[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
Dmitry Belyavsky
beldmit at cryptocom.ru
Mon Dec 12 07:33:55 PST 2005
Greetings!
On Mon, 12 Dec 2005, Dmitry Belyavsky wrote:
> Greetings!
>
> I've fixed some more of my errors and found out what seems to be
> reimplemented.
>
> I think xmlSecMSCryptoX509StoreConstructCertsChain() should use WinAPI
> functions for building cert chains - CertGetCertificateChain() etc.
>
> I've written a prototype code to use this API so I want to discuss the
> integration of it if possible.
A slightly adapted patch is attached.
I'll be very pleased if anybody who understands WinAPI better than I do
would comment on this patch. I think the commented-out code could be used
in combination with xmlSecMSCryptoX509StoreCertError.
Thank you!
--
SY, Dmitry Belyavsky (ICQ UIN 11116575)
-------------- next part --------------
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.1.1.1
retrieving revision 1.4
diff -r1.1.1.1 -r1.4
263a264,384
> static DWORD
> xmlSecBuildChainUsingWinapi (PCCERT_CONTEXT pCertContext, LPFILETIME pfTime,
> HCERTSTORE hAdditionalStore)
> {
> //---------------------------------------------------------
> // Declare and initialize variables.
>
> PCCERT_CHAIN_CONTEXT pChainContext;
> CERT_ENHKEY_USAGE EnhkeyUsage;
> CERT_USAGE_MATCH CertUsage;
> CERT_CHAIN_PARA ChainPara;
> DWORD dwFlags=0;
> DWORD dwRes = 0;
>
> //---------------------------------------------------------
> // Initialize data structures.
>
> EnhkeyUsage.cUsageIdentifier = 0;
> EnhkeyUsage.rgpszUsageIdentifier=NULL;
> CertUsage.dwType = USAGE_MATCH_TYPE_AND;
> CertUsage.Usage = EnhkeyUsage;
> ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
> ChainPara.RequestedUsage=CertUsage;
>
> //----------------------------------------------------------------
> // Build a chain using CertGetCertificateChain
> // and the certificate retrieved.
>
> if(!CertGetCertificateChain(
> NULL, // use the default chain engine
> pCertContext, // pointer to the end certificate
> pfTime, // use the default time
> hAdditionalStore, // search no additional stores
> &ChainPara, // use AND logic and enhanced key usage
> // as indicated in the ChainPara
> // data structure
> dwFlags,
> NULL, // currently reserved
> &pChainContext)) // return a pointer to the chain created
> {
> xmlSecError(XMLSEC_ERRORS_HERE,
> NULL,
> NULL,
> XMLSEC_ERRORS_R_MALLOC_FAILED,
> XMLSEC_ERRORS_NO_MESSAGE);
> return (-1);
> }
>
> dwRes = pChainContext->TrustStatus.dwErrorStatus;
>
> #if 0
> switch(pChainContext->TrustStatus.dwErrorStatus)
> {
> case CERT_TRUST_NO_ERROR :
> printf("No error found for this certificate or chain.\n");
> break;
> case CERT_TRUST_IS_NOT_TIME_VALID:
> printf("This certificate or one of the certificates in the certificate chain is not time-valid.\n");
> break;
> case CERT_TRUST_IS_NOT_TIME_NESTED:
> printf("Certificates in the chain are not properly time-nested.\n");
> break;
> case CERT_TRUST_IS_REVOKED:
> printf("Trust for this certificate or one of the certificates in the certificate chain has been revoked.\n");
> break;
> case CERT_TRUST_IS_NOT_SIGNATURE_VALID:
> printf("The certificate or one of the certificates in the certificate chain does not have a valid signature.\n");
> break;
> case CERT_TRUST_IS_NOT_VALID_FOR_USAGE:
> printf("The certificate or certificate chain is not valid in its proposed usage.\n");
> break;
> case CERT_TRUST_IS_UNTRUSTED_ROOT:
> printf("The certificate or certificate chain is based on an untrusted root.\n");
> break;
> case CERT_TRUST_REVOCATION_STATUS_UNKNOWN:
> printf("The revocation status of the certificate or one of the certificates in the certificate chain is unknown.\n");
> break;
> case CERT_TRUST_IS_CYCLIC :
> printf("One of the certificates in the chain was issued by a certification authority that the original certificate had certified.\n");
> break;
> case CERT_TRUST_IS_PARTIAL_CHAIN:
> printf("The certificate chain is not complete.\n");
> break;
> case CERT_TRUST_CTL_IS_NOT_TIME_VALID:
> printf("A CTL used to create this chain was not time-valid.\n");
> break;
> case CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID:
> printf("A CTL used to create this chain did not have a valid signature.\n");
> break;
> case CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE:
> printf("A CTL used to create this chain is not valid for this usage.\n");
> } // End switch
>
> printf("\nInfo status for the chain:\n");
> switch(pChainContext->TrustStatus.dwInfoStatus)
> {
> case 0:
> printf("No information status reported.\n");
> break;
> case CERT_TRUST_HAS_EXACT_MATCH_ISSUER :
> printf("An exact match issuer certificate has been found for this certificate.\n");
> break;
> case CERT_TRUST_HAS_KEY_MATCH_ISSUER:
> printf("A key match issuer certificate has been found for this certificate.\n");
> break;
> case CERT_TRUST_HAS_NAME_MATCH_ISSUER:
> printf("A name match issuer certificate has been found for this certificate.\n");
> break;
> case CERT_TRUST_IS_SELF_SIGNED:
> printf("This certificate is self-signed.\n");
> break;
> case CERT_TRUST_IS_COMPLEX_CHAIN:
> printf("The certificate chain created is a complex chain.\n");
> break;
> } // end switch
> #endif
> CertFreeCertificateChain(pChainContext);
> return (dwRes);
> } // end
>
>
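Review bot: `ChainPara` is only partially filled in (`cbSize` and `RequestedUsage`) while `cbSize` is set to the full `sizeof(CERT_CHAIN_PARA)`, so any extra members the SDK compiles into the structure are handed to `CertGetCertificateChain` as uninitialized stack; zero it first with `memset(&ChainPara, 0, sizeof(ChainPara));` before setting the fields. The failure branch reports `XMLSEC_ERRORS_R_MALLOC_FAILED` for a chain-building failure and returns `-1` from a `DWORD` function (it becomes 0xFFFFFFFF, which only happens to differ from `CERT_TRUST_NO_ERROR`); the usual xmlsec form is `xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CertGetCertificateChain", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE);` with an explicit non-zero status documented as "not trusted". `dwErrorStatus` is a bitmask of `CERT_TRUST_*` flags, so the `#if 0` diagnostic `switch` would misreport combined statuses if revived; test the bits with `&` instead. The function also needs a header comment stating that the returned value is the raw `TrustStatus.dwErrorStatus` of the chain (0 meaning no error flags) and that `hAdditionalStore` is searched in addition to the engine's own stores.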
290a412,416
> if (xmlSecBuildChainUsingWinapi(cert, &fTime, ctx->trusted) == CERT_TRUST_NO_ERROR)
> {
> return (TRUE);
> }
>
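Review bot: The early `return (TRUE)` accepts the certificate whenever the chain builds without error flags, but `xmlSecBuildChainUsingWinapi` passes a NULL chain engine, so the default engine takes its trust anchors from the Windows system root store and `ctx->trusted` acts only as an additional search store; a certificate chaining to any system-trusted root therefore bypasses the xmlsec trusted store and every check that follows in this function. If the xmlsec store is meant to be the sole set of anchors, create a dedicated engine with `CertCreateCertificateChainEngine` whose `CERT_CHAIN_ENGINE_CONFIG.hRestrictedRoot` is `ctx->trusted`, or verify that the chain's root certificate is present in `ctx->trusted` before returning. With `dwFlags` left at 0 no revocation checking is requested either, so if the remainder of this function performs CRL handling (not visible in the hunk) that work is skipped on this path; consider `CERT_CHAIN_REVOCATION_CHECK_CHAIN` or a comment such as `/* Windows chain engine path: no revocation check requested (dwFlags == 0) */`. The enclosing function starts and ends outside this hunk.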
298a425,439
> /**
> * Try to find the cert in the trusted cert store. We will trust
> * the certificate in the trusted store.
> */
> issuerCert = CertFindCertificateInStore(ctx->trusted,
> X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> 0,
> CERT_FIND_SUBJECT_NAME,
> &(cert->pCertInfo->Subject),
> NULL);
> if( issuerCert != NULL) {
> /* We have found the trusted cert, so return true */
> CertFreeCertificateContext( issuerCert ) ;
> return( TRUE ) ;
> }
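Review bot: The relocated trusted-store lookup still uses `CERT_FIND_SUBJECT_NAME`, so any certificate whose subject name equals that of a trusted certificate is accepted without the certificate itself being compared; match the whole certificate with `CERT_FIND_EXISTING` and `cert` as the find parameter, or compare the encoded certificates before returning TRUE. This is pre-existing logic moved by the patch rather than new code, and the enclosing function continues outside the hunk.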
300,317c441,442
< /**
< * Try to find the cert in the trusted cert store. We will trust
< * the certificate in the trusted store.
< */
< issuerCert = CertFindCertificateInStore(ctx->trusted,
< X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
< 0,
< CERT_FIND_SUBJECT_NAME,
< &(cert->pCertInfo->Subject),
< NULL);
< if( issuerCert != NULL) {
< /* We have found the trusted cert, so return true */
< CertFreeCertificateContext( issuerCert ) ;
< return( TRUE ) ;
< }
<
< /* Check whether the certificate is self signed certificate */
< if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {
---
> /* Check whether the certificate is self signed certificate */
> if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {
319c444
< }
---
> }
422,424c547,549
< if((nextCert != NULL) && !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
< &(nextCert->pCertInfo->Subject), &(nextCert->pCertInfo->Issuer))) {
< selected = 0;
---
> if((nextCert != NULL) && !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> &(nextCert->pCertInfo->Subject), &(nextCert->pCertInfo->Issuer))) {
> selected = 0;
848,860c973,985
< certInfo.Issuer.cbData = cnb.cbData ;
< certInfo.Issuer.pbData = cnb.pbData ;
< certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;
< certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;
<
< pCert = CertFindCertificateInStore(
< store,
< X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
< 0,
< CERT_FIND_SUBJECT_CERT,
< &certInfo,
< NULL
< ) ;
---
> certInfo.Issuer.cbData = cnb.cbData ;
> certInfo.Issuer.pbData = cnb.pbData ;
> certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;
> certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;
>
> pCert = CertFindCertificateInStore(
> store,
> X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> 0,
> CERT_FIND_SUBJECT_CERT,
> &certInfo,
> NULL
> ) ;