From: Paul Gofman pgofman@codeweavers.com
--- dlls/crypt32/decode.c | 17 ++++- dlls/crypt32/tests/encode.c | 122 ++++++++++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 2 deletions(-)
diff --git a/dlls/crypt32/decode.c b/dlls/crypt32/decode.c
index 6d683974f44..cfdeef5380a 100644
--- a/dlls/crypt32/decode.c
+++ b/dlls/crypt32/decode.c
@@ -6254,13 +6254,26 @@ static BOOL CRYPT_AsnDecodeOCSPSignatureInfoCertEncoded(const BYTE *pbEncoded,
 DWORD *pcbDecoded)
 {
 BOOL ret;
- struct AsnArrayDescriptor arrayDesc = { 0,
+ DWORD data_len, len_bytes;
+ struct AsnArrayDescriptor arrayDesc = { ASN_SEQUENCE,
 offsetof(OCSP_SIGNATURE_INFO, cCertEncoded), offsetof(OCSP_SIGNATURE_INFO, rgCertEncoded), FINALMEMBERSIZE(OCSP_SIGNATURE_INFO, cCertEncoded), verify_and_copy_certificate, sizeof(CRYPT_DER_BLOB), TRUE, offsetof(CRYPT_DER_BLOB, pbData) };
- ret = CRYPT_AsnDecodeArray(&arrayDesc, pbEncoded, cbEncoded,
+ if (pbEncoded[0] != (ASN_CONTEXT | ASN_CONSTRUCTOR))
+ {
+ WARN("Unexpected tag %#x.\n", pbEncoded[0]);
+ SetLastError(CRYPT_E_ASN1_BADTAG);
+ return FALSE;
+ }
+
+ if (!(ret = CRYPT_GetLen(pbEncoded, cbEncoded, &data_len))) return FALSE;
+ len_bytes = GET_LEN_BYTES(pbEncoded[1]);
+
+ ret = CRYPT_AsnDecodeArray(&arrayDesc, pbEncoded + 1 + len_bytes, cbEncoded - 1 - len_bytes,
 dwFlags, NULL, pvStructInfo, pcbStructInfo, pcbDecoded);
+ if (pcbDecoded)
+ *pcbDecoded = 1 + len_bytes + data_len;
 return ret;
 }
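Review bot: `pbEncoded[0]` is read on the first added line before anything in this function has confirmed that `cbEncoded` is at least 1; the length validation only happens afterwards inside CRYPT_GetLen, so unless every caller already guarantees a non-empty buffer (the sequence-item machinery is not visible here), guard it first with `if (!cbEncoded) { SetLastError(CRYPT_E_ASN1_EOD); return FALSE; }`. The inner decode is also bounded by `cbEncoded - 1 - len_bytes` rather than by the wrapper's own `data_len`, so a SEQUENCE whose header claims more than the [0] tag's declared content can still parse to completion while `*pcbDecoded` reports only `1 + len_bytes + data_len`; passing `data_len` as the length argument to CRYPT_AsnDecodeArray makes the explicit tag an actual bound (assuming CRYPT_GetLen, not shown, has already checked `data_len` against `cbEncoded`). Minor: the `ret` assigned from CRYPT_GetLen is never used after the early return, and `*pcbDecoded` is written even when the array decode failed. The function's signature begins outside the hunk.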
diff --git a/dlls/crypt32/tests/encode.c b/dlls/crypt32/tests/encode.c
index da3a9094d8c..b5db9cf7d0d 100644
--- a/dlls/crypt32/tests/encode.c
+++ b/dlls/crypt32/tests/encode.c
@@ -8728,6 +8728,122 @@ static const BYTE ocsp_signature[] = { 0xe8, 0x67, 0xcf, 0xa7 };
+static const BYTE ocsp_basic_signed_response_with_cert[] = +{ + 0x30, 0x82, 0x05, 0x32, 0x30, 0x81, 0xdf, 0xa1, 0x54, 0x30, 0x52, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4d, 0x58, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x44, + 0x46, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, + 0x43, 0x57, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x04, 0x74, 0x65, 0x73, 0x74, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0b, 0x74, 0x65, + 0x73, 0x74, 0x40, 0x71, 0x71, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f, 0x32, + 0x30, 0x32, 0x34, 0x30, 0x34, 0x32, 0x35, 0x30, 0x30, 0x30, 0x36, 0x31, + 0x31, 0x5a, 0x30, 0x51, 0x30, 0x4f, 0x30, 0x3a, 0x30, 0x09, 0x06, 0x05, + 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x1b, 0xe8, 0x99, + 0x10, 0xe7, 0x3d, 0x9c, 0x6b, 0xba, 0x65, 0xb8, 0x6e, 0x6f, 0xd1, 0x63, + 0x52, 0xa5, 0x6f, 0xd9, 0x81, 0x04, 0x14, 0xc4, 0x57, 0x2a, 0x53, 0xb7, + 0x21, 0x6d, 0x03, 0x2d, 0xd0, 0xbc, 0xd4, 0x2a, 0x88, 0xd2, 0xae, 0x62, + 0xa9, 0x97, 0x2a, 0x02, 0x01, 0x02, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, + 0x32, 0x34, 0x30, 0x34, 0x32, 0x35, 0x30, 0x30, 0x30, 0x36, 0x31, 0x31, + 0x5a, 0xa1, 0x23, 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, + 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, 0x04, 0x12, 0x04, 0x10, 0xab, 0x7a, + 0x07, 0x8a, 0xef, 0xc9, 0x7e, 0xb3, 0x51, 0x90, 0xa5, 0x72, 0x09, 0x60, + 0x84, 0x27, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xb5, 0x61, + 0x78, 0x5b, 0xc4, 0xb5, 0xe4, 0x8d, 0xff, 0xe1, 0xc5, 0x95, 0xd1, 0xad, + 0xb8, 0x55, 0xb4, 0xca, 0xcc, 0xf5, 0xe9, 0x6f, 0x63, 0x64, 0x4b, 0xf7, + 0x46, 0xf9, 0x12, 0x02, 0x36, 0xe1, 0x9f, 0xce, 0xe0, 0x5e, 0x6c, 0xf7, + 0x35, 0x19, 0x80, 0x89, 0x6b, 0x7d, 0x8f, 0xa1, 0x8c, 0xb1, 0x7d, 0xdc, + 0xf1, 0x1c, 0xf7, 0x70, 0x45, 0x77, 0xf3, 0xb4, 0x42, 0x99, 0x58, 0x68, + 0x11, 
0xec, 0x41, 0x47, 0x11, 0xcc, 0xb1, 0x2f, 0xbb, 0x11, 0xe7, 0x81, + 0x7d, 0x17, 0x93, 0x30, 0xab, 0x58, 0xb1, 0xe0, 0x69, 0x34, 0x17, 0x3a, + 0xa0, 0x4a, 0xed, 0xd6, 0x9e, 0x02, 0xfd, 0xb7, 0xd1, 0x77, 0x3c, 0x59, + 0x47, 0xeb, 0xce, 0xa0, 0x64, 0x06, 0x38, 0x78, 0x96, 0x86, 0x77, 0x1e, + 0x3f, 0xa8, 0x56, 0x9d, 0xc4, 0x8f, 0x1d, 0x23, 0x23, 0x1c, 0xe6, 0x03, + 0x2c, 0xb9, 0xfd, 0xac, 0x3e, 0x30, 0x52, 0x51, 0x27, 0x35, 0x20, 0x93, + 0x94, 0xaa, 0x69, 0x83, 0xeb, 0x04, 0x32, 0x2a, 0xc0, 0x6b, 0x24, 0x30, + 0x6f, 0x0f, 0x61, 0xdb, 0xac, 0x01, 0x46, 0x71, 0x52, 0x96, 0x07, 0x48, + 0xba, 0xdf, 0x71, 0x96, 0x25, 0xa6, 0x04, 0x36, 0x49, 0xb9, 0xd9, 0x93, + 0x9a, 0x79, 0xbf, 0xad, 0x4a, 0x4f, 0x49, 0x98, 0x7d, 0xa3, 0x49, 0x1d, + 0x65, 0xb8, 0x51, 0x93, 0x60, 0x63, 0x91, 0x34, 0x5c, 0xe4, 0xad, 0x91, + 0x44, 0xc7, 0x69, 0x93, 0x82, 0x28, 0xce, 0xc1, 0xf6, 0xc2, 0xfb, 0xf5, + 0xef, 0xaf, 0xdb, 0xc2, 0x14, 0xed, 0x26, 0xad, 0xc9, 0xba, 0xee, 0xe8, + 0x40, 0xc6, 0x03, 0x21, 0x9a, 0x7a, 0x47, 0x45, 0x24, 0x5b, 0xc6, 0xf3, + 0xb4, 0x55, 0x7e, 0xa5, 0x86, 0x22, 0x60, 0x16, 0x4a, 0x67, 0x0b, 0xbd, + 0x92, 0x7a, 0x53, 0x6b, 0xa0, 0x05, 0x2e, 0x3c, 0xfa, 0x5e, 0x06, 0x4f, + 0xf1, 0x70, 0xa0, 0x82, 0x03, 0x38, 0x30, 0x82, 0x03, 0x34, 0x30, 0x82, + 0x03, 0x30, 0x30, 0x82, 0x02, 0x99, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x61, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4d, 0x58, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x44, 0x46, 0x31, 0x0d, 0x30, + 0x0b, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x04, 0x43, 0x44, 0x4d, 0x58, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x43, + 0x57, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, + 0x74, 0x65, 0x73, 0x74, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0b, 0x74, 0x65, 0x73, + 0x74, 
0x40, 0x71, 0x71, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x20, 0x17, 0x0d, + 0x32, 0x34, 0x30, 0x34, 0x32, 0x34, 0x32, 0x33, 0x35, 0x31, 0x31, 0x39, + 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x35, 0x31, 0x30, 0x39, 0x30, 0x39, 0x32, + 0x33, 0x35, 0x31, 0x31, 0x39, 0x5a, 0x30, 0x52, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4d, 0x58, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x44, 0x46, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x02, 0x43, 0x57, 0x31, + 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, 0x74, 0x65, + 0x73, 0x74, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0b, 0x74, 0x65, 0x73, 0x74, 0x40, + 0x71, 0x71, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xd5, 0x4d, 0x96, 0x69, 0x63, 0x59, 0x0a, 0x6e, 0x79, + 0x9e, 0x5a, 0x16, 0x0a, 0xb2, 0xc1, 0x2f, 0x9c, 0x73, 0x9f, 0x0d, 0x61, + 0xac, 0x48, 0x31, 0x04, 0x9f, 0xcb, 0x30, 0xb6, 0x47, 0xf3, 0xe3, 0x9d, + 0x9e, 0x96, 0xe6, 0xad, 0x2e, 0xe7, 0x40, 0x9e, 0x54, 0xe1, 0x85, 0x94, + 0x2f, 0xf5, 0xc4, 0x46, 0x21, 0x37, 0x57, 0xbe, 0x4f, 0x47, 0xda, 0x91, + 0x0b, 0xd6, 0x51, 0xe0, 0x13, 0x1c, 0x4b, 0x3f, 0xe8, 0xf2, 0xad, 0x8b, + 0xdb, 0xc1, 0x3d, 0xb5, 0x6c, 0x4d, 0xf7, 0x52, 0x5e, 0x67, 0x90, 0xd7, + 0xc8, 0xe9, 0xf5, 0x0a, 0xc1, 0x26, 0xbc, 0x00, 0x21, 0xca, 0xc1, 0xd5, + 0x37, 0xc2, 0xea, 0xd7, 0x82, 0x18, 0x94, 0x3e, 0xd7, 0x1a, 0x9e, 0xa6, + 0x77, 0x76, 0x37, 0xe8, 0x90, 0xeb, 0x4d, 0x09, 0x18, 0x6f, 0xda, 0xca, + 0x73, 0xbc, 0x15, 0x1f, 0xac, 0x14, 0x1f, 0xe5, 0x28, 0x3e, 0x04, 0x11, + 0x91, 0x71, 0x34, 0x50, 0xc4, 0xfc, 0x32, 0xb3, 0x2d, 0x0a, 0x9d, 0xa7, + 0x15, 0xca, 0x7a, 0xf8, 0x57, 0xc0, 0xe6, 0x92, 0x5e, 0x55, 0xa7, 0x45, + 0x58, 0x2b, 0xbf, 0x82, 0x23, 0x8d, 0xe4, 0xb7, 0x4a, 0xd4, 0x15, 0x44, + 0x80, 
0x88, 0x16, 0x10, 0xcd, 0x42, 0x98, 0x46, 0xd1, 0x55, 0xa4, 0xa2, + 0xd8, 0xd8, 0x65, 0x33, 0x4d, 0x21, 0x6d, 0x1d, 0x11, 0x66, 0xd8, 0xa9, + 0xf9, 0x12, 0x42, 0x38, 0x2d, 0x36, 0x43, 0xa5, 0xe2, 0x5e, 0xff, 0x7c, + 0xae, 0xaa, 0xc8, 0x85, 0x42, 0xf3, 0xa0, 0x90, 0xd2, 0x04, 0xc9, 0xe4, + 0xa0, 0x0d, 0x97, 0xbb, 0x66, 0x8d, 0x81, 0xaa, 0x86, 0xa9, 0x49, 0x4c, + 0x14, 0x67, 0x02, 0xf6, 0x32, 0xde, 0x19, 0xf9, 0x14, 0xd0, 0xdb, 0x89, + 0xbf, 0x65, 0xc9, 0x87, 0x1d, 0xcc, 0xd3, 0x5f, 0x6a, 0xd4, 0x9d, 0x54, + 0x9d, 0x34, 0x08, 0xef, 0x7a, 0x77, 0x4f, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x81, 0x80, 0x30, 0x7e, 0x30, 0x31, 0x06, 0x08, 0x2b, 0x06, 0x01, + 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x25, 0x30, 0x23, 0x30, 0x21, 0x06, + 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x15, 0x68, + 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, + 0x30, 0x2e, 0x31, 0x3a, 0x38, 0x30, 0x38, 0x30, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x58, 0x25, 0x0b, 0x7b, 0x6c, 0xe7, + 0x50, 0xdf, 0x45, 0x4b, 0x35, 0x37, 0xd1, 0x84, 0x25, 0x66, 0xbb, 0xda, + 0x7b, 0xc5, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0xc4, 0x57, 0x2a, 0x53, 0xb7, 0x21, 0x6d, 0x03, 0x2d, + 0xd0, 0xbc, 0xd4, 0x2a, 0x88, 0xd2, 0xae, 0x62, 0xa9, 0x97, 0x2a, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xca, 0xbf, 0xb3, 0xcb, 0xf8, 0x5d, + 0x57, 0x25, 0xc4, 0xcd, 0xd3, 0xa2, 0xae, 0xcb, 0xc8, 0xe0, 0xd0, 0x16, + 0xa5, 0x54, 0x80, 0xf9, 0x6c, 0xa9, 0x4a, 0x8d, 0xa0, 0xea, 0x21, 0x6b, + 0xec, 0xfe, 0xa1, 0xdd, 0x48, 0x4c, 0xc0, 0x37, 0x5c, 0x36, 0x9f, 0x6d, + 0x3d, 0x89, 0x31, 0xc2, 0x74, 0xfd, 0xdf, 0x60, 0xa4, 0x05, 0xcb, 0x47, + 0xd2, 0x13, 0xa4, 0x23, 0x9f, 0xfb, 0x3c, 0x3f, 0x7a, 0x1f, 0x75, 0xfc, + 0x32, 0x8f, 0xbc, 0xb1, 0x3d, 0x7b, 0xef, 0x49, 0xd1, 0x47, 0x4a, 0x6d, + 0x6d, 
0x8f, 0xd4, 0xb3, 0x71, 0x3d, 0x24, 0x48, 0x05, 0x1b, 0x29, 0xa7,
+ 0xe0, 0xbd, 0xad, 0x01, 0xff, 0x92, 0x2a, 0x24, 0x1e, 0x94, 0x6e, 0x59,
+ 0x7b, 0xd4, 0x98, 0xf0, 0x60, 0xe5, 0x69, 0xa2, 0x45, 0xaf, 0xd6, 0x7f,
+ 0x5b, 0x69, 0x84, 0x97, 0x23, 0xc7, 0xda, 0x3b, 0x37, 0xcd, 0x15, 0x4e,
+ 0x6b, 0xf0,
+};
+
 static void test_decodeOCSPBasicSignedResponseInfo(DWORD dwEncoding)
 {
 OCSP_BASIC_SIGNED_RESPONSE_INFO *info;
@@ -8760,6 +8876,12 @@ static void test_decodeOCSPBasicSignedResponseInfo(DWORD dwEncoding)
 ok(!info->SignatureInfo.cCertEncoded, "got %lu\n", info->SignatureInfo.cCertEncoded);
 ok(!info->SignatureInfo.rgCertEncoded, "got %p\n", info->SignatureInfo.rgCertEncoded);
 LocalFree(info);
+
+ size = 0;
+ ret = CryptDecodeObjectEx(dwEncoding, OCSP_BASIC_SIGNED_RESPONSE, ocsp_basic_signed_response_with_cert,
+ sizeof(ocsp_basic_signed_response_with_cert), CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size);
+ ok(ret, "got %08lx\n", GetLastError());
+ LocalFree(info);
 }
static void test_decodeOCSPBasicResponseInfo(DWORD dwEncoding)
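Review bot: The new check at the end of the second hunk only asserts that CryptDecodeObjectEx succeeded, so it would still pass if the certs member were silently dropped, which is exactly what the decoder change is meant to fix. From the added bytes the [0] wrapper (`0xa0 0x82 0x03 0x38`) holds a SEQUENCE OF of 0x334 bytes that contains a single certificate of 0x334 bytes total, so pin that: `ok(info->SignatureInfo.cCertEncoded == 1, "got %lu\n", info->SignatureInfo.cCertEncoded);` and `ok(info->SignatureInfo.rgCertEncoded[0].cbData == 0x334, "got %lu\n", info->SignatureInfo.rgCertEncoded[0].cbData);`. A negative case, the same blob with the `0xa0` byte altered and CRYPT_E_ASN1_BADTAG expected from GetLastError(), would cover the tag check the decoder now makes. Also `LocalFree(info)` runs without checking `ret`; if a failed decode leaves `info` holding the pointer freed a few lines above, that is a double free, so guard the field asserts and the free with `if (ret)`.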
From: Paul Gofman pgofman@codeweavers.com
--- dlls/cryptnet/cryptnet_main.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/dlls/cryptnet/cryptnet_main.c b/dlls/cryptnet/cryptnet_main.c
index 7768e9e5bd3..1068dd26868 100644
--- a/dlls/cryptnet/cryptnet_main.c
+++ b/dlls/cryptnet/cryptnet_main.c
@@ -1869,15 +1869,16 @@ static WCHAR *build_request_url(const WCHAR *base_url, const BYTE *data, DWORD d DWORD len = 0;
 if (!(path = build_request_path(data, data_size))) return NULL;
-
- InternetCombineUrlW(base_url, path, NULL, &len, 0);
+ len = (wcslen(base_url) + wcslen(path) + 1) * sizeof(WCHAR);
 if (!(ret = malloc(len * sizeof(WCHAR))))
 {
 free(path);
 return NULL;
 }
- InternetCombineUrlW(base_url, path, ret, &len, 0);
+ wcscpy(ret, base_url);
+ wcscat(ret, path);
 free(path);
+ TRACE("-> %s.\n", debugstr_w(ret));
 return ret;
 }
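Review bot: `len` is computed in bytes (`* sizeof(WCHAR)`) on the added line and then multiplied by `sizeof(WCHAR)` again in the unchanged `malloc` line, so the buffer is four times the size it needs to be; keep `len` a character count, `len = wcslen(base_url) + wcslen(path) + 1;`, and leave the malloc as is. The plain `wcscpy`/`wcscat` also drops whatever normalisation InternetCombineUrlW used to apply, so if build_request_path (outside this hunk) already emits a leading '/', a base URL that ends in '/' now yields a double slash, and a base URL carrying a query string gets the path appended after it — presumably base_url comes from the certificate, so either add a check or a comment stating the assumption. The function's signature and the `path`/`ret` declarations begin outside the hunk.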
This fixes some certs revocation check failures I encountered.
For the first patch (the [0] EXPLICIT constructed tag in CRYPT_AsnDecodeOCSPSignatureInfoCertEncoded) see [1], section 4.2.1: ``` BasicOCSPResponse ::= SEQUENCE { tbsResponseData ResponseData, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } ``` Note the [0]: it is a context-specific constructed tag wrapping the SEQUENCE OF, which is already handled elsewhere when processing an OCSP response but not here. Without that, decoding any response that carries certs fails.
I am attaching the test for the second patch separately, mostly because it is hard to make it reliable, it inherently depends on OCSP responder. Note that the test with existing cert which I am replacing does not actually test what it is supposed to. OCSP response fails with code '6' received from server (unauthorized request; reproducible from a browser querying the same URL and parsing the response with openssl). On Windows with CERT_VERIFY_REV_SERVER_OCSP_FLAG (which we currently don't support) the revocation check fails as well, the tests succeeds both on Windows and Wine by falling back to CRL check which is also defined in the certificate. I screwed in some support for CERT_VERIFY_REV_SERVER_OCSP_FLAG in the test patch, otherwise revocation check will succeed even with OCSP not working without patch 2 (the same way as existing test).
For the second patch itself, InternetCombineUrlW() doesn't work in an obvious way one could expect. If base url contains local path (e. g., http://ocsp.pki.goog/gts1c3 like in the separate test's cert) InternetCombineUrlW will strip off the local part and append the relative URL to the base URL which is http://ocsp.pki.goog, resulting in error 404 from http request. We already escape the added relative part, so I guess we can just concat that.
1. https://www.ietf.org/rfc/rfc2560.txt
UPDATE: here is the test patch: [0001-do-not-commit-cryptnet-Test-OCSP-URL-with-local-path.patch](/uploads/3aa81a331c50c6fb87ba32e641fc5184/0001-do-not-commit-cryptnet-Test-OCSP-URL-with-local-path.patch)
This merge request was approved by Hans Leidekker.