Correct client certificate validation policy on Windows and macOS. (#…

…1966)
microsoft · Sep 21, 2021 · 4429da0 · 4429da0
1 parent dee6c6c
commit 4429da0
Show file tree

Hide file tree

Showing 8 changed files with 377 additions and 21 deletions.
diff --git a/src/generated/linux/cert_capi.c.clog.h b/src/generated/linux/cert_capi.c.clog.h
@@ -38,10 +38,10 @@ extern "C" {
         CertCapiVerifiedChain,
         "CertVerifyChain: %S 0x%x, result=0x%x",
         ServerName,
-        IgnoreFlags,
+        CredFlags,
         Status);
 // arg2 = arg2 = ServerName
-// arg3 = arg3 = IgnoreFlags
+// arg3 = arg3 = CredFlags
 // arg4 = arg4 = Status
 ----------------------------------------------------------*/
 #define _clog_5_ARGS_TRACE_CertCapiVerifiedChain(uniqueId, encoded_arg_string, arg2, arg3, arg4)\

diff --git a/src/generated/linux/cert_capi.c.clog.h.lttng.h b/src/generated/linux/cert_capi.c.clog.h.lttng.h
@@ -8,10 +8,10 @@
         CertCapiVerifiedChain,
         "CertVerifyChain: %S 0x%x, result=0x%x",
         ServerName,
-        IgnoreFlags,
+        CredFlags,
         Status);
 // arg2 = arg2 = ServerName
-// arg3 = arg3 = IgnoreFlags
+// arg3 = arg3 = CredFlags
 // arg4 = arg4 = Status
 ----------------------------------------------------------*/
 TRACEPOINT_EVENT(CLOG_CERT_CAPI_C, CertCapiVerifiedChain,

diff --git a/src/generated/linux/cert_capi_openssl.c.clog.h b/src/generated/linux/cert_capi_openssl.c.clog.h
@@ -314,6 +314,138 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\
 
 
 
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            Type,
+            "Unsupported Type passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = Type
+// arg3 = arg3 = "Unsupported Type passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            (unsigned int)QUIC_STATUS_INVALID_PARAMETER,
+            "NULL CertHash passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = (unsigned int)QUIC_STATUS_INVALID_PARAMETER
+// arg3 = arg3 = "NULL CertHash passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            (unsigned int)QUIC_STATUS_INVALID_PARAMETER,
+            "NULL CertHashStore passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = (unsigned int)QUIC_STATUS_INVALID_PARAMETER
+// arg3 = arg3 = "NULL CertHashStore passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            (unsigned int)QUIC_STATUS_INVALID_PARAMETER,
+            "NULL Principal passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = (unsigned int)QUIC_STATUS_INVALID_PARAMETER
+// arg3 = arg3 = "NULL Principal passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            CredType,
+            "Unsupported CredType passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = CredType
+// arg3 = arg3 = "Unsupported CredType passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+            LibraryErrorStatus,
+            "[ lib] ERROR, %u, %s.",
+            GetLastError(),
+            "CertOpenStore failed");
+// arg2 = arg2 = GetLastError()
+// arg3 = arg3 = "CertOpenStore failed"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/src/inc/quic_cert.h b/src/inc/quic_cert.h
@@ -82,7 +82,7 @@ CxPlatCertValidateChain(
     _In_ const QUIC_CERTIFICATE* Certificate,
     _In_opt_z_ const char* Host,
     _In_ uint32_t CertFlags,
-    _In_ uint32_t IgnoreFlags,
+    _In_ uint32_t CredFlags,
     _Out_opt_ uint32_t* ValidationError
     );
 

diff --git a/src/platform/cert_capi.c b/src/platform/cert_capi.c
@@ -796,7 +796,7 @@ DWORD
 CxPlatCertVerifyCertChainPolicy(
     _In_ PCCERT_CHAIN_CONTEXT ChainContext,
     _In_opt_ PWSTR ServerName,
-    _In_ ULONG IgnoreFlags
+    _In_ uint32_t CredFlags
     )
 {
     DWORD Status = NO_ERROR;
@@ -807,9 +807,10 @@ CxPlatCertVerifyCertChainPolicy(
 
     memset(&HttpsPolicy, 0, sizeof(HTTPSPolicyCallbackData));
     HttpsPolicy.cbStruct = sizeof(HTTPSPolicyCallbackData);
-    HttpsPolicy.dwAuthType = AUTHTYPE_SERVER;
+    HttpsPolicy.dwAuthType =
+        (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? AUTHTYPE_SERVER : AUTHTYPE_CLIENT;
     HttpsPolicy.fdwChecks = 0;
-    HttpsPolicy.pwszServerName = ServerName;
+    HttpsPolicy.pwszServerName = (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? ServerName : NULL;
 
     memset(&PolicyPara, 0, sizeof(PolicyPara));
     PolicyPara.cbSize = sizeof(PolicyPara);
@@ -832,10 +833,10 @@ CxPlatCertVerifyCertChainPolicy(
         goto Exit;
 
     } else if (PolicyStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK &&
-        (IgnoreFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK)) {
+        (CredFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK)) {
         Status = NO_ERROR;
     } else if (PolicyStatus.dwError == CRYPT_E_REVOCATION_OFFLINE &&
-        (IgnoreFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE)) {
+        (CredFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE)) {
         Status = NO_ERROR;
     } else if (PolicyStatus.dwError != NO_ERROR) {
 
@@ -854,7 +855,7 @@ CxPlatCertVerifyCertChainPolicy(
         CertCapiVerifiedChain,
         "CertVerifyChain: %S 0x%x, result=0x%x",
         ServerName,
-        IgnoreFlags,
+        CredFlags,
         Status);
 
     return Status;
@@ -866,7 +867,7 @@ CxPlatCertValidateChain(
     _In_ const QUIC_CERTIFICATE* Certificate,
     _In_opt_z_ PCSTR Host,
     _In_ uint32_t CertFlags,
-    _In_ uint32_t IgnoreFlags,
+    _In_ uint32_t CredFlags,
     _Out_opt_ uint32_t* ValidationError
     )
 {
@@ -879,21 +880,27 @@ CxPlatCertValidateChain(
 
     CERT_CHAIN_PARA ChainPara;
 
-    static const LPSTR UsageOids[] = {
+    static const LPSTR ServerUsageOids[] = {
         szOID_PKIX_KP_SERVER_AUTH,
         szOID_SERVER_GATED_CRYPTO,
         szOID_SGC_NETSCAPE
     };
 
+    static const LPSTR ClientUsageOids[] =  {
+        szOID_PKIX_KP_CLIENT_AUTH
+    };
+
     if (ValidationError != NULL) {
         *ValidationError = NO_ERROR;
     }
 
     memset(&ChainPara, 0, sizeof(ChainPara));
     ChainPara.cbSize = sizeof(ChainPara);
     ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
-    ChainPara.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(UsageOids);
-    ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = (LPSTR*)UsageOids;
+    ChainPara.RequestedUsage.Usage.cUsageIdentifier =
+        (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? ARRAYSIZE(ServerUsageOids) : ARRAYSIZE(ClientUsageOids);
+    ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier =
+        (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? (LPSTR*)ServerUsageOids : (LPSTR*)ClientUsageOids;
 
     if (!CertGetCertificateChain(
             NULL,
@@ -933,7 +940,7 @@ CxPlatCertValidateChain(
         CxPlatCertVerifyCertChainPolicy(
             ChainContext,
             ServerName,
-            IgnoreFlags);
+            CredFlags);
 
     Result = NO_ERROR == Error;