2 * Copyright 2006 Juan Lang
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
22 #define NONAMELESSUNION
26 #include "wine/debug.h"
27 #include "wine/unicode.h"
28 #include "crypt32_private.h"
30 WINE_DEFAULT_DEBUG_CHANNEL(crypt
);
32 PCCRL_CONTEXT WINAPI
CertCreateCRLContext(DWORD dwCertEncodingType
,
33 const BYTE
* pbCrlEncoded
, DWORD cbCrlEncoded
)
35 PCRL_CONTEXT crl
= NULL
;
37 PCRL_INFO crlInfo
= NULL
;
40 TRACE("(%08x, %p, %d)\n", dwCertEncodingType
, pbCrlEncoded
,
43 if ((dwCertEncodingType
& CERT_ENCODING_TYPE_MASK
) != X509_ASN_ENCODING
)
45 SetLastError(E_INVALIDARG
);
48 ret
= CryptDecodeObjectEx(dwCertEncodingType
, X509_CERT_CRL_TO_BE_SIGNED
,
49 pbCrlEncoded
, cbCrlEncoded
, CRYPT_DECODE_ALLOC_FLAG
, NULL
,
55 crl
= Context_CreateDataContext(sizeof(CRL_CONTEXT
));
58 data
= CryptMemAlloc(cbCrlEncoded
);
65 memcpy(data
, pbCrlEncoded
, cbCrlEncoded
);
66 crl
->dwCertEncodingType
= dwCertEncodingType
;
67 crl
->pbCrlEncoded
= data
;
68 crl
->cbCrlEncoded
= cbCrlEncoded
;
69 crl
->pCrlInfo
= crlInfo
;
77 BOOL WINAPI
CertAddEncodedCRLToStore(HCERTSTORE hCertStore
,
78 DWORD dwCertEncodingType
, const BYTE
*pbCrlEncoded
, DWORD cbCrlEncoded
,
79 DWORD dwAddDisposition
, PCCRL_CONTEXT
*ppCrlContext
)
81 PCCRL_CONTEXT crl
= CertCreateCRLContext(dwCertEncodingType
,
82 pbCrlEncoded
, cbCrlEncoded
);
85 TRACE("(%p, %08x, %p, %d, %08x, %p)\n", hCertStore
, dwCertEncodingType
,
86 pbCrlEncoded
, cbCrlEncoded
, dwAddDisposition
, ppCrlContext
);
90 ret
= CertAddCRLContextToStore(hCertStore
, crl
, dwAddDisposition
,
92 CertFreeCRLContext(crl
);
99 typedef BOOL (*CrlCompareFunc
)(PCCRL_CONTEXT pCrlContext
, DWORD dwType
,
100 DWORD dwFlags
, const void *pvPara
);
102 static BOOL
compare_crl_any(PCCRL_CONTEXT pCrlContext
, DWORD dwType
,
103 DWORD dwFlags
, const void *pvPara
)
108 static BOOL
compare_crl_issued_by(PCCRL_CONTEXT pCrlContext
, DWORD dwType
,
109 DWORD dwFlags
, const void *pvPara
)
115 PCCERT_CONTEXT issuer
= pvPara
;
117 ret
= CertCompareCertificateName(issuer
->dwCertEncodingType
,
118 &issuer
->pCertInfo
->Issuer
, &pCrlContext
->pCrlInfo
->Issuer
);
125 static BOOL
compare_crl_existing(PCCRL_CONTEXT pCrlContext
, DWORD dwType
,
126 DWORD dwFlags
, const void *pvPara
)
132 PCCRL_CONTEXT crl
= pvPara
;
134 ret
= CertCompareCertificateName(pCrlContext
->dwCertEncodingType
,
135 &pCrlContext
->pCrlInfo
->Issuer
, &crl
->pCrlInfo
->Issuer
);
142 static BOOL
compare_crl_issued_for(PCCRL_CONTEXT pCrlContext
, DWORD dwType
,
143 DWORD dwFlags
, const void *pvPara
)
145 const CRL_FIND_ISSUED_FOR_PARA
*para
= pvPara
;
148 ret
= CertCompareCertificateName(para
->pIssuerCert
->dwCertEncodingType
,
149 ¶
->pIssuerCert
->pCertInfo
->Issuer
, &pCrlContext
->pCrlInfo
->Issuer
);
151 ret
= CertIsValidCRLForCertificate(para
->pSubjectCert
, pCrlContext
,
156 PCCRL_CONTEXT WINAPI
CertFindCRLInStore(HCERTSTORE hCertStore
,
157 DWORD dwCertEncodingType
, DWORD dwFindFlags
, DWORD dwFindType
,
158 const void *pvFindPara
, PCCRL_CONTEXT pPrevCrlContext
)
161 CrlCompareFunc compare
;
163 TRACE("(%p, %d, %d, %d, %p, %p)\n", hCertStore
, dwCertEncodingType
,
164 dwFindFlags
, dwFindType
, pvFindPara
, pPrevCrlContext
);
169 compare
= compare_crl_any
;
171 case CRL_FIND_ISSUED_BY
:
172 compare
= compare_crl_issued_by
;
174 case CRL_FIND_EXISTING
:
175 compare
= compare_crl_existing
;
177 case CRL_FIND_ISSUED_FOR
:
178 compare
= compare_crl_issued_for
;
181 FIXME("find type %08x unimplemented\n", dwFindType
);
187 BOOL matches
= FALSE
;
189 ret
= pPrevCrlContext
;
191 ret
= CertEnumCRLsInStore(hCertStore
, ret
);
193 matches
= compare(ret
, dwFindType
, dwFindFlags
, pvFindPara
);
194 } while (ret
!= NULL
&& !matches
);
196 SetLastError(CRYPT_E_NOT_FOUND
);
200 SetLastError(CRYPT_E_NOT_FOUND
);
206 PCCRL_CONTEXT WINAPI
CertGetCRLFromStore(HCERTSTORE hCertStore
,
207 PCCERT_CONTEXT pIssuerContext
, PCCRL_CONTEXT pPrevCrlContext
, DWORD
*pdwFlags
)
209 static const DWORD supportedFlags
= CERT_STORE_SIGNATURE_FLAG
|
210 CERT_STORE_TIME_VALIDITY_FLAG
| CERT_STORE_BASE_CRL_FLAG
|
211 CERT_STORE_DELTA_CRL_FLAG
;
214 TRACE("(%p, %p, %p, %08x)\n", hCertStore
, pIssuerContext
, pPrevCrlContext
,
217 if (*pdwFlags
& ~supportedFlags
)
219 SetLastError(E_INVALIDARG
);
223 ret
= CertFindCRLInStore(hCertStore
, pIssuerContext
->dwCertEncodingType
,
224 0, CRL_FIND_ISSUED_BY
, pIssuerContext
, pPrevCrlContext
);
226 ret
= CertFindCRLInStore(hCertStore
, 0, 0, CRL_FIND_ANY
, NULL
,
230 if (*pdwFlags
& CERT_STORE_TIME_VALIDITY_FLAG
)
232 if (0 == CertVerifyCRLTimeValidity(NULL
, ret
->pCrlInfo
))
233 *pdwFlags
&= ~CERT_STORE_TIME_VALIDITY_FLAG
;
235 if (*pdwFlags
& CERT_STORE_SIGNATURE_FLAG
)
237 if (CryptVerifyCertificateSignatureEx(0, ret
->dwCertEncodingType
,
238 CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL
, (void *)ret
,
239 CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT
, (void *)pIssuerContext
, 0,
241 *pdwFlags
&= ~CERT_STORE_SIGNATURE_FLAG
;
247 PCCRL_CONTEXT WINAPI
CertDuplicateCRLContext(PCCRL_CONTEXT pCrlContext
)
249 TRACE("(%p)\n", pCrlContext
);
251 Context_AddRef((void *)pCrlContext
, sizeof(CRL_CONTEXT
));
255 static void CrlDataContext_Free(void *context
)
257 PCRL_CONTEXT crlContext
= context
;
259 CryptMemFree(crlContext
->pbCrlEncoded
);
260 LocalFree(crlContext
->pCrlInfo
);
263 BOOL WINAPI
CertFreeCRLContext( PCCRL_CONTEXT pCrlContext
)
267 TRACE("(%p)\n", pCrlContext
);
270 ret
= Context_Release((void *)pCrlContext
, sizeof(CRL_CONTEXT
),
271 CrlDataContext_Free
);
275 DWORD WINAPI
CertEnumCRLContextProperties(PCCRL_CONTEXT pCRLContext
,
278 PCONTEXT_PROPERTY_LIST properties
= Context_GetProperties(
279 pCRLContext
, sizeof(CRL_CONTEXT
));
282 TRACE("(%p, %d)\n", pCRLContext
, dwPropId
);
285 ret
= ContextPropertyList_EnumPropIDs(properties
, dwPropId
);
291 static BOOL
CRLContext_SetProperty(PCCRL_CONTEXT context
, DWORD dwPropId
,
292 DWORD dwFlags
, const void *pvData
);
294 static BOOL
CRLContext_GetHashProp(PCCRL_CONTEXT context
, DWORD dwPropId
,
295 ALG_ID algID
, const BYTE
*toHash
, DWORD toHashLen
, void *pvData
,
298 BOOL ret
= CryptHashCertificate(0, algID
, 0, toHash
, toHashLen
, pvData
,
302 CRYPT_DATA_BLOB blob
= { *pcbData
, pvData
};
304 ret
= CRLContext_SetProperty(context
, dwPropId
, 0, &blob
);
309 static BOOL
CRLContext_GetProperty(PCCRL_CONTEXT context
, DWORD dwPropId
,
310 void *pvData
, DWORD
*pcbData
)
312 PCONTEXT_PROPERTY_LIST properties
=
313 Context_GetProperties(context
, sizeof(CRL_CONTEXT
));
315 CRYPT_DATA_BLOB blob
;
317 TRACE("(%p, %d, %p, %p)\n", context
, dwPropId
, pvData
, pcbData
);
320 ret
= ContextPropertyList_FindProperty(properties
, dwPropId
, &blob
);
326 *pcbData
= blob
.cbData
;
327 else if (*pcbData
< blob
.cbData
)
329 SetLastError(ERROR_MORE_DATA
);
330 *pcbData
= blob
.cbData
;
335 memcpy(pvData
, blob
.pbData
, blob
.cbData
);
336 *pcbData
= blob
.cbData
;
341 /* Implicit properties */
344 case CERT_SHA1_HASH_PROP_ID
:
345 ret
= CRLContext_GetHashProp(context
, dwPropId
, CALG_SHA1
,
346 context
->pbCrlEncoded
, context
->cbCrlEncoded
, pvData
,
349 case CERT_MD5_HASH_PROP_ID
:
350 ret
= CRLContext_GetHashProp(context
, dwPropId
, CALG_MD5
,
351 context
->pbCrlEncoded
, context
->cbCrlEncoded
, pvData
,
355 SetLastError(CRYPT_E_NOT_FOUND
);
358 TRACE("returning %d\n", ret
);
362 BOOL WINAPI
CertGetCRLContextProperty(PCCRL_CONTEXT pCRLContext
,
363 DWORD dwPropId
, void *pvData
, DWORD
*pcbData
)
367 TRACE("(%p, %d, %p, %p)\n", pCRLContext
, dwPropId
, pvData
, pcbData
);
372 case CERT_CERT_PROP_ID
:
373 case CERT_CRL_PROP_ID
:
374 case CERT_CTL_PROP_ID
:
375 SetLastError(E_INVALIDARG
);
378 case CERT_ACCESS_STATE_PROP_ID
:
381 *pcbData
= sizeof(DWORD
);
384 else if (*pcbData
< sizeof(DWORD
))
386 SetLastError(ERROR_MORE_DATA
);
387 *pcbData
= sizeof(DWORD
);
392 if (pCRLContext
->hCertStore
)
393 ret
= CertGetStoreProperty(pCRLContext
->hCertStore
, dwPropId
,
396 *(DWORD
*)pvData
= 0;
401 ret
= CRLContext_GetProperty(pCRLContext
, dwPropId
, pvData
,
407 static BOOL
CRLContext_SetProperty(PCCRL_CONTEXT context
, DWORD dwPropId
,
408 DWORD dwFlags
, const void *pvData
)
410 PCONTEXT_PROPERTY_LIST properties
=
411 Context_GetProperties(context
, sizeof(CRL_CONTEXT
));
414 TRACE("(%p, %d, %08x, %p)\n", context
, dwPropId
, dwFlags
, pvData
);
420 ContextPropertyList_RemoveProperty(properties
, dwPropId
);
427 case CERT_AUTO_ENROLL_PROP_ID
:
428 case CERT_CTL_USAGE_PROP_ID
: /* same as CERT_ENHKEY_USAGE_PROP_ID */
429 case CERT_DESCRIPTION_PROP_ID
:
430 case CERT_FRIENDLY_NAME_PROP_ID
:
431 case CERT_HASH_PROP_ID
:
432 case CERT_KEY_IDENTIFIER_PROP_ID
:
433 case CERT_MD5_HASH_PROP_ID
:
434 case CERT_NEXT_UPDATE_LOCATION_PROP_ID
:
435 case CERT_PUBKEY_ALG_PARA_PROP_ID
:
436 case CERT_PVK_FILE_PROP_ID
:
437 case CERT_SIGNATURE_HASH_PROP_ID
:
438 case CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID
:
439 case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID
:
440 case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID
:
441 case CERT_ENROLLMENT_PROP_ID
:
442 case CERT_CROSS_CERT_DIST_POINTS_PROP_ID
:
443 case CERT_RENEWAL_PROP_ID
:
445 PCRYPT_DATA_BLOB blob
= (PCRYPT_DATA_BLOB
)pvData
;
447 ret
= ContextPropertyList_SetProperty(properties
, dwPropId
,
448 blob
->pbData
, blob
->cbData
);
451 case CERT_DATE_STAMP_PROP_ID
:
452 ret
= ContextPropertyList_SetProperty(properties
, dwPropId
,
453 pvData
, sizeof(FILETIME
));
456 FIXME("%d: stub\n", dwPropId
);
460 TRACE("returning %d\n", ret
);
464 BOOL WINAPI
CertSetCRLContextProperty(PCCRL_CONTEXT pCRLContext
,
465 DWORD dwPropId
, DWORD dwFlags
, const void *pvData
)
469 TRACE("(%p, %d, %08x, %p)\n", pCRLContext
, dwPropId
, dwFlags
, pvData
);
471 /* Handle special cases for "read-only"/invalid prop IDs. Windows just
472 * crashes on most of these, I'll be safer.
477 case CERT_ACCESS_STATE_PROP_ID
:
478 case CERT_CERT_PROP_ID
:
479 case CERT_CRL_PROP_ID
:
480 case CERT_CTL_PROP_ID
:
481 SetLastError(E_INVALIDARG
);
484 ret
= CRLContext_SetProperty(pCRLContext
, dwPropId
, dwFlags
, pvData
);
485 TRACE("returning %d\n", ret
);
489 static BOOL
compare_dist_point_name(const CRL_DIST_POINT_NAME
*name1
,
490 const CRL_DIST_POINT_NAME
*name2
)
494 if (name1
->dwDistPointNameChoice
== name2
->dwDistPointNameChoice
)
497 if (name1
->dwDistPointNameChoice
== CRL_DIST_POINT_FULL_NAME
)
499 if (name1
->u
.FullName
.cAltEntry
== name2
->u
.FullName
.cAltEntry
)
503 for (i
= 0; match
&& i
< name1
->u
.FullName
.cAltEntry
; i
++)
505 const CERT_ALT_NAME_ENTRY
*entry1
=
506 &name1
->u
.FullName
.rgAltEntry
[i
];
507 const CERT_ALT_NAME_ENTRY
*entry2
=
508 &name2
->u
.FullName
.rgAltEntry
[i
];
510 if (entry1
->dwAltNameChoice
== entry2
->dwAltNameChoice
)
512 switch (entry1
->dwAltNameChoice
)
514 case CERT_ALT_NAME_URL
:
515 match
= !strcmpiW(entry1
->u
.pwszURL
,
518 case CERT_ALT_NAME_DIRECTORY_NAME
:
519 match
= (entry1
->u
.DirectoryName
.cbData
==
520 entry2
->u
.DirectoryName
.cbData
) &&
521 !memcmp(entry1
->u
.DirectoryName
.pbData
,
522 entry2
->u
.DirectoryName
.pbData
,
523 entry1
->u
.DirectoryName
.cbData
);
526 FIXME("unimplemented for type %d\n",
527 entry1
->dwAltNameChoice
);
544 static BOOL
match_dist_point_with_issuing_dist_point(
545 const CRL_DIST_POINT
*distPoint
, const CRL_ISSUING_DIST_POINT
*idp
)
549 /* While RFC 5280, section 4.2.1.13 recommends against segmenting
550 * CRL distribution points by reasons, it doesn't preclude doing so.
551 * "This profile RECOMMENDS against segmenting CRLs by reason code."
552 * If the issuing distribution point for this CRL is only valid for
553 * some reasons, only match if the reasons covered also match the
554 * reasons in the CRL distribution point.
556 if (idp
->OnlySomeReasonFlags
.cbData
)
558 if (idp
->OnlySomeReasonFlags
.cbData
== distPoint
->ReasonFlags
.cbData
)
563 for (i
= 0; match
&& i
< distPoint
->ReasonFlags
.cbData
; i
++)
564 if (idp
->OnlySomeReasonFlags
.pbData
[i
] !=
565 distPoint
->ReasonFlags
.pbData
[i
])
574 match
= compare_dist_point_name(&idp
->DistPointName
,
575 &distPoint
->DistPointName
);
579 BOOL WINAPI
CertIsValidCRLForCertificate(PCCERT_CONTEXT pCert
,
580 PCCRL_CONTEXT pCrl
, DWORD dwFlags
, void *pvReserved
)
585 TRACE("(%p, %p, %08x, %p)\n", pCert
, pCrl
, dwFlags
, pvReserved
);
590 if ((ext
= CertFindExtension(szOID_ISSUING_DIST_POINT
,
591 pCrl
->pCrlInfo
->cExtension
, pCrl
->pCrlInfo
->rgExtension
)))
593 CRL_ISSUING_DIST_POINT
*idp
;
596 if ((ret
= CryptDecodeObjectEx(pCrl
->dwCertEncodingType
,
597 X509_ISSUING_DIST_POINT
, ext
->Value
.pbData
, ext
->Value
.cbData
,
598 CRYPT_DECODE_ALLOC_FLAG
, NULL
, &idp
, &size
)))
600 if ((ext
= CertFindExtension(szOID_CRL_DIST_POINTS
,
601 pCert
->pCertInfo
->cExtension
, pCert
->pCertInfo
->rgExtension
)))
603 CRL_DIST_POINTS_INFO
*distPoints
;
605 if ((ret
= CryptDecodeObjectEx(pCert
->dwCertEncodingType
,
606 X509_CRL_DIST_POINTS
, ext
->Value
.pbData
, ext
->Value
.cbData
,
607 CRYPT_DECODE_ALLOC_FLAG
, NULL
, &distPoints
, &size
)))
612 for (i
= 0; !ret
&& i
< distPoints
->cDistPoint
; i
++)
613 ret
= match_dist_point_with_issuing_dist_point(
614 &distPoints
->rgDistPoint
[i
], idp
);
616 SetLastError(CRYPT_E_NO_MATCH
);
617 LocalFree(distPoints
);
622 /* no CRL dist points extension in cert, compare CRL's issuer
625 if (!CertCompareCertificateName(pCrl
->dwCertEncodingType
,
626 &pCrl
->pCrlInfo
->Issuer
, &pCert
->pCertInfo
->Issuer
))
629 SetLastError(CRYPT_E_NO_MATCH
);
640 static PCRL_ENTRY
CRYPT_FindCertificateInCRL(PCERT_INFO cert
, const CRL_INFO
*crl
)
643 PCRL_ENTRY entry
= NULL
;
645 for (i
= 0; !entry
&& i
< crl
->cCRLEntry
; i
++)
646 if (CertCompareIntegerBlob(&crl
->rgCRLEntry
[i
].SerialNumber
,
647 &cert
->SerialNumber
))
648 entry
= &crl
->rgCRLEntry
[i
];
652 BOOL WINAPI
CertFindCertificateInCRL(PCCERT_CONTEXT pCert
,
653 PCCRL_CONTEXT pCrlContext
, DWORD dwFlags
, void *pvReserved
,
654 PCRL_ENTRY
*ppCrlEntry
)
656 TRACE("(%p, %p, %08x, %p, %p)\n", pCert
, pCrlContext
, dwFlags
, pvReserved
,
659 *ppCrlEntry
= CRYPT_FindCertificateInCRL(pCert
->pCertInfo
,
660 pCrlContext
->pCrlInfo
);
664 BOOL WINAPI
CertVerifyCRLRevocation(DWORD dwCertEncodingType
,
665 PCERT_INFO pCertId
, DWORD cCrlInfo
, PCRL_INFO rgpCrlInfo
[])
668 PCRL_ENTRY entry
= NULL
;
670 TRACE("(%08x, %p, %d, %p)\n", dwCertEncodingType
, pCertId
, cCrlInfo
,
673 for (i
= 0; !entry
&& i
< cCrlInfo
; i
++)
674 entry
= CRYPT_FindCertificateInCRL(pCertId
, rgpCrlInfo
[i
]);
675 return entry
== NULL
;
678 LONG WINAPI
CertVerifyCRLTimeValidity(LPFILETIME pTimeToVerify
,
686 GetSystemTimeAsFileTime(&fileTime
);
687 pTimeToVerify
= &fileTime
;
689 if ((ret
= CompareFileTime(pTimeToVerify
, &pCrlInfo
->ThisUpdate
)) >= 0)
691 ret
= CompareFileTime(pTimeToVerify
, &pCrlInfo
->NextUpdate
);