archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/services/ca/certmmc/casec.cpp

689 lines
17 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1998 - 1999
  6. //
  7. // File: casec.cpp
  8. //
  9. //--------------------------------------------------------------------------
  11. /////////////////////////////////////////////////////////////////////
  12. // casec.cpp
  13. //
  14. // ISecurityInformation implementation for CA objects
  15. // and the new acl editor
  16. //
  17. // PURPOSE
  19. //
  20. //
  21. // DYNALOADED LIBRARIES
  22. //
  23. // HISTORY
  24. // 5-Nov-1998 petesk Copied template from privobsi.cpp sample.
  25. //
  26. /////////////////////////////////////////////////////////////////////
  29. #include <stdafx.h>
  30. #include <accctrl.h>
  31. #include <certca.h>
  32. #include <sddl.h>
  33. #include "certsrvd.h"
  34. #include "certacl.h"
  36. #define __dwFILE__ __dwFILE_CERTMMC_CASEC_CPP__
  39. //
  40. // defined in Security.cpp
  41. //
  42. // // define our generic mapping structure for our private objects //
  45. #define INHERIT_FULL (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)
  48. GENERIC_MAPPING ObjMap =
  49. {
  50. ACTRL_CERTSRV_READ,
  51. DELETE | WRITE_DAC | WRITE_OWNER | ACTRL_DS_WRITE_PROP,
  52. 0,
  53. ACTRL_CERTSRV_MANAGE
  54. };
  57. //
  58. // DESCRIPTION OF ACCESS FLAG AFFECTS
  59. //
  60. // SI_ACCESS_GENERAL shows up on general properties page
  61. // SI_ACCESS_SPECIFIC shows up on advanced page
  62. // SI_ACCESS_CONTAINER shows on general page IF object is a container
  63. //
  65. SI_ACCESS g_siObjAccesses[] = {CERTSRV_SI_ACCESS_LIST};
  67. #define g_iObjDefAccess 3 // ENROLL enabled by default
  69. // The following array defines the inheritance types for my containers.
  70. SI_INHERIT_TYPE g_siObjInheritTypes[] =
  71. {
  72. &GUID_NULL, 0, MAKEINTRESOURCE(IDS_INH_NONE),
  73. };
  76. HRESULT
  77. LocalAllocString(LPWSTR* ppResult, LPCWSTR pString)
  78. {
  79. if (!ppResult || !pString)
  80. return E_INVALIDARG;
  82. *ppResult = (LPWSTR)LocalAlloc(LPTR, (lstrlen(pString) + 1) * sizeof(WCHAR));
  84. if (!*ppResult)
  85. return E_OUTOFMEMORY;
  87. lstrcpy(*ppResult, pString);
  88. return S_OK;
  89. }
  91. void
  92. LocalFreeString(LPWSTR* ppString)
  93. {
  94. if (ppString)
  95. {
  96. if (*ppString)
  97. LocalFree(*ppString);
  98. *ppString = NULL;
  99. }
  100. }
  102. class CCASecurityObject : public ISecurityInformation
  103. {
  104. protected:
  105. ULONG m_cRef;
  106. CertSvrCA * m_pSvrCA;
  107. // PSECURITY_DESCRIPTOR m_pSD;
  109. public:
  110. CCASecurityObject() : m_cRef(1)
  111. {
  112. m_pSvrCA = NULL;
  113. // m_pSD = NULL;
  114. }
  115. virtual ~CCASecurityObject();
  117. STDMETHOD(Initialize)(CertSvrCA *pCA);
  119. // IUnknown methods
  120. STDMETHOD(QueryInterface)(REFIID, LPVOID *);
  121. STDMETHOD_(ULONG, AddRef)();
  122. STDMETHOD_(ULONG, Release)();
  124. // ISecurityInformation methods
  125. STDMETHOD(GetObjectInformation)(PSI_OBJECT_INFO pObjectInfo);
  126. STDMETHOD(GetSecurity)(SECURITY_INFORMATION si,
  127. PSECURITY_DESCRIPTOR *ppSD,
  128. BOOL fDefault);
  129. STDMETHOD(SetSecurity)(SECURITY_INFORMATION si,
  130. PSECURITY_DESCRIPTOR pSD);
  131. STDMETHOD(GetAccessRights)(const GUID* pguidObjectType,
  132. DWORD dwFlags,
  133. PSI_ACCESS *ppAccess,
  134. ULONG *pcAccesses,
  135. ULONG *piDefaultAccess);
  136. STDMETHOD(MapGeneric)(const GUID *pguidObjectType,
  137. UCHAR *pAceFlags,
  138. ACCESS_MASK *pmask);
  139. STDMETHOD(GetInheritTypes)(PSI_INHERIT_TYPE *ppInheritTypes,
  140. ULONG *pcInheritTypes);
  141. STDMETHOD(PropertySheetPageCallback)(HWND hwnd,
  142. UINT uMsg,
  143. SI_PAGE_TYPE uPage);
  145. protected:
  146. HRESULT GetSecurityDCOM(PSECURITY_DESCRIPTOR *ppSD);
  147. HRESULT GetSecurityRegistry(PSECURITY_DESCRIPTOR *ppSD);
  148. HRESULT SetSecurityDCOM(PSECURITY_DESCRIPTOR pSD);
  149. HRESULT SetSecurityRegistry(PSECURITY_DESCRIPTOR pSD);
  150. };
  152. ///////////////////////////////////////////////////////////////////////////////
  153. //
  154. // This is the entry point function called from our code that establishes
  155. // what the ACLUI interface is going to need to know.
  156. //
  157. //
  158. ///////////////////////////////////////////////////////////////////////////////
  160. extern "C"
  161. HRESULT
  162. CreateCASecurityInfo( CertSvrCA *pCA,
  163. LPSECURITYINFO *ppObjSI)
  164. {
  165. HRESULT hr;
  166. CCASecurityObject *psi;
  168. *ppObjSI = NULL;
  170. psi = new CCASecurityObject;
  171. if (!psi)
  172. return E_OUTOFMEMORY;
  174. hr = psi->Initialize(pCA);
  176. if (SUCCEEDED(hr))
  177. *ppObjSI = psi;
  178. else
  179. delete psi;
  181. return hr;
  182. }
  185. CCASecurityObject::~CCASecurityObject()
  186. {
  187. }
  189. STDMETHODIMP
  190. CCASecurityObject::Initialize(CertSvrCA *pCA)
  191. {
  192. m_pSvrCA = pCA;
  193. return S_OK;
  194. }
  197. ///////////////////////////////////////////////////////////
  198. //
  199. // IUnknown methods
  200. //
  201. ///////////////////////////////////////////////////////////
  203. STDMETHODIMP_(ULONG)
  204. CCASecurityObject::AddRef()
  205. {
  206. return ++m_cRef;
  207. }
  209. STDMETHODIMP_(ULONG)
  210. CCASecurityObject::Release()
  211. {
  212. if (--m_cRef == 0)
  213. {
  214. delete this;
  215. return 0;
  216. }
  218. return m_cRef;
  219. }
  221. STDMETHODIMP
  222. CCASecurityObject::QueryInterface(REFIID riid, LPVOID FAR* ppv)
  223. {
  224. if (IsEqualIID(riid, IID_IUnknown) || IsEqualIID(riid, IID_ISecurityInformation))
  225. {
  226. *ppv = (LPSECURITYINFO)this;
  227. m_cRef++;
  228. return S_OK;
  229. }
  230. else
  231. {
  232. *ppv = NULL;
  233. return E_NOINTERFACE;
  234. }
  235. }
  238. ///////////////////////////////////////////////////////////
  239. //
  240. // ISecurityInformation methods
  241. //
  242. ///////////////////////////////////////////////////////////
  244. STDMETHODIMP
  245. CCASecurityObject::GetObjectInformation(PSI_OBJECT_INFO pObjectInfo)
  246. {
  249. if(pObjectInfo == NULL)
  250. {
  251. return E_POINTER;
  252. }
  253. if(m_pSvrCA == NULL)
  254. {
  255. return E_POINTER;
  256. }
  258. ZeroMemory(pObjectInfo, sizeof(SI_OBJECT_INFO));
  259. pObjectInfo->dwFlags = SI_EDIT_PERMS |
  260. SI_NO_TREE_APPLY |
  261. SI_EDIT_AUDITS |
  262. SI_NO_ACL_PROTECT |
  263. SI_NO_ADDITIONAL_PERMISSION;
  265. if(!m_pSvrCA->AccessAllowed(CA_ACCESS_ADMIN))
  266. pObjectInfo->dwFlags |= SI_READONLY;
  268. pObjectInfo->hInstance = g_hInstance;
  270. if(m_pSvrCA->m_pParentMachine)
  271. {
  272. pObjectInfo->pszServerName = const_cast<WCHAR *>((LPCTSTR)m_pSvrCA->m_pParentMachine->m_strMachineName);
  273. }
  275. pObjectInfo->pszObjectName = const_cast<WCHAR *>((LPCTSTR)m_pSvrCA->m_strCommonName);
  277. return S_OK;
  278. }
  280. HRESULT CCASecurityObject::GetSecurityDCOM(PSECURITY_DESCRIPTOR *ppSD)
  281. {
  282. HRESULT hr = S_OK;
  284. ICertAdminD2 *pICertAdminD = NULL;
  285. DWORD dwServerVersion = 0; // 0 required by myOpenAdminDComConnection
  286. WCHAR const *pwszAuthority;
  287. CERTTRANSBLOB ctbSD;
  288. ZeroMemory(&ctbSD, sizeof(CERTTRANSBLOB));
  290. CSASSERT(m_pSvrCA);
  292. hr = myOpenAdminDComConnection(
  293. m_pSvrCA->m_bstrConfig,
  294. &pwszAuthority,
  295. NULL,
  296. &dwServerVersion,
  297. &pICertAdminD);
  298. _JumpIfError(hr, error, "myOpenAdminDComConnection");
  300. if (2 > dwServerVersion)
  301. {
  302. hr = RPC_E_VERSION_MISMATCH;
  303. _JumpError(hr, error, "old server");
  304. }
  306. __try
  307. {
  308. hr = pICertAdminD->GetCASecurity(
  309. pwszAuthority,
  310. &ctbSD);
  311. }
  312. __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER)
  313. {
  314. }
  315. _JumpIfError(hr, error, "pICertAdminD->GetCASecurity");
  317. myRegisterMemAlloc(ctbSD.pb, ctbSD.cb, CSM_COTASKALLOC);
  319. // take the return
  320. *ppSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, ctbSD.cb);
  321. if (NULL == *ppSD)
  322. {
  323. hr = E_OUTOFMEMORY;
  324. _JumpError(hr, error, "LocalAlloc");
  325. }
  326. MoveMemory(*ppSD, ctbSD.pb, ctbSD.cb);
  328. error:
  329. myCloseDComConnection((IUnknown **) &pICertAdminD, NULL);
  330. if (NULL != ctbSD.pb)
  331. {
  332. CoTaskMemFree(ctbSD.pb);
  333. }
  335. return hr;
  336. }
  338. HRESULT CCASecurityObject::GetSecurityRegistry(PSECURITY_DESCRIPTOR *ppSD)
  339. {
  340. HRESULT hr = S_OK;
  341. variant_t var;
  342. DWORD dwType;
  343. DWORD dwSize;
  344. BYTE* pbTmp;
  346. hr = m_pSvrCA->GetConfigEntry(
  347. NULL,
  348. wszREGCASECURITY,
  349. &var);
  350. _JumpIfError(hr, error, "GetConfigEntry");
  352. hr = myVariantToRegValue(
  353. &var,
  354. &dwType,
  355. &dwSize,
  356. &pbTmp);
  357. _JumpIfError(hr, error, "myVariantToRegValue");
  359. *ppSD = pbTmp;
  361. error:
  362. return hr;
  363. }
  366. STDMETHODIMP
  367. CCASecurityObject::GetSecurity(
  368. SECURITY_INFORMATION, // si
  369. PSECURITY_DESCRIPTOR *ppSD,
  370. BOOL /* fDefault */ )
  371. {
  372. HRESULT hr = S_OK;
  373. SECURITY_DESCRIPTOR_CONTROL Control = SE_DACL_PROTECTED;
  374. DWORD dwRevision;
  376. hr = GetSecurityDCOM(ppSD);
  377. _PrintIfError(hr, "GetSecurityDCOM");
  378. if(S_OK!=hr)
  379. {
  380. hr = GetSecurityRegistry(ppSD);
  381. _JumpIfError(hr, error, "GetSecurityRegistry");
  382. }
  384. CSASSERT(*ppSD);
  386. if(GetSecurityDescriptorControl(*ppSD, &Control, &dwRevision))
  387. {
  388. Control &= SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED;
  389. SetSecurityDescriptorControl(*ppSD,
  390. SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED,
  391. Control);
  392. }
  394. error:
  395. return hr;
  396. }
  399. HRESULT CCASecurityObject::SetSecurityDCOM(PSECURITY_DESCRIPTOR pSD)
  400. {
  401. HRESULT hr = S_OK;
  402. HANDLE hClientToken = NULL;
  403. HANDLE hHandle = NULL;
  404. ICertAdminD2 *pICertAdminD = NULL;
  405. DWORD dwServerVersion = 0;
  406. CERTTRANSBLOB ctbSD;
  407. WCHAR const *pwszAuthority;
  409. hHandle = GetCurrentThread();
  410. if (NULL == hHandle)
  411. {
  412. hr = myHLastError();
  413. }
  414. else
  415. {
  416. if (!OpenThreadToken(hHandle,
  417. TOKEN_QUERY,
  418. TRUE, // open as self
  419. &hClientToken))
  420. {
  421. hr = myHLastError();
  422. CloseHandle(hHandle);
  423. hHandle = NULL;
  424. }
  425. }
  427. if(hr != S_OK)
  428. {
  429. hHandle = GetCurrentProcess();
  430. if (NULL == hHandle)
  431. {
  432. hr = myHLastError();
  433. }
  434. else
  435. {
  436. HANDLE hProcessToken = NULL;
  437. hr = S_OK;
  439. if (!OpenProcessToken(hHandle,
  440. TOKEN_DUPLICATE,
  441. &hProcessToken))
  442. {
  443. hr = myHLastError();
  444. CloseHandle(hHandle);
  445. hHandle = NULL;
  446. }
  447. else
  448. {
  449. if(!DuplicateToken(hProcessToken,
  450. SecurityImpersonation,
  451. &hClientToken))
  452. {
  453. hr = myHLastError();
  454. CloseHandle(hHandle);
  455. hHandle = NULL;
  456. }
  457. CloseHandle(hProcessToken);
  458. }
  459. }
  460. }
  462. if(hr != S_OK)
  463. {
  464. goto error;
  465. }
  467. hr = myOpenAdminDComConnection(
  468. m_pSvrCA->m_bstrConfig,
  469. &pwszAuthority,
  470. NULL,
  471. &dwServerVersion,
  472. &pICertAdminD);
  473. _JumpIfError(hr, error, "myOpenAdminDComConnection");
  475. if (2 > dwServerVersion)
  476. {
  477. hr = RPC_E_VERSION_MISMATCH;
  478. _JumpError(hr, error, "old server");
  479. }
  481. __try
  482. {
  483. ctbSD.cb = GetSecurityDescriptorLength(pSD);
  484. ctbSD.pb = (BYTE*)pSD;
  485. hr = pICertAdminD->SetCASecurity(
  486. pwszAuthority,
  487. &ctbSD);
  489. if(hr == HRESULT_FROM_WIN32(ERROR_CAN_NOT_COMPLETE))
  490. {
  491. // Attempt to fix enrollment object, see bug# 193388
  492. m_pSvrCA->FixEnrollmentObject();
  494. // try again
  495. hr = pICertAdminD->SetCASecurity(
  496. pwszAuthority,
  497. &ctbSD);
  498. }
  499. }
  500. __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER)
  501. {
  502. }
  503. _JumpIfError(hr, error, "pICertAdminD->SetCASecurity");
  505. error:
  506. myCloseDComConnection((IUnknown **) &pICertAdminD, NULL);
  507. if(hClientToken)
  508. {
  509. CloseHandle(hClientToken);
  510. }
  511. if(hHandle)
  512. {
  513. CloseHandle(hHandle);
  514. }
  516. return hr;
  517. }
  519. HRESULT CCASecurityObject::SetSecurityRegistry(PSECURITY_DESCRIPTOR pSD)
  520. {
  521. HRESULT hr = S_OK;
  522. variant_t var;
  523. CertSrv::CCertificateAuthoritySD CASD;
  525. // SD passed in contains only a DACL. We need to fully construct the
  526. // CA SD as certsrv would do
  528. hr = CASD.InitializeFromTemplate(WSZ_EMPTY_CA_SECURITY, L"");
  529. _JumpIfError(hr, error, "CCertificateAuthoritySD::Initialize");
  531. hr = CASD.Set(pSD, false);
  532. _JumpIfError(hr, error, "CCertificateAuthoritySD::Set");
  534. hr = myRegValueToVariant(
  535. REG_BINARY,
  536. GetSecurityDescriptorLength(CASD.Get()),
  537. (BYTE const*)CASD.Get(),
  538. &var);
  539. _JumpIfError(hr, error, "myRegValueToVariant");
  541. hr = m_pSvrCA->SetConfigEntry(
  542. NULL,
  543. wszREGCASECURITY,
  544. &var);
  545. _JumpIfErrorStr(hr, error, "SetConfigEntry", wszREGCASECURITY);
  547. // set status bit to signal certsrv to pick up changes next
  548. // time it starts
  549. hr = m_pSvrCA->GetConfigEntry(
  550. NULL,
  551. wszREGSETUPSTATUS,
  552. &var);
  553. _JumpIfErrorStr(hr, error, "GetConfigEntry", wszREGSETUPSTATUS);
  555. V_I4(&var) |= SETUP_SECURITY_CHANGED;
  557. hr = m_pSvrCA->SetConfigEntry(
  558. NULL,
  559. wszREGSETUPSTATUS,
  560. &var);
  561. _JumpIfErrorStr(hr, error, "SetConfigEntry", wszREGSETUPSTATUS);
  563. error:
  564. return hr;
  565. }
  567. STDMETHODIMP
  568. CCASecurityObject::SetSecurity(SECURITY_INFORMATION si,
  569. PSECURITY_DESCRIPTOR pSD)
  570. {
  571. HRESULT hr = S_OK;
  572. SECURITY_DESCRIPTOR_CONTROL Control = SE_DACL_PROTECTED;
  573. DWORD dwSize;
  574. DWORD dwRevision;
  575. PSECURITY_DESCRIPTOR pSDSelfRel = NULL;
  577. if (DACL_SECURITY_INFORMATION!=si)
  578. return E_NOTIMPL;
  580. if(si & DACL_SECURITY_INFORMATION)
  581. {
  582. if(GetSecurityDescriptorControl(pSD, &Control, &dwRevision))
  583. {
  584. Control &= SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED;
  585. SetSecurityDescriptorControl(pSD,
  586. SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED,
  587. Control);
  588. }
  589. }
  591. dwSize = GetSecurityDescriptorLength(pSD);
  593. pSDSelfRel = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, dwSize);
  594. if(NULL == pSDSelfRel)
  595. {
  596. hr = E_OUTOFMEMORY;
  597. _JumpError(hr, error, "LocalAlloc");
  598. }
  600. if(!MakeSelfRelativeSD(pSD, pSDSelfRel, &dwSize))
  601. {
  602. LocalFree(pSDSelfRel);
  603. pSDSelfRel = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, dwSize);
  604. if(NULL == pSDSelfRel)
  605. {
  606. hr = E_OUTOFMEMORY;
  607. _JumpError(hr, error, "LocalAlloc");
  608. }
  610. if(!MakeSelfRelativeSD(pSD, pSDSelfRel, &dwSize))
  611. {
  612. hr = myHLastError();
  613. _JumpError(hr, error, "LocalAlloc");
  614. }
  615. }
  617. hr = SetSecurityDCOM(pSDSelfRel);
  618. if (S_OK != hr)
  619. {
  620. HRESULT hr2 = hr;
  622. _PrintError(hr, "SetSecurityDCOM");
  624. if (E_ACCESSDENIED == hr ||
  625. (HRESULT) RPC_S_SERVER_UNAVAILABLE == hr ||
  626. HRESULT_FROM_WIN32(RPC_S_SERVER_UNAVAILABLE) == hr)
  627. {
  629. hr2 = SetSecurityRegistry(pSDSelfRel);
  630. _JumpIfError(hr2, error, "SetSecurityRegistry");
  631. }
  632. DisplayCertSrvErrorWithContext(NULL, hr, IDS_CANNOT_UPDATE_SECURITY_ON_CA);
  633. if (S_OK == hr2)
  634. {
  635. hr = S_OK;
  636. }
  637. }
  639. error:
  641. if(NULL != pSDSelfRel)
  642. {
  643. LocalFree(pSDSelfRel);
  644. }
  646. return hr;
  647. }
  649. STDMETHODIMP
  650. CCASecurityObject::GetAccessRights(const GUID* /*pguidObjectType*/,
  651. DWORD /*dwFlags*/,
  652. PSI_ACCESS *ppAccesses,
  653. ULONG *pcAccesses,
  654. ULONG *piDefaultAccess)
  655. {
  656. *ppAccesses = g_siObjAccesses;
  657. *pcAccesses = sizeof(g_siObjAccesses)/sizeof(g_siObjAccesses[0]);
  658. *piDefaultAccess = g_iObjDefAccess;
  660. return S_OK;
  661. }
  663. STDMETHODIMP
  664. CCASecurityObject::MapGeneric(const GUID* /*pguidObjectType*/,
  665. UCHAR * /*pAceFlags*/,
  666. ACCESS_MASK *pmask)
  667. {
  668. MapGenericMask(pmask, &ObjMap);
  670. return S_OK;
  671. }
  673. STDMETHODIMP
  674. CCASecurityObject::GetInheritTypes(PSI_INHERIT_TYPE *ppInheritTypes,
  675. ULONG *pcInheritTypes)
  676. {
  677. *ppInheritTypes = g_siObjInheritTypes;
  678. *pcInheritTypes = sizeof(g_siObjInheritTypes)/sizeof(g_siObjInheritTypes[0]);
  680. return S_OK;
  681. }
  683. STDMETHODIMP
  684. CCASecurityObject::PropertySheetPageCallback(HWND /*hwnd*/,
  685. UINT /*uMsg*/,
  686. SI_PAGE_TYPE /*uPage*/)
  687. {
  688. return S_OK;
  689. }