archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pkitrust/softpub/httpsprv.cpp

521 lines
17 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1996 - 1999
  6. //
  7. // File: httpsprv.cpp
  8. //
  9. // Contents: Microsoft Internet Security Authenticode Policy Provider
  10. //
  11. // Functions: HTTPSRegisterServer
  12. // HTTPSUnregisterServer
  13. // HTTPSCertificateTrust
  14. // HTTPSFinalProv
  15. //
  16. // History: 29-Jul-1997 pberkman created
  17. //
  18. //--------------------------------------------------------------------------
  20. #include "global.hxx"
  22. #include <wininet.h>
  24. DWORD GetErrorBasedOnStepErrors(CRYPT_PROVIDER_DATA *pProvData);
  26. //////////////////////////////////////////////////////////////////////////////
  27. //
  28. // HTTPSRegisterServer
  29. //----------------------------------------------------------------------------
  30. // Register the HTTPS provider
  31. //
  33. STDAPI HTTPSRegisterServer(void)
  34. {
  35. GUID gHTTPSProv = HTTPSPROV_ACTION;
  36. BOOL fRet;
  37. CRYPT_REGISTER_ACTIONID sRegAID;
  38. CRYPT_PROVIDER_REGDEFUSAGE sDefUsage;
  40. fRet = TRUE;
  42. //
  43. // set the usages we want
  44. //
  45. memset(&sDefUsage, 0x00, sizeof(CRYPT_PROVIDER_REGDEFUSAGE));
  47. sDefUsage.cbStruct = sizeof(CRYPT_PROVIDER_REGDEFUSAGE);
  48. sDefUsage.pgActionID = &gHTTPSProv;
  49. sDefUsage.pwszDllName = SP_POLICY_PROVIDER_DLL_NAME;
  50. sDefUsage.pwszLoadCallbackDataFunctionName = "SoftpubLoadDefUsageCallData";
  51. sDefUsage.pwszFreeCallbackDataFunctionName = "SoftpubFreeDefUsageCallData";
  53. fRet &= WintrustAddDefaultForUsage(szOID_PKIX_KP_SERVER_AUTH, &sDefUsage);
  54. fRet &= WintrustAddDefaultForUsage(szOID_PKIX_KP_CLIENT_AUTH, &sDefUsage);
  55. fRet &= WintrustAddDefaultForUsage(szOID_SERVER_GATED_CRYPTO, &sDefUsage);
  56. fRet &= WintrustAddDefaultForUsage(szOID_SGC_NETSCAPE, &sDefUsage);
  59. memset(&sRegAID, 0x00, sizeof(CRYPT_REGISTER_ACTIONID));
  61. sRegAID.cbStruct = sizeof(CRYPT_REGISTER_ACTIONID);
  63. // Authenticode initialization provider
  64. sRegAID.sInitProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  65. sRegAID.sInitProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  66. sRegAID.sInitProvider.pwszFunctionName = SP_INIT_FUNCTION;
  68. // Authenticode object provider
  69. sRegAID.sObjectProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  70. sRegAID.sObjectProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  71. sRegAID.sObjectProvider.pwszFunctionName = SP_OBJTRUST_FUNCTION;
  73. // Authenticode signature provider
  74. sRegAID.sSignatureProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  75. sRegAID.sSignatureProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  76. sRegAID.sSignatureProvider.pwszFunctionName = SP_SIGTRUST_FUNCTION;
  78. // wintrust's certificate provider
  79. sRegAID.sCertificateProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  81. #if 0
  82. sRegAID.sCertificateProvider.pwszDLLName = WT_PROVIDER_DLL_NAME; // set to wintrust.dll
  83. sRegAID.sCertificateProvider.pwszFunctionName = WT_PROVIDER_CERTTRUST_FUNCTION; // use wintrust's standard!
  84. #else
  85. // philh changed on Feb 19, 1998 to use HTTPS
  86. sRegAID.sCertificateProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  87. sRegAID.sCertificateProvider.pwszFunctionName = HTTPS_CERTTRUST_FUNCTION;
  88. #endif
  90. // authenticode cert policy
  91. sRegAID.sCertificatePolicyProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  92. sRegAID.sCertificatePolicyProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  93. sRegAID.sCertificatePolicyProvider.pwszFunctionName = SP_CHKCERT_FUNCTION;
  95. // custom final ...
  96. sRegAID.sFinalPolicyProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  97. sRegAID.sFinalPolicyProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  98. sRegAID.sFinalPolicyProvider.pwszFunctionName = HTTPS_FINALPOLICY_FUNCTION;
  100. // Authenticode cleanup -- we don't store any data.
  101. sRegAID.sCleanupProvider.cbStruct = sizeof(CRYPT_TRUST_REG_ENTRY);
  102. sRegAID.sCleanupProvider.pwszDLLName = SP_POLICY_PROVIDER_DLL_NAME;
  103. sRegAID.sCleanupProvider.pwszFunctionName = SP_CLEANUPPOLICY_FUNCTION;
  105. fRet &= WintrustAddActionID(&gHTTPSProv, 0, &sRegAID);
  107. return((fRet) ? S_OK : S_FALSE);
  108. }
  110. //////////////////////////////////////////////////////////////////////////////
  111. //
  112. // DllUnregisterServer
  113. //----------------------------------------------------------------------------
  114. // unregisters schannel provider
  115. //
  117. STDAPI HTTPSUnregisterServer(void)
  118. {
  119. GUID gHTTPSProv = HTTPSPROV_ACTION;
  121. WintrustRemoveActionID(&gHTTPSProv);
  123. return(S_OK);
  124. }
  127. HCERTCHAINENGINE HTTPSGetChainEngine(
  128. IN CRYPT_PROVIDER_DATA *pProvData
  129. )
  130. {
  131. CERT_CHAIN_ENGINE_CONFIG Config;
  132. HCERTSTORE hStore = NULL;
  133. HCERTCHAINENGINE hChainEngine = NULL;
  135. if (NULL == pProvData->pWintrustData ||
  136. pProvData->pWintrustData->dwUnionChoice != WTD_CHOICE_CERT ||
  137. !_ISINSTRUCT(WINTRUST_CERT_INFO,
  138. pProvData->pWintrustData->pCert->cbStruct, dwFlags) ||
  139. 0 == (pProvData->pWintrustData->pCert->dwFlags &
  140. (WTCI_DONT_OPEN_STORES | WTCI_OPEN_ONLY_ROOT)))
  141. return NULL;
  143. memset(&Config, 0, sizeof(Config));
  144. Config.cbSize = sizeof(Config);
  146. if (NULL == (hStore = CertOpenStore(
  147. CERT_STORE_PROV_MEMORY,
  148. 0, // dwEncodingType
  149. 0, // hCryptProv
  150. 0, // dwFlags
  151. NULL // pvPara
  152. )))
  153. goto OpenMemoryStoreError;
  155. if (pProvData->pWintrustData->pCert->dwFlags & WTCI_DONT_OPEN_STORES)
  156. Config.hRestrictedRoot = hStore;
  157. Config.hRestrictedTrust = hStore;
  158. Config.hRestrictedOther = hStore;
  160. if (!CertCreateCertificateChainEngine(
  161. &Config,
  162. &hChainEngine
  163. ))
  164. goto CreateChainEngineError;
  166. CommonReturn:
  167. CertCloseStore(hStore, 0);
  168. return hChainEngine;
  169. ErrorReturn:
  170. hChainEngine = NULL;
  171. goto CommonReturn;
  172. TRACE_ERROR_EX(DBG_SS, OpenMemoryStoreError)
  173. TRACE_ERROR_EX(DBG_SS, CreateChainEngineError)
  174. }
  177. HCERTSTORE HTTPSGetChainAdditionalStore(
  178. IN CRYPT_PROVIDER_DATA *pProvData
  179. )
  180. {
  181. if (0 == pProvData->chStores)
  182. return NULL;
  184. if (1 < pProvData->chStores) {
  185. HCERTSTORE hCollectionStore;
  187. if (hCollectionStore = CertOpenStore(
  188. CERT_STORE_PROV_COLLECTION,
  189. 0, // dwEncodingType
  190. 0, // hCryptProv
  191. 0, // dwFlags
  192. NULL // pvPara
  193. )) {
  194. DWORD i;
  195. for (i = 0; i < pProvData->chStores; i++)
  196. CertAddStoreToCollection(
  197. hCollectionStore,
  198. pProvData->pahStores[i],
  199. CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG,
  200. 0 // dwPriority
  201. );
  202. }
  203. return hCollectionStore;
  204. } else
  205. return CertDuplicateStore(pProvData->pahStores[0]);
  206. }
  208. // Following is in ..\wintrust\certtrst.cpp
  209. extern
  210. BOOL UpdateCertProvChain(
  211. IN OUT PCRYPT_PROVIDER_DATA pProvData,
  212. IN DWORD idxSigner,
  213. OUT DWORD *pdwError,
  214. IN BOOL fCounterSigner,
  215. IN DWORD idxCounterSigner,
  216. IN PCRYPT_PROVIDER_SGNR pSgnr,
  217. IN PCCERT_CHAIN_CONTEXT pChainContext
  218. );
  220. // Following is in .\authcode.cpp
  221. extern
  222. void UpdateCertError(
  223. IN PCRYPT_PROVIDER_SGNR pSgnr,
  224. IN PCERT_CHAIN_POLICY_STATUS pPolicyStatus
  225. );
  227. HRESULT WINAPI HTTPSCertificateTrust(CRYPT_PROVIDER_DATA *pProvData)
  228. {
  229. HTTPSPolicyCallbackData *pHTTPS;
  230. CRYPT_PROVIDER_SGNR *pSgnr;
  231. CRYPT_PROVIDER_CERT *pProvCert;
  233. DWORD dwError;
  234. DWORD dwSgnrError;
  235. DWORD dwCreateChainFlags;
  236. CERT_CHAIN_PARA ChainPara;
  237. HCERTCHAINENGINE hChainEngine = NULL;
  238. HCERTSTORE hAdditionalStore = NULL;
  239. PCCERT_CHAIN_CONTEXT pChainContext = NULL;
  241. LPSTR rgpszClientUsage[] = {
  242. szOID_PKIX_KP_CLIENT_AUTH,
  243. };
  244. #define CLIENT_USAGE_COUNT (sizeof(rgpszClientUsage) / \
  245. sizeof(rgpszClientUsage[0]))
  246. LPSTR rgpszServerUsage[] = {
  247. szOID_PKIX_KP_SERVER_AUTH,
  248. szOID_SERVER_GATED_CRYPTO,
  249. szOID_SGC_NETSCAPE,
  250. };
  251. #define SERVER_USAGE_COUNT (sizeof(rgpszServerUsage) / \
  252. sizeof(rgpszServerUsage[0]))
  254. if ((_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, fRecallWithState)) &&
  255. (pProvData->fRecallWithState == TRUE))
  256. {
  257. return(S_OK);
  258. }
  260. pSgnr = WTHelperGetProvSignerFromChain(pProvData, 0, FALSE, 0);
  261. if (pSgnr)
  262. pProvCert = WTHelperGetProvCertFromChain(pSgnr, 0);
  263. if (NULL == pSgnr || NULL == pProvCert) {
  264. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  265. TRUST_E_NOSIGNATURE;
  266. return S_FALSE;
  267. }
  270. pHTTPS = (HTTPSPolicyCallbackData *) pProvData->pWintrustData->pPolicyCallbackData;
  272. if (!pHTTPS || !WVT_IS_CBSTRUCT_GT_MEMBEROFFSET(
  273. HTTPSPolicyCallbackData, pHTTPS->cbStruct, pwszServerName) ||
  274. !_ISINSTRUCT(CRYPT_PROVIDER_DATA, pProvData->cbStruct, dwProvFlags) ||
  275. (pProvData->dwProvFlags & WTD_USE_IE4_TRUST_FLAG) ||
  276. !_ISINSTRUCT(CRYPT_PROVIDER_SGNR, pSgnr->cbStruct, pChainContext))
  277. {
  278. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  279. ERROR_INVALID_PARAMETER;
  280. return S_FALSE;
  281. }
  283. pProvData->dwProvFlags |= CPD_USE_NT5_CHAIN_FLAG;
  285. dwCreateChainFlags = 0;
  286. memset(&ChainPara, 0, sizeof(ChainPara));
  287. ChainPara.cbSize = sizeof(ChainPara);
  288. ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
  289. if (pHTTPS->dwAuthType == AUTHTYPE_CLIENT) {
  290. ChainPara.RequestedUsage.Usage.cUsageIdentifier = CLIENT_USAGE_COUNT;
  291. ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = rgpszClientUsage;
  292. } else {
  293. ChainPara.RequestedUsage.Usage.cUsageIdentifier = SERVER_USAGE_COUNT;
  294. ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = rgpszServerUsage;
  295. }
  296. if (0 == (pHTTPS->fdwChecks & SECURITY_FLAG_IGNORE_REVOCATION)) {
  297. if (pProvData->pWintrustData->fdwRevocationChecks != WTD_REVOKE_NONE)
  298. // On 4-16-01 changed from END_CERT to EXCLUDE_ROOT
  299. dwCreateChainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
  300. }
  301. hChainEngine = HTTPSGetChainEngine(pProvData);
  302. hAdditionalStore = HTTPSGetChainAdditionalStore(pProvData);
  305. if (!CertGetCertificateChain (
  306. hChainEngine,
  307. pProvCert->pCert,
  308. &pSgnr->sftVerifyAsOf,
  309. hAdditionalStore,
  310. &ChainPara,
  311. dwCreateChainFlags,
  312. NULL, // pvReserved,
  313. &pChainContext
  314. )) {
  315. pProvData->dwError = GetLastError();
  316. dwSgnrError = TRUST_E_SYSTEM_ERROR;
  317. goto GetChainError;
  318. }
  320. if (WTD_STATEACTION_VERIFY == pProvData->pWintrustData->dwStateAction) {
  321. DWORD dwUpdateError;
  323. UpdateCertProvChain(
  324. pProvData,
  325. 0, // idxSigner
  326. &dwUpdateError,
  327. FALSE, // fCounterSigner
  328. 0, // idxCounterSigner
  329. pSgnr,
  330. pChainContext
  331. );
  333. dwSgnrError = pSgnr->dwError;
  334. if (CERT_E_REVOKED == dwSgnrError ||
  335. CERT_E_REVOCATION_FAILURE == dwSgnrError) {
  337. // Clear the updated errors. Will be updated in the final policy
  338. pSgnr->dwError = 0;
  339. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] = 0;
  341. if (CERT_E_REVOKED == pProvCert->dwError ||
  342. CERT_E_REVOCATION_FAILURE == pProvCert->dwError) {
  343. pProvCert->dwError = 0;
  344. }
  345. }
  346. }
  348. dwError = S_OK;
  350. CommonReturn:
  351. if (hChainEngine)
  352. CertFreeCertificateChainEngine(hChainEngine);
  353. if (hAdditionalStore)
  354. CertCloseStore(hAdditionalStore, 0);
  355. pSgnr->pChainContext = pChainContext;
  356. return dwError;
  357. ErrorReturn:
  358. pSgnr->dwError = dwSgnrError;
  359. pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] =
  360. dwSgnrError;
  361. dwError = S_FALSE;
  362. goto CommonReturn;
  363. TRACE_ERROR_EX(DBG_SS, GetChainError)
  365. }
  366. //////////////////////////////////////////////////////////////////////////////
  367. //
  368. // Final Policy Provider function: HTTPSFinalProv
  369. //----------------------------------------------------------------------------
  370. // Check the outcome of the previous functions and display UI based on this.
  371. //
  374. // On July 26, 2000, disabled the use of the test root
  375. #if 0
  377. void MapHTTPSRegPolicySettingsToBaseChainPolicyFlags(
  378. IN DWORD dwRegPolicySettings,
  379. IN OUT DWORD *pdwFlags
  380. )
  381. {
  382. DWORD dwFlags;
  384. if (0 == dwRegPolicySettings)
  385. return;
  387. dwFlags = *pdwFlags;
  388. if (dwRegPolicySettings & WTPF_TRUSTTEST)
  389. dwFlags |= CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG;
  390. if (dwRegPolicySettings & WTPF_TESTCANBEVALID)
  391. dwFlags |= CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG;
  393. *pdwFlags = dwFlags;
  394. }
  396. #endif
  398. HRESULT WINAPI HTTPSFinalProv(CRYPT_PROVIDER_DATA *pProvData)
  399. {
  401. HTTPSPolicyCallbackData *pHTTPS;
  403. pHTTPS = (HTTPSPolicyCallbackData *)
  404. pProvData->pWintrustData->pPolicyCallbackData;
  406. if (!(pHTTPS) ||
  407. !(WVT_IS_CBSTRUCT_GT_MEMBEROFFSET(HTTPSPolicyCallbackData,
  408. pHTTPS->cbStruct, pwszServerName)))
  409. {
  410. SetLastError(ERROR_INVALID_PARAMETER);
  411. return(ERROR_INVALID_PARAMETER);
  412. }
  415. DWORD dwError;
  416. CRYPT_PROVIDER_SGNR *pSgnr;
  417. CERT_CHAIN_POLICY_PARA PolicyPara;
  418. memset(&PolicyPara, 0, sizeof(PolicyPara));
  419. PolicyPara.cbSize = sizeof(PolicyPara);
  420. PolicyPara.pvExtraPolicyPara = (void *) pHTTPS;
  422. CERT_CHAIN_POLICY_STATUS PolicyStatus;
  423. memset(&PolicyStatus, 0, sizeof(PolicyStatus));
  424. PolicyStatus.cbSize = sizeof(PolicyStatus);
  427. //
  428. // check the high level error codes.
  429. //
  430. if (0 != (dwError = GetErrorBasedOnStepErrors(pProvData)))
  431. goto CommonReturn;
  433. pSgnr = WTHelperGetProvSignerFromChain(pProvData, 0, FALSE, 0);
  434. if (pSgnr == NULL) {
  435. dwError = TRUST_E_SYSTEM_ERROR;
  436. goto CommonReturn;
  437. }
  440. // On July 26, 2000, disabled the use of the test root
  441. #if 0
  442. MapHTTPSRegPolicySettingsToBaseChainPolicyFlags(
  443. pProvData->dwRegPolicySettings,
  444. &PolicyPara.dwFlags
  445. );
  446. #endif
  448. if (!CertVerifyCertificateChainPolicy(
  449. CERT_CHAIN_POLICY_SSL,
  450. pSgnr->pChainContext,
  451. &PolicyPara,
  452. &PolicyStatus
  453. )) {
  454. dwError = TRUST_E_SYSTEM_ERROR;
  455. goto CommonReturn;
  456. } else if (0 != PolicyStatus.dwError) {
  457. dwError = PolicyStatus.dwError;
  458. UpdateCertError(pSgnr, &PolicyStatus);
  459. goto CommonReturn;
  460. }
  462. dwError = 0;
  463. CommonReturn:
  464. pProvData->dwFinalError = dwError;
  465. return dwError;
  466. }
  469. ///////////////////////////////////////////////////////////////////////////////////
  470. //
  471. // Local Functions
  472. //
  473. ///////////////////////////////////////////////////////////////////////////////////
  475. DWORD GetErrorBasedOnStepErrors(CRYPT_PROVIDER_DATA *pProvData)
  476. {
  477. //
  478. // initial allocation of the step errors?
  479. //
  480. if (!(pProvData->padwTrustStepErrors))
  481. {
  482. return(ERROR_NOT_ENOUGH_MEMORY);
  483. }
  485. //
  486. // did we fail in one of the last steps?
  487. //
  488. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_INITPROV] != 0)
  489. {
  490. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_INITPROV]);
  491. }
  493. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV] != 0)
  494. {
  495. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_OBJPROV]);
  496. }
  498. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_SIGPROV] != 0)
  499. {
  500. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_SIGPROV]);
  501. }
  503. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV] != 0)
  504. {
  505. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTPROV]);
  506. }
  508. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTCHKPROV] != 0)
  509. {
  510. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_CERTCHKPROV]);
  511. }
  513. if (pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV] != 0)
  514. {
  515. return(pProvData->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV]);
  516. }
  518. return(ERROR_SUCCESS);
  519. }