archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pki/activex/capicom/signhlpr.cpp

724 lines
22 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  3. Microsoft Windows, Copyright (C) Microsoft Corporation, 2000 - 2001.
  5. File: SignHlpr.cpp
  7. Content: Helper functions for signing.
  9. History: 11-15-99 dsie created
  11. ------------------------------------------------------------------------------*/
  13. #include "StdAfx.h"
  14. #include "CAPICOM.h"
  15. #include "SignHlpr.h"
  17. #include "Common.h"
  18. #include "CertHlpr.h"
  19. #include "Certificate.h"
  20. #include "Signer2.h"
  22. ////////////////////////////////////////////////////////////////////////////////
  23. //
  24. // Local functions.
  25. //
  28. ////////////////////////////////////////////////////////////////////////////////
  29. //
  30. // Exported functions.
  31. //
  33. /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  35. Function : FreeAttributes
  37. Synopsis : Free elements of an attribute array.
  39. Parameter: DWORD cAttr - Number fo attributes
  41. PCRYPT_ATTRIBUTE rgAuthAttr - Pointer to CRYPT_ATTRIBUTE array.
  43. Remark :
  45. ------------------------------------------------------------------------------*/
  47. void FreeAttributes (DWORD cAttr,
  48. PCRYPT_ATTRIBUTE rgAttr)
  49. {
  50. DebugTrace("Entering FreeAttributes().\n");
  52. //
  53. // Free each element of the array.
  54. //
  55. for (DWORD i = 0; i < cAttr; i++)
  56. {
  57. //
  58. // Make sure pointer is valid.
  59. //
  60. if (rgAttr[i].rgValue)
  61. {
  62. for (DWORD j = 0; j < rgAttr[i].cValue; j++)
  63. {
  64. if (rgAttr[i].rgValue[j].pbData)
  65. {
  66. ::CoTaskMemFree((LPVOID) rgAttr[i].rgValue[j].pbData);
  67. }
  68. }
  70. ::CoTaskMemFree((LPVOID) rgAttr[i].rgValue);
  71. }
  72. }
  74. DebugTrace("Leaving FreeAttributes().\n");
  76. return;
  77. }
  79. /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  81. Function : FreeAttributes
  83. Synopsis : Free memory allocated for all attributes.
  85. Parameter: PCRYPT_ATTRIBUTES pAttributes
  87. Remark :
  89. ------------------------------------------------------------------------------*/
  91. void FreeAttributes (PCRYPT_ATTRIBUTES pAttributes)
  92. {
  93. //
  94. // Sanity check.
  95. //
  96. ATLASSERT(pAttributes);
  98. //
  99. // Do we have any attribute?
  100. //
  101. if (pAttributes->rgAttr)
  102. {
  103. //
  104. // First free elements of array.
  105. //
  106. FreeAttributes(pAttributes->cAttr, pAttributes->rgAttr);
  108. //
  109. // Then free the array itself.
  110. //
  111. ::CoTaskMemFree((LPVOID) pAttributes->rgAttr);
  112. }
  114. ::ZeroMemory(pAttributes, sizeof(CRYPT_ATTRIBUTES));
  116. return;
  117. }
  119. /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  121. Function : GetAuthenticatedAttributes
  123. Synopsis : Encode and return authenticated attributes of the specified signer.
  125. Parameter: ISigner * pISigner - Pointer to ISigner.
  127. PCRYPT_ATTRIBUTES pAttributes
  129. Remark :
  131. ------------------------------------------------------------------------------*/
  133. HRESULT GetAuthenticatedAttributes (ISigner * pISigner,
  134. PCRYPT_ATTRIBUTES pAttributes)
  135. {
  136. HRESULT hr = S_OK;
  137. long cAttr = 0;
  138. PCRYPT_ATTRIBUTE rgAttr = NULL;
  139. CComPtr<IAttributes> pIAttributes = NULL;
  141. DebugTrace("Entering GetAuthenticatedAttributes().\n");
  143. //
  144. // Sanity check.
  145. //
  146. ATLASSERT(pISigner);
  147. ATLASSERT(pAttributes);
  149. //
  150. // Initialize.
  151. //
  152. ::ZeroMemory(pAttributes, sizeof(CRYPT_ATTRIBUTES));
  154. //
  155. // Get authenticated attributes.
  156. //
  157. if (FAILED(hr = pISigner->get_AuthenticatedAttributes(&pIAttributes)))
  158. {
  159. DebugTrace("Error [%#x]: pISigner->get_AuthenticatedAttributes() failed.\n", hr);
  160. goto ErrorExit;
  161. }
  163. //
  164. // Get count of attributes.
  165. //
  166. if (FAILED(hr = pIAttributes->get_Count(&cAttr)))
  167. {
  168. DebugTrace("Error [%#x]: pIAttributes->get_Count() failed.\n", hr);
  169. goto ErrorExit;
  170. }
  172. if (0 < cAttr)
  173. {
  174. //
  175. // Allocate memory for attribute array.
  176. //
  177. if (!(rgAttr = (PCRYPT_ATTRIBUTE) ::CoTaskMemAlloc(sizeof(CRYPT_ATTRIBUTE) * cAttr)))
  178. {
  179. hr = E_OUTOFMEMORY;
  181. DebugTrace("Error: out of memory.\n");
  182. goto ErrorExit;
  183. }
  185. ::ZeroMemory(rgAttr, sizeof(CRYPT_ATTRIBUTE) * cAttr);
  187. //
  188. // Loop thru each attribute and add to the array.
  189. //
  190. for (long i = 0; i < cAttr; i++)
  191. {
  192. CAPICOM_ATTRIBUTE AttrName;
  193. CComVariant varValue;
  194. CComVariant varIAttribute;
  195. CComPtr<IAttribute> pIAttribute = NULL;
  197. //
  198. // Get next attribute.
  199. //
  200. if (FAILED(hr = pIAttributes->get_Item(i + 1, &varIAttribute)))
  201. {
  202. DebugTrace("Error [%#x]: pIAttributes->get_Item() failed.\n", hr);
  203. goto ErrorExit;
  204. }
  206. //
  207. // Get custom interface.
  208. //
  209. if (FAILED(hr = varIAttribute.pdispVal->QueryInterface(IID_IAttribute,
  210. (void **) &pIAttribute)))
  211. {
  212. DebugTrace("Error [%#x]: varIAttribute.pdispVal->QueryInterface() failed.\n", hr);
  213. goto ErrorExit;
  214. }
  216. //
  217. // Get attribute name.
  218. //
  219. if (FAILED(hr = pIAttribute->get_Name(&AttrName)))
  220. {
  221. DebugTrace("Error [%#x]: pIAttribute->get_Name() failed.\n", hr);
  222. goto ErrorExit;
  223. }
  225. //
  226. // Get attribute value.
  227. //
  228. if (FAILED(hr = pIAttribute->get_Value(&varValue)))
  229. {
  230. DebugTrace("Error [%#x]: pIAttribute->get_Value() failed.\n", hr);
  231. goto ErrorExit;
  232. }
  234. switch (AttrName)
  235. {
  236. case CAPICOM_AUTHENTICATED_ATTRIBUTE_SIGNING_TIME:
  237. {
  238. FILETIME ft;
  239. SYSTEMTIME st;
  241. //
  242. // Conver to FILETIME.
  243. //
  244. if (!::VariantTimeToSystemTime(varValue.date, &st))
  245. {
  246. hr = CAPICOM_E_ATTRIBUTE_INVALID_VALUE;
  248. DebugTrace("Error [%#x]: VariantTimeToSystemTime() failed.\n");
  249. goto ErrorExit;
  250. }
  252. if (!::SystemTimeToFileTime(&st, &ft))
  253. {
  254. hr = CAPICOM_E_ATTRIBUTE_INVALID_VALUE;
  256. DebugTrace("Error [%#x]: VariantTimeToSystemTime() failed.\n");
  257. goto ErrorExit;
  258. }
  260. //
  261. // Now encode it.
  262. //
  263. rgAttr[i].cValue = 1;
  264. rgAttr[i].pszObjId = szOID_RSA_signingTime;
  265. if (!(rgAttr[i].rgValue = (CRYPT_ATTR_BLOB *) ::CoTaskMemAlloc(sizeof(CRYPT_ATTR_BLOB))))
  266. {
  267. hr = E_OUTOFMEMORY;
  269. DebugTrace("Error: out of memory.\n");
  270. goto ErrorExit;
  271. }
  273. if (FAILED(hr = ::EncodeObject((LPSTR) szOID_RSA_signingTime,
  274. (LPVOID) &ft,
  275. rgAttr[i].rgValue)))
  276. {
  277. DebugTrace("Error [%#x]: EncodeObject() failed.\n", hr);
  278. goto ErrorExit;
  279. }
  281. break;
  282. }
  284. case CAPICOM_AUTHENTICATED_ATTRIBUTE_DOCUMENT_NAME:
  285. {
  286. CRYPT_DATA_BLOB NameBlob = {0, NULL};
  288. NameBlob.cbData = ::SysStringByteLen(varValue.bstrVal);
  289. NameBlob.pbData = (PBYTE) varValue.bstrVal;
  291. rgAttr[i].cValue = 1;
  292. rgAttr[i].pszObjId = szOID_CAPICOM_DOCUMENT_NAME;
  293. if (!(rgAttr[i].rgValue = (CRYPT_ATTR_BLOB *) ::CoTaskMemAlloc(sizeof(CRYPT_ATTR_BLOB))))
  294. {
  295. hr = E_OUTOFMEMORY;
  297. DebugTrace("Error: out of memory.\n");
  298. goto ErrorExit;
  299. }
  301. if (FAILED(hr = ::EncodeObject((LPSTR) X509_OCTET_STRING,
  302. (LPVOID) &NameBlob,
  303. rgAttr[i].rgValue)))
  304. {
  305. DebugTrace("Error [%#x]: EncodeObject() failed.\n", hr);
  306. goto ErrorExit;
  307. }
  309. break;
  310. }
  312. case CAPICOM_AUTHENTICATED_ATTRIBUTE_DOCUMENT_DESCRIPTION:
  313. {
  314. CRYPT_DATA_BLOB DescBlob = {0, NULL};
  316. DescBlob.cbData = ::SysStringByteLen(varValue.bstrVal);
  317. DescBlob.pbData = (PBYTE) varValue.bstrVal;
  319. rgAttr[i].cValue = 1;
  320. rgAttr[i].pszObjId = szOID_CAPICOM_DOCUMENT_DESCRIPTION;
  321. if (!(rgAttr[i].rgValue = (CRYPT_ATTR_BLOB *) ::CoTaskMemAlloc(sizeof(CRYPT_ATTR_BLOB))))
  322. {
  323. hr = E_OUTOFMEMORY;
  325. DebugTrace("Error: out of memory.\n");
  326. goto ErrorExit;
  327. }
  329. if (FAILED(hr = ::EncodeObject((LPSTR) X509_OCTET_STRING,
  330. (LPVOID) &DescBlob,
  331. rgAttr[i].rgValue)))
  332. {
  333. DebugTrace("Error [%#x]: EncodeObject() failed.\n", hr);
  334. goto ErrorExit;
  335. }
  337. break;
  338. }
  340. default:
  341. {
  342. hr = CAPICOM_E_ATTRIBUTE_INVALID_NAME;
  344. DebugTrace("Error [%#x]: unknown attribute name.\n", hr);
  345. goto ErrorExit;
  346. }
  347. }
  348. }
  350. //
  351. // Return attributes to caller.
  352. //
  353. pAttributes->cAttr = cAttr;
  354. pAttributes->rgAttr = rgAttr;
  355. }
  357. CommonExit:
  359. DebugTrace("Leaving GetAuthenticatedAttributes().\n");
  361. return hr;
  363. ErrorExit:
  364. //
  365. // Sanity check.
  366. //
  367. ATLASSERT(FAILED(hr));
  369. //
  370. // Free resources.
  371. //
  372. if (rgAttr)
  373. {
  374. ::FreeAttributes(cAttr, rgAttr);
  376. ::CoTaskMemFree(rgAttr);
  377. }
  379. goto CommonExit;
  380. }
  382. /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  384. Function : IsValidForSigning
  386. Synopsis : Verify if the certificate is valid for signing.
  388. Parameter: PCCERT_CONTEXT pCertContext - CERT_CONTEXT of cert to verify.
  390. LPCSTR pszPolicy - Policy used to verify the cert (i.e.
  391. CERT_CHAIN_POLICY_BASE).
  393. Remark :
  395. ------------------------------------------------------------------------------*/
  397. HRESULT IsValidForSigning (PCCERT_CONTEXT pCertContext, LPCSTR pszPolicy)
  398. {
  399. HRESULT hr = S_OK;
  400. DWORD cb = 0;
  401. int nValidity = 0;
  403. DebugTrace("Entering IsValidForSigning().\n");
  405. //
  406. // Sanity check.
  407. //
  408. ATLASSERT(pCertContext);
  410. //
  411. // Make sure we have a private key.
  412. //
  413. if (!::CertGetCertificateContextProperty(pCertContext,
  414. CERT_KEY_PROV_INFO_PROP_ID,
  415. NULL,
  416. &cb))
  417. {
  418. hr = CAPICOM_E_CERTIFICATE_NO_PRIVATE_KEY;
  420. DebugTrace("Error: signer's private key is not available.\n");
  421. goto ErrorExit;
  422. }
  424. //
  425. // Check cert time validity.
  426. //
  427. if (0 != (nValidity = ::CertVerifyTimeValidity(NULL, pCertContext->pCertInfo)))
  428. {
  429. hr = HRESULT_FROM_WIN32(CERT_E_EXPIRED);
  431. DebugTrace("Info: SelectSignerCertCallback() - invalid time (%s).\n",
  432. nValidity < 0 ? "not yet valid" : "expired");
  433. goto ErrorExit;
  434. }
  436. #if (0) //DSIE: Flip this if we decide to build chain here.
  437. //
  438. // Make sure the cert is valid.
  439. //
  440. if (FAILED(hr = ::VerifyCertificate(pCertContext, NULL, pszPolicy)))
  441. {
  442. DebugTrace("Error [%#x]: VerifyCertificate() failed.\n", hr);
  443. goto ErrorExit;
  444. }
  445. #endif
  447. CommonExit:
  449. DebugTrace("Leaving IsValidForSigning().\n");
  451. return hr;
  453. ErrorExit:
  454. //
  455. // Sanity check.
  456. //
  457. ATLASSERT(FAILED(hr));
  459. goto CommonExit;
  460. }
  462. /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  464. Function : GetSignerCert
  466. Synopsis : Retrieve signer's cert from ISigner object. If signer's cert is
  467. not available in the ISigner object, pop UI to prompt user to
  468. select a signing cert.
  470. Parameter: ISigner2 * pISigner2 - Pointer to ISigner2 or NULL.
  472. LPCSTR pszPolicy - Policy used to verify the cert (i.e.
  473. CERT_CHAIN_POLICY_BASE).
  475. CAPICOM_STORE_INFO StoreInfo - Store to select from.
  477. PFNCFILTERPROC pfnFilterCallback - Pointer to filter callback
  478. function.
  480. ISigner2 ** ppISigner2 - Pointer to pointer to ISigner2 to receive
  481. interface pointer.
  483. ICertificate ** ppICertificate - Pointer to pointer to ICertificate
  484. to receive interface pointer.
  486. PCCERT_CONTEXT * ppCertContext - Pointer to pointer to CERT_CONTEXT
  487. to receive cert context.
  488. Remark :
  490. ------------------------------------------------------------------------------*/
  492. HRESULT GetSignerCert (ISigner2 * pISigner2,
  493. LPCSTR pszPolicy,
  494. CAPICOM_STORE_INFO StoreInfo,
  495. PFNCFILTERPROC pfnFilterCallback,
  496. ISigner2 ** ppISigner2,
  497. ICertificate ** ppICertificate,
  498. PCCERT_CONTEXT * ppCertContext)
  499. {
  500. HRESULT hr = S_OK;
  501. BOOL bVerified = FALSE;
  502. CComPtr<ISigner2> pISelectedSigner2 = NULL;
  503. CComPtr<ICertificate> pISelectedCertificate = NULL;
  504. CComPtr<ICertificate2> pISelectedCertificate2 = NULL;
  505. PCCERT_CONTEXT pSelectedCertContext = NULL;
  507. DebugTrace("Entering GetSignerCert().\n");
  509. try
  510. {
  511. //
  512. // Initialize.
  513. //
  514. if (ppISigner2)
  515. {
  516. *ppISigner2 = NULL;
  517. }
  518. if (ppICertificate)
  519. {
  520. *ppICertificate = NULL;
  521. }
  522. if (ppCertContext)
  523. {
  524. *ppCertContext = NULL;
  525. }
  527. //
  528. // Did user pass us a signer?
  529. //
  530. if (pISigner2)
  531. {
  532. //
  533. // Retrieve the signer's cert.
  534. //
  535. if (FAILED(hr = pISigner2->get_Certificate((ICertificate **) &pISelectedCertificate)))
  536. {
  537. //
  538. // If signer's cert is not present, pop UI.
  539. //
  540. if (CAPICOM_E_SIGNER_NOT_INITIALIZED == hr)
  541. {
  542. //
  543. // Prompt user to select a certificate.
  544. //
  545. if (FAILED(hr = ::SelectCertificate(StoreInfo,
  546. pfnFilterCallback,
  547. &pISelectedCertificate2)))
  548. {
  549. DebugTrace("Error [%#x]: SelectCertificate() failed.\n", hr);
  550. goto ErrorExit;
  551. }
  553. //
  554. // QI for ICertificate.
  555. //
  556. if (FAILED(hr = pISelectedCertificate2->QueryInterface(&pISelectedCertificate)))
  557. {
  558. DebugTrace("Internal error [%#x]: pISelectedCertificate2->QueryInterface() failed.\n", hr);
  559. goto ErrorExit;
  560. }
  562. bVerified = TRUE;
  563. }
  564. else
  565. {
  566. DebugTrace("Error [%#x]: pISigner2->get_Certificate() failed.\n", hr);
  567. goto ErrorExit;
  568. }
  569. }
  571. //
  572. // Get cert context.
  573. //
  574. if (FAILED(hr = ::GetCertContext(pISelectedCertificate, &pSelectedCertContext)))
  575. {
  576. DebugTrace("Error [%#x]: GetCertContext() failed.\n", hr);
  577. goto ErrorExit;
  578. }
  580. //
  581. // Verify cert, if not already done so.
  582. //
  583. if (!bVerified)
  584. {
  585. if (pfnFilterCallback && !pfnFilterCallback(pSelectedCertContext, NULL, NULL))
  586. {
  587. hr = CAPICOM_E_SIGNER_INVALID_USAGE;
  589. DebugTrace("Error [%#x]: Signing certificate is invalid.\n", hr);
  590. goto ErrorExit;
  591. }
  592. }
  594. //
  595. // QI for ISigner2.
  596. //
  597. if (FAILED(hr = pISigner2->QueryInterface(&pISelectedSigner2)))
  598. {
  599. DebugTrace("Unexpected error [%#x]: pISigner2->QueryInterface() failed.\n", hr);
  600. goto ErrorExit;
  601. }
  602. }
  603. else
  604. {
  605. CRYPT_ATTRIBUTES attributes = {0, NULL};
  607. //
  608. // No signer specified, so prompt user to select a certificate.
  609. //
  610. if (FAILED(hr = ::SelectCertificate(StoreInfo, pfnFilterCallback, &pISelectedCertificate2)))
  611. {
  612. DebugTrace("Error [%#x]: SelectCertificate() failed.\n", hr);
  613. goto ErrorExit;
  614. }
  616. //
  617. // QI for ICertificate.
  618. //
  619. if (FAILED(hr = pISelectedCertificate2->QueryInterface(&pISelectedCertificate)))
  620. {
  621. DebugTrace("Internal error [%#x]: pISelectedCertificate2->QueryInterface() failed.\n", hr);
  622. goto ErrorExit;
  623. }
  625. //
  626. // Get cert context.
  627. //
  628. if (FAILED(hr = ::GetCertContext(pISelectedCertificate, &pSelectedCertContext)))
  629. {
  630. DebugTrace("Error [%#x]: GetCertContext() failed.\n", hr);
  631. goto ErrorExit;
  632. }
  634. //
  635. // Create the ISigner2 object.
  636. //
  637. if (FAILED(hr = ::CreateSignerObject(pSelectedCertContext,
  638. &attributes,
  639. NULL,
  640. INTERFACESAFE_FOR_UNTRUSTED_CALLER |
  641. INTERFACESAFE_FOR_UNTRUSTED_DATA,
  642. &pISelectedSigner2)))
  643. {
  644. DebugTrace("Error [%#x]: CreateSignerObject() failed.\n", hr);
  645. goto ErrorExit;
  646. }
  647. }
  649. //
  650. // Make sure cert is valid for signing.
  651. //
  652. if (FAILED(hr = ::IsValidForSigning(pSelectedCertContext, pszPolicy)))
  653. {
  654. DebugTrace("Error [%#x]: IsValidForSigning() failed.\n", hr);
  655. goto ErrorExit;
  656. }
  658. //
  659. // Return values to caller.
  660. //
  661. if (ppISigner2)
  662. {
  663. if (FAILED(hr = pISelectedSigner2->QueryInterface(ppISigner2)))
  664. {
  665. DebugTrace("Unexpected error [%#x]: pISelectedSigner2->QueryInterface() failed.\n", hr);
  666. goto ErrorExit;
  667. }
  668. }
  670. if (ppICertificate)
  671. {
  672. if (FAILED(hr = pISelectedCertificate->QueryInterface(ppICertificate)))
  673. {
  674. DebugTrace("Unexpected error [%#x]: pISelectedCertificate->QueryInterface() failed.\n", hr);
  675. goto ErrorExit;
  676. }
  677. }
  679. if (ppCertContext)
  680. {
  681. *ppCertContext = pSelectedCertContext;
  682. }
  683. }
  685. catch(...)
  686. {
  687. hr = E_POINTER;
  689. DebugTrace("Exception: invalid parameter.\n");
  690. goto ErrorExit;
  691. }
  693. CommonExit:
  695. DebugTrace("Leaving GetSignerCert().\n");
  697. return hr;
  699. ErrorExit:
  700. //
  701. // Sanity check.
  702. //
  703. ATLASSERT(FAILED(hr));
  705. //
  706. // Free resource.
  707. //
  708. if (pSelectedCertContext)
  709. {
  710. ::CertFreeCertificateContext(pSelectedCertContext);
  711. }
  712. if (ppICertificate && *ppICertificate)
  713. {
  714. (*ppICertificate)->Release();
  715. *ppICertificate = NULL;
  716. }
  717. if (ppISigner2 && *ppISigner2)
  718. {
  719. (*ppISigner2)->Release();
  720. *ppISigner2 = NULL;
  721. }
  723. goto CommonExit;
  724. }