From 5f06293eb10f21ef852a267235023ed8f5a6cea8 Mon Sep 17 00:00:00 2001
From: Juan Lang
Date: Mon, 10 Sep 2007 16:12:14 -0700
Subject: [PATCH] crypt32: Implement CertVerifyCertificateChainPolicy for the authenticode policy.
---
 dlls/crypt32/chain.c | 60 ++++++++++++++++++++++++++++++++++++++
 dlls/crypt32/tests/chain.c | 45 ++++++++++------------------
 2 files changed, 75 insertions(+), 30 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 8249596b7a4..b716be9b4df 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -1069,6 +1069,63 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
 return TRUE;
 }
+static BYTE msTestPubKey1[] = {
+0x30,0x47,0x02,0x40,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,0xd9,
+0x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,0xf7,
+0x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,0x5f,
+0x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,0x10,
+0x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
+static BYTE msTestPubKey2[] = {
+0x30,0x48,0x02,0x41,0x00,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,
+0xd9,0x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,
+0xf7,0x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,
+0x5f,0x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,
+0x10,0x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
+static BYTE msTestPubKey3[] = {
+0x30,0x47,0x02,0x40,0x9c,0x50,0x05,0x1d,0xe2,0x0e,0x4c,0x53,0xd8,0xd9,0xb5,
+0xe5,0xfd,0xe9,0xe3,0xad,0x83,0x4b,0x80,0x08,0xd9,0xdc,0xe8,0xe8,0x35,0xf8,
+0x11,0xf1,0xe9,0x9b,0x03,0x7a,0x65,0x64,0x76,0x35,0xce,0x38,0x2c,0xf2,0xb6,
+0x71,0x9e,0x06,0xd9,0xbf,0xbb,0x31,0x69,0xa3,0xf6,0x30,0xa0,0x78,0x7b,0x18,
+0xdd,0x50,0x4d,0x79,0x1e,0xeb,0x61,0xc1,0x02,0x03,0x01,0x00,0x01 };
+
+static BOOL WINAPI verify_authenticode_policy(LPCSTR szPolicyOID,
+ PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
+ PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
+{
+ BOOL ret = verify_base_policy(szPolicyOID, pChainContext, pPolicyPara,
+ pPolicyStatus);
+
+ if (ret && pPolicyStatus->dwError == CERT_E_UNTRUSTEDROOT)
+ {
+ CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } };
+ BOOL isMSTestRoot = FALSE;
+ PCCERT_CONTEXT failingCert =
+ pChainContext->rgpChain[pPolicyStatus->lChainIndex]->
+ rgpElement[pPolicyStatus->lElementIndex]->pCertContext;
+ DWORD i;
+ CRYPT_DATA_BLOB keyBlobs[] = {
+ { sizeof(msTestPubKey1), msTestPubKey1 },
+ { sizeof(msTestPubKey2), msTestPubKey2 },
+ { sizeof(msTestPubKey3), msTestPubKey3 },
+ };
+
+ /* Check whether the root is an MS test root */
+ for (i = 0; !isMSTestRoot && i < sizeof(keyBlobs) / sizeof(keyBlobs[0]);
+ i++)
+ {
+ msPubKey.PublicKey.cbData = keyBlobs[i].cbData;
+ msPubKey.PublicKey.pbData = keyBlobs[i].pbData;
+ if (CertComparePublicKeyInfo(
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ &failingCert->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
+ isMSTestRoot = TRUE;
+ }
+ if (isMSTestRoot)
+ pPolicyStatus->dwError = CERT_E_UNTRUSTEDTESTROOT;
+ }
+ return ret;
+}
+
 typedef BOOL (WINAPI *CertVerifyCertificateChainPolicyFunc)(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, PCERT_CHAIN_POLICY_STATUS pPolicyStatus);
@@ -1092,6 +1149,9 @@ BOOL WINAPI CertVerifyCertificateChainPolicy(LPCSTR szPolicyOID,
 case (int)CERT_CHAIN_POLICY_BASE:
 verifyPolicy = verify_base_policy;
 break;
+ case (int)CERT_CHAIN_POLICY_AUTHENTICODE:
+ verifyPolicy = verify_authenticode_policy;
+ break;
 default:
 FIXME("unimplemented for %d\n", LOWORD(szPolicyOID));
 }
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index fd8952f618d..17cab3aac98 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
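Review bot: In verify_authenticode_policy, `rgpChain[pPolicyStatus->lChainIndex]->rgpElement[pPolicyStatus->lElementIndex]` is dereferenced on the strength of `dwError == CERT_E_UNTRUSTEDROOT` alone, with no check that either index is non-negative and below `cChain` / `cElement`. verify_base_policy's body is outside this hunk, so it may always set valid indices for that error, but the test table in this same patch appears to expect -1 indices for other outcomes, and a local guard keeps an out-of-bounds read from depending on that. I would extend the condition to `if (ret && pPolicyStatus->dwError == CERT_E_UNTRUSTEDROOT && pPolicyStatus->lChainIndex >= 0 && pPolicyStatus->lElementIndex >= 0)`. The three key arrays also deserve a comment: msTestPubKey1 and msTestPubKey2 carry the same modulus, once without and once with the leading 0x00 byte, and saying why both encodings are listed would stop a later reader from removing one as a duplicate.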
@@ -1750,50 +1750,35 @@ static ChainPolicyCheck basePolicyCheck[] = {
 static ChainPolicyCheck authenticodePolicyCheck[] = {
 { { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain1) / sizeof(chain1[0]), chain1 },
- { 0, TRUST_E_CERT_SIGNATURE, 0, 0, NULL },
- TODO_POLICY },
+ { 0, TRUST_E_CERT_SIGNATURE, 0, 0, NULL }, 0 },
 { { sizeof(chain2) / sizeof(chain2[0]), chain2 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain3) / sizeof(chain3[0]), chain3 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain4) / sizeof(chain4[0]), chain4 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, 0 },
 { { sizeof(chain5) / sizeof(chain5[0]), chain5 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain6) / sizeof(chain6[0]), chain6 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain7) / sizeof(chain7[0]), chain7 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain8) / sizeof(chain8[0]), chain8 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, 0 },
 { { sizeof(chain9) / sizeof(chain9[0]), chain9 },
- { 0, CERT_E_CHAINING, 0, -1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_CHAINING, 0, -1, NULL }, 0 },
 { { sizeof(chain10) / sizeof(chain10[0]), chain10 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain11) / sizeof(chain11[0]), chain11 },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 1, NULL }, 0 },
 { { sizeof(chain12) / sizeof(chain12[0]), chain12 },
- { 0, TRUST_E_CERT_SIGNATURE, 0, 1, NULL },
- TODO_POLICY },
+ { 0, TRUST_E_CERT_SIGNATURE, 0, 1, NULL }, 0 },
 { { sizeof(selfSignedChain) / sizeof(selfSignedChain[0]), selfSignedChain },
- { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL },
- TODO_POLICY },
+ { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, 0 },
 { { sizeof(iTunesChain) / sizeof(iTunesChain[0]), iTunesChain },
- { 0, 0, -1, -1, NULL },
- TODO_POLICY },
+ { 0, 0, -1, -1, NULL }, 0 },
 };
 static ChainPolicyCheck basicConstraintsPolicyCheck[] = {
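Review bot: No entry in authenticodePolicyCheck expects CERT_E_UNTRUSTEDTESTROOT, so the public-key comparison added in dlls/crypt32/chain.c is never exercised by this table; every untrusted-root case still expects plain CERT_E_UNTRUSTEDROOT. An entry whose root carries one of the three test-root keys would cover the remapping of the error code and the chain and element indices it relies on. The array's closing lines here are context only.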