|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1999
//
// File: enrlhelp.cpp
//
// Contents: Helper functions for smard card enrollment station
//
//----------------------------------------------------------------------------
#define INC_OLE2
#define SECURITY_WIN32 //Or in the sources file -DSECURITY_WIN32
#include "stdafx.h"
#include <windows.h>
#include <wincrypt.h>
#include <oleauto.h>
#include <objbase.h>
#include "security.h"
#include "certca.h"
#include <dbgdef.h>
#include "unicode.h"
#include "scrdenrl.h"
#include "SCrdEnr.h"
#include "xEnroll.h"
#include "enrlhelp.h"
#include "scenum.h"
#include "wzrdpvk.h"
UINT g_cfDsObjectPicker = RegisterClipboardFormat(CFSTR_DSOP_DS_SELECTION_LIST);
//-----------------------------------------------------------------------------
// Memory routines
//
//-----------------------------------------------------------------------------
void*MIDL_user_allocate(size_t cb){ return(SCrdEnrollAlloc(cb));}
voidMIDL_user_free(void *pb){ SCrdEnrollFree(pb);}
LPVOID SCrdEnrollAlloc (ULONG cbSize){ return CoTaskMemAlloc(cbSize);}
LPVOID SCrdEnrollRealloc ( LPVOID pv, ULONG cbSize){ LPVOID pvTemp=NULL;
if(NULL==pv) return CoTaskMemAlloc(cbSize);
return CoTaskMemRealloc(pv, cbSize);}
VOID SCrdEnrollFree (LPVOID pv){ if (pv) CoTaskMemFree(pv);}
BOOL CertTypeFlagsToGenKeyFlags(IN OPTIONAL DWORD dwEnrollmentFlags, IN OPTIONAL DWORD dwSubjectNameFlags, IN OPTIONAL DWORD dwPrivateKeyFlags, IN OPTIONAL DWORD dwGeneralFlags, OUT DWORD *pdwGenKeyFlags){ // Define a locally scoped helper function. This allows us to gain the benefits of procedural
// abstraction without corrupting the global namespace.
//
LocalScope(CertTypeMap): // Maps cert type flags of one category (enrollment flags, private key flags, etc...)
// to their corresponding gen key flags. This function always returns successfully.
//
DWORD mapOneCertTypeCategory(IN DWORD dwOption, IN DWORD dwCertTypeFlags) { static DWORD const rgdwEnrollmentFlags[][2] = { { 0, 0 } // No enrollment flags mapped.
}; static DWORD const rgdwSubjectNameFlags[][2] = { { 0, 0 } // No subject name flags mapped.
}; static DWORD const rgdwPrivateKeyFlags[][2] = { { CT_FLAG_EXPORTABLE_KEY, CRYPT_EXPORTABLE } }; static DWORD const rgdwGeneralFlags[][2] = { { 0, 0 } // No general flags mapped.
}; static DWORD const dwEnrollmentLen = sizeof(rgdwEnrollmentFlags) / sizeof(DWORD[2]); static DWORD const dwSubjectNameLen = sizeof(rgdwSubjectNameFlags) / sizeof(DWORD[2]); static DWORD const dwPrivateKeyLen = sizeof(rgdwPrivateKeyFlags) / sizeof(DWORD[2]); static DWORD const dwGeneralLen = sizeof(rgdwGeneralFlags) / sizeof(DWORD[2]); static DWORD const CERT_TYPE_INDEX = 0; static DWORD const GEN_KEY_INDEX = 1;
DWORD const *pdwFlags; DWORD dwLen, dwIndex, dwResult = 0;
switch (dwOption) {
case CERTTYPE_ENROLLMENT_FLAG: pdwFlags = &rgdwEnrollmentFlags[0][0]; dwLen = dwEnrollmentLen; break; case CERTTYPE_SUBJECT_NAME_FLAG: pdwFlags = &rgdwSubjectNameFlags[0][0]; dwLen = dwSubjectNameLen; break; case CERTTYPE_PRIVATE_KEY_FLAG: pdwFlags = &rgdwPrivateKeyFlags[0][0]; dwLen = dwPrivateKeyLen; break; case CERTTYPE_GENERAL_FLAG: pdwFlags = &rgdwGeneralFlags[0][0]; dwLen = dwGeneralLen; break; } for (dwIndex = 0; dwIndex < dwLen; dwIndex++) { if (0 != (pdwFlags[CERT_TYPE_INDEX] & dwCertTypeFlags)) { dwResult |= pdwFlags[GEN_KEY_INDEX]; } pdwFlags += 2; } return dwResult; } EndLocalScope;
//
// Begin procedure body:
//
BOOL fResult; DWORD dwResult = 0; DWORD dwErr = ERROR_SUCCESS; // Input parameter validation:
_JumpConditionWithExpr(pdwGenKeyFlags == NULL, Error, dwErr = ERROR_INVALID_PARAMETER);
// Compute the gen key flags using the locally scope function.
dwResult |= local.mapOneCertTypeCategory(CERTTYPE_ENROLLMENT_FLAG, dwEnrollmentFlags); dwResult |= local.mapOneCertTypeCategory(CERTTYPE_SUBJECT_NAME_FLAG, dwSubjectNameFlags); dwResult |= local.mapOneCertTypeCategory(CERTTYPE_PRIVATE_KEY_FLAG, dwPrivateKeyFlags); dwResult |= local.mapOneCertTypeCategory(CERTTYPE_GENERAL_FLAG, dwGeneralFlags);
// Assign the out parameter:
*pdwGenKeyFlags = dwResult;
fResult = TRUE;
CommonReturn: return fResult;
Error: fResult = FALSE; SetLastError(dwErr); goto CommonReturn; }
//----------------------------------------------------------------------------
// CallBack fro cert selection call back
//
//----------------------------------------------------------------------------
BOOL WINAPI SelectSignCertCallBack( PCCERT_CONTEXT pCertContext, BOOL *pfInitialSelectedCert, void *pvCallbackData){ BOOL fRet = FALSE; DWORD cbData=0; SCrdEnroll_CERT_SELECT_INFO *pCertSelectInfo; PCERT_ENHKEY_USAGE pUsage = NULL; CHAR *pszOID = NULL; DWORD i; BOOL fFoundOid;
if(!pCertContext) { goto done; }
//the certificate has to have the CERT_KEY_PROV_INFO_PROP_ID
if(!CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cbData)) { goto done; }
if(0==cbData) { goto done; }
pCertSelectInfo = (SCrdEnroll_CERT_SELECT_INFO *)pvCallbackData; if(NULL == pCertSelectInfo) { goto done; }
if (NULL == pCertSelectInfo->pwszCertTemplateName || L'\0' == pCertSelectInfo->pwszCertTemplateName[0]) { goto done; }
switch (pCertSelectInfo->dwFlags) { case SCARD_SELECT_TEMPLATENAME: //ask to check template name
if(!VerifyCertTemplateName( pCertContext, pCertSelectInfo->pwszCertTemplateName)) { goto done; } break; case SCARD_SELECT_EKU: cbData = 0; while (TRUE) { cbData = WideCharToMultiByte( GetACP(), 0, pCertSelectInfo->pwszCertTemplateName, -1, pszOID, cbData, NULL, NULL); if(0 == cbData) { goto done; } if (NULL != pszOID) { break; } pszOID = (CHAR*)LocalAlloc(LMEM_FIXED, cbData); if (NULL == pszOID) { goto done; } } cbData = 0; while (TRUE) { if (!CertGetEnhancedKeyUsage( pCertContext, CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG, pUsage, &cbData)) { goto done; } if (NULL != pUsage) { //done
break; } pUsage = (PCERT_ENHKEY_USAGE)LocalAlloc(LMEM_FIXED, cbData); if (NULL == pUsage) { goto done; } } fFoundOid = FALSE; for (i = 0 ; i < pUsage->cUsageIdentifier; ++i) { if (0 == strcmp(pszOID, pUsage->rgpszUsageIdentifier[i])) { fFoundOid = TRUE; break; } } if (!fFoundOid) { //not found
goto done; } break; default: //invalid_parameter
goto done; }
//make sure the certificate pass the chain building
if(!VerifyCertChain(pCertContext)) { goto done; }
fRet = TRUE; done: if (NULL != pUsage) { LocalFree(pUsage); } if (NULL != pszOID) { LocalFree(pszOID); } return fRet;}
//-------------------------------------------------------------------------
// GetName
//
//--------------------------------------------------------------------------
BOOL GetName(LPWSTR pwszName, EXTENDED_NAME_FORMAT NameFormat, EXTENDED_NAME_FORMAT DesiredFormat, LPWSTR *ppwszDesiredName){ BOOL fResult = FALSE; DWORD cbSize = 0;
*ppwszDesiredName = NULL;
if(!TranslateNameW( pwszName, NameFormat, DesiredFormat, NULL, &cbSize)) goto TraceErr;
*ppwszDesiredName=(LPWSTR)SCrdEnrollAlloc((cbSize + 1) * sizeof(WCHAR));
if(NULL == *ppwszDesiredName) goto MemoryErr;
if(!TranslateNameW( pwszName, NameFormat, DesiredFormat, *ppwszDesiredName, &cbSize)) goto TraceErr;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
if(*ppwszDesiredName) { SCrdEnrollFree(*ppwszDesiredName); *ppwszDesiredName = NULL; } fResult = FALSE;
goto CommonReturn;
SET_ERROR(MemoryErr, E_OUTOFMEMORY);TRACE_ERROR(TraceErr);}
//-------------------------------------------------------------------------
// VerifyCertChain
//
//--------------------------------------------------------------------------
BOOL VerifyCertChain(PCCERT_CONTEXT pCertContext){ PCCERT_CHAIN_CONTEXT pCertChainContext = NULL; CERT_CHAIN_PARA CertChainPara; BOOL fResult=FALSE; DWORD dwChainError=CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_REVOKED | CERT_TRUST_IS_NOT_SIGNATURE_VALID | CERT_TRUST_IS_NOT_VALID_FOR_USAGE | CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_CYCLIC | CERT_TRUST_IS_PARTIAL_CHAIN | CERT_TRUST_CTL_IS_NOT_TIME_VALID | CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID | CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE;
memset(&CertChainPara, 0, sizeof(CertChainPara)); CertChainPara.cbSize = sizeof(CertChainPara);
if (!CertGetCertificateChain( HCCE_CURRENT_USER, pCertContext, NULL, NULL, &CertChainPara, CERT_CHAIN_REVOCATION_CHECK_CHAIN, NULL, &pCertChainContext)) goto CLEANUP; //
// make sure there is at least 1 simple chain
//
if (pCertChainContext->cChain == 0) goto CLEANUP;
// make sure that we have a good simple chain
if(dwChainError & (pCertChainContext->rgpChain[0]->TrustStatus.dwErrorStatus)) goto CLEANUP; fResult = TRUE; CLEANUP:
if (pCertChainContext != NULL) CertFreeCertificateChain(pCertChainContext);
return fResult;}
//-------------------------------------------------------------------------
// VerifyCertTemplateName
//
//--------------------------------------------------------------------------
BOOL VerifyCertTemplateName(PCCERT_CONTEXT pCertContext, LPWSTR pwszCertTemplateName){ BOOL fResult=FALSE; PCERT_EXTENSION pCertTypeExtension=NULL; DWORD cbCertType=0; CERT_NAME_VALUE *pCertType=NULL;
if((!pCertContext) || (!pwszCertTemplateName)) goto CLEANUP;
//find the extension for cert type
if(NULL==(pCertTypeExtension=CertFindExtension( szOID_ENROLL_CERTTYPE_EXTENSION, pCertContext->pCertInfo->cExtension, pCertContext->pCertInfo->rgExtension))) goto CLEANUP;
if(!CryptDecodeObject(pCertContext->dwCertEncodingType, X509_UNICODE_ANY_STRING, pCertTypeExtension->Value.pbData, pCertTypeExtension->Value.cbData, 0, NULL, &cbCertType) || (0==cbCertType)) goto CLEANUP;
pCertType=(CERT_NAME_VALUE *)SCrdEnrollAlloc(cbCertType);
if(NULL==pCertType) goto CLEANUP;
if(!CryptDecodeObject(pCertContext->dwCertEncodingType, X509_UNICODE_ANY_STRING, pCertTypeExtension->Value.pbData, pCertTypeExtension->Value.cbData, 0, (void *)pCertType, &cbCertType)) goto CLEANUP;
if(0 != _wcsicmp((LPWSTR)(pCertType->Value.pbData), pwszCertTemplateName)) goto CLEANUP;
fResult=TRUE;
CLEANUP:
if(pCertType) SCrdEnrollFree(pCertType);
return fResult;}
//----------------------------------------------------------------------------
//
// CopyWideString
//
//----------------------------------------------------------------------------
LPWSTR CopyWideString(LPCWSTR wsz){
DWORD cch = 0; LPWSTR wszOut = NULL;
if(wsz == NULL) { SetLastError(ERROR_INVALID_PARAMETER); return(NULL); }
cch = wcslen(wsz) + 1;
if( (wszOut = (LPWSTR) SCrdEnrollAlloc(sizeof(WCHAR) * cch)) == NULL ) { SetLastError(ERROR_OUTOFMEMORY); return(NULL); }
wcscpy(wszOut, wsz);
return(wszOut);}
//----------------------------------------------------------------------------
//
// CopyWideStrings
//
//----------------------------------------------------------------------------
LPWSTR* CopyWideStrings(LPWSTR* rgpwsz){
DWORD dwCount = 1; DWORD dwIndex = 0; DWORD cb = 0; LPWSTR *ppwsz; LPWSTR *rgpwszOut = NULL; LPWSTR pwszCur;
if (NULL != rgpwsz) { //get count of strings
for (ppwsz = rgpwsz; NULL != *ppwsz; ppwsz++) { ++dwCount; cb += (wcslen(*ppwsz) + 1) * sizeof(WCHAR); } }
// allocate buffer
rgpwszOut = (LPWSTR*)SCrdEnrollAlloc(dwCount * sizeof(WCHAR*) + cb); if (NULL == rgpwszOut) { SetLastError(ERROR_OUTOFMEMORY); goto error; }
if (NULL != rgpwsz) { pwszCur = (LPWSTR)(rgpwszOut + dwCount);
for(ppwsz = rgpwsz; NULL != *ppwsz; ppwsz++) { rgpwszOut[dwIndex] = pwszCur; wcscpy(pwszCur, *ppwsz); pwszCur += wcslen(pwszCur) + 1; ++dwIndex; } } rgpwszOut[dwIndex] = NULL;
error: return(rgpwszOut);}
//--------------------------------------------------------------------------
//
// Decode a generic BLOB
//
//--------------------------------------------------------------------------
BOOL DecodeGenericBLOB(DWORD dwEncodingType, LPCSTR lpszStructType, const BYTE *pbEncoded, DWORD cbEncoded,void **ppStructInfo){ DWORD cbStructInfo=0;
//decode the object. No copying
if(!CryptDecodeObject(dwEncodingType,lpszStructType,pbEncoded, cbEncoded, 0,NULL, &cbStructInfo)) return FALSE;
*ppStructInfo=SCrdEnrollAlloc(cbStructInfo);
if(!(*ppStructInfo)) { SetLastError(E_OUTOFMEMORY); return FALSE; }
return CryptDecodeObject(dwEncodingType,lpszStructType,pbEncoded, cbEncoded, 0,*ppStructInfo,&cbStructInfo);}
//----------------------------------------------------------------------------
//
// GetNameFromPKCS10
//
//----------------------------------------------------------------------------
BOOL GetNameFromPKCS10(BYTE *pbPKCS10, DWORD cbPKCS10, DWORD dwFlags, LPSTR pszOID, LPWSTR *ppwszName){ BOOL fResult=FALSE; DWORD errBefore= GetLastError(); DWORD dwRDNIndex=0; DWORD dwAttrCount=0; DWORD dwAttrIndex=0; CERT_RDN_ATTR *pCertRDNAttr=NULL;
CERT_REQUEST_INFO *pCertRequestInfo=NULL; CERT_NAME_INFO *pCertNameInfo=NULL;
*ppwszName=NULL;
if(!DecodeGenericBLOB(PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, X509_CERT_REQUEST_TO_BE_SIGNED, pbPKCS10, cbPKCS10, (void **)&pCertRequestInfo)) goto TraceErr;
if(!DecodeGenericBLOB(PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, X509_UNICODE_NAME, (pCertRequestInfo->Subject).pbData, (pCertRequestInfo->Subject).cbData, (void **)&pCertNameInfo)) goto TraceErr;
//search for the OID requested.
*ppwszName = (LPWSTR)SCrdEnrollAlloc(sizeof(WCHAR));
if(NULL == (*ppwszName)) goto MemoryErr;
*(*ppwszName)=L'\0';
for(dwRDNIndex=0; dwRDNIndex<pCertNameInfo->cRDN; dwRDNIndex++) { dwAttrCount=(pCertNameInfo->rgRDN)[dwRDNIndex].cRDNAttr;
for(dwAttrIndex=0; dwAttrIndex<dwAttrCount; dwAttrIndex++) { pCertRDNAttr=&((pCertNameInfo->rgRDN)[dwRDNIndex].rgRDNAttr[dwAttrIndex]);
if(_stricmp(pszOID, pCertRDNAttr->pszObjId)==0) { if(0 != wcslen(*ppwszName)) wcscat(*ppwszName, L"; ");
(*ppwszName) = (LPWSTR)SCrdEnrollRealloc (*ppwszName, sizeof(WCHAR) * (wcslen(*ppwszName) + wcslen(L"; ") + wcslen((LPWSTR)((pCertRDNAttr->Value).pbData))+1));
if(NULL == *ppwszName) goto MemoryErr;
wcscat(*ppwszName, (LPWSTR)((pCertRDNAttr->Value).pbData)); } } }
if(0 == wcslen(*ppwszName)) goto NotFindErr;
fResult=TRUE;
CommonReturn:
if(pCertRequestInfo) SCrdEnrollFree(pCertRequestInfo);
if(pCertNameInfo) SCrdEnrollFree(pCertNameInfo);
SetLastError(errBefore);
return fResult;
ErrorReturn: errBefore = GetLastError();
if(*ppwszName) { SCrdEnrollFree(*ppwszName); *ppwszName=NULL; }
fResult=FALSE;
goto CommonReturn;
TRACE_ERROR(TraceErr);SET_ERROR(NotFindErr, CRYPT_E_NOT_FOUND);SET_ERROR(MemoryErr, E_OUTOFMEMORY);}
//----------------------------------------------------------------------------
//
// SearchAndDeleteCert
//
//----------------------------------------------------------------------------
BOOL SearchAndDeleteCert(PCCERT_CONTEXT pCertContext){ BOOL fResult=FALSE; DWORD errBefore= GetLastError(); HCERTSTORE hCertStore=NULL; PCCERT_CONTEXT pFoundCert=NULL; CERT_BLOB HashBlob;
memset(&HashBlob, 0, sizeof(CERT_BLOB));
if(NULL==pCertContext) goto InvalidArgErr;
//open the temporary store
hCertStore=CertOpenStore(CERT_STORE_PROV_SYSTEM_W, g_dwMsgAndCertEncodingType, NULL, CERT_SYSTEM_STORE_CURRENT_USER, g_MyStoreName); if(NULL==hCertStore) goto TraceErr;
//get the SHA1 hash
if(!CertGetCertificateContextProperty( pCertContext, CERT_SHA1_HASH_PROP_ID, NULL, &(HashBlob.cbData))) goto TraceErr;
HashBlob.pbData=(BYTE *)SCrdEnrollAlloc(HashBlob.cbData);
if(NULL==(HashBlob.pbData)) goto MemoryErr;
if(!CertGetCertificateContextProperty( pCertContext, CERT_SHA1_HASH_PROP_ID, HashBlob.pbData, &(HashBlob.cbData))) goto TraceErr;
pFoundCert=CertFindCertificateInStore( hCertStore, X509_ASN_ENCODING, 0, CERT_FIND_SHA1_HASH, &HashBlob, NULL);
if(pFoundCert) CertDeleteCertificateFromStore(pFoundCert);
fResult=TRUE;
CommonReturn:
if(hCertStore) CertCloseStore(hCertStore, 0);
if(HashBlob.pbData) SCrdEnrollFree(HashBlob.pbData);
SetLastError(errBefore);
return fResult;
ErrorReturn: errBefore = GetLastError();
fResult=FALSE;
goto CommonReturn;
SET_ERROR(InvalidArgErr, E_INVALIDARG);SET_ERROR(MemoryErr, E_OUTOFMEMORY);TRACE_ERROR(TraceErr);}
//--------------------------------------------------------------------------
//
// FormatMessageUnicode
//
//--------------------------------------------------------------------------
BOOL FormatMessageUnicode(LPWSTR *ppwszFormat,LPWSTR wszFormat,...){ va_list argList; DWORD cbMsg=0; BOOL fResult=FALSE; HRESULT hr=S_OK;
if(NULL == ppwszFormat) goto InvalidArgErr;
// format message into requested buffer
va_start(argList, wszFormat);
cbMsg = FormatMessageU( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_STRING, wszFormat, 0, // dwMessageId
0, // dwLanguageId
(LPWSTR) (ppwszFormat), 0, // minimum size to allocate
&argList);
va_end(argList);
if(!cbMsg) goto FormatMessageError;
fResult=TRUE;
CommonReturn: return fResult;
ErrorReturn: fResult=FALSE;
goto CommonReturn;
TRACE_ERROR(FormatMessageError);SET_ERROR(InvalidArgErr, E_INVALIDARG);}
//-----------------------------------------------------------------------
//
// IsNewerCert
//
// Return TRUE is pFirstCert has a later starting date of pSecondCert
//------------------------------------------------------------------------
BOOL IsNewerCert(PCCERT_CONTEXT pFirstCert, PCCERT_CONTEXT pSecondCert){ if(NULL == pSecondCert) return TRUE;
if(NULL == pFirstCert) return FALSE;
if(1 != CompareFileTime(&(pFirstCert->pCertInfo->NotBefore), &(pSecondCert->pCertInfo->NotBefore))) return FALSE;
return TRUE;}
//-----------------------------------------------------------------------
//
// SmartCardCSP
//
// Return TRUE is the CSP is a smart card CSP. If anything went wrong,
// we will return TRUE for as a safe guard.
//------------------------------------------------------------------------
BOOL SmartCardCSP(PCCERT_CONTEXT pCertContext){ BOOL fResult = TRUE; DWORD cbData = 0; DWORD dwImpType=0;
CRYPT_KEY_PROV_INFO *pProvInfo=NULL; HCRYPTPROV hProv = NULL;
if(NULL == pCertContext) goto CLEANUP;
//the certificate has to have the CERT_KEY_PROV_INFO_PROP_ID
if(!CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cbData)) goto CLEANUP;
if((cbData == 0) || (NULL == (pProvInfo =(CRYPT_KEY_PROV_INFO *)SCrdEnrollAlloc(cbData)))) goto CLEANUP;
if(!CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, pProvInfo, &cbData)) goto CLEANUP;
if(!CryptAcquireContextU(&hProv, NULL, pProvInfo->pwszProvName, pProvInfo->dwProvType, CRYPT_VERIFYCONTEXT)) goto CLEANUP;
cbData = sizeof(dwImpType); if(!CryptGetProvParam(hProv, PP_IMPTYPE, (BYTE *)(&dwImpType), &cbData, 0)) goto CLEANUP;
if(0 == (CRYPT_IMPL_REMOVABLE & dwImpType)) fResult = FALSE;
CLEANUP:
if(hProv) CryptReleaseContext(hProv, 0);
if(pProvInfo) SCrdEnrollFree(pProvInfo);
return fResult;
}
//-----------------------------------------------------------------------
//
// ChKInsertedCardSigningCert
//
// This function checks to see if the inserted smart card matches
// the signing certificate. That is, they are actually the same cert
// with the same public key
//
//------------------------------------------------------------------------
BOOL ChKInsertedCardSigningCert(LPWSTR pwszInsertProvider, DWORD dwInsertProviderType, LPWSTR pwszReaderName, PCCERT_CONTEXT pSignCertContext, LPSTR pszSignProvider, DWORD dwSignProviderType, LPSTR pszSignContainer, BOOL *pfSame){
BOOL fResult=FALSE; DWORD cbData=0;
CRYPT_KEY_PROV_INFO *pKeyProvInfo=NULL; CERT_PUBLIC_KEY_INFO *pPubInfo=NULL; HCRYPTPROV hProv=NULL; LPWSTR pwszInsertContainer=NULL; LPWSTR pwszSignProvider=NULL; if(NULL==pwszInsertProvider || NULL == pwszReaderName || NULL == pSignCertContext || NULL == pszSignProvider || NULL == pszSignContainer || NULL == pfSame) goto InvalidArgErr;
*pfSame=FALSE;
//get the key specification from the signing cert
if(!CertGetCertificateContextProperty( pSignCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cbData) || (0==cbData)) goto TraceErr;
pKeyProvInfo=(CRYPT_KEY_PROV_INFO *)SCrdEnrollAlloc(cbData); if(NULL==pKeyProvInfo) goto MemoryErr;
if(!CertGetCertificateContextProperty( pSignCertContext, CERT_KEY_PROV_INFO_PROP_ID, pKeyProvInfo, &cbData)) goto TraceErr;
//build a default container name with the reader information
if(!FormatMessageUnicode(&pwszInsertContainer, L"\\\\.\\%1!s!\\", pwszReaderName)) goto TraceErr;
//get the hProv from the reader's card
if(!CryptAcquireContextU(&hProv, pwszInsertContainer, pwszInsertProvider, dwInsertProviderType, CRYPT_SILENT)) { //check to see if we have an empty card
if((GetLastError() == NTE_BAD_KEYSET) || (GetLastError() == NTE_KEYSET_NOT_DEF)) { //we have an empty card
*pfSame=FALSE; fResult=TRUE; goto CommonReturn; } else goto TraceErr; }
//get the public key information
cbData=0;
if(!CryptExportPublicKeyInfo(hProv, pKeyProvInfo->dwKeySpec, pSignCertContext->dwCertEncodingType, NULL, &cbData) || (0 == cbData)) { //the insert card does not have a private key
*pfSame=FALSE; fResult=TRUE; goto CommonReturn; }
pPubInfo = (CERT_PUBLIC_KEY_INFO *)SCrdEnrollAlloc(cbData);
if(NULL == pPubInfo) goto MemoryErr;
if(!CryptExportPublicKeyInfo(hProv, pKeyProvInfo->dwKeySpec, pSignCertContext->dwCertEncodingType, pPubInfo, &cbData)) { //the insert card does not have a private key
*pfSame=FALSE; fResult=TRUE; goto CommonReturn; } if(CertComparePublicKeyInfo(pSignCertContext->dwCertEncodingType, pPubInfo, &(pSignCertContext->pCertInfo->SubjectPublicKeyInfo))) { //make sure that we have the same CSP name
pwszSignProvider=MkWStr(pszSignProvider);
if(NULL != pwszSignProvider) { //case insensitive compare of the two csp names
if(0 == _wcsicmp(pwszSignProvider, pwszInsertProvider)) *pfSame=TRUE; else *pfSame=FALSE; } else { //we are out of memory. Assume same CSP here
*pfSame=TRUE; } } else *pfSame=FALSE;
fResult=TRUE;
CommonReturn:
if(pwszSignProvider) FreeWStr(pwszSignProvider);
if(pPubInfo) SCrdEnrollFree(pPubInfo);
if(pKeyProvInfo) SCrdEnrollFree(pKeyProvInfo);
if(hProv) CryptReleaseContext(hProv, 0);
if(pwszInsertContainer) LocalFree((HLOCAL)pwszInsertContainer);
return fResult;
ErrorReturn:
fResult=FALSE; goto CommonReturn;
SET_ERROR(InvalidArgErr, E_INVALIDARG);TRACE_ERROR(TraceErr);SET_ERROR(MemoryErr, E_OUTOFMEMORY);
}//-----------------------------------------------------------------------
//
// DeleteKeySet
//
// If the user's smart card is not empty, we delete the private key
//
//------------------------------------------------------------------------
BOOL DeleteKeySet(LPWSTR pwszUserCSPName, DWORD dwUserCSPType, LPWSTR pwszReaderName){ BOOL fResult=FALSE; DWORD dwSize=0; HCRYPTPROV hDeleteProv=NULL; //no need to free this
HCRYPTPROV hProv=NULL; LPWSTR pwszDefaultContainer=NULL; LPSTR pszContainer=NULL; LPWSTR pwszContainer=NULL;
if(NULL == pwszUserCSPName || NULL == pwszReaderName) goto InvalidArgErr;
if(!FormatMessageUnicode(&pwszDefaultContainer, L"\\\\.\\%1!s!\\", pwszReaderName)) goto TraceErr;
//get the hProv from the reader's card
if(!CryptAcquireContextU(&hProv, pwszDefaultContainer, pwszUserCSPName, dwUserCSPType, CRYPT_SILENT)) { //check to see if we have an empty card
if((GetLastError() == NTE_BAD_KEYSET) || (GetLastError() == NTE_KEYSET_NOT_DEF)) { //we have an empty card
fResult=TRUE; goto CommonReturn; } else goto TraceErr; }
//get the container name
dwSize = 0;
if(!CryptGetProvParam(hProv, PP_CONTAINER, NULL, &dwSize, 0) || (0==dwSize)) goto TraceErr;
pszContainer = (LPSTR) SCrdEnrollAlloc(dwSize);
if(NULL == pszContainer) goto MemoryErr;
if(!CryptGetProvParam(hProv, PP_CONTAINER, (BYTE *)pszContainer, &dwSize, 0)) goto TraceErr;
//release the context
if(hProv) { CryptReleaseContext(hProv, 0); hProv=NULL; }
//build the fully qualified container name
if(!FormatMessageUnicode(&pwszContainer, L"\\\\.\\%1!s!\\%2!S!", pwszReaderName, pszContainer)) goto TraceErr;
//delete the container
if(!CryptAcquireContextU(&hDeleteProv, pwszContainer, pwszUserCSPName, dwUserCSPType, CRYPT_DELETEKEYSET)) { //check to see if we have an empty card
if(GetLastError() == NTE_BAD_KEYSET) { //we have an empty card
fResult=TRUE; goto CommonReturn; } else goto TraceErr; }
fResult=TRUE;
CommonReturn:
if(pwszDefaultContainer) LocalFree((HLOCAL)pwszDefaultContainer);
if(pwszContainer) LocalFree((HLOCAL)pwszContainer);
if(pszContainer) SCrdEnrollFree(pszContainer);
if(hProv) CryptReleaseContext(hProv, 0);
return fResult;
ErrorReturn:
fResult=FALSE; goto CommonReturn;
SET_ERROR(InvalidArgErr, E_INVALIDARG);TRACE_ERROR(TraceErr);SET_ERROR(MemoryErr, E_OUTOFMEMORY);}
//-----------------------------------------------------------------------
//
// ChkSCardStatus
//
// This function makes sure that the smart card enrollment station has the
// correct number of readers connected to the station, and the correct number
// of smart cards inserted into the readers. If everything looks good,
// the user smart card is initialized (old key container deleted) and a fully
// qualified key container name, in the format of "\\.\ReaderName\ContainerName",
// will be returned.
//
//------------------------------------------------------------------------
HRESULT ChkSCardStatus(BOOL fSCardSigningCert, PCCERT_CONTEXT pSigningCertCertContext, LPSTR pszCSPNameSigningCert, DWORD dwCSPTypeSigningCert, LPSTR pszContainerSigningCert, LPWSTR pwszSelectedCSP, LPWSTR *ppwszNewContainerName){
HRESULT hr=E_FAIL; DWORD dwExpectedReader=0; DWORD dwReader=0; DWORD dwSCard=0; WCHAR wszProvider[MAX_PATH]; DWORD dwProviderType=0; DWORD dwCount=0; BOOL fFindSigningCert=FALSE; DWORD errBefore=0; BOOL fSameCert=FALSE; DWORD dwUserCSPType=0; LPCWSTR pwszReaderName=NULL; //no need to free. Point to internal data
LPWSTR pwszUserReaderName=NULL; //no need to free . Point to internal data
GUID guidContainerName;
LPVOID pvContext = NULL; LPWSTR pwszNewContainerName=NULL; LPWSTR pwszUserCSPName=NULL; char * sz = NULL; RPC_STATUS rpc_status;
if(NULL == pszCSPNameSigningCert || NULL == pszContainerSigningCert || NULL == ppwszNewContainerName || NULL == pSigningCertCertContext || NULL == pwszSelectedCSP) goto CLEANUP;
*ppwszNewContainerName=NULL;
if(fSCardSigningCert) dwExpectedReader=2; else dwExpectedReader=1;
dwReader = CountReaders(NULL);
//check the # of smart card readers
if(dwReader < dwExpectedReader) { hr=SCARD_E_READER_UNAVAILABLE; goto CLEANUP; }
dwSCard = ScanReaders(&pvContext);
//no smart card is inserted
if( 0 == dwSCard || NULL == pvContext) { hr=SCARD_E_NO_SMARTCARD; goto CLEANUP; }
//we have more than expected # of smart card inserted
if(dwSCard > dwExpectedReader) { // seems ERROR_TOO_MANY_OPEN_FILES is closest one for this case
hr=HRESULT_FROM_WIN32(ERROR_TOO_MANY_OPEN_FILES); goto CLEANUP; }
dwCount=0; dwProviderType=0; wszProvider[0]=L'\0'; pwszReaderName=NULL; fSameCert=FALSE;
//now, we loop through we all inserted cards and make sure:
//1. We find the signing certificate if applicable
//2. We find a valid user certificate
while (EnumInsertedCards( pvContext, wszProvider, sizeof(wszProvider)/sizeof(wszProvider[0]), &dwProviderType, &pwszReaderName)) { if((NULL == pwszReaderName) || (0 == wcslen(wszProvider))) { //we can not determine the status of the smart card
hr = SCARD_E_CARD_UNSUPPORTED; goto CLEANUP; }
if (!ChKInsertedCardSigningCert( wszProvider, dwProviderType, (LPWSTR)pwszReaderName, pSigningCertCertContext, pszCSPNameSigningCert, dwCSPTypeSigningCert, pszContainerSigningCert, &fSameCert)) { if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
hr = CodeToHR(GetLastError()); goto CLEANUP; }
if(TRUE == fSameCert) { if(TRUE == fSCardSigningCert) { if(TRUE == fFindSigningCert) { //too many signing cards. Not expected
hr = SCARD_E_CARD_UNSUPPORTED; goto CLEANUP; } else fFindSigningCert=TRUE; } else { //we should not expect a siging certificate
hr=SCARD_E_CARD_UNSUPPORTED; goto CLEANUP; } } else { //this is a user card.
if(NULL != (pwszUserCSPName)) { //too many user cards.
// seems ERROR_TOO_MANY_OPEN_FILES is closest one for this case
hr=HRESULT_FROM_WIN32(ERROR_TOO_MANY_OPEN_FILES); goto CLEANUP; }
pwszUserCSPName = CopyWideString(wszProvider);
if(NULL == pwszUserCSPName) { hr=E_OUTOFMEMORY; goto CLEANUP; }
dwUserCSPType = dwProviderType; pwszUserReaderName = (LPWSTR)pwszReaderName; }
dwCount++; if(dwCount >= dwSCard) break;
dwProviderType=0; pwszReaderName=NULL; wszProvider[0]=L'\0'; fSameCert=FALSE; }
if((TRUE == fSCardSigningCert) && (FALSE == fFindSigningCert)) { //we failed to find the signing certificate
hr=SCARD_E_NO_SUCH_CERTIFICATE;
goto CLEANUP; } if(NULL == pwszUserCSPName) { //we failed to find the target user certificate
hr=SCARD_E_NO_SMARTCARD; goto CLEANUP; }
//make sure the pwszUserCSPName matches with the CSP selected by the admin
if(0 != _wcsicmp(pwszUserCSPName, pwszSelectedCSP)) { hr=SCARD_E_PROTO_MISMATCH; goto CLEANUP; }
//delete the key set from the user's certificate
if(!DeleteKeySet(pwszUserCSPName, dwUserCSPType, pwszUserReaderName)) { if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
hr = CodeToHR(GetLastError()); goto CLEANUP;
}
//Build the fully qualified container name with a GUID
// get a container based on a guid
rpc_status = UuidCreate(&guidContainerName); if (RPC_S_OK != rpc_status && RPC_S_UUID_LOCAL_ONLY != rpc_status) { hr = rpc_status; goto CLEANUP; }
rpc_status = UuidToStringA(&guidContainerName, (unsigned char **) &sz); if (RPC_S_OK != rpc_status) { hr = rpc_status; goto CLEANUP; }
if(NULL == sz) { hr=E_OUTOFMEMORY; goto CLEANUP; }
//although the chance is VERY low, we could generate a same GUID
//as the signing cert's container.
if(0 == _stricmp(sz,pszContainerSigningCert)) { //we will have to do this again
RpcStringFree((unsigned char **) &sz); sz=NULL;
rpc_status = UuidCreate(&guidContainerName); if (RPC_S_OK != rpc_status && RPC_S_UUID_LOCAL_ONLY != rpc_status) { hr = rpc_status; goto CLEANUP; }
rpc_status = UuidToStringA(&guidContainerName, (unsigned char **) &sz); if (RPC_S_OK != rpc_status) { hr = rpc_status; goto CLEANUP; }
if(NULL == sz) { hr=E_OUTOFMEMORY; goto CLEANUP; }
//since we are guaranted a new GUID, we should be fine here
if(0 == _stricmp(sz,pszContainerSigningCert)) { //can not support this smart card
hr = SCARD_E_CARD_UNSUPPORTED; goto CLEANUP; } }
if(!FormatMessageUnicode(&pwszNewContainerName, L"\\\\.\\%1!s!\\%2!S!", pwszUserReaderName, sz)) { if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
hr = CodeToHR(GetLastError()); goto CLEANUP; }
*ppwszNewContainerName = pwszNewContainerName; pwszNewContainerName = NULL;
hr=S_OK;
CLEANUP:
if(pwszUserCSPName) SCrdEnrollFree(pwszUserCSPName);
if(sz) RpcStringFree((unsigned char **) &sz);
if(pvContext) EndReaderScan(&pvContext);
if(pwszNewContainerName) LocalFree((HLOCAL)pwszNewContainerName);
return hr;
} //-----------------------------------------------------------------------
//
// SignWithCert
//
// We sign a dummy message with the signing certificate so that
// the smart card insert cert dialogue will be prompted
//
//------------------------------------------------------------------------
BOOL SignWithCert(LPSTR pszCSPName, DWORD dwCSPType, PCCERT_CONTEXT pSigningCert){ BOOL fResult=FALSE; DWORD errBefore= GetLastError(); HRESULT hr=E_FAIL; CRYPT_SIGN_MESSAGE_PARA signMsgPara; DWORD cbData=0;
BYTE *pbData=NULL; IEnroll *pIEnroll=NULL; LPWSTR pwszCSPName=NULL; LPWSTR pwszOID=NULL; LPSTR pszOID=NULL;
char szMessage[] = "MyMessage"; LPSTR pszMessage = szMessage; BYTE* pbMessage = (BYTE*) pszMessage; DWORD cbMessage = sizeof(szMessage);
memset(&signMsgPara, 0, sizeof(CRYPT_SIGN_MESSAGE_PARA));
if(NULL == pszCSPName) goto InvalidArgErr;
pwszCSPName = MkWStr(pszCSPName);
if(NULL == pwszCSPName) goto MemoryErr;
//use xEnroll to get the correct hash algorithm for the
//CSP
if(NULL == (pIEnroll=PIEnrollGetNoCOM())) goto TraceErr;
//set the CSP information
if(S_OK != (hr=pIEnroll->put_ProviderType(dwCSPType))) goto SetErr;
if(S_OK !=(hr=pIEnroll->put_ProviderNameWStr(pwszCSPName))) goto SetErr;
if(S_OK != (hr=pIEnroll->get_HashAlgorithmWStr(&pwszOID))) goto SetErr;
if(!MkMBStr(NULL, 0, pwszOID, &pszOID)) goto TraceErr;
signMsgPara.cbSize = sizeof(CRYPT_SIGN_MESSAGE_PARA); signMsgPara.dwMsgEncodingType = X509_ASN_ENCODING | PKCS_7_ASN_ENCODING; signMsgPara.pSigningCert = pSigningCert; signMsgPara.HashAlgorithm.pszObjId = pszOID; signMsgPara.cMsgCert = 1; signMsgPara.rgpMsgCert = &pSigningCert;
cbData = 0;
if( !CryptSignMessage( &signMsgPara, FALSE, 1, (const BYTE **) &(pbMessage), &(cbMessage) , NULL, &cbData)|| (0 == cbData)) goto TraceErr;
pbData = (BYTE *)SCrdEnrollAlloc(cbData);
if(NULL == pbData) goto MemoryErr;
if( !CryptSignMessage( &signMsgPara, FALSE, 1, (const BYTE **) &(pbMessage), &(cbMessage) , pbData, &cbData)) goto TraceErr;
fResult=TRUE;
CommonReturn:
if(pbData) SCrdEnrollFree(pbData);
if(pwszCSPName) FreeWStr(pwszCSPName);
if(pszOID) FreeMBStr(NULL,pszOID);
//the memory from xEnroll is freed via LocalFree
//since we use the PIEnrollGetNoCOM function
if(pwszOID) LocalFree(pwszOID);
if(pIEnroll) pIEnroll->Release();
SetLastError(errBefore);
return fResult;
ErrorReturn: errBefore = GetLastError();
fResult=FALSE;
goto CommonReturn;
TRACE_ERROR(TraceErr);SET_ERROR(MemoryErr, E_OUTOFMEMORY);SET_ERROR(InvalidArgErr, E_INVALIDARG);SET_ERROR_VAR(SetErr, hr);}
//-----------------------------------------------------------------------
//
// GetSelectedUserName
//
//------------------------------------------------------------------------
HRESULT GetSelectedUserName(IDsObjectPicker *pDsObjectPicker, LPWSTR *ppwszSelectedUserSAM, LPWSTR *ppwszSelectedUserUPN){ HRESULT hr= E_FAIL; DWORD errBefore= GetLastError(); BOOL fGotStgMedium = FALSE; LPWSTR pwszPath=NULL; DWORD dwIndex =0 ; DWORD dwCount=0;
IDataObject *pdo = NULL; PDS_SELECTION_LIST pDsSelList=NULL; WCHAR wszWinNT[]=L"WinNT://";
STGMEDIUM stgmedium = { TYMED_HGLOBAL, NULL, NULL };
FORMATETC formatetc = { (CLIPFORMAT)g_cfDsObjectPicker, NULL, DVASPECT_CONTENT, -1, TYMED_HGLOBAL };
//input check
if((NULL == ppwszSelectedUserSAM) || (NULL == ppwszSelectedUserUPN)) goto InvalidArgErr;
*ppwszSelectedUserSAM = NULL; *ppwszSelectedUserUPN = NULL;
if(NULL == pDsObjectPicker) goto InvalidArgErr;
if(S_OK != (hr = pDsObjectPicker->InvokeDialog(NULL, &pdo))) goto SetErr;
if(S_OK != (hr = pdo->GetData(&formatetc, &stgmedium))) goto SetErr;
fGotStgMedium = TRUE;
pDsSelList = (PDS_SELECTION_LIST)GlobalLock(stgmedium.hGlobal);
if(!pDsSelList) goto TraceErr;
//Get the SAM name
if((pDsSelList->aDsSelection[0]).pwzADsPath == NULL) goto UnexpectedErr;
//the ADsPath is in the form of "WinNT://"
if(wcslen((pDsSelList->aDsSelection[0]).pwzADsPath) <= wcslen(wszWinNT)) goto UnexpectedErr;
if( 0 != _wcsnicmp((pDsSelList->aDsSelection[0]).pwzADsPath, wszWinNT, wcslen(wszWinNT))) goto UnexpectedErr;
pwszPath = ((pDsSelList->aDsSelection[0]).pwzADsPath) + wcslen(wszWinNT);
*ppwszSelectedUserSAM=CopyWideString(pwszPath);
if(NULL == (*ppwszSelectedUserSAM)) goto MemoryErr;
//search for the "/" and make it "\". Since the ADsPath is in the form
//of "WinNT://domain/name". We need the SAM name in the form of
//domain\name
dwCount = wcslen(*ppwszSelectedUserSAM);
for(dwIndex = 0; dwIndex < dwCount; dwIndex++) { if((*ppwszSelectedUserSAM)[dwIndex] == L'/') { (*ppwszSelectedUserSAM)[dwIndex] = L'\\'; break; } } //get the UPN name
if((pDsSelList->aDsSelection[0]).pwzUPN != NULL) {
if(0 != _wcsicmp(L"",(pDsSelList->aDsSelection[0]).pwzUPN)) {
*ppwszSelectedUserUPN= CopyWideString((pDsSelList->aDsSelection[0]).pwzUPN);
if(NULL == (*ppwszSelectedUserUPN)) goto MemoryErr;
//if we already have a UPN name, get the SAM name from TraslateName
if(*ppwszSelectedUserSAM) { SCrdEnrollFree(*ppwszSelectedUserSAM); *ppwszSelectedUserSAM=NULL; }
if(!GetName(*ppwszSelectedUserUPN, NameUserPrincipal, NameSamCompatible, ppwszSelectedUserSAM)) goto TraceErr; } }
hr=S_OK;
CommonReturn:
if(pDsSelList) GlobalUnlock(stgmedium.hGlobal);
if (TRUE == fGotStgMedium) ReleaseStgMedium(&stgmedium);
if(pdo) pdo->Release();
SetLastError(errBefore);
return hr;
ErrorReturn: if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
hr = CodeToHR(errBefore);
//we should free the memory for the output
if(ppwszSelectedUserSAM) { if(*ppwszSelectedUserSAM) { SCrdEnrollFree(*ppwszSelectedUserSAM); *ppwszSelectedUserSAM=NULL; } }
if(ppwszSelectedUserUPN) { if(*ppwszSelectedUserUPN) { SCrdEnrollFree(*ppwszSelectedUserUPN); *ppwszSelectedUserUPN=NULL; } }
goto CommonReturn;
SET_ERROR_VAR(SetErr, hr);SET_ERROR(MemoryErr, E_OUTOFMEMORY);TRACE_ERROR(TraceErr);SET_ERROR(UnexpectedErr, E_UNEXPECTED);SET_ERROR(InvalidArgErr, E_INVALIDARG);}
//-----------------------------------------------------------------------
//
// CodeToHR
//
//------------------------------------------------------------------------
HRESULT CodeToHR(HRESULT hr){ if (S_OK != hr && S_FALSE != hr && (!FAILED(hr) || 0x0 == (LONG)HRESULT_FACILITY(hr))) { hr = HRESULT_FROM_WIN32(hr); if (0x0 == (LONG)HRESULT_CODE(hr)) { // A call failed without properly setting an error condition!
hr = E_UNEXPECTED; } } return(hr);}
//-----------------------------------------------------------------------
//
// ValidCSP
//
//------------------------------------------------------------------------
BOOL ValidCSP(DWORD dwProviderType, LPWSTR pwszName){ HCRYPTPROV hProv=NULL; BOOL fValid=FALSE; DWORD dwImpType=0; DWORD dwSize=sizeof(dwImpType);
if(CryptAcquireContextU(&hProv, NULL, pwszName, dwProviderType, CRYPT_VERIFYCONTEXT)) {
if(CryptGetProvParam(hProv, PP_IMPTYPE, (BYTE *)(&dwImpType), &dwSize, 0)) { if(CRYPT_IMPL_REMOVABLE & dwImpType) fValid=TRUE; } }
if(hProv) CryptReleaseContext(hProv, 0);
return fValid;}
//-----------------------------------------------------------------------
//
// InitlializeCSPList
//
//------------------------------------------------------------------------
BOOL InitlializeCSPList(DWORD *pdwCSPCount, SCrdEnroll_CSP_INFO **prgCSPInfo){ BOOL fResult=FALSE; DWORD errBefore= GetLastError();
DWORD dwIndex=0; DWORD dwProviderType=0; DWORD cbSize=0;
SCrdEnroll_CSP_INFO *rgCSPInfo=NULL; LPWSTR pwszName=NULL;
*pdwCSPCount=0; *prgCSPInfo=NULL;
while(CryptEnumProvidersU( dwIndex, 0, 0, &dwProviderType, NULL, &cbSize)) {
pwszName=(LPWSTR)SCrdEnrollAlloc(cbSize);
if(NULL==pwszName) goto MemoryErr;
if(!CryptEnumProvidersU( dwIndex, 0, 0, &dwProviderType, pwszName, &cbSize)) goto TraceErr;
if(ValidCSP(dwProviderType, pwszName)) { rgCSPInfo=(SCrdEnroll_CSP_INFO *)SCrdEnrollRealloc(*prgCSPInfo, ((*pdwCSPCount) + 1) * sizeof(SCrdEnroll_CSP_INFO));
if(NULL==rgCSPInfo) goto MemoryErr;
*prgCSPInfo=rgCSPInfo;
memset(&(*prgCSPInfo)[*pdwCSPCount], 0, sizeof(SCrdEnroll_CSP_INFO));
(*prgCSPInfo)[*pdwCSPCount].pwszCSPName=pwszName; pwszName=NULL;
(*prgCSPInfo)[*pdwCSPCount].dwCSPType=dwProviderType;
(*pdwCSPCount)++; } else { SCrdEnrollFree(pwszName); pwszName=NULL; }
dwIndex++;
dwProviderType=0; cbSize=0; }
if((*pdwCSPCount == 0) || (*prgCSPInfo == NULL)) goto NoItemErr;
fResult=TRUE;
CommonReturn:
if(pwszName) SCrdEnrollFree(pwszName);
SetLastError(errBefore);
return fResult;
ErrorReturn: if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
//we need to free all the memory
FreeCSPInfo(*pdwCSPCount, *prgCSPInfo);
*pdwCSPCount=0; *prgCSPInfo=NULL;
goto CommonReturn;
SET_ERROR(MemoryErr, E_OUTOFMEMORY);TRACE_ERROR(TraceErr);SET_ERROR(NoItemErr,ERROR_NO_MORE_ITEMS);
}
//-----------------------------------------------------------------------
//
// FreeCSPInfo
//
//------------------------------------------------------------------------
void FreeCSPInfo(DWORD dwCSPCount, SCrdEnroll_CSP_INFO *prgCSPInfo){ DWORD dwIndex=0;
if(prgCSPInfo) { for(dwIndex=0; dwIndex < dwCSPCount; dwIndex++) { if(prgCSPInfo[dwIndex].pwszCSPName) SCrdEnrollFree(prgCSPInfo[dwIndex].pwszCSPName); }
SCrdEnrollFree(prgCSPInfo); }}
//-----------------------------------------------------------------------
//
// FreeCAInfoElement
//
//------------------------------------------------------------------------
void FreeCAInfoElement(SCrdEnroll_CA_INFO *pCAInfo){ if(pCAInfo) { if(pCAInfo->pwszCAName) SCrdEnrollFree(pCAInfo->pwszCAName);
if(pCAInfo->pwszCALocation) SCrdEnrollFree(pCAInfo->pwszCALocation);
if(pCAInfo->pwszCADisplayName) SCrdEnrollFree(pCAInfo->pwszCADisplayName);
memset(pCAInfo, 0, sizeof(SCrdEnroll_CA_INFO)); }}
//-----------------------------------------------------------------------
//
// FreeCAInfo
//
//------------------------------------------------------------------------
void FreeCAInfo(DWORD dwCACount, SCrdEnroll_CA_INFO *rgCAInfo){ DWORD dwIndex=0;
if(rgCAInfo) { for(dwIndex=0; dwIndex < dwCACount; dwIndex++) FreeCAInfoElement(&(rgCAInfo[dwIndex]));
SCrdEnrollFree(rgCAInfo); }}//-----------------------------------------------------------------------
//
// FreeCTInfoElement
//
//------------------------------------------------------------------------
void FreeCTInfoElement(SCrdEnroll_CT_INFO * pCTInfo){
if(pCTInfo) { if(pCTInfo->pCertTypeExtensions) CAFreeCertTypeExtensions(NULL,pCTInfo->pCertTypeExtensions);
if(pCTInfo->pwszCTName) SCrdEnrollFree(pCTInfo->pwszCTName);
if(pCTInfo->pwszCTDisplayName) SCrdEnrollFree(pCTInfo->pwszCTDisplayName);
if(pCTInfo->rgCAInfo) FreeCAInfo(pCTInfo->dwCACount, pCTInfo->rgCAInfo);
if (NULL != pCTInfo->rgpwszSupportedCSPs) { SCrdEnrollFree(pCTInfo->rgpwszSupportedCSPs); } memset(pCTInfo, 0, sizeof(SCrdEnroll_CT_INFO)); }}
//-----------------------------------------------------------------------
//
// FreeCTInfo(DWORD dwCTCount, SCrdEnroll_CT_INFO *rgCTInfo);
//
//------------------------------------------------------------------------
void FreeCTInfo(DWORD dwCTCount, SCrdEnroll_CT_INFO *rgCTInfo){ DWORD dwIndex=0;
if(rgCTInfo) { for(dwIndex=0; dwIndex < dwCTCount; dwIndex++) FreeCTInfoElement(&(rgCTInfo[dwIndex]));
SCrdEnrollFree(rgCTInfo); }}
//-----------------------------------------------------------------------
//
// GetCertTypeProperties
//
//------------------------------------------------------------------------
BOOL GetCertTypeProperties(HCERTTYPE hCurCertType, SCrdEnroll_CT_INFO *pCertInfo){
BOOL fResult=FALSE; DWORD errBefore= GetLastError(); HRESULT hr=S_OK; DWORD dwCertType=0; DWORD dwMinKeySize; DWORD dwEnrollmentFlags; DWORD dwSubjectNameFlags; DWORD dwPrivateKeyFlags; DWORD dwGeneralFlags; DWORD dwGenKeyFlags; LPWSTR *rgpwszSupportedCSPs = NULL;
LPWSTR *ppwszDisplayCertTypeName=NULL; LPWSTR *ppwszCertTypeName=NULL;
if((NULL==pCertInfo) || (NULL == hCurCertType)) goto InvalidArgErr; //
// Get all of the cert type flags.
//
// Get enrollment flags:
if (S_OK != (hr=MyCAGetCertTypeFlagsEx (hCurCertType, CERTTYPE_ENROLLMENT_FLAG, &pCertInfo->dwEnrollmentFlags))) goto CertCliErr; // Get subject name flags:
if (S_OK != (hr=MyCAGetCertTypeFlagsEx (hCurCertType, CERTTYPE_SUBJECT_NAME_FLAG, &pCertInfo->dwSubjectNameFlags))) goto CertCliErr;
// Get private key flags.
if(S_OK != (hr = MyCAGetCertTypeFlagsEx (hCurCertType, CERTTYPE_PRIVATE_KEY_FLAG, &pCertInfo->dwPrivateKeyFlags))) goto CertCliErr;
// Get general flags:
if (S_OK != (hr=MyCAGetCertTypeFlagsEx (hCurCertType, CERTTYPE_GENERAL_FLAG, &pCertInfo->dwGeneralFlags))) goto CertCliErr; //detremine machine boolean flag
pCertInfo->fMachine = (0x0 != (pCertInfo->dwGeneralFlags & CT_FLAG_MACHINE_TYPE)) ? TRUE : FALSE;
// Extract gen key flags from the type flags.
dwGenKeyFlags = 0; if (!(CertTypeFlagsToGenKeyFlags (pCertInfo->dwEnrollmentFlags, pCertInfo->dwSubjectNameFlags, pCertInfo->dwPrivateKeyFlags, pCertInfo->dwGeneralFlags, &pCertInfo->dwGenKeyFlags))) goto CertCliErr;
// Get key spec:
if(S_OK != (hr= CAGetCertTypeKeySpec(hCurCertType, &(pCertInfo->dwKeySpec)))) goto CertCliErr;
//get the display name of the cert type
hr=CAGetCertTypeProperty( hCurCertType, CERTTYPE_PROP_FRIENDLY_NAME, &ppwszDisplayCertTypeName);
if(S_OK != hr || NULL==ppwszDisplayCertTypeName) { if(S_OK == hr) hr=E_FAIL; goto CertCliErr; }
//copy the name
pCertInfo->pwszCTDisplayName=CopyWideString(ppwszDisplayCertTypeName[0]);
if(NULL==(pCertInfo->pwszCTDisplayName)) goto MemoryErr;
//get the machine readable name of the cert type
hr=CAGetCertTypeProperty( hCurCertType, CERTTYPE_PROP_DN, &ppwszCertTypeName);
if(S_OK != hr || NULL==ppwszCertTypeName) { if(S_OK == hr) hr=E_FAIL; goto CertCliErr; }
//copy the name
pCertInfo->pwszCTName=CopyWideString(ppwszCertTypeName[0]);
if(NULL==(pCertInfo->pwszCTName)) goto MemoryErr;
//copy the certType extensions
if(S_OK != (hr=CAGetCertTypeExtensions( hCurCertType, &(pCertInfo->pCertTypeExtensions)))) goto CertCliErr;
//copy csp list supported by template
hr = CAGetCertTypeProperty( hCurCertType, CERTTYPE_PROP_CSP_LIST, &rgpwszSupportedCSPs); if (S_OK != hr) { goto CertCliErr; } pCertInfo->rgpwszSupportedCSPs = CopyWideStrings(rgpwszSupportedCSPs); if (NULL == pCertInfo->rgpwszSupportedCSPs) { goto MemoryErr; } pCertInfo->dwCurrentCSP = 0; //first one
//
// Set V2 properties.
// If we're dealing with a v2 cert type, add v2 properties.
// Otherwise, insert defaults.
//
if (S_OK != (hr=MyCAGetCertTypePropertyEx (hCurCertType, CERTTYPE_PROP_SCHEMA_VERSION, &dwCertType))) goto CertCliErr;
if (dwCertType == CERTTYPE_SCHEMA_VERSION_1) { // Just a v1 cert type, it won't have v2 properties.
// Set left half-word of the type flags to 0. This means that
// that the min key size is not specified.
pCertInfo->dwGenKeyFlags &= 0x0000FFFF; pCertInfo->dwRASignature = 0; } else // We must have a v2 (or greater) cert type.
{ // Get the minimum key size of the cert type
if (S_OK != (hr=MyCAGetCertTypePropertyEx (hCurCertType, CERTTYPE_PROP_MIN_KEY_SIZE, (LPVOID)&dwMinKeySize))) goto CertCliErr;
// store the minimum key size in the left half-word of the
// type flags.
pCertInfo->dwGenKeyFlags = (dwMinKeySize << 16) | (pCertInfo->dwGenKeyFlags & 0x0000FFFF) ;
// Get the number of RA signatures required for this cert type.
if (S_OK != (hr=MyCAGetCertTypePropertyEx (hCurCertType, CERTTYPE_PROP_RA_SIGNATURE, (LPVOID)(&pCertInfo->dwRASignature)))) goto CertCliErr; } fResult=TRUE;
CommonReturn:
if(ppwszDisplayCertTypeName) CAFreeCertTypeProperty(hCurCertType, ppwszDisplayCertTypeName);
if(ppwszCertTypeName) CAFreeCertTypeProperty(hCurCertType, ppwszCertTypeName); if (NULL != rgpwszSupportedCSPs) { CAFreeCertTypeProperty(hCurCertType, rgpwszSupportedCSPs); }
SetLastError(errBefore);
return fResult;
ErrorReturn: if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
//in error case, free the memory and memset to 0
if(pCertInfo) FreeCTInfoElement(pCertInfo);
goto CommonReturn;
SET_ERROR(InvalidArgErr, E_INVALIDARG);SET_ERROR_VAR(CertCliErr, hr);SET_ERROR(MemoryErr, E_OUTOFMEMORY);}
//--------------------------------------------------------------------
//
// IsMachineCertType
//
//--------------------------------------------------------------------
BOOL IsMachineCertType(HCERTTYPE hCertType){ DWORD dwCertType=0;
if(S_OK != CAGetCertTypeFlags(hCertType, &dwCertType)) return FALSE;
if(CT_FLAG_MACHINE_TYPE & dwCertType) return TRUE;
return FALSE;}
//-----------------------------------------------------------------------
// Get a list of allowed cert types
//
//------------------------------------------------------------------------
/*BOOL GetAllowedCertTypeName(LPWSTR **pawszAllowedCertTypes)
{ DWORD dwErr=0; KEYSVC_TYPE dwServiceType=KeySvcMachine; DWORD cTypes=0; DWORD dwSize=0; CHAR szComputerName[MAX_COMPUTERNAME_LENGTH + 1]={0}; DWORD cbArray = 0; DWORD i=0; LPWSTR wszCurrentType; BOOL fResult=FALSE; KEYSVCC_HANDLE hKeyService=NULL; PKEYSVC_UNICODE_STRING pCertTypes = NULL;
dwSize=sizeof(szComputerName);
if(0==GetComputerNameA(szComputerName, &dwSize)) goto TraceErr; dwErr = KeyOpenKeyService(szComputerName, dwServiceType, NULL, NULL, // no authentication string right now
NULL, &hKeyService);
if(dwErr != ERROR_SUCCESS) { SetLastError(dwErr); goto TraceErr; }
dwErr = KeyEnumerateAvailableCertTypes(hKeyService, NULL, &cTypes, &pCertTypes); if(dwErr != ERROR_SUCCESS) { SetLastError(dwErr); goto TraceErr; }
cbArray = (cTypes+1)*sizeof(LPWSTR);
// Convert into a simple array
for(i=0; i < cTypes; i++) { cbArray += pCertTypes[i].Length; }
*pawszAllowedCertTypes = (LPWSTR *)SCrdEnrollAlloc(cbArray);
if(*pawszAllowedCertTypes == NULL) goto MemoryErr;
memset(*pawszAllowedCertTypes, 0, cbArray);
wszCurrentType = (LPWSTR)(&((*pawszAllowedCertTypes)[cTypes + 1])); for(i=0; i < cTypes; i++) { (*pawszAllowedCertTypes)[i] = wszCurrentType;
wcscpy(wszCurrentType, pCertTypes[i].Buffer);
wszCurrentType += wcslen(wszCurrentType)+1; }
fResult=TRUE;
CommonReturn:
//memory from the KeyService
if(pCertTypes) LocalFree((HLOCAL)pCertTypes);
if(hKeyService) KeyCloseKeyService(hKeyService, NULL);
return fResult;
ErrorReturn:
fResult=FALSE; goto CommonReturn;
TRACE_ERROR(TraceErr);SET_ERROR(MemoryErr, E_OUTOFMEMORY);} */
//--------------------------------------------------------------------
//
// CheckAccessPermission
//
//--------------------------------------------------------------------
BOOL CheckAccessPermission(HCERTTYPE hCertType){ //make sure the principal making this call has access to request
//this cert type, even if he's requesting on behalf of another.
//
HRESULT hr = S_OK; HANDLE hHandle = NULL; HANDLE hClientToken = NULL;
hHandle = GetCurrentThread(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else {
if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self
&hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } } if(hr != S_OK) { hHandle = GetCurrentProcess(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else { HANDLE hProcessToken = NULL; hr = S_OK;
if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } else { if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } CloseHandle(hProcessToken); } } }
if(hr == S_OK) {
hr = CACertTypeAccessCheck( hCertType, hClientToken);
CloseHandle(hClientToken); } if(hHandle) { CloseHandle(hHandle); }
return (S_OK == hr);}
//--------------------------------------------------------------------
//
// TokenCheckAccessPermission
//
//--------------------------------------------------------------------
BOOL TokenCheckAccessPermission(HANDLE hToken, HCERTTYPE hCertType){ HRESULT hr=E_FAIL;
if(hToken) { hr = CACertTypeAccessCheck( hCertType, hToken);
return (S_OK == hr);
}
return CheckAccessPermission(hCertType);}
//--------------------------------------------------------------------
//
// CheckCAPermission
//
//--------------------------------------------------------------------
BOOL CheckCAPermission(HCAINFO hCAInfo){ //make sure the principal making this call has access to request
//this cert type, even if he's requesting on behalf of another.
//
HRESULT hr = S_OK; HANDLE hHandle = NULL; HANDLE hClientToken = NULL;
hHandle = GetCurrentThread(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else {
if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self
&hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } } if(hr != S_OK) { hHandle = GetCurrentProcess(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else { HANDLE hProcessToken = NULL; hr = S_OK;
if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } else { if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } CloseHandle(hProcessToken); } } }
if(hr == S_OK) {
hr = CAAccessCheck( hCAInfo, hClientToken);
CloseHandle(hClientToken); } if(hHandle) { CloseHandle(hHandle); }
return (S_OK == hr);}
//--------------------------------------------------------------------
//
// TokenCheckCAPermission
//
//--------------------------------------------------------------------
BOOL TokenCheckCAPermission(HANDLE hToken, HCAINFO hCAInfo){ HRESULT hr=E_FAIL;
if(hToken) { hr = CAAccessCheck( hCAInfo, hToken);
return (S_OK == hr);
}
return CheckCAPermission(hCAInfo);}
//--------------------------------------------------------------------
//
// CheckSubjectRequirement
//
//--------------------------------------------------------------------
/*BOOL CheckSubjectRequirement(HCERTTYPE hCurCertType)
{ DWORD dwFlags=0;
//check the subject requirement of the cert type
if(S_OK != CAGetCertTypeFlags(hCurCertType, &dwFlags)) return FALSE;
if(CT_FLAG_IS_SUBJECT_REQ & dwFlags) return FALSE;
return TRUE;} */
//-----------------------------------------------------------------------
//
// GetCAProperties
//
//------------------------------------------------------------------------
BOOL GetCAProperties(HCAINFO hCurCAInfo, SCrdEnroll_CA_INFO *pCAInfo){ BOOL fResult=FALSE; DWORD errBefore= GetLastError(); HRESULT hr=S_OK;
LPWSTR *ppwszNameProp=NULL; LPWSTR *ppwszLocationProp=NULL; LPWSTR *ppwszDisplayNameProp=NULL;
//get the CAName
hr=CAGetCAProperty( hCurCAInfo, CA_PROP_NAME, &ppwszNameProp);
if((S_OK != hr) || (NULL==ppwszNameProp)) { if(!FAILED(hr)) hr=E_FAIL;
goto CertCliErr; }
pCAInfo->pwszCAName=CopyWideString(ppwszNameProp[0]);
if(NULL == pCAInfo->pwszCAName) goto MemoryErr;
//get the CADisplayName
hr=CAGetCAProperty( hCurCAInfo, CA_PROP_DISPLAY_NAME, &ppwszDisplayNameProp);
if((S_OK != hr) || (NULL==ppwszDisplayNameProp)) { if(!FAILED(hr)) hr=E_FAIL;
goto CertCliErr; }
pCAInfo->pwszCADisplayName=CopyWideString(ppwszDisplayNameProp[0]);
if(NULL == pCAInfo->pwszCADisplayName) goto MemoryErr;
//get the CA location
hr=CAGetCAProperty( hCurCAInfo, CA_PROP_DNSNAME, &ppwszLocationProp);
if((S_OK != hr) || (NULL==ppwszLocationProp)) { if(!FAILED(hr)) hr=E_FAIL;
goto CertCliErr; }
//copy the name
pCAInfo->pwszCALocation=CopyWideString(ppwszLocationProp[0]);
if(NULL == pCAInfo->pwszCALocation) goto MemoryErr;
fResult=TRUE;
CommonReturn:
if(ppwszNameProp) CAFreeCAProperty(hCurCAInfo, ppwszNameProp);
if(ppwszLocationProp) CAFreeCAProperty(hCurCAInfo, ppwszLocationProp);
if(ppwszDisplayNameProp) CAFreeCAProperty(hCurCAInfo, ppwszDisplayNameProp);
SetLastError(errBefore);
return fResult;
ErrorReturn: if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
//in error case, free the memory and memset to 0
if(pCAInfo) FreeCAInfoElement(pCAInfo);
goto CommonReturn;
SET_ERROR(MemoryErr, E_OUTOFMEMORY);SET_ERROR_VAR(CertCliErr, hr);}
//-----------------------------------------------------------------------
//
// GetCAInfoFromCertType
//
//------------------------------------------------------------------------
BOOL GetCAInfoFromCertType(HANDLE hToken, LPWSTR pwszCTName, DWORD *pdwValidCA, SCrdEnroll_CA_INFO **prgCAInfo){
BOOL fResult=FALSE; HRESULT hr=S_OK; DWORD errBefore= GetLastError();
DWORD dwCACount=0; DWORD dwValidCA=0; SCrdEnroll_CA_INFO *rgCAInfo=NULL;
HCAINFO hCurCAInfo=NULL; HCAINFO hPreCAInfo=NULL;
//init
*pdwValidCA=0; *prgCAInfo=NULL;
if(NULL == pwszCTName) goto InvalidArgErr;
hr = CAFindByCertType( pwszCTName, NULL, 0, &hCurCAInfo);
if( hr!=S_OK || NULL==hCurCAInfo) { if(S_OK == hr) hr=E_FAIL;
goto CertCliErr; }
//get the CA count
dwCACount=CACountCAs(hCurCAInfo);
if(0==dwCACount) { hr=E_FAIL; goto CertCliErr;
}
//allocate memory
rgCAInfo=(SCrdEnroll_CA_INFO *)SCrdEnrollAlloc(dwCACount * sizeof(SCrdEnroll_CA_INFO));
if(NULL == rgCAInfo) goto MemoryErr;
memset(rgCAInfo, 0, dwCACount * sizeof(SCrdEnroll_CA_INFO));
dwValidCA=0;
while(hCurCAInfo) {
//get the CA information
if(TokenCheckCAPermission(hToken, hCurCAInfo)) { if(GetCAProperties(hCurCAInfo, &(rgCAInfo[dwValidCA]))) { //increment the count
dwValidCA++; } }
//enum for the CA
hPreCAInfo=hCurCAInfo;
hr=CAEnumNextCA( hPreCAInfo, &hCurCAInfo);
//free the old CA Info
CACloseCA(hPreCAInfo); hPreCAInfo=NULL;
if((S_OK != hr) || (NULL==hCurCAInfo)) break; }
if( (0 == dwValidCA) || (NULL == rgCAInfo)) { hr=E_FAIL; goto CertCliErr; }
//copy the output data
*pdwValidCA=dwValidCA; *prgCAInfo=rgCAInfo;
fResult=TRUE;
CommonReturn:
if(hPreCAInfo) CACloseCA(hPreCAInfo);
if(hCurCAInfo) CACloseCA(hCurCAInfo);
SetLastError(errBefore);
return fResult;
ErrorReturn: if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
if(rgCAInfo) FreeCAInfo(dwValidCA, rgCAInfo);
//NULL the output
*pdwValidCA=0; *prgCAInfo=NULL;
goto CommonReturn;
SET_ERROR(MemoryErr, E_OUTOFMEMORY);SET_ERROR_VAR(CertCliErr, hr);SET_ERROR(InvalidArgErr, E_INVALIDARG);
}
//-----------------------------------------------------------------------
//
// InitializeCTList
//
//------------------------------------------------------------------------
BOOL InitializeCTList(DWORD *pdwCTIndex, DWORD *pdwCTCount, SCrdEnroll_CT_INFO **prgCTInfo){
BOOL fResult=FALSE; HRESULT hr=S_OK; DWORD errBefore= GetLastError();
HCERTTYPE hCurCertType=NULL; HCERTTYPE hPreCertType=NULL; DWORD dwCertTypeCount=0; DWORD dwIndex=0;
DWORD dwValidCertType=0; SCrdEnroll_CT_INFO * rgCTInfo=NULL;
HANDLE hThread=NULL; //no need to close
HANDLE hToken=NULL;
*pdwCTIndex=0; *pdwCTCount=0; *prgCTInfo=NULL;
//first of all, we need to revert to ourselves if we are under impersonation
hThread=GetCurrentThread(); if(NULL != hThread) { if(OpenThreadToken(hThread, TOKEN_IMPERSONATE | TOKEN_QUERY, FALSE, &hToken)) { if(hToken) { //no need to check for return here. If this failed, just go on
RevertToSelf(); } } }
//get the 1st CT, including both machine and user cert types
hr=CAEnumCertTypes(CT_ENUM_USER_TYPES | CT_ENUM_MACHINE_TYPES, &hCurCertType);
if((S_OK != hr) || (NULL==hCurCertType)) { if(S_OK != hr) hr=E_FAIL;
goto CertCliErr; }
//get the count of the cert types supported by this CA
dwCertTypeCount=CACountCertTypes(hCurCertType);
if(0==dwCertTypeCount) { hr=E_FAIL;
goto CertCliErr; }
//allocate memory
rgCTInfo=(SCrdEnroll_CT_INFO *)SCrdEnrollAlloc(dwCertTypeCount * sizeof(SCrdEnroll_CT_INFO));
if(NULL == rgCTInfo) goto MemoryErr;
memset(rgCTInfo, 0, dwCertTypeCount * sizeof(SCrdEnroll_CT_INFO));
dwValidCertType = 0;
while(hCurCertType) {
if(TokenCheckAccessPermission(hToken, hCurCertType) && GetCertTypeProperties(hCurCertType, &(rgCTInfo[dwValidCertType])) ) { dwValidCertType++; }
//enum for the next cert types
hPreCertType=hCurCertType;
hr=CAEnumNextCertType( hPreCertType, &hCurCertType);
//free the old cert type
CACloseCertType(hPreCertType); hPreCertType=NULL;
if((S_OK != hr) || (NULL==hCurCertType)) break; }
//now that we have find all the cert types, we need to find one cert
//that has the associated CA information
//if hToken, we are running as the certserv's ASP pages. We need to retrieve all the
// CA's information since we are in the revert to self mode.
if(NULL == hToken) { for(dwIndex=0; dwIndex < dwValidCertType; dwIndex++) { //we do not consider the machine cert types
if(TRUE == rgCTInfo[dwIndex].fMachine) continue; //mark that we have queried the CA information of the
//certType
rgCTInfo[dwIndex].fCAInfo=TRUE; if(GetCAInfoFromCertType(NULL, rgCTInfo[dwIndex].pwszCTName, &(rgCTInfo[dwIndex].dwCACount), &(rgCTInfo[dwIndex].rgCAInfo))) break; } if(dwIndex == dwValidCertType) { hr=E_FAIL; goto CertCliErr; } } else { for(dwIndex=0; dwIndex < dwValidCertType; dwIndex++) { //mark that we have queried the CA information of the
//certType
rgCTInfo[dwIndex].fCAInfo=TRUE; GetCAInfoFromCertType( hToken, rgCTInfo[dwIndex].pwszCTName, &(rgCTInfo[dwIndex].dwCACount), &(rgCTInfo[dwIndex].rgCAInfo)); } }
if((0 == dwValidCertType) || (NULL == rgCTInfo)) { hr=E_FAIL; goto CertCliErr; }
*pdwCTIndex=dwIndex; *pdwCTCount=dwValidCertType; *prgCTInfo=rgCTInfo;
fResult=TRUE;
CommonReturn:
if(hPreCertType) CACloseCertType(hPreCertType);
if(hCurCertType) CACloseCertType(hCurCertType);
//if hToken is valid, we reverted to ourselves.
if(hToken) { SetThreadToken(&hThread, hToken); CloseHandle(hToken); }
SetLastError(errBefore);
return fResult;
ErrorReturn: if(ERROR_SUCCESS == (errBefore = GetLastError())) errBefore=E_UNEXPECTED;
//free all the memory
if(rgCTInfo) FreeCTInfo(dwValidCertType, rgCTInfo);
//NULL the output
*pdwCTIndex=0; *pdwCTCount=0; *prgCTInfo=NULL;
goto CommonReturn;
SET_ERROR(MemoryErr, E_OUTOFMEMORY);SET_ERROR_VAR(CertCliErr, hr);}
//-----------------------------------------------------------------------
//
// RetrieveCAName
//
//------------------------------------------------------------------------
BOOL RetrieveCAName(DWORD dwFlags, SCrdEnroll_CA_INFO *pCAInfo, LPWSTR *ppwszName){ DWORD dwSize = 0; BOOL fResult=FALSE;
if(NULL == ppwszName) goto InvalidArgErr;
if(dwFlags == SCARD_ENROLL_CA_MACHINE_NAME) *ppwszName = CopyWideString(pCAInfo->pwszCALocation); else { if(dwFlags == SCARD_ENROLL_CA_DISPLAY_NAME) *ppwszName = CopyWideString(pCAInfo->pwszCADisplayName); else { if(dwFlags == SCARD_ENROLL_CA_UNIQUE_NAME) { dwSize = wcslen(pCAInfo->pwszCALocation) + wcslen(pCAInfo->pwszCADisplayName) + wcslen(L"\\") + 2;
*ppwszName = (LPWSTR)SCrdEnrollAlloc(sizeof(WCHAR) * dwSize); if(NULL == (*ppwszName)) goto MemoryErr;
wcscpy(*ppwszName, pCAInfo->pwszCALocation); wcscat(*ppwszName, L"\\"); wcscat(*ppwszName, pCAInfo->pwszCADisplayName); } else *ppwszName = CopyWideString(pCAInfo->pwszCAName);
} }
if(NULL == (*ppwszName)) goto MemoryErr;
fResult=TRUE;
CommonReturn:
return fResult;
ErrorReturn:
fResult=FALSE;
goto CommonReturn;
SET_ERROR(InvalidArgErr, E_INVALIDARG);SET_ERROR(MemoryErr, E_OUTOFMEMORY);}
|
