Diff for "Crypt32"

Differences between revisions 49 and 50

Line 23:
CertVerifyCertificateChainPolicy implements checking of several "policies", including the SSL policy. The SSL policy lets the caller check that the DNS name of the server matches a dNSName subject alternative name or the subject common name in the certificate. Unfortunately that match can be spoofed with a name containing an embedded NUL byte: DER strings carry an explicit length, so a CA may issue a certificate whose name is "victim.example\0.attacker.example", but a C string comparison stops at the NUL and sees only the prefix the attacker chose. This vulnerability, found in nearly every browser, was first presented by Moxie Marlinspike at Black Hat USA 2009. Many browsers have been fixed, but Wine's code has not been yet.
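The following is an added example written for this page, not code from Wine or from crypt32. It models the name comparison described above on a decoded DER string (a byte pointer plus explicit length) and shows the vulnerable C-string comparison next to a length-aware one that refuses names containing a NUL byte. The sample names and the function names are constructed for the illustration; a real SSL policy check would also have to handle wildcards and compare against every dNSName in the subjectAltName extension.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample names, as a DER decoder would hand them back: a byte
 * pointer plus an explicit length. DER strings are length-delimited, so a
 * NUL byte is a legal character inside them. */
#define GOOD_NAME      "www.example.com"
#define GOOD_NAME_LEN  (sizeof(GOOD_NAME) - 1)
#define NUL_NAME       "www.example.com\0.attacker.test"
#define NUL_NAME_LEN   (sizeof(NUL_NAME) - 1)          /* 30 bytes, NUL included */

/* ASCII case-insensitive comparison of exactly n bytes (DNS names are
 * case-insensitive). Does not stop at NUL bytes. */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Vulnerable: copies the decoded name into a C string and then uses string
 * functions, which stop at the first NUL. Everything the attacker placed
 * after the NUL is never looked at, so NUL_NAME matches "www.example.com". */
int hostname_matches_vulnerable(const char *expected, const char *name, size_t name_len)
{
    char buf[256];
    size_t n = name_len < sizeof(buf) - 1 ? name_len : sizeof(buf) - 1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    size_t seen = strlen(buf);                     /* truncated at the embedded NUL */
    return seen == strlen(expected) && ieq_n(buf, expected, seen);
}

/* Hardened: rejects any name containing a NUL byte outright, then compares
 * using the decoded length rather than strlen, so the full name must match. */
int hostname_matches_fixed(const char *expected, const char *name, size_t name_len)
{
    if (memchr(name, '\0', name_len) != NULL)
        return 0;                                  /* no legitimate DNS name contains NUL */
    return name_len == strlen(expected) && ieq_n(name, expected, name_len);
}

int main(void)
{
    printf("vulnerable accepts embedded-NUL name: %d\n",
           hostname_matches_vulnerable("www.example.com", NUL_NAME, NUL_NAME_LEN));
    printf("fixed accepts embedded-NUL name:      %d\n",
           hostname_matches_fixed("www.example.com", NUL_NAME, NUL_NAME_LEN));
    printf("fixed accepts genuine name:           %d\n",
           hostname_matches_fixed("www.example.com", GOOD_NAME, GOOD_NAME_LEN));
    return 0;
}
```

The important detail is that the decoded length, not strlen, drives the comparison; any code path that converts the name to a C string before matching reintroduces the bug.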

Crypt32

Crypt32.dll is where most of the CryptoAPI is implemented. It supports encryption, decryption, and manipulation of certificates and related data structures. The actual encryption and decryption routines are not in crypt32 itself; they are implemented by a Cryptographic Service Provider, or CSP, which crypt32 calls. The RSA enhanced provider (rsaenh.dll) was added by MichaelJung. JuanLang is implementing the certificate stores.

Currently crypt32 supports encoding and decoding of certificates and certificate revocation lists (CRLs) in DER format, and a reasonable subset of certificate stores and cryptographic messages.

TODO

Messages

  • Attribute certificates. These can be carried in Cryptographic Message Syntax (CMS) messages, and are used by Windows for attributes of catalog files (I think).
  • Message countersignatures. A countersignature (PKCS #9) is a signature over another signer's signature value; these are used for time-stamping digital signatures, among other things.
  • Encrypted (aka enveloped) messages
  • More "simplified message" functions (the Crypt*Message* family, as opposed to the lower-level CryptMsg* functions).

PFX

PFX, a password-protected bundle of private keys and certificates, is documented, sort of, in PKCS #12, and is implemented by the PFX functions in crypt32, e.g. PFXImportCertStore and PFXExportCertStore. These are used by native cryptui and by the importpfx tool (see bug 11070).

Certificate Chains

The Wine version of CertGetCertificateChain only builds simple chains. Complex chains depend on CTLs (certificate trust lists), which are a Microsoft-proprietary cryptographic message type. Perhaps because they're a Microsoft invention rather than a standard, they aren't much used in practice. (The only app I've seen call any of the CTL APIs is MSN Messenger, aka Windows Live Messenger, during installation.)

It also doesn't support all the extensions it should. In particular, it doesn't process the certificate policies extension, so a caller that requires a particular policy to be valid along the chain can't be satisfied. This is needed at least by bug 19517 (XenCenter is unable to contact anything on the network).

RFC 5280 is the reference for certificate and CRL profiles and for path validation on the Internet. Mozilla also published a good guide to how Netscape did certificate validation.
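To make concrete what "checking the certificate policies extension" involves, here is an added example written for this page; it is not Wine's code and not how CertGetCertificateChain is implemented. It is a deliberately simplified version of RFC 5280 section 6.1 policy processing: it walks a chain from the certificate below the trust anchor to the end entity, keeping a flat set of valid policy OIDs instead of the full valid_policy_tree, and ignores policy mappings, inhibitAnyPolicy and policy constraints. The OIDs in the sample chain are constructed, and decoding the extension into dotted-decimal strings is assumed to have been done already.

```c
#include <stdio.h>
#include <string.h>

/* OID of anyPolicy (RFC 5280 section 4.2.1.4). */
#define ANY_POLICY   "2.5.29.32.0"
#define MAX_POLICIES 8

/* Policy OIDs asserted by one certificate's certificatePolicies extension,
 * already decoded into dotted-decimal strings (assumed done by the caller).
 * count == 0 means the certificate has no certificatePolicies extension. */
typedef struct {
    const char *policies[MAX_POLICIES];
    int count;
} cert_policies_t;

static int set_contains(const char *const *set, int n, const char *oid)
{
    for (int i = 0; i < n; i++)
        if (strcmp(set[i], oid) == 0)
            return 1;
    return 0;
}

/* Walk chain[0] (just below the trust anchor) to chain[n-1] (end entity) and
 * return 1 if required_oid is still a valid policy at the end of the path.
 * Simplified RFC 5280 6.1 processing: flat set, no mappings or constraints. */
int chain_valid_for_policy(const cert_policies_t *chain, int n,
                           const char *required_oid)
{
    const char *valid[MAX_POLICIES];
    int valid_count = 1;
    valid[0] = ANY_POLICY;                 /* initial set: anyPolicy */

    for (int i = 0; i < n; i++) {
        const cert_policies_t *c = &chain[i];
        const char *next[MAX_POLICIES];
        int next_count = 0;

        /* A certificate without the extension empties the set for good
         * (RFC 5280 6.1.3 (e)); nothing further down can revive it. */
        if (c->count == 0 || valid_count == 0) {
            valid_count = 0;
            continue;
        }

        if (set_contains(valid, valid_count, ANY_POLICY)) {
            /* Unrestricted so far: whatever this cert asserts becomes the set. */
            for (int j = 0; j < c->count; j++)
                next[next_count++] = c->policies[j];
        } else {
            /* Keep each valid policy the cert also asserts; a cert asserting
             * anyPolicy keeps all of them. */
            int cert_any = set_contains(c->policies, c->count, ANY_POLICY);
            for (int j = 0; j < valid_count; j++)
                if (cert_any || set_contains(c->policies, c->count, valid[j]))
                    next[next_count++] = valid[j];
        }
        for (int j = 0; j < next_count; j++)
            valid[j] = next[j];
        valid_count = next_count;
    }

    /* Acceptable if the policy survived, or if every certificate asserted
     * anyPolicy and the set is therefore still unrestricted. */
    return set_contains(valid, valid_count, required_oid)
        || set_contains(valid, valid_count, ANY_POLICY);
}

/* Constructed sample chain: an intermediate CA asserting two policies and an
 * end-entity certificate issued under only the first of them. */
static const cert_policies_t sample_chain[] = {
    { { "1.3.6.1.4.1.99999.1", "1.3.6.1.4.1.99999.2" }, 2 },   /* intermediate */
    { { "1.3.6.1.4.1.99999.1" }, 1 },                          /* end entity   */
};
#define SAMPLE_CHAIN_LEN 2

int main(void)
{
    printf("policy .1 valid: %d\n",
           chain_valid_for_policy(sample_chain, SAMPLE_CHAIN_LEN, "1.3.6.1.4.1.99999.1"));
    printf("policy .2 valid: %d\n",
           chain_valid_for_policy(sample_chain, SAMPLE_CHAIN_LEN, "1.3.6.1.4.1.99999.2"));
    return 0;
}
```

The point to notice is the asymmetry between anyPolicy and an absent extension: anyPolicy in an intermediate leaves the set unrestricted, while a certificate with no certificatePolicies extension at all empties it, and no later certificate can bring a policy back.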

Miscellaneous

Related DLLs


CategoryToDo

Crypt32 (last edited 2009-11-10 18:20:22 by JuanLang)