Telerik
/
poco
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'develop' of https://github.com/pocoproject/poco into develop

This commit is contained in:
Guenter Obiltschnig 2014-10-10 08:13:24 +02:00
Родитель d74afb9492 2d5827d332
Коммит af38d47df2
9 изменённых файлов: 207 добавлений и 175 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1
Net/src/HTTPSession.cpp
Просмотреть файл

@ -78,7 +78,6 @@ HTTPSession::~HTTPSession()
}
catch (...)
{
poco_unexpected();
}
delete _pException;
}

2
NetSSL_Win/include/Poco/Net/SecureSocketImpl.h
Просмотреть файл

@ -188,7 +188,7 @@ protected:
void performServerHandshake();
bool serverHandshakeLoop(PCtxtHandle phContext, PCredHandle phCred, bool requireClientAuth, bool doInitialRead, bool newContext);
void clientVerifyCertificate(const std::string& hostName);
void verifyCertificateChainClient(PCCERT_CONTEXT pServerCert, PCCERT_CHAIN_CONTEXT pChainContext);
void verifyCertificateChainClient(PCCERT_CONTEXT pServerCert);
void serverVerifyCertificate();
LONG serverDisconnect(PCredHandle phCreds, CtxtHandle* phContext);
LONG clientDisconnect(PCredHandle phCreds, CtxtHandle* phContext);

20
NetSSL_Win/include/Poco/Net/X509Certificate.h
Просмотреть файл

@ -3,7 +3,7 @@
//
// $Id$
//
// Library: Crypto
// Library: NetSSL_Win
// Package: Certificate
// Module: X509Certificate
//
@ -22,8 +22,8 @@
#include "Poco/Net/NetSSL.h"
#include "Poco/DateTime.h"
#include "Poco/SharedPtr.h"
#include <set>
#include <istream>
#include <wincrypt.h>
@ -51,6 +51,10 @@ public:
/// Creates the X509Certificate object by reading
/// a certificate in PEM or DER format from a file.
explicit X509Certificate(std::istream& istr);
/// Creates the X509Certificate object by reading
/// a certificate in PEM or DER format from a stream.
X509Certificate(const std::string& certName, const std::string& certStoreName, bool useMachineStore = false);
/// Creates the X509Certificate object by loading
/// a certificate from the specified certificate store.
@ -116,9 +120,8 @@ public:
/// the issuer given by issuerCertificate. This can be
/// used to validate a certificate chain.
///
/// Verifies if the certificate has been signed with the
/// issuer's private key, using the public key from the issuer
/// certificate.
/// Verifies that the given certificate is contained in the
/// certificate's issuer certificate chain.
///
/// Returns true if verification against the issuer certificate
/// was successful, false otherwise.
@ -140,7 +143,6 @@ public:
/// of the host.
///
/// Returns true if verification succeeded, or false otherwise.
const PCCERT_CONTEXT system() const;
/// Returns the underlying WinCrypt certificate.
@ -154,6 +156,7 @@ protected:
void loadCertificate(const std::string& certName, const std::string& certStoreName, bool useMachineStore);
void importCertificate(const std::string& certPath);
void importCertificate(std::istream& istr);
void importCertificate(const char* pBuffer, std::size_t size);
void importPEMCertificate(const char* pBuffer, std::size_t size);
void importDERCertificate(const char* pBuffer, std::size_t size);
@ -162,11 +165,6 @@ protected:
static bool matchWildcard(const std::string& alias, const std::string& hostName);
private:
enum
{
NAME_BUFFER_SIZE = 256
};
std::string _issuerName;
std::string _subjectName;
PCCERT_CONTEXT _pCert;

4
NetSSL_Win/samples/HTTPSTimeServer/HTTPSTimeServer.properties
Просмотреть файл

@ -3,7 +3,9 @@
HTTPSTimeServer.format = %W, %e %b %y %H:%M:%S %Z
HTTPSTimeServer.port = 9443
schannel.server.certificateName = ${system.nodeName}
schannel.server.certificatePath = ${application.configDir}any.pfx
schannel.server.privateKeyPassphraseHandler.name = KeyFileHandler
schannel.server.privateKeyPassphraseHandler.options.password = secret
schannel.server.verificationMode = none
schannel.server.useMachineStore = false
schannel.server.useStrongCrypto = true

Двоичные данные
NetSSL_Win/samples/HTTPSTimeServer/any.pfx Normal file
Просмотреть файл

Двоичный файл не отображается.

3
NetSSL_Win/samples/Mail/src/Mail.cpp
Просмотреть файл

@ -18,6 +18,7 @@
#include "Poco/Net/StringPartSource.h"
#include "Poco/Net/SSLManager.h"
#include "Poco/Net/ConsoleCertificateHandler.h"
#include "Poco/Net/PrivateKeyPassphraseHandler.h"
#include "Poco/SharedPtr.h"
#include "Poco/Path.h"
#include "Poco/Exception.h"
@ -83,7 +84,7 @@ int main(int argc, char** argv)
// Note: we must create the passphrase handler prior Context
SharedPtr<InvalidCertificateHandler> pCert = new ConsoleCertificateHandler(false); // ask the user via console
Context::Ptr pContext = new Context(Context::CLIENT_USE, "");
SSLManager::instance().initializeClient(pCert, pContext);
SSLManager::instance().initializeClient(0, pCert, pContext);
MailMessage message;
message.setSender(sender);

3
NetSSL_Win/samples/download/src/download.cpp
Просмотреть файл

@ -23,6 +23,7 @@
#include "Poco/Net/FTPStreamFactory.h"
#include "Poco/Net/SSLManager.h"
#include "Poco/Net/ConsoleCertificateHandler.h"
#include "Poco/Net/PrivateKeyPassphraseHandler.h"
#include <memory>
#include <iostream>
@ -75,7 +76,7 @@ int main(int argc, char** argv)
SharedPtr<InvalidCertificateHandler> pCertHandler = new ConsoleCertificateHandler(false); // ask the user via console
Context::Ptr pContext = new Context(Context::CLIENT_USE, "");
SSLManager::instance().initializeClient(pCertHandler, pContext);
SSLManager::instance().initializeClient(0, pCertHandler, pContext);
try
{

174
NetSSL_Win/src/SecureSocketImpl.cpp
Просмотреть файл

@ -1175,15 +1175,24 @@ void SecureSocketImpl::clientVerifyCertificate(const std::string& hostName)
if (!args.getIgnoreError())
throw InvalidCertificateException("Host name verification failed");
}
int iRc = CertVerifyTimeValidity(NULL, _pPeerCertificate->pCertInfo);
if (iRc != 0)
LONG rc = CertVerifyTimeValidity(0, _pPeerCertificate->pCertInfo);
if (rc != 0)
{
VerificationErrorArgs args(cert, 0, SEC_E_CERT_EXPIRED, "The certificate is expired");
VerificationErrorArgs args(cert, 0, SEC_E_CERT_EXPIRED, "The certificate is not yet, or no longer valid");
SSLManager::instance().ClientVerificationError(this, args);
if (!args.getIgnoreError())
throw InvalidCertificateException("Expired certificate");
}
verifyCertificateChainClient(_pPeerCertificate);
}
void SecureSocketImpl::verifyCertificateChainClient(PCCERT_CONTEXT pServerCert)
{
X509Certificate cert(pServerCert, true);
CERT_CHAIN_PARA chainPara;
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
std::memset(&chainPara, 0, sizeof(chainPara));
@ -1199,24 +1208,15 @@ void SecureSocketImpl::clientVerifyCertificate(const std::string& hostName)
NULL,
&pChainContext))
{
CertFreeCertificateChain(pChainContext);
throw SSLException("Failed to get certificate chain", GetLastError());
throw SSLException("Cannot get certificate chain", GetLastError());
}
verifyCertificateChainClient(_pPeerCertificate, pChainContext);
}
void SecureSocketImpl::verifyCertificateChainClient(PCCERT_CONTEXT pServerCert, PCCERT_CHAIN_CONTEXT pChainContext)
{
X509Certificate cert(pServerCert, true);
HTTPSPolicyCallbackData polHttps;
std::memset(&polHttps, 0, sizeof(HTTPSPolicyCallbackData));
polHttps.cbStruct = sizeof(HTTPSPolicyCallbackData);
polHttps.dwAuthType = AUTHTYPE_SERVER;
polHttps.fdwChecks = SECURITY_FLAG_IGNORE_UNKNOWN_CA; // we do our own CA verification!
polHttps.pwszServerName = 0;// not supported on Win98, ME! but ignored on client side anyway
polHttps.fdwChecks = SECURITY_FLAG_IGNORE_UNKNOWN_CA; // we do our own check later on
polHttps.pwszServerName = 0;
CERT_CHAIN_POLICY_PARA polPara;
std::memset(&polPara, 0, sizeof(polPara));
@ -1238,12 +1238,11 @@ void SecureSocketImpl::verifyCertificateChainClient(PCCERT_CONTEXT pServerCert,
if (!args.getIgnoreError())
{
CertFreeCertificateChain(pChainContext);
throw SSLException("Failed to verify certificate chain");
throw SSLException("Cannot verify certificate chain");
}
else return;
}
if (polStatus.dwError)
else if (polStatus.dwError)
{
VerificationErrorArgs args(cert, polStatus.lElementIndex, polStatus.dwError, Utility::formatError(polStatus.dwError));
SSLManager::instance().ClientVerificationError(this, args);
@ -1257,13 +1256,15 @@ void SecureSocketImpl::verifyCertificateChainClient(PCCERT_CONTEXT pServerCert,
// now verify CA's
HCERTSTORE trustedCerts = _pContext->certificateStore();
Poco::Buffer<PCERT_CONTEXT> certs(pChainContext->cChain);
for (DWORD i = 0; i < pChainContext->cChain; i++)
{
certs[i] = (PCERT_CONTEXT)(pChainContext->rgpChain[i]->rgpElement[0]->pCertContext);
// each issuer of the pCert must be a member of the trustedCerts store
PCCERT_CONTEXT pResult = CertFindCertificateInStore(trustedCerts, certs[i]->dwCertEncodingType, 0, CERT_FIND_ISSUER_OF, certs[i], 0);
std::vector<PCCERT_CONTEXT> certs;
for (DWORD k = 0; k < pChainContext->rgpChain[i]->cElement; k++)
{
certs.push_back(pChainContext->rgpChain[i]->rgpElement[k]->pCertContext);
}
// verify that the root of the chain can be found in the trusted store
PCCERT_CONTEXT pResult = CertFindCertificateInStore(trustedCerts, certs.back()->dwCertEncodingType, 0, CERT_FIND_ISSUER_OF, certs.back(), 0);
if (!pResult)
{
poco_assert_dbg (GetLastError() == CRYPT_E_NOT_FOUND);
@ -1276,34 +1277,36 @@ void SecureSocketImpl::verifyCertificateChainClient(PCCERT_CONTEXT pServerCert,
return;
}
CertFreeCertificateContext(pResult);
}
#if !defined(_WIN32_WCE)
// check if cert is revoked
if (_pContext->options() & Context::OPT_PERFORM_REVOCATION_CHECK)
{
CERT_REVOCATION_STATUS revStat;
revStat.cbSize = sizeof(CERT_REVOCATION_STATUS);
PCERT_CONTEXT* pCerts = certs.begin();
BOOL rc = CertVerifyRevocation(
X509_ASN_ENCODING,
CERT_CONTEXT_REVOCATION_TYPE,
pChainContext->cChain,
(void **)pCerts,
CERT_VERIFY_REV_CHAIN_FLAG,
NULL,
&revStat);
if (!rc)
// check if cert is revoked
if (_pContext->options() & Context::OPT_PERFORM_REVOCATION_CHECK)
{
VerificationErrorArgs args(cert, revStat.dwIndex, revStat.dwReason, Utility::formatError(revStat.dwError));
SSLManager::instance().ClientVerificationError(this, args);
if (!args.getIgnoreError())
CERT_REVOCATION_STATUS revStat;
revStat.cbSize = sizeof(CERT_REVOCATION_STATUS);
BOOL ok = CertVerifyRevocation(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
CERT_CONTEXT_REVOCATION_TYPE,
certs.size(),
(void**) &certs[0],
CERT_VERIFY_REV_CHAIN_FLAG,
NULL,
&revStat);
// Revocation check of the root certificate may fail due to missing CRL points, etc.
// We ignore all errors checking the root certificate except CRYPT_E_REVOKED.
if (!ok && (revStat.dwIndex < certs.size() - 1 || revStat.dwError == CRYPT_E_REVOKED))
{
CertFreeCertificateChain(pChainContext);
throw SSLException("Failed to verify revoked certificate chain");
VerificationErrorArgs args(cert, revStat.dwIndex, revStat.dwReason, Utility::formatError(revStat.dwError));
SSLManager::instance().ClientVerificationError(this, args);
if (!args.getIgnoreError())
{
CertFreeCertificateChain(pChainContext);
throw SSLException("Failed to verify revoked certificate chain");
}
}
else break;
}
}
#endif
@ -1321,10 +1324,10 @@ void SecureSocketImpl::serverVerifyCertificate()
DWORD status = SEC_E_OK;
X509Certificate cert(_pPeerCertificate, true);
int iRc = CertVerifyTimeValidity(NULL, _pPeerCertificate->pCertInfo);
if (iRc != 0)
LONG rc = CertVerifyTimeValidity(0, _pPeerCertificate->pCertInfo);
if (rc != 0)
{
VerificationErrorArgs args(cert, 0, SEC_E_CERT_EXPIRED, "The certificate is expired");
VerificationErrorArgs args(cert, 0, SEC_E_CERT_EXPIRED, "The certificate is not yet, or no longer valid");
SSLManager::instance().ServerVerificationError(this, args);
if (!args.getIgnoreError())
@ -1348,14 +1351,7 @@ void SecureSocketImpl::serverVerifyCertificate()
NULL,
&pChainContext))
{
VerificationErrorArgs args(cert, 0, GetLastError(), "The certificate chain is expired");
SSLManager::instance().ServerVerificationError(this, args);
if (pChainContext) CertFreeCertificateChain(pChainContext);
if (!args.getIgnoreError())
{
throw SSLException("The certificate chain is expired");
}
else return;
throw SSLException("Cannot get certificate chain", GetLastError());
}
HTTPSPolicyCallbackData polHttps;
@ -1363,7 +1359,7 @@ void SecureSocketImpl::serverVerifyCertificate()
polHttps.cbStruct = sizeof(HTTPSPolicyCallbackData);
polHttps.dwAuthType = AUTHTYPE_CLIENT;
polHttps.fdwChecks = 0;
polHttps.pwszServerName = NULL;
polHttps.pwszServerName = 0;
CERT_CHAIN_POLICY_PARA policyPara;
std::memset(&policyPara, 0, sizeof(policyPara));
@ -1378,18 +1374,17 @@ void SecureSocketImpl::serverVerifyCertificate()
{
VerificationErrorArgs args(cert, 0, GetLastError(), "Failed to verify certificate chain");
SSLManager::instance().ServerVerificationError(this, args);
if (pChainContext) CertFreeCertificateChain(pChainContext);
CertFreeCertificateChain(pChainContext);
if (!args.getIgnoreError())
throw SSLException("Failed to verify certificate chain");
throw SSLException("Cannot verify certificate chain");
else
return;
}
if (policyStatus.dwError)
else if (policyStatus.dwError)
{
VerificationErrorArgs args(cert, policyStatus.lElementIndex, status, Utility::formatError(policyStatus.dwError));
SSLManager::instance().ServerVerificationError(this, args);
if (pChainContext) CertFreeCertificateChain(pChainContext);
CertFreeCertificateChain(pChainContext);
if (!args.getIgnoreError())
throw SSLException("Failed to verify certificate chain");
else
@ -1397,36 +1392,37 @@ void SecureSocketImpl::serverVerifyCertificate()
}
#if !defined(_WIN32_WCE)
PCERT_CONTEXT *pCerts = new PCERT_CONTEXT[pChainContext->cChain];
// perform revocation checking
for (DWORD i = 0; i < pChainContext->cChain; i++)
{
pCerts[i] = (PCERT_CONTEXT)(pChainContext->rgpChain[i]->rgpElement[0]->pCertContext);
}
CERT_REVOCATION_STATUS revStat;
revStat.cbSize = sizeof(CERT_REVOCATION_STATUS);
BOOL bRc = CertVerifyRevocation(
X509_ASN_ENCODING,
CERT_CONTEXT_REVOCATION_TYPE,
pChainContext->cChain,
(void **)pCerts,
CERT_VERIFY_REV_CHAIN_FLAG,
NULL,
&revStat);
if (!bRc)
{
VerificationErrorArgs args(cert, revStat.dwIndex, revStat.dwReason, Utility::formatError(revStat.dwReason));
SSLManager::instance().ServerVerificationError(this, args);
if (!args.getIgnoreError())
std::vector<PCCERT_CONTEXT> certs;
for (DWORD k = 0; k < pChainContext->rgpChain[i]->cElement; k++)
{
CertFreeCertificateChain(pChainContext);
delete [] pCerts;
throw SSLException("Failed to verify certificate chain");
certs.push_back(pChainContext->rgpChain[i]->rgpElement[k]->pCertContext);
}
CERT_REVOCATION_STATUS revStat;
revStat.cbSize = sizeof(CERT_REVOCATION_STATUS);
BOOL ok = CertVerifyRevocation(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
CERT_CONTEXT_REVOCATION_TYPE,
certs.size(),
(void**) &certs[0],
CERT_VERIFY_REV_CHAIN_FLAG,
NULL,
&revStat);
if (!ok && (revStat.dwIndex < certs.size() - 1 || revStat.dwError == CRYPT_E_REVOKED))
{
VerificationErrorArgs args(cert, revStat.dwIndex, revStat.dwReason, Utility::formatError(revStat.dwReason));
SSLManager::instance().ServerVerificationError(this, args);
if (!args.getIgnoreError())
{
CertFreeCertificateChain(pChainContext);
throw SSLException("Failed to verify certificate chain");
}
}
}
delete [] pCerts;
#endif
if (pChainContext)
{
@ -1439,8 +1435,6 @@ LONG SecureSocketImpl::clientDisconnect(PCredHandle phCreds, CtxtHandle* phConte
{
if (phContext->dwLower == 0 && phContext->dwUpper == 0)
{
// handshake has never been done
poco_assert_dbg (_needHandshake);
return SEC_E_OK;
}

175
NetSSL_Win/src/X509Certificate.cpp
Просмотреть файл

@ -3,7 +3,7 @@
//
// $Id$
//
// Library: Crypto
// Library: NetSSL_Win
// Package: Certificate
// Module: X509Certificate
//
@ -42,6 +42,13 @@ X509Certificate::X509Certificate(const std::string& path):
}
X509Certificate::X509Certificate(std::istream& istr):
_pCert(0)
{
importCertificate(istr);
}
X509Certificate::X509Certificate(const std::string& certName, const std::string& certStoreName, bool useMachineStore):
_pCert(0)
{
@ -106,11 +113,55 @@ X509Certificate::~X509Certificate()
void X509Certificate::init()
{
wchar_t data[256];
CertGetNameStringW(_pCert, CERT_NAME_SIMPLE_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, data, 256);
Poco::UnicodeConverter::convert(data, _issuerName);
CertGetNameStringW(_pCert, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, data, 256);
Poco::UnicodeConverter::convert(data, _subjectName);
std::string name = issuerName(NID_COUNTRY);
if (!name.empty())
{
_issuerName += "/C=";
_issuerName += name;
}
name = issuerName(NID_STATE_OR_PROVINCE);
if (!name.empty())
{
_issuerName += "/ST=";
_issuerName += name;
}
name = issuerName(NID_ORGANIZATION_NAME);
if (!name.empty())
{
_issuerName += "/O=";
_issuerName += name;
}
name = issuerName(NID_COMMON_NAME);
if (!name.empty())
{
_issuerName += "/CN=";
_issuerName += name;
}
name = subjectName(NID_COUNTRY);
if (!name.empty())
{
_subjectName += "/C=";
_subjectName += name;
}
name = subjectName(NID_STATE_OR_PROVINCE);
if (!name.empty())
{
_subjectName += "/ST=";
_subjectName += name;
}
name = subjectName(NID_ORGANIZATION_NAME);
if (!name.empty())
{
_subjectName += "/O=";
_subjectName += name;
}
name = subjectName(NID_COMMON_NAME);
if (!name.empty())
{
_subjectName += "/CN=";
_subjectName += name;
}
}
@ -123,9 +174,10 @@ std::string X509Certificate::commonName() const
std::string X509Certificate::issuerName(NID nid) const
{
std::string result;
wchar_t data[256];
CertGetNameStringW(_pCert, CERT_NAME_ATTR_TYPE, CERT_NAME_ISSUER_FLAG, nid2oid(nid), data, 256);
Poco::UnicodeConverter::convert(data, result);
DWORD size = CertGetNameStringW(_pCert, CERT_NAME_ATTR_TYPE, CERT_NAME_ISSUER_FLAG, nid2oid(nid), 0, 0);
Poco::Buffer<wchar_t> data(size);
CertGetNameStringW(_pCert, CERT_NAME_ATTR_TYPE, CERT_NAME_ISSUER_FLAG, nid2oid(nid), data.begin(), size);
Poco::UnicodeConverter::convert(data.begin(), result);
return result;
}
@ -133,9 +185,10 @@ std::string X509Certificate::issuerName(NID nid) const
std::string X509Certificate::subjectName(NID nid) const
{
std::string result;
wchar_t data[256];
CertGetNameStringW(_pCert, CERT_NAME_ATTR_TYPE, 0, nid2oid(nid), data, 256);
Poco::UnicodeConverter::convert(data, result);
DWORD size = CertGetNameStringW(_pCert, CERT_NAME_ATTR_TYPE, 0, nid2oid(nid), 0, 0);
Poco::Buffer<wchar_t> data(size);
CertGetNameStringW(_pCert, CERT_NAME_ATTR_TYPE, 0, nid2oid(nid), data.begin(), size);
Poco::UnicodeConverter::convert(data.begin(), result);
return result;
}
@ -182,7 +235,7 @@ void X509Certificate::extractNames(std::string& cmnName, std::set<std::string>&
PCERT_ALT_NAME_INFO pNameInfo = reinterpret_cast<PCERT_ALT_NAME_INFO>(buffer.begin());
for (int i = 0; i < pNameInfo->cAltEntry; i++)
{
std::wstring waltName(pNameInfo->rgAltEntry->pwszDNSName);
std::wstring waltName(pNameInfo->rgAltEntry[i].pwszDNSName);
std::string altName;
Poco::UnicodeConverter::toUTF8(waltName, altName);
domainNames.insert(altName);
@ -213,68 +266,40 @@ Poco::DateTime X509Certificate::expiresOn() const
bool X509Certificate::issuedBy(const X509Certificate& issuerCertificate) const
{
class CertStoreHandle
CERT_CHAIN_PARA chainPara;
PCCERT_CHAIN_CONTEXT pChainContext = 0;
std::memset(&chainPara, 0, sizeof(chainPara));
chainPara.cbSize = sizeof(chainPara);
if (!CertGetCertificateChain(
NULL,
_pCert,
NULL,
NULL,
&chainPara,
0,
NULL,
&pChainContext))
{
public:
CertStoreHandle(HCERTSTORE hStore):
_hStore(hStore)
{
}
~CertStoreHandle()
{
if (_hStore) CertCloseStore(_hStore, 0);
}
HCERTSTORE handle() const
{
return _hStore;
}
private:
HCERTSTORE _hStore;
};
CertStoreHandle caStore(CertOpenSystemStoreW(0, L"CA"));
CertStoreHandle rootStore(CertOpenSystemStoreW(0, L"ROOT"));
throw SSLException("Cannot get certificate chain", subjectName(), GetLastError());
}
bool result = false;
PCCERT_CONTEXT pIssuer;
PCCERT_CONTEXT pIssued = _pCert;
do
for (DWORD i = 0; i < pChainContext->cChain && !result; i++)
{
DWORD flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
pIssuer = 0;
if (caStore.handle())
for (DWORD k = 0; k < pChainContext->rgpChain[i]->cElement && !result; k++)
{
pIssuer = CertGetIssuerCertificateFromStore(caStore.handle(), pIssued, 0, &flags);
}
if (!pIssuer && rootStore.handle())
{
pIssuer = CertGetIssuerCertificateFromStore(rootStore.handle(), pIssued, 0, &flags);
}
if (pIssuer)
{
X509Certificate issuer(pIssuer);
if (flags & CERT_STORE_NO_CRL_FLAG)
flags &= ~(CERT_STORE_NO_CRL_FLAG | CERT_STORE_REVOCATION_FLAG);
if (flags)
break;
if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, issuerCertificate.system()->pCertInfo, issuer.system()->pCertInfo))
PCCERT_CONTEXT pChainCert = pChainContext->rgpChain[i]->rgpElement[k]->pCertContext;
if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, issuerCertificate.system()->pCertInfo, pChainCert->pCertInfo))
{
result = true;
break;
}
if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, pIssuer->pCertInfo, pIssued->pCertInfo))
{
// reached self-signed certificate
break;
if (CertComparePublicKeyInfo(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &issuerCertificate.system()->pCertInfo->SubjectPublicKeyInfo, &pChainCert->pCertInfo->SubjectPublicKeyInfo))
{
result = true;
}
}
}
else break;
}
while (pIssuer);
}
CertFreeCertificateChain(pChainContext);
return result;
}
@ -326,8 +351,8 @@ void X509Certificate::loadCertificate(const std::string& certName, const std::st
CERT_RDN_ATTR cert_rdn_attr;
cert_rdn_attr.pszObjId = szOID_COMMON_NAME;
cert_rdn_attr.dwValueType = CERT_RDN_ANY_TYPE;
cert_rdn_attr.Value.cbData = (DWORD) certName.size();
cert_rdn_attr.Value.pbData = (BYTE *) certName.c_str();
cert_rdn_attr.Value.cbData = static_cast<DWORD>(certName.size());
cert_rdn_attr.Value.pbData = reinterpret_cast<BYTE*>(const_cast<char*>(certName.c_str()));
CERT_RDN cert_rdn;
cert_rdn.cRDNAttr = 1;
@ -358,6 +383,18 @@ void X509Certificate::importCertificate(const std::string& certPath)
}
void X509Certificate::importCertificate(std::istream& istr)
{
std::string data;
Poco::StreamCopier::copyToString(istr, data);
if (!data.empty())
{
importCertificate(data.data(), data.size());
}
else throw Poco::IOException("failed to read certificate from stream");
}
void X509Certificate::importCertificate(const char* pBuffer, std::size_t size)
{
if (std::memcmp(pBuffer, "-----BEGIN CERTIFICATE-----", 27) == 0)