SUPPORT-8703. Добавлены дополнительные проверки

2024-11-15 16:54:31 +03:00 · 2024-11-15 16:54:31 +03:00 · 3277329a14
commit 3277329a14
parent 5ce934287f
1 changed files with 43 additions and 21 deletions
--- a/src/utils/cryptopro.c
+++ b/src/utils/cryptopro.c
@ -79,6 +79,18 @@ error:
    return -1;
 }

+static void
+free_cert_chain(PCCERT_CHAIN_CONTEXT chain_ctx)
+{
+    LOG_TRACE("free_cert_chain enter");
+
+    if (chain_ctx) {
+        cp_function_list.CertFreeCertificateChain(chain_ctx);
+    }
+
+    LOG_TRACE("free_cert_chain exit");
+}
+
 static PCCERT_CHAIN_CONTEXT
 get_cert_chain(PCCERT_CONTEXT certificate)
 {
@ -95,16 +107,27 @@ get_cert_chain(PCCERT_CONTEXT certificate)
                                                    NULL, 
                                                    NULL, 
                                                    &chain_para,
-                                                    (CERT_CHAIN_CACHE_END_CERT | CERT_CHAIN_REVOCATION_CHECK_END_CERT),
+                                                    (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT),
                                                    NULL, 
                                                    &chain_ctx)) {
        LOG_ERROR("CertGetCertificateChain() failed");
-        LOG_ERROR("get_cert_chain exit with error");
-        return NULL;
+        goto error;
+    }
+    LOG_DEBUG("Trust error status: '0x%08x'", chain_ctx->TrustStatus.dwErrorStatus);
+    LOG_DEBUG("Trust info status: '0x%08x'", chain_ctx->TrustStatus.dwInfoStatus);
+    if (chain_ctx->TrustStatus.dwErrorStatus) {
+        LOG_WARN("The certificate is not trusted. CERT_TRUST_STATUS: '0x%08x'", 
+                    chain_ctx->TrustStatus.dwErrorStatus);
+        goto error;
    }

    LOG_TRACE("get_cert_chain exit");
    return chain_ctx;
+
+error:
+    free_cert_chain(chain_ctx);
+    LOG_ERROR("get_cert_chain exit with error");
+    return NULL;
 }

 static const char* 
@ -127,6 +150,8 @@ check_cert_chain_policy(PCCERT_CHAIN_CONTEXT chain_ctx)
 {
    LOG_TRACE("check_cert_chain_policy enter");

+    bool is_valid = false;
+
    CERT_CHAIN_POLICY_PARA policy_para = {0};
    policy_para.cbSize = sizeof(policy_para);

@ -144,33 +169,30 @@ check_cert_chain_policy(PCCERT_CHAIN_CONTEXT chain_ctx)
            chain_ctx, 
            &policy_para,
            &status)) {
-        LOG_ERROR("CertVerifyCertificateChainPolicy() failed");
-        LOG_ERROR("check_cert_chain_policy exit with error");
-        return false;
+        LOG_ERROR("CertVerifyCertificateChainPolicy() failed. Error code: 0x%08x", 
+                    cp_function_list.GetLastError());
+        goto exit;
    }

    if (status.dwError != 0) {
        LOG_WARN("The certificate chain cannot be validated. "
                 "CertVerifyCertificateChainPolicy status: %s('0x%08x')", 
                    get_cert_chain_policy_status_error_desc(status.dwError), status.dwError);
-        LOG_TRACE("check_cert_chain_policy exit");
-        return false;
+        goto exit;
    }

+    if (extraStatus.dwError != 0) {
+        LOG_WARN("The certificate chain cannot be validated. "
+                 "CertVerifyCertificateChainPolicy extra status: %s('0x%08x')", 
+                    get_cert_chain_policy_status_error_desc(status.dwError), status.dwError);
+        goto exit;
+    }
+
+    is_valid = true;
+
+exit:
    LOG_TRACE("check_cert_chain_policy exit");
-    return true;
-}
-
-static void
-free_cert_chain(PCCERT_CHAIN_CONTEXT chain_ctx)
-{
-    LOG_TRACE("free_cert_chain enter");
-
-    if (chain_ctx) {
-        cp_function_list.CertFreeCertificateChain(chain_ctx);
-    }
-
-    LOG_TRACE("free_cert_chain exit");
+    return is_valid;
 }

 static bool