search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
wined3d: Correctly destroy the adapter on format initialization failure in no3d mode.
[wine/zf.git] / dlls / crypt32 / cert.c
blobe4cab01cd92e1f703a8b7e757d18903dd0cd120c
1 /*
2 * Copyright 2004-2006 Juan Lang
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
17 *
18 */
19
20 #include <assert.h>
21 #include <stdarg.h>
22
23 #define NONAMELESSUNION
24 #include "ntstatus.h"
25 #define WIN32_NO_STATUS
26 #include "windef.h"
27 #include "winbase.h"
28 #include "winternl.h"
29 #define CRYPT_OID_INFO_HAS_EXTRA_FIELDS
30 #include "wincrypt.h"
31 #include "snmp.h"
32 #include "bcrypt.h"
33 #include "winnls.h"
34 #include "rpc.h"
35 #include "wine/debug.h"
36 #include "wine/unicode.h"
37 #include "crypt32_private.h"
38
39 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
40
41 /* Internal version of CertGetCertificateContextProperty that gets properties
42 * directly from the context (or the context it's linked to, depending on its
43 * type.) Doesn't handle special-case properties, since they are handled by
44 * CertGetCertificateContextProperty, and are particular to the store in which
45 * the property exists (which is separate from the context.)
46 */
47 static BOOL CertContext_GetProperty(cert_t *cert, DWORD dwPropId,
48 void *pvData, DWORD *pcbData);
49
50 /* Internal version of CertSetCertificateContextProperty that sets properties
51 * directly on the context (or the context it's linked to, depending on its
52 * type.) Doesn't handle special cases, since they're handled by
53 * CertSetCertificateContextProperty anyway.
54 */
55 static BOOL CertContext_SetProperty(cert_t *cert, DWORD dwPropId,
56 DWORD dwFlags, const void *pvData);
57
58 BOOL WINAPI CertAddEncodedCertificateToStore(HCERTSTORE hCertStore,
59 DWORD dwCertEncodingType, const BYTE *pbCertEncoded, DWORD cbCertEncoded,
60 DWORD dwAddDisposition, PCCERT_CONTEXT *ppCertContext)
61 {
62 PCCERT_CONTEXT cert = CertCreateCertificateContext(dwCertEncodingType,
63 pbCertEncoded, cbCertEncoded);
64 BOOL ret;
65
66 TRACE("(%p, %08x, %p, %d, %08x, %p)\n", hCertStore, dwCertEncodingType,
67 pbCertEncoded, cbCertEncoded, dwAddDisposition, ppCertContext);
68
69 if (cert)
70 {
71 ret = CertAddCertificateContextToStore(hCertStore, cert,
72 dwAddDisposition, ppCertContext);
73 CertFreeCertificateContext(cert);
74 }
75 else
76 ret = FALSE;
77 return ret;
78 }
79
80 BOOL WINAPI CertAddEncodedCertificateToSystemStoreA(LPCSTR pszCertStoreName,
81 const BYTE *pbCertEncoded, DWORD cbCertEncoded)
82 {
83 HCERTSTORE store;
84 BOOL ret = FALSE;
85
86 TRACE("(%s, %p, %d)\n", debugstr_a(pszCertStoreName), pbCertEncoded,
87 cbCertEncoded);
88
89 store = CertOpenSystemStoreA(0, pszCertStoreName);
90 if (store)
91 {
92 ret = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING,
93 pbCertEncoded, cbCertEncoded, CERT_STORE_ADD_USE_EXISTING, NULL);
94 CertCloseStore(store, 0);
95 }
96 return ret;
97 }
98
99 BOOL WINAPI CertAddEncodedCertificateToSystemStoreW(LPCWSTR pszCertStoreName,
100 const BYTE *pbCertEncoded, DWORD cbCertEncoded)
101 {
102 HCERTSTORE store;
103 BOOL ret = FALSE;
104
105 TRACE("(%s, %p, %d)\n", debugstr_w(pszCertStoreName), pbCertEncoded,
106 cbCertEncoded);
107
108 store = CertOpenSystemStoreW(0, pszCertStoreName);
109 if (store)
110 {
111 ret = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING,
112 pbCertEncoded, cbCertEncoded, CERT_STORE_ADD_USE_EXISTING, NULL);
113 CertCloseStore(store, 0);
114 }
115 return ret;
116 }
117
118 static const context_vtbl_t cert_vtbl;
119
120 static void Cert_free(context_t *context)
121 {
122 cert_t *cert = (cert_t*)context;
123
124 CryptMemFree(cert->ctx.pbCertEncoded);
125 LocalFree(cert->ctx.pCertInfo);
126 }
127
128 static context_t *Cert_clone(context_t *context, WINECRYPT_CERTSTORE *store, BOOL use_link)
129 {
130 cert_t *cert;
131
132 if(use_link) {
133 cert = (cert_t*)Context_CreateLinkContext(sizeof(CERT_CONTEXT), context, store);
134 if(!cert)
135 return NULL;
136 }else {
137 const cert_t *cloned = (const cert_t*)context;
138 DWORD size = 0;
139 BOOL res;
140
141 cert = (cert_t*)Context_CreateDataContext(sizeof(CERT_CONTEXT), &cert_vtbl, store);
142 if(!cert)
143 return NULL;
144
145 Context_CopyProperties(&cert->ctx, &cloned->ctx);
146
147 cert->ctx.dwCertEncodingType = cloned->ctx.dwCertEncodingType;
148 cert->ctx.pbCertEncoded = CryptMemAlloc(cloned->ctx.cbCertEncoded);
149 memcpy(cert->ctx.pbCertEncoded, cloned->ctx.pbCertEncoded, cloned->ctx.cbCertEncoded);
150 cert->ctx.cbCertEncoded = cloned->ctx.cbCertEncoded;
151
152 /* FIXME: We don't need to decode the object here, we could just clone cert info. */
153 res = CryptDecodeObjectEx(cert->ctx.dwCertEncodingType, X509_CERT_TO_BE_SIGNED,
154 cert->ctx.pbCertEncoded, cert->ctx.cbCertEncoded, CRYPT_DECODE_ALLOC_FLAG, NULL,
155 &cert->ctx.pCertInfo, &size);
156 if(!res) {
157 CertFreeCertificateContext(&cert->ctx);
158 return NULL;
159 }
160 }
161
162 cert->ctx.hCertStore = store;
163 return &cert->base;
164 }
165
166 static const context_vtbl_t cert_vtbl = {
167 Cert_free,
168 Cert_clone
169 };
170
171 static BOOL add_cert_to_store(WINECRYPT_CERTSTORE *store, const CERT_CONTEXT *cert,
172 DWORD add_disposition, BOOL use_link, PCCERT_CONTEXT *ret_context)
173 {
174 const CERT_CONTEXT *existing = NULL;
175 BOOL ret = TRUE, inherit_props = FALSE;
176 context_t *new_context = NULL;
177
178 switch (add_disposition)
179 {
180 case CERT_STORE_ADD_ALWAYS:
181 break;
182 case CERT_STORE_ADD_NEW:
183 case CERT_STORE_ADD_REPLACE_EXISTING:
184 case CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES:
185 case CERT_STORE_ADD_USE_EXISTING:
186 case CERT_STORE_ADD_NEWER:
187 case CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES:
188 {
189 BYTE hashToAdd[20];
190 DWORD size = sizeof(hashToAdd);
191
192 ret = CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID,
193 hashToAdd, &size);
194 if (ret)
195 {
196 CRYPT_HASH_BLOB blob = { sizeof(hashToAdd), hashToAdd };
197
198 existing = CertFindCertificateInStore(store, cert->dwCertEncodingType, 0,
199 CERT_FIND_SHA1_HASH, &blob, NULL);
200 }
201 break;
202 }
203 default:
204 FIXME("Unimplemented add disposition %d\n", add_disposition);
205 SetLastError(E_INVALIDARG);
206 return FALSE;
207 }
208
209 switch (add_disposition)
210 {
211 case CERT_STORE_ADD_ALWAYS:
212 break;
213 case CERT_STORE_ADD_NEW:
214 if (existing)
215 {
216 TRACE("found matching certificate, not adding\n");
217 SetLastError(CRYPT_E_EXISTS);
218 return FALSE;
219 }
220 break;
221 case CERT_STORE_ADD_REPLACE_EXISTING:
222 break;
223 case CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES:
224 if (use_link)
225 FIXME("CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES: semi-stub for links\n");
226 if (existing)
227 inherit_props = TRUE;
228 break;
229 case CERT_STORE_ADD_USE_EXISTING:
230 if(use_link)
231 FIXME("CERT_STORE_ADD_USE_EXISTING: semi-stub for links\n");
232 if (existing)
233 {
234 Context_CopyProperties(existing, cert);
235 if (ret_context)
236 *ret_context = CertDuplicateCertificateContext(existing);
237 return TRUE;
238 }
239 break;
240 case CERT_STORE_ADD_NEWER:
241 if (existing && CompareFileTime(&existing->pCertInfo->NotBefore, &cert->pCertInfo->NotBefore) >= 0)
242 {
243 TRACE("existing certificate is newer, not adding\n");
244 SetLastError(CRYPT_E_EXISTS);
245 return FALSE;
246 }
247 break;
248 case CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES:
249 if (existing)
250 {
251 if (CompareFileTime(&existing->pCertInfo->NotBefore, &cert->pCertInfo->NotBefore) >= 0)
252 {
253 TRACE("existing certificate is newer, not adding\n");
254 SetLastError(CRYPT_E_EXISTS);
255 return FALSE;
256 }
257 inherit_props = TRUE;
258 }
259 break;
260 }
261
262 /* FIXME: We have tests that this works, but what should we really do in this case? */
263 if(!store) {
264 if(ret_context)
265 *ret_context = CertDuplicateCertificateContext(cert);
266 return TRUE;
267 }
268
269 ret = store->vtbl->certs.addContext(store, context_from_ptr(cert), existing ? context_from_ptr(existing) : NULL,
270 (ret_context || inherit_props) ? &new_context : NULL, use_link);
271 if(!ret)
272 return FALSE;
273
274 if(inherit_props)
275 Context_CopyProperties(context_ptr(new_context), existing);
276
277 if(ret_context)
278 *ret_context = context_ptr(new_context);
279 else if(new_context)
280 Context_Release(new_context);
281
282 TRACE("returning %d\n", ret);
283 return ret;
284 }
285
286 BOOL WINAPI CertAddCertificateContextToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext,
287 DWORD dwAddDisposition, PCCERT_CONTEXT *ppStoreContext)
288 {
289 WINECRYPT_CERTSTORE *store = hCertStore;
290
291 TRACE("(%p, %p, %08x, %p)\n", hCertStore, pCertContext, dwAddDisposition, ppStoreContext);
292
293 return add_cert_to_store(store, pCertContext, dwAddDisposition, FALSE, ppStoreContext);
294 }
295
296 BOOL WINAPI CertAddCertificateLinkToStore(HCERTSTORE hCertStore,
297 PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition,
298 PCCERT_CONTEXT *ppCertContext)
299 {
300 static int calls;
301 WINECRYPT_CERTSTORE *store = (WINECRYPT_CERTSTORE*)hCertStore;
302
303 if (!(calls++))
304 FIXME("(%p, %p, %08x, %p): semi-stub\n", hCertStore, pCertContext,
305 dwAddDisposition, ppCertContext);
306 if (store->dwMagic != WINE_CRYPTCERTSTORE_MAGIC)
307 return FALSE;
308 if (store->type == StoreTypeCollection)
309 {
310 SetLastError(E_INVALIDARG);
311 return FALSE;
312 }
313 return add_cert_to_store(hCertStore, pCertContext, dwAddDisposition, TRUE, ppCertContext);
314 }
315
316 PCCERT_CONTEXT WINAPI CertCreateCertificateContext(DWORD dwCertEncodingType,
317 const BYTE *pbCertEncoded, DWORD cbCertEncoded)
318 {
319 cert_t *cert = NULL;
320 BYTE *data = NULL;
321 BOOL ret;
322 PCERT_INFO certInfo = NULL;
323 DWORD size = 0;
324
325 TRACE("(%08x, %p, %d)\n", dwCertEncodingType, pbCertEncoded,
326 cbCertEncoded);
327
328 if ((dwCertEncodingType & CERT_ENCODING_TYPE_MASK) != X509_ASN_ENCODING)
329 {
330 SetLastError(E_INVALIDARG);
331 return NULL;
332 }
333
334 ret = CryptDecodeObjectEx(dwCertEncodingType, X509_CERT_TO_BE_SIGNED,
335 pbCertEncoded, cbCertEncoded, CRYPT_DECODE_ALLOC_FLAG, NULL,
336 &certInfo, &size);
337 if (!ret)
338 return NULL;
339
340 cert = (cert_t*)Context_CreateDataContext(sizeof(CERT_CONTEXT), &cert_vtbl, &empty_store);
341 if (!cert)
342 return NULL;
343 data = CryptMemAlloc(cbCertEncoded);
344 if (!data)
345 {
346 Context_Release(&cert->base);
347 return NULL;
348 }
349
350 memcpy(data, pbCertEncoded, cbCertEncoded);
351 cert->ctx.dwCertEncodingType = dwCertEncodingType;
352 cert->ctx.pbCertEncoded = data;
353 cert->ctx.cbCertEncoded = cbCertEncoded;
354 cert->ctx.pCertInfo = certInfo;
355 cert->ctx.hCertStore = &empty_store;
356
357 return &cert->ctx;
358 }
359
360 PCCERT_CONTEXT WINAPI CertDuplicateCertificateContext(PCCERT_CONTEXT pCertContext)
361 {
362 TRACE("(%p)\n", pCertContext);
363
364 if (!pCertContext)
365 return NULL;
366
367 Context_AddRef(&cert_from_ptr(pCertContext)->base);
368 return pCertContext;
369 }
370
371 BOOL WINAPI CertFreeCertificateContext(PCCERT_CONTEXT pCertContext)
372 {
373 TRACE("(%p)\n", pCertContext);
374
375 if (pCertContext)
376 Context_Release(&cert_from_ptr(pCertContext)->base);
377 return TRUE;
378 }
379
380 DWORD WINAPI CertEnumCertificateContextProperties(PCCERT_CONTEXT pCertContext,
381 DWORD dwPropId)
382 {
383 cert_t *cert = cert_from_ptr(pCertContext);
384 DWORD ret;
385
386 TRACE("(%p, %d)\n", pCertContext, dwPropId);
387
388 if (cert->base.properties)
389 ret = ContextPropertyList_EnumPropIDs(cert->base.properties, dwPropId);
390 else
391 ret = 0;
392 return ret;
393 }
394
395 static BOOL CertContext_GetHashProp(cert_t *cert, DWORD dwPropId,
396 ALG_ID algID, const BYTE *toHash, DWORD toHashLen, void *pvData,
397 DWORD *pcbData)
398 {
399 BOOL ret = CryptHashCertificate(0, algID, 0, toHash, toHashLen, pvData,
400 pcbData);
401 if (ret && pvData)
402 {
403 CRYPT_DATA_BLOB blob = { *pcbData, pvData };
404
405 ret = CertContext_SetProperty(cert, dwPropId, 0, &blob);
406 }
407 return ret;
408 }
409
410 static BOOL CertContext_CopyParam(void *pvData, DWORD *pcbData, const void *pb,
411 DWORD cb)
412 {
413 BOOL ret = TRUE;
414
415 if (!pvData)
416 *pcbData = cb;
417 else if (*pcbData < cb)
418 {
419 SetLastError(ERROR_MORE_DATA);
420 *pcbData = cb;
421 ret = FALSE;
422 }
423 else
424 {
425 memcpy(pvData, pb, cb);
426 *pcbData = cb;
427 }
428 return ret;
429 }
430
431 static BOOL CertContext_GetProperty(cert_t *cert, DWORD dwPropId,
432 void *pvData, DWORD *pcbData)
433 {
434 BOOL ret;
435 CRYPT_DATA_BLOB blob;
436
437 TRACE("(%p, %d, %p, %p)\n", cert, dwPropId, pvData, pcbData);
438
439 if (cert->base.properties)
440 ret = ContextPropertyList_FindProperty(cert->base.properties, dwPropId, &blob);
441 else
442 ret = FALSE;
443 if (ret)
444 ret = CertContext_CopyParam(pvData, pcbData, blob.pbData, blob.cbData);
445 else
446 {
447 /* Implicit properties */
448 switch (dwPropId)
449 {
450 case CERT_SHA1_HASH_PROP_ID:
451 ret = CertContext_GetHashProp(cert, dwPropId, CALG_SHA1,
452 cert->ctx.pbCertEncoded, cert->ctx.cbCertEncoded, pvData,
453 pcbData);
454 break;
455 case CERT_MD5_HASH_PROP_ID:
456 ret = CertContext_GetHashProp(cert, dwPropId, CALG_MD5,
457 cert->ctx.pbCertEncoded, cert->ctx.cbCertEncoded, pvData,
458 pcbData);
459 break;
460 case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID:
461 ret = CertContext_GetHashProp(cert, dwPropId, CALG_MD5,
462 cert->ctx.pCertInfo->Subject.pbData,
463 cert->ctx.pCertInfo->Subject.cbData,
464 pvData, pcbData);
465 break;
466 case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID:
467 ret = CertContext_GetHashProp(cert, dwPropId, CALG_MD5,
468 cert->ctx.pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData,
469 cert->ctx.pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData,
470 pvData, pcbData);
471 break;
472 case CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID:
473 ret = CertContext_GetHashProp(cert, dwPropId, CALG_MD5,
474 cert->ctx.pCertInfo->SerialNumber.pbData,
475 cert->ctx.pCertInfo->SerialNumber.cbData,
476 pvData, pcbData);
477 break;
478 case CERT_SIGNATURE_HASH_PROP_ID:
479 ret = CryptHashToBeSigned(0, cert->ctx.dwCertEncodingType,
480 cert->ctx.pbCertEncoded, cert->ctx.cbCertEncoded, pvData,
481 pcbData);
482 if (ret && pvData)
483 {
484 CRYPT_DATA_BLOB blob = { *pcbData, pvData };
485
486 ret = CertContext_SetProperty(cert, dwPropId, 0, &blob);
487 }
488 break;
489 case CERT_KEY_IDENTIFIER_PROP_ID:
490 {
491 PCERT_EXTENSION ext = CertFindExtension(
492 szOID_SUBJECT_KEY_IDENTIFIER, cert->ctx.pCertInfo->cExtension,
493 cert->ctx.pCertInfo->rgExtension);
494
495 if (ext)
496 {
497 CRYPT_DATA_BLOB value;
498 DWORD size = sizeof(value);
499
500 ret = CryptDecodeObjectEx(X509_ASN_ENCODING,
501 szOID_SUBJECT_KEY_IDENTIFIER, ext->Value.pbData,
502 ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL, &value,
503 &size);
504 if (ret)
505 {
506 ret = CertContext_CopyParam(pvData, pcbData, value.pbData,
507 value.cbData);
508 CertContext_SetProperty(cert, dwPropId, 0, &value);
509 }
510 }
511 else
512 SetLastError(ERROR_INVALID_DATA);
513 break;
514 }
515 default:
516 SetLastError(CRYPT_E_NOT_FOUND);
517 }
518 }
519 TRACE("returning %d\n", ret);
520 return ret;
521 }
522
523 /* 64-bit compatible layout, so that 64-bit crypt32 is able to read
524 * the structure saved by 32-bit crypt32.
525 */
526 typedef struct
527 {
528 ULONG64 pwszContainerName;
529 ULONG64 pwszProvName;
530 DWORD dwProvType;
531 DWORD dwFlags;
532 DWORD cProvParam;
533 ULONG64 rgProvParam;
534 DWORD dwKeySpec;
535 } store_CRYPT_KEY_PROV_INFO;
536
537 typedef struct
538 {
539 DWORD dwParam;
540 ULONG64 pbData;
541 DWORD cbData;
542 DWORD dwFlags;
543 } store_CRYPT_KEY_PROV_PARAM;
544
545 void CRYPT_FixKeyProvInfoPointers(PCRYPT_KEY_PROV_INFO buf)
546 {
547 CRYPT_KEY_PROV_INFO info;
548 store_CRYPT_KEY_PROV_INFO *store = (store_CRYPT_KEY_PROV_INFO *)buf;
549 BYTE *p = (BYTE *)(store + 1);
550
551 if (store->pwszContainerName)
552 {
553 info.pwszContainerName = (LPWSTR)p;
554 p += (lstrlenW(info.pwszContainerName) + 1) * sizeof(WCHAR);
555 }
556 else
557 info.pwszContainerName = NULL;
558
559 if (store->pwszProvName)
560 {
561 info.pwszProvName = (LPWSTR)p;
562 p += (lstrlenW(info.pwszProvName) + 1) * sizeof(WCHAR);
563 }
564 else
565 info.pwszProvName = NULL;
566
567 info.dwProvType = store->dwProvType;
568 info.dwFlags = store->dwFlags;
569 info.dwKeySpec = store->dwKeySpec;
570 info.cProvParam = store->cProvParam;
571
572 if (info.cProvParam)
573 {
574 DWORD i;
575
576 info.rgProvParam = (CRYPT_KEY_PROV_PARAM *)p;
577
578 for (i = 0; i < store->cProvParam; i++)
579 {
580 CRYPT_KEY_PROV_PARAM param;
581 store_CRYPT_KEY_PROV_PARAM *store_param;
582
583 store_param = (store_CRYPT_KEY_PROV_PARAM *)p;
584 p += sizeof(*store_param);
585
586 param.dwParam = store_param[i].dwParam;
587 param.dwFlags = store_param[i].dwFlags;
588 param.cbData = store_param[i].cbData;
589 param.pbData = param.cbData ? p : NULL;
590 p += store_param[i].cbData;
591
592 memcpy(&info.rgProvParam[i], &param, sizeof(param));
593 }
594 }
595 else
596 info.rgProvParam = NULL;
597
598 TRACE("%s,%s,%u,%08x,%u,%p,%u\n", debugstr_w(info.pwszContainerName), debugstr_w(info.pwszProvName),
599 info.dwProvType, info.dwFlags, info.cProvParam, info.rgProvParam, info.dwKeySpec);
600
601 *buf = info;
602 }
603
604 BOOL WINAPI CertGetCertificateContextProperty(PCCERT_CONTEXT pCertContext,
605 DWORD dwPropId, void *pvData, DWORD *pcbData)
606 {
607 cert_t *cert = cert_from_ptr(pCertContext);
608 BOOL ret;
609
610 TRACE("(%p, %d, %p, %p)\n", pCertContext, dwPropId, pvData, pcbData);
611
612 switch (dwPropId)
613 {
614 case 0:
615 case CERT_CERT_PROP_ID:
616 case CERT_CRL_PROP_ID:
617 case CERT_CTL_PROP_ID:
618 SetLastError(E_INVALIDARG);
619 ret = FALSE;
620 break;
621 case CERT_ACCESS_STATE_PROP_ID:
622 ret = CertGetStoreProperty(cert->ctx.hCertStore, dwPropId, pvData, pcbData);
623 break;
624 case CERT_KEY_PROV_HANDLE_PROP_ID:
625 {
626 CERT_KEY_CONTEXT keyContext;
627 DWORD size = sizeof(keyContext);
628
629 ret = CertContext_GetProperty(cert,
630 CERT_KEY_CONTEXT_PROP_ID, &keyContext, &size);
631 if (ret)
632 ret = CertContext_CopyParam(pvData, pcbData, &keyContext.hCryptProv,
633 sizeof(keyContext.hCryptProv));
634 break;
635 }
636 case CERT_KEY_PROV_INFO_PROP_ID:
637 ret = CertContext_GetProperty(cert, dwPropId, pvData,
638 pcbData);
639 if (ret && pvData)
640 CRYPT_FixKeyProvInfoPointers(pvData);
641 break;
642 default:
643 ret = CertContext_GetProperty(cert, dwPropId, pvData,
644 pcbData);
645 }
646
647 TRACE("returning %d\n", ret);
648 return ret;
649 }
650
651 /* Copies key provider info from from into to, where to is assumed to be a
652 * contiguous buffer of memory large enough for from and all its associated
653 * data, but whose pointers are uninitialized.
654 * Upon return, to contains a contiguous copy of from, packed in the following
655 * order:
656 * - store_CRYPT_KEY_PROV_INFO
657 * - pwszContainerName
658 * - pwszProvName
659 * - store_CRYPT_KEY_PROV_PARAM[0]
660 * - store_CRYPT_KEY_PROV_PARAM[0].data
661 * - ...
662 */
663 static void CRYPT_CopyKeyProvInfo(store_CRYPT_KEY_PROV_INFO *to, const CRYPT_KEY_PROV_INFO *from)
664 {
665 DWORD i;
666 BYTE *p;
667 store_CRYPT_KEY_PROV_PARAM *param;
668
669 p = (BYTE *)(to + 1);
670
671 if (from->pwszContainerName)
672 {
673 to->pwszContainerName = p - (BYTE *)to;
674 lstrcpyW((LPWSTR)p, from->pwszContainerName);
675 p += (lstrlenW(from->pwszContainerName) + 1) * sizeof(WCHAR);
676 }
677 else
678 to->pwszContainerName = 0;
679
680 if (from->pwszProvName)
681 {
682 to->pwszProvName = p - (BYTE *)to;
683 lstrcpyW((LPWSTR)p, from->pwszProvName);
684 p += (lstrlenW(from->pwszProvName) + 1) * sizeof(WCHAR);
685 }
686 else
687 to->pwszProvName = 0;
688
689 to->dwProvType = from->dwProvType;
690 to->dwFlags = from->dwFlags;
691 to->cProvParam = from->cProvParam;
692 to->dwKeySpec = from->dwKeySpec;
693
694 for (i = 0; i < to->cProvParam; i++)
695 {
696 param = (store_CRYPT_KEY_PROV_PARAM *)p;
697 p += sizeof(*param);
698
699 param->dwParam = from->rgProvParam[i].dwParam;
700 param->cbData = from->rgProvParam[i].cbData;
701 param->dwFlags = from->rgProvParam[i].dwFlags;
702 memcpy(p, from->rgProvParam[i].pbData, from->rgProvParam[i].cbData);
703 p += from->rgProvParam[i].cbData;
704 }
705 }
706
707 static BOOL CertContext_SetKeyProvInfoProperty(CONTEXT_PROPERTY_LIST *properties,
708 const CRYPT_KEY_PROV_INFO *info)
709 {
710 BYTE *buf;
711 DWORD size = sizeof(store_CRYPT_KEY_PROV_INFO), i;
712 BOOL ret;
713
714 if (info->pwszContainerName)
715 size += (lstrlenW(info->pwszContainerName) + 1) * sizeof(WCHAR);
716 if (info->pwszProvName)
717 size += (lstrlenW(info->pwszProvName) + 1) * sizeof(WCHAR);
718
719 for (i = 0; i < info->cProvParam; i++)
720 size += sizeof(store_CRYPT_KEY_PROV_PARAM) + info->rgProvParam[i].cbData;
721
722 buf = CryptMemAlloc(size);
723 if (buf)
724 {
725 CRYPT_CopyKeyProvInfo((store_CRYPT_KEY_PROV_INFO *)buf, info);
726 ret = ContextPropertyList_SetProperty(properties,
727 CERT_KEY_PROV_INFO_PROP_ID, buf, size);
728 CryptMemFree(buf);
729 }
730 else
731 ret = FALSE;
732 return ret;
733 }
734
735 static BOOL CertContext_SetProperty(cert_t *cert, DWORD dwPropId,
736 DWORD dwFlags, const void *pvData)
737 {
738 BOOL ret;
739
740 TRACE("(%p, %d, %08x, %p)\n", cert, dwPropId, dwFlags, pvData);
741
742 if (!cert->base.properties)
743 ret = FALSE;
744 else
745 {
746 switch (dwPropId)
747 {
748 case CERT_AUTO_ENROLL_PROP_ID:
749 case CERT_CTL_USAGE_PROP_ID: /* same as CERT_ENHKEY_USAGE_PROP_ID */
750 case CERT_DESCRIPTION_PROP_ID:
751 case CERT_FRIENDLY_NAME_PROP_ID:
752 case CERT_HASH_PROP_ID:
753 case CERT_KEY_IDENTIFIER_PROP_ID:
754 case CERT_MD5_HASH_PROP_ID:
755 case CERT_NEXT_UPDATE_LOCATION_PROP_ID:
756 case CERT_PUBKEY_ALG_PARA_PROP_ID:
757 case CERT_PVK_FILE_PROP_ID:
758 case CERT_SIGNATURE_HASH_PROP_ID:
759 case CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID:
760 case CERT_SUBJECT_NAME_MD5_HASH_PROP_ID:
761 case CERT_EXTENDED_ERROR_INFO_PROP_ID:
762 case CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID:
763 case CERT_ENROLLMENT_PROP_ID:
764 case CERT_CROSS_CERT_DIST_POINTS_PROP_ID:
765 case CERT_OCSP_RESPONSE_PROP_ID:
766 case CERT_RENEWAL_PROP_ID:
767 {
768 if (pvData)
769 {
770 const CRYPT_DATA_BLOB *blob = pvData;
771
772 ret = ContextPropertyList_SetProperty(cert->base.properties, dwPropId,
773 blob->pbData, blob->cbData);
774 }
775 else
776 {
777 ContextPropertyList_RemoveProperty(cert->base.properties, dwPropId);
778 ret = TRUE;
779 }
780 break;
781 }
782 case CERT_DATE_STAMP_PROP_ID:
783 if (pvData)
784 ret = ContextPropertyList_SetProperty(cert->base.properties, dwPropId,
785 pvData, sizeof(FILETIME));
786 else
787 {
788 ContextPropertyList_RemoveProperty(cert->base.properties, dwPropId);
789 ret = TRUE;
790 }
791 break;
792 case CERT_KEY_CONTEXT_PROP_ID:
793 {
794 if (pvData)
795 {
796 const CERT_KEY_CONTEXT *keyContext = pvData;
797
798 if (keyContext->cbSize != sizeof(CERT_KEY_CONTEXT))
799 {
800 SetLastError(E_INVALIDARG);
801 ret = FALSE;
802 }
803 else
804 ret = ContextPropertyList_SetProperty(cert->base.properties, dwPropId,
805 (const BYTE *)keyContext, keyContext->cbSize);
806 }
807 else
808 {
809 ContextPropertyList_RemoveProperty(cert->base.properties, dwPropId);
810 ret = TRUE;
811 }
812 break;
813 }
814 case CERT_KEY_PROV_INFO_PROP_ID:
815 if (pvData)
816 ret = CertContext_SetKeyProvInfoProperty(cert->base.properties, pvData);
817 else
818 {
819 ContextPropertyList_RemoveProperty(cert->base.properties, dwPropId);
820 ret = TRUE;
821 }
822 break;
823 case CERT_KEY_PROV_HANDLE_PROP_ID:
824 {
825 CERT_KEY_CONTEXT keyContext;
826 DWORD size = sizeof(keyContext);
827
828 ret = CertContext_GetProperty(cert, CERT_KEY_CONTEXT_PROP_ID,
829 &keyContext, &size);
830 if (ret)
831 {
832 if (!(dwFlags & CERT_STORE_NO_CRYPT_RELEASE_FLAG))
833 CryptReleaseContext(keyContext.hCryptProv, 0);
834 }
835 keyContext.cbSize = sizeof(keyContext);
836 if (pvData)
837 keyContext.hCryptProv = *(const HCRYPTPROV *)pvData;
838 else
839 {
840 keyContext.hCryptProv = 0;
841 keyContext.dwKeySpec = AT_SIGNATURE;
842 }
843 ret = CertContext_SetProperty(cert, CERT_KEY_CONTEXT_PROP_ID,
844 0, &keyContext);
845 break;
846 }
847 default:
848 FIXME("%d: stub\n", dwPropId);
849 ret = FALSE;
850 }
851 }
852 TRACE("returning %d\n", ret);
853 return ret;
854 }
855
856 BOOL WINAPI CertSetCertificateContextProperty(PCCERT_CONTEXT pCertContext,
857 DWORD dwPropId, DWORD dwFlags, const void *pvData)
858 {
859 BOOL ret;
860
861 TRACE("(%p, %d, %08x, %p)\n", pCertContext, dwPropId, dwFlags, pvData);
862
863 /* Handle special cases for "read-only"/invalid prop IDs. Windows just
864 * crashes on most of these, I'll be safer.
865 */
866 switch (dwPropId)
867 {
868 case 0:
869 case CERT_ACCESS_STATE_PROP_ID:
870 case CERT_CERT_PROP_ID:
871 case CERT_CRL_PROP_ID:
872 case CERT_CTL_PROP_ID:
873 SetLastError(E_INVALIDARG);
874 return FALSE;
875 }
876 ret = CertContext_SetProperty(cert_from_ptr(pCertContext), dwPropId, dwFlags,
877 pvData);
878 TRACE("returning %d\n", ret);
879 return ret;
880 }
881
882 /* Acquires the private key using the key provider info, retrieving info from
883 * the certificate if info is NULL. The acquired provider is returned in
884 * *phCryptProv, and the key spec for the provider is returned in *pdwKeySpec.
885 */
886 static BOOL CRYPT_AcquirePrivateKeyFromProvInfo(PCCERT_CONTEXT pCert, DWORD dwFlags,
887 PCRYPT_KEY_PROV_INFO info, HCRYPTPROV *phCryptProv, DWORD *pdwKeySpec)
888 {
889 DWORD size = 0;
890 BOOL allocated = FALSE, ret = TRUE;
891
892 if (!info)
893 {
894 ret = CertGetCertificateContextProperty(pCert,
895 CERT_KEY_PROV_INFO_PROP_ID, 0, &size);
896 if (ret)
897 {
898 info = HeapAlloc(GetProcessHeap(), 0, size);
899 if (info)
900 {
901 ret = CertGetCertificateContextProperty(pCert,
902 CERT_KEY_PROV_INFO_PROP_ID, info, &size);
903 allocated = TRUE;
904 }
905 else
906 {
907 SetLastError(ERROR_OUTOFMEMORY);
908 ret = FALSE;
909 }
910 }
911 else
912 SetLastError(CRYPT_E_NO_KEY_PROPERTY);
913 }
914 if (ret)
915 {
916 ret = CryptAcquireContextW(phCryptProv, info->pwszContainerName,
917 info->pwszProvName, info->dwProvType, (dwFlags & CRYPT_ACQUIRE_SILENT_FLAG) ? CRYPT_SILENT : 0);
918 if (ret)
919 {
920 DWORD i;
921
922 for (i = 0; i < info->cProvParam; i++)
923 {
924 CryptSetProvParam(*phCryptProv,
925 info->rgProvParam[i].dwParam, info->rgProvParam[i].pbData,
926 info->rgProvParam[i].dwFlags);
927 }
928 *pdwKeySpec = info->dwKeySpec;
929 }
930 else
931 SetLastError(CRYPT_E_NO_KEY_PROPERTY);
932 }
933 if (allocated)
934 HeapFree(GetProcessHeap(), 0, info);
935 return ret;
936 }
937
938 BOOL WINAPI CryptAcquireCertificatePrivateKey(PCCERT_CONTEXT pCert,
939 DWORD dwFlags, void *pvReserved, HCRYPTPROV_OR_NCRYPT_KEY_HANDLE *phCryptProv,
940 DWORD *pdwKeySpec, BOOL *pfCallerFreeProv)
941 {
942 BOOL ret = FALSE, cache = FALSE;
943 PCRYPT_KEY_PROV_INFO info = NULL;
944 CERT_KEY_CONTEXT keyContext;
945 DWORD size;
946 PCCERT_CONTEXT cert_in_store = NULL;
947
948 TRACE("(%p, %08x, %p, %p, %p, %p)\n", pCert, dwFlags, pvReserved,
949 phCryptProv, pdwKeySpec, pfCallerFreeProv);
950
951 if (dwFlags & CRYPT_ACQUIRE_USE_PROV_INFO_FLAG)
952 {
953 DWORD size = 0;
954
955 ret = CertGetCertificateContextProperty(pCert,
956 CERT_KEY_PROV_INFO_PROP_ID, 0, &size);
957
958 if (!ret)
959 {
960 static const WCHAR myW[] = { 'M','y',0 };
961 HCERTSTORE hstore;
962
963 hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0,
964 CERT_SYSTEM_STORE_CURRENT_USER, myW);
965 if (hstore)
966 {
967 cert_in_store = CertFindCertificateInStore(hstore, pCert->dwCertEncodingType, 0,
968 CERT_FIND_EXISTING, pCert, NULL);
969 if (cert_in_store)
970 {
971 ret = CertGetCertificateContextProperty(cert_in_store, CERT_KEY_PROV_INFO_PROP_ID, 0, &size);
972 if (ret)
973 pCert = cert_in_store;
974 else
975 {
976 CertFreeCertificateContext(cert_in_store);
977 cert_in_store = NULL;
978 }
979 }
980
981 CertCloseStore(hstore, 0);
982 }
983 }
984
985 if (ret)
986 {
987 info = HeapAlloc(GetProcessHeap(), 0, size);
988 ret = CertGetCertificateContextProperty(pCert,
989 CERT_KEY_PROV_INFO_PROP_ID, info, &size);
990 if (ret)
991 cache = info->dwFlags & CERT_SET_KEY_CONTEXT_PROP_ID;
992 }
993 }
994 else if (dwFlags & CRYPT_ACQUIRE_CACHE_FLAG)
995 cache = TRUE;
996 *phCryptProv = 0;
997 if (cache)
998 {
999 size = sizeof(keyContext);
1000 ret = CertGetCertificateContextProperty(pCert, CERT_KEY_CONTEXT_PROP_ID,
1001 &keyContext, &size);
1002 if (ret)
1003 {
1004 *phCryptProv = keyContext.hCryptProv;
1005 if (pdwKeySpec)
1006 *pdwKeySpec = keyContext.dwKeySpec;
1007 if (pfCallerFreeProv)
1008 *pfCallerFreeProv = FALSE;
1009 }
1010 }
1011 if (!*phCryptProv)
1012 {
1013 ret = CRYPT_AcquirePrivateKeyFromProvInfo(pCert, dwFlags, info,
1014 &keyContext.hCryptProv, &keyContext.dwKeySpec);
1015 if (ret)
1016 {
1017 *phCryptProv = keyContext.hCryptProv;
1018 if (pdwKeySpec)
1019 *pdwKeySpec = keyContext.dwKeySpec;
1020 if (cache)
1021 {
1022 keyContext.cbSize = sizeof(keyContext);
1023 if (CertSetCertificateContextProperty(pCert,
1024 CERT_KEY_CONTEXT_PROP_ID, 0, &keyContext))
1025 {
1026 if (pfCallerFreeProv)
1027 *pfCallerFreeProv = FALSE;
1028 }
1029 }
1030 else
1031 {
1032 if (pfCallerFreeProv)
1033 *pfCallerFreeProv = TRUE;
1034 }
1035 }
1036 }
1037 HeapFree(GetProcessHeap(), 0, info);
1038 if (cert_in_store)
1039 CertFreeCertificateContext(cert_in_store);
1040 return ret;
1041 }
1042
1043 static BOOL key_prov_info_matches_cert(PCCERT_CONTEXT pCert,
1044 const CRYPT_KEY_PROV_INFO *keyProvInfo)
1045 {
1046 HCRYPTPROV csp;
1047 BOOL matches = FALSE;
1048
1049 if (CryptAcquireContextW(&csp, keyProvInfo->pwszContainerName,
1050 keyProvInfo->pwszProvName, keyProvInfo->dwProvType, keyProvInfo->dwFlags))
1051 {
1052 DWORD size;
1053
1054 /* Need to sign something to verify the sig. What to sign? Why not
1055 * the certificate itself?
1056 */
1057 if (CryptSignAndEncodeCertificate(csp, AT_SIGNATURE,
1058 pCert->dwCertEncodingType, X509_CERT_TO_BE_SIGNED, pCert->pCertInfo,
1059 &pCert->pCertInfo->SignatureAlgorithm, NULL, NULL, &size))
1060 {
1061 BYTE *certEncoded = CryptMemAlloc(size);
1062
1063 if (certEncoded)
1064 {
1065 if (CryptSignAndEncodeCertificate(csp, AT_SIGNATURE,
1066 pCert->dwCertEncodingType, X509_CERT_TO_BE_SIGNED,
1067 pCert->pCertInfo, &pCert->pCertInfo->SignatureAlgorithm,
1068 NULL, certEncoded, &size))
1069 {
1070 if (size == pCert->cbCertEncoded &&
1071 !memcmp(certEncoded, pCert->pbCertEncoded, size))
1072 matches = TRUE;
1073 }
1074 CryptMemFree(certEncoded);
1075 }
1076 }
1077 CryptReleaseContext(csp, 0);
1078 }
1079 return matches;
1080 }
1081
1082 static BOOL container_matches_cert(PCCERT_CONTEXT pCert, LPCSTR container,
1083 CRYPT_KEY_PROV_INFO *keyProvInfo)
1084 {
1085 CRYPT_KEY_PROV_INFO copy;
1086 WCHAR containerW[MAX_PATH];
1087 BOOL matches;
1088
1089 MultiByteToWideChar(CP_ACP, 0, container, -1, containerW, ARRAY_SIZE(containerW));
1090 /* We make a copy of the CRYPT_KEY_PROV_INFO because the caller expects
1091 * keyProvInfo->pwszContainerName to be NULL or a heap-allocated container
1092 * name.
1093 */
1094 copy = *keyProvInfo;
1095 copy.pwszContainerName = containerW;
1096 matches = key_prov_info_matches_cert(pCert, &copy);
1097 if (matches)
1098 {
1099 keyProvInfo->pwszContainerName =
1100 CryptMemAlloc((strlenW(containerW) + 1) * sizeof(WCHAR));
1101 if (keyProvInfo->pwszContainerName)
1102 {
1103 strcpyW(keyProvInfo->pwszContainerName, containerW);
1104 keyProvInfo->dwKeySpec = AT_SIGNATURE;
1105 }
1106 else
1107 matches = FALSE;
1108 }
1109 return matches;
1110 }
1111
1112 /* Searches the provider named keyProvInfo.pwszProvName for a container whose
1113 * private key matches pCert's public key. Upon success, updates keyProvInfo
1114 * with the matching container's info (free keyProvInfo.pwszContainerName upon
1115 * success.)
1116 * Returns TRUE if found, FALSE if not.
1117 */
1118 static BOOL find_key_prov_info_in_provider(PCCERT_CONTEXT pCert,
1119 CRYPT_KEY_PROV_INFO *keyProvInfo)
1120 {
1121 HCRYPTPROV defProvider;
1122 BOOL ret, found = FALSE;
1123 char containerA[MAX_PATH];
1124
1125 assert(keyProvInfo->pwszContainerName == NULL);
1126 if ((ret = CryptAcquireContextW(&defProvider, NULL,
1127 keyProvInfo->pwszProvName, keyProvInfo->dwProvType,
1128 keyProvInfo->dwFlags | CRYPT_VERIFYCONTEXT)))
1129 {
1130 DWORD enumFlags = keyProvInfo->dwFlags | CRYPT_FIRST;
1131
1132 while (ret && !found)
1133 {
1134 DWORD size = sizeof(containerA);
1135
1136 ret = CryptGetProvParam(defProvider, PP_ENUMCONTAINERS,
1137 (BYTE *)containerA, &size, enumFlags);
1138 if (ret)
1139 found = container_matches_cert(pCert, containerA, keyProvInfo);
1140 if (enumFlags & CRYPT_FIRST)
1141 {
1142 enumFlags &= ~CRYPT_FIRST;
1143 enumFlags |= CRYPT_NEXT;
1144 }
1145 }
1146 CryptReleaseContext(defProvider, 0);
1147 }
1148 return found;
1149 }
1150
1151 static BOOL find_matching_provider(PCCERT_CONTEXT pCert, DWORD dwFlags)
1152 {
1153 BOOL found = FALSE, ret = TRUE;
1154 DWORD index = 0, cbProvName = 0;
1155 CRYPT_KEY_PROV_INFO keyProvInfo;
1156
1157 TRACE("(%p, %08x)\n", pCert, dwFlags);
1158
1159 memset(&keyProvInfo, 0, sizeof(keyProvInfo));
1160 while (ret && !found)
1161 {
1162 DWORD size = 0;
1163
1164 ret = CryptEnumProvidersW(index, NULL, 0, &keyProvInfo.dwProvType,
1165 NULL, &size);
1166 if (ret)
1167 {
1168 if (size <= cbProvName)
1169 ret = CryptEnumProvidersW(index, NULL, 0,
1170 &keyProvInfo.dwProvType, keyProvInfo.pwszProvName, &size);
1171 else
1172 {
1173 CryptMemFree(keyProvInfo.pwszProvName);
1174 keyProvInfo.pwszProvName = CryptMemAlloc(size);
1175 if (keyProvInfo.pwszProvName)
1176 {
1177 cbProvName = size;
1178 ret = CryptEnumProvidersW(index, NULL, 0,
1179 &keyProvInfo.dwProvType, keyProvInfo.pwszProvName, &size);
1180 if (ret)
1181 {
1182 if (dwFlags & CRYPT_FIND_SILENT_KEYSET_FLAG)
1183 keyProvInfo.dwFlags |= CRYPT_SILENT;
1184 if (dwFlags & CRYPT_FIND_USER_KEYSET_FLAG ||
1185 !(dwFlags & (CRYPT_FIND_USER_KEYSET_FLAG |
1186 CRYPT_FIND_MACHINE_KEYSET_FLAG)))
1187 {
1188 keyProvInfo.dwFlags |= CRYPT_USER_KEYSET;
1189 found = find_key_prov_info_in_provider(pCert,
1190 &keyProvInfo);
1191 }
1192 if (!found)
1193 {
1194 if (dwFlags & CRYPT_FIND_MACHINE_KEYSET_FLAG ||
1195 !(dwFlags & (CRYPT_FIND_USER_KEYSET_FLAG |
1196 CRYPT_FIND_MACHINE_KEYSET_FLAG)))
1197 {
1198 keyProvInfo.dwFlags &= ~CRYPT_USER_KEYSET;
1199 keyProvInfo.dwFlags |= CRYPT_MACHINE_KEYSET;
1200 found = find_key_prov_info_in_provider(pCert,
1201 &keyProvInfo);
1202 }
1203 }
1204 }
1205 }
1206 else
1207 ret = FALSE;
1208 }
1209 index++;
1210 }
1211 }
1212 if (found)
1213 CertSetCertificateContextProperty(pCert, CERT_KEY_PROV_INFO_PROP_ID,
1214 0, &keyProvInfo);
1215 CryptMemFree(keyProvInfo.pwszProvName);
1216 CryptMemFree(keyProvInfo.pwszContainerName);
1217 return found;
1218 }
1219
1220 static BOOL cert_prov_info_matches_cert(PCCERT_CONTEXT pCert)
1221 {
1222 BOOL matches = FALSE;
1223 DWORD size;
1224
1225 if (CertGetCertificateContextProperty(pCert, CERT_KEY_PROV_INFO_PROP_ID,
1226 NULL, &size))
1227 {
1228 CRYPT_KEY_PROV_INFO *keyProvInfo = CryptMemAlloc(size);
1229
1230 if (keyProvInfo)
1231 {
1232 if (CertGetCertificateContextProperty(pCert,
1233 CERT_KEY_PROV_INFO_PROP_ID, keyProvInfo, &size))
1234 matches = key_prov_info_matches_cert(pCert, keyProvInfo);
1235 CryptMemFree(keyProvInfo);
1236 }
1237 }
1238 return matches;
1239 }
1240
1241 BOOL WINAPI CryptFindCertificateKeyProvInfo(PCCERT_CONTEXT pCert,
1242 DWORD dwFlags, void *pvReserved)
1243 {
1244 BOOL matches;
1245
1246 TRACE("(%p, %08x, %p)\n", pCert, dwFlags, pvReserved);
1247
1248 matches = cert_prov_info_matches_cert(pCert);
1249 if (!matches)
1250 matches = find_matching_provider(pCert, dwFlags);
1251 return matches;
1252 }
1253
1254 BOOL WINAPI CertCompareCertificate(DWORD dwCertEncodingType,
1255 PCERT_INFO pCertId1, PCERT_INFO pCertId2)
1256 {
1257 BOOL ret;
1258
1259 TRACE("(%08x, %p, %p)\n", dwCertEncodingType, pCertId1, pCertId2);
1260
1261 ret = CertCompareCertificateName(dwCertEncodingType, &pCertId1->Issuer,
1262 &pCertId2->Issuer) && CertCompareIntegerBlob(&pCertId1->SerialNumber,
1263 &pCertId2->SerialNumber);
1264 TRACE("returning %d\n", ret);
1265 return ret;
1266 }
1267
1268 BOOL WINAPI CertCompareCertificateName(DWORD dwCertEncodingType,
1269 PCERT_NAME_BLOB pCertName1, PCERT_NAME_BLOB pCertName2)
1270 {
1271 BOOL ret;
1272
1273 TRACE("(%08x, %p, %p)\n", dwCertEncodingType, pCertName1, pCertName2);
1274
1275 if (pCertName1->cbData == pCertName2->cbData)
1276 {
1277 if (pCertName1->cbData)
1278 ret = !memcmp(pCertName1->pbData, pCertName2->pbData,
1279 pCertName1->cbData);
1280 else
1281 ret = TRUE;
1282 }
1283 else
1284 ret = FALSE;
1285 TRACE("returning %d\n", ret);
1286 return ret;
1287 }
1288
1289 /* Returns the number of significant bytes in pInt, where a byte is
1290 * insignificant if it's a leading 0 for positive numbers or a leading 0xff
1291 * for negative numbers. pInt is assumed to be little-endian.
1292 */
1293 static DWORD CRYPT_significantBytes(const CRYPT_INTEGER_BLOB *pInt)
1294 {
1295 DWORD ret = pInt->cbData;
1296
1297 while (ret > 1)
1298 {
1299 if (pInt->pbData[ret - 2] <= 0x7f && pInt->pbData[ret - 1] == 0)
1300 ret--;
1301 else if (pInt->pbData[ret - 2] >= 0x80 && pInt->pbData[ret - 1] == 0xff)
1302 ret--;
1303 else
1304 break;
1305 }
1306 return ret;
1307 }
1308
1309 BOOL WINAPI CertCompareIntegerBlob(PCRYPT_INTEGER_BLOB pInt1,
1310 PCRYPT_INTEGER_BLOB pInt2)
1311 {
1312 BOOL ret;
1313 DWORD cb1, cb2;
1314
1315 TRACE("(%p, %p)\n", pInt1, pInt2);
1316
1317 cb1 = CRYPT_significantBytes(pInt1);
1318 cb2 = CRYPT_significantBytes(pInt2);
1319 if (cb1 == cb2)
1320 {
1321 if (cb1)
1322 ret = !memcmp(pInt1->pbData, pInt2->pbData, cb1);
1323 else
1324 ret = TRUE;
1325 }
1326 else
1327 ret = FALSE;
1328 TRACE("returning %d\n", ret);
1329 return ret;
1330 }
1331
1332 BOOL WINAPI CertComparePublicKeyInfo(DWORD dwCertEncodingType,
1333 PCERT_PUBLIC_KEY_INFO pPublicKey1, PCERT_PUBLIC_KEY_INFO pPublicKey2)
1334 {
1335 BOOL ret;
1336
1337 TRACE("(%08x, %p, %p)\n", dwCertEncodingType, pPublicKey1, pPublicKey2);
1338
1339 /* RSA public key data should start with ASN_SEQUENCE,
1340 * otherwise it's not a RSA_CSP_PUBLICKEYBLOB.
1341 */
1342 if (!pPublicKey1->PublicKey.cbData || pPublicKey1->PublicKey.pbData[0] != ASN_SEQUENCE)
1343 dwCertEncodingType = 0;
1344
1345 switch (GET_CERT_ENCODING_TYPE(dwCertEncodingType))
1346 {
1347 case 0: /* Seems to mean "raw binary bits" */
1348 if (pPublicKey1->PublicKey.cbData == pPublicKey2->PublicKey.cbData &&
1349 pPublicKey1->PublicKey.cUnusedBits == pPublicKey2->PublicKey.cUnusedBits)
1350 {
1351 if (pPublicKey2->PublicKey.cbData)
1352 ret = !memcmp(pPublicKey1->PublicKey.pbData,
1353 pPublicKey2->PublicKey.pbData, pPublicKey1->PublicKey.cbData);
1354 else
1355 ret = TRUE;
1356 }
1357 else
1358 ret = FALSE;
1359 break;
1360 default:
1361 WARN("Unknown encoding type %08x\n", dwCertEncodingType);
1362 /* FALLTHROUGH */
1363 case X509_ASN_ENCODING:
1364 {
1365 BLOBHEADER *pblob1, *pblob2;
1366 DWORD length;
1367 ret = FALSE;
1368 if (CryptDecodeObject(dwCertEncodingType, RSA_CSP_PUBLICKEYBLOB,
1369 pPublicKey1->PublicKey.pbData, pPublicKey1->PublicKey.cbData,
1370 CRYPT_DECODE_ALLOC_FLAG, &pblob1, &length))
1371 {
1372 if (CryptDecodeObject(dwCertEncodingType, RSA_CSP_PUBLICKEYBLOB,
1373 pPublicKey2->PublicKey.pbData, pPublicKey2->PublicKey.cbData,
1374 CRYPT_DECODE_ALLOC_FLAG, &pblob2, &length))
1375 {
1376 /* The RSAPUBKEY structure directly follows the BLOBHEADER */
1377 RSAPUBKEY *pk1 = (LPVOID)(pblob1 + 1),
1378 *pk2 = (LPVOID)(pblob2 + 1);
1379 ret = (pk1->bitlen == pk2->bitlen) && (pk1->pubexp == pk2->pubexp)
1380 && !memcmp(pk1 + 1, pk2 + 1, pk1->bitlen/8);
1381
1382 LocalFree(pblob2);
1383 }
1384 LocalFree(pblob1);
1385 }
1386
1387 break;
1388 }
1389 }
1390 return ret;
1391 }
1392
1393 DWORD WINAPI CertGetPublicKeyLength(DWORD dwCertEncodingType,
1394 PCERT_PUBLIC_KEY_INFO pPublicKey)
1395 {
1396 DWORD len = 0;
1397
1398 TRACE("(%08x, %p)\n", dwCertEncodingType, pPublicKey);
1399
1400 if (GET_CERT_ENCODING_TYPE(dwCertEncodingType) != X509_ASN_ENCODING)
1401 {
1402 SetLastError(ERROR_FILE_NOT_FOUND);
1403 return 0;
1404 }
1405 if (pPublicKey->Algorithm.pszObjId &&
1406 !strcmp(pPublicKey->Algorithm.pszObjId, szOID_RSA_DH))
1407 {
1408 FIXME("unimplemented for DH public keys\n");
1409 SetLastError(CRYPT_E_ASN1_BADTAG);
1410 }
1411 else
1412 {
1413 PCCRYPT_OID_INFO info;
1414 DWORD size;
1415 PBYTE buf;
1416 BOOL ret;
1417
1418 info = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, pPublicKey->Algorithm.pszObjId, 0);
1419 if (info)
1420 {
1421 HCRYPTKEY key;
1422
1423 TRACE("public key algid %#x (%s)\n", info->u.Algid, debugstr_a(pPublicKey->Algorithm.pszObjId));
1424
1425 ret = CryptImportPublicKeyInfo(I_CryptGetDefaultCryptProv(info->u.Algid), dwCertEncodingType, pPublicKey, &key);
1426 if (ret)
1427 {
1428 size = sizeof(len);
1429 ret = CryptGetKeyParam(key, KP_KEYLEN, (BYTE *)&len, &size, 0);
1430 CryptDestroyKey(key);
1431 return len;
1432 }
1433 /* fallback to RSA */
1434 }
1435
1436 ret = CryptDecodeObjectEx(dwCertEncodingType,
1437 RSA_CSP_PUBLICKEYBLOB, pPublicKey->PublicKey.pbData,
1438 pPublicKey->PublicKey.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &buf,
1439 &size);
1440
1441 if (ret)
1442 {
1443 RSAPUBKEY *rsaPubKey = (RSAPUBKEY *)(buf + sizeof(BLOBHEADER));
1444
1445 len = rsaPubKey->bitlen;
1446 LocalFree(buf);
1447 }
1448 }
1449 return len;
1450 }
1451
1452 typedef BOOL (*CertCompareFunc)(PCCERT_CONTEXT pCertContext, DWORD dwType,
1453 DWORD dwFlags, const void *pvPara);
1454
1455 static BOOL compare_cert_by_md5_hash(PCCERT_CONTEXT pCertContext, DWORD dwType,
1456 DWORD dwFlags, const void *pvPara)
1457 {
1458 BOOL ret;
1459 BYTE hash[16];
1460 DWORD size = sizeof(hash);
1461
1462 ret = CertGetCertificateContextProperty(pCertContext,
1463 CERT_MD5_HASH_PROP_ID, hash, &size);
1464 if (ret)
1465 {
1466 const CRYPT_HASH_BLOB *pHash = pvPara;
1467
1468 if (size == pHash->cbData)
1469 ret = !memcmp(pHash->pbData, hash, size);
1470 else
1471 ret = FALSE;
1472 }
1473 return ret;
1474 }
1475
1476 static BOOL compare_cert_by_sha1_hash(PCCERT_CONTEXT pCertContext, DWORD dwType,
1477 DWORD dwFlags, const void *pvPara)
1478 {
1479 BOOL ret;
1480 BYTE hash[20];
1481 DWORD size = sizeof(hash);
1482
1483 ret = CertGetCertificateContextProperty(pCertContext,
1484 CERT_SHA1_HASH_PROP_ID, hash, &size);
1485 if (ret)
1486 {
1487 const CRYPT_HASH_BLOB *pHash = pvPara;
1488
1489 if (size == pHash->cbData)
1490 ret = !memcmp(pHash->pbData, hash, size);
1491 else
1492 ret = FALSE;
1493 }
1494 return ret;
1495 }
1496
1497 static BOOL compare_cert_by_name(PCCERT_CONTEXT pCertContext, DWORD dwType,
1498 DWORD dwFlags, const void *pvPara)
1499 {
1500 CERT_NAME_BLOB *blob = (CERT_NAME_BLOB *)pvPara, *toCompare;
1501 BOOL ret;
1502
1503 if (dwType & CERT_INFO_SUBJECT_FLAG)
1504 toCompare = &pCertContext->pCertInfo->Subject;
1505 else
1506 toCompare = &pCertContext->pCertInfo->Issuer;
1507 ret = CertCompareCertificateName(pCertContext->dwCertEncodingType,
1508 toCompare, blob);
1509 return ret;
1510 }
1511
1512 static BOOL compare_cert_by_public_key(PCCERT_CONTEXT pCertContext,
1513 DWORD dwType, DWORD dwFlags, const void *pvPara)
1514 {
1515 CERT_PUBLIC_KEY_INFO *publicKey = (CERT_PUBLIC_KEY_INFO *)pvPara;
1516 BOOL ret;
1517
1518 ret = CertComparePublicKeyInfo(pCertContext->dwCertEncodingType,
1519 &pCertContext->pCertInfo->SubjectPublicKeyInfo, publicKey);
1520 return ret;
1521 }
1522
1523 static BOOL compare_cert_by_subject_cert(PCCERT_CONTEXT pCertContext,
1524 DWORD dwType, DWORD dwFlags, const void *pvPara)
1525 {
1526 CERT_INFO *pCertInfo = (CERT_INFO *)pvPara;
1527 BOOL ret;
1528
1529 /* Matching serial number and subject match.. */
1530 ret = CertCompareCertificateName(pCertContext->dwCertEncodingType,
1531 &pCertContext->pCertInfo->Subject, &pCertInfo->Issuer);
1532 if (ret)
1533 ret = CertCompareIntegerBlob(&pCertContext->pCertInfo->SerialNumber,
1534 &pCertInfo->SerialNumber);
1535 else
1536 {
1537 /* failing that, if the serial number and issuer match, we match */
1538 ret = CertCompareIntegerBlob(&pCertContext->pCertInfo->SerialNumber,
1539 &pCertInfo->SerialNumber);
1540 if (ret)
1541 ret = CertCompareCertificateName(pCertContext->dwCertEncodingType,
1542 &pCertContext->pCertInfo->Issuer, &pCertInfo->Issuer);
1543 }
1544 TRACE("returning %d\n", ret);
1545 return ret;
1546 }
1547
1548 static BOOL compare_cert_by_cert_id(PCCERT_CONTEXT pCertContext, DWORD dwType,
1549 DWORD dwFlags, const void *pvPara)
1550 {
1551 CERT_ID *id = (CERT_ID *)pvPara;
1552 BOOL ret;
1553
1554 switch (id->dwIdChoice)
1555 {
1556 case CERT_ID_ISSUER_SERIAL_NUMBER:
1557 ret = CertCompareCertificateName(pCertContext->dwCertEncodingType,
1558 &pCertContext->pCertInfo->Issuer, &id->u.IssuerSerialNumber.Issuer);
1559 if (ret)
1560 ret = CertCompareIntegerBlob(&pCertContext->pCertInfo->SerialNumber,
1561 &id->u.IssuerSerialNumber.SerialNumber);
1562 break;
1563 case CERT_ID_SHA1_HASH:
1564 ret = compare_cert_by_sha1_hash(pCertContext, dwType, dwFlags,
1565 &id->u.HashId);
1566 break;
1567 case CERT_ID_KEY_IDENTIFIER:
1568 {
1569 DWORD size = 0;
1570
1571 ret = CertGetCertificateContextProperty(pCertContext,
1572 CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
1573 if (ret && size == id->u.KeyId.cbData)
1574 {
1575 LPBYTE buf = CryptMemAlloc(size);
1576
1577 if (buf)
1578 {
1579 CertGetCertificateContextProperty(pCertContext,
1580 CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
1581 ret = !memcmp(buf, id->u.KeyId.pbData, size);
1582 CryptMemFree(buf);
1583 }
1584 else
1585 ret = FALSE;
1586 }
1587 else
1588 ret = FALSE;
1589 break;
1590 }
1591 default:
1592 ret = FALSE;
1593 break;
1594 }
1595 return ret;
1596 }
1597
1598 static BOOL compare_existing_cert(PCCERT_CONTEXT pCertContext, DWORD dwType,
1599 DWORD dwFlags, const void *pvPara)
1600 {
1601 PCCERT_CONTEXT toCompare = pvPara;
1602 return CertCompareCertificate(pCertContext->dwCertEncodingType,
1603 pCertContext->pCertInfo, toCompare->pCertInfo);
1604 }
1605
1606 static BOOL compare_cert_by_signature_hash(PCCERT_CONTEXT pCertContext, DWORD dwType,
1607 DWORD dwFlags, const void *pvPara)
1608 {
1609 const CRYPT_HASH_BLOB *hash = pvPara;
1610 DWORD size = 0;
1611 BOOL ret;
1612
1613 ret = CertGetCertificateContextProperty(pCertContext,
1614 CERT_SIGNATURE_HASH_PROP_ID, NULL, &size);
1615 if (ret && size == hash->cbData)
1616 {
1617 LPBYTE buf = CryptMemAlloc(size);
1618
1619 if (buf)
1620 {
1621 CertGetCertificateContextProperty(pCertContext,
1622 CERT_SIGNATURE_HASH_PROP_ID, buf, &size);
1623 ret = !memcmp(buf, hash->pbData, size);
1624 CryptMemFree(buf);
1625 }
1626 else
1627 ret = FALSE;
1628 }
1629 else
1630 ret = FALSE;
1631 return ret;
1632 }
1633
1634 static inline PCCERT_CONTEXT cert_compare_certs_in_store(HCERTSTORE store,
1635 PCCERT_CONTEXT prev, CertCompareFunc compare, DWORD dwType, DWORD dwFlags,
1636 const void *pvPara)
1637 {
1638 BOOL matches = FALSE;
1639 PCCERT_CONTEXT ret;
1640
1641 ret = prev;
1642 do {
1643 ret = CertEnumCertificatesInStore(store, ret);
1644 if (ret)
1645 matches = compare(ret, dwType, dwFlags, pvPara);
1646 } while (ret != NULL && !matches);
1647 return ret;
1648 }
1649
1650 typedef PCCERT_CONTEXT (*CertFindFunc)(HCERTSTORE store, DWORD dwType,
1651 DWORD dwFlags, const void *pvPara, PCCERT_CONTEXT prev);
1652
1653 static PCCERT_CONTEXT find_cert_any(HCERTSTORE store, DWORD dwType,
1654 DWORD dwFlags, const void *pvPara, PCCERT_CONTEXT prev)
1655 {
1656 return CertEnumCertificatesInStore(store, prev);
1657 }
1658
1659 static PCCERT_CONTEXT find_cert_by_issuer(HCERTSTORE store, DWORD dwType,
1660 DWORD dwFlags, const void *pvPara, PCCERT_CONTEXT prev)
1661 {
1662 BOOL ret;
1663 PCCERT_CONTEXT found = NULL, subject = pvPara;
1664 PCERT_EXTENSION ext;
1665 DWORD size;
1666
1667 if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER,
1668 subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
1669 {
1670 CERT_AUTHORITY_KEY_ID_INFO *info;
1671
1672 ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
1673 X509_AUTHORITY_KEY_ID, ext->Value.pbData, ext->Value.cbData,
1674 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
1675 &info, &size);
1676 if (ret)
1677 {
1678 CERT_ID id;
1679
1680 if (info->CertIssuer.cbData && info->CertSerialNumber.cbData)
1681 {
1682 id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
1683 memcpy(&id.u.IssuerSerialNumber.Issuer, &info->CertIssuer,
1684 sizeof(CERT_NAME_BLOB));
1685 memcpy(&id.u.IssuerSerialNumber.SerialNumber,
1686 &info->CertSerialNumber, sizeof(CRYPT_INTEGER_BLOB));
1687 }
1688 else if (info->KeyId.cbData)
1689 {
1690 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
1691 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
1692 }
1693 else
1694 ret = FALSE;
1695 if (ret)
1696 found = cert_compare_certs_in_store(store, prev,
1697 compare_cert_by_cert_id, dwType, dwFlags, &id);
1698 LocalFree(info);
1699 }
1700 }
1701 else if ((ext = CertFindExtension(szOID_AUTHORITY_KEY_IDENTIFIER2,
1702 subject->pCertInfo->cExtension, subject->pCertInfo->rgExtension)))
1703 {
1704 CERT_AUTHORITY_KEY_ID2_INFO *info;
1705
1706 ret = CryptDecodeObjectEx(subject->dwCertEncodingType,
1707 X509_AUTHORITY_KEY_ID2, ext->Value.pbData, ext->Value.cbData,
1708 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
1709 &info, &size);
1710 if (ret)
1711 {
1712 CERT_ID id;
1713
1714 if (info->AuthorityCertIssuer.cAltEntry &&
1715 info->AuthorityCertSerialNumber.cbData)
1716 {
1717 PCERT_ALT_NAME_ENTRY directoryName = NULL;
1718 DWORD i;
1719
1720 for (i = 0; !directoryName &&
1721 i < info->AuthorityCertIssuer.cAltEntry; i++)
1722 if (info->AuthorityCertIssuer.rgAltEntry[i].dwAltNameChoice
1723 == CERT_ALT_NAME_DIRECTORY_NAME)
1724 directoryName =
1725 &info->AuthorityCertIssuer.rgAltEntry[i];
1726 if (directoryName)
1727 {
1728 id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
1729 memcpy(&id.u.IssuerSerialNumber.Issuer,
1730 &directoryName->u.DirectoryName, sizeof(CERT_NAME_BLOB));
1731 memcpy(&id.u.IssuerSerialNumber.SerialNumber,
1732 &info->AuthorityCertSerialNumber,
1733 sizeof(CRYPT_INTEGER_BLOB));
1734 }
1735 else
1736 {
1737 FIXME("no supported name type in authority key id2\n");
1738 ret = FALSE;
1739 }
1740 }
1741 else if (info->KeyId.cbData)
1742 {
1743 id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
1744 memcpy(&id.u.KeyId, &info->KeyId, sizeof(CRYPT_HASH_BLOB));
1745 }
1746 else
1747 ret = FALSE;
1748 if (ret)
1749 found = cert_compare_certs_in_store(store, prev,
1750 compare_cert_by_cert_id, dwType, dwFlags, &id);
1751 LocalFree(info);
1752 }
1753 }
1754 else
1755 found = cert_compare_certs_in_store(store, prev,
1756 compare_cert_by_name, CERT_COMPARE_NAME | CERT_COMPARE_SUBJECT_CERT,
1757 dwFlags, &subject->pCertInfo->Issuer);
1758 return found;
1759 }
1760
1761 static BOOL compare_cert_by_name_str(PCCERT_CONTEXT pCertContext,
1762 DWORD dwType, DWORD dwFlags, const void *pvPara)
1763 {
1764 PCERT_NAME_BLOB name;
1765 DWORD len;
1766 BOOL ret = FALSE;
1767
1768 if (dwType & CERT_INFO_SUBJECT_FLAG)
1769 name = &pCertContext->pCertInfo->Subject;
1770 else
1771 name = &pCertContext->pCertInfo->Issuer;
1772 len = CertNameToStrW(pCertContext->dwCertEncodingType, name,
1773 CERT_SIMPLE_NAME_STR, NULL, 0);
1774 if (len)
1775 {
1776 LPWSTR str = CryptMemAlloc(len * sizeof(WCHAR));
1777
1778 if (str)
1779 {
1780 LPWSTR ptr;
1781
1782 CertNameToStrW(pCertContext->dwCertEncodingType, name,
1783 CERT_SIMPLE_NAME_STR, str, len);
1784 for (ptr = str; *ptr; ptr++)
1785 *ptr = tolowerW(*ptr);
1786 if (strstrW(str, pvPara))
1787 ret = TRUE;
1788 CryptMemFree(str);
1789 }
1790 }
1791 return ret;
1792 }
1793
1794 static PCCERT_CONTEXT find_cert_by_name_str_a(HCERTSTORE store, DWORD dwType,
1795 DWORD dwFlags, const void *pvPara, PCCERT_CONTEXT prev)
1796 {
1797 PCCERT_CONTEXT found = NULL;
1798
1799 TRACE("%s\n", debugstr_a(pvPara));
1800
1801 if (pvPara)
1802 {
1803 int len = MultiByteToWideChar(CP_ACP, 0, pvPara, -1, NULL, 0);
1804 LPWSTR str = CryptMemAlloc(len * sizeof(WCHAR));
1805
1806 if (str)
1807 {
1808 LPWSTR ptr;
1809
1810 MultiByteToWideChar(CP_ACP, 0, pvPara, -1, str, len);
1811 for (ptr = str; *ptr; ptr++)
1812 *ptr = tolowerW(*ptr);
1813 found = cert_compare_certs_in_store(store, prev,
1814 compare_cert_by_name_str, dwType, dwFlags, str);
1815 CryptMemFree(str);
1816 }
1817 }
1818 else
1819 found = find_cert_any(store, dwType, dwFlags, NULL, prev);
1820 return found;
1821 }
1822
1823 static PCCERT_CONTEXT find_cert_by_name_str_w(HCERTSTORE store, DWORD dwType,
1824 DWORD dwFlags, const void *pvPara, PCCERT_CONTEXT prev)
1825 {
1826 PCCERT_CONTEXT found = NULL;
1827
1828 TRACE("%s\n", debugstr_w(pvPara));
1829
1830 if (pvPara)
1831 {
1832 DWORD len = strlenW(pvPara);
1833 LPWSTR str = CryptMemAlloc((len + 1) * sizeof(WCHAR));
1834
1835 if (str)
1836 {
1837 LPCWSTR src;
1838 LPWSTR dst;
1839
1840 for (src = pvPara, dst = str; *src; src++, dst++)
1841 *dst = tolowerW(*src);
1842 *dst = 0;
1843 found = cert_compare_certs_in_store(store, prev,
1844 compare_cert_by_name_str, dwType, dwFlags, str);
1845 CryptMemFree(str);
1846 }
1847 }
1848 else
1849 found = find_cert_any(store, dwType, dwFlags, NULL, prev);
1850 return found;
1851 }
1852
1853 PCCERT_CONTEXT WINAPI CertFindCertificateInStore(HCERTSTORE hCertStore,
1854 DWORD dwCertEncodingType, DWORD dwFlags, DWORD dwType, const void *pvPara,
1855 PCCERT_CONTEXT pPrevCertContext)
1856 {
1857 PCCERT_CONTEXT ret;
1858 CertFindFunc find = NULL;
1859 CertCompareFunc compare = NULL;
1860 CERT_ID cert_id;
1861
1862 TRACE("(%p, %08x, %08x, %08x, %p, %p)\n", hCertStore, dwCertEncodingType,
1863 dwFlags, dwType, pvPara, pPrevCertContext);
1864
1865 switch (dwType >> CERT_COMPARE_SHIFT)
1866 {
1867 case CERT_COMPARE_ANY:
1868 find = find_cert_any;
1869 break;
1870 case CERT_COMPARE_MD5_HASH:
1871 compare = compare_cert_by_md5_hash;
1872 break;
1873 case CERT_COMPARE_SHA1_HASH:
1874 compare = compare_cert_by_sha1_hash;
1875 break;
1876 case CERT_COMPARE_NAME:
1877 compare = compare_cert_by_name;
1878 break;
1879 case CERT_COMPARE_PUBLIC_KEY:
1880 compare = compare_cert_by_public_key;
1881 break;
1882 case CERT_COMPARE_NAME_STR_A:
1883 find = find_cert_by_name_str_a;
1884 break;
1885 case CERT_COMPARE_NAME_STR_W:
1886 find = find_cert_by_name_str_w;
1887 break;
1888 case CERT_COMPARE_SUBJECT_CERT:
1889 compare = compare_cert_by_subject_cert;
1890 break;
1891 case CERT_COMPARE_KEY_IDENTIFIER:
1892 cert_id.dwIdChoice = CERT_ID_KEY_IDENTIFIER;
1893 cert_id.u.KeyId = *(const CRYPT_HASH_BLOB *)pvPara;
1894 pvPara = &cert_id;
1895 /* fall through */
1896 case CERT_COMPARE_CERT_ID:
1897 compare = compare_cert_by_cert_id;
1898 break;
1899 case CERT_COMPARE_ISSUER_OF:
1900 find = find_cert_by_issuer;
1901 break;
1902 case CERT_COMPARE_EXISTING:
1903 compare = compare_existing_cert;
1904 break;
1905 case CERT_COMPARE_SIGNATURE_HASH:
1906 compare = compare_cert_by_signature_hash;
1907 break;
1908 default:
1909 FIXME("find type %08x unimplemented\n", dwType);
1910 }
1911
1912 if (find)
1913 ret = find(hCertStore, dwType, dwFlags, pvPara, pPrevCertContext);
1914 else if (compare)
1915 ret = cert_compare_certs_in_store(hCertStore, pPrevCertContext,
1916 compare, dwType, dwFlags, pvPara);
1917 else
1918 ret = NULL;
1919 if (!ret)
1920 SetLastError(CRYPT_E_NOT_FOUND);
1921 TRACE("returning %p\n", ret);
1922 return ret;
1923 }
1924
1925 PCCERT_CONTEXT WINAPI CertGetSubjectCertificateFromStore(HCERTSTORE hCertStore,
1926 DWORD dwCertEncodingType, PCERT_INFO pCertId)
1927 {
1928 TRACE("(%p, %08x, %p)\n", hCertStore, dwCertEncodingType, pCertId);
1929
1930 if (!pCertId)
1931 {
1932 SetLastError(E_INVALIDARG);
1933 return NULL;
1934 }
1935 return CertFindCertificateInStore(hCertStore, dwCertEncodingType, 0,
1936 CERT_FIND_SUBJECT_CERT, pCertId, NULL);
1937 }
1938
1939 BOOL WINAPI CertVerifySubjectCertificateContext(PCCERT_CONTEXT pSubject,
1940 PCCERT_CONTEXT pIssuer, DWORD *pdwFlags)
1941 {
1942 static const DWORD supportedFlags = CERT_STORE_REVOCATION_FLAG |
1943 CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
1944
1945 if (*pdwFlags & ~supportedFlags)
1946 {
1947 SetLastError(E_INVALIDARG);
1948 return FALSE;
1949 }
1950 if (*pdwFlags & CERT_STORE_REVOCATION_FLAG)
1951 {
1952 DWORD flags = 0;
1953 PCCRL_CONTEXT crl = CertGetCRLFromStore(pSubject->hCertStore, pSubject,
1954 NULL, &flags);
1955
1956 /* FIXME: what if the CRL has expired? */
1957 if (crl)
1958 {
1959 if (CertVerifyCRLRevocation(pSubject->dwCertEncodingType,
1960 pSubject->pCertInfo, 1, (PCRL_INFO *)&crl->pCrlInfo))
1961 *pdwFlags &= CERT_STORE_REVOCATION_FLAG;
1962 }
1963 else
1964 *pdwFlags |= CERT_STORE_NO_CRL_FLAG;
1965 }
1966 if (*pdwFlags & CERT_STORE_TIME_VALIDITY_FLAG)
1967 {
1968 if (0 == CertVerifyTimeValidity(NULL, pSubject->pCertInfo))
1969 *pdwFlags &= ~CERT_STORE_TIME_VALIDITY_FLAG;
1970 }
1971 if (*pdwFlags & CERT_STORE_SIGNATURE_FLAG)
1972 {
1973 if (CryptVerifyCertificateSignatureEx(0, pSubject->dwCertEncodingType,
1974 CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, (void *)pSubject,
1975 CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, (void *)pIssuer, 0, NULL))
1976 *pdwFlags &= ~CERT_STORE_SIGNATURE_FLAG;
1977 }
1978 return TRUE;
1979 }
1980
1981 PCCERT_CONTEXT WINAPI CertGetIssuerCertificateFromStore(HCERTSTORE hCertStore,
1982 PCCERT_CONTEXT pSubjectContext, PCCERT_CONTEXT pPrevIssuerContext,
1983 DWORD *pdwFlags)
1984 {
1985 PCCERT_CONTEXT ret;
1986
1987 TRACE("(%p, %p, %p, %08x)\n", hCertStore, pSubjectContext,
1988 pPrevIssuerContext, *pdwFlags);
1989
1990 if (!pSubjectContext)
1991 {
1992 SetLastError(E_INVALIDARG);
1993 return NULL;
1994 }
1995
1996 ret = CertFindCertificateInStore(hCertStore,
1997 pSubjectContext->dwCertEncodingType, 0, CERT_FIND_ISSUER_OF,
1998 pSubjectContext, pPrevIssuerContext);
1999 if (ret)
2000 {
2001 if (!CertVerifySubjectCertificateContext(pSubjectContext, ret,
2002 pdwFlags))
2003 {
2004 CertFreeCertificateContext(ret);
2005 ret = NULL;
2006 }
2007 if (CRYPT_IsCertificateSelfSigned(pSubjectContext))
2008 {
2009 CertFreeCertificateContext(ret);
2010 ret = NULL;
2011 SetLastError(CRYPT_E_SELF_SIGNED);
2012 }
2013 }
2014 TRACE("returning %p\n", ret);
2015 return ret;
2016 }
2017
2018 typedef struct _OLD_CERT_REVOCATION_STATUS {
2019 DWORD cbSize;
2020 DWORD dwIndex;
2021 DWORD dwError;
2022 DWORD dwReason;
2023 } OLD_CERT_REVOCATION_STATUS;
2024
2025 typedef BOOL (WINAPI *CertVerifyRevocationFunc)(DWORD, DWORD, DWORD,
2026 void **, DWORD, PCERT_REVOCATION_PARA, PCERT_REVOCATION_STATUS);
2027
2028 BOOL WINAPI CertVerifyRevocation(DWORD dwEncodingType, DWORD dwRevType,
2029 DWORD cContext, PVOID rgpvContext[], DWORD dwFlags,
2030 PCERT_REVOCATION_PARA pRevPara, PCERT_REVOCATION_STATUS pRevStatus)
2031 {
2032 BOOL ret;
2033
2034 TRACE("(%08x, %d, %d, %p, %08x, %p, %p)\n", dwEncodingType, dwRevType,
2035 cContext, rgpvContext, dwFlags, pRevPara, pRevStatus);
2036
2037 if (pRevStatus->cbSize != sizeof(OLD_CERT_REVOCATION_STATUS) &&
2038 pRevStatus->cbSize != sizeof(CERT_REVOCATION_STATUS))
2039 {
2040 SetLastError(E_INVALIDARG);
2041 return FALSE;
2042 }
2043 if (cContext)
2044 {
2045 static HCRYPTOIDFUNCSET set = NULL;
2046 DWORD size;
2047
2048 if (!set)
2049 set = CryptInitOIDFunctionSet(CRYPT_OID_VERIFY_REVOCATION_FUNC, 0);
2050 ret = CryptGetDefaultOIDDllList(set, dwEncodingType, NULL, &size);
2051 if (ret)
2052 {
2053 if (size == 1)
2054 {
2055 /* empty list */
2056 SetLastError(CRYPT_E_NO_REVOCATION_DLL);
2057 ret = FALSE;
2058 }
2059 else
2060 {
2061 LPWSTR dllList = CryptMemAlloc(size * sizeof(WCHAR)), ptr;
2062
2063 if (dllList)
2064 {
2065 ret = CryptGetDefaultOIDDllList(set, dwEncodingType,
2066 dllList, &size);
2067 if (ret)
2068 {
2069 for (ptr = dllList; ret && *ptr;
2070 ptr += lstrlenW(ptr) + 1)
2071 {
2072 CertVerifyRevocationFunc func;
2073 HCRYPTOIDFUNCADDR hFunc;
2074
2075 ret = CryptGetDefaultOIDFunctionAddress(set,
2076 dwEncodingType, ptr, 0, (void **)&func, &hFunc);
2077 if (ret)
2078 {
2079 ret = func(dwEncodingType, dwRevType, cContext,
2080 rgpvContext, dwFlags, pRevPara, pRevStatus);
2081 CryptFreeOIDFunctionAddress(hFunc, 0);
2082 }
2083 }
2084 }
2085 CryptMemFree(dllList);
2086 }
2087 else
2088 {
2089 SetLastError(ERROR_OUTOFMEMORY);
2090 ret = FALSE;
2091 }
2092 }
2093 }
2094 }
2095 else
2096 ret = TRUE;
2097 return ret;
2098 }
2099
2100 PCRYPT_ATTRIBUTE WINAPI CertFindAttribute(LPCSTR pszObjId, DWORD cAttr,
2101 CRYPT_ATTRIBUTE rgAttr[])
2102 {
2103 PCRYPT_ATTRIBUTE ret = NULL;
2104 DWORD i;
2105
2106 TRACE("%s %d %p\n", debugstr_a(pszObjId), cAttr, rgAttr);
2107
2108 if (!cAttr)
2109 return NULL;
2110 if (!pszObjId)
2111 {
2112 SetLastError(ERROR_INVALID_PARAMETER);
2113 return NULL;
2114 }
2115
2116 for (i = 0; !ret && i < cAttr; i++)
2117 if (rgAttr[i].pszObjId && !strcmp(pszObjId, rgAttr[i].pszObjId))
2118 ret = &rgAttr[i];
2119 return ret;
2120 }
2121
2122 PCERT_EXTENSION WINAPI CertFindExtension(LPCSTR pszObjId, DWORD cExtensions,
2123 CERT_EXTENSION rgExtensions[])
2124 {
2125 PCERT_EXTENSION ret = NULL;
2126 DWORD i;
2127
2128 TRACE("%s %d %p\n", debugstr_a(pszObjId), cExtensions, rgExtensions);
2129
2130 if (!cExtensions)
2131 return NULL;
2132 if (!pszObjId)
2133 {
2134 SetLastError(ERROR_INVALID_PARAMETER);
2135 return NULL;
2136 }
2137
2138 for (i = 0; !ret && i < cExtensions; i++)
2139 if (rgExtensions[i].pszObjId && !strcmp(pszObjId,
2140 rgExtensions[i].pszObjId))
2141 ret = &rgExtensions[i];
2142 return ret;
2143 }
2144
2145 PCERT_RDN_ATTR WINAPI CertFindRDNAttr(LPCSTR pszObjId, PCERT_NAME_INFO pName)
2146 {
2147 PCERT_RDN_ATTR ret = NULL;
2148 DWORD i, j;
2149
2150 TRACE("%s %p\n", debugstr_a(pszObjId), pName);
2151
2152 if (!pszObjId)
2153 {
2154 SetLastError(ERROR_INVALID_PARAMETER);
2155 return NULL;
2156 }
2157
2158 for (i = 0; !ret && i < pName->cRDN; i++)
2159 for (j = 0; !ret && j < pName->rgRDN[i].cRDNAttr; j++)
2160 if (pName->rgRDN[i].rgRDNAttr[j].pszObjId && !strcmp(pszObjId,
2161 pName->rgRDN[i].rgRDNAttr[j].pszObjId))
2162 ret = &pName->rgRDN[i].rgRDNAttr[j];
2163 return ret;
2164 }
2165
2166 static BOOL find_matching_rdn_attr(DWORD dwFlags, const CERT_NAME_INFO *name,
2167 const CERT_RDN_ATTR *attr)
2168 {
2169 DWORD i, j;
2170 BOOL match = FALSE;
2171
2172 for (i = 0; !match && i < name->cRDN; i++)
2173 {
2174 for (j = 0; j < name->rgRDN[i].cRDNAttr; j++)
2175 {
2176 if (!strcmp(name->rgRDN[i].rgRDNAttr[j].pszObjId,
2177 attr->pszObjId) &&
2178 name->rgRDN[i].rgRDNAttr[j].dwValueType ==
2179 attr->dwValueType)
2180 {
2181 if (dwFlags & CERT_UNICODE_IS_RDN_ATTRS_FLAG)
2182 {
2183 LPCWSTR nameStr =
2184 (LPCWSTR)name->rgRDN[i].rgRDNAttr[j].Value.pbData;
2185 LPCWSTR attrStr = (LPCWSTR)attr->Value.pbData;
2186
2187 if (attr->Value.cbData !=
2188 name->rgRDN[i].rgRDNAttr[j].Value.cbData)
2189 match = FALSE;
2190 else if (dwFlags & CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG)
2191 match = !strncmpiW(nameStr, attrStr,
2192 attr->Value.cbData / sizeof(WCHAR));
2193 else
2194 match = !strncmpW(nameStr, attrStr,
2195 attr->Value.cbData / sizeof(WCHAR));
2196 TRACE("%s : %s => %d\n",
2197 debugstr_wn(nameStr, attr->Value.cbData / sizeof(WCHAR)),
2198 debugstr_wn(attrStr, attr->Value.cbData / sizeof(WCHAR)),
2199 match);
2200 }
2201 else
2202 {
2203 LPCSTR nameStr =
2204 (LPCSTR)name->rgRDN[i].rgRDNAttr[j].Value.pbData;
2205 LPCSTR attrStr = (LPCSTR)attr->Value.pbData;
2206
2207 if (attr->Value.cbData !=
2208 name->rgRDN[i].rgRDNAttr[j].Value.cbData)
2209 match = FALSE;
2210 else if (dwFlags & CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG)
2211 match = !_strnicmp(nameStr, attrStr,
2212 attr->Value.cbData);
2213 else
2214 match = !strncmp(nameStr, attrStr, attr->Value.cbData);
2215 TRACE("%s : %s => %d\n",
2216 debugstr_an(nameStr, attr->Value.cbData),
2217 debugstr_an(attrStr, attr->Value.cbData), match);
2218 }
2219 }
2220 }
2221 }
2222 return match;
2223 }
2224
2225 BOOL WINAPI CertIsRDNAttrsInCertificateName(DWORD dwCertEncodingType,
2226 DWORD dwFlags, PCERT_NAME_BLOB pCertName, PCERT_RDN pRDN)
2227 {
2228 CERT_NAME_INFO *name;
2229 LPCSTR type;
2230 DWORD size;
2231 BOOL ret;
2232
2233 TRACE("(%08x, %08x, %p, %p)\n", dwCertEncodingType, dwFlags, pCertName,
2234 pRDN);
2235
2236 type = dwFlags & CERT_UNICODE_IS_RDN_ATTRS_FLAG ? X509_UNICODE_NAME :
2237 X509_NAME;
2238 if ((ret = CryptDecodeObjectEx(dwCertEncodingType, type, pCertName->pbData,
2239 pCertName->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &name, &size)))
2240 {
2241 DWORD i;
2242
2243 for (i = 0; ret && i < pRDN->cRDNAttr; i++)
2244 ret = find_matching_rdn_attr(dwFlags, name, &pRDN->rgRDNAttr[i]);
2245 if (!ret)
2246 SetLastError(CRYPT_E_NO_MATCH);
2247 LocalFree(name);
2248 }
2249 return ret;
2250 }
2251
2252 LONG WINAPI CertVerifyTimeValidity(LPFILETIME pTimeToVerify,
2253 PCERT_INFO pCertInfo)
2254 {
2255 FILETIME fileTime;
2256 LONG ret;
2257
2258 if (!pTimeToVerify)
2259 {
2260 GetSystemTimeAsFileTime(&fileTime);
2261 pTimeToVerify = &fileTime;
2262 }
2263 if ((ret = CompareFileTime(pTimeToVerify, &pCertInfo->NotBefore)) >= 0)
2264 {
2265 ret = CompareFileTime(pTimeToVerify, &pCertInfo->NotAfter);
2266 if (ret < 0)
2267 ret = 0;
2268 }
2269 return ret;
2270 }
2271
2272 BOOL WINAPI CertVerifyValidityNesting(PCERT_INFO pSubjectInfo,
2273 PCERT_INFO pIssuerInfo)
2274 {
2275 TRACE("(%p, %p)\n", pSubjectInfo, pIssuerInfo);
2276
2277 return CertVerifyTimeValidity(&pSubjectInfo->NotBefore, pIssuerInfo) == 0
2278 && CertVerifyTimeValidity(&pSubjectInfo->NotAfter, pIssuerInfo) == 0;
2279 }
2280
2281 BOOL WINAPI CryptHashCertificate(HCRYPTPROV_LEGACY hCryptProv, ALG_ID Algid,
2282 DWORD dwFlags, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash,
2283 DWORD *pcbComputedHash)
2284 {
2285 BOOL ret = TRUE;
2286 HCRYPTHASH hHash = 0;
2287
2288 TRACE("(%08lx, %d, %08x, %p, %d, %p, %p)\n", hCryptProv, Algid, dwFlags,
2289 pbEncoded, cbEncoded, pbComputedHash, pcbComputedHash);
2290
2291 if (!hCryptProv)
2292 hCryptProv = I_CryptGetDefaultCryptProv(Algid);
2293 if (!Algid)
2294 Algid = CALG_SHA1;
2295 if (ret)
2296 {
2297 ret = CryptCreateHash(hCryptProv, Algid, 0, 0, &hHash);
2298 if (ret)
2299 {
2300 ret = CryptHashData(hHash, pbEncoded, cbEncoded, 0);
2301 if (ret)
2302 ret = CryptGetHashParam(hHash, HP_HASHVAL, pbComputedHash,
2303 pcbComputedHash, 0);
2304 CryptDestroyHash(hHash);
2305 }
2306 }
2307 return ret;
2308 }
2309
2310 BOOL WINAPI CryptHashCertificate2(LPCWSTR pwszCNGHashAlgid, DWORD dwFlags,
2311 void *pvReserved, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash,
2312 DWORD *pcbComputedHash)
2313 {
2314 BCRYPT_HASH_HANDLE hash = NULL;
2315 BCRYPT_ALG_HANDLE alg = NULL;
2316 NTSTATUS status;
2317 DWORD hash_len;
2318 DWORD hash_len_size;
2319
2320 TRACE("(%s, %08x, %p, %p, %d, %p, %p)\n", debugstr_w(pwszCNGHashAlgid),
2321 dwFlags, pvReserved, pbEncoded, cbEncoded, pbComputedHash, pcbComputedHash);
2322
2323 if ((status = BCryptOpenAlgorithmProvider(&alg, pwszCNGHashAlgid, NULL, 0)))
2324 {
2325 if (status == STATUS_NOT_IMPLEMENTED)
2326 status = STATUS_NOT_FOUND;
2327 goto done;
2328 }
2329
2330 if ((status = BCryptCreateHash(alg, &hash, NULL, 0, NULL, 0, 0)))
2331 goto done;
2332
2333 if ((status = BCryptGetProperty(hash, BCRYPT_HASH_LENGTH, (BYTE *)&hash_len, sizeof(hash_len), &hash_len_size, 0)))
2334 goto done;
2335
2336 if (!pbComputedHash)
2337 {
2338 *pcbComputedHash = hash_len;
2339 goto done;
2340 }
2341
2342 if (*pcbComputedHash < hash_len)
2343 {
2344 status = ERROR_MORE_DATA;
2345 goto done;
2346 }
2347
2348 *pcbComputedHash = hash_len;
2349
2350 if ((status = BCryptHashData(hash, (BYTE *)pbEncoded, cbEncoded, 0)))
2351 goto done;
2352
2353 if ((status = BCryptFinishHash(hash, pbComputedHash, hash_len, 0)))
2354 goto done;
2355
2356 done:
2357 if (hash) BCryptDestroyHash(hash);
2358 if (alg) BCryptCloseAlgorithmProvider(alg, 0);
2359 if (status) SetLastError(status);
2360 return !status;
2361 }
2362
2363 BOOL WINAPI CryptHashPublicKeyInfo(HCRYPTPROV_LEGACY hCryptProv, ALG_ID Algid,
2364 DWORD dwFlags, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo,
2365 BYTE *pbComputedHash, DWORD *pcbComputedHash)
2366 {
2367 BOOL ret = TRUE;
2368 HCRYPTHASH hHash = 0;
2369
2370 TRACE("(%08lx, %d, %08x, %d, %p, %p, %p)\n", hCryptProv, Algid, dwFlags,
2371 dwCertEncodingType, pInfo, pbComputedHash, pcbComputedHash);
2372
2373 if (!hCryptProv)
2374 hCryptProv = I_CryptGetDefaultCryptProv(0);
2375 if (!Algid)
2376 Algid = CALG_MD5;
2377 if ((dwCertEncodingType & CERT_ENCODING_TYPE_MASK) != X509_ASN_ENCODING)
2378 {
2379 SetLastError(ERROR_FILE_NOT_FOUND);
2380 return FALSE;
2381 }
2382 if (ret)
2383 {
2384 BYTE *buf;
2385 DWORD size = 0;
2386
2387 ret = CRYPT_AsnEncodePubKeyInfoNoNull(dwCertEncodingType,
2388 X509_PUBLIC_KEY_INFO, pInfo, CRYPT_ENCODE_ALLOC_FLAG, NULL,
2389 (LPBYTE)&buf, &size);
2390 if (ret)
2391 {
2392 ret = CryptCreateHash(hCryptProv, Algid, 0, 0, &hHash);
2393 if (ret)
2394 {
2395 ret = CryptHashData(hHash, buf, size, 0);
2396 if (ret)
2397 ret = CryptGetHashParam(hHash, HP_HASHVAL, pbComputedHash,
2398 pcbComputedHash, 0);
2399 CryptDestroyHash(hHash);
2400 }
2401 LocalFree(buf);
2402 }
2403 }
2404 return ret;
2405 }
2406
2407 BOOL WINAPI CryptHashToBeSigned(HCRYPTPROV_LEGACY hCryptProv,
2408 DWORD dwCertEncodingType, const BYTE *pbEncoded, DWORD cbEncoded,
2409 BYTE *pbComputedHash, DWORD *pcbComputedHash)
2410 {
2411 BOOL ret;
2412 CERT_SIGNED_CONTENT_INFO *info;
2413 DWORD size;
2414
2415 TRACE("(%08lx, %08x, %p, %d, %p, %d)\n", hCryptProv, dwCertEncodingType,
2416 pbEncoded, cbEncoded, pbComputedHash, *pcbComputedHash);
2417
2418 ret = CryptDecodeObjectEx(dwCertEncodingType, X509_CERT,
2419 pbEncoded, cbEncoded, CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size);
2420 if (ret)
2421 {
2422 PCCRYPT_OID_INFO oidInfo;
2423 HCRYPTHASH hHash;
2424
2425 if (!hCryptProv)
2426 hCryptProv = I_CryptGetDefaultCryptProv(0);
2427 oidInfo = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY,
2428 info->SignatureAlgorithm.pszObjId, 0);
2429 if (!oidInfo)
2430 {
2431 SetLastError(NTE_BAD_ALGID);
2432 ret = FALSE;
2433 }
2434 else
2435 {
2436 ret = CryptCreateHash(hCryptProv, oidInfo->u.Algid, 0, 0, &hHash);
2437 if (ret)
2438 {
2439 ret = CryptHashData(hHash, info->ToBeSigned.pbData,
2440 info->ToBeSigned.cbData, 0);
2441 if (ret)
2442 ret = CryptGetHashParam(hHash, HP_HASHVAL, pbComputedHash,
2443 pcbComputedHash, 0);
2444 CryptDestroyHash(hHash);
2445 }
2446 }
2447 LocalFree(info);
2448 }
2449 return ret;
2450 }
2451
2452 BOOL WINAPI CryptSignCertificate(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProv,
2453 DWORD dwKeySpec, DWORD dwCertEncodingType, const BYTE *pbEncodedToBeSigned,
2454 DWORD cbEncodedToBeSigned, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
2455 const void *pvHashAuxInfo, BYTE *pbSignature, DWORD *pcbSignature)
2456 {
2457 BOOL ret;
2458 PCCRYPT_OID_INFO info;
2459 HCRYPTHASH hHash;
2460
2461 TRACE("(%08lx, %d, %d, %p, %d, %p, %p, %p, %p)\n", hCryptProv,
2462 dwKeySpec, dwCertEncodingType, pbEncodedToBeSigned, cbEncodedToBeSigned,
2463 pSignatureAlgorithm, pvHashAuxInfo, pbSignature, pcbSignature);
2464
2465 info = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY,
2466 pSignatureAlgorithm->pszObjId, 0);
2467 if (!info)
2468 {
2469 SetLastError(NTE_BAD_ALGID);
2470 return FALSE;
2471 }
2472 if (info->dwGroupId == CRYPT_HASH_ALG_OID_GROUP_ID)
2473 {
2474 if (!hCryptProv)
2475 hCryptProv = I_CryptGetDefaultCryptProv(0);
2476 ret = CryptCreateHash(hCryptProv, info->u.Algid, 0, 0, &hHash);
2477 if (ret)
2478 {
2479 ret = CryptHashData(hHash, pbEncodedToBeSigned,
2480 cbEncodedToBeSigned, 0);
2481 if (ret)
2482 ret = CryptGetHashParam(hHash, HP_HASHVAL, pbSignature,
2483 pcbSignature, 0);
2484 CryptDestroyHash(hHash);
2485 }
2486 }
2487 else
2488 {
2489 if (!hCryptProv)
2490 {
2491 SetLastError(ERROR_INVALID_PARAMETER);
2492 ret = FALSE;
2493 }
2494 else
2495 {
2496 ret = CryptCreateHash(hCryptProv, info->u.Algid, 0, 0, &hHash);
2497 if (ret)
2498 {
2499 ret = CryptHashData(hHash, pbEncodedToBeSigned,
2500 cbEncodedToBeSigned, 0);
2501 if (ret)
2502 ret = CryptSignHashW(hHash, dwKeySpec, NULL, 0, pbSignature,
2503 pcbSignature);
2504 CryptDestroyHash(hHash);
2505 }
2506 }
2507 }
2508 return ret;
2509 }
2510
2511 BOOL WINAPI CryptSignAndEncodeCertificate(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProv,
2512 DWORD dwKeySpec, DWORD dwCertEncodingType, LPCSTR lpszStructType,
2513 const void *pvStructInfo, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
2514 const void *pvHashAuxInfo, BYTE *pbEncoded, DWORD *pcbEncoded)
2515 {
2516 BOOL ret;
2517 DWORD encodedSize, hashSize;
2518
2519 TRACE("(%08lx, %d, %d, %s, %p, %p, %p, %p, %p)\n", hCryptProv, dwKeySpec,
2520 dwCertEncodingType, debugstr_a(lpszStructType), pvStructInfo,
2521 pSignatureAlgorithm, pvHashAuxInfo, pbEncoded, pcbEncoded);
2522
2523 ret = CryptEncodeObject(dwCertEncodingType, lpszStructType, pvStructInfo,
2524 NULL, &encodedSize);
2525 if (ret)
2526 {
2527 PBYTE encoded = CryptMemAlloc(encodedSize);
2528
2529 if (encoded)
2530 {
2531 ret = CryptEncodeObject(dwCertEncodingType, lpszStructType,
2532 pvStructInfo, encoded, &encodedSize);
2533 if (ret)
2534 {
2535 ret = CryptSignCertificate(hCryptProv, dwKeySpec,
2536 dwCertEncodingType, encoded, encodedSize, pSignatureAlgorithm,
2537 pvHashAuxInfo, NULL, &hashSize);
2538 if (ret)
2539 {
2540 PBYTE hash = CryptMemAlloc(hashSize);
2541
2542 if (hash)
2543 {
2544 ret = CryptSignCertificate(hCryptProv, dwKeySpec,
2545 dwCertEncodingType, encoded, encodedSize,
2546 pSignatureAlgorithm, pvHashAuxInfo, hash, &hashSize);
2547 if (ret)
2548 {
2549 CERT_SIGNED_CONTENT_INFO info = { { 0 } };
2550
2551 info.ToBeSigned.cbData = encodedSize;
2552 info.ToBeSigned.pbData = encoded;
2553 info.SignatureAlgorithm = *pSignatureAlgorithm;
2554 info.Signature.cbData = hashSize;
2555 info.Signature.pbData = hash;
2556 info.Signature.cUnusedBits = 0;
2557 ret = CryptEncodeObject(dwCertEncodingType,
2558 X509_CERT, &info, pbEncoded, pcbEncoded);
2559 }
2560 CryptMemFree(hash);
2561 }
2562 else
2563 ret = FALSE;
2564 }
2565 }
2566 CryptMemFree(encoded);
2567 }
2568 else
2569 ret = FALSE;
2570 }
2571 return ret;
2572 }
2573
2574 BOOL WINAPI CryptVerifyCertificateSignature(HCRYPTPROV_LEGACY hCryptProv,
2575 DWORD dwCertEncodingType, const BYTE *pbEncoded, DWORD cbEncoded,
2576 PCERT_PUBLIC_KEY_INFO pPublicKey)
2577 {
2578 CRYPT_DATA_BLOB blob = { cbEncoded, (BYTE *)pbEncoded };
2579
2580 return CryptVerifyCertificateSignatureEx(hCryptProv, dwCertEncodingType,
2581 CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &blob,
2582 CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY, pPublicKey, 0, NULL);
2583 }
2584
2585 static BOOL CRYPT_VerifySignature(HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType,
2586 CERT_PUBLIC_KEY_INFO *pubKeyInfo, const CERT_SIGNED_CONTENT_INFO *signedCert, const CRYPT_OID_INFO *info)
2587 {
2588 BOOL ret;
2589 HCRYPTKEY key;
2590 ALG_ID pubKeyID, hashID;
2591
2592 hashID = info->u.Algid;
2593 if (info->ExtraInfo.cbData >= sizeof(ALG_ID))
2594 pubKeyID = *(ALG_ID *)info->ExtraInfo.pbData;
2595 else
2596 pubKeyID = hashID;
2597 /* Load the default provider if necessary */
2598 if (!hCryptProv)
2599 hCryptProv = I_CryptGetDefaultCryptProv(hashID);
2600 ret = CryptImportPublicKeyInfoEx(hCryptProv, dwCertEncodingType,
2601 pubKeyInfo, pubKeyID, 0, NULL, &key);
2602 if (ret)
2603 {
2604 HCRYPTHASH hash;
2605
2606 ret = CryptCreateHash(hCryptProv, hashID, 0, 0, &hash);
2607 if (ret)
2608 {
2609 ret = CryptHashData(hash, signedCert->ToBeSigned.pbData,
2610 signedCert->ToBeSigned.cbData, 0);
2611 if (ret)
2612 ret = CryptVerifySignatureW(hash, signedCert->Signature.pbData,
2613 signedCert->Signature.cbData, key, NULL, 0);
2614 CryptDestroyHash(hash);
2615 }
2616 CryptDestroyKey(key);
2617 }
2618 return ret;
2619 }
2620
2621 static BOOL CNG_CalcHash(const WCHAR *algorithm, const CERT_SIGNED_CONTENT_INFO *signedCert,
2622 BYTE **hash_value, DWORD *hash_len)
2623 {
2624 BCRYPT_HASH_HANDLE hash = NULL;
2625 BCRYPT_ALG_HANDLE alg = NULL;
2626 NTSTATUS status;
2627 DWORD size;
2628
2629 if ((status = BCryptOpenAlgorithmProvider(&alg, algorithm, NULL, 0)))
2630 goto done;
2631
2632 if ((status = BCryptCreateHash(alg, &hash, NULL, 0, NULL, 0, 0)))
2633 goto done;
2634
2635 if ((status = BCryptHashData(hash, signedCert->ToBeSigned.pbData, signedCert->ToBeSigned.cbData, 0)))
2636 goto done;
2637
2638 if ((status = BCryptGetProperty(hash, BCRYPT_HASH_LENGTH, (BYTE *)hash_len, sizeof(*hash_len), &size, 0)))
2639 goto done;
2640
2641 if (!(*hash_value = CryptMemAlloc(*hash_len)))
2642 {
2643 status = STATUS_NO_MEMORY;
2644 goto done;
2645 }
2646
2647 if ((status = BCryptFinishHash(hash, *hash_value, *hash_len, 0)))
2648 {
2649 CryptMemFree(*hash_value);
2650 goto done;
2651 }
2652
2653 done:
2654 if (hash) BCryptDestroyHash(hash);
2655 if (alg) BCryptCloseAlgorithmProvider(alg, 0);
2656 if (status) SetLastError(RtlNtStatusToDosError(status));
2657 return status == 0;
2658 }
2659
2660 static BOOL CNG_ImportECCPubKey(CERT_PUBLIC_KEY_INFO *pubKeyInfo, BCRYPT_KEY_HANDLE *key)
2661 {
2662 DWORD blob_magic, ecckey_len, size;
2663 BCRYPT_ALG_HANDLE alg = NULL;
2664 BCRYPT_ECCKEY_BLOB *ecckey;
2665 const WCHAR *sign_algo;
2666 char **ecc_curve;
2667 NTSTATUS status;
2668
2669 if (!pubKeyInfo->PublicKey.cbData)
2670 {
2671 SetLastError(NTE_BAD_ALGID);
2672 return FALSE;
2673 }
2674
2675 if (pubKeyInfo->PublicKey.pbData[0] != 0x4)
2676 {
2677 FIXME("Compressed ECC curves (%02x) not yet supported\n", pubKeyInfo->PublicKey.pbData[0]);
2678 SetLastError(NTE_BAD_ALGID);
2679 return FALSE;
2680 }
2681
2682 if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_OBJECT_IDENTIFIER, pubKeyInfo->Algorithm.Parameters.pbData,
2683 pubKeyInfo->Algorithm.Parameters.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &ecc_curve, &size))
2684 return FALSE;
2685
2686 if (!strcmp(*ecc_curve, szOID_ECC_CURVE_P256))
2687 {
2688 sign_algo = BCRYPT_ECDSA_P256_ALGORITHM;
2689 blob_magic = BCRYPT_ECDSA_PUBLIC_P256_MAGIC;
2690 }
2691 else if (!strcmp(*ecc_curve, szOID_ECC_CURVE_P384))
2692 {
2693 sign_algo = BCRYPT_ECDSA_P384_ALGORITHM;
2694 blob_magic = BCRYPT_ECDSA_PUBLIC_P384_MAGIC;
2695 }
2696 else
2697 {
2698 FIXME("Unsupported ecc curve type: %s\n", *ecc_curve);
2699 sign_algo = NULL;
2700 blob_magic = 0;
2701 }
2702 LocalFree(ecc_curve);
2703
2704 if (!sign_algo)
2705 {
2706 SetLastError(NTE_BAD_ALGID);
2707 return FALSE;
2708 }
2709
2710 if ((status = BCryptOpenAlgorithmProvider(&alg, sign_algo, NULL, 0)))
2711 goto done;
2712
2713 ecckey_len = sizeof(BCRYPT_ECCKEY_BLOB) + pubKeyInfo->PublicKey.cbData - 1;
2714 if (!(ecckey = CryptMemAlloc(ecckey_len)))
2715 {
2716 status = STATUS_NO_MEMORY;
2717 goto done;
2718 }
2719
2720 ecckey->dwMagic = blob_magic;
2721 ecckey->cbKey = (pubKeyInfo->PublicKey.cbData - 1) / 2;
2722 memcpy(ecckey + 1, pubKeyInfo->PublicKey.pbData + 1, pubKeyInfo->PublicKey.cbData - 1);
2723
2724 status = BCryptImportKeyPair(alg, NULL, BCRYPT_ECCPUBLIC_BLOB, key, (BYTE*)ecckey, ecckey_len, 0);
2725 CryptMemFree(ecckey);
2726
2727 done:
2728 if (alg) BCryptCloseAlgorithmProvider(alg, 0);
2729 if (status) SetLastError(RtlNtStatusToDosError(status));
2730 return !status;
2731 }
2732
2733 static BOOL CNG_ImportPubKey(CERT_PUBLIC_KEY_INFO *pubKeyInfo, BCRYPT_KEY_HANDLE *key)
2734 {
2735 if (!strcmp(pubKeyInfo->Algorithm.pszObjId, szOID_ECC_PUBLIC_KEY))
2736 return CNG_ImportECCPubKey(pubKeyInfo, key);
2737
2738 FIXME("Unsupported public key type: %s\n", debugstr_a(pubKeyInfo->Algorithm.pszObjId));
2739 SetLastError(NTE_BAD_ALGID);
2740 return FALSE;
2741 }
2742
2743 static BOOL CNG_PrepareSignatureECC(BYTE *encoded_sig, DWORD encoded_size, BYTE **sig_value, DWORD *sig_len)
2744 {
2745 CERT_ECC_SIGNATURE *ecc_sig;
2746 DWORD size;
2747 int i;
2748
2749 if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ECC_SIGNATURE, encoded_sig, encoded_size,
2750 CRYPT_DECODE_ALLOC_FLAG, NULL, &ecc_sig, &size))
2751 return FALSE;
2752
2753 if (!ecc_sig->r.cbData || !ecc_sig->s.cbData)
2754 {
2755 LocalFree(ecc_sig);
2756 SetLastError(ERROR_INVALID_DATA);
2757 return FALSE;
2758 }
2759
2760 *sig_len = ecc_sig->r.cbData + ecc_sig->s.cbData;
2761 if (!(*sig_value = CryptMemAlloc(*sig_len)))
2762 {
2763 LocalFree(ecc_sig);
2764 SetLastError(ERROR_OUTOFMEMORY);
2765 return FALSE;
2766 }
2767
2768 for (i = 0; i < ecc_sig->r.cbData; i++)
2769 (*sig_value)[i] = ecc_sig->r.pbData[ecc_sig->r.cbData - i - 1];
2770 for (i = 0; i < ecc_sig->s.cbData; i++)
2771 (*sig_value)[ecc_sig->r.cbData + i] = ecc_sig->s.pbData[ecc_sig->s.cbData - i - 1];
2772
2773 LocalFree(ecc_sig);
2774 return TRUE;
2775 }
2776
2777 static BOOL CNG_PrepareSignature(CERT_PUBLIC_KEY_INFO *pubKeyInfo, const CERT_SIGNED_CONTENT_INFO *signedCert,
2778 BYTE **sig_value, DWORD *sig_len)
2779 {
2780 BYTE *encoded_sig;
2781 BOOL ret = FALSE;
2782 int i;
2783
2784 if (!signedCert->Signature.cbData)
2785 {
2786 SetLastError(ERROR_INVALID_DATA);
2787 return FALSE;
2788 }
2789
2790 if (!(encoded_sig = CryptMemAlloc(signedCert->Signature.cbData)))
2791 {
2792 SetLastError(ERROR_OUTOFMEMORY);
2793 return FALSE;
2794 }
2795
2796 for (i = 0; i < signedCert->Signature.cbData; i++)
2797 encoded_sig[i] = signedCert->Signature.pbData[signedCert->Signature.cbData - i - 1];
2798
2799 if (!strcmp(pubKeyInfo->Algorithm.pszObjId, szOID_ECC_PUBLIC_KEY))
2800 ret = CNG_PrepareSignatureECC(encoded_sig, signedCert->Signature.cbData, sig_value, sig_len);
2801 else
2802 {
2803 FIXME("Unsupported public key type: %s\n", debugstr_a(pubKeyInfo->Algorithm.pszObjId));
2804 SetLastError(NTE_BAD_ALGID);
2805 }
2806
2807 CryptMemFree(encoded_sig);
2808 return ret;
2809 }
2810
2811 static BOOL CNG_VerifySignature(HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType,
2812 CERT_PUBLIC_KEY_INFO *pubKeyInfo, const CERT_SIGNED_CONTENT_INFO *signedCert, const CRYPT_OID_INFO *info)
2813 {
2814 BCRYPT_KEY_HANDLE key = NULL;
2815 BYTE *hash_value = NULL, *sig_value;
2816 DWORD hash_len, sig_len;
2817 NTSTATUS status;
2818 BOOL ret;
2819
2820 ret = CNG_ImportPubKey(pubKeyInfo, &key);
2821 if (ret)
2822 {
2823 ret = CNG_CalcHash(info->pwszCNGAlgid, signedCert, &hash_value, &hash_len);
2824 if (ret)
2825 {
2826 ret = CNG_PrepareSignature(pubKeyInfo, signedCert, &sig_value, &sig_len);
2827 if (ret)
2828 {
2829 status = BCryptVerifySignature(key, NULL, hash_value, hash_len, sig_value, sig_len, 0);
2830 if (status)
2831 {
2832 FIXME("Failed to verify signature: %08x\n", status);
2833 SetLastError(RtlNtStatusToDosError(status));
2834 ret = FALSE;
2835 }
2836 CryptMemFree(sig_value);
2837 }
2838 CryptMemFree(hash_value);
2839 }
2840 BCryptDestroyKey(key);
2841 }
2842
2843 return ret;
2844 }
2845
2846 static BOOL CRYPT_VerifyCertSignatureFromPublicKeyInfo(HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType,
2847 CERT_PUBLIC_KEY_INFO *pubKeyInfo, const CERT_SIGNED_CONTENT_INFO *signedCert)
2848 {
2849 CCRYPT_OID_INFO *info;
2850
2851 info = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, signedCert->SignatureAlgorithm.pszObjId, 0);
2852 if (!info || info->dwGroupId != CRYPT_SIGN_ALG_OID_GROUP_ID)
2853 {
2854 SetLastError(NTE_BAD_ALGID);
2855 return FALSE;
2856 }
2857
2858 if (info->u.Algid == CALG_OID_INFO_CNG_ONLY)
2859 return CNG_VerifySignature(hCryptProv, dwCertEncodingType, pubKeyInfo, signedCert, info);
2860 else
2861 return CRYPT_VerifySignature(hCryptProv, dwCertEncodingType, pubKeyInfo, signedCert, info);
2862 }
2863
2864 BOOL WINAPI CryptVerifyCertificateSignatureEx(HCRYPTPROV_LEGACY hCryptProv,
2865 DWORD dwCertEncodingType, DWORD dwSubjectType, void *pvSubject,
2866 DWORD dwIssuerType, void *pvIssuer, DWORD dwFlags, void *pvReserved)
2867 {
2868 BOOL ret = TRUE;
2869 CRYPT_DATA_BLOB subjectBlob;
2870
2871 TRACE("(%08lx, %d, %d, %p, %d, %p, %08x, %p)\n", hCryptProv,
2872 dwCertEncodingType, dwSubjectType, pvSubject, dwIssuerType, pvIssuer,
2873 dwFlags, pvReserved);
2874
2875 switch (dwSubjectType)
2876 {
2877 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB:
2878 {
2879 PCRYPT_DATA_BLOB blob = pvSubject;
2880
2881 subjectBlob.pbData = blob->pbData;
2882 subjectBlob.cbData = blob->cbData;
2883 break;
2884 }
2885 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT:
2886 {
2887 PCERT_CONTEXT context = pvSubject;
2888
2889 subjectBlob.pbData = context->pbCertEncoded;
2890 subjectBlob.cbData = context->cbCertEncoded;
2891 break;
2892 }
2893 case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL:
2894 {
2895 PCRL_CONTEXT context = pvSubject;
2896
2897 subjectBlob.pbData = context->pbCrlEncoded;
2898 subjectBlob.cbData = context->cbCrlEncoded;
2899 break;
2900 }
2901 default:
2902 SetLastError(E_INVALIDARG);
2903 ret = FALSE;
2904 }
2905
2906 if (ret)
2907 {
2908 PCERT_SIGNED_CONTENT_INFO signedCert = NULL;
2909 DWORD size = 0;
2910
2911 ret = CryptDecodeObjectEx(dwCertEncodingType, X509_CERT,
2912 subjectBlob.pbData, subjectBlob.cbData,
2913 CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
2914 &signedCert, &size);
2915 if (ret)
2916 {
2917 switch (dwIssuerType)
2918 {
2919 case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY:
2920 ret = CRYPT_VerifyCertSignatureFromPublicKeyInfo(hCryptProv,
2921 dwCertEncodingType, pvIssuer,
2922 signedCert);
2923 break;
2924 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT:
2925 ret = CRYPT_VerifyCertSignatureFromPublicKeyInfo(hCryptProv,
2926 dwCertEncodingType,
2927 &((PCCERT_CONTEXT)pvIssuer)->pCertInfo->SubjectPublicKeyInfo,
2928 signedCert);
2929 break;
2930 case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN:
2931 FIXME("CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: stub\n");
2932 ret = FALSE;
2933 break;
2934 case CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL:
2935 if (pvIssuer)
2936 {
2937 SetLastError(E_INVALIDARG);
2938 ret = FALSE;
2939 }
2940 else
2941 {
2942 FIXME("unimplemented for NULL signer\n");
2943 SetLastError(E_INVALIDARG);
2944 ret = FALSE;
2945 }
2946 break;
2947 default:
2948 SetLastError(E_INVALIDARG);
2949 ret = FALSE;
2950 }
2951 LocalFree(signedCert);
2952 }
2953 }
2954 return ret;
2955 }
2956
2957 BOOL WINAPI CertGetIntendedKeyUsage(DWORD dwCertEncodingType,
2958 PCERT_INFO pCertInfo, BYTE *pbKeyUsage, DWORD cbKeyUsage)
2959 {
2960 PCERT_EXTENSION ext;
2961 BOOL ret = FALSE;
2962
2963 TRACE("(%08x, %p, %p, %d)\n", dwCertEncodingType, pCertInfo, pbKeyUsage,
2964 cbKeyUsage);
2965
2966 ext = CertFindExtension(szOID_KEY_USAGE, pCertInfo->cExtension,
2967 pCertInfo->rgExtension);
2968 if (ext)
2969 {
2970 CRYPT_BIT_BLOB usage;
2971 DWORD size = sizeof(usage);
2972
2973 ret = CryptDecodeObjectEx(dwCertEncodingType, X509_BITS,
2974 ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, NULL,
2975 &usage, &size);
2976 if (ret)
2977 {
2978 if (cbKeyUsage < usage.cbData)
2979 ret = FALSE;
2980 else
2981 {
2982 memcpy(pbKeyUsage, usage.pbData, usage.cbData);
2983 if (cbKeyUsage > usage.cbData)
2984 memset(pbKeyUsage + usage.cbData, 0,
2985 cbKeyUsage - usage.cbData);
2986 }
2987 }
2988 }
2989 else
2990 SetLastError(0);
2991 return ret;
2992 }
2993
2994 BOOL WINAPI CertGetEnhancedKeyUsage(PCCERT_CONTEXT pCertContext, DWORD dwFlags,
2995 PCERT_ENHKEY_USAGE pUsage, DWORD *pcbUsage)
2996 {
2997 PCERT_ENHKEY_USAGE usage = NULL;
2998 DWORD bytesNeeded;
2999 BOOL ret = TRUE;
3000
3001 if (!pCertContext || !pcbUsage)
3002 {
3003 SetLastError(ERROR_INVALID_PARAMETER);
3004 return FALSE;
3005 }
3006
3007 TRACE("(%p, %08x, %p, %d)\n", pCertContext, dwFlags, pUsage, *pcbUsage);
3008
3009 if (!(dwFlags & CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG))
3010 {
3011 DWORD propSize = 0;
3012
3013 if (CertGetCertificateContextProperty(pCertContext,
3014 CERT_ENHKEY_USAGE_PROP_ID, NULL, &propSize))
3015 {
3016 LPBYTE buf = CryptMemAlloc(propSize);
3017
3018 if (buf)
3019 {
3020 if (CertGetCertificateContextProperty(pCertContext,
3021 CERT_ENHKEY_USAGE_PROP_ID, buf, &propSize))
3022 {
3023 ret = CryptDecodeObjectEx(pCertContext->dwCertEncodingType,
3024 X509_ENHANCED_KEY_USAGE, buf, propSize,
3025 CRYPT_ENCODE_ALLOC_FLAG, NULL, &usage, &bytesNeeded);
3026 }
3027 CryptMemFree(buf);
3028 }
3029 }
3030 }
3031 if (!usage && !(dwFlags & CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG))
3032 {
3033 PCERT_EXTENSION ext = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
3034 pCertContext->pCertInfo->cExtension,
3035 pCertContext->pCertInfo->rgExtension);
3036
3037 if (ext)
3038 {
3039 ret = CryptDecodeObjectEx(pCertContext->dwCertEncodingType,
3040 X509_ENHANCED_KEY_USAGE, ext->Value.pbData, ext->Value.cbData,
3041 CRYPT_ENCODE_ALLOC_FLAG, NULL, &usage, &bytesNeeded);
3042 }
3043 }
3044 if (!usage)
3045 {
3046 /* If a particular location is specified, this should fail. Otherwise
3047 * it should succeed with an empty usage. (This is true on Win2k and
3048 * later, which we emulate.)
3049 */
3050 if (dwFlags)
3051 {
3052 SetLastError(CRYPT_E_NOT_FOUND);
3053 ret = FALSE;
3054 }
3055 else
3056 bytesNeeded = sizeof(CERT_ENHKEY_USAGE);
3057 }
3058
3059 if (ret)
3060 {
3061 if (!pUsage)
3062 *pcbUsage = bytesNeeded;
3063 else if (*pcbUsage < bytesNeeded)
3064 {
3065 SetLastError(ERROR_MORE_DATA);
3066 *pcbUsage = bytesNeeded;
3067 ret = FALSE;
3068 }
3069 else
3070 {
3071 *pcbUsage = bytesNeeded;
3072 if (usage)
3073 {
3074 DWORD i;
3075 LPSTR nextOID = (LPSTR)((LPBYTE)pUsage +
3076 sizeof(CERT_ENHKEY_USAGE) +
3077 usage->cUsageIdentifier * sizeof(LPSTR));
3078
3079 pUsage->cUsageIdentifier = usage->cUsageIdentifier;
3080 pUsage->rgpszUsageIdentifier = (LPSTR *)((LPBYTE)pUsage +
3081 sizeof(CERT_ENHKEY_USAGE));
3082 for (i = 0; i < usage->cUsageIdentifier; i++)
3083 {
3084 pUsage->rgpszUsageIdentifier[i] = nextOID;
3085 strcpy(nextOID, usage->rgpszUsageIdentifier[i]);
3086 nextOID += strlen(nextOID) + 1;
3087 }
3088 }
3089 else
3090 pUsage->cUsageIdentifier = 0;
3091 }
3092 }
3093 if (usage)
3094 LocalFree(usage);
3095 TRACE("returning %d\n", ret);
3096 return ret;
3097 }
3098
3099 BOOL WINAPI CertSetEnhancedKeyUsage(PCCERT_CONTEXT pCertContext,
3100 PCERT_ENHKEY_USAGE pUsage)
3101 {
3102 BOOL ret;
3103
3104 TRACE("(%p, %p)\n", pCertContext, pUsage);
3105
3106 if (pUsage)
3107 {
3108 CRYPT_DATA_BLOB blob = { 0, NULL };
3109
3110 ret = CryptEncodeObjectEx(X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE,
3111 pUsage, CRYPT_ENCODE_ALLOC_FLAG, NULL, &blob.pbData, &blob.cbData);
3112 if (ret)
3113 {
3114 ret = CertSetCertificateContextProperty(pCertContext,
3115 CERT_ENHKEY_USAGE_PROP_ID, 0, &blob);
3116 LocalFree(blob.pbData);
3117 }
3118 }
3119 else
3120 ret = CertSetCertificateContextProperty(pCertContext,
3121 CERT_ENHKEY_USAGE_PROP_ID, 0, NULL);
3122 return ret;
3123 }
3124
3125 BOOL WINAPI CertAddEnhancedKeyUsageIdentifier(PCCERT_CONTEXT pCertContext,
3126 LPCSTR pszUsageIdentifier)
3127 {
3128 BOOL ret;
3129 DWORD size;
3130
3131 TRACE("(%p, %s)\n", pCertContext, debugstr_a(pszUsageIdentifier));
3132
3133 if (CertGetEnhancedKeyUsage(pCertContext,
3134 CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, NULL, &size))
3135 {
3136 PCERT_ENHKEY_USAGE usage = CryptMemAlloc(size);
3137
3138 if (usage)
3139 {
3140 ret = CertGetEnhancedKeyUsage(pCertContext,
3141 CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, usage, &size);
3142 if (ret)
3143 {
3144 DWORD i;
3145 BOOL exists = FALSE;
3146
3147 /* Make sure usage doesn't already exist */
3148 for (i = 0; !exists && i < usage->cUsageIdentifier; i++)
3149 {
3150 if (!strcmp(usage->rgpszUsageIdentifier[i],
3151 pszUsageIdentifier))
3152 exists = TRUE;
3153 }
3154 if (!exists)
3155 {
3156 PCERT_ENHKEY_USAGE newUsage = CryptMemAlloc(size +
3157 sizeof(LPSTR) + strlen(pszUsageIdentifier) + 1);
3158
3159 if (newUsage)
3160 {
3161 LPSTR nextOID;
3162
3163 newUsage->rgpszUsageIdentifier = (LPSTR *)
3164 ((LPBYTE)newUsage + sizeof(CERT_ENHKEY_USAGE));
3165 nextOID = (LPSTR)((LPBYTE)newUsage->rgpszUsageIdentifier
3166 + (usage->cUsageIdentifier + 1) * sizeof(LPSTR));
3167 for (i = 0; i < usage->cUsageIdentifier; i++)
3168 {
3169 newUsage->rgpszUsageIdentifier[i] = nextOID;
3170 strcpy(nextOID, usage->rgpszUsageIdentifier[i]);
3171 nextOID += strlen(nextOID) + 1;
3172 }
3173 newUsage->rgpszUsageIdentifier[i] = nextOID;
3174 strcpy(nextOID, pszUsageIdentifier);
3175 newUsage->cUsageIdentifier = i + 1;
3176 ret = CertSetEnhancedKeyUsage(pCertContext, newUsage);
3177 CryptMemFree(newUsage);
3178 }
3179 else
3180 ret = FALSE;
3181 }
3182 }
3183 CryptMemFree(usage);
3184 }
3185 else
3186 ret = FALSE;
3187 }
3188 else
3189 {
3190 PCERT_ENHKEY_USAGE usage = CryptMemAlloc(sizeof(CERT_ENHKEY_USAGE) +
3191 sizeof(LPSTR) + strlen(pszUsageIdentifier) + 1);
3192
3193 if (usage)
3194 {
3195 usage->rgpszUsageIdentifier =
3196 (LPSTR *)((LPBYTE)usage + sizeof(CERT_ENHKEY_USAGE));
3197 usage->rgpszUsageIdentifier[0] = (LPSTR)((LPBYTE)usage +
3198 sizeof(CERT_ENHKEY_USAGE) + sizeof(LPSTR));
3199 strcpy(usage->rgpszUsageIdentifier[0], pszUsageIdentifier);
3200 usage->cUsageIdentifier = 1;
3201 ret = CertSetEnhancedKeyUsage(pCertContext, usage);
3202 CryptMemFree(usage);
3203 }
3204 else
3205 ret = FALSE;
3206 }
3207 return ret;
3208 }
3209
3210 BOOL WINAPI CertRemoveEnhancedKeyUsageIdentifier(PCCERT_CONTEXT pCertContext,
3211 LPCSTR pszUsageIdentifier)
3212 {
3213 BOOL ret;
3214 DWORD size;
3215 CERT_ENHKEY_USAGE usage;
3216
3217 TRACE("(%p, %s)\n", pCertContext, debugstr_a(pszUsageIdentifier));
3218
3219 size = sizeof(usage);
3220 ret = CertGetEnhancedKeyUsage(pCertContext,
3221 CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, &usage, &size);
3222 if (!ret && GetLastError() == ERROR_MORE_DATA)
3223 {
3224 PCERT_ENHKEY_USAGE pUsage = CryptMemAlloc(size);
3225
3226 if (pUsage)
3227 {
3228 ret = CertGetEnhancedKeyUsage(pCertContext,
3229 CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG, pUsage, &size);
3230 if (ret)
3231 {
3232 if (pUsage->cUsageIdentifier)
3233 {
3234 DWORD i;
3235 BOOL found = FALSE;
3236
3237 for (i = 0; i < pUsage->cUsageIdentifier; i++)
3238 {
3239 if (!strcmp(pUsage->rgpszUsageIdentifier[i],
3240 pszUsageIdentifier))
3241 found = TRUE;
3242 if (found && i < pUsage->cUsageIdentifier - 1)
3243 pUsage->rgpszUsageIdentifier[i] =
3244 pUsage->rgpszUsageIdentifier[i + 1];
3245 }
3246 pUsage->cUsageIdentifier--;
3247 /* Remove the usage if it's empty */
3248 if (pUsage->cUsageIdentifier)
3249 ret = CertSetEnhancedKeyUsage(pCertContext, pUsage);
3250 else
3251 ret = CertSetEnhancedKeyUsage(pCertContext, NULL);
3252 }
3253 }
3254 CryptMemFree(pUsage);
3255 }
3256 else
3257 ret = FALSE;
3258 }
3259 else
3260 {
3261 /* it fit in an empty usage, therefore there's nothing to remove */
3262 ret = TRUE;
3263 }
3264 return ret;
3265 }
3266
3267 struct BitField
3268 {
3269 DWORD cIndexes;
3270 DWORD *indexes;
3271 };
3272
3273 #define BITS_PER_DWORD (sizeof(DWORD) * 8)
3274
3275 static void CRYPT_SetBitInField(struct BitField *field, DWORD bit)
3276 {
3277 DWORD indexIndex = bit / BITS_PER_DWORD;
3278
3279 if (indexIndex + 1 > field->cIndexes)
3280 {
3281 if (field->cIndexes)
3282 field->indexes = CryptMemRealloc(field->indexes,
3283 (indexIndex + 1) * sizeof(DWORD));
3284 else
3285 field->indexes = CryptMemAlloc(sizeof(DWORD));
3286 if (field->indexes)
3287 {
3288 field->indexes[indexIndex] = 0;
3289 field->cIndexes = indexIndex + 1;
3290 }
3291 }
3292 if (field->indexes)
3293 field->indexes[indexIndex] |= 1 << (bit % BITS_PER_DWORD);
3294 }
3295
3296 static BOOL CRYPT_IsBitInFieldSet(const struct BitField *field, DWORD bit)
3297 {
3298 BOOL set;
3299 DWORD indexIndex = bit / BITS_PER_DWORD;
3300
3301 assert(field->cIndexes);
3302 set = field->indexes[indexIndex] & (1 << (bit % BITS_PER_DWORD));
3303 return set;
3304 }
3305
3306 BOOL WINAPI CertGetValidUsages(DWORD cCerts, PCCERT_CONTEXT *rghCerts,
3307 int *cNumOIDs, LPSTR *rghOIDs, DWORD *pcbOIDs)
3308 {
3309 BOOL ret = TRUE;
3310 DWORD i, cbOIDs = 0;
3311 BOOL allUsagesValid = TRUE;
3312 CERT_ENHKEY_USAGE validUsages = { 0, NULL };
3313
3314 TRACE("(%d, %p, %d, %p, %d)\n", cCerts, rghCerts, *cNumOIDs,
3315 rghOIDs, *pcbOIDs);
3316
3317 for (i = 0; i < cCerts; i++)
3318 {
3319 CERT_ENHKEY_USAGE usage;
3320 DWORD size = sizeof(usage);
3321
3322 ret = CertGetEnhancedKeyUsage(rghCerts[i], 0, &usage, &size);
3323 /* Success is deliberately ignored: it implies all usages are valid */
3324 if (!ret && GetLastError() == ERROR_MORE_DATA)
3325 {
3326 PCERT_ENHKEY_USAGE pUsage = CryptMemAlloc(size);
3327
3328 allUsagesValid = FALSE;
3329 if (pUsage)
3330 {
3331 ret = CertGetEnhancedKeyUsage(rghCerts[i], 0, pUsage, &size);
3332 if (ret)
3333 {
3334 if (!validUsages.cUsageIdentifier)
3335 {
3336 DWORD j;
3337
3338 cbOIDs = pUsage->cUsageIdentifier * sizeof(LPSTR);
3339 validUsages.cUsageIdentifier = pUsage->cUsageIdentifier;
3340 for (j = 0; j < validUsages.cUsageIdentifier; j++)
3341 cbOIDs += lstrlenA(pUsage->rgpszUsageIdentifier[j])
3342 + 1;
3343 validUsages.rgpszUsageIdentifier =
3344 CryptMemAlloc(cbOIDs);
3345 if (validUsages.rgpszUsageIdentifier)
3346 {
3347 LPSTR nextOID = (LPSTR)
3348 ((LPBYTE)validUsages.rgpszUsageIdentifier +
3349 validUsages.cUsageIdentifier * sizeof(LPSTR));
3350
3351 for (j = 0; j < validUsages.cUsageIdentifier; j++)
3352 {
3353 validUsages.rgpszUsageIdentifier[j] = nextOID;
3354 lstrcpyA(validUsages.rgpszUsageIdentifier[j],
3355 pUsage->rgpszUsageIdentifier[j]);
3356 nextOID += lstrlenA(nextOID) + 1;
3357 }
3358 }
3359 }
3360 else
3361 {
3362 struct BitField validIndexes = { 0, NULL };
3363 DWORD j, k, numRemoved = 0;
3364
3365 /* Merge: build a bitmap of all the indexes of
3366 * validUsages.rgpszUsageIdentifier that are in pUsage.
3367 */
3368 for (j = 0; j < pUsage->cUsageIdentifier; j++)
3369 {
3370 for (k = 0; k < validUsages.cUsageIdentifier; k++)
3371 {
3372 if (!strcmp(pUsage->rgpszUsageIdentifier[j],
3373 validUsages.rgpszUsageIdentifier[k]))
3374 {
3375 CRYPT_SetBitInField(&validIndexes, k);
3376 break;
3377 }
3378 }
3379 }
3380 /* Merge by removing from validUsages those that are
3381 * not in the bitmap.
3382 */
3383 for (j = 0; j < validUsages.cUsageIdentifier; j++)
3384 {
3385 if (!CRYPT_IsBitInFieldSet(&validIndexes, j))
3386 {
3387 if (j < validUsages.cUsageIdentifier - 1)
3388 {
3389 memmove(&validUsages.rgpszUsageIdentifier[j],
3390 &validUsages.rgpszUsageIdentifier[j +
3391 numRemoved + 1],
3392 (validUsages.cUsageIdentifier - numRemoved
3393 - j - 1) * sizeof(LPSTR));
3394 cbOIDs -= lstrlenA(
3395 validUsages.rgpszUsageIdentifier[j]) + 1 +
3396 sizeof(LPSTR);
3397 validUsages.cUsageIdentifier--;
3398 numRemoved++;
3399 }
3400 else
3401 validUsages.cUsageIdentifier--;
3402 }
3403 }
3404 CryptMemFree(validIndexes.indexes);
3405 }
3406 }
3407 CryptMemFree(pUsage);
3408 }
3409 }
3410 }
3411 ret = TRUE;
3412 if (allUsagesValid)
3413 {
3414 *cNumOIDs = -1;
3415 *pcbOIDs = 0;
3416 }
3417 else
3418 {
3419 *cNumOIDs = validUsages.cUsageIdentifier;
3420 if (!rghOIDs)
3421 *pcbOIDs = cbOIDs;
3422 else if (*pcbOIDs < cbOIDs)
3423 {
3424 *pcbOIDs = cbOIDs;
3425 SetLastError(ERROR_MORE_DATA);
3426 ret = FALSE;
3427 }
3428 else
3429 {
3430 LPSTR nextOID = (LPSTR)((LPBYTE)rghOIDs +
3431 validUsages.cUsageIdentifier * sizeof(LPSTR));
3432
3433 *pcbOIDs = cbOIDs;
3434 for (i = 0; i < validUsages.cUsageIdentifier; i++)
3435 {
3436 rghOIDs[i] = nextOID;
3437 lstrcpyA(nextOID, validUsages.rgpszUsageIdentifier[i]);
3438 nextOID += lstrlenA(nextOID) + 1;
3439 }
3440 }
3441 }
3442 CryptMemFree(validUsages.rgpszUsageIdentifier);
3443 TRACE("cNumOIDs: %d\n", *cNumOIDs);
3444 TRACE("returning %d\n", ret);
3445 return ret;
3446 }
3447
3448 /* Sets the CERT_KEY_PROV_INFO_PROP_ID property of context from pInfo, or, if
3449 * pInfo is NULL, from the attributes of hProv.
3450 */
3451 static void CertContext_SetKeyProvInfo(PCCERT_CONTEXT context,
3452 const CRYPT_KEY_PROV_INFO *pInfo, HCRYPTPROV hProv)
3453 {
3454 CRYPT_KEY_PROV_INFO info = { 0 };
3455 BOOL ret;
3456
3457 if (!pInfo)
3458 {
3459 DWORD size;
3460 int len;
3461
3462 ret = CryptGetProvParam(hProv, PP_CONTAINER, NULL, &size, 0);
3463 if (ret)
3464 {
3465 LPSTR szContainer = CryptMemAlloc(size);
3466
3467 if (szContainer)
3468 {
3469 ret = CryptGetProvParam(hProv, PP_CONTAINER,
3470 (BYTE *)szContainer, &size, 0);
3471 if (ret)
3472 {
3473 len = MultiByteToWideChar(CP_ACP, 0, szContainer, -1,
3474 NULL, 0);
3475 if (len)
3476 {
3477 info.pwszContainerName = CryptMemAlloc(len *
3478 sizeof(WCHAR));
3479 MultiByteToWideChar(CP_ACP, 0, szContainer, -1,
3480 info.pwszContainerName, len);
3481 }
3482 }
3483 CryptMemFree(szContainer);
3484 }
3485 }
3486 ret = CryptGetProvParam(hProv, PP_NAME, NULL, &size, 0);
3487 if (ret)
3488 {
3489 LPSTR szProvider = CryptMemAlloc(size);
3490
3491 if (szProvider)
3492 {
3493 ret = CryptGetProvParam(hProv, PP_NAME, (BYTE *)szProvider,
3494 &size, 0);
3495 if (ret)
3496 {
3497 len = MultiByteToWideChar(CP_ACP, 0, szProvider, -1,
3498 NULL, 0);
3499 if (len)
3500 {
3501 info.pwszProvName = CryptMemAlloc(len *
3502 sizeof(WCHAR));
3503 MultiByteToWideChar(CP_ACP, 0, szProvider, -1,
3504 info.pwszProvName, len);
3505 }
3506 }
3507 CryptMemFree(szProvider);
3508 }
3509 }
3510 /* in case no CRYPT_KEY_PROV_INFO given,
3511 * we always use AT_SIGNATURE key spec
3512 */
3513 info.dwKeySpec = AT_SIGNATURE;
3514 size = sizeof(info.dwProvType);
3515 ret = CryptGetProvParam(hProv, PP_PROVTYPE, (LPBYTE)&info.dwProvType,
3516 &size, 0);
3517 if (!ret)
3518 info.dwProvType = PROV_RSA_FULL;
3519 pInfo = &info;
3520 }
3521
3522 CertSetCertificateContextProperty(context, CERT_KEY_PROV_INFO_PROP_ID,
3523 0, pInfo);
3524
3525 if (pInfo == &info)
3526 {
3527 CryptMemFree(info.pwszContainerName);
3528 CryptMemFree(info.pwszProvName);
3529 }
3530 }
3531
3532 /* Creates a signed certificate context from the unsigned, encoded certificate
3533 * in blob, using the crypto provider hProv and the signature algorithm sigAlgo.
3534 */
3535 static PCCERT_CONTEXT CRYPT_CreateSignedCert(const CRYPT_DER_BLOB *blob,
3536 HCRYPTPROV hProv, DWORD dwKeySpec, PCRYPT_ALGORITHM_IDENTIFIER sigAlgo)
3537 {
3538 PCCERT_CONTEXT context = NULL;
3539 BOOL ret;
3540 DWORD sigSize = 0;
3541
3542 ret = CryptSignCertificate(hProv, dwKeySpec, X509_ASN_ENCODING,
3543 blob->pbData, blob->cbData, sigAlgo, NULL, NULL, &sigSize);
3544 if (ret)
3545 {
3546 LPBYTE sig = CryptMemAlloc(sigSize);
3547
3548 ret = CryptSignCertificate(hProv, dwKeySpec, X509_ASN_ENCODING,
3549 blob->pbData, blob->cbData, sigAlgo, NULL, sig, &sigSize);
3550 if (ret)
3551 {
3552 CERT_SIGNED_CONTENT_INFO signedInfo;
3553 BYTE *encodedSignedCert = NULL;
3554 DWORD encodedSignedCertSize = 0;
3555
3556 signedInfo.ToBeSigned.cbData = blob->cbData;
3557 signedInfo.ToBeSigned.pbData = blob->pbData;
3558 signedInfo.SignatureAlgorithm = *sigAlgo;
3559 signedInfo.Signature.cbData = sigSize;
3560 signedInfo.Signature.pbData = sig;
3561 signedInfo.Signature.cUnusedBits = 0;
3562 ret = CryptEncodeObjectEx(X509_ASN_ENCODING, X509_CERT,
3563 &signedInfo, CRYPT_ENCODE_ALLOC_FLAG, NULL,
3564 &encodedSignedCert, &encodedSignedCertSize);
3565 if (ret)
3566 {
3567 context = CertCreateCertificateContext(X509_ASN_ENCODING,
3568 encodedSignedCert, encodedSignedCertSize);
3569 LocalFree(encodedSignedCert);
3570 }
3571 }
3572 CryptMemFree(sig);
3573 }
3574 return context;
3575 }
3576
3577 /* Copies data from the parameters into info, where:
3578 * pSerialNumber: The serial number. Must not be NULL.
3579 * pSubjectIssuerBlob: Specifies both the subject and issuer for info.
3580 * Must not be NULL
3581 * pSignatureAlgorithm: Optional.
3582 * pStartTime: The starting time of the certificate. If NULL, the current
3583 * system time is used.
3584 * pEndTime: The ending time of the certificate. If NULL, one year past the
3585 * starting time is used.
3586 * pubKey: The public key of the certificate. Must not be NULL.
3587 * pExtensions: Extensions to be included with the certificate. Optional.
3588 */
3589 static void CRYPT_MakeCertInfo(PCERT_INFO info, const CRYPT_DATA_BLOB *pSerialNumber,
3590 const CERT_NAME_BLOB *pSubjectIssuerBlob,
3591 const CRYPT_ALGORITHM_IDENTIFIER *pSignatureAlgorithm, const SYSTEMTIME *pStartTime,
3592 const SYSTEMTIME *pEndTime, const CERT_PUBLIC_KEY_INFO *pubKey,
3593 const CERT_EXTENSIONS *pExtensions)
3594 {
3595 static CHAR oid[] = szOID_RSA_SHA1RSA;
3596
3597 assert(info);
3598 assert(pSerialNumber);
3599 assert(pSubjectIssuerBlob);
3600 assert(pubKey);
3601
3602 if (pExtensions && pExtensions->cExtension)
3603 info->dwVersion = CERT_V3;
3604 else
3605 info->dwVersion = CERT_V1;
3606 info->SerialNumber.cbData = pSerialNumber->cbData;
3607 info->SerialNumber.pbData = pSerialNumber->pbData;
3608 if (pSignatureAlgorithm)
3609 info->SignatureAlgorithm = *pSignatureAlgorithm;
3610 else
3611 {
3612 info->SignatureAlgorithm.pszObjId = oid;
3613 info->SignatureAlgorithm.Parameters.cbData = 0;
3614 info->SignatureAlgorithm.Parameters.pbData = NULL;
3615 }
3616 info->Issuer.cbData = pSubjectIssuerBlob->cbData;
3617 info->Issuer.pbData = pSubjectIssuerBlob->pbData;
3618 if (pStartTime)
3619 SystemTimeToFileTime(pStartTime, &info->NotBefore);
3620 else
3621 GetSystemTimeAsFileTime(&info->NotBefore);
3622 if (pEndTime)
3623 SystemTimeToFileTime(pEndTime, &info->NotAfter);
3624 else
3625 {
3626 SYSTEMTIME endTime;
3627
3628 if (FileTimeToSystemTime(&info->NotBefore, &endTime))
3629 {
3630 endTime.wYear++;
3631 SystemTimeToFileTime(&endTime, &info->NotAfter);
3632 }
3633 }
3634 info->Subject.cbData = pSubjectIssuerBlob->cbData;
3635 info->Subject.pbData = pSubjectIssuerBlob->pbData;
3636 info->SubjectPublicKeyInfo = *pubKey;
3637 if (pExtensions)
3638 {
3639 info->cExtension = pExtensions->cExtension;
3640 info->rgExtension = pExtensions->rgExtension;
3641 }
3642 else
3643 {
3644 info->cExtension = 0;
3645 info->rgExtension = NULL;
3646 }
3647 }
3648
3649 typedef RPC_STATUS (RPC_ENTRY *UuidCreateFunc)(UUID *);
3650 typedef RPC_STATUS (RPC_ENTRY *UuidToStringFunc)(UUID *, unsigned char **);
3651 typedef RPC_STATUS (RPC_ENTRY *RpcStringFreeFunc)(unsigned char **);
3652
3653 static HCRYPTPROV CRYPT_CreateKeyProv(void)
3654 {
3655 HCRYPTPROV hProv = 0;
3656 HMODULE rpcrt = LoadLibraryA("rpcrt4");
3657
3658 if (rpcrt)
3659 {
3660 UuidCreateFunc uuidCreate = (UuidCreateFunc)GetProcAddress(rpcrt,
3661 "UuidCreate");
3662 UuidToStringFunc uuidToString = (UuidToStringFunc)GetProcAddress(rpcrt,
3663 "UuidToStringA");
3664 RpcStringFreeFunc rpcStringFree = (RpcStringFreeFunc)GetProcAddress(
3665 rpcrt, "RpcStringFreeA");
3666
3667 if (uuidCreate && uuidToString && rpcStringFree)
3668 {
3669 UUID uuid;
3670 RPC_STATUS status = uuidCreate(&uuid);
3671
3672 if (status == RPC_S_OK || status == RPC_S_UUID_LOCAL_ONLY)
3673 {
3674 unsigned char *uuidStr;
3675
3676 status = uuidToString(&uuid, &uuidStr);
3677 if (status == RPC_S_OK)
3678 {
3679 BOOL ret = CryptAcquireContextA(&hProv, (LPCSTR)uuidStr,
3680 MS_DEF_PROV_A, PROV_RSA_FULL, CRYPT_NEWKEYSET);
3681
3682 if (ret)
3683 {
3684 HCRYPTKEY key;
3685
3686 ret = CryptGenKey(hProv, AT_SIGNATURE, 0, &key);
3687 if (ret)
3688 CryptDestroyKey(key);
3689 }
3690 rpcStringFree(&uuidStr);
3691 }
3692 }
3693 }
3694 FreeLibrary(rpcrt);
3695 }
3696 return hProv;
3697 }
3698
3699 PCCERT_CONTEXT WINAPI CertCreateSelfSignCertificate(HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hProv,
3700 PCERT_NAME_BLOB pSubjectIssuerBlob, DWORD dwFlags,
3701 PCRYPT_KEY_PROV_INFO pKeyProvInfo,
3702 PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, PSYSTEMTIME pStartTime,
3703 PSYSTEMTIME pEndTime, PCERT_EXTENSIONS pExtensions)
3704 {
3705 PCCERT_CONTEXT context = NULL;
3706 BOOL ret, releaseContext = FALSE;
3707 PCERT_PUBLIC_KEY_INFO pubKey = NULL;
3708 DWORD pubKeySize = 0, dwKeySpec;
3709
3710 TRACE("(%08lx, %p, %08x, %p, %p, %p, %p, %p)\n", hProv,
3711 pSubjectIssuerBlob, dwFlags, pKeyProvInfo, pSignatureAlgorithm, pStartTime,
3712 pExtensions, pExtensions);
3713
3714 if(!pSubjectIssuerBlob)
3715 {
3716 SetLastError(ERROR_INVALID_PARAMETER);
3717 return NULL;
3718 }
3719
3720 dwKeySpec = pKeyProvInfo ? pKeyProvInfo->dwKeySpec : AT_SIGNATURE;
3721 if (!hProv)
3722 {
3723 if (!pKeyProvInfo)
3724 {
3725 hProv = CRYPT_CreateKeyProv();
3726 releaseContext = TRUE;
3727 }
3728 else if (pKeyProvInfo->dwFlags & CERT_SET_KEY_PROV_HANDLE_PROP_ID)
3729 {
3730 SetLastError(NTE_BAD_FLAGS);
3731 return NULL;
3732 }
3733 else
3734 {
3735 HCRYPTKEY hKey = 0;
3736 /* acquire the context using the given information*/
3737 ret = CryptAcquireContextW(&hProv,pKeyProvInfo->pwszContainerName,
3738 pKeyProvInfo->pwszProvName,pKeyProvInfo->dwProvType,
3739 pKeyProvInfo->dwFlags);
3740 if (!ret)
3741 {
3742 if(GetLastError() != NTE_BAD_KEYSET)
3743 return NULL;
3744 /* create the key set */
3745 ret = CryptAcquireContextW(&hProv,pKeyProvInfo->pwszContainerName,
3746 pKeyProvInfo->pwszProvName,pKeyProvInfo->dwProvType,
3747 pKeyProvInfo->dwFlags|CRYPT_NEWKEYSET);
3748 if (!ret)
3749 return NULL;
3750 }
3751 /* check if the key is here */
3752 ret = CryptGetUserKey(hProv,dwKeySpec,&hKey);
3753 if(!ret)
3754 {
3755 if (NTE_NO_KEY == GetLastError())
3756 { /* generate the key */
3757 ret = CryptGenKey(hProv,dwKeySpec,0,&hKey);
3758 }
3759 if (!ret)
3760 {
3761 CryptReleaseContext(hProv,0);
3762 SetLastError(NTE_BAD_KEYSET);
3763 return NULL;
3764 }
3765 }
3766 CryptDestroyKey(hKey);
3767 releaseContext = TRUE;
3768 }
3769 }
3770
3771 ret = CryptExportPublicKeyInfo(hProv, dwKeySpec, X509_ASN_ENCODING, NULL,
3772 &pubKeySize);
3773 if (!ret)
3774 goto end;
3775 pubKey = CryptMemAlloc(pubKeySize);
3776 if (pubKey)
3777 {
3778 ret = CryptExportPublicKeyInfo(hProv, dwKeySpec, X509_ASN_ENCODING,
3779 pubKey, &pubKeySize);
3780 if (ret)
3781 {
3782 CERT_INFO info = { 0 };
3783 CRYPT_DER_BLOB blob = { 0, NULL };
3784 BYTE serial[16];
3785 CRYPT_DATA_BLOB serialBlob = { sizeof(serial), serial };
3786
3787 CryptGenRandom(hProv, sizeof(serial), serial);
3788 CRYPT_MakeCertInfo(&info, &serialBlob, pSubjectIssuerBlob,
3789 pSignatureAlgorithm, pStartTime, pEndTime, pubKey, pExtensions);
3790 ret = CryptEncodeObjectEx(X509_ASN_ENCODING, X509_CERT_TO_BE_SIGNED,
3791 &info, CRYPT_ENCODE_ALLOC_FLAG, NULL, &blob.pbData,
3792 &blob.cbData);
3793 if (ret)
3794 {
3795 if (!(dwFlags & CERT_CREATE_SELFSIGN_NO_SIGN))
3796 context = CRYPT_CreateSignedCert(&blob, hProv,dwKeySpec,
3797 &info.SignatureAlgorithm);
3798 else
3799 context = CertCreateCertificateContext(X509_ASN_ENCODING,
3800 blob.pbData, blob.cbData);
3801 if (context && !(dwFlags & CERT_CREATE_SELFSIGN_NO_KEY_INFO))
3802 CertContext_SetKeyProvInfo(context, pKeyProvInfo, hProv);
3803 LocalFree(blob.pbData);
3804 }
3805 }
3806 CryptMemFree(pubKey);
3807 }
3808 end:
3809 if (releaseContext)
3810 CryptReleaseContext(hProv, 0);
3811 return context;
3812 }
3813
3814 BOOL WINAPI CertVerifyCTLUsage(DWORD dwEncodingType, DWORD dwSubjectType,
3815 void *pvSubject, PCTL_USAGE pSubjectUsage, DWORD dwFlags,
3816 PCTL_VERIFY_USAGE_PARA pVerifyUsagePara,
3817 PCTL_VERIFY_USAGE_STATUS pVerifyUsageStatus)
3818 {
3819 FIXME("(0x%x, %d, %p, %p, 0x%x, %p, %p): stub\n", dwEncodingType,
3820 dwSubjectType, pvSubject, pSubjectUsage, dwFlags, pVerifyUsagePara,
3821 pVerifyUsageStatus);
3822 SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
3823 return FALSE;
3824 }
3825
3826 const void * WINAPI CertCreateContext(DWORD dwContextType, DWORD dwEncodingType,
3827 const BYTE *pbEncoded, DWORD cbEncoded,
3828 DWORD dwFlags, PCERT_CREATE_CONTEXT_PARA pCreatePara)
3829 {
3830 TRACE("(0x%x, 0x%x, %p, %d, 0x%08x, %p)\n", dwContextType, dwEncodingType,
3831 pbEncoded, cbEncoded, dwFlags, pCreatePara);
3832
3833 if (dwFlags)
3834 {
3835 FIXME("dwFlags 0x%08x not handled\n", dwFlags);
3836 return NULL;
3837 }
3838 if (pCreatePara)
3839 {
3840 FIXME("pCreatePara not handled\n");
3841 return NULL;
3842 }
3843
3844 switch (dwContextType)
3845 {
3846 case CERT_STORE_CERTIFICATE_CONTEXT:
3847 return CertCreateCertificateContext(dwEncodingType, pbEncoded, cbEncoded);
3848 case CERT_STORE_CRL_CONTEXT:
3849 return CertCreateCRLContext(dwEncodingType, pbEncoded, cbEncoded);
3850 case CERT_STORE_CTL_CONTEXT:
3851 return CertCreateCTLContext(dwEncodingType, pbEncoded, cbEncoded);
3852 default:
3853 WARN("unknown context type: 0x%x\n", dwContextType);
3854 return NULL;
3855 }
3856 }
3857
3858 BOOL WINAPI CryptSetKeyIdentifierProperty(const CRYPT_HASH_BLOB *pKeyIdentifier, DWORD dwPropId,
3859 DWORD dwFlags, LPCWSTR pwszComputerName, void *pvReserved, const void *pvData)
3860 {
3861 FIXME("(%p, 0x%x, 0x%x, %s, %p, %p): stub\n", pKeyIdentifier, dwPropId, dwFlags,
3862 debugstr_w(pwszComputerName), pvReserved, pvData);
3863 return FALSE;
3864 }
Zebediah Figura's local tree