wininet: Differentiate checking online and offline CRLs.

2011-03-11 16:26:02 -08:00 · 2011-03-11 16:26:02 -08:00 · 1ce0799dae
parent ec223a2129
commit 1ce0799dae
2 changed files with 53 additions and 23 deletions
--- a/dlls/cryptnet/cryptnet_main.c
+++ b/dlls/cryptnet/cryptnet_main.c
@ -1557,19 +1557,11 @@ BOOL WINAPI CryptRetrieveObjectByUrlW(LPCWSTR pszURL, LPCSTR pszObjectOid,
    return ret;
 }

-static DWORD verify_cert_revocation_with_crl(PCCERT_CONTEXT cert,
+static DWORD verify_cert_revocation_with_crl_online(PCCERT_CONTEXT cert,
 PCCRL_CONTEXT crl, DWORD index, FILETIME *pTime,
 PCERT_REVOCATION_STATUS pRevStatus)
 {
    DWORD error;
-
-    if (CertVerifyCRLTimeValidity(pTime, crl->pCrlInfo))
-    {
-        /* The CRL isn't time valid */
-        error = CRYPT_E_NO_REVOCATION_CHECK;
-    }
-    else
-    {
    PCRL_ENTRY entry = NULL;

    CertFindCertificateInCRL(cert, crl, 0, NULL, &entry);
@ -1579,6 +1571,10 @@ static DWORD verify_cert_revocation_with_crl(PCCERT_CONTEXT cert,
        pRevStatus->dwIndex = index;
    }
    else
+    {
+        /* Since the CRL was retrieved for the cert being checked, then it's
+         * guaranteed to be fresh, and the cert is not revoked.
+         */
        error = ERROR_SUCCESS;
    }
    return error;
@ -1625,8 +1621,8 @@ static DWORD verify_cert_revocation_from_dist_points_ext(
                 NULL, NULL, NULL, NULL);
                if (ret)
                {
-                    error = verify_cert_revocation_with_crl(cert, crl, index,
-                     pTime, pRevStatus);
+                    error = verify_cert_revocation_with_crl_online(cert, crl,
+                     index, pTime, pRevStatus);
                    if (!error && timeout)
                    {
                        DWORD time = GetTickCount();
@ -1696,6 +1692,45 @@ static DWORD verify_cert_revocation_from_aia_ext(
    return error;
 }

+static DWORD verify_cert_revocation_with_crl_offline(PCCERT_CONTEXT cert,
+ PCCRL_CONTEXT crl, DWORD index, FILETIME *pTime,
+ PCERT_REVOCATION_STATUS pRevStatus)
+{
+    DWORD error;
+    LONG valid;
+
+    valid = CompareFileTime(pTime, &crl->pCrlInfo->ThisUpdate);
+    if (valid <= 0)
+    {
+        /* If this CRL is not older than the time being verified, there's no
+         * way to know whether the certificate was revoked.
+         */
+        TRACE("CRL not old enough\n");
+        error = CRYPT_E_REVOCATION_OFFLINE;
+    }
+    else
+    {
+        PCRL_ENTRY entry = NULL;
+
+        CertFindCertificateInCRL(cert, crl, 0, NULL, &entry);
+        if (entry)
+        {
+            error = CRYPT_E_REVOKED;
+            pRevStatus->dwIndex = index;
+        }
+        else
+        {
+            /* Since the CRL was not retrieved for the cert being checked,
+             * there's no guarantee it's fresh, so the cert *might* be okay,
+             * but it's safer not to guess.
+             */
+            TRACE("certificate not found\n");
+            error = CRYPT_E_REVOCATION_OFFLINE;
+        }
+    }
+    return error;
+}
+
 static DWORD verify_cert_revocation(PCCERT_CONTEXT cert, DWORD index,
 FILETIME *pTime, DWORD dwFlags, PCERT_REVOCATION_PARA pRevPara,
 PCERT_REVOCATION_STATUS pRevStatus)
@ -1761,8 +1796,8 @@ static DWORD verify_cert_revocation(PCCERT_CONTEXT cert, DWORD index,
            }
            if (crl)
            {
-                error = verify_cert_revocation_with_crl(cert, crl, index,
-                 pTime, pRevStatus);
+                error = verify_cert_revocation_with_crl_offline(cert, crl,
+                 index, pTime, pRevStatus);
                CertFreeCRLContext(crl);
            }
            else
--- a/dlls/cryptnet/tests/cryptnet.c
+++ b/dlls/cryptnet/tests/cryptnet.c
@ -733,7 +733,6 @@ static void test_verifyRevocation(void)
    SetLastError(0xdeadbeef);
    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
     1, (void **)&certs[1], 0, &revPara, &status);
-    todo_wine
    ok(!ret && (GetLastError() == CRYPT_E_REVOKED ||
     broken(GetLastError() == CRYPT_E_NO_REVOCATION_CHECK /* NT4 */)),
     "expected CRYPT_E_REVOKED, got %08x\n", GetLastError());
@ -748,7 +747,6 @@ static void test_verifyRevocation(void)
    SetLastError(0xdeadbeef);
    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
     1, (void **)&certs[1], 0, &revPara, &status);
-    todo_wine
    ok(!ret && (GetLastError() == CRYPT_E_REVOCATION_OFFLINE ||
     broken(GetLastError() == CRYPT_E_NO_REVOCATION_CHECK /* NT4 */)),
     "expected CRYPT_E_REVOCATION_OFFLINE, got %08x\n", GetLastError());
@ -764,7 +762,6 @@ static void test_verifyRevocation(void)
    SetLastError(0xdeadbeef);
    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
     1, (void **)&certs[1], 0, &revPara, &status);
-    todo_wine
    ok(!ret && (GetLastError() == CRYPT_E_REVOCATION_OFFLINE ||
     broken(GetLastError() == CRYPT_E_NO_REVOCATION_CHECK /* NT4 */)),
     "expected CRYPT_E_REVOCATION_OFFLINE, got %08x\n", GetLastError());
@ -772,7 +769,6 @@ static void test_verifyRevocation(void)
    SetLastError(0xdeadbeef);
    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
     1, (void **)&certs[1], 0, &revPara, &status);
-    todo_wine
    ok(!ret && (GetLastError() == CRYPT_E_REVOCATION_OFFLINE ||
     broken(GetLastError() == CRYPT_E_NO_REVOCATION_CHECK /* NT4 */)),
     "expected CRYPT_E_REVOCATION_OFFLINE, got %08x\n", GetLastError());
@ -780,7 +776,6 @@ static void test_verifyRevocation(void)
    SetLastError(0xdeadbeef);
    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
     1, (void **)&certs[1], 0, &revPara, &status);
-    todo_wine
    ok(!ret && (GetLastError() == CRYPT_E_REVOCATION_OFFLINE ||
     broken(GetLastError() == CRYPT_E_NO_REVOCATION_CHECK /* NT4 */)),
     "expected CRYPT_E_REVOCATION_OFFLINE, got %08x\n", GetLastError());