archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
 
 
 
 
 
 
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/cryptoapi/pki/certstor/certhlpr.cpp

5284 lines
166 KiB
Raw Blame History

//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1995 - 1999
//
// File: certhlpr.cpp
//
// Contents: Certificate and CRL Helper APIs
//
// Functions: CertHelperDllMain
// I_CryptGetDefaultCryptProv
// I_CryptGetDefaultCryptProvForEncrypt
// CertCompareIntegerBlob
// CertCompareCertificate
// CertCompareCertificateName
// CertIsRDNAttrsInCertificateName
// CertComparePublicKeyInfo
// CryptVerifyCertificateSignature
// CryptHashCertificate
// CryptHashToBeSigned
// CryptSignCertificate
// CryptSignAndEncodeCertificate
// CertVerifyTimeValidity
// CertVerifyCRLTimeValidity
// CertVerifyValidityNesting
// CertVerifyCRLRevocation
// CertAlgIdToOID
// CertOIDToAlgId
// CertFindExtension
// CertFindAttribute
// CertFindRDNAttr
// CertGetIntendedKeyUsage
// CertGetPublicKeyLength
// CryptHashPublicKeyInfo
//
// I_CertCompareCertAndProviderPublicKey
// CryptFindCertificateKeyProvInfo
//
// CryptCreatePublicKeyInfo
// CryptConvertPublicKeyInfo
// CryptExportPublicKeyInfo
// CryptExportPublicKeyInfoEx
// CryptImportPublicKeyInfo
// CryptImportPublicKeyInfoEx
// CryptCreateKeyIdentifierFromCSP
//
// CryptInstallDefaultContext
// CryptUninstallDefaultContext
//
// History: 23-Feb-96 philh created
//--------------------------------------------------------------------------
#include "global.hxx"
#include <dbgdef.h>
// All the *pvInfo extra stuff needs to be aligned
#define INFO_LEN_ALIGN(Len) ((Len + 7) & ~7)
#define NULL_ASN_TAG 0x05
//+=========================================================================
// CryptCreatePublicKeyInfo, EncodePublicKeyAndParameters
// and CryptConvertPublicKeyInfo functions
//-=========================================================================
// The following should be moved to wincrypt.x
// If CRYPT_ALLOC_FLAG is set, *pvPubKeyInfo is updated with a LocalAlloc'ed
// pointer to a CERT_PUBLIC_KEY_INFO data structure which must be freed by
// calling LocalFree. Otherwise, pvPubKeyInfo points to a user allocated
// CERT_PUBLIC_KEY_INFO data structure which is updated.
WINCRYPT32API
BOOL
WINAPI
CryptCreatePublicKeyInfo(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyInfo,
IN OUT DWORD *pcbPubKeyInfo
);
#define CRYPT_ALLOC_FLAG 0x8000
#define CRYPT_OID_ENCODE_PUBLIC_KEY_AND_PARAMETERS_FUNC \
"CryptDllEncodePublicKeyAndParameters"
// The returned encoded public keys and parameters are LocalAlloc'ed.
typedef BOOL (WINAPI *PFN_CRYPT_ENCODE_PUBLIC_KEY_AND_PARAMETERS)(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
);
// If CRYPT_ALLOC_FLAG is set, *pvPubKeyStruc is updated with a LocalAlloc'ed
// pointer to a PUBLICKEYSTRUC data structure which must be freed by calling
// LocalFree. Otherwise, pvPubKeyStruc points to a user allocated
// PUBLICKEYSTRUC data structure which is updated.
WINCRYPT32API
BOOL
WINAPI
CryptConvertPublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
);
#define CRYPT_OID_CONVERT_PUBLIC_KEY_INFO_FUNC "CryptDllConvertPublicKeyInfo"
typedef BOOL (WINAPI *PFN_CRYPT_CONVERT_PUBLIC_KEY_INFO)(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
);
// End of what should be moved to wincrypt.x
static HCRYPTOIDFUNCSET hEncodePubKeyFuncSet;
static HCRYPTOIDFUNCSET hConvertPubKeyFuncSet;
//+-------------------------------------------------------------------------
// Encode the RSA public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeRSAPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
);
//+-------------------------------------------------------------------------
// Convert as an RSA public key
//--------------------------------------------------------------------------
static BOOL WINAPI ConvertRSAPublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
);
//+-------------------------------------------------------------------------
// Encode the DSS public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeDSSPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
);
//+-------------------------------------------------------------------------
// Convert as an DSS public key
//--------------------------------------------------------------------------
static BOOL WINAPI ConvertDSSPublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
);
//+-------------------------------------------------------------------------
// Encode the RSA DH public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeRSADHPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
);
//+-------------------------------------------------------------------------
// Encode the X942 DH public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeX942DHPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
);
static const CRYPT_OID_FUNC_ENTRY EncodePubKeyFuncTable[] = {
szOID_RSA_RSA, EncodeRSAPublicKeyAndParameters,
szOID_OIWSEC_rsaXchg, EncodeRSAPublicKeyAndParameters,
szOID_OIWSEC_dsa, EncodeDSSPublicKeyAndParameters,
szOID_X957_DSA, EncodeDSSPublicKeyAndParameters,
szOID_ANSI_X942_DH, EncodeX942DHPublicKeyAndParameters,
szOID_RSA_DH, EncodeRSADHPublicKeyAndParameters,
};
#define ENCODE_PUB_KEY_FUNC_COUNT (sizeof(EncodePubKeyFuncTable) / \
sizeof(EncodePubKeyFuncTable[0]))
static const CRYPT_OID_FUNC_ENTRY ConvertPubKeyFuncTable[] = {
szOID_RSA_RSA, ConvertRSAPublicKeyInfo,
szOID_OIWSEC_rsaXchg, ConvertRSAPublicKeyInfo,
szOID_OIWSEC_dsa, ConvertDSSPublicKeyInfo,
szOID_X957_DSA, ConvertDSSPublicKeyInfo,
};
#define CONVERT_PUB_KEY_FUNC_COUNT (sizeof(ConvertPubKeyFuncTable) / \
sizeof(ConvertPubKeyFuncTable[0]))
//+=========================================================================
// CryptExportPublicKeyInfoEx and CryptImportPublicKeyInfoEx OID
// installable functions.
//-=========================================================================
typedef BOOL (WINAPI *PFN_EXPORT_PUB_KEY_FUNC) (
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN DWORD dwCertEncodingType,
IN LPSTR pszPublicKeyObjId,
IN DWORD dwFlags,
IN OPTIONAL void *pvAuxInfo,
OUT PCERT_PUBLIC_KEY_INFO pInfo,
IN OUT DWORD *pcbInfo
);
typedef BOOL (WINAPI *PFN_IMPORT_PUB_KEY_FUNC) (
IN HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pInfo,
IN ALG_ID aiKeyAlg,
IN DWORD dwFlags,
IN OPTIONAL void *pvAuxInfo,
OUT HCRYPTKEY *phKey
);
static HCRYPTOIDFUNCSET hExportPubKeyFuncSet;
static HCRYPTOIDFUNCSET hImportPubKeyFuncSet;
//+-------------------------------------------------------------------------
// Default CryptProvs. Once acquired, not released until ProcessDetach.
//--------------------------------------------------------------------------
#define DEFAULT_RSA_CRYPT_PROV 0
#define DEFAULT_DSS_CRYPT_PROV 1
#define DEFAULT_ENCRYPT_BASE_RSA_CRYPT_PROV 2
#define DEFAULT_ENCRYPT_ENH_RSA_CRYPT_PROV 3
#define DEFAULT_ENCRYPT_DH_CRYPT_PROV 4
#define DEFAULT_CRYPT_PROV_CNT 5
static HCRYPTPROV rghDefaultCryptProv[DEFAULT_CRYPT_PROV_CNT];
static CRITICAL_SECTION DefaultCryptProvCriticalSection;
typedef struct _ENCRYPT_ALG_INFO ENCRYPT_ALG_INFO, *PENCRYPT_ALG_INFO;
struct _ENCRYPT_ALG_INFO {
ALG_ID aiAlgid;
DWORD dwMinLen;
DWORD dwMaxLen;
PENCRYPT_ALG_INFO pNext;
};
static BOOL fLoadedRSAEncryptAlgInfo = FALSE;
static PENCRYPT_ALG_INFO pRSAEncryptAlgInfoHead = NULL;
//+=========================================================================
// DefaultContext Function Forward References and Data Structures
//-=========================================================================
//
// dwDefaultTypes:
// CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID (pvDefaultPara :== pszOID)
BOOL
WINAPI
I_CryptGetDefaultContext(
IN DWORD dwDefaultType,
IN const void *pvDefaultPara,
OUT HCRYPTPROV *phCryptProv,
OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
);
// hDefaultContext is only NON-null for Process default context
void
WINAPI
I_CryptFreeDefaultContext(
HCRYPTDEFAULTCONTEXT hDefaultContext
);
typedef struct _DEFAULT_CONTEXT DEFAULT_CONTEXT, *PDEFAULT_CONTEXT;
struct _DEFAULT_CONTEXT {
HCRYPTPROV hCryptProv;
DWORD dwDefaultType;
union {
// CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID (note, converted to MULTI_)
// CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID
PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pOIDDefaultPara;
};
DWORD dwFlags;
PDEFAULT_CONTEXT pNext;
PDEFAULT_CONTEXT pPrev;
// Following applicable to Process DefaultContext
LONG lRefCnt;
HANDLE hWait;
};
static BOOL fHasThreadDefaultContext;
static HCRYPTTLS hTlsDefaultContext;
static BOOL fHasProcessDefaultContext;
static CRITICAL_SECTION DefaultContextCriticalSection;
static PDEFAULT_CONTEXT pProcessDefaultContextHead;
//+-------------------------------------------------------------------------
// Default CryptProv: initialization and free
//--------------------------------------------------------------------------
static BOOL InitDefaultCryptProv()
{
return Pki_InitializeCriticalSection(&DefaultCryptProvCriticalSection);
}
static void FreeDefaultCryptProv()
{
PENCRYPT_ALG_INFO pAlgInfo;
DWORD cProv = DEFAULT_CRYPT_PROV_CNT;
while (cProv--) {
HCRYPTPROV hProv = rghDefaultCryptProv[cProv];
if (hProv)
CryptReleaseContext(hProv, 0);
}
pAlgInfo = pRSAEncryptAlgInfoHead;
while (pAlgInfo) {
PENCRYPT_ALG_INFO pDeleteAlgInfo = pAlgInfo;
pAlgInfo = pAlgInfo->pNext;
PkiFree(pDeleteAlgInfo);
}
DeleteCriticalSection(&DefaultCryptProvCriticalSection);
}
static
VOID
WINAPI
DetachDefaultContext(
IN LPVOID pv
)
{
PDEFAULT_CONTEXT pDefaultContext = (PDEFAULT_CONTEXT) pv;
while (pDefaultContext) {
PDEFAULT_CONTEXT pFree = pDefaultContext;
pDefaultContext = pDefaultContext->pNext;
if (pFree->dwFlags & CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG)
CryptReleaseContext(pFree->hCryptProv, 0);
PkiFree(pFree);
}
}
//+-------------------------------------------------------------------------
// Dll initialization
//--------------------------------------------------------------------------
BOOL
WINAPI
CertHelperDllMain(
HMODULE hInst,
ULONG ulReason,
LPVOID lpReserved)
{
BOOL fRet;
switch (ulReason) {
case DLL_PROCESS_ATTACH:
// Public key function setup
if (NULL == (hExportPubKeyFuncSet = CryptInitOIDFunctionSet(
CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC,
0)))
goto CryptInitOIDFunctionSetError;
if (NULL == (hImportPubKeyFuncSet = CryptInitOIDFunctionSet(
CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC,
0)))
goto CryptInitOIDFunctionSetError;
if (NULL == (hEncodePubKeyFuncSet = CryptInitOIDFunctionSet(
CRYPT_OID_ENCODE_PUBLIC_KEY_AND_PARAMETERS_FUNC,
0)))
goto CryptInitOIDFunctionSetError;
if (NULL == (hConvertPubKeyFuncSet = CryptInitOIDFunctionSet(
CRYPT_OID_CONVERT_PUBLIC_KEY_INFO_FUNC,
0)))
goto CryptInitOIDFunctionSetError;
if (!CryptInstallOIDFunctionAddress(
NULL, // hModule
X509_ASN_ENCODING,
CRYPT_OID_ENCODE_PUBLIC_KEY_AND_PARAMETERS_FUNC,
ENCODE_PUB_KEY_FUNC_COUNT,
EncodePubKeyFuncTable,
0)) // dwFlags
goto CryptInstallOIDFunctionAddressError;
if (!CryptInstallOIDFunctionAddress(
NULL, // hModule
X509_ASN_ENCODING,
CRYPT_OID_CONVERT_PUBLIC_KEY_INFO_FUNC,
CONVERT_PUB_KEY_FUNC_COUNT,
ConvertPubKeyFuncTable,
0)) // dwFlags
goto CryptInstallOIDFunctionAddressError;
if (!InitDefaultCryptProv())
goto InitDefaultCryptProvError;
if (!Pki_InitializeCriticalSection(&DefaultContextCriticalSection))
goto InitCritSectionError;
if (NULL == (hTlsDefaultContext = I_CryptAllocTls()))
goto CryptAllocTlsError;
break;
case DLL_PROCESS_DETACH:
FreeDefaultCryptProv();
while (pProcessDefaultContextHead) {
PDEFAULT_CONTEXT pFree = pProcessDefaultContextHead;
pProcessDefaultContextHead = pProcessDefaultContextHead->pNext;
if (pFree->dwFlags & CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG)
CryptReleaseContext(pFree->hCryptProv, 0);
PkiFree(pFree);
}
DeleteCriticalSection(&DefaultContextCriticalSection);
I_CryptFreeTls(hTlsDefaultContext, DetachDefaultContext);
break;
case DLL_THREAD_DETACH:
DetachDefaultContext(I_CryptDetachTls(hTlsDefaultContext));
break;
default:
break;
}
fRet = TRUE;
CommonReturn:
return fRet;
CryptAllocTlsError:
DeleteCriticalSection(&DefaultContextCriticalSection);
InitCritSectionError:
FreeDefaultCryptProv();
ErrorReturn:
fRet = FALSE;
goto CommonReturn;
TRACE_ERROR(InitDefaultCryptProvError)
TRACE_ERROR(CryptInitOIDFunctionSetError)
TRACE_ERROR(CryptInstallOIDFunctionAddressError)
}
//+-------------------------------------------------------------------------
// Acquire default CryptProv according to the public key algorithm supported
// by the provider type. The provider is acquired with only
// CRYPT_VERIFYCONTEXT.
//
// Setting aiPubKey to 0, gets the default provider for RSA_FULL.
//
// Note, the returned CryptProv must not be released. Once acquired, the
// CryptProv isn't released until ProcessDetach. This allows the returned
// CryptProvs to be shared.
//--------------------------------------------------------------------------
HCRYPTPROV
WINAPI
I_CryptGetDefaultCryptProv(
IN ALG_ID aiPubKey
)
{
HCRYPTPROV hProv;
DWORD dwProvType;
DWORD dwDefaultProvIndex;
switch (aiPubKey) {
case 0:
case CALG_RSA_SIGN:
case CALG_RSA_KEYX:
case CALG_NO_SIGN:
dwProvType = PROV_RSA_FULL;
dwDefaultProvIndex = DEFAULT_RSA_CRYPT_PROV;
break;
case CALG_DSS_SIGN:
dwProvType = PROV_DSS_DH;
dwDefaultProvIndex = DEFAULT_DSS_CRYPT_PROV;
break;
default:
SetLastError((DWORD) E_INVALIDARG);
return 0;
}
hProv = rghDefaultCryptProv[dwDefaultProvIndex];
if (0 == hProv) {
EnterCriticalSection(&DefaultCryptProvCriticalSection);
hProv = rghDefaultCryptProv[dwDefaultProvIndex];
if (0 == hProv) {
if (!CryptAcquireContext(
&hProv,
NULL, // pszContainer
NULL, // pszProvider,
dwProvType,
CRYPT_VERIFYCONTEXT // dwFlags
)) {
hProv = 0; // CAPI bug, sets hCryptProv to nonzero
if (DEFAULT_DSS_CRYPT_PROV == dwDefaultProvIndex) {
if (!CryptAcquireContext(
&hProv,
NULL, // pszContainer
NULL, // pszProvider,
PROV_DSS,
CRYPT_VERIFYCONTEXT // dwFlags
))
hProv = 0; // CAPI bug, sets hCryptProv to nonzero
}
}
rghDefaultCryptProv[dwDefaultProvIndex] = hProv;
}
LeaveCriticalSection(&DefaultCryptProvCriticalSection);
}
return hProv;
}
// Note, PP_ENUMALGS_EX returns the bit range. However, this parameter type
// may not be supported by all CSPs. If this fails, try PP_ENUMALGS which only
// returns a single, default bit length.
static void LoadRSAEncryptAlgInfo()
{
EnterCriticalSection(&DefaultCryptProvCriticalSection);
if (!fLoadedRSAEncryptAlgInfo) {
HCRYPTPROV hProv;
if (hProv = I_CryptGetDefaultCryptProv(CALG_RSA_KEYX)) {
DWORD dwFlags = CRYPT_FIRST;
BOOL fEx = TRUE;
while (TRUE) {
ENCRYPT_ALG_INFO AlgInfo;
PENCRYPT_ALG_INFO pAllocAlgInfo;
if (fEx) {
PROV_ENUMALGS_EX Data;
DWORD cbData = sizeof(Data);
if (!CryptGetProvParam(
hProv,
PP_ENUMALGS_EX,
(BYTE *) &Data,
&cbData,
dwFlags
)) {
if (0 != dwFlags) {
// Try PP_ENUMALGS
fEx = FALSE;
continue;
} else
break;
}
AlgInfo.aiAlgid = Data.aiAlgid;
AlgInfo.dwMinLen = Data.dwMinLen;
AlgInfo.dwMaxLen = Data.dwMaxLen;
} else {
PROV_ENUMALGS Data;
DWORD cbData = sizeof(Data);
if (!CryptGetProvParam(
hProv,
PP_ENUMALGS,
(BYTE *) &Data,
&cbData,
dwFlags
))
break;
// Only know about a single length
AlgInfo.aiAlgid = Data.aiAlgid;
AlgInfo.dwMinLen = Data.dwBitLen;
AlgInfo.dwMaxLen = Data.dwBitLen;
}
dwFlags = 0; // CRYPT_NEXT
// Only interested in encrypt algorithms
if (ALG_CLASS_DATA_ENCRYPT != GET_ALG_CLASS(AlgInfo.aiAlgid))
continue;
if (NULL == (pAllocAlgInfo = (PENCRYPT_ALG_INFO)
PkiNonzeroAlloc(sizeof(ENCRYPT_ALG_INFO))))
break;
AlgInfo.pNext = pRSAEncryptAlgInfoHead;
memcpy(pAllocAlgInfo, &AlgInfo, sizeof(*pAllocAlgInfo));
pRSAEncryptAlgInfoHead = pAllocAlgInfo;
}
}
fLoadedRSAEncryptAlgInfo = TRUE;
}
LeaveCriticalSection(&DefaultCryptProvCriticalSection);
}
static BOOL IsDefaultRSACryptProvForEncrypt(
IN ALG_ID aiEncrypt,
IN DWORD dwBitLen
)
{
PENCRYPT_ALG_INFO pInfo;
if (!fLoadedRSAEncryptAlgInfo)
LoadRSAEncryptAlgInfo();
if (0 == dwBitLen && (CALG_RC2 == aiEncrypt || CALG_RC4 == aiEncrypt))
dwBitLen = 40;
for (pInfo = pRSAEncryptAlgInfoHead; pInfo; pInfo = pInfo->pNext) {
if (aiEncrypt == pInfo->aiAlgid) {
if (0 == dwBitLen || (pInfo->dwMinLen <= dwBitLen &&
dwBitLen <= pInfo->dwMaxLen))
return TRUE;
}
}
return FALSE;
}
//+-------------------------------------------------------------------------
// Acquire default CryptProv according to the public key algorithm, encrypt
// key algorithm and encrypt key length supported by the provider type.
//
// dwBitLen = 0, assumes the aiEncrypt's default bit length. For example,
// CALG_RC2 has a default bit length of 40.
//
// Note, the returned CryptProv must not be released. Once acquired, the
// CryptProv isn't released until ProcessDetach. This allows the returned
// CryptProvs to be shared.
//--------------------------------------------------------------------------
HCRYPTPROV
WINAPI
I_CryptGetDefaultCryptProvForEncrypt(
IN ALG_ID aiPubKey,
IN ALG_ID aiEncrypt,
IN DWORD dwBitLen
)
{
HCRYPTPROV hProv;
DWORD dwProvType;
DWORD dwDefaultProvIndex;
LPCSTR pszProvider;
if (CALG_DH_SF == aiPubKey || CALG_DH_EPHEM == aiPubKey) {
dwProvType = PROV_DSS_DH;
dwDefaultProvIndex = DEFAULT_ENCRYPT_DH_CRYPT_PROV;
pszProvider = NULL;
} else {
dwProvType = PROV_RSA_FULL;
if (IsDefaultRSACryptProvForEncrypt(
aiEncrypt,
dwBitLen
))
// Set to fall through to the default case
aiEncrypt = 0;
switch (aiEncrypt) {
case CALG_DES:
case CALG_3DES:
case CALG_3DES_112:
dwDefaultProvIndex = DEFAULT_ENCRYPT_ENH_RSA_CRYPT_PROV;
pszProvider = MS_ENHANCED_PROV_A;
break;
case CALG_RC2:
case CALG_RC4:
if (40 >= dwBitLen) {
dwDefaultProvIndex = DEFAULT_ENCRYPT_BASE_RSA_CRYPT_PROV;
pszProvider = MS_DEF_PROV_A;
} else {
dwDefaultProvIndex = DEFAULT_ENCRYPT_ENH_RSA_CRYPT_PROV;
pszProvider = MS_ENHANCED_PROV_A;
}
break;
case 0:
default:
dwDefaultProvIndex = DEFAULT_RSA_CRYPT_PROV;
pszProvider = NULL;
break;
}
}
hProv = rghDefaultCryptProv[dwDefaultProvIndex];
if (0 == hProv) {
EnterCriticalSection(&DefaultCryptProvCriticalSection);
hProv = rghDefaultCryptProv[dwDefaultProvIndex];
if (0 == hProv) {
if (!CryptAcquireContext(
&hProv,
NULL, // pszContainer
pszProvider,
dwProvType,
CRYPT_VERIFYCONTEXT // dwFlags
))
hProv = 0; // CAPI bug, sets hCryptProv to nonzero
else
rghDefaultCryptProv[dwDefaultProvIndex] = hProv;
}
LeaveCriticalSection(&DefaultCryptProvCriticalSection);
}
return hProv;
}
//+-------------------------------------------------------------------------
// Cert helper allocation and free functions
//--------------------------------------------------------------------------
static void *AllocAndDecodeObject(
IN DWORD dwCertEncodingType,
IN LPCSTR lpszStructType,
IN const BYTE *pbEncoded,
IN DWORD cbEncoded,
OUT OPTIONAL DWORD *pcbStructInfo = NULL
)
{
DWORD cbStructInfo;
void *pvStructInfo;
if (!CryptDecodeObjectEx(
dwCertEncodingType,
lpszStructType,
pbEncoded,
cbEncoded,
CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG,
&PkiDecodePara,
(void *) &pvStructInfo,
&cbStructInfo
))
goto ErrorReturn;
CommonReturn:
if (pcbStructInfo)
*pcbStructInfo = cbStructInfo;
return pvStructInfo;
ErrorReturn:
pvStructInfo = NULL;
goto CommonReturn;
}
static BOOL AllocAndEncodeObject(
IN DWORD dwCertEncodingType,
IN LPCSTR lpszStructType,
IN const void *pvStructInfo,
OUT BYTE **ppbEncoded,
OUT DWORD *pcbEncoded
)
{
return CryptEncodeObjectEx(
dwCertEncodingType,
lpszStructType,
pvStructInfo,
CRYPT_ENCODE_ALLOC_FLAG,
&PkiEncodePara,
(void *) ppbEncoded,
pcbEncoded
);
}
#if 0
//+-------------------------------------------------------------------------
// For an authority key identifier extension, compare the extension's optional
// fields with the specified issuer certificate.
//
// Returns TRUE for no authority key identifier extension or an issuer
// certificate match.
//--------------------------------------------------------------------------
static BOOL CompareAuthorityKeyIdentifier(
IN DWORD dwCertEncodingType,
IN DWORD cExtensions,
IN CERT_EXTENSION rgExtensions[],
IN PCERT_INFO pIssuerInfo
)
{
BOOL fResult;
PCERT_EXTENSION pExt;
PCERT_AUTHORITY_KEY_ID_INFO pKeyIdInfo = NULL;
pExt = CertFindExtension(
szOID_AUTHORITY_KEY_IDENTIFIER,
cExtensions,
rgExtensions
);
if (pExt == NULL)
return TRUE;
if (NULL == (pKeyIdInfo =
(PCERT_AUTHORITY_KEY_ID_INFO) AllocAndDecodeObject(
dwCertEncodingType,
X509_AUTHORITY_KEY_ID,
pExt->Value.pbData,
pExt->Value.cbData
))) goto DecodeError;
if (pKeyIdInfo->CertIssuer.cbData) {
// Issuer certificate's issuer name must match
if (!CertCompareCertificateName(
dwCertEncodingType,
&pKeyIdInfo->CertIssuer,
&pIssuerInfo->Issuer
)) goto ErrorReturn;
}
if (pKeyIdInfo->CertSerialNumber.cbData) {
// Issuer certificate's serial number must match
if (!CertCompareIntegerBlob(
&pKeyIdInfo->CertSerialNumber,
&pIssuerInfo->SerialNumber))
goto ErrorReturn;
}
fResult = TRUE;
goto CommonReturn;
DecodeError:
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
CommonReturn:
PkiFree(pKeyIdInfo);
return fResult;
}
#endif
//+-------------------------------------------------------------------------
// Compare two multiple byte integer blobs to see if they are identical.
//
// Before doing the comparison, leading zero bytes are removed from a
// positive number and leading 0xFF bytes are removed from a negative
// number.
//
// The multiple byte integers are treated as Little Endian. pbData[0] is the
// least significant byte and pbData[cbData - 1] is the most significant
// byte.
//
// Returns TRUE if the integer blobs are identical after removing leading
// 0 or 0xFF bytes.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertCompareIntegerBlob(
IN PCRYPT_INTEGER_BLOB pInt1,
IN PCRYPT_INTEGER_BLOB pInt2
)
{
BYTE *pb1 = pInt1->pbData;
DWORD cb1 = pInt1->cbData;
BYTE *pb2 = pInt2->pbData;
DWORD cb2 = pInt2->cbData;
// Assumption: normally don't have leading 0 or 0xFF bytes.
while (cb1 > 1) {
BYTE bEnd = pb1[cb1 - 1];
BYTE bPrev = pb1[cb1 - 2];
if ((0 == bEnd && 0 == (bPrev & 0x80)) ||
(0xFF == bEnd && 0 != (bPrev & 0x80)))
cb1--;
else
break;
}
while (cb2 > 1) {
BYTE bEnd = pb2[cb2 - 1];
BYTE bPrev = pb2[cb2 - 2];
if ((0 == bEnd && 0 == (bPrev & 0x80)) ||
(0xFF == bEnd && 0 != (bPrev & 0x80)))
cb2--;
else
break;
}
if (cb1 == cb2 && (0 == cb1 || 0 == memcmp(pb1, pb2, cb1)))
return TRUE;
else
return FALSE;
}
//+-------------------------------------------------------------------------
// Compare two certificates to see if they are identical.
//
// Since a certificate is uniquely identified by its Issuer and SerialNumber,
// these are the only fields needing to be compared.
//
// Returns TRUE if the certificates are identical.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertCompareCertificate(
IN DWORD dwCertEncodingType,
IN PCERT_INFO pCertId1,
IN PCERT_INFO pCertId2
)
{
if (CertCompareIntegerBlob(&pCertId1->SerialNumber,
&pCertId2->SerialNumber) &&
pCertId1->Issuer.cbData == pCertId2->Issuer.cbData &&
memcmp(pCertId1->Issuer.pbData, pCertId2->Issuer.pbData,
pCertId1->Issuer.cbData) == 0)
return TRUE;
else
return FALSE;
}
//+-------------------------------------------------------------------------
// Compare two certificate names to see if they are identical.
//
// Returns TRUE if the names are identical.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertCompareCertificateName(
IN DWORD dwCertEncodingType,
IN PCERT_NAME_BLOB pCertName1,
IN PCERT_NAME_BLOB pCertName2
)
{
if (pCertName1->cbData == pCertName2->cbData &&
memcmp(pCertName1->pbData, pCertName2->pbData,
pCertName1->cbData) == 0)
return TRUE;
else
return FALSE;
}
//+-------------------------------------------------------------------------
// Compare the attributes in the certificate name with the specified
// Relative Distinguished Name's (CERT_RDN) array of attributes.
// The comparison iterates through the CERT_RDN attributes and looks for an
// attribute match in any of the certificate's RDNs. Returns TRUE if all the
// attributes are found and match.
//
// The CERT_RDN_ATTR fields can have the following special values:
// pszObjId == NULL - ignore the attribute object identifier
// dwValueType == CERT_RDN_ANY_TYPE - ignore the value type
// Value.pbData == NULL - match any value
//
// CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set to do
// a case insensitive match. Otherwise, defaults to an exact, case sensitive
// match.
//
// CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
// with unicode strings as for CryptEncodeObject(X509_UNICODE_NAME).
//--------------------------------------------------------------------------
BOOL
WINAPI
CertIsRDNAttrsInCertificateName(
IN DWORD dwCertEncodingType,
IN DWORD dwFlags,
IN PCERT_NAME_BLOB pCertName,
IN PCERT_RDN pRDN
)
{
BOOL fResult;
PCERT_NAME_INFO pNameInfo = NULL;
DWORD cCmpAttr;
PCERT_RDN_ATTR pCmpAttr;
BOOL fMatch;
if (NULL == (pNameInfo =
(PCERT_NAME_INFO) AllocAndDecodeObject(
dwCertEncodingType,
CERT_UNICODE_IS_RDN_ATTRS_FLAG & dwFlags ? X509_UNICODE_NAME :
X509_NAME,
pCertName->pbData,
pCertName->cbData
))) goto ErrorReturn;
cCmpAttr = pRDN->cRDNAttr;
pCmpAttr = pRDN->rgRDNAttr;
fMatch = TRUE;
// Iterate through list of attributes to be compared against
for ( ; cCmpAttr > 0; cCmpAttr--, pCmpAttr++) {
fMatch = FALSE;
DWORD cNameRDN = pNameInfo->cRDN;
PCERT_RDN pNameRDN = pNameInfo->rgRDN;
// Iterate through name's list of RDNs
for ( ; cNameRDN > 0; cNameRDN--, pNameRDN++) {
DWORD cNameAttr = pNameRDN->cRDNAttr;
PCERT_RDN_ATTR pNameAttr = pNameRDN->rgRDNAttr;
// Iterate through name's CERT_RDN's list of attributes
for ( ; cNameAttr > 0; cNameAttr--, pNameAttr++) {
if (pCmpAttr->pszObjId &&
(pNameAttr->pszObjId == NULL ||
strcmp(pCmpAttr->pszObjId, pNameAttr->pszObjId) != 0))
continue;
if (pCmpAttr->dwValueType != CERT_RDN_ANY_TYPE &&
pCmpAttr->dwValueType != pNameAttr->dwValueType)
continue;
if (pCmpAttr->Value.pbData == NULL) {
fMatch = TRUE;
break;
}
if (CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG & dwFlags) {
DWORD cch;
if (CERT_UNICODE_IS_RDN_ATTRS_FLAG & dwFlags) {
if (0 == pCmpAttr->Value.cbData)
cch = wcslen((LPWSTR) pCmpAttr->Value.pbData);
else
cch = pCmpAttr->Value.cbData / sizeof(WCHAR);
if (cch == (pNameAttr->Value.cbData / sizeof(WCHAR))
&&
CSTR_EQUAL == CompareStringU(
LOCALE_USER_DEFAULT,
NORM_IGNORECASE,
(LPWSTR) pCmpAttr->Value.pbData,
cch,
(LPWSTR) pNameAttr->Value.pbData,
cch)) {
fMatch = TRUE;
break;
}
} else {
cch = pCmpAttr->Value.cbData;
if (cch == (pNameAttr->Value.cbData)
&&
CSTR_EQUAL == CompareStringA(
LOCALE_USER_DEFAULT,
NORM_IGNORECASE,
(LPSTR) pCmpAttr->Value.pbData,
cch,
(LPSTR) pNameAttr->Value.pbData,
cch)) {
fMatch = TRUE;
break;
}
}
} else {
DWORD cbCmpData = pCmpAttr->Value.cbData;
if ((CERT_UNICODE_IS_RDN_ATTRS_FLAG & dwFlags) &&
0 == cbCmpData)
cbCmpData = wcslen((LPWSTR) pCmpAttr->Value.pbData) *
sizeof(WCHAR);
if (cbCmpData == pNameAttr->Value.cbData &&
(cbCmpData == 0 ||
memcmp(pCmpAttr->Value.pbData,
pNameAttr->Value.pbData,
cbCmpData) == 0)) {
fMatch = TRUE;
break;
}
}
}
if (fMatch) break;
}
if (!fMatch) break;
}
if (!fMatch) {
SetLastError((DWORD) CRYPT_E_NO_MATCH);
goto ErrorReturn;
}
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
CommonReturn:
PkiFree(pNameInfo);
return fResult;
}
#if 0
#ifndef RSA1
#define RSA1 ((DWORD)'R'+((DWORD)'S'<<8)+((DWORD)'A'<<16)+((DWORD)'1'<<24))
#endif
//+-------------------------------------------------------------------------
// Compare two public keys to see if they are identical.
//
// Returns TRUE if the keys are identical.
//
// Note: ignores CAPI's reserved and aiKeyAlg fields in the comparison.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertComparePublicKeyBitBlob(
IN DWORD dwCertEncodingType,
IN PCRYPT_BIT_BLOB pPublicKey1,
IN PCRYPT_BIT_BLOB pPublicKey2
)
{
BYTE *pb1, *pb2;
PUBLICKEYSTRUC *pPubKeyStruc1, *pPubKeyStruc2;
RSAPUBKEY *pRsaPubKey1, *pRsaPubKey2;
BYTE *pbModulus1, *pbModulus2;
DWORD cbModulus1, cbModulus2;
// The CAPI public key representation consists of the following sequence:
// - PUBLICKEYSTRUC
// - RSAPUBKEY
// - rgbModulus[]
pb1 = pPublicKey1->pbData;
pPubKeyStruc1 = (PUBLICKEYSTRUC *) pb1;
pRsaPubKey1 = (RSAPUBKEY *) (pb1 + sizeof(PUBLICKEYSTRUC));
pbModulus1 = pb1 + sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
cbModulus1 = pRsaPubKey1->bitlen / 8;
assert(cbModulus1 > 0);
assert(sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY) + cbModulus1 <=
pPublicKey1->cbData);
assert(pPubKeyStruc1->bType == PUBLICKEYBLOB);
assert(pPubKeyStruc1->bVersion == CUR_BLOB_VERSION);
assert(pPubKeyStruc1->aiKeyAlg == CALG_RSA_SIGN ||
pPubKeyStruc1->aiKeyAlg == CALG_RSA_KEYX);
assert(pRsaPubKey1->magic == RSA1);
assert(pRsaPubKey1->bitlen % 8 == 0);
pb2 = pPublicKey2->pbData;
pPubKeyStruc2 = (PUBLICKEYSTRUC *) pb2;
pRsaPubKey2 = (RSAPUBKEY *) (pb2 + sizeof(PUBLICKEYSTRUC));
pbModulus2 = pb2 + sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY);
cbModulus2 = pRsaPubKey2->bitlen / 8;
assert(cbModulus2 > 0);
assert(sizeof(PUBLICKEYSTRUC) + sizeof(RSAPUBKEY) + cbModulus2 <=
pPublicKey2->cbData);
assert(pPubKeyStruc2->bType == PUBLICKEYBLOB);
assert(pPubKeyStruc2->bVersion == CUR_BLOB_VERSION);
assert(pPubKeyStruc2->aiKeyAlg == CALG_RSA_SIGN ||
pPubKeyStruc2->aiKeyAlg == CALG_RSA_KEYX);
assert(pRsaPubKey2->magic == RSA1);
assert(pRsaPubKey2->bitlen % 8 == 0);
if (pRsaPubKey1->pubexp == pRsaPubKey2->pubexp &&
cbModulus1 == cbModulus2 &&
memcmp(pbModulus1, pbModulus2, cbModulus1) == 0)
return TRUE;
else
return FALSE;
}
#endif
//+-------------------------------------------------------------------------
// Compare two public keys to see if they are identical.
//
// Returns TRUE if the keys are identical.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertComparePublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPublicKey1,
IN PCERT_PUBLIC_KEY_INFO pPublicKey2
)
{
DWORD cbData;
DWORD cb1;
BYTE * pb1;
DWORD cb2;
BYTE * pb2;
BOOL fResult = FALSE;
PUBLICKEYSTRUC * pBlob1 = NULL;
PUBLICKEYSTRUC * pBlob2 = NULL;
if (!((cbData = pPublicKey1->PublicKey.cbData) ==
pPublicKey2->PublicKey.cbData
&&
(cbData == 0 || memcmp(pPublicKey1->PublicKey.pbData,
pPublicKey2->PublicKey.pbData, cbData) == 0)))
{
// DSIE: Bug 402662.
// Encoded compare failed, try decoded compare.
if (NULL == (pBlob1 = (PUBLICKEYSTRUC *) AllocAndDecodeObject(
dwCertEncodingType,
RSA_CSP_PUBLICKEYBLOB,
pPublicKey1->PublicKey.pbData,
pPublicKey1->PublicKey.cbData,
&cb1)))
{
goto CLEANUP;
}
if (NULL == (pBlob2 = (PUBLICKEYSTRUC *) AllocAndDecodeObject(
dwCertEncodingType,
RSA_CSP_PUBLICKEYBLOB,
pPublicKey2->PublicKey.pbData,
pPublicKey2->PublicKey.cbData,
&cb2)))
{
goto CLEANUP;
}
if (!((cb1 == cb2) &&
(cb1 == 0 || memcmp(pBlob1, pBlob2, cb1) == 0)))
{
goto CLEANUP;
}
}
// Compare algorithm parameters
cb1 = pPublicKey1->Algorithm.Parameters.cbData;
pb1 = pPublicKey1->Algorithm.Parameters.pbData;
cb2 = pPublicKey2->Algorithm.Parameters.cbData;
pb2 = pPublicKey2->Algorithm.Parameters.pbData;
if (X509_ASN_ENCODING == GET_CERT_ENCODING_TYPE(dwCertEncodingType))
{
// Check if either has NO or NULL parameters
if (0 == cb1 || *pb1 == NULL_ASN_TAG ||
0 == cb2 || *pb2 == NULL_ASN_TAG)
{
fResult = TRUE;
goto CLEANUP;
}
}
if (cb1 == cb2)
{
if (0 == cb1 || 0 == memcmp(pb1, pb2, cb1))
{
fResult = TRUE;
}
}
CLEANUP:
if (pBlob1)
PkiFree(pBlob1);
if (pBlob2)
PkiFree(pBlob2);
return fResult;
}
static BOOL GetSignOIDInfo(
IN LPCSTR pszObjId,
OUT ALG_ID *paiHash,
OUT ALG_ID *paiPubKey,
OUT DWORD *pdwFlags,
OUT DWORD *pdwProvType = NULL
)
{
BOOL fResult;
PCCRYPT_OID_INFO pInfo;
*paiPubKey = 0;
*pdwFlags = 0;
if (pdwProvType)
*pdwProvType = 0;
if (pInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
(void *) pszObjId,
CRYPT_SIGN_ALG_OID_GROUP_ID
)) {
DWORD cExtra = pInfo->ExtraInfo.cbData / sizeof(DWORD);
DWORD *pdwExtra = (DWORD *) pInfo->ExtraInfo.pbData;
*paiHash = pInfo->Algid;
if (1 <= cExtra) {
*paiPubKey = pdwExtra[0];
if (2 <= cExtra) {
*pdwFlags = pdwExtra[1];
if (3 <= cExtra && pdwProvType) {
*pdwProvType = pdwExtra[2];
}
}
}
fResult = TRUE;
} else if (pInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
(void *) pszObjId,
CRYPT_HASH_ALG_OID_GROUP_ID
)) {
*paiHash = pInfo->Algid;
*paiPubKey = CALG_NO_SIGN;
fResult = TRUE;
} else {
*paiHash = 0;
fResult = FALSE;
SetLastError((DWORD) NTE_BAD_ALGID);
}
return fResult;
}
#ifndef CMS_PKCS7
//+-------------------------------------------------------------------------
// Verify the signature of a subject certificate or a CRL using the
// specified public key.
//
// Returns TRUE for a valid signature.
//
// hCryptProv specifies the crypto provider to use to verify the signature.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptVerifyCertificateSignature(
IN HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN const BYTE * pbEncoded,
IN DWORD cbEncoded,
IN PCERT_PUBLIC_KEY_INFO pPublicKey
)
{
BOOL fResult;
PCERT_SIGNED_CONTENT_INFO pSignedInfo = NULL;
HCRYPTDEFAULTCONTEXT hDefaultContext = NULL;
HCRYPTKEY hSignKey = 0;
HCRYPTHASH hHash = 0;
BYTE *pbSignature; // not allocated
DWORD cbSignature;
BYTE rgbDssSignature[CERT_DSS_SIGNATURE_LEN];
ALG_ID aiHash;
ALG_ID aiPubKey;
DWORD dwSignFlags;
DWORD dwErr;
if (NULL == (pSignedInfo =
(PCERT_SIGNED_CONTENT_INFO) AllocAndDecodeObject(
dwCertEncodingType,
X509_CERT,
pbEncoded,
cbEncoded
))) goto ErrorReturn;
if (!GetSignOIDInfo(pSignedInfo->SignatureAlgorithm.pszObjId,
&aiHash, &aiPubKey, &dwSignFlags))
goto ErrorReturn;
if (0 == hCryptProv) {
if (!I_CryptGetDefaultContext(
CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID,
(const void *) pSignedInfo->SignatureAlgorithm.pszObjId,
&hCryptProv,
&hDefaultContext
)) {
if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(aiPubKey)))
goto ErrorReturn;
}
}
#if 0
// Slow down the signature verify while holding the default context
// reference count
if (hDefaultContext)
Sleep(5000);
#endif
if (!CryptImportPublicKeyInfo(
hCryptProv,
dwCertEncodingType,
pPublicKey,
&hSignKey
)) goto ErrorReturn;
if (!CryptCreateHash(
hCryptProv,
aiHash,
NULL, // hKey - optional for MAC
0, // dwFlags
&hHash
)) goto ErrorReturn;
if (!CryptHashData(
hHash,
pSignedInfo->ToBeSigned.pbData,
pSignedInfo->ToBeSigned.cbData,
0 // dwFlags
)) goto ErrorReturn;
pbSignature = pSignedInfo->Signature.pbData;
cbSignature = pSignedInfo->Signature.cbData;
if (CALG_DSS_SIGN == aiPubKey &&
0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
DWORD cbData;
// Undo the reversal done by CryptDecodeObject(X509_CERT)
PkiAsn1ReverseBytes(pbSignature, cbSignature);
// Convert from ASN.1 sequence of two integers to the CSP signature
// format.
cbData = sizeof(rgbDssSignature);
if (!CryptDecodeObject(
dwCertEncodingType,
X509_DSS_SIGNATURE,
pbSignature,
cbSignature,
0, // dwFlags
rgbDssSignature,
&cbData
))
goto ErrorReturn;
pbSignature = rgbDssSignature;
assert(cbData == sizeof(rgbDssSignature));
cbSignature = sizeof(rgbDssSignature);
}
if (!CryptVerifySignature(
hHash,
pbSignature,
cbSignature,
hSignKey,
NULL, // sDescription
0 // dwFlags
)) goto ErrorReturn;
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
CommonReturn:
dwErr = GetLastError();
if (hSignKey)
CryptDestroyKey(hSignKey);
if (hHash)
CryptDestroyHash(hHash);
I_CryptFreeDefaultContext(hDefaultContext);
PkiFree(pSignedInfo);
SetLastError(dwErr);
return fResult;
}
#endif // CMS_PKCS7
BOOL
WINAPI
DefaultHashCertificate(
IN ALG_ID Algid,
IN const BYTE *pbEncoded,
IN DWORD cbEncoded,
OUT BYTE *pbHash,
IN OUT DWORD *pcbHash
)
{
DWORD cbInHash;
DWORD cbOutHash;
if (NULL == pbHash)
cbInHash = 0;
else
cbInHash = *pcbHash;
switch (Algid) {
case CALG_MD5:
cbOutHash = MD5DIGESTLEN;
if (MD5DIGESTLEN <= cbInHash) {
MD5_CTX md5ctx;
MD5Init(&md5ctx);
if (cbEncoded)
MD5Update(&md5ctx, pbEncoded, cbEncoded);
MD5Final(&md5ctx);
memcpy(pbHash, md5ctx.digest, MD5DIGESTLEN);
}
break;
case CALG_SHA1:
default:
assert(CALG_SHA1 == Algid);
assert(CALG_SHA == Algid);
cbOutHash = A_SHA_DIGEST_LEN;
if (A_SHA_DIGEST_LEN <= cbInHash) {
A_SHA_CTX shactx;
A_SHAInit(&shactx);
if (cbEncoded)
A_SHAUpdate(&shactx, (BYTE *) pbEncoded, cbEncoded);
A_SHAFinal(&shactx, pbHash);
}
break;
}
*pcbHash = cbOutHash;
if (cbInHash < cbOutHash && pbHash) {
SetLastError((DWORD) ERROR_MORE_DATA);
return FALSE;
} else
return TRUE;
}
//+-------------------------------------------------------------------------
// Hash the encoded content.
//
// hCryptProv specifies the crypto provider to use to compute the hash.
// It doesn't need to use a private key.
//
// Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
// default hash algorithm (currently SHA1) is used.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptHashCertificate(
IN HCRYPTPROV hCryptProv,
IN ALG_ID Algid,
IN DWORD dwFlags,
IN const BYTE *pbEncoded,
IN DWORD cbEncoded,
OUT BYTE *pbComputedHash,
IN OUT DWORD *pcbComputedHash
)
{
BOOL fResult;
HCRYPTHASH hHash = 0;
DWORD dwErr;
if (Algid == 0) {
Algid = CALG_SHA;
dwFlags = 0;
}
if (0 == hCryptProv) {
if (CALG_SHA1 == Algid || CALG_MD5 == Algid)
return DefaultHashCertificate(
Algid,
pbEncoded,
cbEncoded,
pbComputedHash,
pcbComputedHash
);
if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(0)))
goto ErrorReturn;
}
if (!CryptCreateHash(
hCryptProv,
Algid,
NULL, // hKey - optional for MAC
dwFlags,
&hHash
))
goto ErrorReturn;
if (!CryptHashData(
hHash,
pbEncoded,
cbEncoded,
0 // dwFlags
))
goto ErrorReturn;
fResult = CryptGetHashParam(
hHash,
HP_HASHVAL,
pbComputedHash,
pcbComputedHash,
0 // dwFlags
);
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
*pcbComputedHash = 0;
CommonReturn:
dwErr = GetLastError();
if (hHash)
CryptDestroyHash(hHash);
SetLastError(dwErr);
return fResult;
}
//+-------------------------------------------------------------------------
// Compute the hash of the "to be signed" information in the encoded
// signed content.
//
// hCryptProv specifies the crypto provider to use to compute the hash.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptHashToBeSigned(
IN HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN const BYTE *pbEncoded,
IN DWORD cbEncoded,
OUT BYTE *pbComputedHash,
IN OUT DWORD *pcbComputedHash
)
{
BOOL fResult;
PCERT_SIGNED_CONTENT_INFO pSignedInfo = NULL;
HCRYPTHASH hHash = 0;
DWORD dwErr;
ALG_ID aiHash;
ALG_ID aiPubKey;
DWORD dwSignFlags;
if (NULL == (pSignedInfo =
(PCERT_SIGNED_CONTENT_INFO) AllocAndDecodeObject(
dwCertEncodingType,
X509_CERT,
pbEncoded,
cbEncoded
))) goto ErrorReturn;
if (!GetSignOIDInfo(pSignedInfo->SignatureAlgorithm.pszObjId,
&aiHash, &aiPubKey, &dwSignFlags))
goto ErrorReturn;
if (0 == hCryptProv) {
if (CALG_SHA1 == aiHash || CALG_MD5 == aiHash) {
fResult = DefaultHashCertificate(
aiHash,
pSignedInfo->ToBeSigned.pbData,
pSignedInfo->ToBeSigned.cbData,
pbComputedHash,
pcbComputedHash
);
goto CommonReturn;
}
if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(0)))
goto ErrorReturn;
}
if (!CryptCreateHash(
hCryptProv,
aiHash,
NULL, // hKey - optional for MAC
0, // dwFlags
&hHash
))
goto ErrorReturn;
if (!CryptHashData(
hHash,
pSignedInfo->ToBeSigned.pbData,
pSignedInfo->ToBeSigned.cbData,
0 // dwFlags
))
goto ErrorReturn;
fResult = CryptGetHashParam(
hHash,
HP_HASHVAL,
pbComputedHash,
pcbComputedHash,
0 // dwFlags
);
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
*pcbComputedHash = 0;
CommonReturn:
dwErr = GetLastError();
if (hHash)
CryptDestroyHash(hHash);
PkiFree(pSignedInfo);
SetLastError(dwErr);
return fResult;
}
//+-------------------------------------------------------------------------
// Sign the "to be signed" information in the encoded signed content.
//
// hCryptProv specifies the crypto provider to use to do the signature.
// It needs to use the provider's signature private key.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptSignCertificate(
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN DWORD dwCertEncodingType,
IN const BYTE *pbEncodedToBeSigned,
IN DWORD cbEncodedToBeSigned,
IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
IN OPTIONAL const void *pvHashAuxInfo,
OUT BYTE *pbSignature,
IN OUT DWORD *pcbSignature
)
{
BOOL fResult;
ALG_ID aiHash;
ALG_ID aiPubKey;
DWORD dwSignFlags;
HCRYPTHASH hHash = 0;
DWORD dwErr;
if (!GetSignOIDInfo(pSignatureAlgorithm->pszObjId,
&aiHash, &aiPubKey, &dwSignFlags))
goto ErrorReturn;
if (CALG_NO_SIGN == aiPubKey) {
fResult = CryptHashCertificate(
hCryptProv,
aiHash,
0, // dwFlags
pbEncodedToBeSigned,
cbEncodedToBeSigned,
pbSignature,
pcbSignature
);
if (fResult && pbSignature)
// A subsequent CryptEncodeObject(X509_CERT) will reverse
// the signature bytes
PkiAsn1ReverseBytes(pbSignature, *pcbSignature);
return fResult;
}
if (CALG_DSS_SIGN == aiPubKey &&
0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
if (NULL == pbSignature) {
*pcbSignature = CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN;
return TRUE;
}
}
if (!CryptCreateHash(
hCryptProv,
aiHash,
NULL, // hKey - optional for MAC
0, // dwFlags,
&hHash
))
goto ErrorReturn;
if (!CryptHashData(
hHash,
pbEncodedToBeSigned,
cbEncodedToBeSigned,
0 // dwFlags
))
goto ErrorReturn;
if (CALG_DSS_SIGN == aiPubKey &&
0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
DWORD cbData;
BYTE rgbDssSignature[CERT_DSS_SIGNATURE_LEN];
cbData = sizeof(rgbDssSignature);
if (!CryptSignHash(
hHash,
dwKeySpec,
NULL, // sDescription
0, // dwFlags
rgbDssSignature,
&cbData
)) goto ErrorReturn;
assert(cbData == sizeof(rgbDssSignature));
// Convert from the CSP signature format to an ASN.1 sequence of
// two integers
fResult = CryptEncodeObject(
dwCertEncodingType,
X509_DSS_SIGNATURE,
rgbDssSignature,
pbSignature,
pcbSignature
);
if (fResult)
// A subsequent CryptEncodeObject(X509_CERT) will reverse
// the signature bytes
PkiAsn1ReverseBytes(pbSignature, *pcbSignature);
else if (0 != *pcbSignature)
// Since a random number is used in each CryptSignHash invocation,
// the generated signature will be different. In particular
// different signatures may have different leading 0x00's or
// 0xFF's which get removed when converted to the ASN.1 sequence
// of integers.
*pcbSignature = CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN;
} else
fResult = CryptSignHash(
hHash,
dwKeySpec,
NULL, // sDescription
0, // dwFlags
pbSignature, // pbData
pcbSignature
);
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
*pcbSignature = 0;
CommonReturn:
dwErr = GetLastError();
if (hHash)
CryptDestroyHash(hHash);
SetLastError(dwErr);
return fResult;
}
static DWORD AdjustForMaximumEncodedSignatureLength(
IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
IN DWORD cbOrig
)
{
DWORD cbAdjust;
ALG_ID aiHash;
ALG_ID aiPubKey;
DWORD dwSignFlags;
cbAdjust = 0;
if (GetSignOIDInfo(pSignatureAlgorithm->pszObjId,
&aiHash, &aiPubKey, &dwSignFlags)) {
if (CALG_DSS_SIGN == aiPubKey &&
0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
assert(CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN >= cbOrig);
if (CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN > cbOrig)
// the +1 is for adjusting the number of length octets in
// the outer SEQUENCE. Note, the number of length octets in
// the signature's BITSTRING will always be 1, ie,
// CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN <= 0x7F.
cbAdjust =
(CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN - cbOrig) + 1;
}
}
return cbAdjust;
}
//+-------------------------------------------------------------------------
// Encode the "to be signed" information. Sign the encoded "to be signed".
// Encode the "to be signed" and the signature.
//
// hCryptProv specifies the crypto provider to use to do the signature.
// It uses the specified private key.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptSignAndEncodeCertificate(
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN DWORD dwCertEncodingType,
IN LPCSTR lpszStructType,
IN const void *pvStructInfo,
IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
IN OPTIONAL const void *pvHashAuxInfo,
OUT BYTE *pbEncoded,
IN OUT DWORD *pcbEncoded
)
{
BOOL fResult;
CERT_SIGNED_CONTENT_INFO SignedInfo;
memset(&SignedInfo, 0, sizeof(SignedInfo));
SignedInfo.SignatureAlgorithm = *pSignatureAlgorithm;
if (!AllocAndEncodeObject(
dwCertEncodingType,
lpszStructType,
pvStructInfo,
&SignedInfo.ToBeSigned.pbData,
&SignedInfo.ToBeSigned.cbData
)) goto ErrorReturn;
CryptSignCertificate(
hCryptProv,
dwKeySpec,
dwCertEncodingType,
SignedInfo.ToBeSigned.pbData,
SignedInfo.ToBeSigned.cbData,
&SignedInfo.SignatureAlgorithm,
pvHashAuxInfo,
NULL, // pbSignature
&SignedInfo.Signature.cbData
);
if (SignedInfo.Signature.cbData == 0) goto ErrorReturn;
SignedInfo.Signature.pbData =
(BYTE *) PkiNonzeroAlloc(SignedInfo.Signature.cbData);
if (SignedInfo.Signature.pbData == NULL) goto ErrorReturn;
if (pbEncoded) {
if (!CryptSignCertificate(
hCryptProv,
dwKeySpec,
dwCertEncodingType,
SignedInfo.ToBeSigned.pbData,
SignedInfo.ToBeSigned.cbData,
&SignedInfo.SignatureAlgorithm,
pvHashAuxInfo,
SignedInfo.Signature.pbData,
&SignedInfo.Signature.cbData
)) goto ErrorReturn;
}
fResult = CryptEncodeObject(
dwCertEncodingType,
X509_CERT,
&SignedInfo,
pbEncoded,
pcbEncoded
);
if (!fResult && *pcbEncoded) {
*pcbEncoded += AdjustForMaximumEncodedSignatureLength(
&SignedInfo.SignatureAlgorithm,
SignedInfo.Signature.cbData
);
}
CommonReturn:
PkiFree(SignedInfo.ToBeSigned.pbData);
PkiFree(SignedInfo.Signature.pbData);
return fResult;
ErrorReturn:
fResult = FALSE;
*pcbEncoded = 0;
goto CommonReturn;
}
//+-------------------------------------------------------------------------
// Verify the time validity of a certificate.
//
// Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
// a valid certificate
//
// If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
LONG
WINAPI
CertVerifyTimeValidity(
IN LPFILETIME pTimeToVerify,
IN PCERT_INFO pCertInfo
)
{
SYSTEMTIME SystemTime;
FILETIME FileTime;
LPFILETIME pFileTime;
if (pTimeToVerify)
pFileTime = pTimeToVerify;
else {
GetSystemTime(&SystemTime);
SystemTimeToFileTime(&SystemTime, &FileTime);
pFileTime = &FileTime;
}
if (CompareFileTime(pFileTime, &pCertInfo->NotBefore) < 0)
return -1;
else if (CompareFileTime(pFileTime, &pCertInfo->NotAfter) > 0)
return 1;
else
return 0;
}
//+-------------------------------------------------------------------------
// Verify the time validity of a CRL.
//
// Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
// a valid CRL
//
// If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
LONG
WINAPI
CertVerifyCRLTimeValidity(
IN LPFILETIME pTimeToVerify,
IN PCRL_INFO pCrlInfo
)
{
SYSTEMTIME SystemTime;
FILETIME FileTime;
LPFILETIME pFileTime;
if (pTimeToVerify)
pFileTime = pTimeToVerify;
else {
GetSystemTime(&SystemTime);
SystemTimeToFileTime(&SystemTime, &FileTime);
pFileTime = &FileTime;
}
// Note, NextUpdate is optional. When not present, set to 0
if (CompareFileTime(pFileTime, &pCrlInfo->ThisUpdate) < 0)
return -1;
else if ((pCrlInfo->NextUpdate.dwLowDateTime ||
pCrlInfo->NextUpdate.dwHighDateTime) &&
CompareFileTime(pFileTime, &pCrlInfo->NextUpdate) > 0)
return 1;
else
return 0;
}
//+-------------------------------------------------------------------------
// Verify that the subject's time validity nests within the issuer's time
// validity.
//
// Returns TRUE if it nests. Otherwise, returns FALSE.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertVerifyValidityNesting(
IN PCERT_INFO pSubjectInfo,
IN PCERT_INFO pIssuerInfo
)
{
if ((CompareFileTime(&pSubjectInfo->NotBefore,
&pIssuerInfo->NotBefore) >= 0) &&
(CompareFileTime(&pSubjectInfo->NotAfter,
&pIssuerInfo->NotAfter) <= 0))
return TRUE;
else
return FALSE;
}
//+-------------------------------------------------------------------------
// Verify that the subject certificate isn't on its issuer CRL.
//
// Returns true if the certificate isn't on the CRL.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertVerifyCRLRevocation(
IN DWORD dwCertEncodingType,
IN PCERT_INFO pCertId, // Only the Issuer and SerialNumber
// fields are used
IN DWORD cCrlInfo,
IN PCRL_INFO rgpCrlInfo[]
)
{
DWORD InfoIdx;
for (InfoIdx = 0; InfoIdx < cCrlInfo; InfoIdx++) {
DWORD cEntry = rgpCrlInfo[InfoIdx]->cCRLEntry;
PCRL_ENTRY rgEntry = rgpCrlInfo[InfoIdx]->rgCRLEntry;
DWORD EntryIdx;
for (EntryIdx = 0; EntryIdx < cEntry; EntryIdx++) {
if (CertCompareIntegerBlob(&rgEntry[EntryIdx].SerialNumber,
&pCertId->SerialNumber))
// It has been revoked!!!
return FALSE;
}
}
return TRUE;
}
//+-------------------------------------------------------------------------
// Convert the CAPI AlgId to the ASN.1 Object Identifier string
//
// Returns NULL if there isn't an ObjId corresponding to the AlgId.
//--------------------------------------------------------------------------
LPCSTR
WINAPI
CertAlgIdToOID(
IN DWORD dwAlgId
)
{
DWORD dwGroupId;
for (dwGroupId = CRYPT_FIRST_ALG_OID_GROUP_ID;
dwGroupId <= CRYPT_LAST_ALG_OID_GROUP_ID; dwGroupId++) {
PCCRYPT_OID_INFO pInfo;
if (pInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_ALGID_KEY,
&dwAlgId,
dwGroupId
))
return pInfo->pszOID;
}
return NULL;
}
//+-------------------------------------------------------------------------
// Convert the ASN.1 Object Identifier string to the CAPI AlgId.
//
// Returns 0 if there isn't an AlgId corresponding to the ObjId.
//--------------------------------------------------------------------------
DWORD
WINAPI
CertOIDToAlgId(
IN LPCSTR pszObjId
)
{
DWORD dwGroupId;
for (dwGroupId = CRYPT_FIRST_ALG_OID_GROUP_ID;
dwGroupId <= CRYPT_LAST_ALG_OID_GROUP_ID; dwGroupId++) {
PCCRYPT_OID_INFO pInfo;
if (pInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
(void *) pszObjId,
dwGroupId
))
return pInfo->Algid;
}
return 0;
}
//+-------------------------------------------------------------------------
// Find an extension identified by its Object Identifier.
//
// If found, returns pointer to the extension. Otherwise, returns NULL.
//--------------------------------------------------------------------------
PCERT_EXTENSION
WINAPI
CertFindExtension(
IN LPCSTR pszObjId,
IN DWORD cExtensions,
IN CERT_EXTENSION rgExtensions[]
)
{
for (; cExtensions > 0; cExtensions--, rgExtensions++) {
if (strcmp(pszObjId, rgExtensions->pszObjId) == 0)
return rgExtensions;
}
return NULL;
}
//+-------------------------------------------------------------------------
// Find the first attribute identified by its Object Identifier.
//
// If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
PCRYPT_ATTRIBUTE
WINAPI
CertFindAttribute(
IN LPCSTR pszObjId,
IN DWORD cAttr,
IN CRYPT_ATTRIBUTE rgAttr[]
)
{
for (; cAttr > 0; cAttr--, rgAttr++) {
if (strcmp(pszObjId, rgAttr->pszObjId) == 0)
return rgAttr;
}
return NULL;
}
//+-------------------------------------------------------------------------
// Find the first CERT_RDN attribute identified by its Object Identifier in
// the name's list of Relative Distinguished Names.
//
// If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
PCERT_RDN_ATTR
WINAPI
CertFindRDNAttr(
IN LPCSTR pszObjId,
IN PCERT_NAME_INFO pName
)
{
DWORD cRDN = pName->cRDN;
PCERT_RDN pRDN = pName->rgRDN;
for ( ; cRDN > 0; cRDN--, pRDN++) {
DWORD cRDNAttr = pRDN->cRDNAttr;
PCERT_RDN_ATTR pRDNAttr = pRDN->rgRDNAttr;
for (; cRDNAttr > 0; cRDNAttr--, pRDNAttr++) {
if (strcmp(pszObjId, pRDNAttr->pszObjId) == 0)
return pRDNAttr;
}
}
return NULL;
}
//+-------------------------------------------------------------------------
// Get the intended key usage bytes from the certificate.
//
// If the certificate doesn't have any intended key usage bytes, returns FALSE
// and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
// cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
// bytes are zeroed.
//--------------------------------------------------------------------------
BOOL
WINAPI
CertGetIntendedKeyUsage(
IN DWORD dwCertEncodingType,
IN PCERT_INFO pCertInfo,
OUT BYTE *pbKeyUsage,
IN DWORD cbKeyUsage
)
{
BOOL fResult;
DWORD cbData;
PCERT_EXTENSION pExt;
PCERT_KEY_ATTRIBUTES_INFO pKeyAttrInfo = NULL;
PCRYPT_BIT_BLOB pAllocKeyUsage = NULL;
PCRYPT_BIT_BLOB pKeyUsage = NULL; // not allocated
// First see if the certificate has the simple Key Usage Extension
if (NULL != (pExt = CertFindExtension(
szOID_KEY_USAGE,
pCertInfo->cExtension,
pCertInfo->rgExtension
)) &&
NULL != (pAllocKeyUsage =
(PCRYPT_BIT_BLOB) AllocAndDecodeObject(
dwCertEncodingType,
X509_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData
)))
pKeyUsage = pAllocKeyUsage;
else {
pExt = CertFindExtension(
szOID_KEY_ATTRIBUTES,
pCertInfo->cExtension,
pCertInfo->rgExtension
);
if (pExt == NULL) goto GetError;
if (NULL == (pKeyAttrInfo =
(PCERT_KEY_ATTRIBUTES_INFO) AllocAndDecodeObject(
dwCertEncodingType,
X509_KEY_ATTRIBUTES,
pExt->Value.pbData,
pExt->Value.cbData
))) goto ErrorReturn;
pKeyUsage = &pKeyAttrInfo->IntendedKeyUsage;
}
if (pKeyUsage->cbData == 0 || cbKeyUsage == 0)
goto GetError;
cbData = min(pKeyUsage->cbData, cbKeyUsage);
memcpy(pbKeyUsage, pKeyUsage->pbData, cbData);
fResult = TRUE;
goto CommonReturn;
GetError:
SetLastError(0);
ErrorReturn:
fResult = FALSE;
cbData = 0;
CommonReturn:
PkiFree(pAllocKeyUsage);
PkiFree(pKeyAttrInfo);
if (cbData < cbKeyUsage)
memset(pbKeyUsage + cbData, 0, cbKeyUsage - cbData);
return fResult;
}
static DWORD GetYPublicKeyLength(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPublicKeyInfo
)
{
PCRYPT_UINT_BLOB pY = NULL;
DWORD dwBitLen;
if (NULL == (pY = (PCRYPT_UINT_BLOB) AllocAndDecodeObject(
dwCertEncodingType,
X509_MULTI_BYTE_UINT,
pPublicKeyInfo->PublicKey.pbData,
pPublicKeyInfo->PublicKey.cbData
))) goto DecodePubKeyError;
dwBitLen = pY->cbData * 8;
CommonReturn:
PkiFree(pY);
return dwBitLen;
ErrorReturn:
dwBitLen = 0;
goto CommonReturn;
TRACE_ERROR(DecodePubKeyError)
}
// If there are parameters, use the length of the 'P' parameter. Otherwise,
// use the length of Y. Note, P's MSB must be set. Y's MSB may not be set.
static DWORD GetDHPublicKeyLength(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPublicKey
)
{
PCERT_X942_DH_PARAMETERS pDhParameters = NULL;
DWORD dwBitLen;
if (0 == pPublicKey->Algorithm.Parameters.cbData)
goto NoDhParametersError;
if (NULL == (pDhParameters =
(PCERT_X942_DH_PARAMETERS) AllocAndDecodeObject(
dwCertEncodingType,
X942_DH_PARAMETERS,
pPublicKey->Algorithm.Parameters.pbData,
pPublicKey->Algorithm.Parameters.cbData
))) goto DecodeParametersError;
dwBitLen = pDhParameters->p.cbData * 8;
CommonReturn:
PkiFree(pDhParameters);
return dwBitLen;
ErrorReturn:
dwBitLen = GetYPublicKeyLength(dwCertEncodingType, pPublicKey);
goto CommonReturn;
TRACE_ERROR(NoDhParametersError)
TRACE_ERROR(DecodeParametersError)
}
// If there are parameters, use the length of the 'P' parameter. Otherwise,
// use the length of Y. Note, P's MSB must be set. Y's MSB may not be set.
static DWORD GetDSSPublicKeyLength(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPublicKey
)
{
PCERT_DSS_PARAMETERS pDssParameters = NULL;
DWORD dwBitLen;
if (0 == pPublicKey->Algorithm.Parameters.cbData)
goto NoDssParametersError;
if (NULL == (pDssParameters = (PCERT_DSS_PARAMETERS) AllocAndDecodeObject(
dwCertEncodingType,
X509_DSS_PARAMETERS,
pPublicKey->Algorithm.Parameters.pbData,
pPublicKey->Algorithm.Parameters.cbData
))) goto DecodeParametersError;
dwBitLen = pDssParameters->p.cbData * 8;
CommonReturn:
PkiFree(pDssParameters);
return dwBitLen;
ErrorReturn:
dwBitLen = GetYPublicKeyLength(dwCertEncodingType, pPublicKey);
goto CommonReturn;
TRACE_ERROR(NoDssParametersError)
TRACE_ERROR(DecodeParametersError)
}
//+-------------------------------------------------------------------------
// Get the public/private key's bit length.
//
// Returns 0 if unable to determine the key's length.
//--------------------------------------------------------------------------
DWORD
WINAPI
CertGetPublicKeyLength(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPublicKey
)
{
DWORD dwErr = 0;
DWORD dwBitLen;
ALG_ID aiPubKey;
PCCRYPT_OID_INFO pOIDInfo;
HCRYPTPROV hCryptProv; // don't need to release
HCRYPTKEY hPubKey = 0;
DWORD cbData;
if (pOIDInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
pPublicKey->Algorithm.pszObjId,
CRYPT_PUBKEY_ALG_OID_GROUP_ID))
aiPubKey = pOIDInfo->Algid;
else
aiPubKey = 0;
if (aiPubKey == CALG_DH_SF || aiPubKey == CALG_DH_EPHEM)
return GetDHPublicKeyLength(
dwCertEncodingType,
pPublicKey
);
if (aiPubKey == CALG_DSS_SIGN)
return GetDSSPublicKeyLength(
dwCertEncodingType,
pPublicKey
);
if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(aiPubKey)))
goto GetDefaultCryptProvError;
if (!CryptImportPublicKeyInfo(
hCryptProv,
dwCertEncodingType,
pPublicKey,
&hPubKey
)) goto ImportPublicKeyError;
cbData = sizeof(dwBitLen);
if (CryptGetKeyParam(
hPubKey,
KP_KEYLEN,
(BYTE *) &dwBitLen,
&cbData,
0)) // dwFlags
goto CommonReturn;
cbData = sizeof(dwBitLen);
if (CryptGetKeyParam(
hPubKey,
KP_BLOCKLEN,
(BYTE *) &dwBitLen,
&cbData,
0)) // dwFlags
goto CommonReturn;
{
// The CSP should have supported one of the above
// Export the public key and look at the bitlen field.
// The CAPI public key representation consists of the following
// sequence:
// - PUBLICKEYSTRUC
// - DSSPUBKEY | RSAPUBKEY (DSSPUBKEY is subset of RSAPUBKEY)
// ...
BYTE *pbPubKey = NULL;
DWORD cbPubKey;
dwBitLen = 0;
dwErr = GetLastError();
cbPubKey = 0;
if (CryptExportKey(
hPubKey,
0, // hPubKey
PUBLICKEYBLOB,
0, // dwFlags
NULL, // pbData
&cbPubKey
) &&
cbPubKey >= (sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY)) &&
NULL != (pbPubKey = (BYTE *) PkiNonzeroAlloc(cbPubKey))) {
if (CryptExportKey(
hPubKey,
0, // hPubKey
PUBLICKEYBLOB,
0, // dwFlags
pbPubKey,
&cbPubKey
)) {
DSSPUBKEY *pPubKey =
(DSSPUBKEY *) (pbPubKey + sizeof(PUBLICKEYSTRUC));
dwBitLen = pPubKey->bitlen;
}
PkiFree(pbPubKey);
}
if (0 != dwBitLen)
goto CommonReturn;
SetLastError(dwErr);
goto GetKeyParamError;
}
CommonReturn:
if (hPubKey)
CryptDestroyKey(hPubKey);
SetLastError(dwErr);
return dwBitLen;
ErrorReturn:
dwBitLen = 0;
dwErr = GetLastError();
goto CommonReturn;
TRACE_ERROR(GetDefaultCryptProvError)
TRACE_ERROR(ImportPublicKeyError)
TRACE_ERROR(GetKeyParamError)
}
//+-------------------------------------------------------------------------
// Compute the hash of the encoded public key info.
//
// The public key info is encoded and then hashed.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptHashPublicKeyInfo(
IN HCRYPTPROV hCryptProv,
IN ALG_ID Algid,
IN DWORD dwFlags,
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pInfo,
OUT BYTE *pbComputedHash,
IN OUT DWORD *pcbComputedHash
)
{
BOOL fResult;
BYTE *pbEncoded = NULL;
DWORD cbEncoded;
if (!AllocAndEncodeObject(
dwCertEncodingType,
X509_PUBLIC_KEY_INFO,
pInfo,
&pbEncoded,
&cbEncoded
))
goto ErrorReturn;
fResult = CryptHashCertificate(
hCryptProv,
Algid ? Algid : CALG_MD5,
dwFlags,
pbEncoded,
cbEncoded,
pbComputedHash,
pcbComputedHash
);
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
*pcbComputedHash = 0;
CommonReturn:
PkiFree(pbEncoded);
return fResult;
}
//+-------------------------------------------------------------------------
// Compares the certificate's public key with the provider's public key
// to see if they are identical.
//
// Returns TRUE if the keys are identical.
//--------------------------------------------------------------------------
BOOL
WINAPI
I_CertCompareCertAndProviderPublicKey(
IN PCCERT_CONTEXT pCert,
IN HCRYPTPROV hProv,
IN DWORD dwKeySpec
)
{
BOOL fResult;
PCERT_PUBLIC_KEY_INFO pProvPubKeyInfo = NULL;
DWORD cbProvPubKeyInfo;
DWORD dwCertEncodingType = pCert->dwCertEncodingType;
// Get provider's public key
if (!CryptExportPublicKeyInfo(
hProv,
dwKeySpec,
dwCertEncodingType,
NULL, // pProvPubKeyInfo
&cbProvPubKeyInfo
))
goto ExportPublicKeyInfoError;
assert(cbProvPubKeyInfo);
if (NULL == (pProvPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) PkiNonzeroAlloc(
cbProvPubKeyInfo)))
goto OutOfMemory;
if (!CryptExportPublicKeyInfo(
hProv,
dwKeySpec,
dwCertEncodingType,
pProvPubKeyInfo,
&cbProvPubKeyInfo
))
goto ExportPublicKeyInfoError;
if (!CertComparePublicKeyInfo(
dwCertEncodingType,
&pCert->pCertInfo->SubjectPublicKeyInfo,
pProvPubKeyInfo
))
goto ComparePublicKeyError;
fResult = TRUE;
CommonReturn:
PkiFree(pProvPubKeyInfo);
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(ExportPublicKeyInfoError)
TRACE_ERROR(OutOfMemory)
SET_ERROR(ComparePublicKeyError, NTE_BAD_PUBLIC_KEY)
}
//+=========================================================================
// CryptFindCertificateKeyProvInfo Support Functions
//-=========================================================================
static BOOL HasValidKeyProvInfo(
IN PCCERT_CONTEXT pCert,
IN DWORD dwFindKeySetFlags
)
{
BOOL fResult;
PCRYPT_KEY_PROV_INFO pKeyProvInfo = NULL;
HCRYPTPROV hProv = 0;
DWORD cbData;
DWORD dwAcquireFlags;
if (!CertGetCertificateContextProperty(
pCert,
CERT_KEY_PROV_INFO_PROP_ID,
NULL, // pvData
&cbData
))
return FALSE;
if (NULL == (pKeyProvInfo = (PCRYPT_KEY_PROV_INFO) PkiNonzeroAlloc(
cbData)))
goto OutOfMemory;
if (!CertGetCertificateContextProperty(
pCert,
CERT_KEY_PROV_INFO_PROP_ID,
pKeyProvInfo,
&cbData
))
goto GetKeyProvInfoPropertyError;
if (pKeyProvInfo->dwFlags & CRYPT_MACHINE_KEYSET) {
if (0 == (dwFindKeySetFlags & CRYPT_FIND_MACHINE_KEYSET_FLAG))
goto NotUserContainer;
} else {
if (0 == (dwFindKeySetFlags & CRYPT_FIND_USER_KEYSET_FLAG))
goto NotMachineContainer;
}
dwAcquireFlags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG;
if (dwFindKeySetFlags & CRYPT_FIND_SILENT_KEYSET_FLAG)
dwAcquireFlags |= CRYPT_ACQUIRE_SILENT_FLAG;
if (!CryptAcquireCertificatePrivateKey(
pCert,
dwAcquireFlags,
NULL, // pvReserved
&hProv,
NULL, // pdwKeySpec
NULL // pfCallerFreeProv
))
goto AcquireCertPrivateKeyError;
fResult = TRUE;
CommonReturn:
PkiFree(pKeyProvInfo);
if (hProv) {
DWORD dwErr = GetLastError();
CryptReleaseContext(hProv, 0);
SetLastError(dwErr);
}
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(OutOfMemory)
TRACE_ERROR(GetKeyProvInfoPropertyError)
SET_ERROR(NotUserContainer, NTE_NOT_FOUND)
SET_ERROR(NotMachineContainer, NTE_NOT_FOUND)
TRACE_ERROR(AcquireCertPrivateKeyError)
}
// Default to Algid being supported. Only return FALSE if successfully
// enumerated all the provider algorithms and didn't find a match.
static BOOL IsPublicKeyAlgidSupported(
IN PCCERT_CONTEXT pCert,
IN HCRYPTPROV hProv,
IN ALG_ID aiPubKey
)
{
BOOL fResult;
DWORD dwErr;
BYTE *pbData = NULL;
DWORD cbMaxData;
DWORD cbData;
DWORD dwFlags;
if (0 == aiPubKey)
return TRUE;
// Get maximum length of provider algorithm parameter data
cbMaxData = 0;
if (!CryptGetProvParam(
hProv,
PP_ENUMALGS,
NULL, // pbData
&cbMaxData,
CRYPT_FIRST // dwFlags
)) {
dwErr = GetLastError();
if (ERROR_MORE_DATA != dwErr)
goto GetProvAlgParamError;
}
if (0 == cbMaxData)
goto NoProvAlgParamError;
if (NULL == (pbData = (BYTE *) PkiNonzeroAlloc(cbMaxData)))
goto OutOfMemory;
dwFlags = CRYPT_FIRST;
while (TRUE) {
ALG_ID aiProv;
cbData = cbMaxData;
if (!CryptGetProvParam(
hProv,
PP_ENUMALGS,
pbData,
&cbData,
dwFlags
)) {
dwErr = GetLastError();
if (ERROR_NO_MORE_ITEMS == dwErr) {
fResult = FALSE;
goto PublicKeyAlgidNotSupported;
} else
goto GetProvAlgParamError;
}
assert(cbData >= sizeof(ALG_ID));
aiProv = *(ALG_ID *) pbData;
// Don't distinguish between exchange or signature
if (GET_ALG_TYPE(aiPubKey) == GET_ALG_TYPE(aiProv))
break;
dwFlags = 0; // CRYPT_NEXT
}
fResult = TRUE;
PublicKeyAlgidNotSupported:
CommonReturn:
PkiFree(pbData);
return fResult;
ErrorReturn:
// For an error, assume the public key algorithm is supported.
fResult = TRUE;
goto CommonReturn;
SET_ERROR_VAR(GetProvAlgParamError, dwErr)
SET_ERROR(NoProvAlgParamError, NTE_NOT_FOUND)
TRACE_ERROR(OutOfMemory)
}
// For success, updates the certificate's KEY_PROV_INFO property
//
// If container isn't found, LastError is set to ERROR_NO_MORE_ITEMS.
//
static BOOL FindContainerAndSetKeyProvInfo(
IN PCCERT_CONTEXT pCert,
IN HCRYPTPROV hProv,
IN LPWSTR pwszProvName,
IN DWORD dwProvType,
IN DWORD dwProvFlags // CRYPT_MACHINE_KEYSET and/or CRYPT_SILENT
)
{
BOOL fResult;
DWORD dwEnumFlags;
DWORD dwEnumErr = 0;
DWORD dwAcquireErr = 0;
LPSTR pszContainerName = NULL;
DWORD cchContainerName;
DWORD cchMaxContainerName;
LPWSTR pwszContainerName = NULL;
// Get maximum container name length
cchMaxContainerName = 0;
if (!CryptGetProvParam(
hProv,
PP_ENUMCONTAINERS,
NULL, // pbData
&cchMaxContainerName,
CRYPT_FIRST
)) {
dwEnumErr = GetLastError();
if (ERROR_FILE_NOT_FOUND == dwEnumErr ||
ERROR_INVALID_PARAMETER == dwEnumErr)
goto PublicKeyContainerNotFound;
else if (ERROR_MORE_DATA != dwEnumErr)
goto EnumContainersError;
}
if (0 == cchMaxContainerName)
goto PublicKeyContainerNotFound;
if (NULL == (pszContainerName = (LPSTR) PkiNonzeroAlloc(
cchMaxContainerName + 1)))
goto OutOfMemory;
dwEnumFlags = CRYPT_FIRST;
while (TRUE) {
HCRYPTPROV hContainerProv = 0;
LPWSTR pwszAcquireProvName = pwszProvName;
cchContainerName = cchMaxContainerName;
if (!CryptGetProvParam(
hProv,
PP_ENUMCONTAINERS,
(BYTE *) pszContainerName,
&cchContainerName,
dwEnumFlags
)) {
dwEnumErr = GetLastError();
if (ERROR_NO_MORE_ITEMS == dwEnumErr ||
ERROR_FILE_NOT_FOUND == dwEnumErr) {
if (0 != dwAcquireErr)
goto CryptAcquireContextError;
else
goto PublicKeyContainerNotFound;
} else
goto EnumContainersError;
}
dwEnumFlags = 0; // CRYPT_NEXT
if (NULL == (pwszContainerName = MkWStr(pszContainerName)))
goto OutOfMemory;
// First try using enhanced providers for the base guys
if (PROV_RSA_FULL == dwProvType &&
0 == _wcsicmp(pwszProvName, MS_DEF_PROV_W)) {
fResult = CryptAcquireContextU(
&hContainerProv,
pwszContainerName,
MS_ENHANCED_PROV_W,
PROV_RSA_FULL,
dwProvFlags
);
if (fResult)
pwszAcquireProvName = MS_ENHANCED_PROV_W;
} else if (PROV_DSS_DH == dwProvType &&
0 == _wcsicmp(pwszProvName, MS_DEF_DSS_DH_PROV_W)) {
fResult = CryptAcquireContextU(
&hContainerProv,
pwszContainerName,
MS_ENH_DSS_DH_PROV_W,
PROV_DSS_DH,
dwProvFlags
);
if (fResult)
pwszAcquireProvName = MS_ENH_DSS_DH_PROV_W;
} else
fResult = FALSE;
if (!fResult)
fResult = CryptAcquireContextU(
&hContainerProv,
pwszContainerName,
pwszAcquireProvName,
dwProvType,
dwProvFlags
);
if (!fResult)
dwAcquireErr = GetLastError();
else {
DWORD dwKeySpec;
dwKeySpec = AT_KEYEXCHANGE;
fResult = FALSE;
while (TRUE) {
if (I_CertCompareCertAndProviderPublicKey(
pCert,
hContainerProv,
dwKeySpec
)) {
fResult = TRUE;
break;
} else if (AT_SIGNATURE == dwKeySpec)
break;
else
dwKeySpec = AT_SIGNATURE;
}
CryptReleaseContext(hContainerProv, 0);
if (fResult) {
CRYPT_KEY_PROV_INFO KeyProvInfo;
memset(&KeyProvInfo, 0, sizeof(KeyProvInfo));
KeyProvInfo.pwszContainerName = pwszContainerName;
KeyProvInfo.pwszProvName = pwszAcquireProvName;
KeyProvInfo.dwProvType = dwProvType;
KeyProvInfo.dwFlags = dwProvFlags & ~CRYPT_SILENT;
KeyProvInfo.dwKeySpec = dwKeySpec;
if (!CertSetCertificateContextProperty(
pCert,
CERT_KEY_PROV_INFO_PROP_ID,
0, // dwFlags
&KeyProvInfo
))
goto SetKeyProvInfoPropertyError;
else
goto SuccessReturn;
}
}
FreeWStr(pwszContainerName);
pwszContainerName = NULL;
}
goto UnexpectedError;
SuccessReturn:
fResult = TRUE;
CommonReturn:
PkiFree(pszContainerName);
FreeWStr(pwszContainerName);
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
SET_ERROR_VAR(EnumContainersError, dwEnumErr)
TRACE_ERROR(OutOfMemory)
SET_ERROR_VAR(CryptAcquireContextError, dwAcquireErr)
SET_ERROR(PublicKeyContainerNotFound, ERROR_NO_MORE_ITEMS)
TRACE_ERROR(SetKeyProvInfoPropertyError)
SET_ERROR(UnexpectedError, E_UNEXPECTED)
}
//+-------------------------------------------------------------------------
// Enumerates the cryptographic providers and their containers to find the
// private key corresponding to the certificate's public key. For a match,
// the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
//
// If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to
// see if it matches the provider's public key. For a match, the above
// enumeration is skipped.
//
// By default both the user and machine key containers are searched.
// The CRYPT_FIND_USER_KEYSET_FLAG or CRYPT_FIND_MACHINE_KEYSET_FLAG
// can be set in dwFlags to restrict the search to either of the containers.
//
// The CRYPT_FIND_SILENT_KEYSET_FLAG can be set to suppress any UI by the CSP.
// See CryptAcquireContext's CRYPT_SILENT flag for more details.
//
// If a container isn't found, returns FALSE with LastError set to
// NTE_NO_KEY.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptFindCertificateKeyProvInfo(
IN PCCERT_CONTEXT pCert,
IN DWORD dwFlags,
IN void *pvReserved
)
{
BOOL fResult;
DWORD dwFindContainerErr = ERROR_NO_MORE_ITEMS;
DWORD dwAcquireErr = 0;
DWORD dwProvIndex;
PCCRYPT_OID_INFO pOIDInfo;
ALG_ID aiPubKey;
if (0 == (dwFlags &
(CRYPT_FIND_USER_KEYSET_FLAG | CRYPT_FIND_MACHINE_KEYSET_FLAG)))
dwFlags |=
CRYPT_FIND_USER_KEYSET_FLAG | CRYPT_FIND_MACHINE_KEYSET_FLAG;
if (HasValidKeyProvInfo(pCert, dwFlags))
return TRUE;
if (pOIDInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
pCert->pCertInfo->SubjectPublicKeyInfo.Algorithm.pszObjId,
CRYPT_PUBKEY_ALG_OID_GROUP_ID
))
aiPubKey = pOIDInfo->Algid;
else
aiPubKey = 0;
for (dwProvIndex = 0; TRUE; dwProvIndex++) {
LPWSTR pwszProvName;
DWORD cbProvName;
HCRYPTPROV hProv;
DWORD dwProvType;
cbProvName = 0;
dwProvType = 0;
if (!CryptEnumProvidersU(
dwProvIndex,
NULL, // pdwReserved
0, // dwFlags
&dwProvType,
NULL, // pwszProvName,
&cbProvName
) || 0 == cbProvName) {
if (0 == dwProvIndex)
goto EnumProvidersError;
else if (ERROR_NO_MORE_ITEMS != dwFindContainerErr)
goto FindContainerError;
else if (0 != dwAcquireErr)
goto CryptAcquireContextError;
else
goto KeyContainerNotFound;
}
if (NULL == (pwszProvName = (LPWSTR) PkiNonzeroAlloc(
(cbProvName + 1) * sizeof(WCHAR))))
goto OutOfMemory;
if (!CryptEnumProvidersU(
dwProvIndex,
NULL, // pdwReserved
0, // dwFlags
&dwProvType,
pwszProvName,
&cbProvName
)) {
PkiFree(pwszProvName);
goto EnumProvidersError;
}
fResult = FALSE;
if (!CryptAcquireContextU(
&hProv,
NULL, // pwszContainerName,
pwszProvName,
dwProvType,
CRYPT_VERIFYCONTEXT // dwFlags
)) {
dwAcquireErr = GetLastError();
hProv = 0; // CAPI bug, sets hCryptProv to nonzero
} else if (IsPublicKeyAlgidSupported(
pCert,
hProv,
aiPubKey
)) {
DWORD dwSetProvFlags;
if (dwFlags & CRYPT_FIND_SILENT_KEYSET_FLAG)
dwSetProvFlags = CRYPT_SILENT;
else
dwSetProvFlags = 0;
if (dwFlags & CRYPT_FIND_USER_KEYSET_FLAG) {
if (FindContainerAndSetKeyProvInfo(
pCert,
hProv,
pwszProvName,
dwProvType,
dwSetProvFlags
))
fResult = TRUE;
else if (ERROR_NO_MORE_ITEMS == dwFindContainerErr)
dwFindContainerErr = GetLastError();
}
if (!fResult && (dwFlags & CRYPT_FIND_MACHINE_KEYSET_FLAG)) {
CryptReleaseContext(hProv, 0);
if (!CryptAcquireContextU(
&hProv,
NULL, // pwszContainerName,
pwszProvName,
dwProvType,
CRYPT_VERIFYCONTEXT | CRYPT_MACHINE_KEYSET // dwFlags
)) {
dwAcquireErr = GetLastError();
hProv = 0; // CAPI bug, sets hCryptProv to nonzero
} else {
if (FindContainerAndSetKeyProvInfo(
pCert,
hProv,
pwszProvName,
dwProvType,
dwSetProvFlags | CRYPT_MACHINE_KEYSET
))
fResult = TRUE;
else if (ERROR_NO_MORE_ITEMS == dwFindContainerErr)
dwFindContainerErr = GetLastError();
}
}
}
if (hProv)
CryptReleaseContext(hProv, 0);
PkiFree(pwszProvName);
if (fResult)
goto CommonReturn;
}
goto UnexpectedError;
CommonReturn:
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(EnumProvidersError)
SET_ERROR(KeyContainerNotFound, NTE_NO_KEY)
SET_ERROR_VAR(FindContainerError, dwFindContainerErr)
SET_ERROR_VAR(CryptAcquireContextError, dwAcquireErr)
TRACE_ERROR(OutOfMemory)
SET_ERROR(UnexpectedError, E_UNEXPECTED)
}
//+=========================================================================
// CryptCreatePublicKeyInfo, EncodePublicKeyAndParameters
// and CryptConvertPublicKeyInfo functions
//-=========================================================================
static BOOL EncodePublicKeyInfo(
IN LPCSTR pszPubKeyOID,
IN BYTE *pbEncodedPubKey,
IN DWORD cbEncodedPubKey,
IN BYTE *pbEncodedParameters,
IN DWORD cbEncodedParameters,
OUT PCERT_PUBLIC_KEY_INFO pInfo,
IN OUT DWORD *pcbInfo
)
{
BOOL fResult;
BYTE *pbExtra;
LONG lRemainExtra;
DWORD cbOID;
if (pInfo == NULL)
*pcbInfo = 0;
// for lRemainExtra < 0, LENGTH_ONLY calculation
lRemainExtra = (LONG) *pcbInfo - sizeof(CERT_PUBLIC_KEY_INFO);
if (lRemainExtra < 0)
pbExtra = NULL;
else
pbExtra = (BYTE *) pInfo + sizeof(CERT_PUBLIC_KEY_INFO);
cbOID = strlen(pszPubKeyOID) + 1;
lRemainExtra -= INFO_LEN_ALIGN(cbOID) +
INFO_LEN_ALIGN(cbEncodedParameters) + cbEncodedPubKey;
if (lRemainExtra >= 0) {
memset(pInfo, 0, sizeof(CERT_PUBLIC_KEY_INFO));
pInfo->Algorithm.pszObjId = (LPSTR) pbExtra;
memcpy(pbExtra, pszPubKeyOID, cbOID);
pbExtra += INFO_LEN_ALIGN(cbOID);
if (cbEncodedParameters) {
pInfo->Algorithm.Parameters.cbData = cbEncodedParameters;
pInfo->Algorithm.Parameters.pbData = pbExtra;
memcpy(pbExtra, pbEncodedParameters, cbEncodedParameters);
pbExtra += INFO_LEN_ALIGN(cbEncodedParameters);
}
pInfo->PublicKey.pbData = pbExtra;
pInfo->PublicKey.cbData = cbEncodedPubKey;
memcpy(pbExtra, pbEncodedPubKey, cbEncodedPubKey);
*pcbInfo = *pcbInfo - (DWORD) lRemainExtra;
} else {
*pcbInfo = *pcbInfo + (DWORD) -lRemainExtra;
if (pInfo) goto LengthError;
}
fResult = TRUE;
CommonReturn:
return fResult;
LengthError:
SetLastError((DWORD) ERROR_MORE_DATA);
fResult = FALSE;
goto CommonReturn;
}
// By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
// public key Object Identifier. pszPubKeyOID can be set to override
// the default OID obtained from the aiKeyAlg.
BOOL
WINAPI
CryptCreatePublicKeyInfo(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyInfo,
IN OUT DWORD *pcbPubKeyInfo
)
{
BOOL fResult;
void *pvFuncAddr;
HCRYPTOIDFUNCADDR hFuncAddr;
LPCSTR pszEncodePubKeyOID;
BYTE *pbEncodedPubKey = NULL;
DWORD cbEncodedPubKey = 0;
BYTE *pbEncodedParameters = NULL;
DWORD cbEncodedParameters = 0;
PCERT_PUBLIC_KEY_INFO pPubKeyInfo = NULL;
DWORD cbPubKeyInfo;
if (NULL == pszPubKeyOID) {
PCCRYPT_OID_INFO pInfo;
if (NULL == (pInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_ALGID_KEY,
(void *) &pPubKeyStruc->aiKeyAlg,
CRYPT_PUBKEY_ALG_OID_GROUP_ID
)))
goto NoPubKeyOIDInfo;
pszEncodePubKeyOID = pInfo->pszOID;
} else
pszEncodePubKeyOID = pszPubKeyOID;
if (!CryptGetOIDFunctionAddress(
hEncodePubKeyFuncSet,
dwCertEncodingType,
pszEncodePubKeyOID,
0, // dwFlags
&pvFuncAddr,
&hFuncAddr)) {
PCCRYPT_OID_INFO pInfo;
if (NULL == pszPubKeyOID)
goto NoEncodePubKeyFunction;
if (NULL == (pInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_ALGID_KEY,
(void *) &pPubKeyStruc->aiKeyAlg,
CRYPT_PUBKEY_ALG_OID_GROUP_ID
)))
goto NoPubKeyOIDInfo;
pszEncodePubKeyOID = pInfo->pszOID;
if (!CryptGetOIDFunctionAddress(
hEncodePubKeyFuncSet,
dwCertEncodingType,
pszEncodePubKeyOID,
0, // dwFlags
&pvFuncAddr,
&hFuncAddr))
goto NoEncodePubKeyFunction;
}
if (NULL == pszPubKeyOID)
pszPubKeyOID = pszEncodePubKeyOID;
fResult = ((PFN_CRYPT_ENCODE_PUBLIC_KEY_AND_PARAMETERS) pvFuncAddr)(
dwCertEncodingType,
pszPubKeyOID,
pPubKeyStruc,
cbPubKeyStruc,
dwFlags,
pvReserved,
&pbEncodedPubKey,
&cbEncodedPubKey,
&pbEncodedParameters,
&cbEncodedParameters
);
CryptFreeOIDFunctionAddress(hFuncAddr, 0);
if (!fResult)
goto EncodePubKeyAndParametersError;
if (dwFlags & CRYPT_ALLOC_FLAG) {
if (!EncodePublicKeyInfo(
pszPubKeyOID,
pbEncodedPubKey,
cbEncodedPubKey,
pbEncodedParameters,
cbEncodedParameters,
NULL, // pPubKeyInfo
&cbPubKeyInfo
))
goto EncodePublicKeyInfoError;
if (NULL == (pPubKeyInfo =
(PCERT_PUBLIC_KEY_INFO) PkiDefaultCryptAlloc(cbPubKeyInfo)))
goto OutOfMemory;
*((PCERT_PUBLIC_KEY_INFO *) pvPubKeyInfo) = pPubKeyInfo;
} else {
pPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) pvPubKeyInfo;
cbPubKeyInfo = *pcbPubKeyInfo;
}
fResult = EncodePublicKeyInfo(
pszPubKeyOID,
pbEncodedPubKey,
cbEncodedPubKey,
pbEncodedParameters,
cbEncodedParameters,
pPubKeyInfo,
&cbPubKeyInfo
);
if (!fResult && (dwFlags & CRYPT_ALLOC_FLAG))
goto ErrorReturn;
CommonReturn:
PkiDefaultCryptFree(pbEncodedPubKey);
PkiDefaultCryptFree(pbEncodedParameters);
*pcbPubKeyInfo = cbPubKeyInfo;
return fResult;
ErrorReturn:
if (dwFlags & CRYPT_ALLOC_FLAG) {
PkiDefaultCryptFree(pPubKeyInfo);
*((void **) pvPubKeyInfo) = NULL;
}
cbPubKeyInfo = 0;
fResult = FALSE;
goto CommonReturn;
SET_ERROR(NoPubKeyOIDInfo, ERROR_FILE_NOT_FOUND)
TRACE_ERROR(NoEncodePubKeyFunction)
TRACE_ERROR(EncodePubKeyAndParametersError)
TRACE_ERROR(EncodePublicKeyInfoError)
TRACE_ERROR(OutOfMemory)
}
BOOL
WINAPI
CryptConvertPublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
)
{
BOOL fResult;
void *pvFuncAddr;
HCRYPTOIDFUNCADDR hFuncAddr;
if (CryptGetOIDFunctionAddress(
hConvertPubKeyFuncSet,
dwCertEncodingType,
pPubKeyInfo->Algorithm.pszObjId,
0, // dwFlags
&pvFuncAddr,
&hFuncAddr)) {
fResult = ((PFN_CRYPT_CONVERT_PUBLIC_KEY_INFO) pvFuncAddr)(
dwCertEncodingType,
pPubKeyInfo,
dwFlags,
pvReserved,
pvPubKeyStruc,
pcbPubKeyStruc
);
CryptFreeOIDFunctionAddress(hFuncAddr, 0);
} else {
ALG_ID aiPubKey;
PCCRYPT_OID_INFO pOIDInfo;
if (pOIDInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
pPubKeyInfo->Algorithm.pszObjId,
CRYPT_PUBKEY_ALG_OID_GROUP_ID
))
aiPubKey = pOIDInfo->Algid;
else
aiPubKey = 0;
switch (aiPubKey) {
case CALG_DSS_SIGN:
fResult = ConvertDSSPublicKeyInfo(
dwCertEncodingType,
pPubKeyInfo,
dwFlags,
pvReserved,
pvPubKeyStruc,
pcbPubKeyStruc
);
break;
default:
// Attempt to decode as a PKCS #1 RSA public key
fResult = ConvertRSAPublicKeyInfo(
dwCertEncodingType,
pPubKeyInfo,
dwFlags,
pvReserved,
pvPubKeyStruc,
pcbPubKeyStruc
);
break;
}
}
return fResult;
}
//+-------------------------------------------------------------------------
// Encode the RSA public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeRSAPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
)
{
*ppbEncodedParameters = NULL;
*pcbEncodedParameters = 0;
return CryptEncodeObjectEx(
dwCertEncodingType,
RSA_CSP_PUBLICKEYBLOB,
pPubKeyStruc,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedPubKey,
pcbEncodedPubKey
);
}
//+-------------------------------------------------------------------------
// Convert as an RSA public key
//--------------------------------------------------------------------------
static BOOL WINAPI ConvertRSAPublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
)
{
return CryptDecodeObjectEx(
dwCertEncodingType,
RSA_CSP_PUBLICKEYBLOB,
pPubKeyInfo->PublicKey.pbData,
pPubKeyInfo->PublicKey.cbData,
(dwFlags & CRYPT_ALLOC_FLAG) ? CRYPT_DECODE_ALLOC_FLAG : 0,
NULL, // pDecodePara,
pvPubKeyStruc,
pcbPubKeyStruc
);
}
#ifndef DSS1
#define DSS1 ((DWORD)'D'+((DWORD)'S'<<8)+((DWORD)'S'<<16)+((DWORD)'1'<<24))
#endif
#define DSS_Q_LEN 20
//+-------------------------------------------------------------------------
// Encode the DSS public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeDSSPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
)
{
BOOL fResult;
BYTE *pbKeyBlob;
DSSPUBKEY *pCspPubKey;
DWORD cbKey;
BYTE *pbKey;
CERT_DSS_PARAMETERS DssParameters;
CRYPT_UINT_BLOB DssPubKey;
*ppbEncodedPubKey = NULL;
*ppbEncodedParameters = NULL;
// The CAPI public key representation consists of the following sequence:
// - PUBLICKEYSTRUC
// - DSSPUBKEY
// - rgbP[cbKey]
// - rgbQ[20]
// - rgbG[cbKey]
// - rgbY[cbKey]
// - DSSSEED
pbKeyBlob = (BYTE *) pPubKeyStruc;
pCspPubKey = (DSSPUBKEY *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY);
cbKey = pCspPubKey->bitlen / 8;
assert(cbKey > 0);
assert(cbPubKeyStruc >= sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY) +
cbKey + DSS_Q_LEN + cbKey + cbKey + sizeof(DSSSEED));
assert(pPubKeyStruc->bType == PUBLICKEYBLOB);
assert(pPubKeyStruc->bVersion == CUR_BLOB_VERSION);
assert(pPubKeyStruc->aiKeyAlg == CALG_DSS_SIGN);
assert(pCspPubKey->magic == DSS1);
assert(pCspPubKey->bitlen % 8 == 0);
if (pPubKeyStruc->bType != PUBLICKEYBLOB)
goto InvalidArg;
// Initialize DSS parameters from CSP data structure
DssParameters.p.cbData = cbKey;
DssParameters.p.pbData = pbKey;
pbKey += cbKey;
DssParameters.q.cbData = DSS_Q_LEN;
DssParameters.q.pbData = pbKey;
pbKey += DSS_Q_LEN;
DssParameters.g.cbData = cbKey;
DssParameters.g.pbData = pbKey;
pbKey += cbKey;
// Initialize DSS public key from CSP data structure
DssPubKey.cbData = cbKey;
DssPubKey.pbData = pbKey;
// Encode the parameters and public key
if (!CryptEncodeObjectEx(
dwCertEncodingType,
X509_DSS_PARAMETERS,
&DssParameters,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedParameters,
pcbEncodedParameters
)) goto ErrorReturn;
if (!CryptEncodeObjectEx(
dwCertEncodingType,
X509_DSS_PUBLICKEY,
&DssPubKey,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedPubKey,
pcbEncodedPubKey
)) goto ErrorReturn;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
PkiDefaultCryptFree(*ppbEncodedParameters);
PkiDefaultCryptFree(*ppbEncodedPubKey);
*ppbEncodedParameters = NULL;
*ppbEncodedPubKey = NULL;
*pcbEncodedParameters = 0;
*pcbEncodedPubKey = 0;
fResult = FALSE;
goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)
}
//+-------------------------------------------------------------------------
// Convert as an DSS public key
//--------------------------------------------------------------------------
static BOOL WINAPI ConvertDSSPublicKeyInfo(
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pPubKeyInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT void *pvPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
)
{
BOOL fResult;
PCERT_DSS_PARAMETERS pDssParameters = NULL;
PCRYPT_UINT_BLOB pDssPubKey = NULL;
PUBLICKEYSTRUC *pPubKeyStruc = NULL;
DWORD cbPubKeyStruc;
BYTE *pbKeyBlob;
DSSPUBKEY *pCspPubKey;
DSSSEED *pCspSeed;
DWORD cbKey;
BYTE *pbKey;
DWORD cb;
if (0 == pPubKeyInfo->Algorithm.Parameters.cbData ||
NULL_ASN_TAG == *pPubKeyInfo->Algorithm.Parameters.pbData)
goto NoDssParametersError;
if (NULL == (pDssParameters = (PCERT_DSS_PARAMETERS) AllocAndDecodeObject(
dwCertEncodingType,
X509_DSS_PARAMETERS,
pPubKeyInfo->Algorithm.Parameters.pbData,
pPubKeyInfo->Algorithm.Parameters.cbData
))) goto DecodeParametersError;
if (NULL == (pDssPubKey = (PCRYPT_UINT_BLOB) AllocAndDecodeObject(
dwCertEncodingType,
X509_DSS_PUBLICKEY,
pPubKeyInfo->PublicKey.pbData,
pPubKeyInfo->PublicKey.cbData
))) goto DecodePubKeyError;
// The CAPI public key representation consists of the following sequence:
// - PUBLICKEYSTRUC
// - DSSPUBKEY
// - rgbP[cbKey]
// - rgbQ[20]
// - rgbG[cbKey]
// - rgbY[cbKey]
// - DSSSEED
cbKey = pDssParameters->p.cbData;
if (0 == cbKey)
goto InvalidDssParametersError;
cbPubKeyStruc = sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY) +
cbKey + DSS_Q_LEN + cbKey + cbKey + sizeof(DSSSEED);
if (dwFlags & CRYPT_ALLOC_FLAG) {
if (NULL == (pPubKeyStruc =
(PUBLICKEYSTRUC *) PkiDefaultCryptAlloc(cbPubKeyStruc)))
goto OutOfMemory;
*((PUBLICKEYSTRUC **) pvPubKeyStruc) = pPubKeyStruc;
} else
pPubKeyStruc = (PUBLICKEYSTRUC *) pvPubKeyStruc;
fResult = TRUE;
if (pPubKeyStruc) {
if (0 == (dwFlags & CRYPT_ALLOC_FLAG) &&
*pcbPubKeyStruc < cbPubKeyStruc) {
SetLastError((DWORD) ERROR_MORE_DATA);
fResult = FALSE;
} else {
pbKeyBlob = (BYTE *) pPubKeyStruc;
pCspPubKey = (DSSPUBKEY *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DSSPUBKEY);
// NOTE, the length of G and Y can be less than the length of P.
// The CSP requires G and Y to be padded out with 0x00 bytes if it
// is less and in little endian form
// PUBLICKEYSTRUC
pPubKeyStruc->bType = PUBLICKEYBLOB;
pPubKeyStruc->bVersion = CUR_BLOB_VERSION;
pPubKeyStruc->reserved = 0;
pPubKeyStruc->aiKeyAlg = CALG_DSS_SIGN;
// DSSPUBKEY
pCspPubKey->magic = DSS1;
pCspPubKey->bitlen = cbKey * 8;
// rgbP[cbKey]
memcpy(pbKey, pDssParameters->p.pbData, cbKey);
pbKey += cbKey;
// rgbQ[20]
cb = pDssParameters->q.cbData;
if (0 == cb || cb > DSS_Q_LEN)
goto InvalidDssParametersError;
memcpy(pbKey, pDssParameters->q.pbData, cb);
if (DSS_Q_LEN > cb)
memset(pbKey + cb, 0, DSS_Q_LEN - cb);
pbKey += DSS_Q_LEN;
// rgbG[cbKey]
cb = pDssParameters->g.cbData;
if (0 == cb || cb > cbKey)
goto InvalidDssParametersError;
memcpy(pbKey, pDssParameters->g.pbData, cb);
if (cbKey > cb)
memset(pbKey + cb, 0, cbKey - cb);
pbKey += cbKey;
// rgbY[cbKey]
cb = pDssPubKey->cbData;
if (0 == cb || cb > cbKey)
goto InvalidDssPubKeyError;
memcpy(pbKey, pDssPubKey->pbData, cb);
if (cbKey > cb)
memset(pbKey + cb, 0, cbKey - cb);
pbKey += cbKey;
// DSSSEED: set counter to 0xFFFFFFFF to indicate not available
pCspSeed = (DSSSEED *) pbKey;
memset(&pCspSeed->counter, 0xFF, sizeof(pCspSeed->counter));
}
}
CommonReturn:
*pcbPubKeyStruc = cbPubKeyStruc;
PkiFree(pDssParameters);
PkiFree(pDssPubKey);
return fResult;
ErrorReturn:
if (dwFlags & CRYPT_ALLOC_FLAG) {
PkiDefaultCryptFree(pPubKeyStruc);
*((PUBLICKEYSTRUC **) pvPubKeyStruc) = NULL;
}
cbPubKeyStruc = 0;
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(OutOfMemory)
TRACE_ERROR(DecodeParametersError)
TRACE_ERROR(DecodePubKeyError)
#ifdef CMS_PKCS7
SET_ERROR(NoDssParametersError, CRYPT_E_MISSING_PUBKEY_PARA)
#else
SET_ERROR(NoDssParametersError, E_INVALIDARG)
#endif // CMS_PKCS7
SET_ERROR(InvalidDssParametersError, E_INVALIDARG)
SET_ERROR(InvalidDssPubKeyError, E_INVALIDARG)
}
#ifndef DH3
#define DH3 (((DWORD)'D'<<8)+((DWORD)'H'<<16)+((DWORD)'3'<<24))
#endif
//+-------------------------------------------------------------------------
// Encode the RSA DH public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeRSADHPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
)
{
BOOL fResult;
BYTE *pbKeyBlob;
DHPUBKEY_VER3 *pCspPubKey;
DWORD cbP;
DWORD cbQ;
DWORD cbJ;
BYTE *pbKey;
CERT_DH_PARAMETERS DhParameters;
CRYPT_UINT_BLOB DhPubKey;
*ppbEncodedPubKey = NULL;
*ppbEncodedParameters = NULL;
// The CAPI public key representation consists of the following sequence:
// - PUBLICKEYSTRUC
// - DHPUBKEY_VER3
// - rgbP[cbP]
// - rgbQ[cbQ] -- not used in RSA_DH
// - rgbG[cbP]
// - rgbJ[cbJ] -- not used in RSA_DH
// - rgbY[cbP]
pbKeyBlob = (BYTE *) pPubKeyStruc;
pCspPubKey = (DHPUBKEY_VER3 *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3);
cbP = pCspPubKey->bitlenP / 8;
cbQ = pCspPubKey->bitlenQ / 8;
cbJ = pCspPubKey->bitlenJ / 8;
if (cbPubKeyStruc < sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
cbP * 3 + cbQ + cbJ)
goto InvalidArg;
if (pPubKeyStruc->bType != PUBLICKEYBLOB)
goto InvalidArg;
if (pCspPubKey->magic != DH3)
goto InvalidArg;
assert(cbP > 0);
assert(cbPubKeyStruc >= sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
cbP * 3 + cbQ + cbJ);
assert(pPubKeyStruc->bType == PUBLICKEYBLOB);
//assert(pPubKeyStruc->bVersion == 3);
assert(pPubKeyStruc->aiKeyAlg == CALG_DH_SF ||
pPubKeyStruc->aiKeyAlg == CALG_DH_EPHEM);
assert(pCspPubKey->magic == DH3);
assert(pCspPubKey->bitlenP % 8 == 0);
assert(pCspPubKey->bitlenQ % 8 == 0);
assert(pCspPubKey->bitlenJ % 8 == 0);
// Initialize the RSA DH Parameters from CSP data structure
DhParameters.p.pbData = pbKey;
DhParameters.p.cbData = cbP;
pbKey += cbP;
// No RSA DH Q parameter
pbKey += cbQ;
DhParameters.g.pbData = pbKey;
DhParameters.g.cbData = cbP;
pbKey += cbP;
// No RSA DH J parameter
pbKey += cbJ;
// Initialize DH public key from CSP data structure
DhPubKey.cbData = cbP;
DhPubKey.pbData = pbKey;
// Encode the parameters and public key
if (!CryptEncodeObjectEx(
dwCertEncodingType,
X509_DH_PARAMETERS,
&DhParameters,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedParameters,
pcbEncodedParameters
)) goto ErrorReturn;
if (!CryptEncodeObjectEx(
dwCertEncodingType,
X509_DH_PUBLICKEY,
&DhPubKey,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedPubKey,
pcbEncodedPubKey
)) goto ErrorReturn;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
PkiDefaultCryptFree(*ppbEncodedParameters);
PkiDefaultCryptFree(*ppbEncodedPubKey);
*ppbEncodedParameters = NULL;
*ppbEncodedPubKey = NULL;
*pcbEncodedParameters = 0;
*pcbEncodedPubKey = 0;
fResult = FALSE;
goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)
}
//+-------------------------------------------------------------------------
// Encode the X942 DH public key and parameters
//--------------------------------------------------------------------------
static BOOL WINAPI EncodeX942DHPublicKeyAndParameters(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE **ppbEncodedPubKey,
OUT DWORD *pcbEncodedPubKey,
OUT BYTE **ppbEncodedParameters,
OUT DWORD *pcbEncodedParameters
)
{
BOOL fResult;
BYTE *pbKeyBlob;
DHPUBKEY_VER3 *pCspPubKey;
DWORD cbP;
DWORD cbQ;
DWORD cbJ;
BYTE *pbKey;
CERT_X942_DH_PARAMETERS DhParameters;
CERT_X942_DH_VALIDATION_PARAMS DhValidationParams;
CRYPT_UINT_BLOB DhPubKey;
*ppbEncodedPubKey = NULL;
*ppbEncodedParameters = NULL;
// The CAPI public key representation consists of the following sequence:
// - PUBLICKEYSTRUC
// - DHPUBKEY_VER3
// - rgbP[cbP]
// - rgbQ[cbQ]
// - rgbG[cbP]
// - rgbJ[cbJ]
// - rgbY[cbP]
pbKeyBlob = (BYTE *) pPubKeyStruc;
pCspPubKey = (DHPUBKEY_VER3 *) (pbKeyBlob + sizeof(PUBLICKEYSTRUC));
pbKey = pbKeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3);
cbP = pCspPubKey->bitlenP / 8;
cbQ = pCspPubKey->bitlenQ / 8;
cbJ = pCspPubKey->bitlenJ / 8;
if (0 == cbQ)
return EncodeRSADHPublicKeyAndParameters(
dwCertEncodingType,
pszPubKeyOID,
pPubKeyStruc,
cbPubKeyStruc,
dwFlags,
pvReserved,
ppbEncodedPubKey,
pcbEncodedPubKey,
ppbEncodedParameters,
pcbEncodedParameters
);
if (cbPubKeyStruc < sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
cbP * 3 + cbQ + cbJ)
goto InvalidArg;
if (pPubKeyStruc->bType != PUBLICKEYBLOB)
goto InvalidArg;
if (pCspPubKey->magic != DH3)
goto InvalidArg;
assert(cbP > 0);
assert(cbPubKeyStruc >= sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
cbP * 3 + cbQ + cbJ);
assert(pPubKeyStruc->bType == PUBLICKEYBLOB);
//assert(pPubKeyStruc->bVersion == 3);
assert(pPubKeyStruc->aiKeyAlg == CALG_DH_SF ||
pPubKeyStruc->aiKeyAlg == CALG_DH_EPHEM);
assert(pCspPubKey->magic == DH3);
assert(pCspPubKey->bitlenP % 8 == 0);
assert(pCspPubKey->bitlenQ % 8 == 0);
assert(pCspPubKey->bitlenJ % 8 == 0);
// Initialize the X942 DH Parameters from CSP data structure
DhParameters.p.pbData = pbKey;
DhParameters.p.cbData = cbP;
pbKey += cbP;
DhParameters.q.pbData = pbKey;
DhParameters.q.cbData = cbQ;
pbKey += cbQ;
DhParameters.g.pbData = pbKey;
DhParameters.g.cbData = cbP;
pbKey += cbP;
DhParameters.j.pbData = pbKey;
DhParameters.j.cbData = cbJ;
pbKey += cbJ;
if (0xFFFFFFFF == pCspPubKey->DSSSeed.counter ||
0 == pCspPubKey->DSSSeed.counter)
DhParameters.pValidationParams = NULL;
else {
DhParameters.pValidationParams = &DhValidationParams;
DhValidationParams.pgenCounter = pCspPubKey->DSSSeed.counter;
DhValidationParams.seed.pbData = pCspPubKey->DSSSeed.seed;
DhValidationParams.seed.cbData = sizeof(pCspPubKey->DSSSeed.seed);
DhValidationParams.seed.cUnusedBits = 0;
}
// Initialize DH public key from CSP data structure
DhPubKey.cbData = cbP;
DhPubKey.pbData = pbKey;
// Encode the parameters and public key
if (!CryptEncodeObjectEx(
dwCertEncodingType,
X942_DH_PARAMETERS,
&DhParameters,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedParameters,
pcbEncodedParameters
)) goto ErrorReturn;
if (!CryptEncodeObjectEx(
dwCertEncodingType,
X509_DH_PUBLICKEY,
&DhPubKey,
CRYPT_ENCODE_ALLOC_FLAG,
NULL, // pEncodePara
(void *) ppbEncodedPubKey,
pcbEncodedPubKey
)) goto ErrorReturn;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
PkiDefaultCryptFree(*ppbEncodedParameters);
PkiDefaultCryptFree(*ppbEncodedPubKey);
*ppbEncodedParameters = NULL;
*ppbEncodedPubKey = NULL;
*pcbEncodedParameters = 0;
*pcbEncodedPubKey = 0;
fResult = FALSE;
goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)
}
#ifndef DH1
#define DH1 (((DWORD)'D'<<8)+((DWORD)'H'<<16)+((DWORD)'1'<<24))
#endif
// Convert a DH1 PublicKey Struc, to a DH3 PublicKey Struc by getting
// the P and G parameters from the hPubKey.
static BOOL ConvertDh1ToDh3PublicKeyStruc(
IN HCRYPTKEY hPubKey,
IN OUT PUBLICKEYSTRUC **ppPubKeyStruc,
IN OUT DWORD *pcbPubKeyStruc
)
{
BOOL fResult;
PUBLICKEYSTRUC *pDh1PubKeyStruc = *ppPubKeyStruc;
BYTE *pbDh1KeyBlob;
DHPUBKEY *pDh1CspPubKey;
BYTE *pbDh1Key;
PUBLICKEYSTRUC *pDh3PubKeyStruc = NULL;
DWORD cbDh3PubKeyStruc;
BYTE *pbDh3KeyBlob;
DHPUBKEY_VER3 *pDh3CspPubKey;
BYTE *pbDh3Key;
DWORD cbP;
DWORD cbData;
// The DH1 CAPI public key representation consists of the following
// sequence:
// - PUBLICKEYSTRUC
// - DHPUBKEY
// - rgbY[cbP]
pbDh1KeyBlob = (BYTE *) pDh1PubKeyStruc;
pDh1CspPubKey = (DHPUBKEY *) (pbDh1KeyBlob + sizeof(PUBLICKEYSTRUC));
pbDh1Key = pbDh1KeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY);
if (pDh1CspPubKey->magic != DH1)
return TRUE;
cbP = pDh1CspPubKey->bitlen / 8;
if (*pcbPubKeyStruc < sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY) + cbP)
goto InvalidArg;
// The DH3 CAPI public key representation consists of the following
// sequence:
// - PUBLICKEYSTRUC
// - DHPUBKEY_VER3
// - rgbP[cbP]
// - rgbQ[cbQ] -- will be omitted here
// - rgbG[cbP]
// - rgbJ[cbJ] -- will be omitted here
// - rgbY[cbP]
cbDh3PubKeyStruc = sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3) +
cbP * 3;
if (NULL == (pDh3PubKeyStruc = (PUBLICKEYSTRUC *) PkiZeroAlloc(
cbDh3PubKeyStruc)))
goto OutOfMemory;
pbDh3KeyBlob = (BYTE *) pDh3PubKeyStruc;
pDh3CspPubKey = (DHPUBKEY_VER3 *) (pbDh3KeyBlob + sizeof(PUBLICKEYSTRUC));
pbDh3Key = pbDh3KeyBlob + sizeof(PUBLICKEYSTRUC) + sizeof(DHPUBKEY_VER3);
pDh3PubKeyStruc->bType = PUBLICKEYBLOB;
pDh3PubKeyStruc->bVersion = 3;
pDh3PubKeyStruc->aiKeyAlg = CALG_DH_SF;
pDh3CspPubKey->magic = DH3;
pDh3CspPubKey->bitlenP = cbP * 8;
//pDh3CspPubKey->bitlenQ = 0;
//pDh3CspPubKey->bitlenJ = 0;
// Get the P parameter from the public key
cbData = cbP;
if (!CryptGetKeyParam(
hPubKey,
KP_P,
pbDh3Key,
&cbData,
0 // dwFlags
) || cbData != cbP)
goto GetPError;
pbDh3Key += cbP;
// No Q parameter
// Get G parameter from the public key
cbData = cbP;
if (!CryptGetKeyParam(
hPubKey,
KP_G,
pbDh3Key,
&cbData,
0 // dwFlags
) || cbData != cbP)
goto GetGError;
pbDh3Key += cbP;
// No J parameter
// Y
memcpy(pbDh3Key, pbDh1Key, cbP);
assert(pbDh3Key - pbDh3KeyBlob + cbP == cbDh3PubKeyStruc);
PkiFree(pDh1PubKeyStruc);
*ppPubKeyStruc = pDh3PubKeyStruc;
*pcbPubKeyStruc = cbDh3PubKeyStruc;
fResult = TRUE;
CommonReturn:
return fResult;
ErrorReturn:
fResult = FALSE;
PkiFree(pDh3PubKeyStruc);
goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)
TRACE_ERROR(OutOfMemory)
TRACE_ERROR(GetPError)
TRACE_ERROR(GetGError)
}
//+=========================================================================
// CryptExportPublicKeyInfo functions
//-=========================================================================
//+-------------------------------------------------------------------------
// Use the aiKeyAlg in the public key structure exported by the CSP to
// determine how to encode the public key.
//
// The dwFlags and pvAuxInfo aren't used.
//--------------------------------------------------------------------------
static BOOL WINAPI ExportCspPublicKeyInfoEx(
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN DWORD dwCertEncodingType,
IN OPTIONAL LPSTR pszPublicKeyObjId,
IN DWORD dwFlags,
IN OPTIONAL void *pvAuxInfo,
OUT PCERT_PUBLIC_KEY_INFO pInfo,
IN OUT DWORD *pcbInfo
)
{
BOOL fResult;
DWORD dwErr;
HCRYPTKEY hPubKey = 0;
PUBLICKEYSTRUC *pPubKeyStruc = NULL;
DWORD cbPubKeyStruc;
if (!CryptGetUserKey(
hCryptProv,
dwKeySpec,
&hPubKey
)) {
hPubKey = 0;
goto GetUserKeyError;
}
cbPubKeyStruc = 0;
if (!CryptExportKey(
hPubKey,
0, // hPubKey
PUBLICKEYBLOB,
0, // dwFlags
NULL, // pbData
&cbPubKeyStruc
) || (cbPubKeyStruc == 0))
goto ExportPublicKeyBlobError;
if (NULL == (pPubKeyStruc = (PUBLICKEYSTRUC *) PkiNonzeroAlloc(
cbPubKeyStruc)))
goto OutOfMemory;
if (!CryptExportKey(
hPubKey,
0, // hPubKey
PUBLICKEYBLOB,
0, // dwFlags
(BYTE *) pPubKeyStruc,
&cbPubKeyStruc
))
goto ExportPublicKeyBlobError;
if (CALG_DH_SF == pPubKeyStruc->aiKeyAlg ||
CALG_DH_EPHEM == pPubKeyStruc->aiKeyAlg) {
DWORD cbDh3PubKeyStruc;
PUBLICKEYSTRUC *pDh3PubKeyStruc;
// Check if the CSP supports DH3
cbDh3PubKeyStruc = 0;
if (!CryptExportKey(
hPubKey,
0, // hPubKey
PUBLICKEYBLOB,
CRYPT_BLOB_VER3,
NULL, // pbData
&cbDh3PubKeyStruc
) || (cbDh3PubKeyStruc == 0)) {
// Convert DH1 to DH3 by getting and adding the P and G
// parameters
if (!ConvertDh1ToDh3PublicKeyStruc(
hPubKey,
&pPubKeyStruc,
&cbPubKeyStruc
))
goto ConvertDh1ToDh3PublicKeyStrucError;
} else {
if (NULL == (pDh3PubKeyStruc = (PUBLICKEYSTRUC *) PkiNonzeroAlloc(
cbDh3PubKeyStruc)))
goto OutOfMemory;
if (!CryptExportKey(
hPubKey,
0, // hPubKey
PUBLICKEYBLOB,
CRYPT_BLOB_VER3,
(BYTE *) pDh3PubKeyStruc,
&cbDh3PubKeyStruc
)) {
PkiFree(pDh3PubKeyStruc);
goto ExportPublicKeyBlobError;
}
PkiFree(pPubKeyStruc);
pPubKeyStruc = pDh3PubKeyStruc;
cbPubKeyStruc = cbDh3PubKeyStruc;
}
if (NULL == pszPublicKeyObjId) {
DHPUBKEY_VER3 *pDh3CspPubKey;
// The CAPI public key representation consists of the
// following sequence:
// - PUBLICKEYSTRUC
// - DHPUBKEY_VER3
// - rgbP[cbP]
// - rgbQ[cbQ] -- not used in szOID_RSA_DH
// - rgbG[cbP]
// - rgbJ[cbJ] -- not used in szOID_RSA_DH
// - rgbY[cbP]
pDh3CspPubKey = (DHPUBKEY_VER3 *)
((BYTE*) pPubKeyStruc + sizeof(PUBLICKEYSTRUC));
if (DH3 == pDh3CspPubKey->magic && 0 == pDh3CspPubKey->bitlenQ)
// szOID_RSA_DH indicates no Q parameter
pszPublicKeyObjId = szOID_RSA_DH;
}
}
fResult = CryptCreatePublicKeyInfo(
dwCertEncodingType,
pszPublicKeyObjId,
pPubKeyStruc,
cbPubKeyStruc,
0, // dwFlags
NULL, // pvAuxInfo
pInfo,
pcbInfo
);
CommonReturn:
dwErr = GetLastError();
if (hPubKey)
CryptDestroyKey(hPubKey);
PkiFree(pPubKeyStruc);
SetLastError(dwErr);
return fResult;
ErrorReturn:
*pcbInfo = 0;
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(GetUserKeyError)
TRACE_ERROR(ExportPublicKeyBlobError)
TRACE_ERROR(OutOfMemory)
TRACE_ERROR(ConvertDh1ToDh3PublicKeyStrucError)
}
//+-------------------------------------------------------------------------
// Export the public key info associated with the provider's corresponding
// private key.
//
// Uses the dwCertEncodingType and pszPublicKeyObjId to call the
// installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
// has the same signature as CryptExportPublicKeyInfoEx.
//
// If unable to find an installable OID function for the pszPublicKeyObjId,
// attempts to export via the default export function.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptExportPublicKeyInfoEx(
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN DWORD dwCertEncodingType,
IN OPTIONAL LPSTR pszPublicKeyObjId,
IN DWORD dwFlags,
IN OPTIONAL void *pvAuxInfo,
OUT PCERT_PUBLIC_KEY_INFO pInfo,
IN OUT DWORD *pcbInfo
)
{
BOOL fResult;
void *pvFuncAddr;
HCRYPTOIDFUNCADDR hFuncAddr;
if (pszPublicKeyObjId && CryptGetOIDFunctionAddress(
hExportPubKeyFuncSet,
dwCertEncodingType,
pszPublicKeyObjId,
0, // dwFlags
&pvFuncAddr,
&hFuncAddr)) {
fResult = ((PFN_EXPORT_PUB_KEY_FUNC) pvFuncAddr)(
hCryptProv,
dwKeySpec,
dwCertEncodingType,
pszPublicKeyObjId,
dwFlags,
pvAuxInfo,
pInfo,
pcbInfo
);
CryptFreeOIDFunctionAddress(hFuncAddr, 0);
} else
// Attempt to export via the default function that looks at the
// public key algorithm in the public key struc exported by the CSP.
fResult = ExportCspPublicKeyInfoEx(
hCryptProv,
dwKeySpec,
dwCertEncodingType,
pszPublicKeyObjId,
dwFlags,
pvAuxInfo,
pInfo,
pcbInfo
);
return fResult;
}
//+-------------------------------------------------------------------------
// Export the public key info associated with the provider's corresponding
// private key.
//
// Calls CryptExportPublicKeyInfoEx with pszPublicKeyObjId = NULL,
// dwFlags = 0 and pvAuxInfo = NULL.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptExportPublicKeyInfo(
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN DWORD dwCertEncodingType,
OUT PCERT_PUBLIC_KEY_INFO pInfo,
IN OUT DWORD *pcbInfo
)
{
return CryptExportPublicKeyInfoEx(
hCryptProv,
dwKeySpec,
dwCertEncodingType,
NULL, // pszPublicKeyObjId
0, // dwFlags
NULL, // pvAuxInfo
pInfo,
pcbInfo
);
}
//+=========================================================================
// CryptImportPublicKeyInfo functions
//-=========================================================================
//+-------------------------------------------------------------------------
// Convert and import the public key info into the provider and return a
// handle to the public key.
//
// Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
// installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
// has the same signature as CryptImportPublicKeyInfoEx.
//
// If unable to find an installable OID function for the pszObjId,
// decodes the PublicKeyInfo into a CSP PublicKey Blob and imports.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptImportPublicKeyInfoEx(
IN HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pInfo,
IN ALG_ID aiKeyAlg,
IN DWORD dwFlags,
IN OPTIONAL void *pvAuxInfo,
OUT HCRYPTKEY *phKey
)
{
BOOL fResult;
void *pvFuncAddr;
HCRYPTOIDFUNCADDR hFuncAddr;
PUBLICKEYSTRUC *pPubKeyStruc = NULL;
DWORD cbPubKeyStruc;
if (CryptGetOIDFunctionAddress(
hImportPubKeyFuncSet,
dwCertEncodingType,
pInfo->Algorithm.pszObjId,
0, // dwFlags
&pvFuncAddr,
&hFuncAddr)) {
fResult = ((PFN_IMPORT_PUB_KEY_FUNC) pvFuncAddr)(
hCryptProv,
dwCertEncodingType,
pInfo,
aiKeyAlg,
dwFlags,
pvAuxInfo,
phKey
);
CryptFreeOIDFunctionAddress(hFuncAddr, 0);
} else {
if (!CryptConvertPublicKeyInfo(
dwCertEncodingType,
pInfo,
CRYPT_ALLOC_FLAG,
NULL, // pvReserved
(void *) &pPubKeyStruc,
&cbPubKeyStruc
))
goto ConvertPublicKeyInfoError;
if (aiKeyAlg)
pPubKeyStruc->aiKeyAlg = aiKeyAlg;
if (!CryptImportKey(
hCryptProv,
(BYTE *) pPubKeyStruc,
cbPubKeyStruc,
NULL, // hImpKey
0, // dwFlags
phKey
))
goto ImportKeyError;
fResult = TRUE;
}
CommonReturn:
PkiDefaultCryptFree(pPubKeyStruc);
return fResult;
ErrorReturn:
*phKey = NULL;
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(ConvertPublicKeyInfoError)
TRACE_ERROR(ImportKeyError)
}
//+-------------------------------------------------------------------------
// Convert and import the public key info into the provider and return a
// handle to the public key.
//
// Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
// pvAuxInfo = NULL.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptImportPublicKeyInfo(
IN HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN PCERT_PUBLIC_KEY_INFO pInfo,
OUT HCRYPTKEY *phKey
)
{
return CryptImportPublicKeyInfoEx(
hCryptProv,
dwCertEncodingType,
pInfo,
0, // aiKeyAlg
0, // dwFlags
NULL, // pvAuxInfo
phKey
);
}
//+-------------------------------------------------------------------------
// Create a KeyIdentifier from the CSP Public Key Blob.
//
// Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
// encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
// the Key Identifier.
//
// By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
// public key Object Identifier. pszPubKeyOID can be set to override
// the default OID obtained from the aiKeyAlg.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptCreateKeyIdentifierFromCSP(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE *pbHash,
IN OUT DWORD *pcbHash
)
{
BOOL fResult;
PCERT_PUBLIC_KEY_INFO pInfo = NULL;
DWORD cbInfo;
if (!CryptCreatePublicKeyInfo(
dwCertEncodingType,
pszPubKeyOID,
pPubKeyStruc,
cbPubKeyStruc,
CRYPT_ALLOC_FLAG,
NULL, // pvReserved
(void *) &pInfo,
&cbInfo
))
goto CreatePublicKeyInfoError;
fResult = CryptHashPublicKeyInfo(
NULL, // hCryptProv
CALG_SHA1,
0, // dwFlags
dwCertEncodingType,
pInfo,
pbHash,
pcbHash
);
CommonReturn:
PkiDefaultCryptFree(pInfo);
return fResult;
ErrorReturn:
*pcbHash = 0;
fResult = FALSE;
goto CommonReturn;
TRACE_ERROR(CreatePublicKeyInfoError)
}
//+=========================================================================
// DefaultContext APIs and Data Structures
//-=========================================================================
static BOOL InstallThreadDefaultContext(
IN PDEFAULT_CONTEXT pDefaultContext
)
{
PDEFAULT_CONTEXT pNext;
pNext = (PDEFAULT_CONTEXT) I_CryptGetTls(hTlsDefaultContext);
if (pNext) {
pDefaultContext->pNext = pNext;
pNext->pPrev = pDefaultContext;
}
fHasThreadDefaultContext = TRUE;
return I_CryptSetTls(hTlsDefaultContext, pDefaultContext);
}
static BOOL InstallProcessDefaultContext(
IN PDEFAULT_CONTEXT pDefaultContext
)
{
EnterCriticalSection(&DefaultContextCriticalSection);
if (pProcessDefaultContextHead) {
pDefaultContext->pNext = pProcessDefaultContextHead;
pProcessDefaultContextHead->pPrev = pDefaultContext;
}
pProcessDefaultContextHead = pDefaultContext;
fHasProcessDefaultContext = TRUE;
LeaveCriticalSection(&DefaultContextCriticalSection);
return TRUE;
}
//+-------------------------------------------------------------------------
// Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
// a default context.
//
// dwDefaultType and pvDefaultPara specify where the default context is used.
// For example, install the HCRYPTPROV to be used to verify certificate's
// having szOID_OIWSEC_md5RSA signatures.
//
// By default, the installed HCRYPTPROV is only applicable to the current
// thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
// to be used by all threads in the current process.
//
// For a successful install, TRUE is returned and *phDefaultContext is
// updated with the HANDLE to be passed to CryptUninstallDefaultContext.
//
// The installed HCRYPTPROVs are stack ordered (the last installed
// HCRYPTPROV is checked first). All thread installed HCRYPTPROVs are
// checked before any process HCRYPTPROVs.
//
// The installed HCRYPTPROV remains available for default usage until
// CryptUninstallDefaultContext is called or the thread or process exits.
//
// If CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG is set, then, the HCRYPTPROV
// is CryptReleaseContext'ed at thread or process exit. However,
// not CryptReleaseContext'ed if CryptUninstallDefaultContext is
// called.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptInstallDefaultContext(
IN HCRYPTPROV hCryptProv,
IN DWORD dwDefaultType,
IN const void *pvDefaultPara,
IN DWORD dwFlags,
IN void *pvReserved,
OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
)
{
BOOL fResult;
CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA MultiOIDPara;
LPSTR rgpszOID[1];
PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pMultiOIDPara;
PDEFAULT_CONTEXT pDefaultContext = NULL;
DWORD cbDefaultContext;
BYTE *pbExtra;
DWORD cbExtra;
if (CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID == dwDefaultType) {
dwDefaultType = CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID;
if (pvDefaultPara) {
rgpszOID[0] = (LPSTR) pvDefaultPara;
MultiOIDPara.cOID = 1;
MultiOIDPara.rgpszOID = rgpszOID;
pvDefaultPara = (const void *) &MultiOIDPara;
}
}
if (CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID != dwDefaultType)
goto InvalidArg;
pMultiOIDPara = (PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA) pvDefaultPara;
if (pMultiOIDPara) {
DWORD cOID = pMultiOIDPara->cOID;
LPSTR *ppszOID = pMultiOIDPara->rgpszOID;
if (0 == cOID)
goto InvalidArg;
cbExtra = INFO_LEN_ALIGN(sizeof(CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA)) +
cOID * sizeof(LPSTR);
for ( ; cOID; cOID--, ppszOID++)
cbExtra += strlen(*ppszOID) + 1;
} else {
if (dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG)
goto InvalidArg;
cbExtra = 0;
}
cbDefaultContext = INFO_LEN_ALIGN(sizeof(DEFAULT_CONTEXT)) + cbExtra;
if (NULL == (pDefaultContext = (PDEFAULT_CONTEXT) PkiZeroAlloc(
cbDefaultContext)))
goto OutOfMemory;
pDefaultContext->hCryptProv = hCryptProv;
pDefaultContext->dwDefaultType = dwDefaultType;
pDefaultContext->dwFlags = dwFlags;
pbExtra = ((BYTE *) pDefaultContext) +
INFO_LEN_ALIGN(sizeof(DEFAULT_CONTEXT));
if (cbExtra) {
DWORD cOID = pMultiOIDPara->cOID;
LPSTR *ppszOID = pMultiOIDPara->rgpszOID;
PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pOIDDefaultPara;
LPSTR *ppszOIDDefault;
assert(cOID);
pOIDDefaultPara = (PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA) pbExtra;
pDefaultContext->pOIDDefaultPara = pOIDDefaultPara;
pbExtra += INFO_LEN_ALIGN(sizeof(CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA));
ppszOIDDefault = (LPSTR *) pbExtra;
pbExtra += cOID * sizeof(LPSTR);
pOIDDefaultPara->cOID = cOID;
pOIDDefaultPara->rgpszOID = ppszOIDDefault;
for ( ; cOID; cOID--, ppszOID++, ppszOIDDefault++) {
DWORD cch = strlen(*ppszOID) + 1;
memcpy(pbExtra, *ppszOID, cch);
*ppszOIDDefault = (LPSTR) pbExtra;
pbExtra += cch;
}
}
assert(pbExtra == ((BYTE *) pDefaultContext) + cbDefaultContext);
if (dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG)
fResult = InstallProcessDefaultContext(pDefaultContext);
else
fResult = InstallThreadDefaultContext(pDefaultContext);
if (!fResult)
goto ErrorReturn;
CommonReturn:
*phDefaultContext = (HCRYPTDEFAULTCONTEXT) pDefaultContext;
return fResult;
ErrorReturn:
PkiFree(pDefaultContext);
fResult = FALSE;
goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)
TRACE_ERROR(OutOfMemory)
}
//+-------------------------------------------------------------------------
// Uninstall a default context previously installed by
// CryptInstallDefaultContext.
//
// For a default context installed with CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG
// set, if any other threads are currently using this context,
// this function will block until they finish.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptUninstallDefaultContext(
HCRYPTDEFAULTCONTEXT hDefaultContext,
IN DWORD dwFlags,
IN void *pvReserved
)
{
BOOL fResult;
PDEFAULT_CONTEXT pDefaultContext = (PDEFAULT_CONTEXT) hDefaultContext;
PDEFAULT_CONTEXT pDefaultContextHead;
BOOL fProcess;
if (NULL == pDefaultContext)
return TRUE;
fProcess = (pDefaultContext->dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG);
if (fProcess) {
EnterCriticalSection(&DefaultContextCriticalSection);
pDefaultContextHead = pProcessDefaultContextHead;
} else {
pDefaultContextHead = (PDEFAULT_CONTEXT) I_CryptGetTls(
hTlsDefaultContext);
}
if (NULL == pDefaultContextHead)
goto InvalidArg;
// Remove context from the list
if (pDefaultContext->pNext)
pDefaultContext->pNext->pPrev = pDefaultContext->pPrev;
if (pDefaultContext->pPrev)
pDefaultContext->pPrev->pNext = pDefaultContext->pNext;
else if (pDefaultContext == pDefaultContextHead) {
pDefaultContextHead = pDefaultContext->pNext;
if (fProcess)
pProcessDefaultContextHead = pDefaultContextHead;
else
I_CryptSetTls(hTlsDefaultContext, pDefaultContextHead);
} else
goto InvalidArg;
if (fProcess) {
if (pDefaultContext->lRefCnt) {
// Wait for all uses of the hCryptProv handle to finish
if (NULL == (pDefaultContext->hWait = CreateEvent(
NULL, // lpsa
FALSE, // fManualReset
FALSE, // fInitialState
NULL))) { // lpszEventName
assert(pDefaultContext->hWait);
goto UnexpectedError;
}
while (pDefaultContext->lRefCnt) {
LeaveCriticalSection(&DefaultContextCriticalSection);
WaitForSingleObject(pDefaultContext->hWait, INFINITE);
EnterCriticalSection(&DefaultContextCriticalSection);
}
CloseHandle(pDefaultContext->hWait);
pDefaultContext->hWait = NULL;
}
}
PkiFree(pDefaultContext);
fResult = TRUE;
CommonReturn:
if (fProcess)
LeaveCriticalSection(&DefaultContextCriticalSection);
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
SET_ERROR(InvalidArg, E_INVALIDARG)
SET_ERROR(UnexpectedError, E_UNEXPECTED)
}
static PDEFAULT_CONTEXT FindDefaultContext(
IN DWORD dwDefaultType,
IN const void *pvDefaultPara,
IN PDEFAULT_CONTEXT pDefaultContext
)
{
for ( ; pDefaultContext; pDefaultContext = pDefaultContext->pNext) {
switch (dwDefaultType) {
case CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID:
if (CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID ==
pDefaultContext->dwDefaultType) {
PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA pOIDDefaultPara =
pDefaultContext->pOIDDefaultPara;
DWORD cOID;
LPSTR *ppszOID;
if (NULL == pOIDDefaultPara)
return pDefaultContext;
cOID = pOIDDefaultPara->cOID;
ppszOID = pOIDDefaultPara->rgpszOID;
for ( ; cOID; cOID--, ppszOID++) {
if (0 == strcmp(*ppszOID, (LPSTR) pvDefaultPara))
return pDefaultContext;
}
}
break;
default:
return NULL;
}
}
return NULL;
}
//
// dwDefaultTypes:
// CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID (pvDefaultPara :== pszOID)
BOOL
WINAPI
I_CryptGetDefaultContext(
IN DWORD dwDefaultType,
IN const void *pvDefaultPara,
OUT HCRYPTPROV *phCryptProv,
OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
)
{
if (fHasThreadDefaultContext) {
PDEFAULT_CONTEXT pDefaultContext;
pDefaultContext = (PDEFAULT_CONTEXT) I_CryptGetTls(hTlsDefaultContext);
if (pDefaultContext = FindDefaultContext(
dwDefaultType,
pvDefaultPara,
pDefaultContext
)) {
*phCryptProv = pDefaultContext->hCryptProv;
*phDefaultContext = NULL;
return TRUE;
}
}
if (fHasProcessDefaultContext) {
PDEFAULT_CONTEXT pDefaultContext;
EnterCriticalSection(&DefaultContextCriticalSection);
if (pDefaultContext = FindDefaultContext(
dwDefaultType,
pvDefaultPara,
pProcessDefaultContextHead
))
pDefaultContext->lRefCnt++;
LeaveCriticalSection(&DefaultContextCriticalSection);
if (pDefaultContext) {
*phCryptProv = pDefaultContext->hCryptProv;
*phDefaultContext = (HCRYPTDEFAULTCONTEXT) pDefaultContext;
return TRUE;
}
}
*phCryptProv = NULL;
*phDefaultContext = NULL;
return FALSE;
}
// hDefaultContext is only NON-null for Process default context
void
WINAPI
I_CryptFreeDefaultContext(
HCRYPTDEFAULTCONTEXT hDefaultContext
)
{
PDEFAULT_CONTEXT pDefaultContext = (PDEFAULT_CONTEXT) hDefaultContext;
if (NULL == pDefaultContext)
return;
assert(pDefaultContext->dwFlags & CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG);
assert(0 < pDefaultContext->lRefCnt);
EnterCriticalSection(&DefaultContextCriticalSection);
if (0 == --pDefaultContext->lRefCnt && pDefaultContext->hWait)
SetEvent(pDefaultContext->hWait);
LeaveCriticalSection(&DefaultContextCriticalSection);
}
#ifdef CMS_PKCS7
WINCRYPT32API
BOOL
WINAPI
CryptVerifyCertificateSignatureEx(
IN OPTIONAL HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN DWORD dwSubjectType,
IN void *pvSubject,
IN DWORD dwIssuerType,
IN void *pvIssuer,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved
)
{
BOOL fResult;
PCERT_SIGNED_CONTENT_INFO pSignedInfo = NULL;
DWORD cbSignedInfo;
HCRYPTDEFAULTCONTEXT hDefaultContext = NULL;
HCRYPTKEY hSignKey = 0;
HCRYPTHASH hHash = 0;
BYTE *pbSignature; // not allocated
DWORD cbSignature;
BYTE rgbDssSignature[CERT_DSS_SIGNATURE_LEN];
ALG_ID aiHash;
ALG_ID aiPubKey;
DWORD dwProvType;
HCRYPTPROV hAcquiredCryptProv = 0;
DWORD dwSignFlags;
DWORD dwErr;
const BYTE *pbEncoded; // not allocated
DWORD cbEncoded;
PCERT_PUBLIC_KEY_INFO pIssuerPubKeyInfo;
CERT_PUBLIC_KEY_INFO IssuerPubKeyInfo;
PCRYPT_OBJID_BLOB pIssuerPara;
BYTE *pbAllocIssuerPara = NULL;
switch (dwSubjectType) {
case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB:
{
PCRYPT_DATA_BLOB pBlob = (PCRYPT_DATA_BLOB) pvSubject;
pbEncoded = pBlob->pbData;
cbEncoded = pBlob->cbData;
}
break;
case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT:
{
PCCERT_CONTEXT pSubject = (PCCERT_CONTEXT) pvSubject;
pbEncoded = pSubject->pbCertEncoded;
cbEncoded = pSubject->cbCertEncoded;
}
break;
case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL:
{
PCCRL_CONTEXT pSubject = (PCCRL_CONTEXT) pvSubject;
pbEncoded = pSubject->pbCrlEncoded;
cbEncoded = pSubject->cbCrlEncoded;
}
break;
default:
goto InvalidSubjectType;
}
if (!CryptDecodeObjectEx(
dwCertEncodingType,
X509_CERT,
pbEncoded,
cbEncoded,
CRYPT_DECODE_NOCOPY_FLAG | CRYPT_DECODE_ALLOC_FLAG |
CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG,
&PkiDecodePara,
(void *) &pSignedInfo,
&cbSignedInfo
)) goto DecodeCertError;
if (!GetSignOIDInfo(pSignedInfo->SignatureAlgorithm.pszObjId,
&aiHash, &aiPubKey, &dwSignFlags, &dwProvType))
goto GetSignOIDInfoError;
if (0 == hCryptProv) {
if (!I_CryptGetDefaultContext(
CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID,
(const void *) pSignedInfo->SignatureAlgorithm.pszObjId,
&hCryptProv,
&hDefaultContext
)) {
if (dwProvType && CryptAcquireContext(
&hCryptProv,
NULL, // pszContainer
NULL, // pszProvider,
dwProvType,
CRYPT_VERIFYCONTEXT // dwFlags
))
hAcquiredCryptProv = hCryptProv;
else if (0 == (hCryptProv = I_CryptGetDefaultCryptProv(aiPubKey)))
goto GetDefaultCryptProvError;
}
}
#if 0
// Slow down the signature verify while holding the default context
// reference count
if (hDefaultContext)
Sleep(5000);
#endif
switch (dwIssuerType) {
case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY:
pIssuerPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) pvIssuer;
break;
case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN:
{
PCCERT_CHAIN_CONTEXT pChain = (PCCERT_CHAIN_CONTEXT) pvIssuer;
// All chains have at least the leaf certificate context
assert(pChain->cChain && pChain->rgpChain[0]->cElement);
pvIssuer =
(void *) pChain->rgpChain[0]->rgpElement[0]->pCertContext;
dwIssuerType = CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT;
}
// fall through
case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT:
{
PCCERT_CONTEXT pIssuer = (PCCERT_CONTEXT) pvIssuer;
pIssuerPubKeyInfo = &pIssuer->pCertInfo->SubjectPublicKeyInfo;
// Check if the public key parameters were omitted
// from the encoded certificate. If omitted, try
// to use the certificate's CERT_PUBKEY_ALG_PARA_PROP_ID
// property.
pIssuerPara = &pIssuerPubKeyInfo->Algorithm.Parameters;
if (0 == pIssuerPara->cbData ||
NULL_ASN_TAG == *pIssuerPara->pbData) {
DWORD cbData;
if (CertGetCertificateContextProperty(
pIssuer,
CERT_PUBKEY_ALG_PARA_PROP_ID,
NULL, // pvData
&cbData) && 0 < cbData
&&
(pbAllocIssuerPara = (BYTE *) PkiNonzeroAlloc(
cbData))
&&
CertGetCertificateContextProperty(
pIssuer,
CERT_PUBKEY_ALG_PARA_PROP_ID,
pbAllocIssuerPara,
&cbData)) {
IssuerPubKeyInfo = *pIssuerPubKeyInfo;
IssuerPubKeyInfo.Algorithm.Parameters.pbData =
pbAllocIssuerPara;
IssuerPubKeyInfo.Algorithm.Parameters.cbData = cbData;
pIssuerPubKeyInfo = &IssuerPubKeyInfo;
}
}
}
break;
case CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL:
if (CALG_NO_SIGN != aiPubKey)
goto InvalidIssuerType;
pIssuerPubKeyInfo = NULL;
break;
default:
goto InvalidIssuerType;
}
if (CALG_NO_SIGN == aiPubKey) {
if (dwIssuerType != CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL)
goto InvalidIssuerType;
} else {
if (!CryptImportPublicKeyInfo(
hCryptProv,
dwCertEncodingType,
pIssuerPubKeyInfo,
&hSignKey
)) goto ImportPublicKeyInfoError;
}
if (!CryptCreateHash(
hCryptProv,
aiHash,
NULL, // hKey - optional for MAC
0, // dwFlags
&hHash
)) goto CreateHashError;
if (!CryptHashData(
hHash,
pSignedInfo->ToBeSigned.pbData,
pSignedInfo->ToBeSigned.cbData,
0 // dwFlags
)) goto HashDataError;
pbSignature = pSignedInfo->Signature.pbData;
cbSignature = pSignedInfo->Signature.cbData;
if (0 == cbSignature)
goto NoSignatureError;
if (CALG_NO_SIGN == aiPubKey) {
BYTE rgbHash[MAX_HASH_LEN];
DWORD cbHash = sizeof(rgbHash);
if (!CryptGetHashParam(
hHash,
HP_HASHVAL,
rgbHash,
&cbHash,
0 // dwFlags
))
goto GetHashValueError;
if (cbHash != cbSignature || 0 != memcmp(rgbHash, pbSignature, cbHash))
goto NoSignHashCompareError;
goto SuccessReturn;
}
if (CALG_DSS_SIGN == aiPubKey &&
0 == (dwSignFlags & CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG)) {
DWORD cbData;
// Convert from ASN.1 sequence of two integers to the CSP signature
// format.
cbData = sizeof(rgbDssSignature);
if (!CryptDecodeObject(
dwCertEncodingType,
X509_DSS_SIGNATURE,
pbSignature,
cbSignature,
0, // dwFlags
rgbDssSignature,
&cbData
))
goto DecodeDssSignatureError;
pbSignature = rgbDssSignature;
assert(cbData == sizeof(rgbDssSignature));
cbSignature = sizeof(rgbDssSignature);
} else
PkiAsn1ReverseBytes(pbSignature, cbSignature);
if (!CryptVerifySignature(
hHash,
pbSignature,
cbSignature,
hSignKey,
NULL, // sDescription
0 // dwFlags
)) goto VerifySignatureError;
// For a certificate context certificate, check if the issuer has public
// key parameters that can be inherited
pIssuerPara = &pIssuerPubKeyInfo->Algorithm.Parameters;
if (CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT == dwSubjectType &&
pIssuerPara->cbData && NULL_ASN_TAG != *pIssuerPara->pbData) {
// If a subject is missing its public key parameters and has
// the same public key algorithm as its issuer, then, set
// its CERT_PUBKEY_ALG_PARA_PROP_ID property.
PCCERT_CONTEXT pSubject = (PCCERT_CONTEXT) pvSubject;
PCERT_PUBLIC_KEY_INFO pSubjectPubKeyInfo =
&pSubject->pCertInfo->SubjectPublicKeyInfo;
PCCRYPT_OID_INFO pOIDInfo;
PCRYPT_OBJID_BLOB pSubjectPara;
DWORD cbData;
pSubjectPara = &pSubjectPubKeyInfo->Algorithm.Parameters;
if (pSubjectPara->cbData && NULL_ASN_TAG != *pSubjectPara->pbData)
// Subject public key has parameters
goto SuccessReturn;
if (CertGetCertificateContextProperty(
pSubject,
CERT_PUBKEY_ALG_PARA_PROP_ID,
NULL, // pvData
&cbData) && 0 < cbData)
// Subject already has public key parameters property
goto SuccessReturn;
pOIDInfo = CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
pSubjectPubKeyInfo->Algorithm.pszObjId,
CRYPT_PUBKEY_ALG_OID_GROUP_ID);
if (NULL == pOIDInfo || aiPubKey != pOIDInfo->Algid)
// Subject and issuer don't have the same public key algorithms
goto SuccessReturn;
CertSetCertificateContextProperty(
pSubject,
CERT_PUBKEY_ALG_PARA_PROP_ID,
CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
pIssuerPara
);
}
SuccessReturn:
fResult = TRUE;
CommonReturn:
dwErr = GetLastError();
if (hSignKey)
CryptDestroyKey(hSignKey);
if (hHash)
CryptDestroyHash(hHash);
I_CryptFreeDefaultContext(hDefaultContext);
if (hAcquiredCryptProv)
CryptReleaseContext(hAcquiredCryptProv, 0);
PkiFree(pSignedInfo);
PkiFree(pbAllocIssuerPara);
SetLastError(dwErr);
return fResult;
ErrorReturn:
fResult = FALSE;
goto CommonReturn;
SET_ERROR(InvalidSubjectType, E_INVALIDARG)
TRACE_ERROR(DecodeCertError)
TRACE_ERROR(GetSignOIDInfoError)
TRACE_ERROR(GetDefaultCryptProvError)
SET_ERROR(InvalidIssuerType, E_INVALIDARG)
TRACE_ERROR(ImportPublicKeyInfoError)
TRACE_ERROR(CreateHashError)
TRACE_ERROR(HashDataError)
SET_ERROR(NoSignatureError, TRUST_E_NOSIGNATURE)
TRACE_ERROR(GetHashValueError)
SET_ERROR(NoSignHashCompareError, NTE_BAD_SIGNATURE)
TRACE_ERROR(DecodeDssSignatureError)
TRACE_ERROR(VerifySignatureError)
}
//+-------------------------------------------------------------------------
// Verify the signature of a subject certificate or a CRL using the
// specified public key.
//
// Returns TRUE for a valid signature.
//
// hCryptProv specifies the crypto provider to use to verify the signature.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptVerifyCertificateSignature(
IN HCRYPTPROV hCryptProv,
IN DWORD dwCertEncodingType,
IN const BYTE * pbEncoded,
IN DWORD cbEncoded,
IN PCERT_PUBLIC_KEY_INFO pPublicKey
)
{
CRYPT_DATA_BLOB Subject;
Subject.cbData = cbEncoded;
Subject.pbData = (BYTE *) pbEncoded;
return CryptVerifyCertificateSignatureEx(
hCryptProv,
dwCertEncodingType,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB,
(void *) &Subject,
CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY,
(void *) pPublicKey,
0, // dwFlags
NULL // pvReserved
);
}
#endif // CMS_PKCS7