archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/services/ca/certlib/crypt.cpp

4529 lines
100 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+--------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1996 - 1999
  5. //
  6. // File: crypt.cpp
  7. //
  8. // Contents: Cert Server wrapper routines
  9. //
  10. //---------------------------------------------------------------------------
  12. #include <pch.cpp>
  14. #pragma hdrstop
  16. #include <stdlib.h>
  17. #include <winldap.h>
  19. #include "csdisp.h"
  20. #include "cscsp.h"
  21. #include "csprop.h"
  22. #include "csber.h"
  23. #include "csldap.h"
  25. #define __dwFILE__ __dwFILE_CERTLIB_CRYPT_CPP__
  28. HRESULT
  29. myGenerateKeys(
  30. IN WCHAR const *pwszContainer,
  31. OPTIONAL IN WCHAR const *pwszProvName,
  32. IN DWORD dwFlags,
  33. IN BOOL fMachineKeySet,
  34. IN DWORD dwKeySpec,
  35. IN DWORD dwProvType,
  36. IN DWORD dwKeySize,
  37. OUT HCRYPTPROV *phProv)
  38. {
  39. HRESULT hr;
  40. HCRYPTKEY hKey = NULL;
  42. *phProv = NULL;
  44. if (fMachineKeySet)
  45. {
  46. dwFlags |= CRYPT_MACHINE_KEYSET;
  47. }
  49. // see if the container already exists
  51. if (CryptAcquireContext(
  52. phProv,
  53. pwszContainer,
  54. pwszProvName,
  55. dwProvType,
  56. dwFlags))
  57. {
  58. if (NULL != *phProv)
  59. {
  60. CryptReleaseContext(*phProv, 0);
  61. *phProv = NULL;
  62. }
  64. // container exists -- remove old keys and generate new ones.
  66. if (!CryptAcquireContext(
  67. phProv,
  68. pwszContainer,
  69. pwszProvName,
  70. dwProvType,
  71. CRYPT_DELETEKEYSET | dwFlags))
  72. {
  73. hr = myHLastError();
  74. _JumpError(hr, error, "CryptAcquireContextEx");
  75. }
  76. }
  78. // create new container
  80. if (!CryptAcquireContext(
  81. phProv,
  82. pwszContainer,
  83. pwszProvName,
  84. dwProvType,
  85. CRYPT_NEWKEYSET | dwFlags)) // force new container
  86. {
  87. hr = myHLastError();
  88. _JumpError(hr, error, "CryptAcquireContextEx");
  89. }
  91. // create keys
  93. if (!CryptGenKey(*phProv, dwKeySpec, dwKeySize << 16, &hKey))
  94. {
  95. hr = myHLastError();
  96. _JumpError(hr, error, "CryptGenKey");
  97. }
  98. hr = S_OK;
  100. error:
  101. if (NULL != hKey)
  102. {
  103. CryptDestroyKey(hKey);
  104. }
  105. return(hr);
  106. }
  109. HRESULT
  110. myCryptExportPrivateKey(
  111. IN HCRYPTKEY hKey,
  112. OUT BYTE **ppbKey,
  113. OUT DWORD *pcbKey)
  114. {
  115. HRESULT hr;
  116. BYTE *pbKey = NULL;
  118. *ppbKey = NULL;
  120. // export the key set to a CAPI blob
  122. if (!CryptExportKey(hKey, NULL, PRIVATEKEYBLOB, 0, NULL, pcbKey))
  123. {
  124. hr = myHLastError();
  125. _JumpError2(hr, error, "CryptExportKey", NTE_BAD_KEY_STATE);
  126. }
  128. pbKey = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbKey);
  129. if (NULL == pbKey)
  130. {
  131. hr = E_OUTOFMEMORY;
  132. _JumpError(hr, error, "LocalAlloc");
  133. }
  135. if (!CryptExportKey(hKey, NULL, PRIVATEKEYBLOB, 0, pbKey, pcbKey))
  136. {
  137. hr = myHLastError();
  138. _JumpError(hr, error, "CryptExportKey");
  139. }
  141. *ppbKey = pbKey;
  142. pbKey = NULL;
  143. hr = S_OK;
  145. error:
  146. if (NULL != pbKey)
  147. {
  148. LocalFree(pbKey);
  149. }
  150. return(hr);
  151. }
  154. HRESULT
  155. myVerifyPublicKeyFromHProv(
  156. IN HCRYPTPROV hProv,
  157. IN DWORD dwKeySpec,
  158. IN OPTIONAL CERT_CONTEXT const *pCert,
  159. IN BOOL fV1Cert,
  160. IN OPTIONAL CERT_PUBLIC_KEY_INFO const *pPublicKeyInfo,
  161. OPTIONAL OUT BOOL *pfMatchingKey)
  162. {
  163. HRESULT hr;
  164. DWORD cb;
  165. CERT_PUBLIC_KEY_INFO *pPublicKeyInfoExported = NULL;
  167. if (NULL != pfMatchingKey)
  168. {
  169. *pfMatchingKey = FALSE;
  170. }
  171. if (!myCryptExportPublicKeyInfo(
  172. hProv,
  173. dwKeySpec,
  174. CERTLIB_USE_LOCALALLOC,
  175. &pPublicKeyInfoExported,
  176. &cb))
  177. {
  178. hr = myHLastError();
  179. _JumpError(hr, error, "myCryptExportPublicKeyInfo");
  180. }
  182. if (NULL == pPublicKeyInfo)
  183. {
  184. if (NULL == pCert)
  185. {
  186. hr = E_POINTER;
  187. _JumpError(hr, error, "No cert & no SubjectPublicKeyInfo");
  188. }
  189. pPublicKeyInfo = &pCert->pCertInfo->SubjectPublicKeyInfo;
  190. }
  191. if (!myCertComparePublicKeyInfo(
  192. X509_ASN_ENCODING,
  193. fV1Cert,
  194. pPublicKeyInfoExported,
  195. pPublicKeyInfo))
  196. {
  197. // by design, (my)CertComparePublicKeyInfo doesn't set last error!
  199. hr = NTE_BAD_KEY;
  200. _JumpError(hr, error, "myCertComparePublicKeyInfo");
  201. }
  202. if (NULL != pfMatchingKey)
  203. {
  204. *pfMatchingKey = TRUE;
  205. }
  206. hr = S_OK;
  208. error:
  209. if (NULL != pPublicKeyInfoExported)
  210. {
  211. LocalFree(pPublicKeyInfoExported);
  212. }
  213. return(hr);
  214. }
  217. HRESULT
  218. myVerifyPublicKey(
  219. IN OPTIONAL CERT_CONTEXT const *pCert,
  220. IN BOOL fV1Cert,
  221. IN OPTIONAL CRYPT_KEY_PROV_INFO const *pKeyProvInfo,
  222. IN OPTIONAL CERT_PUBLIC_KEY_INFO const *pPublicKeyInfo,
  223. OPTIONAL OUT BOOL *pfMatchingKey)
  224. {
  225. HRESULT hr;
  226. HCRYPTPROV hProv = NULL;
  227. DWORD dwKeySpec;
  229. if (NULL != pfMatchingKey)
  230. {
  231. *pfMatchingKey = FALSE;
  232. }
  233. if (NULL == pCert ||
  234. !CryptAcquireCertificatePrivateKey(
  235. pCert,
  236. 0, // dwFlags
  237. NULL, // pvReserved
  238. &hProv,
  239. &dwKeySpec,
  240. NULL)) // pfCallerFreeProv
  241. {
  242. if (NULL != pKeyProvInfo)
  243. {
  244. // ok, try passed kpi
  246. if (!myCertSrvCryptAcquireContext(
  247. &hProv,
  248. pKeyProvInfo->pwszContainerName,
  249. pKeyProvInfo->pwszProvName,
  250. pKeyProvInfo->dwProvType,
  251. ~CRYPT_MACHINE_KEYSET & pKeyProvInfo->dwFlags,
  252. (CRYPT_MACHINE_KEYSET & pKeyProvInfo->dwFlags)? TRUE : FALSE))
  253. {
  254. hr = myHLastError();
  255. _JumpErrorStr(
  256. hr,
  257. error,
  258. "myCertSrvCryptAcquireContextEx",
  259. pKeyProvInfo->pwszContainerName);
  260. }
  261. dwKeySpec = pKeyProvInfo->dwKeySpec;
  262. }
  263. else if (NULL != pCert)
  264. {
  265. hr = myHLastError();
  266. _JumpError(hr, error, "CryptAcquireCertificatePrivateKey");
  267. }
  268. else
  269. {
  270. hr = E_POINTER;
  271. _JumpError(hr, error, "No cert & no KeyProvInfo");
  272. }
  273. }
  274. hr = myVerifyPublicKeyFromHProv(
  275. hProv,
  276. dwKeySpec,
  277. pCert,
  278. fV1Cert,
  279. pPublicKeyInfo,
  280. pfMatchingKey);
  281. _JumpIfError(hr, error, "myVerifyPublicKeyFromHProv");
  283. error:
  284. if (NULL != hProv)
  285. {
  286. CryptReleaseContext(hProv, 0);
  287. }
  288. return(hr);
  289. }
  292. DWORD
  293. myASNGetDataIndex(
  294. IN BYTE bBERTag,
  295. IN DWORD iStart,
  296. IN BYTE const *pb,
  297. IN DWORD cb,
  298. OUT DWORD *pdwLen)
  299. {
  300. DWORD iData = MAXDWORD;
  302. pb += iStart;
  303. if (iStart + 2 <= cb && bBERTag == pb[0])
  304. {
  305. DWORD cbLen = 0;
  307. if (0x7f >= pb[1])
  308. {
  309. *pdwLen = pb[1];
  310. cbLen = 1;
  311. }
  312. else if (iStart + 3 <= cb && 0x81 == pb[1])
  313. {
  314. *pdwLen = pb[2];
  315. cbLen = 2;
  316. }
  317. else if (iStart + 4 <= cb && 0x82 == pb[1])
  318. {
  319. *pdwLen = (pb[2] << 8) | pb[3];
  320. cbLen = 3;
  321. }
  322. if (0 != cbLen &&
  323. iStart + cbLen + *pdwLen <= cb)
  324. {
  325. iData = iStart + 1 + cbLen;
  326. }
  327. }
  328. return(iData);
  329. }
  332. DWORD
  333. myASNStoreLength(
  334. IN DWORD dwLen,
  335. IN OUT BYTE *pb,
  336. IN DWORD cb)
  337. {
  338. DWORD cbLen = MAXDWORD;
  340. if (1 <= cb && 0x7f >= dwLen)
  341. {
  342. pb[0] = (BYTE) dwLen;
  343. cbLen = 1;
  344. }
  345. else if (2 <= cb && 0xff >= dwLen)
  346. {
  347. pb[0] = 0x81;
  348. pb[1] = (BYTE) dwLen;
  349. cbLen = 2;
  350. }
  351. else if (3 <= cb && 0xffff >= dwLen)
  352. {
  353. pb[0] = 0x82;
  354. pb[1] = (BYTE) (dwLen >> 8);
  355. pb[2] = (BYTE) dwLen;
  356. cbLen = 3;
  357. }
  358. return(cbLen);
  359. }
  362. // If this is a valid public key with a missing leading zero byte before the
  363. // sign bit set in the first public key byte, add a zero byte and increment
  364. // the lengths. This canonicalizes the old incorrect V1 public key encoding
  365. // used in EPF files.
  367. HRESULT
  368. myCanonicalizePublicKey(
  369. IN BYTE const *pbKeyIn,
  370. IN DWORD cbKeyIn,
  371. OUT BYTE **ppbKeyOut,
  372. OUT DWORD *pcbKeyOut)
  373. {
  374. HRESULT hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
  375. DWORD iDataSequence;
  376. DWORD dwLenSequence;
  377. DWORD iDataModulus;
  378. DWORD dwLenModulus;
  379. BYTE *pbKeyOut = NULL;
  380. DWORD cbKeyOut;
  381. BYTE *pb;
  382. DWORD cb;
  383. DWORD cbLen;
  385. *ppbKeyOut = NULL;
  387. iDataSequence = myASNGetDataIndex(
  388. BER_SEQUENCE,
  389. 0,
  390. pbKeyIn,
  391. cbKeyIn,
  392. &dwLenSequence);
  393. if (MAXDWORD == iDataSequence)
  394. {
  395. _JumpError(hr, error, "iDataSequence");
  396. }
  397. iDataModulus = myASNGetDataIndex(
  398. BER_INTEGER,
  399. iDataSequence,
  400. pbKeyIn,
  401. cbKeyIn,
  402. &dwLenModulus);
  403. if (MAXDWORD == iDataModulus)
  404. {
  405. _JumpError(hr, error, "iDataModulus");
  406. }
  407. if (iDataSequence + dwLenSequence == cbKeyIn - 1 &&
  408. 1 == pbKeyIn[cbKeyIn - 1])
  409. {
  410. cbKeyIn--;
  411. }
  412. if (0 == (0x80 & pbKeyIn[iDataModulus]))
  413. {
  414. _JumpError2(hr, error, "key sign", hr);
  415. }
  416. cbKeyOut = cbKeyIn + 1;
  417. pbKeyOut = (BYTE *) LocalAlloc(LMEM_FIXED, cbKeyOut);
  418. if (NULL == pbKeyOut)
  419. {
  420. hr = E_OUTOFMEMORY;
  421. _JumpError(hr, error, "LocalAlloc");
  422. }
  424. pb = pbKeyOut;
  425. cb = cbKeyOut;
  427. // Set the sequence tag and new length:
  429. *pb++ = BER_SEQUENCE;
  430. cb--;
  431. cbLen = myASNStoreLength(dwLenSequence + 1, pb, cb);
  432. if (MAXDWORD == cbLen)
  433. {
  434. _JumpError(hr, error, "new dwLenSequence");
  435. }
  436. pb += cbLen;
  437. cb -= cbLen;
  439. // Set the modulus tag and new length:
  441. *pb++ = BER_INTEGER;
  442. cb--;
  443. cbLen = myASNStoreLength(dwLenModulus + 1, pb, cb);
  444. if (MAXDWORD == cbLen)
  445. {
  446. _JumpError(hr, error, "new dwLenModulus");
  447. }
  448. pb += cbLen;
  449. cb -= cbLen;
  451. *pb++ = 0;
  452. cb--;
  454. if (cb != cbKeyIn - (iDataModulus))
  455. {
  456. // crossed an encoding length boundary -- shouldn't happen!
  457. // new and old sequence and modulus lengths expected:
  458. // 0x10a <== 0x109, 0x101 <== 0x100
  459. // 0x89 <== 0x88, 0x81 <== 0x80
  460. // 0x48 <== 0x47, 0x41 <== 0x40
  462. _JumpError(hr, error, "new key length");
  463. }
  464. CopyMemory(pb, &pbKeyIn[iDataModulus], cb);
  466. *pcbKeyOut = cbKeyOut;
  467. *ppbKeyOut = pbKeyOut;
  468. pbKeyOut = NULL;
  469. hr = S_OK;
  471. error:
  472. if (NULL != pbKeyOut)
  473. {
  474. LocalFree(pbKeyOut);
  475. }
  476. return(hr);
  477. }
  480. // If this is a valid public key with a proper leading zero byte before the
  481. // sign bit set in the next public key byte, remove the zero byte and decrement
  482. // the lengths. This conforms to the old incorrect V1 public key encoding
  483. // used in EPF files.
  485. HRESULT
  486. mySqueezePublicKey(
  487. IN BYTE const *pbKeyIn,
  488. IN DWORD cbKeyIn,
  489. OUT BYTE **ppbKeyOut,
  490. OUT DWORD *pcbKeyOut)
  491. {
  492. HRESULT hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
  493. DWORD iDataSequence;
  494. DWORD dwLenSequence;
  495. DWORD iDataModulus;
  496. DWORD dwLenModulus;
  497. BYTE *pbKeyOut = NULL;
  498. DWORD cbKeyOut;
  499. BYTE *pb;
  500. DWORD cb;
  501. DWORD cbLen;
  503. *ppbKeyOut = NULL;
  505. iDataSequence = myASNGetDataIndex(
  506. BER_SEQUENCE,
  507. 0,
  508. pbKeyIn,
  509. cbKeyIn,
  510. &dwLenSequence);
  511. if (MAXDWORD == iDataSequence)
  512. {
  513. _JumpError(hr, error, "iDataSequence");
  514. }
  515. iDataModulus = myASNGetDataIndex(
  516. BER_INTEGER,
  517. iDataSequence,
  518. pbKeyIn,
  519. cbKeyIn,
  520. &dwLenModulus);
  521. if (MAXDWORD == iDataModulus)
  522. {
  523. _JumpError(hr, error, "iDataModulus");
  524. }
  525. if (0 != pbKeyIn[iDataModulus] ||
  526. 0 == (0x80 & pbKeyIn[iDataModulus + 1]))
  527. {
  528. _JumpError(hr, error, "key sign");
  529. }
  530. cbKeyOut = cbKeyIn - 1;
  531. pbKeyOut = (BYTE *) LocalAlloc(LMEM_FIXED, cbKeyOut);
  532. if (NULL == pbKeyOut)
  533. {
  534. hr = E_OUTOFMEMORY;
  535. _JumpError(hr, error, "LocalAlloc");
  536. }
  538. pb = pbKeyOut;
  539. cb = cbKeyOut;
  541. // Set the sequence tag and new length:
  543. *pb++ = BER_SEQUENCE;
  544. cb--;
  545. cbLen = myASNStoreLength(dwLenSequence - 1, pb, cb);
  546. if (MAXDWORD == cbLen)
  547. {
  548. _JumpError(hr, error, "new dwLenSequence");
  549. }
  550. pb += cbLen;
  551. cb -= cbLen;
  553. // Set the modulus tag and new length:
  555. *pb++ = BER_INTEGER;
  556. cb--;
  557. cbLen = myASNStoreLength(dwLenModulus - 1, pb, cb);
  558. if (MAXDWORD == cbLen)
  559. {
  560. _JumpError(hr, error, "new dwLenModulus");
  561. }
  562. pb += cbLen;
  563. cb -= cbLen;
  565. if (cb != cbKeyIn - (iDataModulus + 1))
  566. {
  567. // crossed an encoding length boundary -- shouldn't happen!
  568. // new and old sequence and modulus lengths expected:
  569. // 0x10a ==> 0x109, 0x101 ==> 0x100
  570. // 0x89 ==> 0x88, 0x81 ==> 0x80
  571. // 0x48 ==> 0x47, 0x41 ==> 0x40
  573. _JumpError(hr, error, "new key length");
  574. }
  575. CopyMemory(pb, &pbKeyIn[iDataModulus + 1], cb);
  577. *pcbKeyOut = cbKeyOut;
  578. *ppbKeyOut = pbKeyOut;
  579. pbKeyOut = NULL;
  580. hr = S_OK;
  582. error:
  583. if (NULL != pbKeyOut)
  584. {
  585. LocalFree(pbKeyOut);
  586. }
  587. return(hr);
  588. }
  591. // by design, (my)CertComparePublicKeyInfo doesn't set last error!
  593. BOOL
  594. myCertComparePublicKeyInfo(
  595. IN DWORD dwCertEncodingType,
  596. IN BOOL fV1Cert,
  597. IN CERT_PUBLIC_KEY_INFO const *pPubKey1,
  598. IN CERT_PUBLIC_KEY_INFO const *pPubKey2)
  599. {
  600. BOOL fMatch = FALSE;
  601. BYTE *pbKeyNew = NULL;
  603. if (CertComparePublicKeyInfo(
  604. dwCertEncodingType,
  605. const_cast<CERT_PUBLIC_KEY_INFO *>(pPubKey1),
  606. const_cast<CERT_PUBLIC_KEY_INFO *>(pPubKey2)))
  607. {
  608. fMatch = TRUE;
  609. goto error;
  610. }
  612. #if 0
  613. wprintf(L"pPubKey1:\n");
  614. DumpHex(
  615. DH_NOADDRESS | DH_NOTABPREFIX | 8,
  616. pPubKey1->PublicKey.pbData,
  617. pPubKey1->PublicKey.cbData);
  619. wprintf(L"pPubKey2:\n");
  620. DumpHex(
  621. DH_NOADDRESS | DH_NOTABPREFIX | 8,
  622. pPubKey2->PublicKey.pbData,
  623. pPubKey2->PublicKey.cbData);
  624. #endif
  626. // If this is a V1 X509 cert with the sign bit set in the first public key
  627. // byte -- without a leading zero pad byte, and there's a wasted byte at
  628. // the end of the public key, squeeze out the leading zero byte from the
  629. // correctly encoded key, and compare the result.
  631. if (fV1Cert &&
  632. (pPubKey1->PublicKey.cbData == pPubKey2->PublicKey.cbData ||
  633. pPubKey1->PublicKey.cbData == pPubKey2->PublicKey.cbData + 1))
  634. {
  635. HRESULT hr;
  636. CERT_PUBLIC_KEY_INFO PubKey1;
  637. CERT_PUBLIC_KEY_INFO PubKey2;
  639. PubKey1 = *pPubKey1;
  640. PubKey2 = *pPubKey2;
  642. hr = mySqueezePublicKey(
  643. PubKey1.PublicKey.pbData,
  644. PubKey1.PublicKey.cbData,
  645. &pbKeyNew,
  646. &PubKey1.PublicKey.cbData);
  647. _JumpIfError(hr, error, "mySqueezePublicKey");
  649. //PubKey1.PublicKey.cbData--;
  650. PubKey1.PublicKey.pbData = pbKeyNew;
  651. if (2 < PubKey2.PublicKey.cbData &&
  652. PubKey2.PublicKey.cbData == 1 + PubKey1.PublicKey.cbData &&
  653. 1 == PubKey2.PublicKey.pbData[PubKey2.PublicKey.cbData - 1] &&
  654. 1 == PubKey2.PublicKey.pbData[PubKey2.PublicKey.cbData - 2])
  655. {
  656. PubKey2.PublicKey.cbData--;
  657. }
  658. #if 0
  659. wprintf(L"PubKey1:\n");
  660. DumpHex(
  661. DH_NOADDRESS | DH_NOTABPREFIX | 8,
  662. PubKey1.PublicKey.pbData,
  663. PubKey1.PublicKey.cbData);
  665. wprintf(L"PubKey2:\n");
  666. DumpHex(
  667. DH_NOADDRESS | DH_NOTABPREFIX | 8,
  668. PubKey2.PublicKey.pbData,
  669. PubKey2.PublicKey.cbData);
  670. #endif
  671. if (CertComparePublicKeyInfo(
  672. dwCertEncodingType,
  673. &PubKey1,
  674. &PubKey2))
  675. {
  676. fMatch = TRUE;
  677. }
  678. }
  680. error:
  681. if (NULL != pbKeyNew)
  682. {
  683. LocalFree(pbKeyNew);
  684. }
  685. return(fMatch);
  686. }
  689. BOOL
  690. myCryptSignMessage(
  691. IN CRYPT_SIGN_MESSAGE_PARA const *pcsmp,
  692. IN BYTE const *pbToBeSigned,
  693. IN DWORD cbToBeSigned,
  694. IN CERTLIB_ALLOCATOR allocType,
  695. OUT BYTE **ppbSignedBlob,
  696. OUT DWORD *pcbSignedBlob)
  697. {
  698. BOOL b;
  700. *ppbSignedBlob = NULL;
  701. *pcbSignedBlob = 0;
  702. for (;;)
  703. {
  704. b = CryptSignMessage(
  705. const_cast<CRYPT_SIGN_MESSAGE_PARA *>(pcsmp),
  706. TRUE, // fDetachedSignature
  707. 1, // cToBeSigned
  708. &pbToBeSigned, // rgpbToBeSigned
  709. &cbToBeSigned, // rgcbToBeSigned
  710. *ppbSignedBlob,
  711. pcbSignedBlob);
  712. if (b && 0 == *pcbSignedBlob)
  713. {
  714. SetLastError((DWORD) HRESULT_FROM_WIN32(ERROR_INVALID_DATA));
  715. b = FALSE;
  716. }
  717. if (!b)
  718. {
  719. if (NULL != *ppbSignedBlob)
  720. {
  721. myFree(*ppbSignedBlob, allocType);
  722. *ppbSignedBlob = NULL;
  723. }
  724. break;
  725. }
  726. if (NULL != *ppbSignedBlob)
  727. {
  728. break;
  729. }
  730. *ppbSignedBlob = (BYTE *) myAlloc(*pcbSignedBlob, allocType);
  731. if (NULL == *ppbSignedBlob)
  732. {
  733. b = FALSE;
  734. break;
  735. }
  736. }
  737. return(b);
  738. }
  741. BOOL
  742. myEncodeCert(
  743. IN DWORD dwEncodingType,
  744. IN CERT_SIGNED_CONTENT_INFO const *pInfo,
  745. IN CERTLIB_ALLOCATOR allocType,
  746. OUT BYTE **ppbEncoded,
  747. OUT DWORD *pcbEncoded)
  748. {
  749. return(myEncodeObject(
  750. dwEncodingType,
  751. X509_CERT,
  752. pInfo,
  753. 0,
  754. allocType,
  755. ppbEncoded,
  756. pcbEncoded));
  757. }
  760. BOOL
  761. myEncodeName(
  762. IN DWORD dwEncodingType,
  763. IN CERT_NAME_INFO const *pInfo,
  764. IN DWORD dwFlags,
  765. IN CERTLIB_ALLOCATOR allocType,
  766. OUT BYTE **ppbEncoded,
  767. OUT DWORD *pcbEncoded)
  768. {
  769. return(myEncodeObject(
  770. dwEncodingType,
  771. X509_UNICODE_NAME,
  772. pInfo,
  773. dwFlags,
  774. allocType,
  775. ppbEncoded,
  776. pcbEncoded));
  777. }
  780. BOOL
  781. myEncodeKeyAttributes(
  782. IN DWORD dwEncodingType,
  783. IN CERT_KEY_ATTRIBUTES_INFO const *pInfo,
  784. IN CERTLIB_ALLOCATOR allocType,
  785. OUT BYTE **ppbEncoded,
  786. OUT DWORD *pcbEncoded)
  787. {
  788. return(myEncodeObject(
  789. dwEncodingType,
  790. X509_KEY_ATTRIBUTES,
  791. pInfo,
  792. 0,
  793. allocType,
  794. ppbEncoded,
  795. pcbEncoded));
  796. }
  799. BOOL
  800. myEncodeKeyUsage(
  801. IN DWORD dwEncodingType,
  802. IN CRYPT_BIT_BLOB const *pInfo,
  803. IN CERTLIB_ALLOCATOR allocType,
  804. OUT BYTE **ppbEncoded,
  805. OUT DWORD *pcbEncoded)
  806. {
  807. return(myEncodeObject(
  808. dwEncodingType,
  809. X509_KEY_USAGE,
  810. pInfo,
  811. 0,
  812. allocType,
  813. ppbEncoded,
  814. pcbEncoded));
  815. }
  818. BOOL
  819. myEncodeKeyAuthority2(
  820. IN DWORD dwEncodingType,
  821. IN CERT_AUTHORITY_KEY_ID2_INFO const *pInfo,
  822. IN CERTLIB_ALLOCATOR allocType,
  823. OUT BYTE **ppbEncoded,
  824. OUT DWORD *pcbEncoded)
  825. {
  826. return(myEncodeObject(
  827. dwEncodingType,
  828. X509_AUTHORITY_KEY_ID2,
  829. pInfo,
  830. 0,
  831. allocType,
  832. ppbEncoded,
  833. pcbEncoded));
  834. }
  837. BOOL
  838. myEncodeToBeSigned(
  839. DWORD dwEncodingType,
  840. CERT_INFO const *pInfo,
  841. IN CERTLIB_ALLOCATOR allocType,
  842. BYTE **ppbEncoded,
  843. DWORD *pcbEncoded)
  844. {
  845. return(myEncodeObject(
  846. dwEncodingType,
  847. X509_CERT_TO_BE_SIGNED,
  848. pInfo,
  849. 0,
  850. allocType,
  851. ppbEncoded,
  852. pcbEncoded));
  853. }
  855. BOOL
  856. myDecodeName(
  857. IN DWORD dwEncodingType,
  858. IN LPCSTR lpszStructType,
  859. IN BYTE const *pbEncoded,
  860. IN DWORD cbEncoded,
  861. IN CERTLIB_ALLOCATOR allocType,
  862. OUT CERT_NAME_INFO **ppNameInfo,
  863. OUT DWORD *pcbNameInfo)
  864. {
  865. return(myDecodeObject(
  866. dwEncodingType,
  867. lpszStructType,
  868. pbEncoded,
  869. cbEncoded,
  870. allocType,
  871. (VOID **) ppNameInfo,
  872. pcbNameInfo));
  873. }
  876. BOOL
  877. myDecodeKeyAuthority(
  878. IN DWORD dwEncodingType,
  879. IN BYTE const *pbEncoded,
  880. IN DWORD cbEncoded,
  881. IN CERTLIB_ALLOCATOR allocType,
  882. OUT CERT_AUTHORITY_KEY_ID_INFO const **ppInfo,
  883. OUT DWORD *pcbInfo)
  884. {
  885. return(myDecodeObject(
  886. dwEncodingType,
  887. X509_AUTHORITY_KEY_ID,
  888. pbEncoded,
  889. cbEncoded,
  890. allocType,
  891. (VOID **) ppInfo,
  892. pcbInfo));
  893. }
  896. BOOL
  897. myDecodeKeyAuthority2(
  898. IN DWORD dwEncodingType,
  899. IN BYTE const *pbEncoded,
  900. IN DWORD cbEncoded,
  901. IN CERTLIB_ALLOCATOR allocType,
  902. OUT CERT_AUTHORITY_KEY_ID2_INFO const **ppInfo,
  903. OUT DWORD *pcbInfo)
  904. {
  905. return(myDecodeObject(
  906. dwEncodingType,
  907. X509_AUTHORITY_KEY_ID2,
  908. pbEncoded,
  909. cbEncoded,
  910. allocType,
  911. (VOID **) ppInfo,
  912. pcbInfo));
  913. }
  916. BOOL
  917. myDecodeExtensions(
  918. IN DWORD dwEncodingType,
  919. IN BYTE const *pbEncoded,
  920. IN DWORD cbEncoded,
  921. IN CERTLIB_ALLOCATOR allocType,
  922. OUT CERT_EXTENSIONS **ppInfo,
  923. OUT DWORD *pcbInfo)
  924. {
  925. return(myDecodeObject(
  926. dwEncodingType,
  927. X509_NAME,
  928. pbEncoded,
  929. cbEncoded,
  930. allocType,
  931. (VOID **) ppInfo,
  932. pcbInfo));
  933. }
  936. BOOL
  937. myDecodeKeyGenRequest(
  938. IN BYTE const *pbRequest,
  939. IN DWORD cbRequest,
  940. IN CERTLIB_ALLOCATOR allocType,
  941. OUT CERT_KEYGEN_REQUEST_INFO **ppKeyGenRequest,
  942. OUT DWORD *pcbKeyGenRequest)
  943. {
  944. return(myDecodeObject(
  945. X509_ASN_ENCODING,
  946. X509_KEYGEN_REQUEST_TO_BE_SIGNED,
  947. pbRequest,
  948. cbRequest,
  949. allocType,
  950. (VOID **) ppKeyGenRequest,
  951. pcbKeyGenRequest));
  952. }
  955. HRESULT
  956. myDecodeCSPProviderAttribute(
  957. IN BYTE const *pbCSPEncoded,
  958. IN DWORD cbCSPEncoded,
  959. OUT CRYPT_CSP_PROVIDER **ppccp)
  960. {
  961. HRESULT hr;
  962. CRYPT_SEQUENCE_OF_ANY *pCSPProviderSeq = NULL;
  963. DWORD cb;
  964. CRYPT_CSP_PROVIDER *pccp;
  965. DWORD dwKeySpec;
  966. CERT_NAME_VALUE *pName = NULL;
  967. CRYPT_BIT_BLOB *pBlob = NULL;
  968. BYTE *pb;
  970. *ppccp = NULL;
  972. if (!myDecodeObject(
  973. X509_ASN_ENCODING,
  974. X509_SEQUENCE_OF_ANY,
  975. pbCSPEncoded,
  976. cbCSPEncoded,
  977. CERTLIB_USE_LOCALALLOC,
  978. (VOID **) &pCSPProviderSeq,
  979. &cb))
  980. {
  981. hr = myHLastError();
  982. _JumpError(hr, error, "myDecodeObject");
  983. }
  984. if (3 > pCSPProviderSeq->cValue)
  985. {
  986. hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
  987. _JumpError(hr, error, "Sequence count < 3");
  988. }
  990. dwKeySpec = 0;
  991. if (NULL != pCSPProviderSeq->rgValue[0].pbData &&
  992. 0 != pCSPProviderSeq->rgValue[0].cbData)
  993. {
  994. cb = sizeof(dwKeySpec);
  995. if (!CryptDecodeObject(
  996. X509_ASN_ENCODING,
  997. X509_INTEGER,
  998. pCSPProviderSeq->rgValue[0].pbData,
  999. pCSPProviderSeq->rgValue[0].cbData,
  1000. 0,
  1001. &dwKeySpec,
  1002. &cb))
  1003. {
  1004. hr = myHLastError();
  1005. _JumpError(hr, error, "CryptDecodeObject");
  1006. }
  1007. }
  1008. if (NULL != pCSPProviderSeq->rgValue[1].pbData &&
  1009. 0 != pCSPProviderSeq->rgValue[1].cbData)
  1010. {
  1011. if (!myDecodeObject(
  1012. X509_ASN_ENCODING,
  1013. X509_UNICODE_ANY_STRING,
  1014. pCSPProviderSeq->rgValue[1].pbData,
  1015. pCSPProviderSeq->rgValue[1].cbData,
  1016. CERTLIB_USE_LOCALALLOC,
  1017. (VOID **) &pName,
  1018. &cb))
  1019. {
  1020. hr = myHLastError();
  1021. _JumpError(hr, error, "myDecodeObject");
  1022. }
  1023. }
  1024. if (NULL != pCSPProviderSeq->rgValue[2].pbData &&
  1025. 0 != pCSPProviderSeq->rgValue[2].cbData)
  1026. {
  1027. if (!myDecodeObject(
  1028. X509_ASN_ENCODING,
  1029. X509_BITS,
  1030. pCSPProviderSeq->rgValue[2].pbData,
  1031. pCSPProviderSeq->rgValue[2].cbData,
  1032. CERTLIB_USE_LOCALALLOC,
  1033. (VOID **) &pBlob,
  1034. &cb))
  1035. {
  1036. hr = myHLastError();
  1037. _JumpError(hr, error, "myDecodeObject");
  1038. }
  1039. }
  1040. cb = sizeof(*pccp);
  1041. if (NULL != pName && NULL != pName->Value.pbData)
  1042. {
  1043. cb += POINTERROUND((wcslen((WCHAR const *) pName->Value.pbData) + 1) *
  1044. sizeof(WCHAR));
  1045. }
  1046. if (NULL != pBlob && NULL != pBlob->pbData)
  1047. {
  1048. cb += POINTERROUND(pBlob->cbData);
  1049. }
  1050. pccp = (CRYPT_CSP_PROVIDER *) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, cb);
  1051. if (NULL == pccp)
  1052. {
  1053. hr = E_OUTOFMEMORY;
  1054. _JumpError(hr, error, "LocalAlloc");
  1055. }
  1056. *ppccp = pccp;
  1057. pb = (BYTE *) (pccp + 1);
  1058. pccp->dwKeySpec = dwKeySpec;
  1059. if (NULL != pName->Value.pbData)
  1060. {
  1061. pccp->pwszProviderName = (WCHAR *) pb;
  1062. wcscpy(pccp->pwszProviderName, (WCHAR const *) pName->Value.pbData);
  1063. pb += POINTERROUND((wcslen((WCHAR const *) pName->Value.pbData) + 1) *
  1064. sizeof(WCHAR));
  1065. }
  1066. if (NULL != pBlob && NULL != pBlob->pbData)
  1067. {
  1068. pccp->Signature.pbData = pb;
  1069. pccp->Signature.cbData = pBlob->cbData;
  1070. pccp->Signature.cUnusedBits = pBlob->cUnusedBits;
  1071. CopyMemory(pccp->Signature.pbData, pBlob->pbData, pBlob->cbData);
  1072. }
  1073. hr = S_OK;
  1075. error:
  1076. if (NULL != pCSPProviderSeq)
  1077. {
  1078. LocalFree(pCSPProviderSeq);
  1079. }
  1080. if (NULL != pName)
  1081. {
  1082. LocalFree(pName);
  1083. }
  1084. if (NULL != pBlob)
  1085. {
  1086. LocalFree(pBlob);
  1087. }
  1088. return(hr);
  1089. }
  1092. BOOL
  1093. myCertGetCertificateContextProperty(
  1094. IN CERT_CONTEXT const *pCertContext,
  1095. IN DWORD dwPropId,
  1096. IN CERTLIB_ALLOCATOR allocType,
  1097. OUT VOID **ppvData,
  1098. OUT DWORD *pcbData)
  1099. {
  1100. BOOL b;
  1102. *ppvData = NULL;
  1103. *pcbData = 0;
  1104. for (;;)
  1105. {
  1106. b = CertGetCertificateContextProperty(
  1107. pCertContext,
  1108. dwPropId,
  1109. *ppvData,
  1110. pcbData);
  1111. if (b && 0 == *pcbData)
  1112. {
  1113. SetLastError((DWORD) HRESULT_FROM_WIN32(ERROR_INVALID_DATA));
  1114. b = FALSE;
  1115. }
  1116. if (!b)
  1117. {
  1118. if (NULL != *ppvData)
  1119. {
  1120. myFree(*ppvData, allocType);
  1121. *ppvData = NULL;
  1122. }
  1123. break;
  1124. }
  1125. if (NULL != *ppvData)
  1126. {
  1127. break;
  1128. }
  1129. *ppvData = (VOID *) myAlloc(*pcbData, allocType);
  1130. if (NULL == *ppvData)
  1131. {
  1132. b = FALSE;
  1133. break;
  1134. }
  1135. }
  1136. return(b);
  1137. }
  1140. HRESULT
  1141. myCertGetKeyProviderInfo(
  1142. IN CERT_CONTEXT const *pCert,
  1143. OUT CRYPT_KEY_PROV_INFO **ppkpi)
  1144. {
  1145. HRESULT hr;
  1146. DWORD cb;
  1148. *ppkpi = NULL;
  1150. if (!CertGetCertificateContextProperty(
  1151. pCert,
  1152. CERT_KEY_PROV_INFO_PROP_ID,
  1153. NULL,
  1154. &cb))
  1155. {
  1156. hr = myHLastError();
  1157. _JumpError2(
  1158. hr,
  1159. error,
  1160. "CertGetCertificateContextProperty",
  1161. CRYPT_E_NOT_FOUND);
  1162. }
  1164. *ppkpi = (CRYPT_KEY_PROV_INFO *) LocalAlloc(LMEM_FIXED, cb);
  1165. if (NULL == *ppkpi)
  1166. {
  1167. hr = E_OUTOFMEMORY;
  1168. _JumpError(hr, error, "LocalAlloc");
  1169. }
  1171. if (!CertGetCertificateContextProperty(
  1172. pCert,
  1173. CERT_KEY_PROV_INFO_PROP_ID,
  1174. *ppkpi,
  1175. &cb))
  1176. {
  1177. hr = myHLastError();
  1178. _JumpError(hr, error, "CertGetCertificateContextProperty");
  1179. }
  1180. hr = S_OK;
  1182. error:
  1183. return(hr);
  1184. }
  1187. HRESULT
  1188. myCryptExportKey(
  1189. IN HCRYPTKEY hKey,
  1190. IN HCRYPTKEY hKeyExp,
  1191. IN DWORD dwBlobType,
  1192. IN DWORD dwFlags,
  1193. OUT BYTE **ppbKey,
  1194. OUT DWORD *pcbKey)
  1195. {
  1196. HRESULT hr;
  1198. if (!CryptExportKey(hKey, hKeyExp, dwBlobType, dwFlags, NULL, pcbKey))
  1199. {
  1200. hr = myHLastError();
  1201. _JumpError(hr, error, "CryptExportKey");
  1202. }
  1204. *ppbKey = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbKey);
  1205. if (NULL == *ppbKey)
  1206. {
  1207. hr = E_OUTOFMEMORY;
  1208. _JumpError(hr, error, "LocalAlloc");
  1209. }
  1211. if (!CryptExportKey(hKey, hKeyExp, dwBlobType, dwFlags, *ppbKey, pcbKey))
  1212. {
  1213. hr = myHLastError();
  1214. LocalFree(*ppbKey);
  1215. *ppbKey = NULL;
  1216. _JumpError(hr, error, "CryptExportKey");
  1217. }
  1218. hr = S_OK;
  1220. error:
  1221. return(hr);
  1222. }
  1225. HRESULT
  1226. myCryptEncrypt(
  1227. IN HCRYPTKEY hKey,
  1228. IN BYTE const *pbIn,
  1229. IN DWORD cbIn,
  1230. OUT BYTE **ppbEncrypted,
  1231. OUT DWORD *pcbEncrypted)
  1232. {
  1233. HRESULT hr;
  1234. BYTE *pbEncrypted = NULL;
  1235. DWORD cbEncrypted;
  1236. DWORD cbAlloc;
  1237. BOOL fRetried = FALSE;
  1239. cbAlloc = cbIn + 64; // may be enough to prevent overflow
  1240. for (;;)
  1241. {
  1242. cbEncrypted = cbIn;
  1243. pbEncrypted = (BYTE *) LocalAlloc(LMEM_FIXED, cbAlloc);
  1244. if (NULL == pbEncrypted)
  1245. {
  1246. hr = E_OUTOFMEMORY;
  1247. _JumpError(hr, error, "LocalAlloc");
  1248. }
  1249. CopyMemory(pbEncrypted, pbIn, cbIn);
  1251. if (!CryptEncrypt(
  1252. hKey,
  1253. NULL, // hHash
  1254. TRUE, // Final
  1255. 0, // dwFlags
  1256. pbEncrypted, // pbData
  1257. &cbEncrypted, // pdwDataLen
  1258. cbAlloc)) // dwBufLen
  1259. {
  1260. hr = myHLastError();
  1261. if (!fRetried && HRESULT_FROM_WIN32(ERROR_MORE_DATA) == hr)
  1262. {
  1263. SecureZeroMemory(pbEncrypted, cbAlloc); // only zero size we alloced last time around
  1264. LocalFree(pbEncrypted);
  1265. pbEncrypted = NULL;
  1266. DBGPRINT((
  1267. DBG_SS_CERTLIB,
  1268. "CryptEncrypt(MORE DATA): %u -> %u\n",
  1269. cbAlloc,
  1270. cbEncrypted));
  1271. cbAlloc = cbEncrypted;
  1272. fRetried = TRUE;
  1273. continue;
  1274. }
  1275. _JumpError(hr, error, "CryptEncrypt");
  1276. }
  1277. break;
  1278. }
  1279. *ppbEncrypted = pbEncrypted;
  1280. *pcbEncrypted = cbEncrypted;
  1281. pbEncrypted = NULL;
  1282. hr = S_OK;
  1284. error:
  1285. if (NULL != pbEncrypted)
  1286. {
  1287. LocalFree(pbEncrypted);
  1288. }
  1289. return(hr);
  1290. }
  1293. HRESULT
  1294. myCryptDecrypt(
  1295. IN HCRYPTKEY hKey,
  1296. IN BYTE const *pbIn,
  1297. IN DWORD cbIn,
  1298. OUT BYTE **ppbDecrypted,
  1299. OUT DWORD *pcbDecrypted)
  1300. {
  1301. HRESULT hr;
  1302. BYTE *pbDecrypted = NULL;
  1303. DWORD cbDecrypted;
  1305. // init
  1306. *ppbDecrypted = NULL;
  1307. *pcbDecrypted = 0;
  1309. cbDecrypted = cbIn;
  1310. pbDecrypted = (BYTE *) LocalAlloc(LMEM_FIXED, cbIn);
  1311. if (NULL == pbDecrypted)
  1312. {
  1313. hr = E_OUTOFMEMORY;
  1314. _JumpError(hr, error, "LocalAlloc");
  1315. }
  1316. CopyMemory(pbDecrypted, pbIn, cbIn);
  1318. if (!CryptDecrypt(
  1319. hKey,
  1320. NULL, // hHash
  1321. TRUE, // Final
  1322. 0, // dwFlags
  1323. pbDecrypted, // pbData
  1324. &cbDecrypted)) // pdwDataLen
  1325. {
  1326. hr = myHLastError();
  1327. _JumpError(hr, error, "CryptDecrypt");
  1328. }
  1329. *ppbDecrypted = pbDecrypted;
  1330. *pcbDecrypted = cbDecrypted;
  1331. pbDecrypted = NULL;
  1332. hr = S_OK;
  1334. error:
  1335. if (NULL != pbDecrypted)
  1336. {
  1337. LocalFree(pbDecrypted);
  1338. }
  1339. return(hr);
  1340. }
  1343. HRESULT
  1344. myCryptEncryptMessage(
  1345. IN ALG_ID algId,
  1346. IN DWORD cCertRecipient,
  1347. IN CERT_CONTEXT const **rgCertRecipient,
  1348. IN BYTE const *pbIn,
  1349. IN DWORD cbIn,
  1350. IN OPTIONAL HCRYPTPROV hCryptProv,
  1351. OUT BYTE **ppbEncrypted,
  1352. OUT DWORD *pcbEncrypted)
  1353. {
  1354. HRESULT hr;
  1355. CRYPT_ENCRYPT_MESSAGE_PARA cemp;
  1356. CRYPT_OID_INFO const *pOidInfo;
  1358. // Convert to an Object Id
  1360. pOidInfo = CryptFindOIDInfo(
  1361. CRYPT_OID_INFO_ALGID_KEY,
  1362. &algId,
  1363. CRYPT_ENCRYPT_ALG_OID_GROUP_ID);
  1364. if (NULL == pOidInfo)
  1365. {
  1366. // function is not doc'd to set GetLastError()
  1368. hr = CRYPT_E_NOT_FOUND;
  1369. DBGPRINT((DBG_SS_ERROR, "algId = %x\n", algId));
  1370. _JumpError(hr, error, "CryptFindOIDInfo");
  1371. }
  1373. // Encrypt the data with the public key
  1375. ZeroMemory(&cemp, sizeof(cemp));
  1376. cemp.cbSize = sizeof(cemp);
  1377. cemp.dwMsgEncodingType = PKCS_7_ASN_ENCODING | CRYPT_ASN_ENCODING;
  1378. cemp.ContentEncryptionAlgorithm.pszObjId = const_cast<char *>(pOidInfo->pszOID);
  1379. cemp.hCryptProv = hCryptProv;
  1381. *pcbEncrypted = 0;
  1382. for (;;)
  1383. {
  1384. if (!CryptEncryptMessage(
  1385. &cemp,
  1386. cCertRecipient, // cRecipientCert
  1387. rgCertRecipient, // rgpRecipientCert IN
  1388. pbIn, // pbToBeEncrypted
  1389. cbIn, // cbToBeEncrypted
  1390. *ppbEncrypted, // pbEncryptedBlob
  1391. pcbEncrypted)) // pcbEncryptedBlob
  1392. {
  1393. hr = myHLastError();
  1394. if (NULL != *ppbEncrypted)
  1395. {
  1396. LocalFree(*ppbEncrypted);
  1397. *ppbEncrypted = NULL;
  1398. }
  1399. _JumpError(hr, error, "CryptEncryptMessage");
  1400. }
  1401. if (NULL != *ppbEncrypted)
  1402. {
  1403. break;
  1404. }
  1405. *ppbEncrypted = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbEncrypted);
  1406. if (NULL == *ppbEncrypted)
  1407. {
  1408. hr = E_OUTOFMEMORY;
  1409. _JumpError(hr, error, "LocalAlloc");
  1410. }
  1411. }
  1412. hr = S_OK;
  1414. error:
  1415. CSASSERT(S_OK == hr || FAILED(hr));
  1416. return(hr);
  1417. }
  1420. HRESULT
  1421. myCryptDecryptMessage(
  1422. IN HCERTSTORE hStore,
  1423. IN BYTE const *pbEncrypted,
  1424. IN DWORD cbEncrypted,
  1425. IN CERTLIB_ALLOCATOR allocType,
  1426. OUT BYTE **ppbDecrypted,
  1427. OUT DWORD *pcbDecrypted)
  1428. {
  1429. HRESULT hr;
  1430. CRYPT_DECRYPT_MESSAGE_PARA cdmp;
  1432. ZeroMemory(&cdmp, sizeof(cdmp));
  1433. cdmp.cbSize = sizeof(cdmp);
  1434. cdmp.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
  1435. cdmp.cCertStore = 1;
  1436. cdmp.rghCertStore = &hStore;
  1438. *ppbDecrypted = NULL;
  1439. *pcbDecrypted = 0;
  1440. for (;;)
  1441. {
  1442. if (!CryptDecryptMessage(
  1443. &cdmp,
  1444. pbEncrypted,
  1445. cbEncrypted,
  1446. *ppbDecrypted,
  1447. pcbDecrypted,
  1448. NULL)) // ppXchgCert
  1449. {
  1450. hr = myHLastError();
  1451. if (NULL != *ppbDecrypted)
  1452. {
  1453. myFree(*ppbDecrypted, allocType);
  1454. *ppbDecrypted = NULL;
  1455. }
  1456. _JumpError(hr, error, "CryptDecryptMessage");
  1457. }
  1458. if (NULL != *ppbDecrypted)
  1459. {
  1460. break;
  1461. }
  1462. *ppbDecrypted = (BYTE *) myAlloc(*pcbDecrypted, allocType);
  1463. if (NULL == *ppbDecrypted)
  1464. {
  1465. hr = E_OUTOFMEMORY;
  1466. _JumpError(hr, error, "myAlloc");
  1467. }
  1468. }
  1469. hr = S_OK;
  1471. error:
  1472. return(hr);
  1473. }
  1476. HRESULT
  1477. myGetInnerPKCS10(
  1478. IN HCRYPTMSG hMsg,
  1479. IN char const *pszInnerContentObjId,
  1480. OUT CERT_REQUEST_INFO **ppRequest)
  1481. {
  1482. HRESULT hr;
  1483. BYTE *pbContent = NULL;
  1484. DWORD cbContent;
  1485. CMC_DATA_INFO *pcmcData = NULL;
  1486. DWORD cbcmcData;
  1487. CMC_TAGGED_CERT_REQUEST const *pTaggedCertRequest;
  1488. DWORD cbRequest;
  1490. *ppRequest = NULL;
  1492. if (0 != strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA))
  1493. {
  1494. hr = CRYPT_E_INVALID_MSG_TYPE;
  1495. _JumpError(hr, error, "Not a CMC request");
  1496. }
  1498. // Get the request content, then search for the PKCS10's public key.
  1500. hr = myCryptMsgGetParam(
  1501. hMsg,
  1502. CMSG_CONTENT_PARAM,
  1503. 0,
  1504. CERTLIB_USE_LOCALALLOC,
  1505. (VOID **) &pbContent,
  1506. &cbContent);
  1507. _JumpIfError(hr, error, "myCryptMsgGetParam");
  1509. if (!myDecodeObject(
  1510. X509_ASN_ENCODING,
  1511. CMC_DATA,
  1512. pbContent,
  1513. cbContent,
  1514. CERTLIB_USE_LOCALALLOC,
  1515. (VOID **) &pcmcData,
  1516. &cbcmcData))
  1517. {
  1518. hr = myHLastError();
  1519. _JumpError(hr, error, "myDecodeObject");
  1520. }
  1522. if (1 != pcmcData->cTaggedRequest ||
  1523. CMC_TAGGED_CERT_REQUEST_CHOICE !=
  1524. pcmcData->rgTaggedRequest[0].dwTaggedRequestChoice)
  1525. {
  1526. hr = CRYPT_E_INVALID_MSG_TYPE;
  1527. _JumpError(hr, error, "Must be 1 PKCS10");
  1528. }
  1529. pTaggedCertRequest = pcmcData->rgTaggedRequest[0].pTaggedCertRequest;
  1531. if (!myDecodeObject(
  1532. X509_ASN_ENCODING,
  1533. X509_CERT_REQUEST_TO_BE_SIGNED,
  1534. pTaggedCertRequest->SignedCertRequest.pbData,
  1535. pTaggedCertRequest->SignedCertRequest.cbData,
  1536. CERTLIB_USE_LOCALALLOC,
  1537. (VOID **) ppRequest,
  1538. &cbRequest))
  1539. {
  1540. hr = myHLastError();
  1541. _JumpError(hr, error, "myDecodeObject");
  1542. }
  1543. hr = S_OK;
  1545. error:
  1546. if (NULL != pbContent)
  1547. {
  1548. LocalFree(pbContent);
  1549. }
  1550. if (NULL != pcmcData)
  1551. {
  1552. LocalFree(pcmcData);
  1553. }
  1554. return(hr);
  1555. }
  1558. HRESULT
  1559. myPKCSEncodeString(
  1560. IN WCHAR const *pwsz,
  1561. OUT BYTE **ppbOut,
  1562. OUT DWORD *pcbOut)
  1563. {
  1564. HRESULT hr = S_OK;
  1565. CERT_NAME_VALUE cnv;
  1567. // encode the string as an IA5 string
  1569. cnv.dwValueType = CERT_RDN_IA5_STRING;
  1570. cnv.Value.pbData = (BYTE *) pwsz;
  1571. cnv.Value.cbData = 0; // Use L'\0' termination for the length
  1573. if (!myEncodeObject(
  1574. X509_ASN_ENCODING,
  1575. X509_UNICODE_NAME_VALUE,
  1576. &cnv,
  1577. 0,
  1578. CERTLIB_USE_LOCALALLOC,
  1579. ppbOut,
  1580. pcbOut))
  1581. {
  1582. hr = myHLastError();
  1583. _JumpError(hr, error, "myEncodeObject");
  1584. }
  1585. error:
  1586. return(hr);
  1587. }
  1590. HRESULT
  1591. myPKCSDecodeString(
  1592. IN BYTE const *pbIn,
  1593. IN DWORD cbIn,
  1594. OUT WCHAR **ppwszOut)
  1595. {
  1596. HRESULT hr = S_OK;
  1597. CERT_NAME_VALUE *pcnv = NULL;
  1598. DWORD cbOut;
  1600. *ppwszOut = NULL;
  1602. // decode the string from an IA5 string
  1604. if (!myDecodeObject(
  1605. X509_ASN_ENCODING,
  1606. X509_UNICODE_NAME_VALUE,
  1607. pbIn,
  1608. cbIn,
  1609. CERTLIB_USE_LOCALALLOC,
  1610. (VOID **) &pcnv,
  1611. &cbOut))
  1612. {
  1613. hr = myHLastError();
  1614. _JumpError(hr, error, "myDecodeObject");
  1615. }
  1616. if (CERT_RDN_IA5_STRING != pcnv->dwValueType)
  1617. {
  1618. hr = E_INVALIDARG;
  1619. _JumpError(hr, error, "Not an IA5 string");
  1620. }
  1621. cbOut = (wcslen((WCHAR const *) pcnv->Value.pbData) + 1) * sizeof(WCHAR);
  1622. *ppwszOut = (WCHAR *) LocalAlloc(LMEM_FIXED, cbOut);
  1623. if (NULL == *ppwszOut)
  1624. {
  1625. hr = E_OUTOFMEMORY;
  1626. _JumpError(hr, error, "LocalAlloc");
  1627. }
  1628. CopyMemory(*ppwszOut, pcnv->Value.pbData, cbOut);
  1630. error:
  1631. if (NULL != pcnv)
  1632. {
  1633. LocalFree(pcnv);
  1634. }
  1635. return(hr);
  1636. }
  1639. HRESULT
  1640. myPKCSEncodeLong(
  1641. IN LONG Value,
  1642. OUT BYTE **ppbOut,
  1643. OUT DWORD *pcbOut)
  1644. {
  1645. HRESULT hr = S_OK;
  1647. // encode the long value
  1649. if (!myEncodeObject(
  1650. X509_ASN_ENCODING,
  1651. X509_INTEGER,
  1652. &Value,
  1653. 0,
  1654. CERTLIB_USE_LOCALALLOC,
  1655. ppbOut,
  1656. pcbOut))
  1657. {
  1658. hr = myHLastError();
  1659. _JumpError(hr, error, "myEncodeObject");
  1660. }
  1661. error:
  1662. return(hr);
  1663. }
  1666. HRESULT
  1667. myPKCSDecodeLong(
  1668. IN BYTE const *pbIn,
  1669. IN DWORD cbIn,
  1670. OUT LONG **ppValue)
  1671. {
  1672. HRESULT hr = S_OK;
  1673. DWORD cbOut;
  1675. // encode the long value
  1677. if (!myDecodeObject(
  1678. X509_ASN_ENCODING,
  1679. X509_INTEGER,
  1680. pbIn,
  1681. cbIn,
  1682. CERTLIB_USE_LOCALALLOC,
  1683. (VOID **) ppValue,
  1684. &cbOut))
  1685. {
  1686. hr = myHLastError();
  1687. _JumpError(hr, error, "myDecodeObject");
  1688. }
  1689. CSASSERT(sizeof(**ppValue) == cbOut);
  1690. error:
  1691. return(hr);
  1692. }
  1695. HRESULT
  1696. myPKCSEncodeDate(
  1697. IN FILETIME const *pft,
  1698. OUT BYTE **ppbOut,
  1699. OUT DWORD *pcbOut)
  1700. {
  1701. HRESULT hr = S_OK;
  1703. // encode the time value
  1705. if (!myEncodeObject(
  1706. X509_ASN_ENCODING,
  1707. X509_CHOICE_OF_TIME,
  1708. pft,
  1709. 0,
  1710. CERTLIB_USE_LOCALALLOC,
  1711. ppbOut,
  1712. pcbOut))
  1713. {
  1714. hr = myHLastError();
  1715. _JumpError(hr, error, "myEncodeObject");
  1716. }
  1717. error:
  1718. return(hr);
  1719. }
  1722. HRESULT
  1723. myPKCSDecodeDate(
  1724. IN BYTE const *pbIn,
  1725. IN DWORD cbIn,
  1726. OUT FILETIME **ppftOut)
  1727. {
  1728. HRESULT hr = S_OK;
  1729. DWORD cbOut;
  1731. // encode the time value
  1733. if (!myDecodeObject(
  1734. X509_ASN_ENCODING,
  1735. X509_CHOICE_OF_TIME,
  1736. pbIn,
  1737. cbIn,
  1738. CERTLIB_USE_LOCALALLOC,
  1739. (VOID **) ppftOut,
  1740. &cbOut))
  1741. {
  1742. hr = myHLastError();
  1743. _JumpError(hr, error, "myDecodeObject");
  1744. }
  1745. CSASSERT(sizeof(**ppftOut) == cbOut);
  1746. error:
  1747. return(hr);
  1748. }
  1751. HRESULT
  1752. myEncodeExtension(
  1753. IN DWORD Flags,
  1754. IN BYTE const *pbIn,
  1755. IN DWORD cbIn,
  1756. OUT BYTE **ppbOut,
  1757. OUT DWORD *pcbOut)
  1758. {
  1759. HRESULT hr = E_INVALIDARG;
  1761. // everyone assumes pbIn != NULL
  1763. if (NULL == pbIn || 0 == cbIn)
  1764. {
  1765. _JumpError(hr, error, "NULL param");
  1766. }
  1768. switch (PROPTYPE_MASK & Flags)
  1769. {
  1770. case PROPTYPE_STRING:
  1771. if (0 == (PROPMARSHAL_LOCALSTRING & Flags) &&
  1772. sizeof(WCHAR) <= cbIn)
  1773. {
  1774. cbIn -= sizeof(WCHAR);
  1775. }
  1776. if (wcslen((WCHAR const *) pbIn) * sizeof(WCHAR) != cbIn)
  1777. {
  1778. _JumpError(hr, error, "bad string len");
  1779. }
  1780. hr = myPKCSEncodeString((WCHAR const *) pbIn, ppbOut, pcbOut);
  1781. _JumpIfError(hr, error, "myPKCSEncodeString");
  1783. break;
  1785. case PROPTYPE_LONG:
  1786. CSASSERT(sizeof(DWORD) == cbIn);
  1787. hr = myPKCSEncodeLong(*(DWORD const *) pbIn, ppbOut, pcbOut);
  1788. _JumpIfError(hr, error, "myPKCSEncodeLong");
  1790. break;
  1792. case PROPTYPE_DATE:
  1793. CSASSERT(sizeof(FILETIME) == cbIn);
  1794. hr = myPKCSEncodeDate((FILETIME const *) pbIn, ppbOut, pcbOut);
  1795. _JumpIfError(hr, error, "myPKCSEncodeDate");
  1797. break;
  1799. default:
  1800. _JumpError(hr, error, "variant type/value");
  1801. }
  1802. hr = S_OK;
  1804. error:
  1805. return(hr);
  1806. }
  1809. HRESULT
  1810. myDecodeExtension(
  1811. IN DWORD Flags,
  1812. IN BYTE const *pbIn,
  1813. IN DWORD cbIn,
  1814. OUT BYTE **ppbOut,
  1815. OUT DWORD *pcbOut)
  1816. {
  1817. HRESULT hr;
  1819. switch (PROPTYPE_MASK & Flags)
  1820. {
  1821. case PROPTYPE_STRING:
  1822. hr = myPKCSDecodeString(pbIn, cbIn, (WCHAR **) ppbOut);
  1823. _JumpIfError(hr, error, "myPKCSDecodeString");
  1825. *pcbOut = wcslen((WCHAR const *) *ppbOut) * sizeof(WCHAR);
  1826. break;
  1828. case PROPTYPE_LONG:
  1829. hr = myPKCSDecodeLong(pbIn, cbIn, (LONG **) ppbOut);
  1830. _JumpIfError(hr, error, "myPKCSDecodeLong");
  1832. *pcbOut = sizeof(LONG);
  1833. break;
  1835. case PROPTYPE_DATE:
  1836. hr = myPKCSDecodeDate(pbIn, cbIn, (FILETIME **) ppbOut);
  1837. _JumpIfError(hr, error, "myPKCSDecodeDate");
  1839. *pcbOut = sizeof(FILETIME);
  1840. break;
  1842. default:
  1843. hr = E_INVALIDARG;
  1844. _JumpError(hr, error, "Flags: Invalid type");
  1845. }
  1847. error:
  1848. return(hr);
  1849. }
  1852. // szOID_ENROLLMENT_NAME_VALUE_PAIR
  1854. BOOL
  1855. myDecodeNameValuePair(
  1856. IN DWORD dwEncodingType,
  1857. IN BYTE const *pbEncoded,
  1858. IN DWORD cbEncoded,
  1859. IN CERTLIB_ALLOCATOR allocType,
  1860. OUT CRYPT_ENROLLMENT_NAME_VALUE_PAIR **ppInfo,
  1861. OUT DWORD *pcbInfo)
  1862. {
  1864. return(myDecodeObject(
  1865. dwEncodingType,
  1866. szOID_ENROLLMENT_NAME_VALUE_PAIR,
  1867. pbEncoded,
  1868. cbEncoded,
  1869. allocType,
  1870. (VOID **) ppInfo,
  1871. pcbInfo));
  1872. }
  1875. //+-------------------------------------------------------------------------
  1876. // myVerifyObjIdA - verify the passed pszObjId is valid as per X.208
  1877. //
  1878. // Encode and Decode the Object Id and make sure it survives the round trip.
  1879. // The first number must be 0, 1 or 2.
  1880. // Enforce all characters are digits and dots.
  1881. // Enforce that no dot starts or ends the Object Id, and disallow double dots.
  1882. // Enforce there is at least one dot separator.
  1883. // If the first number is 0 or 1, the second number must be between 0 & 39.
  1884. // If the first number is 2, the second number can be any value.
  1885. //--------------------------------------------------------------------------
  1887. HRESULT
  1888. myVerifyObjIdA(
  1889. IN CHAR const *pszObjId)
  1890. {
  1891. HRESULT hr;
  1892. BYTE *pbEncoded = NULL;
  1893. DWORD cbEncoded;
  1894. CRYPT_ATTRIBUTE ainfo;
  1895. CRYPT_ATTRIBUTE *painfo = NULL;
  1896. DWORD cbainfo;
  1897. char const *psz;
  1898. int i;
  1899. BOOL fNoisy = FALSE;
  1901. hr = E_INVALIDARG;
  1902. for (psz = pszObjId; '\0' != *psz; psz++)
  1903. {
  1904. // must be a digit or a dot separator
  1906. if (!isdigit(*psz))
  1907. {
  1908. if ('.' != *psz)
  1909. {
  1910. _JumpError2(hr, error, "bad ObjId: bad char", hr);
  1911. }
  1913. // can't have dot at start, double dots or dot at end
  1915. if (psz == pszObjId || '.' == psz[1] || '\0' == psz[1])
  1916. {
  1917. _JumpError2(hr, error, "bad ObjId: dot location", hr);
  1918. }
  1919. }
  1920. }
  1921. psz = strchr(pszObjId, '.');
  1922. if (NULL == psz)
  1923. {
  1924. _JumpError2(hr, error, "bad ObjId: must have at least one dot", hr);
  1925. }
  1926. i = atoi(pszObjId);
  1927. switch (i)
  1928. {
  1929. case 0:
  1930. case 1:
  1931. i = atoi(++psz);
  1932. if (0 > i || 39 < i)
  1933. {
  1934. _JumpError(hr, error, "bad ObjId: 0. or 1. must be followed by 0..39");
  1935. }
  1936. break;
  1938. case 2:
  1939. break;
  1941. default:
  1942. fNoisy = TRUE;
  1943. _JumpError(hr, error, "bad ObjId: must start with 0, 1 or 2");
  1944. }
  1946. fNoisy = TRUE;
  1947. ainfo.pszObjId = const_cast<char *>(pszObjId);
  1948. ainfo.cValue = 0;
  1949. ainfo.rgValue = NULL;
  1951. if (!myEncodeObject(
  1952. X509_ASN_ENCODING,
  1953. PKCS_ATTRIBUTE,
  1954. &ainfo,
  1955. 0,
  1956. CERTLIB_USE_LOCALALLOC,
  1957. &pbEncoded,
  1958. &cbEncoded))
  1959. {
  1960. hr = myHLastError();
  1961. _JumpError(hr, error, "myEncodeObject");
  1962. }
  1964. if (!myDecodeObject(
  1965. X509_ASN_ENCODING,
  1966. PKCS_ATTRIBUTE,
  1967. pbEncoded,
  1968. cbEncoded,
  1969. CERTLIB_USE_LOCALALLOC,
  1970. (VOID **) &painfo,
  1971. &cbainfo))
  1972. {
  1973. hr = myHLastError();
  1974. _JumpError(hr, error, "myDecodeObject");
  1975. }
  1977. if (0 != strcmp(pszObjId, painfo->pszObjId))
  1978. {
  1979. hr = E_INVALIDARG;
  1980. _JumpError(hr, error, "bad ObjId: decode mismatch");
  1981. }
  1982. hr = S_OK;
  1984. error:
  1985. if (S_OK != hr)
  1986. {
  1987. DBGPRINT((
  1988. fNoisy? DBG_SS_CERTLIB : DBG_SS_CERTLIBI,
  1989. "myVerifyObjIdA(%hs): %x\n",
  1990. pszObjId,
  1991. hr));
  1992. }
  1993. if (NULL != pbEncoded)
  1994. {
  1995. LocalFree(pbEncoded);
  1996. }
  1997. if (NULL != painfo)
  1998. {
  1999. LocalFree(painfo);
  2000. }
  2001. return(hr);
  2002. }
  2005. HRESULT
  2006. myVerifyObjId(
  2007. IN WCHAR const *pwszObjId)
  2008. {
  2009. HRESULT hr;
  2010. CHAR *pszObjId = NULL;
  2012. if (!ConvertWszToSz(&pszObjId, pwszObjId, -1))
  2013. {
  2014. hr = E_OUTOFMEMORY;
  2015. _JumpError(hr, error, "ConvertWszToSz");
  2016. }
  2017. hr = myVerifyObjIdA(pszObjId);
  2018. _JumpIfErrorStr2(hr, error, "myVerifyObjIdA", pwszObjId, E_INVALIDARG);
  2020. error:
  2021. if (NULL != pszObjId)
  2022. {
  2023. LocalFree(pszObjId);
  2024. }
  2025. return(hr);
  2026. }
  2029. // The returned pszObjId is a constant that must not be freed. CryptFindOIDInfo
  2030. // has a static internal database that is valid until crypt32.dll is unloaded.
  2032. #define GON_GROUP 0x00000001
  2033. #define GON_GENERIC 0x00000002
  2035. typedef struct _OIDNAME
  2036. {
  2037. char const *pszObjId;
  2038. WCHAR const *pwszDisplayName;
  2039. } OIDNAME;
  2041. #if DBG
  2042. #define wszCERTLIB L"(certlib)"
  2043. #else
  2044. #define wszCERTLIB L""
  2045. #endif
  2047. OIDNAME s_aOIDName[] = {
  2048. { szOID_CT_PKI_DATA, L"CMC Data" wszCERTLIB, },
  2049. { szOID_CT_PKI_RESPONSE, L"CMC Response" wszCERTLIB, },
  2050. { szOID_CMC, L"Unsigned CMC Request" wszCERTLIB, },
  2051. { szOID_CMC_TRANSACTION_ID, L"Transaction Id" wszCERTLIB, },
  2052. { szOID_CMC_SENDER_NONCE, L"Sender Nonce" wszCERTLIB, },
  2053. { szOID_CMC_RECIPIENT_NONCE, L"Recipient Nonce" wszCERTLIB, },
  2054. { szOID_CMC_REG_INFO, L"Reg Info" wszCERTLIB, },
  2055. { szOID_CMC_GET_CERT, L"Get Certificate" wszCERTLIB, },
  2056. { szOID_CMC_GET_CRL, L"Get CRL" wszCERTLIB, },
  2057. { szOID_CMC_REVOKE_REQUEST, L"Revoke Request" wszCERTLIB, },
  2058. { szOID_CMC_QUERY_PENDING, L"Query Pending" wszCERTLIB, },
  2059. { szOID_CMC_ID_CONFIRM_CERT_ACCEPTANCE, L"Confirm Certificate Acceptance" wszCERTLIB, },
  2060. { szOID_CMC_STATUS_INFO, L"Unsigned CMC Response" wszCERTLIB, },
  2061. { szOID_CMC_ADD_EXTENSIONS, L"CMC Extensions" wszCERTLIB, },
  2062. { szOID_CMC_ADD_ATTRIBUTES, L"CMC Attributes" wszCERTLIB, },
  2063. { szOID_VERISIGN_ONSITE_JURISDICTION_HASH, L"Jurisdiction Hash" wszCERTLIB, },
  2064. { szOID_PKCS_7_DATA, L"PKCS 7 Data" wszCERTLIB, },
  2065. { szOID_ARCHIVED_KEY_ATTR, L"Archived Key" wszCERTLIB, },
  2066. { szOID_CTL, L"Certifcate Trust List" wszCERTLIB, },
  2067. { szOID_ARCHIVED_KEY_CERT_HASH, L"Archived Key Certificate Hash" wszCERTLIB, },
  2068. { szOID_ROOT_LIST_SIGNER, L"Root List Signer" wszCERTLIB, },
  2069. { szOID_PRIVATEKEY_USAGE_PERIOD, L"Private Key Usage Period" wszCERTLIB, },
  2070. { szOID_REQUEST_CLIENT_INFO, L"Client Information" wszCERTLIB, },
  2071. { szOID_NTDS_REPLICATION, L"DS object Guid" wszCERTLIB, },
  2072. { szOID_CERTSRV_CROSSCA_VERSION, L"Cross CA Version" wszCERTLIB, },
  2073. };
  2076. WCHAR const *
  2077. myGetOIDNameA(
  2078. IN char const *pszObjId)
  2079. {
  2080. CRYPT_OID_INFO const *pInfo = NULL;
  2081. WCHAR const *pwszName = L"";
  2082. DWORD Flags = GON_GROUP | GON_GENERIC;
  2084. if ('+' == *pszObjId)
  2085. {
  2086. Flags = GON_GROUP; // Group lookup only
  2087. pszObjId++;
  2088. }
  2089. else
  2090. if ('-' == *pszObjId)
  2091. {
  2092. Flags = GON_GENERIC; // Generic lookup only
  2093. pszObjId++;
  2094. }
  2096. // First try looking up the ObjectId as an Extension or Attribute, because
  2097. // we get a better Display Name, especially for Subject RDNs: CN, L, etc.
  2098. // If that fails, look it up without restricting the group.
  2100. if (GON_GROUP & Flags)
  2101. {
  2102. pInfo = CryptFindOIDInfo(
  2103. CRYPT_OID_INFO_OID_KEY,
  2104. (VOID *) pszObjId,
  2105. CRYPT_EXT_OR_ATTR_OID_GROUP_ID);
  2106. }
  2107. if ((GON_GENERIC & Flags) &&
  2108. (NULL == pInfo ||
  2109. NULL == pInfo->pwszName ||
  2110. L'\0' == pInfo->pwszName[0]))
  2111. {
  2112. pInfo = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, (VOID *) pszObjId, 0);
  2113. }
  2114. if (NULL != pInfo && NULL != pInfo->pwszName && L'\0' != pInfo->pwszName[0])
  2115. {
  2116. pwszName = pInfo->pwszName;
  2117. }
  2118. else
  2119. {
  2120. OIDNAME const *pOIDName;
  2122. for (pOIDName = s_aOIDName;
  2123. pOIDName < &s_aOIDName[ARRAYSIZE(s_aOIDName)];
  2124. pOIDName++)
  2125. {
  2126. if (0 == strcmp(pOIDName->pszObjId, pszObjId))
  2127. {
  2128. pwszName = pOIDName->pwszDisplayName;
  2129. break;
  2130. }
  2131. }
  2132. }
  2133. return(pwszName);
  2134. }
  2137. WCHAR const *
  2138. myGetOIDName(
  2139. IN WCHAR const *pwszObjId)
  2140. {
  2141. char *pszObjId = NULL;
  2142. WCHAR const *pwszName = L"";
  2144. if (!ConvertWszToSz(&pszObjId, pwszObjId, -1))
  2145. {
  2146. _JumpError(E_OUTOFMEMORY, error, "ConvertWszToSz");
  2147. }
  2148. pwszName = myGetOIDNameA(pszObjId);
  2150. error:
  2151. if (NULL != pszObjId)
  2152. {
  2153. LocalFree(pszObjId);
  2154. }
  2155. return(pwszName);
  2156. }
  2159. typedef struct _DUMPFLAGS
  2160. {
  2161. DWORD Mask;
  2162. DWORD Value;
  2163. WCHAR const *pwszDescription;
  2164. } DUMPFLAGS;
  2167. #define _DFBIT(def) { (def), (def), L#def }
  2168. #define _DFBIT2(mask, def) { (mask), (def), L#def }
  2171. DUMPFLAGS g_adfErrorStatus[] =
  2172. {
  2173. _DFBIT(CERT_TRUST_IS_NOT_TIME_VALID),
  2174. _DFBIT(CERT_TRUST_IS_NOT_TIME_NESTED),
  2175. _DFBIT(CERT_TRUST_IS_REVOKED),
  2176. _DFBIT(CERT_TRUST_IS_NOT_SIGNATURE_VALID),
  2177. _DFBIT(CERT_TRUST_IS_NOT_VALID_FOR_USAGE),
  2178. _DFBIT(CERT_TRUST_IS_UNTRUSTED_ROOT),
  2179. _DFBIT(CERT_TRUST_REVOCATION_STATUS_UNKNOWN),
  2180. _DFBIT(CERT_TRUST_IS_CYCLIC),
  2182. _DFBIT(CERT_TRUST_INVALID_EXTENSION),
  2183. _DFBIT(CERT_TRUST_INVALID_POLICY_CONSTRAINTS),
  2184. _DFBIT(CERT_TRUST_INVALID_BASIC_CONSTRAINTS),
  2185. _DFBIT(CERT_TRUST_INVALID_NAME_CONSTRAINTS),
  2186. _DFBIT(CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT),
  2187. _DFBIT(CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT),
  2188. _DFBIT(CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT),
  2189. _DFBIT(CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT),
  2191. _DFBIT(CERT_TRUST_IS_OFFLINE_REVOCATION),
  2192. _DFBIT(CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY),
  2194. _DFBIT(CERT_TRUST_IS_PARTIAL_CHAIN),
  2195. _DFBIT(CERT_TRUST_CTL_IS_NOT_TIME_VALID),
  2196. _DFBIT(CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID),
  2197. _DFBIT(CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE),
  2199. { 0, 0, NULL }
  2200. };
  2202. DUMPFLAGS g_adfInfoStatus[] =
  2203. {
  2204. _DFBIT(CERT_TRUST_HAS_EXACT_MATCH_ISSUER),
  2205. _DFBIT(CERT_TRUST_HAS_KEY_MATCH_ISSUER),
  2206. _DFBIT(CERT_TRUST_HAS_NAME_MATCH_ISSUER),
  2207. _DFBIT(CERT_TRUST_IS_SELF_SIGNED),
  2209. _DFBIT(CERT_TRUST_HAS_PREFERRED_ISSUER),
  2210. _DFBIT(CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY),
  2211. _DFBIT(CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS),
  2213. _DFBIT(CERT_TRUST_IS_COMPLEX_CHAIN),
  2214. { 0, 0, NULL }
  2215. };
  2217. DUMPFLAGS g_adfChainFlags[] =
  2218. {
  2219. _DFBIT(CERT_CHAIN_CACHE_END_CERT),
  2220. _DFBIT(CERT_CHAIN_THREAD_STORE_SYNC),
  2221. _DFBIT(CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL),
  2222. _DFBIT(CERT_CHAIN_USE_LOCAL_MACHINE_STORE),
  2223. _DFBIT(CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE),
  2224. _DFBIT(CERT_CHAIN_ENABLE_SHARE_STORE),
  2225. _DFBIT(CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING),
  2226. _DFBIT(CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS),
  2227. _DFBIT(CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE),
  2228. _DFBIT(CERT_CHAIN_TIMESTAMP_TIME),
  2229. _DFBIT(CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT),
  2230. _DFBIT(CERT_CHAIN_REVOCATION_CHECK_END_CERT),
  2231. _DFBIT(CERT_CHAIN_REVOCATION_CHECK_CHAIN),
  2232. _DFBIT(CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT),
  2233. _DFBIT(CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY),
  2234. { 0, 0, NULL }
  2235. };
  2237. DUMPFLAGS g_adfVerifyFlags[] =
  2238. {
  2239. _DFBIT(CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT),
  2240. _DFBIT(CA_VERIFY_FLAGS_IGNORE_OFFLINE),
  2241. _DFBIT(CA_VERIFY_FLAGS_NO_REVOCATION),
  2242. _DFBIT(CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION),
  2243. _DFBIT(CA_VERIFY_FLAGS_NT_AUTH),
  2244. _DFBIT(CA_VERIFY_FLAGS_IGNORE_INVALID_POLICIES),
  2245. _DFBIT(CA_VERIFY_FLAGS_IGNORE_NOREVCHECK),
  2246. _DFBIT(CA_VERIFY_FLAGS_DUMP_CHAIN),
  2247. _DFBIT(CA_VERIFY_FLAGS_SAVE_CHAIN),
  2248. { 0, 0, NULL }
  2249. };
  2252. VOID
  2253. DumpFlags(
  2254. IN DWORD Flags,
  2255. IN WCHAR const *pwsz,
  2256. IN DUMPFLAGS const *pdf)
  2257. {
  2258. for ( ; NULL != pdf->pwszDescription; pdf++)
  2259. {
  2260. if ((Flags & pdf->Mask) == pdf->Value)
  2261. {
  2262. CONSOLEPRINT3((
  2263. MAXDWORD,
  2264. "%ws = %ws (0x%x)\n",
  2265. pwsz,
  2266. pdf->pwszDescription,
  2267. pdf->Value));
  2268. }
  2269. }
  2270. }
  2273. VOID
  2274. DumpUsage(
  2275. IN WCHAR const *pwsz,
  2276. OPTIONAL IN CERT_ENHKEY_USAGE const *pUsage)
  2277. {
  2278. DWORD i;
  2280. if (NULL != pUsage)
  2281. {
  2282. for (i = 0; i < pUsage->cUsageIdentifier; i++)
  2283. {
  2284. CONSOLEPRINT4((
  2285. MAXDWORD,
  2286. "%ws[%u] = %hs %ws\n",
  2287. pwsz,
  2288. i,
  2289. pUsage->rgpszUsageIdentifier[i],
  2290. myGetOIDNameA(pUsage->rgpszUsageIdentifier[i])));
  2291. }
  2292. }
  2293. }
  2296. HRESULT
  2297. WriteBlob(
  2298. IN FILE *pf,
  2299. IN BYTE const *pb,
  2300. IN DWORD cb,
  2301. IN DWORD Flags)
  2302. {
  2303. HRESULT hr;
  2304. char *pszBase64 = NULL;
  2306. hr = myCryptBinaryToStringA(
  2307. pb,
  2308. cb,
  2309. Flags | CRYPT_STRING_NOCR,
  2310. &pszBase64);
  2311. _JumpIfError(hr, error, "myCryptBinaryToStringA");
  2313. fputs(pszBase64, pf);
  2314. fflush(pf);
  2315. if (ferror(pf))
  2316. {
  2317. hr = HRESULT_FROM_WIN32(ERROR_DISK_FULL);
  2318. _JumpError(hr, error, "fputs");
  2319. }
  2320. hr = S_OK;
  2322. error:
  2323. if (NULL != pszBase64)
  2324. {
  2325. LocalFree(pszBase64);
  2326. }
  2327. return(hr);
  2328. }
  2331. DWORD
  2332. myCRLNumber(
  2333. IN CRL_CONTEXT const *pCRL)
  2334. {
  2335. HRESULT hr;
  2336. CERT_EXTENSION const *pExt;
  2337. DWORD CRLNumber = 0;
  2338. DWORD dw;
  2339. DWORD cb;
  2341. pExt = CertFindExtension(
  2342. szOID_CRL_NUMBER,
  2343. pCRL->pCrlInfo->cExtension,
  2344. pCRL->pCrlInfo->rgExtension);
  2345. if (NULL == pExt)
  2346. {
  2347. // This API doesn't set LastError
  2348. hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
  2349. _JumpError(hr, error, "CertFindExtension(CRLNumber)");
  2350. }
  2351. cb = sizeof(dw);
  2352. dw = 0;
  2353. if (!CryptDecodeObject(
  2354. X509_ASN_ENCODING,
  2355. X509_INTEGER,
  2356. pExt->Value.pbData,
  2357. pExt->Value.cbData,
  2358. 0,
  2359. &dw,
  2360. &cb))
  2361. {
  2362. hr = myHLastError();
  2363. _JumpError(hr, error, "CryptDecodeObject");
  2364. }
  2365. CRLNumber = dw;
  2367. error:
  2368. return(CRLNumber);
  2369. }
  2372. VOID
  2373. WriteChain(
  2374. IN CERT_SIMPLE_CHAIN const *pChain,
  2375. IN DWORD SaveIndex,
  2376. IN DWORD ChainIndex)
  2377. {
  2378. HRESULT hr;
  2379. #define szCHAINFORMAT "Chain%d_%d.txt"
  2380. char szPath[MAX_PATH + ARRAYSIZE(szCHAINFORMAT) + 2 * cwcDWORDSPRINTF];
  2381. DWORD i;
  2382. FILE *pf = NULL;
  2383. DWORD cch;
  2385. cch = GetEnvironmentVariableA("temp", szPath, MAX_PATH);
  2386. if (0 == cch || MAX_PATH <= cch)
  2387. {
  2388. strcpy(szPath, "\\");
  2389. }
  2390. i = strlen(szPath);
  2391. if (0 == i || '\\' != szPath[i - 1])
  2392. {
  2393. szPath[i++] = '\\';
  2394. }
  2395. sprintf(&szPath[i], szCHAINFORMAT, SaveIndex, ChainIndex);
  2396. pf = fopen(szPath, "w");
  2397. if (NULL == pf)
  2398. {
  2399. hr = errno;
  2400. _JumpError(hr, error, "fopen");
  2401. }
  2402. for (i = 0; i < pChain->cElement; i++)
  2403. {
  2404. CERT_CHAIN_ELEMENT const *pElement = pChain->rgpElement[i];
  2405. CERT_REVOCATION_INFO *pRevocationInfo;
  2407. if (0 < i)
  2408. {
  2409. fputs("\n", pf);
  2410. }
  2411. fprintf(pf, "Certificate %d:\n", i);
  2413. hr = WriteBlob(
  2414. pf,
  2415. pElement->pCertContext->pbCertEncoded,
  2416. pElement->pCertContext->cbCertEncoded,
  2417. CRYPT_STRING_BASE64HEADER);
  2418. _JumpIfError(hr, error, "WriteBlob");
  2420. pRevocationInfo = pElement->pRevocationInfo;
  2422. if (NULL != pRevocationInfo &&
  2423. CCSIZEOF_STRUCT(CERT_REVOCATION_INFO, pCrlInfo) <=
  2424. pRevocationInfo->cbSize &&
  2425. NULL != pRevocationInfo->pCrlInfo)
  2426. {
  2427. CERT_REVOCATION_CRL_INFO *pCrlInfo;
  2429. pCrlInfo = pRevocationInfo->pCrlInfo;
  2430. if (NULL != pCrlInfo)
  2431. {
  2432. if (NULL != pCrlInfo->pBaseCrlContext)
  2433. {
  2434. fprintf(
  2435. pf,
  2436. "\nCRL %u:\n",
  2437. myCRLNumber(pCrlInfo->pBaseCrlContext));
  2438. hr = WriteBlob(
  2439. pf,
  2440. pCrlInfo->pBaseCrlContext->pbCrlEncoded,
  2441. pCrlInfo->pBaseCrlContext->cbCrlEncoded,
  2442. CRYPT_STRING_BASE64X509CRLHEADER);
  2443. _JumpIfError(hr, error, "WriteBlob");
  2444. }
  2445. if (NULL != pCrlInfo->pDeltaCrlContext)
  2446. {
  2447. fprintf(
  2448. pf,
  2449. "\nDelta CRL %u:\n",
  2450. myCRLNumber(pCrlInfo->pDeltaCrlContext));
  2451. hr = WriteBlob(
  2452. pf,
  2453. pCrlInfo->pDeltaCrlContext->pbCrlEncoded,
  2454. pCrlInfo->pDeltaCrlContext->cbCrlEncoded,
  2455. CRYPT_STRING_BASE64X509CRLHEADER);
  2456. _JumpIfError(hr, error, "WriteBlob");
  2457. }
  2458. }
  2459. }
  2460. }
  2462. error:
  2463. if (NULL != pf)
  2464. {
  2465. fclose(pf);
  2466. }
  2467. }
  2470. HRESULT
  2471. DumpChainOpenHash(
  2472. OUT HCRYPTPROV *phProv,
  2473. OUT HCRYPTHASH *phHash)
  2474. {
  2475. HRESULT hr;
  2477. *phProv = NULL;
  2478. *phHash = NULL;
  2479. if (!CryptAcquireContext(
  2480. phProv,
  2481. NULL, // container
  2482. MS_DEF_PROV,
  2483. PROV_RSA_FULL,
  2484. CRYPT_VERIFYCONTEXT))
  2485. {
  2486. *phProv = NULL;
  2487. hr = myHLastError();
  2488. _JumpError(hr, error, "CryptAcquireContext");
  2489. }
  2491. if (!CryptCreateHash(*phProv, CALG_SHA1, 0, 0, phHash))
  2492. {
  2493. *phHash = NULL;
  2494. hr = myHLastError();
  2495. _JumpError(hr, error, "CryptCreateHash");
  2496. }
  2497. hr = S_OK;
  2499. error:
  2500. if (S_OK != hr && NULL != *phProv)
  2501. {
  2502. if (!CryptReleaseContext(*phProv, 0))
  2503. {
  2504. HRESULT hr2 = myHLastError();
  2506. _PrintError(hr, "CryptReleaseContext");
  2507. if (hr == S_OK)
  2508. {
  2509. hr = hr2;
  2510. }
  2511. }
  2512. *phProv = NULL;
  2513. }
  2514. return(hr);
  2515. }
  2518. VOID
  2519. DumpChainName(
  2520. IN char const *pszType,
  2521. IN CERT_NAME_BLOB const *pName)
  2522. {
  2523. HRESULT hr;
  2524. WCHAR *pwsz;
  2526. pwsz = NULL;
  2527. hr = myCertNameToStr(
  2528. X509_ASN_ENCODING,
  2529. pName,
  2530. CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
  2531. &pwsz);
  2532. _PrintIfError(hr, "myCertNameToStr");
  2533. if (NULL != pwsz)
  2534. {
  2535. CONSOLEPRINT2((MAXDWORD, "%hs: %ws\n", pszType, pwsz));
  2536. LocalFree(pwsz);
  2537. }
  2538. }
  2541. HRESULT
  2542. DumpChainSerial(
  2543. IN char const *pszType,
  2544. IN CRYPT_INTEGER_BLOB const *pSerial)
  2545. {
  2546. HRESULT hr;
  2547. BSTR strSerial = NULL;
  2549. hr = MultiByteIntegerToBstr(
  2550. FALSE,
  2551. pSerial->cbData,
  2552. pSerial->pbData,
  2553. &strSerial);
  2554. _JumpIfError(hr, error, "MultiByteIntegerToBstr");
  2556. CONSOLEPRINT2((MAXDWORD, "%hs: %ws\n", pszType, strSerial));
  2558. error:
  2559. if (NULL != strSerial)
  2560. {
  2561. SysFreeString(strSerial);
  2562. }
  2563. return(hr);
  2564. }
  2567. HRESULT
  2568. DumpChainHash(
  2569. IN BYTE const *pbHash,
  2570. IN DWORD cbHash)
  2571. {
  2572. HRESULT hr;
  2573. WCHAR wszHash[CBMAX_CRYPT_HASH_LEN * 3];
  2574. DWORD cbwszHash;
  2576. cbwszHash = sizeof(wszHash);
  2577. hr = MultiByteIntegerToWszBuf(
  2578. TRUE, // byte multiple
  2579. cbHash,
  2580. pbHash,
  2581. &cbwszHash,
  2582. wszHash);
  2583. _JumpIfError(hr, error, "MultiByteIntegerToWszBuf");
  2585. CONSOLEPRINT1((MAXDWORD, " %ws\n", wszHash));
  2587. hr = S_OK;
  2589. error:
  2590. return(hr);
  2591. }
  2594. HRESULT
  2595. DumpChainAddHash(
  2596. IN OPTIONAL HCRYPTHASH hHash,
  2597. IN BYTE const *pb,
  2598. IN DWORD cb)
  2599. {
  2600. HRESULT hr;
  2602. if (NULL != hHash)
  2603. {
  2604. if (!CryptHashData(hHash, pb, cb, 0))
  2605. {
  2606. hr = myHLastError();
  2607. _JumpError(hr, error, "CryptHashData");
  2608. }
  2609. }
  2610. hr = S_OK;
  2612. error:
  2613. return(hr);
  2614. }
  2617. HRESULT
  2618. DumpChainHashResult(
  2619. IN OPTIONAL HCRYPTHASH hHash,
  2620. IN char const *pszType)
  2621. {
  2622. HRESULT hr;
  2623. HCRYPTHASH hHashT = NULL;
  2624. BYTE abHash[CBMAX_CRYPT_HASH_LEN];
  2625. DWORD cbHash;
  2627. if (NULL != hHash)
  2628. {
  2629. if (!CryptDuplicateHash(
  2630. hHash,
  2631. NULL, // pdwReserved
  2632. 0, // dwFlags
  2633. &hHashT))
  2634. {
  2635. hr = myHLastError();
  2636. _JumpError(hr, error, "CryptDuplicateHash");
  2637. }
  2638. if (!CryptGetHashParam(hHashT, HP_HASHVAL, abHash, &cbHash, 0))
  2639. {
  2640. hr = myHLastError();
  2641. _JumpError(hr, error, "CryptGetHashParam");
  2642. }
  2643. CONSOLEPRINT2((MAXDWORD, "%hs:\n", pszType));
  2644. hr = DumpChainHash(abHash, cbHash);
  2645. _JumpIfError(hr, error, "DumpChainHash");
  2646. }
  2647. hr = S_OK;
  2649. error:
  2650. if (NULL != hHashT)
  2651. {
  2652. CryptDestroyHash(hHashT);
  2653. }
  2654. return(hr);
  2655. }
  2658. VOID
  2659. DumpChainTemplate(
  2660. IN CERT_INFO const *pCertInfo)
  2661. {
  2662. HRESULT hr;
  2663. CERT_NAME_VALUE *pbName = NULL;
  2664. CERT_TEMPLATE_EXT *pTemplate = NULL;
  2665. CERT_EXTENSION *pExt;
  2666. DWORD cb;
  2668. // display v1 template extension first
  2670. pExt = CertFindExtension(
  2671. szOID_ENROLL_CERTTYPE_EXTENSION,
  2672. pCertInfo->cExtension,
  2673. pCertInfo->rgExtension);
  2674. if (NULL != pExt)
  2675. {
  2676. if (!myDecodeObject(
  2677. X509_ASN_ENCODING,
  2678. X509_UNICODE_ANY_STRING,
  2679. pExt->Value.pbData,
  2680. pExt->Value.cbData,
  2681. CERTLIB_USE_LOCALALLOC,
  2682. (VOID **) &pbName,
  2683. &cb))
  2684. {
  2685. hr = myHLastError();
  2686. _PrintError(hr, "myDecodeObject");
  2687. }
  2688. else
  2689. {
  2690. CONSOLEPRINT1((MAXDWORD, " Template: %ws\n", pbName->Value.pbData));
  2691. }
  2692. }
  2693. pExt = CertFindExtension(
  2694. szOID_CERTIFICATE_TEMPLATE,
  2695. pCertInfo->cExtension,
  2696. pCertInfo->rgExtension);
  2698. if (NULL != pExt)
  2699. {
  2700. if (!myDecodeObject(
  2701. X509_ASN_ENCODING,
  2702. X509_CERTIFICATE_TEMPLATE,
  2703. pExt->Value.pbData,
  2704. pExt->Value.cbData,
  2705. CERTLIB_USE_LOCALALLOC,
  2706. (VOID **) &pTemplate,
  2707. &cb))
  2708. {
  2709. hr = myHLastError();
  2710. _PrintError(hr, "myDecodeObject");
  2711. }
  2712. else
  2713. {
  2714. WCHAR const *pwsz;
  2716. pwsz = myGetOIDNameA(pTemplate->pszObjId); // Static: do not free!
  2717. if (NULL != pwsz && L'\0' != *pwsz)
  2718. {
  2719. CONSOLEPRINT1((MAXDWORD, " Template: %ws\n", pwsz));
  2720. }
  2721. else
  2722. {
  2723. CONSOLEPRINT1((MAXDWORD, " Template: %hs\n", pTemplate->pszObjId));
  2724. }
  2725. }
  2726. }
  2728. //error:
  2729. LOCAL_FREE(pTemplate);
  2730. LOCAL_FREE(pbName);
  2731. }
  2734. HRESULT
  2735. DumpChainCert(
  2736. IN CERT_CONTEXT const *pcc)
  2737. {
  2738. HRESULT hr;
  2739. BYTE abHash[CBMAX_CRYPT_HASH_LEN];
  2740. DWORD cbHash;
  2742. DumpChainName(" Issuer", &pcc->pCertInfo->Issuer);
  2743. DumpChainName(" Subject", &pcc->pCertInfo->Subject);
  2744. DumpChainSerial(" Serial", &pcc->pCertInfo->SerialNumber);
  2745. DumpChainTemplate(pcc->pCertInfo);
  2746. if (!CertGetCertificateContextProperty(
  2747. pcc,
  2748. CERT_SHA1_HASH_PROP_ID,
  2749. abHash,
  2750. &cbHash))
  2751. {
  2752. hr = myHLastError();
  2753. _JumpError(hr, error, "CertGetCertificateContextProperty");
  2754. }
  2755. hr = DumpChainHash(abHash, cbHash);
  2756. _JumpIfError(hr, error, "DumpChainHash");
  2758. error:
  2759. return(hr);
  2760. }
  2763. HRESULT
  2764. DumpChainCRL(
  2765. IN BOOL fDelta,
  2766. OPTIONAL IN CRL_CONTEXT const *pCRL,
  2767. IN OPTIONAL HCRYPTHASH hHash)
  2768. {
  2769. HRESULT hr;
  2770. BYTE abHash[CBMAX_CRYPT_HASH_LEN];
  2771. DWORD cbHash;
  2773. if (NULL != pCRL)
  2774. {
  2775. CONSOLEPRINT2((
  2776. MAXDWORD,
  2777. " %hsCRL %u:\n",
  2778. fDelta? "Delta " : "",
  2779. myCRLNumber(pCRL)));
  2781. DumpChainName(" Issuer", &pCRL->pCrlInfo->Issuer);
  2782. if (!CertGetCRLContextProperty(
  2783. pCRL,
  2784. CERT_SHA1_HASH_PROP_ID,
  2785. abHash,
  2786. &cbHash))
  2787. {
  2788. hr = myHLastError();
  2789. _PrintError(hr, "CertGetCRLContextProperty");
  2790. }
  2791. else
  2792. {
  2793. CONSOLEPRINT0((MAXDWORD, " "));
  2794. hr = DumpChainHash(abHash, cbHash);
  2795. _PrintIfError(hr, "DumpChainHash");
  2796. }
  2797. hr = DumpChainAddHash(hHash, pCRL->pbCrlEncoded, pCRL->cbCrlEncoded);
  2798. _JumpIfError(hr, error, "DumpChainAddHash");
  2799. }
  2800. hr = S_OK;
  2802. error:
  2803. return(hr);
  2804. }
  2807. VOID
  2808. DumpChainSeconds(
  2809. IN WCHAR const *pwszField,
  2810. IN DWORD dwSeconds)
  2811. {
  2812. HRESULT hr;
  2813. LLFILETIME llftPeriod;
  2814. WCHAR *pwszTimePeriod;
  2816. llftPeriod.ft.dwHighDateTime = 0;
  2817. llftPeriod.ft.dwLowDateTime = dwSeconds;
  2818. llftPeriod.ll *= CVT_BASE;
  2819. llftPeriod.ll = -llftPeriod.ll;
  2821. hr = myFileTimePeriodToWszTimePeriod(&llftPeriod.ft, TRUE, &pwszTimePeriod);
  2822. if (S_OK != hr)
  2823. {
  2824. _PrintError(hr, "myFileTimePeriodToWszTimePeriod");
  2825. CONSOLEPRINT2((MAXDWORD, "%ws: %us\n", pwszField, dwSeconds));
  2826. }
  2827. else
  2828. {
  2829. CONSOLEPRINT2((MAXDWORD, "%ws: %ws\n", pwszField, pwszTimePeriod));
  2830. LocalFree(pwszTimePeriod);
  2831. }
  2832. }
  2835. VOID
  2836. myDumpChain(
  2837. IN HRESULT hrVerify,
  2838. IN DWORD dwFlags,
  2839. IN CERT_CONTEXT const *pCert,
  2840. OPTIONAL IN FNSIMPLECHAINELEMENTCALLBACK *pfnCallback,
  2841. OPTIONAL IN WCHAR const *pwszMissingIssuer,
  2842. IN CERT_CHAIN_CONTEXT const *pChainContext)
  2843. {
  2844. HRESULT hr;
  2845. DWORD i;
  2846. DWORD j;
  2847. static BOOL s_fEnvChecked = FALSE;
  2848. static BOOL s_fDumpEnabled = FALSE;
  2849. static DWORD s_SaveCount = 0;
  2850. static DWORD s_SaveIndex;
  2851. BOOL fDump;
  2852. BOOL fSave;
  2853. HCRYPTPROV hProv = NULL;
  2854. HCRYPTHASH hHash = NULL;
  2856. if (!s_fEnvChecked)
  2857. {
  2858. WCHAR wszBuf[20];
  2859. DWORD cwc;
  2861. cwc = GetEnvironmentVariable(
  2862. L"CertSrv_Chain",
  2863. wszBuf,
  2864. ARRAYSIZE(wszBuf));
  2865. if (0 < cwc && ARRAYSIZE(wszBuf) > cwc)
  2866. {
  2867. s_fDumpEnabled = TRUE;
  2868. s_SaveCount = _wtoi(wszBuf);
  2869. s_SaveIndex = s_SaveCount;
  2870. }
  2871. s_fEnvChecked = TRUE;
  2872. }
  2873. fSave = 0 != s_SaveCount || (CA_VERIFY_FLAGS_SAVE_CHAIN & dwFlags);
  2874. fDump = s_fDumpEnabled ||
  2875. S_OK != hrVerify ||
  2876. (CA_VERIFY_FLAGS_DUMP_CHAIN & dwFlags);
  2877. #if DBG_CERTSRV
  2878. if (DbgIsSSActive(DBG_SS_CERTLIBI))
  2879. {
  2880. fDump = TRUE;
  2881. }
  2882. #endif
  2883. if (!fSave && !fDump)
  2884. {
  2885. return;
  2886. }
  2887. if (0 != s_SaveCount)
  2888. {
  2889. if (++s_SaveIndex >= s_SaveCount)
  2890. {
  2891. s_SaveIndex = 0;
  2892. }
  2893. }
  2894. if (fDump)
  2895. {
  2896. CONSOLEPRINT0((MAXDWORD, "-------- CERT_CHAIN_CONTEXT --------\n"));
  2897. DumpFlags(
  2898. pChainContext->TrustStatus.dwInfoStatus,
  2899. L"ChainContext.dwInfoStatus",
  2900. g_adfInfoStatus);
  2901. DumpFlags(
  2902. pChainContext->TrustStatus.dwErrorStatus,
  2903. L"ChainContext.dwErrorStatus",
  2904. g_adfErrorStatus);
  2905. if (CCSIZEOF_STRUCT(CERT_CHAIN_CONTEXT, dwRevocationFreshnessTime) <=
  2906. pChainContext->cbSize &&
  2907. pChainContext->fHasRevocationFreshnessTime)
  2908. {
  2909. DumpChainSeconds(
  2910. L"ChainContext.dwRevocationFreshnessTime",
  2911. pChainContext->dwRevocationFreshnessTime);
  2912. }
  2913. }
  2914. for (i = 0; i < pChainContext->cChain; i++)
  2915. {
  2916. if (fSave)
  2917. {
  2918. WriteChain(pChainContext->rgpChain[i], s_SaveIndex, i);
  2919. }
  2920. if (fDump)
  2921. {
  2922. DumpFlags(
  2923. pChainContext->rgpChain[i]->TrustStatus.dwInfoStatus,
  2924. L"\nSimpleChain.dwInfoStatus",
  2925. g_adfInfoStatus);
  2926. DumpFlags(
  2927. pChainContext->rgpChain[i]->TrustStatus.dwErrorStatus,
  2928. L"SimpleChain.dwErrorStatus",
  2929. g_adfErrorStatus);
  2930. if (CCSIZEOF_STRUCT(CERT_SIMPLE_CHAIN, dwRevocationFreshnessTime) <=
  2931. pChainContext->rgpChain[i]->cbSize &&
  2932. pChainContext->rgpChain[i]->fHasRevocationFreshnessTime)
  2933. {
  2934. DumpChainSeconds(
  2935. L"SimpleChain.dwRevocationFreshnessTime",
  2936. pChainContext->rgpChain[i]->dwRevocationFreshnessTime);
  2937. }
  2938. }
  2939. if (NULL != hHash)
  2940. {
  2941. CryptDestroyHash(hHash);
  2942. hHash = NULL;
  2943. }
  2944. if (NULL != hProv)
  2945. {
  2946. CryptReleaseContext(hProv, 0);
  2947. hProv = NULL;
  2948. }
  2949. hr = DumpChainOpenHash(&hProv, &hHash);
  2950. _PrintIfError(hr, "DumpChainOpenHash");
  2952. for (j = 0; j < pChainContext->rgpChain[i]->cElement; j++)
  2953. {
  2954. CERT_CHAIN_ELEMENT const *pElement;
  2956. pElement = pChainContext->rgpChain[i]->rgpElement[j];
  2958. if (fDump ||
  2959. S_OK != hrVerify ||
  2960. 0 != pElement->TrustStatus.dwErrorStatus)
  2961. {
  2962. CERT_REVOCATION_INFO *pRevocationInfo;
  2964. CONSOLEPRINT4((
  2965. MAXDWORD,
  2966. "\nCertContext[%u][%u]: dwInfoStatus=%x dwErrorStatus=%x\n",
  2967. i,
  2968. j,
  2969. pElement->TrustStatus.dwInfoStatus,
  2970. pElement->TrustStatus.dwErrorStatus));
  2972. hr = DumpChainCert(pElement->pCertContext);
  2973. _PrintIfError(hr, "DumpChainCert");
  2975. DumpFlags(
  2976. pElement->TrustStatus.dwInfoStatus,
  2977. L" Element.dwInfoStatus",
  2978. g_adfInfoStatus);
  2979. DumpFlags(
  2980. pElement->TrustStatus.dwErrorStatus,
  2981. L" Element.dwErrorStatus",
  2982. g_adfErrorStatus);
  2984. if (NULL != pfnCallback)
  2985. {
  2986. (*pfnCallback)(dwFlags, j, pChainContext->rgpChain[i]);
  2987. }
  2988. pRevocationInfo = pElement->pRevocationInfo;
  2990. if (NULL != pRevocationInfo &&
  2991. CCSIZEOF_STRUCT(CERT_REVOCATION_INFO, pCrlInfo) <=
  2992. pRevocationInfo->cbSize &&
  2993. NULL != pRevocationInfo->pCrlInfo)
  2994. {
  2995. hr = DumpChainCRL(
  2996. FALSE,
  2997. pRevocationInfo->pCrlInfo->pBaseCrlContext,
  2998. hHash);
  2999. _PrintIfError(hr, "DumpChainCRL");
  3001. hr = DumpChainCRL(
  3002. TRUE,
  3003. pRevocationInfo->pCrlInfo->pDeltaCrlContext,
  3004. hHash);
  3005. _PrintIfError(hr, "DumpChainCRL");
  3006. }
  3008. if (CCSIZEOF_STRUCT(CERT_CHAIN_ELEMENT, pIssuanceUsage) <=
  3009. pElement->cbSize)
  3010. {
  3011. DumpUsage(L" Issuance", pElement->pIssuanceUsage);
  3012. }
  3013. if (CCSIZEOF_STRUCT(CERT_CHAIN_ELEMENT, pApplicationUsage) <=
  3014. pElement->cbSize)
  3015. {
  3016. DumpUsage(L" Application", pElement->pApplicationUsage);
  3017. }
  3018. if (CCSIZEOF_STRUCT(CERT_CHAIN_ELEMENT, pwszExtendedErrorInfo) <=
  3019. pElement->cbSize &&
  3020. NULL != pElement->pwszExtendedErrorInfo)
  3021. {
  3022. CONSOLEPRINT1((
  3023. MAXDWORD,
  3024. " %ws",
  3025. pElement->pwszExtendedErrorInfo));
  3026. }
  3027. if (1 + j == pChainContext->rgpChain[i]->cElement)
  3028. {
  3029. DumpChainHashResult(hHash, "\nExclude leaf cert");
  3030. }
  3032. hr = DumpChainAddHash(
  3033. hHash,
  3034. pElement->pCertContext->pbCertEncoded,
  3035. pElement->pCertContext->cbCertEncoded);
  3036. _PrintIfError(hr, "DumpChainAddHash");
  3038. if (1 + j == pChainContext->rgpChain[i]->cElement)
  3039. {
  3040. hr = DumpChainHashResult(hHash, "Full chain");
  3041. _PrintIfError(hr, "DumpChainAddHash");
  3042. }
  3043. }
  3044. }
  3045. }
  3046. if (fDump)
  3047. {
  3048. if (S_OK != hrVerify)
  3049. {
  3050. WCHAR const *pwszErr = myGetErrorMessageText(hrVerify, TRUE);
  3052. if (NULL != pwszMissingIssuer)
  3053. {
  3054. CONSOLEPRINT1((
  3055. MAXDWORD,
  3056. "Missing Issuer: %ws\n",
  3057. pwszMissingIssuer));
  3058. }
  3059. DumpChainCert(pCert);
  3060. if (NULL != pwszErr)
  3061. {
  3062. CONSOLEPRINT1((MAXDWORD, "%ws\n", pwszErr));
  3063. LocalFree(const_cast<WCHAR *>(pwszErr));
  3064. }
  3065. }
  3066. CONSOLEPRINT0((MAXDWORD, "------------------------------------\n"));
  3067. }
  3068. if (NULL != hHash)
  3069. {
  3070. CryptDestroyHash(hHash);
  3071. }
  3072. if (NULL != hProv)
  3073. {
  3074. CryptReleaseContext(hProv, 0);
  3075. }
  3076. }
  3079. #pragma warning(push)
  3080. #pragma warning(disable: 4706) // assignment within conditional expression: while (*pwsz++ = *psz++)
  3081. HRESULT
  3082. SavePolicies(
  3083. OPTIONAL IN CERT_ENHKEY_USAGE const *pUsage,
  3084. OUT WCHAR **ppwszzPolicies)
  3085. {
  3086. HRESULT hr;
  3087. DWORD i;
  3088. DWORD cwc;
  3089. char const *psz;
  3090. WCHAR *pwsz;
  3092. // pUsage == NULL means the cert is good for *all* policies.
  3093. // Do nothing here, which returns *ppwszzPolicies == NULL.
  3094. //
  3095. // pUsage->cUsageIdentifier == 0 means the cert is good for *no* policies.
  3096. // Return a double L'\0' terminated string containing no policy OIDs.
  3098. if (NULL != pUsage)
  3099. {
  3100. BOOL fEmpty = 0 == pUsage->cUsageIdentifier ||
  3101. NULL == pUsage->rgpszUsageIdentifier;
  3103. cwc = 1;
  3104. if (fEmpty)
  3105. {
  3106. cwc++;
  3107. }
  3108. else
  3109. {
  3110. for (i = 0; i < pUsage->cUsageIdentifier; i++)
  3111. {
  3112. cwc += strlen(pUsage->rgpszUsageIdentifier[i]) + 1;
  3113. }
  3114. }
  3115. pwsz = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR));
  3116. if (NULL == pwsz)
  3117. {
  3118. hr = E_OUTOFMEMORY;
  3119. _JumpError(hr, error, "LocalAlloc");
  3120. }
  3121. *ppwszzPolicies = pwsz;
  3122. if (fEmpty)
  3123. {
  3124. *pwsz++ = L'\0';
  3125. }
  3126. else
  3127. {
  3128. for (i = 0; i < pUsage->cUsageIdentifier; i++)
  3129. {
  3130. psz = pUsage->rgpszUsageIdentifier[i];
  3131. while (*pwsz++ = *psz++)
  3132. ;
  3133. }
  3134. }
  3135. *pwsz++ = L'\0';
  3136. CSASSERT(pwsz == &(*ppwszzPolicies)[cwc]);
  3137. }
  3138. hr = S_OK;
  3140. error:
  3141. return(hr);
  3142. }
  3143. #pragma warning(pop)
  3146. HRESULT
  3147. myVerifyCertContextEx(
  3148. IN CERT_CONTEXT const *pCert,
  3149. IN DWORD dwFlags,
  3150. IN DWORD dwmsTimeout,
  3151. IN DWORD cUsageOids,
  3152. OPTIONAL IN CHAR const * const *apszUsageOids,
  3153. IN DWORD cIssuanceOids,
  3154. OPTIONAL IN CHAR const * const *apszIssuanceOids,
  3155. OPTIONAL IN HCERTCHAINENGINE hChainEngine,
  3156. OPTIONAL IN FILETIME const *pft,
  3157. OPTIONAL IN HCERTSTORE hAdditionalStore,
  3158. OPTIONAL IN FNSIMPLECHAINELEMENTCALLBACK *pfnCallback,
  3159. OPTIONAL OUT WCHAR **ppwszMissingIssuer,
  3160. OPTIONAL OUT WCHAR **ppwszzIssuancePolicies,
  3161. OPTIONAL OUT WCHAR **ppwszzApplicationPolicies,
  3162. OPTIONAL OUT WCHAR **ppwszExtendedErrorInfo,
  3163. OPTIONAL OUT CERT_TRUST_STATUS *pTrustStatus)
  3164. {
  3165. HRESULT hr;
  3166. DWORD ChainFlags;
  3167. CERT_CHAIN_PARA ChainParams;
  3168. CERT_CHAIN_POLICY_PARA ChainPolicy;
  3169. CERT_CHAIN_POLICY_STATUS PolicyStatus;
  3170. CERT_CHAIN_CONTEXT const *pChainContext = NULL;
  3171. LPCSTR pszChainPolicyFlags;
  3172. WCHAR *pwszMissingIssuer = NULL;
  3173. CERT_CHAIN_ELEMENT const *pElement;
  3174. WCHAR const *pwsz;
  3176. if (NULL != ppwszMissingIssuer)
  3177. {
  3178. *ppwszMissingIssuer = NULL;
  3179. }
  3180. if (NULL != ppwszzIssuancePolicies)
  3181. {
  3182. *ppwszzIssuancePolicies = NULL;
  3183. }
  3184. if (NULL != ppwszzApplicationPolicies)
  3185. {
  3186. *ppwszzApplicationPolicies = NULL;
  3187. }
  3188. if (NULL != ppwszExtendedErrorInfo)
  3189. {
  3190. *ppwszExtendedErrorInfo = NULL;
  3191. }
  3192. if (NULL != pTrustStatus)
  3193. {
  3194. ZeroMemory(pTrustStatus, sizeof(*pTrustStatus));
  3195. }
  3196. ZeroMemory(&ChainParams, sizeof(ChainParams));
  3197. ChainParams.cbSize = sizeof(ChainParams);
  3198. ChainParams.dwUrlRetrievalTimeout = dwmsTimeout;
  3200. if (0 != cUsageOids && NULL != apszUsageOids)
  3201. {
  3202. ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
  3203. ChainParams.RequestedUsage.Usage.cUsageIdentifier = cUsageOids;
  3204. ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast<char **>(apszUsageOids);
  3205. }
  3207. if (0 != cIssuanceOids && NULL != apszIssuanceOids)
  3208. {
  3209. ChainParams.RequestedIssuancePolicy.dwType = USAGE_MATCH_TYPE_AND;
  3210. ChainParams.RequestedIssuancePolicy.Usage.cUsageIdentifier = cIssuanceOids;
  3211. ChainParams.RequestedIssuancePolicy.Usage.rgpszUsageIdentifier = const_cast<char **>(apszIssuanceOids);
  3212. }
  3214. ChainFlags = 0;
  3215. if (0 == (CA_VERIFY_FLAGS_NO_REVOCATION & dwFlags))
  3216. {
  3217. if (CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION & dwFlags)
  3218. {
  3219. ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN;
  3220. }
  3221. else
  3222. {
  3223. ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
  3224. }
  3225. }
  3226. if (CA_VERIFY_FLAGS_DUMP_CHAIN & dwFlags)
  3227. {
  3228. DumpFlags(dwFlags, L"dwFlags", g_adfVerifyFlags);
  3229. if (0 != cIssuanceOids && NULL != apszIssuanceOids)
  3230. {
  3231. DumpUsage(L"Issuance", &ChainParams.RequestedIssuancePolicy.Usage);
  3232. }
  3233. if (0 != cUsageOids && NULL != apszUsageOids)
  3234. {
  3235. DumpUsage(L"Application", &ChainParams.RequestedUsage.Usage);
  3236. }
  3237. DumpFlags(ChainFlags, L"ChainFlags", g_adfChainFlags);
  3238. pwsz = NULL;
  3239. if (HCCE_LOCAL_MACHINE == hChainEngine)
  3240. {
  3241. pwsz = L"HCCE_LOCAL_MACHINE";
  3242. }
  3243. else if (HCCE_CURRENT_USER == hChainEngine)
  3244. {
  3245. pwsz = L"HCCE_CURRENT_USER";
  3246. }
  3247. if (NULL != pwsz)
  3248. {
  3249. CONSOLEPRINT1((MAXDWORD, "%ws\n", pwsz));
  3250. }
  3251. }
  3253. // use NTAuth policy if (usage oids being added) & (caller asks us to check(EntCA))
  3255. pwsz = NULL;
  3256. if (0 != cUsageOids &&
  3257. NULL != apszUsageOids &&
  3258. (CA_VERIFY_FLAGS_NT_AUTH & dwFlags))
  3259. {
  3260. pszChainPolicyFlags = CERT_CHAIN_POLICY_NT_AUTH;
  3261. pwsz = L"CERT_CHAIN_POLICY_NT_AUTH";
  3262. }
  3263. else
  3264. {
  3265. pszChainPolicyFlags = CERT_CHAIN_POLICY_BASE;
  3266. pwsz = L"CERT_CHAIN_POLICY_BASE";
  3267. }
  3268. if (NULL != pwsz && (CA_VERIFY_FLAGS_DUMP_CHAIN & dwFlags))
  3269. {
  3270. CONSOLEPRINT1((MAXDWORD, "%ws\n", pwsz));
  3271. }
  3273. // Get the chain and verify the cert:
  3275. DBGPRINT((DBG_SS_CERTLIBI, "Calling CertGetCertificateChain...\n"));
  3276. if (!CertGetCertificateChain(
  3277. hChainEngine, // hChainEngine
  3278. pCert, // pCertContext
  3279. const_cast<FILETIME *>(pft), // pTime
  3280. hAdditionalStore, // hAdditionalStore
  3281. &ChainParams, // pChainPara
  3282. ChainFlags, // dwFlags
  3283. NULL, // pvReserved
  3284. &pChainContext)) // ppChainContext
  3285. {
  3286. hr = myHLastError();
  3287. _JumpError(hr, error, "CertGetCertificateChain");
  3288. }
  3289. DBGPRINT((DBG_SS_CERTLIBI, "CertGetCertificateChain done\n"));
  3291. ZeroMemory(&ChainPolicy, sizeof(ChainPolicy));
  3292. ChainPolicy.cbSize = sizeof(ChainPolicy);
  3293. ChainPolicy.dwFlags = CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG;
  3294. //ChainPolicy.pvExtraPolicyPara = NULL;
  3296. ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
  3297. PolicyStatus.cbSize = sizeof(PolicyStatus);
  3298. //PolicyStatus.dwError = 0;
  3299. PolicyStatus.lChainIndex = -1;
  3300. PolicyStatus.lElementIndex = -1;
  3301. //PolicyStatus.pvExtraPolicyStatus = NULL;
  3303. if (!CertVerifyCertificateChainPolicy(
  3304. pszChainPolicyFlags,
  3305. pChainContext,
  3306. &ChainPolicy,
  3307. &PolicyStatus))
  3308. {
  3309. hr = myHLastError();
  3310. _JumpError(hr, error, "CertVerifyCertificateChainPolicy");
  3311. }
  3313. hr = myHError(PolicyStatus.dwError);
  3314. if ((CA_VERIFY_FLAGS_IGNORE_OFFLINE |
  3315. CA_VERIFY_FLAGS_IGNORE_NOREVCHECK |
  3316. CA_VERIFY_FLAGS_NO_REVOCATION) & dwFlags)
  3317. {
  3318. if (CRYPT_E_NO_REVOCATION_CHECK == hr ||
  3319. (CRYPT_E_REVOCATION_OFFLINE == hr &&
  3320. ((CA_VERIFY_FLAGS_IGNORE_OFFLINE |
  3321. CA_VERIFY_FLAGS_IGNORE_NOREVCHECK) & dwFlags)))
  3322. {
  3323. hr = S_OK;
  3324. }
  3325. }
  3326. if (CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT & dwFlags)
  3327. {
  3328. if (CERT_E_UNTRUSTEDROOT == hr)
  3329. {
  3330. hr = S_OK;
  3331. }
  3332. }
  3333. if (CA_VERIFY_FLAGS_IGNORE_INVALID_POLICIES & dwFlags)
  3334. {
  3335. if (CERT_E_INVALID_POLICY == hr)
  3336. {
  3337. hr = S_OK;
  3338. }
  3339. }
  3340. if (S_OK != hr &&
  3341. 0 < pChainContext->cChain &&
  3342. 0 < pChainContext->rgpChain[0]->cElement)
  3343. {
  3344. pElement = pChainContext->rgpChain[0]->rgpElement[
  3345. pChainContext->rgpChain[0]->cElement - 1];
  3347. if (0 == (CERT_TRUST_IS_SELF_SIGNED & pElement->TrustStatus.dwInfoStatus))
  3348. {
  3349. HRESULT hr2;
  3351. hr2 = myCertNameToStr(
  3352. X509_ASN_ENCODING,
  3353. &pElement->pCertContext->pCertInfo->Issuer,
  3354. CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
  3355. &pwszMissingIssuer);
  3356. _PrintIfError(hr2, "myCertNameToStr");
  3357. }
  3358. }
  3359. if (NULL != pTrustStatus)
  3360. {
  3361. *pTrustStatus = pChainContext->TrustStatus;
  3362. }
  3363. myDumpChain(
  3364. hr,
  3365. dwFlags,
  3366. pCert,
  3367. pfnCallback,
  3368. pwszMissingIssuer,
  3369. pChainContext);
  3371. if (NULL != ppwszMissingIssuer)
  3372. {
  3373. *ppwszMissingIssuer = pwszMissingIssuer;
  3374. pwszMissingIssuer = NULL;
  3375. }
  3376. if (NULL != ppwszExtendedErrorInfo)
  3377. {
  3378. CERT_CHAIN_ELEMENT **ppElement;
  3379. CERT_CHAIN_ELEMENT **ppElementEnd;
  3381. ppElement = &pChainContext->rgpChain[0]->rgpElement[0];
  3382. ppElementEnd = &ppElement[pChainContext->rgpChain[0]->cElement];
  3383. while (ppElement < ppElementEnd)
  3384. {
  3385. if (CCSIZEOF_STRUCT(CERT_CHAIN_ELEMENT, pwszExtendedErrorInfo) <=
  3386. (*ppElement)->cbSize &&
  3387. NULL != (*ppElement)->pwszExtendedErrorInfo)
  3388. {
  3389. HRESULT hr2;
  3391. hr2 = myDupString(
  3392. (*ppElement)->pwszExtendedErrorInfo,
  3393. ppwszExtendedErrorInfo);
  3394. _PrintIfError(hr2, "myDupString");
  3396. break;
  3397. }
  3398. ppElement++;
  3399. }
  3400. }
  3401. _JumpIfError(hr, error, "PolicyStatus.dwError");
  3403. pElement = pChainContext->rgpChain[0]->rgpElement[0];
  3405. if (NULL != ppwszzIssuancePolicies &&
  3406. CCSIZEOF_STRUCT(CERT_CHAIN_ELEMENT, pIssuanceUsage) <= pElement->cbSize)
  3407. {
  3408. hr = SavePolicies(
  3409. pElement->pIssuanceUsage,
  3410. ppwszzIssuancePolicies);
  3411. _JumpIfError(hr, error, "SavePolicies");
  3412. }
  3413. if (NULL != ppwszzApplicationPolicies &&
  3414. CCSIZEOF_STRUCT(CERT_CHAIN_ELEMENT, pApplicationUsage) <= pElement->cbSize)
  3415. {
  3416. hr = SavePolicies(
  3417. pElement->pApplicationUsage,
  3418. ppwszzApplicationPolicies);
  3419. _JumpIfError(hr, error, "SavePolicies");
  3420. }
  3422. error:
  3423. if (S_OK != hr)
  3424. {
  3425. if (NULL != ppwszzIssuancePolicies && NULL != *ppwszzIssuancePolicies)
  3426. {
  3427. LocalFree(*ppwszzIssuancePolicies);
  3428. *ppwszzIssuancePolicies = NULL;
  3429. }
  3430. if (NULL != ppwszzApplicationPolicies && NULL != *ppwszzApplicationPolicies)
  3431. {
  3432. LocalFree(*ppwszzApplicationPolicies);
  3433. *ppwszzApplicationPolicies = NULL;
  3434. }
  3435. }
  3436. if (NULL != pwszMissingIssuer)
  3437. {
  3438. LocalFree(pwszMissingIssuer);
  3439. }
  3440. if (NULL != pChainContext)
  3441. {
  3442. CertFreeCertificateChain(pChainContext);
  3443. }
  3444. return(hr);
  3445. }
  3448. HRESULT
  3449. myVerifyCertContext(
  3450. IN CERT_CONTEXT const *pCert,
  3451. IN DWORD dwFlags,
  3452. IN DWORD cUsageOids,
  3453. OPTIONAL IN CHAR const * const *apszUsageOids,
  3454. OPTIONAL IN HCERTCHAINENGINE hChainEngine,
  3455. OPTIONAL IN HCERTSTORE hAdditionalStore,
  3456. OPTIONAL OUT WCHAR **ppwszMissingIssuer)
  3457. {
  3458. HRESULT hr;
  3460. hr = myVerifyCertContextEx(
  3461. pCert,
  3462. dwFlags,
  3463. 0, // dwmsTimeout
  3464. cUsageOids,
  3465. apszUsageOids,
  3466. 0, // cIssuanceOids
  3467. NULL, // apszIssuanceOids
  3468. hChainEngine,
  3469. NULL, // pft
  3470. hAdditionalStore,
  3471. NULL, // pfnCallback
  3472. ppwszMissingIssuer,
  3473. NULL, // ppwszzIssuancePolicies
  3474. NULL, // ppwszzApplicationPolicies
  3475. NULL, // ppwszExtendedErrorInfo
  3476. NULL); // pTrustStatus
  3477. _JumpIfError2(hr, error, "myVerifyCertContextEx", hr);
  3479. error:
  3480. return(hr);
  3481. }
  3484. HRESULT
  3485. myIsFirstSigner(
  3486. IN CERT_NAME_BLOB const *pNameBlob,
  3487. OUT BOOL *pfFirst)
  3488. {
  3489. HRESULT hr;
  3490. CERT_NAME_INFO *pNameInfo = NULL;
  3491. DWORD cbNameInfo;
  3492. DWORD i;
  3494. *pfFirst = FALSE;
  3496. if (!myDecodeName(
  3497. X509_ASN_ENCODING,
  3498. X509_UNICODE_NAME,
  3499. pNameBlob->pbData,
  3500. pNameBlob->cbData,
  3501. CERTLIB_USE_LOCALALLOC,
  3502. &pNameInfo,
  3503. &cbNameInfo))
  3504. {
  3506. hr = myHLastError();
  3507. _JumpError(hr, error, "myDecodeName");
  3508. }
  3509. for (i = 0; i < pNameInfo->cRDN; i++)
  3510. {
  3511. CERT_RDN const *prdn;
  3512. DWORD j;
  3514. prdn = &pNameInfo->rgRDN[i];
  3516. for (j = 0; j < prdn->cRDNAttr; j++)
  3517. {
  3518. if (0 == strcmp(
  3519. prdn->rgRDNAttr[j].pszObjId,
  3520. szOID_RDN_DUMMY_SIGNER))
  3521. {
  3522. *pfFirst = TRUE;
  3523. i = pNameInfo->cRDN; // terminate outer loop
  3524. break;
  3525. }
  3526. }
  3527. }
  3528. hr = S_OK;
  3530. error:
  3531. if (NULL != pNameInfo)
  3532. {
  3533. LocalFree(pNameInfo);
  3534. }
  3535. return(hr);
  3536. }
  3539. HCERTSTORE
  3540. myPFXImportCertStore(
  3541. IN CRYPT_DATA_BLOB *ppfx,
  3542. OPTIONAL IN WCHAR const *pwszPassword,
  3543. IN DWORD dwFlags)
  3544. {
  3545. HCERTSTORE hStore;
  3546. HRESULT hr;
  3548. if (NULL == pwszPassword)
  3549. {
  3550. pwszPassword = L""; // Try empty password first, then NULL
  3551. }
  3553. for (;;)
  3554. {
  3555. hStore = PFXImportCertStore(ppfx, pwszPassword, dwFlags);
  3556. if (NULL == hStore)
  3557. {
  3558. hr = myHLastError();
  3559. if (HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD) != hr ||
  3560. NULL == pwszPassword ||
  3561. L'\0' != *pwszPassword)
  3562. {
  3563. _JumpError2(
  3564. hr,
  3565. error,
  3566. "PFXImportCertStore",
  3567. HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD));
  3568. }
  3569. pwszPassword = NULL; // empty password failed; try NULL
  3570. continue;
  3571. }
  3572. break;
  3573. }
  3576. error:
  3577. return(hStore);
  3578. }
  3581. // No longer support versions before IE3.02 - Auth2 update, advisory only
  3583. HRESULT
  3584. CertCheck7f(
  3585. IN CERT_CONTEXT const *pcc)
  3586. {
  3587. HRESULT hr;
  3588. DWORD State;
  3589. DWORD Index1;
  3590. DWORD Index2;
  3591. DWORD cwcField;
  3592. WCHAR wszField[128];
  3593. DWORD cwcObjectId;
  3594. WCHAR wszObjectId[128];
  3595. WCHAR const *pwszObjectIdDescription = NULL;
  3597. cwcField = sizeof(wszField)/sizeof(wszField[0]);
  3598. cwcObjectId = sizeof(wszObjectId)/sizeof(wszObjectId[0]);
  3599. hr = myCheck7f(
  3600. pcc->pbCertEncoded,
  3601. pcc->cbCertEncoded,
  3602. FALSE,
  3603. &State,
  3604. &Index1,
  3605. &Index2,
  3606. &cwcField,
  3607. wszField,
  3608. &cwcObjectId,
  3609. wszObjectId,
  3610. &pwszObjectIdDescription); // Static: do not free!
  3611. _JumpIfError(hr, error, "myCheck7f");
  3613. if (CHECK7F_NONE != State)
  3614. {
  3615. hr = CERTSRV_E_ENCODING_LENGTH;
  3617. #if DBG_CERTSRV
  3618. WCHAR wszIndex[5 + 2 * cwcDWORDSPRINTF];
  3620. wszIndex[0] = L'\0';
  3621. if (0 != Index1)
  3622. {
  3623. wsprintf(
  3624. wszIndex,
  3625. 0 != Index2? L"[%u,%u]" : L"[%u]",
  3626. Index1 - 1,
  3627. Index2 - 1);
  3628. }
  3629. DBGPRINT((
  3630. DBG_SS_CERTLIB,
  3631. "CertCheck7f: %ws%ws%ws%ws%ws%ws%ws, hr=%x\n",
  3632. wszField,
  3633. wszIndex,
  3634. 0 != cwcObjectId? L" ObjectId=" : L"",
  3635. 0 != cwcObjectId? wszObjectId : L"",
  3636. NULL != pwszObjectIdDescription? L" " wszLPAREN : L"",
  3637. NULL != pwszObjectIdDescription? pwszObjectIdDescription : L"",
  3638. NULL != pwszObjectIdDescription? wszRPAREN : L"",
  3639. hr));
  3640. #endif // DBG_CERTSRV
  3641. }
  3642. error:
  3643. return(hr);
  3644. }
  3647. HRESULT
  3648. myAddCertToStore(
  3649. IN HCERTSTORE hStore,
  3650. IN CERT_CONTEXT const *pCertContext,
  3651. OPTIONAL IN CRYPT_KEY_PROV_INFO const *pkpi,
  3652. OPTIONAL OUT CERT_CONTEXT const **ppCert)
  3653. {
  3654. HRESULT hr;
  3655. CERT_CONTEXT const *pcc = NULL;
  3657. if (NULL != ppCert)
  3658. {
  3659. *ppCert = NULL;
  3660. }
  3662. // for root cert, if it shows related private key, it will
  3663. // pfx import failure for other applications
  3665. // Add as encoded blob to avoid all properties, key prov info, etc.
  3667. if (!CertAddEncodedCertificateToStore(
  3668. hStore,
  3669. X509_ASN_ENCODING,
  3670. pCertContext->pbCertEncoded,
  3671. pCertContext->cbCertEncoded,
  3672. NULL != pkpi?
  3673. CERT_STORE_ADD_REPLACE_EXISTING :
  3674. CERT_STORE_ADD_USE_EXISTING,
  3675. &pcc)) // ppCertContext
  3676. {
  3677. hr = myHLastError();
  3678. _JumpError(hr, error, "CertAddEncodedCertificateToStore");
  3679. }
  3680. if (NULL != pkpi)
  3681. {
  3682. if (!CertSetCertificateContextProperty(
  3683. pcc,
  3684. CERT_KEY_PROV_INFO_PROP_ID,
  3685. 0,
  3686. pkpi))
  3687. {
  3688. hr = myHLastError();
  3689. _JumpError(hr, error, "CertSetCertificateContextProperty");
  3690. }
  3691. }
  3692. if (NULL != ppCert)
  3693. {
  3694. *ppCert = pcc;
  3695. pcc = NULL;
  3696. }
  3697. hr = S_OK;
  3699. error:
  3700. if (NULL != pcc)
  3701. {
  3702. CertFreeCertificateContext(pcc);
  3703. }
  3704. return(hr);
  3705. }
  3708. HRESULT
  3709. mySaveChainAndKeys(
  3710. IN CERT_SIMPLE_CHAIN const *pSimpleChain,
  3711. IN WCHAR const *pwszStore,
  3712. IN DWORD dwStoreFlags,
  3713. IN CRYPT_KEY_PROV_INFO const *pkpi,
  3714. OPTIONAL IN CERT_CONTEXT const **ppCert)
  3715. {
  3716. HRESULT hr;
  3717. HCERTSTORE hRootStore = NULL;
  3718. HCERTSTORE hCAStore = NULL;
  3719. HCERTSTORE hMyStore = NULL;
  3720. DWORD i;
  3722. if (NULL != ppCert)
  3723. {
  3724. *ppCert = NULL;
  3725. }
  3726. hRootStore = CertOpenStore(
  3727. CERT_STORE_PROV_SYSTEM_REGISTRY_W,
  3728. X509_ASN_ENCODING,
  3729. NULL, // hProv
  3730. dwStoreFlags,
  3731. wszROOT_CERTSTORE);
  3732. if (NULL == hRootStore)
  3733. {
  3734. hr = myHLastError();
  3735. _JumpErrorStr(hr, error, "CertOpenStore", wszROOT_CERTSTORE);
  3736. }
  3738. hCAStore = CertOpenStore(
  3739. CERT_STORE_PROV_SYSTEM_REGISTRY_W,
  3740. X509_ASN_ENCODING,
  3741. NULL, // hProv
  3742. dwStoreFlags,
  3743. wszCA_CERTSTORE);
  3744. if (NULL == hCAStore)
  3745. {
  3746. hr = myHLastError();
  3747. _JumpErrorStr(hr, error, "CertOpenStore", wszCA_CERTSTORE);
  3748. }
  3750. hMyStore = CertOpenStore(
  3751. CERT_STORE_PROV_SYSTEM_REGISTRY_W,
  3752. X509_ASN_ENCODING,
  3753. NULL, // hProv
  3754. dwStoreFlags,
  3755. pwszStore);
  3756. if (NULL == hMyStore)
  3757. {
  3758. hr = myHLastError();
  3759. _JumpErrorStr(hr, error, "CertOpenStore", pwszStore);
  3760. }
  3762. for (i = 0; i < pSimpleChain->cElement; i++)
  3763. {
  3764. CERT_CONTEXT const *pcc = pSimpleChain->rgpElement[i]->pCertContext;
  3765. HCERTSTORE hStore;
  3767. // CertCheck7f(pcc);
  3769. // if leaf CA cert, add to MY store
  3771. if (0 == i)
  3772. {
  3773. CERT_CONTEXT const *pccFound = CertFindCertificateInStore(
  3774. hMyStore,
  3775. X509_ASN_ENCODING,
  3776. 0,
  3777. CERT_FIND_EXISTING,
  3778. pcc,
  3779. NULL);
  3781. if (NULL == pccFound)
  3782. {
  3783. hr = myAddCertToStore(hMyStore, pcc, pkpi, ppCert);
  3784. _JumpIfError(hr, error, "myAddCertToStore");
  3785. }
  3786. else
  3787. {
  3788. if (NULL != ppCert)
  3789. {
  3790. *ppCert = pccFound;
  3791. }
  3792. else
  3793. {
  3794. CertFreeCertificateContext(pccFound);
  3795. }
  3796. }
  3797. }
  3799. // if root cert, add to ROOT store (without key); else add to CA store
  3801. hStore = hCAStore;
  3803. if (CERT_TRUST_IS_SELF_SIGNED &
  3804. pSimpleChain->rgpElement[i]->TrustStatus.dwInfoStatus)
  3805. {
  3806. hStore = hRootStore;
  3807. }
  3808. hr = myAddCertToStore(hStore, pcc, NULL, NULL);
  3809. _JumpIfError(hr, error, "myAddCertToStore");
  3810. }
  3811. hr = S_OK;
  3813. error:
  3814. if (NULL != hRootStore)
  3815. {
  3816. CertCloseStore(hRootStore, CERT_CLOSE_STORE_CHECK_FLAG);
  3817. }
  3818. if (NULL != hCAStore)
  3819. {
  3820. CertCloseStore(hCAStore, CERT_CLOSE_STORE_CHECK_FLAG);
  3821. }
  3822. if (NULL != hMyStore)
  3823. {
  3824. CertCloseStore(hMyStore, CERT_CLOSE_STORE_CHECK_FLAG);
  3825. }
  3826. return(hr);
  3827. }
  3830. HRESULT
  3831. myGetNameIdExtension(
  3832. IN DWORD cExtension,
  3833. IN CERT_EXTENSION const *rgExtension,
  3834. OUT DWORD *pdwNameId)
  3835. {
  3836. HRESULT hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
  3837. CERT_EXTENSION const *pExt;
  3838. DWORD NameId;
  3839. DWORD cb;
  3841. *pdwNameId = MAXDWORD;
  3842. pExt = CertFindExtension(
  3843. szOID_CERTSRV_CA_VERSION,
  3844. cExtension,
  3845. const_cast<CERT_EXTENSION *>(rgExtension));
  3846. if (NULL == pExt)
  3847. {
  3848. // This API doesn't set LastError
  3849. _JumpError(hr, error, "CertFindExtension(CA Version)");
  3850. }
  3851. cb = sizeof(NameId);
  3852. NameId = 0;
  3853. if (!CryptDecodeObject(
  3854. X509_ASN_ENCODING,
  3855. X509_INTEGER,
  3856. pExt->Value.pbData,
  3857. pExt->Value.cbData,
  3858. 0,
  3859. &NameId,
  3860. &cb))
  3861. {
  3862. hr = myHLastError();
  3863. _JumpError(hr, error, "CryptDecodeObject");
  3864. }
  3865. *pdwNameId = NameId;
  3866. hr = S_OK;
  3868. error:
  3869. return(hr);
  3870. }
  3873. HRESULT
  3874. myGetNameId(
  3875. IN CERT_CONTEXT const *pCACert,
  3876. OUT DWORD *pdwNameId)
  3877. {
  3878. HRESULT hr;
  3880. hr = myGetNameIdExtension(
  3881. pCACert->pCertInfo->cExtension,
  3882. pCACert->pCertInfo->rgExtension,
  3883. pdwNameId);
  3884. _JumpIfError2(hr, error, "myGetNameIdExtension", hr);
  3886. error:
  3887. return(hr);
  3888. }
  3891. HRESULT
  3892. myGetCRLNameId(
  3893. IN CRL_CONTEXT const *pCRL,
  3894. OUT DWORD *pdwNameId)
  3895. {
  3896. HRESULT hr;
  3898. hr = myGetNameIdExtension(
  3899. pCRL->pCrlInfo->cExtension,
  3900. pCRL->pCrlInfo->rgExtension,
  3901. pdwNameId);
  3902. _JumpIfError2(hr, error, "myGetNameIdExtension", hr);
  3904. error:
  3905. return(hr);
  3906. }
  3909. HRESULT
  3910. myGetCertSubjectField(
  3911. IN CERT_CONTEXT const *pCert,
  3912. IN LPCSTR pcszFieldOID,
  3913. OUT WCHAR **ppwszField)
  3914. {
  3915. HRESULT hr;
  3916. CERT_NAME_INFO *pCertNameInfo = NULL;
  3917. DWORD cbCertNameInfo;
  3918. WCHAR const *pwszName;
  3920. if (!myDecodeName(
  3921. X509_ASN_ENCODING,
  3922. X509_UNICODE_NAME,
  3923. pCert->pCertInfo->Subject.pbData,
  3924. pCert->pCertInfo->Subject.cbData,
  3925. CERTLIB_USE_LOCALALLOC,
  3926. &pCertNameInfo,
  3927. &cbCertNameInfo))
  3928. {
  3929. hr = myHLastError();
  3930. _JumpError(hr, error, "myDecodeName");
  3931. }
  3932. hr = myGetCertNameProperty(
  3933. CERT_V1 == pCert->pCertInfo->dwVersion,
  3934. pCertNameInfo,
  3935. pcszFieldOID,
  3936. &pwszName);
  3937. _JumpIfError(hr, error, "myGetCertNameProperty");
  3939. *ppwszField = (WCHAR *) LocalAlloc(
  3940. LMEM_FIXED,
  3941. (wcslen(pwszName) + 1) * sizeof(WCHAR));
  3942. if (NULL == *ppwszField)
  3943. {
  3944. hr = E_OUTOFMEMORY;
  3945. _JumpError(hr, error, "LocalAlloc");
  3946. }
  3947. wcscpy(*ppwszField, pwszName);
  3948. hr = S_OK;
  3950. error:
  3951. if (NULL != pCertNameInfo)
  3952. {
  3953. LocalFree(pCertNameInfo);
  3954. }
  3955. return(hr);
  3956. }
  3958. HRESULT
  3959. myGetCertSubjectCommonName(
  3960. IN CERT_CONTEXT const *pCert,
  3961. OUT WCHAR **ppwszCommonName)
  3962. {
  3963. return myGetCertSubjectField(
  3964. pCert,
  3965. szOID_COMMON_NAME,
  3966. ppwszCommonName);
  3967. }
  3969. HRESULT
  3970. myCertGetNameString(
  3971. IN CERT_CONTEXT const *pcc,
  3972. IN DWORD dwType,
  3973. OUT WCHAR **ppwszSimpleName)
  3974. {
  3975. HRESULT hr;
  3976. WCHAR *pwsz = NULL;
  3978. *ppwszSimpleName = NULL;
  3979. if (CERT_NAME_SIMPLE_DISPLAY_TYPE == dwType &&
  3980. CERT_V1 == pcc->pCertInfo->dwVersion)
  3981. {
  3982. hr = myGetCertSubjectCommonName(pcc, &pwsz);
  3983. _PrintIfError(hr, "myGetCertSubjectCommonName");
  3984. }
  3985. if (NULL == pwsz)
  3986. {
  3987. DWORD cwc = 0;
  3989. for (;;)
  3990. {
  3991. cwc = CertGetNameString(
  3992. pcc,
  3993. CERT_NAME_SIMPLE_DISPLAY_TYPE,
  3994. 0, // dwFlags
  3995. NULL, // pvTypePara
  3996. pwsz,
  3997. cwc);
  3998. if (1 >= cwc)
  3999. {
  4000. hr = HRESULT_FROM_WIN32(ERROR_OBJECT_NOT_FOUND);
  4001. _JumpError(hr, error, "CertGetNameString");
  4002. }
  4003. if (NULL != pwsz)
  4004. {
  4005. break;
  4006. }
  4007. pwsz = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR));
  4008. if (NULL == pwsz)
  4009. {
  4010. hr = E_OUTOFMEMORY;
  4011. _JumpError(hr, error, "LocalAlloc");
  4012. }
  4013. }
  4014. }
  4015. *ppwszSimpleName = pwsz;
  4016. pwsz = NULL;
  4017. hr = S_OK;
  4019. error:
  4020. if (NULL != pwsz)
  4021. {
  4022. LocalFree(pwsz);
  4023. }
  4024. return(hr);
  4025. }
  4028. HRESULT
  4029. myCertStrToName(
  4030. IN DWORD dwCertEncodingType,
  4031. IN LPCWSTR pszX500,
  4032. IN DWORD dwStrType,
  4033. IN OPTIONAL void *pvReserved,
  4034. OUT BYTE **ppbEncoded,
  4035. OUT DWORD *pcbEncoded,
  4036. OUT OPTIONAL LPCWSTR *ppszError)
  4037. {
  4038. HRESULT hr;
  4040. *ppbEncoded = NULL;
  4041. *pcbEncoded = 0;
  4043. for (;;)
  4044. {
  4045. if (!CertStrToName(
  4046. dwCertEncodingType,
  4047. pszX500,
  4048. dwStrType,
  4049. pvReserved,
  4050. *ppbEncoded,
  4051. pcbEncoded,
  4052. ppszError))
  4053. {
  4054. hr = myHLastError();
  4055. if (NULL != *ppbEncoded)
  4056. {
  4057. LocalFree(*ppbEncoded);
  4058. *ppbEncoded = NULL;
  4059. }
  4060. _JumpError(hr, error, "CertStrToName");
  4061. }
  4062. if (NULL != *ppbEncoded)
  4063. {
  4064. break;
  4065. }
  4066. *ppbEncoded = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbEncoded);
  4067. if (NULL == *ppbEncoded)
  4068. {
  4069. hr = E_OUTOFMEMORY;
  4070. _JumpError(hr, error, "LocalAlloc");
  4071. }
  4072. }
  4073. hr = S_OK;
  4075. error:
  4076. return(hr);
  4077. }
  4080. HRESULT
  4081. myCertNameToStr(
  4082. IN DWORD dwCertEncodingType,
  4083. IN CERT_NAME_BLOB const *pName,
  4084. IN DWORD dwStrType,
  4085. OUT WCHAR **ppwszName)
  4086. {
  4087. HRESULT hr;
  4088. DWORD cwc = 0;
  4089. WCHAR *pwszName = NULL;
  4091. for (;;)
  4092. {
  4093. cwc = CertNameToStr(
  4094. dwCertEncodingType,
  4095. const_cast<CERT_NAME_BLOB *>(pName),
  4096. dwStrType,
  4097. pwszName,
  4098. cwc);
  4099. if (1 > cwc)
  4100. {
  4101. hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
  4102. _JumpError(hr, error, "CertNameToStr");
  4103. }
  4104. if (NULL != pwszName)
  4105. {
  4106. break;
  4107. }
  4108. pwszName = (WCHAR *) LocalAlloc(
  4109. LMEM_FIXED,
  4110. (cwc + 1) * sizeof(WCHAR));
  4111. if (NULL == pwszName)
  4112. {
  4113. hr = E_OUTOFMEMORY;
  4114. _JumpError(hr, error, "LocalAlloc");
  4115. }
  4116. }
  4117. *ppwszName = pwszName;
  4118. pwszName = NULL;
  4119. hr = S_OK;
  4121. error:
  4122. if (NULL != pwszName)
  4123. {
  4124. LocalFree(pwszName);
  4125. }
  4126. return(hr);
  4127. }
  4130. HRESULT
  4131. myVerifyKRACertContext(
  4132. IN CERT_CONTEXT const *pCert,
  4133. IN DWORD dwFlags)
  4134. {
  4135. HRESULT hr;
  4136. WCHAR *pwszzAppPolicies = NULL;
  4137. WCHAR *pwszCrt;
  4138. DWORD dwKeyUsage;
  4139. DWORD cb = sizeof(dwKeyUsage);
  4141. hr = myVerifyCertContextEx(
  4142. pCert,
  4143. dwFlags,
  4144. 0, // dwmsTimeout
  4145. 0, // cUsageOids
  4146. NULL, // apszUsageOids
  4147. 0, // cIssuanceOids
  4148. NULL, // apszIssuanceOids
  4149. HCCE_LOCAL_MACHINE, // hChainEngine
  4150. NULL, // pft
  4151. NULL, // hAdditionalStore
  4152. NULL, // pfnCallback
  4153. NULL, // ppwszMissingIssuer
  4154. NULL, // ppwszzIssuancePolicies
  4155. &pwszzAppPolicies,
  4156. NULL, // ppwszExtendedErrorInfo
  4157. NULL); // pTrustStatus
  4158. _JumpIfError(hr, error, "myVerifyCertContextEx");
  4161. if (!CertGetIntendedKeyUsage(
  4162. X509_ASN_ENCODING,
  4163. pCert->pCertInfo,
  4164. (BYTE*)&dwKeyUsage,
  4165. cb))
  4166. {
  4167. hr = myHLastError();
  4168. _JumpError(hr, error, "CertGetIntendedKeyUsage");
  4169. }
  4171. if(!(dwKeyUsage & CERT_KEY_ENCIPHERMENT_KEY_USAGE))
  4172. {
  4173. hr = CERT_E_WRONG_USAGE;
  4174. _JumpError(hr, error, "Key usage not containing key encipherment");
  4175. }
  4177. hr = CERT_E_WRONG_USAGE;
  4178. for (pwszCrt = pwszzAppPolicies;
  4179. pwszCrt && L'\0' != *pwszCrt;
  4180. pwszCrt += wcslen(pwszCrt) + 1)
  4181. {
  4182. if(0==wcscmp(TEXT(szOID_KP_KEY_RECOVERY_AGENT), pwszCrt))
  4183. {
  4184. hr = S_OK;
  4185. break;
  4186. }
  4187. }
  4188. _JumpIfError(hr, error, "myVerifyKRACertContext");
  4190. error:
  4191. if(pwszzAppPolicies)
  4192. {
  4193. LocalFree(pwszzAppPolicies);
  4194. }
  4195. return(hr);
  4196. }
  4199. HRESULT
  4200. myIsDeltaCRL(
  4201. IN CRL_CONTEXT const *pCRL,
  4202. OUT BOOL *pfIsDeltaCRL)
  4203. {
  4204. HRESULT hr;
  4205. CERT_EXTENSION *pExt;
  4207. *pfIsDeltaCRL = FALSE;
  4208. pExt = CertFindExtension(
  4209. szOID_DELTA_CRL_INDICATOR,
  4210. pCRL->pCrlInfo->cExtension,
  4211. pCRL->pCrlInfo->rgExtension);
  4212. if (NULL != pExt)
  4213. {
  4214. *pfIsDeltaCRL = TRUE;
  4215. }
  4216. hr = S_OK;
  4218. //error:
  4219. return(hr);
  4220. }
  4223. typedef BOOL (WINAPI fnCryptRetrieveObjectByUrlW) (
  4224. IN LPCWSTR pszUrl,
  4225. IN LPCSTR pszObjectOid,
  4226. IN DWORD dwRetrievalFlags,
  4227. IN DWORD dwTimeout,
  4228. OUT LPVOID* ppvObject,
  4229. IN HCRYPTASYNC hAsyncRetrieve,
  4230. IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
  4231. IN OPTIONAL LPVOID pvVerify,
  4232. IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
  4233. );
  4235. HCERTSTORE
  4236. myUrlCertOpenStore(
  4237. IN DWORD dwFlags,
  4238. IN WCHAR const *pwszURL)
  4239. {
  4240. HRESULT hr;
  4241. HMODULE hModule = NULL;
  4242. fnCryptRetrieveObjectByUrlW *pfn = NULL;
  4243. HCERTSTORE hStore = NULL;
  4245. hModule = LoadLibrary(TEXT("cryptnet.dll"));
  4246. if (NULL == hModule)
  4247. {
  4248. hr = myHLastError();
  4249. _JumpError(hr, error, "LoadLibrary(cryptnet.dll)");
  4250. }
  4252. pfn = (fnCryptRetrieveObjectByUrlW *) GetProcAddress(
  4253. hModule,
  4254. "CryptRetrieveObjectByUrlW");
  4255. if (NULL == pfn)
  4256. {
  4257. hr = myHLastError();
  4258. _JumpError(hr, error, "CryptRetrieveObjectByUrl");
  4259. }
  4261. if (!(*pfn)(
  4262. pwszURL,
  4263. CONTEXT_OID_CAPI2_ANY,
  4264. dwFlags,
  4265. csecLDAPTIMEOUT * 1000, // ms
  4266. (VOID **) &hStore,
  4267. NULL,
  4268. NULL,
  4269. NULL,
  4270. NULL))
  4271. {
  4272. hr = myHLastError();
  4273. _JumpErrorStr(hr, error, "CryptRetrieveObjectByUrl", pwszURL);
  4274. }
  4275. hr = S_OK;
  4277. error:
  4278. if (NULL != hModule)
  4279. {
  4280. FreeLibrary(hModule);
  4281. }
  4282. if (NULL == hStore)
  4283. {
  4284. SetLastError(hr);
  4285. }
  4286. return(hStore);
  4287. }
  4290. HRESULT
  4291. mySetEnablePrivateKeyUsageCount(
  4292. IN HCRYPTPROV hProv,
  4293. IN BOOL fEnabled)
  4294. {
  4295. HRESULT hr;
  4296. DWORD dwEnableKeyUsageCount = fEnabled? 1 : 0;
  4298. if (!CryptSetProvParam(
  4299. hProv,
  4300. PP_CRYPT_COUNT_KEY_USE,
  4301. (BYTE *) &dwEnableKeyUsageCount,
  4302. 0))
  4303. {
  4304. hr = myHLastError();
  4305. _JumpErrorStr(hr, error, "CryptSetProvParam", L"PP_CRYPT_COUNT_KEY_USE");
  4306. }
  4307. hr = S_OK;
  4309. error:
  4310. return(hr);
  4311. }
  4314. HRESULT
  4315. myGetSigningKeyUsageCount(
  4316. IN HCRYPTPROV hProv,
  4317. OUT BOOL *pfSupported,
  4318. OUT BOOL *pfEnabled,
  4319. OPTIONAL OUT ULARGE_INTEGER *puliCount)
  4320. {
  4321. HRESULT hr;
  4322. HCRYPTKEY hKey = NULL;
  4323. DWORD cb;
  4324. DWORD dwEnableKeyUsageCount;
  4325. ULARGE_INTEGER uliCount;
  4326. BOOL fPropSupported;
  4328. *pfSupported = FALSE;
  4329. *pfEnabled = FALSE;
  4330. if (NULL != puliCount)
  4331. {
  4332. puliCount->QuadPart = 0;
  4333. }
  4334. #define CSP_DBGPRINT
  4335. #ifdef CSP_DBGPRINT
  4336. uliCount.QuadPart = 0; // zero only for the debug print
  4337. #endif
  4339. // An old CSP supports setting PP_CRYPT_COUNT_KEY_USE, but not fetching!
  4340. // The new CSP supports setting and fetching PP_CRYPT_COUNT_KEY_USE,
  4341. // but always returns with dwEnableKeyUsageCount set to zero on a freshly
  4342. // acquired hProv (the flag is not persistent, and is only used to control
  4343. // key use counting for newly created keys).
  4344. // Always fetch the actual count, if the CSP supports the feature.
  4345. // To distinguish between supported but not enabled & enabled but not yet
  4346. // used (count is zero), fetching the actual count should fail when not
  4347. // enabled, leaving *pfEnabled set to FALSE.
  4349. cb = sizeof(dwEnableKeyUsageCount);
  4350. fPropSupported = CryptGetProvParam(
  4351. hProv,
  4352. PP_CRYPT_COUNT_KEY_USE,
  4353. (BYTE *) &dwEnableKeyUsageCount,
  4354. &cb,
  4355. 0);
  4356. if (!fPropSupported)
  4357. {
  4358. hr = myHLastError();
  4359. _PrintErrorStr2(
  4360. hr,
  4361. "CryptGetProvParam",
  4362. L"PP_CRYPT_COUNT_KEY_USE",
  4363. NTE_BAD_TYPE);
  4364. }
  4365. else
  4366. {
  4367. *pfSupported = TRUE;
  4368. if (!CryptGetUserKey(hProv, AT_SIGNATURE, &hKey))
  4369. {
  4370. hr = myHLastError();
  4371. _JumpError(hr, error, "CryptGetUserKey");
  4372. }
  4373. cb = sizeof(uliCount);
  4374. if (!CryptGetKeyParam(
  4375. hKey,
  4376. KP_GET_USE_COUNT,
  4377. (BYTE *) &uliCount,
  4378. &cb,
  4379. 0))
  4380. {
  4381. hr = myHLastError();
  4382. _PrintErrorStr2(
  4383. hr,
  4384. "CryptGetKeyParam",
  4385. L"KP_GET_USE_COUNT",
  4386. NTE_BAD_TYPE);
  4387. }
  4388. else
  4389. {
  4390. *pfEnabled = TRUE;
  4391. if (NULL != puliCount)
  4392. {
  4393. *puliCount = uliCount;
  4394. }
  4395. }
  4396. }
  4397. hr = S_OK;
  4399. error:
  4400. #ifdef CSP_DBGPRINT
  4401. DBGPRINT((
  4402. DBG_SS_CERTLIB,
  4403. "myGetSigningKeyUsageCount:%hs hr=%x Supported=%u Enabled=%u Count=%I64u\n",
  4404. fPropSupported? "NEW" : "OLD",
  4405. hr,
  4406. *pfSupported,
  4407. *pfEnabled,
  4408. NULL != puliCount? puliCount->QuadPart : uliCount.QuadPart));
  4409. #endif
  4410. if (NULL != hKey)
  4411. {
  4412. CryptDestroyKey(hKey);
  4413. }
  4414. return(hr);
  4415. }
  4417. HRESULT
  4418. myCertGetEnhancedKeyUsage(
  4419. IN CERT_CONTEXT const *pcc,
  4420. IN DWORD dwFlags,
  4421. OUT CERT_ENHKEY_USAGE **ppUsage)
  4422. {
  4423. HRESULT hr;
  4424. CERT_ENHKEY_USAGE *pUsage = NULL;
  4425. DWORD cb;
  4427. *ppUsage = NULL;
  4429. for (;;)
  4430. {
  4431. if (!CertGetEnhancedKeyUsage(pcc, dwFlags, pUsage, &cb))
  4432. {
  4433. hr = myHLastError();
  4434. _JumpError2(hr, error, "CertGetEnhancedKeyUsage", CRYPT_E_NOT_FOUND);
  4435. }
  4436. if (NULL != pUsage)
  4437. {
  4438. *ppUsage = pUsage;
  4439. pUsage = NULL;
  4440. break;
  4441. }
  4442. pUsage = (CERT_ENHKEY_USAGE *) LocalAlloc(LMEM_FIXED, cb);
  4443. if (NULL == pUsage)
  4444. {
  4445. hr = E_OUTOFMEMORY;
  4446. _JumpError(hr, error, "LocalAlloc");
  4447. }
  4448. }
  4449. hr = S_OK;
  4451. error:
  4452. if (NULL != pUsage)
  4453. {
  4454. LocalFree(pUsage);
  4455. }
  4456. return(hr);
  4457. }
  4459. // if app policies extension was empty, myConvertAppPoliciesToEKU returns S_OK and NULL pbEKU
  4460. HRESULT
  4461. myConvertAppPoliciesToEKU(
  4462. IN BYTE * pbAppPolicies,
  4463. IN DWORD cbAppPolicies,
  4464. OUT BYTE **ppbEKU,
  4465. OUT DWORD *pcbEKU)
  4466. {
  4467. HRESULT hr = S_OK;
  4468. CERT_POLICIES_INFO *pcpsi = NULL;
  4469. DWORD cb, i;
  4470. CERT_ENHKEY_USAGE ceu;
  4472. ZeroMemory(&ceu, sizeof(ceu));
  4473. *ppbEKU = NULL;
  4474. *pcbEKU = 0;
  4476. if (!myDecodeObject(
  4477. X509_ASN_ENCODING,
  4478. X509_CERT_POLICIES,
  4479. pbAppPolicies,
  4480. cbAppPolicies,
  4481. CERTLIB_USE_LOCALALLOC,
  4482. (VOID **) &pcpsi,
  4483. &cb))
  4484. {
  4485. hr = myHLastError();
  4486. _JumpError(hr, error, "myDecodeObject");
  4487. }
  4489. if(0 < pcpsi->cPolicyInfo)
  4490. {
  4491. ceu.rgpszUsageIdentifier = (char **) LocalAlloc(
  4492. LMEM_FIXED,
  4493. pcpsi->cPolicyInfo * sizeof(ceu.rgpszUsageIdentifier[0]));
  4494. if (NULL == ceu.rgpszUsageIdentifier)
  4495. {
  4496. hr = E_OUTOFMEMORY;
  4497. _JumpError(hr, error, "Policy:myLocalAlloc");
  4498. }
  4500. for (i = 0; i < pcpsi->cPolicyInfo; i++)
  4501. {
  4502. ceu.rgpszUsageIdentifier[i] = pcpsi->rgPolicyInfo[i].pszPolicyIdentifier;
  4503. }
  4505. ceu.cUsageIdentifier = pcpsi->cPolicyInfo;
  4507. if (!myEncodeObject(
  4508. X509_ASN_ENCODING,
  4509. X509_ENHANCED_KEY_USAGE,
  4510. &ceu,
  4511. 0,
  4512. CERTLIB_USE_LOCALALLOC,
  4513. ppbEKU,
  4514. pcbEKU))
  4515. {
  4516. hr = myHLastError();
  4517. _JumpError(hr, error, "Policy:myEncodeObject");
  4518. }
  4519. }
  4521. hr = S_OK;
  4523. error:
  4524. if (NULL != ceu.rgpszUsageIdentifier)
  4525. {
  4526. LocalFree(ceu.rgpszUsageIdentifier);
  4527. }
  4528. return hr;
  4529. }