/*
 * Exercises CertVerifyTimeValidity() against the current system time.
 * The return codes asserted below are: 1 for an all-zero CERT_INFO,
 * 0 when NotAfter equals the comparison time, and -1 when NotBefore lies
 * after the comparison time.  The NULL-argument calls stay commented out
 * because they crash.
 */
static void test_verifyTimeValidity(void)
{
    SYSTEMTIME now;
    FILETIME   nowFt;
    CERT_INFO  certInfo = { 0 };
    LONG       result;

    GetSystemTime(&now);
    SystemTimeToFileTime(&now, &nowFt);

    /* crashes
    result = CertVerifyTimeValidity(NULL, NULL);
    result = CertVerifyTimeValidity(&nowFt, NULL);
    */

    /* NotBefore and NotAfter both zero */
    result = CertVerifyTimeValidity(&nowFt, &certInfo);
    ok(result == 1, "Expected 1, got %d\n", result);

    /* NotAfter equal to the comparison time */
    certInfo.NotAfter = nowFt;
    result = CertVerifyTimeValidity(&nowFt, &certInfo);
    ok(result == 0, "Expected 0, got %d\n", result);

    /* nudge NotBefore past the comparison time */
    certInfo.NotBefore = nowFt;
    certInfo.NotBefore.dwLowDateTime += 5000;
    result = CertVerifyTimeValidity(&nowFt, &certInfo);
    ok(result == -1, "Expected -1, got %d\n", result);
}
/*
 * Reports whether a certificate context is usable for this module: the
 * intended key usage must include non-repudiation and, when fTimeCheck is
 * TRUE, the certificate must be within its validity period at the current
 * time.  Only these two properties are examined; no chain building or
 * trust evaluation happens here.
 *
 * Returns TRUE when every applicable check passes.  Returns FALSE for a
 * NULL context or NULL pCertInfo, when CertGetIntendedKeyUsage() fails
 * (e.g. no readable key-usage information), when the non-repudiation bit
 * is clear, or when the time check is requested and fails.
 */
static BOOL DigiCrypt_IsValidCert(PCCERT_CONTEXT pCertContext, BOOL fTimeCheck)
{
    BYTE  bKeyUsageBits = CERT_NON_REPUDIATION_KEY_USAGE;
    DWORD dwKeyUsageBytes = 1;
    BOOL  fRes;

    if (pCertContext == NULL || pCertContext->pCertInfo == NULL)
        return FALSE;

    /* Key usage.  An earlier revision also required DigiCrypt_CertIsSig()
     * first; that precondition was dropped as unnecessary. */
    fRes = CertGetIntendedKeyUsage(X509_ASN_ENCODING, pCertContext->pCertInfo,
                                   &bKeyUsageBits, dwKeyUsageBytes);
    if (fRes != TRUE)
        return FALSE;
    if (!(bKeyUsageBits & CERT_NON_REPUDIATION_KEY_USAGE))
        return FALSE;

    /* Validity period: a NULL time means "now"; a non-zero result means the
     * certificate is outside NotBefore..NotAfter. */
    if (fTimeCheck == TRUE && CertVerifyTimeValidity(NULL, pCertContext->pCertInfo) != 0)
        return FALSE;

    return TRUE;
}
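/// Validates a peer certificate: present, inside its validity period, builds
/// a chain that carries no trust errors, and passes a revocation check.
///
/// Two defects of the previous version are fixed here: the chain returned by
/// CertGetCertificateChain() was never inspected for trust errors (a chain
/// to an untrusted root "built" fine and was accepted), and the BOOL result
/// of CertVerifyRevocation() was returned as if it were a SECURITY_STATUS,
/// so a successful check came back as 1 and a failed one as 0 (== SEC_E_OK).
///
/// Still not performed here: SSL policy checks (server-name matching,
/// CERT_CHAIN_POLICY_SSL) — the caller must handle hostname verification.
///
/// @param px  certificate context received from the peer (untrusted input).
/// @return SEC_E_OK when every check passes; otherwise SEC_E_WRONG_PRINCIPAL
///         (no certificate), SEC_E_CERT_EXPIRED (outside NotBefore..NotAfter),
///         SEC_E_INVALID_TOKEN (chain could not be built),
///         SEC_E_UNTRUSTED_ROOT (chain built but TrustStatus reports an
///         error), or the error reported in CERT_REVOCATION_STATUS.dwError
///         by the revocation check (SEC_E_CERT_UNKNOWN if none was set).
SECURITY_STATUS SSL_SOCKET::Verify(PCCERT_CONTEXT px)
{
    if (px == NULL)
        return SEC_E_WRONG_PRINCIPAL;

    // Time: NULL compares against the current system time; a non-zero
    // result means the certificate is outside its validity period.
    int iRc = CertVerifyTimeValidity(NULL, px->pCertInfo);
    if (iRc != 0)
        return SEC_E_CERT_EXPIRED;

    // Chain
    CERT_CHAIN_PARA ChainPara = {0};
    PCCERT_CHAIN_CONTEXT pChainContext = NULL;
    ChainPara.cbSize = sizeof(ChainPara);
    if (!CertGetCertificateChain(0, px, 0, 0, &ChainPara, 0, 0, &pChainContext))
        return SEC_E_INVALID_TOKEN;

    // A chain that builds is not necessarily trusted: untrusted roots, bad
    // signatures, usage errors etc. are reported in TrustStatus.dwErrorStatus.
    if (pChainContext->TrustStatus.dwErrorStatus != CERT_TRUST_NO_ERROR)
    {
        CertFreeCertificateChain(pChainContext);
        return SEC_E_UNTRUSTED_ROOT;
    }

    // Revocation.  CertVerifyRevocation() returns a BOOL; map it to a status
    // explicitly rather than returning it as one.
    PCCERT_CONTEXT contexts[1] = { px };
    CERT_REVOCATION_STATUS cs = {0};
    cs.cbSize = sizeof(cs);
    BOOL fNotRevoked = CertVerifyRevocation(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                                            CERT_CONTEXT_REVOCATION_TYPE,
                                            1, (void**)contexts, 0, 0, &cs);
    CertFreeCertificateChain(pChainContext);

    if (!fNotRevoked)
        return cs.dwError != 0 ? (SECURITY_STATUS)cs.dwError : SEC_E_CERT_UNKNOWN;
    return SEC_E_OK;
}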
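/*
 * Decides whether a certificate may be used for signing: its intended key
 * usage must include non-repudiation, it must be valid at the current time,
 * and the matching card must be present (isCardInReader).
 *
 * Fixes over the previous version: certContext was dereferenced without a
 * NULL check, and keyUsage was left uninitialized with the return value of
 * CertGetIntendedKeyUsage() ignored, so a certificate with no readable
 * key-usage information was tested against whatever happened to be on the
 * stack.
 *
 * Returns FALSE for a NULL context or NULL pCertInfo, when the key usage
 * cannot be read, when the non-repudiation bit is clear, or when the
 * certificate is outside its validity period.  No chain or trust
 * verification is done here.
 */
BOOL WINAPI isValidForSigning(PCCERT_CONTEXT certContext)
{
    BYTE keyUsage = 0;

    if (certContext == NULL || certContext->pCertInfo == NULL)
        return FALSE;

    /* A certificate whose key usage cannot be determined must not pass. */
    if (!CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                                 certContext->pCertInfo, &keyUsage, 1))
        return FALSE;
    if (!(keyUsage & CERT_NON_REPUDIATION_KEY_USAGE))
        return FALSE;

    /* NULL = compare against the current system time; non-zero = outside
     * NotBefore..NotAfter. */
    if (CertVerifyTimeValidity(NULL, certContext->pCertInfo) != 0)
        return FALSE;

    return isCardInReader(certContext);
}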
/*
 * Reports whether a certificate context should be offered to the user.
 * The KEY_USAGE_CHECK config item (default 1) controls whether the
 * non-repudiation key-usage bit is required; with it set to 0,
 * authentication certificates are accepted as well.  CA certificates
 * (key-cert-sign usage) are always rejected.  When fTimeCheck is TRUE the
 * certificate must also be within its validity period at the current time.
 * No chain or trust verification is performed here.
 *
 * Returns TRUE when every applicable check passes; FALSE for a NULL context
 * or NULL pCertInfo, when CertGetIntendedKeyUsage() fails, or when any of
 * the checks above rejects the certificate.
 */
static BOOL DigiCrypt_IsValidCert(PCCERT_CONTEXT pCertContext, BOOL fTimeCheck)
{
    DWORD dwKeyUsageBytes = 1;
    BYTE  bKeyUsageBits;
    BOOL  fKuCheck;

    /* VS: authentication certs are usable when KEY_USAGE_CHECK = 0.  Looked
     * up before the NULL check, as in the earlier revision. */
    fKuCheck = (BOOL)ConfigItem_lookup_int("KEY_USAGE_CHECK", 1);
    bKeyUsageBits = fKuCheck ? CERT_NON_REPUDIATION_KEY_USAGE : 0;

    if (pCertContext == NULL || pCertContext->pCertInfo == NULL)
        return FALSE;

    /* Key usage.  An earlier revision also required DigiCrypt_CertIsSig()
     * first; that precondition was dropped as unnecessary. */
    if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, pCertContext->pCertInfo,
                                &bKeyUsageBits, dwKeyUsageBytes) != TRUE)
        return FALSE;

    /* Never display CA certificates, regardless of the config switch. */
    if (bKeyUsageBits & CERT_KEY_CERT_SIGN_KEY_USAGE)
        return FALSE;
    if (fKuCheck && !(bKeyUsageBits & CERT_NON_REPUDIATION_KEY_USAGE))
        return FALSE;

    /* Validity period: NULL time means "now"; non-zero result means the
     * certificate is outside NotBefore..NotAfter. */
    if (fTimeCheck == TRUE && CertVerifyTimeValidity(NULL, pCertContext->pCertInfo) != 0)
        return FALSE;

    return TRUE;
}
/***********************************************************************
 *              CertTrustFinalPolicy (CRYPTDLG.@)
 *
 * Final-policy step of the certificate trust provider.  Builds a chain for
 * the certificate attached to the provider data (with end-certificate
 * revocation checking when an online CRL check is configured), copies the
 * chain into the provider data and verifies the end certificate's validity
 * period against the system time recorded in data->sftSystemTime.
 *
 * Always returns S_OK; any failure is recorded in data->dwFinalError
 * instead (see the comment near the end).  Note that this function itself
 * never reads chain->TrustStatus — presumably the copied chain is evaluated
 * by a later step; verify against the other policy callbacks.
 */
HRESULT WINAPI CertTrustFinalPolicy(CRYPT_PROVIDER_DATA *data)
{
    BOOL ret;
    DWORD err = S_OK;
    CERT_VERIFY_CERTIFICATE_TRUST *pCert = CRYPTDLG_GetVerifyData(data);

    TRACE("(%p)\n", data);

    /* Only the no-UI path is implemented; other choices fall through to it. */
    if (data->pWintrustData->dwUIChoice != WTD_UI_NONE)
        FIXME("unimplemented for UI choice %d\n",
         data->pWintrustData->dwUIChoice);
    if (pCert)
    {
        DWORD flags = 0;
        CERT_CHAIN_PARA chainPara;
        HCERTCHAINENGINE engine;

        memset(&chainPara, 0, sizeof(chainPara));
        chainPara.cbSize = sizeof(chainPara);
        /* Revocation is only checked for the end certificate, and only when
         * the configuration asks for an online CRL check. */
        if (CRYPTDLG_CheckOnlineCRL())
            flags |= CERT_CHAIN_REVOCATION_CHECK_END_CERT;
        engine = CRYPTDLG_MakeEngine(pCert);
        /* The same timestamp is used for chain building and the validity
         * check below, so both see one consistent "now". */
        GetSystemTimeAsFileTime(&data->sftSystemTime);
        ret = CRYPTDLG_IsCertAllowed(pCert->pccert);
        if (ret)
        {
            PCCERT_CHAIN_CONTEXT chain;

            ret = CertGetCertificateChain(engine, pCert->pccert,
             &data->sftSystemTime, NULL, &chainPara, flags, NULL, &chain);
            if (ret)
            {
                if (chain->cChain != 1)
                {
                    FIXME("unimplemented for more than 1 simple chain\n");
                    err = TRUST_E_SUBJECT_FORM_UNKNOWN;
                    ret = FALSE;
                }
                else if ((ret = CRYPTDLG_CopyChain(data, chain)))
                {
                    /* Non-zero means the end certificate is outside
                     * NotBefore..NotAfter at sftSystemTime. */
                    if (CertVerifyTimeValidity(&data->sftSystemTime,
                     pCert->pccert->pCertInfo))
                    {
                        ret = FALSE;
                        err = CERT_E_EXPIRED;
                    }
                }
                else
                    err = TRUST_E_SYSTEM_ERROR;
                CertFreeCertificateChain(chain);
            }
            else
                err = TRUST_E_SUBJECT_NOT_TRUSTED;
        }
        CertFreeCertificateChainEngine(engine);
    }
    else
    {
        ret = FALSE;
        err = TRUST_E_NOSIGNATURE;
    }
    /* Oddly, native doesn't set the error in the trust step error location,
     * probably because this action is more advisory than anything else.
     * Instead it stores it as the final error, but the function "succeeds" in
     * any case.
     */
    if (!ret)
        data->dwFinalError = err;
    TRACE("returning %d (%08x)\n", S_OK, data->dwFinalError);
    return S_OK;
}