|
|
//+--------------------------------------------------------------------------
//
// Copyright (c) 1997-1999 Microsoft Corporation
//
// File: gencert.cpp
//
// Contents:
//
// History:
//
//---------------------------------------------------------------------------
#include "pch.cpp"
#include "misc.h"
#include "utils.h"
#include "gencert.h"
#include "globals.h"
#ifndef UNICODE
const DWORD dwCertRdnValueType = CERT_RDN_PRINTABLE_STRING; #else
const DWORD dwCertRdnValueType = CERT_RDN_UNICODE_STRING;
#endif
#ifndef CertStrToName
//
// Function prototype not found in wincrypt.h or anywhere but
// is in crypt32.lib
//
#ifdef __cplusplus
extern "C" {#endif
BOOL WINAPI CertStrToNameA( DWORD dwCertEncodingType, // in
LPCSTR pszX500, // in
DWORD dwStrType, // in
void* pvReserved, // in, optional
BYTE* pbEncoded, // out
DWORD* pcbEncoded, // in/out
LPCSTR* ppszError // out, optional
);
CertStrToNameW( DWORD dwCertEncodingType, // in
LPCWSTR pszX500, // in
DWORD dwStrType, // in
void* pvReserved, // in, optional
BYTE* pbEncoded, // out
DWORD* pcbEncoded, // in/out
LPCWSTR* ppszError // out, optional
);
#ifdef UNICODE
#define CertStrToName CertStrToNameW
#else
#define CertStrToName CertStrToNameA
#endif
#ifdef __cplusplus
}#endif
#endif
/*******************************************************************************************
Function: LSEncryptBase64EncodeHWID()
Description: Encrypt using license server private key then base64 encode the hardware ID
Arguments: IN PHWID - pointer to HWID to be encrypt/encoded OUT DWORD* cbBase64EncodeHwid - size of pointer to encrypted/encoded string OUT PBYTE* szBase64EncodeHwid - Pointer to encrypted/encoded string.
Returns: TRUE if successful, FALSE otherwise, call GetLastError() for detail.*******************************************************************************************/BOOL TLSEncryptBase64EncodeHWID( PHWID pHwid, DWORD* cbBase64EncodeHwid, PBYTE* szBase64EncodeHwid ){ DWORD status=ERROR_SUCCESS;
//
// Encrypt HWID
//
BYTE tmp_pbEncryptedHwid[sizeof(HWID)*2+2]; DWORD tmp_cbEncryptedHwid=sizeof(tmp_pbEncryptedHwid);
do { memset(tmp_pbEncryptedHwid, 0, sizeof(tmp_pbEncryptedHwid)); if((status=LicenseEncryptHwid( pHwid, &tmp_cbEncryptedHwid, tmp_pbEncryptedHwid, g_cbSecretKey, g_pbSecretKey) != LICENSE_STATUS_OK)) { break; }
//
// BASE64 Encode Encrypted HWID - printable char. string
//
if((status=LSBase64Encode( tmp_pbEncryptedHwid, tmp_cbEncryptedHwid, NULL, cbBase64EncodeHwid)) != ERROR_SUCCESS) { break; }
*szBase64EncodeHwid=(PBYTE)AllocateMemory(*cbBase64EncodeHwid*(sizeof(TCHAR)+1)); if(*szBase64EncodeHwid == NULL) { SetLastError(status = ERROR_OUTOFMEMORY); break; }
// base64 encoding
status=LSBase64Encode( tmp_pbEncryptedHwid, tmp_cbEncryptedHwid, (TCHAR *)*szBase64EncodeHwid, cbBase64EncodeHwid); } while(FALSE);
return status == ERROR_SUCCESS;}
/*******************************************************************************************/
DWORDTLSAddCertAuthorityInfoAccess( LPTSTR szIssuerDnsName, PCERT_EXTENSION pExtension )/*
*/{ LSCERT_AUTHORITY_INFO_ACCESS certInfoAccess; LSCERT_ACCESS_DESCRIPTION certAcccessDesc;
certAcccessDesc.pszAccessMethod=szOID_X509_ACCESS_PKIX_OCSP; certAcccessDesc.AccessLocation.dwAltNameChoice = LSCERT_ALT_NAME_DNS_NAME; certAcccessDesc.AccessLocation.pwszDNSName = szIssuerDnsName;
certInfoAccess.cAccDescr = 1; certInfoAccess.rgAccDescr = &certAcccessDesc;
pExtension->pszObjId = szOID_X509_AUTHORITY_ACCESS_INFO; pExtension->fCritical = TRUE;
return TLSCryptEncodeObject( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, szOID_X509_AUTHORITY_ACCESS_INFO, &certInfoAccess, &pExtension->Value.pbData, &pExtension->Value.cbData );}
///////////////////////////////////////////////////////////////////////////////
DWORDTLSAddCertAuthorityKeyIdExtension( LPTSTR szIssuer, ULARGE_INTEGER* CertSerialNumber, PCERT_EXTENSION pExtension )/*
*/{ //
// Use CERT_AUTHORITY_KEY_ID2_INFO
// some structure not defined in SP3's wincrypt.h
//
LSCERT_ALT_NAME_ENTRY certAltNameEntry; LSCERT_AUTHORITY_KEY_ID2_INFO authKeyId2Info;
memset(&authKeyId2Info, 0, sizeof(authKeyId2Info)); authKeyId2Info.AuthorityCertSerialNumber.cbData = sizeof(ULARGE_INTEGER); authKeyId2Info.AuthorityCertSerialNumber.pbData = (PBYTE)CertSerialNumber;
memset(&certAltNameEntry, 0, sizeof(certAltNameEntry)); certAltNameEntry.dwAltNameChoice=CERT_ALT_NAME_DIRECTORY_NAME; //LSCERT_ALT_NAME_RFC822_NAME;
certAltNameEntry.DirectoryName.cbData = (_tcslen(szIssuer) + 1) * sizeof(TCHAR); certAltNameEntry.DirectoryName.pbData = (PBYTE)szIssuer;
authKeyId2Info.AuthorityCertIssuer.cAltEntry=1; authKeyId2Info.AuthorityCertIssuer.rgAltEntry=&certAltNameEntry; pExtension->pszObjId = szOID_X509_AUTHORITY_KEY_ID2; pExtension->fCritical = TRUE; return TLSCryptEncodeObject( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, szOID_X509_AUTHORITY_KEY_ID2, &authKeyId2Info, &pExtension->Value.pbData, &pExtension->Value.cbData );}
///////////////////////////////////////////////////////////////////////////////
DWORDTLSExportPublicKey( IN HCRYPTPROV hCryptProv, IN DWORD dwKeyType, IN OUT PDWORD pcbByte, IN OUT PCERT_PUBLIC_KEY_INFO *ppbByte )/*
*/{ BOOL bRetCode=TRUE;
*pcbByte=0; *ppbByte=NULL;
bRetCode = CryptExportPublicKeyInfo( hCryptProv, dwKeyType, X509_ASN_ENCODING, NULL, pcbByte); if(bRetCode == FALSE) goto cleanup; if((*ppbByte=(PCERT_PUBLIC_KEY_INFO)AllocateMemory(*pcbByte)) == NULL) { bRetCode = FALSE; goto cleanup; }
bRetCode = CryptExportPublicKeyInfo( hCryptProv, dwKeyType, X509_ASN_ENCODING, *ppbByte, pcbByte); if(bRetCode == FALSE) { FreeMemory(*ppbByte); *pcbByte = 0; }
cleanup:
return (bRetCode) ? ERROR_SUCCESS : GetLastError();}
///////////////////////////////////////////////////////////////////////////////
DWORD TLSCryptEncodeObject( IN DWORD dwEncodingType, IN LPCSTR lpszStructType, IN const void * pvStructInfo, OUT PBYTE* ppbEncoded, OUT DWORD* pcbEncoded )/*
Description: Allocate memory and encode object, wrapper for CryptEncodeObject()
*/{ DWORD dwStatus = ERROR_SUCCESS;
if(!CryptEncodeObject(dwEncodingType, lpszStructType, pvStructInfo, NULL, pcbEncoded) || (*ppbEncoded=(PBYTE)AllocateMemory(*pcbEncoded)) == NULL || !CryptEncodeObject(dwEncodingType, lpszStructType, pvStructInfo, *ppbEncoded, pcbEncoded)) { dwStatus=GetLastError(); }
return dwStatus;}
//////////////////////////////////////////////////////////////////////
DWORDTLSCryptSignAndEncodeCertificate( IN HCRYPTPROV hCryptProv, IN DWORD dwKeySpec, IN PCERT_INFO pCertInfo, IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, IN OUT PBYTE* ppbEncodedCert, IN OUT PDWORD pcbEncodedCert )/*
*/{ BOOL bRetCode;
bRetCode = CryptSignAndEncodeCertificate( hCryptProv, dwKeySpec, X509_ASN_ENCODING, X509_CERT_TO_BE_SIGNED, pCertInfo, pSignatureAlgorithm, NULL, NULL, pcbEncodedCert);
if(bRetCode == FALSE && GetLastError() != ERROR_MORE_DATA) goto cleanup;
*ppbEncodedCert=(PBYTE)AllocateMemory(*pcbEncodedCert); if(*ppbEncodedCert == FALSE) goto cleanup;
bRetCode = CryptSignAndEncodeCertificate( hCryptProv, AT_SIGNATURE, X509_ASN_ENCODING, X509_CERT_TO_BE_SIGNED, pCertInfo, pSignatureAlgorithm, NULL, *ppbEncodedCert, pcbEncodedCert);
if(bRetCode == FALSE) { FreeMemory(*ppbEncodedCert); *pcbEncodedCert = 0; }
cleanup:
return (bRetCode) ? ERROR_SUCCESS : GetLastError();}
////////////////////////////////////////////////////////////////////////
#define MAX_NUM_CERT_BLOBS 200 // actually, we can't go over 10.
DWORDTLSVerifyProprietyChainedCertificate( HCRYPTPROV hCryptProv, PBYTE pbCert, DWORD cbCert )/*++
--*/{ DWORD dwStatus=ERROR_SUCCESS, cbRequired = 0; PCert_Chain pCertChain = (PCert_Chain)pbCert; UNALIGNED Cert_Blob *pCertificate = NULL; PCCERT_CONTEXT pIssuerCert = NULL; PCCERT_CONTEXT pSubjectCert = NULL;
DWORD dwVerifyFlag = CERT_DATE_DONT_VALIDATE; int i;
cbRequired = 2 * sizeof(DWORD);
if( pCertChain == NULL || ( cbCert < cbRequired ) || MAX_CERT_CHAIN_VERSION < GET_CERTIFICATE_VERSION(pCertChain->dwVersion) || pCertChain->dwNumCertBlobs > MAX_NUM_CERT_BLOBS || pCertChain->dwNumCertBlobs <= 1 ) // must have at least two certificates
{ SetLastError(dwStatus = TLS_E_INVALID_DATA); return dwStatus; } //
// Verify input data before actually allocate memory
//
pCertificate = (PCert_Blob)&(pCertChain->CertBlob[0]); for(i=0; i < pCertChain->dwNumCertBlobs; i++) { cbRequired += (sizeof (DWORD)+ sizeof(BYTE)) ;
if(cbCert < cbRequired ) { SetLastError(dwStatus = TLS_E_INVALID_DATA); return dwStatus; }
if (((PBYTE)pCertificate > (cbCert + pbCert - sizeof(Cert_Blob))) || (pCertificate->cbCert == 0) || (pCertificate->cbCert > (DWORD)((pbCert + cbCert) - pCertificate->abCert))) { return (LICENSE_STATUS_INVALID_INPUT); }
pCertificate = (PCert_Blob)(pCertificate->abCert + pCertificate->cbCert); }
//
// First certificate is root certificate
//
pCertificate = (PCert_Blob)&(pCertChain->CertBlob[0]); pIssuerCert = CertCreateCertificateContext( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(pCertificate->abCert[0]), pCertificate->cbCert ); if(pIssuerCert == NULL) { dwStatus = GetLastError(); // just for debugging.
goto cleanup; }
dwStatus = ERROR_SUCCESS; pSubjectCert = CertDuplicateCertificateContext(pIssuerCert);
for(i=0; i < pCertChain->dwNumCertBlobs; i++) { if(pSubjectCert == NULL) { dwStatus = GetLastError(); break; }
//
// verify subject's certificate
dwVerifyFlag = CERT_STORE_SIGNATURE_FLAG; if(CertVerifySubjectCertificateContext( pSubjectCert, pIssuerCert, &dwVerifyFlag ) == FALSE) { dwStatus = GetLastError(); break; }
if(dwVerifyFlag != 0) { // signature verification failed.
dwStatus = TLS_E_INVALID_DATA; break; }
if(CertFreeCertificateContext(pIssuerCert) == FALSE) { dwStatus = GetLastError(); break; }
pIssuerCert = pSubjectCert;
pCertificate = (PCert_Blob)(pCertificate->abCert + pCertificate->cbCert);
pSubjectCert = CertCreateCertificateContext( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(pCertificate->abCert[0]), pCertificate->cbCert ); } cleanup:
if(pSubjectCert != NULL) { CertFreeCertificateContext(pSubjectCert); }
if(pIssuerCert != NULL) { CertFreeCertificateContext(pIssuerCert); }
return dwStatus;}
////////////////////////////////////////////////////////////////////////
BOOL IsHydraClientCertficate( PCERT_INFO pCertInfo ){ CERT_EXTENSION UNALIGNED * pCertExtension=pCertInfo->rgExtension; DWORD dwVersion = TERMSERV_CERT_VERSION_UNKNOWN; DWORD UNALIGNED * pdwVersion;
for(DWORD i=0; i < pCertInfo->cExtension; i++, pCertExtension++) { if(strcmp(pCertExtension->pszObjId, szOID_PKIX_HYDRA_CERT_VERSION) == 0) { pdwVersion = (DWORD UNALIGNED *) pCertExtension->Value.pbData;
if(pCertExtension->Value.cbData == sizeof(DWORD) && *pdwVersion <= TERMSERV_CERT_VERSION_CURRENT) { dwVersion = *pdwVersion; break; } } }
return (dwVersion == TERMSERV_CERT_VERSION_UNKNOWN) ? FALSE : TRUE;}
////////////////////////////////////////////////////////////////////////
DWORDChainProprietyCert( HCRYPTPROV hCryptProv, HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, PCert_Chain pCertChain, DWORD* dwCertOffset, DWORD dwBufSize){ DWORD dwStatus = ERROR_SUCCESS; DWORD dwFlags; PCCERT_CONTEXT pCertIssuer=NULL;
pCertIssuer=NULL; dwFlags = CERT_STORE_SIGNATURE_FLAG;
//
// Get the issuer's certificate from store
//
pCertIssuer = CertGetIssuerCertificateFromStore( hCertStore, pCertContext, pCertIssuer, &dwFlags );
if(pCertIssuer != NULL) { if(dwFlags & CERT_STORE_SIGNATURE_FLAG) { // invalid signature
dwStatus = TLS_E_INVALID_DATA; } else { //
// Recursively find the issuer of the issuer's certificate
//
dwStatus = ChainProprietyCert( hCryptProv, hCertStore, pCertIssuer, pCertChain, dwCertOffset, dwBufSize ); } } else { dwStatus = GetLastError(); if(dwStatus != CRYPT_E_SELF_SIGNED) { goto cleanup; }
//
// Verify issuer's certificate
//
if(CryptVerifyCertificateSignature( hCryptProv, X509_ASN_ENCODING, pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, &pCertContext->pCertInfo->SubjectPublicKeyInfo)) { dwStatus=ERROR_SUCCESS; } }
if(dwStatus == ERROR_SUCCESS) { //
// Push certificate into propriety certificate chain
//
if((*dwCertOffset + pCertContext->cbCertEncoded) >= dwBufSize) { dwStatus = ERROR_MORE_DATA; goto cleanup; }
(pCertChain->dwNumCertBlobs)++;
UNALIGNED Cert_Blob *pCertBlob = (PCert_Blob)((PBYTE)&(pCertChain->CertBlob) + *dwCertOffset); pCertBlob->cbCert = pCertContext->cbCertEncoded; memcpy( &(pCertBlob->abCert), pCertContext->pbCertEncoded, pCertContext->cbCertEncoded);
*dwCertOffset += (sizeof(pCertBlob->cbCert) + pCertContext->cbCertEncoded); }
cleanup:
if(pCertIssuer != NULL) { CertFreeCertificateContext(pCertIssuer); }
return dwStatus;}
////////////////////////////////////////////////////////////////////////
DWORD TLSChainProprietyCertificate( HCRYPTPROV hCryptProv, BOOL bTemp, PBYTE pbLicense, DWORD cbLicense, PBYTE* pbChained, DWORD* cbChained ){ HCERTSTORE hCertStore=NULL; DWORD dwStatus=ERROR_SUCCESS; CRYPT_DATA_BLOB Serialized; PCCERT_CONTEXT pCertContext=NULL; PCCERT_CONTEXT pPrevCertContext=NULL; PCERT_INFO pCertInfo; BOOL bFound=FALSE; Serialized.pbData = pbLicense; Serialized.cbData = cbLicense;
DWORD dwCertOffset = 0; PCert_Chain pCertChain;
DWORD numCerts=0; DWORD cbSize=0;
if(hCryptProv == NULL) { SetLastError(dwStatus = ERROR_INVALID_PARAMETER); goto cleanup; }
hCertStore=CertOpenStore( sz_CERT_STORE_PROV_PKCS7, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, hCryptProv, CERT_STORE_NO_CRYPT_RELEASE_FLAG, &Serialized );
if(!hCertStore) { dwStatus=GetLastError(); goto cleanup; }
//
// Get number of certificate and estimated size first - save memory
//
do { pCertContext = CertEnumCertificatesInStore( hCertStore, pPrevCertContext ); if(pCertContext == NULL) { dwStatus = GetLastError(); if(dwStatus != CRYPT_E_NOT_FOUND) goto cleanup;
dwStatus = ERROR_SUCCESS; break; }
numCerts++; cbSize += pCertContext->cbCertEncoded; pPrevCertContext = pCertContext;
} while(TRUE);
*cbChained = cbSize + numCerts * sizeof(Cert_Blob) + sizeof(Cert_Chain);
//
// Allocate memory for our propriety certificate chain
//
pCertChain=(PCert_Chain)LocalAlloc(LPTR, *cbChained); if(pCertChain == NULL) { dwStatus = GetLastError(); goto cleanup; }
pCertChain->dwVersion = CERT_CHAIN_VERSION_2 | ((bTemp) ? 0x80000000 : 0);
//
// Enumerate license in certificate to find actual client license.
//
pPrevCertContext = NULL; do { pCertContext=CertEnumCertificatesInStore(hCertStore, pPrevCertContext); if(pCertContext == NULL) { // end certificate in store or error
if((dwStatus=GetLastError()) != CRYPT_E_NOT_FOUND) goto cleanup;
dwStatus = ERROR_SUCCESS; break; }
pPrevCertContext = pCertContext;
if(IsHydraClientCertficate(pCertContext->pCertInfo)) { bFound = TRUE; } } while(bFound == FALSE);
if(bFound == FALSE) { dwStatus = ERROR_INVALID_PARAMETER; goto cleanup; } //
// Recusively chain certificate in backward.
//
dwStatus = ChainProprietyCert( hCryptProv, hCertStore, pCertContext, pCertChain, &dwCertOffset, *cbChained); *pbChained = (PBYTE)pCertChain;
cleanup:
if(hCertStore) CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG); return dwStatus;}
///////////////////////////////////////////////////////////////////////////////
DWORDTLSCertSetCertRdnStr( IN OUT CERT_NAME_BLOB* pCertNameBlob, IN LPTSTR szRdn )/*
Abstract:
Add RDN into certificate
Parameter:
pCertNameBlob - szRdn - RDN to be added, see CertStrToName() for help
Returns:
ERROR_INVALID_PARAMETER Memory allocation failed. Error returns from CertStrToName() */{ if(pCertNameBlob == NULL) return ERROR_INVALID_PARAMETER;
BOOL bRetCode=TRUE;
bRetCode = CertStrToName( X509_ASN_ENCODING, szRdn, CERT_X500_NAME_STR | CERT_SIMPLE_NAME_STR, NULL, pCertNameBlob->pbData, &pCertNameBlob->cbData, NULL );
if(bRetCode != TRUE) goto cleanup;
pCertNameBlob->pbData = (PBYTE)AllocateMemory(pCertNameBlob->cbData); if(pCertNameBlob->pbData == NULL) goto cleanup;
bRetCode = CertStrToName( X509_ASN_ENCODING, szRdn, CERT_X500_NAME_STR | CERT_SIMPLE_NAME_STR, NULL, pCertNameBlob->pbData, &pCertNameBlob->cbData, NULL );
cleanup:
return (bRetCode) ? ERROR_SUCCESS : GetLastError();}
///////////////////////////////////////////////////////////////////////////////
DWORD TLSCertSetCertRdnName( IN OUT CERT_NAME_BLOB* pCertNameBlob, IN CERT_NAME_INFO* pRdn )/*
Abstract:
Add RDN into certificate
Parameters:
pCertNameBlob - pRdn -
Returns
ERROR_INVALID_PARAMETER Error code from CryptEncodeObject() Memory allocation fail.
*/{ if(pCertNameBlob == NULL || pRdn == NULL) return ERROR_INVALID_PARAMETER;
//
// CertStrToName() not defined in SP3 build environment
//
return TLSCryptEncodeObject( CRYPT_ASN_ENCODING, X509_NAME, pRdn, &pCertNameBlob->pbData, &pCertNameBlob->cbData );}
//////////////////////////////////////////////////////////////////////////
DWORDTLSSetCertRdn( PCERT_NAME_BLOB pCertNameBlob, PTLSClientCertRDN pLsCertRdn )/*
*/{ DWORD dwStatus=ERROR_SUCCESS;
switch(pLsCertRdn->type) { case LSCERT_RDN_STRING_TYPE: dwStatus = TLSCertSetCertRdnStr( pCertNameBlob, pLsCertRdn->szRdn ); break;
case LSCERT_RDN_NAME_INFO_TYPE: dwStatus = TLSCertSetCertRdnName( pCertNameBlob, pLsCertRdn->pCertNameInfo );
break;
case LSCERT_RDN_NAME_BLOB_TYPE: *pCertNameBlob = *pLsCertRdn->pNameBlob; break;
case LSCERT_CLIENT_INFO_TYPE: { PBYTE szBase64EncodeHwid=NULL; DWORD cbBase64EncodeHwid=0; if(!TLSEncryptBase64EncodeHWID( pLsCertRdn->ClientInfo.pClientID, &cbBase64EncodeHwid, &szBase64EncodeHwid)) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, dwStatus=TLS_E_ENCRYPTHWID, GetLastError() );
break; }
CERT_RDN_ATTR rgNameAttr[] = { { OID_SUBJECT_CLIENT_COMPUTERNAME, dwCertRdnValueType, _tcslen(pLsCertRdn->ClientInfo.szMachineName) * sizeof(TCHAR), (UCHAR *)pLsCertRdn->ClientInfo.szMachineName }, { OID_SUBJECT_CLIENT_USERNAME, dwCertRdnValueType, _tcslen(pLsCertRdn->ClientInfo.szUserName) * sizeof(TCHAR), (UCHAR *)pLsCertRdn->ClientInfo.szUserName }, { OID_SUBJECT_CLIENT_HWID, dwCertRdnValueType, cbBase64EncodeHwid*sizeof(TCHAR), (UCHAR *)szBase64EncodeHwid } }; CERT_RDN rgRDN[] = { sizeof(rgNameAttr)/sizeof(rgNameAttr[0]), &rgNameAttr[0] };
CERT_NAME_INFO Name = {1, rgRDN};
dwStatus = TLSCertSetCertRdnName( pCertNameBlob, &Name );
FreeMemory(szBase64EncodeHwid); } break;
default:
dwStatus = ERROR_INVALID_PARAMETER; }
return dwStatus;}
//////////////////////////////////////////////////////////////////////////
DWORD TLSGenerateCertificate( HCRYPTPROV hCryptProv, DWORD dwKeySpec, ULARGE_INTEGER* pCertSerialNumber, PTLSClientCertRDN pCertIssuer, PTLSClientCertRDN pCertSubject, FILETIME* ftNotBefore, FILETIME* ftNotAfter, PCERT_PUBLIC_KEY_INFO pSubjectPublicKey, DWORD dwNumExtensions, PCERT_EXTENSION pCertExtensions, PDWORD pcbEncodedCert, PBYTE* ppbEncodedCert )/*
*/{ DWORD dwStatus=ERROR_SUCCESS; CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm={ szOID_OIWSEC_sha1RSASign, 0, 0 }; CERT_INFO CertInfo; PCERT_PUBLIC_KEY_INFO pbPublicKeyInfo=NULL; DWORD cbPublicKeyInfo=0;
memset(&CertInfo, 0, sizeof(CERT_INFO)); CertInfo.dwVersion = CERT_V3; CertInfo.SerialNumber.cbData = sizeof(*pCertSerialNumber); CertInfo.SerialNumber.pbData = (PBYTE)pCertSerialNumber; CertInfo.SignatureAlgorithm = SignatureAlgorithm;
dwStatus = TLSSetCertRdn( &CertInfo.Issuer, pCertIssuer );
if(dwStatus != ERROR_SUCCESS) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_SETCERTISSUER, dwStatus ); goto cleanup; }
CertInfo.NotBefore = *ftNotBefore; CertInfo.NotAfter = *ftNotAfter;
dwStatus = TLSSetCertRdn( &CertInfo.Subject, pCertSubject ); if(dwStatus != ERROR_SUCCESS) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_SETCERTSUBJECT, dwStatus ); goto cleanup; }
if(pSubjectPublicKey) { CertInfo.SubjectPublicKeyInfo = *pSubjectPublicKey; } else { dwStatus = TLSExportPublicKey( hCryptProv, dwKeySpec, &cbPublicKeyInfo, &pbPublicKeyInfo );
if(dwStatus != ERROR_SUCCESS) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_EXPORT_KEY, dwStatus ); goto cleanup; }
CertInfo.SubjectPublicKeyInfo = *pbPublicKeyInfo; } CertInfo.cExtension = dwNumExtensions; CertInfo.rgExtension = pCertExtensions;
dwStatus = TLSCryptSignAndEncodeCertificate( hCryptProv, dwKeySpec, &CertInfo, &SignatureAlgorithm, ppbEncodedCert, pcbEncodedCert );
if(dwStatus != ERROR_SUCCESS) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_SIGNENCODECERT, dwStatus ); }
cleanup:
if(pbPublicKeyInfo) { FreeMemory(pbPublicKeyInfo); }
if(pCertIssuer->type != LSCERT_RDN_NAME_BLOB_TYPE) { FreeMemory(CertInfo.Issuer.pbData); }
if(pCertSubject->type != LSCERT_RDN_NAME_BLOB_TYPE) { FreeMemory(CertInfo.Subject.pbData); } return dwStatus;}
//////////////////////////////////////////////////////////////////////
DWORD TLSCreateSelfSignCertificate( IN HCRYPTPROV hCryptProv, IN DWORD dwKeySpec, IN PBYTE pbSPK, IN DWORD cbSPK, IN DWORD dwNumExtensions, IN PCERT_EXTENSION pCertExtension, OUT PDWORD cbEncoded, OUT PBYTE* pbEncoded)/*
*/{ DWORD dwStatus=ERROR_SUCCESS; DWORD index;
#define MAX_EXTENSIONS_IN_SELFSIGN 40
SYSTEMTIME sysTime; FILETIME ftTime; CERT_EXTENSION rgExtension[MAX_EXTENSIONS_IN_SELFSIGN]; int iExtCount=0, iExtNotFreeCount=0; FILETIME ftNotBefore; FILETIME ftNotAfter; ULARGE_INTEGER ulSerialNumber; TLSClientCertRDN certRdn; CERT_BASIC_CONSTRAINTS2_INFO basicConstraint;
// modify here is we want to set to different issuer name
LPTSTR szIssuerName; szIssuerName = g_szComputerName;
//static LPTSTR pszEnforce=L"Enforce";
CERT_RDN_ATTR rgNameAttr[] = { { szOID_COMMON_NAME, dwCertRdnValueType, _tcslen(szIssuerName) * sizeof(TCHAR), (UCHAR *)szIssuerName },
//#if ENFORCE_LICENSING
// {
// szOID_BUSINESS_CATEGORY,
// dwCertRdnValueType,
// _tcslen(pszEnforce) * sizeof(TCHAR),
// (UCHAR *)pszEnforce
// },
//#endif
{ szOID_LOCALITY_NAME, dwCertRdnValueType, _tcslen(g_pszScope) * sizeof(TCHAR), (UCHAR *)g_pszScope }
}; CERT_RDN rgRDN[] = { sizeof(rgNameAttr)/sizeof(rgNameAttr[0]), &rgNameAttr[0] }; CERT_NAME_INFO Name = {1, rgRDN};
certRdn.type = LSCERT_RDN_NAME_INFO_TYPE; certRdn.pCertNameInfo = &Name;
memset(rgExtension, 0, sizeof(rgExtension));
//
// Set validity of self sign certificate
//
//
// If system time is not in sync, this will cause server
// can't request cert. from license server
//
memset(&sysTime, 0, sizeof(sysTime)); GetSystemTime(&sysTime); sysTime.wYear = 1970; if(TLSSystemTimeToFileTime(&sysTime, &ftNotBefore) == FALSE) { dwStatus = GetLastError(); goto cleanup; }
//
// draft-ietf-pkix-ipki-part1-06.txt section 4.1.2.5.1
// where year is greater or equal to 50, the year shall be interpreted as 19YY; and
// where year is less than 50, the year shall be interpreted as 20YY
//
sysTime.wYear = PERMANENT_CERT_EXPIRE_DATE; if(TLSSystemTimeToFileTime(&sysTime, &ftNotAfter) == FALSE) { dwStatus = GetLastError(); goto cleanup; }
ulSerialNumber.LowPart = ftNotBefore.dwLowDateTime; ulSerialNumber.HighPart = ftNotBefore.dwHighDateTime;
//
// Add basic constrains extension to indicate this is a CA certificate
//
rgExtension[iExtCount].pszObjId = szOID_BASIC_CONSTRAINTS2; rgExtension[iExtCount].fCritical = FALSE;
basicConstraint.fCA = TRUE; // act as CA
basicConstraint.fPathLenConstraint = TRUE; basicConstraint.dwPathLenConstraint = 0; // can only issue certificates
// to end-entities and not to further CAs
dwStatus=TLSCryptEncodeObject( X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS2, &basicConstraint, &(rgExtension[iExtCount].Value.pbData), &(rgExtension[iExtCount].Value.cbData) ); if(dwStatus != ERROR_SUCCESS) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_SIGNENCODECERT, dwStatus ); goto cleanup; }
iExtCount++;
//
// From here - extension memory should not be free
//
if(pbSPK != NULL && cbSPK != 0) { rgExtension[iExtCount].pszObjId = szOID_PKIS_TLSERVER_SPK_OID; rgExtension[iExtCount].fCritical = FALSE; rgExtension[iExtCount].Value.pbData = pbSPK; rgExtension[iExtCount].Value.cbData = cbSPK;
iExtNotFreeCount++; iExtCount++; }
for(index = 0; index < dwNumExtensions; index ++, iExtCount++, iExtNotFreeCount++ ) { if (iExtCount >= MAX_EXTENSIONS_IN_SELFSIGN) { iExtCount--; dwStatus = ERROR_INVALID_PARAMETER; goto cleanup; }
rgExtension[iExtCount] = pCertExtension[index]; } dwStatus = TLSGenerateCertificate( hCryptProv, dwKeySpec, &ulSerialNumber, &certRdn, &certRdn, &ftNotBefore, &ftNotAfter, NULL, iExtCount, rgExtension, cbEncoded, pbEncoded ); cleanup:
//
// Don't free memory for SPK and extensions...
//
for(int i=0; i < iExtCount - iExtNotFreeCount; i++) { FreeMemory(rgExtension[i].Value.pbData); }
return (dwStatus != ERROR_SUCCESS) ? TLS_E_CREATE_SELFSIGN_CERT : ERROR_SUCCESS;}
////////////////////////////////////////////////////////////////////////////
DWORDTLSGenerateSingleCertificate( IN HCRYPTPROV hCryptProv, IN PCERT_NAME_BLOB pIssuerRdn, IN PTLSClientCertRDN pSubjectRdn, IN PCERT_PUBLIC_KEY_INFO pSubjectPublicKeyInfo, IN PTLSDBLICENSEDPRODUCT pLicProduct, OUT PBYTE* ppbEncodedCert, IN PDWORD pcbEncodedCert )/*
*/{ DWORD dwStatus = ERROR_SUCCESS;
#define MAX_CLIENT_EXTENSION 10
CERT_EXTENSION CertExtension[MAX_CLIENT_EXTENSION]; DWORD dwNumExtensions=0; DWORD currentCertVersion=TERMSERV_CERT_VERSION_CURRENT;
TLSClientCertRDN IssuerRdn;
#if ENFORCE_LICENSING
//
// Use certificate that CH gets for us
//
IssuerRdn.type = LSCERT_RDN_NAME_BLOB_TYPE; //IssuerRdn.pNameBlob = &g_LicenseCertContext->pCertInfo->Subject;
IssuerRdn.pNameBlob = pIssuerRdn;
#else
LPTSTR szIssuerName;
// modify here if we want to set to different issuer name
szIssuerName = g_szComputerName;
CERT_RDN_ATTR rgNameAttr[] = { { OID_ISSUER_LICENSE_SERVER_NAME, dwCertRdnValueType, _tcslen(szIssuerName) * sizeof(TCHAR), (UCHAR *)szIssuerName }, { OID_ISSUER_LICENSE_SERVER_SCOPE, dwCertRdnValueType, _tcslen(g_pszScope) * sizeof(TCHAR), (UCHAR *)g_pszScope } }; CERT_RDN rgRDN[] = { sizeof(rgNameAttr)/sizeof(rgNameAttr[0]), &rgNameAttr[0] }; CERT_NAME_INFO Name = {1, rgRDN};
IssuerRdn.type = LSCERT_RDN_NAME_INFO_TYPE; IssuerRdn.pCertNameInfo = &Name;
#endif
//------------------------------------------------------------------------------------------
// add extension to certificate
// WARNING : End of routine free memory allocated for extension's pbData, skip those
// that can't be free, for example, version stamp extension. all these is just
// to keep memory fragmentaion low
//------------------------------------------------------------------------------------------
//
// DO NOT FREE pbData on first two extensions
//
// Hydra Certificate version stamp - DO NOT FREE
memset(CertExtension, 0, sizeof(CertExtension)); dwNumExtensions = 0;
//
// Add License Server Info
//
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_HYDRA_CERT_VERSION; CertExtension[dwNumExtensions].fCritical = TRUE; CertExtension[dwNumExtensions].Value.cbData = sizeof(DWORD); CertExtension[dwNumExtensions].Value.pbData = (PBYTE)¤tCertVersion; dwNumExtensions++;
// manufacturer's name, no encoding - DO NOT FREE
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_MANUFACTURER; CertExtension[dwNumExtensions].fCritical = TRUE; CertExtension[dwNumExtensions].Value.cbData = (_tcslen(pLicProduct->szCompanyName)+1) * sizeof(TCHAR); CertExtension[dwNumExtensions].Value.pbData = (PBYTE)pLicProduct->szCompanyName; dwNumExtensions++;
//
// MS Licensed Product Info, no encoding
//
LICENSED_VERSION_INFO LicensedInfo;
memset(&LicensedInfo, 0, sizeof(LicensedInfo)); LicensedInfo.wMajorVersion = HIWORD(pLicProduct->dwProductVersion); LicensedInfo.wMinorVersion = LOWORD(pLicProduct->dwProductVersion); LicensedInfo.dwFlags = (pLicProduct->bTemp) ? LICENSED_VERSION_TEMPORARY : 0;
DWORD dwLSVersionMajor; DWORD dwLSVersionMinor;
dwLSVersionMajor = GET_SERVER_MAJOR_VERSION(TLS_CURRENT_VERSION); dwLSVersionMinor = GET_SERVER_MINOR_VERSION(TLS_CURRENT_VERSION); LicensedInfo.dwFlags |= ((dwLSVersionMajor << 4 | dwLSVersionMinor) << 16);
if(TLSIsBetaNTServer() == FALSE) { LicensedInfo.dwFlags |= LICENSED_VERSION_RTM; }
#if ENFORCE_LICENSING
LicensedInfo.dwFlags |= LICENSE_ISSUER_ENFORCE_TYPE;#endif
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_LICENSED_PRODUCT_INFO; CertExtension[dwNumExtensions].fCritical = TRUE; dwStatus=LSLicensedProductInfoToExtension( 1, pLicProduct->dwPlatformID, pLicProduct->dwLanguageID, (PBYTE)pLicProduct->szRequestProductId, (_tcslen(pLicProduct->szRequestProductId) + 1) * sizeof(TCHAR), (PBYTE)pLicProduct->szLicensedProductId, (_tcslen(pLicProduct->szLicensedProductId) + 1) * sizeof(TCHAR), &LicensedInfo, 1, &(CertExtension[dwNumExtensions].Value.pbData), &(CertExtension[dwNumExtensions].Value.cbData) );
if(dwStatus != ERROR_SUCCESS) goto cleanup;
dwNumExtensions++;
//
// Add license server info into extension
//
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_MS_LICENSE_SERVER_INFO; CertExtension[dwNumExtensions].fCritical = TRUE; dwStatus=LSMsLicenseServerInfoToExtension( g_szComputerName, (LPTSTR)g_pszServerPid, g_pszScope, &(CertExtension[dwNumExtensions].Value.pbData), &(CertExtension[dwNumExtensions].Value.cbData) );
if(dwStatus != ERROR_SUCCESS) goto cleanup;
dwNumExtensions++;
//
// Add policy module specific extension
if( pLicProduct->pbPolicyData != NULL && pLicProduct->cbPolicyData != 0 ) { CertExtension[dwNumExtensions].pszObjId = szOID_PKIS_PRODUCT_SPECIFIC_OID; CertExtension[dwNumExtensions].fCritical = TRUE; CertExtension[dwNumExtensions].Value.pbData = pLicProduct->pbPolicyData; CertExtension[dwNumExtensions].Value.cbData = pLicProduct->cbPolicyData;
dwNumExtensions++; }
//
// Add CertAuthorityKeyId2Info for certificate chain
dwStatus=TLSAddCertAuthorityKeyIdExtension( g_szComputerName, &pLicProduct->ulSerialNumber, CertExtension + dwNumExtensions ); if(dwStatus != ERROR_SUCCESS) goto cleanup;
dwNumExtensions++;
// Add Access info
dwStatus = TLSGenerateCertificate( hCryptProv, AT_SIGNATURE, &pLicProduct->ulSerialNumber, &IssuerRdn, pSubjectRdn, &pLicProduct->NotBefore, &pLicProduct->NotAfter, pLicProduct->pSubjectPublicKeyInfo, dwNumExtensions, CertExtension, pcbEncodedCert, ppbEncodedCert );
cleanup:
// Extensions. DO NOT FREE first two extensions
for(int i=2; i < dwNumExtensions; i++) { FreeMemory(CertExtension[i].Value.pbData); } return (dwStatus != ERROR_SUCCESS) ? TLS_E_CREATE_CERT : ERROR_SUCCESS;}
////////////////////////////////////////////////////////////
DWORDTLSGenerateClientCertificate( IN HCRYPTPROV hCryptProv, IN DWORD dwNumLicensedProduct, IN PTLSDBLICENSEDPRODUCT pLicProduct, IN WORD wLicenseChainDetail, OUT PBYTE* ppbEncodedCert, OUT PDWORD pcbEncodedCert )/*++
++*/{ DWORD dwStatus = ERROR_SUCCESS; HCERTSTORE hStore = NULL; PCCERT_CONTEXT pCertContext = NULL; PBYTE pbCert=NULL; DWORD cbCert=NULL; DWORD index; TLSClientCertRDN clientCertRdn; PCERT_NAME_BLOB pIssuerNameBlob = NULL;
//
// Create a in-memory store
//
hStore=CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, hCryptProv, CERT_STORE_NO_CRYPT_RELEASE_FLAG, NULL );
if(!hStore) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_OPEN_CERT_STORE, dwStatus=GetLastError() );
goto cleanup; } #ifndef ENFORCE_LICENSING
pIssuerNameBlob = &g_SelfSignCertContext->pCertInfo->Subject;
#else
if( g_SelfSignCertContext == NULL ) { TLSASSERT(FALSE); dwStatus = TLS_E_INTERNAL; goto cleanup; }
if(g_bHasHydraCert && g_hCaStore && wLicenseChainDetail == LICENSE_DETAIL_DETAIL) { pIssuerNameBlob = &g_LicenseCertContext->pCertInfo->Subject; } else { pIssuerNameBlob = &g_SelfSignCertContext->pCertInfo->Subject; }
#endif
//
// Generate client certificate and add to certstore
//
for(index = 0; index < dwNumLicensedProduct; index++) { if(pCertContext != NULL) { //
// Need to keep one pCertContext for later use
//
CertFreeCertificateContext(pCertContext); pCertContext = NULL; }
clientCertRdn.type = LSCERT_CLIENT_INFO_TYPE; clientCertRdn.ClientInfo.szUserName = pLicProduct[index].szUserName; clientCertRdn.ClientInfo.szMachineName = pLicProduct[index].szMachineName; clientCertRdn.ClientInfo.pClientID = &pLicProduct[index].ClientHwid;
dwStatus = TLSGenerateSingleCertificate( hCryptProv, pIssuerNameBlob, &clientCertRdn, pLicProduct[index].pSubjectPublicKeyInfo, pLicProduct+index, &pbCert, &cbCert );
if(dwStatus != ERROR_SUCCESS) { break; }
//
// Add certificate to store
//
pCertContext = CertCreateCertificateContext( X509_ASN_ENCODING, pbCert, cbCert );
if(pCertContext == NULL) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_CREATE_CERTCONTEXT, dwStatus=GetLastError() ); break; }
//
// always start from empty so CERT_STORE_ADD_ALWAYS
//
if(!CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_ALWAYS, NULL)) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_ADD_CERT_TO_STORE, dwStatus=GetLastError() ); break; }
FreeMemory(pbCert); pbCert = NULL; }
if(dwStatus == ERROR_SUCCESS) { #ifndef ENFORCE_LICENSING
//
// Add license server's certificate
if(!CertAddCertificateContextToStore(hStore, g_LicenseCertContext, CERT_STORE_ADD_ALWAYS, NULL)) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_ADD_CERT_TO_STORE, dwStatus=GetLastError() ); goto cleanup; }#else
//
// we don't support LICENSE_DETAIL_MODERATE at this time, treat it as LICENSE_DETAIL_SIMPLE
//
if(g_bHasHydraCert && g_hCaStore && wLicenseChainDetail == LICENSE_DETAIL_DETAIL) { //
// Chain issuer certificate with client certificate
//
if(!TLSChainIssuerCertificate(hCryptProv, g_hCaStore, hStore, pCertContext)) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_ADD_CERT_TO_STORE, dwStatus=GetLastError() ); goto cleanup; } } else { //
// Add license server's certificate
if(!CertAddCertificateContextToStore(hStore, g_SelfSignCertContext, CERT_STORE_ADD_ALWAYS, NULL)) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_ADD_CERT_TO_STORE, dwStatus=GetLastError() ); goto cleanup; } }#endif
CRYPT_DATA_BLOB saveBlob; memset(&saveBlob, 0, sizeof(saveBlob));
// save certificate into memory
if(!CertSaveStore(hStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, LICENSE_BLOB_SAVEAS_TYPE, CERT_STORE_SAVE_TO_MEMORY, &saveBlob, 0) && (dwStatus=GetLastError()) != ERROR_MORE_DATA) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_SAVE_STORE, dwStatus=GetLastError() ); goto cleanup; }
if(!(saveBlob.pbData = (PBYTE)AllocateMemory(saveBlob.cbData))) { dwStatus=TLS_E_ALLOCATE_MEMORY; goto cleanup; }
// save certificate into memory
if(!CertSaveStore(hStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, LICENSE_BLOB_SAVEAS_TYPE, CERT_STORE_SAVE_TO_MEMORY, &saveBlob, 0)) { TLSLogEvent( EVENTLOG_ERROR_TYPE, TLS_E_GENERATECLIENTELICENSE, TLS_E_SAVE_STORE, dwStatus=GetLastError() ); goto cleanup; } *ppbEncodedCert = saveBlob.pbData; *pcbEncodedCert = saveBlob.cbData; }
cleanup:
FreeMemory(pbCert);
if(pCertContext) { CertFreeCertificateContext(pCertContext); }
if(hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_FORCE_FLAG); }
return dwStatus;}
|
