| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/test_root_certs.h" | 5 #include "net/cert/test_root_certs.h" |
| 6 | 6 |
| 7 #include <windows.h> | 7 #include <windows.h> |
| 8 #include <wincrypt.h> | 8 #include <wincrypt.h> |
| 9 | 9 |
| 10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
| (...skipping 28 matching lines...) |
| 39 // I_CertDllOpenSystemStoreProvW function. | 39 // I_CertDllOpenSystemStoreProvW function. |
| 40 PFN_CERT_DLL_OPEN_STORE_PROV_FUNC original_function; | 40 PFN_CERT_DLL_OPEN_STORE_PROV_FUNC original_function; |
| 41 | 41 |
| 42 // The handle that CryptoAPI uses to ensure the DLL implementing | 42 // The handle that CryptoAPI uses to ensure the DLL implementing |
| 43 // |original_function| remains loaded in memory. | 43 // |original_function| remains loaded in memory. |
| 44 HCRYPTOIDFUNCADDR original_handle; | 44 HCRYPTOIDFUNCADDR original_handle; |
| 45 | 45 |
| 46 private: | 46 private: |
| 47 friend struct base::DefaultLazyInstanceTraits<CryptoAPIInjector>; | 47 friend struct base::DefaultLazyInstanceTraits<CryptoAPIInjector>; |
| 48 | 48 |
| 49 CryptoAPIInjector() | 49 CryptoAPIInjector() : original_function(NULL), original_handle(NULL) { |
| 50 : original_function(NULL), | |
| 51 original_handle(NULL) { | |
| 52 HCRYPTOIDFUNCSET registered_functions = | 50 HCRYPTOIDFUNCSET registered_functions = |
| 53 CryptInitOIDFunctionSet(CRYPT_OID_OPEN_STORE_PROV_FUNC, 0); | 51 CryptInitOIDFunctionSet(CRYPT_OID_OPEN_STORE_PROV_FUNC, 0); |
| 54 | 52 |
| 55 // Preserve the original handler function in |original_function|. If other | 53 // Preserve the original handler function in |original_function|. If other |
| 56 // functions are overridden, they will also need to be preserved. | 54 // functions are overridden, they will also need to be preserved. |
| 57 BOOL ok = CryptGetOIDFunctionAddress( | 55 BOOL ok = |
| 58 registered_functions, 0, CERT_STORE_PROV_SYSTEM_W, 0, | 56 CryptGetOIDFunctionAddress(registered_functions, |
| 59 reinterpret_cast<void**>(&original_function), &original_handle); | 57 0, |
| 58 CERT_STORE_PROV_SYSTEM_W, |
| 59 0, |
| 60 reinterpret_cast<void**>(&original_function), |
| 61 &original_handle); |
| 60 DCHECK(ok); | 62 DCHECK(ok); |
| 61 | 63 |
| 62 // For now, intercept only the numeric form of the system store | 64 // For now, intercept only the numeric form of the system store |
| 63 // function, CERT_STORE_PROV_SYSTEM_W (0x0A), which is what Crypt32 | 65 // function, CERT_STORE_PROV_SYSTEM_W (0x0A), which is what Crypt32 |
| 64 // functionality uses exclusively. Depending on the machine that tests | 66 // functionality uses exclusively. Depending on the machine that tests |
| 65 // are being run on, it may prove necessary to also intercept | 67 // are being run on, it may prove necessary to also intercept |
| 66 // sz_CERT_STORE_PROV_SYSTEM_[A/W] and CERT_STORE_PROV_SYSTEM_A, based | 68 // sz_CERT_STORE_PROV_SYSTEM_[A/W] and CERT_STORE_PROV_SYSTEM_A, based |
| 67 // on whether or not any third-party CryptoAPI modules have been | 69 // on whether or not any third-party CryptoAPI modules have been |
| 68 // installed. | 70 // installed. |
| 69 const CRYPT_OID_FUNC_ENTRY kFunctionToIntercept = | 71 const CRYPT_OID_FUNC_ENTRY kFunctionToIntercept = {CERT_STORE_PROV_SYSTEM_W, |
| 70 { CERT_STORE_PROV_SYSTEM_W, &InterceptedOpenStoreW }; | 72 &InterceptedOpenStoreW}; |
| 71 | 73 |
| 72 // Inject kFunctionToIntercept at the front of the linked list that | 74 // Inject kFunctionToIntercept at the front of the linked list that |
| 73 // crypt32 uses when CertOpenStore is called, replacing the existing | 75 // crypt32 uses when CertOpenStore is called, replacing the existing |
| 74 // registered function. | 76 // registered function. |
| 75 ok = CryptInstallOIDFunctionAddress(NULL, 0, | 77 ok = CryptInstallOIDFunctionAddress(NULL, |
| 76 CRYPT_OID_OPEN_STORE_PROV_FUNC, 1, | 78 0, |
| 79 CRYPT_OID_OPEN_STORE_PROV_FUNC, |
| 80 1, |
| 77 &kFunctionToIntercept, | 81 &kFunctionToIntercept, |
| 78 CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG); | 82 CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG); |
| 79 DCHECK(ok); | 83 DCHECK(ok); |
| 80 } | 84 } |
| 81 | 85 |
| 82 // This is never called, because this object is intentionally leaked. | 86 // This is never called, because this object is intentionally leaked. |
| 83 // Certificate verification happens on a non-joinable worker thread, which | 87 // Certificate verification happens on a non-joinable worker thread, which |
| 84 // may still be running when ~AtExitManager is called, so the LazyInstance | 88 // may still be running when ~AtExitManager is called, so the LazyInstance |
| 85 // must be leaky. | 89 // must be leaky. |
| 86 ~CryptoAPIInjector() { | 90 ~CryptoAPIInjector() { |
| 87 original_function = NULL; | 91 original_function = NULL; |
| 88 CryptFreeOIDFunctionAddress(original_handle, NULL); | 92 CryptFreeOIDFunctionAddress(original_handle, NULL); |
| 89 } | 93 } |
| 90 }; | 94 }; |
| 91 | 95 |
| 92 base::LazyInstance<CryptoAPIInjector>::Leaky | 96 base::LazyInstance<CryptoAPIInjector>::Leaky g_capi_injector = |
| 93 g_capi_injector = LAZY_INSTANCE_INITIALIZER; | 97 LAZY_INSTANCE_INITIALIZER; |
| 94 | 98 |
| 95 BOOL WINAPI InterceptedOpenStoreW(LPCSTR store_provider, | 99 BOOL WINAPI InterceptedOpenStoreW(LPCSTR store_provider, |
| 96 DWORD encoding, | 100 DWORD encoding, |
| 97 HCRYPTPROV crypt_provider, | 101 HCRYPTPROV crypt_provider, |
| 98 DWORD flags, | 102 DWORD flags, |
| 99 const void* store_name, | 103 const void* store_name, |
| 100 HCERTSTORE memory_store, | 104 HCERTSTORE memory_store, |
| 101 PCERT_STORE_PROV_INFO store_info) { | 105 PCERT_STORE_PROV_INFO store_info) { |
| 102 // If the high word is all zeroes, then |store_provider| is a numeric ID. | 106 // If the high word is all zeroes, then |store_provider| is a numeric ID. |
| 103 // Otherwise, it's a pointer to a null-terminated ASCII string. See the | 107 // Otherwise, it's a pointer to a null-terminated ASCII string. See the |
| 104 // documentation for CryptGetOIDFunctionAddress for more information. | 108 // documentation for CryptGetOIDFunctionAddress for more information. |
| 105 uint32 store_as_uint = reinterpret_cast<uint32>(store_provider); | 109 uint32 store_as_uint = reinterpret_cast<uint32>(store_provider); |
| 106 if (store_as_uint > 0xFFFF || store_provider != CERT_STORE_PROV_SYSTEM_W || | 110 if (store_as_uint > 0xFFFF || store_provider != CERT_STORE_PROV_SYSTEM_W || |
| 107 !g_capi_injector.Get().original_function) | 111 !g_capi_injector.Get().original_function) |
| 108 return FALSE; | 112 return FALSE; |
| 109 | 113 |
| 110 BOOL ok = g_capi_injector.Get().original_function(store_provider, encoding, | 114 BOOL ok = g_capi_injector.Get().original_function(store_provider, |
| 111 crypt_provider, flags, | 115 encoding, |
| 112 store_name, memory_store, | 116 crypt_provider, |
| 117 flags, |
| 118 store_name, |
| 119 memory_store, |
| 113 store_info); | 120 store_info); |
| 114 // Only the Root store should have certificates injected. If | 121 // Only the Root store should have certificates injected. If |
| 115 // CERT_SYSTEM_STORE_RELOCATE_FLAG is set, then |store_name| points to a | 122 // CERT_SYSTEM_STORE_RELOCATE_FLAG is set, then |store_name| points to a |
| 116 // CERT_SYSTEM_STORE_RELOCATE_PARA structure, rather than a | 123 // CERT_SYSTEM_STORE_RELOCATE_PARA structure, rather than a |
| 117 // NULL-terminated wide string, so check before making a string | 124 // NULL-terminated wide string, so check before making a string |
| 118 // comparison. | 125 // comparison. |
| 119 if (!ok || TestRootCerts::GetInstance()->IsEmpty() || | 126 if (!ok || TestRootCerts::GetInstance()->IsEmpty() || |
| 120 (flags & CERT_SYSTEM_STORE_RELOCATE_FLAG) || | 127 (flags & CERT_SYSTEM_STORE_RELOCATE_FLAG) || |
| 121 lstrcmpiW(reinterpret_cast<LPCWSTR>(store_name), L"root")) | 128 lstrcmpiW(reinterpret_cast<LPCWSTR>(store_name), L"root")) |
| 122 return ok; | 129 return ok; |
| (...skipping 15 matching lines...) |
| 138 } | 145 } |
| 139 | 146 |
| 140 } // namespace | 147 } // namespace |
| 141 | 148 |
| 142 bool TestRootCerts::Add(X509Certificate* certificate) { | 149 bool TestRootCerts::Add(X509Certificate* certificate) { |
| 143 // Ensure that the default CryptoAPI functionality has been intercepted. | 150 // Ensure that the default CryptoAPI functionality has been intercepted. |
| 144 // If a test certificate is never added, then no interception should | 151 // If a test certificate is never added, then no interception should |
| 145 // happen. | 152 // happen. |
| 146 g_capi_injector.Get(); | 153 g_capi_injector.Get(); |
| 147 | 154 |
| 148 BOOL ok = CertAddCertificateContextToStore( | 155 BOOL ok = CertAddCertificateContextToStore(temporary_roots_, |
| 149 temporary_roots_, certificate->os_cert_handle(), | 156 certificate->os_cert_handle(), |
| 150 CERT_STORE_ADD_NEW, NULL); | 157 CERT_STORE_ADD_NEW, |
| 158 NULL); |
| 151 if (!ok) { | 159 if (!ok) { |
| 152 // If the certificate is already added, return successfully. | 160 // If the certificate is already added, return successfully. |
| 153 return GetLastError() == CRYPT_E_EXISTS; | 161 return GetLastError() == CRYPT_E_EXISTS; |
| 154 } | 162 } |
| 155 | 163 |
| 156 empty_ = false; | 164 empty_ = false; |
| 157 return true; | 165 return true; |
| 158 } | 166 } |
| 159 | 167 |
| 160 void TestRootCerts::Clear() { | 168 void TestRootCerts::Clear() { |
| 161 empty_ = true; | 169 empty_ = true; |
| 162 | 170 |
| 163 PCCERT_CONTEXT prev_cert = NULL; | 171 PCCERT_CONTEXT prev_cert = NULL; |
| 164 while (prev_cert = CertEnumCertificatesInStore(temporary_roots_, NULL)) | 172 while (prev_cert = CertEnumCertificatesInStore(temporary_roots_, NULL)) |
| 165 CertDeleteCertificateFromStore(prev_cert); | 173 CertDeleteCertificateFromStore(prev_cert); |
| 166 } | 174 } |
| 167 | 175 |
| 168 bool TestRootCerts::IsEmpty() const { | 176 bool TestRootCerts::IsEmpty() const { |
| 169 return empty_; | 177 return empty_; |
| 170 } | 178 } |
| 171 | 179 |
| 172 HCERTCHAINENGINE TestRootCerts::GetChainEngine() const { | 180 HCERTCHAINENGINE TestRootCerts::GetChainEngine() const { |
| 173 if (IsEmpty()) | 181 if (IsEmpty()) |
| 174 return NULL; // Default chain engine will suffice. | 182 return NULL; // Default chain engine will suffice. |
| 175 | 183 |
| 176 // Windows versions before 7 don't accept the struct size for later versions. | 184 // Windows versions before 7 don't accept the struct size for later versions. |
| 177 // We report the size of the old struct since we don't need the new members. | 185 // We report the size of the old struct since we don't need the new members. |
| 178 static const DWORD kSizeofCertChainEngineConfig = | 186 static const DWORD kSizeofCertChainEngineConfig = |
| 179 SIZEOF_STRUCT_WITH_SPECIFIED_LAST_MEMBER( | 187 SIZEOF_STRUCT_WITH_SPECIFIED_LAST_MEMBER(CERT_CHAIN_ENGINE_CONFIG, |
| 180 CERT_CHAIN_ENGINE_CONFIG, CycleDetectionModulus); | 188 CycleDetectionModulus); |
| 181 | 189 |
| 182 // Each HCERTCHAINENGINE caches both the configured system stores and | 190 // Each HCERTCHAINENGINE caches both the configured system stores and |
| 183 // information about each chain that has been built. In order to ensure | 191 // information about each chain that has been built. In order to ensure |
| 184 // that changes to |temporary_roots_| are properly propagated and that the | 192 // that changes to |temporary_roots_| are properly propagated and that the |
| 185 // various caches are flushed, when at least one certificate is added, | 193 // various caches are flushed, when at least one certificate is added, |
| 186 // return a new chain engine for every call. Each chain engine creation | 194 // return a new chain engine for every call. Each chain engine creation |
| 187 // should re-open the root store, ensuring the most recent changes are | 195 // should re-open the root store, ensuring the most recent changes are |
| 188 // visible. | 196 // visible. |
| 189 CERT_CHAIN_ENGINE_CONFIG engine_config = { | 197 CERT_CHAIN_ENGINE_CONFIG engine_config = {kSizeofCertChainEngineConfig}; |
| 190 kSizeofCertChainEngineConfig | |
| 191 }; | |
| 192 engine_config.dwFlags = | 198 engine_config.dwFlags = |
| 193 CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE | | 199 CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE | CERT_CHAIN_ENABLE_SHARE_STORE; |
| 194 CERT_CHAIN_ENABLE_SHARE_STORE; | |
| 195 HCERTCHAINENGINE chain_engine = NULL; | 200 HCERTCHAINENGINE chain_engine = NULL; |
| 196 BOOL ok = CertCreateCertificateChainEngine(&engine_config, &chain_engine); | 201 BOOL ok = CertCreateCertificateChainEngine(&engine_config, &chain_engine); |
| 197 DCHECK(ok); | 202 DCHECK(ok); |
| 198 return chain_engine; | 203 return chain_engine; |
| 199 } | 204 } |
| 200 | 205 |
| 201 TestRootCerts::~TestRootCerts() { | 206 TestRootCerts::~TestRootCerts() { |
| 202 CertCloseStore(temporary_roots_, 0); | 207 CertCloseStore(temporary_roots_, 0); |
| 203 } | 208 } |
| 204 | 209 |
| 205 void TestRootCerts::Init() { | 210 void TestRootCerts::Init() { |
| 206 empty_ = true; | 211 empty_ = true; |
| 207 temporary_roots_ = CertOpenStore( | 212 temporary_roots_ = CertOpenStore(CERT_STORE_PROV_MEMORY, |
| 208 CERT_STORE_PROV_MEMORY, 0, NULL, | 213 0, |
| 209 CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL); | 214 NULL, |
| 215 CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, |
| 216 NULL); |
| 210 DCHECK(temporary_roots_); | 217 DCHECK(temporary_roots_); |
| 211 } | 218 } |
| 212 | 219 |
| 213 } // namespace net | 220 } // namespace net |