search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
wintrust: Return error directly from SOFTPUB_GetSIP.
[wine/wine-gecko.git] / dlls / wintrust / softpub.c
bloba6edfe258a698cb5d84ae0c65c5f3f47f5436407
1 /*
2 * Copyright 2007 Juan Lang
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
17 */
18 #include <stdarg.h>
19
20 #define NONAMELESSUNION
21
22 #include "windef.h"
23 #include "winbase.h"
24 #include "wintrust.h"
25 #include "mssip.h"
26 #include "softpub.h"
27 #include "wine/debug.h"
28
29 WINE_DEFAULT_DEBUG_CHANNEL(wintrust);
30
31 HRESULT WINAPI SoftpubDefCertInit(CRYPT_PROVIDER_DATA *data)
32 {
33 HRESULT ret = S_FALSE;
34
35 TRACE("(%p)\n", data);
36
37 if (data->padwTrustStepErrors &&
38 !data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_WVTINIT])
39 ret = S_OK;
40 TRACE("returning %08x\n", ret);
41 return ret;
42 }
43
44 HRESULT WINAPI SoftpubInitialize(CRYPT_PROVIDER_DATA *data)
45 {
46 HRESULT ret = S_FALSE;
47
48 TRACE("(%p)\n", data);
49
50 if (data->padwTrustStepErrors &&
51 !data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_WVTINIT])
52 ret = S_OK;
53 TRACE("returning %08x\n", ret);
54 return ret;
55 }
56
57 HRESULT WINAPI DriverInitializePolicy(CRYPT_PROVIDER_DATA *data)
58 {
59 FIXME("stub\n");
60 return S_OK;
61 }
62
63 HRESULT WINAPI DriverCleanupPolicy(CRYPT_PROVIDER_DATA *data)
64 {
65 FIXME("stub\n");
66 return S_OK;
67 }
68
69 HRESULT WINAPI DriverFinalPolicy(CRYPT_PROVIDER_DATA *data)
70 {
71 FIXME("stub\n");
72 return S_OK;
73 }
74
75 /* Assumes data->pWintrustData->u.pFile exists. Makes sure a file handle is
76 * open for the file.
77 */
78 static DWORD SOFTPUB_OpenFile(CRYPT_PROVIDER_DATA *data)
79 {
80 DWORD err = ERROR_SUCCESS;
81
82 /* PSDK implies that all values should be initialized to NULL, so callers
83 * typically have hFile as NULL rather than INVALID_HANDLE_VALUE. Check
84 * for both.
85 */
86 if (!data->pWintrustData->u.pFile->hFile ||
87 data->pWintrustData->u.pFile->hFile == INVALID_HANDLE_VALUE)
88 {
89 data->pWintrustData->u.pFile->hFile =
90 CreateFileW(data->pWintrustData->u.pFile->pcwszFilePath, GENERIC_READ,
91 FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
92 if (data->pWintrustData->u.pFile->hFile != INVALID_HANDLE_VALUE)
93 data->fOpenedFile = TRUE;
94 else
95 err = GetLastError();
96 }
97 if (!err)
98 GetFileTime(data->pWintrustData->u.pFile->hFile, &data->sftSystemTime,
99 NULL, NULL);
100 TRACE("returning %d\n", err);
101 return err;
102 }
103
104 /* Assumes data->pWintrustData->u.pFile exists. Sets data->pPDSip->gSubject to
105 * the file's subject GUID.
106 */
107 static DWORD SOFTPUB_GetFileSubject(CRYPT_PROVIDER_DATA *data)
108 {
109 DWORD err = ERROR_SUCCESS;
110
111 if (!WVT_ISINSTRUCT(WINTRUST_FILE_INFO,
112 data->pWintrustData->u.pFile->cbStruct, pgKnownSubject) ||
113 !data->pWintrustData->u.pFile->pgKnownSubject)
114 {
115 if (!CryptSIPRetrieveSubjectGuid(
116 data->pWintrustData->u.pFile->pcwszFilePath,
117 data->pWintrustData->u.pFile->hFile,
118 &data->u.pPDSip->gSubject))
119 err = GetLastError();
120 }
121 else
122 data->u.pPDSip->gSubject = *data->pWintrustData->u.pFile->pgKnownSubject;
123 TRACE("returning %d\n", err);
124 return err;
125 }
126
127 /* Assumes data->u.pPDSip exists, and its gSubject member set.
128 * Allocates data->u.pPDSip->pSip and loads it, if possible.
129 */
130 static DWORD SOFTPUB_GetSIP(CRYPT_PROVIDER_DATA *data)
131 {
132 DWORD err = ERROR_SUCCESS;
133
134 data->u.pPDSip->pSip = data->psPfns->pfnAlloc(sizeof(SIP_DISPATCH_INFO));
135 if (data->u.pPDSip->pSip)
136 {
137 if (!CryptSIPLoad(&data->u.pPDSip->gSubject, 0, data->u.pPDSip->pSip))
138 err = GetLastError();
139 }
140 else
141 err = ERROR_OUTOFMEMORY;
142 TRACE("returning %d\n", err);
143 return err;
144 }
145
146 /* Assumes data->u.pPDSip has been loaded, and data->u.pPDSip->pSip allocated.
147 * Calls data->u.pPDSip->pSip->pfGet to construct data->hMsg.
148 */
149 static BOOL SOFTPUB_GetMessageFromFile(CRYPT_PROVIDER_DATA *data, HANDLE file,
150 LPCWSTR filePath)
151 {
152 BOOL ret;
153 LPBYTE buf = NULL;
154 DWORD size = 0;
155
156 data->u.pPDSip->psSipSubjectInfo =
157 data->psPfns->pfnAlloc(sizeof(SIP_SUBJECTINFO));
158 if (!data->u.pPDSip->psSipSubjectInfo)
159 {
160 SetLastError(ERROR_OUTOFMEMORY);
161 return FALSE;
162 }
163
164 data->u.pPDSip->psSipSubjectInfo->cbSize = sizeof(SIP_SUBJECTINFO);
165 data->u.pPDSip->psSipSubjectInfo->pgSubjectType = &data->u.pPDSip->gSubject;
166 data->u.pPDSip->psSipSubjectInfo->hFile = file;
167 data->u.pPDSip->psSipSubjectInfo->pwsFileName = filePath;
168 data->u.pPDSip->psSipSubjectInfo->hProv = data->hProv;
169 ret = data->u.pPDSip->pSip->pfGet(data->u.pPDSip->psSipSubjectInfo,
170 &data->dwEncoding, 0, &size, 0);
171 if (!ret)
172 {
173 SetLastError(TRUST_E_NOSIGNATURE);
174 return FALSE;
175 }
176
177 buf = data->psPfns->pfnAlloc(size);
178 if (!buf)
179 {
180 SetLastError(ERROR_OUTOFMEMORY);
181 return FALSE;
182 }
183
184 ret = data->u.pPDSip->pSip->pfGet(data->u.pPDSip->psSipSubjectInfo,
185 &data->dwEncoding, 0, &size, buf);
186 if (ret)
187 {
188 data->hMsg = CryptMsgOpenToDecode(data->dwEncoding, 0, 0, data->hProv,
189 NULL, NULL);
190 if (data->hMsg)
191 ret = CryptMsgUpdate(data->hMsg, buf, size, TRUE);
192 }
193
194 data->psPfns->pfnFree(buf);
195 TRACE("returning %d\n", ret);
196 return ret;
197 }
198
199 static BOOL SOFTPUB_CreateStoreFromMessage(CRYPT_PROVIDER_DATA *data)
200 {
201 BOOL ret = FALSE;
202 HCERTSTORE store;
203
204 store = CertOpenStore(CERT_STORE_PROV_MSG, data->dwEncoding,
205 data->hProv, CERT_STORE_NO_CRYPT_RELEASE_FLAG, data->hMsg);
206 if (store)
207 {
208 ret = data->psPfns->pfnAddStore2Chain(data, store);
209 CertCloseStore(store, 0);
210 }
211 TRACE("returning %d\n", ret);
212 return ret;
213 }
214
215 static DWORD SOFTPUB_DecodeInnerContent(CRYPT_PROVIDER_DATA *data)
216 {
217 BOOL ret;
218 DWORD size;
219 LPSTR oid = NULL;
220 LPBYTE buf = NULL;
221
222 ret = CryptMsgGetParam(data->hMsg, CMSG_INNER_CONTENT_TYPE_PARAM, 0, NULL,
223 &size);
224 if (!ret)
225 goto error;
226 oid = data->psPfns->pfnAlloc(size);
227 if (!oid)
228 {
229 SetLastError(ERROR_OUTOFMEMORY);
230 ret = FALSE;
231 goto error;
232 }
233 ret = CryptMsgGetParam(data->hMsg, CMSG_INNER_CONTENT_TYPE_PARAM, 0, oid,
234 &size);
235 if (!ret)
236 goto error;
237 ret = CryptMsgGetParam(data->hMsg, CMSG_CONTENT_PARAM, 0, NULL, &size);
238 if (!ret)
239 goto error;
240 buf = data->psPfns->pfnAlloc(size);
241 if (!buf)
242 {
243 SetLastError(ERROR_OUTOFMEMORY);
244 ret = FALSE;
245 goto error;
246 }
247 ret = CryptMsgGetParam(data->hMsg, CMSG_CONTENT_PARAM, 0, buf, &size);
248 if (!ret)
249 goto error;
250 ret = CryptDecodeObject(data->dwEncoding, oid, buf, size, 0, NULL, &size);
251 if (!ret)
252 goto error;
253 data->u.pPDSip->psIndirectData = data->psPfns->pfnAlloc(size);
254 if (!data->u.pPDSip->psIndirectData)
255 {
256 SetLastError(ERROR_OUTOFMEMORY);
257 ret = FALSE;
258 goto error;
259 }
260 ret = CryptDecodeObject(data->dwEncoding, oid, buf, size, 0,
261 data->u.pPDSip->psIndirectData, &size);
262
263 error:
264 TRACE("returning %d\n", ret);
265 data->psPfns->pfnFree(oid);
266 data->psPfns->pfnFree(buf);
267 return ret;
268 }
269
270 static BOOL SOFTPUB_LoadCertMessage(CRYPT_PROVIDER_DATA *data)
271 {
272 BOOL ret;
273
274 if (data->pWintrustData->u.pCert &&
275 WVT_IS_CBSTRUCT_GT_MEMBEROFFSET(WINTRUST_CERT_INFO,
276 data->pWintrustData->u.pCert->cbStruct, psCertContext))
277 {
278 if (data->psPfns)
279 {
280 CRYPT_PROVIDER_SGNR signer = { sizeof(signer), { 0 } };
281 DWORD i;
282
283 /* Add a signer with nothing but the time to verify, so we can
284 * add a cert to it
285 */
286 if (WVT_ISINSTRUCT(WINTRUST_CERT_INFO,
287 data->pWintrustData->u.pCert->cbStruct, psftVerifyAsOf) &&
288 data->pWintrustData->u.pCert->psftVerifyAsOf)
289 data->sftSystemTime = signer.sftVerifyAsOf;
290 else
291 {
292 SYSTEMTIME sysTime;
293
294 GetSystemTime(&sysTime);
295 SystemTimeToFileTime(&sysTime, &signer.sftVerifyAsOf);
296 }
297 ret = data->psPfns->pfnAddSgnr2Chain(data, FALSE, 0, &signer);
298 if (ret)
299 {
300 ret = data->psPfns->pfnAddCert2Chain(data, 0, FALSE, 0,
301 data->pWintrustData->u.pCert->psCertContext);
302 if (WVT_ISINSTRUCT(WINTRUST_CERT_INFO,
303 data->pWintrustData->u.pCert->cbStruct, pahStores))
304 for (i = 0;
305 ret && i < data->pWintrustData->u.pCert->chStores; i++)
306 ret = data->psPfns->pfnAddStore2Chain(data,
307 data->pWintrustData->u.pCert->pahStores[i]);
308 }
309 }
310 else
311 {
312 /* Do nothing!? See the tests */
313 ret = TRUE;
314 }
315 }
316 else
317 {
318 SetLastError(ERROR_INVALID_PARAMETER);
319 ret = FALSE;
320 }
321 return ret;
322 }
323
324 static DWORD SOFTPUB_LoadFileMessage(CRYPT_PROVIDER_DATA *data)
325 {
326 DWORD err = ERROR_SUCCESS;
327
328 if (!data->pWintrustData->u.pFile)
329 {
330 err = ERROR_INVALID_PARAMETER;
331 goto error;
332 }
333 err = SOFTPUB_OpenFile(data);
334 if (err)
335 goto error;
336 err = SOFTPUB_GetFileSubject(data);
337 if (err)
338 goto error;
339 err = SOFTPUB_GetSIP(data);
340 if (err)
341 goto error;
342 if (!SOFTPUB_GetMessageFromFile(data, data->pWintrustData->u.pFile->hFile,
343 data->pWintrustData->u.pFile->pcwszFilePath))
344 {
345 err = GetLastError();
346 goto error;
347 }
348 if (!SOFTPUB_CreateStoreFromMessage(data))
349 {
350 err = GetLastError();
351 goto error;
352 }
353 if (!SOFTPUB_DecodeInnerContent(data))
354 err = GetLastError();
355 error:
356 return err;
357 }
358
359 static DWORD SOFTPUB_LoadCatalogMessage(CRYPT_PROVIDER_DATA *data)
360 {
361 DWORD err;
362 HANDLE catalog = INVALID_HANDLE_VALUE;
363
364 if (!data->pWintrustData->u.pCatalog)
365 {
366 SetLastError(ERROR_INVALID_PARAMETER);
367 return FALSE;
368 }
369 catalog = CreateFileW(data->pWintrustData->u.pCatalog->pcwszCatalogFilePath,
370 GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
371 NULL);
372 if (catalog == INVALID_HANDLE_VALUE)
373 return GetLastError();
374 if (!CryptSIPRetrieveSubjectGuid(
375 data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, catalog,
376 &data->u.pPDSip->gSubject))
377 {
378 err = GetLastError();
379 goto error;
380 }
381 err = SOFTPUB_GetSIP(data);
382 if (err)
383 goto error;
384 if (!SOFTPUB_GetMessageFromFile(data, catalog,
385 data->pWintrustData->u.pCatalog->pcwszCatalogFilePath))
386 {
387 err = GetLastError();
388 goto error;
389 }
390 if (!SOFTPUB_CreateStoreFromMessage(data))
391 {
392 err = GetLastError();
393 goto error;
394 }
395 if (!SOFTPUB_DecodeInnerContent(data))
396 err = GetLastError();
397 /* FIXME: this loads the catalog file, but doesn't validate the member. */
398 error:
399 CloseHandle(catalog);
400 return err;
401 }
402
403 HRESULT WINAPI SoftpubLoadMessage(CRYPT_PROVIDER_DATA *data)
404 {
405 BOOL ret = TRUE;
406 DWORD err = ERROR_SUCCESS;
407
408 TRACE("(%p)\n", data);
409
410 if (!data->padwTrustStepErrors)
411 return S_FALSE;
412
413 switch (data->pWintrustData->dwUnionChoice)
414 {
415 case WTD_CHOICE_CERT:
416 ret = SOFTPUB_LoadCertMessage(data);
417 break;
418 case WTD_CHOICE_FILE:
419 err = SOFTPUB_LoadFileMessage(data);
420 break;
421 case WTD_CHOICE_CATALOG:
422 err = SOFTPUB_LoadCatalogMessage(data);
423 break;
424 default:
425 FIXME("unimplemented for %d\n", data->pWintrustData->dwUnionChoice);
426 SetLastError(ERROR_INVALID_PARAMETER);
427 ret = FALSE;
428 }
429
430 if (!ret)
431 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] =
432 GetLastError();
433 else if (err)
434 {
435 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] = err;
436 ret = FALSE;
437 }
438 TRACE("returning %d (%08x)\n", ret ? S_OK : S_FALSE,
439 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV]);
440 return ret ? S_OK : S_FALSE;
441 }
442
443 static CMSG_SIGNER_INFO *WINTRUST_GetSigner(CRYPT_PROVIDER_DATA *data,
444 DWORD signerIdx)
445 {
446 BOOL ret;
447 CMSG_SIGNER_INFO *signerInfo = NULL;
448 DWORD size;
449
450 ret = CryptMsgGetParam(data->hMsg, CMSG_SIGNER_INFO_PARAM, signerIdx,
451 NULL, &size);
452 if (ret)
453 {
454 signerInfo = data->psPfns->pfnAlloc(size);
455 if (signerInfo)
456 {
457 ret = CryptMsgGetParam(data->hMsg, CMSG_SIGNER_INFO_PARAM,
458 signerIdx, signerInfo, &size);
459 if (!ret)
460 {
461 data->psPfns->pfnFree(signerInfo);
462 signerInfo = NULL;
463 }
464 }
465 else
466 SetLastError(ERROR_OUTOFMEMORY);
467 }
468 return signerInfo;
469 }
470
471 static BOOL WINTRUST_SaveSigner(CRYPT_PROVIDER_DATA *data, DWORD signerIdx)
472 {
473 BOOL ret;
474 CMSG_SIGNER_INFO *signerInfo = WINTRUST_GetSigner(data, signerIdx);
475
476 if (signerInfo)
477 {
478 CRYPT_PROVIDER_SGNR sgnr = { sizeof(sgnr), { 0 } };
479
480 sgnr.psSigner = signerInfo;
481 sgnr.sftVerifyAsOf = data->sftSystemTime;
482 ret = data->psPfns->pfnAddSgnr2Chain(data, FALSE, signerIdx, &sgnr);
483 }
484 else
485 ret = FALSE;
486 return ret;
487 }
488
489 static CERT_INFO *WINTRUST_GetSignerCertInfo(CRYPT_PROVIDER_DATA *data,
490 DWORD signerIdx)
491 {
492 BOOL ret;
493 CERT_INFO *certInfo = NULL;
494 DWORD size;
495
496 ret = CryptMsgGetParam(data->hMsg, CMSG_SIGNER_CERT_INFO_PARAM, signerIdx,
497 NULL, &size);
498 if (ret)
499 {
500 certInfo = data->psPfns->pfnAlloc(size);
501 if (certInfo)
502 {
503 ret = CryptMsgGetParam(data->hMsg, CMSG_SIGNER_CERT_INFO_PARAM,
504 signerIdx, certInfo, &size);
505 if (!ret)
506 {
507 data->psPfns->pfnFree(certInfo);
508 certInfo = NULL;
509 }
510 }
511 else
512 SetLastError(ERROR_OUTOFMEMORY);
513 }
514 return certInfo;
515 }
516
517 static BOOL WINTRUST_VerifySigner(CRYPT_PROVIDER_DATA *data, DWORD signerIdx)
518 {
519 BOOL ret;
520 CERT_INFO *certInfo = WINTRUST_GetSignerCertInfo(data, signerIdx);
521
522 if (certInfo)
523 {
524 PCCERT_CONTEXT subject = CertGetSubjectCertificateFromStore(
525 data->pahStores[0], data->dwEncoding, certInfo);
526
527 if (subject)
528 {
529 CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA para = { sizeof(para), 0,
530 signerIdx, CMSG_VERIFY_SIGNER_CERT, (LPVOID)subject };
531
532 ret = CryptMsgControl(data->hMsg, 0, CMSG_CTRL_VERIFY_SIGNATURE_EX,
533 &para);
534 if (!ret)
535 SetLastError(TRUST_E_CERT_SIGNATURE);
536 else
537 data->psPfns->pfnAddCert2Chain(data, signerIdx, FALSE, 0,
538 subject);
539 CertFreeCertificateContext(subject);
540 }
541 else
542 {
543 SetLastError(TRUST_E_NO_SIGNER_CERT);
544 ret = FALSE;
545 }
546 data->psPfns->pfnFree(certInfo);
547 }
548 else
549 ret = FALSE;
550 return ret;
551 }
552
553 HRESULT WINAPI SoftpubLoadSignature(CRYPT_PROVIDER_DATA *data)
554 {
555 BOOL ret;
556
557 TRACE("(%p)\n", data);
558
559 if (!data->padwTrustStepErrors)
560 return S_FALSE;
561
562 if (data->hMsg)
563 {
564 DWORD signerCount, size;
565
566 size = sizeof(signerCount);
567 ret = CryptMsgGetParam(data->hMsg, CMSG_SIGNER_COUNT_PARAM, 0,
568 &signerCount, &size);
569 if (ret)
570 {
571 DWORD i;
572
573 for (i = 0; ret && i < signerCount; i++)
574 {
575 if ((ret = WINTRUST_SaveSigner(data, i)))
576 ret = WINTRUST_VerifySigner(data, i);
577 }
578 }
579 else
580 SetLastError(TRUST_E_NOSIGNATURE);
581 }
582 else
583 ret = TRUE;
584 if (!ret)
585 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_SIGPROV] =
586 GetLastError();
587 return ret ? S_OK : S_FALSE;
588 }
589
590 static DWORD WINTRUST_TrustStatusToConfidence(DWORD errorStatus)
591 {
592 DWORD confidence = 0;
593
594 confidence = 0;
595 if (!(errorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID))
596 confidence |= CERT_CONFIDENCE_SIG;
597 if (!(errorStatus & CERT_TRUST_IS_NOT_TIME_VALID))
598 confidence |= CERT_CONFIDENCE_TIME;
599 if (!(errorStatus & CERT_TRUST_IS_NOT_TIME_NESTED))
600 confidence |= CERT_CONFIDENCE_TIMENEST;
601 return confidence;
602 }
603
604 BOOL WINAPI SoftpubCheckCert(CRYPT_PROVIDER_DATA *data, DWORD idxSigner,
605 BOOL fCounterSignerChain, DWORD idxCounterSigner)
606 {
607 BOOL ret;
608
609 TRACE("(%p, %d, %d, %d)\n", data, idxSigner, fCounterSignerChain,
610 idxCounterSigner);
611
612 if (fCounterSignerChain)
613 {
614 FIXME("unimplemented for counter signers\n");
615 ret = FALSE;
616 }
617 else
618 {
619 PCERT_SIMPLE_CHAIN simpleChain =
620 data->pasSigners[idxSigner].pChainContext->rgpChain[0];
621 DWORD i;
622
623 ret = TRUE;
624 for (i = 0; i < simpleChain->cElement; i++)
625 {
626 /* Set confidence */
627 data->pasSigners[idxSigner].pasCertChain[i].dwConfidence =
628 WINTRUST_TrustStatusToConfidence(
629 simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus);
630 /* Set additional flags */
631 if (!(simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
632 CERT_TRUST_IS_UNTRUSTED_ROOT))
633 data->pasSigners[idxSigner].pasCertChain[i].fTrustedRoot = TRUE;
634 if (simpleChain->rgpElement[i]->TrustStatus.dwInfoStatus &
635 CERT_TRUST_IS_SELF_SIGNED)
636 data->pasSigners[idxSigner].pasCertChain[i].fSelfSigned = TRUE;
637 if (simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus &
638 CERT_TRUST_IS_CYCLIC)
639 data->pasSigners[idxSigner].pasCertChain[i].fIsCyclic = TRUE;
640 }
641 }
642 return ret;
643 }
644
645 static DWORD WINTRUST_TrustStatusToError(DWORD errorStatus)
646 {
647 DWORD error;
648
649 if (errorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
650 error = TRUST_E_CERT_SIGNATURE;
651 else if (errorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT)
652 error = CERT_E_UNTRUSTEDROOT;
653 else if (errorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
654 error = CERT_E_EXPIRED;
655 else if (errorStatus & CERT_TRUST_IS_NOT_TIME_NESTED)
656 error = CERT_E_VALIDITYPERIODNESTING;
657 else if (errorStatus & CERT_TRUST_IS_REVOKED)
658 error = CERT_E_REVOKED;
659 else if (errorStatus & CERT_TRUST_IS_OFFLINE_REVOCATION ||
660 errorStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
661 error = CERT_E_REVOCATION_FAILURE;
662 else if (errorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE)
663 error = CERT_E_WRONG_USAGE;
664 else if (errorStatus & CERT_TRUST_IS_CYCLIC)
665 error = CERT_E_CHAINING;
666 else if (errorStatus & CERT_TRUST_INVALID_EXTENSION)
667 error = CERT_E_CRITICAL;
668 else if (errorStatus & CERT_TRUST_INVALID_POLICY_CONSTRAINTS)
669 error = CERT_E_INVALID_POLICY;
670 else if (errorStatus & CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
671 error = TRUST_E_BASIC_CONSTRAINTS;
672 else if (errorStatus & CERT_TRUST_INVALID_NAME_CONSTRAINTS ||
673 errorStatus & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT ||
674 errorStatus & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT ||
675 errorStatus & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT ||
676 errorStatus & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT)
677 error = CERT_E_INVALID_NAME;
678 else if (errorStatus & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY)
679 error = CERT_E_INVALID_POLICY;
680 else if (errorStatus)
681 {
682 FIXME("unknown error status %08x\n", errorStatus);
683 error = TRUST_E_SYSTEM_ERROR;
684 }
685 else
686 error = S_OK;
687 return error;
688 }
689
690 static BOOL WINTRUST_CopyChain(CRYPT_PROVIDER_DATA *data, DWORD signerIdx)
691 {
692 BOOL ret;
693 PCERT_SIMPLE_CHAIN simpleChain =
694 data->pasSigners[signerIdx].pChainContext->rgpChain[0];
695 DWORD i;
696
697 data->pasSigners[signerIdx].pasCertChain[0].dwConfidence =
698 WINTRUST_TrustStatusToConfidence(
699 simpleChain->rgpElement[0]->TrustStatus.dwErrorStatus);
700 data->pasSigners[signerIdx].pasCertChain[0].pChainElement =
701 simpleChain->rgpElement[0];
702 ret = TRUE;
703 for (i = 1; ret && i < simpleChain->cElement; i++)
704 {
705 ret = data->psPfns->pfnAddCert2Chain(data, signerIdx, FALSE, 0,
706 simpleChain->rgpElement[i]->pCertContext);
707 if (ret)
708 {
709 data->pasSigners[signerIdx].pasCertChain[i].pChainElement =
710 simpleChain->rgpElement[i];
711 data->pasSigners[signerIdx].pasCertChain[i].dwConfidence =
712 WINTRUST_TrustStatusToConfidence(
713 simpleChain->rgpElement[i]->TrustStatus.dwErrorStatus);
714 }
715 }
716 data->pasSigners[signerIdx].pasCertChain[simpleChain->cElement - 1].dwError
717 = WINTRUST_TrustStatusToError(
718 simpleChain->rgpElement[simpleChain->cElement - 1]->
719 TrustStatus.dwErrorStatus);
720 return ret;
721 }
722
723 static void WINTRUST_CreateChainPolicyCreateInfo(
724 const CRYPT_PROVIDER_DATA *data, PWTD_GENERIC_CHAIN_POLICY_CREATE_INFO info,
725 PCERT_CHAIN_PARA chainPara)
726 {
727 chainPara->cbSize = sizeof(CERT_CHAIN_PARA);
728 if (data->pRequestUsage)
729 chainPara->RequestedUsage = *data->pRequestUsage;
730 else
731 {
732 chainPara->RequestedUsage.dwType = 0;
733 chainPara->RequestedUsage.Usage.cUsageIdentifier = 0;
734 }
735 info->u.cbSize = sizeof(WTD_GENERIC_CHAIN_POLICY_CREATE_INFO);
736 info->hChainEngine = NULL;
737 info->pChainPara = chainPara;
738 if (data->dwProvFlags & CPD_REVOCATION_CHECK_END_CERT)
739 info->dwFlags = CERT_CHAIN_REVOCATION_CHECK_END_CERT;
740 else if (data->dwProvFlags & CPD_REVOCATION_CHECK_CHAIN)
741 info->dwFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN;
742 else if (data->dwProvFlags & CPD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT)
743 info->dwFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
744 else
745 info->dwFlags = 0;
746 info->pvReserved = NULL;
747 }
748
749 static BOOL WINTRUST_CreateChainForSigner(CRYPT_PROVIDER_DATA *data,
750 DWORD signer, PWTD_GENERIC_CHAIN_POLICY_CREATE_INFO createInfo,
751 PCERT_CHAIN_PARA chainPara)
752 {
753 BOOL ret = TRUE;
754 HCERTSTORE store = NULL;
755
756 if (data->chStores)
757 {
758 store = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
759 CERT_STORE_CREATE_NEW_FLAG, NULL);
760 if (store)
761 {
762 DWORD i;
763
764 for (i = 0; i < data->chStores; i++)
765 CertAddStoreToCollection(store, data->pahStores[i], 0, 0);
766 }
767 }
768 /* Expect the end certificate for each signer to be the only cert in the
769 * chain:
770 */
771 if (data->pasSigners[signer].csCertChain)
772 {
773 /* Create a certificate chain for each signer */
774 ret = CertGetCertificateChain(createInfo->hChainEngine,
775 data->pasSigners[signer].pasCertChain[0].pCert,
776 &data->pasSigners[signer].sftVerifyAsOf, store,
777 chainPara, createInfo->dwFlags, createInfo->pvReserved,
778 &data->pasSigners[signer].pChainContext);
779 if (ret)
780 {
781 if (data->pasSigners[signer].pChainContext->cChain != 1)
782 {
783 FIXME("unimplemented for more than 1 simple chain\n");
784 ret = FALSE;
785 }
786 else
787 {
788 if ((ret = WINTRUST_CopyChain(data, signer)))
789 {
790 if (data->psPfns->pfnCertCheckPolicy)
791 ret = data->psPfns->pfnCertCheckPolicy(data, signer,
792 FALSE, 0);
793 else
794 TRACE("no cert check policy, skipping policy check\n");
795 }
796 }
797 }
798 }
799 CertCloseStore(store, 0);
800 return ret;
801 }
802
803 HRESULT WINAPI WintrustCertificateTrust(CRYPT_PROVIDER_DATA *data)
804 {
805 BOOL ret;
806
807 TRACE("(%p)\n", data);
808
809 if (!data->csSigners)
810 {
811 ret = FALSE;
812 SetLastError(TRUST_E_NOSIGNATURE);
813 }
814 else
815 {
816 DWORD i;
817 WTD_GENERIC_CHAIN_POLICY_CREATE_INFO createInfo;
818 CERT_CHAIN_PARA chainPara;
819
820 WINTRUST_CreateChainPolicyCreateInfo(data, &createInfo, &chainPara);
821 ret = TRUE;
822 for (i = 0; i < data->csSigners; i++)
823 ret = WINTRUST_CreateChainForSigner(data, i, &createInfo,
824 &chainPara);
825 }
826 if (!ret)
827 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
828 GetLastError();
829 TRACE("returning %d (%08x)\n", ret ? S_OK : S_FALSE,
830 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV]);
831 return ret ? S_OK : S_FALSE;
832 }
833
834 HRESULT WINAPI GenericChainCertificateTrust(CRYPT_PROVIDER_DATA *data)
835 {
836 BOOL ret;
837 WTD_GENERIC_CHAIN_POLICY_DATA *policyData =
838 data->pWintrustData->pPolicyCallbackData;
839
840 TRACE("(%p)\n", data);
841
842 if (policyData && policyData->u.cbSize !=
843 sizeof(WTD_GENERIC_CHAIN_POLICY_CREATE_INFO))
844 {
845 SetLastError(ERROR_INVALID_PARAMETER);
846 ret = FALSE;
847 goto end;
848 }
849 if (!data->csSigners)
850 {
851 ret = FALSE;
852 SetLastError(TRUST_E_NOSIGNATURE);
853 }
854 else
855 {
856 DWORD i;
857 WTD_GENERIC_CHAIN_POLICY_CREATE_INFO createInfo, *pCreateInfo;
858 CERT_CHAIN_PARA chainPara, *pChainPara;
859
860 if (policyData)
861 {
862 pCreateInfo = policyData->pSignerChainInfo;
863 pChainPara = pCreateInfo->pChainPara;
864 }
865 else
866 {
867 WINTRUST_CreateChainPolicyCreateInfo(data, &createInfo, &chainPara);
868 pChainPara = &chainPara;
869 pCreateInfo = &createInfo;
870 }
871 ret = TRUE;
872 for (i = 0; i < data->csSigners; i++)
873 ret = WINTRUST_CreateChainForSigner(data, i, pCreateInfo,
874 pChainPara);
875 }
876
877 end:
878 if (!ret)
879 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
880 GetLastError();
881 TRACE("returning %d (%08x)\n", ret ? S_OK : S_FALSE,
882 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV]);
883 return ret ? S_OK : S_FALSE;
884 }
885
886 HRESULT WINAPI SoftpubAuthenticode(CRYPT_PROVIDER_DATA *data)
887 {
888 BOOL ret;
889 CERT_CHAIN_POLICY_STATUS policyStatus = { sizeof(policyStatus), 0 };
890
891 TRACE("(%p)\n", data);
892
893 if (data->pWintrustData->dwUIChoice != WTD_UI_NONE)
894 FIXME("unimplemented for UI choice %d\n",
895 data->pWintrustData->dwUIChoice);
896 if (!data->csSigners)
897 {
898 ret = FALSE;
899 policyStatus.dwError = TRUST_E_NOSIGNATURE;
900 }
901 else
902 {
903 DWORD i;
904
905 ret = TRUE;
906 for (i = 0; ret && i < data->csSigners; i++)
907 {
908 BYTE hash[20];
909 DWORD size = sizeof(hash);
910
911 /* First make sure cert isn't disallowed */
912 if ((ret = CertGetCertificateContextProperty(
913 data->pasSigners[i].pasCertChain[0].pCert,
914 CERT_SIGNATURE_HASH_PROP_ID, hash, &size)))
915 {
916 static const WCHAR disallowedW[] =
917 { 'D','i','s','a','l','l','o','w','e','d',0 };
918 HCERTSTORE disallowed = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
919 X509_ASN_ENCODING, 0, CERT_SYSTEM_STORE_CURRENT_USER,
920 disallowedW);
921
922 if (disallowed)
923 {
924 PCCERT_CONTEXT found = CertFindCertificateInStore(
925 disallowed, X509_ASN_ENCODING, 0, CERT_FIND_SIGNATURE_HASH,
926 hash, NULL);
927
928 if (found)
929 {
930 /* Disallowed! Can't verify it. */
931 policyStatus.dwError = TRUST_E_SUBJECT_NOT_TRUSTED;
932 ret = FALSE;
933 CertFreeCertificateContext(found);
934 }
935 CertCloseStore(disallowed, 0);
936 }
937 }
938 if (ret)
939 {
940 CERT_CHAIN_POLICY_PARA policyPara = { sizeof(policyPara), 0 };
941
942 if (data->dwRegPolicySettings & WTPF_TRUSTTEST)
943 policyPara.dwFlags |= CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG;
944 if (data->dwRegPolicySettings & WTPF_TESTCANBEVALID)
945 policyPara.dwFlags |= CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG;
946 if (data->dwRegPolicySettings & WTPF_IGNOREEXPIRATION)
947 policyPara.dwFlags |=
948 CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG |
949 CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG |
950 CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG;
951 if (data->dwRegPolicySettings & WTPF_IGNOREREVOKATION)
952 policyPara.dwFlags |=
953 CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG |
954 CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG |
955 CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG |
956 CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG;
957 CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_AUTHENTICODE,
958 data->pasSigners[i].pChainContext, &policyPara, &policyStatus);
959 if (policyStatus.dwError != NO_ERROR)
960 ret = FALSE;
961 }
962 }
963 }
964 if (!ret)
965 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV] =
966 policyStatus.dwError;
967 TRACE("returning %d (%08x)\n", ret ? S_OK : S_FALSE,
968 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV]);
969 return ret ? S_OK : S_FALSE;
970 }
971
972 static HRESULT WINAPI WINTRUST_DefaultPolicy(CRYPT_PROVIDER_DATA *pProvData,
973 DWORD dwStepError, DWORD dwRegPolicySettings, DWORD cSigner,
974 PWTD_GENERIC_CHAIN_POLICY_SIGNER_INFO rgpSigner, void *pvPolicyArg)
975 {
976 DWORD i;
977 CERT_CHAIN_POLICY_STATUS policyStatus = { sizeof(policyStatus), 0 };
978
979 for (i = 0; !policyStatus.dwError && i < cSigner; i++)
980 {
981 CERT_CHAIN_POLICY_PARA policyPara = { sizeof(policyPara), 0 };
982
983 if (dwRegPolicySettings & WTPF_IGNOREEXPIRATION)
984 policyPara.dwFlags |=
985 CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG |
986 CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG |
987 CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG;
988 if (dwRegPolicySettings & WTPF_IGNOREREVOKATION)
989 policyPara.dwFlags |=
990 CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG |
991 CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG |
992 CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG |
993 CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG;
994 CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE,
995 rgpSigner[i].pChainContext, &policyPara, &policyStatus);
996 }
997 return policyStatus.dwError;
998 }
999
1000 HRESULT WINAPI GenericChainFinalProv(CRYPT_PROVIDER_DATA *data)
1001 {
1002 HRESULT err = NO_ERROR; /* not a typo, MS confused the types */
1003 WTD_GENERIC_CHAIN_POLICY_DATA *policyData =
1004 data->pWintrustData->pPolicyCallbackData;
1005
1006 TRACE("(%p)\n", data);
1007
1008 if (data->pWintrustData->dwUIChoice != WTD_UI_NONE)
1009 FIXME("unimplemented for UI choice %d\n",
1010 data->pWintrustData->dwUIChoice);
1011 if (!data->csSigners)
1012 err = TRUST_E_NOSIGNATURE;
1013 else
1014 {
1015 PFN_WTD_GENERIC_CHAIN_POLICY_CALLBACK policyCallback;
1016 void *policyArg;
1017 WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO *signers = NULL;
1018
1019 if (policyData)
1020 {
1021 policyCallback = policyData->pfnPolicyCallback;
1022 policyArg = policyData->pvPolicyArg;
1023 }
1024 else
1025 {
1026 policyCallback = WINTRUST_DefaultPolicy;
1027 policyArg = NULL;
1028 }
1029 if (data->csSigners)
1030 {
1031 DWORD i;
1032
1033 signers = data->psPfns->pfnAlloc(
1034 data->csSigners * sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO));
1035 if (signers)
1036 {
1037 for (i = 0; i < data->csSigners; i++)
1038 {
1039 signers[i].u.cbSize =
1040 sizeof(WTD_GENERIC_CHAIN_POLICY_SIGNER_INFO);
1041 signers[i].pChainContext =
1042 data->pasSigners[i].pChainContext;
1043 signers[i].dwSignerType = data->pasSigners[i].dwSignerType;
1044 signers[i].pMsgSignerInfo = data->pasSigners[i].psSigner;
1045 signers[i].dwError = data->pasSigners[i].dwError;
1046 if (data->pasSigners[i].csCounterSigners)
1047 FIXME("unimplemented for counter signers\n");
1048 signers[i].cCounterSigner = 0;
1049 signers[i].rgpCounterSigner = NULL;
1050 }
1051 }
1052 else
1053 err = ERROR_OUTOFMEMORY;
1054 }
1055 if (err == NO_ERROR)
1056 err = policyCallback(data, TRUSTERROR_STEP_FINAL_POLICYPROV,
1057 data->dwRegPolicySettings, data->csSigners, signers, policyArg);
1058 data->psPfns->pfnFree(signers);
1059 }
1060 if (err != NO_ERROR)
1061 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV] = err;
1062 TRACE("returning %d (%08x)\n", err == NO_ERROR ? S_OK : S_FALSE,
1063 data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV]);
1064 return err == NO_ERROR ? S_OK : S_FALSE;
1065 }
1066
1067 HRESULT WINAPI SoftpubCleanup(CRYPT_PROVIDER_DATA *data)
1068 {
1069 DWORD i, j;
1070
1071 for (i = 0; i < data->csSigners; i++)
1072 {
1073 for (j = 0; j < data->pasSigners[i].csCertChain; j++)
1074 CertFreeCertificateContext(data->pasSigners[i].pasCertChain[j].pCert);
1075 data->psPfns->pfnFree(data->pasSigners[i].pasCertChain);
1076 data->psPfns->pfnFree(data->pasSigners[i].psSigner);
1077 CertFreeCertificateChain(data->pasSigners[i].pChainContext);
1078 }
1079 data->psPfns->pfnFree(data->pasSigners);
1080
1081 for (i = 0; i < data->chStores; i++)
1082 CertCloseStore(data->pahStores[i], 0);
1083 data->psPfns->pfnFree(data->pahStores);
1084
1085 if (data->u.pPDSip)
1086 {
1087 data->psPfns->pfnFree(data->u.pPDSip->pSip);
1088 data->psPfns->pfnFree(data->u.pPDSip->pCATSip);
1089 data->psPfns->pfnFree(data->u.pPDSip->psSipSubjectInfo);
1090 data->psPfns->pfnFree(data->u.pPDSip->psSipCATSubjectInfo);
1091 data->psPfns->pfnFree(data->u.pPDSip->psIndirectData);
1092 }
1093
1094 CryptMsgClose(data->hMsg);
1095
1096 if (data->fOpenedFile &&
1097 data->pWintrustData->dwUnionChoice == WTD_CHOICE_FILE)
1098 CloseHandle(data->pWintrustData->u.pFile->hFile);
1099
1100 return S_OK;
1101 }
1102
1103 HRESULT WINAPI HTTPSCertificateTrust(CRYPT_PROVIDER_DATA *data)
1104 {
1105 FIXME("(%p)\n", data);
1106 return S_OK;
1107 }
1108
1109 HRESULT WINAPI HTTPSFinalProv(CRYPT_PROVIDER_DATA *data)
1110 {
1111 FIXME("(%p)\n", data);
1112 return S_OK;
1113 }
Wine tree for Wine Gecko development