|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1997 - 1999
//
// File: tcertcli.cpp
//
//--------------------------------------------------------------------------
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <stdio.h>
#include <certca.h>
#include <winldap.h>
#include <dsrole.h>
#include <dsgetdc.h>
#include <lmaccess.h>
#include <lmapibuf.h>
#include <shobjidl.h>
#include <shellapi.h>
#include "..\..\..\..\..\win32\ntcrypto\autoenrl\pautoenr\autoenro.h"
#include "cryptuiapi.h"
//--------------------------------------------------------------------
HRESULTmyRobustLdapBindEx( OUT LDAP ** ppldap, OPTIONAL OUT LPWSTR* ppszForestDNSName, IN BOOL fGC){ HRESULT hr; BOOL fForceRediscovery = FALSE; DWORD dwGetDCFlags = DS_RETURN_DNS_NAME; PDOMAIN_CONTROLLER_INFO pDomainInfo = NULL; LDAP *pld = NULL; WCHAR const *pwszDomainControllerName = NULL; ULONG ldaperr;
if (fGC) { dwGetDCFlags |= DS_GC_SERVER_REQUIRED; }
do { if (fForceRediscovery) { dwGetDCFlags |= DS_FORCE_REDISCOVERY; } ldaperr = LDAP_SERVER_DOWN;
// netapi32!DsGetDcName is delay loaded, so wrap
__try { // Get the GC location
hr = DsGetDcName( NULL, // Delayload wrapped
NULL, NULL, NULL, dwGetDCFlags, &pDomainInfo); } __except(EXCEPTION_EXECUTE_HANDLER) { hr=E_UNEXPECTED; } if (S_OK != hr) { hr = HRESULT_FROM_WIN32(hr); if (fForceRediscovery) { goto error; } fForceRediscovery = TRUE; continue; }
if (NULL == pDomainInfo || (fGC && 0 == (DS_GC_FLAG & pDomainInfo->Flags)) || 0 == (DS_DNS_CONTROLLER_FLAG & pDomainInfo->Flags) || NULL == pDomainInfo->DomainControllerName) { if (!fForceRediscovery) { fForceRediscovery = TRUE; continue; } hr = HRESULT_FROM_WIN32(ERROR_CANT_ACCESS_DOMAIN_INFO); goto error; }
pwszDomainControllerName = pDomainInfo->DomainControllerName;
// skip past forward slashes (why are they there?)
while (L'\\' == *pwszDomainControllerName) { pwszDomainControllerName++; }
// bind to ds
pld = ldap_init( const_cast<WCHAR *>(pwszDomainControllerName), fGC? LDAP_GC_PORT : LDAP_PORT); if (NULL == pld) { ldaperr = LdapGetLastError(); } else { // do this because we're explicitly setting DC name
ldaperr = ldap_set_option(pld, LDAP_OPT_AREC_EXCLUSIVE, LDAP_OPT_ON);
ldaperr = ldap_bind_s(pld, NULL, NULL, LDAP_AUTH_NEGOTIATE); }
hr = HRESULT_FROM_WIN32(LdapMapErrorToWin32(ldaperr));
if (fForceRediscovery) { break; } fForceRediscovery = TRUE;
} while (LDAP_SERVER_DOWN == ldaperr);
// everything's cool, party down
if (S_OK == hr) { *ppldap = pld; pld = NULL; }
error: if (NULL != pld) { ldap_unbind(pld); }
// we know netapi32 was already loaded safely (that's where we got
// pDomainInfo), so no need to wrap
if (NULL != pDomainInfo) { NetApiBufferFree(pDomainInfo); // Delayload wrapped
} return(hr);}
//--------------------------------------------------------------------
HRESULTmyRobustLdapBind( OUT LDAP ** ppldap, IN BOOL fGC){ return(myRobustLdapBindEx(ppldap, NULL, fGC));}
//--------------------------------------------------------------------
void PrintHelp(void) { wprintf(L"tcertcli <testID>\n"L" Available tests:\n"L" OID - test CAOIDxxxx functions\n"L" Template - test CACertTypexxxx functions\n"L" Query - test CACertTypeQuery functions without pld\n"L" QueryLDAP - test CACertTypeQuery functions with pld\n"L" CAEnum <CAName> - test CAEnumCertTypesForCA functions without pld\n"L" CAEnumLDAP <CAName> - test CAEnumCertTypesForCAEx functions with pld\n"L" TemplateDes - test the description property of templates\n"L" Clone <TemplateName> - test the clone without pld\n"L" CloneLDAP <TemplateName> - test the clone with pld\n"L" ACRS - test create/delete autoenrollment object from ACRS store\n"L" OIDURL - test URL code for OID container\n"L" PROPERTY <#1> <#2> - update the CERT_AUTO_ENROLL_RETRY_PROP_ID property of certificates in local machine My store\n"L" <#1> The # of retrial. 0 clears the property\n"L" <#2> The # of seconds to wait. \n"L" SHOW PROPERTY - display the CERT_AUTO_ENROLL_RETRY_PROP_ID property of certificates in local machine My store\n" );}
//--------------------------------------------------------------------
BOOL TemplateTest(){ BOOL fSuccess=FALSE; HRESULT hr=S_OK; DWORD dwProp=0; LPWSTR rgwszProp[4]; CERT_ENHKEY_USAGE KeyUsage; LPSTR szOID="1.2.3.4.5.6"; FILETIME time1; FILETIME time2; DWORD dwNameFlag;
HCERTTYPE hCertType=NULL; HANDLE hClientToken=NULL; HANDLE hHandle = NULL; PCERT_EXTENSIONS pCertExtensions=NULL; LPWSTR *pwszProp=NULL; LPWSTR *pwszProp1=NULL; PSECURITY_DESCRIPTOR pSD=NULL; LPWSTR pwszOID=NULL; LPWSTR pwsz=NULL; DWORD dwType=0;
//get the client token
hHandle = GetCurrentThread(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else {
if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self
&hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } } if(hr != S_OK) { hHandle = GetCurrentProcess(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else { HANDLE hProcessToken = NULL; hr = S_OK;
if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } else { if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } CloseHandle(hProcessToken); } } }
if(S_OK != hr) goto error;
//find a certifcate type admin
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_ADMIN, NULL, CT_ENUM_USER_TYPES, &hCertType )) { wprintf(L"Can not find template %ws\n", wszCERTTYPE_ADMIN); goto error; }
//get the name flag
if(S_OK != CAGetCertTypeFlagsEx( hCertType, CERTTYPE_SUBJECT_NAME_FLAG, &dwNameFlag )) { wprintf(L"Can not find template %ws\n", wszCERTTYPE_ADMIN); goto error; }
//get all extensions
if(S_OK != CAGetCertTypeExtensionsEx( hCertType, 0, NULL, &pCertExtensions )) { wprintf(L"Can not find extensions %ws\n", wszCERTTYPE_ADMIN); goto error; }
if(S_OK != (CAFreeCertTypeExtensions(hCertType, pCertExtensions))) goto error;
pCertExtensions=NULL;
//get template extensions
if(S_OK != CAGetCertTypeExtensionsEx( hCertType, CT_EXTENSION_TEMPLATE, NULL, &pCertExtensions )) { wprintf(L"Can not find extensions %ws\n", wszCERTTYPE_ADMIN); goto error; }
if(S_OK != (CAFreeCertTypeExtensions(hCertType, pCertExtensions))) goto error;
pCertExtensions=NULL;
//get selected extension
if(S_OK != CAGetCertTypeExtensionsEx( hCertType, CT_EXTENSION_BASIC_CONTRAINTS | CT_EXTENSION_APPLICATION_POLICY, NULL, &pCertExtensions )) { wprintf(L"Can not find extensions %ws\n", wszCERTTYPE_ADMIN); } else { if(S_OK != (CAFreeCertTypeExtensions(hCertType, pCertExtensions))) goto error; }
pCertExtensions=NULL;
//get all extension from the old way
if(S_OK != CAGetCertTypeExtensions( hCertType, &pCertExtensions )) { wprintf(L"Can not find extensions %ws\n", wszCERTTYPE_ADMIN); goto error; }
if(S_OK != (CAFreeCertTypeExtensions(hCertType, pCertExtensions))) goto error;
pCertExtensions=NULL;
if(S_OK != CAGetCertTypeFlagsEx( hCertType, CERTTYPE_SUBJECT_NAME_FLAG, &dwNameFlag )) { wprintf(L"Can not find template %ws\n", wszCERTTYPE_ADMIN); goto error; }
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_FRIENDLY_NAME, &pwszProp)) { wprintf(L"Can not get friendly name for template %ws\n", wszCERTTYPE_ADMIN); goto error; } wprintf(L"The friendly name for %ws is %ws\n", wszCERTTYPE_ADMIN, pwszProp[0]);
CAFreeCertTypeProperty(hCertType, pwszProp); pwszProp=NULL;
CACloseCertType(hCertType); hCertType=NULL; //delete a certifcate type
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_USER, NULL, CT_ENUM_USER_TYPES, &hCertType )) goto error;
if(S_OK != CADeleteCertType(hCertType)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//testing find cert type by oid
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_CA_EXCHANGE, NULL, CT_ENUM_USER_TYPES | CT_FLAG_NO_CACHE_LOOKUP | CT_ENUM_MACHINE_TYPES, &hCertType )) goto error;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_OID, &pwszProp)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
if(S_OK != CAFindCertTypeByName( pwszProp[0], NULL, CT_FIND_BY_OID | CT_ENUM_MACHINE_TYPES, &hCertType )) goto error;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_OID, &pwszProp1)) goto error;
if(0!=wcscmp(pwszProp[0], pwszProp1[0])) goto error;
if(S_OK != CAFreeCertTypeProperty(hCertType, pwszProp)) goto error;
if(S_OK != CAFreeCertTypeProperty(hCertType, pwszProp1)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//create a certificate type
if(S_OK != CACreateCertType(L"NewCertType", NULL, 0, &hCertType)) goto error;
if(S_OK != CAUpdateCertType(hCertType)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//retrieve V1 certifcate type: EFS
//access check on the EFS cert type
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_EFS, NULL, CT_ENUM_USER_TYPES, &hCertType )) goto error;
if(S_OK != CAGetCertTypeFlagsEx( hCertType, CERTTYPE_GENERAL_FLAG, &dwProp)) goto error;
printf("The general flag for EFS is: %d\n", dwProp);
if(S_OK != CAGetCertTypeFlagsEx( hCertType, CERTTYPE_PRIVATE_KEY_FLAG, &dwProp)) goto error;
printf("The private key flag for EFS is: %d\n", dwProp);
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_SCHEMA_VERSION, &dwProp)) goto error;
printf("The schema version for EFS is: %d\n", dwProp);
if(S_OK != CACertTypeAccessCheckEx( hCertType, hClientToken, CERTTYPE_ACCESS_CHECK_ENROLL)) goto error;
//no autoenrollment
if(S_OK == CACertTypeAccessCheckEx( hCertType, hClientToken, CERTTYPE_ACCESS_CHECK_AUTO_ENROLL)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//retrieve V2 certifcate type: EFS
//access check on the EFS cert type
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_CROSS_CA, NULL, CT_ENUM_MACHINE_TYPES | CT_ENUM_USER_TYPES, &hCertType )) goto error;
if(S_OK != CACertTypeAccessCheckEx( hCertType, hClientToken, CERTTYPE_ACCESS_CHECK_ENROLL)) goto error;
//no autoenrollment
if(S_OK == CACertTypeAccessCheckEx( hCertType, hClientToken, CERTTYPE_ACCESS_CHECK_AUTO_ENROLL)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//clone a certificate type
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_SUBORDINATE_CA, NULL, CT_ENUM_MACHINE_TYPES, &hCertType )) goto error;
rgwszProp[0]=L"ClonedCertType"; rgwszProp[1]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_CN, rgwszProp)) goto error;
rgwszProp[0]=L"ClonedCertType Friendly"; rgwszProp[1]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_FRIENDLY_NAME, rgwszProp)) goto error;
rgwszProp[0]=L"1.2.3.4.5"; rgwszProp[1]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_OID, rgwszProp)) goto error;
rgwszProp[0]=L"1.2.3.4.5.6.7.8.9.10"; rgwszProp[1]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_APPLICATION_POLICY, rgwszProp)) goto error; rgwszProp[0]=L"1.2.3.4.5.6.7.8.9.10.11"; rgwszProp[1]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_RA_APPLICATION_POLICY, rgwszProp)) goto error;
rgwszProp[0]=L"1.2.3.4.5.6.7.8.9.10.11.12"; rgwszProp[1]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_RA_POLICY, rgwszProp)) goto error; rgwszProp[0]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_SUPERSEDE, rgwszProp)) goto error; rgwszProp[0]=L"CloneSuper1"; rgwszProp[1]=L"CloneSuper2"; rgwszProp[2]=L"CloneSuper3"; rgwszProp[3]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_SUPERSEDE, rgwszProp)) goto error;
dwProp=2048;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_MIN_KEY_SIZE, &dwProp)) goto error;
if(S_OK != CAGetCertTypeExtensions( hCertType, &pCertExtensions)) goto error;
KeyUsage.cUsageIdentifier=1; KeyUsage.rgpszUsageIdentifier=&szOID; if(S_OK != CASetCertTypeExtension( hCertType, TEXT(szOID_ENHANCED_KEY_USAGE), CA_EXT_FLAG_CRITICAL, &KeyUsage)) goto error;
if(S_OK != CAUpdateCertType(hCertType)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//edit V2 certificate type: KeyRecoveryAgent
//update SD, Expiration,
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_KEY_RECOVERY_AGENT, NULL, CT_ENUM_USER_TYPES, &hCertType )) goto error;
if(S_OK != CACertTypeAccessCheckEx( hCertType, hClientToken, CERTTYPE_ACCESS_CHECK_ENROLL)) goto error;
dwProp=103;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_REVISION, &dwProp)) goto error;
if(S_OK != CASetCertTypeFlagsEx( hCertType, CERTTYPE_ENROLLMENT_FLAG, 0)) goto error;
if(S_OK != CASetCertTypeFlagsEx( hCertType, CERTTYPE_SUBJECT_NAME_FLAG, 0)) goto error;
if(S_OK != CAGetCertTypeExpiration( hCertType, &time1, &time2)) goto error;
if(S_OK != CASetCertTypeExpiration( hCertType, &time1, &time2)) goto error;
if(S_OK != CACertTypeGetSecurity( hCertType, &pSD)) goto error;
if(S_OK != CACertTypeSetSecurity( hCertType, pSD)) goto error;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_CSP_LIST, &pwszProp)) goto error;
if(pwszProp && pwszProp[0]) printf("The CSP for KRA is: %S\n", pwszProp[0]); if(S_OK != CAFreeCertTypeProperty( hCertType, pwszProp)) goto error; pwszProp=NULL;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_RA_POLICY, &pwszProp)) goto error;
if(pwszProp && pwszProp[0]) printf("The RAPolicy for KRA is: %S\n", pwszProp[0]);
if(S_OK != CAFreeCertTypeProperty( hCertType, pwszProp)) goto error; pwszProp=NULL;
rgwszProp[0]=L"1.2.3.4.5.6.7.8.9.10"; rgwszProp[1]=L"2.2.3.4.5.6.7.8.9.10"; rgwszProp[2]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_APPLICATION_POLICY, rgwszProp)) goto error; rgwszProp[0]=L"1.2.3.4.5.6.7.8.9.10.11"; rgwszProp[1]=L"2.2.3.4.5.6.7.8.9.10.11"; rgwszProp[2]=NULL;
if(S_OK != CASetCertTypePropertyEx( hCertType, CERTTYPE_PROP_RA_APPLICATION_POLICY, rgwszProp)) goto error;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_RA_APPLICATION_POLICY, &pwszProp)) goto error;
if(pwszProp && pwszProp[0]) printf("The RAAppPolicy for KRA is: %S\n", pwszProp[0]);
if(S_OK != CAFreeCertTypeProperty( hCertType, pwszProp)) goto error; pwszProp=NULL;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_APPLICATION_POLICY, &pwszProp)) goto error;
if(pwszProp && pwszProp[0]) printf("The AppPolicy for KRA is: %S\n", pwszProp[0]);
if(S_OK != CAFreeCertTypeProperty( hCertType, pwszProp)) goto error; pwszProp=NULL;
if(S_OK != CAUpdateCertType(hCertType)) goto error;
if(S_OK != CACloseCertType(hCertType)) goto error;
hCertType=NULL;
//get the KRA properties again
if(S_OK != CAFindCertTypeByName( wszCERTTYPE_KEY_RECOVERY_AGENT, NULL, CT_ENUM_USER_TYPES, &hCertType )) goto error;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_RA_APPLICATION_POLICY, &pwszProp)) goto error;
if(pwszProp && pwszProp[0]) printf("The RAAppPolicy for KRA is: %S\n", pwszProp[0]);
if(S_OK != CAFreeCertTypeProperty( hCertType, pwszProp)) goto error; pwszProp=NULL;
if(S_OK != CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_APPLICATION_POLICY, &pwszProp)) goto error;
if(pwszProp && pwszProp[0]) printf("The AppPolicy for KRA is: %S\n", pwszProp[0]);
if(S_OK != CAFreeCertTypeProperty( hCertType, pwszProp)) goto error; pwszProp=NULL;
fSuccess=TRUE;
error: if(pwszOID) LocalFree(pwszOID);
if(pCertExtensions) CAFreeCertTypeExtensions(hCertType,pCertExtensions);
if(hCertType) CACloseCertType(hCertType);
if(pSD) LocalFree(pSD);
if(hHandle) CloseHandle(hHandle);
if(hClientToken) CloseHandle(hClientToken);
return fSuccess;}
//--------------------------------------------------------------------
BOOL OIDTest(){ BOOL fSuccess=FALSE; HRESULT hr=S_OK; DWORD dwProp=0; LPWSTR rgwszProp[4]; CERT_ENHKEY_USAGE KeyUsage; LPSTR szOID="1.2.3.4.5.6"; FILETIME time1; FILETIME time2;
LPWSTR *pwszProp=NULL; LPWSTR *pwszProp1=NULL; LPWSTR pwszOID=NULL; LPWSTR pwsz=NULL; DWORD dwType=0;
//oid manipulation
//create
if(S_OK != CAOIDCreateNew(CERT_OID_TYPE_TEMPLATE, 0, &pwszOID)) goto error;
//set/get property test
if(S_OK != CAOIDSetProperty( pwszOID, CERT_OID_PROPERTY_DISPLAY_NAME, L"MyNewOIDFriendlyName")) goto error;
if(S_OK != CAOIDSetProperty( pwszOID, CERT_OID_PROPERTY_CPS, L"MYCSPStatement")) goto error;
if(S_OK != CAOIDGetProperty( pwszOID, CERT_OID_PROPERTY_CPS, &pwsz)) goto error;
printf("The CPS statement is: %S\n", pwsz);
if(S_OK != CAOIDFreeProperty(pwsz)) goto error; pwsz=NULL;
if(S_OK != CAOIDGetProperty( pwszOID, CERT_OID_PROPERTY_TYPE, &dwType)) goto error;
printf("The property type is: %d\n", dwType);
if(S_OK == CAOIDSetProperty( pwszOID, CERT_OID_PROPERTY_TYPE, L"MyNewOIDFriendlyName")) goto error;
if(S_OK == CAOIDSetProperty( L"1.2", CERT_OID_PROPERTY_DISPLAY_NAME, L"MyNewOIDFriendlyName")) goto error;
//add and delete
if(S_OK != CAOIDAdd(CERT_OID_TYPE_ISSUER_POLICY, 0, L"1.2.3")) goto error;
if(S_OK != CAOIDAdd(CERT_OID_TYPE_ISSUER_POLICY, 0, L"1.2.3.4")) goto error;
if(S_OK != CAOIDSetProperty(L"1.2.3.4", CERT_OID_PROPERTY_DISPLAY_NAME, L"MyNewIssuerPolicyOid")) goto error;
if(S_OK != CAOIDGetProperty(L"1.2.3.4", CERT_OID_PROPERTY_DISPLAY_NAME, &pwsz)) goto error; printf("The display name is: %S\n", pwsz);
if(S_OK != CAOIDSetProperty(L"1.2.3.4", CERT_OID_PROPERTY_CPS, L"The DS Issuer Policy String")) goto error;
if(S_OK != CAOIDSetProperty(L"1.2.3.4", CERT_OID_PROPERTY_CPS, NULL)) goto error;
if(S_OK != CAOIDSetProperty(L"1.2.3.4", CERT_OID_PROPERTY_CPS, L"New CPS")) goto error;
if(S_OK != CAOIDFreeProperty(pwsz)) goto error; pwsz=NULL;
if(CRYPT_E_EXISTS != CAOIDAdd(CERT_OID_TYPE_ISSUER_POLICY, 0, L"1.2.3")) goto error;
if(S_OK != CAOIDDelete(L"1.2.3")) goto error;
if(S_OK != CAOIDDelete(L"1.2.3.4")) goto error;
//URL testing
if(S_OK != CAOIDGetLdapURL(CERT_OID_TYPE_TEMPLATE, 0, &pwsz)) goto error; printf("The URL for template is: %S\n", pwsz);
if(S_OK != CAOIDFreeLdapURL(pwsz)) goto error;
if(S_OK != CAOIDGetLdapURL(CERT_OID_TYPE_ALL, 0, &pwsz)) goto error; printf("The URL for all is: %S\n", pwsz);
if(S_OK != CAOIDFreeLdapURL(pwsz)) goto error;
if(S_OK != CAOIDGetLdapURL(CERT_OID_TYPE_APPLICATION_POLICY, 0, &pwsz)) goto error; printf("The URL for application policy is: %S\n", pwsz);
if(S_OK != CAOIDFreeLdapURL(pwsz)) goto error;
fSuccess=TRUE;
error: if(pwszOID) LocalFree(pwszOID);
return fSuccess;
}
//--------------------------------------------------------------------
BOOL QueryTest(BOOL fBind){ HRESULT hr=E_FAIL; BOOL fResult = FALSE; DWORD dwNumber = 0; DWORD dwIndex=0;
LDAP *pldap=NULL; HCERTTYPEQUERY hCertTypeQuery=NULL;
if(fBind) { if(S_OK != (hr = myRobustLdapBind(&pldap, FALSE))) { wprintf(L"myRobustLdapBind failed with 0x%08X. \n",hr); goto error; }
}
if(S_OK != CACertTypeRegisterQuery(0, pldap, &hCertTypeQuery)) { wprintf(L"CACertTypeRegisterQury failed with 0x%08X. \n",hr); goto error; }
for(dwIndex=0; dwIndex < 3; dwIndex++) { if(S_OK != CACertTypeQuery(hCertTypeQuery, &dwNumber)) { wprintf(L"CACertTypeQuery failed with 0x%08X. \n",hr); goto error; }
wprintf(L"CACertTypeQuery returned %d. \n", dwNumber); wprintf(L"Wait for 20 seconds. \n"); Sleep(20 * 1000); }
fResult = TRUE;
error:
if(hCertTypeQuery) CACertTypeUnregisterQuery(hCertTypeQuery);
if(pldap) ldap_unbind(pldap);
return fResult;}
//--------------------------------------------------------------------
//
//
// CAEnumTest
//
//
//--------------------------------------------------------------------
BOOL CAEnumTest(BOOL fBind, LPWSTR pwszCA){ HRESULT hr=E_FAIL; BOOL fResult = FALSE; DWORD dwCount = 0;
HCAINFO hCAInfo = NULL; HCERTTYPE hCertType = NULL; LDAP *pldap=NULL; LPWSTR *awszProp=NULL;
if(fBind) { if(S_OK != (hr = myRobustLdapBind(&pldap, FALSE))) { wprintf(L"myRobustLdapBind failed with 0x%08X. \n",hr); goto error; }
}
if(S_OK != (hr = CAFindByName( pwszCA, NULL, CA_FIND_LOCAL_SYSTEM, &hCAInfo))) { wprintf(L"CAFindByName failed with 0x%08X. \n",hr); goto error; }
if(NULL==hCAInfo) { wprintf(L"CAFindByName return NULL hCAInfo. \n"); goto error; }
if(fBind) { hr = CAEnumCertTypesForCAEx( hCAInfo, (LPCWSTR)pldap, CT_FIND_LOCAL_SYSTEM | CT_ENUM_MACHINE_TYPES | CT_ENUM_USER_TYPES | CT_FLAG_SCOPE_IS_LDAP_HANDLE | CT_FLAG_NO_CACHE_LOOKUP, &hCertType); } else { hr = CAEnumCertTypesForCA( hCAInfo, CT_FIND_LOCAL_SYSTEM | CT_ENUM_MACHINE_TYPES | CT_ENUM_USER_TYPES, &hCertType); }
if( (S_OK != hr) || (NULL == hCertType)) { wprintf(L"CAEnumCertTyes failed with 0x%08X. \n",hr); goto error; }
dwCount = CACountCertTypes(hCertType);
if(0 == dwCount) { wprintf(L"Error: CACountCertTypes returns 0 templates.\n"); goto error; }
wprintf(L"CACountCertTypes returns %d templates.\n", dwCount);
//get the CA properties
hr=CAGetCAProperty(hCAInfo, CA_PROP_DNSNAME, &awszProp);
if((S_OK != hr) || (NULL==awszProp) || (NULL==awszProp[0])) { wprintf(L"CAGetCAProperty failed with 0x%08X. \n",hr); goto error; }
wprintf(L"CA's DNS name is %ws.\n", awszProp[0]);
hr=CAFreeCAProperty(hCAInfo, awszProp);
if(S_OK != hr) { wprintf(L"CAFreeCAProperty failed with 0x%08X. \n",hr); goto error; }
//name
hr=CAGetCAProperty(hCAInfo, CA_PROP_NAME, &awszProp);
if((S_OK != hr) || (NULL==awszProp) || (NULL==awszProp[0])) { wprintf(L"CAGetCAProperty failed with 0x%08X. \n",hr); goto error; }
wprintf(L"CA's CN name is %ws.\n", awszProp[0]);
hr=CAFreeCAProperty(hCAInfo, awszProp);
if(S_OK != hr) { wprintf(L"CAFreeCAProperty failed with 0x%08X. \n",hr); goto error; }
//display name
hr=CAGetCAProperty(hCAInfo, CA_PROP_DISPLAY_NAME, &awszProp);
if((S_OK != hr) || (NULL==awszProp) || (NULL==awszProp[0])) { wprintf(L"CAGetCAProperty failed with 0x%08X. \n",hr); goto error; }
wprintf(L"CA's display name is %ws.\n", awszProp[0]);
hr=CAFreeCAProperty(hCAInfo, awszProp);
if(S_OK != hr) { wprintf(L"CAFreeCAProperty failed with 0x%08X. \n",hr); goto error; }
//cert types
hr=CAGetCAProperty(hCAInfo, CA_PROP_CERT_TYPES, &awszProp);
if((S_OK != hr) || (NULL==awszProp) || (NULL==awszProp[0])) { wprintf(L"CAGetCAProperty failed with 0x%08X. \n",hr); goto error; }
wprintf(L"CA's cert types name is %ws.\n", awszProp[0]);
hr=CAFreeCAProperty(hCAInfo, awszProp);
if(S_OK != hr) { wprintf(L"CAFreeCAProperty failed with 0x%08X. \n",hr); goto error; }
fResult = TRUE;
error:
if(hCertType) CACloseCertType(hCertType);
if(hCAInfo) { CACloseCA(hCAInfo); }
if(pldap) ldap_unbind(pldap);
return fResult;}
//--------------------------------------------------------------------
//
// CloneTest
//
//
//--------------------------------------------------------------------
BOOL CloneTest(BOOL fBind, LPWSTR pwszCertType){ HRESULT hr=E_FAIL; BOOL fResult = FALSE; DWORD dwFindCT=CT_ENUM_MACHINE_TYPES | CT_ENUM_USER_TYPES; WCHAR wszName[100]; WCHAR wszFriendlyName[100];
LPWSTR *awszFriendlyName=NULL; LDAP *pldap=NULL; HCERTTYPE hCertType=NULL; HCERTTYPE hNewCertType=NULL;
if(fBind) { if(S_OK != (hr = myRobustLdapBind(&pldap, FALSE))) { wprintf(L"myRobustLdapBind failed with 0x%08X. \n",hr); goto error; }
}
if(S_OK != (hr = CAFindCertTypeByName( pwszCertType, NULL, dwFindCT, &hCertType))) { wprintf(L"CAFindCertTypeByName failed with 0x%08X. \n",hr); goto error; }
wcscpy(wszName, pwszCertType); wcscat(wszName, L"_Clone");
wcscpy(wszFriendlyName, pwszCertType); wcscat(wszFriendlyName, L"_CloneFriendly");
if(S_OK != (hr=CACloneCertType(hCertType, wszName, wszFriendlyName, pldap, fBind? CT_CLONE_KEEP_AUTOENROLLMENT_SETTING | CT_CLONE_KEEP_SUBJECT_NAME_SETTING : 0, &hNewCertType))) { wprintf(L"CACloneCertType failed with 0x%08X. \n",hr); goto error; }
if(S_OK != (hr=CAUpdateCertType(hNewCertType))) { wprintf(L"CAUpdateCertType failed with 0x%08X. \n",hr); goto error;
}
//close the tempate
if(S_OK != (hr=CACloseCertType(hNewCertType))) { hNewCertType=NULL; wprintf(L"CACloseCertType failed with 0x%08X. \n",hr); goto error; }
hNewCertType=NULL;
if(S_OK != (hr = CAFindCertTypeByName( wszName, NULL, dwFindCT, &hNewCertType))) { wprintf(L"CAFindCertTypeByName for the cloned template failed with 0x%08X. \n",hr); goto error; }
if(S_OK != (hr=CAGetCertTypePropertyEx( hNewCertType, CERTTYPE_PROP_FRIENDLY_NAME, &awszFriendlyName))) { wprintf(L"CAGetCertTypePropertyEx for the cloned template failed with 0x%08X. \n",hr); goto error; }
if(0 != (wcscmp(awszFriendlyName[0], wszFriendlyName))) { wprintf(L"The friendly name for the cloned template does not match the original. \n"); hr=E_FAIL; goto error; }
fResult = TRUE;
error:
if(pldap) ldap_unbind(pldap);
if(awszFriendlyName) CAFreeCertTypeProperty(hNewCertType, awszFriendlyName);
if(hCertType) CACloseCertType(hCertType);
if(hNewCertType) CACloseCertType(hNewCertType);
return fResult;}
//--------------------------------------------------------------------
//
// TemplateDesTest
//
//
//--------------------------------------------------------------------
BOOL TemplateDesTest(){ BOOL fResult = FALSE; HRESULT hr = E_FAIL; DWORD dwCount=0; DWORD dwIndex=0;
HCERTTYPE hCertType=NULL; HCERTTYPE hNextCertType=NULL; LPWSTR *pwszFriendlyName=NULL; LPWSTR *pwszDescription=NULL; HANDLE hClientToken=NULL; HANDLE hHandle = NULL; HCAINFO hCAInfo=NULL;
//get the client token
/* hHandle = GetCurrentThread();
if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else {
if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self
&hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } } if(hr != S_OK) { hHandle = GetCurrentProcess(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else { HANDLE hProcessToken = NULL; hr = S_OK;
if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } else { if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } CloseHandle(hProcessToken); } } }
if(S_OK != hr) goto error;
hr = CAFindCertTypeByName(L"WindowsTestBuildSigning", NULL, CT_ENUM_USER_TYPES, &hCertType);
if(S_OK != hr) { wprintf(L"CAFindCertTypeByName failed with 0x%08X. \n",hr); goto error; }
hr = CACertTypeAccessCheck( hCertType, hClientToken );
if(S_OK != hr) { wprintf(L"CACertTypeAccessCheck failed with 0x%08X. \n",hr); goto error; }
hr = CAFindByName( L"Microsoft Windows VBL03 !0028DS!0029", NULL, 0, &hCAInfo);
if((S_OK != hr) || (NULL==hCAInfo)) { wprintf(L"CAFindByName for %ws failed with 0x%08X. \n", hr); goto error; }
hr=CAAccessCheck(hCAInfo, hClientToken);
if(S_OK != hr) { wprintf(L"CAAccessCheck failed with 0x%08X. \n",hr); goto error; } */
hr = CAEnumCertTypes( CT_ENUM_MACHINE_TYPES | CT_ENUM_USER_TYPES, &hCertType);
if((S_OK != hr) || (NULL==hCertType)) { wprintf(L"CAEnumCertTyes failed with 0x%08X. \n",hr); goto error; }
dwCount = CACountCertTypes(hCertType);
wprintf(L"We have 0x%d cert types. \n", dwCount);
if(0 == dwCount) goto error;
for(dwIndex=0; dwIndex < dwCount; dwIndex++) { if(dwIndex!=0) { hr = CAEnumNextCertType(hCertType, &hNextCertType); if(S_OK != hr) { wprintf(L"CAEnumNextCertType failed with 0x%08X. \n",hr); goto error; } CACloseCertType(hCertType); hCertType=hNextCertType;
}
hr = CAGetCertTypePropertyEx(hCertType, CERTTYPE_PROP_FRIENDLY_NAME, &pwszFriendlyName);
if((S_OK != hr) || (NULL==pwszFriendlyName) || (NULL==pwszFriendlyName[0])) { wprintf(L"Friendly Name property failed with 0x%08X. \n",hr); goto error; } hr = CAGetCertTypePropertyEx(hCertType, CERTTYPE_PROP_DESCRIPTION, &pwszDescription);
if((S_OK != hr) || (NULL==pwszDescription) || (NULL==pwszDescription[0])) { wprintf(L"Description property failed with 0x%08X. \n",hr); goto error; }
wprintf(L"%ws has the description of %ws. \n",pwszFriendlyName[0], pwszDescription[0]);
CAFreeCertTypeProperty(hCertType, pwszFriendlyName); CAFreeCertTypeProperty(hCertType, pwszDescription); }
fResult = TRUE;
error: if(hHandle) CloseHandle(hHandle);
if(hClientToken) CloseHandle(hClientToken);
return fResult;
}
//--------------------------------------------------------------------
//
// OIDURLTest
//
//
//--------------------------------------------------------------------
BOOL OIDURLTest(){ BOOL fResult=FALSE; HRESULT hr=E_FAIL; DWORD dwIndex=0;
LPWSTR pwsz=NULL;
for(dwIndex=0; dwIndex < 14; dwIndex++) { //URL testing
if(S_OK != (hr=CAOIDGetLdapURL(CERT_OID_TYPE_TEMPLATE, 0, &pwsz))) { wprintf(L"CAOIDGetLdapURL failed with 0x%08X. \n",hr); }
printf("The URL for template is: %S\n", pwsz);
if(S_OK != (hr=CAOIDFreeLdapURL(pwsz))) { wprintf(L"CAOIDFreeLdapURL failed with 0x%08X. \n",hr); goto error; }
//sleep for 1 second
Sleep(1000); }
fResult=TRUE;
error:
return fResult;
}
//--------------------------------------------------------------------
//
// ACRSTest
//
//
//--------------------------------------------------------------------
BOOL ACRSTest(){ BOOL fResult=FALSE; HRESULT hr=E_FAIL;
/* hr = CACreateLocalAutoEnrollmentObject(
wszCERTTYPE_DC, // DC certificate
NULL, // any CA
NULL, // reserved
CERT_SYSTEM_STORE_LOCAL_MACHINE); if(S_OK != hr) { wprintf(L"CreateLocalAutoEnrollmentObject failed with 0x%08X. \n",hr); goto error; } */
hr = CADeleteLocalAutoEnrollmentObject( wszCERTTYPE_DC, // DC certificate
NULL, // any CA
NULL, // reserved
CERT_SYSTEM_STORE_LOCAL_MACHINE); if(S_OK != hr) { wprintf(L"DeleteLocalAutoEnrollmentObject failed with 0x%08X. \n",hr); goto error; }
fResult=TRUE;
error:
return fResult;
}
//--------------------------------------------------------------------
//
//
// PropertyTest()
//
//
//--------------------------------------------------------------------
BOOL PropertyTest(LPWSTR pwszRetry, LPWSTR pwszSecond){ BOOL fResult=FALSE; CRYPT_DATA_BLOB blobProp; DWORD dwRetry=0; DWORD dwSecond=0; AE_RETRY_INFO AE_Retry_Info; ULARGE_INTEGER ftTime; ULARGE_INTEGER DueTime; ULONG lConvert=0;
HCERTSTORE hMyStore=NULL; PCCERT_CONTEXT pCertContext=NULL;
hMyStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");
if(NULL == hMyStore) goto Ret;
dwRetry=_wtoi(pwszRetry); dwSecond=_wtoi(pwszSecond);
if(0 != dwRetry) { memset(&blobProp, 0, sizeof(CRYPT_DATA_BLOB));
blobProp.cbData=sizeof(AE_RETRY_INFO); blobProp.pbData=(BYTE *)&AE_Retry_Info;
memset(&AE_Retry_Info, 0, sizeof(AE_RETRY_INFO));
AE_Retry_Info.cbSize=sizeof(AE_RETRY_INFO); AE_Retry_Info.dwRetry=dwRetry;
//get the current time
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
// convert to 10^-7s.
lConvert=10000*1000;
DueTime.QuadPart=Int32x32To64(dwSecond, lConvert);
(AE_Retry_Info.dueTime).QuadPart = ftTime.QuadPart + DueTime.QuadPart; }
while(pCertContext=CertEnumCertificatesInStore(hMyStore, pCertContext)) { //copy the property on the certificate
if(0 == dwRetry) { if(!CertSetCertificateContextProperty( pCertContext, CERT_AUTO_ENROLL_RETRY_PROP_ID, 0, NULL)) { goto Ret; } } else { if(!CertSetCertificateContextProperty( pCertContext, CERT_AUTO_ENROLL_RETRY_PROP_ID, 0, &blobProp)) { goto Ret; } } }
fResult=TRUE;
Ret:
if(pCertContext) CertFreeCertificateContext(pCertContext);
if(hMyStore) CertCloseStore(hMyStore, 0);
return fResult;}
//-----------------------------------------------------------------------
//
// GetRetryProperty
//
//-----------------------------------------------------------------------
BOOL GetRetryProperty(PCCERT_CONTEXT pCertContext, AE_RETRY_INFO **ppAE_Retry_Info){ BOOL fResult=FALSE; DWORD cbData=0;
AE_RETRY_INFO *pRetry_Info=NULL;
if((NULL==pCertContext) || (NULL==ppAE_Retry_Info)) goto Ret;
*ppAE_Retry_Info=NULL;
if(!CertGetCertificateContextProperty( pCertContext, CERT_AUTO_ENROLL_RETRY_PROP_ID, NULL, &cbData)) goto Ret;
pRetry_Info=(AE_RETRY_INFO *)LocalAlloc(LPTR, cbData); if(NULL == pRetry_Info) goto Ret;
if(!CertGetCertificateContextProperty( pCertContext, CERT_AUTO_ENROLL_RETRY_PROP_ID, pRetry_Info, &cbData)) goto Ret;
//verify the integrity of the property on the certificate
if(cbData < sizeof(AE_RETRY_INFO)) goto Ret;
if((pRetry_Info->cbSize) < sizeof(AE_RETRY_INFO)) goto Ret;
*ppAE_Retry_Info=pRetry_Info; pRetry_Info=NULL;
fResult=TRUE;
Ret:
if(pRetry_Info) LocalFree(pRetry_Info);
return fResult;}
//--------------------------------------------------------------------
//
//
// ShowPropertyTest()
//
//
//--------------------------------------------------------------------
BOOL ShowPropertyTest(){ BOOL fResult=FALSE; DWORD i=0; ULARGE_INTEGER dwSeconds; ULARGE_INTEGER one; ULARGE_INTEGER two; ULARGE_INTEGER three; ULARGE_INTEGER ftTime;
HCERTSTORE hMyStore=NULL; PCCERT_CONTEXT pCertContext=NULL; AE_RETRY_INFO *pAE_Retry_Info=NULL;
hMyStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY");
if(NULL == hMyStore) goto Ret;
while(pCertContext=CertEnumCertificatesInStore(hMyStore, pCertContext)) { //display the property
if(!GetRetryProperty(pCertContext, &pAE_Retry_Info)) { wprintf(L"===================== %d =========================================\n", i); wprintf(L"The certificate has no CERT_AUTO_ENROLL_RETRY_PROP_ID property.\n"); wprintf(L"===============================================================\n\n"); } else { GetSystemTimeAsFileTime((LPFILETIME)&ftTime); dwSeconds.QuadPart = pAE_Retry_Info->dueTime.QuadPart-ftTime.QuadPart; one.QuadPart=dwSeconds.QuadPart/10000; two.QuadPart=one.QuadPart/1000;
wprintf(L"===================== %d =========================================\n", i); wprintf(L"The certificate has the following CERT_AUTO_ENROLL_RETRY_PROP_ID property.\n"); wprintf(L"Size = %d.\n", pAE_Retry_Info->cbSize); wprintf(L"Retry = %d.\n", pAE_Retry_Info->dwRetry); wprintf(L"dueTime = %d seconds. \n", (DWORD)(two.QuadPart)); wprintf(L"===============================================================\n\n"); }
//display the certificate
CryptUIDlgViewContext( CERT_STORE_CERTIFICATE_CONTEXT, pCertContext, NULL, NULL, 0, NULL);
i++;
if(pAE_Retry_Info) LocalFree(pAE_Retry_Info); }
fResult=TRUE;
Ret:
if(pCertContext) CertFreeCertificateContext(pCertContext);
if(hMyStore) CertCloseStore(hMyStore, 0);
return fResult;}
//--------------------------------------------------------------------
extern "C" int __cdecl wmain(int nArgs, WCHAR ** rgwszArgs) { BOOL fResult;
if (1 == nArgs || 0==wcscmp(rgwszArgs[1], L"/?") || 0==wcscmp(rgwszArgs[1], L"-?")) { PrintHelp(); goto done; }
if (0==_wcsicmp(L"OID", rgwszArgs[1])) { fResult=OIDTest();
} else if (0==_wcsicmp(L"Template", rgwszArgs[1])) { fResult=TemplateTest();
} else if (0==_wcsicmp(L"Query", rgwszArgs[1])) { fResult=QueryTest(FALSE);
} else if (0==_wcsicmp(L"QueryLDAP", rgwszArgs[1])) { fResult=QueryTest(TRUE);
} else if (0==_wcsicmp(L"CAEnum", rgwszArgs[1])) { fResult=CAEnumTest(FALSE, rgwszArgs[2]);
} else if (0==_wcsicmp(L"CAEnumLDAP", rgwszArgs[1])) { fResult=CAEnumTest(TRUE, rgwszArgs[2]);
} else if (0==_wcsicmp(L"Clone", rgwszArgs[1])) { fResult=CloneTest(FALSE, rgwszArgs[2]);
} else if (0==_wcsicmp(L"CloneLDAP", rgwszArgs[1])) { fResult=CloneTest(TRUE, rgwszArgs[2]);
} else if (0==_wcsicmp(L"TemplateDes", rgwszArgs[1])) { fResult=TemplateDesTest();
} else if (0==_wcsicmp(L"ACRS", rgwszArgs[1])) { fResult=ACRSTest();
} else if (0==_wcsicmp(L"OIDURL", rgwszArgs[1])) { fResult=OIDURLTest();
} else if (0==_wcsicmp(L"PROPERTY", rgwszArgs[1])) { fResult=PropertyTest(rgwszArgs[2], rgwszArgs[3]);
} else if (0==_wcsicmp(L"SHOW PROPERTY", rgwszArgs[1])) { fResult=ShowPropertyTest();
} else { wprintf(L"Command '%ws' unknown.\n", rgwszArgs[1]); goto done; } if (!fResult) { wprintf(L"Command '%ws' failed \n", rgwszArgs[1]); } else { wprintf(L"Command '%ws' completed successfully.\n", rgwszArgs[1]); }
done: return fResult; }
|
