#include "wzrdpvk.h" #include "certca.h" #include "cautil.h" #include "CertRequesterContext.h" //-------------------------------------------------------------------------------- // Machine context and local context now use the same code to build the CSP list: HRESULT BuildCSPList(CERT_WIZARD_INFO *m_pCertWizardInfo) { DWORD dwIndex = 0; DWORD dwProviderType = 0; DWORD cbSize = 0; HRESULT hr = E_FAIL; LPWSTR pwszProviderName = 0; if (NULL == m_pCertWizardInfo) return E_POINTER; //free the old memory FreeProviders(m_pCertWizardInfo->dwCSPCount, m_pCertWizardInfo->rgdwProviderType, m_pCertWizardInfo->rgwszProvider); m_pCertWizardInfo->dwCSPCount = 0; m_pCertWizardInfo->rgdwProviderType = NULL; m_pCertWizardInfo->rgwszProvider = NULL; for (dwIndex = 0; CryptEnumProvidersU(dwIndex, 0, 0, &dwProviderType, NULL, &cbSize); dwIndex++) { pwszProviderName = (LPWSTR)WizardAlloc(cbSize); if(NULL == pwszProviderName) goto MemoryErr; //get the provider name and type if(!CryptEnumProvidersU (dwIndex, 0, 0, &dwProviderType, pwszProviderName, &cbSize)) goto CryptEnumProvidersUError; m_pCertWizardInfo->dwCSPCount = dwIndex + 1; m_pCertWizardInfo->rgdwProviderType = (DWORD *)WizardRealloc (m_pCertWizardInfo->rgdwProviderType, sizeof(DWORD) * m_pCertWizardInfo->dwCSPCount); if(NULL == m_pCertWizardInfo->rgdwProviderType) goto MemoryErr; m_pCertWizardInfo->rgwszProvider = (LPWSTR *)WizardRealloc (m_pCertWizardInfo->rgwszProvider, sizeof(LPWSTR) * m_pCertWizardInfo->dwCSPCount); if(NULL == m_pCertWizardInfo->rgwszProvider) goto MemoryErr; (m_pCertWizardInfo->rgdwProviderType)[dwIndex] = dwProviderType; (m_pCertWizardInfo->rgwszProvider)[dwIndex] = pwszProviderName; // Our only reference to this data should now be m_pCertWizardInfo->rgwszProvider. pwszProviderName = NULL; } //we should have some CSPs if(0 == m_pCertWizardInfo->dwCSPCount) goto FailErr; hr = S_OK; CommonReturn: return hr; ErrorReturn: if (NULL != pwszProviderName) { WizardFree(pwszProviderName); } //free the old memory FreeProviders(m_pCertWizardInfo->dwCSPCount, m_pCertWizardInfo->rgdwProviderType, m_pCertWizardInfo->rgwszProvider); m_pCertWizardInfo->dwCSPCount = 0; m_pCertWizardInfo->rgdwProviderType = NULL; m_pCertWizardInfo->rgwszProvider = NULL; goto CommonReturn; SET_HRESULT(CryptEnumProvidersUError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(MemoryErr, E_OUTOFMEMORY); SET_HRESULT(FailErr, E_FAIL); } //-------------------------------------------------------------------------------- // Machine context and local context now use the same code to get the default prov HRESULT GetDefaultCSP(IN CERT_WIZARD_INFO *m_pCertWizardInfo, IN BOOL fMachine, OUT UINT *pIdsText, OUT BOOL *pfAllocateCSP) { DWORD cbProvName = 0; DWORD dwFlags = fMachine ? CRYPT_MACHINE_DEFAULT : CRYPT_USER_DEFAULT; HRESULT hr = E_FAIL; LPWSTR pwszProvider = NULL; if (NULL == m_pCertWizardInfo) return E_POINTER; if (NULL == pfAllocateCSP) return E_INVALIDARG; *pfAllocateCSP = FALSE; //no provider has been selected if(0 == m_pCertWizardInfo->dwProviderType) return S_OK; //return if user has selected both the dwProviderType //or the provider name if(NULL != m_pCertWizardInfo->pwszProvider) return S_OK; //get the default provider if (!CryptGetDefaultProviderW(m_pCertWizardInfo->dwProviderType, NULL, dwFlags, NULL, &cbProvName)) goto CryptGetDefaultProviderWError; pwszProvider = (LPWSTR)LocalAlloc(LPTR, cbProvName); if (NULL == pwszProvider) goto MemoryError; if (!CryptGetDefaultProviderW(m_pCertWizardInfo->dwProviderType, NULL, dwFlags, pwszProvider, &cbProvName)) goto CryptGetDefaultProviderWError; m_pCertWizardInfo->pwszProvider = pwszProvider; pwszProvider = NULL; *pfAllocateCSP = TRUE; hr = S_OK; CommonReturn: if(NULL != pwszProvider) { LocalFree(pwszProvider); } return hr; ErrorReturn: *pIdsText = IDS_INVALID_CSP; goto CommonReturn; SET_HRESULT(CryptGetDefaultProviderWError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(MemoryError, E_OUTOFMEMORY); } //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ // // // LocalContext Implementation. // See CertRequestContext.h for method-level documentation. // // //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ HRESULT LocalContext::BuildCSPList() { return ::BuildCSPList(m_pCertWizardInfo); } BOOL LocalContext::CheckAccessPermission(IN HCERTTYPE hCertType) { BOOL fResult = FALSE; HANDLE hClientToken = NULL; HRESULT hr = E_FAIL; // First attempts to get the thread token. If this fails, acquires the // process token. Finally, if that fails, returns NULL. if (0 != (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_ALLOW_ALL_TEMPLATES)) { fResult = TRUE; } else { hClientToken = this->GetClientIdentity(); if (NULL == hClientToken) goto GetClientIdentityError; __try { fResult = S_OK == CACertTypeAccessCheck(hCertType, hClientToken); } __except(EXCEPTION_EXECUTE_HANDLER) { goto CACertTypeAccessCheckError; } } CommonReturn: if (NULL != hClientToken) { CloseHandle(hClientToken); } return fResult; ErrorReturn: fResult = FALSE; goto CommonReturn; SET_HRESULT(CACertTypeAccessCheckError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(GetClientIdentityError, HRESULT_FROM_WIN32(GetLastError())); } BOOL LocalContext::CheckCAPermission(IN HCAINFO hCAInfo) { BOOL fResult = FALSE; HANDLE hClientToken = NULL; HRESULT hr = E_FAIL; if (0 != (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_ALLOW_ALL_CAS)) { fResult = TRUE; } else { hClientToken = this->GetClientIdentity(); if (NULL == hClientToken) goto GetClientIdentityError; __try { fResult = S_OK == CAAccessCheck(hCAInfo, hClientToken); } __except(EXCEPTION_EXECUTE_HANDLER) { goto CAAccessCheckError; } } CommonReturn: if (NULL != hClientToken) { CloseHandle(hClientToken); } return fResult; ErrorReturn: fResult = FALSE; goto CommonReturn; SET_HRESULT(CAAccessCheckError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(GetClientIdentityError, HRESULT_FROM_WIN32(GetLastError())); } HRESULT LocalContext::GetDefaultCSP(OUT BOOL *pfAllocateCSP) { return ::GetDefaultCSP(m_pCertWizardInfo, FALSE /*user*/, &m_idsText, pfAllocateCSP); } HRESULT LocalContext::Enroll(OUT DWORD *pdwStatus, OUT HANDLE *pResult) { BOOL fHasNextCSP = TRUE; BOOL fRequestIsCached; BOOL fCreateRequest; BOOL fFreeRequest; BOOL fSubmitRequest; CERT_BLOB renewCert; CERT_ENROLL_INFO RequestInfo; CERT_REQUEST_PVK_NEW CertRequestPvkNew; CERT_REQUEST_PVK_NEW CertRenewPvk; CRYPTUI_WIZ_CERT_CA CertCA; DWORD dwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_UNKNOWN; DWORD dwCSPIndex; DWORD dwSavedGenKeyFlags; HANDLE hRequest = NULL; HRESULT hr = E_FAIL; LPWSTR pwszHashAlg = NULL; //init 1st for error jump ZeroMemory(&CertRenewPvk, sizeof(CertRenewPvk)); if (NULL == pResult) return E_INVALIDARG; if (NULL == m_pCertWizardInfo) return E_POINTER; memset(&CertCA, 0, sizeof(CertCA)); memset(&RequestInfo, 0, sizeof(RequestInfo)); dwSavedGenKeyFlags = m_pCertWizardInfo->dwGenKeyFlags; fCreateRequest = 0 == (m_pCertWizardInfo->dwFlags & (CRYPTUI_WIZ_SUBMIT_ONLY | CRYPTUI_WIZ_FREE_ONLY)); fFreeRequest = 0 == (m_pCertWizardInfo->dwFlags & (CRYPTUI_WIZ_CREATE_ONLY | CRYPTUI_WIZ_SUBMIT_ONLY)); fSubmitRequest = 0 == (m_pCertWizardInfo->dwFlags & (CRYPTUI_WIZ_CREATE_ONLY | CRYPTUI_WIZ_FREE_ONLY)); // An invalid combination of flags was specified. if (FALSE == (fCreateRequest || fFreeRequest || fSubmitRequest)) return E_INVALIDARG; // For FREE_ONLY and SUBMIT_ONLY, copy the request from the IN parameter. if (0 != ((CRYPTUI_WIZ_SUBMIT_ONLY | CRYPTUI_WIZ_FREE_ONLY) & m_pCertWizardInfo->dwFlags)) { if (NULL == *pResult) return E_INVALIDARG; hRequest = *pResult; } // Initialize to false ... we need the marshalled parameters to know whether we can cache the request. fRequestIsCached = FALSE; // Iterate over each CA, performing a create and submit operation for each. // Note that we can cache requests for certs if key archival is not needed. // if (fCreateRequest || fSubmitRequest) { for (IEnumCA CAEnumerator(m_pCertWizardInfo); ; ) { if (S_OK != (CAEnumerator.Next(&CertCA))) { if (!FAILED(hr)) hr=E_FAIL; if (E_FAIL == hr) m_pCertWizardInfo->idsText = IDS_NO_CA_FOR_ENROLL_REQUEST_FAILED; goto ErrorReturn; } // Create a certificate request only if // 1) This is not a submit-only or a free-only operation. // 2) We don't already have a cached request. // (We can cache requests which don't require key archival on the CA). // // The request is created by looping over available CSPs until one successfully generates // the request. // if (TRUE == fCreateRequest && FALSE == fRequestIsCached) { fHasNextCSP = TRUE; for (IEnumCSP CSPEnumerator(m_pCertWizardInfo); fHasNextCSP; ) { _JumpCondition(S_OK != (hr = CSPEnumerator.Next(&dwCSPIndex)), ErrorReturn); _JumpCondition(S_OK != (hr = CSPEnumerator.HasNext(&fHasNextCSP)), ErrorReturn); // Each call to MarshallRequestParameters can change the dwGenKeyFlags of pCertWizardInfo // if the CSP does not support the min key size contained in this field. // As a result, we must reset the dwGenKeyFlags field to the desired value // before every call to MarshallRequestParameters. m_pCertWizardInfo->dwGenKeyFlags = dwSavedGenKeyFlags; if (S_OK != (hr = ::MarshallRequestParameters (dwCSPIndex, m_pCertWizardInfo, &renewCert, &CertRequestPvkNew, &CertRenewPvk, &pwszHashAlg, &RequestInfo))) goto NextCSP; if (NULL != hRequest) { ::FreeRequest(hRequest); hRequest = NULL; } hr = ::CreateRequest (m_pCertWizardInfo->dwFlags, m_pCertWizardInfo->dwPurpose, CertCA.pwszCAName, CertCA.pwszCALocation, ((CRYPTUI_WIZ_CERT_RENEW & m_pCertWizardInfo->dwPurpose) ? &renewCert : NULL), ((CRYPTUI_WIZ_CERT_RENEW & m_pCertWizardInfo->dwPurpose) ? &CertRenewPvk : NULL), m_pCertWizardInfo->fNewKey, &CertRequestPvkNew, pwszHashAlg, (LPWSTR)m_pCertWizardInfo->pwszDesStore, m_pCertWizardInfo->dwStoreFlags, &RequestInfo, &hRequest); // Process the return value: if (S_OK == hr) { // Success, get rid of whatever error text we have from past creations: m_pCertWizardInfo->idsText = 0; // We're done if we don't need to submit the request. _JumpCondition(!fSubmitRequest, CommonReturn); // Cache the request if we don't need support for key archival. fRequestIsCached = 0 == (CertRequestPvkNew.dwPrivateKeyFlags & CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL); break; } else if (E_ACCESSDENIED == HRESULT_FROM_WIN32(hr)) { // E_ACCESSDENIED could indicate one of several different error conditions. Map this // to an resource identifier which details the possible causes of failure, and try again... m_pCertWizardInfo->idsText = IDS_NO_ACCESS_TO_ICERTREQUEST2; } else if (NTE_BAD_ALGID == HRESULT_FROM_WIN32(hr)) { // NTE_BAD_ALGID indicates that the CSP didn't support the algorithm type required // by the template. Map this to a resource identifier that details the possible causes // of failure, and try again... m_pCertWizardInfo->idsText = IDS_CSP_BAD_ALGTYPE; } else if (HRESULT_FROM_WIN32(ERROR_CANCELLED) == HRESULT_FROM_WIN32(hr)) { // The user cancelled the operation. Don't try to enroll any longer. goto ErrorReturn; } else { // It's an error, but we don't need to map it to special text. Just keep processing... } // We're out of CSPs, and we haven't yet created the request! if (!fHasNextCSP) { // If the template doesn't require key archival, we're done. Otherwise, we've got to // try the other CAs. Note that if we had a mechanism for knowing whether it was the // key archival step if (0 == (CertRequestPvkNew.dwPrivateKeyFlags & CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL)) goto ErrorReturn; else { ::FreeRequestParameters(&pwszHashAlg, &CertRenewPvk, &RequestInfo); goto NextCA; } } NextCSP: ::FreeRequestParameters(&pwszHashAlg, &CertRenewPvk, &RequestInfo); } } // Submit the request only if this is not a create-only or a free-only operation: // if (TRUE == fSubmitRequest) { hr = ::SubmitRequest (hRequest, FALSE, m_pCertWizardInfo->dwPurpose, m_pCertWizardInfo->fConfirmation, m_pCertWizardInfo->hwndParent, (LPWSTR)m_pCertWizardInfo->pwszConfirmationTitle, m_pCertWizardInfo->idsConfirmTitle, CertCA.pwszCALocation, CertCA.pwszCAName, NULL, NULL, NULL, &dwStatus, (PCCERT_CONTEXT *)pResult); if (S_OK == hr) { // Success, get rid of whatever error text we have from past submits: m_pCertWizardInfo->idsText = 0; // If we've successfully submitted or pended goto CommonReturn; } else if (E_ACCESSDENIED == HRESULT_FROM_WIN32(hr)) { // E_ACCESSDENIED could indicate one of several different error conditions. Map this // to an resource identifier which details the possible causes of failure, and try again... m_pCertWizardInfo->idsText = IDS_SUBMIT_NO_ACCESS_TO_ICERTREQUEST2; } // Some error has occured. // If it's a non-CA related error, give up... _JumpCondition(dwStatus != CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_ERROR && dwStatus != CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_DENIED && dwStatus != CRYPTUI_WIZ_CERT_REQUEST_STATUS_CONNECTION_FAILED, ErrorReturn); // Otherwise, try another CA... } NextCA:; } } CommonReturn: // Write the request to pResult for a create only operation: if (hr == S_OK && 0 != (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_CREATE_ONLY)) { *pResult = hRequest; } // Write the status code, if requested. if (NULL != pdwStatus) { *pdwStatus = dwStatus; } // Free resources. if (NULL != hRequest && fFreeRequest) { ::FreeRequest(hRequest); } ::FreeRequestParameters(&pwszHashAlg, &CertRenewPvk, &RequestInfo); return hr; ErrorReturn: goto CommonReturn; } HRESULT LocalContext::QueryRequestStatus(IN HANDLE hRequest, OUT CRYPTUI_WIZ_QUERY_CERT_REQUEST_INFO *pQueryInfo) { HRESULT hr; if (!QueryRequest(hRequest, pQueryInfo)) goto QueryRequestError; hr = S_OK; ErrorReturn: return hr; SET_HRESULT(QueryRequestError, GetLastError()); } HRESULT KeySvcContext::QueryRequestStatus(IN HANDLE hRequest, OUT CRYPTUI_WIZ_QUERY_CERT_REQUEST_INFO *pQueryInfo) { HRESULT hr = E_FAIL; KEYSVCC_HANDLE hKeyService = NULL; KEYSVC_TYPE dwServiceType = KeySvcMachine; LPSTR pszMachineName = NULL; if (NULL == m_pCertWizardInfo) return E_POINTER; if (0 != (hr = ::KeyOpenKeyService(pszMachineName, dwServiceType, (LPWSTR)(m_pCertWizardInfo->pwszAccountName), // Service name if necessary NULL, // no authentication string right now NULL, &hKeyService))) goto KeyOpenKeyServiceError; if (0 != (hr = ::KeyQueryRequestStatus(hKeyService, hRequest, pQueryInfo))) goto KeyQueryRequestStatusError; hr = S_OK; ErrorReturn: if (NULL != hKeyService) { KeyCloseKeyService(hKeyService, NULL); } if (NULL != pszMachineName) { FreeMBStr(NULL,pszMachineName); } return hr; TRACE_ERROR(KeyOpenKeyServiceError); TRACE_ERROR(KeyQueryRequestStatusError); } HRESULT LocalContext::Initialize() { return S_OK; } HANDLE LocalContext::GetClientIdentity() { HANDLE hHandle = NULL; HANDLE hClientToken = NULL; HANDLE hProcessToken = NULL; HRESULT hr; // Step 1: attempt to acquire the thread token. hHandle = GetCurrentThread(); if (NULL == hHandle) goto GetThreadTokenError; if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self &hClientToken)) goto GetThreadTokenError; // We got the thread token: goto GetThreadTokenSuccess; // Step 2: we've failed to acquire the thread token, // try to get the process token. GetThreadTokenError: if (hHandle != NULL) { CloseHandle(hHandle); } // We failed to get the thread token, now try to acquire the process token: hHandle = GetCurrentProcess(); if (NULL == hHandle) goto GetProcessHandleError; if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) goto OpenProcessTokenError; if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) goto DuplicateTokenError; GetThreadTokenSuccess: CommonReturn: if (NULL != hHandle) { CloseHandle(hHandle); } if (NULL != hProcessToken) { CloseHandle(hProcessToken); } return hClientToken; ErrorReturn: goto CommonReturn; SET_HRESULT(DuplicateTokenError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(GetProcessHandleError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(OpenProcessTokenError, HRESULT_FROM_WIN32(GetLastError())); } //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ // // // KeySvcContext Implementation. // See requesters.h for method-level documentation. // // //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ HRESULT KeySvcContext::BuildCSPList() { return ::BuildCSPList(m_pCertWizardInfo); } BOOL KeySvcContext::CheckAccessPermission(IN HCERTTYPE hCertType) { LPWSTR *awszCurrentType = NULL; LPWSTR *awszTypeName = NULL; if (NULL == m_pCertWizardInfo) { SetLastError(ERROR_INVALID_DATA); return FALSE; } if (0 != (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_ALLOW_ALL_TEMPLATES)) { return TRUE; } if(NULL != m_pCertWizardInfo->awszAllowedCertTypes) { if(S_OK == CAGetCertTypeProperty(hCertType, CERTTYPE_PROP_DN, &awszTypeName)) { if(NULL != awszTypeName) { if(NULL != awszTypeName[0]) { awszCurrentType = m_pCertWizardInfo->awszAllowedCertTypes; while(NULL != *awszCurrentType) { if(wcscmp(*awszCurrentType, awszTypeName[0]) == 0) { return TRUE; } awszCurrentType++; } } CAFreeCertTypeProperty(hCertType, awszTypeName); } } } return FALSE; } BOOL KeySvcContext::CheckCAPermission(IN HCAINFO hCAInfo) { LPWSTR *wszCAName = NULL; LPWSTR *wszCurrentCA = NULL; if (NULL == m_pCertWizardInfo) { SetLastError(ERROR_INVALID_DATA); return FALSE; } if (0 != (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_ALLOW_ALL_CAS)) { return TRUE; } if (NULL != m_pCertWizardInfo->awszValidCA) { if(S_OK == CAGetCAProperty(hCAInfo, CA_PROP_NAME, &wszCAName)) { if(NULL != wszCAName) { if(NULL != wszCAName[0]) { wszCurrentCA = m_pCertWizardInfo->awszValidCA; while(*wszCurrentCA) { if(0 == wcscmp(*wszCurrentCA, wszCAName[0])) { return TRUE; } wszCurrentCA++; } } CAFreeCAProperty(hCAInfo, wszCAName); } } } return FALSE; } HRESULT KeySvcContext::GetDefaultCSP(OUT BOOL *pfAllocateCSP) { return ::GetDefaultCSP(m_pCertWizardInfo, TRUE /*machine*/, &m_idsText, pfAllocateCSP); } HRESULT WhistlerMachineContext::Enroll(OUT DWORD *pdwStatus, IN OUT HANDLE *pResult) { BOOL fRequestIsCached; BOOL fCreateRequest = 0 == (m_pCertWizardInfo->dwFlags & (CRYPTUI_WIZ_SUBMIT_ONLY | CRYPTUI_WIZ_FREE_ONLY)); BOOL fFreeRequest = 0 == (m_pCertWizardInfo->dwFlags & (CRYPTUI_WIZ_CREATE_ONLY | CRYPTUI_WIZ_SUBMIT_ONLY)); BOOL fSubmitRequest = 0 == (m_pCertWizardInfo->dwFlags & (CRYPTUI_WIZ_CREATE_ONLY | CRYPTUI_WIZ_FREE_ONLY)); CERT_BLOB renewCert; CERT_ENROLL_INFO RequestInfo; CERT_REQUEST_PVK_NEW CertRequestPvkNew; CERT_REQUEST_PVK_NEW CertRenewPvk; CRYPTUI_WIZ_CERT_CA CertCA; DWORD dwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_UNKNOWN; DWORD dwCSPIndex; DWORD dwSavedGenKeyFlags; HANDLE hRequest = NULL; HRESULT hr = E_FAIL; KEYSVCC_HANDLE hKeyService = NULL; KEYSVC_TYPE ktServiceType; LPSTR pszMachineName = NULL; LPWSTR pwszHashAlg = NULL; //init 1st for error jump ZeroMemory(&CertRenewPvk, sizeof(CertRenewPvk)); if (NULL == pResult) return E_INVALIDARG; if (NULL == m_pCertWizardInfo) return E_POINTER; memset(&renewCert, 0, sizeof(renewCert)); memset(&CertCA, 0, sizeof(CertCA)); memset(&RequestInfo, 0, sizeof(RequestInfo)); dwSavedGenKeyFlags = m_pCertWizardInfo->dwGenKeyFlags; // An invalid combination of flags was specified. if (FALSE == (fCreateRequest || fFreeRequest || fSubmitRequest)) return E_INVALIDARG; // For FREE_ONLY and SUBMIT_ONLY, copy the request from the IN parameter. if (0 != ((CRYPTUI_WIZ_SUBMIT_ONLY | CRYPTUI_WIZ_FREE_ONLY) & m_pCertWizardInfo->dwFlags)) { if (NULL == *pResult) return E_INVALIDARG; hRequest = *pResult; } if(!MkMBStr(NULL, 0, m_pCertWizardInfo->pwszMachineName, &pszMachineName)) goto MkMBStrError; ktServiceType = NULL != m_pCertWizardInfo->pwszAccountName ? KeySvcService : KeySvcMachine; hr = ::KeyOpenKeyService (pszMachineName, ktServiceType, (LPWSTR)(m_pCertWizardInfo->pwszAccountName), NULL, NULL, &hKeyService); _JumpConditionWithExpr(S_OK != hr, KeyOpenKeyServiceError, m_idsText = IDS_RPC_CALL_FAILED); // Initialize to false ... we need the marshalled parameters to know whether we can cache the request. fRequestIsCached = FALSE; // Iterate over each CA, performing a create and submit operation for each. // Note that we can cache requests for certs if key archival is not needed. // if (fCreateRequest || fSubmitRequest) { for (IEnumCA CAEnumerator(m_pCertWizardInfo); ; ) { if (S_OK != (CAEnumerator.Next(&CertCA))) { if(!FAILED(hr)) hr=E_FAIL; if (E_FAIL == hr) m_pCertWizardInfo->idsText = IDS_NO_CA_FOR_ENROLL_REQUEST_FAILED; goto ErrorReturn; } // Create a certificate request only if // 1) This is not a submit-only or a free-only operation. // 2) We don't already have a cached request. // (We can cache requests which don't require key archival on the CA). // // The request is created by looping over available CSPs until one successfully generates // the request. // if (TRUE == fCreateRequest && FALSE == fRequestIsCached) { BOOL fHasNextCSP = TRUE; for (IEnumCSP CSPEnumerator(m_pCertWizardInfo); fHasNextCSP; ) { _JumpCondition(S_OK != (hr = CSPEnumerator.Next(&dwCSPIndex)), ErrorReturn); _JumpCondition(S_OK != (hr = CSPEnumerator.HasNext(&fHasNextCSP)), ErrorReturn); // Each call to MarshallRequestParameters can change the dwGenKeyFlags of pCertWizardInfo // if the CSP does not support the min key size contained in this field. // As a result, we must reset the dwGenKeyFlags field to the desired value // before every call to MarshallRequestParameters. m_pCertWizardInfo->dwGenKeyFlags = dwSavedGenKeyFlags; if (S_OK != (hr = ::MarshallRequestParameters (dwCSPIndex, m_pCertWizardInfo, &renewCert, &CertRequestPvkNew, &CertRenewPvk, &pwszHashAlg, &RequestInfo))) goto NextCSP; if (NULL != hRequest) { this->FreeRequest(hKeyService, pszMachineName, &hRequest); hRequest = NULL; } hr = this->CreateRequest (hKeyService, pszMachineName, CertCA.pwszCALocation, CertCA.pwszCAName, &CertRequestPvkNew, &renewCert, &CertRenewPvk, pwszHashAlg, &RequestInfo, &hRequest); // Process the return value: if (S_OK == hr) { // Success, get rid of whatever error text we have from past creations: m_pCertWizardInfo->idsText = 0; // We're done if we don't need to submit the request. _JumpCondition(!fSubmitRequest, CommonReturn); // Cache the request if we don't need support for key archival. fRequestIsCached = 0 == (CertRequestPvkNew.dwPrivateKeyFlags & CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL); break; } else if (E_ACCESSDENIED == HRESULT_FROM_WIN32(hr)) { // E_ACCESSDENIED could indicate one of several different error conditions. Map this // to an resource identifier which details the possible causes of failure, and try again... m_pCertWizardInfo->idsText = IDS_NO_ACCESS_TO_ICERTREQUEST2; } else if (NTE_BAD_ALGID == HRESULT_FROM_WIN32(hr)) { // NTE_BAD_ALGID indicates that the CSP didn't support the algorithm type required // by the template. Map this to a resource identifier that details the possible causes // of failure, and try again... m_pCertWizardInfo->idsText = IDS_CSP_BAD_ALGTYPE; } else if (HRESULT_FROM_WIN32(ERROR_CANCELLED) == HRESULT_FROM_WIN32(hr)) { // The user cancelled the operation. Don't try to enroll any longer. goto ErrorReturn; } else { // It's an error, but we don't need to map it to special text. Just keep processing... } // We're out of CSPs, and we haven't yet created the request! if (!fHasNextCSP) { // If the template doesn't require key archival, we're done. Otherwise, we've got to // try the other CAs. Note that if we had a mechanism for knowing whether it was the // key archival step if (0 == (CertRequestPvkNew.dwPrivateKeyFlags & CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL)) goto ErrorReturn; else { ::FreeRequestParameters(&pwszHashAlg, &CertRenewPvk, &RequestInfo); goto NextCA; } } NextCSP: ::FreeRequestParameters(&pwszHashAlg, &CertRenewPvk, &RequestInfo); } } if (TRUE == fSubmitRequest) { hr = this->SubmitRequest (hKeyService, pszMachineName, CertCA.pwszCALocation, CertCA.pwszCAName, hRequest, (PCCERT_CONTEXT *)pResult, &dwStatus); if (S_OK == hr) { // Success, get rid of whatever error text we have from past submits: m_pCertWizardInfo->idsText = 0; // If we've successfully submitted or pended goto CommonReturn; } else if (E_ACCESSDENIED == HRESULT_FROM_WIN32(hr)) { // E_ACCESSDENIED could indicate one of several different error conditions. Map this // to an resource identifier which details the possible causes of failure, and try again... m_pCertWizardInfo->idsText = IDS_SUBMIT_NO_ACCESS_TO_ICERTREQUEST2; } // Some error has occured. // If it's a non-CA related error, give up... _JumpCondition(dwStatus != CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_ERROR && dwStatus != CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_DENIED && dwStatus != CRYPTUI_WIZ_CERT_REQUEST_STATUS_CONNECTION_FAILED, ErrorReturn); // Otherwise, try another CA... } NextCA:; } } CommonReturn: // Write the request to pResult for a create only operation: if (hr == S_OK && 0 != (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_CREATE_ONLY)) { *pResult = hRequest; } // Write the status code, if requested. if (NULL != pdwStatus) { *pdwStatus = dwStatus; } // Free resources. if (NULL != hRequest && TRUE == fFreeRequest) { this->FreeRequest(hKeyService, pszMachineName, hRequest); } if (NULL != hKeyService) { ::KeyCloseKeyService(hKeyService, NULL); } if (NULL != pszMachineName) { ::FreeMBStr(NULL,pszMachineName); } ::FreeRequestParameters(&pwszHashAlg, &CertRenewPvk, &RequestInfo); return hr; ErrorReturn: goto CommonReturn; SET_HRESULT(KeyOpenKeyServiceError, hr); SET_HRESULT(MkMBStrError, HRESULT_FROM_WIN32(GetLastError())); } HRESULT WhistlerMachineContext::CreateRequest (IN KEYSVCC_HANDLE hKeyService, IN LPSTR pszMachineName, IN LPWSTR pwszCALocation, IN LPWSTR pwszCAName, IN PCERT_REQUEST_PVK_NEW pKeyNew, IN CERT_BLOB *pCert, IN PCERT_REQUEST_PVK_NEW pRenewKey, IN LPWSTR pwszHashAlg, IN PCERT_ENROLL_INFO pRequestInfo, OUT HANDLE *phRequest) { DWORD dwFlags = m_pCertWizardInfo->dwFlags; dwFlags &= ~(CRYPTUI_WIZ_SUBMIT_ONLY | CRYPTUI_WIZ_FREE_ONLY); dwFlags |= CRYPTUI_WIZ_CREATE_ONLY; // Create the certificate request... return ::KeyEnroll_V2 (hKeyService, pszMachineName, TRUE, m_pCertWizardInfo->dwPurpose, dwFlags, (LPWSTR)(m_pCertWizardInfo->pwszAccountName), NULL, (CRYPTUI_WIZ_CERT_ENROLL & m_pCertWizardInfo->dwPurpose) ? TRUE : FALSE, pwszCALocation, pwszCAName, m_pCertWizardInfo->fNewKey, pKeyNew, pCert, pRenewKey, pwszHashAlg, (LPWSTR)m_pCertWizardInfo->pwszDesStore, m_pCertWizardInfo->dwStoreFlags, pRequestInfo, (LPWSTR)m_pCertWizardInfo->pwszRequestString, 0, NULL, phRequest, NULL, NULL, NULL); } HRESULT WhistlerMachineContext::SubmitRequest (IN KEYSVCC_HANDLE hKeyService, IN LPSTR pszMachineName, IN LPWSTR pwszCALocation, IN LPWSTR pwszCAName, IN HANDLE hRequest, OUT PCCERT_CONTEXT *ppCertContext, OUT DWORD *pdwStatus) { CERT_BLOB HashBlob; CERT_BLOB PKCS7Blob; HRESULT hr = E_FAIL; memset(&HashBlob, 0, sizeof(HashBlob)); memset(&PKCS7Blob, 0, sizeof(PKCS7Blob)); DWORD dwFlags = m_pCertWizardInfo->dwFlags; dwFlags &= ~(CRYPTUI_WIZ_CREATE_ONLY | CRYPTUI_WIZ_FREE_ONLY); dwFlags |= CRYPTUI_WIZ_SUBMIT_ONLY; // Submit the certificate request... hr = ::KeyEnroll_V2 (hKeyService, pszMachineName, TRUE, m_pCertWizardInfo->dwPurpose, dwFlags, (LPWSTR)(m_pCertWizardInfo->pwszAccountName), NULL, (CRYPTUI_WIZ_CERT_ENROLL & m_pCertWizardInfo->dwPurpose) ? TRUE : FALSE, pwszCALocation, pwszCAName, m_pCertWizardInfo->fNewKey, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, NULL, &hRequest, &PKCS7Blob, &HashBlob, pdwStatus); if (S_OK == hr && CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == *pdwStatus) { hr = this->ToCertContext (&PKCS7Blob, &HashBlob, pdwStatus, ppCertContext); } if (NULL != HashBlob.pbData) { ::WizardFree(HashBlob.pbData); } if (NULL != PKCS7Blob.pbData) { ::WizardFree(PKCS7Blob.pbData); } return hr; } void WhistlerMachineContext::FreeRequest (IN KEYSVCC_HANDLE hKeyService, IN LPSTR pszMachineName, IN HANDLE hRequest) { DWORD dwFlags = m_pCertWizardInfo->dwFlags; dwFlags &= ~(CRYPTUI_WIZ_CREATE_ONLY | CRYPTUI_WIZ_SUBMIT_ONLY); dwFlags |= CRYPTUI_WIZ_FREE_ONLY; ::KeyEnroll_V2 (hKeyService, pszMachineName, TRUE, 0, dwFlags, NULL, NULL, FALSE, NULL, NULL, FALSE, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, NULL, &hRequest, NULL, NULL, NULL); } HRESULT KeySvcContext::ToCertContext(IN CERT_BLOB *pPKCS7Blob, IN CERT_BLOB *pHashBlob, OUT DWORD *pdwStatus, OUT PCCERT_CONTEXT *ppCertContext) { HCERTSTORE hCertStore = NULL; HRESULT hr = E_FAIL; if (NULL == pPKCS7Blob || NULL == pHashBlob || NULL == ppCertContext) return E_INVALIDARG; //get the certificate store from the PKCS7 for the remote case if (!::CryptQueryObject(CERT_QUERY_OBJECT_BLOB, pPKCS7Blob, CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED, CERT_QUERY_FORMAT_FLAG_ALL, 0, NULL, NULL, NULL, &hCertStore, NULL, NULL)) { if (NULL != pdwStatus) { *pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_INSTALL_FAILED; } goto FailError; } //find the certificate based on the hash if (NULL == (*ppCertContext = ::CertFindCertificateInStore (hCertStore, X509_ASN_ENCODING, 0, CERT_FIND_SHA1_HASH, pHashBlob, NULL))) { if (NULL != pdwStatus) { *pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_INSTALL_FAILED; } goto FailError; } hr = S_OK; CommonReturn: if(NULL != hCertStore) { CertCloseStore(hCertStore, 0); } return hr; ErrorReturn: if (NULL != pdwStatus && 0 == *pdwStatus) { *pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_KEYSVC_FAILED; } goto CommonReturn; SET_HRESULT(FailError, E_FAIL); } HRESULT KeySvcContext::Initialize() { if (NULL == m_pCertWizardInfo) return E_POINTER; // We don't need to download the list of allowed templates if we're not going // to be performing the access check anyway. if (0 == (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_ALLOW_ALL_TEMPLATES)) { //for the remote enrollment, we have to get the allowed cert type //list from the key service. if(!::GetCertTypeName(m_pCertWizardInfo)) { m_idsText = IDS_NO_VALID_CERT_TEMPLATE; return HRESULT_FROM_WIN32(GetLastError()); } } // We don't need to download the list of allowed CAs if we're not going // to be performing the access check anyway if (0 == (m_pCertWizardInfo->dwFlags & CRYPTUI_WIZ_ALLOW_ALL_CAS)) { if(!::GetCAName(m_pCertWizardInfo)) { m_idsText = IDS_NO_CA_FOR_ENROLL; return HRESULT_FROM_WIN32(GetLastError()); } } return S_OK; } //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ // // // CertRequesterContext: implementation of abstract superclass. // See requesters.h for method-level documentation. // // //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ HRESULT CertRequesterContext::MakeDefaultCertRequesterContext (OUT CertRequesterContext **ppRequesterContext) { CERT_WIZARD_INFO *pCertWizardInfo = NULL; HRESULT hr; pCertWizardInfo = (CERT_WIZARD_INFO *)WizardAlloc(sizeof(CERT_WIZARD_INFO)); _JumpCondition(NULL == pCertWizardInfo, MemoryError); hr = MakeCertRequesterContext (NULL, NULL, 0, pCertWizardInfo, ppRequesterContext, NULL); _JumpCondition(S_OK != hr, MakeCertRequesterContextError); hr = S_OK; CommonReturn: return hr; ErrorReturn: if (NULL != pCertWizardInfo) { WizardFree(pCertWizardInfo); } goto CommonReturn; SET_HRESULT(MakeCertRequesterContextError, hr); SET_HRESULT(MemoryError, E_OUTOFMEMORY); } HRESULT CertRequesterContext::MakeCertRequesterContext (IN LPCWSTR pwszAccountName, IN LPCWSTR pwszMachineName, IN DWORD dwCertOpenStoreFlags, IN CERT_WIZARD_INFO *pCertWizardInfo, OUT CertRequesterContext **ppRequesterContext, OUT UINT *pIDSText) { BOOL fMachine = FALSE; DWORD const dwLocalUserNameSize = UNLEN + 1; DWORD const dwLocalMachineNameSize = MAX_COMPUTERNAME_LENGTH + 1; HRESULT hr = E_FAIL; UINT idsText = NULL == pIDSText ? 0 : *pIDSText; WCHAR wszLocalUserName[dwLocalUserNameSize] = { 0 }; WCHAR wszLocalMachineName[dwLocalMachineNameSize] = { 0 }; // Input validation: if (NULL == pCertWizardInfo || NULL == ppRequesterContext) return E_INVALIDARG; // Should not have assigned values to these fields yet: if (NULL != pCertWizardInfo->pwszAccountName || NULL != pCertWizardInfo->pwszMachineName) return E_INVALIDARG; if(!GetUserNameU(wszLocalUserName, (DWORD *)&dwLocalUserNameSize)) { idsText=IDS_FAIL_TO_GET_USER_NAME; goto Win32Error; } if(!GetComputerNameU(wszLocalMachineName, (DWORD *)&dwLocalMachineNameSize)) { idsText=IDS_FAIL_TO_GET_COMPUTER_NAME; goto Win32Error; } // Map all unspecified values to defaults: // // Default #1: NULL pwszAccountName indicates current user _iff_ pwszMachineName is NULL. if (NULL == pwszAccountName && NULL == pwszMachineName) { pwszAccountName = wszLocalUserName; } // Default #2: NULL pwszMachineName indicates local machine. if (NULL == pwszMachineName) { pwszMachineName = wszLocalMachineName; } // Default #3: NULL pwszAccountName and non-NULL pwszMachineName indicates machine enrollment. fMachine = (NULL == pwszAccountName || (0 != _wcsicmp(pwszAccountName, wszLocalUserName)) || (0 != _wcsicmp(pwszMachineName, wszLocalMachineName))); // Default #4: dwCertOpenStoreFlags == 0 defaults to CERT_SYSTEM_STORE_LOCAL_MACHINE // for machine enrollment, CERT_SYSTEM_STORE_CURRENT_USER for user enrollment. if (0 == dwCertOpenStoreFlags) { dwCertOpenStoreFlags = fMachine ? CERT_SYSTEM_STORE_LOCAL_MACHINE : CERT_SYSTEM_STORE_CURRENT_USER; } // Now that we've mapped unspecified values to defaults, assign the wizard's fields // with these values: // if (NULL != pwszAccountName) { pCertWizardInfo->pwszAccountName = (LPWSTR)WizardAlloc(sizeof(WCHAR) * (wcslen(pwszAccountName) + 1)); _JumpConditionWithExpr(NULL == pCertWizardInfo->pwszAccountName, MemoryError, idsText = IDS_OUT_OF_MEMORY); wcscpy((LPWSTR)pCertWizardInfo->pwszAccountName, pwszAccountName); } pCertWizardInfo->pwszMachineName = (LPWSTR)WizardAlloc(sizeof(WCHAR) * (wcslen(pwszMachineName) + 1)); _JumpConditionWithExpr(NULL == pCertWizardInfo->pwszMachineName, MemoryError, idsText = IDS_OUT_OF_MEMORY); wcscpy((LPWSTR)pCertWizardInfo->pwszMachineName, pwszMachineName); pCertWizardInfo->fMachine = fMachine; pCertWizardInfo->dwStoreFlags = dwCertOpenStoreFlags; // We need keysvc if: // // 1) We're doing machine enrollment (we need to run under the local machine's context). // 2) An account _other_ than the current user on the local machine is specified. // (we need to run under another user's context). // if (TRUE == fMachine) { KEYSVC_TYPE ktServiceType; KEYSVC_OPEN_KEYSVC_INFO OpenKeySvcInfo = { sizeof(KEYSVC_OPEN_KEYSVC_INFO), 0 }; KEYSVCC_HANDLE hKeyService = NULL; LPSTR pszMachineName = NULL; ktServiceType = NULL != pwszAccountName ? KeySvcService : KeySvcMachine; _JumpConditionWithExpr(!MkMBStr(NULL, 0, pwszMachineName, &pszMachineName), MkMBStrError, idsText = IDS_OUT_OF_MEMORY); // See if we're enrolling for a W2K or a Whistler machine: hr = KeyOpenKeyService (pszMachineName, ktServiceType, (LPWSTR)pwszAccountName, NULL, NULL, &hKeyService); _JumpConditionWithExpr(S_OK != hr, KeyOpenKeyServiceError, idsText = IDS_RPC_CALL_FAILED); *ppRequesterContext = new WhistlerMachineContext(pCertWizardInfo); } else { // We're requesting a cert for ourselves: we don't need keysvc. *ppRequesterContext = new LocalContext(pCertWizardInfo); } if (NULL == *ppRequesterContext) goto MemoryError; hr = S_OK; CommonReturn: return hr; ErrorReturn: if (NULL != pCertWizardInfo->pwszMachineName) { WizardFree((LPVOID)pCertWizardInfo->pwszMachineName); } if (NULL != pCertWizardInfo->pwszAccountName) { WizardFree((LPVOID)pCertWizardInfo->pwszAccountName); } pCertWizardInfo->pwszMachineName = NULL; pCertWizardInfo->pwszAccountName = NULL; // Assign error text if specified: if (NULL != pIDSText) { *pIDSText = idsText; } goto CommonReturn; SET_HRESULT(MemoryError, E_OUTOFMEMORY); SET_HRESULT(KeyOpenKeyServiceError, hr); SET_HRESULT(MkMBStrError, HRESULT_FROM_WIN32(GetLastError())); SET_HRESULT(Win32Error, HRESULT_FROM_WIN32(GetLastError())); } CertRequesterContext::~CertRequesterContext() { if (NULL != m_pCertWizardInfo) { if (NULL != m_pCertWizardInfo->pwszMachineName) { WizardFree((LPVOID)m_pCertWizardInfo->pwszMachineName); } if (NULL != m_pCertWizardInfo->pwszAccountName) { WizardFree((LPVOID)m_pCertWizardInfo->pwszAccountName); } m_pCertWizardInfo->pwszMachineName = NULL; m_pCertWizardInfo->pwszAccountName = NULL; } }