Greetings!

> On Mon, 19 Dec 2005, Aleksey Sanin wrote:
>
> > > Then does a call to xmlSecMSCryptoX509StoreConstructCertsChain do both a
> > > cert chain check and a revocation check ?
> > Take a look at the code. Yes, it does everything including all the
> > checks (e.g. verification time).
> >
> > >
> > > Does this work now, or will it work only after Dmitry's patch ?
> > >
> > Unrelated to Dmitry's patch. His patch provides a shortcut that does
> > not call this function.
>
> I've found out I should improve the patch concerning the revocation
> status of the chain. So I'll provide the improved version tomorrow.

The improved version is attached.

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.1.1.1
retrieving revision 1.7
diff -r1.1.1.1 -r1.7
263a264,313
> static DWORD 
> xmlSecBuildChainUsingWinapi (PCCERT_CONTEXT pCertContext, LPFILETIME pfTime,
>               HCERTSTORE hAdditionalStore)
> {
>       PCCERT_CHAIN_CONTEXT     pChainContext;
>       CERT_ENHKEY_USAGE        EnhkeyUsage;
>       CERT_USAGE_MATCH         CertUsage;  
>       CERT_CHAIN_PARA          ChainPara;
>       DWORD                    dwFlags=CERT_CHAIN_REVOCATION_CHECK_CHAIN;
>       DWORD dwRes = 0;
> 
>       /* Initialize data structures. */
> 
>       EnhkeyUsage.cUsageIdentifier = 0;
>       EnhkeyUsage.rgpszUsageIdentifier=NULL;
>       CertUsage.dwType = USAGE_MATCH_TYPE_AND;
>       CertUsage.Usage  = EnhkeyUsage;
>       ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
>       ChainPara.RequestedUsage=CertUsage;
> 
>       /* Build a chain using CertGetCertificateChain
>        and the certificate retrieved. */
> 
>       if(!CertGetCertificateChain(
>                               NULL,                  /* use the default chain 
> engine */
>                               pCertContext,
>                               pfTime,
>                               hAdditionalStore,
>                               &ChainPara,            /* use AND logic and 
> enhanced key usage 
>                                                         as indicated in the 
> ChainPara 
>                                                         data structure */
>                               dwFlags,
>                               NULL,
>                               &pChainContext))
>       {
>       xmlSecError(XMLSEC_ERRORS_HERE,
>                   NULL,
>                   NULL,
>                   XMLSEC_ERRORS_R_MALLOC_FAILED,
>                   XMLSEC_ERRORS_NO_MESSAGE);
>               return (-1);
>       }
> 
>       dwRes = pChainContext->TrustStatus.dwErrorStatus;
> 
>       CertFreeCertificateChain(pChainContext);
>       return (dwRes);
> }
> 
> 
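Review bot: `return (-1)` on the CertGetCertificateChain failure path is converted to the DWORD value 0xFFFFFFFF, which has every CERT_TRUST_* error bit set and so cannot be told apart from a genuine trust-status mask by a caller, and the failure is reported as XMLSEC_ERRORS_R_MALLOC_FAILED although no allocation failed. Report it as a crypto-library failure with the Win32 error attached, e.g. `xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CertGetCertificateChain", XMLSEC_ERRORS_R_CRYPTO_FAILED, "error=%d", (int)GetLastError());`, and add a header comment stating that the return value is the chain's `TrustStatus.dwErrorStatus` bit mask (0 meaning no error) with 0xFFFFFFFF reserved for API failure. ChainPara is only partially initialised: when CERT_CHAIN_PARA_HAS_EXTRA_FIELDS is defined the structure carries further members that `cbSize = sizeof(CERT_CHAIN_PARA)` tells the API to read, so `memset(&ChainPara, 0, sizeof(ChainPara));` before the field assignments avoids passing uninitialised stack data.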
270a321
>     DWORD dwApiCheckResult;
290a342,357
>     dwApiCheckResult = xmlSecBuildChainUsingWinapi(cert, &fTime, 
> ctx->trusted);
>     
>       switch(dwApiCheckResult)
>       {
>               case CERT_TRUST_NO_ERROR :
>                       return (TRUE);
>               case CERT_TRUST_IS_NOT_TIME_VALID: 
>               case CERT_TRUST_IS_NOT_TIME_NESTED: 
>               case CERT_TRUST_IS_REVOKED:
>               case CERT_TRUST_IS_NOT_SIGNATURE_VALID:
>                       return (FALSE);
>               default:
>                       /* Other errors may be fixed by in-document 
> certificates */
>                       break;
>       }
> 
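Review bot: The `switch` on dwApiCheckResult treats the value as a single code, but it is the `TrustStatus.dwErrorStatus` bit mask returned by xmlSecBuildChainUsingWinapi, so it only matches a case when exactly one bit is set; a chain that is both revoked and expired (CERT_TRUST_IS_REVOKED | CERT_TRUST_IS_NOT_TIME_VALID) lands in `default` and continues into the in-document path instead of returning FALSE. Test the fatal bits with `&` as below; note that the 0xFFFFFFFF failure sentinel from xmlSecBuildChainUsingWinapi is then rejected as well, so if an API failure is meant to fall back to the manual chain it needs its own check before the mask test. CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION also fall into `default` today; whether the in-document path repeats the revocation check is not visible here, so that fallback should be an explicit decision rather than a side effect of the switch. The enclosing function starts and ends outside the hunk.
```c
    dwApiCheckResult = xmlSecBuildChainUsingWinapi(cert, &fTime, ctx->trusted);
    if(dwApiCheckResult == CERT_TRUST_NO_ERROR) {
        return (TRUE);
    }
    /* dwErrorStatus is a bit mask: any of these bits is fatal on its own,
     * whatever else is set alongside it */
    if(dwApiCheckResult & (CERT_TRUST_IS_NOT_TIME_VALID |
                           CERT_TRUST_IS_NOT_TIME_NESTED |
                           CERT_TRUST_IS_REVOKED |
                           CERT_TRUST_IS_NOT_SIGNATURE_VALID)) {
        return (FALSE);
    }
    /* Other errors may be fixed by in-document certificates */
```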
298a366,380
>       /**
>      * Try to find the cert in the trusted cert store. We will trust
>      * the certificate in the trusted store.
>        */
>     issuerCert = CertFindCertificateInStore(ctx->trusted, 
>                           X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>                           0,
>                           CERT_FIND_SUBJECT_NAME,
>                           &(cert->pCertInfo->Subject),
>                           NULL);
>     if( issuerCert != NULL) {
>               /* We have found the trusted cert, so return true */
>               CertFreeCertificateContext( issuerCert ) ;
>               return( TRUE ) ;
>     }
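Review bot: The trusted-store lookup uses CERT_FIND_SUBJECT_NAME, so the certificate is accepted with `return( TRUE )` as soon as its Subject equals the Subject of some certificate in ctx->trusted, without its key, serial number or encoded bytes being compared against that stored certificate. This lookup is pre-existing code re-emitted by the patch rather than new logic, but it is now the accept path taken whenever the WinAPI chain check above did not already decide. Matching the certificate itself closes the gap: `issuerCert = CertFindCertificateInStore(ctx->trusted, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_EXISTING, cert, NULL);` succeeds only for a byte-identical certificate in the store. The enclosing function starts and ends outside the hunk.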
300,317c382,383
<     /**

<      * Try to find the cert in the trusted cert store. We will trust

<      * the certificate in the trusted store.

<        */

<     issuerCert = CertFindCertificateInStore(ctx->trusted, 

<                           X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

<                           0,

<                           CERT_FIND_SUBJECT_NAME,

<                           &(cert->pCertInfo->Subject),

<                           NULL);

<     if( issuerCert != NULL) {

<               /* We have found the trusted cert, so return true */

<               CertFreeCertificateContext( issuerCert ) ;

<               return( TRUE ) ;

<     }

< 

<     /* Check whether the certificate is self signed certificate */

<     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
&(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {

---
>     /* Check whether the certificate is self signed certificate */
>     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
> &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {
319c385
<     }

---
>     }
422,424c488,490
<             if((nextCert != NULL) && 
!CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 

<                                         &(nextCert->pCertInfo->Subject), 
&(nextCert->pCertInfo->Issuer))) {

<                 selected = 0;

---
>             if((nextCert != NULL) && 
> !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
>                                         &(nextCert->pCertInfo->Subject), 
> &(nextCert->pCertInfo->Issuer))) {
>                 selected = 0;
848,860c914,926
<     certInfo.Issuer.cbData = cnb.cbData ;

<       certInfo.Issuer.pbData = cnb.pbData ;

<       certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;

<     certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;

< 

<     pCert = CertFindCertificateInStore(

<                     store,

<                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

<                     0,

<                     CERT_FIND_SUBJECT_CERT,

<                     &certInfo,

<                     NULL

<             ) ;

---
>     certInfo.Issuer.cbData = cnb.cbData ;
>       certInfo.Issuer.pbData = cnb.pbData ;
>       certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;
>     certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;
> 
>     pCert = CertFindCertificateInStore(
>                     store,
>                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>                     0,
>                     CERT_FIND_SUBJECT_CERT,
>                     &certInfo,
>                     NULL
>             ) ;