

DELETE ME: add debug trace for Windows test
stormshield-gt committed Aug 28, 2024
1 parent 19ef705 commit 223bbe7
Showing 1 changed file with 140 additions and 8 deletions.
148 changes: 140 additions & 8 deletions rustls-platform-verifier/src/verification/windows.rs
Expand Up @@ -34,18 +34,22 @@ use std::{
ptr::{self, NonNull},
sync::Arc,
};
use windows_sys::Win32::Security::Cryptography::{
CertCloseStore, CertEnumCertificatesInStore, CertFreeCertificateChainEngine,
CertGetNameStringW, CERT_NAME_SIMPLE_DISPLAY_TYPE,
};
use windows_sys::Win32::{
Foundation::{
BOOL, CERT_E_CN_NO_MATCH, CERT_E_EXPIRED, CERT_E_INVALID_NAME, CERT_E_UNTRUSTEDROOT,
CERT_E_WRONG_USAGE, CRYPT_E_REVOKED, FILETIME, TRUE,
},
Security::Cryptography::{
CertAddEncodedCertificateToStore, CertCloseStore, CertFreeCertificateChain,
CertFreeCertificateChainEngine, CertFreeCertificateContext, CertGetCertificateChain,
CertOpenStore, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy,
HTTPSPolicyCallbackData, AUTHTYPE_SERVER, CERT_CHAIN_CACHE_END_CERT, CERT_CHAIN_CONTEXT,
CERT_CHAIN_ENGINE_CONFIG, CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS,
CERT_CHAIN_POLICY_PARA, CERT_CHAIN_POLICY_SSL, CERT_CHAIN_POLICY_STATUS,
CertAddEncodedCertificateToStore, CertFreeCertificateChain, CertFreeCertificateContext,
CertGetCertificateChain, CertOpenStore, CertSetCertificateContextProperty,
CertVerifyCertificateChainPolicy, HTTPSPolicyCallbackData, AUTHTYPE_SERVER,
CERT_CHAIN_CACHE_END_CERT, CERT_CHAIN_CONTEXT, CERT_CHAIN_ENGINE_CONFIG,
CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS, CERT_CHAIN_POLICY_PARA,
CERT_CHAIN_POLICY_SSL, CERT_CHAIN_POLICY_STATUS,
CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT, CERT_CHAIN_REVOCATION_CHECK_END_CERT,
CERT_CONTEXT, CERT_OCSP_RESPONSE_PROP_ID, CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
CERT_STORE_ADD_ALWAYS, CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, CERT_STORE_PROV_MEMORY,
Expand Down Expand Up @@ -283,8 +287,11 @@ impl CertificateStore {
}

let mut config = CERT_CHAIN_ENGINE_CONFIG::zeroed_with_size();
config.cAdditionalStore = 1;
config.rghAdditionalStore = &mut additional_store.inner.as_ptr();
config.cAdditionalStore = 1;

println!("additionnal cert store content:");
print_cert_store(unsafe { *config.rghAdditionalStore });

let mut engine = 0;
// SAFETY: `engine` is valid to be written to and the config is valid to be read.
Expand All @@ -295,6 +302,7 @@ impl CertificateStore {
Some(c) if res == TRUE => Some(c),
_ => None,
})?;

inner.engine = Some(engine);

Ok(inner)
Expand Down Expand Up @@ -571,7 +579,7 @@ impl Verifier {
.collect();

let cert_chain = store.new_chain_in(&primary_cert, now)?;

print_cert_chain_status(&cert_chain);
let status = cert_chain.verify_chain_policy(server)?;

if status.dwError == 0 {
Expand Down Expand Up @@ -699,3 +707,127 @@ unsafe trait ZeroedWithSize: Sized {
/// Returns a zeroed structure with its structure size (`cbSize`) field set to the correct value.
fn zeroed_with_size() -> Self;
}
fn print_cert_store(store: windows_sys::Win32::Security::Cryptography::HCERTSTORE) {
let mut cert_ctx = ptr::null_mut();
loop {
cert_ctx = unsafe { CertEnumCertificatesInStore(store, cert_ctx) };
if cert_ctx.is_null() {
break;
}
let mut name: Vec<u16> = Vec::with_capacity(128);
let char_nb = unsafe {
CertGetNameStringW(
cert_ctx,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
0,
ptr::null(),
name.as_mut_ptr(),
128,
)
};
if char_nb == 0 {
println!("CertGertNameStringW failed");
} else {
unsafe {
#[allow(clippy::as_conversions)]
name.set_len(char_nb as usize - 1);
}
println!(
"Certificate for '{}' found",
String::from_utf16_lossy(&name)
);
}
}
}

fn print_cert_chain_status(cert_chain: &CertChain) {
println!(
"The is {} simple chain in the array",
unsafe { *cert_chain.inner.as_ptr() }.cChain
);
let trust_status = (unsafe { *cert_chain.inner.as_ptr() }).TrustStatus;
let error_status = trust_status.dwErrorStatus;
if (error_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_NOT_TIME_VALID)
!= 0
{
println!("This certificate or one of the certificates in the certificate chain is not time-valid.");
}
if (error_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_REVOKED) != 0 {
println!("Trust for this certificate or one of the certificates in the certificate chain has been revoked.");
}
if (error_status
& windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_NOT_SIGNATURE_VALID)
!= 0
{
println!("The certificate or one of the certificates in the certificate chain does not have a valid signature.");
}
if (error_status
& windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_NOT_VALID_FOR_USAGE)
!= 0
{
println!("The certificate or certificate chain is not valid in its proposed usage.");
}
if (error_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_UNTRUSTED_ROOT)
!= 0
{
println!("The certificate or certificate chain is based on an untrusted root.");
}
if (error_status
& windows_sys::Win32::Security::Cryptography::CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
!= 0
{
println!("The revocation status of the certificate or one of the certificates in the certificate chain is unknown.");
}
if (error_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_CYCLIC) != 0 {
println!("One of the certificates in the chain was issued by a certification authority that the original certificate had certified.");
}
if (error_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_PARTIAL_CHAIN) != 0
{
println!("The certificate chain is not complete.");
}
if (error_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_CTL_IS_NOT_TIME_VALID)
!= 0
{
println!("A CTL used to create this chain was not time-valid.");
}
if (error_status
& windows_sys::Win32::Security::Cryptography::CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID)
!= 0
{
println!("A CTL used to create this chain did not have a valid signature.");
}
if (error_status
& windows_sys::Win32::Security::Cryptography::CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE)
!= 0
{
println!("A CTL used to create this chain did not have a valid signature.");
} else {
println!("No error found for this certificate or chain.");
}
let info_status = trust_status.dwInfoStatus;
if (info_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_HAS_EXACT_MATCH_ISSUER)
!= 0
{
println!("An exact match issuer certificate has been found for this certificate.");
}
if (info_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_HAS_KEY_MATCH_ISSUER)
!= 0
{
println!("A key match issuer certificate has been found for this certificate.");
}
if (info_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_HAS_NAME_MATCH_ISSUER)
!= 0
{
println!("A name match issuer certificate has been found for this certificate.");
}
if (info_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_SELF_SIGNED) != 0 {
println!("This certificate is self-signed.");
}
if (info_status & windows_sys::Win32::Security::Cryptography::CERT_TRUST_IS_COMPLEX_CHAIN) != 0
{
println!("The certificate chain created is a complex chain.");
} else {
// No dwInfoStatus bits set
println!("No information status reported.");
}
}
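Review bot: The `else` attached to the last `if` in `print_cert_chain_status` (the `CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE` check) prints "No error found for this certificate or chain." whenever that single bit is clear, so a chain with, say, `CERT_TRUST_IS_UNTRUSTED_ROOT` set is reported both as untrusted and as error-free; the `else` on the `CERT_TRUST_IS_COMPLEX_CHAIN` check does the same for `dwInfoStatus`. Since this trace exists to explain a failing Windows test, a contradictory summary line defeats its purpose. Replace the two `else` arms with explicit zero checks after the bit tests: `if error_status == 0 { println!("No error found for this certificate or chain."); }` and `if info_status == 0 { println!("No information status reported."); }`. The message under `CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE` also repeats the signature text from the previous branch and should describe the usage failure instead, and the first `println!` has a typo (`"The is {} simple chain"`).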
