mirror of
https://github.com/reactos/wine.git
synced 2024-12-05 18:27:13 +00:00
481 lines
16 KiB
C
481 lines
16 KiB
C
/*
|
|
* Copyright 2006 Juan Lang
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
|
|
*
|
|
*/
|
|
#include <stdarg.h>
|
|
#include "windef.h"
|
|
#include "winbase.h"
|
|
#include "wincrypt.h"
|
|
#include "wine/debug.h"
|
|
#include "crypt32_private.h"
|
|
|
|
WINE_DEFAULT_DEBUG_CHANNEL(crypt);
|
|
|
|
static HCERTCHAINENGINE CRYPT_defaultChainEngine;
|
|
|
|
/* This represents a subset of a certificate chain engine: it doesn't include
|
|
* the "hOther" store described by MSDN, because I'm not sure how that's used.
|
|
* It also doesn't include the "hTrust" store, because I don't yet implement
|
|
* CTLs or complex certificate chains.
|
|
*/
|
|
typedef struct _CertificateChainEngine
|
|
{
|
|
LONG ref;
|
|
HCERTSTORE hRoot;
|
|
HCERTSTORE hWorld;
|
|
DWORD dwFlags;
|
|
DWORD dwUrlRetrievalTimeout;
|
|
DWORD MaximumCachedCertificates;
|
|
DWORD CycleDetectionModulus;
|
|
} CertificateChainEngine, *PCertificateChainEngine;
|
|
|
|
static inline void CRYPT_AddStoresToCollection(HCERTSTORE collection,
|
|
DWORD cStores, HCERTSTORE *stores)
|
|
{
|
|
DWORD i;
|
|
|
|
for (i = 0; i < cStores; i++)
|
|
CertAddStoreToCollection(collection, stores[i], 0, 0);
|
|
}
|
|
|
|
static inline void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores)
|
|
{
|
|
DWORD i;
|
|
|
|
for (i = 0; i < cStores; i++)
|
|
CertCloseStore(stores[i], 0);
|
|
}
|
|
|
|
static const WCHAR rootW[] = { 'R','o','o','t',0 };
|
|
|
|
static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store)
|
|
{
|
|
BOOL ret = TRUE;
|
|
|
|
if (store)
|
|
{
|
|
HCERTSTORE rootStore = CertOpenSystemStoreW(0, rootW);
|
|
PCCERT_CONTEXT cert = NULL, check;
|
|
BYTE hash[20];
|
|
DWORD size;
|
|
|
|
do {
|
|
cert = CertEnumCertificatesInStore(store, cert);
|
|
if (cert)
|
|
{
|
|
size = sizeof(hash);
|
|
|
|
ret = CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID,
|
|
hash, &size);
|
|
if (ret)
|
|
{
|
|
CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
|
|
|
|
check = CertFindCertificateInStore(rootStore,
|
|
cert->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob,
|
|
NULL);
|
|
if (!check)
|
|
ret = FALSE;
|
|
else
|
|
CertFreeCertificateContext(check);
|
|
}
|
|
}
|
|
} while (ret && cert);
|
|
if (cert)
|
|
CertFreeCertificateContext(cert);
|
|
CertCloseStore(rootStore, 0);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
|
|
HCERTCHAINENGINE *phChainEngine)
|
|
{
|
|
static const WCHAR caW[] = { 'C','A',0 };
|
|
static const WCHAR myW[] = { 'M','y',0 };
|
|
static const WCHAR trustW[] = { 'T','r','u','s','t',0 };
|
|
BOOL ret;
|
|
|
|
TRACE("(%p, %p)\n", pConfig, phChainEngine);
|
|
|
|
if (pConfig->cbSize != sizeof(*pConfig))
|
|
{
|
|
SetLastError(E_INVALIDARG);
|
|
return FALSE;
|
|
}
|
|
*phChainEngine = NULL;
|
|
ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot);
|
|
if (ret)
|
|
{
|
|
PCertificateChainEngine engine =
|
|
CryptMemAlloc(sizeof(CertificateChainEngine));
|
|
|
|
if (engine)
|
|
{
|
|
HCERTSTORE worldStores[4];
|
|
|
|
engine->ref = 1;
|
|
if (pConfig->hRestrictedRoot)
|
|
engine->hRoot = CertDuplicateStore(pConfig->hRestrictedRoot);
|
|
else
|
|
engine->hRoot = CertOpenSystemStoreW(0, rootW);
|
|
engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
|
|
CERT_STORE_CREATE_NEW_FLAG, NULL);
|
|
worldStores[0] = CertDuplicateStore(engine->hRoot);
|
|
worldStores[1] = CertOpenSystemStoreW(0, caW);
|
|
worldStores[2] = CertOpenSystemStoreW(0, myW);
|
|
worldStores[3] = CertOpenSystemStoreW(0, trustW);
|
|
CRYPT_AddStoresToCollection(engine->hWorld,
|
|
sizeof(worldStores) / sizeof(worldStores[0]), worldStores);
|
|
CRYPT_AddStoresToCollection(engine->hWorld,
|
|
pConfig->cAdditionalStore, pConfig->rghAdditionalStore);
|
|
CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]),
|
|
worldStores);
|
|
engine->dwFlags = pConfig->dwFlags;
|
|
engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout;
|
|
engine->MaximumCachedCertificates =
|
|
pConfig->MaximumCachedCertificates;
|
|
engine->CycleDetectionModulus = pConfig->CycleDetectionModulus;
|
|
*phChainEngine = (HCERTCHAINENGINE)engine;
|
|
ret = TRUE;
|
|
}
|
|
else
|
|
ret = FALSE;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
void WINAPI CertFreeCertificateChainEngine(HCERTCHAINENGINE hChainEngine)
|
|
{
|
|
PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
|
|
|
|
TRACE("(%p)\n", hChainEngine);
|
|
|
|
if (engine && InterlockedDecrement(&engine->ref) == 0)
|
|
{
|
|
CertCloseStore(engine->hWorld, 0);
|
|
CertCloseStore(engine->hRoot, 0);
|
|
CryptMemFree(engine);
|
|
}
|
|
}
|
|
|
|
static HCERTCHAINENGINE CRYPT_GetDefaultChainEngine(void)
|
|
{
|
|
if (!CRYPT_defaultChainEngine)
|
|
{
|
|
CERT_CHAIN_ENGINE_CONFIG config = { 0 };
|
|
HCERTCHAINENGINE engine;
|
|
|
|
config.cbSize = sizeof(config);
|
|
CertCreateCertificateChainEngine(&config, &engine);
|
|
InterlockedCompareExchangePointer(&CRYPT_defaultChainEngine, engine,
|
|
NULL);
|
|
if (CRYPT_defaultChainEngine != engine)
|
|
CertFreeCertificateChainEngine(engine);
|
|
}
|
|
return CRYPT_defaultChainEngine;
|
|
}
|
|
|
|
void default_chain_engine_free(void)
|
|
{
|
|
CertFreeCertificateChainEngine(CRYPT_defaultChainEngine);
|
|
}
|
|
|
|
typedef struct _CertificateChain
|
|
{
|
|
CERT_CHAIN_CONTEXT context;
|
|
LONG ref;
|
|
} CertificateChain, *PCertificateChain;
|
|
|
|
static inline BOOL WINAPI CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
|
|
{
|
|
return CertCompareCertificateName(cert->dwCertEncodingType,
|
|
&cert->pCertInfo->Subject, &cert->pCertInfo->Issuer);
|
|
}
|
|
|
|
/* Gets cert's issuer from store, and returns the validity flags associated
|
|
* with it. Returns NULL if no issuer whose public key matches cert's
|
|
* signature could be found.
|
|
*/
|
|
static PCCERT_CONTEXT CRYPT_GetIssuerFromStore(HCERTSTORE store,
|
|
PCCERT_CONTEXT cert, PDWORD pdwFlags)
|
|
{
|
|
PCCERT_CONTEXT issuer = NULL;
|
|
|
|
/* There might be more than issuer with the same name, so keep looking until
|
|
* one produces the correct signature for this cert.
|
|
*/
|
|
do {
|
|
*pdwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG |
|
|
CERT_STORE_TIME_VALIDITY_FLAG;
|
|
issuer = CertGetIssuerCertificateFromStore(store, cert, issuer,
|
|
pdwFlags);
|
|
} while (issuer && (*pdwFlags & CERT_STORE_SIGNATURE_FLAG));
|
|
return issuer;
|
|
}
|
|
|
|
static BOOL CRYPT_AddCertToSimpleChain(PCERT_SIMPLE_CHAIN chain,
|
|
PCCERT_CONTEXT cert, DWORD dwFlags)
|
|
{
|
|
BOOL ret = FALSE;
|
|
PCERT_CHAIN_ELEMENT element = CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
|
|
|
|
if (element)
|
|
{
|
|
if (!chain->cElement)
|
|
chain->rgpElement = CryptMemAlloc(sizeof(PCERT_CHAIN_ELEMENT));
|
|
else
|
|
chain->rgpElement = CryptMemRealloc(chain->rgpElement,
|
|
(chain->cElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
|
|
if (chain->rgpElement)
|
|
{
|
|
memset(element, 0, sizeof(CERT_CHAIN_ELEMENT));
|
|
element->cbSize = sizeof(CERT_CHAIN_ELEMENT);
|
|
element->pCertContext = cert;
|
|
if (dwFlags & CERT_STORE_REVOCATION_FLAG &&
|
|
!(dwFlags & CERT_STORE_NO_CRL_FLAG))
|
|
element->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_REVOKED;
|
|
if (dwFlags & CERT_STORE_SIGNATURE_FLAG)
|
|
element->TrustStatus.dwErrorStatus |=
|
|
CERT_TRUST_IS_NOT_SIGNATURE_VALID;
|
|
if (dwFlags & CERT_STORE_TIME_VALIDITY_FLAG)
|
|
element->TrustStatus.dwErrorStatus |=
|
|
CERT_TRUST_IS_NOT_TIME_VALID;
|
|
/* It appears, from every example certificate chain I've found,
|
|
* that this flag is always set:
|
|
*/
|
|
element->TrustStatus.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER;
|
|
if (chain->cElement)
|
|
{
|
|
PCERT_CHAIN_ELEMENT prevElement =
|
|
chain->rgpElement[chain->cElement - 1];
|
|
|
|
/* This cert is the issuer of the previous one in the chain, so
|
|
* retroactively check the previous one's time validity nesting.
|
|
*/
|
|
if (!CertVerifyValidityNesting(
|
|
prevElement->pCertContext->pCertInfo, cert->pCertInfo))
|
|
prevElement->TrustStatus.dwErrorStatus |=
|
|
CERT_TRUST_IS_NOT_TIME_NESTED;
|
|
}
|
|
/* FIXME: check valid usages, name constraints, and for cycles */
|
|
/* FIXME: initialize the rest of element */
|
|
chain->TrustStatus.dwErrorStatus |=
|
|
element->TrustStatus.dwErrorStatus;
|
|
chain->TrustStatus.dwInfoStatus |=
|
|
element->TrustStatus.dwInfoStatus;
|
|
chain->rgpElement[chain->cElement++] = element;
|
|
ret = TRUE;
|
|
}
|
|
else
|
|
CryptMemFree(element);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static void CRYPT_FreeSimpleChain(PCERT_SIMPLE_CHAIN chain)
|
|
{
|
|
DWORD i;
|
|
|
|
for (i = 0; i < chain->cElement; i++)
|
|
CryptMemFree(chain->rgpElement[i]);
|
|
CryptMemFree(chain->rgpElement);
|
|
CryptMemFree(chain);
|
|
}
|
|
|
|
static BOOL CRYPT_BuildSimpleChain(HCERTCHAINENGINE hChainEngine,
|
|
PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
|
|
PCERT_SIMPLE_CHAIN *ppChain)
|
|
{
|
|
BOOL ret = FALSE;
|
|
PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
|
|
PCERT_SIMPLE_CHAIN chain;
|
|
HCERTSTORE world;
|
|
|
|
TRACE("(%p, %p, %p, %p)\n", hChainEngine, cert, pTime, hAdditionalStore);
|
|
|
|
world = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
|
|
CERT_STORE_CREATE_NEW_FLAG, NULL);
|
|
CertAddStoreToCollection(world, engine->hWorld, 0, 0);
|
|
if (cert->hCertStore)
|
|
CertAddStoreToCollection(world, cert->hCertStore, 0, 0);
|
|
if (hAdditionalStore)
|
|
CertAddStoreToCollection(world, hAdditionalStore, 0, 0);
|
|
chain = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
|
|
if (chain)
|
|
{
|
|
memset(chain, 0, sizeof(CERT_SIMPLE_CHAIN));
|
|
chain->cbSize = sizeof(CERT_SIMPLE_CHAIN);
|
|
ret = CRYPT_AddCertToSimpleChain(chain, cert, 0);
|
|
while (ret && !CRYPT_IsCertificateSelfSigned(cert))
|
|
{
|
|
DWORD flags;
|
|
PCCERT_CONTEXT issuer = CRYPT_GetIssuerFromStore(world, cert,
|
|
&flags);
|
|
|
|
if (issuer)
|
|
{
|
|
ret = CRYPT_AddCertToSimpleChain(chain, issuer, flags);
|
|
cert = issuer;
|
|
}
|
|
else
|
|
{
|
|
TRACE("Couldn't find issuer, aborting chain creation\n");
|
|
ret = FALSE;
|
|
}
|
|
}
|
|
if (ret)
|
|
{
|
|
PCCERT_CONTEXT root = chain->rgpElement[chain->cElement - 1]->
|
|
pCertContext;
|
|
|
|
if (!(ret = CRYPT_IsCertificateSelfSigned(root)))
|
|
TRACE("Last certificate is not self-signed\n");
|
|
else
|
|
{
|
|
chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus
|
|
|= CERT_TRUST_IS_SELF_SIGNED;
|
|
if (!(ret = CryptVerifyCertificateSignatureEx(0,
|
|
root->dwCertEncodingType, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
|
|
(void *)root, CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)root,
|
|
0, NULL)))
|
|
TRACE("Last certificate's signature is invalid\n");
|
|
}
|
|
if (ret)
|
|
{
|
|
BYTE hash[20];
|
|
DWORD size = sizeof(hash);
|
|
CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
|
|
PCCERT_CONTEXT trustedRoot;
|
|
|
|
CertGetCertificateContextProperty(root, CERT_HASH_PROP_ID, hash,
|
|
&size);
|
|
trustedRoot = CertFindCertificateInStore(engine->hRoot,
|
|
root->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob, NULL);
|
|
if (!trustedRoot)
|
|
chain->TrustStatus.dwErrorStatus |=
|
|
CERT_TRUST_IS_UNTRUSTED_ROOT;
|
|
else
|
|
CertFreeCertificateContext(trustedRoot);
|
|
}
|
|
}
|
|
if (!ret)
|
|
{
|
|
CRYPT_FreeSimpleChain(chain);
|
|
chain = NULL;
|
|
}
|
|
*ppChain = chain;
|
|
}
|
|
CertCloseStore(world, 0);
|
|
return ret;
|
|
}
|
|
|
|
typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS {
|
|
DWORD cbSize;
|
|
CERT_USAGE_MATCH RequestedUsage;
|
|
} CERT_CHAIN_PARA_NO_EXTRA_FIELDS, *PCERT_CHAIN_PARA_NO_EXTRA_FIELDS;
|
|
|
|
typedef struct _CERT_CHAIN_PARA_EXTRA_FIELDS {
|
|
DWORD cbSize;
|
|
CERT_USAGE_MATCH RequestedUsage;
|
|
CERT_USAGE_MATCH RequestedIssuancePolicy;
|
|
DWORD dwUrlRetrievalTimeout;
|
|
BOOL fCheckRevocationFreshnessTime;
|
|
DWORD dwRevocationFreshnessTime;
|
|
} CERT_CHAIN_PARA_EXTRA_FIELDS, *PCERT_CHAIN_PARA_EXTRA_FIELDS;
|
|
|
|
BOOL WINAPI CertGetCertificateChain(HCERTCHAINENGINE hChainEngine,
|
|
PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
|
|
PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved,
|
|
PCCERT_CHAIN_CONTEXT* ppChainContext)
|
|
{
|
|
PCERT_SIMPLE_CHAIN simpleChain = NULL;
|
|
BOOL ret;
|
|
|
|
TRACE("(%p, %p, %p, %p, %p, %08x, %p, %p)\n", hChainEngine, pCertContext,
|
|
pTime, hAdditionalStore, pChainPara, dwFlags, pvReserved, ppChainContext);
|
|
|
|
if (!pChainPara)
|
|
{
|
|
SetLastError(E_INVALIDARG);
|
|
return FALSE;
|
|
}
|
|
if (ppChainContext)
|
|
*ppChainContext = NULL;
|
|
if (!hChainEngine)
|
|
hChainEngine = CRYPT_GetDefaultChainEngine();
|
|
/* FIXME: what about HCCE_LOCAL_MACHINE? */
|
|
/* FIXME: pChainPara is for now ignored */
|
|
/* FIXME: only simple chains are supported for now, as CTLs aren't
|
|
* supported yet.
|
|
*/
|
|
if ((ret = CRYPT_BuildSimpleChain(hChainEngine, pCertContext, pTime,
|
|
hAdditionalStore, &simpleChain)))
|
|
{
|
|
PCertificateChain chain = CryptMemAlloc(sizeof(CertificateChain));
|
|
|
|
if (chain)
|
|
{
|
|
chain->ref = 1;
|
|
chain->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
|
|
memcpy(&chain->context.TrustStatus, &simpleChain->TrustStatus,
|
|
sizeof(CERT_TRUST_STATUS));
|
|
chain->context.cChain = 1;
|
|
chain->context.rgpChain = CryptMemAlloc(sizeof(PCERT_SIMPLE_CHAIN));
|
|
chain->context.rgpChain[0] = simpleChain;
|
|
chain->context.cLowerQualityChainContext = 0;
|
|
chain->context.rgpLowerQualityChainContext = NULL;
|
|
chain->context.fHasRevocationFreshnessTime = FALSE;
|
|
chain->context.dwRevocationFreshnessTime = 0;
|
|
}
|
|
else
|
|
ret = FALSE;
|
|
if (ppChainContext)
|
|
*ppChainContext = (PCCERT_CHAIN_CONTEXT)chain;
|
|
else
|
|
CertFreeCertificateChain((PCCERT_CHAIN_CONTEXT)chain);
|
|
}
|
|
TRACE("returning %d\n", ret);
|
|
return ret;
|
|
}
|
|
|
|
static void CRYPT_FreeChainContext(PCertificateChain chain)
|
|
{
|
|
DWORD i;
|
|
|
|
/* Note the chain's rgpLowerQualityChainContext isn't freed, but
|
|
* it's never set, either.
|
|
*/
|
|
for (i = 0; i < chain->context.cChain; i++)
|
|
CRYPT_FreeSimpleChain(chain->context.rgpChain[i]);
|
|
CryptMemFree(chain->context.rgpChain);
|
|
CryptMemFree(chain);
|
|
}
|
|
|
|
void WINAPI CertFreeCertificateChain(PCCERT_CHAIN_CONTEXT pChainContext)
|
|
{
|
|
PCertificateChain chain = (PCertificateChain)pChainContext;
|
|
|
|
TRACE("(%p)\n", pChainContext);
|
|
|
|
if (chain)
|
|
{
|
|
if (InterlockedDecrement(&chain->ref) == 0)
|
|
CRYPT_FreeChainContext(chain);
|
|
}
|
|
}
|