+ RevokedError,

+ RevocationCheckFailedError

+ case CertificateVerificationError::Revoked:

+ clientError = ClientError(ClientError::RevokedError);

+ break;

+ case CertificateVerificationError::RevocationCheckFailed:

+ clientError = ClientError(ClientError::RevocationCheckFailedError);

+ break;

+ Revoked,

+ RevocationCheckFailed

+ ScopedCertContext getCertContext() const

+ {

+ return m_cert;

+ }

+ ByteArray toDER() const;

+

+#include "Swiften/TLS/Schannel/SchannelContext.h"

+#include "Swiften/TLS/Schannel/SchannelCertificate.h"

+#include <WinHTTP.h> // For SECURITY_FLAG_IGNORE_CERT_CN_INVALID

+ ScopedCertContext pCertContext;

+ sc.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;

+ sc.paCred = pCertContext.GetPointer();

+

+ handleCertError(status);

+ status = validateServerCertificate();

+ if (status != SEC_E_OK)

+ handleCertError(status);

+

+SECURITY_STATUS SchannelContext::validateServerCertificate()

+{

+ SchannelCertificate::ref pServerCert = boost::dynamic_pointer_cast<SchannelCertificate>( getPeerCertificate() );

+ if (!pServerCert)

+ return SEC_E_WRONG_PRINCIPAL;

+

+ const LPSTR usage[] =

+ {

+ szOID_PKIX_KP_SERVER_AUTH,

+ szOID_SERVER_GATED_CRYPTO,

+ szOID_SGC_NETSCAPE

+ };

+

+ CERT_CHAIN_PARA chainParams = {0};

+ chainParams.cbSize = sizeof(chainParams);

+ chainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;

+ chainParams.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(usage);

+ chainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast<LPSTR*>(usage);

+

+ DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;

+

+ ScopedCertChainContext pChainContext;

+

+ BOOL success = CertGetCertificateChain(

+ NULL, // Use the chain engine for the current user (assumes a user is logged in)

+ pServerCert->getCertContext(),

+ NULL,

+ NULL,

+ &chainParams,

+ chainFlags,

+ NULL,

+ pChainContext.Reset());

+

+ if (!success)

+ return GetLastError();

+

+ SSL_EXTRA_CERT_CHAIN_POLICY_PARA sslChainPolicy = {0};

+ sslChainPolicy.cbSize = sizeof(sslChainPolicy);

+ sslChainPolicy.dwAuthType = AUTHTYPE_SERVER;

+ sslChainPolicy.fdwChecks = SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // Swiften checks the server name for us. Is this the correct way to disable server name checking?

+ sslChainPolicy.pwszServerName = NULL;

+

+ CERT_CHAIN_POLICY_PARA certChainPolicy = {0};

+ certChainPolicy.cbSize = sizeof(certChainPolicy);

+ certChainPolicy.dwFlags = CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG; // Swiften checks the server name for us. Is this the correct way to disable server name checking?

+ certChainPolicy.pvExtraPolicyPara = &sslChainPolicy;

+

+ CERT_CHAIN_POLICY_STATUS certChainPolicyStatus = {0};

+ certChainPolicyStatus.cbSize = sizeof(certChainPolicyStatus);

+

+ // Verify the chain

+ if (!CertVerifyCertificateChainPolicy(

+ CERT_CHAIN_POLICY_SSL,

+ pChainContext,

+ &certChainPolicy,

+ &certChainPolicyStatus))

+ {

+ return GetLastError();

+ }

+

+ if (certChainPolicyStatus.dwError != S_OK)

+ return certChainPolicyStatus.dwError;

+

+ return S_OK;

+}

+

+//------------------------------------------------------------------------

+

+ status = validateServerCertificate();

+ if (status != SEC_E_OK)

+ handleCertError(status);

+

+ handleCertError(status);

+void SchannelContext::handleCertError(SECURITY_STATUS status)

+{

+ if (status == SEC_E_UNTRUSTED_ROOT ||

+ status == CERT_E_UNTRUSTEDROOT ||

+ status == CRYPT_E_ISSUER_SERIALNUMBER ||

+ status == CRYPT_E_SIGNER_NOT_FOUND ||

+ status == CRYPT_E_NO_TRUSTED_SIGNER)

+ {

+ m_verificationError = CertificateVerificationError::Untrusted;

+ }

+ else if (status == SEC_E_CERT_EXPIRED ||

+ status == CERT_E_EXPIRED)

+ {

+ m_verificationError = CertificateVerificationError::Expired;

+ }

+ else if (status == CRYPT_E_SELF_SIGNED)

+ {

+ m_verificationError = CertificateVerificationError::SelfSigned;

+ }

+ else if (status == CRYPT_E_HASH_VALUE ||

+ status == TRUST_E_CERT_SIGNATURE)

+ {

+ m_verificationError = CertificateVerificationError::InvalidSignature;

+ }

+ else if (status == CRYPT_E_REVOKED)

+ {

+ m_verificationError = CertificateVerificationError::Revoked;

+ }

+ else if (status == CRYPT_E_NO_REVOCATION_CHECK ||

+ status == CRYPT_E_REVOCATION_OFFLINE)

+ {

+ m_verificationError = CertificateVerificationError::RevocationCheckFailed;

+ }

+ else

+ {

+ m_verificationError = CertificateVerificationError::UnknownError;

+ }

+}

+

+//------------------------------------------------------------------------

+

+ if (m_streamSizes.cbMaximumMessage == 0)

+ return;

+

+ if (m_verificationError)

+ pCertError.reset( new CertificateVerificationError(*m_verificationError) );

+ void handleCertError(SECURITY_STATUS status) ;

+ SECURITY_STATUS validateServerCertificate();

+ boost::optional<CertificateVerificationError> m_verificationError;

+ ScopedCertContext(const ScopedCertContext& rhs)

+ PCCERT_CONTEXT* GetPointer() const

+ {

+ return &m_pHandle->m_pCertCtxt;

+ }

+

+ ScopedCertContext& operator=(PCCERT_CONTEXT pCertCtxt)

+ {

+ // Only update the internal handle if it's different

+ if (m_pHandle && m_pHandle->m_pCertCtxt != pCertCtxt)

+ m_pHandle.reset( new HandleContext(pCertCtxt) );

+

+ return *this;

+ }

+

+ void FreeContext()

+ {

+ m_pHandle.reset( new HandleContext );

+ }

+

+ private:

+ boost::shared_ptr<HandleContext> m_pHandle;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel HCERTSTORE.

+ //

+ class ScopedCertStore : boost::noncopyable

+ {

+ public:

+ ScopedCertStore(HCERTSTORE hCertStore)

+ : m_hCertStore(hCertStore)

+ {

+ }

+

+ ~ScopedCertStore()

+ {

+ // Forcefully free all memory related to the store, i.e. we assume all CertContext's that have been opened via this

+ // cert store have been closed at this point.

+ if (m_hCertStore)

+ CertCloseStore(m_hCertStore, CERT_CLOSE_STORE_FORCE_FLAG);

+ }

+

+ operator HCERTSTORE() const

+ {

+ return m_hCertStore;

+ }

+

+ private:

+ HCERTSTORE m_hCertStore;

+ };

+

+ //------------------------------------------------------------------------

+

+ //

+ // Convenience wrapper around the Schannel CERT_CHAIN_CONTEXT.

+ //

+ class ScopedCertChainContext

+ {

+ private:

+ struct HandleContext

+ {

+ HandleContext()

+ : m_pCertChainCtxt(NULL)

+ {

+ }

+

+ HandleContext(PCCERT_CHAIN_CONTEXT pCert)

+ : m_pCertChainCtxt(pCert)

+ {

+ }

+

+ ~HandleContext()

+ {

+ if (m_pCertChainCtxt)

+ CertFreeCertificateChain(m_pCertChainCtxt);

+ }

+

+ PCCERT_CHAIN_CONTEXT m_pCertChainCtxt;

+ };

+

+ public:

+ ScopedCertChainContext()

+ : m_pHandle( new HandleContext )

+ {

+ }

+

+ explicit ScopedCertChainContext(PCCERT_CHAIN_CONTEXT pCert)

+ : m_pHandle( new HandleContext(pCert) )

+ {

+ }

+

+ // Copy constructor

+ ScopedCertChainContext(const ScopedCertChainContext& rhs)

+ {

+ m_pHandle = rhs.m_pHandle;

+ }

+

+ ~ScopedCertChainContext()

+ {

+ m_pHandle.reset();

+ }

+

+ PCCERT_CHAIN_CONTEXT* Reset()

+ {

+ FreeContext();

+ return &m_pHandle->m_pCertChainCtxt;

+ }

+

+ operator PCCERT_CHAIN_CONTEXT() const

+ {

+ return m_pHandle->m_pCertChainCtxt;

+ }

+

+ PCCERT_CHAIN_CONTEXT operator->() const

+ {

+ return m_pHandle->m_pCertChainCtxt;

+ }

+

+ ScopedCertChainContext& operator=(const ScopedCertChainContext& sh)

+ {

+ // Only update the internal handle if it's different

+ if (&m_pHandle->m_pCertChainCtxt != &sh.m_pHandle->m_pCertChainCtxt)

+ {

+ m_pHandle = sh.m_pHandle;

+ }

+

+ return *this;

+ }

+

+ };