20#define NONAMELESSUNION
23#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
24#define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
28#include "wine/unicode.h"
/* Default cycle-detection modulus for a chain engine; presumably applied
 * when the engine config leaves CycleDetectionModulus at 0 -- confirm at
 * the use site (the config->CycleDetectionModulus check further down). */
#define DEFAULT_CYCLE_MODULUS 7
57 for (
i = 0;
i < cStores;
i++)
65 for (
i = 0;
i < cStores;
i++)
/* NUL-terminated wide-string constants, spelled out character by character
 * (no L"" literal, since wchar_t width differs between platforms).
 * Presumably the names of system certificate stores opened by the chain
 * engine -- confirm against the code that uses them. */
static const WCHAR caW[]    = { 'C', 'A', 0 };
static const WCHAR myW[]    = { 'M', 'y', 0 };
static const WCHAR trustW[] = { 'T', 'r', 'u', 's', 't', 0 };
127 else if (
config->hRestrictedRoot)
156 if(
config->CycleDetectionModulus)
251 TRACE(
"(%p)\n", hChainEngine);
275 cert->pCertInfo->cExtension,
cert->pCertInfo->rgExtension)))
285 if (
info->AuthorityCertIssuer.cAltEntry &&
286 info->AuthorityCertSerialNumber.cbData)
291 for (
i = 0; !directoryName &&
292 i <
info->AuthorityCertIssuer.cAltEntry;
i++)
293 if (
info->AuthorityCertIssuer.rgAltEntry[
i].dwAltNameChoice
296 &
info->AuthorityCertIssuer.rgAltEntry[
i];
305 FIXME(
"no supported name type in authority key id2\n");
309 else if (
info->KeyId.cbData)
330 cert->pCertInfo->cExtension,
cert->pCertInfo->rgExtension)))
340 if (
info->CertIssuer.cbData &&
info->CertSerialNumber.cbData)
346 else if (
info->KeyId.cbData)
385 DWORD i,
j, cyclicCertIndex = 0;
388 for (
i = 0; !cyclicCertIndex &&
i <
chain->cElement;
i++)
389 for (
j =
i + 1; !cyclicCertIndex &&
j <
chain->cElement;
j++)
391 chain->rgpElement[
i]->pCertContext->pCertInfo,
392 chain->rgpElement[
j]->pCertContext->pCertInfo))
396 chain->rgpElement[cyclicCertIndex]->TrustStatus.dwErrorStatus
399 for (
i = cyclicCertIndex + 1;
i <
chain->cElement;
i++)
402 chain->cElement = cyclicCertIndex + 1;
410 return chain->rgpElement[
chain->cElement - 1]->TrustStatus.dwErrorStatus
435 if (!
chain->cElement)
440 if (
chain->rgpElement)
446 if (
chain->cElement > 1)
447 chain->rgpElement[
chain->cElement - 2]->TrustStatus.dwInfoStatus
472 for (
i = 0;
i <
chain->cElement;
i++)
500 TRACE_(
chain)(
"Last certificate's signature is invalid\n");
518 cert->pCertInfo->cExtension,
cert->pCertInfo->rgExtension);
531 if (
info->SubjectType.cbData == 1)
540 cert->pCertInfo->cExtension,
cert->pCertInfo->rgExtension);
550 constraints->
fCA = defaultIfNotSpecified;
582 DWORD remainingCAs,
BOOL isRoot,
BOOL *pathLengthConstraintViolated)
584 BOOL validBasicConstraints, implicitCA =
FALSE;
611 &constraints, implicitCA)))
613 chainConstraints->
fCA = constraints.
fCA;
614 if (!constraints.
fCA)
616 TRACE_(
chain)(
"chain element %d can't be a CA\n", remainingCAs + 1);
617 validBasicConstraints =
FALSE;
628 TRACE_(
chain)(
"setting path length constraint to %d\n",
639 TRACE_(
chain)(
"remaining CAs %d exceed max path length %d\n",
641 validBasicConstraints =
FALSE;
642 *pathLengthConstraintViolated =
TRUE;
644 return validBasicConstraints;
665 if (constraint[0] ==
'.')
683 DWORD *trustErrorStatus)
697 WCHAR hostname_buf[255];
708 if (colon && *(colon + 1) ==
'/' && *(colon + 2) ==
'/')
723 for (colon = authority_end; colon >=
name && *colon !=
':' &&
724 *colon !=
'@'; colon--)
727 authority_end = colon;
738 hostname_buf[authority_end -
name] = 0;
752 DWORD *trustErrorStatus)
763 else if (
strchrW(constraint,
'@'))
776 DWORD *trustErrorStatus)
833 else if (
name->cbData ==
sizeof(
DWORD) &&
846 else if (
name->cbData == 16 && constraint->
cbData == 32)
851 subnet = constraint->
pbData;
899 name->u.pwszURL, trustErrorStatus);
903 name->u.pwszURL, trustErrorStatus);
907 name->u.pwszURL, trustErrorStatus);
911 &
name->u.IPAddress, trustErrorStatus);
915 &
name->u.DirectoryName);
918 ERR(
"name choice %d unsupported in this context\n",
960 cert->cExtension,
cert->rgExtension);
963 cert->cExtension,
cert->rgExtension);
976 &subjectAltName, &
size))
982 BOOL nameFormPresent;
994 TRACE_(
chain)(
"subject alternate name form %d excluded\n",
999 nameFormPresent =
FALSE;
1002 trustErrorStatus, &nameFormPresent) && nameFormPresent)
1004 TRACE_(
chain)(
"subject alternate name form %d not permitted\n",
1006 *trustErrorStatus |=
1013 *trustErrorStatus |=
1070 for (
i = 0;
i <
name->cRDN;
i++)
1071 for (
j = 0;
j <
name->rgRDN[
i].cRDNAttr;
j++)
1075 BOOL nameFormPresent;
1084 &
name->rgRDN[
i].rgRDNAttr[
j], nameConstraints,
1088 "email address in subject name is excluded\n");
1089 *trustErrorStatus |=
1092 nameFormPresent =
FALSE;
1094 &
name->rgRDN[
i].rgRDNAttr[
j], nameConstraints,
1095 trustErrorStatus, &nameFormPresent) && nameFormPresent)
1098 "email address in subject name is not permitted\n");
1099 *trustErrorStatus |=
1106 *trustErrorStatus |=
1116 else if (
name->cbData == 2 &&
name->pbData[1] == 0)
1144 hasEmailConstraint =
TRUE;
1149 hasEmailConstraint =
TRUE;
1150 if (hasEmailConstraint)
1162 *trustErrorStatus |=
1183 hasDirectoryConstraint =
TRUE;
1188 if (hasDirectoryConstraint && !
match)
1198 DWORD *trustErrorStatus)
1222 cert->rgExtension)))
1227 ext->Value.pbData,
ext->Value.cbData,
1245 if (!
info->cPermittedSubtree && !
info->cExcludedSubtree)
1247 WARN_(
chain)(
"constraints contain no permitted nor excluded subtree\n");
1262 for (
i = 0;
ret &&
i <
info->cPermittedSubtree;
i++)
1263 if (
info->rgPermittedSubtree[
i].dwMinimum ||
1264 info->rgPermittedSubtree[
i].fMaximum)
1266 TRACE_(
chain)(
"found a minimum or maximum in permitted subtrees\n");
1269 for (
i = 0;
ret &&
i <
info->cExcludedSubtree;
i++)
1270 if (
info->rgExcludedSubtree[
i].dwMinimum ||
1271 info->rgExcludedSubtree[
i].fMaximum)
1273 TRACE_(
chain)(
"found a minimum or maximum in excluded subtrees\n");
1295 for (
i =
chain->cElement - 1;
i > 0;
i--)
1300 chain->rgpElement[
i]->pCertContext->pCertInfo)))
1303 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1307 for (
j =
i - 1;
j >= 0;
j--)
1309 DWORD errorStatus = 0;
1315 chain->rgpElement[
j]->pCertContext))
1318 chain->rgpElement[
j]->pCertContext->pCertInfo,
1322 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1325 &
chain->rgpElement[
i]->TrustStatus);
1328 chain->rgpElement[
i]->TrustStatus.dwInfoStatus |=
1345 cert->pCertInfo->rgExtension);
1374 FIXME(
"unsupported policy %s\n",
1385 for (
i =
chain->cElement - 1;
i > 0;
i--)
1391 for (
j =
i - 1;
j >= 0;
j--)
1393 DWORD errorStatus = 0;
1396 chain->rgpElement[
j]->pCertContext->pCertInfo, &errorStatus);
1399 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1402 &
chain->rgpElement[
i]->TrustStatus);
1430 switch (
entry->dwAltNameChoice)
1433 TRACE_(
chain)(
"CERT_ALT_NAME_OTHER_NAME, oid = %s\n",
1453 TRACE_(
chain)(
"CERT_ALT_NAME_IP_ADDRESS: %d bytes\n",
1454 entry->u.IPAddress.cbData);
1457 TRACE_(
chain)(
"CERT_ALT_NAME_REGISTERED_ID: %s\n",
1472 ext->Value.pbData,
ext->Value.cbData,
1478 for (
i = 0;
i <
name->cAltEntry;
i++)
1495 info->fPathLenConstraint ?
"has" :
"doesn't have");
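/* Trace the name of each key-usage bit set in `bits`.  Wrapped in
 * do { } while (0) so the macro behaves as a single statement and cannot
 * capture a following `else` when used inside an if/else. */
#define trace_usage_bit(bits, bit) \
    do { if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit); } while (0)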
1539#undef trace_usage_bit
1548 TRACE_(
chain)(
"dwMinimum = %d, fMaximum = %d, dwMaximum = %d\n",
1558 ext->Value.pbData,
ext->Value.cbData,
1597 pszPolicyQualifierId));
1615 for (
i = 0;
i <
usage->cUsageIdentifier;
i++)
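/* Trace the name of each Netscape cert-type bit set in `bits`.  Wrapped in
 * do { } while (0) so the macro behaves as a single statement and cannot
 * capture a following `else` when used inside an if/else. */
#define trace_cert_type_bit(bits, bit) \
    do { if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit); } while (0)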
1643#undef trace_cert_type_bit
1650 ext->fCritical ?
"" :
"not ");
1681 if (!
time)
return "(null)";
1719 for (
i = 0;
i <
cert->pCertInfo->cExtension;
i++)
1731 cert->pCertInfo->rgExtension);
1742 else if (
usage.cbData > 2)
1782 WARN_(
chain)(
"keyCertSign not asserted on a CA cert\n");
1793 WARN_(
chain)(
"keyCertSign asserted on a non-CA cert\n");
1807 for (
i = 0;
ret &&
i <
cert->pCertInfo->cExtension;
i++)
1809 if (
cert->pCertInfo->rgExtension[
i].fCritical)
1811 LPCSTR oid =
cert->pCertInfo->rgExtension[
i].pszObjId;
1831 FIXME(
"unsupported critical extension %s\n",
1845 switch (
cert->pCertInfo->dwVersion)
1853 if (
cert->pCertInfo->IssuerUniqueId.cbData ||
1854 cert->pCertInfo->SubjectUniqueId.cbData)
1859 if (
cert->pCertInfo->cExtension)
1866 if (
cert->pCertInfo->cExtension)
1873 WARN_(
chain)(
"invalid cert version %d\n",
cert->pCertInfo->dwVersion);
1884 BOOL pathLengthConstraintViolated =
FALSE;
1888 TRACE_(
chain)(
"checking chain with %d elements for time %s\n",
1890 for (
i =
chain->cElement - 1;
i >= 0;
i--)
1896 if (
i ==
chain->cElement - 1)
1898 chain->rgpElement[
i]->pCertContext);
1906 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1910 chain->rgpElement[
i]->pCertContext->pCertInfo) != 0)
1911 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1918 (
void *)
chain->rgpElement[
i - 1]->pCertContext,
1920 (
void *)
chain->rgpElement[
i]->pCertContext, 0,
NULL))
1921 chain->rgpElement[
i - 1]->TrustStatus.dwErrorStatus |=
1926 if (pathLengthConstraintViolated)
1927 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1930 chain->rgpElement[
i]->pCertContext, &constraints,
i - 1, isRoot,
1931 &pathLengthConstraintViolated))
1932 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1945 chain->rgpElement[
i]->pCertContext, &constraints,
FALSE))
1946 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1950 isRoot, constraints.
fCA,
i))
1951 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1958 pathLengthConstraintViolated =
TRUE;
1959 chain->TrustStatus.dwErrorStatus |=
1965 chain->rgpElement[
i]->pCertContext))
1966 chain->rgpElement[
i]->TrustStatus.dwErrorStatus |=
1970 &
chain->rgpElement[
i]->TrustStatus);
2079 if (
info->CertIssuer.cbData &&
info->CertSerialNumber.cbData)
2082 memcpy(&
id.
u.IssuerSerialNumber.Issuer, &
info->CertIssuer,
2084 memcpy(&
id.
u.IssuerSerialNumber.SerialNumber,
2090 TRACE_(
chain)(
"issuer found by issuer/serial number\n");
2094 else if (
info->KeyId.cbData)
2123 if (
info->AuthorityCertIssuer.cAltEntry &&
2124 info->AuthorityCertSerialNumber.cbData)
2129 for (
i = 0; !directoryName &&
2130 i <
info->AuthorityCertIssuer.cAltEntry;
i++)
2131 if (
info->AuthorityCertIssuer.rgAltEntry[
i].dwAltNameChoice
2134 &
info->AuthorityCertIssuer.rgAltEntry[
i];
2138 memcpy(&
id.
u.IssuerSerialNumber.Issuer,
2140 memcpy(&
id.
u.IssuerSerialNumber.SerialNumber,
2141 &
info->AuthorityCertSerialNumber,
2147 TRACE_(
chain)(
"issuer found by directory name\n");
2152 FIXME(
"no supported name type in authority key id2\n");
2154 else if (
info->KeyId.cbData)
2191 &
chain->rgpElement[
chain->cElement - 1]->TrustStatus.dwInfoStatus);
2196 chain->rgpElement[
chain->cElement - 1]->TrustStatus.dwInfoStatus);
2205 TRACE_(
chain)(
"Couldn't find issuer, halting chain creation\n");
2274 chain->world = world;
2277 chain->context.cChain = 1;
2279 chain->context.rgpChain[0] = simpleChain;
2280 chain->context.cLowerQualityChainContext = 0;
2281 chain->context.rgpLowerQualityChainContext =
NULL;
2282 chain->context.fHasRevocationFreshnessTime =
FALSE;
2283 chain->context.dwRevocationFreshnessTime = 0;
2307 if (
copy->rgpElement)
2314 for (
i = 0;
ret &&
i <= iElement;
i++)
2323 chain->rgpElement[
i]->pCertContext);
2335 for (
i = 0;
i <= iElement;
i++)
2355 for (
i = 0;
i <
chain->context.cLowerQualityChainContext;
i++)
2358 chain->context.cLowerQualityChainContext = 0;
2359 chain->context.rgpLowerQualityChainContext =
NULL;
2367 for (
i = 0;
i <
chain->context.cChain;
i++)
2391 copy->context.cLowerQualityChainContext = 0;
2392 copy->context.rgpLowerQualityChainContext =
NULL;
2393 copy->context.fHasRevocationFreshnessTime =
FALSE;
2394 copy->context.dwRevocationFreshnessTime = 0;
2397 if (
copy->context.rgpChain)
2406 for (
i = 0;
ret && iChain &&
i < iChain - 1;
i++)
2408 copy->context.rgpChain[
i] =
2410 chain->context.rgpChain[
i]->cElement - 1);
2411 if (!
copy->context.rgpChain[
i])
2419 copy->context.rgpChain[
i] =
2422 if (!
copy->context.rgpChain[
i])
2431 copy->context.cChain = iChain + 1;
2454 if (
chain->context.cLowerQualityChainContext)
2456 chain->context.cLowerQualityChainContext - 1];
2458 if (
chain->context.cChain <= 1 &&
chain->context.rgpChain[0]->cElement <= 1)
2466 for (
i = 0; !alternateIssuer &&
i <
chain->context.cChain;
i++)
2467 for (
j = 0; !alternateIssuer &&
2468 j <
chain->context.rgpChain[
i]->cElement - 1;
j++)
2471 chain->context.rgpChain[
i]->rgpElement[
j]->pCertContext;
2473 chain->context.rgpChain[
i]->rgpElement[
j + 1]->pCertContext);
2476 subject, prevIssuer,
flags, &infoStatus);
2478 if (alternateIssuer)
2510 TRACE(
"%p\n", alternate);
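/* Chain quality flags.  A chain's quality is the OR of the flags below
 * that hold for it; higher numeric quality ranks a candidate chain higher.
 * NOTE(review): 0x16 overlaps the COMPLETE_CHAIN (4) and BASIC_CONSTRAINTS
 * (2) bits while every other flag is a single bit, so 0x10 may have been
 * intended -- confirm before changing, since it alters chain ranking. */
#define CHAIN_QUALITY_SIGNATURE_VALID   0x16
#define CHAIN_QUALITY_TIME_VALID        8
#define CHAIN_QUALITY_COMPLETE_CHAIN    4
#define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
#define CHAIN_QUALITY_TRUSTED_ROOT      1

/* All quality flags set.  Parenthesized so that ~CHAIN_QUALITY_HIGHEST or
 * `x & CHAIN_QUALITY_HIGHEST` applies to the whole value, not just the
 * first operand of the OR. */
#define CHAIN_QUALITY_HIGHEST \
    (CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
     CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
     CHAIN_QUALITY_TRUSTED_ROOT)

/* Non-zero when any of `bits` is set in the trust status's error flags.
 * Parenthesized so that `!IS_TRUST_ERROR_SET(...)` negates the whole
 * test rather than only dwErrorStatus. */
#define IS_TRUST_ERROR_SET(TrustStatus, bits) \
    ((TrustStatus)->dwErrorStatus & (bits))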
2534 quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
2537 quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
2540 quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;
2543 quality &= ~CHAIN_QUALITY_TIME_VALID;
2546 quality &= ~CHAIN_QUALITY_SIGNATURE_VALID;
2565 for (
i = 0;
i <
chain->context.cLowerQualityChainContext;
i++)
2573 chain->context.cLowerQualityChainContext;
2575 chain->context.rgpLowerQualityChainContext;
2578 chain->context.cLowerQualityChainContext = 0;
2579 chain->context.rgpLowerQualityChainContext =
NULL;
2591 if (
chain->context.cLowerQualityChainContext)
2592 chain->context.rgpLowerQualityChainContext =
2594 (
chain->context.cLowerQualityChainContext + 1) *
2597 chain->context.rgpLowerQualityChainContext =
2599 if (
chain->context.rgpLowerQualityChainContext)
2601 chain->context.rgpLowerQualityChainContext[
2602 chain->context.cLowerQualityChainContext++] =
2619 if (iElement +
chain->rgpChain[
j]->cElement <
i)
2620 iElement +=
chain->rgpChain[
j]->cElement;
2645 for (
i = 0, cContext = 0;
i <
chain->cChain;
i++)
2647 if (i < chain->cChain - 1 ||
2649 cContext +=
chain->rgpChain[
i]->cElement;
2651 cContext +=
chain->rgpChain[
i]->cElement - 1;
2658 DWORD i,
j, iContext, revocationFlags;
2661 {
sizeof(revocationStatus), 0 };
2678 revocationPara.dwUrlRetrievalTimeout =
2680 revocationPara.fCheckFreshnessTime =
2682 revocationPara.dwFreshnessTime =
2685 for (
i = 0, iContext = 0; iContext < cContext &&
i <
chain->cChain;
i++)
2687 for (
j = 0; iContext < cContext &&
2688 j <
chain->rgpChain[
i]->cElement;
j++, iContext++)
2691 chain->rgpChain[
i]->rgpElement[
j]->pCertContext;
2693 if (j < chain->rgpChain[
i]->cElement - 1)
2695 chain->rgpChain[
i]->rgpElement[
j + 1]->pCertContext;
2700 revocationFlags, &revocationPara, &revocationStatus);
2712 switch (revocationStatus.
dwError)
2730 WARN(
"unmapped error %08x\n", revocationStatus.
dwError);
2749 pChainPara->RequestedUsage.Usage.cUsageIdentifier)
2756 endCert =
chain->rgpChain[0]->rgpElement[0]->pCertContext;
2791 validForUsage =
TRUE;
2792 for (
i = 0; validForUsage &&
2801 validForUsage =
FALSE;
2809 validForUsage =
FALSE;
2810 for (
i = 0; !validForUsage &&
2813 for (
j = 0; !validForUsage &&
2814 j <
usage->cUsageIdentifier;
j++)
2823 validForUsage =
FALSE;
2835 TRACE_(
chain)(
"requested usage from certificate with no usages\n");
2836 validForUsage =
TRUE;
2840 chain->TrustStatus.dwErrorStatus |=
2842 chain->rgpChain[0]->rgpElement[0]->TrustStatus.dwErrorStatus |=
2847 pChainPara->RequestedIssuancePolicy.Usage.cUsageIdentifier)
2848 FIXME(
"unimplemented for RequestedIssuancePolicy\n");
2888 TRACE(
"(%p, %p, %s, %p, %p, %08x, %p, %p)\n", hChainEngine,
pCertContext,
2929 }
while (
ret && alternate);
2953 TRACE(
"(%p)\n", pChainContext);
2957 return pChainContext;
2964 TRACE(
"(%p)\n", pChainContext);
2977 FIXME(
"(%p, %08x, %08x, %d, %p, %p): stub\n", store, certEncodingType,
2978 findFlags, findType, findPara, prevChainContext);
2987 for (
i = 0;
i <
chain->cChain;
i++)
2988 for (
j = 0;
j <
chain->rgpChain[
i]->cElement;
j++)
2989 if (
chain->rgpChain[
i]->rgpElement[
j]->TrustStatus.dwErrorStatus &
3005 checks = pPolicyPara->
dwFlags;
3024 if (!pPolicyStatus->
dwError &&
3033 if (!pPolicyStatus->
dwError &&
3041 if (!pPolicyStatus->
dwError &&
3051 if (!pPolicyStatus->
dwError &&
30650x30,0x47,0x02,0x40,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,0xd9,
30660x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,0xf7,
30670x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,0x5f,
30680x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,0x10,
30690x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
30710x30,0x47,0x02,0x40,0x9c,0x50,0x05,0x1d,0xe2,0x0e,0x4c,0x53,0xd8,0xd9,0xb5,
30720xe5,0xfd,0xe9,0xe3,0xad,0x83,0x4b,0x80,0x08,0xd9,0xdc,0xe8,0xe8,0x35,0xf8,
30730x11,0xf1,0xe9,0x9b,0x03,0x7a,0x65,0x64,0x76,0x35,0xce,0x38,0x2c,0xf2,0xb6,
30740x71,0x9e,0x06,0xd9,0xbf,0xbb,0x31,0x69,0xa3,0xf6,0x30,0xa0,0x78,0x7b,0x18,
30750xdd,0x50,0x4d,0x79,0x1e,0xeb,0x61,0xc1,0x02,0x03,0x01,0x00,0x01 };
3122 isMSTestRoot =
TRUE;
3162 ext->Value.pbData,
ext->Value.cbData,
3182 if (
subjectName->rgAltEntry[
i].u.pwszDNSName[0] ==
'*')
3199 if (server_name_dot)
3223 for (
j = 0;
j <
name->rgRDN[
i].cRDNAttr;
j++)
3225 name->rgRDN[
i].rgRDNAttr[
j].pszObjId))
3245 LPCWSTR allowed_ptr, server_ptr;
3248 *see_wildcard =
FALSE;
3250 if (server_len < allowed_len)
3252 WARN_(
chain)(
"domain component %s too short for %s\n",
3260 for (allowed_ptr = allowed_component, server_ptr = server_component;
3261 matches && allowed_ptr - allowed_component < allowed_len;
3262 allowed_ptr++, server_ptr++)
3264 if (*allowed_ptr ==
'*')
3266 if (allowed_ptr - allowed_component < allowed_len - 1)
3268 WARN_(
chain)(
"non-wildcard characters after wildcard not supported\n");
3271 else if (!allow_wildcards)
3273 WARN_(
chain)(
"wildcard after non-wildcard component\n");
3281 *see_wildcard =
TRUE;
3288 if (
matches && server_ptr - server_component < server_len)
3293 matches = *allowed_ptr ==
'*';
3301 LPCWSTR allowed_component = allowed;
3313 while (allowed_len && allowed_component[allowed_len - 1] == 0)
3333 LPCWSTR allowed_dot, server_dot;
3335 allowed_dot =
memchrW(allowed_component,
'.',
3336 allowed_len - (allowed_component - allowed));
3337 server_dot =
memchrW(server_component,
'.',
3340 if ((!allowed_dot && server_dot) || (allowed_dot && !server_dot))
3343 WARN_(
chain)(
"%s: too many components for CN=%s\n",
3346 WARN_(
chain)(
"%s: not enough components for CN=%s\n",
3352 LPCWSTR allowed_end, server_end;
3355 allowed_end = allowed_dot ? allowed_dot : allowed + allowed_len;
3356 server_end = server_dot ? server_dot :
server_name + server_len;
3358 allowed_end - allowed_component, server_component,
3359 server_end - server_component, allow_wildcards, &has_wildcard);
3364 allow_wildcards =
FALSE;
3367 allowed_component = allowed_dot ? allowed_dot + 1 : allowed_end;
3368 server_component = server_dot ? server_dot + 1 : server_end;
3371 }
while (
matches && allowed_component &&
3372 allowed_component - allowed < allowed_len &&
3373 server_component && server_component -
server_name < server_len);
3386 cert->pCertInfo->Subject.pbData,
cert->pCertInfo->Subject.cbData,
3400 WCHAR component[255];
3407 WARN_(
chain)(
"domain component %s too long\n",
3417 ptr = dot ? dot + 1 :
end;
3546 if (!pPolicyStatus->
dwError && pPolicyPara &&
35900x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xdf,0x08,0xba,0xe3,0x3f,0x6e,
35910x64,0x9b,0xf5,0x89,0xaf,0x28,0x96,0x4a,0x07,0x8f,0x1b,0x2e,0x8b,0x3e,0x1d,
35920xfc,0xb8,0x80,0x69,0xa3,0xa1,0xce,0xdb,0xdf,0xb0,0x8e,0x6c,0x89,0x76,0x29,
35930x4f,0xca,0x60,0x35,0x39,0xad,0x72,0x32,0xe0,0x0b,0xae,0x29,0x3d,0x4c,0x16,
35940xd9,0x4b,0x3c,0x9d,0xda,0xc5,0xd3,0xd1,0x09,0xc9,0x2c,0x6f,0xa6,0xc2,0x60,
35950x53,0x45,0xdd,0x4b,0xd1,0x55,0xcd,0x03,0x1c,0xd2,0x59,0x56,0x24,0xf3,0xe5,
35960x78,0xd8,0x07,0xcc,0xd8,0xb3,0x1f,0x90,0x3f,0xc0,0x1a,0x71,0x50,0x1d,0x2d,
35970xa7,0x12,0x08,0x6d,0x7c,0xb0,0x86,0x6c,0xc7,0xba,0x85,0x32,0x07,0xe1,0x61,
35980x6f,0xaf,0x03,0xc5,0x6d,0xe5,0xd6,0xa1,0x8f,0x36,0xf6,0xc1,0x0b,0xd1,0x3e,
35990x69,0x97,0x48,0x72,0xc9,0x7f,0xa4,0xc8,0xc2,0x4a,0x4c,0x7e,0xa1,0xd1,0x94,
36000xa6,0xd7,0xdc,0xeb,0x05,0x46,0x2e,0xb8,0x18,0xb4,0x57,0x1d,0x86,0x49,0xdb,
36010x69,0x4a,0x2c,0x21,0xf5,0x5e,0x0f,0x54,0x2d,0x5a,0x43,0xa9,0x7a,0x7e,0x6a,
36020x8e,0x50,0x4d,0x25,0x57,0xa1,0xbf,0x1b,0x15,0x05,0x43,0x7b,0x2c,0x05,0x8d,
36030xbd,0x3d,0x03,0x8c,0x93,0x22,0x7d,0x63,0xea,0x0a,0x57,0x05,0x06,0x0a,0xdb,
36040x61,0x98,0x65,0x2d,0x47,0x49,0xa8,0xe7,0xe6,0x56,0x75,0x5c,0xb8,0x64,0x08,
36050x63,0xa9,0x30,0x40,0x66,0xb2,0xf9,0xb6,0xe3,0x34,0xe8,0x67,0x30,0xe1,0x43,
36060x0b,0x87,0xff,0xc9,0xbe,0x72,0x10,0x5e,0x23,0xf0,0x9b,0xa7,0x48,0x65,0xbf,
36070x09,0x88,0x7b,0xcd,0x72,0xbc,0x2e,0x79,0x9b,0x7b,0x02,0x03,0x01,0x00,0x01 };
36090x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa9,0x02,0xbd,0xc1,0x70,0xe6,
36100x3b,0xf2,0x4e,0x1b,0x28,0x9f,0x97,0x78,0x5e,0x30,0xea,0xa2,0xa9,0x8d,0x25,
36110x5f,0xf8,0xfe,0x95,0x4c,0xa3,0xb7,0xfe,0x9d,0xa2,0x20,0x3e,0x7c,0x51,0xa2,
36120x9b,0xa2,0x8f,0x60,0x32,0x6b,0xd1,0x42,0x64,0x79,0xee,0xac,0x76,0xc9,0x54,
36130xda,0xf2,0xeb,0x9c,0x86,0x1c,0x8f,0x9f,0x84,0x66,0xb3,0xc5,0x6b,0x7a,0x62,
36140x23,0xd6,0x1d,0x3c,0xde,0x0f,0x01,0x92,0xe8,0x96,0xc4,0xbf,0x2d,0x66,0x9a,
36150x9a,0x68,0x26,0x99,0xd0,0x3a,0x2c,0xbf,0x0c,0xb5,0x58,0x26,0xc1,0x46,0xe7,
36160x0a,0x3e,0x38,0x96,0x2c,0xa9,0x28,0x39,0xa8,0xec,0x49,0x83,0x42,0xe3,0x84,
36170x0f,0xbb,0x9a,0x6c,0x55,0x61,0xac,0x82,0x7c,0xa1,0x60,0x2d,0x77,0x4c,0xe9,
36180x99,0xb4,0x64,0x3b,0x9a,0x50,0x1c,0x31,0x08,0x24,0x14,0x9f,0xa9,0xe7,0x91,
36190x2b,0x18,0xe6,0x3d,0x98,0x63,0x14,0x60,0x58,0x05,0x65,0x9f,0x1d,0x37,0x52,
36200x87,0xf7,0xa7,0xef,0x94,0x02,0xc6,0x1b,0xd3,0xbf,0x55,0x45,0xb3,0x89,0x80,
36210xbf,0x3a,0xec,0x54,0x94,0x4e,0xae,0xfd,0xa7,0x7a,0x6d,0x74,0x4e,0xaf,0x18,
36220xcc,0x96,0x09,0x28,0x21,0x00,0x57,0x90,0x60,0x69,0x37,0xbb,0x4b,0x12,0x07,
36230x3c,0x56,0xff,0x5b,0xfb,0xa4,0x66,0x0a,0x08,0xa6,0xd2,0x81,0x56,0x57,0xef,
36240xb6,0x3b,0x5e,0x16,0x81,0x77,0x04,0xda,0xf6,0xbe,0xae,0x80,0x95,0xfe,0xb0,
36250xcd,0x7f,0xd6,0xa7,0x1a,0x72,0x5c,0x3c,0xca,0xbc,0xf0,0x08,0xa3,0x22,0x30,
36260xb3,0x06,0x85,0xc9,0xb3,0x20,0x77,0x13,0x85,0xdf,0x02,0x03,0x01,0x00,0x01 };
36280x30,0x82,0x02,0x0a,0x02,0x82,0x02,0x01,0x00,0xf3,0x5d,0xfa,0x80,0x67,0xd4,
36290x5a,0xa7,0xa9,0x0c,0x2c,0x90,0x20,0xd0,0x35,0x08,0x3c,0x75,0x84,0xcd,0xb7,
36300x07,0x89,0x9c,0x89,0xda,0xde,0xce,0xc3,0x60,0xfa,0x91,0x68,0x5a,0x9e,0x94,
36310x71,0x29,0x18,0x76,0x7c,0xc2,0xe0,0xc8,0x25,0x76,0x94,0x0e,0x58,0xfa,0x04,
36320x34,0x36,0xe6,0xdf,0xaf,0xf7,0x80,0xba,0xe9,0x58,0x0b,0x2b,0x93,0xe5,0x9d,
36330x05,0xe3,0x77,0x22,0x91,0xf7,0x34,0x64,0x3c,0x22,0x91,0x1d,0x5e,0xe1,0x09,
36340x90,0xbc,0x14,0xfe,0xfc,0x75,0x58,0x19,0xe1,0x79,0xb7,0x07,0x92,0xa3,0xae,
36350x88,0x59,0x08,0xd8,0x9f,0x07,0xca,0x03,0x58,0xfc,0x68,0x29,0x6d,0x32,0xd7,
36360xd2,0xa8,0xcb,0x4b,0xfc,0xe1,0x0b,0x48,0x32,0x4f,0xe6,0xeb,0xb8,0xad,0x4f,
36370xe4,0x5c,0x6f,0x13,0x94,0x99,0xdb,0x95,0xd5,0x75,0xdb,0xa8,0x1a,0xb7,0x94,
36380x91,0xb4,0x77,0x5b,0xf5,0x48,0x0c,0x8f,0x6a,0x79,0x7d,0x14,0x70,0x04,0x7d,
36390x6d,0xaf,0x90,0xf5,0xda,0x70,0xd8,0x47,0xb7,0xbf,0x9b,0x2f,0x6c,0xe7,0x05,
36400xb7,0xe1,0x11,0x60,0xac,0x79,0x91,0x14,0x7c,0xc5,0xd6,0xa6,0xe4,0xe1,0x7e,
36410xd5,0xc3,0x7e,0xe5,0x92,0xd2,0x3c,0x00,0xb5,0x36,0x82,0xde,0x79,0xe1,0x6d,
36420xf3,0xb5,0x6e,0xf8,0x9f,0x33,0xc9,0xcb,0x52,0x7d,0x73,0x98,0x36,0xdb,0x8b,
36430xa1,0x6b,0xa2,0x95,0x97,0x9b,0xa3,0xde,0xc2,0x4d,0x26,0xff,0x06,0x96,0x67,
36440x25,0x06,0xc8,0xe7,0xac,0xe4,0xee,0x12,0x33,0x95,0x31,0x99,0xc8,0x35,0x08,
36450x4e,0x34,0xca,0x79,0x53,0xd5,0xb5,0xbe,0x63,0x32,0x59,0x40,0x36,0xc0,0xa5,
36460x4e,0x04,0x4d,0x3d,0xdb,0x5b,0x07,0x33,0xe4,0x58,0xbf,0xef,0x3f,0x53,0x64,
36470xd8,0x42,0x59,0x35,0x57,0xfd,0x0f,0x45,0x7c,0x24,0x04,0x4d,0x9e,0xd6,0x38,
36480x74,0x11,0x97,0x22,0x90,0xce,0x68,0x44,0x74,0x92,0x6f,0xd5,0x4b,0x6f,0xb0,
36490x86,0xe3,0xc7,0x36,0x42,0xa0,0xd0,0xfc,0xc1,0xc0,0x5a,0xf9,0xa3,0x61,0xb9,
36500x30,0x47,0x71,0x96,0x0a,0x16,0xb0,0x91,0xc0,0x42,0x95,0xef,0x10,0x7f,0x28,
36510x6a,0xe3,0x2a,0x1f,0xb1,0xe4,0xcd,0x03,0x3f,0x77,0x71,0x04,0xc7,0x20,0xfc,
36520x49,0x0f,0x1d,0x45,0x88,0xa4,0xd7,0xcb,0x7e,0x88,0xad,0x8e,0x2d,0xec,0x45,
36530xdb,0xc4,0x51,0x04,0xc9,0x2a,0xfc,0xec,0x86,0x9e,0x9a,0x11,0x97,0x5b,0xde,
36540xce,0x53,0x88,0xe6,0xe2,0xb7,0xfd,0xac,0x95,0xc2,0x28,0x40,0xdb,0xef,0x04,
36550x90,0xdf,0x81,0x33,0x39,0xd9,0xb2,0x45,0xa5,0x23,0x87,0x06,0xa5,0x55,0x89,
36560x31,0xbb,0x06,0x2d,0x60,0x0e,0x41,0x18,0x7d,0x1f,0x2e,0xb5,0x97,0xcb,0x11,
36570xeb,0x15,0xd5,0x24,0xa5,0x94,0xef,0x15,0x14,0x89,0xfd,0x4b,0x73,0xfa,0x32,
36580x5b,0xfc,0xd1,0x33,0x00,0xf9,0x59,0x62,0x70,0x07,0x32,0xea,0x2e,0xab,0x40,
36590x2d,0x7b,0xca,0xdd,0x21,0x67,0x1b,0x30,0x99,0x8f,0x16,0xaa,0x23,0xa8,0x41,
36600xd1,0xb0,0x6e,0x11,0x9b,0x36,0xc4,0xde,0x40,0x74,0x9c,0xe1,0x58,0x65,0xc1,
36610x60,0x1e,0x7a,0x5b,0x38,0xc8,0x8f,0xbb,0x04,0x26,0x7c,0xd4,0x16,0x40,0xe5,
36620xb6,0x6b,0x6c,0xaa,0x86,0xfd,0x00,0xbf,0xce,0xc1,0x35,0x02,0x03,0x01,0x00,
3693 &
root->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
3726 pPolicyPara, pPolicyStatus);
3732 switch (
LOWORD(szPolicyOID))
3750 FIXME(
"unimplemented for %d\n",
LOWORD(szPolicyOID));
3759 (
void **)&verifyPolicy, &hFunc);
3762 ret = verifyPolicy(szPolicyOID, pChainContext, pPolicyPara,
int strcmp(const char *String1, const char *String2)
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
#define InterlockedIncrement
#define InterlockedDecrement
#define WINE_DEFAULT_DEBUG_CHANNEL(t)
INT copy(TCHAR source[MAX_PATH], TCHAR dest[MAX_PATH], INT append, DWORD lpdwFlags, BOOL bTouch)
BOOL WINAPI CertAddStoreToCollection(HCERTSTORE hCollectionStore, HCERTSTORE hSiblingStore, DWORD dwUpdateFlags, DWORD dwPriority)
BOOL WINAPI CryptDecodeObjectEx(DWORD dwCertEncodingType, LPCSTR lpszStructType, const BYTE *pbEncoded, DWORD cbEncoded, DWORD dwFlags, PCRYPT_DECODE_PARA pDecodePara, void *pvStructInfo, DWORD *pcbStructInfo)
DWORD cert_name_to_str_with_indent(DWORD dwCertEncodingType, DWORD indent, const CERT_NAME_BLOB *pName, DWORD dwStrType, LPWSTR psz, DWORD csz) DECLSPEC_HIDDEN
BOOL WINAPI CryptRetrieveObjectByUrlW(LPCWSTR pszURL, LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout, LPVOID *ppvObject, HCRYPTASYNC hAsyncRetrieve, PCRYPT_CREDENTIALS pCredentials, LPVOID pvVerify, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
BOOL WINAPI CryptGetObjectUrl(LPCSTR pszUrlOid, LPVOID pvPara, DWORD dwFlags, PCRYPT_URL_ARRAY pUrlArray, DWORD *pcbUrlArray, PCRYPT_URL_INFO pUrlInfo, DWORD *pcbUrlInfo, LPVOID pvReserved)
BOOL WINAPI CertAddCertificateContextToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition, PCCERT_CONTEXT *ppStoreContext)
BOOL WINAPI CertFreeCertificateContext(PCCERT_CONTEXT pCertContext)
BOOL WINAPI CertCompareCertificateName(DWORD dwCertEncodingType, PCERT_NAME_BLOB pCertName1, PCERT_NAME_BLOB pCertName2)
PCCERT_CONTEXT WINAPI CertFindCertificateInStore(HCERTSTORE hCertStore, DWORD dwCertEncodingType, DWORD dwFlags, DWORD dwType, const void *pvPara, PCCERT_CONTEXT pPrevCertContext)
BOOL WINAPI CertVerifyRevocation(DWORD dwEncodingType, DWORD dwRevType, DWORD cContext, PVOID rgpvContext[], DWORD dwFlags, PCERT_REVOCATION_PARA pRevPara, PCERT_REVOCATION_STATUS pRevStatus)
BOOL WINAPI CertIsRDNAttrsInCertificateName(DWORD dwCertEncodingType, DWORD dwFlags, PCERT_NAME_BLOB pCertName, PCERT_RDN pRDN)
BOOL WINAPI CryptVerifyCertificateSignatureEx(HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType, DWORD dwSubjectType, void *pvSubject, DWORD dwIssuerType, void *pvIssuer, DWORD dwFlags, void *pvReserved)
BOOL WINAPI CertCompareCertificate(DWORD dwCertEncodingType, PCERT_INFO pCertId1, PCERT_INFO pCertId2)
PCERT_EXTENSION WINAPI CertFindExtension(LPCSTR pszObjId, DWORD cExtensions, CERT_EXTENSION rgExtensions[])
BOOL WINAPI CertGetCertificateContextProperty(PCCERT_CONTEXT pCertContext, DWORD dwPropId, void *pvData, DWORD *pcbData)
BOOL WINAPI CertComparePublicKeyInfo(DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pPublicKey1, PCERT_PUBLIC_KEY_INFO pPublicKey2)
PCCERT_CONTEXT WINAPI CertDuplicateCertificateContext(PCCERT_CONTEXT pCertContext)
LONG WINAPI CertVerifyTimeValidity(LPFILETIME pTimeToVerify, PCERT_INFO pCertInfo)
BOOL WINAPI CertCompareIntegerBlob(PCRYPT_INTEGER_BLOB pInt1, PCRYPT_INTEGER_BLOB pInt2)
PCERT_RDN_ATTR WINAPI CertFindRDNAttr(LPCSTR pszObjId, PCERT_NAME_INFO pName)
BOOL WINAPI CertVerifyCertificateChainPolicy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
static void CRYPT_CheckChainPolicies(PCERT_SIMPLE_CHAIN chain)
static void dump_netscape_cert_type(const CERT_EXTENSION *ext)
BOOL WINAPI CertGetCertificateChain(HCERTCHAINENGINE hChainEngine, PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore, PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved, PCCERT_CHAIN_CONTEXT *ppChainContext)
static void CRYPT_CheckSimpleChainForCycles(PCERT_SIMPLE_CHAIN chain)
static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
static BOOL WINAPI verify_ms_root_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
static void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores)
static CertificateChainEngine * default_lm_engine
static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
static BOOL CRYPT_BuildCandidateChainFromCert(CertificateChainEngine *engine, PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore, DWORD flags, CertificateChain **ppChain)