Crash reported on Windows in X509Certificate verification

[jdee]

We've received reports of an enterprise app using an SDK built on Poco that often experiences crashes at this location:

00 (Inline Function) --------`--------     EnterpriseApp!std::_WChar_traits<wchar_t>::length+0xa [C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.26.28801\include\xstring @ 168]
01 (Inline Function) --------`--------     EnterpriseApp!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xa [C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.26.28801\include\xstring @ 2992]
02 (Inline Function) --------`--------     EnterpriseApp!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::{ctor}+0x1b [C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.26.28801\include\xstring @ 2344]
03 000000bc`387fe430 00007ff7`e983ae6b     EnterpriseApp!Poco::Net::X509Certificate::extractNames+0x2a4 [D:\path\to\poco\NetSSL_Win\src\X509Certificate.cpp @ 262]
04 000000bc`387fe590 00007ff7`e983eee2     EnterpriseApp!Poco::Net::X509Certificate::verify+0x9b [D:\path\to\poco\NetSSL_Win\src\X509Certificate.cpp @ 478]
05 000000bc`387fe6c0 00007ff7`e983eb91     EnterpriseApp!Poco::Net::SecureSocketImpl::clientVerifyCertificate+0x82 [D:\path\to\poco\NetSSL_Win\src\SecureSocketImpl.cpp @ 1173]

This happens with Poco 1.9.4 in production releases using HTTPSClientSession for API calls, but apparently only for a limited subset of users. For them, it is consistent. It seems to be directly correlated with Kaspersky. When users disable Kaspersky, the issue is resolved. We cannot directly reproduce in testing. The app involved is a Win32 app, packaged without MSIX, running on Windows 10.

https://github.com/pocoproject/poco/blob/poco-1.9.4/NetSSL_Win/src/X509Certificate.cpp#L262

I wonder if it is possible for rgAltEntry[i].pwszDNSName to be NULL. I don't see any significant difference there between 1.9.4 and the 1.10 releases or the master branch. I could contribute a PR with a NULL check, but I don't know if that is the issue.

Any advice or assistance is appreciated. Thank you.

[echo-branch]

On further investigation it appears the crash is due to a certificate with Subject Alternative Name entries that are not DNS Name. For the problem certificate, pwszDNSName is NULL since the entry is actually IPAddress.

https://github.com/pocoproject/poco/blob/poco-1.9.4/NetSSL_Win/src/X509Certificate.cpp#L262-L265

std::wstring waltName(pNameInfo->rgAltEntry[i].pwszDNSName);
std::string altName;
Poco::UnicodeConverter::toUTF8(waltName, altName);

[echo-branch]

A bit more info. I was mistaken on pwszDNSName being NULL. The struct is a union. https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_alt_name_entry

Something like this prevents the crash, however the cert doesn't pass verification.
if (pNameInfo->rgAltEntry[i].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME) {

Still researching.

[echo-branch]

My team member found there's an issue in the following area of code. Basically the if check is not ignoring all errors other than CRYPT_E_REVOKED. In our case, the Kaspersky cert was failing on CRYPT_E_NO_REVOCATION_CHECK. I believe the existing comment is correct and the revocation check can fail for innocuous reasons.

https://github.com/pocoproject/poco/blob/master/NetSSL_Win/src/SecureSocketImpl.cpp#L1318-L1320

Modifying the check fixes the issue for us.