Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

2474 lines
71 KiB

//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1999
//
// File: signhlp.cpp
//
// Contents: Digital Signing Helper APIs
//
// History: June-25-1997 Xiaohs Created
//----------------------------------------------------------------------------
#include "global.hxx"
//+-------------------------------------------------------------------------
// Local function for SpcGetCertFromKey
//
// Signer cert flags. Used to determine the "strength" of the signer cert.
//
// The following must be ordered as follows. ie, END_ENTITY_FLAG is most
// important and needs to be the largest number.
//--------------------------------------------------------------------------
#define SIGNER_CERT_NOT_SELF_SIGNED_FLAG 0x00000001
#define SIGNER_CERT_NOT_GLUE_FLAG 0x00000002
#define SIGNER_CERT_NOT_CA_FLAG 0x00000004
#define SIGNER_CERT_END_ENTITY_FLAG 0x00000008
#define SIGNER_CERT_ALL_FLAGS 0x0000000F
//--------------------------------------------------------------------------
//
// Copy all the certs from store name to hDescStore
//
//--------------------------------------------------------------------------
HRESULT MoveStoreName(HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
HCERTSTORE hDescStore,
DWORD dwStoreName,
DWORD dwStoreFlag)
{
HCERTSTORE hTmpStore=NULL;
HRESULT hr;
WCHAR wszStoreName[40];
//load the name of the store
if(0==LoadStringU(hInstance, dwStoreName, wszStoreName, 40))
{
hr=SignError();
goto CLEANUP;
}
//open a system cert store
if (NULL == (hTmpStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
dwCertEncodingType,
hCryptProv,
dwStoreFlag,
wszStoreName
)))
{
hr=SignError();
goto CLEANUP;
}
hr=MoveStore(hDescStore, hTmpStore);
CLEANUP:
if(hTmpStore)
CertCloseStore(hTmpStore,0);
return hr;
}
//--------------------------------------------------------------------------
//
// Copy all the certs from hSrcStore to hDescStore
//
//--------------------------------------------------------------------------
HRESULT MoveStore(HCERTSTORE hDescStore,
HCERTSTORE hSrcStore)
{
PCCERT_CONTEXT pCertContext=NULL;
PCCERT_CONTEXT pPreContext=NULL;
HRESULT hr=S_OK;
while(pCertContext=CertEnumCertificatesInStore(hSrcStore,
pPreContext))
{
if(!(CertAddCertificateContextToStore(hDescStore,
pCertContext,CERT_STORE_ADD_USE_EXISTING,
NULL)))
{
hr=SignError();
goto CLEANUP;
}
pPreContext=pCertContext;
pCertContext=NULL;
}
hr=S_OK;
CLEANUP:
if(pCertContext)
CertFreeCertificateContext(pCertContext);
return hr;
}
//--------------------------------------------------------------------------
//
// Build up the certificate chain. Put the whole chain to the store
//
//
//--------------------------------------------------------------------------
HRESULT BuildCertChain(HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
HCERTSTORE hStore,
HCERTSTORE hOptionalStore,
PCCERT_CONTEXT pSigningCert,
DWORD dwCertPolicy)
{
DWORD i=0;
PCCERT_CHAIN_CONTEXT pCertChainContext = NULL;
CERT_CHAIN_PARA CertChainPara;
HRESULT hr=E_FAIL;
//we regard the chain is good unless there are some cryptographic errors.
//all error code regarding trusted root and CTLs are machine dependent, therefore
//they are ignored. We do not consider revocation.
DWORD dwChainError=CERT_TRUST_IS_NOT_TIME_VALID |
CERT_TRUST_IS_NOT_SIGNATURE_VALID;
memset(&CertChainPara, 0, sizeof(CertChainPara));
CertChainPara.cbSize = sizeof(CertChainPara);
if (!CertGetCertificateChain(
HCCE_CURRENT_USER,
pSigningCert,
NULL,
hOptionalStore,
&CertChainPara,
0,
NULL,
&pCertChainContext))
{
hr=SignError();
goto CLEANUP;
}
//
// make sure there is at least 1 simple chain
//
if (pCertChainContext->cChain == 0)
{
hr=SignError();
goto CLEANUP;
}
// make sure that we have a good chain
if(dwChainError & (pCertChainContext->rgpChain[0]->TrustStatus.dwErrorStatus))
{
hr=CERT_E_CHAINING;
goto CLEANUP;
}
i = 0;
while (i < pCertChainContext->rgpChain[0]->cElement)
{
//
// if we are supposed to skip the root cert,
// and we are on the root cert, then continue
//
if(dwCertPolicy & SIGNER_CERT_POLICY_CHAIN_NO_ROOT ||
dwCertPolicy & SIGNER_CERT_POLICY_SPC)
{
if ((pCertChainContext->rgpChain[0]->rgpElement[i]->TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED))
{
i++;
continue;
}
}
CertAddCertificateContextToStore(
hStore,
pCertChainContext->rgpChain[0]->rgpElement[i]->pCertContext,
CERT_STORE_ADD_REPLACE_EXISTING,
NULL);
i++;
}
hr=S_OK;
CLEANUP:
if (pCertChainContext != NULL)
{
CertFreeCertificateChain(pCertChainContext);
}
return hr;
}
//--------------------------------------------------------------------------
//
// Make sure the two certificates are the same
//
//
//--------------------------------------------------------------------------
BOOL SameCert(PCCERT_CONTEXT pCertOne, PCCERT_CONTEXT pCertTwo)
{
if(!pCertOne || !pCertTwo)
return FALSE;
if(pCertOne->cbCertEncoded != pCertTwo->cbCertEncoded)
return FALSE;
if(0 == memcmp(pCertOne->pbCertEncoded, pCertTwo->pbCertEncoded, pCertTwo->cbCertEncoded))
return TRUE;
return FALSE;
}
//The following cert chain building code is obsolete. The new cert chain
//building API should be used
//--------------------------------------------------------------------------
//
// Build up the certificate chain. Put the whole chain to the store
//
//
//--------------------------------------------------------------------------
/*HRESULT BuildCertChain(HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
HCERTSTORE hStore,
HCERTSTORE hOptionalStore,
PCCERT_CONTEXT pSigningCert,
DWORD dwCertPolicy)
{
HRESULT hr=E_FAIL;
HCERTSTORE hSpcStore=NULL;
PCCERT_CONTEXT pSubCertContext=NULL;
PCCERT_CONTEXT pIssuerCertContext=NULL;
PCCERT_CONTEXT pFindCertContext=NULL;
LPWSTR rgwszStoreName[4] ={L"MY", L"ROOT", L"CA",L"SPC"};
DWORD dwStoreOpenFlag=0;
HCERTSTORE rghStore[5]={NULL, NULL, NULL, NULL,NULL};
DWORD dwStoreCount=0;
DWORD dwStoreIndex=0;
FILETIME fileTime;
DWORD dwConfidence=0;
DWORD dwError=0;
BYTE *pbHash=NULL;
DWORD cbHash = 0;
CRYPT_HASH_BLOB Blob;
//open a spc cert store
dwStoreCount=sizeof(rgwszStoreName)/sizeof(rgwszStoreName[0]);
GetSystemTimeAsFileTime(&fileTime);
//open the spc store
if (NULL == (hSpcStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
dwCertEncodingType,
hCryptProv,
CERT_STORE_NO_CRYPT_RELEASE_FLAG|CERT_SYSTEM_STORE_CURRENT_USER,
L"SPC"
)))
{
hr=SignError();
goto CLEANUP;
}
//open SPC, my, CA, root store
for(dwStoreIndex=0; dwStoreIndex<dwStoreCount; dwStoreIndex++)
{
//open the store
dwStoreOpenFlag= CERT_STORE_NO_CRYPT_RELEASE_FLAG|CERT_SYSTEM_STORE_CURRENT_USER;
if (NULL == (rghStore[dwStoreIndex] = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
dwCertEncodingType,
hCryptProv,
dwStoreOpenFlag,
rgwszStoreName[dwStoreIndex]
)))
{
hr=SignError();
goto CLEANUP;
}
}
//copy all the certs in hOptionalStore if present
if(hOptionalStore)
{
rghStore[dwStoreCount]=hOptionalStore;
dwStoreCount++;
}
//now, build the chain
pSubCertContext=CertDuplicateCertificateContext(pSigningCert);
//loop until break
while(1==1)
{
//find the issuer of the certificate
if(!(pIssuerCertContext=TrustFindIssuerCertificate(
pSubCertContext,
dwCertEncodingType,
dwStoreCount,
rghStore,
&fileTime,
&dwConfidence,
&dwError,
0)))
{
//fail if we can not find one
hr=CERT_E_CHAINING;
goto CLEANUP;
}
//now, make sure the confidence level is hign enough
if(dwConfidence < (CERT_CONFIDENCE_SIG+CERT_CONFIDENCE_TIME+CERT_CONFIDENCE_TIMENEST))
{
hr=CERT_E_CHAINING;
goto CLEANUP;
}
//check to see if the cert is the root cert
if(TrustIsCertificateSelfSigned(pIssuerCertContext,
pIssuerCertContext->dwCertEncodingType,
0))
{
if(dwCertPolicy & SIGNER_CERT_POLICY_CHAIN_NO_ROOT)
break;
else
{
//add the root and we are done
if(!CertAddCertificateContextToStore(hStore,pIssuerCertContext,
CERT_STORE_ADD_USE_EXISTING, NULL))
{
hr=CERT_E_CHAINING;
goto CLEANUP;
}
break;
}
}
else
{
//add the certificate context to the store
if(!CertAddCertificateContextToStore(hStore,pIssuerCertContext,
CERT_STORE_ADD_USE_EXISTING, NULL ))
{
hr=CERT_E_CHAINING;
goto CLEANUP;
}
}
//check if the certificate is from the spc store
if(dwCertPolicy & SIGNER_CERT_POLICY_SPC)
{
//get the SHA1 hash of the certificate
if(!CertGetCertificateContextProperty(
pIssuerCertContext,
CERT_SHA1_HASH_PROP_ID,
NULL,
&cbHash
))
{
hr=SignError();
goto CLEANUP;
}
pbHash=(BYTE *)malloc(cbHash);
if(!pbHash)
{
hr=E_OUTOFMEMORY;
goto CLEANUP;
}
if(!CertGetCertificateContextProperty(
pIssuerCertContext,
CERT_SHA1_HASH_PROP_ID,
pbHash,
&cbHash
))
{
hr=SignError();
goto CLEANUP;
}
//find the ceritificate in the store
Blob.cbData=cbHash;
Blob.pbData=pbHash;
pFindCertContext=CertFindCertificateInStore(
hSpcStore,
dwCertEncodingType,
0,
CERT_FIND_SHA1_HASH,
&Blob,
NULL);
//if the certificate is from the SPC store, we are done
if(pFindCertContext)
break;
}
//free the subject context
if(pSubCertContext)
CertFreeCertificateContext(pSubCertContext);
pSubCertContext=pIssuerCertContext;
pIssuerCertContext=NULL;
}
hr=S_OK;
CLEANUP:
if(pIssuerCertContext)
CertFreeCertificateContext(pIssuerCertContext);
if(pSubCertContext)
CertFreeCertificateContext(pSubCertContext);
if(pFindCertContext)
CertFreeCertificateContext(pFindCertContext);
//close all of the stores
for(dwStoreIndex=0; dwStoreIndex < (hOptionalStore ? dwStoreCount-1 : dwStoreCount);
dwStoreIndex++)
{
if(rghStore[dwStoreIndex])
CertCloseStore(rghStore[dwStoreIndex], 0);
}
if(hSpcStore)
CertCloseStore(hSpcStore,0);
if(pbHash)
free(pbHash);
return hr;
} */
//+-------------------------------------------------------------------------
// Build the SPC certificate store from the SPC file and the certificate chain
//--------------------------------------------------------------------------
HRESULT BuildStoreFromSpcChain(HCRYPTPROV hPvkProv,
DWORD dwKeySpec,
HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
SIGNER_SPC_CHAIN_INFO *pSpcChainInfo,
HCERTSTORE *phSpcStore,
PCCERT_CONTEXT *ppSignCert
)
{
HCERTSTORE hMemoryStore=NULL;
HRESULT hr=S_OK;
PCCERT_CONTEXT pCertContext=NULL;
PCCERT_CONTEXT pPreContext=NULL;
if(!pSpcChainInfo || !phSpcStore || !ppSignCert)
return E_INVALIDARG;
//init
*phSpcStore=NULL;
//open a memory store
if (NULL == (hMemoryStore = CertOpenStore(
CERT_STORE_PROV_FILENAME_W,
dwCertEncodingType,
hCryptProv,
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
pSpcChainInfo->pwszSpcFile)))
{
hr=SignError();
goto CLEANUP;
}
//get the signing certificate
if(S_OK != SpcGetCertFromKey(
dwCertEncodingType,
hMemoryStore,
hPvkProv,
dwKeySpec,
ppSignCert))
{
hr=CRYPT_E_NO_MATCH;
goto CLEANUP;
}
//add all the certs in optional certStore
if(pSpcChainInfo->dwCertPolicy & SIGNER_CERT_POLICY_STORE)
{
if(!(pSpcChainInfo->hCertStore))
{
hr=CERT_E_CHAINING;
goto CLEANUP;
}
//enumerate all the certs in store and add them
while(pCertContext=CertEnumCertificatesInStore(pSpcChainInfo->hCertStore,
pPreContext))
{
if(!CertAddCertificateContextToStore(hMemoryStore, pCertContext,
CERT_STORE_ADD_USE_EXISTING,
NULL))
{
hr=SignError();
goto CLEANUP;
}
pPreContext=pCertContext;
}
hr=S_OK;
}
//see if the certs if self-signed
/* if(TrustIsCertificateSelfSigned(*ppSignCert,
(*ppSignCert)->dwCertEncodingType,
0))
{
//no need to build the certificate chain anymore
hr=S_OK;
goto CLEANUP;
} */
//build up the cert chain as requested
if(pSpcChainInfo->dwCertPolicy & SIGNER_CERT_POLICY_CHAIN ||
pSpcChainInfo->dwCertPolicy & SIGNER_CERT_POLICY_CHAIN_NO_ROOT ||
pSpcChainInfo->dwCertPolicy & SIGNER_CERT_POLICY_SPC
)
{
//include everthing in the chain
hr=BuildCertChain(hCryptProv, dwCertEncodingType,
hMemoryStore, hMemoryStore,
*ppSignCert, pSpcChainInfo->dwCertPolicy);
}
CLEANUP:
if(pCertContext)
CertFreeCertificateContext(pCertContext);
if(hr==S_OK)
{
*phSpcStore=hMemoryStore;
}
else
{
if(hMemoryStore)
CertCloseStore(hMemoryStore, 0);
if(*ppSignCert)
{
CertFreeCertificateContext(*ppSignCert);
*ppSignCert=NULL;
}
}
return hr;
}
//+-------------------------------------------------------------------------
// Build the spc certificate store from cert chain
//--------------------------------------------------------------------------
HRESULT BuildStoreFromStore(HCRYPTPROV hPvkProv,
DWORD dwKeySpec,
HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
SIGNER_CERT_STORE_INFO *pCertStoreInfo,
HCERTSTORE *phSpcStore,
PCCERT_CONTEXT *ppSignCert
)
{
HCERTSTORE hMemoryStore=NULL;
HRESULT hr=S_OK;
PCCERT_CONTEXT pCertContext=NULL;
PCCERT_CONTEXT pPreContext=NULL;
if(!pCertStoreInfo || !phSpcStore || !ppSignCert)
return E_INVALIDARG;
//init
*phSpcStore=NULL;
//open a memory store
if (NULL == (hMemoryStore = CertOpenStore(
CERT_STORE_PROV_MEMORY,
dwCertEncodingType,
hCryptProv,
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
NULL
)))
{
hr=SignError();
goto CLEANUP;
}
//add the signing cert to the store
if(!CertAddCertificateContextToStore(hMemoryStore,
pCertStoreInfo->pSigningCert,
CERT_STORE_ADD_USE_EXISTING ,
NULL))
{
hr=SignError();
goto CLEANUP;
}
//get the signing certificate based on the private key
if(S_OK != SpcGetCertFromKey(
dwCertEncodingType,
hMemoryStore,
hPvkProv,
dwKeySpec,
ppSignCert))
{
hr=CRYPT_E_NO_MATCH;
goto CLEANUP;
}
//add all the certs in optional certStore
if(pCertStoreInfo->dwCertPolicy & SIGNER_CERT_POLICY_STORE)
{
if(!(pCertStoreInfo->hCertStore))
{
hr=CERT_E_CHAINING;
goto CLEANUP;
}
//enumerate all the certs in store and add them
while(pCertContext=CertEnumCertificatesInStore(pCertStoreInfo->hCertStore,
pPreContext))
{
if(!CertAddCertificateContextToStore(hMemoryStore, pCertContext,
CERT_STORE_ADD_USE_EXISTING,
NULL))
{
hr=SignError();
goto CLEANUP;
}
pPreContext=pCertContext;
}
hr=S_OK;
}
//see if the certs if self-signed
/* if(TrustIsCertificateSelfSigned(pCertStoreInfo->pSigningCert,
pCertStoreInfo->pSigningCert->dwCertEncodingType,
0))
{
//no need to build the certificate chain anymore
*ppSignCert=CertDuplicateCertificateContext(pCertStoreInfo->pSigningCert);
hr=S_OK;
goto CLEANUP;
}*/
//build up the cert chain as requested
if(pCertStoreInfo->dwCertPolicy & SIGNER_CERT_POLICY_CHAIN ||
pCertStoreInfo->dwCertPolicy & SIGNER_CERT_POLICY_CHAIN_NO_ROOT ||
pCertStoreInfo->dwCertPolicy & SIGNER_CERT_POLICY_SPC
)
{
//include everthing in the chain
hr=BuildCertChain(hCryptProv, dwCertEncodingType,
hMemoryStore, NULL,
pCertStoreInfo->pSigningCert, pCertStoreInfo->dwCertPolicy);
}
if(S_OK != hr)
goto CLEANUP;
hr=S_OK;
CLEANUP:
if(pCertContext)
CertFreeCertificateContext(pCertContext);
if(hr==S_OK)
{
*phSpcStore=hMemoryStore;
}
else
{
if(hMemoryStore)
CertCloseStore(hMemoryStore, 0);
if(*ppSignCert)
{
CertFreeCertificateContext(*ppSignCert);
*ppSignCert=NULL;
}
}
return hr;
}
//+-------------------------------------------------------------------------
// Build the spc certificate store from a spc file
//--------------------------------------------------------------------------
HRESULT BuildStoreFromSpcFile(HCRYPTPROV hPvkProv,
DWORD dwKeySpec,
HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
LPCWSTR pwszSpcFile,
HCERTSTORE *phSpcStore,
PCCERT_CONTEXT *ppSignCert)
{
if(!phSpcStore || !pwszSpcFile || !ppSignCert)
return E_INVALIDARG;
*phSpcStore=NULL;
// Open up the spc store
*phSpcStore= CertOpenStore(CERT_STORE_PROV_FILENAME_W,
dwCertEncodingType,
hCryptProv,
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
pwszSpcFile);
if(!(*phSpcStore))
return SignError();
//get the signing certificate
if(S_OK != SpcGetCertFromKey(dwCertEncodingType,
*phSpcStore,
hPvkProv,
dwKeySpec,
ppSignCert))
{
CertCloseStore(*phSpcStore, 0);
*phSpcStore=NULL;
return CRYPT_E_NO_MATCH;
}
return S_OK;
}
//+-------------------------------------------------------------------------
// Build the spc certificate store from either a spc file or the
// cert chain
//--------------------------------------------------------------------------
HRESULT BuildCertStore(HCRYPTPROV hPvkProv,
DWORD dwKeySpec,
HCRYPTPROV hCryptProv,
DWORD dwCertEncodingType,
SIGNER_CERT *pSignerCert,
HCERTSTORE *phSpcStore,
PCCERT_CONTEXT *ppSigningCert)
{
HRESULT hr;
if(!pSignerCert || !phSpcStore || !ppSigningCert)
return E_INVALIDARG;
//init
*phSpcStore=NULL;
if(pSignerCert->dwCertChoice==SIGNER_CERT_SPC_FILE)
{
hr=BuildStoreFromSpcFile(hPvkProv,
dwKeySpec,
hCryptProv,
dwCertEncodingType,
pSignerCert->pwszSpcFile,
phSpcStore,
ppSigningCert);
}
else
{
if(pSignerCert->dwCertChoice==SIGNER_CERT_STORE)
{
hr=BuildStoreFromStore(hPvkProv,
dwKeySpec,
hCryptProv,
dwCertEncodingType,
(pSignerCert->pCertStoreInfo),
phSpcStore,
ppSigningCert);
}
else
hr=BuildStoreFromSpcChain(hPvkProv,
dwKeySpec,
hCryptProv,
dwCertEncodingType,
(pSignerCert->pSpcChainInfo),
phSpcStore,
ppSigningCert);
}
#if (0) //DSIE: Bug 284639, the fix is to also preserve 0x80070002 since we
// really don't know what the impact will be for existing apps,
// if we preserve all error codes.
if(hr!=S_OK && hr!=CRYPT_E_NO_MATCH)
hr=CERT_E_CHAINING;
#else
if(hr!=S_OK && hr!=CRYPT_E_NO_MATCH && hr!=0x80070002)
hr=CERT_E_CHAINING;
#endif
return hr;
}
//-----------------------------------------------------------------------------
//
// Parse the private key information from a pCertContext's property
// CERT_PVK_FILE_PROP_ID
//
//----------------------------------------------------------------------------
BOOL GetProviderInfoFromCert(PCCERT_CONTEXT pCertContext,
CRYPT_KEY_PROV_INFO *pKeyProvInfo)
{
BOOL fResult=FALSE;
BYTE *pbData=NULL;
BYTE *pbToFree=NULL;
DWORD cbData=0;
//init
if(!pCertContext || !pKeyProvInfo)
return FALSE;
memset(pKeyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
//get the property
if(!CertGetCertificateContextProperty(pCertContext,
CERT_PVK_FILE_PROP_ID,
NULL,
&cbData))
return FALSE;
pbData=(BYTE *)malloc(cbData);
if(!pbData)
return FALSE;
if(!CertGetCertificateContextProperty(pCertContext,
CERT_PVK_FILE_PROP_ID,
pbData,
&cbData))
goto CLEANUP;
//get the information from the property
pbToFree=pbData;
//get the private key information
cbData=sizeof(WCHAR)*(wcslen((LPWSTR)pbData)+1);
pKeyProvInfo->pwszContainerName=(LPWSTR)malloc(cbData);
if(!(pKeyProvInfo->pwszContainerName))
goto CLEANUP;
wcscpy(pKeyProvInfo->pwszContainerName,(LPWSTR)pbData);
//get the key spec
pbData = pbData + cbData;
cbData=sizeof(WCHAR)*(wcslen((LPWSTR)pbData)+1);
pKeyProvInfo->dwKeySpec=_wtol((LPWSTR)pbData);
//get the provider type
pbData = pbData + cbData;
cbData=sizeof(WCHAR)*(wcslen((LPWSTR)pbData)+1);
pKeyProvInfo->dwProvType=_wtol((LPWSTR)pbData);
//get the provider name
pbData = pbData + cbData;
if(*((LPWSTR)pbData)!=L'\0')
{
cbData=sizeof(WCHAR)*(wcslen((LPWSTR)pbData)+1);
pKeyProvInfo->pwszProvName=(LPWSTR)malloc(cbData);
if(NULL == pKeyProvInfo->pwszProvName)
goto CLEANUP;
wcscpy(pKeyProvInfo->pwszProvName, (LPWSTR)pbData);
}
fResult=TRUE;
CLEANUP:
if(pbToFree)
free(pbToFree);
if(FALSE==fResult)
{
if(pKeyProvInfo->pwszContainerName)
free( pKeyProvInfo->pwszContainerName);
if(pKeyProvInfo->pwszProvName)
free( pKeyProvInfo->pwszProvName);
//memset the output to 0
memset(pKeyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
}
return fResult;
}
//+-------------------------------------------------------------------------
// Get hCryptProv handle and key spec for the certificate
//--------------------------------------------------------------------------
BOOL WINAPI GetCryptProvFromCert(
HWND hwnd,
PCCERT_CONTEXT pCert,
HCRYPTPROV *phCryptProv,
DWORD *pdwKeySpec,
BOOL *pfDidCryptAcquire,
LPWSTR *ppwszTmpContainer,
LPWSTR *ppwszProviderName,
DWORD *pdwProviderType
)
{
BOOL fResult=FALSE;
WCHAR wszPublisher[45];
CRYPT_KEY_PROV_INFO keyProvInfo;
HRESULT hr;
memset(&keyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
*ppwszTmpContainer=NULL;
*phCryptProv=NULL;
*pfDidCryptAcquire=FALSE;
*ppwszProviderName=NULL;
*pdwKeySpec=0;
//first, try to get from the key container
if(CryptProvFromCert(hwnd, pCert, phCryptProv,
pdwKeySpec, pfDidCryptAcquire))
return TRUE;
//load from the resource of string L"publisher"
if(0==LoadStringU(hInstance, IDS_Publisher, wszPublisher, 40))
goto CLEANUP;
//Get provider information from the property
if(!GetProviderInfoFromCert(pCert, &keyProvInfo))
{
SetLastError((DWORD) CRYPT_E_NO_KEY_PROPERTY);
goto CLEANUP;
}
//acquire context based on the private key file. A temporary
//key container will be created, along with information
//about the provider name and provider type, which are needed
//to destroy the key container
if(S_OK!=(hr=PvkGetCryptProv( hwnd,
wszPublisher,
keyProvInfo.pwszProvName,
keyProvInfo.dwProvType,
keyProvInfo.pwszContainerName,
NULL,
&(keyProvInfo.dwKeySpec),
ppwszTmpContainer,
phCryptProv)))
{
*phCryptProv=NULL;
*ppwszTmpContainer=NULL;
SetLastError((DWORD)hr);
goto CLEANUP;
}
//copy the provder name
if(keyProvInfo.pwszProvName)
{
*ppwszProviderName=(LPWSTR)malloc(
sizeof(WCHAR)*(wcslen(keyProvInfo.pwszProvName)+1));
if((*ppwszProviderName)==NULL)
{
SetLastError(E_OUTOFMEMORY);
//free the hCrytProv
PvkPrivateKeyReleaseContext(
*phCryptProv,
keyProvInfo.pwszProvName,
keyProvInfo.dwProvType,
*ppwszTmpContainer);
*phCryptProv=NULL;
*ppwszTmpContainer=NULL;
goto CLEANUP;
}
wcscpy(*ppwszProviderName, keyProvInfo.pwszProvName);
}
//copy the provider type
*pdwProviderType=keyProvInfo.dwProvType;
//copy the key spec
*pdwKeySpec=keyProvInfo.dwKeySpec;
*pfDidCryptAcquire=TRUE;
fResult=TRUE;
CLEANUP:
if(keyProvInfo.pwszProvName)
free(keyProvInfo.pwszProvName);
if(keyProvInfo.pwszContainerName)
free(keyProvInfo.pwszContainerName);
return fResult;
}
//+-------------------------------------------------------------------------
// Free hCryptProv handle and key spec for the certificate
//--------------------------------------------------------------------------
void WINAPI FreeCryptProvFromCert(BOOL fAcquired,
HCRYPTPROV hProv,
LPWSTR pwszCapiProvider,
DWORD dwProviderType,
LPWSTR pwszTmpContainer)
{
if(fAcquired)
{
if (pwszTmpContainer)
{
// Delete the temporary container for the private key from
// the provider
PvkPrivateKeyReleaseContext(hProv,
pwszCapiProvider,
dwProviderType,
pwszTmpContainer);
if(pwszCapiProvider)
free(pwszCapiProvider);
}
else
{
if (hProv)
CryptReleaseContext(hProv, 0);
}
}
}
//+-------------------------------------------------------------------------
//
//This is a subst of GetCryptProvFromCert. This function does not consider
//the private key file property of the certificate
//+-------------------------------------------------------------------------
BOOL WINAPI CryptProvFromCert(
HWND hwnd,
PCCERT_CONTEXT pCert,
HCRYPTPROV *phCryptProv,
DWORD *pdwKeySpec,
BOOL *pfDidCryptAcquire
)
{
return CryptAcquireCertificatePrivateKey(
pCert,
0, //we do not do the compare. It will be done later.
NULL,
phCryptProv,
pdwKeySpec,
pfDidCryptAcquire);
/*BOOL fResult;
BOOL fDidCryptAcquire = FALSE;
CERT_KEY_CONTEXT KeyContext;
memset(&KeyContext, 0, sizeof(KeyContext));
PCRYPT_KEY_PROV_INFO pKeyProvInfo = NULL;
DWORD cbData;
DWORD dwIdx;
// Get either the CERT_KEY_CONTEXT_PROP_ID or
// CERT_KEY_PROV_INFO_PROP_ID, or
// CERT_PVK_FILE_PROP_ID for the Cert.
cbData = sizeof(KeyContext);
CertGetCertificateContextProperty(
pCert,
CERT_KEY_CONTEXT_PROP_ID,
&KeyContext,
&cbData
);
if (KeyContext.hCryptProv == 0)
{
cbData = 0;
CertGetCertificateContextProperty(
pCert,
CERT_KEY_PROV_INFO_PROP_ID,
NULL,
&cbData
);
if (cbData == 0)
{
SetLastError((DWORD) CRYPT_E_NO_KEY_PROPERTY);
goto ErrorReturn;
}
else
{
pKeyProvInfo = (PCRYPT_KEY_PROV_INFO) malloc(cbData);
if (pKeyProvInfo == NULL) goto ErrorReturn;
fResult = CertGetCertificateContextProperty(
pCert,
CERT_KEY_PROV_INFO_PROP_ID,
pKeyProvInfo,
&cbData
);
if (!fResult) goto ErrorReturn;
if (PROV_RSA_FULL == pKeyProvInfo->dwProvType &&
(NULL == pKeyProvInfo->pwszProvName ||
L'\0' == *pKeyProvInfo->pwszProvName))
fResult = CryptAcquireContextU(
&KeyContext.hCryptProv,
pKeyProvInfo->pwszContainerName,
MS_ENHANCED_PROV_W,
PROV_RSA_FULL,
pKeyProvInfo->dwFlags & ~CERT_SET_KEY_CONTEXT_PROP_ID
);
else
fResult = FALSE;
if (!fResult)
fResult = CryptAcquireContextU(
&KeyContext.hCryptProv,
pKeyProvInfo->pwszContainerName,
pKeyProvInfo->pwszProvName,
pKeyProvInfo->dwProvType,
pKeyProvInfo->dwFlags & ~CERT_SET_KEY_CONTEXT_PROP_ID
);
if (!fResult) goto ErrorReturn;
fDidCryptAcquire = TRUE;
for (dwIdx = 0; dwIdx < pKeyProvInfo->cProvParam; dwIdx++)
{
PCRYPT_KEY_PROV_PARAM pKeyProvParam = &pKeyProvInfo->rgProvParam[dwIdx];
fResult = CryptSetProvParam(
KeyContext.hCryptProv,
pKeyProvParam->dwParam,
pKeyProvParam->pbData,
pKeyProvParam->dwFlags
);
if (!fResult) goto ErrorReturn;
}
KeyContext.dwKeySpec = pKeyProvInfo->dwKeySpec;
if (pKeyProvInfo->dwFlags & CERT_SET_KEY_CONTEXT_PROP_ID)
{
// Set the certificate's property so we only need to do the
// acquire once
KeyContext.cbSize = sizeof(KeyContext);
fResult = CertSetCertificateContextProperty(
pCert,
CERT_KEY_CONTEXT_PROP_ID,
0, // dwFlags
(void *) &KeyContext
);
if (!fResult) goto ErrorReturn;
fDidCryptAcquire = FALSE;
}
}
}
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
if (fDidCryptAcquire) {
DWORD dwErr = GetLastError();
CryptReleaseContext(KeyContext.hCryptProv, 0);
SetLastError(dwErr);
fDidCryptAcquire = FALSE;
}
KeyContext.hCryptProv = 0;
fResult = FALSE;
CommonReturn:
if (pKeyProvInfo)
free(pKeyProvInfo);
*phCryptProv = KeyContext.hCryptProv;
*pdwKeySpec = KeyContext.dwKeySpec;
*pfDidCryptAcquire = fDidCryptAcquire;
return fResult;*/
}
//+-----------------------------------------------------------------------
// Check the SIGNER_SUBJECT_INFO
//
//+-----------------------------------------------------------------------
BOOL CheckSigncodeSubjectInfo(
PSIGNER_SUBJECT_INFO pSubjectInfo)
{
if(!pSubjectInfo)
return FALSE;
//check pSubjectInfo
if(pSubjectInfo->cbSize < sizeof(SIGNER_SUBJECT_INFO))
return FALSE;
if(NULL==(pSubjectInfo->pdwIndex))
return FALSE;
//currently, we only allow index of 0
if(0!= (*(pSubjectInfo->pdwIndex)))
return FALSE;
if((pSubjectInfo->dwSubjectChoice!=SIGNER_SUBJECT_FILE)&&
(pSubjectInfo->dwSubjectChoice!=SIGNER_SUBJECT_BLOB))
return FALSE;
if(pSubjectInfo->dwSubjectChoice==SIGNER_SUBJECT_FILE)
{
if((pSubjectInfo->pSignerFileInfo)==NULL)
return FALSE;
//check SIGNER_FILE_INFO
if(pSubjectInfo->pSignerFileInfo->cbSize < sizeof(SIGNER_FILE_INFO))
return FALSE;
if((pSubjectInfo->pSignerFileInfo->pwszFileName)==NULL)
return FALSE;
}
else
{
if((pSubjectInfo->pSignerBlobInfo)==NULL)
return FALSE;
//check SIGNER_BLOB_INFO
if(pSubjectInfo->pSignerBlobInfo->cbSize < sizeof(SIGNER_BLOB_INFO))
return FALSE;
if(NULL==(pSubjectInfo->pSignerBlobInfo->pGuidSubject))
return FALSE;
if(0==(pSubjectInfo->pSignerBlobInfo->cbBlob))
return FALSE;
if(NULL==(pSubjectInfo->pSignerBlobInfo->pbBlob))
return FALSE;
}
return TRUE;
}
//+-----------------------------------------------------------------------
// Check the input parameters of Signcode. Make sure they are valid.
//
//+-----------------------------------------------------------------------
BOOL CheckSigncodeParam(
PSIGNER_SUBJECT_INFO pSubjectInfo,
PSIGNER_CERT pSignerCert,
PSIGNER_SIGNATURE_INFO pSignatureInfo,
PSIGNER_PROVIDER_INFO pProviderInfo)
{
//except for pPvkInfo and pProviderInfo, the rest are required.
if(!pSubjectInfo ||!pSignerCert || !pSignatureInfo)
return FALSE;
//check pSubjectInfo
if(FALSE==CheckSigncodeSubjectInfo(pSubjectInfo))
return FALSE;
//check pSignatureInfo
if(pSignatureInfo->cbSize < sizeof(SIGNER_SIGNATURE_INFO))
return FALSE;
//check the attributes in pSignatureInfo
if(pSignatureInfo->dwAttrChoice == SIGNER_AUTHCODE_ATTR)
{
if((pSignatureInfo->pAttrAuthcode)==NULL)
return FALSE;
//check pSignatureInfo->pAttrAuthcode
if(pSignatureInfo->pAttrAuthcode->cbSize < sizeof(SIGNER_ATTR_AUTHCODE))
return FALSE;
}
else
{
if(pSignatureInfo->dwAttrChoice !=SIGNER_NO_ATTR)
return FALSE;
}
//check provider info
if(pProviderInfo)
{
if(pProviderInfo->cbSize < sizeof(SIGNER_PROVIDER_INFO))
return FALSE;
//dwPvkType has to be valid
if((pProviderInfo->dwPvkChoice!=PVK_TYPE_FILE_NAME) &&
(pProviderInfo->dwPvkChoice!=PVK_TYPE_KEYCONTAINER) )
return FALSE;
if(pProviderInfo->dwPvkChoice==PVK_TYPE_FILE_NAME)
{
if(!(pProviderInfo->pwszPvkFileName))
return FALSE;
}
else
{
if(!(pProviderInfo->pwszKeyContainer))
return FALSE;
}
}
//check pSignerCert
if(pSignerCert->cbSize < sizeof(SIGNER_CERT))
return FALSE;
//check the dwCertChoice
if((pSignerCert->dwCertChoice!= SIGNER_CERT_SPC_FILE) &&
((pSignerCert->dwCertChoice!= SIGNER_CERT_STORE)) &&
(pSignerCert->dwCertChoice!= SIGNER_CERT_SPC_CHAIN)
)
return FALSE;
//check the spc file situation
if(pSignerCert->dwCertChoice == SIGNER_CERT_SPC_FILE)
{
if(pSignerCert->pwszSpcFile==NULL)
return FALSE;
}
//check the cert store situation
if(pSignerCert->dwCertChoice==SIGNER_CERT_STORE)
{
//pCertStoreInfo has to be set
if((pSignerCert->pCertStoreInfo)==NULL)
return FALSE;
if((pSignerCert->pCertStoreInfo)->cbSize < sizeof(SIGNER_CERT_STORE_INFO))
return FALSE;
//pSigngingCert has to be set
if((pSignerCert->pCertStoreInfo)->pSigningCert == NULL )
return FALSE;
}
//check the SPC chain situation
if(pSignerCert->dwCertChoice==SIGNER_CERT_SPC_CHAIN)
{
//pCertStoreInfo has to be set
if((pSignerCert->pSpcChainInfo)==NULL)
return FALSE;
if((pSignerCert->pSpcChainInfo)->cbSize != sizeof(SIGNER_SPC_CHAIN_INFO))
return FALSE;
//pSigngingCert has to be set
if((pSignerCert->pSpcChainInfo)->pwszSpcFile == NULL )
return FALSE;
}
//end of the checking
return TRUE;
}
//-------------------------------------------------------------------------
//
// GetSubjectTypeFlags:
// Check the BASIC_CONSTRAINTS extension from the certificate
// to see if the certificate is a CA or end entity certs
//
//-------------------------------------------------------------------------
static DWORD GetSubjectTypeFlags(IN DWORD dwCertEncodingType,
IN PCCERT_CONTEXT pCert)
{
HRESULT hr = S_OK;
DWORD grfSubjectType = 0;
PCERT_EXTENSION pExt;
PCERT_BASIC_CONSTRAINTS_INFO pInfo = NULL;
DWORD cbInfo;
PKITRY {
if ((pExt = CertFindExtension(szOID_BASIC_CONSTRAINTS,
pCert->pCertInfo->cExtension,
pCert->pCertInfo->rgExtension)) == NULL)
PKITHROW(CRYPT_E_NO_MATCH);
cbInfo = 0;
CryptDecodeObject(dwCertEncodingType,
X509_BASIC_CONSTRAINTS,
pExt->Value.pbData,
pExt->Value.cbData,
0, // dwFlags
NULL, // pInfo
&cbInfo);
if (cbInfo == 0)
PKITHROW(CRYPT_E_NO_MATCH);
pInfo = (PCERT_BASIC_CONSTRAINTS_INFO) malloc(cbInfo);
if(!pInfo)
PKITHROW(E_OUTOFMEMORY);
if (!CryptDecodeObject(dwCertEncodingType,
X509_BASIC_CONSTRAINTS,
pExt->Value.pbData,
pExt->Value.cbData,
0, // dwFlags
pInfo,
&cbInfo))
PKITHROW(SignError());
if (pInfo->SubjectType.cbData > 0) {
BYTE bSubjectType = *pInfo->SubjectType.pbData;
if (bSubjectType & CERT_END_ENTITY_SUBJECT_FLAG)
grfSubjectType |= SIGNER_CERT_END_ENTITY_FLAG;
if (0 == (bSubjectType & CERT_CA_SUBJECT_FLAG))
grfSubjectType |= SIGNER_CERT_NOT_CA_FLAG;
}
}
PKICATCH(err) {
hr = err.pkiError;
} PKIEND;
if (pInfo) free(pInfo);
return grfSubjectType;
}
//-------------------------------------------------------------------------
//
// WSZtoSZ:
// Convert a wchar string to a multi-byte string.
//
//-------------------------------------------------------------------------
HRESULT WSZtoSZ(LPWSTR wsz, LPSTR *psz)
{
DWORD cbSize=0;
*psz=NULL;
if(!wsz)
return S_OK;
cbSize=WideCharToMultiByte(0,0,wsz,-1,
NULL,0,0,0);
if(cbSize==0)
return SignError();
*psz=(LPSTR)malloc(cbSize);
if(*psz==NULL)
return E_OUTOFMEMORY;
if(WideCharToMultiByte(0,0,wsz,-1,
*psz,cbSize,0,0))
{
return S_OK;
}
else
{
free(*psz);
return SignError();
}
}
//-------------------------------------------------------------------------
//
// BytesToBase64:
// convert bytes to base64 bstr
//
//-------------------------------------------------------------------------
HRESULT BytesToBase64(BYTE *pb, DWORD cb, CHAR **pszEncode, DWORD *pdwEncode)
{
DWORD dwErr;
DWORD cch;
CHAR *psz=NULL;
*pszEncode=NULL;
*pdwEncode=0;
if (cb == 0) {
return S_OK;
}
cch = 0;
if (!CryptBinaryToStringA(
pb,
cb,
CRYPT_STRING_BASE64,
NULL,
&cch
))
return HRESULT_FROM_WIN32(GetLastError());
if (NULL == (psz=(CHAR *)malloc(cch * sizeof(char))))
return E_OUTOFMEMORY;
if (!CryptBinaryToStringA(
pb,
cb,
CRYPT_STRING_BASE64,
psz,
&cch
)) {
free(psz);
return HRESULT_FROM_WIN32(GetLastError());
} else {
*pszEncode=psz;
*pdwEncode=cch + 1; //plus 1 to include NULL
return S_OK;
}
}
//-------------------------------------------------------------------------
//
// BytesToBase64:
// conver base64 bstr to bytes
//
//-------------------------------------------------------------------------
HRESULT Base64ToBytes(CHAR *pEncode, DWORD cbEncode, BYTE **ppb, DWORD *pcb)
{
DWORD dwErr;
BYTE *pb;
DWORD cb;
*ppb = NULL;
*pcb = 0;
cb = 0;
if (!CryptStringToBinaryA(
pEncode,
cbEncode,
CRYPT_STRING_ANY,
NULL,
&cb,
NULL,
NULL))
return HRESULT_FROM_WIN32(GetLastError());
if (cb == 0)
return S_OK;
if (NULL == (pb = (BYTE *) malloc(cb)))
return E_OUTOFMEMORY;
if (!CryptStringToBinaryA(
pEncode,
cbEncode,
CRYPT_STRING_ANY,
pb,
&cb,
NULL,
NULL
)) {
free(pb);
return HRESULT_FROM_WIN32(GetLastError());
} else {
*ppb = pb;
*pcb = cb;
return S_OK;
}
}
//+-------------------------------------------------------------------------
// Find the the cert from the hprov
// Parameter Returns:
// pReturnCert - context of the cert found (must pass in cert context);
// Returns:
// S_OK - everything worked
// E_OUTOFMEMORY - memory failure
// E_INVALIDARG - no pReturnCert supplied
// CRYPT_E_NO_MATCH - could not locate certificate in store
//
//+-------------------------------------------------------------------------
HRESULT
SpcGetCertFromKey(IN DWORD dwCertEncodingType,
IN HCERTSTORE hStore,
IN HCRYPTPROV hProv,
IN DWORD dwKeySpec,
OUT PCCERT_CONTEXT* pReturnCert)
{
PCERT_PUBLIC_KEY_INFO psPubKeyInfo = NULL;
DWORD dwPubKeyInfo;
PCCERT_CONTEXT pCert = NULL;
PCCERT_CONTEXT pEnumCert = NULL;
DWORD grfCert = 0;
HRESULT hr = S_OK;
PKITRY {
if(!pReturnCert) PKITHROW(E_INVALIDARG);
// Get public key to compare certificates with
dwPubKeyInfo = 0;
CryptExportPublicKeyInfo(hProv,
dwKeySpec,
dwCertEncodingType,
NULL, // psPubKeyInfo
&dwPubKeyInfo);
if (dwPubKeyInfo == 0)
PKITHROW(SignError());
psPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) malloc(dwPubKeyInfo);
if(!psPubKeyInfo) PKITHROW(E_OUTOFMEMORY);
if (!CryptExportPublicKeyInfo(hProv,
dwKeySpec,
dwCertEncodingType,
psPubKeyInfo,
&dwPubKeyInfo))
PKITHROW(SignError());
// Find the "strongest" cert with a matching public key
while (TRUE) {
pEnumCert = CertEnumCertificatesInStore(hStore, pEnumCert);
if (pEnumCert) {
if (CertComparePublicKeyInfo(pEnumCert->dwCertEncodingType,
&pEnumCert->pCertInfo->SubjectPublicKeyInfo,
psPubKeyInfo)) {
// END_ENTITY, NOT_CA
DWORD grfEnumCert = GetSubjectTypeFlags(pEnumCert->dwCertEncodingType,
pEnumCert);
if (S_OK != SignIsGlueCert(pEnumCert))
grfEnumCert |= SIGNER_CERT_NOT_GLUE_FLAG;
if (!CertCompareCertificateName(pEnumCert->dwCertEncodingType,
&pEnumCert->pCertInfo->Issuer,
&pEnumCert->pCertInfo->Subject))
grfEnumCert |= SIGNER_CERT_NOT_SELF_SIGNED_FLAG;
if (grfEnumCert >= grfCert) {
// Found a signer cert with a stronger match
if (pCert)
CertFreeCertificateContext(pCert);
grfCert = grfEnumCert;
if (grfCert == SIGNER_CERT_ALL_FLAGS) {
pCert = pEnumCert;
break;
} else
// Not a perfect match. Check for a better signer cert.
pCert = CertDuplicateCertificateContext(pEnumCert);
}
}
} else
break;
}
if (pCert == NULL)
PKITHROW(CRYPT_E_NO_MATCH);
if (!CertSetCertificateContextProperty(pCert,
CERT_KEY_PROV_HANDLE_PROP_ID,
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
(void *) hProv))
PKITHROW(SignError());
}
PKICATCH(err) {
hr = err.pkiError;
if (pCert) {
CertFreeCertificateContext(pCert);
pCert = NULL;
}
} PKIEND;
*pReturnCert = pCert;
if (psPubKeyInfo)
free(psPubKeyInfo);
return hr;
}
///-------------------------------------------------------------------------
// Authenticode routines (not necessary for all implementations)
//+-------------------------------------------------------------------------
//If all of the following three conditions are true, we should not put
// commercial or individual authenticated attributes into signer info
//
//1. the enhanced key usage extension of the signer's certificate has no code signing usage (szOID_PKIX_KP_CODE_SIGNING)
//2. basic constraints extension of the signer's cert is missing, or it is neither commercial nor individual
//3. user did not specify -individual or -commercial in signcode.exe.
//--------------------------------------------------------------------------
BOOL NeedStatementTypeAttr(IN PCCERT_CONTEXT pSignerCert,
IN BOOL fCommercial,
IN BOOL fIndividual)
{
BOOL fNeedStatementTypeAttr=FALSE;
PCERT_EXTENSION pEKUExt=NULL;
PCERT_EXTENSION pRestrictionExt=NULL;
DWORD cPolicyId=0;
PCERT_POLICY_ID pPolicyId=NULL;
BOOL fPolicyCommercial = FALSE;
BOOL fPolicyIndividual = FALSE;
BOOL fCodeSiginigEKU=FALSE;
PCERT_KEY_USAGE_RESTRICTION_INFO pInfo = NULL;
DWORD cbInfo=0;
PCERT_ENHKEY_USAGE pEKUInfo=NULL;
DWORD dwIndex=0;
if(!pSignerCert)
return FALSE;
//check for condition # 3
if(fCommercial || fIndividual)
return TRUE;
//now we know user did not specify -individual or -commerical options
//if the cert has enhanced key usage extension
pEKUExt = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
pSignerCert->pCertInfo->cExtension,
pSignerCert->pCertInfo->rgExtension);
pRestrictionExt = CertFindExtension(szOID_KEY_USAGE_RESTRICTION,
pSignerCert->pCertInfo->cExtension,
pSignerCert->pCertInfo->rgExtension);
if((!pEKUExt) && (!pRestrictionExt))
return FALSE;
if(pEKUExt)
{
cbInfo=0;
if(CryptDecodeObject(X509_ASN_ENCODING,
X509_ENHANCED_KEY_USAGE,
pEKUExt->Value.pbData,
pEKUExt->Value.cbData,
0, // dwFlags
NULL, // pInfo
&cbInfo) && (cbInfo != 0))
{
pEKUInfo = (PCERT_ENHKEY_USAGE) malloc(cbInfo);
if(pEKUInfo)
{
if(CryptDecodeObject(X509_ASN_ENCODING,
X509_ENHANCED_KEY_USAGE,
pEKUExt->Value.pbData,
pEKUExt->Value.cbData,
0, // dwFlags
pEKUInfo, // pInfo
&cbInfo) && (cbInfo != 0))
{
for(dwIndex=0; dwIndex < pEKUInfo->cUsageIdentifier; dwIndex++)
{
if(0==strcmp(szOID_PKIX_KP_CODE_SIGNING,
pEKUInfo->rgpszUsageIdentifier[dwIndex]))
fCodeSiginigEKU=TRUE;
if(0==strcmp(SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID,
pEKUInfo->rgpszUsageIdentifier[dwIndex]))
fPolicyCommercial=TRUE;
if(0==strcmp(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID,
pEKUInfo->rgpszUsageIdentifier[dwIndex]))
fPolicyIndividual=TRUE;
}
}
}
}
}
if(pRestrictionExt)
{
cbInfo = 0;
if(CryptDecodeObject(X509_ASN_ENCODING,
X509_KEY_USAGE_RESTRICTION,
pRestrictionExt->Value.pbData,
pRestrictionExt->Value.cbData,
0, // dwFlags
NULL, // pInfo
&cbInfo) && (cbInfo != 0))
{
pInfo = (PCERT_KEY_USAGE_RESTRICTION_INFO) malloc(cbInfo);
if(pInfo)
{
if (CryptDecodeObject(X509_ASN_ENCODING,
X509_KEY_USAGE_RESTRICTION,
pRestrictionExt->Value.pbData,
pRestrictionExt->Value.cbData,
0, // dwFlags
pInfo,
&cbInfo))
{
if (pInfo->cCertPolicyId)
{
cPolicyId = pInfo->cCertPolicyId;
pPolicyId = pInfo->rgCertPolicyId;
for ( ; cPolicyId > 0; cPolicyId--, pPolicyId++)
{
DWORD cElementId = pPolicyId->cCertPolicyElementId;
LPSTR *ppszElementId = pPolicyId->rgpszCertPolicyElementId;
for ( ; cElementId > 0; cElementId--, ppszElementId++)
{
if (strcmp(*ppszElementId,
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID) == 0)
{
fPolicyCommercial = TRUE;
}
if (strcmp(*ppszElementId,
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID) == 0)
fPolicyIndividual = TRUE;
}
}
}
}
}
}
}
//free the memory
if(pInfo)
free(pInfo);
if(pEKUInfo)
free(pEKUInfo);
//if any of the value is true in the properties,
//we need to add the statement type attribute
if( fPolicyCommercial || fPolicyIndividual || fCodeSiginigEKU)
return TRUE;
return FALSE;
}
//+-------------------------------------------------------------------------
//
// The function decides whether to sign the certificate as a commerical,
// or individual. The default is the certificate's highest capability. If fCommercial
// is set and the cert can not signly commercially, an error is returned.
// Same for fIndividual.
//
//--------------------------------------------------------------------------
HRESULT CheckCommercial(PCCERT_CONTEXT pSignerCert, BOOL fCommercial,
BOOL fIndividual, BOOL *pfCommercial)
{
HRESULT hr = S_OK;
BOOL fPolicyCommercial = FALSE;
BOOL fPolicyIndividual = FALSE;
PCERT_EXTENSION pExt;
PCERT_KEY_USAGE_RESTRICTION_INFO pInfo = NULL;
DWORD cbInfo;
PCERT_EXTENSION pEKUExt=NULL;
PCERT_ENHKEY_USAGE pUsage=NULL;
DWORD cCount=0;
if(!pfCommercial)
return E_INVALIDARG;
//init
*pfCommercial=FALSE;
//fCommercial and fIndividual can not be set at the same time
if(fCommercial && fIndividual)
return E_INVALIDARG;
PKITRY {
//first look into the cert extension szOID_KEY_USAGE_RESTRICTION
pExt = CertFindExtension(szOID_KEY_USAGE_RESTRICTION,
pSignerCert->pCertInfo->cExtension,
pSignerCert->pCertInfo->rgExtension);
if(pExt)
{
cbInfo = 0;
CryptDecodeObject(X509_ASN_ENCODING,
X509_KEY_USAGE_RESTRICTION,
pExt->Value.pbData,
pExt->Value.cbData,
0, // dwFlags
NULL, // pInfo
&cbInfo);
if (cbInfo == 0)
PKITHROW(SignError());
pInfo = (PCERT_KEY_USAGE_RESTRICTION_INFO) malloc(cbInfo);
if(!pInfo)
PKITHROW(E_OUTOFMEMORY);
if (!CryptDecodeObject(X509_ASN_ENCODING,
X509_KEY_USAGE_RESTRICTION,
pExt->Value.pbData,
pExt->Value.cbData,
0, // dwFlags
pInfo,
&cbInfo))
PKITHROW(SignError());
if (pInfo->cCertPolicyId)
{
DWORD cPolicyId;
PCERT_POLICY_ID pPolicyId;
cPolicyId = pInfo->cCertPolicyId;
pPolicyId = pInfo->rgCertPolicyId;
for ( ; cPolicyId > 0; cPolicyId--, pPolicyId++)
{
DWORD cElementId = pPolicyId->cCertPolicyElementId;
LPSTR *ppszElementId = pPolicyId->rgpszCertPolicyElementId;
for ( ; cElementId > 0; cElementId--, ppszElementId++)
{
if (strcmp(*ppszElementId,
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID) == 0)
{
fPolicyCommercial = TRUE;
}
if (strcmp(*ppszElementId,
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID) == 0)
fPolicyIndividual = TRUE;
}
}
} //end of pInfo->cCertPolicyId
} //end of pExt
//now
}
PKICATCH(err)
{
hr = err.pkiError;
} PKIEND;
if (pInfo)
{
free(pInfo);
pInfo=NULL;
}
if(hr!=S_OK)
return hr;
//if either of the policy is set, we check for the EKU extension
if((!fPolicyCommercial) && (!fPolicyIndividual))
{
pExt = CertFindExtension(szOID_ENHANCED_KEY_USAGE,
pSignerCert->pCertInfo->cExtension,
pSignerCert->pCertInfo->rgExtension);
if(pExt)
{
cbInfo = 0;
if(CryptDecodeObject(X509_ASN_ENCODING,
X509_ENHANCED_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbInfo) && (cbInfo != 0))
{
pUsage = (PCERT_ENHKEY_USAGE) malloc(cbInfo);
if(pUsage)
{
if (CryptDecodeObject(X509_ASN_ENCODING,
X509_ENHANCED_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData,
0, // dwFlags
pUsage,
&cbInfo))
{
for(cCount=0; cCount< pUsage->cUsageIdentifier; cCount++)
{
if (strcmp((pUsage->rgpszUsageIdentifier)[cCount],
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID) == 0)
{
fPolicyCommercial = TRUE;
}
if (strcmp((pUsage->rgpszUsageIdentifier)[cCount],
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID) == 0)
{
fPolicyIndividual = TRUE;
}
}
}
}
}
}
}
if(pUsage)
{
free(pUsage);
pUsage=NULL;
}
//if either of the policy is set, we use individual
if(!fPolicyCommercial && !fPolicyIndividual)
fPolicyIndividual=TRUE;
//default
if((!fCommercial) && (!fIndividual))
{
if(fPolicyCommercial)
*pfCommercial=TRUE;
else
*pfCommercial=FALSE;
return S_OK;
}
if(fCommercial && (!fIndividual))
{
if(fPolicyCommercial)
{
*pfCommercial=TRUE;
return S_OK;
}
else
return TYPE_E_TYPEMISMATCH;
}
//the following is fIndividual and !fCommercial
if(fPolicyIndividual)
{
*pfCommercial=FALSE;
return S_OK;
}
else
return TYPE_E_TYPEMISMATCH;
}
//+-------------------------------------------------------------------------
// Encode the StatementType authenticated attribute value
//--------------------------------------------------------------------------
HRESULT CreateStatementType(IN BOOL fCommercial,
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded)
{
HRESULT hr = S_OK;
PBYTE pbEncoded = NULL;
DWORD cbEncoded;
LPSTR pszIndividual = SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID;
LPSTR pszCommercial = SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID;
SPC_STATEMENT_TYPE StatementType;
StatementType.cKeyPurposeId = 1;
if (fCommercial)
StatementType.rgpszKeyPurposeId = &pszCommercial;
else
StatementType.rgpszKeyPurposeId = &pszIndividual;
PKITRY {
cbEncoded = 0;
CryptEncodeObject(X509_ASN_ENCODING,
SPC_STATEMENT_TYPE_STRUCT,
&StatementType,
NULL, // pbEncoded
&cbEncoded);
if (cbEncoded == 0)
PKITHROW(SignError());
pbEncoded = (BYTE *) malloc(cbEncoded);
if (pbEncoded == NULL)
PKITHROW(E_OUTOFMEMORY);
if (!CryptEncodeObject(X509_ASN_ENCODING,
SPC_STATEMENT_TYPE_STRUCT,
&StatementType,
pbEncoded,
&cbEncoded))
PKITHROW(SignError());
}
PKICATCH(err) {
if (pbEncoded) {
free(pbEncoded);
pbEncoded = NULL;
}
cbEncoded = 0;
hr = err.pkiError;
} PKIEND;
*ppbEncoded = pbEncoded;
*pcbEncoded = cbEncoded;
return hr;
}
//+-------------------------------------------------------------------------
// Encode the SpOpusInfo authenticated attribute value
//--------------------------------------------------------------------------
HRESULT CreateOpusInfo(IN LPCWSTR pwszOpusName,
IN LPCWSTR pwszOpusInfo,
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded)
{
HRESULT hr = S_OK;
BYTE *pbEncoded = NULL;
DWORD cbEncoded;
SPC_LINK MoreInfo;
SPC_SP_OPUS_INFO sSpcOpusInfo;
ZeroMemory(&sSpcOpusInfo, sizeof(SPC_SP_OPUS_INFO));
sSpcOpusInfo.pwszProgramName = (LPWSTR) pwszOpusName;
if (pwszOpusInfo) {
MoreInfo.dwLinkChoice = SPC_URL_LINK_CHOICE;
//
// To be backwards compatible with IE 3.0 WinVerifyTrust the
// following is set to an even length to inhibit the possibility
// of an 0x7f length in the encoded ASN.
// In IE 3.0 an 0x81 is erroneously prepended before a
// 0x7f length when the OPUS info is re-encoded before hashing. Making
// the length of pwszUrl even precludes this from happening.
//
// Note, the pwszUrl is first converted to multibyte before being
// encoded. Its the multibyte length that must have an even length.
int cchMultiByte;
cchMultiByte = WideCharToMultiByte(CP_ACP,
0, // dwFlags
pwszOpusInfo,
-1, // cchWideChar, -1 => null terminated
NULL, // lpMultiByteStr
0, // cchMultiByte
NULL, // lpDefaultChar
NULL // lpfUsedDefaultChar
);
// cchMultiByte includes the null terminator
if (cchMultiByte > 1 && ((cchMultiByte - 1) & 1)) {
// Odd length. Add extra space to end.
int Len = wcslen(pwszOpusInfo);
MoreInfo.pwszUrl = (LPWSTR) _alloca((Len + 2) * sizeof(WCHAR));
wcscpy(MoreInfo.pwszUrl, pwszOpusInfo);
wcscpy(MoreInfo.pwszUrl + Len, L" ");
} else
MoreInfo.pwszUrl = (LPWSTR) pwszOpusInfo;
sSpcOpusInfo.pMoreInfo = &MoreInfo;
}
PKITRY {
cbEncoded = 0;
CryptEncodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
SPC_SP_OPUS_INFO_STRUCT,
&sSpcOpusInfo,
NULL, // pbEncoded
&cbEncoded);
if (cbEncoded == 0)
PKITHROW(SignError());
pbEncoded = (BYTE *) malloc(cbEncoded);
if (pbEncoded == NULL)
PKITHROW(E_OUTOFMEMORY);
if (!CryptEncodeObject(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
SPC_SP_OPUS_INFO_STRUCT,
&sSpcOpusInfo,
pbEncoded,
&cbEncoded))
PKITHROW(SignError());
}
PKICATCH(err) {
if (pbEncoded) {
free(pbEncoded);
pbEncoded = NULL;
}
cbEncoded = 0;
hr = err.pkiError;
} PKIEND;
*ppbEncoded = pbEncoded;
*pcbEncoded = cbEncoded;
return hr;
}
//+-------------------------------------------------------------------------
// Checks if the certificate a glue certificate
// in IE30
// Returns: S_OK - Is a glue certificate
// S_FALSE - Not a certificate
// CRYPT_E_OSS_ERROR + Oss error - Encode or Decode error.
//+-------------------------------------------------------------------------
HRESULT SignIsGlueCert(IN PCCERT_CONTEXT pCert)
{
HRESULT hr = S_OK;
PCERT_NAME_BLOB pName = &pCert->pCertInfo->Subject;
PCERT_NAME_INFO pNameInfo = NULL;
DWORD cbNameInfo;
PKITRY {
cbNameInfo = 0;
CryptDecodeObject(X509_ASN_ENCODING,
X509_NAME,
pName->pbData,
pName->cbData,
0, // dwFlags
NULL, // pNameInfo
&cbNameInfo);
if (cbNameInfo == 0)
PKITHROW(SignError());
pNameInfo = (PCERT_NAME_INFO) malloc(cbNameInfo);
if(!pNameInfo)
return E_OUTOFMEMORY;
if (!CryptDecodeObject(X509_ASN_ENCODING,
X509_NAME,
pName->pbData,
pName->cbData,
0, // dwFlags
pNameInfo,
&cbNameInfo))
PKITHROW(SignError());
if(!CertFindRDNAttr(SPC_GLUE_RDN_OBJID, pNameInfo) != NULL)
hr = S_FALSE;
}
PKICATCH (err) {
hr = err.pkiError;
} PKIEND;
if (pNameInfo) free(pNameInfo);
return hr;
}
//+-------------------------------------------------------------------------
// Skip over the identifier and length octets in an ASN encoded blob.
// Returns the number of bytes skipped.
//
// For an invalid identifier or length octet returns 0.
//--------------------------------------------------------------------------
static DWORD SkipOverIdentifierAndLengthOctets(
IN const BYTE *pbDER,
IN DWORD cbDER
)
{
#define TAG_MASK 0x1f
DWORD cb;
DWORD cbLength;
const BYTE *pb = pbDER;
// Need minimum of 2 bytes
if (cbDER < 2)
return 0;
// Skip over the identifier octet(s)
if (TAG_MASK == (*pb++ & TAG_MASK)) {
// high-tag-number form
for (cb=2; *pb++ & 0x80; cb++) {
if (cb >= cbDER)
return 0;
}
} else
// low-tag-number form
cb = 1;
// need at least one more byte for length
if (cb >= cbDER)
return 0;
if (0x80 == *pb)
// Indefinite
cb++;
else if ((cbLength = *pb) & 0x80) {
cbLength &= ~0x80; // low 7 bits have number of bytes
cb += cbLength + 1;
if (cb > cbDER)
return 0;
} else
cb++;
return cb;
}
//--------------------------------------------------------------------------
//
// Skip over the tag and length
//----------------------------------------------------------------------------
BOOL WINAPI SignNoContentWrap(IN const BYTE *pbDER,
IN DWORD cbDER)
{
DWORD cb;
cb = SkipOverIdentifierAndLengthOctets(pbDER, cbDER);
if (cb > 0 && cb < cbDER && pbDER[cb] == 0x02)
return TRUE;
else
return FALSE;
}
#define SH1_HASH_LENGTH 20
//+-----------------------------------------------------------------------
// Make sure that the certificate is valid for timestamp
//------------------------------------------------------------------------
/*BOOL ValidTimestampCert(PCCERT_CONTEXT pCertContext)
{
BOOL fValid=FALSE;
DWORD cbSize=0;
PCERT_ENHKEY_USAGE pCertEKU=NULL;
BYTE *pbaSignersThumbPrint=NULL;
DWORD dwIndex=0;
static BYTE baVerisignTimeStampThumbPrint[SH1_HASH_LENGTH] =
{ 0x38, 0x73, 0xB6, 0x99, 0xF3, 0x5B, 0x9C, 0xCC, 0x36, 0x62,
0xB6, 0x48, 0x3A, 0x96, 0xBD, 0x6E, 0xEC, 0x97, 0xCF, 0xB7 };
cbSize = 0;
if (!(CertGetCertificateContextProperty(pCertContext, CERT_SHA1_HASH_PROP_ID,
NULL, &cbSize)))
goto CLEANUP;
pbaSignersThumbPrint=(BYTE *)malloc(cbSize);
if(!pbaSignersThumbPrint)
goto CLEANUP;
if (!(CertGetCertificateContextProperty(pCertContext, CERT_SHA1_HASH_PROP_ID,
pbaSignersThumbPrint, &cbSize)))
goto CLEANUP;
//
// 1st, check to see if it's Verisign's first timestamp certificate
if(cbSize!=sizeof(baVerisignTimeStampThumbPrint)/sizeof(baVerisignTimeStampThumbPrint[0]))
goto CLEANUP;
if (memcmp(pbaSignersThumbPrint, baVerisignTimeStampThumbPrint, cbSize) == 0)
{
fValid=TRUE;
goto CLEANUP;
}
//
// see if the certificate has the proper enhanced key usage OID
//
cbSize = 0;
if(!CertGetEnhancedKeyUsage(pCertContext,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
NULL,
&cbSize) || (cbSize==0))
goto CLEANUP;
pCertEKU = (PCERT_ENHKEY_USAGE)malloc(cbSize);
if(!pCertEKU)
goto CLEANUP;
if (!(CertGetEnhancedKeyUsage(pCertContext,
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG,
pCertEKU,
&cbSize)))
goto CLEANUP;
for (dwIndex = 0; dwIndex < pCertEKU->cUsageIdentifier; dwIndex++)
{
if (strcmp(pCertEKU->rgpszUsageIdentifier[dwIndex], szOID_KP_TIME_STAMP_SIGNING) == 0)
{
fValid=TRUE;
break;
}
if (strcmp(pCertEKU->rgpszUsageIdentifier[dwIndex], szOID_PKIX_KP_TIMESTAMP_SIGNING) == 0)
{
fValid=TRUE;
break;
}
}
CLEANUP:
if(pbaSignersThumbPrint)
free(pbaSignersThumbPrint);
if(pCertEKU)
free(pCertEKU);
return fValid;
} */
//-------------------------------------------------------------------------
//
// Call GetLastError and convert the return code to HRESULT
//--------------------------------------------------------------------------
HRESULT WINAPI SignError ()
{
DWORD dw = GetLastError ();
HRESULT hr;
if ( dw <= (DWORD) 0xFFFF )
hr = HRESULT_FROM_WIN32 ( dw );
else
hr = dw;
if ( ! FAILED ( hr ) )
{
// somebody failed a call without properly setting an error condition
hr = E_UNEXPECTED;
}
return hr;
}