Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1493 lines
34 KiB

//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1996 - 1999
//
// File: certpick.cpp
//
// Contents: Cert Server wrapper routines
//
//---------------------------------------------------------------------------
#include <pch.cpp>
#pragma hdrstop
#include "cainfop.h"
#include "csdisp.h"
#include "csldap.h"
#include "tfc.h"
#include "clibres.h"
#define __dwFILE__ __dwFILE_CERTLIB_CERTPICK_CPP__
#define CUCS_SOURCEMASK (CUCS_MACHINESTORE | CUCS_USERSTORE | CUCS_DSSTORE)
#define CUCS_TYPEMASK (CUCS_MYSTORE | \
CUCS_CASTORE | \
CUCS_KRASTORE | \
CUCS_ROOTSTORE)
#define CUCS_VALIDMASK (CUCS_SOURCEMASK | \
CUCS_TYPEMASK | \
CUCS_V1ONLY | \
CUCS_V3ONLY | \
CUCS_ARCHIVED | \
CUCS_USAGEREQUIRED | \
CUCS_SILENT | \
CUCS_PRIVATEKEYREQUIRED | \
CUCS_USAGEKEYENCIPHER)
// My, CA, KRA and Root stores -- in HKLM, HKCU and the DS
#define CDISPLAYSTOREMAX (4 * 3)
typedef struct _STOREMAP {
DWORD dwFlags;
WCHAR const *pwszStoreName;
WCHAR const *pwszDSTemplate;
} STOREMAP;
STOREMAP s_aStoreMap[] = {
{ CUCS_MYSTORE, wszMY_CERTSTORE, NULL },
{ CUCS_CASTORE, wszCA_CERTSTORE, wszDSAIAQUERYTEMPLATE },
{ CUCS_KRASTORE, wszKRA_CERTSTORE, wszDSKRAQUERYTEMPLATE },
{ CUCS_ROOTSTORE, wszROOT_CERTSTORE, NULL },
{ 0x0, NULL, NULL },
};
HRESULT
FormatDSStoreName(
IN OUT BSTR *pstrDomainDN,
IN OUT BSTR *pstrConfigDN,
IN WCHAR const *pwszTemplate,
OUT WCHAR **ppwszOut)
{
HRESULT hr;
LDAP *pld = NULL;
if (NULL == *pstrConfigDN) // first call
{
// Renewal domain and config containers (%5, %6)
hr = myLdapOpen(
NULL, // pwszDomainName
RLBF_REQUIRE_SECURE_LDAP, // dwFlags
&pld,
pstrDomainDN,
pstrConfigDN);
_JumpIfError(hr, error, "myLdapOpen");
}
hr = myFormatCertsrvStringArray(
FALSE, // fURL
L"", // pwszServerName_p1_2
L"", // pwszSanitizedName_p3_7
0, // iCert_p4
MAXDWORD, // iCertTarget_p4
*pstrDomainDN, // pwszDomainDN_p5
*pstrConfigDN, // pwszConfigDN_p6
0, // iCRL_p8
FALSE, // fDeltaCRL_p9
FALSE, // fDSAttrib_p10_11
1, // cStrings
(LPCWSTR *) &pwszTemplate, // apwszStringsIn
ppwszOut); // apwszStringsOut
_JumpIfError(hr, error, "myFormatCertsrvStringArray");
error:
myLdapClose(pld, NULL, NULL);
return(hr);
}
HRESULT
myOpenCertStores(
IN DWORD dwFlags, // CUCS_*
OUT DWORD *pcStore,
OUT HCERTSTORE **prghStore)
{
HRESULT hr;
HRESULT hr2;
HCERTSTORE *rghStore = NULL;
DWORD cStore = 0;
STOREMAP *psm;
DWORD OpenFlags;
BSTR strDomainDN = NULL;
BSTR strConfigDN = NULL;
WCHAR *pwszDSStore = NULL;
*pcStore = 0;
*prghStore = NULL;
rghStore = (HCERTSTORE *) LocalAlloc(
LMEM_FIXED,
CDISPLAYSTOREMAX * sizeof(HCERTSTORE));
if (NULL == rghStore)
{
hr = E_OUTOFMEMORY;
_JumpError(hr, error, "LocalAlloc(rghStore)");
}
OpenFlags = CERT_STORE_READONLY_FLAG | CERT_STORE_SET_LOCALIZED_NAME_FLAG;
if (CUCS_ARCHIVED & dwFlags)
{
OpenFlags |= CERT_STORE_ENUM_ARCHIVED_FLAG;
}
hr2 = S_OK;
if ((CUCS_SOURCEMASK | CUCS_TYPEMASK) & dwFlags)
{
if (~CUCS_VALIDMASK & dwFlags)
{
hr = E_INVALIDARG;
_JumpError(hr, error, "dwFlags");
}
if (0 == (CUCS_SOURCEMASK & dwFlags))
{
dwFlags |= CUCS_SOURCEMASK; // source default: all cert store sources
}
if (0 == (CUCS_TYPEMASK & dwFlags))
{
dwFlags |= CUCS_MYSTORE; // type default: use my store
}
for (psm = s_aStoreMap; NULL != psm->pwszStoreName; psm++)
{
if (dwFlags & psm->dwFlags)
{
HCERTSTORE hStore;
if (CUCS_MACHINESTORE & dwFlags)
{
hStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
X509_ASN_ENCODING,
NULL,
CERT_SYSTEM_STORE_LOCAL_MACHINE | OpenFlags,
psm->pwszStoreName);
if (NULL == hStore)
{
hr = myHLastError();
_PrintErrorStr(hr, "CertOpenStore LocalMachine", psm->pwszStoreName);
if (S_OK == hr2)
{
hr2 = hr;
}
}
else
{
DBGPRINT((
DBG_SS_CERTLIBI,
"CertOpenStore LocalMachine(%ws, HKLM)[%u]\n",
psm->pwszStoreName,
cStore));
rghStore[cStore++] = hStore;
}
}
if (CUCS_USERSTORE & dwFlags)
{
hStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
X509_ASN_ENCODING,
NULL,
CERT_SYSTEM_STORE_CURRENT_USER | OpenFlags,
psm->pwszStoreName);
if (NULL == hStore)
{
hr = myHLastError();
_PrintErrorStr(hr, "CertOpenStore User", psm->pwszStoreName);
if (S_OK == hr2)
{
hr2 = hr;
}
}
else
{
DBGPRINT((
DBG_SS_CERTLIBI,
"CertOpenStore User(%ws, HKCU)[%u]\n",
psm->pwszStoreName,
cStore));
rghStore[cStore++] = hStore;
}
}
if ((CUCS_DSSTORE & dwFlags) && NULL != psm->pwszDSTemplate)
{
CString strStoreFriendlyName;
int idResource;
switch(psm->dwFlags)
{
case CUCS_CASTORE:
idResource = IDS_STORENAME_DS_AIA;
break;
case CUCS_KRASTORE:
idResource = IDS_STORENAME_DS_KRA;
break;
default:
CSASSERT(CSExpr(!"Invalid cert store name"));
idResource = 0;
}
strStoreFriendlyName.LoadString(idResource);
if (NULL != pwszDSStore)
{
LocalFree(pwszDSStore);
pwszDSStore = NULL;
}
hr = FormatDSStoreName(
&strDomainDN,
&strConfigDN,
psm->pwszDSTemplate,
&pwszDSStore);
if (S_OK != hr)
{
_PrintError(hr, "FormatDSStoreName");
}
else
{
hStore = myUrlCertOpenStore(
CRYPT_WIRE_ONLY_RETRIEVAL |
CRYPT_RETRIEVE_MULTIPLE_OBJECTS,
pwszDSStore);
if (NULL == hStore)
{
hr = myHLastError();
_PrintErrorStr(hr, "myUrlCertOpenStore", pwszDSStore);
if (S_OK == hr2)
{
hr2 = hr;
}
}
else
{
CRYPT_DATA_BLOB cdb;
cdb.pbData = (BYTE *) strStoreFriendlyName.GetBuffer();
cdb.cbData = sizeof(WCHAR) *
(wcslen(strStoreFriendlyName.GetBuffer()) + 1);
if (!CertSetStoreProperty(
hStore,
CERT_STORE_LOCALIZED_NAME_PROP_ID,
0,
(const void *) &cdb))
{
hr = myHLastError();
_PrintErrorStr(hr, "CertSetStoreProp LDAP", pwszDSStore);
hr = S_OK;
}
DBGPRINT((
DBG_SS_CERTLIBI,
"myUrlCertOpenStore(%ws)[%u]\n",
pwszDSStore,
cStore));
rghStore[cStore++] = hStore;
}
}
}
}
}
}
hr = hr2;
if (0 == cStore)
{
if (hr == S_OK)
{
hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
}
_JumpError(hr, error, "no Cert Store");
}
CSASSERT(CDISPLAYSTOREMAX >= cStore);
*pcStore = cStore;
*prghStore = rghStore;
rghStore = NULL;
// successfully opened some stores
hr = S_OK;
error:
if (NULL != strDomainDN)
{
SysFreeString(strDomainDN);
}
if (NULL != strConfigDN)
{
SysFreeString(strConfigDN);
}
if (NULL != pwszDSStore)
{
LocalFree(pwszDSStore);
}
if (NULL != rghStore)
{
myCloseCertStores(cStore, rghStore);
}
return(hr);
}
VOID
myCloseCertStores(
IN DWORD cStore,
IN HCERTSTORE *rghStore)
{
DWORD i;
if (NULL != rghStore)
{
for (i = cStore; i < cStore; i++)
{
if (NULL != rghStore[i])
{
CertCloseStore(rghStore[i], CERT_CLOSE_STORE_CHECK_FLAG);
}
}
LocalFree(rghStore);
}
}
// Search for and load the cryptographic provider and private key.
HRESULT
myLoadPrivateKey(
IN CERT_PUBLIC_KEY_INFO const *pPubKeyInfo,
IN DWORD dwFlags, // CUCS_*
OUT HCRYPTPROV *phProv,
OUT DWORD *pdwKeySpec,
OUT BOOL *pfCallerFreeProv)
{
HRESULT hr;
HCERTSTORE *rghStore = NULL;
DWORD cStore;
hr = myOpenCertStores(dwFlags, &cStore, &rghStore);
_JumpIfError(hr, error, "myOpenCertStores");
hr = myLoadPrivateKeyFromCertStores(
pPubKeyInfo,
cStore,
rghStore,
phProv,
pdwKeySpec,
pfCallerFreeProv);
_JumpIfError(hr, error, "myLoadPrivateKeyFromCertStores");
error:
if (NULL != rghStore)
{
myCloseCertStores(cStore, rghStore);
}
return(hr);
}
HRESULT
myLoadPrivateKeyFromCertStores(
IN CERT_PUBLIC_KEY_INFO const *pPubKeyInfo,
IN DWORD cStore,
IN HCERTSTORE *rghStore,
OUT HCRYPTPROV *phProv,
OUT DWORD *pdwKeySpec,
OUT BOOL *pfCallerFreeProv)
{
HRESULT hr;
DWORD i;
CERT_CONTEXT const *pcc = NULL;
// for each cert store
// for each cert in store with matching public key (lookup by public key)
// call CryptAcquireCertificatePrivateKey
// if succeeds, exit w/S_OK
hr = S_OK;
for (i = 0; i < cStore; i++)
{
HCERTSTORE hStore = rghStore[i];
for (;;)
{
pcc = CertFindCertificateInStore(
hStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_PUBLIC_KEY,
pPubKeyInfo,
pcc);
if (NULL == pcc)
{
hr = myHLastError();
_PrintError(hr, "CertFindCertificateInStore");
break;
}
if (!CryptAcquireCertificatePrivateKey(
pcc,
CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
NULL, // pvReserved
phProv,
pdwKeySpec,
pfCallerFreeProv))
{
hr = myHLastError();
_PrintError(hr, "CryptAcquireCertificatePrivateKey");
continue;
}
hr = S_OK;
goto error;
}
}
if (S_OK == hr)
{
hr = CRYPT_E_NOT_FOUND;
}
_JumpError(hr, error, "CertFindCertificateInStore");
error:
if (NULL != pcc)
{
CertFreeCertificateContext(pcc);
pcc = NULL;
}
return(hr);
}
HRESULT
myMakeSerialBstr(
IN WCHAR const *pwszSerialNumber,
OUT BSTR *pstrSerialNumber)
{
HRESULT hr = E_OUTOFMEMORY;
WCHAR *pwszDup = NULL;
WCHAR const *pwszSrc;
WCHAR *pwszDst;
pwszDup = (WCHAR *) LocalAlloc(
LMEM_FIXED,
(wcslen(pwszSerialNumber) + 2) * sizeof(*pwszDup));
if (NULL == pwszDup)
{
_JumpError(hr, error, "LocalAlloc");
}
pwszSrc = pwszSerialNumber;
*pwszDup = L'0'; // allow possible leading zero
pwszDst = &pwszDup[1];
while (L'\0' != *pwszSrc)
{
WCHAR wc = *pwszSrc++;
if (iswspace(wc))
{
continue;
}
if (L'A' <= wc && L'F' >= wc)
{
wc += L'a' - L'A';
}
if ((L'a' > wc || L'f' < wc) &&
(L'0' > wc || L'9' < wc))
{
hr = E_INVALIDARG;
_JumpErrorStr2(hr, error, "myMakeSerialBstr", pwszSerialNumber, hr);
}
*pwszDst++ = wc;
}
*pwszDst = L'\0';
pwszSrc = pwszDup; // point at possible extra leading zero
if (1 & (pwszDst - pwszSrc))
{
pwszSrc++; // keep the length even
}
while (L'0' == pwszSrc[0] && L'0' == pwszSrc[1] && L'\0' != pwszSrc[2])
{
pwszSrc += 2; // skip pairs of leading zeros
}
if (!myConvertWszToBstr(pstrSerialNumber, pwszSrc, MAXDWORD))
{
_JumpError(hr, error, "myConvertWszToBstr");
}
hr = S_OK;
error:
if (NULL != pwszDup)
{
LocalFree(pwszDup);
}
return(hr);
}
HRESULT
myNameBlobMatch(
IN CERT_NAME_BLOB const *pSubject,
IN WCHAR const *pwszCertName,
IN BOOL fAllowMissingCN,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fFoundCN = FALSE;
BOOL fMatchCN = FALSE;
CERT_NAME_INFO *pNameInfo = NULL;
DWORD cbNameInfo;
DWORD i;
if (!myDecodeName(
X509_ASN_ENCODING,
X509_UNICODE_NAME,
pSubject->pbData,
pSubject->cbData,
CERTLIB_USE_LOCALALLOC,
&pNameInfo,
&cbNameInfo))
{
hr = myHLastError();
_JumpError(hr, error, "myDecodeName");
}
for (i = 0; i < pNameInfo->cRDN; i++)
{
CERT_RDN const *prdn;
DWORD j;
prdn = &pNameInfo->rgRDN[i];
for (j = 0; j < prdn->cRDNAttr; j++)
{
CERT_RDN_ATTR const *prdna;
prdna = &prdn->rgRDNAttr[j];
if (0 == strcmp(szOID_COMMON_NAME, prdna->pszObjId) &&
NULL != prdna->Value.pbData)
{
fFoundCN = TRUE;
if (0 == mylstrcmpiL(
pwszCertName,
(WCHAR const *) prdna->Value.pbData))
{
fMatchCN = TRUE;
break;
}
}
}
}
hr = S_OK;
error:
if (NULL != pNameInfo)
{
LocalFree(pNameInfo);
}
*pfMatch = fMatchCN || (fAllowMissingCN && !fFoundCN);
return(hr);
}
HRESULT
mySerialNumberMatch(
IN CRYPT_INTEGER_BLOB const *pSerialNumber,
IN WCHAR const *pwszSerialNumber,
OUT BOOL *pfMatch)
{
HRESULT hr;
BSTR strSerialNumber = NULL;
BOOL fMatch = FALSE;
hr = MultiByteIntegerToBstr(
FALSE,
pSerialNumber->cbData,
pSerialNumber->pbData,
&strSerialNumber);
_JumpIfError(hr, error, "MultiByteIntegerToBstr");
if (0 == mylstrcmpiL(pwszSerialNumber, strSerialNumber))
{
fMatch = TRUE;
}
CSASSERT(S_OK == hr);
error:
if (NULL != strSerialNumber)
{
SysFreeString(strSerialNumber);
}
*pfMatch = fMatch;
return(hr);
}
HRESULT
myCertHashMatch(
IN CERT_CONTEXT const *pCert,
IN DWORD cb,
IN BYTE const *pb,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fMatch = FALSE;
BYTE abHash[CBMAX_CRYPT_HASH_LEN];
DWORD cbHash;
//wprintf(L"IN: ");
//DumpHex(DH_NOADDRESS | DH_NOTABPREFIX | DH_NOASCIIHEX | 1, pb, cb);
cbHash = sizeof(abHash);
if (!CertGetCertificateContextProperty(
pCert,
CERT_SHA1_HASH_PROP_ID,
abHash,
&cbHash))
{
hr = myHLastError();
_JumpError(hr, error, "CertGetCertificateContextProperty");
}
//wprintf(L"CH: ");
//DumpHex(DH_NOADDRESS | DH_NOTABPREFIX | DH_NOASCIIHEX | 1, abHash, cbHash);
if (cbHash == cb && 0 == memcmp(abHash, pb, cb))
{
fMatch = TRUE;
hr = S_OK;
goto error;
}
cbHash = sizeof(abHash);
if (!CertGetCertificateContextProperty(
pCert,
CERT_KEY_IDENTIFIER_PROP_ID,
abHash,
&cbHash))
{
hr = myHLastError();
_PrintError(hr, "CertGetCertificateContextProperty(KeyId)");
}
else
{
//wprintf(L"KH: ");
//DumpHex(DH_NOADDRESS | DH_NOTABPREFIX | DH_NOASCIIHEX | 1, abHash, cbHash);
if (cbHash == cb && 0 == memcmp(abHash, pb, cb))
{
fMatch = TRUE;
hr = S_OK;
goto error;
}
}
hr = S_OK;
error:
*pfMatch = fMatch;
return(hr);
}
HRESULT
myCertMatch(
IN CERT_CONTEXT const *pCert,
IN WCHAR const *pwszCertName,
IN BOOL fAllowMissingCN,
OPTIONAL IN BYTE const *pbHash,
IN DWORD cbHash,
OPTIONAL IN WCHAR const *pwszSerialNumber,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fMatch = FALSE;
if (NULL != pbHash)
{
hr = myCertHashMatch(pCert, cbHash, pbHash, &fMatch);
_JumpIfError(hr, error, "myCertHashMatch");
}
if (!fMatch && NULL != pwszSerialNumber)
{
hr = mySerialNumberMatch(
&pCert->pCertInfo->SerialNumber,
pwszSerialNumber,
&fMatch);
_JumpIfError(hr, error, "mySerialNumberMatch");
}
if (!fMatch)
{
hr = myNameBlobMatch(
&pCert->pCertInfo->Subject,
pwszCertName,
fAllowMissingCN,
&fMatch);
_JumpIfError(hr, error, "myNameBlobMatch");
}
hr = S_OK;
error:
*pfMatch = fMatch;
return(hr);
}
HRESULT
myCertMatchEKUOrApplicationPolicies(
IN CERT_CONTEXT const *pCert,
IN DWORD cpszObjId,
IN CHAR const * const *apszObjId,
IN BOOL fUsageRequired,
OUT BOOL *pfMatch)
{
HRESULT hr;
CERT_ENHKEY_USAGE *pKeyUsage = NULL;
DWORD cbKeyUsage = 0;
BOOL fMatch = FALSE;
DWORD i;
DWORD j;
for (;;)
{
// get enhanced key usage OIDs
if (!CertGetEnhancedKeyUsage(
pCert,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
pKeyUsage,
&cbKeyUsage))
{
// accept match if EKU extension not found
hr = myHLastError();
if (!fUsageRequired && CRYPT_E_NOT_FOUND == hr)
{
fMatch = TRUE;
}
_PrintError2(hr, "CertGetEnhancedKeyUsage", CRYPT_E_NOT_FOUND);
hr = S_OK;
goto error;
}
if (NULL != pKeyUsage)
{
break; // EKU extension fetched; break out of while loop
}
pKeyUsage = (CERT_ENHKEY_USAGE *) LocalAlloc(LMEM_FIXED, cbKeyUsage);
if (NULL == pKeyUsage)
{
hr = E_OUTOFMEMORY;
_JumpError(hr, error, "out of memory");
}
}
if (NULL != pKeyUsage)
{
if (0 == pKeyUsage->cUsageIdentifier)
{
hr = myHLastError(); // set by CertGetEnhancedKeyUsage
if (S_OK != hr)
{
fMatch = TRUE;
}
}
else
{
for (i = 0; i < pKeyUsage->cUsageIdentifier; i++)
{
if (fMatch)
{
break;
}
for (j = 0; j < cpszObjId; j++)
{
if (0 == strcmp(
pKeyUsage->rgpszUsageIdentifier[i],
apszObjId[j]))
{
fMatch = TRUE; // found matching EKU OID
break;
}
}
}
}
}
hr = S_OK;
error:
*pfMatch = fMatch;
if (NULL != pKeyUsage)
{
LocalFree(pKeyUsage);
}
return(hr);
}
HRESULT
myCRLHashMatch(
IN CRL_CONTEXT const *pCRL,
IN DWORD cb,
IN BYTE const *pb,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fMatch = FALSE;
BYTE abHash[CBMAX_CRYPT_HASH_LEN];
DWORD cbHash;
cbHash = sizeof(abHash);
if (!CertGetCRLContextProperty(
pCRL,
CERT_SHA1_HASH_PROP_ID,
abHash,
&cbHash))
{
hr = myHLastError();
_JumpError(hr, error, "CertGetCRLContextProperty");
}
if (cbHash == cb && 0 == memcmp(abHash, pb, cb))
{
fMatch = TRUE;
}
hr = S_OK;
error:
*pfMatch = fMatch;
return(hr);
}
HRESULT
myCRLMatch(
IN CRL_CONTEXT const *pCRL,
IN WCHAR const *pwszCRLName,
IN BOOL fAllowMissingCN,
OPTIONAL IN BYTE const *pbHash,
IN DWORD cbHash,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fMatch = FALSE;
if (NULL != pbHash)
{
hr = myCRLHashMatch(pCRL, cbHash, pbHash, &fMatch);
_JumpIfError(hr, error, "myCRLHashMatch");
}
if (!fMatch)
{
hr = myNameBlobMatch(
&pCRL->pCrlInfo->Issuer,
pwszCRLName,
fAllowMissingCN,
&fMatch);
_JumpIfError(hr, error, "myNameBlobMatch");
}
hr = S_OK;
error:
*pfMatch = fMatch;
return(hr);
}
HRESULT
myCTLHashMatch(
IN CTL_CONTEXT const *pCTL,
IN DWORD cb,
IN BYTE const *pb,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fMatch = FALSE;
BYTE abHash[CBMAX_CRYPT_HASH_LEN];
DWORD cbHash;
cbHash = sizeof(abHash);
if (!CertGetCTLContextProperty(
pCTL,
CERT_SHA1_HASH_PROP_ID,
abHash,
&cbHash))
{
hr = myHLastError();
_JumpError(hr, error, "CertGetCTLContextProperty");
}
if (cbHash == cb && 0 == memcmp(abHash, pb, cb))
{
fMatch = TRUE;
}
hr = S_OK;
error:
*pfMatch = fMatch;
return(hr);
}
HRESULT
myCTLMatch(
IN CTL_CONTEXT const *pCTL,
OPTIONAL IN BYTE const *pbHash,
IN DWORD cbHash,
OUT BOOL *pfMatch)
{
HRESULT hr;
BOOL fMatch = FALSE;
if (NULL != pbHash)
{
hr = myCTLHashMatch(pCTL, cbHash, pbHash, &fMatch);
_JumpIfError(hr, error, "myCTLHashMatch");
}
hr = S_OK;
error:
*pfMatch = fMatch;
return(hr);
}
typedef struct _CERTFILTERCALLBACKDATA
{
DWORD dwFlags; // CUCS_*
DWORD cpszObjId;
CHAR const * const *apszObjId;
WCHAR const *pwszCommonName;
BYTE *pbHash;
DWORD cbHash;
BSTR strSerialNumber;
HRESULT hr;
HCERTSTORE hMemStore;
} CERTFILTERCALLBACKDATA;
BOOL WINAPI
CertificateFilterProc(
PCCERT_CONTEXT pCertContext,
BOOL *pfInitialSelectedCert,
void *pvCallbackData)
{
HRESULT hr;
BOOL fMatch;
CERTFILTERCALLBACKDATA *pCallbackData =
(CERTFILTERCALLBACKDATA *) pvCallbackData;
CERT_NAME_INFO *pNameInfo = NULL;
WCHAR *pwszSubject = NULL;
CSASSERT(NULL != pCertContext);
*pfInitialSelectedCert = FALSE;
hr = myCertNameToStr(
X509_ASN_ENCODING,
&pCertContext->pCertInfo->Subject,
CERT_X500_NAME_STR |
CERT_NAME_STR_REVERSE_FLAG |
CERT_NAME_STR_NO_QUOTING_FLAG,
&pwszSubject);
_PrintIfError(hr, "myCertNameToStr");
if (NULL != pCallbackData->apszObjId)
{
hr = myCertMatchEKUOrApplicationPolicies(
pCertContext,
pCallbackData->cpszObjId,
pCallbackData->apszObjId,
CUCS_USAGEREQUIRED & pCallbackData->dwFlags,
&fMatch);
_JumpIfError(hr, error, "myCertMatchEKUOrApplicationPolicies");
if (!fMatch)
{
_PrintErrorStr2(
CRYPT_E_NOT_FOUND,
"no matching EKU",
pwszSubject,
CRYPT_E_NOT_FOUND);
hr = S_OK;
goto error;
}
}
// The CommonName filter serves three purposes: 1: a common name, 2: the
// sha-1 hash of the cert, 3: the sha-1 hash of the public key (or the
// Subject Key Id extension), 4: the serial number of the cert. If any one
// of these match, the cert is accepted.
if (NULL != pCallbackData->pwszCommonName)
{
hr = myCertMatch(
pCertContext,
pCallbackData->pwszCommonName,
FALSE, // fAllowMissingCN
pCallbackData->pbHash,
pCallbackData->cbHash,
pCallbackData->strSerialNumber,
&fMatch);
_JumpIfError(hr, error, "myCertMatch");
if (!fMatch)
{
_PrintErrorStr2(
CRYPT_E_NOT_FOUND,
"no matching CN/Hash/Serial",
pwszSubject,
CRYPT_E_NOT_FOUND);
hr = S_OK;
goto error;
}
}
fMatch = FALSE;
if ((CUCS_V1ONLY & pCallbackData->dwFlags) &&
CERT_V1 != pCertContext->pCertInfo->dwVersion)
{
_PrintErrorStr2(
CRYPT_E_NOT_FOUND,
"not V1",
pwszSubject,
CRYPT_E_NOT_FOUND);
hr = S_OK;
goto error;
}
if ((CUCS_V3ONLY & pCallbackData->dwFlags) &&
CERT_V3 != pCertContext->pCertInfo->dwVersion)
{
_PrintErrorStr2(
CRYPT_E_NOT_FOUND,
"not V3",
pwszSubject,
CRYPT_E_NOT_FOUND);
hr = S_OK;
goto error;
}
if (CUCS_PRIVATEKEYREQUIRED & pCallbackData->dwFlags)
{
DWORD cb;
if (!CertGetCertificateContextProperty(
pCertContext,
CERT_KEY_PROV_INFO_PROP_ID,
NULL,
&cb))
{
_PrintErrorStr(CRYPT_E_NOT_FOUND, "no KeyProvInfo", pwszSubject);
hr = S_OK;
goto error;
}
}
if (CUCS_USAGEKEYENCIPHER & pCallbackData->dwFlags)
{
DWORD dwKeyUsage;
DWORD cb = sizeof(dwKeyUsage);
if (!CertGetIntendedKeyUsage(
X509_ASN_ENCODING,
pCertContext->pCertInfo,
(BYTE*)&dwKeyUsage,
cb))
{
_PrintErrorStr(CRYPT_E_NOT_FOUND, "CertGetIntendedKeyUsage", pwszSubject);
hr = S_OK;
goto error;
}
if (!(dwKeyUsage & CERT_KEY_ENCIPHERMENT_KEY_USAGE))
{
_PrintErrorStr2(
CRYPT_E_NOT_FOUND,
"key encipherment key usage not found",
pwszSubject,
CRYPT_E_NOT_FOUND);
hr = S_OK;
goto error;
}
}
// Attempt to add to the temporary store; if it fails then it already
// exists so we don't want it displayed.
if (!CertAddCertificateLinkToStore(
pCallbackData->hMemStore,
pCertContext,
CERT_STORE_ADD_NEW,
NULL))
{
hr = myHLastError();
_PrintErrorStr2(hr, "CertAddCertificateLinkToStore Dup", pwszSubject, hr);
hr = S_OK;
goto error;
}
fMatch = TRUE;
hr = S_OK;
error:
if (S_OK == pCallbackData->hr || (fMatch && S_FALSE == pCallbackData->hr))
{
pCallbackData->hr = hr; // keep the first HRESULT
}
if (NULL != pwszSubject)
{
LocalFree(pwszSubject);
}
if (NULL != pNameInfo)
{
LocalFree(pNameInfo);
}
return(fMatch);
}
HRESULT
myGetKRACertificateFromPicker(
OPTIONAL IN HINSTANCE hInstance,
OPTIONAL IN HWND hwndParent,
OPTIONAL IN int idTitle,
OPTIONAL IN int idSubTitle,
OPTIONAL IN WCHAR const *pwszCommonName,
IN BOOL fUseDS,
IN BOOL fSilent,
OUT CERT_CONTEXT const **ppCert)
{
HRESULT hr;
CHAR const *pszObjId = szOID_KP_KEY_RECOVERY_AGENT;
hr = myGetCertificateFromPicker(
hInstance,
hwndParent,
idTitle,
idSubTitle,
CUCS_MYSTORE | CUCS_KRASTORE | CUCS_CASTORE |
CUCS_MACHINESTORE | CUCS_USERSTORE |
CUCS_USAGEREQUIRED | CUCS_USAGEKEYENCIPHER |
(fUseDS? CUCS_DSSTORE : 0) |
(fSilent? CUCS_SILENT : 0),
pwszCommonName,
0, // cStore
NULL, // rghStore
1, // cpszObjId
&pszObjId,
ppCert);
_JumpIfError(hr, error, "myGetCertificateFromPicker");
error:
return(hr);
}
HRESULT
myGetERACertificateFromPicker(
OPTIONAL IN HINSTANCE hInstance,
OPTIONAL IN HWND hwndParent,
OPTIONAL IN int idTitle,
OPTIONAL IN int idSubTitle,
OPTIONAL IN WCHAR const *pwszCommonName,
IN BOOL fSilent,
OUT CERT_CONTEXT const **ppCert)
{
HRESULT hr;
CHAR const * const apszObjId[2] = {
szOID_ENROLLMENT_AGENT,
szOID_KP_QUALIFIED_SUBORDINATION,
};
hr = myGetCertificateFromPicker(
hInstance,
hwndParent,
idTitle,
idSubTitle,
CUCS_MYSTORE |
CUCS_PRIVATEKEYREQUIRED |
//CUCS_USAGEREQUIRED |
(fSilent? CUCS_SILENT : 0),
pwszCommonName,
0, // cStore
NULL, // rghStore
ARRAYSIZE(apszObjId), // cpszObjId
apszObjId,
ppCert);
_JumpIfError(hr, error, "myGetCertificateFromPicker");
error:
return(hr);
}
HRESULT
mySelectCertificateFromStore(
IN OUT CRYPTUI_SELECTCERTIFICATE_STRUCT *pCertSelect,
IN HCERTSTORE hStore,
IN OUT CERT_CONTEXT const **ppCertRet)
{
HRESULT hr;
CERT_CONTEXT const *pCertRet = *ppCertRet;
CERT_CONTEXT const *pCert = NULL;
BOOL fInitialSelectedCert = FALSE;
for (;;)
{
pCert = CertEnumCertificatesInStore(hStore, pCert);
if (NULL == pCert)
{
hr = myHLastError();
_PrintError(hr, "CertEnumCertificatesInStore");
break;
}
if ((*pCertSelect->pFilterCallback)(
pCert,
&fInitialSelectedCert,
pCertSelect->pvCallbackData))
{
if (NULL != pCertRet)
{
hr = CRYPT_E_EXISTS;
_JumpError(hr, error, "more than one cert matches");
}
pCertRet = CertDuplicateCertificateContext(pCert);
if (NULL == pCertRet)
{
hr = CRYPT_E_NOT_FOUND;
_JumpError(hr, error, "CertDuplicateCertificateContext");
}
}
}
hr = S_OK;
error:
if (NULL != pCert)
{
CertFreeCertificateContext(pCert);
}
*ppCertRet = pCertRet;
return(hr);
}
CERT_CONTEXT const *
mySelectCertificate(
IN OUT CRYPTUI_SELECTCERTIFICATE_STRUCT *pCertSelect)
{
HRESULT hr;
CERT_CONTEXT const *pCert = NULL;
DWORD i;
if (NULL == pCertSelect->rghDisplayStores ||
0 == pCertSelect->cDisplayStores)
{
hr = CRYPT_E_NOT_FOUND;
_JumpError(hr, error, "no Cert Stores");
}
for (i = 0; i < pCertSelect->cDisplayStores; i++)
{
hr = mySelectCertificateFromStore(
pCertSelect,
pCertSelect->rghDisplayStores[i],
&pCert);
_JumpIfError(hr, error, "mySelectCertificateFromStore");
}
hr = S_OK;
error:
if (S_OK != hr)
{
if (NULL != pCert)
{
CertFreeCertificateContext(pCert);
pCert = NULL;
}
SetLastError(hr);
}
return(pCert);
}
HRESULT
myGetCertificateFromPicker(
OPTIONAL IN HINSTANCE hInstance,
OPTIONAL IN HWND hwndParent,
OPTIONAL IN int idTitle,
OPTIONAL IN int idSubTitle,
IN DWORD dwFlags, // CUCS_*
OPTIONAL IN WCHAR const *pwszCommonName,
OPTIONAL IN DWORD cStore,
OPTIONAL IN HCERTSTORE *rghStore,
IN DWORD cpszObjId,
OPTIONAL IN CHAR const * const *apszObjId,
OUT CERT_CONTEXT const **ppCert)
{
HRESULT hr;
HCERTSTORE *rghStoreOpened = NULL;
DWORD cStoreOpened;
CERTFILTERCALLBACKDATA callbackData;
CRYPTUI_SELECTCERTIFICATE_STRUCT CertSelect;
ZeroMemory(&callbackData, sizeof(callbackData));
ZeroMemory(&CertSelect, sizeof(CertSelect));
// custom titles
if (NULL != hInstance)
{
// try to load title from resource
hr = myLoadRCString(
hInstance,
idTitle,
const_cast<WCHAR **>(&CertSelect.szTitle));
if (S_OK != hr)
{
CSASSERT(NULL == CertSelect.szTitle);
_PrintError(hr, "myLoadRCString(Title)");
}
hr = myLoadRCString(
hInstance,
idSubTitle,
const_cast<WCHAR **>(&CertSelect.szDisplayString));
if (S_OK != hr)
{
CSASSERT(NULL == CertSelect.szDisplayString);
_PrintError(hr, "myLoadRCString(Title)");
}
}
if (NULL == rghStore)
{
cStore = 0;
}
cStoreOpened = 0;
if ((CUCS_SOURCEMASK | CUCS_TYPEMASK) & dwFlags)
{
CWaitCursor cwait;
hr = myOpenCertStores(dwFlags, &cStoreOpened, &rghStoreOpened);
_PrintIfError(hr, "myOpenCertStores");
}
CertSelect.cDisplayStores = cStore + cStoreOpened;
if (0 == CertSelect.cDisplayStores)
{
hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
_JumpError(hr, error, "no Cert Store");
}
CertSelect.rghDisplayStores = (HCERTSTORE *) LocalAlloc(
LMEM_FIXED,
CertSelect.cDisplayStores * sizeof(HCERTSTORE));
if (NULL == CertSelect.rghDisplayStores)
{
hr = E_OUTOFMEMORY;
_JumpError(hr, error, "LocalAlloc(CertSelect.rghDisplayStores)");
}
if (0 != cStore)
{
CopyMemory(
&CertSelect.rghDisplayStores[0],
rghStore,
cStore * sizeof(rghStore[0]));
}
if (0 != cStoreOpened)
{
CopyMemory(
&CertSelect.rghDisplayStores[cStore],
rghStoreOpened,
cStoreOpened * sizeof(rghStore[0]));
}
// temporary store where the callback will store links to found certs
// so it can check for duplicates
callbackData.hMemStore = CertOpenStore(
CERT_STORE_PROV_MEMORY,
X509_ASN_ENCODING,
NULL,
CERT_STORE_CREATE_NEW_FLAG,
NULL);
if (NULL == callbackData.hMemStore)
{
hr = myHLastError();
_JumpError(hr, error, "can't create memory store");
}
CertSelect.dwSize = sizeof(CertSelect);
CertSelect.hwndParent = hwndParent;
//CertSelect.dwFlags = 0; // single selection
//CertSelect.dwDontUseColumn = 0; // display all column
CertSelect.pFilterCallback = CertificateFilterProc; // assign callback
//CertSelect.pDisplayCallback = NULL; // use default cert view dlg
callbackData.dwFlags = dwFlags;
callbackData.cpszObjId = cpszObjId;
callbackData.apszObjId = apszObjId;
callbackData.pwszCommonName = pwszCommonName;
if (NULL != pwszCommonName)
{
hr = WszToMultiByteInteger(
TRUE,
pwszCommonName,
&callbackData.cbHash,
&callbackData.pbHash);
_PrintIfError2(hr, "WszToMultiByteInteger", hr);
hr = myMakeSerialBstr(pwszCommonName, &callbackData.strSerialNumber);
_PrintIfError2(hr, "myMakeSerialBstr", hr);
}
callbackData.hr = S_FALSE;
CertSelect.pvCallbackData = &callbackData; // pass filter info as data
//CertSelect.cStores = 0; // no additional stores for chain verify
//CertSelect.rghStores = NULL; // no additional stores for chain verify
//CertSelect.cPropSheetPages = 0; // no custom cert view pages
//CertSelect.rgPropSheetPages = NULL; // no custom cert view pages
//CertSelect.hSelectedCertStore = NULL; // single selection
if (CUCS_SILENT & dwFlags)
{
*ppCert = mySelectCertificate(&CertSelect);
if (NULL == *ppCert)
{
hr = myHLastError();
_JumpError(hr, error, "mySelectCertificate");
}
}
else
{
*ppCert = CryptUIDlgSelectCertificate(&CertSelect);
}
// check for error in selection dialog
hr = callbackData.hr;
if (S_FALSE == hr)
{
hr = S_OK;
//hr = CRYPT_E_NOT_FOUND;
}
_JumpIfError(hr, error, "CryptUIDlgSelectCertificate");
error:
if (NULL != rghStoreOpened)
{
myCloseCertStores(cStoreOpened, rghStoreOpened);
}
if (NULL != callbackData.hMemStore)
{
CertCloseStore(callbackData.hMemStore, 0);
}
if (NULL != callbackData.strSerialNumber)
{
SysFreeString(callbackData.strSerialNumber);
}
if (NULL != callbackData.pbHash)
{
LocalFree(callbackData.pbHash);
}
if (NULL != CertSelect.szTitle)
{
LocalFree(const_cast<WCHAR *>(CertSelect.szTitle));
}
if (NULL != CertSelect.szDisplayString)
{
LocalFree(const_cast<WCHAR *>(CertSelect.szDisplayString));
}
if (NULL != CertSelect.rghDisplayStores)
{
LocalFree(CertSelect.rghDisplayStores);
}
return(hr);
}