crypt32: When searching for a CRL by the AKI extension, the extension has to be decoded to match.

2009-11-20 15:18:23 -08:00 · 2009-11-20 15:18:23 -08:00 · 8e51a866b7
parent 7dee971809
commit 8e51a866b7
2 changed files with 56 additions and 12 deletions
--- a/dlls/crypt32/crl.c
+++ b/dlls/crypt32/crl.c
@ -123,26 +123,71 @@ static BOOL compare_crl_issued_by(PCCRL_CONTEXT pCrlContext, DWORD dwType,
             CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)issuer, 0, NULL);
        if (ret && (dwFlags & CRL_FIND_ISSUED_BY_AKI_FLAG))
        {
-            PCERT_EXTENSION aki = CertFindExtension(
+            PCERT_EXTENSION ext = CertFindExtension(
             szOID_AUTHORITY_KEY_IDENTIFIER2, pCrlContext->pCrlInfo->cExtension,
             pCrlContext->pCrlInfo->rgExtension);

-            if (aki)
+            if (ext)
            {
-                CERT_EXTENSION *ski;
+                CERT_AUTHORITY_KEY_ID2_INFO *info;
+                DWORD size;

-                if ((ski = CertFindExtension(szOID_SUBJECT_KEY_IDENTIFIER,
-                 issuer->pCertInfo->cExtension,
-                 issuer->pCertInfo->rgExtension)))
+                if ((ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
+                 X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
+                 CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)))
                {
-                    if (aki->Value.cbData == ski->Value.cbData)
-                        ret = !memcmp(aki->Value.pbData, ski->Value.pbData,
-                         aki->Value.cbData);
+                    if (info->AuthorityCertIssuer.cAltEntry &&
+                     info->AuthorityCertSerialNumber.cbData)
+                    {
+                        PCERT_ALT_NAME_ENTRY directoryName = NULL;
+                        DWORD i;
+
+                        for (i = 0; !directoryName &&
+                         i < info->AuthorityCertIssuer.cAltEntry; i++)
+                            if (info->AuthorityCertIssuer.rgAltEntry[i].
+                             dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
+                                directoryName =
+                                 &info->AuthorityCertIssuer.rgAltEntry[i];
+                        if (directoryName)
+                        {
+                            ret = CertCompareCertificateName(
+                             issuer->dwCertEncodingType,
+                             &issuer->pCertInfo->Subject,
+                             &directoryName->u.DirectoryName);
+                            if (ret)
+                                ret = CertCompareIntegerBlob(
+                                 &issuer->pCertInfo->SerialNumber,
+                                 &info->AuthorityCertSerialNumber);
+                        }
+                        else
+                        {
+                            FIXME("no supported name type in authority key id2\n");
+                            ret = FALSE;
+                        }
+                    }
+                    else if (info->KeyId.cbData)
+                    {
+                        if ((ext = CertFindExtension(
+                         szOID_SUBJECT_KEY_IDENTIFIER,
+                         issuer->pCertInfo->cExtension,
+                         issuer->pCertInfo->rgExtension)))
+                        {
+                            if (info->KeyId.cbData == ext->Value.cbData)
+                                ret = !memcmp(info->KeyId.pbData,
+                                 ext->Value.pbData, info->KeyId.cbData);
+                            else
+                                ret = FALSE;
+                        }
+                        else
+                            ret = FALSE;
+                    }
                    else
+                    {
+                        FIXME("unsupported value for AKI extension\n");
                        ret = FALSE;
+                    }
+                    LocalFree(info);
                }
-                else
-                    ret = FALSE;
            }
            /* else: a CRL without an AKI matches any cert */
        }
--- a/dlls/crypt32/tests/crl.c
+++ b/dlls/crypt32/tests/crl.c
@ -702,7 +702,6 @@ static void testFindCRL(void)
                revoked_count++;
        }
    } while (context);
-    todo_wine
    ok(count == 0 || broken(count == 1 /* Win9x */),
     "expected 0 matching CRLs, got %d\n", count);
    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",