Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

9983 lines
298 KiB

//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1997 - 2000
//
// File: autoenro.cpp
//
//--------------------------------------------------------------------------
#include <windows.h>
#include <winuser.h>
#include <wincrypt.h>
#include <stdio.h>
#include <cryptui.h>
#include <lmcons.h>
#include <lmapibuf.h>
#include <dsgetdc.h>
#include <oleauto.h>
#define SECURITY_WIN32
#include <rpc.h>
#include <security.h>
#include <winldap.h>
#include <dsrole.h>
#include <shobjidl.h>
#include <shellapi.h>
#include <commctrl.h>
#include <winscard.h>
#include <Rpcdce.h>
#include <certca.h>
#include <certsrv.h>
#include <autoenr.h>
#include <autoenro.h>
#include <autolog.h>
#include <resource.h>
#include <xenroll.h>
//*******************************************************************************
//
//
// Global Defines and Data Structures
//
//
//*******************************************************************************
HINSTANCE g_hmodThisDll = NULL; // Handle to this DLL itself.
#if DBG
DWORD g_AutoenrollDebugLevel = AE_ERROR; //| AE_WARNING | AE_INFO | AE_TRACE;
#endif
//when we look at supersede relationship, we based on the following order
DWORD g_rgdwSupersedeOrder[]={CERT_REQUEST_STATUS_OBTAINED,
CERT_REQUEST_STATUS_ACTIVE,
CERT_REQUEST_STATUS_PENDING,
CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE};
DWORD g_dwSupersedeOrder=sizeof(g_rgdwSupersedeOrder)/sizeof(g_rgdwSupersedeOrder[0]);
//the list of certificate store to update
AE_STORE_INFO g_rgStoreInfo[]={
L"ROOT", L"ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,%s?cACertificate?one?objectCategory=certificationAuthority",
L"NTAuth", L"ldap:///CN=Public Key Services,CN=Services,%s?cACertificate?one?cn=NTAuthCertificates",
L"CA", L"ldap:///CN=AIA,CN=Public Key Services,CN=Services,%s?crossCertificatePair,cACertificate?one?objectCategory=certificationAuthority"
};
DWORD g_dwStoreInfo=sizeof(g_rgStoreInfo)/sizeof(g_rgStoreInfo[0]);
typedef IEnroll4 * (WINAPI *PFNPIEnroll4GetNoCOM)();
static WCHAR * s_wszLocation = L"CN=Public Key Services,CN=Services,";
//*******************************************************************************
//
//
// Implementation of IQueryContinue for use autoenrollment notification
//
//
//*******************************************************************************
//--------------------------------------------------------------------------
// CQueryContinue
//--------------------------------------------------------------------------
CQueryContinue::CQueryContinue()
{
m_cRef=1;
m_pIUserNotification=NULL;
m_hTimer=NULL;
}
//--------------------------------------------------------------------------
// ~CQueryContinue
//--------------------------------------------------------------------------
CQueryContinue::~CQueryContinue()
{
}
//--------------------------------------------------------------------------
// CQueryContinue
//--------------------------------------------------------------------------
HRESULT CQueryContinue::QueryInterface(REFIID riid, void **ppv)
{
if(IsEqualIID(riid, IID_IUnknown) || IsEqualIID(riid, IID_IQueryContinue))
{
*ppv=(LPVOID)this;
AddRef();
return S_OK;
}
return E_NOINTERFACE;
}
//--------------------------------------------------------------------------
// AddRef
//--------------------------------------------------------------------------
STDMETHODIMP_(ULONG) CQueryContinue::AddRef()
{
return InterlockedIncrement(&m_cRef);
}
//--------------------------------------------------------------------------
// Release
//--------------------------------------------------------------------------
STDMETHODIMP_(ULONG) CQueryContinue::Release()
{
if (InterlockedDecrement(&m_cRef))
return m_cRef;
delete this;
return 0;
}
//--------------------------------------------------------------------------
// CQueryContinue
//--------------------------------------------------------------------------
HRESULT CQueryContinue::QueryContinue()
{
//disable the balloon
if(m_pIUserNotification)
m_pIUserNotification->SetBalloonInfo(NULL, NULL, NIIF_INFO);
//wait for the timer to be activated
if(m_hTimer)
{
if(WAIT_OBJECT_0 == WaitForSingleObject(m_hTimer, 0))
return S_FALSE;
}
return S_OK;
}
//--------------------------------------------------------------------------
// DoBalloon()
//--------------------------------------------------------------------------
HRESULT CQueryContinue::DoBalloon()
{
HRESULT hr=E_FAIL;
WCHAR wszTitle[MAX_DN_SIZE];
WCHAR wszText[MAX_DN_SIZE];
HICON hIcon=NULL;
LARGE_INTEGER DueTime;
if(S_OK != (hr=CoCreateInstance(CLSID_UserNotification,
NULL,
CLSCTX_ALL,
IID_IUserNotification,
(void **)&m_pIUserNotification)))
goto Ret;
if(NULL==m_pIUserNotification)
{
hr=E_FAIL;
goto Ret;
}
//create a waitable timer with default security setting
m_hTimer=CreateWaitableTimer(NULL, TRUE, NULL);
if(NULL==m_hTimer)
{
hr=E_FAIL;
goto Ret;
}
//set the timer
DueTime.QuadPart = Int32x32To64(-10000, AUTO_ENROLLMENT_BALLOON_LENGTH * 1000);
if(!SetWaitableTimer(m_hTimer, &DueTime, 0, NULL, 0, FALSE))
{
hr=E_FAIL;
goto Ret;
}
if(S_OK != (hr=m_pIUserNotification->SetBalloonRetry(AUTO_ENROLLMENT_SHOW_TIME * 1000,
AUTO_ENROLLMENT_INTERVAL * 1000,
AUTO_ENROLLMENT_RETRIAL)))
goto Ret;
if((!LoadStringW(g_hmodThisDll,IDS_ICON_TIP, wszText, MAX_DN_SIZE)) ||
(NULL==(hIcon=LoadIcon(g_hmodThisDll, MAKEINTRESOURCE(IDI_AUTOENROLL_ICON)))))
{
hr=E_FAIL;
goto Ret;
}
if(S_OK != (hr=m_pIUserNotification->SetIconInfo(hIcon, wszText)))
goto Ret;
if((!LoadStringW(g_hmodThisDll,IDS_BALLOON_TITLE, wszTitle, MAX_DN_SIZE)) ||
(!LoadStringW(g_hmodThisDll,IDS_BALLOON_TEXT, wszText, MAX_DN_SIZE)))
{
hr=E_FAIL;
goto Ret;
}
if(S_OK !=(hr=m_pIUserNotification->SetBalloonInfo(wszTitle, wszText, NIIF_INFO)))
goto Ret;
//user did not click on the icon or we time out
hr= m_pIUserNotification->Show(this, AUTO_ENROLLMENT_QUERY_INTERVAL * 1000);
Ret:
if(m_hTimer)
{
CloseHandle(m_hTimer);
m_hTimer=NULL;
}
if(m_pIUserNotification)
{
m_pIUserNotification->Release();
m_pIUserNotification=NULL;
}
return hr;
}
//*******************************************************************************
//
//
// Functions for autoenrollment
//
//
//*******************************************************************************
//--------------------------------------------------------------------------
//
// Name: FindCertificateInOtherStore
//
//--------------------------------------------------------------------------
PCCERT_CONTEXT FindCertificateInOtherStore(
IN HCERTSTORE hOtherStore,
IN PCCERT_CONTEXT pCert
)
{
BYTE rgbHash[SHA1_HASH_LENGTH];
CRYPT_DATA_BLOB HashBlob;
HashBlob.pbData = rgbHash;
HashBlob.cbData = SHA1_HASH_LENGTH;
if (!CertGetCertificateContextProperty(
pCert,
CERT_SHA1_HASH_PROP_ID,
rgbHash,
&HashBlob.cbData
) || SHA1_HASH_LENGTH != HashBlob.cbData)
return NULL;
return CertFindCertificateInStore(
hOtherStore,
ENCODING_TYPE, // dwCertEncodingType
0, // dwFindFlags
CERT_FIND_SHA1_HASH,
(const void *) &HashBlob,
NULL //pPrevCertContext
);
}
//--------------------------------------------------------------------------
//
// AEUpdateCertificateStore
//
// Description: This function enumerates all of the certificate in the DS based
// LdapPath, and moves them into the corresponding local machine store.
//
//--------------------------------------------------------------------------
HRESULT WINAPI AEUpdateCertificateStore(LDAP *pld,
LPWSTR pwszConfig,
LPWSTR pwszStoreName,
LPWSTR pwszLdapPath)
{
HRESULT hr = S_OK;
CERT_LDAP_STORE_OPENED_PARA CertOpenStoreParam;
PCCERT_CONTEXT pContext = NULL,
pOtherCert = NULL;
LPWSTR pwszLdapStore = NULL;
HCERTSTORE hEnterpriseStore = NULL,
hLocalStore = NULL;
if((NULL==pld) || (NULL==pwszConfig) || (NULL==pwszStoreName) || (NULL==pwszLdapPath))
{
hr = E_INVALIDARG;
goto error;
}
pwszLdapStore = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(pwszConfig)+wcslen(pwszLdapPath)+1));
if(pwszLdapStore == NULL)
{
hr = E_OUTOFMEMORY;
goto error;
}
wsprintf(pwszLdapStore,
pwszLdapPath,
pwszConfig);
hLocalStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_REGISTRY_W,
0,
0,
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
pwszStoreName);
if(hLocalStore == NULL)
{
hr = HRESULT_FROM_WIN32(GetLastError());
AE_DEBUG((AE_ERROR, L"Unable to open ROOT store (%lx)\n\r", hr));
goto error;
}
memset(&CertOpenStoreParam, 0, sizeof(CertOpenStoreParam));
CertOpenStoreParam.pvLdapSessionHandle=pld;
CertOpenStoreParam.pwszLdapUrl=pwszLdapStore;
hEnterpriseStore = CertOpenStore(CERT_STORE_PROV_LDAP,
0,
0,
CERT_STORE_READONLY_FLAG | CERT_LDAP_STORE_SIGN_FLAG |
CERT_LDAP_STORE_OPENED_FLAG,
&CertOpenStoreParam);
if(hEnterpriseStore == NULL)
{
DWORD err = GetLastError();
if((err == ERROR_FILE_NOT_FOUND))
{
// There was no store, so there are no certs
hr = S_OK;
goto error;
}
hr = HRESULT_FROM_WIN32(err);
AE_DEBUG((AE_ERROR, L"Unable to open ROOT store (%lx)\n\r", hr));
goto error;
}
while(pContext = CertEnumCertificatesInStore(hEnterpriseStore, pContext))
{
if (pOtherCert = FindCertificateInOtherStore(hLocalStore, pContext)) {
CertFreeCertificateContext(pOtherCert);
}
else
{
CertAddCertificateContextToStore(hLocalStore,
pContext,
CERT_STORE_ADD_ALWAYS,
NULL);
}
}
while(pContext = CertEnumCertificatesInStore(hLocalStore, pContext))
{
if (pOtherCert = FindCertificateInOtherStore(hEnterpriseStore, pContext)) {
CertFreeCertificateContext(pOtherCert);
}
else
{
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pContext));
}
}
error:
if(hr != S_OK)
{
AELogAutoEnrollmentEvent(
STATUS_SEVERITY_ERROR, //this event will always be logged
TRUE,
hr,
EVENT_FAIL_DOWNLOAD_CERT,
TRUE,
NULL,
2,
pwszStoreName,
pwszLdapStore);
}
if(pwszLdapStore)
{
LocalFree(pwszLdapStore);
}
if(hEnterpriseStore)
{
CertCloseStore(hEnterpriseStore,0);
}
if(hLocalStore)
{
CertCloseStore(hLocalStore,0);
}
return hr;
}
//--------------------------------------------------------------------------
//
// AENeedToUpdateDSCache
//
//--------------------------------------------------------------------------
BOOL AENeedToUpdateDSCache(LDAP *pld, LPWSTR pwszDCInvocationID, LPWSTR pwszConfig, AE_DS_INFO *pAEDSInfo)
{
BOOL fNeedToUpdate=TRUE;
DWORD dwRegObject=0;
ULARGE_INTEGER maxRegUSN;
ULARGE_INTEGER maxDsUSN;
DWORD dwType=0;
DWORD dwSize=0;
DWORD dwDisp=0;
struct l_timeval timeout;
LPWSTR rgwszAttrs[] = {AUTO_ENROLLMENT_USN_ATTR, NULL};
LDAPMessage *Entry=NULL;
LPWSTR *awszValue = NULL;
HKEY hDSKey=NULL;
HKEY hDCKey=NULL;
LDAPMessage *SearchResult = NULL;
LPWSTR pwszContainer=NULL;
if((NULL==pld) || (NULL==pwszDCInvocationID) || (NULL==pwszConfig) || (NULL==pAEDSInfo))
goto error;
//init
memset(pAEDSInfo, 0, sizeof(AE_DS_INFO));
//compute the # of objects and maxUSN from the directory
pwszContainer=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (1 + wcslen(pwszConfig) + wcslen(s_wszLocation)));
if(NULL == pwszContainer)
goto error;
wcscpy(pwszContainer, s_wszLocation);
wcscat(pwszContainer, pwszConfig);
timeout.tv_sec = 300;
timeout.tv_usec = 0;
if(LDAP_SUCCESS != ldap_search_stW(
pld,
pwszContainer,
LDAP_SCOPE_SUBTREE,
L"(objectCategory=certificationAuthority)",
rgwszAttrs,
0,
&timeout,
&SearchResult))
goto error;
//get the # of objects
pAEDSInfo->dwObjects = ldap_count_entries(pld, SearchResult);
for(Entry = ldap_first_entry(pld, SearchResult); Entry != NULL; Entry = ldap_next_entry(pld, Entry))
{
awszValue = ldap_get_values(pld, Entry, AUTO_ENROLLMENT_USN_ATTR);
if(NULL==awszValue)
goto error;
if(NULL==awszValue[0])
goto error;
maxDsUSN.QuadPart=0;
maxDsUSN.QuadPart=_wtoi64(awszValue[0]);
//if any error happens, maxDsUSN will be 0.
if(0 == maxDsUSN.QuadPart)
goto error;
if((pAEDSInfo->maxUSN).QuadPart < maxDsUSN.QuadPart)
(pAEDSInfo->maxUSN).QuadPart = maxDsUSN.QuadPart;
ldap_value_free(awszValue);
awszValue=NULL;
}
//signal that we have retrieved correct data from the directory
pAEDSInfo->fValidData=TRUE;
//find if we have cached any information about the DC of interest
if(ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE,
AUTO_ENROLLMENT_DS_KEY,
0,
TEXT(""),
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hDSKey,
&dwDisp))
goto error;
if(ERROR_SUCCESS != RegOpenKeyEx(
hDSKey,
pwszDCInvocationID,
0,
KEY_ALL_ACCESS,
&hDCKey))
goto error;
dwSize=sizeof(dwRegObject);
if(ERROR_SUCCESS != RegQueryValueEx(
hDCKey,
AUTO_ENROLLMENT_DS_OBJECT,
NULL,
&dwType,
(PBYTE)(&dwRegObject),
&dwSize))
goto error;
if(REG_DWORD != dwType)
goto error;
dwSize=sizeof(maxRegUSN);
if(ERROR_SUCCESS != RegQueryValueEx(
hDCKey,
AUTO_ENROLLMENT_DS_USN,
NULL,
&dwType,
(PBYTE)(&(maxRegUSN)),
&dwSize))
goto error;
if(REG_BINARY != dwType)
goto error;
//compare the registry data with the data from directory
if(dwRegObject != (pAEDSInfo->dwObjects))
goto error;
if(maxRegUSN.QuadPart != ((pAEDSInfo->maxUSN).QuadPart))
goto error;
fNeedToUpdate=FALSE;
error:
if(awszValue)
ldap_value_free(awszValue);
if(pwszContainer)
LocalFree(pwszContainer);
if(hDCKey)
RegCloseKey(hDCKey);
if(hDSKey)
RegCloseKey(hDSKey);
if(SearchResult)
ldap_msgfree(SearchResult);
//remove the temporary data
if(pAEDSInfo)
{
if(FALSE == fNeedToUpdate)
memset(pAEDSInfo, 0, sizeof(AE_DS_INFO));
}
return fNeedToUpdate;
}
//--------------------------------------------------------------------------
//
// AEUpdateDSCache
//
//--------------------------------------------------------------------------
BOOL AEUpdateDSCache(LPWSTR pwszDCInvocationID, AE_DS_INFO *pAEDSInfo)
{
BOOL fResult=FALSE;
DWORD dwDisp=0;
HKEY hDSKey=NULL;
HKEY hDCKey=NULL;
if((NULL==pwszDCInvocationID) || (NULL==pAEDSInfo))
goto error;
if(ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE,
AUTO_ENROLLMENT_DS_KEY,
0,
TEXT(""),
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hDSKey,
&dwDisp))
goto error;
//create the key named by the DC
if(ERROR_SUCCESS != RegCreateKeyEx(hDSKey,
pwszDCInvocationID,
0,
TEXT(""),
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hDCKey,
&dwDisp))
goto error;
//set the # of objects value
if(ERROR_SUCCESS != RegSetValueEx(hDCKey,
AUTO_ENROLLMENT_DS_OBJECT,
NULL,
REG_DWORD,
(PBYTE)&(pAEDSInfo->dwObjects),
sizeof(pAEDSInfo->dwObjects)))
goto error;
//set the max uSN value
if(ERROR_SUCCESS != RegSetValueEx(hDCKey,
AUTO_ENROLLMENT_DS_USN,
NULL,
REG_BINARY,
(PBYTE)&(pAEDSInfo->maxUSN),
sizeof(pAEDSInfo->maxUSN)))
goto error;
fResult=TRUE;
error:
if(hDCKey)
RegCloseKey(hDCKey);
if(hDSKey)
RegCloseKey(hDSKey);
return fResult;
}
//--------------------------------------------------------------------------
//
// AERetrieveInvocationID
//
//--------------------------------------------------------------------------
BOOL AERetrieveInvocationID(LDAP *pld, LPWSTR *ppwszID)
{
BOOL fResult=FALSE;
struct l_timeval timeout;
LPWSTR rgwszDSAttrs[] = {L"dsServiceName", NULL};
LPWSTR rgwszIDAttr[] = {L"invocationId", NULL};
LDAPMessage *Entry=NULL;
LPWSTR *awszValues = NULL;
LDAPMessage *SearchResults = NULL;
struct berval **apUUID = NULL;
LDAPMessage *SearchIDResult = NULL;
BYTE *pbUUID=NULL;
if((NULL==pld) || (NULL==ppwszID))
goto error;
*ppwszID=NULL;
//retrieve the dsSerivceName attribute
timeout.tv_sec = 300;
timeout.tv_usec = 0;
if(LDAP_SUCCESS != ldap_search_stW(
pld,
NULL, //NULL DN for dsServiceName
LDAP_SCOPE_BASE,
L"(objectCategory=*)",
rgwszDSAttrs,
0,
&timeout,
&SearchResults))
goto error;
Entry = ldap_first_entry(pld, SearchResults);
if(NULL == Entry)
goto error;
awszValues = ldap_get_values(pld, Entry, rgwszDSAttrs[0]);
if(NULL==awszValues)
goto error;
if(NULL==awszValues[0])
goto error;
//retrieve the invocationId attribute
timeout.tv_sec = 300;
timeout.tv_usec = 0;
if(LDAP_SUCCESS != ldap_search_stW(
pld,
awszValues[0],
LDAP_SCOPE_BASE,
L"(objectCategory=*)",
rgwszIDAttr,
0,
&timeout,
&SearchIDResult))
goto error;
Entry = ldap_first_entry(pld, SearchIDResult);
if(NULL == Entry)
goto error;
apUUID = ldap_get_values_len(pld, Entry, rgwszIDAttr[0]);
if(NULL == apUUID)
goto error;
if(NULL == (*apUUID))
goto error;
pbUUID = (BYTE *)LocalAlloc(LPTR, (*apUUID)->bv_len);
if(NULL == (pbUUID))
goto error;
if(0 == ((*apUUID)->bv_len))
goto error;
if(NULL == ((*apUUID)->bv_val))
goto error;
memcpy(pbUUID, (*apUUID)->bv_val, (*apUUID)->bv_len);
if(RPC_S_OK != UuidToStringW((UUID *)pbUUID, ppwszID))
goto error;
fResult=TRUE;
error:
if(pbUUID)
LocalFree(pbUUID);
if(apUUID)
ldap_value_free_len(apUUID);
if(SearchIDResult)
ldap_msgfree(SearchIDResult);
if(awszValues)
ldap_value_free(awszValues);
if(SearchResults)
ldap_msgfree(SearchResults);
return fResult;
}
//--------------------------------------------------------------------------
//
// AEDownloadStore
//
//--------------------------------------------------------------------------
BOOL WINAPI AEDownloadStore(LDAP *pld)
{
BOOL fResult = TRUE;
DWORD dwIndex = 0;
AE_DS_INFO AEDSInfo;
LPWSTR wszConfig = NULL;
LPWSTR pwszDCInvocationID = NULL;
memset(&AEDSInfo, 0, sizeof(AEDSInfo));
if(S_OK != AEGetConfigDN(pld, &wszConfig))
{
fResult=FALSE;
goto error;
}
//get the pwszDCInvocationID. NULL means AENeedToUpdateDSCache will return TRUE
AERetrieveInvocationID(pld, &pwszDCInvocationID);
if(AENeedToUpdateDSCache(pld, pwszDCInvocationID, wszConfig, &AEDSInfo))
{
for(dwIndex =0; dwIndex < g_dwStoreInfo; dwIndex++)
{
fResult = fResult && (S_OK == AEUpdateCertificateStore(
pld,
wszConfig,
g_rgStoreInfo[dwIndex].pwszStoreName,
g_rgStoreInfo[dwIndex].pwszLdapPath));
}
//only update the new DS cached information if we have a successful download
if((fResult) && (TRUE == AEDSInfo.fValidData) && (pwszDCInvocationID))
AEUpdateDSCache(pwszDCInvocationID, &AEDSInfo);
}
error:
if(pwszDCInvocationID)
RpcStringFreeW(&pwszDCInvocationID);
if(wszConfig)
{
LocalFree(wszConfig);
}
return fResult;
}
//--------------------------------------------------------------------------
//
// AESetWakeUpFlag
//
// We set the flag to tell winlogon if autoenrollment should be waken up
// during each policy check
//
//--------------------------------------------------------------------------
BOOL WINAPI AESetWakeUpFlag(BOOL fMachine, BOOL fWakeUp)
{
BOOL fResult = FALSE;
DWORD dwDisp = 0;
DWORD dwFlags = 0;
HKEY hAEKey = NULL;
if(ERROR_SUCCESS != RegCreateKeyEx(
fMachine ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
AUTO_ENROLLMENT_FLAG_KEY,
0,
L"",
REG_OPTION_NON_VOLATILE,
KEY_ALL_ACCESS,
NULL,
&hAEKey,
&dwDisp))
goto Ret;
if(fWakeUp)
dwFlags = AUTO_ENROLLMENT_WAKE_UP_REQUIRED;
if(ERROR_SUCCESS != RegSetValueEx(
hAEKey,
AUTO_ENROLLMENT_FLAG,
0,
REG_DWORD,
(PBYTE)&dwFlags,
sizeof(dwFlags)))
goto Ret;
fResult=TRUE;
Ret:
if(hAEKey)
RegCloseKey(hAEKey);
return fResult;
}
//--------------------------------------------------------------------------
//
// AESetWakeUpTimer
//
// Set the timer to wake us up in 8 hrs
//
//--------------------------------------------------------------------------
BOOL WINAPI AESetWakeUpTimer(BOOL fMachine, LARGE_INTEGER *pPreTime, LARGE_INTEGER *pPostTime)
{
HRESULT hr;
HKEY hKey;
HKEY hCurrent;
DWORD dwType, dwSize, dwResult;
LONG lTimeout;
LARGE_INTEGER DueTime;
WCHAR * wszTimerName;
LARGE_INTEGER EnrollmentTime;
// must be cleaned up
HANDLE hTimer=NULL;
// Build a timer event to ping us in about 8 hours if we don't get notified sooner.
lTimeout=AE_DEFAULT_REFRESH_RATE;
// Query for the refresh timer value
if (ERROR_SUCCESS==RegOpenKeyEx((fMachine?HKEY_LOCAL_MACHINE:HKEY_CURRENT_USER), SYSTEM_POLICIES_KEY, 0, KEY_READ, &hKey)) {
dwSize=sizeof(lTimeout);
if(ERROR_SUCCESS != RegQueryValueEx(hKey, TEXT("AutoEnrollmentRefreshTime"), NULL, &dwType, (LPBYTE) &lTimeout, &dwSize))
{
lTimeout=AE_DEFAULT_REFRESH_RATE;
}
else
{
if(REG_DWORD != dwType)
lTimeout=AE_DEFAULT_REFRESH_RATE;
}
RegCloseKey(hKey);
}
// Limit the timeout to once every 240 hours (10 days)
if (lTimeout>=240) {
lTimeout=240;
} else if (lTimeout<0) {
lTimeout=0;
}
// Convert hours to milliseconds
lTimeout=lTimeout*60*60*1000;
// Special case 0 milliseconds to be 7 seconds
if (lTimeout==0) {
lTimeout=7000;
}
// convert to 10^-7s. not yet negative values are relative
DueTime.QuadPart=Int32x32To64(-10000, lTimeout);
// if user has hold on the UI for too long and the cycle passed the 8 hours.
// we set the time for 1 hour
EnrollmentTime.QuadPart=pPostTime->QuadPart - pPreTime->QuadPart;
if(EnrollmentTime.QuadPart > 0)
{
if((-(DueTime.QuadPart)) > EnrollmentTime.QuadPart)
{
DueTime.QuadPart = DueTime.QuadPart + EnrollmentTime.QuadPart;
}
else
{
// Convert hours to milliseconds
lTimeout=AE_DEFAULT_POSTPONE*60*60*1000;
DueTime.QuadPart = Int32x32To64(-10000, lTimeout);
}
}
// find the timer
if (fMachine) {
wszTimerName=L"Global\\" MACHINE_AUTOENROLLMENT_TIMER_NAME;
} else {
wszTimerName=USER_AUTOENROLLMENT_TIMER_NAME;
}
hTimer=OpenWaitableTimer(TIMER_MODIFY_STATE, false, wszTimerName);
if (NULL==hTimer) {
hr=HRESULT_FROM_WIN32(GetLastError());
AE_DEBUG((AE_ERROR, L"OpenWaitableTimer(%s) failed with 0x%08X.\n", wszTimerName, hr));
goto error;
}
// set the timer
if (!SetWaitableTimer (hTimer, &DueTime, 0, NULL, 0, FALSE)) {
hr=HRESULT_FROM_WIN32(GetLastError());
AE_DEBUG((AE_ERROR, L"SetWaitableTimer failed with 0x%08X.\n", hr));
goto error;
}
AE_DEBUG((AE_INFO, L"Set wakeup timer.\n"));
hr=S_OK;
error:
if (NULL!=hTimer) {
CloseHandle(hTimer);
}
return (S_OK==hr);
}
//--------------------------------------------------------------------------
//
// AEGetPendingRequestProperty
//
//--------------------------------------------------------------------------
BOOL AEGetPendingRequestProperty(IEnroll4 *pIEnroll4,
DWORD dwIndex,
DWORD dwProp,
LPVOID pProp)
{
CRYPT_DATA_BLOB *pBlob=NULL;
BOOL fResult=FALSE;
if((NULL==pIEnroll4) || (NULL==pProp))
return FALSE;
switch(dwProp)
{
case XEPR_REQUESTID:
case XEPR_DATE:
case XEPR_VERSION:
fResult = (S_OK == pIEnroll4->enumPendingRequestWStr(dwIndex, dwProp, pProp));
break;
case XEPR_CANAME:
case XEPR_CAFRIENDLYNAME:
case XEPR_CADNS:
case XEPR_V1TEMPLATENAME:
case XEPR_V2TEMPLATEOID:
case XEPR_HASH:
pBlob=(CRYPT_DATA_BLOB *)pProp;
pBlob->cbData=0;
pBlob->pbData=NULL;
if(S_OK != pIEnroll4->enumPendingRequestWStr(dwIndex, dwProp, pProp))
goto Ret;
if(0 == pBlob->cbData)
goto Ret;
pBlob->pbData=(BYTE *)LocalAlloc(LPTR, pBlob->cbData);
if(NULL == pBlob->pbData)
goto Ret;
fResult = (S_OK == pIEnroll4->enumPendingRequestWStr(dwIndex, dwProp, pProp));
break;
default:
break;
}
Ret:
if(FALSE==fResult)
{
if(pBlob)
{
if(pBlob->pbData)
LocalFree(pBlob->pbData);
memset(pBlob, 0, sizeof(CRYPT_DATA_BLOB));
}
}
return fResult;
}
//--------------------------------------------------------------------------
//
// AERetrieveRequestProperty
//
//--------------------------------------------------------------------------
BOOL AERetrieveRequestProperty(IEnroll4 *pIEnroll4,
DWORD dwIndex,
DWORD *pdwCount,
DWORD *pdwMax,
CRYPT_DATA_BLOB **prgblobHash)
{
BOOL fResult=FALSE;
CRYPT_DATA_BLOB *pblobHash=NULL;
if((NULL==pIEnroll4) || (NULL==pdwCount) || (NULL==pdwMax) || (NULL==prgblobHash) ||
(NULL==*prgblobHash))
goto Ret;
//need to alloc more memory
if((*pdwCount) >= (*pdwMax))
{
pblobHash=*prgblobHash;
*prgblobHash=(CRYPT_DATA_BLOB *)LocalAlloc(LPTR,
((*pdwMax) + PENDING_ALLOC_SIZE) * sizeof(CRYPT_DATA_BLOB));
if(NULL==(*prgblobHash))
{
*prgblobHash=pblobHash;
pblobHash=NULL;
goto Ret;
}
memset(*prgblobHash, 0, ((*pdwMax) + PENDING_ALLOC_SIZE) * sizeof(CRYPT_DATA_BLOB));
//copy the old memmory
memcpy(*prgblobHash, pblobHash, (*pdwMax) * sizeof(CRYPT_DATA_BLOB));
*pdwMax=(*pdwMax) + PENDING_ALLOC_SIZE;
}
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_HASH,
&((*prgblobHash)[*pdwCount])))
goto Ret;
(*pdwCount)=(*pdwCount) + 1;
fResult=TRUE;
Ret:
if(pblobHash)
LocalFree(pblobHash);
return fResult;
}
//--------------------------------------------------------------------------
//
// AERemovePendingRequest
//
//--------------------------------------------------------------------------
BOOL AERemovePendingRequest(IEnroll4 *pIEnroll4,
DWORD dwCount,
CRYPT_DATA_BLOB *rgblobHash)
{
DWORD dwIndex=0;
BOOL fResult=TRUE;
if((NULL==pIEnroll4) || (NULL==rgblobHash))
return FALSE;
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
{
if(S_OK != (pIEnroll4->removePendingRequestWStr(rgblobHash[dwIndex])))
fResult=FALSE;
}
return fResult;
}
//--------------------------------------------------------------------------
//
// AEFreePendingRequests
//
//--------------------------------------------------------------------------
BOOL AEFreePendingRequests(DWORD dwCount, CRYPT_DATA_BLOB *rgblobHash)
{
DWORD dwIndex=0;
if(rgblobHash)
{
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
{
if(rgblobHash[dwIndex].pbData)
LocalFree(rgblobHash[dwIndex].pbData);
}
LocalFree(rgblobHash);
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEValidVersionCert
//
// Verify the certificate returned from CA has the latest version info.
// If so, copy the certificate to the hIssuedStore for potentical publishing
//
//--------------------------------------------------------------------------
BOOL AEValidVersionCert(AE_CERTTYPE_INFO *pCertType, IEnroll4 *pIEnroll4, CRYPT_DATA_BLOB *pBlobPKCS7)
{
BOOL fValid=FALSE;
PCCERT_CONTEXT pCertContext=NULL;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
if((NULL==pCertType) || (NULL==pIEnroll4) || (NULL==pBlobPKCS7))
goto Ret;
if(NULL==(pBlobPKCS7->pbData))
goto Ret;
if(S_OK != pIEnroll4->getCertContextFromResponseBlob(pBlobPKCS7, &pCertContext))
goto Ret;
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
goto Ret;
if(AETemplateInfo.pwszOid)
{
if(AETemplateInfo.dwVersion >= (pCertType->dwVersion))
fValid=TRUE;
}
else
{
//V1 template
if(NULL == AETemplateInfo.pwszName)
goto Ret;
fValid=TRUE;
}
if(pCertContext && (TRUE == fValid))
{
CertAddCertificateContextToStore(pCertType->hIssuedStore,
pCertContext,
CERT_STORE_ADD_USE_EXISTING,
NULL);
}
Ret:
if(pCertContext)
CertFreeCertificateContext(pCertContext);
AEFreeTemplateInfo(&AETemplateInfo);
return fValid;
}
//--------------------------------------------------------------------------
//
// AECopyPendingBlob
//
// Copy the issued PKCS7 and request hash.
//
//--------------------------------------------------------------------------
BOOL AECopyPendingBlob(CRYPT_DATA_BLOB *pBlobPKCS7,
IEnroll4 *pIEnroll4,
DWORD dwXenrollIndex,
AE_CERTTYPE_INFO *pCertType)
{
BOOL fResult=FALSE;
DWORD dwIndex=0;
AE_PEND_INFO *pPendInfo=NULL;
if((NULL==pBlobPKCS7)||(NULL==pIEnroll4)||(NULL==pCertType))
goto Ret;
if(NULL==(pBlobPKCS7->pbData))
goto Ret;
dwIndex=pCertType->dwPendCount;
//increase the memory array
if(0 != dwIndex)
{
pPendInfo=pCertType->rgPendInfo;
pCertType->rgPendInfo=(AE_PEND_INFO *)LocalAlloc(LPTR,
(dwIndex + 1) * sizeof(AE_PEND_INFO));
if(NULL==(pCertType->rgPendInfo))
{
pCertType->rgPendInfo=pPendInfo;
pPendInfo=NULL;
goto Ret;
}
memset(pCertType->rgPendInfo, 0, (dwIndex + 1) * sizeof(AE_PEND_INFO));
//copy the old memmory
memcpy(pCertType->rgPendInfo, pPendInfo, (dwIndex) * sizeof(AE_PEND_INFO));
}
else
{
pCertType->rgPendInfo=(AE_PEND_INFO *)LocalAlloc(LPTR, sizeof(AE_PEND_INFO));
if(NULL==(pCertType->rgPendInfo))
goto Ret;
memset(pCertType->rgPendInfo, 0, sizeof(AE_PEND_INFO));
}
//copy the issued PKCS7 blob
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData=(BYTE *)LocalAlloc(
LPTR,
pBlobPKCS7->cbData);
if(NULL == ((pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData))
goto Ret;
memcpy((pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData,
pBlobPKCS7->pbData,
pBlobPKCS7->cbData);
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.cbData=pBlobPKCS7->cbData;
//copy the hash of the request
if(!AEGetPendingRequestProperty(pIEnroll4, dwXenrollIndex, XEPR_HASH,
&((pCertType->rgPendInfo)[dwIndex].blobHash)))
{
LocalFree((pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData);
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData=NULL;
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.cbData=0;
goto Ret;
}
(pCertType->dwPendCount)++;
fResult=TRUE;
Ret:
if(pPendInfo)
LocalFree(pPendInfo);
return fResult;
}
//--------------------------------------------------------------------------
//
// AEProcessUIPendingRequest
//
// In this function, we install the issued pending certificate request
// that will require UI.
//
//--------------------------------------------------------------------------
BOOL WINAPI AEProcessUIPendingRequest(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex=0;
DWORD dwPendIndex=0;
AE_CERTTYPE_INFO *pCertTypeInfo=pAE_General_Info->rgCertTypeInfo;
AE_CERTTYPE_INFO *pCertType=NULL;
BOOL fInit=FALSE;
PFNPIEnroll4GetNoCOM pfnPIEnroll4GetNoCOM=NULL;
HMODULE hXenroll=NULL;
HRESULT hr=E_FAIL;
IEnroll4 *pIEnroll4=NULL;
if(NULL==pAE_General_Info)
goto Ret;
//has to be in the UI mode
if(FALSE == pAE_General_Info->fUIProcess)
goto Ret;
if(NULL==pCertTypeInfo)
goto Ret;
hXenroll=pAE_General_Info->hXenroll;
if(NULL==hXenroll)
goto Ret;
if(NULL==(pfnPIEnroll4GetNoCOM=(PFNPIEnroll4GetNoCOM)GetProcAddress(
hXenroll,
"PIEnroll4GetNoCOM")))
goto Ret;
if(FAILED(CoInitialize(NULL)))
goto Ret;
fInit=TRUE;
if(NULL==(pIEnroll4=pfnPIEnroll4GetNoCOM()))
goto Ret;
//Set the request store flag based on fMachine
if(pAE_General_Info->fMachine)
{
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_LOCAL_MACHINE))
goto Ret;
}
else
{
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_CURRENT_USER))
goto Ret;
}
//initialize the enumerator
if(S_OK != pIEnroll4->enumPendingRequestWStr(XEPR_ENUM_FIRST, 0, NULL))
goto Ret;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
pCertType = &(pCertTypeInfo[dwIndex]);
if(pCertType->dwPendCount)
{
for(dwPendIndex=0; dwPendIndex < pCertType->dwPendCount; dwPendIndex++)
{
//check if cancel button is clicked
if(AECancelled(pAE_General_Info->hCancelEvent))
break;
//report the current enrollment action
AEUIProgressReport(TRUE, pCertType, pAE_General_Info->hwndDlg, pAE_General_Info->hCancelEvent);
//install the certificate
if(S_OK == (hr = pIEnroll4->acceptResponseBlob(
&((pCertType->rgPendInfo)[dwPendIndex].blobPKCS7))))
{
//mark the status to obtained if required
//this is a valid certificate
if(AEValidVersionCert(pCertType, pIEnroll4, &((pCertType->rgPendInfo)[dwPendIndex].blobPKCS7)))
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
//the certificate is successfully issued and installed
//remove the request from the request store
pIEnroll4->removePendingRequestWStr((pCertType->rgPendInfo)[dwPendIndex].blobHash);
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
FALSE,
S_OK,
EVENT_PENDING_INSTALLED,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
1,
pCertType->awszDisplay[0]);
}
else
{
//doing this for summary page
if((SCARD_E_CANCELLED != hr) && (SCARD_W_CANCELLED_BY_USER != hr))
pCertType->idsSummary=IDS_SUMMARY_INSTALL;
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
TRUE,
hr,
EVENT_PENDING_FAILED,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
1,
pCertType->awszDisplay[0]);
}
//advance progress
AEUIProgressAdvance(pAE_General_Info);
}
}
}
Ret:
if(pIEnroll4)
pIEnroll4->Release();
if(fInit)
CoUninitialize();
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEProcessPendingRequest -- UIless call.
//
// In this function, we check each pending requests in the request store.
// We install the certificate is the request has been issued by the CA, and
// mark the certificate type status to obtained if the certificate is issued
// and of correct version
//
// We remove any requests that are stale based on the # of days defined
// in the registry. If no value is defined in the registry, use
// AE_PENDING_REQUEST_ACTIVE_PERIOD (60 days).
//
// Also, if there is no more pending requests active in the request store,
// we set the registry value to indicate that winlogon should not wake us up.
//
//--------------------------------------------------------------------------
BOOL WINAPI AEProcessPendingRequest(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwRequestID=0;
LONG dwDisposition=0;
DWORD dwIndex=0;
DWORD dwCount=0;
DWORD dwMax=PENDING_ALLOC_SIZE;
AE_CERTTYPE_INFO *pCertType=NULL;
PFNPIEnroll4GetNoCOM pfnPIEnroll4GetNoCOM=NULL;
BOOL fInit=FALSE;
AE_TEMPLATE_INFO AETemplateInfo;
CRYPT_DATA_BLOB blobPKCS7;
HMODULE hXenroll=NULL;
VARIANT varCMC;
HRESULT hr=E_FAIL;
IEnroll4 *pIEnroll4=NULL;
ICertRequest2 *pICertRequest=NULL;
BSTR bstrCert=NULL;
LPWSTR pwszCAConfig=NULL;
BSTR bstrConfig=NULL;
CRYPT_DATA_BLOB *rgblobHash=NULL;
CRYPT_DATA_BLOB blobCAName;
CRYPT_DATA_BLOB blobCALocation;
CRYPT_DATA_BLOB blobName;
if(NULL==pAE_General_Info)
goto Ret;
//init the dwUIPendCount to 0
pAE_General_Info->dwUIPendCount=0;
//has to be in the UIless mode
if(TRUE == pAE_General_Info->fUIProcess)
goto Ret;
hXenroll=pAE_General_Info->hXenroll;
if(NULL==hXenroll)
goto Ret;
if(NULL==(pfnPIEnroll4GetNoCOM=(PFNPIEnroll4GetNoCOM)GetProcAddress(
hXenroll,
"PIEnroll4GetNoCOM")))
goto Ret;
if(FAILED(CoInitialize(NULL)))
goto Ret;
fInit=TRUE;
if(NULL==(pIEnroll4=pfnPIEnroll4GetNoCOM()))
goto Ret;
if(S_OK != CoCreateInstance(CLSID_CCertRequest,
NULL,
CLSCTX_INPROC_SERVER,
IID_ICertRequest2,
(void **)&pICertRequest))
goto Ret;
//Set the request store flag based on fMachine
if(pAE_General_Info->fMachine)
{
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_LOCAL_MACHINE))
goto Ret;
}
else
{
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_CURRENT_USER))
goto Ret;
}
memset(&blobCAName, 0, sizeof(blobCAName));
memset(&blobCALocation, 0, sizeof(blobCALocation));
memset(&blobName, 0, sizeof(blobName));
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
rgblobHash=(CRYPT_DATA_BLOB *)LocalAlloc(LPTR, dwMax * sizeof(CRYPT_DATA_BLOB));
if(NULL==rgblobHash)
goto Ret;
memset(rgblobHash, 0, dwMax * sizeof(CRYPT_DATA_BLOB));
//initialize the enumerator
if(S_OK != pIEnroll4->enumPendingRequestWStr(XEPR_ENUM_FIRST, 0, NULL))
goto Ret;
//initlialize the variant
VariantInit(&varCMC);
while(AEGetPendingRequestProperty(
pIEnroll4,
dwIndex,
XEPR_REQUESTID,
&dwRequestID))
{
//query the status of the requests to the CA
if(!AEGetPendingRequestProperty(
pIEnroll4,
dwIndex,
XEPR_CANAME,
&blobCAName))
goto Next;
if(!AEGetPendingRequestProperty(
pIEnroll4,
dwIndex,
XEPR_CADNS,
&blobCALocation))
goto Next;
//build the config string
pwszCAConfig=(LPWSTR)LocalAlloc(LPTR,
sizeof(WCHAR) * (wcslen((LPWSTR)(blobCALocation.pbData)) + wcslen((LPWSTR)(blobCAName.pbData)) + wcslen(L"\\") + 1));
if(NULL==pwszCAConfig)
goto Next;
wcscpy(pwszCAConfig, (LPWSTR)(blobCALocation.pbData));
wcscat(pwszCAConfig, L"\\");
wcscat(pwszCAConfig, (LPWSTR)(blobCAName.pbData));
//conver to bstr
bstrConfig=SysAllocString(pwszCAConfig);
if(NULL==bstrConfig)
goto Next;
//find the template information
//get the version and the template name of the request
if(AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V2TEMPLATEOID, &blobName))
{
AETemplateInfo.pwszOid=(LPWSTR)blobName.pbData;
}
else
{
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V1TEMPLATENAME, &blobName))
goto Next;
AETemplateInfo.pwszName=(LPWSTR)blobName.pbData;
}
//find the template
if(NULL==(pCertType=AEFindTemplateInRequestTree(
&AETemplateInfo, pAE_General_Info)))
goto Next;
if(S_OK != pICertRequest->RetrievePending(
dwRequestID,
bstrConfig,
&dwDisposition))
goto Next;
switch(dwDisposition)
{
case CR_DISP_ISSUED:
if(S_OK != pICertRequest->GetFullResponseProperty(
FR_PROP_FULLRESPONSE, 0, PROPTYPE_BINARY, CR_OUT_BINARY,
&varCMC))
{
goto Next;
}
// Check to make sure we've gotten a BSTR back:
if (VT_BSTR != varCMC.vt)
{
goto Next;
}
bstrCert = varCMC.bstrVal;
// Marshal the cert into a CRYPT_DATA_BLOB:
blobPKCS7.cbData = (DWORD)SysStringByteLen(bstrCert);
blobPKCS7.pbData = (BYTE *)bstrCert;
// we will keep the PKCS7 blob for installation
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCertType->dwEnrollmentFlag))
{
//signal that we should pop up the UI balloon
(pAE_General_Info->dwUIPendCount)++;
//copy the PKCS7 blob from the cert server
AECopyPendingBlob(&blobPKCS7,
pIEnroll4,
dwIndex,
pCertType);
}
else
{
//install the certificate
if(S_OK != (hr = pIEnroll4->acceptResponseBlob(&blobPKCS7)))
{
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
TRUE,
hr,
EVENT_PENDING_FAILED,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
1,
pCertType->awszDisplay[0]);
goto Next;
}
//mark the status to obtained if required
//this is a valid certificate
if(AEValidVersionCert(pCertType, pIEnroll4, &blobPKCS7))
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
//the certificate is successfully issued and installed
//remove the request from the request store
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
}
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
FALSE,
S_OK,
EVENT_PENDING_ISSUED,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
2,
pCertType->awszDisplay[0],
pwszCAConfig);
break;
case CR_DISP_UNDER_SUBMISSION:
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
FALSE,
S_OK,
EVENT_PENDING_PEND,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
2,
pCertType->awszDisplay[0],
pwszCAConfig);
break;
case CR_DISP_INCOMPLETE:
case CR_DISP_ERROR:
case CR_DISP_DENIED:
case CR_DISP_ISSUED_OUT_OF_BAND: //we consider it a failure in this case
case CR_DISP_REVOKED:
default:
//requests failed. remove the request from the request store
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
if(S_OK == pICertRequest->GetLastStatus(&hr))
{
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
TRUE,
hr,
EVENT_PENDING_DENIED,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
2,
pwszCAConfig,
pCertType->awszDisplay[0]);
}
break;
}
Next:
if(pwszCAConfig)
LocalFree(pwszCAConfig);
pwszCAConfig=NULL;
if(bstrConfig)
SysFreeString(bstrConfig);
bstrConfig=NULL;
if(bstrCert)
SysFreeString(bstrCert);
bstrCert=NULL;
if(blobCAName.pbData)
LocalFree(blobCAName.pbData);
memset(&blobCAName, 0, sizeof(blobCAName));
if(blobCALocation.pbData)
LocalFree(blobCALocation.pbData);
memset(&blobCALocation, 0, sizeof(blobCALocation));
if(blobName.pbData)
LocalFree(blobName.pbData);
memset(&blobName, 0, sizeof(blobName));
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
VariantInit(&varCMC);
dwIndex++;
}
//remove the requests based the hash
AERemovePendingRequest(pIEnroll4, dwCount, rgblobHash);
Ret:
AEFreePendingRequests(dwCount, rgblobHash);
if(pICertRequest)
pICertRequest->Release();
if(pIEnroll4)
pIEnroll4->Release();
if(fInit)
CoUninitialize();
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEIsLocalSystem
//
//--------------------------------------------------------------------------
BOOL
AEIsLocalSystem(BOOL *pfIsLocalSystem)
{
HANDLE hToken = 0;
SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
BOOL fRet = FALSE;
BOOL fRevertToSelf = FALSE;
PSID psidLocalSystem = NULL;
*pfIsLocalSystem = FALSE;
if (!OpenThreadToken(
GetCurrentThread(),
TOKEN_QUERY,
TRUE,
&hToken))
{
if (ERROR_NO_TOKEN != GetLastError())
goto Ret;
//we need to impersonateself and get the thread token again
if(!ImpersonateSelf(SecurityImpersonation))
goto Ret;
fRevertToSelf = TRUE;
if (!OpenThreadToken(
GetCurrentThread(),
TOKEN_QUERY,
TRUE,
&hToken))
goto Ret;
}
//build the well known local system SID (s-1-5-18)
if (!AllocateAndInitializeSid(
&siaNtAuthority,
1,
SECURITY_LOCAL_SYSTEM_RID,
0, 0, 0, 0, 0, 0, 0,
&psidLocalSystem
))
goto Ret;
fRet = CheckTokenMembership(
hToken,
psidLocalSystem,
pfIsLocalSystem);
Ret:
if(fRevertToSelf)
RevertToSelf();
if(psidLocalSystem)
FreeSid(psidLocalSystem);
if (hToken)
CloseHandle(hToken);
return fRet;
}
//--------------------------------------------------------------------------
//
// AEInSafeBoot
//
// copied from the service controller code
//--------------------------------------------------------------------------
BOOL WINAPI AEInSafeBoot()
{
DWORD dwSafeBoot = 0;
DWORD cbSafeBoot = sizeof(dwSafeBoot);
DWORD dwType = 0;
HKEY hKeySafeBoot = NULL;
if(ERROR_SUCCESS == RegOpenKeyW(
HKEY_LOCAL_MACHINE,
L"system\\currentcontrolset\\control\\safeboot\\option",
&hKeySafeBoot))
{
// we did in fact boot under safeboot control
if(ERROR_SUCCESS != RegQueryValueExW(
hKeySafeBoot,
L"OptionValue",
NULL,
&dwType,
(LPBYTE)&dwSafeBoot,
&cbSafeBoot))
{
dwSafeBoot = 0;
}
if(hKeySafeBoot)
RegCloseKey(hKeySafeBoot);
}
return (0 != dwSafeBoot);
}
//--------------------------------------------------------------------------
//
// AEIsDomainMember
//
//--------------------------------------------------------------------------
BOOL WINAPI AEIsDomainMember()
{
DWORD dwErr;
BOOL bIsDomainMember=FALSE;
// must be cleaned up
DSROLE_PRIMARY_DOMAIN_INFO_BASIC * pDomInfo=NULL;
dwErr=DsRoleGetPrimaryDomainInformation(NULL, DsRolePrimaryDomainInfoBasic, (BYTE **)&pDomInfo);
if (ERROR_SUCCESS==dwErr)
{
if (DsRole_RoleStandaloneWorkstation!=pDomInfo->MachineRole
&& DsRole_RoleStandaloneServer!=pDomInfo->MachineRole)
{
//no autoenrollment on NT4
if(NULL != (pDomInfo->DomainNameDns))
{
bIsDomainMember=TRUE;
}
}
}
if (NULL!=pDomInfo)
{
DsRoleFreeMemory(pDomInfo);
}
return bIsDomainMember;
}
//-----------------------------------------------------------------------
//
// AEGetPolicyFlag
//
//-----------------------------------------------------------------------
BOOL AEGetPolicyFlag(BOOL fMachine, DWORD *pdwPolicy)
{
DWORD dwPolicy = 0;
DWORD cbPolicy = sizeof(dwPolicy);
DWORD dwType = 0;
HKEY hKey = NULL;
if(ERROR_SUCCESS == RegOpenKeyW(
fMachine ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
AUTO_ENROLLMENT_KEY,
&hKey))
{
if(ERROR_SUCCESS != RegQueryValueExW(
hKey,
AUTO_ENROLLMENT_POLICY,
NULL,
&dwType,
(LPBYTE)&dwPolicy,
&cbPolicy))
{
dwPolicy = 0;
}
else
{
if(REG_DWORD != dwType)
dwPolicy=0;
}
if(hKey)
RegCloseKey(hKey);
}
*pdwPolicy=dwPolicy;
return TRUE;
}
//-----------------------------------------------------------------------
//
// AERetrieveLogLevel
//
//-----------------------------------------------------------------------
BOOL AERetrieveLogLevel(BOOL fMachine, DWORD *pdwLogLevel)
{
DWORD dwLogLevel = STATUS_SEVERITY_ERROR; //we default to highest logging level
DWORD cbLogLevel = sizeof(dwLogLevel);
DWORD dwType = 0;
HKEY hKey = NULL;
if(ERROR_SUCCESS == RegOpenKeyW(
fMachine ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
AUTO_ENROLLMENT_EVENT_LEVEL_KEY,
&hKey))
{
if(ERROR_SUCCESS != RegQueryValueExW(
hKey,
AUTO_ENROLLMENT_EVENT_LEVEL,
NULL,
&dwType,
(LPBYTE)&dwLogLevel,
&cbLogLevel))
{
dwLogLevel = STATUS_SEVERITY_ERROR;
}
else
{
if(REG_DWORD != dwType)
dwLogLevel = STATUS_SEVERITY_ERROR;
}
if(hKey)
RegCloseKey(hKey);
}
*pdwLogLevel=dwLogLevel;
return TRUE;
}
//-----------------------------------------------------------------------
//
// AERetrieveTemplateInfo
//
//-----------------------------------------------------------------------
BOOL AERetrieveTemplateInfo(PCCERT_CONTEXT pCertCurrent,
AE_TEMPLATE_INFO *pTemplateInfo)
{
BOOL fResult = FALSE;
PCERT_EXTENSION pExt = NULL;
DWORD cbData=0;
CERT_NAME_VALUE *pbName = NULL;
CERT_TEMPLATE_EXT *pbTemplate = NULL;
if((NULL==pCertCurrent) || (NULL==pTemplateInfo))
goto Ret;
memset(pTemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
//try to find V2 template extension first
if(pExt = CertFindExtension(szOID_CERTIFICATE_TEMPLATE,
pCertCurrent->pCertInfo->cExtension,
pCertCurrent->pCertInfo->rgExtension))
{
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_CERTIFICATE_TEMPLATE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pbTemplate = (CERT_TEMPLATE_EXT *)LocalAlloc(LPTR, cbData);
if(NULL==pbTemplate)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_CERTIFICATE_TEMPLATE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbTemplate,
&cbData))
goto Ret;
//copy the version
pTemplateInfo->dwVersion=pbTemplate->dwMajorVersion;
//copy the extension oid
if(NULL==pbTemplate->pszObjId)
goto Ret;
if(0 == (cbData = MultiByteToWideChar(CP_ACP,
0,
pbTemplate->pszObjId,
-1,
NULL,
0)))
goto Ret;
if(NULL==(pTemplateInfo->pwszOid=(LPWSTR)LocalAlloc(LPTR, cbData * sizeof(WCHAR))))
goto Ret;
if(0 == MultiByteToWideChar(CP_ACP,
0,
pbTemplate->pszObjId,
-1,
pTemplateInfo->pwszOid,
cbData))
goto Ret;
}
else
{
//try V1 template extension
if(NULL == (pExt = CertFindExtension(
szOID_ENROLL_CERTTYPE_EXTENSION,
pCertCurrent->pCertInfo->cExtension,
pCertCurrent->pCertInfo->rgExtension)))
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
X509_UNICODE_ANY_STRING,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pbName = (CERT_NAME_VALUE *)LocalAlloc(LPTR, cbData);
if(NULL==pbName)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
X509_UNICODE_ANY_STRING,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbName,
&cbData))
goto Ret;
if(!AEAllocAndCopy((LPWSTR)(pbName->Value.pbData),
&(pTemplateInfo->pwszName)))
goto Ret;
}
fResult = TRUE;
Ret:
if(pbTemplate)
LocalFree(pbTemplate);
if(pbName)
LocalFree(pbName);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEFreeTemplateInfo
//
//-----------------------------------------------------------------------
BOOL AEFreeTemplateInfo(AE_TEMPLATE_INFO *pAETemplateInfo)
{
if(pAETemplateInfo->pwszName)
LocalFree(pAETemplateInfo->pwszName);
if(pAETemplateInfo->pwszOid)
LocalFree(pAETemplateInfo->pwszOid);
memset(pAETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEFindTemplateInRequestTree
//
//-----------------------------------------------------------------------
AE_CERTTYPE_INFO *AEFindTemplateInRequestTree(AE_TEMPLATE_INFO *pTemplateInfo,
AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex = 0;
AE_CERTTYPE_INFO *rgCertTypeInfo=NULL;
AE_CERTTYPE_INFO *pCertType=NULL;
if(NULL == (rgCertTypeInfo=pAE_General_Info->rgCertTypeInfo))
return NULL;
if( (NULL == pTemplateInfo->pwszName) && (NULL == pTemplateInfo->pwszOid))
return NULL;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(pTemplateInfo->pwszOid)
{
//we are guaranteed to have an OID if the schema is greater than or equal to 2
if(rgCertTypeInfo[dwIndex].dwSchemaVersion >= CERTTYPE_SCHEMA_VERSION_2)
{
if(0 == wcscmp(pTemplateInfo->pwszOid, (rgCertTypeInfo[dwIndex].awszOID)[0]))
{
pCertType = &(rgCertTypeInfo[dwIndex]);
break;
}
}
}
else
{
//we are guaranteed to have a name
if(0 == wcscmp(pTemplateInfo->pwszName, (rgCertTypeInfo[dwIndex].awszName)[0]))
{
pCertType = &(rgCertTypeInfo[dwIndex]);
break;
}
}
}
return pCertType;
}
//-----------------------------------------------------------------------
//
// AEGetDNSNameFromCertificate
//
//-----------------------------------------------------------------------
BOOL AEGetDNSNameFromCertificate(PCCERT_CONTEXT pCertContext,
LPWSTR *ppwszDnsName)
{
BOOL fResult=FALSE;
PCERT_EXTENSION pExt=NULL;
DWORD cbData=0;
DWORD iAltName=0;
DWORD dwSize=0;
PCERT_ALT_NAME_INFO pAltName=NULL;
if((NULL==pCertContext) || (NULL==ppwszDnsName))
goto Ret;
*ppwszDnsName=NULL;
if(NULL == (pExt = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
pCertContext->pCertInfo->cExtension,
pCertContext->pCertInfo->rgExtension)))
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_SUBJECT_ALT_NAME2,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pAltName=(PCERT_ALT_NAME_INFO)LocalAlloc(LPTR, cbData);
if(NULL == pAltName)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_SUBJECT_ALT_NAME2,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pAltName,
&cbData))
goto Ret;
//compare the data in the certificate with what is returned from GetComputerNameEx
for(iAltName=0; iAltName < pAltName->cAltEntry; iAltName++)
{
if(CERT_ALT_NAME_DNS_NAME == ((pAltName->rgAltEntry)[iAltName].dwAltNameChoice))
{
if(pAltName->rgAltEntry[iAltName].pwszDNSName)
{
dwSize=wcslen(pAltName->rgAltEntry[iAltName].pwszDNSName);
if(0 == dwSize)
goto Ret;
*ppwszDnsName=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (dwSize + 1));
if(NULL == (*ppwszDnsName))
goto Ret;
wcscpy(*ppwszDnsName, pAltName->rgAltEntry[iAltName].pwszDNSName);
fResult=TRUE;
break;
}
}
}
Ret:
if(pAltName)
LocalFree(pAltName);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEIsSameDNS
//
//-----------------------------------------------------------------------
BOOL AEIsSameDNS(PCCERT_CONTEXT pFirstCert, PCCERT_CONTEXT pSecondCert)
{
BOOL fSame=FALSE;
LPWSTR pwszFirst=NULL;
LPWSTR pwszSecond=NULL;
AEGetDNSNameFromCertificate(pFirstCert, &pwszFirst);
AEGetDNSNameFromCertificate(pSecondCert, &pwszSecond);
if(NULL == pwszFirst)
{
if(NULL == pwszSecond)
{
fSame=TRUE;
}
}
else
{
if(NULL != pwszSecond)
{
if(0 == _wcsicmp(pwszFirst, pwszSecond))
{
fSame=TRUE;
}
}
}
if(pwszFirst)
LocalFree(pwszFirst);
if(pwszSecond)
LocalFree(pwszSecond);
return fSame;
}
//-----------------------------------------------------------------------
//
// AEGetRetryProperty
//
//-----------------------------------------------------------------------
BOOL AEGetRetryProperty(PCCERT_CONTEXT pCertContext,
AE_RETRY_INFO **ppAE_Retry_Info)
{
BOOL fResult=FALSE;
DWORD cbData=0;
AE_RETRY_INFO *pRetry_Info=NULL;
if((NULL==pCertContext) || (NULL==ppAE_Retry_Info))
goto Ret;
*ppAE_Retry_Info=NULL;
if(!CertGetCertificateContextProperty(
pCertContext,
CERT_AUTO_ENROLL_RETRY_PROP_ID,
NULL,
&cbData))
goto Ret;
pRetry_Info=(AE_RETRY_INFO *)LocalAlloc(LPTR, cbData);
if(NULL == pRetry_Info)
goto Ret;
if(!CertGetCertificateContextProperty(
pCertContext,
CERT_AUTO_ENROLL_RETRY_PROP_ID,
pRetry_Info,
&cbData))
goto Ret;
//verify the integrity of the property on the certificate
if(cbData < sizeof(AE_RETRY_INFO))
goto Ret;
if((pRetry_Info->cbSize) < sizeof(AE_RETRY_INFO))
goto Ret;
*ppAE_Retry_Info=pRetry_Info;
pRetry_Info=NULL;
fResult=TRUE;
Ret:
if(pRetry_Info)
LocalFree(pRetry_Info);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEFasterRetrialSchedule
//
// Determine if the 1st certificate context has a faster retrial schedule
// than the second certifcate based on the CERT_AUTO_ENROLL_RETRY_PROP_ID property
//
//-----------------------------------------------------------------------
BOOL AEFasterRetrialSchedule(PCCERT_CONTEXT pFirstContext,
PCCERT_CONTEXT pSecondContext)
{
BOOL fFaster=FALSE;
AE_RETRY_INFO *pFirst_Retry=NULL;
AE_RETRY_INFO *pSecond_Retry=NULL;
//if the property does not exist, it is always the immediate retrial
if(!AEGetRetryProperty(pFirstContext, &pFirst_Retry))
{
fFaster=TRUE;
goto Ret;
}
//if the property exists on the 1st certificate, but not on the
//second certificate, the second is always faster
if(!AEGetRetryProperty(pSecondContext, &pSecond_Retry))
{
fFaster=FALSE;
goto Ret;
}
//now both has the property
//if the second has exceeded the limit, the first is always faster
if(AE_RETRY_LIMIT < pSecond_Retry->dwRetry)
{
fFaster=TRUE;
goto Ret;
}
//the second has not exceeded the limit, while the first has exceeded the limit;
//the second is faster
if(AE_RETRY_LIMIT < pFirst_Retry->dwRetry)
{
fFaster=FALSE;
goto Ret;
}
//neither has exceeded the limit
if(pFirst_Retry->dwRetry <= pSecond_Retry->dwRetry)
{
fFaster=TRUE;
}
else
{
fFaster=FALSE;
}
Ret:
if(pFirst_Retry)
LocalFree(pFirst_Retry);
if(pSecond_Retry)
LocalFree(pSecond_Retry);
return fFaster;
}
//-----------------------------------------------------------------------
//
// AEUpdateRetryProperty
//
// The newly aquired certificate has the same DNS name of the old
// certificate, and the DNS Name is not the same as the local machine.
//
// Update the CERT_AUTO_ENROLL_RETRY_PROP_ID property
//
//-----------------------------------------------------------------------
BOOL AEUpdateRetryProperty(AE_GENERAL_INFO *pAE_General_Info,
LPWSTR pwszTemplateDisplay,
PCCERT_CONTEXT pNewContext,
PCCERT_CONTEXT pOldContext)
{
BOOL fResult=FALSE;
ULARGE_INTEGER ftTime;
ULONG lSecond=0;
CRYPT_DATA_BLOB blobProp;
WCHAR wsz[SHA1_HASH_LENGTH];
AE_RETRY_INFO *pAE_Retry_Info=NULL;
if((NULL == pAE_General_Info) || (NULL == pNewContext) || (NULL == pOldContext))
goto Ret;
if(!AEGetRetryProperty(pOldContext, &pAE_Retry_Info))
{
//make up a default one
pAE_Retry_Info=(AE_RETRY_INFO *)LocalAlloc(LPTR, sizeof(AE_RETRY_INFO));
if(NULL == pAE_Retry_Info)
goto Ret;
memset(pAE_Retry_Info, 0, sizeof(AE_RETRY_INFO));
pAE_Retry_Info->cbSize=sizeof(AE_RETRY_INFO);
pAE_Retry_Info->dwRetry=0; //first attempt
}
//increment the count and set the next update date
if(pAE_Retry_Info->dwRetry <= AE_RETRY_LIMIT)
{
(pAE_Retry_Info->dwRetry)++;
//get the current time
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
// Convert 24 hours to seconds
lSecond=(pAE_Retry_Info->dwRetry)*24*60*60;
//lSecond=(pAE_Retry_Info->dwRetry)*2*60;
ftTime.QuadPart += UInt32x32To64(FILETIME_TICKS_PER_SECOND, lSecond);
(pAE_Retry_Info->dueTime).QuadPart = ftTime.QuadPart;
}
//copy the property on the certificate
memset(&blobProp, 0, sizeof(CRYPT_DATA_BLOB));
blobProp.cbData=sizeof(AE_RETRY_INFO);
blobProp.pbData=(BYTE *)pAE_Retry_Info;
if(!CertSetCertificateContextProperty(
pNewContext,
CERT_AUTO_ENROLL_RETRY_PROP_ID,
0,
&blobProp))
goto Ret;
//log the event
if(pAE_Retry_Info->dwRetry <= AE_RETRY_LIMIT)
{
_itow(((pAE_Retry_Info->dwRetry) * 24), wsz, 10);
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_MISMATCH_DNS_RETRY,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 2, pwszTemplateDisplay, wsz);
}
else
{
_itow(AE_RETRY_LIMIT, wsz, 10);
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_MISMATCH_DNS,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 2, pwszTemplateDisplay, wsz);
}
fResult=TRUE;
Ret:
if(pAE_Retry_Info)
LocalFree(pAE_Retry_Info);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEVerifyDNSName
//
// Verify the DNS name in the certificate match what is returned
// from GetComputerNameEx, either ComputerNameDnsFullyQualified or
// ComputerNameNetBIOS. For V2 template, perform the verification
// only when the template specify so.
//
// By default, we assume the DNS will match. The function will only
// signal an error if it successfully obtained DNS name from GetComputerNameEx
// and from the certificate and they do not match.
//
//-----------------------------------------------------------------------
BOOL AEVerifyDNSName(AE_GENERAL_INFO *pAE_General_Info,
PCCERT_CONTEXT pCertCurrent)
{
BOOL fDNSMatch=TRUE;
AE_CERTTYPE_INFO *pCertType=NULL;
DWORD dwValue=0;
BOOL fDnsName=TRUE;
BOOL fNetBIOS=TRUE;
LPWSTR pwszDnsName=NULL;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
//find the template that the certificate belongs to
if(!AERetrieveTemplateInfo(pCertCurrent, &AETemplateInfo))
goto Ret;
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
if(NULL==pCertType)
goto Ret;
if(S_OK != CAGetCertTypeFlagsEx(
pCertType->hCertType,
CERTTYPE_SUBJECT_NAME_FLAG,
&dwValue))
goto Ret;
if((CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT & dwValue) ||
(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME & dwValue))
goto Ret;
//no need to verify non-template certificates or non-DNS specified template
if(AETemplateInfo.pwszOid)
{
if( 0 == (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS & dwValue))
goto Ret;
}
//get the DNS entry from the certificate
if(!AEGetDNSNameFromCertificate(pCertCurrent, &pwszDnsName))
{
fDNSMatch=FALSE;
goto Ret;
}
//compare the data in the certificate with what is returned from GetComputerNameEx
if(pAE_General_Info->pwszDns)
{
if(0 != _wcsicmp(pwszDnsName, pAE_General_Info->pwszDns))
{
fDnsName=FALSE;
}
}
if(pAE_General_Info->pwszNetBIOS)
{
if(0 != _wcsicmp(pwszDnsName, pAE_General_Info->pwszNetBIOS))
{
fNetBIOS=FALSE;
}
}
//either DNS or NetBIOS name should match
if((FALSE == fDnsName) && (FALSE == fNetBIOS))
{
fDNSMatch=FALSE;
}
Ret:
if(pwszDnsName)
LocalFree(pwszDnsName);
AEFreeTemplateInfo(&AETemplateInfo);
return fDNSMatch;
}
//-----------------------------------------------------------------------
//
// AEVerifyDNSNameWithRetry
////
//-----------------------------------------------------------------------
BOOL AEVerifyDNSNameWithRetry(AE_GENERAL_INFO *pAE_General_Info,
PCCERT_CONTEXT pCertCurrent)
{
BOOL fResult=FALSE;
ULARGE_INTEGER ftTime;
AE_RETRY_INFO *pAE_Retry_Info=NULL;
//detect if DNS name in the certificate matches the local machine
//Success means no need to re-enroll
if(TRUE == AEVerifyDNSName(pAE_General_Info, pCertCurrent))
{
fResult=TRUE;
goto Ret;
}
//now that the DNS name does not match, check the CERT_AUTO_ENROLL_RETRY_PROP_ID
//property on the pCertCurrent to determine the correct action
//property does not exit. Allow for re-enrollment by marking a failure
if(!AEGetRetryProperty(pCertCurrent, &pAE_Retry_Info))
{
fResult=FALSE;
goto Ret;
}
//property exit
//the Maximum # of trial has reached. Disallow for re-enrollment by returning a success
if(AE_RETRY_LIMIT < pAE_Retry_Info->dwRetry)
{
fResult=TRUE;
goto Ret;
}
//get the current time
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
//the time limit has not reached. Disallow for re-enrollment by returning a success
if(ftTime.QuadPart < (pAE_Retry_Info->dueTime).QuadPart)
{
fResult=TRUE;
goto Ret;
}
//the rest should be re-enrolled by returning a failure
fResult=FALSE;
Ret:
if(pAE_Retry_Info)
LocalFree(pAE_Retry_Info);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEIsLogonDCCertificate
//
//
//-----------------------------------------------------------------------
BOOL AEIsLogonDCCertificate(PCCERT_CONTEXT pCertContext)
{
BOOL fDCCert=FALSE;
PCERT_EXTENSION pExt = NULL;
DWORD cbData = 0;
DWORD dwIndex = 0;
BOOL fFound = FALSE;
CERT_ENHKEY_USAGE *pbKeyUsage=NULL;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
if(NULL==pCertContext)
return FALSE;
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
goto Ret;
if(AETemplateInfo.pwszName)
{
//this is a V1 template. Search for the hard coded DC template name
if(0 == _wcsicmp(wszCERTTYPE_DC, AETemplateInfo.pwszName))
fDCCert=TRUE;
}
else
{
//this is a V2 template. Search for the smart card logon OID
if(NULL==(pExt=CertFindExtension(szOID_ENHANCED_KEY_USAGE,
pCertContext->pCertInfo->cExtension,
pCertContext->pCertInfo->rgExtension)))
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_ENHANCED_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pbKeyUsage=(CERT_ENHKEY_USAGE *)LocalAlloc(LPTR, cbData);
if(NULL==pbKeyUsage)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_ENHANCED_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbKeyUsage,
&cbData))
goto Ret;
for(dwIndex=0; dwIndex < pbKeyUsage->cUsageIdentifier; dwIndex++)
{
if(0==_stricmp(szOID_KP_SMARTCARD_LOGON,(pbKeyUsage->rgpszUsageIdentifier)[dwIndex]))
{
fDCCert=TRUE;
break;
}
}
}
Ret:
if(pbKeyUsage)
LocalFree(pbKeyUsage);
AEFreeTemplateInfo(&AETemplateInfo);
return fDCCert;
}
//-----------------------------------------------------------------------
//
// AEValidateCertificateInfo
//
// This function verifies if the certificate needs to be renewed or
// re-enrolled based on:
//
// 1. Presence of the private key
// 2. Chaining of the certificate
// 3. If the certificate is close to expiration
//
//-----------------------------------------------------------------------
BOOL AEValidateCertificateInfo(AE_GENERAL_INFO *pAE_General_Info,
AE_CERTTYPE_INFO *pCertType,
BOOL fCheckForPrivateKey,
PCCERT_CONTEXT pCertCurrent,
AE_CERT_INFO *pAECertInfo)
{
BOOL fResult = TRUE;
DWORD cbData = 0;
CERT_CHAIN_PARA ChainParams;
CERT_CHAIN_POLICY_PARA ChainPolicy;
CERT_CHAIN_POLICY_STATUS PolicyStatus;
LARGE_INTEGER ftTime;
HRESULT hrChainStatus = S_OK;
LARGE_INTEGER ftHalfLife;
BOOL fReset=FALSE;
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
if((NULL==pCertCurrent) || (NULL==pAECertInfo) || (NULL==pAE_General_Info))
{
SetLastError(E_INVALIDARG);
fResult = FALSE;
goto Ret;
}
//assume the certificate is bad
pAECertInfo->fValid = FALSE;
pAECertInfo->fRenewal = FALSE;
//////////////////////////////////////////////////
//
//check for the private key information
//
//////////////////////////////////////////////////
if(fCheckForPrivateKey)
{
if(!CertGetCertificateContextProperty(
pCertCurrent,
CERT_KEY_PROV_INFO_PROP_ID,
NULL,
&cbData))
{
fReset=TRUE;
goto Ret;
}
}
/////////////////////////////////////////////////////////
//
//check for chaining, revoke status and expiration of the certificate
//
/////////////////////////////////////////////////////////
memset(&ChainParams, 0, sizeof(ChainParams));
ChainParams.cbSize = sizeof(ChainParams);
ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
ChainParams.RequestedUsage.Usage.cUsageIdentifier = 0;
ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;
// Build a small time skew into the chain building in order to deal
// with servers that may skew slightly fast.
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
ftTime.QuadPart += Int32x32To64(FILETIME_TICKS_PER_SECOND, AE_DEFAULT_SKEW);
// Build a cert chain for the current status of the cert..
if(!CertGetCertificateChain(pAE_General_Info->fMachine?HCCE_LOCAL_MACHINE:HCCE_CURRENT_USER,
pCertCurrent,
(LPFILETIME)&ftTime,
NULL,
&ChainParams,
CERT_CHAIN_REVOCATION_CHECK_CHAIN,
NULL,
&pChainContext))
{
AE_DEBUG((AE_WARNING, L"Could not build certificate chain (%lx)\n\r", GetLastError()));
goto Ret;
}
//validate the certificate chain
//special case for domain controller certificate.
//it should not have any revocation error, even for status unknown case
//check against the base policy
memset(&ChainPolicy, 0, sizeof(ChainPolicy));
ChainPolicy.cbSize = sizeof(ChainPolicy);
ChainPolicy.dwFlags = 0; // ignore nothing
ChainPolicy.pvExtraPolicyPara = NULL;
memset(&PolicyStatus, 0, sizeof(PolicyStatus));
PolicyStatus.cbSize = sizeof(PolicyStatus);
PolicyStatus.dwError = 0;
PolicyStatus.lChainIndex = -1;
PolicyStatus.lElementIndex = -1;
PolicyStatus.pvExtraPolicyStatus = NULL;
if(!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE,
pChainContext,
&ChainPolicy,
&PolicyStatus))
{
AE_DEBUG((AE_WARNING, L"Base Chain Policy failed (%lx) - must get new cert\n\r", GetLastError()));
goto Ret;
}
hrChainStatus = PolicyStatus.dwError;
if((S_OK == hrChainStatus) ||
(CRYPT_E_NO_REVOCATION_CHECK == hrChainStatus) ||
(CRYPT_E_REVOCATION_OFFLINE == hrChainStatus))
{
// The cert is still currently acceptable by trust standards, so we can renew it
pAECertInfo->fRenewal = TRUE;
}
else
{
fReset=TRUE;
goto Ret;
}
if(pChainContext)
{
CertFreeCertificateChain(pChainContext);
pChainContext = NULL;
}
/////////////////////////////////////////////////////////
//
//check the DNS name in the machine certificate. It has
//to match with the computer's DNS name
//
/////////////////////////////////////////////////////////
if(pAE_General_Info->fMachine)
{
if(!AEVerifyDNSNameWithRetry(pAE_General_Info, pCertCurrent))
{
pAECertInfo->fRenewal = FALSE;
goto Ret;
}
}
/////////////////////////////////////////////////////////
//
// Check if the certificate is close to expire
//
///////////////////////////////////////////////////////////////////////
if(NULL==pCertType)
goto Ret;
// Nudge the evaluation of the cert chain by the expiration
// offset so we know if is expired by that time in the future.
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
// Build the certificate chain for trust operations
memset(&ChainParams, 0, sizeof(ChainParams));
ChainParams.cbSize = sizeof(ChainParams);
ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
ChainParams.RequestedUsage.Usage.cUsageIdentifier = 0;
ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;
//get the 80% lifetime of the certificate
ftHalfLife.QuadPart = ((((LARGE_INTEGER UNALIGNED *)&(pCertCurrent->pCertInfo->NotAfter))->QuadPart -
((LARGE_INTEGER UNALIGNED *)&(pCertCurrent->pCertInfo->NotBefore))->QuadPart)/10) * 8;
//check if the old cert is time nesting invalid
if(ftHalfLife.QuadPart < 0)
goto Ret;
//check if the offset was specified in a relative value
if(pCertType->ftExpirationOffset.QuadPart < 0)
{
if(ftHalfLife.QuadPart > (- pCertType->ftExpirationOffset.QuadPart))
{
ftTime.QuadPart -= pCertType->ftExpirationOffset.QuadPart;
}
else
{
ftTime.QuadPart += ftHalfLife.QuadPart;
}
}
else
{
//the offset was specified in an absolute value
if(0 < pCertType->ftExpirationOffset.QuadPart)
ftTime = pCertType->ftExpirationOffset;
else
//use the half time mark if the offset is 0
ftTime.QuadPart += ftHalfLife.QuadPart;
}
//check the certificate chain at a future time
if(!CertGetCertificateChain(pAE_General_Info->fMachine?HCCE_LOCAL_MACHINE:HCCE_CURRENT_USER,
pCertCurrent,
(LPFILETIME)&ftTime,
NULL, //no additional store
&ChainParams,
0, //no revocation check
NULL, //Reserved
&pChainContext))
{
AE_DEBUG((AE_WARNING, L"Could not build certificate chain (%lx)\n\r", GetLastError()));
goto Ret;
}
// Verify expiration of the certificate
memset(&ChainPolicy, 0, sizeof(ChainPolicy));
ChainPolicy.cbSize = sizeof(ChainPolicy);
ChainPolicy.dwFlags = 0; // ignore nothing
ChainPolicy.pvExtraPolicyPara = NULL;
memset(&PolicyStatus, 0, sizeof(PolicyStatus));
PolicyStatus.cbSize = sizeof(PolicyStatus);
PolicyStatus.dwError = 0;
PolicyStatus.lChainIndex = -1;
PolicyStatus.lElementIndex = -1;
PolicyStatus.pvExtraPolicyStatus = NULL;
if(!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE,
pChainContext,
&ChainPolicy,
&PolicyStatus))
{
AE_DEBUG((AE_WARNING, L"Base Chain Policy failed (%lx) - must get new cert\n\r", GetLastError()));
goto Ret;
}
hrChainStatus = PolicyStatus.dwError;
if((S_OK != hrChainStatus) &&
(CRYPT_E_NO_REVOCATION_CHECK != hrChainStatus) &&
(CRYPT_E_REVOCATION_OFFLINE != hrChainStatus))
{
// The cert is close to expire. we must re-renewal
goto Ret;
}
//the certificate is good
pAECertInfo->fValid = TRUE;
fResult = TRUE;
Ret:
if(pAE_General_Info->fMachine)
{
if(TRUE == fReset)
{
//clear out the retry logic
CertSetCertificateContextProperty(
pCertCurrent,
CERT_AUTO_ENROLL_RETRY_PROP_ID,
0,
NULL);
}
}
if(pChainContext)
CertFreeCertificateChain(pChainContext);
return fResult;
}
//-----------------------------------------------------------------------
//
// AESameOID
//
// Check if the two OIDs are the same
//-----------------------------------------------------------------------
BOOL AESameOID(LPWSTR pwszOID, LPSTR pszOID)
{
DWORD cbChar=0;
BOOL fSame=FALSE;
LPSTR pszNewOID=NULL;
if((NULL==pwszOID) || (NULL==pszOID))
return FALSE;
cbChar= WideCharToMultiByte(
CP_ACP, // codepage
0, // dwFlags
pwszOID,
-1,
NULL,
0,
NULL,
NULL);
if(0 == cbChar)
goto Ret;
if(NULL==(pszNewOID=(LPSTR)LocalAlloc(LPTR, cbChar)))
goto Ret;
cbChar= WideCharToMultiByte(
CP_ACP, // codepage
0, // dwFlags
pwszOID,
-1,
pszNewOID,
cbChar,
NULL,
NULL);
if(0 == cbChar)
goto Ret;
if(0 == _stricmp(pszNewOID, pszOID))
fSame=TRUE;
Ret:
if(pszNewOID)
LocalFree(pszNewOID);
return fSame;
}
//-----------------------------------------------------------------------
//
// AEValidRAPolicyWithProperty
//
// Check if the certificate matches the RA signature requirement
// of the certificate type
//-----------------------------------------------------------------------
BOOL AEValidRAPolicyWithProperty(PCCERT_CONTEXT pCertContext,
LPWSTR *rgwszPolicy,
LPWSTR *rgwszAppPolicy)
{
PCERT_EXTENSION pExt = NULL;
DWORD cbData = 0;
DWORD dwIndex = 0;
DWORD dwFindIndex=0;
BOOL fFound = FALSE;
BOOL fValid = FALSE;
CERT_ENHKEY_USAGE *pbKeyUsage=NULL;
CERT_POLICIES_INFO *pbAppPolicy=NULL;
CERT_POLICIES_INFO *pbPolicy=NULL;
//find the EKUs
if(pExt=CertFindExtension(szOID_ENHANCED_KEY_USAGE,
pCertContext->pCertInfo->cExtension,
pCertContext->pCertInfo->rgExtension))
{
cbData=0;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_ENHANCED_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pbKeyUsage=(CERT_ENHKEY_USAGE *)LocalAlloc(LPTR, cbData);
if(NULL==pbKeyUsage)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_ENHANCED_KEY_USAGE,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbKeyUsage,
&cbData))
goto Ret;
}
//get the cert issurance policy
if(pExt=CertFindExtension(szOID_CERT_POLICIES,
pCertContext->pCertInfo->cExtension,
pCertContext->pCertInfo->rgExtension))
{
cbData=0;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_CERT_POLICIES,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pbPolicy=(CERT_POLICIES_INFO *)LocalAlloc(LPTR, cbData);
if(NULL==pbPolicy)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_CERT_POLICIES,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbPolicy,
&cbData))
goto Ret;
}
//get the cert application policy
if(pExt=CertFindExtension(szOID_APPLICATION_CERT_POLICIES,
pCertContext->pCertInfo->cExtension,
pCertContext->pCertInfo->rgExtension))
{
cbData=0;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_CERT_POLICIES,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbData))
goto Ret;
pbAppPolicy=(CERT_POLICIES_INFO *)LocalAlloc(LPTR, cbData);
if(NULL==pbAppPolicy)
goto Ret;
if(!CryptDecodeObject(X509_ASN_ENCODING,
szOID_CERT_POLICIES,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbAppPolicy,
&cbData))
goto Ret;
}
if(rgwszPolicy)
{
if(rgwszPolicy[0])
{
if(NULL==pbPolicy)
goto Ret;
dwIndex=0;
while(rgwszPolicy[dwIndex])
{
fFound=FALSE;
for(dwFindIndex=0; dwFindIndex < pbPolicy->cPolicyInfo; dwFindIndex++)
{
if(AESameOID(rgwszPolicy[dwIndex], (pbPolicy->rgPolicyInfo)[dwFindIndex].pszPolicyIdentifier))
{
fFound=TRUE;
break;
}
}
if(FALSE == fFound)
goto Ret;
dwIndex++;
}
}
}
if(rgwszAppPolicy)
{
if(rgwszAppPolicy[0])
{
if((NULL==pbAppPolicy) && (NULL==pbKeyUsage))
goto Ret;
dwIndex=0;
while(rgwszAppPolicy[dwIndex])
{
fFound=FALSE;
if(pbAppPolicy)
{
for(dwFindIndex=0; dwFindIndex < pbAppPolicy->cPolicyInfo; dwFindIndex++)
{
if(AESameOID(rgwszAppPolicy[dwIndex], (pbAppPolicy->rgPolicyInfo)[dwFindIndex].pszPolicyIdentifier))
{
fFound=TRUE;
break;
}
}
}
if((FALSE == fFound) && (pbKeyUsage))
{
for(dwFindIndex=0; dwFindIndex < pbKeyUsage->cUsageIdentifier; dwFindIndex++)
{
if(AESameOID(rgwszAppPolicy[dwIndex],(pbKeyUsage->rgpszUsageIdentifier)[dwFindIndex]))
{
fFound=TRUE;
break;
}
}
}
if(FALSE == fFound)
goto Ret;
dwIndex++;
}
}
}
fValid=TRUE;
Ret:
if(pbKeyUsage)
LocalFree(pbKeyUsage);
if(pbPolicy)
LocalFree(pbPolicy);
if(pbAppPolicy)
LocalFree(pbAppPolicy);
return fValid;
}
//-----------------------------------------------------------------------
//
// AEValidRAPolicy
//
// Check if the certificate matches the RA signature requirement
// of the certificate type
//-----------------------------------------------------------------------
BOOL AEValidRAPolicy(PCCERT_CONTEXT pCertContext, AE_CERTTYPE_INFO *pCertType)
{
BOOL fValid=FALSE;
LPWSTR *rgwszPolicy=NULL;
LPWSTR *rgwszAppPolicy=NULL;
if((NULL==pCertType) || (NULL==pCertContext))
return FALSE;
//get the certificate type properties
CAGetCertTypePropertyEx(pCertType->hCertType,
CERTTYPE_PROP_RA_POLICY,
&rgwszPolicy);
CAGetCertTypePropertyEx(pCertType->hCertType,
CERTTYPE_PROP_RA_APPLICATION_POLICY,
&rgwszAppPolicy);
fValid = AEValidRAPolicyWithProperty(pCertContext, rgwszPolicy, rgwszAppPolicy);
if(rgwszPolicy)
CAFreeCertTypeProperty(pCertType->hCertType, rgwszPolicy);
if(rgwszAppPolicy)
CAFreeCertTypeProperty(pCertType->hCertType, rgwszAppPolicy);
return fValid;
}
//-----------------------------------------------------------------------
//
// AESomeCSPSupported
//
//-----------------------------------------------------------------------
BOOL AESomeCSPSupported(HCERTTYPE hCertType)
{
BOOL fResult=FALSE;
DWORD dwIndex=0;
DWORD dwCSPIndex=0;
DWORD dwProviderType=0;
DWORD cbSize=0;
LPWSTR *awszCSP=NULL;
LPWSTR pwszProviderName=NULL;
HCRYPTPROV hProv=NULL;
if(NULL==hCertType)
goto Ret;
//no CSPs means all CSPs are fine
if((S_OK != CAGetCertTypePropertyEx(
hCertType,
CERTTYPE_PROP_CSP_LIST,
&awszCSP)) || (NULL == awszCSP))
{
fResult=TRUE;
goto Ret;
}
//no CSP means all CSPs are fine
if(NULL == awszCSP[0])
{
fResult=TRUE;
goto Ret;
}
for(dwIndex=0; NULL != awszCSP[dwIndex]; dwIndex++)
{
for (dwCSPIndex = 0;
CryptEnumProvidersW(dwCSPIndex, 0, 0, &dwProviderType, NULL, &cbSize);
dwCSPIndex++)
{
pwszProviderName = (LPWSTR)LocalAlloc(LPTR, cbSize);
if(NULL == pwszProviderName)
goto Ret;
//get the provider name and type
if(!CryptEnumProvidersW(dwCSPIndex,
0,
0,
&dwProviderType,
pwszProviderName,
&cbSize))
goto Ret;
if(0 == _wcsicmp(pwszProviderName, awszCSP[dwIndex]))
{
//find the CSP. See if it is present in the box
if(CryptAcquireContextW(
&hProv,
NULL,
awszCSP[dwIndex],
dwProviderType,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
{
CryptReleaseContext(hProv, 0);
hProv=NULL;
fResult=TRUE;
break;
}
}
//keep the CSP enumeration
if(pwszProviderName)
LocalFree(pwszProviderName);
pwszProviderName=NULL;
cbSize=0;
dwProviderType=0;
}
//detect if a valid CSP if found
if(TRUE == fResult)
{
break;
}
cbSize=0;
dwProviderType=0;
}
Ret:
if(pwszProviderName)
LocalFree(pwszProviderName);
if(hProv)
CryptReleaseContext(hProv, 0);
if(awszCSP)
CAFreeCertTypeProperty(hCertType, awszCSP);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEFindCSPType
//
//-----------------------------------------------------------------------
BOOL AEFindCSPType(LPWSTR pwszCSP, DWORD *pdwType)
{
BOOL fResult=FALSE;
DWORD dwIndex=0;
DWORD dwProviderType=0;
DWORD cbSize=0;
LPWSTR pwszCSPName=NULL;
if((NULL==pwszCSP) || (NULL==pdwType))
goto Ret;
*pdwType=0;
//enum all the providers on the system
while(CryptEnumProviders(
dwIndex,
0,
0,
&dwProviderType,
NULL,
&cbSize))
{
pwszCSPName=(LPWSTR)LocalAlloc(LPTR, cbSize);
if(NULL==pwszCSPName)
goto Ret;
//get the CSP name and the type
if(!CryptEnumProviders(
dwIndex,
0,
0,
&dwProviderType,
pwszCSPName,
&cbSize))
goto Ret;
if(0 == _wcsicmp(pwszCSPName, pwszCSP))
{
//find the CSP
*pdwType=dwProviderType;
fResult=TRUE;
goto Ret;
}
dwIndex++;
dwProviderType=0;
cbSize=0;
if(pwszCSPName)
{
LocalFree(pwszCSPName);
pwszCSPName=NULL;
}
}
Ret:
if(pwszCSPName)
LocalFree(pwszCSPName);
return fResult;
}
//-----------------------------------------------------------------------
//
// AESmartcardOnlyTemplate
//
//-----------------------------------------------------------------------
BOOL AESmartcardOnlyTemplate(HCERTTYPE hCertType)
{
BOOL fResult=FALSE;
DWORD dwIndex=0;
DWORD dwImpType=0;
DWORD cbData=0;
DWORD dwSCCount=0;
DWORD dwCSPType=0;
LPWSTR *awszCSP=NULL;
HCRYPTPROV hProv = NULL;
if(NULL==hCertType)
goto Ret;
if(S_OK != CAGetCertTypePropertyEx(
hCertType,
CERTTYPE_PROP_CSP_LIST,
&awszCSP))
goto Ret;
if(NULL==awszCSP)
goto Ret;
for(dwIndex=0; NULL != awszCSP[dwIndex]; dwIndex++)
{
dwImpType=0;
dwCSPType=0;
//find the CSP type based on the CSP name
if(AEFindCSPType(awszCSP[dwIndex], &dwCSPType))
{
if(CryptAcquireContextW(
&hProv,
NULL,
awszCSP[dwIndex],
dwCSPType,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
{
cbData = sizeof(dwImpType);
if(CryptGetProvParam(hProv,
PP_IMPTYPE,
(BYTE *)(&dwImpType),
&cbData,
0))
{
if((CRYPT_IMPL_REMOVABLE & dwImpType) && (CRYPT_IMPL_MIXED & dwImpType))
dwSCCount++;
}
CryptReleaseContext(hProv, 0);
hProv=NULL;
}
else
{
//not supported CSP. Count it as part of the SmartCard CSP count since this
//CSP will not work when the smart card subsystem is not present
dwSCCount++;
}
}
else
{
//not supported CSP. Count it as part of the SmartCard CSP count since this
//CSP will not work when the smart card subsystem is not present
dwSCCount++;
}
}
//smart card CSP only if all CSPs are for smart card only
if((0 != dwIndex) && (dwIndex==dwSCCount))
fResult=TRUE;
Ret:
if(hProv)
CryptReleaseContext(hProv, 0);
if(awszCSP)
CAFreeCertTypeProperty(hCertType, awszCSP);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEUserProtectionForTemplate
//
//-----------------------------------------------------------------------
BOOL AEUserProtectionForTemplate(AE_GENERAL_INFO *pAE_General_Info, PCERT_CONTEXT pCertContext)
{
BOOL fUserProtection=FALSE;
AE_CERTTYPE_INFO *pCertType=NULL;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
if((NULL == pAE_General_Info) || (NULL == pCertContext))
goto Ret;
//get the template information for the certificate
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
goto Ret;
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
if(NULL==pCertType)
goto Ret;
if(CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED & (pCertType->dwPrivateKeyFlag))
fUserProtection=TRUE;
Ret:
AEFreeTemplateInfo(&AETemplateInfo);
return fUserProtection;
}
//-----------------------------------------------------------------------
//
// AEUISetForTemplate
//
//-----------------------------------------------------------------------
BOOL AEUISetForTemplate(AE_GENERAL_INFO *pAE_General_Info, PCERT_CONTEXT pCertContext)
{
BOOL fUI=FALSE;
AE_CERTTYPE_INFO *pCertType=NULL;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
if((NULL == pAE_General_Info) || (NULL == pCertContext))
goto Ret;
//get the template information for the certificate
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
goto Ret;
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
if(NULL==pCertType)
goto Ret;
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCertType->dwEnrollmentFlag))
fUI=TRUE;
Ret:
AEFreeTemplateInfo(&AETemplateInfo);
return fUI;
}
//-----------------------------------------------------------------------
//
// AECanEnrollCertType
//
//-----------------------------------------------------------------------
BOOL AECanEnrollCertType(HANDLE hToken, AE_CERTTYPE_INFO *pCertType, AE_GENERAL_INFO *pAE_General_Info, BOOL *pfUserProtection)
{
DWORD dwValue = 0;
PCCERT_CONTEXT pCertCurrent=NULL;
AE_CERT_INFO AECertInfo;
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
*pfUserProtection=FALSE;
//check enrollment ACL
if(S_OK != CACertTypeAccessCheckEx(
pCertType->hCertType,
hToken,
CERTTYPE_ACCESS_CHECK_ENROLL | CERTTYPE_ACCESS_CHECK_NO_MAPPING))
return FALSE;
//check the subject requirements
if(S_OK != CAGetCertTypeFlagsEx(
pCertType->hCertType,
CERTTYPE_SUBJECT_NAME_FLAG,
&dwValue))
return FALSE;
if((CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT & dwValue) ||
(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME & dwValue))
return FALSE;
//check if we are doing smart card CSPs and there is no reader installed
if(FALSE == (pAE_General_Info->fSmartcardSystem))
{
if(AESmartcardOnlyTemplate(pCertType->hCertType))
return FALSE;
}
//check if all CSPs on the template is not supported
{
if(!AESomeCSPSupported(pCertType->hCertType))
return FALSE;
}
//we might not get the RA property for V1 template
dwValue = 0;
//check the RA support
if(S_OK != CAGetCertTypePropertyEx(
pCertType->hCertType,
CERTTYPE_PROP_RA_SIGNATURE,
&dwValue))
return TRUE;
if(0==dwValue)
return TRUE;
//self-template RA
if((CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT & (pCertType->dwEnrollmentFlag)) &&
((pCertType->fRenewal) && (pCertType->pOldCert))
)
{
//the request has to be RAed
pCertType->fNeedRA=TRUE;
return TRUE;
}
//autoenrollment only deal with one RA signature.
//it is sufficient for autoenrollment RA scenarios
if(1!=dwValue)
return FALSE;
//the certificate template requires one and only one RA signature
//cross-template RA
//enumerate all certificate in store
while(pCertCurrent = CertEnumCertificatesInStore(pAE_General_Info->hMyStore, pCertCurrent))
{
//check if we need to enroll/renewal for the certificate
AEValidateCertificateInfo(pAE_General_Info,
NULL,
TRUE, //valid private key
pCertCurrent,
&AECertInfo);
//the certificate is good enough for RA signature purpose
if(AECertInfo.fRenewal)
{
if(AEValidRAPolicy(pCertCurrent, pCertType))
{
if(AEUserProtectionForTemplate(pAE_General_Info, (PCERT_CONTEXT)pCertCurrent))
{
if(pAE_General_Info->fMachine)
{
*pfUserProtection=TRUE;
continue;
}
else
{
if(0==(CT_FLAG_USER_INTERACTION_REQUIRED & (pCertType->dwEnrollmentFlag)))
{
*pfUserProtection=TRUE;
continue;
}
}
}
pCertType->fRenewal=TRUE;
if(pCertType->pOldCert)
{
CertFreeCertificateContext(pCertType->pOldCert);
pCertType->pOldCert=NULL;
}
//we will free the certificate context later
pCertType->pOldCert=(PCERT_CONTEXT)pCertCurrent;
//we mark UI required if the RAing certificate template requires UI
if(AEUISetForTemplate(pAE_General_Info, pCertType->pOldCert))
pCertType->fUIActive=TRUE;
//we mark the requests has to be RAed.
pCertType->fNeedRA=TRUE;
//we mark that we are doing cross RAing.
pCertType->fCrossRA=TRUE;
*pfUserProtection=FALSE;
return TRUE;
}
}
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
}
return FALSE;
}
//-----------------------------------------------------------------------
//
// AEMarkAutoenrollment
//
//-----------------------------------------------------------------------
BOOL AEMarkAutoenrollment(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex = 0;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(CT_FLAG_AUTO_ENROLLMENT & ((pAE_General_Info->rgCertTypeInfo)[dwIndex].dwEnrollmentFlag))
{
//check the autoenrollment ACL
if(S_OK != CACertTypeAccessCheckEx(
(pAE_General_Info->rgCertTypeInfo)[dwIndex].hCertType,
pAE_General_Info->hToken,
CERTTYPE_ACCESS_CHECK_AUTO_ENROLL | CERTTYPE_ACCESS_CHECK_NO_MAPPING))
continue;
//mark the template nees to be auto-enrolled
(pAE_General_Info->rgCertTypeInfo)[dwIndex].dwStatus=CERT_REQUEST_STATUS_ACTIVE;
(pAE_General_Info->rgCertTypeInfo)[dwIndex].fCheckMyStore=TRUE;
}
}
return TRUE;
}
//-----------------------------------------------------------------------
//
// IsACRSStoreEmpty
//
//
//-----------------------------------------------------------------------
BOOL IsACRSStoreEmpty(BOOL fMachine)
{
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG;
LPSTR pszCTLUsageOID = NULL;
BOOL fEmpty = TRUE;
CERT_PHYSICAL_STORE_INFO PhysicalStoreInfo;
CTL_FIND_USAGE_PARA CTLFindUsage;
PCCTL_CONTEXT pCTLContext = NULL;
HCERTSTORE hStoreACRS=NULL;
memset(&PhysicalStoreInfo, 0, sizeof(PhysicalStoreInfo));
memset(&CTLFindUsage, 0, sizeof(CTLFindUsage));
// if the auto enrollment is for a user then we need to shut off inheritance
// from the local machine store so that we don't try and enroll for certs
// which are meant to be for the machine
if (FALSE == fMachine)
{
dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG;
PhysicalStoreInfo.cbSize = sizeof(PhysicalStoreInfo);
PhysicalStoreInfo.dwFlags = CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG;
if (!CertRegisterPhysicalStore(ACRS_STORE,
CERT_SYSTEM_STORE_CURRENT_USER,
CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME,
&PhysicalStoreInfo,
NULL))
{
AE_DEBUG((AE_ERROR, L"Could not register ACRS store: (%lx)\n\r", GetLastError()));
goto Ret;
}
}
// open the ACRS store and fine the CTL based on the auto enrollment usage
if (NULL == (hStoreACRS = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
ENCODING_TYPE,
NULL,
dwOpenStoreFlags,
ACRS_STORE)))
{
AE_DEBUG((AE_ERROR, L"Could not open ACRS store: (%lx)\n\r", GetLastError()));
goto Ret;
}
//find the template name specified in the CTLContext
CTLFindUsage.cbSize = sizeof(CTLFindUsage);
CTLFindUsage.SubjectUsage.cUsageIdentifier = 1;
pszCTLUsageOID = szOID_AUTO_ENROLL_CTL_USAGE;
CTLFindUsage.SubjectUsage.rgpszUsageIdentifier = &pszCTLUsageOID;
while(pCTLContext = CertFindCTLInStore(hStoreACRS,
X509_ASN_ENCODING,
CTL_FIND_SAME_USAGE_FLAG,
CTL_FIND_USAGE,
&CTLFindUsage,
pCTLContext))
{
fEmpty=FALSE;
break;
}
Ret:
if(pCTLContext)
CertFreeCTLContext(pCTLContext);
if(hStoreACRS)
CertCloseStore(hStoreACRS, 0);
return fEmpty;
}
//-----------------------------------------------------------------------
//
// AEMarkAEObject
//
// Mark the active status based on ACRS store
//
// INFORMATION:
// we do not honor the CA specified in the autoenrollment object anymore. All CAs
// in the enterprise should be treated equal; and once the CA is renewed, it certificate
// will be changed anyway.
//-----------------------------------------------------------------------
BOOL AEMarkAEObject(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG;
PCCTL_CONTEXT pCTLContext = NULL;
LPSTR pszCTLUsageOID = NULL;
LPWSTR wszCertTypeName = NULL;
AE_CERTTYPE_INFO *pCertType=NULL;
CERT_PHYSICAL_STORE_INFO PhysicalStoreInfo;
CTL_FIND_USAGE_PARA CTLFindUsage;
AE_TEMPLATE_INFO AETemplateInfo;
HCERTSTORE hStoreACRS=NULL;
memset(&PhysicalStoreInfo, 0, sizeof(PhysicalStoreInfo));
memset(&CTLFindUsage, 0, sizeof(CTLFindUsage));
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
// if the auto enrollment is for a user then we need to shut off inheritance
// from the local machine store so that we don't try and enroll for certs
// which are meant to be for the machine
if (FALSE == (pAE_General_Info->fMachine))
{
dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG;
PhysicalStoreInfo.cbSize = sizeof(PhysicalStoreInfo);
PhysicalStoreInfo.dwFlags = CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG;
if (!CertRegisterPhysicalStore(ACRS_STORE,
CERT_SYSTEM_STORE_CURRENT_USER,
CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME,
&PhysicalStoreInfo,
NULL))
{
AE_DEBUG((AE_ERROR, L"Could not register ACRS store: (%lx)\n\r", GetLastError()));
goto Ret;
}
}
// open the ACRS store and fine the CTL based on the auto enrollment usage
if (NULL == (hStoreACRS = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
ENCODING_TYPE,
NULL,
dwOpenStoreFlags,
ACRS_STORE)))
{
AE_DEBUG((AE_ERROR, L"Could not open ACRS store: (%lx)\n\r", GetLastError()));
goto Ret;
}
//find the template name specified in the CTLContext
CTLFindUsage.cbSize = sizeof(CTLFindUsage);
CTLFindUsage.SubjectUsage.cUsageIdentifier = 1;
pszCTLUsageOID = szOID_AUTO_ENROLL_CTL_USAGE;
CTLFindUsage.SubjectUsage.rgpszUsageIdentifier = &pszCTLUsageOID;
while(pCTLContext = CertFindCTLInStore(hStoreACRS,
X509_ASN_ENCODING,
CTL_FIND_SAME_USAGE_FLAG,
CTL_FIND_USAGE,
&CTLFindUsage,
pCTLContext))
{
if(NULL== (pCTLContext->pCtlInfo->ListIdentifier.pbData))
continue;
wszCertTypeName = wcschr((LPWSTR)pCTLContext->pCtlInfo->ListIdentifier.pbData, L'|');
if(wszCertTypeName)
{
wszCertTypeName++;
}
else
{
wszCertTypeName = (LPWSTR)pCTLContext->pCtlInfo->ListIdentifier.pbData;
}
AETemplateInfo.pwszName = wszCertTypeName;
if(pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info))
{
if(0 == pCertType->dwStatus)
{
//mark the template needs to be auto-enrolled
pCertType->dwStatus=CERT_REQUEST_STATUS_ACTIVE;
pCertType->fCheckMyStore=TRUE;
}
}
else
{
//log that the template is invalid
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_INVALID_ACRS_OBJECT,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, wszCertTypeName);
}
}
Ret:
if(hStoreACRS)
CertCloseStore(hStoreACRS, 0);
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEManageAndMarkMyStore
//
//-----------------------------------------------------------------------
BOOL AEManageAndMarkMyStore(AE_GENERAL_INFO *pAE_General_Info)
{
AE_CERT_INFO AECertInfo;
AE_CERTTYPE_INFO *pCertType=NULL;
BOOL fNeedToValidate=TRUE;
PCCERT_CONTEXT pCertCurrent = NULL;
DWORD cbData=0;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
//enumerate all certificate in store
while(pCertCurrent = CertEnumCertificatesInStore(pAE_General_Info->hMyStore, pCertCurrent))
{
//only interested in certificate with template information
if(AERetrieveTemplateInfo(pCertCurrent, &AETemplateInfo))
{
if(pCertType=AEFindTemplateInRequestTree(
&AETemplateInfo, pAE_General_Info))
{
//if we are not supposed to check for my store, only search
//for template with ACTIVE status
if(0 == (AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT & (pAE_General_Info->dwPolicy)))
{
if(!(pCertType->fCheckMyStore))
goto Next;
}
//make sure the version of the certificate template is up to date
//we do not have version for V1 template
if(AETemplateInfo.pwszOid)
{
if(AETemplateInfo.dwVersion < pCertType->dwVersion)
{
AECertInfo.fValid=FALSE;
AECertInfo.fRenewal = FALSE;
//self-RA renewal
if(CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT & pCertType->dwEnrollmentFlag)
{
if(CertGetCertificateContextProperty(
pCertCurrent,
CERT_KEY_PROV_INFO_PROP_ID,
NULL,
&cbData))
AECertInfo.fRenewal = TRUE;
}
fNeedToValidate=FALSE;
}
}
if(fNeedToValidate)
{
//check if we need to enroll/renewal for the certificate
AEValidateCertificateInfo(pAE_General_Info,
pCertType,
TRUE, //valid private key
pCertCurrent,
&AECertInfo);
}
if(AECertInfo.fValid)
{
//if the certificate is valid, mark as obtained. And copy the
//certificate to the obtained store. Keep the archive store.
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
CertAddCertificateContextToStore(
pCertType->hObtainedStore,
pCertCurrent,
CERT_STORE_ADD_ALWAYS,
NULL);
}
else
{
//the certificate is not valid
//mark the status to active if it is not obtained
if(CERT_REQUEST_STATUS_OBTAINED != pCertType->dwStatus)
{
pCertType->dwStatus = CERT_REQUEST_STATUS_ACTIVE;
if(AECertInfo.fRenewal)
{
//we only need to copy renewal information once
if(!pCertType->fRenewal)
{
pCertType->fRenewal=TRUE;
pCertType->pOldCert=(PCERT_CONTEXT)CertDuplicateCertificateContext(pCertCurrent);
}
}
}
//copy the certificate to the Archive certificate store
CertAddCertificateContextToStore(
pCertType->hArchiveStore,
pCertCurrent,
CERT_STORE_ADD_ALWAYS,
NULL);
}
}
else
{
//log that the template is invalid
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
FALSE,
S_OK,
EVENT_INVALID_TEMPLATE_MY_STORE,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
1,
AETemplateInfo.pwszName ? AETemplateInfo.pwszName : AETemplateInfo.pwszOid);
}
}
Next:
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
AEFreeTemplateInfo(&AETemplateInfo);
fNeedToValidate=TRUE;
cbData=0;
}
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEOpenUserDSStore
//
// INFORMATION: We could just open the "UserDS" store as if it is "My"
//
//-----------------------------------------------------------------------
HCERTSTORE AEOpenUserDSStore(AE_GENERAL_INFO *pAE_General_Info, DWORD dwOpenFlag)
{
LPWSTR pwszPath=L"ldap:///%s?userCertificate?base?objectCategory=user";
DWORD dwSize=0;
WCHAR wszDN[MAX_DN_SIZE];
LPWSTR pwszDN=NULL;
LPWSTR pwszStore=NULL;
HCERTSTORE hStore=NULL;
dwSize=MAX_DN_SIZE;
if(!GetUserNameExW(NameFullyQualifiedDN, wszDN, &dwSize))
{
if(dwSize > MAX_DN_SIZE)
{
pwszDN=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSize);
if(NULL==pwszDN)
goto Ret;
if(!GetUserNameExW(NameFullyQualifiedDN, pwszDN, &dwSize))
goto Ret;
}
else
goto Ret;
}
pwszStore = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(pwszDN ? pwszDN : wszDN)+wcslen(pwszPath)+1));
if(pwszStore == NULL)
goto Ret;
wsprintf(pwszStore,
pwszPath,
pwszDN ? pwszDN : wszDN);
hStore = CertOpenStore(CERT_STORE_PROV_LDAP,
ENCODING_TYPE,
NULL,
dwOpenFlag | CERT_LDAP_STORE_SIGN_FLAG,
pwszStore);
Ret:
if(pwszStore)
LocalFree(pwszStore);
if(pwszDN)
LocalFree(pwszDN);
return hStore;
}
//-----------------------------------------------------------------------
//
// AECheckUserDSStore
//
//-----------------------------------------------------------------------
BOOL AECheckUserDSStore(AE_GENERAL_INFO *pAE_General_Info)
{
PCCERT_CONTEXT pCertCurrent = NULL;
AE_CERTTYPE_INFO *pCertType=NULL;
BOOL fNeedToValidate=TRUE;
AE_CERT_INFO AECertInfo;
HCERTSTORE hUserDS = NULL;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
pCertType=pAE_General_Info->rgCertTypeInfo;
if(NULL==pCertType)
goto Ret;
if(NULL== (hUserDS = AEOpenUserDSStore(pAE_General_Info, CERT_STORE_READONLY_FLAG)))
goto Ret;
pCertType = NULL;
while(pCertCurrent = CertEnumCertificatesInStore(hUserDS, pCertCurrent))
{
//only interested in certificate with template information
if(AERetrieveTemplateInfo(pCertCurrent, &AETemplateInfo))
{
if(pCertType=AEFindTemplateInRequestTree(
&AETemplateInfo, pAE_General_Info))
{
//if we are not supposed to check for UserDS store, only search
//for template with ACTIVE status
if(0 == (AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT & (pAE_General_Info->dwPolicy)))
{
if(!(pCertType->fCheckMyStore))
goto Next;
}
//make sure the version of the certificate template is up to date
//we do not have version for V1 template
if(AETemplateInfo.pwszOid)
{
if(AETemplateInfo.dwVersion < pCertType->dwVersion)
{
AECertInfo.fValid=FALSE;
AECertInfo.fRenewal=FALSE;
fNeedToValidate=FALSE;
}
}
if(fNeedToValidate)
{
//check if we need to enroll/renewal for the certificate
AEValidateCertificateInfo(pAE_General_Info,
pCertType,
FALSE, //does not valid private key
pCertCurrent,
&AECertInfo);
}
//we only interested in any valid certificate
if(AECertInfo.fValid)
{
if((CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE & (pCertType->dwEnrollmentFlag)) &&
(CERT_REQUEST_STATUS_OBTAINED != pCertType->dwStatus))
{
//mark the status as obtained.
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
}
CertAddCertificateContextToStore(
pCertType->hObtainedStore,
pCertCurrent,
CERT_STORE_ADD_USE_EXISTING,
NULL);
}
else
{
//copy the certificate to the Archive certificate store
CertAddCertificateContextToStore(
pCertType->hArchiveStore,
pCertCurrent,
CERT_STORE_ADD_USE_EXISTING,
NULL);
}
}
}
Next:
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
AEFreeTemplateInfo(&AETemplateInfo);
fNeedToValidate=TRUE;
}
Ret:
if(hUserDS)
CertCloseStore(hUserDS, 0);
return TRUE;
}
//-----------------------------------------------------------------------
//
// AECheckPendingRequests
//
// If we have pending update-to-date certificate requests, no need
// to enroll/renew for duplicates.
//-----------------------------------------------------------------------
BOOL AECheckPendingRequests(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex=0;
DWORD dwVersion=0;
AE_CERTTYPE_INFO *pCertType=NULL;
BOOL fValid=FALSE;
DWORD dwCount=0;
DWORD dwMax=PENDING_ALLOC_SIZE;
PFNPIEnroll4GetNoCOM pfnPIEnroll4GetNoCOM=NULL;
FILETIME ftTime;
LARGE_INTEGER ftRequestTime;
AE_TEMPLATE_INFO AETemplateInfo;
IEnroll4 *pIEnroll4=NULL;
CRYPT_DATA_BLOB *rgblobHash=NULL;
CRYPT_DATA_BLOB blobName;
//init before any goto Ret
memset(&blobName, 0, sizeof(blobName));
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
if(NULL==pAE_General_Info->hXenroll)
goto Ret;
if(NULL==(pfnPIEnroll4GetNoCOM=(PFNPIEnroll4GetNoCOM)GetProcAddress(
pAE_General_Info->hXenroll,
"PIEnroll4GetNoCOM")))
goto Ret;
if(NULL==(pIEnroll4=pfnPIEnroll4GetNoCOM()))
goto Ret;
GetSystemTimeAsFileTime(&ftTime);
if(pAE_General_Info->fMachine)
{
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_LOCAL_MACHINE))
goto Ret;
}
else
{
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_CURRENT_USER))
goto Ret;
}
//enumerate all the pending requests
rgblobHash=(CRYPT_DATA_BLOB *)LocalAlloc(LPTR, dwMax * sizeof(CRYPT_DATA_BLOB));
if(NULL==rgblobHash)
goto Ret;
memset(rgblobHash, 0, dwMax * sizeof(CRYPT_DATA_BLOB));
//initialize the enumerator
if(S_OK != pIEnroll4->enumPendingRequestWStr(XEPR_ENUM_FIRST, 0, NULL))
goto Ret;
while(AEGetPendingRequestProperty(
pIEnroll4,
dwIndex,
XEPR_DATE,
&ftRequestTime))
{
ftRequestTime.QuadPart += Int32x32To64(FILETIME_TICKS_PER_SECOND,
AE_PENDING_REQUEST_ACTIVE_PERIOD * 24 * 3600);
//remove the request if out of date
if(0 <= CompareFileTime(&ftTime, (LPFILETIME)&ftRequestTime))
{
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
}
else
{
//get the version and the template name of the request
if(AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V2TEMPLATEOID, &blobName))
{
//this is a V2 template
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_VERSION, &dwVersion))
goto Next;
AETemplateInfo.pwszOid=(LPWSTR)blobName.pbData;
}
else
{
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V1TEMPLATENAME, &blobName))
goto Next;
AETemplateInfo.pwszName=(LPWSTR)blobName.pbData;
}
//find the template
if(NULL==(pCertType=AEFindTemplateInRequestTree(
&AETemplateInfo, pAE_General_Info)))
goto Next;
if(AETemplateInfo.pwszName)
fValid=TRUE;
else
{
if(dwVersion >= pCertType->dwVersion)
fValid=TRUE;
}
if(fValid)
{
//this is a valid pending request
if(CERT_REQUEST_STATUS_OBTAINED != pCertType->dwStatus)
pCertType->dwStatus=CERT_REQUEST_STATUS_PENDING;
}
else
{
if(CERT_REQUEST_STATUS_OBTAINED == pCertType->dwStatus)
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
}
}
Next:
if(blobName.pbData)
LocalFree(blobName.pbData);
memset(&blobName, 0, sizeof(blobName));
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
fValid=FALSE;
dwVersion=0;
dwIndex++;
}
//remove the requests based the hash
if(dwCount)
{
AERemovePendingRequest(pIEnroll4, dwCount, rgblobHash);
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_PENDING_INVALID, pAE_General_Info->fMachine, pAE_General_Info->hToken, 0);
}
Ret:
AEFreePendingRequests(dwCount, rgblobHash);
if(blobName.pbData)
LocalFree(blobName.pbData);
if(pIEnroll4)
pIEnroll4->Release();
return TRUE;
}
//-----------------------------------------------------------------------
//
// AECheckSupersedeRequest
//
//-----------------------------------------------------------------------
BOOL AECheckSupersedeRequest(DWORD dwCurIndex,
AE_CERTTYPE_INFO *pCurCertType,
AE_CERTTYPE_INFO *pSupersedingCertType,
AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fFound=FALSE;
LPWSTR *awszSuperseding=NULL;
if(S_OK == CAGetCertTypePropertyEx(
pSupersedingCertType->hCertType,
CERTTYPE_PROP_SUPERSEDE,
&(awszSuperseding)))
{
if(awszSuperseding && awszSuperseding[0])
{
if(AEIfSupersede(pCurCertType->awszName[0], awszSuperseding, pAE_General_Info))
{
switch(pCurCertType->dwStatus)
{
case CERT_REQUEST_STATUS_ACTIVE:
case CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE:
//remove the active status if it is superseded by an obtained certificate
if(CERT_REQUEST_STATUS_OBTAINED != pSupersedingCertType->dwStatus)
{
pCurCertType->dwStatus = CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE;
pSupersedingCertType->prgActive[pSupersedingCertType->dwActive]=dwCurIndex;
(pSupersedingCertType->dwActive)++;
}
else
{
pCurCertType->dwStatus = 0;
}
case CERT_REQUEST_STATUS_PENDING:
AECopyCertStore(pCurCertType->hArchiveStore,
pSupersedingCertType->hArchiveStore);
break;
case CERT_REQUEST_STATUS_OBTAINED:
AECopyCertStore(pCurCertType->hObtainedStore,
pSupersedingCertType->hArchiveStore);
break;
default:
AECopyCertStore(pCurCertType->hArchiveStore,
pSupersedingCertType->hArchiveStore);
break;
}
//we consider that we find a valid superseding template only if the status
//is obtained. If the status is anyting else, we need to keep searching since
//enrollment/renewal requests might not be granted
if(CERT_REQUEST_STATUS_OBTAINED == pSupersedingCertType->dwStatus)
fFound=TRUE;
}
//clear the visited flag in AE_General_Info
AEClearVistedFlag(pAE_General_Info);
}
//free the property
if(awszSuperseding)
CAFreeCertTypeProperty(
pSupersedingCertType->hCertType,
awszSuperseding);
awszSuperseding=NULL;
}
return fFound;
}
//-----------------------------------------------------------------------
//
// AEIsCALonger
//
// For renewal, the CA's certificate has to live longer than the
// renewing certificate
//
//-----------------------------------------------------------------------
BOOL AEIsCALonger(HCAINFO hCAInfo, PCERT_CONTEXT pOldCert)
{
BOOL fCALonger=TRUE;
PCCERT_CONTEXT pCACert=NULL;
//we assume the CA is good unless we found something wrong
if((NULL == hCAInfo) || (NULL == pOldCert))
goto Ret;
if(S_OK != CAGetCACertificate(hCAInfo, &pCACert))
goto Ret;
if(NULL == pCACert)
goto Ret;
//CA cert's NotAfter should be longer than the issued certificate' NotAfger
if(1 == CompareFileTime(&(pCACert->pCertInfo->NotAfter), &(pOldCert->pCertInfo->NotAfter)))
goto Ret;
fCALonger=FALSE;
Ret:
if(pCACert)
CertFreeCertificateContext(pCACert);
return fCALonger;
}
//-----------------------------------------------------------------------
//
// AECanFindCAForCertType
//
// Check if there exists a CA that can issue the specified certificate
// template.
//
//-----------------------------------------------------------------------
BOOL AECanFindCAForCertType(AE_GENERAL_INFO *pAE_General_Info, AE_CERTTYPE_INFO *pCertType)
{
DWORD dwIndex=0;
BOOL fFound=FALSE;
AE_CA_INFO *prgCAInfo=pAE_General_Info->rgCAInfo;
BOOL fRenewal=FALSE;
//detect if we are performing an enrollment or renewal
if((pCertType->fRenewal) && (pCertType->pOldCert))
{
if((pCertType->fNeedRA) && (pCertType->fCrossRA))
fRenewal=FALSE;
else
fRenewal=TRUE;
}
else
fRenewal=FALSE;
if(prgCAInfo)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCA; dwIndex++)
{
//make sure the CA supports the specific template
if(AEIsAnElement((pCertType->awszName)[0],
(prgCAInfo[dwIndex]).awszCertificateTemplate))
{
if(FALSE == fRenewal)
{
fFound=TRUE;
break;
}
else
{
if(AEIsCALonger(prgCAInfo[dwIndex].hCAInfo, pCertType->pOldCert))
{
fFound=TRUE;
break;
}
}
}
}
}
return fFound;
}
//-----------------------------------------------------------------------
//
// AEManageActiveTemplates
//
// We make sure that for all active templates, we can in deed enroll
// for it.
//
//-----------------------------------------------------------------------
BOOL AEManageActiveTemplates(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex=0;
AE_CERTTYPE_INFO *pCertTypeInfo=pAE_General_Info->rgCertTypeInfo;
AE_CERTTYPE_INFO *pCurCertType=NULL;
BOOL fCanEnrollCertType=FALSE;
BOOL fUserProtection=FALSE;
DWORD dwEventID=0;
if(pCertTypeInfo)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
pCurCertType = &(pCertTypeInfo[dwIndex]);
fCanEnrollCertType=FALSE;
fUserProtection=FALSE;
if(CERT_REQUEST_STATUS_PENDING == pCurCertType->dwStatus)
{
//check if UI is required
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCurCertType->dwEnrollmentFlag))
{
pCurCertType->fUIActive=TRUE;
if(pAE_General_Info->fMachine)
{
pCurCertType->dwStatus = 0;
//log that user does not have access right to the template
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_ACCESS_ACRS_OBJECT,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
}
}
continue;
}
if(CERT_REQUEST_STATUS_ACTIVE != pCurCertType->dwStatus)
continue;
//check for V1 smart card User or smart card logon certificate template
if((0 == _wcsicmp(wszCERTTYPE_SMARTCARD_USER, (pCurCertType->awszName)[0])) ||
(0 == _wcsicmp(wszCERTTYPE_USER_SMARTCARD_LOGON,(pCurCertType->awszName)[0]))
)
{
pCurCertType->dwStatus = 0;
//log that user does not have access right to the template
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_V1_SCARD,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
continue;
}
//check if CRYPT_USER_PROTECTED is used for machine certificate template
if(CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED & pCurCertType->dwPrivateKeyFlag)
{
if(pAE_General_Info->fMachine)
{
pCurCertType->dwStatus = 0;
//log that machine template should not require user password
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_USER_PROTECTION_FOR_MACHINE,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
continue;
}
else
{
if(0 == (CT_FLAG_USER_INTERACTION_REQUIRED & (pCurCertType->dwEnrollmentFlag)))
{
pCurCertType->dwStatus = 0;
//log that user interaction is not set
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_USER_INTERACTION,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
continue;
}
}
}
fCanEnrollCertType=AECanEnrollCertType(pAE_General_Info->hToken, pCurCertType, pAE_General_Info, &fUserProtection);
if((!fCanEnrollCertType) ||
(!AECanFindCAForCertType(pAE_General_Info, pCurCertType))
)
{
pCurCertType->dwStatus = 0;
//log that user does not have access right to the template
if(FALSE == fUserProtection)
{
dwEventID=EVENT_NO_ACCESS_ACRS_OBJECT;
}
else
{
if(pAE_General_Info->fMachine)
dwEventID=EVENT_NO_USER_PROTECTION_FOR_MACHINE_RA;
else
dwEventID=EVENT_NO_USER_INTERACTION_RA;
}
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, dwEventID,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
}
else
{
//check if UI is required
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCurCertType->dwEnrollmentFlag))
{
pCurCertType->fUIActive=TRUE;
if(pAE_General_Info->fMachine)
{
pCurCertType->dwStatus = 0;
//log that user does not have access right to the template
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_ACCESS_ACRS_OBJECT,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
}
}
}
}
}
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEManageSupersedeRequests
// remove duplicated requests based on "Supersede" relationship
//
//
//-----------------------------------------------------------------------
BOOL AEManageSupersedeRequests(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex=0;
DWORD dwSuperseding=0;
DWORD dwOrder=0;
AE_CERTTYPE_INFO *pCertTypeInfo=pAE_General_Info->rgCertTypeInfo;
AE_CERTTYPE_INFO *pCurCertType=NULL;
AE_CERTTYPE_INFO *pSupersedingCertType=NULL;
BOOL fFound=FALSE;
if(pCertTypeInfo)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
pCurCertType = &(pCertTypeInfo[dwIndex]);
//we only consider templates with valid status
if((0 == pCurCertType->dwStatus) && (TRUE == AEIsEmptyStore(pCurCertType->hArchiveStore)))
continue;
fFound=FALSE;
for(dwOrder=0; dwOrder < g_dwSupersedeOrder; dwOrder++)
{
for(dwSuperseding=0; dwSuperseding < pAE_General_Info->dwCertType; dwSuperseding++)
{
//one can not be superseded by itself
if(dwIndex == dwSuperseding)
continue;
pSupersedingCertType = &(pCertTypeInfo[dwSuperseding]);
//we consider templates with obtained status first
if(g_rgdwSupersedeOrder[dwOrder] != pSupersedingCertType->dwStatus)
continue;
fFound = AECheckSupersedeRequest(dwIndex, pCurCertType, pSupersedingCertType, pAE_General_Info);
//we find a valid superseding template
if(fFound)
break;
}
//we find a valid superseding template
if(fFound)
break;
}
}
}
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEDoOneEnrollment
//
//-----------------------------------------------------------------------
/*BOOL AEDoOneEnrollment(HWND hwndParent,
BOOL fUIProcess,
BOOL fMachine,
LPWSTR pwszMachineName,
AE_CERTTYPE_INFO *pCertType,
AE_CA_INFO *pCAInfo,
DWORD *pdwStatus)
{
BOOL fResult = FALSE;
CRYPTUI_WIZ_CERT_REQUEST_INFO CertRequestInfo;
CRYPTUI_WIZ_CERT_TYPE CertWizType;
CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW CertPvkNew;
CRYPT_KEY_PROV_INFO KeyProvInfo;
memset(&CertRequestInfo, 0, sizeof(CRYPTUI_WIZ_CERT_REQUEST_INFO));
memset(&CertWizType, 0, sizeof(CRYPTUI_WIZ_CERT_TYPE));
memset(&CertPvkNew, 0, sizeof(CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW));
memset(&KeyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
CertRequestInfo.dwSize = sizeof(CRYPTUI_WIZ_CERT_REQUEST_INFO);
//enroll or renewal
if((pCertType->fRenewal) && (pCertType->pOldCert))
{
CertRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_RENEW;
CertRequestInfo.pRenewCertContext = pCertType->pOldCert;
}
else
CertRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_ENROLL;
//machine name
if(fMachine)
{
CertRequestInfo.pwszMachineName = pwszMachineName;
}
//private key information
CertRequestInfo.dwPvkChoice = CRYPTUI_WIZ_CERT_REQUEST_PVK_CHOICE_NEW;
CertRequestInfo.pPvkNew = &CertPvkNew;
CertPvkNew.dwSize = sizeof(CertPvkNew);
CertPvkNew.pKeyProvInfo = &KeyProvInfo;
CertPvkNew.dwGenKeyFlags = 0; //no need to specify the exportable flags
//SILENT is always set for machine
if(fMachine)
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET | CRYPT_SILENT;
else
{
if(fUIProcess)
KeyProvInfo.dwFlags = 0;
else
KeyProvInfo.dwFlags = CRYPT_SILENT;
}
//CA information
CertRequestInfo.pwszCALocation = pCAInfo->awszCADNS[0];
CertRequestInfo.pwszCAName = pCAInfo->awszCAName[0];
//enroll for the template
CertRequestInfo.dwCertChoice = CRYPTUI_WIZ_CERT_REQUEST_CERT_TYPE;
CertRequestInfo.pCertType = &CertWizType;
CertWizType.dwSize = sizeof(CertWizType);
CertWizType.cCertType = 1;
CertWizType.rgwszCertType = &(pCertType->awszName[0]);
//ISSUE: we need to call Duncanb's new no-DS look up API
//for faster performance
fResult = CryptUIWizCertRequest(CRYPTUI_WIZ_NO_UI_EXCEPT_CSP | CRYPTUI_WIZ_NO_INSTALL_ROOT,
hwndParent,
NULL,
&CertRequestInfo,
NULL, //pCertContext
pdwStatus);
return fResult;
} */
//-----------------------------------------------------------------------
//
// AECreateEnrollmentRequest
//
//
//-----------------------------------------------------------------------
BOOL AECreateEnrollmentRequest(
HWND hwndParent,
BOOL fUIProcess,
BOOL fMachine,
LPWSTR pwszMachineName,
AE_CERTTYPE_INFO *pCertType,
AE_CA_INFO *pCAInfo,
HANDLE *phRequest,
DWORD *pdwLastError)
{
BOOL fResult = FALSE;
CRYPTUI_WIZ_CREATE_CERT_REQUEST_INFO CreateRequestInfo;
CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW CertPvkNew;
CRYPT_KEY_PROV_INFO KeyProvInfo;
DWORD dwFlags=CRYPTUI_WIZ_NO_UI_EXCEPT_CSP |
CRYPTUI_WIZ_NO_INSTALL_ROOT |
CRYPTUI_WIZ_ALLOW_ALL_TEMPLATES |
CRYPTUI_WIZ_ALLOW_ALL_CAS;
DWORD dwSize=0;
DWORD dwAcquireFlags=0;
BOOL fResetProv=FALSE;
CRYPT_KEY_PROV_INFO *pKeyProvInfo=NULL;
HANDLE hRequest=NULL;
memset(&CreateRequestInfo, 0, sizeof(CRYPTUI_WIZ_CREATE_CERT_REQUEST_INFO));
memset(&CertPvkNew, 0, sizeof(CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW));
memset(&KeyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
CreateRequestInfo.dwSize = sizeof(CreateRequestInfo);
//enroll or renewal
if((pCertType->fRenewal) && (pCertType->pOldCert))
{
CreateRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_RENEW;
CreateRequestInfo.pRenewCertContext = pCertType->pOldCert;
//we should not archive renewal certificate for cross template RA
if((pCertType->fNeedRA) && (pCertType->fCrossRA))
dwFlags |= CRYPTUI_WIZ_NO_ARCHIVE_RENEW_CERT;
//we should disalbe UI for machine or non-UI enrollment renew/RA certificate
if((TRUE == fMachine) || (FALSE == fUIProcess))
{
dwSize=0;
if(!CertGetCertificateContextProperty(pCertType->pOldCert,
CERT_KEY_PROV_INFO_PROP_ID,
NULL,
&dwSize))
goto error;
pKeyProvInfo=(CRYPT_KEY_PROV_INFO *)LocalAlloc(LPTR, dwSize);
if(NULL == pKeyProvInfo)
goto error;
if(!CertGetCertificateContextProperty(pCertType->pOldCert,
CERT_KEY_PROV_INFO_PROP_ID,
pKeyProvInfo,
&dwSize))
goto error;
dwAcquireFlags=pKeyProvInfo->dwFlags;
pKeyProvInfo->dwFlags |= CRYPT_SILENT;
//set the property
if(!CertSetCertificateContextProperty(pCertType->pOldCert,
CERT_KEY_PROV_INFO_PROP_ID,
CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG,
pKeyProvInfo))
goto error;
fResetProv=TRUE;
}
}
else
CreateRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_ENROLL;
//cert template information
CreateRequestInfo.hCertType = pCertType->hCertType;
//machine name
if(fMachine)
{
CreateRequestInfo.fMachineContext = TRUE;
}
//private key information
CreateRequestInfo.dwPvkChoice = CRYPTUI_WIZ_CERT_REQUEST_PVK_CHOICE_NEW;
CreateRequestInfo.pPvkNew = &CertPvkNew;
CertPvkNew.dwSize = sizeof(CertPvkNew);
CertPvkNew.pKeyProvInfo = &KeyProvInfo;
CertPvkNew.dwGenKeyFlags = 0; //no need to specify the exportable flags
//SILENT is always set for machine
if(fMachine)
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET | CRYPT_SILENT;
else
{
if(fUIProcess)
KeyProvInfo.dwFlags = 0;
else
KeyProvInfo.dwFlags = CRYPT_SILENT;
}
//CA information
CreateRequestInfo.pwszCALocation = pCAInfo->awszCADNS[0];
CreateRequestInfo.pwszCAName = pCAInfo->awszCAName[0];
if(!CryptUIWizCreateCertRequestNoDS(
dwFlags,
hwndParent,
&CreateRequestInfo,
&hRequest))
goto error;
if(NULL==hRequest)
goto error;
*phRequest=hRequest;
hRequest=NULL;
fResult = TRUE;
error:
//get the last error
if(FALSE == fResult)
{
*pdwLastError=GetLastError();
}
//reset the property
if(TRUE == fResetProv)
{
if((pKeyProvInfo) && (pCertType->pOldCert))
{
pKeyProvInfo->dwFlags = dwAcquireFlags;
//set the property
CertSetCertificateContextProperty(pCertType->pOldCert,
CERT_KEY_PROV_INFO_PROP_ID,
CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG,
pKeyProvInfo);
}
}
if(pKeyProvInfo)
LocalFree(pKeyProvInfo);
if(hRequest)
CryptUIWizFreeCertRequestNoDS(hRequest);
return fResult;
}
//-----------------------------------------------------------------------
//
// AECancelled
//
//-----------------------------------------------------------------------
BOOL AECancelled(HANDLE hCancelEvent)
{
if(NULL==hCancelEvent)
return FALSE;
//test if the event is signalled
if(WAIT_OBJECT_0 == WaitForSingleObject(hCancelEvent, 0))
return TRUE;
return FALSE;
}
//-----------------------------------------------------------------------
//
// AEDoEnrollment
//
// return TRUE is no need to do another renewal.
// *pdwStatus contain the real enrollment status.
//
//-----------------------------------------------------------------------
BOOL AEDoEnrollment(HWND hwndParent,
HANDLE hCancelEvent,
BOOL fUIProcess,
DWORD dwLogLevel,
HANDLE hToken,
BOOL fMachine,
LPWSTR pwszMachineName,
AE_CERTTYPE_INFO *pCertType,
DWORD dwCA,
AE_CA_INFO *rgCAInfo,
DWORD *pdwStatus)
{
BOOL fResult = FALSE;
DWORD dwIndex = 0;
DWORD dwCAIndex = 0;
BOOL fRenewal = FALSE;
DWORD dwEventID = 0;
BOOL fFoundCA = FALSE;
DWORD idsSummary = 0; //keep the last failure case
DWORD dwLastError = 0;
CRYPTUI_WIZ_QUERY_CERT_REQUEST_INFO QueryCertRequestInfo;
HANDLE hRequest=NULL;
PCCERT_CONTEXT pCertContext=NULL;
//init the out parameter
*pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_ERROR;
//detect if we are performing an enrollment or renewal
if((pCertType->fRenewal) && (pCertType->pOldCert))
{
if((pCertType->fNeedRA) && (pCertType->fCrossRA))
fRenewal=FALSE;
else
fRenewal=TRUE;
}
else
fRenewal=FALSE;
//loop through all the CAs
for(dwIndex =0; dwIndex < dwCA; dwIndex++)
{
dwCAIndex = (dwIndex + pCertType->dwRandomCAIndex) % dwCA;
if(AECancelled(hCancelEvent))
{
//no need to renew any more
fResult=TRUE;
//log that autoenrollment is cancelled
AELogAutoEnrollmentEvent(dwLogLevel,
FALSE,
S_OK,
EVENT_AUTOENROLL_CANCELLED,
fMachine,
hToken,
0);
break;
}
//make sure the CA supports the specific template
if(!AEIsAnElement((pCertType->awszName)[0],
rgCAInfo[dwCAIndex].awszCertificateTemplate))
continue;
//make sure the CA's validity period of more than the renewing certificate
if(TRUE == fRenewal)
{
if(!AEIsCALonger(rgCAInfo[dwCAIndex].hCAInfo, pCertType->pOldCert))
continue;
}
//enroll to the CA
*pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_ERROR;
fFoundCA = TRUE;
//create a certificate request
if(NULL==hRequest)
{
if(!AECreateEnrollmentRequest(hwndParent, fUIProcess, fMachine, pwszMachineName, pCertType, &(rgCAInfo[dwCAIndex]), &hRequest, &dwLastError))
{
//check if user cancelled the enrollment. If so, no
//need to try another CA.
if((HRESULT_FROM_WIN32(ERROR_CANCELLED) == dwLastError) ||
(SCARD_W_CANCELLED_BY_USER == dwLastError))
{
//no need to renewal anymore
fResult = TRUE;
//log that autoenrollment is cancelled
AELogAutoEnrollmentEvent(dwLogLevel,
FALSE,
S_OK,
EVENT_AUTOENROLL_CANCELLED_TEMPLATE,
fMachine,
hToken,
1,
pCertType->awszDisplay[0]);
break;
}
else
{
idsSummary=IDS_SUMMARY_REQUEST;
if(CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL & pCertType->dwPrivateKeyFlag)
{
//we have a chance of success with another CA
if(hRequest)
{
CryptUIWizFreeCertRequestNoDS(hRequest);
hRequest=NULL;
}
continue;
}
else
{
//we have no hope to create a request successfully
//mark dwIndex to the dwCA so that we will log an event at the end of the loop
dwIndex=dwCA;
break;
}
}
}
}
//check the cancel again because significant time can pass during
//request creation
if(AECancelled(hCancelEvent))
{
//no need to renew any more
fResult=TRUE;
//log that autoenrollment is cancelled
AELogAutoEnrollmentEvent(dwLogLevel,
FALSE,
S_OK,
EVENT_AUTOENROLL_CANCELLED,
fMachine,
hToken,
0);
break;
}
if(CryptUIWizSubmitCertRequestNoDS(
hRequest,
hwndParent,
rgCAInfo[dwCAIndex].awszCAName[0],
rgCAInfo[dwCAIndex].awszCADNS[0],
pdwStatus,
&pCertContext))
{
//no need to try another CA if the request is successful or pending
if((CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == (*pdwStatus)) ||
(CRYPTUI_WIZ_CERT_REQUEST_STATUS_UNDER_SUBMISSION == (*pdwStatus))
)
{
//no need to renewal anymore
fResult = TRUE;
if(CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == (*pdwStatus))
{
//we copy the certificate to publishing
if(pCertContext)
{
CertAddCertificateContextToStore(pCertType->hIssuedStore,
pCertContext,
CERT_STORE_ADD_USE_EXISTING,
NULL);
CertFreeCertificateContext(pCertContext);
pCertContext=NULL;
}
dwEventID=fRenewal ? EVENT_RENEWAL_SUCCESS_ONCE : EVENT_ENROLL_SUCCESS_ONCE;
}
else
{
dwEventID=fRenewal ? EVENT_RENEWAL_PENDING_ONCE : EVENT_ENROLL_PENDING_ONCE;
}
//log the enrollment sucess or pending event
AELogAutoEnrollmentEvent(dwLogLevel,
FALSE,
S_OK,
dwEventID,
fMachine,
hToken,
3,
pCertType->awszDisplay[0],
rgCAInfo[dwCAIndex].awszCADisplay[0],
rgCAInfo[dwCAIndex].awszCADNS[0]);
//log if the private key is re-used
memset(&QueryCertRequestInfo, 0, sizeof(QueryCertRequestInfo));
QueryCertRequestInfo.dwSize=sizeof(QueryCertRequestInfo);
if(CryptUIWizQueryCertRequestNoDS(hRequest,
&QueryCertRequestInfo))
{
if(CRYPTUI_WIZ_QUERY_CERT_REQUEST_STATUS_CREATE_REUSED_PRIVATE_KEY &
(QueryCertRequestInfo.dwStatus))
{
AELogAutoEnrollmentEvent(dwLogLevel,
FALSE,
S_OK,
EVENT_PRIVATE_KEY_REUSED,
fMachine,
hToken,
1,
pCertType->awszDisplay[0]);
}
}
break;
}
}
//get the last error
dwLastError=GetLastError();
idsSummary=IDS_SUMMARY_CA;
//log the one enrollment warning
AELogAutoEnrollmentEvent(dwLogLevel,
TRUE,
HRESULT_FROM_WIN32(dwLastError),
fRenewal ? EVENT_RENEWAL_FAIL_ONCE : EVENT_ENROLL_FAIL_ONCE,
fMachine,
hToken,
3,
pCertType->awszDisplay[0],
rgCAInfo[dwCAIndex].awszCADisplay[0],
rgCAInfo[dwCAIndex].awszCADNS[0]);
//we should recreate the request for key archival
if(CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL & pCertType->dwPrivateKeyFlag)
{
if(hRequest)
{
CryptUIWizFreeCertRequestNoDS(hRequest);
hRequest=NULL;
}
}
}
//log all enrollments error
//the loop will exit only if CANCEL, or SUCCEED, or we run out of CAs to try or
//the request can not be created
if(dwIndex == dwCA)
{
//we either run out of CAs to try or the request can not be created
if(0 != idsSummary)
pCertType->idsSummary=idsSummary;
if(fFoundCA)
{
dwEventID = fRenewal ? EVENT_RENEWAL_FAIL : EVENT_ENROLL_FAIL;
}
else
{
//if there is no CA, no need to try re-enrollment
if(fRenewal)
pCertType->fRenewal=FALSE;
dwEventID = fRenewal ? EVENT_RENEWAL_NO_CA_FAIL : EVENT_ENROLL_NO_CA_FAIL;
}
AELogAutoEnrollmentEvent(dwLogLevel,
fFoundCA ? TRUE : FALSE,
HRESULT_FROM_WIN32(dwLastError),
dwEventID,
fMachine,
hToken,
1,
pCertType->awszDisplay[0]);
}
if(hRequest)
CryptUIWizFreeCertRequestNoDS(hRequest);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEEnrollmentCertificates
//
//-----------------------------------------------------------------------
BOOL AEEnrollmentCertificates(AE_GENERAL_INFO *pAE_General_Info, DWORD dwEnrollStatus)
{
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
DWORD dwIndex =0 ;
DWORD dwStatus= 0;
DWORD dwRandom = 0;
HCRYPTPROV hProv = NULL;
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
if(NULL == rgCertTypeInfo)
return FALSE;
if((0 == pAE_General_Info->dwCA) || (NULL==pAE_General_Info->rgCAInfo))
return FALSE;
if(!CryptAcquireContextW(&hProv,
NULL,
MS_DEF_PROV_W,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
hProv=NULL;
//going through all the active requests
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
//we enroll/renew for templates that are active
if(dwEnrollStatus != rgCertTypeInfo[dwIndex].dwStatus)
continue;
if(pAE_General_Info->fUIProcess != rgCertTypeInfo[dwIndex].fUIActive)
continue;
//select a random CA index to balance the load
if((hProv) && (CryptGenRandom(hProv, sizeof(dwRandom), (BYTE *)(&dwRandom))))
{
rgCertTypeInfo[dwIndex].dwRandomCAIndex = dwRandom % (pAE_General_Info->dwCA);
}
else
rgCertTypeInfo[dwIndex].dwRandomCAIndex = 0;
//enroll
dwStatus=0;
//report progress
if(pAE_General_Info->fUIProcess)
{
//continue if user choose CANCEL in view RA dialogue
if(!AEUIProgressReport(FALSE, &(rgCertTypeInfo[dwIndex]),pAE_General_Info->hwndDlg, pAE_General_Info->hCancelEvent))
{
AEUIProgressAdvance(pAE_General_Info);
continue;
}
}
if(AEDoEnrollment( pAE_General_Info->hwndDlg ? pAE_General_Info->hwndDlg : pAE_General_Info->hwndParent,
pAE_General_Info->hCancelEvent,
pAE_General_Info->fUIProcess,
pAE_General_Info->dwLogLevel,
pAE_General_Info->hToken,
pAE_General_Info->fMachine,
pAE_General_Info->wszMachineName,
&(rgCertTypeInfo[dwIndex]),
pAE_General_Info->dwCA,
pAE_General_Info->rgCAInfo,
&dwStatus))
{
//mark the status
if(CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == dwStatus)
rgCertTypeInfo[dwIndex].dwStatus=CERT_REQUEST_STATUS_OBTAINED;
}
else
{
//if renewal failed, we try to re-enrollment if no RA is required
if((rgCertTypeInfo[dwIndex].fRenewal) && (FALSE == (rgCertTypeInfo[dwIndex].fNeedRA)))
{
rgCertTypeInfo[dwIndex].fRenewal=FALSE;
dwStatus=0;
if(AEDoEnrollment( pAE_General_Info->hwndDlg ? pAE_General_Info->hwndDlg : pAE_General_Info->hwndParent,
pAE_General_Info->hCancelEvent,
pAE_General_Info->fUIProcess,
pAE_General_Info->dwLogLevel,
pAE_General_Info->hToken,
pAE_General_Info->fMachine,
pAE_General_Info->wszMachineName,
&(rgCertTypeInfo[dwIndex]),
pAE_General_Info->dwCA,
pAE_General_Info->rgCAInfo,
&dwStatus))
{
//mark the status
if(CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == dwStatus)
rgCertTypeInfo[dwIndex].dwStatus=CERT_REQUEST_STATUS_OBTAINED;
}
}
}
//advance progress
if(pAE_General_Info->fUIProcess)
{
AEUIProgressAdvance(pAE_General_Info);
}
}
if(hProv)
CryptReleaseContext(hProv, 0);
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEIsDeletableCert
// Decide if we should archive or delete the certificate
//
//-----------------------------------------------------------------------
BOOL AEIsDeletableCert(PCCERT_CONTEXT pCertContext, AE_GENERAL_INFO *pAE_General_Info)
{
AE_CERTTYPE_INFO *pCertType=NULL;
BOOL fDelete=FALSE;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
//only interested in certificate with template information
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
goto Ret;
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
if(NULL==pCertType)
goto Ret;
if(CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE & (pCertType->dwEnrollmentFlag))
fDelete=TRUE;
else
fDelete=FALSE;
Ret:
AEFreeTemplateInfo(&AETemplateInfo);
return fDelete;
}
//-----------------------------------------------------------------------
//
// AEIsSupersedeTemplate
//
// Check if pArchiveCert is superseded by pCertType
//
//-----------------------------------------------------------------------
BOOL AEIsSupersedeTemplate(PCCERT_CONTEXT pArchiveCert, AE_CERTTYPE_INFO *pCertType, AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fSuperSede=FALSE;
AE_TEMPLATE_INFO AETemplateInfo;
AE_CERTTYPE_INFO *pArchiveCertType=NULL;
LPWSTR *awszSuperseding=NULL;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
//only interested in certificate with template information
if(!AERetrieveTemplateInfo(pArchiveCert, &AETemplateInfo))
goto Ret;
pArchiveCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
if(NULL==pArchiveCertType)
goto Ret;
//clear the visited flag in AE_General_Info
AEClearVistedFlag(pAE_General_Info);
if(S_OK == CAGetCertTypePropertyEx(
pCertType->hCertType,
CERTTYPE_PROP_SUPERSEDE,
&(awszSuperseding)))
{
if(awszSuperseding && awszSuperseding[0])
{
if(AEIfSupersede(pArchiveCertType->awszName[0], awszSuperseding, pAE_General_Info))
{
fSuperSede=TRUE;
}
//clear the visited flag in AE_General_Info
AEClearVistedFlag(pAE_General_Info);
}
//free the property
if(awszSuperseding)
CAFreeCertTypeProperty(pCertType->hCertType, awszSuperseding);
}
Ret:
AEFreeTemplateInfo(&AETemplateInfo);
return fSuperSede;
}
//-----------------------------------------------------------------------
//
// AEIsSameTemplate
//
// Check if the certificate is of the same template of pCertType
//
//-----------------------------------------------------------------------
BOOL AEIsSameTemplate(PCCERT_CONTEXT pCertContext, AE_CERTTYPE_INFO *pCertType, BOOL fVersionCheck)
{
BOOL fSame=FALSE;
AE_TEMPLATE_INFO AETemplateInfo;
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
if((NULL == pCertType) || (NULL == pCertContext))
goto Ret;
//get the template information for the certificate
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
goto Ret;
if( (NULL == AETemplateInfo.pwszName) && (NULL == AETemplateInfo.pwszOid))
goto Ret;
if(AETemplateInfo.pwszOid)
{
//we are guaranteed to have an OID if the schema is greater than or equal to 2
if(pCertType->dwSchemaVersion >= CERTTYPE_SCHEMA_VERSION_2)
{
if(0 == wcscmp(AETemplateInfo.pwszOid, (pCertType->awszOID)[0]))
{
if(fVersionCheck)
{
if(AETemplateInfo.dwVersion == pCertType->dwVersion)
{
fSame=TRUE;
}
}
else
{
fSame=TRUE;
}
}
}
}
else
{
//we are guaranteed to have a name
if(0 == wcscmp(AETemplateInfo.pwszName, (pCertType->awszName)[0]))
{
fSame=TRUE;
}
}
Ret:
AEFreeTemplateInfo(&AETemplateInfo);
return fSame;
}
//-----------------------------------------------------------------------
//
// AEArchiveObsoleteCertificates
// archive old certificate after the enrollment/renewal
//
// clean up the hUserDS store (delete the expired or revoked certificate)
//-----------------------------------------------------------------------
BOOL AEArchiveObsoleteCertificates(AE_GENERAL_INFO *pAE_General_Info)
{
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
DWORD dwIndex = 0;
CRYPT_DATA_BLOB Archived;
BOOL fArchived = FALSE;
BOOL fDSArchived = FALSE;
AE_CERT_INFO AECertInfo;
BOOL fRepublish=FALSE;
BYTE rgbHash[SHA1_HASH_LENGTH];
CRYPT_HASH_BLOB blobHash;
BOOL fHash=FALSE;
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER;
DWORD dwProp=CERT_ARCHIVED_PROP_ID;
BOOL fSameDns=TRUE;
HCERTSTORE hUserDS = NULL;
HCERTSTORE hMyArchive = NULL;
PCCERT_CONTEXT pCertContext = NULL;
PCCERT_CONTEXT pMyContext = NULL;
PCCERT_CONTEXT pDSContext = NULL;
PCCERT_CONTEXT pIssuedContext = NULL;
PCCERT_CONTEXT pDnsContext = NULL;
PCCERT_CONTEXT pDnsOldContext = NULL;
PCCERT_CONTEXT pSelectedContext = NULL;
PCCERT_CONTEXT pMyDnsContext = NULL;
PCCERT_CONTEXT pMyArchiveCert = NULL;
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
if(NULL == rgCertTypeInfo)
return FALSE;
memset(&Archived, 0, sizeof(CRYPT_DATA_BLOB));
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
//open the UserDS store
if(!(pAE_General_Info->fMachine))
{
hUserDS = AEOpenUserDSStore(pAE_General_Info, 0);
}
//verify the DNS name of issued certificate.
//mark the CERT_AUTO_ENROLL_RETRY_PROP_ID property
if(pAE_General_Info->fMachine)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
{
if(rgCertTypeInfo[dwIndex].hIssuedStore)
{
if(pDnsContext = CertEnumCertificatesInStore(
rgCertTypeInfo[dwIndex].hIssuedStore, NULL))
{
pMyDnsContext = FindCertificateInOtherStore(
pAE_General_Info->hMyStore,
pDnsContext);
if(pMyDnsContext)
{
//detect if DSN name match
if(AEVerifyDNSName(pAE_General_Info, pMyDnsContext))
{
//the DNS name match;
//clear the CERT_AUTO_ENROLL_RETRY_PROP_ID property
CertSetCertificateContextProperty(
pMyDnsContext,
CERT_AUTO_ENROLL_RETRY_PROP_ID,
0,
NULL);
}
else
{
fSameDns=TRUE;
pDnsOldContext=NULL;
pSelectedContext=NULL;
while(pDnsOldContext = CertEnumCertificatesInStore(
rgCertTypeInfo[dwIndex].hArchiveStore, pDnsOldContext))
{
//only consider same template scenario for retrial purpose
//only consider certificates with same version
if(AEIsSameTemplate(pDnsOldContext, &(rgCertTypeInfo[dwIndex]), TRUE))
{
if(!AEIsSameDNS(pMyDnsContext, pDnsOldContext))
{
fSameDns=FALSE;
CertFreeCertificateContext(pDnsOldContext);
pDnsOldContext=NULL;
break;
}
else
{
if(NULL == pSelectedContext)
{
pSelectedContext=CertDuplicateCertificateContext(pDnsOldContext);
}
else
{
//we use the least retrial wait amoung all old DNS certificates
//of the same certificate template
if(!AEFasterRetrialSchedule(pSelectedContext, pDnsOldContext))
{
CertFreeCertificateContext(pSelectedContext);
pSelectedContext = NULL;
pSelectedContext=CertDuplicateCertificateContext(pDnsOldContext);
}
}
}
}
}
//start over again if the DNS from the new certificate is
//different from existing ones or this is the 1st time
//a mis-match DNS has occurred
if((NULL == pSelectedContext) || (FALSE == fSameDns))
{
//clear the CERT_AUTO_ENROLL_RETRY_PROP_ID property
CertSetCertificateContextProperty(
pMyDnsContext,
CERT_AUTO_ENROLL_RETRY_PROP_ID,
0,
NULL);
}
else
{
AEUpdateRetryProperty(pAE_General_Info, (rgCertTypeInfo[dwIndex].awszDisplay)[0], pMyDnsContext, pSelectedContext);
}
if(pSelectedContext)
{
CertFreeCertificateContext(pSelectedContext);
pSelectedContext = NULL;
}
}
CertFreeCertificateContext(pMyDnsContext);
pMyDnsContext = NULL;
}
CertFreeCertificateContext(pDnsContext);
pDnsContext = NULL;
}
}
}
}
}
//archive certificates
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
fHash=FALSE;
fRepublish=FALSE;
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
{
//get the hash of newly enrolled certificate
blobHash.cbData=SHA1_HASH_LENGTH;
blobHash.pbData=rgbHash;
if(rgCertTypeInfo[dwIndex].hIssuedStore)
{
if(pIssuedContext = CertEnumCertificatesInStore(
rgCertTypeInfo[dwIndex].hIssuedStore, NULL))
{
if(CryptHashCertificate(
NULL,
0,
X509_ASN_ENCODING,
pIssuedContext->pbCertEncoded,
pIssuedContext->cbCertEncoded,
blobHash.pbData,
&(blobHash.cbData)))
{
fHash=TRUE;
}
}
//free the cert context
if(pIssuedContext)
{
CertFreeCertificateContext(pIssuedContext);
pIssuedContext = NULL;
}
}
pCertContext=NULL;
while(pCertContext = CertEnumCertificatesInStore(
rgCertTypeInfo[dwIndex].hArchiveStore, pCertContext))
{
//archive or delete the certificate from my store
pMyContext = FindCertificateInOtherStore(
pAE_General_Info->hMyStore,
pCertContext);
if(pMyContext)
{
//set the Hash of the newly enrolled certificate
if(fHash)
{
CertSetCertificateContextProperty(
pMyContext,
CERT_RENEWAL_PROP_ID,
0,
&blobHash);
}
if(AEIsDeletableCert(pMyContext, pAE_General_Info))
{
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pMyContext));
}
else
{
// We force an archive on the old cert and close it.
CertSetCertificateContextProperty(pMyContext,
CERT_ARCHIVED_PROP_ID,
0,
&Archived);
}
fArchived=TRUE;
CertFreeCertificateContext(pMyContext);
pMyContext = NULL;
}
//check the DS store. remove the certificates from DS store
if(hUserDS)
{
if(pMyContext = FindCertificateInOtherStore(
hUserDS,
pCertContext))
{
CertDeleteCertificateFromStore(pMyContext);
fDSArchived=TRUE;
pMyContext = NULL;
fRepublish=TRUE;
}
}
}
}
}
//we remove archived certificates from my store
//open my store with CERT_STORE_ENUM_ARCHIVED_FLAG
if(pAE_General_Info->fMachine)
dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE;
//open my store
hMyArchive= CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
ENCODING_TYPE,
NULL,
dwOpenStoreFlags | CERT_STORE_ENUM_ARCHIVED_FLAG,
MY_STORE);
//loop through all templates
if(hMyArchive)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
{
//loop through all archived certificates and remove certificates of same template
//or certificates that are superseded
pMyArchiveCert=NULL;
while(pMyArchiveCert=CertFindCertificateInStore(
hMyArchive, ENCODING_TYPE, 0, CERT_FIND_PROPERTY, &dwProp, pMyArchiveCert))
{
if(AEIsSameTemplate(pMyArchiveCert, &(rgCertTypeInfo[dwIndex]), FALSE))
{
if(CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE & rgCertTypeInfo[dwIndex].dwEnrollmentFlag)
{
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pMyArchiveCert));
fArchived=TRUE;
}
}
else
{
if(AEIsDeletableCert(pMyArchiveCert, pAE_General_Info))
{
if(AEIsSupersedeTemplate(pMyArchiveCert, &(rgCertTypeInfo[dwIndex]), pAE_General_Info))
{
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pMyArchiveCert));
fArchived=TRUE;
}
}
}
}
}
}
}
//now we are done with archiving, we clean up user DS store
if(AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT & (pAE_General_Info->dwPolicy))
{
if(hUserDS)
{
pDSContext=NULL;
while(pDSContext = CertEnumCertificatesInStore(hUserDS, pDSContext))
{
AEValidateCertificateInfo(pAE_General_Info,
NULL, //do not evaluate soon to expire
FALSE, //do not valid private key
pDSContext,
&AECertInfo);
if(FALSE == AECertInfo.fRenewal)
{
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pDSContext));
fDSArchived=TRUE;
fRepublish=TRUE;
}
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
}
}
}
//we have to republish the certificates as we have rewritten the user DS store
//CA might has just published to the location
if(fRepublish)
{
if(hUserDS)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
{
if((rgCertTypeInfo[dwIndex].hIssuedStore) &&
(CT_FLAG_PUBLISH_TO_DS & rgCertTypeInfo[dwIndex].dwEnrollmentFlag)
)
{
pCertContext=NULL;
while(pCertContext = CertEnumCertificatesInStore(
rgCertTypeInfo[dwIndex].hIssuedStore, pCertContext))
{
CertAddCertificateContextToStore(hUserDS,
pCertContext,
CERT_STORE_ADD_USE_EXISTING,
NULL);
}
}
}
}
}
}
//report the event if archival has happened
if(fArchived)
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_ARCHIVE_CERT,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 0);
if(fDSArchived)
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_ARCHIVE_DS_CERT,
pAE_General_Info->fMachine, pAE_General_Info->hToken, 0);
if(hUserDS)
CertCloseStore(hUserDS, 0);
if(hMyArchive)
CertCloseStore(hMyArchive, 0);
return TRUE;
}
//-----------------------------------------------------------------------
//
// AERemoveSupersedeActive
// Remove supersedeActive flag after any successful the enrollment/renewal
//
//-----------------------------------------------------------------------
BOOL AERemoveSupersedeActive(AE_GENERAL_INFO *pAE_General_Info)
{
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
DWORD dwIndex = 0;
DWORD dwActiveIndex = 0;
DWORD dwMarkIndex = 0;
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
if(NULL == rgCertTypeInfo)
return FALSE;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
{
for(dwActiveIndex=0; dwActiveIndex < rgCertTypeInfo[dwIndex].dwActive; dwActiveIndex++)
{
dwMarkIndex = rgCertTypeInfo[dwIndex].prgActive[dwActiveIndex];
rgCertTypeInfo[dwMarkIndex].dwStatus=CERT_REQUEST_STATUS_OBTAINED;
}
}
}
return TRUE;
}
//-----------------------------------------------------------------------
//
// AEEnrollmentWalker
//
// This functin performs enrollment tasks
//
//
//-----------------------------------------------------------------------
BOOL AEEnrollmentWalker(AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fResult = FALSE;
//we need to set the range for the progress bar in the
//UI case
if((pAE_General_Info->fUIProcess) && (pAE_General_Info->hwndDlg))
{
//set the range
if(0 != (pAE_General_Info->dwUIEnrollCount))
{
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
PBM_SETRANGE,
0,
MAKELPARAM(0, ((pAE_General_Info->dwUIEnrollCount) & (0xFFFF)))
);
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
PBM_SETSTEP,
(WPARAM)1,
0);
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
PBM_SETPOS,
(WPARAM)0,
0);
}
}
//retrieve the pending request. Mark the status to obtained if the
//certificate is issued and of the correct version
if(AUTO_ENROLLMENT_ENABLE_PENDING_FETCH & (pAE_General_Info->dwPolicy))
{
if(FALSE == pAE_General_Info->fUIProcess)
{
if(!AEProcessPendingRequest(pAE_General_Info))
goto Ret;
}
else
{
if(!AEProcessUIPendingRequest(pAE_General_Info))
goto Ret;
}
}
//remove duplicated requests based on "Supersede" relationship
//supress active templates that are superseded by other templates
if(!AEManageSupersedeRequests(pAE_General_Info))
goto Ret;
//do enrollment/renewal
if(!AEEnrollmentCertificates(pAE_General_Info, CERT_REQUEST_STATUS_ACTIVE))
goto Ret;
//We try to get the superseded templates if supserseding templates failed.
//Only for machine for the case of two V2 DC templates.
/*if(TRUE == pAE_General_Info->fMachine)
{
//remove supersedeActive based on the obtained flag
if(!AERemoveSupersedeActive(pAE_General_Info))
goto Ret;
//do enrollment/renewal again since we migh fail to get superseding templates
if(!AEEnrollmentCertificates(pAE_General_Info, CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE))
goto Ret;
}*/
fResult = TRUE;
Ret:
return fResult;
}
//-----------------------------------------------------------------------------
//
// AEUIProgressAdvance
//
// Increase the progress bar by one step
//-----------------------------------------------------------------------------
BOOL AEUIProgressAdvance(AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fResult=FALSE;
if(NULL==pAE_General_Info)
goto Ret;
if(NULL==(pAE_General_Info->hwndDlg))
goto Ret;
//check if CANCEL button is clicked
if(AECancelled(pAE_General_Info->hCancelEvent))
{
fResult=TRUE;
goto Ret;
}
//advance the progress bar
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
PBM_STEPIT,
0,
0);
fResult=TRUE;
Ret:
return fResult;
}
//-----------------------------------------------------------------------------
//
// AEUIGetNameFromCert
//
// Retrieve a unique string to identify the certificate.
//-----------------------------------------------------------------------------
BOOL AEUIGetNameFromCert(PCCERT_CONTEXT pCertContext, LPWSTR *ppwszRACert)
{
BOOL fResult=FALSE;
DWORD dwChar=0;
DWORD cbOID=0;
PCCRYPT_OID_INFO pOIDInfo=NULL;
LPWSTR pwszRACert=NULL;
AE_TEMPLATE_INFO TemplateInfo;
LPSTR szOID=NULL;
if((NULL==pCertContext) || (NULL==ppwszRACert))
goto Ret;
*ppwszRACert=NULL;
memset(&TemplateInfo, 0, sizeof(TemplateInfo));
//get the template name first
if(!AERetrieveTemplateInfo(pCertContext, &TemplateInfo))
goto Ret;
if(TemplateInfo.pwszName)
{
pwszRACert=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (wcslen(TemplateInfo.pwszName) + 1));
if(NULL == pwszRACert)
goto Ret;
wcscpy(pwszRACert, TemplateInfo.pwszName);
}
else
{
if(NULL==(TemplateInfo.pwszOid))
goto Ret;
//find the OID
if(0 == (cbOID = WideCharToMultiByte(CP_ACP,
0,
TemplateInfo.pwszOid,
-1,
NULL,
0,
NULL,
NULL)))
goto Ret;
szOID=(LPSTR)LocalAlloc(LPTR, cbOID);
if(NULL==szOID)
goto Ret;
if(0 == WideCharToMultiByte(CP_ACP,
0,
TemplateInfo.pwszOid,
-1,
szOID,
cbOID,
NULL,
NULL))
goto Ret;
pOIDInfo=CryptFindOIDInfo(
CRYPT_OID_INFO_OID_KEY,
szOID,
CRYPT_TEMPLATE_OID_GROUP_ID);
if(pOIDInfo)
{
if(pOIDInfo->pwszName)
{
pwszRACert=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (wcslen(pOIDInfo->pwszName) + 1));
if(NULL== pwszRACert)
goto Ret;
wcscpy(pwszRACert, pOIDInfo->pwszName);
}
}
}
//if template name does not exist. Get the subject name for now
/* if(NULL==pwszRACert)
{
if(0 == (dwChar=CertGetNameStringW(
pCertContext,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
0,
NULL,
NULL,
0)))
goto Ret;
pwszRACert=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (dwChar));
if(NULL== pwszRACert)
goto Ret;
if(0 == (dwChar=CertGetNameStringW(
pCertContext,
CERT_NAME_SIMPLE_DISPLAY_TYPE,
0,
NULL,
pwszRACert,
dwChar)))
goto Ret;
} */
*ppwszRACert = pwszRACert;
pwszRACert=NULL;
fResult=TRUE;
Ret:
if(pwszRACert)
LocalFree(pwszRACert);
if(szOID)
LocalFree(szOID);
AEFreeTemplateInfo(&TemplateInfo);
return fResult;
}
//-----------------------------------------------------------------------------
//
// AEGetRACertInfo
//
//-----------------------------------------------------------------------------
BOOL AEGetRACertInfo(PCERT_CONTEXT pRAContext,
LPWSTR pwszRATemplate,
LPWSTR *ppwszRACertInfo)
{
BOOL fResult=FALSE;
UINT idsMessage=0;
DWORD dwSize=0;
LPWSTR pwszIssuer=NULL;
if(NULL==pRAContext)
goto Ret;
if(pwszRATemplate)
idsMessage=IDS_VIEW_RA_INFO;
else
idsMessage=IDS_VIEW_RA_INFO_GENERAL;
//the cert has to have an issuer
if(0 == (dwSize=CertNameToStrW(
ENCODING_TYPE,
&(pRAContext->pCertInfo->Issuer),
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
NULL,
0)))
goto Ret;
pwszIssuer=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSize);
if(NULL==pwszIssuer)
goto Ret;
if(0 == CertNameToStrW(
ENCODING_TYPE,
&(pRAContext->pCertInfo->Issuer),
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
pwszIssuer,
dwSize))
goto Ret;
if(!FormatMessageUnicode(
ppwszRACertInfo,
idsMessage,
pwszIssuer,
pwszRATemplate))
goto Ret;
fResult=TRUE;
Ret:
if(pwszIssuer)
LocalFree(pwszIssuer);
return fResult;
}
//-----------------------------------------------------------------------------
//
// WinProc for the view RA certificate dialogue
//
//-----------------------------------------------------------------------------
INT_PTR CALLBACK AEViewRADlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
BOOL fPropertyChanged = FALSE;
AE_VIEW_RA_INFO *pAEViewRAInfo = NULL;
CRYPTUI_VIEWCERTIFICATE_STRUCT CertViewStruct;
LPWSTR pwszRACertInfo=NULL;
switch (msg)
{
case WM_INITDIALOG:
pAEViewRAInfo=(AE_VIEW_RA_INFO *)lParam;
if(NULL==pAEViewRAInfo)
break;
SetWindowLongPtr(hwndDlg, DWLP_USER, (LONG_PTR)pAEViewRAInfo);
//display the RA template and issuer dynamically
if(AEGetRACertInfo(pAEViewRAInfo->pRAContext,
pAEViewRAInfo->pwszRATemplate,
&pwszRACertInfo))
{
SetDlgItemTextW(hwndDlg, IDC_EDIT3, pwszRACertInfo);
LocalFree((HLOCAL)pwszRACertInfo);
}
return TRUE;
break;
case WM_NOTIFY:
break;
case WM_CLOSE:
EndDialog(hwndDlg, IDC_BUTTON3);
return TRUE;
break;
case WM_COMMAND:
switch (LOWORD(wParam))
{
//view certificate
case IDC_BUTTON1:
if(NULL==(pAEViewRAInfo=(AE_VIEW_RA_INFO *)GetWindowLongPtr(hwndDlg, DWLP_USER)))
break;
if(NULL==pAEViewRAInfo->pRAContext)
break;
//show the certificate
memset(&CertViewStruct, 0, sizeof(CRYPTUI_VIEWCERTIFICATE_STRUCT));
CertViewStruct.dwSize=sizeof(CRYPTUI_VIEWCERTIFICATE_STRUCT);
CertViewStruct.hwndParent=hwndDlg;
CertViewStruct.dwFlags=CRYPTUI_DISABLE_EDITPROPERTIES;
CertViewStruct.pCertContext=pAEViewRAInfo->pRAContext;
fPropertyChanged=FALSE;
CryptUIDlgViewCertificate(&CertViewStruct, &fPropertyChanged);
return TRUE;
//OK
case IDC_BUTTON2:
EndDialog(hwndDlg, IDC_BUTTON2);
return TRUE;
}
break;
default:
return FALSE;
}
return FALSE;
}
//-----------------------------------------------------------------------------
//
// AEUIProgressReport
//
// Report the current enrollment action. Return FALSE if no progress status
// can be reported.
//-----------------------------------------------------------------------------
BOOL AEUIProgressReport(BOOL fPending, AE_CERTTYPE_INFO *pCertType, HWND hwndDlg, HANDLE hCancelEvent)
{
BOOL fResult=FALSE;
UINT idsMessage=0;
INT_PTR ret=0;
AE_VIEW_RA_INFO AEViewRAInfo;
LPWSTR *awszFriendlyName=NULL;
LPWSTR pwszRACert=NULL;
LPWSTR pwszReport=NULL;
memset(&AEViewRAInfo, 0, sizeof(AE_VIEW_RA_INFO));
if((NULL==pCertType) || (NULL==hwndDlg))
goto Ret;
if(NULL==(pCertType->hCertType))
goto Ret;
if(AECancelled(hCancelEvent))
{
fResult=TRUE;
goto Ret;
}
if(fPending)
idsMessage=IDS_REPORT_PENDING;
else
{
if((pCertType->fRenewal) && (pCertType->pOldCert))
{
if(pCertType->fNeedRA)
{
if(FALSE == (pCertType->fCrossRA))
idsMessage=IDS_REPORT_RENEW;
else
idsMessage=IDS_REPORT_ENROLL_RA;
}
else
idsMessage=IDS_REPORT_RENEW;
}
else
idsMessage=IDS_REPORT_ENROLL;
}
//retrieve the template's friendly name
if(S_OK != CAGetCertTypePropertyEx(
pCertType->hCertType,
CERTTYPE_PROP_FRIENDLY_NAME,
&awszFriendlyName))
goto Ret;
if(NULL==awszFriendlyName)
goto Ret;
if(NULL==(awszFriendlyName[0]))
goto Ret;
//retrieve the RA certificate's template name
if(IDS_REPORT_ENROLL_RA == idsMessage)
{
if(!AEUIGetNameFromCert(pCertType->pOldCert, &pwszRACert))
{
pwszRACert=NULL;
}
}
if(!FormatMessageUnicode(&pwszReport, idsMessage, awszFriendlyName[0]))
goto Ret;
if(0 == SetDlgItemTextW(hwndDlg, IDC_EDIT2, pwszReport))
goto Ret;
//we will give user an opportunity to view the RA certificate before we go on
//format the view message
if(IDS_REPORT_ENROLL_RA != idsMessage)
{
//no need to do anything more
fResult=TRUE;
goto Ret;
}
AEViewRAInfo.pRAContext=pCertType->pOldCert;
AEViewRAInfo.pwszRATemplate=pwszRACert;
//ask user if he/she wants to view the RA certificate
ret=DialogBoxParam(g_hmodThisDll,
(LPCWSTR)MAKEINTRESOURCE(IDD_VIEW_RA_CERTIFICATE_DLG),
hwndDlg,
AEViewRADlgProc,
(LPARAM)(&AEViewRAInfo));
fResult=TRUE;
Ret:
if(pwszRACert)
LocalFree(pwszRACert);
if(awszFriendlyName)
CAFreeCertTypeProperty(pCertType->hCertType, awszFriendlyName);
if(pwszReport)
LocalFree((HLOCAL) pwszReport);
return fResult;
}
//-----------------------------------------------------------------------------
//
// the call back function to compare summary column
//
//-----------------------------------------------------------------------------
int CALLBACK CompareSummary(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort)
{
AE_CERTTYPE_INFO *pCertTypeOne=NULL;
AE_CERTTYPE_INFO *pCertTypeTwo=NULL;
DWORD dwColumn=0;
int iCompare=0;
LPWSTR pwszOne=NULL;
LPWSTR pwszTwo=NULL;
pCertTypeOne=(AE_CERTTYPE_INFO *)lParam1;
pCertTypeTwo=(AE_CERTTYPE_INFO *)lParam2;
dwColumn=(DWORD)lParamSort;
if((NULL==pCertTypeOne) || (NULL==pCertTypeTwo))
goto Ret;
switch(dwColumn & 0x0000FFFF)
{
case AE_SUMMARY_COLUMN_TYPE:
//we should use wcsicoll instead of wcsicmp since wcsicoll use the
//lexicographic order of current code page.
iCompare=CompareStringW(LOCALE_USER_DEFAULT,
NORM_IGNORECASE,
pCertTypeOne->awszDisplay[0],
-1,
pCertTypeTwo->awszDisplay[0],
-1);
break;
case AE_SUMMARY_COLUMN_REASON:
pwszOne=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (MAX_DN_SIZE));
pwszTwo=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (MAX_DN_SIZE));
if((NULL==pwszOne) || (NULL==pwszTwo))
goto Ret;
if(0 == LoadStringW(g_hmodThisDll,
pCertTypeOne->idsSummary,
pwszOne,
MAX_DN_SIZE))
goto Ret;
if(0 == LoadStringW(g_hmodThisDll,
pCertTypeTwo->idsSummary,
pwszTwo,
MAX_DN_SIZE))
goto Ret;
//we should use wcsicoll instead of wcsicmp since wcsicoll use the
//lexicographic order of current code page.
iCompare=CompareStringW(LOCALE_USER_DEFAULT,
NORM_IGNORECASE,
pwszOne,
-1,
pwszTwo,
-1);
break;
default:
goto Ret;
break;
}
switch(iCompare)
{
case CSTR_LESS_THAN:
iCompare=-1;
break;
case CSTR_EQUAL:
iCompare=0;
break;
case CSTR_GREATER_THAN:
iCompare=1;
break;
default:
goto Ret;
break;
}
if(dwColumn & SORT_COLUMN_DESCEND)
iCompare = 0-iCompare;
Ret:
if(pwszOne)
LocalFree(pwszOne);
if(pwszTwo)
LocalFree(pwszTwo);
return iCompare;
}
//-----------------------------------------------------------------------------
//
// AEDisplaySummaryInfo
//
//-----------------------------------------------------------------------------
BOOL AEDisplaySummaryInfo(HWND hWndListView, AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fResult=FALSE;
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
DWORD dwIndex =0;
DWORD dwItem=0;
LV_ITEMW lvItem;
WCHAR wszReason[MAX_DN_SIZE];
AE_CERTTYPE_INFO *pCertType=NULL;
if((NULL==hWndListView) || (NULL==pAE_General_Info))
goto Ret;
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
if(NULL == rgCertTypeInfo)
goto Ret;
// set up the fields in the list view item struct that don't change from item to item
lvItem.mask = LVIF_TEXT | LVIF_PARAM;
lvItem.state = 0;
lvItem.stateMask = 0;
lvItem.iItem=0;
lvItem.iSubItem=0;
lvItem.iImage = 0;
lvItem.lParam = NULL;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if((TRUE == rgCertTypeInfo[dwIndex].fUIActive) && (0 != rgCertTypeInfo[dwIndex].idsSummary))
{
if(0 != LoadStringW(g_hmodThisDll,
rgCertTypeInfo[dwIndex].idsSummary,
wszReason,
MAX_DN_SIZE))
{
lvItem.iItem=dwItem;
lvItem.iSubItem=0;
dwItem++;
pCertType=&(rgCertTypeInfo[dwIndex]);
lvItem.lParam = (LPARAM)(pCertType);
//template name
lvItem.pszText=rgCertTypeInfo[dwIndex].awszDisplay[0];
ListView_InsertItem(hWndListView, &lvItem);
//reason
lvItem.iSubItem++;
ListView_SetItemText(hWndListView, lvItem.iItem, lvItem.iSubItem, wszReason);
}
}
}
fResult=TRUE;
Ret:
return fResult;
}
//-----------------------------------------------------------------------------
//
// WinProc for the summary page
//
//-----------------------------------------------------------------------------
INT_PTR CALLBACK AESummaryDlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
AE_GENERAL_INFO *pAE_General_Info=NULL;
HWND hWndListView=NULL;
UINT rgIDS[]={IDS_COLUMN_TYPE,
IDS_COLUMN_REASON};
DWORD dwIndex=0;
DWORD dwCount=0;
LV_COLUMNW lvC;
WCHAR wszText[AE_SUMMARY_COLUMN_SIZE];
NM_LISTVIEW *pnmv=NULL;
DWORD dwSortParam=0;
static DWORD rgdwSortParam[]=
{AE_SUMMARY_COLUMN_TYPE | SORT_COLUMN_ASCEND,
AE_SUMMARY_COLUMN_REASON | SORT_COLUMN_DESCEND};
switch (msg)
{
case WM_INITDIALOG:
pAE_General_Info=(AE_GENERAL_INFO *)lParam;
if(NULL==pAE_General_Info)
break;
SetWindowLongPtr(hwndDlg, DWLP_USER, (LONG_PTR)pAE_General_Info);
//init the list view control
//add the colums to the list view
hWndListView = GetDlgItem(hwndDlg, IDC_LIST2);
if(NULL==hWndListView)
break;
dwCount=sizeof(rgIDS)/sizeof(rgIDS[0]);
//set up the common info for the column
memset(&lvC, 0, sizeof(LV_COLUMNW));
lvC.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM;
lvC.fmt = LVCFMT_LEFT; // Left-align the column.
lvC.cx = 150; // Width of the column, in pixels.
lvC.iSubItem=0;
lvC.pszText = wszText; // The text for the column.
//insert the column one at a time
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
{
//get the column header
wszText[0]=L'\0';
if(0 != LoadStringW(g_hmodThisDll, rgIDS[dwIndex], wszText, AE_SUMMARY_COLUMN_SIZE))
{
ListView_InsertColumn(hWndListView, dwIndex, &lvC);
}
}
// set the style in the list view so that it highlights an entire line
SendMessage(hWndListView, LVM_SETEXTENDEDLISTVIEWSTYLE, 0, LVS_EX_FULLROWSELECT);
AEDisplaySummaryInfo(hWndListView, pAE_General_Info);
//autosize the columns
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
{
ListView_SetColumnWidth(hWndListView, dwIndex, LVSCW_AUTOSIZE);
}
//sort 1st column of the list view
dwSortParam=rgdwSortParam[0];
SendDlgItemMessage(hwndDlg,
IDC_LIST2,
LVM_SORTITEMS,
(WPARAM) (LPARAM) dwSortParam,
(LPARAM) (PFNLVCOMPARE)CompareSummary);
return TRUE;
break;
case WM_NOTIFY:
switch (((NMHDR FAR *) lParam)->code)
{
//the column has been changed
case LVN_COLUMNCLICK:
pnmv = (NM_LISTVIEW *) lParam;
dwSortParam=0;
//get the column number
switch(pnmv->iSubItem)
{
case 0:
case 1:
dwSortParam=rgdwSortParam[pnmv->iSubItem];
break;
default:
dwSortParam=0;
break;
}
if(0!=dwSortParam)
{
//remember to flip the ascend ording
if(dwSortParam & SORT_COLUMN_ASCEND)
{
dwSortParam &= 0x0000FFFF;
dwSortParam |= SORT_COLUMN_DESCEND;
}
else
{
if(dwSortParam & SORT_COLUMN_DESCEND)
{
dwSortParam &= 0x0000FFFF;
dwSortParam |= SORT_COLUMN_ASCEND;
}
}
//sort the column
SendDlgItemMessage(hwndDlg,
IDC_LIST2,
LVM_SORTITEMS,
(WPARAM) (LPARAM) dwSortParam,
(LPARAM) (PFNLVCOMPARE)CompareSummary);
rgdwSortParam[pnmv->iSubItem]=dwSortParam;
}
break;
}
break;
case WM_CLOSE:
EndDialog(hwndDlg, IDC_BUTTON1);
return TRUE;
break;
case WM_COMMAND:
switch (LOWORD(wParam))
{
case IDC_BUTTON1:
EndDialog(hwndDlg, IDC_BUTTON1);
return TRUE;
}
break;
default:
return FALSE;
}
return FALSE;
}
//-----------------------------------------------------------------------------
//
// AEDisplaySummaryPage
//
//-----------------------------------------------------------------------------
BOOL AEDisplaySummaryPage(AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fResult=FALSE;
DWORD dwIndex=0;
BOOL fSummary=FALSE;
AE_CERTTYPE_INFO *rgCertTypeInfo=NULL;
AE_CERTTYPE_INFO *pCertType=NULL;
//decide if there is need to show the summary page.
//Checking for idsSummary for each template
if(NULL == pAE_General_Info)
goto Ret;
if(NULL == (rgCertTypeInfo=pAE_General_Info->rgCertTypeInfo))
goto Ret;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if((TRUE == rgCertTypeInfo[dwIndex].fUIActive) && (0 != rgCertTypeInfo[dwIndex].idsSummary))
{
fSummary=TRUE;
break;
}
}
//show the summary dialogue
if(TRUE == fSummary)
{
if(pAE_General_Info->hwndDlg)
{
DialogBoxParam(g_hmodThisDll,
(LPCWSTR)MAKEINTRESOURCE(IDD_USER_SUMMARY_DLG),
pAE_General_Info->hwndDlg,
AESummaryDlgProc,
(LPARAM)(pAE_General_Info));
}
}
fResult=TRUE;
Ret:
return fResult;
}
//-----------------------------------------------------------------------------
// WinProc for the autoenrollment progress window
//
//-----------------------------------------------------------------------------
INT_PTR CALLBACK progressDlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
AE_GENERAL_INFO *pAE_General_Info = NULL;
switch (msg)
{
case WM_INITDIALOG:
pAE_General_Info=(AE_GENERAL_INFO *)lParam;
//copy the hwndDlg to the enrollment thread
pAE_General_Info->hwndDlg=hwndDlg;
//start the interacive enrollment thread
if(1 != ResumeThread(pAE_General_Info->hThread))
{
pAE_General_Info->hwndDlg=NULL;
//we have to end the dialogue
EndDialog(hwndDlg, IDC_BUTTON1);
return TRUE;
}
SetWindowLongPtr(hwndDlg, DWLP_USER, (LONG_PTR)pAE_General_Info);
return TRUE;
break;
case WM_NOTIFY:
break;
case WM_CLOSE:
if(NULL==(pAE_General_Info=(AE_GENERAL_INFO *)GetWindowLongPtr(hwndDlg, DWLP_USER)))
break;
//disable the cancel button
EnableWindow(GetDlgItem(hwndDlg,IDC_BUTTON1), FALSE);
//signal the cancel event
if(pAE_General_Info->hCancelEvent)
SetEvent(pAE_General_Info->hCancelEvent);
//close the dialogue if the enrollment work is completed
if(WAIT_OBJECT_0 == WaitForSingleObject(pAE_General_Info->hCompleteEvent, 0))
{
EndDialog(hwndDlg, IDC_BUTTON1);
}
return TRUE;
break;
case WM_COMMAND:
switch (LOWORD(wParam))
{
case IDC_BUTTON1:
if(NULL==(pAE_General_Info=(AE_GENERAL_INFO *)GetWindowLongPtr(hwndDlg, DWLP_USER)))
break;
//disable the cancel button
EnableWindow(GetDlgItem(hwndDlg,IDC_BUTTON1), FALSE);
//signal the cancel event
if(pAE_General_Info->hCancelEvent)
SetEvent(pAE_General_Info->hCancelEvent);
return TRUE;
}
break;
default:
return FALSE;
}
return FALSE;
}
//-----------------------------------------------------------------------------
// AEInteractiveThreadProc
//
// The thread procedue to do interactive enrollment
//-----------------------------------------------------------------------------
DWORD WINAPI AEInteractiveThreadProc(LPVOID lpParameter)
{
BOOL fResult=FALSE;
AE_GENERAL_INFO *pAE_General_Info = NULL;
if(NULL==lpParameter)
return FALSE;
__try
{
pAE_General_Info=(AE_GENERAL_INFO *)lpParameter;
pAE_General_Info->fUIProcess=TRUE;
fResult = AEEnrollmentWalker(pAE_General_Info);
//show the summary page if not canceled
if(!AECancelled(pAE_General_Info->hCancelEvent))
{
AEDisplaySummaryPage(pAE_General_Info);
}
//signal that the process is completed
SetEvent(pAE_General_Info->hCompleteEvent);
//signal the progress window that we are done
if(pAE_General_Info->hwndDlg)
{
//click the close button
SendMessage(pAE_General_Info->hwndDlg,
WM_CLOSE, //WM_COMMAND,
0, //IDC_BUTTON1,
NULL);
}
}
__except ( EXCEPTION_EXECUTE_HANDLER )
{
}
return fResult;
}
//-----------------------------------------------------------------------------
// AEInteractiveEnrollment
//
// We are doing interactive enrollment
//-----------------------------------------------------------------------------
BOOL AEInteractiveEnrollment(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwThreadID=0;
BOOL fResult=FALSE;
//create a notification event for cancel process
pAE_General_Info->hCancelEvent=CreateEvent(
NULL,
TRUE, // bmanual reset type
FALSE, // initial state
NULL);
if(NULL==(pAE_General_Info->hCancelEvent))
goto ret;
//create a notification event for complete process
pAE_General_Info->hCompleteEvent=CreateEvent(
NULL,
TRUE, // bmanual reset type
FALSE, // initial state
NULL);
if(NULL==(pAE_General_Info->hCompleteEvent))
goto ret;
//spawn a thread
pAE_General_Info->hThread = CreateThread(NULL,
0,
AEInteractiveThreadProc,
pAE_General_Info,
CREATE_SUSPENDED, //suspend execution
&dwThreadID);
if(NULL==(pAE_General_Info->hThread))
goto ret;
//create the dialogue
DialogBoxParam(
g_hmodThisDll,
MAKEINTRESOURCE(IDD_USER_AUTOENROLL_GENERAL_DLG),
pAE_General_Info->hwndParent,
progressDlgProc,
(LPARAM)(pAE_General_Info));
//wait for thread to finish
if(WAIT_FAILED == WaitForSingleObject(pAE_General_Info->hThread, INFINITE))
goto ret;
fResult=TRUE;
ret:
//log the event
if(!fResult)
{
AELogAutoEnrollmentEvent(
pAE_General_Info->dwLogLevel,
TRUE,
HRESULT_FROM_WIN32(GetLastError()),
EVENT_FAIL_INTERACTIVE_START,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
0);
}
return fResult;
}
//-----------------------------------------------------------------------------
//
// WinProc for the confirmation to start certificate autoenrollment
//
//-----------------------------------------------------------------------------
INT_PTR CALLBACK AEConfirmDlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
switch (msg)
{
case WM_INITDIALOG:
return TRUE;
break;
case WM_NOTIFY:
break;
case WM_CLOSE:
EndDialog(hwndDlg, IDC_BUTTON2);
return TRUE;
break;
case WM_COMMAND:
switch (LOWORD(wParam))
{
case IDC_BUTTON1:
EndDialog(hwndDlg, IDC_BUTTON1);
return TRUE;
case IDC_BUTTON2:
EndDialog(hwndDlg, IDC_BUTTON2);
return TRUE;
}
break;
default:
return FALSE;
}
return FALSE;
}
//-----------------------------------------------------------------------
//
// AERegisterSysTrayApp
//
// This functin registers autoenrollment in the sys tray area
// as an notification
//
//
//-----------------------------------------------------------------------
BOOL AERegisterSysTrayApp(HWND hwndParent)
{
BOOL fResult=FALSE;
BOOL fInit=FALSE;
INT_PTR ret=0;
DWORD dwError=0;
CQueryContinue *pCQueryContinue=NULL;
if(FAILED(CoInitialize(NULL)))
goto Ret;
fInit=TRUE;
pCQueryContinue=new CQueryContinue();
if(NULL==pCQueryContinue)
goto Ret;
if(S_OK != pCQueryContinue->DoBalloon())
goto Ret;
//ask user if autoenrollment should be performed
ret=DialogBox(g_hmodThisDll,
(LPCWSTR)MAKEINTRESOURCE(IDD_USER_AUTOENROLL_INFO_DLG),
hwndParent,
AEConfirmDlgProc);
if(IDC_BUTTON1 != ret)
{
dwError=GetLastError();
goto Ret;
}
fResult=TRUE;
Ret:
if(pCQueryContinue)
{
delete pCQueryContinue;
}
if(fInit)
CoUninitialize();
return fResult;
}
//-----------------------------------------------------------------------
//
// AEUIDisabled
//
// Detect if the user notification balloon is disabled by user
// setting the autoenrollment registry key in current user
//
//
//-----------------------------------------------------------------------
BOOL AEUIDisabled()
{
BOOL fResult=FALSE;
HKEY hKey=NULL;
if(ERROR_SUCCESS == RegOpenKeyEx(
HKEY_CURRENT_USER, // handle to open key
AUTO_ENROLLMENT_DISABLE_KEY, // subkey name
0, // reserved
KEY_READ, // security access mask
&hKey)) // handle to open key
{
fResult=TRUE;
}
if(hKey)
RegCloseKey(hKey);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEUIRequired
//
// Detect if the user notification balloon is needed
//
//
//-----------------------------------------------------------------------
BOOL AEUIRequired(AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fUI=FALSE;
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
DWORD dwIndex = 0;
if(NULL==pAE_General_Info)
return FALSE;
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
pAE_General_Info->dwUIEnrollCount=0;
if(NULL == rgCertTypeInfo)
return FALSE;
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
if(rgCertTypeInfo[dwIndex].fUIActive)
{
if(CERT_REQUEST_STATUS_ACTIVE == rgCertTypeInfo[dwIndex].dwStatus)
{
fUI=TRUE;
(pAE_General_Info->dwUIEnrollCount)++;
}
}
}
//add the pending count
if(pAE_General_Info->dwUIPendCount)
{
fUI=TRUE;
(pAE_General_Info->dwUIEnrollCount) +=(pAE_General_Info->dwUIPendCount);
}
return fUI;
}
//-----------------------------------------------------------------------
//
// AEProcessEnrollment
//
// This functin does the autoenrollment based on ACL and manage MY
// store.
//
//
//-----------------------------------------------------------------------
BOOL AEProcessEnrollment(HWND hwndParent, BOOL fMachine, LDAP *pld, DWORD dwPolicy, DWORD dwLogLevel)
{
BOOL fResult=FALSE;
AE_GENERAL_INFO *pAE_General_Info=NULL;
pAE_General_Info=(AE_GENERAL_INFO *)LocalAlloc(LPTR, sizeof(AE_GENERAL_INFO));
if(NULL==pAE_General_Info)
goto Ret;
memset(pAE_General_Info, 0, sizeof(AE_GENERAL_INFO));
if(NULL==pld)
goto Ret;
//we obtain all information needed for process enrollment
pAE_General_Info->hwndParent = hwndParent;
pAE_General_Info->pld = pld;
pAE_General_Info->fMachine = fMachine;
pAE_General_Info->dwPolicy = dwPolicy;
pAE_General_Info->dwLogLevel = dwLogLevel;
__try
{
if(!AERetrieveGeneralInfo(pAE_General_Info))
{
AELogAutoEnrollmentEvent(dwLogLevel,
TRUE,
HRESULT_FROM_WIN32(GetLastError()),
EVENT_FAIL_GENERAL_INFOMATION,
fMachine,
pAE_General_Info->hToken,
0);
goto Ret;
}
if((0 == pAE_General_Info->dwCertType) || (NULL==pAE_General_Info->rgCertTypeInfo))
{
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK,
EVENT_NO_CERT_TEMPLATE, fMachine, pAE_General_Info->hToken,0);
AE_DEBUG((AE_WARNING, L"No CertType's available for auto-enrollment\n\r"));
goto Ret;
}
//we build the auto-enrollment requests based on the ACL on the DS
if(AUTO_ENROLLMENT_ENABLE_TEMPLATE_CHECK & (pAE_General_Info->dwPolicy))
{
if(!AEMarkAutoenrollment(pAE_General_Info))
goto Ret;
}
//we build the auto-enrollment requests based on the ARCS store
//this is enabled by default and can only be disabled if autoenrollment is
//completely disabled
if(!AEMarkAEObject(pAE_General_Info))
goto Ret;
//manage MY store. Check if we already have required certificates
//we should always check my store with different behavior based on
//AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT flag
if(!AEManageAndMarkMyStore(pAE_General_Info))
goto Ret;
//manage UserDS store for user autoenrollment
if(!fMachine)
{
if(!AECheckUserDSStore(pAE_General_Info))
goto Ret;
}
//manage pending request store. Remove expired pending requests
if(AUTO_ENROLLMENT_ENABLE_PENDING_FETCH & (pAE_General_Info->dwPolicy))
{
if(!AECheckPendingRequests(pAE_General_Info))
goto Ret;
}
//get CA information
if(!AERetrieveCAInfo(pAE_General_Info->pld,
pAE_General_Info->fMachine,
pAE_General_Info->hToken,
&(pAE_General_Info->dwCA),
&(pAE_General_Info->rgCAInfo)))
{
AELogAutoEnrollmentEvent(dwLogLevel, TRUE, HRESULT_FROM_WIN32(GetLastError()),
EVENT_FAIL_CA_INFORMATION, fMachine, pAE_General_Info->hToken, 0);
AE_DEBUG((AE_ERROR, L"Unable to retrieve CA information (%lx)\n\r", GetLastError()));
goto Ret;
}
if((0 == pAE_General_Info->dwCA) || (NULL==pAE_General_Info->rgCAInfo))
{
//we do not have any CAs on the domain. All we need to do is to archive
//archive old certificate after the enrollment/renewal
AEArchiveObsoleteCertificates(pAE_General_Info);
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK,
EVENT_NO_CA, fMachine, pAE_General_Info->hToken, 0);
AE_DEBUG((AE_WARNING, L"No CA's available for auto-enrollment\n\r"));
goto Ret;
}
//we check if active templates do have a CA that we can enroll for
if(!AEManageActiveTemplates(pAE_General_Info))
goto Ret;
//perform autoenrollment as the background
pAE_General_Info->fUIProcess=FALSE;
if(!AEEnrollmentWalker(pAE_General_Info))
goto Ret;
//perform autoenrollment as a sys tray application for user only
if(FALSE == fMachine)
{
//test if the notification balloon is disabled
if(!AEUIDisabled())
{
//test if the notification balloon is needed
if(AEUIRequired(pAE_General_Info))
{
//register the sys tray application
if(AERegisterSysTrayApp(pAE_General_Info->hwndParent))
{
//perform autoenrollment in interactive mode
AEInteractiveEnrollment(pAE_General_Info);
}
}
}
}
//archive old certificate after the enrollment/renewal
if(!AEArchiveObsoleteCertificates(pAE_General_Info))
goto Ret;
}
__except ( EXCEPTION_EXECUTE_HANDLER )
{
goto Ret;
}
fResult=TRUE;
Ret:
//free memory only if no thread is created
if(pAE_General_Info)
{
AEFreeGeneralInfo(pAE_General_Info);
LocalFree(pAE_General_Info);
}
return fResult;
}
//-----------------------------------------------------------------------
//
// AEExpress
//
// Detect if the user autoenrollment has the express key set. If the
// Express key is set, user autoenrollment will not wait for machine
// autoenrollment to complete on root certificates download
//
//
//-----------------------------------------------------------------------
BOOL AEExpress()
{
BOOL fResult=FALSE;
HKEY hKey=NULL;
if(ERROR_SUCCESS == RegOpenKeyEx(
HKEY_CURRENT_USER, // handle to open key
AUTO_ENROLLMENT_EXPRESS_KEY, // subkey name
0, // reserved
KEY_READ, // security access mask
&hKey)) // handle to open key
{
fResult=TRUE;
}
if(hKey)
RegCloseKey(hKey);
return fResult;
}
//-----------------------------------------------------------------------
//
// AEMainThreadProc
//
// The background thread for non-blocking autoenrollment background
// processing.
//
//-----------------------------------------------------------------------
DWORD WINAPI AEMainThreadProc(LPVOID lpParameter)
{
HRESULT hr=S_OK;
BOOL fMachine=FALSE;
DWORD dwPolicy=0;
DWORD dwLogLevel=STATUS_SEVERITY_ERROR;
HWND hwndParent=0;
DWORD dwStatus=0;
LARGE_INTEGER ftPreTimeStamp;
LARGE_INTEGER ftPostTimeStamp;
BOOL fNeedToSetupTimer=FALSE;
LDAP *pld = NULL;
//get the system time stamp
GetSystemTimeAsFileTime((LPFILETIME)&ftPreTimeStamp);
//the two input parameters are not yet used
if(NULL==lpParameter)
goto CommonReturn;
hwndParent = ((AE_MAIN_THREAD_INFO *)lpParameter)->hwndParent;
dwStatus = ((AE_MAIN_THREAD_INFO *)lpParameter)->dwStatus;
AE_DEBUG((AE_INFO, L"Beginning CertAutoEnrollment(%s).\n", (CERT_AUTO_ENROLLMENT_START_UP==dwStatus?L"START_UP":L"WAKE_UP")));
//no autoenrollment in the safe boot mode
//no autoenrollment if we are not in a domain
if(AEInSafeBoot() || !AEIsDomainMember())
goto CommonReturn;
//we need to set up the timer
fNeedToSetupTimer=TRUE;
//detect if we are running under user or machine context
if(!AEIsLocalSystem(&fMachine))
goto CommonReturn;
AE_DEBUG((AE_INFO, L"CertAutoEnrollment running as %s.\n", (fMachine?L"machine":L"user")));
AESetWakeUpFlag(fMachine, TRUE);
//we wait for 70 seconds for user case to give enough time for
//machine autoenrollment to complete, which will download certificates
//from the directory
if(!fMachine)
{
if(!AEExpress())
{
Sleep(USER_AUTOENROLL_DELAY_FOR_MACHINE * 1000);
}
}
//get the autoenrollment log level
if(!AERetrieveLogLevel(fMachine, &dwLogLevel))
goto CommonReturn;
//log the autoenrollment start event
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK, EVENT_AUTOENROLL_START, fMachine, NULL, 0);
//get the autoenrollment policy flag
if(!AEGetPolicyFlag(fMachine, &dwPolicy))
goto CommonReturn;
//no need to do anything if autoenrollment is completely disabled
if(AUTO_ENROLLMENT_DISABLE_ALL & dwPolicy)
goto CommonReturn;
//download NTAuth And Enterprise root store for machine
if(fMachine)
{
//bind to the DS
if(S_OK != (hr=AERobustLdapBind(&pld)))
{
SetLastError(hr);
AELogAutoEnrollmentEvent(dwLogLevel, TRUE, hr, EVENT_FAIL_BIND_TO_DS, fMachine, NULL, 0);
goto CommonReturn;
}
AEDownloadStore(pld);
}
//if we are required to do a WIN2K style autoenrollment, and the machine/user's
//ACRS store is empty, just return as we done.
if(0 == dwPolicy)
{
if(IsACRSStoreEmpty(fMachine))
goto CommonReturn;
}
if(NULL==pld)
{
//bind to the DS
if(S_OK != (hr=AERobustLdapBind(&pld)))
{
SetLastError(hr);
AELogAutoEnrollmentEvent(dwLogLevel, TRUE, hr, EVENT_FAIL_BIND_TO_DS, fMachine, NULL, 0);
goto CommonReturn;
}
}
AEProcessEnrollment(hwndParent, fMachine, pld, dwPolicy, dwLogLevel);
CommonReturn:
//get the system time
GetSystemTimeAsFileTime((LPFILETIME)&ftPostTimeStamp);
//set up the timer for next time
if(TRUE == fNeedToSetupTimer)
{
// we will need to do this again in a few hours.
AESetWakeUpTimer(fMachine, &ftPreTimeStamp, &ftPostTimeStamp);
}
if(pld)
ldap_unbind(pld);
if(lpParameter)
LocalFree((HLOCAL)lpParameter);
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK, EVENT_AUTOENROLL_COMPLETE, fMachine, NULL, 0);
return TRUE;
}
//--------------------------------------------------------------------------
//
// CertAutoEnrollment
//
// Function to perform autoenrollment actions. It creates a working
// thread and return immediately so that it is non-blocking.
//
// Parameters:
// IN hwndParent: The parent window
// IN dwStatus: The status under which the function is called.
// It can be one of the following:
// CERT_AUTO_ENROLLMENT_START_UP
// CERT_AUTO_ENROLLMENT_WAKE_UP
//
//--------------------------------------------------------------------------
HANDLE
WINAPI
CertAutoEnrollment(IN HWND hwndParent,
IN DWORD dwStatus)
{
DWORD dwThreadID=0;
//memory will be freed in the main thread
AE_MAIN_THREAD_INFO *pAE_Main_Thread_Info=NULL;
HANDLE hThread=NULL;
pAE_Main_Thread_Info=(AE_MAIN_THREAD_INFO *)LocalAlloc(LPTR, sizeof(AE_MAIN_THREAD_INFO));
if(NULL==pAE_Main_Thread_Info)
return NULL;
memset(pAE_Main_Thread_Info, 0, sizeof(AE_MAIN_THREAD_INFO));
pAE_Main_Thread_Info->hwndParent=hwndParent;
pAE_Main_Thread_Info->dwStatus=dwStatus;
hThread = CreateThread(NULL,
0,
AEMainThreadProc,
pAE_Main_Thread_Info,
0, //execute immediately
&dwThreadID);
//set the thread priority to low so that we will not compete with the shell
SetThreadPriority(hThread, THREAD_PRIORITY_BELOW_NORMAL);
return hThread;
}
//--------------------------------------------------------------------
//
// AERetrieveClientToken
//
//--------------------------------------------------------------------
BOOL AERetrieveClientToken(HANDLE *phToken)
{
HRESULT hr = S_OK;
HANDLE hHandle = NULL;
HANDLE hClientToken = NULL;
hHandle = GetCurrentThread();
if (NULL == hHandle)
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
else
{
if (!OpenThreadToken(hHandle,
TOKEN_QUERY,
TRUE, // open as self
&hClientToken))
{
hr = HRESULT_FROM_WIN32(GetLastError());
CloseHandle(hHandle);
hHandle = NULL;
}
}
if(hr != S_OK)
{
hHandle = GetCurrentProcess();
if (NULL == hHandle)
{
hr = HRESULT_FROM_WIN32(GetLastError());
}
else
{
HANDLE hProcessToken = NULL;
hr = S_OK;
if (!OpenProcessToken(hHandle,
TOKEN_DUPLICATE,
&hProcessToken))
{
hr = HRESULT_FROM_WIN32(GetLastError());
CloseHandle(hHandle);
hHandle = NULL;
}
else
{
if(!DuplicateToken(hProcessToken,
SecurityImpersonation,
&hClientToken))
{
hr = HRESULT_FROM_WIN32(GetLastError());
CloseHandle(hHandle);
hHandle = NULL;
}
CloseHandle(hProcessToken);
}
}
}
if(S_OK == hr)
*phToken = hClientToken;
if(hHandle)
CloseHandle(hHandle);
return (S_OK == hr);
}
//--------------------------------------------------------------------------
//
// AEGetComputerName
//
//
//--------------------------------------------------------------------------
LPWSTR AEGetComputerName(COMPUTER_NAME_FORMAT NameType)
{
DWORD dwSize=0;
LPWSTR pwszName=NULL;
if(!GetComputerNameEx(NameType, NULL, &dwSize))
{
if(ERROR_MORE_DATA != GetLastError())
goto Ret;
}
else
{
//this is to work around a bug in cluster code that it returns TRUE
//to retrive the size
dwSize++;
}
pwszName=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSize);
if(NULL == pwszName)
goto Ret;
if(!GetComputerNameEx(NameType, pwszName, &dwSize))
{
LocalFree(pwszName);
pwszName=NULL;
goto Ret;
}
Ret:
return pwszName;
}
//--------------------------------------------------------------------------
//
// AERetrieveGeneralInfo
//
//
//--------------------------------------------------------------------------
BOOL AERetrieveGeneralInfo(AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fResult = FALSE;
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER;
DWORD cMachineName = MAX_COMPUTERNAME_LENGTH + 2;
LONG dwResult = 0;
SCARDCONTEXT hSCContext=NULL;
//get the client token
if(pAE_General_Info->fMachine)
{
if(!AENetLogonUser(NULL, NULL, NULL, &(pAE_General_Info->hToken)))
{
AE_DEBUG((AE_ERROR, L"Obtain local system's token (%lx)\n\r", GetLastError()));
goto Ret;
}
}
else
{
if(!AERetrieveClientToken(&(pAE_General_Info->hToken)))
goto Ret;
}
//get the machine name
if (!GetComputerNameW(pAE_General_Info->wszMachineName,
&cMachineName))
goto Ret;
if(pAE_General_Info->fMachine)
dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE;
//open my store
if (NULL == (pAE_General_Info->hMyStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
ENCODING_TYPE,
NULL,
dwOpenStoreFlags,
MY_STORE)))
{
AE_DEBUG((AE_ERROR, L"Unable to open MY store (%lx)\n\r", GetLastError()));
goto Ret;
}
if(!CertControlStore(pAE_General_Info->hMyStore,
0,
CERT_STORE_CTRL_AUTO_RESYNC,
NULL))
{
AE_DEBUG((AE_ERROR, L"Unable configure MY store for auto-resync(%lx)\n\r", GetLastError()));
goto Ret;
}
//open request store
if (NULL == (pAE_General_Info->hRequestStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
ENCODING_TYPE,
NULL,
dwOpenStoreFlags,
REQUEST_STORE)))
{
AE_DEBUG((AE_ERROR, L"Unable to open Request store (%lx)\n\r", GetLastError()));
goto Ret;
}
//get CertType information
if(!AERetrieveCertTypeInfo( pAE_General_Info->pld,
pAE_General_Info->fMachine,
&(pAE_General_Info->dwCertType),
&(pAE_General_Info->rgCertTypeInfo)))
{
AE_DEBUG((AE_ERROR, L"Unable to retrieve CertType information (%lx)\n\r", GetLastError()));
goto Ret;
}
//load xenroll module. No need to check errors since this is not a fatal error
pAE_General_Info->hXenroll = LoadLibrary(L"xenroll.dll");
//detect if the smart card subsystem if running for users only
if(FALSE == pAE_General_Info->fMachine)
{
dwResult = SCardEstablishContext(
SCARD_SCOPE_USER,
NULL,
NULL,
&hSCContext );
if((0 == dwResult) && (NULL != hSCContext))
pAE_General_Info->fSmartcardSystem=TRUE;
}
//get the NetBIOS name and the DNS name of the computer. This is different from
//wszMachineName, since it will be the physicalNetBIOS name
//No need to check errors since this is not a fatal error
pAE_General_Info->pwszDns=AEGetComputerName(ComputerNameDnsFullyQualified);
pAE_General_Info->pwszNetBIOS=AEGetComputerName(ComputerNameNetBIOS);
fResult = TRUE;
Ret:
if(hSCContext)
SCardReleaseContext(hSCContext);
if(FALSE == fResult)
AEFreeGeneralInfo(pAE_General_Info);
return fResult;
}
//--------------------------------------------------------------------------
//
// AEFreeGeneralInfo
//
//
//--------------------------------------------------------------------------
BOOL AEFreeGeneralInfo(AE_GENERAL_INFO *pAE_General_Info)
{
if(pAE_General_Info)
{
if(pAE_General_Info->hToken)
CloseHandle(pAE_General_Info->hToken);
if(pAE_General_Info->hMyStore)
CertCloseStore(pAE_General_Info->hMyStore, 0);
if(pAE_General_Info->hRequestStore)
CertCloseStore(pAE_General_Info->hRequestStore, 0);
//free CA information
AEFreeCAInfo(pAE_General_Info->dwCA, pAE_General_Info->rgCAInfo);
//free CertType information
AEFreeCertTypeInfo(pAE_General_Info->dwCertType, pAE_General_Info->rgCertTypeInfo);
if(pAE_General_Info->hXenroll)
FreeLibrary(pAE_General_Info->hXenroll);
if(pAE_General_Info->hCancelEvent)
CloseHandle(pAE_General_Info->hCancelEvent);
if(pAE_General_Info->hCompleteEvent)
CloseHandle(pAE_General_Info->hCompleteEvent);
if(pAE_General_Info->hThread)
CloseHandle(pAE_General_Info->hThread);
if(pAE_General_Info->pwszDns)
LocalFree(pAE_General_Info->pwszDns);
if(pAE_General_Info->pwszNetBIOS)
LocalFree(pAE_General_Info->pwszNetBIOS);
memset(pAE_General_Info, 0, sizeof(AE_GENERAL_INFO));
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AERetrieveCertTypeInfo
//
//--------------------------------------------------------------------------
BOOL AERetrieveCertTypeInfo(LDAP *pld, BOOL fMachine, DWORD *pdwCertType, AE_CERTTYPE_INFO **prgCertType)
{
BOOL fResult=FALSE;
DWORD dwCount=0;
DWORD dwCertType=0;
DWORD dwIndex=0;
HRESULT hr=E_FAIL;
HCERTTYPE hCTCurrent = NULL;
HCERTTYPE hCTNew = NULL;
AE_CERTTYPE_INFO *rgCertTypeInfo=NULL;
*pdwCertType=0;
*prgCertType=NULL;
if(S_OK != (hr = CAEnumCertTypesEx(
(LPCWSTR)pld,
fMachine?CT_ENUM_MACHINE_TYPES | CT_FIND_LOCAL_SYSTEM | CT_FLAG_SCOPE_IS_LDAP_HANDLE: CT_ENUM_USER_TYPES | CT_FLAG_SCOPE_IS_LDAP_HANDLE,
&hCTCurrent)))
{
SetLastError(hr);
goto Ret;
}
if((NULL == hCTCurrent) || (0 == (dwCount = CACountCertTypes(hCTCurrent))))
{
AE_DEBUG((AE_WARNING, L"No CT's available for auto-enrollment\n\r"));
fResult=TRUE;
goto Ret;
}
rgCertTypeInfo=(AE_CERTTYPE_INFO *)LocalAlloc(LPTR, sizeof(AE_CERTTYPE_INFO) * dwCount);
if(NULL==rgCertTypeInfo)
{
SetLastError(E_OUTOFMEMORY);
goto Ret;
}
memset(rgCertTypeInfo, 0, sizeof(AE_CERTTYPE_INFO) * dwCount);
for(dwIndex = 0; dwIndex < dwCount; dwIndex++ )
{
//check if we have a new certificate template
if(dwIndex > 0)
{
hr = CAEnumNextCertType(hCTCurrent, &hCTNew);
if((S_OK != hr) || (NULL == hCTNew))
{
// Clean up from previous calls
if(dwCertType < dwCount)
AEFreeCertTypeStruct(&(rgCertTypeInfo[dwCertType]));
break;
}
hCTCurrent = hCTNew;
}
// Clean up from previous calls
AEFreeCertTypeStruct(&(rgCertTypeInfo[dwCertType]));
//copy the new CertType' data
//hCertType
rgCertTypeInfo[dwCertType].hCertType = hCTCurrent;
//CTName
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_DN,
&(rgCertTypeInfo[dwCertType].awszName));
if((S_OK != hr) ||
(NULL == rgCertTypeInfo[dwCertType].awszName) ||
(NULL == (rgCertTypeInfo[dwCertType].awszName)[0])
)
{
AE_DEBUG((AE_INFO, L"No name property for CertType\n\r"));
continue;
}
//FriendlyName
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_FRIENDLY_NAME,
&(rgCertTypeInfo[dwCertType].awszDisplay));
if((S_OK != hr) ||
(NULL == rgCertTypeInfo[dwCertType].awszDisplay) ||
(NULL == (rgCertTypeInfo[dwCertType].awszDisplay)[0])
)
{
AE_DEBUG((AE_INFO, L"No display property for CertType\n\r"));
//get the DN as the display name
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_DN,
&(rgCertTypeInfo[dwCertType].awszDisplay));
if((S_OK != hr) ||
(NULL == rgCertTypeInfo[dwCertType].awszDisplay) ||
(NULL == (rgCertTypeInfo[dwCertType].awszDisplay)[0])
)
{
AE_DEBUG((AE_INFO, L"No name property for CertType\n\r"));
continue;
}
}
//dwSchemaVersion
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_SCHEMA_VERSION,
&(rgCertTypeInfo[dwCertType].dwSchemaVersion));
if(hr != S_OK)
{
AE_DEBUG((AE_INFO, L"No schema version for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//dwVersion
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_REVISION,
&(rgCertTypeInfo[dwCertType].dwVersion));
if(hr != S_OK)
{
AE_DEBUG((AE_INFO, L"No major version for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//dwEnrollmentFlag
hr = CAGetCertTypeFlagsEx(
hCTCurrent,
CERTTYPE_ENROLLMENT_FLAG,
&(rgCertTypeInfo[dwCertType].dwEnrollmentFlag));
if(hr != S_OK)
{
AE_DEBUG((AE_INFO, L"No enrollment flag for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//dwPrivatekeyFlag
hr = CAGetCertTypeFlagsEx(
hCTCurrent,
CERTTYPE_PRIVATE_KEY_FLAG,
&(rgCertTypeInfo[dwCertType].dwPrivateKeyFlag));
if(hr != S_OK)
{
AE_DEBUG((AE_INFO, L"No private key flag for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//expiration offset
hr = CAGetCertTypeExpiration(
hCTCurrent,
NULL,
(LPFILETIME)&(rgCertTypeInfo[dwCertType].ftExpirationOffset));
//we might not get the expiration date
if(hr != S_OK)
{
AE_DEBUG((AE_WARNING, L"Could not get cert type expirations: %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
}
//oid
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_OID,
&(rgCertTypeInfo[dwCertType].awszOID));
//we might not get the oid property
if(rgCertTypeInfo[dwCertType].dwSchemaVersion >= CERTTYPE_SCHEMA_VERSION_2)
{
if((S_OK != hr) ||
(NULL == rgCertTypeInfo[dwCertType].awszOID) ||
(NULL == (rgCertTypeInfo[dwCertType].awszOID)[0])
)
{
AE_DEBUG((AE_INFO, L"No oid for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
}
//supersede
hr = CAGetCertTypePropertyEx(
hCTCurrent,
CERTTYPE_PROP_SUPERSEDE,
&(rgCertTypeInfo[dwCertType].awszSupersede));
//we might not get the supersede property
if(hr != S_OK)
{
AE_DEBUG((AE_INFO, L"No supersede for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
}
//hArchiveStore
if(NULL == (rgCertTypeInfo[dwCertType].hArchiveStore=CertOpenStore(
CERT_STORE_PROV_MEMORY,
ENCODING_TYPE,
NULL,
0,
NULL)))
{
AE_DEBUG((AE_INFO, L"Unable to open archive cert store for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//hObtainedStore
if(NULL == (rgCertTypeInfo[dwCertType].hObtainedStore=CertOpenStore(
CERT_STORE_PROV_MEMORY,
ENCODING_TYPE,
NULL,
0,
NULL)))
{
AE_DEBUG((AE_INFO, L"Unable to open obtained cert store for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//hIssuedStore
if(NULL == (rgCertTypeInfo[dwCertType].hIssuedStore=CertOpenStore(
CERT_STORE_PROV_MEMORY,
ENCODING_TYPE,
NULL,
0,
NULL)))
{
AE_DEBUG((AE_INFO, L"Unable to open issued cert store for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
//allocate memory
rgCertTypeInfo[dwCertType].prgActive=(DWORD *)LocalAlloc(LPTR, sizeof(DWORD) * dwCount);
if(NULL == rgCertTypeInfo[dwCertType].prgActive)
{
AE_DEBUG((AE_INFO, L"Unable to allocate memory for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
continue;
}
memset(rgCertTypeInfo[dwCertType].prgActive, 0, sizeof(DWORD) * dwCount);
dwCertType++;
}
*pdwCertType=dwCertType;
*prgCertType=rgCertTypeInfo;
fResult = TRUE;
Ret:
return fResult;
}
//--------------------------------------------------------------------------
//
// AEFreeCertTypeInfo
//
//
//--------------------------------------------------------------------------
BOOL AEFreeCertTypeInfo(DWORD dwCertType, AE_CERTTYPE_INFO *rgCertTypeInfo)
{
DWORD dwIndex=0;
if(rgCertTypeInfo)
{
for(dwIndex=0; dwIndex < dwCertType; dwIndex++)
AEFreeCertTypeStruct(&(rgCertTypeInfo[dwIndex]));
LocalFree(rgCertTypeInfo);
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEFreeCertTypeStruct
//
//
//--------------------------------------------------------------------------
BOOL AEFreeCertTypeStruct(AE_CERTTYPE_INFO *pCertTypeInfo)
{
DWORD dwIndex=0;
if(pCertTypeInfo)
{
if(pCertTypeInfo->hCertType)
{
if(pCertTypeInfo->awszName)
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszName);
if(pCertTypeInfo->awszDisplay)
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszDisplay);
if(pCertTypeInfo->awszOID)
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszOID);
if(pCertTypeInfo->awszSupersede)
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszSupersede);
CACloseCertType(pCertTypeInfo->hCertType);
}
if(pCertTypeInfo->prgActive)
LocalFree(pCertTypeInfo->prgActive);
if(pCertTypeInfo->pOldCert)
CertFreeCertificateContext(pCertTypeInfo->pOldCert);
if(pCertTypeInfo->hArchiveStore)
CertCloseStore(pCertTypeInfo->hArchiveStore, 0);
if(pCertTypeInfo->hObtainedStore)
CertCloseStore(pCertTypeInfo->hObtainedStore, 0);
if(pCertTypeInfo->hIssuedStore)
CertCloseStore(pCertTypeInfo->hIssuedStore, 0);
if(pCertTypeInfo->dwPendCount)
{
if(pCertTypeInfo->rgPendInfo)
{
for(dwIndex=0; dwIndex < pCertTypeInfo->dwPendCount; dwIndex++)
{
if((pCertTypeInfo->rgPendInfo[dwIndex]).blobPKCS7.pbData)
LocalFree((pCertTypeInfo->rgPendInfo[dwIndex]).blobPKCS7.pbData);
if((pCertTypeInfo->rgPendInfo[dwIndex]).blobHash.pbData)
LocalFree((pCertTypeInfo->rgPendInfo[dwIndex]).blobHash.pbData);
}
LocalFree(pCertTypeInfo->rgPendInfo);
}
}
memset(pCertTypeInfo, 0, sizeof(AE_CERTTYPE_INFO));
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AERetrieveCAInfo
//
//
//--------------------------------------------------------------------------
BOOL AERetrieveCAInfo(LDAP *pld, BOOL fMachine, HANDLE hToken, DWORD *pdwCA, AE_CA_INFO **prgCAInfo)
{
BOOL fResult = FALSE;
DWORD dwCount=0;
DWORD dwCA=0;
DWORD dwIndex=0;
HRESULT hr=E_FAIL;
HCAINFO hCACurrent = NULL;
HCAINFO hCANew = NULL;
AE_CA_INFO *rgCAInfo=NULL;
*pdwCA=0;
*prgCAInfo=NULL;
if(S_OK != (hr = CAEnumFirstCA(
(LPCWSTR)pld,
CA_FLAG_SCOPE_IS_LDAP_HANDLE | (fMachine?CA_FIND_LOCAL_SYSTEM:0),
&hCACurrent)))
{
SetLastError(hr);
goto Ret;
}
if((NULL == hCACurrent) || (0 == (dwCount = CACountCAs(hCACurrent))))
{
AE_DEBUG((AE_WARNING, L"No CA's available for auto-enrollment\n\r"));
fResult=TRUE;
goto Ret;
}
rgCAInfo=(AE_CA_INFO *)LocalAlloc(LPTR, sizeof(AE_CA_INFO) * dwCount);
if(NULL==rgCAInfo)
{
SetLastError(E_OUTOFMEMORY);
goto Ret;
}
memset(rgCAInfo, 0, sizeof(AE_CA_INFO) * dwCount);
for(dwIndex = 0; dwIndex < dwCount; dwIndex++ )
{
//check if we have a new CA
if(dwIndex > 0)
{
hr = CAEnumNextCA(hCACurrent, &hCANew);
if((S_OK != hr) || (NULL == hCANew))
{
// Clean up from previous calls
if(dwCA < dwCount)
AEFreeCAStruct(&(rgCAInfo[dwCA]));
break;
}
hCACurrent = hCANew;
}
// Clean up from previous calls
AEFreeCAStruct(&(rgCAInfo[dwCA]));
//copy the new CA' data
//hCAInfo
rgCAInfo[dwCA].hCAInfo = hCACurrent;
//CAName
hr = CAGetCAProperty(hCACurrent,
CA_PROP_NAME,
&(rgCAInfo[dwCA].awszCAName));
if((S_OK != hr) ||
(NULL == rgCAInfo[dwCA].awszCAName) ||
(NULL == (rgCAInfo[dwCA].awszCAName)[0])
)
{
AE_DEBUG((AE_INFO, L"No name property for ca\n\r"));
continue;
}
//access check
if(S_OK != CAAccessCheckEx(rgCAInfo[dwCA].hCAInfo, hToken, CERTTYPE_ACCESS_CHECK_ENROLL | CERTTYPE_ACCESS_CHECK_NO_MAPPING))
{
AE_DEBUG((AE_INFO, L"No access for CA %ls\n\r", (rgCAInfo[dwCA].awszCAName)[0]));
continue;
}
//CA Display
hr = CAGetCAProperty(hCACurrent,
CA_PROP_DISPLAY_NAME,
&(rgCAInfo[dwCA].awszCADisplay));
if((S_OK != hr) ||
(NULL == rgCAInfo[dwCA].awszCADisplay) ||
(NULL == (rgCAInfo[dwCA].awszCADisplay)[0])
)
{
AE_DEBUG((AE_INFO, L"No display name property for ca\n\r"));
hr = CAGetCAProperty(hCACurrent,
CA_PROP_NAME,
&(rgCAInfo[dwCA].awszCADisplay));
if((S_OK != hr) ||
(NULL == rgCAInfo[dwCA].awszCADisplay) ||
(NULL == (rgCAInfo[dwCA].awszCADisplay)[0])
)
{
AE_DEBUG((AE_INFO, L"No name property for ca\n\r"));
continue;
}
}
//CADNS
hr = CAGetCAProperty(hCACurrent,
CA_PROP_DNSNAME,
&(rgCAInfo[dwCA].awszCADNS));
if((S_OK != hr) ||
(NULL == rgCAInfo[dwCA].awszCADNS) ||
(NULL == (rgCAInfo[dwCA].awszCADNS)[0])
)
{
AE_DEBUG((AE_INFO, L"No DNS property for CA %ls\n\r", (rgCAInfo[dwCA].awszCAName)[0]));
continue;
}
//CACertificateTemplate
hr = CAGetCAProperty(hCACurrent,
CA_PROP_CERT_TYPES,
&(rgCAInfo[dwCA].awszCertificateTemplate));
if((S_OK != hr) ||
(NULL == rgCAInfo[dwCA].awszCertificateTemplate) ||
(NULL == (rgCAInfo[dwCA].awszCertificateTemplate)[0])
)
{
AE_DEBUG((AE_INFO, L"No CertType property for CA %ls\n\r", (rgCAInfo[dwCA].awszCAName)[0]));
continue;
}
dwCA++;
}
*pdwCA=dwCA;
*prgCAInfo=rgCAInfo;
fResult = TRUE;
Ret:
return fResult;
}
//--------------------------------------------------------------------------
//
// AEFreeCAInfo
//
//
//--------------------------------------------------------------------------
BOOL AEFreeCAInfo(DWORD dwCA, AE_CA_INFO *rgCAInfo)
{
DWORD dwIndex=0;
if(rgCAInfo)
{
for(dwIndex=0; dwIndex < dwCA; dwIndex++)
AEFreeCAStruct(&(rgCAInfo[dwIndex]));
LocalFree(rgCAInfo);
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEFreeCAStruct
//
//
//--------------------------------------------------------------------------
BOOL AEFreeCAStruct(AE_CA_INFO *pCAInfo)
{
if(pCAInfo)
{
if(pCAInfo->hCAInfo)
{
if(pCAInfo->awszCAName)
{
CAFreeCAProperty(pCAInfo->hCAInfo,pCAInfo->awszCAName);
}
if(pCAInfo->awszCADisplay)
{
CAFreeCAProperty(pCAInfo->hCAInfo,pCAInfo->awszCADisplay);
}
if(pCAInfo->awszCADNS)
{
CAFreeCAProperty(pCAInfo->hCAInfo, pCAInfo->awszCADNS);
}
if(pCAInfo->awszCertificateTemplate)
{
CAFreeCAProperty(pCAInfo->hCAInfo,pCAInfo->awszCertificateTemplate);
}
CACloseCA(pCAInfo->hCAInfo);
}
memset(pCAInfo, 0, sizeof(AE_CA_INFO));
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEClearVistedFlag
//
//--------------------------------------------------------------------------
BOOL AEClearVistedFlag(AE_GENERAL_INFO *pAE_General_Info)
{
DWORD dwIndex=0;
if(pAE_General_Info)
{
if(pAE_General_Info->rgCertTypeInfo)
{
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
{
(pAE_General_Info->rgCertTypeInfo)[dwIndex].fSupersedeVisited=FALSE;
}
}
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEIfSupersede
//
// Recursively find if pwsz is superseded by one of the template in awsz.
// Notice that we should not loop in the superseding relationship.
// Superseding tree should be one directional tree without duplicated nodes.
//
//--------------------------------------------------------------------------
BOOL AEIfSupersede(LPWSTR pwsz, LPWSTR *awsz, AE_GENERAL_INFO *pAE_General_Info)
{
BOOL fResult = FALSE;
LPWSTR *pwszArray = awsz;
AE_TEMPLATE_INFO AETemplateInfo;
AE_CERTTYPE_INFO *pCertType = NULL;
LPWSTR *awszSupersede=NULL;
if((NULL==pwsz) || (NULL==awsz))
return FALSE;
while(*pwszArray)
{
if(0 == wcscmp(pwsz, *pwszArray))
{
fResult = TRUE;
break;
}
//find the template
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
AETemplateInfo.pwszName=*pwszArray;
pCertType = AEFindTemplateInRequestTree(
&AETemplateInfo,
pAE_General_Info);
if(pCertType)
{
if(!(pCertType->fSupersedeVisited))
{
//mark that we have visited superseding relationship for this template
pCertType->fSupersedeVisited=TRUE;
if(S_OK == CAGetCertTypePropertyEx(
pCertType->hCertType,
CERTTYPE_PROP_SUPERSEDE,
&(awszSupersede)))
{
fResult = AEIfSupersede(pwsz, awszSupersede, pAE_General_Info);
if(awszSupersede)
CAFreeCertTypeProperty(
pCertType->hCertType,
awszSupersede);
awszSupersede=NULL;
if(TRUE == fResult)
break;
}
}
}
pwszArray++;
}
return fResult;
}
//--------------------------------------------------------------------------
//
// AEIsAnElement
//
//
//--------------------------------------------------------------------------
BOOL AEIsAnElement(LPWSTR pwsz, LPWSTR *awsz)
{
BOOL fResult = FALSE;
LPWSTR *pwszArray = awsz;
if((NULL==pwsz) || (NULL==awsz))
return FALSE;
while(*pwszArray)
{
if(0 == wcscmp(pwsz, *pwszArray))
{
fResult = TRUE;
break;
}
pwszArray++;
}
return fResult;
}
//--------------------------------------------------------------------------
//
// AECopyCertStore
//
//
//--------------------------------------------------------------------------
BOOL AECopyCertStore(HCERTSTORE hSrcStore,
HCERTSTORE hDesStore)
{
PCCERT_CONTEXT pCertContext=NULL;
if((NULL==hSrcStore) || (NULL==hDesStore))
return FALSE;
while(pCertContext = CertEnumCertificatesInStore(hSrcStore, pCertContext))
{
CertAddCertificateContextToStore(hDesStore,
pCertContext,
CERT_STORE_ADD_USE_EXISTING,
NULL);
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEIsEmptyStore
//
//
//--------------------------------------------------------------------------
BOOL AEIsEmptyStore(HCERTSTORE hCertStore)
{
PCCERT_CONTEXT pCertContext=NULL;
if(NULL == hCertStore)
return TRUE;
if(pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext))
{
CertFreeCertificateContext(pCertContext);
return FALSE;
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// AEGetConfigDN
//
//
//--------------------------------------------------------------------------
HRESULT
AEGetConfigDN(
IN LDAP *pld,
OUT LPWSTR *pwszConfigDn
)
{
HRESULT hr;
ULONG LdapError;
LDAPMessage *SearchResult = NULL;
LDAPMessage *Entry = NULL;
WCHAR *Attr = NULL;
BerElement *BerElement;
WCHAR **Values = NULL;
WCHAR *AttrArray[3];
struct l_timeval timeout;
WCHAR *ConfigurationNamingContext = L"configurationNamingContext";
WCHAR *ObjectClassFilter = L"objectCategory=*";
//
// Set the out parameters to null
//
if(pwszConfigDn)
{
*pwszConfigDn = NULL;
}
timeout.tv_sec = 300;
timeout.tv_usec = 0;
//
// Query for the ldap server oerational attributes to obtain the default
// naming context.
//
AttrArray[0] = ConfigurationNamingContext;
AttrArray[1] = NULL; // this is the sentinel
LdapError = ldap_search_ext_s(pld,
NULL,
LDAP_SCOPE_BASE,
ObjectClassFilter,
AttrArray,
FALSE,
NULL,
NULL,
&timeout,
10000,
&SearchResult);
hr = HRESULT_FROM_WIN32(LdapMapErrorToWin32(LdapError));
if (S_OK == hr)
{
Entry = ldap_first_entry(pld, SearchResult);
if (Entry)
{
Values = ldap_get_values(pld,
Entry,
ConfigurationNamingContext);
if (Values && Values[0])
{
(*pwszConfigDn) = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(Values[0])+1));
if(NULL==(*pwszConfigDn))
hr=E_OUTOFMEMORY;
else
wcscpy((*pwszConfigDn), Values[0]);
}
ldap_value_free(Values);
}
if (pwszConfigDn && (!(*pwszConfigDn)))
{
// We could not get the default domain or out of memory - bail out
if(E_OUTOFMEMORY != hr)
hr = HRESULT_FROM_WIN32(ERROR_CANT_ACCESS_DOMAIN_INFO);
}
if(SearchResult)
{
ldap_msgfree(SearchResult);
}
}
return hr;
}
//--------------------------------------------------------------------------
//
// AERobustLdapBind
//
//--------------------------------------------------------------------------
HRESULT
AERobustLdapBind(
OUT LDAP ** ppldap)
{
HRESULT hr = S_OK;
BOOL fForceRediscovery = FALSE;
DWORD dwDSNameFlags= DS_RETURN_DNS_NAME | DS_BACKGROUND_ONLY;
LDAP *pld = NULL;
ULONG ulOptions = 0;
ULONG ldaperr=LDAP_SERVER_DOWN;
do {
if(fForceRediscovery)
{
dwDSNameFlags |= DS_FORCE_REDISCOVERY;
}
ldaperr = LDAP_SERVER_DOWN;
if(NULL != pld)
{
ldap_unbind(pld);
pld=NULL;
}
// bind to ds
if((pld = ldap_initW(NULL, LDAP_PORT)) == NULL)
{
ldaperr = LdapGetLastError();
}
else
{
ldaperr = ldap_set_option(pld, LDAP_OPT_GETDSNAME_FLAGS, (VOID *)&dwDSNameFlags);
if(LDAP_SUCCESS == ldaperr)
{
ldaperr = ldap_set_option(pld, LDAP_OPT_SIGN, LDAP_OPT_ON);
if (LDAP_SUCCESS == ldaperr)
{
ldaperr = ldap_bind_sW(pld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
}
}
}
hr = HRESULT_FROM_WIN32(LdapMapErrorToWin32(ldaperr));
if(fForceRediscovery)
{
break;
}
fForceRediscovery = TRUE;
} while(ldaperr == LDAP_SERVER_DOWN);
if(S_OK != hr)
goto error;
*ppldap = pld;
pld = NULL;
hr=S_OK;
error:
if(pld)
{
ldap_unbind(pld);
}
return hr;
}
//---------------------------------------------------------------------------
//
// AEAllocAndCopy
//
//---------------------------------------------------------------------------
BOOL AEAllocAndCopy(LPWSTR pwszSrc, LPWSTR *ppwszDest)
{
if((NULL==ppwszDest) || (NULL==pwszSrc))
{
SetLastError(E_INVALIDARG);
return FALSE;
}
*ppwszDest=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (wcslen(pwszSrc) + 1));
if(NULL==(*ppwszDest))
{
SetLastError(E_OUTOFMEMORY);
return FALSE;
}
wcscpy(*ppwszDest, pwszSrc);
return TRUE;
}
//--------------------------------------------------------------------------
// Name: AELogAutoEnrollmentEvent
//
// Description: This function registers an event in the event log of the
// local machine. Takes an optional argument list.
//
//--------------------------------------------------------------------------
void AELogAutoEnrollmentEvent(IN DWORD dwLogLevel,
IN BOOL fError,
IN HRESULT hr,
IN DWORD dwEventId,
IN BOOL fMachine,
IN HANDLE hToken,
IN DWORD dwParamCount,
...
)
{
BYTE FastBuffer[MAX_DN_SIZE];
DWORD cbUser =0;
BOOL fAlloced = FALSE;
PSID pSID = NULL;
WORD dwEventType = 0;
LPWSTR awszStrings[PENDING_ALLOC_SIZE + 3];
WORD cStrings = 0;
LPWSTR wszString = NULL;
WCHAR wszMsg[MAX_DN_SIZE];
WCHAR wszUser[MAX_DN_SIZE];
DWORD dwIndex=0;
DWORD dwSize=0;
HANDLE hEventSource = NULL;
LPWSTR wszHR=NULL;
PTOKEN_USER ptgUser = NULL;
va_list ArgList;
//check the log level; log errors and success by default
if(((dwEventId >> 30) < dwLogLevel) && ((dwEventId >> 30) != STATUS_SEVERITY_SUCCESS))
return;
if(NULL==(hEventSource = RegisterEventSourceW(NULL, EVENT_AUTO_NAME)))
return;
//copy the user/machine string
wszUser[0]=L'\0';
//use the user name for user case
if(FALSE == fMachine)
{
dwSize=MAX_DN_SIZE;
if(!GetUserNameEx(
NameSamCompatible, // name format
wszUser, // name buffer
&dwSize)) // size of name buffer
{
LoadStringW(g_hmodThisDll, IDS_USER, wszUser, MAX_DN_SIZE);
}
}
else
{
LoadStringW(g_hmodThisDll, IDS_MACHINE, wszUser, MAX_DN_SIZE);
}
awszStrings[cStrings++] = wszUser;
//copy the variable strings if present
va_start(ArgList, dwParamCount);
for(dwIndex=0; dwIndex < dwParamCount; dwIndex++)
{
wszString = va_arg(ArgList, LPWSTR);
awszStrings[cStrings++] = wszString;
if(cStrings >= PENDING_ALLOC_SIZE)
{
break;
}
}
va_end(ArgList);
//copy the hr error code
if(fError)
{
if(S_OK == hr)
hr=E_FAIL;
wsprintfW(wszMsg, L"0x%lx", hr);
awszStrings[cStrings++] = wszMsg;
if(0 != FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
hr,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(WCHAR *)&wszHR,
0,
NULL))
{
if(wszHR)
{
awszStrings[cStrings++] = wszHR;
}
else
{
awszStrings[cStrings++]=L" ";
}
}
else
{
//provide an empty event log so that there will be no insertion strings
awszStrings[cStrings++]=L" ";
}
}
// check if the token is non zero is so then impersonating so get the SID
if((FALSE == fMachine) && (hToken))
{
ptgUser = (PTOKEN_USER)FastBuffer; // try fast buffer first
cbUser = MAX_DN_SIZE;
if (!GetTokenInformation(
hToken, // identifies access token
TokenUser, // TokenUser info type
ptgUser, // retrieved info buffer
cbUser, // size of buffer passed-in
&cbUser // required buffer size
))
{
if(GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
if (NULL != (ptgUser = (PTOKEN_USER)LocalAlloc(LPTR, cbUser)))
{
fAlloced = TRUE;
// get the user info and assign the sid if able to
if (GetTokenInformation(
hToken, // identifies access token
TokenUser, // TokenUser info type
ptgUser, // retrieved info buffer
cbUser, // size of buffer passed-in
&cbUser // required buffer size
))
{
pSID = ptgUser->User.Sid;
}
}
}
}
else
{
// assign the sid when fast buffer worked
pSID = ptgUser->User.Sid;
}
}
switch(dwEventId >> 30)
{
case 0:
dwEventType = EVENTLOG_SUCCESS;
break;
case 1:
dwEventType = EVENTLOG_INFORMATION_TYPE;
break;
case 2:
dwEventType = EVENTLOG_WARNING_TYPE;
break;
case 3:
dwEventType = EVENTLOG_ERROR_TYPE;
break;
}
ReportEventW(hEventSource, // handle of event source
dwEventType, // event type
0, // event category
dwEventId, // event ID
pSID, // current user's SID
cStrings, // strings in lpszStrings
0, // no bytes of raw data
(LPCWSTR*)awszStrings, // array of error strings
NULL // no raw data
);
if (hEventSource)
DeregisterEventSource(hEventSource);
if(fAlloced)
{
if(ptgUser)
LocalFree(ptgUser);
}
if(wszHR)
LocalFree(wszHR);
return;
}
//--------------------------------------------------------------------------
//
// FormatMessageUnicode
//
//--------------------------------------------------------------------------
BOOL FormatMessageUnicode(LPWSTR * ppwszFormat, UINT ids, ...)
{
// get format string from resources
WCHAR wszFormat[MAX_DN_SIZE];
va_list argList;
DWORD cbMsg=0;
BOOL fResult=FALSE;
if(NULL == ppwszFormat)
goto Ret;
if(!LoadStringW(g_hmodThisDll, ids, wszFormat, sizeof(wszFormat) / sizeof(wszFormat[0])))
goto Ret;
// format message into requested buffer
va_start(argList, ids);
cbMsg = FormatMessageW(
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_STRING,
wszFormat,
0, // dwMessageId
0, // dwLanguageId
(LPWSTR) (ppwszFormat),
0, // minimum size to allocate
&argList);
va_end(argList);
if(!cbMsg)
goto Ret;
fResult=TRUE;
Ret:
return fResult;
}
//--------------------------------------------------------------------------
//
// AENetLogonUser
//
//Abstract:
//
// This module implements the network logon type by interfacing
// with the NT Lan Man Security Support Provider (NTLMSSP).
//
// If the logon succeds via the provided credentials, we duplicate
// the resultant Impersonation token to a Primary level token.
// This allows the result to be used in a call to CreateProcessAsUser
//
//Author:
//
// Scott Field (sfield) 09-Jun-96
//--------------------------------------------------------------------------
BOOL
AENetLogonUser(
LPTSTR UserName,
LPTSTR DomainName,
LPTSTR Password,
PHANDLE phToken
)
{
SECURITY_STATUS SecStatus;
CredHandle CredentialHandle1;
CredHandle CredentialHandle2;
CtxtHandle ClientContextHandle;
CtxtHandle ServerContextHandle;
SecPkgCredentials_Names sNames;
ULONG ContextAttributes;
ULONG PackageCount;
ULONG PackageIndex;
PSecPkgInfo PackageInfo;
DWORD cbMaxToken=0;
TimeStamp Lifetime;
SEC_WINNT_AUTH_IDENTITY AuthIdentity;
SecBufferDesc NegotiateDesc;
SecBuffer NegotiateBuffer;
SecBufferDesc ChallengeDesc;
SecBuffer ChallengeBuffer;
BOOL bSuccess = FALSE ; // assume this function will fail
NegotiateBuffer.pvBuffer = NULL;
ChallengeBuffer.pvBuffer = NULL;
sNames.sUserName = NULL;
ClientContextHandle.dwUpper = -1;
ClientContextHandle.dwLower = -1;
ServerContextHandle.dwUpper = -1;
ServerContextHandle.dwLower = -1;
CredentialHandle1.dwUpper = -1;
CredentialHandle1.dwLower = -1;
CredentialHandle2.dwUpper = -1;
CredentialHandle2.dwLower = -1;
//
// << this section could be cached in a repeat caller scenario >>
//
//
// Get info about the security packages.
//
if(EnumerateSecurityPackages(
&PackageCount,
&PackageInfo
) != SEC_E_OK) return FALSE;
//
// loop through the packages looking for NTLM
//
for(PackageIndex = 0 ; PackageIndex < PackageCount ; PackageIndex++ ) {
if(PackageInfo[PackageIndex].Name != NULL) {
if(CompareStringW(LOCALE_INVARIANT, NORM_IGNORECASE, PackageInfo[PackageIndex].Name, -1, MICROSOFT_KERBEROS_NAME, -1) == CSTR_EQUAL) {
cbMaxToken = PackageInfo[PackageIndex].cbMaxToken;
bSuccess = TRUE;
break;
}
}
}
FreeContextBuffer( PackageInfo );
if(!bSuccess) return FALSE;
bSuccess = FALSE; // reset to assume failure
//
// << end of cached section >>
//
//
// Acquire a credential handle for the server side
//
SecStatus = AcquireCredentialsHandle(
NULL, // New principal
MICROSOFT_KERBEROS_NAME, // Package Name
SECPKG_CRED_INBOUND,
NULL,
NULL,
NULL,
NULL,
&CredentialHandle1,
&Lifetime
);
if ( SecStatus != SEC_E_OK ) {
goto cleanup;
}
//
// Acquire a credential handle for the client side
//
ZeroMemory( &AuthIdentity, sizeof(AuthIdentity) );
if ( DomainName != NULL ) {
AuthIdentity.Domain = DomainName;
AuthIdentity.DomainLength = lstrlen(DomainName);
}
if ( UserName != NULL ) {
AuthIdentity.User = UserName;
AuthIdentity.UserLength = lstrlen(UserName);
}
if ( Password != NULL ) {
AuthIdentity.Password = Password;
AuthIdentity.PasswordLength = lstrlen(Password);
}
AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
SecStatus = AcquireCredentialsHandle(
NULL, // New principal
MICROSOFT_KERBEROS_NAME, // Package Name
SECPKG_CRED_OUTBOUND,
NULL,
(DomainName == NULL && UserName == NULL && Password == NULL) ?
NULL : &AuthIdentity,
NULL,
NULL,
&CredentialHandle2,
&Lifetime
);
if ( SecStatus != SEC_E_OK ) {
goto cleanup;
}
SecStatus = QueryCredentialsAttributes(&CredentialHandle1, SECPKG_CRED_ATTR_NAMES, &sNames);
if ( SecStatus != SEC_E_OK ) {
goto cleanup;
}
//
// Get the NegotiateMessage (ClientSide)
//
NegotiateDesc.ulVersion = 0;
NegotiateDesc.cBuffers = 1;
NegotiateDesc.pBuffers = &NegotiateBuffer;
NegotiateBuffer.cbBuffer = cbMaxToken;
NegotiateBuffer.BufferType = SECBUFFER_TOKEN;
NegotiateBuffer.pvBuffer = LocalAlloc( LMEM_FIXED, NegotiateBuffer.cbBuffer );
if ( NegotiateBuffer.pvBuffer == NULL ) {
goto cleanup;
}
SecStatus = InitializeSecurityContext(
&CredentialHandle2,
NULL, // No Client context yet
sNames.sUserName, // target name
ISC_REQ_SEQUENCE_DETECT,
0, // Reserved 1
SECURITY_NATIVE_DREP,
NULL, // No initial input token
0, // Reserved 2
&ClientContextHandle,
&NegotiateDesc,
&ContextAttributes,
&Lifetime
);
if(SecStatus != SEC_E_OK)
{
goto cleanup;
}
//
// Get the ChallengeMessage (ServerSide)
//
NegotiateBuffer.BufferType |= SECBUFFER_READONLY;
ChallengeDesc.ulVersion = 0;
ChallengeDesc.cBuffers = 1;
ChallengeDesc.pBuffers = &ChallengeBuffer;
ChallengeBuffer.cbBuffer = cbMaxToken;
ChallengeBuffer.BufferType = SECBUFFER_TOKEN;
ChallengeBuffer.pvBuffer = LocalAlloc( LMEM_FIXED, ChallengeBuffer.cbBuffer );
if ( ChallengeBuffer.pvBuffer == NULL ) {
goto cleanup;
}
SecStatus = AcceptSecurityContext(
&CredentialHandle1,
NULL, // No Server context yet
&NegotiateDesc,
ISC_REQ_SEQUENCE_DETECT,
SECURITY_NATIVE_DREP,
&ServerContextHandle,
&ChallengeDesc,
&ContextAttributes,
&Lifetime
);
if(SecStatus != SEC_E_OK)
{
goto cleanup;
}
if(QuerySecurityContextToken(&ServerContextHandle, phToken) != SEC_E_OK)
goto cleanup;
bSuccess = TRUE;
cleanup:
//
// Delete context
//
if((ClientContextHandle.dwUpper != -1) ||
(ClientContextHandle.dwLower != -1))
{
DeleteSecurityContext( &ClientContextHandle );
}
if((ServerContextHandle.dwUpper != -1) ||
(ServerContextHandle.dwLower != -1))
{
DeleteSecurityContext( &ServerContextHandle );
}
//
// Free credential handles
//
if((CredentialHandle1.dwUpper != -1) ||
(CredentialHandle1.dwLower != -1))
{
FreeCredentialsHandle( &CredentialHandle1 );
}
if((CredentialHandle2.dwUpper != -1) ||
(CredentialHandle2.dwLower != -1))
{
FreeCredentialsHandle( &CredentialHandle2 );
}
if ( NegotiateBuffer.pvBuffer != NULL ) {
//
// NegotiateBuffer.cbBuffer may change on the error path --
// use the original allocation size.
//
SecureZeroMemory( NegotiateBuffer.pvBuffer, cbMaxToken );
LocalFree( NegotiateBuffer.pvBuffer );
}
if ( ChallengeBuffer.pvBuffer != NULL ) {
//
// ChallengeBuffer.cbBuffer may change on the error path --
// use the original allocation size.
//
SecureZeroMemory( ChallengeBuffer.pvBuffer, cbMaxToken );
LocalFree( ChallengeBuffer.pvBuffer );
}
if ( sNames.sUserName != NULL ) {
FreeContextBuffer( sNames.sUserName );
}
return bSuccess;
}
//--------------------------------------------------------------------------
//
// AEDebugLog
//
//--------------------------------------------------------------------------
#if DBG
void
AEDebugLog(long Mask, LPCWSTR Format, ...)
{
va_list ArgList;
int iOut;
WCHAR wszOutString[MAX_DEBUG_BUFFER];
if (Mask & g_AutoenrollDebugLevel)
{
// Make the prefix first: "Process.Thread> GINA-XXX"
iOut=wsprintfW(wszOutString, L"%3u.%3u> AUTOENRL: ", GetCurrentProcessId(), GetCurrentThreadId());
if((iOut > 0) && (iOut < MAX_DEBUG_BUFFER - 1))
{
va_start(ArgList, Format);
_vsnwprintf(&wszOutString[iOut], MAX_DEBUG_BUFFER - iOut, Format, ArgList);
//null terminating the string
wszOutString[MAX_DEBUG_BUFFER - 1]=L'\0';
va_end(ArgList);
OutputDebugStringW(wszOutString);
}
}
}
#endif
//--------------------------------------------------------------------------
//
// AERemoveRegKey
//
// Remove the registry key for local system and all its sub keys.
//
//--------------------------------------------------------------------------
DWORD AERemoveRegKey(LPWSTR pwszRegKey)
{
DWORD dwLastError=0; //we should try to clean up as much as possible
DWORD dwIndex=0;
DWORD dwSubKey=0;
DWORD dwSubKeyLen=0;
DWORD dwData=0;
HKEY hDSKey=NULL;
LPWSTR pwszSubKey=NULL;
//remove the optimization registry. OK if the key does not exist
if(ERROR_SUCCESS != RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
pwszRegKey,
0,
KEY_ALL_ACCESS,
&hDSKey))
goto Ret;
//remove all subkeys of hDSKey
if(ERROR_SUCCESS != (dwLastError = RegQueryInfoKey(
hDSKey,
NULL,
NULL,
NULL,
&dwSubKey,
&dwSubKeyLen,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL)))
goto Ret;
//terminating NULL
dwSubKeyLen++;
pwszSubKey=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSubKeyLen);
if(NULL == pwszSubKey)
{
dwLastError=ERROR_NOT_ENOUGH_MEMORY;
goto Ret;
}
for(dwIndex=0; dwIndex < dwSubKey; dwIndex++)
{
dwData = dwSubKeyLen;
if(ERROR_SUCCESS == (dwLastError = RegEnumKeyEx(
hDSKey,
0, // As we delete, the index changes
pwszSubKey,
&dwData,
NULL,
NULL,
NULL,
NULL)))
{
RegDeleteKey(hDSKey, pwszSubKey);
}
}
//remove the root registry key
dwLastError=RegDeleteKey(HKEY_LOCAL_MACHINE, pwszRegKey);
Ret:
if(pwszSubKey)
LocalFree(pwszSubKey);
if(hDSKey)
RegCloseKey(hDSKey);
return dwLastError;
}
//--------------------------------------------------------------------------
//
// CertAutoRemove
//
// Function to remove enterprise specific public key trust upon domain disjoin.
// Should be called under local admin's context.
//
// The function will:
// remove autoenrollment directory cache registry;
// remove certificates under root enterprise store;
// remove certificates under NTAuth enterprise store;
// remove certificates under CA enterprise store;
//
//
// Parameters:
// IN dwFlags:
// CERT_AUTO_REMOVE_COMMIT
// CERT_AUTO_REMOVE_ROLL_BACK
//
// Return Value:
// BOOL: TURE is upon success
//
//--------------------------------------------------------------------------
BOOL
WINAPI
CertAutoRemove(IN DWORD dwFlags)
{
DWORD dwError=0;
DWORD dwLastError=0; //we should try to clean up as much as possible
DWORD dwIndex=0;
PCCERT_CONTEXT pContext=NULL;
WCHAR wszNameBuf[64];
HANDLE hEvent=NULL;
HCERTSTORE hLocalStore=NULL;
if((CERT_AUTO_REMOVE_COMMIT != dwFlags) &&
(CERT_AUTO_REMOVE_ROLL_BACK != dwFlags))
{
dwLastError=ERROR_INVALID_PARAMETER;
goto Ret;
}
if(CERT_AUTO_REMOVE_ROLL_BACK == dwFlags)
{
//start machine autoenrollment
wcscpy(wszNameBuf, L"Global\\");
wcscat(wszNameBuf, MACHINE_AUTOENROLLMENT_TRIGGER_EVENT);
hEvent=OpenEvent(EVENT_MODIFY_STATE, FALSE, wszNameBuf);
if (NULL == hEvent)
{
dwLastError=GetLastError();
goto Ret;
}
if (!SetEvent(hEvent))
{
dwLastError=GetLastError();
goto Ret;
}
}
else
{
//remove all downloaded certificates
for(dwIndex =0; dwIndex < g_dwStoreInfo; dwIndex++)
{
hLocalStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W,
0,
0,
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
g_rgStoreInfo[dwIndex].pwszStoreName);
if(hLocalStore)
{
while(pContext = CertEnumCertificatesInStore(hLocalStore, pContext))
{
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pContext));
}
CertCloseStore(hLocalStore,0);
hLocalStore=NULL;
}
}
//remove the local machine's DC GUID cache
dwLastError=AERemoveRegKey(AUTO_ENROLLMENT_DS_KEY);
dwError=AERemoveRegKey(AUTO_ENROLLMENT_TEMPLATE_KEY);
if(0 == dwLastError)
dwLastError=dwError;
}
Ret:
if(hLocalStore)
CertCloseStore(hLocalStore,0);
if (hEvent)
CloseHandle(hEvent);
if(0 != dwLastError)
{
SetLastError(dwLastError);
return FALSE;
}
return TRUE;
}
//--------------------------------------------------------------------------
//
// DLLMain
//
//
//--------------------------------------------------------------------------
extern "C"
BOOL WINAPI
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
BOOL fResult=TRUE;
INITCOMMONCONTROLSEX initcomm = {
sizeof(initcomm), ICC_NATIVEFNTCTL_CLASS | ICC_LISTVIEW_CLASSES | ICC_PROGRESS_CLASS
};
switch( dwReason )
{
case DLL_PROCESS_ATTACH:
g_hmodThisDll=hInstance;
DisableThreadLibraryCalls( hInstance );
//Init common control for progress bar
InitCommonControlsEx(&initcomm);
break;
case DLL_PROCESS_DETACH:
break;
}
return fResult;
}