2 * Copyright 2006 Juan Lang
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
23 #include "wine/debug.h"
24 #include "crypt32_private.h"
26 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
28 #define DEFAULT_CYCLE_MODULUS 7
30 static HCERTCHAINENGINE CRYPT_defaultChainEngine;
32 /* This represents a subset of a certificate chain engine: it doesn't include
33 * the "hOther" store described by MSDN, because I'm not sure how that's used.
34 * It also doesn't include the "hTrust" store, because I don't yet implement
35 * CTLs or complex certificate chains.
37 typedef struct _CertificateChainEngine
43 DWORD dwUrlRetrievalTimeout;
44 DWORD MaximumCachedCertificates;
45 DWORD CycleDetectionModulus;
46 } CertificateChainEngine, *PCertificateChainEngine;
48 static inline void CRYPT_AddStoresToCollection(HCERTSTORE collection,
49 DWORD cStores, HCERTSTORE *stores)
53 for (i = 0; i < cStores; i++)
54 CertAddStoreToCollection(collection, stores[i], 0, 0);
57 static inline void CRYPT_CloseStores(DWORD cStores, HCERTSTORE *stores)
61 for (i = 0; i < cStores; i++)
62 CertCloseStore(stores[i], 0);
65 static const WCHAR rootW[] = { 'R','o','o','t',0 };
67 static BOOL CRYPT_CheckRestrictedRoot(HCERTSTORE store)
73 HCERTSTORE rootStore = CertOpenSystemStoreW(0, rootW);
74 PCCERT_CONTEXT cert = NULL, check;
79 cert = CertEnumCertificatesInStore(store, cert);
84 ret = CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID,
88 CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
90 check = CertFindCertificateInStore(rootStore,
91 cert->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob,
96 CertFreeCertificateContext(check);
99 } while (ret && cert);
101 CertFreeCertificateContext(cert);
102 CertCloseStore(rootStore, 0);
107 BOOL WINAPI CertCreateCertificateChainEngine(PCERT_CHAIN_ENGINE_CONFIG pConfig,
108 HCERTCHAINENGINE *phChainEngine)
110 static const WCHAR caW[] = { 'C','A',0 };
111 static const WCHAR myW[] = { 'M','y',0 };
112 static const WCHAR trustW[] = { 'T','r','u','s','t',0 };
115 TRACE("(%p, %p)\n", pConfig, phChainEngine);
117 if (pConfig->cbSize != sizeof(*pConfig))
119 SetLastError(E_INVALIDARG);
122 *phChainEngine = NULL;
123 ret = CRYPT_CheckRestrictedRoot(pConfig->hRestrictedRoot);
126 PCertificateChainEngine engine =
127 CryptMemAlloc(sizeof(CertificateChainEngine));
131 HCERTSTORE worldStores[4];
134 if (pConfig->hRestrictedRoot)
135 engine->hRoot = CertDuplicateStore(pConfig->hRestrictedRoot);
137 engine->hRoot = CertOpenSystemStoreW(0, rootW);
138 engine->hWorld = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
139 CERT_STORE_CREATE_NEW_FLAG, NULL);
140 worldStores[0] = CertDuplicateStore(engine->hRoot);
141 worldStores[1] = CertOpenSystemStoreW(0, caW);
142 worldStores[2] = CertOpenSystemStoreW(0, myW);
143 worldStores[3] = CertOpenSystemStoreW(0, trustW);
144 CRYPT_AddStoresToCollection(engine->hWorld,
145 sizeof(worldStores) / sizeof(worldStores[0]), worldStores);
146 CRYPT_AddStoresToCollection(engine->hWorld,
147 pConfig->cAdditionalStore, pConfig->rghAdditionalStore);
148 CRYPT_CloseStores(sizeof(worldStores) / sizeof(worldStores[0]),
150 engine->dwFlags = pConfig->dwFlags;
151 engine->dwUrlRetrievalTimeout = pConfig->dwUrlRetrievalTimeout;
152 engine->MaximumCachedCertificates =
153 pConfig->MaximumCachedCertificates;
154 if (pConfig->CycleDetectionModulus)
155 engine->CycleDetectionModulus = pConfig->CycleDetectionModulus;
157 engine->CycleDetectionModulus = DEFAULT_CYCLE_MODULUS;
158 *phChainEngine = (HCERTCHAINENGINE)engine;
167 void WINAPI CertFreeCertificateChainEngine(HCERTCHAINENGINE hChainEngine)
169 PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
171 TRACE("(%p)\n", hChainEngine);
173 if (engine && InterlockedDecrement(&engine->ref) == 0)
175 CertCloseStore(engine->hWorld, 0);
176 CertCloseStore(engine->hRoot, 0);
177 CryptMemFree(engine);
181 static HCERTCHAINENGINE CRYPT_GetDefaultChainEngine(void)
183 if (!CRYPT_defaultChainEngine)
185 CERT_CHAIN_ENGINE_CONFIG config = { 0 };
186 HCERTCHAINENGINE engine;
188 config.cbSize = sizeof(config);
189 CertCreateCertificateChainEngine(&config, &engine);
190 InterlockedCompareExchangePointer(&CRYPT_defaultChainEngine, engine,
192 if (CRYPT_defaultChainEngine != engine)
193 CertFreeCertificateChainEngine(engine);
195 return CRYPT_defaultChainEngine;
198 void default_chain_engine_free(void)
200 CertFreeCertificateChainEngine(CRYPT_defaultChainEngine);
203 typedef struct _CertificateChain
205 CERT_CHAIN_CONTEXT context;
207 } CertificateChain, *PCertificateChain;
209 static inline BOOL WINAPI CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
211 return CertCompareCertificateName(cert->dwCertEncodingType,
212 &cert->pCertInfo->Subject, &cert->pCertInfo->Issuer);
215 /* Gets cert's issuer from store, and returns the validity flags associated
216 * with it. Returns NULL if no issuer whose public key matches cert's
217 * signature could be found.
219 static PCCERT_CONTEXT CRYPT_GetIssuerFromStore(HCERTSTORE store,
220 PCCERT_CONTEXT cert, PDWORD pdwFlags)
222 PCCERT_CONTEXT issuer = NULL;
224 /* There might be more than issuer with the same name, so keep looking until
225 * one produces the correct signature for this cert.
228 *pdwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG |
229 CERT_STORE_TIME_VALIDITY_FLAG;
230 issuer = CertGetIssuerCertificateFromStore(store, cert, issuer,
232 } while (issuer && (*pdwFlags & CERT_STORE_SIGNATURE_FLAG));
236 static BOOL CRYPT_AddCertToSimpleChain(PCERT_SIMPLE_CHAIN chain,
237 PCCERT_CONTEXT cert, DWORD dwFlags)
240 PCERT_CHAIN_ELEMENT element = CryptMemAlloc(sizeof(CERT_CHAIN_ELEMENT));
244 if (!chain->cElement)
245 chain->rgpElement = CryptMemAlloc(sizeof(PCERT_CHAIN_ELEMENT));
247 chain->rgpElement = CryptMemRealloc(chain->rgpElement,
248 (chain->cElement + 1) * sizeof(PCERT_CHAIN_ELEMENT));
249 if (chain->rgpElement)
251 memset(element, 0, sizeof(CERT_CHAIN_ELEMENT));
252 element->cbSize = sizeof(CERT_CHAIN_ELEMENT);
253 element->pCertContext = CertDuplicateCertificateContext(cert);
254 if (dwFlags & CERT_STORE_REVOCATION_FLAG &&
255 !(dwFlags & CERT_STORE_NO_CRL_FLAG))
256 element->TrustStatus.dwErrorStatus |= CERT_TRUST_IS_REVOKED;
257 if (dwFlags & CERT_STORE_SIGNATURE_FLAG)
258 element->TrustStatus.dwErrorStatus |=
259 CERT_TRUST_IS_NOT_SIGNATURE_VALID;
260 if (dwFlags & CERT_STORE_TIME_VALIDITY_FLAG)
261 element->TrustStatus.dwErrorStatus |=
262 CERT_TRUST_IS_NOT_TIME_VALID;
265 PCERT_CHAIN_ELEMENT prevElement =
266 chain->rgpElement[chain->cElement - 1];
268 /* This cert is the issuer of the previous one in the chain, so
269 * retroactively check the previous one's time validity nesting.
271 if (!CertVerifyValidityNesting(
272 prevElement->pCertContext->pCertInfo, cert->pCertInfo))
273 prevElement->TrustStatus.dwErrorStatus |=
274 CERT_TRUST_IS_NOT_TIME_NESTED;
276 /* FIXME: check valid usages, name constraints, and for cycles */
277 /* FIXME: initialize the rest of element */
278 chain->TrustStatus.dwErrorStatus |=
279 element->TrustStatus.dwErrorStatus;
280 chain->TrustStatus.dwInfoStatus |=
281 element->TrustStatus.dwInfoStatus;
282 chain->rgpElement[chain->cElement++] = element;
286 CryptMemFree(element);
291 static void CRYPT_FreeChainElement(PCERT_CHAIN_ELEMENT element)
293 CertFreeCertificateContext(element->pCertContext);
294 CryptMemFree(element);
297 static void CRYPT_FreeSimpleChain(PCERT_SIMPLE_CHAIN chain)
301 for (i = 0; i < chain->cElement; i++)
302 CRYPT_FreeChainElement(chain->rgpElement[i]);
303 CryptMemFree(chain->rgpElement);
307 static BOOL CRYPT_BuildSimpleChain(HCERTCHAINENGINE hChainEngine,
308 PCCERT_CONTEXT cert, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
309 PCERT_SIMPLE_CHAIN *ppChain)
312 PCertificateChainEngine engine = (PCertificateChainEngine)hChainEngine;
313 PCERT_SIMPLE_CHAIN chain;
316 TRACE("(%p, %p, %p, %p)\n", hChainEngine, cert, pTime, hAdditionalStore);
318 world = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0,
319 CERT_STORE_CREATE_NEW_FLAG, NULL);
320 CertAddStoreToCollection(world, engine->hWorld, 0, 0);
321 if (cert->hCertStore)
322 CertAddStoreToCollection(world, cert->hCertStore, 0, 0);
323 if (hAdditionalStore)
324 CertAddStoreToCollection(world, hAdditionalStore, 0, 0);
325 chain = CryptMemAlloc(sizeof(CERT_SIMPLE_CHAIN));
328 memset(chain, 0, sizeof(CERT_SIMPLE_CHAIN));
329 chain->cbSize = sizeof(CERT_SIMPLE_CHAIN);
330 ret = CRYPT_AddCertToSimpleChain(chain, cert, 0);
331 while (ret && !CRYPT_IsCertificateSelfSigned(cert))
334 PCCERT_CONTEXT issuer = CRYPT_GetIssuerFromStore(world, cert,
339 ret = CRYPT_AddCertToSimpleChain(chain, issuer, flags);
344 TRACE("Couldn't find issuer, aborting chain creation\n");
350 PCERT_CHAIN_ELEMENT rootElement =
351 chain->rgpElement[chain->cElement - 1];
352 PCCERT_CONTEXT root = rootElement->pCertContext;
354 if (!(ret = CRYPT_IsCertificateSelfSigned(root)))
355 TRACE("Last certificate is not self-signed\n");
358 rootElement->TrustStatus.dwInfoStatus |=
359 CERT_TRUST_IS_SELF_SIGNED;
360 if (!(ret = CryptVerifyCertificateSignatureEx(0,
361 root->dwCertEncodingType, CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
362 (void *)root, CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)root,
365 TRACE("Last certificate's signature is invalid\n");
366 rootElement->TrustStatus.dwErrorStatus |=
367 CERT_TRUST_IS_NOT_SIGNATURE_VALID;
370 if (CRYPT_IsCertificateSelfSigned(root))
373 DWORD size = sizeof(hash);
374 CRYPT_HASH_BLOB blob = { sizeof(hash), hash };
375 PCCERT_CONTEXT trustedRoot;
377 CertGetCertificateContextProperty(root, CERT_HASH_PROP_ID, hash,
379 trustedRoot = CertFindCertificateInStore(engine->hRoot,
380 root->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob, NULL);
382 rootElement->TrustStatus.dwErrorStatus |=
383 CERT_TRUST_IS_UNTRUSTED_ROOT;
385 CertFreeCertificateContext(trustedRoot);
387 chain->TrustStatus.dwErrorStatus |=
388 rootElement->TrustStatus.dwErrorStatus;
389 chain->TrustStatus.dwInfoStatus |=
390 rootElement->TrustStatus.dwInfoStatus & ~CERT_TRUST_IS_SELF_SIGNED;
394 CRYPT_FreeSimpleChain(chain);
399 CertCloseStore(world, 0);
403 typedef struct _CERT_CHAIN_PARA_NO_EXTRA_FIELDS {
405 CERT_USAGE_MATCH RequestedUsage;
406 } CERT_CHAIN_PARA_NO_EXTRA_FIELDS, *PCERT_CHAIN_PARA_NO_EXTRA_FIELDS;
408 typedef struct _CERT_CHAIN_PARA_EXTRA_FIELDS {
410 CERT_USAGE_MATCH RequestedUsage;
411 CERT_USAGE_MATCH RequestedIssuancePolicy;
412 DWORD dwUrlRetrievalTimeout;
413 BOOL fCheckRevocationFreshnessTime;
414 DWORD dwRevocationFreshnessTime;
415 } CERT_CHAIN_PARA_EXTRA_FIELDS, *PCERT_CHAIN_PARA_EXTRA_FIELDS;
417 BOOL WINAPI CertGetCertificateChain(HCERTCHAINENGINE hChainEngine,
418 PCCERT_CONTEXT pCertContext, LPFILETIME pTime, HCERTSTORE hAdditionalStore,
419 PCERT_CHAIN_PARA pChainPara, DWORD dwFlags, LPVOID pvReserved,
420 PCCERT_CHAIN_CONTEXT* ppChainContext)
422 PCERT_SIMPLE_CHAIN simpleChain = NULL;
425 TRACE("(%p, %p, %p, %p, %p, %08x, %p, %p)\n", hChainEngine, pCertContext,
426 pTime, hAdditionalStore, pChainPara, dwFlags, pvReserved, ppChainContext);
430 SetLastError(E_INVALIDARG);
434 *ppChainContext = NULL;
436 hChainEngine = CRYPT_GetDefaultChainEngine();
437 /* FIXME: what about HCCE_LOCAL_MACHINE? */
438 /* FIXME: pChainPara is for now ignored */
439 /* FIXME: only simple chains are supported for now, as CTLs aren't
442 if ((ret = CRYPT_BuildSimpleChain(hChainEngine, pCertContext, pTime,
443 hAdditionalStore, &simpleChain)))
445 PCertificateChain chain = CryptMemAlloc(sizeof(CertificateChain));
450 chain->context.cbSize = sizeof(CERT_CHAIN_CONTEXT);
451 memcpy(&chain->context.TrustStatus, &simpleChain->TrustStatus,
452 sizeof(CERT_TRUST_STATUS));
453 chain->context.cChain = 1;
454 chain->context.rgpChain = CryptMemAlloc(sizeof(PCERT_SIMPLE_CHAIN));
455 chain->context.rgpChain[0] = simpleChain;
456 chain->context.cLowerQualityChainContext = 0;
457 chain->context.rgpLowerQualityChainContext = NULL;
458 chain->context.fHasRevocationFreshnessTime = FALSE;
459 chain->context.dwRevocationFreshnessTime = 0;
464 *ppChainContext = (PCCERT_CHAIN_CONTEXT)chain;
466 CertFreeCertificateChain((PCCERT_CHAIN_CONTEXT)chain);
468 TRACE("returning %d\n", ret);
472 static void CRYPT_FreeChainContext(PCertificateChain chain)
476 /* Note the chain's rgpLowerQualityChainContext isn't freed, but
477 * it's never set, either.
479 for (i = 0; i < chain->context.cChain; i++)
480 CRYPT_FreeSimpleChain(chain->context.rgpChain[i]);
481 CryptMemFree(chain->context.rgpChain);
485 void WINAPI CertFreeCertificateChain(PCCERT_CHAIN_CONTEXT pChainContext)
487 PCertificateChain chain = (PCertificateChain)pChainContext;
489 TRACE("(%p)\n", pChainContext);
493 if (InterlockedDecrement(&chain->ref) == 0)
494 CRYPT_FreeChainContext(chain);