[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Dmitry Belyavsky beldmit at cryptocom.ru
Tue Dec 20 06:52:12 PST 2005


Greetings!

> On Mon, 19 Dec 2005, Aleksey Sanin wrote:
>
> > > Then does a call to xmlSecMSCryptoX509StoreConstructCertsChain do both a
> > > cert chain check and a revocation check ?
> > Take a look at the code. Yes, it does everything including all the
> > checks (e.g. verification time).
> >
> > >
> > > Does this work now, or will it work only after Dmitry's patch ?
> > >
> > Unrelated to Dmitry's patch. His patch provides a shortcut that does
> > not call this function.
>
> I've found out I should improve the patch concerning the revocation
> status of the chain. So I'll provide the improved version tomorrow.

The improved version is attached.

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)
-------------- next part --------------
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.1.1.1
retrieving revision 1.7
diff -r1.1.1.1 -r1.7
263a264,313
> static DWORD 
> xmlSecBuildChainUsingWinapi (PCCERT_CONTEXT pCertContext, LPFILETIME pfTime,
> 		HCERTSTORE hAdditionalStore)
> {
> 	PCCERT_CHAIN_CONTEXT     pChainContext;
> 	CERT_ENHKEY_USAGE        EnhkeyUsage;
> 	CERT_USAGE_MATCH         CertUsage;  
> 	CERT_CHAIN_PARA          ChainPara;
> 	DWORD                    dwFlags=CERT_CHAIN_REVOCATION_CHECK_CHAIN;
> 	DWORD dwRes = 0;
> 
> 	/* Initialize data structures. */
> 
> 	EnhkeyUsage.cUsageIdentifier = 0;
> 	EnhkeyUsage.rgpszUsageIdentifier=NULL;
> 	CertUsage.dwType = USAGE_MATCH_TYPE_AND;
> 	CertUsage.Usage  = EnhkeyUsage;
> 	ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
> 	ChainPara.RequestedUsage=CertUsage;
> 
> 	/* Build a chain using CertGetCertificateChain
> 	 and the certificate retrieved. */
> 
> 	if(!CertGetCertificateChain(
> 				NULL,                  /* use the default chain engine */
> 				pCertContext,
> 				pfTime,
> 				hAdditionalStore,
> 				&ChainPara,            /* use AND logic and enhanced key usage 
> 							  as indicated in the ChainPara 
> 							  data structure */
> 				dwFlags,
> 				NULL,
> 				&pChainContext))
> 	{
>     	xmlSecError(XMLSEC_ERRORS_HERE,
> 		    NULL,
> 		    NULL,
> 		    XMLSEC_ERRORS_R_MALLOC_FAILED,
> 		    XMLSEC_ERRORS_NO_MESSAGE);
> 		return (-1);
> 	}
> 
> 	dwRes = pChainContext->TrustStatus.dwErrorStatus;
> 
> 	CertFreeCertificateChain(pChainContext);
> 	return (dwRes);
> }
> 
> 
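Review bot: The failure branch after the CertGetCertificateChain call returns `(-1)` from a function declared to return DWORD, so the caller receives 0xFFFFFFFF, and the error is reported as XMLSEC_ERRORS_R_MALLOC_FAILED although no allocation failed; a chain-engine failure is better reported as `XMLSEC_ERRORS_R_CRYPTO_FAILED` with `"CertGetCertificateChain"` as the failing function name and the GetLastError() value in the message. CERT_CHAIN_PARA is also only partly initialized: cbSize is set to the full structure size but only RequestedUsage is assigned, so any further members the header compiles into the struct are indeterminate when the API reads them; `memset(&ChainPara, 0, sizeof(ChainPara));` before filling it fixes that. The value copied from TrustStatus.dwErrorStatus is a bitmask of CERT_TRUST_* flags, which the helper does not say; a header comment such as `/* Returns the CERT_TRUST_* error-status bitmask of the built chain (0 = no error), or (DWORD)-1 if the chain could not be built at all. */` would document the contract so callers do not treat it as a single enum value.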
270a321
>     DWORD dwApiCheckResult;
290a342,357
>     dwApiCheckResult = xmlSecBuildChainUsingWinapi(cert, &fTime, ctx->trusted);
>     
> 	switch(dwApiCheckResult)
> 	{
> 		case CERT_TRUST_NO_ERROR :
> 			return (TRUE);
> 		case CERT_TRUST_IS_NOT_TIME_VALID: 
> 		case CERT_TRUST_IS_NOT_TIME_NESTED: 
> 		case CERT_TRUST_IS_REVOKED:
> 		case CERT_TRUST_IS_NOT_SIGNATURE_VALID:
> 			return (FALSE);
> 		default:
> 			/* Other errors may be fixed by in-document certificates */
> 			break;
> 	}
> 
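Review bot: The switch on dwApiCheckResult treats TrustStatus.dwErrorStatus as a single value, but it is a bitmask of CERT_TRUST_* flags, so a certificate that is both revoked and expired (CERT_TRUST_IS_REVOKED | CERT_TRUST_IS_NOT_TIME_VALID) matches no case, lands in `default`, and is handed on to the in-document chain construction instead of being rejected. A mask test is needed: `if (dwApiCheckResult == CERT_TRUST_NO_ERROR) return (TRUE);` followed by `if (dwApiCheckResult & (CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_REVOKED | CERT_TRUST_IS_NOT_SIGNATURE_VALID)) return (FALSE);`. The helper's (DWORD)-1 failure value and statuses where revocation could not be determined (e.g. CERT_TRUST_REVOCATION_STATUS_UNKNOWN) also fall through to the in-document path; if that fallback is intended, the comment on the default branch should say so explicitly. The enclosing function starts and ends outside the hunk, and the added lines mix tab and four-space indentation with the surrounding code.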
298a366,380
> 	/**
>      * Try to find the cert in the trusted cert store. We will trust
>      * the certificate in the trusted store.
> 	 */
>     issuerCert = CertFindCertificateInStore(ctx->trusted, 
> 			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> 			    0,
> 			    CERT_FIND_SUBJECT_NAME,
> 			    &(cert->pCertInfo->Subject),
> 			    NULL);
>     if( issuerCert != NULL) {
> 		/* We have found the trusted cert, so return true */
> 		CertFreeCertificateContext( issuerCert ) ;
> 		return( TRUE ) ;
>     }
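Review bot: The trusted-store lookup uses CERT_FIND_SUBJECT_NAME with the certificate's own Subject, so any certificate in ctx->trusted carrying the same subject name makes the function return TRUE without comparing the certificate itself. This block is moved rather than new, but since it now runs right after the chain-engine result is consulted it is worth confirming that a subject-name match is the intended trust criterion; a CERT_FIND_EXISTING search, which matches the whole certificate, would be the stricter check. A comment stating the criterion, e.g. `/* A trusted cert with the same subject name is accepted as-is; the certificate bytes are not compared. */`, would at least make the behaviour explicit. The enclosing function starts and ends outside the hunk.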
300,317c382,383
<     /**

<      * Try to find the cert in the trusted cert store. We will trust

<      * the certificate in the trusted store.

< 	 */

<     issuerCert = CertFindCertificateInStore(ctx->trusted, 

< 			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

< 			    0,

< 			    CERT_FIND_SUBJECT_NAME,

< 			    &(cert->pCertInfo->Subject),

< 			    NULL);

<     if( issuerCert != NULL) {

< 		/* We have found the trusted cert, so return true */

< 		CertFreeCertificateContext( issuerCert ) ;

< 		return( TRUE ) ;

<     }

< 

<     /* Check whether the certificate is self signed certificate */

<     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {

---
>     /* Check whether the certificate is self signed certificate */
>     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {
319c385
<     }

---
>     }
422,424c488,490
<             if((nextCert != NULL) && !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 

<                                         &(nextCert->pCertInfo->Subject), &(nextCert->pCertInfo->Issuer))) {

<                 selected = 0;

---
>             if((nextCert != NULL) && !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
>                                         &(nextCert->pCertInfo->Subject), &(nextCert->pCertInfo->Issuer))) {
>                 selected = 0;
848,860c914,926
<     certInfo.Issuer.cbData = cnb.cbData ;

< 	certInfo.Issuer.pbData = cnb.pbData ;

< 	certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;

<     certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;

< 

<     pCert = CertFindCertificateInStore(

<                     store,

<                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

<                     0,

<                     CERT_FIND_SUBJECT_CERT,

<                     &certInfo,

<                     NULL

<             ) ;

---
>     certInfo.Issuer.cbData = cnb.cbData ;
> 	certInfo.Issuer.pbData = cnb.pbData ;
> 	certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;
>     certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;
> 
>     pCert = CertFindCertificateInStore(
>                     store,
>                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>                     0,
>                     CERT_FIND_SUBJECT_CERT,
>                     &certInfo,
>                     NULL
>             ) ;

