|
|
//+--------------------------------------------------------------------------
//
// Copyright (c) 1999 Microsoft Corporation
//
// File: keypack.c
//
// Contents: Keypack encoding/decoding library
//
// History:
//
//---------------------------------------------------------------------------
#include "precomp.h"
#include <stddef.h>
#include "md5.h"
#include "rc4.h"
#ifdef IGNORE_EXPIRATION
#define LICENSE_EXPIRATION_IGNORE L"SOFTWARE\\Microsoft\\TermServLicensing\\IgnoreLicenseExpiration"
#endif
typedef struct _Enveloped_Data{ DWORD cbEncryptedKey; PBYTE pbEncryptedKey; DWORD cbEncryptedData; PBYTE pbEncryptedData;} Enveloped_Data, * PEnveloped_Data;
///////////////////////////////////////////////////////////////////////////////
//
// Internal functions
//
DWORD WINAPIVerifyAndGetLicenseKeyPack( HCRYPTPROV hCryptProv, PLicense_KeyPack pLicenseKeyPack, DWORD cbSignerCert, PBYTE pbSignerCert, DWORD cbRootCertificate, PBYTE pbRootCertificate, DWORD cbSignedBlob, PBYTE pbSignedBlob );
DWORD WINAPIGetCertificate( DWORD cbCertificateBlob, PBYTE pbCertificateBlob, HCRYPTPROV hCryptProv, PCCERT_CONTEXT * ppCertContext, HCERTSTORE * phCertStore );
DWORD WINAPIVerifyCertificateChain( HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD cbRootCertificate, PBYTE pbRootCertificate );
DWORD WINAPIGetCertVerificationResult( DWORD dwFlags );
DWORD WINAPIUnpackEnvelopedData( IN OUT PEnveloped_Data pEnvelopedData, IN DWORD cbPackedData, IN PBYTE pbPackedData );
DWORD WINAPIGetEnvelopedData( IN DWORD dwEncyptType, IN HCRYPTPROV hCryptProv, IN PEnveloped_Data pEnvelopedData, OUT PDWORD pcbData, OUT PBYTE *ppbData );
/////////////////////////////////////////////////////////
DWORD WINAPILicensePackEncryptDecryptData( IN PBYTE pbParm, IN DWORD cbParm, IN OUT PBYTE pbData, IN DWORD cbData )/*++
Abstract:
Internal routine to encrypt/decrypt a blob of data
Parameter:
pbParm : binary blob to generate encrypt/decrypt key. cbParm : size of binary blob. pbData : data to be encrypt/decrypt. cbData : size of data to be encrypt/decrypt.
Returns:
ERROR_SUCCESS or error code.
Remark:
--*/{ DWORD dwRetCode = ERROR_SUCCESS; MD5_CTX md5Ctx; RC4_KEYSTRUCT rc4KS; BYTE key[16]; int i;
if(NULL == pbParm || 0 == cbParm) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); return dwRetCode; }
MD5Init(&md5Ctx); MD5Update( &md5Ctx, pbParm, cbParm );
MD5Final(&md5Ctx);
memset(key, 0, sizeof(key));
for(i=0; i < 5; i++) { key[i] = md5Ctx.digest[i]; }
//
// Call RC4 to encrypt/decrypt data
//
rc4_key( &rc4KS, sizeof(key), key );
rc4( &rc4KS, cbData, pbData );
return dwRetCode;}
static BYTE rgbPubKeyWithExponentOfOne[] ={0x06, 0x02, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00,0x52, 0x53, 0x41, 0x31, 0x00, 0x02, 0x00, 0x00,0x01, 0x00, 0x00, 0x00,
0xab, 0xef, 0xfa, 0xc6, 0x7d, 0xe8, 0xde, 0xfb,0x68, 0x38, 0x09, 0x92, 0xd9, 0x42, 0x7e, 0x6b,0x89, 0x9e, 0x21, 0xd7, 0x52, 0x1c, 0x99, 0x3c,0x17, 0x48, 0x4e, 0x3a, 0x44, 0x02, 0xf2, 0xfa,0x74, 0x57, 0xda, 0xe4, 0xd3, 0xc0, 0x35, 0x67,0xfa, 0x6e, 0xdf, 0x78, 0x4c, 0x75, 0x35, 0x1c,0xa0, 0x74, 0x49, 0xe3, 0x20, 0x13, 0x71, 0x35,0x65, 0xdf, 0x12, 0x20, 0xf5, 0xf5, 0xf5, 0xc1};
//---------------------------------------------------------------
BOOL WINAPI GetPlaintextKey( IN HCRYPTPROV hProv, IN HCRYPTKEY hSymKey, OUT BYTE *pbPlainKey // this must be a 16 byte buffer
)/*++
part of Jeff Spelman's code
--*/{ HCRYPTKEY hPubKey = 0; BYTE rgbSimpleBlob[128]; DWORD cbSimpleBlob; BYTE *pb; DWORD i; BOOL fRet = FALSE;
memset(rgbSimpleBlob, 0, sizeof(rgbSimpleBlob));
if (!CryptImportKey(hProv, rgbPubKeyWithExponentOfOne, sizeof(rgbPubKeyWithExponentOfOne), 0, 0, &hPubKey)) { goto Ret; }
cbSimpleBlob = sizeof(rgbSimpleBlob); if (!CryptExportKey(hSymKey, hPubKey, SIMPLEBLOB, 0, rgbSimpleBlob, &cbSimpleBlob)) { goto Ret; }
memset(pbPlainKey, 0, 16); pb = rgbSimpleBlob + sizeof(BLOBHEADER) + sizeof(ALG_ID); // byte reverse the key
for (i = 0; i < 5; i++) { pbPlainKey[i] = pb[5 - (i + 1)]; }
fRet = TRUE;
Ret: if (hPubKey) { CryptDestroyKey(hPubKey); }
return fRet;}
//--------------------------------------------------------------------
DWORD WINAPIKeyPackDecryptData( IN DWORD dwEncryptType, IN HCRYPTPROV hCryptProv, IN BYTE* pbEncryptKey, IN DWORD cbEncryptKey, IN BYTE* pbEncryptData, IN DWORD cbEncryptData, OUT PBYTE* ppbDecryptData, OUT PDWORD pcbDecryptData )/*++
Abstract:
Decrypt a blob of data
Parameters:
bForceCrypto : TRUE if always use Crypto. API, FALSE otherwise. hCryptProv : pbEncryptKey : cbEncryptKey : pbEncryptData : cbEncryptData : ppbDecryptData : pcbDecryptData :
Returns:
ERROR_SUCCESS or error code.
Remark:
--*/{ HCRYPTKEY hSymKey = 0; DWORD dwErrCode = ERROR_SUCCESS; BYTE rgbPlainKey[16]; RC4_KEYSTRUCT KeyStruct; BOOL bFrenchLocale;
bFrenchLocale = (MAKELANGID(LANG_FRENCH, SUBLANG_FRENCH) == GetSystemDefaultLangID());
if( (HCRYPTPROV)NULL == hCryptProv || NULL == pbEncryptKey || 0 == cbEncryptKey || NULL == pbEncryptData || 0 == cbEncryptData ) { SetLastError(dwErrCode = ERROR_INVALID_PARAMETER); return dwErrCode; }
if( NULL == ppbDecryptData || NULL == pcbDecryptData ) { SetLastError(dwErrCode = ERROR_INVALID_PARAMETER); return dwErrCode; }
*pcbDecryptData = 0; *ppbDecryptData = NULL;
if(!CryptImportKey( hCryptProv, pbEncryptKey, cbEncryptKey, 0, CRYPT_EXPORTABLE, &hSymKey )) { dwErrCode = GetLastError(); goto cleanup; }
*pcbDecryptData = cbEncryptData; *ppbDecryptData = (PBYTE) LocalAlloc(LPTR, cbEncryptData); if(NULL == *ppbDecryptData) { dwErrCode = GetLastError(); goto cleanup; }
memcpy( *ppbDecryptData, pbEncryptData, *pcbDecryptData );
if(bFrenchLocale && LICENSE_KEYPACK_ENCRYPT_CRYPTO == dwEncryptType) { if(!GetPlaintextKey( hCryptProv, hSymKey, rgbPlainKey)) { dwErrCode = GetLastError(); goto cleanup; }
//
// RC4 - input buffer size = output buffer size
//
rc4_key(&KeyStruct, sizeof(rgbPlainKey), rgbPlainKey); rc4(&KeyStruct, *pcbDecryptData, *ppbDecryptData);
dwErrCode = ERROR_SUCCESS; } else { if(!CryptDecrypt(hSymKey, 0, TRUE, 0, *ppbDecryptData, pcbDecryptData)) { dwErrCode = GetLastError(); if(NTE_BAD_LEN == dwErrCode) { PBYTE pbNew; //
// output buffer is too small, re-allocate
//
pbNew = (PBYTE) LocalReAlloc( *ppbDecryptData, *pcbDecryptData, LMEM_ZEROINIT ); if(NULL == pbNew) { dwErrCode = GetLastError(); goto cleanup; }
*ppbDecryptData = pbNew; }
memcpy( *ppbDecryptData, pbEncryptData, cbEncryptData );
if(!CryptDecrypt(hSymKey, 0, TRUE, 0, *ppbDecryptData, pcbDecryptData)) { dwErrCode = GetLastError(); } } } cleanup:
if (hSymKey) { CryptDestroyKey(hSymKey); } if(dwErrCode != ERROR_SUCCESS) { if(*ppbDecryptData != NULL) { LocalFree(*ppbDecryptData); }
*ppbDecryptData = NULL; *pcbDecryptData = 0; }
return dwErrCode; }
///////////////////////////////////////////////////////////////////////////////
//
// decode the encrypted license key pack blob with the license server's private
// key.
//
// hCryptProv is opened with the key container that contains the key exchange
// private key.
//
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIDecodeLicenseKeyPackEx( OUT PLicense_KeyPack pLicenseKeyPack, IN PLicensePackDecodeParm pDecodeParm, IN DWORD cbKeyPackBlob, IN PBYTE pbKeyPackBlob )/*++
Abstract:
Decode the encrypted license key pack blob.
Parameters:
pLicenseKeyPack : Decoded license key pack. hCryptProv :
--*/{ DWORD dwRetCode = ERROR_SUCCESS; DWORD cbSignedBlob, cbSignature; PBYTE pbSignedBlob = NULL, pcbSignature = NULL; Enveloped_Data EnvelopedData; PEncodedLicenseKeyPack pEncodedLicensePack;
if( NULL == pLicenseKeyPack || NULL == pDecodeParm || NULL == pbKeyPackBlob || 0 == cbKeyPackBlob ) { return ERROR_INVALID_PARAMETER; }
if( (HCRYPTPROV)NULL == pDecodeParm->hCryptProv ) { return ERROR_INVALID_PARAMETER; }
pEncodedLicensePack = (PEncodedLicenseKeyPack)pbKeyPackBlob; if(pEncodedLicensePack->dwSignature != LICENSEPACKENCODE_SIGNATURE) { //
// EncodedLicenseKeyPack() puts size of encryption key as first DWORD
//
dwRetCode = DecodeLicenseKeyPack( pLicenseKeyPack, pDecodeParm->hCryptProv, pDecodeParm->cbClearingHouseCert, pDecodeParm->pbClearingHouseCert, pDecodeParm->cbRootCertificate, pDecodeParm->pbRootCertificate, cbKeyPackBlob, pbKeyPackBlob );
return dwRetCode; }
if(pEncodedLicensePack->dwStructVersion > LICENSEPACKENCODE_CURRENTVERSION) { return ERROR_INVALID_DATA; }
if( pEncodedLicensePack->dwEncodeType > LICENSE_KEYPACK_ENCRYPT_MAX ) { return ERROR_INVALID_DATA; }
if( cbKeyPackBlob != offsetof(EncodedLicenseKeyPack, pbData) + pEncodedLicensePack->cbData ) { return ERROR_INVALID_DATA; } //
// check input parameters
//
if( 0 == pDecodeParm->cbClearingHouseCert || NULL == pDecodeParm->pbClearingHouseCert || 0 == pDecodeParm->cbRootCertificate || NULL == pDecodeParm->pbRootCertificate ) { return ERROR_INVALID_PARAMETER; }
//
// Get the enveloped data
//
memset( &EnvelopedData, 0, sizeof( Enveloped_Data ) );
dwRetCode = UnpackEnvelopedData( &EnvelopedData, pEncodedLicensePack->cbData, &(pEncodedLicensePack->pbData[0]) );
if( ERROR_SUCCESS != dwRetCode ) { goto done; }
switch( pEncodedLicensePack->dwEncodeType ) { case LICENSE_KEYPACK_ENCRYPT_CRYPTO: case LICENSE_KEYPACK_ENCRYPT_ALWAYSCRYPTO:
//
// unpack the enveloped data to get the signed keypack blob
//
dwRetCode = GetEnvelopedData( pEncodedLicensePack->dwEncodeType, pDecodeParm->hCryptProv, &EnvelopedData, &cbSignedBlob, &pbSignedBlob );
break;
default:
// impossible to come here
dwRetCode = ERROR_INVALID_DATA; }
if( ERROR_SUCCESS != dwRetCode ) { goto done; } //
// Get the license keypack from the signed blob. We also provide the
// clearing house certificate to verify the authenticity of the keypack.
//
dwRetCode = VerifyAndGetLicenseKeyPack( pDecodeParm->hCryptProv, pLicenseKeyPack, pDecodeParm->cbClearingHouseCert, pDecodeParm->pbClearingHouseCert, pDecodeParm->cbRootCertificate, pDecodeParm->pbRootCertificate, cbSignedBlob, pbSignedBlob );
done:
if( EnvelopedData.pbEncryptedKey ) { LocalFree( EnvelopedData.pbEncryptedKey ); }
if( EnvelopedData.pbEncryptedData ) { LocalFree( EnvelopedData.pbEncryptedData ); }
if( pbSignedBlob ) { LocalFree( pbSignedBlob ); }
return( dwRetCode );}
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIGetEnvelopedData( IN DWORD dwEncryptType, IN HCRYPTPROV hCryptProv, IN PEnveloped_Data pEnvelopedData, OUT PDWORD pcbData, OUT PBYTE *ppbData )/*++
--*/{ HCRYPTKEY hPrivateKey = 0; DWORD dwRetCode = ERROR_SUCCESS;
if( (HCRYPTPROV)NULL == hCryptProv || pEnvelopedData == NULL || ppbData == NULL || pcbData == NULL ) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); return dwRetCode; }
//
// Make sure we have a exchange key to decrypt session key.
//
if( !CryptGetUserKey( hCryptProv, AT_KEYEXCHANGE, &hPrivateKey ) ) { dwRetCode = GetLastError(); goto done; }
//
// decrypt the data, KeyPackDecryptData() handle
// memory freeing in case of error.
//
dwRetCode = KeyPackDecryptData( dwEncryptType, hCryptProv, pEnvelopedData->pbEncryptedKey, pEnvelopedData->cbEncryptedKey, pEnvelopedData->pbEncryptedData, pEnvelopedData->cbEncryptedData, ppbData, pcbData ); done:
if( hPrivateKey ) { CryptDestroyKey( hPrivateKey ); }
return( dwRetCode );}
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIUnpackEnvelopedData( IN OUT PEnveloped_Data pEnvelopedData, IN DWORD cbPackedData, IN PBYTE pbPackedData )/*++
Abstract:
Unpack an encrypted license pack blob.
Parameters:
pEnvelopedData : cbPackedData : pbPackedData :
Returns:
--*/{ PBYTE pbCopyPos = pbPackedData; DWORD cbDataToUnpack = cbPackedData;
//
// ensure that the data is of minimum length
//
if( ( ( sizeof( DWORD ) * 2 ) > cbPackedData ) || ( NULL == pbPackedData ) || ( NULL == pEnvelopedData ) ) { return( ERROR_INVALID_PARAMETER ); }
//
// read a DWORD to get the encrypted key length
//
memcpy( &pEnvelopedData->cbEncryptedKey, pbCopyPos, sizeof( DWORD ) );
pbCopyPos += sizeof( DWORD ); cbDataToUnpack -= sizeof( DWORD ); if( cbDataToUnpack < pEnvelopedData->cbEncryptedKey ) { return( ERROR_INVALID_DATA ); }
//
// Allocate memory to unpack the encrypted key
//
if(pEnvelopedData->cbEncryptedKey > 0) { pEnvelopedData->pbEncryptedKey = LocalAlloc( GPTR, pEnvelopedData->cbEncryptedKey );
if( NULL == pEnvelopedData->pbEncryptedKey ) { return( GetLastError() ); }
memcpy( pEnvelopedData->pbEncryptedKey, pbCopyPos, pEnvelopedData->cbEncryptedKey ); } pbCopyPos += pEnvelopedData->cbEncryptedKey; cbDataToUnpack -= pEnvelopedData->cbEncryptedKey;
//
// expecting to read a DWORD for the encrypted data length
//
if( sizeof( DWORD ) > cbDataToUnpack ) { return( ERROR_INVALID_DATA ); }
memcpy( &pEnvelopedData->cbEncryptedData, pbCopyPos, sizeof( DWORD ) );
pbCopyPos += sizeof( DWORD ); cbDataToUnpack -= sizeof( DWORD );
if( cbDataToUnpack < pEnvelopedData->cbEncryptedData ) { return( ERROR_INVALID_DATA ); }
//
// allocate memory for the encrypted data
//
pEnvelopedData->pbEncryptedData = LocalAlloc( GPTR, pEnvelopedData->cbEncryptedData );
if( NULL == pEnvelopedData->pbEncryptedData ) { return( GetLastError() ); }
memcpy( pEnvelopedData->pbEncryptedData, pbCopyPos, pEnvelopedData->cbEncryptedData );
return( ERROR_SUCCESS );}
///////////////////////////////////////////////////////////////////////////////
//
// decode the encrypted license key pack blob with the license server's private
// key.
//
// hCryptProv is opened with the key container that contains the key exchange
// private key.
//
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIDecodeLicenseKeyPack( PLicense_KeyPack pLicenseKeyPack, HCRYPTPROV hCryptProv, DWORD cbClearingHouseCert, PBYTE pbClearingHouseCert, DWORD cbRootCertificate, PBYTE pbRootCertificate, DWORD cbKeyPackBlob, PBYTE pbKeyPackBlob ){ DWORD dwRetCode = ERROR_SUCCESS; DWORD cbSignedBlob, cbSignature; PBYTE pbSignedBlob = NULL, pcbSignature = NULL; Enveloped_Data EnvelopedData;
if( 0 == hCryptProv ) { return( ERROR_INVALID_PARAMETER ); } //
// Get the enveloped data
//
memset( &EnvelopedData, 0, sizeof( Enveloped_Data ) );
dwRetCode = UnpackEnvelopedData( &EnvelopedData, cbKeyPackBlob, pbKeyPackBlob );
if( ERROR_SUCCESS != dwRetCode ) { goto done; }
//
// unpack the enveloped data to get the signed keypack blob
//
dwRetCode = GetEnvelopedData( LICENSE_KEYPACK_ENCRYPT_CRYPTO, hCryptProv, &EnvelopedData, &cbSignedBlob, &pbSignedBlob );
if( ERROR_SUCCESS != dwRetCode ) { goto done; } //
// Get the license keypack from the signed blob. We also provide the
// clearing house certificate to verify the authenticity of the keypack.
//
dwRetCode = VerifyAndGetLicenseKeyPack( hCryptProv, pLicenseKeyPack, cbClearingHouseCert, pbClearingHouseCert, cbRootCertificate, pbRootCertificate, cbSignedBlob, pbSignedBlob );
done:
if( EnvelopedData.pbEncryptedKey ) { LocalFree( EnvelopedData.pbEncryptedKey ); }
if( EnvelopedData.pbEncryptedData ) { LocalFree( EnvelopedData.pbEncryptedData ); }
if( pbSignedBlob ) { LocalFree( pbSignedBlob ); }
return( dwRetCode );}
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIVerifyAndGetLicenseKeyPack( HCRYPTPROV hCryptProv, PLicense_KeyPack pLicenseKeyPack, DWORD cbSignerCert, PBYTE pbSignerCert, DWORD cbRootCertificate, PBYTE pbRootCertificate, DWORD cbSignedBlob, PBYTE pbSignedBlob ){ DWORD dwRetCode = ERROR_SUCCESS; PCCERT_CONTEXT pCertContext = 0; HCERTSTORE hCertStore = 0; HCRYPTHASH hCryptHash = 0; HCRYPTKEY hPubKey = 0; PBYTE pbCopyPos = pbSignedBlob, pbSignedHash; PKeyPack_Description pKpDesc; DWORD i, cbSignedHash, cbRequired = 0; SetLastError(ERROR_SUCCESS);
//
// make sure that the signed key blob is of the minimum size
//
cbRequired = ( 10 * sizeof( DWORD ) ) + ( 3 * sizeof( FILETIME ) ) + sizeof( GUID ) ;
if( cbSignedBlob < cbRequired ) { return( ERROR_INVALID_PARAMETER ); }
//
// get a certificate context for the signer's certificate
//
dwRetCode = GetCertificate( cbSignerCert, pbSignerCert, hCryptProv, &pCertContext, &hCertStore );
if( ERROR_SUCCESS != dwRetCode ) { SetLastError(dwRetCode); goto ErrorReturn; } //
// Verify the signer's certificate and the certificate chain that issued the
// certificate.
//
dwRetCode = VerifyCertificateChain( hCertStore, pCertContext, cbRootCertificate, pbRootCertificate );
if( ERROR_SUCCESS != dwRetCode ) { SetLastError(dwRetCode); goto ErrorReturn; }
//
// unpack the signed blob
//
memcpy( &pLicenseKeyPack->dwVersion, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD ); memcpy( &pLicenseKeyPack->dwKeypackType, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD ); memcpy( &pLicenseKeyPack->dwDistChannel, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD ); memcpy( &pLicenseKeyPack->KeypackSerialNum, pbCopyPos, sizeof( GUID ) ); pbCopyPos += sizeof( GUID ); memcpy( &pLicenseKeyPack->IssueDate, pbCopyPos, sizeof( FILETIME ) ); pbCopyPos += sizeof( FILETIME );
memcpy( &pLicenseKeyPack->ActiveDate, pbCopyPos, sizeof( FILETIME ) ); pbCopyPos += sizeof( FILETIME );
memcpy( &pLicenseKeyPack->ExpireDate, pbCopyPos, sizeof( FILETIME ) ); pbCopyPos += sizeof( FILETIME );
memcpy( &pLicenseKeyPack->dwBeginSerialNum, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
memcpy( &pLicenseKeyPack->dwQuantity, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
memcpy( &pLicenseKeyPack->cbProductId, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
if( pLicenseKeyPack->cbProductId ) { cbRequired += pLicenseKeyPack->cbProductId;
if( cbSignedBlob < cbRequired ) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn; }
pLicenseKeyPack->pbProductId = LocalAlloc( GPTR, pLicenseKeyPack->cbProductId );
if( NULL == pLicenseKeyPack->pbProductId ) { goto ErrorReturn; }
memcpy( pLicenseKeyPack->pbProductId, pbCopyPos, pLicenseKeyPack->cbProductId ); pbCopyPos += pLicenseKeyPack->cbProductId; }
memcpy( &pLicenseKeyPack->dwProductVersion, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
memcpy( &pLicenseKeyPack->dwPlatformId, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
memcpy( &pLicenseKeyPack->dwLicenseType, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
memcpy( &pLicenseKeyPack->dwDescriptionCount, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
if( pLicenseKeyPack->dwDescriptionCount ) { //
// allocate memory for the keypack descriptions structure
//
pLicenseKeyPack->pDescription = LocalAlloc( GPTR, ( sizeof( KeyPack_Description ) * pLicenseKeyPack->dwDescriptionCount ) );
if( NULL == pLicenseKeyPack->pDescription ) { goto ErrorReturn; } for( i = 0, pKpDesc = pLicenseKeyPack->pDescription; i < pLicenseKeyPack->dwDescriptionCount; i++, pKpDesc++ ) { cbRequired += ( sizeof( LCID ) + 2* (sizeof( DWORD ) ));
if( cbSignedBlob < cbRequired) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn;
}
memcpy( &pKpDesc->Locale, pbCopyPos, sizeof( LCID ) ); pbCopyPos += sizeof( LCID );
memcpy( &pKpDesc->cbProductName, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
if( pKpDesc->cbProductName ) { //
// allocate memory for product name
//
cbRequired += (pKpDesc->cbProductName);
if( cbSignedBlob < cbRequired) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn;
}
pKpDesc->pbProductName = LocalAlloc( GPTR, pKpDesc->cbProductName );
if( NULL == pKpDesc->pbProductName ) { goto ErrorReturn; }
//
// copy the product name
//
memcpy( pKpDesc->pbProductName, pbCopyPos, pKpDesc->cbProductName ); pbCopyPos += pKpDesc->cbProductName; }
memcpy( &pKpDesc->cbDescription, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
if( pKpDesc->cbDescription ) { //
// allocate memory for the keypack description
//
cbRequired += (pKpDesc->cbDescription);
if( cbSignedBlob < cbRequired) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn; }
pKpDesc->pDescription = LocalAlloc( GPTR, pKpDesc->cbDescription );
if( NULL == pKpDesc->pDescription ) { goto ErrorReturn; }
//
// copy the key pack description
//
memcpy( pKpDesc->pDescription, pbCopyPos, pKpDesc->cbDescription ); pbCopyPos += pKpDesc->cbDescription; } } }
cbRequired += ( 3 * sizeof( DWORD ));
if( cbSignedBlob < cbRequired) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn; }
memcpy( &pLicenseKeyPack->cbManufacturer, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
if( pLicenseKeyPack->cbManufacturer ) { cbRequired += (pLicenseKeyPack->cbManufacturer);
if( cbSignedBlob < cbRequired) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn;
} pLicenseKeyPack->pbManufacturer = LocalAlloc( GPTR, pLicenseKeyPack->cbManufacturer );
if( NULL == pLicenseKeyPack->pbManufacturer ) { goto ErrorReturn; }
memcpy( pLicenseKeyPack->pbManufacturer, pbCopyPos, pLicenseKeyPack->cbManufacturer ); pbCopyPos += pLicenseKeyPack->cbManufacturer; }
memcpy( &pLicenseKeyPack->cbManufacturerData, pbCopyPos, sizeof( DWORD ) ); pbCopyPos += sizeof( DWORD );
if( pLicenseKeyPack->cbManufacturerData ) { cbRequired += (pLicenseKeyPack->cbManufacturerData);
if( cbSignedBlob < cbRequired) { SetLastError(dwRetCode = ERROR_INVALID_PARAMETER); goto ErrorReturn;
}
pLicenseKeyPack->pbManufacturerData = LocalAlloc( GPTR, pLicenseKeyPack->cbManufacturerData );
if( NULL == pLicenseKeyPack->pbManufacturerData ) { goto ErrorReturn; }
memcpy( pLicenseKeyPack->pbManufacturerData, pbCopyPos, pLicenseKeyPack->cbManufacturerData ); pbCopyPos += pLicenseKeyPack->cbManufacturerData; }
//
// get the size and the pointer of the signed hash.
//
memcpy( &cbSignedHash, pbCopyPos, sizeof( DWORD ) ); pbSignedHash = pbCopyPos + sizeof( DWORD );
//
// compute the hash
//
if( !CryptCreateHash( hCryptProv, CALG_MD5, 0, 0, &hCryptHash ) ) { goto ErrorReturn; }
if( !CryptHashData( hCryptHash, pbSignedBlob, (DWORD)(pbCopyPos - pbSignedBlob), 0 ) ) { goto ErrorReturn; }
//
// import the public key
//
if( !CryptImportPublicKeyInfoEx( hCryptProv, X509_ASN_ENCODING, &pCertContext->pCertInfo->SubjectPublicKeyInfo, CALG_RSA_SIGN, 0, NULL, &hPubKey ) ) { goto ErrorReturn; } //
// use the public key to verify the signed hash
//
if( !CryptVerifySignature( hCryptHash, pbSignedHash, cbSignedHash, hPubKey, NULL, 0) ) { goto ErrorReturn; } ErrorReturn:
dwRetCode = GetLastError();
if( hCryptHash ) { CryptDestroyHash( hCryptHash ); }
if( hPubKey ) { CryptDestroyKey( hPubKey ); }
if( pCertContext ) { CertFreeCertificateContext( pCertContext ); }
if( hCertStore ) { CertCloseStore( hCertStore, CERT_CLOSE_STORE_FORCE_FLAG ); }
return( dwRetCode );}
///////////////////////////////////////////////////////////////////////////////
//
// GetCertificate
//
// Get the first certificate from the certificate blob. The certificate blob
// is in fact a certificate store that may contain a chain of certificates.
// This function also return handles to the crypto provider and the certificate
// store.
//
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIGetCertificate( DWORD cbCertificateBlob, PBYTE pbCertificateBlob, HCRYPTPROV hCryptProv, PCCERT_CONTEXT * ppCertContext, HCERTSTORE * phCertStore ){ CRYPT_DATA_BLOB CertBlob; DWORD dwRetCode = ERROR_SUCCESS; //
// Open the PKCS7 certificate store
//
CertBlob.cbData = cbCertificateBlob; CertBlob.pbData = pbCertificateBlob;
*phCertStore = CertOpenStore( sz_CERT_STORE_PROV_PKCS7, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, hCryptProv, CERT_STORE_NO_CRYPT_RELEASE_FLAG, &CertBlob );
if( NULL == ( *phCertStore ) ) { return( GetLastError() ); }
//
// get the first certificate from the store
//
*ppCertContext = CertEnumCertificatesInStore( *phCertStore, NULL ); if( NULL == ( *ppCertContext ) ) { return( GetLastError() ); } return( dwRetCode );}
///////////////////////////////////////////////////////////////////////////////
//
// VerifyCertificateChain
//
// Verify the certificate represented by the cert context against the
// issuers in the certificate store. The caller may provide a root
// certificate so that all issuers are eventually verified against this
// root certificate. If no root certificate is provided, then the last
// issuer in the chain must be a self-signing issuer.
//
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIVerifyCertificateChain( HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD cbRootCertificate, PBYTE pbRootCertificate ){ DWORD dwRetCode = ERROR_SUCCESS, dwFlags; PCCERT_CONTEXT pRootCertCtx = NULL; PCCERT_CONTEXT pIssuerCertCtx = NULL; PCCERT_CONTEXT pCurrentContext = NULL;#ifdef IGNORE_EXPIRATION
LONG lRet; HKEY hKey = NULL;#endif
if( ( 0 != cbRootCertificate ) && ( NULL != pbRootCertificate ) ) { //
// Get a certificate context for the root certificate
//
pRootCertCtx = CertCreateCertificateContext( X509_ASN_ENCODING, pbRootCertificate, cbRootCertificate );
if( NULL == pRootCertCtx ) { dwRetCode = GetLastError(); goto done; } }
//
// Verify the certificate chain. The time, signature and validity of
// the subject certificate is verified. Only the signatures are verified
// for the certificates in the issuer chain.
//
#ifdef IGNORE_EXPIRATION
//Verify if registry key exists and ignore time check
lRet = RegOpenKeyEx( HKEY_LOCAL_MACHINE, LICENSE_EXPIRATION_IGNORE , 0, KEY_READ , &hKey );
if( ERROR_SUCCESS == lRet ) {
dwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG; } else {#endif
dwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;#ifdef IGNORE_EXPIRATION
}
if(hKey) { RegCloseKey(hKey); }#endif
pCurrentContext = CertDuplicateCertificateContext( pCertContext );
if (NULL == pCurrentContext) { dwRetCode = ERROR_INVALID_PARAMETER; goto done; }
do { pIssuerCertCtx = NULL; pIssuerCertCtx = CertGetIssuerCertificateFromStore( hCertStore, pCurrentContext, pIssuerCertCtx, &dwFlags ); if( pIssuerCertCtx ) { //
// Found the issuer, verify that the checks went OK
//
dwRetCode = GetCertVerificationResult( dwFlags );
if( ERROR_SUCCESS != dwRetCode ) { break; } //
// only verify the signature for subsequent issuer certificates
//
dwFlags = CERT_STORE_SIGNATURE_FLAG;
//
// free the current certificate context and make the current issuer certificate
// the subject certificate for the next iteration.
//
CertFreeCertificateContext( pCurrentContext ); pCurrentContext = pIssuerCertCtx; } } while( pIssuerCertCtx );
if( ERROR_SUCCESS != dwRetCode ) { //
// encountered some error while verifying the certificate
//
goto done; }
//
// we got here because we have walked through the chain of issuers in the
// store. The last issuer in the chain may or may not be a self signing root.
//
if( pRootCertCtx ) { //
// The caller has specified a root certificate that must be used. Verify the
// last issuer against this root certificate regardless of whether it is a
// self signing root.
//
dwFlags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
if( ( NULL == pCurrentContext ) || ( !CertVerifySubjectCertificateContext( pCurrentContext, pRootCertCtx, &dwFlags ) ) ) { dwRetCode = GetLastError(); goto done; }
//
// get the certificate verification result
//
dwRetCode = GetCertVerificationResult( dwFlags ); } else { //
// if the caller did not specify a CA root certificate, make sure that the root
// issuer of the certificate is a self-signed root. Otherwise, return an error
//
if( CRYPT_E_SELF_SIGNED != GetLastError() ) { dwRetCode = GetLastError(); } }
done: if( pRootCertCtx ) { CertFreeCertificateContext( pRootCertCtx ); }
if( pCurrentContext ) { CertFreeCertificateContext( pCurrentContext ); }
if( pIssuerCertCtx ) { CertFreeCertificateContext( pIssuerCertCtx ); }
return( dwRetCode );}
///////////////////////////////////////////////////////////////////////////////
DWORD WINAPIGetCertVerificationResult( DWORD dwFlags ){ if( dwFlags & CERT_STORE_SIGNATURE_FLAG ) { //
// The certificate signature did not verify
//
return( (DWORD )NTE_BAD_SIGNATURE );
} if( dwFlags & CERT_STORE_TIME_VALIDITY_FLAG ) { //
// The certificate has expired
//
return( ( DWORD )CERT_E_EXPIRED ); }
//
// check if the cert has been revoked
//
if( dwFlags & CERT_STORE_REVOCATION_FLAG ) { if( !( dwFlags & CERT_STORE_NO_CRL_FLAG ) ) { //
// The certificate has been revoked
//
return( ( DWORD )CERT_E_REVOKED ); } }
return( ERROR_SUCCESS );}
|
