archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/services/ca/include/certsd.h

266 lines
8.0 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: certsd.h
  3. // Contents: CA's security descriptor class declaration
  4. //---------------------------------------------------------------------------
  5. #ifndef __CERTSD_H__
  6. #define __CERTSD_H__
  8. namespace CertSrv
  9. {
  11. typedef struct _SID_LIST
  12. {
  13. DWORD dwSidCount;
  14. DWORD SidListStart[ANYSIZE_ARRAY];
  16. } SID_LIST, *PSID_LIST;
  18. HRESULT GetWellKnownSID(
  19. PSID *ppSid,
  20. SID_IDENTIFIER_AUTHORITY *pAuth,
  21. BYTE SubauthorityCount,
  22. DWORD SubAuthority1,
  23. DWORD SubAuthority2=0,
  24. DWORD SubAuthority3=0,
  25. DWORD SubAuthority4=0,
  26. DWORD SubAuthority5=0,
  27. DWORD SubAuthority6=0,
  28. DWORD SubAuthority7=0,
  29. DWORD SubAuthority8=0);
  31. // caller is responsible for LocalFree'ing PSID
  32. HRESULT GetEveryoneSID(PSID *ppSid);
  33. HRESULT GetLocalSystemSID(PSID *ppSid);
  34. HRESULT GetBuiltinAdministratorsSID(PSID *ppSid);
  35. HRESULT GetLocalSID(PSID *ppSid);
  36. HRESULT GetNetworkSID(PSID *ppSid);
  38. // This class wraps a SD with single writer multiple reader access control on
  39. // it. Allows any number of threads to LockGet() the pointer to the SD if no
  40. // thread is in the middle of a Set(). Set() is blocked until all threads
  41. // that already retrieved the SD released it (calling Unlock)
  42. //
  43. // Also provides the support for persistently saving/loading the SD to registy
  45. class CProtectedSecurityDescriptor
  46. {
  47. public:
  49. CProtectedSecurityDescriptor() :
  50. m_pSD(NULL),
  51. m_fInitialized(false),
  52. m_cReaders(0),
  53. m_hevtNoReaders(NULL),
  54. m_pcwszSanitizedName(NULL),
  55. m_pcwszPersistRegVal(NULL)
  56. {};
  57. ~CProtectedSecurityDescriptor()
  58. {
  59. Uninitialize();
  60. }
  62. void Uninitialize()
  63. {
  64. if(m_pSD)
  65. {
  66. LocalFree(m_pSD);
  67. m_pSD = NULL;
  68. }
  69. if(m_hevtNoReaders)
  70. {
  71. CloseHandle(m_hevtNoReaders);
  72. m_hevtNoReaders = NULL;
  73. }
  74. if(IsInitialized())
  75. {
  76. DeleteCriticalSection(&m_csWrite);
  77. }
  78. m_pcwszSanitizedName = NULL;
  79. m_fInitialized = false;
  80. m_cReaders = 0;
  81. }
  83. BOOL IsInitialized() const { return m_fInitialized;}
  85. // init, loading SD from the registry
  86. HRESULT Initialize(LPCWSTR pwszSanitizedName);
  87. // init from supplied SD
  88. HRESULT Initialize(const PSECURITY_DESCRIPTOR pSD, LPCWSTR pwszSanitizedName);
  90. HRESULT InitializeFromTemplate(LPCWSTR pcwszTemplate, LPCWSTR pwszSanitizedName);
  92. HRESULT Set(const PSECURITY_DESCRIPTOR pSD);
  93. HRESULT LockGet(PSECURITY_DESCRIPTOR *ppSD);
  94. HRESULT Unlock();
  96. PSECURITY_DESCRIPTOR Get() { return m_pSD; };
  98. // load SD from registry
  99. HRESULT Load();
  100. // save SD to registry
  101. HRESULT Save();
  102. // delete SD from registry
  103. HRESULT Delete();
  105. LPCWSTR GetPersistRegistryVal() { return m_pcwszPersistRegVal;}
  107. void ImportResourceStrings(LPCWSTR *pcwszStrings)
  108. {m_pcwszResources = pcwszStrings;};
  110. protected:
  112. HRESULT Init(LPCWSTR pwszSanitizedName);
  113. HRESULT SetSD(PSECURITY_DESCRIPTOR pSD);
  115. PSECURITY_DESCRIPTOR m_pSD;
  116. bool m_fInitialized;
  117. LONG m_cReaders;
  118. HANDLE m_hevtNoReaders;
  119. CRITICAL_SECTION m_csWrite;
  120. LPCWSTR m_pcwszSanitizedName; // no free
  121. LPCWSTR m_pcwszPersistRegVal; // no free
  123. static LPCWSTR const *m_pcwszResources; // no free
  125. }; //class CProtectedSecurityDescriptor
  129. // The class stores a list of officers/groups and the principals they are
  130. // allowed to manage certificates for:
  131. //
  132. // officerSID1 -> clientSID1, clientSID2...
  133. // officerSID2 -> clientSID3, clientSID4...
  134. //
  135. // The information is stored as a DACL containing callback ACEs .
  136. // The officer SID is stored as in the ACE's SID and the list of client
  137. // SIDs are stored in the custom data space following the officer SID
  138. // (see definition of _ACCESS_*_CALLBACK_ACE)
  139. //
  140. // The DACL will be used to AccessCheck if an officer is allowed to perform
  141. // an action over a certificate.
  142. //
  143. // The SD contains only the officer DACL, SACL or other data is not used.
  145. class COfficerRightsSD : public CProtectedSecurityDescriptor
  146. {
  147. public:
  149. COfficerRightsSD() : m_fEnabled(FALSE)
  150. { m_pcwszPersistRegVal = wszREGOFFICERRIGHTS; }
  152. HRESULT InitializeEmpty();
  153. HRESULT Initialize(LPCWSTR pwszSanitizedName);
  155. // The officer rights have to be in sync with the CA security descriptor.
  156. // An officer ACE for a certain SID can exist only if the principal is
  157. // an officer as defined by the CA SD.
  158. // Merge sets the internal officer DACL making sure it's in sync
  159. // with the CA SD:
  160. // - removes any ACE found in the officer DACL which is not present as an
  161. // allow ACE in the CA DACL
  162. // - add an Everyone ACE in the officer DACL for each allow ACE in CA DACL
  163. // that is not already present
  164. HRESULT Merge(
  165. PSECURITY_DESCRIPTOR pOfficerSD,
  166. PSECURITY_DESCRIPTOR pCASD);
  168. // Same as above but using the internal officer SD. Used to generate the
  169. // initial officer SD and to update it when CA SD changes
  170. HRESULT Adjust(
  171. PSECURITY_DESCRIPTOR pCASD);
  173. BOOL IsEnabled() { return m_fEnabled; }
  174. void SetEnable(BOOL fEnable) { m_fEnabled = fEnable;}
  175. HRESULT Save();
  176. HRESULT Load();
  177. HRESULT Validate() { return S_OK; }
  179. static HRESULT ConvertToString(
  180. IN PSECURITY_DESCRIPTOR pSD,
  181. OUT LPWSTR& rpwszSD);
  183. protected:
  185. static HRESULT ConvertAceToString(
  186. IN PACCESS_ALLOWED_CALLBACK_ACE pAce,
  187. OUT OPTIONAL PDWORD pdwSize,
  188. IN OUT OPTIONAL LPWSTR pwszSD);
  191. BOOL m_fEnabled;
  192. }; // class COfficerRightsSD
  194. class CCertificateAuthoritySD : public CProtectedSecurityDescriptor
  195. {
  196. public:
  198. CCertificateAuthoritySD() :
  199. m_pDefaultDSSD(NULL),
  200. m_pDefaultServiceSD(NULL),
  201. m_pDefaultDSAcl(NULL),
  202. m_pDefaultServiceAcl(NULL),
  203. m_pwszComputerSID(NULL)
  204. { m_pcwszPersistRegVal = wszREGCASECURITY; }
  206. ~CCertificateAuthoritySD()
  207. {
  208. if(m_pDefaultDSSD)
  209. LocalFree(m_pDefaultDSSD);
  210. if(m_pDefaultServiceSD)
  211. LocalFree(m_pDefaultServiceSD);
  212. if(m_pwszComputerSID)
  213. LocalFree(m_pwszComputerSID);
  214. }
  216. // Sets a new CA SD. Uses the new DACL but keeps the old owner, group and
  217. // SACL.
  218. // Also rebuilds the DACL for objects CA owns (eg DS pKIEnrollmentService,
  219. // service). The new DACL contains a default DACL plus additional aces
  220. // depending on the object:
  221. // DS - add an enroll ace for each enroll ace found in CA DACL
  222. // Service - add a full control ace for each CA admin ace
  223. HRESULT Set(const PSECURITY_DESCRIPTOR pSD, bool fSetDSSecurity);
  224. static HRESULT Validate(const PSECURITY_DESCRIPTOR pSD);
  225. HRESULT ResetSACL();
  226. HRESULT MapAndSetDaclOnObjects(bool fSetDSSecurity);
  228. // Upgrade SD from Win2k.
  229. HRESULT UpgradeWin2k(bool fUseEnterpriseAcl);
  231. static HRESULT ConvertToString(
  232. IN PSECURITY_DESCRIPTOR pSD,
  233. OUT LPWSTR& rpwszSD);
  235. protected:
  237. enum ObjType
  238. {
  239. ObjType_DS,
  240. ObjType_Service,
  241. };
  243. HRESULT MapAclGetSize(PVOID pAce, ObjType type, DWORD& dwSize);
  244. HRESULT MapAclAddAce(PACL pAcl, ObjType type, PVOID pAce);
  245. HRESULT SetDefaultAcl(ObjType type);
  246. HRESULT SetComputerSID();
  247. HRESULT MapAclSetOnDS(const PACL pAcl);
  248. HRESULT MapAclSetOnService(const PACL pAcl);
  250. DWORD GetUpgradeAceSizeAndType(PVOID pAce, DWORD *pdwType, PSID *ppSid);
  252. static HRESULT ConvertAceToString(
  253. IN PACCESS_ALLOWED_ACE pAce,
  254. OUT OPTIONAL PDWORD pdwSize,
  255. IN OUT OPTIONAL LPWSTR pwszSD);
  258. PSECURITY_DESCRIPTOR m_pDefaultDSSD;
  259. PSECURITY_DESCRIPTOR m_pDefaultServiceSD;
  260. PACL m_pDefaultDSAcl; // no free
  261. PACL m_pDefaultServiceAcl; // no free
  262. LPWSTR m_pwszComputerSID;
  263. };
  265. } // namespace CertSrv
  267. #endif //__CERTSD_H__