = chain->cElement - 1; i > 0; i--)
1296 {
1297 CERT_NAME_CONSTRAINTS_INFO *nameConstraints;
1298
1299 if ((nameConstraints = CRYPT_GetNameConstraints(
1300 chain->rgpElement[i]->pCertContext->pCertInfo)))
1301 {
1302 if (!CRYPT_IsValidNameConstraint(nameConstraints))
1303 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1304 CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
1305 else
1306 {
1307 for (j = i - 1; j >= 0; j--)
1308 {
1309 DWORD errorStatus = 0;
1310
1311 /* According to RFC 3280, self-signed certs don't have name
1312 * constraints checked unless they're the end cert.
1313 */
1314 if (j == 0 || !CRYPT_IsCertificateSelfSigned(
1315 chain->rgpElement[j]->pCertContext))
1316 {
1317 CRYPT_CheckNameConstraints(nameConstraints,
1318 chain->rgpElement[j]->pCertContext->pCertInfo,
1319 &errorStatus);
1320 if (errorStatus)
1321 {
1322 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1323 errorStatus;
1324 CRYPT_CombineTrustStatus(&chain->TrustStatus,
1325 &chain->rgpElement[i]->TrustStatus);
1326 }
1327 else
1328 chain->rgpElement[i]->TrustStatus.dwInfoStatus |=
1329 CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS;
1330 }
1331 }
1332 }
1333 LocalFree(nameConstraints);
1334 }
1335 }
1336}
CRYPT_IsValidNameConstraint
static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
Definition: chain.c:1234
CRYPT_CheckNameConstraints
static void CRYPT_CheckNameConstraints(const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert, DWORD *trustErrorStatus)
Definition: chain.c:1196
CRYPT_GetNameConstraints
static CERT_NAME_CONSTRAINTS_INFO * CRYPT_GetNameConstraints(CERT_INFO *cert)
Definition: chain.c:1215
_CERT_NAME_CONSTRAINTS_INFO
Definition: wincrypt.h:577
CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
#define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
Definition: wincrypt.h:903

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_CheckChainPolicies()

static void CRYPT_CheckChainPolicies ( PCERT_SIMPLE_CHAIN  chain)
static

Definition at line 1381 of file chain.c.

1382{
1383 int i, j;
1384
1385 for (i = chain->cElement - 1; i > 0; i--)
1386 {
1387 CERT_POLICIES_INFO *policies;
1388
1389 if ((policies = CRYPT_GetPolicies(chain->rgpElement[i]->pCertContext)))
1390 {
1391 for (j = i - 1; j >= 0; j--)
1392 {
1393 DWORD errorStatus = 0;
1394
1395 CRYPT_CheckPolicies(policies,
1396 chain->rgpElement[j]->pCertContext->pCertInfo, &errorStatus);
1397 if (errorStatus)
1398 {
1399 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1400 errorStatus;
1401 CRYPT_CombineTrustStatus(&chain->TrustStatus,
1402 &chain->rgpElement[i]->TrustStatus);
1403 }
1404 }
1405 LocalFree(policies);
1406 }
1407 }
1408}
CRYPT_CheckPolicies
static void CRYPT_CheckPolicies(const CERT_POLICIES_INFO *policies, CERT_INFO *cert, DWORD *errorStatus)
Definition: chain.c:1357
CRYPT_GetPolicies
static CERT_POLICIES_INFO * CRYPT_GetPolicies(PCCERT_CONTEXT cert)
Definition: chain.c:1339
_CERT_POLICIES_INFO
Definition: wincrypt.h:398

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_CheckNameConstraints()

static void CRYPT_CheckNameConstraints ( const CERT_NAME_CONSTRAINTS_INFO nameConstraints,
const CERT_INFO cert,
DWORD trustErrorStatus 
)
static

Definition at line 1196 of file chain.c.

1199{
1200 CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
1201
1202 if (ext)
1203 compare_alt_name_with_constraints(ext, nameConstraints,
1204 trustErrorStatus);
1205 /* Name constraints apply to the subject alternative name as well as the
1206 * subject name. From RFC 5280, section 4.2.1.10:
1207 * "Restrictions apply to the subject distinguished name and apply to
1208 * subject alternative names."
1209 */
1210 compare_subject_with_constraints(&cert->Subject, nameConstraints,
1211 trustErrorStatus);
1212}
compare_alt_name_with_constraints
static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
Definition: chain.c:967
compare_subject_with_constraints
static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName, const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
Definition: chain.c:1126
get_subject_alt_name_ext
static PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
Definition: chain.c:955
ext
static const WCHAR *const ext[]
Definition: module.c:53
_CERT_EXTENSION
Definition: wincrypt.h:229

Referenced by CRYPT_CheckChainNameConstraints().

◆ CRYPT_CheckPolicies()

static void CRYPT_CheckPolicies ( const CERT_POLICIES_INFO policies,
CERT_INFO cert,
DWORD errorStatus 
)
static

Definition at line 1357 of file chain.c.

1359{
1360 DWORD i;
1361
1362 for (i = 0; i < policies->cPolicyInfo; i++)
1363 {
1364 /* For now, the only accepted policy identifier is the anyPolicy
1365 * identifier.
1366 * FIXME: the policy identifiers should be compared against the
1367 * cert's certificate policies extension, subject to the policy
1368 * mappings extension, and the policy constraints extension.
1369 * See RFC 5280, sections 4.2.1.4, 4.2.1.5, and 4.2.1.11.
1370 */
1371 if (strcmp(policies->rgPolicyInfo[i].pszPolicyIdentifier,
1372 szOID_ANY_CERT_POLICY))
1373 {
1374 FIXME("unsupported policy %s\n",
1375 policies->rgPolicyInfo[i].pszPolicyIdentifier);
1376 *errorStatus |= CERT_TRUST_INVALID_POLICY_CONSTRAINTS;
1377 }
1378 }
1379}
_CERT_POLICIES_INFO::cPolicyInfo
DWORD cPolicyInfo
Definition: wincrypt.h:399
_CERT_POLICIES_INFO::rgPolicyInfo
CERT_POLICY_INFO * rgPolicyInfo
Definition: wincrypt.h:400
_CERT_POLICY_INFO::pszPolicyIdentifier
LPSTR pszPolicyIdentifier
Definition: wincrypt.h:393
CERT_TRUST_INVALID_POLICY_CONSTRAINTS
#define CERT_TRUST_INVALID_POLICY_CONSTRAINTS
Definition: wincrypt.h:879
szOID_ANY_CERT_POLICY
#define szOID_ANY_CERT_POLICY
Definition: wincrypt.h:3198

Referenced by CRYPT_CheckChainPolicies().

◆ CRYPT_CheckRestrictedRoot()

static BOOL CRYPT_CheckRestrictedRoot ( HCERTSTORE  store)
static

Definition at line 89 of file chain.c.

90{
91 BOOL ret = TRUE;
92
93 if (store)
94 {
95 HCERTSTORE rootStore = CertOpenSystemStoreW(0, rootW);
96 PCCERT_CONTEXT cert = NULL, check;
97
98 do {
99 cert = CertEnumCertificatesInStore(store, cert);
100 if (cert)
101 {
102 if (!(check = CRYPT_FindCertInStore(rootStore, cert)))
103 ret = FALSE;
104 else
105 CertFreeCertificateContext(check);
106 }
107 } while (ret && cert);
108 if (cert)
109 CertFreeCertificateContext(cert);
110 CertCloseStore(rootStore, 0);
111 }
112 return ret;
113}
CRYPT_FindCertInStore
static PCCERT_CONTEXT CRYPT_FindCertInStore(HCERTSTORE store, PCCERT_CONTEXT cert)
Definition: chain.c:72
rootW
static const WCHAR rootW[]
Definition: chain.c:69
CertEnumCertificatesInStore
PCCERT_CONTEXT WINAPI CertEnumCertificatesInStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pPrev)
Definition: store.c:928
CertCloseStore
BOOL WINAPI CertCloseStore(HCERTSTORE hCertStore, DWORD dwFlags)
Definition: store.c:1127
CertOpenSystemStoreW
HCERTSTORE WINAPI CertOpenSystemStoreW(HCRYPTPROV_LEGACY hProv, LPCWSTR szSubSystemProtocol)
Definition: store.c:916
check
#define check(expected, result)
Definition: dplayx.c:32

Referenced by CertCreateCertificateChainEngine().

◆ CRYPT_CheckRootCert()

static void CRYPT_CheckRootCert ( HCERTSTORE  hRoot,
PCERT_CHAIN_ELEMENT  rootElement 
)
static

Definition at line 491 of file chain.c.

493{
494 PCCERT_CONTEXT root = rootElement->pCertContext;
495
496 if (!CryptVerifyCertificateSignatureEx(0, root->dwCertEncodingType,
497 CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *)root,
498 CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)root, 0, NULL))
499 {
500 TRACE_(chain)("Last certificate's signature is invalid\n");
501 rootElement->TrustStatus.dwErrorStatus |=
502 CERT_TRUST_IS_NOT_SIGNATURE_VALID;
503 }
504 CRYPT_CheckTrustedStatus(hRoot, rootElement);
505}
CryptVerifyCertificateSignatureEx
BOOL WINAPI CryptVerifyCertificateSignatureEx(HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType, DWORD dwSubjectType, void *pvSubject, DWORD dwIssuerType, void *pvIssuer, DWORD dwFlags, void *pvReserved)
Definition: cert.c:2717
CRYPT_CheckTrustedStatus
static void CRYPT_CheckTrustedStatus(HCERTSTORE hRoot, PCERT_CHAIN_ELEMENT rootElement)
Definition: chain.c:478
hRoot
static HTREEITEM hRoot
Definition: treeview.c:381
_CERT_CHAIN_ELEMENT::pCertContext
PCCERT_CONTEXT pCertContext
Definition: wincrypt.h:916
_CERT_CHAIN_ELEMENT::TrustStatus
CERT_TRUST_STATUS TrustStatus
Definition: wincrypt.h:917
_root
Definition: btrfs_drv.h:450
CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT
#define CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT
Definition: wincrypt.h:3474
CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT
#define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT
Definition: wincrypt.h:3469

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_CheckSimpleChain()

static void CRYPT_CheckSimpleChain ( CertificateChainEngine engine,
PCERT_SIMPLE_CHAIN  chain,
LPFILETIME  time 
)
static

Definition at line 1879 of file chain.c.

1881{
1882 PCERT_CHAIN_ELEMENT rootElement = chain->rgpElement[chain->cElement - 1];
1883 int i;
1884 BOOL pathLengthConstraintViolated = FALSE;
1885 CERT_BASIC_CONSTRAINTS2_INFO constraints = { FALSE, FALSE, 0 };
1886 DWORD status;
1887
1888 TRACE_(chain)("checking chain with %d elements for time %s\n",
1889 chain->cElement, filetime_to_str(time));
1890 for (i = chain->cElement - 1; i >= 0; i--)
1891 {
1892 BOOL isRoot;
1893
1894 if (TRACE_ON(chain))
1895 dump_element(chain->rgpElement[i]->pCertContext);
1896 if (i == chain->cElement - 1)
1897 isRoot = CRYPT_IsCertificateSelfSigned(
1898 chain->rgpElement[i]->pCertContext);
1899 else
1900 isRoot = FALSE;
1901 if (!CRYPT_IsCertVersionValid(chain->rgpElement[i]->pCertContext))
1902 {
1903 /* MS appears to accept certs whose versions don't match their
1904 * contents, so there isn't an appropriate error code.
1905 */
1906 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1907 CERT_TRUST_INVALID_EXTENSION;
1908 }
1909 if (CertVerifyTimeValidity(time,
1910 chain->rgpElement[i]->pCertContext->pCertInfo) != 0)
1911 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1912 CERT_TRUST_IS_NOT_TIME_VALID;
1913 if (i != 0)
1914 {
1915 /* Check the signature of the cert this issued */
1916 if (!CryptVerifyCertificateSignatureEx(0, X509_ASN_ENCODING,
1917 CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
1918 (void *)chain->rgpElement[i - 1]->pCertContext,
1919 CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
1920 (void *)chain->rgpElement[i]->pCertContext, 0, NULL))
1921 chain->rgpElement[i - 1]->TrustStatus.dwErrorStatus |=
1922 CERT_TRUST_IS_NOT_SIGNATURE_VALID;
1923 /* Once a path length constraint has been violated, every remaining
1924 * CA cert's basic constraints is considered invalid.
1925 */
1926 if (pathLengthConstraintViolated)
1927 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1928 CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1929 else if (!CRYPT_CheckBasicConstraintsForCA(engine,
1930 chain->rgpElement[i]->pCertContext, &constraints, i - 1, isRoot,
1931 &pathLengthConstraintViolated))
1932 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1933 CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1934 else if (constraints.fPathLenConstraint &&
1935 constraints.dwPathLenConstraint)
1936 {
1937 /* This one's valid - decrement max length */
1938 constraints.dwPathLenConstraint--;
1939 }
1940 }
1941 else
1942 {
1943 /* Check whether end cert has a basic constraints extension */
1944 if (!CRYPT_DecodeBasicConstraints(
1945 chain->rgpElement[i]->pCertContext, &constraints, FALSE))
1946 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1947 CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1948 }
1949 if (!CRYPT_KeyUsageValid(engine, chain->rgpElement[i]->pCertContext,
1950 isRoot, constraints.fCA, i))
1951 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1952 CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
1953 if (CRYPT_IsSimpleChainCyclic(chain))
1954 {
1955 /* If the chain is cyclic, then the path length constraints
1956 * are violated, because the chain is infinitely long.
1957 */
1958 pathLengthConstraintViolated = TRUE;
1959 chain->TrustStatus.dwErrorStatus |=
1960 CERT_TRUST_IS_PARTIAL_CHAIN |
1961 CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1962 }
1963 /* Check whether every critical extension is supported */
1964 if (!CRYPT_CriticalExtensionsSupported(
1965 chain->rgpElement[i]->pCertContext))
1966 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1967 CERT_TRUST_INVALID_EXTENSION |
1968 CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT;
1969 CRYPT_CombineTrustStatus(&chain->TrustStatus,
1970 &chain->rgpElement[i]->TrustStatus);
1971 }
1972 CRYPT_CheckChainNameConstraints(chain);
1973 CRYPT_CheckChainPolicies(chain);
1974 if ((status = CRYPT_IsCertificateSelfSigned(rootElement->pCertContext)))
1975 {
1976 rootElement->TrustStatus.dwInfoStatus |= status;
1977 CRYPT_CheckRootCert(engine->hRoot, rootElement);
1978 }
1979 CRYPT_CombineTrustStatus(&chain->TrustStatus, &rootElement->TrustStatus);
1980}
CertVerifyTimeValidity
LONG WINAPI CertVerifyTimeValidity(LPFILETIME pTimeToVerify, PCERT_INFO pCertInfo)
Definition: cert.c:2158
CRYPT_CheckChainPolicies
static void CRYPT_CheckChainPolicies(PCERT_SIMPLE_CHAIN chain)
Definition: chain.c:1381
CRYPT_CheckChainNameConstraints
static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
Definition: chain.c:1279
CRYPT_KeyUsageValid
static BOOL CRYPT_KeyUsageValid(CertificateChainEngine *engine, PCCERT_CONTEXT cert, BOOL isRoot, BOOL isCA, DWORD index)
Definition: chain.c:1723
CRYPT_IsCertVersionValid
static BOOL CRYPT_IsCertVersionValid(PCCERT_CONTEXT cert)
Definition: chain.c:1840
CRYPT_CheckBasicConstraintsForCA
static BOOL CRYPT_CheckBasicConstraintsForCA(CertificateChainEngine *engine, PCCERT_CONTEXT cert, CERT_BASIC_CONSTRAINTS2_INFO *chainConstraints, DWORD remainingCAs, BOOL isRoot, BOOL *pathLengthConstraintViolated)
Definition: chain.c:580
CRYPT_CriticalExtensionsSupported
static BOOL CRYPT_CriticalExtensionsSupported(PCCERT_CONTEXT cert)
Definition: chain.c:1802
filetime_to_str
static LPCSTR filetime_to_str(const FILETIME *time)
Definition: chain.c:1675
CRYPT_CheckRootCert
static void CRYPT_CheckRootCert(HCERTSTORE hRoot, PCERT_CHAIN_ELEMENT rootElement)
Definition: chain.c:491
dump_element
static void dump_element(PCCERT_CONTEXT cert)
Definition: chain.c:1689
time
__u16 time
Definition: mkdosfs.c:8
_CERT_TRUST_STATUS::dwInfoStatus
DWORD dwInfoStatus
Definition: wincrypt.h:911
_CertificateChainEngine::hRoot
HCERTSTORE hRoot
Definition: chain.c:44
status
Definition: ps.c:97
CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT
#define CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT
Definition: wincrypt.h:889
CERT_TRUST_IS_NOT_VALID_FOR_USAGE
#define CERT_TRUST_IS_NOT_VALID_FOR_USAGE
Definition: wincrypt.h:874

Referenced by CRYPT_BuildAlternateContextFromChain(), and CRYPT_GetSimpleChainForCert().

◆ CRYPT_CheckSimpleChainForCycles()

static void CRYPT_CheckSimpleChainForCycles ( PCERT_SIMPLE_CHAIN  chain)
static

Definition at line 383 of file chain.c.

384{
385 DWORD i, j, cyclicCertIndex = 0;
386
387 /* O(n^2) - I don't think there's a faster way */
388 for (i = 0; !cyclicCertIndex && i < chain->cElement; i++)
389 for (j = i + 1; !cyclicCertIndex && j < chain->cElement; j++)
390 if (CertCompareCertificate(X509_ASN_ENCODING,
391 chain->rgpElement[i]->pCertContext->pCertInfo,
392 chain->rgpElement[j]->pCertContext->pCertInfo))
393 cyclicCertIndex = j;
394 if (cyclicCertIndex)
395 {
396 chain->rgpElement[cyclicCertIndex]->TrustStatus.dwErrorStatus
397 |= CERT_TRUST_IS_CYCLIC | CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
398 /* Release remaining certs */
399 for (i = cyclicCertIndex + 1; i < chain->cElement; i++)
400 CRYPT_FreeChainElement(chain->rgpElement[i]);
401 /* Truncate chain */
402 chain->cElement = cyclicCertIndex + 1;
403 }
404}
CertCompareCertificate
BOOL WINAPI CertCompareCertificate(DWORD dwCertEncodingType, PCERT_INFO pCertId1, PCERT_INFO pCertId2)
Definition: cert.c:1166
CRYPT_FreeChainElement
static void CRYPT_FreeChainElement(PCERT_CHAIN_ELEMENT element)
Definition: chain.c:377
CERT_TRUST_IS_CYCLIC
#define CERT_TRUST_IS_CYCLIC
Definition: wincrypt.h:877

Referenced by CRYPT_AddCertToSimpleChain().

◆ CRYPT_CheckTrustedStatus()

static void CRYPT_CheckTrustedStatus ( HCERTSTORE  hRoot,
PCERT_CHAIN_ELEMENT  rootElement 
)
static

Definition at line 478 of file chain.c.

480{
481 PCCERT_CONTEXT trustedRoot = CRYPT_FindCertInStore(hRoot,
482 rootElement->pCertContext);
483
484 if (!trustedRoot)
485 rootElement->TrustStatus.dwErrorStatus |=
486 CERT_TRUST_IS_UNTRUSTED_ROOT;
487 else
488 CertFreeCertificateContext(trustedRoot);
489}

Referenced by CRYPT_CheckRootCert().

◆ CRYPT_CheckUsages()

static void CRYPT_CheckUsages ( PCERT_CHAIN_CONTEXT  chain,
const CERT_CHAIN_PARA pChainPara 
)
static

Definition at line 2745 of file chain.c.

2747{
2748 if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA_NO_EXTRA_FIELDS) &&
2749 pChainPara->RequestedUsage.Usage.cUsageIdentifier)
2750 {
2751 PCCERT_CONTEXT endCert;
2752 PCERT_EXTENSION ext;
2753 BOOL validForUsage;
2754
2755 /* A chain, if created, always includes the end certificate */
2756 endCert = chain->rgpChain[0]->rgpElement[0]->pCertContext;
2757 /* The extended key usage extension specifies how a certificate's
2758 * public key may be used. From RFC 5280, section 4.2.1.12:
2759 * "This extension indicates one or more purposes for which the
2760 * certified public key may be used, in addition to or in place of the
2761 * basic purposes indicated in the key usage extension."
2762 * If the extension is present, it only satisfies the requested usage
2763 * if that usage is included in the extension:
2764 * "If the extension is present, then the certificate MUST only be used
2765 * for one of the purposes indicated."
2766 * There is also the special anyExtendedKeyUsage OID, but it doesn't
2767 * have to be respected:
2768 * "Applications that require the presence of a particular purpose
2769 * MAY reject certificates that include the anyExtendedKeyUsage OID
2770 * but not the particular OID expected for the application."
2771 * For now, I'm being more conservative and ignoring the presence of
2772 * the anyExtendedKeyUsage OID.
2773 */
2774 if ((ext = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
2775 endCert->pCertInfo->cExtension, endCert->pCertInfo->rgExtension)))
2776 {
2777 const CERT_ENHKEY_USAGE *requestedUsage =
2778 &pChainPara->RequestedUsage.Usage;
2779 CERT_ENHKEY_USAGE *usage;
2780 DWORD size;
2781
2782 if (CryptDecodeObjectEx(X509_ASN_ENCODING,
2783 X509_ENHANCED_KEY_USAGE, ext->Value.pbData, ext->Value.cbData,
2784 CRYPT_DECODE_ALLOC_FLAG, NULL, &usage, &size))
2785 {
2786 if (pChainPara->RequestedUsage.dwType == USAGE_MATCH_TYPE_AND)
2787 {
2788 DWORD i, j;
2789
2790 /* For AND matches, all usages must be present */
2791 validForUsage = TRUE;
2792 for (i = 0; validForUsage &&
2793 i < requestedUsage->cUsageIdentifier; i++)
2794 {
2795 BOOL match = FALSE;
2796
2797 for (j = 0; !match && j < usage->cUsageIdentifier; j++)
2798 match = !strcmp(usage->rgpszUsageIdentifier[j],
2799 requestedUsage->rgpszUsageIdentifier[i]);
2800 if (!match)
2801 validForUsage = FALSE;
2802 }
2803 }
2804 else
2805 {
2806 DWORD i, j;
2807
2808 /* For OR matches, any matching usage suffices */
2809 validForUsage = FALSE;
2810 for (i = 0; !validForUsage &&
2811 i < requestedUsage->cUsageIdentifier; i++)
2812 {
2813 for (j = 0; !validForUsage &&
2814 j < usage->cUsageIdentifier; j++)
2815 validForUsage =
2816 !strcmp(usage->rgpszUsageIdentifier[j],
2817 requestedUsage->rgpszUsageIdentifier[i]);
2818 }
2819 }
2820 LocalFree(usage);
2821 }
2822 else
2823 validForUsage = FALSE;
2824 }
2825 else
2826 {
2827 /* If the extension isn't present, any interpretation is valid:
2828 * "Certificate using applications MAY require that the extended
2829 * key usage extension be present and that a particular purpose
2830 * be indicated in order for the certificate to be acceptable to
2831 * that application."
2832 * Not all web sites include the extended key usage extension, so
2833 * accept chains without it.
2834 */
2835 TRACE_(chain)("requested usage from certificate with no usages\n");
2836 validForUsage = TRUE;
2837 }
2838 if (!validForUsage)
2839 {
2840 chain->TrustStatus.dwErrorStatus |=
2841 CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
2842 chain->rgpChain[0]->rgpElement[0]->TrustStatus.dwErrorStatus |=
2843 CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
2844 }
2845 }
2846 if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA) &&
2847 pChainPara->RequestedIssuancePolicy.Usage.cUsageIdentifier)
2848 FIXME("unimplemented for RequestedIssuancePolicy\n");
2849}
CertFindExtension
PCERT_EXTENSION WINAPI CertFindExtension(LPCSTR pszObjId, DWORD cExtensions, CERT_EXTENSION rgExtensions[])
Definition: cert.c:2028
usage
GLsizeiptr const GLvoid GLenum usage
Definition: glext.h:5919
_CERT_CHAIN_PARA_NO_EXTRA_FIELDS
Definition: chain.c:2627
_CERT_CHAIN_PARA
Definition: wincrypt.h:1068
_CERT_INFO::rgExtension
PCERT_EXTENSION rgExtension
Definition: wincrypt.h:252
_CERT_INFO::cExtension
DWORD cExtension
Definition: wincrypt.h:251
_CTL_USAGE
Definition: wincrypt.h:718
_CTL_USAGE::cUsageIdentifier
DWORD cUsageIdentifier
Definition: wincrypt.h:719
_CTL_USAGE::rgpszUsageIdentifier
LPSTR * rgpszUsageIdentifier
Definition: wincrypt.h:720
USAGE_MATCH_TYPE_AND
#define USAGE_MATCH_TYPE_AND
Definition: wincrypt.h:1043
szOID_ENHANCED_KEY_USAGE
#define szOID_ENHANCED_KEY_USAGE
Definition: wincrypt.h:3202
X509_ENHANCED_KEY_USAGE
#define X509_ENHANCED_KEY_USAGE
Definition: wincrypt.h:3403

Referenced by CertGetCertificateChain().

◆ CRYPT_ChooseHighestQualityChain()

static CertificateChain * CRYPT_ChooseHighestQualityChain ( CertificateChain chain)
static

Definition at line 2554 of file chain.c.

2556{
2557 DWORD i;
2558
2559 /* There are always only two chains being considered: chain, and an
2560 * alternate at chain->rgpLowerQualityChainContext[i]. If the alternate
2561 * has a higher quality than chain, the alternate gets assigned the lower
2562 * quality contexts, with chain taking the alternate's place among the
2563 * lower quality contexts.
2564 */
2565 for (i = 0; i < chain->context.cLowerQualityChainContext; i++)
2566 {
2567 CertificateChain *alternate =
2568 (CertificateChain*)chain->context.rgpLowerQualityChainContext[i];
2569
2570 if (CRYPT_ChainQuality(alternate) > CRYPT_ChainQuality(chain))
2571 {
2572 alternate->context.cLowerQualityChainContext =
2573 chain->context.cLowerQualityChainContext;
2574 alternate->context.rgpLowerQualityChainContext =
2575 chain->context.rgpLowerQualityChainContext;
2576 alternate->context.rgpLowerQualityChainContext[i] =
2577 (PCCERT_CHAIN_CONTEXT)chain;
2578 chain->context.cLowerQualityChainContext = 0;
2579 chain->context.rgpLowerQualityChainContext = NULL;
2580 chain = alternate;
2581 }
2582 }
2583 return chain;
2584}
CRYPT_ChainQuality
static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
Definition: chain.c:2528
_CERT_CHAIN_CONTEXT::cLowerQualityChainContext
DWORD cLowerQualityChainContext
Definition: wincrypt.h:942
_CERT_CHAIN_CONTEXT::rgpLowerQualityChainContext
PCCERT_CHAIN_CONTEXT * rgpLowerQualityChainContext
Definition: wincrypt.h:943

Referenced by CertGetCertificateChain().

◆ CRYPT_CloseStores()

static void CRYPT_CloseStores ( DWORD  cStores,
HCERTSTORE stores 
)
inlinestatic

Definition at line 61 of file chain.c.

62{
63 DWORD i;
64
65 for (i = 0; i < cStores; i++)
66 CertCloseStore(stores[i], 0);
67}

Referenced by CRYPT_CreateChainEngine().

◆ CRYPT_CombineTrustStatus()

static void CRYPT_CombineTrustStatus ( CERT_TRUST_STATUS chainStatus,
const CERT_TRUST_STATUS elementStatus 
)
inlinestatic

Definition at line 416 of file chain.c.

418{
419 /* Any error that applies to an element also applies to a chain.. */
420 chainStatus->dwErrorStatus |= elementStatus->dwErrorStatus;
421 /* but the bottom nibble of an element's info status doesn't apply to the
422 * chain.
423 */
424 chainStatus->dwInfoStatus |= (elementStatus->dwInfoStatus & 0xfffffff0);
425}

Referenced by CRYPT_AddCertToSimpleChain(), CRYPT_BuildAlternateContextFromChain(), CRYPT_CheckChainNameConstraints(), CRYPT_CheckChainPolicies(), and CRYPT_CheckSimpleChain().

◆ CRYPT_CopyChainToElement()

static CertificateChain * CRYPT_CopyChainToElement ( CertificateChain chain,
DWORD  iChain,
DWORD  iElement 
)
static

Definition at line 2377 of file chain.c.

2379{
2380 CertificateChain *copy = CryptMemAlloc(sizeof(CertificateChain));
2381
2382 if (copy)
2383 {
2384 copy->ref = 1;
2385 copy->world = CertDuplicateStore(chain->world);
2386 copy->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
2387 /* Leave the trust status of the copied chain unset, it'll get
2388 * rechecked after the new chain is done.
2389 */
2390 memset(&copy->context.TrustStatus, 0, sizeof(CERT_TRUST_STATUS));
2391 copy->context.cLowerQualityChainContext = 0;
2392 copy->context.rgpLowerQualityChainContext = NULL;
2393 copy->context.fHasRevocationFreshnessTime = FALSE;
2394 copy->context.dwRevocationFreshnessTime = 0;
2395 copy->context.rgpChain = CryptMemAlloc(
2396 (iChain + 1) * sizeof(PCERT_SIMPLE_CHAIN));
2397 if (copy->context.rgpChain)
2398 {
2399 BOOL ret = TRUE;
2400 DWORD i;
2401
2402 memset(copy->context.rgpChain, 0,
2403 (iChain + 1) * sizeof(PCERT_SIMPLE_CHAIN));
2404 if (iChain)
2405 {
2406 for (i = 0; ret && iChain && i < iChain - 1; i++)
2407 {
2408 copy->context.rgpChain[i] =
2409 CRYPT_CopySimpleChainToElement(chain->context.rgpChain[i],
2410 chain->context.rgpChain[i]->cElement - 1);
2411 if (!copy->context.rgpChain[i])
2412 ret = FALSE;
2413 }
2414 }
2415 else
2416 i = 0;
2417 if (ret)
2418 {
2419 copy->context.rgpChain[i] =
2420 CRYPT_CopySimpleChainToElement(chain->context.rgpChain[i],
2421 iElement);
2422 if (!copy->context.rgpChain[i])
2423 ret = FALSE;
2424 }
2425 if (!ret)
2426 {
2427 CRYPT_FreeChainContext(copy);
2428 copy = NULL;
2429 }
2430 else
2431 copy->context.cChain = iChain + 1;
2432 }
2433 else
2434 {
2435 CryptMemFree(copy);
2436 copy = NULL;
2437 }
2438 }
2439 return copy;
2440}
copy
INT copy(TCHAR source[MAX_PATH], TCHAR dest[MAX_PATH], INT append, DWORD lpdwFlags, BOOL bTouch)
Definition: copy.c:51
CRYPT_CopySimpleChainToElement
static PCERT_SIMPLE_CHAIN CRYPT_CopySimpleChainToElement(const CERT_SIMPLE_CHAIN *chain, DWORD iElement)
Definition: chain.c:2296
CertDuplicateStore
HCERTSTORE WINAPI CertDuplicateStore(HCERTSTORE hCertStore)
Definition: store.c:1116
_CERT_TRUST_STATUS
Definition: wincrypt.h:909

Referenced by CRYPT_BuildAlternateContextFromChain().

◆ CRYPT_CopySimpleChainToElement()

static PCERT_SIMPLE_CHAIN CRYPT_CopySimpleChainToElement ( const CERT_SIMPLE_CHAIN chain,
DWORD  iElement 
)
static

Definition at line 2296 of file chain.c.

2298{
2299 PCERT_SIMPLE_CHAIN copy = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
2300
2301 if (copy)
2302 {
2303 memset(copy, 0, sizeof(CERT_SIMPLE_CHAIN));
2304 copy->cbSize = sizeof(CERT_SIMPLE_CHAIN);
2305 copy->rgpElement =
2306 CryptMemAlloc((iElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
2307 if (copy->rgpElement)
2308 {
2309 DWORD i;
2310 BOOL ret = TRUE;
2311
2312 memset(copy->rgpElement, 0,
2313 (iElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
2314 for (i = 0; ret && i <= iElement; i++)
2315 {
2316 PCERT_CHAIN_ELEMENT element =
2317 CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
2318
2319 if (element)
2320 {
2321 *element = *chain->rgpElement[i];
2322 element->pCertContext = CertDuplicateCertificateContext(
2323 chain->rgpElement[i]->pCertContext);
2324 /* Reset the trust status of the copied element, it'll get
2325 * rechecked after the new chain is done.
2326 */
2327 memset(&element->TrustStatus, 0, sizeof(CERT_TRUST_STATUS));
2328 copy->rgpElement[copy->cElement++] = element;
2329 }
2330 else
2331 ret = FALSE;
2332 }
2333 if (!ret)
2334 {
2335 for (i = 0; i <= iElement; i++)
2336 CryptMemFree(copy->rgpElement[i]);
2337 CryptMemFree(copy->rgpElement);
2338 CryptMemFree(copy);
2339 copy = NULL;
2340 }
2341 }
2342 else
2343 {
2344 CryptMemFree(copy);
2345 copy = NULL;
2346 }
2347 }
2348 return copy;
2349}
CERT_SIMPLE_CHAIN
struct _CERT_SIMPLE_CHAIN CERT_SIMPLE_CHAIN

Referenced by CRYPT_CopyChainToElement().

◆ CRYPT_CreateChainEngine()

HCERTCHAINENGINE CRYPT_CreateChainEngine ( HCERTSTORE  root,
DWORD  system_store,
const CERT_CHAIN_ENGINE_CONFIG config 
)

Definition at line 115 of file chain.c.

116{
117 CertificateChainEngine *engine;
118 HCERTSTORE worldStores[4];
119
120 static const WCHAR caW[] = { 'C','A',0 };
121 static const WCHAR myW[] = { 'M','y',0 };
122 static const WCHAR trustW[] = { 'T','r','u','s','t',0 };
123
124 if(!root) {
125 if(config->cbSize >= sizeof(CERT_CHAIN_ENGINE_CONFIG) && config->hExclusiveRoot)
126 root = CertDuplicateStore(config->hExclusiveRoot);
127 else if (config->hRestrictedRoot)
128 root = CertDuplicateStore(config->hRestrictedRoot);
129 else
130 root = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, system_store, rootW);
131 if(!root)
132 return NULL;
133 }
134
135 engine = CryptMemAlloc(sizeof(CertificateChainEngine));
136 if(!engine) {
137 CertCloseStore(root, 0);
138 return NULL;
139 }
140
141 engine->ref = 1;
142 engine->hRoot = root;
143 engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL);
144 worldStores[0] = CertDuplicateStore(engine->hRoot);
145 worldStores[1] = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, system_store, caW);
146 worldStores[2] = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, system_store, myW);
147 worldStores[3] = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, system_store, trustW);
148
149 CRYPT_AddStoresToCollection(engine->hWorld, ARRAY_SIZE(worldStores), worldStores);
150 CRYPT_AddStoresToCollection(engine->hWorld, config->cAdditionalStore, config->rghAdditionalStore);
151 CRYPT_CloseStores(ARRAY_SIZE(worldStores), worldStores);
152
153 engine->dwFlags = config->dwFlags;
154 engine->dwUrlRetrievalTimeout = config->dwUrlRetrievalTimeout;
155 engine->MaximumCachedCertificates = config->MaximumCachedCertificates;
156 if(config->CycleDetectionModulus)
157 engine->CycleDetectionModulus = config->CycleDetectionModulus;
158 else
159 engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS;
160
161 return engine;
162}
ARRAY_SIZE
#define ARRAY_SIZE(A)
Definition: main.h:33
root
struct _root root
CRYPT_CloseStores
static void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores)
Definition: chain.c:61
DEFAULT_CYCLE_MODULUS
#define DEFAULT_CYCLE_MODULUS
Definition: chain.c:34
CRYPT_AddStoresToCollection
static void CRYPT_AddStoresToCollection(HCERTSTORE collection, DWORD cStores, HCERTSTORE *stores)
Definition: chain.c:52
_CertificateChainEngine::MaximumCachedCertificates
DWORD MaximumCachedCertificates
Definition: chain.c:48
_CertificateChainEngine::ref
LONG ref
Definition: chain.c:43
_CertificateChainEngine::dwUrlRetrievalTimeout
DWORD dwUrlRetrievalTimeout
Definition: chain.c:47
_CertificateChainEngine::dwFlags
DWORD dwFlags
Definition: chain.c:46
config_s
Definition: deflate.c:114
CERT_STORE_PROV_SYSTEM_W
#define CERT_STORE_PROV_SYSTEM_W
Definition: wincrypt.h:2259
WCHAR
__wchar_t WCHAR
Definition: xmlstorage.h:180

Referenced by CertCreateCertificateChainEngine(), check_and_store_certs(), and get_chain_engine().

◆ CRYPT_CriticalExtensionsSupported()

static BOOL CRYPT_CriticalExtensionsSupported ( PCCERT_CONTEXT  cert)
static

Definition at line 1802 of file chain.c.

1803{
1804 BOOL ret = TRUE;
1805 DWORD i;
1806
1807 for (i = 0; ret && i < cert->pCertInfo->cExtension; i++)
1808 {
1809 if (cert->pCertInfo->rgExtension[i].fCritical)
1810 {
1811 LPCSTR oid = cert->pCertInfo->rgExtension[i].pszObjId;
1812
1813 if (!strcmp(oid, szOID_BASIC_CONSTRAINTS))
1814 ret = TRUE;
1815 else if (!strcmp(oid, szOID_BASIC_CONSTRAINTS2))
1816 ret = TRUE;
1817 else if (!strcmp(oid, szOID_NAME_CONSTRAINTS))
1818 ret = TRUE;
1819 else if (!strcmp(oid, szOID_KEY_USAGE))
1820 ret = TRUE;
1821 else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME))
1822 ret = TRUE;
1823 else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME2))
1824 ret = TRUE;
1825 else if (!strcmp(oid, szOID_CERT_POLICIES))
1826 ret = TRUE;
1827 else if (!strcmp(oid, szOID_ENHANCED_KEY_USAGE))
1828 ret = TRUE;
1829 else
1830 {
1831 FIXME("unsupported critical extension %s\n",
1832 debugstr_a(oid));
1833 ret = FALSE;
1834 }
1835 }
1836 }
1837 return ret;
1838}
szOID_BASIC_CONSTRAINTS2
#define szOID_BASIC_CONSTRAINTS2
Definition: wincrypt.h:3189
szOID_NAME_CONSTRAINTS
#define szOID_NAME_CONSTRAINTS
Definition: wincrypt.h:3195
szOID_KEY_USAGE
#define szOID_KEY_USAGE
Definition: wincrypt.h:3185
szOID_BASIC_CONSTRAINTS
#define szOID_BASIC_CONSTRAINTS
Definition: wincrypt.h:3183
szOID_SUBJECT_ALT_NAME
#define szOID_SUBJECT_ALT_NAME
Definition: wincrypt.h:3180
szOID_CERT_POLICIES
#define szOID_CERT_POLICIES
Definition: wincrypt.h:3197
szOID_SUBJECT_ALT_NAME2
#define szOID_SUBJECT_ALT_NAME2
Definition: wincrypt.h:3187
LPCSTR
const char * LPCSTR
Definition: xmlstorage.h:183

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_DecodeBasicConstraints()

static BOOL CRYPT_DecodeBasicConstraints ( PCCERT_CONTEXT  cert,
CERT_BASIC_CONSTRAINTS2_INFO constraints,
BOOL  defaultIfNotSpecified 
)
static

Definition at line 513 of file chain.c.

515{
516 BOOL ret = TRUE;
517 PCERT_EXTENSION ext = CertFindExtension(szOID_BASIC_CONSTRAINTS,
518 cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
519
520 constraints->fPathLenConstraint = FALSE;
521 if (ext)
522 {
523 CERT_BASIC_CONSTRAINTS_INFO *info;
524 DWORD size = 0;
525
526 ret = CryptDecodeObjectEx(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS,
527 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG,
528 NULL, &info, &size);
529 if (ret)
530 {
531 if (info->SubjectType.cbData == 1)
532 constraints->fCA =
533 info->SubjectType.pbData[0] & CERT_CA_SUBJECT_FLAG;
534 LocalFree(info);
535 }
536 }
537 else
538 {
539 ext = CertFindExtension(szOID_BASIC_CONSTRAINTS2,
540 cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
541 if (ext)
542 {
543 DWORD size = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
544
545 ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
546 szOID_BASIC_CONSTRAINTS2, ext->Value.pbData, ext->Value.cbData,
547 0, NULL, constraints, &size);
548 }
549 else
550 constraints->fCA = defaultIfNotSpecified;
551 }
552 return ret;
553}
_CERT_BASIC_CONSTRAINTS_INFO
Definition: wincrypt.h:370
CERT_CA_SUBJECT_FLAG
#define CERT_CA_SUBJECT_FLAG
Definition: wincrypt.h:378
CERT_BASIC_CONSTRAINTS2_INFO
struct _CERT_BASIC_CONSTRAINTS2_INFO CERT_BASIC_CONSTRAINTS2_INFO

Referenced by CRYPT_CheckBasicConstraintsForCA(), and CRYPT_CheckSimpleChain().

◆ CRYPT_FindCertInStore()

static PCCERT_CONTEXT CRYPT_FindCertInStore ( HCERTSTORE  store,
PCCERT_CONTEXT  cert 
)
static

Definition at line 72 of file chain.c.

74{
75 PCCERT_CONTEXT matching = NULL;
76 BYTE hash[20];
77 DWORD size = sizeof(hash);
78
79 if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID, hash, &size))
80 {
81 CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
82
83 matching = CertFindCertificateInStore(store, cert->dwCertEncodingType,
84 0, CERT_FIND_SHA1_HASH, &blob, NULL);
85 }
86 return matching;
87}

Referenced by CRYPT_CheckRestrictedRoot(), and CRYPT_CheckTrustedStatus().

◆ CRYPT_FindIssuer()

static PCCERT_CONTEXT CRYPT_FindIssuer ( const CertificateChainEngine engine,
const CERT_CONTEXT cert,
HCERTSTORE  store,
DWORD  type,
void para,
DWORD  flags,
PCCERT_CONTEXT  prev_issuer 
)
static

Definition at line 1982 of file chain.c.

1984{
1985 CRYPT_URL_ARRAY *urls;
1986 PCCERT_CONTEXT issuer;
1987 DWORD size;
1988 BOOL res;
1989
1990 issuer = CertFindCertificateInStore(store, cert->dwCertEncodingType, 0, type, para, prev_issuer);
1991 if(issuer) {
1992 TRACE("Found in store %p\n", issuer);
1993 return issuer;
1994 }
1995
1996 /* FIXME: For alternate issuers, we don't search world store nor try to retrieve issuer from URL.
1997 * This needs more tests.
1998 */
1999 if(prev_issuer)
2000 return NULL;
2001
2002 if(engine->hWorld) {
2003 issuer = CertFindCertificateInStore(engine->hWorld, cert->dwCertEncodingType, 0, type, para, NULL);
2004 if(issuer) {
2005 TRACE("Found in world %p\n", issuer);
2006 return issuer;
2007 }
2008 }
2009
2010 res = CryptGetObjectUrl(URL_OID_CERTIFICATE_ISSUER, (void*)cert, 0, NULL, &size, NULL, NULL, NULL);
2011 if(!res)
2012 return NULL;
2013
2014 urls = HeapAlloc(GetProcessHeap(), 0, size);
2015 if(!urls)
2016 return NULL;
2017
2018 res = CryptGetObjectUrl(URL_OID_CERTIFICATE_ISSUER, (void*)cert, 0, urls, &size, NULL, NULL, NULL);
2019 if(res)
2020 {
2021 CERT_CONTEXT *new_cert;
2022 HCERTSTORE new_store;
2023 unsigned i;
2024
2025 for(i=0; i < urls->cUrl; i++)
2026 {
2027 TRACE("Trying URL %s\n", debugstr_w(urls->rgwszUrl[i]));
2028
2029 res = CryptRetrieveObjectByUrlW(urls->rgwszUrl[i], CONTEXT_OID_CERTIFICATE,
2030 (flags & CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL) ? CRYPT_CACHE_ONLY_RETRIEVAL : CRYPT_AIA_RETRIEVAL,
2031 0, (void**)&new_cert, NULL, NULL, NULL, NULL);
2032 if(!res)
2033 {
2034 TRACE("CryptRetrieveObjectByUrlW failed: %u\n", GetLastError());
2035 continue;
2036 }
2037
2038 /* FIXME: Use new_cert->hCertStore once cert ref count bug is fixed. */
2039 new_store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL);
2040 CertAddCertificateContextToStore(new_store, new_cert, CERT_STORE_ADD_NEW, NULL);
2041 issuer = CertFindCertificateInStore(new_store, cert->dwCertEncodingType, 0, type, para, NULL);
2042 CertFreeCertificateContext(new_cert);
2043 CertCloseStore(new_store, 0);
2044 if(issuer)
2045 {
2046 TRACE("Found downloaded issuer %p\n", issuer);
2047 break;
2048 }
2049 }
2050 }
2051
2052 HeapFree(GetProcessHeap(), 0, urls);
2053 return issuer;
2054}
CryptRetrieveObjectByUrlW
BOOL WINAPI CryptRetrieveObjectByUrlW(LPCWSTR pszURL, LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout, LPVOID *ppvObject, HCRYPTASYNC hAsyncRetrieve, PCRYPT_CREDENTIALS pCredentials, LPVOID pvVerify, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
Definition: cryptnet_main.c:1489
CryptGetObjectUrl
BOOL WINAPI CryptGetObjectUrl(LPCSTR pszUrlOid, LPVOID pvPara, DWORD dwFlags, PCRYPT_URL_ARRAY pUrlArray, DWORD *pcbUrlArray, PCRYPT_URL_INFO pUrlInfo, DWORD *pcbUrlInfo, LPVOID pvReserved)
Definition: cryptnet_main.c:351
CertAddCertificateContextToStore
BOOL WINAPI CertAddCertificateContextToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition, PCCERT_CONTEXT *ppStoreContext)
Definition: cert.c:286
GetProcessHeap
#define GetProcessHeap()
Definition: compat.h:736
HeapAlloc
#define HeapAlloc
Definition: compat.h:733
HeapFree
#define HeapFree(x, y, z)
Definition: compat.h:735
type
GLuint GLuint GLsizei GLenum type
Definition: gl.h:1545
res
GLuint res
Definition: glext.h:9613
debugstr_w
#define debugstr_w
Definition: kernel32.h:32
_CRYPT_URL_ARRAY
Definition: wincrypt.h:1512
_CRYPT_URL_ARRAY::cUrl
DWORD cUrl
Definition: wincrypt.h:1513
_CRYPT_URL_ARRAY::rgwszUrl
LPWSTR * rgwszUrl
Definition: wincrypt.h:1514
GetLastError
DWORD WINAPI GetLastError(void)
Definition: except.c:1042
CONTEXT_OID_CERTIFICATE
#define CONTEXT_OID_CERTIFICATE
Definition: wincrypt.h:1627
URL_OID_CERTIFICATE_ISSUER
#define URL_OID_CERTIFICATE_ISSUER
Definition: wincrypt.h:1524
CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL
#define CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL
Definition: wincrypt.h:3618
CRYPT_AIA_RETRIEVAL
#define CRYPT_AIA_RETRIEVAL
Definition: wincrypt.h:1645
CERT_STORE_PROV_MEMORY
#define CERT_STORE_PROV_MEMORY
Definition: wincrypt.h:2251
CERT_STORE_ADD_NEW
#define CERT_STORE_ADD_NEW
Definition: wincrypt.h:2482
CRYPT_CACHE_ONLY_RETRIEVAL
#define CRYPT_CACHE_ONLY_RETRIEVAL
Definition: wincrypt.h:1634

Referenced by CRYPT_GetIssuer().

◆ CRYPT_FindIthElementInChain()

static PCERT_CHAIN_ELEMENT CRYPT_FindIthElementInChain ( const CERT_CHAIN_CONTEXT chain,
DWORD  i 
)
static

Definition at line 2611 of file chain.c.

2613{
2614 DWORD j, iElement;
2615 PCERT_CHAIN_ELEMENT element = NULL;
2616
2617 for (j = 0, iElement = 0; !element && j < chain->cChain; j++)
2618 {
2619 if (iElement + chain->rgpChain[j]->cElement < i)
2620 iElement += chain->rgpChain[j]->cElement;
2621 else
2622 element = chain->rgpChain[j]->rgpElement[i - iElement];
2623 }
2624 return element;
2625}

Referenced by CRYPT_VerifyChainRevocation().

◆ CRYPT_FreeChainContext()

static void CRYPT_FreeChainContext ( CertificateChain chain)
static

Definition at line 2362 of file chain.c.

2363{
2364 DWORD i;
2365
2366 CRYPT_FreeLowerQualityChains(chain);
2367 for (i = 0; i < chain->context.cChain; i++)
2368 CRYPT_FreeSimpleChain(chain->context.rgpChain[i]);
2369 CryptMemFree(chain->context.rgpChain);
2370 CertCloseStore(chain->world, 0);
2371 CryptMemFree(chain);
2372}

Referenced by CertFreeCertificateChain(), CRYPT_BuildAlternateContextFromChain(), and CRYPT_CopyChainToElement().

◆ CRYPT_FreeChainElement()

static void CRYPT_FreeChainElement ( PCERT_CHAIN_ELEMENT  element)
static

Definition at line 377 of file chain.c.

378{
379 CertFreeCertificateContext(element->pCertContext);
380 CryptMemFree(element);
381}

Referenced by CRYPT_CheckSimpleChainForCycles(), and CRYPT_FreeSimpleChain().

◆ CRYPT_FreeLowerQualityChains()

static void CRYPT_FreeLowerQualityChains ( CertificateChain chain)
static

Definition at line 2351 of file chain.c.

2352{
2353 DWORD i;
2354
2355 for (i = 0; i < chain->context.cLowerQualityChainContext; i++)
2356 CertFreeCertificateChain(chain->context.rgpLowerQualityChainContext[i]);
2357 CryptMemFree(chain->context.rgpLowerQualityChainContext);
2358 chain->context.cLowerQualityChainContext = 0;
2359 chain->context.rgpLowerQualityChainContext = NULL;
2360}

Referenced by CertGetCertificateChain(), and CRYPT_FreeChainContext().

◆ CRYPT_FreeSimpleChain()

static void CRYPT_FreeSimpleChain ( PCERT_SIMPLE_CHAIN  chain)
static

Definition at line 468 of file chain.c.

469{
470 DWORD i;
471
472 for (i = 0; i < chain->cElement; i++)
473 CRYPT_FreeChainElement(chain->rgpElement[i]);
474 CryptMemFree(chain->rgpElement);
475 CryptMemFree(chain);
476}

Referenced by CRYPT_BuildCandidateChainFromCert(), CRYPT_FreeChainContext(), and CRYPT_GetSimpleChainForCert().

◆ CRYPT_GetIssuer()

static PCCERT_CONTEXT CRYPT_GetIssuer ( const CertificateChainEngine engine,
HCERTSTORE  store,
PCCERT_CONTEXT  subject,
PCCERT_CONTEXT  prevIssuer,
DWORD  flags,
DWORD infoStatus 
)
static

Definition at line 2056 of file chain.c.

2059{
2060 PCCERT_CONTEXT issuer = NULL;
2061 PCERT_EXTENSION ext;
2062 DWORD size;
2063
2064 *infoStatus = 0;
2065 if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
2066 subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
2067 {
2068 CERT_AUTHORITY_KEY_ID_INFO *info;
2069 BOOL ret;
2070
2071 ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
2072 X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
2073 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
2074 &info, &size);
2075 if (ret)
2076 {
2077 CERT_ID id;
2078
2079 if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
2080 {
2081 id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
2082 memcpy(&id.u.IssuerSerialNumber.Issuer, &info->CertIssuer,
2083 sizeof(CERT_NAME_BLOB));
2084 memcpy(&id.u.IssuerSerialNumber.SerialNumber,
2085 &info->CertSerialNumber, sizeof(CRYPT_INTEGER_BLOB));
2086
2087 issuer = CRYPT_FindIssuer(engine, subject, store, CERT_FIND_CERT_ID, &id, flags, prevIssuer);
2088 if (issuer)
2089 {
2090 TRACE_(chain)("issuer found by issuer/serial number\n");
2091 *infoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER;
2092 }
2093 }
2094 else if (info->KeyId.cbData)
2095 {
2096 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
2097
2098 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
2099 issuer = CRYPT_FindIssuer(engine, subject, store, CERT_FIND_CERT_ID, &id, flags, prevIssuer);
2100 if (issuer)
2101 {
2102 TRACE_(chain)("issuer found by key id\n");
2103 *infoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
2104 }
2105 }
2106 LocalFree(info);
2107 }
2108 }
2109 else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
2110 subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
2111 {
2112 CERT_AUTHORITY_KEY_ID2_INFO *info;
2113 BOOL ret;
2114
2115 ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
2116 X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
2117 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
2118 &info, &size);
2119 if (ret)
2120 {
2121 CERT_ID id;
2122
2123 if (info->AuthorityCertIssuer.cAltEntry &&
2124 info->AuthorityCertSerialNumber.cbData)
2125 {
2126 PCERT_ALT_NAME_ENTRY directoryName = NULL;
2127 DWORD i;
2128
2129 for (i = 0; !directoryName &&
2130 i < info->AuthorityCertIssuer.cAltEntry; i++)
2131 if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
2132 == CERT_ALT_NAME_DIRECTORY_NAME)
2133 directoryName =
2134 &info->AuthorityCertIssuer.rgAltEntry[i];
2135 if (directoryName)
2136 {
2137 id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
2138 memcpy(&id.u.IssuerSerialNumber.Issuer,
2139 &directoryName->u.DirectoryName, sizeof(CERT_NAME_BLOB));
2140 memcpy(&id.u.IssuerSerialNumber.SerialNumber,
2141 &info->AuthorityCertSerialNumber,
2142 sizeof(CRYPT_INTEGER_BLOB));
2143
2144 issuer = CRYPT_FindIssuer(engine, subject, store, CERT_FIND_CERT_ID, &id, flags, prevIssuer);
2145 if (issuer)
2146 {
2147 TRACE_(chain)("issuer found by directory name\n");
2148 *infoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER;
2149 }
2150 }
2151 else
2152 FIXME("no supported name type in authority key id2\n");
2153 }
2154 else if (info->KeyId.cbData)
2155 {
2156 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
2157 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
2158 issuer = CRYPT_FindIssuer(engine, subject, store, CERT_FIND_CERT_ID, &id, flags, prevIssuer);
2159 if (issuer)
2160 {
2161 TRACE_(chain)("issuer found by key id\n");
2162 *infoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
2163 }
2164 }
2165 LocalFree(info);
2166 }
2167 }
2168 else
2169 {
2170 issuer = CRYPT_FindIssuer(engine, subject, store, CERT_FIND_SUBJECT_NAME,
2171 &subject->pCertInfo->Issuer, flags, prevIssuer);
2172 TRACE_(chain)("issuer found by name\n");
2173 *infoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
2174 }
2175 return issuer;
2176}
CRYPT_FindIssuer
static PCCERT_CONTEXT CRYPT_FindIssuer(const CertificateChainEngine *engine, const CERT_CONTEXT *cert, HCERTSTORE store, DWORD type, void *para, DWORD flags, PCCERT_CONTEXT prev_issuer)
Definition: chain.c:1982
id
GLuint id
Definition: glext.h:5910
u
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble * u
Definition: glfuncs.h:240
memcpy
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
_CERT_AUTHORITY_KEY_ID2_INFO
Definition: wincrypt.h:462
_CERT_AUTHORITY_KEY_ID_INFO
Definition: wincrypt.h:281
_CERT_CONTEXT::dwCertEncodingType
DWORD dwCertEncodingType
Definition: wincrypt.h:479
_CERT_ID
Definition: wincrypt.h:3664
_CERT_INFO::Issuer
CERT_NAME_BLOB Issuer
Definition: wincrypt.h:244
CERT_FIND_CERT_ID
#define CERT_FIND_CERT_ID
Definition: wincrypt.h:2907
X509_AUTHORITY_KEY_ID2
#define X509_AUTHORITY_KEY_ID2
Definition: wincrypt.h:3398
szOID_AUTHORITY_KEY_IDENTIFIER
#define szOID_AUTHORITY_KEY_IDENTIFIER
Definition: wincrypt.h:3175
CERT_ID_ISSUER_SERIAL_NUMBER
#define CERT_ID_ISSUER_SERIAL_NUMBER
Definition: wincrypt.h:3673
CERT_ID_KEY_IDENTIFIER
#define CERT_ID_KEY_IDENTIFIER
Definition: wincrypt.h:3674
CERT_TRUST_HAS_EXACT_MATCH_ISSUER
#define CERT_TRUST_HAS_EXACT_MATCH_ISSUER
Definition: wincrypt.h:896
CERT_TRUST_HAS_KEY_MATCH_ISSUER
#define CERT_TRUST_HAS_KEY_MATCH_ISSUER
Definition: wincrypt.h:897
X509_AUTHORITY_KEY_ID
#define X509_AUTHORITY_KEY_ID
Definition: wincrypt.h:3374
CERT_TRUST_HAS_NAME_MATCH_ISSUER
#define CERT_TRUST_HAS_NAME_MATCH_ISSUER
Definition: wincrypt.h:898
CERT_FIND_SUBJECT_NAME
#define CERT_FIND_SUBJECT_NAME
Definition: wincrypt.h:2878
szOID_AUTHORITY_KEY_IDENTIFIER2
#define szOID_AUTHORITY_KEY_IDENTIFIER2
Definition: wincrypt.h:3200

Referenced by CRYPT_BuildAlternateContextFromChain(), and CRYPT_BuildSimpleChain().

◆ CRYPT_GetNameConstraints()

static CERT_NAME_CONSTRAINTS_INFO * CRYPT_GetNameConstraints ( CERT_INFO cert)
static

Definition at line 1215 of file chain.c.

1216{
1217 CERT_NAME_CONSTRAINTS_INFO *info = NULL;
1218
1219 CERT_EXTENSION *ext;
1220
1221 if ((ext = CertFindExtension(szOID_NAME_CONSTRAINTS, cert->cExtension,
1222 cert->rgExtension)))
1223 {
1224 DWORD size;
1225
1226 CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME_CONSTRAINTS,
1227 ext->Value.pbData, ext->Value.cbData,
1228 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &info,
1229 &size);
1230 }
1231 return info;
1232}
X509_NAME_CONSTRAINTS
#define X509_NAME_CONSTRAINTS
Definition: wincrypt.h:3425

Referenced by CRYPT_CheckChainNameConstraints().

◆ CRYPT_GetPolicies()

static CERT_POLICIES_INFO * CRYPT_GetPolicies ( PCCERT_CONTEXT  cert)
static

Definition at line 1339 of file chain.c.

1340{
1341 PCERT_EXTENSION ext;
1342 CERT_POLICIES_INFO *policies = NULL;
1343
1344 ext = CertFindExtension(szOID_KEY_USAGE, cert->pCertInfo->cExtension,
1345 cert->pCertInfo->rgExtension);
1346 if (ext)
1347 {
1348 DWORD size;
1349
1350 CryptDecodeObjectEx(X509_ASN_ENCODING, X509_CERT_POLICIES,
1351 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1352 &policies, &size);
1353 }
1354 return policies;
1355}
X509_CERT_POLICIES
#define X509_CERT_POLICIES
Definition: wincrypt.h:3381

Referenced by CRYPT_CheckChainPolicies().

◆ CRYPT_GetSimpleChainForCert()

static BOOL CRYPT_GetSimpleChainForCert ( CertificateChainEngine engine,
HCERTSTORE  world,
PCCERT_CONTEXT  cert,
LPFILETIME  pTime,
DWORD  flags,
PCERT_SIMPLE_CHAIN ppChain 
)
static

Definition at line 2220 of file chain.c.

2223{
2224 BOOL ret = FALSE;
2225 PCERT_SIMPLE_CHAIN chain;
2226
2227 TRACE("(%p, %p, %p, %s)\n", engine, world, cert, debugstr_filetime(pTime));
2228
2229 chain = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
2230 if (chain)
2231 {
2232 memset(chain, 0, sizeof(CERT_SIMPLE_CHAIN));
2233 chain->cbSize = sizeof(CERT_SIMPLE_CHAIN);
2234 ret = CRYPT_AddCertToSimpleChain(engine, chain, cert, 0);
2235 if (ret)
2236 {
2237 ret = CRYPT_BuildSimpleChain(engine, world, flags, chain);
2238 if (ret)
2239 CRYPT_CheckSimpleChain(engine, chain, pTime);
2240 }
2241 if (!ret)
2242 {
2243 CRYPT_FreeSimpleChain(chain);
2244 chain = NULL;
2245 }
2246 *ppChain = chain;
2247 }
2248 return ret;
2249}

Referenced by CRYPT_BuildCandidateChainFromCert().

◆ CRYPT_IsCertificateSelfSigned()

DWORD CRYPT_IsCertificateSelfSigned ( const CERT_CONTEXT cert)

Definition at line 268 of file chain.c.

269{
270 DWORD size, status = 0;
271 PCERT_EXTENSION ext;
272 BOOL ret;
273
274 if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
275 cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
276 {
277 CERT_AUTHORITY_KEY_ID2_INFO *info;
278
279 ret = CryptDecodeObjectEx(cert->dwCertEncodingType,
280 X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
281 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
282 &info, &size);
283 if (ret)
284 {
285 if (info->AuthorityCertIssuer.cAltEntry &&
286 info->AuthorityCertSerialNumber.cbData)
287 {
288 PCERT_ALT_NAME_ENTRY directoryName = NULL;
289 DWORD i;
290
291 for (i = 0; !directoryName &&
292 i < info->AuthorityCertIssuer.cAltEntry; i++)
293 if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
294 == CERT_ALT_NAME_DIRECTORY_NAME)
295 directoryName =
296 &info->AuthorityCertIssuer.rgAltEntry[i];
297 if (directoryName)
298 {
299 if (CertCompareCertificateName(cert->dwCertEncodingType, &directoryName->u.DirectoryName, &cert->pCertInfo->Issuer)
300 && CertCompareIntegerBlob(&info->AuthorityCertSerialNumber, &cert->pCertInfo->SerialNumber))
301 status = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
302 }
303 else
304 {
305 FIXME("no supported name type in authority key id2\n");
306 ret = FALSE;
307 }
308 }
309 else if (info->KeyId.cbData)
310 {
311 ret = CertGetCertificateContextProperty(cert,
312 CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
313 if (ret && size == info->KeyId.cbData)
314 {
315 LPBYTE buf = CryptMemAlloc(size);
316
317 if (buf)
318 {
319 CertGetCertificateContextProperty(cert, CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
320 if (!memcmp(buf, info->KeyId.pbData, size))
321 status = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
322 CryptMemFree(buf);
323 }
324 }
325 }
326 LocalFree(info);
327 }
328 }
329 else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
330 cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
331 {
332 CERT_AUTHORITY_KEY_ID_INFO *info;
333
334 ret = CryptDecodeObjectEx(cert->dwCertEncodingType,
335 X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
336 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
337 &info, &size);
338 if (ret)
339 {
340 if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
341 {
342 if (CertCompareCertificateName(cert->dwCertEncodingType, &info->CertIssuer, &cert->pCertInfo->Issuer)
343 && CertCompareIntegerBlob(&info->CertSerialNumber, &cert->pCertInfo->SerialNumber))
344 status = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
345 }
346 else if (info->KeyId.cbData)
347 {
348 ret = CertGetCertificateContextProperty(cert,
349 CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
350 if (ret && size == info->KeyId.cbData)
351 {
352 LPBYTE buf = CryptMemAlloc(size);
353
354 if (buf)
355 {
356 CertGetCertificateContextProperty(cert,
357 CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
358 if (!memcmp(buf, info->KeyId.pbData, size))
359 status = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
360 CryptMemFree(buf);
361 }
362 }
363 }
364 LocalFree(info);
365 }
366 }
367 else
368 if (CertCompareCertificateName(cert->dwCertEncodingType, &cert->pCertInfo->Subject, &cert->pCertInfo->Issuer))
369 status = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
370
371 if (status)
372 status |= CERT_TRUST_IS_SELF_SIGNED;
373
374 return status;
375}
memcmp
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
Definition: utclib.c:112
CertCompareCertificateName
BOOL WINAPI CertCompareCertificateName(DWORD dwCertEncodingType, PCERT_NAME_BLOB pCertName1, PCERT_NAME_BLOB pCertName2)
Definition: cert.c:1180
CertCompareIntegerBlob
BOOL WINAPI CertCompareIntegerBlob(PCRYPT_INTEGER_BLOB pInt1, PCRYPT_INTEGER_BLOB pInt2)
Definition: cert.c:1221
buf
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
LPBYTE
unsigned char * LPBYTE
Definition: typedefs.h:53
CERT_KEY_IDENTIFIER_PROP_ID
#define CERT_KEY_IDENTIFIER_PROP_ID
Definition: wincrypt.h:2706
CERT_TRUST_IS_SELF_SIGNED
#define CERT_TRUST_IS_SELF_SIGNED
Definition: wincrypt.h:899

Referenced by CertGetIssuerCertificateFromStore(), CRYPT_BuildSimpleChain(), CRYPT_CheckChainNameConstraints(), and CRYPT_CheckSimpleChain().

◆ CRYPT_IsCertVersionValid()

static BOOL CRYPT_IsCertVersionValid ( PCCERT_CONTEXT  cert)
static

Definition at line 1840 of file chain.c.

1841{
1842 BOOL ret = TRUE;
1843
1844 /* Checks whether the contents of the cert match the cert's version. */
1845 switch (cert->pCertInfo->dwVersion)
1846 {
1847 case CERT_V1:
1848 /* A V1 cert may not contain unique identifiers. See RFC 5280,
1849 * section 4.1.2.8:
1850 * "These fields MUST only appear if the version is 2 or 3 (Section
1851 * 4.1.2.1). These fields MUST NOT appear if the version is 1."
1852 */
1853 if (cert->pCertInfo->IssuerUniqueId.cbData ||
1854 cert->pCertInfo->SubjectUniqueId.cbData)
1855 ret = FALSE;
1856 /* A V1 cert may not contain extensions. See RFC 5280, section 4.1.2.9:
1857 * "This field MUST only appear if the version is 3 (Section 4.1.2.1)."
1858 */
1859 if (cert->pCertInfo->cExtension)
1860 ret = FALSE;
1861 break;
1862 case CERT_V2:
1863 /* A V2 cert may not contain extensions. See RFC 5280, section 4.1.2.9:
1864 * "This field MUST only appear if the version is 3 (Section 4.1.2.1)."
1865 */
1866 if (cert->pCertInfo->cExtension)
1867 ret = FALSE;
1868 break;
1869 case CERT_V3:
1870 /* Do nothing, all fields are allowed for V3 certs */
1871 break;
1872 default:
1873 WARN_(chain)("invalid cert version %d\n", cert->pCertInfo->dwVersion);
1874 ret = FALSE;
1875 }
1876 return ret;
1877}
WARN_
#define WARN_(ch,...)
Definition: debug.h:157
CERT_V3
#define CERT_V3
Definition: wincrypt.h:2658

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_IsEmptyName()

static BOOL CRYPT_IsEmptyName ( const CERT_NAME_BLOB name)
static

Definition at line 1110 of file chain.c.

1111{
1112 BOOL empty;
1113
1114 if (!name->cbData)
1115 empty = TRUE;
1116 else if (name->cbData == 2 && name->pbData[1] == 0)
1117 {
1118 /* An empty sequence is also empty */
1119 empty = TRUE;
1120 }
1121 else
1122 empty = FALSE;
1123 return empty;
1124}
empty
static const WCHAR empty[]
Definition: main.c:47

Referenced by compare_subject_with_constraints().

◆ CRYPT_IsSimpleChainCyclic()

static BOOL CRYPT_IsSimpleChainCyclic ( const CERT_SIMPLE_CHAIN chain)
inlinestatic

Definition at line 407 of file chain.c.

408{
409 if (chain->cElement)
410 return chain->rgpElement[chain->cElement - 1]->TrustStatus.dwErrorStatus
411 & CERT_TRUST_IS_CYCLIC;
412 else
413 return FALSE;
414}

Referenced by CRYPT_BuildSimpleChain(), and CRYPT_CheckSimpleChain().

◆ CRYPT_IsValidNameConstraint()

static BOOL CRYPT_IsValidNameConstraint ( const CERT_NAME_CONSTRAINTS_INFO info)
static

Definition at line 1234 of file chain.c.

1235{
1236 DWORD i;
1237 BOOL ret = TRUE;
1238
1239 /* Make sure at least one permitted or excluded subtree is present. From
1240 * RFC 5280, section 4.2.1.10:
1241 * "Conforming CAs MUST NOT issue certificates where name constraints is an
1242 * empty sequence. That is, either the permittedSubtrees field or the
1243 * excludedSubtrees MUST be present."
1244 */
1245 if (!info->cPermittedSubtree && !info->cExcludedSubtree)
1246 {
1247 WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
1248 ret = FALSE;
1249 }
1250 /* Check that none of the constraints specifies a minimum or a maximum.
1251 * See RFC 5280, section 4.2.1.10:
1252 * "Within this profile, the minimum and maximum fields are not used with
1253 * any name forms, thus, the minimum MUST be zero, and maximum MUST be
1254 * absent. However, if an application encounters a critical name
1255 * constraints extension that specifies other values for minimum or
1256 * maximum for a name form that appears in a subsequent certificate, the
1257 * application MUST either process these fields or reject the
1258 * certificate."
1259 * Since it gives no guidance as to how to process these fields, we
1260 * reject any name constraint that contains them.
1261 */
1262 for (i = 0; ret && i < info->cPermittedSubtree; i++)
1263 if (info->rgPermittedSubtree[i].dwMinimum ||
1264 info->rgPermittedSubtree[i].fMaximum)
1265 {
1266 TRACE_(chain)("found a minimum or maximum in permitted subtrees\n");
1267 ret = FALSE;
1268 }
1269 for (i = 0; ret && i < info->cExcludedSubtree; i++)
1270 if (info->rgExcludedSubtree[i].dwMinimum ||
1271 info->rgExcludedSubtree[i].fMaximum)
1272 {
1273 TRACE_(chain)("found a minimum or maximum in excluded subtrees\n");
1274 ret = FALSE;
1275 }
1276 return ret;
1277}

Referenced by CRYPT_CheckChainNameConstraints().

◆ CRYPT_KeyUsageValid()

static BOOL CRYPT_KeyUsageValid ( CertificateChainEngine engine,
PCCERT_CONTEXT  cert,
BOOL  isRoot,
BOOL  isCA,
DWORD  index 
)
static

Definition at line 1723 of file chain.c.

1725{
1726 PCERT_EXTENSION ext;
1727 BOOL ret;
1728 BYTE usageBits = 0;
1729
1730 ext = CertFindExtension(szOID_KEY_USAGE, cert->pCertInfo->cExtension,
1731 cert->pCertInfo->rgExtension);
1732 if (ext)
1733 {
1734 CRYPT_BIT_BLOB usage;
1735 DWORD size = sizeof(usage);
1736
1737 ret = CryptDecodeObjectEx(cert->dwCertEncodingType, X509_BITS,
1738 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL,
1739 &usage, &size);
1740 if (!ret)
1741 return FALSE;
1742 else if (usage.cbData > 2)
1743 {
1744 /* The key usage extension only defines 9 bits => no more than 2
1745 * bytes are needed to encode all known usages.
1746 */
1747 return FALSE;
1748 }
1749 else
1750 {
1751 /* The only bit relevant to chain validation is the keyCertSign
1752 * bit, which is always in the least significant byte of the
1753 * key usage bits.
1754 */
1755 usageBits = usage.pbData[usage.cbData - 1];
1756 }
1757 }
1758 if (isCA)
1759 {
1760 if (!ext)
1761 {
1762 /* MS appears to violate RFC 5280, section 4.2.1.3 (Key Usage)
1763 * here. Quoting the RFC:
1764 * "This [key usage] extension MUST appear in certificates that
1765 * contain public keys that are used to validate digital signatures
1766 * on other public key certificates or CRLs."
1767 * MS appears to accept certs that do not contain key usage
1768 * extensions as CA certs. V1 and V2 certificates did not have
1769 * extensions, and many root certificates are V1 certificates, so
1770 * perhaps this is prudent. On the other hand, MS also accepts V3
1771 * certs without key usage extensions. Because some CAs, e.g.
1772 * Certum, also do not include key usage extensions in their
1773 * intermediate certificates, we are forced to accept V3
1774 * certificates without key usage extensions as well.
1775 */
1776 ret = TRUE;
1777 }
1778 else
1779 {
1780 if (!(usageBits & CERT_KEY_CERT_SIGN_KEY_USAGE))
1781 {
1782 WARN_(chain)("keyCertSign not asserted on a CA cert\n");
1783 ret = FALSE;
1784 }
1785 else
1786 ret = TRUE;
1787 }
1788 }
1789 else
1790 {
1791 if (ext && (usageBits & CERT_KEY_CERT_SIGN_KEY_USAGE))
1792 {
1793 WARN_(chain)("keyCertSign asserted on a non-CA cert\n");
1794 ret = FALSE;
1795 }
1796 else
1797 ret = TRUE;
1798 }
1799 return ret;
1800}
_CRYPT_BIT_BLOB
Definition: wincrypt.h:195
X509_BITS
#define X509_BITS
Definition: wincrypt.h:3392
CERT_KEY_CERT_SIGN_KEY_USAGE
#define CERT_KEY_CERT_SIGN_KEY_USAGE
Definition: wincrypt.h:309

Referenced by CRYPT_CheckSimpleChain().

◆ CRYPT_VerifyChainRevocation()

static void CRYPT_VerifyChainRevocation ( PCERT_CHAIN_CONTEXT  chain,
LPFILETIME  pTime,
HCERTSTORE  hAdditionalStore,
const CERT_CHAIN_PARA pChainPara,
DWORD  chainFlags 
)
static

Definition at line 2632 of file chain.c.

2635{
2636 DWORD cContext;
2637
2638 if (chainFlags & CERT_CHAIN_REVOCATION_CHECK_END_CERT)
2639 cContext = 1;
2640 else if ((chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN) ||
2641 (chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT))
2642 {
2643 DWORD i;
2644
2645 for (i = 0, cContext = 0; i < chain->cChain; i++)
2646 {
2647 if (i < chain->cChain - 1 ||
2648 chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN)
2649 cContext += chain->rgpChain[i]->cElement;
2650 else
2651 cContext += chain->rgpChain[i]->cElement - 1;
2652 }
2653 }
2654 else
2655 cContext = 0;
2656 if (cContext)
2657 {
2658 DWORD i, j, iContext, revocationFlags;
2659 CERT_REVOCATION_PARA revocationPara = { sizeof(revocationPara), 0 };
2660 CERT_REVOCATION_STATUS revocationStatus =
2661 { sizeof(revocationStatus), 0 };
2662 BOOL ret;
2663
2664 revocationFlags = CERT_VERIFY_REV_CHAIN_FLAG;
2665 if (chainFlags & CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY)
2666 revocationFlags |= CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION;
2667 if (chainFlags & CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT)
2668 revocationFlags |= CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG;
2669 revocationPara.pftTimeToUse = pTime;
2670 if (hAdditionalStore)
2671 {
2672 revocationPara.cCertStore = 1;
2673 revocationPara.rgCertStore = &hAdditionalStore;
2674 revocationPara.hCrlStore = hAdditionalStore;
2675 }
2676 if (pChainPara->cbSize == sizeof(CERT_CHAIN_PARA))
2677 {
2678 revocationPara.dwUrlRetrievalTimeout =
2679 pChainPara->dwUrlRetrievalTimeout;
2680 revocationPara.fCheckFreshnessTime =
2681 pChainPara->fCheckRevocationFreshnessTime;
2682 revocationPara.dwFreshnessTime =
2683 pChainPara->dwRevocationFreshnessTime;
2684 }
2685 for (i = 0, iContext = 0; iContext < cContext && i < chain->cChain; i++)
2686 {
2687 for (j = 0; iContext < cContext &&
2688 j < chain->rgpChain[i]->cElement; j++, iContext++)
2689 {
2690 PCCERT_CONTEXT certToCheck =
2691 chain->rgpChain[i]->rgpElement[j]->pCertContext;
2692
2693 if (j < chain->rgpChain[i]->cElement - 1)
2694 revocationPara.pIssuerCert =
2695 chain->rgpChain[i]->rgpElement[j + 1]->pCertContext;
2696 else
2697 revocationPara.pIssuerCert = NULL;
2698 ret = CertVerifyRevocation(X509_ASN_ENCODING,
2699 CERT_CONTEXT_REVOCATION_TYPE, 1, (void **)&certToCheck,
2700 revocationFlags, &revocationPara, &revocationStatus);
2701
2702 if (!ret && chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN
2703 && revocationStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK && revocationPara.pIssuerCert == NULL)
2704 ret = TRUE;
2705
2706 if (!ret)
2707 {
2708 PCERT_CHAIN_ELEMENT element = CRYPT_FindIthElementInChain(
2709 chain, iContext);
2710 DWORD error;
2711
2712 switch (revocationStatus.dwError)
2713 {
2714 case CRYPT_E_NO_REVOCATION_CHECK:
2715 case CRYPT_E_NO_REVOCATION_DLL:
2716 case CRYPT_E_NOT_IN_REVOCATION_DATABASE:
2717 /* If the revocation status is unknown, it's assumed
2718 * to be offline too.
2719 */
2720 error = CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
2721 CERT_TRUST_IS_OFFLINE_REVOCATION;
2722 break;
2723 case CRYPT_E_REVOCATION_OFFLINE:
2724 error = CERT_TRUST_IS_OFFLINE_REVOCATION;
2725 break;
2726 case CRYPT_E_REVOKED:
2727 error = CERT_TRUST_IS_REVOKED;
2728 break;
2729 default:
2730 WARN("unmapped error %08x\n", revocationStatus.dwError);
2731 error = 0;
2732 }
2733 if (element)
2734 {
2735 /* FIXME: set element's pRevocationInfo member */
2736 element->TrustStatus.dwErrorStatus |= error;
2737 }
2738 chain->TrustStatus.dwErrorStatus |= error;
2739 }
2740 }
2741 }
2742 }
2743}
WARN
#define WARN(fmt,...)
Definition: debug.h:112
CertVerifyRevocation
BOOL WINAPI CertVerifyRevocation(DWORD dwEncodingType, DWORD dwRevType, DWORD cContext, PVOID rgpvContext[], DWORD dwFlags, PCERT_REVOCATION_PARA pRevPara, PCERT_REVOCATION_STATUS pRevStatus)
Definition: cert.c:1934
CRYPT_FindIthElementInChain
static PCERT_CHAIN_ELEMENT CRYPT_FindIthElementInChain(const CERT_CHAIN_CONTEXT *chain, DWORD i)
Definition: chain.c:2611
error
#define error(str)
Definition: mkdosfs.c:1605
_CERT_REVOCATION_PARA
Definition: wincrypt.h:802
_CERT_REVOCATION_PARA::pftTimeToUse
LPFILETIME pftTimeToUse
Definition: wincrypt.h:808
_CERT_REVOCATION_PARA::hCrlStore
HCERTSTORE hCrlStore
Definition: wincrypt.h:807
_CERT_REVOCATION_PARA::pIssuerCert
PCCERT_CONTEXT pIssuerCert
Definition: wincrypt.h:804
_CERT_REVOCATION_PARA::cCertStore
DWORD cCertStore
Definition: wincrypt.h:805
_CERT_REVOCATION_PARA::rgCertStore
HCERTSTORE * rgCertStore
Definition: wincrypt.h:806
_CERT_REVOCATION_STATUS
Definition: wincrypt.h:854
_CERT_REVOCATION_STATUS::dwError
DWORD dwError
Definition: wincrypt.h:857
CERT_TRUST_IS_REVOKED
#define CERT_TRUST_IS_REVOKED
Definition: wincrypt.h:872
CERT_TRUST_REVOCATION_STATUS_UNKNOWN
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN
Definition: wincrypt.h:876
CERT_CHAIN_REVOCATION_CHECK_CHAIN
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN
Definition: wincrypt.h:1057
CERT_CHAIN_REVOCATION_CHECK_END_CERT
#define CERT_CHAIN_REVOCATION_CHECK_END_CERT
Definition: wincrypt.h:1056
CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT
#define CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT
Definition: wincrypt.h:1061
CERT_TRUST_IS_OFFLINE_REVOCATION
#define CERT_TRUST_IS_OFFLINE_REVOCATION
Definition: wincrypt.h:886
CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION
#define CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION
Definition: wincrypt.h:820
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
Definition: wincrypt.h:1058
CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG
#define CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG
Definition: wincrypt.h:821
CERT_CONTEXT_REVOCATION_TYPE
#define CERT_CONTEXT_REVOCATION_TYPE
Definition: wincrypt.h:818
CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY
#define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY
Definition: wincrypt.h:1059
CERT_VERIFY_REV_CHAIN_FLAG
#define CERT_VERIFY_REV_CHAIN_FLAG
Definition: wincrypt.h:819
CRYPT_E_REVOKED
#define CRYPT_E_REVOKED
Definition: winerror.h:3019
CRYPT_E_NO_REVOCATION_DLL
#define CRYPT_E_NO_REVOCATION_DLL
Definition: winerror.h:3020
CRYPT_E_NOT_IN_REVOCATION_DATABASE
#define CRYPT_E_NOT_IN_REVOCATION_DATABASE
Definition: winerror.h:3023
CRYPT_E_NO_REVOCATION_CHECK
#define CRYPT_E_NO_REVOCATION_CHECK
Definition: winerror.h:3021
CRYPT_E_REVOCATION_OFFLINE
#define CRYPT_E_REVOCATION_OFFLINE
Definition: winerror.h:3022

Referenced by CertGetCertificateChain().

◆ debugstr_filetime()

static LPCSTR debugstr_filetime ( LPFILETIME  pTime)
static

Definition at line 2213 of file chain.c.

2214{
2215 if (!pTime)
2216 return "(nil)";
2217 return wine_dbg_sprintf("%p (%s)", pTime, filetime_to_str(pTime));
2218}
wine_dbg_sprintf
const char * wine_dbg_sprintf(const char *format,...)
Definition: compat.c:296

Referenced by CertGetCertificateChain(), CRYPT_BuildAlternateContextFromChain(), and CRYPT_GetSimpleChainForCert().

◆ default_chain_engine_free()

void default_chain_engine_free ( void  )

Definition at line 255 of file chain.c.

256{
257 free_chain_engine(default_cu_engine);
258 free_chain_engine(default_lm_engine);
259}
default_lm_engine
static CertificateChainEngine * default_lm_engine
Definition: chain.c:164
default_cu_engine
static CertificateChainEngine * default_cu_engine
Definition: chain.c:164

Referenced by DllMain().

◆ directory_name_matches()

static BOOL directory_name_matches ( const CERT_NAME_BLOB constraint,
const CERT_NAME_BLOB name 
)
static

Definition at line 864 of file chain.c.

866{
867 CERT_NAME_INFO *constraintName;
868 DWORD size;
869 BOOL match = FALSE;
870
871 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME, constraint->pbData,
872 constraint->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &constraintName, &size))
873 {
874 DWORD i;
875
876 match = TRUE;
877 for (i = 0; match && i < constraintName->cRDN; i++)
878 match = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING,
879 CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG,
880 (CERT_NAME_BLOB *)name, &constraintName->rgRDN[i]);
881 LocalFree(constraintName);
882 }
883 return match;
884}
CertIsRDNAttrsInCertificateName
BOOL WINAPI CertIsRDNAttrsInCertificateName(DWORD dwCertEncodingType, DWORD dwFlags, PCERT_NAME_BLOB pCertName, PCERT_RDN pRDN)
Definition: cert.c:2131
_CERT_NAME_INFO::rgRDN
PCERT_RDN rgRDN
Definition: wincrypt.h:268
_CERT_NAME_INFO::cRDN
DWORD cRDN
Definition: wincrypt.h:267
X509_NAME
#define X509_NAME
Definition: wincrypt.h:3372
CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG
#define CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG
Definition: wincrypt.h:2807

Referenced by alt_name_matches(), and compare_subject_with_constraints().

◆ dns_name_matches()

static BOOL dns_name_matches ( LPCWSTR  constraint,
LPCWSTR  name,
DWORD trustErrorStatus 
)
static

Definition at line 775 of file chain.c.

777{
778 BOOL match = FALSE;
779
780 TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
781
782 if (!constraint)
783 *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
784 else if (!name)
785 ; /* no match */
786 /* RFC 5280, section 4.2.1.10:
787 * "DNS name restrictions are expressed as host.example.com. Any DNS name
788 * that can be constructed by simply adding zero or more labels to the
789 * left-hand side of the name satisfies the name constraint. For example,
790 * www.host.example.com would satisfy the constraint but host1.example.com
791 * would not."
792 */
793 else if (lstrlenW(name) == lstrlenW(constraint))
794 match = !lstrcmpiW(name, constraint);
795 else if (lstrlenW(name) > lstrlenW(constraint))
796 {
797 match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
798 constraint);
799 if (match)
800 {
801 BOOL dot = FALSE;
802 LPCWSTR ptr;
803
804 /* This only matches if name is a subdomain of constraint, i.e.
805 * there's a '.' between the beginning of the name and the
806 * matching portion of the name.
807 */
808 for (ptr = name + lstrlenW(name) - lstrlenW(constraint);
809 !dot && ptr >= name; ptr--)
810 if (*ptr == '.')
811 dot = TRUE;
812 match = dot;
813 }
814 }
815 /* else: name is too short, no match */
816
817 return match;
818}
lstrlenW
#define lstrlenW
Definition: compat.h:750
lstrcmpiW
int WINAPI lstrcmpiW(LPCWSTR lpString1, LPCWSTR lpString2)
Definition: lstring.c:194
ptr
static PVOID ptr
Definition: dispmode.c:27
LPCWSTR
const WCHAR * LPCWSTR
Definition: xmlstorage.h:185

Referenced by alt_name_matches().

◆ domain_name_matches()

static BOOL domain_name_matches ( LPCWSTR  constraint,
LPCWSTR  name 
)
static

Definition at line 647 of file chain.c.

648{
649 BOOL match;
650
651 /* RFC 5280, section 4.2.1.10:
652 * "For URIs, the constraint applies to the host part of the name...
653 * When the constraint begins with a period, it MAY be expanded with one
654 * or more labels. That is, the constraint ".example.com" is satisfied by
655 * both host.example.com and my.host.example.com. However, the constraint
656 * ".example.com" is not satisfied by "example.com". When the constraint
657 * does not begin with a period, it specifies a host."
658 * and for email addresses,
659 * "To indicate all Internet mail addresses on a particular host, the
660 * constraint is specified as the host name. For example, the constraint
661 * "example.com" is satisfied by any mail address at the host
662 * "example.com". To specify any address within a domain, the constraint
663 * is specified with a leading period (as with URIs)."
664 */
665 if (constraint[0] == '.')
666 {
667 /* Must be strictly greater than, a name can't begin with '.' */
668 if (lstrlenW(name) > lstrlenW(constraint))
669 match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
670 constraint);
671 else
672 {
673 /* name is too short, no match */
674 match = FALSE;
675 }
676 }
677 else
678 match = !lstrcmpiW(name, constraint);
679 return match;
680}

Referenced by rfc822_name_matches(), and url_matches().

◆ dump_alt_name()

static void dump_alt_name ( LPCSTR  type,
const CERT_EXTENSION ext 
)
static

Definition at line 1465 of file chain.c.

1466{
1467 CERT_ALT_NAME_INFO *name;
1468 DWORD size;
1469
1470 TRACE_(chain)("%s:\n", type);
1471 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
1472 ext->Value.pbData, ext->Value.cbData,
1473 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &name, &size))
1474 {
1475 DWORD i;
1476
1477 TRACE_(chain)("%d alt name entries:\n", name->cAltEntry);
1478 for (i = 0; i < name->cAltEntry; i++)
1479 dump_alt_name_entry(&name->rgAltEntry[i]);
1480 LocalFree(name);
1481 }
1482}
dump_alt_name_entry
static void dump_alt_name_entry(const CERT_ALT_NAME_ENTRY *entry)
Definition: chain.c:1426

Referenced by dump_extension().

◆ dump_alt_name_entry()

static void dump_alt_name_entry ( const CERT_ALT_NAME_ENTRY entry)
static

Definition at line 1426 of file chain.c.

1427{
1428 LPWSTR str;
1429
1430 switch (entry->dwAltNameChoice)
1431 {
1432 case CERT_ALT_NAME_OTHER_NAME:
1433 TRACE_(chain)("CERT_ALT_NAME_OTHER_NAME, oid = %s\n",
1434 debugstr_a(entry->u.pOtherName->pszObjId));
1435 break;
1436 case CERT_ALT_NAME_RFC822_NAME:
1437 TRACE_(chain)("CERT_ALT_NAME_RFC822_NAME: %s\n",
1438 debugstr_w(entry->u.pwszRfc822Name));
1439 break;
1440 case CERT_ALT_NAME_DNS_NAME:
1441 TRACE_(chain)("CERT_ALT_NAME_DNS_NAME: %s\n",
1442 debugstr_w(entry->u.pwszDNSName));
1443 break;
1444 case CERT_ALT_NAME_DIRECTORY_NAME:
1445 str = name_value_to_str(&entry->u.DirectoryName);
1446 TRACE_(chain)("CERT_ALT_NAME_DIRECTORY_NAME: %s\n", debugstr_w(str));
1447 CryptMemFree(str);
1448 break;
1449 case CERT_ALT_NAME_URL:
1450 TRACE_(chain)("CERT_ALT_NAME_URL: %s\n", debugstr_w(entry->u.pwszURL));
1451 break;
1452 case CERT_ALT_NAME_IP_ADDRESS:
1453 TRACE_(chain)("CERT_ALT_NAME_IP_ADDRESS: %d bytes\n",
1454 entry->u.IPAddress.cbData);
1455 break;
1456 case CERT_ALT_NAME_REGISTERED_ID:
1457 TRACE_(chain)("CERT_ALT_NAME_REGISTERED_ID: %s\n",
1458 debugstr_a(entry->u.pszRegisteredID));
1459 break;
1460 default:
1461 TRACE_(chain)("dwAltNameChoice = %d\n", entry->dwAltNameChoice);
1462 }
1463}
name_value_to_str
static LPWSTR name_value_to_str(const CERT_NAME_BLOB *name)
Definition: chain.c:1410
entry
uint32_t entry
Definition: isohybrid.c:63
str
const WCHAR * str
Definition: rpc_transport.c:2724
CERT_ALT_NAME_OTHER_NAME
#define CERT_ALT_NAME_OTHER_NAME
Definition: wincrypt.h:345
CERT_ALT_NAME_REGISTERED_ID
#define CERT_ALT_NAME_REGISTERED_ID
Definition: wincrypt.h:353
LPWSTR
WCHAR * LPWSTR
Definition: xmlstorage.h:184

Referenced by dump_alt_name(), and dump_general_subtree().

◆ dump_authenticode_extra_chain_policy_para()

static void dump_authenticode_extra_chain_policy_para ( AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA extraPara)
static

Definition at line 3077 of file chain.c.

3079{
3080 if (extraPara)
3081 {
3082 TRACE_(chain)("cbSize = %d\n", extraPara->cbSize);
3083 TRACE_(chain)("dwRegPolicySettings = %08x\n",
3084 extraPara->dwRegPolicySettings);
3085 TRACE_(chain)("pSignerInfo = %p\n", extraPara->pSignerInfo);
3086 }
3087}
_AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA::cbSize
DWORD cbSize
Definition: wincrypt.h:1003
_AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA::dwRegPolicySettings
DWORD dwRegPolicySettings
Definition: wincrypt.h:1004
_AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA::pSignerInfo
PCMSG_SIGNER_INFO pSignerInfo
Definition: wincrypt.h:1005

Referenced by verify_authenticode_policy().

◆ dump_basic_constraints()

static void dump_basic_constraints ( const CERT_EXTENSION ext)
static

Definition at line 1484 of file chain.c.

1485{
1486 CERT_BASIC_CONSTRAINTS_INFO *info;
1487 DWORD size = 0;
1488
1489 if (CryptDecodeObjectEx(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS,
1490 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG,
1491 NULL, &info, &size))
1492 {
1493 TRACE_(chain)("SubjectType: %02x\n", info->SubjectType.pbData[0]);
1494 TRACE_(chain)("%s path length constraint\n",
1495 info->fPathLenConstraint ? "has" : "doesn't have");
1496 TRACE_(chain)("path length=%d\n", info->dwPathLenConstraint);
1497 LocalFree(info);
1498 }
1499}

Referenced by dump_extension().

◆ dump_basic_constraints2()

static void dump_basic_constraints2 ( const CERT_EXTENSION ext)
static

Definition at line 1501 of file chain.c.

1502{
1503 CERT_BASIC_CONSTRAINTS2_INFO constraints;
1504 DWORD size = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
1505
1506 if (CryptDecodeObjectEx(X509_ASN_ENCODING,
1507 szOID_BASIC_CONSTRAINTS2, ext->Value.pbData, ext->Value.cbData,
1508 0, NULL, &constraints, &size))
1509 {
1510 TRACE_(chain)("basic constraints:\n");
1511 TRACE_(chain)("can%s be a CA\n", constraints.fCA ? "" : "not");
1512 TRACE_(chain)("%s path length constraint\n",
1513 constraints.fPathLenConstraint ? "has" : "doesn't have");
1514 TRACE_(chain)("path length=%d\n", constraints.dwPathLenConstraint);
1515 }
1516}

Referenced by dump_extension().

◆ dump_cert_policies()

static void dump_cert_policies ( const CERT_EXTENSION ext)
static

Definition at line 1576 of file chain.c.

1577{
1578 CERT_POLICIES_INFO *policies;
1579 DWORD size;
1580
1581 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_CERT_POLICIES,
1582 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1583 &policies, &size))
1584 {
1585 DWORD i, j;
1586
1587 TRACE_(chain)("%d policies:\n", policies->cPolicyInfo);
1588 for (i = 0; i < policies->cPolicyInfo; i++)
1589 {
1590 TRACE_(chain)("policy identifier: %s\n",
1591 debugstr_a(policies->rgPolicyInfo[i].pszPolicyIdentifier));
1592 TRACE_(chain)("%d policy qualifiers:\n",
1593 policies->rgPolicyInfo[i].cPolicyQualifier);
1594 for (j = 0; j < policies->rgPolicyInfo[i].cPolicyQualifier; j++)
1595 TRACE_(chain)("%s\n", debugstr_a(
1596 policies->rgPolicyInfo[i].rgPolicyQualifier[j].
1597 pszPolicyQualifierId));
1598 }
1599 LocalFree(policies);
1600 }
1601}
_CERT_POLICY_INFO::rgPolicyQualifier
CERT_POLICY_QUALIFIER_INFO * rgPolicyQualifier
Definition: wincrypt.h:395
_CERT_POLICY_INFO::cPolicyQualifier
DWORD cPolicyQualifier
Definition: wincrypt.h:394

Referenced by dump_extension().

◆ dump_chain_para()

static void dump_chain_para ( const CERT_CHAIN_PARA pChainPara)
static

Definition at line 2864 of file chain.c.

2865{
2866 TRACE_(chain)("%d\n", pChainPara->cbSize);
2867 if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA_NO_EXTRA_FIELDS))
2868 dump_usage_match("RequestedUsage", &pChainPara->RequestedUsage);
2869 if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA))
2870 {
2871 dump_usage_match("RequestedIssuancePolicy",
2872 &pChainPara->RequestedIssuancePolicy);
2873 TRACE_(chain)("%d\n", pChainPara->dwUrlRetrievalTimeout);
2874 TRACE_(chain)("%d\n", pChainPara->fCheckRevocationFreshnessTime);
2875 TRACE_(chain)("%d\n", pChainPara->dwRevocationFreshnessTime);
2876 }
2877}
dump_usage_match
static void dump_usage_match(LPCSTR name, const CERT_USAGE_MATCH *usageMatch)
Definition: chain.c:2851

Referenced by CertGetCertificateChain().

◆ dump_element()

static void dump_element ( PCCERT_CONTEXT  cert)
static

Definition at line 1689 of file chain.c.

1690{
1691 LPWSTR name = NULL;
1692 DWORD len, i;
1693
1694 TRACE_(chain)("%p: version %d\n", cert, cert->pCertInfo->dwVersion);
1695 len = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE,
1696 CERT_NAME_ISSUER_FLAG, NULL, NULL, 0);
1697 name = CryptMemAlloc(len * sizeof(WCHAR));
1698 if (name)
1699 {
1700 CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE,
1701 CERT_NAME_ISSUER_FLAG, NULL, name, len);
1702 TRACE_(chain)("issued by %s\n", debugstr_w(name));
1703 CryptMemFree(name);
1704 }
1705 len = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
1706 NULL, 0);
1707 name = CryptMemAlloc(len * sizeof(WCHAR));
1708 if (name)
1709 {
1710 CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
1711 name, len);
1712 TRACE_(chain)("issued to %s\n", debugstr_w(name));
1713 CryptMemFree(name);
1714 }
1715 TRACE_(chain)("valid from %s to %s\n",
1716 filetime_to_str(&cert->pCertInfo->NotBefore),
1717 filetime_to_str(&cert->pCertInfo->NotAfter));
1718 TRACE_(chain)("%d extensions\n", cert->pCertInfo->cExtension);
1719 for (i = 0; i < cert->pCertInfo->cExtension; i++)
1720 dump_extension(&cert->pCertInfo->rgExtension[i]);
1721}
dump_extension
static void dump_extension(const CERT_EXTENSION *ext)
Definition: chain.c:1647
CertGetNameStringW
DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType, DWORD dwFlags, void *pvTypePara, LPWSTR pszNameString, DWORD cchNameString)
Definition: str.c:1228
len
GLenum GLsizei len
Definition: glext.h:6722
CERT_NAME_SIMPLE_DISPLAY_TYPE
#define CERT_NAME_SIMPLE_DISPLAY_TYPE
Definition: wincrypt.h:3500
CERT_NAME_ISSUER_FLAG
#define CERT_NAME_ISSUER_FLAG
Definition: wincrypt.h:3506

Referenced by CRYPT_CheckSimpleChain().

◆ dump_enhanced_key_usage()

static void dump_enhanced_key_usage ( const CERT_EXTENSION ext)
static

Definition at line 1603 of file chain.c.

1604{
1605 CERT_ENHKEY_USAGE *usage;
1606 DWORD size;
1607
1608 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE,
1609 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1610 &usage, &size))
1611 {
1612 DWORD i;
1613
1614 TRACE_(chain)("%d usages:\n", usage->cUsageIdentifier);
1615 for (i = 0; i < usage->cUsageIdentifier; i++)
1616 TRACE_(chain)("%s\n", usage->rgpszUsageIdentifier[i]);
1617 LocalFree(usage);
1618 }
1619}

Referenced by dump_extension().

◆ dump_extension()

static void dump_extension ( const CERT_EXTENSION ext)
static

Definition at line 1647 of file chain.c.

1648{
1649 TRACE_(chain)("%s (%scritical)\n", debugstr_a(ext->pszObjId),
1650 ext->fCritical ? "" : "not ");
1651 if (!strcmp(ext->pszObjId, szOID_SUBJECT_ALT_NAME))
1652 dump_alt_name("subject alt name", ext);
1653 else if (!strcmp(ext->pszObjId, szOID_ISSUER_ALT_NAME))
1654 dump_alt_name("issuer alt name", ext);
1655 else if (!strcmp(ext->pszObjId, szOID_BASIC_CONSTRAINTS))
1656 dump_basic_constraints(ext);
1657 else if (!strcmp(ext->pszObjId, szOID_KEY_USAGE))
1658 dump_key_usage(ext);
1659 else if (!strcmp(ext->pszObjId, szOID_SUBJECT_ALT_NAME2))
1660 dump_alt_name("subject alt name 2", ext);
1661 else if (!strcmp(ext->pszObjId, szOID_ISSUER_ALT_NAME2))
1662 dump_alt_name("issuer alt name 2", ext);
1663 else if (!strcmp(ext->pszObjId, szOID_BASIC_CONSTRAINTS2))
1664 dump_basic_constraints2(ext);
1665 else if (!strcmp(ext->pszObjId, szOID_NAME_CONSTRAINTS))
1666 dump_name_constraints(ext);
1667 else if (!strcmp(ext->pszObjId, szOID_CERT_POLICIES))
1668 dump_cert_policies(ext);
1669 else if (!strcmp(ext->pszObjId, szOID_ENHANCED_KEY_USAGE))
1670 dump_enhanced_key_usage(ext);
1671 else if (!strcmp(ext->pszObjId, szOID_NETSCAPE_CERT_TYPE))
1672 dump_netscape_cert_type(ext);
1673}
dump_netscape_cert_type
static void dump_netscape_cert_type(const CERT_EXTENSION *ext)
Definition: chain.c:1621
dump_basic_constraints
static void dump_basic_constraints(const CERT_EXTENSION *ext)
Definition: chain.c:1484
dump_key_usage
static void dump_key_usage(const CERT_EXTENSION *ext)
Definition: chain.c:1518
dump_enhanced_key_usage
static void dump_enhanced_key_usage(const CERT_EXTENSION *ext)
Definition: chain.c:1603
dump_basic_constraints2
static void dump_basic_constraints2(const CERT_EXTENSION *ext)
Definition: chain.c:1501
dump_alt_name
static void dump_alt_name(LPCSTR type, const CERT_EXTENSION *ext)
Definition: chain.c:1465
dump_name_constraints
static void dump_name_constraints(const CERT_EXTENSION *ext)
Definition: chain.c:1552
dump_cert_policies
static void dump_cert_policies(const CERT_EXTENSION *ext)
Definition: chain.c:1576
szOID_ISSUER_ALT_NAME2
#define szOID_ISSUER_ALT_NAME2
Definition: wincrypt.h:3188
szOID_NETSCAPE_CERT_TYPE
#define szOID_NETSCAPE_CERT_TYPE
Definition: wincrypt.h:3340
szOID_ISSUER_ALT_NAME
#define szOID_ISSUER_ALT_NAME
Definition: wincrypt.h:3181

Referenced by dump_element().

◆ dump_general_subtree()

static void dump_general_subtree ( const CERT_GENERAL_SUBTREE subtree)
static

Definition at line 1545 of file chain.c.

1546{
1547 dump_alt_name_entry(&subtree->Base);
1548 TRACE_(chain)("dwMinimum = %d, fMaximum = %d, dwMaximum = %d\n",
1549 subtree->dwMinimum, subtree->fMaximum, subtree->dwMaximum);
1550}
_CERT_GENERAL_SUBTREE::fMaximum
BOOL fMaximum
Definition: wincrypt.h:573
_CERT_GENERAL_SUBTREE::dwMaximum
DWORD dwMaximum
Definition: wincrypt.h:574
_CERT_GENERAL_SUBTREE::dwMinimum
DWORD dwMinimum
Definition: wincrypt.h:572

Referenced by dump_name_constraints().

◆ dump_key_usage()

static void dump_key_usage ( const CERT_EXTENSION ext)
static

Definition at line 1518 of file chain.c.

1519{
1520 CRYPT_BIT_BLOB usage;
1521 DWORD size = sizeof(usage);
1522
1523 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_BITS, ext->Value.pbData,
1524 ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
1525 {
1526#define trace_usage_bit(bits, bit) \
1527 if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
1528 if (usage.cbData)
1529 {
1530 trace_usage_bit(usage.pbData[0], CERT_DIGITAL_SIGNATURE_KEY_USAGE);
1531 trace_usage_bit(usage.pbData[0], CERT_NON_REPUDIATION_KEY_USAGE);
1532 trace_usage_bit(usage.pbData[0], CERT_KEY_ENCIPHERMENT_KEY_USAGE);
1533 trace_usage_bit(usage.pbData[0], CERT_DATA_ENCIPHERMENT_KEY_USAGE);
1534 trace_usage_bit(usage.pbData[0], CERT_KEY_AGREEMENT_KEY_USAGE);
1535 trace_usage_bit(usage.pbData[0], CERT_KEY_CERT_SIGN_KEY_USAGE);
1536 trace_usage_bit(usage.pbData[0], CERT_CRL_SIGN_KEY_USAGE);
1537 trace_usage_bit(usage.pbData[0], CERT_ENCIPHER_ONLY_KEY_USAGE);
1538 }
1539#undef trace_usage_bit
1540 if (usage.cbData > 1 && usage.pbData[1] & CERT_DECIPHER_ONLY_KEY_USAGE)
1541 TRACE_(chain)("CERT_DECIPHER_ONLY_KEY_USAGE\n");
1542 }
1543}
trace_usage_bit
#define trace_usage_bit(bits, bit)
CERT_KEY_ENCIPHERMENT_KEY_USAGE
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE
Definition: wincrypt.h:306
CERT_NON_REPUDIATION_KEY_USAGE
#define CERT_NON_REPUDIATION_KEY_USAGE
Definition: wincrypt.h:305
CERT_CRL_SIGN_KEY_USAGE
#define CERT_CRL_SIGN_KEY_USAGE
Definition: wincrypt.h:311
CERT_DIGITAL_SIGNATURE_KEY_USAGE
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE
Definition: wincrypt.h:304
CERT_ENCIPHER_ONLY_KEY_USAGE
#define CERT_ENCIPHER_ONLY_KEY_USAGE
Definition: wincrypt.h:312
CERT_DECIPHER_ONLY_KEY_USAGE
#define CERT_DECIPHER_ONLY_KEY_USAGE
Definition: wincrypt.h:314
CERT_KEY_AGREEMENT_KEY_USAGE
#define CERT_KEY_AGREEMENT_KEY_USAGE
Definition: wincrypt.h:308
CERT_DATA_ENCIPHERMENT_KEY_USAGE
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE
Definition: wincrypt.h:307

Referenced by dump_extension().

◆ dump_name_constraints()

static void dump_name_constraints ( const CERT_EXTENSION ext)
static

Definition at line 1552 of file chain.c.

1553{
1554 CERT_NAME_CONSTRAINTS_INFO *nameConstraints;
1555 DWORD size;
1556
1557 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME_CONSTRAINTS,
1558 ext->Value.pbData, ext->Value.cbData,
1559 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &nameConstraints,
1560 &size))
1561 {
1562 DWORD i;
1563
1564 TRACE_(chain)("%d permitted subtrees:\n",
1565 nameConstraints->cPermittedSubtree);
1566 for (i = 0; i < nameConstraints->cPermittedSubtree; i++)
1567 dump_general_subtree(&nameConstraints->rgPermittedSubtree[i]);
1568 TRACE_(chain)("%d excluded subtrees:\n",
1569 nameConstraints->cExcludedSubtree);
1570 for (i = 0; i < nameConstraints->cExcludedSubtree; i++)
1571 dump_general_subtree(&nameConstraints->rgExcludedSubtree[i]);
1572 LocalFree(nameConstraints);
1573 }
1574}
dump_general_subtree
static void dump_general_subtree(const CERT_GENERAL_SUBTREE *subtree)
Definition: chain.c:1545

Referenced by dump_extension().

◆ dump_netscape_cert_type()

static void dump_netscape_cert_type ( const CERT_EXTENSION ext)
static

Definition at line 1621 of file chain.c.

1622{
1623 CRYPT_BIT_BLOB usage;
1624 DWORD size = sizeof(usage);
1625
1626 if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_BITS, ext->Value.pbData,
1627 ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
1628 {
1629#define trace_cert_type_bit(bits, bit) \
1630 if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
1631 if (usage.cbData)
1632 {
1633 trace_cert_type_bit(usage.pbData[0],
1634 NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE);
1635 trace_cert_type_bit(usage.pbData[0],
1636 NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE);
1637 trace_cert_type_bit(usage.pbData[0], NETSCAPE_SMIME_CERT_TYPE);
1638 trace_cert_type_bit(usage.pbData[0], NETSCAPE_SIGN_CERT_TYPE);
1639 trace_cert_type_bit(usage.pbData[0], NETSCAPE_SSL_CA_CERT_TYPE);
1640 trace_cert_type_bit(usage.pbData[0], NETSCAPE_SMIME_CA_CERT_TYPE);
1641 trace_cert_type_bit(usage.pbData[0], NETSCAPE_SIGN_CA_CERT_TYPE);
1642 }
1643#undef trace_cert_type_bit
1644 }
1645}
trace_cert_type_bit
#define trace_cert_type_bit(bits, bit)
NETSCAPE_SSL_CA_CERT_TYPE
#define NETSCAPE_SSL_CA_CERT_TYPE
Definition: wincrypt.h:3360
NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE
#define NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE
Definition: wincrypt.h:3357
NETSCAPE_SIGN_CERT_TYPE
#define NETSCAPE_SIGN_CERT_TYPE
Definition: wincrypt.h:3359
NETSCAPE_SIGN_CA_CERT_TYPE
#define NETSCAPE_SIGN_CA_CERT_TYPE
Definition: wincrypt.h:3362
NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE
#define NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE
Definition: wincrypt.h:3356
NETSCAPE_SMIME_CERT_TYPE
#define NETSCAPE_SMIME_CERT_TYPE
Definition: wincrypt.h:3358
NETSCAPE_SMIME_CA_CERT_TYPE
#define NETSCAPE_SMIME_CA_CERT_TYPE
Definition: wincrypt.h:3361

Referenced by dump_extension().

◆ dump_policy_para()

static void dump_policy_para ( PCERT_CHAIN_POLICY_PARA  para)
static

Definition at line 3706 of file chain.c.

3707{
3708 if (para)
3709 {
3710 TRACE_(chain)("cbSize = %d\n", para->cbSize);
3711 TRACE_(chain)("dwFlags = %08x\n", para->dwFlags);
3712 TRACE_(chain)("pvExtraPolicyPara = %p\n", para->