//+------------------------------------------------------------------------- // // Microsoft Windows // // Copyright (C) Microsoft Corporation, 1996 - 1999 // // File: certtrst.cpp // // Contents: Microsoft Internet Security Provider // // Functions: WintrustCertificateTrust // // *** local functions *** // _WalkChain // _IsLifetimeSigningCert // // History: 07-Jun-1997 pberkman created // //-------------------------------------------------------------------------- #include "global.hxx" // // support for MS test roots!!!! // static BYTE rgbTestRoot[] = { # include "certs\\mstest1.h" }; static BYTE rgbTestRootCorrected[] = { # include "certs\\mstest2.h" }; static BYTE rgbTestRootBeta1[] = { # include "certs\\mstestb1.h" }; #define NTESTROOTS 3 static CERT_PUBLIC_KEY_INFO rgTestRootPublicKeyInfo[NTESTROOTS] = { {szOID_RSA_RSA, 0, NULL, sizeof(rgbTestRoot), rgbTestRoot, 0}, {szOID_RSA_RSA, 0, NULL, sizeof(rgbTestRootCorrected), rgbTestRootCorrected, 0}, {szOID_RSA_RSA, 0, NULL, sizeof(rgbTestRootBeta1), rgbTestRootBeta1, 0} }; BOOL _WalkChain( CRYPT_PROVIDER_DATA *pProvData, DWORD idxSigner, DWORD *pdwError, BOOL fCounterSigner, DWORD idxCounterSigner, BOOL fTimeStamped, BOOL *pfLifetimeSigning // IN OUT, only accessed for fTimeStamped ); BOOL WINAPI _IsLifetimeSigningCert( PCCERT_CONTEXT pCertContext ); HRESULT WINAPI WintrustCertificateTrust(CRYPT_PROVIDER_DATA *pProvData) { if ((_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, fRecallWithState)) && (pProvData->fRecallWithState == TRUE)) { return(S_OK); } DWORD dwError; dwError = S_OK; if (pProvData->csSigners < 1) { pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] = TRUST_E_NOSIGNATURE; return(S_FALSE); } // // loop through all signers // for (int i = 0; i < (int)pProvData->csSigners; i++) { BOOL fTimeStamped = FALSE; BOOL fLifetimeSigning = FALSE; if (pProvData->pasSigners[i].csCertChain < 1) { pProvData->pasSigners[i].dwError = TRUST_E_NO_SIGNER_CERT; pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] = TRUST_E_NO_SIGNER_CERT; continue; } // Check if timestamped. if (0 < pProvData->pasSigners[i].csCounterSigners && (pProvData->pasSigners[i].pasCounterSigners[0].dwSignerType & SGNR_TYPE_TIMESTAMP)) { fTimeStamped = TRUE; // See if LifeTime Signing has been enabled if (pProvData->dwProvFlags & WTD_LIFETIME_SIGNING_FLAG) { fLifetimeSigning = TRUE; } else { // Check if the signer certificate has the LIFETIME_SIGNING // EKU. fLifetimeSigning = _IsLifetimeSigningCert( pProvData->pasSigners[i].pasCertChain[0].pCert); } } _WalkChain(pProvData, i, &dwError, FALSE, 0, fTimeStamped, &fLifetimeSigning); for (int i2 = 0; i2 < (int)pProvData->pasSigners[i].csCounterSigners; i2++) { if (pProvData->pasSigners[i].pasCounterSigners[i2].csCertChain < 1) { pProvData->pasSigners[i].pasCounterSigners[i2].dwError = TRUST_E_NO_SIGNER_CERT; pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] = TRUST_E_COUNTER_SIGNER; dwError = S_FALSE; continue; } // If lifetime signing has been enabled, use current time instead // of timestamp time. if (fLifetimeSigning) { memcpy(&pProvData->pasSigners[i].pasCounterSigners[i2].sftVerifyAsOf, &pProvData->sftSystemTime, sizeof(FILETIME)); } _WalkChain(pProvData, i, &dwError, TRUE, i2, FALSE, NULL); } } return(dwError); } HCERTCHAINENGINE GetChainEngine( IN CRYPT_PROVIDER_DATA *pProvData ) { CERT_CHAIN_ENGINE_CONFIG Config; HCERTSTORE hStore = NULL; HCERTCHAINENGINE hChainEngine = NULL; if (NULL == pProvData->pWintrustData || pProvData->pWintrustData->dwUnionChoice != WTD_CHOICE_CERT || !_ISINSTRUCT(WINTRUST_CERT_INFO, pProvData->pWintrustData->pCert->cbStruct, dwFlags) || 0 == (pProvData->pWintrustData->pCert->dwFlags & (WTCI_DONT_OPEN_STORES | WTCI_OPEN_ONLY_ROOT))) return NULL; memset(&Config, 0, sizeof(Config)); Config.cbSize = sizeof(Config); if (NULL == (hStore = CertOpenStore( CERT_STORE_PROV_MEMORY, 0, // dwEncodingType 0, // hCryptProv 0, // dwFlags NULL // pvPara ))) goto OpenMemoryStoreError; if (pProvData->pWintrustData->pCert->dwFlags & WTCI_DONT_OPEN_STORES) Config.hRestrictedRoot = hStore; Config.hRestrictedTrust = hStore; Config.hRestrictedOther = hStore; if (!CertCreateCertificateChainEngine( &Config, &hChainEngine )) goto CreateChainEngineError; CommonReturn: CertCloseStore(hStore, 0); return hChainEngine; ErrorReturn: hChainEngine = NULL; goto CommonReturn; TRACE_ERROR_EX(DBG_SS, OpenMemoryStoreError) TRACE_ERROR_EX(DBG_SS, CreateChainEngineError) } HCERTSTORE GetChainAdditionalStore( IN CRYPT_PROVIDER_DATA *pProvData ) { HCERTSTORE hStore = NULL; if (0 == pProvData->chStores) return NULL; if (1 < pProvData->chStores) { if (hStore = CertOpenStore( CERT_STORE_PROV_COLLECTION, 0, // dwEncodingType 0, // hCryptProv 0, // dwFlags NULL // pvPara )) { DWORD i; for (i = 0; i < pProvData->chStores; i++) CertAddStoreToCollection( hStore, pProvData->pahStores[i], CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0 // dwPriority ); } } else hStore = CertDuplicateStore(pProvData->pahStores[0]); #if 0 CertSaveStore( hStore, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, CERT_STORE_SAVE_AS_STORE, CERT_STORE_SAVE_TO_FILENAME_A, (void *) "C:\\temp\\wintrust.sto", 0 // dwFlags ); #endif return hStore; } BOOL UpdateCertProvChain( IN OUT PCRYPT_PROVIDER_DATA pProvData, IN DWORD idxSigner, OUT DWORD *pdwError, IN BOOL fCounterSigner, IN DWORD idxCounterSigner, IN PCRYPT_PROVIDER_SGNR pSgnr, IN PCCERT_CHAIN_CONTEXT pChainContext ) { BOOL fTestCert = FALSE; DWORD dwSgnrError = 0; DWORD i; // The chain better have at least the certificate we passed in assert(0 < pChainContext->cChain && 0 < pChainContext->rgpChain[0]->cElement); for (i = 0; i < pChainContext->cChain; i++) { DWORD j; PCERT_SIMPLE_CHAIN pChain = pChainContext->rgpChain[i]; for (j = 0; j < pChain->cElement; j++) { PCERT_CHAIN_ELEMENT pEle = pChain->rgpElement[j]; DWORD dwEleError = pEle->TrustStatus.dwErrorStatus; DWORD dwEleInfo = pEle->TrustStatus.dwInfoStatus; PCRYPT_PROVIDER_CERT pProvCert; if (0 != i || 0 != j) { if (!(pProvData->psPfns->pfnAddCert2Chain( pProvData, idxSigner, fCounterSigner, idxCounterSigner, pEle->pCertContext))) { pProvData->dwError = GetLastError(); dwSgnrError = TRUST_E_SYSTEM_ERROR; goto CommonReturn; } } // // else // Signer cert has already been added pProvCert = &pSgnr->pasCertChain[pSgnr->csCertChain -1]; //DSIE: 12-Oct-2000 added to get pChainElement. pProvCert->pChainElement = pEle; pProvCert->fSelfSigned = 0 != (dwEleInfo & CERT_TRUST_IS_SELF_SIGNED) && 0 == (dwEleError & CERT_TRUST_IS_NOT_SIGNATURE_VALID); pProvCert->fTrustedRoot = pProvCert->fSelfSigned && i == pChainContext->cChain - 1 && j == pChain->cElement - 1 && 0 == (dwEleError & CERT_TRUST_IS_UNTRUSTED_ROOT); if (pProvCert->fSelfSigned) { // Check if one of the "test" roots DWORD k; for (k = 0; k < NTESTROOTS; k++) { if (CertComparePublicKeyInfo( pProvData->dwEncoding, &pProvCert->pCert->pCertInfo->SubjectPublicKeyInfo, &rgTestRootPublicKeyInfo[k])) { pProvCert->fTestCert = TRUE; fTestCert = TRUE; if (pProvData->dwRegPolicySettings & WTPF_TRUSTTEST) pProvCert->fTrustedRoot = TRUE; break; } } } // First Element in all but the first simple chain pProvCert->fTrustListSignerCert = (0 < i && 0 == j); pProvCert->fIsCyclic = (0 != (dwEleError & CERT_TRUST_IS_CYCLIC)); // Map to IE4Trust confidence if (0 == (dwEleError & CERT_TRUST_IS_NOT_SIGNATURE_VALID)) pProvCert->dwConfidence |= CERT_CONFIDENCE_SIG; if (0 == (dwEleError & CERT_TRUST_IS_NOT_TIME_VALID)) pProvCert->dwConfidence |= CERT_CONFIDENCE_TIME; // On Sep 10, 1998 Trevor/Brian wanted time nesting checks to // be disabled // if (0 == (dwEleError & CERT_TRUST_IS_NOT_TIME_NESTED)) pProvCert->dwConfidence |= CERT_CONFIDENCE_TIMENEST; if (0 != (dwEleInfo & CERT_TRUST_HAS_EXACT_MATCH_ISSUER)) pProvCert->dwConfidence |= CERT_CONFIDENCE_AUTHIDEXT; if (0 == (dwEleError & CERT_TRUST_IS_NOT_SIGNATURE_VALID) && 0 != (dwEleInfo & CERT_TRUST_HAS_EXACT_MATCH_ISSUER)) pProvCert->dwConfidence |= CERT_CONFIDENCE_HYGIENE; if (pEle->pRevocationInfo) { pProvCert->dwRevokedReason = pEle->pRevocationInfo->dwRevocationResult; } // Update any signature or revocations errors if (dwEleError & CERT_TRUST_IS_NOT_SIGNATURE_VALID) { pProvCert->dwError = TRUST_E_CERT_SIGNATURE; assert(pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID); dwSgnrError = TRUST_E_CERT_SIGNATURE; } else if (dwEleError & CERT_TRUST_IS_REVOKED) { pProvCert->dwError = CERT_E_REVOKED; assert(pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_REVOKED); if (0 == dwSgnrError || CERT_E_REVOCATION_FAILURE == dwSgnrError) dwSgnrError = CERT_E_REVOKED; } else if (dwEleError & CERT_TRUST_IS_OFFLINE_REVOCATION) { // Ignore NO_CHECK errors if (pProvData->pWintrustData->fdwRevocationChecks == WTD_REVOKE_WHOLECHAIN) { pProvCert->dwError = CERT_E_REVOCATION_FAILURE; assert(pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN); if (0 == dwSgnrError) dwSgnrError = CERT_E_REVOCATION_FAILURE; } } // If last element in simple chain, check if it was in a // CTL and update CryptProvData if it was. if (j == pChain->cElement - 1 && pChain->pTrustListInfo && pChain->pTrustListInfo->pCtlContext) { DWORD dwChainError = pChain->TrustStatus.dwErrorStatus; // Note, don't need to AddRef since we already hold an // AddRef on the ChainContext. pProvCert->pCtlContext = pChain->pTrustListInfo->pCtlContext; if (dwChainError & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID) { pProvCert->dwCtlError = TRUST_E_CERT_SIGNATURE; dwSgnrError = TRUST_E_CERT_SIGNATURE; } else if (dwChainError & CERT_TRUST_CTL_IS_NOT_TIME_VALID) { if (0 == (pProvData->dwRegPolicySettings & WTPF_IGNOREEXPIRATION)) pProvCert->dwCtlError = CERT_E_EXPIRED; } else if (dwChainError & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE) { pProvCert->dwCtlError = CERT_E_WRONG_USAGE; } } if (pProvData->psPfns->pfnCertCheckPolicy) { if (! (*pProvData->psPfns->pfnCertCheckPolicy)( pProvData, idxSigner, fCounterSigner, idxCounterSigner)) goto CommonReturn; } } } CommonReturn: if (fTestCert) { if (CERT_TRUST_IS_REVOKED == dwSgnrError || CERT_E_REVOCATION_FAILURE == dwSgnrError) { // No revocation errors for "test" roots dwSgnrError = 0; // Loop through certs and remove any revocation error status for (i = 0; i < pSgnr->csCertChain; i++) { PCRYPT_PROVIDER_CERT pProvCert = &pSgnr->pasCertChain[i]; pProvCert->dwError = 0; pProvCert->dwRevokedReason = 0; } } } if (CERT_E_REVOCATION_FAILURE == dwSgnrError && pProvData->pWintrustData->fdwRevocationChecks != WTD_REVOKE_WHOLECHAIN) // Will check during Final Policy dwSgnrError = 0; if (dwSgnrError) { pSgnr->dwError = dwSgnrError; pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] = dwSgnrError; *pdwError = S_FALSE; return FALSE; } else return TRUE; } BOOL _WalkChain( CRYPT_PROVIDER_DATA *pProvData, DWORD idxSigner, DWORD *pdwError, BOOL fCounterSigner, DWORD idxCounterSigner, BOOL fTimeStamped, BOOL *pfLifetimeSigning // IN OUT, only accessed for fTimeStamped ) { BOOL fResult; DWORD dwCreateChainFlags; DWORD dwSgnrError = 0; CRYPT_PROVIDER_SGNR *pSgnr; // not allocated PCCERT_CONTEXT pCertContext; // not allocated CERT_CHAIN_PARA ChainPara; HCERTCHAINENGINE hChainEngine = NULL; HCERTSTORE hAdditionalStore = NULL; PCCERT_CHAIN_CONTEXT pChainContext = NULL; LPSTR pszUsage = NULL; if (fCounterSigner) pSgnr = &pProvData->pasSigners[idxSigner].pasCounterSigners[ idxCounterSigner]; else pSgnr = &pProvData->pasSigners[idxSigner]; assert(pSgnr); // // at this stage, the last cert in the chain "should be" the signers cert. // eg: there should only be one cert in the chain from the Signature // Provider // if (1 != pSgnr->csCertChain || (NULL == (pCertContext = pSgnr->pasCertChain[pSgnr->csCertChain - 1].pCert))) { dwSgnrError = TRUST_E_NO_SIGNER_CERT; goto NoSignerCertError; } memset(&ChainPara, 0, sizeof(ChainPara)); ChainPara.cbSize = sizeof(ChainPara); if (fCounterSigner && SGNR_TYPE_TIMESTAMP == pSgnr->dwSignerType) { pszUsage = szOID_PKIX_KP_TIMESTAMP_SIGNING; } else if(NULL != pProvData->pRequestUsage) { ChainPara.RequestedUsage = *pProvData->pRequestUsage; } else { pszUsage = pProvData->pszUsageOID; } if ( (0 == (pProvData->dwProvFlags & WTD_NO_POLICY_USAGE_FLAG)) && pszUsage) { ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND; ChainPara.RequestedUsage.Usage.cUsageIdentifier = 1; ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = &pszUsage; } hChainEngine = GetChainEngine(pProvData); hAdditionalStore = GetChainAdditionalStore(pProvData); dwCreateChainFlags = 0; if (pProvData->dwProvFlags & CPD_REVOCATION_CHECK_NONE) { ; } else if (pProvData->dwProvFlags & CPD_REVOCATION_CHECK_END_CERT) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_END_CERT; } else if (pProvData->dwProvFlags & CPD_REVOCATION_CHECK_CHAIN) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN; } else if (pProvData->dwProvFlags & CPD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; } else if (pProvData->dwProvFlags & WTD_REVOCATION_CHECK_NONE) { ; } else if (pProvData->dwProvFlags & WTD_REVOCATION_CHECK_END_CERT) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_END_CERT; } else if (pProvData->dwProvFlags & WTD_REVOCATION_CHECK_CHAIN) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN; } else if (pProvData->dwProvFlags & WTD_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; } else if (pProvData->pWintrustData->fdwRevocationChecks == WTD_REVOKE_WHOLECHAIN) { dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN; } else if (fCounterSigner && SGNR_TYPE_TIMESTAMP == pSgnr->dwSignerType) { if (0 == (pProvData->dwRegPolicySettings & WTPF_IGNOREREVOCATIONONTS)) // On 4-12-01 changed from END_CERT to EXCLUDE_ROOT dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; } else if (0 == (pProvData->dwRegPolicySettings & WTPF_IGNOREREVOKATION)) // On 4-12-01 changed from END_CERT to EXCLUDE_ROOT dwCreateChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; if (!(pProvData->pWintrustData->dwUnionChoice == WTD_CHOICE_CERT || pProvData->pWintrustData->dwUnionChoice == WTD_CHOICE_SIGNER)) // Certificate was obtained from either the message store, or one // of our known stores dwCreateChainFlags |= CERT_CHAIN_CACHE_END_CERT; // else // Can't implicitly cache a context passed to us #if 0 { HCERTSTORE hDebugStore; if (hDebugStore = CertOpenSystemStoreA(0, "wintrust")) { CertAddCertificateContextToStore( hDebugStore, pCertContext, CERT_STORE_ADD_ALWAYS, NULL ); CertCloseStore(hDebugStore, 0); } } #endif FILETIME fileTime; memset(&fileTime, 0, sizeof(fileTime)); if (fTimeStamped && *pfLifetimeSigning) dwCreateChainFlags |= CERT_CHAIN_TIMESTAMP_TIME; if (!CertGetCertificateChain ( hChainEngine, pCertContext, (memcmp(&pSgnr->sftVerifyAsOf, &fileTime, sizeof(fileTime)) == 0) ? NULL : &pSgnr->sftVerifyAsOf, hAdditionalStore, &ChainPara, dwCreateChainFlags, NULL, // pvReserved, &pChainContext )) { pProvData->dwError = GetLastError(); dwSgnrError = TRUST_E_SYSTEM_ERROR; goto GetChainError; } if (fTimeStamped && !*pfLifetimeSigning) { // See if resultant application policy has the LIFETIME_SIGNING OID PCERT_ENHKEY_USAGE pAppUsage = pChainContext->rgpChain[0]->rgpElement[0]->pApplicationUsage; if (pAppUsage) { DWORD i; for (i = 0; i < pAppUsage->cUsageIdentifier; i++) { if (0 == strcmp(pAppUsage->rgpszUsageIdentifier[i], szOID_KP_LIFETIME_SIGNING)) { *pfLifetimeSigning = TRUE; break; } } } if (*pfLifetimeSigning) { CertFreeCertificateChain(pChainContext); pChainContext = NULL; dwCreateChainFlags |= CERT_CHAIN_TIMESTAMP_TIME; if (!CertGetCertificateChain ( hChainEngine, pCertContext, (memcmp(&pSgnr->sftVerifyAsOf, &fileTime, sizeof(fileTime)) == 0) ? NULL : &pSgnr->sftVerifyAsOf, hAdditionalStore, &ChainPara, dwCreateChainFlags, NULL, // pvReserved, &pChainContext )) { pProvData->dwError = GetLastError(); dwSgnrError = TRUST_E_SYSTEM_ERROR; goto GetChainError; } } } pSgnr->pChainContext = pChainContext; if (pProvData->dwProvFlags & WTD_NO_IE4_CHAIN_FLAG) { pProvData->dwProvFlags |= CPD_USE_NT5_CHAIN_FLAG; fResult = TRUE; } else fResult = UpdateCertProvChain( pProvData, idxSigner, pdwError, fCounterSigner, idxCounterSigner, pSgnr, pChainContext ); CommonReturn: if (hChainEngine) CertFreeCertificateChainEngine(hChainEngine); if (hAdditionalStore) CertCloseStore(hAdditionalStore, 0); return fResult; ErrorReturn: pSgnr->dwError = dwSgnrError; pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] = dwSgnrError; *pdwError = S_FALSE; fResult = FALSE; goto CommonReturn; TRACE_ERROR_EX(DBG_SS, NoSignerCertError) TRACE_ERROR_EX(DBG_SS, GetChainError) } BOOL WINAPI _IsLifetimeSigningCert( PCCERT_CONTEXT pCertContext ) { DWORD cbSize; PCERT_ENHKEY_USAGE pCertEKU; // // see if the certificate has the proper enhanced key usage OID // cbSize = 0; CertGetEnhancedKeyUsage(pCertContext, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, NULL, &cbSize); if (cbSize == 0) { return(FALSE); } if (!(pCertEKU = (PCERT_ENHKEY_USAGE)new BYTE[cbSize])) { SetLastError(ERROR_NOT_ENOUGH_MEMORY); return(FALSE); } if (!(CertGetEnhancedKeyUsage(pCertContext, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, pCertEKU, &cbSize))) { delete pCertEKU; return(FALSE); } for (int i = 0; i < (int)pCertEKU->cUsageIdentifier; i++) { if (strcmp(pCertEKU->rgpszUsageIdentifier[i], szOID_KP_LIFETIME_SIGNING) == 0) { delete pCertEKU; return(TRUE); } } delete pCertEKU; return(FALSE); }