advapi32/tests: Restore default cryptographic provider after the tests.
[wine] / dlls / crypt32 / chain.c
1 /*
2  * Copyright 2006 Juan Lang
3  *
4  * This library is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * This library is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with this library; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
17  *
18  */
19 #include <stdarg.h>
20 #define NONAMELESSUNION
21 #include "windef.h"
22 #include "winbase.h"
23 #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
24 #define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
25 #include "wincrypt.h"
26 #include "wine/debug.h"
27 #include "wine/unicode.h"
28 #include "crypt32_private.h"
29
30 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
31 WINE_DECLARE_DEBUG_CHANNEL(chain);
32
33 #define DEFAULT_CYCLE_MODULUS 7
34
35 static HCERTCHAINENGINE CRYPT_defaultChainEngine;
36
37 /* This represents a subset of a certificate chain engine:  it doesn't include
38  * the "hOther" store described by MSDN, because I'm not sure how that's used.
39  * It also doesn't include the "hTrust" store, because I don't yet implement
40  * CTLs or complex certificate chains.
41  */
42 typedef struct _CertificateChainEngine
43 {
44     LONG       ref;
45     HCERTSTORE hRoot;
46     HCERTSTORE hWorld;
47     DWORD      dwFlags;
48     DWORD      dwUrlRetrievalTimeout;
49     DWORD      MaximumCachedCertificates;
50     DWORD      CycleDetectionModulus;
51 } CertificateChainEngine, *PCertificateChainEngine;
52
53 static inline void CRYPT_AddStoresToCollection(HCERTSTORE collection,
54  DWORD cStores, HCERTSTORE *stores)
55 {
56     DWORD i;
57
58     for (i = 0; i < cStores; i++)
59         CertAddStoreToCollection(collection, stores[i], 0, 0);
60 }
61
62 static inline void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores)
63 {
64     DWORD i;
65
66     for (i = 0; i < cStores; i++)
67         CertCloseStore(stores[i], 0);
68 }
69
70 static const WCHAR rootW[] = { 'R','o','o','t',0 };
71
72 /* Finds cert in store by comparing the cert's hashes. */
73 static PCCERT_CONTEXT CRYPT_FindCertInStore(HCERTSTORE store,
74  PCCERT_CONTEXT cert)
75 {
76     PCCERT_CONTEXT matching = NULL;
77     BYTE hash[20];
78     DWORD size = sizeof(hash);
79
80     if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID, hash, &size))
81     {
82         CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
83
84         matching = CertFindCertificateInStore(store, cert->dwCertEncodingType,
85          0, CERT_FIND_SHA1_HASH, &blob, NULL);
86     }
87     return matching;
88 }
89
90 static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store)
91 {
92     BOOL ret = TRUE;
93
94     if (store)
95     {
96         HCERTSTORE rootStore = CertOpenSystemStoreW(0, rootW);
97         PCCERT_CONTEXT cert = NULL, check;
98
99         do {
100             cert = CertEnumCertificatesInStore(store, cert);
101             if (cert)
102             {
103                 if (!(check = CRYPT_FindCertInStore(rootStore, cert)))
104                     ret = FALSE;
105                 else
106                     CertFreeCertificateContext(check);
107             }
108         } while (ret && cert);
109         if (cert)
110             CertFreeCertificateContext(cert);
111         CertCloseStore(rootStore, 0);
112     }
113     return ret;
114 }
115
116 HCERTCHAINENGINE CRYPT_CreateChainEngine(HCERTSTORE root,
117  PCERT_CHAIN_ENGINE_CONFIG pConfig)
118 {
119     static const WCHAR caW[] = { 'C','A',0 };
120     static const WCHAR myW[] = { 'M','y',0 };
121     static const WCHAR trustW[] = { 'T','r','u','s','t',0 };
122     PCertificateChainEngine engine =
123      CryptMemAlloc(sizeof(CertificateChainEngine));
124
125     if (engine)
126     {
127         HCERTSTORE worldStores[4];
128
129         engine->ref = 1;
130         engine->hRoot = root;
131         engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
132          CERT_STORE_CREATE_NEW_FLAG, NULL);
133         worldStores[0] = CertDuplicateStore(engine->hRoot);
134         worldStores[1] = CertOpenSystemStoreW(0, caW);
135         worldStores[2] = CertOpenSystemStoreW(0, myW);
136         worldStores[3] = CertOpenSystemStoreW(0, trustW);
137         CRYPT_AddStoresToCollection(engine->hWorld,
138          sizeof(worldStores) / sizeof(worldStores[0]), worldStores);
139         CRYPT_AddStoresToCollection(engine->hWorld,
140          pConfig->cAdditionalStore, pConfig->rghAdditionalStore);
141         CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]),
142          worldStores);
143         engine->dwFlags = pConfig->dwFlags;
144         engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout;
145         engine->MaximumCachedCertificates =
146          pConfig->MaximumCachedCertificates;
147         if (pConfig->CycleDetectionModulus)
148             engine->CycleDetectionModulus = pConfig->CycleDetectionModulus;
149         else
150             engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS;
151     }
152     return engine;
153 }
154
155 BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
156  HCERTCHAINENGINE *phChainEngine)
157 {
158     BOOL ret;
159
160     TRACE("(%p, %p)\n", pConfig, phChainEngine);
161
162     if (pConfig->cbSize != sizeof(*pConfig))
163     {
164         SetLastError(E_INVALIDARG);
165         return FALSE;
166     }
167     *phChainEngine = NULL;
168     ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot);
169     if (ret)
170     {
171         HCERTSTORE root;
172         HCERTCHAINENGINE engine;
173
174         if (pConfig->hRestrictedRoot)
175             root = CertDuplicateStore(pConfig->hRestrictedRoot);
176         else
177             root = CertOpenSystemStoreW(0, rootW);
178         engine = CRYPT_CreateChainEngine(root, pConfig);
179         if (engine)
180         {
181             *phChainEngine = engine;
182             ret = TRUE;
183         }
184         else
185             ret = FALSE;
186     }
187     return ret;
188 }
189
190 VOID WINAPI CertFreeCertificateChainEngine(HCERTCHAINENGINE hChainEngine)
191 {
192     PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
193
194     TRACE("(%p)\n", hChainEngine);
195
196     if (engine && InterlockedDecrement(&engine->ref) == 0)
197     {
198         CertCloseStore(engine->hWorld, 0);
199         CertCloseStore(engine->hRoot, 0);
200         CryptMemFree(engine);
201     }
202 }
203
204 static HCERTCHAINENGINE CRYPT_GetDefaultChainEngine(void)
205 {
206     if (!CRYPT_defaultChainEngine)
207     {
208         CERT_CHAIN_ENGINE_CONFIG config = { 0 };
209         HCERTCHAINENGINE engine;
210
211         config.cbSize = sizeof(config);
212         CertCreateCertificateChainEngine(&config, &engine);
213         InterlockedCompareExchangePointer(&CRYPT_defaultChainEngine, engine,
214          NULL);
215         if (CRYPT_defaultChainEngine != engine)
216             CertFreeCertificateChainEngine(engine);
217     }
218     return CRYPT_defaultChainEngine;
219 }
220
221 void default_chain_engine_free(void)
222 {
223     CertFreeCertificateChainEngine(CRYPT_defaultChainEngine);
224 }
225
226 typedef struct _CertificateChain
227 {
228     CERT_CHAIN_CONTEXT context;
229     HCERTSTORE world;
230     LONG ref;
231 } CertificateChain, *PCertificateChain;
232
233 static BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
234 {
235     PCERT_EXTENSION ext;
236     DWORD size;
237     BOOL ret;
238
239     if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
240      cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
241     {
242         CERT_AUTHORITY_KEY_ID2_INFO *info;
243
244         ret = CryptDecodeObjectEx(cert->dwCertEncodingType,
245          X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
246          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
247          &info, &size);
248         if (ret)
249         {
250             if (info->AuthorityCertIssuer.cAltEntry &&
251              info->AuthorityCertSerialNumber.cbData)
252             {
253                 PCERT_ALT_NAME_ENTRY directoryName = NULL;
254                 DWORD i;
255
256                 for (i = 0; !directoryName &&
257                  i < info->AuthorityCertIssuer.cAltEntry; i++)
258                     if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
259                      == CERT_ALT_NAME_DIRECTORY_NAME)
260                         directoryName =
261                          &info->AuthorityCertIssuer.rgAltEntry[i];
262                 if (directoryName)
263                 {
264                     ret = CertCompareCertificateName(cert->dwCertEncodingType,
265                      &directoryName->u.DirectoryName, &cert->pCertInfo->Issuer)
266                      && CertCompareIntegerBlob(&info->AuthorityCertSerialNumber,
267                      &cert->pCertInfo->SerialNumber);
268                 }
269                 else
270                 {
271                     FIXME("no supported name type in authority key id2\n");
272                     ret = FALSE;
273                 }
274             }
275             else if (info->KeyId.cbData)
276             {
277                 ret = CertGetCertificateContextProperty(cert,
278                  CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
279                 if (ret && size == info->KeyId.cbData)
280                 {
281                     LPBYTE buf = CryptMemAlloc(size);
282
283                     if (buf)
284                     {
285                         CertGetCertificateContextProperty(cert,
286                          CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
287                         ret = !memcmp(buf, info->KeyId.pbData, size);
288                         CryptMemFree(buf);
289                     }
290                 }
291                 else
292                     ret = FALSE;
293             }
294             LocalFree(info);
295         }
296     }
297     else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
298      cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
299     {
300         CERT_AUTHORITY_KEY_ID_INFO *info;
301
302         ret = CryptDecodeObjectEx(cert->dwCertEncodingType,
303          X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
304          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
305          &info, &size);
306         if (ret)
307         {
308             if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
309             {
310                 ret = CertCompareCertificateName(cert->dwCertEncodingType,
311                  &info->CertIssuer, &cert->pCertInfo->Issuer) &&
312                  CertCompareIntegerBlob(&info->CertSerialNumber,
313                  &cert->pCertInfo->SerialNumber);
314             }
315             else if (info->KeyId.cbData)
316             {
317                 ret = CertGetCertificateContextProperty(cert,
318                  CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
319                 if (ret && size == info->KeyId.cbData)
320                 {
321                     LPBYTE buf = CryptMemAlloc(size);
322
323                     if (buf)
324                     {
325                         CertGetCertificateContextProperty(cert,
326                          CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
327                         ret = !memcmp(buf, info->KeyId.pbData, size);
328                         CryptMemFree(buf);
329                     }
330                     else
331                         ret = FALSE;
332                 }
333                 else
334                     ret = FALSE;
335             }
336             else
337                 ret = FALSE;
338             LocalFree(info);
339         }
340     }
341     else
342         ret = CertCompareCertificateName(cert->dwCertEncodingType,
343          &cert->pCertInfo->Subject, &cert->pCertInfo->Issuer);
344     return ret;
345 }
346
347 static void CRYPT_FreeChainElement(PCERT_CHAIN_ELEMENT element)
348 {
349     CertFreeCertificateContext(element->pCertContext);
350     CryptMemFree(element);
351 }
352
353 static void CRYPT_CheckSimpleChainForCycles(PCERT_SIMPLE_CHAIN chain)
354 {
355     DWORD i, j, cyclicCertIndex = 0;
356
357     /* O(n^2) - I don't think there's a faster way */
358     for (i = 0; !cyclicCertIndex && i < chain->cElement; i++)
359         for (j = i + 1; !cyclicCertIndex && j < chain->cElement; j++)
360             if (CertCompareCertificate(X509_ASN_ENCODING,
361              chain->rgpElement[i]->pCertContext->pCertInfo,
362              chain->rgpElement[j]->pCertContext->pCertInfo))
363                 cyclicCertIndex = j;
364     if (cyclicCertIndex)
365     {
366         chain->rgpElement[cyclicCertIndex]->TrustStatus.dwErrorStatus
367          |= CERT_TRUST_IS_CYCLIC | CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
368         /* Release remaining certs */
369         for (i = cyclicCertIndex + 1; i < chain->cElement; i++)
370             CRYPT_FreeChainElement(chain->rgpElement[i]);
371         /* Truncate chain */
372         chain->cElement = cyclicCertIndex + 1;
373     }
374 }
375
376 /* Checks whether the chain is cyclic by examining the last element's status */
377 static inline BOOL CRYPT_IsSimpleChainCyclic(const CERT_SIMPLE_CHAIN *chain)
378 {
379     if (chain->cElement)
380         return chain->rgpElement[chain->cElement - 1]->TrustStatus.dwErrorStatus
381          & CERT_TRUST_IS_CYCLIC;
382     else
383         return FALSE;
384 }
385
386 static inline void CRYPT_CombineTrustStatus(CERT_TRUST_STATUS *chainStatus,
387  const CERT_TRUST_STATUS *elementStatus)
388 {
389     /* Any error that applies to an element also applies to a chain.. */
390     chainStatus->dwErrorStatus |= elementStatus->dwErrorStatus;
391     /* but the bottom nibble of an element's info status doesn't apply to the
392      * chain.
393      */
394     chainStatus->dwInfoStatus |= (elementStatus->dwInfoStatus & 0xfffffff0);
395 }
396
397 static BOOL CRYPT_AddCertToSimpleChain(const CertificateChainEngine *engine,
398  PCERT_SIMPLE_CHAIN chain, PCCERT_CONTEXT cert, DWORD subjectInfoStatus)
399 {
400     BOOL ret = FALSE;
401     PCERT_CHAIN_ELEMENT element = CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
402
403     if (element)
404     {
405         if (!chain->cElement)
406             chain->rgpElement = CryptMemAlloc(sizeof(PCERT_CHAIN_ELEMENT));
407         else
408             chain->rgpElement = CryptMemRealloc(chain->rgpElement,
409              (chain->cElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
410         if (chain->rgpElement)
411         {
412             chain->rgpElement[chain->cElement++] = element;
413             memset(element, 0, sizeof(CERT_CHAIN_ELEMENT));
414             element->cbSize = sizeof(CERT_CHAIN_ELEMENT);
415             element->pCertContext = CertDuplicateCertificateContext(cert);
416             if (chain->cElement > 1)
417                 chain->rgpElement[chain->cElement - 2]->TrustStatus.dwInfoStatus
418                  = subjectInfoStatus;
419             /* FIXME: initialize the rest of element */
420             if (!(chain->cElement % engine->CycleDetectionModulus))
421             {
422                 CRYPT_CheckSimpleChainForCycles(chain);
423                 /* Reinitialize the element pointer in case the chain is
424                  * cyclic, in which case the chain is truncated.
425                  */
426                 element = chain->rgpElement[chain->cElement - 1];
427             }
428             CRYPT_CombineTrustStatus(&chain->TrustStatus,
429              &element->TrustStatus);
430             ret = TRUE;
431         }
432         else
433             CryptMemFree(element);
434     }
435     return ret;
436 }
437
438 static void CRYPT_FreeSimpleChain(PCERT_SIMPLE_CHAIN chain)
439 {
440     DWORD i;
441
442     for (i = 0; i < chain->cElement; i++)
443         CRYPT_FreeChainElement(chain->rgpElement[i]);
444     CryptMemFree(chain->rgpElement);
445     CryptMemFree(chain);
446 }
447
448 static void CRYPT_CheckTrustedStatus(HCERTSTORE hRoot,
449  PCERT_CHAIN_ELEMENT rootElement)
450 {
451     PCCERT_CONTEXT trustedRoot = CRYPT_FindCertInStore(hRoot,
452      rootElement->pCertContext);
453
454     if (!trustedRoot)
455         rootElement->TrustStatus.dwErrorStatus |=
456          CERT_TRUST_IS_UNTRUSTED_ROOT;
457     else
458         CertFreeCertificateContext(trustedRoot);
459 }
460
461 static void CRYPT_CheckRootCert(HCERTCHAINENGINE hRoot,
462  PCERT_CHAIN_ELEMENT rootElement)
463 {
464     PCCERT_CONTEXT root = rootElement->pCertContext;
465
466     if (!CryptVerifyCertificateSignatureEx(0, root->dwCertEncodingType,
467      CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *)root,
468      CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)root, 0, NULL))
469     {
470         TRACE_(chain)("Last certificate's signature is invalid\n");
471         rootElement->TrustStatus.dwErrorStatus |=
472          CERT_TRUST_IS_NOT_SIGNATURE_VALID;
473     }
474     CRYPT_CheckTrustedStatus(hRoot, rootElement);
475 }
476
477 /* Decodes a cert's basic constraints extension (either szOID_BASIC_CONSTRAINTS
478  * or szOID_BASIC_CONSTRAINTS2, whichever is present) into a
479  * CERT_BASIC_CONSTRAINTS2_INFO.  If it neither extension is present, sets
480  * constraints->fCA to defaultIfNotSpecified.
481  * Returns FALSE if the extension is present but couldn't be decoded.
482  */
483 static BOOL CRYPT_DecodeBasicConstraints(PCCERT_CONTEXT cert,
484  CERT_BASIC_CONSTRAINTS2_INFO *constraints, BOOL defaultIfNotSpecified)
485 {
486     BOOL ret = TRUE;
487     PCERT_EXTENSION ext = CertFindExtension(szOID_BASIC_CONSTRAINTS,
488      cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
489
490     constraints->fPathLenConstraint = FALSE;
491     if (ext)
492     {
493         CERT_BASIC_CONSTRAINTS_INFO *info;
494         DWORD size = 0;
495
496         ret = CryptDecodeObjectEx(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS,
497          ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG,
498          NULL, &info, &size);
499         if (ret)
500         {
501             if (info->SubjectType.cbData == 1)
502                 constraints->fCA =
503                  info->SubjectType.pbData[0] & CERT_CA_SUBJECT_FLAG;
504             LocalFree(info);
505         }
506     }
507     else
508     {
509         ext = CertFindExtension(szOID_BASIC_CONSTRAINTS2,
510          cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
511         if (ext)
512         {
513             DWORD size = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
514
515             ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
516              szOID_BASIC_CONSTRAINTS2, ext->Value.pbData, ext->Value.cbData,
517              0, NULL, constraints, &size);
518         }
519         else
520             constraints->fCA = defaultIfNotSpecified;
521     }
522     return ret;
523 }
524
525 /* Checks element's basic constraints to see if it can act as a CA, with
526  * remainingCAs CAs left in this chain.  In general, a cert must include the
527  * basic constraints extension, with the CA flag asserted, in order to be
528  * allowed to be a CA.  A V1 or V2 cert, which has no extensions, is also
529  * allowed to be a CA if it's installed locally (in the engine's world store.)
530  * This matches the expected usage in RFC 5280, section 4.2.1.9:  a conforming
531  * CA MUST include the basic constraints extension in all certificates that are
532  * used to validate digital signatures on certificates.  It also matches
533  * section 6.1.4(k): "If a certificate is a v1 or v2 certificate, then the
534  * application MUST either verify that the certificate is a CA certificate
535  * through out-of-band means or reject the certificate." Rejecting the
536  * certificate prohibits a large number of commonly used certificates, so
537  * accepting locally installed ones is a compromise.
538  * Root certificates are also allowed to be CAs even without a basic
539  * constraints extension.  This is implied by RFC 5280, section 6.1:  the
540  * root of a certificate chain's only requirement is that it was used to issue
541  * the next certificate in the chain.
542  * Updates chainConstraints with the element's constraints, if:
543  * 1. chainConstraints doesn't have a path length constraint, or
544  * 2. element's path length constraint is smaller than chainConstraints's
545  * Sets *pathLengthConstraintViolated to TRUE if a path length violation
546  * occurs.
547  * Returns TRUE if the element can be a CA, and the length of the remaining
548  * chain is valid.
549  */
550 static BOOL CRYPT_CheckBasicConstraintsForCA(PCertificateChainEngine engine,
551  PCCERT_CONTEXT cert, CERT_BASIC_CONSTRAINTS2_INFO *chainConstraints,
552  DWORD remainingCAs, BOOL isRoot, BOOL *pathLengthConstraintViolated)
553 {
554     BOOL validBasicConstraints, implicitCA = FALSE;
555     CERT_BASIC_CONSTRAINTS2_INFO constraints;
556
557     if (isRoot)
558         implicitCA = TRUE;
559     else if (cert->pCertInfo->dwVersion == CERT_V1 ||
560      cert->pCertInfo->dwVersion == CERT_V2)
561     {
562         BYTE hash[20];
563         DWORD size = sizeof(hash);
564
565         if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID,
566          hash, &size))
567         {
568             CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
569             PCCERT_CONTEXT localCert = CertFindCertificateInStore(
570              engine->hWorld, cert->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH,
571              &blob, NULL);
572
573             if (localCert)
574             {
575                 CertFreeCertificateContext(localCert);
576                 implicitCA = TRUE;
577             }
578         }
579     }
580     if ((validBasicConstraints = CRYPT_DecodeBasicConstraints(cert,
581      &constraints, implicitCA)))
582     {
583         chainConstraints->fCA = constraints.fCA;
584         if (!constraints.fCA)
585         {
586             TRACE_(chain)("chain element %d can't be a CA\n", remainingCAs + 1);
587             validBasicConstraints = FALSE;
588         }
589         else if (constraints.fPathLenConstraint)
590         {
591             /* If the element has path length constraints, they apply to the
592              * entire remaining chain.
593              */
594             if (!chainConstraints->fPathLenConstraint ||
595              constraints.dwPathLenConstraint <
596              chainConstraints->dwPathLenConstraint)
597             {
598                 TRACE_(chain)("setting path length constraint to %d\n",
599                  chainConstraints->dwPathLenConstraint);
600                 chainConstraints->fPathLenConstraint = TRUE;
601                 chainConstraints->dwPathLenConstraint =
602                  constraints.dwPathLenConstraint;
603             }
604         }
605     }
606     if (chainConstraints->fPathLenConstraint &&
607      remainingCAs > chainConstraints->dwPathLenConstraint)
608     {
609         TRACE_(chain)("remaining CAs %d exceed max path length %d\n",
610          remainingCAs, chainConstraints->dwPathLenConstraint);
611         validBasicConstraints = FALSE;
612         *pathLengthConstraintViolated = TRUE;
613     }
614     return validBasicConstraints;
615 }
616
617 static BOOL domain_name_matches(LPCWSTR constraint, LPCWSTR name)
618 {
619     BOOL match;
620
621     /* RFC 5280, section 4.2.1.10:
622      * "For URIs, the constraint applies to the host part of the name...
623      *  When the constraint begins with a period, it MAY be expanded with one
624      *  or more labels.  That is, the constraint ".example.com" is satisfied by
625      *  both host.example.com and my.host.example.com.  However, the constraint
626      *  ".example.com" is not satisfied by "example.com".  When the constraint
627      *  does not begin with a period, it specifies a host."
628      * and for email addresses,
629      * "To indicate all Internet mail addresses on a particular host, the
630      *  constraint is specified as the host name.  For example, the constraint
631      *  "example.com" is satisfied by any mail address at the host
632      *  "example.com".  To specify any address within a domain, the constraint
633      *  is specified with a leading period (as with URIs)."
634      */
635     if (constraint[0] == '.')
636     {
637         /* Must be strictly greater than, a name can't begin with '.' */
638         if (lstrlenW(name) > lstrlenW(constraint))
639             match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
640              constraint);
641         else
642         {
643             /* name is too short, no match */
644             match = FALSE;
645         }
646     }
647     else
648         match = !lstrcmpiW(name, constraint);
649      return match;
650 }
651
652 static BOOL url_matches(LPCWSTR constraint, LPCWSTR name,
653  DWORD *trustErrorStatus)
654 {
655     BOOL match = FALSE;
656
657     TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
658
659     if (!constraint)
660         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
661     else if (!name)
662         ; /* no match */
663     else
664     {
665         LPCWSTR colon, authority_end, at, hostname = NULL;
666         /* The maximum length for a hostname is 254 in the DNS, see RFC 1034 */
667         WCHAR hostname_buf[255];
668
669         /* RFC 5280: only the hostname portion of the URL is compared.  From
670          * section 4.2.1.10:
671          * "For URIs, the constraint applies to the host part of the name.
672          *  The constraint MUST be specified as a fully qualified domain name
673          *  and MAY specify a host or a domain."
674          * The format for URIs is in RFC 2396.
675          *
676          * First, remove any scheme that's present. */
677         colon = strchrW(name, ':');
678         if (colon && *(colon + 1) == '/' && *(colon + 2) == '/')
679             name = colon + 3;
680         /* Next, find the end of the authority component.  (The authority is
681          * generally just the hostname, but it may contain a username or a port.
682          * Those are removed next.)
683          */
684         authority_end = strchrW(name, '/');
685         if (!authority_end)
686             authority_end = strchrW(name, '?');
687         if (!authority_end)
688             authority_end = name + strlenW(name);
689         /* Remove any port number from the authority.  The userinfo portion
690          * of an authority may contain a colon, so stop if a userinfo portion
691          * is found (indicated by '@').
692          */
693         for (colon = authority_end; colon >= name && *colon != ':' &&
694          *colon != '@'; colon--)
695             ;
696         if (*colon == ':')
697             authority_end = colon;
698         /* Remove any username from the authority */
699         if ((at = strchrW(name, '@')))
700             name = at;
701         /* Ignore any path or query portion of the URL. */
702         if (*authority_end)
703         {
704             if (authority_end - name < sizeof(hostname_buf) /
705              sizeof(hostname_buf[0]))
706             {
707                 memcpy(hostname_buf, name,
708                  (authority_end - name) * sizeof(WCHAR));
709                 hostname_buf[authority_end - name] = 0;
710                 hostname = hostname_buf;
711             }
712             /* else: Hostname is too long, not a match */
713         }
714         else
715             hostname = name;
716         if (hostname)
717             match = domain_name_matches(constraint, hostname);
718     }
719     return match;
720 }
721
722 static BOOL rfc822_name_matches(LPCWSTR constraint, LPCWSTR name,
723  DWORD *trustErrorStatus)
724 {
725     BOOL match = FALSE;
726     LPCWSTR at;
727
728     TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
729
730     if (!constraint)
731         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
732     else if (!name)
733         ; /* no match */
734     else if (strchrW(constraint, '@'))
735         match = !lstrcmpiW(constraint, name);
736     else
737     {
738         if ((at = strchrW(name, '@')))
739             match = domain_name_matches(constraint, at + 1);
740         else
741             match = !lstrcmpiW(constraint, name);
742     }
743     return match;
744 }
745
746 static BOOL dns_name_matches(LPCWSTR constraint, LPCWSTR name,
747  DWORD *trustErrorStatus)
748 {
749     BOOL match = FALSE;
750
751     TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
752
753     if (!constraint)
754         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
755     else if (!name)
756         ; /* no match */
757     /* RFC 5280, section 4.2.1.10:
758      * "DNS name restrictions are expressed as host.example.com.  Any DNS name
759      *  that can be constructed by simply adding zero or more labels to the
760      *  left-hand side of the name satisfies the name constraint.  For example,
761      *  www.host.example.com would satisfy the constraint but host1.example.com
762      *  would not."
763      */
764     else if (lstrlenW(name) == lstrlenW(constraint))
765         match = !lstrcmpiW(name, constraint);
766     else if (lstrlenW(name) > lstrlenW(constraint))
767     {
768         match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
769          constraint);
770         if (match)
771         {
772             BOOL dot = FALSE;
773             LPCWSTR ptr;
774
775             /* This only matches if name is a subdomain of constraint, i.e.
776              * there's a '.' between the beginning of the name and the
777              * matching portion of the name.
778              */
779             for (ptr = name + lstrlenW(name) - lstrlenW(constraint);
780              !dot && ptr >= name; ptr--)
781                 if (*ptr == '.')
782                     dot = TRUE;
783             match = dot;
784         }
785     }
786     /* else:  name is too short, no match */
787
788     return match;
789 }
790
791 static BOOL ip_address_matches(const CRYPT_DATA_BLOB *constraint,
792  const CRYPT_DATA_BLOB *name, DWORD *trustErrorStatus)
793 {
794     BOOL match = FALSE;
795
796     TRACE("(%d, %p), (%d, %p)\n", constraint->cbData, constraint->pbData,
797      name->cbData, name->pbData);
798
799     /* RFC5280, section 4.2.1.10, iPAddress syntax: either 8 or 32 bytes, for
800      * IPv4 or IPv6 addresses, respectively.
801      */
802     if (constraint->cbData != sizeof(DWORD) * 2 && constraint->cbData != 32)
803         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
804     else if (name->cbData == sizeof(DWORD) &&
805      constraint->cbData == sizeof(DWORD) * 2)
806     {
807         DWORD subnet, mask, addr;
808
809         memcpy(&subnet, constraint->pbData, sizeof(subnet));
810         memcpy(&mask, constraint->pbData + sizeof(subnet), sizeof(mask));
811         memcpy(&addr, name->pbData, sizeof(addr));
812         /* These are really in big-endian order, but for equality matching we
813          * don't need to swap to host order
814          */
815         match = (subnet & mask) == (addr & mask);
816     }
817     else if (name->cbData == 16 && constraint->cbData == 32)
818     {
819         const BYTE *subnet, *mask, *addr;
820         DWORD i;
821
822         subnet = constraint->pbData;
823         mask = constraint->pbData + 16;
824         addr = name->pbData;
825         match = TRUE;
826         for (i = 0; match && i < 16; i++)
827             if ((subnet[i] & mask[i]) != (addr[i] & mask[i]))
828                 match = FALSE;
829     }
830     /* else: name is wrong size, no match */
831
832     return match;
833 }
834
835 static BOOL directory_name_matches(const CERT_NAME_BLOB *constraint,
836  const CERT_NAME_BLOB *name)
837 {
838     CERT_NAME_INFO *constraintName;
839     DWORD size;
840     BOOL match = FALSE;
841
842     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME, constraint->pbData,
843      constraint->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &constraintName, &size))
844     {
845         DWORD i;
846
847         match = TRUE;
848         for (i = 0; match && i < constraintName->cRDN; i++)
849             match = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING,
850              CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG,
851              (CERT_NAME_BLOB *)name, &constraintName->rgRDN[i]);
852         LocalFree(constraintName);
853     }
854     return match;
855 }
856
857 static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name,
858  const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus, BOOL *present)
859 {
860     BOOL match = FALSE;
861
862     if (name->dwAltNameChoice == constraint->dwAltNameChoice)
863     {
864         if (present)
865             *present = TRUE;
866         switch (constraint->dwAltNameChoice)
867         {
868         case CERT_ALT_NAME_RFC822_NAME:
869             match = rfc822_name_matches(constraint->u.pwszURL,
870              name->u.pwszURL, trustErrorStatus);
871             break;
872         case CERT_ALT_NAME_DNS_NAME:
873             match = dns_name_matches(constraint->u.pwszURL,
874              name->u.pwszURL, trustErrorStatus);
875             break;
876         case CERT_ALT_NAME_URL:
877             match = url_matches(constraint->u.pwszURL,
878              name->u.pwszURL, trustErrorStatus);
879             break;
880         case CERT_ALT_NAME_IP_ADDRESS:
881             match = ip_address_matches(&constraint->u.IPAddress,
882              &name->u.IPAddress, trustErrorStatus);
883             break;
884         case CERT_ALT_NAME_DIRECTORY_NAME:
885             match = directory_name_matches(&constraint->u.DirectoryName,
886              &name->u.DirectoryName);
887             break;
888         default:
889             ERR("name choice %d unsupported in this context\n",
890              constraint->dwAltNameChoice);
891             *trustErrorStatus |=
892              CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
893         }
894     }
895     else if (present)
896         *present = FALSE;
897     return match;
898 }
899
900 static BOOL alt_name_matches_excluded_name(const CERT_ALT_NAME_ENTRY *name,
901  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
902 {
903     DWORD i;
904     BOOL match = FALSE;
905
906     for (i = 0; !match && i < nameConstraints->cExcludedSubtree; i++)
907         match = alt_name_matches(name,
908          &nameConstraints->rgExcludedSubtree[i].Base, trustErrorStatus, NULL);
909     return match;
910 }
911
912 static BOOL alt_name_matches_permitted_name(const CERT_ALT_NAME_ENTRY *name,
913  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus,
914  BOOL *present)
915 {
916     DWORD i;
917     BOOL match = FALSE;
918
919     for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
920         match = alt_name_matches(name,
921          &nameConstraints->rgPermittedSubtree[i].Base, trustErrorStatus,
922          present);
923     return match;
924 }
925
926 static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
927 {
928     PCERT_EXTENSION ext;
929
930     ext = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
931      cert->cExtension, cert->rgExtension);
932     if (!ext)
933         ext = CertFindExtension(szOID_SUBJECT_ALT_NAME,
934          cert->cExtension, cert->rgExtension);
935     return ext;
936 }
937
938 static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
939  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
940 {
941     CERT_ALT_NAME_INFO *subjectAltName;
942     DWORD size;
943
944     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
945      altNameExt->Value.pbData, altNameExt->Value.cbData,
946      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
947      &subjectAltName, &size))
948     {
949         DWORD i;
950
951         for (i = 0; i < subjectAltName->cAltEntry; i++)
952         {
953              BOOL nameFormPresent;
954
955              /* A name constraint only applies if the name form is present.
956               * From RFC 5280, section 4.2.1.10:
957               * "Restrictions apply only when the specified name form is
958               *  present.  If no name of the type is in the certificate,
959               *  the certificate is acceptable."
960               */
961             if (alt_name_matches_excluded_name(
962              &subjectAltName->rgAltEntry[i], nameConstraints,
963              trustErrorStatus))
964             {
965                 TRACE_(chain)("subject alternate name form %d excluded\n",
966                  subjectAltName->rgAltEntry[i].dwAltNameChoice);
967                 *trustErrorStatus |=
968                  CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
969             }
970             nameFormPresent = FALSE;
971             if (!alt_name_matches_permitted_name(
972              &subjectAltName->rgAltEntry[i], nameConstraints,
973              trustErrorStatus, &nameFormPresent) && nameFormPresent)
974             {
975                 TRACE_(chain)("subject alternate name form %d not permitted\n",
976                  subjectAltName->rgAltEntry[i].dwAltNameChoice);
977                 *trustErrorStatus |=
978                  CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
979             }
980         }
981         LocalFree(subjectAltName);
982     }
983     else
984         *trustErrorStatus |=
985          CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
986 }
987
988 static BOOL rfc822_attr_matches_excluded_name(const CERT_RDN_ATTR *attr,
989  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
990 {
991     DWORD i;
992     BOOL match = FALSE;
993
994     for (i = 0; !match && i < nameConstraints->cExcludedSubtree; i++)
995     {
996         const CERT_ALT_NAME_ENTRY *constraint =
997          &nameConstraints->rgExcludedSubtree[i].Base;
998
999         if (constraint->dwAltNameChoice == CERT_ALT_NAME_RFC822_NAME)
1000             match = rfc822_name_matches(constraint->u.pwszRfc822Name,
1001              (LPCWSTR)attr->Value.pbData, trustErrorStatus);
1002     }
1003     return match;
1004 }
1005
1006 static BOOL rfc822_attr_matches_permitted_name(const CERT_RDN_ATTR *attr,
1007  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus,
1008  BOOL *present)
1009 {
1010     DWORD i;
1011     BOOL match = FALSE;
1012
1013     for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
1014     {
1015         const CERT_ALT_NAME_ENTRY *constraint =
1016          &nameConstraints->rgPermittedSubtree[i].Base;
1017
1018         if (constraint->dwAltNameChoice == CERT_ALT_NAME_RFC822_NAME)
1019         {
1020             *present = TRUE;
1021             match = rfc822_name_matches(constraint->u.pwszRfc822Name,
1022              (LPCWSTR)attr->Value.pbData, trustErrorStatus);
1023         }
1024     }
1025     return match;
1026 }
1027
1028 static void compare_subject_with_email_constraints(
1029  const CERT_NAME_BLOB *subjectName,
1030  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
1031 {
1032     CERT_NAME_INFO *name;
1033     DWORD size;
1034
1035     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_UNICODE_NAME,
1036      subjectName->pbData, subjectName->cbData,
1037      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &name, &size))
1038     {
1039         DWORD i, j;
1040
1041         for (i = 0; i < name->cRDN; i++)
1042             for (j = 0; j < name->rgRDN[i].cRDNAttr; j++)
1043                 if (!strcmp(name->rgRDN[i].rgRDNAttr[j].pszObjId,
1044                  szOID_RSA_emailAddr))
1045                 {
1046                     BOOL nameFormPresent;
1047
1048                     /* A name constraint only applies if the name form is
1049                      * present.  From RFC 5280, section 4.2.1.10:
1050                      * "Restrictions apply only when the specified name form is
1051                      *  present.  If no name of the type is in the certificate,
1052                      *  the certificate is acceptable."
1053                      */
1054                     if (rfc822_attr_matches_excluded_name(
1055                      &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
1056                      trustErrorStatus))
1057                     {
1058                         TRACE_(chain)(
1059                          "email address in subject name is excluded\n");
1060                         *trustErrorStatus |=
1061                          CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
1062                     }
1063                     nameFormPresent = FALSE;
1064                     if (!rfc822_attr_matches_permitted_name(
1065                      &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
1066                      trustErrorStatus, &nameFormPresent) && nameFormPresent)
1067                     {
1068                         TRACE_(chain)(
1069                          "email address in subject name is not permitted\n");
1070                         *trustErrorStatus |=
1071                          CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1072                     }
1073                 }
1074         LocalFree(name);
1075     }
1076     else
1077         *trustErrorStatus |=
1078          CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
1079 }
1080
1081 static BOOL CRYPT_IsEmptyName(const CERT_NAME_BLOB *name)
1082 {
1083     BOOL empty;
1084
1085     if (!name->cbData)
1086         empty = TRUE;
1087     else if (name->cbData == 2 && name->pbData[1] == 0)
1088     {
1089         /* An empty sequence is also empty */
1090         empty = TRUE;
1091     }
1092     else
1093         empty = FALSE;
1094     return empty;
1095 }
1096
1097 static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
1098  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
1099 {
1100     BOOL hasEmailConstraint = FALSE;
1101     DWORD i;
1102
1103     /* In general, a subject distinguished name only matches a directory name
1104      * constraint.  However, an exception exists for email addresses.
1105      * From RFC 5280, section 4.2.1.6:
1106      * "Legacy implementations exist where an electronic mail address is
1107      *  embedded in the subject distinguished name as an emailAddress
1108      *  attribute [RFC2985]."
1109      * If an email address constraint exists, check that constraint separately.
1110      */
1111     for (i = 0; !hasEmailConstraint && i < nameConstraints->cExcludedSubtree;
1112      i++)
1113         if (nameConstraints->rgExcludedSubtree[i].Base.dwAltNameChoice ==
1114          CERT_ALT_NAME_RFC822_NAME)
1115             hasEmailConstraint = TRUE;
1116     for (i = 0; !hasEmailConstraint && i < nameConstraints->cPermittedSubtree;
1117      i++)
1118         if (nameConstraints->rgPermittedSubtree[i].Base.dwAltNameChoice ==
1119          CERT_ALT_NAME_RFC822_NAME)
1120             hasEmailConstraint = TRUE;
1121     if (hasEmailConstraint)
1122         compare_subject_with_email_constraints(subjectName, nameConstraints,
1123          trustErrorStatus);
1124     for (i = 0; i < nameConstraints->cExcludedSubtree; i++)
1125     {
1126         CERT_ALT_NAME_ENTRY *constraint =
1127          &nameConstraints->rgExcludedSubtree[i].Base;
1128
1129         if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME &&
1130          directory_name_matches(&constraint->u.DirectoryName, subjectName))
1131         {
1132             TRACE_(chain)("subject name is excluded\n");
1133             *trustErrorStatus |=
1134              CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
1135         }
1136     }
1137     /* RFC 5280, section 4.2.1.10:
1138      * "Restrictions apply only when the specified name form is present.
1139      *  If no name of the type is in the certificate, the certificate is
1140      *  acceptable."
1141      * An empty name can't have the name form present, so don't check it.
1142      */
1143     if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
1144     {
1145         BOOL match = FALSE, hasDirectoryConstraint = FALSE;
1146
1147         for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
1148         {
1149             CERT_ALT_NAME_ENTRY *constraint =
1150              &nameConstraints->rgPermittedSubtree[i].Base;
1151
1152             if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
1153             {
1154                 hasDirectoryConstraint = TRUE;
1155                 match = directory_name_matches(&constraint->u.DirectoryName,
1156                  subjectName);
1157             }
1158         }
1159         if (hasDirectoryConstraint && !match)
1160         {
1161             TRACE_(chain)("subject name is not permitted\n");
1162             *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1163         }
1164     }
1165 }
1166
1167 static void CRYPT_CheckNameConstraints(
1168  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
1169  DWORD *trustErrorStatus)
1170 {
1171     CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
1172
1173     if (ext)
1174         compare_alt_name_with_constraints(ext, nameConstraints,
1175          trustErrorStatus);
1176     /* Name constraints apply to the subject alternative name as well as the
1177      * subject name.  From RFC 5280, section 4.2.1.10:
1178      * "Restrictions apply to the subject distinguished name and apply to
1179      *  subject alternative names."
1180      */
1181     compare_subject_with_constraints(&cert->Subject, nameConstraints,
1182      trustErrorStatus);
1183 }
1184
1185 /* Gets cert's name constraints, if any.  Free with LocalFree. */
1186 static CERT_NAME_CONSTRAINTS_INFO *CRYPT_GetNameConstraints(CERT_INFO *cert)
1187 {
1188     CERT_NAME_CONSTRAINTS_INFO *info = NULL;
1189
1190     CERT_EXTENSION *ext;
1191
1192     if ((ext = CertFindExtension(szOID_NAME_CONSTRAINTS, cert->cExtension,
1193      cert->rgExtension)))
1194     {
1195         DWORD size;
1196
1197         CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME_CONSTRAINTS,
1198          ext->Value.pbData, ext->Value.cbData,
1199          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &info,
1200          &size);
1201     }
1202     return info;
1203 }
1204
1205 static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
1206 {
1207     DWORD i;
1208     BOOL ret = TRUE;
1209
1210     /* Make sure at least one permitted or excluded subtree is present.  From
1211      * RFC 5280, section 4.2.1.10:
1212      * "Conforming CAs MUST NOT issue certificates where name constraints is an
1213      *  empty sequence.  That is, either the permittedSubtrees field or the
1214      *  excludedSubtrees MUST be present."
1215      */
1216     if (!info->cPermittedSubtree && !info->cExcludedSubtree)
1217     {
1218         WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
1219         ret = FALSE;
1220     }
1221     /* Check that none of the constraints specifies a minimum or a maximum.
1222      * See RFC 5280, section 4.2.1.10:
1223      * "Within this profile, the minimum and maximum fields are not used with
1224      *  any name forms, thus, the minimum MUST be zero, and maximum MUST be
1225      *  absent.  However, if an application encounters a critical name
1226      *  constraints extension that specifies other values for minimum or
1227      *  maximum for a name form that appears in a subsequent certificate, the
1228      *  application MUST either process these fields or reject the
1229      *  certificate."
1230      * Since it gives no guidance as to how to process these fields, we
1231      * reject any name constraint that contains them.
1232      */
1233     for (i = 0; ret && i < info->cPermittedSubtree; i++)
1234         if (info->rgPermittedSubtree[i].dwMinimum ||
1235          info->rgPermittedSubtree[i].fMaximum)
1236         {
1237             TRACE_(chain)("found a minimum or maximum in permitted subtrees\n");
1238             ret = FALSE;
1239         }
1240     for (i = 0; ret && i < info->cExcludedSubtree; i++)
1241         if (info->rgExcludedSubtree[i].dwMinimum ||
1242          info->rgExcludedSubtree[i].fMaximum)
1243         {
1244             TRACE_(chain)("found a minimum or maximum in excluded subtrees\n");
1245             ret = FALSE;
1246         }
1247     return ret;
1248 }
1249
1250 static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
1251 {
1252     int i, j;
1253
1254     /* Microsoft's implementation appears to violate RFC 3280:  according to
1255      * MSDN, the various CERT_TRUST_*_NAME_CONSTRAINT errors are set if a CA's
1256      * name constraint is violated in the end cert.  According to RFC 3280,
1257      * the constraints should be checked against every subsequent certificate
1258      * in the chain, not just the end cert.
1259      * Microsoft's implementation also sets the name constraint errors on the
1260      * certs whose constraints were violated, not on the certs that violated
1261      * them.
1262      * In order to be error-compatible with Microsoft's implementation, while
1263      * still adhering to RFC 3280, I use a O(n ^ 2) algorithm to check name
1264      * constraints.
1265      */
1266     for (i = chain->cElement - 1; i > 0; i--)
1267     {
1268         CERT_NAME_CONSTRAINTS_INFO *nameConstraints;
1269
1270         if ((nameConstraints = CRYPT_GetNameConstraints(
1271          chain->rgpElement[i]->pCertContext->pCertInfo)))
1272         {
1273             if (!CRYPT_IsValidNameConstraint(nameConstraints))
1274                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1275                  CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
1276             else
1277             {
1278                 for (j = i - 1; j >= 0; j--)
1279                 {
1280                     DWORD errorStatus = 0;
1281
1282                     /* According to RFC 3280, self-signed certs don't have name
1283                      * constraints checked unless they're the end cert.
1284                      */
1285                     if (j == 0 || !CRYPT_IsCertificateSelfSigned(
1286                      chain->rgpElement[j]->pCertContext))
1287                     {
1288                         CRYPT_CheckNameConstraints(nameConstraints,
1289                          chain->rgpElement[j]->pCertContext->pCertInfo,
1290                          &errorStatus);
1291                         if (errorStatus)
1292                         {
1293                             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1294                              errorStatus;
1295                             CRYPT_CombineTrustStatus(&chain->TrustStatus,
1296                              &chain->rgpElement[i]->TrustStatus);
1297                         }
1298                         else
1299                             chain->rgpElement[i]->TrustStatus.dwInfoStatus |=
1300                              CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS;
1301                     }
1302                 }
1303             }
1304             LocalFree(nameConstraints);
1305         }
1306     }
1307 }
1308
1309 static LPWSTR name_value_to_str(const CERT_NAME_BLOB *name)
1310 {
1311     DWORD len = cert_name_to_str_with_indent(X509_ASN_ENCODING, 0, name,
1312      CERT_SIMPLE_NAME_STR, NULL, 0);
1313     LPWSTR str = NULL;
1314
1315     if (len)
1316     {
1317         str = CryptMemAlloc(len * sizeof(WCHAR));
1318         if (str)
1319             cert_name_to_str_with_indent(X509_ASN_ENCODING, 0, name,
1320              CERT_SIMPLE_NAME_STR, str, len);
1321     }
1322     return str;
1323 }
1324
1325 static void dump_alt_name_entry(const CERT_ALT_NAME_ENTRY *entry)
1326 {
1327     LPWSTR str;
1328
1329     switch (entry->dwAltNameChoice)
1330     {
1331     case CERT_ALT_NAME_OTHER_NAME:
1332         TRACE_(chain)("CERT_ALT_NAME_OTHER_NAME, oid = %s\n",
1333          debugstr_a(entry->u.pOtherName->pszObjId));
1334          break;
1335     case CERT_ALT_NAME_RFC822_NAME:
1336         TRACE_(chain)("CERT_ALT_NAME_RFC822_NAME: %s\n",
1337          debugstr_w(entry->u.pwszRfc822Name));
1338         break;
1339     case CERT_ALT_NAME_DNS_NAME:
1340         TRACE_(chain)("CERT_ALT_NAME_DNS_NAME: %s\n",
1341          debugstr_w(entry->u.pwszDNSName));
1342         break;
1343     case CERT_ALT_NAME_DIRECTORY_NAME:
1344         str = name_value_to_str(&entry->u.DirectoryName);
1345         TRACE_(chain)("CERT_ALT_NAME_DIRECTORY_NAME: %s\n", debugstr_w(str));
1346         CryptMemFree(str);
1347         break;
1348     case CERT_ALT_NAME_URL:
1349         TRACE_(chain)("CERT_ALT_NAME_URL: %s\n", debugstr_w(entry->u.pwszURL));
1350         break;
1351     case CERT_ALT_NAME_IP_ADDRESS:
1352         TRACE_(chain)("CERT_ALT_NAME_IP_ADDRESS: %d bytes\n",
1353          entry->u.IPAddress.cbData);
1354         break;
1355     case CERT_ALT_NAME_REGISTERED_ID:
1356         TRACE_(chain)("CERT_ALT_NAME_REGISTERED_ID: %s\n",
1357          debugstr_a(entry->u.pszRegisteredID));
1358         break;
1359     default:
1360         TRACE_(chain)("dwAltNameChoice = %d\n", entry->dwAltNameChoice);
1361     }
1362 }
1363
1364 static void dump_alt_name(LPCSTR type, const CERT_EXTENSION *ext)
1365 {
1366     CERT_ALT_NAME_INFO *name;
1367     DWORD size;
1368
1369     TRACE_(chain)("%s:\n", type);
1370     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
1371      ext->Value.pbData, ext->Value.cbData,
1372      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &name, &size))
1373     {
1374         DWORD i;
1375
1376         TRACE_(chain)("%d alt name entries:\n", name->cAltEntry);
1377         for (i = 0; i < name->cAltEntry; i++)
1378             dump_alt_name_entry(&name->rgAltEntry[i]);
1379         LocalFree(name);
1380     }
1381 }
1382
1383 static void dump_basic_constraints(const CERT_EXTENSION *ext)
1384 {
1385     CERT_BASIC_CONSTRAINTS_INFO *info;
1386     DWORD size = 0;
1387
1388     if (CryptDecodeObjectEx(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS,
1389      ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG,
1390      NULL, &info, &size))
1391     {
1392         TRACE_(chain)("SubjectType: %02x\n", info->SubjectType.pbData[0]);
1393         TRACE_(chain)("%s path length constraint\n",
1394          info->fPathLenConstraint ? "has" : "doesn't have");
1395         TRACE_(chain)("path length=%d\n", info->dwPathLenConstraint);
1396         LocalFree(info);
1397     }
1398 }
1399
1400 static void dump_basic_constraints2(const CERT_EXTENSION *ext)
1401 {
1402     CERT_BASIC_CONSTRAINTS2_INFO constraints;
1403     DWORD size = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
1404
1405     if (CryptDecodeObjectEx(X509_ASN_ENCODING,
1406      szOID_BASIC_CONSTRAINTS2, ext->Value.pbData, ext->Value.cbData,
1407      0, NULL, &constraints, &size))
1408     {
1409         TRACE_(chain)("basic constraints:\n");
1410         TRACE_(chain)("can%s be a CA\n", constraints.fCA ? "" : "not");
1411         TRACE_(chain)("%s path length constraint\n",
1412          constraints.fPathLenConstraint ? "has" : "doesn't have");
1413         TRACE_(chain)("path length=%d\n", constraints.dwPathLenConstraint);
1414     }
1415 }
1416
1417 static void dump_key_usage(const CERT_EXTENSION *ext)
1418 {
1419     CRYPT_BIT_BLOB usage;
1420     DWORD size = sizeof(usage);
1421
1422     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_BITS, ext->Value.pbData,
1423      ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
1424     {
1425 #define trace_usage_bit(bits, bit) \
1426  if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
1427         if (usage.cbData)
1428         {
1429             trace_usage_bit(usage.pbData[0], CERT_DIGITAL_SIGNATURE_KEY_USAGE);
1430             trace_usage_bit(usage.pbData[0], CERT_NON_REPUDIATION_KEY_USAGE);
1431             trace_usage_bit(usage.pbData[0], CERT_KEY_ENCIPHERMENT_KEY_USAGE);
1432             trace_usage_bit(usage.pbData[0], CERT_DATA_ENCIPHERMENT_KEY_USAGE);
1433             trace_usage_bit(usage.pbData[0], CERT_KEY_AGREEMENT_KEY_USAGE);
1434             trace_usage_bit(usage.pbData[0], CERT_KEY_CERT_SIGN_KEY_USAGE);
1435             trace_usage_bit(usage.pbData[0], CERT_CRL_SIGN_KEY_USAGE);
1436             trace_usage_bit(usage.pbData[0], CERT_ENCIPHER_ONLY_KEY_USAGE);
1437         }
1438 #undef trace_usage_bit
1439         if (usage.cbData > 1 && usage.pbData[1] & CERT_DECIPHER_ONLY_KEY_USAGE)
1440             TRACE_(chain)("CERT_DECIPHER_ONLY_KEY_USAGE\n");
1441     }
1442 }
1443
1444 static void dump_general_subtree(const CERT_GENERAL_SUBTREE *subtree)
1445 {
1446     dump_alt_name_entry(&subtree->Base);
1447     TRACE_(chain)("dwMinimum = %d, fMaximum = %d, dwMaximum = %d\n",
1448      subtree->dwMinimum, subtree->fMaximum, subtree->dwMaximum);
1449 }
1450
1451 static void dump_name_constraints(const CERT_EXTENSION *ext)
1452 {
1453     CERT_NAME_CONSTRAINTS_INFO *nameConstraints;
1454     DWORD size;
1455
1456     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME_CONSTRAINTS,
1457      ext->Value.pbData, ext->Value.cbData,
1458      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &nameConstraints,
1459      &size))
1460     {
1461         DWORD i;
1462
1463         TRACE_(chain)("%d permitted subtrees:\n",
1464          nameConstraints->cPermittedSubtree);
1465         for (i = 0; i < nameConstraints->cPermittedSubtree; i++)
1466             dump_general_subtree(&nameConstraints->rgPermittedSubtree[i]);
1467         TRACE_(chain)("%d excluded subtrees:\n",
1468          nameConstraints->cExcludedSubtree);
1469         for (i = 0; i < nameConstraints->cExcludedSubtree; i++)
1470             dump_general_subtree(&nameConstraints->rgExcludedSubtree[i]);
1471         LocalFree(nameConstraints);
1472     }
1473 }
1474
1475 static void dump_cert_policies(const CERT_EXTENSION *ext)
1476 {
1477     CERT_POLICIES_INFO *policies;
1478     DWORD size;
1479
1480     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_CERT_POLICIES,
1481      ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1482      &policies, &size))
1483     {
1484         DWORD i, j;
1485
1486         TRACE_(chain)("%d policies:\n", policies->cPolicyInfo);
1487         for (i = 0; i < policies->cPolicyInfo; i++)
1488         {
1489             TRACE_(chain)("policy identifier: %s\n",
1490              debugstr_a(policies->rgPolicyInfo[i].pszPolicyIdentifier));
1491             TRACE_(chain)("%d policy qualifiers:\n",
1492              policies->rgPolicyInfo[i].cPolicyQualifier);
1493             for (j = 0; j < policies->rgPolicyInfo[i].cPolicyQualifier; j++)
1494                 TRACE_(chain)("%s\n", debugstr_a(
1495                  policies->rgPolicyInfo[i].rgPolicyQualifier[j].
1496                  pszPolicyQualifierId));
1497         }
1498         LocalFree(policies);
1499     }
1500 }
1501
1502 static void dump_enhanced_key_usage(const CERT_EXTENSION *ext)
1503 {
1504     CERT_ENHKEY_USAGE *usage;
1505     DWORD size;
1506
1507     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE,
1508      ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1509      &usage, &size))
1510     {
1511         DWORD i;
1512
1513         TRACE_(chain)("%d usages:\n", usage->cUsageIdentifier);
1514         for (i = 0; i < usage->cUsageIdentifier; i++)
1515             TRACE_(chain)("%s\n", usage->rgpszUsageIdentifier[i]);
1516         LocalFree(usage);
1517     }
1518 }
1519
1520 static void dump_netscape_cert_type(const CERT_EXTENSION *ext)
1521 {
1522     CRYPT_BIT_BLOB usage;
1523     DWORD size = sizeof(usage);
1524
1525     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_BITS, ext->Value.pbData,
1526      ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
1527     {
1528 #define trace_cert_type_bit(bits, bit) \
1529  if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
1530         if (usage.cbData)
1531         {
1532             trace_cert_type_bit(usage.pbData[0],
1533              NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE);
1534             trace_cert_type_bit(usage.pbData[0],
1535              NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE);
1536             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SMIME_CERT_TYPE);
1537             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SIGN_CERT_TYPE);
1538             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SSL_CA_CERT_TYPE);
1539             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SMIME_CA_CERT_TYPE);
1540             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SIGN_CA_CERT_TYPE);
1541         }
1542 #undef trace_cert_type_bit
1543     }
1544 }
1545
1546 static void dump_extension(const CERT_EXTENSION *ext)
1547 {
1548     TRACE_(chain)("%s (%scritical)\n", debugstr_a(ext->pszObjId),
1549      ext->fCritical ? "" : "not ");
1550     if (!strcmp(ext->pszObjId, szOID_SUBJECT_ALT_NAME))
1551         dump_alt_name("subject alt name", ext);
1552     else  if (!strcmp(ext->pszObjId, szOID_ISSUER_ALT_NAME))
1553         dump_alt_name("issuer alt name", ext);
1554     else if (!strcmp(ext->pszObjId, szOID_BASIC_CONSTRAINTS))
1555         dump_basic_constraints(ext);
1556     else if (!strcmp(ext->pszObjId, szOID_KEY_USAGE))
1557         dump_key_usage(ext);
1558     else if (!strcmp(ext->pszObjId, szOID_SUBJECT_ALT_NAME2))
1559         dump_alt_name("subject alt name 2", ext);
1560     else if (!strcmp(ext->pszObjId, szOID_ISSUER_ALT_NAME2))
1561         dump_alt_name("issuer alt name 2", ext);
1562     else if (!strcmp(ext->pszObjId, szOID_BASIC_CONSTRAINTS2))
1563         dump_basic_constraints2(ext);
1564     else if (!strcmp(ext->pszObjId, szOID_NAME_CONSTRAINTS))
1565         dump_name_constraints(ext);
1566     else if (!strcmp(ext->pszObjId, szOID_CERT_POLICIES))
1567         dump_cert_policies(ext);
1568     else if (!strcmp(ext->pszObjId, szOID_ENHANCED_KEY_USAGE))
1569         dump_enhanced_key_usage(ext);
1570     else if (!strcmp(ext->pszObjId, szOID_NETSCAPE_CERT_TYPE))
1571         dump_netscape_cert_type(ext);
1572 }
1573
1574 static LPCWSTR filetime_to_str(const FILETIME *time)
1575 {
1576     static WCHAR date[80];
1577     WCHAR dateFmt[80]; /* sufficient for all versions of LOCALE_SSHORTDATE */
1578     SYSTEMTIME sysTime;
1579
1580     if (!time) return NULL;
1581
1582     GetLocaleInfoW(LOCALE_SYSTEM_DEFAULT, LOCALE_SSHORTDATE, dateFmt,
1583      sizeof(dateFmt) / sizeof(dateFmt[0]));
1584     FileTimeToSystemTime(time, &sysTime);
1585     GetDateFormatW(LOCALE_SYSTEM_DEFAULT, 0, &sysTime, dateFmt, date,
1586      sizeof(date) / sizeof(date[0]));
1587     return date;
1588 }
1589
1590 static void dump_element(PCCERT_CONTEXT cert)
1591 {
1592     LPWSTR name = NULL;
1593     DWORD len, i;
1594
1595     TRACE_(chain)("%p: version %d\n", cert, cert->pCertInfo->dwVersion);
1596     len = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE,
1597      CERT_NAME_ISSUER_FLAG, NULL, NULL, 0);
1598     name = CryptMemAlloc(len * sizeof(WCHAR));
1599     if (name)
1600     {
1601         CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE,
1602          CERT_NAME_ISSUER_FLAG, NULL, name, len);
1603         TRACE_(chain)("issued by %s\n", debugstr_w(name));
1604         CryptMemFree(name);
1605     }
1606     len = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
1607      NULL, 0);
1608     name = CryptMemAlloc(len * sizeof(WCHAR));
1609     if (name)
1610     {
1611         CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
1612          name, len);
1613         TRACE_(chain)("issued to %s\n", debugstr_w(name));
1614         CryptMemFree(name);
1615     }
1616     TRACE_(chain)("valid from %s to %s\n",
1617      debugstr_w(filetime_to_str(&cert->pCertInfo->NotBefore)),
1618      debugstr_w(filetime_to_str(&cert->pCertInfo->NotAfter)));
1619     TRACE_(chain)("%d extensions\n", cert->pCertInfo->cExtension);
1620     for (i = 0; i < cert->pCertInfo->cExtension; i++)
1621         dump_extension(&cert->pCertInfo->rgExtension[i]);
1622 }
1623
1624 static BOOL CRYPT_KeyUsageValid(PCertificateChainEngine engine,
1625  PCCERT_CONTEXT cert, BOOL isRoot, BOOL isCA, DWORD index)
1626 {
1627     PCERT_EXTENSION ext;
1628     BOOL ret;
1629     BYTE usageBits = 0;
1630
1631     ext = CertFindExtension(szOID_KEY_USAGE, cert->pCertInfo->cExtension,
1632      cert->pCertInfo->rgExtension);
1633     if (ext)
1634     {
1635         CRYPT_BIT_BLOB usage;
1636         DWORD size = sizeof(usage);
1637
1638         ret = CryptDecodeObjectEx(cert->dwCertEncodingType, X509_BITS,
1639          ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL,
1640          &usage, &size);
1641         if (!ret)
1642             return FALSE;
1643         else if (usage.cbData > 2)
1644         {
1645             /* The key usage extension only defines 9 bits => no more than 2
1646              * bytes are needed to encode all known usages.
1647              */
1648             return FALSE;
1649         }
1650         else
1651         {
1652             /* The only bit relevant to chain validation is the keyCertSign
1653              * bit, which is always in the least significant byte of the
1654              * key usage bits.
1655              */
1656             usageBits = usage.pbData[usage.cbData - 1];
1657         }
1658     }
1659     if (isCA)
1660     {
1661         if (!ext)
1662         {
1663             /* MS appears to violate RFC 5280, section 4.2.1.3 (Key Usage)
1664              * here.  Quoting the RFC:
1665              * "This [key usage] extension MUST appear in certificates that
1666              * contain public keys that are used to validate digital signatures
1667              * on other public key certificates or CRLs."
1668              * MS appears to accept certs that do not contain key usage
1669              * extensions as CA certs.  V1 and V2 certificates did not have
1670              * extensions, and many root certificates are V1 certificates, so
1671              * perhaps this is prudent.  On the other hand, MS also accepts V3
1672              * certs without key usage extensions.  We are more restrictive:
1673              * we accept locally installed V1 or V2 certs as CA certs.
1674              * We also accept a lack of key usage extension on root certs,
1675              * which is implied in RFC 5280, section 6.1:  the trust anchor's
1676              * only requirement is that it was used to issue the next
1677              * certificate in the chain.
1678              */
1679             if (isRoot)
1680                 ret = TRUE;
1681             else if (cert->pCertInfo->dwVersion == CERT_V1 ||
1682              cert->pCertInfo->dwVersion == CERT_V2)
1683             {
1684                 PCCERT_CONTEXT localCert = CRYPT_FindCertInStore(
1685                  engine->hWorld, cert);
1686
1687                 ret = localCert != NULL;
1688                 CertFreeCertificateContext(localCert);
1689             }
1690             else
1691                 ret = FALSE;
1692             if (!ret)
1693                 WARN_(chain)("no key usage extension on a CA cert\n");
1694         }
1695         else
1696         {
1697             if (!(usageBits & CERT_KEY_CERT_SIGN_KEY_USAGE))
1698             {
1699                 WARN_(chain)("keyCertSign not asserted on a CA cert\n");
1700                 ret = FALSE;
1701             }
1702             else
1703                 ret = TRUE;
1704         }
1705     }
1706     else
1707     {
1708         if (ext && (usageBits & CERT_KEY_CERT_SIGN_KEY_USAGE))
1709         {
1710             WARN_(chain)("keyCertSign asserted on a non-CA cert\n");
1711             ret = FALSE;
1712         }
1713         else
1714             ret = TRUE;
1715     }
1716     return ret;
1717 }
1718
1719 static BOOL CRYPT_CriticalExtensionsSupported(PCCERT_CONTEXT cert)
1720 {
1721     BOOL ret = TRUE;
1722     DWORD i;
1723
1724     for (i = 0; ret && i < cert->pCertInfo->cExtension; i++)
1725     {
1726         if (cert->pCertInfo->rgExtension[i].fCritical)
1727         {
1728             LPCSTR oid = cert->pCertInfo->rgExtension[i].pszObjId;
1729
1730             if (!strcmp(oid, szOID_BASIC_CONSTRAINTS))
1731                 ret = TRUE;
1732             else if (!strcmp(oid, szOID_BASIC_CONSTRAINTS2))
1733                 ret = TRUE;
1734             else if (!strcmp(oid, szOID_NAME_CONSTRAINTS))
1735                 ret = TRUE;
1736             else if (!strcmp(oid, szOID_KEY_USAGE))
1737                 ret = TRUE;
1738             else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME))
1739                 ret = TRUE;
1740             else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME2))
1741                 ret = TRUE;
1742             else if (!strcmp(oid, szOID_ENHANCED_KEY_USAGE))
1743                 ret = TRUE;
1744             else
1745             {
1746                 FIXME("unsupported critical extension %s\n",
1747                  debugstr_a(oid));
1748                 ret = FALSE;
1749             }
1750         }
1751     }
1752     return ret;
1753 }
1754
1755 static BOOL CRYPT_IsCertVersionValid(PCCERT_CONTEXT cert)
1756 {
1757     BOOL ret = TRUE;
1758
1759     /* Checks whether the contents of the cert match the cert's version. */
1760     switch (cert->pCertInfo->dwVersion)
1761     {
1762     case CERT_V1:
1763         /* A V1 cert may not contain unique identifiers.  See RFC 5280,
1764          * section 4.1.2.8:
1765          * "These fields MUST only appear if the version is 2 or 3 (Section
1766          *  4.1.2.1).  These fields MUST NOT appear if the version is 1."
1767          */
1768         if (cert->pCertInfo->IssuerUniqueId.cbData ||
1769          cert->pCertInfo->SubjectUniqueId.cbData)
1770             ret = FALSE;
1771         /* A V1 cert may not contain extensions.  See RFC 5280, section 4.1.2.9:
1772          * "This field MUST only appear if the version is 3 (Section 4.1.2.1)."
1773          */
1774         if (cert->pCertInfo->cExtension)
1775             ret = FALSE;
1776         break;
1777     case CERT_V2:
1778         /* A V2 cert may not contain extensions.  See RFC 5280, section 4.1.2.9:
1779          * "This field MUST only appear if the version is 3 (Section 4.1.2.1)."
1780          */
1781         if (cert->pCertInfo->cExtension)
1782             ret = FALSE;
1783         break;
1784     case CERT_V3:
1785         /* Do nothing, all fields are allowed for V3 certs */
1786         break;
1787     default:
1788         WARN_(chain)("invalid cert version %d\n", cert->pCertInfo->dwVersion);
1789         ret = FALSE;
1790     }
1791     return ret;
1792 }
1793
1794 static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
1795  PCERT_SIMPLE_CHAIN chain, LPFILETIME time)
1796 {
1797     PCERT_CHAIN_ELEMENT rootElement = chain->rgpElement[chain->cElement - 1];
1798     int i;
1799     BOOL pathLengthConstraintViolated = FALSE;
1800     CERT_BASIC_CONSTRAINTS2_INFO constraints = { FALSE, FALSE, 0 };
1801
1802     TRACE_(chain)("checking chain with %d elements for time %s\n",
1803      chain->cElement, debugstr_w(filetime_to_str(time)));
1804     for (i = chain->cElement - 1; i >= 0; i--)
1805     {
1806         BOOL isRoot;
1807
1808         if (TRACE_ON(chain))
1809             dump_element(chain->rgpElement[i]->pCertContext);
1810         if (i == chain->cElement - 1)
1811             isRoot = CRYPT_IsCertificateSelfSigned(
1812              chain->rgpElement[i]->pCertContext);
1813         else
1814             isRoot = FALSE;
1815         if (!CRYPT_IsCertVersionValid(chain->rgpElement[i]->pCertContext))
1816         {
1817             /* MS appears to accept certs whose versions don't match their
1818              * contents, so there isn't an appropriate error code.
1819              */
1820             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1821              CERT_TRUST_INVALID_EXTENSION;
1822         }
1823         if (CertVerifyTimeValidity(time,
1824          chain->rgpElement[i]->pCertContext->pCertInfo) != 0)
1825             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1826              CERT_TRUST_IS_NOT_TIME_VALID;
1827         if (i != 0)
1828         {
1829             /* Check the signature of the cert this issued */
1830             if (!CryptVerifyCertificateSignatureEx(0, X509_ASN_ENCODING,
1831              CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
1832              (void *)chain->rgpElement[i - 1]->pCertContext,
1833              CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
1834              (void *)chain->rgpElement[i]->pCertContext, 0, NULL))
1835                 chain->rgpElement[i - 1]->TrustStatus.dwErrorStatus |=
1836                  CERT_TRUST_IS_NOT_SIGNATURE_VALID;
1837             /* Once a path length constraint has been violated, every remaining
1838              * CA cert's basic constraints is considered invalid.
1839              */
1840             if (pathLengthConstraintViolated)
1841                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1842                  CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1843             else if (!CRYPT_CheckBasicConstraintsForCA(engine,
1844              chain->rgpElement[i]->pCertContext, &constraints, i - 1, isRoot,
1845              &pathLengthConstraintViolated))
1846                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1847                  CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1848             else if (constraints.fPathLenConstraint &&
1849              constraints.dwPathLenConstraint)
1850             {
1851                 /* This one's valid - decrement max length */
1852                 constraints.dwPathLenConstraint--;
1853             }
1854         }
1855         else
1856         {
1857             /* Check whether end cert has a basic constraints extension */
1858             if (!CRYPT_DecodeBasicConstraints(
1859              chain->rgpElement[i]->pCertContext, &constraints, FALSE))
1860                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1861                  CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1862         }
1863         if (!CRYPT_KeyUsageValid(engine, chain->rgpElement[i]->pCertContext,
1864          isRoot, constraints.fCA, i))
1865             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1866              CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
1867         if (CRYPT_IsSimpleChainCyclic(chain))
1868         {
1869             /* If the chain is cyclic, then the path length constraints
1870              * are violated, because the chain is infinitely long.
1871              */
1872             pathLengthConstraintViolated = TRUE;
1873             chain->TrustStatus.dwErrorStatus |=
1874              CERT_TRUST_IS_PARTIAL_CHAIN |
1875              CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1876         }
1877         /* Check whether every critical extension is supported */
1878         if (!CRYPT_CriticalExtensionsSupported(
1879          chain->rgpElement[i]->pCertContext))
1880             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1881              CERT_TRUST_INVALID_EXTENSION;
1882         CRYPT_CombineTrustStatus(&chain->TrustStatus,
1883          &chain->rgpElement[i]->TrustStatus);
1884     }
1885     CRYPT_CheckChainNameConstraints(chain);
1886     if (CRYPT_IsCertificateSelfSigned(rootElement->pCertContext))
1887     {
1888         rootElement->TrustStatus.dwInfoStatus |=
1889          CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER;
1890         CRYPT_CheckRootCert(engine->hRoot, rootElement);
1891     }
1892     CRYPT_CombineTrustStatus(&chain->TrustStatus, &rootElement->TrustStatus);
1893 }
1894
1895 static PCCERT_CONTEXT CRYPT_GetIssuer(HCERTSTORE store, PCCERT_CONTEXT subject,
1896  PCCERT_CONTEXT prevIssuer, DWORD *infoStatus)
1897 {
1898     PCCERT_CONTEXT issuer = NULL;
1899     PCERT_EXTENSION ext;
1900     DWORD size;
1901
1902     *infoStatus = 0;
1903     if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
1904      subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
1905     {
1906         CERT_AUTHORITY_KEY_ID_INFO *info;
1907         BOOL ret;
1908
1909         ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
1910          X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
1911          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
1912          &info, &size);
1913         if (ret)
1914         {
1915             CERT_ID id;
1916
1917             if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
1918             {
1919                 id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
1920                 memcpy(&id.u.IssuerSerialNumber.Issuer, &info->CertIssuer,
1921                  sizeof(CERT_NAME_BLOB));
1922                 memcpy(&id.u.IssuerSerialNumber.SerialNumber,
1923                  &info->CertSerialNumber, sizeof(CRYPT_INTEGER_BLOB));
1924                 issuer = CertFindCertificateInStore(store,
1925                  subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
1926                  prevIssuer);
1927                 if (issuer)
1928                 {
1929                     TRACE_(chain)("issuer found by issuer/serial number\n");
1930                     *infoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER;
1931                 }
1932             }
1933             else if (info->KeyId.cbData)
1934             {
1935                 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
1936                 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
1937                 issuer = CertFindCertificateInStore(store,
1938                  subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
1939                  prevIssuer);
1940                 if (issuer)
1941                 {
1942                     TRACE_(chain)("issuer found by key id\n");
1943                     *infoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
1944                 }
1945             }
1946             LocalFree(info);
1947         }
1948     }
1949     else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
1950      subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
1951     {
1952         CERT_AUTHORITY_KEY_ID2_INFO *info;
1953         BOOL ret;
1954
1955         ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
1956          X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
1957          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
1958          &info, &size);
1959         if (ret)
1960         {
1961             CERT_ID id;
1962
1963             if (info->AuthorityCertIssuer.cAltEntry &&
1964              info->AuthorityCertSerialNumber.cbData)
1965             {
1966                 PCERT_ALT_NAME_ENTRY directoryName = NULL;
1967                 DWORD i;
1968
1969                 for (i = 0; !directoryName &&
1970                  i < info->AuthorityCertIssuer.cAltEntry; i++)
1971                     if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
1972                      == CERT_ALT_NAME_DIRECTORY_NAME)
1973                         directoryName =
1974                          &info->AuthorityCertIssuer.rgAltEntry[i];
1975                 if (directoryName)
1976                 {
1977                     id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
1978                     memcpy(&id.u.IssuerSerialNumber.Issuer,
1979                      &directoryName->u.DirectoryName, sizeof(CERT_NAME_BLOB));
1980                     memcpy(&id.u.IssuerSerialNumber.SerialNumber,
1981                      &info->AuthorityCertSerialNumber,
1982                      sizeof(CRYPT_INTEGER_BLOB));
1983                     issuer = CertFindCertificateInStore(store,
1984                      subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
1985                      prevIssuer);
1986                     if (issuer)
1987                     {
1988                         TRACE_(chain)("issuer found by directory name\n");
1989                         *infoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER;
1990                     }
1991                 }
1992                 else
1993                     FIXME("no supported name type in authority key id2\n");
1994             }
1995             else if (info->KeyId.cbData)
1996             {
1997                 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
1998                 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
1999                 issuer = CertFindCertificateInStore(store,
2000                  subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
2001                  prevIssuer);
2002                 if (issuer)
2003                 {
2004                     TRACE_(chain)("issuer found by key id\n");
2005                     *infoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
2006                 }
2007             }
2008             LocalFree(info);
2009         }
2010     }
2011     else
2012     {
2013         issuer = CertFindCertificateInStore(store,
2014          subject->dwCertEncodingType, 0, CERT_FIND_SUBJECT_NAME,
2015          &subject->pCertInfo->Issuer, prevIssuer);
2016         TRACE_(chain)("issuer found by name\n");
2017         *infoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
2018     }
2019     return issuer;
2020 }
2021
2022 /* Builds a simple chain by finding an issuer for the last cert in the chain,
2023  * until reaching a self-signed cert, or until no issuer can be found.
2024  */
2025 static BOOL CRYPT_BuildSimpleChain(const CertificateChainEngine *engine,
2026  HCERTSTORE world, PCERT_SIMPLE_CHAIN chain)
2027 {
2028     BOOL ret = TRUE;
2029     PCCERT_CONTEXT cert = chain->rgpElement[chain->cElement - 1]->pCertContext;
2030
2031     while (ret && !CRYPT_IsSimpleChainCyclic(chain) &&
2032      !CRYPT_IsCertificateSelfSigned(cert))
2033     {
2034         PCCERT_CONTEXT issuer = CRYPT_GetIssuer(world, cert, NULL,
2035          &chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
2036
2037         if (issuer)
2038         {
2039             ret = CRYPT_AddCertToSimpleChain(engine, chain, issuer,
2040              chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
2041             /* CRYPT_AddCertToSimpleChain add-ref's the issuer, so free it to
2042              * close the enumeration that found it
2043              */
2044             CertFreeCertificateContext(issuer);
2045             cert = issuer;
2046         }
2047         else
2048         {
2049             TRACE_(chain)("Couldn't find issuer, halting chain creation\n");
2050             chain->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_PARTIAL_CHAIN;
2051             break;
2052         }
2053     }
2054     return ret;
2055 }
2056
2057 static BOOL CRYPT_GetSimpleChainForCert(PCertificateChainEngine engine,
2058  HCERTSTORE world, PCCERT_CONTEXT cert, LPFILETIME pTime,
2059  PCERT_SIMPLE_CHAIN *ppChain)
2060 {
2061     BOOL ret = FALSE;
2062     PCERT_SIMPLE_CHAIN chain;
2063
2064     TRACE("(%p, %p, %p, %p)\n", engine, world, cert, pTime);
2065
2066     chain = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
2067     if (chain)
2068     {
2069         memset(chain, 0, sizeof(CERT_SIMPLE_CHAIN));
2070         chain->cbSize = sizeof(CERT_SIMPLE_CHAIN);
2071         ret = CRYPT_AddCertToSimpleChain(engine, chain, cert, 0);
2072         if (ret)
2073         {
2074             ret = CRYPT_BuildSimpleChain(engine, world, chain);
2075             if (ret)
2076                 CRYPT_CheckSimpleChain(engine, chain, pTime);
2077         }
2078         if (!ret)
2079         {
2080             CRYPT_FreeSimpleChain(chain);
2081             chain = NULL;
2082         }
2083         *ppChain = chain;
2084     }
2085     return ret;
2086 }
2087
2088 static BOOL CRYPT_BuildCandidateChainFromCert(HCERTCHAINENGINE hChainEngine,
2089  PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
2090  PCertificateChain *ppChain)
2091 {
2092     PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
2093     PCERT_SIMPLE_CHAIN simpleChain = NULL;
2094     HCERTSTORE world;
2095     BOOL ret;
2096
2097     world = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
2098      CERT_STORE_CREATE_NEW_FLAG, NULL);
2099     CertAddStoreToCollection(world, engine->hWorld, 0, 0);
2100     if (hAdditionalStore)
2101         CertAddStoreToCollection(world, hAdditionalStore, 0, 0);
2102     /* FIXME: only simple chains are supported for now, as CTLs aren't
2103      * supported yet.
2104      */
2105     if ((ret = CRYPT_GetSimpleChainForCert(engine, world, cert, pTime,
2106      &simpleChain)))
2107     {
2108         PCertificateChain chain = CryptMemAlloc(sizeof(CertificateChain));
2109
2110         if (chain)
2111         {
2112             chain->ref = 1;
2113             chain->world = world;
2114             chain->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
2115             chain->context.TrustStatus = simpleChain->TrustStatus;
2116             chain->context.cChain = 1;
2117             chain->context.rgpChain = CryptMemAlloc(sizeof(PCERT_SIMPLE_CHAIN));
2118             chain->context.rgpChain[0] = simpleChain;
2119             chain->context.cLowerQualityChainContext = 0;
2120             chain->context.rgpLowerQualityChainContext = NULL;
2121             chain->context.fHasRevocationFreshnessTime = FALSE;
2122             chain->context.dwRevocationFreshnessTime = 0;
2123         }
2124         else
2125             ret = FALSE;
2126         *ppChain = chain;
2127     }
2128     return ret;
2129 }
2130
2131 /* Makes and returns a copy of chain, up to and including element iElement. */
2132 static PCERT_SIMPLE_CHAIN CRYPT_CopySimpleChainToElement(
2133  const CERT_SIMPLE_CHAIN *chain, DWORD iElement)
2134 {
2135     PCERT_SIMPLE_CHAIN copy = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
2136
2137     if (copy)
2138     {
2139         memset(copy, 0, sizeof(CERT_SIMPLE_CHAIN));
2140         copy->cbSize = sizeof(CERT_SIMPLE_CHAIN);
2141         copy->rgpElement =
2142          CryptMemAlloc((iElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
2143         if (copy->rgpElement)
2144         {
2145             DWORD i;
2146             BOOL ret = TRUE;
2147
2148             memset(copy->rgpElement, 0,
2149              (iElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
2150             for (i = 0; ret && i <= iElement; i++)
2151             {
2152                 PCERT_CHAIN_ELEMENT element =
2153                  CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
2154
2155                 if (element)
2156                 {
2157                     *element = *chain->rgpElement[i];
2158                     element->pCertContext = CertDuplicateCertificateContext(
2159                      chain->rgpElement[i]->pCertContext);
2160                     /* Reset the trust status of the copied element, it'll get
2161                      * rechecked after the new chain is done.
2162                      */
2163                     memset(&element->TrustStatus, 0, sizeof(CERT_TRUST_STATUS));
2164                     copy->rgpElement[copy->cElement++] = element;
2165                 }
2166                 else
2167                     ret = FALSE;
2168             }
2169             if (!ret)
2170             {
2171                 for (i = 0; i <= iElement; i++)
2172                     CryptMemFree(copy->rgpElement[i]);
2173                 CryptMemFree(copy->rgpElement);
2174                 CryptMemFree(copy);
2175                 copy = NULL;
2176             }
2177         }
2178         else
2179         {
2180             CryptMemFree(copy);
2181             copy = NULL;
2182         }
2183     }
2184     return copy;
2185 }
2186
2187 static void CRYPT_FreeLowerQualityChains(PCertificateChain chain)
2188 {
2189     DWORD i;
2190
2191     for (i = 0; i < chain->context.cLowerQualityChainContext; i++)
2192         CertFreeCertificateChain(chain->context.rgpLowerQualityChainContext[i]);
2193     CryptMemFree(chain->context.rgpLowerQualityChainContext);
2194     chain->context.cLowerQualityChainContext = 0;
2195     chain->context.rgpLowerQualityChainContext = NULL;
2196 }
2197
2198 static void CRYPT_FreeChainContext(PCertificateChain chain)
2199 {
2200     DWORD i;
2201
2202     CRYPT_FreeLowerQualityChains(chain);
2203     for (i = 0; i < chain->context.cChain; i++)
2204         CRYPT_FreeSimpleChain(chain->context.rgpChain[i]);
2205     CryptMemFree(chain->context.rgpChain);
2206     CertCloseStore(chain->world, 0);
2207     CryptMemFree(chain);
2208 }
2209
2210 /* Makes and returns a copy of chain, up to and including element iElement of
2211  * simple chain iChain.
2212  */
2213 static PCertificateChain CRYPT_CopyChainToElement(PCertificateChain chain,
2214  DWORD iChain, DWORD iElement)
2215 {
2216     PCertificateChain copy = CryptMemAlloc(sizeof(CertificateChain));
2217
2218     if (copy)
2219     {
2220         copy->ref = 1;
2221         copy->world = CertDuplicateStore(chain->world);
2222         copy->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
2223         /* Leave the trust status of the copied chain unset, it'll get
2224          * rechecked after the new chain is done.
2225          */
2226         memset(&copy->context.TrustStatus, 0, sizeof(CERT_TRUST_STATUS));
2227         copy->context.cLowerQualityChainContext = 0;
2228         copy->context.rgpLowerQualityChainContext = NULL;
2229         copy->context.fHasRevocationFreshnessTime = FALSE;
2230         copy->context.dwRevocationFreshnessTime = 0;
2231         copy->context.rgpChain = CryptMemAlloc(
2232          (iChain + 1) * sizeof(PCERT_SIMPLE_CHAIN));
2233         if (copy->context.rgpChain)
2234         {
2235             BOOL ret = TRUE;
2236             DWORD i;
2237
2238             memset(copy->context.rgpChain, 0,
2239              (iChain + 1) * sizeof(PCERT_SIMPLE_CHAIN));
2240             if (iChain)
2241             {
2242                 for (i = 0; ret && iChain && i < iChain - 1; i++)
2243                 {
2244                     copy->context.rgpChain[i] =
2245                      CRYPT_CopySimpleChainToElement(chain->context.rgpChain[i],
2246                      chain->context.rgpChain[i]->cElement - 1);
2247                     if (!copy->context.rgpChain[i])
2248                         ret = FALSE;
2249                 }
2250             }
2251             else
2252                 i = 0;
2253             if (ret)
2254             {
2255                 copy->context.rgpChain[i] =
2256                  CRYPT_CopySimpleChainToElement(chain->context.rgpChain[i],
2257                  iElement);
2258                 if (!copy->context.rgpChain[i])
2259                     ret = FALSE;
2260             }
2261             if (!ret)
2262             {
2263                 CRYPT_FreeChainContext(copy);
2264                 copy = NULL;
2265             }
2266             else
2267                 copy->context.cChain = iChain + 1;
2268         }
2269         else
2270         {
2271             CryptMemFree(copy);
2272             copy = NULL;
2273         }
2274     }
2275     return copy;
2276 }
2277
2278 static PCertificateChain CRYPT_BuildAlternateContextFromChain(
2279  HCERTCHAINENGINE hChainEngine, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
2280  PCertificateChain chain)
2281 {
2282     PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
2283     PCertificateChain alternate;
2284
2285     TRACE("(%p, %p, %p, %p)\n", hChainEngine, pTime, hAdditionalStore, chain);
2286
2287     /* Always start with the last "lower quality" chain to ensure a consistent
2288      * order of alternate creation:
2289      */
2290     if (chain->context.cLowerQualityChainContext)
2291         chain = (PCertificateChain)chain->context.rgpLowerQualityChainContext[
2292          chain->context.cLowerQualityChainContext - 1];
2293     /* A chain with only one element can't have any alternates */
2294     if (chain->context.cChain <= 1 && chain->context.rgpChain[0]->cElement <= 1)
2295         alternate = NULL;
2296     else
2297     {
2298         DWORD i, j, infoStatus;
2299         PCCERT_CONTEXT alternateIssuer = NULL;
2300
2301         alternate = NULL;
2302         for (i = 0; !alternateIssuer && i < chain->context.cChain; i++)
2303             for (j = 0; !alternateIssuer &&
2304              j < chain->context.rgpChain[i]->cElement - 1; j++)
2305             {
2306                 PCCERT_CONTEXT subject =
2307                  chain->context.rgpChain[i]->rgpElement[j]->pCertContext;
2308                 PCCERT_CONTEXT prevIssuer = CertDuplicateCertificateContext(
2309                  chain->context.rgpChain[i]->rgpElement[j + 1]->pCertContext);
2310
2311                 alternateIssuer = CRYPT_GetIssuer(prevIssuer->hCertStore,
2312                  subject, prevIssuer, &infoStatus);
2313             }
2314         if (alternateIssuer)
2315         {
2316             i--;
2317             j--;
2318             alternate = CRYPT_CopyChainToElement(chain, i, j);
2319             if (alternate)
2320             {
2321                 BOOL ret = CRYPT_AddCertToSimpleChain(engine,
2322                  alternate->context.rgpChain[i], alternateIssuer, infoStatus);
2323
2324                 /* CRYPT_AddCertToSimpleChain add-ref's the issuer, so free it
2325                  * to close the enumeration that found it
2326                  */
2327                 CertFreeCertificateContext(alternateIssuer);
2328                 if (ret)
2329                 {
2330                     ret = CRYPT_BuildSimpleChain(engine, alternate->world,
2331                      alternate->context.rgpChain[i]);
2332                     if (ret)
2333                         CRYPT_CheckSimpleChain(engine,
2334                          alternate->context.rgpChain[i], pTime);
2335                     CRYPT_CombineTrustStatus(&alternate->context.TrustStatus,
2336                      &alternate->context.rgpChain[i]->TrustStatus);
2337                 }
2338                 if (!ret)
2339                 {
2340                     CRYPT_FreeChainContext(alternate);
2341                     alternate = NULL;
2342                 }
2343             }
2344         }
2345     }
2346     TRACE("%p\n", alternate);
2347     return alternate;
2348 }
2349
2350 #define CHAIN_QUALITY_SIGNATURE_VALID   0x16
2351 #define CHAIN_QUALITY_TIME_VALID        8
2352 #define CHAIN_QUALITY_COMPLETE_CHAIN    4
2353 #define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
2354 #define CHAIN_QUALITY_TRUSTED_ROOT      1
2355
2356 #define CHAIN_QUALITY_HIGHEST \
2357  CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
2358  CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
2359  CHAIN_QUALITY_TRUSTED_ROOT
2360
2361 #define IS_TRUST_ERROR_SET(TrustStatus, bits) \
2362  (TrustStatus)->dwErrorStatus & (bits)
2363
2364 static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
2365 {
2366     DWORD quality = CHAIN_QUALITY_HIGHEST;
2367
2368     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2369      CERT_TRUST_IS_UNTRUSTED_ROOT))
2370         quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
2371     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2372      CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
2373         quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
2374     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2375      CERT_TRUST_IS_PARTIAL_CHAIN))
2376         quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;
2377     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2378      CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_NESTED))
2379         quality &= ~CHAIN_QUALITY_TIME_VALID;
2380     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2381      CERT_TRUST_IS_NOT_SIGNATURE_VALID))
2382         quality &= ~CHAIN_QUALITY_SIGNATURE_VALID;
2383     return quality;
2384 }
2385
2386 /* Chooses the highest quality chain among chain and its "lower quality"
2387  * alternate chains.  Returns the highest quality chain, with all other
2388  * chains as lower quality chains of it.
2389  */
2390 static PCertificateChain CRYPT_ChooseHighestQualityChain(
2391  PCertificateChain chain)
2392 {
2393     DWORD i;
2394
2395     /* There are always only two chains being considered:  chain, and an
2396      * alternate at chain->rgpLowerQualityChainContext[i].  If the alternate
2397      * has a higher quality than chain, the alternate gets assigned the lower
2398      * quality contexts, with chain taking the alternate's place among the
2399      * lower quality contexts.
2400      */
2401     for (i = 0; i < chain->context.cLowerQualityChainContext; i++)
2402     {
2403         PCertificateChain alternate =
2404          (PCertificateChain)chain->context.rgpLowerQualityChainContext[i];
2405
2406         if (CRYPT_ChainQuality(alternate) > CRYPT_ChainQuality(chain))
2407         {
2408             alternate->context.cLowerQualityChainContext =
2409              chain->context.cLowerQualityChainContext;
2410             alternate->context.rgpLowerQualityChainContext =
2411              chain->context.rgpLowerQualityChainContext;
2412             alternate->context.rgpLowerQualityChainContext[i] =
2413              (PCCERT_CHAIN_CONTEXT)chain;
2414             chain->context.cLowerQualityChainContext = 0;
2415             chain->context.rgpLowerQualityChainContext = NULL;
2416             chain = alternate;
2417         }
2418     }
2419     return chain;
2420 }
2421
2422 static BOOL CRYPT_AddAlternateChainToChain(PCertificateChain chain,
2423  const CertificateChain *alternate)
2424 {
2425     BOOL ret;
2426
2427     if (chain->context.cLowerQualityChainContext)
2428         chain->context.rgpLowerQualityChainContext =
2429          CryptMemRealloc(chain->context.rgpLowerQualityChainContext,
2430          (chain->context.cLowerQualityChainContext + 1) *
2431          sizeof(PCCERT_CHAIN_CONTEXT));
2432     else
2433         chain->context.rgpLowerQualityChainContext =
2434          CryptMemAlloc(sizeof(PCCERT_CHAIN_CONTEXT));
2435     if (chain->context.rgpLowerQualityChainContext)
2436     {
2437         chain->context.rgpLowerQualityChainContext[
2438          chain->context.cLowerQualityChainContext++] =
2439          (PCCERT_CHAIN_CONTEXT)alternate;
2440         ret = TRUE;
2441     }
2442     else
2443         ret = FALSE;
2444     return ret;
2445 }
2446
2447 static PCERT_CHAIN_ELEMENT CRYPT_FindIthElementInChain(
2448  const CERT_CHAIN_CONTEXT *chain, DWORD i)
2449 {
2450     DWORD j, iElement;
2451     PCERT_CHAIN_ELEMENT element = NULL;
2452
2453     for (j = 0, iElement = 0; !element && j < chain->cChain; j++)
2454     {
2455         if (iElement + chain->rgpChain[j]->cElement < i)
2456             iElement += chain->rgpChain[j]->cElement;
2457         else
2458             element = chain->rgpChain[j]->rgpElement[i - iElement];
2459     }
2460     return element;
2461 }
2462
2463 typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS {
2464     DWORD            cbSize;
2465     CERT_USAGE_MATCH RequestedUsage;
2466 } CERT_CHAIN_PARA_NO_EXTRA_FIELDS, *PCERT_CHAIN_PARA_NO_EXTRA_FIELDS;
2467
2468 static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain,
2469  LPFILETIME pTime, const CERT_CHAIN_PARA *pChainPara, DWORD chainFlags)
2470 {
2471     DWORD cContext;
2472
2473     if (chainFlags & CERT_CHAIN_REVOCATION_CHECK_END_CERT)
2474         cContext = 1;
2475     else if ((chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN) ||
2476      (chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT))
2477     {
2478         DWORD i;
2479
2480         for (i = 0, cContext = 0; i < chain->cChain; i++)
2481         {
2482             if (i < chain->cChain - 1 ||
2483              chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN)
2484                 cContext += chain->rgpChain[i]->cElement;
2485             else
2486                 cContext += chain->rgpChain[i]->cElement - 1;
2487         }
2488     }
2489     else
2490         cContext = 0;
2491     if (cContext)
2492     {
2493         PCCERT_CONTEXT *contexts =
2494          CryptMemAlloc(cContext * sizeof(PCCERT_CONTEXT));
2495
2496         if (contexts)
2497         {
2498             DWORD i, j, iContext, revocationFlags;
2499             CERT_REVOCATION_PARA revocationPara = { sizeof(revocationPara), 0 };
2500             CERT_REVOCATION_STATUS revocationStatus =
2501              { sizeof(revocationStatus), 0 };
2502             BOOL ret;
2503
2504             for (i = 0, iContext = 0; iContext < cContext && i < chain->cChain;
2505              i++)
2506             {
2507                 for (j = 0; iContext < cContext &&
2508                  j < chain->rgpChain[i]->cElement; j++)
2509                     contexts[iContext++] =
2510                      chain->rgpChain[i]->rgpElement[j]->pCertContext;
2511             }
2512             revocationFlags = CERT_VERIFY_REV_CHAIN_FLAG;
2513             if (chainFlags & CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY)
2514                 revocationFlags |= CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION;
2515             if (chainFlags & CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT)
2516                 revocationFlags |= CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG;
2517             revocationPara.pftTimeToUse = pTime;
2518             if (pChainPara->cbSize == sizeof(CERT_CHAIN_PARA))
2519             {
2520                 revocationPara.dwUrlRetrievalTimeout =
2521                  pChainPara->dwUrlRetrievalTimeout;
2522                 revocationPara.fCheckFreshnessTime =
2523                  pChainPara->fCheckRevocationFreshnessTime;
2524                 revocationPara.dwFreshnessTime =
2525                  pChainPara->dwRevocationFreshnessTime;
2526             }
2527             ret = CertVerifyRevocation(X509_ASN_ENCODING,
2528              CERT_CONTEXT_REVOCATION_TYPE, cContext, (void **)contexts,
2529              revocationFlags, &revocationPara, &revocationStatus);
2530             if (!ret)
2531             {
2532                 PCERT_CHAIN_ELEMENT element =
2533                  CRYPT_FindIthElementInChain(chain, revocationStatus.dwIndex);
2534                 DWORD error;
2535
2536                 switch (revocationStatus.dwError)
2537                 {
2538                 case CRYPT_E_NO_REVOCATION_CHECK:
2539                 case CRYPT_E_NO_REVOCATION_DLL:
2540                 case CRYPT_E_NOT_IN_REVOCATION_DATABASE:
2541                     /* If the revocation status is unknown, it's assumed to be
2542                      * offline too.
2543                      */
2544                     error = CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
2545                      CERT_TRUST_IS_OFFLINE_REVOCATION;
2546                     break;
2547                 case CRYPT_E_REVOCATION_OFFLINE:
2548                     error = CERT_TRUST_IS_OFFLINE_REVOCATION;
2549                     break;
2550                 case CRYPT_E_REVOKED:
2551                     error = CERT_TRUST_IS_REVOKED;
2552                     break;
2553                 default:
2554                     WARN("unmapped error %08x\n", revocationStatus.dwError);
2555                     error = 0;
2556                 }
2557                 if (element)
2558                 {
2559                     /* FIXME: set element's pRevocationInfo member */
2560                     element->TrustStatus.dwErrorStatus |= error;
2561                 }
2562                 chain->TrustStatus.dwErrorStatus |= error;
2563             }
2564             CryptMemFree(contexts);
2565         }
2566     }
2567 }
2568
2569 static void CRYPT_CheckUsages(PCERT_CHAIN_CONTEXT chain,
2570  const CERT_CHAIN_PARA *pChainPara)
2571 {
2572     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA_NO_EXTRA_FIELDS) &&
2573      pChainPara->RequestedUsage.Usage.cUsageIdentifier)
2574     {
2575         PCCERT_CONTEXT endCert;
2576         PCERT_EXTENSION ext;
2577         BOOL validForUsage;
2578
2579         /* A chain, if created, always includes the end certificate */
2580         endCert = chain->rgpChain[0]->rgpElement[0]->pCertContext;
2581         /* The extended key usage extension specifies how a certificate's
2582          * public key may be used.  From RFC 5280, section 4.2.1.12:
2583          * "This extension indicates one or more purposes for which the
2584          *  certified public key may be used, in addition to or in place of the
2585          *  basic purposes indicated in the key usage extension."
2586          * If the extension is present, it only satisfies the requested usage
2587          * if that usage is included in the extension:
2588          * "If the extension is present, then the certificate MUST only be used
2589          *  for one of the purposes indicated."
2590          * There is also the special anyExtendedKeyUsage OID, but it doesn't
2591          * have to be respected:
2592          * "Applications that require the presence of a particular purpose
2593          *  MAY reject certificates that include the anyExtendedKeyUsage OID
2594          *  but not the particular OID expected for the application."
2595          * For now, I'm being more conservative and ignoring the presence of
2596          * the anyExtendedKeyUsage OID.
2597          */
2598         if ((ext = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
2599          endCert->pCertInfo->cExtension, endCert->pCertInfo->rgExtension)))
2600         {
2601             const CERT_ENHKEY_USAGE *requestedUsage =
2602              &pChainPara->RequestedUsage.Usage;
2603             CERT_ENHKEY_USAGE *usage;
2604             DWORD size;
2605
2606             if (CryptDecodeObjectEx(X509_ASN_ENCODING,
2607              X509_ENHANCED_KEY_USAGE, ext->Value.pbData, ext->Value.cbData,
2608              CRYPT_DECODE_ALLOC_FLAG, NULL, &usage, &size))
2609             {
2610                 if (pChainPara->RequestedUsage.dwType == USAGE_MATCH_TYPE_AND)
2611                 {
2612                     DWORD i, j;
2613
2614                     /* For AND matches, all usages must be present */
2615                     validForUsage = TRUE;
2616                     for (i = 0; validForUsage &&
2617                      i < requestedUsage->cUsageIdentifier; i++)
2618                     {
2619                         BOOL match = FALSE;
2620
2621                         for (j = 0; !match && j < usage->cUsageIdentifier; j++)
2622                             match = !strcmp(usage->rgpszUsageIdentifier[j],
2623                              requestedUsage->rgpszUsageIdentifier[i]);
2624                         if (!match)
2625                             validForUsage = FALSE;
2626                     }
2627                 }
2628                 else
2629                 {
2630                     DWORD i, j;
2631
2632                     /* For OR matches, any matching usage suffices */
2633                     validForUsage = FALSE;
2634                     for (i = 0; !validForUsage &&
2635                      i < requestedUsage->cUsageIdentifier; i++)
2636                     {
2637                         for (j = 0; !validForUsage &&
2638                          j < usage->cUsageIdentifier; j++)
2639                             validForUsage =
2640                              !strcmp(usage->rgpszUsageIdentifier[j],
2641                              requestedUsage->rgpszUsageIdentifier[i]);
2642                     }
2643                 }
2644                 LocalFree(usage);
2645             }
2646             else
2647                 validForUsage = FALSE;
2648         }
2649         else
2650         {
2651             /* If the extension isn't present, any interpretation is valid:
2652              * "Certificate using applications MAY require that the extended
2653              *  key usage extension be present and that a particular purpose
2654              *  be indicated in order for the certificate to be acceptable to
2655              *  that application."
2656              * Not all web sites include the extended key usage extension, so
2657              * accept chains without it.
2658              */
2659             TRACE_(chain)("requested usage from certificate with no usages\n");
2660             validForUsage = TRUE;
2661         }
2662         if (!validForUsage)
2663         {
2664             chain->TrustStatus.dwErrorStatus |=
2665              CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
2666             chain->rgpChain[0]->rgpElement[0]->TrustStatus.dwErrorStatus |=
2667              CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
2668         }
2669     }
2670     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA) &&
2671      pChainPara->RequestedIssuancePolicy.Usage.cUsageIdentifier)
2672         FIXME("unimplemented for RequestedIssuancePolicy\n");
2673 }
2674
2675 static void dump_usage_match(LPCSTR name, const CERT_USAGE_MATCH *usageMatch)
2676 {
2677     if (usageMatch->Usage.cUsageIdentifier)
2678     {
2679         DWORD i;
2680
2681         TRACE_(chain)("%s: %s\n", name,
2682          usageMatch->dwType == USAGE_MATCH_TYPE_AND ? "AND" : "OR");
2683         for (i = 0; i < usageMatch->Usage.cUsageIdentifier; i++)
2684             TRACE_(chain)("%s\n", usageMatch->Usage.rgpszUsageIdentifier[i]);
2685     }
2686 }
2687
2688 static void dump_chain_para(const CERT_CHAIN_PARA *pChainPara)
2689 {
2690     TRACE_(chain)("%d\n", pChainPara->cbSize);
2691     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA_NO_EXTRA_FIELDS))
2692         dump_usage_match("RequestedUsage", &pChainPara->RequestedUsage);
2693     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA))
2694     {
2695         dump_usage_match("RequestedIssuancePolicy",
2696          &pChainPara->RequestedIssuancePolicy);
2697         TRACE_(chain)("%d\n", pChainPara->dwUrlRetrievalTimeout);
2698         TRACE_(chain)("%d\n", pChainPara->fCheckRevocationFreshnessTime);
2699         TRACE_(chain)("%d\n", pChainPara->dwRevocationFreshnessTime);
2700     }
2701 }
2702
2703 BOOL WINAPI CertGetCertificateChain(HCERTCHAINENGINE hChainEngine,
2704  PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
2705  PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved,
2706  PCCERT_CHAIN_CONTEXT* ppChainContext)
2707 {
2708     BOOL ret;
2709     PCertificateChain chain = NULL;
2710
2711     TRACE("(%p, %p, %p, %p, %p, %08x, %p, %p)\n", hChainEngine, pCertContext,
2712      pTime, hAdditionalStore, pChainPara, dwFlags, pvReserved, ppChainContext);
2713
2714     if (ppChainContext)
2715         *ppChainContext = NULL;
2716     if (!pChainPara)
2717     {
2718         SetLastError(E_INVALIDARG);
2719         return FALSE;
2720     }
2721     if (!pCertContext->pCertInfo->SignatureAlgorithm.pszObjId)
2722     {
2723         SetLastError(ERROR_INVALID_DATA);
2724         return FALSE;
2725     }
2726
2727     if (!hChainEngine)
2728         hChainEngine = CRYPT_GetDefaultChainEngine();
2729     if (TRACE_ON(chain))
2730         dump_chain_para(pChainPara);
2731     /* FIXME: what about HCCE_LOCAL_MACHINE? */
2732     ret = CRYPT_BuildCandidateChainFromCert(hChainEngine, pCertContext, pTime,
2733      hAdditionalStore, &chain);
2734     if (ret)
2735     {
2736         PCertificateChain alternate = NULL;
2737         PCERT_CHAIN_CONTEXT pChain;
2738
2739         do {
2740             alternate = CRYPT_BuildAlternateContextFromChain(hChainEngine,
2741              pTime, hAdditionalStore, chain);
2742
2743             /* Alternate contexts are added as "lower quality" contexts of
2744              * chain, to avoid loops in alternate chain creation.
2745              * The highest-quality chain is chosen at the end.
2746              */
2747             if (alternate)
2748                 ret = CRYPT_AddAlternateChainToChain(chain, alternate);
2749         } while (ret && alternate);
2750         chain = CRYPT_ChooseHighestQualityChain(chain);
2751         if (!(dwFlags & CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS))
2752             CRYPT_FreeLowerQualityChains(chain);
2753         pChain = (PCERT_CHAIN_CONTEXT)chain;
2754         if (!pChain->TrustStatus.dwErrorStatus)
2755             CRYPT_VerifyChainRevocation(pChain, pTime, pChainPara, dwFlags);
2756         CRYPT_CheckUsages(pChain, pChainPara);
2757         TRACE_(chain)("error status: %08x\n",
2758          pChain->TrustStatus.dwErrorStatus);
2759         if (ppChainContext)
2760             *ppChainContext = pChain;
2761         else
2762             CertFreeCertificateChain(pChain);
2763     }
2764     TRACE("returning %d\n", ret);
2765     return ret;
2766 }
2767
2768 PCCERT_CHAIN_CONTEXT WINAPI CertDuplicateCertificateChain(
2769  PCCERT_CHAIN_CONTEXT pChainContext)
2770 {
2771     PCertificateChain chain = (PCertificateChain)pChainContext;
2772
2773     TRACE("(%p)\n", pChainContext);
2774
2775     if (chain)
2776         InterlockedIncrement(&chain->ref);
2777     return pChainContext;
2778 }
2779
2780 VOID WINAPI CertFreeCertificateChain(PCCERT_CHAIN_CONTEXT pChainContext)
2781 {
2782     PCertificateChain chain = (PCertificateChain)pChainContext;
2783
2784     TRACE("(%p)\n", pChainContext);
2785
2786     if (chain)
2787     {
2788         if (InterlockedDecrement(&chain->ref) == 0)
2789             CRYPT_FreeChainContext(chain);
2790     }
2791 }
2792
2793 static void find_element_with_error(PCCERT_CHAIN_CONTEXT chain, DWORD error,
2794  LONG *iChain, LONG *iElement)
2795 {
2796     DWORD i, j;
2797
2798     for (i = 0; i < chain->cChain; i++)
2799         for (j = 0; j < chain->rgpChain[i]->cElement; j++)
2800             if (chain->rgpChain[i]->rgpElement[j]->TrustStatus.dwErrorStatus &
2801              error)
2802             {
2803                 *iChain = i;
2804                 *iElement = j;
2805                 return;
2806             }
2807 }
2808
2809 static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
2810  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
2811  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
2812 {
2813     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
2814     if (pChainContext->TrustStatus.dwErrorStatus &
2815      CERT_TRUST_IS_NOT_SIGNATURE_VALID)
2816     {
2817         pPolicyStatus->dwError = TRUST_E_CERT_SIGNATURE;
2818         find_element_with_error(pChainContext,
2819          CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
2820          &pPolicyStatus->lElementIndex);
2821     }
2822     else if (pChainContext->TrustStatus.dwErrorStatus &
2823      CERT_TRUST_IS_UNTRUSTED_ROOT)
2824     {
2825         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
2826         find_element_with_error(pChainContext,
2827          CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
2828          &pPolicyStatus->lElementIndex);
2829     }
2830     else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
2831     {
2832         pPolicyStatus->dwError = CERT_E_CHAINING;
2833         find_element_with_error(pChainContext, CERT_TRUST_IS_CYCLIC,
2834          &pPolicyStatus->lChainIndex, &pPolicyStatus->lElementIndex);
2835         /* For a cyclic chain, which element is a cycle isn't meaningful */
2836         pPolicyStatus->lElementIndex = -1;
2837     }
2838     else
2839         pPolicyStatus->dwError = NO_ERROR;
2840     return TRUE;
2841 }
2842
2843 static BYTE msTestPubKey1[] = {
2844 0x30,0x47,0x02,0x40,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,0xd9,
2845 0x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,0xf7,
2846 0x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,0x5f,
2847 0x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,0x10,
2848 0x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
2849 static BYTE msTestPubKey2[] = {
2850 0x30,0x47,0x02,0x40,0x9c,0x50,0x05,0x1d,0xe2,0x0e,0x4c,0x53,0xd8,0xd9,0xb5,
2851 0xe5,0xfd,0xe9,0xe3,0xad,0x83,0x4b,0x80,0x08,0xd9,0xdc,0xe8,0xe8,0x35,0xf8,
2852 0x11,0xf1,0xe9,0x9b,0x03,0x7a,0x65,0x64,0x76,0x35,0xce,0x38,0x2c,0xf2,0xb6,
2853 0x71,0x9e,0x06,0xd9,0xbf,0xbb,0x31,0x69,0xa3,0xf6,0x30,0xa0,0x78,0x7b,0x18,
2854 0xdd,0x50,0x4d,0x79,0x1e,0xeb,0x61,0xc1,0x02,0x03,0x01,0x00,0x01 };
2855
2856 static BOOL WINAPI verify_authenticode_policy(LPCSTR szPolicyOID,
2857  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
2858  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
2859 {
2860     BOOL ret = verify_base_policy(szPolicyOID, pChainContext, pPolicyPara,
2861      pPolicyStatus);
2862
2863     if (ret && pPolicyStatus->dwError == CERT_E_UNTRUSTEDROOT)
2864     {
2865         CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } };
2866         BOOL isMSTestRoot = FALSE;
2867         PCCERT_CONTEXT failingCert =
2868          pChainContext->rgpChain[pPolicyStatus->lChainIndex]->
2869          rgpElement[pPolicyStatus->lElementIndex]->pCertContext;
2870         DWORD i;
2871         CRYPT_DATA_BLOB keyBlobs[] = {
2872          { sizeof(msTestPubKey1), msTestPubKey1 },
2873          { sizeof(msTestPubKey2), msTestPubKey2 },
2874         };
2875
2876         /* Check whether the root is an MS test root */
2877         for (i = 0; !isMSTestRoot && i < sizeof(keyBlobs) / sizeof(keyBlobs[0]);
2878          i++)
2879         {
2880             msPubKey.PublicKey.cbData = keyBlobs[i].cbData;
2881             msPubKey.PublicKey.pbData = keyBlobs[i].pbData;
2882             if (CertComparePublicKeyInfo(
2883              X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
2884              &failingCert->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
2885                 isMSTestRoot = TRUE;
2886         }
2887         if (isMSTestRoot)
2888             pPolicyStatus->dwError = CERT_E_UNTRUSTEDTESTROOT;
2889     }
2890     return ret;
2891 }
2892
2893 static BOOL WINAPI verify_basic_constraints_policy(LPCSTR szPolicyOID,
2894  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
2895  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
2896 {
2897     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
2898     if (pChainContext->TrustStatus.dwErrorStatus &
2899      CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
2900     {
2901         pPolicyStatus->dwError = TRUST_E_BASIC_CONSTRAINTS;
2902         find_element_with_error(pChainContext,
2903          CERT_TRUST_INVALID_BASIC_CONSTRAINTS, &pPolicyStatus->lChainIndex,
2904          &pPolicyStatus->lElementIndex);
2905     }
2906     else
2907         pPolicyStatus->dwError = NO_ERROR;
2908     return TRUE;
2909 }
2910
2911 static BOOL match_dns_to_subject_alt_name(PCERT_EXTENSION ext,
2912  LPCWSTR server_name)
2913 {
2914     BOOL matches = FALSE;
2915     CERT_ALT_NAME_INFO *subjectName;
2916     DWORD size;
2917
2918     TRACE_(chain)("%s\n", debugstr_w(server_name));
2919     /* This could be spoofed by the embedded NULL vulnerability, since the
2920      * returned CERT_ALT_NAME_INFO doesn't have a way to indicate the
2921      * encoded length of a name.  Fortunately CryptDecodeObjectEx fails if
2922      * the encoded form of the name contains a NULL.
2923      */
2924     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
2925      ext->Value.pbData, ext->Value.cbData,
2926      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
2927      &subjectName, &size))
2928     {
2929         DWORD i;
2930
2931         /* RFC 5280 states that multiple instances of each name type may exist,
2932          * in section 4.2.1.6:
2933          * "Multiple name forms, and multiple instances of each name form,
2934          *  MAY be included."
2935          * It doesn't specify the behavior in such cases, but both RFC 2818
2936          * and RFC 2595 explicitly accept a certificate if any name matches.
2937          */
2938         for (i = 0; !matches && i < subjectName->cAltEntry; i++)
2939         {
2940             if (subjectName->rgAltEntry[i].dwAltNameChoice ==
2941              CERT_ALT_NAME_DNS_NAME)
2942             {
2943                 TRACE_(chain)("dNSName: %s\n", debugstr_w(
2944                  subjectName->rgAltEntry[i].u.pwszDNSName));
2945                 if (!strcmpiW(server_name,
2946                  subjectName->rgAltEntry[i].u.pwszDNSName))
2947                     matches = TRUE;
2948             }
2949         }
2950         LocalFree(subjectName);
2951     }
2952     return matches;
2953 }
2954
2955 static BOOL find_matching_domain_component(CERT_NAME_INFO *name,
2956  LPCWSTR component)
2957 {
2958     BOOL matches = FALSE;
2959     DWORD i, j;
2960
2961     for (i = 0; !matches && i < name->cRDN; i++)
2962         for (j = 0; j < name->rgRDN[i].cRDNAttr; j++)
2963             if (!strcmp(szOID_DOMAIN_COMPONENT,
2964              name->rgRDN[i].rgRDNAttr[j].pszObjId))
2965             {
2966                 PCERT_RDN_ATTR attr;
2967
2968                 attr = &name->rgRDN[i].rgRDNAttr[j];
2969                 /* Compare with memicmpW rather than strcmpiW in order to avoid
2970                  * a match with a string with an embedded NULL.  The component
2971                  * must match one domain component attribute's entire string
2972                  * value with a case-insensitive match.
2973                  */
2974                 matches = !memicmpW(component, (LPWSTR)attr->Value.pbData,
2975                  attr->Value.cbData / sizeof(WCHAR));
2976             }
2977     return matches;
2978 }
2979
2980 static BOOL match_domain_component(LPCWSTR allowed_component, DWORD allowed_len,
2981  LPCWSTR server_component, DWORD server_len, BOOL allow_wildcards,
2982  BOOL *see_wildcard)
2983 {
2984     LPCWSTR allowed_ptr, server_ptr;
2985     BOOL matches = TRUE;
2986
2987     *see_wildcard = FALSE;
2988     if (server_len < allowed_len)
2989     {
2990         WARN_(chain)("domain component %s too short for %s\n",
2991          debugstr_wn(server_component, server_len),
2992          debugstr_wn(allowed_component, allowed_len));
2993         /* A domain component can't contain a wildcard character, so a domain
2994          * component shorter than the allowed string can't produce a match.
2995          */
2996         return FALSE;
2997     }
2998     for (allowed_ptr = allowed_component, server_ptr = server_component;
2999          matches && allowed_ptr - allowed_component < allowed_len;
3000          allowed_ptr++, server_ptr++)
3001     {
3002         if (*allowed_ptr == '*')
3003         {
3004             if (allowed_ptr - allowed_component < allowed_len - 1)
3005             {
3006                 WARN_(chain)("non-wildcard characters after wildcard not supported\n");
3007                 matches = FALSE;
3008             }
3009             else if (!allow_wildcards)
3010             {
3011                 WARN_(chain)("wildcard after non-wildcard component\n");
3012                 matches = FALSE;
3013             }
3014             else
3015             {
3016                 /* the preceding characters must have matched, so the rest of
3017                  * the component also matches.
3018                  */
3019                 *see_wildcard = TRUE;
3020                 break;
3021             }
3022         }
3023         matches = tolowerW(*allowed_ptr) == tolowerW(*server_ptr);
3024     }
3025     if (matches && server_ptr - server_component < server_len)
3026     {
3027         /* If there are unmatched characters in the server domain component,
3028          * the server domain only matches if the allowed string ended in a '*'.
3029          */
3030         matches = *allowed_ptr == '*';
3031     }
3032     return matches;
3033 }
3034
3035 static BOOL match_common_name(LPCWSTR server_name, PCERT_RDN_ATTR nameAttr)
3036 {
3037     LPCWSTR allowed = (LPCWSTR)nameAttr->Value.pbData;
3038     LPCWSTR allowed_component = allowed;
3039     DWORD allowed_len = nameAttr->Value.cbData / sizeof(WCHAR);
3040     LPCWSTR server_component = server_name;
3041     DWORD server_len = strlenW(server_name);
3042     BOOL matches = TRUE, allow_wildcards = TRUE;
3043
3044     TRACE_(chain)("CN = %s\n", debugstr_wn(allowed_component, allowed_len));
3045
3046     /* From RFC 2818 (HTTP over TLS), section 3.1:
3047      * "Names may contain the wildcard character * which is considered to match
3048      *  any single domain name component or component fragment. E.g.,
3049      *  *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com
3050      *  but not bar.com."
3051      *
3052      * And from RFC 2595 (Using TLS with IMAP, POP3 and ACAP), section 2.4:
3053      * "A "*" wildcard character MAY be used as the left-most name component in
3054      *  the certificate.  For example, *.example.com would match a.example.com,
3055      *  foo.example.com, etc. but would not match example.com."
3056      *
3057      * There are other protocols which use TLS, and none of them is
3058      * authoritative.  This accepts certificates in common usage, e.g.
3059      * *.domain.com matches www.domain.com but not domain.com, and
3060      * www*.domain.com matches www1.domain.com but not mail.domain.com.
3061      */
3062     do {
3063         LPCWSTR allowed_dot, server_dot;
3064
3065         allowed_dot = memchrW(allowed_component, '.',
3066          allowed_len - (allowed_component - allowed));
3067         server_dot = memchrW(server_component, '.',
3068          server_len - (server_component - server_name));
3069         /* The number of components must match */
3070         if ((!allowed_dot && server_dot) || (allowed_dot && !server_dot))
3071         {
3072             if (!allowed_dot)
3073                 WARN_(chain)("%s: too many components for CN=%s\n",
3074                  debugstr_w(server_name), debugstr_wn(allowed, allowed_len));
3075             else
3076                 WARN_(chain)("%s: not enough components for CN=%s\n",
3077                  debugstr_w(server_name), debugstr_wn(allowed, allowed_len));
3078             matches = FALSE;
3079         }
3080         else
3081         {
3082             LPCWSTR allowed_end, server_end;
3083             BOOL has_wildcard;
3084
3085             allowed_end = allowed_dot ? allowed_dot : allowed + allowed_len;
3086             server_end = server_dot ? server_dot : server_name + server_len;
3087             matches = match_domain_component(allowed_component,
3088              allowed_end - allowed_component, server_component,
3089              server_end - server_component, allow_wildcards, &has_wildcard);
3090             /* Once a non-wildcard component is seen, no wildcard components
3091              * may follow
3092              */
3093             if (!has_wildcard)
3094                 allow_wildcards = FALSE;
3095             if (matches)
3096             {
3097                 allowed_component = allowed_dot ? allowed_dot + 1 : allowed_end;
3098                 server_component = server_dot ? server_dot + 1 : server_end;
3099             }
3100         }
3101     } while (matches && allowed_component &&
3102      allowed_component - allowed < allowed_len &&
3103      server_component && server_component - server_name < server_len);
3104     TRACE_(chain)("returning %d\n", matches);
3105     return matches;
3106 }
3107
3108 static BOOL match_dns_to_subject_dn(PCCERT_CONTEXT cert, LPCWSTR server_name)
3109 {
3110     BOOL matches = FALSE;
3111     CERT_NAME_INFO *name;
3112     DWORD size;
3113
3114     TRACE_(chain)("%s\n", debugstr_w(server_name));
3115     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_UNICODE_NAME,
3116      cert->pCertInfo->Subject.pbData, cert->pCertInfo->Subject.cbData,
3117      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
3118      &name, &size))
3119     {
3120         /* If the subject distinguished name contains any name components,
3121          * make sure all of them are present.
3122          */
3123         if (CertFindRDNAttr(szOID_DOMAIN_COMPONENT, name))
3124         {
3125             LPCWSTR ptr = server_name;
3126
3127             matches = TRUE;
3128             do {
3129                 LPCWSTR dot = strchrW(ptr, '.'), end;
3130                 /* 254 is the maximum DNS label length, see RFC 1035 */
3131                 WCHAR component[255];
3132                 DWORD len;
3133
3134                 end = dot ? dot : ptr + strlenW(ptr);
3135                 len = end - ptr;
3136                 if (len >= sizeof(component) / sizeof(component[0]))
3137                 {
3138                     WARN_(chain)("domain component %s too long\n",
3139                      debugstr_wn(ptr, len));
3140                     matches = FALSE;
3141                 }
3142                 else
3143                 {
3144                     memcpy(component, ptr, len * sizeof(WCHAR));
3145                     component[len] = 0;
3146                     matches = find_matching_domain_component(name, component);
3147                 }
3148                 ptr = dot ? dot + 1 : end;
3149             } while (matches && ptr && *ptr);
3150         }
3151         else
3152         {
3153             PCERT_RDN_ATTR attr;
3154
3155             /* If the certificate isn't using a DN attribute in the name, make
3156              * make sure the common name matches.
3157              */
3158             if ((attr = CertFindRDNAttr(szOID_COMMON_NAME, name)))
3159                 matches = match_common_name(server_name, attr);
3160         }
3161         LocalFree(name);
3162     }
3163     return matches;
3164 }
3165
3166 static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
3167  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3168  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
3169 {
3170     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
3171     if (pChainContext->TrustStatus.dwErrorStatus &
3172      CERT_TRUST_IS_NOT_SIGNATURE_VALID)
3173     {
3174         pPolicyStatus->dwError = TRUST_E_CERT_SIGNATURE;
3175         find_element_with_error(pChainContext,
3176          CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
3177          &pPolicyStatus->lElementIndex);
3178     }
3179     else if (pChainContext->TrustStatus.dwErrorStatus &
3180      CERT_TRUST_IS_UNTRUSTED_ROOT)
3181     {
3182         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
3183         find_element_with_error(pChainContext,
3184          CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
3185          &pPolicyStatus->lElementIndex);
3186     }
3187     else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
3188     {
3189         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
3190         find_element_with_error(pChainContext,
3191          CERT_TRUST_IS_CYCLIC, &pPolicyStatus->lChainIndex,
3192          &pPolicyStatus->lElementIndex);
3193         /* For a cyclic chain, which element is a cycle isn't meaningful */
3194         pPolicyStatus->lElementIndex = -1;
3195     }
3196     else if (pChainContext->TrustStatus.dwErrorStatus &
3197      CERT_TRUST_IS_NOT_TIME_VALID)
3198     {
3199         pPolicyStatus->dwError = CERT_E_EXPIRED;
3200         find_element_with_error(pChainContext,
3201          CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
3202          &pPolicyStatus->lElementIndex);
3203     }
3204     else
3205         pPolicyStatus->dwError = NO_ERROR;
3206     /* We only need bother checking whether the name in the end certificate
3207      * matches if the chain is otherwise okay.
3208      */
3209     if (!pPolicyStatus->dwError && pPolicyPara &&
3210      pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
3211     {
3212         HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
3213
3214         if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
3215         {
3216             if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
3217              sslPara->pwszServerName)
3218             {
3219                 PCCERT_CONTEXT cert;
3220                 PCERT_EXTENSION altNameExt;
3221                 BOOL matches;
3222
3223                 cert = pChainContext->rgpChain[0]->rgpElement[0]->pCertContext;
3224                 altNameExt = get_subject_alt_name_ext(cert->pCertInfo);
3225                 /* If the alternate name extension exists, the name it contains
3226                  * is bound to the certificate, so make sure the name matches
3227                  * it.  Otherwise, look for the server name in the subject
3228                  * distinguished name.  RFC5280, section 4.2.1.6:
3229                  * "Whenever such identities are to be bound into a
3230                  *  certificate, the subject alternative name (or issuer
3231                  *  alternative name) extension MUST be used; however, a DNS
3232                  *  name MAY also be represented in the subject field using the
3233                  *  domainComponent attribute."
3234                  */
3235                 if (altNameExt)
3236                     matches = match_dns_to_subject_alt_name(altNameExt,
3237                      sslPara->pwszServerName);
3238                 else
3239                     matches = match_dns_to_subject_dn(cert,
3240                      sslPara->pwszServerName);
3241                 if (!matches)
3242                 {
3243                     pPolicyStatus->dwError = CERT_E_CN_NO_MATCH;
3244                     pPolicyStatus->lChainIndex = 0;
3245                     pPolicyStatus->lElementIndex = 0;
3246                 }
3247             }
3248         }
3249     }
3250     return TRUE;
3251 }
3252
3253 static BYTE msPubKey1[] = {
3254 0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xdf,0x08,0xba,0xe3,0x3f,0x6e,
3255 0x64,0x9b,0xf5,0x89,0xaf,0x28,0x96,0x4a,0x07,0x8f,0x1b,0x2e,0x8b,0x3e,0x1d,
3256 0xfc,0xb8,0x80,0x69,0xa3,0xa1,0xce,0xdb,0xdf,0xb0,0x8e,0x6c,0x89,0x76,0x29,
3257 0x4f,0xca,0x60,0x35,0x39,0xad,0x72,0x32,0xe0,0x0b,0xae,0x29,0x3d,0x4c,0x16,
3258 0xd9,0x4b,0x3c,0x9d,0xda,0xc5,0xd3,0xd1,0x09,0xc9,0x2c,0x6f,0xa6,0xc2,0x60,
3259 0x53,0x45,0xdd,0x4b,0xd1,0x55,0xcd,0x03,0x1c,0xd2,0x59,0x56,0x24,0xf3,0xe5,
3260 0x78,0xd8,0x07,0xcc,0xd8,0xb3,0x1f,0x90,0x3f,0xc0,0x1a,0x71,0x50,0x1d,0x2d,
3261 0xa7,0x12,0x08,0x6d,0x7c,0xb0,0x86,0x6c,0xc7,0xba,0x85,0x32,0x07,0xe1,0x61,
3262 0x6f,0xaf,0x03,0xc5,0x6d,0xe5,0xd6,0xa1,0x8f,0x36,0xf6,0xc1,0x0b,0xd1,0x3e,
3263 0x69,0x97,0x48,0x72,0xc9,0x7f,0xa4,0xc8,0xc2,0x4a,0x4c,0x7e,0xa1,0xd1,0x94,
3264 0xa6,0xd7,0xdc,0xeb,0x05,0x46,0x2e,0xb8,0x18,0xb4,0x57,0x1d,0x86,0x49,0xdb,
3265 0x69,0x4a,0x2c,0x21,0xf5,0x5e,0x0f,0x54,0x2d,0x5a,0x43,0xa9,0x7a,0x7e,0x6a,
3266 0x8e,0x50,0x4d,0x25,0x57,0xa1,0xbf,0x1b,0x15,0x05,0x43,0x7b,0x2c,0x05,0x8d,
3267 0xbd,0x3d,0x03,0x8c,0x93,0x22,0x7d,0x63,0xea,0x0a,0x57,0x05,0x06,0x0a,0xdb,
3268 0x61,0x98,0x65,0x2d,0x47,0x49,0xa8,0xe7,0xe6,0x56,0x75,0x5c,0xb8,0x64,0x08,
3269 0x63,0xa9,0x30,0x40,0x66,0xb2,0xf9,0xb6,0xe3,0x34,0xe8,0x67,0x30,0xe1,0x43,
3270 0x0b,0x87,0xff,0xc9,0xbe,0x72,0x10,0x5e,0x23,0xf0,0x9b,0xa7,0x48,0x65,0xbf,
3271 0x09,0x88,0x7b,0xcd,0x72,0xbc,0x2e,0x79,0x9b,0x7b,0x02,0x03,0x01,0x00,0x01 };
3272 static BYTE msPubKey2[] = {
3273 0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa9,0x02,0xbd,0xc1,0x70,0xe6,
3274 0x3b,0xf2,0x4e,0x1b,0x28,0x9f,0x97,0x78,0x5e,0x30,0xea,0xa2,0xa9,0x8d,0x25,
3275 0x5f,0xf8,0xfe,0x95,0x4c,0xa3,0xb7,0xfe,0x9d,0xa2,0x20,0x3e,0x7c,0x51,0xa2,
3276 0x9b,0xa2,0x8f,0x60,0x32,0x6b,0xd1,0x42,0x64,0x79,0xee,0xac,0x76,0xc9,0x54,
3277 0xda,0xf2,0xeb,0x9c,0x86,0x1c,0x8f,0x9f,0x84,0x66,0xb3,0xc5,0x6b,0x7a,0x62,
3278 0x23,0xd6,0x1d,0x3c,0xde,0x0f,0x01,0x92,0xe8,0x96,0xc4,0xbf,0x2d,0x66,0x9a,
3279 0x9a,0x68,0x26,0x99,0xd0,0x3a,0x2c,0xbf,0x0c,0xb5,0x58,0x26,0xc1,0x46,0xe7,
3280 0x0a,0x3e,0x38,0x96,0x2c,0xa9,0x28,0x39,0xa8,0xec,0x49,0x83,0x42,0xe3,0x84,
3281 0x0f,0xbb,0x9a,0x6c,0x55,0x61,0xac,0x82,0x7c,0xa1,0x60,0x2d,0x77,0x4c,0xe9,
3282 0x99,0xb4,0x64,0x3b,0x9a,0x50,0x1c,0x31,0x08,0x24,0x14,0x9f,0xa9,0xe7,0x91,
3283 0x2b,0x18,0xe6,0x3d,0x98,0x63,0x14,0x60,0x58,0x05,0x65,0x9f,0x1d,0x37,0x52,
3284 0x87,0xf7,0xa7,0xef,0x94,0x02,0xc6,0x1b,0xd3,0xbf,0x55,0x45,0xb3,0x89,0x80,
3285 0xbf,0x3a,0xec,0x54,0x94,0x4e,0xae,0xfd,0xa7,0x7a,0x6d,0x74,0x4e,0xaf,0x18,
3286 0xcc,0x96,0x09,0x28,0x21,0x00,0x57,0x90,0x60,0x69,0x37,0xbb,0x4b,0x12,0x07,
3287 0x3c,0x56,0xff,0x5b,0xfb,0xa4,0x66,0x0a,0x08,0xa6,0xd2,0x81,0x56,0x57,0xef,
3288 0xb6,0x3b,0x5e,0x16,0x81,0x77,0x04,0xda,0xf6,0xbe,0xae,0x80,0x95,0xfe,0xb0,
3289 0xcd,0x7f,0xd6,0xa7,0x1a,0x72,0x5c,0x3c,0xca,0xbc,0xf0,0x08,0xa3,0x22,0x30,
3290 0xb3,0x06,0x85,0xc9,0xb3,0x20,0x77,0x13,0x85,0xdf,0x02,0x03,0x01,0x00,0x01 };
3291 static BYTE msPubKey3[] = {
3292 0x30,0x82,0x02,0x0a,0x02,0x82,0x02,0x01,0x00,0xf3,0x5d,0xfa,0x80,0x67,0xd4,
3293 0x5a,0xa7,0xa9,0x0c,0x2c,0x90,0x20,0xd0,0x35,0x08,0x3c,0x75,0x84,0xcd,0xb7,
3294 0x07,0x89,0x9c,0x89,0xda,0xde,0xce,0xc3,0x60,0xfa,0x91,0x68,0x5a,0x9e,0x94,
3295 0x71,0x29,0x18,0x76,0x7c,0xc2,0xe0,0xc8,0x25,0x76,0x94,0x0e,0x58,0xfa,0x04,
3296 0x34,0x36,0xe6,0xdf,0xaf,0xf7,0x80,0xba,0xe9,0x58,0x0b,0x2b,0x93,0xe5,0x9d,
3297 0x05,0xe3,0x77,0x22,0x91,0xf7,0x34,0x64,0x3c,0x22,0x91,0x1d,0x5e,0xe1,0x09,
3298 0x90,0xbc,0x14,0xfe,0xfc,0x75,0x58,0x19,0xe1,0x79,0xb7,0x07,0x92,0xa3,0xae,
3299 0x88,0x59,0x08,0xd8,0x9f,0x07,0xca,0x03,0x58,0xfc,0x68,0x29,0x6d,0x32,0xd7,
3300 0xd2,0xa8,0xcb,0x4b,0xfc,0xe1,0x0b,0x48,0x32,0x4f,0xe6,0xeb,0xb8,0xad,0x4f,
3301 0xe4,0x5c,0x6f,0x13,0x94,0x99,0xdb,0x95,0xd5,0x75,0xdb,0xa8,0x1a,0xb7,0x94,
3302 0x91,0xb4,0x77,0x5b,0xf5,0x48,0x0c,0x8f,0x6a,0x79,0x7d,0x14,0x70,0x04,0x7d,
3303 0x6d,0xaf,0x90,0xf5,0xda,0x70,0xd8,0x47,0xb7,0xbf,0x9b,0x2f,0x6c,0xe7,0x05,
3304 0xb7,0xe1,0x11,0x60,0xac,0x79,0x91,0x14,0x7c,0xc5,0xd6,0xa6,0xe4,0xe1,0x7e,
3305 0xd5,0xc3,0x7e,0xe5,0x92,0xd2,0x3c,0x00,0xb5,0x36,0x82,0xde,0x79,0xe1,0x6d,
3306 0xf3,0xb5,0x6e,0xf8,0x9f,0x33,0xc9,0xcb,0x52,0x7d,0x73,0x98,0x36,0xdb,0x8b,
3307 0xa1,0x6b,0xa2,0x95,0x97,0x9b,0xa3,0xde,0xc2,0x4d,0x26,0xff,0x06,0x96,0x67,
3308 0x25,0x06,0xc8,0xe7,0xac,0xe4,0xee,0x12,0x33,0x95,0x31,0x99,0xc8,0x35,0x08,
3309 0x4e,0x34,0xca,0x79,0x53,0xd5,0xb5,0xbe,0x63,0x32,0x59,0x40,0x36,0xc0,0xa5,
3310 0x4e,0x04,0x4d,0x3d,0xdb,0x5b,0x07,0x33,0xe4,0x58,0xbf,0xef,0x3f,0x53,0x64,
3311 0xd8,0x42,0x59,0x35,0x57,0xfd,0x0f,0x45,0x7c,0x24,0x04,0x4d,0x9e,0xd6,0x38,
3312 0x74,0x11,0x97,0x22,0x90,0xce,0x68,0x44,0x74,0x92,0x6f,0xd5,0x4b,0x6f,0xb0,
3313 0x86,0xe3,0xc7,0x36,0x42,0xa0,0xd0,0xfc,0xc1,0xc0,0x5a,0xf9,0xa3,0x61,0xb9,
3314 0x30,0x47,0x71,0x96,0x0a,0x16,0xb0,0x91,0xc0,0x42,0x95,0xef,0x10,0x7f,0x28,
3315 0x6a,0xe3,0x2a,0x1f,0xb1,0xe4,0xcd,0x03,0x3f,0x77,0x71,0x04,0xc7,0x20,0xfc,
3316 0x49,0x0f,0x1d,0x45,0x88,0xa4,0xd7,0xcb,0x7e,0x88,0xad,0x8e,0x2d,0xec,0x45,
3317 0xdb,0xc4,0x51,0x04,0xc9,0x2a,0xfc,0xec,0x86,0x9e,0x9a,0x11,0x97,0x5b,0xde,
3318 0xce,0x53,0x88,0xe6,0xe2,0xb7,0xfd,0xac,0x95,0xc2,0x28,0x40,0xdb,0xef,0x04,
3319 0x90,0xdf,0x81,0x33,0x39,0xd9,0xb2,0x45,0xa5,0x23,0x87,0x06,0xa5,0x55,0x89,
3320 0x31,0xbb,0x06,0x2d,0x60,0x0e,0x41,0x18,0x7d,0x1f,0x2e,0xb5,0x97,0xcb,0x11,
3321 0xeb,0x15,0xd5,0x24,0xa5,0x94,0xef,0x15,0x14,0x89,0xfd,0x4b,0x73,0xfa,0x32,
3322 0x5b,0xfc,0xd1,0x33,0x00,0xf9,0x59,0x62,0x70,0x07,0x32,0xea,0x2e,0xab,0x40,
3323 0x2d,0x7b,0xca,0xdd,0x21,0x67,0x1b,0x30,0x99,0x8f,0x16,0xaa,0x23,0xa8,0x41,
3324 0xd1,0xb0,0x6e,0x11,0x9b,0x36,0xc4,0xde,0x40,0x74,0x9c,0xe1,0x58,0x65,0xc1,
3325 0x60,0x1e,0x7a,0x5b,0x38,0xc8,0x8f,0xbb,0x04,0x26,0x7c,0xd4,0x16,0x40,0xe5,
3326 0xb6,0x6b,0x6c,0xaa,0x86,0xfd,0x00,0xbf,0xce,0xc1,0x35,0x02,0x03,0x01,0x00,
3327 0x01 };
3328
3329 static BOOL WINAPI verify_ms_root_policy(LPCSTR szPolicyOID,
3330  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3331  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
3332 {
3333     BOOL ret = verify_base_policy(szPolicyOID, pChainContext, pPolicyPara,
3334      pPolicyStatus);
3335
3336     if (ret && !pPolicyStatus->dwError)
3337     {
3338         CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } };
3339         BOOL isMSRoot = FALSE;
3340         DWORD i;
3341         CRYPT_DATA_BLOB keyBlobs[] = {
3342          { sizeof(msPubKey1), msPubKey1 },
3343          { sizeof(msPubKey2), msPubKey2 },
3344          { sizeof(msPubKey3), msPubKey3 },
3345         };
3346         PCERT_SIMPLE_CHAIN rootChain =
3347          pChainContext->rgpChain[pChainContext->cChain -1 ];
3348         PCCERT_CONTEXT root =
3349          rootChain->rgpElement[rootChain->cElement - 1]->pCertContext;
3350
3351         for (i = 0; !isMSRoot && i < sizeof(keyBlobs) / sizeof(keyBlobs[0]);
3352          i++)
3353         {
3354             msPubKey.PublicKey.cbData = keyBlobs[i].cbData;
3355             msPubKey.PublicKey.pbData = keyBlobs[i].pbData;
3356             if (CertComparePublicKeyInfo(
3357              X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
3358              &root->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
3359                 isMSRoot = TRUE;
3360         }
3361         if (isMSRoot)
3362             pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = 0;
3363     }
3364     return ret;
3365 }
3366
3367 typedef BOOL (WINAPI *CertVerifyCertificateChainPolicyFunc)(LPCSTR szPolicyOID,
3368  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3369  PCERT_CHAIN_POLICY_STATUS pPolicyStatus);
3370
3371 BOOL WINAPI CertVerifyCertificateChainPolicy(LPCSTR szPolicyOID,
3372  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3373  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
3374 {
3375     static HCRYPTOIDFUNCSET set = NULL;
3376     BOOL ret = FALSE;
3377     CertVerifyCertificateChainPolicyFunc verifyPolicy = NULL;
3378     HCRYPTOIDFUNCADDR hFunc = NULL;
3379
3380     TRACE("(%s, %p, %p, %p)\n", debugstr_a(szPolicyOID), pChainContext,
3381      pPolicyPara, pPolicyStatus);
3382
3383     if (IS_INTOID(szPolicyOID))
3384     {
3385         switch (LOWORD(szPolicyOID))
3386         {
3387         case LOWORD(CERT_CHAIN_POLICY_BASE):
3388             verifyPolicy = verify_base_policy;
3389             break;
3390         case LOWORD(CERT_CHAIN_POLICY_AUTHENTICODE):
3391             verifyPolicy = verify_authenticode_policy;
3392             break;
3393         case LOWORD(CERT_CHAIN_POLICY_SSL):
3394             verifyPolicy = verify_ssl_policy;
3395             break;
3396         case LOWORD(CERT_CHAIN_POLICY_BASIC_CONSTRAINTS):
3397             verifyPolicy = verify_basic_constraints_policy;
3398             break;
3399         case LOWORD(CERT_CHAIN_POLICY_MICROSOFT_ROOT):
3400             verifyPolicy = verify_ms_root_policy;
3401             break;
3402         default:
3403             FIXME("unimplemented for %d\n", LOWORD(szPolicyOID));
3404         }
3405     }
3406     if (!verifyPolicy)
3407     {
3408         if (!set)
3409             set = CryptInitOIDFunctionSet(
3410              CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC, 0);
3411         CryptGetOIDFunctionAddress(set, X509_ASN_ENCODING, szPolicyOID, 0,
3412          (void **)&verifyPolicy, &hFunc);
3413     }
3414     if (verifyPolicy)
3415         ret = verifyPolicy(szPolicyOID, pChainContext, pPolicyPara,
3416          pPolicyStatus);
3417     if (hFunc)
3418         CryptFreeOIDFunctionAddress(hFunc, 0);
3419     TRACE("returning %d (%08x)\n", ret, pPolicyStatus->dwError);
3420     return ret;
3421 }