search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernelbase: Let GetModuleBaseName succeed on 64bit modules in wow64.
[wine.git] / dlls / cryptnet / cryptnet_main.c
blob75fa4028d12741034fc9f553df4a217dc8aba083
1 /*
2 * Copyright (C) 2006 Maarten Lankhorst
3 * Copyright 2007 Juan Lang
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 *
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
18 *
19 */
20
21 #define NONAMELESSUNION
22 #define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
23
24 #include <share.h>
25 #include <stdio.h>
26 #include <stdarg.h>
27
28 #include "windef.h"
29 #include "winbase.h"
30 #include "winnt.h"
31 #include "winnls.h"
32 #include "wininet.h"
33 #include "objbase.h"
34 #include "wincrypt.h"
35 #include "initguid.h"
36 #include "knownfolders.h"
37 #include "shlobj.h"
38
39 #include "wine/debug.h"
40
41 WINE_DEFAULT_DEBUG_CHANNEL(cryptnet);
42
43 #define IS_INTOID(x) (((ULONG_PTR)(x) >> 16) == 0)
44
45
46 /***********************************************************************
47 * DllRegisterServer (CRYPTNET.@)
48 */
49 HRESULT WINAPI DllRegisterServer(void)
50 {
51 TRACE("\n");
52 CryptRegisterDefaultOIDFunction(X509_ASN_ENCODING,
53 CRYPT_OID_VERIFY_REVOCATION_FUNC, 0, L"cryptnet.dll");
54 CryptRegisterOIDFunction(0, CRYPT_OID_OPEN_STORE_PROV_FUNC, "Ldap",
55 L"cryptnet.dll", "LdapProvOpenStore");
56 CryptRegisterOIDFunction(0, CRYPT_OID_OPEN_STORE_PROV_FUNC,
57 CERT_STORE_PROV_LDAP_W, L"cryptnet.dll", "LdapProvOpenStore");
58 return S_OK;
59 }
60
61 /***********************************************************************
62 * DllUnregisterServer (CRYPTNET.@)
63 */
64 HRESULT WINAPI DllUnregisterServer(void)
65 {
66 TRACE("\n");
67 CryptUnregisterDefaultOIDFunction(X509_ASN_ENCODING,
68 CRYPT_OID_VERIFY_REVOCATION_FUNC, L"cryptnet.dll");
69 CryptUnregisterOIDFunction(0, CRYPT_OID_OPEN_STORE_PROV_FUNC, "Ldap");
70 CryptUnregisterOIDFunction(0, CRYPT_OID_OPEN_STORE_PROV_FUNC,
71 CERT_STORE_PROV_LDAP_W);
72 return S_OK;
73 }
74
75 static const char *url_oid_to_str(LPCSTR oid)
76 {
77 if (IS_INTOID(oid))
78 {
79 static char buf[10];
80
81 switch (LOWORD(oid))
82 {
83 #define _x(oid) case LOWORD(oid): return #oid
84 _x(URL_OID_CERTIFICATE_ISSUER);
85 _x(URL_OID_CERTIFICATE_CRL_DIST_POINT);
86 _x(URL_OID_CTL_ISSUER);
87 _x(URL_OID_CTL_NEXT_UPDATE);
88 _x(URL_OID_CRL_ISSUER);
89 _x(URL_OID_CERTIFICATE_FRESHEST_CRL);
90 _x(URL_OID_CRL_FRESHEST_CRL);
91 _x(URL_OID_CROSS_CERT_DIST_POINT);
92 #undef _x
93 default:
94 snprintf(buf, sizeof(buf), "%d", LOWORD(oid));
95 return buf;
96 }
97 }
98 else
99 return oid;
100 }
101
102 typedef BOOL (WINAPI *UrlDllGetObjectUrlFunc)(LPCSTR, LPVOID, DWORD,
103 PCRYPT_URL_ARRAY, DWORD *, PCRYPT_URL_INFO, DWORD *, LPVOID);
104
105 static BOOL WINAPI CRYPT_GetUrlFromCertificateIssuer(LPCSTR pszUrlOid,
106 LPVOID pvPara, DWORD dwFlags, PCRYPT_URL_ARRAY pUrlArray, DWORD *pcbUrlArray,
107 PCRYPT_URL_INFO pUrlInfo, DWORD *pcbUrlInfo, LPVOID pvReserved)
108 {
109 PCCERT_CONTEXT cert = pvPara;
110 PCERT_EXTENSION ext;
111 BOOL ret = FALSE;
112
113 /* The only applicable flag is CRYPT_GET_URL_FROM_EXTENSION */
114 if (dwFlags && !(dwFlags & CRYPT_GET_URL_FROM_EXTENSION))
115 {
116 SetLastError(CRYPT_E_NOT_FOUND);
117 return FALSE;
118 }
119 if ((ext = CertFindExtension(szOID_AUTHORITY_INFO_ACCESS,
120 cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
121 {
122 CERT_AUTHORITY_INFO_ACCESS *aia;
123 DWORD size;
124
125 ret = CryptDecodeObjectEx(X509_ASN_ENCODING, X509_AUTHORITY_INFO_ACCESS,
126 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
127 &aia, &size);
128 if (ret)
129 {
130 DWORD i, cUrl, bytesNeeded = sizeof(CRYPT_URL_ARRAY);
131
132 for (i = 0, cUrl = 0; i < aia->cAccDescr; i++)
133 if (!strcmp(aia->rgAccDescr[i].pszAccessMethod,
134 szOID_PKIX_CA_ISSUERS))
135 {
136 if (aia->rgAccDescr[i].AccessLocation.dwAltNameChoice ==
137 CERT_ALT_NAME_URL)
138 {
139 if (aia->rgAccDescr[i].AccessLocation.u.pwszURL)
140 {
141 cUrl++;
142 bytesNeeded += sizeof(LPWSTR) +
143 (lstrlenW(aia->rgAccDescr[i].AccessLocation.u.
144 pwszURL) + 1) * sizeof(WCHAR);
145 }
146 }
147 else
148 FIXME("unsupported alt name type %ld\n",
149 aia->rgAccDescr[i].AccessLocation.dwAltNameChoice);
150 }
151 if (!pcbUrlArray)
152 {
153 SetLastError(E_INVALIDARG);
154 ret = FALSE;
155 }
156 else if (!pUrlArray)
157 *pcbUrlArray = bytesNeeded;
158 else if (*pcbUrlArray < bytesNeeded)
159 {
160 SetLastError(ERROR_MORE_DATA);
161 *pcbUrlArray = bytesNeeded;
162 ret = FALSE;
163 }
164 else
165 {
166 LPWSTR nextUrl;
167
168 *pcbUrlArray = bytesNeeded;
169 pUrlArray->cUrl = 0;
170 pUrlArray->rgwszUrl =
171 (LPWSTR *)((BYTE *)pUrlArray + sizeof(CRYPT_URL_ARRAY));
172 nextUrl = (LPWSTR)((BYTE *)pUrlArray + sizeof(CRYPT_URL_ARRAY)
173 + cUrl * sizeof(LPWSTR));
174 for (i = 0; i < aia->cAccDescr; i++)
175 if (!strcmp(aia->rgAccDescr[i].pszAccessMethod,
176 szOID_PKIX_CA_ISSUERS))
177 {
178 if (aia->rgAccDescr[i].AccessLocation.dwAltNameChoice
179 == CERT_ALT_NAME_URL)
180 {
181 if (aia->rgAccDescr[i].AccessLocation.u.pwszURL)
182 {
183 lstrcpyW(nextUrl,
184 aia->rgAccDescr[i].AccessLocation.u.pwszURL);
185 pUrlArray->rgwszUrl[pUrlArray->cUrl++] =
186 nextUrl;
187 nextUrl += (lstrlenW(nextUrl) + 1);
188 }
189 }
190 }
191 }
192 if (ret)
193 {
194 if (pcbUrlInfo)
195 {
196 FIXME("url info: stub\n");
197 if (!pUrlInfo)
198 *pcbUrlInfo = sizeof(CRYPT_URL_INFO);
199 else if (*pcbUrlInfo < sizeof(CRYPT_URL_INFO))
200 {
201 *pcbUrlInfo = sizeof(CRYPT_URL_INFO);
202 SetLastError(ERROR_MORE_DATA);
203 ret = FALSE;
204 }
205 else
206 {
207 *pcbUrlInfo = sizeof(CRYPT_URL_INFO);
208 memset(pUrlInfo, 0, sizeof(CRYPT_URL_INFO));
209 }
210 }
211 }
212 LocalFree(aia);
213 }
214 }
215 else
216 SetLastError(CRYPT_E_NOT_FOUND);
217 return ret;
218 }
219
220 static BOOL CRYPT_GetUrlFromCRLDistPointsExt(const CRYPT_DATA_BLOB *value,
221 PCRYPT_URL_ARRAY pUrlArray, DWORD *pcbUrlArray, PCRYPT_URL_INFO pUrlInfo,
222 DWORD *pcbUrlInfo)
223 {
224 BOOL ret;
225 CRL_DIST_POINTS_INFO *info;
226 DWORD size;
227
228 ret = CryptDecodeObjectEx(X509_ASN_ENCODING, X509_CRL_DIST_POINTS,
229 value->pbData, value->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size);
230 if (ret)
231 {
232 DWORD i, cUrl, bytesNeeded = sizeof(CRYPT_URL_ARRAY);
233
234 for (i = 0, cUrl = 0; i < info->cDistPoint; i++)
235 if (info->rgDistPoint[i].DistPointName.dwDistPointNameChoice
236 == CRL_DIST_POINT_FULL_NAME)
237 {
238 DWORD j;
239 CERT_ALT_NAME_INFO *name =
240 &info->rgDistPoint[i].DistPointName.u.FullName;
241
242 for (j = 0; j < name->cAltEntry; j++)
243 if (name->rgAltEntry[j].dwAltNameChoice ==
244 CERT_ALT_NAME_URL)
245 {
246 if (name->rgAltEntry[j].u.pwszURL)
247 {
248 cUrl++;
249 bytesNeeded += sizeof(LPWSTR) +
250 (lstrlenW(name->rgAltEntry[j].u.pwszURL) + 1)
251 * sizeof(WCHAR);
252 }
253 }
254 }
255 if (!pcbUrlArray)
256 {
257 SetLastError(E_INVALIDARG);
258 ret = FALSE;
259 }
260 else if (!pUrlArray)
261 *pcbUrlArray = bytesNeeded;
262 else if (*pcbUrlArray < bytesNeeded)
263 {
264 SetLastError(ERROR_MORE_DATA);
265 *pcbUrlArray = bytesNeeded;
266 ret = FALSE;
267 }
268 else
269 {
270 LPWSTR nextUrl;
271
272 *pcbUrlArray = bytesNeeded;
273 pUrlArray->cUrl = 0;
274 pUrlArray->rgwszUrl =
275 (LPWSTR *)((BYTE *)pUrlArray + sizeof(CRYPT_URL_ARRAY));
276 nextUrl = (LPWSTR)((BYTE *)pUrlArray + sizeof(CRYPT_URL_ARRAY)
277 + cUrl * sizeof(LPWSTR));
278 for (i = 0; i < info->cDistPoint; i++)
279 if (info->rgDistPoint[i].DistPointName.dwDistPointNameChoice
280 == CRL_DIST_POINT_FULL_NAME)
281 {
282 DWORD j;
283 CERT_ALT_NAME_INFO *name =
284 &info->rgDistPoint[i].DistPointName.u.FullName;
285
286 for (j = 0; j < name->cAltEntry; j++)
287 if (name->rgAltEntry[j].dwAltNameChoice ==
288 CERT_ALT_NAME_URL)
289 {
290 if (name->rgAltEntry[j].u.pwszURL)
291 {
292 lstrcpyW(nextUrl,
293 name->rgAltEntry[j].u.pwszURL);
294 pUrlArray->rgwszUrl[pUrlArray->cUrl++] =
295 nextUrl;
296 nextUrl +=
297 (lstrlenW(name->rgAltEntry[j].u.pwszURL) + 1);
298 }
299 }
300 }
301 }
302 if (ret)
303 {
304 if (pcbUrlInfo)
305 {
306 FIXME("url info: stub\n");
307 if (!pUrlInfo)
308 *pcbUrlInfo = sizeof(CRYPT_URL_INFO);
309 else if (*pcbUrlInfo < sizeof(CRYPT_URL_INFO))
310 {
311 *pcbUrlInfo = sizeof(CRYPT_URL_INFO);
312 SetLastError(ERROR_MORE_DATA);
313 ret = FALSE;
314 }
315 else
316 {
317 *pcbUrlInfo = sizeof(CRYPT_URL_INFO);
318 memset(pUrlInfo, 0, sizeof(CRYPT_URL_INFO));
319 }
320 }
321 }
322 LocalFree(info);
323 }
324 return ret;
325 }
326
327 static BOOL WINAPI CRYPT_GetUrlFromCertificateCRLDistPoint(LPCSTR pszUrlOid,
328 LPVOID pvPara, DWORD dwFlags, PCRYPT_URL_ARRAY pUrlArray, DWORD *pcbUrlArray,
329 PCRYPT_URL_INFO pUrlInfo, DWORD *pcbUrlInfo, LPVOID pvReserved)
330 {
331 PCCERT_CONTEXT cert = pvPara;
332 PCERT_EXTENSION ext;
333 BOOL ret = FALSE;
334
335 /* The only applicable flag is CRYPT_GET_URL_FROM_EXTENSION */
336 if (dwFlags && !(dwFlags & CRYPT_GET_URL_FROM_EXTENSION))
337 {
338 SetLastError(CRYPT_E_NOT_FOUND);
339 return FALSE;
340 }
341 if ((ext = CertFindExtension(szOID_CRL_DIST_POINTS,
342 cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
343 ret = CRYPT_GetUrlFromCRLDistPointsExt(&ext->Value, pUrlArray,
344 pcbUrlArray, pUrlInfo, pcbUrlInfo);
345 else
346 SetLastError(CRYPT_E_NOT_FOUND);
347 return ret;
348 }
349
350 /***********************************************************************
351 * CryptGetObjectUrl (CRYPTNET.@)
352 */
353 BOOL WINAPI CryptGetObjectUrl(LPCSTR pszUrlOid, LPVOID pvPara, DWORD dwFlags,
354 PCRYPT_URL_ARRAY pUrlArray, DWORD *pcbUrlArray, PCRYPT_URL_INFO pUrlInfo,
355 DWORD *pcbUrlInfo, LPVOID pvReserved)
356 {
357 UrlDllGetObjectUrlFunc func = NULL;
358 HCRYPTOIDFUNCADDR hFunc = NULL;
359 BOOL ret = FALSE;
360
361 TRACE("(%s, %p, %08lx, %p, %p, %p, %p, %p)\n", debugstr_a(pszUrlOid),
362 pvPara, dwFlags, pUrlArray, pcbUrlArray, pUrlInfo, pcbUrlInfo, pvReserved);
363
364 if (IS_INTOID(pszUrlOid))
365 {
366 switch (LOWORD(pszUrlOid))
367 {
368 case LOWORD(URL_OID_CERTIFICATE_ISSUER):
369 func = CRYPT_GetUrlFromCertificateIssuer;
370 break;
371 case LOWORD(URL_OID_CERTIFICATE_CRL_DIST_POINT):
372 func = CRYPT_GetUrlFromCertificateCRLDistPoint;
373 break;
374 default:
375 FIXME("unimplemented for %s\n", url_oid_to_str(pszUrlOid));
376 SetLastError(ERROR_FILE_NOT_FOUND);
377 }
378 }
379 else
380 {
381 static HCRYPTOIDFUNCSET set = NULL;
382
383 if (!set)
384 set = CryptInitOIDFunctionSet(URL_OID_GET_OBJECT_URL_FUNC, 0);
385 CryptGetOIDFunctionAddress(set, X509_ASN_ENCODING, pszUrlOid, 0,
386 (void **)&func, &hFunc);
387 }
388 if (func)
389 ret = func(pszUrlOid, pvPara, dwFlags, pUrlArray, pcbUrlArray,
390 pUrlInfo, pcbUrlInfo, pvReserved);
391 if (hFunc)
392 CryptFreeOIDFunctionAddress(hFunc, 0);
393 return ret;
394 }
395
396 /***********************************************************************
397 * CryptRetrieveObjectByUrlA (CRYPTNET.@)
398 */
399 BOOL WINAPI CryptRetrieveObjectByUrlA(LPCSTR pszURL, LPCSTR pszObjectOid,
400 DWORD dwRetrievalFlags, DWORD dwTimeout, LPVOID *ppvObject,
401 HCRYPTASYNC hAsyncRetrieve, PCRYPT_CREDENTIALS pCredentials, LPVOID pvVerify,
402 PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
403 {
404 BOOL ret = FALSE;
405 int len;
406
407 TRACE("(%s, %s, %08lx, %ld, %p, %p, %p, %p, %p)\n", debugstr_a(pszURL),
408 debugstr_a(pszObjectOid), dwRetrievalFlags, dwTimeout, ppvObject,
409 hAsyncRetrieve, pCredentials, pvVerify, pAuxInfo);
410
411 if (!pszURL)
412 {
413 SetLastError(ERROR_INVALID_PARAMETER);
414 return FALSE;
415 }
416 len = MultiByteToWideChar(CP_ACP, 0, pszURL, -1, NULL, 0);
417 if (len)
418 {
419 LPWSTR url = CryptMemAlloc(len * sizeof(WCHAR));
420
421 if (url)
422 {
423 MultiByteToWideChar(CP_ACP, 0, pszURL, -1, url, len);
424 ret = CryptRetrieveObjectByUrlW(url, pszObjectOid,
425 dwRetrievalFlags, dwTimeout, ppvObject, hAsyncRetrieve,
426 pCredentials, pvVerify, pAuxInfo);
427 CryptMemFree(url);
428 }
429 else
430 SetLastError(ERROR_OUTOFMEMORY);
431 }
432 return ret;
433 }
434
435 static void WINAPI CRYPT_FreeBlob(LPCSTR pszObjectOid,
436 PCRYPT_BLOB_ARRAY pObject, void *pvFreeContext)
437 {
438 DWORD i;
439
440 for (i = 0; i < pObject->cBlob; i++)
441 CryptMemFree(pObject->rgBlob[i].pbData);
442 CryptMemFree(pObject->rgBlob);
443 }
444
445 static BOOL CRYPT_GetObjectFromFile(HANDLE hFile, PCRYPT_BLOB_ARRAY pObject)
446 {
447 BOOL ret;
448 LARGE_INTEGER size;
449
450 if ((ret = GetFileSizeEx(hFile, &size)))
451 {
452 if (size.u.HighPart)
453 {
454 WARN("file too big\n");
455 SetLastError(ERROR_INVALID_DATA);
456 ret = FALSE;
457 }
458 else
459 {
460 CRYPT_DATA_BLOB blob;
461
462 blob.pbData = CryptMemAlloc(size.u.LowPart);
463 if (blob.pbData)
464 {
465 ret = ReadFile(hFile, blob.pbData, size.u.LowPart, &blob.cbData,
466 NULL);
467 if (ret)
468 {
469 pObject->rgBlob = CryptMemAlloc(sizeof(CRYPT_DATA_BLOB));
470 if (pObject->rgBlob)
471 {
472 pObject->cBlob = 1;
473 memcpy(pObject->rgBlob, &blob, sizeof(CRYPT_DATA_BLOB));
474 }
475 else
476 {
477 SetLastError(ERROR_OUTOFMEMORY);
478 ret = FALSE;
479 }
480 }
481 if (!ret)
482 CryptMemFree(blob.pbData);
483 }
484 else
485 {
486 SetLastError(ERROR_OUTOFMEMORY);
487 ret = FALSE;
488 }
489 }
490 }
491 return ret;
492 }
493
494 static BOOL CRYPT_GetObjectFromCache(LPCWSTR pszURL, PCRYPT_BLOB_ARRAY pObject,
495 PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
496 {
497 BOOL ret = FALSE;
498 INTERNET_CACHE_ENTRY_INFOW *pCacheInfo = NULL;
499 DWORD size = 0;
500
501 TRACE("(%s, %p, %p)\n", debugstr_w(pszURL), pObject, pAuxInfo);
502
503 RetrieveUrlCacheEntryFileW(pszURL, NULL, &size, 0);
504 if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
505 return FALSE;
506
507 pCacheInfo = CryptMemAlloc(size);
508 if (!pCacheInfo)
509 {
510 SetLastError(ERROR_OUTOFMEMORY);
511 return FALSE;
512 }
513
514 if ((ret = RetrieveUrlCacheEntryFileW(pszURL, pCacheInfo, &size, 0)))
515 {
516 FILETIME ft;
517
518 GetSystemTimeAsFileTime(&ft);
519 if (CompareFileTime(&pCacheInfo->ExpireTime, &ft) >= 0)
520 {
521 HANDLE hFile = CreateFileW(pCacheInfo->lpszLocalFileName, GENERIC_READ,
522 FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
523
524 if (hFile != INVALID_HANDLE_VALUE)
525 {
526 if ((ret = CRYPT_GetObjectFromFile(hFile, pObject)))
527 {
528 if (pAuxInfo && pAuxInfo->cbSize >= RTL_SIZEOF_THROUGH_FIELD(CRYPT_RETRIEVE_AUX_INFO, pLastSyncTime)
529 && pAuxInfo->pLastSyncTime)
530 {
531 memcpy(pAuxInfo->pLastSyncTime,
532 &pCacheInfo->LastSyncTime,
533 sizeof(FILETIME));
534 }
535 }
536 CloseHandle(hFile);
537 }
538 else
539 {
540 DeleteUrlCacheEntryW(pszURL);
541 ret = FALSE;
542 }
543 }
544 else
545 {
546 DeleteUrlCacheEntryW(pszURL);
547 ret = FALSE;
548 }
549 UnlockUrlCacheEntryFileW(pszURL, 0);
550 }
551 CryptMemFree(pCacheInfo);
552 TRACE("returning %d\n", ret);
553 return ret;
554 }
555
556 /* Parses the URL, and sets components' lpszHostName and lpszUrlPath members
557 * to NULL-terminated copies of those portions of the URL (to be freed with
558 * CryptMemFree.)
559 */
560 static BOOL CRYPT_CrackUrl(LPCWSTR pszURL, URL_COMPONENTSW *components)
561 {
562 BOOL ret;
563
564 TRACE("(%s, %p)\n", debugstr_w(pszURL), components);
565
566 memset(components, 0, sizeof(*components));
567 components->dwStructSize = sizeof(*components);
568 components->lpszHostName = CryptMemAlloc(INTERNET_MAX_HOST_NAME_LENGTH * sizeof(WCHAR));
569 components->dwHostNameLength = INTERNET_MAX_HOST_NAME_LENGTH;
570 if (!components->lpszHostName)
571 {
572 SetLastError(ERROR_OUTOFMEMORY);
573 return FALSE;
574 }
575 components->lpszUrlPath = CryptMemAlloc(INTERNET_MAX_PATH_LENGTH * sizeof(WCHAR));
576 components->dwUrlPathLength = INTERNET_MAX_PATH_LENGTH;
577 if (!components->lpszUrlPath)
578 {
579 CryptMemFree(components->lpszHostName);
580 SetLastError(ERROR_OUTOFMEMORY);
581 return FALSE;
582 }
583
584 ret = InternetCrackUrlW(pszURL, 0, ICU_DECODE, components);
585 if (ret)
586 {
587 switch (components->nScheme)
588 {
589 case INTERNET_SCHEME_FTP:
590 if (!components->nPort)
591 components->nPort = INTERNET_DEFAULT_FTP_PORT;
592 break;
593 case INTERNET_SCHEME_HTTP:
594 if (!components->nPort)
595 components->nPort = INTERNET_DEFAULT_HTTP_PORT;
596 break;
597 default:
598 ; /* do nothing */
599 }
600 }
601 TRACE("returning %d\n", ret);
602 return ret;
603 }
604
605 struct InetContext
606 {
607 HANDLE event;
608 DWORD timeout;
609 DWORD error;
610 };
611
612 static struct InetContext *CRYPT_MakeInetContext(DWORD dwTimeout)
613 {
614 struct InetContext *context = CryptMemAlloc(sizeof(struct InetContext));
615
616 if (context)
617 {
618 context->event = CreateEventW(NULL, FALSE, FALSE, NULL);
619 if (!context->event)
620 {
621 CryptMemFree(context);
622 context = NULL;
623 }
624 else
625 {
626 context->timeout = dwTimeout;
627 context->error = ERROR_SUCCESS;
628 }
629 }
630 return context;
631 }
632
633 static BOOL CRYPT_DownloadObject(DWORD dwRetrievalFlags, HINTERNET hHttp,
634 struct InetContext *context, PCRYPT_BLOB_ARRAY pObject,
635 PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
636 {
637 CRYPT_DATA_BLOB object = { 0, NULL };
638 DWORD bytesAvailable;
639 BOOL ret;
640
641 do {
642 if ((ret = InternetQueryDataAvailable(hHttp, &bytesAvailable, 0, 0)))
643 {
644 if (bytesAvailable)
645 {
646 if (object.pbData)
647 object.pbData = CryptMemRealloc(object.pbData,
648 object.cbData + bytesAvailable);
649 else
650 object.pbData = CryptMemAlloc(bytesAvailable);
651 if (object.pbData)
652 {
653 INTERNET_BUFFERSA buffer = { sizeof(buffer), 0 };
654
655 buffer.dwBufferLength = bytesAvailable;
656 buffer.lpvBuffer = object.pbData + object.cbData;
657 if (!(ret = InternetReadFileExA(hHttp, &buffer, IRF_NO_WAIT,
658 (DWORD_PTR)context)))
659 {
660 if (GetLastError() == ERROR_IO_PENDING)
661 {
662 if (WaitForSingleObject(context->event,
663 context->timeout) == WAIT_TIMEOUT)
664 SetLastError(ERROR_TIMEOUT);
665 else if (context->error)
666 SetLastError(context->error);
667 else
668 ret = TRUE;
669 }
670 }
671 if (ret)
672 object.cbData += buffer.dwBufferLength;
673 }
674 else
675 {
676 SetLastError(ERROR_OUTOFMEMORY);
677 ret = FALSE;
678 }
679 }
680 }
681 else if (GetLastError() == ERROR_IO_PENDING)
682 {
683 if (WaitForSingleObject(context->event, context->timeout) ==
684 WAIT_TIMEOUT)
685 SetLastError(ERROR_TIMEOUT);
686 else
687 ret = TRUE;
688 }
689 } while (ret && bytesAvailable);
690 if (ret)
691 {
692 pObject->rgBlob = CryptMemAlloc(sizeof(CRYPT_DATA_BLOB));
693 if (!pObject->rgBlob)
694 {
695 CryptMemFree(object.pbData);
696 SetLastError(ERROR_OUTOFMEMORY);
697 ret = FALSE;
698 }
699 else
700 {
701 pObject->rgBlob[0].cbData = object.cbData;
702 pObject->rgBlob[0].pbData = object.pbData;
703 pObject->cBlob = 1;
704 }
705 }
706 TRACE("returning %d\n", ret);
707 return ret;
708 }
709
710 /* Finds the object specified by pszURL in the cache. If it's not found,
711 * creates a new cache entry for the object and writes the object to it.
712 * Sets the expiration time of the cache entry to expires.
713 */
714 static void CRYPT_CacheURL(LPCWSTR pszURL, const CRYPT_BLOB_ARRAY *pObject,
715 DWORD dwRetrievalFlags, FILETIME expires)
716 {
717 WCHAR cacheFileName[MAX_PATH];
718 HANDLE hCacheFile;
719 DWORD size = 0, entryType;
720 FILETIME ft;
721
722 GetUrlCacheEntryInfoW(pszURL, NULL, &size);
723 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
724 {
725 INTERNET_CACHE_ENTRY_INFOW *info = CryptMemAlloc(size);
726
727 if (!info)
728 {
729 ERR("out of memory\n");
730 return;
731 }
732
733 if (GetUrlCacheEntryInfoW(pszURL, info, &size))
734 {
735 lstrcpyW(cacheFileName, info->lpszLocalFileName);
736 /* Check if the existing cache entry is up to date. If it isn't,
737 * remove the existing cache entry, and create a new one with the
738 * new value.
739 */
740 GetSystemTimeAsFileTime(&ft);
741 if (CompareFileTime(&info->ExpireTime, &ft) < 0)
742 {
743 DeleteUrlCacheEntryW(pszURL);
744 }
745 else
746 {
747 info->ExpireTime = expires;
748 SetUrlCacheEntryInfoW(pszURL, info, CACHE_ENTRY_EXPTIME_FC);
749 CryptMemFree(info);
750 return;
751 }
752 }
753 CryptMemFree(info);
754 }
755
756 if (!CreateUrlCacheEntryW(pszURL, pObject->rgBlob[0].cbData, NULL, cacheFileName, 0))
757 return;
758
759 hCacheFile = CreateFileW(cacheFileName, GENERIC_WRITE, 0,
760 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
761 if(hCacheFile == INVALID_HANDLE_VALUE)
762 return;
763
764 WriteFile(hCacheFile, pObject->rgBlob[0].pbData,
765 pObject->rgBlob[0].cbData, &size, NULL);
766 CloseHandle(hCacheFile);
767
768 if (!(dwRetrievalFlags & CRYPT_STICKY_CACHE_RETRIEVAL))
769 entryType = NORMAL_CACHE_ENTRY;
770 else
771 entryType = STICKY_CACHE_ENTRY;
772 memset(&ft, 0, sizeof(ft));
773 CommitUrlCacheEntryW(pszURL, cacheFileName, expires, ft, entryType,
774 NULL, 0, NULL, NULL);
775 }
776
777 static void CALLBACK CRYPT_InetStatusCallback(HINTERNET hInt,
778 DWORD_PTR dwContext, DWORD status, void *statusInfo, DWORD statusInfoLen)
779 {
780 struct InetContext *context = (struct InetContext *)dwContext;
781 LPINTERNET_ASYNC_RESULT result;
782
783 switch (status)
784 {
785 case INTERNET_STATUS_REQUEST_COMPLETE:
786 result = statusInfo;
787 context->error = result->dwError;
788 SetEvent(context->event);
789 }
790 }
791
792 static BOOL CRYPT_Connect(const URL_COMPONENTSW *components,
793 struct InetContext *context, PCRYPT_CREDENTIALS pCredentials,
794 HINTERNET *phInt, HINTERNET *phHost)
795 {
796 BOOL ret;
797
798 TRACE("(%s:%d, %p, %p, %p, %p)\n", debugstr_w(components->lpszHostName),
799 components->nPort, context, pCredentials, phInt, phInt);
800
801 *phHost = NULL;
802 *phInt = InternetOpenW(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL,
803 context ? INTERNET_FLAG_ASYNC : 0);
804 if (*phInt)
805 {
806 DWORD service;
807
808 if (context)
809 InternetSetStatusCallbackW(*phInt, CRYPT_InetStatusCallback);
810 switch (components->nScheme)
811 {
812 case INTERNET_SCHEME_FTP:
813 service = INTERNET_SERVICE_FTP;
814 break;
815 case INTERNET_SCHEME_HTTP:
816 service = INTERNET_SERVICE_HTTP;
817 break;
818 default:
819 service = 0;
820 }
821 /* FIXME: use pCredentials for username/password */
822 *phHost = InternetConnectW(*phInt, components->lpszHostName,
823 components->nPort, NULL, NULL, service, 0, (DWORD_PTR)context);
824 if (!*phHost)
825 {
826 InternetCloseHandle(*phInt);
827 *phInt = NULL;
828 ret = FALSE;
829 }
830 else
831 ret = TRUE;
832 }
833 else
834 ret = FALSE;
835 TRACE("returning %d\n", ret);
836 return ret;
837 }
838
839 static BOOL WINAPI FTP_RetrieveEncodedObjectW(LPCWSTR pszURL,
840 LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout,
841 PCRYPT_BLOB_ARRAY pObject, PFN_FREE_ENCODED_OBJECT_FUNC *ppfnFreeObject,
842 void **ppvFreeContext, HCRYPTASYNC hAsyncRetrieve,
843 PCRYPT_CREDENTIALS pCredentials, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
844 {
845 FIXME("(%s, %s, %08lx, %ld, %p, %p, %p, %p, %p, %p)\n", debugstr_w(pszURL),
846 debugstr_a(pszObjectOid), dwRetrievalFlags, dwTimeout, pObject,
847 ppfnFreeObject, ppvFreeContext, hAsyncRetrieve, pCredentials, pAuxInfo);
848
849 pObject->cBlob = 0;
850 pObject->rgBlob = NULL;
851 *ppfnFreeObject = CRYPT_FreeBlob;
852 *ppvFreeContext = NULL;
853 return FALSE;
854 }
855
856 static BOOL WINAPI HTTP_RetrieveEncodedObjectW(LPCWSTR pszURL,
857 LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout,
858 PCRYPT_BLOB_ARRAY pObject, PFN_FREE_ENCODED_OBJECT_FUNC *ppfnFreeObject,
859 void **ppvFreeContext, HCRYPTASYNC hAsyncRetrieve,
860 PCRYPT_CREDENTIALS pCredentials, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
861 {
862 BOOL ret = FALSE;
863
864 TRACE("(%s, %s, %08lx, %ld, %p, %p, %p, %p, %p, %p)\n", debugstr_w(pszURL),
865 debugstr_a(pszObjectOid), dwRetrievalFlags, dwTimeout, pObject,
866 ppfnFreeObject, ppvFreeContext, hAsyncRetrieve, pCredentials, pAuxInfo);
867
868 pObject->cBlob = 0;
869 pObject->rgBlob = NULL;
870 *ppfnFreeObject = CRYPT_FreeBlob;
871 *ppvFreeContext = NULL;
872
873 if (!(dwRetrievalFlags & CRYPT_WIRE_ONLY_RETRIEVAL))
874 ret = CRYPT_GetObjectFromCache(pszURL, pObject, pAuxInfo);
875 if (!ret && (!(dwRetrievalFlags & CRYPT_CACHE_ONLY_RETRIEVAL) ||
876 (dwRetrievalFlags & CRYPT_WIRE_ONLY_RETRIEVAL)))
877 {
878 URL_COMPONENTSW components;
879
880 if ((ret = CRYPT_CrackUrl(pszURL, &components)))
881 {
882 HINTERNET hInt, hHost;
883 struct InetContext *context = NULL;
884
885 if (dwTimeout)
886 context = CRYPT_MakeInetContext(dwTimeout);
887 ret = CRYPT_Connect(&components, context, pCredentials, &hInt,
888 &hHost);
889 if (ret)
890 {
891 static LPCWSTR types[] =
892 {
893 L"application/x-x509-ca-cert", L"application/x-x509-email-cert",
894 L"application/x-x509-server-cert", L"application/x-x509-user-cert",
895 L"application/x-pkcs7-certificates", L"application/pkix-crl",
896 L"application/x-pkcs7-crl", L"application/x-pkcs7-signature",
897 L"application/x-pkcs7-mime", NULL
898 };
899 HINTERNET hHttp = HttpOpenRequestW(hHost, NULL,
900 components.lpszUrlPath, NULL, NULL, types,
901 INTERNET_FLAG_NO_COOKIES | INTERNET_FLAG_NO_UI,
902 (DWORD_PTR)context);
903
904 if (hHttp)
905 {
906 if (dwTimeout)
907 {
908 InternetSetOptionW(hHttp,
909 INTERNET_OPTION_RECEIVE_TIMEOUT, &dwTimeout,
910 sizeof(dwTimeout));
911 InternetSetOptionW(hHttp, INTERNET_OPTION_SEND_TIMEOUT,
912 &dwTimeout, sizeof(dwTimeout));
913 }
914 ret = HttpSendRequestExW(hHttp, NULL, NULL, 0,
915 (DWORD_PTR)context);
916 if (!ret && GetLastError() == ERROR_IO_PENDING)
917 {
918 if (WaitForSingleObject(context->event,
919 context->timeout) == WAIT_TIMEOUT)
920 SetLastError(ERROR_TIMEOUT);
921 else
922 ret = TRUE;
923 }
924 if (ret &&
925 !(ret = HttpEndRequestW(hHttp, NULL, 0, (DWORD_PTR)context)) &&
926 GetLastError() == ERROR_IO_PENDING)
927 {
928 if (WaitForSingleObject(context->event,
929 context->timeout) == WAIT_TIMEOUT)
930 SetLastError(ERROR_TIMEOUT);
931 else
932 ret = TRUE;
933 }
934 if (ret)
935 ret = CRYPT_DownloadObject(dwRetrievalFlags, hHttp,
936 context, pObject, pAuxInfo);
937 if (ret && !(dwRetrievalFlags & CRYPT_DONT_CACHE_RESULT))
938 {
939 SYSTEMTIME st;
940 FILETIME ft;
941 DWORD len = sizeof(st);
942
943 if (HttpQueryInfoW(hHttp, HTTP_QUERY_EXPIRES | HTTP_QUERY_FLAG_SYSTEMTIME,
944 &st, &len, NULL) && SystemTimeToFileTime(&st, &ft))
945 CRYPT_CacheURL(pszURL, pObject, dwRetrievalFlags, ft);
946 }
947 InternetCloseHandle(hHttp);
948 }
949 InternetCloseHandle(hHost);
950 InternetCloseHandle(hInt);
951 }
952 if (context)
953 {
954 CloseHandle(context->event);
955 CryptMemFree(context);
956 }
957 CryptMemFree(components.lpszUrlPath);
958 CryptMemFree(components.lpszHostName);
959 }
960 }
961 TRACE("returning %d\n", ret);
962 return ret;
963 }
964
965 static BOOL WINAPI File_RetrieveEncodedObjectW(LPCWSTR pszURL,
966 LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout,
967 PCRYPT_BLOB_ARRAY pObject, PFN_FREE_ENCODED_OBJECT_FUNC *ppfnFreeObject,
968 void **ppvFreeContext, HCRYPTASYNC hAsyncRetrieve,
969 PCRYPT_CREDENTIALS pCredentials, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
970 {
971 URL_COMPONENTSW components = { sizeof(components), 0 };
972 BOOL ret;
973
974 TRACE("(%s, %s, %08lx, %ld, %p, %p, %p, %p, %p, %p)\n", debugstr_w(pszURL),
975 debugstr_a(pszObjectOid), dwRetrievalFlags, dwTimeout, pObject,
976 ppfnFreeObject, ppvFreeContext, hAsyncRetrieve, pCredentials, pAuxInfo);
977
978 pObject->cBlob = 0;
979 pObject->rgBlob = NULL;
980 *ppfnFreeObject = CRYPT_FreeBlob;
981 *ppvFreeContext = NULL;
982
983 components.lpszUrlPath = CryptMemAlloc(INTERNET_MAX_PATH_LENGTH * sizeof(WCHAR));
984 components.dwUrlPathLength = INTERNET_MAX_PATH_LENGTH;
985 if (!components.lpszUrlPath)
986 {
987 SetLastError(ERROR_OUTOFMEMORY);
988 return FALSE;
989 }
990
991 ret = InternetCrackUrlW(pszURL, 0, ICU_DECODE, &components);
992 if (ret)
993 {
994 LPWSTR path;
995
996 /* 3 == lstrlenW(L"c:") + 1 */
997 path = CryptMemAlloc((components.dwUrlPathLength + 3) * sizeof(WCHAR));
998 if (path)
999 {
1000 HANDLE hFile;
1001
1002 /* Try to create the file directly - Wine handles / in pathnames */
1003 lstrcpynW(path, components.lpszUrlPath,
1004 components.dwUrlPathLength + 1);
1005 hFile = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ,
1006 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1007 if (hFile == INVALID_HANDLE_VALUE)
1008 {
1009 /* Try again on the current drive */
1010 GetCurrentDirectoryW(components.dwUrlPathLength, path);
1011 if (path[1] == ':')
1012 {
1013 lstrcpynW(path + 2, components.lpszUrlPath,
1014 components.dwUrlPathLength + 1);
1015 hFile = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ,
1016 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1017 }
1018 if (hFile == INVALID_HANDLE_VALUE)
1019 {
1020 /* Try again on the Windows drive */
1021 GetWindowsDirectoryW(path, components.dwUrlPathLength);
1022 if (path[1] == ':')
1023 {
1024 lstrcpynW(path + 2, components.lpszUrlPath,
1025 components.dwUrlPathLength + 1);
1026 hFile = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ,
1027 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1028 }
1029 }
1030 }
1031 if (hFile != INVALID_HANDLE_VALUE)
1032 {
1033 if ((ret = CRYPT_GetObjectFromFile(hFile, pObject)))
1034 {
1035 if (pAuxInfo && pAuxInfo->cbSize >= RTL_SIZEOF_THROUGH_FIELD(CRYPT_RETRIEVE_AUX_INFO, pLastSyncTime)
1036 && pAuxInfo->pLastSyncTime)
1037 {
1038 GetFileTime(hFile, NULL, NULL,
1039 pAuxInfo->pLastSyncTime);
1040 }
1041 }
1042 CloseHandle(hFile);
1043 }
1044 else
1045 ret = FALSE;
1046 CryptMemFree(path);
1047 }
1048 else
1049 {
1050 SetLastError(ERROR_OUTOFMEMORY);
1051 ret = FALSE;
1052 }
1053 }
1054 CryptMemFree(components.lpszUrlPath);
1055 return ret;
1056 }
1057
1058 typedef BOOL (WINAPI *SchemeDllRetrieveEncodedObjectW)(LPCWSTR pwszUrl,
1059 LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout,
1060 PCRYPT_BLOB_ARRAY pObject, PFN_FREE_ENCODED_OBJECT_FUNC *ppfnFreeObject,
1061 void **ppvFreeContext, HCRYPTASYNC hAsyncRetrieve,
1062 PCRYPT_CREDENTIALS pCredentials, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo);
1063
1064 static BOOL CRYPT_GetRetrieveFunction(LPCWSTR pszURL,
1065 SchemeDllRetrieveEncodedObjectW *pFunc, HCRYPTOIDFUNCADDR *phFunc)
1066 {
1067 URL_COMPONENTSW components = { sizeof(components), 0 };
1068 BOOL ret;
1069
1070 TRACE("(%s, %p, %p)\n", debugstr_w(pszURL), pFunc, phFunc);
1071
1072 *pFunc = NULL;
1073 *phFunc = 0;
1074 components.dwSchemeLength = 1;
1075 ret = InternetCrackUrlW(pszURL, 0, 0, &components);
1076 if (ret)
1077 {
1078 /* Microsoft always uses CryptInitOIDFunctionSet/
1079 * CryptGetOIDFunctionAddress, but there doesn't seem to be a pressing
1080 * reason to do so for builtin schemes.
1081 */
1082 switch (components.nScheme)
1083 {
1084 case INTERNET_SCHEME_FTP:
1085 *pFunc = FTP_RetrieveEncodedObjectW;
1086 break;
1087 case INTERNET_SCHEME_HTTP:
1088 *pFunc = HTTP_RetrieveEncodedObjectW;
1089 break;
1090 case INTERNET_SCHEME_FILE:
1091 *pFunc = File_RetrieveEncodedObjectW;
1092 break;
1093 default:
1094 {
1095 int len = WideCharToMultiByte(CP_ACP, 0, components.lpszScheme,
1096 components.dwSchemeLength, NULL, 0, NULL, NULL);
1097
1098 if (len)
1099 {
1100 LPSTR scheme = CryptMemAlloc(len);
1101
1102 if (scheme)
1103 {
1104 static HCRYPTOIDFUNCSET set = NULL;
1105
1106 if (!set)
1107 set = CryptInitOIDFunctionSet(
1108 SCHEME_OID_RETRIEVE_ENCODED_OBJECTW_FUNC, 0);
1109 WideCharToMultiByte(CP_ACP, 0, components.lpszScheme,
1110 components.dwSchemeLength, scheme, len, NULL, NULL);
1111 ret = CryptGetOIDFunctionAddress(set, X509_ASN_ENCODING,
1112 scheme, 0, (void **)pFunc, phFunc);
1113 CryptMemFree(scheme);
1114 }
1115 else
1116 {
1117 SetLastError(ERROR_OUTOFMEMORY);
1118 ret = FALSE;
1119 }
1120 }
1121 else
1122 ret = FALSE;
1123 }
1124 }
1125 }
1126 TRACE("returning %d\n", ret);
1127 return ret;
1128 }
1129
1130 static BOOL WINAPI CRYPT_CreateBlob(LPCSTR pszObjectOid,
1131 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext)
1132 {
1133 DWORD size, i;
1134 CRYPT_BLOB_ARRAY *context;
1135 BOOL ret = FALSE;
1136
1137 size = sizeof(CRYPT_BLOB_ARRAY) + pObject->cBlob * sizeof(CRYPT_DATA_BLOB);
1138 for (i = 0; i < pObject->cBlob; i++)
1139 size += pObject->rgBlob[i].cbData;
1140 context = CryptMemAlloc(size);
1141 if (context)
1142 {
1143 LPBYTE nextData;
1144
1145 context->cBlob = 0;
1146 context->rgBlob =
1147 (CRYPT_DATA_BLOB *)((LPBYTE)context + sizeof(CRYPT_BLOB_ARRAY));
1148 nextData =
1149 (LPBYTE)context->rgBlob + pObject->cBlob * sizeof(CRYPT_DATA_BLOB);
1150 for (i = 0; i < pObject->cBlob; i++)
1151 {
1152 memcpy(nextData, pObject->rgBlob[i].pbData,
1153 pObject->rgBlob[i].cbData);
1154 context->rgBlob[i].pbData = nextData;
1155 context->rgBlob[i].cbData = pObject->rgBlob[i].cbData;
1156 nextData += pObject->rgBlob[i].cbData;
1157 context->cBlob++;
1158 }
1159 *ppvContext = context;
1160 ret = TRUE;
1161 }
1162 return ret;
1163 }
1164
1165 typedef BOOL (WINAPI *AddContextToStore)(HCERTSTORE hCertStore,
1166 const void *pContext, DWORD dwAddDisposition, const void **ppStoreContext);
1167
1168 static BOOL decode_base64_blob( const CRYPT_DATA_BLOB *in, CRYPT_DATA_BLOB *out )
1169 {
1170 BOOL ret;
1171 DWORD len = in->cbData;
1172
1173 while (len && !in->pbData[len - 1]) len--;
1174 if (!CryptStringToBinaryA( (char *)in->pbData, len, CRYPT_STRING_BASE64_ANY,
1175 NULL, &out->cbData, NULL, NULL )) return FALSE;
1176
1177 if (!(out->pbData = CryptMemAlloc( out->cbData ))) return FALSE;
1178 ret = CryptStringToBinaryA( (char *)in->pbData, len, CRYPT_STRING_BASE64_ANY,
1179 out->pbData, &out->cbData, NULL, NULL );
1180 if (!ret) CryptMemFree( out->pbData );
1181 return ret;
1182 }
1183
1184 static BOOL CRYPT_CreateContext(const CRYPT_BLOB_ARRAY *pObject,
1185 DWORD dwExpectedContentTypeFlags, AddContextToStore addFunc, void **ppvContext)
1186 {
1187 BOOL ret = TRUE;
1188 CRYPT_DATA_BLOB blob;
1189
1190 if (!pObject->cBlob)
1191 {
1192 SetLastError(ERROR_INVALID_DATA);
1193 *ppvContext = NULL;
1194 ret = FALSE;
1195 }
1196 else if (pObject->cBlob == 1)
1197 {
1198 if (decode_base64_blob(&pObject->rgBlob[0], &blob))
1199 {
1200 ret = CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob,
1201 dwExpectedContentTypeFlags, CERT_QUERY_FORMAT_FLAG_BINARY, 0,
1202 NULL, NULL, NULL, NULL, NULL, (const void **)ppvContext);
1203 CryptMemFree(blob.pbData);
1204 }
1205 else
1206 {
1207 ret = CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &pObject->rgBlob[0],
1208 dwExpectedContentTypeFlags, CERT_QUERY_FORMAT_FLAG_BINARY, 0,
1209 NULL, NULL, NULL, NULL, NULL, (const void **)ppvContext);
1210 }
1211 if (!ret)
1212 {
1213 SetLastError(CRYPT_E_NO_MATCH);
1214 ret = FALSE;
1215 }
1216 }
1217 else
1218 {
1219 HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
1220 CERT_STORE_CREATE_NEW_FLAG, NULL);
1221
1222 if (store)
1223 {
1224 DWORD i;
1225 const void *context;
1226
1227 for (i = 0; i < pObject->cBlob; i++)
1228 {
1229 if (decode_base64_blob(&pObject->rgBlob[i], &blob))
1230 {
1231 ret = CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob,
1232 dwExpectedContentTypeFlags, CERT_QUERY_FORMAT_FLAG_BINARY,
1233 0, NULL, NULL, NULL, NULL, NULL, &context);
1234 CryptMemFree(blob.pbData);
1235 }
1236 else
1237 {
1238 ret = CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
1239 &pObject->rgBlob[i], dwExpectedContentTypeFlags,
1240 CERT_QUERY_FORMAT_FLAG_BINARY, 0, NULL, NULL, NULL, NULL,
1241 NULL, &context);
1242 }
1243 if (ret)
1244 {
1245 if (!addFunc(store, context, CERT_STORE_ADD_ALWAYS, NULL))
1246 ret = FALSE;
1247 }
1248 else
1249 {
1250 SetLastError(CRYPT_E_NO_MATCH);
1251 ret = FALSE;
1252 }
1253 }
1254 }
1255 else
1256 ret = FALSE;
1257 *ppvContext = store;
1258 }
1259 return ret;
1260 }
1261
1262 static BOOL WINAPI CRYPT_CreateCert(LPCSTR pszObjectOid,
1263 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext)
1264 {
1265 return CRYPT_CreateContext(pObject, CERT_QUERY_CONTENT_FLAG_CERT,
1266 (AddContextToStore)CertAddCertificateContextToStore, ppvContext);
1267 }
1268
1269 static BOOL WINAPI CRYPT_CreateCRL(LPCSTR pszObjectOid,
1270 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext)
1271 {
1272 return CRYPT_CreateContext(pObject, CERT_QUERY_CONTENT_FLAG_CRL,
1273 (AddContextToStore)CertAddCRLContextToStore, ppvContext);
1274 }
1275
1276 static BOOL WINAPI CRYPT_CreateCTL(LPCSTR pszObjectOid,
1277 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext)
1278 {
1279 return CRYPT_CreateContext(pObject, CERT_QUERY_CONTENT_FLAG_CTL,
1280 (AddContextToStore)CertAddCTLContextToStore, ppvContext);
1281 }
1282
1283 static BOOL WINAPI CRYPT_CreatePKCS7(LPCSTR pszObjectOid,
1284 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext)
1285 {
1286 BOOL ret;
1287
1288 if (!pObject->cBlob)
1289 {
1290 SetLastError(ERROR_INVALID_DATA);
1291 *ppvContext = NULL;
1292 ret = FALSE;
1293 }
1294 else if (pObject->cBlob == 1)
1295 ret = CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &pObject->rgBlob[0],
1296 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED |
1297 CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED, CERT_QUERY_FORMAT_FLAG_BINARY,
1298 0, NULL, NULL, NULL, ppvContext, NULL, NULL);
1299 else
1300 {
1301 FIXME("multiple messages unimplemented\n");
1302 ret = FALSE;
1303 }
1304 return ret;
1305 }
1306
1307 static BOOL WINAPI CRYPT_CreateAny(LPCSTR pszObjectOid,
1308 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext)
1309 {
1310 BOOL ret;
1311
1312 if (!pObject->cBlob)
1313 {
1314 SetLastError(ERROR_INVALID_DATA);
1315 *ppvContext = NULL;
1316 ret = FALSE;
1317 }
1318 else
1319 {
1320 HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
1321 CERT_STORE_CREATE_NEW_FLAG, NULL);
1322
1323 if (store)
1324 {
1325 HCERTSTORE memStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
1326 CERT_STORE_CREATE_NEW_FLAG, NULL);
1327
1328 if (memStore)
1329 {
1330 CertAddStoreToCollection(store, memStore,
1331 CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0);
1332 CertCloseStore(memStore, 0);
1333 }
1334 else
1335 {
1336 CertCloseStore(store, 0);
1337 store = NULL;
1338 }
1339 }
1340 if (store)
1341 {
1342 DWORD i;
1343
1344 ret = TRUE;
1345 for (i = 0; i < pObject->cBlob; i++)
1346 {
1347 DWORD contentType, expectedContentTypes =
1348 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED |
1349 CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED |
1350 CERT_QUERY_CONTENT_FLAG_CERT |
1351 CERT_QUERY_CONTENT_FLAG_CRL |
1352 CERT_QUERY_CONTENT_FLAG_CTL;
1353 HCERTSTORE contextStore;
1354 const void *context;
1355
1356 if (CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
1357 &pObject->rgBlob[i], expectedContentTypes,
1358 CERT_QUERY_FORMAT_FLAG_BINARY, 0, NULL, &contentType, NULL,
1359 &contextStore, NULL, &context))
1360 {
1361 switch (contentType)
1362 {
1363 case CERT_QUERY_CONTENT_CERT:
1364 if (!CertAddCertificateContextToStore(store,
1365 context, CERT_STORE_ADD_ALWAYS, NULL))
1366 ret = FALSE;
1367 CertFreeCertificateContext(context);
1368 break;
1369 case CERT_QUERY_CONTENT_CRL:
1370 if (!CertAddCRLContextToStore(store,
1371 context, CERT_STORE_ADD_ALWAYS, NULL))
1372 ret = FALSE;
1373 CertFreeCRLContext(context);
1374 break;
1375 case CERT_QUERY_CONTENT_CTL:
1376 if (!CertAddCTLContextToStore(store,
1377 context, CERT_STORE_ADD_ALWAYS, NULL))
1378 ret = FALSE;
1379 CertFreeCTLContext(context);
1380 break;
1381 default:
1382 CertAddStoreToCollection(store, contextStore, 0, 0);
1383 }
1384 CertCloseStore(contextStore, 0);
1385 }
1386 else
1387 ret = FALSE;
1388 }
1389 }
1390 else
1391 ret = FALSE;
1392 *ppvContext = store;
1393 }
1394 return ret;
1395 }
1396
1397 typedef BOOL (WINAPI *ContextDllCreateObjectContext)(LPCSTR pszObjectOid,
1398 DWORD dwRetrievalFlags, const CRYPT_BLOB_ARRAY *pObject, void **ppvContext);
1399
1400 static BOOL CRYPT_GetCreateFunction(LPCSTR pszObjectOid,
1401 ContextDllCreateObjectContext *pFunc, HCRYPTOIDFUNCADDR *phFunc)
1402 {
1403 BOOL ret = TRUE;
1404
1405 TRACE("(%s, %p, %p)\n", debugstr_a(pszObjectOid), pFunc, phFunc);
1406
1407 *pFunc = NULL;
1408 *phFunc = 0;
1409 if (IS_INTOID(pszObjectOid))
1410 {
1411 switch (LOWORD(pszObjectOid))
1412 {
1413 case 0:
1414 *pFunc = CRYPT_CreateBlob;
1415 break;
1416 case LOWORD(CONTEXT_OID_CERTIFICATE):
1417 *pFunc = CRYPT_CreateCert;
1418 break;
1419 case LOWORD(CONTEXT_OID_CRL):
1420 *pFunc = CRYPT_CreateCRL;
1421 break;
1422 case LOWORD(CONTEXT_OID_CTL):
1423 *pFunc = CRYPT_CreateCTL;
1424 break;
1425 case LOWORD(CONTEXT_OID_PKCS7):
1426 *pFunc = CRYPT_CreatePKCS7;
1427 break;
1428 case LOWORD(CONTEXT_OID_CAPI2_ANY):
1429 *pFunc = CRYPT_CreateAny;
1430 break;
1431 }
1432 }
1433 if (!*pFunc)
1434 {
1435 static HCRYPTOIDFUNCSET set = NULL;
1436
1437 if (!set)
1438 set = CryptInitOIDFunctionSet(
1439 CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC, 0);
1440 ret = CryptGetOIDFunctionAddress(set, X509_ASN_ENCODING, pszObjectOid,
1441 0, (void **)pFunc, phFunc);
1442 }
1443 TRACE("returning %d\n", ret);
1444 return ret;
1445 }
1446
1447 static BOOL CRYPT_GetExpiration(const void *object, const char *pszObjectOid, FILETIME *expiration)
1448 {
1449 if (!IS_INTOID(pszObjectOid))
1450 return FALSE;
1451
1452 switch (LOWORD(pszObjectOid)) {
1453 case LOWORD(CONTEXT_OID_CERTIFICATE):
1454 *expiration = ((const CERT_CONTEXT*)object)->pCertInfo->NotAfter;
1455 return TRUE;
1456 case LOWORD(CONTEXT_OID_CRL):
1457 *expiration = ((const CRL_CONTEXT*)object)->pCrlInfo->NextUpdate;
1458 return TRUE;
1459 case LOWORD(CONTEXT_OID_CTL):
1460 *expiration = ((const CTL_CONTEXT*)object)->pCtlInfo->NextUpdate;
1461 return TRUE;
1462 }
1463
1464 return FALSE;
1465 }
1466
1467 /***********************************************************************
1468 * CryptRetrieveObjectByUrlW (CRYPTNET.@)
1469 */
1470 BOOL WINAPI CryptRetrieveObjectByUrlW(LPCWSTR pszURL, LPCSTR pszObjectOid,
1471 DWORD dwRetrievalFlags, DWORD dwTimeout, LPVOID *ppvObject,
1472 HCRYPTASYNC hAsyncRetrieve, PCRYPT_CREDENTIALS pCredentials, LPVOID pvVerify,
1473 PCRYPT_RETRIEVE_AUX_INFO pAuxInfo)
1474 {
1475 BOOL ret;
1476 SchemeDllRetrieveEncodedObjectW retrieve;
1477 ContextDllCreateObjectContext create;
1478 HCRYPTOIDFUNCADDR hRetrieve = 0, hCreate = 0;
1479
1480 TRACE("(%s, %s, %08lx, %ld, %p, %p, %p, %p, %p)\n", debugstr_w(pszURL),
1481 debugstr_a(pszObjectOid), dwRetrievalFlags, dwTimeout, ppvObject,
1482 hAsyncRetrieve, pCredentials, pvVerify, pAuxInfo);
1483
1484 if (!pszURL)
1485 {
1486 SetLastError(ERROR_INVALID_PARAMETER);
1487 return FALSE;
1488 }
1489 ret = CRYPT_GetRetrieveFunction(pszURL, &retrieve, &hRetrieve);
1490 if (ret)
1491 ret = CRYPT_GetCreateFunction(pszObjectOid, &create, &hCreate);
1492 if (ret)
1493 {
1494 CRYPT_BLOB_ARRAY object = { 0, NULL };
1495 PFN_FREE_ENCODED_OBJECT_FUNC freeObject;
1496 void *freeContext;
1497 FILETIME expires;
1498
1499 ret = retrieve(pszURL, pszObjectOid, dwRetrievalFlags, dwTimeout,
1500 &object, &freeObject, &freeContext, hAsyncRetrieve, pCredentials,
1501 pAuxInfo);
1502 if (ret)
1503 {
1504 ret = create(pszObjectOid, dwRetrievalFlags, &object, ppvObject);
1505 if (ret && !(dwRetrievalFlags & CRYPT_DONT_CACHE_RESULT) &&
1506 CRYPT_GetExpiration(*ppvObject, pszObjectOid, &expires))
1507 {
1508 CRYPT_CacheURL(pszURL, &object, dwRetrievalFlags, expires);
1509 }
1510 freeObject(pszObjectOid, &object, freeContext);
1511 }
1512 }
1513 if (hCreate)
1514 CryptFreeOIDFunctionAddress(hCreate, 0);
1515 if (hRetrieve)
1516 CryptFreeOIDFunctionAddress(hRetrieve, 0);
1517 TRACE("returning %d\n", ret);
1518 return ret;
1519 }
1520
1521 /* Store successful revocation checks (whether the certificate was revoked or
1522 * not) in an on-disk cache. This is not because of network latency—we already
1523 * have a cache for that—but rather because parsing very large CRLs can take a
1524 * long time (at the time of writing, 20 MB CRLs have been seen in the wild and
1525 * can take several hundred milliseconds) and applications expect chain building
1526 * to be much faster.
1527 *
1528 * The cache is treated as invalid once we pass the nextUpdate field of the CRL.
1529 * This isn't quite what the field is meant for (it's rather meant to specify a
1530 * later bound for the next time the CRL will be reissued, and doesn't prescribe
1531 * a date by which the CRL is invalid; see RFC 5280 § 5.1.2.5) but it's the way
1532 * it's used in practice.
1533 *
1534 * The location of the cache roughly matches Windows, but the file name and
1535 * contents do not.
1536 */
1537
1538 static const char revocation_cache_signature[] = "Wine cached revocation";
1539
1540 #define CACHED_CERT_HASH_SIZE 20
1541
1542 static FILE *open_cached_revocation_file(const CERT_CONTEXT *cert, const CERT_REVOCATION_PARA *params,
1543 const WCHAR *mode, int sharing)
1544 {
1545 BYTE hash_data[CACHED_CERT_HASH_SIZE];
1546 WCHAR path[MAX_PATH];
1547 WCHAR *appdata_path;
1548 DWORD len, i, size;
1549 HCRYPTPROV prov;
1550 HCRYPTHASH hash;
1551 HRESULT hr;
1552
1553 if (FAILED(hr = SHGetKnownFolderPath(&FOLDERID_LocalAppDataLow, 0, NULL, &appdata_path)))
1554 {
1555 ERR("Failed to get LocalAppDataLow path, hr %#lx.\n", hr);
1556 return INVALID_HANDLE_VALUE;
1557 }
1558
1559 len = swprintf(path, ARRAY_SIZE(path), L"%s\\Microsoft\\CryptnetUrlCache\\Content\\", appdata_path);
1560 CoTaskMemFree(appdata_path);
1561
1562 if (len + CACHED_CERT_HASH_SIZE * 2 * sizeof(WCHAR) > ARRAY_SIZE(path) - 1)
1563 {
1564 WARN("Hash length exceeds static buffer; not caching.\n");
1565 return INVALID_HANDLE_VALUE;
1566 }
1567
1568 CryptAcquireContextW(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
1569 CryptCreateHash(prov, CALG_SHA1, 0, 0, &hash);
1570 CryptHashData(hash, cert->pbCertEncoded, cert->cbCertEncoded, 0);
1571 if (params && params->pIssuerCert)
1572 {
1573 CryptHashData(hash, (BYTE *)&params->pIssuerCert->cbCertEncoded, sizeof(params->pIssuerCert->cbCertEncoded), 0);
1574 CryptHashData(hash, params->pIssuerCert->pbCertEncoded, params->pIssuerCert->cbCertEncoded, 0);
1575 }
1576 else
1577 {
1578 size = 0;
1579 CryptHashData(hash, (BYTE *)&size, sizeof(size), 0);
1580 }
1581 size = sizeof(hash_data);
1582 CryptGetHashParam(hash, HP_HASHVAL, hash_data, &size, 0);
1583 CryptDestroyHash(hash);
1584 CryptReleaseContext(prov, 0);
1585
1586 SHCreateDirectoryExW(NULL, path, NULL);
1587
1588 for (i = 0; i < CACHED_CERT_HASH_SIZE; ++i)
1589 {
1590 swprintf(path + len, 3, L"%02x", hash_data[i]);
1591 len += 2;
1592 }
1593
1594 return _wfsopen(path, mode, sharing);
1595 }
1596
1597 static BOOL find_cached_revocation_status(const CERT_CONTEXT *cert, const CERT_REVOCATION_PARA *params,
1598 const FILETIME *time, CERT_REVOCATION_STATUS *status)
1599 {
1600 char buffer[sizeof(revocation_cache_signature)];
1601 FILETIME update_time;
1602 FILE *file;
1603 int len;
1604
1605 if (!(file = open_cached_revocation_file(cert, params, L"rb", _SH_DENYWR)))
1606 return FALSE;
1607
1608 if ((len = fread(buffer, 1, sizeof(buffer), file)) != sizeof(buffer)
1609 || memcmp(buffer, revocation_cache_signature, len))
1610 {
1611 ERR("Invalid cache signature.\n");
1612 fclose(file);
1613 return FALSE;
1614 }
1615
1616 if (fread(&update_time, sizeof(update_time), 1, file) != 1)
1617 {
1618 ERR("Failed to read update time.\n");
1619 fclose(file);
1620 return FALSE;
1621 }
1622
1623 if (CompareFileTime(time, &update_time) > 0)
1624 {
1625 TRACE("Cached revocation status is potentially out of date.\n");
1626 fclose(file);
1627 return FALSE;
1628 }
1629
1630 if (fread(&status->dwError, sizeof(status->dwError), 1, file) != 1)
1631 {
1632 ERR("Failed to read error code.\n");
1633 fclose(file);
1634 return FALSE;
1635 }
1636
1637 if (status->dwError == CERT_E_REVOKED && fread(&status->dwReason, sizeof(status->dwReason), 1, file) != 1)
1638 {
1639 ERR("Failed to read revocation reason.\n");
1640 fclose(file);
1641 return FALSE;
1642 }
1643
1644 TRACE("Using cached status %#lx, reason %#lx.\n", status->dwError, status->dwReason);
1645 return TRUE;
1646 }
1647
1648 static void cache_revocation_status(const CERT_CONTEXT *cert, const CERT_REVOCATION_PARA *params,
1649 const FILETIME *time, const CERT_REVOCATION_STATUS *status)
1650 {
1651 FILE *file;
1652
1653 if (!(file = open_cached_revocation_file(cert, params, L"wb", _SH_DENYRW)))
1654 return;
1655 fwrite(revocation_cache_signature, 1, sizeof(revocation_cache_signature), file);
1656 fwrite(time, sizeof(*time), 1, file);
1657 fwrite(&status->dwError, sizeof(status->dwError), 1, file);
1658 if (status->dwError == CERT_E_REVOKED)
1659 fwrite(&status->dwReason, sizeof(status->dwReason), 1, file);
1660 fclose(file);
1661 }
1662
1663 static DWORD verify_cert_revocation_with_crl_online(const CERT_CONTEXT *cert,
1664 const CRL_CONTEXT *crl, FILETIME *pTime, CERT_REVOCATION_STATUS *pRevStatus)
1665 {
1666 PCRL_ENTRY entry = NULL;
1667
1668 CertFindCertificateInCRL(cert, crl, 0, NULL, &entry);
1669 if (entry)
1670 return CRYPT_E_REVOKED;
1671
1672 /* Since the CRL was retrieved for the cert being checked, then it's
1673 * guaranteed to be fresh, and the cert is not revoked. */
1674 return ERROR_SUCCESS;
1675 }
1676
1677 /* Try to retrieve a CRL from any one of the specified distribution points. */
1678 static const CRL_CONTEXT *retrieve_crl_from_dist_points(const CRYPT_URL_ARRAY *array,
1679 DWORD verify_flags, DWORD timeout)
1680 {
1681 DWORD retrieve_flags = 0;
1682 const CRL_CONTEXT *crl;
1683 DWORD i;
1684
1685 if (verify_flags & CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION)
1686 retrieve_flags |= CRYPT_CACHE_ONLY_RETRIEVAL;
1687
1688 /* Yes, this is a weird algorithm, but the documentation for
1689 * CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT specifies this, and
1690 * tests seem to bear it out for CertVerifyRevocation() as well. */
1691 if (verify_flags & CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG)
1692 timeout /= 2;
1693
1694 for (i = 0; i < array->cUrl; ++i)
1695 {
1696 if (CryptRetrieveObjectByUrlW(array->rgwszUrl[i], CONTEXT_OID_CRL, retrieve_flags,
1697 timeout, (void **)&crl, NULL, NULL, NULL, NULL))
1698 return crl;
1699
1700 /* We don't check the current time here. This may result in less
1701 * accurate timeouts, but this too seems to be true of Windows. */
1702 if ((verify_flags & CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG) && GetLastError() == ERROR_TIMEOUT)
1703 timeout /= 2;
1704 }
1705
1706 return NULL;
1707 }
1708
1709 static DWORD verify_cert_revocation_from_dist_points_ext(const CRYPT_DATA_BLOB *value, const CERT_CONTEXT *cert,
1710 FILETIME *time, DWORD flags, const CERT_REVOCATION_PARA *params, CERT_REVOCATION_STATUS *status,
1711 FILETIME *next_update)
1712 {
1713 DWORD url_array_size, error;
1714 CRYPT_URL_ARRAY *url_array;
1715 const CRL_CONTEXT *crl;
1716 DWORD timeout = 0;
1717
1718 if (!params || !params->pIssuerCert)
1719 {
1720 TRACE("no issuer certificate\n");
1721 return CRYPT_E_REVOCATION_OFFLINE;
1722 }
1723
1724 if (!CRYPT_GetUrlFromCRLDistPointsExt(value, NULL, &url_array_size, NULL, NULL))
1725 return GetLastError();
1726
1727 if (!(url_array = CryptMemAlloc(url_array_size)))
1728 return ERROR_OUTOFMEMORY;
1729
1730 if (!CRYPT_GetUrlFromCRLDistPointsExt(value, url_array, &url_array_size, NULL, NULL))
1731 {
1732 CryptMemFree(url_array);
1733 return GetLastError();
1734 }
1735
1736 if (params && params->cbSize >= RTL_SIZEOF_THROUGH_FIELD(CERT_REVOCATION_PARA, dwUrlRetrievalTimeout))
1737 timeout = params->dwUrlRetrievalTimeout;
1738
1739 if (!(crl = retrieve_crl_from_dist_points(url_array, flags, timeout)))
1740 {
1741 CryptMemFree(url_array);
1742 return CRYPT_E_REVOCATION_OFFLINE;
1743 }
1744
1745 error = verify_cert_revocation_with_crl_online(cert, crl, time, status);
1746
1747 *next_update = crl->pCrlInfo->NextUpdate;
1748
1749 CertFreeCRLContext(crl);
1750 CryptMemFree(url_array);
1751 return error;
1752 }
1753
1754 static void sha1_hash(const BYTE *data, DWORD datalen, BYTE *buf, DWORD *buflen)
1755 {
1756 HCRYPTPROV prov;
1757 HCRYPTHASH hash;
1758
1759 CryptAcquireContextW(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
1760 CryptCreateHash(prov, CALG_SHA1, 0, 0, &hash);
1761 CryptHashData(hash, data, datalen, 0);
1762 CryptGetHashParam(hash, HP_HASHVAL, buf, buflen, 0);
1763
1764 CryptDestroyHash(hash);
1765 CryptReleaseContext(prov, 0);
1766 }
1767
1768 static BYTE *build_ocsp_request(const CERT_CONTEXT *cert, const CERT_CONTEXT *issuer_cert, DWORD *ret_size)
1769 {
1770 OCSP_REQUEST_ENTRY entry;
1771 OCSP_REQUEST_INFO request;
1772 OCSP_SIGNED_REQUEST_INFO request_signed;
1773 CERT_INFO *issuer = issuer_cert->pCertInfo;
1774 BYTE issuer_name_hash[20], issuer_key_hash[20], *buf, *ret;
1775 DWORD size = 0, hash_len = sizeof(issuer_name_hash);
1776
1777 memset(&entry, 0, sizeof(entry));
1778 entry.CertId.HashAlgorithm.pszObjId = (char *)szOID_OIWSEC_sha1;
1779
1780 sha1_hash(issuer->Subject.pbData, issuer->Subject.cbData, issuer_name_hash, &hash_len);
1781 entry.CertId.IssuerNameHash.cbData = sizeof(issuer_name_hash);
1782 entry.CertId.IssuerNameHash.pbData = issuer_name_hash;
1783
1784 sha1_hash(issuer->SubjectPublicKeyInfo.PublicKey.pbData, issuer->SubjectPublicKeyInfo.PublicKey.cbData,
1785 issuer_key_hash, &hash_len);
1786 entry.CertId.IssuerKeyHash.cbData = sizeof(issuer_key_hash);
1787 entry.CertId.IssuerKeyHash.pbData = issuer_key_hash;
1788
1789 entry.CertId.SerialNumber.cbData = cert->pCertInfo->SerialNumber.cbData;
1790 entry.CertId.SerialNumber.pbData = cert->pCertInfo->SerialNumber.pbData;
1791
1792 request.dwVersion = OCSP_REQUEST_V1;
1793 request.pRequestorName = NULL;
1794 request.cRequestEntry = 1;
1795 request.rgRequestEntry = &entry;
1796 request.cExtension = 0;
1797 request.rgExtension = NULL;
1798 if (!CryptEncodeObjectEx(X509_ASN_ENCODING, OCSP_REQUEST, &request, CRYPT_ENCODE_ALLOC_FLAG, NULL, &buf, &size))
1799 {
1800 ERR("failed to encode request %#lx\n", GetLastError());
1801 return NULL;
1802 }
1803
1804 request_signed.ToBeSigned.pbData = buf;
1805 request_signed.ToBeSigned.cbData = size;
1806 request_signed.pOptionalSignatureInfo = NULL;
1807 if (!CryptEncodeObjectEx(X509_ASN_ENCODING, OCSP_SIGNED_REQUEST, &request_signed, CRYPT_ENCODE_ALLOC_FLAG, NULL,
1808 &ret, &size))
1809 {
1810 ERR("failed to encode signed request %#lx\n", GetLastError());
1811 LocalFree(buf);
1812 return NULL;
1813 }
1814
1815 LocalFree(buf);
1816 *ret_size = size;
1817 return ret;
1818 }
1819
1820 static void escape_path(const WCHAR *src, DWORD src_len, WCHAR *dst, DWORD *dst_len)
1821 {
1822 static const WCHAR hex[] = L"0123456789ABCDEF";
1823 WCHAR *ptr = dst;
1824 DWORD i;
1825
1826 *dst_len = src_len;
1827 for (i = 0; i < src_len; i++)
1828 {
1829 if (src[i] == '+' || src[i] == '/' || src[i] == '=')
1830 {
1831 if (dst)
1832 {
1833 ptr[0] = '%';
1834 ptr[1] = hex[(src[i] >> 4) & 0xf];
1835 ptr[2] = hex[src[i] & 0xf];
1836 ptr += 3;
1837 }
1838 *dst_len += 2;
1839 }
1840 else if (dst) *ptr++ = src[i];
1841 }
1842 }
1843
1844 static WCHAR *build_request_path(const BYTE *data, DWORD data_size)
1845 {
1846 WCHAR *path, *ret;
1847 DWORD path_len, ret_len;
1848
1849 if (!CryptBinaryToStringW(data, data_size, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, &path_len)) return NULL;
1850 if (!(path = malloc(path_len * sizeof(WCHAR)))) return NULL;
1851 CryptBinaryToStringW(data, data_size, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, path, &path_len);
1852
1853 escape_path(path, path_len, NULL, &ret_len);
1854 if (!(ret = malloc((ret_len + 2) * sizeof(WCHAR))))
1855 {
1856 free(path);
1857 return NULL;
1858 }
1859 escape_path(path, path_len, ret + 1, &ret_len);
1860 ret[ret_len + 1] = 0;
1861 ret[0] = '/';
1862
1863 free(path);
1864 return ret;
1865 }
1866
1867 static WCHAR *build_request_url(const WCHAR *base_url, const BYTE *data, DWORD data_size)
1868 {
1869 WCHAR *path, *ret;
1870 DWORD len = 0;
1871
1872 if (!(path = build_request_path(data, data_size))) return NULL;
1873
1874 InternetCombineUrlW(base_url, path, NULL, &len, 0);
1875 if (!(ret = malloc(len * sizeof(WCHAR))))
1876 {
1877 free(path);
1878 return NULL;
1879 }
1880 InternetCombineUrlW(base_url, path, ret, &len, 0);
1881 free(path);
1882 return ret;
1883 }
1884
1885 static DWORD map_ocsp_status(DWORD status)
1886 {
1887 switch (status)
1888 {
1889 case OCSP_BASIC_GOOD_CERT_STATUS: return ERROR_SUCCESS;
1890 case OCSP_BASIC_REVOKED_CERT_STATUS: return CRYPT_E_REVOKED;
1891 case OCSP_BASIC_UNKNOWN_CERT_STATUS: return CRYPT_E_REVOCATION_OFFLINE;
1892 default:
1893 FIXME("unhandled status %lu\n", status);
1894 return CRYPT_E_REVOCATION_OFFLINE;
1895 }
1896 }
1897
1898 static BOOL match_cert_id(const OCSP_CERT_ID *id, const CERT_INFO *cert, const CERT_INFO *issuer)
1899 {
1900 BYTE hash[20];
1901 DWORD hash_len = sizeof(hash);
1902
1903 if (!id->HashAlgorithm.pszObjId || strcmp(id->HashAlgorithm.pszObjId, szOID_OIWSEC_sha1))
1904 {
1905 FIXME("hash algorithm %s not supported\n", debugstr_a(id->HashAlgorithm.pszObjId));
1906 return FALSE;
1907 }
1908
1909 sha1_hash(issuer->Subject.pbData, issuer->Subject.cbData, hash, &hash_len);
1910 if (id->IssuerNameHash.cbData != hash_len) return FALSE;
1911 if (memcmp(id->IssuerNameHash.pbData, hash, hash_len)) return FALSE;
1912
1913 sha1_hash(issuer->SubjectPublicKeyInfo.PublicKey.pbData,
1914 issuer->SubjectPublicKeyInfo.PublicKey.cbData, hash, &hash_len);
1915 if (id->IssuerKeyHash.cbData != hash_len) return FALSE;
1916 if (memcmp(id->IssuerKeyHash.pbData, hash, hash_len)) return FALSE;
1917
1918 if (cert->SerialNumber.cbData != id->SerialNumber.cbData) return FALSE;
1919 return !memcmp(cert->SerialNumber.pbData, id->SerialNumber.pbData, id->SerialNumber.cbData);
1920 }
1921
1922 static DWORD check_ocsp_response_info(const CERT_INFO *cert, const CERT_INFO *issuer,
1923 const CRYPT_OBJID_BLOB *blob, DWORD *status, FILETIME *next_update)
1924 {
1925 OCSP_BASIC_RESPONSE_INFO *info;
1926 DWORD size, i;
1927
1928 memset(next_update, 0, sizeof(*next_update));
1929 if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_BASIC_RESPONSE, blob->pbData, blob->cbData,
1930 CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)) return GetLastError();
1931
1932 FIXME("check responder id\n");
1933 for (i = 0; i < info->cResponseEntry; i++)
1934 {
1935 OCSP_BASIC_RESPONSE_ENTRY *entry = &info->rgResponseEntry[i];
1936 if (match_cert_id(&entry->CertId, cert, issuer))
1937 {
1938 *status = map_ocsp_status(entry->dwCertStatus);
1939 *next_update = entry->NextUpdate;
1940 }
1941 }
1942
1943 LocalFree(info);
1944 return ERROR_SUCCESS;
1945 }
1946
1947 static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_INFO *issuer,
1948 const CRYPT_OBJID_BLOB *blob, FILETIME *next_update)
1949 {
1950 OCSP_BASIC_SIGNED_RESPONSE_INFO *info;
1951 DWORD size, error, status = CRYPT_E_REVOCATION_OFFLINE;
1952 CRYPT_ALGORITHM_IDENTIFIER *alg;
1953 CRYPT_BIT_BLOB *sig;
1954 HCRYPTPROV prov = 0;
1955 HCRYPTHASH hash = 0;
1956 HCRYPTKEY key = 0;
1957 DWORD algid;
1958
1959 if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_BASIC_SIGNED_RESPONSE, blob->pbData, blob->cbData,
1960 CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)) return GetLastError();
1961
1962 if ((error = check_ocsp_response_info(cert, issuer, &info->ToBeSigned, &status, next_update))) goto done;
1963
1964 alg = &info->SignatureInfo.SignatureAlgorithm;
1965 if (!alg->pszObjId || !(algid = CertOIDToAlgId(alg->pszObjId)))
1966 {
1967 FIXME("unhandled signature algorithm %s\n", debugstr_a(alg->pszObjId));
1968 error = CRYPT_E_NO_REVOCATION_CHECK;
1969 goto done;
1970 }
1971
1972 if (!CryptAcquireContextW(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) goto done;
1973 if (!CryptCreateHash(prov, algid, 0, 0, &hash)) goto done;
1974 if (!CryptHashData(hash, info->ToBeSigned.pbData, info->ToBeSigned.cbData, 0)) goto done;
1975
1976 sig = &info->SignatureInfo.Signature;
1977 if (!CryptImportPublicKeyInfoEx(prov, X509_ASN_ENCODING, (CERT_PUBLIC_KEY_INFO *)&issuer->SubjectPublicKeyInfo,
1978 0, 0, NULL, &key))
1979 {
1980 error = GetLastError();
1981 TRACE("failed to import public key %#lx\n", error);
1982 }
1983 else if (!CryptVerifySignatureW(hash, sig->pbData, sig->cbData, key, NULL, 0))
1984 {
1985 error = GetLastError();
1986 TRACE("failed to verify signature %#lx\n", error);
1987 }
1988 else error = ERROR_SUCCESS;
1989
1990 done:
1991 CryptDestroyKey(key);
1992 CryptDestroyHash(hash);
1993 CryptReleaseContext(prov, 0);
1994 LocalFree(info);
1995 if (error) return error;
1996 return status;
1997 }
1998
1999 static DWORD handle_ocsp_response(const CERT_INFO *cert, const CERT_INFO *issuer, const BYTE *encoded,
2000 DWORD encoded_size, FILETIME *next_update)
2001 {
2002 OCSP_RESPONSE_INFO *info;
2003 DWORD size, error = CRYPT_E_NO_REVOCATION_CHECK;
2004
2005 if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_RESPONSE, encoded, encoded_size, CRYPT_DECODE_ALLOC_FLAG, NULL,
2006 &info, &size)) return GetLastError();
2007
2008 switch (info->dwStatus)
2009 {
2010 case OCSP_SUCCESSFUL_RESPONSE:
2011 if (!info->pszObjId || strcmp(info->pszObjId, szOID_PKIX_OCSP_BASIC_SIGNED_RESPONSE))
2012 {
2013 FIXME("unhandled response type %s\n", debugstr_a(info->pszObjId));
2014 break;
2015 }
2016 error = verify_signed_ocsp_response_info(cert, issuer, &info->Value, next_update);
2017 break;
2018
2019 default:
2020 FIXME("unhandled status %lu\n", info->dwStatus);
2021 break;
2022 }
2023
2024 LocalFree(info);
2025 return error;
2026 }
2027
2028 static DWORD verify_cert_revocation_with_ocsp(const CERT_CONTEXT *cert, const WCHAR *base_url,
2029 const CERT_REVOCATION_PARA *revpara, FILETIME *next_update)
2030 {
2031 HINTERNET ses, con, req = NULL;
2032 BYTE *request_data = NULL, *response_data = NULL;
2033 DWORD size, flags, status, request_len, response_len, count, ret = CRYPT_E_REVOCATION_OFFLINE;
2034 URL_COMPONENTSW comp;
2035 WCHAR *url;
2036
2037 if (!revpara || !revpara->pIssuerCert)
2038 {
2039 TRACE("no issuer certificate\n");
2040 return CRYPT_E_REVOCATION_OFFLINE;
2041 }
2042 if (!(request_data = build_ocsp_request(cert, revpara->pIssuerCert, &request_len)))
2043 return CRYPT_E_REVOCATION_OFFLINE;
2044
2045 url = build_request_url(base_url, request_data, request_len);
2046 LocalFree(request_data);
2047 if (!url) return CRYPT_E_REVOCATION_OFFLINE;
2048
2049 memset(&comp, 0, sizeof(comp));
2050 comp.dwStructSize = sizeof(comp);
2051 comp.dwHostNameLength = ~0u;
2052 comp.dwUrlPathLength = ~0u;
2053 if (!InternetCrackUrlW(url, 0, 0, &comp))
2054 {
2055 free(url);
2056 return CRYPT_E_REVOCATION_OFFLINE;
2057 }
2058
2059 switch (comp.nScheme)
2060 {
2061 case INTERNET_SCHEME_HTTP:
2062 flags = 0;
2063 break;
2064 case INTERNET_SCHEME_HTTPS:
2065 flags = INTERNET_FLAG_SECURE;
2066 break;
2067 default:
2068 FIXME("scheme %u not supported\n", comp.nScheme);
2069 free(url);
2070 return ERROR_NOT_SUPPORTED;
2071 }
2072
2073 if (!(ses = InternetOpenW(L"CryptoAPI", 0, NULL, NULL, 0))) return GetLastError();
2074 comp.lpszHostName[comp.dwHostNameLength] = 0;
2075 if (!(con = InternetConnectW(ses, comp.lpszHostName, comp.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0)))
2076 {
2077 free(url);
2078 InternetCloseHandle(ses);
2079 return GetLastError();
2080 }
2081 comp.lpszHostName[comp.dwHostNameLength] = '/';
2082 if (!(req = HttpOpenRequestW(con, NULL, comp.lpszUrlPath, NULL, NULL, NULL, flags, 0)) ||
2083 !HttpSendRequestW(req, NULL, 0, NULL, 0)) goto done;
2084
2085 size = sizeof(status);
2086 if (!HttpQueryInfoW(req, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, &status, &size, NULL)) goto done;
2087 if (status != HTTP_STATUS_OK)
2088 {
2089 WARN("request status %lu\n", status);
2090 goto done;
2091 }
2092
2093 size = sizeof(response_len);
2094 if (!HttpQueryInfoW(req, HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_CONTENT_LENGTH, &response_len, &size, 0) ||
2095 !response_len || !(response_data = malloc(response_len)) ||
2096 !InternetReadFile(req, response_data, response_len, &count) || count != response_len) goto done;
2097
2098 ret = handle_ocsp_response(cert->pCertInfo, revpara->pIssuerCert->pCertInfo, response_data, response_len,
2099 next_update);
2100
2101 done:
2102 free(url);
2103 free(response_data);
2104 InternetCloseHandle(req);
2105 InternetCloseHandle(con);
2106 InternetCloseHandle(ses);
2107 return ret;
2108 }
2109
2110 static DWORD verify_cert_revocation_from_aia_ext(const CRYPT_DATA_BLOB *value, const CERT_CONTEXT *cert,
2111 FILETIME *pTime, DWORD dwFlags, CERT_REVOCATION_PARA *pRevPara, CERT_REVOCATION_STATUS *pRevStatus,
2112 FILETIME *next_update)
2113 {
2114 BOOL ret;
2115 DWORD size, i, error = CRYPT_E_NO_REVOCATION_CHECK;
2116 CERT_AUTHORITY_INFO_ACCESS *aia;
2117
2118 ret = CryptDecodeObjectEx(X509_ASN_ENCODING, X509_AUTHORITY_INFO_ACCESS, value->pbData, value->cbData,
2119 CRYPT_DECODE_ALLOC_FLAG, NULL, &aia, &size);
2120 if (!ret) return GetLastError();
2121
2122 for (i = 0; i < aia->cAccDescr; i++)
2123 {
2124 if (!strcmp(aia->rgAccDescr[i].pszAccessMethod, szOID_PKIX_OCSP))
2125 {
2126 if (aia->rgAccDescr[i].AccessLocation.dwAltNameChoice == CERT_ALT_NAME_URL)
2127 {
2128 const WCHAR *url = aia->rgAccDescr[i].AccessLocation.u.pwszURL;
2129 TRACE("OCSP URL = %s\n", debugstr_w(url));
2130 error = verify_cert_revocation_with_ocsp(cert, url, pRevPara, next_update);
2131 }
2132 else
2133 {
2134 FIXME("unsupported AccessLocation type %lu\n", aia->rgAccDescr[i].AccessLocation.dwAltNameChoice);
2135 error = ERROR_NOT_SUPPORTED;
2136 }
2137 break;
2138 }
2139 }
2140
2141 LocalFree(aia);
2142 return error;
2143 }
2144
2145 static DWORD verify_cert_revocation_with_crl_offline(PCCERT_CONTEXT cert,
2146 const CRL_CONTEXT *crl, FILETIME *pTime, CERT_REVOCATION_STATUS *pRevStatus)
2147 {
2148 PCRL_ENTRY entry = NULL;
2149 LONG valid;
2150
2151 valid = CompareFileTime(pTime, &crl->pCrlInfo->ThisUpdate);
2152 if (valid <= 0)
2153 {
2154 /* If this CRL is not older than the time being verified, there's no
2155 * way to know whether the certificate was revoked.
2156 */
2157 TRACE("CRL not old enough\n");
2158 return CRYPT_E_REVOCATION_OFFLINE;
2159 }
2160
2161 CertFindCertificateInCRL(cert, crl, 0, NULL, &entry);
2162 if (entry)
2163 return CRYPT_E_REVOKED;
2164
2165 /* Since the CRL was not retrieved for the cert being checked, there's no
2166 * guarantee it's fresh, so the cert *might* be okay, but it's safer not to
2167 * guess. */
2168 TRACE("certificate not found\n");
2169 return CRYPT_E_REVOCATION_OFFLINE;
2170 }
2171
2172 static DWORD verify_cert_revocation(const CERT_CONTEXT *cert, FILETIME *pTime,
2173 DWORD dwFlags, CERT_REVOCATION_PARA *pRevPara, CERT_REVOCATION_STATUS *pRevStatus)
2174 {
2175 DWORD error = ERROR_SUCCESS;
2176 FILETIME next_update = {0};
2177 PCERT_EXTENSION ext;
2178
2179 if (find_cached_revocation_status(cert, pRevPara, pTime, pRevStatus))
2180 {
2181 if (pRevStatus->dwError == ERROR_SUCCESS || pRevStatus->dwError == CRYPT_E_REVOKED)
2182 {
2183 TRACE("Returning cached status.\n");
2184 return pRevStatus->dwError;
2185 }
2186 }
2187
2188 if ((ext = CertFindExtension(szOID_AUTHORITY_INFO_ACCESS, cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
2189 {
2190 error = verify_cert_revocation_from_aia_ext(&ext->Value, cert, pTime, dwFlags, pRevPara, pRevStatus,
2191 &next_update);
2192 TRACE("verify_cert_revocation_from_aia_ext() returned %08lx\n", error);
2193 if (error == ERROR_SUCCESS || error == CRYPT_E_REVOKED) goto done;
2194 }
2195 if ((ext = CertFindExtension(szOID_CRL_DIST_POINTS, cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
2196 {
2197 error = verify_cert_revocation_from_dist_points_ext(&ext->Value, cert, pTime, dwFlags, pRevPara, pRevStatus,
2198 &next_update);
2199 TRACE("verify_cert_revocation_from_dist_points_ext() returned %08lx\n", error);
2200 if (error == ERROR_SUCCESS || error == CRYPT_E_REVOKED) goto done;
2201 }
2202 if (!ext)
2203 {
2204 if (pRevPara && pRevPara->hCrlStore && pRevPara->pIssuerCert)
2205 {
2206 PCCRL_CONTEXT crl = NULL;
2207 BOOL canSignCRLs;
2208
2209 /* If the caller told us about the issuer, make sure the issuer
2210 * can sign CRLs before looking for one.
2211 */
2212 if ((ext = CertFindExtension(szOID_KEY_USAGE,
2213 pRevPara->pIssuerCert->pCertInfo->cExtension,
2214 pRevPara->pIssuerCert->pCertInfo->rgExtension)))
2215 {
2216 CRYPT_BIT_BLOB usage;
2217 DWORD size = sizeof(usage);
2218
2219 if (!CryptDecodeObjectEx(cert->dwCertEncodingType, X509_BITS,
2220 ext->Value.pbData, ext->Value.cbData,
2221 CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
2222 canSignCRLs = FALSE;
2223 else if (usage.cbData > 2)
2224 {
2225 /* The key usage extension only defines 9 bits => no more
2226 * than 2 bytes are needed to encode all known usages.
2227 */
2228 canSignCRLs = FALSE;
2229 }
2230 else
2231 {
2232 BYTE usageBits = usage.pbData[usage.cbData - 1];
2233
2234 canSignCRLs = usageBits & CERT_CRL_SIGN_KEY_USAGE;
2235 }
2236 }
2237 else
2238 canSignCRLs = TRUE;
2239 if (canSignCRLs)
2240 {
2241 /* If the caller was helpful enough to tell us where to find a
2242 * CRL for the cert, look for one and check it.
2243 */
2244 crl = CertFindCRLInStore(pRevPara->hCrlStore,
2245 cert->dwCertEncodingType,
2246 CRL_FIND_ISSUED_BY_SIGNATURE_FLAG |
2247 CRL_FIND_ISSUED_BY_AKI_FLAG,
2248 CRL_FIND_ISSUED_BY, pRevPara->pIssuerCert, NULL);
2249 }
2250 if (crl)
2251 {
2252 error = verify_cert_revocation_with_crl_offline(cert, crl, pTime, pRevStatus);
2253 CertFreeCRLContext(crl);
2254 }
2255 else
2256 {
2257 TRACE("no CRL found\n");
2258 error = CRYPT_E_NO_REVOCATION_CHECK;
2259 }
2260 }
2261 else
2262 {
2263 if (!pRevPara)
2264 WARN("no CERT_REVOCATION_PARA\n");
2265 else if (!pRevPara->hCrlStore)
2266 WARN("no dist points/aia extension and no CRL store\n");
2267 else if (!pRevPara->pIssuerCert)
2268 WARN("no dist points/aia extension and no issuer\n");
2269 error = CRYPT_E_NO_REVOCATION_CHECK;
2270 }
2271 }
2272 done:
2273 if ((next_update.dwLowDateTime || next_update.dwHighDateTime)
2274 && (error == ERROR_SUCCESS || error == CRYPT_E_REVOKED))
2275 {
2276 CERT_REVOCATION_STATUS rev_status;
2277
2278 memset(&rev_status, 0, sizeof(rev_status));
2279 rev_status.cbSize = sizeof(rev_status);
2280 rev_status.dwError = error;
2281 cache_revocation_status(cert, pRevPara, &next_update, &rev_status);
2282 }
2283 return error;
2284 }
2285
2286 typedef struct _CERT_REVOCATION_PARA_NO_EXTRA_FIELDS {
2287 DWORD cbSize;
2288 PCCERT_CONTEXT pIssuerCert;
2289 DWORD cCertStore;
2290 HCERTSTORE *rgCertStore;
2291 HCERTSTORE hCrlStore;
2292 LPFILETIME pftTimeToUse;
2293 } CERT_REVOCATION_PARA_NO_EXTRA_FIELDS;
2294
2295 typedef struct _OLD_CERT_REVOCATION_STATUS {
2296 DWORD cbSize;
2297 DWORD dwIndex;
2298 DWORD dwError;
2299 DWORD dwReason;
2300 } OLD_CERT_REVOCATION_STATUS;
2301
2302 /***********************************************************************
2303 * CertDllVerifyRevocation (CRYPTNET.@)
2304 */
2305 BOOL WINAPI CertDllVerifyRevocation(DWORD dwEncodingType, DWORD dwRevType,
2306 DWORD cContext, PVOID rgpvContext[], DWORD dwFlags,
2307 PCERT_REVOCATION_PARA pRevPara, PCERT_REVOCATION_STATUS pRevStatus)
2308 {
2309 DWORD error = 0, i;
2310 FILETIME now;
2311 LPFILETIME pTime = NULL;
2312
2313 TRACE("(%08lx, %ld, %ld, %p, %08lx, %p, %p)\n", dwEncodingType, dwRevType,
2314 cContext, rgpvContext, dwFlags, pRevPara, pRevStatus);
2315
2316 if (pRevStatus->cbSize != sizeof(OLD_CERT_REVOCATION_STATUS) &&
2317 pRevStatus->cbSize != sizeof(CERT_REVOCATION_STATUS))
2318 {
2319 SetLastError(E_INVALIDARG);
2320 return FALSE;
2321 }
2322 if (!cContext)
2323 {
2324 SetLastError(E_INVALIDARG);
2325 return FALSE;
2326 }
2327 if (pRevPara && pRevPara->cbSize >=
2328 sizeof(CERT_REVOCATION_PARA_NO_EXTRA_FIELDS))
2329 pTime = pRevPara->pftTimeToUse;
2330 if (!pTime)
2331 {
2332 GetSystemTimeAsFileTime(&now);
2333 pTime = &now;
2334 }
2335 memset(&pRevStatus->dwIndex, 0, pRevStatus->cbSize - sizeof(DWORD));
2336 if (dwRevType != CERT_CONTEXT_REVOCATION_TYPE)
2337 error = CRYPT_E_NO_REVOCATION_CHECK;
2338 else
2339 {
2340 for (i = 0; i < cContext; i++)
2341 {
2342 if ((error = verify_cert_revocation(rgpvContext[i], pTime, dwFlags, pRevPara, pRevStatus)))
2343 {
2344 pRevStatus->dwIndex = i;
2345 break;
2346 }
2347 }
2348 }
2349 if (error)
2350 {
2351 SetLastError(error);
2352 pRevStatus->dwError = error;
2353 }
2354 TRACE("returning %d (%08lx)\n", !error, error);
2355 return !error;
2356 }
Windows API implementation