|
|
/*
usage:
winhttpcertcfg [-?] : to view help information
winhttpcertcfg [-i PFXFile | -g | -r | -l] -c CertLocation\CertStore [-a Account] [-s SubjectStr] [-p PFXPassword]
-i PFXFile : Import cert via specified .pfx filename given with the option. This option also requires -a and -c to indicate destination (doesn't support -a in conjunction with importing just yet).
-g : Grant access to private key for already installed cert indicated by subject string. This option also requires -a, -c, and -s.
-r : Remove access to private key for specified account name and certificate. This option also requires -a, -c, -s to specify the account and certificate information.
-l : List accounts that have access to the private key of enumerated certs specified via other filter options. This option also requires -c and -s to specify which certificate should be queried.
Description of addtional options: -c LOCAL_MACHINE|CURRENT_USER\CertStore (Example: LOCAL_MACHINE\MY)
-a Account (Represents user or domain account on the machine. Examples: IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\DOMAINUSER)
-s SubjectStr (Case-insensitive search string for finding the first enumerated certificate with a subject name that contains this substring.)
-p PFXPassword (Password to use when importing a PFX file. Only used with -i.) */
#include <windows.h>
#include <cryptui.h>
#include <wincrypt.h>
#include <stdio.h>
typedef DWORD (WINAPI* CRYPTUIWIZIMPORT) (DWORD, HWND, LPCWSTR, PCCRYPTUI_WIZ_IMPORT_SRC_INFO, HCERTSTORE);typedef BOOL (WINAPI* SETSECURITYDESCRIPTORCONTROL) (PSECURITY_DESCRIPTOR, SECURITY_DESCRIPTOR_CONTROL, SECURITY_DESCRIPTOR_CONTROL);
static const char gc_szLocalMachine[] = "LOCAL_MACHINE";static const char gc_szCurrentUser[] = "CURRENT_USER";
enum ARGTYPE{ ARGS_HELP, ARGS_IMPORT_PFX, ARGS_ADD_PRIVATE_KEY_ACCESS, ARGS_REMOVE_PRIVATE_KEY_ACCESS, ARGS_LIST_PRIVATE_KEY_ACCESS};
struct ARGS{ ARGTYPE Command;
LPWSTR pwszPFXFile; LPWSTR pwszCertStore; LPWSTR pwszCertSubject; LPWSTR pwszPFXPassword; LPSTR pszDomain; LPSTR pszAccount; BOOL fUseLocalMachine;};
void ParseArguments(int argc, char **argv, ARGS *pArgs);DWORD AsciiToWideChar(const char * pszA, LPWSTR * ppszW);DWORD ImportPFXFile(ARGS *pArgs);VOID DumpSid(BYTE *pSid);VOID DumpCertInfo(PCCERT_CONTEXT pCertContext);DWORD GetAccountForSid(BYTE *pSid, LPTSTR *ppszDomain, LPTSTR *ppszAccount);DWORD GetSidForAccount(LPCTSTR pszDomain, LPCTSTR pszAccount, BYTE **ppSid, char **ppszDomain);DWORD DumpAccessAllowedList(PACL pDacl);DWORD DoPrivateKeyAccessAction(ARGS *pArgs);DWORD ProcessCertContext(PCCERT_CONTEXT pCertContext, BYTE *pSid, ARGTYPE eCommand);BOOL CheckForRootCert(PCCERT_CONTEXT pCertContext);DWORD AddPrivateKeyAccess(PACL pDacl, BYTE *pSid, PACL *ppNewDacl);DWORD RemovePrivateKeyAccess(PACL pDacl, BYTE *pSid);BOOL MySetSecurityDescriptorControl(PSECURITY_DESCRIPTOR pSD, SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet);
voidParseArguments(int argc, char **argv, ARGS *pArgs){ char *pszBreak;
ZeroMemory((PVOID) pArgs, sizeof(ARGS));
pArgs->Command = ARGS_HELP; pArgs->fUseLocalMachine = TRUE;
for (; argc > 0; argc--, argv++) { if (((argv[0][0] != '-') && (argv[0][0] != '/')) || (lstrlen(argv[0]) != 2)) { goto ErrorExit; }
switch (tolower(argv[0][1])) { case 'l': pArgs->Command = ARGS_LIST_PRIVATE_KEY_ACCESS; break;
case 'g': pArgs->Command = ARGS_ADD_PRIVATE_KEY_ACCESS; break; case 'i': { TCHAR szShortPath[MAX_PATH]; BOOL fUseConvertedPath = TRUE;
argc--; argv++;
if (argc == 0) { // error: no PFX file specified
goto ErrorExit; }
// PFX Import API doesn't handle long filenames
if (GetShortPathName(argv[0], szShortPath, MAX_PATH) > MAX_PATH) { fUseConvertedPath = FALSE; }
if (ERROR_SUCCESS == AsciiToWideChar(fUseConvertedPath ? szShortPath : argv[0], &pArgs->pwszPFXFile)) { pArgs->Command = ARGS_IMPORT_PFX; break; } else { goto ErrorExit; } } case 'r': pArgs->Command = ARGS_REMOVE_PRIVATE_KEY_ACCESS; break;
case 'c': argc--; argv++;
if (argc > 0 && (pszBreak = strchr(argv[0], '\\')) != NULL) { if (_strnicmp(argv[0], gc_szLocalMachine, strlen(gc_szLocalMachine)) == 0) { pArgs->fUseLocalMachine = TRUE; } else if (_strnicmp(argv[0], gc_szCurrentUser, strlen(gc_szCurrentUser)) == 0) { pArgs->fUseLocalMachine = FALSE; } else { goto ErrorExit; }
// increment to skip the backslash
pszBreak++; if (ERROR_SUCCESS == AsciiToWideChar(pszBreak, &pArgs->pwszCertStore)) { break; } } goto ErrorExit;
case 's': argc--; argv++;
if (argc <= 0 || ERROR_SUCCESS != AsciiToWideChar(argv[0], &pArgs->pwszCertSubject)) { goto ErrorExit; } break;
case 'a': argc--; argv++;
if (argc > 0) { pArgs->pszAccount = strchr(argv[0], '\\'); if (pArgs->pszAccount) { // Break the two apart by removing the slash
*(pArgs->pszAccount) = '\0'; pArgs->pszAccount++; pArgs->pszDomain = argv[0]; } else { pArgs->pszAccount = argv[0]; } } else { goto ErrorExit; } break;
case 'p': argc--; argv++;
if (argc <= 0 || ERROR_SUCCESS != AsciiToWideChar(argv[0], &pArgs->pwszPFXPassword)) { // error: no password specified
goto ErrorExit; } break;
default: goto ErrorExit;
} }
// Now verify that we've obtained all the needed
// options based on the desired config operation.
if (pArgs->Command != ARGS_HELP) { // All options need -c.
// All but -i need -s, and all but -i prohibit -p.
// All but -l need -a.
// -a not allowed for -l.
// -s not allowed for -i.
if (pArgs->pwszCertStore == NULL || (pArgs->Command != ARGS_IMPORT_PFX && (pArgs->pwszCertSubject == NULL || pArgs->pwszPFXPassword)) || (pArgs->Command == ARGS_LIST_PRIVATE_KEY_ACCESS && pArgs->pszAccount) || (pArgs->Command == ARGS_IMPORT_PFX && pArgs->pwszCertSubject)) { // Incorrect set of options were passed, so flip this to
// displaying the usage.
goto ErrorExit; } }
return;
ErrorExit: pArgs->Command = ARGS_HELP; return;}
//
// AsciiToWideChar was borrowed from WinHttp\v5\common\util.cxx
//
DWORDAsciiToWideChar(const char * pszA, LPWSTR * ppszW){ DWORD cchA; DWORD cchW;
*ppszW = NULL;
if (!pszA) return ERROR_SUCCESS;
cchA = lstrlenA(pszA);
// Determine how big the widechar string will be
cchW = MultiByteToWideChar(CP_ACP, 0, pszA, cchA, NULL, 0);
*ppszW = new WCHAR[cchW+1];
if (!*ppszW) return ERROR_NOT_ENOUGH_MEMORY;
cchW = MultiByteToWideChar(CP_ACP, 0, pszA, cchA, *ppszW, cchW);
(*ppszW)[cchW] = 0;
return ERROR_SUCCESS;}
DWORDImportPFXFile(ARGS *pArgs){ CRYPTUI_WIZ_IMPORT_SRC_INFO importSrc; HCERTSTORE hDestCertStore = NULL; HCERTSTORE hTempCertStore = NULL; DWORD dwError = ERROR_SUCCESS; HINSTANCE hCryptUILib = NULL; CRYPTUIWIZIMPORT pfnCryptUIWizImport; hCryptUILib = LoadLibrary(TEXT("cryptui.dll")); if (hCryptUILib == NULL) { dwError = GetLastError(); fprintf(stderr, "Error: Failed to load cryptography component with error code 0x%X\n", dwError); goto Cleanup; }
pfnCryptUIWizImport = (CRYPTUIWIZIMPORT)GetProcAddress(hCryptUILib, "CryptUIWizImport"); if (pfnCryptUIWizImport == NULL) { dwError = GetLastError(); fprintf(stderr, "Error: Could not find needed DLL entry point\n"); goto Cleanup; }
hDestCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_STORE_OPEN_EXISTING_FLAG | (pArgs->fUseLocalMachine ? CERT_SYSTEM_STORE_LOCAL_MACHINE : CERT_SYSTEM_STORE_CURRENT_USER), pArgs->pwszCertStore);
hTempCertStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL);
if (!hDestCertStore || !hTempCertStore) { dwError = GetLastError(); fprintf(stderr, "Error: Failed to open certificate store with error code 0x%X\n", dwError); goto Cleanup; }
// Ensure that it's really a PFX file that can be imported.
if(CryptQueryObject(CERT_QUERY_OBJECT_FILE, pArgs->pwszPFXFile, CERT_QUERY_CONTENT_FLAG_PFX, CERT_QUERY_FORMAT_FLAG_ALL, 0, NULL, NULL, NULL, NULL, NULL, NULL)) {
memset(&importSrc, 0, sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO)); importSrc.dwSize = sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO); importSrc.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE; importSrc.pwszFileName = pArgs->pwszPFXFile; importSrc.pwszPassword = pArgs->pwszPFXPassword;
if ((*pfnCryptUIWizImport)(CRYPTUI_WIZ_NO_UI | (pArgs->fUseLocalMachine ? CRYPTUI_WIZ_IMPORT_TO_LOCALMACHINE : CRYPTUI_WIZ_IMPORT_TO_CURRENTUSER) | CRYPTUI_WIZ_IMPORT_ALLOW_CERT, NULL, NULL, &importSrc, hTempCertStore)) { DWORD dwImportCount = 0; DWORD dwAclCount = 0; BYTE *pSid = NULL; LPSTR pszDomain = NULL;
dwError = GetSidForAccount(pArgs->pszDomain, pArgs->pszAccount, &pSid, &pszDomain); if (ERROR_SUCCESS != dwError) { goto Cleanup; }
// Extract cert context(s) from temporary store and copy to
// destination store. Need to enumerate and import one
// at a time, so the private key access can also be modified.
PCCERT_CONTEXT pCertContext = NULL; PCCERT_CONTEXT pDestCertContext = NULL;
importSrc.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_CERT_CONTEXT;
while (ERROR_SUCCESS == dwError && (pCertContext = CertEnumCertificatesInStore(hTempCertStore, pCertContext)) != NULL) { // Root cert is last...break and add it to the root store.
if (CheckForRootCert(pCertContext)) break;
// Overwrite if already installed.
if (CertAddCertificateContextToStore(hDestCertStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, &pDestCertContext)) { // Let the user see info regarding the cert imported
fprintf(stdout, "Imported certificate:\n"); DumpCertInfo(pCertContext); fprintf(stdout, "\n"); dwError = ProcessCertContext(pDestCertContext, pSid, ARGS_ADD_PRIVATE_KEY_ACCESS);
if (ERROR_SUCCESS == dwError) { dwAclCount++; } CertFreeCertificateContext(pDestCertContext);
dwImportCount++; } else { fprintf(stderr, "Error: Failed to import a certificate, error = 0x%X\n\n", GetLastError()); } } if (pCertContext) { CertCloseStore(hDestCertStore, 0);
hDestCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_STORE_OPEN_EXISTING_FLAG | (pArgs->fUseLocalMachine ? CERT_SYSTEM_STORE_LOCAL_MACHINE : CERT_SYSTEM_STORE_CURRENT_USER), L"Root");
if (!hDestCertStore) { dwError = GetLastError(); fprintf(stderr, "Error: Unable to import root certificate\n\n"); goto Cleanup; }
if (!CertAddCertificateContextToStore(hDestCertStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) { fprintf(stderr, "Warning: Failed to import root certificate\n\n"); }
CertFreeCertificateContext(pCertContext); }
if (pSid) LocalFree(pSid);
if (pszDomain) LocalFree(pszDomain); } else { dwError = GetLastError(); fprintf(stderr, "Error: Unable to import contents of PFX file.\n" " Please make sure the filename and path,\n" " as well as the password, are correct.\n\n", dwError); } } else { dwError = GetLastError(); if (dwError == ERROR_FILE_NOT_FOUND) { fprintf(stderr,"Error: PFX file was not found\n"); } else { fprintf(stderr,"Error: Unable to open PFX file\n"); } }
Cleanup:
if (hTempCertStore) CertCloseStore(hTempCertStore, CERT_CLOSE_STORE_FORCE_FLAG); if (hDestCertStore) CertCloseStore(hDestCertStore, CERT_CLOSE_STORE_FORCE_FLAG);
if (hCryptUILib) { FreeLibrary(hCryptUILib); }
return dwError;}
VOIDDumpSid(BYTE *pSid){ LPTSTR pszDomain = NULL; LPTSTR pszAccount = NULL;
if (ERROR_SUCCESS == GetAccountForSid(pSid, &pszDomain, &pszAccount)) { if (pszDomain) { fprintf(stdout, " %s\\%s\n", pszDomain, pszAccount); } else { fprintf(stdout, " %s\n", pszDomain, pszAccount); } if (pszDomain) LocalFree(pszDomain); if (pszAccount) LocalFree(pszAccount); }}
DWORDGetAccountForSid(BYTE *pSid, LPTSTR *ppszDomain, LPTSTR *ppszAccount){ DWORD cbAccountLength = 0; DWORD cbDomainLength = 0; SID_NAME_USE eUse; DWORD dwError = ERROR_SUCCESS;
if (!pSid || !ppszDomain || !ppszAccount || !IsValidSid(pSid)) return ERROR_INVALID_PARAMETER;
*ppszDomain = NULL; *ppszAccount = NULL;
if (!LookupAccountSid(NULL, pSid, *ppszAccount, &cbAccountLength, *ppszDomain, &cbDomainLength, &eUse)) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) { return GetLastError(); } } else { return ERROR_INVALID_PARAMETER; }
if (cbDomainLength) { *ppszDomain = (LPTSTR) LocalAlloc(LPTR, cbDomainLength * sizeof(TCHAR)); if (!*ppszDomain) { dwError = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }; }
*ppszAccount = (LPTSTR) LocalAlloc(LPTR, cbAccountLength * sizeof(TCHAR)); if (!*ppszAccount) { dwError = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
if (!LookupAccountSid(NULL, pSid, *ppszAccount, &cbAccountLength, *ppszDomain, &cbDomainLength, &eUse)) { dwError = GetLastError(); goto ErrorExit; }
// Made it through, should be ERROR_SUCCESS
return dwError;
ErrorExit: if (*ppszDomain) { LocalFree(*ppszDomain); *ppszDomain = NULL; } if (*ppszAccount) { LocalFree(*ppszAccount); *ppszAccount = NULL; }
fprintf(stderr,"Error: Unable to determine account name for SID, error = 0x%X\n", dwError);
return dwError;}
DWORDGetSidForAccount(LPCTSTR pszDomain, LPCTSTR pszAccount, BYTE **ppSid, char **ppszDomain){ SID_NAME_USE su; DWORD cbSidLength = 0; DWORD cbDomainLength = 0; DWORD dwError = ERROR_SUCCESS;
if (!pszAccount || !ppSid || !ppszDomain) return ERROR_INVALID_PARAMETER;
*ppSid = NULL; *ppszDomain = NULL;
// Determine the SID that belongs to the user. Make first call to
// get the needed buffer sizes.
if (!(LookupAccountName(pszDomain, pszAccount, *ppSid, &cbSidLength, *ppszDomain, &cbDomainLength, &su))) { if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) { dwError = GetLastError(); goto ErrorExit; } } else { return ERROR_INVALID_PARAMETER; } *ppSid = (BYTE *) LocalAlloc(LPTR, cbSidLength); if (!*ppSid) { return ERROR_NOT_ENOUGH_MEMORY; }; *ppszDomain = (char *) LocalAlloc(LPTR, cbDomainLength); if (!*ppszDomain) { dwError = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
if (!LookupAccountName(pszDomain, pszAccount, *ppSid, &cbSidLength, *ppszDomain, &cbDomainLength, &su)) { dwError = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
// Double check the returned SID
if (!IsValidSid(*ppSid)) { dwError = GetLastError(); goto ErrorExit; }
return dwError;
ErrorExit: if (*ppSid) { LocalFree(*ppSid); *ppSid = NULL; } if (*ppszDomain) { LocalFree(*ppszDomain); *ppszDomain = NULL; }
fprintf(stderr, "Error: No account information was found.\n", dwError);
return dwError;}
DWORDDumpAccessAllowedList(PACL pDacl){ WORD wIndex; LPVOID pAce = NULL;
if (pDacl == NULL) { fprintf(stdout, "The Discretionary Access Control List (DACL) for this object is a NULL DACL. " "This implies everyone has full access to this object. This NULL DACL could be" "in place because the system is running on a filesystem which does not support " "protected files (such as the FAT32 filesystem)" "\n"); goto done; } fprintf(stdout, "Additional accounts and groups with access to the private key include:\n"); for (wIndex = 0; wIndex < pDacl->AceCount; wIndex++) { if (GetAce(pDacl, wIndex, &pAce)) { // Should only be an access allowed ace, right?
if (((ACCESS_ALLOWED_ACE *)pAce)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { DumpSid((BYTE *)&(((ACCESS_ALLOWED_ACE *)pAce)->SidStart)); } } }
done: return ERROR_SUCCESS;}
// Wrapper that performs common work around the list, add, and remove actions
// involving a private key for a specified certificate.
DWORD DoPrivateKeyAccessAction(ARGS *pArgs){ HCRYPTPROV hProv = NULL; BOOL fFreeProv = FALSE; HCERTSTORE hCertStore = NULL; PCCERT_CONTEXT pCertContext = NULL; DWORD dwError = ERROR_SUCCESS; PACL pDacl = NULL; DWORD cbSD = 0;
// Assume args have already been verified.
hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG | (pArgs->fUseLocalMachine ? CERT_SYSTEM_STORE_LOCAL_MACHINE : CERT_SYSTEM_STORE_CURRENT_USER), pArgs->pwszCertStore);
if (!hCertStore) { DWORD dwError = GetLastError(); goto Cleanup; }
pCertContext = CertFindCertificateInStore(hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (LPVOID) pArgs->pwszCertSubject, NULL);
if (pCertContext) { BYTE *pSid = NULL; LPSTR pszDomain = NULL;
// Let the user have a solid idea of which cert was matched.
fprintf(stdout, "Matching certificate:\n"); DumpCertInfo(pCertContext);
// Bogus command will fall through when processing the cert context.
if (pArgs->Command != ARGS_LIST_PRIVATE_KEY_ACCESS) { dwError = GetSidForAccount(pArgs->pszDomain, pArgs->pszAccount, &pSid, &pszDomain); }
if (ERROR_SUCCESS == dwError) { dwError = ProcessCertContext(pCertContext, pSid, pArgs->Command);
if (pSid) LocalFree(pSid);
if (pszDomain) LocalFree(pszDomain); } } else { fprintf(stderr, "Error: Unable to find or obtain a context for requested certificate\n\n"); dwError = ERROR_NOT_FOUND; }
Cleanup: if (pCertContext) { CertFreeCertificateContext(pCertContext); } if (hCertStore) { CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG); } return dwError;}
// For a given cert, obtain the DACL associated with its private
// key and process the appropriate command.
DWORDProcessCertContext(PCCERT_CONTEXT pCertContext, BYTE *pSid, ARGTYPE eCommand){ DWORD dwError = ERROR_SUCCESS; DWORD dwKeySpec; DWORD cbSD; WORD wIndex; LPVOID pAce = NULL; PSECURITY_DESCRIPTOR pSD = NULL; SECURITY_DESCRIPTOR sd; HCRYPTPROV hProv = NULL; BOOL fFreeProv = FALSE; PACL pDacl = NULL; PACL pNewDacl = NULL; BOOL fPresent = FALSE; BOOL fDefault = FALSE;
if (!pCertContext) return ERROR_INVALID_PARAMETER;
// Get the CSP for the cert context.
// The client must be the owner to do this.
if (CryptAcquireCertificatePrivateKey(pCertContext, CRYPT_ACQUIRE_USE_PROV_INFO_FLAG | CRYPT_ACQUIRE_SILENT_FLAG, NULL, &hProv, &dwKeySpec, &fFreeProv)) { // Grab the DACL ACE list
if (CryptGetProvParam(hProv, PP_KEYSET_SEC_DESCR, NULL, &cbSD, DACL_SECURITY_INFORMATION)) { pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, cbSD); if (pSD) { if (CryptGetProvParam(hProv, PP_KEYSET_SEC_DESCR, (BYTE *)pSD, &cbSD, DACL_SECURITY_INFORMATION)) { if (!GetSecurityDescriptorDacl(pSD, &fPresent, &pDacl, &fDefault) && fPresent) { dwError = GetLastError(); fprintf(stderr, "Error: Failed to obtain access list private key\n\n"); goto Cleanup; } } else { dwError = GetLastError(); fprintf(stderr, "Error: Failed to obtain security information for private key\n\n"); goto Cleanup; } } else { dwError = ERROR_NOT_ENOUGH_MEMORY; goto Cleanup; } } else { fprintf(stderr, "Error: Failed to obtain security descriptor for private key\n\n"); goto Cleanup; } } else { fprintf(stderr, "Error: Access was not successfully obtained for the private key.\n"); fprintf(stderr, " This can only be done by the user who installed the certificate.\n\n"); goto Cleanup; }
switch (eCommand) { case ARGS_ADD_PRIVATE_KEY_ACCESS: case ARGS_REMOVE_PRIVATE_KEY_ACCESS:
if (pDacl == NULL) { fprintf(stdout, "OPERATION FAILED\n" "The Discretionary Access Control List (DACL) for this object is a NULL DACL. " "This implies everyone has full access to this object. This NULL DACL could be" "in place because the system is running on a filesystem which does not support " "protected files (such as the FAT32 filesystem)" "\n"); dwError = ERROR_SUCCESS; goto Cleanup; }
if (eCommand == ARGS_ADD_PRIVATE_KEY_ACCESS) dwError = AddPrivateKeyAccess(pDacl, pSid, &pNewDacl); else dwError = RemovePrivateKeyAccess(pDacl, pSid);
// If successful, update the DACL in the security descriptor
if (ERROR_SUCCESS == dwError) { SECURITY_DESCRIPTOR_CONTROL sdControl; DWORD dwRevision;
if (!GetSecurityDescriptorControl(pSD, &sdControl, &dwRevision)) { dwError = GetLastError(); goto Cleanup; }
// initialize a new security descriptor.
if(!InitializeSecurityDescriptor(&sd, dwRevision)) { dwError = GetLastError(); goto Cleanup; } // add the ACL to the security descriptor.
if(!SetSecurityDescriptorDacl(&sd, TRUE, pNewDacl ? pNewDacl : pDacl, FALSE)) { dwError = GetLastError(); goto Cleanup; }
// Set descriptor control.
// API Helper for this exists only on Win2K and up.
MySetSecurityDescriptorControl(&sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
if (!IsValidSecurityDescriptor(&sd)) { dwError = ERROR_INVALID_PARAMETER; goto Cleanup; }
if(!CryptSetProvParam(hProv, PP_KEYSET_SEC_DESCR, (BYTE*)&sd, DACL_SECURITY_INFORMATION)) { dwError = GetLastError(); goto Cleanup; } } break;
case ARGS_LIST_PRIVATE_KEY_ACCESS: DumpAccessAllowedList(pDacl);
// Don't care about reporting an error here when dumping the list.
dwError = ERROR_SUCCESS; break;
default: // should never be here...do nothing
break; }
Cleanup: if (ERROR_SUCCESS != dwError) { fprintf(stderr, "Error: Unable to update security info for key container, error = 0x%X\n\n", dwError); } if (fFreeProv && hProv) { CryptReleaseContext(hProv, 0); } if (pSD) { LocalFree(pSD); } return dwError;}
DWORDAddPrivateKeyAccess(PACL pDacl, BYTE *pSid, PACL *ppNewDacl){ WORD wIndex; BOOL fFound = FALSE; LPVOID pAce = NULL;
for (wIndex = 0; wIndex < pDacl->AceCount; wIndex++) { if (GetAce(pDacl, wIndex, &pAce)) { // Should only be an access allowed ace, right?
if (((ACCESS_ALLOWED_ACE *)pAce)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { if (EqualSid((BYTE *)&(((ACCESS_ALLOWED_ACE *)pAce)->SidStart), pSid)) { fprintf(stdout, "Private key access has already been granted for account:\n"); DumpSid((BYTE *)&(((ACCESS_ALLOWED_ACE *)pAce)->SidStart)); fFound = TRUE; } } } }
DWORD dwError = ERROR_SUCCESS;
if (!fFound) { fprintf(stdout, "Granting private key access for account:\n"); DumpSid(pSid);
if (!AddAccessAllowedAce(pDacl, ACL_REVISION, KEY_ALL_ACCESS, pSid)) { dwError = GetLastError(); if (ERROR_ALLOTTED_SPACE_EXCEEDED == dwError) { // Not enough space, so allocate a new dacl,
// and copy data from the old acl and append new ace.
WORD wAclSize = pDacl->AclSize + (WORD)GetLengthSid(pSid) + sizeof(ACCESS_ALLOWED_OBJECT_ACE); dwError = ERROR_SUCCESS;
// Allocate dacl + sizeof new sid + sizeof largest ace
*ppNewDacl = (PACL) LocalAlloc(LPTR, wAclSize);
if (NULL == *ppNewDacl) { dwError = ERROR_NOT_ENOUGH_MEMORY; goto ErrorExit; }
if (!InitializeAcl (*ppNewDacl, wAclSize, pDacl->AclRevision)) { dwError = GetLastError(); LocalFree(*ppNewDacl); *ppNewDacl = NULL; goto ErrorExit; } // Copy all the original ACEs
for (wIndex = 0; wIndex < pDacl->AceCount; wIndex++) { if (GetAce(pDacl, wIndex, &pAce)) { if (((ACCESS_ALLOWED_ACE *)pAce)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { if (!AddAccessAllowedAce(*ppNewDacl, ACL_REVISION, ((ACCESS_ALLOWED_ACE *)pAce)->Mask, (BYTE *)&(((ACCESS_ALLOWED_ACE *)pAce)->SidStart))) { dwError = GetLastError(); break; } } else { // Should only contain access allowed ACEs,
// but we'll handle anyway.
if (!AddAccessDeniedAce(*ppNewDacl, ACL_REVISION, ((ACCESS_DENIED_ACE *)pAce)->Mask, (BYTE *)&(((ACCESS_DENIED_ACE *)pAce)->SidStart))) { dwError = GetLastError(); break; } } } else { dwError = GetLastError(); break; } }
// Check for any errors
if (wIndex >= pDacl->AceCount) { // Try again
if (!AddAccessAllowedAce(*ppNewDacl, ACL_REVISION, KEY_ALL_ACCESS, pSid)) { dwError = GetLastError(); } } else { LocalFree(*ppNewDacl); *ppNewDacl = NULL; } } } }
ErrorExit: if (ERROR_SUCCESS != dwError) { fprintf(stderr, "Error: Failed to grant access with error code 0x%X\n\n", dwError); } return dwError;}
DWORDRemovePrivateKeyAccess(PACL pDacl, BYTE *pSid){ WORD wIndex; LPVOID pAce = NULL; BOOL fFound = FALSE;
for (wIndex = 0; wIndex < pDacl->AceCount; wIndex++) { if (GetAce(pDacl, wIndex, &pAce)) { // Should only be an access allowed ace, right?
if (((ACCESS_ALLOWED_ACE *)pAce)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { if (EqualSid((BYTE *)&(((ACCESS_ALLOWED_ACE *)pAce)->SidStart), pSid)) { fprintf(stdout, "Removing private key access for account:\n"); DumpSid((BYTE *)&(((ACCESS_ALLOWED_ACE *)pAce)->SidStart)); if (!DeleteAce(pDacl, wIndex)) { // Break on error
DWORD dwError = GetLastError(); fprintf(stderr, "Error: Failed to remove access with error code 0x%X\n\n", dwError); return dwError; } fFound = TRUE; // Keep going? Can there be dupes?
} } } } if (!fFound) { fprintf(stderr, "Account already does not have access to private key.\n\n"); } return ERROR_SUCCESS;}
// Wrapper to only set on Win2K and up because the API
// doesn't exist on NT4
BOOLMySetSecurityDescriptorControl( PSECURITY_DESCRIPTOR pSD, SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest, SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet){ SETSECURITYDESCRIPTORCONTROL pfnSetSecurityDescriptorControl = NULL; HMODULE hModule = NULL;
hModule = GetModuleHandle("advapi32.dll"); if (NULL != hModule) { pfnSetSecurityDescriptorControl = (SETSECURITYDESCRIPTORCONTROL) GetProcAddress(hModule, "SetSecurityDescriptorControl"); if (NULL != pfnSetSecurityDescriptorControl) { return (*pfnSetSecurityDescriptorControl)(pSD, ControlBitsOfInterest, ControlBitsToSet); } } return FALSE;}
VOIDDumpCertInfo(PCCERT_CONTEXT pCertContext){ LPTSTR pszCertName = NULL; DWORD cbCertName = 0;
if (!pCertContext) return;
cbCertName = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &pCertContext->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG, NULL, 0);
pszCertName = (LPTSTR) LocalAlloc(LPTR, cbCertName * sizeof(TCHAR) + 1); if (!pszCertName) return;
*pszCertName = TEXT('\0');
if (CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &pCertContext->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_CRLF_FLAG | CERT_NAME_STR_REVERSE_FLAG, pszCertName, cbCertName)) { fprintf(stdout, "%s\n\n", pszCertName); }}
// Does quick and dirty check for a root cert by testing
// the issuer and issued to fields.
BOOLCheckForRootCert(PCCERT_CONTEXT pCertContext){ TCHAR szIssuer[1024] = TEXT(""); TCHAR szIssuedTo[1024] = TEXT(""); DWORD cbCertName = 1024;
if (!pCertContext) return FALSE;
CertGetNameString(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, szIssuer, cbCertName);
CertGetNameString(pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, szIssuedTo, cbCertName);
return (lstrcmp(szIssuer, szIssuedTo) == 0) ? TRUE : FALSE;}
int __cdecl main (int argc, char **argv){ ARGS Args; DWORD dwErr = ERROR_SUCCESS;
fprintf (stdout, "Microsoft (R) WinHTTP Certificate Configuration Tool\n" "Copyright (C) Microsoft Corporation 2001.\n\n" ); // Discard program argument
argv++; argc--;
ParseArguments(argc, argv, &Args);
switch (Args.Command) { case ARGS_IMPORT_PFX:
dwErr = ImportPFXFile(&Args); break;
case ARGS_ADD_PRIVATE_KEY_ACCESS: case ARGS_REMOVE_PRIVATE_KEY_ACCESS: case ARGS_LIST_PRIVATE_KEY_ACCESS:
dwErr = DoPrivateKeyAccessAction(&Args); break;
case ARGS_HELP: default: fprintf(stderr, "Usage:\n\n" " winhttpcertcfg [-?] : To view help information\n\n" " winhttpcertcfg [-i PFXFile | -g | -r | -l]\n" " [-a Account] [-c CertStore] [-s SubjectStr] [-p PFXPassword]\n\n" "Note:\n\n" " The user must have sufficient privileges to use this tool,\n" " which likely requires the user to be an administrator and\n" " the same user who installed the client certificate, if it is\n" " already installed.\n\n" "Options:\n\n" " To list accounts which have access to the private key for\n" " specified certificate:\n" " winhttpcertcfg -l -c CertLocation -s SubjectStr\n\n" " To grant access to private key for an account with\n" " specified certificate that is already installed:\n" " winhttpcertcfg -g -c CertLocation -s SubjectStr -a Account\n\n" " To import a certificate plus private key from a PFX file:\n" " winhttpcertcfg -i PFXFile -c CertLocation\n\n" " To remove access to private key for an account with\n" " specified certificate:\n" " winhttpcertcfg -r -c CertLocation -s SubjectStr -a Account\n\n" "Description of secondary options:\n\n" " -c LOCAL_MACHINE|CURRENT_USER\\CertStore\n\n" " Use LOCAL_MACHINE or CURRENT_USER to designate which\n" " registry branch to use for the location. The\n" " certificate store can be any installed on the machine.\n" " Typical examples are MY, Root, and TrustedPeople.\n\n" " -a Account\n\n" " User account on the machine being configured. This could\n" " be a local machine or domain account, such as:\n" " IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\\DOMAINUSER.\n\n" " -s SubjectStr\n\n" " Case-insensitive search string for finding the first\n" " enumerated certificate with a subject name that contains\n" " this substring.\n\n" " -p PFXPassword\n\n" " Password to use for importing the certificate and\n" " private key. This option can only be used with -i.\n\n"); break; }
if (Args.pwszPFXFile) delete [] Args.pwszPFXFile; if (Args.pwszCertStore) delete [] Args.pwszCertStore; if (Args.pwszCertSubject) delete [] Args.pwszCertSubject; if (Args.pwszPFXPassword) delete [] Args.pwszPFXPassword;
return dwErr;}
|
