dlls/crypt32/crl.c

   1 /*
   2  * Copyright 2006 Juan Lang
   3  *
   4  * This library is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU Lesser General Public
   6  * License as published by the Free Software Foundation; either
   7  * version 2.1 of the License, or (at your option) any later version.
   8  *
   9  * This library is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  12  * Lesser General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU Lesser General Public
  15  * License along with this library; if not, write to the Free Software
  16  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  17  *
  18  */
  19
  20 #include <assert.h>
  21 #include <stdarg.h>
  22 #define NONAMELESSUNION
  23 #include "windef.h"
  24 #include "winbase.h"
  25 #include "wincrypt.h"
  26 #include "wine/debug.h"
  27 #include "wine/unicode.h"
  28 #include "crypt32_private.h"
  29
  30 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
  31
  32 PCCRL_CONTEXT WINAPI CertCreateCRLContext(DWORD dwCertEncodingType,
  33  const BYTE* pbCrlEncoded, DWORD cbCrlEncoded)
  34 {
  35     PCRL_CONTEXT crl = NULL;
  36     BOOL ret;
  37     PCRL_INFO crlInfo = NULL;
  38     DWORD size = 0;
  39
  40     TRACE("(%08x, %p, %d)\n", dwCertEncodingType, pbCrlEncoded,
  41      cbCrlEncoded);
  42
  43     if ((dwCertEncodingType & CERT_ENCODING_TYPE_MASK) != X509_ASN_ENCODING)
  44     {
  45         SetLastError(E_INVALIDARG);
  46         return NULL;
  47     }
  48     ret = CryptDecodeObjectEx(dwCertEncodingType, X509_CERT_CRL_TO_BE_SIGNED,
  49      pbCrlEncoded, cbCrlEncoded, CRYPT_DECODE_ALLOC_FLAG, NULL,
  50      &crlInfo, &size);
  51     if (ret)
  52     {
  53         BYTE *data = NULL;
  54
  55         crl = Context_CreateDataContext(sizeof(CRL_CONTEXT));
  56         if (!crl)
  57             goto end;
  58         data = CryptMemAlloc(cbCrlEncoded);
  59         if (!data)
  60         {
  61             CryptMemFree(crl);
  62             crl = NULL;
  63             goto end;
  64         }
  65         memcpy(data, pbCrlEncoded, cbCrlEncoded);
  66         crl->dwCertEncodingType = dwCertEncodingType;
  67         crl->pbCrlEncoded       = data;
  68         crl->cbCrlEncoded       = cbCrlEncoded;
  69         crl->pCrlInfo           = crlInfo;
  70         crl->hCertStore         = 0;
  71     }
  72
  73 end:
  74     return crl;
  75 }
  76
  77 BOOL WINAPI CertAddEncodedCRLToStore(HCERTSTORE hCertStore,
  78  DWORD dwCertEncodingType, const BYTE *pbCrlEncoded, DWORD cbCrlEncoded,
  79  DWORD dwAddDisposition, PCCRL_CONTEXT *ppCrlContext)
  80 {
  81     PCCRL_CONTEXT crl = CertCreateCRLContext(dwCertEncodingType,
  82      pbCrlEncoded, cbCrlEncoded);
  83     BOOL ret;
  84
  85     TRACE("(%p, %08x, %p, %d, %08x, %p)\n", hCertStore, dwCertEncodingType,
  86      pbCrlEncoded, cbCrlEncoded, dwAddDisposition, ppCrlContext);
  87
  88     if (crl)
  89     {
  90         ret = CertAddCRLContextToStore(hCertStore, crl, dwAddDisposition,
  91          ppCrlContext);
  92         CertFreeCRLContext(crl);
  93     }
  94     else
  95         ret = FALSE;
  96     return ret;
  97 }
  98
  99 typedef BOOL (*CrlCompareFunc)(PCCRL_CONTEXT pCrlContext, DWORD dwType,
 100  DWORD dwFlags, const void *pvPara);
 101
 102 static BOOL compare_crl_any(PCCRL_CONTEXT pCrlContext, DWORD dwType,
 103  DWORD dwFlags, const void *pvPara)
 104 {
 105     return TRUE;
 106 }
 107
 108 static BOOL compare_crl_issued_by(PCCRL_CONTEXT pCrlContext, DWORD dwType,
 109  DWORD dwFlags, const void *pvPara)
 110 {
 111     BOOL ret;
 112
 113     if (pvPara)
 114     {
 115         PCCERT_CONTEXT issuer = pvPara;
 116
 117         ret = CertCompareCertificateName(issuer->dwCertEncodingType,
 118          &issuer->pCertInfo->Issuer, &pCrlContext->pCrlInfo->Issuer);
 119     }
 120     else
 121         ret = TRUE;
 122     return ret;
 123 }
 124
 125 static BOOL compare_crl_existing(PCCRL_CONTEXT pCrlContext, DWORD dwType,
 126  DWORD dwFlags, const void *pvPara)
 127 {
 128     BOOL ret;
 129
 130     if (pvPara)
 131     {
 132         PCCRL_CONTEXT crl = pvPara;
 133
 134         ret = CertCompareCertificateName(pCrlContext->dwCertEncodingType,
 135          &pCrlContext->pCrlInfo->Issuer, &crl->pCrlInfo->Issuer);
 136     }
 137     else
 138         ret = TRUE;
 139     return ret;
 140 }
 141
 142 static BOOL compare_crl_issued_for(PCCRL_CONTEXT pCrlContext, DWORD dwType,
 143  DWORD dwFlags, const void *pvPara)
 144 {
 145     const CRL_FIND_ISSUED_FOR_PARA *para = pvPara;
 146     BOOL ret;
 147
 148     ret = CertCompareCertificateName(para->pIssuerCert->dwCertEncodingType,
 149      &para->pIssuerCert->pCertInfo->Issuer, &pCrlContext->pCrlInfo->Issuer);
 150     if (ret)
 151         ret = CertIsValidCRLForCertificate(para->pSubjectCert, pCrlContext,
 152          0, NULL);
 153     return ret;
 154 }
 155
 156 PCCRL_CONTEXT WINAPI CertFindCRLInStore(HCERTSTORE hCertStore,
 157  DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType,
 158  const void *pvFindPara, PCCRL_CONTEXT pPrevCrlContext)
 159 {
 160     PCCRL_CONTEXT ret;
 161     CrlCompareFunc compare;
 162
 163     TRACE("(%p, %d, %d, %d, %p, %p)\n", hCertStore, dwCertEncodingType,
 164          dwFindFlags, dwFindType, pvFindPara, pPrevCrlContext);
 165
 166     switch (dwFindType)
 167     {
 168     case CRL_FIND_ANY:
 169         compare = compare_crl_any;
 170         break;
 171     case CRL_FIND_ISSUED_BY:
 172         compare = compare_crl_issued_by;
 173         break;
 174     case CRL_FIND_EXISTING:
 175         compare = compare_crl_existing;
 176         break;
 177     case CRL_FIND_ISSUED_FOR:
 178         compare = compare_crl_issued_for;
 179         break;
 180     default:
 181         FIXME("find type %08x unimplemented\n", dwFindType);
 182         compare = NULL;
 183     }
 184
 185     if (compare)
 186     {
 187         BOOL matches = FALSE;
 188
 189         ret = pPrevCrlContext;
 190         do {
 191             ret = CertEnumCRLsInStore(hCertStore, ret);
 192             if (ret)
 193                 matches = compare(ret, dwFindType, dwFindFlags, pvFindPara);
 194         } while (ret != NULL && !matches);
 195         if (!ret)
 196             SetLastError(CRYPT_E_NOT_FOUND);
 197     }
 198     else
 199     {
 200         SetLastError(CRYPT_E_NOT_FOUND);
 201         ret = NULL;
 202     }
 203     return ret;
 204 }
 205
 206 PCCRL_CONTEXT WINAPI CertGetCRLFromStore(HCERTSTORE hCertStore,
 207  PCCERT_CONTEXT pIssuerContext, PCCRL_CONTEXT pPrevCrlContext, DWORD *pdwFlags)
 208 {
 209     static const DWORD supportedFlags = CERT_STORE_SIGNATURE_FLAG |
 210      CERT_STORE_TIME_VALIDITY_FLAG | CERT_STORE_BASE_CRL_FLAG |
 211      CERT_STORE_DELTA_CRL_FLAG;
 212     PCCRL_CONTEXT ret;
 213
 214     TRACE("(%p, %p, %p, %08x)\n", hCertStore, pIssuerContext, pPrevCrlContext,
 215      *pdwFlags);
 216
 217     if (*pdwFlags & ~supportedFlags)
 218     {
 219         SetLastError(E_INVALIDARG);
 220         return NULL;
 221     }
 222     if (pIssuerContext)
 223         ret = CertFindCRLInStore(hCertStore, pIssuerContext->dwCertEncodingType,
 224          0, CRL_FIND_ISSUED_BY, pIssuerContext, pPrevCrlContext);
 225     else
 226         ret = CertFindCRLInStore(hCertStore, 0, 0, CRL_FIND_ANY, NULL,
 227          pPrevCrlContext);
 228     if (ret)
 229     {
 230         if (*pdwFlags & CERT_STORE_TIME_VALIDITY_FLAG)
 231         {
 232             if (0 == CertVerifyCRLTimeValidity(NULL, ret->pCrlInfo))
 233                 *pdwFlags &= ~CERT_STORE_TIME_VALIDITY_FLAG;
 234         }
 235         if (*pdwFlags & CERT_STORE_SIGNATURE_FLAG)
 236         {
 237             if (CryptVerifyCertificateSignatureEx(0, ret->dwCertEncodingType,
 238              CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL, (void *)ret,
 239              CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)pIssuerContext, 0,
 240              NULL))
 241                 *pdwFlags &= ~CERT_STORE_SIGNATURE_FLAG;
 242         }
 243     }
 244     return ret;
 245 }
 246
 247 PCCRL_CONTEXT WINAPI CertDuplicateCRLContext(PCCRL_CONTEXT pCrlContext)
 248 {
 249     TRACE("(%p)\n", pCrlContext);
 250     if (pCrlContext)
 251         Context_AddRef((void *)pCrlContext, sizeof(CRL_CONTEXT));
 252     return pCrlContext;
 253 }
 254
 255 static void CrlDataContext_Free(void *context)
 256 {
 257     PCRL_CONTEXT crlContext = context;
 258
 259     CryptMemFree(crlContext->pbCrlEncoded);
 260     LocalFree(crlContext->pCrlInfo);
 261 }
 262
 263 BOOL WINAPI CertFreeCRLContext( PCCRL_CONTEXT pCrlContext)
 264 {
 265     BOOL ret = TRUE;
 266
 267     TRACE("(%p)\n", pCrlContext);
 268
 269     if (pCrlContext)
 270         ret = Context_Release((void *)pCrlContext, sizeof(CRL_CONTEXT),
 271          CrlDataContext_Free);
 272     return ret;
 273 }
 274
 275 DWORD WINAPI CertEnumCRLContextProperties(PCCRL_CONTEXT pCRLContext,
 276  DWORD dwPropId)
 277 {
 278     PCONTEXT_PROPERTY_LIST properties = Context_GetProperties(
 279      pCRLContext, sizeof(CRL_CONTEXT));
 280     DWORD ret;
 281
 282     TRACE("(%p, %d)\n", pCRLContext, dwPropId);
 283
 284     if (properties)
 285         ret = ContextPropertyList_EnumPropIDs(properties, dwPropId);
 286     else
 287         ret = 0;
 288     return ret;
 289 }
 290
 291 static BOOL CRLContext_SetProperty(PCCRL_CONTEXT context, DWORD dwPropId,
 292                                    DWORD dwFlags, const void *pvData);
 293
 294 static BOOL CRLContext_GetHashProp(PCCRL_CONTEXT context, DWORD dwPropId,
 295  ALG_ID algID, const BYTE *toHash, DWORD toHashLen, void *pvData,
 296  DWORD *pcbData)
 297 {
 298     BOOL ret = CryptHashCertificate(0, algID, 0, toHash, toHashLen, pvData,
 299      pcbData);
 300     if (ret && pvData)
 301     {
 302         CRYPT_DATA_BLOB blob = { *pcbData, pvData };
 303
 304         ret = CRLContext_SetProperty(context, dwPropId, 0, &blob);
 305     }
 306     return ret;
 307 }
 308
 309 static BOOL CRLContext_GetProperty(PCCRL_CONTEXT context, DWORD dwPropId,
 310                                    void *pvData, DWORD *pcbData)
 311 {
 312     PCONTEXT_PROPERTY_LIST properties =
 313      Context_GetProperties(context, sizeof(CRL_CONTEXT));
 314     BOOL ret;
 315     CRYPT_DATA_BLOB blob;
 316
 317     TRACE("(%p, %d, %p, %p)\n", context, dwPropId, pvData, pcbData);
 318
 319     if (properties)
 320         ret = ContextPropertyList_FindProperty(properties, dwPropId, &blob);
 321     else
 322         ret = FALSE;
 323     if (ret)
 324     {
 325         if (!pvData)
 326             *pcbData = blob.cbData;
 327         else if (*pcbData < blob.cbData)
 328         {
 329             SetLastError(ERROR_MORE_DATA);
 330             *pcbData = blob.cbData;
 331             ret = FALSE;
 332         }
 333         else
 334         {
 335             memcpy(pvData, blob.pbData, blob.cbData);
 336             *pcbData = blob.cbData;
 337         }
 338     }
 339     else
 340     {
 341         /* Implicit properties */
 342         switch (dwPropId)
 343         {
 344         case CERT_SHA1_HASH_PROP_ID:
 345             ret = CRLContext_GetHashProp(context, dwPropId, CALG_SHA1,
 346                                          context->pbCrlEncoded, context->cbCrlEncoded, pvData,
 347              pcbData);
 348             break;
 349         case CERT_MD5_HASH_PROP_ID:
 350             ret = CRLContext_GetHashProp(context, dwPropId, CALG_MD5,
 351                                          context->pbCrlEncoded, context->cbCrlEncoded, pvData,
 352              pcbData);
 353             break;
 354         default:
 355             SetLastError(CRYPT_E_NOT_FOUND);
 356         }
 357     }
 358     TRACE("returning %d\n", ret);
 359     return ret;
 360 }
 361
 362 BOOL WINAPI CertGetCRLContextProperty(PCCRL_CONTEXT pCRLContext,
 363  DWORD dwPropId, void *pvData, DWORD *pcbData)
 364 {
 365     BOOL ret;
 366
 367     TRACE("(%p, %d, %p, %p)\n", pCRLContext, dwPropId, pvData, pcbData);
 368
 369     switch (dwPropId)
 370     {
 371     case 0:
 372     case CERT_CERT_PROP_ID:
 373     case CERT_CRL_PROP_ID:
 374     case CERT_CTL_PROP_ID:
 375         SetLastError(E_INVALIDARG);
 376         ret = FALSE;
 377         break;
 378     case CERT_ACCESS_STATE_PROP_ID:
 379         if (!pvData)
 380         {
 381             *pcbData = sizeof(DWORD);
 382             ret = TRUE;
 383         }
 384         else if (*pcbData < sizeof(DWORD))
 385         {
 386             SetLastError(ERROR_MORE_DATA);
 387             *pcbData = sizeof(DWORD);
 388             ret = FALSE;
 389         }
 390         else
 391         {
 392             if (pCRLContext->hCertStore)
 393                 ret = CertGetStoreProperty(pCRLContext->hCertStore, dwPropId,
 394                  pvData, pcbData);
 395             else
 396                 *(DWORD *)pvData = 0;
 397             ret = TRUE;
 398         }
 399         break;
 400     default:
 401         ret = CRLContext_GetProperty(pCRLContext, dwPropId, pvData,
 402          pcbData);
 403     }
 404     return ret;
 405 }
 406
 407 static BOOL CRLContext_SetProperty(PCCRL_CONTEXT context, DWORD dwPropId,
 408  DWORD dwFlags, const void *pvData)
 409 {
 410     PCONTEXT_PROPERTY_LIST properties =
 411      Context_GetProperties(context, sizeof(CRL_CONTEXT));
 412     BOOL ret;
 413
 414     TRACE("(%p, %d, %08x, %p)\n", context, dwPropId, dwFlags, pvData);
 415
 416     if (!properties)
 417         ret = FALSE;
 418     else if (!pvData)
 419     {
 420         ContextPropertyList_RemoveProperty(properties, dwPropId);
 421         ret = TRUE;
 422     }
 423     else
 424     {
 425         switch (dwPropId)
 426         {
 427         case CERT_AUTO_ENROLL_PROP_ID:
 428         case CERT_CTL_USAGE_PROP_ID: /* same as CERT_ENHKEY_USAGE_PROP_ID */
 429         case CERT_DESCRIPTION_PROP_ID:
 430         case CERT_FRIENDLY_NAME_PROP_ID:
 431         case CERT_HASH_PROP_ID:
 432         case CERT_KEY_IDENTIFIER_PROP_ID:
 433         case CERT_MD5_HASH_PROP_ID:
 434         case CERT_NEXT_UPDATE_LOCATION_PROP_ID:
 435         case CERT_PUBKEY_ALG_PARA_PROP_ID:
 436         case CERT_PVK_FILE_PROP_ID:
 437         case CERT_SIGNATURE_HASH_PROP_ID:
 438         case CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID:
 439         case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID:
 440         case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID:
 441         case CERT_ENROLLMENT_PROP_ID:
 442         case CERT_CROSS_CERT_DIST_POINTS_PROP_ID:
 443         case CERT_RENEWAL_PROP_ID:
 444         {
 445             PCRYPT_DATA_BLOB blob = (PCRYPT_DATA_BLOB)pvData;
 446
 447             ret = ContextPropertyList_SetProperty(properties, dwPropId,
 448              blob->pbData, blob->cbData);
 449             break;
 450         }
 451         case CERT_DATE_STAMP_PROP_ID:
 452             ret = ContextPropertyList_SetProperty(properties, dwPropId,
 453              pvData, sizeof(FILETIME));
 454             break;
 455         default:
 456             FIXME("%d: stub\n", dwPropId);
 457             ret = FALSE;
 458         }
 459     }
 460     TRACE("returning %d\n", ret);
 461     return ret;
 462 }
 463
 464 BOOL WINAPI CertSetCRLContextProperty(PCCRL_CONTEXT pCRLContext,
 465  DWORD dwPropId, DWORD dwFlags, const void *pvData)
 466 {
 467     BOOL ret;
 468
 469     TRACE("(%p, %d, %08x, %p)\n", pCRLContext, dwPropId, dwFlags, pvData);
 470
 471     /* Handle special cases for "read-only"/invalid prop IDs.  Windows just
 472      * crashes on most of these, I'll be safer.
 473      */
 474     switch (dwPropId)
 475     {
 476     case 0:
 477     case CERT_ACCESS_STATE_PROP_ID:
 478     case CERT_CERT_PROP_ID:
 479     case CERT_CRL_PROP_ID:
 480     case CERT_CTL_PROP_ID:
 481         SetLastError(E_INVALIDARG);
 482         return FALSE;
 483     }
 484     ret = CRLContext_SetProperty(pCRLContext, dwPropId, dwFlags, pvData);
 485     TRACE("returning %d\n", ret);
 486     return ret;
 487 }
 488
 489 static BOOL compare_dist_point_name(const CRL_DIST_POINT_NAME *name1,
 490  const CRL_DIST_POINT_NAME *name2)
 491 {
 492     BOOL match;
 493
 494     if (name1->dwDistPointNameChoice == name2->dwDistPointNameChoice)
 495     {
 496         match = TRUE;
 497         if (name1->dwDistPointNameChoice == CRL_DIST_POINT_FULL_NAME)
 498         {
 499             if (name1->u.FullName.cAltEntry == name2->u.FullName.cAltEntry)
 500             {
 501                 DWORD i;
 502
 503                 for (i = 0; match && i < name1->u.FullName.cAltEntry; i++)
 504                 {
 505                     const CERT_ALT_NAME_ENTRY *entry1 =
 506                      &name1->u.FullName.rgAltEntry[i];
 507                     const CERT_ALT_NAME_ENTRY *entry2 =
 508                      &name2->u.FullName.rgAltEntry[i];
 509
 510                     if (entry1->dwAltNameChoice == entry2->dwAltNameChoice)
 511                     {
 512                         switch (entry1->dwAltNameChoice)
 513                         {
 514                         case CERT_ALT_NAME_URL:
 515                             match = !strcmpiW(entry1->u.pwszURL,
 516                              entry2->u.pwszURL);
 517                             break;
 518                         case CERT_ALT_NAME_DIRECTORY_NAME:
 519                             match = (entry1->u.DirectoryName.cbData ==
 520                              entry2->u.DirectoryName.cbData) &&
 521                              !memcmp(entry1->u.DirectoryName.pbData,
 522                              entry2->u.DirectoryName.pbData,
 523                              entry1->u.DirectoryName.cbData);
 524                             break;
 525                         default:
 526                             FIXME("unimplemented for type %d\n",
 527                              entry1->dwAltNameChoice);
 528                             match = FALSE;
 529                         }
 530                     }
 531                     else
 532                         match = FALSE;
 533                 }
 534             }
 535             else
 536                 match = FALSE;
 537         }
 538     }
 539     else
 540         match = FALSE;
 541     return match;
 542 }
 543
 544 static BOOL match_dist_point_with_issuing_dist_point(
 545  const CRL_DIST_POINT *distPoint, const CRL_ISSUING_DIST_POINT *idp)
 546 {
 547     BOOL match;
 548
 549     /* While RFC 5280, section 4.2.1.13 recommends against segmenting
 550      * CRL distribution points by reasons, it doesn't preclude doing so.
 551      * "This profile RECOMMENDS against segmenting CRLs by reason code."
 552      * If the issuing distribution point for this CRL is only valid for
 553      * some reasons, only match if the reasons covered also match the
 554      * reasons in the CRL distribution point.
 555      */
 556     if (idp->OnlySomeReasonFlags.cbData)
 557     {
 558         if (idp->OnlySomeReasonFlags.cbData == distPoint->ReasonFlags.cbData)
 559         {
 560             DWORD i;
 561
 562             match = TRUE;
 563             for (i = 0; match && i < distPoint->ReasonFlags.cbData; i++)
 564                 if (idp->OnlySomeReasonFlags.pbData[i] !=
 565                  distPoint->ReasonFlags.pbData[i])
 566                     match = FALSE;
 567         }
 568         else
 569             match = FALSE;
 570     }
 571     else
 572         match = TRUE;
 573     if (match)
 574         match = compare_dist_point_name(&idp->DistPointName,
 575          &distPoint->DistPointName);
 576     return match;
 577 }
 578
 579 BOOL WINAPI CertIsValidCRLForCertificate(PCCERT_CONTEXT pCert,
 580  PCCRL_CONTEXT pCrl, DWORD dwFlags, void *pvReserved)
 581 {
 582     PCERT_EXTENSION ext;
 583     BOOL ret;
 584
 585     TRACE("(%p, %p, %08x, %p)\n", pCert, pCrl, dwFlags, pvReserved);
 586
 587     if (!pCert)
 588         return TRUE;
 589
 590     if ((ext = CertFindExtension(szOID_ISSUING_DIST_POINT,
 591      pCrl->pCrlInfo->cExtension, pCrl->pCrlInfo->rgExtension)))
 592     {
 593         CRL_ISSUING_DIST_POINT *idp;
 594         DWORD size;
 595
 596         if ((ret = CryptDecodeObjectEx(pCrl->dwCertEncodingType,
 597          X509_ISSUING_DIST_POINT, ext->Value.pbData, ext->Value.cbData,
 598          CRYPT_DECODE_ALLOC_FLAG, NULL, &idp, &size)))
 599         {
 600             if ((ext = CertFindExtension(szOID_CRL_DIST_POINTS,
 601              pCert->pCertInfo->cExtension, pCert->pCertInfo->rgExtension)))
 602             {
 603                 CRL_DIST_POINTS_INFO *distPoints;
 604
 605                 if ((ret = CryptDecodeObjectEx(pCert->dwCertEncodingType,
 606                  X509_CRL_DIST_POINTS, ext->Value.pbData, ext->Value.cbData,
 607                  CRYPT_DECODE_ALLOC_FLAG, NULL, &distPoints, &size)))
 608                 {
 609                     DWORD i;
 610
 611                     ret = FALSE;
 612                     for (i = 0; !ret && i < distPoints->cDistPoint; i++)
 613                         ret = match_dist_point_with_issuing_dist_point(
 614                          &distPoints->rgDistPoint[i], idp);
 615                     if (!ret)
 616                         SetLastError(CRYPT_E_NO_MATCH);
 617                     LocalFree(distPoints);
 618                 }
 619             }
 620             else
 621             {
 622                 /* no CRL dist points extension in cert, compare CRL's issuer
 623                  * to cert's issuer.
 624                  */
 625                 if (!CertCompareCertificateName(pCrl->dwCertEncodingType,
 626                  &pCrl->pCrlInfo->Issuer, &pCert->pCertInfo->Issuer))
 627                 {
 628                     ret = FALSE;
 629                     SetLastError(CRYPT_E_NO_MATCH);
 630                 }
 631             }
 632             LocalFree(idp);
 633         }
 634     }
 635     else
 636         ret = TRUE;
 637     return ret;
 638 }
 639
 640 static PCRL_ENTRY CRYPT_FindCertificateInCRL(PCERT_INFO cert, const CRL_INFO *crl)
 641 {
 642     DWORD i;
 643     PCRL_ENTRY entry = NULL;
 644
 645     for (i = 0; !entry && i < crl->cCRLEntry; i++)
 646         if (CertCompareIntegerBlob(&crl->rgCRLEntry[i].SerialNumber,
 647          &cert->SerialNumber))
 648             entry = &crl->rgCRLEntry[i];
 649     return entry;
 650 }
 651
 652 BOOL WINAPI CertFindCertificateInCRL(PCCERT_CONTEXT pCert,
 653  PCCRL_CONTEXT pCrlContext, DWORD dwFlags, void *pvReserved,
 654  PCRL_ENTRY *ppCrlEntry)
 655 {
 656     TRACE("(%p, %p, %08x, %p, %p)\n", pCert, pCrlContext, dwFlags, pvReserved,
 657      ppCrlEntry);
 658
 659     *ppCrlEntry = CRYPT_FindCertificateInCRL(pCert->pCertInfo,
 660      pCrlContext->pCrlInfo);
 661     return TRUE;
 662 }
 663
 664 BOOL WINAPI CertVerifyCRLRevocation(DWORD dwCertEncodingType,
 665  PCERT_INFO pCertId, DWORD cCrlInfo, PCRL_INFO rgpCrlInfo[])
 666 {
 667     DWORD i;
 668     PCRL_ENTRY entry = NULL;
 669
 670     TRACE("(%08x, %p, %d, %p)\n", dwCertEncodingType, pCertId, cCrlInfo,
 671      rgpCrlInfo);
 672
 673     for (i = 0; !entry && i < cCrlInfo; i++)
 674         entry = CRYPT_FindCertificateInCRL(pCertId, rgpCrlInfo[i]);
 675     return entry == NULL;
 676 }
 677
 678 LONG WINAPI CertVerifyCRLTimeValidity(LPFILETIME pTimeToVerify,
 679  PCRL_INFO pCrlInfo)
 680 {
 681     FILETIME fileTime;
 682     LONG ret;
 683
 684     if (!pTimeToVerify)
 685     {
 686         GetSystemTimeAsFileTime(&fileTime);
 687         pTimeToVerify = &fileTime;
 688     }
 689     if ((ret = CompareFileTime(pTimeToVerify, &pCrlInfo->ThisUpdate)) >= 0)
 690     {
 691         ret = CompareFileTime(pTimeToVerify, &pCrlInfo->NextUpdate);
 692         if (ret < 0)
 693             ret = 0;
 694     }
 695     return ret;
 696 }