|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1995 - 1999
//
// File: store.cpp
//
//--------------------------------------------------------------------------
#include <pch.cpp>
#pragma hdrstop
#include <winldap.h>
#include <setupapi.h>
#include "ocmanage.h"
#include "initcert.h"
#include "cscsp.h"
#include "csber.h"
#include "csldap.h"
#define __dwFILE__ __dwFILE_CERTUTIL_STORE_CPP__
#define RSAPRIV_MAGIC 0x32415352 // "RSA2"
DWORDcuGetSystemStoreFlags(){ return(g_fEnterpriseRegistry? CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE : (g_fUserRegistry? CERT_SYSTEM_STORE_CURRENT_USER : CERT_SYSTEM_STORE_LOCAL_MACHINE));}
// Parse a CertIndex -- any one of the following:
//
// Return the following in *piCert, *piCRL and *piCTL. MAXDWORD if not
// specified
// Each value must be less than 64k.
// iCert decimal number
// iCert.iCRL decimal number, period, decimal number
// iCert.iCRL.iCTL decimal number, period, decimal number, period, number
// .iCRL period, decimal number
// ..iCTL period, period, decimal number
//
// Return the string in *ppwszCertName, if no Cert, CRL and CTL indexes.
HRESULTParseCertCRLIndex( IN WCHAR const *pwszCertIndex, OUT WCHAR **ppwszCertName, OUT DWORD *piCert, OUT DWORD *piCRL, OUT DWORD *piCTL){ HRESULT hr; WCHAR *pwszCopy = NULL; *ppwszCertName = NULL; *piCert = MAXDWORD; *piCRL = MAXDWORD; *piCTL = MAXDWORD; if (NULL != pwszCertIndex && 0 != lstrcmp(L"*", pwszCertIndex)) { BOOL fNumericIndex = TRUE; WCHAR *pwszCert; WCHAR *pwszCRL; WCHAR *pwszCTL; if (L' ' == *pwszCertIndex) { fNumericIndex = FALSE; pwszCertIndex++; } hr = myDupString(pwszCertIndex, &pwszCopy); _JumpIfError(hr, error, "myDupString");
pwszCert = pwszCopy;
if (!iswdigit(*pwszCert) && L'.' != *pwszCert) { fNumericIndex = FALSE; }
pwszCRL = NULL; pwszCTL = NULL; if (fNumericIndex) { pwszCRL = wcschr(pwszCert, L'.'); if (NULL != pwszCRL) { *pwszCRL++ = L'\0'; pwszCTL = wcschr(pwszCRL, L'.'); if (NULL != pwszCTL) { *pwszCTL++ = L'\0'; if (L'\0' != *pwszCTL) { hr = myGetLong(pwszCTL, (LONG *) piCTL); if (S_OK != hr || 64*1024 <= *piCTL) { fNumericIndex = FALSE; } } } if (fNumericIndex && L'\0' != *pwszCRL) { hr = myGetLong(pwszCRL, (LONG *) piCRL); if (S_OK != hr || 64*1024 <= *piCRL) { fNumericIndex = FALSE; } } } } if (fNumericIndex && L'\0' != *pwszCert) { hr = myGetLong(pwszCert, (LONG *) piCert); if (S_OK != hr || 64*1024 <= *piCert) { fNumericIndex = FALSE; } } if (!fNumericIndex) { hr = myRevertSanitizeName(pwszCertIndex, ppwszCertName); _JumpIfError(hr, error, "myRevertSanitizeName");
*piCert = MAXDWORD; *piCRL = MAXDWORD; *piCTL = MAXDWORD; } } if (1 < g_fVerbose) { wprintf( L"pwszCertIndex=%ws, %ws, %d.%d.%d\n", pwszCertIndex, *ppwszCertName, *piCert, *piCRL, *piCTL); } hr = S_OK;
error: if (NULL != pwszCopy) { LocalFree(pwszCopy); } return(hr);}
HRESULTDeleteKeys( IN CERT_CONTEXT const *pcc, IN BOOL fUser){ HRESULT hr; CRYPT_KEY_PROV_INFO *pkpi = NULL;
hr = myCertGetKeyProviderInfo(pcc, &pkpi); _PrintIfError(hr, "myCertGetKeyProviderInfo"); if (S_OK == hr) { HCRYPTPROV hProv;
if (!myCertSrvCryptAcquireContext( &hProv, pkpi->pwszContainerName, pkpi->pwszProvName, pkpi->dwProvType, pkpi->dwFlags | CRYPT_DELETEKEYSET, !fUser)) { hr = myHLastError(); _PrintIfError(hr, "myCertSrvCryptAcquireContext"); } else { DBGPRINT(( DBG_SS_CERTLIBI, "DeleteKeys(%ws, %ws)\n", !fUser? L"Machine" : L"User", pkpi->pwszContainerName)); } } hr = S_OK;
//error:
if (NULL != pkpi) { LocalFree(pkpi); } return(hr);}
// Delete keys copied into new CSP, and close store
HRESULTcuDeleteStoreAndKeys( OPTIONAL IN HCERTSTORE hStore, IN BOOL fUser){ HRESULT hr; CERT_CONTEXT const *pcc; // Enumerate certs and delete keys
pcc = NULL; while (TRUE) { pcc = CertEnumCertificatesInStore(hStore, pcc); if (NULL == pcc) { break; } hr = DeleteKeys(pcc, fUser); _PrintIfError(hr, "DeleteKeys"); } CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); hr = S_OK;
//error:
return(hr);}
HRESULTCopyOneCertAndKeys( IN CERT_CONTEXT const *pcc, IN BOOL fUser, IN WCHAR const *pwszNewCSP, IN OUT HCERTSTORE hStore){ HRESULT hr; CRYPT_KEY_PROV_INFO *pkpi = NULL; WCHAR *pwszKeyContainerName = NULL; CERT_CONTEXT const *pccNew = NULL;
pccNew = CertCreateCertificateContext( X509_ASN_ENCODING, pcc->pbCertEncoded, pcc->cbCertEncoded); if (NULL == pccNew) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
hr = myCertGetKeyProviderInfo(pcc, &pkpi); _PrintIfError(hr, "myCertGetKeyProviderInfo"); if (S_OK == hr) { hr = cuGenerateKeyContainerName(pcc, &pwszKeyContainerName); _JumpIfError(hr, error, "cuGenerateKeyContainerName");
hr = myCopyKeys( pkpi, pkpi->pwszContainerName, // pwszOldContainer
pwszKeyContainerName, // pwszNewContainer
pwszNewCSP, // pwszNewCSP
fUser, // fOldUserKey
fUser, // fNewUserKey
FALSE, // fNewProtect
g_fForce); _JumpIfError(hr, error, "myCopyKeys");
pkpi->pwszContainerName = pwszKeyContainerName; pkpi->pwszProvName = const_cast<WCHAR *>(pwszNewCSP);
if (!CertSetCertificateContextProperty( pccNew, CERT_KEY_PROV_INFO_PROP_ID, 0, pkpi)) { hr = myHLastError(); _JumpError(hr, error, "CertSetCertificateContextProperty"); } } if (!CertAddCertificateContextToStore( hStore, pccNew, CERT_STORE_ADD_ALWAYS, NULL)) { hr = myHLastError(); _JumpError(hr, error, "CertAddCertificateContextToStore"); } hr = S_OK;
error: if (NULL != pccNew) { CertFreeCertificateContext(pccNew); } if (NULL != pkpi) { LocalFree(pkpi); } if (NULL != pwszKeyContainerName) { LocalFree(pwszKeyContainerName); } return(hr);}
HRESULTcuCopyStoreToNewCSP( IN HCERTSTORE hStoreIn, IN BOOL fUser, IN WCHAR const *pwszNewCSP, OUT HCERTSTORE *phStoreOut){ HRESULT hr; HCERTSTORE hStoreOut = NULL; CERT_CONTEXT const *pcc; *phStoreOut = NULL; hStoreOut = CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_ENUM_ARCHIVED_FLAG, NULL); if (NULL == hStoreOut) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); }
// Enumerate certs:
// copy certs to new store and keys to new CSP
pcc = NULL; while (TRUE) { pcc = CertEnumCertificatesInStore(hStoreIn, pcc); if (NULL == pcc) { break; } hr = CopyOneCertAndKeys(pcc, fUser, pwszNewCSP, hStoreOut); _JumpIfError(hr, error, "CopyOneCertAndKeys"); } *phStoreOut = hStoreOut; hStoreOut = NULL; hr = S_OK;
error: if (NULL != hStoreOut) { cuDeleteStoreAndKeys(hStoreOut, fUser); } return(hr);}
HRESULTSavePFXStoreToFile( IN HCERTSTORE hStoreSave, IN WCHAR const *pwszfnOut, OPTIONAL IN WCHAR const *pwszNewCSP, OPTIONAL IN WCHAR const *pwszSalt, OPTIONAL IN WCHAR const *pwszV3CACertId, IN BOOL fSaveAsPFX, IN DWORD dwEPFAlg, IN WCHAR const *pwszPassword, IN OUT WCHAR **ppwszPassword){ HRESULT hr; CRYPT_DATA_BLOB pfx; WCHAR wszPassword[MAX_PATH]; HCERTSTORE hStoreT = NULL; BOOL fUser = !g_fEnterpriseRegistry && g_fUserRegistry;
pfx.pbData = NULL;
if (NULL == *ppwszPassword) { hr = cuGetPassword( IDS_FORMAT_ENTER_PASSWORD_OUTPUT_FILE, pwszfnOut, pwszPassword, TRUE, // fVerify
wszPassword, ARRAYSIZE(wszPassword), &pwszPassword); _JumpIfError(hr, error, "cuGetPassword");
hr = myDupString(pwszPassword, ppwszPassword); _JumpIfError(hr, error, "myDupString"); } pwszPassword = *ppwszPassword;
if (fSaveAsPFX) { if (NULL != pwszNewCSP) { // Copy keys to new CSP, create new store with updated KeyProvInfo
//wprintf(L"New CSP: %ws\n", pwszNewCSP);
hr = cuCopyStoreToNewCSP(hStoreSave, fUser, pwszNewCSP, &hStoreT); _JumpIfError(hr, error, "cuCopyStoreToNewCSP");
hStoreSave = hStoreT; }
// GemPlus returns NTE_BAD_TYPE instead of NTE_BAD_KEY, blowing up
// REPORT_NOT_ABLE* filtering. If they ever get this right, we can
// pass "[...] : EXPORT_PRIVATE_KEYS"
hr = myPFXExportCertStore( hStoreSave, &pfx, pwszPassword, !g_fWeakPFX, EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY); _JumpIfError(hr, error, "myPFXExportCertStore");
hr = EncodeToFileW( pwszfnOut, pfx.pbData, pfx.cbData, CRYPT_STRING_BINARY | g_EncodeFlags); _JumpIfError(hr, error, "EncodeToFileW"); } else { hr = EPFSaveCertStoreToFile( hStoreSave, pwszPassword, pwszfnOut, pwszV3CACertId, dwEPFAlg, pwszSalt); _JumpIfError(hr, error, "EPFSaveCertStoreToFile"); }
error: SecureZeroMemory(wszPassword, sizeof(wszPassword)); // password data
if (NULL != hStoreT) { cuDeleteStoreAndKeys(hStoreT, fUser); } if (NULL != pfx.pbData) { LocalFree(pfx.pbData); } return(hr);}
HRESULTSavePFXToFile( IN CERT_CONTEXT const *pCert, IN WCHAR const *pwszfnOut, IN BOOL fFirst, IN WCHAR const *pwszPassword, IN OUT WCHAR **ppwszPassword){ HRESULT hr; HCERTSTORE hTempMemoryStore = NULL;
hTempMemoryStore = CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_ENUM_ARCHIVED_FLAG, NULL); if (NULL == hTempMemoryStore) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); }
// Begin Chain Building
hr = myAddChainToMemoryStore(hTempMemoryStore, pCert, g_dwmsTimeout); _JumpIfError(hr, error, "myAddChainToMemoryStore");
// End Chain Building
hr = SavePFXStoreToFile( hTempMemoryStore, pwszfnOut, NULL, // pwszNewCSP
NULL, // pwszSalt
NULL, // pwszV3CACertId
TRUE, // fSaveAsPFX
0, // dwEPFAlg
pwszPassword, ppwszPassword); _JumpIfError(hr, error, "SavePFXStoreToFile");
error: if (NULL != hTempMemoryStore) { CertCloseStore(hTempMemoryStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTSavePVKToFile( IN CERT_CONTEXT const *pCert, IN WCHAR const *pwszfnOut, IN BOOL fFirst){ return(S_OK);}
HRESULTcuDumpCTLProperties( IN CTL_CONTEXT const *pCTL){ HRESULT hr; DWORD dwPropId; BYTE *pb = NULL; DWORD cb;
dwPropId = 0; while (TRUE) { if (NULL != pb) { LocalFree(pb); pb = NULL; } dwPropId = CertEnumCTLContextProperties(pCTL, dwPropId); if (0 == dwPropId) { break; } while (TRUE) { if (!CertGetCTLContextProperty(pCTL, dwPropId, pb, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCTLContextProperty"); } if (NULL != pb) { break; // memory alloc'd, property fetched
} pb = (BYTE *) LocalAlloc(LMEM_FIXED, cb); if (NULL == pb) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } } hr = cuDumpFormattedProperty(dwPropId, NULL, pb, cb); _PrintIfError(hr, "cuDumpFormattedProperty"); } hr = S_OK;
error: if (NULL != pb) { LocalFree(pb); } return(hr);}
HRESULTcuDumpCRLProperties( IN CRL_CONTEXT const *pCRL){ HRESULT hr; DWORD dwPropId; BYTE *pb = NULL; DWORD cb;
dwPropId = 0; while (TRUE) { if (NULL != pb) { LocalFree(pb); pb = NULL; } dwPropId = CertEnumCRLContextProperties(pCRL, dwPropId); if (0 == dwPropId) { break; } while (TRUE) { if (!CertGetCRLContextProperty(pCRL, dwPropId, pb, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCRLContextProperty"); } if (NULL != pb) { break; // memory alloc'd, property fetched
} pb = (BYTE *) LocalAlloc(LMEM_FIXED, cb); if (NULL == pb) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } } hr = cuDumpFormattedProperty(dwPropId, NULL, pb, cb); _PrintIfError(hr, "cuDumpFormattedProperty"); } hr = S_OK;
error: if (NULL != pb) { LocalFree(pb); } return(hr);}
HRESULTcuDumpCertProperties( IN CERT_CONTEXT const *pCert){ HRESULT hr; DWORD dwPropId; BYTE *pb = NULL; DWORD cb;
dwPropId = 0; while (TRUE) { dwPropId = CertEnumCertificateContextProperties(pCert, dwPropId); if (0 == dwPropId) { break; } if (NULL != pb) { LocalFree(pb); pb = NULL; } while (TRUE) { if (!CertGetCertificateContextProperty(pCert, dwPropId, pb, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateContextProperty"); } if (NULL != pb) { break; // memory alloc'd, property fetched
} pb = (BYTE *) LocalAlloc(LMEM_FIXED, cb); if (NULL == pb) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } } hr = cuDumpFormattedProperty(dwPropId, NULL, pb, cb); _PrintIfError(hr, "cuDumpFormattedProperty"); } hr = S_OK;
error: if (NULL != pb) { LocalFree(pb); } return(hr);}
HRESULTSetCertificateKeyProvInfo( IN CERT_CONTEXT const *pCert, IN CRYPT_KEY_PROV_INFO const *pkpi, IN CERT_PUBLIC_KEY_INFO const *pPubKeyInfo){ HRESULT hr;
if (!myCertComparePublicKeyInfo( X509_ASN_ENCODING, CERT_V1 == pCert->pCertInfo->dwVersion, pPubKeyInfo, &pCert->pCertInfo->SubjectPublicKeyInfo)) { // by design, (my)CertComparePublicKeyInfo doesn't set last error!
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError2(hr, error, "myCertComparePublicKeyInfo", hr); } if (!CertSetCertificateContextProperty( pCert, CERT_KEY_PROV_INFO_PROP_ID, 0, pkpi)) { hr = myHLastError(); _JumpError(hr, error, "CertSetCertificateContextProperty"); } hr = S_OK;
error: return(hr);}
HRESULTcuFindCertificateKeyProvInfo( IN CERT_CONTEXT const *pCert){ HRESULT hr; HCRYPTPROV hProv = NULL; KEY_LIST *pKeyList = NULL; CERT_PUBLIC_KEY_INFO *pPubKeyInfoSig = NULL; CERT_PUBLIC_KEY_INFO *pPubKeyInfoXchg = NULL;
if (NULL != g_pwszCSP) { DWORD dwKeySpec; DWORD dwProvType; KEY_LIST *pKeyT; hr = csiGetProviderTypeFromProviderName(g_pwszCSP, &dwProvType); _JumpIfErrorStr(hr, error, "csiGetProviderTypeFromProviderName", g_pwszCSP); if (!CryptAcquireCertificatePrivateKey( pCert, CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, // pvReserved
&hProv, &dwKeySpec, NULL)) // pfCallerFreeProv
{ hr = myHLastError(); _PrintError(hr, "CryptFindCertificateKeyProvInfo"); } else { hr = CRYPT_E_EXISTS; _PrintError2(hr, "Key Exists!", hr); if (!g_fForce) { goto error; } } hr = csiGetKeyList( dwProvType, // dwProvType
g_pwszCSP, // pwszProvName
!g_fUserRegistry, // fMachineKeyset
!g_fCryptSilent, // inverted fSilent: default is Silent!
&pKeyList); _JumpIfErrorStr(hr, error, "csiGetKeyList", g_pwszCSP);
for (pKeyT = pKeyList; NULL != pKeyT; pKeyT = pKeyT->next) { DWORD dwProvTypeT;
dwProvTypeT = dwProvType; hr = cuLoadKeys( g_pwszCSP, &dwProvTypeT, pKeyT->pwszName, !g_fUserRegistry, // fMachineKeyset
TRUE, NULL, &pPubKeyInfoSig, &pPubKeyInfoXchg); if (S_OK != hr) { cuPrintError(IDS_ERR_FORMAT_LOADKEYS, hr); } else { CRYPT_KEY_PROV_INFO kpi;
ZeroMemory(&kpi, sizeof(kpi)); kpi.pwszContainerName = pKeyT->pwszName; kpi.pwszProvName = g_pwszCSP; kpi.dwProvType = dwProvTypeT; kpi.dwFlags = g_fUserRegistry? 0 : CRYPT_MACHINE_KEYSET;
if (NULL != pPubKeyInfoSig) { kpi.dwKeySpec = AT_SIGNATURE; hr = SetCertificateKeyProvInfo( pCert, &kpi, pPubKeyInfoSig); if (S_OK == hr) { break; } _PrintError2(hr, "SetCertificateKeyProvInfo", hr); } if (NULL != pPubKeyInfoXchg) { kpi.dwKeySpec = AT_KEYEXCHANGE;
hr = SetCertificateKeyProvInfo( pCert, &kpi, pPubKeyInfoXchg); if (S_OK == hr) { break; } _PrintError2(hr, "SetCertificateKeyProvInfo", hr); } } if (NULL != pPubKeyInfoSig) { LocalFree(pPubKeyInfoSig); pPubKeyInfoSig = NULL; } if (NULL != pPubKeyInfoXchg) { LocalFree(pPubKeyInfoXchg); pPubKeyInfoXchg = NULL; } } if (NULL == pKeyT) { hr = CRYPT_E_NOT_FOUND; _JumpError(hr, error, "cuFindCertificateKeyProvInfo"); } } else { if (!CryptFindCertificateKeyProvInfo( pCert, 0, // dwFlags
NULL)) // pvReserved
{ hr = myHLastError(); _JumpError(hr, error, "CryptFindCertificateKeyProvInfo"); } } hr = S_OK;
error: if (NULL != pPubKeyInfoSig) { LocalFree(pPubKeyInfoSig); } if (NULL != pPubKeyInfoXchg) { LocalFree(pPubKeyInfoXchg); } if (NULL != pKeyList) { csiFreeKeyList(pKeyList); } if (NULL != hProv) { CryptReleaseContext(hProv, 0); } return(hr);}
HRESULTEnumCertsInStore( IN HCERTSTORE hStore, IN DWORD Mode, IN DWORD iCertSave, OPTIONAL IN WCHAR const *pwszCertName, IN DWORD cbHash, OPTIONAL IN BYTE *pbHash, OPTIONAL IN WCHAR const *pwszfnOut, OPTIONAL IN WCHAR const *pwszPasswordArg, IN OUT WCHAR **ppwszPassword, OUT DWORD *pcCert){ HRESULT hr; HRESULT hr2; DWORD iCert; CERT_CONTEXT const *pCert = NULL; BSTR strSerialNumber = NULL;
*pcCert = 0; hr2 = S_OK; if (NULL != pwszCertName) { hr = myMakeSerialBstr(pwszCertName, &strSerialNumber); _PrintIfError2(hr, "myMakeSerialBstr", hr); } for (iCert = 0; ; iCert++) { DWORD VerifyState; BOOL fSigningKey; BOOL fMatchingKey;
pCert = CertEnumCertificatesInStore(hStore, pCert); if (NULL == pCert) { break; } if (MAXDWORD == iCertSave || iCert == iCertSave) { DWORD cb;
if (NULL != pwszCertName) { BOOL fMatch; hr = myCertMatch( pCert, pwszCertName, FALSE, // fAllowMissingCN
pbHash, cbHash, strSerialNumber, &fMatch); _PrintIfError(hr, "myCertMatch"); if (S_OK == hr2) { hr2 = hr; } if (S_OK != hr || !fMatch) { continue; } } if (0 != *pcCert) { wprintf(wszNewLine); }
wprintf( myLoadResourceString(IDS_FORMAT_DUMP_CERT_INDEX), // "================ Certificate %d ================"
iCert); wprintf(wszNewLine);
if (CertGetCertificateContextProperty( pCert, CERT_ARCHIVED_PROP_ID, NULL, &cb)) { wprintf(myLoadResourceString(IDS_ARCHIVED)); // "Archived!"
wprintf(wszNewLine); } if ((iCert == iCertSave || NULL != pwszCertName) && NULL != pwszfnOut && (DVNS_SAVECERT & Mode)) { hr = EncodeToFileW( pwszfnOut, pCert->pbCertEncoded, pCert->cbCertEncoded, CRYPT_STRING_BINARY | g_EncodeFlags); _PrintIfError(hr, "EncodeToFileW"); if (S_OK == hr2) { hr2 = hr; } }
hr = cuDumpAsnBinary( pCert->pbCertEncoded, pCert->cbCertEncoded, MAXDWORD); _PrintIfError(hr, "cuDumpAsnBinary"); if (S_OK == hr2) { hr2 = hr; }
if (DVNS_REPAIRKPI & Mode) { hr = cuFindCertificateKeyProvInfo(pCert); _PrintIfError(hr, "cuFindCertificateKeyProvInfo"); if (S_OK == hr2) { hr2 = hr; } } if ((DVNS_DUMPPROPERTIES & Mode) && !g_fQuiet) { hr = cuDumpCertProperties(pCert); _PrintIfError(hr, "cuDumpCertProperties"); if (S_OK == hr2) { hr2 = hr; } } if (DVNS_DUMPKEYS & Mode) { if (0 == (DVNS_DUMPPROPERTIES & Mode) || g_fQuiet) { hr = cuDumpCertKeyProviderInfo( g_wszPad2, pCert, NULL, NULL); _PrintIfError(hr, "cuDumpCertKeyProviderInfo"); if (S_OK == hr2) { hr2 = hr; } } hr = cuDumpPrivateKey(pCert, &fSigningKey, &fMatchingKey); if (!IsHrSkipPrivateKey(hr)) { if (S_OK != hr) { wprintf(myLoadResourceString( fSigningKey? IDS_SIGNATURE_BAD : // "Signature test FAILED"
IDS_ENCRYPTION_BAD)); // "Encryption test FAILED"
wprintf(wszNewLine); _PrintError(hr, "cuDumpPrivateKey"); fMatchingKey = FALSE; }
if (fMatchingKey) { wprintf(myLoadResourceString( fSigningKey? IDS_SIGNATURE_OK : // "Signature test passed"
IDS_ENCRYPTION_OK)); // "Encryption test passed"
wprintf(wszNewLine); } } } if (DVNS_VERIFYCERT & Mode) { hr = cuVerifyCertContext( pCert, (DVNS_CASTORE & Mode)? hStore : NULL, 0, // cApplicationPolicies
NULL, // apszApplicationPolicies
0, // cIssuancePolicies
NULL, // apszIssuancePolicies
FALSE, // fNTAuth
&VerifyState); if (S_OK != hr) { cuPrintError(IDS_ERR_FORMAT_BAD_CERT, hr); _PrintError(hr, "cuVerifyCertContext"); if (S_OK == hr2) { hr2 = hr; // Save first error
} } else if (0 == (VS_ERRORMASK & VerifyState)) { wprintf(myLoadResourceString(IDS_CERT_VERIFIES)); // "Certificate is valid"
} wprintf(wszNewLine); } if (DVNS_SAVEPFX & Mode) { hr = SavePFXToFile( pCert, pwszfnOut, 0 == *pcCert, pwszPasswordArg, ppwszPassword); _PrintIfError(hr, "SavePFXToFile"); if (S_OK == hr2) { hr2 = hr; } } if (DVNS_SAVEPVK & Mode) { hr = SavePVKToFile(pCert, pwszfnOut, 0 == *pcCert); _PrintIfError(hr, "SavePVKToFile"); if (S_OK == hr2) { hr2 = hr; } } (*pcCert)++; } } hr = hr2; _JumpIfError(hr, error, "EnumCertsInStore");
error: if (NULL != pCert) { CertFreeCertificateContext(pCert); } if (NULL != strSerialNumber) { SysFreeString(strSerialNumber); } return(hr);}
HRESULTEnumCRLsInStore( IN HCERTSTORE hStore, IN DWORD Mode, IN DWORD iCRLSave, OPTIONAL IN WCHAR const *pwszCertName, IN DWORD cbHash, OPTIONAL IN BYTE *pbHash, OPTIONAL IN WCHAR const *pwszfnOut, OUT DWORD *pcCRL){ HRESULT hr; HRESULT hr2; DWORD iCRL; CRL_CONTEXT const *pCRL = NULL;
*pcCRL = 0; hr2 = S_OK; for (iCRL = 0; ; iCRL++) { pCRL = CertEnumCRLsInStore(hStore, pCRL); if (NULL == pCRL) { break; } if (MAXDWORD == iCRLSave || iCRL == iCRLSave) { if (NULL != pwszCertName) { BOOL fMatch; hr = myCRLMatch( pCRL, pwszCertName, FALSE, // fAllowMissingCN
pbHash, cbHash, &fMatch); _PrintIfError(hr, "myCRLMatch"); if (S_OK == hr2) { hr2 = hr; } if (S_OK != hr || !fMatch) { continue; } } if (0 != *pcCRL) { wprintf(wszNewLine); }
wprintf( myLoadResourceString(IDS_FORMAT_DUMP_CRL_INDEX), // "================ CRL %d ================"
iCRL); wprintf(wszNewLine);
if ((iCRL == iCRLSave || NULL != pwszCertName) && NULL != pwszfnOut && (DVNS_SAVECRL & Mode)) { hr = EncodeToFileW( pwszfnOut, pCRL->pbCrlEncoded, pCRL->cbCrlEncoded, CRYPT_STRING_BINARY | g_EncodeFlags); _PrintIfError(hr, "EncodeToFileW"); if (S_OK == hr2) { hr2 = hr; } }
hr = cuDumpAsnBinary( pCRL->pbCrlEncoded, pCRL->cbCrlEncoded, MAXDWORD); _PrintIfError(hr, "cuDumpAsnBinary"); if (S_OK == hr2) { hr2 = hr; }
if ((DVNS_DUMPPROPERTIES & Mode) && !g_fQuiet) { hr = cuDumpCRLProperties(pCRL); _PrintIfError(hr, "cuDumpCRLProperties"); if (S_OK == hr2) { hr2 = hr; } } (*pcCRL)++; } } hr = hr2; _JumpIfError(hr, error, "EnumCRLsInStore");
error: if (NULL != pCRL) { CertFreeCRLContext(pCRL); } return(hr);}
HRESULTEnumCTLsInStore( IN HCERTSTORE hStore, IN DWORD Mode, IN DWORD iCTLSave, OPTIONAL IN WCHAR const *pwszCertName, IN DWORD cbHash, OPTIONAL IN BYTE *pbHash, OPTIONAL IN WCHAR const *pwszfnOut, OUT DWORD *pcCTL){ HRESULT hr; HRESULT hr2; DWORD iCTL; CTL_CONTEXT const *pCTL = NULL;
*pcCTL = 0; hr2 = S_OK; for (iCTL = 0; ; iCTL++) { pCTL = CertEnumCTLsInStore(hStore, pCTL); if (NULL == pCTL) { break; } if (MAXDWORD == iCTLSave || iCTL == iCTLSave) { DWORD cb;
if (NULL != pwszCertName) { BOOL fMatch; hr = myCTLMatch(pCTL, pbHash, cbHash, &fMatch); _PrintIfError(hr, "myCTLMatch"); if (S_OK == hr2) { hr2 = hr; } if (S_OK != hr || !fMatch) { continue; } } if (0 != *pcCTL) { wprintf(wszNewLine); }
wprintf( myLoadResourceString(IDS_FORMAT_DUMP_CTL_INDEX), // "================ CTL %d ================"
iCTL); wprintf(wszNewLine);
if (CertGetCTLContextProperty( pCTL, CERT_ARCHIVED_PROP_ID, NULL, &cb)) { wprintf(myLoadResourceString(IDS_ARCHIVED)); // "Archived!"
wprintf(wszNewLine); } if ((iCTL == iCTLSave || NULL != pwszCertName) && NULL != pwszfnOut && (DVNS_SAVECTL & Mode)) { hr = EncodeToFileW( pwszfnOut, pCTL->pbCtlEncoded, pCTL->cbCtlEncoded, CRYPT_STRING_BINARY | g_EncodeFlags); _PrintIfError(hr, "EncodeToFileW"); if (S_OK == hr2) { hr2 = hr; } }
hr = cuDumpAsnBinary( pCTL->pbCtlEncoded, pCTL->cbCtlEncoded, MAXDWORD); _PrintIfError(hr, "cuDumpAsnBinary"); if (S_OK == hr2) { hr2 = hr; }
if ((DVNS_DUMPPROPERTIES & Mode) && !g_fQuiet) { hr = cuDumpCTLProperties(pCTL); _PrintIfError(hr, "cuDumpCTLProperties"); if (S_OK == hr2) { hr2 = hr; } }#if 0
if (DVNS_VERIFYCERT & Mode) { hr = cuVerifyCertContext( pCTL, (DVNS_CASTORE & Mode)? hStore : NULL, NULL, // apszPolicies
0, // cPolicies
FALSE, // fNTAuth
&VerifyState); if (S_OK != hr) { cuPrintError(IDS_ERR_FORMAT_BAD_CTL, hr); _PrintError(hr, "cuVerifyCertContext"); if (S_OK == hr2) { hr2 = hr; // Save first error
} } else { wprintf(myLoadResourceString(IDS_CTL_VERIFIES)); // "CTL is valid"
} wprintf(wszNewLine); }#endif
(*pcCTL)++; } } hr = hr2; _JumpIfError(hr, error, "EnumCTLsInStore");
error: if (NULL != pCTL) { CertFreeCTLContext(pCTL); } return(hr);}
HRESULTcuDumpAndVerifyStore( IN HCERTSTORE hStore, IN DWORD Mode, OPTIONAL IN WCHAR const *pwszCertName, IN DWORD iCertSave, IN DWORD iCRLSave, IN DWORD iCTLSave, OPTIONAL IN WCHAR const *pwszfnOut, OPTIONAL IN WCHAR const *pwszPasswordArg){ HRESULT hr; HRESULT hr2; BYTE *pbHash = NULL; DWORD cbHash; BOOL fVerboseOld = g_fVerbose; BOOL fQuietOld = g_fQuiet; WCHAR *pwszPassword = NULL; DWORD cCert = 0; DWORD cCRL = 0; DWORD cCTL = 0;
if (g_fVerbose) { g_fVerbose--; } else { g_fQuiet = TRUE; } hr2 = S_OK;
if (NULL != pwszCertName) { hr = WszToMultiByteInteger(TRUE, pwszCertName, &cbHash, &pbHash); _PrintIfError2(hr, "WszToMultiByteInteger", hr); }
if (NULL != pwszCertName || MAXDWORD != iCertSave || (MAXDWORD == iCRLSave && MAXDWORD == iCTLSave)) { hr = EnumCertsInStore( hStore, Mode, iCertSave, pwszCertName, cbHash, pbHash, pwszfnOut, pwszPasswordArg, &pwszPassword, &cCert); _PrintIfError(hr, "EnumCertsInStore"); if (S_OK == hr2) { hr2 = hr; } }
if (NULL != pwszCertName || MAXDWORD != iCRLSave || (MAXDWORD == iCertSave && MAXDWORD == iCTLSave)) { hr = EnumCRLsInStore( hStore, Mode, iCRLSave, pwszCertName, cbHash, pbHash, pwszfnOut, &cCRL); _PrintIfError(hr, "EnumCRLsInStore"); if (S_OK == hr2) { hr2 = hr; } }
if (NULL != pwszCertName || MAXDWORD != iCTLSave || (MAXDWORD == iCertSave && MAXDWORD == iCRLSave)) { hr = EnumCTLsInStore( hStore, Mode, iCTLSave, pwszCertName, cbHash, pbHash, pwszfnOut, &cCTL); _PrintIfError(hr, "EnumCTLsInStore"); if (S_OK == hr2) { hr2 = hr; } }
hr = hr2; if (S_OK == hr && NULL != pwszCertName && 0 == (cCert + cCRL + cCTL)) { hr = NTE_NOT_FOUND; _JumpError(hr, error, "cuDumpAndVerifyStore"); }
error: g_fVerbose = fVerboseOld; g_fQuiet = fQuietOld; if (NULL != pbHash) { LocalFree(pbHash); } if (NULL != pwszPassword) { myZeroDataString(pwszPassword); // password data
LocalFree(pwszPassword); } return(hr);}
// Reorder LDAP URL paramaters as per RFC 2255:
// Attribute list: ?attribute,...
// Scope: ?sub or ?one or ?base
// Search filter: ?objectClass=*,...
HRESULTPatchLdapURL( IN WCHAR const *pwszURLIn, OUT WCHAR **ppwszURLOut){ HRESULT hr; DWORD cParm; DWORD iParm; WCHAR *pwsz; WCHAR *pwszT = NULL; WCHAR *pwszURLOut = NULL; WCHAR **apwsz = NULL;
*ppwszURLOut = NULL;
hr = myDupString(pwszURLIn, &pwszT); _JumpIfError(hr, error, "myDupString");
pwsz = pwszT; for (cParm = 0; ; cParm++) { pwsz = wcschr(pwsz, L'?'); if (NULL == pwsz) { break; } pwsz++; } if (1 < cParm) { apwsz = (WCHAR **) LocalAlloc(LMEM_FIXED, sizeof(apwsz[0]) * cParm); if (NULL == apwsz) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } pwsz = pwszT; for (iParm = 0; iParm < cParm; iParm++) { pwsz = wcschr(pwsz, L'?'); CSASSERT(NULL != pwsz); *pwsz++ = L'\0'; apwsz[iParm] = pwsz; } CSASSERT(cParm == iParm); CSASSERT(NULL == wcschr(pwsz, L'?'));
hr = myDupString(pwszURLIn, &pwszURLOut); _JumpIfError(hr, error, "myDupString");
pwsz = wcschr(pwszURLOut, L'?'); if (NULL != pwsz) { DWORD i; *pwsz = L'\0'; for (i = 0; i < 3; i++) { for (iParm = 0; iParm < cParm; iParm++) { BOOL fScope; BOOL fFilter; BOOL fCopy; fScope = 0 == mylstrcmpiS(apwsz[iParm], &wszDSSUBSEARCH[1]) || 0 == mylstrcmpiS(apwsz[iParm], &wszDSBASESEARCH[1]) || 0 == mylstrcmpiS(apwsz[iParm], &wszDSONESEARCH[1]); fFilter = NULL != wcschr(apwsz[iParm], L'=');
switch (i) { case 0: fCopy = !fScope && !fFilter; break; case 1: fCopy = fScope; break; default: fCopy = fFilter; break; } if (fCopy) { wcscat(pwszURLOut, L"?"); wcscat(pwszURLOut, apwsz[iParm]); } } } CSASSERT(wcslen(pwszURLOut) == wcslen(pwszURLIn));
// If the URL was reordered, return the patched URL.
if (0 != lstrcmp(pwszURLIn, pwszURLOut)) { *ppwszURLOut = pwszURLOut; pwszURLOut = NULL; } } } hr = NULL == *ppwszURLOut? S_FALSE : S_OK;
error: if (NULL != apwsz) { LocalFree(apwsz); } if (NULL != pwszT) { LocalFree(pwszT); } if (NULL != pwszURLOut) { LocalFree(pwszURLOut); } return(hr);}
#define wszLDAPCOLONSLASH L"ldap:/"
#define wszFMTLDAPPREFIX L"ldap://%ws/"
HRESULTcuOpenCertStore( IN WCHAR const *pwszStoreName, IN OUT DWORD *pMode, OPTIONAL OUT WCHAR **ppwszStoreNameOut, OUT HCERTSTORE *phStore){ HRESULT hr; WCHAR awcLdap[ARRAYSIZE(wszLDAPCOLONSLASH)]; LPCSTR pszStoreProvider = CERT_STORE_PROV_SYSTEM_REGISTRY_W; WCHAR *pwszStoreAlloc = NULL; WCHAR *pwszStoreAlloc2 = NULL; WCHAR *pwszStoreNameOut = NULL;
if (NULL != ppwszStoreNameOut) { *ppwszStoreNameOut = NULL; } if (NULL == pwszStoreName || 0 == wcscmp(L"*", pwszStoreName) || 0 == LSTRCMPIS(pwszStoreName, wszCA_CERTSTORE)) { pwszStoreName = wszCA_CERTSTORE; *pMode |= DVNS_CASTORE; } wcsncpy(awcLdap, pwszStoreName, ARRAYSIZE(awcLdap) - 1); awcLdap[ARRAYSIZE(awcLdap) - 1] = L'\0'; if (0 == LSTRCMPIS(awcLdap, wszLDAPCOLONSLASH)) { pszStoreProvider = CERT_STORE_PROV_LDAP_W; *pMode |= DVNS_DSSTORE; } else { CSASSERT(3 < ARRAYSIZE(awcLdap)); awcLdap[3] = L'\0'; if (0 == LSTRCMPIS(awcLdap, L"CN=")) { DWORD cwc = WSZARRAYSIZE(wszFMTLDAPPREFIX) + wcslen(pwszStoreName);
if (NULL != g_pwszDC) { cwc += wcslen (g_pwszDC); } pwszStoreAlloc = (WCHAR *) LocalAlloc( LMEM_FIXED, (cwc + 1) * sizeof(WCHAR)); if (NULL == pwszStoreAlloc) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } swprintf( pwszStoreAlloc, wszFMTLDAPPREFIX, NULL != g_pwszDC? g_pwszDC : g_wszEmpty); wcscat(pwszStoreAlloc, pwszStoreName); pwszStoreName = pwszStoreAlloc; pszStoreProvider = CERT_STORE_PROV_LDAP_W; *pMode |= DVNS_DSSTORE; } } if (DVNS_DSSTORE & *pMode) { hr = PatchLdapURL(pwszStoreName, &pwszStoreAlloc2); if (S_FALSE != hr) { _JumpIfError(hr, error, "PatchLdapURL");
pwszStoreName = pwszStoreAlloc2; } }
if (NULL != ppwszStoreNameOut) { hr = myDupString(pwszStoreName, &pwszStoreNameOut); _JumpIfError(hr, error, "myDupString"); } if ((DVNS_DSSTORE & *pMode) && 0 == ((DVNS_REPAIRKPI | DVNS_WRITESTORE) & *pMode)) { wprintf(L"%ws\n", pwszStoreName); *phStore = myUrlCertOpenStore( CRYPT_WIRE_ONLY_RETRIEVAL | CRYPT_RETRIEVE_MULTIPLE_OBJECTS, pwszStoreName); if (NULL == *phStore) { hr = myHLastError(); _PrintErrorStr(hr, "myUrlCertOpenStore", pwszStoreName); if (CRYPT_E_NOT_FOUND != hr) { _JumpError(hr, error, "myUrlCertOpenStore"); } } } if (NULL == *phStore) { *phStore = CertOpenStore( pszStoreProvider, X509_ASN_ENCODING, NULL, // hProv
CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_ENUM_ARCHIVED_FLAG | (((DVNS_REPAIRKPI | DVNS_WRITESTORE) & *pMode)? 0 : CERT_STORE_READONLY_FLAG) | (g_fForce? 0 : CERT_STORE_OPEN_EXISTING_FLAG) | cuGetSystemStoreFlags(), pwszStoreName); if (NULL == *phStore) { hr = myHLastError(); _JumpErrorStr(hr, error, "CertOpenStore", pwszStoreName); } } if (NULL != ppwszStoreNameOut) { *ppwszStoreNameOut = pwszStoreNameOut; pwszStoreNameOut = NULL; } hr = S_OK;
error: if (NULL != pwszStoreAlloc) { LocalFree(pwszStoreAlloc); } if (NULL != pwszStoreAlloc2) { LocalFree(pwszStoreAlloc2); } if (NULL != pwszStoreNameOut) { LocalFree(pwszStoreNameOut); } return(hr);}
HRESULTDumpAndVerifyNamedStore( IN WCHAR const *pwszStoreName, IN DWORD Mode, OPTIONAL IN WCHAR const *pwszCertName, IN DWORD iCertSave, IN DWORD iCRLSave, IN DWORD iCTLSave, OPTIONAL IN WCHAR const *pwszfnOut, OPTIONAL IN WCHAR const *pwszPassword){ HRESULT hr; HCERTSTORE hStore = NULL;
hr = cuOpenCertStore(pwszStoreName, &Mode, NULL, &hStore); _JumpIfError(hr, error, "cuOpenCertStore");
hr = cuDumpAndVerifyStore( hStore, Mode, pwszCertName, iCertSave, iCRLSave, iCTLSave, pwszfnOut, pwszPassword); _JumpIfError(hr, error, "cuDumpAndVerifyStore");
error: if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTmyDupStringN( IN WCHAR const *pwszIn, IN DWORD cwc, OUT WCHAR **ppwszOut){ HRESULT hr; CSASSERT(wcslen(pwszIn) >= cwc); *ppwszOut = (WCHAR *) LocalAlloc(LMEM_FIXED, (cwc + 1) * sizeof(WCHAR)); if (NULL == *ppwszOut) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } CopyMemory(*ppwszOut, pwszIn, cwc * sizeof(WCHAR)); (*ppwszOut)[cwc] = L'\0'; hr = S_OK;
error: return(hr);}
#define URLI_DC 0
#define URLI_DN 1
#define URLI_ATTRIBUTE 2
#define URLI_SCOPE 3
#define URLI_CLASS 4
#define URLI_MAX 5
HRESULTParseLdapUrl( IN WCHAR const *pwszIn, OUT WCHAR *ppwszOut[URLI_MAX]){ HRESULT hr; WCHAR *pwszAlloc = NULL; WCHAR awcLdap[ARRAYSIZE(wszLDAPCOLONSLASH)]; DWORD cSlash; WCHAR const *pwsz; DWORD i; ZeroMemory(ppwszOut, URLI_MAX * sizeof(*ppwszOut)); wcsncpy(awcLdap, pwszIn, ARRAYSIZE(awcLdap) - 1); awcLdap[ARRAYSIZE(awcLdap) - 1] = L'\0'; if (0 != LSTRCMPIS(awcLdap, wszLDAPCOLONSLASH)) { hr = E_INVALIDARG; _JumpError(hr, error, "ldap:URL"); }
hr = myInternetUncanonicalizeURL(pwszIn, &pwszAlloc); _JumpIfError(hr, error, "myInternetUncanonicalizeURL");
pwszIn = pwszAlloc; pwszIn += WSZARRAYSIZE(wszLDAPCOLONSLASH);
cSlash = 1; while (L'/' == *pwszIn) { pwszIn++; cSlash++; } if (2 == cSlash) { pwsz = pwszIn; while (L'\0' != *pwszIn && L'/' != *pwszIn) { pwszIn++; } hr = myDupStringN( pwsz, SAFE_SUBTRACT_POINTERS(pwszIn, pwsz), &ppwszOut[0]); _JumpIfError(hr, error, "myDupStringN");
if (L'\0' != *pwszIn) { pwszIn++; } } for (i = 1; i < URLI_MAX; i++) { pwsz = pwszIn; while (L'\0' != *pwszIn && L'?' != *pwszIn) { pwszIn++; } hr = myDupStringN( pwsz, SAFE_SUBTRACT_POINTERS(pwszIn, pwsz), &ppwszOut[i]); _JumpIfError(hr, error, "myDupStringN");
if (L'\0' == *pwszIn) { break; } pwszIn++; } hr = S_OK;
error: for (i = 0; i < ARRAYSIZE(ppwszOut); i++) { wprintf(L"DeleteLastLdapValue[%u](%ws)\n", i, ppwszOut[i]); } if (S_OK != hr) { for (i = 0; i < URLI_MAX; i++) { if (NULL != ppwszOut[i]) { LocalFree(ppwszOut[i]); ppwszOut[i] = NULL; } } } if (NULL != pwszAlloc) { LocalFree(pwszAlloc); } return(hr);}
HRESULTmyLdapDeleteLastValue( IN LDAP *pld, IN WCHAR const *pwszDN, IN WCHAR const *pwszAttribute, OPTIONAL IN BYTE const *pb, IN DWORD cb, OUT DWORD *pdwDisposition, OPTIONAL OUT WCHAR **ppwszError){ HRESULT hr; DWORD cres; DWORD cber; DWORD iber; DWORD i; LDAP_TIMEVAL timeval; LDAPMessage *pmsg = NULL; LDAPMessage *pres; WCHAR *apwszAttrs[2]; struct berval **ppberval = NULL; struct berval *rgpberVals[2]; struct berval certberval; LDAPMod *mods[2]; LDAPMod certmod; char chZero = '\0';
*pdwDisposition = LDAP_OTHER; if (NULL != ppwszError) { *ppwszError = NULL; }
apwszAttrs[0] = const_cast<WCHAR *>(pwszAttribute); apwszAttrs[1] = NULL;
timeval.tv_sec = csecLDAPTIMEOUT; timeval.tv_usec = 0;
hr = ldap_search_st( pld, // ld
const_cast<WCHAR *>(pwszDN), // base
LDAP_SCOPE_BASE, // scope
NULL, // filter
apwszAttrs, // attrs
FALSE, // attrsonly
&timeval, // timeout
&pmsg); // res
if (S_OK != hr) { *pdwDisposition = hr; hr = myHLdapError(pld, hr, NULL); _JumpErrorStr(hr, error, "ldap_search_st", pwszDN); } cres = ldap_count_entries(pld, pmsg); if (1 != cres) { // Exactly one entry was not found.
hr = NTE_NOT_FOUND; _JumpError(hr, error, "ldap_count_entries"); }
pres = ldap_first_entry(pld, pmsg); if (NULL == pres) { hr = NTE_NOT_FOUND; _JumpError(hr, error, "ldap_first_entry"); }
ppberval = ldap_get_values_len( pld, pres, const_cast<WCHAR *>(pwszAttribute)); hr = NTE_NOT_FOUND; if (NULL == ppberval) { _JumpError(hr, error, "ppberval"); } cber = 0; while (NULL != ppberval[cber]) { cber++; } if (NULL != pb) { if (1 != cber) { _JumpError(hr, error, "cber"); } if (ppberval[0]->bv_len != cb || 0 != memcmp(ppberval[0]->bv_val, pb, cb)) { _JumpError(hr, error, "memcmp"); } }
// set disposition assuming there's nothing to do:
*pdwDisposition = LDAP_ATTRIBUTE_OR_VALUE_EXISTS;
mods[0] = &certmod; mods[1] = NULL;
certmod.mod_op = LDAP_MOD_BVALUES | LDAP_MOD_REPLACE; certmod.mod_type = const_cast<WCHAR *>(pwszAttribute); certmod.mod_bvalues = rgpberVals;
rgpberVals[0] = &certberval; rgpberVals[1] = NULL;
certberval.bv_val = &chZero; certberval.bv_len = sizeof(chZero);
hr = ldap_modify_ext_s( pld, const_cast<WCHAR *>(pwszDN), // base
mods, NULL, NULL); *pdwDisposition = hr; if (hr != S_OK) { hr = myHLdapError(pld, hr, ppwszError); _JumpError(hr, error, "ldap_modify_ext_s"); } hr = S_OK;
error: if (NULL != ppberval) { ldap_value_free_len(ppberval); } if (NULL != pmsg) { ldap_msgfree(pmsg); } return(hr);}
HRESULTDeleteLastLdapValue( IN WCHAR const *pwszURL, OPTIONAL IN BYTE const *pb, IN DWORD cb){ HRESULT hr; WCHAR *rgpwsz[URLI_MAX]; DWORD i; DWORD dwDisposition; WCHAR *pwszError = NULL; LDAP *pld = NULL;
ZeroMemory(rgpwsz, sizeof(rgpwsz));
hr = ParseLdapUrl(pwszURL, rgpwsz); _JumpIfErrorStr(hr, error, "ParseLdapUrl", pwszURL);
if (NULL != rgpwsz[URLI_SCOPE] && 0 != mylstrcmpiS(rgpwsz[URLI_SCOPE], &wszDSBASESEARCH[1])) { hr = E_INVALIDARG; _JumpErrorStr(hr, error, "ldap scope", rgpwsz[URLI_SCOPE]); }
hr = myLdapOpen(rgpwsz[URLI_DC], 0, &pld, NULL, NULL); _JumpIfError(hr, error, "myLdapOpen");
hr = myLdapDeleteLastValue( pld, rgpwsz[URLI_DN], rgpwsz[URLI_ATTRIBUTE], pb, cb, &dwDisposition, &pwszError); _JumpIfErrorStr(hr, error, "myLdapDeleteLastValue", pwszError);
error: if (NULL != pwszError) { LocalFree(pwszError); } for (i = 0; i < ARRAYSIZE(rgpwsz); i++) { if (NULL != rgpwsz[i]) { wprintf(L"DeleteLastLdapValue[%u](%ws)\n", i, rgpwsz[i]); LocalFree(rgpwsz[i]); } } myLdapClose(pld, NULL, NULL); return(hr);}
HRESULTCommitStore( IN HCERTSTORE hStore, IN WCHAR const *pwszStoreName, IN DWORD Mode, OPTIONAL IN BYTE const *pb, IN DWORD cb){ HRESULT hr; if (!CertControlStore(hStore, 0, CERT_STORE_CTRL_COMMIT, NULL)) { // Add workaround for LdapMapErrorToWin32 incorrect mapping
// LDAP_OBJECT_CLASS_VIOLATION -> E_INVALIDARG. Mapping it to
// the correct code should be pretty safe, CertControlStore
// shouldn't otherwise fail with this error code since we know
// our code passes the right parameters.
hr = myHLastError(); _PrintError(hr, "CertControlStore");
if (DVNS_DSSTORE & Mode) { if (E_INVALIDARG == HRESULT_FROM_WIN32(hr)) { hr = HRESULT_FROM_WIN32(ERROR_DS_OBJ_CLASS_VIOLATION); _PrintError(hr, "CertControlStore"); } if (HRESULT_FROM_WIN32(ERROR_DS_OBJ_CLASS_VIOLATION) == hr) { hr = DeleteLastLdapValue(pwszStoreName, pb, cb); _JumpIfError(hr, error, "DeleteLastLdapValue"); } } _JumpIfError(hr, error, "CertControlStore"); } hr = S_OK;
error: return(hr);}
HRESULTverbViewOrDeleteStore( IN WCHAR const *pwszOption, OPTIONAL IN WCHAR const *pwszStoreName, OPTIONAL IN WCHAR const *pwszCertId, OPTIONAL IN WCHAR const *pwszfnOut, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszCertName = NULL; WCHAR *pwszStoreNameNew = NULL; DWORD Mode; DWORD iCert; DWORD iCRL; DWORD iCTL; HCERTSTORE hStore = NULL; CERT_CONTEXT const *pCert = NULL; CERT_CONTEXT const *pCertDeleted = NULL; BOOL fDelete = g_wszViewDelStore == pwszOption; WCHAR *pwszSubject = NULL;
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCert, &iCRL, &iCTL); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
Mode = DVNS_SAVECERT; if (fDelete) { Mode |= DVNS_WRITESTORE; }
hr = cuOpenCertStore(pwszStoreName, &Mode, &pwszStoreNameNew, &hStore); _JumpIfError(hr, error, "cuOpenCertStore");
hr = myGetCertificateFromPicker( g_hInstance, // hInstance
NULL, // hwndParent
IDS_VIEWSTORE_TITLE, // idTitle
fDelete? IDS_VIEWSTORE_SUBTITLE_DELETE : IDS_VIEWSTORE_SUBTITLE, // idSubTitle
0, // dwFlags -- CUCS_*
pwszCertName, // pwszCommonName
1, // cStore
&hStore, // rghStore
0, // cpszObjId
NULL, // apszObjId
&pCert); // ppCert
_JumpIfError(hr, error, "myGetCertificateFromPicker");
if (NULL != pCert) { hr = myCertNameToStr( X509_ASN_ENCODING, &pCert->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszSubject); _JumpIfError(hr, error, "myCertNameToStr");
if (NULL != pwszfnOut) { hr = EncodeToFileW( pwszfnOut, pCert->pbCertEncoded, pCert->cbCertEncoded, CRYPT_STRING_BINARY | g_EncodeFlags); _JumpIfError(hr, error, "EncodeToFileW"); wprintf( myLoadResourceString( IDS_FORMAT_SAVED_CERT_NAME), // "Saved certificate %ws"
pwszSubject); wprintf(L": %ws\n", pwszfnOut); } if (fDelete) { pCertDeleted = CertDuplicateCertificateContext(pCert); if (!CertDeleteCertificateFromStore(pCert)) { hr = myHLastError(); _JumpError(hr, error, "CertDeleteCertificateFromStore"); } pCert = NULL;
hr = CommitStore( hStore, pwszStoreNameNew, Mode, pCertDeleted->pbCertEncoded, pCertDeleted->cbCertEncoded); _JumpIfError(hr, error, "CommitStore");
wprintf( myLoadResourceString( IDS_FORMAT_DELETED_CERT_NAME), // "Deleted certificate %ws"
pwszSubject); wprintf(wszNewLine); } } hr = S_OK;
error: if (NULL != pwszSubject) { LocalFree(pwszSubject); } if (NULL != pwszCertName) { LocalFree(pwszCertName); } if (NULL != pwszStoreNameNew) { LocalFree(pwszStoreNameNew); } if (NULL != pCert) { CertFreeCertificateContext(pCert); } if (NULL != pCertDeleted) { CertFreeCertificateContext(pCertDeleted); } if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTverbStore( IN WCHAR const *pwszOption, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszCertId, IN WCHAR const *pwszfnOut, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszCertName = NULL; DWORD iCert; DWORD iCRL; DWORD iCTL;
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCert, &iCRL, &iCTL); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
hr = DumpAndVerifyNamedStore( pwszStoreName, DVNS_SAVECERT | DVNS_SAVECRL | DVNS_SAVECTL | DVNS_DUMP | DVNS_DUMPKEYS | DVNS_DUMPPROPERTIES, pwszCertName, iCert, iCRL, iCTL, pwszfnOut, NULL); _JumpIfError(hr, error, "DumpAndVerifyNamedStore");
error: if (NULL != pwszCertName) { LocalFree(pwszCertName); } return(hr);}
HRESULTDisplayAddResult( OPTIONAL IN CERT_NAME_BLOB const *pName, IN DWORD Index, IN DWORD idsMsg){ HRESULT hr = S_OK; WCHAR *pwszName = NULL; WCHAR wszIndex[cwcDWORDSPRINTF];
if (NULL != pName) { hr = myCertNameToStr( X509_ASN_ENCODING, pName, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszName); _JumpIfError(hr, error, "myCertNameToStr"); } else { swprintf(wszIndex, L"%u", Index); } wprintf(myLoadResourceString(idsMsg), NULL != pName? pwszName : wszIndex); wprintf(wszNewLine);
error: if (NULL != pwszName) { LocalFree(pwszName); } return(hr);}
HRESULTAddCertToStore( IN HCERTSTORE hStore, IN WCHAR const *pwszStoreName, IN CERT_CONTEXT const *pccAdd, IN DWORD Index){ HRESULT hr; BOOL fRoot = FALSE; CERT_CONTEXT const *pcc = NULL; DWORD cDup; DWORD cDisplay; DWORD i;
if (CertCompareCertificateName( X509_ASN_ENCODING, &pccAdd->pCertInfo->Issuer, &pccAdd->pCertInfo->Subject)) { hr = cuVerifySignature( pccAdd->pbCertEncoded, pccAdd->cbCertEncoded, &pccAdd->pCertInfo->SubjectPublicKeyInfo, FALSE, FALSE); fRoot = S_OK == hr; _PrintIfError(hr, "cuVerifySignature"); } if (0 == LSTRCMPIS(pwszStoreName, wszROOT_CERTSTORE) && !fRoot && !g_fForce) { wprintf(myLoadResourceString(IDS_ROOT_STORE_NEEDS_ROOT_CERT)); // "Cannot add a non-root certificate to the root store"
wprintf(wszNewLine); hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Non-root cert"); }
cDup = 0; cDisplay = 0; for (i = 0; ; i++) { pcc = CertEnumCertificatesInStore(hStore, pcc); if (NULL == pcc) { break; }
// Skip Certs for other Subjects
if (!CertCompareCertificateName( X509_ASN_ENCODING, &pcc->pCertInfo->Issuer, &pccAdd->pCertInfo->Issuer)) { continue; }
// Skip Certs with different public keys
if (!CertComparePublicKeyInfo( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &pcc->pCertInfo->SubjectPublicKeyInfo, &pccAdd->pCertInfo->SubjectPublicKeyInfo)) { continue; }
if (0 == cDisplay++) { wprintf(myLoadResourceString(IDS_RELATED_CERTS_COLON)); // "Related Certificates:"
wprintf(wszNewLine); } wprintf(wszNewLine);
// Remember if an exact match exists
if (pcc->cbCertEncoded == pccAdd->cbCertEncoded && 0 == memcmp( pcc->pbCertEncoded, pccAdd->pbCertEncoded, pcc->cbCertEncoded)) { cDup++; wprintf(myLoadResourceString(IDS_EXACT_MATCH_COLON)); // "Exact match:"
wprintf(wszNewLine); } hr = cuDumpAsnBinaryQuiet( pcc->pbCertEncoded, pcc->cbCertEncoded, i); _PrintIfError(hr, "cuDumpAsnBinaryQuiet"); }
if (0 == cDup) { if (!CertAddCertificateContextToStore( hStore, pccAdd, CERT_STORE_ADD_ALWAYS, NULL)) { hr = myHLastError(); _JumpError(hr, error, "CertAddCertificateContextToStore"); } } else { wprintf(wszNewLine); }
hr = DisplayAddResult( &pccAdd->pCertInfo->Subject, Index, 0 != cDup? IDS_FORMAT_CERT_ALREADY_IN_STORE : // "Certificate ""%ws"" already in store."
IDS_FORMAT_CERT_ADDED_TO_STORE); // "Certificate ""%ws"" added to store."
_JumpIfError(hr, error, "DisplayAddResult");
error: if (NULL != pcc) { CertFreeCertificateContext(pcc); } return(hr);}
HRESULTAddCRLToStore( IN HCERTSTORE hStore, IN CRL_CONTEXT const *pCRLAdd, IN DWORD Index){ HRESULT hr; CRL_CONTEXT const *pCRL = NULL; DWORD cDup; DWORD cDisplay; BOOL fDeltaAdd; BOOL fDelta; DWORD NameId; DWORD NameIdAdd; DWORD i;
hr = myIsDeltaCRL(pCRLAdd, &fDeltaAdd); _JumpIfError(hr, error, "myIsDeltaCRL");
hr = myGetCRLNameId(pCRLAdd, &NameIdAdd); _PrintIfError2(hr, "DisplayAddResult", hr);
cDup = 0; cDisplay = 0; for (i = 0; ; i++) { pCRL = CertEnumCRLsInStore(hStore, pCRL); if (NULL == pCRL) { break; } hr = myIsDeltaCRL(pCRL, &fDelta); _JumpIfError(hr, error, "myIsDeltaCRL");
// Skip base or delta CRLs when we're looking for the other.
if (fDeltaAdd ^ fDelta) { continue; }
// Skip CRLs for other Issuers
if (!CertCompareCertificateName( X509_ASN_ENCODING, &pCRL->pCrlInfo->Issuer, &pCRLAdd->pCrlInfo->Issuer)) { continue; } hr = myGetCRLNameId(pCRL, &NameId); _PrintIfError2(hr, "DisplayAddResult", hr);
// Skip CRLs for different CA keys
if (MAXDWORD != NameIdAdd && MAXDWORD != NameId) { if (CANAMEIDTOIKEY(NameIdAdd) != CANAMEIDTOIKEY(NameId)) { continue; } }
if (0 == cDisplay++) { wprintf(myLoadResourceString(IDS_RELATED_CRLS_COLON)); // "Related CRLs:"
wprintf(wszNewLine); } wprintf(wszNewLine);
// Remember if an exact match exists
if (pCRL->cbCrlEncoded == pCRLAdd->cbCrlEncoded && 0 == memcmp( pCRL->pbCrlEncoded, pCRLAdd->pbCrlEncoded, pCRL->cbCrlEncoded)) { cDup++; wprintf(myLoadResourceString(IDS_EXACT_MATCH_COLON)); // "Exact match:"
wprintf(wszNewLine); } hr = cuDumpAsnBinaryQuiet( pCRL->pbCrlEncoded, pCRL->cbCrlEncoded, i); _PrintIfError(hr, "cuDumpAsnBinaryQuiet"); }
if (0 == cDup) { if (!CertAddCRLContextToStore( hStore, pCRLAdd, CERT_STORE_ADD_ALWAYS, NULL)) { hr = myHLastError(); _JumpError(hr, error, "CertAddCRLContextToStore"); } } else { wprintf(wszNewLine); }
hr = DisplayAddResult( &pCRLAdd->pCrlInfo->Issuer, Index, 0 != cDup? IDS_FORMAT_CRL_ALREADY_IN_STORE : // "CRL ""%ws"" already in store."
IDS_FORMAT_CRL_ADDED_TO_STORE); // "CRL ""%ws"" added to store."
_JumpIfError(hr, error, "DisplayAddResult");
error: if (NULL != pCRL) { CertFreeCRLContext(pCRL); } return(hr);}
HRESULTAddCTLToStore( IN HCERTSTORE hStore, IN CTL_CONTEXT const *pCTL, IN DWORD Index){ HRESULT hr; BOOL fDup = FALSE;
if (!CertAddCTLContextToStore(hStore, pCTL, CERT_STORE_ADD_NEW, NULL)) { hr = myHLastError(); if (CRYPT_E_EXISTS != hr) { _JumpError(hr, error, "CertAddCTLContextToStore"); } fDup = TRUE; } hr = DisplayAddResult( NULL, Index, fDup? IDS_FORMAT_CTL_ALREADY_IN_STORE : // "CTL ""%ws"" already in store."
IDS_FORMAT_CTL_ADDED_TO_STORE); // "CTL ""%ws"" added to store."
_JumpIfError(hr, error, "DisplayAddResult");
error: return(hr);}
HRESULTAddCertToStoreFromFile( IN HCERTSTORE hStore, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszfnIn, OUT BOOL *pfBadAsn){ HRESULT hr; CERT_CONTEXT const *pCert = NULL; BOOL fRoot = FALSE;
*pfBadAsn = FALSE;
// Load and decode certificate
hr = cuLoadCert(pwszfnIn, &pCert); if (CRYPT_E_ASN1_BADTAG == hr) { *pfBadAsn = TRUE; } _JumpIfError(hr, error, "cuLoadCert");
hr = AddCertToStore(hStore, pwszStoreName, pCert, 0); _JumpIfError(hr, error, "AddCertToStore");
error: cuUnloadCert(&pCert); return(hr);}
HRESULTAddCRLToStoreFromFile( IN HCERTSTORE hStore, IN WCHAR const *pwszfnIn, OUT BOOL *pfBadAsn){ HRESULT hr; CRL_CONTEXT const *pCRL = NULL;
*pfBadAsn = FALSE;
hr = cuLoadCRL(pwszfnIn, &pCRL); if (CRYPT_E_ASN1_BADTAG == hr) { *pfBadAsn = TRUE; } _JumpIfError(hr, error, "cuLoadCRL");
hr = AddCRLToStore(hStore, pCRL, 0); _JumpIfError(hr, error, "AddCRLToStore");
error: cuUnloadCRL(&pCRL); return(hr);}
HRESULTAddPKCS7ToStoreFromFile( IN HCERTSTORE hStore, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszfnIn){ HRESULT hr; BYTE *pb = NULL; DWORD cb; HCERTSTORE hStorePKCS7 = NULL; DWORD i; CERT_CONTEXT const *pCert = NULL; CRL_CONTEXT const *pCRL = NULL; CTL_CONTEXT const *pCTL = NULL;
hr = DecodeFileW(pwszfnIn, &pb, &cb, CRYPT_STRING_ANY); if (S_OK != hr) { cuPrintError(IDS_ERR_FORMAT_DECODEFILE, hr); goto error; }
hr = myDecodePKCS7( pb, cb, NULL, // ppbContents
NULL, // pcbContents
NULL, // pdwMsgType
NULL, // ppszInnerContentObjId
NULL, // pcSigner
NULL, // pcRecipient
&hStore, NULL); // phMsg
_JumpIfError(hr, error, "myDecodePKCS7");
for (i = 0; ; i++) { pCert = CertEnumCertificatesInStore(hStore, pCert); if (NULL == pCert) { break; } hr = AddCertToStore(hStore, pwszStoreName, pCert, i); _JumpIfError(hr, error, "AddCertToStore"); }
for (i = 0; ; i++) { pCRL = CertEnumCRLsInStore(hStore, pCRL); if (NULL == pCRL) { break; } hr = AddCRLToStore(hStore, pCRL, i); _JumpIfError(hr, error, "AddCRLToStore"); }
for (i = 0; ; i++) { pCTL = CertEnumCTLsInStore(hStore, pCTL); if (NULL == pCTL) { break; } hr = AddCTLToStore(hStore, pCTL, i); _JumpIfError(hr, error, "AddCTLToStore"); } hr = S_OK;
error: if (NULL != pCert) { CertFreeCertificateContext(pCert); } if (NULL != pCRL) { CertFreeCRLContext(pCRL); } if (NULL != pCTL) { CertFreeCTLContext(pCTL); } if (NULL != hStorePKCS7) { CertCloseStore(hStorePKCS7, CERT_CLOSE_STORE_CHECK_FLAG); } if (NULL != pb) { LocalFree(pb); } return(hr);}
HRESULTverbAddStore( IN WCHAR const *pwszOption, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszfnIn, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; DWORD Mode; HCERTSTORE hStore = NULL; BOOL fBadAsn;
Mode = DVNS_WRITESTORE; // force open for write
hr = cuOpenCertStore(pwszStoreName, &Mode, NULL, &hStore); if (S_OK != hr) { wprintf( myLoadResourceString( g_fForce? IDS_CANNOT_CREATE_STORE : // "Cannot open Cert store."
IDS_CANNOT_OPEN_STORE), L"-f"); // "Cannot open existing Cert store. Use %ws switch to force Cert store creation."
wprintf(wszNewLine); _JumpErrorStr(hr, error, "cuOpenCertStore", pwszStoreName); }
hr = AddCertToStoreFromFile(hStore, pwszStoreName, pwszfnIn, &fBadAsn); if (S_OK != hr) { if (!fBadAsn) { _JumpError(hr, error, "AddCertToStoreFromFile"); } hr = AddCRLToStoreFromFile(hStore, pwszfnIn, &fBadAsn); if (S_OK != hr) { if (!fBadAsn) { _JumpError(hr, error, "AddCRLToStoreFromFile"); } hr = AddPKCS7ToStoreFromFile(hStore, pwszStoreName, pwszfnIn); _JumpIfError(hr, error, "AddPKCS7ToStoreFromFile"); } } CSASSERT(S_OK == hr);
error: if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTSaveFirstBlob( IN BYTE const *pbEncoded, IN DWORD cbEncoded, IN OUT BYTE **ppbDeleted, IN OUT DWORD *pcbDeleted){ HRESULT hr; if (NULL == *ppbDeleted) { *pcbDeleted = cbEncoded; *ppbDeleted = (BYTE *) LocalAlloc(LMEM_FIXED, cbEncoded); if (NULL == *ppbDeleted) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } CopyMemory(*ppbDeleted, pbEncoded, cbEncoded); } hr = S_OK;
error: return(hr);}
HRESULTverbDelStore( IN WCHAR const *pwszOption, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszCertId, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszStore = NULL; HCERTSTORE hStore = NULL; CERT_CONTEXT const *pCert = NULL; CRL_CONTEXT const *pCRL = NULL; WCHAR *pwszCertName = NULL; BYTE *pbHash = NULL; DWORD cbHash; BSTR strSerialNumber = NULL; DWORD Mode; DWORD iCert; DWORD iCertDel; DWORD iCRL; DWORD iCRLDel; DWORD iCTL; DWORD iCTLDel; DWORD cCertDeleted; DWORD cCRLDeleted; BYTE *pbDeleted = NULL; DWORD cbDeleted;
if (NULL == pwszStoreName || 0 == wcscmp(L"*", pwszStoreName)) { pwszStoreName = wszCA_CERTSTORE; }
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCertDel, &iCRLDel, &iCTLDel); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
if (MAXDWORD == iCertDel && NULL == pwszCertName && MAXDWORD == iCRLDel) { hr = E_INVALIDARG; _JumpErrorStr(hr, error, "incomplete Index arg", pwszCertId); } if (NULL != pwszCertName) { hr = WszToMultiByteInteger(TRUE, pwszCertName, &cbHash, &pbHash); _PrintIfError2(hr, "WszToMultiByteInteger", hr);
hr = myMakeSerialBstr(pwszCertName, &strSerialNumber); _PrintIfError2(hr, "myMakeSerialBstr", hr); }
Mode = DVNS_WRITESTORE; // force open for write
hr = cuOpenCertStore(pwszStoreName, &Mode, NULL, &hStore); _JumpIfError(hr, error, "cuOpenCertStore");
cCertDeleted = 0; cCRLDeleted = 0; if (MAXDWORD != iCertDel || NULL != pwszCertName) { for (iCert = 0; ; iCert++) { pCert = CertEnumCertificatesInStore(hStore, pCert); if (NULL == pCert) { break; } if (iCert == iCertDel || (MAXDWORD == iCertDel && NULL != pwszCertName)) { CERT_CONTEXT const *pCertT;
if (NULL != pwszCertName) { BOOL fMatch; hr = myCertMatch( pCert, pwszCertName, FALSE, // fAllowMissingCN
pbHash, cbHash, strSerialNumber, &fMatch); _JumpIfError(hr, error, "myCertMatch");
if (!fMatch) { continue; } } wprintf( myLoadResourceString(IDS_FORMAT_DELETE_CERT_INDEX), // "Deleting Certificate %d"
iCert); wprintf(wszNewLine);
cCertDeleted++; SaveFirstBlob( pCert->pbCertEncoded, pCert->cbCertEncoded, &pbDeleted, &cbDeleted); pCertT = CertDuplicateCertificateContext(pCert); if (!CertDeleteCertificateFromStore(pCertT)) { hr = myHLastError(); _JumpError(hr, error, "CertDeleteCertificateFromStore"); } if (iCert == iCertDel) { break; } } } } if (MAXDWORD != iCRLDel || NULL != pwszCertName) { for (iCRL = 0; ; iCRL++) { pCRL = CertEnumCRLsInStore(hStore, pCRL); if (NULL == pCRL) { break; } if (iCRL == iCRLDel || (MAXDWORD == iCRLDel && NULL != pwszCertName)) { CRL_CONTEXT const *pCRLT;
if (NULL != pwszCertName) { BOOL fMatch; hr = myCRLMatch( pCRL, pwszCertName, FALSE, // fAllowMissingCN
pbHash, cbHash, &fMatch); _JumpIfError(hr, error, "myCRLMatch");
if (!fMatch) { continue; } } wprintf( myLoadResourceString(IDS_FORMAT_DELETE_CRL_INDEX), // "Deleting CRL %d"
iCRL); wprintf(wszNewLine);
cCRLDeleted++; SaveFirstBlob( pCRL->pbCrlEncoded, pCRL->cbCrlEncoded, &pbDeleted, &cbDeleted); pCRLT = CertDuplicateCRLContext(pCRL); if (!CertDeleteCRLFromStore(pCRLT)) { hr = myHLastError(); _JumpError(hr, error, "CertDeleteCRLFromStore"); } if (iCRL == iCRLDel) { break; } } } } if (0 != cCertDeleted + cCRLDeleted) { BOOL fSingle = 1 == cCertDeleted + cCRLDeleted;
hr = CommitStore( hStore, pwszStoreName, Mode, fSingle? pbDeleted : NULL, fSingle? cbDeleted : 0); _JumpIfError(hr, error, "CommitStore"); } hr = S_OK;
error: if (NULL != strSerialNumber) { SysFreeString(strSerialNumber); } if (NULL != pbDeleted) { LocalFree(pbDeleted); } if (NULL != pbHash) { LocalFree(pbHash); } if (NULL != pwszCertName) { LocalFree(pwszCertName); } if (NULL != pwszStore) { LocalFree(pwszStore); } if (NULL != pCert) { CertFreeCertificateContext(pCert); } if (NULL != pCRL) { CertFreeCRLContext(pCRL); } if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTverbVerifyStore( IN WCHAR const *pwszOption, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszCertId, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszCertName = NULL; DWORD iCert; DWORD iCRL; DWORD iCTL;
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCert, &iCRL, &iCTL); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
hr = DumpAndVerifyNamedStore( pwszStoreName, DVNS_SAVECERT | DVNS_SAVECRL | DVNS_SAVECTL | DVNS_VERIFYCERT | DVNS_DUMPKEYS | DVNS_DUMPPROPERTIES, pwszCertName, iCert, iCRL, iCTL, NULL, NULL); _JumpIfError(hr, error, "DumpAndVerifyNamedStore");
error: if (NULL != pwszCertName) { LocalFree(pwszCertName); } return(hr);}
HRESULTverbRepairStore( IN WCHAR const *pwszOption, IN WCHAR const *pwszStoreName, IN WCHAR const *pwszCertId, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszCertName = NULL; DWORD iCert; DWORD iCRL; DWORD iCTL;
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCert, &iCRL, &iCTL); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
hr = DumpAndVerifyNamedStore( pwszStoreName, DVNS_SAVECERT | DVNS_SAVECRL | DVNS_SAVECTL | DVNS_REPAIRKPI | DVNS_DUMPKEYS, pwszCertName, iCert, iCRL, iCTL, NULL, NULL); _JumpIfError(hr, error, "DumpAndVerifyNamedStore");
error: if (NULL != pwszCertName) { LocalFree(pwszCertName); } return(hr);}
HRESULTverbExportPVK( IN WCHAR const *pwszOption, IN WCHAR const *pwszCertId, IN WCHAR const *pwszfnPVKBaseName, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszCertName = NULL; DWORD iCert; DWORD iCRL; DWORD iCTL;
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCert, &iCRL, &iCTL); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
hr = DumpAndVerifyNamedStore( wszMY_CERTSTORE, DVNS_SAVEPVK | DVNS_DUMPKEYS, pwszCertName, iCert, iCRL, iCTL, pwszfnPVKBaseName, g_pwszPassword); _JumpIfError(hr, error, "DumpAndVerifyNamedStore");
error: if (NULL != pwszCertName) { LocalFree(pwszCertName); } return(hr);}
HRESULTverbExportPFX( IN WCHAR const *pwszOption, IN WCHAR const *pwszCertId, IN WCHAR const *pwszfnPFX, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszCertName = NULL; DWORD iCert; DWORD iCRL; DWORD iCTL;
hr = ParseCertCRLIndex(pwszCertId, &pwszCertName, &iCert, &iCRL, &iCTL); _JumpIfErrorStr(hr, error, "ParseCertCRLIndex", pwszCertId);
hr = DumpAndVerifyNamedStore( wszMY_CERTSTORE, DVNS_SAVEPFX | DVNS_DUMPKEYS, pwszCertName, iCert, iCRL, iCTL, pwszfnPFX, g_pwszPassword); _JumpIfError(hr, error, "DumpAndVerifyNamedStore");
error: if (NULL != pwszCertName) { LocalFree(pwszCertName); } return(hr);}
HRESULTcuGenerateKeyContainerName( IN CERT_CONTEXT const *pcc, OUT WCHAR **ppwszKeyContainerName){ HRESULT hr; GUID guid; WCHAR *pwszGUID = NULL; WCHAR *pwszSimpleName = NULL; WCHAR *pwszRawContainerName = NULL; DWORD cwc; *ppwszKeyContainerName = NULL;
hr = myCertGetNameString( pcc, CERT_NAME_SIMPLE_DISPLAY_TYPE, &pwszSimpleName); _JumpIfError(hr, error, "myCertGetNameString");
myUuidCreate(&guid); hr = myCLSIDToWsz(&guid, &pwszGUID); _JumpIfError(hr, error, "myCLSIDToWsz");
cwc = wcslen(pwszSimpleName) + 1 + wcslen(pwszGUID); pwszRawContainerName = (WCHAR *) LocalAlloc( LMEM_FIXED, (cwc + 1) * sizeof(WCHAR)); if (NULL == pwszRawContainerName) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } wcscpy(pwszRawContainerName, pwszSimpleName); wcscat(pwszRawContainerName, L"-"); wcscat(pwszRawContainerName, pwszGUID);
hr = mySanitizeName(pwszRawContainerName, ppwszKeyContainerName); _JumpIfError(hr, error, "mySanitizeName");
wprintf(L"%ws -- %ws\n", pwszSimpleName, *ppwszKeyContainerName);
error: if (NULL != pwszGUID) { LocalFree(pwszGUID); } if (NULL != pwszSimpleName) { LocalFree(pwszSimpleName); } if (NULL != pwszRawContainerName) { LocalFree(pwszRawContainerName); } return(hr);}
HRESULTcuImportChainAndKeys( IN CERT_CHAIN_CONTEXT const *pChain, OPTIONAL IN WCHAR const *pwszNewCSP, IN BOOL fUser, OPTIONAL IN WCHAR const *pwszStoreName){ HRESULT hr; CRYPT_KEY_PROV_INFO *pkpi = NULL; WCHAR *pwszKeyContainerName = NULL; CERT_CONTEXT const *pcc;
if (NULL == pwszStoreName) { pwszStoreName = wszMY_CERTSTORE; } pcc = pChain->rgpChain[0]->rgpElement[0]->pCertContext;
hr = myCertGetKeyProviderInfo(pcc, &pkpi); _JumpIfError(hr, error, "myCertGetKeyProviderInfo");
hr = cuGenerateKeyContainerName(pcc, &pwszKeyContainerName); _JumpIfError(hr, error, "cuGenerateKeyContainerName");
if (NULL == pwszNewCSP) { pwszNewCSP = pkpi->pwszProvName; } hr = myCopyKeys( pkpi, pkpi->pwszContainerName, // pwszOldContainer
pwszKeyContainerName, // pwszNewContainer
pwszNewCSP, // pwszNewCSP
fUser, // fOldUserKey
fUser, // fNewUserKey
g_fProtect, g_fForce); _JumpIfError(hr, error, "myCopyKeys");
pkpi->pwszContainerName = pwszKeyContainerName; pkpi->pwszProvName = const_cast<WCHAR *>(pwszNewCSP);
hr = mySaveChainAndKeys( pChain->rgpChain[0], pwszStoreName, cuGetSystemStoreFlags(), pkpi, NULL); _JumpIfError(hr, error, "mySaveChainAndKeys");
error: if (NULL != pkpi) { LocalFree(pkpi); } if (NULL != pwszKeyContainerName) { LocalFree(pwszKeyContainerName); } return(hr);}
HRESULTReadPFXOrEPFIntoCertStore( IN WCHAR const *pwszfnPFXOrEPF, IN BOOL fUser, OUT HCERTSTORE *phStore){ HRESULT hr; CRYPT_DATA_BLOB pfx; WCHAR const *pwszPassword; WCHAR wszPassword[MAX_PATH]; HCERTSTORE hStore = NULL;
pfx.pbData = NULL; *phStore = NULL;
hr = cuGetPassword( 0, // idsPrompt
NULL, // pwszfn
g_pwszPassword, FALSE, // fVerify
wszPassword, ARRAYSIZE(wszPassword), &pwszPassword); _JumpIfError(hr, error, "cuGetPassword");
hr = DecodeFileW( pwszfnPFXOrEPF, &pfx.pbData, &pfx.cbData, CRYPT_STRING_ANY); _JumpIfError(hr, error, "DecodeFileW");
CSASSERT(NULL != pfx.pbData);
if (PFXIsPFXBlob(&pfx)) { hStore = myPFXImportCertStore( &pfx, pwszPassword, CRYPT_EXPORTABLE | (fUser? CRYPT_USER_KEYSET : CRYPT_MACHINE_KEYSET)); if (NULL == hStore) { hr = myHLastError(); _JumpError(hr, error, "myPFXImportCertStore"); } } else { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _PrintError(hr, "PFXIsPFXBlob");
hStore = CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_ENUM_ARCHIVED_FLAG, NULL); if (NULL == hStore) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); } hr = EPFFileDump(pwszfnPFXOrEPF, pwszPassword, hStore); if (S_FALSE == hr) // if not an EPF file
{ hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); } _JumpIfErrorStr(hr, error, "EPFFileDump", pwszfnPFXOrEPF); } *phStore = hStore; hStore = NULL; hr = S_OK;
error: SecureZeroMemory(wszPassword, sizeof(wszPassword)); // password data
if (NULL != hStore) { myDeleteGuidKeys(hStore, !fUser); CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } if (NULL != pfx.pbData) { LocalFree(pfx.pbData); } return(hr);}
HRESULTverbImportPFX( IN WCHAR const *pwszOption, IN WCHAR const *pwszfnPFXOrEPF, IN WCHAR const *pwszArg2, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; HCERTSTORE hStorePFX = NULL; RESTORECHAIN *paRestoreChain = NULL; DWORD cRestoreChain; DWORD iChain; BOOL fUser = !g_fEnterpriseRegistry && g_fUserRegistry;
hr = ReadPFXOrEPFIntoCertStore(pwszfnPFXOrEPF, fUser, &hStorePFX); _JumpIfError(hr, error, "ReadPFXOrEPFIntoCertStore");
cRestoreChain = 0; hr = myGetChainArrayFromStore( hStorePFX, FALSE, fUser, NULL, // ppwszCommonName
&cRestoreChain, NULL); _JumpIfError(hr, error, "myGetChainArrayFromStore");
if (0 == cRestoreChain) { hr = HRESULT_FROM_WIN32(CRYPT_E_SELF_SIGNED); _JumpError(hr, error, "myGetChainArrayFromStore <no chain>"); }
paRestoreChain = (RESTORECHAIN *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cRestoreChain * sizeof(paRestoreChain[0])); if (NULL == paRestoreChain) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
hr = myGetChainArrayFromStore( hStorePFX, FALSE, fUser, NULL, // ppwszCommonName
&cRestoreChain, paRestoreChain); _JumpIfError(hr, error, "myGetChainArrayFromStore");
for (iChain = 0; iChain < cRestoreChain; iChain++) { CERT_CHAIN_CONTEXT const *pChain = paRestoreChain[iChain].pChain; CERT_PUBLIC_KEY_INFO *pPublicKeyInfo;
if (1 > pChain->cChain) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "No Chain Context"); } hr = cuImportChainAndKeys(pChain, g_pwszCSP, fUser, wszMY_CERTSTORE); _JumpIfError(hr, error, "cuImportChainAndKeys"); } hr = S_OK;
error: if (NULL != paRestoreChain) { for (iChain = 0; iChain < cRestoreChain; iChain++) { if (NULL != paRestoreChain[iChain].pChain) { CertFreeCertificateChain(paRestoreChain[iChain].pChain); } } LocalFree(paRestoreChain); } if (NULL != hStorePFX) { myDeleteGuidKeys(hStorePFX, !fUser); CertCloseStore(hStorePFX, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTAddStringToList( IN WCHAR const *pwszNew, IN OUT WCHAR ***papwsz){ HRESULT hr; WCHAR *pwszAlloc = NULL; WCHAR **ppwsz; DWORD i;
// Count the strings in the existing list.
// If the new string matches an existing string, return imemdiately.
ppwsz = *papwsz; i = 0; if (NULL != ppwsz) { for ( ; NULL != ppwsz[i]; i++) { if (0 == lstrcmp(pwszNew, ppwsz[i])) { hr = S_OK; goto error; } } } hr = myDupString(pwszNew, &pwszAlloc); _JumpIfError(hr, error, "myDupString");
ppwsz = (WCHAR **) LocalAlloc(LMEM_FIXED, (i + 2) * sizeof(*ppwsz)); if (NULL == ppwsz) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
// Insert the new string at the head of the list.
ppwsz[0] = pwszAlloc; pwszAlloc = NULL; if (0 != i) { CopyMemory(&ppwsz[1], *papwsz, i * sizeof(*ppwsz)); LocalFree(*papwsz); } ppwsz[i + 1] = NULL; *papwsz = ppwsz; hr = S_OK;
error: if (NULL != pwszAlloc) { LocalFree(pwszAlloc); } return(hr);}
HRESULTAddPFXOrEPFToStoreSub( IN WCHAR const *pwszfn, IN WCHAR const *pwszPassword, OPTIONAL IN CRYPT_DATA_BLOB *ppfx, IN HCERTSTORE hStoreMerge){ HRESULT hr; HCERTSTORE hStorePFX = NULL; CERT_CONTEXT const *pCert = NULL;
if (NULL == ppfx) { hr = EPFFileDump(pwszfn, pwszPassword, hStoreMerge); if (S_FALSE == hr) // if not an EPF file
{ hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); } _JumpIfErrorStr(hr, error, "EPFFileDump", pwszfn); } else { hStorePFX = myPFXImportCertStore( ppfx, pwszPassword, CRYPT_EXPORTABLE | (g_fUserRegistry? CRYPT_USER_KEYSET : CRYPT_MACHINE_KEYSET)); if (NULL == hStorePFX) { hr = myHLastError(); _JumpErrorStr2( hr, error, "myPFXImportCertStore", pwszfn, HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD)); } while (TRUE) { pCert = CertEnumCertificatesInStore(hStorePFX, pCert); if (NULL == pCert) { break; } if (!CertAddCertificateContextToStore( hStoreMerge, pCert, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) { hr = myHLastError(); _JumpError(hr, error, "CertAddCertificateContextToStore"); } if (!CertDeleteCertificateFromStore(pCert)) { hr = myHLastError(); _JumpError(hr, error, "CertDeleteCertificateFromStore"); } pCert = NULL; } } hr = S_OK;
error: if (NULL != pCert) { CertFreeCertificateContext(pCert); } if (NULL != hStorePFX) { myDeleteGuidKeys(hStorePFX, !g_fUserRegistry); CertCloseStore(hStorePFX, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTmyCryptGetDefaultProvider( DWORD dwProvType, DWORD dwFlags, WCHAR **ppwszProvName){ HRESULT hr; DWORD cb;
*ppwszProvName = NULL; cb = 0; while (TRUE) { if (!CryptGetDefaultProvider( dwProvType, NULL, // pdwReserved
dwFlags, *ppwszProvName, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CryptGetDefaultProvider"); } if (NULL != *ppwszProvName) { break; } *ppwszProvName = (WCHAR *) LocalAlloc(LMEM_FIXED, cb); if (NULL == *ppwszProvName) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } } hr = S_OK;
error: return(hr);}
#define cuSIGN_KEY_USAGE \
(CERT_DIGITAL_SIGNATURE_KEY_USAGE | \ CERT_NON_REPUDIATION_KEY_USAGE | \ CERT_KEY_CERT_SIGN_KEY_USAGE | \ CERT_OFFLINE_CRL_SIGN_KEY_USAGE | \ CERT_CRL_SIGN_KEY_USAGE)
#define cuENCRYPT_KEY_USAGE \
(CERT_KEY_ENCIPHERMENT_KEY_USAGE | \ CERT_DATA_ENCIPHERMENT_KEY_USAGE | \ CERT_KEY_AGREEMENT_KEY_USAGE | \ CERT_ENCIPHER_ONLY_KEY_USAGE)
static CHAR const *s_cuapszObjIdSign[] ={ szOID_PKIX_KP_CLIENT_AUTH, szOID_PKIX_KP_CODE_SIGNING, szOID_PKIX_KP_TIMESTAMP_SIGNING, szOID_KP_TIME_STAMP_SIGNING, szOID_KP_QUALIFIED_SUBORDINATION, szOID_KP_DOCUMENT_SIGNING, szOID_KP_SMARTCARD_LOGON,};
static CHAR const *s_cuapszObjIdEncrypt[] ={ szOID_PKIX_KP_EMAIL_PROTECTION, szOID_KP_KEY_RECOVERY_AGENT, szOID_KP_KEY_RECOVERY, szOID_PKIX_KP_SERVER_AUTH,};
BOOLIsSigningCert( IN CERT_CONTEXT const *pcc){ HRESULT hr; BOOL fSigningCert = TRUE; CERT_EXTENSION const *pExt; DWORD cb; BOOL fMatch;
pExt = CertFindExtension( szOID_KEY_USAGE, pcc->pCertInfo->cExtension, pcc->pCertInfo->rgExtension); if (NULL != pExt) { CRYPT_DATA_BLOB aBlob[1 + BLOB_ROUND(2)];
cb = sizeof(aBlob); if (CryptDecodeObject( X509_ASN_ENCODING, X509_KEY_USAGE, pExt->Value.pbData, pExt->Value.cbData, 0, aBlob, &cb)) { if (1 <= aBlob[0].cbData) { if (cuSIGN_KEY_USAGE & aBlob[0].pbData[0]) { goto done; } if (cuENCRYPT_KEY_USAGE & aBlob[0].pbData[0]) { fSigningCert = FALSE; goto done; } } } } hr = myCertMatchEKUOrApplicationPolicies( pcc, ARRAYSIZE(s_cuapszObjIdSign), s_cuapszObjIdSign, FALSE, // fUsageRequired
&fMatch); if (S_OK == hr && fMatch) { goto done; } hr = myCertMatchEKUOrApplicationPolicies( pcc, ARRAYSIZE(s_cuapszObjIdEncrypt), s_cuapszObjIdEncrypt, FALSE, // fUsageRequired
&fMatch); if (S_OK == hr && fMatch) { fSigningCert = FALSE; goto done; }
done: return(fSigningCert);}
HRESULTAddCertAndKeyBlobToStore( IN HCERTSTORE hStore, IN CERT_CONTEXT const *pcc, IN BYTE const *pbKey, IN DWORD cbKey, IN ALG_ID aiKeyAlg){ HRESULT hr; BYTE *pbKeyAlloc = NULL; DWORD cbKeyAlloc; HCRYPTPROV hProv = NULL; HCRYPTKEY hKey = NULL; CRYPT_KEY_PROV_INFO kpi; WCHAR *pwszProviderName = NULL; WCHAR *pwszKeyContainerName = NULL; BOOL fSigningKey; BOOL fMatchingKey; BOOL fQuiet;
#if 0
wprintf(wszNewLine); DumpHex( DH_NOTABPREFIX | DH_NOASCIIHEX | DH_PRIVATEDATA | 4, pbKey, cbKey);#endif
hr = cuGenerateKeyContainerName(pcc, &pwszKeyContainerName); _JumpIfError(hr, error, "cuGenerateKeyContainerName");
hr = myCryptGetDefaultProvider( PROV_RSA_FULL, g_fUserRegistry? CRYPT_USER_DEFAULT : CRYPT_MACHINE_DEFAULT, &pwszProviderName); _JumpIfError(hr, error, "myCryptGetDefaultProvider");
if (!CryptAcquireContext( &hProv, pwszKeyContainerName, pwszProviderName, PROV_RSA_FULL, CRYPT_NEWKEYSET)) { hr = myHLastError(); _JumpError(hr, error, "CryptAcquireContext"); }
if (PRIVATEKEYBLOB == ((PUBLICKEYSTRUC const *) pbKey)->bType && CUR_BLOB_VERSION == ((PUBLICKEYSTRUC const *) pbKey)->bVersion && RSAPRIV_MAGIC == ((RSAPUBKEY const *) &pbKey[sizeof(PUBLICKEYSTRUC)])->magic) { if (0 == aiKeyAlg) { aiKeyAlg = ((PUBLICKEYSTRUC const *) pbKey)->aiKeyAlg; } else if (aiKeyAlg != ((PUBLICKEYSTRUC const *) pbKey)->aiKeyAlg) { ((PUBLICKEYSTRUC *) pbKey)->aiKeyAlg = aiKeyAlg; } } if (0 == aiKeyAlg) { aiKeyAlg = IsSigningCert(pcc)? CALG_RSA_SIGN : CALG_RSA_KEYX; } if (!CryptImportKey(hProv, pbKey, cbKey, NULL, CRYPT_EXPORTABLE, &hKey)) { hr = myHLastError(); _PrintError(hr, "CryptImportKey");
hr = myDecodeKMSRSAKey( pbKey, cbKey, aiKeyAlg, &pbKeyAlloc, &cbKeyAlloc); _JumpIfError(hr, error, "myDecodeKMSRSAKey");
pbKey = pbKeyAlloc; cbKey = cbKeyAlloc;
//cuDumpPrivateKeyBlob(pbKey, cbKey, FALSE);
if (!CryptImportKey(hProv, pbKey, cbKey, NULL, CRYPT_EXPORTABLE, &hKey)) { hr = myHLastError(); _JumpError(hr, error, "CryptImportKey"); } } ZeroMemory(&kpi, sizeof(kpi)); kpi.pwszContainerName = pwszKeyContainerName; kpi.pwszProvName = pwszProviderName; kpi.dwProvType = PROV_RSA_FULL; kpi.dwKeySpec = CALG_RSA_SIGN == aiKeyAlg? AT_SIGNATURE : AT_KEYEXCHANGE;
if (!CertSetCertificateContextProperty( pcc, CERT_KEY_PROV_INFO_PROP_ID, 0, &kpi)) { hr = myHLastError(); _JumpError(hr, error, "CertSetCertificateContextProperty"); } if (!CertAddCertificateContextToStore( hStore, pcc, CERT_STORE_ADD_NEW, NULL)) { hr = myHLastError(); _JumpError(hr, error, "CertAddCertificateContextToStore"); }
fQuiet = g_fQuiet; g_fQuiet = TRUE; hr = cuDumpPrivateKey(pcc, &fSigningKey, &fMatchingKey); g_fQuiet = fQuiet; if (!IsHrSkipPrivateKey(hr)) { if (S_OK != hr) { wprintf(myLoadResourceString( fSigningKey? IDS_SIGNATURE_BAD : // "Signature test FAILED"
IDS_ENCRYPTION_BAD)); // "Encryption test FAILED"
wprintf(wszNewLine); _PrintError(hr, "cuDumpPrivateKey"); fMatchingKey = FALSE; }
if (fMatchingKey) { wprintf(myLoadResourceString( fSigningKey? IDS_SIGNATURE_OK : // "Signature test passed"
IDS_ENCRYPTION_OK)); // "Encryption test passed"
wprintf(wszNewLine); } } hr = S_OK;
error: if (NULL != pwszProviderName) { LocalFree(pwszProviderName); } if (NULL != pwszKeyContainerName) { LocalFree(pwszKeyContainerName); } if (NULL != hKey) { CryptDestroyKey(hKey); } if (NULL != hProv) { CryptReleaseContext(hProv, 0); } if (NULL != pbKeyAlloc) { SecureZeroMemory(pbKeyAlloc, cbKeyAlloc); // Key material
LocalFree(pbKeyAlloc); } return(hr);}
#define cwcEXTMAX 4
typedef struct _KEYEXTENSION { WCHAR const *pwszExt; ALG_ID aiKeyAlg;} KEYEXTENSION;
KEYEXTENSION s_akePrivate[] ={ { L".sig", CALG_RSA_SIGN }, { L".enc", CALG_RSA_KEYX }, { L".key", 0 }, { L".pri", 0 },};
HRESULTAddCertAndKeyToStore( IN CERT_CONTEXT const *pcc, IN WCHAR const *pwszfn, IN HCERTSTORE hStore, IN BYTE const *pbCert, IN DWORD cbCert){ HRESULT hr; WCHAR *pwszfnKey = NULL; WCHAR *pwszfnExt; KEYEXTENSION const *pke; BYTE *pbKey = NULL; DWORD cbKey;
pwszfnKey = (WCHAR *) LocalAlloc( LMEM_FIXED, (wcslen(pwszfn) + cwcEXTMAX + 1) * sizeof(WCHAR)); if (NULL == pwszfnKey) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } wcscpy(pwszfnKey, pwszfn); pwszfnExt = wcsrchr(pwszfnKey, L'.'); if (NULL == pwszfnExt || NULL != wcschr(pwszfnExt, L'\\')) { pwszfnExt = &pwszfnKey[wcslen(pwszfnKey)]; }
for (pke = s_akePrivate; ; pke++) { if (pke >= &s_akePrivate[ARRAYSIZE(s_akePrivate)]) { hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); _JumpErrorStr(hr, error, "No private key file", pwszfnKey); } CSASSERT(cwcEXTMAX >= wcslen(pke->pwszExt)); wcscpy(pwszfnExt, pke->pwszExt); hr = DecodeFileW(pwszfnKey, &pbKey, &cbKey, CRYPT_STRING_ANY); if (S_OK == hr) { break; } _PrintErrorStr2(hr, "DecodeFileW", pwszfnKey, hr); } hr = AddCertAndKeyBlobToStore(hStore, pcc, pbKey, cbKey, pke->aiKeyAlg); _JumpIfError(hr, error, "AddCertAndKeyBlobToStore");
error: if (NULL != pbKey) { LocalFree(pbKey); } if (NULL != pwszfnKey) { LocalFree(pwszfnKey); } return(hr);}
HRESULTAddSimplePKCS8WithCertToSTore( IN HCERTSTORE hStoreMerge, IN BYTE *pbIn, IN DWORD cbIn){ HRESULT hr; DWORD i; DWORD cbKey; CERT_CONTEXT const *pcc = NULL;
i = myASNGetDataIndex( BER_SEQUENCE, 0, pbIn, cbIn, &cbKey); if (MAXDWORD == i) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "myASNGetDataIndex"); } cbKey += i;
pcc = CertCreateCertificateContext( X509_ASN_ENCODING, &pbIn[cbKey], cbIn - cbKey); if (NULL == pcc) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); } hr = AddCertAndKeyBlobToStore( hStoreMerge, pcc, pbIn, cbKey, 0); // aiKeyAlg
_JumpIfError(hr, error, "AddCertAndKeyBlobToStore");
error: if (NULL != pcc) { CertFreeCertificateContext(pcc); } return(hr);}
HRESULTAddPFXOrEPFToStore( IN WCHAR const *pwszfn, IN HCERTSTORE hStoreMerge, IN OUT WCHAR ***papwszPasswordList){ HRESULT hr; WCHAR const * const *ppwszPasswordList = *papwszPasswordList; BOOL fPFX; DWORD i; CRYPT_DATA_BLOB pfx; WCHAR wszPassword[MAX_PATH]; WCHAR const *pwszPassword; BOOL fLoaded; CERT_CONTEXT const *pcc = NULL;
pfx.pbData = NULL;
hr = DecodeFileW(pwszfn, &pfx.pbData, &pfx.cbData, CRYPT_STRING_ANY); _JumpIfError(hr, error, "DecodeFileW");
fPFX = PFXIsPFXBlob(&pfx);
if (!fPFX) { pcc = CertCreateCertificateContext( X509_ASN_ENCODING, pfx.pbData, pfx.cbData); if (NULL != pcc) { hr = AddCertAndKeyToStore( pcc, pwszfn, hStoreMerge, pfx.pbData, pfx.cbData); _PrintIfError(hr, "AddCertAndKeyToStore");
// File was a cert. If we found the key, hr is S_OK & we're done.
// If we didn't found the key, hr is set & we're done.
goto error; } else { // File was not a cert. See if it's a simple PKCS8 w/appended Cert.
hr = AddSimplePKCS8WithCertToSTore( hStoreMerge, pfx.pbData, pfx.cbData); _PrintIfError(hr, "AddSimplePKCS8WithCertToSTore"); if (S_OK == hr) { // If we succeeded, we're done.
goto error; } } }
// Try all of the passwords collected so far.
fLoaded = FALSE; if (NULL != ppwszPasswordList) { for (i = 0; NULL != ppwszPasswordList[i]; i++) { hr = AddPFXOrEPFToStoreSub( pwszfn, ppwszPasswordList[i], fPFX? &pfx : NULL, hStoreMerge); if (HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD) != hr) { _JumpIfErrorStr(hr, error, "AddPFXOrEPFToStoreSub", pwszfn);
fLoaded = TRUE; break; // success
} } }
// Try the unparsed command line password, or collect a new one.
pwszPassword = g_pwszPassword; if (!fLoaded) { while (TRUE) { if (NULL != pwszPassword) { hr = AddPFXOrEPFToStoreSub( pwszfn, pwszPassword, fPFX? &pfx : NULL, hStoreMerge); if (HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD) != hr) { _JumpIfErrorStr(hr, error, "AddPFXOrEPFToStoreSub", pwszfn);
break; // success
} } hr = cuGetPassword( IDS_FORMAT_ENTER_PASSWORD, pwszfn, NULL, // pwszPasswordIn
FALSE, // fVerify
wszPassword, ARRAYSIZE(wszPassword), &pwszPassword); _JumpIfError(hr, error, "cuGetPassword");
hr = AddStringToList(pwszPassword, papwszPasswordList); _JumpIfError(hr, error, "AddStringToList"); } } hr = S_OK;
error: SecureZeroMemory(wszPassword, sizeof(wszPassword)); // password data
if (NULL != pcc) { CertFreeCertificateContext(pcc); } if (NULL != pfx.pbData) { LocalFree(pfx.pbData); } return(hr);}
HRESULTLoadAndSavePFXFiles( IN BOOL fSaveAsPFX, IN BOOL dwEPFAlg, IN WCHAR const *pwszfnPFXInFileList, IN WCHAR const *pwszfnOutFile, OPTIONAL IN WCHAR const *pwszNewCSP, OPTIONAL IN WCHAR const *pwszSalt, OPTIONAL IN WCHAR const *pwszV3CACertId){ HRESULT hr; WCHAR **ppwszfnList = NULL; WCHAR **ppwszPasswordList = NULL; DWORD i; HCERTSTORE hStoreMerge = NULL; WCHAR *pwszPasswordAlloc = NULL; WCHAR *pwszPasswordOut;
hr = cuParseStrings( pwszfnPFXInFileList, FALSE, NULL, NULL, &ppwszfnList, NULL); _JumpIfError(hr, error, "cuParseStrings");
pwszPasswordOut = NULL; if (NULL != g_pwszPassword) { hr = cuParseStrings( g_pwszPassword, FALSE, NULL, NULL, &ppwszPasswordList, NULL); _JumpIfError(hr, error, "cuParseStrings");
if (NULL != ppwszPasswordList) { if (NULL != g_pwszPassword && (L',' == *g_pwszPassword || NULL != wcsstr(g_pwszPassword, L",,"))) { hr = AddStringToList(g_wszEmpty, &ppwszPasswordList); _JumpIfError(hr, error, "AddStringToList");
// make sure it was added at the head of the list
CSASSERT(L'\0' == ppwszPasswordList[0][0]); } for (i = 0; NULL != ppwszPasswordList[i]; i++) { } if (i > 1 && 0 != lstrcmp(L"*", ppwszPasswordList[i - 1])) { pwszPasswordOut = ppwszPasswordList[i - 1]; } } } hStoreMerge = CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_STORE_ENUM_ARCHIVED_FLAG, NULL); if (NULL == hStoreMerge) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); } if (NULL != ppwszfnList) { for (i = 0; NULL != ppwszfnList[i]; i++) { hr = AddPFXOrEPFToStore( ppwszfnList[i], hStoreMerge, &ppwszPasswordList); _JumpIfError(hr, error, "AddPFXOrEPFToStore"); } } else { hr = AddPFXOrEPFToStore( pwszfnPFXInFileList, hStoreMerge, &ppwszPasswordList); _JumpIfError(hr, error, "AddPFXOrEPFToStore"); } hr = SavePFXStoreToFile( hStoreMerge, pwszfnOutFile, pwszNewCSP, pwszSalt, pwszV3CACertId, fSaveAsPFX, dwEPFAlg, pwszPasswordOut, &pwszPasswordAlloc); _JumpIfError(hr, error, "SavePFXStoreToFile");
error: if (NULL != hStoreMerge) { myDeleteGuidKeys(hStoreMerge, !g_fUserRegistry); CertCloseStore(hStoreMerge, CERT_CLOSE_STORE_CHECK_FLAG); } cuFreeStringArray(ppwszPasswordList); cuFreeStringArray(ppwszfnList); if (NULL != pwszPasswordAlloc) { myZeroDataString(pwszPasswordAlloc); // password data
LocalFree(pwszPasswordAlloc); } return(hr);}
HRESULTverbMergePFX( IN WCHAR const *pwszOption, IN WCHAR const *pwszfnPFXInFileList, IN WCHAR const *pwszfnPFXOutFile, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr;
hr = LoadAndSavePFXFiles( TRUE, // fSaveAsPFX
0, // dwEPFAlg
pwszfnPFXInFileList, pwszfnPFXOutFile, g_pwszCSP, NULL, // pwszSalt
NULL); // pwszV3CACertId
_JumpIfError(hr, error, "LoadAndSavePFXFiles");
error: return(hr);}
HRESULTverbConvertEPF( IN WCHAR const *pwszOption, IN WCHAR const *pwszfnPFXInFileList, IN WCHAR const *pwszfnEPFOutFile, OPTIONAL IN WCHAR const *pwszV3CACertId, OPTIONAL IN WCHAR const *pwszAlg){ HRESULT hr; DWORD dwEPFAlg = EPFALG_DEFAULT; WCHAR *pwszDup = NULL; WCHAR const *pwsz; WCHAR *pwszSalt = NULL;
if (NULL != pwszV3CACertId && (0 == LSTRCMPIS(pwszV3CACertId, L"cast-") || 0 == LSTRCMPIS(pwszV3CACertId, L"cast"))) { pwsz = pwszV3CACertId; pwszV3CACertId = pwszAlg; pwszAlg = pwsz; } if (NULL != pwszV3CACertId && NULL != wcsrchr(pwszV3CACertId, L',')) { hr = myDupString(pwszV3CACertId, &pwszDup); _JumpIfError(hr, error, "myDupString");
pwszV3CACertId = pwszDup; pwszSalt = wcsrchr(pwszV3CACertId, L','); *pwszSalt++ = L'\0'; if (L'\0' == *pwszSalt) { pwszSalt = NULL; } if (L'\0' == *pwszV3CACertId) { pwszV3CACertId = NULL; } } if (NULL != pwszAlg) { if (0 == LSTRCMPIS(pwszAlg, L"cast-")) { dwEPFAlg = EPFALG_CASTEXPORT; } else if (0 == LSTRCMPIS(pwszAlg, L"cast")) { dwEPFAlg = EPFALG_CAST; } else { hr = E_INVALIDARG; _JumpErrorStr(hr, error, "pwszAlg", pwszAlg); } }
hr = LoadAndSavePFXFiles( FALSE, // fSaveAsPFX
dwEPFAlg, pwszfnPFXInFileList, pwszfnEPFOutFile, g_pwszCSP, pwszSalt, pwszV3CACertId); _JumpIfError(hr, error, "LoadAndSavePFXFiles");
error: if (NULL != pwszDup) { LocalFree(pwszDup); } return(hr);}
HRESULTGetMarshaledDword( IN BOOL fFetchLength, IN OUT BYTE const **ppb, IN OUT DWORD *pcb, OUT DWORD *pdw){ HRESULT hr = HRESULT_FROM_WIN32(ERROR_HANDLE_EOF);
if (sizeof(*pdw) > *pcb) { _JumpError(hr, error, "input buffer too small"); } *pdw = *(DWORD UNALIGNED *) *ppb; *ppb += sizeof(*pdw); *pcb -= sizeof(*pdw); if (fFetchLength && *pdw > *pcb) { _JumpError(hr, error, "input buffer too small for length"); } hr = S_OK;
error: return(hr);}
HRESULTcuDecodeSequence( IN BYTE const *pbSeq, IN DWORD cbSeq, IN DWORD cSeq, OUT CRYPT_SEQUENCE_OF_ANY **ppSeq){ HRESULT hr; DWORD cb; DWORD i; CRYPT_SEQUENCE_OF_ANY *pSeq = NULL;
*ppSeq = NULL; if (!myDecodeObject( X509_ASN_ENCODING, X509_SEQUENCE_OF_ANY, pbSeq, cbSeq, CERTLIB_USE_LOCALALLOC, (VOID **) &pSeq, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); if (cSeq != pSeq->cValue) { _JumpError(hr, error, "Sequence count"); } for (i = 0; i < cSeq; i++) { if (NULL == pSeq->rgValue[i].pbData || 0 == pSeq->rgValue[i].cbData) { _JumpError(hr, error, "Empty Sequence"); } } *ppSeq = pSeq; pSeq = NULL; hr = S_OK;
error: if (NULL != pSeq) { LocalFree(pSeq); } return(hr);}
#define k_PrivateKeyVersion 0
HRESULTVerifyKeyVersion( IN BYTE const *pbIn, IN DWORD cbIn){ HRESULT hr; DWORD dwKeyVersion; DWORD cb;
dwKeyVersion = MAXDWORD; cb = sizeof(dwKeyVersion); if (!CryptDecodeObject( X509_ASN_ENCODING, X509_INTEGER, pbIn, cbIn, 0, &dwKeyVersion, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CryptDecodeObject"); } if (k_PrivateKeyVersion != dwKeyVersion) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Public key version"); } hr = S_OK;
error: return(hr);}
HRESULTEncodeKeyVersion( OUT BYTE **ppbOut, OUT DWORD *pcbOut){ HRESULT hr; DWORD dwKeyVersion;
*ppbOut = NULL; dwKeyVersion = k_PrivateKeyVersion; if (!myEncodeObject( X509_ASN_ENCODING, X509_INTEGER, &dwKeyVersion, 0, CERTLIB_USE_LOCALALLOC, ppbOut, pcbOut)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } hr = S_OK;
error: return(hr);}
//+-------------------------------------------------------------------------
// Inputs a private key in PKCS PrivateKeyInfo format:
// RSAPrivateKeyInfo ::= SEQUENCE {
// version Version, -- only 0 supported
// privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
// privateKey PrivateKey
// }
//
// Version ::= INTEGER
//
// PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
//
// PrivateKey ::= OCTET STRING -- contains an RSAPrivateKey
//
// RSAPrivateKey ::= SEQUENCE {
// version Version, -- only 0 supported
// modulus INTEGER, -- n
// publicExponent INTEGER, -- e
// privateExponent INTEGER, -- d
// prime1 INTEGER, -- p
// prime2 INTEGER, -- q
// exponent1 INTEGER, -- d mod (p-1)
// exponent2 INTEGER, -- d mod (q-1)
// coefficient INTEGER -- (inverse of q) mod p
// }
//
// returns a PRIVATEKEYBLOB
//--------------------------------------------------------------------------
// Indexes into pSeqOuter:
#define ISO_VERSION 0
#define ISO_ALG 1
#define ISO_KEY 2
#define ISO_MAX 3 // number of elements
// Indexes into pSeqAlg:
#define ISA_OID 0
#define ISA_PARM 1
#define ISA_MAX 2 // number of elements
// Indexes into pSeqKey:
#define ISK_VERSION 0
#define ISK_MODULUS 1 // public key
#define ISK_PUBEXP 2
#define ISK_PRIVEXP 3
#define ISK_PRIME1 4
#define ISK_PRIME2 5
#define ISK_EXP1 6
#define ISK_EXP2 7
#define ISK_COEFF 8
#define ISK_MAX 9 // number of elements
typedef struct _KEYBLOBMAP{ DWORD dwisk; // index into pSeqKey: ISK_*
DWORD dwdivisor; // cbitKey/dwDivisor is expected byte count
} KEYBLOBMAP;
// The KEYBLOBMAP array defines the order and expected size of the key element
// integers as they will appear in the RSA PRIVATEKEYBLOB.
KEYBLOBMAP g_akbm[] = { { ISK_MODULUS, 8 }, // public key
{ ISK_PRIME1, 16 }, { ISK_PRIME2, 16 }, { ISK_EXP1, 16 }, { ISK_EXP2, 16 }, { ISK_COEFF, 16 }, { ISK_PRIVEXP, 8 },};
HRESULTmyDecodeKMSRSAKey( IN BYTE const *pbKMSRSAKey, IN DWORD cbKMSRSAKey, IN ALG_ID aiKeyAlg, OUT BYTE **ppbKey, OUT DWORD *pcbKey){ HRESULT hr; CRYPT_SEQUENCE_OF_ANY *pSeqOuter = NULL; CRYPT_SEQUENCE_OF_ANY *pSeqAlg = NULL; CRYPT_SEQUENCE_OF_ANY *pSeqKey = NULL; DWORD cb; DWORD i; BYTE *pb; BYTE *pbKey = NULL; DWORD cbKey; DWORD cbitKey; char *pszObjId = NULL; CRYPT_DATA_BLOB *pBlobKey = NULL; CRYPT_INTEGER_BLOB *apIntKey[ISK_MAX]; DWORD dwPubExp;
*ppbKey = NULL; ZeroMemory(apIntKey, sizeof(apIntKey)); hr = cuDecodeSequence(pbKMSRSAKey, cbKMSRSAKey, ISO_MAX, &pSeqOuter); _JumpIfError(hr, error, "cuDecodeSequence");
hr = VerifyKeyVersion( pSeqOuter->rgValue[ISO_VERSION].pbData, pSeqOuter->rgValue[ISO_VERSION].cbData); _JumpIfError(hr, error, "VerifyKeyVersion");
hr = cuDecodeSequence( pSeqOuter->rgValue[ISO_ALG].pbData, pSeqOuter->rgValue[ISO_ALG].cbData, ISA_MAX, &pSeqAlg); _JumpIfError(hr, error, "cuDecodeSequence");
hr = cuDecodeObjId( pSeqAlg->rgValue[ISA_OID].pbData, pSeqAlg->rgValue[ISA_OID].cbData, &pszObjId); _JumpIfError(hr, error, "cuDecodeObjId");
// key algorithm must be szOID_RSA_RSA
if (0 != strcmp(szOID_RSA_RSA, pszObjId)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Bad key alg ObjId"); }
// key algorithm parms must be NULL (BER_NULL, cb == 0)
if (2 != pSeqAlg->rgValue[ISA_PARM].cbData || BER_NULL != pSeqAlg->rgValue[ISA_PARM].pbData[0] || 0 != pSeqAlg->rgValue[ISA_PARM].pbData[1]) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Bad key alg parameters"); }
if (!myDecodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, pSeqOuter->rgValue[ISO_KEY].pbData, pSeqOuter->rgValue[ISO_KEY].cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pBlobKey, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
hr = cuDecodeSequence( pBlobKey->pbData, pBlobKey->cbData, ARRAYSIZE(apIntKey), &pSeqKey); _JumpIfError(hr, error, "cuDecodeSequence");
hr = VerifyKeyVersion( pSeqKey->rgValue[ISK_VERSION].pbData, pSeqKey->rgValue[ISK_VERSION].cbData); _JumpIfError(hr, error, "VerifyKeyVersion");
cb = sizeof(dwPubExp); if (!CryptDecodeObject( X509_ASN_ENCODING, X509_INTEGER, pSeqKey->rgValue[ISK_PUBEXP].pbData, pSeqKey->rgValue[ISK_PUBEXP].cbData, 0, &dwPubExp, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CryptDecodeObject"); }
for (i = 0; i < ARRAYSIZE(apIntKey); i++) { if (!myDecodeObject( X509_ASN_ENCODING, X509_MULTI_BYTE_INTEGER, pSeqKey->rgValue[i].pbData, pSeqKey->rgValue[i].cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &apIntKey[i], &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } } cb = apIntKey[ISK_MODULUS]->cbData; if (0 < cb && 0 == apIntKey[ISK_MODULUS]->pbData[cb - 1]) { cb--; } cbitKey = 8 * cb;
#if 0
wprintf(L"cbitKey = %u\n", cbitKey); for (i = 0; i < ARRAYSIZE(apIntKey); i++) { wprintf(wszNewLine); DumpHex( DH_NOTABPREFIX | DH_NOASCIIHEX | DH_PRIVATEDATA | 4, apIntKey[i]->pbData, apIntKey[i]->cbData); }#endif
cbKey = sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY); for (i = 0; i < ARRAYSIZE(g_akbm); i++) { cbKey += cbitKey / g_akbm[i].dwdivisor; } pbKey = (BYTE *) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, cbKey); if (NULL == pbKey) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
pb = pbKey; ((PUBLICKEYSTRUC *) pb)->bType = PRIVATEKEYBLOB; ((PUBLICKEYSTRUC *) pb)->bVersion = CUR_BLOB_VERSION; ((PUBLICKEYSTRUC *) pb)->aiKeyAlg = aiKeyAlg;
pb += sizeof(PUBLICKEYSTRUC); ((RSAPUBKEY *) pb)->magic = RSAPRIV_MAGIC; // "RSA2"
((RSAPUBKEY *) pb)->bitlen = cbitKey; ((RSAPUBKEY *) pb)->pubexp = dwPubExp;
pb += sizeof(RSAPUBKEY); for (i = 0; i < ARRAYSIZE(g_akbm); i++) { DWORD cbcopy; BYTE const *pbcopy; CSASSERT(ISK_MAX > g_akbm[i].dwisk); cb = cbitKey / g_akbm[i].dwdivisor; cbcopy = apIntKey[g_akbm[i].dwisk]->cbData; pbcopy = apIntKey[g_akbm[i].dwisk]->pbData; if (cb < cbcopy) { if (cb + 1 != cbcopy || 0 != pbcopy[cb]) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Bad key element size"); } //DumpHex(DH_NOTABPREFIX | DH_PRIVATEDATA | 4, pbcopy, cbcopy);
cbcopy--; } CopyMemory(pb, pbcopy, cbcopy); if (cb > cbcopy) { ZeroMemory(&pb[cbcopy], cb - cbcopy); // Add trailing zeros
} pb += cb; //DumpHex(DH_NOTABPREFIX | DH_NOASCIIHEX | DH_PRIVATEDATA | 4, pb - cb, cb);
} CSASSERT(pb = &pbKey[cbKey]); if (g_fVerbose) { wprintf(myLoadResourceString(IDS_FORMAT_BIT_KEY), cbitKey); wprintf(wszNewLine); if (1 < g_fVerbose) { DumpHex(DH_NOTABPREFIX | DH_PRIVATEDATA | 4, pbKey, cbKey); } } *pcbKey = cbKey; *ppbKey = pbKey; pbKey = NULL; hr = S_OK;
error: if (NULL != pSeqOuter) { LocalFree(pSeqOuter); } if (NULL != pSeqAlg) { LocalFree(pSeqAlg); } if (NULL != pSeqKey) { LocalFree(pSeqKey); } if (NULL != pszObjId) { LocalFree(pszObjId); } if (NULL != pBlobKey) { LocalFree(pBlobKey); } for (i = 0; i < ARRAYSIZE(apIntKey); i++) { if (NULL != apIntKey[i]) { LocalFree(apIntKey[i]); } } if (NULL != pbKey) { LocalFree(pbKey); } return(hr);}
//+-------------------------------------------------------------------------
// Inputs a private key in PRIVATEKEYBLOB format.
// returns a PKCS PrivateKeyInfo
//--------------------------------------------------------------------------
HRESULTmyEncodeKMSRSAKey( IN BYTE const *pbKey, IN DWORD cbKey, OUT BYTE **ppbKMSRSAKey, OUT DWORD *pcbKMSRSAKey){ HRESULT hr; DWORD i; BYTE const *pb; CRYPT_SEQUENCE_OF_ANY SeqOuter; CRYPT_SEQUENCE_OF_ANY SeqAlg; CRYPT_SEQUENCE_OF_ANY SeqKey; CRYPT_DER_BLOB rgBlobOuter[ISO_MAX]; CRYPT_DER_BLOB rgBlobAlg[ISA_MAX]; CRYPT_DER_BLOB rgBlobKey[ISK_MAX]; CRYPT_DER_BLOB BlobKey; DWORD cbitKey; DWORD dwPubExp; BYTE rgbNull[] = { BER_NULL, 0 };
ZeroMemory(rgBlobOuter, sizeof(rgBlobOuter)); ZeroMemory(rgBlobAlg, sizeof(rgBlobAlg)); ZeroMemory(rgBlobKey, sizeof(rgBlobKey)); BlobKey.pbData = NULL;
pb = pbKey; if (PRIVATEKEYBLOB != ((PUBLICKEYSTRUC const *) pb)->bType || CUR_BLOB_VERSION != ((PUBLICKEYSTRUC const *) pb)->bVersion) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Bad RSA key type/version"); } // aiKeyAlg = ((PUBLICKEYSTRUC const *) pb)->aiKeyAlg;
pb += sizeof(PUBLICKEYSTRUC); if (RSAPRIV_MAGIC != ((RSAPUBKEY const *) pb)->magic) // "RSA2"
{ hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Bad RSA key magic"); } cbitKey = ((RSAPUBKEY const *) pb)->bitlen; dwPubExp = ((RSAPUBKEY const *) pb)->pubexp;
pb += sizeof(RSAPUBKEY);
hr = EncodeKeyVersion( &rgBlobKey[ISK_VERSION].pbData, &rgBlobKey[ISK_VERSION].cbData); _JumpIfError(hr, error, "EncodeKeyVersion");
if (!myEncodeObject( X509_ASN_ENCODING, X509_INTEGER, &dwPubExp, 0, CERTLIB_USE_LOCALALLOC, &rgBlobKey[ISK_PUBEXP].pbData, &rgBlobKey[ISK_PUBEXP].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); }
for (i = 0; i < ARRAYSIZE(g_akbm); i++) { DWORD dwisk = g_akbm[i].dwisk; CRYPT_DER_BLOB Blob; CSASSERT(ISK_MAX > dwisk); CSASSERT(NULL == rgBlobKey[dwisk].pbData);
Blob.pbData = const_cast<BYTE *>(pb); Blob.cbData = cbitKey / g_akbm[i].dwdivisor; pb += Blob.cbData;
while (1 < Blob.cbData && 0 == Blob.pbData[Blob.cbData - 1]) { Blob.cbData--; } if (!myEncodeObject( X509_ASN_ENCODING, X509_MULTI_BYTE_INTEGER, &Blob, 0, CERTLIB_USE_LOCALALLOC, &rgBlobKey[dwisk].pbData, &rgBlobKey[dwisk].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } }
SeqKey.cValue = ARRAYSIZE(rgBlobKey); SeqKey.rgValue = rgBlobKey; if (!myEncodeObject( X509_ASN_ENCODING, X509_SEQUENCE_OF_ANY, &SeqKey, 0, CERTLIB_USE_LOCALALLOC, &BlobKey.pbData, &BlobKey.cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } if (!myEncodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, &BlobKey, 0, CERTLIB_USE_LOCALALLOC, &rgBlobOuter[ISO_KEY].pbData, &rgBlobOuter[ISO_KEY].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); }
// set key algorithm to szOID_RSA_RSA
hr = cuEncodeObjId( szOID_RSA_RSA, &rgBlobAlg[ISA_OID].pbData, &rgBlobAlg[ISA_OID].cbData); _JumpIfError(hr, error, "cuEncodeObjId");
// set key algorithm parms to NULL (BER_NULL, cb == 0)
rgBlobAlg[ISA_PARM].cbData = ARRAYSIZE(rgbNull); rgBlobAlg[ISA_PARM].pbData = rgbNull;
SeqAlg.cValue = ARRAYSIZE(rgBlobAlg); SeqAlg.rgValue = rgBlobAlg; if (!myEncodeObject( X509_ASN_ENCODING, X509_SEQUENCE_OF_ANY, &SeqAlg, 0, CERTLIB_USE_LOCALALLOC, &rgBlobOuter[ISO_ALG].pbData, &rgBlobOuter[ISO_ALG].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } hr = EncodeKeyVersion( &rgBlobOuter[ISO_VERSION].pbData, &rgBlobOuter[ISO_VERSION].cbData); _JumpIfError(hr, error, "EncodeKeyVersion");
SeqOuter.cValue = ARRAYSIZE(rgBlobOuter); SeqOuter.rgValue = rgBlobOuter; if (!myEncodeObject( X509_ASN_ENCODING, X509_SEQUENCE_OF_ANY, &SeqOuter, 0, CERTLIB_USE_LOCALALLOC, ppbKMSRSAKey, pcbKMSRSAKey)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } hr = S_OK;
error: if (NULL != BlobKey.pbData) { LocalFree(BlobKey.pbData); } for (i = 0; i < ARRAYSIZE(rgBlobKey); i++) { if (NULL != rgBlobKey[i].pbData) { LocalFree(rgBlobKey[i].pbData); } } for (i = 0; i < ARRAYSIZE(rgBlobOuter); i++) { if (NULL != rgBlobOuter[i].pbData) { LocalFree(rgBlobOuter[i].pbData); } } if (NULL != rgBlobAlg[ISA_OID].pbData) { LocalFree(rgBlobAlg[ISA_OID].pbData); } return(hr);}
HRESULTmyVerifyKMSKey( IN BYTE const *pbCert, IN DWORD cbCert, IN BYTE const *pbKey, IN DWORD cbKey, IN DWORD dwKeySpec, IN BOOL fQuiet){ HRESULT hr; CERT_CONTEXT const *pCert; HCRYPTPROV hProv = NULL; HCRYPTKEY hKey = NULL; CERT_PUBLIC_KEY_INFO *pPublicKeyInfo = NULL; DWORD cb;
pCert = CertCreateCertificateContext(X509_ASN_ENCODING, pbCert, cbCert); if (NULL == pCert) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
if (!CryptAcquireContext( &hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { hr = myHLastError(); _JumpError(hr, error, "CryptAcquireContext"); } if (!CryptImportKey(hProv, pbKey, cbKey, NULL, CRYPT_EXPORTABLE, &hKey)) { hr = myHLastError(); _JumpError(hr, error, "CryptImportKey"); } if (!myCryptExportPublicKeyInfo( hProv, dwKeySpec, CERTLIB_USE_LOCALALLOC, &pPublicKeyInfo, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myCryptExportPublicKeyInfo"); } if (g_fVerbose) { cuDumpVersion(pCert->pCertInfo->dwVersion + 1); if (1 < g_fVerbose) { cuDumpPublicKey(&pCert->pCertInfo->SubjectPublicKeyInfo); cuDisplayKeyId(&pCert->pCertInfo->SubjectPublicKeyInfo, 0, NULL); cuDumpPublicKey(pPublicKeyInfo); } } cuDisplayKeyId(pPublicKeyInfo, 0, NULL);
if (!myCertComparePublicKeyInfo( X509_ASN_ENCODING, CERT_V1 == pCert->pCertInfo->dwVersion, pPublicKeyInfo, &pCert->pCertInfo->SubjectPublicKeyInfo)) { // by design, (my)CertComparePublicKeyInfo doesn't set last error!
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); if (!fQuiet) { wprintf(myLoadResourceString(IDS_ERR_PUBLICKEY_MISMATCH)); // "ERROR: Certificate public key does NOT match stored keyset"
wprintf(wszNewLine); } _JumpError2(hr, error, "myCertComparePublicKeyInfo", fQuiet? hr : S_OK); } if (AT_SIGNATURE == dwKeySpec) { hr = myValidateKeyForSigning( hProv, &pCert->pCertInfo->SubjectPublicKeyInfo, CALG_SHA1); } else { hr = myValidateKeyForEncrypting( hProv, &pCert->pCertInfo->SubjectPublicKeyInfo, CALG_RC4); } if (S_OK != hr) { wprintf(myLoadResourceString(IDS_ERR_PRIVATEKEY_MISMATCH)); // "ERROR: Certificate public key does NOT match private key"
wprintf(wszNewLine); _JumpError(hr, error, "myValidateKeyForEncrypting"); } if (g_fVerbose) { wprintf(myLoadResourceString(IDS_PRIVATEKEY_VERIFIES)); wprintf(wszNewLine); }
error: if (NULL != pCert) { CertFreeCertificateContext(pCert); } if (NULL != pPublicKeyInfo) { LocalFree(pPublicKeyInfo); } if (NULL != hKey) { CryptDestroyKey(hKey); } if (NULL != hProv) { CryptReleaseContext(hProv, 0); } return(hr);}
HRESULTcuDumpAsnBinaryQuiet( IN BYTE const *pb, IN DWORD cb, IN DWORD iElement){ HRESULT hr; BOOL fVerboseOld = g_fVerbose; BOOL fQuietOld = g_fQuiet;
if (g_fVerbose) { g_fVerbose--; } else { g_fQuiet = TRUE; } hr = cuDumpAsnBinary(pb, cb, iElement); _JumpIfError(hr, error, "cuDumpAsnBinary");
error: g_fVerbose = fVerboseOld; g_fQuiet = fQuietOld; return(hr);}
HRESULTReadTaggedBlob( IN HANDLE hFile, IN DWORD cbRemain, OUT TagHeader *pth, OUT BYTE **ppb){ HRESULT hr; DWORD cbRead; *ppb = NULL; if (!ReadFile(hFile, pth, sizeof(*pth), &cbRead, NULL)) { hr = myHLastError(); _JumpError(hr, error, "ReadFile"); } hr = HRESULT_FROM_WIN32(ERROR_HANDLE_EOF); if (cbRead != sizeof(*pth)) { DBGPRINT(( DBG_SS_ERROR, "ReadFile read %u bytes, requested %u\n", cbRead, sizeof(*pth))); _JumpError(hr, error, "ReadFile(cbRead)"); } if (cbRead + pth->cbSize > cbRemain) { DBGPRINT(( DBG_SS_ERROR, "Header size %u bytes, cbRemain %u\n", sizeof(*pth) + pth->cbSize, cbRemain)); _JumpError(hr, error, "cbRemain"); }
*ppb = (BYTE *) LocalAlloc(LMEM_FIXED, pth->cbSize); if (NULL == *ppb) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } if (!ReadFile(hFile, *ppb, pth->cbSize, &cbRead, NULL)) { hr = myHLastError(); _JumpError(hr, error, "ReadFile"); } if (cbRead != pth->cbSize) { hr = HRESULT_FROM_WIN32(ERROR_HANDLE_EOF); DBGPRINT(( DBG_SS_ERROR, "ReadFile read %u bytes, requested %u\n", cbRead, pth->cbSize)); _JumpError(hr, error, "ReadFile(cbRead)"); } hr = S_OK;
error: if (S_OK != hr && NULL != *ppb) { LocalFree(*ppb); *ppb = NULL; } return(hr);}
BOOLDumpKMSTag( IN TagHeader const *pth){ WCHAR const *pwsz; WCHAR awctag[cwcDWORDSPRINTF];
pwsz = NULL; switch (pth->tag) { case KMS_LOCKBOX_TAG: pwsz = L"KMS_LOCKBOX_TAG"; break; case KMS_SIGNING_CERT_TAG: pwsz = L"KMS_SIGNING_CERT_TAG"; break; case KMS_SIGNATURE_TAG: pwsz = L"KMS_SIGNATURE_TAG"; break; case KMS_USER_RECORD_TAG: pwsz = L"KMS_USER_RECORD_TAG"; break; default: swprintf(awctag, L"%u", pth->tag); pwsz = awctag; break; } if (1 < g_fVerbose) { wprintf( L"%ws: %x (%u) %ws\n", pwsz, pth->cbSize, pth->cbSize, myLoadResourceString(IDS_BYTES)); // "Bytes"
} return(pwsz != awctag); // TRUE if tag is valid
}
HRESULTVerifyKMSExportFile( IN HANDLE hFile, IN DWORD cbFile, OUT CERT_CONTEXT const **ppccSigner){ HRESULT hr; DWORD cbRemain; DWORD cbRead; TagHeader th; BYTE *pb = NULL; CERT_CONTEXT const *pccSigner = NULL; HCRYPTPROV hProv = NULL; HCRYPTHASH hHash = NULL; HCRYPTKEY hkeyPub = NULL; BOOL fVerified = FALSE; WCHAR *pwszSubject = NULL;
*ppccSigner = NULL;
if (!CryptAcquireContext( &hProv, NULL, // pszContainer
NULL, // pszProvider
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { hr = myHLastError(); _JumpError(hr, error, "CryptAcquireContext"); } if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash)) { hr = myHLastError(); _JumpError(hr, error, "CryptCreateHash"); }
cbRemain = cbFile; while (0 < cbRemain) { fVerified = FALSE; CSASSERT(NULL == pb); hr = ReadTaggedBlob(hFile, cbRemain, &th, &pb); _JumpIfError(hr, error, "ReadTaggedBlob"); if (!DumpKMSTag(&th)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "invalid tag"); }
switch (th.tag) { case KMS_SIGNING_CERT_TAG:
if (g_fVerbose || g_fSplitASN) { hr = cuDumpAsnBinaryQuiet(pb, th.cbSize, MAXDWORD); _JumpIfError(hr, error, "cuDumpAsnBinaryQuiet"); }
if (NULL != pccSigner) { hr = HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS); _JumpError(hr, error, "too many signers"); } pccSigner = CertCreateCertificateContext( X509_ASN_ENCODING, pb, th.cbSize); if (NULL == pccSigner) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); } hr = myCertNameToStr( X509_ASN_ENCODING, &pccSigner->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszSubject); _PrintIfError(hr, "myCertNameToStr"); wprintf(myLoadResourceString(IDS_PROCESSING_KMS_EXPORTS_COLON)); wprintf(L"\n %ws\n\n", pwszSubject); break;
case KMS_SIGNATURE_TAG: if (NULL != hkeyPub) { _JumpError(hr, error, "too many signatures"); } if (NULL == pccSigner) { hr = TRUST_E_NO_SIGNER_CERT; _JumpError(hr, error, "no signer"); } if (!CryptImportPublicKeyInfo( hProv, X509_ASN_ENCODING, &pccSigner->pCertInfo->SubjectPublicKeyInfo, &hkeyPub)) { hr = myHLastError(); _JumpError(hr, error, "CryptImportPublicKeyInfo"); } if (!CryptVerifySignature( hHash, pb, th.cbSize, hkeyPub, NULL, 0)) { hr = myHLastError(); _JumpError(hr, error, "CryptVerifySignature"); } fVerified = TRUE; wprintf(myLoadResourceString(IDS_KMSEXPORT_SIG_OK)); // "KMS export file signature verifies"
wprintf(wszNewLine); break;
default: if (!CryptHashData(hHash, (BYTE *) &th, sizeof(th), 0)) { hr = myHLastError(); _JumpError(hr, error, "CryptHashData"); } if (!CryptHashData(hHash, pb, th.cbSize, 0)) { hr = myHLastError(); _JumpError(hr, error, "CryptHashData"); } break; } LocalFree(pb); pb = NULL; CSASSERT(cbRemain >= sizeof(th) + sizeof(th.cbSize)); cbRemain -= sizeof(th) + th.cbSize; } if (!fVerified) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "unsigned data"); } hr = S_OK;
error: if (NULL != pwszSubject) { LocalFree(pwszSubject); } if (NULL != pb) { LocalFree(pb); } if (NULL != hkeyPub) { CryptDestroyKey(hkeyPub); } if (NULL != hHash) { CryptDestroyHash(hHash); } if (NULL != hProv) { CryptReleaseContext(hProv, 0); } return(hr);}
HRESULTmyEncryptPrivateKey( IN CERT_CONTEXT const *pccXchg, IN BYTE const *pbKey, IN DWORD cbKey, OUT BYTE **ppbKeyEncrypted, OUT DWORD *pcbKeyEncrypted){ HRESULT hr; ALG_ID rgalgId[] = { CALG_3DES, CALG_RC4, CALG_RC2 }; DWORD i;
*ppbKeyEncrypted = NULL;
hr = CRYPT_E_NOT_FOUND; for (i = 0; i < ARRAYSIZE(rgalgId); i++) { // encryt into pkcs7
hr = myCryptEncryptMessage( rgalgId[i], 1, // cCertRecipient
&pccXchg, // rgCertRecipient
pbKey, cbKey, NULL, // hCryptProv
ppbKeyEncrypted, pcbKeyEncrypted); if (S_OK == hr) { break; // done
} _PrintError2(hr, "myCryptEncryptMessage", hr); } _JumpIfError(hr, error, "myCryptEncryptMessage");
error: return(hr);}
#define CB_IV 8
typedef struct _KMSSTATS { HRESULT hr; DWORD cRecUser;
DWORD cCertWithoutKeys; DWORD cCertTotal; DWORD cCertNotSaved; DWORD cCertAlreadySaved; DWORD cCertSaved; DWORD cCertSavedForeign;
DWORD cKeyTotal; DWORD cKeyNotSaved; DWORD cKeyAlreadySaved; DWORD cKeySaved; DWORD cKeySavedOverwrite;} KMSSTATS;
HRESULTArchiveCertAndKey( IN DISPATCHINTERFACE *pdiAdmin, IN CERT_CONTEXT const *pccXchg, IN BYTE const *pbCert, IN DWORD cbCert, IN BYTE const *pbKey, IN DWORD cbKey, IN BOOL fSigningKey, IN OUT KMSSTATS *pkmsStats){ HRESULT hr; LONG RequestId; BYTE *pbKeyEncrypted = NULL; DWORD cbKeyEncrypted; CERT_CONTEXT const *pcc = NULL; BYTE abHash[CBMAX_CRYPT_HASH_LEN]; DWORD cbHash; BSTR strHash = NULL; BOOL fCertSaved = FALSE; DWORD ids; pcc = CertCreateCertificateContext(X509_ASN_ENCODING, pbCert, cbCert); if (NULL == pcc) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); } ids = 0; hr = Admin_ImportCertificate( pdiAdmin, g_pwszConfig, (WCHAR const *) pbCert, cbCert, CR_IN_BINARY, &RequestId); if (g_fForce && S_OK != hr && HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS) != hr) { hr = Admin_ImportCertificate( pdiAdmin, g_pwszConfig, (WCHAR const *) pbCert, cbCert, ICF_ALLOWFOREIGN | CR_IN_BINARY, &RequestId); if (S_OK == hr) { pkmsStats->cCertSavedForeign++; ids = IDS_IMPORT_CERT_FOREIGN; // "Imported foreign certificate"
} } if (HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS) != hr) { _JumpIfError2(hr, error, "Admin_ImportCertificate", NTE_BAD_SIGNATURE);
//wprintf(L"RequestId = %u\n", RequestId);
pkmsStats->cCertSaved++; if (0 == ids) { ids = IDS_IMPORT_CERT_DOMESTIC; // "Imported certificate"
} } else { RequestId = MAXDWORD; pkmsStats->cCertAlreadySaved++; ids = IDS_IMPORT_CERT_EXISTS; // "Certificate exists"
cbHash = sizeof(abHash); if (!CertGetCertificateContextProperty( pcc, CERT_SHA1_HASH_PROP_ID, abHash, &cbHash)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateContextProperty"); } hr = MultiByteIntegerToBstr(TRUE, cbHash, abHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr"); } fCertSaved = TRUE; if (g_fVerbose) { wprintf(myLoadResourceString(ids)); wprintf(wszNewLine); } else { wprintf(L"."); }
hr = myEncryptPrivateKey( pccXchg, pbKey, cbKey, &pbKeyEncrypted, &cbKeyEncrypted); _JumpIfError(hr, error, "myEncryptPrivateKey");
ids = 0; hr = Admin2_ImportKey( pdiAdmin, g_pwszConfig, RequestId, strHash, CR_IN_BINARY, (WCHAR const *) pbKeyEncrypted, cbKeyEncrypted); if (g_fForce && HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS) == hr) { hr = Admin2_ImportKey( pdiAdmin, g_pwszConfig, RequestId, strHash, IKF_OVERWRITE | CR_IN_BINARY, (WCHAR const *) pbKeyEncrypted, cbKeyEncrypted); if (S_OK == hr) { pkmsStats->cKeySavedOverwrite++; ids = IDS_IMPORT_KEY_REPLACED; // "Archived key replaced"
} } if (HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS) != hr) { _JumpIfError(hr, error, "Admin2_ImportKey");
pkmsStats->cKeySaved++; if (0 == ids) { ids = IDS_IMPORT_KEY_SAVED; // "Archived key"
} } else { pkmsStats->cKeyAlreadySaved++; ids = IDS_IMPORT_KEY_EXISTS; // "Key already archived"
} if (g_fVerbose) { wprintf(myLoadResourceString(ids)); wprintf(wszNewLine); } else { wprintf(L"."); } hr = S_OK;
error: if (S_OK != hr) { cuPrintErrorMessageText(hr); if (!fCertSaved) { pkmsStats->cCertNotSaved++; } pkmsStats->cKeyNotSaved++; if (fSigningKey && NTE_BAD_KEY_STATE == hr) { hr = S_OK; } else if (S_OK == pkmsStats->hr) { pkmsStats->hr = hr; } } if (NULL != pbKeyEncrypted) { LocalFree(pbKeyEncrypted); } if (NULL != strHash) { SysFreeString(strHash); } if (NULL != pcc) { CertFreeCertificateContext(pcc); } return(hr);}
HRESULTImportOneKMSUser( IN DISPATCHINTERFACE *pdiAdmin, IN CERT_CONTEXT const *pccXchg, IN BYTE const *pbRecUser, IN DWORD cbRecUser, IN HCRYPTKEY hkeySym, IN OUT KMSSTATS *pkmsStats){ HRESULT hr; BYTE const *pbT = pbRecUser; WCHAR *pwszUser = NULL; DWORD cbT = cbRecUser; DWORD cb; DWORD dw; CLSID clsid; WCHAR *pwszGUID = NULL; BYTE *pbKeyASN = NULL; DWORD cbKeyASN; DWORD cbStream;
pkmsStats->cRecUser++;
// Get the user's directory GUID
CopyMemory(&clsid, pbT, sizeof(clsid));
hr = myCLSIDToWsz(&clsid, &pwszGUID); _JumpIfError(hr, error, "myCLSIDToWsz");
pbT += sizeof(GUID); cbT -= sizeof(GUID);
// Get the user's name length
hr = GetMarshaledDword(TRUE, &pbT, &cbT, &cb); _JumpIfError(hr, error, "GetMarshaledDword");
pwszUser = (WCHAR *) LocalAlloc( LMEM_FIXED, ((cb / sizeof(WCHAR)) + 1) * sizeof(WCHAR)); if (NULL == pwszUser) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } CopyMemory(pwszUser, pbT, cb); pwszUser[cb / sizeof(WCHAR)] = L'\0';
if (g_fVerbose) { wprintf(L"\n----------------------\n"); wprintf(myLoadResourceString(IDS_USER_COLON)); wprintf(L" %ws -- %ws\n", pwszUser, pwszGUID); }
pbT += cb; cbT -= cb;
// for each User cert:
while (0 < cbT) { DWORD CertStatus; FILETIME ftRevoke; BYTE const *pbCert; DWORD cbCert; if (g_fVerbose) { wprintf(wszNewLine); } hr = GetMarshaledDword(FALSE, &pbT, &cbT, &CertStatus); _JumpIfError(hr, error, "GetMarshaledDword");
if (1 < g_fVerbose) { wprintf(wszNewLine); cuRegPrintDwordValue( TRUE, wszKMSCERTSTATUS, wszKMSCERTSTATUS, CertStatus); }
hr = GetMarshaledDword(TRUE, &pbT, &cbT, &cb); _JumpIfError(hr, error, "GetMarshaledDword");
// Dump one user cert:
pbCert = pbT; cbCert = cb; if (g_fSplitASN) { wprintf(wszNewLine); hr = cuDumpAsnBinaryQuiet(pbCert, cbCert, MAXDWORD); _JumpIfError(hr, error, "cuDumpAsnBinaryQuiet"); }
pbT += cb; cbT -= cb;
// Get the revocation date (KMS export date):
hr = GetMarshaledDword( FALSE, &pbT, &cbT, &ftRevoke.dwLowDateTime); _JumpIfError(hr, error, "GetMarshaledDword");
hr = GetMarshaledDword( FALSE, &pbT, &cbT, &ftRevoke.dwHighDateTime); _JumpIfError(hr, error, "GetMarshaledDword");
if (g_fVerbose) { hr = cuDumpFileTime(IDS_REVOCATIONDATE, NULL, &ftRevoke); _PrintIfError(hr, "cuDumpFileTime"); }
// Only encryption certs have archived keys:
if (0 == (CERTFLAGS_SEALING & CertStatus)) { pkmsStats->cCertWithoutKeys++; if (g_fVerbose) { wprintf(myLoadResourceString(IDS_IMPORT_CERT_SKIPPED_SIGNING)); // "Ignored signing certificate"
wprintf(wszNewLine); } continue; } pkmsStats->cCertTotal++; pkmsStats->cKeyTotal++;
// get encrypted private key size
hr = GetMarshaledDword(TRUE, &pbT, &cbT, &cb); _JumpIfError(hr, error, "GetMarshaledDword"); // get 8 byte RC2 IV
if (1 < g_fVerbose) { wprintf(L"IV:\n"); DumpHex( DH_NOADDRESS | DH_NOTABPREFIX | DH_NOASCIIHEX | 4, pbT, CB_IV); }
if (NULL != hkeySym) { // Set IV
if (!CryptSetKeyParam( hkeySym, KP_IV, const_cast<BYTE *>(pbT), 0)) { hr = GetLastError(); _JumpIfError(hr, error, "CryptSetKeyParam"); } } pbT += CB_IV; cbT -= CB_IV; cb -= CB_IV;
if (1 < g_fVerbose) { wprintf(wszNewLine); wprintf(myLoadResourceString(IDS_ENCRYPTED_KEY_COLON)); wprintf(wszNewLine); DumpHex(0, pbT, cb); } // decrypt key using hkeySym
// in-place decode is Ok because the size of the
// original data is always less than or equal to that
// of the encrypted data
cbStream = cb; // save off the real stream size first
if (NULL != hkeySym) { cbKeyASN = cb; pbKeyASN = (BYTE *) LocalAlloc(LMEM_FIXED, cb); if (NULL == pbKeyASN) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } CopyMemory(pbKeyASN, pbT, cbKeyASN); if (!CryptDecrypt(hkeySym, NULL, TRUE, 0, pbKeyASN, &cb)) { hr = GetLastError(); _PrintError(hr, "CryptDecrypt"); } else { BYTE *pbKey; DWORD cbKey;
if (1 < g_fVerbose) { wprintf(wszNewLine); wprintf(myLoadResourceString(IDS_DECRYPTED_KEY_COLON)); wprintf(wszNewLine); DumpHex(DH_PRIVATEDATA, pbKeyASN, cb); }
hr = myDecodeKMSRSAKey( pbKeyASN, cbKeyASN, CALG_RSA_KEYX, &pbKey, &cbKey); _JumpIfError(hr, error, "myDecodeKMSRSAKey");
hr = myVerifyKMSKey( pbCert, cbCert, pbKey, cbKey, AT_KEYEXCHANGE, FALSE); _PrintIfError(hr, "myVerifyKMSKey");
hr = ArchiveCertAndKey( pdiAdmin, pccXchg, pbCert, cbCert, pbKey, cbKey, FALSE, // fSigningKey
pkmsStats); _PrintIfError2(hr, "ArchiveCertAndKey", NTE_BAD_SIGNATURE);
SecureZeroMemory(pbKey, cbKey); // Key material
LocalFree(pbKey); } SecureZeroMemory(pbKeyASN, cbKeyASN); // Key material
LocalFree(pbKeyASN); pbKeyASN = NULL; }
// skip cbStream bytes, not cb
pbT += cbStream; cbT -= cbStream; } hr = S_OK;
error: if (NULL != pwszGUID) { LocalFree(pwszGUID); } if (NULL != pbKeyASN) { SecureZeroMemory(pbKeyASN, cbKeyASN); // Key material
LocalFree(pbKeyASN); } return(hr);}
HRESULTGetCAXchgCert( IN DISPATCHINTERFACE *pdiAdmin, OUT CERT_CONTEXT const **ppccXchg){ HRESULT hr; BSTR strCert = NULL; *ppccXchg = NULL;
hr = Admin2_GetCAProperty( pdiAdmin, g_pwszConfig, CR_PROP_CAXCHGCERT, 0, // PropIndex
PROPTYPE_BINARY, CR_OUT_BINARY, &strCert); _JumpIfError(hr, error, "Admin2_GetCAProperty");
*ppccXchg = CertCreateCertificateContext( X509_ASN_ENCODING, (BYTE const *) strCert, SysStringByteLen(strCert)); if (NULL == *ppccXchg) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); } hr = S_OK;
error: if (NULL != strCert) { SysFreeString(strCert); } return(hr);}
typedef struct _KMSMAP { DWORD dwFieldOffset; DWORD idMsg;} KMSMAP;
KMSMAP g_akmUsers[] = { { FIELD_OFFSET(KMSSTATS, cRecUser), IDS_KMS_USERS, },};
KMSMAP g_akmCerts[] = { { FIELD_OFFSET(KMSSTATS, cCertWithoutKeys), IDS_KMS_CERTS_SKIPPED, }, { FIELD_OFFSET(KMSSTATS, cCertTotal), IDS_KMS_CERTS_TOTAL, }, { FIELD_OFFSET(KMSSTATS, cCertSavedForeign), IDS_KMS_CERTS_FOREIGN, }, { FIELD_OFFSET(KMSSTATS, cCertAlreadySaved), IDS_KMS_CERTS_ALREADYSAVED, }, { FIELD_OFFSET(KMSSTATS, cCertSaved), IDS_KMS_CERTS_SAVED, }, { FIELD_OFFSET(KMSSTATS, cCertNotSaved), IDS_KMS_CERTS_NOTSAVED, },};
KMSMAP g_akmKeys[] = { { FIELD_OFFSET(KMSSTATS, cKeyTotal), IDS_KMS_KEYS_TOTAL, }, { FIELD_OFFSET(KMSSTATS, cKeyAlreadySaved), IDS_KMS_KEYS_ALREADYSAVED, }, { FIELD_OFFSET(KMSSTATS, cKeySavedOverwrite), IDS_KMS_KEYS_UPDATED, }, { FIELD_OFFSET(KMSSTATS, cKeySaved), IDS_KMS_KEYS_SAVED, }, { FIELD_OFFSET(KMSSTATS, cKeyNotSaved), IDS_KMS_KEYS_NOTSAVED, },};
VOIDDumpKMSMap( IN KMSSTATS const *pkmsStats, IN KMSMAP const *pkm, IN DWORD ckm){ DWORD i; BOOL fFirst = TRUE; DWORD count;
for (i = 0; i < ckm; i++) { count = *(DWORD *) Add2ConstPtr(pkmsStats, pkm[i].dwFieldOffset); if (g_fVerbose || 0 != count) { if (fFirst) { wprintf(wszNewLine); fFirst = FALSE; } wprintf(myLoadResourceString(pkm[i].idMsg)); wprintf(L": %u\n", count); } }}
HRESULTDumpKMSStats( IN KMSSTATS const *pkmsStats){ DumpKMSMap(pkmsStats, g_akmUsers, ARRAYSIZE(g_akmUsers)); DumpKMSMap(pkmsStats, g_akmCerts, ARRAYSIZE(g_akmCerts)); DumpKMSMap(pkmsStats, g_akmKeys, ARRAYSIZE(g_akmKeys)); return(pkmsStats->hr);}
HRESULTImportKMSExportedUsers( IN HANDLE hFile, IN DWORD cbFile, IN HCRYPTPROV hProvKMS, IN HCRYPTKEY hkeyKMS){ HRESULT hr; HRESULT hrImport = S_OK; DWORD cbRemain; DWORD cbRead; TagHeader th; BYTE *pb = NULL; HCRYPTKEY hkeySym = NULL; KMSSTATS kmsStats; DISPATCHINTERFACE diAdmin; BOOL fMustRelease = FALSE; CERT_CONTEXT const *pccXchg = NULL; DWORD cImportFailures;
ZeroMemory(&kmsStats, sizeof(kmsStats));
hr = Admin_Init(g_DispatchFlags, &diAdmin); _JumpIfError(hr, error, "Admin_Init");
fMustRelease = TRUE;
hr = GetCAXchgCert(&diAdmin, &pccXchg); _JumpIfError(hr, error, "GetCAXchgCert");
cImportFailures = 0; cbRemain = cbFile; while (0 < cbRemain) { CSASSERT(NULL == pb); hr = ReadTaggedBlob(hFile, cbRemain, &th, &pb); _JumpIfError(hr, error, "ReadTaggedBlob");
if (!DumpKMSTag(&th)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "invalid tag"); }
switch (th.tag) { case KMS_LOCKBOX_TAG: { if (1 < g_fVerbose) { hr = cuDumpPrivateKeyBlob(pb, th.cbSize, FALSE); _PrintIfError(hr, "cuDumpPrivateKeyBlob"); }
// only need one symmetric key per file
if (NULL == hkeySym) { // 0x0000660c ALG_ID CALG_RC2_128
//
// CALG_RC2_128:
// ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_RC2_128
//
// CALG_CYLINK_MEK:
// ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_CYLINK_MEK
//
// UGH! Exchange's CALG_RC2_128 #define collides with
// wincrypt.h's CALG_CYLINK_MEK -- fix it up to be the
// correct CALG_RC2 algid from wincrypt.h.
((PUBLICKEYSTRUC *) pb)->aiKeyAlg = CALG_RC2;
// dump the fixed-up blob
if (1 < g_fVerbose) { hr = cuDumpPrivateKeyBlob(pb, th.cbSize, FALSE); _PrintIfError(hr, "cuDumpPrivateKeyBlob"); }
// import 128 bit key
if (!CryptImportKey( hProvKMS, pb, th.cbSize, hkeyKMS, 0, &hkeySym)) { hrImport = myHLastError(); _PrintError2(hrImport, "CryptImportKey", hrImport); if (0 < cImportFailures++) { wprintf(myLoadResourceString(IDS_ERROR_SYMMETRIC_KEY)); wprintf(wszNewLine); _PrintError(hrImport, "CryptImportKey"); } } else { // We found the right lockbox. Effective keylen is
// still 40 bits in our CSP, reset to 128
DWORD dwEffectiveKeylen = 128;
if (!CryptSetKeyParam( hkeySym, KP_EFFECTIVE_KEYLEN, (BYTE *) &dwEffectiveKeylen, 0)) { hr = myHLastError(); _JumpError(hr, error, "CryptSetKeyParam(KP_EFFECTIVE_KEYLEN)"); } wprintf(myLoadResourceString(IDS_SYMMETRIC_KEY_IMPORTED)); wprintf(wszNewLine); hrImport = S_OK; } } break; }
case KMS_USER_RECORD_TAG: hr = ImportOneKMSUser( &diAdmin, pccXchg, pb, th.cbSize, hkeySym, &kmsStats); _JumpIfError(hr, error, "ImportOneKMSUser");
break;
default: break; }
LocalFree(pb); pb = NULL; CSASSERT(cbRemain >= sizeof(th) + sizeof(th.cbSize)); cbRemain -= sizeof(th) + th.cbSize; }
if (!g_fVerbose) { wprintf(wszNewLine); } hr = DumpKMSStats(&kmsStats); _PrintIfError(hr, "DumpKMSStats"); if (S_OK != hrImport) { hr = hrImport; } _JumpIfError(hr, error, "hrImport");
error: if (NULL != pccXchg) { CertFreeCertificateContext(pccXchg); } if (fMustRelease) { Admin_Release(&diAdmin); } if (NULL != hkeySym) { CryptDestroyKey(hkeySym); } return(hr);}
HRESULTLoadKMSCert( IN WCHAR const *pwszCertIdDecrypt, OUT CERT_CONTEXT const **ppccKMS, OUT HCRYPTPROV *phProvKMS, OUT HCRYPTKEY *phkeyKMS){ HRESULT hr; CRYPT_KEY_PROV_INFO *pkpiKMS = NULL; DWORD cbkpiKMS; BYTE *pbKey = NULL; DWORD cbKey; HCRYPTKEY hkeyKMSSig = NULL;
*ppccKMS = NULL; *phProvKMS = NULL; *phkeyKMS = NULL;
hr = myGetCertificateFromPicker( g_hInstance, NULL, // hwndParent
IDS_GETCERT_TITLE, // "Certificate List"
IDS_GETDECRYPTCERT_SUBTITLE,
// dwFlags: HKLM+HKCU My store
CUCS_MYSTORE | CUCS_MACHINESTORE | CUCS_USERSTORE | CUCS_PRIVATEKEYREQUIRED | (g_fCryptSilent? CUCS_SILENT : 0), pwszCertIdDecrypt, 0, // cStore
NULL, // rghStore
0, // cpszObjId
NULL, // apszObjId
ppccKMS); // ppCert
_JumpIfError(hr, error, "myGetCertificateFromPicker");
if (NULL == *ppccKMS) { hr = ERROR_CANCELLED; _JumpError(hr, error, "myGetCertificateFromPicker"); }
if (!myCertGetCertificateContextProperty( *ppccKMS, CERT_KEY_PROV_INFO_PROP_ID, CERTLIB_USE_LOCALALLOC, (VOID **) &pkpiKMS, &cbkpiKMS)) { hr = myHLastError(); _JumpError(hr, error, "myCertGetCertificateContextProperty"); } if (0 == LSTRCMPIS(pkpiKMS->pwszProvName, MS_DEF_PROV_W)) { pkpiKMS->pwszProvName = MS_STRONG_PROV_W; } if (g_fVerbose) { wprintf( L"CryptAcquireContext(%ws, %ws)\n", pkpiKMS->pwszContainerName, pkpiKMS->pwszProvName); } if (!CryptAcquireContext( phProvKMS, pkpiKMS->pwszContainerName, pkpiKMS->pwszProvName, pkpiKMS->dwProvType, pkpiKMS->dwFlags)) { hr = myHLastError(); wprintf(L"CryptAcquireContext() --> %x\n", hr); _JumpError(hr, error, "CryptAcquireContext"); }
if (!CryptGetUserKey(*phProvKMS, AT_KEYEXCHANGE, phkeyKMS)) { hr = myHLastError(); if (hr != NTE_NO_KEY) { _JumpError(hr, error, "CryptGetUserKey"); }
if (!CryptGetUserKey(*phProvKMS, AT_SIGNATURE, &hkeyKMSSig)) { hr = myHLastError(); _JumpError(hr, error, "CryptGetUserKey - sig"); }
// UGH! migrate from AT_SIGNATURE container!
cbKey = 0; hr = myCryptExportKey( hkeyKMSSig, // hKey
NULL, // hKeyExp
PRIVATEKEYBLOB, // dwBlobType
0, // dwFlags
&pbKey, &cbKey); _JumpIfError(hr, error, "myCryptExportKey");
// UGH! fix up the algid to signature...
((PUBLICKEYSTRUC *) pbKey)->aiKeyAlg = CALG_RSA_KEYX; // and re-import it
if (!CryptImportKey( *phProvKMS, pbKey, cbKey, NULL, CRYPT_EXPORTABLE, phkeyKMS)) { hr = myHLastError(); _JumpError(hr, error, "CryptImportKey"); } wprintf(myLoadResourceString(IDS_MOVED_SIGNATURE_KEY)); wprintf(wszNewLine); } hr = S_OK;
error: if (S_OK != hr) { if (NULL != *ppccKMS) { CertFreeCertificateContext(*ppccKMS); *ppccKMS = NULL; } if (NULL != *phProvKMS) { CryptReleaseContext(*phProvKMS, 0); *phProvKMS = NULL; } } if (NULL != pbKey) { LocalFree(pbKey); } if (NULL != pkpiKMS) { LocalFree(pkpiKMS); } if (NULL != hkeyKMSSig) { CryptDestroyKey(hkeyKMSSig); } return(hr);}
HRESULTImportOnePFXCert( IN DISPATCHINTERFACE *pdiAdmin, IN CERT_CONTEXT const *pccXchg, IN CERT_CONTEXT const *pCert, IN OUT KMSSTATS *pkmsStats){ HRESULT hr; CRYPT_KEY_PROV_INFO *pkpi = NULL; HCRYPTPROV hProv = NULL; HCRYPTKEY hKey = NULL; BYTE *pbKey = NULL; DWORD cbKey;
hr = myCertGetKeyProviderInfo(pCert, &pkpi); if (S_OK != hr) { _PrintError(hr, "myCertGetKeyProviderInfo"); pkmsStats->cCertWithoutKeys++; hr = S_OK; goto error; } pkmsStats->cCertTotal++; if (!CryptAcquireContext( &hProv, pkpi->pwszContainerName, pkpi->pwszProvName, pkpi->dwProvType, pkpi->dwFlags)) { hr = myHLastError(); _JumpError(hr, error, "CryptAcquireContext"); } if (!CryptGetUserKey(hProv, pkpi->dwKeySpec, &hKey)) { hr = myHLastError(); _JumpIfError(hr, error, "CryptGetUserKey"); } hr = myCryptExportPrivateKey(hKey, &pbKey, &cbKey); _JumpIfError(hr, error, "myCryptExportPrivateKey");
pkmsStats->cKeyTotal++;
hr = myVerifyKMSKey( pCert->pbCertEncoded, pCert->cbCertEncoded, pbKey, cbKey, pkpi->dwKeySpec, FALSE); _JumpIfError(hr, error, "myVerifyKMSKey");
hr = ArchiveCertAndKey( pdiAdmin, pccXchg, pCert->pbCertEncoded, pCert->cbCertEncoded, pbKey, cbKey, AT_KEYEXCHANGE != pkpi->dwKeySpec, // fSigningKey
pkmsStats); _JumpIfError(hr, error, "ArchiveCertAndKey");
error: if (NULL != pbKey) { SecureZeroMemory(pbKey, cbKey); // Key material
LocalFree(pbKey); } if (NULL != hProv) { CryptReleaseContext(hProv, 0); } if (NULL != pkpi) { LocalFree(pkpi); } return(hr);}
HRESULTImportKMSPFXOrEPFFile( IN WCHAR const *pwszfn){ HRESULT hr; CERT_CONTEXT const *pccXchg = NULL; HCERTSTORE hStorePFX = NULL; CERT_CONTEXT const *pCert = NULL; DISPATCHINTERFACE diAdmin; BOOL fMustRelease = FALSE; KMSSTATS kmsStats; BOOL fUser = TRUE;
ZeroMemory(&kmsStats, sizeof(kmsStats));
hr = ReadPFXOrEPFIntoCertStore(pwszfn, fUser, &hStorePFX); _JumpIfError(hr, error, "ReadPFXOrEPFIntoCertStore");
hr = Admin_Init(g_DispatchFlags, &diAdmin); _JumpIfError(hr, error, "Admin_Init");
fMustRelease = TRUE;
hr = GetCAXchgCert(&diAdmin, &pccXchg); _JumpIfError(hr, error, "GetCAXchgCert");
while (TRUE) { pCert = CertEnumCertificatesInStore(hStorePFX, pCert); if (NULL == pCert) { break; } hr = ImportOnePFXCert(&diAdmin, pccXchg, pCert, &kmsStats); _PrintIfError(hr, "ImportOnePFXCert"); } hr = DumpKMSStats(&kmsStats); _JumpIfError(hr, error, "DumpKMSStats");
error: if (NULL != hStorePFX) { myDeleteGuidKeys(hStorePFX, !fUser); CertCloseStore(hStorePFX, CERT_CLOSE_STORE_CHECK_FLAG); } if (NULL != pccXchg) { CertFreeCertificateContext(pccXchg); } if (fMustRelease) { Admin_Release(&diAdmin); } return(hr);}
HRESULTImportKMSExportFile( IN WCHAR const *pwszfnKMS, IN WCHAR const *pwszCertIdDecrypt, OUT BOOL *pfBadTag){ HRESULT hr; CERT_CONTEXT const *pccKMS = NULL; HCRYPTPROV hProvKMS = NULL; HCRYPTKEY hkeyKMS = NULL; HANDLE hFile = INVALID_HANDLE_VALUE; DWORD cbFile; CERT_CONTEXT const *pccSigner = NULL;
*pfBadTag = TRUE; hFile = CreateFile( pwszfnKMS, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL); if (INVALID_HANDLE_VALUE == hFile) { hr = myHLastError(); _JumpError(hr, error, "CreateFile"); }
cbFile = GetFileSize(hFile, NULL); if (MAXDWORD == cbFile) { hr = myHLastError(); _JumpError(hr, error, "GetFileSize"); }
// verify the KMS data signature
hr = VerifyKMSExportFile(hFile, cbFile, &pccSigner); _JumpIfError(hr, error, "VerifyKMSExportFile");
*pfBadTag = FALSE; if (INVALID_SET_FILE_POINTER == SetFilePointer(hFile, 0, NULL, FILE_BEGIN)) { hr = myHLastError(); _JumpError(hr, error, "SetFilePointer"); }
// Load the KMS recipient cert to be used to decrypt user keys
hr = LoadKMSCert(pwszCertIdDecrypt, &pccKMS, &hProvKMS, &hkeyKMS); _JumpIfError(hr, error, "LoadKMSCert");
// import the KMS data
hr = ImportKMSExportedUsers(hFile, cbFile, hProvKMS, hkeyKMS); _JumpIfError(hr, error, "ImportKMSExportedUsers");
error: if (NULL != pccKMS) { CertFreeCertificateContext(pccKMS); } if (NULL != pccSigner) { CertFreeCertificateContext(pccSigner); } if (NULL != hkeyKMS) { CryptDestroyKey(hkeyKMS); } if (NULL != hProvKMS) { CryptReleaseContext(hProvKMS, 0); } if (INVALID_HANDLE_VALUE != hFile) { CloseHandle(hFile); } return(hr);}
HRESULTverbImportKMS( IN WCHAR const *pwszOption, IN WCHAR const *pwszfnKMS, IN WCHAR const *pwszCertIdDecrypt, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; BOOL fBadTag;
hr = ImportKMSExportFile(pwszfnKMS, pwszCertIdDecrypt, &fBadTag); if (S_OK != hr) { _PrintError(hr, "ImportKMSExportFile"); if (!fBadTag) { goto error; } if (NULL != pwszCertIdDecrypt) { hr = E_INVALIDARG; _JumpErrorStr(hr, error, "unexpected arg", pwszCertIdDecrypt); } hr = ImportKMSPFXOrEPFFile(pwszfnKMS); _JumpIfError(hr, error, "ImportKMSPFXOrEPFFile"); }
error: return(hr);}
HRESULTstoreDumpPrivateKey( IN HCRYPTPROV hProv, IN DWORD dwKeySpec){ HRESULT hr; HCRYPTKEY hKey = NULL; CRYPT_BIT_BLOB PrivateKey;
ZeroMemory(&PrivateKey, sizeof(PrivateKey)); if (!CryptGetUserKey(hProv, dwKeySpec, &hKey)) { hr = myHLastError(); _PrintError(hr, "CryptGetUserKey"); cuPrintError(IDS_ERR_FORMAT_LOADKEY, hr); goto error; } hr = myCryptExportPrivateKey( hKey, &PrivateKey.pbData, &PrivateKey.cbData); if (NTE_BAD_KEY_STATE == hr || NTE_PERM == hr) { wprintf(myLoadResourceString(IDS_PRIVATE_KEY_NOT_EXPORTABLE)); // "Private key is NOT exportable"
wprintf(wszNewLine); } else { _JumpIfError(hr, error, "myCryptExportPrivateKey"); } if (NULL != PrivateKey.pbData) { hr = cuDumpPrivateKeyBlob( PrivateKey.pbData, PrivateKey.cbData, FALSE); _JumpIfError(hr, error, "cuDumpPrivateKeyBlob"); } hr = S_OK;
error: if (NULL != PrivateKey.pbData) { SecureZeroMemory(PrivateKey.pbData, PrivateKey.cbData); // Key material
LocalFree(PrivateKey.pbData); } if (NULL != hKey) { CryptDestroyKey(hKey); } return(hr);}
HRESULTmyCryptGetProvParamToUnicode( IN HCRYPTPROV hProv, IN DWORD dwParam, OUT WCHAR **ppwszOut, IN DWORD dwFlags);
HRESULTDisplayUniqueContainer( IN HCRYPTPROV hProv){ HRESULT hr; WCHAR *pwszUniqueContainer = NULL;
hr = myCryptGetProvParamToUnicode( hProv, PP_UNIQUE_CONTAINER, &pwszUniqueContainer, 0); _JumpIfError(hr, error, "myCryptGetProvParamToUnicode");
wprintf(L" %ws\n", pwszUniqueContainer);
error: if (NULL != pwszUniqueContainer) { LocalFree(pwszUniqueContainer); } return(hr);}
HRESULTEnumKeys( IN WCHAR const *pwszProvName, IN DWORD dwProvType, IN BOOL fSkipKeys, OPTIONAL IN WCHAR const *pwszKeyContainerName){ HRESULT hr; KEY_LIST *pKeyList = NULL; KEY_LIST *pKeyT; WCHAR *pwszRevert = NULL; CERT_PUBLIC_KEY_INFO *pPubKeyInfoSig = NULL; CERT_PUBLIC_KEY_INFO *pPubKeyInfoXchg = NULL; WCHAR const *pwszPrefix;
if (!fSkipKeys) { hr = csiGetKeyList( dwProvType, // dwProvType
pwszProvName, // pwszProvName
!g_fUserRegistry, // fMachineKeyset
!g_fCryptSilent, // inverted fSilent: default is Silent!
&pKeyList); _JumpIfErrorStr(hr, error, "csiGetKeyList", pwszProvName); } if (fSkipKeys || NULL != pKeyList) { wprintf(L"%ws:\n", pwszProvName); } for (pKeyT = pKeyList; NULL != pKeyT; pKeyT = pKeyT->next) { DWORD dwProvTypeT;
hr = myRevertSanitizeName(pKeyT->pwszName, &pwszRevert); _JumpIfError(hr, error, "myRevertSanitizeName");
if (NULL == pwszKeyContainerName || 0 == mylstrcmpiL(pwszKeyContainerName, pwszRevert) || 0 == mylstrcmpiL(pwszKeyContainerName, pKeyT->pwszName)) { HCRYPTPROV hProv = NULL;
wprintf(L" %ws", pwszRevert); if (g_fVerbose && 0 != lstrcmp(pKeyT->pwszName, pwszRevert)) { wprintf(L" -- %ws", pKeyT->pwszName); } wprintf(wszNewLine);
dwProvTypeT = dwProvType; hr = cuLoadKeys( pwszProvName, &dwProvTypeT, pKeyT->pwszName, !g_fUserRegistry, // fMachineKeyset
TRUE, &hProv, &pPubKeyInfoSig, &pPubKeyInfoXchg); if (S_OK != hr) { cuPrintError(IDS_ERR_FORMAT_LOADKEYS, hr); } else if (g_fVerbose && NULL != hProv) { DisplayUniqueContainer(hProv); } if (NULL != pPubKeyInfoSig || NULL != pPubKeyInfoXchg) { pwszPrefix = g_wszPad4; if (NULL != pPubKeyInfoSig) { if (g_fVerbose) { wprintf(wszNewLine); } wprintf(L"%wsAT_SIGNATURE", pwszPrefix); pwszPrefix = L", "; if (g_fVerbose) { wprintf(L":\n"); cuDisplayKeyId(pPubKeyInfoSig, 0, NULL); wprintf(myLoadResourceString(IDS_CONTAINER_PUBLIC_KEY)); // "Container Public Key:"
wprintf(wszNewLine); DumpHex( DH_NOTABPREFIX | DH_NOASCIIHEX | 2, pPubKeyInfoSig->PublicKey.pbData, pPubKeyInfoSig->PublicKey.cbData);
wprintf(wszNewLine); storeDumpPrivateKey(hProv, AT_SIGNATURE); pwszPrefix = L" "; } LocalFree(pPubKeyInfoSig); pPubKeyInfoSig = NULL; } if (NULL != pPubKeyInfoXchg) { if (g_fVerbose) { wprintf(wszNewLine); } wprintf(L"%wsAT_KEYEXCHANGE", pwszPrefix); if (g_fVerbose) { wprintf(L":\n"); cuDisplayKeyId(pPubKeyInfoXchg, 0, NULL); wprintf(myLoadResourceString(IDS_CONTAINER_PUBLIC_KEY)); // "Container Public Key:"
wprintf(wszNewLine); DumpHex( DH_NOTABPREFIX | DH_NOASCIIHEX | 2, pPubKeyInfoXchg->PublicKey.pbData, pPubKeyInfoXchg->PublicKey.cbData);
wprintf(wszNewLine); storeDumpPrivateKey(hProv, AT_KEYEXCHANGE); } LocalFree(pPubKeyInfoXchg); pPubKeyInfoXchg = NULL; } wprintf(wszNewLine); } if (NULL != hProv) { CryptReleaseContext(hProv, 0); } if (NULL == pwszKeyContainerName) { wprintf(wszNewLine); } } LocalFree(pwszRevert); pwszRevert = NULL; } hr = S_OK;
error: if (NULL != pPubKeyInfoSig) { LocalFree(pPubKeyInfoSig); } if (NULL != pPubKeyInfoXchg) { LocalFree(pPubKeyInfoXchg); } if (NULL != pwszRevert) { LocalFree(pwszRevert); } if (NULL != pKeyList) { csiFreeKeyList(pKeyList); } return(hr);}
HRESULTverbKey( IN WCHAR const *pwszOption, OPTIONAL IN WCHAR const *pwszKeyContainerName, IN WCHAR const *pwszArg2, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; WCHAR *pwszProvider = g_pwszCSP; WCHAR *pwszProvName = NULL; WCHAR *pwszProvNameDefault = NULL; DWORD i; DWORD dwProvType; BOOL fSkipKeys = FALSE;
if (NULL == pwszProvider) { hr = myCryptGetDefaultProvider( PROV_RSA_FULL, g_fUserRegistry? CRYPT_USER_DEFAULT : CRYPT_MACHINE_DEFAULT, &pwszProvNameDefault); _JumpIfError(hr, error, "myCryptGetDefaultProvider");
pwszProvider = pwszProvNameDefault; } else if (0 == lstrcmp(L"*", pwszProvider)) { pwszProvider = NULL; // all CSPs
} if (NULL != pwszKeyContainerName) { if (myIsMinusSignString(pwszKeyContainerName)) { pwszKeyContainerName = NULL; // all keys
fSkipKeys = TRUE; } }
if (NULL != pwszProvider) { hr = csiGetProviderTypeFromProviderName(pwszProvider, &dwProvType); _JumpIfErrorStr(hr, error, "csiGetProviderTypeFromProviderName", pwszProvider); hr = EnumKeys( pwszProvider, dwProvType, fSkipKeys, pwszKeyContainerName); _JumpIfErrorStr(hr, error, "EnumKeys", pwszProvider); } else { for (i = 0; ; i++) { CSASSERT(NULL == pwszProvName); hr = myEnumProviders(i, NULL, 0, &dwProvType, &pwszProvName); if (S_OK != hr) { if (HRESULT_FROM_WIN32(ERROR_NO_MORE_ITEMS) == hr || NTE_FAIL == hr) { // no more providers under type, out of i loop
break; } // invalid csp entry, skip it
wprintf(myLoadResourceString(IDS_FORMAT_SKIP_CSP_ENUM), i); wprintf(wszNewLine); } else { hr = EnumKeys( pwszProvName, dwProvType, fSkipKeys, pwszKeyContainerName); _JumpIfErrorStr(hr, error, "EnumKeys", pwszProvName);
LocalFree(pwszProvName); pwszProvName = NULL; } } } hr = S_OK;
error: if (NULL != pwszProvName) { LocalFree(pwszProvName); } if (NULL != pwszProvNameDefault) { LocalFree(pwszProvNameDefault); } return(hr);}
HRESULTcuSanitizeNameWithSuffix( IN WCHAR const *pwszName, OUT WCHAR **ppwszNameOut){ HRESULT hr; WCHAR const *pwszSuffix; WCHAR const *pwsz; WCHAR *pwszBase = NULL; WCHAR *pwszSanitizedName = NULL; DWORD cwc;
pwsz = wcsrchr(pwszName, wcLPAREN); pwszSuffix = pwsz; if (NULL != pwsz) { BOOL fSawDigit = FALSE;
pwsz++; while (iswdigit(*pwsz)) { pwsz++; fSawDigit = TRUE; } if (fSawDigit && wcRPAREN == *pwsz && (L'.' == pwsz[1] || L'\0' == pwsz[1])) { cwc = SAFE_SUBTRACT_POINTERS(pwszSuffix, pwszName);
pwszBase = (WCHAR *) LocalAlloc( LMEM_FIXED, (cwc + 1) * sizeof(WCHAR)); if (NULL == pwszBase) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } CopyMemory(pwszBase, pwszName, cwc * sizeof(WCHAR)); pwszBase[cwc] = L'\0'; pwszName = pwszBase; } else { pwszSuffix = NULL; } } hr = mySanitizeName(pwszName, &pwszSanitizedName); _JumpIfError(hr, error, "mySanitizeName");
if (NULL == pwszSuffix) { *ppwszNameOut = pwszSanitizedName; pwszSanitizedName = NULL; } else { *ppwszNameOut = (WCHAR *) LocalAlloc( LMEM_FIXED, (wcslen(pwszSanitizedName) + wcslen(pwszSuffix) + 1) * sizeof(WCHAR)); if (NULL == *ppwszNameOut) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } wcscpy(*ppwszNameOut, pwszSanitizedName); wcscat(*ppwszNameOut, pwszSuffix); } hr = S_OK;
error: if (NULL != pwszSanitizedName) { LocalFree(pwszSanitizedName); } if (NULL != pwszBase) { LocalFree(pwszBase); } return(hr);}
HRESULTverbDelKey( IN WCHAR const *pwszOption, IN WCHAR const *pwszKeyContainerName, IN WCHAR const *pwszArg2, IN WCHAR const *pwszArg3, IN WCHAR const *pwszArg4){ HRESULT hr; HCRYPTPROV hProv = NULL; WCHAR *pwszProvider = g_pwszCSP; WCHAR *pwszProvNameDefault = NULL; WCHAR *apwszKeyContainer[3]; DWORD i; DWORD dwProviderType; DWORD dwFlags = CRYPT_DELETEKEYSET;
// If supplied provider is NULL, use the default provider.
if (pwszProvider == NULL) { hr = myCryptGetDefaultProvider( PROV_RSA_FULL, g_fUserRegistry? CRYPT_USER_DEFAULT : CRYPT_MACHINE_DEFAULT, &pwszProvNameDefault); _JumpIfError(hr, error, "myCryptGetDefaultProvider");
pwszProvider = pwszProvNameDefault; } apwszKeyContainer[0] = const_cast<WCHAR *>(pwszKeyContainerName); apwszKeyContainer[1] = NULL; apwszKeyContainer[2] = NULL;
hr = mySanitizeName(pwszKeyContainerName, &apwszKeyContainer[1]); _JumpIfError(hr, error, "mySanitizeName");
hr = cuSanitizeNameWithSuffix(pwszKeyContainerName, &apwszKeyContainer[2]); _JumpIfError(hr, error, "cuSanitizeNameWithSuffix");
hr = csiGetProviderTypeFromProviderName(pwszProvider, &dwProviderType); _JumpIfError(hr, error, "csiGetProviderTypeFromProviderName"); if (g_fCryptSilent) { dwFlags |= CRYPT_SILENT; }
for (i = 0; i < ARRAYSIZE(apwszKeyContainer); i++) { if (!myCertSrvCryptAcquireContext( &hProv, apwszKeyContainer[i], pwszProvider, dwProviderType, dwFlags, !g_fUserRegistry)) // fMachineKeyset
{ hr = myHLastError(); _PrintErrorStr2( hr, "myCertSrvCryptAcquireContext", apwszKeyContainer[i], hr); } else { DWORD j; wprintf(L" %ws", apwszKeyContainer[i]); if (g_fVerbose) { wprintf(L" --"); for (j = 0; j < ARRAYSIZE(apwszKeyContainer); j++) { wprintf(L" %ws", apwszKeyContainer[j]); } } wprintf(wszNewLine); hr = S_OK; break; } } _JumpIfError(hr, error, "myCertSrvCryptAcquireContext");
error: for (i = 1; i < ARRAYSIZE(apwszKeyContainer); i++) { if (NULL != apwszKeyContainer[i]) { LocalFree(apwszKeyContainer[i]); } } if (NULL != pwszProvNameDefault) { LocalFree(pwszProvNameDefault); } return(hr);}
|
