windows-nt/Source/XPSP1/NT/ds/security/protocols/schannel/spbase/cert.c

//+---------------------------------------------------------------------------
//
//  Microsoft Windows
//  Copyright (C) Microsoft Corporation, 1992 - 1995.
//
//  File:       cert.c
//
//  Contents:   
//
//  Classes:
//
//  Functions:
//
//  History:    09-23-97   jbanes   LSA integration stuff.
//              01-05-98   jbanes   Use WinVerifyTrust to validate certs.
//              03-26-99   jbanes   Fix CTL support, bug #303246 
//
//----------------------------------------------------------------------------

#include <stdlib.h>
#include <spbase.h>
#include <ssl2msg.h>
#include <ssl3msg.h>
#include <wincrypt.h>
#include <oidenc.h>
#include <softpub.h>

#define CERT_HEADER_CONST "certificate"
#define CERT_HEADER_OFFSET 6

SP_STATUS
SchGetTrustedRoots(
    HCERTSTORE *phClientRootStore);

BOOL
WINAPI
SchCreateWorldStore (
     IN HCERTSTORE hRoot,
     IN DWORD cAdditionalStore,
     IN HCERTSTORE* rghAdditionalStore,
     OUT HCERTSTORE* phWorld);

BOOL
IsCertSelfSigned(PCCERT_CONTEXT pCertContext);


// typedef struct _OIDPROVMAP
// {
//     LPSTR   szOid;
//     DWORD   dwExchSpec;
//     DWORD   dwCertType;         // used for SSL 3.0 client auth
// }  OIDPROVMAP, *POIDPROVMAP;

OIDPROVMAP g_CertTypes[] = 
{
    { szOID_RSA_RSA,                  SP_EXCH_RSA_PKCS1,     SSL3_CERTTYPE_RSA_SIGN},
    { szOID_RSA_MD2RSA,               SP_EXCH_RSA_PKCS1,     SSL3_CERTTYPE_RSA_SIGN},
    { szOID_RSA_MD4RSA,               SP_EXCH_RSA_PKCS1,     SSL3_CERTTYPE_RSA_SIGN},
    { szOID_RSA_MD5RSA,               SP_EXCH_RSA_PKCS1,     SSL3_CERTTYPE_RSA_SIGN},
    { szOID_RSA_SHA1RSA,              SP_EXCH_RSA_PKCS1,     SSL3_CERTTYPE_RSA_SIGN},
    { szOID_OIWSEC_dsa,               SP_EXCH_DH_PKCS3,      SSL3_CERTTYPE_DSS_SIGN},
    { szOID_X957_DSA,                 SP_EXCH_DH_PKCS3,      SSL3_CERTTYPE_DSS_SIGN},
};

DWORD g_cCertTypes = sizeof(g_CertTypes)/sizeof(OIDPROVMAP);


DWORD 
MapOidToKeyExch(LPSTR szOid)
{
    DWORD i;

    for(i = 0; i < g_cCertTypes; i++)
    {
        if(strcmp(szOid, g_CertTypes[i].szOid) == 0)
        {
            return g_CertTypes[i].dwExchSpec;
        }
    }
    return 0;
}

DWORD 
MapOidToCertType(LPSTR szOid)
{
    DWORD i;

    for(i = 0; i < g_cCertTypes; i++)
    {
        if(strcmp(szOid, g_CertTypes[i].szOid) == 0)
        {
            return g_CertTypes[i].dwCertType;
        }
    }
    return 0;
}


// SPLoadCertificate takes a string of encoded cert bytes
// and decodes them into the local certificate cache.  It
// then returns the first certificate of the group.

SP_STATUS
SPLoadCertificate(
    DWORD      fProtocol,
    DWORD      dwCertEncodingType,
    PUCHAR     pCertificate,
    DWORD      cbCertificate,
    PCCERT_CONTEXT *ppCertContext)
{
    HCERTSTORE      hCertStore   = NULL;
    PCCERT_CONTEXT  pCertContext = NULL;

    PBYTE           pbCurrentRaw;
    DWORD           cbCurrentRaw;
    BOOL            fLeafCert;
    SP_STATUS       pctRet;


    //
    // Dereference the cert that we are replacing.
    //

    if(ppCertContext == NULL)
    {
        return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
    }

    if(*ppCertContext != NULL)
    {
        CertFreeCertificateContext(*ppCertContext);
    }
    *ppCertContext = NULL;


    //
    // Create an in-memory certificate store.
    //

    hCertStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 
                               0, 0, 
                               CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, 
                               0);
    if(hCertStore == NULL)
    {
        SP_LOG_RESULT(GetLastError());
        return SEC_E_INSUFFICIENT_MEMORY;
    }

    fLeafCert    = TRUE;
    pbCurrentRaw = pCertificate;
    cbCurrentRaw = cbCertificate;

    do 
    {

        //
        // Skip to beginning of certificate.
        //

        if((fProtocol & SP_PROT_SSL3TLS1) && cbCurrentRaw > 3)
        {
            // SSL3 style cert chain, where the length
            // of each cert is prepended.
            pbCurrentRaw += 3;
            cbCurrentRaw -= 3;
        }

        // Skip past the "certificate" header
        if((cbCurrentRaw > (CERT_HEADER_OFFSET + strlen(CERT_HEADER_CONST))) && 
            (memcmp(pbCurrentRaw + CERT_HEADER_OFFSET, CERT_HEADER_CONST, strlen(CERT_HEADER_CONST)) == 0))
        {
            pbCurrentRaw += CERT_HEADER_OFFSET + strlen(CERT_HEADER_CONST);
            cbCurrentRaw -= CERT_HEADER_OFFSET + strlen(CERT_HEADER_CONST);
        }


        //
        // Decode this certificate context.
        //

        if(!CertAddEncodedCertificateToStore(hCertStore, 
                                             dwCertEncodingType,
                                             pbCurrentRaw,
                                             cbCurrentRaw,
                                             CERT_STORE_ADD_USE_EXISTING,
                                             &pCertContext))
        {
            SP_LOG_RESULT(GetLastError());
            pctRet = PCT_ERR_BAD_CERTIFICATE;
            goto cleanup;
        }

        pbCurrentRaw += pCertContext->cbCertEncoded;
        if(cbCurrentRaw < pCertContext->cbCertEncoded)
        {
            pctRet =  SP_LOG_RESULT(PCT_ERR_BAD_CERTIFICATE);
            goto cleanup;
        }
        cbCurrentRaw -= pCertContext->cbCertEncoded;

        if(fLeafCert)
        {
            fLeafCert = FALSE;
            *ppCertContext = pCertContext;
        }
        else
        {
            CertFreeCertificateContext(pCertContext);
        }
        pCertContext = NULL;

    } while(cbCurrentRaw);

    pctRet = PCT_ERR_OK;


cleanup:

    CertCloseStore(hCertStore, 0);

    if(pctRet != PCT_ERR_OK)
    {
        if(pCertContext)
        {
            CertFreeCertificateContext(pCertContext);
        }
        if(*ppCertContext)
        {
            CertFreeCertificateContext(*ppCertContext);
            *ppCertContext = NULL;
        }
    }

    return pctRet;
}


SP_STATUS  
SPPublicKeyFromCert(
    PCCERT_CONTEXT  pCert, 
    PUBLICKEY **    ppKey,
    ExchSpec *      pdwExchSpec)
{
    PCERT_PUBLIC_KEY_INFO pPubKeyInfo;
    PUBLICKEY * pPublicKey;
    DWORD       dwExchSpec;
    DWORD       cbBlob;
    SP_STATUS   pctRet;

    //
    // Log the subject and issuer names.
    //

    LogDistinguishedName(DEB_TRACE, 
                         "Subject: %s\n", 
                         pCert->pCertInfo->Subject.pbData, 
                         pCert->pCertInfo->Subject.cbData);

    LogDistinguishedName(DEB_TRACE, 
                         "Issuer: %s\n", 
                         pCert->pCertInfo->Issuer.pbData, 
                         pCert->pCertInfo->Issuer.cbData);

    //
    // Determine type of public key embedded in the certificate.
    //

    pPubKeyInfo = &pCert->pCertInfo->SubjectPublicKeyInfo;
    if(pPubKeyInfo == NULL)
    {
        return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
    }

    dwExchSpec = MapOidToKeyExch(pPubKeyInfo->Algorithm.pszObjId);

    if(dwExchSpec == 0)
    {
        return PCT_INT_UNKNOWN_CREDENTIAL;
    }

    //
    // Build public key blob from encoded public key.
    //

    switch(dwExchSpec)
    {
    case SP_EXCH_RSA_PKCS1:
        pctRet = RsaPublicKeyFromCert(pPubKeyInfo,
                                      NULL,
                                      &cbBlob);
        if(pctRet != PCT_ERR_OK)
        {
            return pctRet;
        }

        pPublicKey = SPExternalAlloc(sizeof(PUBLICKEY) + cbBlob);
        if(pPublicKey == NULL)
        {
            return SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
        }

        pPublicKey->pPublic  = (BLOBHEADER *)(pPublicKey + 1);
        pPublicKey->cbPublic = cbBlob;

        pctRet = RsaPublicKeyFromCert(pPubKeyInfo,
                                      pPublicKey->pPublic,
                                      &pPublicKey->cbPublic);
        if(pctRet != PCT_ERR_OK)
        {
            SPExternalFree(pPublicKey);
            return pctRet;
        }
        break;

    case SP_EXCH_DH_PKCS3:
        pctRet = DssPublicKeyFromCert(pPubKeyInfo,
                                      NULL,
                                      &cbBlob);
        if(pctRet != PCT_ERR_OK)
        {
            return pctRet;
        }

        pPublicKey = SPExternalAlloc(sizeof(PUBLICKEY) + cbBlob);
        if(pPublicKey == NULL)
        {
            return SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
        }

        pPublicKey->pPublic  = (BLOBHEADER *)(pPublicKey + 1);
        pPublicKey->cbPublic = cbBlob;

        pctRet = DssPublicKeyFromCert(pPubKeyInfo,
                                      pPublicKey->pPublic,
                                      &pPublicKey->cbPublic);
        if(pctRet != PCT_ERR_OK)
        {
            SPExternalFree(pPublicKey);
            return pctRet;
        }
        break;

    default:
        return SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR);
    }


    //
    // Set function outputs.
    //

    *ppKey = pPublicKey;

    if(pdwExchSpec)
    {
        *pdwExchSpec = dwExchSpec;
    }

    return PCT_ERR_OK;
}


SP_STATUS
SPSerializeCertificate(
    DWORD           dwProtocol,         // in
    BOOL            fBuildChain,        // in
    PBYTE *         ppCertChain,        // out
    DWORD *         pcbCertChain,       // out
    PCCERT_CONTEXT  pCertContext,       // in
    DWORD           dwChainingFlags)    // in
{
    PCCERT_CHAIN_CONTEXT pChainContext = NULL;
    CERT_CHAIN_PARA      ChainPara;
    PCERT_SIMPLE_CHAIN   pSimpleChain;
    PCCERT_CONTEXT       pCurrentCert;

    BOOL        fSuccess = FALSE;
    PBYTE       pbCertChain;
    DWORD       cbCertChain;
    DWORD       i;
    SP_STATUS   pctRet;
    BOOL        fImpersonating = FALSE;

    SP_BEGIN("SPSerializeCertificate");

    if(pcbCertChain == NULL)
    {
        SP_RETURN( SP_LOG_RESULT(PCT_INT_INTERNAL_ERROR));
    }

    if(fBuildChain)
    {
        ZeroMemory(&ChainPara, sizeof(ChainPara));
        ChainPara.cbSize = sizeof(ChainPara);

        fImpersonating = SslImpersonateClient();

        if(!(fSuccess = CertGetCertificateChain(
                                NULL,
                                pCertContext,
                                NULL,
                                NULL,
                                &ChainPara,
                                dwChainingFlags,
                                NULL,
                                &pChainContext)))
        {
            DebugLog((DEB_WARN, "Error 0x%x returned by CertGetCertificateChain!\n", GetLastError()));
            pChainContext = NULL;
        }

        if(fImpersonating) 
        {
            RevertToSelf();
            fImpersonating = FALSE;
        }
    }

    if(!fSuccess)
    {
        //
        // Send the leaf certificate only.
        //

        // Compute size of chain.
        cbCertChain = pCertContext->cbCertEncoded;
        if(dwProtocol & SP_PROT_SSL3TLS1)
        {
            cbCertChain += CB_SSL3_CERT_VECTOR;
        }

        // Allocate memory for chain.
        if(ppCertChain == NULL)
        {
            *pcbCertChain = cbCertChain;
            pctRet = PCT_ERR_OK;
            goto cleanup;
        }
        else if(*ppCertChain == NULL)
        {
            *ppCertChain = SPExternalAlloc(cbCertChain);
            if(*ppCertChain == NULL)
            {
                pctRet = SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
                goto cleanup;
            }
        }
        else if(*pcbCertChain < cbCertChain)
        {
            pctRet = SP_LOG_RESULT(PCT_INT_BUFF_TOO_SMALL);
            goto cleanup;
        }
        *pcbCertChain = cbCertChain;

        // Place chain in output buffer.
        pbCertChain = *ppCertChain;

        if(dwProtocol & SP_PROT_SSL3TLS1)
        {
            pbCertChain[0] = MS24BOF(pCertContext->cbCertEncoded);
            pbCertChain[1] = MSBOF(pCertContext->cbCertEncoded);
            pbCertChain[2] = LSBOF(pCertContext->cbCertEncoded);
            pbCertChain += CB_SSL3_CERT_VECTOR;
        }
        CopyMemory(pbCertChain, pCertContext->pbCertEncoded, pCertContext->cbCertEncoded);

        pctRet = PCT_ERR_OK;
        goto cleanup;
    }


    //
    // Compute size of chain.
    //

    pSimpleChain = pChainContext->rgpChain[0];
    cbCertChain  = 0;

    for(i = 0; i < pSimpleChain->cElement; i++)
    {
        pCurrentCert = pSimpleChain->rgpElement[i]->pCertContext;
        
        if(i > 0)
        {
            // Verify that this is not a root certificate.
            if(CertCompareCertificateName(pCurrentCert->dwCertEncodingType, 
                                          &pCurrentCert->pCertInfo->Issuer,
                                          &pCurrentCert->pCertInfo->Subject))
            {
                break;
            }
        }

        cbCertChain += pCurrentCert->cbCertEncoded;
        if(dwProtocol & SP_PROT_SSL3TLS1)
        {
            cbCertChain += CB_SSL3_CERT_VECTOR;
        }
    }


    //
    // Allocate memory for chain.
    //

    if(ppCertChain == NULL)
    {
        *pcbCertChain = cbCertChain;
        pctRet = PCT_ERR_OK;
        goto cleanup;
    }
    else if(*ppCertChain == NULL)
    {
        *ppCertChain = SPExternalAlloc(cbCertChain);
        if(*ppCertChain == NULL)
        {
            pctRet = SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
            goto cleanup;
        }
    }
    else if(*pcbCertChain < cbCertChain)
    {
        pctRet = SP_LOG_RESULT(PCT_INT_BUFF_TOO_SMALL);
        goto cleanup;
    }
    *pcbCertChain = cbCertChain;


    //
    // Place chain in output buffer.
    //

    pbCertChain = *ppCertChain;

    for(i = 0; i < pSimpleChain->cElement; i++)
    {
        pCurrentCert = pSimpleChain->rgpElement[i]->pCertContext;
        
        if(i > 0)
        {
            // Verify that this is not a root certificate.
            if(CertCompareCertificateName(pCurrentCert->dwCertEncodingType, 
                                          &pCurrentCert->pCertInfo->Issuer,
                                          &pCurrentCert->pCertInfo->Subject))
            {
                break;
            }
        }

        if(dwProtocol & SP_PROT_SSL3TLS1)
        {
            pbCertChain[0] = MS24BOF(pCurrentCert->cbCertEncoded);
            pbCertChain[1] = MSBOF(pCurrentCert->cbCertEncoded);
            pbCertChain[2] = LSBOF(pCurrentCert->cbCertEncoded);
            pbCertChain += CB_SSL3_CERT_VECTOR;
        }
        CopyMemory(pbCertChain, pCurrentCert->pbCertEncoded, pCurrentCert->cbCertEncoded);
        pbCertChain += pCurrentCert->cbCertEncoded;
    }

    SP_ASSERT(*ppCertChain + cbCertChain == pbCertChain);

    pctRet = PCT_ERR_OK;

cleanup:

    if(pChainContext)
    {
        CertFreeCertificateChain(pChainContext);
    }

    SP_RETURN(pctRet);
}


/*****************************************************************************/
SP_STATUS 
ExtractIssuerNamesFromStore(
    HCERTSTORE  hStore,         // in
    PBYTE       pbIssuers,      // out
    DWORD       *pcbIssuers)    // in, out
{
    DWORD cbCurIssuerLen = 0;
    DWORD cbIssuerLen = *pcbIssuers;
    PBYTE pbCurIssuer = pbIssuers;
    PCCERT_CONTEXT pCurrent = NULL;
    SECURITY_STATUS scRet;
    BOOL fIsAllowed;

    // Initialize output to zero.
    *pcbIssuers = 0;

    while(TRUE)
    {
        pCurrent = CertEnumCertificatesInStore(hStore, pCurrent);
        if(pCurrent == NULL) break;

        // Is this a client-auth certificate?
        scRet = SPCheckKeyUsage(pCurrent,
                                szOID_PKIX_KP_CLIENT_AUTH,
                                FALSE,
                                &fIsAllowed);
        if(scRet != SEC_E_OK)
        {
            continue;
        }
        if(!fIsAllowed)
        {
            continue;
        }

        cbCurIssuerLen += 2 + pCurrent->pCertInfo->Subject.cbData;

        // Are we writing?
        if(pbIssuers)
        {
            if(cbCurIssuerLen > cbIssuerLen)
            {
                // Memory overrun
                CertFreeCertificateContext(pCurrent);
                return SP_LOG_RESULT(PCT_INT_DATA_OVERFLOW);
            }

            pbCurIssuer[0] = MSBOF(pCurrent->pCertInfo->Subject.cbData);
            pbCurIssuer[1] = LSBOF(pCurrent->pCertInfo->Subject.cbData);
            pbCurIssuer += 2;

            CopyMemory(pbCurIssuer, pCurrent->pCertInfo->Subject.pbData,
            pCurrent->pCertInfo->Subject.cbData);
            pbCurIssuer += pCurrent->pCertInfo->Subject.cbData;
        }
    }

    *pcbIssuers = cbCurIssuerLen;

    return PCT_ERR_OK;
}


/*****************************************************************************/
SP_STATUS 
GetDefaultIssuers(
    PBYTE   pbIssuers,      // out
    DWORD   *pcbIssuers)    // in, out
{
    HCERTSTORE  hStore;
    SP_STATUS   pctRet;

    pctRet = SchGetTrustedRoots(&hStore);
    if(pctRet != PCT_ERR_OK)
    {
        return pctRet;
    }

    pctRet = ExtractIssuerNamesFromStore(hStore, pbIssuers, pcbIssuers);
    if(pctRet != PCT_ERR_OK)
    {
        CertCloseStore(hStore, 0);
        return pctRet;
    }

    CertCloseStore(hStore, 0);
    return PCT_ERR_OK;
}


SP_STATUS
SchGetTrustedRoots(
    HCERTSTORE *phClientRootStore)
{
    HTTPSPolicyCallbackData  polHttps;
    CERT_CHAIN_POLICY_PARA   PolicyPara;
    CERT_CHAIN_POLICY_STATUS PolicyStatus;
    CERT_CHAIN_PARA          ChainPara;
    PCCERT_CHAIN_CONTEXT     pChainContext = NULL;
    LPSTR                    pszUsage;

    PCCERT_CONTEXT  pCertContext;
    HCERTSTORE      hClientRootStore = 0;
    HCERTSTORE      hRootStore       = 0;
    HCERTSTORE      hWorldStore      = 0;
    DWORD           Status           = SEC_E_OK;
    BOOL            fImpersonating   = FALSE;



    // Open output store.
    hClientRootStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 
                                     0, 0, 
                                     CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, 
                                     0);
    if(hClientRootStore == NULL)
    {
        //SP_LOG_RESULT(GetLastError());
        Status = SEC_E_INSUFFICIENT_MEMORY;
        goto cleanup;
    }

    fImpersonating = SslImpersonateClient();

    // Open root store.
    hRootStore = CertOpenSystemStore(0, "ROOT");
    if(hRootStore == NULL)
    {
        DebugLog((DEB_WARN, "Error 0x%x opening root store\n", GetLastError()));
    }

    // Create world store.
    if(!SchCreateWorldStore(hRootStore,
                            0, NULL, 
                            &hWorldStore))
    {
        DebugLog((DEB_ERROR, "Error 0x%x creating world store\n", GetLastError()));
        goto cleanup;
    }

    // Enumerate the certificates in the world store, looking 
    // for trusted roots. This approach will automatically take
    // advantage of any CTLs that are installed on the system.
    pCertContext = NULL;
    while(TRUE)
    {
        pCertContext = CertEnumCertificatesInStore(hWorldStore, pCertContext);
        if(pCertContext == NULL) break;

        if(!IsCertSelfSigned(pCertContext))
        {
            continue;
        }

        pszUsage = szOID_PKIX_KP_CLIENT_AUTH;

        ZeroMemory(&ChainPara, sizeof(ChainPara));
        ChainPara.cbSize = sizeof(ChainPara);
        ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
        ChainPara.RequestedUsage.Usage.cUsageIdentifier     = 1;
        ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = &pszUsage;

        if(!CertGetCertificateChain(
                                NULL,
                                pCertContext,
                                NULL,
                                0,
                                &ChainPara,
                                0,
                                NULL,
                                &pChainContext))
        {
            SP_LOG_RESULT(GetLastError());
            continue;
        }

        // Set up validate chain structures.
        ZeroMemory(&polHttps, sizeof(HTTPSPolicyCallbackData));
        polHttps.cbStruct           = sizeof(HTTPSPolicyCallbackData);
        polHttps.dwAuthType         = AUTHTYPE_CLIENT;
        polHttps.fdwChecks          = 0;
        polHttps.pwszServerName     = NULL;

        ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
        PolicyStatus.cbSize         = sizeof(PolicyStatus);

        ZeroMemory(&PolicyPara, sizeof(PolicyPara));
        PolicyPara.cbSize           = sizeof(PolicyPara);
        PolicyPara.pvExtraPolicyPara= &polHttps;
        PolicyPara.dwFlags = CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS;

        // Validate chain
        if(!CertVerifyCertificateChainPolicy(
                                CERT_CHAIN_POLICY_SSL,
                                pChainContext,
                                &PolicyPara,
                                &PolicyStatus))
        {
            SP_LOG_RESULT(GetLastError());
            CertFreeCertificateChain(pChainContext);
            continue;
        }

        if(PolicyStatus.dwError)
        {
            // Certificate did not validate, move on to the next one.
            CertFreeCertificateChain(pChainContext);
            continue;
        }

        CertFreeCertificateChain(pChainContext);

        // Add the root certificate to the list of trusted ones.
        if(!CertAddCertificateContextToStore(hClientRootStore,
                                             pCertContext,
                                             CERT_STORE_ADD_USE_EXISTING,
                                             NULL))
        {
            SP_LOG_RESULT(GetLastError());
        }
    }

cleanup:

    if(hRootStore)
    {
        CertCloseStore(hRootStore, 0);
    }

    if(hWorldStore)
    {
        CertCloseStore(hWorldStore, 0);
    }

    if(fImpersonating)
    {
        RevertToSelf();
    }

    if(Status == SEC_E_OK)
    {
        *phClientRootStore = hClientRootStore;
    }

    return Status;
}


//+---------------------------------------------------------------------------
//
//  Function:   ChainCreateCollectionIncludingCtlCertificates
//
//  Synopsis:   create a collection which includes the source store hStore and
//              any CTL certificates from it
//
//----------------------------------------------------------------------------
BOOL WINAPI
ChainCreateCollectionIncludingCtlCertificates (
     IN HCERTSTORE hStore,
     OUT HCERTSTORE* phCollection
     )
{
    BOOL          fResult = FALSE;
    HCERTSTORE    hCollection;
    PCCTL_CONTEXT pCtlContext = NULL;
    HCERTSTORE    hCtlStore;

    hCollection = CertOpenStore(
                      CERT_STORE_PROV_COLLECTION,
                      X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                      0,
                      CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG,
                      NULL
                      );

    if ( hCollection == NULL )
    {
        return( FALSE );
    }

    fResult = CertAddStoreToCollection( hCollection, hStore, 0, 0 );

    while ( ( fResult == TRUE ) &&
            ( ( pCtlContext = CertEnumCTLsInStore(
                                  hStore,
                                  pCtlContext
                                  ) ) != NULL ) )
    {
        hCtlStore = CertOpenStore(
                        CERT_STORE_PROV_MSG,
                        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                        0,
                        0,
                        pCtlContext->hCryptMsg
                        );

        if ( hCtlStore != NULL )
        {
            fResult = CertAddStoreToCollection(
                          hCollection,
                          hCtlStore,
                          0,
                          0
                          );

            CertCloseStore( hCtlStore, 0 );
        }
    }

    if ( fResult == TRUE )
    {
        *phCollection = hCollection;
    }
    else
    {
        CertCloseStore( hCollection, 0 );
    }

    return( fResult );
}


BOOL
WINAPI
SchCreateWorldStore (
     IN HCERTSTORE hRoot,
     IN DWORD cAdditionalStore,
     IN HCERTSTORE* rghAdditionalStore,
     OUT HCERTSTORE* phWorld)
{
    BOOL       fResult;
    HCERTSTORE hWorld;
    HCERTSTORE hStore, hCtl;
    DWORD      cCount;

    hWorld = CertOpenStore(
                 CERT_STORE_PROV_COLLECTION,
                 X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                 0,
                 CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG,
                 NULL
                 );

    if ( hWorld == NULL )
    {
        return( FALSE );
    }

    fResult = CertAddStoreToCollection( hWorld, hRoot, 0, 0 );

    for ( cCount = 0;
          ( cCount < cAdditionalStore ) && ( fResult == TRUE );
          cCount++ )
    {
        fResult = CertAddStoreToCollection(
                      hWorld,
                      rghAdditionalStore[ cCount ],
                      0,
                      0
                      );
    }

    if ( fResult == TRUE )
    {
        hStore = CertOpenSystemStore(0, "trust");
        if( hStore != NULL )
        {
            if(ChainCreateCollectionIncludingCtlCertificates(hStore, &hCtl))
            {
                if(!CertAddStoreToCollection( hWorld, hCtl, 0, 0 ))
                {
                    DebugLog((DEB_WARN, "Error 0x%x adding CTL collection\n", GetLastError()));
                }
                CertCloseStore( hCtl, 0 );
            }
            else
            {
                DebugLog((DEB_WARN, "Error 0x%x creating CTL collection\n", GetLastError()));
            }
            CertCloseStore( hStore, 0 );
        }
    }

    if ( fResult == TRUE )
    {
        hStore = CertOpenSystemStore(0, "ca");
        if ( hStore != NULL )
        {
            fResult = CertAddStoreToCollection( hWorld, hStore, 0, 0 );
            CertCloseStore( hStore, 0 );
        }
        else
        {
            fResult = FALSE;
        }
    }

    if ( fResult == TRUE )
    {
        hStore = CertOpenSystemStore(0, "my");
        if ( hStore != NULL )
        {
            fResult = CertAddStoreToCollection( hWorld, hStore, 0, 0 );
            CertCloseStore( hStore, 0 );
        }
        else
        {
            fResult = FALSE;
        }
    }

    if ( fResult == TRUE )
    {
        *phWorld = hWorld;
    }
    else
    {
        CertCloseStore( hWorld, 0 );
    }

    return( fResult );
}


BOOL
IsCertSelfSigned(PCCERT_CONTEXT pCertContext)
{
    // Compare subject and issuer names.
    if(pCertContext->pCertInfo->Subject.cbData == pCertContext->pCertInfo->Issuer.cbData)
    {
        if(memcmp(pCertContext->pCertInfo->Subject.pbData,
                  pCertContext->pCertInfo->Issuer.pbData,  
                  pCertContext->pCertInfo->Issuer.cbData) == 0)
        {
            return TRUE;
        }
    }

    return FALSE;
}


SP_STATUS
MapWinTrustError(DWORD Status, DWORD DefaultError, DWORD dwIgnoreErrors)
{
    if((Status == CRYPT_E_NO_REVOCATION_CHECK) &&
       (dwIgnoreErrors & CRED_FLAG_IGNORE_NO_REVOCATION_CHECK))
    {
        DebugLog((DEB_WARN, "MapWinTrustError: Ignoring CRYPT_E_NO_REVOCATION_CHECK\n"));
        Status = STATUS_SUCCESS;
    }
    if((Status == CRYPT_E_REVOCATION_OFFLINE) &&
       (dwIgnoreErrors & CRED_FLAG_IGNORE_REVOCATION_OFFLINE))
    {
        DebugLog((DEB_WARN, "MapWinTrustError: Ignoring CRYPT_E_REVOCATION_OFFLINE\n"));
        Status = STATUS_SUCCESS;
    }

    if(HRESULT_FACILITY(Status) == FACILITY_SECURITY)
    {
        return (Status);
    }

    switch(Status)
    {
        case ERROR_SUCCESS:
            return SEC_E_OK;

        // Expired certificate.
        case CERT_E_EXPIRED:
        case CERT_E_VALIDITYPERIODNESTING:
            return SEC_E_CERT_EXPIRED;

        // Unknown CA
        case CERT_E_UNTRUSTEDROOT:
        case CERT_E_UNTRUSTEDCA:
            return SEC_E_UNTRUSTED_ROOT;

        // Certificate revoked.
        case CERT_E_REVOKED:
            return CRYPT_E_REVOKED;

        // Target name doesn't match name in certificate.
        case CERT_E_CN_NO_MATCH:
            return SEC_E_WRONG_PRINCIPAL;

        // Some other error.
        default:
            if(DefaultError)
            {
                return DefaultError;
            }
            else
            {
                return SEC_E_CERT_UNKNOWN;
            }
    }
}

NTSTATUS
VerifyClientCertificate(
    PCCERT_CONTEXT  pCertContext,
    DWORD           dwCertFlags,
    DWORD           dwIgnoreErrors,
    LPCSTR          pszPolicyOID,
    PCCERT_CHAIN_CONTEXT *ppChainContext)   // optional
{
    HTTPSPolicyCallbackData  polHttps;
    CERT_CHAIN_POLICY_PARA   PolicyPara;
    CERT_CHAIN_POLICY_STATUS PolicyStatus;
    CERT_CHAIN_PARA          ChainPara;
    PCCERT_CHAIN_CONTEXT     pChainContext = NULL;
    DWORD                    Status;
    LPSTR                    pszUsage;
    BOOL                     fImpersonating = FALSE;

    //
    // Build certificate chain.
    //

    fImpersonating = SslImpersonateClient();

    pszUsage = szOID_PKIX_KP_CLIENT_AUTH;

    ZeroMemory(&ChainPara, sizeof(ChainPara));
    ChainPara.cbSize = sizeof(ChainPara);
    ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
    ChainPara.RequestedUsage.Usage.cUsageIdentifier     = 1;
    ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = &pszUsage;

    if(!CertGetCertificateChain(
                            NULL,                       // hChainEngine
                            pCertContext,               // pCertContext
                            NULL,                       // pTime
                            pCertContext->hCertStore,   // hAdditionalStore
                            &ChainPara,                 // pChainPara
                            dwCertFlags,                // dwFlags
                            NULL,                       // pvReserved
                            &pChainContext))            // ppChainContext
    {
        Status = SP_LOG_RESULT(GetLastError());
        goto cleanup;
    }


    //
    // Validate certificate chain.
    // 

    if(pszPolicyOID == CERT_CHAIN_POLICY_NT_AUTH)
    {
        ZeroMemory(&PolicyPara, sizeof(PolicyPara));
        PolicyPara.cbSize   = sizeof(PolicyPara);
        PolicyPara.dwFlags  = BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG;
    }
    else
    {
        ZeroMemory(&polHttps, sizeof(HTTPSPolicyCallbackData));
        polHttps.cbStruct   = sizeof(HTTPSPolicyCallbackData);
        polHttps.dwAuthType = AUTHTYPE_CLIENT;
        polHttps.fdwChecks  = 0;

        ZeroMemory(&PolicyPara, sizeof(PolicyPara));
        PolicyPara.cbSize            = sizeof(PolicyPara);
        PolicyPara.pvExtraPolicyPara = &polHttps;
    }

    ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
    PolicyStatus.cbSize = sizeof(PolicyStatus);

    if(!CertVerifyCertificateChainPolicy(
                            pszPolicyOID,
                            pChainContext,
                            &PolicyPara,
                            &PolicyStatus))
    {
        Status = SP_LOG_RESULT(GetLastError());
        goto cleanup;
    }

#if DBG
    if(PolicyStatus.dwError)
    {
        DebugLog((DEB_WARN, "CertVerifyCertificateChainPolicy returned 0x%x\n", PolicyStatus.dwError));
    }
#endif

    Status = MapWinTrustError(PolicyStatus.dwError, 0, dwIgnoreErrors);

    if(Status)
    {
        DebugLog((DEB_ERROR, "MapWinTrustError returned 0x%x\n", Status));
        goto cleanup;
    }

    Status = STATUS_SUCCESS;

    if(ppChainContext != NULL)
    {
        *ppChainContext = pChainContext;
        pChainContext = NULL;
    }

cleanup:

    if(pChainContext)
    {
        CertFreeCertificateChain(pChainContext);
    }

    if(fImpersonating) RevertToSelf();

    return Status;
}


NTSTATUS
AutoVerifyServerCertificate(PSPContext pContext)
{
    PSPCredentialGroup pCredGroup;
    DWORD dwCertFlags = 0;
    DWORD dwIgnoreErrors = 0;

    if(pContext->Flags & CONTEXT_FLAG_MANUAL_CRED_VALIDATION)
    {
        return STATUS_SUCCESS;
    }

    pCredGroup = pContext->pCredGroup;
    if(pCredGroup == NULL)
    {
        return SP_LOG_RESULT(SEC_E_INTERNAL_ERROR);
    }

    if(pCredGroup->dwFlags & CRED_FLAG_REVCHECK_END_CERT)
        dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_END_CERT;
    if(pCredGroup->dwFlags & CRED_FLAG_REVCHECK_CHAIN)
        dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN;
    if(pCredGroup->dwFlags & CRED_FLAG_REVCHECK_CHAIN_EXCLUDE_ROOT)
        dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
    if(pCredGroup->dwFlags & CRED_FLAG_IGNORE_NO_REVOCATION_CHECK)
        dwIgnoreErrors |= CRED_FLAG_IGNORE_NO_REVOCATION_CHECK;
    if(pCredGroup->dwFlags & CRED_FLAG_IGNORE_REVOCATION_OFFLINE)
        dwIgnoreErrors |= CRED_FLAG_IGNORE_REVOCATION_OFFLINE;

    return VerifyServerCertificate(pContext, dwCertFlags, dwIgnoreErrors);
}


NTSTATUS
VerifyServerCertificate(
    PSPContext  pContext,
    DWORD       dwCertFlags,
    DWORD       dwIgnoreErrors)
{
    HTTPSPolicyCallbackData  polHttps;
    CERT_CHAIN_POLICY_PARA   PolicyPara;
    CERT_CHAIN_POLICY_STATUS PolicyStatus;
    CERT_CHAIN_PARA          ChainPara;
    PCCERT_CHAIN_CONTEXT     pChainContext = NULL;

    #define SERVER_USAGE_COUNT 3
    LPSTR               rgszUsages[SERVER_USAGE_COUNT] = {
                            szOID_PKIX_KP_SERVER_AUTH,
                            szOID_SERVER_GATED_CRYPTO,
                            szOID_SGC_NETSCAPE };
 
    DWORD               Status;
    PWSTR               pwszServerName = NULL;
    PSPCredentialGroup  pCred;
    PCCERT_CONTEXT      pCertContext;
    BOOL                fImpersonating = FALSE;

    pCred = pContext->pCredGroup;
    if(pCred == NULL)
    {
        return SEC_E_INTERNAL_ERROR;
    }

    pCertContext = pContext->RipeZombie->pRemoteCert;
    if(pCertContext == NULL)
    {
        return SEC_E_INTERNAL_ERROR;
    }


    //
    // Build certificate chain.
    //

    fImpersonating = SslImpersonateClient();

    ZeroMemory(&ChainPara, sizeof(ChainPara));
    ChainPara.cbSize = sizeof(ChainPara);
    ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
    ChainPara.RequestedUsage.Usage.cUsageIdentifier     = SERVER_USAGE_COUNT;
    ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = rgszUsages;

    if(!CertGetCertificateChain(
                            NULL,                       // hChainEngine
                            pCertContext,               // pCertContext
                            NULL,                       // pTime
                            pCertContext->hCertStore,   // hAdditionalStore
                            &ChainPara,                 // pChainPara
                            dwCertFlags,                // dwFlags
                            NULL,                       // pvReserved
                            &pChainContext))            // ppChainContext
    {
        Status = SP_LOG_RESULT(GetLastError());
        goto cleanup;
    }


    //
    // Validate certificate chain.
    // 

    if(!(pCred->dwFlags & CRED_FLAG_NO_SERVERNAME_CHECK))
    {
        pwszServerName = pContext->RipeZombie->szCacheID;

        if(pwszServerName == NULL || lstrlenW(pwszServerName) == 0)
        {
            Status = SP_LOG_RESULT(SEC_E_WRONG_PRINCIPAL);
            goto cleanup;
        }
    }

    ZeroMemory(&polHttps, sizeof(HTTPSPolicyCallbackData));
    polHttps.cbStruct           = sizeof(HTTPSPolicyCallbackData);
    polHttps.dwAuthType         = AUTHTYPE_SERVER;
    polHttps.fdwChecks          = 0;
    polHttps.pwszServerName     = pwszServerName;

    ZeroMemory(&PolicyPara, sizeof(PolicyPara));
    PolicyPara.cbSize            = sizeof(PolicyPara);
    PolicyPara.pvExtraPolicyPara = &polHttps;

    ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
    PolicyStatus.cbSize = sizeof(PolicyStatus);

    if(!CertVerifyCertificateChainPolicy(
                            CERT_CHAIN_POLICY_SSL,
                            pChainContext,
                            &PolicyPara,
                            &PolicyStatus))
    {
        Status = SP_LOG_RESULT(GetLastError());
        goto cleanup;
    }

#if DBG
    if(PolicyStatus.dwError)
    {
        DebugLog((DEB_WARN, "CertVerifyCertificateChainPolicy returned 0x%x\n", PolicyStatus.dwError));
    }
#endif

    Status = MapWinTrustError(PolicyStatus.dwError, 0, dwIgnoreErrors);

    if(Status)
    {
        DebugLog((DEB_ERROR, "MapWinTrustError returned 0x%x\n", Status));
        LogBogusServerCertEvent(pCertContext, pwszServerName, Status);
        goto cleanup;
    }

    Status = STATUS_SUCCESS;


cleanup:

    if(pChainContext)
    {
        CertFreeCertificateChain(pChainContext);
    }

    if(fImpersonating) RevertToSelf();

    return Status;
}


SECURITY_STATUS
SPCheckKeyUsage(
    PCCERT_CONTEXT  pCertContext, 
    PSTR            pszUsage,
    BOOL            fOnCertOnly,
    PBOOL           pfIsAllowed)
{
    PCERT_ENHKEY_USAGE pKeyUsage;
    DWORD cbKeyUsage;
    DWORD j;
    BOOL  fFound;
    DWORD dwFlags = 0;

    if(fOnCertOnly)
    {
        dwFlags = CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG;
    }

    // Determine size of usage information.
    if(!CertGetEnhancedKeyUsage(pCertContext,
                                dwFlags, 
                                NULL,
                                &cbKeyUsage))
    {
        // No usage information exists.
        *pfIsAllowed = TRUE;
        return SEC_E_OK;
    }

    pKeyUsage = SPExternalAlloc(cbKeyUsage);
    if(pKeyUsage == NULL)
    {
        *pfIsAllowed = FALSE;
        return SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
    }

    // Read key usage information.
    if(!CertGetEnhancedKeyUsage(pCertContext,
                                dwFlags, 
                                pKeyUsage,
                                &cbKeyUsage))
    {
        // No usage information exists.
        SPExternalFree(pKeyUsage);
        *pfIsAllowed = TRUE;
        return SEC_E_OK;
    }

    if(pKeyUsage->cUsageIdentifier == 0 && GetLastError() == CRYPT_E_NOT_FOUND)
    {
        // No usage information exists.
        SPExternalFree(pKeyUsage);
        *pfIsAllowed = TRUE;
        return SEC_E_OK;
    }

    // See if requested usage is in list of supported usages.
    fFound = FALSE;
    for(j = 0; j < pKeyUsage->cUsageIdentifier; j++)
    {
        if(strcmp(pszUsage, pKeyUsage->rgpszUsageIdentifier[j]) == 0)
        {
            fFound = TRUE;
            break;
        }
    }

    SPExternalFree(pKeyUsage);

    if(!fFound)
    {
        // Usage extensions found, but doesn't list ours.
        *pfIsAllowed = FALSE;
    }
    else
    {
        *pfIsAllowed = TRUE;
    }

    return SEC_E_OK;
}