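// Returns TRUE when the certificate is usable for signing: it must carry the
// non-repudiation key-usage bit and, when fTimeCheck is non-zero, the current
// time must fall inside its NotBefore/NotAfter period.
// Only the certificate's own fields are inspected here; no chain building and
// no revocation check happen in this function.
//   pCertContext - certificate to check; NULL (or a NULL pCertInfo) yields FALSE.
//   fTimeCheck   - non-zero to also enforce the validity period.
static BOOL DigiCrypt_IsValidCert(PCCERT_CONTEXT  pCertContext, BOOL fTimeCheck)
{
BOOL  fIsValid = FALSE;
BYTE  bKeyUsageBits = 0;
const DWORD dwKeyUsageBytes = sizeof(bKeyUsageBits);
if (pCertContext != NULL && pCertContext->pCertInfo != NULL)
  {
  // CertGetIntendedKeyUsage returns FALSE when the extension is absent or
  // carries no bits; treat that as "not valid" instead of inspecting a
  // buffer the call did not fill.
  if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, pCertContext->pCertInfo,
                              &bKeyUsageBits, dwKeyUsageBytes)
      && (bKeyUsageBits & CERT_NON_REPUDIATION_KEY_USAGE))
    fIsValid = TRUE;
  // Plain non-zero tests: the former "== TRUE" comparison silently skipped
  // the validity-period check for any other non-zero fTimeCheck value.
  if (fIsValid && fTimeCheck)
    {
    // NULL time means "now"; a non-zero result is outside NotBefore/NotAfter.
    if (CertVerifyTimeValidity(NULL, pCertContext->pCertInfo) != 0)
      fIsValid = FALSE;
    }
  }
return fIsValid;
}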
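// Returns TRUE only when the certificate carries the non-repudiation key-usage
// bit, is currently inside its validity period and isCardInReader() reports the
// matching card present. A NULL context, a missing or empty key-usage
// extension, or a failed CertGetIntendedKeyUsage call all yield FALSE.
// Only the certificate's own fields are inspected here (no chain, no revocation).
BOOL WINAPI isValidForSigning(PCCERT_CONTEXT certContext) {
	if (certContext == NULL || certContext->pCertInfo == NULL) {
		return FALSE;
	}
	// Zero-initialised and the call's result checked: a certificate without a
	// key-usage extension must not pass on whatever the stack happened to hold.
	BYTE keyUsage = 0;
	if (!CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, certContext->pCertInfo, &keyUsage, sizeof(keyUsage))) {
		return FALSE;
	}
	if (!(keyUsage & CERT_NON_REPUDIATION_KEY_USAGE)) {
		return FALSE;
	}
	// NULL time means "now"; a non-zero result is outside NotBefore/NotAfter.
	if (CertVerifyTimeValidity(NULL, certContext->pCertInfo) != 0) {
		return FALSE;
	}

	return isCardInReader(certContext);
}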
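// Returns TRUE when the certificate may be offered for signing:
//   - unless KEY_USAGE_CHECK is configured to 0, it must carry the
//     non-repudiation key-usage bit (with the check switched off,
//     authentication certificates are accepted as well);
//   - it must not be a CA certificate (keyCertSign bit set);
//   - when fTimeCheck is non-zero, the current time must fall inside its
//     NotBefore/NotAfter period.
// Only the certificate's own fields are inspected here; no chain building and
// no revocation check happen in this function.
//   pCertContext - certificate to check; NULL (or a NULL pCertInfo) yields FALSE.
//   fTimeCheck   - non-zero to also enforce the validity period.
static BOOL DigiCrypt_IsValidCert(PCCERT_CONTEXT  pCertContext, BOOL fTimeCheck)
{
BOOL  fIsValid = FALSE;
BYTE  bKeyUsageBits = 0;
const DWORD dwKeyUsageBytes = sizeof(bKeyUsageBits);
// Deployment switch: KEY_USAGE_CHECK=0 lets authentication certificates
// through (weaker selection). Defaults to on.
const BOOL fKuCheck = (ConfigItem_lookup_int("KEY_USAGE_CHECK", 1) != 0);
if (pCertContext != NULL && pCertContext->pCertInfo != NULL)
  {
  // A certificate without a (non-empty) key-usage extension fails this call
  // and is rejected regardless of KEY_USAGE_CHECK, as before.
  if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, pCertContext->pCertInfo,
                              &bKeyUsageBits, dwKeyUsageBytes))
    {
    if (!fKuCheck || (bKeyUsageBits & CERT_NON_REPUDIATION_KEY_USAGE))
      fIsValid = TRUE;
    if (bKeyUsageBits & CERT_KEY_CERT_SIGN_KEY_USAGE) // never offer CA certs
      fIsValid = FALSE;
    }
  // Plain non-zero tests: the former "== TRUE" comparison silently skipped
  // the validity-period check for any other non-zero fTimeCheck value.
  if (fIsValid && fTimeCheck)
    {
    // NULL time means "now"; a non-zero result is outside NotBefore/NotAfter.
    if (CertVerifyTimeValidity(NULL, pCertContext->pCertInfo) != 0)
      fIsValid = FALSE;
    }
  }
return fIsValid;
}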
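// Enumerates the current user's "MY" store, keeps a duplicated context of every
// certificate carrying the non-repudiation key-usage bit in this->certificates,
// lets the user pick one in CCertificateSelectionDlg and hands the pick to
// loadCertContexts().
// Throws CryptoException() when the store cannot be opened, holds no
// certificates at all, or the dialog returns an index outside the list, and
// CryptoException(ESTEID_USER_CANCEL) when the dialog is dismissed (-1).
void CEstEIDCertificate::readFromCertContext() {
	// Closes the store on every exit path; the previous version leaked it on
	// each throw. Flag 0 rather than CERT_CLOSE_STORE_FORCE_FLAG: the contexts
	// kept in this->certificates reference the store, so forcing its memory
	// free would leave them dangling; with 0 the memory goes when the last
	// context is freed.
	struct StoreGuard {
		HCERTSTORE h;
		~StoreGuard() { if (h) CertCloseStore(h, 0); }
	};
	StoreGuard store = { CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, L"MY") };
	if (!store.h) {
		throw CryptoException();
	}

	PCCERT_CONTEXT certContext = NULL;
	bool storeHasCerts = false;
	// CertFindCertificateInStore releases the context passed as the previous
	// one, so the loop itself frees each context; when it finally returns NULL
	// the last context is already gone and nothing remains to free. This also
	// replaces the old separate "is the store empty" probe, whose returned
	// context was never freed.
	while ((certContext = CertFindCertificateInStore(store.h, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext)) != NULL) {
		storeHasCerts = true;
		// Zero-initialised and the call's result checked: a certificate without
		// a key-usage extension must not be accepted on stale stack bits.
		BYTE keyUsage = 0;
		if (CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, certContext->pCertInfo, &keyUsage, sizeof(keyUsage))
				&& (keyUsage & CERT_NON_REPUDIATION_KEY_USAGE)) {
			this->certificates.push_back(CertDuplicateCertificateContext(certContext));
		}
	}
	if (!storeHasCerts) {
		throw CryptoException();
	}

	// Stack-allocated: the heap-allocated dialog was never deleted.
	CCertificateSelectionDlg dlg;
	dlg.setCertificate(this->certificates);
	INT_PTR selectedItem = dlg.DoModal();
	// Cast to match the %i conversion; INT_PTR is wider than int on 64-bit.
	EstEID_log("selected item index = %i", (int)selectedItem);

	if (selectedItem == -1) {
		throw CryptoException(ESTEID_USER_CANCEL);
	}
	// Any other index outside the list is a dialog defect, not a user cancel;
	// refuse rather than index out of bounds.
	if (selectedItem < 0 || (size_t)selectedItem >= this->certificates.size()) {
		throw CryptoException();
	}
	loadCertContexts(this->certificates[selectedItem]);
}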
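// Builds a certificate context from raw encoded bytes and routes it to
// StoreAuthorityCert (keyCertSign set, i.e. CA/root) or StoreUserCert
// (everything else, together with the card serial number).
//   certData / certSize                    - encoded certificate.
//   cardSerialNumber / cardSerialNumberLen - forwarded to StoreUserCert only.
// Returns 0 on success, otherwise the Win32 error from
// CertCreateCertificateContext or whatever the Store* helper returned.
DWORD ImportCertificate(CK_BYTE* certData, DWORD certSize, CK_BYTE* cardSerialNumber, CK_ULONG cardSerialNumberLen)
{
	DWORD dwRet = 0;
	// ------------------------------------------------------------
	// create the certificate context with the certificate raw data
	// ------------------------------------------------------------
	PCCERT_CONTEXT pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, certData, certSize);

	if (pCertContext == NULL)
	{
		dwRet = GetLastError();
		// DWORD is unsigned long, so the error code is printed with %lu (the
		// old %d mis-rendered large codes).
		if (dwRet == E_INVALIDARG)
			printf("ImportCertificates: Unable to create certificate context. The certificate encoding type is not supported.Error code: %lu.\n", dwRet);
		else
			printf("ImportCertificates: Unable to create certificate context. Error code: %lu.\n", dwRet);
		return dwRet;
	}

	// Intended key-usage bits. Stays 0 when the extension is absent or the
	// call fails, so such a certificate is routed to StoreUserCert (as before).
	unsigned char KeyUsageBits = 0;
	CertGetIntendedKeyUsage(X509_ASN_ENCODING, pCertContext->pCertInfo, &KeyUsageBits, sizeof(KeyUsageBits));
	// ----------------------------------------------------------------------
	// keyCertSign marks a CA/root certificate -> authority store;
	// anything else is treated as an end-user certificate.
	// ----------------------------------------------------------------------
	if ((KeyUsageBits & CERT_KEY_CERT_SIGN_KEY_USAGE) == CERT_KEY_CERT_SIGN_KEY_USAGE)
	{
		dwRet = StoreAuthorityCert(pCertContext, KeyUsageBits);
	}
	else
	{
		dwRet = StoreUserCert(pCertContext, KeyUsageBits, cardSerialNumber, cardSerialNumberLen);
	}
	// Non-NULL on this path; released regardless of the store result.
	CertFreeCertificateContext(pCertContext);
	return dwRet;
}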