archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/services/ca/tools/cep/mscep/cepca.cpp

504 lines
12 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows NT
  4. //
  5. // Copyright (C) Microsoft Corporation, 1995 - 1998
  6. //
  7. // File: cepca.cpp
  8. //
  9. // Contents: Cisco enrollment protocal implementation.
  10. // This file has CA specific code.
  11. //
  12. //
  13. //
  14. //--------------------------------------------------------------------------
  16. #include "global.hxx"
  17. #include <dbgdef.h>
  20. //--------------------------------------------------------------------------
  21. //
  22. // InitCAInformation
  23. //
  24. //--------------------------------------------------------------------------
  25. BOOL InitCAInformation(CEP_CA_INFO *pCAInfo)
  26. {
  27. BOOL fResult = FALSE;
  28. long nCount=0;
  29. long nIndex=0;
  30. WCHAR wszComputerName[MAX_COMPUTERNAME_LENGTH + 1];
  31. DWORD dwSize=MAX_COMPUTERNAME_LENGTH + 1;
  32. HRESULT hr = E_FAIL;
  33. DWORD cbData=0;
  34. DWORD dwData=0;
  35. DWORD dwType=0;
  36. long dwErr=0;
  38. ICertConfig *pICertConfig=NULL;
  39. BSTR bstrFieldName=NULL;
  40. BSTR bstrFieldValue=NULL;
  41. HKEY hKeyCAType=NULL;
  42. HKEY hKeyCEP=NULL;
  45. memset(pCAInfo, 0, sizeof(CEP_CA_INFO));
  47. //we should only worry about the NetBois name. Do not care about the DNS
  48. //GetComputerNameW in Win2K only returns NetBois name
  49. if(!GetComputerNameW(wszComputerName, &dwSize))
  50. goto TraceErr;
  52. if(S_OK != (hr=CoCreateInstance(CLSID_CCertConfig,
  53. NULL,
  54. CLSCTX_INPROC_SERVER,
  55. IID_ICertConfig,
  56. (void **)&pICertConfig)))
  57. goto CertSrvErr;
  59. if(S_OK != (hr=pICertConfig->Reset(nIndex, &nCount)))
  60. goto CertSrvErr;
  62. if(0==nCount)
  63. goto NoSrvErr;
  65. if(NULL == (bstrFieldName=SysAllocString(wszCONFIG_SERVER)))
  66. goto MemoryErr;
  68. while(nIndex != -1)
  69. {
  70. //find the configuration that matches the current machine's name
  71. if(S_OK != (hr=pICertConfig->GetField(bstrFieldName, &bstrFieldValue)))
  72. goto CertSrvErr;
  74. if(0==_wcsnicmp(bstrFieldValue, wszComputerName, wcslen(wszComputerName)))
  75. {
  76. if(NULL == ((pCAInfo->bstrCAMachine)=SysAllocString(bstrFieldValue)))
  77. goto MemoryErr;
  79. //CA name
  80. SysFreeString(bstrFieldName);
  81. bstrFieldName=NULL;
  83. if(NULL == (bstrFieldName=SysAllocString(wszCONFIG_AUTHORITY)))
  84. goto MemoryErr;
  86. if(S_OK != (hr=pICertConfig->GetField(bstrFieldName, &(pCAInfo->bstrCAName))))
  87. goto CertSrvErr;
  89. if(NULL == pCAInfo->bstrCAName)
  90. goto FailErr;
  92. //CA config
  93. SysFreeString(bstrFieldName);
  94. bstrFieldName=NULL;
  96. if(NULL == (bstrFieldName=SysAllocString(wszCONFIG_CONFIG)))
  97. goto MemoryErr;
  99. if(S_OK != (hr=pICertConfig->GetField(bstrFieldName, &(pCAInfo->bstrCAConfig))))
  100. goto CertSrvErr;
  102. if(NULL == pCAInfo->bstrCAConfig)
  103. goto FailErr;
  105. //DSName
  106. SysFreeString(bstrFieldName);
  107. bstrFieldName=NULL;
  109. if(NULL == (bstrFieldName=SysAllocString(wszCONFIG_SANITIZEDSHORTNAME)))
  110. goto MemoryErr;
  112. if(S_OK != (hr=pICertConfig->GetField(bstrFieldName, &(pCAInfo->bstrDSName))))
  113. goto CertSrvErr;
  115. if(NULL == pCAInfo->bstrDSName)
  116. goto FailErr;
  118. //ICertRequest
  119. if(S_OK != (hr=CoCreateInstance(CLSID_CCertRequest,
  120. NULL,
  121. CLSCTX_INPROC_SERVER,
  122. IID_ICertRequest,
  123. (void **)&(pCAInfo->pICertRequest))))
  124. goto CertSrvErr;
  126. //success
  127. break;
  128. }
  130. SysFreeString(bstrFieldValue);
  131. bstrFieldValue=NULL;
  133. hr = pICertConfig->Next(&nIndex);
  135. if( (S_OK != hr) && (-1 != nIndex))
  136. goto CertSrvErr;
  137. }
  139. if(-1 == nIndex)
  140. goto NoSrvErr;
  142. //get the CA's type from the registry
  143. cbData=sizeof(dwData);
  145. //we have to have the knowledge of the ca type
  146. if(ERROR_SUCCESS != (dwErr = RegOpenKeyExU(
  147. HKEY_LOCAL_MACHINE,
  148. MSCEP_CATYPE_LOCATION,
  149. 0,
  150. KEY_READ,
  151. &hKeyCAType)))
  152. goto RegErr;
  154. if(ERROR_SUCCESS != (dwErr = RegQueryValueExU(
  155. hKeyCAType,
  156. MSCEP_KEY_CATYPE,
  157. NULL,
  158. &dwType,
  159. (BYTE *)&dwData,
  160. &cbData)))
  161. goto RegErr;
  163. if ((dwType != REG_DWORD) &&
  164. (dwType != REG_BINARY))
  165. goto RegErr;
  167. if(0 == dwData)
  168. pCAInfo->fEnterpriseCA=FALSE;
  169. else
  170. pCAInfo->fEnterpriseCA=TRUE;
  172. if(pCAInfo->fEnterpriseCA)
  173. {
  174. //get the template name for key usage requests
  175. if(ERROR_SUCCESS != (dwErr = RegOpenKeyExU(
  176. HKEY_LOCAL_MACHINE,
  177. MSCEP_LOCATION,
  178. 0,
  179. KEY_READ,
  180. &hKeyCEP)))
  181. goto RegErr;
  184. //signature template
  185. cbData=0;
  186. if(ERROR_SUCCESS == (dwErr = RegQueryValueExW(hKeyCEP, MSCEP_KEY_SIG_TEMPLATE,
  187. NULL, &dwType, NULL, &cbData)))
  188. {
  189. if((REG_SZ == dwType) && (1 < cbData))
  190. {
  191. pCAInfo->pwszTemplateSig=(LPWSTR)malloc(cbData);
  192. if(NULL == pCAInfo->pwszTemplateSig)
  193. goto MemoryErr;
  195. if(ERROR_SUCCESS != (dwErr = RegQueryValueExW(hKeyCEP, MSCEP_KEY_SIG_TEMPLATE,
  196. NULL, &dwType, (BYTE *)(pCAInfo->pwszTemplateSig), &cbData)))
  197. goto RegErr;
  199. }
  200. }
  202. //encryption template
  203. cbData=0;
  204. if(ERROR_SUCCESS == (dwErr = RegQueryValueExW(hKeyCEP, MSCEP_KEY_ENCYPT_TEMPLATE,
  205. NULL, &dwType, NULL, &cbData)))
  206. {
  207. if((REG_SZ == dwType) && (1 < cbData))
  208. {
  209. pCAInfo->pwszTemplateEnt=(LPWSTR)malloc(cbData);
  210. if(NULL == pCAInfo->pwszTemplateEnt)
  211. goto MemoryErr;
  213. if(ERROR_SUCCESS != (dwErr = RegQueryValueExW(hKeyCEP, MSCEP_KEY_ENCYPT_TEMPLATE,
  214. NULL, &dwType, (BYTE *)(pCAInfo->pwszTemplateEnt), &cbData)))
  215. goto RegErr;
  217. }
  219. }
  221. //make sure both templates are present in the DS
  222. //make sure the CA does issue the template
  223. if(pCAInfo->pwszTemplateSig)
  224. {
  225. if(S_OK != (hr=CheckACLOnCertTemplate(FALSE, pCAInfo->bstrDSName, pCAInfo->pwszTemplateSig)))
  226. {
  227. LogSCEPEvent(0, TRUE, hr, EVENT_MSCEP_NO_ENROLL, 3, g_pwszComputerName, pCAInfo->pwszTemplateSig, pCAInfo->bstrDSName);
  228. goto CertSrvErr;
  229. }
  230. }
  232. if(pCAInfo->pwszTemplateEnt)
  233. {
  234. if(S_OK != (hr=CheckACLOnCertTemplate(FALSE, pCAInfo->bstrDSName, pCAInfo->pwszTemplateEnt)))
  235. {
  236. LogSCEPEvent(0, TRUE, hr, EVENT_MSCEP_NO_ENROLL, 3, g_pwszComputerName, pCAInfo->pwszTemplateEnt, pCAInfo->bstrDSName);
  237. goto CertSrvErr;
  238. }
  239. }
  241. if(S_OK != (hr=CheckACLOnCertTemplate(FALSE, pCAInfo->bstrDSName, wszCERTTYPE_IPSEC_INTERMEDIATE_OFFLINE)))
  242. {
  243. LogSCEPEvent(0, TRUE, hr, EVENT_MSCEP_NO_ENROLL, 3, g_pwszComputerName, wszCERTTYPE_IPSEC_INTERMEDIATE_OFFLINE, pCAInfo->bstrDSName);
  244. goto CertSrvErr;
  245. }
  246. }
  248. //get the hProv to generate the random password
  249. if(!CryptAcquireContextU(&(pCAInfo->hProv),
  250. NULL,
  251. MS_DEF_PROV_W,
  252. PROV_RSA_FULL,
  253. CRYPT_VERIFYCONTEXT))
  254. goto TraceErr;
  256. fResult = TRUE;
  258. CommonReturn:
  260. if(hKeyCEP)
  261. RegCloseKey(hKeyCEP);
  263. if(hKeyCAType)
  264. RegCloseKey(hKeyCAType);
  266. if(bstrFieldName)
  267. SysFreeString(bstrFieldName);
  269. if(bstrFieldValue)
  270. SysFreeString(bstrFieldValue);
  272. if(pICertConfig)
  273. pICertConfig->Release();
  275. return fResult;
  277. ErrorReturn:
  279. FreeCAInformation(pCAInfo);
  281. fResult=FALSE;
  282. goto CommonReturn;
  284. SET_ERROR_VAR(CertSrvErr, hr);
  285. SET_ERROR(NoSrvErr, E_FAIL);
  286. TRACE_ERROR(TraceErr);
  287. SET_ERROR(MemoryErr, E_OUTOFMEMORY);
  288. SET_ERROR(FailErr, E_FAIL);
  289. SET_ERROR_VAR(RegErr, dwErr);
  290. }
  292. //--------------------------------------------------------------------------
  293. //
  294. // GetCACertFromInfo
  295. //
  296. //--------------------------------------------------------------------------
  297. BOOL GetCACertFromInfo(CEP_CA_INFO *pCAInfo, HCERTSTORE *pHCACertStore)
  298. {
  299. BOOL fResult = FALSE;
  300. HRESULT hr = S_OK;
  301. CERT_BLOB CertBlob;
  302. DWORD dwFlags=0;
  303. PCCERT_CONTEXT pPreCert=NULL;
  304. DWORD cbData=0;
  306. BSTR bstrCACert=NULL;
  307. PCCERT_CONTEXT pCurCert=NULL;
  308. BYTE *pbData=NULL;
  310. if(NULL == (pCAInfo->pICertRequest))
  311. goto InvalidArgErr;
  313. //NT5 SPECIFIC: fExchangeCertificate can only be FALSE
  314. if(S_OK != (hr=(pCAInfo->pICertRequest)->GetCACertificate(
  315. FALSE,
  316. pCAInfo->bstrCAConfig,
  317. CR_OUT_BINARY | CR_OUT_CHAIN,
  318. &bstrCACert)))
  319. goto CAErr;
  321. if(NULL == bstrCACert)
  322. goto UnexpectedErr;
  324. CertBlob.cbData = (DWORD)SysStringByteLen(bstrCACert);
  325. CertBlob.pbData = (BYTE *)bstrCACert;
  327. if(NULL == (*pHCACertStore = CertOpenStore(
  328. CERT_STORE_PROV_PKCS7,
  329. ENCODE_TYPE,
  330. NULL,
  331. 0,
  332. &CertBlob)))
  333. goto TraceErr;
  335. //we now need to get the CA's certificate's MD5 hash
  336. while(pCurCert=CertEnumCertificatesInStore(*pHCACertStore,
  337. pPreCert))
  338. {
  339. dwFlags = CERT_STORE_SIGNATURE_FLAG;
  340. if(CertVerifySubjectCertificateContext(pCurCert,
  341. pCurCert,
  342. &dwFlags) && (0==dwFlags))
  344. break;
  346. pPreCert=pCurCert;
  347. }
  349. if(NULL==pCurCert)
  350. goto InvalidArgErr;
  352. //get the MD5 hash
  353. if(!CertGetCertificateContextProperty(pCurCert,
  354. CERT_MD5_HASH_PROP_ID,
  355. NULL,
  356. &cbData))
  357. goto TraceErr;
  359. pbData=(BYTE *)malloc(cbData);
  361. if(NULL==pbData)
  362. goto MemoryErr;
  364. if(!CertGetCertificateContextProperty(pCurCert,
  365. CERT_MD5_HASH_PROP_ID,
  366. pbData,
  367. &cbData))
  368. goto TraceErr;
  371. if(!ConvertByteToWstr(pbData, cbData, &(pCAInfo->pwszCAHash), TRUE))
  372. goto TraceErr;
  374. fResult = TRUE;
  376. CommonReturn:
  378. if(pbData)
  379. free(pbData);
  381. if(pCurCert)
  382. CertFreeCertificateContext(pCurCert);
  384. if(bstrCACert)
  385. SysFreeString(bstrCACert);
  387. return fResult;
  389. ErrorReturn:
  391. fResult=FALSE;
  392. goto CommonReturn;
  394. SET_ERROR(InvalidArgErr, E_INVALIDARG);
  395. SET_ERROR_VAR(CAErr, hr);
  396. TRACE_ERROR(TraceErr);
  397. SET_ERROR(UnexpectedErr, E_UNEXPECTED);
  398. SET_ERROR(MemoryErr, E_OUTOFMEMORY);
  399. }
  401. //--------------------------------------------------------------------------
  402. //
  403. // FreeCAInformation
  404. //
  405. //--------------------------------------------------------------------------
  406. BOOL FreeCAInformation(CEP_CA_INFO *pCAInfo)
  407. {
  408. if(pCAInfo)
  409. {
  410. if(pCAInfo->bstrCAMachine)
  411. SysFreeString(pCAInfo->bstrCAMachine);
  413. if(pCAInfo->bstrCAName)
  414. SysFreeString(pCAInfo->bstrCAName);
  416. if(pCAInfo->bstrCAConfig)
  417. SysFreeString(pCAInfo->bstrCAConfig);
  419. if(pCAInfo->bstrDSName)
  420. SysFreeString(pCAInfo->bstrDSName);
  422. if(pCAInfo->pwszCAHash)
  423. free(pCAInfo->pwszCAHash);
  425. if(pCAInfo->hProv)
  426. CryptReleaseContext(pCAInfo->hProv, 0);
  428. if(pCAInfo->pICertRequest)
  429. (pCAInfo->pICertRequest)->Release();
  431. if(pCAInfo->pwszTemplateSig)
  432. free(pCAInfo->pwszTemplateSig);
  434. if(pCAInfo->pwszTemplateEnt)
  435. free(pCAInfo->pwszTemplateEnt);
  437. //reset the data
  438. memset(pCAInfo, 0, sizeof(CEP_CA_INFO));
  439. }
  441. return TRUE;
  442. }
  445. //--------------------------------------------------------------------------
  446. //
  447. // OperationGetCACert
  448. //
  449. //--------------------------------------------------------------------------
  450. BOOL OperationGetCACert(HCERTSTORE hCACertStore,
  451. LPSTR szMsg,
  452. BYTE **ppbData,
  453. DWORD *pcbData)
  454. {
  455. BOOL fResult = FALSE;
  456. CERT_BLOB CertBlob;
  458. CertBlob.cbData=0;
  459. CertBlob.pbData=NULL;
  461. if(!CertSaveStore(hCACertStore,
  462. ENCODE_TYPE,
  463. CERT_STORE_SAVE_AS_PKCS7,
  464. CERT_STORE_SAVE_TO_MEMORY,
  465. &CertBlob,
  466. 0))
  467. goto CertErr;
  469. CertBlob.pbData = (BYTE *)malloc(CertBlob.cbData);
  471. if(NULL == CertBlob.pbData)
  472. goto MemoryErr;
  474. if(!CertSaveStore(hCACertStore,
  475. ENCODE_TYPE,
  476. CERT_STORE_SAVE_AS_PKCS7,
  477. CERT_STORE_SAVE_TO_MEMORY,
  478. &CertBlob,
  479. 0))
  480. goto CertErr;
  482. //copy the memory
  483. *ppbData=CertBlob.pbData;
  484. *pcbData=CertBlob.cbData;
  486. CertBlob.pbData=NULL;
  488. fResult = TRUE;
  490. CommonReturn:
  492. if(CertBlob.pbData)
  493. free(CertBlob.pbData);
  495. return fResult;
  497. ErrorReturn:
  499. fResult=FALSE;
  500. goto CommonReturn;
  502. TRACE_ERROR(CertErr);
  503. SET_ERROR(MemoryErr, E_OUTOFMEMORY);
  504. }