/* * Copyright 2006 Juan Lang * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA * */ #include #include "windef.h" #include "winbase.h" #include "wincrypt.h" #include "wine/debug.h" #include "crypt32_private.h" WINE_DEFAULT_DEBUG_CHANNEL(crypt); #define DEFAULT_CYCLE_MODULUS 7 static HCERTCHAINENGINE CRYPT_defaultChainEngine; /* This represents a subset of a certificate chain engine: it doesn't include * the "hOther" store described by MSDN, because I'm not sure how that's used. * It also doesn't include the "hTrust" store, because I don't yet implement * CTLs or complex certificate chains. */ typedef struct _CertificateChainEngine { LONG ref; HCERTSTORE hRoot; HCERTSTORE hWorld; DWORD dwFlags; DWORD dwUrlRetrievalTimeout; DWORD MaximumCachedCertificates; DWORD CycleDetectionModulus; } CertificateChainEngine, *PCertificateChainEngine; static inline void CRYPT_AddStoresToCollection(HCERTSTORE collection, DWORD cStores, HCERTSTORE *stores) { DWORD i; for (i = 0; i < cStores; i++) CertAddStoreToCollection(collection, stores[i], 0, 0); } static inline void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores) { DWORD i; for (i = 0; i < cStores; i++) CertCloseStore(stores[i], 0); } static const WCHAR rootW[] = { 'R','o','o','t',0 }; static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store) { BOOL ret = TRUE; if (store) { HCERTSTORE rootStore = CertOpenSystemStoreW(0, rootW); PCCERT_CONTEXT cert = NULL, check; BYTE hash[20]; DWORD size; do { cert = CertEnumCertificatesInStore(store, cert); if (cert) { size = sizeof(hash); ret = CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID, hash, &size); if (ret) { CRYPT_HASH_BLOB blob = { sizeof(hash), hash }; check = CertFindCertificateInStore(rootStore, cert->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob, NULL); if (!check) ret = FALSE; else CertFreeCertificateContext(check); } } } while (ret && cert); if (cert) CertFreeCertificateContext(cert); CertCloseStore(rootStore, 0); } return ret; } BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig, HCERTCHAINENGINE *phChainEngine) { static const WCHAR caW[] = { 'C','A',0 }; static const WCHAR myW[] = { 'M','y',0 }; static const WCHAR trustW[] = { 'T','r','u','s','t',0 }; BOOL ret; TRACE("(%p, %p)\n", pConfig, phChainEngine); if (pConfig->cbSize != sizeof(*pConfig)) { SetLastError(E_INVALIDARG); return FALSE; } *phChainEngine = NULL; ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot); if (ret) { PCertificateChainEngine engine = CryptMemAlloc(sizeof(CertificateChainEngine)); if (engine) { HCERTSTORE worldStores[4]; engine->ref = 1; if (pConfig->hRestrictedRoot) engine->hRoot = CertDuplicateStore(pConfig->hRestrictedRoot); else engine->hRoot = CertOpenSystemStoreW(0, rootW); engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); worldStores[0] = CertDuplicateStore(engine->hRoot); worldStores[1] = CertOpenSystemStoreW(0, caW); worldStores[2] = CertOpenSystemStoreW(0, myW); worldStores[3] = CertOpenSystemStoreW(0, trustW); CRYPT_AddStoresToCollection(engine->hWorld, sizeof(worldStores) / sizeof(worldStores[0]), worldStores); CRYPT_AddStoresToCollection(engine->hWorld, pConfig->cAdditionalStore, pConfig->rghAdditionalStore); CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]), worldStores); engine->dwFlags = pConfig->dwFlags; engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout; engine->MaximumCachedCertificates = pConfig->MaximumCachedCertificates; if (pConfig->CycleDetectionModulus) engine->CycleDetectionModulus = pConfig->CycleDetectionModulus; else engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS; *phChainEngine = (HCERTCHAINENGINE)engine; ret = TRUE; } else ret = FALSE; } return ret; } void WINAPI CertFreeCertificateChainEngine(HCERTCHAINENGINE hChainEngine) { PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine; TRACE("(%p)\n", hChainEngine); if (engine && InterlockedDecrement(&engine->ref) == 0) { CertCloseStore(engine->hWorld, 0); CertCloseStore(engine->hRoot, 0); CryptMemFree(engine); } } static HCERTCHAINENGINE CRYPT_GetDefaultChainEngine(void) { if (!CRYPT_defaultChainEngine) { CERT_CHAIN_ENGINE_CONFIG config = { 0 }; HCERTCHAINENGINE engine; config.cbSize = sizeof(config); CertCreateCertificateChainEngine(&config, &engine); InterlockedCompareExchangePointer(&CRYPT_defaultChainEngine, engine, NULL); if (CRYPT_defaultChainEngine != engine) CertFreeCertificateChainEngine(engine); } return CRYPT_defaultChainEngine; } void default_chain_engine_free(void) { CertFreeCertificateChainEngine(CRYPT_defaultChainEngine); } typedef struct _CertificateChain { CERT_CHAIN_CONTEXT context; LONG ref; } CertificateChain, *PCertificateChain; static inline BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert) { return CertCompareCertificateName(cert->dwCertEncodingType, &cert->pCertInfo->Subject, &cert->pCertInfo->Issuer); } /* Gets cert's issuer from store, and returns the validity flags associated * with it. Returns NULL if no issuer whose public key matches cert's * signature could be found. */ static PCCERT_CONTEXT CRYPT_GetIssuerFromStore(HCERTSTORE store, PCCERT_CONTEXT cert, PDWORD pdwFlags) { PCCERT_CONTEXT issuer = NULL; /* There might be more than issuer with the same name, so keep looking until * one produces the correct signature for this cert. */ do { *pdwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG; issuer = CertGetIssuerCertificateFromStore(store, cert, issuer, pdwFlags); } while (issuer && (*pdwFlags & CERT_STORE_SIGNATURE_FLAG)); return issuer; } static BOOL CRYPT_AddCertToSimpleChain(PCERT_SIMPLE_CHAIN chain, PCCERT_CONTEXT cert, DWORD dwFlags) { BOOL ret = FALSE; PCERT_CHAIN_ELEMENT element = CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT)); if (element) { if (!chain->cElement) chain->rgpElement = CryptMemAlloc(sizeof(PCERT_CHAIN_ELEMENT)); else chain->rgpElement = CryptMemRealloc(chain->rgpElement, (chain->cElement + 1) * sizeof(PCERT_CHAIN_ELEMENT)); if (chain->rgpElement) { memset(element, 0, sizeof(CERT_CHAIN_ELEMENT)); element->cbSize = sizeof(CERT_CHAIN_ELEMENT); element->pCertContext = CertDuplicateCertificateContext(cert); if (dwFlags & CERT_STORE_REVOCATION_FLAG && !(dwFlags & CERT_STORE_NO_CRL_FLAG)) element->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_REVOKED; if (dwFlags & CERT_STORE_SIGNATURE_FLAG) element->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_SIGNATURE_VALID; if (dwFlags & CERT_STORE_TIME_VALIDITY_FLAG) element->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_VALID; if (chain->cElement) { PCERT_CHAIN_ELEMENT prevElement = chain->rgpElement[chain->cElement - 1]; /* This cert is the issuer of the previous one in the chain, so * retroactively check the previous one's time validity nesting. */ if (!CertVerifyValidityNesting( prevElement->pCertContext->pCertInfo, cert->pCertInfo)) prevElement->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_TIME_NESTED; } /* FIXME: check valid usages, name constraints, and for cycles */ /* FIXME: initialize the rest of element */ chain->TrustStatus.dwErrorStatus |= element->TrustStatus.dwErrorStatus; chain->TrustStatus.dwInfoStatus |= element->TrustStatus.dwInfoStatus; chain->rgpElement[chain->cElement++] = element; ret = TRUE; } else CryptMemFree(element); } return ret; } static void CRYPT_FreeChainElement(PCERT_CHAIN_ELEMENT element) { CertFreeCertificateContext(element->pCertContext); CryptMemFree(element); } static void CRYPT_FreeSimpleChain(PCERT_SIMPLE_CHAIN chain) { DWORD i; for (i = 0; i < chain->cElement; i++) CRYPT_FreeChainElement(chain->rgpElement[i]); CryptMemFree(chain->rgpElement); CryptMemFree(chain); } static BOOL CRYPT_BuildSimpleChain(HCERTCHAINENGINE hChainEngine, PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore, PCERT_SIMPLE_CHAIN *ppChain) { BOOL ret = FALSE; PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine; PCERT_SIMPLE_CHAIN chain; HCERTSTORE world; TRACE("(%p, %p, %p, %p)\n", hChainEngine, cert, pTime, hAdditionalStore); world = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); CertAddStoreToCollection(world, engine->hWorld, 0, 0); if (cert->hCertStore) CertAddStoreToCollection(world, cert->hCertStore, 0, 0); if (hAdditionalStore) CertAddStoreToCollection(world, hAdditionalStore, 0, 0); chain = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN)); if (chain) { memset(chain, 0, sizeof(CERT_SIMPLE_CHAIN)); chain->cbSize = sizeof(CERT_SIMPLE_CHAIN); ret = CRYPT_AddCertToSimpleChain(chain, cert, 0); while (ret && !CRYPT_IsCertificateSelfSigned(cert)) { DWORD flags; PCCERT_CONTEXT issuer = CRYPT_GetIssuerFromStore(world, cert, &flags); if (issuer) { ret = CRYPT_AddCertToSimpleChain(chain, issuer, flags); cert = issuer; } else { TRACE("Couldn't find issuer, aborting chain creation\n"); ret = FALSE; } } if (ret) { PCERT_CHAIN_ELEMENT rootElement = chain->rgpElement[chain->cElement - 1]; PCCERT_CONTEXT root = rootElement->pCertContext; if (!(ret = CRYPT_IsCertificateSelfSigned(root))) TRACE("Last certificate is not self-signed\n"); else { rootElement->TrustStatus.dwInfoStatus |= CERT_TRUST_IS_SELF_SIGNED; if (!(ret = CryptVerifyCertificateSignatureEx(0, root->dwCertEncodingType, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *)root, CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)root, 0, NULL))) { TRACE("Last certificate's signature is invalid\n"); rootElement->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_NOT_SIGNATURE_VALID; } } if (CRYPT_IsCertificateSelfSigned(root)) { BYTE hash[20]; DWORD size = sizeof(hash); CRYPT_HASH_BLOB blob = { sizeof(hash), hash }; PCCERT_CONTEXT trustedRoot; CertGetCertificateContextProperty(root, CERT_HASH_PROP_ID, hash, &size); trustedRoot = CertFindCertificateInStore(engine->hRoot, root->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob, NULL); if (!trustedRoot) rootElement->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_UNTRUSTED_ROOT; else CertFreeCertificateContext(trustedRoot); } chain->TrustStatus.dwErrorStatus |= rootElement->TrustStatus.dwErrorStatus; chain->TrustStatus.dwInfoStatus |= rootElement->TrustStatus.dwInfoStatus & ~CERT_TRUST_IS_SELF_SIGNED; } if (!ret) { CRYPT_FreeSimpleChain(chain); chain = NULL; } *ppChain = chain; } CertCloseStore(world, 0); return ret; } typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS { DWORD cbSize; CERT_USAGE_MATCH RequestedUsage; } CERT_CHAIN_PARA_NO_EXTRA_FIELDS, *PCERT_CHAIN_PARA_NO_EXTRA_FIELDS; typedef struct _CERT_CHAIN_PARA_EXTRA_FIELDS { DWORD cbSize; CERT_USAGE_MATCH RequestedUsage; CERT_USAGE_MATCH RequestedIssuancePolicy; DWORD dwUrlRetrievalTimeout; BOOL fCheckRevocationFreshnessTime; DWORD dwRevocationFreshnessTime; } CERT_CHAIN_PARA_EXTRA_FIELDS, *PCERT_CHAIN_PARA_EXTRA_FIELDS; BOOL WINAPI CertGetCertificateChain(HCERTCHAINENGINE hChainEngine, PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore, PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved, PCCERT_CHAIN_CONTEXT* ppChainContext) { PCERT_SIMPLE_CHAIN simpleChain = NULL; BOOL ret; TRACE("(%p, %p, %p, %p, %p, %08x, %p, %p)\n", hChainEngine, pCertContext, pTime, hAdditionalStore, pChainPara, dwFlags, pvReserved, ppChainContext); if (!pChainPara) { SetLastError(E_INVALIDARG); return FALSE; } if (ppChainContext) *ppChainContext = NULL; if (!hChainEngine) hChainEngine = CRYPT_GetDefaultChainEngine(); /* FIXME: what about HCCE_LOCAL_MACHINE? */ /* FIXME: pChainPara is for now ignored */ /* FIXME: only simple chains are supported for now, as CTLs aren't * supported yet. */ if ((ret = CRYPT_BuildSimpleChain(hChainEngine, pCertContext, pTime, hAdditionalStore, &simpleChain))) { PCertificateChain chain = CryptMemAlloc(sizeof(CertificateChain)); if (chain) { chain->ref = 1; chain->context.cbSize = sizeof(CERT_CHAIN_CONTEXT); memcpy(&chain->context.TrustStatus, &simpleChain->TrustStatus, sizeof(CERT_TRUST_STATUS)); chain->context.cChain = 1; chain->context.rgpChain = CryptMemAlloc(sizeof(PCERT_SIMPLE_CHAIN)); chain->context.rgpChain[0] = simpleChain; chain->context.cLowerQualityChainContext = 0; chain->context.rgpLowerQualityChainContext = NULL; chain->context.fHasRevocationFreshnessTime = FALSE; chain->context.dwRevocationFreshnessTime = 0; } else ret = FALSE; if (ppChainContext) *ppChainContext = (PCCERT_CHAIN_CONTEXT)chain; else CertFreeCertificateChain((PCCERT_CHAIN_CONTEXT)chain); } TRACE("returning %d\n", ret); return ret; } static void CRYPT_FreeChainContext(PCertificateChain chain) { DWORD i; for (i = 0; i < chain->context.cLowerQualityChainContext; i++) CertFreeCertificateChain(chain->context.rgpLowerQualityChainContext[i]); CryptMemFree(chain->context.rgpLowerQualityChainContext); for (i = 0; i < chain->context.cChain; i++) CRYPT_FreeSimpleChain(chain->context.rgpChain[i]); CryptMemFree(chain->context.rgpChain); CryptMemFree(chain); } PCCERT_CHAIN_CONTEXT WINAPI CertDuplicateCertificateChain( PCCERT_CHAIN_CONTEXT pChainContext) { PCertificateChain chain = (PCertificateChain)pChainContext; TRACE("(%p)\n", pChainContext); if (chain) InterlockedIncrement(&chain->ref); return pChainContext; } void WINAPI CertFreeCertificateChain(PCCERT_CHAIN_CONTEXT pChainContext) { PCertificateChain chain = (PCertificateChain)pChainContext; TRACE("(%p)\n", pChainContext); if (chain) { if (InterlockedDecrement(&chain->ref) == 0) CRYPT_FreeChainContext(chain); } }