[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Dmitry Belyavsky beldmit at cryptocom.ru
Wed Dec 14 07:57:32 PST 2005


Greetings!

On Wed, 14 Dec 2005, Aleksey Sanin wrote:


> > Should I repost the patch?
>
> It would be great! I'll try to take a look but
> it will probably not happen till weekend.

Patch is attached.

Thank you!

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)
-------------- next part --------------
Index: src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.1.1.1
retrieving revision 1.4
diff -r1.1.1.1 -r1.4
263a264,384
> static DWORD 
> xmlSecBuildChainUsingWinapi (PCCERT_CONTEXT pCertContext, LPFILETIME pfTime,
> 		HCERTSTORE hAdditionalStore)
> {
> 	//---------------------------------------------------------
> 	// Declare and initialize variables.
> 
> 	PCCERT_CHAIN_CONTEXT     pChainContext;
> 	CERT_ENHKEY_USAGE        EnhkeyUsage;
> 	CERT_USAGE_MATCH         CertUsage;  
> 	CERT_CHAIN_PARA          ChainPara;
> 	DWORD                    dwFlags=0;
> 	DWORD dwRes = 0;
> 
> 	//---------------------------------------------------------
> 	// Initialize data structures.
> 
> 	EnhkeyUsage.cUsageIdentifier = 0;
> 	EnhkeyUsage.rgpszUsageIdentifier=NULL;
> 	CertUsage.dwType = USAGE_MATCH_TYPE_AND;
> 	CertUsage.Usage  = EnhkeyUsage;
> 	ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
> 	ChainPara.RequestedUsage=CertUsage;
> 
> 	//----------------------------------------------------------------
> 	// Build a chain using CertGetCertificateChain
> 	// and the certificate retrieved.
> 
> 	if(!CertGetCertificateChain(
> 				NULL,                  // use the default chain engine
> 				pCertContext,          // pointer to the end certificate
> 				pfTime,                // use the default time
> 				hAdditionalStore,      // search no additional stores
> 				&ChainPara,            // use AND logic and enhanced key usage 
> 				//  as indicated in the ChainPara 
> 				//  data structure
> 				dwFlags,
> 				NULL,                  // currently reserved
> 				&pChainContext))       // return a pointer to the chain created
> 	{
>     	xmlSecError(XMLSEC_ERRORS_HERE,
> 		    NULL,
> 		    NULL,
> 		    XMLSEC_ERRORS_R_MALLOC_FAILED,
> 		    XMLSEC_ERRORS_NO_MESSAGE);
> 		return (-1);
> 	}
> 
> 	dwRes = pChainContext->TrustStatus.dwErrorStatus;
> 
> #if 0	
> 	switch(pChainContext->TrustStatus.dwErrorStatus)
> 	{
> 		case CERT_TRUST_NO_ERROR :
> 			printf("No error found for this certificate or chain.\n");
> 			break;
> 		case CERT_TRUST_IS_NOT_TIME_VALID: 
> 			printf("This certificate or one of the certificates in the certificate chain is not time-valid.\n");
> 			break;
> 		case CERT_TRUST_IS_NOT_TIME_NESTED: 
> 			printf("Certificates in the chain are not properly time-nested.\n");
> 			break;
> 		case CERT_TRUST_IS_REVOKED:
> 			printf("Trust for this certificate or one of the certificates in the certificate chain has been revoked.\n");
> 			break;
> 		case CERT_TRUST_IS_NOT_SIGNATURE_VALID:
> 			printf("The certificate or one of the certificates in the certificate chain does not have a valid signature.\n");
> 			break;
> 		case CERT_TRUST_IS_NOT_VALID_FOR_USAGE:
> 			printf("The certificate or certificate chain is not valid in its proposed usage.\n");
> 			break;
> 		case CERT_TRUST_IS_UNTRUSTED_ROOT:
> 			printf("The certificate or certificate chain is based on an untrusted root.\n");
> 			break;
> 		case CERT_TRUST_REVOCATION_STATUS_UNKNOWN:
> 			printf("The revocation status of the certificate or one of the certificates in the certificate chain is unknown.\n");
> 			break;
> 		case CERT_TRUST_IS_CYCLIC :
> 			printf("One of the certificates in the chain was issued by a certification authority that the original certificate had certified.\n");
> 			break;
> 		case CERT_TRUST_IS_PARTIAL_CHAIN: 
> 			printf("The certificate chain is not complete.\n");
> 			break;
> 		case CERT_TRUST_CTL_IS_NOT_TIME_VALID: 
> 			printf("A CTL used to create this chain was not time-valid.\n");
> 			break;
> 		case CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID: 
> 			printf("A CTL used to create this chain did not have a valid signature.\n");
> 			break;
> 		case CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE: 
> 			printf("A CTL used to create this chain is not valid for this usage.\n");
> 	} // End switch
> 
> 	printf("\nInfo status for the chain:\n");
> 	switch(pChainContext->TrustStatus.dwInfoStatus)
> 	{
> 		case 0:
> 			printf("No information status reported.\n");
> 			break;
> 		case CERT_TRUST_HAS_EXACT_MATCH_ISSUER :
> 			printf("An exact match issuer certificate has been found for this certificate.\n");
> 			break;
> 		case CERT_TRUST_HAS_KEY_MATCH_ISSUER: 
> 			printf("A key match issuer certificate has been found for this certificate.\n");
> 			break;
> 		case CERT_TRUST_HAS_NAME_MATCH_ISSUER: 
> 			printf("A name match issuer certificate has been found for this certificate.\n");
> 			break;
> 		case CERT_TRUST_IS_SELF_SIGNED:
> 			printf("This certificate is self-signed.\n");
> 			break;
> 		case CERT_TRUST_IS_COMPLEX_CHAIN:
> 			printf("The certificate chain created is a complex chain.\n");
> 			break;
> 	} // end switch
> #endif
> 	CertFreeCertificateChain(pChainContext);
> 	return (dwRes);
> } // end
> 
> 
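Review bot: ChainPara is only partially initialised before the CertGetCertificateChain call: cbSize is set to sizeof(CERT_CHAIN_PARA), so with an SDK that defines the structure's extra fields the chain engine reads uninitialised stack data from them; zero the struct first with `memset(&ChainPara, 0, sizeof(ChainPara));` ahead of `ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);`. The failure branch reports XMLSEC_ERRORS_R_MALLOC_FAILED and does `return (-1);` from a DWORD-returning function, so a genuine chain-build failure is logged as an allocation error and converted to an out-of-range status; XMLSEC_ERRORS_R_CRYPTO_FAILED with the GetLastError() value in the message would be accurate, and the function's header comment should state that any non-zero return means the chain is not trusted. The parameter comments are stale now that the values are passed in ("use the default time" next to pfTime, "search no additional stores" next to hAdditionalStore). The `#if 0` printf block is dead debugging code and should be dropped rather than committed.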
290a412,416
> 		if (xmlSecBuildChainUsingWinapi(cert, &fTime, ctx->trusted) == CERT_TRUST_NO_ERROR) 
> 		{
> 			return (TRUE);
> 		}
> 
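Review bot: The early `return (TRUE)` on CERT_TRUST_NO_ERROR widens the trust policy of this function, whose body starts and ends outside the hunk: CertGetCertificateChain is invoked with the default chain engine, so a chain terminating in a root from the Windows system store is now accepted even when that root is not in ctx->trusted, and with dwFlags = 0 no revocation checking is performed. If that is intended, say so in a comment at this call, e.g. `/* accept chains that the Windows chain engine trusts (system roots + ctx->trusted); no revocation check */`; if only ctx->trusted should be authoritative, build the chain through an engine created with CertCreateCertificateChainEngine and restricted to that store, and consider CERT_CHAIN_REVOCATION_CHECK_CHAIN in dwFlags. Where fTime is initialised is not visible here; it is presumably the verification time handed down from the caller, which the comment should also confirm.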
298a425,439
> 	/**
>      * Try to find the cert in the trusted cert store. We will trust
>      * the certificate in the trusted store.
> 	 */
>     issuerCert = CertFindCertificateInStore(ctx->trusted, 
> 			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> 			    0,
> 			    CERT_FIND_SUBJECT_NAME,
> 			    &(cert->pCertInfo->Subject),
> 			    NULL);
>     if( issuerCert != NULL) {
> 		/* We have found the trusted cert, so return true */
> 		CertFreeCertificateContext( issuerCert ) ;
> 		return( TRUE ) ;
>     }
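Review bot: The CERT_FIND_SUBJECT_NAME lookup returns TRUE as soon as any certificate in ctx->trusted has the same subject name as cert, without confirming it is the same certificate (issuer and serial number, or key), and the moved code now returns early at this point; a certificate that merely shares a subject name with a trusted one would therefore pass. Compare the found context against cert before trusting it, e.g. `if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, issuerCert->pCertInfo, cert->pCertInfo)) { CertFreeCertificateContext(issuerCert); return (TRUE); }`, and otherwise release the context and continue with the remaining checks. The variable is named issuerCert although here it holds a candidate copy of cert itself; a name such as trustedCert would read better, and the block mixes tab and space indentation with the surrounding lines. The enclosing function starts and ends outside this hunk.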
300,317c441,442
<     /**

<      * Try to find the cert in the trusted cert store. We will trust

<      * the certificate in the trusted store.

< 	 */

<     issuerCert = CertFindCertificateInStore(ctx->trusted, 

< 			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

< 			    0,

< 			    CERT_FIND_SUBJECT_NAME,

< 			    &(cert->pCertInfo->Subject),

< 			    NULL);

<     if( issuerCert != NULL) {

< 		/* We have found the trusted cert, so return true */

< 		CertFreeCertificateContext( issuerCert ) ;

< 		return( TRUE ) ;

<     }

< 

<     /* Check whether the certificate is self signed certificate */

<     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {

---
>     /* Check whether the certificate is self signed certificate */
>     if(CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer))) {
319c444
<     }

---
>     }
422,424c547,549
<             if((nextCert != NULL) && !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 

<                                         &(nextCert->pCertInfo->Subject), &(nextCert->pCertInfo->Issuer))) {

<                 selected = 0;

---
>             if((nextCert != NULL) && !CertCompareCertificateName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
>                                         &(nextCert->pCertInfo->Subject), &(nextCert->pCertInfo->Issuer))) {
>                 selected = 0;
848,860c973,985
<     certInfo.Issuer.cbData = cnb.cbData ;

< 	certInfo.Issuer.pbData = cnb.pbData ;

< 	certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;

<     certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;

< 

<     pCert = CertFindCertificateInStore(

<                     store,

<                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

<                     0,

<                     CERT_FIND_SUBJECT_CERT,

<                     &certInfo,

<                     NULL

<             ) ;

---
>     certInfo.Issuer.cbData = cnb.cbData ;
> 	certInfo.Issuer.pbData = cnb.pbData ;
> 	certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;
>     certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;
> 
>     pCert = CertFindCertificateInStore(
>                     store,
>                     X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
>                     0,
>                     CERT_FIND_SUBJECT_CERT,
>                     &certInfo,
>                     NULL
>             ) ;

