cryptnet: Also cache revocation status when using OCSP.

ca40454f · Paul Gofman · Alexandre Julliard · 67de946c · ca40454f
Commit ca40454f authored Jan 11, 2023 by Paul Gofman Committed by Alexandre Julliard Jan 13, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 3 deletions

cryptnet_main.c dlls/cryptnet/cryptnet_main.c +19 -3

No files found.
--- a/dlls/cryptnet/cryptnet_main.c
+++ b/dlls/cryptnet/cryptnet_main.c
@@ -1895,11 +1895,12 @@ static BOOL match_cert_id(const OCSP_CERT_ID *id, const CERT_INFO *cert, const C
 }

 static DWORD check_ocsp_response_info(const CERT_INFO *cert, const CERT_INFO *issuer,
-                                      const CRYPT_OBJID_BLOB *blob, DWORD *status)
+                                      const CRYPT_OBJID_BLOB *blob, DWORD *status, FILETIME *next_update)
 {
    OCSP_BASIC_RESPONSE_INFO *info;
    DWORD size, i;

+    memset(next_update, 0, sizeof(*next_update));
    if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_BASIC_RESPONSE, blob->pbData, blob->cbData,
                             CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)) return GetLastError();

@@ -1907,7 +1908,11 @@ static DWORD check_ocsp_response_info(const CERT_INFO *cert, const CERT_INFO *is
    for (i = 0; i < info->cResponseEntry; i++)
    {
        OCSP_BASIC_RESPONSE_ENTRY *entry = &info->rgResponseEntry[i];
-        if (match_cert_id(&entry->CertId, cert, issuer)) *status = map_ocsp_status(entry->dwCertStatus);
+        if (match_cert_id(&entry->CertId, cert, issuer))
+        {
+            *status = map_ocsp_status(entry->dwCertStatus);
+            *next_update = entry->NextUpdate;
+        }
    }

    LocalFree(info);
@@ -1920,6 +1925,7 @@ static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_
    OCSP_BASIC_SIGNED_RESPONSE_INFO *info;
    DWORD size, error, status = CRYPT_E_REVOCATION_OFFLINE;
    CRYPT_ALGORITHM_IDENTIFIER *alg;
+    FILETIME next_update;
    CRYPT_BIT_BLOB *sig;
    HCRYPTPROV prov = 0;
    HCRYPTHASH hash = 0;
@@ -1929,7 +1935,7 @@ static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_
    if (!CryptDecodeObjectEx(X509_ASN_ENCODING, OCSP_BASIC_SIGNED_RESPONSE, blob->pbData, blob->cbData,
                             CRYPT_DECODE_ALLOC_FLAG, NULL, &info, &size)) return GetLastError();

-    if ((error = check_ocsp_response_info(cert, issuer, &info->ToBeSigned, &status))) goto done;
+    if ((error = check_ocsp_response_info(cert, issuer, &info->ToBeSigned, &status, &next_update))) goto done;

    alg = &info->SignatureInfo.SignatureAlgorithm;
    if (!alg->pszObjId || !(algid = CertOIDToAlgId(alg->pszObjId)))
@@ -1958,6 +1964,16 @@ static DWORD verify_signed_ocsp_response_info(const CERT_INFO *cert, const CERT_
    else error = ERROR_SUCCESS;

 done:
+    if (next_update.dwLowDateTime || next_update.dwHighDateTime)
+    {
+        CERT_REVOCATION_STATUS rev_status;
+
+        memset(&rev_status, 0, sizeof(rev_status));
+        rev_status.cbSize = sizeof(rev_status);
+        rev_status.dwError = status;
+        cache_revocation_status(&cert->SerialNumber, &next_update, &rev_status);
+    }
+
    CryptDestroyKey(key);
    CryptDestroyHash(hash);
    CryptReleaseContext(prov, 0);