Module: wine Branch: master Commit: ca40454f47ee18f769dee2261eeac0182b205726 URL: https://gitlab.winehq.org/wine/wine/-/commit/ca40454f47ee18f769dee2261eeac01...
Author: Paul Gofman pgofman@codeweavers.com Date: Wed Jan 11 14:17:47 2023 -0600
cryptnet: Also cache revocation status when using OCSP.
---
dlls/cryptnet/cryptnet_main.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/dlls/cryptnet/cryptnet_main.c b/dlls/cryptnet/cryptnet_main.c
index 01ded96d88f..516bbad9ca4 100644
--- a/dlls/cryptnet/cryptnet_main.c
+++ b/dlls/cryptnet/cryptnet_main.c
@@ -1895,11 +1895,12 @@ static BOOL match_cert_id(const OCSP_CERT_ID *id, const CERT_INFO *cert, const C
 }
 static DWORD check_ocsp_response_info(const CERT_INFO *cert, const CERT_INFO *issuer,
-                                      const CRYPT_OBJID_BLOB *blob, DWORD *status)
+                                      const CRYPT_OBJID_BLOB *blob, DWORD *status, FILETIME *next_update)
 {
     OCSP_BASIC_RESPONSE_INFO *info;
     DWORD size, i;
+    memset(next_update, 0, sizeof(*next_update));
     if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_BASIC_RESPONSE, blob->pbData, blob->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)) return GetLastError();
@@ -1907,7 +1908,11 @@ static DWORD check_ocsp_response_info(const CERT_INFO *cert, const CERT_INFO *is
     for (i = 0; i < info->cResponseEntry; i++)
     {
         OCSP_BASIC_RESPONSE_ENTRY *entry = &info->rgResponseEntry[i];
-        if (match_cert_id(&entry->CertId, cert, issuer)) *status = map_ocsp_status(entry->dwCertStatus);
+        if (match_cert_id(&entry->CertId, cert, issuer))
+        {
+            *status = map_ocsp_status(entry->dwCertStatus);
+            *next_update = entry->NextUpdate;
+        }
     }
     LocalFree(info);
@@ -1920,6 +1925,7 @@ static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_
     OCSP_BASIC_SIGNED_RESPONSE_INFO *info;
     DWORD size, error, status = CRYPT_E_REVOCATION_OFFLINE;
     CRYPT_ALGORITHM_IDENTIFIER *alg;
+    FILETIME next_update;
     CRYPT_BIT_BLOB *sig;
     HCRYPTPROV prov = 0;
     HCRYPTHASH hash = 0;
@@ -1929,7 +1935,7 @@ static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_
     if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_BASIC_SIGNED_RESPONSE, blob->pbData, blob->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)) return GetLastError();
-    if ((error = check_ocsp_response_info(cert, issuer, &info->ToBeSigned, &status))) goto done;
+    if ((error = check_ocsp_response_info(cert, issuer, &info->ToBeSigned, &status, &next_update))) goto done;
     alg = &info->SignatureInfo.SignatureAlgorithm;
     if (!alg->pszObjId || !(algid = CertOIDToAlgId(alg->pszObjId)))
@@ -1958,6 +1964,16 @@ static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_
     else error = ERROR_SUCCESS;
 done:
+    if (next_update.dwLowDateTime || next_update.dwHighDateTime)
+    {
+        CERT_REVOCATION_STATUS rev_status;
+
+        memset(&rev_status, 0, sizeof(rev_status));
+        rev_status.cbSize = sizeof(rev_status);
+        rev_status.dwError = status;
+        cache_revocation_status(&cert->SerialNumber, &next_update, &rev_status);
+    }
+
     CryptDestroyKey(key);
     CryptDestroyHash(hash);
     CryptReleaseContext(prov, 0);
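Review bot: The cache write placed under `done:` runs whether or not the response's signature was verified: `done` is the target of the `goto done` after check_ocsp_response_info, and judging by the `else error = ERROR_SUCCESS;` context just above it is also reached from the signature-verification failure path, yet `status` and `next_update` were already filled in from the not-yet-verified ToBeSigned data, so the only condition on caching is that NextUpdate is non-zero. A forged or tampered OCSP response carrying a "good" status and a distant NextUpdate would then be stored under the certificate's serial number, and later checks would presumably trust the cache without fetching again. Gate the write on the verification outcome, `if (error == ERROR_SUCCESS && (next_update.dwLowDateTime || next_update.dwHighDateTime))`, so only a response whose signature passed is cached. Nothing in this hunk checks that NextUpdate lies in the future, so it is worth confirming that cache_revocation_status or the lookup side rejects an already-expired validity window; verify_signed_ocsp_response_info continues outside the hunk.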