wintrust(8/8): Implement pfnCertificateTrust
Juan Lang
juan.lang at gmail.com
Tue Aug 28 18:23:01 CDT 2007
--Juan
-------------- next part --------------
From 4ed9c4e36439cf2b37525aa8bd2335ccdcc48952 Mon Sep 17 00:00:00 2001
From: Juan Lang <juanlang at juan.corp.google.com>
Date: Tue, 28 Aug 2007 16:11:14 -0700
Subject: [PATCH] Implement pfnCertificateTrust
---
dlls/wintrust/softpub.c | 140 +++++++++++++++++++++++++++++++++++++++++
dlls/wintrust/tests/softpub.c | 92 +++++++++++++++++++++++++++
dlls/wintrust/wintrust.spec | 4 +
3 files changed, 234 insertions(+), 2 deletions(-)
diff --git a/dlls/wintrust/softpub.c b/dlls/wintrust/softpub.c
index b7c6d5d..a590db7 100644
--- a/dlls/wintrust/softpub.c
+++ b/dlls/wintrust/softpub.c
@@ -426,3 +426,143 @@ HRESULT WINAPI SoftpubLoadSignature(CRYP
GetLastError();
return ret ? S_OK : S_FALSE;
}
+
+BOOL WINAPI SoftpubCheckCert(CRYPT_PROVIDER_DATA *data, DWORD idxSigner,
+ BOOL fCounterSignerChain, DWORD idxCounterSigner)
+{
+ BOOL ret;
+
+ TRACE("(%p, %d, %d, %d)\n", data, idxSigner, fCounterSignerChain,
+ idxCounterSigner);
+
+ if (fCounterSignerChain)
+ {
+ FIXME("unimplemented for counter signers\n");
+ ret = FALSE;
+ }
+ else
+ {
+ PCERT_SIMPLE_CHAIN simpleChain =
+ data->pasSigners[idxSigner].pChainContext->rgpChain[0];
+ DWORD i;
+
+ ret = TRUE;
+ for (i = 0; i < simpleChain->cElement; i++)
+ {
+ /* Set confidence */
+ data->pasSigners[idxSigner].pasCertChain[i].dwConfidence = 0;
+ /* The last element in the chain doesn't have an issuer, so it
+ * can't have a valid time (with respect to its issuer)
+ */
+ if (i != simpleChain->cElement - 1 &&
+ !(simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_NOT_TIME_VALID))
+ data->pasSigners[idxSigner].pasCertChain[i].dwConfidence
+ |= CERT_CONFIDENCE_TIME;
+ if (!(simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_NOT_TIME_NESTED))
+ data->pasSigners[idxSigner].pasCertChain[i].dwConfidence
+ |= CERT_CONFIDENCE_TIMENEST;
+ if (!(simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_NOT_SIGNATURE_VALID))
+ data->pasSigners[idxSigner].pasCertChain[i].dwConfidence
+ |= CERT_CONFIDENCE_SIG;
+ /* Set additional flags */
+ if (!(simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_UNTRUSTED_ROOT))
+ data->pasSigners[idxSigner].pasCertChain[i].fTrustedRoot = TRUE;
+ if (simpleChain->rgpElement[i]->TrustStatus.dwInfoStatus &
+ CERT_TRUST_IS_SELF_SIGNED)
+ data->pasSigners[idxSigner].pasCertChain[i].fSelfSigned = TRUE;
+ if (simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_CYCLIC)
+ data->pasSigners[idxSigner].pasCertChain[i].fIsCyclic = TRUE;
+ }
+ }
+ return ret;
+}
+
+static BOOL WINTRUST_CopyChain(CRYPT_PROVIDER_DATA *data, DWORD signerIdx)
+{
+ BOOL ret;
+ PCERT_SIMPLE_CHAIN simpleChain =
+ data->pasSigners[signerIdx].pChainContext->rgpChain[0];
+ DWORD i;
+
+ data->pasSigners[signerIdx].pasCertChain[0].pChainElement =
+ simpleChain->rgpElement[0];
+ ret = TRUE;
+ for (i = 1; ret && i < simpleChain->cElement; i++)
+ {
+ ret = data->psPfns->pfnAddCert2Chain(data, signerIdx, FALSE, 0,
+ simpleChain->rgpElement[i]->pCertContext);
+ if (ret)
+ data->pasSigners[signerIdx].pasCertChain[i].pChainElement =
+ simpleChain->rgpElement[i];
+ }
+ return ret;
+}
+
+HRESULT WINAPI WintrustCertificateTrust(CRYPT_PROVIDER_DATA *data)
+{
+ BOOL ret;
+
+ if (!data->csSigners)
+ {
+ ret = FALSE;
+ SetLastError(TRUST_E_NOSIGNATURE);
+ }
+ else
+ {
+ DWORD i;
+
+ ret = TRUE;
+ for (i = 0; i < data->csSigners; i++)
+ {
+ CERT_CHAIN_PARA chainPara = { sizeof(chainPara), { 0 } };
+ DWORD flags;
+
+ if (data->pRequestUsage)
+ memcpy(&chainPara.RequestedUsage, data->pRequestUsage,
+ sizeof(CERT_USAGE_MATCH));
+ if (data->dwProvFlags & CPD_REVOCATION_CHECK_END_CERT)
+ flags = CERT_CHAIN_REVOCATION_CHECK_END_CERT;
+ else if (data->dwProvFlags & CPD_REVOCATION_CHECK_CHAIN)
+ flags = CERT_CHAIN_REVOCATION_CHECK_CHAIN;
+ else if (data->dwProvFlags & CPD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT)
+ flags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+ else
+ flags = 0;
+ /* Expect the end certificate for each signer to be the only
+ * cert in the chain:
+ */
+ if (data->pasSigners[i].csCertChain)
+ {
+ /* Create a certificate chain for each signer */
+ ret = CertGetCertificateChain(NULL,
+ data->pasSigners[i].pasCertChain[0].pCert,
+ NULL, /* FIXME: use data->pasSigners[i].sftVerifyAsOf? */
+ data->chStores ? data->pahStores[0] : NULL,
+ &chainPara, flags, NULL, &data->pasSigners[i].pChainContext);
+ if (ret)
+ {
+ if (data->pasSigners[i].pChainContext->cChain != 1)
+ {
+ FIXME("unimplemented for more than 1 simple chain\n");
+ ret = FALSE;
+ }
+ else
+ {
+ if ((ret = WINTRUST_CopyChain(data, i)))
+ ret = data->psPfns->pfnCertCheckPolicy(data, i,
+ FALSE, 0);
+ }
+ }
+ }
+ }
+ }
+ if (!ret)
+ data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
+ GetLastError();
+ return ret ? S_OK : S_FALSE;
+}
diff --git a/dlls/wintrust/tests/softpub.c b/dlls/wintrust/tests/softpub.c
index fa58477..a8ce69e 100644
--- a/dlls/wintrust/tests/softpub.c
+++ b/dlls/wintrust/tests/softpub.c
@@ -304,6 +304,97 @@ static void testObjTrust(SAFE_PROVIDER_F
}
}
+static const BYTE selfSignedCert[] = {
+ 0x30, 0x82, 0x01, 0x1f, 0x30, 0x81, 0xce, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
+ 0x10, 0xeb, 0x0d, 0x57, 0x2a, 0x9c, 0x09, 0xba, 0xa4, 0x4a, 0xb7, 0x25, 0x49,
+ 0xd9, 0x3e, 0xb5, 0x73, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1d,
+ 0x05, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03,
+ 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30,
+ 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x30, 0x36, 0x32, 0x39, 0x30, 0x35, 0x30, 0x30,
+ 0x34, 0x36, 0x5a, 0x17, 0x0d, 0x30, 0x37, 0x30, 0x36, 0x32, 0x39, 0x31, 0x31,
+ 0x30, 0x30, 0x34, 0x36, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+ 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e,
+ 0x67, 0x00, 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+ 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41,
+ 0x00, 0xe2, 0x54, 0x3a, 0xa7, 0x83, 0xb1, 0x27, 0x14, 0x3e, 0x59, 0xbb, 0xb4,
+ 0x53, 0xe6, 0x1f, 0xe7, 0x5d, 0xf1, 0x21, 0x68, 0xad, 0x85, 0x53, 0xdb, 0x6b,
+ 0x1e, 0xeb, 0x65, 0x97, 0x03, 0x86, 0x60, 0xde, 0xf3, 0x6c, 0x38, 0x75, 0xe0,
+ 0x4c, 0x61, 0xbb, 0xbc, 0x62, 0x17, 0xa9, 0xcd, 0x79, 0x3f, 0x21, 0x4e, 0x96,
+ 0xcb, 0x0e, 0xdc, 0x61, 0x94, 0x30, 0x18, 0x10, 0x6b, 0xd0, 0x1c, 0x10, 0x79,
+ 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02,
+ 0x1d, 0x05, 0x00, 0x03, 0x41, 0x00, 0x25, 0x90, 0x53, 0x34, 0xd9, 0x56, 0x41,
+ 0x5e, 0xdb, 0x7e, 0x01, 0x36, 0xec, 0x27, 0x61, 0x5e, 0xb7, 0x4d, 0x90, 0x66,
+ 0xa2, 0xe1, 0x9d, 0x58, 0x76, 0xd4, 0x9c, 0xba, 0x2c, 0x84, 0xc6, 0x83, 0x7a,
+ 0x22, 0x0d, 0x03, 0x69, 0x32, 0x1a, 0x6d, 0xcb, 0x0c, 0x15, 0xb3, 0x6b, 0xc7,
+ 0x0a, 0x8c, 0xb4, 0x5c, 0x34, 0x78, 0xe0, 0x3c, 0x9c, 0xe9, 0xf3, 0x30, 0x9f,
+ 0xa8, 0x76, 0x57, 0x92, 0x36 };
+
+static void testCertTrust(SAFE_PROVIDER_FUNCTIONS *funcs, GUID *actionID)
+{
+ CRYPT_PROVIDER_DATA data = { 0 };
+ CRYPT_PROVIDER_SGNR sgnr = { sizeof(sgnr), { 0 } };
+ HRESULT ret;
+
+ data.padwTrustStepErrors =
+ funcs->pfnAlloc(TRUSTERROR_MAX_STEPS * sizeof(DWORD));
+ if (!data.padwTrustStepErrors)
+ {
+ skip("pfnAlloc failed\n");
+ return;
+ }
+ ret = funcs->pfnCertificateTrust(&data);
+ ok(ret == S_FALSE, "Expected S_FALSE, got %08x\n", ret);
+ ok(data.padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] ==
+ TRUST_E_NOSIGNATURE, "Expected TRUST_E_NOSIGNATURE, got %08x\n",
+ data.padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV]);
+ ret = funcs->pfnAddSgnr2Chain(&data, FALSE, 0, &sgnr);
+ if (ret)
+ {
+ PCCERT_CONTEXT cert;
+
+ /* An empty signer "succeeds," even though there's no cert */
+ ret = funcs->pfnCertificateTrust(&data);
+ ok(ret == S_OK, "Expected S_OK, got %08x\n", ret);
+ cert = CertCreateCertificateContext(X509_ASN_ENCODING, selfSignedCert,
+ sizeof(selfSignedCert));
+ if (cert)
+ {
+ WINTRUST_DATA wintrust_data = { 0 };
+
+ ret = funcs->pfnAddCert2Chain(&data, 0, FALSE, 0, cert);
+ /* If pWintrustData isn't set, crashes attempting to access
+ * pWintrustData->fdwRevocationChecks
+ */
+ data.pWintrustData = &wintrust_data;
+ /* If psPfns isn't set, crashes attempting to access
+ * psPfns->pfnCertCheckPolicy
+ */
+ data.psPfns = (CRYPT_PROVIDER_FUNCTIONS *)funcs;
+ ret = funcs->pfnCertificateTrust(&data);
+ ok(ret == S_OK, "Expected S_OK, got %08x\n", ret);
+ ok(data.csSigners == 1, "Unexpected number of signers %d\n",
+ data.csSigners);
+ ok(data.pasSigners[0].pChainContext != NULL,
+ "Expected a certificate chain\n");
+ ok(data.pasSigners[0].csCertChain == 1,
+ "Unexpected number of chain elements %d\n",
+ data.pasSigners[0].csCertChain);
+ /* pasSigners and pasSigners[0].pasCertChain are guaranteed to be
+ * initialized, see tests for pfnAddSgnr2Chain and pfnAddCert2Chain
+ */
+ ok(!data.pasSigners[0].pasCertChain[0].fTrustedRoot,
+ "Didn't expect cert to be trusted\n");
+ ok(data.pasSigners[0].pasCertChain[0].fSelfSigned,
+ "Expected cert to be self-signed\n");
+ ok(data.pasSigners[0].pasCertChain[0].dwConfidence ==
+ (CERT_CONFIDENCE_SIG | CERT_CONFIDENCE_TIMENEST),
+ "Expected CERT_CONFIDENCE_SIG | CERT_CONFIDENCE_TIMENEST, got %08x\n",
+ data.pasSigners[0].pasCertChain[0].dwConfidence);
+ CertFreeCertificateContext(cert);
+ }
+ }
+}
+
START_TEST(softpub)
{
static GUID generic_verify_v2 = WINTRUST_ACTION_GENERIC_VERIFY_V2;
@@ -319,5 +410,6 @@ START_TEST(softpub)
test_utils(&funcs);
testInitialize(&funcs, &generic_verify_v2);
testObjTrust(&funcs, &generic_verify_v2);
+ testCertTrust(&funcs, &generic_verify_v2);
}
}
diff --git a/dlls/wintrust/wintrust.spec b/dlls/wintrust/wintrust.spec
index ef877b4..c7ae993 100644
--- a/dlls/wintrust/wintrust.spec
+++ b/dlls/wintrust/wintrust.spec
@@ -57,7 +57,7 @@
@ stub OfficeInitializePolicy
@ stub OpenPersonalTrustDBDialog
@ stub SoftpubAuthenticode
-@ stub SoftpubCheckCert
+@ stdcall SoftpubCheckCert(ptr long long long)
@ stub SoftpubCleanup
@ stub SoftpubDefCertInit
@ stdcall SoftpubDllRegisterServer()
@@ -112,7 +112,7 @@
@ stdcall WinVerifyTrustEx(long ptr ptr)
@ stdcall WintrustAddActionID(ptr long ptr)
@ stdcall WintrustAddDefaultForUsage(ptr ptr)
-@ stub WintrustCertificateTrust
+@ stdcall WintrustCertificateTrust(ptr)
@ stub WintrustGetDefaultForUsage
@ stdcall WintrustGetRegPolicyFlags(ptr)
@ stdcall WintrustLoadFunctionPointers(ptr ptr)
--
1.4.1
More information about the wine-patches
mailing list