Refined Certificate Filtering

- Reworked certificate key usage filtering logic. - Allow filtering of trusted certificates only. - Adjusted Pageant dialog item locations.
NoMoreFood · May 9, 2021 · 389c538 · 389c538
1 parent 2866557
commit 389c538
Show file tree

Hide file tree

Showing 25 changed files with 185 additions and 99 deletions.
diff --git a/binaries/puttycac-0.75-installer.msi b/binaries/puttycac-0.75-installer.msi
diff --git a/binaries/puttycac-0.75.zip b/binaries/puttycac-0.75.zip
diff --git a/binaries/puttycac-64bit-0.75-installer.msi b/binaries/puttycac-64bit-0.75-installer.msi
diff --git a/binaries/puttycac-64bit-0.75.zip b/binaries/puttycac-64bit-0.75.zip
diff --git a/binaries/puttycac-hash.txt b/binaries/puttycac-hash.txt
@@ -1,69 +1,69 @@
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA256          AFAF44382DB71D8406FDB18A1007F59FEF6C3E95BF1D188E6FDD7943B852B6CF       x64\pageant.exe
-SHA256          4F0D9013558548FD9042A98CF9CD8AE4E80CAD6DEF32E59A7876A8ABF0D9EC42       x64\plink.exe
-SHA256          8F228890C47055E2597E7FFA95C60962FA2CD56169BB1ADB86A7455BCA4FCB52       x64\pscp.exe
-SHA256          9B9F3784097A49B74DF40409B923FE00BCF7015468624303E261EB9729C86FA9       x64\psftp.exe
-SHA256          97A9FFB4B9332EDA3D813A0C94E1DDDA06FCBBFC435937ECB1E4F433DC3A5A31       x64\putty.exe
-SHA256          2927BF736F58B78FE05FB79F4A21E2813A3B53C0B7DB02B9C4525BFC04861C06       x64\puttygen.exe
-SHA256          6D21A01152981CECFA7E10254D31D65B30B0A249C4D9B7864F6DE59314C374D7       x64\puttytel.exe
-SHA256          D78360F1EABD328C5C4FB42DA5D8557CA9E3AC024E8F9B2145A236BAD760B915       x86\pageant.exe
-SHA256          A91D038AB5ED6C21E7B3A056D3287FDD12CF1B1D27F4245EDBE1964AE96A915C       x86\plink.exe
-SHA256          B42F08C3505CA4579B3074CD2E185B552FE50E651D0D42BAA384F868E036F075       x86\pscp.exe
-SHA256          2389E2D53A00725F2BDFCC4AE21894CBAA83F03DFE1D249F50F5703AC693593B       x86\psftp.exe
-SHA256          03E75FBCBA074AFD437D2FC81BEFEB1EB7E519A4DE8D73677878F1FFF38E5BBF       x86\putty.exe
-SHA256          EB3393C624AA660CBF53FBC16C9E56156710911462BB8BC49759AF779F1F8DC1       x86\puttygen.exe
-SHA256          50B6B27389D38B71594C799024B29A43C6126756458F6098B72670BB1E4BEF77       x86\puttytel.exe
-SHA256          C37AF02EB5FB1C507C074F18392500E9236D769CCD1D4C01462FCB94C4221276       puttycac-0.75-installer.msi
-SHA256          28462D1DE3EC86BA43FE6C826CB80FB03A430035368BF62CE4A43D692A48CE2C       puttycac-0.75.zip
-SHA256          628ED839521032DE52B2A93AC233D81A207BA425607FA9016975D5BCD7A82904       puttycac-64bit-0.75-installer.msi
-SHA256          DA05CC9A9D6532B90E0A00AE7177DAFD2A2CE71640D886531EA7A5F24ABCFA26       puttycac-64bit-0.75.zip
+SHA256          B287ED00913077B7FCF9177D0EEC20E64D293D5F390E29A10094EFE99AFC0ABC       x64\pageant.exe
+SHA256          044218B4D7B56E25D0C001B98640F76144F3CEEC17046BBB7556A0EE355E0F28       x64\plink.exe
+SHA256          BE3FC0568AFF37AA7D8A67BCEA532272B5B304F07D1C7EB0256CC0163BDCE0AA       x64\pscp.exe
+SHA256          4F4A0263900DB258EF278EDBFCDD7243E52AA39D464739C5559138F3DC365B04       x64\psftp.exe
+SHA256          EC7652633CA19CDC881EFC74168B5873AA07681FC30DD8B96E0A22582FA7C1F7       x64\putty.exe
+SHA256          3AB98948010FC47DD1C3FFF6529190702E2B727AC6EF47754005603193DD3E93       x64\puttygen.exe
+SHA256          184CA1026FCE628AD3E455AD7DCE4FAC76DBDB50EF852A42980D31408CA7CFC9       x64\puttytel.exe
+SHA256          FFB6F56D673384D95136A684D7E20470B4E0315CECB79A4A4FBA6B8C5DB99685       x86\pageant.exe
+SHA256          989B558D346B27CBF897869BFD4FB117FE45892A78C43E646328C02762F1AEDB       x86\plink.exe
+SHA256          59E54563D2C1E29A6916551746AA327A5E090924C0569B87067446B299A5CBD9       x86\pscp.exe
+SHA256          B74C7DFD437541E2F8F9F7851ED8DAE26D1050EDDCB0CAC9B04FDA16B1E89FBF       x86\psftp.exe
+SHA256          52B9C7C773BD59D94D93B84F5E838BC6EFEFC7D9E3AED4284D127BBB9519C38F       x86\putty.exe
+SHA256          2BD7AD09576C80813251911441FB83F0221A6D1814D5DAA44B8B33C6B3F0FBB1       x86\puttygen.exe
+SHA256          91818D4EF5649DC4F94A885D4ED7FCBD30AA345FA9EB4907DFB0BAB75002EAA5       x86\puttytel.exe
+SHA256          928A58E883008909AA38D06DC79801156F59E4E5C4D0BC51913C9E1726B1F494       puttycac-0.75-installer.msi
+SHA256          763F6E9A5E8D9B1E4A98A3E962200EBF19573E51A6AB94D63E9C71D1D1A960F8       puttycac-0.75.zip
+SHA256          BA4C1E3A9109981338208DBD61D2CA2C3C0DBE83A849DF1FFD4E5986FF06D0FA       puttycac-64bit-0.75-installer.msi
+SHA256          A0DC2A0050486FAB7321D59225A0675378E1B0BE9005D54FCD396A111CBCF239       puttycac-64bit-0.75.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA1            690B168BE86E288E7081F67F823CB54CFE5D4B5B                               x64\pageant.exe
-SHA1            C4B5238775F86B82954D96E587306A0F405CBAFA                               x64\plink.exe
-SHA1            7CCFF22648F04CF6107A96C93A1EBA351E9DB614                               x64\pscp.exe
-SHA1            2DBBE612641F4912107CDA43C4F2F458EFA3E875                               x64\psftp.exe
-SHA1            16BE678EC5DECEFEFABEF14F47F99FAF47CFFB39                               x64\putty.exe
-SHA1            B68CCE3E098803ADE4AD7B96641B879A20F502AB                               x64\puttygen.exe
-SHA1            9C06A9806BA1D1AB7B02387CC820EDF99D49EF68                               x64\puttytel.exe
-SHA1            D08B1F799F38EFEC30044A92880980FE817CAE05                               x86\pageant.exe
-SHA1            43AF119316EB573C871457429CF73C2BF58E8D46                               x86\plink.exe
-SHA1            A83C59706DAA0CE6AA03C8E70BA26F4CD6F859E8                               x86\pscp.exe
-SHA1            11DD2BB56045116F9E559EFDFF502ECD78755B1A                               x86\psftp.exe
-SHA1            1B4BD3331C2EB7052532ACC72C9E4594D9106FC1                               x86\putty.exe
-SHA1            F0713B69CF4E94660148153B4BF49F53E67672C6                               x86\puttygen.exe
-SHA1            DDB9F87E6C65C3DECAC38775FE8785CC98E3DF11                               x86\puttytel.exe
-SHA1            5FF1FEC2BCAEBB1F54DF3BFC176E5E3FC1D2F520                               puttycac-0.75-installer.msi
-SHA1            5D3F1905516DB26C6E77777C49F84A7C26AF90E7                               puttycac-0.75.zip
-SHA1            0F0BDF6B750A0EA50A3304BCC4A23A8613B953CA                               puttycac-64bit-0.75-installer.msi
-SHA1            74E3AC6057354BB26743DE997543902E53642425                               puttycac-64bit-0.75.zip
+SHA1            1AFD46C143B96535CE333EF56BD02AACDC1973C6                               x64\pageant.exe
+SHA1            503D66C4CE6C27F02A5260F03846781D1B8AFDE9                               x64\plink.exe
+SHA1            B65D3E51577E2FC93B565DBC773B747ECF9F5853                               x64\pscp.exe
+SHA1            182DA2BC5E023F4707220B02A61CA50A92CB6B17                               x64\psftp.exe
+SHA1            9107F22D15E7D4837B685C72A06A0A938A1A6EFB                               x64\putty.exe
+SHA1            BB81C995E2F60BB937EE4F4674225C35F7132719                               x64\puttygen.exe
+SHA1            B1F369604CE60AC80EDE9330CA1DD214B6EB94CB                               x64\puttytel.exe
+SHA1            9DE8A72456A0C5082564B1C97B9D856768B04AF3                               x86\pageant.exe
+SHA1            4C36DAA92652844BED6F2E7475CDC3D2317A88AA                               x86\plink.exe
+SHA1            5D084FD0E4CAD79FCE52D829E81707799D5432E3                               x86\pscp.exe
+SHA1            8CF6A054694F9472E7520AC04489F5763609E424                               x86\psftp.exe
+SHA1            78E116B789CA6E400CBAEDFCE4C43CA20C62429D                               x86\putty.exe
+SHA1            05F07284190D7DDDF7BB24149BF2B675FBD6B3AB                               x86\puttygen.exe
+SHA1            1AE53C2907C326D82DABA6352DC771492083516C                               x86\puttytel.exe
+SHA1            C9626BC6E93323AF8AC0945882D550DAC53E8D23                               puttycac-0.75-installer.msi
+SHA1            B3617EB73AF881C9A14B167F87947E36593D481C                               puttycac-0.75.zip
+SHA1            B8EAC6266FE800A78EE33AB58766B5013518A4C3                               puttycac-64bit-0.75-installer.msi
+SHA1            46B2DCA659B6A5D3C677A6FEB56324F09CF3C379                               puttycac-64bit-0.75.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-MD5             72A5BBCF7DB5D230B627A92FA29B7DFE                                       x64\pageant.exe
-MD5             964659F68FFD31A49C4E7133B5BF393A                                       x64\plink.exe
-MD5             5C902796B9B6838D4C36823F7D4FF5BF                                       x64\pscp.exe
-MD5             7FF050792CD5AE9FAC47C5AEE759C061                                       x64\psftp.exe
-MD5             E13A90AABA9B6689874319FCDC6EDBC5                                       x64\putty.exe
-MD5             DBF875FAF4708D28986C5CAEDABE884E                                       x64\puttygen.exe
-MD5             F097D137705744316AD7EB309A209C32                                       x64\puttytel.exe
-MD5             66A58EF9B26286CC991C3185F7644C11                                       x86\pageant.exe
-MD5             C38202A9834454438368B65B0AE3ADDE                                       x86\plink.exe
-MD5             10DF351CCA140D549B32440B7AD598BF                                       x86\pscp.exe
-MD5             D8B5A21C660FEA35B7165D137E33237F                                       x86\psftp.exe
-MD5             CCC5480EBF763B7D461149EEA3B70899                                       x86\putty.exe
-MD5             15B130C7DC62B545B096A23C1933F3AB                                       x86\puttygen.exe
-MD5             25BE7870C57A4A86D9307085DBA555A2                                       x86\puttytel.exe
-MD5             147A31516A50D4E09EDA9FD925C96893                                       puttycac-0.75-installer.msi
-MD5             D98F3FE0B1BB6F5AC3354F10CAF10FEA                                       puttycac-0.75.zip
-MD5             4C388F7356BF20194DBA15DBCB02D8E1                                       puttycac-64bit-0.75-installer.msi
-MD5             39CE609BCFD55CF474A8F69F030BDF18                                       puttycac-64bit-0.75.zip
+MD5             95699C1C973DDF61F099628B660EE8B9                                       x64\pageant.exe
+MD5             CAAF983EF57576BFE47FB388BD08A80F                                       x64\plink.exe
+MD5             33AF8AA3841D16309A8872294FCE27C3                                       x64\pscp.exe
+MD5             A6C7B13DCCDBDBF013E4C0B807312898                                       x64\psftp.exe
+MD5             32CF6B1D06D2B76F95144CC60CEC0EE6                                       x64\putty.exe
+MD5             FF798BAC7EC2CC14E3EFD69A913CF3B4                                       x64\puttygen.exe
+MD5             B3259492C6307AC4CE628C682C78AC41                                       x64\puttytel.exe
+MD5             C6DE402B29698E6181411A5184C25F6E                                       x86\pageant.exe
+MD5             EA30EC11FF428B43B79DD53A5D653EE2                                       x86\plink.exe
+MD5             8206B53A36A98E2EEF4DDE1FD1C01B7A                                       x86\pscp.exe
+MD5             9E2F85ED1EAC267E6EF475B90C3409A3                                       x86\psftp.exe
+MD5             6F157623C169B3F9E3C887265514351B                                       x86\putty.exe
+MD5             665C161ADD9CA570C1124A9E385FA70F                                       x86\puttygen.exe
+MD5             08C8A6A7D081974385D2C10CA134DDAB                                       x86\puttytel.exe
+MD5             9FA2F8F86F77D8B66B7140677256B512                                       puttycac-0.75-installer.msi
+MD5             08BFA7F6BF659AF2863FC993D89F3EC0                                       puttycac-0.75.zip
+MD5             019FA9C8511F79397A88C86E37A9BD35                                       puttycac-64bit-0.75-installer.msi
+MD5             DB070091BB3121C5B550EAB1F77678A6                                       puttycac-64bit-0.75.zip
 
 
diff --git a/binaries/x64/pageant.exe b/binaries/x64/pageant.exe
diff --git a/binaries/x64/plink.exe b/binaries/x64/plink.exe
diff --git a/binaries/x64/pscp.exe b/binaries/x64/pscp.exe
diff --git a/binaries/x64/psftp.exe b/binaries/x64/psftp.exe
diff --git a/binaries/x64/putty.exe b/binaries/x64/putty.exe
diff --git a/binaries/x64/puttygen.exe b/binaries/x64/puttygen.exe
diff --git a/binaries/x64/puttytel.exe b/binaries/x64/puttytel.exe
diff --git a/binaries/x86/pageant.exe b/binaries/x86/pageant.exe
diff --git a/binaries/x86/plink.exe b/binaries/x86/plink.exe
diff --git a/binaries/x86/pscp.exe b/binaries/x86/pscp.exe
diff --git a/binaries/x86/psftp.exe b/binaries/x86/psftp.exe
diff --git a/binaries/x86/putty.exe b/binaries/x86/putty.exe
diff --git a/binaries/x86/puttygen.exe b/binaries/x86/puttygen.exe
diff --git a/binaries/x86/puttytel.exe b/binaries/x86/puttytel.exe
diff --git a/code/cert/cert_common.c b/code/cert/cert_common.c
@@ -49,44 +49,34 @@ LPSTR cert_get_cert_hash(LPCSTR szIden, PCCERT_CONTEXT pCertContext, LPCSTR szHi
 
 LPSTR cert_prompt(LPCSTR szIden, HWND hWnd, BOOL bAutoSelect)
 {
-	HCERTSTORE hStore = NULL;
+	HCERTSTORE hCertStore = NULL;
 	LPCSTR szHint = NULL;
 
 	if (cert_is_capipath(szIden))
 	{
-		hStore = cert_capi_get_cert_store(&szHint, hWnd);
+		hCertStore = cert_capi_get_cert_store(&szHint, hWnd);
 	}
 
 	if (cert_is_pkcspath(szIden))
 	{
-		hStore = cert_pkcs_get_cert_store(&szHint, hWnd);
+		hCertStore = cert_pkcs_get_cert_store(&szHint, hWnd);
 	}
 
 	// return if store could not be loaded
-	if (hStore == NULL) return NULL;
+	if (hCertStore == NULL) return NULL;
 
 	// create a memory store so we can proactively filter certificates
 	HCERTSTORE hMemoryStore = CertOpenStore(CERT_STORE_PROV_MEMORY,
 		X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 		0, CERT_STORE_CREATE_NEW_FLAG, NULL);
 
-	// setup a structure to search for only client auth eligible cert
-	CTL_USAGE tItem;
-	CHAR* sClientAuthUsage[] = { szOID_PKIX_KP_CLIENT_AUTH };
-	CHAR* sSmartCardLogonUsage[] = { szOID_KP_SMARTCARD_LOGON };
-	tItem.cUsageIdentifier = 1;
-	tItem.rgpszUsageIdentifier = cert_smartcard_certs_only((DWORD)-1) ? sSmartCardLogonUsage : sClientAuthUsage;
-	PCCERT_CONTEXT pCertContext = NULL;
-
 	// enumerate all certs
+	PCCERT_CONTEXT pCertContext = NULL;
 	int iCertCount = 0;
-	while ((pCertContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-		cert_smartcard_certs_only((DWORD)-1) ? CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG : CERT_FIND_VALID_ENHKEY_USAGE_FLAG,
-		CERT_FIND_ENHKEY_USAGE, &tItem, pCertContext)) != NULL)
+	while ((pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext)) != NULL)
 	{
-		// verify time validity if requested
-		DWORD iFlags = CERT_STORE_TIME_VALIDITY_FLAG;
-		if (cert_ignore_expired_certs((DWORD)-1) && CertVerifySubjectCertificateContext(pCertContext, NULL, &iFlags) == TRUE && iFlags != 0) continue;
+		// ignore invalid cert sbased on settings
+		if (!cert_check_valid(pCertContext)) continue;
 
 		CertAddCertificateContextToStore(hMemoryStore, pCertContext, CERT_STORE_ADD_ALWAYS, NULL);
 		iCertCount++;
@@ -445,30 +435,96 @@ VOID cert_display_cert(LPCSTR szCert, HWND hWnd)
 	CertCloseStore(hCertStore, 0);
 }
 
+BOOL cert_check_valid(PCCERT_CONTEXT pCertContext)
+{
+	// minimally very digital signature key usage
+	BYTE tUsageInfo[2] = { 0, 0 };
+	DWORD iUsageInfo = 2;
+	if (CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, pCertContext->pCertInfo, tUsageInfo, sizeof(tUsageInfo)))
+	{
+		if ((tUsageInfo[0] & CERT_DIGITAL_SIGNATURE_KEY_USAGE) == 0)
+		{
+			return FALSE;
+		}
+	}
+
+	// if certificate has eku, then it should be client auth or smartcard logon
+	BOOL bFoundSmartCardLogon = FALSE;
+	BOOL bFoundClientAuth = FALSE;
+	PCERT_EXTENSION pEnhancedKeyUsage = CertFindExtension(szOID_ENHANCED_KEY_USAGE, 
+		pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension);
+	if (pEnhancedKeyUsage != NULL)
+	{
+		// fetch list of usages
+		PCERT_ENHKEY_USAGE pUsage;
+		DWORD iUsageSize = sizeof(iUsageSize);
+		if (CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_ENHANCED_KEY_USAGE, pEnhancedKeyUsage->Value.pbData,
+			pEnhancedKeyUsage->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &pUsage, &iUsageSize) == FALSE)
+		{
+			return FALSE;
+		}
+
+		// loop through usages, looking for match
+		for (DWORD iUsage = 0; iUsage < pUsage->cUsageIdentifier; iUsage++)
+		{
+			bFoundClientAuth |= strcmp(pUsage->rgpszUsageIdentifier[iUsage], szOID_PKIX_KP_CLIENT_AUTH) == 0;
+			bFoundSmartCardLogon |= strcmp(pUsage->rgpszUsageIdentifier[iUsage], szOID_KP_SMARTCARD_LOGON) == 0;
+		}
+
+		// return false if no match found
+		LocalFree(pUsage);
+		if (!bFoundClientAuth && !bFoundSmartCardLogon) return FALSE;
+	}
+
+	// verify only smartcard card eku if requested
+	if (cert_smartcard_certs_only((DWORD)-1))
+	{
+		if (!bFoundSmartCardLogon) return FALSE;
+	}
+
+	// verify time validity if requested
+	DWORD iFlags = CERT_STORE_TIME_VALIDITY_FLAG;
+	if (cert_ignore_expired_certs((DWORD)-1))
+	{
+		if (CertVerifySubjectCertificateContext(pCertContext, NULL, &iFlags) == TRUE && iFlags != 0)
+			return FALSE;
+	}
+
+	// build and validate certificate chain
+	if (cert_trusted_certs_only((DWORD)-1))
+	{
+		// attempt to chain the chain
+		CERT_CHAIN_PARA tChainParams;
+		ZeroMemory(&tChainParams, sizeof(tChainParams));
+		tChainParams.cbSize = sizeof(tChainParams);
+		PCCERT_CHAIN_CONTEXT pChainContext = NULL;
+		BOOL bChainResult = CertGetCertificateChain(NULL, pCertContext, NULL, NULL, &tChainParams, 
+			CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &pChainContext);
+		if (bChainResult == false) return FALSE;
+
+		// concider trusted if the only error was account offline crls
+		BOOL bTrusted = (pChainContext->TrustStatus.dwErrorStatus
+			& ~(CERT_TRUST_IS_OFFLINE_REVOCATION | CERT_TRUST_REVOCATION_STATUS_UNKNOWN)) == 0;
+		CertFreeCertificateChain(pChainContext);
+		if (!bTrusted) return FALSE;
+	}
+
+	return TRUE;
+}
+
 int cert_all_certs(LPSTR ** pszCert)
 {
 	// get a handle to the cert store
 	LPCSTR szHint = NULL;
 	HCERTSTORE hCertStore = cert_capi_get_cert_store(&szHint, NULL);
 
-	// enumerate all certs
-	CTL_USAGE tItem;
-	CHAR * sClientAuthUsage[] = { szOID_PKIX_KP_CLIENT_AUTH };
-	CHAR * sSmartCardLogonUsage[] = { szOID_KP_SMARTCARD_LOGON };
-	tItem.cUsageIdentifier = 1;
-	tItem.rgpszUsageIdentifier = cert_smartcard_certs_only((DWORD)-1) ? sSmartCardLogonUsage : sClientAuthUsage;
-	PCCERT_CONTEXT pCertContext = NULL;
-
 	// find certificates matching our criteria
 	size_t iCertNum = 0;
-	*pszCert = NULL;
-	while ((pCertContext = CertFindCertificateInStore(hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-		cert_smartcard_certs_only((DWORD)-1) ? CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG : CERT_FIND_VALID_ENHKEY_USAGE_FLAG, 
-		CERT_FIND_ENHKEY_USAGE, &tItem, pCertContext)) != NULL)
+	PCCERT_CONTEXT pCertContext = NULL;
+	while ((pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext)) != NULL)
 	{
-		// verify time validity if requested
-		DWORD iFlags = CERT_STORE_TIME_VALIDITY_FLAG;
-		if (cert_ignore_expired_certs((DWORD)-1) && CertVerifySubjectCertificateContext(pCertContext, NULL, &iFlags) == TRUE && iFlags != 0) continue;
+		// ignore invalid cert sbased on settings
+		if (!cert_check_valid(pCertContext)) continue;
 
 		// count cert and [re]allocate the return string array
 		*pszCert = snrealloc(*pszCert, iCertNum + 1, sizeof(LPSTR));
@@ -686,6 +742,13 @@ PVOID cert_pin(LPSTR szCert, BOOL bUnicode, LPVOID szPin, HWND hWnd)
 	return szReturn;
 }
 
+EXTERN BOOL cert_trusted_certs_only(DWORD bEnable)
+{
+	static BOOL bTrustedCertsOnly = FALSE;
+	if (bEnable != -1) bTrustedCertsOnly = bEnable;
+	return bTrustedCertsOnly;
+}
+
 EXTERN BOOL cert_save_cert_list_enabled(DWORD bEnable)
 {
 	static BOOL bSaveCertListEnabled = FALSE;

diff --git a/code/cert/cert_common.h b/code/cert/cert_common.h
@@ -21,13 +21,15 @@
 // functions used only by the capi and pkcs addon modules
 EXTERN void cert_reverse_array(LPBYTE pb, DWORD cb);
 EXTERN BOOL cert_load_cert(LPCSTR szCert, PCERT_CONTEXT * ppCertContext, HCERTSTORE * phCertStore);
+EXTERN BOOL cert_check_valid(PCCERT_CONTEXT pCertContext);
 EXTERN LPSTR cert_get_cert_hash(LPCSTR szIden, PCCERT_CONTEXT pCertContext, LPCSTR szHint);
 EXTERN PVOID cert_pin(LPSTR szCert, BOOL bUnicode, LPVOID szPin, HWND hWnd);
 EXTERN BOOL cert_save_cert_list_enabled(DWORD bEnable);
 EXTERN BOOL cert_cache_enabled(DWORD bEnable);
 EXTERN BOOL cert_auth_prompting(DWORD bEnable);
 EXTERN BOOL cert_smartcard_certs_only(DWORD bEnable);
 EXTERN BOOL cert_ignore_expired_certs(DWORD bEnable);
+EXTERN BOOL cert_trusted_certs_only(DWORD bEnable);
 
 // functions used by putty code 
 EXTERN LPSTR cert_key_string(LPCSTR szCert);

diff --git a/code/windows/VS2019/putty/putty.vcxproj b/code/windows/VS2019/putty/putty.vcxproj
@@ -468,8 +468,5 @@
     <ClInclude Include="..\..\winsecur.h" />
     <ClInclude Include="..\..\winstuff.h" />
   </ItemGroup>
-  <ItemGroup>
-    <None Include="ClassDiagram.cd" />
-  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
 </Project>
diff --git a/code/windows/VS2019/putty/putty.vcxproj.filters b/code/windows/VS2019/putty/putty.vcxproj.filters
@@ -527,7 +527,4 @@
       <Filter>Resource Files</Filter>
     </ResourceCompile>
   </ItemGroup>
-  <ItemGroup>
-    <None Include="ClassDiagram.cd" />
-  </ItemGroup>
 </Project>