You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1217 lines
36 KiB
1217 lines
36 KiB
//+---------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows NT Security
|
|
// Copyright (C) Microsoft Corporation, 1997 - 1999
|
|
//
|
|
// File: initpki.cpp
|
|
//
|
|
// Contents: migrates Bob Store to SPC store and adds root certificates
|
|
//
|
|
// History: 03-Jun-97 kirtd Created
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
#include "global.hxx"
|
|
#include "cryptreg.h"
|
|
#include "..\mscat32\mscatprv.h"
|
|
|
|
HMODULE hModule = NULL;
|
|
|
|
|
|
//////////////////////////////////////////////////////////////////
|
|
|
|
#define INITPKI_HRESULT_FROM_WIN32(a) ((a >= 0x80000000) ? a : HRESULT_FROM_WIN32(a))
|
|
|
|
|
|
#define SHA1_HASH_LENGTH 20
|
|
|
|
|
|
#define wsz_ROOT_STORE L"Root"
|
|
#define wsz_TRUST_STORE L"Trust"
|
|
#define wsz_CA_STORE L"CA"
|
|
#define wsz_TRUST_PUB_STORE L"TrustedPublisher"
|
|
#define wsz_DISALLOWED_STORE L"Disallowed"
|
|
static LPCWSTR rgpwszPredefinedEnterpriseStore[] = {
|
|
wsz_ROOT_STORE,
|
|
wsz_TRUST_STORE,
|
|
wsz_CA_STORE,
|
|
wsz_TRUST_PUB_STORE,
|
|
wsz_DISALLOWED_STORE
|
|
};
|
|
#define NUM_PREDEFINED_ENTERPRISE_STORE \
|
|
(sizeof(rgpwszPredefinedEnterpriseStore) / \
|
|
sizeof(rgpwszPredefinedEnterpriseStore[0]))
|
|
|
|
void RegisterEnterpriseStores()
|
|
{
|
|
DWORD i;
|
|
|
|
for (i = 0; i < NUM_PREDEFINED_ENTERPRISE_STORE; i++) {
|
|
CertRegisterSystemStore(
|
|
rgpwszPredefinedEnterpriseStore[i],
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
|
|
NULL, // pSystemStoreInfo
|
|
NULL // pvReserved
|
|
);
|
|
}
|
|
}
|
|
|
|
void RemoveCert(HCERTSTORE hStore, BYTE *pThumbPrint)
|
|
{
|
|
PCERT_CONTEXT pCertContext;
|
|
CRYPT_HASH_BLOB CryptHashBlob;
|
|
|
|
CryptHashBlob.cbData = SHA1_HASH_LENGTH;
|
|
CryptHashBlob.pbData = pThumbPrint;
|
|
|
|
pCertContext = (PCERT_CONTEXT)CertFindCertificateInStore( hStore,
|
|
X509_ASN_ENCODING,
|
|
0,
|
|
CERT_FIND_SHA1_HASH,
|
|
&CryptHashBlob,
|
|
NULL);
|
|
if (pCertContext)
|
|
{
|
|
CertDeleteCertificateFromStore(pCertContext);
|
|
}
|
|
}
|
|
|
|
//
|
|
// if byte 0 is null, make sure to change while loop below!
|
|
//
|
|
BYTE CertRemoveList[][SHA1_HASH_LENGTH] =
|
|
{
|
|
{ 0x4B, 0x33, 0x8D, 0xCD, 0x50, 0x18, 0x10, 0xB9, 0x36, 0xA0,
|
|
0x63, 0x61, 0x4C, 0x3C, 0xDD, 0x3F, 0xC2, 0xC4, 0x88, 0x55 }, // GTE Glue - '96
|
|
|
|
{ 0x56, 0xB0, 0x65, 0xA7, 0x4B, 0xDC, 0xE3, 0x7C, 0x96, 0xD3,
|
|
0xBA, 0x69, 0x81, 0x08, 0x02, 0xD5, 0x87, 0x03, 0xC0, 0xBD }, // Verisign Comm Glue - '96
|
|
|
|
{ 0x13, 0x39, 0x72, 0xAA, 0x97, 0xD3, 0x65, 0xFB, 0x6A, 0x1D,
|
|
0x47, 0xA5, 0xC7, 0x7A, 0x5C, 0x03, 0x94, 0xBD, 0xB9, 0xED }, // Verisign Indv Glue - '96
|
|
|
|
{ 0x69, 0xD0, 0x4F, 0xFB, 0x62, 0xE1, 0xC9, 0xAE, 0x30, 0x76,
|
|
0x99, 0x2A, 0xE7, 0x46, 0xFD, 0x69, 0x08, 0x3A, 0xBD, 0xE9 }, // MS Root cert - '96
|
|
|
|
{ 0xA7, 0xD7, 0xD5, 0xFD, 0xBB, 0x26, 0xB4, 0x10, 0xC1, 0xD6,
|
|
0x7A, 0xFB, 0xF5, 0xC9, 0x05, 0x39, 0x42, 0xDE, 0xE0, 0xEF }, // MS SGC Root Authority - '99
|
|
|
|
// { 0xCC, 0x7E, 0xD0, 0x77, 0xF0, 0xF2, 0x92, 0x59, 0x5A, 0x81,
|
|
// 0x66, 0xB0, 0x17, 0x09, 0xE2, 0x0C, 0x08, 0x84, 0xA5, 0xF8 }, // verisign "Class1" - '97
|
|
//
|
|
// { 0xD4, 0x73, 0x5D, 0x8A, 0x9A, 0xE5, 0xBC, 0x4B, 0x0A, 0x0D,
|
|
// 0xC2, 0x70, 0xD6, 0xA6, 0x25, 0x38, 0xA5, 0x87, 0xD3, 0x2F }, // verisign "timestamp" - '97
|
|
//
|
|
// { 0x68, 0x8B, 0x6E, 0xB8, 0x07, 0xE8, 0xED, 0xA5, 0xC7, 0xB1,
|
|
// 0x7C, 0x43, 0x93, 0xD0, 0x79, 0x5F, 0x0F, 0xAE, 0x15, 0x5F }, // verisign "commercial" - '97
|
|
//
|
|
// { 0xB1, 0x9D, 0xD0, 0x96, 0xDC, 0xD4, 0xE3, 0xE0, 0xFD, 0x67,
|
|
// 0x68, 0x85, 0x50, 0x5A, 0x67, 0x2C, 0x43, 0x8D, 0x4E, 0x9C }, // verisign "individual" - '97
|
|
|
|
|
|
|
|
// Certiposte Classe A Personne
|
|
{ 0xEB, 0xBC, 0x0E, 0x2D, 0x02, 0x0C, 0xA6, 0x9B, 0x22, 0x2C,
|
|
0x2B, 0xFF, 0xD2, 0x03, 0xCB, 0x8B, 0xF5, 0xA8, 0x27, 0x66 },
|
|
|
|
// Certiposte Serveur
|
|
{ 0x28, 0x4F, 0x55, 0xC4, 0x1A, 0x1A, 0x7A, 0x3F, 0x83, 0x28,
|
|
0xD4, 0xC2, 0x62, 0xFB, 0x37, 0x6E, 0xD6, 0x09, 0x6F, 0x24 },
|
|
|
|
// ViaCode Certification Authority
|
|
{0xB5, 0xD3, 0x03, 0xBF, 0x86, 0x82, 0xE1, 0x52, 0x91, 0x9D,
|
|
0x83, 0xF1, 0x84, 0xED, 0x05, 0xF1, 0xDC, 0xE5, 0x37, 0x0C },
|
|
|
|
// Swisskey Root CA
|
|
{ 0x13, 0x31, 0xF4, 0x8A, 0x5D, 0xA8, 0xE0, 0x1D, 0xAA, 0xCA,
|
|
0x1B, 0xB0, 0xC1, 0x70, 0x44, 0xAC, 0xFE, 0xF7, 0x55, 0xBB },
|
|
|
|
// CN=Microsoft Windows Hardware Compatibility,
|
|
// OU=Microsoft Corporation,
|
|
// OU=Microsoft Windows Hardware Compatibility Intermediate CA,
|
|
// OU=Copyright (c) 1997 Microsoft Corp.
|
|
//
|
|
// The one without a basic constraints extension
|
|
{ 0xBA, 0x9E, 0x3C, 0x32, 0x56, 0x2A, 0x67, 0x12, 0x8C, 0xAA,
|
|
0xBD, 0x4A, 0xB0, 0xC5, 0x00, 0xBE, 0xE1, 0xD0, 0xC2, 0x56 },
|
|
|
|
|
|
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } // term
|
|
|
|
};
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: PurgeExpiringCertsFromStores
|
|
//
|
|
// Synopsis: blech!
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
HRESULT PurgeExpiringCertsFromStores ()
|
|
{
|
|
DWORD cRemove;
|
|
DWORD cStores;
|
|
HCERTSTORE hStore = NULL;
|
|
HKEY hKey = NULL;
|
|
char *pszStores[] = { "SPC", "ROOT", "CU_ROOT", "AUTHROOT", "CA", NULL };
|
|
|
|
//
|
|
// HACKHACK! no crypt32 UI about the root store.
|
|
//
|
|
if (RegCreateHKCUKeyExU(HKEY_CURRENT_USER, ROOT_STORE_REGPATH,
|
|
0, NULL, 0, KEY_ALL_ACCESS, NULL, &hKey, NULL) != ERROR_SUCCESS)
|
|
{
|
|
hKey = NULL;
|
|
}
|
|
|
|
cStores = 0;
|
|
|
|
while (pszStores[cStores])
|
|
{
|
|
if (strcmp(pszStores[cStores], "CU_ROOT") == 0)
|
|
{
|
|
if (hKey)
|
|
hStore = CertOpenStore(CERT_STORE_PROV_REG, 0, NULL, 0, (LPVOID)hKey);
|
|
else
|
|
hStore = NULL;
|
|
}
|
|
else
|
|
{
|
|
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, NULL,
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE |
|
|
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
|
|
pszStores[cStores]);
|
|
}
|
|
|
|
if (hStore)
|
|
{
|
|
cRemove = 0;
|
|
while (CertRemoveList[cRemove][0] != 0x00)
|
|
{
|
|
if (hStore)
|
|
{
|
|
RemoveCert(hStore, &CertRemoveList[cRemove][0]);
|
|
}
|
|
|
|
cRemove++;
|
|
}
|
|
|
|
CertCloseStore(hStore, 0);
|
|
}
|
|
|
|
cStores++;
|
|
}
|
|
|
|
if (hKey)
|
|
RegCloseKey(hKey);
|
|
return( S_OK );
|
|
}
|
|
|
|
PCCERT_CONTEXT FindCertificateInOtherStore(
|
|
IN HCERTSTORE hOtherStore,
|
|
IN PCCERT_CONTEXT pCert
|
|
)
|
|
{
|
|
BYTE rgbHash[SHA1_HASH_LENGTH];
|
|
CRYPT_DATA_BLOB HashBlob;
|
|
|
|
HashBlob.pbData = rgbHash;
|
|
HashBlob.cbData = SHA1_HASH_LENGTH;
|
|
if (!CertGetCertificateContextProperty(
|
|
pCert,
|
|
CERT_SHA1_HASH_PROP_ID,
|
|
rgbHash,
|
|
&HashBlob.cbData
|
|
) || SHA1_HASH_LENGTH != HashBlob.cbData)
|
|
return NULL;
|
|
|
|
return CertFindCertificateInStore(
|
|
hOtherStore,
|
|
0, // dwCertEncodingType
|
|
0, // dwFindFlags
|
|
CERT_FIND_SHA1_HASH,
|
|
(const void *) &HashBlob,
|
|
NULL //pPrevCertContext
|
|
);
|
|
}
|
|
|
|
BOOL IsCertificateInOtherStore(
|
|
IN HCERTSTORE hOtherStore,
|
|
IN PCCERT_CONTEXT pCert
|
|
)
|
|
{
|
|
PCCERT_CONTEXT pOtherCert;
|
|
|
|
if (pOtherCert = FindCertificateInOtherStore(hOtherStore, pCert)) {
|
|
CertFreeCertificateContext(pOtherCert);
|
|
return TRUE;
|
|
} else
|
|
return FALSE;
|
|
}
|
|
|
|
void DeleteCertificateFromOtherStore(
|
|
IN HCERTSTORE hOtherStore,
|
|
IN PCCERT_CONTEXT pCert
|
|
)
|
|
{
|
|
PCCERT_CONTEXT pOtherCert;
|
|
|
|
if (pOtherCert = FindCertificateInOtherStore(hOtherStore, pCert))
|
|
CertDeleteCertificateFromStore(pOtherCert);
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
// Read a SignedData message consisting of certificates and
|
|
// CRLs from memory and copy to the specified cert store.
|
|
//
|
|
// Except for the SPC being loaded from memory, identical to SpcReadSpcFile.
|
|
//
|
|
// For hLMStore != NULL: if the certificate or CRL already exists in the
|
|
// LocalMachine store don't add it. Also if it exists in hCertstore,
|
|
// delete it.
|
|
//--------------------------------------------------------------------------
|
|
HRESULT
|
|
SpcReadSpcFromMemory(
|
|
IN BYTE *pbData,
|
|
IN DWORD cbData,
|
|
IN HCERTSTORE hCertStore,
|
|
IN DWORD dwMsgAndCertEncodingType,
|
|
IN DWORD dwFlags,
|
|
IN OPTIONAL HCERTSTORE hLMStore
|
|
)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
HCERTSTORE hSpcStore = NULL;
|
|
CRYPT_DATA_BLOB sSpcBlob;
|
|
HCRYPTPROV hCryptProv = NULL;
|
|
PCCERT_CONTEXT pCert = NULL;
|
|
PCCRL_CONTEXT pCrl = NULL;
|
|
|
|
if (!(hCertStore))
|
|
{
|
|
goto InvalidArg;
|
|
}
|
|
|
|
// Set the blob data.
|
|
sSpcBlob.pbData = pbData;
|
|
sSpcBlob.cbData = cbData;
|
|
|
|
|
|
// Open up the spc store
|
|
hSpcStore = CertOpenStore(CERT_STORE_PROV_SERIALIZED, //CERT_STORE_PROV_PKCS7,
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
hCryptProv,
|
|
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
|
|
&sSpcBlob);
|
|
if (!hSpcStore)
|
|
{
|
|
goto CertStoreError;
|
|
}
|
|
|
|
// Copy in the certificates from the caller.
|
|
while (pCert = CertEnumCertificatesInStore(hSpcStore, pCert))
|
|
{
|
|
if (hLMStore && IsCertificateInOtherStore(hLMStore, pCert))
|
|
// Certificate exists in LocalMachine. Delete it from
|
|
// CurrentUser if it already exists there.
|
|
DeleteCertificateFromOtherStore(hCertStore, pCert);
|
|
else
|
|
CertAddCertificateContextToStore(hCertStore,
|
|
pCert,
|
|
CERT_STORE_ADD_REPLACE_EXISTING,
|
|
NULL);
|
|
}
|
|
|
|
while (pCrl = CertEnumCRLsInStore(hSpcStore, pCrl))
|
|
{
|
|
CertAddCRLContextToStore(hCertStore,
|
|
pCrl,
|
|
CERT_STORE_ADD_NEWER,
|
|
NULL);
|
|
|
|
if (hLMStore) {
|
|
// Check if newer or same CRL exists in the hLMStore
|
|
PCCRL_CONTEXT pLMCrl;
|
|
|
|
pLMCrl = CertFindCRLInStore(
|
|
hLMStore,
|
|
pCrl->dwCertEncodingType,
|
|
0, // dwFindFlags
|
|
CRL_FIND_EXISTING,
|
|
(const void *) pCrl,
|
|
NULL // pPrevCrlContext
|
|
);
|
|
|
|
if (NULL != pLMCrl) {
|
|
PCCRL_CONTEXT pCUCrl;
|
|
|
|
pCUCrl = CertFindCRLInStore(
|
|
hCertStore,
|
|
pCrl->dwCertEncodingType,
|
|
0, // dwFindFlags
|
|
CRL_FIND_EXISTING,
|
|
(const void *) pCrl,
|
|
NULL // pPrevCrlContext
|
|
);
|
|
|
|
if (NULL != pCUCrl) {
|
|
if (0 <= CompareFileTime(
|
|
&pLMCrl->pCrlInfo->ThisUpdate,
|
|
&pCUCrl->pCrlInfo->ThisUpdate
|
|
))
|
|
CertDeleteCRLFromStore(pCUCrl);
|
|
else
|
|
CertFreeCRLContext(pCUCrl);
|
|
}
|
|
|
|
CertFreeCRLContext(pLMCrl);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
CommonReturn:
|
|
if (hSpcStore)
|
|
{
|
|
CertCloseStore(hSpcStore, 0);
|
|
}
|
|
return(hr);
|
|
|
|
ErrorReturn:
|
|
SetLastError((DWORD)hr);
|
|
goto CommonReturn;
|
|
|
|
SET_HRESULT_EX(DBG_SS, InvalidArg, E_INVALIDARG);
|
|
SET_HRESULT_EX(DBG_SS, CertStoreError, GetLastError());
|
|
}
|
|
|
|
// For nonNULL pszLMStoreName, doesn't add certificates if already in
|
|
// pszLMStoreName store.
|
|
HRESULT AddCertificates2(
|
|
IN LPCSTR pszStoreName,
|
|
IN OPTIONAL LPCSTR pszLMStoreName,
|
|
IN DWORD dwOpenStoreFlags,
|
|
IN LPCSTR pszResourceName,
|
|
IN LPCSTR pszResourceType
|
|
)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
HCERTSTORE hCertStore = NULL;
|
|
HCERTSTORE hLMStore = NULL;
|
|
LPBYTE pb = NULL;
|
|
DWORD cb;
|
|
HRSRC hrsrc;
|
|
|
|
hCertStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_REGISTRY_A,
|
|
0, // dwEncodingType
|
|
NULL, // hCryptProv
|
|
dwOpenStoreFlags |
|
|
CERT_SYSTEM_STORE_UNPROTECTED_FLAG,
|
|
(const void *) pszStoreName
|
|
);
|
|
|
|
if (!(hCertStore))
|
|
{
|
|
return(GetLastError());
|
|
}
|
|
|
|
if (NULL != pszLMStoreName)
|
|
{
|
|
hLMStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_REGISTRY_A,
|
|
0, // dwEncodingType
|
|
NULL, // hCryptProv
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE |
|
|
CERT_STORE_READONLY_FLAG |
|
|
CERT_SYSTEM_STORE_UNPROTECTED_FLAG,
|
|
(const void *) pszLMStoreName
|
|
);
|
|
}
|
|
|
|
|
|
hrsrc = FindResourceA(hModule, pszResourceName, pszResourceType);
|
|
if ( hrsrc != NULL )
|
|
{
|
|
HGLOBAL hglobRes;
|
|
|
|
hglobRes = LoadResource(hModule, hrsrc);
|
|
if ( hglobRes != NULL )
|
|
{
|
|
ULONG cbRes;
|
|
BYTE* pbRes;
|
|
|
|
cbRes = SizeofResource(hModule, hrsrc);
|
|
pbRes = (BYTE *)LockResource(hglobRes);
|
|
|
|
hr = SpcReadSpcFromMemory( pbRes,
|
|
cbRes,
|
|
hCertStore,
|
|
PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
|
|
0,
|
|
hLMStore);
|
|
|
|
UnlockResource(hglobRes);
|
|
FreeResource(hglobRes);
|
|
|
|
}
|
|
else
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
}
|
|
else
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
|
|
if ( hCertStore != NULL )
|
|
{
|
|
CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG);
|
|
}
|
|
|
|
if ( hLMStore != NULL )
|
|
{
|
|
CertCloseStore(hLMStore, CERT_CLOSE_STORE_FORCE_FLAG);
|
|
}
|
|
|
|
return( hr );
|
|
}
|
|
|
|
|
|
// For non-LocalMachine store, doesn't add certificates if already in
|
|
// corresponding LocalMachine store.
|
|
HRESULT AddCertificates(
|
|
IN LPCSTR pszStoreName,
|
|
IN DWORD dwOpenStoreFlags,
|
|
IN LPCSTR pszResourceName,
|
|
IN LPCSTR pszResourceType
|
|
)
|
|
{
|
|
LPCSTR pszLMStoreName;
|
|
|
|
if (CERT_SYSTEM_STORE_LOCAL_MACHINE !=
|
|
(dwOpenStoreFlags & CERT_SYSTEM_STORE_LOCATION_MASK))
|
|
pszLMStoreName = pszStoreName;
|
|
else
|
|
pszLMStoreName = NULL;
|
|
|
|
return AddCertificates2(
|
|
pszStoreName,
|
|
pszLMStoreName,
|
|
dwOpenStoreFlags,
|
|
pszResourceName,
|
|
pszResourceType
|
|
);
|
|
}
|
|
|
|
HRESULT AddCurrentUserCACertificates()
|
|
{
|
|
return AddCertificates(
|
|
"CA",
|
|
CERT_SYSTEM_STORE_CURRENT_USER,
|
|
MAKEINTRESOURCE(IDR_CAS),
|
|
"CAS"
|
|
);
|
|
}
|
|
HRESULT AddLocalMachineCACertificates()
|
|
{
|
|
return AddCertificates(
|
|
"CA",
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE,
|
|
MAKEINTRESOURCE(IDR_CAS),
|
|
"CAS"
|
|
);
|
|
}
|
|
|
|
HRESULT AddCurrentUserDisallowedCertificates()
|
|
{
|
|
return AddCertificates(
|
|
"Disallowed",
|
|
CERT_SYSTEM_STORE_CURRENT_USER,
|
|
MAKEINTRESOURCE(IDR_DISALLOW),
|
|
"DISALLOW"
|
|
);
|
|
}
|
|
HRESULT AddLocalMachineDisallowedCertificates()
|
|
{
|
|
return AddCertificates(
|
|
"Disallowed",
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE,
|
|
MAKEINTRESOURCE(IDR_DISALLOW),
|
|
"DISALLOW"
|
|
);
|
|
}
|
|
|
|
HRESULT AddCurrentUserRootCertificates()
|
|
{
|
|
HRESULT hr;
|
|
HRESULT hr2;
|
|
|
|
hr = AddCertificates(
|
|
"Root",
|
|
CERT_SYSTEM_STORE_CURRENT_USER,
|
|
MAKEINTRESOURCE(IDR_ROOTS),
|
|
"ROOTS"
|
|
);
|
|
|
|
hr2 = AddCertificates2(
|
|
"Root",
|
|
"AuthRoot", // check if already in LM AuthRoot store
|
|
CERT_SYSTEM_STORE_CURRENT_USER,
|
|
MAKEINTRESOURCE(IDR_AUTHROOTS),
|
|
"AUTHROOTS"
|
|
);
|
|
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
|
|
return hr;
|
|
}
|
|
|
|
HRESULT AddLocalMachineRootCertificates()
|
|
{
|
|
HRESULT hr;
|
|
HRESULT hr2;
|
|
HRESULT hr3;
|
|
HRESULT hr4;
|
|
|
|
hr = AddCertificates(
|
|
"AuthRoot",
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE,
|
|
MAKEINTRESOURCE(IDR_AUTHROOTS),
|
|
"AUTHROOTS"
|
|
);
|
|
|
|
// Remove all the AuthRoots from the "Root" store
|
|
hr2 = AddCertificates2(
|
|
"Root",
|
|
"AuthRoot", // check if already in LM AuthRoot store
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE,
|
|
MAKEINTRESOURCE(IDR_AUTHROOTS),
|
|
"AUTHROOTS"
|
|
);
|
|
|
|
hr3 = AddCertificates(
|
|
"Root",
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE,
|
|
MAKEINTRESOURCE(IDR_ROOTS),
|
|
"ROOTS"
|
|
);
|
|
|
|
// Remove all the Roots from the "AuthRoot" store
|
|
hr4 = AddCertificates2(
|
|
"AuthRoot",
|
|
"Root", // check if already in LM Root store
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE,
|
|
MAKEINTRESOURCE(IDR_ROOTS),
|
|
"ROOTS"
|
|
);
|
|
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr3;
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr4;
|
|
|
|
return hr;
|
|
}
|
|
|
|
void CreateKey(
|
|
IN HKEY hKey,
|
|
IN LPCWSTR pwszSubKey
|
|
)
|
|
{
|
|
LONG err;
|
|
DWORD dwDisposition;
|
|
HKEY hSubKey;
|
|
|
|
if (ERROR_SUCCESS != (err = RegCreateKeyExU(
|
|
hKey,
|
|
pwszSubKey,
|
|
0, // dwReserved
|
|
NULL, // lpClass
|
|
REG_OPTION_NON_VOLATILE,
|
|
MAXIMUM_ALLOWED,
|
|
NULL, // lpSecurityAttributes
|
|
&hSubKey,
|
|
&dwDisposition))) {
|
|
#if DBG
|
|
DbgPrintf(DBG_SS_CRYPT32,
|
|
"RegCreateKeyEx(%S) returned error: %d 0x%x\n",
|
|
pwszSubKey, err, err);
|
|
#endif
|
|
} else {
|
|
RegCloseKey(hSubKey);
|
|
}
|
|
}
|
|
|
|
// Loop through the certificates in the "My" store and get their
|
|
// KeyIdentifier property. If the certificate also has a KEY_PROV_INFO,
|
|
// then, this will cause its KeyIdentifier to be created.
|
|
void UpdateMyKeyIdentifiers(
|
|
IN DWORD dwOpenStoreFlags
|
|
)
|
|
{
|
|
HCERTSTORE hStore;
|
|
if (hStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_A,
|
|
0, // dwEncodingType
|
|
NULL, // hCryptProv
|
|
dwOpenStoreFlags | CERT_STORE_ENUM_ARCHIVED_FLAG,
|
|
(const void *) "My"
|
|
)) {
|
|
PCCERT_CONTEXT pCert = NULL;
|
|
while (pCert = CertEnumCertificatesInStore(hStore, pCert)) {
|
|
DWORD cbData = 0;
|
|
|
|
// Dummy get to force the KeyIdentifer property to be created
|
|
// if it doesn't already exist.
|
|
CertGetCertificateContextProperty(
|
|
pCert,
|
|
CERT_KEY_IDENTIFIER_PROP_ID,
|
|
NULL, // pvData
|
|
&cbData
|
|
);
|
|
}
|
|
|
|
CertCloseStore(hStore, 0);
|
|
}
|
|
}
|
|
|
|
//---------------------------------------------------------------------------
|
|
// Set Software Publisher State Key Value
|
|
//
|
|
//---------------------------------------------------------------------------
|
|
BOOL SetSoftPubKey(DWORD dwMask, BOOL fOn)
|
|
{
|
|
DWORD dwState=0;
|
|
DWORD dwDisposition=0;
|
|
DWORD dwType=0;
|
|
DWORD cbData=0;
|
|
LPWSTR wszState=REGNAME_WINTRUST_POLICY_FLAGS;
|
|
BOOL fResult=FALSE;
|
|
|
|
HKEY hKey=NULL;
|
|
|
|
|
|
// Set the State in the registry
|
|
if (ERROR_SUCCESS != RegCreateKeyExU(
|
|
HKEY_CURRENT_USER,
|
|
REGPATH_WINTRUST_POLICY_FLAGS,
|
|
0, // dwReserved
|
|
NULL, // lpszClass
|
|
REG_OPTION_NON_VOLATILE,
|
|
KEY_ALL_ACCESS,
|
|
NULL, // lpSecurityAttributes
|
|
&hKey,
|
|
&dwDisposition))
|
|
goto RegErr;
|
|
|
|
|
|
dwState = 0;
|
|
cbData = sizeof(dwState);
|
|
|
|
if(ERROR_SUCCESS != RegQueryValueExU
|
|
( hKey,
|
|
wszState,
|
|
NULL, // lpReserved
|
|
&dwType,
|
|
(BYTE *) &dwState,
|
|
&cbData
|
|
))
|
|
goto RegErr;
|
|
|
|
if ((dwType != REG_DWORD) && (dwType != REG_BINARY))
|
|
goto UnexpectedErr;
|
|
|
|
switch(dwMask)
|
|
{
|
|
case WTPF_IGNOREREVOCATIONONTS:
|
|
case WTPF_IGNOREREVOKATION:
|
|
case WTPF_IGNOREEXPIRATION:
|
|
// Revocation and expiration are a double negative so the bit set
|
|
// means revocation and expriation checking is off.
|
|
fOn = !fOn;
|
|
break;
|
|
default:
|
|
break;
|
|
};
|
|
|
|
if (fOn)
|
|
dwState |= dwMask;
|
|
else
|
|
dwState &= ~dwMask;
|
|
|
|
if(ERROR_SUCCESS != RegSetValueExU(
|
|
hKey,
|
|
wszState,
|
|
0, // dwReserved
|
|
REG_DWORD,
|
|
(BYTE *) &dwState,
|
|
sizeof(dwState)
|
|
))
|
|
goto SetValueErr;
|
|
|
|
|
|
fResult=TRUE;
|
|
|
|
CommonReturn:
|
|
if(hKey)
|
|
RegCloseKey(hKey);
|
|
|
|
return fResult;
|
|
|
|
ErrorReturn:
|
|
|
|
goto CommonReturn;
|
|
|
|
TRACE_ERROR(RegErr);
|
|
SET_ERROR(UnexpectedErr, E_UNEXPECTED);
|
|
TRACE_ERROR(SetValueErr);
|
|
|
|
}
|
|
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: GetNextRegToken
|
|
//
|
|
// Synopsis:
|
|
// Find the next token with space as the deliminator
|
|
//----------------------------------------------------------------------------
|
|
LPWSTR GetNextRegToken(LPWSTR pwsz, LPWSTR pwszPreToken, BOOL *pfEnd)
|
|
{
|
|
LPWSTR pwszStart=NULL;
|
|
LPWSTR pwszSearch=NULL;
|
|
|
|
if(NULL == pwsz)
|
|
return NULL;
|
|
|
|
if(TRUE == (*pfEnd))
|
|
return NULL;
|
|
|
|
pwszStart=pwsz;
|
|
|
|
if(pwszPreToken)
|
|
pwszStart=pwszPreToken + wcslen(pwszPreToken) + 1;
|
|
|
|
//skip the spaces
|
|
while((*pwszStart)==L' ')
|
|
pwszStart++;
|
|
|
|
//check for NULL
|
|
if(*pwszStart==L'\0')
|
|
return NULL;
|
|
|
|
pwszSearch=pwszStart;
|
|
|
|
while(((*pwszSearch) != L'\0') && ((*pwszSearch) !=L' ') )
|
|
pwszSearch++;
|
|
|
|
if(*pwszSearch == L'\0')
|
|
{
|
|
*pfEnd=TRUE;
|
|
return pwszStart;
|
|
}
|
|
|
|
*pwszSearch=L'\0';
|
|
|
|
*pfEnd=FALSE;
|
|
|
|
return pwszStart;
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: InitRegistryValue
|
|
//
|
|
// Synopsis: This function replace SetReg.exe. The expected
|
|
// command line would be: 1 TRUE 3 FALSE 9 TRUE 4 FALSE ....
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
HRESULT InitRegistryValue(LPWSTR pwszCommand)
|
|
{
|
|
HRESULT hr= E_FAIL;
|
|
DWORD SoftPubFlags[] =
|
|
{
|
|
WTPF_TRUSTTEST | WTPF_TESTCANBEVALID,
|
|
WTPF_IGNOREEXPIRATION,
|
|
WTPF_IGNOREREVOKATION,
|
|
WTPF_OFFLINEOK_IND,
|
|
WTPF_OFFLINEOK_COM,
|
|
WTPF_OFFLINEOKNBU_IND,
|
|
WTPF_OFFLINEOKNBU_COM,
|
|
WTPF_VERIFY_V1_OFF,
|
|
WTPF_IGNOREREVOCATIONONTS,
|
|
WTPF_ALLOWONLYPERTRUST
|
|
};
|
|
|
|
|
|
LPWSTR pwszNextToken=NULL;
|
|
int iIndex=-1;
|
|
BOOL fOn=FALSE;
|
|
int cFlags=sizeof(SoftPubFlags)/sizeof(SoftPubFlags[0]);
|
|
DWORD cParam=0;
|
|
LPWSTR pwszCopy=NULL;
|
|
BOOL fPassThrough=FALSE;
|
|
|
|
//make a copy of the command line since we will change it
|
|
pwszCopy=(LPWSTR)LocalAlloc(LPTR, (1+wcslen(pwszCommand)) * sizeof(WCHAR));
|
|
|
|
if(NULL== pwszCopy)
|
|
goto MemoryErr;
|
|
|
|
wcscpy(pwszCopy, pwszCommand);
|
|
|
|
while(pwszNextToken=GetNextRegToken(pwszCopy, pwszNextToken, &fPassThrough))
|
|
{
|
|
|
|
if(-1 == iIndex)
|
|
{
|
|
iIndex=_wtoi(pwszNextToken);
|
|
|
|
if((iIndex <= 0) || (iIndex > cFlags))
|
|
goto InvalidArgErr;
|
|
|
|
cParam++;
|
|
}
|
|
else
|
|
{
|
|
|
|
if(0 == _wcsicmp(pwszNextToken, L"true"))
|
|
fOn=TRUE;
|
|
else
|
|
{
|
|
if(0 == _wcsicmp(pwszNextToken, L"false"))
|
|
fOn=FALSE;
|
|
else
|
|
goto InvalidArgErr;
|
|
}
|
|
|
|
cParam++;
|
|
|
|
//set the registry value
|
|
if(!SetSoftPubKey(SoftPubFlags[iIndex-1],
|
|
fOn))
|
|
{
|
|
hr=INITPKI_HRESULT_FROM_WIN32(GetLastError());
|
|
goto SetKeyErr;
|
|
}
|
|
|
|
//reset the value for dwIndex
|
|
iIndex=-1;
|
|
}
|
|
}
|
|
|
|
//we have to have even number of parameters
|
|
if( (0 != (cParam %2)) || (0 == cParam))
|
|
goto InvalidArgErr;
|
|
|
|
hr=S_OK;
|
|
|
|
CommonReturn:
|
|
|
|
if(pwszCopy)
|
|
LocalFree((HLOCAL)pwszCopy);
|
|
|
|
return hr;
|
|
|
|
ErrorReturn:
|
|
|
|
goto CommonReturn;
|
|
|
|
SET_ERROR(InvalidArgErr, E_INVALIDARG);
|
|
SET_ERROR_VAR(SetKeyErr, hr);
|
|
SET_ERROR(MemoryErr, E_OUTOFMEMORY);
|
|
}
|
|
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: DllMain
|
|
//
|
|
// Synopsis:
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
BOOL WINAPI DllMain(HMODULE hInstDLL, DWORD fdwReason, LPVOID lpvReserved)
|
|
{
|
|
switch ( fdwReason )
|
|
{
|
|
case DLL_PROCESS_ATTACH:
|
|
hModule = hInstDLL;
|
|
break;
|
|
}
|
|
|
|
return( TRUE );
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: DllInstall
|
|
//
|
|
// Synopsis: dll installation entry point
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
STDAPI DllInstall (BOOL fRegister, LPCSTR pszCommand)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
HRESULT hr2;
|
|
LPWSTR pwszCommand=NULL;
|
|
|
|
if ( fRegister == FALSE )
|
|
{
|
|
return( E_NOTIMPL );
|
|
}
|
|
|
|
switch ( *pszCommand )
|
|
{
|
|
//letter S stands for setreg input parameters
|
|
//the command line should look like following:
|
|
//S 1 TRUE 2 FALSE 3 FALSE ...
|
|
//pszCommand is ACTUALLY LPWSTR for BOTH
|
|
//NT5, NT4 and Win95.
|
|
case 'S':
|
|
case 's':
|
|
pwszCommand=(LPWSTR)pszCommand;
|
|
|
|
if(wcslen(pwszCommand) <= 2)
|
|
{
|
|
hr=E_INVALIDARG;
|
|
}
|
|
else
|
|
{
|
|
hr=InitRegistryValue((LPWSTR)(&(pwszCommand[1])));
|
|
}
|
|
|
|
break;
|
|
case 'M':
|
|
case 'm':
|
|
PurgeExpiringCertsFromStores();
|
|
break;
|
|
|
|
case 'U':
|
|
case 'u':
|
|
_AdjustPolicyFlags(psPolicySettings);
|
|
|
|
PurgeExpiringCertsFromStores();
|
|
|
|
// Ensure we have a registry entry for the Group Policy
|
|
// SystemCertificates. On NT 4.0 or Win98, we emulate NT 5.0 GPT
|
|
// notification by doing a RegNotifyChangeKeyValue on this
|
|
// registry key.
|
|
CreateKey(HKEY_CURRENT_USER, GROUP_POLICY_STORE_REGPATH);
|
|
|
|
// Before adding to CurrentUser, will check if the root or CA
|
|
// already exists in LocalMachine. If it exists in
|
|
// LocalMachine and also exists in CurrentUser, will delete it
|
|
// from CurrentUser instead of adding.
|
|
hr = AddCurrentUserRootCertificates();
|
|
hr2 = AddCurrentUserCACertificates();
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
hr2 = AddCurrentUserDisallowedCertificates();
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
|
|
// Protect the CurrentUser roots and purge any existing
|
|
// protected CurrentUser roots also in LocalMachine
|
|
//
|
|
// Note, once the roots are protected, all subsequent adds are
|
|
// done by a special service executing with System privileges.
|
|
// This special service does secure attention sequence (SAS) UI
|
|
// before doing the add.
|
|
//
|
|
// Note, subsequent purges are exempt from UI. ie, this function
|
|
// doesn't do any SAS UI.
|
|
I_CertProtectFunction(
|
|
CERT_PROT_PURGE_LM_ROOTS_FUNC_ID,
|
|
0, // dwFlags
|
|
NULL, // pwszIn
|
|
NULL, // pbIn
|
|
0, // cbIn
|
|
NULL, // ppbOut
|
|
NULL // pcbOut
|
|
);
|
|
|
|
UpdateMyKeyIdentifiers(CERT_SYSTEM_STORE_CURRENT_USER);
|
|
break;
|
|
|
|
case 'B':
|
|
case 'b':
|
|
case 'R':
|
|
case 'r':
|
|
case 'A':
|
|
case 'a':
|
|
PurgeExpiringCertsFromStores();
|
|
|
|
// Ensure we have a registry entry for the Group Policy
|
|
// SystemCertificates. On NT 4.0 or Win98, we emulate NT 5.0 GPT
|
|
// notification by doing a RegNotifyChangeKeyValue on this
|
|
// registry key.
|
|
CreateKey(HKEY_LOCAL_MACHINE, GROUP_POLICY_STORE_REGPATH);
|
|
CreateKey(HKEY_CURRENT_USER, GROUP_POLICY_STORE_REGPATH);
|
|
|
|
// Ensure we have existing predefined stores for the LocalMachine
|
|
// Enterprise system stores. These stores are periodically updated
|
|
// from the DS by a system service. RegNotifyChangeKeyValue is
|
|
// used to signal clients about Enterprise store changes.
|
|
RegisterEnterpriseStores();
|
|
|
|
// Our goal is to get the roots and CAs into LocalMachine.
|
|
// Note previously, they were only copied to CurrentUser.
|
|
AddLocalMachineRootCertificates();
|
|
AddLocalMachineCACertificates();
|
|
AddLocalMachineDisallowedCertificates();
|
|
|
|
// If the above adds to LocalMachine failed, then, add
|
|
// to CurrentUser.
|
|
//
|
|
// Before adding to CurrentUser, will check if the root or CA
|
|
// already exists in LocalMachine. If it exists in
|
|
// LocalMachine and also exists in CurrentUser, will delete it
|
|
// from CurrentUser instead of adding.
|
|
hr = AddCurrentUserRootCertificates();
|
|
hr2 = AddCurrentUserCACertificates();
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
hr2 = AddCurrentUserDisallowedCertificates();
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
|
|
// Protect the CurrentUser roots and purge any existing
|
|
// protected CurrentUser roots also in LocalMachine
|
|
//
|
|
// Note, once the roots are protected, all subsequent adds are
|
|
// done by a special service executing with System privileges.
|
|
// This special service does secure attention sequence (SAS) UI
|
|
// before doing the add.
|
|
//
|
|
// Note, subsequent purges are exempt from UI. ie, this function
|
|
// doesn't do any SAS UI.
|
|
I_CertProtectFunction(
|
|
CERT_PROT_PURGE_LM_ROOTS_FUNC_ID,
|
|
0, // dwFlags
|
|
NULL, // pwszIn
|
|
NULL, // pbIn
|
|
0, // cbIn
|
|
NULL, // ppbOut
|
|
NULL // pcbOut
|
|
);
|
|
|
|
UpdateMyKeyIdentifiers(CERT_SYSTEM_STORE_CURRENT_USER);
|
|
UpdateMyKeyIdentifiers(CERT_SYSTEM_STORE_LOCAL_MACHINE);
|
|
|
|
CleanupRegistry();
|
|
hr2 = RegisterCryptoDlls(TRUE);
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
|
|
if (!I_CryptCatAdminMigrateToNewCatDB())
|
|
{
|
|
hr2 = HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
else
|
|
{
|
|
hr2 = ERROR_SUCCESS;
|
|
}
|
|
if (hr == ERROR_SUCCESS)
|
|
hr = hr2;
|
|
|
|
break;
|
|
|
|
case 'C':
|
|
case 'c':
|
|
// Win9x migration post setup cleanup. Remove any migrated
|
|
// roots that exist in the AuthRoot store.
|
|
AddLocalMachineRootCertificates();
|
|
AddCurrentUserRootCertificates();
|
|
break;
|
|
|
|
case 'Z':
|
|
case 'z':
|
|
|
|
//
|
|
// This is for componentization install
|
|
//
|
|
|
|
pwszCommand=(LPWSTR)pszCommand;
|
|
|
|
if (_wcsicmp(pwszCommand, L"z CoreCertificateServices") == 0)
|
|
{
|
|
AddLocalMachineRootCertificates();
|
|
AddLocalMachineCACertificates();
|
|
AddLocalMachineDisallowedCertificates();
|
|
|
|
if (!_LoadAndRegister("wintrust.dll", FALSE) ||
|
|
!_LoadAndRegister("mssign32.dll", FALSE) ||
|
|
!_LoadAndRegister("xenroll.dll", FALSE) ||
|
|
!_AdjustPolicyFlags(psPolicySettings))
|
|
{
|
|
hr = S_FALSE;
|
|
}
|
|
|
|
RegisterWinlogonExtension("crypt32chain", "crypt32.dll",
|
|
"ChainWlxLogoffEvent");
|
|
RegisterWinlogonExtension("cryptnet", "cryptnet.dll",
|
|
"CryptnetWlxLogoffEvent");
|
|
|
|
RegisterCrypt32EventSource();
|
|
}
|
|
else if (_wcsicmp(pwszCommand, L"z CertificateUIServices") == 0)
|
|
{
|
|
if (!_LoadAndRegister("cryptui.dll", FALSE))
|
|
{
|
|
hr = S_FALSE;
|
|
}
|
|
}
|
|
else if (_wcsicmp(pwszCommand, L"z CryptographicNetworkServices") == 0)
|
|
{
|
|
if (!_LoadAndRegister("cryptnet.dll", FALSE))
|
|
{
|
|
hr = S_FALSE;
|
|
}
|
|
}
|
|
else if (_wcsicmp(pwszCommand, L"z CertificateUIExtensions") == 0)
|
|
{
|
|
if (!_LoadAndRegister("cryptext.dll", FALSE))
|
|
{
|
|
hr = S_FALSE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
hr = E_INVALIDARG;
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
hr = E_INVALIDARG;
|
|
}
|
|
|
|
return( hr );
|
|
}
|
|
|
|
STDAPI DllRegisterServer(void)
|
|
{
|
|
return(DllInstall(TRUE, "A"));
|
|
}
|
|
|
|
STDAPI DllUnregisterServer(void)
|
|
{
|
|
return(UnregisterCryptoDlls());
|
|
}
|
|
|
|
BOOL WINAPI InitializePKI(void)
|
|
{
|
|
if (RegisterCryptoDlls(TRUE) != S_OK)
|
|
{
|
|
return(FALSE);
|
|
}
|
|
|
|
return(TRUE);
|
|
}
|