archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pki/certstor/certhlpr.cpp

5284 lines
166 KiB
Raw Normal View History

commiting as it is
4 years ago
  2. //+-------------------------------------------------------------------------
  3. //
  4. // Microsoft Windows
  5. //
  6. // Copyright (C) Microsoft Corporation, 1995 - 1999
  7. //
  8. // File: certhlpr.cpp
  9. //
  10. // Contents: Certificate and CRL Helper APIs
  11. //
  12. // Functions: CertHelperDllMain
  13. // I_CryptGetDefaultCryptProv
  14. // I_CryptGetDefaultCryptProvForEncrypt
  15. // CertCompareIntegerBlob
  16. // CertCompareCertificate
  17. // CertCompareCertificateName
  18. // CertIsRDNAttrsInCertificateName
  19. // CertComparePublicKeyInfo
  20. // CryptVerifyCertificateSignature
  21. // CryptHashCertificate
  22. // CryptHashToBeSigned
  23. // CryptSignCertificate
  24. // CryptSignAndEncodeCertificate
  25. // CertVerifyTimeValidity
  26. // CertVerifyCRLTimeValidity
  27. // CertVerifyValidityNesting
  28. // CertVerifyCRLRevocation
  29. // CertAlgIdToOID
  30. // CertOIDToAlgId
  31. // CertFindExtension
  32. // CertFindAttribute
  33. // CertFindRDNAttr
  34. // CertGetIntendedKeyUsage
  35. // CertGetPublicKeyLength
  36. // CryptHashPublicKeyInfo
  37. //
  38. // I_CertCompareCertAndProviderPublicKey
  39. // CryptFindCertificateKeyProvInfo
  40. //
  41. // CryptCreatePublicKeyInfo
  42. // CryptConvertPublicKeyInfo
  43. // CryptExportPublicKeyInfo
  44. // CryptExportPublicKeyInfoEx
  45. // CryptImportPublicKeyInfo
  46. // CryptImportPublicKeyInfoEx
  47. // CryptCreateKeyIdentifierFromCSP
  48. //
  49. // CryptInstallDefaultContext
  50. // CryptUninstallDefaultContext
  51. //
  52. // History: 23-Feb-96 philh created
  53. //--------------------------------------------------------------------------
  55. #include "global.hxx"
  56. #include <dbgdef.h>
  58. // All the *pvInfo extra stuff needs to be aligned
  59. #define INFO_LEN_ALIGN(Len) ((Len + 7) & ~7)
  61. #define NULL_ASN_TAG 0x05
  63. //+=========================================================================
  64. // CryptCreatePublicKeyInfo, EncodePublicKeyAndParameters
  65. // and CryptConvertPublicKeyInfo functions
  66. //-=========================================================================
  68. // The following should be moved to wincrypt.x
  70. // If CRYPT_ALLOC_FLAG is set, *pvPubKeyInfo is updated with a LocalAlloc'ed
  71. // pointer to a CERT_PUBLIC_KEY_INFO data structure which must be freed by
  72. // calling LocalFree. Otherwise, pvPubKeyInfo points to a user allocated
  73. // CERT_PUBLIC_KEY_INFO data structure which is updated.
  74. WINCRYPT32API
  75. BOOL
  76. WINAPI
  77. CryptCreatePublicKeyInfo(
  78. IN DWORD dwCertEncodingType,
  79. IN OPTIONAL LPCSTR pszPubKeyOID,
  80. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  81. IN DWORD cbPubKeyStruc,
  82. IN DWORD dwFlags,
  83. IN OPTIONAL void *pvReserved,
  84. OUT void *pvPubKeyInfo,
  85. IN OUT DWORD *pcbPubKeyInfo
  86. );
  88. #define CRYPT_ALLOC_FLAG 0x8000
  91. #define CRYPT_OID_ENCODE_PUBLIC_KEY_AND_PARAMETERS_FUNC \
  92. "CryptDllEncodePublicKeyAndParameters"
  94. // The returned encoded public keys and parameters are LocalAlloc'ed.
  95. typedef BOOL (WINAPI *PFN_CRYPT_ENCODE_PUBLIC_KEY_AND_PARAMETERS)(
  96. IN DWORD dwCertEncodingType,
  97. IN OPTIONAL LPCSTR pszPubKeyOID,
  98. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  99. IN DWORD cbPubKeyStruc,
  100. IN DWORD dwFlags,
  101. IN OPTIONAL void *pvReserved,
  102. OUT BYTE **ppbEncodedPubKey,
  103. OUT DWORD *pcbEncodedPubKey,
  104. OUT BYTE **ppbEncodedParameters,
  105. OUT DWORD *pcbEncodedParameters
  106. );
  108. // If CRYPT_ALLOC_FLAG is set, *pvPubKeyStruc is updated with a LocalAlloc'ed
  109. // pointer to a PUBLICKEYSTRUC data structure which must be freed by calling
  110. // LocalFree. Otherwise, pvPubKeyStruc points to a user allocated
  111. // PUBLICKEYSTRUC data structure which is updated.
  112. WINCRYPT32API
  113. BOOL
  114. WINAPI
  115. CryptConvertPublicKeyInfo(
  116. IN DWORD dwCertEncodingType,
  117. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  118. IN DWORD dwFlags,
  119. IN OPTIONAL void *pvReserved,
  120. OUT void *pvPubKeyStruc,
  121. IN OUT DWORD *pcbPubKeyStruc
  122. );
  125. #define CRYPT_OID_CONVERT_PUBLIC_KEY_INFO_FUNC "CryptDllConvertPublicKeyInfo"
  127. typedef BOOL (WINAPI *PFN_CRYPT_CONVERT_PUBLIC_KEY_INFO)(
  128. IN DWORD dwCertEncodingType,
  129. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  130. IN DWORD dwFlags,
  131. IN OPTIONAL void *pvReserved,
  132. OUT void *pvPubKeyStruc,
  133. IN OUT DWORD *pcbPubKeyStruc
  134. );
  136. // End of what should be moved to wincrypt.x
  138. static HCRYPTOIDFUNCSET hEncodePubKeyFuncSet;
  139. static HCRYPTOIDFUNCSET hConvertPubKeyFuncSet;
  141. //+-------------------------------------------------------------------------
  142. // Encode the RSA public key and parameters
  143. //--------------------------------------------------------------------------
  144. static BOOL WINAPI EncodeRSAPublicKeyAndParameters(
  145. IN DWORD dwCertEncodingType,
  146. IN OPTIONAL LPCSTR pszPubKeyOID,
  147. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  148. IN DWORD cbPubKeyStruc,
  149. IN DWORD dwFlags,
  150. IN OPTIONAL void *pvReserved,
  151. OUT BYTE **ppbEncodedPubKey,
  152. OUT DWORD *pcbEncodedPubKey,
  153. OUT BYTE **ppbEncodedParameters,
  154. OUT DWORD *pcbEncodedParameters
  155. );
  157. //+-------------------------------------------------------------------------
  158. // Convert as an RSA public key
  159. //--------------------------------------------------------------------------
  160. static BOOL WINAPI ConvertRSAPublicKeyInfo(
  161. IN DWORD dwCertEncodingType,
  162. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  163. IN DWORD dwFlags,
  164. IN OPTIONAL void *pvReserved,
  165. OUT void *pvPubKeyStruc,
  166. IN OUT DWORD *pcbPubKeyStruc
  167. );
  169. //+-------------------------------------------------------------------------
  170. // Encode the DSS public key and parameters
  171. //--------------------------------------------------------------------------
  172. static BOOL WINAPI EncodeDSSPublicKeyAndParameters(
  173. IN DWORD dwCertEncodingType,
  174. IN OPTIONAL LPCSTR pszPubKeyOID,
  175. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  176. IN DWORD cbPubKeyStruc,
  177. IN DWORD dwFlags,
  178. IN OPTIONAL void *pvReserved,
  179. OUT BYTE **ppbEncodedPubKey,
  180. OUT DWORD *pcbEncodedPubKey,
  181. OUT BYTE **ppbEncodedParameters,
  182. OUT DWORD *pcbEncodedParameters
  183. );
  185. //+-------------------------------------------------------------------------
  186. // Convert as an DSS public key
  187. //--------------------------------------------------------------------------
  188. static BOOL WINAPI ConvertDSSPublicKeyInfo(
  189. IN DWORD dwCertEncodingType,
  190. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  191. IN DWORD dwFlags,
  192. IN OPTIONAL void *pvReserved,
  193. OUT void *pvPubKeyStruc,
  194. IN OUT DWORD *pcbPubKeyStruc
  195. );
  197. //+-------------------------------------------------------------------------
  198. // Encode the RSA DH public key and parameters
  199. //--------------------------------------------------------------------------
  200. static BOOL WINAPI EncodeRSADHPublicKeyAndParameters(
  201. IN DWORD dwCertEncodingType,
  202. IN OPTIONAL LPCSTR pszPubKeyOID,
  203. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  204. IN DWORD cbPubKeyStruc,
  205. IN DWORD dwFlags,
  206. IN OPTIONAL void *pvReserved,
  207. OUT BYTE **ppbEncodedPubKey,
  208. OUT DWORD *pcbEncodedPubKey,
  209. OUT BYTE **ppbEncodedParameters,
  210. OUT DWORD *pcbEncodedParameters
  211. );
  213. //+-------------------------------------------------------------------------
  214. // Encode the X942 DH public key and parameters
  215. //--------------------------------------------------------------------------
  216. static BOOL WINAPI EncodeX942DHPublicKeyAndParameters(
  217. IN DWORD dwCertEncodingType,
  218. IN OPTIONAL LPCSTR pszPubKeyOID,
  219. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  220. IN DWORD cbPubKeyStruc,
  221. IN DWORD dwFlags,
  222. IN OPTIONAL void *pvReserved,
  223. OUT BYTE **ppbEncodedPubKey,
  224. OUT DWORD *pcbEncodedPubKey,
  225. OUT BYTE **ppbEncodedParameters,
  226. OUT DWORD *pcbEncodedParameters
  227. );
  229. static const CRYPT_OID_FUNC_ENTRY EncodePubKeyFuncTable[] = {
  230. szOID_RSA_RSA, EncodeRSAPublicKeyAndParameters,
  231. szOID_OIWSEC_rsaXchg, EncodeRSAPublicKeyAndParameters,
  232. szOID_OIWSEC_dsa, EncodeDSSPublicKeyAndParameters,
  233. szOID_X957_DSA, EncodeDSSPublicKeyAndParameters,
  234. szOID_ANSI_X942_DH, EncodeX942DHPublicKeyAndParameters,
  235. szOID_RSA_DH, EncodeRSADHPublicKeyAndParameters,
  236. };
  237. #define ENCODE_PUB_KEY_FUNC_COUNT (sizeof(EncodePubKeyFuncTable) / \
  238. sizeof(EncodePubKeyFuncTable[0]))
  240. static const CRYPT_OID_FUNC_ENTRY ConvertPubKeyFuncTable[] = {
  241. szOID_RSA_RSA, ConvertRSAPublicKeyInfo,
  242. szOID_OIWSEC_rsaXchg, ConvertRSAPublicKeyInfo,
  243. szOID_OIWSEC_dsa, ConvertDSSPublicKeyInfo,
  244. szOID_X957_DSA, ConvertDSSPublicKeyInfo,
  245. };
  246. #define CONVERT_PUB_KEY_FUNC_COUNT (sizeof(ConvertPubKeyFuncTable) / \
  247. sizeof(ConvertPubKeyFuncTable[0]))
  250. //+=========================================================================
  251. // CryptExportPublicKeyInfoEx and CryptImportPublicKeyInfoEx OID
  252. // installable functions.
  253. //-=========================================================================
  255. typedef BOOL (WINAPI *PFN_EXPORT_PUB_KEY_FUNC) (
  256. IN HCRYPTPROV hCryptProv,
  257. IN DWORD dwKeySpec,
  258. IN DWORD dwCertEncodingType,
  259. IN LPSTR pszPublicKeyObjId,
  260. IN DWORD dwFlags,
  261. IN OPTIONAL void *pvAuxInfo,
  262. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  263. IN OUT DWORD *pcbInfo
  264. );
  266. typedef BOOL (WINAPI *PFN_IMPORT_PUB_KEY_FUNC) (
  267. IN HCRYPTPROV hCryptProv,
  268. IN DWORD dwCertEncodingType,
  269. IN PCERT_PUBLIC_KEY_INFO pInfo,
  270. IN ALG_ID aiKeyAlg,
  271. IN DWORD dwFlags,
  272. IN OPTIONAL void *pvAuxInfo,
  273. OUT HCRYPTKEY *phKey
  274. );
  276. static HCRYPTOIDFUNCSET hExportPubKeyFuncSet;
  277. static HCRYPTOIDFUNCSET hImportPubKeyFuncSet;
  280. //+-------------------------------------------------------------------------
  281. // Default CryptProvs. Once acquired, not released until ProcessDetach.
  282. //--------------------------------------------------------------------------
  283. #define DEFAULT_RSA_CRYPT_PROV 0
  284. #define DEFAULT_DSS_CRYPT_PROV 1
  285. #define DEFAULT_ENCRYPT_BASE_RSA_CRYPT_PROV 2
  286. #define DEFAULT_ENCRYPT_ENH_RSA_CRYPT_PROV 3
  287. #define DEFAULT_ENCRYPT_DH_CRYPT_PROV 4
  288. #define DEFAULT_CRYPT_PROV_CNT 5
  290. static HCRYPTPROV rghDefaultCryptProv[DEFAULT_CRYPT_PROV_CNT];
  291. static CRITICAL_SECTION DefaultCryptProvCriticalSection;
  293. typedef struct _ENCRYPT_ALG_INFO ENCRYPT_ALG_INFO, *PENCRYPT_ALG_INFO;
  294. struct _ENCRYPT_ALG_INFO {
  295. ALG_ID aiAlgid;
  296. DWORD dwMinLen;
  297. DWORD dwMaxLen;
  298. PENCRYPT_ALG_INFO pNext;
  299. };
  301. static BOOL fLoadedRSAEncryptAlgInfo = FALSE;
  302. static PENCRYPT_ALG_INFO pRSAEncryptAlgInfoHead = NULL;
  304. //+=========================================================================
  305. // DefaultContext Function Forward References and Data Structures
  306. //-=========================================================================
  308. //
  309. // dwDefaultTypes:
  310. // CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID (pvDefaultPara :== pszOID)
  311. BOOL
  312. WINAPI
  313. I_CryptGetDefaultContext(
  314. IN DWORD dwDefaultType,
  315. IN const void *pvDefaultPara,
  316. OUT HCRYPTPROV *phCryptProv,
  317. OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
  318. );
  320. // hDefaultContext is only NON-null for Process default context
  321. void
  322. WINAPI
  323. I_CryptFreeDefaultContext(
  324. HCRYPTDEFAULTCONTEXT hDefaultContext
  325. );
  327. typedef struct _DEFAULT_CONTEXT DEFAULT_CONTEXT, *PDEFAULT_CONTEXT;
  328. struct _DEFAULT_CONTEXT {
  329. HCRYPTPROV hCryptProv;
  330. DWORD dwDefaultType;
  331. union {
  332. // CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID (note, converted to MULTI_)
  333. // CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID
  334. PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pOIDDefaultPara;
  335. };
  337. DWORD dwFlags;
  338. PDEFAULT_CONTEXT pNext;
  339. PDEFAULT_CONTEXT pPrev;
  341. // Following applicable to Process DefaultContext
  342. LONG lRefCnt;
  343. HANDLE hWait;
  344. };
  346. static BOOL fHasThreadDefaultContext;
  347. static HCRYPTTLS hTlsDefaultContext;
  349. static BOOL fHasProcessDefaultContext;
  350. static CRITICAL_SECTION DefaultContextCriticalSection;
  351. static PDEFAULT_CONTEXT pProcessDefaultContextHead;
  354. //+-------------------------------------------------------------------------
  355. // Default CryptProv: initialization and free
  356. //--------------------------------------------------------------------------
  357. static BOOL InitDefaultCryptProv()
  358. {
  359. return Pki_InitializeCriticalSection(&DefaultCryptProvCriticalSection);
  360. }
  361. static void FreeDefaultCryptProv()
  362. {
  363. PENCRYPT_ALG_INFO pAlgInfo;
  365. DWORD cProv = DEFAULT_CRYPT_PROV_CNT;
  366. while (cProv--) {
  367. HCRYPTPROV hProv = rghDefaultCryptProv[cProv];
  368. if (hProv)
  369. CryptReleaseContext(hProv, 0);
  370. }
  372. pAlgInfo = pRSAEncryptAlgInfoHead;
  373. while (pAlgInfo) {
  374. PENCRYPT_ALG_INFO pDeleteAlgInfo = pAlgInfo;
  375. pAlgInfo = pAlgInfo->pNext;
  376. PkiFree(pDeleteAlgInfo);
  377. }
  379. DeleteCriticalSection(&DefaultCryptProvCriticalSection);
  380. }
  382. static
  383. VOID
  384. WINAPI
  385. DetachDefaultContext(
  386. IN LPVOID pv
  387. )
  388. {
  389. PDEFAULT_CONTEXT pDefaultContext = (PDEFAULT_CONTEXT) pv;
  391. while (pDefaultContext) {
  392. PDEFAULT_CONTEXT pFree = pDefaultContext;
  393. pDefaultContext = pDefaultContext->pNext;
  394. if (pFree->dwFlags & CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG)
  395. CryptReleaseContext(pFree->hCryptProv, 0);
  396. PkiFree(pFree);
  397. }
  398. }
  400. //+-------------------------------------------------------------------------
  401. // Dll initialization
  402. //--------------------------------------------------------------------------
  403. BOOL
  404. WINAPI
  405. CertHelperDllMain(
  406. HMODULE hInst,
  407. ULONG ulReason,
  408. LPVOID lpReserved)
  409. {
  410. BOOL fRet;
  412. switch (ulReason) {
  413. case DLL_PROCESS_ATTACH:
  414. // Public key function setup
  415. if (NULL == (hExportPubKeyFuncSet = CryptInitOIDFunctionSet(
  416. CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC,
  417. 0)))
  418. goto CryptInitOIDFunctionSetError;
  419. if (NULL == (hImportPubKeyFuncSet = CryptInitOIDFunctionSet(
  420. CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC,
  421. 0)))
  422. goto CryptInitOIDFunctionSetError;
  424. if (NULL == (hEncodePubKeyFuncSet = CryptInitOIDFunctionSet(
  425. CRYPT_OID_ENCODE_PUBLIC_KEY_AND_PARAMETERS_FUNC,
  426. 0)))
  427. goto CryptInitOIDFunctionSetError;
  428. if (NULL == (hConvertPubKeyFuncSet = CryptInitOIDFunctionSet(
  429. CRYPT_OID_CONVERT_PUBLIC_KEY_INFO_FUNC,
  430. 0)))
  431. goto CryptInitOIDFunctionSetError;
  433. if (!CryptInstallOIDFunctionAddress(
  434. NULL, // hModule
  435. X509_ASN_ENCODING,
  436. CRYPT_OID_ENCODE_PUBLIC_KEY_AND_PARAMETERS_FUNC,
  437. ENCODE_PUB_KEY_FUNC_COUNT,
  438. EncodePubKeyFuncTable,
  439. 0)) // dwFlags
  440. goto CryptInstallOIDFunctionAddressError;
  441. if (!CryptInstallOIDFunctionAddress(
  442. NULL, // hModule
  443. X509_ASN_ENCODING,
  444. CRYPT_OID_CONVERT_PUBLIC_KEY_INFO_FUNC,
  445. CONVERT_PUB_KEY_FUNC_COUNT,
  446. ConvertPubKeyFuncTable,
  447. 0)) // dwFlags
  448. goto CryptInstallOIDFunctionAddressError;
  450. if (!InitDefaultCryptProv())
  451. goto InitDefaultCryptProvError;
  453. if (!Pki_InitializeCriticalSection(&DefaultContextCriticalSection))
  454. goto InitCritSectionError;
  456. if (NULL == (hTlsDefaultContext = I_CryptAllocTls()))
  457. goto CryptAllocTlsError;
  458. break;
  461. case DLL_PROCESS_DETACH:
  462. FreeDefaultCryptProv();
  464. while (pProcessDefaultContextHead) {
  465. PDEFAULT_CONTEXT pFree = pProcessDefaultContextHead;
  466. pProcessDefaultContextHead = pProcessDefaultContextHead->pNext;
  467. if (pFree->dwFlags & CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG)
  468. CryptReleaseContext(pFree->hCryptProv, 0);
  469. PkiFree(pFree);
  470. }
  471. DeleteCriticalSection(&DefaultContextCriticalSection);
  472. I_CryptFreeTls(hTlsDefaultContext, DetachDefaultContext);
  473. break;
  475. case DLL_THREAD_DETACH:
  476. DetachDefaultContext(I_CryptDetachTls(hTlsDefaultContext));
  477. break;
  479. default:
  480. break;
  481. }
  483. fRet = TRUE;
  484. CommonReturn:
  485. return fRet;
  487. CryptAllocTlsError:
  488. DeleteCriticalSection(&DefaultContextCriticalSection);
  489. InitCritSectionError:
  490. FreeDefaultCryptProv();
  491. ErrorReturn:
  492. fRet = FALSE;
  493. goto CommonReturn;
  494. TRACE_ERROR(InitDefaultCryptProvError)
  495. TRACE_ERROR(CryptInitOIDFunctionSetError)
  496. TRACE_ERROR(CryptInstallOIDFunctionAddressError)
  498. }
  501. //+-------------------------------------------------------------------------
  502. // Acquire default CryptProv according to the public key algorithm supported
  503. // by the provider type. The provider is acquired with only
  504. // CRYPT_VERIFYCONTEXT.
  505. //
  506. // Setting aiPubKey to 0, gets the default provider for RSA_FULL.
  507. //
  508. // Note, the returned CryptProv must not be released. Once acquired, the
  509. // CryptProv isn't released until ProcessDetach. This allows the returned
  510. // CryptProvs to be shared.
  511. //--------------------------------------------------------------------------
  512. HCRYPTPROV
  513. WINAPI
  514. I_CryptGetDefaultCryptProv(
  515. IN ALG_ID aiPubKey
  516. )
  517. {
  518. HCRYPTPROV hProv;
  519. DWORD dwProvType;
  520. DWORD dwDefaultProvIndex;
  522. switch (aiPubKey) {
  523. case 0:
  524. case CALG_RSA_SIGN:
  525. case CALG_RSA_KEYX:
  526. case CALG_NO_SIGN:
  527. dwProvType = PROV_RSA_FULL;
  528. dwDefaultProvIndex = DEFAULT_RSA_CRYPT_PROV;
  529. break;
  530. case CALG_DSS_SIGN:
  531. dwProvType = PROV_DSS_DH;
  532. dwDefaultProvIndex = DEFAULT_DSS_CRYPT_PROV;
  533. break;
  534. default:
  535. SetLastError((DWORD) E_INVALIDARG);
  536. return 0;
  537. }
  539. hProv = rghDefaultCryptProv[dwDefaultProvIndex];
  541. if (0 == hProv) {
  542. EnterCriticalSection(&DefaultCryptProvCriticalSection);
  543. hProv = rghDefaultCryptProv[dwDefaultProvIndex];
  544. if (0 == hProv) {
  545. if (!CryptAcquireContext(
  546. &hProv,
  547. NULL, // pszContainer
  548. NULL, // pszProvider,
  549. dwProvType,
  550. CRYPT_VERIFYCONTEXT // dwFlags
  551. )) {
  552. hProv = 0; // CAPI bug, sets hCryptProv to nonzero
  553. if (DEFAULT_DSS_CRYPT_PROV == dwDefaultProvIndex) {
  554. if (!CryptAcquireContext(
  555. &hProv,
  556. NULL, // pszContainer
  557. NULL, // pszProvider,
  558. PROV_DSS,
  559. CRYPT_VERIFYCONTEXT // dwFlags
  560. ))
  561. hProv = 0; // CAPI bug, sets hCryptProv to nonzero
  562. }
  563. }
  564. rghDefaultCryptProv[dwDefaultProvIndex] = hProv;
  565. }
  566. LeaveCriticalSection(&DefaultCryptProvCriticalSection);
  567. }
  568. return hProv;
  569. }
  572. // Note, PP_ENUMALGS_EX returns the bit range. However, this parameter type
  573. // may not be supported by all CSPs. If this fails, try PP_ENUMALGS which only
  574. // returns a single, default bit length.
  575. static void LoadRSAEncryptAlgInfo()
  576. {
  577. EnterCriticalSection(&DefaultCryptProvCriticalSection);
  579. if (!fLoadedRSAEncryptAlgInfo) {
  580. HCRYPTPROV hProv;
  581. if (hProv = I_CryptGetDefaultCryptProv(CALG_RSA_KEYX)) {
  582. DWORD dwFlags = CRYPT_FIRST;
  583. BOOL fEx = TRUE;
  585. while (TRUE) {
  586. ENCRYPT_ALG_INFO AlgInfo;
  587. PENCRYPT_ALG_INFO pAllocAlgInfo;
  589. if (fEx) {
  590. PROV_ENUMALGS_EX Data;
  591. DWORD cbData = sizeof(Data);
  593. if (!CryptGetProvParam(
  594. hProv,
  595. PP_ENUMALGS_EX,
  596. (BYTE *) &Data,
  597. &cbData,
  598. dwFlags
  599. )) {
  600. if (0 != dwFlags) {
  601. // Try PP_ENUMALGS
  602. fEx = FALSE;
  603. continue;
  604. } else
  605. break;
  606. }
  607. AlgInfo.aiAlgid = Data.aiAlgid;
  608. AlgInfo.dwMinLen = Data.dwMinLen;
  609. AlgInfo.dwMaxLen = Data.dwMaxLen;
  610. } else {
  611. PROV_ENUMALGS Data;
  612. DWORD cbData = sizeof(Data);
  614. if (!CryptGetProvParam(
  615. hProv,
  616. PP_ENUMALGS,
  617. (BYTE *) &Data,
  618. &cbData,
  619. dwFlags
  620. ))
  621. break;
  622. // Only know about a single length
  623. AlgInfo.aiAlgid = Data.aiAlgid;
  624. AlgInfo.dwMinLen = Data.dwBitLen;
  625. AlgInfo.dwMaxLen = Data.dwBitLen;
  626. }
  628. dwFlags = 0; // CRYPT_NEXT
  630. // Only interested in encrypt algorithms
  631. if (ALG_CLASS_DATA_ENCRYPT != GET_ALG_CLASS(AlgInfo.aiAlgid))
  632. continue;
  634. if (NULL == (pAllocAlgInfo = (PENCRYPT_ALG_INFO)
  635. PkiNonzeroAlloc(sizeof(ENCRYPT_ALG_INFO))))
  636. break;
  637. AlgInfo.pNext = pRSAEncryptAlgInfoHead;
  638. memcpy(pAllocAlgInfo, &AlgInfo, sizeof(*pAllocAlgInfo));
  639. pRSAEncryptAlgInfoHead = pAllocAlgInfo;
  640. }
  641. }
  643. fLoadedRSAEncryptAlgInfo = TRUE;
  644. }
  645. LeaveCriticalSection(&DefaultCryptProvCriticalSection);
  646. }
  648. static BOOL IsDefaultRSACryptProvForEncrypt(
  649. IN ALG_ID aiEncrypt,
  650. IN DWORD dwBitLen
  651. )
  652. {
  653. PENCRYPT_ALG_INFO pInfo;
  654. if (!fLoadedRSAEncryptAlgInfo)
  655. LoadRSAEncryptAlgInfo();
  657. if (0 == dwBitLen && (CALG_RC2 == aiEncrypt || CALG_RC4 == aiEncrypt))
  658. dwBitLen = 40;
  660. for (pInfo = pRSAEncryptAlgInfoHead; pInfo; pInfo = pInfo->pNext) {
  661. if (aiEncrypt == pInfo->aiAlgid) {
  662. if (0 == dwBitLen || (pInfo->dwMinLen <= dwBitLen &&
  663. dwBitLen <= pInfo->dwMaxLen))
  664. return TRUE;
  665. }
  666. }
  668. return FALSE;
  669. }
  672. //+-------------------------------------------------------------------------
  673. // Acquire default CryptProv according to the public key algorithm, encrypt
  674. // key algorithm and encrypt key length supported by the provider type.
  675. //
  676. // dwBitLen = 0, assumes the aiEncrypt's default bit length. For example,
  677. // CALG_RC2 has a default bit length of 40.
  678. //
  679. // Note, the returned CryptProv must not be released. Once acquired, the
  680. // CryptProv isn't released until ProcessDetach. This allows the returned
  681. // CryptProvs to be shared.
  682. //--------------------------------------------------------------------------
  683. HCRYPTPROV
  684. WINAPI
  685. I_CryptGetDefaultCryptProvForEncrypt(
  686. IN ALG_ID aiPubKey,
  687. IN ALG_ID aiEncrypt,
  688. IN DWORD dwBitLen
  689. )
  690. {
  691. HCRYPTPROV hProv;
  692. DWORD dwProvType;
  693. DWORD dwDefaultProvIndex;
  694. LPCSTR pszProvider;
  696. if (CALG_DH_SF == aiPubKey || CALG_DH_EPHEM == aiPubKey) {
  697. dwProvType = PROV_DSS_DH;
  698. dwDefaultProvIndex = DEFAULT_ENCRYPT_DH_CRYPT_PROV;
  699. pszProvider = NULL;
  700. } else {
  701. dwProvType = PROV_RSA_FULL;
  703. if (IsDefaultRSACryptProvForEncrypt(
  704. aiEncrypt,
  705. dwBitLen
  706. ))
  707. // Set to fall through to the default case
  708. aiEncrypt = 0;
  710. switch (aiEncrypt) {
  711. case CALG_DES:
  712. case CALG_3DES:
  713. case CALG_3DES_112:
  714. dwDefaultProvIndex = DEFAULT_ENCRYPT_ENH_RSA_CRYPT_PROV;
  715. pszProvider = MS_ENHANCED_PROV_A;
  716. break;
  717. case CALG_RC2:
  718. case CALG_RC4:
  719. if (40 >= dwBitLen) {
  720. dwDefaultProvIndex = DEFAULT_ENCRYPT_BASE_RSA_CRYPT_PROV;
  721. pszProvider = MS_DEF_PROV_A;
  722. } else {
  723. dwDefaultProvIndex = DEFAULT_ENCRYPT_ENH_RSA_CRYPT_PROV;
  724. pszProvider = MS_ENHANCED_PROV_A;
  725. }
  726. break;
  727. case 0:
  728. default:
  729. dwDefaultProvIndex = DEFAULT_RSA_CRYPT_PROV;
  730. pszProvider = NULL;
  731. break;
  732. }
  733. }
  735. hProv = rghDefaultCryptProv[dwDefaultProvIndex];
  737. if (0 == hProv) {
  738. EnterCriticalSection(&DefaultCryptProvCriticalSection);
  739. hProv = rghDefaultCryptProv[dwDefaultProvIndex];
  740. if (0 == hProv) {
  741. if (!CryptAcquireContext(
  742. &hProv,
  743. NULL, // pszContainer
  744. pszProvider,
  745. dwProvType,
  746. CRYPT_VERIFYCONTEXT // dwFlags
  747. ))
  748. hProv = 0; // CAPI bug, sets hCryptProv to nonzero
  749. else
  750. rghDefaultCryptProv[dwDefaultProvIndex] = hProv;
  751. }
  752. LeaveCriticalSection(&DefaultCryptProvCriticalSection);
  753. }
  754. return hProv;
  755. }
  758. //+-------------------------------------------------------------------------
  759. // Cert helper allocation and free functions
  760. //--------------------------------------------------------------------------
  761. static void *AllocAndDecodeObject(
  762. IN DWORD dwCertEncodingType,
  763. IN LPCSTR lpszStructType,
  764. IN const BYTE *pbEncoded,
  765. IN DWORD cbEncoded,
  766. OUT OPTIONAL DWORD *pcbStructInfo = NULL
  767. )
  768. {
  769. DWORD cbStructInfo;
  770. void *pvStructInfo;
  772. if (!CryptDecodeObjectEx(
  773. dwCertEncodingType,
  774. lpszStructType,
  775. pbEncoded,
  776. cbEncoded,
  777. CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG,
  778. &PkiDecodePara,
  779. (void *) &pvStructInfo,
  780. &cbStructInfo
  781. ))
  782. goto ErrorReturn;
  784. CommonReturn:
  785. if (pcbStructInfo)
  786. *pcbStructInfo = cbStructInfo;
  787. return pvStructInfo;
  788. ErrorReturn:
  789. pvStructInfo = NULL;
  790. goto CommonReturn;
  791. }
  793. static BOOL AllocAndEncodeObject(
  794. IN DWORD dwCertEncodingType,
  795. IN LPCSTR lpszStructType,
  796. IN const void *pvStructInfo,
  797. OUT BYTE **ppbEncoded,
  798. OUT DWORD *pcbEncoded
  799. )
  800. {
  801. return CryptEncodeObjectEx(
  802. dwCertEncodingType,
  803. lpszStructType,
  804. pvStructInfo,
  805. CRYPT_ENCODE_ALLOC_FLAG,
  806. &PkiEncodePara,
  807. (void *) ppbEncoded,
  808. pcbEncoded
  809. );
  810. }
  812. #if 0
  813. //+-------------------------------------------------------------------------
  814. // For an authority key identifier extension, compare the extension's optional
  815. // fields with the specified issuer certificate.
  816. //
  817. // Returns TRUE for no authority key identifier extension or an issuer
  818. // certificate match.
  819. //--------------------------------------------------------------------------
  820. static BOOL CompareAuthorityKeyIdentifier(
  821. IN DWORD dwCertEncodingType,
  822. IN DWORD cExtensions,
  823. IN CERT_EXTENSION rgExtensions[],
  824. IN PCERT_INFO pIssuerInfo
  825. )
  826. {
  827. BOOL fResult;
  828. PCERT_EXTENSION pExt;
  829. PCERT_AUTHORITY_KEY_ID_INFO pKeyIdInfo = NULL;
  831. pExt = CertFindExtension(
  832. szOID_AUTHORITY_KEY_IDENTIFIER,
  833. cExtensions,
  834. rgExtensions
  835. );
  836. if (pExt == NULL)
  837. return TRUE;
  839. if (NULL == (pKeyIdInfo =
  840. (PCERT_AUTHORITY_KEY_ID_INFO) AllocAndDecodeObject(
  841. dwCertEncodingType,
  842. X509_AUTHORITY_KEY_ID,
  843. pExt->Value.pbData,
  844. pExt->Value.cbData
  845. ))) goto DecodeError;
  847. if (pKeyIdInfo->CertIssuer.cbData) {
  848. // Issuer certificate's issuer name must match
  849. if (!CertCompareCertificateName(
  850. dwCertEncodingType,
  851. &pKeyIdInfo->CertIssuer,
  852. &pIssuerInfo->Issuer
  853. )) goto ErrorReturn;
  854. }
  856. if (pKeyIdInfo->CertSerialNumber.cbData) {
  857. // Issuer certificate's serial number must match
  858. if (!CertCompareIntegerBlob(
  859. &pKeyIdInfo->CertSerialNumber,
  860. &pIssuerInfo->SerialNumber))
  861. goto ErrorReturn;
  862. }
  864. fResult = TRUE;
  865. goto CommonReturn;
  867. DecodeError:
  868. fResult = TRUE;
  869. goto CommonReturn;
  870. ErrorReturn:
  871. fResult = FALSE;
  872. CommonReturn:
  873. PkiFree(pKeyIdInfo);
  874. return fResult;
  875. }
  876. #endif
  879. //+-------------------------------------------------------------------------
  880. // Compare two multiple byte integer blobs to see if they are identical.
  881. //
  882. // Before doing the comparison, leading zero bytes are removed from a
  883. // positive number and leading 0xFF bytes are removed from a negative
  884. // number.
  885. //
  886. // The multiple byte integers are treated as Little Endian. pbData[0] is the
  887. // least significant byte and pbData[cbData - 1] is the most significant
  888. // byte.
  889. //
  890. // Returns TRUE if the integer blobs are identical after removing leading
  891. // 0 or 0xFF bytes.
  892. //--------------------------------------------------------------------------
  893. BOOL
  894. WINAPI
  895. CertCompareIntegerBlob(
  896. IN PCRYPT_INTEGER_BLOB pInt1,
  897. IN PCRYPT_INTEGER_BLOB pInt2
  898. )
  899. {
  900. BYTE *pb1 = pInt1->pbData;
  901. DWORD cb1 = pInt1->cbData;
  902. BYTE *pb2 = pInt2->pbData;
  903. DWORD cb2 = pInt2->cbData;
  905. // Assumption: normally don't have leading 0 or 0xFF bytes.
  907. while (cb1 > 1) {
  908. BYTE bEnd = pb1[cb1 - 1];
  909. BYTE bPrev = pb1[cb1 - 2];
  910. if ((0 == bEnd && 0 == (bPrev & 0x80)) ||
  911. (0xFF == bEnd && 0 != (bPrev & 0x80)))
  912. cb1--;
  913. else
  914. break;
  915. }
  917. while (cb2 > 1) {
  918. BYTE bEnd = pb2[cb2 - 1];
  919. BYTE bPrev = pb2[cb2 - 2];
  920. if ((0 == bEnd && 0 == (bPrev & 0x80)) ||
  921. (0xFF == bEnd && 0 != (bPrev & 0x80)))
  922. cb2--;
  923. else
  924. break;
  925. }
  927. if (cb1 == cb2 && (0 == cb1 || 0 == memcmp(pb1, pb2, cb1)))
  928. return TRUE;
  929. else
  930. return FALSE;
  931. }
  933. //+-------------------------------------------------------------------------
  934. // Compare two certificates to see if they are identical.
  935. //
  936. // Since a certificate is uniquely identified by its Issuer and SerialNumber,
  937. // these are the only fields needing to be compared.
  938. //
  939. // Returns TRUE if the certificates are identical.
  940. //--------------------------------------------------------------------------
  941. BOOL
  942. WINAPI
  943. CertCompareCertificate(
  944. IN DWORD dwCertEncodingType,
  945. IN PCERT_INFO pCertId1,
  946. IN PCERT_INFO pCertId2
  947. )
  948. {
  949. if (CertCompareIntegerBlob(&pCertId1->SerialNumber,
  950. &pCertId2->SerialNumber) &&
  951. pCertId1->Issuer.cbData == pCertId2->Issuer.cbData &&
  952. memcmp(pCertId1->Issuer.pbData, pCertId2->Issuer.pbData,
  953. pCertId1->Issuer.cbData) == 0)
  954. return TRUE;
  955. else
  956. return FALSE;
  957. }
  959. //+-------------------------------------------------------------------------
  960. // Compare two certificate names to see if they are identical.
  961. //
  962. // Returns TRUE if the names are identical.
  963. //--------------------------------------------------------------------------
  964. BOOL
  965. WINAPI
  966. CertCompareCertificateName(
  967. IN DWORD dwCertEncodingType,
  968. IN PCERT_NAME_BLOB pCertName1,
  969. IN PCERT_NAME_BLOB pCertName2
  970. )
  971. {
  972. if (pCertName1->cbData == pCertName2->cbData &&
  973. memcmp(pCertName1->pbData, pCertName2->pbData,
  974. pCertName1->cbData) == 0)
  975. return TRUE;
  976. else
  977. return FALSE;
  978. }
  980. //+-------------------------------------------------------------------------
  981. // Compare the attributes in the certificate name with the specified
  982. // Relative Distinguished Name's (CERT_RDN) array of attributes.
  983. // The comparison iterates through the CERT_RDN attributes and looks for an
  984. // attribute match in any of the certificate's RDNs. Returns TRUE if all the
  985. // attributes are found and match.
  986. //
  987. // The CERT_RDN_ATTR fields can have the following special values:
  988. // pszObjId == NULL - ignore the attribute object identifier
  989. // dwValueType == CERT_RDN_ANY_TYPE - ignore the value type
  990. // Value.pbData == NULL - match any value
  991. //
  992. // CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set to do
  993. // a case insensitive match. Otherwise, defaults to an exact, case sensitive
  994. // match.
  995. //
  996. // CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
  997. // with unicode strings as for CryptEncodeObject(X509_UNICODE_NAME).
  998. //--------------------------------------------------------------------------
  999. BOOL
  1000. WINAPI
  1001. CertIsRDNAttrsInCertificateName(
  1002. IN DWORD dwCertEncodingType,
  1003. IN DWORD dwFlags,
  1004. IN PCERT_NAME_BLOB pCertName,
  1005. IN PCERT_RDN pRDN
  1006. )
  1007. {
  1008. BOOL fResult;
  1009. PCERT_NAME_INFO pNameInfo = NULL;
  1011. DWORD cCmpAttr;
  1012. PCERT_RDN_ATTR pCmpAttr;
  1013. BOOL fMatch;
  1015. if (NULL == (pNameInfo =
  1016. (PCERT_NAME_INFO) AllocAndDecodeObject(
  1017. dwCertEncodingType,
  1018. CERT_UNICODE_IS_RDN_ATTRS_FLAG & dwFlags ? X509_UNICODE_NAME :
  1019. X509_NAME,
  1020. pCertName->pbData,
  1021. pCertName->cbData
  1022. ))) goto ErrorReturn;
  1024. cCmpAttr = pRDN->cRDNAttr;
  1025. pCmpAttr = pRDN->rgRDNAttr;
  1026. fMatch = TRUE;
  1027. // Iterate through list of attributes to be compared against
  1028. for ( ; cCmpAttr > 0; cCmpAttr--, pCmpAttr++) {
  1029. fMatch = FALSE;
  1030. DWORD cNameRDN = pNameInfo->cRDN;
  1031. PCERT_RDN pNameRDN = pNameInfo->rgRDN;
  1032. // Iterate through name's list of RDNs
  1033. for ( ; cNameRDN > 0; cNameRDN--, pNameRDN++) {
  1034. DWORD cNameAttr = pNameRDN->cRDNAttr;
  1035. PCERT_RDN_ATTR pNameAttr = pNameRDN->rgRDNAttr;
  1036. // Iterate through name's CERT_RDN's list of attributes
  1037. for ( ; cNameAttr > 0; cNameAttr--, pNameAttr++) {
  1038. if (pCmpAttr->pszObjId &&
  1039. (pNameAttr->pszObjId == NULL ||
  1040. strcmp(pCmpAttr->pszObjId, pNameAttr->pszObjId) != 0))
  1041. continue;
  1042. if (pCmpAttr->dwValueType != CERT_RDN_ANY_TYPE &&
  1043. pCmpAttr->dwValueType != pNameAttr->dwValueType)
  1044. continue;
  1046. if (pCmpAttr->Value.pbData == NULL) {
  1047. fMatch = TRUE;
  1048. break;
  1049. }
  1051. if (CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG & dwFlags) {
  1052. DWORD cch;
  1054. if (CERT_UNICODE_IS_RDN_ATTRS_FLAG & dwFlags) {
  1055. if (0 == pCmpAttr->Value.cbData)
  1056. cch = wcslen((LPWSTR) pCmpAttr->Value.pbData);
  1057. else
  1058. cch = pCmpAttr->Value.cbData / sizeof(WCHAR);
  1059. if (cch == (pNameAttr->Value.cbData / sizeof(WCHAR))
  1060. &&
  1061. CSTR_EQUAL == CompareStringU(
  1062. LOCALE_USER_DEFAULT,
  1063. NORM_IGNORECASE,
  1064. (LPWSTR) pCmpAttr->Value.pbData,
  1065. cch,
  1066. (LPWSTR) pNameAttr->Value.pbData,
  1067. cch)) {
  1068. fMatch = TRUE;
  1069. break;
  1070. }
  1071. } else {
  1072. cch = pCmpAttr->Value.cbData;
  1073. if (cch == (pNameAttr->Value.cbData)
  1074. &&
  1075. CSTR_EQUAL == CompareStringA(
  1076. LOCALE_USER_DEFAULT,
  1077. NORM_IGNORECASE,
  1078. (LPSTR) pCmpAttr->Value.pbData,
  1079. cch,
  1080. (LPSTR) pNameAttr->Value.pbData,
  1081. cch)) {
  1082. fMatch = TRUE;
  1083. break;
  1084. }
  1085. }
  1086. } else {
  1087. DWORD cbCmpData = pCmpAttr->Value.cbData;
  1089. if ((CERT_UNICODE_IS_RDN_ATTRS_FLAG & dwFlags) &&
  1090. 0 == cbCmpData)
  1091. cbCmpData = wcslen((LPWSTR) pCmpAttr->Value.pbData) *
  1092. sizeof(WCHAR);
  1094. if (cbCmpData == pNameAttr->Value.cbData &&
  1095. (cbCmpData == 0 ||
  1096. memcmp(pCmpAttr->Value.pbData,
  1097. pNameAttr->Value.pbData,
  1098. cbCmpData) == 0)) {
  1099. fMatch = TRUE;
  1100. break;
  1101. }
  1102. }
  1103. }
  1104. if (fMatch) break;
  1105. }
  1106. if (!fMatch) break;
  1107. }
  1109. if (!fMatch) {
  1110. SetLastError((DWORD) CRYPT_E_NO_MATCH);
  1111. goto ErrorReturn;
  1112. }
  1114. fResult = TRUE;
  1115. goto CommonReturn;
  1118. ErrorReturn:
  1119. fResult = FALSE;
  1120. CommonReturn:
  1121. PkiFree(pNameInfo);
  1122. return fResult;
  1123. }
  1125. #if 0
  1126. #ifndef RSA1
  1127. #define RSA1 ((DWORD)'R'+((DWORD)'S'<<8)+((DWORD)'A'<<16)+((DWORD)'1'<<24))
  1128. #endif
  1130. //+-------------------------------------------------------------------------
  1131. // Compare two public keys to see if they are identical.
  1132. //
  1133. // Returns TRUE if the keys are identical.
  1134. //
  1135. // Note: ignores CAPI's reserved and aiKeyAlg fields in the comparison.
  1136. //--------------------------------------------------------------------------
  1137. BOOL
  1138. WINAPI
  1139. CertComparePublicKeyBitBlob(
  1140. IN DWORD dwCertEncodingType,
  1141. IN PCRYPT_BIT_BLOB pPublicKey1,
  1142. IN PCRYPT_BIT_BLOB pPublicKey2
  1143. )
  1144. {
  1145. BYTE *pb1, *pb2;
  1146. PUBLICKEYSTRUC *pPubKeyStruc1, *pPubKeyStruc2;
  1147. RSAPUBKEY *pRsaPubKey1, *pRsaPubKey2;
  1148. BYTE *pbModulus1, *pbModulus2;
  1149. DWORD cbModulus1, cbModulus2;
  1152. // The CAPI public key representation consists of the following sequence:
  1153. // - PUBLICKEYSTRUC
  1154. // - RSAPUBKEY
  1155. // - rgbModulus[]
  1156. pb1 = pPublicKey1->pbData;
  1157. pPubKeyStruc1 = (PUBLICKEYSTRUC *) pb1;
  1158. pRsaPubKey1 = (RSAPUBKEY *) (pb1 + sizeof(PUBLICKEYSTRUC));
  1159. pbModulus1 = pb1 + sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
  1160. cbModulus1 = pRsaPubKey1->bitlen / 8;
  1162. assert(cbModulus1 > 0);
  1163. assert(sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY) + cbModulus1 <=
  1164. pPublicKey1->cbData);
  1165. assert(pPubKeyStruc1->bType == PUBLICKEYBLOB);
  1166. assert(pPubKeyStruc1->bVersion == CUR_BLOB_VERSION);
  1167. assert(pPubKeyStruc1->aiKeyAlg == CALG_RSA_SIGN ||
  1168. pPubKeyStruc1->aiKeyAlg == CALG_RSA_KEYX);
  1169. assert(pRsaPubKey1->magic == RSA1);
  1170. assert(pRsaPubKey1->bitlen % 8 == 0);
  1172. pb2 = pPublicKey2->pbData;
  1173. pPubKeyStruc2 = (PUBLICKEYSTRUC *) pb2;
  1174. pRsaPubKey2 = (RSAPUBKEY *) (pb2 + sizeof(PUBLICKEYSTRUC));
  1175. pbModulus2 = pb2 + sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
  1176. cbModulus2 = pRsaPubKey2->bitlen / 8;
  1178. assert(cbModulus2 > 0);
  1179. assert(sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY) + cbModulus2 <=
  1180. pPublicKey2->cbData);
  1181. assert(pPubKeyStruc2->bType == PUBLICKEYBLOB);
  1182. assert(pPubKeyStruc2->bVersion == CUR_BLOB_VERSION);
  1183. assert(pPubKeyStruc2->aiKeyAlg == CALG_RSA_SIGN ||
  1184. pPubKeyStruc2->aiKeyAlg == CALG_RSA_KEYX);
  1185. assert(pRsaPubKey2->magic == RSA1);
  1186. assert(pRsaPubKey2->bitlen % 8 == 0);
  1188. if (pRsaPubKey1->pubexp == pRsaPubKey2->pubexp &&
  1189. cbModulus1 == cbModulus2 &&
  1190. memcmp(pbModulus1, pbModulus2, cbModulus1) == 0)
  1191. return TRUE;
  1192. else
  1193. return FALSE;
  1195. }
  1196. #endif
  1198. //+-------------------------------------------------------------------------
  1199. // Compare two public keys to see if they are identical.
  1200. //
  1201. // Returns TRUE if the keys are identical.
  1202. //--------------------------------------------------------------------------
  1203. BOOL
  1204. WINAPI
  1205. CertComparePublicKeyInfo(
  1206. IN DWORD dwCertEncodingType,
  1207. IN PCERT_PUBLIC_KEY_INFO pPublicKey1,
  1208. IN PCERT_PUBLIC_KEY_INFO pPublicKey2
  1209. )
  1210. {
  1211. DWORD cbData;
  1212. DWORD cb1;
  1213. BYTE * pb1;
  1214. DWORD cb2;
  1215. BYTE * pb2;
  1216. BOOL fResult = FALSE;
  1217. PUBLICKEYSTRUC * pBlob1 = NULL;
  1218. PUBLICKEYSTRUC * pBlob2 = NULL;
  1220. if (!((cbData = pPublicKey1->PublicKey.cbData) ==
  1221. pPublicKey2->PublicKey.cbData
  1222. &&
  1223. (cbData == 0 || memcmp(pPublicKey1->PublicKey.pbData,
  1224. pPublicKey2->PublicKey.pbData, cbData) == 0)))
  1225. {
  1226. // DSIE: Bug 402662.
  1227. // Encoded compare failed, try decoded compare.
  1228. if (NULL == (pBlob1 = (PUBLICKEYSTRUC *) AllocAndDecodeObject(
  1229. dwCertEncodingType,
  1230. RSA_CSP_PUBLICKEYBLOB,
  1231. pPublicKey1->PublicKey.pbData,
  1232. pPublicKey1->PublicKey.cbData,
  1233. &cb1)))
  1234. {
  1235. goto CLEANUP;
  1236. }
  1238. if (NULL == (pBlob2 = (PUBLICKEYSTRUC *) AllocAndDecodeObject(
  1239. dwCertEncodingType,
  1240. RSA_CSP_PUBLICKEYBLOB,
  1241. pPublicKey2->PublicKey.pbData,
  1242. pPublicKey2->PublicKey.cbData,
  1243. &cb2)))
  1244. {
  1245. goto CLEANUP;
  1246. }
  1248. if (!((cb1 == cb2) &&
  1249. (cb1 == 0 || memcmp(pBlob1, pBlob2, cb1) == 0)))
  1250. {
  1251. goto CLEANUP;
  1252. }
  1253. }
  1255. // Compare algorithm parameters
  1256. cb1 = pPublicKey1->Algorithm.Parameters.cbData;
  1257. pb1 = pPublicKey1->Algorithm.Parameters.pbData;
  1258. cb2 = pPublicKey2->Algorithm.Parameters.cbData;
  1259. pb2 = pPublicKey2->Algorithm.Parameters.pbData;
  1261. if (X509_ASN_ENCODING == GET_CERT_ENCODING_TYPE(dwCertEncodingType))
  1262. {
  1263. // Check if either has NO or NULL parameters
  1264. if (0 == cb1 || *pb1 == NULL_ASN_TAG ||
  1265. 0 == cb2 || *pb2 == NULL_ASN_TAG)
  1266. {
  1267. fResult = TRUE;
  1268. goto CLEANUP;
  1269. }
  1270. }
  1272. if (cb1 == cb2)
  1273. {
  1274. if (0 == cb1 || 0 == memcmp(pb1, pb2, cb1))
  1275. {
  1276. fResult = TRUE;
  1277. }
  1278. }
  1280. CLEANUP:
  1281. if (pBlob1)
  1282. PkiFree(pBlob1);
  1284. if (pBlob2)
  1285. PkiFree(pBlob2);
  1287. return fResult;
  1288. }
  1290. static BOOL GetSignOIDInfo(
  1291. IN LPCSTR pszObjId,
  1292. OUT ALG_ID *paiHash,
  1293. OUT ALG_ID *paiPubKey,
  1294. OUT DWORD *pdwFlags,
  1295. OUT DWORD *pdwProvType = NULL
  1296. )
  1297. {
  1298. BOOL fResult;
  1299. PCCRYPT_OID_INFO pInfo;
  1301. *paiPubKey = 0;
  1302. *pdwFlags = 0;
  1303. if (pdwProvType)
  1304. *pdwProvType = 0;
  1305. if (pInfo = CryptFindOIDInfo(
  1306. CRYPT_OID_INFO_OID_KEY,
  1307. (void *) pszObjId,
  1308. CRYPT_SIGN_ALG_OID_GROUP_ID
  1309. )) {
  1310. DWORD cExtra = pInfo->ExtraInfo.cbData / sizeof(DWORD);
  1311. DWORD *pdwExtra = (DWORD *) pInfo->ExtraInfo.pbData;
  1313. *paiHash = pInfo->Algid;
  1314. if (1 <= cExtra) {
  1315. *paiPubKey = pdwExtra[0];
  1316. if (2 <= cExtra) {
  1317. *pdwFlags = pdwExtra[1];
  1318. if (3 <= cExtra && pdwProvType) {
  1319. *pdwProvType = pdwExtra[2];
  1320. }
  1321. }
  1322. }
  1323. fResult = TRUE;
  1324. } else if (pInfo = CryptFindOIDInfo(
  1325. CRYPT_OID_INFO_OID_KEY,
  1326. (void *) pszObjId,
  1327. CRYPT_HASH_ALG_OID_GROUP_ID
  1328. )) {
  1329. *paiHash = pInfo->Algid;
  1330. *paiPubKey = CALG_NO_SIGN;
  1331. fResult = TRUE;
  1332. } else {
  1333. *paiHash = 0;
  1334. fResult = FALSE;
  1335. SetLastError((DWORD) NTE_BAD_ALGID);
  1336. }
  1337. return fResult;
  1338. }
  1341. #ifndef CMS_PKCS7
  1343. //+-------------------------------------------------------------------------
  1344. // Verify the signature of a subject certificate or a CRL using the
  1345. // specified public key.
  1346. //
  1347. // Returns TRUE for a valid signature.
  1348. //
  1349. // hCryptProv specifies the crypto provider to use to verify the signature.
  1350. // It doesn't need to use a private key.
  1351. //--------------------------------------------------------------------------
  1352. BOOL
  1353. WINAPI
  1354. CryptVerifyCertificateSignature(
  1355. IN HCRYPTPROV hCryptProv,
  1356. IN DWORD dwCertEncodingType,
  1357. IN const BYTE * pbEncoded,
  1358. IN DWORD cbEncoded,
  1359. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  1360. )
  1361. {
  1362. BOOL fResult;
  1363. PCERT_SIGNED_CONTENT_INFO pSignedInfo = NULL;
  1364. HCRYPTDEFAULTCONTEXT hDefaultContext = NULL;
  1365. HCRYPTKEY hSignKey = 0;
  1366. HCRYPTHASH hHash = 0;
  1367. BYTE *pbSignature; // not allocated
  1368. DWORD cbSignature;
  1369. BYTE rgbDssSignature[CERT_DSS_SIGNATURE_LEN];
  1370. ALG_ID aiHash;
  1371. ALG_ID aiPubKey;
  1372. DWORD dwSignFlags;
  1373. DWORD dwErr;
  1375. if (NULL == (pSignedInfo =
  1376. (PCERT_SIGNED_CONTENT_INFO) AllocAndDecodeObject(
  1377. dwCertEncodingType,
  1378. X509_CERT,
  1379. pbEncoded,
  1380. cbEncoded
  1381. ))) goto ErrorReturn;
  1383. if (!GetSignOIDInfo(pSignedInfo->SignatureAlgorithm.pszObjId,
  1384. &aiHash, &aiPubKey, &dwSignFlags))
  1385. goto ErrorReturn;
  1387. if (0 == hCryptProv) {
  1388. if (!I_CryptGetDefaultContext(
  1389. CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID,
  1390. (const void *) pSignedInfo->SignatureAlgorithm.pszObjId,
  1391. &hCryptProv,
  1392. &hDefaultContext
  1393. )) {
  1394. if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(aiPubKey)))
  1395. goto ErrorReturn;
  1396. }
  1397. }
  1399. #if 0
  1400. // Slow down the signature verify while holding the default context
  1401. // reference count
  1402. if (hDefaultContext)
  1403. Sleep(5000);
  1404. #endif
  1406. if (!CryptImportPublicKeyInfo(
  1407. hCryptProv,
  1408. dwCertEncodingType,
  1409. pPublicKey,
  1410. &hSignKey
  1411. )) goto ErrorReturn;
  1412. if (!CryptCreateHash(
  1413. hCryptProv,
  1414. aiHash,
  1415. NULL, // hKey - optional for MAC
  1416. 0, // dwFlags
  1417. &hHash
  1418. )) goto ErrorReturn;
  1419. if (!CryptHashData(
  1420. hHash,
  1421. pSignedInfo->ToBeSigned.pbData,
  1422. pSignedInfo->ToBeSigned.cbData,
  1423. 0 // dwFlags
  1424. )) goto ErrorReturn;
  1427. pbSignature = pSignedInfo->Signature.pbData;
  1428. cbSignature = pSignedInfo->Signature.cbData;
  1429. if (CALG_DSS_SIGN == aiPubKey &&
  1430. 0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
  1431. DWORD cbData;
  1433. // Undo the reversal done by CryptDecodeObject(X509_CERT)
  1434. PkiAsn1ReverseBytes(pbSignature, cbSignature);
  1435. // Convert from ASN.1 sequence of two integers to the CSP signature
  1436. // format.
  1437. cbData = sizeof(rgbDssSignature);
  1438. if (!CryptDecodeObject(
  1439. dwCertEncodingType,
  1440. X509_DSS_SIGNATURE,
  1441. pbSignature,
  1442. cbSignature,
  1443. 0, // dwFlags
  1444. rgbDssSignature,
  1445. &cbData
  1446. ))
  1447. goto ErrorReturn;
  1448. pbSignature = rgbDssSignature;
  1449. assert(cbData == sizeof(rgbDssSignature));
  1450. cbSignature = sizeof(rgbDssSignature);
  1451. }
  1453. if (!CryptVerifySignature(
  1454. hHash,
  1455. pbSignature,
  1456. cbSignature,
  1457. hSignKey,
  1458. NULL, // sDescription
  1459. 0 // dwFlags
  1460. )) goto ErrorReturn;
  1462. fResult = TRUE;
  1463. goto CommonReturn;
  1465. ErrorReturn:
  1466. fResult = FALSE;
  1467. CommonReturn:
  1468. dwErr = GetLastError();
  1469. if (hSignKey)
  1470. CryptDestroyKey(hSignKey);
  1471. if (hHash)
  1472. CryptDestroyHash(hHash);
  1473. I_CryptFreeDefaultContext(hDefaultContext);
  1474. PkiFree(pSignedInfo);
  1476. SetLastError(dwErr);
  1477. return fResult;
  1478. }
  1480. #endif // CMS_PKCS7
  1482. BOOL
  1483. WINAPI
  1484. DefaultHashCertificate(
  1485. IN ALG_ID Algid,
  1486. IN const BYTE *pbEncoded,
  1487. IN DWORD cbEncoded,
  1488. OUT BYTE *pbHash,
  1489. IN OUT DWORD *pcbHash
  1490. )
  1491. {
  1492. DWORD cbInHash;
  1493. DWORD cbOutHash;
  1495. if (NULL == pbHash)
  1496. cbInHash = 0;
  1497. else
  1498. cbInHash = *pcbHash;
  1500. switch (Algid) {
  1501. case CALG_MD5:
  1502. cbOutHash = MD5DIGESTLEN;
  1503. if (MD5DIGESTLEN <= cbInHash) {
  1504. MD5_CTX md5ctx;
  1506. MD5Init(&md5ctx);
  1507. if (cbEncoded)
  1508. MD5Update(&md5ctx, pbEncoded, cbEncoded);
  1509. MD5Final(&md5ctx);
  1510. memcpy(pbHash, md5ctx.digest, MD5DIGESTLEN);
  1511. }
  1512. break;
  1514. case CALG_SHA1:
  1515. default:
  1516. assert(CALG_SHA1 == Algid);
  1517. assert(CALG_SHA == Algid);
  1518. cbOutHash = A_SHA_DIGEST_LEN;
  1519. if (A_SHA_DIGEST_LEN <= cbInHash) {
  1520. A_SHA_CTX shactx;
  1522. A_SHAInit(&shactx);
  1523. if (cbEncoded)
  1524. A_SHAUpdate(&shactx, (BYTE *) pbEncoded, cbEncoded);
  1525. A_SHAFinal(&shactx, pbHash);
  1526. }
  1527. break;
  1528. }
  1530. *pcbHash = cbOutHash;
  1531. if (cbInHash < cbOutHash && pbHash) {
  1532. SetLastError((DWORD) ERROR_MORE_DATA);
  1533. return FALSE;
  1534. } else
  1535. return TRUE;
  1536. }
  1538. //+-------------------------------------------------------------------------
  1539. // Hash the encoded content.
  1540. //
  1541. // hCryptProv specifies the crypto provider to use to compute the hash.
  1542. // It doesn't need to use a private key.
  1543. //
  1544. // Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
  1545. // default hash algorithm (currently SHA1) is used.
  1546. //--------------------------------------------------------------------------
  1547. BOOL
  1548. WINAPI
  1549. CryptHashCertificate(
  1550. IN HCRYPTPROV hCryptProv,
  1551. IN ALG_ID Algid,
  1552. IN DWORD dwFlags,
  1553. IN const BYTE *pbEncoded,
  1554. IN DWORD cbEncoded,
  1555. OUT BYTE *pbComputedHash,
  1556. IN OUT DWORD *pcbComputedHash
  1557. )
  1558. {
  1559. BOOL fResult;
  1560. HCRYPTHASH hHash = 0;
  1561. DWORD dwErr;
  1563. if (Algid == 0) {
  1564. Algid = CALG_SHA;
  1565. dwFlags = 0;
  1566. }
  1568. if (0 == hCryptProv) {
  1569. if (CALG_SHA1 == Algid || CALG_MD5 == Algid)
  1570. return DefaultHashCertificate(
  1571. Algid,
  1572. pbEncoded,
  1573. cbEncoded,
  1574. pbComputedHash,
  1575. pcbComputedHash
  1576. );
  1577. if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(0)))
  1578. goto ErrorReturn;
  1579. }
  1581. if (!CryptCreateHash(
  1582. hCryptProv,
  1583. Algid,
  1584. NULL, // hKey - optional for MAC
  1585. dwFlags,
  1586. &hHash
  1587. ))
  1588. goto ErrorReturn;
  1589. if (!CryptHashData(
  1590. hHash,
  1591. pbEncoded,
  1592. cbEncoded,
  1593. 0 // dwFlags
  1594. ))
  1595. goto ErrorReturn;
  1597. fResult = CryptGetHashParam(
  1598. hHash,
  1599. HP_HASHVAL,
  1600. pbComputedHash,
  1601. pcbComputedHash,
  1602. 0 // dwFlags
  1603. );
  1604. goto CommonReturn;
  1606. ErrorReturn:
  1607. fResult = FALSE;
  1608. *pcbComputedHash = 0;
  1609. CommonReturn:
  1610. dwErr = GetLastError();
  1611. if (hHash)
  1612. CryptDestroyHash(hHash);
  1613. SetLastError(dwErr);
  1614. return fResult;
  1615. }
  1617. //+-------------------------------------------------------------------------
  1618. // Compute the hash of the "to be signed" information in the encoded
  1619. // signed content.
  1620. //
  1621. // hCryptProv specifies the crypto provider to use to compute the hash.
  1622. // It doesn't need to use a private key.
  1623. //--------------------------------------------------------------------------
  1624. BOOL
  1625. WINAPI
  1626. CryptHashToBeSigned(
  1627. IN HCRYPTPROV hCryptProv,
  1628. IN DWORD dwCertEncodingType,
  1629. IN const BYTE *pbEncoded,
  1630. IN DWORD cbEncoded,
  1631. OUT BYTE *pbComputedHash,
  1632. IN OUT DWORD *pcbComputedHash
  1633. )
  1634. {
  1635. BOOL fResult;
  1636. PCERT_SIGNED_CONTENT_INFO pSignedInfo = NULL;
  1637. HCRYPTHASH hHash = 0;
  1638. DWORD dwErr;
  1639. ALG_ID aiHash;
  1640. ALG_ID aiPubKey;
  1641. DWORD dwSignFlags;
  1643. if (NULL == (pSignedInfo =
  1644. (PCERT_SIGNED_CONTENT_INFO) AllocAndDecodeObject(
  1645. dwCertEncodingType,
  1646. X509_CERT,
  1647. pbEncoded,
  1648. cbEncoded
  1649. ))) goto ErrorReturn;
  1651. if (!GetSignOIDInfo(pSignedInfo->SignatureAlgorithm.pszObjId,
  1652. &aiHash, &aiPubKey, &dwSignFlags))
  1653. goto ErrorReturn;
  1655. if (0 == hCryptProv) {
  1656. if (CALG_SHA1 == aiHash || CALG_MD5 == aiHash) {
  1657. fResult = DefaultHashCertificate(
  1658. aiHash,
  1659. pSignedInfo->ToBeSigned.pbData,
  1660. pSignedInfo->ToBeSigned.cbData,
  1661. pbComputedHash,
  1662. pcbComputedHash
  1663. );
  1664. goto CommonReturn;
  1665. }
  1666. if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(0)))
  1667. goto ErrorReturn;
  1668. }
  1670. if (!CryptCreateHash(
  1671. hCryptProv,
  1672. aiHash,
  1673. NULL, // hKey - optional for MAC
  1674. 0, // dwFlags
  1675. &hHash
  1676. ))
  1677. goto ErrorReturn;
  1678. if (!CryptHashData(
  1679. hHash,
  1680. pSignedInfo->ToBeSigned.pbData,
  1681. pSignedInfo->ToBeSigned.cbData,
  1682. 0 // dwFlags
  1683. ))
  1684. goto ErrorReturn;
  1686. fResult = CryptGetHashParam(
  1687. hHash,
  1688. HP_HASHVAL,
  1689. pbComputedHash,
  1690. pcbComputedHash,
  1691. 0 // dwFlags
  1692. );
  1693. goto CommonReturn;
  1695. ErrorReturn:
  1696. fResult = FALSE;
  1697. *pcbComputedHash = 0;
  1698. CommonReturn:
  1699. dwErr = GetLastError();
  1700. if (hHash)
  1701. CryptDestroyHash(hHash);
  1702. PkiFree(pSignedInfo);
  1703. SetLastError(dwErr);
  1704. return fResult;
  1705. }
  1707. //+-------------------------------------------------------------------------
  1708. // Sign the "to be signed" information in the encoded signed content.
  1709. //
  1710. // hCryptProv specifies the crypto provider to use to do the signature.
  1711. // It needs to use the provider's signature private key.
  1712. //--------------------------------------------------------------------------
  1713. BOOL
  1714. WINAPI
  1715. CryptSignCertificate(
  1716. IN HCRYPTPROV hCryptProv,
  1717. IN DWORD dwKeySpec,
  1718. IN DWORD dwCertEncodingType,
  1719. IN const BYTE *pbEncodedToBeSigned,
  1720. IN DWORD cbEncodedToBeSigned,
  1721. IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  1722. IN OPTIONAL const void *pvHashAuxInfo,
  1723. OUT BYTE *pbSignature,
  1724. IN OUT DWORD *pcbSignature
  1725. )
  1726. {
  1727. BOOL fResult;
  1728. ALG_ID aiHash;
  1729. ALG_ID aiPubKey;
  1730. DWORD dwSignFlags;
  1731. HCRYPTHASH hHash = 0;
  1732. DWORD dwErr;
  1734. if (!GetSignOIDInfo(pSignatureAlgorithm->pszObjId,
  1735. &aiHash, &aiPubKey, &dwSignFlags))
  1736. goto ErrorReturn;
  1738. if (CALG_NO_SIGN == aiPubKey) {
  1739. fResult = CryptHashCertificate(
  1740. hCryptProv,
  1741. aiHash,
  1742. 0, // dwFlags
  1743. pbEncodedToBeSigned,
  1744. cbEncodedToBeSigned,
  1745. pbSignature,
  1746. pcbSignature
  1747. );
  1748. if (fResult && pbSignature)
  1749. // A subsequent CryptEncodeObject(X509_CERT) will reverse
  1750. // the signature bytes
  1751. PkiAsn1ReverseBytes(pbSignature, *pcbSignature);
  1752. return fResult;
  1753. }
  1755. if (CALG_DSS_SIGN == aiPubKey &&
  1756. 0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
  1757. if (NULL == pbSignature) {
  1758. *pcbSignature = CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN;
  1759. return TRUE;
  1760. }
  1761. }
  1763. if (!CryptCreateHash(
  1764. hCryptProv,
  1765. aiHash,
  1766. NULL, // hKey - optional for MAC
  1767. 0, // dwFlags,
  1768. &hHash
  1769. ))
  1770. goto ErrorReturn;
  1772. if (!CryptHashData(
  1773. hHash,
  1774. pbEncodedToBeSigned,
  1775. cbEncodedToBeSigned,
  1776. 0 // dwFlags
  1777. ))
  1778. goto ErrorReturn;
  1780. if (CALG_DSS_SIGN == aiPubKey &&
  1781. 0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
  1782. DWORD cbData;
  1783. BYTE rgbDssSignature[CERT_DSS_SIGNATURE_LEN];
  1785. cbData = sizeof(rgbDssSignature);
  1786. if (!CryptSignHash(
  1787. hHash,
  1788. dwKeySpec,
  1789. NULL, // sDescription
  1790. 0, // dwFlags
  1791. rgbDssSignature,
  1792. &cbData
  1793. )) goto ErrorReturn;
  1794. assert(cbData == sizeof(rgbDssSignature));
  1795. // Convert from the CSP signature format to an ASN.1 sequence of
  1796. // two integers
  1797. fResult = CryptEncodeObject(
  1798. dwCertEncodingType,
  1799. X509_DSS_SIGNATURE,
  1800. rgbDssSignature,
  1801. pbSignature,
  1802. pcbSignature
  1803. );
  1804. if (fResult)
  1805. // A subsequent CryptEncodeObject(X509_CERT) will reverse
  1806. // the signature bytes
  1807. PkiAsn1ReverseBytes(pbSignature, *pcbSignature);
  1808. else if (0 != *pcbSignature)
  1809. // Since a random number is used in each CryptSignHash invocation,
  1810. // the generated signature will be different. In particular
  1811. // different signatures may have different leading 0x00's or
  1812. // 0xFF's which get removed when converted to the ASN.1 sequence
  1813. // of integers.
  1814. *pcbSignature = CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN;
  1815. } else
  1816. fResult = CryptSignHash(
  1817. hHash,
  1818. dwKeySpec,
  1819. NULL, // sDescription
  1820. 0, // dwFlags
  1821. pbSignature, // pbData
  1822. pcbSignature
  1823. );
  1824. goto CommonReturn;
  1826. ErrorReturn:
  1827. fResult = FALSE;
  1828. *pcbSignature = 0;
  1829. CommonReturn:
  1830. dwErr = GetLastError();
  1831. if (hHash)
  1832. CryptDestroyHash(hHash);
  1833. SetLastError(dwErr);
  1834. return fResult;
  1835. }
  1837. static DWORD AdjustForMaximumEncodedSignatureLength(
  1838. IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  1839. IN DWORD cbOrig
  1840. )
  1841. {
  1842. DWORD cbAdjust;
  1843. ALG_ID aiHash;
  1844. ALG_ID aiPubKey;
  1845. DWORD dwSignFlags;
  1847. cbAdjust = 0;
  1848. if (GetSignOIDInfo(pSignatureAlgorithm->pszObjId,
  1849. &aiHash, &aiPubKey, &dwSignFlags)) {
  1850. if (CALG_DSS_SIGN == aiPubKey &&
  1851. 0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
  1852. assert(CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN >= cbOrig);
  1853. if (CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN > cbOrig)
  1854. // the +1 is for adjusting the number of length octets in
  1855. // the outer SEQUENCE. Note, the number of length octets in
  1856. // the signature's BITSTRING will always be 1, ie,
  1857. // CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN <= 0x7F.
  1858. cbAdjust =
  1859. (CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN - cbOrig) + 1;
  1860. }
  1861. }
  1862. return cbAdjust;
  1863. }
  1865. //+-------------------------------------------------------------------------
  1866. // Encode the "to be signed" information. Sign the encoded "to be signed".
  1867. // Encode the "to be signed" and the signature.
  1868. //
  1869. // hCryptProv specifies the crypto provider to use to do the signature.
  1870. // It uses the specified private key.
  1871. //--------------------------------------------------------------------------
  1872. BOOL
  1873. WINAPI
  1874. CryptSignAndEncodeCertificate(
  1875. IN HCRYPTPROV hCryptProv,
  1876. IN DWORD dwKeySpec,
  1877. IN DWORD dwCertEncodingType,
  1878. IN LPCSTR lpszStructType,
  1879. IN const void *pvStructInfo,
  1880. IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  1881. IN OPTIONAL const void *pvHashAuxInfo,
  1882. OUT BYTE *pbEncoded,
  1883. IN OUT DWORD *pcbEncoded
  1884. )
  1885. {
  1886. BOOL fResult;
  1887. CERT_SIGNED_CONTENT_INFO SignedInfo;
  1888. memset(&SignedInfo, 0, sizeof(SignedInfo));
  1890. SignedInfo.SignatureAlgorithm = *pSignatureAlgorithm;
  1892. if (!AllocAndEncodeObject(
  1893. dwCertEncodingType,
  1894. lpszStructType,
  1895. pvStructInfo,
  1896. &SignedInfo.ToBeSigned.pbData,
  1897. &SignedInfo.ToBeSigned.cbData
  1898. )) goto ErrorReturn;
  1900. CryptSignCertificate(
  1901. hCryptProv,
  1902. dwKeySpec,
  1903. dwCertEncodingType,
  1904. SignedInfo.ToBeSigned.pbData,
  1905. SignedInfo.ToBeSigned.cbData,
  1906. &SignedInfo.SignatureAlgorithm,
  1907. pvHashAuxInfo,
  1908. NULL, // pbSignature
  1909. &SignedInfo.Signature.cbData
  1910. );
  1911. if (SignedInfo.Signature.cbData == 0) goto ErrorReturn;
  1912. SignedInfo.Signature.pbData =
  1913. (BYTE *) PkiNonzeroAlloc(SignedInfo.Signature.cbData);
  1914. if (SignedInfo.Signature.pbData == NULL) goto ErrorReturn;
  1915. if (pbEncoded) {
  1916. if (!CryptSignCertificate(
  1917. hCryptProv,
  1918. dwKeySpec,
  1919. dwCertEncodingType,
  1920. SignedInfo.ToBeSigned.pbData,
  1921. SignedInfo.ToBeSigned.cbData,
  1922. &SignedInfo.SignatureAlgorithm,
  1923. pvHashAuxInfo,
  1924. SignedInfo.Signature.pbData,
  1925. &SignedInfo.Signature.cbData
  1926. )) goto ErrorReturn;
  1927. }
  1929. fResult = CryptEncodeObject(
  1930. dwCertEncodingType,
  1931. X509_CERT,
  1932. &SignedInfo,
  1933. pbEncoded,
  1934. pcbEncoded
  1935. );
  1936. if (!fResult && *pcbEncoded) {
  1937. *pcbEncoded += AdjustForMaximumEncodedSignatureLength(
  1938. &SignedInfo.SignatureAlgorithm,
  1939. SignedInfo.Signature.cbData
  1940. );
  1941. }
  1943. CommonReturn:
  1944. PkiFree(SignedInfo.ToBeSigned.pbData);
  1945. PkiFree(SignedInfo.Signature.pbData);
  1946. return fResult;
  1948. ErrorReturn:
  1949. fResult = FALSE;
  1950. *pcbEncoded = 0;
  1951. goto CommonReturn;
  1952. }
  1955. //+-------------------------------------------------------------------------
  1956. // Verify the time validity of a certificate.
  1957. //
  1958. // Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
  1959. // a valid certificate
  1960. //
  1961. // If pTimeToVerify is NULL, uses the current time.
  1962. //--------------------------------------------------------------------------
  1963. LONG
  1964. WINAPI
  1965. CertVerifyTimeValidity(
  1966. IN LPFILETIME pTimeToVerify,
  1967. IN PCERT_INFO pCertInfo
  1968. )
  1969. {
  1970. SYSTEMTIME SystemTime;
  1971. FILETIME FileTime;
  1972. LPFILETIME pFileTime;
  1974. if (pTimeToVerify)
  1975. pFileTime = pTimeToVerify;
  1976. else {
  1977. GetSystemTime(&SystemTime);
  1978. SystemTimeToFileTime(&SystemTime, &FileTime);
  1979. pFileTime = &FileTime;
  1980. }
  1982. if (CompareFileTime(pFileTime, &pCertInfo->NotBefore) < 0)
  1983. return -1;
  1984. else if (CompareFileTime(pFileTime, &pCertInfo->NotAfter) > 0)
  1985. return 1;
  1986. else
  1987. return 0;
  1988. }
  1991. //+-------------------------------------------------------------------------
  1992. // Verify the time validity of a CRL.
  1993. //
  1994. // Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
  1995. // a valid CRL
  1996. //
  1997. // If pTimeToVerify is NULL, uses the current time.
  1998. //--------------------------------------------------------------------------
  1999. LONG
  2000. WINAPI
  2001. CertVerifyCRLTimeValidity(
  2002. IN LPFILETIME pTimeToVerify,
  2003. IN PCRL_INFO pCrlInfo
  2004. )
  2005. {
  2006. SYSTEMTIME SystemTime;
  2007. FILETIME FileTime;
  2008. LPFILETIME pFileTime;
  2010. if (pTimeToVerify)
  2011. pFileTime = pTimeToVerify;
  2012. else {
  2013. GetSystemTime(&SystemTime);
  2014. SystemTimeToFileTime(&SystemTime, &FileTime);
  2015. pFileTime = &FileTime;
  2016. }
  2018. // Note, NextUpdate is optional. When not present, set to 0
  2019. if (CompareFileTime(pFileTime, &pCrlInfo->ThisUpdate) < 0)
  2020. return -1;
  2021. else if ((pCrlInfo->NextUpdate.dwLowDateTime ||
  2022. pCrlInfo->NextUpdate.dwHighDateTime) &&
  2023. CompareFileTime(pFileTime, &pCrlInfo->NextUpdate) > 0)
  2024. return 1;
  2025. else
  2026. return 0;
  2027. }
  2029. //+-------------------------------------------------------------------------
  2030. // Verify that the subject's time validity nests within the issuer's time
  2031. // validity.
  2032. //
  2033. // Returns TRUE if it nests. Otherwise, returns FALSE.
  2034. //--------------------------------------------------------------------------
  2035. BOOL
  2036. WINAPI
  2037. CertVerifyValidityNesting(
  2038. IN PCERT_INFO pSubjectInfo,
  2039. IN PCERT_INFO pIssuerInfo
  2040. )
  2041. {
  2042. if ((CompareFileTime(&pSubjectInfo->NotBefore,
  2043. &pIssuerInfo->NotBefore) >= 0) &&
  2044. (CompareFileTime(&pSubjectInfo->NotAfter,
  2045. &pIssuerInfo->NotAfter) <= 0))
  2046. return TRUE;
  2047. else
  2048. return FALSE;
  2049. }
  2051. //+-------------------------------------------------------------------------
  2052. // Verify that the subject certificate isn't on its issuer CRL.
  2053. //
  2054. // Returns true if the certificate isn't on the CRL.
  2055. //--------------------------------------------------------------------------
  2056. BOOL
  2057. WINAPI
  2058. CertVerifyCRLRevocation(
  2059. IN DWORD dwCertEncodingType,
  2060. IN PCERT_INFO pCertId, // Only the Issuer and SerialNumber
  2061. // fields are used
  2062. IN DWORD cCrlInfo,
  2063. IN PCRL_INFO rgpCrlInfo[]
  2064. )
  2065. {
  2066. DWORD InfoIdx;
  2068. for (InfoIdx = 0; InfoIdx < cCrlInfo; InfoIdx++) {
  2069. DWORD cEntry = rgpCrlInfo[InfoIdx]->cCRLEntry;
  2070. PCRL_ENTRY rgEntry = rgpCrlInfo[InfoIdx]->rgCRLEntry;
  2071. DWORD EntryIdx;
  2073. for (EntryIdx = 0; EntryIdx < cEntry; EntryIdx++) {
  2074. if (CertCompareIntegerBlob(&rgEntry[EntryIdx].SerialNumber,
  2075. &pCertId->SerialNumber))
  2076. // It has been revoked!!!
  2077. return FALSE;
  2078. }
  2079. }
  2081. return TRUE;
  2082. }
  2084. //+-------------------------------------------------------------------------
  2085. // Convert the CAPI AlgId to the ASN.1 Object Identifier string
  2086. //
  2087. // Returns NULL if there isn't an ObjId corresponding to the AlgId.
  2088. //--------------------------------------------------------------------------
  2089. LPCSTR
  2090. WINAPI
  2091. CertAlgIdToOID(
  2092. IN DWORD dwAlgId
  2093. )
  2094. {
  2095. DWORD dwGroupId;
  2097. for (dwGroupId = CRYPT_FIRST_ALG_OID_GROUP_ID;
  2098. dwGroupId <= CRYPT_LAST_ALG_OID_GROUP_ID; dwGroupId++) {
  2099. PCCRYPT_OID_INFO pInfo;
  2100. if (pInfo = CryptFindOIDInfo(
  2101. CRYPT_OID_INFO_ALGID_KEY,
  2102. &dwAlgId,
  2103. dwGroupId
  2104. ))
  2105. return pInfo->pszOID;
  2106. }
  2107. return NULL;
  2108. }
  2110. //+-------------------------------------------------------------------------
  2111. // Convert the ASN.1 Object Identifier string to the CAPI AlgId.
  2112. //
  2113. // Returns 0 if there isn't an AlgId corresponding to the ObjId.
  2114. //--------------------------------------------------------------------------
  2115. DWORD
  2116. WINAPI
  2117. CertOIDToAlgId(
  2118. IN LPCSTR pszObjId
  2119. )
  2120. {
  2121. DWORD dwGroupId;
  2123. for (dwGroupId = CRYPT_FIRST_ALG_OID_GROUP_ID;
  2124. dwGroupId <= CRYPT_LAST_ALG_OID_GROUP_ID; dwGroupId++) {
  2125. PCCRYPT_OID_INFO pInfo;
  2126. if (pInfo = CryptFindOIDInfo(
  2127. CRYPT_OID_INFO_OID_KEY,
  2128. (void *) pszObjId,
  2129. dwGroupId
  2130. ))
  2131. return pInfo->Algid;
  2132. }
  2133. return 0;
  2134. }
  2136. //+-------------------------------------------------------------------------
  2137. // Find an extension identified by its Object Identifier.
  2138. //
  2139. // If found, returns pointer to the extension. Otherwise, returns NULL.
  2140. //--------------------------------------------------------------------------
  2141. PCERT_EXTENSION
  2142. WINAPI
  2143. CertFindExtension(
  2144. IN LPCSTR pszObjId,
  2145. IN DWORD cExtensions,
  2146. IN CERT_EXTENSION rgExtensions[]
  2147. )
  2148. {
  2149. for (; cExtensions > 0; cExtensions--, rgExtensions++) {
  2150. if (strcmp(pszObjId, rgExtensions->pszObjId) == 0)
  2151. return rgExtensions;
  2152. }
  2153. return NULL;
  2154. }
  2156. //+-------------------------------------------------------------------------
  2157. // Find the first attribute identified by its Object Identifier.
  2158. //
  2159. // If found, returns pointer to the attribute. Otherwise, returns NULL.
  2160. //--------------------------------------------------------------------------
  2161. PCRYPT_ATTRIBUTE
  2162. WINAPI
  2163. CertFindAttribute(
  2164. IN LPCSTR pszObjId,
  2165. IN DWORD cAttr,
  2166. IN CRYPT_ATTRIBUTE rgAttr[]
  2167. )
  2168. {
  2169. for (; cAttr > 0; cAttr--, rgAttr++) {
  2170. if (strcmp(pszObjId, rgAttr->pszObjId) == 0)
  2171. return rgAttr;
  2172. }
  2173. return NULL;
  2174. }
  2176. //+-------------------------------------------------------------------------
  2177. // Find the first CERT_RDN attribute identified by its Object Identifier in
  2178. // the name's list of Relative Distinguished Names.
  2179. //
  2180. // If found, returns pointer to the attribute. Otherwise, returns NULL.
  2181. //--------------------------------------------------------------------------
  2182. PCERT_RDN_ATTR
  2183. WINAPI
  2184. CertFindRDNAttr(
  2185. IN LPCSTR pszObjId,
  2186. IN PCERT_NAME_INFO pName
  2187. )
  2188. {
  2189. DWORD cRDN = pName->cRDN;
  2190. PCERT_RDN pRDN = pName->rgRDN;
  2191. for ( ; cRDN > 0; cRDN--, pRDN++) {
  2192. DWORD cRDNAttr = pRDN->cRDNAttr;
  2193. PCERT_RDN_ATTR pRDNAttr = pRDN->rgRDNAttr;
  2194. for (; cRDNAttr > 0; cRDNAttr--, pRDNAttr++) {
  2195. if (strcmp(pszObjId, pRDNAttr->pszObjId) == 0)
  2196. return pRDNAttr;
  2197. }
  2198. }
  2199. return NULL;
  2200. }
  2202. //+-------------------------------------------------------------------------
  2203. // Get the intended key usage bytes from the certificate.
  2204. //
  2205. // If the certificate doesn't have any intended key usage bytes, returns FALSE
  2206. // and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
  2207. // cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
  2208. // bytes are zeroed.
  2209. //--------------------------------------------------------------------------
  2210. BOOL
  2211. WINAPI
  2212. CertGetIntendedKeyUsage(
  2213. IN DWORD dwCertEncodingType,
  2214. IN PCERT_INFO pCertInfo,
  2215. OUT BYTE *pbKeyUsage,
  2216. IN DWORD cbKeyUsage
  2217. )
  2218. {
  2219. BOOL fResult;
  2220. DWORD cbData;
  2221. PCERT_EXTENSION pExt;
  2222. PCERT_KEY_ATTRIBUTES_INFO pKeyAttrInfo = NULL;
  2223. PCRYPT_BIT_BLOB pAllocKeyUsage = NULL;
  2224. PCRYPT_BIT_BLOB pKeyUsage = NULL; // not allocated
  2226. // First see if the certificate has the simple Key Usage Extension
  2227. if (NULL != (pExt = CertFindExtension(
  2228. szOID_KEY_USAGE,
  2229. pCertInfo->cExtension,
  2230. pCertInfo->rgExtension
  2231. )) &&
  2232. NULL != (pAllocKeyUsage =
  2233. (PCRYPT_BIT_BLOB) AllocAndDecodeObject(
  2234. dwCertEncodingType,
  2235. X509_KEY_USAGE,
  2236. pExt->Value.pbData,
  2237. pExt->Value.cbData
  2238. )))
  2239. pKeyUsage = pAllocKeyUsage;
  2240. else {
  2241. pExt = CertFindExtension(
  2242. szOID_KEY_ATTRIBUTES,
  2243. pCertInfo->cExtension,
  2244. pCertInfo->rgExtension
  2245. );
  2246. if (pExt == NULL) goto GetError;
  2248. if (NULL == (pKeyAttrInfo =
  2249. (PCERT_KEY_ATTRIBUTES_INFO) AllocAndDecodeObject(
  2250. dwCertEncodingType,
  2251. X509_KEY_ATTRIBUTES,
  2252. pExt->Value.pbData,
  2253. pExt->Value.cbData
  2254. ))) goto ErrorReturn;
  2255. pKeyUsage = &pKeyAttrInfo->IntendedKeyUsage;
  2256. }
  2258. if (pKeyUsage->cbData == 0 || cbKeyUsage == 0)
  2259. goto GetError;
  2261. cbData = min(pKeyUsage->cbData, cbKeyUsage);
  2262. memcpy(pbKeyUsage, pKeyUsage->pbData, cbData);
  2263. fResult = TRUE;
  2264. goto CommonReturn;
  2266. GetError:
  2267. SetLastError(0);
  2268. ErrorReturn:
  2269. fResult = FALSE;
  2270. cbData = 0;
  2271. CommonReturn:
  2272. PkiFree(pAllocKeyUsage);
  2273. PkiFree(pKeyAttrInfo);
  2274. if (cbData < cbKeyUsage)
  2275. memset(pbKeyUsage + cbData, 0, cbKeyUsage - cbData);
  2276. return fResult;
  2277. }
  2279. static DWORD GetYPublicKeyLength(
  2280. IN DWORD dwCertEncodingType,
  2281. IN PCERT_PUBLIC_KEY_INFO pPublicKeyInfo
  2282. )
  2283. {
  2284. PCRYPT_UINT_BLOB pY = NULL;
  2285. DWORD dwBitLen;
  2287. if (NULL == (pY = (PCRYPT_UINT_BLOB) AllocAndDecodeObject(
  2288. dwCertEncodingType,
  2289. X509_MULTI_BYTE_UINT,
  2290. pPublicKeyInfo->PublicKey.pbData,
  2291. pPublicKeyInfo->PublicKey.cbData
  2292. ))) goto DecodePubKeyError;
  2294. dwBitLen = pY->cbData * 8;
  2296. CommonReturn:
  2297. PkiFree(pY);
  2298. return dwBitLen;
  2299. ErrorReturn:
  2300. dwBitLen = 0;
  2301. goto CommonReturn;
  2303. TRACE_ERROR(DecodePubKeyError)
  2304. }
  2306. // If there are parameters, use the length of the 'P' parameter. Otherwise,
  2307. // use the length of Y. Note, P's MSB must be set. Y's MSB may not be set.
  2308. static DWORD GetDHPublicKeyLength(
  2309. IN DWORD dwCertEncodingType,
  2310. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  2311. )
  2312. {
  2313. PCERT_X942_DH_PARAMETERS pDhParameters = NULL;
  2314. DWORD dwBitLen;
  2316. if (0 == pPublicKey->Algorithm.Parameters.cbData)
  2317. goto NoDhParametersError;
  2318. if (NULL == (pDhParameters =
  2319. (PCERT_X942_DH_PARAMETERS) AllocAndDecodeObject(
  2320. dwCertEncodingType,
  2321. X942_DH_PARAMETERS,
  2322. pPublicKey->Algorithm.Parameters.pbData,
  2323. pPublicKey->Algorithm.Parameters.cbData
  2324. ))) goto DecodeParametersError;
  2326. dwBitLen = pDhParameters->p.cbData * 8;
  2328. CommonReturn:
  2329. PkiFree(pDhParameters);
  2330. return dwBitLen;
  2331. ErrorReturn:
  2332. dwBitLen = GetYPublicKeyLength(dwCertEncodingType, pPublicKey);
  2333. goto CommonReturn;
  2335. TRACE_ERROR(NoDhParametersError)
  2336. TRACE_ERROR(DecodeParametersError)
  2337. }
  2339. // If there are parameters, use the length of the 'P' parameter. Otherwise,
  2340. // use the length of Y. Note, P's MSB must be set. Y's MSB may not be set.
  2341. static DWORD GetDSSPublicKeyLength(
  2342. IN DWORD dwCertEncodingType,
  2343. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  2344. )
  2345. {
  2346. PCERT_DSS_PARAMETERS pDssParameters = NULL;
  2347. DWORD dwBitLen;
  2349. if (0 == pPublicKey->Algorithm.Parameters.cbData)
  2350. goto NoDssParametersError;
  2351. if (NULL == (pDssParameters = (PCERT_DSS_PARAMETERS) AllocAndDecodeObject(
  2352. dwCertEncodingType,
  2353. X509_DSS_PARAMETERS,
  2354. pPublicKey->Algorithm.Parameters.pbData,
  2355. pPublicKey->Algorithm.Parameters.cbData
  2356. ))) goto DecodeParametersError;
  2358. dwBitLen = pDssParameters->p.cbData * 8;
  2360. CommonReturn:
  2361. PkiFree(pDssParameters);
  2362. return dwBitLen;
  2363. ErrorReturn:
  2364. dwBitLen = GetYPublicKeyLength(dwCertEncodingType, pPublicKey);
  2365. goto CommonReturn;
  2367. TRACE_ERROR(NoDssParametersError)
  2368. TRACE_ERROR(DecodeParametersError)
  2369. }
  2371. //+-------------------------------------------------------------------------
  2372. // Get the public/private key's bit length.
  2373. //
  2374. // Returns 0 if unable to determine the key's length.
  2375. //--------------------------------------------------------------------------
  2376. DWORD
  2377. WINAPI
  2378. CertGetPublicKeyLength(
  2379. IN DWORD dwCertEncodingType,
  2380. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  2381. )
  2382. {
  2383. DWORD dwErr = 0;
  2384. DWORD dwBitLen;
  2385. ALG_ID aiPubKey;
  2386. PCCRYPT_OID_INFO pOIDInfo;
  2387. HCRYPTPROV hCryptProv; // don't need to release
  2388. HCRYPTKEY hPubKey = 0;
  2389. DWORD cbData;
  2391. if (pOIDInfo = CryptFindOIDInfo(
  2392. CRYPT_OID_INFO_OID_KEY,
  2393. pPublicKey->Algorithm.pszObjId,
  2394. CRYPT_PUBKEY_ALG_OID_GROUP_ID))
  2395. aiPubKey = pOIDInfo->Algid;
  2396. else
  2397. aiPubKey = 0;
  2399. if (aiPubKey == CALG_DH_SF || aiPubKey == CALG_DH_EPHEM)
  2400. return GetDHPublicKeyLength(
  2401. dwCertEncodingType,
  2402. pPublicKey
  2403. );
  2405. if (aiPubKey == CALG_DSS_SIGN)
  2406. return GetDSSPublicKeyLength(
  2407. dwCertEncodingType,
  2408. pPublicKey
  2409. );
  2411. if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(aiPubKey)))
  2412. goto GetDefaultCryptProvError;
  2413. if (!CryptImportPublicKeyInfo(
  2414. hCryptProv,
  2415. dwCertEncodingType,
  2416. pPublicKey,
  2417. &hPubKey
  2418. )) goto ImportPublicKeyError;
  2420. cbData = sizeof(dwBitLen);
  2421. if (CryptGetKeyParam(
  2422. hPubKey,
  2423. KP_KEYLEN,
  2424. (BYTE *) &dwBitLen,
  2425. &cbData,
  2426. 0)) // dwFlags
  2427. goto CommonReturn;
  2429. cbData = sizeof(dwBitLen);
  2430. if (CryptGetKeyParam(
  2431. hPubKey,
  2432. KP_BLOCKLEN,
  2433. (BYTE *) &dwBitLen,
  2434. &cbData,
  2435. 0)) // dwFlags
  2436. goto CommonReturn;
  2439. {
  2440. // The CSP should have supported one of the above
  2442. // Export the public key and look at the bitlen field.
  2443. // The CAPI public key representation consists of the following
  2444. // sequence:
  2445. // - PUBLICKEYSTRUC
  2446. // - DSSPUBKEY | RSAPUBKEY (DSSPUBKEY is subset of RSAPUBKEY)
  2447. // ...
  2449. BYTE *pbPubKey = NULL;
  2450. DWORD cbPubKey;
  2452. dwBitLen = 0;
  2453. dwErr = GetLastError();
  2454. cbPubKey = 0;
  2455. if (CryptExportKey(
  2456. hPubKey,
  2457. 0, // hPubKey
  2458. PUBLICKEYBLOB,
  2459. 0, // dwFlags
  2460. NULL, // pbData
  2461. &cbPubKey
  2462. ) &&
  2463. cbPubKey >= (sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY)) &&
  2464. NULL != (pbPubKey = (BYTE *) PkiNonzeroAlloc(cbPubKey))) {
  2465. if (CryptExportKey(
  2466. hPubKey,
  2467. 0, // hPubKey
  2468. PUBLICKEYBLOB,
  2469. 0, // dwFlags
  2470. pbPubKey,
  2471. &cbPubKey
  2472. )) {
  2473. DSSPUBKEY *pPubKey =
  2474. (DSSPUBKEY *) (pbPubKey + sizeof(PUBLICKEYSTRUC));
  2475. dwBitLen = pPubKey->bitlen;
  2476. }
  2477. PkiFree(pbPubKey);
  2478. }
  2479. if (0 != dwBitLen)
  2480. goto CommonReturn;
  2481. SetLastError(dwErr);
  2482. goto GetKeyParamError;
  2483. }
  2485. CommonReturn:
  2486. if (hPubKey)
  2487. CryptDestroyKey(hPubKey);
  2488. SetLastError(dwErr);
  2489. return dwBitLen;
  2490. ErrorReturn:
  2491. dwBitLen = 0;
  2492. dwErr = GetLastError();
  2493. goto CommonReturn;
  2494. TRACE_ERROR(GetDefaultCryptProvError)
  2495. TRACE_ERROR(ImportPublicKeyError)
  2496. TRACE_ERROR(GetKeyParamError)
  2497. }
  2499. //+-------------------------------------------------------------------------
  2500. // Compute the hash of the encoded public key info.
  2501. //
  2502. // The public key info is encoded and then hashed.
  2503. //--------------------------------------------------------------------------
  2504. BOOL
  2505. WINAPI
  2506. CryptHashPublicKeyInfo(
  2507. IN HCRYPTPROV hCryptProv,
  2508. IN ALG_ID Algid,
  2509. IN DWORD dwFlags,
  2510. IN DWORD dwCertEncodingType,
  2511. IN PCERT_PUBLIC_KEY_INFO pInfo,
  2512. OUT BYTE *pbComputedHash,
  2513. IN OUT DWORD *pcbComputedHash
  2514. )
  2515. {
  2516. BOOL fResult;
  2517. BYTE *pbEncoded = NULL;
  2518. DWORD cbEncoded;
  2520. if (!AllocAndEncodeObject(
  2521. dwCertEncodingType,
  2522. X509_PUBLIC_KEY_INFO,
  2523. pInfo,
  2524. &pbEncoded,
  2525. &cbEncoded
  2526. ))
  2527. goto ErrorReturn;
  2529. fResult = CryptHashCertificate(
  2530. hCryptProv,
  2531. Algid ? Algid : CALG_MD5,
  2532. dwFlags,
  2533. pbEncoded,
  2534. cbEncoded,
  2535. pbComputedHash,
  2536. pcbComputedHash
  2537. );
  2538. goto CommonReturn;
  2540. ErrorReturn:
  2541. fResult = FALSE;
  2542. *pcbComputedHash = 0;
  2544. CommonReturn:
  2545. PkiFree(pbEncoded);
  2546. return fResult;
  2547. }
  2551. //+-------------------------------------------------------------------------
  2552. // Compares the certificate's public key with the provider's public key
  2553. // to see if they are identical.
  2554. //
  2555. // Returns TRUE if the keys are identical.
  2556. //--------------------------------------------------------------------------
  2557. BOOL
  2558. WINAPI
  2559. I_CertCompareCertAndProviderPublicKey(
  2560. IN PCCERT_CONTEXT pCert,
  2561. IN HCRYPTPROV hProv,
  2562. IN DWORD dwKeySpec
  2563. )
  2564. {
  2565. BOOL fResult;
  2566. PCERT_PUBLIC_KEY_INFO pProvPubKeyInfo = NULL;
  2567. DWORD cbProvPubKeyInfo;
  2568. DWORD dwCertEncodingType = pCert->dwCertEncodingType;
  2570. // Get provider's public key
  2571. if (!CryptExportPublicKeyInfo(
  2572. hProv,
  2573. dwKeySpec,
  2574. dwCertEncodingType,
  2575. NULL, // pProvPubKeyInfo
  2576. &cbProvPubKeyInfo
  2577. ))
  2578. goto ExportPublicKeyInfoError;
  2579. assert(cbProvPubKeyInfo);
  2580. if (NULL == (pProvPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) PkiNonzeroAlloc(
  2581. cbProvPubKeyInfo)))
  2582. goto OutOfMemory;
  2583. if (!CryptExportPublicKeyInfo(
  2584. hProv,
  2585. dwKeySpec,
  2586. dwCertEncodingType,
  2587. pProvPubKeyInfo,
  2588. &cbProvPubKeyInfo
  2589. ))
  2590. goto ExportPublicKeyInfoError;
  2592. if (!CertComparePublicKeyInfo(
  2593. dwCertEncodingType,
  2594. &pCert->pCertInfo->SubjectPublicKeyInfo,
  2595. pProvPubKeyInfo
  2596. ))
  2597. goto ComparePublicKeyError;
  2599. fResult = TRUE;
  2600. CommonReturn:
  2601. PkiFree(pProvPubKeyInfo);
  2602. return fResult;
  2603. ErrorReturn:
  2604. fResult = FALSE;
  2605. goto CommonReturn;
  2607. TRACE_ERROR(ExportPublicKeyInfoError)
  2608. TRACE_ERROR(OutOfMemory)
  2609. SET_ERROR(ComparePublicKeyError, NTE_BAD_PUBLIC_KEY)
  2610. }
  2612. //+=========================================================================
  2613. // CryptFindCertificateKeyProvInfo Support Functions
  2614. //-=========================================================================
  2615. static BOOL HasValidKeyProvInfo(
  2616. IN PCCERT_CONTEXT pCert,
  2617. IN DWORD dwFindKeySetFlags
  2618. )
  2619. {
  2620. BOOL fResult;
  2621. PCRYPT_KEY_PROV_INFO pKeyProvInfo = NULL;
  2622. HCRYPTPROV hProv = 0;
  2623. DWORD cbData;
  2624. DWORD dwAcquireFlags;
  2626. if (!CertGetCertificateContextProperty(
  2627. pCert,
  2628. CERT_KEY_PROV_INFO_PROP_ID,
  2629. NULL, // pvData
  2630. &cbData
  2631. ))
  2632. return FALSE;
  2633. if (NULL == (pKeyProvInfo = (PCRYPT_KEY_PROV_INFO) PkiNonzeroAlloc(
  2634. cbData)))
  2635. goto OutOfMemory;
  2636. if (!CertGetCertificateContextProperty(
  2637. pCert,
  2638. CERT_KEY_PROV_INFO_PROP_ID,
  2639. pKeyProvInfo,
  2640. &cbData
  2641. ))
  2642. goto GetKeyProvInfoPropertyError;
  2644. if (pKeyProvInfo->dwFlags & CRYPT_MACHINE_KEYSET) {
  2645. if (0 == (dwFindKeySetFlags & CRYPT_FIND_MACHINE_KEYSET_FLAG))
  2646. goto NotUserContainer;
  2647. } else {
  2648. if (0 == (dwFindKeySetFlags & CRYPT_FIND_USER_KEYSET_FLAG))
  2649. goto NotMachineContainer;
  2650. }
  2652. dwAcquireFlags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG;
  2653. if (dwFindKeySetFlags & CRYPT_FIND_SILENT_KEYSET_FLAG)
  2654. dwAcquireFlags |= CRYPT_ACQUIRE_SILENT_FLAG;
  2656. if (!CryptAcquireCertificatePrivateKey(
  2657. pCert,
  2658. dwAcquireFlags,
  2659. NULL, // pvReserved
  2660. &hProv,
  2661. NULL, // pdwKeySpec
  2662. NULL // pfCallerFreeProv
  2663. ))
  2664. goto AcquireCertPrivateKeyError;
  2666. fResult = TRUE;
  2667. CommonReturn:
  2668. PkiFree(pKeyProvInfo);
  2669. if (hProv) {
  2670. DWORD dwErr = GetLastError();
  2671. CryptReleaseContext(hProv, 0);
  2672. SetLastError(dwErr);
  2673. }
  2674. return fResult;
  2675. ErrorReturn:
  2676. fResult = FALSE;
  2677. goto CommonReturn;
  2679. TRACE_ERROR(OutOfMemory)
  2680. TRACE_ERROR(GetKeyProvInfoPropertyError)
  2681. SET_ERROR(NotUserContainer, NTE_NOT_FOUND)
  2682. SET_ERROR(NotMachineContainer, NTE_NOT_FOUND)
  2683. TRACE_ERROR(AcquireCertPrivateKeyError)
  2684. }
  2687. // Default to Algid being supported. Only return FALSE if successfully
  2688. // enumerated all the provider algorithms and didn't find a match.
  2689. static BOOL IsPublicKeyAlgidSupported(
  2690. IN PCCERT_CONTEXT pCert,
  2691. IN HCRYPTPROV hProv,
  2692. IN ALG_ID aiPubKey
  2693. )
  2694. {
  2695. BOOL fResult;
  2696. DWORD dwErr;
  2697. BYTE *pbData = NULL;
  2698. DWORD cbMaxData;
  2699. DWORD cbData;
  2700. DWORD dwFlags;
  2702. if (0 == aiPubKey)
  2703. return TRUE;
  2705. // Get maximum length of provider algorithm parameter data
  2706. cbMaxData = 0;
  2707. if (!CryptGetProvParam(
  2708. hProv,
  2709. PP_ENUMALGS,
  2710. NULL, // pbData
  2711. &cbMaxData,
  2712. CRYPT_FIRST // dwFlags
  2713. )) {
  2714. dwErr = GetLastError();
  2715. if (ERROR_MORE_DATA != dwErr)
  2716. goto GetProvAlgParamError;
  2717. }
  2718. if (0 == cbMaxData)
  2719. goto NoProvAlgParamError;
  2720. if (NULL == (pbData = (BYTE *) PkiNonzeroAlloc(cbMaxData)))
  2721. goto OutOfMemory;
  2723. dwFlags = CRYPT_FIRST;
  2724. while (TRUE) {
  2725. ALG_ID aiProv;
  2727. cbData = cbMaxData;
  2728. if (!CryptGetProvParam(
  2729. hProv,
  2730. PP_ENUMALGS,
  2731. pbData,
  2732. &cbData,
  2733. dwFlags
  2734. )) {
  2735. dwErr = GetLastError();
  2736. if (ERROR_NO_MORE_ITEMS == dwErr) {
  2737. fResult = FALSE;
  2738. goto PublicKeyAlgidNotSupported;
  2739. } else
  2740. goto GetProvAlgParamError;
  2741. }
  2742. assert(cbData >= sizeof(ALG_ID));
  2743. aiProv = *(ALG_ID *) pbData;
  2744. // Don't distinguish between exchange or signature
  2745. if (GET_ALG_TYPE(aiPubKey) == GET_ALG_TYPE(aiProv))
  2746. break;
  2748. dwFlags = 0; // CRYPT_NEXT
  2749. }
  2750. fResult = TRUE;
  2752. PublicKeyAlgidNotSupported:
  2753. CommonReturn:
  2754. PkiFree(pbData);
  2755. return fResult;
  2756. ErrorReturn:
  2757. // For an error, assume the public key algorithm is supported.
  2758. fResult = TRUE;
  2759. goto CommonReturn;
  2761. SET_ERROR_VAR(GetProvAlgParamError, dwErr)
  2762. SET_ERROR(NoProvAlgParamError, NTE_NOT_FOUND)
  2763. TRACE_ERROR(OutOfMemory)
  2764. }
  2766. // For success, updates the certificate's KEY_PROV_INFO property
  2767. //
  2768. // If container isn't found, LastError is set to ERROR_NO_MORE_ITEMS.
  2769. //
  2770. static BOOL FindContainerAndSetKeyProvInfo(
  2771. IN PCCERT_CONTEXT pCert,
  2772. IN HCRYPTPROV hProv,
  2773. IN LPWSTR pwszProvName,
  2774. IN DWORD dwProvType,
  2775. IN DWORD dwProvFlags // CRYPT_MACHINE_KEYSET and/or CRYPT_SILENT
  2776. )
  2777. {
  2778. BOOL fResult;
  2779. DWORD dwEnumFlags;
  2780. DWORD dwEnumErr = 0;
  2781. DWORD dwAcquireErr = 0;
  2782. LPSTR pszContainerName = NULL;
  2783. DWORD cchContainerName;
  2784. DWORD cchMaxContainerName;
  2785. LPWSTR pwszContainerName = NULL;
  2787. // Get maximum container name length
  2788. cchMaxContainerName = 0;
  2789. if (!CryptGetProvParam(
  2790. hProv,
  2791. PP_ENUMCONTAINERS,
  2792. NULL, // pbData
  2793. &cchMaxContainerName,
  2794. CRYPT_FIRST
  2795. )) {
  2796. dwEnumErr = GetLastError();
  2797. if (ERROR_FILE_NOT_FOUND == dwEnumErr ||
  2798. ERROR_INVALID_PARAMETER == dwEnumErr)
  2799. goto PublicKeyContainerNotFound;
  2800. else if (ERROR_MORE_DATA != dwEnumErr)
  2801. goto EnumContainersError;
  2802. }
  2803. if (0 == cchMaxContainerName)
  2804. goto PublicKeyContainerNotFound;
  2805. if (NULL == (pszContainerName = (LPSTR) PkiNonzeroAlloc(
  2806. cchMaxContainerName + 1)))
  2807. goto OutOfMemory;
  2809. dwEnumFlags = CRYPT_FIRST;
  2810. while (TRUE) {
  2811. HCRYPTPROV hContainerProv = 0;
  2812. LPWSTR pwszAcquireProvName = pwszProvName;
  2814. cchContainerName = cchMaxContainerName;
  2815. if (!CryptGetProvParam(
  2816. hProv,
  2817. PP_ENUMCONTAINERS,
  2818. (BYTE *) pszContainerName,
  2819. &cchContainerName,
  2820. dwEnumFlags
  2821. )) {
  2822. dwEnumErr = GetLastError();
  2823. if (ERROR_NO_MORE_ITEMS == dwEnumErr ||
  2824. ERROR_FILE_NOT_FOUND == dwEnumErr) {
  2825. if (0 != dwAcquireErr)
  2826. goto CryptAcquireContextError;
  2827. else
  2828. goto PublicKeyContainerNotFound;
  2829. } else
  2830. goto EnumContainersError;
  2831. }
  2832. dwEnumFlags = 0; // CRYPT_NEXT
  2834. if (NULL == (pwszContainerName = MkWStr(pszContainerName)))
  2835. goto OutOfMemory;
  2837. // First try using enhanced providers for the base guys
  2838. if (PROV_RSA_FULL == dwProvType &&
  2839. 0 == _wcsicmp(pwszProvName, MS_DEF_PROV_W)) {
  2840. fResult = CryptAcquireContextU(
  2841. &hContainerProv,
  2842. pwszContainerName,
  2843. MS_ENHANCED_PROV_W,
  2844. PROV_RSA_FULL,
  2845. dwProvFlags
  2846. );
  2847. if (fResult)
  2848. pwszAcquireProvName = MS_ENHANCED_PROV_W;
  2849. } else if (PROV_DSS_DH == dwProvType &&
  2850. 0 == _wcsicmp(pwszProvName, MS_DEF_DSS_DH_PROV_W)) {
  2851. fResult = CryptAcquireContextU(
  2852. &hContainerProv,
  2853. pwszContainerName,
  2854. MS_ENH_DSS_DH_PROV_W,
  2855. PROV_DSS_DH,
  2856. dwProvFlags
  2857. );
  2858. if (fResult)
  2859. pwszAcquireProvName = MS_ENH_DSS_DH_PROV_W;
  2860. } else
  2861. fResult = FALSE;
  2863. if (!fResult)
  2864. fResult = CryptAcquireContextU(
  2865. &hContainerProv,
  2866. pwszContainerName,
  2867. pwszAcquireProvName,
  2868. dwProvType,
  2869. dwProvFlags
  2870. );
  2872. if (!fResult)
  2873. dwAcquireErr = GetLastError();
  2874. else {
  2875. DWORD dwKeySpec;
  2877. dwKeySpec = AT_KEYEXCHANGE;
  2878. fResult = FALSE;
  2879. while (TRUE) {
  2880. if (I_CertCompareCertAndProviderPublicKey(
  2881. pCert,
  2882. hContainerProv,
  2883. dwKeySpec
  2884. )) {
  2885. fResult = TRUE;
  2886. break;
  2887. } else if (AT_SIGNATURE == dwKeySpec)
  2888. break;
  2889. else
  2890. dwKeySpec = AT_SIGNATURE;
  2891. }
  2892. CryptReleaseContext(hContainerProv, 0);
  2894. if (fResult) {
  2895. CRYPT_KEY_PROV_INFO KeyProvInfo;
  2897. memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
  2898. KeyProvInfo.pwszContainerName = pwszContainerName;
  2899. KeyProvInfo.pwszProvName = pwszAcquireProvName;
  2900. KeyProvInfo.dwProvType = dwProvType;
  2901. KeyProvInfo.dwFlags = dwProvFlags & ~CRYPT_SILENT;
  2902. KeyProvInfo.dwKeySpec = dwKeySpec;
  2904. if (!CertSetCertificateContextProperty(
  2905. pCert,
  2906. CERT_KEY_PROV_INFO_PROP_ID,
  2907. 0, // dwFlags
  2908. &KeyProvInfo
  2909. ))
  2910. goto SetKeyProvInfoPropertyError;
  2911. else
  2912. goto SuccessReturn;
  2913. }
  2914. }
  2916. FreeWStr(pwszContainerName);
  2917. pwszContainerName = NULL;
  2918. }
  2920. goto UnexpectedError;
  2922. SuccessReturn:
  2923. fResult = TRUE;
  2924. CommonReturn:
  2925. PkiFree(pszContainerName);
  2926. FreeWStr(pwszContainerName);
  2927. return fResult;
  2928. ErrorReturn:
  2929. fResult = FALSE;
  2930. goto CommonReturn;
  2932. SET_ERROR_VAR(EnumContainersError, dwEnumErr)
  2933. TRACE_ERROR(OutOfMemory)
  2934. SET_ERROR_VAR(CryptAcquireContextError, dwAcquireErr)
  2935. SET_ERROR(PublicKeyContainerNotFound, ERROR_NO_MORE_ITEMS)
  2936. TRACE_ERROR(SetKeyProvInfoPropertyError)
  2937. SET_ERROR(UnexpectedError, E_UNEXPECTED)
  2938. }
  2940. //+-------------------------------------------------------------------------
  2941. // Enumerates the cryptographic providers and their containers to find the
  2942. // private key corresponding to the certificate's public key. For a match,
  2943. // the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
  2944. //
  2945. // If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to
  2946. // see if it matches the provider's public key. For a match, the above
  2947. // enumeration is skipped.
  2948. //
  2949. // By default both the user and machine key containers are searched.
  2950. // The CRYPT_FIND_USER_KEYSET_FLAG or CRYPT_FIND_MACHINE_KEYSET_FLAG
  2951. // can be set in dwFlags to restrict the search to either of the containers.
  2952. //
  2953. // The CRYPT_FIND_SILENT_KEYSET_FLAG can be set to suppress any UI by the CSP.
  2954. // See CryptAcquireContext's CRYPT_SILENT flag for more details.
  2955. //
  2956. // If a container isn't found, returns FALSE with LastError set to
  2957. // NTE_NO_KEY.
  2958. //--------------------------------------------------------------------------
  2959. BOOL
  2960. WINAPI
  2961. CryptFindCertificateKeyProvInfo(
  2962. IN PCCERT_CONTEXT pCert,
  2963. IN DWORD dwFlags,
  2964. IN void *pvReserved
  2965. )
  2966. {
  2967. BOOL fResult;
  2968. DWORD dwFindContainerErr = ERROR_NO_MORE_ITEMS;
  2969. DWORD dwAcquireErr = 0;
  2970. DWORD dwProvIndex;
  2971. PCCRYPT_OID_INFO pOIDInfo;
  2972. ALG_ID aiPubKey;
  2974. if (0 == (dwFlags &
  2975. (CRYPT_FIND_USER_KEYSET_FLAG | CRYPT_FIND_MACHINE_KEYSET_FLAG)))
  2976. dwFlags |=
  2977. CRYPT_FIND_USER_KEYSET_FLAG | CRYPT_FIND_MACHINE_KEYSET_FLAG;
  2979. if (HasValidKeyProvInfo(pCert, dwFlags))
  2980. return TRUE;
  2982. if (pOIDInfo = CryptFindOIDInfo(
  2983. CRYPT_OID_INFO_OID_KEY,
  2984. pCert->pCertInfo->SubjectPublicKeyInfo.Algorithm.pszObjId,
  2985. CRYPT_PUBKEY_ALG_OID_GROUP_ID
  2986. ))
  2987. aiPubKey = pOIDInfo->Algid;
  2988. else
  2989. aiPubKey = 0;
  2992. for (dwProvIndex = 0; TRUE; dwProvIndex++) {
  2993. LPWSTR pwszProvName;
  2994. DWORD cbProvName;
  2995. HCRYPTPROV hProv;
  2996. DWORD dwProvType;
  2998. cbProvName = 0;
  2999. dwProvType = 0;
  3000. if (!CryptEnumProvidersU(
  3001. dwProvIndex,
  3002. NULL, // pdwReserved
  3003. 0, // dwFlags
  3004. &dwProvType,
  3005. NULL, // pwszProvName,
  3006. &cbProvName
  3007. ) || 0 == cbProvName) {
  3008. if (0 == dwProvIndex)
  3009. goto EnumProvidersError;
  3010. else if (ERROR_NO_MORE_ITEMS != dwFindContainerErr)
  3011. goto FindContainerError;
  3012. else if (0 != dwAcquireErr)
  3013. goto CryptAcquireContextError;
  3014. else
  3015. goto KeyContainerNotFound;
  3016. }
  3017. if (NULL == (pwszProvName = (LPWSTR) PkiNonzeroAlloc(
  3018. (cbProvName + 1) * sizeof(WCHAR))))
  3019. goto OutOfMemory;
  3020. if (!CryptEnumProvidersU(
  3021. dwProvIndex,
  3022. NULL, // pdwReserved
  3023. 0, // dwFlags
  3024. &dwProvType,
  3025. pwszProvName,
  3026. &cbProvName
  3027. )) {
  3028. PkiFree(pwszProvName);
  3029. goto EnumProvidersError;
  3030. }
  3032. fResult = FALSE;
  3033. if (!CryptAcquireContextU(
  3034. &hProv,
  3035. NULL, // pwszContainerName,
  3036. pwszProvName,
  3037. dwProvType,
  3038. CRYPT_VERIFYCONTEXT // dwFlags
  3039. )) {
  3040. dwAcquireErr = GetLastError();
  3041. hProv = 0; // CAPI bug, sets hCryptProv to nonzero
  3042. } else if (IsPublicKeyAlgidSupported(
  3043. pCert,
  3044. hProv,
  3045. aiPubKey
  3046. )) {
  3047. DWORD dwSetProvFlags;
  3048. if (dwFlags & CRYPT_FIND_SILENT_KEYSET_FLAG)
  3049. dwSetProvFlags = CRYPT_SILENT;
  3050. else
  3051. dwSetProvFlags = 0;
  3053. if (dwFlags & CRYPT_FIND_USER_KEYSET_FLAG) {
  3054. if (FindContainerAndSetKeyProvInfo(
  3055. pCert,
  3056. hProv,
  3057. pwszProvName,
  3058. dwProvType,
  3059. dwSetProvFlags
  3060. ))
  3061. fResult = TRUE;
  3062. else if (ERROR_NO_MORE_ITEMS == dwFindContainerErr)
  3063. dwFindContainerErr = GetLastError();
  3064. }
  3066. if (!fResult && (dwFlags & CRYPT_FIND_MACHINE_KEYSET_FLAG)) {
  3067. CryptReleaseContext(hProv, 0);
  3069. if (!CryptAcquireContextU(
  3070. &hProv,
  3071. NULL, // pwszContainerName,
  3072. pwszProvName,
  3073. dwProvType,
  3074. CRYPT_VERIFYCONTEXT | CRYPT_MACHINE_KEYSET // dwFlags
  3075. )) {
  3076. dwAcquireErr = GetLastError();
  3077. hProv = 0; // CAPI bug, sets hCryptProv to nonzero
  3078. } else {
  3079. if (FindContainerAndSetKeyProvInfo(
  3080. pCert,
  3081. hProv,
  3082. pwszProvName,
  3083. dwProvType,
  3084. dwSetProvFlags | CRYPT_MACHINE_KEYSET
  3085. ))
  3086. fResult = TRUE;
  3087. else if (ERROR_NO_MORE_ITEMS == dwFindContainerErr)
  3088. dwFindContainerErr = GetLastError();
  3089. }
  3090. }
  3091. }
  3093. if (hProv)
  3094. CryptReleaseContext(hProv, 0);
  3095. PkiFree(pwszProvName);
  3096. if (fResult)
  3097. goto CommonReturn;
  3098. }
  3100. goto UnexpectedError;
  3102. CommonReturn:
  3103. return fResult;
  3104. ErrorReturn:
  3105. fResult = FALSE;
  3106. goto CommonReturn;
  3108. TRACE_ERROR(EnumProvidersError)
  3109. SET_ERROR(KeyContainerNotFound, NTE_NO_KEY)
  3110. SET_ERROR_VAR(FindContainerError, dwFindContainerErr)
  3111. SET_ERROR_VAR(CryptAcquireContextError, dwAcquireErr)
  3112. TRACE_ERROR(OutOfMemory)
  3113. SET_ERROR(UnexpectedError, E_UNEXPECTED)
  3114. }
  3118. //+=========================================================================
  3119. // CryptCreatePublicKeyInfo, EncodePublicKeyAndParameters
  3120. // and CryptConvertPublicKeyInfo functions
  3121. //-=========================================================================
  3123. static BOOL EncodePublicKeyInfo(
  3124. IN LPCSTR pszPubKeyOID,
  3125. IN BYTE *pbEncodedPubKey,
  3126. IN DWORD cbEncodedPubKey,
  3127. IN BYTE *pbEncodedParameters,
  3128. IN DWORD cbEncodedParameters,
  3129. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  3130. IN OUT DWORD *pcbInfo
  3131. )
  3132. {
  3133. BOOL fResult;
  3134. BYTE *pbExtra;
  3135. LONG lRemainExtra;
  3136. DWORD cbOID;
  3138. if (pInfo == NULL)
  3139. *pcbInfo = 0;
  3141. // for lRemainExtra < 0, LENGTH_ONLY calculation
  3142. lRemainExtra = (LONG) *pcbInfo - sizeof(CERT_PUBLIC_KEY_INFO);
  3143. if (lRemainExtra < 0)
  3144. pbExtra = NULL;
  3145. else
  3146. pbExtra = (BYTE *) pInfo + sizeof(CERT_PUBLIC_KEY_INFO);
  3148. cbOID = strlen(pszPubKeyOID) + 1;
  3149. lRemainExtra -= INFO_LEN_ALIGN(cbOID) +
  3150. INFO_LEN_ALIGN(cbEncodedParameters) + cbEncodedPubKey;
  3151. if (lRemainExtra >= 0) {
  3152. memset(pInfo, 0, sizeof(CERT_PUBLIC_KEY_INFO));
  3153. pInfo->Algorithm.pszObjId = (LPSTR) pbExtra;
  3154. memcpy(pbExtra, pszPubKeyOID, cbOID);
  3155. pbExtra += INFO_LEN_ALIGN(cbOID);
  3156. if (cbEncodedParameters) {
  3157. pInfo->Algorithm.Parameters.cbData = cbEncodedParameters;
  3158. pInfo->Algorithm.Parameters.pbData = pbExtra;
  3159. memcpy(pbExtra, pbEncodedParameters, cbEncodedParameters);
  3160. pbExtra += INFO_LEN_ALIGN(cbEncodedParameters);
  3161. }
  3163. pInfo->PublicKey.pbData = pbExtra;
  3164. pInfo->PublicKey.cbData = cbEncodedPubKey;
  3165. memcpy(pbExtra, pbEncodedPubKey, cbEncodedPubKey);
  3167. *pcbInfo = *pcbInfo - (DWORD) lRemainExtra;
  3168. } else {
  3169. *pcbInfo = *pcbInfo + (DWORD) -lRemainExtra;
  3170. if (pInfo) goto LengthError;
  3171. }
  3172. fResult = TRUE;
  3174. CommonReturn:
  3175. return fResult;
  3177. LengthError:
  3178. SetLastError((DWORD) ERROR_MORE_DATA);
  3179. fResult = FALSE;
  3180. goto CommonReturn;
  3181. }
  3183. // By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
  3184. // public key Object Identifier. pszPubKeyOID can be set to override
  3185. // the default OID obtained from the aiKeyAlg.
  3186. BOOL
  3187. WINAPI
  3188. CryptCreatePublicKeyInfo(
  3189. IN DWORD dwCertEncodingType,
  3190. IN OPTIONAL LPCSTR pszPubKeyOID,
  3191. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  3192. IN DWORD cbPubKeyStruc,
  3193. IN DWORD dwFlags,
  3194. IN OPTIONAL void *pvReserved,
  3195. OUT void *pvPubKeyInfo,
  3196. IN OUT DWORD *pcbPubKeyInfo
  3197. )
  3198. {
  3199. BOOL fResult;
  3200. void *pvFuncAddr;
  3201. HCRYPTOIDFUNCADDR hFuncAddr;
  3202. LPCSTR pszEncodePubKeyOID;
  3204. BYTE *pbEncodedPubKey = NULL;
  3205. DWORD cbEncodedPubKey = 0;
  3206. BYTE *pbEncodedParameters = NULL;
  3207. DWORD cbEncodedParameters = 0;
  3209. PCERT_PUBLIC_KEY_INFO pPubKeyInfo = NULL;
  3210. DWORD cbPubKeyInfo;
  3212. if (NULL == pszPubKeyOID) {
  3213. PCCRYPT_OID_INFO pInfo;
  3214. if (NULL == (pInfo = CryptFindOIDInfo(
  3215. CRYPT_OID_INFO_ALGID_KEY,
  3216. (void *) &pPubKeyStruc->aiKeyAlg,
  3217. CRYPT_PUBKEY_ALG_OID_GROUP_ID
  3218. )))
  3219. goto NoPubKeyOIDInfo;
  3220. pszEncodePubKeyOID = pInfo->pszOID;
  3221. } else
  3222. pszEncodePubKeyOID = pszPubKeyOID;
  3224. if (!CryptGetOIDFunctionAddress(
  3225. hEncodePubKeyFuncSet,
  3226. dwCertEncodingType,
  3227. pszEncodePubKeyOID,
  3228. 0, // dwFlags
  3229. &pvFuncAddr,
  3230. &hFuncAddr)) {
  3231. PCCRYPT_OID_INFO pInfo;
  3233. if (NULL == pszPubKeyOID)
  3234. goto NoEncodePubKeyFunction;
  3236. if (NULL == (pInfo = CryptFindOIDInfo(
  3237. CRYPT_OID_INFO_ALGID_KEY,
  3238. (void *) &pPubKeyStruc->aiKeyAlg,
  3239. CRYPT_PUBKEY_ALG_OID_GROUP_ID
  3240. )))
  3241. goto NoPubKeyOIDInfo;
  3242. pszEncodePubKeyOID = pInfo->pszOID;
  3244. if (!CryptGetOIDFunctionAddress(
  3245. hEncodePubKeyFuncSet,
  3246. dwCertEncodingType,
  3247. pszEncodePubKeyOID,
  3248. 0, // dwFlags
  3249. &pvFuncAddr,
  3250. &hFuncAddr))
  3251. goto NoEncodePubKeyFunction;
  3252. }
  3254. if (NULL == pszPubKeyOID)
  3255. pszPubKeyOID = pszEncodePubKeyOID;
  3257. fResult = ((PFN_CRYPT_ENCODE_PUBLIC_KEY_AND_PARAMETERS) pvFuncAddr)(
  3258. dwCertEncodingType,
  3259. pszPubKeyOID,
  3260. pPubKeyStruc,
  3261. cbPubKeyStruc,
  3262. dwFlags,
  3263. pvReserved,
  3264. &pbEncodedPubKey,
  3265. &cbEncodedPubKey,
  3266. &pbEncodedParameters,
  3267. &cbEncodedParameters
  3268. );
  3269. CryptFreeOIDFunctionAddress(hFuncAddr, 0);
  3270. if (!fResult)
  3271. goto EncodePubKeyAndParametersError;
  3273. if (dwFlags & CRYPT_ALLOC_FLAG) {
  3274. if (!EncodePublicKeyInfo(
  3275. pszPubKeyOID,
  3276. pbEncodedPubKey,
  3277. cbEncodedPubKey,
  3278. pbEncodedParameters,
  3279. cbEncodedParameters,
  3280. NULL, // pPubKeyInfo
  3281. &cbPubKeyInfo
  3282. ))
  3283. goto EncodePublicKeyInfoError;
  3284. if (NULL == (pPubKeyInfo =
  3285. (PCERT_PUBLIC_KEY_INFO) PkiDefaultCryptAlloc(cbPubKeyInfo)))
  3286. goto OutOfMemory;
  3287. *((PCERT_PUBLIC_KEY_INFO *) pvPubKeyInfo) = pPubKeyInfo;
  3288. } else {
  3289. pPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) pvPubKeyInfo;
  3290. cbPubKeyInfo = *pcbPubKeyInfo;
  3291. }
  3293. fResult = EncodePublicKeyInfo(
  3294. pszPubKeyOID,
  3295. pbEncodedPubKey,
  3296. cbEncodedPubKey,
  3297. pbEncodedParameters,
  3298. cbEncodedParameters,
  3299. pPubKeyInfo,
  3300. &cbPubKeyInfo
  3301. );
  3303. if (!fResult && (dwFlags & CRYPT_ALLOC_FLAG))
  3304. goto ErrorReturn;
  3306. CommonReturn:
  3307. PkiDefaultCryptFree(pbEncodedPubKey);
  3308. PkiDefaultCryptFree(pbEncodedParameters);
  3310. *pcbPubKeyInfo = cbPubKeyInfo;
  3311. return fResult;
  3312. ErrorReturn:
  3313. if (dwFlags & CRYPT_ALLOC_FLAG) {
  3314. PkiDefaultCryptFree(pPubKeyInfo);
  3315. *((void **) pvPubKeyInfo) = NULL;
  3316. }
  3317. cbPubKeyInfo = 0;
  3318. fResult = FALSE;
  3319. goto CommonReturn;
  3321. SET_ERROR(NoPubKeyOIDInfo, ERROR_FILE_NOT_FOUND)
  3322. TRACE_ERROR(NoEncodePubKeyFunction)
  3323. TRACE_ERROR(EncodePubKeyAndParametersError)
  3324. TRACE_ERROR(EncodePublicKeyInfoError)
  3325. TRACE_ERROR(OutOfMemory)
  3326. }
  3328. BOOL
  3329. WINAPI
  3330. CryptConvertPublicKeyInfo(
  3331. IN DWORD dwCertEncodingType,
  3332. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  3333. IN DWORD dwFlags,
  3334. IN OPTIONAL void *pvReserved,
  3335. OUT void *pvPubKeyStruc,
  3336. IN OUT DWORD *pcbPubKeyStruc
  3337. )
  3338. {
  3339. BOOL fResult;
  3340. void *pvFuncAddr;
  3341. HCRYPTOIDFUNCADDR hFuncAddr;
  3343. if (CryptGetOIDFunctionAddress(
  3344. hConvertPubKeyFuncSet,
  3345. dwCertEncodingType,
  3346. pPubKeyInfo->Algorithm.pszObjId,
  3347. 0, // dwFlags
  3348. &pvFuncAddr,
  3349. &hFuncAddr)) {
  3350. fResult = ((PFN_CRYPT_CONVERT_PUBLIC_KEY_INFO) pvFuncAddr)(
  3351. dwCertEncodingType,
  3352. pPubKeyInfo,
  3353. dwFlags,
  3354. pvReserved,
  3355. pvPubKeyStruc,
  3356. pcbPubKeyStruc
  3357. );
  3358. CryptFreeOIDFunctionAddress(hFuncAddr, 0);
  3359. } else {
  3360. ALG_ID aiPubKey;
  3361. PCCRYPT_OID_INFO pOIDInfo;
  3363. if (pOIDInfo = CryptFindOIDInfo(
  3364. CRYPT_OID_INFO_OID_KEY,
  3365. pPubKeyInfo->Algorithm.pszObjId,
  3366. CRYPT_PUBKEY_ALG_OID_GROUP_ID
  3367. ))
  3368. aiPubKey = pOIDInfo->Algid;
  3369. else
  3370. aiPubKey = 0;
  3372. switch (aiPubKey) {
  3373. case CALG_DSS_SIGN:
  3374. fResult = ConvertDSSPublicKeyInfo(
  3375. dwCertEncodingType,
  3376. pPubKeyInfo,
  3377. dwFlags,
  3378. pvReserved,
  3379. pvPubKeyStruc,
  3380. pcbPubKeyStruc
  3381. );
  3382. break;
  3383. default:
  3384. // Attempt to decode as a PKCS #1 RSA public key
  3385. fResult = ConvertRSAPublicKeyInfo(
  3386. dwCertEncodingType,
  3387. pPubKeyInfo,
  3388. dwFlags,
  3389. pvReserved,
  3390. pvPubKeyStruc,
  3391. pcbPubKeyStruc
  3392. );
  3393. break;
  3394. }
  3395. }
  3396. return fResult;
  3397. }
  3399. //+-------------------------------------------------------------------------
  3400. // Encode the RSA public key and parameters
  3401. //--------------------------------------------------------------------------
  3402. static BOOL WINAPI EncodeRSAPublicKeyAndParameters(
  3403. IN DWORD dwCertEncodingType,
  3404. IN OPTIONAL LPCSTR pszPubKeyOID,
  3405. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  3406. IN DWORD cbPubKeyStruc,
  3407. IN DWORD dwFlags,
  3408. IN OPTIONAL void *pvReserved,
  3409. OUT BYTE **ppbEncodedPubKey,
  3410. OUT DWORD *pcbEncodedPubKey,
  3411. OUT BYTE **ppbEncodedParameters,
  3412. OUT DWORD *pcbEncodedParameters
  3413. )
  3414. {
  3415. *ppbEncodedParameters = NULL;
  3416. *pcbEncodedParameters = 0;
  3418. return CryptEncodeObjectEx(
  3419. dwCertEncodingType,
  3420. RSA_CSP_PUBLICKEYBLOB,
  3421. pPubKeyStruc,
  3422. CRYPT_ENCODE_ALLOC_FLAG,
  3423. NULL, // pEncodePara
  3424. (void *) ppbEncodedPubKey,
  3425. pcbEncodedPubKey
  3426. );
  3427. }
  3429. //+-------------------------------------------------------------------------
  3430. // Convert as an RSA public key
  3431. //--------------------------------------------------------------------------
  3432. static BOOL WINAPI ConvertRSAPublicKeyInfo(
  3433. IN DWORD dwCertEncodingType,
  3434. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  3435. IN DWORD dwFlags,
  3436. IN OPTIONAL void *pvReserved,
  3437. OUT void *pvPubKeyStruc,
  3438. IN OUT DWORD *pcbPubKeyStruc
  3439. )
  3440. {
  3441. return CryptDecodeObjectEx(
  3442. dwCertEncodingType,
  3443. RSA_CSP_PUBLICKEYBLOB,
  3444. pPubKeyInfo->PublicKey.pbData,
  3445. pPubKeyInfo->PublicKey.cbData,
  3446. (dwFlags & CRYPT_ALLOC_FLAG) ? CRYPT_DECODE_ALLOC_FLAG : 0,
  3447. NULL, // pDecodePara,
  3448. pvPubKeyStruc,
  3449. pcbPubKeyStruc
  3450. );
  3451. }
  3453. #ifndef DSS1
  3454. #define DSS1 ((DWORD)'D'+((DWORD)'S'<<8)+((DWORD)'S'<<16)+((DWORD)'1'<<24))
  3455. #endif
  3457. #define DSS_Q_LEN 20
  3459. //+-------------------------------------------------------------------------
  3460. // Encode the DSS public key and parameters
  3461. //--------------------------------------------------------------------------
  3462. static BOOL WINAPI EncodeDSSPublicKeyAndParameters(
  3463. IN DWORD dwCertEncodingType,
  3464. IN OPTIONAL LPCSTR pszPubKeyOID,
  3465. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  3466. IN DWORD cbPubKeyStruc,
  3467. IN DWORD dwFlags,
  3468. IN OPTIONAL void *pvReserved,
  3469. OUT BYTE **ppbEncodedPubKey,
  3470. OUT DWORD *pcbEncodedPubKey,
  3471. OUT BYTE **ppbEncodedParameters,
  3472. OUT DWORD *pcbEncodedParameters
  3473. )
  3474. {
  3475. BOOL fResult;
  3476. BYTE *pbKeyBlob;
  3477. DSSPUBKEY *pCspPubKey;
  3478. DWORD cbKey;
  3479. BYTE *pbKey;
  3481. CERT_DSS_PARAMETERS DssParameters;
  3482. CRYPT_UINT_BLOB DssPubKey;
  3484. *ppbEncodedPubKey = NULL;
  3485. *ppbEncodedParameters = NULL;
  3487. // The CAPI public key representation consists of the following sequence:
  3488. // - PUBLICKEYSTRUC
  3489. // - DSSPUBKEY
  3490. // - rgbP[cbKey]
  3491. // - rgbQ[20]
  3492. // - rgbG[cbKey]
  3493. // - rgbY[cbKey]
  3494. // - DSSSEED
  3495. pbKeyBlob = (BYTE *) pPubKeyStruc;
  3496. pCspPubKey = (DSSPUBKEY *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
  3497. pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY);
  3498. cbKey = pCspPubKey->bitlen / 8;
  3500. assert(cbKey > 0);
  3501. assert(cbPubKeyStruc >= sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY) +
  3502. cbKey + DSS_Q_LEN + cbKey + cbKey + sizeof(DSSSEED));
  3503. assert(pPubKeyStruc->bType == PUBLICKEYBLOB);
  3504. assert(pPubKeyStruc->bVersion == CUR_BLOB_VERSION);
  3505. assert(pPubKeyStruc->aiKeyAlg == CALG_DSS_SIGN);
  3506. assert(pCspPubKey->magic == DSS1);
  3507. assert(pCspPubKey->bitlen % 8 == 0);
  3509. if (pPubKeyStruc->bType != PUBLICKEYBLOB)
  3510. goto InvalidArg;
  3512. // Initialize DSS parameters from CSP data structure
  3513. DssParameters.p.cbData = cbKey;
  3514. DssParameters.p.pbData = pbKey;
  3515. pbKey += cbKey;
  3516. DssParameters.q.cbData = DSS_Q_LEN;
  3517. DssParameters.q.pbData = pbKey;
  3518. pbKey += DSS_Q_LEN;
  3519. DssParameters.g.cbData = cbKey;
  3520. DssParameters.g.pbData = pbKey;
  3521. pbKey += cbKey;
  3523. // Initialize DSS public key from CSP data structure
  3524. DssPubKey.cbData = cbKey;
  3525. DssPubKey.pbData = pbKey;
  3527. // Encode the parameters and public key
  3528. if (!CryptEncodeObjectEx(
  3529. dwCertEncodingType,
  3530. X509_DSS_PARAMETERS,
  3531. &DssParameters,
  3532. CRYPT_ENCODE_ALLOC_FLAG,
  3533. NULL, // pEncodePara
  3534. (void *) ppbEncodedParameters,
  3535. pcbEncodedParameters
  3536. )) goto ErrorReturn;
  3538. if (!CryptEncodeObjectEx(
  3539. dwCertEncodingType,
  3540. X509_DSS_PUBLICKEY,
  3541. &DssPubKey,
  3542. CRYPT_ENCODE_ALLOC_FLAG,
  3543. NULL, // pEncodePara
  3544. (void *) ppbEncodedPubKey,
  3545. pcbEncodedPubKey
  3546. )) goto ErrorReturn;
  3548. fResult = TRUE;
  3549. CommonReturn:
  3550. return fResult;
  3552. ErrorReturn:
  3553. PkiDefaultCryptFree(*ppbEncodedParameters);
  3554. PkiDefaultCryptFree(*ppbEncodedPubKey);
  3555. *ppbEncodedParameters = NULL;
  3556. *ppbEncodedPubKey = NULL;
  3557. *pcbEncodedParameters = 0;
  3558. *pcbEncodedPubKey = 0;
  3559. fResult = FALSE;
  3560. goto CommonReturn;
  3561. SET_ERROR(InvalidArg, E_INVALIDARG)
  3562. }
  3564. //+-------------------------------------------------------------------------
  3565. // Convert as an DSS public key
  3566. //--------------------------------------------------------------------------
  3567. static BOOL WINAPI ConvertDSSPublicKeyInfo(
  3568. IN DWORD dwCertEncodingType,
  3569. IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
  3570. IN DWORD dwFlags,
  3571. IN OPTIONAL void *pvReserved,
  3572. OUT void *pvPubKeyStruc,
  3573. IN OUT DWORD *pcbPubKeyStruc
  3574. )
  3575. {
  3576. BOOL fResult;
  3577. PCERT_DSS_PARAMETERS pDssParameters = NULL;
  3578. PCRYPT_UINT_BLOB pDssPubKey = NULL;
  3579. PUBLICKEYSTRUC *pPubKeyStruc = NULL;
  3580. DWORD cbPubKeyStruc;
  3581. BYTE *pbKeyBlob;
  3582. DSSPUBKEY *pCspPubKey;
  3583. DSSSEED *pCspSeed;
  3584. DWORD cbKey;
  3585. BYTE *pbKey;
  3586. DWORD cb;
  3588. if (0 == pPubKeyInfo->Algorithm.Parameters.cbData ||
  3589. NULL_ASN_TAG == *pPubKeyInfo->Algorithm.Parameters.pbData)
  3590. goto NoDssParametersError;
  3591. if (NULL == (pDssParameters = (PCERT_DSS_PARAMETERS) AllocAndDecodeObject(
  3592. dwCertEncodingType,
  3593. X509_DSS_PARAMETERS,
  3594. pPubKeyInfo->Algorithm.Parameters.pbData,
  3595. pPubKeyInfo->Algorithm.Parameters.cbData
  3596. ))) goto DecodeParametersError;
  3598. if (NULL == (pDssPubKey = (PCRYPT_UINT_BLOB) AllocAndDecodeObject(
  3599. dwCertEncodingType,
  3600. X509_DSS_PUBLICKEY,
  3601. pPubKeyInfo->PublicKey.pbData,
  3602. pPubKeyInfo->PublicKey.cbData
  3603. ))) goto DecodePubKeyError;
  3605. // The CAPI public key representation consists of the following sequence:
  3606. // - PUBLICKEYSTRUC
  3607. // - DSSPUBKEY
  3608. // - rgbP[cbKey]
  3609. // - rgbQ[20]
  3610. // - rgbG[cbKey]
  3611. // - rgbY[cbKey]
  3612. // - DSSSEED
  3614. cbKey = pDssParameters->p.cbData;
  3615. if (0 == cbKey)
  3616. goto InvalidDssParametersError;
  3618. cbPubKeyStruc = sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY) +
  3619. cbKey + DSS_Q_LEN + cbKey + cbKey + sizeof(DSSSEED);
  3621. if (dwFlags & CRYPT_ALLOC_FLAG) {
  3622. if (NULL == (pPubKeyStruc =
  3623. (PUBLICKEYSTRUC *) PkiDefaultCryptAlloc(cbPubKeyStruc)))
  3624. goto OutOfMemory;
  3625. *((PUBLICKEYSTRUC **) pvPubKeyStruc) = pPubKeyStruc;
  3626. } else
  3627. pPubKeyStruc = (PUBLICKEYSTRUC *) pvPubKeyStruc;
  3629. fResult = TRUE;
  3630. if (pPubKeyStruc) {
  3631. if (0 == (dwFlags & CRYPT_ALLOC_FLAG) &&
  3632. *pcbPubKeyStruc < cbPubKeyStruc) {
  3633. SetLastError((DWORD) ERROR_MORE_DATA);
  3634. fResult = FALSE;
  3635. } else {
  3636. pbKeyBlob = (BYTE *) pPubKeyStruc;
  3637. pCspPubKey = (DSSPUBKEY *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
  3638. pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY);
  3640. // NOTE, the length of G and Y can be less than the length of P.
  3641. // The CSP requires G and Y to be padded out with 0x00 bytes if it
  3642. // is less and in little endian form
  3644. // PUBLICKEYSTRUC
  3645. pPubKeyStruc->bType = PUBLICKEYBLOB;
  3646. pPubKeyStruc->bVersion = CUR_BLOB_VERSION;
  3647. pPubKeyStruc->reserved = 0;
  3648. pPubKeyStruc->aiKeyAlg = CALG_DSS_SIGN;
  3649. // DSSPUBKEY
  3650. pCspPubKey->magic = DSS1;
  3651. pCspPubKey->bitlen = cbKey * 8;
  3653. // rgbP[cbKey]
  3654. memcpy(pbKey, pDssParameters->p.pbData, cbKey);
  3655. pbKey += cbKey;
  3657. // rgbQ[20]
  3658. cb = pDssParameters->q.cbData;
  3659. if (0 == cb || cb > DSS_Q_LEN)
  3660. goto InvalidDssParametersError;
  3661. memcpy(pbKey, pDssParameters->q.pbData, cb);
  3662. if (DSS_Q_LEN > cb)
  3663. memset(pbKey + cb, 0, DSS_Q_LEN - cb);
  3664. pbKey += DSS_Q_LEN;
  3666. // rgbG[cbKey]
  3667. cb = pDssParameters->g.cbData;
  3668. if (0 == cb || cb > cbKey)
  3669. goto InvalidDssParametersError;
  3670. memcpy(pbKey, pDssParameters->g.pbData, cb);
  3671. if (cbKey > cb)
  3672. memset(pbKey + cb, 0, cbKey - cb);
  3673. pbKey += cbKey;
  3675. // rgbY[cbKey]
  3676. cb = pDssPubKey->cbData;
  3677. if (0 == cb || cb > cbKey)
  3678. goto InvalidDssPubKeyError;
  3679. memcpy(pbKey, pDssPubKey->pbData, cb);
  3680. if (cbKey > cb)
  3681. memset(pbKey + cb, 0, cbKey - cb);
  3682. pbKey += cbKey;
  3684. // DSSSEED: set counter to 0xFFFFFFFF to indicate not available
  3685. pCspSeed = (DSSSEED *) pbKey;
  3686. memset(&pCspSeed->counter, 0xFF, sizeof(pCspSeed->counter));
  3687. }
  3688. }
  3690. CommonReturn:
  3691. *pcbPubKeyStruc = cbPubKeyStruc;
  3692. PkiFree(pDssParameters);
  3693. PkiFree(pDssPubKey);
  3694. return fResult;
  3696. ErrorReturn:
  3697. if (dwFlags & CRYPT_ALLOC_FLAG) {
  3698. PkiDefaultCryptFree(pPubKeyStruc);
  3699. *((PUBLICKEYSTRUC **) pvPubKeyStruc) = NULL;
  3700. }
  3701. cbPubKeyStruc = 0;
  3702. fResult = FALSE;
  3703. goto CommonReturn;
  3704. TRACE_ERROR(OutOfMemory)
  3705. TRACE_ERROR(DecodeParametersError)
  3706. TRACE_ERROR(DecodePubKeyError)
  3707. #ifdef CMS_PKCS7
  3708. SET_ERROR(NoDssParametersError, CRYPT_E_MISSING_PUBKEY_PARA)
  3709. #else
  3710. SET_ERROR(NoDssParametersError, E_INVALIDARG)
  3711. #endif // CMS_PKCS7
  3712. SET_ERROR(InvalidDssParametersError, E_INVALIDARG)
  3713. SET_ERROR(InvalidDssPubKeyError, E_INVALIDARG)
  3714. }
  3716. #ifndef DH3
  3717. #define DH3 (((DWORD)'D'<<8)+((DWORD)'H'<<16)+((DWORD)'3'<<24))
  3718. #endif
  3720. //+-------------------------------------------------------------------------
  3721. // Encode the RSA DH public key and parameters
  3722. //--------------------------------------------------------------------------
  3723. static BOOL WINAPI EncodeRSADHPublicKeyAndParameters(
  3724. IN DWORD dwCertEncodingType,
  3725. IN OPTIONAL LPCSTR pszPubKeyOID,
  3726. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  3727. IN DWORD cbPubKeyStruc,
  3728. IN DWORD dwFlags,
  3729. IN OPTIONAL void *pvReserved,
  3730. OUT BYTE **ppbEncodedPubKey,
  3731. OUT DWORD *pcbEncodedPubKey,
  3732. OUT BYTE **ppbEncodedParameters,
  3733. OUT DWORD *pcbEncodedParameters
  3734. )
  3735. {
  3736. BOOL fResult;
  3737. BYTE *pbKeyBlob;
  3738. DHPUBKEY_VER3 *pCspPubKey;
  3739. DWORD cbP;
  3740. DWORD cbQ;
  3741. DWORD cbJ;
  3742. BYTE *pbKey;
  3744. CERT_DH_PARAMETERS DhParameters;
  3745. CRYPT_UINT_BLOB DhPubKey;
  3747. *ppbEncodedPubKey = NULL;
  3748. *ppbEncodedParameters = NULL;
  3750. // The CAPI public key representation consists of the following sequence:
  3751. // - PUBLICKEYSTRUC
  3752. // - DHPUBKEY_VER3
  3753. // - rgbP[cbP]
  3754. // - rgbQ[cbQ] -- not used in RSA_DH
  3755. // - rgbG[cbP]
  3756. // - rgbJ[cbJ] -- not used in RSA_DH
  3757. // - rgbY[cbP]
  3758. pbKeyBlob = (BYTE *) pPubKeyStruc;
  3759. pCspPubKey = (DHPUBKEY_VER3 *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
  3760. pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3);
  3762. cbP = pCspPubKey->bitlenP / 8;
  3763. cbQ = pCspPubKey->bitlenQ / 8;
  3764. cbJ = pCspPubKey->bitlenJ / 8;
  3766. if (cbPubKeyStruc < sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
  3767. cbP * 3 + cbQ + cbJ)
  3768. goto InvalidArg;
  3769. if (pPubKeyStruc->bType != PUBLICKEYBLOB)
  3770. goto InvalidArg;
  3771. if (pCspPubKey->magic != DH3)
  3772. goto InvalidArg;
  3774. assert(cbP > 0);
  3775. assert(cbPubKeyStruc >= sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
  3776. cbP * 3 + cbQ + cbJ);
  3777. assert(pPubKeyStruc->bType == PUBLICKEYBLOB);
  3779. //assert(pPubKeyStruc->bVersion == 3);
  3780. assert(pPubKeyStruc->aiKeyAlg == CALG_DH_SF ||
  3781. pPubKeyStruc->aiKeyAlg == CALG_DH_EPHEM);
  3782. assert(pCspPubKey->magic == DH3);
  3783. assert(pCspPubKey->bitlenP % 8 == 0);
  3784. assert(pCspPubKey->bitlenQ % 8 == 0);
  3785. assert(pCspPubKey->bitlenJ % 8 == 0);
  3787. // Initialize the RSA DH Parameters from CSP data structure
  3788. DhParameters.p.pbData = pbKey;
  3789. DhParameters.p.cbData = cbP;
  3790. pbKey += cbP;
  3792. // No RSA DH Q parameter
  3793. pbKey += cbQ;
  3795. DhParameters.g.pbData = pbKey;
  3796. DhParameters.g.cbData = cbP;
  3797. pbKey += cbP;
  3799. // No RSA DH J parameter
  3800. pbKey += cbJ;
  3802. // Initialize DH public key from CSP data structure
  3803. DhPubKey.cbData = cbP;
  3804. DhPubKey.pbData = pbKey;
  3806. // Encode the parameters and public key
  3807. if (!CryptEncodeObjectEx(
  3808. dwCertEncodingType,
  3809. X509_DH_PARAMETERS,
  3810. &DhParameters,
  3811. CRYPT_ENCODE_ALLOC_FLAG,
  3812. NULL, // pEncodePara
  3813. (void *) ppbEncodedParameters,
  3814. pcbEncodedParameters
  3815. )) goto ErrorReturn;
  3817. if (!CryptEncodeObjectEx(
  3818. dwCertEncodingType,
  3819. X509_DH_PUBLICKEY,
  3820. &DhPubKey,
  3821. CRYPT_ENCODE_ALLOC_FLAG,
  3822. NULL, // pEncodePara
  3823. (void *) ppbEncodedPubKey,
  3824. pcbEncodedPubKey
  3825. )) goto ErrorReturn;
  3827. fResult = TRUE;
  3828. CommonReturn:
  3829. return fResult;
  3831. ErrorReturn:
  3832. PkiDefaultCryptFree(*ppbEncodedParameters);
  3833. PkiDefaultCryptFree(*ppbEncodedPubKey);
  3834. *ppbEncodedParameters = NULL;
  3835. *ppbEncodedPubKey = NULL;
  3836. *pcbEncodedParameters = 0;
  3837. *pcbEncodedPubKey = 0;
  3838. fResult = FALSE;
  3839. goto CommonReturn;
  3840. SET_ERROR(InvalidArg, E_INVALIDARG)
  3841. }
  3843. //+-------------------------------------------------------------------------
  3844. // Encode the X942 DH public key and parameters
  3845. //--------------------------------------------------------------------------
  3846. static BOOL WINAPI EncodeX942DHPublicKeyAndParameters(
  3847. IN DWORD dwCertEncodingType,
  3848. IN OPTIONAL LPCSTR pszPubKeyOID,
  3849. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  3850. IN DWORD cbPubKeyStruc,
  3851. IN DWORD dwFlags,
  3852. IN OPTIONAL void *pvReserved,
  3853. OUT BYTE **ppbEncodedPubKey,
  3854. OUT DWORD *pcbEncodedPubKey,
  3855. OUT BYTE **ppbEncodedParameters,
  3856. OUT DWORD *pcbEncodedParameters
  3857. )
  3858. {
  3859. BOOL fResult;
  3860. BYTE *pbKeyBlob;
  3861. DHPUBKEY_VER3 *pCspPubKey;
  3862. DWORD cbP;
  3863. DWORD cbQ;
  3864. DWORD cbJ;
  3865. BYTE *pbKey;
  3867. CERT_X942_DH_PARAMETERS DhParameters;
  3868. CERT_X942_DH_VALIDATION_PARAMS DhValidationParams;
  3869. CRYPT_UINT_BLOB DhPubKey;
  3871. *ppbEncodedPubKey = NULL;
  3872. *ppbEncodedParameters = NULL;
  3874. // The CAPI public key representation consists of the following sequence:
  3875. // - PUBLICKEYSTRUC
  3876. // - DHPUBKEY_VER3
  3877. // - rgbP[cbP]
  3878. // - rgbQ[cbQ]
  3879. // - rgbG[cbP]
  3880. // - rgbJ[cbJ]
  3881. // - rgbY[cbP]
  3882. pbKeyBlob = (BYTE *) pPubKeyStruc;
  3883. pCspPubKey = (DHPUBKEY_VER3 *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
  3884. pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3);
  3886. cbP = pCspPubKey->bitlenP / 8;
  3887. cbQ = pCspPubKey->bitlenQ / 8;
  3888. cbJ = pCspPubKey->bitlenJ / 8;
  3890. if (0 == cbQ)
  3891. return EncodeRSADHPublicKeyAndParameters(
  3892. dwCertEncodingType,
  3893. pszPubKeyOID,
  3894. pPubKeyStruc,
  3895. cbPubKeyStruc,
  3896. dwFlags,
  3897. pvReserved,
  3898. ppbEncodedPubKey,
  3899. pcbEncodedPubKey,
  3900. ppbEncodedParameters,
  3901. pcbEncodedParameters
  3902. );
  3904. if (cbPubKeyStruc < sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
  3905. cbP * 3 + cbQ + cbJ)
  3906. goto InvalidArg;
  3907. if (pPubKeyStruc->bType != PUBLICKEYBLOB)
  3908. goto InvalidArg;
  3909. if (pCspPubKey->magic != DH3)
  3910. goto InvalidArg;
  3912. assert(cbP > 0);
  3913. assert(cbPubKeyStruc >= sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
  3914. cbP * 3 + cbQ + cbJ);
  3915. assert(pPubKeyStruc->bType == PUBLICKEYBLOB);
  3917. //assert(pPubKeyStruc->bVersion == 3);
  3918. assert(pPubKeyStruc->aiKeyAlg == CALG_DH_SF ||
  3919. pPubKeyStruc->aiKeyAlg == CALG_DH_EPHEM);
  3920. assert(pCspPubKey->magic == DH3);
  3921. assert(pCspPubKey->bitlenP % 8 == 0);
  3922. assert(pCspPubKey->bitlenQ % 8 == 0);
  3923. assert(pCspPubKey->bitlenJ % 8 == 0);
  3925. // Initialize the X942 DH Parameters from CSP data structure
  3926. DhParameters.p.pbData = pbKey;
  3927. DhParameters.p.cbData = cbP;
  3928. pbKey += cbP;
  3930. DhParameters.q.pbData = pbKey;
  3931. DhParameters.q.cbData = cbQ;
  3932. pbKey += cbQ;
  3934. DhParameters.g.pbData = pbKey;
  3935. DhParameters.g.cbData = cbP;
  3936. pbKey += cbP;
  3938. DhParameters.j.pbData = pbKey;
  3939. DhParameters.j.cbData = cbJ;
  3940. pbKey += cbJ;
  3942. if (0xFFFFFFFF == pCspPubKey->DSSSeed.counter ||
  3943. 0 == pCspPubKey->DSSSeed.counter)
  3944. DhParameters.pValidationParams = NULL;
  3945. else {
  3946. DhParameters.pValidationParams = &DhValidationParams;
  3947. DhValidationParams.pgenCounter = pCspPubKey->DSSSeed.counter;
  3948. DhValidationParams.seed.pbData = pCspPubKey->DSSSeed.seed;
  3949. DhValidationParams.seed.cbData = sizeof(pCspPubKey->DSSSeed.seed);
  3950. DhValidationParams.seed.cUnusedBits = 0;
  3951. }
  3953. // Initialize DH public key from CSP data structure
  3954. DhPubKey.cbData = cbP;
  3955. DhPubKey.pbData = pbKey;
  3957. // Encode the parameters and public key
  3958. if (!CryptEncodeObjectEx(
  3959. dwCertEncodingType,
  3960. X942_DH_PARAMETERS,
  3961. &DhParameters,
  3962. CRYPT_ENCODE_ALLOC_FLAG,
  3963. NULL, // pEncodePara
  3964. (void *) ppbEncodedParameters,
  3965. pcbEncodedParameters
  3966. )) goto ErrorReturn;
  3968. if (!CryptEncodeObjectEx(
  3969. dwCertEncodingType,
  3970. X509_DH_PUBLICKEY,
  3971. &DhPubKey,
  3972. CRYPT_ENCODE_ALLOC_FLAG,
  3973. NULL, // pEncodePara
  3974. (void *) ppbEncodedPubKey,
  3975. pcbEncodedPubKey
  3976. )) goto ErrorReturn;
  3978. fResult = TRUE;
  3979. CommonReturn:
  3980. return fResult;
  3982. ErrorReturn:
  3983. PkiDefaultCryptFree(*ppbEncodedParameters);
  3984. PkiDefaultCryptFree(*ppbEncodedPubKey);
  3985. *ppbEncodedParameters = NULL;
  3986. *ppbEncodedPubKey = NULL;
  3987. *pcbEncodedParameters = 0;
  3988. *pcbEncodedPubKey = 0;
  3989. fResult = FALSE;
  3990. goto CommonReturn;
  3991. SET_ERROR(InvalidArg, E_INVALIDARG)
  3992. }
  3995. #ifndef DH1
  3996. #define DH1 (((DWORD)'D'<<8)+((DWORD)'H'<<16)+((DWORD)'1'<<24))
  3997. #endif
  3999. // Convert a DH1 PublicKey Struc, to a DH3 PublicKey Struc by getting
  4000. // the P and G parameters from the hPubKey.
  4001. static BOOL ConvertDh1ToDh3PublicKeyStruc(
  4002. IN HCRYPTKEY hPubKey,
  4003. IN OUT PUBLICKEYSTRUC **ppPubKeyStruc,
  4004. IN OUT DWORD *pcbPubKeyStruc
  4005. )
  4006. {
  4007. BOOL fResult;
  4008. PUBLICKEYSTRUC *pDh1PubKeyStruc = *ppPubKeyStruc;
  4009. BYTE *pbDh1KeyBlob;
  4010. DHPUBKEY *pDh1CspPubKey;
  4011. BYTE *pbDh1Key;
  4013. PUBLICKEYSTRUC *pDh3PubKeyStruc = NULL;
  4014. DWORD cbDh3PubKeyStruc;
  4015. BYTE *pbDh3KeyBlob;
  4016. DHPUBKEY_VER3 *pDh3CspPubKey;
  4017. BYTE *pbDh3Key;
  4018. DWORD cbP;
  4019. DWORD cbData;
  4021. // The DH1 CAPI public key representation consists of the following
  4022. // sequence:
  4023. // - PUBLICKEYSTRUC
  4024. // - DHPUBKEY
  4025. // - rgbY[cbP]
  4026. pbDh1KeyBlob = (BYTE *) pDh1PubKeyStruc;
  4027. pDh1CspPubKey = (DHPUBKEY *) (pbDh1KeyBlob + sizeof(PUBLICKEYSTRUC));
  4028. pbDh1Key = pbDh1KeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY);
  4030. if (pDh1CspPubKey->magic != DH1)
  4031. return TRUE;
  4032. cbP = pDh1CspPubKey->bitlen / 8;
  4033. if (*pcbPubKeyStruc < sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY) + cbP)
  4034. goto InvalidArg;
  4036. // The DH3 CAPI public key representation consists of the following
  4037. // sequence:
  4038. // - PUBLICKEYSTRUC
  4039. // - DHPUBKEY_VER3
  4040. // - rgbP[cbP]
  4041. // - rgbQ[cbQ] -- will be omitted here
  4042. // - rgbG[cbP]
  4043. // - rgbJ[cbJ] -- will be omitted here
  4044. // - rgbY[cbP]
  4045. cbDh3PubKeyStruc = sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
  4046. cbP * 3;
  4047. if (NULL == (pDh3PubKeyStruc = (PUBLICKEYSTRUC *) PkiZeroAlloc(
  4048. cbDh3PubKeyStruc)))
  4049. goto OutOfMemory;
  4051. pbDh3KeyBlob = (BYTE *) pDh3PubKeyStruc;
  4052. pDh3CspPubKey = (DHPUBKEY_VER3 *) (pbDh3KeyBlob + sizeof(PUBLICKEYSTRUC));
  4053. pbDh3Key = pbDh3KeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3);
  4055. pDh3PubKeyStruc->bType = PUBLICKEYBLOB;
  4056. pDh3PubKeyStruc->bVersion = 3;
  4057. pDh3PubKeyStruc->aiKeyAlg = CALG_DH_SF;
  4058. pDh3CspPubKey->magic = DH3;
  4059. pDh3CspPubKey->bitlenP = cbP * 8;
  4060. //pDh3CspPubKey->bitlenQ = 0;
  4061. //pDh3CspPubKey->bitlenJ = 0;
  4063. // Get the P parameter from the public key
  4064. cbData = cbP;
  4065. if (!CryptGetKeyParam(
  4066. hPubKey,
  4067. KP_P,
  4068. pbDh3Key,
  4069. &cbData,
  4070. 0 // dwFlags
  4071. ) || cbData != cbP)
  4072. goto GetPError;
  4073. pbDh3Key += cbP;
  4075. // No Q parameter
  4077. // Get G parameter from the public key
  4078. cbData = cbP;
  4079. if (!CryptGetKeyParam(
  4080. hPubKey,
  4081. KP_G,
  4082. pbDh3Key,
  4083. &cbData,
  4084. 0 // dwFlags
  4085. ) || cbData != cbP)
  4086. goto GetGError;
  4087. pbDh3Key += cbP;
  4089. // No J parameter
  4091. // Y
  4092. memcpy(pbDh3Key, pbDh1Key, cbP);
  4094. assert(pbDh3Key - pbDh3KeyBlob + cbP == cbDh3PubKeyStruc);
  4096. PkiFree(pDh1PubKeyStruc);
  4097. *ppPubKeyStruc = pDh3PubKeyStruc;
  4098. *pcbPubKeyStruc = cbDh3PubKeyStruc;
  4099. fResult = TRUE;
  4100. CommonReturn:
  4101. return fResult;
  4103. ErrorReturn:
  4104. fResult = FALSE;
  4105. PkiFree(pDh3PubKeyStruc);
  4106. goto CommonReturn;
  4107. SET_ERROR(InvalidArg, E_INVALIDARG)
  4108. TRACE_ERROR(OutOfMemory)
  4109. TRACE_ERROR(GetPError)
  4110. TRACE_ERROR(GetGError)
  4111. }
  4113. //+=========================================================================
  4114. // CryptExportPublicKeyInfo functions
  4115. //-=========================================================================
  4117. //+-------------------------------------------------------------------------
  4118. // Use the aiKeyAlg in the public key structure exported by the CSP to
  4119. // determine how to encode the public key.
  4120. //
  4121. // The dwFlags and pvAuxInfo aren't used.
  4122. //--------------------------------------------------------------------------
  4123. static BOOL WINAPI ExportCspPublicKeyInfoEx(
  4124. IN HCRYPTPROV hCryptProv,
  4125. IN DWORD dwKeySpec,
  4126. IN DWORD dwCertEncodingType,
  4127. IN OPTIONAL LPSTR pszPublicKeyObjId,
  4128. IN DWORD dwFlags,
  4129. IN OPTIONAL void *pvAuxInfo,
  4130. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  4131. IN OUT DWORD *pcbInfo
  4132. )
  4133. {
  4134. BOOL fResult;
  4135. DWORD dwErr;
  4136. HCRYPTKEY hPubKey = 0;
  4137. PUBLICKEYSTRUC *pPubKeyStruc = NULL;
  4138. DWORD cbPubKeyStruc;
  4140. if (!CryptGetUserKey(
  4141. hCryptProv,
  4142. dwKeySpec,
  4143. &hPubKey
  4144. )) {
  4145. hPubKey = 0;
  4146. goto GetUserKeyError;
  4147. }
  4149. cbPubKeyStruc = 0;
  4150. if (!CryptExportKey(
  4151. hPubKey,
  4152. 0, // hPubKey
  4153. PUBLICKEYBLOB,
  4154. 0, // dwFlags
  4155. NULL, // pbData
  4156. &cbPubKeyStruc
  4157. ) || (cbPubKeyStruc == 0))
  4158. goto ExportPublicKeyBlobError;
  4159. if (NULL == (pPubKeyStruc = (PUBLICKEYSTRUC *) PkiNonzeroAlloc(
  4160. cbPubKeyStruc)))
  4161. goto OutOfMemory;
  4162. if (!CryptExportKey(
  4163. hPubKey,
  4164. 0, // hPubKey
  4165. PUBLICKEYBLOB,
  4166. 0, // dwFlags
  4167. (BYTE *) pPubKeyStruc,
  4168. &cbPubKeyStruc
  4169. ))
  4170. goto ExportPublicKeyBlobError;
  4172. if (CALG_DH_SF == pPubKeyStruc->aiKeyAlg ||
  4173. CALG_DH_EPHEM == pPubKeyStruc->aiKeyAlg) {
  4174. DWORD cbDh3PubKeyStruc;
  4175. PUBLICKEYSTRUC *pDh3PubKeyStruc;
  4177. // Check if the CSP supports DH3
  4178. cbDh3PubKeyStruc = 0;
  4179. if (!CryptExportKey(
  4180. hPubKey,
  4181. 0, // hPubKey
  4182. PUBLICKEYBLOB,
  4183. CRYPT_BLOB_VER3,
  4184. NULL, // pbData
  4185. &cbDh3PubKeyStruc
  4186. ) || (cbDh3PubKeyStruc == 0)) {
  4187. // Convert DH1 to DH3 by getting and adding the P and G
  4188. // parameters
  4189. if (!ConvertDh1ToDh3PublicKeyStruc(
  4190. hPubKey,
  4191. &pPubKeyStruc,
  4192. &cbPubKeyStruc
  4193. ))
  4194. goto ConvertDh1ToDh3PublicKeyStrucError;
  4195. } else {
  4196. if (NULL == (pDh3PubKeyStruc = (PUBLICKEYSTRUC *) PkiNonzeroAlloc(
  4197. cbDh3PubKeyStruc)))
  4198. goto OutOfMemory;
  4199. if (!CryptExportKey(
  4200. hPubKey,
  4201. 0, // hPubKey
  4202. PUBLICKEYBLOB,
  4203. CRYPT_BLOB_VER3,
  4204. (BYTE *) pDh3PubKeyStruc,
  4205. &cbDh3PubKeyStruc
  4206. )) {
  4207. PkiFree(pDh3PubKeyStruc);
  4208. goto ExportPublicKeyBlobError;
  4209. }
  4211. PkiFree(pPubKeyStruc);
  4212. pPubKeyStruc = pDh3PubKeyStruc;
  4213. cbPubKeyStruc = cbDh3PubKeyStruc;
  4214. }
  4216. if (NULL == pszPublicKeyObjId) {
  4217. DHPUBKEY_VER3 *pDh3CspPubKey;
  4219. // The CAPI public key representation consists of the
  4220. // following sequence:
  4221. // - PUBLICKEYSTRUC
  4222. // - DHPUBKEY_VER3
  4223. // - rgbP[cbP]
  4224. // - rgbQ[cbQ] -- not used in szOID_RSA_DH
  4225. // - rgbG[cbP]
  4226. // - rgbJ[cbJ] -- not used in szOID_RSA_DH
  4227. // - rgbY[cbP]
  4228. pDh3CspPubKey = (DHPUBKEY_VER3 *)
  4229. ((BYTE*) pPubKeyStruc + sizeof(PUBLICKEYSTRUC));
  4231. if (DH3 == pDh3CspPubKey->magic && 0 == pDh3CspPubKey->bitlenQ)
  4232. // szOID_RSA_DH indicates no Q parameter
  4233. pszPublicKeyObjId = szOID_RSA_DH;
  4234. }
  4235. }
  4237. fResult = CryptCreatePublicKeyInfo(
  4238. dwCertEncodingType,
  4239. pszPublicKeyObjId,
  4240. pPubKeyStruc,
  4241. cbPubKeyStruc,
  4242. 0, // dwFlags
  4243. NULL, // pvAuxInfo
  4244. pInfo,
  4245. pcbInfo
  4246. );
  4248. CommonReturn:
  4249. dwErr = GetLastError();
  4250. if (hPubKey)
  4251. CryptDestroyKey(hPubKey);
  4252. PkiFree(pPubKeyStruc);
  4253. SetLastError(dwErr);
  4254. return fResult;
  4256. ErrorReturn:
  4257. *pcbInfo = 0;
  4258. fResult = FALSE;
  4259. goto CommonReturn;
  4261. TRACE_ERROR(GetUserKeyError)
  4262. TRACE_ERROR(ExportPublicKeyBlobError)
  4263. TRACE_ERROR(OutOfMemory)
  4264. TRACE_ERROR(ConvertDh1ToDh3PublicKeyStrucError)
  4265. }
  4267. //+-------------------------------------------------------------------------
  4268. // Export the public key info associated with the provider's corresponding
  4269. // private key.
  4270. //
  4271. // Uses the dwCertEncodingType and pszPublicKeyObjId to call the
  4272. // installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
  4273. // has the same signature as CryptExportPublicKeyInfoEx.
  4274. //
  4275. // If unable to find an installable OID function for the pszPublicKeyObjId,
  4276. // attempts to export via the default export function.
  4277. //--------------------------------------------------------------------------
  4278. BOOL
  4279. WINAPI
  4280. CryptExportPublicKeyInfoEx(
  4281. IN HCRYPTPROV hCryptProv,
  4282. IN DWORD dwKeySpec,
  4283. IN DWORD dwCertEncodingType,
  4284. IN OPTIONAL LPSTR pszPublicKeyObjId,
  4285. IN DWORD dwFlags,
  4286. IN OPTIONAL void *pvAuxInfo,
  4287. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  4288. IN OUT DWORD *pcbInfo
  4289. )
  4290. {
  4291. BOOL fResult;
  4292. void *pvFuncAddr;
  4293. HCRYPTOIDFUNCADDR hFuncAddr;
  4295. if (pszPublicKeyObjId && CryptGetOIDFunctionAddress(
  4296. hExportPubKeyFuncSet,
  4297. dwCertEncodingType,
  4298. pszPublicKeyObjId,
  4299. 0, // dwFlags
  4300. &pvFuncAddr,
  4301. &hFuncAddr)) {
  4302. fResult = ((PFN_EXPORT_PUB_KEY_FUNC) pvFuncAddr)(
  4303. hCryptProv,
  4304. dwKeySpec,
  4305. dwCertEncodingType,
  4306. pszPublicKeyObjId,
  4307. dwFlags,
  4308. pvAuxInfo,
  4309. pInfo,
  4310. pcbInfo
  4311. );
  4312. CryptFreeOIDFunctionAddress(hFuncAddr, 0);
  4313. } else
  4314. // Attempt to export via the default function that looks at the
  4315. // public key algorithm in the public key struc exported by the CSP.
  4316. fResult = ExportCspPublicKeyInfoEx(
  4317. hCryptProv,
  4318. dwKeySpec,
  4319. dwCertEncodingType,
  4320. pszPublicKeyObjId,
  4321. dwFlags,
  4322. pvAuxInfo,
  4323. pInfo,
  4324. pcbInfo
  4325. );
  4326. return fResult;
  4327. }
  4329. //+-------------------------------------------------------------------------
  4330. // Export the public key info associated with the provider's corresponding
  4331. // private key.
  4332. //
  4333. // Calls CryptExportPublicKeyInfoEx with pszPublicKeyObjId = NULL,
  4334. // dwFlags = 0 and pvAuxInfo = NULL.
  4335. //--------------------------------------------------------------------------
  4336. BOOL
  4337. WINAPI
  4338. CryptExportPublicKeyInfo(
  4339. IN HCRYPTPROV hCryptProv,
  4340. IN DWORD dwKeySpec,
  4341. IN DWORD dwCertEncodingType,
  4342. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  4343. IN OUT DWORD *pcbInfo
  4344. )
  4345. {
  4346. return CryptExportPublicKeyInfoEx(
  4347. hCryptProv,
  4348. dwKeySpec,
  4349. dwCertEncodingType,
  4350. NULL, // pszPublicKeyObjId
  4351. 0, // dwFlags
  4352. NULL, // pvAuxInfo
  4353. pInfo,
  4354. pcbInfo
  4355. );
  4356. }
  4358. //+=========================================================================
  4359. // CryptImportPublicKeyInfo functions
  4360. //-=========================================================================
  4362. //+-------------------------------------------------------------------------
  4363. // Convert and import the public key info into the provider and return a
  4364. // handle to the public key.
  4365. //
  4366. // Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
  4367. // installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
  4368. // has the same signature as CryptImportPublicKeyInfoEx.
  4369. //
  4370. // If unable to find an installable OID function for the pszObjId,
  4371. // decodes the PublicKeyInfo into a CSP PublicKey Blob and imports.
  4372. //--------------------------------------------------------------------------
  4373. BOOL
  4374. WINAPI
  4375. CryptImportPublicKeyInfoEx(
  4376. IN HCRYPTPROV hCryptProv,
  4377. IN DWORD dwCertEncodingType,
  4378. IN PCERT_PUBLIC_KEY_INFO pInfo,
  4379. IN ALG_ID aiKeyAlg,
  4380. IN DWORD dwFlags,
  4381. IN OPTIONAL void *pvAuxInfo,
  4382. OUT HCRYPTKEY *phKey
  4383. )
  4384. {
  4385. BOOL fResult;
  4386. void *pvFuncAddr;
  4387. HCRYPTOIDFUNCADDR hFuncAddr;
  4388. PUBLICKEYSTRUC *pPubKeyStruc = NULL;
  4389. DWORD cbPubKeyStruc;
  4391. if (CryptGetOIDFunctionAddress(
  4392. hImportPubKeyFuncSet,
  4393. dwCertEncodingType,
  4394. pInfo->Algorithm.pszObjId,
  4395. 0, // dwFlags
  4396. &pvFuncAddr,
  4397. &hFuncAddr)) {
  4398. fResult = ((PFN_IMPORT_PUB_KEY_FUNC) pvFuncAddr)(
  4399. hCryptProv,
  4400. dwCertEncodingType,
  4401. pInfo,
  4402. aiKeyAlg,
  4403. dwFlags,
  4404. pvAuxInfo,
  4405. phKey
  4406. );
  4407. CryptFreeOIDFunctionAddress(hFuncAddr, 0);
  4408. } else {
  4409. if (!CryptConvertPublicKeyInfo(
  4410. dwCertEncodingType,
  4411. pInfo,
  4412. CRYPT_ALLOC_FLAG,
  4413. NULL, // pvReserved
  4414. (void *) &pPubKeyStruc,
  4415. &cbPubKeyStruc
  4416. ))
  4417. goto ConvertPublicKeyInfoError;
  4419. if (aiKeyAlg)
  4420. pPubKeyStruc->aiKeyAlg = aiKeyAlg;
  4422. if (!CryptImportKey(
  4423. hCryptProv,
  4424. (BYTE *) pPubKeyStruc,
  4425. cbPubKeyStruc,
  4426. NULL, // hImpKey
  4427. 0, // dwFlags
  4428. phKey
  4429. ))
  4430. goto ImportKeyError;
  4431. fResult = TRUE;
  4432. }
  4434. CommonReturn:
  4435. PkiDefaultCryptFree(pPubKeyStruc);
  4436. return fResult;
  4437. ErrorReturn:
  4438. *phKey = NULL;
  4439. fResult = FALSE;
  4440. goto CommonReturn;
  4442. TRACE_ERROR(ConvertPublicKeyInfoError)
  4443. TRACE_ERROR(ImportKeyError)
  4444. }
  4446. //+-------------------------------------------------------------------------
  4447. // Convert and import the public key info into the provider and return a
  4448. // handle to the public key.
  4449. //
  4450. // Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
  4451. // pvAuxInfo = NULL.
  4452. //--------------------------------------------------------------------------
  4453. BOOL
  4454. WINAPI
  4455. CryptImportPublicKeyInfo(
  4456. IN HCRYPTPROV hCryptProv,
  4457. IN DWORD dwCertEncodingType,
  4458. IN PCERT_PUBLIC_KEY_INFO pInfo,
  4459. OUT HCRYPTKEY *phKey
  4460. )
  4461. {
  4462. return CryptImportPublicKeyInfoEx(
  4463. hCryptProv,
  4464. dwCertEncodingType,
  4465. pInfo,
  4466. 0, // aiKeyAlg
  4467. 0, // dwFlags
  4468. NULL, // pvAuxInfo
  4469. phKey
  4470. );
  4471. }
  4473. //+-------------------------------------------------------------------------
  4474. // Create a KeyIdentifier from the CSP Public Key Blob.
  4475. //
  4476. // Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
  4477. // encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
  4478. // the Key Identifier.
  4479. //
  4480. // By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
  4481. // public key Object Identifier. pszPubKeyOID can be set to override
  4482. // the default OID obtained from the aiKeyAlg.
  4483. //--------------------------------------------------------------------------
  4484. BOOL
  4485. WINAPI
  4486. CryptCreateKeyIdentifierFromCSP(
  4487. IN DWORD dwCertEncodingType,
  4488. IN OPTIONAL LPCSTR pszPubKeyOID,
  4489. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  4490. IN DWORD cbPubKeyStruc,
  4491. IN DWORD dwFlags,
  4492. IN OPTIONAL void *pvReserved,
  4493. OUT BYTE *pbHash,
  4494. IN OUT DWORD *pcbHash
  4495. )
  4496. {
  4497. BOOL fResult;
  4498. PCERT_PUBLIC_KEY_INFO pInfo = NULL;
  4499. DWORD cbInfo;
  4501. if (!CryptCreatePublicKeyInfo(
  4502. dwCertEncodingType,
  4503. pszPubKeyOID,
  4504. pPubKeyStruc,
  4505. cbPubKeyStruc,
  4506. CRYPT_ALLOC_FLAG,
  4507. NULL, // pvReserved
  4508. (void *) &pInfo,
  4509. &cbInfo
  4510. ))
  4511. goto CreatePublicKeyInfoError;
  4513. fResult = CryptHashPublicKeyInfo(
  4514. NULL, // hCryptProv
  4515. CALG_SHA1,
  4516. 0, // dwFlags
  4517. dwCertEncodingType,
  4518. pInfo,
  4519. pbHash,
  4520. pcbHash
  4521. );
  4523. CommonReturn:
  4524. PkiDefaultCryptFree(pInfo);
  4525. return fResult;
  4527. ErrorReturn:
  4528. *pcbHash = 0;
  4529. fResult = FALSE;
  4530. goto CommonReturn;
  4532. TRACE_ERROR(CreatePublicKeyInfoError)
  4533. }
  4536. //+=========================================================================
  4537. // DefaultContext APIs and Data Structures
  4538. //-=========================================================================
  4540. static BOOL InstallThreadDefaultContext(
  4541. IN PDEFAULT_CONTEXT pDefaultContext
  4542. )
  4543. {
  4544. PDEFAULT_CONTEXT pNext;
  4545. pNext = (PDEFAULT_CONTEXT) I_CryptGetTls(hTlsDefaultContext);
  4546. if (pNext) {
  4547. pDefaultContext->pNext = pNext;
  4548. pNext->pPrev = pDefaultContext;
  4549. }
  4551. fHasThreadDefaultContext = TRUE;
  4552. return I_CryptSetTls(hTlsDefaultContext, pDefaultContext);
  4553. }
  4555. static BOOL InstallProcessDefaultContext(
  4556. IN PDEFAULT_CONTEXT pDefaultContext
  4557. )
  4558. {
  4559. EnterCriticalSection(&DefaultContextCriticalSection);
  4561. if (pProcessDefaultContextHead) {
  4562. pDefaultContext->pNext = pProcessDefaultContextHead;
  4563. pProcessDefaultContextHead->pPrev = pDefaultContext;
  4564. }
  4565. pProcessDefaultContextHead = pDefaultContext;
  4567. fHasProcessDefaultContext = TRUE;
  4569. LeaveCriticalSection(&DefaultContextCriticalSection);
  4571. return TRUE;
  4572. }
  4574. //+-------------------------------------------------------------------------
  4575. // Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
  4576. // a default context.
  4577. //
  4578. // dwDefaultType and pvDefaultPara specify where the default context is used.
  4579. // For example, install the HCRYPTPROV to be used to verify certificate's
  4580. // having szOID_OIWSEC_md5RSA signatures.
  4581. //
  4582. // By default, the installed HCRYPTPROV is only applicable to the current
  4583. // thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
  4584. // to be used by all threads in the current process.
  4585. //
  4586. // For a successful install, TRUE is returned and *phDefaultContext is
  4587. // updated with the HANDLE to be passed to CryptUninstallDefaultContext.
  4588. //
  4589. // The installed HCRYPTPROVs are stack ordered (the last installed
  4590. // HCRYPTPROV is checked first). All thread installed HCRYPTPROVs are
  4591. // checked before any process HCRYPTPROVs.
  4592. //
  4593. // The installed HCRYPTPROV remains available for default usage until
  4594. // CryptUninstallDefaultContext is called or the thread or process exits.
  4595. //
  4596. // If CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG is set, then, the HCRYPTPROV
  4597. // is CryptReleaseContext'ed at thread or process exit. However,
  4598. // not CryptReleaseContext'ed if CryptUninstallDefaultContext is
  4599. // called.
  4600. //--------------------------------------------------------------------------
  4601. BOOL
  4602. WINAPI
  4603. CryptInstallDefaultContext(
  4604. IN HCRYPTPROV hCryptProv,
  4605. IN DWORD dwDefaultType,
  4606. IN const void *pvDefaultPara,
  4607. IN DWORD dwFlags,
  4608. IN void *pvReserved,
  4609. OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
  4610. )
  4611. {
  4612. BOOL fResult;
  4613. CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA MultiOIDPara;
  4614. LPSTR rgpszOID[1];
  4615. PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pMultiOIDPara;
  4617. PDEFAULT_CONTEXT pDefaultContext = NULL;
  4618. DWORD cbDefaultContext;
  4619. BYTE *pbExtra;
  4620. DWORD cbExtra;
  4622. if (CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID == dwDefaultType) {
  4623. dwDefaultType = CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID;
  4624. if (pvDefaultPara) {
  4625. rgpszOID[0] = (LPSTR) pvDefaultPara;
  4626. MultiOIDPara.cOID = 1;
  4627. MultiOIDPara.rgpszOID = rgpszOID;
  4628. pvDefaultPara = (const void *) &MultiOIDPara;
  4629. }
  4630. }
  4632. if (CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID != dwDefaultType)
  4633. goto InvalidArg;
  4635. pMultiOIDPara = (PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA) pvDefaultPara;
  4636. if (pMultiOIDPara) {
  4637. DWORD cOID = pMultiOIDPara->cOID;
  4638. LPSTR *ppszOID = pMultiOIDPara->rgpszOID;
  4640. if (0 == cOID)
  4641. goto InvalidArg;
  4642. cbExtra = INFO_LEN_ALIGN(sizeof(CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA)) +
  4643. cOID * sizeof(LPSTR);
  4645. for ( ; cOID; cOID--, ppszOID++)
  4646. cbExtra += strlen(*ppszOID) + 1;
  4647. } else {
  4648. if (dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG)
  4649. goto InvalidArg;
  4650. cbExtra = 0;
  4651. }
  4653. cbDefaultContext = INFO_LEN_ALIGN(sizeof(DEFAULT_CONTEXT)) + cbExtra;
  4655. if (NULL == (pDefaultContext = (PDEFAULT_CONTEXT) PkiZeroAlloc(
  4656. cbDefaultContext)))
  4657. goto OutOfMemory;
  4659. pDefaultContext->hCryptProv = hCryptProv;
  4660. pDefaultContext->dwDefaultType = dwDefaultType;
  4661. pDefaultContext->dwFlags = dwFlags;
  4663. pbExtra = ((BYTE *) pDefaultContext) +
  4664. INFO_LEN_ALIGN(sizeof(DEFAULT_CONTEXT));
  4666. if (cbExtra) {
  4667. DWORD cOID = pMultiOIDPara->cOID;
  4668. LPSTR *ppszOID = pMultiOIDPara->rgpszOID;
  4670. PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pOIDDefaultPara;
  4671. LPSTR *ppszOIDDefault;
  4673. assert(cOID);
  4675. pOIDDefaultPara = (PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA) pbExtra;
  4676. pDefaultContext->pOIDDefaultPara = pOIDDefaultPara;
  4677. pbExtra += INFO_LEN_ALIGN(sizeof(CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA));
  4679. ppszOIDDefault = (LPSTR *) pbExtra;
  4680. pbExtra += cOID * sizeof(LPSTR);
  4681. pOIDDefaultPara->cOID = cOID;
  4682. pOIDDefaultPara->rgpszOID = ppszOIDDefault;
  4684. for ( ; cOID; cOID--, ppszOID++, ppszOIDDefault++) {
  4685. DWORD cch = strlen(*ppszOID) + 1;
  4687. memcpy(pbExtra, *ppszOID, cch);
  4688. *ppszOIDDefault = (LPSTR) pbExtra;
  4689. pbExtra += cch;
  4690. }
  4691. }
  4692. assert(pbExtra == ((BYTE *) pDefaultContext) + cbDefaultContext);
  4694. if (dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG)
  4695. fResult = InstallProcessDefaultContext(pDefaultContext);
  4696. else
  4697. fResult = InstallThreadDefaultContext(pDefaultContext);
  4698. if (!fResult)
  4699. goto ErrorReturn;
  4701. CommonReturn:
  4702. *phDefaultContext = (HCRYPTDEFAULTCONTEXT) pDefaultContext;
  4703. return fResult;
  4705. ErrorReturn:
  4706. PkiFree(pDefaultContext);
  4707. fResult = FALSE;
  4708. goto CommonReturn;
  4710. SET_ERROR(InvalidArg, E_INVALIDARG)
  4711. TRACE_ERROR(OutOfMemory)
  4712. }
  4714. //+-------------------------------------------------------------------------
  4715. // Uninstall a default context previously installed by
  4716. // CryptInstallDefaultContext.
  4717. //
  4718. // For a default context installed with CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG
  4719. // set, if any other threads are currently using this context,
  4720. // this function will block until they finish.
  4721. //--------------------------------------------------------------------------
  4722. BOOL
  4723. WINAPI
  4724. CryptUninstallDefaultContext(
  4725. HCRYPTDEFAULTCONTEXT hDefaultContext,
  4726. IN DWORD dwFlags,
  4727. IN void *pvReserved
  4728. )
  4729. {
  4730. BOOL fResult;
  4731. PDEFAULT_CONTEXT pDefaultContext = (PDEFAULT_CONTEXT) hDefaultContext;
  4732. PDEFAULT_CONTEXT pDefaultContextHead;
  4733. BOOL fProcess;
  4735. if (NULL == pDefaultContext)
  4736. return TRUE;
  4738. fProcess = (pDefaultContext->dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG);
  4739. if (fProcess) {
  4740. EnterCriticalSection(&DefaultContextCriticalSection);
  4741. pDefaultContextHead = pProcessDefaultContextHead;
  4742. } else {
  4743. pDefaultContextHead = (PDEFAULT_CONTEXT) I_CryptGetTls(
  4744. hTlsDefaultContext);
  4745. }
  4747. if (NULL == pDefaultContextHead)
  4748. goto InvalidArg;
  4750. // Remove context from the list
  4751. if (pDefaultContext->pNext)
  4752. pDefaultContext->pNext->pPrev = pDefaultContext->pPrev;
  4753. if (pDefaultContext->pPrev)
  4754. pDefaultContext->pPrev->pNext = pDefaultContext->pNext;
  4755. else if (pDefaultContext == pDefaultContextHead) {
  4756. pDefaultContextHead = pDefaultContext->pNext;
  4757. if (fProcess)
  4758. pProcessDefaultContextHead = pDefaultContextHead;
  4759. else
  4760. I_CryptSetTls(hTlsDefaultContext, pDefaultContextHead);
  4761. } else
  4762. goto InvalidArg;
  4764. if (fProcess) {
  4765. if (pDefaultContext->lRefCnt) {
  4766. // Wait for all uses of the hCryptProv handle to finish
  4767. if (NULL == (pDefaultContext->hWait = CreateEvent(
  4768. NULL, // lpsa
  4769. FALSE, // fManualReset
  4770. FALSE, // fInitialState
  4771. NULL))) { // lpszEventName
  4772. assert(pDefaultContext->hWait);
  4773. goto UnexpectedError;
  4774. }
  4776. while (pDefaultContext->lRefCnt) {
  4777. LeaveCriticalSection(&DefaultContextCriticalSection);
  4778. WaitForSingleObject(pDefaultContext->hWait, INFINITE);
  4779. EnterCriticalSection(&DefaultContextCriticalSection);
  4780. }
  4781. CloseHandle(pDefaultContext->hWait);
  4782. pDefaultContext->hWait = NULL;
  4783. }
  4784. }
  4786. PkiFree(pDefaultContext);
  4787. fResult = TRUE;
  4789. CommonReturn:
  4790. if (fProcess)
  4791. LeaveCriticalSection(&DefaultContextCriticalSection);
  4792. return fResult;
  4794. ErrorReturn:
  4795. fResult = FALSE;
  4796. goto CommonReturn;
  4797. SET_ERROR(InvalidArg, E_INVALIDARG)
  4798. SET_ERROR(UnexpectedError, E_UNEXPECTED)
  4799. }
  4802. static PDEFAULT_CONTEXT FindDefaultContext(
  4803. IN DWORD dwDefaultType,
  4804. IN const void *pvDefaultPara,
  4805. IN PDEFAULT_CONTEXT pDefaultContext
  4806. )
  4807. {
  4808. for ( ; pDefaultContext; pDefaultContext = pDefaultContext->pNext) {
  4809. switch (dwDefaultType) {
  4810. case CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID:
  4811. if (CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID ==
  4812. pDefaultContext->dwDefaultType) {
  4813. PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pOIDDefaultPara =
  4814. pDefaultContext->pOIDDefaultPara;
  4815. DWORD cOID;
  4816. LPSTR *ppszOID;
  4818. if (NULL == pOIDDefaultPara)
  4819. return pDefaultContext;
  4821. cOID = pOIDDefaultPara->cOID;
  4822. ppszOID = pOIDDefaultPara->rgpszOID;
  4823. for ( ; cOID; cOID--, ppszOID++) {
  4824. if (0 == strcmp(*ppszOID, (LPSTR) pvDefaultPara))
  4825. return pDefaultContext;
  4826. }
  4827. }
  4828. break;
  4829. default:
  4830. return NULL;
  4831. }
  4832. }
  4834. return NULL;
  4835. }
  4837. //
  4838. // dwDefaultTypes:
  4839. // CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID (pvDefaultPara :== pszOID)
  4840. BOOL
  4841. WINAPI
  4842. I_CryptGetDefaultContext(
  4843. IN DWORD dwDefaultType,
  4844. IN const void *pvDefaultPara,
  4845. OUT HCRYPTPROV *phCryptProv,
  4846. OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
  4847. )
  4848. {
  4850. if (fHasThreadDefaultContext) {
  4851. PDEFAULT_CONTEXT pDefaultContext;
  4853. pDefaultContext = (PDEFAULT_CONTEXT) I_CryptGetTls(hTlsDefaultContext);
  4854. if (pDefaultContext = FindDefaultContext(
  4855. dwDefaultType,
  4856. pvDefaultPara,
  4857. pDefaultContext
  4858. )) {
  4859. *phCryptProv = pDefaultContext->hCryptProv;
  4860. *phDefaultContext = NULL;
  4861. return TRUE;
  4862. }
  4863. }
  4865. if (fHasProcessDefaultContext) {
  4866. PDEFAULT_CONTEXT pDefaultContext;
  4868. EnterCriticalSection(&DefaultContextCriticalSection);
  4869. if (pDefaultContext = FindDefaultContext(
  4870. dwDefaultType,
  4871. pvDefaultPara,
  4872. pProcessDefaultContextHead
  4873. ))
  4874. pDefaultContext->lRefCnt++;
  4875. LeaveCriticalSection(&DefaultContextCriticalSection);
  4877. if (pDefaultContext) {
  4878. *phCryptProv = pDefaultContext->hCryptProv;
  4879. *phDefaultContext = (HCRYPTDEFAULTCONTEXT) pDefaultContext;
  4880. return TRUE;
  4881. }
  4882. }
  4884. *phCryptProv = NULL;
  4885. *phDefaultContext = NULL;
  4886. return FALSE;
  4887. }
  4889. // hDefaultContext is only NON-null for Process default context
  4890. void
  4891. WINAPI
  4892. I_CryptFreeDefaultContext(
  4893. HCRYPTDEFAULTCONTEXT hDefaultContext
  4894. )
  4895. {
  4896. PDEFAULT_CONTEXT pDefaultContext = (PDEFAULT_CONTEXT) hDefaultContext;
  4898. if (NULL == pDefaultContext)
  4899. return;
  4901. assert(pDefaultContext->dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG);
  4902. assert(0 < pDefaultContext->lRefCnt);
  4904. EnterCriticalSection(&DefaultContextCriticalSection);
  4905. if (0 == --pDefaultContext->lRefCnt && pDefaultContext->hWait)
  4906. SetEvent(pDefaultContext->hWait);
  4907. LeaveCriticalSection(&DefaultContextCriticalSection);
  4908. }
  4911. #ifdef CMS_PKCS7
  4913. WINCRYPT32API
  4914. BOOL
  4915. WINAPI
  4916. CryptVerifyCertificateSignatureEx(
  4917. IN OPTIONAL HCRYPTPROV hCryptProv,
  4918. IN DWORD dwCertEncodingType,
  4919. IN DWORD dwSubjectType,
  4920. IN void *pvSubject,
  4921. IN DWORD dwIssuerType,
  4922. IN void *pvIssuer,
  4923. IN DWORD dwFlags,
  4924. IN OPTIONAL void *pvReserved
  4925. )
  4926. {
  4927. BOOL fResult;
  4928. PCERT_SIGNED_CONTENT_INFO pSignedInfo = NULL;
  4929. DWORD cbSignedInfo;
  4930. HCRYPTDEFAULTCONTEXT hDefaultContext = NULL;
  4931. HCRYPTKEY hSignKey = 0;
  4932. HCRYPTHASH hHash = 0;
  4933. BYTE *pbSignature; // not allocated
  4934. DWORD cbSignature;
  4935. BYTE rgbDssSignature[CERT_DSS_SIGNATURE_LEN];
  4936. ALG_ID aiHash;
  4937. ALG_ID aiPubKey;
  4938. DWORD dwProvType;
  4939. HCRYPTPROV hAcquiredCryptProv = 0;
  4940. DWORD dwSignFlags;
  4941. DWORD dwErr;
  4943. const BYTE *pbEncoded; // not allocated
  4944. DWORD cbEncoded;
  4945. PCERT_PUBLIC_KEY_INFO pIssuerPubKeyInfo;
  4946. CERT_PUBLIC_KEY_INFO IssuerPubKeyInfo;
  4947. PCRYPT_OBJID_BLOB pIssuerPara;
  4948. BYTE *pbAllocIssuerPara = NULL;
  4950. switch (dwSubjectType) {
  4951. case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB:
  4952. {
  4953. PCRYPT_DATA_BLOB pBlob = (PCRYPT_DATA_BLOB) pvSubject;
  4954. pbEncoded = pBlob->pbData;
  4955. cbEncoded = pBlob->cbData;
  4956. }
  4957. break;
  4958. case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT:
  4959. {
  4960. PCCERT_CONTEXT pSubject = (PCCERT_CONTEXT) pvSubject;
  4961. pbEncoded = pSubject->pbCertEncoded;
  4962. cbEncoded = pSubject->cbCertEncoded;
  4963. }
  4964. break;
  4965. case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL:
  4966. {
  4967. PCCRL_CONTEXT pSubject = (PCCRL_CONTEXT) pvSubject;
  4968. pbEncoded = pSubject->pbCrlEncoded;
  4969. cbEncoded = pSubject->cbCrlEncoded;
  4970. }
  4971. break;
  4972. default:
  4973. goto InvalidSubjectType;
  4974. }
  4976. if (!CryptDecodeObjectEx(
  4977. dwCertEncodingType,
  4978. X509_CERT,
  4979. pbEncoded,
  4980. cbEncoded,
  4981. CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG |
  4982. CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG,
  4983. &PkiDecodePara,
  4984. (void *) &pSignedInfo,
  4985. &cbSignedInfo
  4986. )) goto DecodeCertError;
  4988. if (!GetSignOIDInfo(pSignedInfo->SignatureAlgorithm.pszObjId,
  4989. &aiHash, &aiPubKey, &dwSignFlags, &dwProvType))
  4990. goto GetSignOIDInfoError;
  4992. if (0 == hCryptProv) {
  4993. if (!I_CryptGetDefaultContext(
  4994. CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID,
  4995. (const void *) pSignedInfo->SignatureAlgorithm.pszObjId,
  4996. &hCryptProv,
  4997. &hDefaultContext
  4998. )) {
  4999. if (dwProvType && CryptAcquireContext(
  5000. &hCryptProv,
  5001. NULL, // pszContainer
  5002. NULL, // pszProvider,
  5003. dwProvType,
  5004. CRYPT_VERIFYCONTEXT // dwFlags
  5005. ))
  5006. hAcquiredCryptProv = hCryptProv;
  5007. else if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(aiPubKey)))
  5008. goto GetDefaultCryptProvError;
  5009. }
  5010. }
  5012. #if 0
  5013. // Slow down the signature verify while holding the default context
  5014. // reference count
  5015. if (hDefaultContext)
  5016. Sleep(5000);
  5017. #endif
  5019. switch (dwIssuerType) {
  5020. case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY:
  5021. pIssuerPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) pvIssuer;
  5022. break;
  5023. case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN:
  5024. {
  5025. PCCERT_CHAIN_CONTEXT pChain = (PCCERT_CHAIN_CONTEXT) pvIssuer;
  5027. // All chains have at least the leaf certificate context
  5028. assert(pChain->cChain && pChain->rgpChain[0]->cElement);
  5029. pvIssuer =
  5030. (void *) pChain->rgpChain[0]->rgpElement[0]->pCertContext;
  5031. dwIssuerType = CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT;
  5032. }
  5033. // fall through
  5034. case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT:
  5035. {
  5036. PCCERT_CONTEXT pIssuer = (PCCERT_CONTEXT) pvIssuer;
  5038. pIssuerPubKeyInfo = &pIssuer->pCertInfo->SubjectPublicKeyInfo;
  5040. // Check if the public key parameters were omitted
  5041. // from the encoded certificate. If omitted, try
  5042. // to use the certificate's CERT_PUBKEY_ALG_PARA_PROP_ID
  5043. // property.
  5044. pIssuerPara = &pIssuerPubKeyInfo->Algorithm.Parameters;
  5045. if (0 == pIssuerPara->cbData ||
  5046. NULL_ASN_TAG == *pIssuerPara->pbData) {
  5047. DWORD cbData;
  5049. if (CertGetCertificateContextProperty(
  5050. pIssuer,
  5051. CERT_PUBKEY_ALG_PARA_PROP_ID,
  5052. NULL, // pvData
  5053. &cbData) && 0 < cbData
  5054. &&
  5055. (pbAllocIssuerPara = (BYTE *) PkiNonzeroAlloc(
  5056. cbData))
  5057. &&
  5058. CertGetCertificateContextProperty(
  5059. pIssuer,
  5060. CERT_PUBKEY_ALG_PARA_PROP_ID,
  5061. pbAllocIssuerPara,
  5062. &cbData)) {
  5064. IssuerPubKeyInfo = *pIssuerPubKeyInfo;
  5065. IssuerPubKeyInfo.Algorithm.Parameters.pbData =
  5066. pbAllocIssuerPara;
  5067. IssuerPubKeyInfo.Algorithm.Parameters.cbData = cbData;
  5068. pIssuerPubKeyInfo = &IssuerPubKeyInfo;
  5069. }
  5070. }
  5071. }
  5072. break;
  5073. case CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL:
  5074. if (CALG_NO_SIGN != aiPubKey)
  5075. goto InvalidIssuerType;
  5076. pIssuerPubKeyInfo = NULL;
  5077. break;
  5078. default:
  5079. goto InvalidIssuerType;
  5080. }
  5082. if (CALG_NO_SIGN == aiPubKey) {
  5083. if (dwIssuerType != CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL)
  5084. goto InvalidIssuerType;
  5085. } else {
  5086. if (!CryptImportPublicKeyInfo(
  5087. hCryptProv,
  5088. dwCertEncodingType,
  5089. pIssuerPubKeyInfo,
  5090. &hSignKey
  5091. )) goto ImportPublicKeyInfoError;
  5092. }
  5093. if (!CryptCreateHash(
  5094. hCryptProv,
  5095. aiHash,
  5096. NULL, // hKey - optional for MAC
  5097. 0, // dwFlags
  5098. &hHash
  5099. )) goto CreateHashError;
  5100. if (!CryptHashData(
  5101. hHash,
  5102. pSignedInfo->ToBeSigned.pbData,
  5103. pSignedInfo->ToBeSigned.cbData,
  5104. 0 // dwFlags
  5105. )) goto HashDataError;
  5108. pbSignature = pSignedInfo->Signature.pbData;
  5109. cbSignature = pSignedInfo->Signature.cbData;
  5111. if (0 == cbSignature)
  5112. goto NoSignatureError;
  5114. if (CALG_NO_SIGN == aiPubKey) {
  5115. BYTE rgbHash[MAX_HASH_LEN];
  5116. DWORD cbHash = sizeof(rgbHash);
  5118. if (!CryptGetHashParam(
  5119. hHash,
  5120. HP_HASHVAL,
  5121. rgbHash,
  5122. &cbHash,
  5123. 0 // dwFlags
  5124. ))
  5125. goto GetHashValueError;
  5127. if (cbHash != cbSignature || 0 != memcmp(rgbHash, pbSignature, cbHash))
  5128. goto NoSignHashCompareError;
  5130. goto SuccessReturn;
  5131. }
  5133. if (CALG_DSS_SIGN == aiPubKey &&
  5134. 0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
  5135. DWORD cbData;
  5137. // Convert from ASN.1 sequence of two integers to the CSP signature
  5138. // format.
  5139. cbData = sizeof(rgbDssSignature);
  5140. if (!CryptDecodeObject(
  5141. dwCertEncodingType,
  5142. X509_DSS_SIGNATURE,
  5143. pbSignature,
  5144. cbSignature,
  5145. 0, // dwFlags
  5146. rgbDssSignature,
  5147. &cbData
  5148. ))
  5149. goto DecodeDssSignatureError;
  5150. pbSignature = rgbDssSignature;
  5151. assert(cbData == sizeof(rgbDssSignature));
  5152. cbSignature = sizeof(rgbDssSignature);
  5153. } else
  5154. PkiAsn1ReverseBytes(pbSignature, cbSignature);
  5156. if (!CryptVerifySignature(
  5157. hHash,
  5158. pbSignature,
  5159. cbSignature,
  5160. hSignKey,
  5161. NULL, // sDescription
  5162. 0 // dwFlags
  5163. )) goto VerifySignatureError;
  5166. // For a certificate context certificate, check if the issuer has public
  5167. // key parameters that can be inherited
  5168. pIssuerPara = &pIssuerPubKeyInfo->Algorithm.Parameters;
  5169. if (CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT == dwSubjectType &&
  5170. pIssuerPara->cbData && NULL_ASN_TAG != *pIssuerPara->pbData) {
  5171. // If a subject is missing its public key parameters and has
  5172. // the same public key algorithm as its issuer, then, set
  5173. // its CERT_PUBKEY_ALG_PARA_PROP_ID property.
  5175. PCCERT_CONTEXT pSubject = (PCCERT_CONTEXT) pvSubject;
  5176. PCERT_PUBLIC_KEY_INFO pSubjectPubKeyInfo =
  5177. &pSubject->pCertInfo->SubjectPublicKeyInfo;
  5178. PCCRYPT_OID_INFO pOIDInfo;
  5179. PCRYPT_OBJID_BLOB pSubjectPara;
  5180. DWORD cbData;
  5182. pSubjectPara = &pSubjectPubKeyInfo->Algorithm.Parameters;
  5183. if (pSubjectPara->cbData && NULL_ASN_TAG != *pSubjectPara->pbData)
  5184. // Subject public key has parameters
  5185. goto SuccessReturn;
  5187. if (CertGetCertificateContextProperty(
  5188. pSubject,
  5189. CERT_PUBKEY_ALG_PARA_PROP_ID,
  5190. NULL, // pvData
  5191. &cbData) && 0 < cbData)
  5192. // Subject already has public key parameters property
  5193. goto SuccessReturn;
  5195. pOIDInfo = CryptFindOIDInfo(
  5196. CRYPT_OID_INFO_OID_KEY,
  5197. pSubjectPubKeyInfo->Algorithm.pszObjId,
  5198. CRYPT_PUBKEY_ALG_OID_GROUP_ID);
  5200. if (NULL == pOIDInfo || aiPubKey != pOIDInfo->Algid)
  5201. // Subject and issuer don't have the same public key algorithms
  5202. goto SuccessReturn;
  5204. CertSetCertificateContextProperty(
  5205. pSubject,
  5206. CERT_PUBKEY_ALG_PARA_PROP_ID,
  5207. CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
  5208. pIssuerPara
  5209. );
  5210. }
  5213. SuccessReturn:
  5214. fResult = TRUE;
  5215. CommonReturn:
  5216. dwErr = GetLastError();
  5217. if (hSignKey)
  5218. CryptDestroyKey(hSignKey);
  5219. if (hHash)
  5220. CryptDestroyHash(hHash);
  5221. I_CryptFreeDefaultContext(hDefaultContext);
  5222. if (hAcquiredCryptProv)
  5223. CryptReleaseContext(hAcquiredCryptProv, 0);
  5224. PkiFree(pSignedInfo);
  5225. PkiFree(pbAllocIssuerPara);
  5227. SetLastError(dwErr);
  5228. return fResult;
  5230. ErrorReturn:
  5231. fResult = FALSE;
  5232. goto CommonReturn;
  5234. SET_ERROR(InvalidSubjectType, E_INVALIDARG)
  5235. TRACE_ERROR(DecodeCertError)
  5236. TRACE_ERROR(GetSignOIDInfoError)
  5237. TRACE_ERROR(GetDefaultCryptProvError)
  5238. SET_ERROR(InvalidIssuerType, E_INVALIDARG)
  5239. TRACE_ERROR(ImportPublicKeyInfoError)
  5240. TRACE_ERROR(CreateHashError)
  5241. TRACE_ERROR(HashDataError)
  5242. SET_ERROR(NoSignatureError, TRUST_E_NOSIGNATURE)
  5243. TRACE_ERROR(GetHashValueError)
  5244. SET_ERROR(NoSignHashCompareError, NTE_BAD_SIGNATURE)
  5245. TRACE_ERROR(DecodeDssSignatureError)
  5246. TRACE_ERROR(VerifySignatureError)
  5247. }
  5249. //+-------------------------------------------------------------------------
  5250. // Verify the signature of a subject certificate or a CRL using the
  5251. // specified public key.
  5252. //
  5253. // Returns TRUE for a valid signature.
  5254. //
  5255. // hCryptProv specifies the crypto provider to use to verify the signature.
  5256. // It doesn't need to use a private key.
  5257. //--------------------------------------------------------------------------
  5258. BOOL
  5259. WINAPI
  5260. CryptVerifyCertificateSignature(
  5261. IN HCRYPTPROV hCryptProv,
  5262. IN DWORD dwCertEncodingType,
  5263. IN const BYTE * pbEncoded,
  5264. IN DWORD cbEncoded,
  5265. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  5266. )
  5267. {
  5268. CRYPT_DATA_BLOB Subject;
  5270. Subject.cbData = cbEncoded;
  5271. Subject.pbData = (BYTE *) pbEncoded;
  5272. return CryptVerifyCertificateSignatureEx(
  5273. hCryptProv,
  5274. dwCertEncodingType,
  5275. CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB,
  5276. (void *) &Subject,
  5277. CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY,
  5278. (void *) pPublicKey,
  5279. 0, // dwFlags
  5280. NULL // pvReserved
  5281. );
  5282. }
  5284. #endif // CMS_PKCS7