Juan Lang : crypt32: When searching for a CRL by the AKI extension, the extension has to be decoded to match.
Alexandre Julliard
julliard at winehq.org
Mon Nov 23 08:49:50 CST 2009
Module: wine
Branch: master
Commit: 8e51a866b72494b402c9df486c8843b7ed49754d
URL: http://source.winehq.org/git/wine.git/?a=commit;h=8e51a866b72494b402c9df486c8843b7ed49754d
Author: Juan Lang <juan.lang at gmail.com>
Date: Fri Nov 20 15:18:23 2009 -0800
crypt32: When searching for a CRL by the AKI extension, the extension has to be decoded to match.
---
dlls/crypt32/crl.c | 67 ++++++++++++++++++++++++++++++++++++++-------
dlls/crypt32/tests/crl.c | 1 -
2 files changed, 56 insertions(+), 12 deletions(-)
diff --git a/dlls/crypt32/crl.c b/dlls/crypt32/crl.c
index b8e8182..a24e6ad 100644
--- a/dlls/crypt32/crl.c
+++ b/dlls/crypt32/crl.c
@@ -123,26 +123,71 @@ static BOOL compare_crl_issued_by(PCCRL_CONTEXT pCrlContext, DWORD dwType,
CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)issuer, 0, NULL);
if (ret && (dwFlags & CRL_FIND_ISSUED_BY_AKI_FLAG))
{
- PCERT_EXTENSION aki = CertFindExtension(
+ PCERT_EXTENSION ext = CertFindExtension(
szOID_AUTHORITY_KEY_IDENTIFIER2, pCrlContext->pCrlInfo->cExtension,
pCrlContext->pCrlInfo->rgExtension);
- if (aki)
+ if (ext)
{
- CERT_EXTENSION *ski;
+ CERT_AUTHORITY_KEY_ID2_INFO *info;
+ DWORD size;
- if ((ski = CertFindExtension(szOID_SUBJECT_KEY_IDENTIFIER,
- issuer->pCertInfo->cExtension,
- issuer->pCertInfo->rgExtension)))
+ if ((ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
+ X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
+ CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)))
{
- if (aki->Value.cbData == ski->Value.cbData)
- ret = !memcmp(aki->Value.pbData, ski->Value.pbData,
- aki->Value.cbData);
+ if (info->AuthorityCertIssuer.cAltEntry &&
+ info->AuthorityCertSerialNumber.cbData)
+ {
+ PCERT_ALT_NAME_ENTRY directoryName = NULL;
+ DWORD i;
+
+ for (i = 0; !directoryName &&
+ i < info->AuthorityCertIssuer.cAltEntry; i++)
+ if (info->AuthorityCertIssuer.rgAltEntry[i].
+ dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
+ directoryName =
+ &info->AuthorityCertIssuer.rgAltEntry[i];
+ if (directoryName)
+ {
+ ret = CertCompareCertificateName(
+ issuer->dwCertEncodingType,
+ &issuer->pCertInfo->Subject,
+ &directoryName->u.DirectoryName);
+ if (ret)
+ ret = CertCompareIntegerBlob(
+ &issuer->pCertInfo->SerialNumber,
+ &info->AuthorityCertSerialNumber);
+ }
+ else
+ {
+ FIXME("no supported name type in authority key id2\n");
+ ret = FALSE;
+ }
+ }
+ else if (info->KeyId.cbData)
+ {
+ if ((ext = CertFindExtension(
+ szOID_SUBJECT_KEY_IDENTIFIER,
+ issuer->pCertInfo->cExtension,
+ issuer->pCertInfo->rgExtension)))
+ {
+ if (info->KeyId.cbData == ext->Value.cbData)
+ ret = !memcmp(info->KeyId.pbData,
+ ext->Value.pbData, info->KeyId.cbData);
+ else
+ ret = FALSE;
+ }
+ else
+ ret = FALSE;
+ }
else
+ {
+ FIXME("unsupported value for AKI extension\n");
ret = FALSE;
+ }
+ LocalFree(info);
}
- else
- ret = FALSE;
}
/* else: a CRL without an AKI matches any cert */
}
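Review bot: In the `else if (info->KeyId.cbData)` branch, the decoded AKI key identifier is compared with `ext->Value` of the issuer's subject key identifier extension, which is still the raw extension value. That value is the DER encoding of an OCTET STRING, so it carries a tag and length prefix. The `cbData` equality check would therefore presumably fail for every conforming certificate, and a CRL whose AKI holds only a keyIdentifier would never match its real issuer. For revocation checking that means valid CRLs can be silently missed. The SKI should be decoded the same way the AKI now is, as sketched below, or read through the certificate's key identifier property. The enclosing function `compare_crl_issued_by` starts and ends outside this hunk.

```c
else if (info->KeyId.cbData)
{
    if ((ext = CertFindExtension(
     szOID_SUBJECT_KEY_IDENTIFIER,
     issuer->pCertInfo->cExtension,
     issuer->pCertInfo->rgExtension)))
    {
        CRYPT_DATA_BLOB *ski;
        DWORD skiSize;

        /* The extension value is an encoded OCTET STRING; decode it
         * so both sides of the comparison are raw key identifiers. */
        if ((ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
         szOID_SUBJECT_KEY_IDENTIFIER, ext->Value.pbData,
         ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &ski,
         &skiSize)))
        {
            ret = info->KeyId.cbData == ski->cbData &&
             !memcmp(info->KeyId.pbData, ski->pbData, ski->cbData);
            LocalFree(ski);
        }
    }
    /* ... unchanged: else ret = FALSE when the issuer has no SKI ... */
}
```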
diff --git a/dlls/crypt32/tests/crl.c b/dlls/crypt32/tests/crl.c
index 26033c2..bb62219 100644
--- a/dlls/crypt32/tests/crl.c
+++ b/dlls/crypt32/tests/crl.c
@@ -702,7 +702,6 @@ static void testFindCRL(void)
revoked_count++;
}
} while (context);
- todo_wine
ok(count == 0 || broken(count == 1 /* Win9x */),
"expected 0 matching CRLs, got %d\n", count);
ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",