Sweden-Number/dlls/crypt32/tests/cert.c

700 lines
30 KiB
C

/*
* crypt32 cert functions tests
*
* Copyright 2005-2006 Juan Lang
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <assert.h>
#include <stdio.h>
#include <stdarg.h>
#include <windef.h>
#include <winbase.h>
#include <winreg.h>
#include <winerror.h>
#include <wincrypt.h>
#include "wine/test.h"
static BOOL (WINAPI * pCryptVerifyCertificateSignatureEx)
(HCRYPTPROV, DWORD, DWORD, void *, DWORD, void *, DWORD, void *);
#define CRYPT_GET_PROC(func) \
p ## func = (void *)GetProcAddress(hCrypt32, #func); \
if(!p ## func) \
trace("GetProcAddress(hCrypt32, \"%s\") failed\n", #func); \
static void init_function_pointers(void)
{
HMODULE hCrypt32;
pCryptVerifyCertificateSignatureEx = NULL;
hCrypt32 = GetModuleHandleA("crypt32.dll");
assert(hCrypt32);
CRYPT_GET_PROC(CryptVerifyCertificateSignatureEx);
}
static void testCryptHashCert(void)
{
static const BYTE emptyHash[] = { 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b,
0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07,
0x09 };
static const BYTE knownHash[] = { 0xae, 0x9d, 0xbf, 0x6d, 0xf5, 0x46, 0xee,
0x8b, 0xc5, 0x7a, 0x13, 0xba, 0xc2, 0xb1, 0x04, 0xf2, 0xbf, 0x52, 0xa8,
0xa2 };
static const BYTE toHash[] = "abcdefghijklmnopqrstuvwxyz0123456789.,;!?:";
BOOL ret;
BYTE hash[20];
DWORD hashLen = sizeof(hash);
/* NULL buffer and nonzero length crashes
ret = CryptHashCertificate(0, 0, 0, NULL, size, hash, &hashLen);
empty hash length also crashes
ret = CryptHashCertificate(0, 0, 0, buf, size, hash, NULL);
*/
/* Test empty hash */
ret = CryptHashCertificate(0, 0, 0, toHash, sizeof(toHash), NULL,
&hashLen);
ok(ret, "CryptHashCertificate failed: %08lx\n", GetLastError());
ok(hashLen == sizeof(hash),
"Got unexpected size of hash %ld, expected %d\n", hashLen, sizeof(hash));
/* Test with empty buffer */
ret = CryptHashCertificate(0, 0, 0, NULL, 0, hash, &hashLen);
ok(ret, "CryptHashCertificate failed: %08lx\n", GetLastError());
ok(!memcmp(hash, emptyHash, sizeof(emptyHash)),
"Unexpected hash of nothing\n");
/* Test a known value */
ret = CryptHashCertificate(0, 0, 0, toHash, sizeof(toHash), hash,
&hashLen);
ok(ret, "CryptHashCertificate failed: %08lx\n", GetLastError());
ok(!memcmp(hash, knownHash, sizeof(knownHash)), "Unexpected hash\n");
}
static const WCHAR cspNameW[] = { 'W','i','n','e','C','r','y','p','t','T','e',
'm','p',0 };
static void verifySig(HCRYPTPROV csp, const BYTE *toSign, size_t toSignLen,
const BYTE *sig, size_t sigLen)
{
HCRYPTHASH hash;
BOOL ret = CryptCreateHash(csp, CALG_SHA1, 0, 0, &hash);
ok(ret, "CryptCreateHash failed: %08lx\n", GetLastError());
if (ret)
{
BYTE mySig[64];
DWORD mySigSize = sizeof(mySig);
ret = CryptHashData(hash, toSign, toSignLen, 0);
ok(ret, "CryptHashData failed: %08lx\n", GetLastError());
/* use the A variant so the test can run on Win9x */
ret = CryptSignHashA(hash, AT_SIGNATURE, NULL, 0, mySig, &mySigSize);
ok(ret, "CryptSignHash failed: %08lx\n", GetLastError());
if (ret)
{
ok(mySigSize == sigLen, "Expected sig length %d, got %ld\n",
sigLen, mySigSize);
ok(!memcmp(mySig, sig, sigLen), "Unexpected signature\n");
}
CryptDestroyHash(hash);
}
}
/* Tests signing the certificate described by toBeSigned with the CSP passed in,
* using the algorithm with OID sigOID. The CSP is assumed to be empty, and a
* keyset named AT_SIGNATURE will be added to it. The signing key will be
* stored in *key, and the signature will be stored in sig. sigLen should be
* at least 64 bytes.
*/
static void testSignCert(HCRYPTPROV csp, const CRYPT_DATA_BLOB *toBeSigned,
LPCSTR sigOID, HCRYPTKEY *key, BYTE *sig, DWORD *sigLen)
{
BOOL ret;
DWORD size = 0;
CRYPT_ALGORITHM_IDENTIFIER algoID = { NULL, { 0, NULL } };
/* These all crash
ret = CryptSignCertificate(0, 0, 0, NULL, 0, NULL, NULL, NULL, NULL);
ret = CryptSignCertificate(0, 0, 0, NULL, 0, NULL, NULL, NULL, &size);
ret = CryptSignCertificate(0, 0, 0, toBeSigned->pbData, toBeSigned->cbData,
NULL, NULL, NULL, &size);
*/
ret = CryptSignCertificate(0, 0, 0, toBeSigned->pbData, toBeSigned->cbData,
&algoID, NULL, NULL, &size);
ok(!ret && GetLastError() == NTE_BAD_ALGID,
"Expected NTE_BAD_ALGID, got %08lx\n", GetLastError());
algoID.pszObjId = (LPSTR)sigOID;
ret = CryptSignCertificate(0, 0, 0, toBeSigned->pbData, toBeSigned->cbData,
&algoID, NULL, NULL, &size);
ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER, got %08lx\n", GetLastError());
ret = CryptSignCertificate(0, AT_SIGNATURE, 0, toBeSigned->pbData,
toBeSigned->cbData, &algoID, NULL, NULL, &size);
ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER, got %08lx\n", GetLastError());
/* No keys exist in the new CSP yet.. */
ret = CryptSignCertificate(csp, AT_SIGNATURE, 0, toBeSigned->pbData,
toBeSigned->cbData, &algoID, NULL, NULL, &size);
ok(!ret && (GetLastError() == NTE_BAD_KEYSET || GetLastError() ==
NTE_NO_KEY), "Expected NTE_BAD_KEYSET or NTE_NO_KEY, got %08lx\n",
GetLastError());
ret = CryptGenKey(csp, AT_SIGNATURE, 0, key);
ok(ret, "CryptGenKey failed: %08lx\n", GetLastError());
if (ret)
{
ret = CryptSignCertificate(csp, AT_SIGNATURE, 0, toBeSigned->pbData,
toBeSigned->cbData, &algoID, NULL, NULL, &size);
ok(ret, "CryptSignCertificate failed: %08lx\n", GetLastError());
ok(size <= *sigLen, "Expected size <= %ld, got %ld\n", *sigLen, size);
if (ret)
{
ret = CryptSignCertificate(csp, AT_SIGNATURE, 0, toBeSigned->pbData,
toBeSigned->cbData, &algoID, NULL, sig, &size);
ok(ret, "CryptSignCertificate failed: %08lx\n", GetLastError());
if (ret)
{
*sigLen = size;
verifySig(csp, toBeSigned->pbData, toBeSigned->cbData, sig,
size);
}
}
}
}
static void testVerifyCertSig(HCRYPTPROV csp, const CRYPT_DATA_BLOB *toBeSigned,
LPCSTR sigOID, const BYTE *sig, DWORD sigLen)
{
CERT_SIGNED_CONTENT_INFO info;
LPBYTE cert = NULL;
DWORD size = 0;
BOOL ret;
if(pCryptVerifyCertificateSignatureEx) {
ret = pCryptVerifyCertificateSignatureEx(0, 0, 0, NULL, 0, NULL, 0, NULL);
ok(!ret && GetLastError() == HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER),
"Expected HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER), got %08lx\n",
GetLastError());
ret = pCryptVerifyCertificateSignatureEx(csp, 0, 0, NULL, 0, NULL, 0, NULL);
ok(!ret && GetLastError() == HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER),
"Expected HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER), got %08lx\n",
GetLastError());
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING, 0, NULL, 0,
NULL, 0, NULL);
ok(!ret && GetLastError() == HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER),
"Expected HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER), got %08lx\n",
GetLastError());
/* This crashes
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, NULL, 0, NULL, 0, NULL);
*/
}
info.ToBeSigned.cbData = toBeSigned->cbData;
info.ToBeSigned.pbData = toBeSigned->pbData;
info.SignatureAlgorithm.pszObjId = (LPSTR)sigOID;
info.SignatureAlgorithm.Parameters.cbData = 0;
info.Signature.cbData = sigLen;
info.Signature.pbData = (BYTE *)sig;
info.Signature.cUnusedBits = 0;
ret = CryptEncodeObjectEx(X509_ASN_ENCODING, X509_CERT, &info,
CRYPT_ENCODE_ALLOC_FLAG, NULL, (BYTE *)&cert, &size);
ok(ret, "CryptEncodeObjectEx failed: %08lx\n", GetLastError());
if (cert)
{
CRYPT_DATA_BLOB certBlob = { 0, NULL };
PCERT_PUBLIC_KEY_INFO pubKeyInfo = NULL;
if(pCryptVerifyCertificateSignatureEx) {
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &certBlob, 0, NULL, 0, NULL);
ok(!ret && GetLastError() == CRYPT_E_ASN1_EOD,
"Expected CRYPT_E_ASN1_EOD, got %08lx\n", GetLastError());
certBlob.cbData = 1;
certBlob.pbData = (void *)0xdeadbeef;
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &certBlob, 0, NULL, 0, NULL);
ok(!ret && GetLastError() == STATUS_ACCESS_VIOLATION,
"Expected STATUS_ACCESS_VIOLATION, got %08lx\n", GetLastError());
certBlob.cbData = size;
certBlob.pbData = cert;
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &certBlob, 0, NULL, 0, NULL);
ok(!ret && GetLastError() ==
HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER),
"Expected HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER), got %08lx\n",
GetLastError());
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &certBlob,
CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL, NULL, 0, NULL);
ok(!ret && GetLastError() ==
HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER),
"Expected HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER), got %08lx\n",
GetLastError());
/* This crashes
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &certBlob,
CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY, NULL, 0, NULL);
*/
}
CryptExportPublicKeyInfoEx(csp, AT_SIGNATURE, X509_ASN_ENCODING,
(LPSTR)sigOID, 0, NULL, NULL, &size);
pubKeyInfo = HeapAlloc(GetProcessHeap(), 0, size);
if (pubKeyInfo)
{
ret = CryptExportPublicKeyInfoEx(csp, AT_SIGNATURE,
X509_ASN_ENCODING, (LPSTR)sigOID, 0, NULL, pubKeyInfo, &size);
ok(ret, "CryptExportKey failed: %08lx\n", GetLastError());
if (ret && pCryptVerifyCertificateSignatureEx)
{
ret = pCryptVerifyCertificateSignatureEx(csp, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &certBlob,
CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY, pubKeyInfo, 0, NULL);
ok(ret, "CryptVerifyCertificateSignatureEx failed: %08lx\n",
GetLastError());
}
HeapFree(GetProcessHeap(), 0, pubKeyInfo);
}
LocalFree(cert);
}
}
static const BYTE emptyCert[] = { 0x30, 0x00 };
static void testCertSigs(void)
{
HCRYPTPROV csp;
CRYPT_DATA_BLOB toBeSigned = { sizeof(emptyCert), (LPBYTE)emptyCert };
BOOL ret;
HCRYPTKEY key;
BYTE sig[64];
DWORD sigSize = sizeof(sig);
/* Just in case a previous run failed, delete this thing */
CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
CRYPT_DELETEKEYSET);
ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
CRYPT_NEWKEYSET);
ok(ret, "CryptAcquireContext failed: %08lx\n", GetLastError());
testSignCert(csp, &toBeSigned, szOID_RSA_SHA1RSA, &key, sig, &sigSize);
testVerifyCertSig(csp, &toBeSigned, szOID_RSA_SHA1RSA, sig, sigSize);
CryptDestroyKey(key);
CryptReleaseContext(csp, 0);
ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
CRYPT_DELETEKEYSET);
}
static const BYTE subjectName[] = { 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06,
0x03, 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61,
0x6e, 0x67, 0x00 };
static void testCreateSelfSignCert(void)
{
PCCERT_CONTEXT context;
CERT_NAME_BLOB name = { sizeof(subjectName), (LPBYTE)subjectName };
HCRYPTPROV csp;
BOOL ret;
HCRYPTKEY key;
/* This crashes:
context = CertCreateSelfSignCertificate(0, NULL, 0, NULL, NULL, NULL, NULL,
NULL);
* Calling this with no first parameter creates a new key container, which
* lasts beyond the test, so I don't test that. Nb: the generated key
* name is a GUID.
context = CertCreateSelfSignCertificate(0, &name, 0, NULL, NULL, NULL, NULL,
NULL);
*/
/* Acquire a CSP */
CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
CRYPT_DELETEKEYSET);
ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
CRYPT_NEWKEYSET);
ok(ret, "CryptAcquireContext failed: %08lx\n", GetLastError());
context = CertCreateSelfSignCertificate(csp, &name, 0, NULL, NULL, NULL,
NULL, NULL);
ok(!context && GetLastError() == NTE_NO_KEY,
"Expected NTE_NO_KEY, got %08lx\n", GetLastError());
ret = CryptGenKey(csp, AT_SIGNATURE, 0, &key);
ok(ret, "CryptGenKey failed: %08lx\n", GetLastError());
if (ret)
{
context = CertCreateSelfSignCertificate(csp, &name, 0, NULL, NULL, NULL,
NULL, NULL);
ok(context != NULL, "CertCreateSelfSignCertificate failed: %08lx\n",
GetLastError());
if (context)
{
DWORD size = 0;
PCRYPT_KEY_PROV_INFO info;
/* The context must have a key provider info property */
ret = CertGetCertificateContextProperty(context,
CERT_KEY_PROV_INFO_PROP_ID, NULL, &size);
ok(ret && size, "Expected non-zero key provider info\n");
if (size)
{
info = HeapAlloc(GetProcessHeap(), 0, size);
if (info)
{
ret = CertGetCertificateContextProperty(context,
CERT_KEY_PROV_INFO_PROP_ID, info, &size);
ok(ret, "CertGetCertificateContextProperty failed: %08lx\n",
GetLastError());
if (ret)
{
/* Sanity-check the key provider */
ok(!lstrcmpW(info->pwszContainerName, cspNameW),
"Unexpected key container\n");
ok(!lstrcmpW(info->pwszProvName, MS_DEF_PROV_W),
"Unexpected provider\n");
ok(info->dwKeySpec == AT_SIGNATURE,
"Expected AT_SIGNATURE, got %ld\n", info->dwKeySpec);
}
HeapFree(GetProcessHeap(), 0, info);
}
}
CertFreeCertificateContext(context);
}
CryptDestroyKey(key);
}
CryptReleaseContext(csp, 0);
ret = CryptAcquireContextW(&csp, cspNameW, MS_DEF_PROV_W, PROV_RSA_FULL,
CRYPT_DELETEKEYSET);
}
static const BYTE bigCert[] = { 0x30, 0x7a, 0x02, 0x01, 0x01, 0x30, 0x02, 0x06,
0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x22,
0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30,
0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30,
0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x15, 0x31, 0x13, 0x30,
0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20,
0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x07, 0x30, 0x02, 0x06, 0x00, 0x03, 0x01,
0x00, 0xa3, 0x16, 0x30, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01 };
static const LPCSTR keyUsages[] = { szOID_PKIX_KP_CODE_SIGNING,
szOID_PKIX_KP_CLIENT_AUTH, szOID_RSA_RSA };
static const BYTE certWithUsage[] = { 0x30, 0x81, 0x93, 0x02, 0x01, 0x01, 0x30,
0x02, 0x06, 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04,
0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00,
0x30, 0x22, 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30,
0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x31, 0x36, 0x30, 0x31, 0x30,
0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x15, 0x31,
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0a, 0x4a, 0x75, 0x61,
0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x30, 0x07, 0x30, 0x02, 0x06, 0x00,
0x03, 0x01, 0x00, 0xa3, 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x1d,
0x25, 0x01, 0x01, 0xff, 0x04, 0x21, 0x30, 0x1f, 0x06, 0x08, 0x2b, 0x06, 0x01,
0x05, 0x05, 0x07, 0x03, 0x03, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x03, 0x02, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01 };
static void testKeyUsage(void)
{
BOOL ret;
PCCERT_CONTEXT context;
DWORD size;
/* Test base cases */
ret = CertGetEnhancedKeyUsage(NULL, 0, NULL, NULL);
ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER, got %08lx\n", GetLastError());
size = 1;
ret = CertGetEnhancedKeyUsage(NULL, 0, NULL, &size);
ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER, got %08lx\n", GetLastError());
size = 0;
ret = CertGetEnhancedKeyUsage(NULL, 0, NULL, &size);
ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER, got %08lx\n", GetLastError());
/* These crash
ret = CertSetEnhancedKeyUsage(NULL, NULL);
usage.cUsageIdentifier = 0;
ret = CertSetEnhancedKeyUsage(NULL, &usage);
*/
/* Test with a cert with no enhanced key usage extension */
context = CertCreateCertificateContext(X509_ASN_ENCODING, bigCert,
sizeof(bigCert));
ok(context != NULL, "CertCreateCertificateContext failed: %08lx\n",
GetLastError());
if (context)
{
static const char oid[] = "1.2.3.4";
BYTE buf[sizeof(CERT_ENHKEY_USAGE) + 2 * (sizeof(LPSTR) + sizeof(oid))];
PCERT_ENHKEY_USAGE pUsage = (PCERT_ENHKEY_USAGE)buf;
ret = CertGetEnhancedKeyUsage(context, 0, NULL, NULL);
ok(!ret && GetLastError() == ERROR_INVALID_PARAMETER,
"Expected ERROR_INVALID_PARAMETER, got %08lx\n", GetLastError());
size = 1;
ret = CertGetEnhancedKeyUsage(context, 0, NULL, &size);
if (ret)
{
/* Windows 2000, ME, or later: even though it succeeded, we expect
* CRYPT_E_NOT_FOUND, which indicates there is no enhanced key
* usage set for this cert (which implies it's valid for all uses.)
*/
ok(GetLastError() == CRYPT_E_NOT_FOUND,
"Expected CRYPT_E_NOT_FOUND, got %08lx\n", GetLastError());
ok(size == sizeof(CERT_ENHKEY_USAGE), "Expected size %d, got %ld\n",
sizeof(CERT_ENHKEY_USAGE), size);
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(ret, "CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 0, "Expected 0 usages, got %ld\n",
pUsage->cUsageIdentifier);
}
else
{
/* Windows NT, 95, or 98: it fails, and the last error is
* CRYPT_E_NOT_FOUND.
*/
ok(GetLastError() == CRYPT_E_NOT_FOUND,
"Expected CRYPT_E_NOT_FOUND, got %08lx\n", GetLastError());
}
/* I can add a usage identifier when no key usage has been set */
ret = CertAddEnhancedKeyUsageIdentifier(context, oid);
ok(ret, "CertAddEnhancedKeyUsageIdentifier failed: %08lx\n",
GetLastError());
size = sizeof(buf);
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, pUsage, &size);
ok(ret && GetLastError() == 0,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 1, "Expected 1 usage, got %ld\n",
pUsage->cUsageIdentifier);
if (pUsage->cUsageIdentifier)
ok(!strcmp(pUsage->rgpszUsageIdentifier[0], oid),
"Expected %s, got %s\n", oid, pUsage->rgpszUsageIdentifier[0]);
/* Now set an empty key usage */
pUsage->cUsageIdentifier = 0;
ret = CertSetEnhancedKeyUsage(context, pUsage);
ok(ret, "CertSetEnhancedKeyUsage failed: %08lx\n", GetLastError());
/* Shouldn't find it in the cert */
size = sizeof(buf);
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, pUsage, &size);
ok(!ret && GetLastError() == CRYPT_E_NOT_FOUND,
"Expected CRYPT_E_NOT_FOUND, got %08lx\n", GetLastError());
/* Should find it as an extended property */
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, pUsage, &size);
ok(ret && GetLastError() == 0,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 0, "Expected 0 usages, got %ld\n",
pUsage->cUsageIdentifier);
/* Should find it as either */
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(ret && GetLastError() == 0,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 0, "Expected 0 usages, got %ld\n",
pUsage->cUsageIdentifier);
/* Add a usage identifier */
ret = CertAddEnhancedKeyUsageIdentifier(context, oid);
ok(ret, "CertAddEnhancedKeyUsageIdentifier failed: %08lx\n",
GetLastError());
size = sizeof(buf);
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(ret && GetLastError() == 0,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 1, "Expected 1 identifier, got %ld\n",
pUsage->cUsageIdentifier);
if (pUsage->cUsageIdentifier)
ok(!strcmp(pUsage->rgpszUsageIdentifier[0], oid),
"Expected %s, got %s\n", oid, pUsage->rgpszUsageIdentifier[0]);
/* Yep, I can re-add the same usage identifier */
ret = CertAddEnhancedKeyUsageIdentifier(context, oid);
ok(ret, "CertAddEnhancedKeyUsageIdentifier failed: %08lx\n",
GetLastError());
size = sizeof(buf);
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(ret && GetLastError() == 0,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 2, "Expected 2 identifiers, got %ld\n",
pUsage->cUsageIdentifier);
if (pUsage->cUsageIdentifier)
ok(!strcmp(pUsage->rgpszUsageIdentifier[0], oid),
"Expected %s, got %s\n", oid, pUsage->rgpszUsageIdentifier[0]);
if (pUsage->cUsageIdentifier >= 2)
ok(!strcmp(pUsage->rgpszUsageIdentifier[1], oid),
"Expected %s, got %s\n", oid, pUsage->rgpszUsageIdentifier[1]);
/* Now set a NULL extended property--this deletes the property. */
ret = CertSetEnhancedKeyUsage(context, NULL);
ok(ret, "CertSetEnhancedKeyUsage failed: %08lx\n", GetLastError());
SetLastError(0xbaadcafe);
size = sizeof(buf);
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(GetLastError() == CRYPT_E_NOT_FOUND,
"Expected CRYPT_E_NOT_FOUND, got %08lx\n", GetLastError());
CertFreeCertificateContext(context);
}
/* Now test with a cert with an enhanced key usage extension */
context = CertCreateCertificateContext(X509_ASN_ENCODING, certWithUsage,
sizeof(certWithUsage));
ok(context != NULL, "CertCreateCertificateContext failed: %08lx\n",
GetLastError());
if (context)
{
LPBYTE buf = NULL;
DWORD bufSize = 0, i;
/* The size may depend on what flags are used to query it, so I
* realloc the buffer for each test.
*/
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, NULL, &bufSize);
ok(ret, "CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
buf = HeapAlloc(GetProcessHeap(), 0, bufSize);
if (buf)
{
PCERT_ENHKEY_USAGE pUsage = (PCERT_ENHKEY_USAGE)buf;
/* Should find it in the cert */
size = bufSize;
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, pUsage, &size);
ok(ret && GetLastError() == 0,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 3, "Expected 3 usages, got %ld\n",
pUsage->cUsageIdentifier);
for (i = 0; i < pUsage->cUsageIdentifier; i++)
ok(!strcmp(pUsage->rgpszUsageIdentifier[i], keyUsages[i]),
"Expected %s, got %s\n", keyUsages[i],
pUsage->rgpszUsageIdentifier[i]);
HeapFree(GetProcessHeap(), 0, buf);
}
ret = CertGetEnhancedKeyUsage(context, 0, NULL, &bufSize);
ok(ret, "CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
buf = HeapAlloc(GetProcessHeap(), 0, bufSize);
if (buf)
{
PCERT_ENHKEY_USAGE pUsage = (PCERT_ENHKEY_USAGE)buf;
/* Should find it as either */
size = bufSize;
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
/* In Windows, GetLastError returns CRYPT_E_NOT_FOUND not found
* here, even though the return is successful and the usage id
* count is positive. I don't enforce that here.
*/
ok(ret,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 3, "Expected 3 usages, got %ld\n",
pUsage->cUsageIdentifier);
for (i = 0; i < pUsage->cUsageIdentifier; i++)
ok(!strcmp(pUsage->rgpszUsageIdentifier[i], keyUsages[i]),
"Expected %s, got %s\n", keyUsages[i],
pUsage->rgpszUsageIdentifier[i]);
HeapFree(GetProcessHeap(), 0, buf);
}
/* Shouldn't find it as an extended property */
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, NULL, &size);
ok(!ret && GetLastError() == CRYPT_E_NOT_FOUND,
"Expected CRYPT_E_NOT_FOUND, got %08lx\n", GetLastError());
/* Adding a usage identifier overrides the cert's usage!? */
ret = CertAddEnhancedKeyUsageIdentifier(context, szOID_RSA_RSA);
ok(ret, "CertAddEnhancedKeyUsageIdentifier failed: %08lx\n",
GetLastError());
ret = CertGetEnhancedKeyUsage(context, 0, NULL, &bufSize);
ok(ret, "CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
buf = HeapAlloc(GetProcessHeap(), 0, bufSize);
if (buf)
{
PCERT_ENHKEY_USAGE pUsage = (PCERT_ENHKEY_USAGE)buf;
/* Should find it as either */
size = bufSize;
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(ret,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 1, "Expected 1 usage, got %ld\n",
pUsage->cUsageIdentifier);
ok(!strcmp(pUsage->rgpszUsageIdentifier[0], szOID_RSA_RSA),
"Expected %s, got %s\n", szOID_RSA_RSA,
pUsage->rgpszUsageIdentifier[0]);
HeapFree(GetProcessHeap(), 0, buf);
}
/* But querying the cert directly returns its usage */
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, NULL, &bufSize);
ok(ret, "CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
buf = HeapAlloc(GetProcessHeap(), 0, bufSize);
if (buf)
{
PCERT_ENHKEY_USAGE pUsage = (PCERT_ENHKEY_USAGE)buf;
size = bufSize;
ret = CertGetEnhancedKeyUsage(context,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, pUsage, &size);
ok(ret,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 3, "Expected 3 usages, got %ld\n",
pUsage->cUsageIdentifier);
for (i = 0; i < pUsage->cUsageIdentifier; i++)
ok(!strcmp(pUsage->rgpszUsageIdentifier[i], keyUsages[i]),
"Expected %s, got %s\n", keyUsages[i],
pUsage->rgpszUsageIdentifier[i]);
HeapFree(GetProcessHeap(), 0, buf);
}
/* And removing the only usage identifier in the extended property
* results in the cert's key usage being found.
*/
ret = CertRemoveEnhancedKeyUsageIdentifier(context, szOID_RSA_RSA);
ok(ret, "CertRemoveEnhancedKeyUsage failed: %08lx\n", GetLastError());
ret = CertGetEnhancedKeyUsage(context, 0, NULL, &bufSize);
ok(ret, "CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
buf = HeapAlloc(GetProcessHeap(), 0, bufSize);
if (buf)
{
PCERT_ENHKEY_USAGE pUsage = (PCERT_ENHKEY_USAGE)buf;
/* Should find it as either */
size = bufSize;
ret = CertGetEnhancedKeyUsage(context, 0, pUsage, &size);
ok(ret,
"CertGetEnhancedKeyUsage failed: %08lx\n", GetLastError());
ok(pUsage->cUsageIdentifier == 3, "Expected 3 usages, got %ld\n",
pUsage->cUsageIdentifier);
for (i = 0; i < pUsage->cUsageIdentifier; i++)
ok(!strcmp(pUsage->rgpszUsageIdentifier[i], keyUsages[i]),
"Expected %s, got %s\n", keyUsages[i],
pUsage->rgpszUsageIdentifier[i]);
HeapFree(GetProcessHeap(), 0, buf);
}
CertFreeCertificateContext(context);
}
}
START_TEST(cert)
{
init_function_pointers();
testCryptHashCert();
testCertSigs();
testCreateSelfSignCert();
testKeyUsage();
}