ntdll/tests: Add tests for RtlIpv4AddressToString / RtlIpv4AddressToStringEx.
[wine] / dlls / crypt32 / crl.c
1 /*
2  * Copyright 2006 Juan Lang
3  *
4  * This library is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * This library is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with this library; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
17  *
18  */
19
20 #include <assert.h>
21 #include <stdarg.h>
22 #define NONAMELESSUNION
23 #include "windef.h"
24 #include "winbase.h"
25 #include "wincrypt.h"
26 #include "wine/debug.h"
27 #include "wine/unicode.h"
28 #include "crypt32_private.h"
29
30 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
31
32 PCCRL_CONTEXT WINAPI CertCreateCRLContext(DWORD dwCertEncodingType,
33  const BYTE* pbCrlEncoded, DWORD cbCrlEncoded)
34 {
35     PCRL_CONTEXT crl = NULL;
36     BOOL ret;
37     PCRL_INFO crlInfo = NULL;
38     DWORD size = 0;
39
40     TRACE("(%08x, %p, %d)\n", dwCertEncodingType, pbCrlEncoded,
41      cbCrlEncoded);
42
43     if ((dwCertEncodingType & CERT_ENCODING_TYPE_MASK) != X509_ASN_ENCODING)
44     {
45         SetLastError(E_INVALIDARG);
46         return NULL;
47     }
48     ret = CryptDecodeObjectEx(dwCertEncodingType, X509_CERT_CRL_TO_BE_SIGNED,
49      pbCrlEncoded, cbCrlEncoded, CRYPT_DECODE_ALLOC_FLAG, NULL,
50      &crlInfo, &size);
51     if (ret)
52     {
53         BYTE *data = NULL;
54
55         crl = Context_CreateDataContext(sizeof(CRL_CONTEXT));
56         if (!crl)
57             goto end;
58         data = CryptMemAlloc(cbCrlEncoded);
59         if (!data)
60         {
61             CryptMemFree(crl);
62             crl = NULL;
63             goto end;
64         }
65         memcpy(data, pbCrlEncoded, cbCrlEncoded);
66         crl->dwCertEncodingType = dwCertEncodingType;
67         crl->pbCrlEncoded       = data;
68         crl->cbCrlEncoded       = cbCrlEncoded;
69         crl->pCrlInfo           = crlInfo;
70         crl->hCertStore         = 0;
71     }
72
73 end:
74     return crl;
75 }
76
77 BOOL WINAPI CertAddEncodedCRLToStore(HCERTSTORE hCertStore,
78  DWORD dwCertEncodingType, const BYTE *pbCrlEncoded, DWORD cbCrlEncoded,
79  DWORD dwAddDisposition, PCCRL_CONTEXT *ppCrlContext)
80 {
81     PCCRL_CONTEXT crl = CertCreateCRLContext(dwCertEncodingType,
82      pbCrlEncoded, cbCrlEncoded);
83     BOOL ret;
84
85     TRACE("(%p, %08x, %p, %d, %08x, %p)\n", hCertStore, dwCertEncodingType,
86      pbCrlEncoded, cbCrlEncoded, dwAddDisposition, ppCrlContext);
87
88     if (crl)
89     {
90         ret = CertAddCRLContextToStore(hCertStore, crl, dwAddDisposition,
91          ppCrlContext);
92         CertFreeCRLContext(crl);
93     }
94     else
95         ret = FALSE;
96     return ret;
97 }
98
99 typedef BOOL (*CrlCompareFunc)(PCCRL_CONTEXT pCrlContext, DWORD dwType,
100  DWORD dwFlags, const void *pvPara);
101
102 static BOOL compare_crl_any(PCCRL_CONTEXT pCrlContext, DWORD dwType,
103  DWORD dwFlags, const void *pvPara)
104 {
105     return TRUE;
106 }
107
108 static BOOL compare_crl_issued_by(PCCRL_CONTEXT pCrlContext, DWORD dwType,
109  DWORD dwFlags, const void *pvPara)
110 {
111     BOOL ret;
112
113     if (pvPara)
114     {
115         PCCERT_CONTEXT issuer = pvPara;
116
117         ret = CertCompareCertificateName(issuer->dwCertEncodingType,
118          &issuer->pCertInfo->Subject, &pCrlContext->pCrlInfo->Issuer);
119         if (ret && (dwFlags & CRL_FIND_ISSUED_BY_SIGNATURE_FLAG))
120             ret = CryptVerifyCertificateSignatureEx(0,
121              issuer->dwCertEncodingType,
122              CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL, (void *)pCrlContext,
123              CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)issuer, 0, NULL);
124         if (ret && (dwFlags & CRL_FIND_ISSUED_BY_AKI_FLAG))
125         {
126             PCERT_EXTENSION ext = CertFindExtension(
127              szOID_AUTHORITY_KEY_IDENTIFIER2, pCrlContext->pCrlInfo->cExtension,
128              pCrlContext->pCrlInfo->rgExtension);
129
130             if (ext)
131             {
132                 CERT_AUTHORITY_KEY_ID2_INFO *info;
133                 DWORD size;
134
135                 if ((ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
136                  X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
137                  CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)))
138                 {
139                     if (info->AuthorityCertIssuer.cAltEntry &&
140                      info->AuthorityCertSerialNumber.cbData)
141                     {
142                         PCERT_ALT_NAME_ENTRY directoryName = NULL;
143                         DWORD i;
144
145                         for (i = 0; !directoryName &&
146                          i < info->AuthorityCertIssuer.cAltEntry; i++)
147                             if (info->AuthorityCertIssuer.rgAltEntry[i].
148                              dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
149                                 directoryName =
150                                  &info->AuthorityCertIssuer.rgAltEntry[i];
151                         if (directoryName)
152                         {
153                             ret = CertCompareCertificateName(
154                              issuer->dwCertEncodingType,
155                              &issuer->pCertInfo->Subject,
156                              &directoryName->u.DirectoryName);
157                             if (ret)
158                                 ret = CertCompareIntegerBlob(
159                                  &issuer->pCertInfo->SerialNumber,
160                                  &info->AuthorityCertSerialNumber);
161                         }
162                         else
163                         {
164                             FIXME("no supported name type in authority key id2\n");
165                             ret = FALSE;
166                         }
167                     }
168                     else if (info->KeyId.cbData)
169                     {
170                         DWORD size;
171
172                         ret = CertGetCertificateContextProperty(issuer,
173                          CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
174                         if (ret && size == info->KeyId.cbData)
175                         {
176                             LPBYTE buf = CryptMemAlloc(size);
177
178                             if (buf)
179                             {
180                                 CertGetCertificateContextProperty(issuer,
181                                  CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
182                                 ret = !memcmp(buf, info->KeyId.pbData, size);
183                                 CryptMemFree(buf);
184                             }
185                             else
186                                 ret = FALSE;
187                         }
188                         else
189                             ret = FALSE;
190                     }
191                     else
192                     {
193                         FIXME("unsupported value for AKI extension\n");
194                         ret = FALSE;
195                     }
196                     LocalFree(info);
197                 }
198             }
199             /* else: a CRL without an AKI matches any cert */
200         }
201     }
202     else
203         ret = TRUE;
204     return ret;
205 }
206
207 static BOOL compare_crl_existing(PCCRL_CONTEXT pCrlContext, DWORD dwType,
208  DWORD dwFlags, const void *pvPara)
209 {
210     BOOL ret;
211
212     if (pvPara)
213     {
214         PCCRL_CONTEXT crl = pvPara;
215
216         ret = CertCompareCertificateName(pCrlContext->dwCertEncodingType,
217          &pCrlContext->pCrlInfo->Issuer, &crl->pCrlInfo->Issuer);
218     }
219     else
220         ret = TRUE;
221     return ret;
222 }
223
224 static BOOL compare_crl_issued_for(PCCRL_CONTEXT pCrlContext, DWORD dwType,
225  DWORD dwFlags, const void *pvPara)
226 {
227     const CRL_FIND_ISSUED_FOR_PARA *para = pvPara;
228     BOOL ret;
229
230     ret = CertCompareCertificateName(para->pIssuerCert->dwCertEncodingType,
231      &para->pIssuerCert->pCertInfo->Issuer, &pCrlContext->pCrlInfo->Issuer);
232     return ret;
233 }
234
235 PCCRL_CONTEXT WINAPI CertFindCRLInStore(HCERTSTORE hCertStore,
236  DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType,
237  const void *pvFindPara, PCCRL_CONTEXT pPrevCrlContext)
238 {
239     PCCRL_CONTEXT ret;
240     CrlCompareFunc compare;
241
242     TRACE("(%p, %d, %d, %d, %p, %p)\n", hCertStore, dwCertEncodingType,
243          dwFindFlags, dwFindType, pvFindPara, pPrevCrlContext);
244
245     switch (dwFindType)
246     {
247     case CRL_FIND_ANY:
248         compare = compare_crl_any;
249         break;
250     case CRL_FIND_ISSUED_BY:
251         compare = compare_crl_issued_by;
252         break;
253     case CRL_FIND_EXISTING:
254         compare = compare_crl_existing;
255         break;
256     case CRL_FIND_ISSUED_FOR:
257         compare = compare_crl_issued_for;
258         break;
259     default:
260         FIXME("find type %08x unimplemented\n", dwFindType);
261         compare = NULL;
262     }
263
264     if (compare)
265     {
266         BOOL matches = FALSE;
267
268         ret = pPrevCrlContext;
269         do {
270             ret = CertEnumCRLsInStore(hCertStore, ret);
271             if (ret)
272                 matches = compare(ret, dwFindType, dwFindFlags, pvFindPara);
273         } while (ret != NULL && !matches);
274         if (!ret)
275             SetLastError(CRYPT_E_NOT_FOUND);
276     }
277     else
278     {
279         SetLastError(CRYPT_E_NOT_FOUND);
280         ret = NULL;
281     }
282     return ret;
283 }
284
285 PCCRL_CONTEXT WINAPI CertGetCRLFromStore(HCERTSTORE hCertStore,
286  PCCERT_CONTEXT pIssuerContext, PCCRL_CONTEXT pPrevCrlContext, DWORD *pdwFlags)
287 {
288     static const DWORD supportedFlags = CERT_STORE_SIGNATURE_FLAG |
289      CERT_STORE_TIME_VALIDITY_FLAG | CERT_STORE_BASE_CRL_FLAG |
290      CERT_STORE_DELTA_CRL_FLAG;
291     PCCRL_CONTEXT ret;
292
293     TRACE("(%p, %p, %p, %08x)\n", hCertStore, pIssuerContext, pPrevCrlContext,
294      *pdwFlags);
295
296     if (*pdwFlags & ~supportedFlags)
297     {
298         SetLastError(E_INVALIDARG);
299         return NULL;
300     }
301     if (pIssuerContext)
302         ret = CertFindCRLInStore(hCertStore, pIssuerContext->dwCertEncodingType,
303          0, CRL_FIND_ISSUED_BY, pIssuerContext, pPrevCrlContext);
304     else
305         ret = CertFindCRLInStore(hCertStore, 0, 0, CRL_FIND_ANY, NULL,
306          pPrevCrlContext);
307     if (ret)
308     {
309         if (*pdwFlags & CERT_STORE_TIME_VALIDITY_FLAG)
310         {
311             if (0 == CertVerifyCRLTimeValidity(NULL, ret->pCrlInfo))
312                 *pdwFlags &= ~CERT_STORE_TIME_VALIDITY_FLAG;
313         }
314         if (*pdwFlags & CERT_STORE_SIGNATURE_FLAG)
315         {
316             if (CryptVerifyCertificateSignatureEx(0, ret->dwCertEncodingType,
317              CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL, (void *)ret,
318              CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)pIssuerContext, 0,
319              NULL))
320                 *pdwFlags &= ~CERT_STORE_SIGNATURE_FLAG;
321         }
322     }
323     return ret;
324 }
325
326 PCCRL_CONTEXT WINAPI CertDuplicateCRLContext(PCCRL_CONTEXT pCrlContext)
327 {
328     TRACE("(%p)\n", pCrlContext);
329     if (pCrlContext)
330         Context_AddRef((void *)pCrlContext, sizeof(CRL_CONTEXT));
331     return pCrlContext;
332 }
333
334 static void CrlDataContext_Free(void *context)
335 {
336     PCRL_CONTEXT crlContext = context;
337
338     CryptMemFree(crlContext->pbCrlEncoded);
339     LocalFree(crlContext->pCrlInfo);
340 }
341
342 BOOL WINAPI CertFreeCRLContext( PCCRL_CONTEXT pCrlContext)
343 {
344     BOOL ret = TRUE;
345
346     TRACE("(%p)\n", pCrlContext);
347
348     if (pCrlContext)
349         ret = Context_Release((void *)pCrlContext, sizeof(CRL_CONTEXT),
350          CrlDataContext_Free);
351     return ret;
352 }
353
354 DWORD WINAPI CertEnumCRLContextProperties(PCCRL_CONTEXT pCRLContext,
355  DWORD dwPropId)
356 {
357     PCONTEXT_PROPERTY_LIST properties = Context_GetProperties(
358      pCRLContext, sizeof(CRL_CONTEXT));
359     DWORD ret;
360
361     TRACE("(%p, %d)\n", pCRLContext, dwPropId);
362
363     if (properties)
364         ret = ContextPropertyList_EnumPropIDs(properties, dwPropId);
365     else
366         ret = 0;
367     return ret;
368 }
369
370 static BOOL CRLContext_SetProperty(PCCRL_CONTEXT context, DWORD dwPropId,
371                                    DWORD dwFlags, const void *pvData);
372
373 static BOOL CRLContext_GetHashProp(PCCRL_CONTEXT context, DWORD dwPropId,
374  ALG_ID algID, const BYTE *toHash, DWORD toHashLen, void *pvData,
375  DWORD *pcbData)
376 {
377     BOOL ret = CryptHashCertificate(0, algID, 0, toHash, toHashLen, pvData,
378      pcbData);
379     if (ret && pvData)
380     {
381         CRYPT_DATA_BLOB blob = { *pcbData, pvData };
382
383         ret = CRLContext_SetProperty(context, dwPropId, 0, &blob);
384     }
385     return ret;
386 }
387
388 static BOOL CRLContext_GetProperty(PCCRL_CONTEXT context, DWORD dwPropId,
389                                    void *pvData, DWORD *pcbData)
390 {
391     PCONTEXT_PROPERTY_LIST properties =
392      Context_GetProperties(context, sizeof(CRL_CONTEXT));
393     BOOL ret;
394     CRYPT_DATA_BLOB blob;
395
396     TRACE("(%p, %d, %p, %p)\n", context, dwPropId, pvData, pcbData);
397
398     if (properties)
399         ret = ContextPropertyList_FindProperty(properties, dwPropId, &blob);
400     else
401         ret = FALSE;
402     if (ret)
403     {
404         if (!pvData)
405             *pcbData = blob.cbData;
406         else if (*pcbData < blob.cbData)
407         {
408             SetLastError(ERROR_MORE_DATA);
409             *pcbData = blob.cbData;
410             ret = FALSE;
411         }
412         else
413         {
414             memcpy(pvData, blob.pbData, blob.cbData);
415             *pcbData = blob.cbData;
416         }
417     }
418     else
419     {
420         /* Implicit properties */
421         switch (dwPropId)
422         {
423         case CERT_SHA1_HASH_PROP_ID:
424             ret = CRLContext_GetHashProp(context, dwPropId, CALG_SHA1,
425                                          context->pbCrlEncoded, context->cbCrlEncoded, pvData,
426              pcbData);
427             break;
428         case CERT_MD5_HASH_PROP_ID:
429             ret = CRLContext_GetHashProp(context, dwPropId, CALG_MD5,
430                                          context->pbCrlEncoded, context->cbCrlEncoded, pvData,
431              pcbData);
432             break;
433         default:
434             SetLastError(CRYPT_E_NOT_FOUND);
435         }
436     }
437     TRACE("returning %d\n", ret);
438     return ret;
439 }
440
441 BOOL WINAPI CertGetCRLContextProperty(PCCRL_CONTEXT pCRLContext,
442  DWORD dwPropId, void *pvData, DWORD *pcbData)
443 {
444     BOOL ret;
445
446     TRACE("(%p, %d, %p, %p)\n", pCRLContext, dwPropId, pvData, pcbData);
447
448     switch (dwPropId)
449     {
450     case 0:
451     case CERT_CERT_PROP_ID:
452     case CERT_CRL_PROP_ID:
453     case CERT_CTL_PROP_ID:
454         SetLastError(E_INVALIDARG);
455         ret = FALSE;
456         break;
457     case CERT_ACCESS_STATE_PROP_ID:
458         if (!pvData)
459         {
460             *pcbData = sizeof(DWORD);
461             ret = TRUE;
462         }
463         else if (*pcbData < sizeof(DWORD))
464         {
465             SetLastError(ERROR_MORE_DATA);
466             *pcbData = sizeof(DWORD);
467             ret = FALSE;
468         }
469         else
470         {
471             if (pCRLContext->hCertStore)
472                 ret = CertGetStoreProperty(pCRLContext->hCertStore, dwPropId,
473                  pvData, pcbData);
474             else
475                 *(DWORD *)pvData = 0;
476             ret = TRUE;
477         }
478         break;
479     default:
480         ret = CRLContext_GetProperty(pCRLContext, dwPropId, pvData,
481          pcbData);
482     }
483     return ret;
484 }
485
486 static BOOL CRLContext_SetProperty(PCCRL_CONTEXT context, DWORD dwPropId,
487  DWORD dwFlags, const void *pvData)
488 {
489     PCONTEXT_PROPERTY_LIST properties =
490      Context_GetProperties(context, sizeof(CRL_CONTEXT));
491     BOOL ret;
492
493     TRACE("(%p, %d, %08x, %p)\n", context, dwPropId, dwFlags, pvData);
494
495     if (!properties)
496         ret = FALSE;
497     else if (!pvData)
498     {
499         ContextPropertyList_RemoveProperty(properties, dwPropId);
500         ret = TRUE;
501     }
502     else
503     {
504         switch (dwPropId)
505         {
506         case CERT_AUTO_ENROLL_PROP_ID:
507         case CERT_CTL_USAGE_PROP_ID: /* same as CERT_ENHKEY_USAGE_PROP_ID */
508         case CERT_DESCRIPTION_PROP_ID:
509         case CERT_FRIENDLY_NAME_PROP_ID:
510         case CERT_HASH_PROP_ID:
511         case CERT_KEY_IDENTIFIER_PROP_ID:
512         case CERT_MD5_HASH_PROP_ID:
513         case CERT_NEXT_UPDATE_LOCATION_PROP_ID:
514         case CERT_PUBKEY_ALG_PARA_PROP_ID:
515         case CERT_PVK_FILE_PROP_ID:
516         case CERT_SIGNATURE_HASH_PROP_ID:
517         case CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID:
518         case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID:
519         case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID:
520         case CERT_ENROLLMENT_PROP_ID:
521         case CERT_CROSS_CERT_DIST_POINTS_PROP_ID:
522         case CERT_RENEWAL_PROP_ID:
523         {
524             PCRYPT_DATA_BLOB blob = (PCRYPT_DATA_BLOB)pvData;
525
526             ret = ContextPropertyList_SetProperty(properties, dwPropId,
527              blob->pbData, blob->cbData);
528             break;
529         }
530         case CERT_DATE_STAMP_PROP_ID:
531             ret = ContextPropertyList_SetProperty(properties, dwPropId,
532              pvData, sizeof(FILETIME));
533             break;
534         default:
535             FIXME("%d: stub\n", dwPropId);
536             ret = FALSE;
537         }
538     }
539     TRACE("returning %d\n", ret);
540     return ret;
541 }
542
543 BOOL WINAPI CertSetCRLContextProperty(PCCRL_CONTEXT pCRLContext,
544  DWORD dwPropId, DWORD dwFlags, const void *pvData)
545 {
546     BOOL ret;
547
548     TRACE("(%p, %d, %08x, %p)\n", pCRLContext, dwPropId, dwFlags, pvData);
549
550     /* Handle special cases for "read-only"/invalid prop IDs.  Windows just
551      * crashes on most of these, I'll be safer.
552      */
553     switch (dwPropId)
554     {
555     case 0:
556     case CERT_ACCESS_STATE_PROP_ID:
557     case CERT_CERT_PROP_ID:
558     case CERT_CRL_PROP_ID:
559     case CERT_CTL_PROP_ID:
560         SetLastError(E_INVALIDARG);
561         return FALSE;
562     }
563     ret = CRLContext_SetProperty(pCRLContext, dwPropId, dwFlags, pvData);
564     TRACE("returning %d\n", ret);
565     return ret;
566 }
567
568 static BOOL compare_dist_point_name(const CRL_DIST_POINT_NAME *name1,
569  const CRL_DIST_POINT_NAME *name2)
570 {
571     BOOL match;
572
573     if (name1->dwDistPointNameChoice == name2->dwDistPointNameChoice)
574     {
575         match = TRUE;
576         if (name1->dwDistPointNameChoice == CRL_DIST_POINT_FULL_NAME)
577         {
578             if (name1->u.FullName.cAltEntry == name2->u.FullName.cAltEntry)
579             {
580                 DWORD i;
581
582                 for (i = 0; match && i < name1->u.FullName.cAltEntry; i++)
583                 {
584                     const CERT_ALT_NAME_ENTRY *entry1 =
585                      &name1->u.FullName.rgAltEntry[i];
586                     const CERT_ALT_NAME_ENTRY *entry2 =
587                      &name2->u.FullName.rgAltEntry[i];
588
589                     if (entry1->dwAltNameChoice == entry2->dwAltNameChoice)
590                     {
591                         switch (entry1->dwAltNameChoice)
592                         {
593                         case CERT_ALT_NAME_URL:
594                             match = !strcmpiW(entry1->u.pwszURL,
595                              entry2->u.pwszURL);
596                             break;
597                         case CERT_ALT_NAME_DIRECTORY_NAME:
598                             match = (entry1->u.DirectoryName.cbData ==
599                              entry2->u.DirectoryName.cbData) &&
600                              !memcmp(entry1->u.DirectoryName.pbData,
601                              entry2->u.DirectoryName.pbData,
602                              entry1->u.DirectoryName.cbData);
603                             break;
604                         default:
605                             FIXME("unimplemented for type %d\n",
606                              entry1->dwAltNameChoice);
607                             match = FALSE;
608                         }
609                     }
610                     else
611                         match = FALSE;
612                 }
613             }
614             else
615                 match = FALSE;
616         }
617     }
618     else
619         match = FALSE;
620     return match;
621 }
622
623 static BOOL match_dist_point_with_issuing_dist_point(
624  const CRL_DIST_POINT *distPoint, const CRL_ISSUING_DIST_POINT *idp)
625 {
626     BOOL match;
627
628     /* While RFC 5280, section 4.2.1.13 recommends against segmenting
629      * CRL distribution points by reasons, it doesn't preclude doing so.
630      * "This profile RECOMMENDS against segmenting CRLs by reason code."
631      * If the issuing distribution point for this CRL is only valid for
632      * some reasons, only match if the reasons covered also match the
633      * reasons in the CRL distribution point.
634      */
635     if (idp->OnlySomeReasonFlags.cbData)
636     {
637         if (idp->OnlySomeReasonFlags.cbData == distPoint->ReasonFlags.cbData)
638         {
639             DWORD i;
640
641             match = TRUE;
642             for (i = 0; match && i < distPoint->ReasonFlags.cbData; i++)
643                 if (idp->OnlySomeReasonFlags.pbData[i] !=
644                  distPoint->ReasonFlags.pbData[i])
645                     match = FALSE;
646         }
647         else
648             match = FALSE;
649     }
650     else
651         match = TRUE;
652     if (match)
653         match = compare_dist_point_name(&idp->DistPointName,
654          &distPoint->DistPointName);
655     return match;
656 }
657
658 BOOL WINAPI CertIsValidCRLForCertificate(PCCERT_CONTEXT pCert,
659  PCCRL_CONTEXT pCrl, DWORD dwFlags, void *pvReserved)
660 {
661     PCERT_EXTENSION ext;
662     BOOL ret;
663
664     TRACE("(%p, %p, %08x, %p)\n", pCert, pCrl, dwFlags, pvReserved);
665
666     if (!pCert)
667         return TRUE;
668
669     if ((ext = CertFindExtension(szOID_ISSUING_DIST_POINT,
670      pCrl->pCrlInfo->cExtension, pCrl->pCrlInfo->rgExtension)))
671     {
672         CRL_ISSUING_DIST_POINT *idp;
673         DWORD size;
674
675         if ((ret = CryptDecodeObjectEx(pCrl->dwCertEncodingType,
676          X509_ISSUING_DIST_POINT, ext->Value.pbData, ext->Value.cbData,
677          CRYPT_DECODE_ALLOC_FLAG, NULL, &idp, &size)))
678         {
679             if ((ext = CertFindExtension(szOID_CRL_DIST_POINTS,
680              pCert->pCertInfo->cExtension, pCert->pCertInfo->rgExtension)))
681             {
682                 CRL_DIST_POINTS_INFO *distPoints;
683
684                 if ((ret = CryptDecodeObjectEx(pCert->dwCertEncodingType,
685                  X509_CRL_DIST_POINTS, ext->Value.pbData, ext->Value.cbData,
686                  CRYPT_DECODE_ALLOC_FLAG, NULL, &distPoints, &size)))
687                 {
688                     DWORD i;
689
690                     ret = FALSE;
691                     for (i = 0; !ret && i < distPoints->cDistPoint; i++)
692                         ret = match_dist_point_with_issuing_dist_point(
693                          &distPoints->rgDistPoint[i], idp);
694                     if (!ret)
695                         SetLastError(CRYPT_E_NO_MATCH);
696                     LocalFree(distPoints);
697                 }
698             }
699             else
700             {
701                 /* no CRL dist points extension in cert, can't match the CRL
702                  * (which has an issuing dist point extension)
703                  */
704                 ret = FALSE;
705                 SetLastError(CRYPT_E_NO_MATCH);
706             }
707             LocalFree(idp);
708         }
709     }
710     else
711         ret = TRUE;
712     return ret;
713 }
714
715 static PCRL_ENTRY CRYPT_FindCertificateInCRL(PCERT_INFO cert, const CRL_INFO *crl)
716 {
717     DWORD i;
718     PCRL_ENTRY entry = NULL;
719
720     for (i = 0; !entry && i < crl->cCRLEntry; i++)
721         if (CertCompareIntegerBlob(&crl->rgCRLEntry[i].SerialNumber,
722          &cert->SerialNumber))
723             entry = &crl->rgCRLEntry[i];
724     return entry;
725 }
726
727 BOOL WINAPI CertFindCertificateInCRL(PCCERT_CONTEXT pCert,
728  PCCRL_CONTEXT pCrlContext, DWORD dwFlags, void *pvReserved,
729  PCRL_ENTRY *ppCrlEntry)
730 {
731     TRACE("(%p, %p, %08x, %p, %p)\n", pCert, pCrlContext, dwFlags, pvReserved,
732      ppCrlEntry);
733
734     *ppCrlEntry = CRYPT_FindCertificateInCRL(pCert->pCertInfo,
735      pCrlContext->pCrlInfo);
736     return TRUE;
737 }
738
739 BOOL WINAPI CertVerifyCRLRevocation(DWORD dwCertEncodingType,
740  PCERT_INFO pCertId, DWORD cCrlInfo, PCRL_INFO rgpCrlInfo[])
741 {
742     DWORD i;
743     PCRL_ENTRY entry = NULL;
744
745     TRACE("(%08x, %p, %d, %p)\n", dwCertEncodingType, pCertId, cCrlInfo,
746      rgpCrlInfo);
747
748     for (i = 0; !entry && i < cCrlInfo; i++)
749         entry = CRYPT_FindCertificateInCRL(pCertId, rgpCrlInfo[i]);
750     return entry == NULL;
751 }
752
753 LONG WINAPI CertVerifyCRLTimeValidity(LPFILETIME pTimeToVerify,
754  PCRL_INFO pCrlInfo)
755 {
756     FILETIME fileTime;
757     LONG ret;
758
759     if (!pTimeToVerify)
760     {
761         GetSystemTimeAsFileTime(&fileTime);
762         pTimeToVerify = &fileTime;
763     }
764     if ((ret = CompareFileTime(pTimeToVerify, &pCrlInfo->ThisUpdate)) >= 0)
765     {
766         ret = CompareFileTime(pTimeToVerify, &pCrlInfo->NextUpdate);
767         if (ret < 0)
768             ret = 0;
769     }
770     return ret;
771 }