dbghelp: Extend dwarf stack unwinding by reading information out of .debug_frame...
[wine] / dlls / crypt32 / chain.c
1 /*
2  * Copyright 2006 Juan Lang
3  *
4  * This library is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * This library is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with this library; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
17  *
18  */
19 #include <stdarg.h>
20 #define NONAMELESSUNION
21 #include "windef.h"
22 #include "winbase.h"
23 #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
24 #define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
25 #include "wincrypt.h"
26 #include "wine/debug.h"
27 #include "wine/unicode.h"
28 #include "crypt32_private.h"
29
30 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
31 WINE_DECLARE_DEBUG_CHANNEL(chain);
32
33 #define DEFAULT_CYCLE_MODULUS 7
34
35 static HCERTCHAINENGINE CRYPT_defaultChainEngine;
36
37 /* This represents a subset of a certificate chain engine:  it doesn't include
38  * the "hOther" store described by MSDN, because I'm not sure how that's used.
39  * It also doesn't include the "hTrust" store, because I don't yet implement
40  * CTLs or complex certificate chains.
41  */
42 typedef struct _CertificateChainEngine
43 {
44     LONG       ref;
45     HCERTSTORE hRoot;
46     HCERTSTORE hWorld;
47     DWORD      dwFlags;
48     DWORD      dwUrlRetrievalTimeout;
49     DWORD      MaximumCachedCertificates;
50     DWORD      CycleDetectionModulus;
51 } CertificateChainEngine, *PCertificateChainEngine;
52
53 static inline void CRYPT_AddStoresToCollection(HCERTSTORE collection,
54  DWORD cStores, HCERTSTORE *stores)
55 {
56     DWORD i;
57
58     for (i = 0; i < cStores; i++)
59         CertAddStoreToCollection(collection, stores[i], 0, 0);
60 }
61
62 static inline void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores)
63 {
64     DWORD i;
65
66     for (i = 0; i < cStores; i++)
67         CertCloseStore(stores[i], 0);
68 }
69
70 static const WCHAR rootW[] = { 'R','o','o','t',0 };
71
72 /* Finds cert in store by comparing the cert's hashes. */
73 static PCCERT_CONTEXT CRYPT_FindCertInStore(HCERTSTORE store,
74  PCCERT_CONTEXT cert)
75 {
76     PCCERT_CONTEXT matching = NULL;
77     BYTE hash[20];
78     DWORD size = sizeof(hash);
79
80     if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID, hash, &size))
81     {
82         CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
83
84         matching = CertFindCertificateInStore(store, cert->dwCertEncodingType,
85          0, CERT_FIND_SHA1_HASH, &blob, NULL);
86     }
87     return matching;
88 }
89
90 static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store)
91 {
92     BOOL ret = TRUE;
93
94     if (store)
95     {
96         HCERTSTORE rootStore = CertOpenSystemStoreW(0, rootW);
97         PCCERT_CONTEXT cert = NULL, check;
98
99         do {
100             cert = CertEnumCertificatesInStore(store, cert);
101             if (cert)
102             {
103                 if (!(check = CRYPT_FindCertInStore(rootStore, cert)))
104                     ret = FALSE;
105                 else
106                     CertFreeCertificateContext(check);
107             }
108         } while (ret && cert);
109         if (cert)
110             CertFreeCertificateContext(cert);
111         CertCloseStore(rootStore, 0);
112     }
113     return ret;
114 }
115
116 HCERTCHAINENGINE CRYPT_CreateChainEngine(HCERTSTORE root,
117  PCERT_CHAIN_ENGINE_CONFIG pConfig)
118 {
119     static const WCHAR caW[] = { 'C','A',0 };
120     static const WCHAR myW[] = { 'M','y',0 };
121     static const WCHAR trustW[] = { 'T','r','u','s','t',0 };
122     PCertificateChainEngine engine =
123      CryptMemAlloc(sizeof(CertificateChainEngine));
124
125     if (engine)
126     {
127         HCERTSTORE worldStores[4];
128
129         engine->ref = 1;
130         engine->hRoot = root;
131         engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
132          CERT_STORE_CREATE_NEW_FLAG, NULL);
133         worldStores[0] = CertDuplicateStore(engine->hRoot);
134         worldStores[1] = CertOpenSystemStoreW(0, caW);
135         worldStores[2] = CertOpenSystemStoreW(0, myW);
136         worldStores[3] = CertOpenSystemStoreW(0, trustW);
137         CRYPT_AddStoresToCollection(engine->hWorld,
138          sizeof(worldStores) / sizeof(worldStores[0]), worldStores);
139         CRYPT_AddStoresToCollection(engine->hWorld,
140          pConfig->cAdditionalStore, pConfig->rghAdditionalStore);
141         CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]),
142          worldStores);
143         engine->dwFlags = pConfig->dwFlags;
144         engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout;
145         engine->MaximumCachedCertificates =
146          pConfig->MaximumCachedCertificates;
147         if (pConfig->CycleDetectionModulus)
148             engine->CycleDetectionModulus = pConfig->CycleDetectionModulus;
149         else
150             engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS;
151     }
152     return engine;
153 }
154
155 BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
156  HCERTCHAINENGINE *phChainEngine)
157 {
158     BOOL ret;
159
160     TRACE("(%p, %p)\n", pConfig, phChainEngine);
161
162     if (pConfig->cbSize != sizeof(*pConfig))
163     {
164         SetLastError(E_INVALIDARG);
165         return FALSE;
166     }
167     *phChainEngine = NULL;
168     ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot);
169     if (ret)
170     {
171         HCERTSTORE root;
172         HCERTCHAINENGINE engine;
173
174         if (pConfig->hRestrictedRoot)
175             root = CertDuplicateStore(pConfig->hRestrictedRoot);
176         else
177             root = CertOpenSystemStoreW(0, rootW);
178         engine = CRYPT_CreateChainEngine(root, pConfig);
179         if (engine)
180         {
181             *phChainEngine = engine;
182             ret = TRUE;
183         }
184         else
185             ret = FALSE;
186     }
187     return ret;
188 }
189
190 VOID WINAPI CertFreeCertificateChainEngine(HCERTCHAINENGINE hChainEngine)
191 {
192     PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
193
194     TRACE("(%p)\n", hChainEngine);
195
196     if (engine && InterlockedDecrement(&engine->ref) == 0)
197     {
198         CertCloseStore(engine->hWorld, 0);
199         CertCloseStore(engine->hRoot, 0);
200         CryptMemFree(engine);
201     }
202 }
203
204 static HCERTCHAINENGINE CRYPT_GetDefaultChainEngine(void)
205 {
206     if (!CRYPT_defaultChainEngine)
207     {
208         CERT_CHAIN_ENGINE_CONFIG config = { 0 };
209         HCERTCHAINENGINE engine;
210
211         config.cbSize = sizeof(config);
212         CertCreateCertificateChainEngine(&config, &engine);
213         InterlockedCompareExchangePointer(&CRYPT_defaultChainEngine, engine,
214          NULL);
215         if (CRYPT_defaultChainEngine != engine)
216             CertFreeCertificateChainEngine(engine);
217     }
218     return CRYPT_defaultChainEngine;
219 }
220
221 void default_chain_engine_free(void)
222 {
223     CertFreeCertificateChainEngine(CRYPT_defaultChainEngine);
224 }
225
226 typedef struct _CertificateChain
227 {
228     CERT_CHAIN_CONTEXT context;
229     HCERTSTORE world;
230     LONG ref;
231 } CertificateChain, *PCertificateChain;
232
233 static BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
234 {
235     PCERT_EXTENSION ext;
236     DWORD size;
237     BOOL ret;
238
239     if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
240      cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
241     {
242         CERT_AUTHORITY_KEY_ID2_INFO *info;
243
244         ret = CryptDecodeObjectEx(cert->dwCertEncodingType,
245          X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
246          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
247          &info, &size);
248         if (ret)
249         {
250             if (info->AuthorityCertIssuer.cAltEntry &&
251              info->AuthorityCertSerialNumber.cbData)
252             {
253                 PCERT_ALT_NAME_ENTRY directoryName = NULL;
254                 DWORD i;
255
256                 for (i = 0; !directoryName &&
257                  i < info->AuthorityCertIssuer.cAltEntry; i++)
258                     if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
259                      == CERT_ALT_NAME_DIRECTORY_NAME)
260                         directoryName =
261                          &info->AuthorityCertIssuer.rgAltEntry[i];
262                 if (directoryName)
263                 {
264                     ret = CertCompareCertificateName(cert->dwCertEncodingType,
265                      &directoryName->u.DirectoryName, &cert->pCertInfo->Issuer)
266                      && CertCompareIntegerBlob(&info->AuthorityCertSerialNumber,
267                      &cert->pCertInfo->SerialNumber);
268                 }
269                 else
270                 {
271                     FIXME("no supported name type in authority key id2\n");
272                     ret = FALSE;
273                 }
274             }
275             else if (info->KeyId.cbData)
276             {
277                 ret = CertGetCertificateContextProperty(cert,
278                  CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
279                 if (ret && size == info->KeyId.cbData)
280                 {
281                     LPBYTE buf = CryptMemAlloc(size);
282
283                     if (buf)
284                     {
285                         CertGetCertificateContextProperty(cert,
286                          CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
287                         ret = !memcmp(buf, info->KeyId.pbData, size);
288                         CryptMemFree(buf);
289                     }
290                 }
291                 else
292                     ret = FALSE;
293             }
294             LocalFree(info);
295         }
296     }
297     else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
298      cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension)))
299     {
300         CERT_AUTHORITY_KEY_ID_INFO *info;
301
302         ret = CryptDecodeObjectEx(cert->dwCertEncodingType,
303          X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
304          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
305          &info, &size);
306         if (ret)
307         {
308             if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
309             {
310                 ret = CertCompareCertificateName(cert->dwCertEncodingType,
311                  &info->CertIssuer, &cert->pCertInfo->Issuer) &&
312                  CertCompareIntegerBlob(&info->CertSerialNumber,
313                  &cert->pCertInfo->SerialNumber);
314             }
315             else if (info->KeyId.cbData)
316             {
317                 ret = CertGetCertificateContextProperty(cert,
318                  CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
319                 if (ret && size == info->KeyId.cbData)
320                 {
321                     LPBYTE buf = CryptMemAlloc(size);
322
323                     if (buf)
324                     {
325                         CertGetCertificateContextProperty(cert,
326                          CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
327                         ret = !memcmp(buf, info->KeyId.pbData, size);
328                         CryptMemFree(buf);
329                     }
330                     else
331                         ret = FALSE;
332                 }
333                 else
334                     ret = FALSE;
335             }
336             else
337                 ret = FALSE;
338             LocalFree(info);
339         }
340     }
341     else
342         ret = CertCompareCertificateName(cert->dwCertEncodingType,
343          &cert->pCertInfo->Subject, &cert->pCertInfo->Issuer);
344     return ret;
345 }
346
347 static void CRYPT_FreeChainElement(PCERT_CHAIN_ELEMENT element)
348 {
349     CertFreeCertificateContext(element->pCertContext);
350     CryptMemFree(element);
351 }
352
353 static void CRYPT_CheckSimpleChainForCycles(PCERT_SIMPLE_CHAIN chain)
354 {
355     DWORD i, j, cyclicCertIndex = 0;
356
357     /* O(n^2) - I don't think there's a faster way */
358     for (i = 0; !cyclicCertIndex && i < chain->cElement; i++)
359         for (j = i + 1; !cyclicCertIndex && j < chain->cElement; j++)
360             if (CertCompareCertificate(X509_ASN_ENCODING,
361              chain->rgpElement[i]->pCertContext->pCertInfo,
362              chain->rgpElement[j]->pCertContext->pCertInfo))
363                 cyclicCertIndex = j;
364     if (cyclicCertIndex)
365     {
366         chain->rgpElement[cyclicCertIndex]->TrustStatus.dwErrorStatus
367          |= CERT_TRUST_IS_CYCLIC | CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
368         /* Release remaining certs */
369         for (i = cyclicCertIndex + 1; i < chain->cElement; i++)
370             CRYPT_FreeChainElement(chain->rgpElement[i]);
371         /* Truncate chain */
372         chain->cElement = cyclicCertIndex + 1;
373     }
374 }
375
376 /* Checks whether the chain is cyclic by examining the last element's status */
377 static inline BOOL CRYPT_IsSimpleChainCyclic(const CERT_SIMPLE_CHAIN *chain)
378 {
379     if (chain->cElement)
380         return chain->rgpElement[chain->cElement - 1]->TrustStatus.dwErrorStatus
381          & CERT_TRUST_IS_CYCLIC;
382     else
383         return FALSE;
384 }
385
386 static inline void CRYPT_CombineTrustStatus(CERT_TRUST_STATUS *chainStatus,
387  const CERT_TRUST_STATUS *elementStatus)
388 {
389     /* Any error that applies to an element also applies to a chain.. */
390     chainStatus->dwErrorStatus |= elementStatus->dwErrorStatus;
391     /* but the bottom nibble of an element's info status doesn't apply to the
392      * chain.
393      */
394     chainStatus->dwInfoStatus |= (elementStatus->dwInfoStatus & 0xfffffff0);
395 }
396
397 static BOOL CRYPT_AddCertToSimpleChain(const CertificateChainEngine *engine,
398  PCERT_SIMPLE_CHAIN chain, PCCERT_CONTEXT cert, DWORD subjectInfoStatus)
399 {
400     BOOL ret = FALSE;
401     PCERT_CHAIN_ELEMENT element = CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
402
403     if (element)
404     {
405         if (!chain->cElement)
406             chain->rgpElement = CryptMemAlloc(sizeof(PCERT_CHAIN_ELEMENT));
407         else
408             chain->rgpElement = CryptMemRealloc(chain->rgpElement,
409              (chain->cElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
410         if (chain->rgpElement)
411         {
412             chain->rgpElement[chain->cElement++] = element;
413             memset(element, 0, sizeof(CERT_CHAIN_ELEMENT));
414             element->cbSize = sizeof(CERT_CHAIN_ELEMENT);
415             element->pCertContext = CertDuplicateCertificateContext(cert);
416             if (chain->cElement > 1)
417                 chain->rgpElement[chain->cElement - 2]->TrustStatus.dwInfoStatus
418                  = subjectInfoStatus;
419             /* FIXME: initialize the rest of element */
420             if (!(chain->cElement % engine->CycleDetectionModulus))
421             {
422                 CRYPT_CheckSimpleChainForCycles(chain);
423                 /* Reinitialize the element pointer in case the chain is
424                  * cyclic, in which case the chain is truncated.
425                  */
426                 element = chain->rgpElement[chain->cElement - 1];
427             }
428             CRYPT_CombineTrustStatus(&chain->TrustStatus,
429              &element->TrustStatus);
430             ret = TRUE;
431         }
432         else
433             CryptMemFree(element);
434     }
435     return ret;
436 }
437
438 static void CRYPT_FreeSimpleChain(PCERT_SIMPLE_CHAIN chain)
439 {
440     DWORD i;
441
442     for (i = 0; i < chain->cElement; i++)
443         CRYPT_FreeChainElement(chain->rgpElement[i]);
444     CryptMemFree(chain->rgpElement);
445     CryptMemFree(chain);
446 }
447
448 static void CRYPT_CheckTrustedStatus(HCERTSTORE hRoot,
449  PCERT_CHAIN_ELEMENT rootElement)
450 {
451     PCCERT_CONTEXT trustedRoot = CRYPT_FindCertInStore(hRoot,
452      rootElement->pCertContext);
453
454     if (!trustedRoot)
455         rootElement->TrustStatus.dwErrorStatus |=
456          CERT_TRUST_IS_UNTRUSTED_ROOT;
457     else
458         CertFreeCertificateContext(trustedRoot);
459 }
460
461 static void CRYPT_CheckRootCert(HCERTCHAINENGINE hRoot,
462  PCERT_CHAIN_ELEMENT rootElement)
463 {
464     PCCERT_CONTEXT root = rootElement->pCertContext;
465
466     if (!CryptVerifyCertificateSignatureEx(0, root->dwCertEncodingType,
467      CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *)root,
468      CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)root, 0, NULL))
469     {
470         TRACE_(chain)("Last certificate's signature is invalid\n");
471         rootElement->TrustStatus.dwErrorStatus |=
472          CERT_TRUST_IS_NOT_SIGNATURE_VALID;
473     }
474     CRYPT_CheckTrustedStatus(hRoot, rootElement);
475 }
476
477 /* Decodes a cert's basic constraints extension (either szOID_BASIC_CONSTRAINTS
478  * or szOID_BASIC_CONSTRAINTS2, whichever is present) into a
479  * CERT_BASIC_CONSTRAINTS2_INFO.  If it neither extension is present, sets
480  * constraints->fCA to defaultIfNotSpecified.
481  * Returns FALSE if the extension is present but couldn't be decoded.
482  */
483 static BOOL CRYPT_DecodeBasicConstraints(PCCERT_CONTEXT cert,
484  CERT_BASIC_CONSTRAINTS2_INFO *constraints, BOOL defaultIfNotSpecified)
485 {
486     BOOL ret = TRUE;
487     PCERT_EXTENSION ext = CertFindExtension(szOID_BASIC_CONSTRAINTS,
488      cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
489
490     constraints->fPathLenConstraint = FALSE;
491     if (ext)
492     {
493         CERT_BASIC_CONSTRAINTS_INFO *info;
494         DWORD size = 0;
495
496         ret = CryptDecodeObjectEx(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS,
497          ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG,
498          NULL, &info, &size);
499         if (ret)
500         {
501             if (info->SubjectType.cbData == 1)
502                 constraints->fCA =
503                  info->SubjectType.pbData[0] & CERT_CA_SUBJECT_FLAG;
504             LocalFree(info);
505         }
506     }
507     else
508     {
509         ext = CertFindExtension(szOID_BASIC_CONSTRAINTS2,
510          cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
511         if (ext)
512         {
513             DWORD size = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
514
515             ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
516              szOID_BASIC_CONSTRAINTS2, ext->Value.pbData, ext->Value.cbData,
517              0, NULL, constraints, &size);
518         }
519         else
520             constraints->fCA = defaultIfNotSpecified;
521     }
522     return ret;
523 }
524
525 /* Checks element's basic constraints to see if it can act as a CA, with
526  * remainingCAs CAs left in this chain.  In general, a cert must include the
527  * basic constraints extension, with the CA flag asserted, in order to be
528  * allowed to be a CA.  A V1 or V2 cert, which has no extensions, is also
529  * allowed to be a CA if it's installed locally (in the engine's world store.)
530  * This matches the expected usage in RFC 5280, section 4.2.1.9:  a conforming
531  * CA MUST include the basic constraints extension in all certificates that are
532  * used to validate digital signatures on certificates.  It also matches
533  * section 6.1.4(k): "If a certificate is a v1 or v2 certificate, then the
534  * application MUST either verify that the certificate is a CA certificate
535  * through out-of-band means or reject the certificate." Rejecting the
536  * certificate prohibits a large number of commonly used certificates, so
537  * accepting locally installed ones is a compromise.
538  * Root certificates are also allowed to be CAs even without a basic
539  * constraints extension.  This is implied by RFC 5280, section 6.1:  the
540  * root of a certificate chain's only requirement is that it was used to issue
541  * the next certificate in the chain.
542  * Updates chainConstraints with the element's constraints, if:
543  * 1. chainConstraints doesn't have a path length constraint, or
544  * 2. element's path length constraint is smaller than chainConstraints's
545  * Sets *pathLengthConstraintViolated to TRUE if a path length violation
546  * occurs.
547  * Returns TRUE if the element can be a CA, and the length of the remaining
548  * chain is valid.
549  */
550 static BOOL CRYPT_CheckBasicConstraintsForCA(PCertificateChainEngine engine,
551  PCCERT_CONTEXT cert, CERT_BASIC_CONSTRAINTS2_INFO *chainConstraints,
552  DWORD remainingCAs, BOOL isRoot, BOOL *pathLengthConstraintViolated)
553 {
554     BOOL validBasicConstraints, implicitCA = FALSE;
555     CERT_BASIC_CONSTRAINTS2_INFO constraints;
556
557     if (isRoot)
558         implicitCA = TRUE;
559     else if (cert->pCertInfo->dwVersion == CERT_V1 ||
560      cert->pCertInfo->dwVersion == CERT_V2)
561     {
562         BYTE hash[20];
563         DWORD size = sizeof(hash);
564
565         if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID,
566          hash, &size))
567         {
568             CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
569             PCCERT_CONTEXT localCert = CertFindCertificateInStore(
570              engine->hWorld, cert->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH,
571              &blob, NULL);
572
573             if (localCert)
574             {
575                 CertFreeCertificateContext(localCert);
576                 implicitCA = TRUE;
577             }
578         }
579     }
580     if ((validBasicConstraints = CRYPT_DecodeBasicConstraints(cert,
581      &constraints, implicitCA)))
582     {
583         chainConstraints->fCA = constraints.fCA;
584         if (!constraints.fCA)
585         {
586             TRACE_(chain)("chain element %d can't be a CA\n", remainingCAs + 1);
587             validBasicConstraints = FALSE;
588         }
589         else if (constraints.fPathLenConstraint)
590         {
591             /* If the element has path length constraints, they apply to the
592              * entire remaining chain.
593              */
594             if (!chainConstraints->fPathLenConstraint ||
595              constraints.dwPathLenConstraint <
596              chainConstraints->dwPathLenConstraint)
597             {
598                 TRACE_(chain)("setting path length constraint to %d\n",
599                  chainConstraints->dwPathLenConstraint);
600                 chainConstraints->fPathLenConstraint = TRUE;
601                 chainConstraints->dwPathLenConstraint =
602                  constraints.dwPathLenConstraint;
603             }
604         }
605     }
606     if (chainConstraints->fPathLenConstraint &&
607      remainingCAs > chainConstraints->dwPathLenConstraint)
608     {
609         TRACE_(chain)("remaining CAs %d exceed max path length %d\n",
610          remainingCAs, chainConstraints->dwPathLenConstraint);
611         validBasicConstraints = FALSE;
612         *pathLengthConstraintViolated = TRUE;
613     }
614     return validBasicConstraints;
615 }
616
617 static BOOL domain_name_matches(LPCWSTR constraint, LPCWSTR name)
618 {
619     BOOL match;
620
621     /* RFC 5280, section 4.2.1.10:
622      * "For URIs, the constraint applies to the host part of the name...
623      *  When the constraint begins with a period, it MAY be expanded with one
624      *  or more labels.  That is, the constraint ".example.com" is satisfied by
625      *  both host.example.com and my.host.example.com.  However, the constraint
626      *  ".example.com" is not satisfied by "example.com".  When the constraint
627      *  does not begin with a period, it specifies a host."
628      * and for email addresses,
629      * "To indicate all Internet mail addresses on a particular host, the
630      *  constraint is specified as the host name.  For example, the constraint
631      *  "example.com" is satisfied by any mail address at the host
632      *  "example.com".  To specify any address within a domain, the constraint
633      *  is specified with a leading period (as with URIs)."
634      */
635     if (constraint[0] == '.')
636     {
637         /* Must be strictly greater than, a name can't begin with '.' */
638         if (lstrlenW(name) > lstrlenW(constraint))
639             match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
640              constraint);
641         else
642         {
643             /* name is too short, no match */
644             match = FALSE;
645         }
646     }
647     else
648         match = !lstrcmpiW(name, constraint);
649      return match;
650 }
651
652 static BOOL url_matches(LPCWSTR constraint, LPCWSTR name,
653  DWORD *trustErrorStatus)
654 {
655     BOOL match = FALSE;
656
657     TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
658
659     if (!constraint)
660         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
661     else if (!name)
662         ; /* no match */
663     else
664     {
665         LPCWSTR colon, authority_end, at, hostname = NULL;
666         /* The maximum length for a hostname is 254 in the DNS, see RFC 1034 */
667         WCHAR hostname_buf[255];
668
669         /* RFC 5280: only the hostname portion of the URL is compared.  From
670          * section 4.2.1.10:
671          * "For URIs, the constraint applies to the host part of the name.
672          *  The constraint MUST be specified as a fully qualified domain name
673          *  and MAY specify a host or a domain."
674          * The format for URIs is in RFC 2396.
675          *
676          * First, remove any scheme that's present. */
677         colon = strchrW(name, ':');
678         if (colon && *(colon + 1) == '/' && *(colon + 2) == '/')
679             name = colon + 3;
680         /* Next, find the end of the authority component.  (The authority is
681          * generally just the hostname, but it may contain a username or a port.
682          * Those are removed next.)
683          */
684         authority_end = strchrW(name, '/');
685         if (!authority_end)
686             authority_end = strchrW(name, '?');
687         if (!authority_end)
688             authority_end = name + strlenW(name);
689         /* Remove any port number from the authority.  The userinfo portion
690          * of an authority may contain a colon, so stop if a userinfo portion
691          * is found (indicated by '@').
692          */
693         for (colon = authority_end; colon >= name && *colon != ':' &&
694          *colon != '@'; colon--)
695             ;
696         if (*colon == ':')
697             authority_end = colon;
698         /* Remove any username from the authority */
699         if ((at = strchrW(name, '@')))
700             name = at;
701         /* Ignore any path or query portion of the URL. */
702         if (*authority_end)
703         {
704             if (authority_end - name < sizeof(hostname_buf) /
705              sizeof(hostname_buf[0]))
706             {
707                 memcpy(hostname_buf, name,
708                  (authority_end - name) * sizeof(WCHAR));
709                 hostname_buf[authority_end - name] = 0;
710                 hostname = hostname_buf;
711             }
712             /* else: Hostname is too long, not a match */
713         }
714         else
715             hostname = name;
716         if (hostname)
717             match = domain_name_matches(constraint, hostname);
718     }
719     return match;
720 }
721
722 static BOOL rfc822_name_matches(LPCWSTR constraint, LPCWSTR name,
723  DWORD *trustErrorStatus)
724 {
725     BOOL match = FALSE;
726     LPCWSTR at;
727
728     TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
729
730     if (!constraint)
731         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
732     else if (!name)
733         ; /* no match */
734     else if (strchrW(constraint, '@'))
735         match = !lstrcmpiW(constraint, name);
736     else
737     {
738         if ((at = strchrW(name, '@')))
739             match = domain_name_matches(constraint, at + 1);
740         else
741             match = !lstrcmpiW(constraint, name);
742     }
743     return match;
744 }
745
746 static BOOL dns_name_matches(LPCWSTR constraint, LPCWSTR name,
747  DWORD *trustErrorStatus)
748 {
749     BOOL match = FALSE;
750
751     TRACE("%s, %s\n", debugstr_w(constraint), debugstr_w(name));
752
753     if (!constraint)
754         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
755     else if (!name)
756         ; /* no match */
757     /* RFC 5280, section 4.2.1.10:
758      * "DNS name restrictions are expressed as host.example.com.  Any DNS name
759      *  that can be constructed by simply adding zero or more labels to the
760      *  left-hand side of the name satisfies the name constraint.  For example,
761      *  www.host.example.com would satisfy the constraint but host1.example.com
762      *  would not."
763      */
764     else if (lstrlenW(name) == lstrlenW(constraint))
765         match = !lstrcmpiW(name, constraint);
766     else if (lstrlenW(name) > lstrlenW(constraint))
767     {
768         match = !lstrcmpiW(name + lstrlenW(name) - lstrlenW(constraint),
769          constraint);
770         if (match)
771         {
772             BOOL dot = FALSE;
773             LPCWSTR ptr;
774
775             /* This only matches if name is a subdomain of constraint, i.e.
776              * there's a '.' between the beginning of the name and the
777              * matching portion of the name.
778              */
779             for (ptr = name + lstrlenW(name) - lstrlenW(constraint);
780              !dot && ptr >= name; ptr--)
781                 if (*ptr == '.')
782                     dot = TRUE;
783             match = dot;
784         }
785     }
786     /* else:  name is too short, no match */
787
788     return match;
789 }
790
791 static BOOL ip_address_matches(const CRYPT_DATA_BLOB *constraint,
792  const CRYPT_DATA_BLOB *name, DWORD *trustErrorStatus)
793 {
794     BOOL match = FALSE;
795
796     TRACE("(%d, %p), (%d, %p)\n", constraint->cbData, constraint->pbData,
797      name->cbData, name->pbData);
798
799     /* RFC5280, section 4.2.1.10, iPAddress syntax: either 8 or 32 bytes, for
800      * IPv4 or IPv6 addresses, respectively.
801      */
802     if (constraint->cbData != sizeof(DWORD) * 2 && constraint->cbData != 32)
803         *trustErrorStatus |= CERT_TRUST_INVALID_NAME_CONSTRAINTS;
804     else if (name->cbData == sizeof(DWORD) &&
805      constraint->cbData == sizeof(DWORD) * 2)
806     {
807         DWORD subnet, mask, addr;
808
809         memcpy(&subnet, constraint->pbData, sizeof(subnet));
810         memcpy(&mask, constraint->pbData + sizeof(subnet), sizeof(mask));
811         memcpy(&addr, name->pbData, sizeof(addr));
812         /* These are really in big-endian order, but for equality matching we
813          * don't need to swap to host order
814          */
815         match = (subnet & mask) == (addr & mask);
816     }
817     else if (name->cbData == 16 && constraint->cbData == 32)
818     {
819         const BYTE *subnet, *mask, *addr;
820         DWORD i;
821
822         subnet = constraint->pbData;
823         mask = constraint->pbData + 16;
824         addr = name->pbData;
825         match = TRUE;
826         for (i = 0; match && i < 16; i++)
827             if ((subnet[i] & mask[i]) != (addr[i] & mask[i]))
828                 match = FALSE;
829     }
830     /* else: name is wrong size, no match */
831
832     return match;
833 }
834
835 static BOOL directory_name_matches(const CERT_NAME_BLOB *constraint,
836  const CERT_NAME_BLOB *name)
837 {
838     CERT_NAME_INFO *constraintName;
839     DWORD size;
840     BOOL match = FALSE;
841
842     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME, constraint->pbData,
843      constraint->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &constraintName, &size))
844     {
845         DWORD i;
846
847         match = TRUE;
848         for (i = 0; match && i < constraintName->cRDN; i++)
849             match = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING,
850              CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG,
851              (CERT_NAME_BLOB *)name, &constraintName->rgRDN[i]);
852         LocalFree(constraintName);
853     }
854     return match;
855 }
856
857 static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name,
858  const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus, BOOL *present)
859 {
860     BOOL match = FALSE;
861
862     if (name->dwAltNameChoice == constraint->dwAltNameChoice)
863     {
864         if (present)
865             *present = TRUE;
866         switch (constraint->dwAltNameChoice)
867         {
868         case CERT_ALT_NAME_RFC822_NAME:
869             match = rfc822_name_matches(constraint->u.pwszURL,
870              name->u.pwszURL, trustErrorStatus);
871             break;
872         case CERT_ALT_NAME_DNS_NAME:
873             match = dns_name_matches(constraint->u.pwszURL,
874              name->u.pwszURL, trustErrorStatus);
875             break;
876         case CERT_ALT_NAME_URL:
877             match = url_matches(constraint->u.pwszURL,
878              name->u.pwszURL, trustErrorStatus);
879             break;
880         case CERT_ALT_NAME_IP_ADDRESS:
881             match = ip_address_matches(&constraint->u.IPAddress,
882              &name->u.IPAddress, trustErrorStatus);
883             break;
884         case CERT_ALT_NAME_DIRECTORY_NAME:
885             match = directory_name_matches(&constraint->u.DirectoryName,
886              &name->u.DirectoryName);
887             break;
888         default:
889             ERR("name choice %d unsupported in this context\n",
890              constraint->dwAltNameChoice);
891             *trustErrorStatus |=
892              CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
893         }
894     }
895     else if (present)
896         *present = FALSE;
897     return match;
898 }
899
900 static BOOL alt_name_matches_excluded_name(const CERT_ALT_NAME_ENTRY *name,
901  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
902 {
903     DWORD i;
904     BOOL match = FALSE;
905
906     for (i = 0; !match && i < nameConstraints->cExcludedSubtree; i++)
907         match = alt_name_matches(name,
908          &nameConstraints->rgExcludedSubtree[i].Base, trustErrorStatus, NULL);
909     return match;
910 }
911
912 static BOOL alt_name_matches_permitted_name(const CERT_ALT_NAME_ENTRY *name,
913  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus,
914  BOOL *present)
915 {
916     DWORD i;
917     BOOL match = FALSE;
918
919     for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
920         match = alt_name_matches(name,
921          &nameConstraints->rgPermittedSubtree[i].Base, trustErrorStatus,
922          present);
923     return match;
924 }
925
926 static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
927 {
928     PCERT_EXTENSION ext;
929
930     ext = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
931      cert->cExtension, cert->rgExtension);
932     if (!ext)
933         ext = CertFindExtension(szOID_SUBJECT_ALT_NAME,
934          cert->cExtension, cert->rgExtension);
935     return ext;
936 }
937
938 static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
939  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
940 {
941     CERT_ALT_NAME_INFO *subjectAltName;
942     DWORD size;
943
944     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
945      altNameExt->Value.pbData, altNameExt->Value.cbData,
946      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
947      &subjectAltName, &size))
948     {
949         DWORD i;
950
951         for (i = 0; i < subjectAltName->cAltEntry; i++)
952         {
953              BOOL nameFormPresent;
954
955              /* A name constraint only applies if the name form is present.
956               * From RFC 5280, section 4.2.1.10:
957               * "Restrictions apply only when the specified name form is
958               *  present.  If no name of the type is in the certificate,
959               *  the certificate is acceptable."
960               */
961             if (alt_name_matches_excluded_name(
962              &subjectAltName->rgAltEntry[i], nameConstraints,
963              trustErrorStatus))
964             {
965                 TRACE_(chain)("subject alternate name form %d excluded\n",
966                  subjectAltName->rgAltEntry[i].dwAltNameChoice);
967                 *trustErrorStatus |=
968                  CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
969             }
970             nameFormPresent = FALSE;
971             if (!alt_name_matches_permitted_name(
972              &subjectAltName->rgAltEntry[i], nameConstraints,
973              trustErrorStatus, &nameFormPresent) && nameFormPresent)
974             {
975                 TRACE_(chain)("subject alternate name form %d not permitted\n",
976                  subjectAltName->rgAltEntry[i].dwAltNameChoice);
977                 *trustErrorStatus |=
978                  CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
979             }
980         }
981         LocalFree(subjectAltName);
982     }
983     else
984         *trustErrorStatus |=
985          CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
986 }
987
988 static BOOL rfc822_attr_matches_excluded_name(const CERT_RDN_ATTR *attr,
989  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
990 {
991     DWORD i;
992     BOOL match = FALSE;
993
994     for (i = 0; !match && i < nameConstraints->cExcludedSubtree; i++)
995     {
996         const CERT_ALT_NAME_ENTRY *constraint =
997          &nameConstraints->rgExcludedSubtree[i].Base;
998
999         if (constraint->dwAltNameChoice == CERT_ALT_NAME_RFC822_NAME)
1000             match = rfc822_name_matches(constraint->u.pwszRfc822Name,
1001              (LPCWSTR)attr->Value.pbData, trustErrorStatus);
1002     }
1003     return match;
1004 }
1005
1006 static BOOL rfc822_attr_matches_permitted_name(const CERT_RDN_ATTR *attr,
1007  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus,
1008  BOOL *present)
1009 {
1010     DWORD i;
1011     BOOL match = FALSE;
1012
1013     for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
1014     {
1015         const CERT_ALT_NAME_ENTRY *constraint =
1016          &nameConstraints->rgPermittedSubtree[i].Base;
1017
1018         if (constraint->dwAltNameChoice == CERT_ALT_NAME_RFC822_NAME)
1019         {
1020             *present = TRUE;
1021             match = rfc822_name_matches(constraint->u.pwszRfc822Name,
1022              (LPCWSTR)attr->Value.pbData, trustErrorStatus);
1023         }
1024     }
1025     return match;
1026 }
1027
1028 static void compare_subject_with_email_constraints(
1029  const CERT_NAME_BLOB *subjectName,
1030  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
1031 {
1032     CERT_NAME_INFO *name;
1033     DWORD size;
1034
1035     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_UNICODE_NAME,
1036      subjectName->pbData, subjectName->cbData,
1037      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &name, &size))
1038     {
1039         DWORD i, j;
1040
1041         for (i = 0; i < name->cRDN; i++)
1042             for (j = 0; j < name->rgRDN[i].cRDNAttr; j++)
1043                 if (!strcmp(name->rgRDN[i].rgRDNAttr[j].pszObjId,
1044                  szOID_RSA_emailAddr))
1045                 {
1046                     BOOL nameFormPresent;
1047
1048                     /* A name constraint only applies if the name form is
1049                      * present.  From RFC 5280, section 4.2.1.10:
1050                      * "Restrictions apply only when the specified name form is
1051                      *  present.  If no name of the type is in the certificate,
1052                      *  the certificate is acceptable."
1053                      */
1054                     if (rfc822_attr_matches_excluded_name(
1055                      &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
1056                      trustErrorStatus))
1057                     {
1058                         TRACE_(chain)(
1059                          "email address in subject name is excluded\n");
1060                         *trustErrorStatus |=
1061                          CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
1062                     }
1063                     nameFormPresent = FALSE;
1064                     if (!rfc822_attr_matches_permitted_name(
1065                      &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
1066                      trustErrorStatus, &nameFormPresent) && nameFormPresent)
1067                     {
1068                         TRACE_(chain)(
1069                          "email address in subject name is not permitted\n");
1070                         *trustErrorStatus |=
1071                          CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1072                     }
1073                 }
1074         LocalFree(name);
1075     }
1076     else
1077         *trustErrorStatus |=
1078          CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
1079 }
1080
1081 static BOOL CRYPT_IsEmptyName(const CERT_NAME_BLOB *name)
1082 {
1083     BOOL empty;
1084
1085     if (!name->cbData)
1086         empty = TRUE;
1087     else if (name->cbData == 2 && name->pbData[1] == 0)
1088     {
1089         /* An empty sequence is also empty */
1090         empty = TRUE;
1091     }
1092     else
1093         empty = FALSE;
1094     return empty;
1095 }
1096
1097 static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
1098  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
1099 {
1100     BOOL hasEmailConstraint = FALSE;
1101     DWORD i;
1102
1103     /* In general, a subject distinguished name only matches a directory name
1104      * constraint.  However, an exception exists for email addresses.
1105      * From RFC 5280, section 4.2.1.6:
1106      * "Legacy implementations exist where an electronic mail address is
1107      *  embedded in the subject distinguished name as an emailAddress
1108      *  attribute [RFC2985]."
1109      * If an email address constraint exists, check that constraint separately.
1110      */
1111     for (i = 0; !hasEmailConstraint && i < nameConstraints->cExcludedSubtree;
1112      i++)
1113         if (nameConstraints->rgExcludedSubtree[i].Base.dwAltNameChoice ==
1114          CERT_ALT_NAME_RFC822_NAME)
1115             hasEmailConstraint = TRUE;
1116     for (i = 0; !hasEmailConstraint && i < nameConstraints->cPermittedSubtree;
1117      i++)
1118         if (nameConstraints->rgPermittedSubtree[i].Base.dwAltNameChoice ==
1119          CERT_ALT_NAME_RFC822_NAME)
1120             hasEmailConstraint = TRUE;
1121     if (hasEmailConstraint)
1122         compare_subject_with_email_constraints(subjectName, nameConstraints,
1123          trustErrorStatus);
1124     for (i = 0; i < nameConstraints->cExcludedSubtree; i++)
1125     {
1126         CERT_ALT_NAME_ENTRY *constraint =
1127          &nameConstraints->rgExcludedSubtree[i].Base;
1128
1129         if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME &&
1130          directory_name_matches(&constraint->u.DirectoryName, subjectName))
1131         {
1132             TRACE_(chain)("subject name is excluded\n");
1133             *trustErrorStatus |=
1134              CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
1135         }
1136     }
1137     /* RFC 5280, section 4.2.1.10:
1138      * "Restrictions apply only when the specified name form is present.
1139      *  If no name of the type is in the certificate, the certificate is
1140      *  acceptable."
1141      * An empty name can't have the name form present, so don't check it.
1142      */
1143     if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
1144     {
1145         BOOL match = FALSE, hasDirectoryConstraint = FALSE;
1146
1147         for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
1148         {
1149             CERT_ALT_NAME_ENTRY *constraint =
1150              &nameConstraints->rgPermittedSubtree[i].Base;
1151
1152             if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
1153             {
1154                 hasDirectoryConstraint = TRUE;
1155                 match = directory_name_matches(&constraint->u.DirectoryName,
1156                  subjectName);
1157             }
1158         }
1159         if (hasDirectoryConstraint && !match)
1160         {
1161             TRACE_(chain)("subject name is not permitted\n");
1162             *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
1163         }
1164     }
1165 }
1166
1167 static void CRYPT_CheckNameConstraints(
1168  const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
1169  DWORD *trustErrorStatus)
1170 {
1171     CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
1172
1173     if (ext)
1174         compare_alt_name_with_constraints(ext, nameConstraints,
1175          trustErrorStatus);
1176     /* Name constraints apply to the subject alternative name as well as the
1177      * subject name.  From RFC 5280, section 4.2.1.10:
1178      * "Restrictions apply to the subject distinguished name and apply to
1179      *  subject alternative names."
1180      */
1181     compare_subject_with_constraints(&cert->Subject, nameConstraints,
1182      trustErrorStatus);
1183 }
1184
1185 /* Gets cert's name constraints, if any.  Free with LocalFree. */
1186 static CERT_NAME_CONSTRAINTS_INFO *CRYPT_GetNameConstraints(CERT_INFO *cert)
1187 {
1188     CERT_NAME_CONSTRAINTS_INFO *info = NULL;
1189
1190     CERT_EXTENSION *ext;
1191
1192     if ((ext = CertFindExtension(szOID_NAME_CONSTRAINTS, cert->cExtension,
1193      cert->rgExtension)))
1194     {
1195         DWORD size;
1196
1197         CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME_CONSTRAINTS,
1198          ext->Value.pbData, ext->Value.cbData,
1199          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &info,
1200          &size);
1201     }
1202     return info;
1203 }
1204
1205 static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
1206 {
1207     DWORD i;
1208     BOOL ret = TRUE;
1209
1210     /* Make sure at least one permitted or excluded subtree is present.  From
1211      * RFC 5280, section 4.2.1.10:
1212      * "Conforming CAs MUST NOT issue certificates where name constraints is an
1213      *  empty sequence.  That is, either the permittedSubtrees field or the
1214      *  excludedSubtrees MUST be present."
1215      */
1216     if (!info->cPermittedSubtree && !info->cExcludedSubtree)
1217     {
1218         WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
1219         ret = FALSE;
1220     }
1221     /* Check that none of the constraints specifies a minimum or a maximum.
1222      * See RFC 5280, section 4.2.1.10:
1223      * "Within this profile, the minimum and maximum fields are not used with
1224      *  any name forms, thus, the minimum MUST be zero, and maximum MUST be
1225      *  absent.  However, if an application encounters a critical name
1226      *  constraints extension that specifies other values for minimum or
1227      *  maximum for a name form that appears in a subsequent certificate, the
1228      *  application MUST either process these fields or reject the
1229      *  certificate."
1230      * Since it gives no guidance as to how to process these fields, we
1231      * reject any name constraint that contains them.
1232      */
1233     for (i = 0; ret && i < info->cPermittedSubtree; i++)
1234         if (info->rgPermittedSubtree[i].dwMinimum ||
1235          info->rgPermittedSubtree[i].fMaximum)
1236         {
1237             TRACE_(chain)("found a minimum or maximum in permitted subtrees\n");
1238             ret = FALSE;
1239         }
1240     for (i = 0; ret && i < info->cExcludedSubtree; i++)
1241         if (info->rgExcludedSubtree[i].dwMinimum ||
1242          info->rgExcludedSubtree[i].fMaximum)
1243         {
1244             TRACE_(chain)("found a minimum or maximum in excluded subtrees\n");
1245             ret = FALSE;
1246         }
1247     return ret;
1248 }
1249
1250 static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
1251 {
1252     int i, j;
1253
1254     /* Microsoft's implementation appears to violate RFC 3280:  according to
1255      * MSDN, the various CERT_TRUST_*_NAME_CONSTRAINT errors are set if a CA's
1256      * name constraint is violated in the end cert.  According to RFC 3280,
1257      * the constraints should be checked against every subsequent certificate
1258      * in the chain, not just the end cert.
1259      * Microsoft's implementation also sets the name constraint errors on the
1260      * certs whose constraints were violated, not on the certs that violated
1261      * them.
1262      * In order to be error-compatible with Microsoft's implementation, while
1263      * still adhering to RFC 3280, I use a O(n ^ 2) algorithm to check name
1264      * constraints.
1265      */
1266     for (i = chain->cElement - 1; i > 0; i--)
1267     {
1268         CERT_NAME_CONSTRAINTS_INFO *nameConstraints;
1269
1270         if ((nameConstraints = CRYPT_GetNameConstraints(
1271          chain->rgpElement[i]->pCertContext->pCertInfo)))
1272         {
1273             if (!CRYPT_IsValidNameConstraint(nameConstraints))
1274                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1275                  CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
1276             else
1277             {
1278                 for (j = i - 1; j >= 0; j--)
1279                 {
1280                     DWORD errorStatus = 0;
1281
1282                     /* According to RFC 3280, self-signed certs don't have name
1283                      * constraints checked unless they're the end cert.
1284                      */
1285                     if (j == 0 || !CRYPT_IsCertificateSelfSigned(
1286                      chain->rgpElement[j]->pCertContext))
1287                     {
1288                         CRYPT_CheckNameConstraints(nameConstraints,
1289                          chain->rgpElement[j]->pCertContext->pCertInfo,
1290                          &errorStatus);
1291                         if (errorStatus)
1292                         {
1293                             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1294                              errorStatus;
1295                             CRYPT_CombineTrustStatus(&chain->TrustStatus,
1296                              &chain->rgpElement[i]->TrustStatus);
1297                         }
1298                         else
1299                             chain->rgpElement[i]->TrustStatus.dwInfoStatus |=
1300                              CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS;
1301                     }
1302                 }
1303             }
1304             LocalFree(nameConstraints);
1305         }
1306     }
1307 }
1308
1309 /* Gets cert's policies info, if any.  Free with LocalFree. */
1310 static CERT_POLICIES_INFO *CRYPT_GetPolicies(PCCERT_CONTEXT cert)
1311 {
1312     PCERT_EXTENSION ext;
1313     CERT_POLICIES_INFO *policies = NULL;
1314
1315     ext = CertFindExtension(szOID_KEY_USAGE, cert->pCertInfo->cExtension,
1316      cert->pCertInfo->rgExtension);
1317     if (ext)
1318     {
1319         DWORD size;
1320
1321         CryptDecodeObjectEx(X509_ASN_ENCODING, X509_CERT_POLICIES,
1322          ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1323          &policies, &size);
1324     }
1325     return policies;
1326 }
1327
1328 static void CRYPT_CheckPolicies(CERT_POLICIES_INFO *policies, CERT_INFO *cert,
1329  DWORD *errorStatus)
1330 {
1331     DWORD i;
1332
1333     for (i = 0; i < policies->cPolicyInfo; i++)
1334     {
1335         /* For now, the only accepted policy identifier is the anyPolicy
1336          * identifier.
1337          * FIXME: the policy identifiers should be compared against the
1338          * cert's certificate policies extension, subject to the policy
1339          * mappings extension, and the policy constraints extension.
1340          * See RFC 5280, sections 4.2.1.4, 4.2.1.5, and 4.2.1.11.
1341          */
1342         if (strcmp(policies->rgPolicyInfo[i].pszPolicyIdentifier,
1343          szOID_ANY_CERT_POLICY))
1344         {
1345             FIXME("unsupported policy %s\n",
1346              policies->rgPolicyInfo[i].pszPolicyIdentifier);
1347             *errorStatus |= CERT_TRUST_INVALID_POLICY_CONSTRAINTS;
1348         }
1349     }
1350 }
1351
1352 static void CRYPT_CheckChainPolicies(PCERT_SIMPLE_CHAIN chain)
1353 {
1354     int i, j;
1355
1356     for (i = chain->cElement - 1; i > 0; i--)
1357     {
1358         CERT_POLICIES_INFO *policies;
1359
1360         if ((policies = CRYPT_GetPolicies(chain->rgpElement[i]->pCertContext)))
1361         {
1362             for (j = i - 1; j >= 0; j--)
1363             {
1364                 DWORD errorStatus = 0;
1365
1366                 CRYPT_CheckPolicies(policies,
1367                  chain->rgpElement[j]->pCertContext->pCertInfo, &errorStatus);
1368                 if (errorStatus)
1369                 {
1370                     chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1371                      errorStatus;
1372                     CRYPT_CombineTrustStatus(&chain->TrustStatus,
1373                      &chain->rgpElement[i]->TrustStatus);
1374                 }
1375             }
1376             LocalFree(policies);
1377         }
1378     }
1379 }
1380
1381 static LPWSTR name_value_to_str(const CERT_NAME_BLOB *name)
1382 {
1383     DWORD len = cert_name_to_str_with_indent(X509_ASN_ENCODING, 0, name,
1384      CERT_SIMPLE_NAME_STR, NULL, 0);
1385     LPWSTR str = NULL;
1386
1387     if (len)
1388     {
1389         str = CryptMemAlloc(len * sizeof(WCHAR));
1390         if (str)
1391             cert_name_to_str_with_indent(X509_ASN_ENCODING, 0, name,
1392              CERT_SIMPLE_NAME_STR, str, len);
1393     }
1394     return str;
1395 }
1396
1397 static void dump_alt_name_entry(const CERT_ALT_NAME_ENTRY *entry)
1398 {
1399     LPWSTR str;
1400
1401     switch (entry->dwAltNameChoice)
1402     {
1403     case CERT_ALT_NAME_OTHER_NAME:
1404         TRACE_(chain)("CERT_ALT_NAME_OTHER_NAME, oid = %s\n",
1405          debugstr_a(entry->u.pOtherName->pszObjId));
1406          break;
1407     case CERT_ALT_NAME_RFC822_NAME:
1408         TRACE_(chain)("CERT_ALT_NAME_RFC822_NAME: %s\n",
1409          debugstr_w(entry->u.pwszRfc822Name));
1410         break;
1411     case CERT_ALT_NAME_DNS_NAME:
1412         TRACE_(chain)("CERT_ALT_NAME_DNS_NAME: %s\n",
1413          debugstr_w(entry->u.pwszDNSName));
1414         break;
1415     case CERT_ALT_NAME_DIRECTORY_NAME:
1416         str = name_value_to_str(&entry->u.DirectoryName);
1417         TRACE_(chain)("CERT_ALT_NAME_DIRECTORY_NAME: %s\n", debugstr_w(str));
1418         CryptMemFree(str);
1419         break;
1420     case CERT_ALT_NAME_URL:
1421         TRACE_(chain)("CERT_ALT_NAME_URL: %s\n", debugstr_w(entry->u.pwszURL));
1422         break;
1423     case CERT_ALT_NAME_IP_ADDRESS:
1424         TRACE_(chain)("CERT_ALT_NAME_IP_ADDRESS: %d bytes\n",
1425          entry->u.IPAddress.cbData);
1426         break;
1427     case CERT_ALT_NAME_REGISTERED_ID:
1428         TRACE_(chain)("CERT_ALT_NAME_REGISTERED_ID: %s\n",
1429          debugstr_a(entry->u.pszRegisteredID));
1430         break;
1431     default:
1432         TRACE_(chain)("dwAltNameChoice = %d\n", entry->dwAltNameChoice);
1433     }
1434 }
1435
1436 static void dump_alt_name(LPCSTR type, const CERT_EXTENSION *ext)
1437 {
1438     CERT_ALT_NAME_INFO *name;
1439     DWORD size;
1440
1441     TRACE_(chain)("%s:\n", type);
1442     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
1443      ext->Value.pbData, ext->Value.cbData,
1444      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &name, &size))
1445     {
1446         DWORD i;
1447
1448         TRACE_(chain)("%d alt name entries:\n", name->cAltEntry);
1449         for (i = 0; i < name->cAltEntry; i++)
1450             dump_alt_name_entry(&name->rgAltEntry[i]);
1451         LocalFree(name);
1452     }
1453 }
1454
1455 static void dump_basic_constraints(const CERT_EXTENSION *ext)
1456 {
1457     CERT_BASIC_CONSTRAINTS_INFO *info;
1458     DWORD size = 0;
1459
1460     if (CryptDecodeObjectEx(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS,
1461      ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG,
1462      NULL, &info, &size))
1463     {
1464         TRACE_(chain)("SubjectType: %02x\n", info->SubjectType.pbData[0]);
1465         TRACE_(chain)("%s path length constraint\n",
1466          info->fPathLenConstraint ? "has" : "doesn't have");
1467         TRACE_(chain)("path length=%d\n", info->dwPathLenConstraint);
1468         LocalFree(info);
1469     }
1470 }
1471
1472 static void dump_basic_constraints2(const CERT_EXTENSION *ext)
1473 {
1474     CERT_BASIC_CONSTRAINTS2_INFO constraints;
1475     DWORD size = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
1476
1477     if (CryptDecodeObjectEx(X509_ASN_ENCODING,
1478      szOID_BASIC_CONSTRAINTS2, ext->Value.pbData, ext->Value.cbData,
1479      0, NULL, &constraints, &size))
1480     {
1481         TRACE_(chain)("basic constraints:\n");
1482         TRACE_(chain)("can%s be a CA\n", constraints.fCA ? "" : "not");
1483         TRACE_(chain)("%s path length constraint\n",
1484          constraints.fPathLenConstraint ? "has" : "doesn't have");
1485         TRACE_(chain)("path length=%d\n", constraints.dwPathLenConstraint);
1486     }
1487 }
1488
1489 static void dump_key_usage(const CERT_EXTENSION *ext)
1490 {
1491     CRYPT_BIT_BLOB usage;
1492     DWORD size = sizeof(usage);
1493
1494     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_BITS, ext->Value.pbData,
1495      ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
1496     {
1497 #define trace_usage_bit(bits, bit) \
1498  if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
1499         if (usage.cbData)
1500         {
1501             trace_usage_bit(usage.pbData[0], CERT_DIGITAL_SIGNATURE_KEY_USAGE);
1502             trace_usage_bit(usage.pbData[0], CERT_NON_REPUDIATION_KEY_USAGE);
1503             trace_usage_bit(usage.pbData[0], CERT_KEY_ENCIPHERMENT_KEY_USAGE);
1504             trace_usage_bit(usage.pbData[0], CERT_DATA_ENCIPHERMENT_KEY_USAGE);
1505             trace_usage_bit(usage.pbData[0], CERT_KEY_AGREEMENT_KEY_USAGE);
1506             trace_usage_bit(usage.pbData[0], CERT_KEY_CERT_SIGN_KEY_USAGE);
1507             trace_usage_bit(usage.pbData[0], CERT_CRL_SIGN_KEY_USAGE);
1508             trace_usage_bit(usage.pbData[0], CERT_ENCIPHER_ONLY_KEY_USAGE);
1509         }
1510 #undef trace_usage_bit
1511         if (usage.cbData > 1 && usage.pbData[1] & CERT_DECIPHER_ONLY_KEY_USAGE)
1512             TRACE_(chain)("CERT_DECIPHER_ONLY_KEY_USAGE\n");
1513     }
1514 }
1515
1516 static void dump_general_subtree(const CERT_GENERAL_SUBTREE *subtree)
1517 {
1518     dump_alt_name_entry(&subtree->Base);
1519     TRACE_(chain)("dwMinimum = %d, fMaximum = %d, dwMaximum = %d\n",
1520      subtree->dwMinimum, subtree->fMaximum, subtree->dwMaximum);
1521 }
1522
1523 static void dump_name_constraints(const CERT_EXTENSION *ext)
1524 {
1525     CERT_NAME_CONSTRAINTS_INFO *nameConstraints;
1526     DWORD size;
1527
1528     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME_CONSTRAINTS,
1529      ext->Value.pbData, ext->Value.cbData,
1530      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL, &nameConstraints,
1531      &size))
1532     {
1533         DWORD i;
1534
1535         TRACE_(chain)("%d permitted subtrees:\n",
1536          nameConstraints->cPermittedSubtree);
1537         for (i = 0; i < nameConstraints->cPermittedSubtree; i++)
1538             dump_general_subtree(&nameConstraints->rgPermittedSubtree[i]);
1539         TRACE_(chain)("%d excluded subtrees:\n",
1540          nameConstraints->cExcludedSubtree);
1541         for (i = 0; i < nameConstraints->cExcludedSubtree; i++)
1542             dump_general_subtree(&nameConstraints->rgExcludedSubtree[i]);
1543         LocalFree(nameConstraints);
1544     }
1545 }
1546
1547 static void dump_cert_policies(const CERT_EXTENSION *ext)
1548 {
1549     CERT_POLICIES_INFO *policies;
1550     DWORD size;
1551
1552     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_CERT_POLICIES,
1553      ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1554      &policies, &size))
1555     {
1556         DWORD i, j;
1557
1558         TRACE_(chain)("%d policies:\n", policies->cPolicyInfo);
1559         for (i = 0; i < policies->cPolicyInfo; i++)
1560         {
1561             TRACE_(chain)("policy identifier: %s\n",
1562              debugstr_a(policies->rgPolicyInfo[i].pszPolicyIdentifier));
1563             TRACE_(chain)("%d policy qualifiers:\n",
1564              policies->rgPolicyInfo[i].cPolicyQualifier);
1565             for (j = 0; j < policies->rgPolicyInfo[i].cPolicyQualifier; j++)
1566                 TRACE_(chain)("%s\n", debugstr_a(
1567                  policies->rgPolicyInfo[i].rgPolicyQualifier[j].
1568                  pszPolicyQualifierId));
1569         }
1570         LocalFree(policies);
1571     }
1572 }
1573
1574 static void dump_enhanced_key_usage(const CERT_EXTENSION *ext)
1575 {
1576     CERT_ENHKEY_USAGE *usage;
1577     DWORD size;
1578
1579     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE,
1580      ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
1581      &usage, &size))
1582     {
1583         DWORD i;
1584
1585         TRACE_(chain)("%d usages:\n", usage->cUsageIdentifier);
1586         for (i = 0; i < usage->cUsageIdentifier; i++)
1587             TRACE_(chain)("%s\n", usage->rgpszUsageIdentifier[i]);
1588         LocalFree(usage);
1589     }
1590 }
1591
1592 static void dump_netscape_cert_type(const CERT_EXTENSION *ext)
1593 {
1594     CRYPT_BIT_BLOB usage;
1595     DWORD size = sizeof(usage);
1596
1597     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_BITS, ext->Value.pbData,
1598      ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
1599     {
1600 #define trace_cert_type_bit(bits, bit) \
1601  if ((bits) & (bit)) TRACE_(chain)("%s\n", #bit)
1602         if (usage.cbData)
1603         {
1604             trace_cert_type_bit(usage.pbData[0],
1605              NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE);
1606             trace_cert_type_bit(usage.pbData[0],
1607              NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE);
1608             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SMIME_CERT_TYPE);
1609             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SIGN_CERT_TYPE);
1610             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SSL_CA_CERT_TYPE);
1611             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SMIME_CA_CERT_TYPE);
1612             trace_cert_type_bit(usage.pbData[0], NETSCAPE_SIGN_CA_CERT_TYPE);
1613         }
1614 #undef trace_cert_type_bit
1615     }
1616 }
1617
1618 static void dump_extension(const CERT_EXTENSION *ext)
1619 {
1620     TRACE_(chain)("%s (%scritical)\n", debugstr_a(ext->pszObjId),
1621      ext->fCritical ? "" : "not ");
1622     if (!strcmp(ext->pszObjId, szOID_SUBJECT_ALT_NAME))
1623         dump_alt_name("subject alt name", ext);
1624     else  if (!strcmp(ext->pszObjId, szOID_ISSUER_ALT_NAME))
1625         dump_alt_name("issuer alt name", ext);
1626     else if (!strcmp(ext->pszObjId, szOID_BASIC_CONSTRAINTS))
1627         dump_basic_constraints(ext);
1628     else if (!strcmp(ext->pszObjId, szOID_KEY_USAGE))
1629         dump_key_usage(ext);
1630     else if (!strcmp(ext->pszObjId, szOID_SUBJECT_ALT_NAME2))
1631         dump_alt_name("subject alt name 2", ext);
1632     else if (!strcmp(ext->pszObjId, szOID_ISSUER_ALT_NAME2))
1633         dump_alt_name("issuer alt name 2", ext);
1634     else if (!strcmp(ext->pszObjId, szOID_BASIC_CONSTRAINTS2))
1635         dump_basic_constraints2(ext);
1636     else if (!strcmp(ext->pszObjId, szOID_NAME_CONSTRAINTS))
1637         dump_name_constraints(ext);
1638     else if (!strcmp(ext->pszObjId, szOID_CERT_POLICIES))
1639         dump_cert_policies(ext);
1640     else if (!strcmp(ext->pszObjId, szOID_ENHANCED_KEY_USAGE))
1641         dump_enhanced_key_usage(ext);
1642     else if (!strcmp(ext->pszObjId, szOID_NETSCAPE_CERT_TYPE))
1643         dump_netscape_cert_type(ext);
1644 }
1645
1646 static LPCWSTR filetime_to_str(const FILETIME *time)
1647 {
1648     static WCHAR date[80];
1649     WCHAR dateFmt[80]; /* sufficient for all versions of LOCALE_SSHORTDATE */
1650     SYSTEMTIME sysTime;
1651
1652     if (!time) return NULL;
1653
1654     GetLocaleInfoW(LOCALE_SYSTEM_DEFAULT, LOCALE_SSHORTDATE, dateFmt,
1655      sizeof(dateFmt) / sizeof(dateFmt[0]));
1656     FileTimeToSystemTime(time, &sysTime);
1657     GetDateFormatW(LOCALE_SYSTEM_DEFAULT, 0, &sysTime, dateFmt, date,
1658      sizeof(date) / sizeof(date[0]));
1659     return date;
1660 }
1661
1662 static void dump_element(PCCERT_CONTEXT cert)
1663 {
1664     LPWSTR name = NULL;
1665     DWORD len, i;
1666
1667     TRACE_(chain)("%p: version %d\n", cert, cert->pCertInfo->dwVersion);
1668     len = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE,
1669      CERT_NAME_ISSUER_FLAG, NULL, NULL, 0);
1670     name = CryptMemAlloc(len * sizeof(WCHAR));
1671     if (name)
1672     {
1673         CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE,
1674          CERT_NAME_ISSUER_FLAG, NULL, name, len);
1675         TRACE_(chain)("issued by %s\n", debugstr_w(name));
1676         CryptMemFree(name);
1677     }
1678     len = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
1679      NULL, 0);
1680     name = CryptMemAlloc(len * sizeof(WCHAR));
1681     if (name)
1682     {
1683         CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
1684          name, len);
1685         TRACE_(chain)("issued to %s\n", debugstr_w(name));
1686         CryptMemFree(name);
1687     }
1688     TRACE_(chain)("valid from %s to %s\n",
1689      debugstr_w(filetime_to_str(&cert->pCertInfo->NotBefore)),
1690      debugstr_w(filetime_to_str(&cert->pCertInfo->NotAfter)));
1691     TRACE_(chain)("%d extensions\n", cert->pCertInfo->cExtension);
1692     for (i = 0; i < cert->pCertInfo->cExtension; i++)
1693         dump_extension(&cert->pCertInfo->rgExtension[i]);
1694 }
1695
1696 static BOOL CRYPT_KeyUsageValid(PCertificateChainEngine engine,
1697  PCCERT_CONTEXT cert, BOOL isRoot, BOOL isCA, DWORD index)
1698 {
1699     PCERT_EXTENSION ext;
1700     BOOL ret;
1701     BYTE usageBits = 0;
1702
1703     ext = CertFindExtension(szOID_KEY_USAGE, cert->pCertInfo->cExtension,
1704      cert->pCertInfo->rgExtension);
1705     if (ext)
1706     {
1707         CRYPT_BIT_BLOB usage;
1708         DWORD size = sizeof(usage);
1709
1710         ret = CryptDecodeObjectEx(cert->dwCertEncodingType, X509_BITS,
1711          ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL,
1712          &usage, &size);
1713         if (!ret)
1714             return FALSE;
1715         else if (usage.cbData > 2)
1716         {
1717             /* The key usage extension only defines 9 bits => no more than 2
1718              * bytes are needed to encode all known usages.
1719              */
1720             return FALSE;
1721         }
1722         else
1723         {
1724             /* The only bit relevant to chain validation is the keyCertSign
1725              * bit, which is always in the least significant byte of the
1726              * key usage bits.
1727              */
1728             usageBits = usage.pbData[usage.cbData - 1];
1729         }
1730     }
1731     if (isCA)
1732     {
1733         if (!ext)
1734         {
1735             /* MS appears to violate RFC 5280, section 4.2.1.3 (Key Usage)
1736              * here.  Quoting the RFC:
1737              * "This [key usage] extension MUST appear in certificates that
1738              * contain public keys that are used to validate digital signatures
1739              * on other public key certificates or CRLs."
1740              * MS appears to accept certs that do not contain key usage
1741              * extensions as CA certs.  V1 and V2 certificates did not have
1742              * extensions, and many root certificates are V1 certificates, so
1743              * perhaps this is prudent.  On the other hand, MS also accepts V3
1744              * certs without key usage extensions.  We are more restrictive:
1745              * we accept locally installed V1 or V2 certs as CA certs.
1746              * We also accept a lack of key usage extension on root certs,
1747              * which is implied in RFC 5280, section 6.1:  the trust anchor's
1748              * only requirement is that it was used to issue the next
1749              * certificate in the chain.
1750              */
1751             if (isRoot)
1752                 ret = TRUE;
1753             else if (cert->pCertInfo->dwVersion == CERT_V1 ||
1754              cert->pCertInfo->dwVersion == CERT_V2)
1755             {
1756                 PCCERT_CONTEXT localCert = CRYPT_FindCertInStore(
1757                  engine->hWorld, cert);
1758
1759                 ret = localCert != NULL;
1760                 CertFreeCertificateContext(localCert);
1761             }
1762             else
1763                 ret = FALSE;
1764             if (!ret)
1765                 WARN_(chain)("no key usage extension on a CA cert\n");
1766         }
1767         else
1768         {
1769             if (!(usageBits & CERT_KEY_CERT_SIGN_KEY_USAGE))
1770             {
1771                 WARN_(chain)("keyCertSign not asserted on a CA cert\n");
1772                 ret = FALSE;
1773             }
1774             else
1775                 ret = TRUE;
1776         }
1777     }
1778     else
1779     {
1780         if (ext && (usageBits & CERT_KEY_CERT_SIGN_KEY_USAGE))
1781         {
1782             WARN_(chain)("keyCertSign asserted on a non-CA cert\n");
1783             ret = FALSE;
1784         }
1785         else
1786             ret = TRUE;
1787     }
1788     return ret;
1789 }
1790
1791 static BOOL CRYPT_CriticalExtensionsSupported(PCCERT_CONTEXT cert)
1792 {
1793     BOOL ret = TRUE;
1794     DWORD i;
1795
1796     for (i = 0; ret && i < cert->pCertInfo->cExtension; i++)
1797     {
1798         if (cert->pCertInfo->rgExtension[i].fCritical)
1799         {
1800             LPCSTR oid = cert->pCertInfo->rgExtension[i].pszObjId;
1801
1802             if (!strcmp(oid, szOID_BASIC_CONSTRAINTS))
1803                 ret = TRUE;
1804             else if (!strcmp(oid, szOID_BASIC_CONSTRAINTS2))
1805                 ret = TRUE;
1806             else if (!strcmp(oid, szOID_NAME_CONSTRAINTS))
1807                 ret = TRUE;
1808             else if (!strcmp(oid, szOID_KEY_USAGE))
1809                 ret = TRUE;
1810             else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME))
1811                 ret = TRUE;
1812             else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME2))
1813                 ret = TRUE;
1814             else if (!strcmp(oid, szOID_CERT_POLICIES))
1815                 ret = TRUE;
1816             else if (!strcmp(oid, szOID_ENHANCED_KEY_USAGE))
1817                 ret = TRUE;
1818             else
1819             {
1820                 FIXME("unsupported critical extension %s\n",
1821                  debugstr_a(oid));
1822                 ret = FALSE;
1823             }
1824         }
1825     }
1826     return ret;
1827 }
1828
1829 static BOOL CRYPT_IsCertVersionValid(PCCERT_CONTEXT cert)
1830 {
1831     BOOL ret = TRUE;
1832
1833     /* Checks whether the contents of the cert match the cert's version. */
1834     switch (cert->pCertInfo->dwVersion)
1835     {
1836     case CERT_V1:
1837         /* A V1 cert may not contain unique identifiers.  See RFC 5280,
1838          * section 4.1.2.8:
1839          * "These fields MUST only appear if the version is 2 or 3 (Section
1840          *  4.1.2.1).  These fields MUST NOT appear if the version is 1."
1841          */
1842         if (cert->pCertInfo->IssuerUniqueId.cbData ||
1843          cert->pCertInfo->SubjectUniqueId.cbData)
1844             ret = FALSE;
1845         /* A V1 cert may not contain extensions.  See RFC 5280, section 4.1.2.9:
1846          * "This field MUST only appear if the version is 3 (Section 4.1.2.1)."
1847          */
1848         if (cert->pCertInfo->cExtension)
1849             ret = FALSE;
1850         break;
1851     case CERT_V2:
1852         /* A V2 cert may not contain extensions.  See RFC 5280, section 4.1.2.9:
1853          * "This field MUST only appear if the version is 3 (Section 4.1.2.1)."
1854          */
1855         if (cert->pCertInfo->cExtension)
1856             ret = FALSE;
1857         break;
1858     case CERT_V3:
1859         /* Do nothing, all fields are allowed for V3 certs */
1860         break;
1861     default:
1862         WARN_(chain)("invalid cert version %d\n", cert->pCertInfo->dwVersion);
1863         ret = FALSE;
1864     }
1865     return ret;
1866 }
1867
1868 static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
1869  PCERT_SIMPLE_CHAIN chain, LPFILETIME time)
1870 {
1871     PCERT_CHAIN_ELEMENT rootElement = chain->rgpElement[chain->cElement - 1];
1872     int i;
1873     BOOL pathLengthConstraintViolated = FALSE;
1874     CERT_BASIC_CONSTRAINTS2_INFO constraints = { FALSE, FALSE, 0 };
1875
1876     TRACE_(chain)("checking chain with %d elements for time %s\n",
1877      chain->cElement, debugstr_w(filetime_to_str(time)));
1878     for (i = chain->cElement - 1; i >= 0; i--)
1879     {
1880         BOOL isRoot;
1881
1882         if (TRACE_ON(chain))
1883             dump_element(chain->rgpElement[i]->pCertContext);
1884         if (i == chain->cElement - 1)
1885             isRoot = CRYPT_IsCertificateSelfSigned(
1886              chain->rgpElement[i]->pCertContext);
1887         else
1888             isRoot = FALSE;
1889         if (!CRYPT_IsCertVersionValid(chain->rgpElement[i]->pCertContext))
1890         {
1891             /* MS appears to accept certs whose versions don't match their
1892              * contents, so there isn't an appropriate error code.
1893              */
1894             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1895              CERT_TRUST_INVALID_EXTENSION;
1896         }
1897         if (CertVerifyTimeValidity(time,
1898          chain->rgpElement[i]->pCertContext->pCertInfo) != 0)
1899             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1900              CERT_TRUST_IS_NOT_TIME_VALID;
1901         if (i != 0)
1902         {
1903             /* Check the signature of the cert this issued */
1904             if (!CryptVerifyCertificateSignatureEx(0, X509_ASN_ENCODING,
1905              CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
1906              (void *)chain->rgpElement[i - 1]->pCertContext,
1907              CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
1908              (void *)chain->rgpElement[i]->pCertContext, 0, NULL))
1909                 chain->rgpElement[i - 1]->TrustStatus.dwErrorStatus |=
1910                  CERT_TRUST_IS_NOT_SIGNATURE_VALID;
1911             /* Once a path length constraint has been violated, every remaining
1912              * CA cert's basic constraints is considered invalid.
1913              */
1914             if (pathLengthConstraintViolated)
1915                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1916                  CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1917             else if (!CRYPT_CheckBasicConstraintsForCA(engine,
1918              chain->rgpElement[i]->pCertContext, &constraints, i - 1, isRoot,
1919              &pathLengthConstraintViolated))
1920                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1921                  CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1922             else if (constraints.fPathLenConstraint &&
1923              constraints.dwPathLenConstraint)
1924             {
1925                 /* This one's valid - decrement max length */
1926                 constraints.dwPathLenConstraint--;
1927             }
1928         }
1929         else
1930         {
1931             /* Check whether end cert has a basic constraints extension */
1932             if (!CRYPT_DecodeBasicConstraints(
1933              chain->rgpElement[i]->pCertContext, &constraints, FALSE))
1934                 chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1935                  CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1936         }
1937         if (!CRYPT_KeyUsageValid(engine, chain->rgpElement[i]->pCertContext,
1938          isRoot, constraints.fCA, i))
1939             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1940              CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
1941         if (CRYPT_IsSimpleChainCyclic(chain))
1942         {
1943             /* If the chain is cyclic, then the path length constraints
1944              * are violated, because the chain is infinitely long.
1945              */
1946             pathLengthConstraintViolated = TRUE;
1947             chain->TrustStatus.dwErrorStatus |=
1948              CERT_TRUST_IS_PARTIAL_CHAIN |
1949              CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
1950         }
1951         /* Check whether every critical extension is supported */
1952         if (!CRYPT_CriticalExtensionsSupported(
1953          chain->rgpElement[i]->pCertContext))
1954             chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
1955              CERT_TRUST_INVALID_EXTENSION;
1956         CRYPT_CombineTrustStatus(&chain->TrustStatus,
1957          &chain->rgpElement[i]->TrustStatus);
1958     }
1959     CRYPT_CheckChainNameConstraints(chain);
1960     CRYPT_CheckChainPolicies(chain);
1961     if (CRYPT_IsCertificateSelfSigned(rootElement->pCertContext))
1962     {
1963         rootElement->TrustStatus.dwInfoStatus |=
1964          CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER;
1965         CRYPT_CheckRootCert(engine->hRoot, rootElement);
1966     }
1967     CRYPT_CombineTrustStatus(&chain->TrustStatus, &rootElement->TrustStatus);
1968 }
1969
1970 static PCCERT_CONTEXT CRYPT_GetIssuer(HCERTSTORE store, PCCERT_CONTEXT subject,
1971  PCCERT_CONTEXT prevIssuer, DWORD *infoStatus)
1972 {
1973     PCCERT_CONTEXT issuer = NULL;
1974     PCERT_EXTENSION ext;
1975     DWORD size;
1976
1977     *infoStatus = 0;
1978     if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
1979      subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
1980     {
1981         CERT_AUTHORITY_KEY_ID_INFO *info;
1982         BOOL ret;
1983
1984         ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
1985          X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
1986          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
1987          &info, &size);
1988         if (ret)
1989         {
1990             CERT_ID id;
1991
1992             if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
1993             {
1994                 id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
1995                 memcpy(&id.u.IssuerSerialNumber.Issuer, &info->CertIssuer,
1996                  sizeof(CERT_NAME_BLOB));
1997                 memcpy(&id.u.IssuerSerialNumber.SerialNumber,
1998                  &info->CertSerialNumber, sizeof(CRYPT_INTEGER_BLOB));
1999                 issuer = CertFindCertificateInStore(store,
2000                  subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
2001                  prevIssuer);
2002                 if (issuer)
2003                 {
2004                     TRACE_(chain)("issuer found by issuer/serial number\n");
2005                     *infoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER;
2006                 }
2007             }
2008             else if (info->KeyId.cbData)
2009             {
2010                 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
2011                 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
2012                 issuer = CertFindCertificateInStore(store,
2013                  subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
2014                  prevIssuer);
2015                 if (issuer)
2016                 {
2017                     TRACE_(chain)("issuer found by key id\n");
2018                     *infoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
2019                 }
2020             }
2021             LocalFree(info);
2022         }
2023     }
2024     else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
2025      subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
2026     {
2027         CERT_AUTHORITY_KEY_ID2_INFO *info;
2028         BOOL ret;
2029
2030         ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
2031          X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
2032          CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
2033          &info, &size);
2034         if (ret)
2035         {
2036             CERT_ID id;
2037
2038             if (info->AuthorityCertIssuer.cAltEntry &&
2039              info->AuthorityCertSerialNumber.cbData)
2040             {
2041                 PCERT_ALT_NAME_ENTRY directoryName = NULL;
2042                 DWORD i;
2043
2044                 for (i = 0; !directoryName &&
2045                  i < info->AuthorityCertIssuer.cAltEntry; i++)
2046                     if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
2047                      == CERT_ALT_NAME_DIRECTORY_NAME)
2048                         directoryName =
2049                          &info->AuthorityCertIssuer.rgAltEntry[i];
2050                 if (directoryName)
2051                 {
2052                     id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
2053                     memcpy(&id.u.IssuerSerialNumber.Issuer,
2054                      &directoryName->u.DirectoryName, sizeof(CERT_NAME_BLOB));
2055                     memcpy(&id.u.IssuerSerialNumber.SerialNumber,
2056                      &info->AuthorityCertSerialNumber,
2057                      sizeof(CRYPT_INTEGER_BLOB));
2058                     issuer = CertFindCertificateInStore(store,
2059                      subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
2060                      prevIssuer);
2061                     if (issuer)
2062                     {
2063                         TRACE_(chain)("issuer found by directory name\n");
2064                         *infoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER;
2065                     }
2066                 }
2067                 else
2068                     FIXME("no supported name type in authority key id2\n");
2069             }
2070             else if (info->KeyId.cbData)
2071             {
2072                 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
2073                 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
2074                 issuer = CertFindCertificateInStore(store,
2075                  subject->dwCertEncodingType, 0, CERT_FIND_CERT_ID, &id,
2076                  prevIssuer);
2077                 if (issuer)
2078                 {
2079                     TRACE_(chain)("issuer found by key id\n");
2080                     *infoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
2081                 }
2082             }
2083             LocalFree(info);
2084         }
2085     }
2086     else
2087     {
2088         issuer = CertFindCertificateInStore(store,
2089          subject->dwCertEncodingType, 0, CERT_FIND_SUBJECT_NAME,
2090          &subject->pCertInfo->Issuer, prevIssuer);
2091         TRACE_(chain)("issuer found by name\n");
2092         *infoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
2093     }
2094     return issuer;
2095 }
2096
2097 /* Builds a simple chain by finding an issuer for the last cert in the chain,
2098  * until reaching a self-signed cert, or until no issuer can be found.
2099  */
2100 static BOOL CRYPT_BuildSimpleChain(const CertificateChainEngine *engine,
2101  HCERTSTORE world, PCERT_SIMPLE_CHAIN chain)
2102 {
2103     BOOL ret = TRUE;
2104     PCCERT_CONTEXT cert = chain->rgpElement[chain->cElement - 1]->pCertContext;
2105
2106     while (ret && !CRYPT_IsSimpleChainCyclic(chain) &&
2107      !CRYPT_IsCertificateSelfSigned(cert))
2108     {
2109         PCCERT_CONTEXT issuer = CRYPT_GetIssuer(world, cert, NULL,
2110          &chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
2111
2112         if (issuer)
2113         {
2114             ret = CRYPT_AddCertToSimpleChain(engine, chain, issuer,
2115              chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
2116             /* CRYPT_AddCertToSimpleChain add-ref's the issuer, so free it to
2117              * close the enumeration that found it
2118              */
2119             CertFreeCertificateContext(issuer);
2120             cert = issuer;
2121         }
2122         else
2123         {
2124             TRACE_(chain)("Couldn't find issuer, halting chain creation\n");
2125             chain->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_PARTIAL_CHAIN;
2126             break;
2127         }
2128     }
2129     return ret;
2130 }
2131
2132 static BOOL CRYPT_GetSimpleChainForCert(PCertificateChainEngine engine,
2133  HCERTSTORE world, PCCERT_CONTEXT cert, LPFILETIME pTime,
2134  PCERT_SIMPLE_CHAIN *ppChain)
2135 {
2136     BOOL ret = FALSE;
2137     PCERT_SIMPLE_CHAIN chain;
2138
2139     TRACE("(%p, %p, %p, %p)\n", engine, world, cert, pTime);
2140
2141     chain = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
2142     if (chain)
2143     {
2144         memset(chain, 0, sizeof(CERT_SIMPLE_CHAIN));
2145         chain->cbSize = sizeof(CERT_SIMPLE_CHAIN);
2146         ret = CRYPT_AddCertToSimpleChain(engine, chain, cert, 0);
2147         if (ret)
2148         {
2149             ret = CRYPT_BuildSimpleChain(engine, world, chain);
2150             if (ret)
2151                 CRYPT_CheckSimpleChain(engine, chain, pTime);
2152         }
2153         if (!ret)
2154         {
2155             CRYPT_FreeSimpleChain(chain);
2156             chain = NULL;
2157         }
2158         *ppChain = chain;
2159     }
2160     return ret;
2161 }
2162
2163 static BOOL CRYPT_BuildCandidateChainFromCert(HCERTCHAINENGINE hChainEngine,
2164  PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
2165  PCertificateChain *ppChain)
2166 {
2167     PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
2168     PCERT_SIMPLE_CHAIN simpleChain = NULL;
2169     HCERTSTORE world;
2170     BOOL ret;
2171
2172     world = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
2173      CERT_STORE_CREATE_NEW_FLAG, NULL);
2174     CertAddStoreToCollection(world, engine->hWorld, 0, 0);
2175     if (hAdditionalStore)
2176         CertAddStoreToCollection(world, hAdditionalStore, 0, 0);
2177     /* FIXME: only simple chains are supported for now, as CTLs aren't
2178      * supported yet.
2179      */
2180     if ((ret = CRYPT_GetSimpleChainForCert(engine, world, cert, pTime,
2181      &simpleChain)))
2182     {
2183         PCertificateChain chain = CryptMemAlloc(sizeof(CertificateChain));
2184
2185         if (chain)
2186         {
2187             chain->ref = 1;
2188             chain->world = world;
2189             chain->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
2190             chain->context.TrustStatus = simpleChain->TrustStatus;
2191             chain->context.cChain = 1;
2192             chain->context.rgpChain = CryptMemAlloc(sizeof(PCERT_SIMPLE_CHAIN));
2193             chain->context.rgpChain[0] = simpleChain;
2194             chain->context.cLowerQualityChainContext = 0;
2195             chain->context.rgpLowerQualityChainContext = NULL;
2196             chain->context.fHasRevocationFreshnessTime = FALSE;
2197             chain->context.dwRevocationFreshnessTime = 0;
2198         }
2199         else
2200             ret = FALSE;
2201         *ppChain = chain;
2202     }
2203     return ret;
2204 }
2205
2206 /* Makes and returns a copy of chain, up to and including element iElement. */
2207 static PCERT_SIMPLE_CHAIN CRYPT_CopySimpleChainToElement(
2208  const CERT_SIMPLE_CHAIN *chain, DWORD iElement)
2209 {
2210     PCERT_SIMPLE_CHAIN copy = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
2211
2212     if (copy)
2213     {
2214         memset(copy, 0, sizeof(CERT_SIMPLE_CHAIN));
2215         copy->cbSize = sizeof(CERT_SIMPLE_CHAIN);
2216         copy->rgpElement =
2217          CryptMemAlloc((iElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
2218         if (copy->rgpElement)
2219         {
2220             DWORD i;
2221             BOOL ret = TRUE;
2222
2223             memset(copy->rgpElement, 0,
2224              (iElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
2225             for (i = 0; ret && i <= iElement; i++)
2226             {
2227                 PCERT_CHAIN_ELEMENT element =
2228                  CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
2229
2230                 if (element)
2231                 {
2232                     *element = *chain->rgpElement[i];
2233                     element->pCertContext = CertDuplicateCertificateContext(
2234                      chain->rgpElement[i]->pCertContext);
2235                     /* Reset the trust status of the copied element, it'll get
2236                      * rechecked after the new chain is done.
2237                      */
2238                     memset(&element->TrustStatus, 0, sizeof(CERT_TRUST_STATUS));
2239                     copy->rgpElement[copy->cElement++] = element;
2240                 }
2241                 else
2242                     ret = FALSE;
2243             }
2244             if (!ret)
2245             {
2246                 for (i = 0; i <= iElement; i++)
2247                     CryptMemFree(copy->rgpElement[i]);
2248                 CryptMemFree(copy->rgpElement);
2249                 CryptMemFree(copy);
2250                 copy = NULL;
2251             }
2252         }
2253         else
2254         {
2255             CryptMemFree(copy);
2256             copy = NULL;
2257         }
2258     }
2259     return copy;
2260 }
2261
2262 static void CRYPT_FreeLowerQualityChains(PCertificateChain chain)
2263 {
2264     DWORD i;
2265
2266     for (i = 0; i < chain->context.cLowerQualityChainContext; i++)
2267         CertFreeCertificateChain(chain->context.rgpLowerQualityChainContext[i]);
2268     CryptMemFree(chain->context.rgpLowerQualityChainContext);
2269     chain->context.cLowerQualityChainContext = 0;
2270     chain->context.rgpLowerQualityChainContext = NULL;
2271 }
2272
2273 static void CRYPT_FreeChainContext(PCertificateChain chain)
2274 {
2275     DWORD i;
2276
2277     CRYPT_FreeLowerQualityChains(chain);
2278     for (i = 0; i < chain->context.cChain; i++)
2279         CRYPT_FreeSimpleChain(chain->context.rgpChain[i]);
2280     CryptMemFree(chain->context.rgpChain);
2281     CertCloseStore(chain->world, 0);
2282     CryptMemFree(chain);
2283 }
2284
2285 /* Makes and returns a copy of chain, up to and including element iElement of
2286  * simple chain iChain.
2287  */
2288 static PCertificateChain CRYPT_CopyChainToElement(PCertificateChain chain,
2289  DWORD iChain, DWORD iElement)
2290 {
2291     PCertificateChain copy = CryptMemAlloc(sizeof(CertificateChain));
2292
2293     if (copy)
2294     {
2295         copy->ref = 1;
2296         copy->world = CertDuplicateStore(chain->world);
2297         copy->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
2298         /* Leave the trust status of the copied chain unset, it'll get
2299          * rechecked after the new chain is done.
2300          */
2301         memset(&copy->context.TrustStatus, 0, sizeof(CERT_TRUST_STATUS));
2302         copy->context.cLowerQualityChainContext = 0;
2303         copy->context.rgpLowerQualityChainContext = NULL;
2304         copy->context.fHasRevocationFreshnessTime = FALSE;
2305         copy->context.dwRevocationFreshnessTime = 0;
2306         copy->context.rgpChain = CryptMemAlloc(
2307          (iChain + 1) * sizeof(PCERT_SIMPLE_CHAIN));
2308         if (copy->context.rgpChain)
2309         {
2310             BOOL ret = TRUE;
2311             DWORD i;
2312
2313             memset(copy->context.rgpChain, 0,
2314              (iChain + 1) * sizeof(PCERT_SIMPLE_CHAIN));
2315             if (iChain)
2316             {
2317                 for (i = 0; ret && iChain && i < iChain - 1; i++)
2318                 {
2319                     copy->context.rgpChain[i] =
2320                      CRYPT_CopySimpleChainToElement(chain->context.rgpChain[i],
2321                      chain->context.rgpChain[i]->cElement - 1);
2322                     if (!copy->context.rgpChain[i])
2323                         ret = FALSE;
2324                 }
2325             }
2326             else
2327                 i = 0;
2328             if (ret)
2329             {
2330                 copy->context.rgpChain[i] =
2331                  CRYPT_CopySimpleChainToElement(chain->context.rgpChain[i],
2332                  iElement);
2333                 if (!copy->context.rgpChain[i])
2334                     ret = FALSE;
2335             }
2336             if (!ret)
2337             {
2338                 CRYPT_FreeChainContext(copy);
2339                 copy = NULL;
2340             }
2341             else
2342                 copy->context.cChain = iChain + 1;
2343         }
2344         else
2345         {
2346             CryptMemFree(copy);
2347             copy = NULL;
2348         }
2349     }
2350     return copy;
2351 }
2352
2353 static PCertificateChain CRYPT_BuildAlternateContextFromChain(
2354  HCERTCHAINENGINE hChainEngine, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
2355  PCertificateChain chain)
2356 {
2357     PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
2358     PCertificateChain alternate;
2359
2360     TRACE("(%p, %p, %p, %p)\n", hChainEngine, pTime, hAdditionalStore, chain);
2361
2362     /* Always start with the last "lower quality" chain to ensure a consistent
2363      * order of alternate creation:
2364      */
2365     if (chain->context.cLowerQualityChainContext)
2366         chain = (PCertificateChain)chain->context.rgpLowerQualityChainContext[
2367          chain->context.cLowerQualityChainContext - 1];
2368     /* A chain with only one element can't have any alternates */
2369     if (chain->context.cChain <= 1 && chain->context.rgpChain[0]->cElement <= 1)
2370         alternate = NULL;
2371     else
2372     {
2373         DWORD i, j, infoStatus;
2374         PCCERT_CONTEXT alternateIssuer = NULL;
2375
2376         alternate = NULL;
2377         for (i = 0; !alternateIssuer && i < chain->context.cChain; i++)
2378             for (j = 0; !alternateIssuer &&
2379              j < chain->context.rgpChain[i]->cElement - 1; j++)
2380             {
2381                 PCCERT_CONTEXT subject =
2382                  chain->context.rgpChain[i]->rgpElement[j]->pCertContext;
2383                 PCCERT_CONTEXT prevIssuer = CertDuplicateCertificateContext(
2384                  chain->context.rgpChain[i]->rgpElement[j + 1]->pCertContext);
2385
2386                 alternateIssuer = CRYPT_GetIssuer(prevIssuer->hCertStore,
2387                  subject, prevIssuer, &infoStatus);
2388             }
2389         if (alternateIssuer)
2390         {
2391             i--;
2392             j--;
2393             alternate = CRYPT_CopyChainToElement(chain, i, j);
2394             if (alternate)
2395             {
2396                 BOOL ret = CRYPT_AddCertToSimpleChain(engine,
2397                  alternate->context.rgpChain[i], alternateIssuer, infoStatus);
2398
2399                 /* CRYPT_AddCertToSimpleChain add-ref's the issuer, so free it
2400                  * to close the enumeration that found it
2401                  */
2402                 CertFreeCertificateContext(alternateIssuer);
2403                 if (ret)
2404                 {
2405                     ret = CRYPT_BuildSimpleChain(engine, alternate->world,
2406                      alternate->context.rgpChain[i]);
2407                     if (ret)
2408                         CRYPT_CheckSimpleChain(engine,
2409                          alternate->context.rgpChain[i], pTime);
2410                     CRYPT_CombineTrustStatus(&alternate->context.TrustStatus,
2411                      &alternate->context.rgpChain[i]->TrustStatus);
2412                 }
2413                 if (!ret)
2414                 {
2415                     CRYPT_FreeChainContext(alternate);
2416                     alternate = NULL;
2417                 }
2418             }
2419         }
2420     }
2421     TRACE("%p\n", alternate);
2422     return alternate;
2423 }
2424
2425 #define CHAIN_QUALITY_SIGNATURE_VALID   0x16
2426 #define CHAIN_QUALITY_TIME_VALID        8
2427 #define CHAIN_QUALITY_COMPLETE_CHAIN    4
2428 #define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
2429 #define CHAIN_QUALITY_TRUSTED_ROOT      1
2430
2431 #define CHAIN_QUALITY_HIGHEST \
2432  CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
2433  CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
2434  CHAIN_QUALITY_TRUSTED_ROOT
2435
2436 #define IS_TRUST_ERROR_SET(TrustStatus, bits) \
2437  (TrustStatus)->dwErrorStatus & (bits)
2438
2439 static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
2440 {
2441     DWORD quality = CHAIN_QUALITY_HIGHEST;
2442
2443     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2444      CERT_TRUST_IS_UNTRUSTED_ROOT))
2445         quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
2446     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2447      CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
2448         quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
2449     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2450      CERT_TRUST_IS_PARTIAL_CHAIN))
2451         quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;
2452     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2453      CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_NESTED))
2454         quality &= ~CHAIN_QUALITY_TIME_VALID;
2455     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
2456      CERT_TRUST_IS_NOT_SIGNATURE_VALID))
2457         quality &= ~CHAIN_QUALITY_SIGNATURE_VALID;
2458     return quality;
2459 }
2460
2461 /* Chooses the highest quality chain among chain and its "lower quality"
2462  * alternate chains.  Returns the highest quality chain, with all other
2463  * chains as lower quality chains of it.
2464  */
2465 static PCertificateChain CRYPT_ChooseHighestQualityChain(
2466  PCertificateChain chain)
2467 {
2468     DWORD i;
2469
2470     /* There are always only two chains being considered:  chain, and an
2471      * alternate at chain->rgpLowerQualityChainContext[i].  If the alternate
2472      * has a higher quality than chain, the alternate gets assigned the lower
2473      * quality contexts, with chain taking the alternate's place among the
2474      * lower quality contexts.
2475      */
2476     for (i = 0; i < chain->context.cLowerQualityChainContext; i++)
2477     {
2478         PCertificateChain alternate =
2479          (PCertificateChain)chain->context.rgpLowerQualityChainContext[i];
2480
2481         if (CRYPT_ChainQuality(alternate) > CRYPT_ChainQuality(chain))
2482         {
2483             alternate->context.cLowerQualityChainContext =
2484              chain->context.cLowerQualityChainContext;
2485             alternate->context.rgpLowerQualityChainContext =
2486              chain->context.rgpLowerQualityChainContext;
2487             alternate->context.rgpLowerQualityChainContext[i] =
2488              (PCCERT_CHAIN_CONTEXT)chain;
2489             chain->context.cLowerQualityChainContext = 0;
2490             chain->context.rgpLowerQualityChainContext = NULL;
2491             chain = alternate;
2492         }
2493     }
2494     return chain;
2495 }
2496
2497 static BOOL CRYPT_AddAlternateChainToChain(PCertificateChain chain,
2498  const CertificateChain *alternate)
2499 {
2500     BOOL ret;
2501
2502     if (chain->context.cLowerQualityChainContext)
2503         chain->context.rgpLowerQualityChainContext =
2504          CryptMemRealloc(chain->context.rgpLowerQualityChainContext,
2505          (chain->context.cLowerQualityChainContext + 1) *
2506          sizeof(PCCERT_CHAIN_CONTEXT));
2507     else
2508         chain->context.rgpLowerQualityChainContext =
2509          CryptMemAlloc(sizeof(PCCERT_CHAIN_CONTEXT));
2510     if (chain->context.rgpLowerQualityChainContext)
2511     {
2512         chain->context.rgpLowerQualityChainContext[
2513          chain->context.cLowerQualityChainContext++] =
2514          (PCCERT_CHAIN_CONTEXT)alternate;
2515         ret = TRUE;
2516     }
2517     else
2518         ret = FALSE;
2519     return ret;
2520 }
2521
2522 static PCERT_CHAIN_ELEMENT CRYPT_FindIthElementInChain(
2523  const CERT_CHAIN_CONTEXT *chain, DWORD i)
2524 {
2525     DWORD j, iElement;
2526     PCERT_CHAIN_ELEMENT element = NULL;
2527
2528     for (j = 0, iElement = 0; !element && j < chain->cChain; j++)
2529     {
2530         if (iElement + chain->rgpChain[j]->cElement < i)
2531             iElement += chain->rgpChain[j]->cElement;
2532         else
2533             element = chain->rgpChain[j]->rgpElement[i - iElement];
2534     }
2535     return element;
2536 }
2537
2538 typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS {
2539     DWORD            cbSize;
2540     CERT_USAGE_MATCH RequestedUsage;
2541 } CERT_CHAIN_PARA_NO_EXTRA_FIELDS, *PCERT_CHAIN_PARA_NO_EXTRA_FIELDS;
2542
2543 static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain,
2544  LPFILETIME pTime, const CERT_CHAIN_PARA *pChainPara, DWORD chainFlags)
2545 {
2546     DWORD cContext;
2547
2548     if (chainFlags & CERT_CHAIN_REVOCATION_CHECK_END_CERT)
2549         cContext = 1;
2550     else if ((chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN) ||
2551      (chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT))
2552     {
2553         DWORD i;
2554
2555         for (i = 0, cContext = 0; i < chain->cChain; i++)
2556         {
2557             if (i < chain->cChain - 1 ||
2558              chainFlags & CERT_CHAIN_REVOCATION_CHECK_CHAIN)
2559                 cContext += chain->rgpChain[i]->cElement;
2560             else
2561                 cContext += chain->rgpChain[i]->cElement - 1;
2562         }
2563     }
2564     else
2565         cContext = 0;
2566     if (cContext)
2567     {
2568         PCCERT_CONTEXT *contexts =
2569          CryptMemAlloc(cContext * sizeof(PCCERT_CONTEXT));
2570
2571         if (contexts)
2572         {
2573             DWORD i, j, iContext, revocationFlags;
2574             CERT_REVOCATION_PARA revocationPara = { sizeof(revocationPara), 0 };
2575             CERT_REVOCATION_STATUS revocationStatus =
2576              { sizeof(revocationStatus), 0 };
2577             BOOL ret;
2578
2579             for (i = 0, iContext = 0; iContext < cContext && i < chain->cChain;
2580              i++)
2581             {
2582                 for (j = 0; iContext < cContext &&
2583                  j < chain->rgpChain[i]->cElement; j++)
2584                     contexts[iContext++] =
2585                      chain->rgpChain[i]->rgpElement[j]->pCertContext;
2586             }
2587             revocationFlags = CERT_VERIFY_REV_CHAIN_FLAG;
2588             if (chainFlags & CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY)
2589                 revocationFlags |= CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION;
2590             if (chainFlags & CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT)
2591                 revocationFlags |= CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG;
2592             revocationPara.pftTimeToUse = pTime;
2593             if (pChainPara->cbSize == sizeof(CERT_CHAIN_PARA))
2594             {
2595                 revocationPara.dwUrlRetrievalTimeout =
2596                  pChainPara->dwUrlRetrievalTimeout;
2597                 revocationPara.fCheckFreshnessTime =
2598                  pChainPara->fCheckRevocationFreshnessTime;
2599                 revocationPara.dwFreshnessTime =
2600                  pChainPara->dwRevocationFreshnessTime;
2601             }
2602             ret = CertVerifyRevocation(X509_ASN_ENCODING,
2603              CERT_CONTEXT_REVOCATION_TYPE, cContext, (void **)contexts,
2604              revocationFlags, &revocationPara, &revocationStatus);
2605             if (!ret)
2606             {
2607                 PCERT_CHAIN_ELEMENT element =
2608                  CRYPT_FindIthElementInChain(chain, revocationStatus.dwIndex);
2609                 DWORD error;
2610
2611                 switch (revocationStatus.dwError)
2612                 {
2613                 case CRYPT_E_NO_REVOCATION_CHECK:
2614                 case CRYPT_E_NO_REVOCATION_DLL:
2615                 case CRYPT_E_NOT_IN_REVOCATION_DATABASE:
2616                     /* If the revocation status is unknown, it's assumed to be
2617                      * offline too.
2618                      */
2619                     error = CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
2620                      CERT_TRUST_IS_OFFLINE_REVOCATION;
2621                     break;
2622                 case CRYPT_E_REVOCATION_OFFLINE:
2623                     error = CERT_TRUST_IS_OFFLINE_REVOCATION;
2624                     break;
2625                 case CRYPT_E_REVOKED:
2626                     error = CERT_TRUST_IS_REVOKED;
2627                     break;
2628                 default:
2629                     WARN("unmapped error %08x\n", revocationStatus.dwError);
2630                     error = 0;
2631                 }
2632                 if (element)
2633                 {
2634                     /* FIXME: set element's pRevocationInfo member */
2635                     element->TrustStatus.dwErrorStatus |= error;
2636                 }
2637                 chain->TrustStatus.dwErrorStatus |= error;
2638             }
2639             CryptMemFree(contexts);
2640         }
2641     }
2642 }
2643
2644 static void CRYPT_CheckUsages(PCERT_CHAIN_CONTEXT chain,
2645  const CERT_CHAIN_PARA *pChainPara)
2646 {
2647     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA_NO_EXTRA_FIELDS) &&
2648      pChainPara->RequestedUsage.Usage.cUsageIdentifier)
2649     {
2650         PCCERT_CONTEXT endCert;
2651         PCERT_EXTENSION ext;
2652         BOOL validForUsage;
2653
2654         /* A chain, if created, always includes the end certificate */
2655         endCert = chain->rgpChain[0]->rgpElement[0]->pCertContext;
2656         /* The extended key usage extension specifies how a certificate's
2657          * public key may be used.  From RFC 5280, section 4.2.1.12:
2658          * "This extension indicates one or more purposes for which the
2659          *  certified public key may be used, in addition to or in place of the
2660          *  basic purposes indicated in the key usage extension."
2661          * If the extension is present, it only satisfies the requested usage
2662          * if that usage is included in the extension:
2663          * "If the extension is present, then the certificate MUST only be used
2664          *  for one of the purposes indicated."
2665          * There is also the special anyExtendedKeyUsage OID, but it doesn't
2666          * have to be respected:
2667          * "Applications that require the presence of a particular purpose
2668          *  MAY reject certificates that include the anyExtendedKeyUsage OID
2669          *  but not the particular OID expected for the application."
2670          * For now, I'm being more conservative and ignoring the presence of
2671          * the anyExtendedKeyUsage OID.
2672          */
2673         if ((ext = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
2674          endCert->pCertInfo->cExtension, endCert->pCertInfo->rgExtension)))
2675         {
2676             const CERT_ENHKEY_USAGE *requestedUsage =
2677              &pChainPara->RequestedUsage.Usage;
2678             CERT_ENHKEY_USAGE *usage;
2679             DWORD size;
2680
2681             if (CryptDecodeObjectEx(X509_ASN_ENCODING,
2682              X509_ENHANCED_KEY_USAGE, ext->Value.pbData, ext->Value.cbData,
2683              CRYPT_DECODE_ALLOC_FLAG, NULL, &usage, &size))
2684             {
2685                 if (pChainPara->RequestedUsage.dwType == USAGE_MATCH_TYPE_AND)
2686                 {
2687                     DWORD i, j;
2688
2689                     /* For AND matches, all usages must be present */
2690                     validForUsage = TRUE;
2691                     for (i = 0; validForUsage &&
2692                      i < requestedUsage->cUsageIdentifier; i++)
2693                     {
2694                         BOOL match = FALSE;
2695
2696                         for (j = 0; !match && j < usage->cUsageIdentifier; j++)
2697                             match = !strcmp(usage->rgpszUsageIdentifier[j],
2698                              requestedUsage->rgpszUsageIdentifier[i]);
2699                         if (!match)
2700                             validForUsage = FALSE;
2701                     }
2702                 }
2703                 else
2704                 {
2705                     DWORD i, j;
2706
2707                     /* For OR matches, any matching usage suffices */
2708                     validForUsage = FALSE;
2709                     for (i = 0; !validForUsage &&
2710                      i < requestedUsage->cUsageIdentifier; i++)
2711                     {
2712                         for (j = 0; !validForUsage &&
2713                          j < usage->cUsageIdentifier; j++)
2714                             validForUsage =
2715                              !strcmp(usage->rgpszUsageIdentifier[j],
2716                              requestedUsage->rgpszUsageIdentifier[i]);
2717                     }
2718                 }
2719                 LocalFree(usage);
2720             }
2721             else
2722                 validForUsage = FALSE;
2723         }
2724         else
2725         {
2726             /* If the extension isn't present, any interpretation is valid:
2727              * "Certificate using applications MAY require that the extended
2728              *  key usage extension be present and that a particular purpose
2729              *  be indicated in order for the certificate to be acceptable to
2730              *  that application."
2731              * Not all web sites include the extended key usage extension, so
2732              * accept chains without it.
2733              */
2734             TRACE_(chain)("requested usage from certificate with no usages\n");
2735             validForUsage = TRUE;
2736         }
2737         if (!validForUsage)
2738         {
2739             chain->TrustStatus.dwErrorStatus |=
2740              CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
2741             chain->rgpChain[0]->rgpElement[0]->TrustStatus.dwErrorStatus |=
2742              CERT_TRUST_IS_NOT_VALID_FOR_USAGE;
2743         }
2744     }
2745     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA) &&
2746      pChainPara->RequestedIssuancePolicy.Usage.cUsageIdentifier)
2747         FIXME("unimplemented for RequestedIssuancePolicy\n");
2748 }
2749
2750 static void dump_usage_match(LPCSTR name, const CERT_USAGE_MATCH *usageMatch)
2751 {
2752     if (usageMatch->Usage.cUsageIdentifier)
2753     {
2754         DWORD i;
2755
2756         TRACE_(chain)("%s: %s\n", name,
2757          usageMatch->dwType == USAGE_MATCH_TYPE_AND ? "AND" : "OR");
2758         for (i = 0; i < usageMatch->Usage.cUsageIdentifier; i++)
2759             TRACE_(chain)("%s\n", usageMatch->Usage.rgpszUsageIdentifier[i]);
2760     }
2761 }
2762
2763 static void dump_chain_para(const CERT_CHAIN_PARA *pChainPara)
2764 {
2765     TRACE_(chain)("%d\n", pChainPara->cbSize);
2766     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA_NO_EXTRA_FIELDS))
2767         dump_usage_match("RequestedUsage", &pChainPara->RequestedUsage);
2768     if (pChainPara->cbSize >= sizeof(CERT_CHAIN_PARA))
2769     {
2770         dump_usage_match("RequestedIssuancePolicy",
2771          &pChainPara->RequestedIssuancePolicy);
2772         TRACE_(chain)("%d\n", pChainPara->dwUrlRetrievalTimeout);
2773         TRACE_(chain)("%d\n", pChainPara->fCheckRevocationFreshnessTime);
2774         TRACE_(chain)("%d\n", pChainPara->dwRevocationFreshnessTime);
2775     }
2776 }
2777
2778 BOOL WINAPI CertGetCertificateChain(HCERTCHAINENGINE hChainEngine,
2779  PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
2780  PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved,
2781  PCCERT_CHAIN_CONTEXT* ppChainContext)
2782 {
2783     BOOL ret;
2784     PCertificateChain chain = NULL;
2785
2786     TRACE("(%p, %p, %p, %p, %p, %08x, %p, %p)\n", hChainEngine, pCertContext,
2787      pTime, hAdditionalStore, pChainPara, dwFlags, pvReserved, ppChainContext);
2788
2789     if (ppChainContext)
2790         *ppChainContext = NULL;
2791     if (!pChainPara)
2792     {
2793         SetLastError(E_INVALIDARG);
2794         return FALSE;
2795     }
2796     if (!pCertContext->pCertInfo->SignatureAlgorithm.pszObjId)
2797     {
2798         SetLastError(ERROR_INVALID_DATA);
2799         return FALSE;
2800     }
2801
2802     if (!hChainEngine)
2803         hChainEngine = CRYPT_GetDefaultChainEngine();
2804     if (TRACE_ON(chain))
2805         dump_chain_para(pChainPara);
2806     /* FIXME: what about HCCE_LOCAL_MACHINE? */
2807     ret = CRYPT_BuildCandidateChainFromCert(hChainEngine, pCertContext, pTime,
2808      hAdditionalStore, &chain);
2809     if (ret)
2810     {
2811         PCertificateChain alternate = NULL;
2812         PCERT_CHAIN_CONTEXT pChain;
2813
2814         do {
2815             alternate = CRYPT_BuildAlternateContextFromChain(hChainEngine,
2816              pTime, hAdditionalStore, chain);
2817
2818             /* Alternate contexts are added as "lower quality" contexts of
2819              * chain, to avoid loops in alternate chain creation.
2820              * The highest-quality chain is chosen at the end.
2821              */
2822             if (alternate)
2823                 ret = CRYPT_AddAlternateChainToChain(chain, alternate);
2824         } while (ret && alternate);
2825         chain = CRYPT_ChooseHighestQualityChain(chain);
2826         if (!(dwFlags & CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS))
2827             CRYPT_FreeLowerQualityChains(chain);
2828         pChain = (PCERT_CHAIN_CONTEXT)chain;
2829         if (!pChain->TrustStatus.dwErrorStatus)
2830             CRYPT_VerifyChainRevocation(pChain, pTime, pChainPara, dwFlags);
2831         CRYPT_CheckUsages(pChain, pChainPara);
2832         TRACE_(chain)("error status: %08x\n",
2833          pChain->TrustStatus.dwErrorStatus);
2834         if (ppChainContext)
2835             *ppChainContext = pChain;
2836         else
2837             CertFreeCertificateChain(pChain);
2838     }
2839     TRACE("returning %d\n", ret);
2840     return ret;
2841 }
2842
2843 PCCERT_CHAIN_CONTEXT WINAPI CertDuplicateCertificateChain(
2844  PCCERT_CHAIN_CONTEXT pChainContext)
2845 {
2846     PCertificateChain chain = (PCertificateChain)pChainContext;
2847
2848     TRACE("(%p)\n", pChainContext);
2849
2850     if (chain)
2851         InterlockedIncrement(&chain->ref);
2852     return pChainContext;
2853 }
2854
2855 VOID WINAPI CertFreeCertificateChain(PCCERT_CHAIN_CONTEXT pChainContext)
2856 {
2857     PCertificateChain chain = (PCertificateChain)pChainContext;
2858
2859     TRACE("(%p)\n", pChainContext);
2860
2861     if (chain)
2862     {
2863         if (InterlockedDecrement(&chain->ref) == 0)
2864             CRYPT_FreeChainContext(chain);
2865     }
2866 }
2867
2868 static void find_element_with_error(PCCERT_CHAIN_CONTEXT chain, DWORD error,
2869  LONG *iChain, LONG *iElement)
2870 {
2871     DWORD i, j;
2872
2873     for (i = 0; i < chain->cChain; i++)
2874         for (j = 0; j < chain->rgpChain[i]->cElement; j++)
2875             if (chain->rgpChain[i]->rgpElement[j]->TrustStatus.dwErrorStatus &
2876              error)
2877             {
2878                 *iChain = i;
2879                 *iElement = j;
2880                 return;
2881             }
2882 }
2883
2884 static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
2885  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
2886  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
2887 {
2888     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
2889     if (pChainContext->TrustStatus.dwErrorStatus &
2890      CERT_TRUST_IS_NOT_SIGNATURE_VALID)
2891     {
2892         pPolicyStatus->dwError = TRUST_E_CERT_SIGNATURE;
2893         find_element_with_error(pChainContext,
2894          CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
2895          &pPolicyStatus->lElementIndex);
2896     }
2897     else if (pChainContext->TrustStatus.dwErrorStatus &
2898      CERT_TRUST_IS_UNTRUSTED_ROOT)
2899     {
2900         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
2901         find_element_with_error(pChainContext,
2902          CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
2903          &pPolicyStatus->lElementIndex);
2904     }
2905     else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
2906     {
2907         pPolicyStatus->dwError = CERT_E_CHAINING;
2908         find_element_with_error(pChainContext, CERT_TRUST_IS_CYCLIC,
2909          &pPolicyStatus->lChainIndex, &pPolicyStatus->lElementIndex);
2910         /* For a cyclic chain, which element is a cycle isn't meaningful */
2911         pPolicyStatus->lElementIndex = -1;
2912     }
2913     else
2914         pPolicyStatus->dwError = NO_ERROR;
2915     return TRUE;
2916 }
2917
2918 static BYTE msTestPubKey1[] = {
2919 0x30,0x47,0x02,0x40,0x81,0x55,0x22,0xb9,0x8a,0xa4,0x6f,0xed,0xd6,0xe7,0xd9,
2920 0x66,0x0f,0x55,0xbc,0xd7,0xcd,0xd5,0xbc,0x4e,0x40,0x02,0x21,0xa2,0xb1,0xf7,
2921 0x87,0x30,0x85,0x5e,0xd2,0xf2,0x44,0xb9,0xdc,0x9b,0x75,0xb6,0xfb,0x46,0x5f,
2922 0x42,0xb6,0x9d,0x23,0x36,0x0b,0xde,0x54,0x0f,0xcd,0xbd,0x1f,0x99,0x2a,0x10,
2923 0x58,0x11,0xcb,0x40,0xcb,0xb5,0xa7,0x41,0x02,0x03,0x01,0x00,0x01 };
2924 static BYTE msTestPubKey2[] = {
2925 0x30,0x47,0x02,0x40,0x9c,0x50,0x05,0x1d,0xe2,0x0e,0x4c,0x53,0xd8,0xd9,0xb5,
2926 0xe5,0xfd,0xe9,0xe3,0xad,0x83,0x4b,0x80,0x08,0xd9,0xdc,0xe8,0xe8,0x35,0xf8,
2927 0x11,0xf1,0xe9,0x9b,0x03,0x7a,0x65,0x64,0x76,0x35,0xce,0x38,0x2c,0xf2,0xb6,
2928 0x71,0x9e,0x06,0xd9,0xbf,0xbb,0x31,0x69,0xa3,0xf6,0x30,0xa0,0x78,0x7b,0x18,
2929 0xdd,0x50,0x4d,0x79,0x1e,0xeb,0x61,0xc1,0x02,0x03,0x01,0x00,0x01 };
2930
2931 static BOOL WINAPI verify_authenticode_policy(LPCSTR szPolicyOID,
2932  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
2933  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
2934 {
2935     BOOL ret = verify_base_policy(szPolicyOID, pChainContext, pPolicyPara,
2936      pPolicyStatus);
2937
2938     if (ret && pPolicyStatus->dwError == CERT_E_UNTRUSTEDROOT)
2939     {
2940         CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } };
2941         BOOL isMSTestRoot = FALSE;
2942         PCCERT_CONTEXT failingCert =
2943          pChainContext->rgpChain[pPolicyStatus->lChainIndex]->
2944          rgpElement[pPolicyStatus->lElementIndex]->pCertContext;
2945         DWORD i;
2946         CRYPT_DATA_BLOB keyBlobs[] = {
2947          { sizeof(msTestPubKey1), msTestPubKey1 },
2948          { sizeof(msTestPubKey2), msTestPubKey2 },
2949         };
2950
2951         /* Check whether the root is an MS test root */
2952         for (i = 0; !isMSTestRoot && i < sizeof(keyBlobs) / sizeof(keyBlobs[0]);
2953          i++)
2954         {
2955             msPubKey.PublicKey.cbData = keyBlobs[i].cbData;
2956             msPubKey.PublicKey.pbData = keyBlobs[i].pbData;
2957             if (CertComparePublicKeyInfo(
2958              X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
2959              &failingCert->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
2960                 isMSTestRoot = TRUE;
2961         }
2962         if (isMSTestRoot)
2963             pPolicyStatus->dwError = CERT_E_UNTRUSTEDTESTROOT;
2964     }
2965     return ret;
2966 }
2967
2968 static BOOL WINAPI verify_basic_constraints_policy(LPCSTR szPolicyOID,
2969  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
2970  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
2971 {
2972     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
2973     if (pChainContext->TrustStatus.dwErrorStatus &
2974      CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
2975     {
2976         pPolicyStatus->dwError = TRUST_E_BASIC_CONSTRAINTS;
2977         find_element_with_error(pChainContext,
2978          CERT_TRUST_INVALID_BASIC_CONSTRAINTS, &pPolicyStatus->lChainIndex,
2979          &pPolicyStatus->lElementIndex);
2980     }
2981     else
2982         pPolicyStatus->dwError = NO_ERROR;
2983     return TRUE;
2984 }
2985
2986 static BOOL match_dns_to_subject_alt_name(PCERT_EXTENSION ext,
2987  LPCWSTR server_name)
2988 {
2989     BOOL matches = FALSE;
2990     CERT_ALT_NAME_INFO *subjectName;
2991     DWORD size;
2992
2993     TRACE_(chain)("%s\n", debugstr_w(server_name));
2994     /* This could be spoofed by the embedded NULL vulnerability, since the
2995      * returned CERT_ALT_NAME_INFO doesn't have a way to indicate the
2996      * encoded length of a name.  Fortunately CryptDecodeObjectEx fails if
2997      * the encoded form of the name contains a NULL.
2998      */
2999     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
3000      ext->Value.pbData, ext->Value.cbData,
3001      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
3002      &subjectName, &size))
3003     {
3004         DWORD i;
3005
3006         /* RFC 5280 states that multiple instances of each name type may exist,
3007          * in section 4.2.1.6:
3008          * "Multiple name forms, and multiple instances of each name form,
3009          *  MAY be included."
3010          * It doesn't specify the behavior in such cases, but both RFC 2818
3011          * and RFC 2595 explicitly accept a certificate if any name matches.
3012          */
3013         for (i = 0; !matches && i < subjectName->cAltEntry; i++)
3014         {
3015             if (subjectName->rgAltEntry[i].dwAltNameChoice ==
3016              CERT_ALT_NAME_DNS_NAME)
3017             {
3018                 TRACE_(chain)("dNSName: %s\n", debugstr_w(
3019                  subjectName->rgAltEntry[i].u.pwszDNSName));
3020                 if (!strcmpiW(server_name,
3021                  subjectName->rgAltEntry[i].u.pwszDNSName))
3022                     matches = TRUE;
3023             }
3024         }
3025         LocalFree(subjectName);
3026     }
3027     return matches;
3028 }
3029
3030 static BOOL find_matching_domain_component(CERT_NAME_INFO *name,
3031  LPCWSTR component)
3032 {
3033     BOOL matches = FALSE;
3034     DWORD i, j;
3035
3036     for (i = 0; !matches && i < name->cRDN; i++)
3037         for (j = 0; j < name->rgRDN[i].cRDNAttr; j++)
3038             if (!strcmp(szOID_DOMAIN_COMPONENT,
3039              name->rgRDN[i].rgRDNAttr[j].pszObjId))
3040             {
3041                 PCERT_RDN_ATTR attr;
3042
3043                 attr = &name->rgRDN[i].rgRDNAttr[j];
3044                 /* Compare with memicmpW rather than strcmpiW in order to avoid
3045                  * a match with a string with an embedded NULL.  The component
3046                  * must match one domain component attribute's entire string
3047                  * value with a case-insensitive match.
3048                  */
3049                 matches = !memicmpW(component, (LPWSTR)attr->Value.pbData,
3050                  attr->Value.cbData / sizeof(WCHAR));
3051             }
3052     return matches;
3053 }
3054
3055 static BOOL match_domain_component(LPCWSTR allowed_component, DWORD allowed_len,
3056  LPCWSTR server_component, DWORD server_len, BOOL allow_wildcards,
3057  BOOL *see_wildcard)
3058 {
3059     LPCWSTR allowed_ptr, server_ptr;
3060     BOOL matches = TRUE;
3061
3062     *see_wildcard = FALSE;
3063     if (server_len < allowed_len)
3064     {
3065         WARN_(chain)("domain component %s too short for %s\n",
3066          debugstr_wn(server_component, server_len),
3067          debugstr_wn(allowed_component, allowed_len));
3068         /* A domain component can't contain a wildcard character, so a domain
3069          * component shorter than the allowed string can't produce a match.
3070          */
3071         return FALSE;
3072     }
3073     for (allowed_ptr = allowed_component, server_ptr = server_component;
3074          matches && allowed_ptr - allowed_component < allowed_len;
3075          allowed_ptr++, server_ptr++)
3076     {
3077         if (*allowed_ptr == '*')
3078         {
3079             if (allowed_ptr - allowed_component < allowed_len - 1)
3080             {
3081                 WARN_(chain)("non-wildcard characters after wildcard not supported\n");
3082                 matches = FALSE;
3083             }
3084             else if (!allow_wildcards)
3085             {
3086                 WARN_(chain)("wildcard after non-wildcard component\n");
3087                 matches = FALSE;
3088             }
3089             else
3090             {
3091                 /* the preceding characters must have matched, so the rest of
3092                  * the component also matches.
3093                  */
3094                 *see_wildcard = TRUE;
3095                 break;
3096             }
3097         }
3098         matches = tolowerW(*allowed_ptr) == tolowerW(*server_ptr);
3099     }
3100     if (matches && server_ptr - server_component < server_len)
3101     {
3102         /* If there are unmatched characters in the server domain component,
3103          * the server domain only matches if the allowed string ended in a '*'.
3104          */
3105         matches = *allowed_ptr == '*';
3106     }
3107     return matches;
3108 }
3109
3110 static BOOL match_common_name(LPCWSTR server_name, PCERT_RDN_ATTR nameAttr)
3111 {
3112     LPCWSTR allowed = (LPCWSTR)nameAttr->Value.pbData;
3113     LPCWSTR allowed_component = allowed;
3114     DWORD allowed_len = nameAttr->Value.cbData / sizeof(WCHAR);
3115     LPCWSTR server_component = server_name;
3116     DWORD server_len = strlenW(server_name);
3117     BOOL matches = TRUE, allow_wildcards = TRUE;
3118
3119     TRACE_(chain)("CN = %s\n", debugstr_wn(allowed_component, allowed_len));
3120
3121     /* From RFC 2818 (HTTP over TLS), section 3.1:
3122      * "Names may contain the wildcard character * which is considered to match
3123      *  any single domain name component or component fragment. E.g.,
3124      *  *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com
3125      *  but not bar.com."
3126      *
3127      * And from RFC 2595 (Using TLS with IMAP, POP3 and ACAP), section 2.4:
3128      * "A "*" wildcard character MAY be used as the left-most name component in
3129      *  the certificate.  For example, *.example.com would match a.example.com,
3130      *  foo.example.com, etc. but would not match example.com."
3131      *
3132      * There are other protocols which use TLS, and none of them is
3133      * authoritative.  This accepts certificates in common usage, e.g.
3134      * *.domain.com matches www.domain.com but not domain.com, and
3135      * www*.domain.com matches www1.domain.com but not mail.domain.com.
3136      */
3137     do {
3138         LPCWSTR allowed_dot, server_dot;
3139
3140         allowed_dot = memchrW(allowed_component, '.',
3141          allowed_len - (allowed_component - allowed));
3142         server_dot = memchrW(server_component, '.',
3143          server_len - (server_component - server_name));
3144         /* The number of components must match */
3145         if ((!allowed_dot && server_dot) || (allowed_dot && !server_dot))
3146         {
3147             if (!allowed_dot)
3148                 WARN_(chain)("%s: too many components for CN=%s\n",
3149                  debugstr_w(server_name), debugstr_wn(allowed, allowed_len));
3150             else
3151                 WARN_(chain)("%s: not enough components for CN=%s\n",
3152                  debugstr_w(server_name), debugstr_wn(allowed, allowed_len));
3153             matches = FALSE;
3154         }
3155         else
3156         {
3157             LPCWSTR allowed_end, server_end;
3158             BOOL has_wildcard;
3159
3160             allowed_end = allowed_dot ? allowed_dot : allowed + allowed_len;
3161             server_end = server_dot ? server_dot : server_name + server_len;
3162             matches = match_domain_component(allowed_component,
3163              allowed_end - allowed_component, server_component,
3164              server_end - server_component, allow_wildcards, &has_wildcard);
3165             /* Once a non-wildcard component is seen, no wildcard components
3166              * may follow
3167              */
3168             if (!has_wildcard)
3169                 allow_wildcards = FALSE;
3170             if (matches)
3171             {
3172                 allowed_component = allowed_dot ? allowed_dot + 1 : allowed_end;
3173                 server_component = server_dot ? server_dot + 1 : server_end;
3174             }
3175         }
3176     } while (matches && allowed_component &&
3177      allowed_component - allowed < allowed_len &&
3178      server_component && server_component - server_name < server_len);
3179     TRACE_(chain)("returning %d\n", matches);
3180     return matches;
3181 }
3182
3183 static BOOL match_dns_to_subject_dn(PCCERT_CONTEXT cert, LPCWSTR server_name)
3184 {
3185     BOOL matches = FALSE;
3186     CERT_NAME_INFO *name;
3187     DWORD size;
3188
3189     TRACE_(chain)("%s\n", debugstr_w(server_name));
3190     if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_UNICODE_NAME,
3191      cert->pCertInfo->Subject.pbData, cert->pCertInfo->Subject.cbData,
3192      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
3193      &name, &size))
3194     {
3195         /* If the subject distinguished name contains any name components,
3196          * make sure all of them are present.
3197          */
3198         if (CertFindRDNAttr(szOID_DOMAIN_COMPONENT, name))
3199         {
3200             LPCWSTR ptr = server_name;
3201
3202             matches = TRUE;
3203             do {
3204                 LPCWSTR dot = strchrW(ptr, '.'), end;
3205                 /* 254 is the maximum DNS label length, see RFC 1035 */
3206                 WCHAR component[255];
3207                 DWORD len;
3208
3209                 end = dot ? dot : ptr + strlenW(ptr);
3210                 len = end - ptr;
3211                 if (len >= sizeof(component) / sizeof(component[0]))
3212                 {
3213                     WARN_(chain)("domain component %s too long\n",
3214                      debugstr_wn(ptr, len));
3215                     matches = FALSE;
3216                 }
3217                 else
3218                 {
3219                     memcpy(component, ptr, len * sizeof(WCHAR));
3220                     component[len] = 0;
3221                     matches = find_matching_domain_component(name, component);
3222                 }
3223                 ptr = dot ? dot + 1 : end;
3224             } while (matches && ptr && *ptr);
3225         }
3226         else
3227         {
3228             PCERT_RDN_ATTR attr;
3229
3230             /* If the certificate isn't using a DN attribute in the name, make
3231              * make sure the common name matches.
3232              */
3233             if ((attr = CertFindRDNAttr(szOID_COMMON_NAME, name)))
3234                 matches = match_common_name(server_name, attr);
3235         }
3236         LocalFree(name);
3237     }
3238     return matches;
3239 }
3240
3241 static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
3242  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3243  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
3244 {
3245     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
3246     if (pChainContext->TrustStatus.dwErrorStatus &
3247      CERT_TRUST_IS_NOT_SIGNATURE_VALID)
3248     {
3249         pPolicyStatus->dwError = TRUST_E_CERT_SIGNATURE;
3250         find_element_with_error(pChainContext,
3251          CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
3252          &pPolicyStatus->lElementIndex);
3253     }
3254     else if (pChainContext->TrustStatus.dwErrorStatus &
3255      CERT_TRUST_IS_UNTRUSTED_ROOT)
3256     {
3257         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
3258         find_element_with_error(pChainContext,
3259          CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
3260          &pPolicyStatus->lElementIndex);
3261     }
3262     else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
3263     {
3264         pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
3265         find_element_with_error(pChainContext,
3266          CERT_TRUST_IS_CYCLIC, &pPolicyStatus->lChainIndex,
3267          &pPolicyStatus->lElementIndex);
3268         /* For a cyclic chain, which element is a cycle isn't meaningful */
3269         pPolicyStatus->lElementIndex = -1;
3270     }
3271     else if (pChainContext->TrustStatus.dwErrorStatus &
3272      CERT_TRUST_IS_NOT_TIME_VALID)
3273     {
3274         pPolicyStatus->dwError = CERT_E_EXPIRED;
3275         find_element_with_error(pChainContext,
3276          CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
3277          &pPolicyStatus->lElementIndex);
3278     }
3279     else
3280         pPolicyStatus->dwError = NO_ERROR;
3281     /* We only need bother checking whether the name in the end certificate
3282      * matches if the chain is otherwise okay.
3283      */
3284     if (!pPolicyStatus->dwError && pPolicyPara &&
3285      pPolicyPara->cbSize >= sizeof(CERT_CHAIN_POLICY_PARA))
3286     {
3287         HTTPSPolicyCallbackData *sslPara = pPolicyPara->pvExtraPolicyPara;
3288
3289         if (sslPara && sslPara->u.cbSize >= sizeof(HTTPSPolicyCallbackData))
3290         {
3291             if (sslPara->dwAuthType == AUTHTYPE_SERVER &&
3292              sslPara->pwszServerName)
3293             {
3294                 PCCERT_CONTEXT cert;
3295                 PCERT_EXTENSION altNameExt;
3296                 BOOL matches;
3297
3298                 cert = pChainContext->rgpChain[0]->rgpElement[0]->pCertContext;
3299                 altNameExt = get_subject_alt_name_ext(cert->pCertInfo);
3300                 /* If the alternate name extension exists, the name it contains
3301                  * is bound to the certificate, so make sure the name matches
3302                  * it.  Otherwise, look for the server name in the subject
3303                  * distinguished name.  RFC5280, section 4.2.1.6:
3304                  * "Whenever such identities are to be bound into a
3305                  *  certificate, the subject alternative name (or issuer
3306                  *  alternative name) extension MUST be used; however, a DNS
3307                  *  name MAY also be represented in the subject field using the
3308                  *  domainComponent attribute."
3309                  */
3310                 if (altNameExt)
3311                     matches = match_dns_to_subject_alt_name(altNameExt,
3312                      sslPara->pwszServerName);
3313                 else
3314                     matches = match_dns_to_subject_dn(cert,
3315                      sslPara->pwszServerName);
3316                 if (!matches)
3317                 {
3318                     pPolicyStatus->dwError = CERT_E_CN_NO_MATCH;
3319                     pPolicyStatus->lChainIndex = 0;
3320                     pPolicyStatus->lElementIndex = 0;
3321                 }
3322             }
3323         }
3324     }
3325     return TRUE;
3326 }
3327
3328 static BYTE msPubKey1[] = {
3329 0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xdf,0x08,0xba,0xe3,0x3f,0x6e,
3330 0x64,0x9b,0xf5,0x89,0xaf,0x28,0x96,0x4a,0x07,0x8f,0x1b,0x2e,0x8b,0x3e,0x1d,
3331 0xfc,0xb8,0x80,0x69,0xa3,0xa1,0xce,0xdb,0xdf,0xb0,0x8e,0x6c,0x89,0x76,0x29,
3332 0x4f,0xca,0x60,0x35,0x39,0xad,0x72,0x32,0xe0,0x0b,0xae,0x29,0x3d,0x4c,0x16,
3333 0xd9,0x4b,0x3c,0x9d,0xda,0xc5,0xd3,0xd1,0x09,0xc9,0x2c,0x6f,0xa6,0xc2,0x60,
3334 0x53,0x45,0xdd,0x4b,0xd1,0x55,0xcd,0x03,0x1c,0xd2,0x59,0x56,0x24,0xf3,0xe5,
3335 0x78,0xd8,0x07,0xcc,0xd8,0xb3,0x1f,0x90,0x3f,0xc0,0x1a,0x71,0x50,0x1d,0x2d,
3336 0xa7,0x12,0x08,0x6d,0x7c,0xb0,0x86,0x6c,0xc7,0xba,0x85,0x32,0x07,0xe1,0x61,
3337 0x6f,0xaf,0x03,0xc5,0x6d,0xe5,0xd6,0xa1,0x8f,0x36,0xf6,0xc1,0x0b,0xd1,0x3e,
3338 0x69,0x97,0x48,0x72,0xc9,0x7f,0xa4,0xc8,0xc2,0x4a,0x4c,0x7e,0xa1,0xd1,0x94,
3339 0xa6,0xd7,0xdc,0xeb,0x05,0x46,0x2e,0xb8,0x18,0xb4,0x57,0x1d,0x86,0x49,0xdb,
3340 0x69,0x4a,0x2c,0x21,0xf5,0x5e,0x0f,0x54,0x2d,0x5a,0x43,0xa9,0x7a,0x7e,0x6a,
3341 0x8e,0x50,0x4d,0x25,0x57,0xa1,0xbf,0x1b,0x15,0x05,0x43,0x7b,0x2c,0x05,0x8d,
3342 0xbd,0x3d,0x03,0x8c,0x93,0x22,0x7d,0x63,0xea,0x0a,0x57,0x05,0x06,0x0a,0xdb,
3343 0x61,0x98,0x65,0x2d,0x47,0x49,0xa8,0xe7,0xe6,0x56,0x75,0x5c,0xb8,0x64,0x08,
3344 0x63,0xa9,0x30,0x40,0x66,0xb2,0xf9,0xb6,0xe3,0x34,0xe8,0x67,0x30,0xe1,0x43,
3345 0x0b,0x87,0xff,0xc9,0xbe,0x72,0x10,0x5e,0x23,0xf0,0x9b,0xa7,0x48,0x65,0xbf,
3346 0x09,0x88,0x7b,0xcd,0x72,0xbc,0x2e,0x79,0x9b,0x7b,0x02,0x03,0x01,0x00,0x01 };
3347 static BYTE msPubKey2[] = {
3348 0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xa9,0x02,0xbd,0xc1,0x70,0xe6,
3349 0x3b,0xf2,0x4e,0x1b,0x28,0x9f,0x97,0x78,0x5e,0x30,0xea,0xa2,0xa9,0x8d,0x25,
3350 0x5f,0xf8,0xfe,0x95,0x4c,0xa3,0xb7,0xfe,0x9d,0xa2,0x20,0x3e,0x7c,0x51,0xa2,
3351 0x9b,0xa2,0x8f,0x60,0x32,0x6b,0xd1,0x42,0x64,0x79,0xee,0xac,0x76,0xc9,0x54,
3352 0xda,0xf2,0xeb,0x9c,0x86,0x1c,0x8f,0x9f,0x84,0x66,0xb3,0xc5,0x6b,0x7a,0x62,
3353 0x23,0xd6,0x1d,0x3c,0xde,0x0f,0x01,0x92,0xe8,0x96,0xc4,0xbf,0x2d,0x66,0x9a,
3354 0x9a,0x68,0x26,0x99,0xd0,0x3a,0x2c,0xbf,0x0c,0xb5,0x58,0x26,0xc1,0x46,0xe7,
3355 0x0a,0x3e,0x38,0x96,0x2c,0xa9,0x28,0x39,0xa8,0xec,0x49,0x83,0x42,0xe3,0x84,
3356 0x0f,0xbb,0x9a,0x6c,0x55,0x61,0xac,0x82,0x7c,0xa1,0x60,0x2d,0x77,0x4c,0xe9,
3357 0x99,0xb4,0x64,0x3b,0x9a,0x50,0x1c,0x31,0x08,0x24,0x14,0x9f,0xa9,0xe7,0x91,
3358 0x2b,0x18,0xe6,0x3d,0x98,0x63,0x14,0x60,0x58,0x05,0x65,0x9f,0x1d,0x37,0x52,
3359 0x87,0xf7,0xa7,0xef,0x94,0x02,0xc6,0x1b,0xd3,0xbf,0x55,0x45,0xb3,0x89,0x80,
3360 0xbf,0x3a,0xec,0x54,0x94,0x4e,0xae,0xfd,0xa7,0x7a,0x6d,0x74,0x4e,0xaf,0x18,
3361 0xcc,0x96,0x09,0x28,0x21,0x00,0x57,0x90,0x60,0x69,0x37,0xbb,0x4b,0x12,0x07,
3362 0x3c,0x56,0xff,0x5b,0xfb,0xa4,0x66,0x0a,0x08,0xa6,0xd2,0x81,0x56,0x57,0xef,
3363 0xb6,0x3b,0x5e,0x16,0x81,0x77,0x04,0xda,0xf6,0xbe,0xae,0x80,0x95,0xfe,0xb0,
3364 0xcd,0x7f,0xd6,0xa7,0x1a,0x72,0x5c,0x3c,0xca,0xbc,0xf0,0x08,0xa3,0x22,0x30,
3365 0xb3,0x06,0x85,0xc9,0xb3,0x20,0x77,0x13,0x85,0xdf,0x02,0x03,0x01,0x00,0x01 };
3366 static BYTE msPubKey3[] = {
3367 0x30,0x82,0x02,0x0a,0x02,0x82,0x02,0x01,0x00,0xf3,0x5d,0xfa,0x80,0x67,0xd4,
3368 0x5a,0xa7,0xa9,0x0c,0x2c,0x90,0x20,0xd0,0x35,0x08,0x3c,0x75,0x84,0xcd,0xb7,
3369 0x07,0x89,0x9c,0x89,0xda,0xde,0xce,0xc3,0x60,0xfa,0x91,0x68,0x5a,0x9e,0x94,
3370 0x71,0x29,0x18,0x76,0x7c,0xc2,0xe0,0xc8,0x25,0x76,0x94,0x0e,0x58,0xfa,0x04,
3371 0x34,0x36,0xe6,0xdf,0xaf,0xf7,0x80,0xba,0xe9,0x58,0x0b,0x2b,0x93,0xe5,0x9d,
3372 0x05,0xe3,0x77,0x22,0x91,0xf7,0x34,0x64,0x3c,0x22,0x91,0x1d,0x5e,0xe1,0x09,
3373 0x90,0xbc,0x14,0xfe,0xfc,0x75,0x58,0x19,0xe1,0x79,0xb7,0x07,0x92,0xa3,0xae,
3374 0x88,0x59,0x08,0xd8,0x9f,0x07,0xca,0x03,0x58,0xfc,0x68,0x29,0x6d,0x32,0xd7,
3375 0xd2,0xa8,0xcb,0x4b,0xfc,0xe1,0x0b,0x48,0x32,0x4f,0xe6,0xeb,0xb8,0xad,0x4f,
3376 0xe4,0x5c,0x6f,0x13,0x94,0x99,0xdb,0x95,0xd5,0x75,0xdb,0xa8,0x1a,0xb7,0x94,
3377 0x91,0xb4,0x77,0x5b,0xf5,0x48,0x0c,0x8f,0x6a,0x79,0x7d,0x14,0x70,0x04,0x7d,
3378 0x6d,0xaf,0x90,0xf5,0xda,0x70,0xd8,0x47,0xb7,0xbf,0x9b,0x2f,0x6c,0xe7,0x05,
3379 0xb7,0xe1,0x11,0x60,0xac,0x79,0x91,0x14,0x7c,0xc5,0xd6,0xa6,0xe4,0xe1,0x7e,
3380 0xd5,0xc3,0x7e,0xe5,0x92,0xd2,0x3c,0x00,0xb5,0x36,0x82,0xde,0x79,0xe1,0x6d,
3381 0xf3,0xb5,0x6e,0xf8,0x9f,0x33,0xc9,0xcb,0x52,0x7d,0x73,0x98,0x36,0xdb,0x8b,
3382 0xa1,0x6b,0xa2,0x95,0x97,0x9b,0xa3,0xde,0xc2,0x4d,0x26,0xff,0x06,0x96,0x67,
3383 0x25,0x06,0xc8,0xe7,0xac,0xe4,0xee,0x12,0x33,0x95,0x31,0x99,0xc8,0x35,0x08,
3384 0x4e,0x34,0xca,0x79,0x53,0xd5,0xb5,0xbe,0x63,0x32,0x59,0x40,0x36,0xc0,0xa5,
3385 0x4e,0x04,0x4d,0x3d,0xdb,0x5b,0x07,0x33,0xe4,0x58,0xbf,0xef,0x3f,0x53,0x64,
3386 0xd8,0x42,0x59,0x35,0x57,0xfd,0x0f,0x45,0x7c,0x24,0x04,0x4d,0x9e,0xd6,0x38,
3387 0x74,0x11,0x97,0x22,0x90,0xce,0x68,0x44,0x74,0x92,0x6f,0xd5,0x4b,0x6f,0xb0,
3388 0x86,0xe3,0xc7,0x36,0x42,0xa0,0xd0,0xfc,0xc1,0xc0,0x5a,0xf9,0xa3,0x61,0xb9,
3389 0x30,0x47,0x71,0x96,0x0a,0x16,0xb0,0x91,0xc0,0x42,0x95,0xef,0x10,0x7f,0x28,
3390 0x6a,0xe3,0x2a,0x1f,0xb1,0xe4,0xcd,0x03,0x3f,0x77,0x71,0x04,0xc7,0x20,0xfc,
3391 0x49,0x0f,0x1d,0x45,0x88,0xa4,0xd7,0xcb,0x7e,0x88,0xad,0x8e,0x2d,0xec,0x45,
3392 0xdb,0xc4,0x51,0x04,0xc9,0x2a,0xfc,0xec,0x86,0x9e,0x9a,0x11,0x97,0x5b,0xde,
3393 0xce,0x53,0x88,0xe6,0xe2,0xb7,0xfd,0xac,0x95,0xc2,0x28,0x40,0xdb,0xef,0x04,
3394 0x90,0xdf,0x81,0x33,0x39,0xd9,0xb2,0x45,0xa5,0x23,0x87,0x06,0xa5,0x55,0x89,
3395 0x31,0xbb,0x06,0x2d,0x60,0x0e,0x41,0x18,0x7d,0x1f,0x2e,0xb5,0x97,0xcb,0x11,
3396 0xeb,0x15,0xd5,0x24,0xa5,0x94,0xef,0x15,0x14,0x89,0xfd,0x4b,0x73,0xfa,0x32,
3397 0x5b,0xfc,0xd1,0x33,0x00,0xf9,0x59,0x62,0x70,0x07,0x32,0xea,0x2e,0xab,0x40,
3398 0x2d,0x7b,0xca,0xdd,0x21,0x67,0x1b,0x30,0x99,0x8f,0x16,0xaa,0x23,0xa8,0x41,
3399 0xd1,0xb0,0x6e,0x11,0x9b,0x36,0xc4,0xde,0x40,0x74,0x9c,0xe1,0x58,0x65,0xc1,
3400 0x60,0x1e,0x7a,0x5b,0x38,0xc8,0x8f,0xbb,0x04,0x26,0x7c,0xd4,0x16,0x40,0xe5,
3401 0xb6,0x6b,0x6c,0xaa,0x86,0xfd,0x00,0xbf,0xce,0xc1,0x35,0x02,0x03,0x01,0x00,
3402 0x01 };
3403
3404 static BOOL WINAPI verify_ms_root_policy(LPCSTR szPolicyOID,
3405  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3406  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
3407 {
3408     BOOL ret = verify_base_policy(szPolicyOID, pChainContext, pPolicyPara,
3409      pPolicyStatus);
3410
3411     if (ret && !pPolicyStatus->dwError)
3412     {
3413         CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } };
3414         BOOL isMSRoot = FALSE;
3415         DWORD i;
3416         CRYPT_DATA_BLOB keyBlobs[] = {
3417          { sizeof(msPubKey1), msPubKey1 },
3418          { sizeof(msPubKey2), msPubKey2 },
3419          { sizeof(msPubKey3), msPubKey3 },
3420         };
3421         PCERT_SIMPLE_CHAIN rootChain =
3422          pChainContext->rgpChain[pChainContext->cChain -1 ];
3423         PCCERT_CONTEXT root =
3424          rootChain->rgpElement[rootChain->cElement - 1]->pCertContext;
3425
3426         for (i = 0; !isMSRoot && i < sizeof(keyBlobs) / sizeof(keyBlobs[0]);
3427          i++)
3428         {
3429             msPubKey.PublicKey.cbData = keyBlobs[i].cbData;
3430             msPubKey.PublicKey.pbData = keyBlobs[i].pbData;
3431             if (CertComparePublicKeyInfo(
3432              X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
3433              &root->pCertInfo->SubjectPublicKeyInfo, &msPubKey))
3434                 isMSRoot = TRUE;
3435         }
3436         if (isMSRoot)
3437             pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = 0;
3438     }
3439     return ret;
3440 }
3441
3442 typedef BOOL (WINAPI *CertVerifyCertificateChainPolicyFunc)(LPCSTR szPolicyOID,
3443  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3444  PCERT_CHAIN_POLICY_STATUS pPolicyStatus);
3445
3446 BOOL WINAPI CertVerifyCertificateChainPolicy(LPCSTR szPolicyOID,
3447  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
3448  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
3449 {
3450     static HCRYPTOIDFUNCSET set = NULL;
3451     BOOL ret = FALSE;
3452     CertVerifyCertificateChainPolicyFunc verifyPolicy = NULL;
3453     HCRYPTOIDFUNCADDR hFunc = NULL;
3454
3455     TRACE("(%s, %p, %p, %p)\n", debugstr_a(szPolicyOID), pChainContext,
3456      pPolicyPara, pPolicyStatus);
3457
3458     if (IS_INTOID(szPolicyOID))
3459     {
3460         switch (LOWORD(szPolicyOID))
3461         {
3462         case LOWORD(CERT_CHAIN_POLICY_BASE):
3463             verifyPolicy = verify_base_policy;
3464             break;
3465         case LOWORD(CERT_CHAIN_POLICY_AUTHENTICODE):
3466             verifyPolicy = verify_authenticode_policy;
3467             break;
3468         case LOWORD(CERT_CHAIN_POLICY_SSL):
3469             verifyPolicy = verify_ssl_policy;
3470             break;
3471         case LOWORD(CERT_CHAIN_POLICY_BASIC_CONSTRAINTS):
3472             verifyPolicy = verify_basic_constraints_policy;
3473             break;
3474         case LOWORD(CERT_CHAIN_POLICY_MICROSOFT_ROOT):
3475             verifyPolicy = verify_ms_root_policy;
3476             break;
3477         default:
3478             FIXME("unimplemented for %d\n", LOWORD(szPolicyOID));
3479         }
3480     }
3481     if (!verifyPolicy)
3482     {
3483         if (!set)
3484             set = CryptInitOIDFunctionSet(
3485              CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC, 0);
3486         CryptGetOIDFunctionAddress(set, X509_ASN_ENCODING, szPolicyOID, 0,
3487          (void **)&verifyPolicy, &hFunc);
3488     }
3489     if (verifyPolicy)
3490         ret = verifyPolicy(szPolicyOID, pChainContext, pPolicyPara,
3491          pPolicyStatus);
3492     if (hFunc)
3493         CryptFreeOIDFunctionAddress(hFunc, 0);
3494     TRACE("returning %d (%08x)\n", ret, pPolicyStatus->dwError);
3495     return ret;
3496 }