microsoft · nibanks · Sep 21, 2021 · Sep 7, 2021 · Sep 7, 2021 · Sep 7, 2021
@@ -38,10 +38,10 @@ extern "C" {
  CertCapiVerifiedChain,
  "CertVerifyChain: %S 0x%x, result=0x%x",
  ServerName,
- IgnoreFlags,
+ CredFlags,
  Status);
 // arg2 = arg2 = ServerName
-// arg3 = arg3 = IgnoreFlags
+// arg3 = arg3 = CredFlags
 // arg4 = arg4 = Status
 ----------------------------------------------------------*/
 #define _clog_5_ARGS_TRACE_CertCapiVerifiedChain(uniqueId, encoded_arg_string, arg2, arg3, arg4)\

@@ -8,10 +8,10 @@
  CertCapiVerifiedChain,
  "CertVerifyChain: %S 0x%x, result=0x%x",
  ServerName,
- IgnoreFlags,
+ CredFlags,
  Status);
 // arg2 = arg2 = ServerName
-// arg3 = arg3 = IgnoreFlags
+// arg3 = arg3 = CredFlags
 // arg4 = arg4 = Status
 ----------------------------------------------------------*/
 TRACEPOINT_EVENT(CLOG_CERT_CAPI_C, CertCapiVerifiedChain,

@@ -314,6 +314,138 @@ tracepoint(CLOG_CERT_CAPI_OPENSSL_C, AllocFailure , arg2, arg3);\
 
 
 
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+ LibraryErrorStatus,
+ "[ lib] ERROR, %u, %s.",
+ Type,
+ "Unsupported Type passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = Type
+// arg3 = arg3 = "Unsupported Type passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+ LibraryErrorStatus,
+ "[ lib] ERROR, %u, %s.",
+ (unsigned int)QUIC_STATUS_INVALID_PARAMETER,
+ "NULL CertHash passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = (unsigned int)QUIC_STATUS_INVALID_PARAMETER
+// arg3 = arg3 = "NULL CertHash passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+ LibraryErrorStatus,
+ "[ lib] ERROR, %u, %s.",
+ (unsigned int)QUIC_STATUS_INVALID_PARAMETER,
+ "NULL CertHashStore passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = (unsigned int)QUIC_STATUS_INVALID_PARAMETER
+// arg3 = arg3 = "NULL CertHashStore passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+ LibraryErrorStatus,
+ "[ lib] ERROR, %u, %s.",
+ (unsigned int)QUIC_STATUS_INVALID_PARAMETER,
+ "NULL Principal passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = (unsigned int)QUIC_STATUS_INVALID_PARAMETER
+// arg3 = arg3 = "NULL Principal passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+ LibraryErrorStatus,
+ "[ lib] ERROR, %u, %s.",
+ CredType,
+ "Unsupported CredType passed to CxPlatGetTestCertificate");
+// arg2 = arg2 = CredType
+// arg3 = arg3 = "Unsupported CredType passed to CxPlatGetTestCertificate"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
+#ifndef _clog_4_ARGS_TRACE_LibraryErrorStatus
+
+
+
+/*----------------------------------------------------------
+// Decoder Ring for LibraryErrorStatus
+// [ lib] ERROR, %u, %s.
+// QuicTraceEvent(
+ LibraryErrorStatus,
+ "[ lib] ERROR, %u, %s.",
+ GetLastError(),
+ "CertOpenStore failed");
+// arg2 = arg2 = GetLastError()
+// arg3 = arg3 = "CertOpenStore failed"
+----------------------------------------------------------*/
+#define _clog_4_ARGS_TRACE_LibraryErrorStatus(uniqueId, encoded_arg_string, arg2, arg3)\
+
+#endif
+
+
+
+
 #ifdef __cplusplus
 }
 #endif

@@ -82,7 +82,7 @@ CxPlatCertValidateChain(
  _In_ const QUIC_CERTIFICATE* Certificate,
  _In_opt_z_ const char* Host,
  _In_ uint32_t CertFlags,
- _In_ uint32_t IgnoreFlags,
+ _In_ uint32_t CredFlags,
  _Out_opt_ uint32_t* ValidationError
  );
 

@@ -796,7 +796,7 @@ DWORD
 CxPlatCertVerifyCertChainPolicy(
  _In_ PCCERT_CHAIN_CONTEXT ChainContext,
  _In_opt_ PWSTR ServerName,
- _In_ ULONG IgnoreFlags
+ _In_ uint32_t CredFlags
  )
 {
  DWORD Status = NO_ERROR;
@@ -807,9 +807,10 @@ CxPlatCertVerifyCertChainPolicy(
 
  memset(&HttpsPolicy, 0, sizeof(HTTPSPolicyCallbackData));
  HttpsPolicy.cbStruct = sizeof(HTTPSPolicyCallbackData);
- HttpsPolicy.dwAuthType = AUTHTYPE_SERVER;
+ HttpsPolicy.dwAuthType =
+ (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? AUTHTYPE_SERVER : AUTHTYPE_CLIENT;
  HttpsPolicy.fdwChecks = 0;
- HttpsPolicy.pwszServerName = ServerName;
+ HttpsPolicy.pwszServerName = (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? ServerName : NULL;
 
  memset(&PolicyPara, 0, sizeof(PolicyPara));
  PolicyPara.cbSize = sizeof(PolicyPara);
@@ -832,10 +833,10 @@ CxPlatCertVerifyCertChainPolicy(
  goto Exit;
 
  } else if (PolicyStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK &&
- (IgnoreFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK)) {
+ (CredFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK)) {
  Status = NO_ERROR;
  } else if (PolicyStatus.dwError == CRYPT_E_REVOCATION_OFFLINE &&
- (IgnoreFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE)) {
+ (CredFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE)) {
  Status = NO_ERROR;
  } else if (PolicyStatus.dwError != NO_ERROR) {
 
@@ -854,7 +855,7 @@ CxPlatCertVerifyCertChainPolicy(
  CertCapiVerifiedChain,
  "CertVerifyChain: %S 0x%x, result=0x%x",
  ServerName,
- IgnoreFlags,
+ CredFlags,
  Status);
 
  return Status;
@@ -866,7 +867,7 @@ CxPlatCertValidateChain(
  _In_ const QUIC_CERTIFICATE* Certificate,
  _In_opt_z_ PCSTR Host,
  _In_ uint32_t CertFlags,
- _In_ uint32_t IgnoreFlags,
+ _In_ uint32_t CredFlags,
  _Out_opt_ uint32_t* ValidationError
  )
 {
@@ -879,21 +880,27 @@ CxPlatCertValidateChain(
 
  CERT_CHAIN_PARA ChainPara;
 
- static const LPSTR UsageOids[] = {
+ static const LPSTR ServerUsageOids[] = {
  szOID_PKIX_KP_SERVER_AUTH,
  szOID_SERVER_GATED_CRYPTO,
  szOID_SGC_NETSCAPE
  };
 
+ static const LPSTR ClientUsageOids[] = {
+ szOID_PKIX_KP_CLIENT_AUTH
+ };
+
  if (ValidationError != NULL) {
  *ValidationError = NO_ERROR;
  }
 
  memset(&ChainPara, 0, sizeof(ChainPara));
  ChainPara.cbSize = sizeof(ChainPara);
  ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
- ChainPara.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(UsageOids);
- ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = (LPSTR*)UsageOids;
+ ChainPara.RequestedUsage.Usage.cUsageIdentifier =
+ (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? ARRAYSIZE(ServerUsageOids) : ARRAYSIZE(ClientUsageOids);
+ ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier =
+ (CredFlags & QUIC_CREDENTIAL_FLAG_CLIENT) ? (LPSTR*)ServerUsageOids : (LPSTR*)ClientUsageOids;
 
  if (!CertGetCertificateChain(
  NULL,
@@ -933,7 +940,7 @@ CxPlatCertValidateChain(
  CxPlatCertVerifyCertChainPolicy(
  ChainContext,
  ServerName,
- IgnoreFlags);
+ CredFlags);
 
  Result = NO_ERROR == Error;