Juan Lang : crypt32: Implement CertVerifyCertificateChainPolicy for the authenticode policy.

Alexandre Julliard julliard at wine.codeweavers.com
Tue Sep 11 07:28:47 CDT 2007


Module: wine
Branch: master
Commit: 5f06293eb10f21ef852a267235023ed8f5a6cea8
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=5f06293eb10f21ef852a267235023ed8f5a6cea8

Author: Juan Lang <juan.lang at gmail.com>
Date:   Mon Sep 10 16:12:14 2007 -0700

crypt32: Implement CertVerifyCertificateChainPolicy for the authenticode policy.

---

 dlls/crypt32/chain.c       |   60 ++++++++++++++++++++++++++++++++++++++++++++
 dlls/crypt32/tests/chain.c |   45 +++++++++++----------------------
 2 files changed, 75 insertions(+), 30 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 8249596..b716be9 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -1069,6 +1069,63 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
     return TRUE;
 }
 
+static BYTE msTestPubKey1[] = {
+0x30,0x47,0x02,0x40,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,0xd9,
+0x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,0xf7,
+0x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,0x5f,
+0x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,0x10,
+0x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
+static BYTE msTestPubKey2[] = {
+0x30,0x48,0x02,0x41,0x00,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,
+0xd9,0x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,
+0xf7,0x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,
+0x5f,0x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,
+0x10,0x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
+static BYTE msTestPubKey3[] = {
+0x30,0x47,0x02,0x40,0x9c,0x50,0x05,0x1d,0xe2,0x0e,0x4c,0x53,0xd8,0xd9,0xb5,
+0xe5,0xfd,0xe9,0xe3,0xad,0x83,0x4b,0x80,0x08,0xd9,0xdc,0xe8,0xe8,0x35,0xf8,
+0x11,0xf1,0xe9,0x9b,0x03,0x7a,0x65,0x64,0x76,0x35,0xce,0x38,0x2c,0xf2,0xb6,
+0x71,0x9e,0x06,0xd9,0xbf,0xbb,0x31,0x69,0xa3,0xf6,0x30,0xa0,0x78,0x7b,0x18,
+0xdd,0x50,0x4d,0x79,0x1e,0xeb,0x61,0xc1,0x02,0x03,0x01,0x00,0x01 };
+
+static BOOL WINAPI verify_authenticode_policy(LPCSTR szPolicyOID,
+ PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
+ PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
+{
+    BOOL ret = verify_base_policy(szPolicyOID, pChainContext, pPolicyPara,
+     pPolicyStatus);
+
+    if (ret && pPolicyStatus->dwError == CERT_E_UNTRUSTEDROOT)
+    {
+        CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } };
+        BOOL isMSTestRoot = FALSE;
+        PCCERT_CONTEXT failingCert =
+         pChainContext->rgpChain[pPolicyStatus->lChainIndex]->
+         rgpElement[pPolicyStatus->lElementIndex]->pCertContext;
+        DWORD i;
+        CRYPT_DATA_BLOB keyBlobs[] = {
+         { sizeof(msTestPubKey1), msTestPubKey1 },
+         { sizeof(msTestPubKey2), msTestPubKey2 },
+         { sizeof(msTestPubKey3), msTestPubKey3 },
+        };
+
+        /* Check whether the root is an MS test root */
+        for (i = 0; !isMSTestRoot && i < sizeof(keyBlobs) / sizeof(keyBlobs[0]);
+         i++)
+        {
+            msPubKey.PublicKey.cbData = keyBlobs[i].cbData;
+            msPubKey.PublicKey.pbData = keyBlobs[i].pbData;
+            if (CertComparePublicKeyInfo(
+             X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+             &failingCert->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
+                isMSTestRoot = TRUE;
+        }
+        if (isMSTestRoot)
+            pPolicyStatus->dwError = CERT_E_UNTRUSTEDTESTROOT;
+    }
+    return ret;
+}
+
 typedef BOOL (WINAPI *CertVerifyCertificateChainPolicyFunc)(LPCSTR szPolicyOID,
  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
  PCERT_CHAIN_POLICY_STATUS pPolicyStatus);
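Review bot: The three `msTestPubKey` arrays carry no comment saying what they are or why matching one changes the verdict; the only hint is the loop comment "Check whether the root is an MS test root" inside verify_authenticode_policy. A header comment above `msTestPubKey1` such as `/* DER-encoded public keys of the Microsoft test root certificates. A chain whose untrusted root uses one of these keys is reported as CERT_E_UNTRUSTEDTESTROOT rather than CERT_E_UNTRUSTEDROOT. */` would make the intent clear to the next reader. The index into `rgpChain[lChainIndex]->rgpElement[lElementIndex]` also relies on verify_base_policy always setting both indices to valid values whenever it reports CERT_E_UNTRUSTEDROOT, which the test expectations in this commit suggest but the hunk does not show; a `/* the base policy always identifies the failing element for this error */` note, or an explicit `>= 0` guard on both indices before dereferencing, would make that dependence visible. Finally, `msPubKey.Algorithm` is left zeroed, so whether a match can occur depends on whether CertComparePublicKeyInfo compares the algorithm identifier as well as the key bytes; a one-line comment stating which contract the code assumes would save the next maintainer from re-deriving it.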
@@ -1092,6 +1149,9 @@ BOOL WINAPI CertVerifyCertificateChainPolicy(LPCSTR szPolicyOID,
         case (int)CERT_CHAIN_POLICY_BASE:
             verifyPolicy = verify_base_policy;
             break;
+        case (int)CERT_CHAIN_POLICY_AUTHENTICODE:
+            verifyPolicy = verify_authenticode_policy;
+            break;
         default:
             FIXME("unimplemented for %d\n", LOWORD(szPolicyOID));
         }
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index fd8952f..17cab3a 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -1750,50 +1750,35 @@ static ChainPolicyCheck basePolicyCheck[] = {
 
 static ChainPolicyCheck authenticodePolicyCheck[] = {
  { { sizeof(chain0) / sizeof(chain0[0]), chain0 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain1) / sizeof(chain1[0]), chain1 },
-   { 0, TRUST_E_CERT_SIGNATURE, 0, 0, NULL },
-   TODO_POLICY },
+   { 0, TRUST_E_CERT_SIGNATURE, 0, 0, NULL }, 0 },
  { { sizeof(chain2) / sizeof(chain2[0]), chain2 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain3) / sizeof(chain3[0]), chain3 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain4) / sizeof(chain4[0]), chain4 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, 0 },
  { { sizeof(chain5) / sizeof(chain5[0]), chain5 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain6) / sizeof(chain6[0]), chain6 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain7) / sizeof(chain7[0]), chain7 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain8) / sizeof(chain8[0]), chain8 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, 0 },
  { { sizeof(chain9) / sizeof(chain9[0]), chain9 },
-   { 0, CERT_E_CHAINING, 0, -1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_CHAINING, 0, -1, NULL }, 0 },
  { { sizeof(chain10) / sizeof(chain10[0]), chain10 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain11) / sizeof(chain11[0]), chain11 },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
  { { sizeof(chain12) / sizeof(chain12[0]), chain12 },
-   { 0, TRUST_E_CERT_SIGNATURE, 0, 1, NULL },
-   TODO_POLICY },
+   { 0, TRUST_E_CERT_SIGNATURE, 0, 1, NULL }, 0 },
  { { sizeof(selfSignedChain) / sizeof(selfSignedChain[0]), selfSignedChain },
-   { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL },
-   TODO_POLICY },
+   { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, 0 },
  { { sizeof(iTunesChain) / sizeof(iTunesChain[0]), iTunesChain },
-   { 0, 0, -1, -1, NULL },
-   TODO_POLICY },
+   { 0, 0, -1, -1, NULL }, 0 },
 };
 
 static ChainPolicyCheck basicConstraintsPolicyCheck[] = {



