windows intermediate certificates: check intermediate certificate is validated by root

Author: shalupov

src/main/java/org/jetbrains/nativecerts/win32/Crypt32Ext.java

@@ -61,6 +61,15 @@ public interface Crypt32Ext extends StdCallLibrary {
     int CERT_SYSTEM_STORE_UNPROTECTED_FLAG = 0x40000000;
     int CERT_SYSTEM_STORE_RELOCATE_FLAG = 0x80000000;
 
+    // Revocation flags for CertGetCertificateChain https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain
+    int CERT_CHAIN_REVOCATION_CHECK_END_CERT = 0x10000000;
+    int CERT_CHAIN_REVOCATION_CHECK_CHAIN = 0x20000000;
+    int CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = 0x40000000;
+    int CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY = 0x80000000;
+
+    // for CertVerifyCertificateChainPolicy https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy
+    int CERT_CHAIN_POLICY_SSL = 4;
+
     Crypt32Ext INSTANCE = Native.load("Crypt32", Crypt32Ext.class, W32APIOptions.DEFAULT_OPTIONS);
 
     /**
@@ -98,4 +107,31 @@ WinCrypt.HCERTSTORE CertOpenStore(
             WinCrypt.HCRYPTPROV_LEGACY hCryptProv,
             int dwFlags,
             WTypes.LPWSTR pvPara);
+
+    /**
+     * The {@code CertCreateCertificateContext} function creates a certificate context from an encoded certificate.
+     * The created context is not persisted to a certificate store.
+     * The function makes a copy of the encoded certificate within the created context.
+     * @param dwCertEncodingType
+     *          [in] Specifies the type of encoding used. It is always acceptable to specify both the certificate and message
+     *          encoding types by combining them with a bitwise-OR operation as shown in the following example:
+     *          X509_ASN_ENCODING | PKCS_7_ASN_ENCODING. Currently, defined encoding types are:
+     *          X509_ASN_ENCODING PKCS_7_ASN_ENCODING
+     * @param pbCertEncoded
+     *          [in] A pointer to a buffer that contains the encoded certificate from which the context is to be created.
+     * @param cbCertEncoded
+     *          [in] The size, in bytes, of the {@code pbCertEncoded} buffer.
+     * @return
+     *          If the function succeeds, the function returns a pointer to a read-only {@link WinCrypt.CERT_CONTEXT}.
+     *          When you have finished using the certificate context, free it by calling the {@link com.sun.jna.platform.win32.Crypt32#CertFreeCertificateContext(WinCrypt.CERT_CONTEXT)} function.
+     *          If the function is unable to decode and create the certificate context, it returns NULL.
+     *          For extended error information, call {@link Native#getLastError()}.
+     *
+     * @see <a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcreatecertificatecontext">MSDN</a>
+     */
+    WinCrypt.CERT_CONTEXT CertCreateCertificateContext(
+            int dwCertEncodingType,
+            byte[] pbCertEncoded,
+            int cbCertEncoded
+    );
 }

src/main/java/org/jetbrains/nativecerts/win32/Crypt32ExtUtil.java

@@ -2,11 +2,13 @@
 
 import com.sun.jna.Native;
 import com.sun.jna.Pointer;
+import com.sun.jna.Structure;
 import com.sun.jna.platform.win32.Crypt32;
 import com.sun.jna.platform.win32.Kernel32Util;
 import com.sun.jna.platform.win32.WTypes;
 import com.sun.jna.platform.win32.Win32Exception;
 import com.sun.jna.platform.win32.WinCrypt;
+import com.sun.jna.ptr.PointerByReference;
 import org.jetbrains.nativecerts.NativeTrustedRootsInternalUtils;
 
 import java.security.cert.X509Certificate;
@@ -44,12 +46,13 @@ public static Collection<X509Certificate> getCustomTrustedRootCertificates() {
 
             if (LOGGER.isLoggable(Level.FINE)) {
                 StringBuilder message = new StringBuilder();
-                message.append("Received ").append(root.size()).append(" certificates from store ROOT / ").append(entry.getKey());
-                message.append("Received ").append(intermediates.size()).append(" certificates from store CA (Intermediates) / ").append(entry.getKey());
 
+                message.append("Received ").append(root.size()).append(" certificates from store ROOT / ").append(entry.getKey());
                 for (X509Certificate certificate : root) {
                     message.append("\n  ROOT/").append(entry.getKey()).append(": ").append(certificate.getSubjectX500Principal());
                 }
+
+                message.append("\nReceived ").append(intermediates.size()).append(" certificates from store CA (Intermediates) / ").append(entry.getKey());
                 for (X509Certificate certificate : intermediates) {
                     message.append("\n  CA/").append(entry.getKey()).append(": ").append(certificate.getSubjectX500Principal());
                 }
@@ -58,7 +61,18 @@ public static Collection<X509Certificate> getCustomTrustedRootCertificates() {
             }
 
             result.addAll(root);
-            result.addAll(intermediates);
+
+            for (X509Certificate intermediate : intermediates) {
+                try {
+                    validateCertificate(intermediate.getEncoded());
+                    result.add(intermediate);
+                } catch (Throwable t) {
+                    LOGGER.log(
+                            Level.FINE,
+                            "Unable to validate whether certificate '" + intermediate.getSubjectX500Principal() + "' is trusted: " + t.getMessage(),
+                            t);
+                }
+            }
         }
 
         return result;
@@ -127,4 +141,67 @@ public static List<X509Certificate> gatherEnterpriseCertsForLocation(int locatio
             CertCloseStore(hcertstore);
         }
     }
+
+    public static void validateCertificate(byte[] encodedCertificate) {
+        var certificateContext = Crypt32Ext.INSTANCE.CertCreateCertificateContext(
+                WinCrypt.X509_ASN_ENCODING | WinCrypt.PKCS_7_ASN_ENCODING, encodedCertificate, encodedCertificate.length);
+        if (certificateContext == null) {
+            throw new Win32Exception(Native.getLastError());
+        }
+
+        try {
+            WinCrypt.CERT_CHAIN_PARA pChainPara = new WinCrypt.CERT_CHAIN_PARA();
+            pChainPara.cbSize = pChainPara.size();
+            pChainPara.RequestedUsage.dwType = WinCrypt.USAGE_MATCH_TYPE_AND;
+            pChainPara.RequestedUsage.Usage.cUsageIdentifier = 0;
+            pChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = null;
+
+            PointerByReference ppChainContext = new PointerByReference();
+            if (!Crypt32.INSTANCE.CertGetCertificateChain(
+                    null, certificateContext, null, null, pChainPara,
+                    Crypt32Ext.CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY,
+                    null, ppChainContext)) {
+                throw new Win32Exception(Native.getLastError());
+            }
+
+            if (ppChainContext.getValue() == null) {
+                throw new IllegalStateException("CertGetCertificateChain was successful, but returned chain context is null");
+            }
+
+            WinCrypt.CERT_CHAIN_CONTEXT pChainContext = Structure.newInstance(WinCrypt.CERT_CHAIN_CONTEXT.class, ppChainContext.getValue());
+            pChainContext.read();
+
+            if (pChainContext.cbSize != pChainContext.size()) {
+                throw new IllegalStateException("CertGetCertificateChain was successful, but returned chain context size is incorrect." +
+                        "returned cbSize is " + pChainContext.cbSize + ", but the structure size is " + pChainContext.size());
+            }
+
+            try {
+                WinCrypt.CERT_CHAIN_POLICY_PARA chainPolicyPara = new WinCrypt.CERT_CHAIN_POLICY_PARA();
+                chainPolicyPara.cbSize = chainPolicyPara.size();
+                chainPolicyPara.dwFlags = 0;
+
+                WinCrypt.CERT_CHAIN_POLICY_STATUS policyStatus = new WinCrypt.CERT_CHAIN_POLICY_STATUS();
+                policyStatus.dwError = 1; // extra check that CertVerifyCertificateChainPolicy actually sets this field
+                policyStatus.cbSize = policyStatus.size();
+
+                if (!Crypt32.INSTANCE.CertVerifyCertificateChainPolicy(
+                        new WTypes.LPSTR(Pointer.createConstant(Crypt32Ext.CERT_CHAIN_POLICY_SSL)),
+                        pChainContext, chainPolicyPara, policyStatus)) {
+                    throw new Win32Exception(Native.getLastError());
+                }
+
+                int dwError = policyStatus.dwError;
+                if (dwError != 0) {
+                    throw new Win32Exception(dwError, null, "CertVerifyCertificateChainPolicy failed to validate certificate with code " +
+                            Integer.toHexString(dwError) + ":\n" + Kernel32Util.formatMessage(dwError)) {
+                    };
+                }
+            } finally {
+                Crypt32.INSTANCE.CertFreeCertificateChain(pChainContext);
+            }
+        } finally {
+            Crypt32.INSTANCE.CertFreeCertificateContext(certificateContext);
+        }
+    }
 }

src/test/java/org/jetbrains/nativecerts/win32/Crypt32ExtUtilTest.java

@@ -1,5 +1,7 @@
 package org.jetbrains.nativecerts.win32;
 
+import com.sun.jna.platform.win32.Win32Exception;
+import com.sun.jna.platform.win32.WinError;
 import org.jetbrains.nativecerts.NativeCertsSetupLoggingRule;
 import org.junit.After;
 import org.junit.Assert;
@@ -21,9 +23,9 @@
 import static org.jetbrains.nativecerts.NativeCertsTestUtil.isManualTestingEnabled;
 import static org.jetbrains.nativecerts.NativeTrustedRootsInternalUtils.isWindows;
 import static org.jetbrains.nativecerts.NativeTrustedRootsInternalUtils.sha1hex;
-import static org.jetbrains.nativecerts.NativeTrustedRootsInternalUtils.sha256hex;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
 public class Crypt32ExtUtilTest {
@@ -60,7 +62,9 @@ public void realUserTrustedCertificateTest() throws Exception {
 
         byte[] encoded = getTestCertificate().getEncoded();
         String sha1 = sha1hex(encoded);
-        String sha256 = sha256hex(encoded);
+
+        Win32Exception notTrustedException = assertThrows(Win32Exception.class, () -> Crypt32ExtUtil.validateCertificate(encoded));
+        assertEquals(WinError.CERT_E_UNTRUSTEDROOT, notTrustedException.getErrorCode());
 
         // cleanup just in case it was imported before
         removeTrustedCert(sha1);
@@ -75,6 +79,7 @@ public void realUserTrustedCertificateTest() throws Exception {
                     List.of("certutil", "-user", "-addstore", "Root", getTestCertificatePath().toString())
             );
             assertTrue(verifyCert(sha1));
+            Crypt32ExtUtil.validateCertificate(encoded);
 
             Collection<X509Certificate> rootsAfter = Crypt32ExtUtil.getCustomTrustedRootCertificates();
             assertTrue(rootsAfter.contains(getTestCertificate()));
@@ -110,8 +115,8 @@ public void intermediateCACertsAreIncluded() throws Exception {
         try {
             Collection<X509Certificate> rootsBefore = Crypt32ExtUtil.getCustomTrustedRootCertificates();
             assertFalse(rootsBefore.contains(rootCertificate));
-
-            Assert.assertFalse(verifyCert(sha1Root));
+            assertFalse(rootsBefore.contains(intermediateCertificate));
+            assertFalse(verifyCert(sha1Root));
 
             executeProcess(
                     List.of("certutil", "-user", "-addstore", "Root", getTestCertificatePath().toString())
@@ -126,13 +131,24 @@ public void intermediateCACertsAreIncluded() throws Exception {
             Collection<X509Certificate> rootsAfter = Crypt32ExtUtil.getCustomTrustedRootCertificates();
             assertTrue(rootsAfter.contains(rootCertificate));
             assertTrue(rootsAfter.contains(intermediateCertificate));
+            Crypt32ExtUtil.validateCertificate(intermediateEncoded);
 
+            // Remove only root
             assertTrue(removeTrustedCert(sha1Root));
             Assert.assertFalse(verifyCert(sha1Root));
 
+            // intermediate certificate should not be accepted after removing root
+            Collection<X509Certificate> rootsAfterRootRemoval = Crypt32ExtUtil.getCustomTrustedRootCertificates();
+            assertFalse(rootsAfterRootRemoval.contains(rootCertificate));
+            assertFalse(rootsAfterRootRemoval.contains(intermediateCertificate));
+            var noTrustedRoot = assertThrows(Win32Exception.class, () -> Crypt32ExtUtil.validateCertificate(intermediateEncoded));
+            assertEquals(WinError.CERT_E_UNTRUSTEDROOT, noTrustedRoot.getErrorCode());
+
+            // Remove intermediate too
             assertTrue(removeTrustedCert(sha1Intermediate, "CA"));
             Assert.assertFalse(verifyCert(sha1Intermediate));
 
+            // Check that cleanup was successful
             Collection<X509Certificate> rootsAfterRemoval = Crypt32ExtUtil.getCustomTrustedRootCertificates();
             assertFalse(rootsAfterRemoval.contains(rootCertificate));
             assertFalse(rootsAfterRemoval.contains(intermediateCertificate));