archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pki/activex/xaddroot/caddroot.cpp

446 lines
13 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1997 - 1999
  6. //
  7. // File: caddroot.cpp
  8. //
  9. //--------------------------------------------------------------------------
  11. // caddroot.cpp : Implementation of Ccaddroot
  13. #include "stdafx.h"
  14. #include "cobjsaf.h"
  15. #include "Xaddroot.h"
  16. #include "caddroot.h"
  17. #include "rootlist.h"
  18. #include "assert.h"
  20. #include "wincrypt.h"
  21. #include "unicode.h"
  22. #include "ui.h"
  24. BOOL FAnyCertUpdates(HCERTSTORE hStore, HCERTSTORE hStoreCertsToCheck) {
  26. BOOL fSomeNotInStore = FALSE;
  27. PCCERT_CONTEXT pCertContext = NULL;
  28. PCCERT_CONTEXT pCertTemp = NULL;
  29. BYTE arHashBytes[20];
  30. CRYPT_HASH_BLOB blobHash = {sizeof(arHashBytes), arHashBytes};
  32. while(NULL != (pCertContext = CertEnumCertificatesInStore(hStoreCertsToCheck, pCertContext))) {
  34. if( CryptHashCertificate(
  35. NULL,
  36. 0,
  37. X509_ASN_ENCODING,
  38. pCertContext->pbCertEncoded,
  39. pCertContext->cbCertEncoded,
  40. blobHash.pbData,
  41. &blobHash.cbData) ) {
  43. pCertTemp = CertFindCertificateInStore(
  44. hStore,
  45. X509_ASN_ENCODING,
  46. 0,
  47. CERT_FIND_HASH,
  48. &blobHash,
  49. NULL);
  51. fSomeNotInStore = (fSomeNotInStore || (pCertTemp == NULL));
  53. if(pCertTemp != NULL)
  54. CertFreeCertificateContext(pCertTemp);
  56. }
  57. }
  59. return(fSomeNotInStore);
  60. }
  62. BOOL MyCryptInstallSignedListOfTrustedRoots(
  63. DWORD dwMsgAndCertEncodeingType,
  64. LPCWSTR wszCTL,
  65. DWORD dwFlags,
  66. void * pvReserved
  67. ) {
  69. BOOL fIsProtected = TRUE;
  70. BOOL fRet = TRUE;
  71. DWORD cb = 0;
  72. BYTE * pb = NULL;
  73. BOOL fRemoveRoots = FALSE;
  74. HCERTSTORE hStore = NULL;
  75. HCERTSTORE hStoreRoot = NULL;
  76. PCCERT_CONTEXT pCertContext = NULL;
  77. PCCERT_CONTEXT pCertContextInStore = NULL;
  78. PCCERT_CONTEXT pCertContextSigner = NULL;
  79. HINSTANCE hCryptUI = NULL;
  80. INT_PTR iDlgRet = 0;
  81. HKEY hKeyStores = NULL;
  82. DWORD err;
  83. DWORD dwVer = 0;
  84. CRYPT_DATA_BLOB dataBlob = {0, NULL};
  85. MDI mdi;
  86. WCHAR wrgInstallCA[MAX_MSG_LEN];
  87. WCHAR wrgJustSayYes[MAX_MSG_LEN];
  89. BYTE arHashBytes[20];
  90. CRYPT_HASH_BLOB blobHash = {sizeof(arHashBytes), arHashBytes};
  92. BOOL fAnyCertUpdates;
  94. if(NULL == (pb = HTTPGet(wszCTL, &cb)))
  95. goto ErrorReturn;
  97. // get the certs to add or delete
  98. if(!I_CertVerifySignedListOfTrustedRoots(
  99. pb,
  100. cb,
  101. &fRemoveRoots,
  102. &hStore,
  103. &pCertContextSigner
  104. ))
  105. goto ErrorReturn;
  107. if(fRemoveRoots) {
  108. SetLastError(E_NOTIMPL);
  109. goto ErrorReturn;
  110. }
  112. dwVer = GetVersion();
  114. // see if this is NT5 or higher
  115. if((dwVer < 0x80000000) && ((dwVer & 0xFF) >= 5)) {
  117. if(NULL == (hStoreRoot = CertOpenStore(
  118. CERT_STORE_PROV_SYSTEM,
  119. X509_ASN_ENCODING,
  120. NULL,
  121. CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_MAXIMUM_ALLOWED_FLAG,
  122. L"Root"
  123. )) )
  124. goto ErrorReturn;
  126. // else it is before NT5 or Win9x and does not have a protected store.
  127. } else {
  129. if(ERROR_SUCCESS != (err = RegOpenKeyA(
  130. HKEY_CURRENT_USER,
  131. "Software\\Microsoft\\SystemCertificates\\Root",
  132. &hKeyStores
  133. ))) {
  134. SetLastError(err);
  135. hKeyStores = NULL;
  136. goto ErrorReturn;
  137. }
  139. // open the root store
  140. // must be current user
  141. if( NULL == (hStoreRoot = CertOpenStore(
  142. CERT_STORE_PROV_REG,
  143. X509_ASN_ENCODING,
  144. NULL,
  145. CERT_SYSTEM_STORE_CURRENT_USER,
  146. (void *) hKeyStores
  147. )) )
  148. goto ErrorReturn;
  150. fIsProtected = FALSE;
  151. }
  154. // prepare the data for the dialog
  155. memset(&mdi, 0, sizeof(mdi));
  156. if( NULL != (hCryptUI = LoadLibraryA("cryptui.dll")) )
  157. mdi.pfnCryptUIDlgViewCertificateW = (PFNCryptUIDlgViewCertificateW)
  158. GetProcAddress(hCryptUI, "CryptUIDlgViewCertificateW");
  159. mdi.hStore = hStore;
  160. mdi.pCertSigner = pCertContextSigner;
  161. mdi.hInstance = _Module.GetResourceInstance();
  163. fAnyCertUpdates = FAnyCertUpdates(hStoreRoot, hStore);
  164. if (fAnyCertUpdates) {
  165. // put the dialog up
  166. iDlgRet = DialogBoxParam(
  167. _Module.GetResourceInstance(),
  168. (LPSTR) MAKEINTRESOURCE(IDD_MAINDLG),
  169. NULL,
  170. MainDialogProc,
  171. (LPARAM) &mdi);
  172. }
  173. else
  174. {
  175. iDlgRet = IDYES;
  176. }
  179. if(hCryptUI != NULL)
  180. FreeLibrary(hCryptUI);
  181. hCryptUI = NULL;
  183. // only take it if the user said OK
  184. if(iDlgRet != IDYES)
  185. goto ErrorReturn;
  187. // throw UI if we are on a protected system
  188. if(fIsProtected && fAnyCertUpdates) {
  190. // put up the Just Say Yes to install the CA dialog
  191. LoadStringU(_Module.GetResourceInstance(), IDS_INSTALLCA, wrgInstallCA, sizeof(wrgInstallCA)/sizeof(WCHAR));
  192. LoadStringU(_Module.GetResourceInstance(), IDS_JUST_SAY_YES, wrgJustSayYes, sizeof(wrgJustSayYes)/sizeof(WCHAR));
  193. MessageBoxU(NULL, wrgJustSayYes, wrgInstallCA, MB_OK);
  194. }
  196. while(NULL != (pCertContext = CertEnumCertificatesInStore(hStore, pCertContext))) {
  198. // add the cert to the store
  199. assert(pCertContextInStore == NULL);
  200. CertAddCertificateContextToStore(
  201. hStoreRoot,
  202. pCertContext,
  203. CERT_STORE_ADD_USE_EXISTING,
  204. &pCertContextInStore
  205. );
  207. // move the EKU property in case the cert already existed
  208. if(pCertContextInStore != NULL) {
  210. assert(dataBlob.cbData == 0);
  212. // Attempt to delete the old EKU, if we succeed we will put
  213. // the new EKU on it, otherwise if we fail we know we don't
  214. // have access to HKLM and we should just add the cert to the HKCU
  215. if(!CertSetCertificateContextProperty(
  216. pCertContextInStore,
  217. CERT_ENHKEY_USAGE_PROP_ID,
  218. 0,
  219. NULL
  220. )) {
  222. // just add the cert, should go to HKCU, if it fails, what am I going
  223. // to do about it, just continue
  224. CertAddCertificateContextToStore(
  225. hStoreRoot,
  226. pCertContext,
  227. CERT_STORE_ADD_ALWAYS,
  228. NULL
  229. );
  231. // at this point I know I have access to the cert and I know the
  232. // EKU have been removed, only add the EKU if the new one has some EKU's
  233. } else if( CertGetCertificateContextProperty(
  234. pCertContext,
  235. CERT_ENHKEY_USAGE_PROP_ID,
  236. NULL,
  237. &dataBlob.cbData
  238. )
  239. &&
  240. (NULL != (dataBlob.pbData = (PBYTE) malloc(dataBlob.cbData)))
  241. &&
  242. CertGetCertificateContextProperty(
  243. pCertContext,
  244. CERT_ENHKEY_USAGE_PROP_ID,
  245. dataBlob.pbData,
  246. &dataBlob.cbData
  247. )
  248. ) {
  250. // set EKU on the cert, what am I going to do if it fails, just continue
  251. CertSetCertificateContextProperty(
  252. pCertContextInStore,
  253. CERT_ENHKEY_USAGE_PROP_ID,
  254. 0,
  255. &dataBlob
  256. );
  257. }
  259. // free context and memory
  260. CertFreeCertificateContext(pCertContextInStore);
  261. pCertContextInStore = NULL;
  263. if(dataBlob.pbData != NULL)
  264. free(dataBlob.pbData);
  265. memset(&dataBlob, 0, sizeof(CRYPT_DATA_BLOB));
  266. }
  267. }
  269. CommonReturn:
  271. if(pCertContextSigner != NULL)
  272. CertFreeCertificateContext(pCertContextSigner);
  274. if(pCertContext != NULL)
  275. CertFreeCertificateContext(pCertContext);
  277. if(pCertContextInStore != NULL)
  278. CertFreeCertificateContext(pCertContextInStore);
  280. if(hStore != NULL)
  281. CertCloseStore(hStore, CERT_CLOSE_STORE_FORCE_FLAG); // clean up from dialog box dups
  283. if(hStoreRoot != NULL)
  284. CertCloseStore(hStoreRoot, 0);
  286. if(hKeyStores != NULL)
  287. RegCloseKey(hKeyStores);
  289. if(pb != NULL)
  290. free(pb);
  292. return(fRet);
  294. ErrorReturn:
  296. fRet = FALSE;
  298. goto CommonReturn;
  300. }
  302. HRESULT STDMETHODCALLTYPE Ccaddroot::AddRoots(BSTR wszCTL) {
  304. HRESULT hr;
  305. DWORD fRet = TRUE;
  308. fRet = MyCryptInstallSignedListOfTrustedRoots(
  309. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  310. wszCTL,
  311. 0,
  312. NULL);
  315. if(fRet)
  316. hr = S_OK;
  317. else
  318. hr = MY_HRESULT_FROM_WIN32(GetLastError());
  321. return hr;
  323. }
  325. BOOL MyCryptInstallIntermediateCAs(
  326. DWORD dwMsgAndCertEncodeingType,
  327. LPCWSTR wszX509,
  328. DWORD dwFlags,
  329. void * pvReserved
  330. ) {
  332. DWORD cb = 0;
  333. DWORD cCerts = 0;
  334. BYTE * pb = NULL;
  335. PCCERT_CONTEXT pCertContext = NULL;
  336. PCCERT_CONTEXT pCertContextT = NULL;
  337. HCERTSTORE hStore = NULL;
  338. BOOL fOK = FALSE;
  340. pb = HTTPGet(wszX509, &cb);
  342. if(pb != NULL) {
  344. pCertContext = CertCreateCertificateContext(
  345. X509_ASN_ENCODING,
  346. pb,
  347. cb
  348. );
  350. if(pCertContext != NULL) {
  352. hStore = CertOpenStore(
  353. CERT_STORE_PROV_SYSTEM,
  354. X509_ASN_ENCODING,
  355. NULL,
  356. CERT_SYSTEM_STORE_CURRENT_USER,
  357. L"CA"
  358. );
  360. if(hStore != NULL) {
  362. // count the number of certs in the store
  363. cCerts = 0;
  364. while(NULL != (pCertContextT = CertEnumCertificatesInStore(hStore, pCertContextT)))
  365. cCerts++;
  367. if(FIsTooManyCertsOK(cCerts, _Module.GetResourceInstance())) {
  369. CertAddCertificateContextToStore(
  370. hStore,
  371. pCertContext,
  372. CERT_STORE_ADD_USE_EXISTING,
  373. NULL
  374. );
  376. CertCloseStore(hStore, 0);
  377. fOK = TRUE;
  378. }
  379. }
  381. CertFreeCertificateContext(pCertContext);
  382. }
  383. free(pb);
  384. }
  386. return(fOK);
  387. }
  389. HRESULT STDMETHODCALLTYPE Ccaddroot::AddCA(BSTR wszX509) {
  391. HRESULT hr;
  392. DWORD fRet = TRUE;
  394. fRet = MyCryptInstallIntermediateCAs(
  395. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  396. wszX509,
  397. 0,
  398. NULL);
  400. if(fRet)
  401. hr = S_OK;
  402. else
  403. hr = MY_HRESULT_FROM_WIN32(GetLastError());
  406. return hr;
  407. }
  409. HRESULT __stdcall Ccaddroot::GetInterfaceSafetyOptions(
  410. /* [in] */ REFIID riid,
  411. /* [out] */ DWORD __RPC_FAR *pdwSupportedOptions,
  412. /* [out] */ DWORD __RPC_FAR *pdwEnabledOptions) {
  414. RPC_STATUS rpcStatus;
  416. if(0 != UuidCompare((GUID *) &riid, (GUID *) &IID_IDispatch, &rpcStatus) )
  417. return(E_NOINTERFACE);
  419. *pdwEnabledOptions = dwEnabledSafteyOptions;
  420. *pdwSupportedOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA;
  423. return(S_OK);
  424. }
  427. HRESULT __stdcall Ccaddroot::SetInterfaceSafetyOptions(
  428. /* [in] */ REFIID riid,
  429. /* [in] */ DWORD dwOptionSetMask,
  430. /* [in] */ DWORD dwEnabledOptions) {
  432. RPC_STATUS rpcStatus;
  433. DWORD dwSupport = 0;
  435. if(0 != UuidCompare((GUID *) &riid, (GUID *) &IID_IDispatch, &rpcStatus) )
  436. return(E_NOINTERFACE);
  438. dwSupport = dwOptionSetMask & ~(INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA);
  439. if(dwSupport != 0)
  440. return(E_FAIL);
  442. dwEnabledSafteyOptions &= ~dwOptionSetMask;
  443. dwEnabledSafteyOptions |= dwEnabledOptions;
  445. return(S_OK);
  446. }