You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9983 lines
298 KiB
9983 lines
298 KiB
//+-------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (C) Microsoft Corporation, 1997 - 2000
|
|
//
|
|
// File: autoenro.cpp
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
#include <windows.h>
|
|
#include <winuser.h>
|
|
#include <wincrypt.h>
|
|
#include <stdio.h>
|
|
#include <cryptui.h>
|
|
#include <lmcons.h>
|
|
#include <lmapibuf.h>
|
|
#include <dsgetdc.h>
|
|
#include <oleauto.h>
|
|
#define SECURITY_WIN32
|
|
#include <rpc.h>
|
|
#include <security.h>
|
|
#include <winldap.h>
|
|
#include <dsrole.h>
|
|
#include <shobjidl.h>
|
|
#include <shellapi.h>
|
|
#include <commctrl.h>
|
|
#include <winscard.h>
|
|
#include <Rpcdce.h>
|
|
|
|
#include <certca.h>
|
|
#include <certsrv.h>
|
|
#include <autoenr.h>
|
|
#include <autoenro.h>
|
|
#include <autolog.h>
|
|
#include <resource.h>
|
|
#include <xenroll.h>
|
|
|
|
//*******************************************************************************
|
|
//
|
|
//
|
|
// Global Defines and Data Structures
|
|
//
|
|
//
|
|
//*******************************************************************************
|
|
|
|
|
|
HINSTANCE g_hmodThisDll = NULL; // Handle to this DLL itself.
|
|
|
|
#if DBG
|
|
DWORD g_AutoenrollDebugLevel = AE_ERROR; //| AE_WARNING | AE_INFO | AE_TRACE;
|
|
#endif
|
|
|
|
//when we look at supersede relationship, we based on the following order
|
|
DWORD g_rgdwSupersedeOrder[]={CERT_REQUEST_STATUS_OBTAINED,
|
|
CERT_REQUEST_STATUS_ACTIVE,
|
|
CERT_REQUEST_STATUS_PENDING,
|
|
CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE};
|
|
|
|
DWORD g_dwSupersedeOrder=sizeof(g_rgdwSupersedeOrder)/sizeof(g_rgdwSupersedeOrder[0]);
|
|
|
|
|
|
//the list of certificate store to update
|
|
AE_STORE_INFO g_rgStoreInfo[]={
|
|
L"ROOT", L"ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,%s?cACertificate?one?objectCategory=certificationAuthority",
|
|
L"NTAuth", L"ldap:///CN=Public Key Services,CN=Services,%s?cACertificate?one?cn=NTAuthCertificates",
|
|
L"CA", L"ldap:///CN=AIA,CN=Public Key Services,CN=Services,%s?crossCertificatePair,cACertificate?one?objectCategory=certificationAuthority"
|
|
};
|
|
|
|
DWORD g_dwStoreInfo=sizeof(g_rgStoreInfo)/sizeof(g_rgStoreInfo[0]);
|
|
|
|
typedef IEnroll4 * (WINAPI *PFNPIEnroll4GetNoCOM)();
|
|
|
|
static WCHAR * s_wszLocation = L"CN=Public Key Services,CN=Services,";
|
|
|
|
|
|
|
|
//*******************************************************************************
|
|
//
|
|
//
|
|
// Implementation of IQueryContinue for use autoenrollment notification
|
|
//
|
|
//
|
|
//*******************************************************************************
|
|
//--------------------------------------------------------------------------
|
|
// CQueryContinue
|
|
//--------------------------------------------------------------------------
|
|
CQueryContinue::CQueryContinue()
|
|
{
|
|
m_cRef=1;
|
|
m_pIUserNotification=NULL;
|
|
m_hTimer=NULL;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
// ~CQueryContinue
|
|
//--------------------------------------------------------------------------
|
|
CQueryContinue::~CQueryContinue()
|
|
{
|
|
|
|
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
// CQueryContinue
|
|
//--------------------------------------------------------------------------
|
|
HRESULT CQueryContinue::QueryInterface(REFIID riid, void **ppv)
|
|
{
|
|
if(IsEqualIID(riid, IID_IUnknown) || IsEqualIID(riid, IID_IQueryContinue))
|
|
{
|
|
*ppv=(LPVOID)this;
|
|
AddRef();
|
|
return S_OK;
|
|
}
|
|
|
|
return E_NOINTERFACE;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
// AddRef
|
|
//--------------------------------------------------------------------------
|
|
STDMETHODIMP_(ULONG) CQueryContinue::AddRef()
|
|
{
|
|
return InterlockedIncrement(&m_cRef);
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
// Release
|
|
//--------------------------------------------------------------------------
|
|
STDMETHODIMP_(ULONG) CQueryContinue::Release()
|
|
{
|
|
if (InterlockedDecrement(&m_cRef))
|
|
return m_cRef;
|
|
|
|
delete this;
|
|
return 0;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
// CQueryContinue
|
|
//--------------------------------------------------------------------------
|
|
HRESULT CQueryContinue::QueryContinue()
|
|
{
|
|
//disable the balloon
|
|
if(m_pIUserNotification)
|
|
m_pIUserNotification->SetBalloonInfo(NULL, NULL, NIIF_INFO);
|
|
|
|
//wait for the timer to be activated
|
|
if(m_hTimer)
|
|
{
|
|
if(WAIT_OBJECT_0 == WaitForSingleObject(m_hTimer, 0))
|
|
return S_FALSE;
|
|
}
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
// DoBalloon()
|
|
//--------------------------------------------------------------------------
|
|
HRESULT CQueryContinue::DoBalloon()
|
|
{
|
|
|
|
HRESULT hr=E_FAIL;
|
|
WCHAR wszTitle[MAX_DN_SIZE];
|
|
WCHAR wszText[MAX_DN_SIZE];
|
|
HICON hIcon=NULL;
|
|
LARGE_INTEGER DueTime;
|
|
|
|
if(S_OK != (hr=CoCreateInstance(CLSID_UserNotification,
|
|
NULL,
|
|
CLSCTX_ALL,
|
|
IID_IUserNotification,
|
|
(void **)&m_pIUserNotification)))
|
|
goto Ret;
|
|
|
|
if(NULL==m_pIUserNotification)
|
|
{
|
|
hr=E_FAIL;
|
|
goto Ret;
|
|
}
|
|
|
|
//create a waitable timer with default security setting
|
|
m_hTimer=CreateWaitableTimer(NULL, TRUE, NULL);
|
|
|
|
if(NULL==m_hTimer)
|
|
{
|
|
hr=E_FAIL;
|
|
goto Ret;
|
|
}
|
|
|
|
//set the timer
|
|
DueTime.QuadPart = Int32x32To64(-10000, AUTO_ENROLLMENT_BALLOON_LENGTH * 1000);
|
|
|
|
if(!SetWaitableTimer(m_hTimer, &DueTime, 0, NULL, 0, FALSE))
|
|
{
|
|
hr=E_FAIL;
|
|
goto Ret;
|
|
}
|
|
|
|
|
|
if(S_OK != (hr=m_pIUserNotification->SetBalloonRetry(AUTO_ENROLLMENT_SHOW_TIME * 1000,
|
|
AUTO_ENROLLMENT_INTERVAL * 1000,
|
|
AUTO_ENROLLMENT_RETRIAL)))
|
|
goto Ret;
|
|
|
|
if((!LoadStringW(g_hmodThisDll,IDS_ICON_TIP, wszText, MAX_DN_SIZE)) ||
|
|
(NULL==(hIcon=LoadIcon(g_hmodThisDll, MAKEINTRESOURCE(IDI_AUTOENROLL_ICON)))))
|
|
{
|
|
hr=E_FAIL;
|
|
goto Ret;
|
|
}
|
|
|
|
if(S_OK != (hr=m_pIUserNotification->SetIconInfo(hIcon, wszText)))
|
|
goto Ret;
|
|
|
|
|
|
if((!LoadStringW(g_hmodThisDll,IDS_BALLOON_TITLE, wszTitle, MAX_DN_SIZE)) ||
|
|
(!LoadStringW(g_hmodThisDll,IDS_BALLOON_TEXT, wszText, MAX_DN_SIZE)))
|
|
{
|
|
hr=E_FAIL;
|
|
goto Ret;
|
|
}
|
|
|
|
if(S_OK !=(hr=m_pIUserNotification->SetBalloonInfo(wszTitle, wszText, NIIF_INFO)))
|
|
goto Ret;
|
|
|
|
//user did not click on the icon or we time out
|
|
hr= m_pIUserNotification->Show(this, AUTO_ENROLLMENT_QUERY_INTERVAL * 1000);
|
|
|
|
Ret:
|
|
if(m_hTimer)
|
|
{
|
|
CloseHandle(m_hTimer);
|
|
m_hTimer=NULL;
|
|
}
|
|
|
|
|
|
if(m_pIUserNotification)
|
|
{
|
|
m_pIUserNotification->Release();
|
|
m_pIUserNotification=NULL;
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
//*******************************************************************************
|
|
//
|
|
//
|
|
// Functions for autoenrollment
|
|
//
|
|
//
|
|
//*******************************************************************************
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// Name: FindCertificateInOtherStore
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
PCCERT_CONTEXT FindCertificateInOtherStore(
|
|
IN HCERTSTORE hOtherStore,
|
|
IN PCCERT_CONTEXT pCert
|
|
)
|
|
{
|
|
BYTE rgbHash[SHA1_HASH_LENGTH];
|
|
CRYPT_DATA_BLOB HashBlob;
|
|
|
|
HashBlob.pbData = rgbHash;
|
|
HashBlob.cbData = SHA1_HASH_LENGTH;
|
|
if (!CertGetCertificateContextProperty(
|
|
pCert,
|
|
CERT_SHA1_HASH_PROP_ID,
|
|
rgbHash,
|
|
&HashBlob.cbData
|
|
) || SHA1_HASH_LENGTH != HashBlob.cbData)
|
|
return NULL;
|
|
|
|
return CertFindCertificateInStore(
|
|
hOtherStore,
|
|
ENCODING_TYPE, // dwCertEncodingType
|
|
0, // dwFindFlags
|
|
CERT_FIND_SHA1_HASH,
|
|
(const void *) &HashBlob,
|
|
NULL //pPrevCertContext
|
|
);
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEUpdateCertificateStore
|
|
//
|
|
// Description: This function enumerates all of the certificate in the DS based
|
|
// LdapPath, and moves them into the corresponding local machine store.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
HRESULT WINAPI AEUpdateCertificateStore(LDAP *pld,
|
|
LPWSTR pwszConfig,
|
|
LPWSTR pwszStoreName,
|
|
LPWSTR pwszLdapPath)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
CERT_LDAP_STORE_OPENED_PARA CertOpenStoreParam;
|
|
PCCERT_CONTEXT pContext = NULL,
|
|
pOtherCert = NULL;
|
|
|
|
LPWSTR pwszLdapStore = NULL;
|
|
HCERTSTORE hEnterpriseStore = NULL,
|
|
hLocalStore = NULL;
|
|
|
|
if((NULL==pld) || (NULL==pwszConfig) || (NULL==pwszStoreName) || (NULL==pwszLdapPath))
|
|
{
|
|
hr = E_INVALIDARG;
|
|
goto error;
|
|
}
|
|
|
|
pwszLdapStore = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(pwszConfig)+wcslen(pwszLdapPath)+1));
|
|
if(pwszLdapStore == NULL)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
goto error;
|
|
}
|
|
|
|
wsprintf(pwszLdapStore,
|
|
pwszLdapPath,
|
|
pwszConfig);
|
|
|
|
|
|
hLocalStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_REGISTRY_W,
|
|
0,
|
|
0,
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
|
|
pwszStoreName);
|
|
if(hLocalStore == NULL)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
AE_DEBUG((AE_ERROR, L"Unable to open ROOT store (%lx)\n\r", hr));
|
|
goto error;
|
|
}
|
|
|
|
memset(&CertOpenStoreParam, 0, sizeof(CertOpenStoreParam));
|
|
CertOpenStoreParam.pvLdapSessionHandle=pld;
|
|
CertOpenStoreParam.pwszLdapUrl=pwszLdapStore;
|
|
|
|
hEnterpriseStore = CertOpenStore(CERT_STORE_PROV_LDAP,
|
|
0,
|
|
0,
|
|
CERT_STORE_READONLY_FLAG | CERT_LDAP_STORE_SIGN_FLAG |
|
|
CERT_LDAP_STORE_OPENED_FLAG,
|
|
&CertOpenStoreParam);
|
|
|
|
if(hEnterpriseStore == NULL)
|
|
{
|
|
DWORD err = GetLastError();
|
|
|
|
if((err == ERROR_FILE_NOT_FOUND))
|
|
{
|
|
// There was no store, so there are no certs
|
|
hr = S_OK;
|
|
goto error;
|
|
}
|
|
|
|
|
|
hr = HRESULT_FROM_WIN32(err);
|
|
|
|
AE_DEBUG((AE_ERROR, L"Unable to open ROOT store (%lx)\n\r", hr));
|
|
goto error;
|
|
}
|
|
|
|
|
|
while(pContext = CertEnumCertificatesInStore(hEnterpriseStore, pContext))
|
|
{
|
|
if (pOtherCert = FindCertificateInOtherStore(hLocalStore, pContext)) {
|
|
CertFreeCertificateContext(pOtherCert);
|
|
}
|
|
else
|
|
{
|
|
CertAddCertificateContextToStore(hLocalStore,
|
|
pContext,
|
|
CERT_STORE_ADD_ALWAYS,
|
|
NULL);
|
|
}
|
|
}
|
|
|
|
while(pContext = CertEnumCertificatesInStore(hLocalStore, pContext))
|
|
{
|
|
if (pOtherCert = FindCertificateInOtherStore(hEnterpriseStore, pContext)) {
|
|
CertFreeCertificateContext(pOtherCert);
|
|
}
|
|
else
|
|
{
|
|
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pContext));
|
|
}
|
|
}
|
|
|
|
|
|
error:
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
AELogAutoEnrollmentEvent(
|
|
STATUS_SEVERITY_ERROR, //this event will always be logged
|
|
TRUE,
|
|
hr,
|
|
EVENT_FAIL_DOWNLOAD_CERT,
|
|
TRUE,
|
|
NULL,
|
|
2,
|
|
pwszStoreName,
|
|
pwszLdapStore);
|
|
|
|
}
|
|
|
|
if(pwszLdapStore)
|
|
{
|
|
LocalFree(pwszLdapStore);
|
|
}
|
|
|
|
if(hEnterpriseStore)
|
|
{
|
|
CertCloseStore(hEnterpriseStore,0);
|
|
}
|
|
|
|
if(hLocalStore)
|
|
{
|
|
CertCloseStore(hLocalStore,0);
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AENeedToUpdateDSCache
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AENeedToUpdateDSCache(LDAP *pld, LPWSTR pwszDCInvocationID, LPWSTR pwszConfig, AE_DS_INFO *pAEDSInfo)
|
|
{
|
|
BOOL fNeedToUpdate=TRUE;
|
|
DWORD dwRegObject=0;
|
|
ULARGE_INTEGER maxRegUSN;
|
|
ULARGE_INTEGER maxDsUSN;
|
|
DWORD dwType=0;
|
|
DWORD dwSize=0;
|
|
DWORD dwDisp=0;
|
|
struct l_timeval timeout;
|
|
LPWSTR rgwszAttrs[] = {AUTO_ENROLLMENT_USN_ATTR, NULL};
|
|
LDAPMessage *Entry=NULL;
|
|
|
|
LPWSTR *awszValue = NULL;
|
|
HKEY hDSKey=NULL;
|
|
HKEY hDCKey=NULL;
|
|
LDAPMessage *SearchResult = NULL;
|
|
LPWSTR pwszContainer=NULL;
|
|
|
|
|
|
if((NULL==pld) || (NULL==pwszDCInvocationID) || (NULL==pwszConfig) || (NULL==pAEDSInfo))
|
|
goto error;
|
|
|
|
//init
|
|
memset(pAEDSInfo, 0, sizeof(AE_DS_INFO));
|
|
|
|
//compute the # of objects and maxUSN from the directory
|
|
pwszContainer=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (1 + wcslen(pwszConfig) + wcslen(s_wszLocation)));
|
|
if(NULL == pwszContainer)
|
|
goto error;
|
|
|
|
wcscpy(pwszContainer, s_wszLocation);
|
|
wcscat(pwszContainer, pwszConfig);
|
|
|
|
timeout.tv_sec = 300;
|
|
timeout.tv_usec = 0;
|
|
|
|
if(LDAP_SUCCESS != ldap_search_stW(
|
|
pld,
|
|
pwszContainer,
|
|
LDAP_SCOPE_SUBTREE,
|
|
L"(objectCategory=certificationAuthority)",
|
|
rgwszAttrs,
|
|
0,
|
|
&timeout,
|
|
&SearchResult))
|
|
goto error;
|
|
|
|
//get the # of objects
|
|
pAEDSInfo->dwObjects = ldap_count_entries(pld, SearchResult);
|
|
|
|
for(Entry = ldap_first_entry(pld, SearchResult); Entry != NULL; Entry = ldap_next_entry(pld, Entry))
|
|
{
|
|
|
|
awszValue = ldap_get_values(pld, Entry, AUTO_ENROLLMENT_USN_ATTR);
|
|
|
|
if(NULL==awszValue)
|
|
goto error;
|
|
|
|
if(NULL==awszValue[0])
|
|
goto error;
|
|
|
|
maxDsUSN.QuadPart=0;
|
|
|
|
maxDsUSN.QuadPart=_wtoi64(awszValue[0]);
|
|
|
|
//if any error happens, maxDsUSN will be 0.
|
|
if(0 == maxDsUSN.QuadPart)
|
|
goto error;
|
|
|
|
if((pAEDSInfo->maxUSN).QuadPart < maxDsUSN.QuadPart)
|
|
(pAEDSInfo->maxUSN).QuadPart = maxDsUSN.QuadPart;
|
|
|
|
ldap_value_free(awszValue);
|
|
awszValue=NULL;
|
|
}
|
|
|
|
//signal that we have retrieved correct data from the directory
|
|
pAEDSInfo->fValidData=TRUE;
|
|
|
|
//find if we have cached any information about the DC of interest
|
|
if(ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE,
|
|
AUTO_ENROLLMENT_DS_KEY,
|
|
0,
|
|
TEXT(""),
|
|
REG_OPTION_NON_VOLATILE,
|
|
KEY_ALL_ACCESS,
|
|
NULL,
|
|
&hDSKey,
|
|
&dwDisp))
|
|
goto error;
|
|
|
|
|
|
if(ERROR_SUCCESS != RegOpenKeyEx(
|
|
hDSKey,
|
|
pwszDCInvocationID,
|
|
0,
|
|
KEY_ALL_ACCESS,
|
|
&hDCKey))
|
|
goto error;
|
|
|
|
|
|
dwSize=sizeof(dwRegObject);
|
|
|
|
if(ERROR_SUCCESS != RegQueryValueEx(
|
|
hDCKey,
|
|
AUTO_ENROLLMENT_DS_OBJECT,
|
|
NULL,
|
|
&dwType,
|
|
(PBYTE)(&dwRegObject),
|
|
&dwSize))
|
|
goto error;
|
|
|
|
if(REG_DWORD != dwType)
|
|
goto error;
|
|
|
|
|
|
dwSize=sizeof(maxRegUSN);
|
|
|
|
if(ERROR_SUCCESS != RegQueryValueEx(
|
|
hDCKey,
|
|
AUTO_ENROLLMENT_DS_USN,
|
|
NULL,
|
|
&dwType,
|
|
(PBYTE)(&(maxRegUSN)),
|
|
&dwSize))
|
|
goto error;
|
|
|
|
if(REG_BINARY != dwType)
|
|
goto error;
|
|
|
|
|
|
//compare the registry data with the data from directory
|
|
if(dwRegObject != (pAEDSInfo->dwObjects))
|
|
goto error;
|
|
|
|
if(maxRegUSN.QuadPart != ((pAEDSInfo->maxUSN).QuadPart))
|
|
goto error;
|
|
|
|
fNeedToUpdate=FALSE;
|
|
|
|
error:
|
|
|
|
if(awszValue)
|
|
ldap_value_free(awszValue);
|
|
|
|
if(pwszContainer)
|
|
LocalFree(pwszContainer);
|
|
|
|
if(hDCKey)
|
|
RegCloseKey(hDCKey);
|
|
|
|
if(hDSKey)
|
|
RegCloseKey(hDSKey);
|
|
|
|
if(SearchResult)
|
|
ldap_msgfree(SearchResult);
|
|
|
|
//remove the temporary data
|
|
if(pAEDSInfo)
|
|
{
|
|
if(FALSE == fNeedToUpdate)
|
|
memset(pAEDSInfo, 0, sizeof(AE_DS_INFO));
|
|
}
|
|
|
|
|
|
return fNeedToUpdate;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEUpdateDSCache
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEUpdateDSCache(LPWSTR pwszDCInvocationID, AE_DS_INFO *pAEDSInfo)
|
|
{
|
|
|
|
BOOL fResult=FALSE;
|
|
DWORD dwDisp=0;
|
|
|
|
HKEY hDSKey=NULL;
|
|
HKEY hDCKey=NULL;
|
|
|
|
if((NULL==pwszDCInvocationID) || (NULL==pAEDSInfo))
|
|
goto error;
|
|
|
|
if(ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE,
|
|
AUTO_ENROLLMENT_DS_KEY,
|
|
0,
|
|
TEXT(""),
|
|
REG_OPTION_NON_VOLATILE,
|
|
KEY_ALL_ACCESS,
|
|
NULL,
|
|
&hDSKey,
|
|
&dwDisp))
|
|
goto error;
|
|
|
|
|
|
//create the key named by the DC
|
|
if(ERROR_SUCCESS != RegCreateKeyEx(hDSKey,
|
|
pwszDCInvocationID,
|
|
0,
|
|
TEXT(""),
|
|
REG_OPTION_NON_VOLATILE,
|
|
KEY_ALL_ACCESS,
|
|
NULL,
|
|
&hDCKey,
|
|
&dwDisp))
|
|
goto error;
|
|
|
|
//set the # of objects value
|
|
if(ERROR_SUCCESS != RegSetValueEx(hDCKey,
|
|
AUTO_ENROLLMENT_DS_OBJECT,
|
|
NULL,
|
|
REG_DWORD,
|
|
(PBYTE)&(pAEDSInfo->dwObjects),
|
|
sizeof(pAEDSInfo->dwObjects)))
|
|
goto error;
|
|
|
|
//set the max uSN value
|
|
if(ERROR_SUCCESS != RegSetValueEx(hDCKey,
|
|
AUTO_ENROLLMENT_DS_USN,
|
|
NULL,
|
|
REG_BINARY,
|
|
(PBYTE)&(pAEDSInfo->maxUSN),
|
|
sizeof(pAEDSInfo->maxUSN)))
|
|
goto error;
|
|
|
|
fResult=TRUE;
|
|
|
|
error:
|
|
|
|
if(hDCKey)
|
|
RegCloseKey(hDCKey);
|
|
|
|
if(hDSKey)
|
|
RegCloseKey(hDSKey);
|
|
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERetrieveInvocationID
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AERetrieveInvocationID(LDAP *pld, LPWSTR *ppwszID)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
struct l_timeval timeout;
|
|
LPWSTR rgwszDSAttrs[] = {L"dsServiceName", NULL};
|
|
LPWSTR rgwszIDAttr[] = {L"invocationId", NULL};
|
|
LDAPMessage *Entry=NULL;
|
|
|
|
LPWSTR *awszValues = NULL;
|
|
LDAPMessage *SearchResults = NULL;
|
|
struct berval **apUUID = NULL;
|
|
LDAPMessage *SearchIDResult = NULL;
|
|
BYTE *pbUUID=NULL;
|
|
|
|
|
|
|
|
if((NULL==pld) || (NULL==ppwszID))
|
|
goto error;
|
|
|
|
*ppwszID=NULL;
|
|
|
|
//retrieve the dsSerivceName attribute
|
|
timeout.tv_sec = 300;
|
|
timeout.tv_usec = 0;
|
|
|
|
if(LDAP_SUCCESS != ldap_search_stW(
|
|
pld,
|
|
NULL, //NULL DN for dsServiceName
|
|
LDAP_SCOPE_BASE,
|
|
L"(objectCategory=*)",
|
|
rgwszDSAttrs,
|
|
0,
|
|
&timeout,
|
|
&SearchResults))
|
|
goto error;
|
|
|
|
|
|
Entry = ldap_first_entry(pld, SearchResults);
|
|
|
|
if(NULL == Entry)
|
|
goto error;
|
|
|
|
awszValues = ldap_get_values(pld, Entry, rgwszDSAttrs[0]);
|
|
|
|
if(NULL==awszValues)
|
|
goto error;
|
|
|
|
if(NULL==awszValues[0])
|
|
goto error;
|
|
|
|
//retrieve the invocationId attribute
|
|
timeout.tv_sec = 300;
|
|
timeout.tv_usec = 0;
|
|
|
|
if(LDAP_SUCCESS != ldap_search_stW(
|
|
pld,
|
|
awszValues[0],
|
|
LDAP_SCOPE_BASE,
|
|
L"(objectCategory=*)",
|
|
rgwszIDAttr,
|
|
0,
|
|
&timeout,
|
|
&SearchIDResult))
|
|
goto error;
|
|
|
|
|
|
Entry = ldap_first_entry(pld, SearchIDResult);
|
|
|
|
if(NULL == Entry)
|
|
goto error;
|
|
|
|
apUUID = ldap_get_values_len(pld, Entry, rgwszIDAttr[0]);
|
|
|
|
if(NULL == apUUID)
|
|
goto error;
|
|
|
|
if(NULL == (*apUUID))
|
|
goto error;
|
|
|
|
pbUUID = (BYTE *)LocalAlloc(LPTR, (*apUUID)->bv_len);
|
|
|
|
if(NULL == (pbUUID))
|
|
goto error;
|
|
|
|
if(0 == ((*apUUID)->bv_len))
|
|
goto error;
|
|
|
|
if(NULL == ((*apUUID)->bv_val))
|
|
goto error;
|
|
|
|
memcpy(pbUUID, (*apUUID)->bv_val, (*apUUID)->bv_len);
|
|
|
|
if(RPC_S_OK != UuidToStringW((UUID *)pbUUID, ppwszID))
|
|
goto error;
|
|
|
|
fResult=TRUE;
|
|
|
|
error:
|
|
|
|
if(pbUUID)
|
|
LocalFree(pbUUID);
|
|
|
|
if(apUUID)
|
|
ldap_value_free_len(apUUID);
|
|
|
|
if(SearchIDResult)
|
|
ldap_msgfree(SearchIDResult);
|
|
|
|
if(awszValues)
|
|
ldap_value_free(awszValues);
|
|
|
|
if(SearchResults)
|
|
ldap_msgfree(SearchResults);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEDownloadStore
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AEDownloadStore(LDAP *pld)
|
|
{
|
|
BOOL fResult = TRUE;
|
|
DWORD dwIndex = 0;
|
|
AE_DS_INFO AEDSInfo;
|
|
|
|
LPWSTR wszConfig = NULL;
|
|
LPWSTR pwszDCInvocationID = NULL;
|
|
|
|
memset(&AEDSInfo, 0, sizeof(AEDSInfo));
|
|
|
|
if(S_OK != AEGetConfigDN(pld, &wszConfig))
|
|
{
|
|
fResult=FALSE;
|
|
goto error;
|
|
}
|
|
|
|
//get the pwszDCInvocationID. NULL means AENeedToUpdateDSCache will return TRUE
|
|
AERetrieveInvocationID(pld, &pwszDCInvocationID);
|
|
|
|
if(AENeedToUpdateDSCache(pld, pwszDCInvocationID, wszConfig, &AEDSInfo))
|
|
{
|
|
for(dwIndex =0; dwIndex < g_dwStoreInfo; dwIndex++)
|
|
{
|
|
fResult = fResult && (S_OK == AEUpdateCertificateStore(
|
|
pld,
|
|
wszConfig,
|
|
g_rgStoreInfo[dwIndex].pwszStoreName,
|
|
g_rgStoreInfo[dwIndex].pwszLdapPath));
|
|
}
|
|
|
|
//only update the new DS cached information if we have a successful download
|
|
if((fResult) && (TRUE == AEDSInfo.fValidData) && (pwszDCInvocationID))
|
|
AEUpdateDSCache(pwszDCInvocationID, &AEDSInfo);
|
|
}
|
|
|
|
|
|
error:
|
|
|
|
if(pwszDCInvocationID)
|
|
RpcStringFreeW(&pwszDCInvocationID);
|
|
|
|
if(wszConfig)
|
|
{
|
|
LocalFree(wszConfig);
|
|
}
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AESetWakeUpFlag
|
|
//
|
|
// We set the flag to tell winlogon if autoenrollment should be waken up
|
|
// during each policy check
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AESetWakeUpFlag(BOOL fMachine, BOOL fWakeUp)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
DWORD dwDisp = 0;
|
|
DWORD dwFlags = 0;
|
|
|
|
HKEY hAEKey = NULL;
|
|
|
|
if(ERROR_SUCCESS != RegCreateKeyEx(
|
|
fMachine ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
|
|
AUTO_ENROLLMENT_FLAG_KEY,
|
|
0,
|
|
L"",
|
|
REG_OPTION_NON_VOLATILE,
|
|
KEY_ALL_ACCESS,
|
|
NULL,
|
|
&hAEKey,
|
|
&dwDisp))
|
|
goto Ret;
|
|
|
|
if(fWakeUp)
|
|
dwFlags = AUTO_ENROLLMENT_WAKE_UP_REQUIRED;
|
|
|
|
if(ERROR_SUCCESS != RegSetValueEx(
|
|
hAEKey,
|
|
AUTO_ENROLLMENT_FLAG,
|
|
0,
|
|
REG_DWORD,
|
|
(PBYTE)&dwFlags,
|
|
sizeof(dwFlags)))
|
|
goto Ret;
|
|
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
if(hAEKey)
|
|
RegCloseKey(hAEKey);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AESetWakeUpTimer
|
|
//
|
|
// Set the timer to wake us up in 8 hrs
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AESetWakeUpTimer(BOOL fMachine, LARGE_INTEGER *pPreTime, LARGE_INTEGER *pPostTime)
|
|
{
|
|
HRESULT hr;
|
|
HKEY hKey;
|
|
HKEY hCurrent;
|
|
DWORD dwType, dwSize, dwResult;
|
|
LONG lTimeout;
|
|
LARGE_INTEGER DueTime;
|
|
WCHAR * wszTimerName;
|
|
LARGE_INTEGER EnrollmentTime;
|
|
|
|
// must be cleaned up
|
|
HANDLE hTimer=NULL;
|
|
|
|
// Build a timer event to ping us in about 8 hours if we don't get notified sooner.
|
|
lTimeout=AE_DEFAULT_REFRESH_RATE;
|
|
|
|
// Query for the refresh timer value
|
|
if (ERROR_SUCCESS==RegOpenKeyEx((fMachine?HKEY_LOCAL_MACHINE:HKEY_CURRENT_USER), SYSTEM_POLICIES_KEY, 0, KEY_READ, &hKey)) {
|
|
dwSize=sizeof(lTimeout);
|
|
if(ERROR_SUCCESS != RegQueryValueEx(hKey, TEXT("AutoEnrollmentRefreshTime"), NULL, &dwType, (LPBYTE) &lTimeout, &dwSize))
|
|
{
|
|
lTimeout=AE_DEFAULT_REFRESH_RATE;
|
|
}
|
|
else
|
|
{
|
|
if(REG_DWORD != dwType)
|
|
lTimeout=AE_DEFAULT_REFRESH_RATE;
|
|
}
|
|
RegCloseKey(hKey);
|
|
}
|
|
|
|
// Limit the timeout to once every 240 hours (10 days)
|
|
if (lTimeout>=240) {
|
|
lTimeout=240;
|
|
} else if (lTimeout<0) {
|
|
lTimeout=0;
|
|
}
|
|
|
|
// Convert hours to milliseconds
|
|
lTimeout=lTimeout*60*60*1000;
|
|
|
|
// Special case 0 milliseconds to be 7 seconds
|
|
if (lTimeout==0) {
|
|
lTimeout=7000;
|
|
}
|
|
|
|
// convert to 10^-7s. not yet negative values are relative
|
|
DueTime.QuadPart=Int32x32To64(-10000, lTimeout);
|
|
|
|
// if user has hold on the UI for too long and the cycle passed the 8 hours.
|
|
// we set the time for 1 hour
|
|
EnrollmentTime.QuadPart=pPostTime->QuadPart - pPreTime->QuadPart;
|
|
|
|
if(EnrollmentTime.QuadPart > 0)
|
|
{
|
|
if((-(DueTime.QuadPart)) > EnrollmentTime.QuadPart)
|
|
{
|
|
DueTime.QuadPart = DueTime.QuadPart + EnrollmentTime.QuadPart;
|
|
}
|
|
else
|
|
{
|
|
// Convert hours to milliseconds
|
|
lTimeout=AE_DEFAULT_POSTPONE*60*60*1000;
|
|
DueTime.QuadPart = Int32x32To64(-10000, lTimeout);
|
|
}
|
|
}
|
|
|
|
|
|
// find the timer
|
|
if (fMachine) {
|
|
wszTimerName=L"Global\\" MACHINE_AUTOENROLLMENT_TIMER_NAME;
|
|
} else {
|
|
wszTimerName=USER_AUTOENROLLMENT_TIMER_NAME;
|
|
}
|
|
hTimer=OpenWaitableTimer(TIMER_MODIFY_STATE, false, wszTimerName);
|
|
if (NULL==hTimer) {
|
|
hr=HRESULT_FROM_WIN32(GetLastError());
|
|
AE_DEBUG((AE_ERROR, L"OpenWaitableTimer(%s) failed with 0x%08X.\n", wszTimerName, hr));
|
|
goto error;
|
|
}
|
|
|
|
// set the timer
|
|
if (!SetWaitableTimer (hTimer, &DueTime, 0, NULL, 0, FALSE)) {
|
|
hr=HRESULT_FROM_WIN32(GetLastError());
|
|
AE_DEBUG((AE_ERROR, L"SetWaitableTimer failed with 0x%08X.\n", hr));
|
|
goto error;
|
|
}
|
|
|
|
AE_DEBUG((AE_INFO, L"Set wakeup timer.\n"));
|
|
|
|
hr=S_OK;
|
|
error:
|
|
if (NULL!=hTimer) {
|
|
CloseHandle(hTimer);
|
|
}
|
|
return (S_OK==hr);
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEGetPendingRequestProperty
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEGetPendingRequestProperty(IEnroll4 *pIEnroll4,
|
|
DWORD dwIndex,
|
|
DWORD dwProp,
|
|
LPVOID pProp)
|
|
{
|
|
CRYPT_DATA_BLOB *pBlob=NULL;
|
|
BOOL fResult=FALSE;
|
|
|
|
if((NULL==pIEnroll4) || (NULL==pProp))
|
|
return FALSE;
|
|
|
|
switch(dwProp)
|
|
{
|
|
case XEPR_REQUESTID:
|
|
case XEPR_DATE:
|
|
case XEPR_VERSION:
|
|
fResult = (S_OK == pIEnroll4->enumPendingRequestWStr(dwIndex, dwProp, pProp));
|
|
break;
|
|
|
|
|
|
case XEPR_CANAME:
|
|
case XEPR_CAFRIENDLYNAME:
|
|
case XEPR_CADNS:
|
|
case XEPR_V1TEMPLATENAME:
|
|
case XEPR_V2TEMPLATEOID:
|
|
case XEPR_HASH:
|
|
|
|
pBlob=(CRYPT_DATA_BLOB *)pProp;
|
|
|
|
pBlob->cbData=0;
|
|
pBlob->pbData=NULL;
|
|
|
|
if(S_OK != pIEnroll4->enumPendingRequestWStr(dwIndex, dwProp, pProp))
|
|
goto Ret;
|
|
|
|
if(0 == pBlob->cbData)
|
|
goto Ret;
|
|
|
|
pBlob->pbData=(BYTE *)LocalAlloc(LPTR, pBlob->cbData);
|
|
if(NULL == pBlob->pbData)
|
|
goto Ret;
|
|
|
|
fResult = (S_OK == pIEnroll4->enumPendingRequestWStr(dwIndex, dwProp, pProp));
|
|
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
Ret:
|
|
if(FALSE==fResult)
|
|
{
|
|
if(pBlob)
|
|
{
|
|
if(pBlob->pbData)
|
|
LocalFree(pBlob->pbData);
|
|
|
|
memset(pBlob, 0, sizeof(CRYPT_DATA_BLOB));
|
|
}
|
|
}
|
|
|
|
return fResult;
|
|
}
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERetrieveRequestProperty
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AERetrieveRequestProperty(IEnroll4 *pIEnroll4,
|
|
DWORD dwIndex,
|
|
DWORD *pdwCount,
|
|
DWORD *pdwMax,
|
|
CRYPT_DATA_BLOB **prgblobHash)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
CRYPT_DATA_BLOB *pblobHash=NULL;
|
|
|
|
if((NULL==pIEnroll4) || (NULL==pdwCount) || (NULL==pdwMax) || (NULL==prgblobHash) ||
|
|
(NULL==*prgblobHash))
|
|
goto Ret;
|
|
|
|
//need to alloc more memory
|
|
if((*pdwCount) >= (*pdwMax))
|
|
{
|
|
pblobHash=*prgblobHash;
|
|
|
|
*prgblobHash=(CRYPT_DATA_BLOB *)LocalAlloc(LPTR,
|
|
((*pdwMax) + PENDING_ALLOC_SIZE) * sizeof(CRYPT_DATA_BLOB));
|
|
if(NULL==(*prgblobHash))
|
|
{
|
|
*prgblobHash=pblobHash;
|
|
pblobHash=NULL;
|
|
goto Ret;
|
|
}
|
|
|
|
memset(*prgblobHash, 0, ((*pdwMax) + PENDING_ALLOC_SIZE) * sizeof(CRYPT_DATA_BLOB));
|
|
|
|
//copy the old memmory
|
|
memcpy(*prgblobHash, pblobHash, (*pdwMax) * sizeof(CRYPT_DATA_BLOB));
|
|
|
|
*pdwMax=(*pdwMax) + PENDING_ALLOC_SIZE;
|
|
}
|
|
|
|
|
|
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_HASH,
|
|
&((*prgblobHash)[*pdwCount])))
|
|
goto Ret;
|
|
|
|
(*pdwCount)=(*pdwCount) + 1;
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pblobHash)
|
|
LocalFree(pblobHash);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERemovePendingRequest
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AERemovePendingRequest(IEnroll4 *pIEnroll4,
|
|
DWORD dwCount,
|
|
CRYPT_DATA_BLOB *rgblobHash)
|
|
{
|
|
DWORD dwIndex=0;
|
|
BOOL fResult=TRUE;
|
|
|
|
if((NULL==pIEnroll4) || (NULL==rgblobHash))
|
|
return FALSE;
|
|
|
|
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
|
|
{
|
|
if(S_OK != (pIEnroll4->removePendingRequestWStr(rgblobHash[dwIndex])))
|
|
fResult=FALSE;
|
|
}
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEFreePendingRequests
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEFreePendingRequests(DWORD dwCount, CRYPT_DATA_BLOB *rgblobHash)
|
|
{
|
|
DWORD dwIndex=0;
|
|
|
|
if(rgblobHash)
|
|
{
|
|
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
|
|
{
|
|
if(rgblobHash[dwIndex].pbData)
|
|
LocalFree(rgblobHash[dwIndex].pbData);
|
|
}
|
|
|
|
LocalFree(rgblobHash);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEValidVersionCert
|
|
//
|
|
// Verify the certificate returned from CA has the latest version info.
|
|
// If so, copy the certificate to the hIssuedStore for potentical publishing
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEValidVersionCert(AE_CERTTYPE_INFO *pCertType, IEnroll4 *pIEnroll4, CRYPT_DATA_BLOB *pBlobPKCS7)
|
|
{
|
|
BOOL fValid=FALSE;
|
|
|
|
PCCERT_CONTEXT pCertContext=NULL;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
if((NULL==pCertType) || (NULL==pIEnroll4) || (NULL==pBlobPKCS7))
|
|
goto Ret;
|
|
|
|
if(NULL==(pBlobPKCS7->pbData))
|
|
goto Ret;
|
|
|
|
if(S_OK != pIEnroll4->getCertContextFromResponseBlob(pBlobPKCS7, &pCertContext))
|
|
goto Ret;
|
|
|
|
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
|
|
if(AETemplateInfo.pwszOid)
|
|
{
|
|
if(AETemplateInfo.dwVersion >= (pCertType->dwVersion))
|
|
fValid=TRUE;
|
|
}
|
|
else
|
|
{
|
|
//V1 template
|
|
if(NULL == AETemplateInfo.pwszName)
|
|
goto Ret;
|
|
|
|
fValid=TRUE;
|
|
}
|
|
|
|
if(pCertContext && (TRUE == fValid))
|
|
{
|
|
CertAddCertificateContextToStore(pCertType->hIssuedStore,
|
|
pCertContext,
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
NULL);
|
|
}
|
|
|
|
Ret:
|
|
if(pCertContext)
|
|
CertFreeCertificateContext(pCertContext);
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fValid;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AECopyPendingBlob
|
|
//
|
|
// Copy the issued PKCS7 and request hash.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AECopyPendingBlob(CRYPT_DATA_BLOB *pBlobPKCS7,
|
|
IEnroll4 *pIEnroll4,
|
|
DWORD dwXenrollIndex,
|
|
AE_CERTTYPE_INFO *pCertType)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD dwIndex=0;
|
|
|
|
AE_PEND_INFO *pPendInfo=NULL;
|
|
|
|
if((NULL==pBlobPKCS7)||(NULL==pIEnroll4)||(NULL==pCertType))
|
|
goto Ret;
|
|
|
|
if(NULL==(pBlobPKCS7->pbData))
|
|
goto Ret;
|
|
|
|
dwIndex=pCertType->dwPendCount;
|
|
|
|
//increase the memory array
|
|
if(0 != dwIndex)
|
|
{
|
|
pPendInfo=pCertType->rgPendInfo;
|
|
|
|
pCertType->rgPendInfo=(AE_PEND_INFO *)LocalAlloc(LPTR,
|
|
(dwIndex + 1) * sizeof(AE_PEND_INFO));
|
|
|
|
if(NULL==(pCertType->rgPendInfo))
|
|
{
|
|
pCertType->rgPendInfo=pPendInfo;
|
|
pPendInfo=NULL;
|
|
goto Ret;
|
|
}
|
|
|
|
memset(pCertType->rgPendInfo, 0, (dwIndex + 1) * sizeof(AE_PEND_INFO));
|
|
|
|
//copy the old memmory
|
|
memcpy(pCertType->rgPendInfo, pPendInfo, (dwIndex) * sizeof(AE_PEND_INFO));
|
|
}
|
|
else
|
|
{
|
|
pCertType->rgPendInfo=(AE_PEND_INFO *)LocalAlloc(LPTR, sizeof(AE_PEND_INFO));
|
|
|
|
if(NULL==(pCertType->rgPendInfo))
|
|
goto Ret;
|
|
|
|
memset(pCertType->rgPendInfo, 0, sizeof(AE_PEND_INFO));
|
|
}
|
|
|
|
|
|
//copy the issued PKCS7 blob
|
|
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData=(BYTE *)LocalAlloc(
|
|
LPTR,
|
|
pBlobPKCS7->cbData);
|
|
|
|
if(NULL == ((pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData))
|
|
goto Ret;
|
|
|
|
memcpy((pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData,
|
|
pBlobPKCS7->pbData,
|
|
pBlobPKCS7->cbData);
|
|
|
|
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.cbData=pBlobPKCS7->cbData;
|
|
|
|
//copy the hash of the request
|
|
if(!AEGetPendingRequestProperty(pIEnroll4, dwXenrollIndex, XEPR_HASH,
|
|
&((pCertType->rgPendInfo)[dwIndex].blobHash)))
|
|
{
|
|
LocalFree((pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData);
|
|
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.pbData=NULL;
|
|
(pCertType->rgPendInfo)[dwIndex].blobPKCS7.cbData=0;
|
|
goto Ret;
|
|
}
|
|
|
|
(pCertType->dwPendCount)++;
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
if(pPendInfo)
|
|
LocalFree(pPendInfo);
|
|
|
|
return fResult;
|
|
}
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEProcessUIPendingRequest
|
|
//
|
|
// In this function, we install the issued pending certificate request
|
|
// that will require UI.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AEProcessUIPendingRequest(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex=0;
|
|
DWORD dwPendIndex=0;
|
|
AE_CERTTYPE_INFO *pCertTypeInfo=pAE_General_Info->rgCertTypeInfo;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
BOOL fInit=FALSE;
|
|
PFNPIEnroll4GetNoCOM pfnPIEnroll4GetNoCOM=NULL;
|
|
HMODULE hXenroll=NULL;
|
|
HRESULT hr=E_FAIL;
|
|
|
|
IEnroll4 *pIEnroll4=NULL;
|
|
|
|
if(NULL==pAE_General_Info)
|
|
goto Ret;
|
|
|
|
//has to be in the UI mode
|
|
if(FALSE == pAE_General_Info->fUIProcess)
|
|
goto Ret;
|
|
|
|
if(NULL==pCertTypeInfo)
|
|
goto Ret;
|
|
|
|
hXenroll=pAE_General_Info->hXenroll;
|
|
|
|
if(NULL==hXenroll)
|
|
goto Ret;
|
|
|
|
if(NULL==(pfnPIEnroll4GetNoCOM=(PFNPIEnroll4GetNoCOM)GetProcAddress(
|
|
hXenroll,
|
|
"PIEnroll4GetNoCOM")))
|
|
goto Ret;
|
|
|
|
|
|
if(FAILED(CoInitialize(NULL)))
|
|
goto Ret;
|
|
|
|
fInit=TRUE;
|
|
|
|
if(NULL==(pIEnroll4=pfnPIEnroll4GetNoCOM()))
|
|
goto Ret;
|
|
|
|
//Set the request store flag based on fMachine
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_LOCAL_MACHINE))
|
|
goto Ret;
|
|
}
|
|
else
|
|
{
|
|
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_CURRENT_USER))
|
|
goto Ret;
|
|
}
|
|
|
|
//initialize the enumerator
|
|
if(S_OK != pIEnroll4->enumPendingRequestWStr(XEPR_ENUM_FIRST, 0, NULL))
|
|
goto Ret;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
pCertType = &(pCertTypeInfo[dwIndex]);
|
|
|
|
if(pCertType->dwPendCount)
|
|
{
|
|
for(dwPendIndex=0; dwPendIndex < pCertType->dwPendCount; dwPendIndex++)
|
|
{
|
|
//check if cancel button is clicked
|
|
if(AECancelled(pAE_General_Info->hCancelEvent))
|
|
break;
|
|
|
|
//report the current enrollment action
|
|
AEUIProgressReport(TRUE, pCertType, pAE_General_Info->hwndDlg, pAE_General_Info->hCancelEvent);
|
|
|
|
//install the certificate
|
|
if(S_OK == (hr = pIEnroll4->acceptResponseBlob(
|
|
&((pCertType->rgPendInfo)[dwPendIndex].blobPKCS7))))
|
|
{
|
|
//mark the status to obtained if required
|
|
//this is a valid certificate
|
|
if(AEValidVersionCert(pCertType, pIEnroll4, &((pCertType->rgPendInfo)[dwPendIndex].blobPKCS7)))
|
|
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
|
|
|
|
//the certificate is successfully issued and installed
|
|
//remove the request from the request store
|
|
pIEnroll4->removePendingRequestWStr((pCertType->rgPendInfo)[dwPendIndex].blobHash);
|
|
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_PENDING_INSTALLED,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
1,
|
|
pCertType->awszDisplay[0]);
|
|
|
|
}
|
|
else
|
|
{
|
|
//doing this for summary page
|
|
if((SCARD_E_CANCELLED != hr) && (SCARD_W_CANCELLED_BY_USER != hr))
|
|
pCertType->idsSummary=IDS_SUMMARY_INSTALL;
|
|
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
TRUE,
|
|
hr,
|
|
EVENT_PENDING_FAILED,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
1,
|
|
pCertType->awszDisplay[0]);
|
|
}
|
|
|
|
//advance progress
|
|
AEUIProgressAdvance(pAE_General_Info);
|
|
}
|
|
}
|
|
}
|
|
|
|
Ret:
|
|
if(pIEnroll4)
|
|
pIEnroll4->Release();
|
|
|
|
if(fInit)
|
|
CoUninitialize();
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEProcessPendingRequest -- UIless call.
|
|
//
|
|
// In this function, we check each pending requests in the request store.
|
|
// We install the certificate is the request has been issued by the CA, and
|
|
// mark the certificate type status to obtained if the certificate is issued
|
|
// and of correct version
|
|
//
|
|
// We remove any requests that are stale based on the # of days defined
|
|
// in the registry. If no value is defined in the registry, use
|
|
// AE_PENDING_REQUEST_ACTIVE_PERIOD (60 days).
|
|
//
|
|
// Also, if there is no more pending requests active in the request store,
|
|
// we set the registry value to indicate that winlogon should not wake us up.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AEProcessPendingRequest(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwRequestID=0;
|
|
LONG dwDisposition=0;
|
|
DWORD dwIndex=0;
|
|
DWORD dwCount=0;
|
|
DWORD dwMax=PENDING_ALLOC_SIZE;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
PFNPIEnroll4GetNoCOM pfnPIEnroll4GetNoCOM=NULL;
|
|
BOOL fInit=FALSE;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
CRYPT_DATA_BLOB blobPKCS7;
|
|
HMODULE hXenroll=NULL;
|
|
VARIANT varCMC;
|
|
HRESULT hr=E_FAIL;
|
|
|
|
|
|
IEnroll4 *pIEnroll4=NULL;
|
|
ICertRequest2 *pICertRequest=NULL;
|
|
BSTR bstrCert=NULL;
|
|
LPWSTR pwszCAConfig=NULL;
|
|
BSTR bstrConfig=NULL;
|
|
CRYPT_DATA_BLOB *rgblobHash=NULL;
|
|
CRYPT_DATA_BLOB blobCAName;
|
|
CRYPT_DATA_BLOB blobCALocation;
|
|
CRYPT_DATA_BLOB blobName;
|
|
|
|
|
|
if(NULL==pAE_General_Info)
|
|
goto Ret;
|
|
|
|
//init the dwUIPendCount to 0
|
|
pAE_General_Info->dwUIPendCount=0;
|
|
|
|
//has to be in the UIless mode
|
|
if(TRUE == pAE_General_Info->fUIProcess)
|
|
goto Ret;
|
|
|
|
hXenroll=pAE_General_Info->hXenroll;
|
|
|
|
if(NULL==hXenroll)
|
|
goto Ret;
|
|
|
|
if(NULL==(pfnPIEnroll4GetNoCOM=(PFNPIEnroll4GetNoCOM)GetProcAddress(
|
|
hXenroll,
|
|
"PIEnroll4GetNoCOM")))
|
|
goto Ret;
|
|
|
|
|
|
if(FAILED(CoInitialize(NULL)))
|
|
goto Ret;
|
|
|
|
fInit=TRUE;
|
|
|
|
if(NULL==(pIEnroll4=pfnPIEnroll4GetNoCOM()))
|
|
goto Ret;
|
|
|
|
|
|
if(S_OK != CoCreateInstance(CLSID_CCertRequest,
|
|
NULL,
|
|
CLSCTX_INPROC_SERVER,
|
|
IID_ICertRequest2,
|
|
(void **)&pICertRequest))
|
|
goto Ret;
|
|
|
|
//Set the request store flag based on fMachine
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_LOCAL_MACHINE))
|
|
goto Ret;
|
|
}
|
|
else
|
|
{
|
|
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_CURRENT_USER))
|
|
goto Ret;
|
|
}
|
|
|
|
memset(&blobCAName, 0, sizeof(blobCAName));
|
|
memset(&blobCALocation, 0, sizeof(blobCALocation));
|
|
memset(&blobName, 0, sizeof(blobName));
|
|
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
|
|
|
|
rgblobHash=(CRYPT_DATA_BLOB *)LocalAlloc(LPTR, dwMax * sizeof(CRYPT_DATA_BLOB));
|
|
if(NULL==rgblobHash)
|
|
goto Ret;
|
|
|
|
memset(rgblobHash, 0, dwMax * sizeof(CRYPT_DATA_BLOB));
|
|
|
|
//initialize the enumerator
|
|
if(S_OK != pIEnroll4->enumPendingRequestWStr(XEPR_ENUM_FIRST, 0, NULL))
|
|
goto Ret;
|
|
|
|
//initlialize the variant
|
|
VariantInit(&varCMC);
|
|
|
|
while(AEGetPendingRequestProperty(
|
|
pIEnroll4,
|
|
dwIndex,
|
|
XEPR_REQUESTID,
|
|
&dwRequestID))
|
|
{
|
|
|
|
//query the status of the requests to the CA
|
|
if(!AEGetPendingRequestProperty(
|
|
pIEnroll4,
|
|
dwIndex,
|
|
XEPR_CANAME,
|
|
&blobCAName))
|
|
goto Next;
|
|
|
|
if(!AEGetPendingRequestProperty(
|
|
pIEnroll4,
|
|
dwIndex,
|
|
XEPR_CADNS,
|
|
&blobCALocation))
|
|
goto Next;
|
|
|
|
//build the config string
|
|
pwszCAConfig=(LPWSTR)LocalAlloc(LPTR,
|
|
sizeof(WCHAR) * (wcslen((LPWSTR)(blobCALocation.pbData)) + wcslen((LPWSTR)(blobCAName.pbData)) + wcslen(L"\\") + 1));
|
|
|
|
if(NULL==pwszCAConfig)
|
|
goto Next;
|
|
|
|
wcscpy(pwszCAConfig, (LPWSTR)(blobCALocation.pbData));
|
|
wcscat(pwszCAConfig, L"\\");
|
|
wcscat(pwszCAConfig, (LPWSTR)(blobCAName.pbData));
|
|
|
|
//conver to bstr
|
|
bstrConfig=SysAllocString(pwszCAConfig);
|
|
if(NULL==bstrConfig)
|
|
goto Next;
|
|
|
|
//find the template information
|
|
//get the version and the template name of the request
|
|
if(AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V2TEMPLATEOID, &blobName))
|
|
{
|
|
AETemplateInfo.pwszOid=(LPWSTR)blobName.pbData;
|
|
}
|
|
else
|
|
{
|
|
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V1TEMPLATENAME, &blobName))
|
|
goto Next;
|
|
|
|
AETemplateInfo.pwszName=(LPWSTR)blobName.pbData;
|
|
}
|
|
|
|
//find the template
|
|
if(NULL==(pCertType=AEFindTemplateInRequestTree(
|
|
&AETemplateInfo, pAE_General_Info)))
|
|
goto Next;
|
|
|
|
|
|
if(S_OK != pICertRequest->RetrievePending(
|
|
dwRequestID,
|
|
bstrConfig,
|
|
&dwDisposition))
|
|
goto Next;
|
|
|
|
switch(dwDisposition)
|
|
{
|
|
case CR_DISP_ISSUED:
|
|
if(S_OK != pICertRequest->GetFullResponseProperty(
|
|
FR_PROP_FULLRESPONSE, 0, PROPTYPE_BINARY, CR_OUT_BINARY,
|
|
&varCMC))
|
|
{
|
|
goto Next;
|
|
}
|
|
|
|
// Check to make sure we've gotten a BSTR back:
|
|
if (VT_BSTR != varCMC.vt)
|
|
{
|
|
goto Next;
|
|
}
|
|
|
|
bstrCert = varCMC.bstrVal;
|
|
|
|
// Marshal the cert into a CRYPT_DATA_BLOB:
|
|
blobPKCS7.cbData = (DWORD)SysStringByteLen(bstrCert);
|
|
blobPKCS7.pbData = (BYTE *)bstrCert;
|
|
|
|
// we will keep the PKCS7 blob for installation
|
|
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCertType->dwEnrollmentFlag))
|
|
{
|
|
//signal that we should pop up the UI balloon
|
|
(pAE_General_Info->dwUIPendCount)++;
|
|
|
|
//copy the PKCS7 blob from the cert server
|
|
AECopyPendingBlob(&blobPKCS7,
|
|
pIEnroll4,
|
|
dwIndex,
|
|
pCertType);
|
|
}
|
|
else
|
|
{
|
|
//install the certificate
|
|
if(S_OK != (hr = pIEnroll4->acceptResponseBlob(&blobPKCS7)))
|
|
{
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
TRUE,
|
|
hr,
|
|
EVENT_PENDING_FAILED,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
1,
|
|
pCertType->awszDisplay[0]);
|
|
|
|
goto Next;
|
|
}
|
|
|
|
//mark the status to obtained if required
|
|
//this is a valid certificate
|
|
if(AEValidVersionCert(pCertType, pIEnroll4, &blobPKCS7))
|
|
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
|
|
|
|
//the certificate is successfully issued and installed
|
|
//remove the request from the request store
|
|
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
|
|
}
|
|
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_PENDING_ISSUED,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
2,
|
|
pCertType->awszDisplay[0],
|
|
pwszCAConfig);
|
|
break;
|
|
|
|
case CR_DISP_UNDER_SUBMISSION:
|
|
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_PENDING_PEND,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
2,
|
|
pCertType->awszDisplay[0],
|
|
pwszCAConfig);
|
|
|
|
|
|
break;
|
|
|
|
case CR_DISP_INCOMPLETE:
|
|
case CR_DISP_ERROR:
|
|
case CR_DISP_DENIED:
|
|
case CR_DISP_ISSUED_OUT_OF_BAND: //we consider it a failure in this case
|
|
case CR_DISP_REVOKED:
|
|
default:
|
|
//requests failed. remove the request from the request store
|
|
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
|
|
|
|
if(S_OK == pICertRequest->GetLastStatus(&hr))
|
|
{
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
TRUE,
|
|
hr,
|
|
EVENT_PENDING_DENIED,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
2,
|
|
pwszCAConfig,
|
|
pCertType->awszDisplay[0]);
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
Next:
|
|
if(pwszCAConfig)
|
|
LocalFree(pwszCAConfig);
|
|
pwszCAConfig=NULL;
|
|
|
|
if(bstrConfig)
|
|
SysFreeString(bstrConfig);
|
|
bstrConfig=NULL;
|
|
|
|
if(bstrCert)
|
|
SysFreeString(bstrCert);
|
|
bstrCert=NULL;
|
|
|
|
if(blobCAName.pbData)
|
|
LocalFree(blobCAName.pbData);
|
|
memset(&blobCAName, 0, sizeof(blobCAName));
|
|
|
|
if(blobCALocation.pbData)
|
|
LocalFree(blobCALocation.pbData);
|
|
memset(&blobCALocation, 0, sizeof(blobCALocation));
|
|
|
|
if(blobName.pbData)
|
|
LocalFree(blobName.pbData);
|
|
memset(&blobName, 0, sizeof(blobName));
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
|
|
|
|
VariantInit(&varCMC);
|
|
|
|
dwIndex++;
|
|
}
|
|
|
|
//remove the requests based the hash
|
|
AERemovePendingRequest(pIEnroll4, dwCount, rgblobHash);
|
|
|
|
Ret:
|
|
|
|
AEFreePendingRequests(dwCount, rgblobHash);
|
|
|
|
if(pICertRequest)
|
|
pICertRequest->Release();
|
|
|
|
if(pIEnroll4)
|
|
pIEnroll4->Release();
|
|
|
|
if(fInit)
|
|
CoUninitialize();
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEIsLocalSystem
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
BOOL
|
|
AEIsLocalSystem(BOOL *pfIsLocalSystem)
|
|
{
|
|
HANDLE hToken = 0;
|
|
SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
|
|
BOOL fRet = FALSE;
|
|
BOOL fRevertToSelf = FALSE;
|
|
|
|
PSID psidLocalSystem = NULL;
|
|
|
|
*pfIsLocalSystem = FALSE;
|
|
|
|
if (!OpenThreadToken(
|
|
GetCurrentThread(),
|
|
TOKEN_QUERY,
|
|
TRUE,
|
|
&hToken))
|
|
{
|
|
if (ERROR_NO_TOKEN != GetLastError())
|
|
goto Ret;
|
|
|
|
//we need to impersonateself and get the thread token again
|
|
if(!ImpersonateSelf(SecurityImpersonation))
|
|
goto Ret;
|
|
|
|
fRevertToSelf = TRUE;
|
|
|
|
if (!OpenThreadToken(
|
|
GetCurrentThread(),
|
|
TOKEN_QUERY,
|
|
TRUE,
|
|
&hToken))
|
|
goto Ret;
|
|
}
|
|
|
|
//build the well known local system SID (s-1-5-18)
|
|
if (!AllocateAndInitializeSid(
|
|
&siaNtAuthority,
|
|
1,
|
|
SECURITY_LOCAL_SYSTEM_RID,
|
|
0, 0, 0, 0, 0, 0, 0,
|
|
&psidLocalSystem
|
|
))
|
|
goto Ret;
|
|
|
|
fRet = CheckTokenMembership(
|
|
hToken,
|
|
psidLocalSystem,
|
|
pfIsLocalSystem);
|
|
|
|
Ret:
|
|
|
|
if(fRevertToSelf)
|
|
RevertToSelf();
|
|
|
|
if(psidLocalSystem)
|
|
FreeSid(psidLocalSystem);
|
|
|
|
if (hToken)
|
|
CloseHandle(hToken);
|
|
|
|
return fRet;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEInSafeBoot
|
|
//
|
|
// copied from the service controller code
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AEInSafeBoot()
|
|
{
|
|
DWORD dwSafeBoot = 0;
|
|
DWORD cbSafeBoot = sizeof(dwSafeBoot);
|
|
DWORD dwType = 0;
|
|
|
|
HKEY hKeySafeBoot = NULL;
|
|
|
|
if(ERROR_SUCCESS == RegOpenKeyW(
|
|
HKEY_LOCAL_MACHINE,
|
|
L"system\\currentcontrolset\\control\\safeboot\\option",
|
|
&hKeySafeBoot))
|
|
{
|
|
// we did in fact boot under safeboot control
|
|
if(ERROR_SUCCESS != RegQueryValueExW(
|
|
hKeySafeBoot,
|
|
L"OptionValue",
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE)&dwSafeBoot,
|
|
&cbSafeBoot))
|
|
{
|
|
dwSafeBoot = 0;
|
|
}
|
|
|
|
if(hKeySafeBoot)
|
|
RegCloseKey(hKeySafeBoot);
|
|
}
|
|
|
|
return (0 != dwSafeBoot);
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEIsDomainMember
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL WINAPI AEIsDomainMember()
|
|
{
|
|
DWORD dwErr;
|
|
BOOL bIsDomainMember=FALSE;
|
|
|
|
// must be cleaned up
|
|
DSROLE_PRIMARY_DOMAIN_INFO_BASIC * pDomInfo=NULL;
|
|
|
|
dwErr=DsRoleGetPrimaryDomainInformation(NULL, DsRolePrimaryDomainInfoBasic, (BYTE **)&pDomInfo);
|
|
if (ERROR_SUCCESS==dwErr)
|
|
{
|
|
if (DsRole_RoleStandaloneWorkstation!=pDomInfo->MachineRole
|
|
&& DsRole_RoleStandaloneServer!=pDomInfo->MachineRole)
|
|
{
|
|
//no autoenrollment on NT4
|
|
if(NULL != (pDomInfo->DomainNameDns))
|
|
{
|
|
bIsDomainMember=TRUE;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (NULL!=pDomInfo)
|
|
{
|
|
DsRoleFreeMemory(pDomInfo);
|
|
}
|
|
|
|
return bIsDomainMember;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEGetPolicyFlag
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEGetPolicyFlag(BOOL fMachine, DWORD *pdwPolicy)
|
|
{
|
|
DWORD dwPolicy = 0;
|
|
DWORD cbPolicy = sizeof(dwPolicy);
|
|
DWORD dwType = 0;
|
|
|
|
HKEY hKey = NULL;
|
|
|
|
if(ERROR_SUCCESS == RegOpenKeyW(
|
|
fMachine ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
|
|
AUTO_ENROLLMENT_KEY,
|
|
&hKey))
|
|
{
|
|
if(ERROR_SUCCESS != RegQueryValueExW(
|
|
hKey,
|
|
AUTO_ENROLLMENT_POLICY,
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE)&dwPolicy,
|
|
&cbPolicy))
|
|
{
|
|
dwPolicy = 0;
|
|
}
|
|
else
|
|
{
|
|
if(REG_DWORD != dwType)
|
|
dwPolicy=0;
|
|
}
|
|
|
|
if(hKey)
|
|
RegCloseKey(hKey);
|
|
|
|
}
|
|
|
|
*pdwPolicy=dwPolicy;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AERetrieveLogLevel
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AERetrieveLogLevel(BOOL fMachine, DWORD *pdwLogLevel)
|
|
{
|
|
DWORD dwLogLevel = STATUS_SEVERITY_ERROR; //we default to highest logging level
|
|
DWORD cbLogLevel = sizeof(dwLogLevel);
|
|
DWORD dwType = 0;
|
|
|
|
HKEY hKey = NULL;
|
|
|
|
if(ERROR_SUCCESS == RegOpenKeyW(
|
|
fMachine ? HKEY_LOCAL_MACHINE : HKEY_CURRENT_USER,
|
|
AUTO_ENROLLMENT_EVENT_LEVEL_KEY,
|
|
&hKey))
|
|
{
|
|
if(ERROR_SUCCESS != RegQueryValueExW(
|
|
hKey,
|
|
AUTO_ENROLLMENT_EVENT_LEVEL,
|
|
NULL,
|
|
&dwType,
|
|
(LPBYTE)&dwLogLevel,
|
|
&cbLogLevel))
|
|
{
|
|
dwLogLevel = STATUS_SEVERITY_ERROR;
|
|
}
|
|
else
|
|
{
|
|
if(REG_DWORD != dwType)
|
|
dwLogLevel = STATUS_SEVERITY_ERROR;
|
|
}
|
|
|
|
if(hKey)
|
|
RegCloseKey(hKey);
|
|
|
|
}
|
|
|
|
*pdwLogLevel=dwLogLevel;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AERetrieveTemplateInfo
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AERetrieveTemplateInfo(PCCERT_CONTEXT pCertCurrent,
|
|
AE_TEMPLATE_INFO *pTemplateInfo)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
PCERT_EXTENSION pExt = NULL;
|
|
DWORD cbData=0;
|
|
|
|
CERT_NAME_VALUE *pbName = NULL;
|
|
CERT_TEMPLATE_EXT *pbTemplate = NULL;
|
|
|
|
if((NULL==pCertCurrent) || (NULL==pTemplateInfo))
|
|
goto Ret;
|
|
|
|
memset(pTemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
//try to find V2 template extension first
|
|
if(pExt = CertFindExtension(szOID_CERTIFICATE_TEMPLATE,
|
|
pCertCurrent->pCertInfo->cExtension,
|
|
pCertCurrent->pCertInfo->rgExtension))
|
|
{
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_CERTIFICATE_TEMPLATE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pbTemplate = (CERT_TEMPLATE_EXT *)LocalAlloc(LPTR, cbData);
|
|
|
|
if(NULL==pbTemplate)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_CERTIFICATE_TEMPLATE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pbTemplate,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
//copy the version
|
|
pTemplateInfo->dwVersion=pbTemplate->dwMajorVersion;
|
|
|
|
//copy the extension oid
|
|
if(NULL==pbTemplate->pszObjId)
|
|
goto Ret;
|
|
|
|
if(0 == (cbData = MultiByteToWideChar(CP_ACP,
|
|
0,
|
|
pbTemplate->pszObjId,
|
|
-1,
|
|
NULL,
|
|
0)))
|
|
goto Ret;
|
|
|
|
if(NULL==(pTemplateInfo->pwszOid=(LPWSTR)LocalAlloc(LPTR, cbData * sizeof(WCHAR))))
|
|
goto Ret;
|
|
|
|
if(0 == MultiByteToWideChar(CP_ACP,
|
|
0,
|
|
pbTemplate->pszObjId,
|
|
-1,
|
|
pTemplateInfo->pwszOid,
|
|
cbData))
|
|
goto Ret;
|
|
|
|
}
|
|
else
|
|
{
|
|
|
|
//try V1 template extension
|
|
if(NULL == (pExt = CertFindExtension(
|
|
szOID_ENROLL_CERTTYPE_EXTENSION,
|
|
pCertCurrent->pCertInfo->cExtension,
|
|
pCertCurrent->pCertInfo->rgExtension)))
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
X509_UNICODE_ANY_STRING,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pbName = (CERT_NAME_VALUE *)LocalAlloc(LPTR, cbData);
|
|
|
|
if(NULL==pbName)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
X509_UNICODE_ANY_STRING,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pbName,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
if(!AEAllocAndCopy((LPWSTR)(pbName->Value.pbData),
|
|
&(pTemplateInfo->pwszName)))
|
|
goto Ret;
|
|
}
|
|
|
|
|
|
fResult = TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pbTemplate)
|
|
LocalFree(pbTemplate);
|
|
|
|
if(pbName)
|
|
LocalFree(pbName);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEFreeTemplateInfo
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEFreeTemplateInfo(AE_TEMPLATE_INFO *pAETemplateInfo)
|
|
{
|
|
if(pAETemplateInfo->pwszName)
|
|
LocalFree(pAETemplateInfo->pwszName);
|
|
|
|
if(pAETemplateInfo->pwszOid)
|
|
LocalFree(pAETemplateInfo->pwszOid);
|
|
|
|
memset(pAETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEFindTemplateInRequestTree
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
AE_CERTTYPE_INFO *AEFindTemplateInRequestTree(AE_TEMPLATE_INFO *pTemplateInfo,
|
|
AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex = 0;
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo=NULL;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
|
|
if(NULL == (rgCertTypeInfo=pAE_General_Info->rgCertTypeInfo))
|
|
return NULL;
|
|
|
|
if( (NULL == pTemplateInfo->pwszName) && (NULL == pTemplateInfo->pwszOid))
|
|
return NULL;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(pTemplateInfo->pwszOid)
|
|
{
|
|
//we are guaranteed to have an OID if the schema is greater than or equal to 2
|
|
if(rgCertTypeInfo[dwIndex].dwSchemaVersion >= CERTTYPE_SCHEMA_VERSION_2)
|
|
{
|
|
if(0 == wcscmp(pTemplateInfo->pwszOid, (rgCertTypeInfo[dwIndex].awszOID)[0]))
|
|
{
|
|
pCertType = &(rgCertTypeInfo[dwIndex]);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//we are guaranteed to have a name
|
|
if(0 == wcscmp(pTemplateInfo->pwszName, (rgCertTypeInfo[dwIndex].awszName)[0]))
|
|
{
|
|
pCertType = &(rgCertTypeInfo[dwIndex]);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return pCertType;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEGetDNSNameFromCertificate
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEGetDNSNameFromCertificate(PCCERT_CONTEXT pCertContext,
|
|
LPWSTR *ppwszDnsName)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
PCERT_EXTENSION pExt=NULL;
|
|
DWORD cbData=0;
|
|
DWORD iAltName=0;
|
|
DWORD dwSize=0;
|
|
|
|
PCERT_ALT_NAME_INFO pAltName=NULL;
|
|
|
|
if((NULL==pCertContext) || (NULL==ppwszDnsName))
|
|
goto Ret;
|
|
|
|
*ppwszDnsName=NULL;
|
|
|
|
if(NULL == (pExt = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
|
|
pCertContext->pCertInfo->cExtension,
|
|
pCertContext->pCertInfo->rgExtension)))
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_SUBJECT_ALT_NAME2,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pAltName=(PCERT_ALT_NAME_INFO)LocalAlloc(LPTR, cbData);
|
|
if(NULL == pAltName)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_SUBJECT_ALT_NAME2,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pAltName,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
//compare the data in the certificate with what is returned from GetComputerNameEx
|
|
for(iAltName=0; iAltName < pAltName->cAltEntry; iAltName++)
|
|
{
|
|
if(CERT_ALT_NAME_DNS_NAME == ((pAltName->rgAltEntry)[iAltName].dwAltNameChoice))
|
|
{
|
|
if(pAltName->rgAltEntry[iAltName].pwszDNSName)
|
|
{
|
|
dwSize=wcslen(pAltName->rgAltEntry[iAltName].pwszDNSName);
|
|
|
|
if(0 == dwSize)
|
|
goto Ret;
|
|
|
|
*ppwszDnsName=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (dwSize + 1));
|
|
if(NULL == (*ppwszDnsName))
|
|
goto Ret;
|
|
|
|
wcscpy(*ppwszDnsName, pAltName->rgAltEntry[iAltName].pwszDNSName);
|
|
|
|
fResult=TRUE;
|
|
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
Ret:
|
|
|
|
if(pAltName)
|
|
LocalFree(pAltName);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEIsSameDNS
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEIsSameDNS(PCCERT_CONTEXT pFirstCert, PCCERT_CONTEXT pSecondCert)
|
|
{
|
|
BOOL fSame=FALSE;
|
|
|
|
LPWSTR pwszFirst=NULL;
|
|
LPWSTR pwszSecond=NULL;
|
|
|
|
AEGetDNSNameFromCertificate(pFirstCert, &pwszFirst);
|
|
|
|
AEGetDNSNameFromCertificate(pSecondCert, &pwszSecond);
|
|
|
|
if(NULL == pwszFirst)
|
|
{
|
|
if(NULL == pwszSecond)
|
|
{
|
|
fSame=TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if(NULL != pwszSecond)
|
|
{
|
|
if(0 == _wcsicmp(pwszFirst, pwszSecond))
|
|
{
|
|
fSame=TRUE;
|
|
}
|
|
}
|
|
}
|
|
|
|
if(pwszFirst)
|
|
LocalFree(pwszFirst);
|
|
|
|
if(pwszSecond)
|
|
LocalFree(pwszSecond);
|
|
|
|
return fSame;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEGetRetryProperty
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEGetRetryProperty(PCCERT_CONTEXT pCertContext,
|
|
AE_RETRY_INFO **ppAE_Retry_Info)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD cbData=0;
|
|
|
|
AE_RETRY_INFO *pRetry_Info=NULL;
|
|
|
|
if((NULL==pCertContext) || (NULL==ppAE_Retry_Info))
|
|
goto Ret;
|
|
|
|
*ppAE_Retry_Info=NULL;
|
|
|
|
if(!CertGetCertificateContextProperty(
|
|
pCertContext,
|
|
CERT_AUTO_ENROLL_RETRY_PROP_ID,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pRetry_Info=(AE_RETRY_INFO *)LocalAlloc(LPTR, cbData);
|
|
if(NULL == pRetry_Info)
|
|
goto Ret;
|
|
|
|
if(!CertGetCertificateContextProperty(
|
|
pCertContext,
|
|
CERT_AUTO_ENROLL_RETRY_PROP_ID,
|
|
pRetry_Info,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
//verify the integrity of the property on the certificate
|
|
if(cbData < sizeof(AE_RETRY_INFO))
|
|
goto Ret;
|
|
|
|
if((pRetry_Info->cbSize) < sizeof(AE_RETRY_INFO))
|
|
goto Ret;
|
|
|
|
*ppAE_Retry_Info=pRetry_Info;
|
|
pRetry_Info=NULL;
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pRetry_Info)
|
|
LocalFree(pRetry_Info);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEFasterRetrialSchedule
|
|
//
|
|
// Determine if the 1st certificate context has a faster retrial schedule
|
|
// than the second certifcate based on the CERT_AUTO_ENROLL_RETRY_PROP_ID property
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEFasterRetrialSchedule(PCCERT_CONTEXT pFirstContext,
|
|
PCCERT_CONTEXT pSecondContext)
|
|
{
|
|
BOOL fFaster=FALSE;
|
|
|
|
AE_RETRY_INFO *pFirst_Retry=NULL;
|
|
AE_RETRY_INFO *pSecond_Retry=NULL;
|
|
|
|
//if the property does not exist, it is always the immediate retrial
|
|
if(!AEGetRetryProperty(pFirstContext, &pFirst_Retry))
|
|
{
|
|
fFaster=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//if the property exists on the 1st certificate, but not on the
|
|
//second certificate, the second is always faster
|
|
if(!AEGetRetryProperty(pSecondContext, &pSecond_Retry))
|
|
{
|
|
fFaster=FALSE;
|
|
goto Ret;
|
|
}
|
|
|
|
//now both has the property
|
|
//if the second has exceeded the limit, the first is always faster
|
|
if(AE_RETRY_LIMIT < pSecond_Retry->dwRetry)
|
|
{
|
|
fFaster=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//the second has not exceeded the limit, while the first has exceeded the limit;
|
|
//the second is faster
|
|
if(AE_RETRY_LIMIT < pFirst_Retry->dwRetry)
|
|
{
|
|
fFaster=FALSE;
|
|
goto Ret;
|
|
}
|
|
|
|
//neither has exceeded the limit
|
|
if(pFirst_Retry->dwRetry <= pSecond_Retry->dwRetry)
|
|
{
|
|
fFaster=TRUE;
|
|
}
|
|
else
|
|
{
|
|
fFaster=FALSE;
|
|
}
|
|
|
|
Ret:
|
|
|
|
if(pFirst_Retry)
|
|
LocalFree(pFirst_Retry);
|
|
|
|
if(pSecond_Retry)
|
|
LocalFree(pSecond_Retry);
|
|
|
|
return fFaster;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEUpdateRetryProperty
|
|
//
|
|
// The newly aquired certificate has the same DNS name of the old
|
|
// certificate, and the DNS Name is not the same as the local machine.
|
|
//
|
|
// Update the CERT_AUTO_ENROLL_RETRY_PROP_ID property
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEUpdateRetryProperty(AE_GENERAL_INFO *pAE_General_Info,
|
|
LPWSTR pwszTemplateDisplay,
|
|
PCCERT_CONTEXT pNewContext,
|
|
PCCERT_CONTEXT pOldContext)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
ULARGE_INTEGER ftTime;
|
|
ULONG lSecond=0;
|
|
CRYPT_DATA_BLOB blobProp;
|
|
WCHAR wsz[SHA1_HASH_LENGTH];
|
|
|
|
AE_RETRY_INFO *pAE_Retry_Info=NULL;
|
|
|
|
if((NULL == pAE_General_Info) || (NULL == pNewContext) || (NULL == pOldContext))
|
|
goto Ret;
|
|
|
|
if(!AEGetRetryProperty(pOldContext, &pAE_Retry_Info))
|
|
{
|
|
//make up a default one
|
|
pAE_Retry_Info=(AE_RETRY_INFO *)LocalAlloc(LPTR, sizeof(AE_RETRY_INFO));
|
|
if(NULL == pAE_Retry_Info)
|
|
goto Ret;
|
|
|
|
memset(pAE_Retry_Info, 0, sizeof(AE_RETRY_INFO));
|
|
|
|
pAE_Retry_Info->cbSize=sizeof(AE_RETRY_INFO);
|
|
pAE_Retry_Info->dwRetry=0; //first attempt
|
|
}
|
|
|
|
|
|
//increment the count and set the next update date
|
|
if(pAE_Retry_Info->dwRetry <= AE_RETRY_LIMIT)
|
|
{
|
|
(pAE_Retry_Info->dwRetry)++;
|
|
|
|
//get the current time
|
|
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
|
|
|
|
// Convert 24 hours to seconds
|
|
lSecond=(pAE_Retry_Info->dwRetry)*24*60*60;
|
|
|
|
//lSecond=(pAE_Retry_Info->dwRetry)*2*60;
|
|
|
|
ftTime.QuadPart += UInt32x32To64(FILETIME_TICKS_PER_SECOND, lSecond);
|
|
(pAE_Retry_Info->dueTime).QuadPart = ftTime.QuadPart;
|
|
}
|
|
|
|
//copy the property on the certificate
|
|
memset(&blobProp, 0, sizeof(CRYPT_DATA_BLOB));
|
|
|
|
blobProp.cbData=sizeof(AE_RETRY_INFO);
|
|
blobProp.pbData=(BYTE *)pAE_Retry_Info;
|
|
|
|
if(!CertSetCertificateContextProperty(
|
|
pNewContext,
|
|
CERT_AUTO_ENROLL_RETRY_PROP_ID,
|
|
0,
|
|
&blobProp))
|
|
goto Ret;
|
|
|
|
//log the event
|
|
if(pAE_Retry_Info->dwRetry <= AE_RETRY_LIMIT)
|
|
{
|
|
|
|
_itow(((pAE_Retry_Info->dwRetry) * 24), wsz, 10);
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_MISMATCH_DNS_RETRY,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 2, pwszTemplateDisplay, wsz);
|
|
}
|
|
else
|
|
{
|
|
_itow(AE_RETRY_LIMIT, wsz, 10);
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_MISMATCH_DNS,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 2, pwszTemplateDisplay, wsz);
|
|
}
|
|
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pAE_Retry_Info)
|
|
LocalFree(pAE_Retry_Info);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEVerifyDNSName
|
|
//
|
|
// Verify the DNS name in the certificate match what is returned
|
|
// from GetComputerNameEx, either ComputerNameDnsFullyQualified or
|
|
// ComputerNameNetBIOS. For V2 template, perform the verification
|
|
// only when the template specify so.
|
|
//
|
|
// By default, we assume the DNS will match. The function will only
|
|
// signal an error if it successfully obtained DNS name from GetComputerNameEx
|
|
// and from the certificate and they do not match.
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEVerifyDNSName(AE_GENERAL_INFO *pAE_General_Info,
|
|
PCCERT_CONTEXT pCertCurrent)
|
|
{
|
|
BOOL fDNSMatch=TRUE;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
DWORD dwValue=0;
|
|
BOOL fDnsName=TRUE;
|
|
BOOL fNetBIOS=TRUE;
|
|
|
|
LPWSTR pwszDnsName=NULL;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
//find the template that the certificate belongs to
|
|
if(!AERetrieveTemplateInfo(pCertCurrent, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
|
|
|
|
if(NULL==pCertType)
|
|
goto Ret;
|
|
|
|
if(S_OK != CAGetCertTypeFlagsEx(
|
|
pCertType->hCertType,
|
|
CERTTYPE_SUBJECT_NAME_FLAG,
|
|
&dwValue))
|
|
goto Ret;
|
|
|
|
if((CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT & dwValue) ||
|
|
(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME & dwValue))
|
|
goto Ret;
|
|
|
|
//no need to verify non-template certificates or non-DNS specified template
|
|
if(AETemplateInfo.pwszOid)
|
|
{
|
|
if( 0 == (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS & dwValue))
|
|
goto Ret;
|
|
}
|
|
|
|
//get the DNS entry from the certificate
|
|
if(!AEGetDNSNameFromCertificate(pCertCurrent, &pwszDnsName))
|
|
{
|
|
fDNSMatch=FALSE;
|
|
goto Ret;
|
|
}
|
|
|
|
//compare the data in the certificate with what is returned from GetComputerNameEx
|
|
if(pAE_General_Info->pwszDns)
|
|
{
|
|
if(0 != _wcsicmp(pwszDnsName, pAE_General_Info->pwszDns))
|
|
{
|
|
fDnsName=FALSE;
|
|
}
|
|
}
|
|
|
|
if(pAE_General_Info->pwszNetBIOS)
|
|
{
|
|
if(0 != _wcsicmp(pwszDnsName, pAE_General_Info->pwszNetBIOS))
|
|
{
|
|
fNetBIOS=FALSE;
|
|
}
|
|
}
|
|
|
|
//either DNS or NetBIOS name should match
|
|
if((FALSE == fDnsName) && (FALSE == fNetBIOS))
|
|
{
|
|
fDNSMatch=FALSE;
|
|
}
|
|
|
|
|
|
Ret:
|
|
if(pwszDnsName)
|
|
LocalFree(pwszDnsName);
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fDNSMatch;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEVerifyDNSNameWithRetry
|
|
////
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEVerifyDNSNameWithRetry(AE_GENERAL_INFO *pAE_General_Info,
|
|
PCCERT_CONTEXT pCertCurrent)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
ULARGE_INTEGER ftTime;
|
|
|
|
AE_RETRY_INFO *pAE_Retry_Info=NULL;
|
|
|
|
//detect if DNS name in the certificate matches the local machine
|
|
//Success means no need to re-enroll
|
|
if(TRUE == AEVerifyDNSName(pAE_General_Info, pCertCurrent))
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//now that the DNS name does not match, check the CERT_AUTO_ENROLL_RETRY_PROP_ID
|
|
//property on the pCertCurrent to determine the correct action
|
|
|
|
//property does not exit. Allow for re-enrollment by marking a failure
|
|
if(!AEGetRetryProperty(pCertCurrent, &pAE_Retry_Info))
|
|
{
|
|
fResult=FALSE;
|
|
goto Ret;
|
|
}
|
|
|
|
//property exit
|
|
|
|
//the Maximum # of trial has reached. Disallow for re-enrollment by returning a success
|
|
if(AE_RETRY_LIMIT < pAE_Retry_Info->dwRetry)
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//get the current time
|
|
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
|
|
|
|
//the time limit has not reached. Disallow for re-enrollment by returning a success
|
|
if(ftTime.QuadPart < (pAE_Retry_Info->dueTime).QuadPart)
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//the rest should be re-enrolled by returning a failure
|
|
fResult=FALSE;
|
|
|
|
Ret:
|
|
|
|
if(pAE_Retry_Info)
|
|
LocalFree(pAE_Retry_Info);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEIsLogonDCCertificate
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEIsLogonDCCertificate(PCCERT_CONTEXT pCertContext)
|
|
{
|
|
BOOL fDCCert=FALSE;
|
|
PCERT_EXTENSION pExt = NULL;
|
|
DWORD cbData = 0;
|
|
DWORD dwIndex = 0;
|
|
BOOL fFound = FALSE;
|
|
|
|
CERT_ENHKEY_USAGE *pbKeyUsage=NULL;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
|
|
if(NULL==pCertContext)
|
|
return FALSE;
|
|
|
|
|
|
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
|
|
if(AETemplateInfo.pwszName)
|
|
{
|
|
//this is a V1 template. Search for the hard coded DC template name
|
|
if(0 == _wcsicmp(wszCERTTYPE_DC, AETemplateInfo.pwszName))
|
|
fDCCert=TRUE;
|
|
}
|
|
else
|
|
{
|
|
//this is a V2 template. Search for the smart card logon OID
|
|
if(NULL==(pExt=CertFindExtension(szOID_ENHANCED_KEY_USAGE,
|
|
pCertContext->pCertInfo->cExtension,
|
|
pCertContext->pCertInfo->rgExtension)))
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_ENHANCED_KEY_USAGE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pbKeyUsage=(CERT_ENHKEY_USAGE *)LocalAlloc(LPTR, cbData);
|
|
if(NULL==pbKeyUsage)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_ENHANCED_KEY_USAGE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pbKeyUsage,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
for(dwIndex=0; dwIndex < pbKeyUsage->cUsageIdentifier; dwIndex++)
|
|
{
|
|
if(0==_stricmp(szOID_KP_SMARTCARD_LOGON,(pbKeyUsage->rgpszUsageIdentifier)[dwIndex]))
|
|
{
|
|
fDCCert=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
Ret:
|
|
|
|
if(pbKeyUsage)
|
|
LocalFree(pbKeyUsage);
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fDCCert;
|
|
|
|
}
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEValidateCertificateInfo
|
|
//
|
|
// This function verifies if the certificate needs to be renewed or
|
|
// re-enrolled based on:
|
|
//
|
|
// 1. Presence of the private key
|
|
// 2. Chaining of the certificate
|
|
// 3. If the certificate is close to expiration
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEValidateCertificateInfo(AE_GENERAL_INFO *pAE_General_Info,
|
|
AE_CERTTYPE_INFO *pCertType,
|
|
BOOL fCheckForPrivateKey,
|
|
PCCERT_CONTEXT pCertCurrent,
|
|
AE_CERT_INFO *pAECertInfo)
|
|
{
|
|
BOOL fResult = TRUE;
|
|
DWORD cbData = 0;
|
|
CERT_CHAIN_PARA ChainParams;
|
|
CERT_CHAIN_POLICY_PARA ChainPolicy;
|
|
CERT_CHAIN_POLICY_STATUS PolicyStatus;
|
|
LARGE_INTEGER ftTime;
|
|
HRESULT hrChainStatus = S_OK;
|
|
LARGE_INTEGER ftHalfLife;
|
|
BOOL fReset=FALSE;
|
|
|
|
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
|
|
|
|
if((NULL==pCertCurrent) || (NULL==pAECertInfo) || (NULL==pAE_General_Info))
|
|
{
|
|
SetLastError(E_INVALIDARG);
|
|
fResult = FALSE;
|
|
goto Ret;
|
|
}
|
|
|
|
//assume the certificate is bad
|
|
pAECertInfo->fValid = FALSE;
|
|
pAECertInfo->fRenewal = FALSE;
|
|
|
|
//////////////////////////////////////////////////
|
|
//
|
|
//check for the private key information
|
|
//
|
|
//////////////////////////////////////////////////
|
|
if(fCheckForPrivateKey)
|
|
{
|
|
if(!CertGetCertificateContextProperty(
|
|
pCertCurrent,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
NULL,
|
|
&cbData))
|
|
{
|
|
fReset=TRUE;
|
|
goto Ret;
|
|
}
|
|
}
|
|
|
|
/////////////////////////////////////////////////////////
|
|
//
|
|
//check for chaining, revoke status and expiration of the certificate
|
|
//
|
|
/////////////////////////////////////////////////////////
|
|
|
|
memset(&ChainParams, 0, sizeof(ChainParams));
|
|
ChainParams.cbSize = sizeof(ChainParams);
|
|
ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
|
|
|
|
ChainParams.RequestedUsage.Usage.cUsageIdentifier = 0;
|
|
ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;
|
|
|
|
// Build a small time skew into the chain building in order to deal
|
|
// with servers that may skew slightly fast.
|
|
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
|
|
ftTime.QuadPart += Int32x32To64(FILETIME_TICKS_PER_SECOND, AE_DEFAULT_SKEW);
|
|
|
|
// Build a cert chain for the current status of the cert..
|
|
if(!CertGetCertificateChain(pAE_General_Info->fMachine?HCCE_LOCAL_MACHINE:HCCE_CURRENT_USER,
|
|
pCertCurrent,
|
|
(LPFILETIME)&ftTime,
|
|
NULL,
|
|
&ChainParams,
|
|
CERT_CHAIN_REVOCATION_CHECK_CHAIN,
|
|
NULL,
|
|
&pChainContext))
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"Could not build certificate chain (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
//validate the certificate chain
|
|
|
|
//special case for domain controller certificate.
|
|
//it should not have any revocation error, even for status unknown case
|
|
|
|
//check against the base policy
|
|
memset(&ChainPolicy, 0, sizeof(ChainPolicy));
|
|
ChainPolicy.cbSize = sizeof(ChainPolicy);
|
|
ChainPolicy.dwFlags = 0; // ignore nothing
|
|
ChainPolicy.pvExtraPolicyPara = NULL;
|
|
|
|
memset(&PolicyStatus, 0, sizeof(PolicyStatus));
|
|
PolicyStatus.cbSize = sizeof(PolicyStatus);
|
|
PolicyStatus.dwError = 0;
|
|
PolicyStatus.lChainIndex = -1;
|
|
PolicyStatus.lElementIndex = -1;
|
|
PolicyStatus.pvExtraPolicyStatus = NULL;
|
|
|
|
if(!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE,
|
|
pChainContext,
|
|
&ChainPolicy,
|
|
&PolicyStatus))
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"Base Chain Policy failed (%lx) - must get new cert\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
hrChainStatus = PolicyStatus.dwError;
|
|
|
|
if((S_OK == hrChainStatus) ||
|
|
(CRYPT_E_NO_REVOCATION_CHECK == hrChainStatus) ||
|
|
(CRYPT_E_REVOCATION_OFFLINE == hrChainStatus))
|
|
{
|
|
// The cert is still currently acceptable by trust standards, so we can renew it
|
|
pAECertInfo->fRenewal = TRUE;
|
|
}
|
|
else
|
|
{
|
|
fReset=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
if(pChainContext)
|
|
{
|
|
CertFreeCertificateChain(pChainContext);
|
|
pChainContext = NULL;
|
|
}
|
|
|
|
/////////////////////////////////////////////////////////
|
|
//
|
|
//check the DNS name in the machine certificate. It has
|
|
//to match with the computer's DNS name
|
|
//
|
|
/////////////////////////////////////////////////////////
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
if(!AEVerifyDNSNameWithRetry(pAE_General_Info, pCertCurrent))
|
|
{
|
|
pAECertInfo->fRenewal = FALSE;
|
|
goto Ret;
|
|
}
|
|
}
|
|
|
|
/////////////////////////////////////////////////////////
|
|
//
|
|
// Check if the certificate is close to expire
|
|
//
|
|
///////////////////////////////////////////////////////////////////////
|
|
if(NULL==pCertType)
|
|
goto Ret;
|
|
|
|
// Nudge the evaluation of the cert chain by the expiration
|
|
// offset so we know if is expired by that time in the future.
|
|
GetSystemTimeAsFileTime((LPFILETIME)&ftTime);
|
|
|
|
// Build the certificate chain for trust operations
|
|
memset(&ChainParams, 0, sizeof(ChainParams));
|
|
ChainParams.cbSize = sizeof(ChainParams);
|
|
ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
|
|
|
|
ChainParams.RequestedUsage.Usage.cUsageIdentifier = 0;
|
|
ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;
|
|
|
|
//get the 80% lifetime of the certificate
|
|
ftHalfLife.QuadPart = ((((LARGE_INTEGER UNALIGNED *)&(pCertCurrent->pCertInfo->NotAfter))->QuadPart -
|
|
((LARGE_INTEGER UNALIGNED *)&(pCertCurrent->pCertInfo->NotBefore))->QuadPart)/10) * 8;
|
|
|
|
//check if the old cert is time nesting invalid
|
|
if(ftHalfLife.QuadPart < 0)
|
|
goto Ret;
|
|
|
|
//check if the offset was specified in a relative value
|
|
if(pCertType->ftExpirationOffset.QuadPart < 0)
|
|
{
|
|
if(ftHalfLife.QuadPart > (- pCertType->ftExpirationOffset.QuadPart))
|
|
{
|
|
ftTime.QuadPart -= pCertType->ftExpirationOffset.QuadPart;
|
|
}
|
|
else
|
|
{
|
|
ftTime.QuadPart += ftHalfLife.QuadPart;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//the offset was specified in an absolute value
|
|
if(0 < pCertType->ftExpirationOffset.QuadPart)
|
|
ftTime = pCertType->ftExpirationOffset;
|
|
else
|
|
//use the half time mark if the offset is 0
|
|
ftTime.QuadPart += ftHalfLife.QuadPart;
|
|
}
|
|
|
|
//check the certificate chain at a future time
|
|
if(!CertGetCertificateChain(pAE_General_Info->fMachine?HCCE_LOCAL_MACHINE:HCCE_CURRENT_USER,
|
|
pCertCurrent,
|
|
(LPFILETIME)&ftTime,
|
|
NULL, //no additional store
|
|
&ChainParams,
|
|
0, //no revocation check
|
|
NULL, //Reserved
|
|
&pChainContext))
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"Could not build certificate chain (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
// Verify expiration of the certificate
|
|
memset(&ChainPolicy, 0, sizeof(ChainPolicy));
|
|
ChainPolicy.cbSize = sizeof(ChainPolicy);
|
|
ChainPolicy.dwFlags = 0; // ignore nothing
|
|
ChainPolicy.pvExtraPolicyPara = NULL;
|
|
|
|
memset(&PolicyStatus, 0, sizeof(PolicyStatus));
|
|
PolicyStatus.cbSize = sizeof(PolicyStatus);
|
|
PolicyStatus.dwError = 0;
|
|
PolicyStatus.lChainIndex = -1;
|
|
PolicyStatus.lElementIndex = -1;
|
|
PolicyStatus.pvExtraPolicyStatus = NULL;
|
|
|
|
if(!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE,
|
|
pChainContext,
|
|
&ChainPolicy,
|
|
&PolicyStatus))
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"Base Chain Policy failed (%lx) - must get new cert\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
hrChainStatus = PolicyStatus.dwError;
|
|
|
|
if((S_OK != hrChainStatus) &&
|
|
(CRYPT_E_NO_REVOCATION_CHECK != hrChainStatus) &&
|
|
(CRYPT_E_REVOCATION_OFFLINE != hrChainStatus))
|
|
{
|
|
// The cert is close to expire. we must re-renewal
|
|
goto Ret;
|
|
}
|
|
|
|
//the certificate is good
|
|
pAECertInfo->fValid = TRUE;
|
|
|
|
fResult = TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
if(TRUE == fReset)
|
|
{
|
|
//clear out the retry logic
|
|
CertSetCertificateContextProperty(
|
|
pCertCurrent,
|
|
CERT_AUTO_ENROLL_RETRY_PROP_ID,
|
|
0,
|
|
NULL);
|
|
}
|
|
|
|
}
|
|
|
|
|
|
if(pChainContext)
|
|
CertFreeCertificateChain(pChainContext);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AESameOID
|
|
//
|
|
// Check if the two OIDs are the same
|
|
//-----------------------------------------------------------------------
|
|
BOOL AESameOID(LPWSTR pwszOID, LPSTR pszOID)
|
|
{
|
|
DWORD cbChar=0;
|
|
BOOL fSame=FALSE;
|
|
|
|
LPSTR pszNewOID=NULL;
|
|
|
|
if((NULL==pwszOID) || (NULL==pszOID))
|
|
return FALSE;
|
|
|
|
cbChar= WideCharToMultiByte(
|
|
CP_ACP, // codepage
|
|
0, // dwFlags
|
|
pwszOID,
|
|
-1,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
NULL);
|
|
|
|
if(0 == cbChar)
|
|
goto Ret;
|
|
|
|
if(NULL==(pszNewOID=(LPSTR)LocalAlloc(LPTR, cbChar)))
|
|
goto Ret;
|
|
|
|
cbChar= WideCharToMultiByte(
|
|
CP_ACP, // codepage
|
|
0, // dwFlags
|
|
pwszOID,
|
|
-1,
|
|
pszNewOID,
|
|
cbChar,
|
|
NULL,
|
|
NULL);
|
|
|
|
if(0 == cbChar)
|
|
goto Ret;
|
|
|
|
|
|
if(0 == _stricmp(pszNewOID, pszOID))
|
|
fSame=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pszNewOID)
|
|
LocalFree(pszNewOID);
|
|
|
|
return fSame;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEValidRAPolicyWithProperty
|
|
//
|
|
// Check if the certificate matches the RA signature requirement
|
|
// of the certificate type
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEValidRAPolicyWithProperty(PCCERT_CONTEXT pCertContext,
|
|
LPWSTR *rgwszPolicy,
|
|
LPWSTR *rgwszAppPolicy)
|
|
{
|
|
PCERT_EXTENSION pExt = NULL;
|
|
DWORD cbData = 0;
|
|
DWORD dwIndex = 0;
|
|
DWORD dwFindIndex=0;
|
|
BOOL fFound = FALSE;
|
|
BOOL fValid = FALSE;
|
|
|
|
CERT_ENHKEY_USAGE *pbKeyUsage=NULL;
|
|
CERT_POLICIES_INFO *pbAppPolicy=NULL;
|
|
CERT_POLICIES_INFO *pbPolicy=NULL;
|
|
|
|
//find the EKUs
|
|
if(pExt=CertFindExtension(szOID_ENHANCED_KEY_USAGE,
|
|
pCertContext->pCertInfo->cExtension,
|
|
pCertContext->pCertInfo->rgExtension))
|
|
{
|
|
cbData=0;
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_ENHANCED_KEY_USAGE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pbKeyUsage=(CERT_ENHKEY_USAGE *)LocalAlloc(LPTR, cbData);
|
|
if(NULL==pbKeyUsage)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_ENHANCED_KEY_USAGE,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pbKeyUsage,
|
|
&cbData))
|
|
goto Ret;
|
|
}
|
|
|
|
//get the cert issurance policy
|
|
if(pExt=CertFindExtension(szOID_CERT_POLICIES,
|
|
pCertContext->pCertInfo->cExtension,
|
|
pCertContext->pCertInfo->rgExtension))
|
|
{
|
|
cbData=0;
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_CERT_POLICIES,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pbPolicy=(CERT_POLICIES_INFO *)LocalAlloc(LPTR, cbData);
|
|
if(NULL==pbPolicy)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_CERT_POLICIES,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pbPolicy,
|
|
&cbData))
|
|
goto Ret;
|
|
}
|
|
|
|
|
|
//get the cert application policy
|
|
if(pExt=CertFindExtension(szOID_APPLICATION_CERT_POLICIES,
|
|
pCertContext->pCertInfo->cExtension,
|
|
pCertContext->pCertInfo->rgExtension))
|
|
{
|
|
cbData=0;
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_CERT_POLICIES,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
NULL,
|
|
&cbData))
|
|
goto Ret;
|
|
|
|
pbAppPolicy=(CERT_POLICIES_INFO *)LocalAlloc(LPTR, cbData);
|
|
if(NULL==pbAppPolicy)
|
|
goto Ret;
|
|
|
|
if(!CryptDecodeObject(X509_ASN_ENCODING,
|
|
szOID_CERT_POLICIES,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
pbAppPolicy,
|
|
&cbData))
|
|
goto Ret;
|
|
}
|
|
|
|
|
|
if(rgwszPolicy)
|
|
{
|
|
if(rgwszPolicy[0])
|
|
{
|
|
if(NULL==pbPolicy)
|
|
goto Ret;
|
|
|
|
dwIndex=0;
|
|
while(rgwszPolicy[dwIndex])
|
|
{
|
|
fFound=FALSE;
|
|
|
|
for(dwFindIndex=0; dwFindIndex < pbPolicy->cPolicyInfo; dwFindIndex++)
|
|
{
|
|
if(AESameOID(rgwszPolicy[dwIndex], (pbPolicy->rgPolicyInfo)[dwFindIndex].pszPolicyIdentifier))
|
|
{
|
|
fFound=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if(FALSE == fFound)
|
|
goto Ret;
|
|
|
|
dwIndex++;
|
|
}
|
|
}
|
|
}
|
|
|
|
if(rgwszAppPolicy)
|
|
{
|
|
if(rgwszAppPolicy[0])
|
|
{
|
|
if((NULL==pbAppPolicy) && (NULL==pbKeyUsage))
|
|
goto Ret;
|
|
|
|
dwIndex=0;
|
|
while(rgwszAppPolicy[dwIndex])
|
|
{
|
|
fFound=FALSE;
|
|
|
|
if(pbAppPolicy)
|
|
{
|
|
for(dwFindIndex=0; dwFindIndex < pbAppPolicy->cPolicyInfo; dwFindIndex++)
|
|
{
|
|
if(AESameOID(rgwszAppPolicy[dwIndex], (pbAppPolicy->rgPolicyInfo)[dwFindIndex].pszPolicyIdentifier))
|
|
{
|
|
fFound=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if((FALSE == fFound) && (pbKeyUsage))
|
|
{
|
|
for(dwFindIndex=0; dwFindIndex < pbKeyUsage->cUsageIdentifier; dwFindIndex++)
|
|
{
|
|
if(AESameOID(rgwszAppPolicy[dwIndex],(pbKeyUsage->rgpszUsageIdentifier)[dwFindIndex]))
|
|
{
|
|
fFound=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if(FALSE == fFound)
|
|
goto Ret;
|
|
|
|
dwIndex++;
|
|
}
|
|
}
|
|
}
|
|
|
|
fValid=TRUE;
|
|
|
|
Ret:
|
|
if(pbKeyUsage)
|
|
LocalFree(pbKeyUsage);
|
|
|
|
if(pbPolicy)
|
|
LocalFree(pbPolicy);
|
|
|
|
if(pbAppPolicy)
|
|
LocalFree(pbAppPolicy);
|
|
|
|
return fValid;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEValidRAPolicy
|
|
//
|
|
// Check if the certificate matches the RA signature requirement
|
|
// of the certificate type
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEValidRAPolicy(PCCERT_CONTEXT pCertContext, AE_CERTTYPE_INFO *pCertType)
|
|
{
|
|
BOOL fValid=FALSE;
|
|
|
|
LPWSTR *rgwszPolicy=NULL;
|
|
LPWSTR *rgwszAppPolicy=NULL;
|
|
|
|
if((NULL==pCertType) || (NULL==pCertContext))
|
|
return FALSE;
|
|
|
|
//get the certificate type properties
|
|
CAGetCertTypePropertyEx(pCertType->hCertType,
|
|
CERTTYPE_PROP_RA_POLICY,
|
|
&rgwszPolicy);
|
|
|
|
|
|
CAGetCertTypePropertyEx(pCertType->hCertType,
|
|
CERTTYPE_PROP_RA_APPLICATION_POLICY,
|
|
&rgwszAppPolicy);
|
|
|
|
fValid = AEValidRAPolicyWithProperty(pCertContext, rgwszPolicy, rgwszAppPolicy);
|
|
|
|
|
|
if(rgwszPolicy)
|
|
CAFreeCertTypeProperty(pCertType->hCertType, rgwszPolicy);
|
|
|
|
if(rgwszAppPolicy)
|
|
CAFreeCertTypeProperty(pCertType->hCertType, rgwszAppPolicy);
|
|
|
|
return fValid;
|
|
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AESomeCSPSupported
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AESomeCSPSupported(HCERTTYPE hCertType)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD dwIndex=0;
|
|
DWORD dwCSPIndex=0;
|
|
DWORD dwProviderType=0;
|
|
DWORD cbSize=0;
|
|
|
|
LPWSTR *awszCSP=NULL;
|
|
LPWSTR pwszProviderName=NULL;
|
|
HCRYPTPROV hProv=NULL;
|
|
|
|
|
|
if(NULL==hCertType)
|
|
goto Ret;
|
|
|
|
//no CSPs means all CSPs are fine
|
|
if((S_OK != CAGetCertTypePropertyEx(
|
|
hCertType,
|
|
CERTTYPE_PROP_CSP_LIST,
|
|
&awszCSP)) || (NULL == awszCSP))
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//no CSP means all CSPs are fine
|
|
if(NULL == awszCSP[0])
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
for(dwIndex=0; NULL != awszCSP[dwIndex]; dwIndex++)
|
|
{
|
|
for (dwCSPIndex = 0;
|
|
CryptEnumProvidersW(dwCSPIndex, 0, 0, &dwProviderType, NULL, &cbSize);
|
|
dwCSPIndex++)
|
|
{
|
|
pwszProviderName = (LPWSTR)LocalAlloc(LPTR, cbSize);
|
|
|
|
if(NULL == pwszProviderName)
|
|
goto Ret;
|
|
|
|
//get the provider name and type
|
|
if(!CryptEnumProvidersW(dwCSPIndex,
|
|
0,
|
|
0,
|
|
&dwProviderType,
|
|
pwszProviderName,
|
|
&cbSize))
|
|
goto Ret;
|
|
|
|
if(0 == _wcsicmp(pwszProviderName, awszCSP[dwIndex]))
|
|
{
|
|
//find the CSP. See if it is present in the box
|
|
if(CryptAcquireContextW(
|
|
&hProv,
|
|
NULL,
|
|
awszCSP[dwIndex],
|
|
dwProviderType,
|
|
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
|
|
{
|
|
|
|
CryptReleaseContext(hProv, 0);
|
|
hProv=NULL;
|
|
|
|
fResult=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
|
|
//keep the CSP enumeration
|
|
if(pwszProviderName)
|
|
LocalFree(pwszProviderName);
|
|
|
|
pwszProviderName=NULL;
|
|
cbSize=0;
|
|
dwProviderType=0;
|
|
}
|
|
|
|
//detect if a valid CSP if found
|
|
if(TRUE == fResult)
|
|
{
|
|
break;
|
|
}
|
|
|
|
cbSize=0;
|
|
dwProviderType=0;
|
|
}
|
|
|
|
Ret:
|
|
if(pwszProviderName)
|
|
LocalFree(pwszProviderName);
|
|
|
|
if(hProv)
|
|
CryptReleaseContext(hProv, 0);
|
|
|
|
if(awszCSP)
|
|
CAFreeCertTypeProperty(hCertType, awszCSP);
|
|
|
|
return fResult;
|
|
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEFindCSPType
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEFindCSPType(LPWSTR pwszCSP, DWORD *pdwType)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD dwIndex=0;
|
|
DWORD dwProviderType=0;
|
|
DWORD cbSize=0;
|
|
|
|
LPWSTR pwszCSPName=NULL;
|
|
|
|
if((NULL==pwszCSP) || (NULL==pdwType))
|
|
goto Ret;
|
|
|
|
*pdwType=0;
|
|
|
|
//enum all the providers on the system
|
|
while(CryptEnumProviders(
|
|
dwIndex,
|
|
0,
|
|
0,
|
|
&dwProviderType,
|
|
NULL,
|
|
&cbSize))
|
|
{
|
|
|
|
pwszCSPName=(LPWSTR)LocalAlloc(LPTR, cbSize);
|
|
|
|
if(NULL==pwszCSPName)
|
|
goto Ret;
|
|
|
|
//get the CSP name and the type
|
|
if(!CryptEnumProviders(
|
|
dwIndex,
|
|
0,
|
|
0,
|
|
&dwProviderType,
|
|
pwszCSPName,
|
|
&cbSize))
|
|
goto Ret;
|
|
|
|
if(0 == _wcsicmp(pwszCSPName, pwszCSP))
|
|
{
|
|
//find the CSP
|
|
*pdwType=dwProviderType;
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
dwIndex++;
|
|
dwProviderType=0;
|
|
cbSize=0;
|
|
|
|
if(pwszCSPName)
|
|
{
|
|
LocalFree(pwszCSPName);
|
|
pwszCSPName=NULL;
|
|
}
|
|
}
|
|
|
|
Ret:
|
|
|
|
if(pwszCSPName)
|
|
LocalFree(pwszCSPName);
|
|
|
|
return fResult;
|
|
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AESmartcardOnlyTemplate
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AESmartcardOnlyTemplate(HCERTTYPE hCertType)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD dwIndex=0;
|
|
DWORD dwImpType=0;
|
|
DWORD cbData=0;
|
|
DWORD dwSCCount=0;
|
|
DWORD dwCSPType=0;
|
|
|
|
LPWSTR *awszCSP=NULL;
|
|
HCRYPTPROV hProv = NULL;
|
|
|
|
if(NULL==hCertType)
|
|
goto Ret;
|
|
|
|
if(S_OK != CAGetCertTypePropertyEx(
|
|
hCertType,
|
|
CERTTYPE_PROP_CSP_LIST,
|
|
&awszCSP))
|
|
goto Ret;
|
|
|
|
if(NULL==awszCSP)
|
|
goto Ret;
|
|
|
|
for(dwIndex=0; NULL != awszCSP[dwIndex]; dwIndex++)
|
|
{
|
|
dwImpType=0;
|
|
dwCSPType=0;
|
|
|
|
//find the CSP type based on the CSP name
|
|
if(AEFindCSPType(awszCSP[dwIndex], &dwCSPType))
|
|
{
|
|
if(CryptAcquireContextW(
|
|
&hProv,
|
|
NULL,
|
|
awszCSP[dwIndex],
|
|
dwCSPType,
|
|
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
|
|
{
|
|
|
|
cbData = sizeof(dwImpType);
|
|
|
|
if(CryptGetProvParam(hProv,
|
|
PP_IMPTYPE,
|
|
(BYTE *)(&dwImpType),
|
|
&cbData,
|
|
0))
|
|
{
|
|
if((CRYPT_IMPL_REMOVABLE & dwImpType) && (CRYPT_IMPL_MIXED & dwImpType))
|
|
dwSCCount++;
|
|
}
|
|
|
|
CryptReleaseContext(hProv, 0);
|
|
hProv=NULL;
|
|
}
|
|
else
|
|
{
|
|
//not supported CSP. Count it as part of the SmartCard CSP count since this
|
|
//CSP will not work when the smart card subsystem is not present
|
|
dwSCCount++;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//not supported CSP. Count it as part of the SmartCard CSP count since this
|
|
//CSP will not work when the smart card subsystem is not present
|
|
dwSCCount++;
|
|
}
|
|
}
|
|
|
|
//smart card CSP only if all CSPs are for smart card only
|
|
if((0 != dwIndex) && (dwIndex==dwSCCount))
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
if(hProv)
|
|
CryptReleaseContext(hProv, 0);
|
|
|
|
if(awszCSP)
|
|
CAFreeCertTypeProperty(hCertType, awszCSP);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEUserProtectionForTemplate
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEUserProtectionForTemplate(AE_GENERAL_INFO *pAE_General_Info, PCERT_CONTEXT pCertContext)
|
|
{
|
|
BOOL fUserProtection=FALSE;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
if((NULL == pAE_General_Info) || (NULL == pCertContext))
|
|
goto Ret;
|
|
|
|
//get the template information for the certificate
|
|
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
|
|
|
|
if(NULL==pCertType)
|
|
goto Ret;
|
|
|
|
if(CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED & (pCertType->dwPrivateKeyFlag))
|
|
fUserProtection=TRUE;
|
|
|
|
Ret:
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fUserProtection;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEUISetForTemplate
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEUISetForTemplate(AE_GENERAL_INFO *pAE_General_Info, PCERT_CONTEXT pCertContext)
|
|
{
|
|
BOOL fUI=FALSE;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
if((NULL == pAE_General_Info) || (NULL == pCertContext))
|
|
goto Ret;
|
|
|
|
//get the template information for the certificate
|
|
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
|
|
|
|
if(NULL==pCertType)
|
|
goto Ret;
|
|
|
|
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCertType->dwEnrollmentFlag))
|
|
fUI=TRUE;
|
|
|
|
Ret:
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fUI;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECanEnrollCertType
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECanEnrollCertType(HANDLE hToken, AE_CERTTYPE_INFO *pCertType, AE_GENERAL_INFO *pAE_General_Info, BOOL *pfUserProtection)
|
|
{
|
|
DWORD dwValue = 0;
|
|
PCCERT_CONTEXT pCertCurrent=NULL;
|
|
AE_CERT_INFO AECertInfo;
|
|
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
|
|
*pfUserProtection=FALSE;
|
|
|
|
//check enrollment ACL
|
|
if(S_OK != CACertTypeAccessCheckEx(
|
|
pCertType->hCertType,
|
|
hToken,
|
|
CERTTYPE_ACCESS_CHECK_ENROLL | CERTTYPE_ACCESS_CHECK_NO_MAPPING))
|
|
return FALSE;
|
|
|
|
|
|
//check the subject requirements
|
|
if(S_OK != CAGetCertTypeFlagsEx(
|
|
pCertType->hCertType,
|
|
CERTTYPE_SUBJECT_NAME_FLAG,
|
|
&dwValue))
|
|
return FALSE;
|
|
|
|
if((CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT & dwValue) ||
|
|
(CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME & dwValue))
|
|
return FALSE;
|
|
|
|
//check if we are doing smart card CSPs and there is no reader installed
|
|
if(FALSE == (pAE_General_Info->fSmartcardSystem))
|
|
{
|
|
if(AESmartcardOnlyTemplate(pCertType->hCertType))
|
|
return FALSE;
|
|
}
|
|
|
|
//check if all CSPs on the template is not supported
|
|
{
|
|
if(!AESomeCSPSupported(pCertType->hCertType))
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
//we might not get the RA property for V1 template
|
|
dwValue = 0;
|
|
|
|
//check the RA support
|
|
if(S_OK != CAGetCertTypePropertyEx(
|
|
pCertType->hCertType,
|
|
CERTTYPE_PROP_RA_SIGNATURE,
|
|
&dwValue))
|
|
return TRUE;
|
|
|
|
if(0==dwValue)
|
|
return TRUE;
|
|
|
|
//self-template RA
|
|
if((CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT & (pCertType->dwEnrollmentFlag)) &&
|
|
((pCertType->fRenewal) && (pCertType->pOldCert))
|
|
)
|
|
{
|
|
//the request has to be RAed
|
|
pCertType->fNeedRA=TRUE;
|
|
return TRUE;
|
|
}
|
|
|
|
//autoenrollment only deal with one RA signature.
|
|
//it is sufficient for autoenrollment RA scenarios
|
|
if(1!=dwValue)
|
|
return FALSE;
|
|
|
|
//the certificate template requires one and only one RA signature
|
|
|
|
//cross-template RA
|
|
//enumerate all certificate in store
|
|
while(pCertCurrent = CertEnumCertificatesInStore(pAE_General_Info->hMyStore, pCertCurrent))
|
|
{
|
|
//check if we need to enroll/renewal for the certificate
|
|
AEValidateCertificateInfo(pAE_General_Info,
|
|
NULL,
|
|
TRUE, //valid private key
|
|
pCertCurrent,
|
|
&AECertInfo);
|
|
|
|
//the certificate is good enough for RA signature purpose
|
|
if(AECertInfo.fRenewal)
|
|
{
|
|
if(AEValidRAPolicy(pCertCurrent, pCertType))
|
|
{
|
|
if(AEUserProtectionForTemplate(pAE_General_Info, (PCERT_CONTEXT)pCertCurrent))
|
|
{
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
*pfUserProtection=TRUE;
|
|
continue;
|
|
}
|
|
else
|
|
{
|
|
if(0==(CT_FLAG_USER_INTERACTION_REQUIRED & (pCertType->dwEnrollmentFlag)))
|
|
{
|
|
*pfUserProtection=TRUE;
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
|
|
pCertType->fRenewal=TRUE;
|
|
|
|
if(pCertType->pOldCert)
|
|
{
|
|
CertFreeCertificateContext(pCertType->pOldCert);
|
|
pCertType->pOldCert=NULL;
|
|
}
|
|
|
|
//we will free the certificate context later
|
|
pCertType->pOldCert=(PCERT_CONTEXT)pCertCurrent;
|
|
|
|
//we mark UI required if the RAing certificate template requires UI
|
|
if(AEUISetForTemplate(pAE_General_Info, pCertType->pOldCert))
|
|
pCertType->fUIActive=TRUE;
|
|
|
|
//we mark the requests has to be RAed.
|
|
pCertType->fNeedRA=TRUE;
|
|
|
|
//we mark that we are doing cross RAing.
|
|
pCertType->fCrossRA=TRUE;
|
|
|
|
*pfUserProtection=FALSE;
|
|
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
}
|
|
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEMarkAutoenrollment
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEMarkAutoenrollment(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex = 0;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(CT_FLAG_AUTO_ENROLLMENT & ((pAE_General_Info->rgCertTypeInfo)[dwIndex].dwEnrollmentFlag))
|
|
{
|
|
//check the autoenrollment ACL
|
|
if(S_OK != CACertTypeAccessCheckEx(
|
|
(pAE_General_Info->rgCertTypeInfo)[dwIndex].hCertType,
|
|
pAE_General_Info->hToken,
|
|
CERTTYPE_ACCESS_CHECK_AUTO_ENROLL | CERTTYPE_ACCESS_CHECK_NO_MAPPING))
|
|
continue;
|
|
|
|
|
|
//mark the template nees to be auto-enrolled
|
|
(pAE_General_Info->rgCertTypeInfo)[dwIndex].dwStatus=CERT_REQUEST_STATUS_ACTIVE;
|
|
(pAE_General_Info->rgCertTypeInfo)[dwIndex].fCheckMyStore=TRUE;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// IsACRSStoreEmpty
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL IsACRSStoreEmpty(BOOL fMachine)
|
|
{
|
|
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG;
|
|
LPSTR pszCTLUsageOID = NULL;
|
|
BOOL fEmpty = TRUE;
|
|
CERT_PHYSICAL_STORE_INFO PhysicalStoreInfo;
|
|
CTL_FIND_USAGE_PARA CTLFindUsage;
|
|
|
|
PCCTL_CONTEXT pCTLContext = NULL;
|
|
HCERTSTORE hStoreACRS=NULL;
|
|
|
|
memset(&PhysicalStoreInfo, 0, sizeof(PhysicalStoreInfo));
|
|
memset(&CTLFindUsage, 0, sizeof(CTLFindUsage));
|
|
|
|
|
|
// if the auto enrollment is for a user then we need to shut off inheritance
|
|
// from the local machine store so that we don't try and enroll for certs
|
|
// which are meant to be for the machine
|
|
if (FALSE == fMachine)
|
|
{
|
|
dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG;
|
|
|
|
PhysicalStoreInfo.cbSize = sizeof(PhysicalStoreInfo);
|
|
PhysicalStoreInfo.dwFlags = CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG;
|
|
|
|
if (!CertRegisterPhysicalStore(ACRS_STORE,
|
|
CERT_SYSTEM_STORE_CURRENT_USER,
|
|
CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME,
|
|
&PhysicalStoreInfo,
|
|
NULL))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Could not register ACRS store: (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
}
|
|
|
|
// open the ACRS store and fine the CTL based on the auto enrollment usage
|
|
if (NULL == (hStoreACRS = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
dwOpenStoreFlags,
|
|
ACRS_STORE)))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Could not open ACRS store: (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
//find the template name specified in the CTLContext
|
|
CTLFindUsage.cbSize = sizeof(CTLFindUsage);
|
|
CTLFindUsage.SubjectUsage.cUsageIdentifier = 1;
|
|
pszCTLUsageOID = szOID_AUTO_ENROLL_CTL_USAGE;
|
|
CTLFindUsage.SubjectUsage.rgpszUsageIdentifier = &pszCTLUsageOID;
|
|
|
|
while(pCTLContext = CertFindCTLInStore(hStoreACRS,
|
|
X509_ASN_ENCODING,
|
|
CTL_FIND_SAME_USAGE_FLAG,
|
|
CTL_FIND_USAGE,
|
|
&CTLFindUsage,
|
|
pCTLContext))
|
|
{
|
|
fEmpty=FALSE;
|
|
break;
|
|
}
|
|
|
|
|
|
Ret:
|
|
|
|
if(pCTLContext)
|
|
CertFreeCTLContext(pCTLContext);
|
|
|
|
if(hStoreACRS)
|
|
CertCloseStore(hStoreACRS, 0);
|
|
|
|
return fEmpty;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEMarkAEObject
|
|
//
|
|
// Mark the active status based on ACRS store
|
|
//
|
|
// INFORMATION:
|
|
// we do not honor the CA specified in the autoenrollment object anymore. All CAs
|
|
// in the enterprise should be treated equal; and once the CA is renewed, it certificate
|
|
// will be changed anyway.
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEMarkAEObject(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG;
|
|
PCCTL_CONTEXT pCTLContext = NULL;
|
|
LPSTR pszCTLUsageOID = NULL;
|
|
LPWSTR wszCertTypeName = NULL;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
CERT_PHYSICAL_STORE_INFO PhysicalStoreInfo;
|
|
CTL_FIND_USAGE_PARA CTLFindUsage;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
HCERTSTORE hStoreACRS=NULL;
|
|
|
|
memset(&PhysicalStoreInfo, 0, sizeof(PhysicalStoreInfo));
|
|
memset(&CTLFindUsage, 0, sizeof(CTLFindUsage));
|
|
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
|
|
|
|
|
|
// if the auto enrollment is for a user then we need to shut off inheritance
|
|
// from the local machine store so that we don't try and enroll for certs
|
|
// which are meant to be for the machine
|
|
if (FALSE == (pAE_General_Info->fMachine))
|
|
{
|
|
dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG;
|
|
|
|
PhysicalStoreInfo.cbSize = sizeof(PhysicalStoreInfo);
|
|
PhysicalStoreInfo.dwFlags = CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG;
|
|
|
|
if (!CertRegisterPhysicalStore(ACRS_STORE,
|
|
CERT_SYSTEM_STORE_CURRENT_USER,
|
|
CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME,
|
|
&PhysicalStoreInfo,
|
|
NULL))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Could not register ACRS store: (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
}
|
|
|
|
// open the ACRS store and fine the CTL based on the auto enrollment usage
|
|
if (NULL == (hStoreACRS = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
dwOpenStoreFlags,
|
|
ACRS_STORE)))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Could not open ACRS store: (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
//find the template name specified in the CTLContext
|
|
CTLFindUsage.cbSize = sizeof(CTLFindUsage);
|
|
CTLFindUsage.SubjectUsage.cUsageIdentifier = 1;
|
|
pszCTLUsageOID = szOID_AUTO_ENROLL_CTL_USAGE;
|
|
CTLFindUsage.SubjectUsage.rgpszUsageIdentifier = &pszCTLUsageOID;
|
|
|
|
while(pCTLContext = CertFindCTLInStore(hStoreACRS,
|
|
X509_ASN_ENCODING,
|
|
CTL_FIND_SAME_USAGE_FLAG,
|
|
CTL_FIND_USAGE,
|
|
&CTLFindUsage,
|
|
pCTLContext))
|
|
{
|
|
if(NULL== (pCTLContext->pCtlInfo->ListIdentifier.pbData))
|
|
continue;
|
|
|
|
wszCertTypeName = wcschr((LPWSTR)pCTLContext->pCtlInfo->ListIdentifier.pbData, L'|');
|
|
if(wszCertTypeName)
|
|
{
|
|
wszCertTypeName++;
|
|
}
|
|
else
|
|
{
|
|
wszCertTypeName = (LPWSTR)pCTLContext->pCtlInfo->ListIdentifier.pbData;
|
|
}
|
|
|
|
AETemplateInfo.pwszName = wszCertTypeName;
|
|
|
|
if(pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info))
|
|
{
|
|
if(0 == pCertType->dwStatus)
|
|
{
|
|
//mark the template needs to be auto-enrolled
|
|
pCertType->dwStatus=CERT_REQUEST_STATUS_ACTIVE;
|
|
pCertType->fCheckMyStore=TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//log that the template is invalid
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_INVALID_ACRS_OBJECT,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, wszCertTypeName);
|
|
}
|
|
|
|
}
|
|
|
|
|
|
Ret:
|
|
|
|
if(hStoreACRS)
|
|
CertCloseStore(hStoreACRS, 0);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEManageAndMarkMyStore
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEManageAndMarkMyStore(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
AE_CERT_INFO AECertInfo;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
BOOL fNeedToValidate=TRUE;
|
|
PCCERT_CONTEXT pCertCurrent = NULL;
|
|
DWORD cbData=0;
|
|
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
//enumerate all certificate in store
|
|
while(pCertCurrent = CertEnumCertificatesInStore(pAE_General_Info->hMyStore, pCertCurrent))
|
|
{
|
|
//only interested in certificate with template information
|
|
if(AERetrieveTemplateInfo(pCertCurrent, &AETemplateInfo))
|
|
{
|
|
if(pCertType=AEFindTemplateInRequestTree(
|
|
&AETemplateInfo, pAE_General_Info))
|
|
{
|
|
//if we are not supposed to check for my store, only search
|
|
//for template with ACTIVE status
|
|
if(0 == (AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT & (pAE_General_Info->dwPolicy)))
|
|
{
|
|
if(!(pCertType->fCheckMyStore))
|
|
goto Next;
|
|
}
|
|
|
|
//make sure the version of the certificate template is up to date
|
|
//we do not have version for V1 template
|
|
if(AETemplateInfo.pwszOid)
|
|
{
|
|
if(AETemplateInfo.dwVersion < pCertType->dwVersion)
|
|
{
|
|
AECertInfo.fValid=FALSE;
|
|
AECertInfo.fRenewal = FALSE;
|
|
|
|
//self-RA renewal
|
|
if(CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT & pCertType->dwEnrollmentFlag)
|
|
{
|
|
if(CertGetCertificateContextProperty(
|
|
pCertCurrent,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
NULL,
|
|
&cbData))
|
|
AECertInfo.fRenewal = TRUE;
|
|
}
|
|
|
|
fNeedToValidate=FALSE;
|
|
}
|
|
}
|
|
|
|
if(fNeedToValidate)
|
|
{
|
|
//check if we need to enroll/renewal for the certificate
|
|
AEValidateCertificateInfo(pAE_General_Info,
|
|
pCertType,
|
|
TRUE, //valid private key
|
|
pCertCurrent,
|
|
&AECertInfo);
|
|
}
|
|
|
|
if(AECertInfo.fValid)
|
|
{
|
|
//if the certificate is valid, mark as obtained. And copy the
|
|
//certificate to the obtained store. Keep the archive store.
|
|
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
|
|
|
|
CertAddCertificateContextToStore(
|
|
pCertType->hObtainedStore,
|
|
pCertCurrent,
|
|
CERT_STORE_ADD_ALWAYS,
|
|
NULL);
|
|
|
|
}
|
|
else
|
|
{
|
|
//the certificate is not valid
|
|
//mark the status to active if it is not obtained
|
|
if(CERT_REQUEST_STATUS_OBTAINED != pCertType->dwStatus)
|
|
{
|
|
pCertType->dwStatus = CERT_REQUEST_STATUS_ACTIVE;
|
|
|
|
if(AECertInfo.fRenewal)
|
|
{
|
|
//we only need to copy renewal information once
|
|
if(!pCertType->fRenewal)
|
|
{
|
|
pCertType->fRenewal=TRUE;
|
|
pCertType->pOldCert=(PCERT_CONTEXT)CertDuplicateCertificateContext(pCertCurrent);
|
|
}
|
|
}
|
|
}
|
|
|
|
//copy the certificate to the Archive certificate store
|
|
CertAddCertificateContextToStore(
|
|
pCertType->hArchiveStore,
|
|
pCertCurrent,
|
|
CERT_STORE_ADD_ALWAYS,
|
|
NULL);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//log that the template is invalid
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_INVALID_TEMPLATE_MY_STORE,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
1,
|
|
AETemplateInfo.pwszName ? AETemplateInfo.pwszName : AETemplateInfo.pwszOid);
|
|
|
|
}
|
|
}
|
|
|
|
Next:
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
fNeedToValidate=TRUE;
|
|
cbData=0;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEOpenUserDSStore
|
|
//
|
|
// INFORMATION: We could just open the "UserDS" store as if it is "My"
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
HCERTSTORE AEOpenUserDSStore(AE_GENERAL_INFO *pAE_General_Info, DWORD dwOpenFlag)
|
|
{
|
|
LPWSTR pwszPath=L"ldap:///%s?userCertificate?base?objectCategory=user";
|
|
DWORD dwSize=0;
|
|
WCHAR wszDN[MAX_DN_SIZE];
|
|
|
|
LPWSTR pwszDN=NULL;
|
|
LPWSTR pwszStore=NULL;
|
|
HCERTSTORE hStore=NULL;
|
|
|
|
dwSize=MAX_DN_SIZE;
|
|
|
|
if(!GetUserNameExW(NameFullyQualifiedDN, wszDN, &dwSize))
|
|
{
|
|
if(dwSize > MAX_DN_SIZE)
|
|
{
|
|
pwszDN=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSize);
|
|
|
|
if(NULL==pwszDN)
|
|
goto Ret;
|
|
|
|
if(!GetUserNameExW(NameFullyQualifiedDN, pwszDN, &dwSize))
|
|
goto Ret;
|
|
}
|
|
else
|
|
goto Ret;
|
|
}
|
|
|
|
pwszStore = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(pwszDN ? pwszDN : wszDN)+wcslen(pwszPath)+1));
|
|
if(pwszStore == NULL)
|
|
goto Ret;
|
|
|
|
wsprintf(pwszStore,
|
|
pwszPath,
|
|
pwszDN ? pwszDN : wszDN);
|
|
|
|
hStore = CertOpenStore(CERT_STORE_PROV_LDAP,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
dwOpenFlag | CERT_LDAP_STORE_SIGN_FLAG,
|
|
pwszStore);
|
|
|
|
Ret:
|
|
|
|
if(pwszStore)
|
|
LocalFree(pwszStore);
|
|
|
|
if(pwszDN)
|
|
LocalFree(pwszDN);
|
|
|
|
return hStore;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECheckUserDSStore
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECheckUserDSStore(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
PCCERT_CONTEXT pCertCurrent = NULL;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
BOOL fNeedToValidate=TRUE;
|
|
AE_CERT_INFO AECertInfo;
|
|
|
|
HCERTSTORE hUserDS = NULL;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
pCertType=pAE_General_Info->rgCertTypeInfo;
|
|
|
|
if(NULL==pCertType)
|
|
goto Ret;
|
|
|
|
if(NULL== (hUserDS = AEOpenUserDSStore(pAE_General_Info, CERT_STORE_READONLY_FLAG)))
|
|
goto Ret;
|
|
|
|
pCertType = NULL;
|
|
while(pCertCurrent = CertEnumCertificatesInStore(hUserDS, pCertCurrent))
|
|
{
|
|
//only interested in certificate with template information
|
|
if(AERetrieveTemplateInfo(pCertCurrent, &AETemplateInfo))
|
|
{
|
|
if(pCertType=AEFindTemplateInRequestTree(
|
|
&AETemplateInfo, pAE_General_Info))
|
|
{
|
|
//if we are not supposed to check for UserDS store, only search
|
|
//for template with ACTIVE status
|
|
if(0 == (AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT & (pAE_General_Info->dwPolicy)))
|
|
{
|
|
if(!(pCertType->fCheckMyStore))
|
|
goto Next;
|
|
}
|
|
|
|
//make sure the version of the certificate template is up to date
|
|
//we do not have version for V1 template
|
|
if(AETemplateInfo.pwszOid)
|
|
{
|
|
if(AETemplateInfo.dwVersion < pCertType->dwVersion)
|
|
{
|
|
AECertInfo.fValid=FALSE;
|
|
AECertInfo.fRenewal=FALSE;
|
|
fNeedToValidate=FALSE;
|
|
}
|
|
}
|
|
|
|
if(fNeedToValidate)
|
|
{
|
|
//check if we need to enroll/renewal for the certificate
|
|
AEValidateCertificateInfo(pAE_General_Info,
|
|
pCertType,
|
|
FALSE, //does not valid private key
|
|
pCertCurrent,
|
|
&AECertInfo);
|
|
}
|
|
|
|
//we only interested in any valid certificate
|
|
if(AECertInfo.fValid)
|
|
{
|
|
if((CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE & (pCertType->dwEnrollmentFlag)) &&
|
|
(CERT_REQUEST_STATUS_OBTAINED != pCertType->dwStatus))
|
|
{
|
|
//mark the status as obtained.
|
|
pCertType->dwStatus = CERT_REQUEST_STATUS_OBTAINED;
|
|
}
|
|
|
|
CertAddCertificateContextToStore(
|
|
pCertType->hObtainedStore,
|
|
pCertCurrent,
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
NULL);
|
|
|
|
}
|
|
else
|
|
{
|
|
//copy the certificate to the Archive certificate store
|
|
CertAddCertificateContextToStore(
|
|
pCertType->hArchiveStore,
|
|
pCertCurrent,
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
NULL);
|
|
}
|
|
}
|
|
}
|
|
|
|
Next:
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
fNeedToValidate=TRUE;
|
|
}
|
|
Ret:
|
|
|
|
if(hUserDS)
|
|
CertCloseStore(hUserDS, 0);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECheckPendingRequests
|
|
//
|
|
// If we have pending update-to-date certificate requests, no need
|
|
// to enroll/renew for duplicates.
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECheckPendingRequests(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex=0;
|
|
DWORD dwVersion=0;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
BOOL fValid=FALSE;
|
|
DWORD dwCount=0;
|
|
DWORD dwMax=PENDING_ALLOC_SIZE;
|
|
PFNPIEnroll4GetNoCOM pfnPIEnroll4GetNoCOM=NULL;
|
|
FILETIME ftTime;
|
|
LARGE_INTEGER ftRequestTime;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
IEnroll4 *pIEnroll4=NULL;
|
|
CRYPT_DATA_BLOB *rgblobHash=NULL;
|
|
CRYPT_DATA_BLOB blobName;
|
|
|
|
//init before any goto Ret
|
|
memset(&blobName, 0, sizeof(blobName));
|
|
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
|
|
|
|
if(NULL==pAE_General_Info->hXenroll)
|
|
goto Ret;
|
|
|
|
if(NULL==(pfnPIEnroll4GetNoCOM=(PFNPIEnroll4GetNoCOM)GetProcAddress(
|
|
pAE_General_Info->hXenroll,
|
|
"PIEnroll4GetNoCOM")))
|
|
goto Ret;
|
|
|
|
if(NULL==(pIEnroll4=pfnPIEnroll4GetNoCOM()))
|
|
goto Ret;
|
|
|
|
GetSystemTimeAsFileTime(&ftTime);
|
|
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_LOCAL_MACHINE))
|
|
goto Ret;
|
|
}
|
|
else
|
|
{
|
|
if(S_OK != pIEnroll4->put_RequestStoreFlags(CERT_SYSTEM_STORE_CURRENT_USER))
|
|
goto Ret;
|
|
}
|
|
|
|
//enumerate all the pending requests
|
|
|
|
rgblobHash=(CRYPT_DATA_BLOB *)LocalAlloc(LPTR, dwMax * sizeof(CRYPT_DATA_BLOB));
|
|
if(NULL==rgblobHash)
|
|
goto Ret;
|
|
|
|
memset(rgblobHash, 0, dwMax * sizeof(CRYPT_DATA_BLOB));
|
|
|
|
//initialize the enumerator
|
|
if(S_OK != pIEnroll4->enumPendingRequestWStr(XEPR_ENUM_FIRST, 0, NULL))
|
|
goto Ret;
|
|
|
|
while(AEGetPendingRequestProperty(
|
|
pIEnroll4,
|
|
dwIndex,
|
|
XEPR_DATE,
|
|
&ftRequestTime))
|
|
{
|
|
ftRequestTime.QuadPart += Int32x32To64(FILETIME_TICKS_PER_SECOND,
|
|
AE_PENDING_REQUEST_ACTIVE_PERIOD * 24 * 3600);
|
|
|
|
//remove the request if out of date
|
|
if(0 <= CompareFileTime(&ftTime, (LPFILETIME)&ftRequestTime))
|
|
{
|
|
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
|
|
}
|
|
else
|
|
{
|
|
//get the version and the template name of the request
|
|
if(AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V2TEMPLATEOID, &blobName))
|
|
{
|
|
//this is a V2 template
|
|
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_VERSION, &dwVersion))
|
|
goto Next;
|
|
|
|
AETemplateInfo.pwszOid=(LPWSTR)blobName.pbData;
|
|
|
|
}
|
|
else
|
|
{
|
|
if(!AEGetPendingRequestProperty(pIEnroll4, dwIndex, XEPR_V1TEMPLATENAME, &blobName))
|
|
goto Next;
|
|
|
|
AETemplateInfo.pwszName=(LPWSTR)blobName.pbData;
|
|
}
|
|
|
|
//find the template
|
|
if(NULL==(pCertType=AEFindTemplateInRequestTree(
|
|
&AETemplateInfo, pAE_General_Info)))
|
|
goto Next;
|
|
|
|
if(AETemplateInfo.pwszName)
|
|
fValid=TRUE;
|
|
else
|
|
{
|
|
if(dwVersion >= pCertType->dwVersion)
|
|
fValid=TRUE;
|
|
}
|
|
|
|
if(fValid)
|
|
{
|
|
//this is a valid pending request
|
|
if(CERT_REQUEST_STATUS_OBTAINED != pCertType->dwStatus)
|
|
pCertType->dwStatus=CERT_REQUEST_STATUS_PENDING;
|
|
}
|
|
else
|
|
{
|
|
if(CERT_REQUEST_STATUS_OBTAINED == pCertType->dwStatus)
|
|
AERetrieveRequestProperty(pIEnroll4, dwIndex, &dwCount, &dwMax, &rgblobHash);
|
|
}
|
|
}
|
|
|
|
Next:
|
|
|
|
if(blobName.pbData)
|
|
LocalFree(blobName.pbData);
|
|
memset(&blobName, 0, sizeof(blobName));
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AETemplateInfo));
|
|
|
|
fValid=FALSE;
|
|
dwVersion=0;
|
|
|
|
dwIndex++;
|
|
}
|
|
|
|
//remove the requests based the hash
|
|
if(dwCount)
|
|
{
|
|
AERemovePendingRequest(pIEnroll4, dwCount, rgblobHash);
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_PENDING_INVALID, pAE_General_Info->fMachine, pAE_General_Info->hToken, 0);
|
|
}
|
|
|
|
Ret:
|
|
|
|
AEFreePendingRequests(dwCount, rgblobHash);
|
|
|
|
if(blobName.pbData)
|
|
LocalFree(blobName.pbData);
|
|
|
|
if(pIEnroll4)
|
|
pIEnroll4->Release();
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECheckSupersedeRequest
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECheckSupersedeRequest(DWORD dwCurIndex,
|
|
AE_CERTTYPE_INFO *pCurCertType,
|
|
AE_CERTTYPE_INFO *pSupersedingCertType,
|
|
AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fFound=FALSE;
|
|
|
|
LPWSTR *awszSuperseding=NULL;
|
|
|
|
if(S_OK == CAGetCertTypePropertyEx(
|
|
pSupersedingCertType->hCertType,
|
|
CERTTYPE_PROP_SUPERSEDE,
|
|
&(awszSuperseding)))
|
|
{
|
|
if(awszSuperseding && awszSuperseding[0])
|
|
{
|
|
if(AEIfSupersede(pCurCertType->awszName[0], awszSuperseding, pAE_General_Info))
|
|
{
|
|
switch(pCurCertType->dwStatus)
|
|
{
|
|
case CERT_REQUEST_STATUS_ACTIVE:
|
|
case CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE:
|
|
//remove the active status if it is superseded by an obtained certificate
|
|
if(CERT_REQUEST_STATUS_OBTAINED != pSupersedingCertType->dwStatus)
|
|
{
|
|
pCurCertType->dwStatus = CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE;
|
|
pSupersedingCertType->prgActive[pSupersedingCertType->dwActive]=dwCurIndex;
|
|
(pSupersedingCertType->dwActive)++;
|
|
|
|
}
|
|
else
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
}
|
|
|
|
case CERT_REQUEST_STATUS_PENDING:
|
|
AECopyCertStore(pCurCertType->hArchiveStore,
|
|
pSupersedingCertType->hArchiveStore);
|
|
|
|
break;
|
|
|
|
case CERT_REQUEST_STATUS_OBTAINED:
|
|
|
|
AECopyCertStore(pCurCertType->hObtainedStore,
|
|
pSupersedingCertType->hArchiveStore);
|
|
|
|
break;
|
|
|
|
default:
|
|
AECopyCertStore(pCurCertType->hArchiveStore,
|
|
pSupersedingCertType->hArchiveStore);
|
|
|
|
break;
|
|
}
|
|
|
|
//we consider that we find a valid superseding template only if the status
|
|
//is obtained. If the status is anyting else, we need to keep searching since
|
|
//enrollment/renewal requests might not be granted
|
|
if(CERT_REQUEST_STATUS_OBTAINED == pSupersedingCertType->dwStatus)
|
|
fFound=TRUE;
|
|
}
|
|
|
|
//clear the visited flag in AE_General_Info
|
|
AEClearVistedFlag(pAE_General_Info);
|
|
}
|
|
|
|
//free the property
|
|
if(awszSuperseding)
|
|
CAFreeCertTypeProperty(
|
|
pSupersedingCertType->hCertType,
|
|
awszSuperseding);
|
|
|
|
awszSuperseding=NULL;
|
|
}
|
|
|
|
return fFound;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEIsCALonger
|
|
//
|
|
// For renewal, the CA's certificate has to live longer than the
|
|
// renewing certificate
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEIsCALonger(HCAINFO hCAInfo, PCERT_CONTEXT pOldCert)
|
|
{
|
|
BOOL fCALonger=TRUE;
|
|
|
|
PCCERT_CONTEXT pCACert=NULL;
|
|
|
|
//we assume the CA is good unless we found something wrong
|
|
if((NULL == hCAInfo) || (NULL == pOldCert))
|
|
goto Ret;
|
|
|
|
if(S_OK != CAGetCACertificate(hCAInfo, &pCACert))
|
|
goto Ret;
|
|
|
|
if(NULL == pCACert)
|
|
goto Ret;
|
|
|
|
//CA cert's NotAfter should be longer than the issued certificate' NotAfger
|
|
if(1 == CompareFileTime(&(pCACert->pCertInfo->NotAfter), &(pOldCert->pCertInfo->NotAfter)))
|
|
goto Ret;
|
|
|
|
fCALonger=FALSE;
|
|
|
|
Ret:
|
|
|
|
if(pCACert)
|
|
CertFreeCertificateContext(pCACert);
|
|
|
|
return fCALonger;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECanFindCAForCertType
|
|
//
|
|
// Check if there exists a CA that can issue the specified certificate
|
|
// template.
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECanFindCAForCertType(AE_GENERAL_INFO *pAE_General_Info, AE_CERTTYPE_INFO *pCertType)
|
|
{
|
|
DWORD dwIndex=0;
|
|
BOOL fFound=FALSE;
|
|
AE_CA_INFO *prgCAInfo=pAE_General_Info->rgCAInfo;
|
|
BOOL fRenewal=FALSE;
|
|
|
|
|
|
//detect if we are performing an enrollment or renewal
|
|
if((pCertType->fRenewal) && (pCertType->pOldCert))
|
|
{
|
|
if((pCertType->fNeedRA) && (pCertType->fCrossRA))
|
|
fRenewal=FALSE;
|
|
else
|
|
fRenewal=TRUE;
|
|
}
|
|
else
|
|
fRenewal=FALSE;
|
|
|
|
if(prgCAInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCA; dwIndex++)
|
|
{
|
|
//make sure the CA supports the specific template
|
|
if(AEIsAnElement((pCertType->awszName)[0],
|
|
(prgCAInfo[dwIndex]).awszCertificateTemplate))
|
|
{
|
|
if(FALSE == fRenewal)
|
|
{
|
|
fFound=TRUE;
|
|
break;
|
|
}
|
|
else
|
|
{
|
|
if(AEIsCALonger(prgCAInfo[dwIndex].hCAInfo, pCertType->pOldCert))
|
|
{
|
|
fFound=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return fFound;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEManageActiveTemplates
|
|
//
|
|
// We make sure that for all active templates, we can in deed enroll
|
|
// for it.
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEManageActiveTemplates(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex=0;
|
|
AE_CERTTYPE_INFO *pCertTypeInfo=pAE_General_Info->rgCertTypeInfo;
|
|
AE_CERTTYPE_INFO *pCurCertType=NULL;
|
|
BOOL fCanEnrollCertType=FALSE;
|
|
BOOL fUserProtection=FALSE;
|
|
DWORD dwEventID=0;
|
|
|
|
if(pCertTypeInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
pCurCertType = &(pCertTypeInfo[dwIndex]);
|
|
|
|
fCanEnrollCertType=FALSE;
|
|
fUserProtection=FALSE;
|
|
|
|
if(CERT_REQUEST_STATUS_PENDING == pCurCertType->dwStatus)
|
|
{
|
|
//check if UI is required
|
|
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCurCertType->dwEnrollmentFlag))
|
|
{
|
|
pCurCertType->fUIActive=TRUE;
|
|
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
|
|
//log that user does not have access right to the template
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_ACCESS_ACRS_OBJECT,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
|
|
}
|
|
}
|
|
|
|
continue;
|
|
}
|
|
|
|
|
|
if(CERT_REQUEST_STATUS_ACTIVE != pCurCertType->dwStatus)
|
|
continue;
|
|
|
|
//check for V1 smart card User or smart card logon certificate template
|
|
if((0 == _wcsicmp(wszCERTTYPE_SMARTCARD_USER, (pCurCertType->awszName)[0])) ||
|
|
(0 == _wcsicmp(wszCERTTYPE_USER_SMARTCARD_LOGON,(pCurCertType->awszName)[0]))
|
|
)
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
|
|
//log that user does not have access right to the template
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_V1_SCARD,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
|
|
|
|
continue;
|
|
}
|
|
|
|
//check if CRYPT_USER_PROTECTED is used for machine certificate template
|
|
if(CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED & pCurCertType->dwPrivateKeyFlag)
|
|
{
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
|
|
//log that machine template should not require user password
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_USER_PROTECTION_FOR_MACHINE,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
|
|
|
|
continue;
|
|
}
|
|
else
|
|
{
|
|
if(0 == (CT_FLAG_USER_INTERACTION_REQUIRED & (pCurCertType->dwEnrollmentFlag)))
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
|
|
//log that user interaction is not set
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_USER_INTERACTION,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
|
|
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
|
|
fCanEnrollCertType=AECanEnrollCertType(pAE_General_Info->hToken, pCurCertType, pAE_General_Info, &fUserProtection);
|
|
|
|
if((!fCanEnrollCertType) ||
|
|
(!AECanFindCAForCertType(pAE_General_Info, pCurCertType))
|
|
)
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
|
|
//log that user does not have access right to the template
|
|
if(FALSE == fUserProtection)
|
|
{
|
|
dwEventID=EVENT_NO_ACCESS_ACRS_OBJECT;
|
|
}
|
|
else
|
|
{
|
|
if(pAE_General_Info->fMachine)
|
|
dwEventID=EVENT_NO_USER_PROTECTION_FOR_MACHINE_RA;
|
|
else
|
|
dwEventID=EVENT_NO_USER_INTERACTION_RA;
|
|
}
|
|
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, dwEventID,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
|
|
}
|
|
else
|
|
{
|
|
//check if UI is required
|
|
if(CT_FLAG_USER_INTERACTION_REQUIRED & (pCurCertType->dwEnrollmentFlag))
|
|
{
|
|
pCurCertType->fUIActive=TRUE;
|
|
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
pCurCertType->dwStatus = 0;
|
|
|
|
//log that user does not have access right to the template
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_NO_ACCESS_ACRS_OBJECT,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 1, (pCurCertType->awszDisplay)[0]);
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEManageSupersedeRequests
|
|
// remove duplicated requests based on "Supersede" relationship
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEManageSupersedeRequests(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex=0;
|
|
DWORD dwSuperseding=0;
|
|
DWORD dwOrder=0;
|
|
AE_CERTTYPE_INFO *pCertTypeInfo=pAE_General_Info->rgCertTypeInfo;
|
|
AE_CERTTYPE_INFO *pCurCertType=NULL;
|
|
AE_CERTTYPE_INFO *pSupersedingCertType=NULL;
|
|
BOOL fFound=FALSE;
|
|
|
|
if(pCertTypeInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
pCurCertType = &(pCertTypeInfo[dwIndex]);
|
|
|
|
//we only consider templates with valid status
|
|
if((0 == pCurCertType->dwStatus) && (TRUE == AEIsEmptyStore(pCurCertType->hArchiveStore)))
|
|
continue;
|
|
|
|
fFound=FALSE;
|
|
|
|
for(dwOrder=0; dwOrder < g_dwSupersedeOrder; dwOrder++)
|
|
{
|
|
for(dwSuperseding=0; dwSuperseding < pAE_General_Info->dwCertType; dwSuperseding++)
|
|
{
|
|
//one can not be superseded by itself
|
|
if(dwIndex == dwSuperseding)
|
|
continue;
|
|
|
|
pSupersedingCertType = &(pCertTypeInfo[dwSuperseding]);
|
|
|
|
//we consider templates with obtained status first
|
|
if(g_rgdwSupersedeOrder[dwOrder] != pSupersedingCertType->dwStatus)
|
|
continue;
|
|
|
|
fFound = AECheckSupersedeRequest(dwIndex, pCurCertType, pSupersedingCertType, pAE_General_Info);
|
|
|
|
//we find a valid superseding template
|
|
if(fFound)
|
|
break;
|
|
}
|
|
|
|
//we find a valid superseding template
|
|
if(fFound)
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEDoOneEnrollment
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
/*BOOL AEDoOneEnrollment(HWND hwndParent,
|
|
BOOL fUIProcess,
|
|
BOOL fMachine,
|
|
LPWSTR pwszMachineName,
|
|
AE_CERTTYPE_INFO *pCertType,
|
|
AE_CA_INFO *pCAInfo,
|
|
DWORD *pdwStatus)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
CRYPTUI_WIZ_CERT_REQUEST_INFO CertRequestInfo;
|
|
CRYPTUI_WIZ_CERT_TYPE CertWizType;
|
|
CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW CertPvkNew;
|
|
CRYPT_KEY_PROV_INFO KeyProvInfo;
|
|
|
|
memset(&CertRequestInfo, 0, sizeof(CRYPTUI_WIZ_CERT_REQUEST_INFO));
|
|
memset(&CertWizType, 0, sizeof(CRYPTUI_WIZ_CERT_TYPE));
|
|
memset(&CertPvkNew, 0, sizeof(CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW));
|
|
memset(&KeyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
|
|
|
|
CertRequestInfo.dwSize = sizeof(CRYPTUI_WIZ_CERT_REQUEST_INFO);
|
|
|
|
//enroll or renewal
|
|
if((pCertType->fRenewal) && (pCertType->pOldCert))
|
|
{
|
|
CertRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_RENEW;
|
|
CertRequestInfo.pRenewCertContext = pCertType->pOldCert;
|
|
}
|
|
else
|
|
CertRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_ENROLL;
|
|
|
|
//machine name
|
|
if(fMachine)
|
|
{
|
|
CertRequestInfo.pwszMachineName = pwszMachineName;
|
|
}
|
|
|
|
//private key information
|
|
CertRequestInfo.dwPvkChoice = CRYPTUI_WIZ_CERT_REQUEST_PVK_CHOICE_NEW;
|
|
CertRequestInfo.pPvkNew = &CertPvkNew;
|
|
|
|
CertPvkNew.dwSize = sizeof(CertPvkNew);
|
|
CertPvkNew.pKeyProvInfo = &KeyProvInfo;
|
|
CertPvkNew.dwGenKeyFlags = 0; //no need to specify the exportable flags
|
|
|
|
//SILENT is always set for machine
|
|
if(fMachine)
|
|
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET | CRYPT_SILENT;
|
|
else
|
|
{
|
|
if(fUIProcess)
|
|
KeyProvInfo.dwFlags = 0;
|
|
else
|
|
KeyProvInfo.dwFlags = CRYPT_SILENT;
|
|
}
|
|
|
|
//CA information
|
|
CertRequestInfo.pwszCALocation = pCAInfo->awszCADNS[0];
|
|
CertRequestInfo.pwszCAName = pCAInfo->awszCAName[0];
|
|
|
|
//enroll for the template
|
|
CertRequestInfo.dwCertChoice = CRYPTUI_WIZ_CERT_REQUEST_CERT_TYPE;
|
|
CertRequestInfo.pCertType = &CertWizType;
|
|
|
|
CertWizType.dwSize = sizeof(CertWizType);
|
|
CertWizType.cCertType = 1;
|
|
CertWizType.rgwszCertType = &(pCertType->awszName[0]);
|
|
|
|
//ISSUE: we need to call Duncanb's new no-DS look up API
|
|
//for faster performance
|
|
fResult = CryptUIWizCertRequest(CRYPTUI_WIZ_NO_UI_EXCEPT_CSP | CRYPTUI_WIZ_NO_INSTALL_ROOT,
|
|
hwndParent,
|
|
NULL,
|
|
&CertRequestInfo,
|
|
NULL, //pCertContext
|
|
pdwStatus);
|
|
return fResult;
|
|
} */
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECreateEnrollmentRequest
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECreateEnrollmentRequest(
|
|
HWND hwndParent,
|
|
BOOL fUIProcess,
|
|
BOOL fMachine,
|
|
LPWSTR pwszMachineName,
|
|
AE_CERTTYPE_INFO *pCertType,
|
|
AE_CA_INFO *pCAInfo,
|
|
HANDLE *phRequest,
|
|
DWORD *pdwLastError)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
CRYPTUI_WIZ_CREATE_CERT_REQUEST_INFO CreateRequestInfo;
|
|
CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW CertPvkNew;
|
|
CRYPT_KEY_PROV_INFO KeyProvInfo;
|
|
DWORD dwFlags=CRYPTUI_WIZ_NO_UI_EXCEPT_CSP |
|
|
CRYPTUI_WIZ_NO_INSTALL_ROOT |
|
|
CRYPTUI_WIZ_ALLOW_ALL_TEMPLATES |
|
|
CRYPTUI_WIZ_ALLOW_ALL_CAS;
|
|
DWORD dwSize=0;
|
|
DWORD dwAcquireFlags=0;
|
|
BOOL fResetProv=FALSE;
|
|
|
|
CRYPT_KEY_PROV_INFO *pKeyProvInfo=NULL;
|
|
HANDLE hRequest=NULL;
|
|
|
|
memset(&CreateRequestInfo, 0, sizeof(CRYPTUI_WIZ_CREATE_CERT_REQUEST_INFO));
|
|
memset(&CertPvkNew, 0, sizeof(CRYPTUI_WIZ_CERT_REQUEST_PVK_NEW));
|
|
memset(&KeyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
|
|
|
|
CreateRequestInfo.dwSize = sizeof(CreateRequestInfo);
|
|
|
|
|
|
//enroll or renewal
|
|
if((pCertType->fRenewal) && (pCertType->pOldCert))
|
|
{
|
|
CreateRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_RENEW;
|
|
CreateRequestInfo.pRenewCertContext = pCertType->pOldCert;
|
|
|
|
//we should not archive renewal certificate for cross template RA
|
|
if((pCertType->fNeedRA) && (pCertType->fCrossRA))
|
|
dwFlags |= CRYPTUI_WIZ_NO_ARCHIVE_RENEW_CERT;
|
|
|
|
//we should disalbe UI for machine or non-UI enrollment renew/RA certificate
|
|
if((TRUE == fMachine) || (FALSE == fUIProcess))
|
|
{
|
|
dwSize=0;
|
|
if(!CertGetCertificateContextProperty(pCertType->pOldCert,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
NULL,
|
|
&dwSize))
|
|
goto error;
|
|
|
|
pKeyProvInfo=(CRYPT_KEY_PROV_INFO *)LocalAlloc(LPTR, dwSize);
|
|
|
|
if(NULL == pKeyProvInfo)
|
|
goto error;
|
|
|
|
if(!CertGetCertificateContextProperty(pCertType->pOldCert,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
pKeyProvInfo,
|
|
&dwSize))
|
|
goto error;
|
|
|
|
dwAcquireFlags=pKeyProvInfo->dwFlags;
|
|
|
|
pKeyProvInfo->dwFlags |= CRYPT_SILENT;
|
|
|
|
//set the property
|
|
if(!CertSetCertificateContextProperty(pCertType->pOldCert,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG,
|
|
pKeyProvInfo))
|
|
goto error;
|
|
|
|
fResetProv=TRUE;
|
|
}
|
|
}
|
|
else
|
|
CreateRequestInfo.dwPurpose = CRYPTUI_WIZ_CERT_ENROLL;
|
|
|
|
//cert template information
|
|
CreateRequestInfo.hCertType = pCertType->hCertType;
|
|
|
|
//machine name
|
|
if(fMachine)
|
|
{
|
|
CreateRequestInfo.fMachineContext = TRUE;
|
|
}
|
|
|
|
//private key information
|
|
CreateRequestInfo.dwPvkChoice = CRYPTUI_WIZ_CERT_REQUEST_PVK_CHOICE_NEW;
|
|
CreateRequestInfo.pPvkNew = &CertPvkNew;
|
|
|
|
CertPvkNew.dwSize = sizeof(CertPvkNew);
|
|
CertPvkNew.pKeyProvInfo = &KeyProvInfo;
|
|
CertPvkNew.dwGenKeyFlags = 0; //no need to specify the exportable flags
|
|
|
|
//SILENT is always set for machine
|
|
if(fMachine)
|
|
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET | CRYPT_SILENT;
|
|
else
|
|
{
|
|
if(fUIProcess)
|
|
KeyProvInfo.dwFlags = 0;
|
|
else
|
|
KeyProvInfo.dwFlags = CRYPT_SILENT;
|
|
}
|
|
|
|
|
|
//CA information
|
|
CreateRequestInfo.pwszCALocation = pCAInfo->awszCADNS[0];
|
|
CreateRequestInfo.pwszCAName = pCAInfo->awszCAName[0];
|
|
|
|
if(!CryptUIWizCreateCertRequestNoDS(
|
|
dwFlags,
|
|
hwndParent,
|
|
&CreateRequestInfo,
|
|
&hRequest))
|
|
goto error;
|
|
|
|
|
|
if(NULL==hRequest)
|
|
goto error;
|
|
|
|
*phRequest=hRequest;
|
|
|
|
hRequest=NULL;
|
|
|
|
|
|
fResult = TRUE;
|
|
|
|
error:
|
|
|
|
//get the last error
|
|
if(FALSE == fResult)
|
|
{
|
|
*pdwLastError=GetLastError();
|
|
}
|
|
|
|
//reset the property
|
|
if(TRUE == fResetProv)
|
|
{
|
|
if((pKeyProvInfo) && (pCertType->pOldCert))
|
|
{
|
|
pKeyProvInfo->dwFlags = dwAcquireFlags;
|
|
|
|
//set the property
|
|
CertSetCertificateContextProperty(pCertType->pOldCert,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG,
|
|
pKeyProvInfo);
|
|
}
|
|
}
|
|
|
|
if(pKeyProvInfo)
|
|
LocalFree(pKeyProvInfo);
|
|
|
|
if(hRequest)
|
|
CryptUIWizFreeCertRequestNoDS(hRequest);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AECancelled
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AECancelled(HANDLE hCancelEvent)
|
|
{
|
|
if(NULL==hCancelEvent)
|
|
return FALSE;
|
|
|
|
//test if the event is signalled
|
|
if(WAIT_OBJECT_0 == WaitForSingleObject(hCancelEvent, 0))
|
|
return TRUE;
|
|
|
|
return FALSE;
|
|
}
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEDoEnrollment
|
|
//
|
|
// return TRUE is no need to do another renewal.
|
|
// *pdwStatus contain the real enrollment status.
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEDoEnrollment(HWND hwndParent,
|
|
HANDLE hCancelEvent,
|
|
BOOL fUIProcess,
|
|
DWORD dwLogLevel,
|
|
HANDLE hToken,
|
|
BOOL fMachine,
|
|
LPWSTR pwszMachineName,
|
|
AE_CERTTYPE_INFO *pCertType,
|
|
DWORD dwCA,
|
|
AE_CA_INFO *rgCAInfo,
|
|
DWORD *pdwStatus)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
DWORD dwIndex = 0;
|
|
DWORD dwCAIndex = 0;
|
|
BOOL fRenewal = FALSE;
|
|
DWORD dwEventID = 0;
|
|
BOOL fFoundCA = FALSE;
|
|
DWORD idsSummary = 0; //keep the last failure case
|
|
DWORD dwLastError = 0;
|
|
|
|
CRYPTUI_WIZ_QUERY_CERT_REQUEST_INFO QueryCertRequestInfo;
|
|
|
|
HANDLE hRequest=NULL;
|
|
PCCERT_CONTEXT pCertContext=NULL;
|
|
|
|
|
|
//init the out parameter
|
|
*pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_ERROR;
|
|
|
|
//detect if we are performing an enrollment or renewal
|
|
if((pCertType->fRenewal) && (pCertType->pOldCert))
|
|
{
|
|
if((pCertType->fNeedRA) && (pCertType->fCrossRA))
|
|
fRenewal=FALSE;
|
|
else
|
|
fRenewal=TRUE;
|
|
}
|
|
else
|
|
fRenewal=FALSE;
|
|
|
|
|
|
//loop through all the CAs
|
|
for(dwIndex =0; dwIndex < dwCA; dwIndex++)
|
|
{
|
|
dwCAIndex = (dwIndex + pCertType->dwRandomCAIndex) % dwCA;
|
|
|
|
if(AECancelled(hCancelEvent))
|
|
{
|
|
//no need to renew any more
|
|
fResult=TRUE;
|
|
|
|
//log that autoenrollment is cancelled
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_AUTOENROLL_CANCELLED,
|
|
fMachine,
|
|
hToken,
|
|
0);
|
|
|
|
break;
|
|
}
|
|
|
|
//make sure the CA supports the specific template
|
|
if(!AEIsAnElement((pCertType->awszName)[0],
|
|
rgCAInfo[dwCAIndex].awszCertificateTemplate))
|
|
continue;
|
|
|
|
//make sure the CA's validity period of more than the renewing certificate
|
|
if(TRUE == fRenewal)
|
|
{
|
|
if(!AEIsCALonger(rgCAInfo[dwCAIndex].hCAInfo, pCertType->pOldCert))
|
|
continue;
|
|
}
|
|
|
|
//enroll to the CA
|
|
*pdwStatus = CRYPTUI_WIZ_CERT_REQUEST_STATUS_REQUEST_ERROR;
|
|
fFoundCA = TRUE;
|
|
|
|
//create a certificate request
|
|
if(NULL==hRequest)
|
|
{
|
|
if(!AECreateEnrollmentRequest(hwndParent, fUIProcess, fMachine, pwszMachineName, pCertType, &(rgCAInfo[dwCAIndex]), &hRequest, &dwLastError))
|
|
{
|
|
//check if user cancelled the enrollment. If so, no
|
|
//need to try another CA.
|
|
if((HRESULT_FROM_WIN32(ERROR_CANCELLED) == dwLastError) ||
|
|
(SCARD_W_CANCELLED_BY_USER == dwLastError))
|
|
{
|
|
//no need to renewal anymore
|
|
fResult = TRUE;
|
|
|
|
//log that autoenrollment is cancelled
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_AUTOENROLL_CANCELLED_TEMPLATE,
|
|
fMachine,
|
|
hToken,
|
|
1,
|
|
pCertType->awszDisplay[0]);
|
|
|
|
break;
|
|
|
|
}
|
|
else
|
|
{
|
|
idsSummary=IDS_SUMMARY_REQUEST;
|
|
|
|
if(CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL & pCertType->dwPrivateKeyFlag)
|
|
{
|
|
//we have a chance of success with another CA
|
|
if(hRequest)
|
|
{
|
|
CryptUIWizFreeCertRequestNoDS(hRequest);
|
|
hRequest=NULL;
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
|
else
|
|
{
|
|
//we have no hope to create a request successfully
|
|
//mark dwIndex to the dwCA so that we will log an event at the end of the loop
|
|
dwIndex=dwCA;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//check the cancel again because significant time can pass during
|
|
//request creation
|
|
if(AECancelled(hCancelEvent))
|
|
{
|
|
//no need to renew any more
|
|
fResult=TRUE;
|
|
|
|
//log that autoenrollment is cancelled
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_AUTOENROLL_CANCELLED,
|
|
fMachine,
|
|
hToken,
|
|
0);
|
|
|
|
break;
|
|
}
|
|
|
|
if(CryptUIWizSubmitCertRequestNoDS(
|
|
hRequest,
|
|
hwndParent,
|
|
rgCAInfo[dwCAIndex].awszCAName[0],
|
|
rgCAInfo[dwCAIndex].awszCADNS[0],
|
|
pdwStatus,
|
|
&pCertContext))
|
|
{
|
|
//no need to try another CA if the request is successful or pending
|
|
if((CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == (*pdwStatus)) ||
|
|
(CRYPTUI_WIZ_CERT_REQUEST_STATUS_UNDER_SUBMISSION == (*pdwStatus))
|
|
)
|
|
{
|
|
//no need to renewal anymore
|
|
fResult = TRUE;
|
|
|
|
if(CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == (*pdwStatus))
|
|
{
|
|
//we copy the certificate to publishing
|
|
if(pCertContext)
|
|
{
|
|
CertAddCertificateContextToStore(pCertType->hIssuedStore,
|
|
pCertContext,
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
NULL);
|
|
|
|
CertFreeCertificateContext(pCertContext);
|
|
pCertContext=NULL;
|
|
}
|
|
|
|
dwEventID=fRenewal ? EVENT_RENEWAL_SUCCESS_ONCE : EVENT_ENROLL_SUCCESS_ONCE;
|
|
}
|
|
else
|
|
{
|
|
dwEventID=fRenewal ? EVENT_RENEWAL_PENDING_ONCE : EVENT_ENROLL_PENDING_ONCE;
|
|
}
|
|
|
|
//log the enrollment sucess or pending event
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
dwEventID,
|
|
fMachine,
|
|
hToken,
|
|
3,
|
|
pCertType->awszDisplay[0],
|
|
rgCAInfo[dwCAIndex].awszCADisplay[0],
|
|
rgCAInfo[dwCAIndex].awszCADNS[0]);
|
|
|
|
//log if the private key is re-used
|
|
memset(&QueryCertRequestInfo, 0, sizeof(QueryCertRequestInfo));
|
|
QueryCertRequestInfo.dwSize=sizeof(QueryCertRequestInfo);
|
|
|
|
if(CryptUIWizQueryCertRequestNoDS(hRequest,
|
|
&QueryCertRequestInfo))
|
|
{
|
|
if(CRYPTUI_WIZ_QUERY_CERT_REQUEST_STATUS_CREATE_REUSED_PRIVATE_KEY &
|
|
(QueryCertRequestInfo.dwStatus))
|
|
{
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
FALSE,
|
|
S_OK,
|
|
EVENT_PRIVATE_KEY_REUSED,
|
|
fMachine,
|
|
hToken,
|
|
1,
|
|
pCertType->awszDisplay[0]);
|
|
}
|
|
}
|
|
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
//get the last error
|
|
dwLastError=GetLastError();
|
|
|
|
idsSummary=IDS_SUMMARY_CA;
|
|
|
|
//log the one enrollment warning
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
TRUE,
|
|
HRESULT_FROM_WIN32(dwLastError),
|
|
fRenewal ? EVENT_RENEWAL_FAIL_ONCE : EVENT_ENROLL_FAIL_ONCE,
|
|
fMachine,
|
|
hToken,
|
|
3,
|
|
pCertType->awszDisplay[0],
|
|
rgCAInfo[dwCAIndex].awszCADisplay[0],
|
|
rgCAInfo[dwCAIndex].awszCADNS[0]);
|
|
|
|
|
|
//we should recreate the request for key archival
|
|
if(CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL & pCertType->dwPrivateKeyFlag)
|
|
{
|
|
if(hRequest)
|
|
{
|
|
CryptUIWizFreeCertRequestNoDS(hRequest);
|
|
hRequest=NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
//log all enrollments error
|
|
//the loop will exit only if CANCEL, or SUCCEED, or we run out of CAs to try or
|
|
//the request can not be created
|
|
if(dwIndex == dwCA)
|
|
{
|
|
//we either run out of CAs to try or the request can not be created
|
|
if(0 != idsSummary)
|
|
pCertType->idsSummary=idsSummary;
|
|
|
|
if(fFoundCA)
|
|
{
|
|
dwEventID = fRenewal ? EVENT_RENEWAL_FAIL : EVENT_ENROLL_FAIL;
|
|
}
|
|
else
|
|
{
|
|
//if there is no CA, no need to try re-enrollment
|
|
if(fRenewal)
|
|
pCertType->fRenewal=FALSE;
|
|
|
|
dwEventID = fRenewal ? EVENT_RENEWAL_NO_CA_FAIL : EVENT_ENROLL_NO_CA_FAIL;
|
|
}
|
|
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
fFoundCA ? TRUE : FALSE,
|
|
HRESULT_FROM_WIN32(dwLastError),
|
|
dwEventID,
|
|
fMachine,
|
|
hToken,
|
|
1,
|
|
pCertType->awszDisplay[0]);
|
|
}
|
|
|
|
if(hRequest)
|
|
CryptUIWizFreeCertRequestNoDS(hRequest);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEEnrollmentCertificates
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEEnrollmentCertificates(AE_GENERAL_INFO *pAE_General_Info, DWORD dwEnrollStatus)
|
|
{
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
|
|
DWORD dwIndex =0 ;
|
|
DWORD dwStatus= 0;
|
|
DWORD dwRandom = 0;
|
|
|
|
HCRYPTPROV hProv = NULL;
|
|
|
|
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
|
|
|
|
if(NULL == rgCertTypeInfo)
|
|
return FALSE;
|
|
|
|
if((0 == pAE_General_Info->dwCA) || (NULL==pAE_General_Info->rgCAInfo))
|
|
return FALSE;
|
|
|
|
if(!CryptAcquireContextW(&hProv,
|
|
NULL,
|
|
MS_DEF_PROV_W,
|
|
PROV_RSA_FULL,
|
|
CRYPT_VERIFYCONTEXT))
|
|
hProv=NULL;
|
|
|
|
|
|
//going through all the active requests
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
//we enroll/renew for templates that are active
|
|
if(dwEnrollStatus != rgCertTypeInfo[dwIndex].dwStatus)
|
|
continue;
|
|
|
|
if(pAE_General_Info->fUIProcess != rgCertTypeInfo[dwIndex].fUIActive)
|
|
continue;
|
|
|
|
//select a random CA index to balance the load
|
|
if((hProv) && (CryptGenRandom(hProv, sizeof(dwRandom), (BYTE *)(&dwRandom))))
|
|
{
|
|
rgCertTypeInfo[dwIndex].dwRandomCAIndex = dwRandom % (pAE_General_Info->dwCA);
|
|
}
|
|
else
|
|
rgCertTypeInfo[dwIndex].dwRandomCAIndex = 0;
|
|
|
|
|
|
//enroll
|
|
dwStatus=0;
|
|
|
|
//report progress
|
|
if(pAE_General_Info->fUIProcess)
|
|
{
|
|
//continue if user choose CANCEL in view RA dialogue
|
|
if(!AEUIProgressReport(FALSE, &(rgCertTypeInfo[dwIndex]),pAE_General_Info->hwndDlg, pAE_General_Info->hCancelEvent))
|
|
{
|
|
AEUIProgressAdvance(pAE_General_Info);
|
|
continue;
|
|
}
|
|
|
|
}
|
|
|
|
if(AEDoEnrollment( pAE_General_Info->hwndDlg ? pAE_General_Info->hwndDlg : pAE_General_Info->hwndParent,
|
|
pAE_General_Info->hCancelEvent,
|
|
pAE_General_Info->fUIProcess,
|
|
pAE_General_Info->dwLogLevel,
|
|
pAE_General_Info->hToken,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->wszMachineName,
|
|
&(rgCertTypeInfo[dwIndex]),
|
|
pAE_General_Info->dwCA,
|
|
pAE_General_Info->rgCAInfo,
|
|
&dwStatus))
|
|
{
|
|
//mark the status
|
|
if(CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == dwStatus)
|
|
rgCertTypeInfo[dwIndex].dwStatus=CERT_REQUEST_STATUS_OBTAINED;
|
|
}
|
|
else
|
|
{
|
|
//if renewal failed, we try to re-enrollment if no RA is required
|
|
if((rgCertTypeInfo[dwIndex].fRenewal) && (FALSE == (rgCertTypeInfo[dwIndex].fNeedRA)))
|
|
{
|
|
rgCertTypeInfo[dwIndex].fRenewal=FALSE;
|
|
dwStatus=0;
|
|
|
|
if(AEDoEnrollment( pAE_General_Info->hwndDlg ? pAE_General_Info->hwndDlg : pAE_General_Info->hwndParent,
|
|
pAE_General_Info->hCancelEvent,
|
|
pAE_General_Info->fUIProcess,
|
|
pAE_General_Info->dwLogLevel,
|
|
pAE_General_Info->hToken,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->wszMachineName,
|
|
&(rgCertTypeInfo[dwIndex]),
|
|
pAE_General_Info->dwCA,
|
|
pAE_General_Info->rgCAInfo,
|
|
&dwStatus))
|
|
{
|
|
//mark the status
|
|
if(CRYPTUI_WIZ_CERT_REQUEST_STATUS_SUCCEEDED == dwStatus)
|
|
rgCertTypeInfo[dwIndex].dwStatus=CERT_REQUEST_STATUS_OBTAINED;
|
|
}
|
|
}
|
|
}
|
|
|
|
//advance progress
|
|
if(pAE_General_Info->fUIProcess)
|
|
{
|
|
AEUIProgressAdvance(pAE_General_Info);
|
|
}
|
|
|
|
}
|
|
|
|
if(hProv)
|
|
CryptReleaseContext(hProv, 0);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEIsDeletableCert
|
|
// Decide if we should archive or delete the certificate
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEIsDeletableCert(PCCERT_CONTEXT pCertContext, AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
BOOL fDelete=FALSE;
|
|
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
//only interested in certificate with template information
|
|
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
pCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
|
|
|
|
if(NULL==pCertType)
|
|
goto Ret;
|
|
|
|
if(CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE & (pCertType->dwEnrollmentFlag))
|
|
fDelete=TRUE;
|
|
else
|
|
fDelete=FALSE;
|
|
Ret:
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fDelete;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEIsSupersedeTemplate
|
|
//
|
|
// Check if pArchiveCert is superseded by pCertType
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEIsSupersedeTemplate(PCCERT_CONTEXT pArchiveCert, AE_CERTTYPE_INFO *pCertType, AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fSuperSede=FALSE;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
AE_CERTTYPE_INFO *pArchiveCertType=NULL;
|
|
|
|
LPWSTR *awszSuperseding=NULL;
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
//only interested in certificate with template information
|
|
if(!AERetrieveTemplateInfo(pArchiveCert, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
pArchiveCertType=AEFindTemplateInRequestTree(&AETemplateInfo, pAE_General_Info);
|
|
|
|
if(NULL==pArchiveCertType)
|
|
goto Ret;
|
|
|
|
//clear the visited flag in AE_General_Info
|
|
AEClearVistedFlag(pAE_General_Info);
|
|
|
|
if(S_OK == CAGetCertTypePropertyEx(
|
|
pCertType->hCertType,
|
|
CERTTYPE_PROP_SUPERSEDE,
|
|
&(awszSuperseding)))
|
|
{
|
|
if(awszSuperseding && awszSuperseding[0])
|
|
{
|
|
if(AEIfSupersede(pArchiveCertType->awszName[0], awszSuperseding, pAE_General_Info))
|
|
{
|
|
fSuperSede=TRUE;
|
|
}
|
|
|
|
//clear the visited flag in AE_General_Info
|
|
AEClearVistedFlag(pAE_General_Info);
|
|
}
|
|
|
|
//free the property
|
|
if(awszSuperseding)
|
|
CAFreeCertTypeProperty(pCertType->hCertType, awszSuperseding);
|
|
}
|
|
|
|
Ret:
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fSuperSede;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEIsSameTemplate
|
|
//
|
|
// Check if the certificate is of the same template of pCertType
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEIsSameTemplate(PCCERT_CONTEXT pCertContext, AE_CERTTYPE_INFO *pCertType, BOOL fVersionCheck)
|
|
{
|
|
BOOL fSame=FALSE;
|
|
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
if((NULL == pCertType) || (NULL == pCertContext))
|
|
goto Ret;
|
|
|
|
//get the template information for the certificate
|
|
if(!AERetrieveTemplateInfo(pCertContext, &AETemplateInfo))
|
|
goto Ret;
|
|
|
|
if( (NULL == AETemplateInfo.pwszName) && (NULL == AETemplateInfo.pwszOid))
|
|
goto Ret;
|
|
|
|
if(AETemplateInfo.pwszOid)
|
|
{
|
|
//we are guaranteed to have an OID if the schema is greater than or equal to 2
|
|
if(pCertType->dwSchemaVersion >= CERTTYPE_SCHEMA_VERSION_2)
|
|
{
|
|
if(0 == wcscmp(AETemplateInfo.pwszOid, (pCertType->awszOID)[0]))
|
|
{
|
|
if(fVersionCheck)
|
|
{
|
|
if(AETemplateInfo.dwVersion == pCertType->dwVersion)
|
|
{
|
|
fSame=TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
fSame=TRUE;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//we are guaranteed to have a name
|
|
if(0 == wcscmp(AETemplateInfo.pwszName, (pCertType->awszName)[0]))
|
|
{
|
|
fSame=TRUE;
|
|
}
|
|
}
|
|
|
|
Ret:
|
|
|
|
AEFreeTemplateInfo(&AETemplateInfo);
|
|
|
|
return fSame;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEArchiveObsoleteCertificates
|
|
// archive old certificate after the enrollment/renewal
|
|
//
|
|
// clean up the hUserDS store (delete the expired or revoked certificate)
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEArchiveObsoleteCertificates(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
|
|
DWORD dwIndex = 0;
|
|
CRYPT_DATA_BLOB Archived;
|
|
BOOL fArchived = FALSE;
|
|
BOOL fDSArchived = FALSE;
|
|
AE_CERT_INFO AECertInfo;
|
|
BOOL fRepublish=FALSE;
|
|
BYTE rgbHash[SHA1_HASH_LENGTH];
|
|
CRYPT_HASH_BLOB blobHash;
|
|
BOOL fHash=FALSE;
|
|
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER;
|
|
DWORD dwProp=CERT_ARCHIVED_PROP_ID;
|
|
BOOL fSameDns=TRUE;
|
|
|
|
HCERTSTORE hUserDS = NULL;
|
|
HCERTSTORE hMyArchive = NULL;
|
|
PCCERT_CONTEXT pCertContext = NULL;
|
|
PCCERT_CONTEXT pMyContext = NULL;
|
|
PCCERT_CONTEXT pDSContext = NULL;
|
|
PCCERT_CONTEXT pIssuedContext = NULL;
|
|
PCCERT_CONTEXT pDnsContext = NULL;
|
|
PCCERT_CONTEXT pDnsOldContext = NULL;
|
|
PCCERT_CONTEXT pSelectedContext = NULL;
|
|
PCCERT_CONTEXT pMyDnsContext = NULL;
|
|
PCCERT_CONTEXT pMyArchiveCert = NULL;
|
|
|
|
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
|
|
|
|
if(NULL == rgCertTypeInfo)
|
|
return FALSE;
|
|
|
|
memset(&Archived, 0, sizeof(CRYPT_DATA_BLOB));
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
|
|
//open the UserDS store
|
|
if(!(pAE_General_Info->fMachine))
|
|
{
|
|
hUserDS = AEOpenUserDSStore(pAE_General_Info, 0);
|
|
}
|
|
|
|
//verify the DNS name of issued certificate.
|
|
//mark the CERT_AUTO_ENROLL_RETRY_PROP_ID property
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
|
|
{
|
|
if(rgCertTypeInfo[dwIndex].hIssuedStore)
|
|
{
|
|
if(pDnsContext = CertEnumCertificatesInStore(
|
|
rgCertTypeInfo[dwIndex].hIssuedStore, NULL))
|
|
{
|
|
pMyDnsContext = FindCertificateInOtherStore(
|
|
pAE_General_Info->hMyStore,
|
|
pDnsContext);
|
|
|
|
if(pMyDnsContext)
|
|
{
|
|
//detect if DSN name match
|
|
if(AEVerifyDNSName(pAE_General_Info, pMyDnsContext))
|
|
{
|
|
//the DNS name match;
|
|
//clear the CERT_AUTO_ENROLL_RETRY_PROP_ID property
|
|
CertSetCertificateContextProperty(
|
|
pMyDnsContext,
|
|
CERT_AUTO_ENROLL_RETRY_PROP_ID,
|
|
0,
|
|
NULL);
|
|
}
|
|
else
|
|
{
|
|
fSameDns=TRUE;
|
|
pDnsOldContext=NULL;
|
|
pSelectedContext=NULL;
|
|
|
|
while(pDnsOldContext = CertEnumCertificatesInStore(
|
|
rgCertTypeInfo[dwIndex].hArchiveStore, pDnsOldContext))
|
|
{
|
|
//only consider same template scenario for retrial purpose
|
|
//only consider certificates with same version
|
|
if(AEIsSameTemplate(pDnsOldContext, &(rgCertTypeInfo[dwIndex]), TRUE))
|
|
{
|
|
if(!AEIsSameDNS(pMyDnsContext, pDnsOldContext))
|
|
{
|
|
fSameDns=FALSE;
|
|
|
|
CertFreeCertificateContext(pDnsOldContext);
|
|
pDnsOldContext=NULL;
|
|
|
|
break;
|
|
}
|
|
else
|
|
{
|
|
if(NULL == pSelectedContext)
|
|
{
|
|
pSelectedContext=CertDuplicateCertificateContext(pDnsOldContext);
|
|
}
|
|
else
|
|
{
|
|
//we use the least retrial wait amoung all old DNS certificates
|
|
//of the same certificate template
|
|
if(!AEFasterRetrialSchedule(pSelectedContext, pDnsOldContext))
|
|
{
|
|
CertFreeCertificateContext(pSelectedContext);
|
|
pSelectedContext = NULL;
|
|
pSelectedContext=CertDuplicateCertificateContext(pDnsOldContext);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//start over again if the DNS from the new certificate is
|
|
//different from existing ones or this is the 1st time
|
|
//a mis-match DNS has occurred
|
|
if((NULL == pSelectedContext) || (FALSE == fSameDns))
|
|
{
|
|
//clear the CERT_AUTO_ENROLL_RETRY_PROP_ID property
|
|
CertSetCertificateContextProperty(
|
|
pMyDnsContext,
|
|
CERT_AUTO_ENROLL_RETRY_PROP_ID,
|
|
0,
|
|
NULL);
|
|
}
|
|
else
|
|
{
|
|
AEUpdateRetryProperty(pAE_General_Info, (rgCertTypeInfo[dwIndex].awszDisplay)[0], pMyDnsContext, pSelectedContext);
|
|
}
|
|
|
|
if(pSelectedContext)
|
|
{
|
|
CertFreeCertificateContext(pSelectedContext);
|
|
pSelectedContext = NULL;
|
|
}
|
|
}
|
|
|
|
CertFreeCertificateContext(pMyDnsContext);
|
|
pMyDnsContext = NULL;
|
|
}
|
|
|
|
CertFreeCertificateContext(pDnsContext);
|
|
pDnsContext = NULL;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//archive certificates
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
fHash=FALSE;
|
|
fRepublish=FALSE;
|
|
|
|
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
|
|
{
|
|
//get the hash of newly enrolled certificate
|
|
blobHash.cbData=SHA1_HASH_LENGTH;
|
|
blobHash.pbData=rgbHash;
|
|
|
|
if(rgCertTypeInfo[dwIndex].hIssuedStore)
|
|
{
|
|
if(pIssuedContext = CertEnumCertificatesInStore(
|
|
rgCertTypeInfo[dwIndex].hIssuedStore, NULL))
|
|
{
|
|
if(CryptHashCertificate(
|
|
NULL,
|
|
0,
|
|
X509_ASN_ENCODING,
|
|
pIssuedContext->pbCertEncoded,
|
|
pIssuedContext->cbCertEncoded,
|
|
blobHash.pbData,
|
|
&(blobHash.cbData)))
|
|
{
|
|
fHash=TRUE;
|
|
}
|
|
}
|
|
|
|
//free the cert context
|
|
if(pIssuedContext)
|
|
{
|
|
CertFreeCertificateContext(pIssuedContext);
|
|
pIssuedContext = NULL;
|
|
}
|
|
}
|
|
|
|
pCertContext=NULL;
|
|
|
|
while(pCertContext = CertEnumCertificatesInStore(
|
|
rgCertTypeInfo[dwIndex].hArchiveStore, pCertContext))
|
|
{
|
|
//archive or delete the certificate from my store
|
|
pMyContext = FindCertificateInOtherStore(
|
|
pAE_General_Info->hMyStore,
|
|
pCertContext);
|
|
|
|
|
|
if(pMyContext)
|
|
{
|
|
//set the Hash of the newly enrolled certificate
|
|
if(fHash)
|
|
{
|
|
CertSetCertificateContextProperty(
|
|
pMyContext,
|
|
CERT_RENEWAL_PROP_ID,
|
|
0,
|
|
&blobHash);
|
|
}
|
|
|
|
if(AEIsDeletableCert(pMyContext, pAE_General_Info))
|
|
{
|
|
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pMyContext));
|
|
}
|
|
else
|
|
{
|
|
// We force an archive on the old cert and close it.
|
|
CertSetCertificateContextProperty(pMyContext,
|
|
CERT_ARCHIVED_PROP_ID,
|
|
0,
|
|
&Archived);
|
|
|
|
}
|
|
|
|
fArchived=TRUE;
|
|
|
|
CertFreeCertificateContext(pMyContext);
|
|
pMyContext = NULL;
|
|
}
|
|
|
|
//check the DS store. remove the certificates from DS store
|
|
if(hUserDS)
|
|
{
|
|
if(pMyContext = FindCertificateInOtherStore(
|
|
hUserDS,
|
|
pCertContext))
|
|
{
|
|
CertDeleteCertificateFromStore(pMyContext);
|
|
fDSArchived=TRUE;
|
|
pMyContext = NULL;
|
|
fRepublish=TRUE;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//we remove archived certificates from my store
|
|
//open my store with CERT_STORE_ENUM_ARCHIVED_FLAG
|
|
if(pAE_General_Info->fMachine)
|
|
dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE;
|
|
|
|
//open my store
|
|
hMyArchive= CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_W,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
dwOpenStoreFlags | CERT_STORE_ENUM_ARCHIVED_FLAG,
|
|
MY_STORE);
|
|
|
|
//loop through all templates
|
|
if(hMyArchive)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
|
|
{
|
|
//loop through all archived certificates and remove certificates of same template
|
|
//or certificates that are superseded
|
|
pMyArchiveCert=NULL;
|
|
while(pMyArchiveCert=CertFindCertificateInStore(
|
|
hMyArchive, ENCODING_TYPE, 0, CERT_FIND_PROPERTY, &dwProp, pMyArchiveCert))
|
|
{
|
|
if(AEIsSameTemplate(pMyArchiveCert, &(rgCertTypeInfo[dwIndex]), FALSE))
|
|
{
|
|
if(CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE & rgCertTypeInfo[dwIndex].dwEnrollmentFlag)
|
|
{
|
|
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pMyArchiveCert));
|
|
fArchived=TRUE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if(AEIsDeletableCert(pMyArchiveCert, pAE_General_Info))
|
|
{
|
|
if(AEIsSupersedeTemplate(pMyArchiveCert, &(rgCertTypeInfo[dwIndex]), pAE_General_Info))
|
|
{
|
|
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pMyArchiveCert));
|
|
fArchived=TRUE;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//now we are done with archiving, we clean up user DS store
|
|
if(AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT & (pAE_General_Info->dwPolicy))
|
|
{
|
|
if(hUserDS)
|
|
{
|
|
pDSContext=NULL;
|
|
|
|
while(pDSContext = CertEnumCertificatesInStore(hUserDS, pDSContext))
|
|
{
|
|
AEValidateCertificateInfo(pAE_General_Info,
|
|
NULL, //do not evaluate soon to expire
|
|
FALSE, //do not valid private key
|
|
pDSContext,
|
|
&AECertInfo);
|
|
|
|
if(FALSE == AECertInfo.fRenewal)
|
|
{
|
|
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pDSContext));
|
|
fDSArchived=TRUE;
|
|
fRepublish=TRUE;
|
|
}
|
|
|
|
memset(&AECertInfo, 0, sizeof(AE_CERT_INFO));
|
|
}
|
|
}
|
|
}
|
|
|
|
//we have to republish the certificates as we have rewritten the user DS store
|
|
//CA might has just published to the location
|
|
if(fRepublish)
|
|
{
|
|
if(hUserDS)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
|
|
{
|
|
if((rgCertTypeInfo[dwIndex].hIssuedStore) &&
|
|
(CT_FLAG_PUBLISH_TO_DS & rgCertTypeInfo[dwIndex].dwEnrollmentFlag)
|
|
)
|
|
{
|
|
pCertContext=NULL;
|
|
while(pCertContext = CertEnumCertificatesInStore(
|
|
rgCertTypeInfo[dwIndex].hIssuedStore, pCertContext))
|
|
{
|
|
CertAddCertificateContextToStore(hUserDS,
|
|
pCertContext,
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
NULL);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
//report the event if archival has happened
|
|
if(fArchived)
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_ARCHIVE_CERT,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 0);
|
|
|
|
if(fDSArchived)
|
|
AELogAutoEnrollmentEvent(pAE_General_Info->dwLogLevel, FALSE, S_OK, EVENT_ARCHIVE_DS_CERT,
|
|
pAE_General_Info->fMachine, pAE_General_Info->hToken, 0);
|
|
|
|
if(hUserDS)
|
|
CertCloseStore(hUserDS, 0);
|
|
|
|
if(hMyArchive)
|
|
CertCloseStore(hMyArchive, 0);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AERemoveSupersedeActive
|
|
// Remove supersedeActive flag after any successful the enrollment/renewal
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AERemoveSupersedeActive(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
|
|
DWORD dwIndex = 0;
|
|
DWORD dwActiveIndex = 0;
|
|
DWORD dwMarkIndex = 0;
|
|
|
|
|
|
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
|
|
|
|
if(NULL == rgCertTypeInfo)
|
|
return FALSE;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(CERT_REQUEST_STATUS_OBTAINED == rgCertTypeInfo[dwIndex].dwStatus)
|
|
{
|
|
for(dwActiveIndex=0; dwActiveIndex < rgCertTypeInfo[dwIndex].dwActive; dwActiveIndex++)
|
|
{
|
|
dwMarkIndex = rgCertTypeInfo[dwIndex].prgActive[dwActiveIndex];
|
|
rgCertTypeInfo[dwMarkIndex].dwStatus=CERT_REQUEST_STATUS_OBTAINED;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEEnrollmentWalker
|
|
//
|
|
// This functin performs enrollment tasks
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEEnrollmentWalker(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
|
|
BOOL fResult = FALSE;
|
|
|
|
//we need to set the range for the progress bar in the
|
|
//UI case
|
|
if((pAE_General_Info->fUIProcess) && (pAE_General_Info->hwndDlg))
|
|
{
|
|
//set the range
|
|
if(0 != (pAE_General_Info->dwUIEnrollCount))
|
|
{
|
|
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
|
|
PBM_SETRANGE,
|
|
0,
|
|
MAKELPARAM(0, ((pAE_General_Info->dwUIEnrollCount) & (0xFFFF)))
|
|
);
|
|
|
|
|
|
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
|
|
PBM_SETSTEP,
|
|
(WPARAM)1,
|
|
0);
|
|
|
|
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
|
|
PBM_SETPOS,
|
|
(WPARAM)0,
|
|
0);
|
|
}
|
|
}
|
|
|
|
//retrieve the pending request. Mark the status to obtained if the
|
|
//certificate is issued and of the correct version
|
|
if(AUTO_ENROLLMENT_ENABLE_PENDING_FETCH & (pAE_General_Info->dwPolicy))
|
|
{
|
|
if(FALSE == pAE_General_Info->fUIProcess)
|
|
{
|
|
if(!AEProcessPendingRequest(pAE_General_Info))
|
|
goto Ret;
|
|
}
|
|
else
|
|
{
|
|
if(!AEProcessUIPendingRequest(pAE_General_Info))
|
|
goto Ret;
|
|
}
|
|
}
|
|
|
|
//remove duplicated requests based on "Supersede" relationship
|
|
//supress active templates that are superseded by other templates
|
|
if(!AEManageSupersedeRequests(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
//do enrollment/renewal
|
|
if(!AEEnrollmentCertificates(pAE_General_Info, CERT_REQUEST_STATUS_ACTIVE))
|
|
goto Ret;
|
|
|
|
|
|
//We try to get the superseded templates if supserseding templates failed.
|
|
//Only for machine for the case of two V2 DC templates.
|
|
/*if(TRUE == pAE_General_Info->fMachine)
|
|
{
|
|
//remove supersedeActive based on the obtained flag
|
|
if(!AERemoveSupersedeActive(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
//do enrollment/renewal again since we migh fail to get superseding templates
|
|
if(!AEEnrollmentCertificates(pAE_General_Info, CERT_REQUEST_STATUS_SUPERSEDE_ACTIVE))
|
|
goto Ret;
|
|
}*/
|
|
|
|
fResult = TRUE;
|
|
|
|
Ret:
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// AEUIProgressAdvance
|
|
//
|
|
// Increase the progress bar by one step
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEUIProgressAdvance(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
|
|
if(NULL==pAE_General_Info)
|
|
goto Ret;
|
|
|
|
if(NULL==(pAE_General_Info->hwndDlg))
|
|
goto Ret;
|
|
|
|
//check if CANCEL button is clicked
|
|
if(AECancelled(pAE_General_Info->hCancelEvent))
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
//advance the progress bar
|
|
SendMessage(GetDlgItem(pAE_General_Info->hwndDlg, IDC_ENROLL_PROGRESS),
|
|
PBM_STEPIT,
|
|
0,
|
|
0);
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// AEUIGetNameFromCert
|
|
//
|
|
// Retrieve a unique string to identify the certificate.
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEUIGetNameFromCert(PCCERT_CONTEXT pCertContext, LPWSTR *ppwszRACert)
|
|
{
|
|
|
|
BOOL fResult=FALSE;
|
|
DWORD dwChar=0;
|
|
DWORD cbOID=0;
|
|
PCCRYPT_OID_INFO pOIDInfo=NULL;
|
|
|
|
LPWSTR pwszRACert=NULL;
|
|
AE_TEMPLATE_INFO TemplateInfo;
|
|
LPSTR szOID=NULL;
|
|
|
|
if((NULL==pCertContext) || (NULL==ppwszRACert))
|
|
goto Ret;
|
|
|
|
*ppwszRACert=NULL;
|
|
|
|
memset(&TemplateInfo, 0, sizeof(TemplateInfo));
|
|
|
|
//get the template name first
|
|
if(!AERetrieveTemplateInfo(pCertContext, &TemplateInfo))
|
|
goto Ret;
|
|
|
|
if(TemplateInfo.pwszName)
|
|
{
|
|
pwszRACert=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (wcslen(TemplateInfo.pwszName) + 1));
|
|
if(NULL == pwszRACert)
|
|
goto Ret;
|
|
|
|
wcscpy(pwszRACert, TemplateInfo.pwszName);
|
|
}
|
|
else
|
|
{
|
|
if(NULL==(TemplateInfo.pwszOid))
|
|
goto Ret;
|
|
|
|
//find the OID
|
|
if(0 == (cbOID = WideCharToMultiByte(CP_ACP,
|
|
0,
|
|
TemplateInfo.pwszOid,
|
|
-1,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
NULL)))
|
|
goto Ret;
|
|
|
|
szOID=(LPSTR)LocalAlloc(LPTR, cbOID);
|
|
|
|
if(NULL==szOID)
|
|
goto Ret;
|
|
|
|
if(0 == WideCharToMultiByte(CP_ACP,
|
|
0,
|
|
TemplateInfo.pwszOid,
|
|
-1,
|
|
szOID,
|
|
cbOID,
|
|
NULL,
|
|
NULL))
|
|
goto Ret;
|
|
|
|
pOIDInfo=CryptFindOIDInfo(
|
|
CRYPT_OID_INFO_OID_KEY,
|
|
szOID,
|
|
CRYPT_TEMPLATE_OID_GROUP_ID);
|
|
|
|
|
|
if(pOIDInfo)
|
|
{
|
|
if(pOIDInfo->pwszName)
|
|
{
|
|
pwszRACert=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (wcslen(pOIDInfo->pwszName) + 1));
|
|
if(NULL== pwszRACert)
|
|
goto Ret;
|
|
|
|
wcscpy(pwszRACert, pOIDInfo->pwszName);
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
//if template name does not exist. Get the subject name for now
|
|
/* if(NULL==pwszRACert)
|
|
{
|
|
if(0 == (dwChar=CertGetNameStringW(
|
|
pCertContext,
|
|
CERT_NAME_SIMPLE_DISPLAY_TYPE,
|
|
0,
|
|
NULL,
|
|
NULL,
|
|
0)))
|
|
goto Ret;
|
|
|
|
pwszRACert=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (dwChar));
|
|
if(NULL== pwszRACert)
|
|
goto Ret;
|
|
|
|
if(0 == (dwChar=CertGetNameStringW(
|
|
pCertContext,
|
|
CERT_NAME_SIMPLE_DISPLAY_TYPE,
|
|
0,
|
|
NULL,
|
|
pwszRACert,
|
|
dwChar)))
|
|
goto Ret;
|
|
} */
|
|
|
|
*ppwszRACert = pwszRACert;
|
|
pwszRACert=NULL;
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pwszRACert)
|
|
LocalFree(pwszRACert);
|
|
|
|
if(szOID)
|
|
LocalFree(szOID);
|
|
|
|
AEFreeTemplateInfo(&TemplateInfo);
|
|
|
|
|
|
return fResult;
|
|
|
|
}
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// AEGetRACertInfo
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEGetRACertInfo(PCERT_CONTEXT pRAContext,
|
|
LPWSTR pwszRATemplate,
|
|
LPWSTR *ppwszRACertInfo)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
UINT idsMessage=0;
|
|
DWORD dwSize=0;
|
|
|
|
LPWSTR pwszIssuer=NULL;
|
|
|
|
if(NULL==pRAContext)
|
|
goto Ret;
|
|
|
|
if(pwszRATemplate)
|
|
idsMessage=IDS_VIEW_RA_INFO;
|
|
else
|
|
idsMessage=IDS_VIEW_RA_INFO_GENERAL;
|
|
|
|
//the cert has to have an issuer
|
|
if(0 == (dwSize=CertNameToStrW(
|
|
ENCODING_TYPE,
|
|
&(pRAContext->pCertInfo->Issuer),
|
|
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
|
|
NULL,
|
|
0)))
|
|
goto Ret;
|
|
|
|
pwszIssuer=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSize);
|
|
if(NULL==pwszIssuer)
|
|
goto Ret;
|
|
|
|
if(0 == CertNameToStrW(
|
|
ENCODING_TYPE,
|
|
&(pRAContext->pCertInfo->Issuer),
|
|
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
|
|
pwszIssuer,
|
|
dwSize))
|
|
goto Ret;
|
|
|
|
|
|
if(!FormatMessageUnicode(
|
|
ppwszRACertInfo,
|
|
idsMessage,
|
|
pwszIssuer,
|
|
pwszRATemplate))
|
|
goto Ret;
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pwszIssuer)
|
|
LocalFree(pwszIssuer);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// WinProc for the view RA certificate dialogue
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
INT_PTR CALLBACK AEViewRADlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
|
|
{
|
|
BOOL fPropertyChanged = FALSE;
|
|
AE_VIEW_RA_INFO *pAEViewRAInfo = NULL;
|
|
CRYPTUI_VIEWCERTIFICATE_STRUCT CertViewStruct;
|
|
|
|
LPWSTR pwszRACertInfo=NULL;
|
|
|
|
switch (msg)
|
|
{
|
|
case WM_INITDIALOG:
|
|
pAEViewRAInfo=(AE_VIEW_RA_INFO *)lParam;
|
|
|
|
if(NULL==pAEViewRAInfo)
|
|
break;
|
|
|
|
SetWindowLongPtr(hwndDlg, DWLP_USER, (LONG_PTR)pAEViewRAInfo);
|
|
|
|
//display the RA template and issuer dynamically
|
|
if(AEGetRACertInfo(pAEViewRAInfo->pRAContext,
|
|
pAEViewRAInfo->pwszRATemplate,
|
|
&pwszRACertInfo))
|
|
{
|
|
SetDlgItemTextW(hwndDlg, IDC_EDIT3, pwszRACertInfo);
|
|
|
|
LocalFree((HLOCAL)pwszRACertInfo);
|
|
|
|
}
|
|
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_NOTIFY:
|
|
break;
|
|
|
|
case WM_CLOSE:
|
|
EndDialog(hwndDlg, IDC_BUTTON3);
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_COMMAND:
|
|
switch (LOWORD(wParam))
|
|
{
|
|
//view certificate
|
|
case IDC_BUTTON1:
|
|
if(NULL==(pAEViewRAInfo=(AE_VIEW_RA_INFO *)GetWindowLongPtr(hwndDlg, DWLP_USER)))
|
|
break;
|
|
|
|
if(NULL==pAEViewRAInfo->pRAContext)
|
|
break;
|
|
|
|
//show the certificate
|
|
memset(&CertViewStruct, 0, sizeof(CRYPTUI_VIEWCERTIFICATE_STRUCT));
|
|
CertViewStruct.dwSize=sizeof(CRYPTUI_VIEWCERTIFICATE_STRUCT);
|
|
CertViewStruct.hwndParent=hwndDlg;
|
|
CertViewStruct.dwFlags=CRYPTUI_DISABLE_EDITPROPERTIES;
|
|
CertViewStruct.pCertContext=pAEViewRAInfo->pRAContext;
|
|
|
|
fPropertyChanged=FALSE;
|
|
|
|
CryptUIDlgViewCertificate(&CertViewStruct, &fPropertyChanged);
|
|
|
|
return TRUE;
|
|
|
|
//OK
|
|
case IDC_BUTTON2:
|
|
EndDialog(hwndDlg, IDC_BUTTON2);
|
|
return TRUE;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
return FALSE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// AEUIProgressReport
|
|
//
|
|
// Report the current enrollment action. Return FALSE if no progress status
|
|
// can be reported.
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEUIProgressReport(BOOL fPending, AE_CERTTYPE_INFO *pCertType, HWND hwndDlg, HANDLE hCancelEvent)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
UINT idsMessage=0;
|
|
INT_PTR ret=0;
|
|
AE_VIEW_RA_INFO AEViewRAInfo;
|
|
|
|
LPWSTR *awszFriendlyName=NULL;
|
|
LPWSTR pwszRACert=NULL;
|
|
LPWSTR pwszReport=NULL;
|
|
|
|
memset(&AEViewRAInfo, 0, sizeof(AE_VIEW_RA_INFO));
|
|
|
|
if((NULL==pCertType) || (NULL==hwndDlg))
|
|
goto Ret;
|
|
|
|
if(NULL==(pCertType->hCertType))
|
|
goto Ret;
|
|
|
|
if(AECancelled(hCancelEvent))
|
|
{
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
if(fPending)
|
|
idsMessage=IDS_REPORT_PENDING;
|
|
else
|
|
{
|
|
if((pCertType->fRenewal) && (pCertType->pOldCert))
|
|
{
|
|
if(pCertType->fNeedRA)
|
|
{
|
|
if(FALSE == (pCertType->fCrossRA))
|
|
idsMessage=IDS_REPORT_RENEW;
|
|
else
|
|
idsMessage=IDS_REPORT_ENROLL_RA;
|
|
}
|
|
else
|
|
idsMessage=IDS_REPORT_RENEW;
|
|
}
|
|
else
|
|
idsMessage=IDS_REPORT_ENROLL;
|
|
}
|
|
|
|
//retrieve the template's friendly name
|
|
if(S_OK != CAGetCertTypePropertyEx(
|
|
pCertType->hCertType,
|
|
CERTTYPE_PROP_FRIENDLY_NAME,
|
|
&awszFriendlyName))
|
|
goto Ret;
|
|
|
|
if(NULL==awszFriendlyName)
|
|
goto Ret;
|
|
|
|
if(NULL==(awszFriendlyName[0]))
|
|
goto Ret;
|
|
|
|
|
|
//retrieve the RA certificate's template name
|
|
if(IDS_REPORT_ENROLL_RA == idsMessage)
|
|
{
|
|
if(!AEUIGetNameFromCert(pCertType->pOldCert, &pwszRACert))
|
|
{
|
|
pwszRACert=NULL;
|
|
}
|
|
}
|
|
|
|
if(!FormatMessageUnicode(&pwszReport, idsMessage, awszFriendlyName[0]))
|
|
goto Ret;
|
|
|
|
if(0 == SetDlgItemTextW(hwndDlg, IDC_EDIT2, pwszReport))
|
|
goto Ret;
|
|
|
|
//we will give user an opportunity to view the RA certificate before we go on
|
|
//format the view message
|
|
if(IDS_REPORT_ENROLL_RA != idsMessage)
|
|
{
|
|
//no need to do anything more
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
AEViewRAInfo.pRAContext=pCertType->pOldCert;
|
|
AEViewRAInfo.pwszRATemplate=pwszRACert;
|
|
|
|
//ask user if he/she wants to view the RA certificate
|
|
ret=DialogBoxParam(g_hmodThisDll,
|
|
(LPCWSTR)MAKEINTRESOURCE(IDD_VIEW_RA_CERTIFICATE_DLG),
|
|
hwndDlg,
|
|
AEViewRADlgProc,
|
|
(LPARAM)(&AEViewRAInfo));
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
if(pwszRACert)
|
|
LocalFree(pwszRACert);
|
|
|
|
if(awszFriendlyName)
|
|
CAFreeCertTypeProperty(pCertType->hCertType, awszFriendlyName);
|
|
|
|
if(pwszReport)
|
|
LocalFree((HLOCAL) pwszReport);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// the call back function to compare summary column
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
int CALLBACK CompareSummary(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort)
|
|
{
|
|
AE_CERTTYPE_INFO *pCertTypeOne=NULL;
|
|
AE_CERTTYPE_INFO *pCertTypeTwo=NULL;
|
|
DWORD dwColumn=0;
|
|
int iCompare=0;
|
|
|
|
LPWSTR pwszOne=NULL;
|
|
LPWSTR pwszTwo=NULL;
|
|
|
|
pCertTypeOne=(AE_CERTTYPE_INFO *)lParam1;
|
|
pCertTypeTwo=(AE_CERTTYPE_INFO *)lParam2;
|
|
|
|
dwColumn=(DWORD)lParamSort;
|
|
|
|
if((NULL==pCertTypeOne) || (NULL==pCertTypeTwo))
|
|
goto Ret;
|
|
|
|
switch(dwColumn & 0x0000FFFF)
|
|
{
|
|
case AE_SUMMARY_COLUMN_TYPE:
|
|
//we should use wcsicoll instead of wcsicmp since wcsicoll use the
|
|
//lexicographic order of current code page.
|
|
iCompare=CompareStringW(LOCALE_USER_DEFAULT,
|
|
NORM_IGNORECASE,
|
|
pCertTypeOne->awszDisplay[0],
|
|
-1,
|
|
pCertTypeTwo->awszDisplay[0],
|
|
-1);
|
|
break;
|
|
|
|
case AE_SUMMARY_COLUMN_REASON:
|
|
pwszOne=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (MAX_DN_SIZE));
|
|
pwszTwo=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (MAX_DN_SIZE));
|
|
|
|
if((NULL==pwszOne) || (NULL==pwszTwo))
|
|
goto Ret;
|
|
|
|
|
|
if(0 == LoadStringW(g_hmodThisDll,
|
|
pCertTypeOne->idsSummary,
|
|
pwszOne,
|
|
MAX_DN_SIZE))
|
|
goto Ret;
|
|
|
|
|
|
if(0 == LoadStringW(g_hmodThisDll,
|
|
pCertTypeTwo->idsSummary,
|
|
pwszTwo,
|
|
MAX_DN_SIZE))
|
|
goto Ret;
|
|
|
|
//we should use wcsicoll instead of wcsicmp since wcsicoll use the
|
|
//lexicographic order of current code page.
|
|
iCompare=CompareStringW(LOCALE_USER_DEFAULT,
|
|
NORM_IGNORECASE,
|
|
pwszOne,
|
|
-1,
|
|
pwszTwo,
|
|
-1);
|
|
|
|
|
|
break;
|
|
default:
|
|
goto Ret;
|
|
break;
|
|
}
|
|
|
|
switch(iCompare)
|
|
{
|
|
case CSTR_LESS_THAN:
|
|
|
|
iCompare=-1;
|
|
break;
|
|
|
|
case CSTR_EQUAL:
|
|
|
|
iCompare=0;
|
|
break;
|
|
|
|
case CSTR_GREATER_THAN:
|
|
|
|
iCompare=1;
|
|
break;
|
|
|
|
default:
|
|
goto Ret;
|
|
break;
|
|
}
|
|
|
|
if(dwColumn & SORT_COLUMN_DESCEND)
|
|
iCompare = 0-iCompare;
|
|
|
|
Ret:
|
|
|
|
if(pwszOne)
|
|
LocalFree(pwszOne);
|
|
|
|
if(pwszTwo)
|
|
LocalFree(pwszTwo);
|
|
|
|
return iCompare;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// AEDisplaySummaryInfo
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEDisplaySummaryInfo(HWND hWndListView, AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
|
|
DWORD dwIndex =0;
|
|
DWORD dwItem=0;
|
|
LV_ITEMW lvItem;
|
|
WCHAR wszReason[MAX_DN_SIZE];
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
|
|
if((NULL==hWndListView) || (NULL==pAE_General_Info))
|
|
goto Ret;
|
|
|
|
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
|
|
|
|
if(NULL == rgCertTypeInfo)
|
|
goto Ret;
|
|
|
|
// set up the fields in the list view item struct that don't change from item to item
|
|
lvItem.mask = LVIF_TEXT | LVIF_PARAM;
|
|
lvItem.state = 0;
|
|
lvItem.stateMask = 0;
|
|
lvItem.iItem=0;
|
|
lvItem.iSubItem=0;
|
|
lvItem.iImage = 0;
|
|
lvItem.lParam = NULL;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if((TRUE == rgCertTypeInfo[dwIndex].fUIActive) && (0 != rgCertTypeInfo[dwIndex].idsSummary))
|
|
{
|
|
if(0 != LoadStringW(g_hmodThisDll,
|
|
rgCertTypeInfo[dwIndex].idsSummary,
|
|
wszReason,
|
|
MAX_DN_SIZE))
|
|
{
|
|
lvItem.iItem=dwItem;
|
|
lvItem.iSubItem=0;
|
|
dwItem++;
|
|
|
|
pCertType=&(rgCertTypeInfo[dwIndex]);
|
|
|
|
lvItem.lParam = (LPARAM)(pCertType);
|
|
|
|
//template name
|
|
lvItem.pszText=rgCertTypeInfo[dwIndex].awszDisplay[0];
|
|
|
|
ListView_InsertItem(hWndListView, &lvItem);
|
|
|
|
//reason
|
|
lvItem.iSubItem++;
|
|
|
|
ListView_SetItemText(hWndListView, lvItem.iItem, lvItem.iSubItem, wszReason);
|
|
}
|
|
}
|
|
}
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// WinProc for the summary page
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
INT_PTR CALLBACK AESummaryDlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
|
|
{
|
|
|
|
AE_GENERAL_INFO *pAE_General_Info=NULL;
|
|
HWND hWndListView=NULL;
|
|
UINT rgIDS[]={IDS_COLUMN_TYPE,
|
|
IDS_COLUMN_REASON};
|
|
DWORD dwIndex=0;
|
|
DWORD dwCount=0;
|
|
LV_COLUMNW lvC;
|
|
WCHAR wszText[AE_SUMMARY_COLUMN_SIZE];
|
|
NM_LISTVIEW *pnmv=NULL;
|
|
DWORD dwSortParam=0;
|
|
static DWORD rgdwSortParam[]=
|
|
{AE_SUMMARY_COLUMN_TYPE | SORT_COLUMN_ASCEND,
|
|
AE_SUMMARY_COLUMN_REASON | SORT_COLUMN_DESCEND};
|
|
|
|
switch (msg)
|
|
{
|
|
case WM_INITDIALOG:
|
|
pAE_General_Info=(AE_GENERAL_INFO *)lParam;
|
|
|
|
if(NULL==pAE_General_Info)
|
|
break;
|
|
|
|
SetWindowLongPtr(hwndDlg, DWLP_USER, (LONG_PTR)pAE_General_Info);
|
|
|
|
//init the list view control
|
|
//add the colums to the list view
|
|
hWndListView = GetDlgItem(hwndDlg, IDC_LIST2);
|
|
|
|
if(NULL==hWndListView)
|
|
break;
|
|
|
|
dwCount=sizeof(rgIDS)/sizeof(rgIDS[0]);
|
|
|
|
//set up the common info for the column
|
|
memset(&lvC, 0, sizeof(LV_COLUMNW));
|
|
|
|
lvC.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM;
|
|
lvC.fmt = LVCFMT_LEFT; // Left-align the column.
|
|
lvC.cx = 150; // Width of the column, in pixels.
|
|
lvC.iSubItem=0;
|
|
lvC.pszText = wszText; // The text for the column.
|
|
|
|
//insert the column one at a time
|
|
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
|
|
{
|
|
//get the column header
|
|
wszText[0]=L'\0';
|
|
|
|
if(0 != LoadStringW(g_hmodThisDll, rgIDS[dwIndex], wszText, AE_SUMMARY_COLUMN_SIZE))
|
|
{
|
|
ListView_InsertColumn(hWndListView, dwIndex, &lvC);
|
|
}
|
|
}
|
|
|
|
// set the style in the list view so that it highlights an entire line
|
|
SendMessage(hWndListView, LVM_SETEXTENDEDLISTVIEWSTYLE, 0, LVS_EX_FULLROWSELECT);
|
|
|
|
AEDisplaySummaryInfo(hWndListView, pAE_General_Info);
|
|
|
|
//autosize the columns
|
|
for(dwIndex=0; dwIndex < dwCount; dwIndex++)
|
|
{
|
|
ListView_SetColumnWidth(hWndListView, dwIndex, LVSCW_AUTOSIZE);
|
|
}
|
|
|
|
//sort 1st column of the list view
|
|
dwSortParam=rgdwSortParam[0];
|
|
|
|
SendDlgItemMessage(hwndDlg,
|
|
IDC_LIST2,
|
|
LVM_SORTITEMS,
|
|
(WPARAM) (LPARAM) dwSortParam,
|
|
(LPARAM) (PFNLVCOMPARE)CompareSummary);
|
|
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_NOTIFY:
|
|
switch (((NMHDR FAR *) lParam)->code)
|
|
{
|
|
//the column has been changed
|
|
case LVN_COLUMNCLICK:
|
|
|
|
pnmv = (NM_LISTVIEW *) lParam;
|
|
|
|
dwSortParam=0;
|
|
|
|
//get the column number
|
|
switch(pnmv->iSubItem)
|
|
{
|
|
case 0:
|
|
case 1:
|
|
dwSortParam=rgdwSortParam[pnmv->iSubItem];
|
|
break;
|
|
default:
|
|
dwSortParam=0;
|
|
break;
|
|
}
|
|
|
|
if(0!=dwSortParam)
|
|
{
|
|
//remember to flip the ascend ording
|
|
if(dwSortParam & SORT_COLUMN_ASCEND)
|
|
{
|
|
dwSortParam &= 0x0000FFFF;
|
|
dwSortParam |= SORT_COLUMN_DESCEND;
|
|
}
|
|
else
|
|
{
|
|
if(dwSortParam & SORT_COLUMN_DESCEND)
|
|
{
|
|
dwSortParam &= 0x0000FFFF;
|
|
dwSortParam |= SORT_COLUMN_ASCEND;
|
|
}
|
|
}
|
|
|
|
//sort the column
|
|
SendDlgItemMessage(hwndDlg,
|
|
IDC_LIST2,
|
|
LVM_SORTITEMS,
|
|
(WPARAM) (LPARAM) dwSortParam,
|
|
(LPARAM) (PFNLVCOMPARE)CompareSummary);
|
|
|
|
rgdwSortParam[pnmv->iSubItem]=dwSortParam;
|
|
}
|
|
|
|
break;
|
|
}
|
|
break;
|
|
|
|
case WM_CLOSE:
|
|
EndDialog(hwndDlg, IDC_BUTTON1);
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_COMMAND:
|
|
switch (LOWORD(wParam))
|
|
{
|
|
case IDC_BUTTON1:
|
|
EndDialog(hwndDlg, IDC_BUTTON1);
|
|
return TRUE;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
return FALSE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// AEDisplaySummaryPage
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEDisplaySummaryPage(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD dwIndex=0;
|
|
BOOL fSummary=FALSE;
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo=NULL;
|
|
AE_CERTTYPE_INFO *pCertType=NULL;
|
|
|
|
//decide if there is need to show the summary page.
|
|
//Checking for idsSummary for each template
|
|
if(NULL == pAE_General_Info)
|
|
goto Ret;
|
|
|
|
if(NULL == (rgCertTypeInfo=pAE_General_Info->rgCertTypeInfo))
|
|
goto Ret;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if((TRUE == rgCertTypeInfo[dwIndex].fUIActive) && (0 != rgCertTypeInfo[dwIndex].idsSummary))
|
|
{
|
|
fSummary=TRUE;
|
|
break;
|
|
}
|
|
}
|
|
|
|
//show the summary dialogue
|
|
if(TRUE == fSummary)
|
|
{
|
|
if(pAE_General_Info->hwndDlg)
|
|
{
|
|
DialogBoxParam(g_hmodThisDll,
|
|
(LPCWSTR)MAKEINTRESOURCE(IDD_USER_SUMMARY_DLG),
|
|
pAE_General_Info->hwndDlg,
|
|
AESummaryDlgProc,
|
|
(LPARAM)(pAE_General_Info));
|
|
}
|
|
}
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
return fResult;
|
|
}
|
|
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
// WinProc for the autoenrollment progress window
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
INT_PTR CALLBACK progressDlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
|
|
{
|
|
AE_GENERAL_INFO *pAE_General_Info = NULL;
|
|
|
|
switch (msg)
|
|
{
|
|
case WM_INITDIALOG:
|
|
pAE_General_Info=(AE_GENERAL_INFO *)lParam;
|
|
|
|
//copy the hwndDlg to the enrollment thread
|
|
pAE_General_Info->hwndDlg=hwndDlg;
|
|
|
|
//start the interacive enrollment thread
|
|
if(1 != ResumeThread(pAE_General_Info->hThread))
|
|
{
|
|
pAE_General_Info->hwndDlg=NULL;
|
|
|
|
//we have to end the dialogue
|
|
EndDialog(hwndDlg, IDC_BUTTON1);
|
|
return TRUE;
|
|
}
|
|
|
|
SetWindowLongPtr(hwndDlg, DWLP_USER, (LONG_PTR)pAE_General_Info);
|
|
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_NOTIFY:
|
|
break;
|
|
|
|
case WM_CLOSE:
|
|
|
|
if(NULL==(pAE_General_Info=(AE_GENERAL_INFO *)GetWindowLongPtr(hwndDlg, DWLP_USER)))
|
|
break;
|
|
|
|
//disable the cancel button
|
|
EnableWindow(GetDlgItem(hwndDlg,IDC_BUTTON1), FALSE);
|
|
|
|
//signal the cancel event
|
|
if(pAE_General_Info->hCancelEvent)
|
|
SetEvent(pAE_General_Info->hCancelEvent);
|
|
|
|
//close the dialogue if the enrollment work is completed
|
|
if(WAIT_OBJECT_0 == WaitForSingleObject(pAE_General_Info->hCompleteEvent, 0))
|
|
{
|
|
EndDialog(hwndDlg, IDC_BUTTON1);
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
break;
|
|
|
|
case WM_COMMAND:
|
|
switch (LOWORD(wParam))
|
|
{
|
|
case IDC_BUTTON1:
|
|
if(NULL==(pAE_General_Info=(AE_GENERAL_INFO *)GetWindowLongPtr(hwndDlg, DWLP_USER)))
|
|
break;
|
|
|
|
//disable the cancel button
|
|
EnableWindow(GetDlgItem(hwndDlg,IDC_BUTTON1), FALSE);
|
|
|
|
//signal the cancel event
|
|
if(pAE_General_Info->hCancelEvent)
|
|
SetEvent(pAE_General_Info->hCancelEvent);
|
|
|
|
|
|
return TRUE;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
return FALSE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
// AEInteractiveThreadProc
|
|
//
|
|
// The thread procedue to do interactive enrollment
|
|
//-----------------------------------------------------------------------------
|
|
DWORD WINAPI AEInteractiveThreadProc(LPVOID lpParameter)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
AE_GENERAL_INFO *pAE_General_Info = NULL;
|
|
|
|
if(NULL==lpParameter)
|
|
return FALSE;
|
|
|
|
__try
|
|
{
|
|
|
|
pAE_General_Info=(AE_GENERAL_INFO *)lpParameter;
|
|
|
|
pAE_General_Info->fUIProcess=TRUE;
|
|
|
|
fResult = AEEnrollmentWalker(pAE_General_Info);
|
|
|
|
//show the summary page if not canceled
|
|
if(!AECancelled(pAE_General_Info->hCancelEvent))
|
|
{
|
|
AEDisplaySummaryPage(pAE_General_Info);
|
|
}
|
|
|
|
//signal that the process is completed
|
|
SetEvent(pAE_General_Info->hCompleteEvent);
|
|
|
|
//signal the progress window that we are done
|
|
if(pAE_General_Info->hwndDlg)
|
|
{
|
|
//click the close button
|
|
SendMessage(pAE_General_Info->hwndDlg,
|
|
WM_CLOSE, //WM_COMMAND,
|
|
0, //IDC_BUTTON1,
|
|
NULL);
|
|
}
|
|
}
|
|
__except ( EXCEPTION_EXECUTE_HANDLER )
|
|
{
|
|
}
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
// AEInteractiveEnrollment
|
|
//
|
|
// We are doing interactive enrollment
|
|
//-----------------------------------------------------------------------------
|
|
BOOL AEInteractiveEnrollment(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwThreadID=0;
|
|
BOOL fResult=FALSE;
|
|
|
|
|
|
//create a notification event for cancel process
|
|
pAE_General_Info->hCancelEvent=CreateEvent(
|
|
NULL,
|
|
TRUE, // bmanual reset type
|
|
FALSE, // initial state
|
|
NULL);
|
|
|
|
if(NULL==(pAE_General_Info->hCancelEvent))
|
|
goto ret;
|
|
|
|
//create a notification event for complete process
|
|
pAE_General_Info->hCompleteEvent=CreateEvent(
|
|
NULL,
|
|
TRUE, // bmanual reset type
|
|
FALSE, // initial state
|
|
NULL);
|
|
|
|
if(NULL==(pAE_General_Info->hCompleteEvent))
|
|
goto ret;
|
|
|
|
//spawn a thread
|
|
pAE_General_Info->hThread = CreateThread(NULL,
|
|
0,
|
|
AEInteractiveThreadProc,
|
|
pAE_General_Info,
|
|
CREATE_SUSPENDED, //suspend execution
|
|
&dwThreadID);
|
|
|
|
if(NULL==(pAE_General_Info->hThread))
|
|
goto ret;
|
|
|
|
//create the dialogue
|
|
DialogBoxParam(
|
|
g_hmodThisDll,
|
|
MAKEINTRESOURCE(IDD_USER_AUTOENROLL_GENERAL_DLG),
|
|
pAE_General_Info->hwndParent,
|
|
progressDlgProc,
|
|
(LPARAM)(pAE_General_Info));
|
|
|
|
//wait for thread to finish
|
|
if(WAIT_FAILED == WaitForSingleObject(pAE_General_Info->hThread, INFINITE))
|
|
goto ret;
|
|
|
|
fResult=TRUE;
|
|
|
|
ret:
|
|
|
|
//log the event
|
|
if(!fResult)
|
|
{
|
|
AELogAutoEnrollmentEvent(
|
|
pAE_General_Info->dwLogLevel,
|
|
TRUE,
|
|
HRESULT_FROM_WIN32(GetLastError()),
|
|
EVENT_FAIL_INTERACTIVE_START,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
0);
|
|
}
|
|
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------------
|
|
//
|
|
// WinProc for the confirmation to start certificate autoenrollment
|
|
//
|
|
//-----------------------------------------------------------------------------
|
|
INT_PTR CALLBACK AEConfirmDlgProc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
|
|
{
|
|
switch (msg)
|
|
{
|
|
case WM_INITDIALOG:
|
|
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_NOTIFY:
|
|
break;
|
|
|
|
case WM_CLOSE:
|
|
EndDialog(hwndDlg, IDC_BUTTON2);
|
|
return TRUE;
|
|
break;
|
|
|
|
case WM_COMMAND:
|
|
switch (LOWORD(wParam))
|
|
{
|
|
case IDC_BUTTON1:
|
|
EndDialog(hwndDlg, IDC_BUTTON1);
|
|
return TRUE;
|
|
|
|
case IDC_BUTTON2:
|
|
EndDialog(hwndDlg, IDC_BUTTON2);
|
|
return TRUE;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
return FALSE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AERegisterSysTrayApp
|
|
//
|
|
// This functin registers autoenrollment in the sys tray area
|
|
// as an notification
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AERegisterSysTrayApp(HWND hwndParent)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
BOOL fInit=FALSE;
|
|
INT_PTR ret=0;
|
|
DWORD dwError=0;
|
|
|
|
CQueryContinue *pCQueryContinue=NULL;
|
|
|
|
|
|
if(FAILED(CoInitialize(NULL)))
|
|
goto Ret;
|
|
|
|
fInit=TRUE;
|
|
|
|
pCQueryContinue=new CQueryContinue();
|
|
|
|
if(NULL==pCQueryContinue)
|
|
goto Ret;
|
|
|
|
if(S_OK != pCQueryContinue->DoBalloon())
|
|
goto Ret;
|
|
|
|
//ask user if autoenrollment should be performed
|
|
ret=DialogBox(g_hmodThisDll,
|
|
(LPCWSTR)MAKEINTRESOURCE(IDD_USER_AUTOENROLL_INFO_DLG),
|
|
hwndParent,
|
|
AEConfirmDlgProc);
|
|
|
|
if(IDC_BUTTON1 != ret)
|
|
{
|
|
dwError=GetLastError();
|
|
goto Ret;
|
|
}
|
|
|
|
fResult=TRUE;
|
|
|
|
|
|
Ret:
|
|
|
|
if(pCQueryContinue)
|
|
{
|
|
delete pCQueryContinue;
|
|
}
|
|
|
|
if(fInit)
|
|
CoUninitialize();
|
|
|
|
return fResult;
|
|
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEUIDisabled
|
|
//
|
|
// Detect if the user notification balloon is disabled by user
|
|
// setting the autoenrollment registry key in current user
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEUIDisabled()
|
|
{
|
|
BOOL fResult=FALSE;
|
|
|
|
HKEY hKey=NULL;
|
|
|
|
if(ERROR_SUCCESS == RegOpenKeyEx(
|
|
HKEY_CURRENT_USER, // handle to open key
|
|
AUTO_ENROLLMENT_DISABLE_KEY, // subkey name
|
|
0, // reserved
|
|
KEY_READ, // security access mask
|
|
&hKey)) // handle to open key
|
|
{
|
|
fResult=TRUE;
|
|
}
|
|
|
|
if(hKey)
|
|
RegCloseKey(hKey);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEUIRequired
|
|
//
|
|
// Detect if the user notification balloon is needed
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEUIRequired(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fUI=FALSE;
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo = NULL;
|
|
DWORD dwIndex = 0;
|
|
|
|
if(NULL==pAE_General_Info)
|
|
return FALSE;
|
|
|
|
rgCertTypeInfo = pAE_General_Info->rgCertTypeInfo;
|
|
|
|
pAE_General_Info->dwUIEnrollCount=0;
|
|
|
|
if(NULL == rgCertTypeInfo)
|
|
return FALSE;
|
|
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
if(rgCertTypeInfo[dwIndex].fUIActive)
|
|
{
|
|
if(CERT_REQUEST_STATUS_ACTIVE == rgCertTypeInfo[dwIndex].dwStatus)
|
|
{
|
|
fUI=TRUE;
|
|
(pAE_General_Info->dwUIEnrollCount)++;
|
|
}
|
|
}
|
|
}
|
|
|
|
//add the pending count
|
|
if(pAE_General_Info->dwUIPendCount)
|
|
{
|
|
fUI=TRUE;
|
|
(pAE_General_Info->dwUIEnrollCount) +=(pAE_General_Info->dwUIPendCount);
|
|
}
|
|
|
|
return fUI;
|
|
}
|
|
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEProcessEnrollment
|
|
//
|
|
// This functin does the autoenrollment based on ACL and manage MY
|
|
// store.
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEProcessEnrollment(HWND hwndParent, BOOL fMachine, LDAP *pld, DWORD dwPolicy, DWORD dwLogLevel)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
|
|
AE_GENERAL_INFO *pAE_General_Info=NULL;
|
|
|
|
pAE_General_Info=(AE_GENERAL_INFO *)LocalAlloc(LPTR, sizeof(AE_GENERAL_INFO));
|
|
|
|
if(NULL==pAE_General_Info)
|
|
goto Ret;
|
|
|
|
memset(pAE_General_Info, 0, sizeof(AE_GENERAL_INFO));
|
|
|
|
if(NULL==pld)
|
|
goto Ret;
|
|
|
|
//we obtain all information needed for process enrollment
|
|
pAE_General_Info->hwndParent = hwndParent;
|
|
pAE_General_Info->pld = pld;
|
|
pAE_General_Info->fMachine = fMachine;
|
|
pAE_General_Info->dwPolicy = dwPolicy;
|
|
pAE_General_Info->dwLogLevel = dwLogLevel;
|
|
|
|
__try
|
|
{
|
|
|
|
if(!AERetrieveGeneralInfo(pAE_General_Info))
|
|
{
|
|
AELogAutoEnrollmentEvent(dwLogLevel,
|
|
TRUE,
|
|
HRESULT_FROM_WIN32(GetLastError()),
|
|
EVENT_FAIL_GENERAL_INFOMATION,
|
|
fMachine,
|
|
pAE_General_Info->hToken,
|
|
0);
|
|
goto Ret;
|
|
}
|
|
|
|
if((0 == pAE_General_Info->dwCertType) || (NULL==pAE_General_Info->rgCertTypeInfo))
|
|
{
|
|
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK,
|
|
EVENT_NO_CERT_TEMPLATE, fMachine, pAE_General_Info->hToken,0);
|
|
|
|
AE_DEBUG((AE_WARNING, L"No CertType's available for auto-enrollment\n\r"));
|
|
goto Ret;
|
|
}
|
|
|
|
//we build the auto-enrollment requests based on the ACL on the DS
|
|
if(AUTO_ENROLLMENT_ENABLE_TEMPLATE_CHECK & (pAE_General_Info->dwPolicy))
|
|
{
|
|
if(!AEMarkAutoenrollment(pAE_General_Info))
|
|
goto Ret;
|
|
}
|
|
|
|
//we build the auto-enrollment requests based on the ARCS store
|
|
//this is enabled by default and can only be disabled if autoenrollment is
|
|
//completely disabled
|
|
if(!AEMarkAEObject(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
//manage MY store. Check if we already have required certificates
|
|
//we should always check my store with different behavior based on
|
|
//AUTO_ENROLLMENT_ENABLE_MY_STORE_MANAGEMENT flag
|
|
if(!AEManageAndMarkMyStore(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
//manage UserDS store for user autoenrollment
|
|
if(!fMachine)
|
|
{
|
|
if(!AECheckUserDSStore(pAE_General_Info))
|
|
goto Ret;
|
|
}
|
|
|
|
//manage pending request store. Remove expired pending requests
|
|
if(AUTO_ENROLLMENT_ENABLE_PENDING_FETCH & (pAE_General_Info->dwPolicy))
|
|
{
|
|
if(!AECheckPendingRequests(pAE_General_Info))
|
|
goto Ret;
|
|
}
|
|
|
|
//get CA information
|
|
if(!AERetrieveCAInfo(pAE_General_Info->pld,
|
|
pAE_General_Info->fMachine,
|
|
pAE_General_Info->hToken,
|
|
&(pAE_General_Info->dwCA),
|
|
&(pAE_General_Info->rgCAInfo)))
|
|
{
|
|
|
|
AELogAutoEnrollmentEvent(dwLogLevel, TRUE, HRESULT_FROM_WIN32(GetLastError()),
|
|
EVENT_FAIL_CA_INFORMATION, fMachine, pAE_General_Info->hToken, 0);
|
|
|
|
|
|
AE_DEBUG((AE_ERROR, L"Unable to retrieve CA information (%lx)\n\r", GetLastError()));
|
|
|
|
goto Ret;
|
|
}
|
|
|
|
if((0 == pAE_General_Info->dwCA) || (NULL==pAE_General_Info->rgCAInfo))
|
|
{
|
|
//we do not have any CAs on the domain. All we need to do is to archive
|
|
|
|
//archive old certificate after the enrollment/renewal
|
|
AEArchiveObsoleteCertificates(pAE_General_Info);
|
|
|
|
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK,
|
|
EVENT_NO_CA, fMachine, pAE_General_Info->hToken, 0);
|
|
|
|
AE_DEBUG((AE_WARNING, L"No CA's available for auto-enrollment\n\r"));
|
|
|
|
goto Ret;
|
|
}
|
|
|
|
//we check if active templates do have a CA that we can enroll for
|
|
if(!AEManageActiveTemplates(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
//perform autoenrollment as the background
|
|
pAE_General_Info->fUIProcess=FALSE;
|
|
if(!AEEnrollmentWalker(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
//perform autoenrollment as a sys tray application for user only
|
|
if(FALSE == fMachine)
|
|
{
|
|
//test if the notification balloon is disabled
|
|
if(!AEUIDisabled())
|
|
{
|
|
//test if the notification balloon is needed
|
|
if(AEUIRequired(pAE_General_Info))
|
|
{
|
|
//register the sys tray application
|
|
if(AERegisterSysTrayApp(pAE_General_Info->hwndParent))
|
|
{
|
|
//perform autoenrollment in interactive mode
|
|
AEInteractiveEnrollment(pAE_General_Info);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//archive old certificate after the enrollment/renewal
|
|
if(!AEArchiveObsoleteCertificates(pAE_General_Info))
|
|
goto Ret;
|
|
|
|
}
|
|
__except ( EXCEPTION_EXECUTE_HANDLER )
|
|
{
|
|
goto Ret;
|
|
}
|
|
|
|
fResult=TRUE;
|
|
|
|
Ret:
|
|
|
|
//free memory only if no thread is created
|
|
if(pAE_General_Info)
|
|
{
|
|
AEFreeGeneralInfo(pAE_General_Info);
|
|
LocalFree(pAE_General_Info);
|
|
}
|
|
|
|
return fResult;
|
|
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEExpress
|
|
//
|
|
// Detect if the user autoenrollment has the express key set. If the
|
|
// Express key is set, user autoenrollment will not wait for machine
|
|
// autoenrollment to complete on root certificates download
|
|
//
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
BOOL AEExpress()
|
|
{
|
|
BOOL fResult=FALSE;
|
|
|
|
HKEY hKey=NULL;
|
|
|
|
if(ERROR_SUCCESS == RegOpenKeyEx(
|
|
HKEY_CURRENT_USER, // handle to open key
|
|
AUTO_ENROLLMENT_EXPRESS_KEY, // subkey name
|
|
0, // reserved
|
|
KEY_READ, // security access mask
|
|
&hKey)) // handle to open key
|
|
{
|
|
fResult=TRUE;
|
|
}
|
|
|
|
if(hKey)
|
|
RegCloseKey(hKey);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//-----------------------------------------------------------------------
|
|
//
|
|
// AEMainThreadProc
|
|
//
|
|
// The background thread for non-blocking autoenrollment background
|
|
// processing.
|
|
//
|
|
//-----------------------------------------------------------------------
|
|
DWORD WINAPI AEMainThreadProc(LPVOID lpParameter)
|
|
{
|
|
HRESULT hr=S_OK;
|
|
BOOL fMachine=FALSE;
|
|
DWORD dwPolicy=0;
|
|
DWORD dwLogLevel=STATUS_SEVERITY_ERROR;
|
|
HWND hwndParent=0;
|
|
DWORD dwStatus=0;
|
|
LARGE_INTEGER ftPreTimeStamp;
|
|
LARGE_INTEGER ftPostTimeStamp;
|
|
BOOL fNeedToSetupTimer=FALSE;
|
|
|
|
LDAP *pld = NULL;
|
|
|
|
//get the system time stamp
|
|
GetSystemTimeAsFileTime((LPFILETIME)&ftPreTimeStamp);
|
|
|
|
//the two input parameters are not yet used
|
|
if(NULL==lpParameter)
|
|
goto CommonReturn;
|
|
|
|
hwndParent = ((AE_MAIN_THREAD_INFO *)lpParameter)->hwndParent;
|
|
dwStatus = ((AE_MAIN_THREAD_INFO *)lpParameter)->dwStatus;
|
|
|
|
AE_DEBUG((AE_INFO, L"Beginning CertAutoEnrollment(%s).\n", (CERT_AUTO_ENROLLMENT_START_UP==dwStatus?L"START_UP":L"WAKE_UP")));
|
|
|
|
//no autoenrollment in the safe boot mode
|
|
//no autoenrollment if we are not in a domain
|
|
if(AEInSafeBoot() || !AEIsDomainMember())
|
|
goto CommonReturn;
|
|
|
|
//we need to set up the timer
|
|
fNeedToSetupTimer=TRUE;
|
|
|
|
//detect if we are running under user or machine context
|
|
if(!AEIsLocalSystem(&fMachine))
|
|
goto CommonReturn;
|
|
AE_DEBUG((AE_INFO, L"CertAutoEnrollment running as %s.\n", (fMachine?L"machine":L"user")));
|
|
|
|
AESetWakeUpFlag(fMachine, TRUE);
|
|
|
|
//we wait for 70 seconds for user case to give enough time for
|
|
//machine autoenrollment to complete, which will download certificates
|
|
//from the directory
|
|
if(!fMachine)
|
|
{
|
|
if(!AEExpress())
|
|
{
|
|
Sleep(USER_AUTOENROLL_DELAY_FOR_MACHINE * 1000);
|
|
}
|
|
}
|
|
|
|
//get the autoenrollment log level
|
|
if(!AERetrieveLogLevel(fMachine, &dwLogLevel))
|
|
goto CommonReturn;
|
|
|
|
//log the autoenrollment start event
|
|
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK, EVENT_AUTOENROLL_START, fMachine, NULL, 0);
|
|
|
|
//get the autoenrollment policy flag
|
|
if(!AEGetPolicyFlag(fMachine, &dwPolicy))
|
|
goto CommonReturn;
|
|
|
|
//no need to do anything if autoenrollment is completely disabled
|
|
if(AUTO_ENROLLMENT_DISABLE_ALL & dwPolicy)
|
|
goto CommonReturn;
|
|
|
|
|
|
//download NTAuth And Enterprise root store for machine
|
|
if(fMachine)
|
|
{
|
|
//bind to the DS
|
|
if(S_OK != (hr=AERobustLdapBind(&pld)))
|
|
{
|
|
SetLastError(hr);
|
|
AELogAutoEnrollmentEvent(dwLogLevel, TRUE, hr, EVENT_FAIL_BIND_TO_DS, fMachine, NULL, 0);
|
|
goto CommonReturn;
|
|
}
|
|
|
|
AEDownloadStore(pld);
|
|
}
|
|
|
|
//if we are required to do a WIN2K style autoenrollment, and the machine/user's
|
|
//ACRS store is empty, just return as we done.
|
|
if(0 == dwPolicy)
|
|
{
|
|
if(IsACRSStoreEmpty(fMachine))
|
|
goto CommonReturn;
|
|
}
|
|
|
|
if(NULL==pld)
|
|
{
|
|
//bind to the DS
|
|
if(S_OK != (hr=AERobustLdapBind(&pld)))
|
|
{
|
|
SetLastError(hr);
|
|
AELogAutoEnrollmentEvent(dwLogLevel, TRUE, hr, EVENT_FAIL_BIND_TO_DS, fMachine, NULL, 0);
|
|
goto CommonReturn;
|
|
}
|
|
}
|
|
|
|
AEProcessEnrollment(hwndParent, fMachine, pld, dwPolicy, dwLogLevel);
|
|
|
|
CommonReturn:
|
|
|
|
//get the system time
|
|
GetSystemTimeAsFileTime((LPFILETIME)&ftPostTimeStamp);
|
|
|
|
//set up the timer for next time
|
|
if(TRUE == fNeedToSetupTimer)
|
|
{
|
|
// we will need to do this again in a few hours.
|
|
AESetWakeUpTimer(fMachine, &ftPreTimeStamp, &ftPostTimeStamp);
|
|
}
|
|
|
|
if(pld)
|
|
ldap_unbind(pld);
|
|
|
|
if(lpParameter)
|
|
LocalFree((HLOCAL)lpParameter);
|
|
|
|
AELogAutoEnrollmentEvent(dwLogLevel, FALSE, S_OK, EVENT_AUTOENROLL_COMPLETE, fMachine, NULL, 0);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// CertAutoEnrollment
|
|
//
|
|
// Function to perform autoenrollment actions. It creates a working
|
|
// thread and return immediately so that it is non-blocking.
|
|
//
|
|
// Parameters:
|
|
// IN hwndParent: The parent window
|
|
// IN dwStatus: The status under which the function is called.
|
|
// It can be one of the following:
|
|
// CERT_AUTO_ENROLLMENT_START_UP
|
|
// CERT_AUTO_ENROLLMENT_WAKE_UP
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
HANDLE
|
|
WINAPI
|
|
CertAutoEnrollment(IN HWND hwndParent,
|
|
IN DWORD dwStatus)
|
|
{
|
|
DWORD dwThreadID=0;
|
|
//memory will be freed in the main thread
|
|
AE_MAIN_THREAD_INFO *pAE_Main_Thread_Info=NULL;
|
|
|
|
HANDLE hThread=NULL;
|
|
|
|
pAE_Main_Thread_Info=(AE_MAIN_THREAD_INFO *)LocalAlloc(LPTR, sizeof(AE_MAIN_THREAD_INFO));
|
|
if(NULL==pAE_Main_Thread_Info)
|
|
return NULL;
|
|
|
|
memset(pAE_Main_Thread_Info, 0, sizeof(AE_MAIN_THREAD_INFO));
|
|
pAE_Main_Thread_Info->hwndParent=hwndParent;
|
|
pAE_Main_Thread_Info->dwStatus=dwStatus;
|
|
|
|
hThread = CreateThread(NULL,
|
|
0,
|
|
AEMainThreadProc,
|
|
pAE_Main_Thread_Info,
|
|
0, //execute immediately
|
|
&dwThreadID);
|
|
|
|
//set the thread priority to low so that we will not compete with the shell
|
|
SetThreadPriority(hThread, THREAD_PRIORITY_BELOW_NORMAL);
|
|
|
|
return hThread;
|
|
}
|
|
|
|
//--------------------------------------------------------------------
|
|
//
|
|
// AERetrieveClientToken
|
|
//
|
|
//--------------------------------------------------------------------
|
|
BOOL AERetrieveClientToken(HANDLE *phToken)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
HANDLE hHandle = NULL;
|
|
HANDLE hClientToken = NULL;
|
|
|
|
hHandle = GetCurrentThread();
|
|
if (NULL == hHandle)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
else
|
|
{
|
|
|
|
if (!OpenThreadToken(hHandle,
|
|
TOKEN_QUERY,
|
|
TRUE, // open as self
|
|
&hClientToken))
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
CloseHandle(hHandle);
|
|
hHandle = NULL;
|
|
}
|
|
}
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
hHandle = GetCurrentProcess();
|
|
if (NULL == hHandle)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
else
|
|
{
|
|
HANDLE hProcessToken = NULL;
|
|
hr = S_OK;
|
|
|
|
|
|
if (!OpenProcessToken(hHandle,
|
|
TOKEN_DUPLICATE,
|
|
&hProcessToken))
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
CloseHandle(hHandle);
|
|
hHandle = NULL;
|
|
}
|
|
else
|
|
{
|
|
if(!DuplicateToken(hProcessToken,
|
|
SecurityImpersonation,
|
|
&hClientToken))
|
|
{
|
|
hr = HRESULT_FROM_WIN32(GetLastError());
|
|
CloseHandle(hHandle);
|
|
hHandle = NULL;
|
|
}
|
|
CloseHandle(hProcessToken);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if(S_OK == hr)
|
|
*phToken = hClientToken;
|
|
|
|
if(hHandle)
|
|
CloseHandle(hHandle);
|
|
|
|
return (S_OK == hr);
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEGetComputerName
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
LPWSTR AEGetComputerName(COMPUTER_NAME_FORMAT NameType)
|
|
{
|
|
DWORD dwSize=0;
|
|
|
|
LPWSTR pwszName=NULL;
|
|
|
|
if(!GetComputerNameEx(NameType, NULL, &dwSize))
|
|
{
|
|
if(ERROR_MORE_DATA != GetLastError())
|
|
goto Ret;
|
|
}
|
|
else
|
|
{
|
|
//this is to work around a bug in cluster code that it returns TRUE
|
|
//to retrive the size
|
|
dwSize++;
|
|
}
|
|
|
|
pwszName=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSize);
|
|
if(NULL == pwszName)
|
|
goto Ret;
|
|
|
|
if(!GetComputerNameEx(NameType, pwszName, &dwSize))
|
|
{
|
|
LocalFree(pwszName);
|
|
pwszName=NULL;
|
|
goto Ret;
|
|
}
|
|
|
|
Ret:
|
|
|
|
return pwszName;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERetrieveGeneralInfo
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AERetrieveGeneralInfo(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
DWORD dwOpenStoreFlags = CERT_SYSTEM_STORE_CURRENT_USER;
|
|
DWORD cMachineName = MAX_COMPUTERNAME_LENGTH + 2;
|
|
LONG dwResult = 0;
|
|
|
|
SCARDCONTEXT hSCContext=NULL;
|
|
|
|
//get the client token
|
|
if(pAE_General_Info->fMachine)
|
|
{
|
|
if(!AENetLogonUser(NULL, NULL, NULL, &(pAE_General_Info->hToken)))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Obtain local system's token (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if(!AERetrieveClientToken(&(pAE_General_Info->hToken)))
|
|
goto Ret;
|
|
}
|
|
|
|
//get the machine name
|
|
if (!GetComputerNameW(pAE_General_Info->wszMachineName,
|
|
&cMachineName))
|
|
goto Ret;
|
|
|
|
if(pAE_General_Info->fMachine)
|
|
dwOpenStoreFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE;
|
|
|
|
//open my store
|
|
if (NULL == (pAE_General_Info->hMyStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_W,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
dwOpenStoreFlags,
|
|
MY_STORE)))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Unable to open MY store (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
if(!CertControlStore(pAE_General_Info->hMyStore,
|
|
0,
|
|
CERT_STORE_CTRL_AUTO_RESYNC,
|
|
NULL))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Unable configure MY store for auto-resync(%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
//open request store
|
|
if (NULL == (pAE_General_Info->hRequestStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_W,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
dwOpenStoreFlags,
|
|
REQUEST_STORE)))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Unable to open Request store (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
//get CertType information
|
|
if(!AERetrieveCertTypeInfo( pAE_General_Info->pld,
|
|
pAE_General_Info->fMachine,
|
|
&(pAE_General_Info->dwCertType),
|
|
&(pAE_General_Info->rgCertTypeInfo)))
|
|
{
|
|
AE_DEBUG((AE_ERROR, L"Unable to retrieve CertType information (%lx)\n\r", GetLastError()));
|
|
goto Ret;
|
|
}
|
|
|
|
//load xenroll module. No need to check errors since this is not a fatal error
|
|
pAE_General_Info->hXenroll = LoadLibrary(L"xenroll.dll");
|
|
|
|
|
|
//detect if the smart card subsystem if running for users only
|
|
if(FALSE == pAE_General_Info->fMachine)
|
|
{
|
|
dwResult = SCardEstablishContext(
|
|
SCARD_SCOPE_USER,
|
|
NULL,
|
|
NULL,
|
|
&hSCContext );
|
|
|
|
if((0 == dwResult) && (NULL != hSCContext))
|
|
pAE_General_Info->fSmartcardSystem=TRUE;
|
|
}
|
|
|
|
//get the NetBIOS name and the DNS name of the computer. This is different from
|
|
//wszMachineName, since it will be the physicalNetBIOS name
|
|
//No need to check errors since this is not a fatal error
|
|
|
|
pAE_General_Info->pwszDns=AEGetComputerName(ComputerNameDnsFullyQualified);
|
|
|
|
pAE_General_Info->pwszNetBIOS=AEGetComputerName(ComputerNameNetBIOS);
|
|
|
|
fResult = TRUE;
|
|
|
|
Ret:
|
|
|
|
if(hSCContext)
|
|
SCardReleaseContext(hSCContext);
|
|
|
|
if(FALSE == fResult)
|
|
AEFreeGeneralInfo(pAE_General_Info);
|
|
|
|
return fResult;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEFreeGeneralInfo
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEFreeGeneralInfo(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
if(pAE_General_Info)
|
|
{
|
|
if(pAE_General_Info->hToken)
|
|
CloseHandle(pAE_General_Info->hToken);
|
|
|
|
if(pAE_General_Info->hMyStore)
|
|
CertCloseStore(pAE_General_Info->hMyStore, 0);
|
|
|
|
if(pAE_General_Info->hRequestStore)
|
|
CertCloseStore(pAE_General_Info->hRequestStore, 0);
|
|
|
|
//free CA information
|
|
AEFreeCAInfo(pAE_General_Info->dwCA, pAE_General_Info->rgCAInfo);
|
|
|
|
//free CertType information
|
|
AEFreeCertTypeInfo(pAE_General_Info->dwCertType, pAE_General_Info->rgCertTypeInfo);
|
|
|
|
if(pAE_General_Info->hXenroll)
|
|
FreeLibrary(pAE_General_Info->hXenroll);
|
|
|
|
if(pAE_General_Info->hCancelEvent)
|
|
CloseHandle(pAE_General_Info->hCancelEvent);
|
|
|
|
if(pAE_General_Info->hCompleteEvent)
|
|
CloseHandle(pAE_General_Info->hCompleteEvent);
|
|
|
|
if(pAE_General_Info->hThread)
|
|
CloseHandle(pAE_General_Info->hThread);
|
|
|
|
if(pAE_General_Info->pwszDns)
|
|
LocalFree(pAE_General_Info->pwszDns);
|
|
|
|
if(pAE_General_Info->pwszNetBIOS)
|
|
LocalFree(pAE_General_Info->pwszNetBIOS);
|
|
|
|
memset(pAE_General_Info, 0, sizeof(AE_GENERAL_INFO));
|
|
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERetrieveCertTypeInfo
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AERetrieveCertTypeInfo(LDAP *pld, BOOL fMachine, DWORD *pdwCertType, AE_CERTTYPE_INFO **prgCertType)
|
|
{
|
|
BOOL fResult=FALSE;
|
|
DWORD dwCount=0;
|
|
DWORD dwCertType=0;
|
|
DWORD dwIndex=0;
|
|
HRESULT hr=E_FAIL;
|
|
|
|
HCERTTYPE hCTCurrent = NULL;
|
|
HCERTTYPE hCTNew = NULL;
|
|
AE_CERTTYPE_INFO *rgCertTypeInfo=NULL;
|
|
|
|
*pdwCertType=0;
|
|
*prgCertType=NULL;
|
|
|
|
if(S_OK != (hr = CAEnumCertTypesEx(
|
|
(LPCWSTR)pld,
|
|
fMachine?CT_ENUM_MACHINE_TYPES | CT_FIND_LOCAL_SYSTEM | CT_FLAG_SCOPE_IS_LDAP_HANDLE: CT_ENUM_USER_TYPES | CT_FLAG_SCOPE_IS_LDAP_HANDLE,
|
|
&hCTCurrent)))
|
|
{
|
|
SetLastError(hr);
|
|
goto Ret;
|
|
}
|
|
|
|
if((NULL == hCTCurrent) || (0 == (dwCount = CACountCertTypes(hCTCurrent))))
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"No CT's available for auto-enrollment\n\r"));
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
rgCertTypeInfo=(AE_CERTTYPE_INFO *)LocalAlloc(LPTR, sizeof(AE_CERTTYPE_INFO) * dwCount);
|
|
if(NULL==rgCertTypeInfo)
|
|
{
|
|
SetLastError(E_OUTOFMEMORY);
|
|
goto Ret;
|
|
}
|
|
|
|
memset(rgCertTypeInfo, 0, sizeof(AE_CERTTYPE_INFO) * dwCount);
|
|
|
|
for(dwIndex = 0; dwIndex < dwCount; dwIndex++ )
|
|
{
|
|
|
|
//check if we have a new certificate template
|
|
if(dwIndex > 0)
|
|
{
|
|
hr = CAEnumNextCertType(hCTCurrent, &hCTNew);
|
|
|
|
if((S_OK != hr) || (NULL == hCTNew))
|
|
{
|
|
// Clean up from previous calls
|
|
if(dwCertType < dwCount)
|
|
AEFreeCertTypeStruct(&(rgCertTypeInfo[dwCertType]));
|
|
|
|
break;
|
|
}
|
|
|
|
hCTCurrent = hCTNew;
|
|
}
|
|
|
|
// Clean up from previous calls
|
|
AEFreeCertTypeStruct(&(rgCertTypeInfo[dwCertType]));
|
|
|
|
//copy the new CertType' data
|
|
//hCertType
|
|
rgCertTypeInfo[dwCertType].hCertType = hCTCurrent;
|
|
|
|
//CTName
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_DN,
|
|
&(rgCertTypeInfo[dwCertType].awszName));
|
|
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCertTypeInfo[dwCertType].awszName) ||
|
|
(NULL == (rgCertTypeInfo[dwCertType].awszName)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No name property for CertType\n\r"));
|
|
continue;
|
|
}
|
|
|
|
//FriendlyName
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_FRIENDLY_NAME,
|
|
&(rgCertTypeInfo[dwCertType].awszDisplay));
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCertTypeInfo[dwCertType].awszDisplay) ||
|
|
(NULL == (rgCertTypeInfo[dwCertType].awszDisplay)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No display property for CertType\n\r"));
|
|
|
|
//get the DN as the display name
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_DN,
|
|
&(rgCertTypeInfo[dwCertType].awszDisplay));
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCertTypeInfo[dwCertType].awszDisplay) ||
|
|
(NULL == (rgCertTypeInfo[dwCertType].awszDisplay)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No name property for CertType\n\r"));
|
|
continue;
|
|
}
|
|
}
|
|
|
|
//dwSchemaVersion
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_SCHEMA_VERSION,
|
|
&(rgCertTypeInfo[dwCertType].dwSchemaVersion));
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No schema version for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//dwVersion
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_REVISION,
|
|
&(rgCertTypeInfo[dwCertType].dwVersion));
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No major version for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//dwEnrollmentFlag
|
|
hr = CAGetCertTypeFlagsEx(
|
|
hCTCurrent,
|
|
CERTTYPE_ENROLLMENT_FLAG,
|
|
&(rgCertTypeInfo[dwCertType].dwEnrollmentFlag));
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No enrollment flag for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//dwPrivatekeyFlag
|
|
hr = CAGetCertTypeFlagsEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PRIVATE_KEY_FLAG,
|
|
&(rgCertTypeInfo[dwCertType].dwPrivateKeyFlag));
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No private key flag for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//expiration offset
|
|
hr = CAGetCertTypeExpiration(
|
|
hCTCurrent,
|
|
NULL,
|
|
(LPFILETIME)&(rgCertTypeInfo[dwCertType].ftExpirationOffset));
|
|
|
|
//we might not get the expiration date
|
|
if(hr != S_OK)
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"Could not get cert type expirations: %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
}
|
|
|
|
//oid
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_OID,
|
|
&(rgCertTypeInfo[dwCertType].awszOID));
|
|
|
|
//we might not get the oid property
|
|
if(rgCertTypeInfo[dwCertType].dwSchemaVersion >= CERTTYPE_SCHEMA_VERSION_2)
|
|
{
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCertTypeInfo[dwCertType].awszOID) ||
|
|
(NULL == (rgCertTypeInfo[dwCertType].awszOID)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No oid for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
}
|
|
|
|
|
|
//supersede
|
|
hr = CAGetCertTypePropertyEx(
|
|
hCTCurrent,
|
|
CERTTYPE_PROP_SUPERSEDE,
|
|
&(rgCertTypeInfo[dwCertType].awszSupersede));
|
|
|
|
//we might not get the supersede property
|
|
if(hr != S_OK)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No supersede for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
}
|
|
|
|
//hArchiveStore
|
|
if(NULL == (rgCertTypeInfo[dwCertType].hArchiveStore=CertOpenStore(
|
|
CERT_STORE_PROV_MEMORY,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
0,
|
|
NULL)))
|
|
|
|
{
|
|
AE_DEBUG((AE_INFO, L"Unable to open archive cert store for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//hObtainedStore
|
|
if(NULL == (rgCertTypeInfo[dwCertType].hObtainedStore=CertOpenStore(
|
|
CERT_STORE_PROV_MEMORY,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
0,
|
|
NULL)))
|
|
|
|
{
|
|
AE_DEBUG((AE_INFO, L"Unable to open obtained cert store for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//hIssuedStore
|
|
if(NULL == (rgCertTypeInfo[dwCertType].hIssuedStore=CertOpenStore(
|
|
CERT_STORE_PROV_MEMORY,
|
|
ENCODING_TYPE,
|
|
NULL,
|
|
0,
|
|
NULL)))
|
|
|
|
{
|
|
AE_DEBUG((AE_INFO, L"Unable to open issued cert store for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//allocate memory
|
|
rgCertTypeInfo[dwCertType].prgActive=(DWORD *)LocalAlloc(LPTR, sizeof(DWORD) * dwCount);
|
|
if(NULL == rgCertTypeInfo[dwCertType].prgActive)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"Unable to allocate memory for CT %ls\n\r", (rgCertTypeInfo[dwCertType].awszName)[0]));
|
|
continue;
|
|
}
|
|
|
|
memset(rgCertTypeInfo[dwCertType].prgActive, 0, sizeof(DWORD) * dwCount);
|
|
|
|
dwCertType++;
|
|
}
|
|
|
|
*pdwCertType=dwCertType;
|
|
*prgCertType=rgCertTypeInfo;
|
|
|
|
fResult = TRUE;
|
|
|
|
Ret:
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEFreeCertTypeInfo
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEFreeCertTypeInfo(DWORD dwCertType, AE_CERTTYPE_INFO *rgCertTypeInfo)
|
|
{
|
|
DWORD dwIndex=0;
|
|
|
|
if(rgCertTypeInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < dwCertType; dwIndex++)
|
|
AEFreeCertTypeStruct(&(rgCertTypeInfo[dwIndex]));
|
|
|
|
LocalFree(rgCertTypeInfo);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEFreeCertTypeStruct
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEFreeCertTypeStruct(AE_CERTTYPE_INFO *pCertTypeInfo)
|
|
{
|
|
DWORD dwIndex=0;
|
|
|
|
if(pCertTypeInfo)
|
|
{
|
|
if(pCertTypeInfo->hCertType)
|
|
{
|
|
if(pCertTypeInfo->awszName)
|
|
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszName);
|
|
|
|
if(pCertTypeInfo->awszDisplay)
|
|
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszDisplay);
|
|
|
|
if(pCertTypeInfo->awszOID)
|
|
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszOID);
|
|
|
|
if(pCertTypeInfo->awszSupersede)
|
|
CAFreeCertTypeProperty(pCertTypeInfo->hCertType, pCertTypeInfo->awszSupersede);
|
|
|
|
CACloseCertType(pCertTypeInfo->hCertType);
|
|
}
|
|
|
|
if(pCertTypeInfo->prgActive)
|
|
LocalFree(pCertTypeInfo->prgActive);
|
|
|
|
if(pCertTypeInfo->pOldCert)
|
|
CertFreeCertificateContext(pCertTypeInfo->pOldCert);
|
|
|
|
if(pCertTypeInfo->hArchiveStore)
|
|
CertCloseStore(pCertTypeInfo->hArchiveStore, 0);
|
|
|
|
if(pCertTypeInfo->hObtainedStore)
|
|
CertCloseStore(pCertTypeInfo->hObtainedStore, 0);
|
|
|
|
if(pCertTypeInfo->hIssuedStore)
|
|
CertCloseStore(pCertTypeInfo->hIssuedStore, 0);
|
|
|
|
if(pCertTypeInfo->dwPendCount)
|
|
{
|
|
if(pCertTypeInfo->rgPendInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < pCertTypeInfo->dwPendCount; dwIndex++)
|
|
{
|
|
if((pCertTypeInfo->rgPendInfo[dwIndex]).blobPKCS7.pbData)
|
|
LocalFree((pCertTypeInfo->rgPendInfo[dwIndex]).blobPKCS7.pbData);
|
|
|
|
if((pCertTypeInfo->rgPendInfo[dwIndex]).blobHash.pbData)
|
|
LocalFree((pCertTypeInfo->rgPendInfo[dwIndex]).blobHash.pbData);
|
|
}
|
|
|
|
LocalFree(pCertTypeInfo->rgPendInfo);
|
|
}
|
|
}
|
|
|
|
memset(pCertTypeInfo, 0, sizeof(AE_CERTTYPE_INFO));
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERetrieveCAInfo
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AERetrieveCAInfo(LDAP *pld, BOOL fMachine, HANDLE hToken, DWORD *pdwCA, AE_CA_INFO **prgCAInfo)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
DWORD dwCount=0;
|
|
DWORD dwCA=0;
|
|
DWORD dwIndex=0;
|
|
HRESULT hr=E_FAIL;
|
|
|
|
HCAINFO hCACurrent = NULL;
|
|
HCAINFO hCANew = NULL;
|
|
AE_CA_INFO *rgCAInfo=NULL;
|
|
|
|
*pdwCA=0;
|
|
*prgCAInfo=NULL;
|
|
|
|
if(S_OK != (hr = CAEnumFirstCA(
|
|
(LPCWSTR)pld,
|
|
CA_FLAG_SCOPE_IS_LDAP_HANDLE | (fMachine?CA_FIND_LOCAL_SYSTEM:0),
|
|
&hCACurrent)))
|
|
{
|
|
SetLastError(hr);
|
|
goto Ret;
|
|
}
|
|
|
|
if((NULL == hCACurrent) || (0 == (dwCount = CACountCAs(hCACurrent))))
|
|
{
|
|
AE_DEBUG((AE_WARNING, L"No CA's available for auto-enrollment\n\r"));
|
|
fResult=TRUE;
|
|
goto Ret;
|
|
}
|
|
|
|
rgCAInfo=(AE_CA_INFO *)LocalAlloc(LPTR, sizeof(AE_CA_INFO) * dwCount);
|
|
if(NULL==rgCAInfo)
|
|
{
|
|
SetLastError(E_OUTOFMEMORY);
|
|
goto Ret;
|
|
}
|
|
|
|
memset(rgCAInfo, 0, sizeof(AE_CA_INFO) * dwCount);
|
|
|
|
for(dwIndex = 0; dwIndex < dwCount; dwIndex++ )
|
|
{
|
|
|
|
//check if we have a new CA
|
|
if(dwIndex > 0)
|
|
{
|
|
hr = CAEnumNextCA(hCACurrent, &hCANew);
|
|
|
|
if((S_OK != hr) || (NULL == hCANew))
|
|
{
|
|
// Clean up from previous calls
|
|
if(dwCA < dwCount)
|
|
AEFreeCAStruct(&(rgCAInfo[dwCA]));
|
|
|
|
break;
|
|
}
|
|
|
|
hCACurrent = hCANew;
|
|
}
|
|
|
|
// Clean up from previous calls
|
|
AEFreeCAStruct(&(rgCAInfo[dwCA]));
|
|
|
|
//copy the new CA' data
|
|
//hCAInfo
|
|
rgCAInfo[dwCA].hCAInfo = hCACurrent;
|
|
|
|
//CAName
|
|
hr = CAGetCAProperty(hCACurrent,
|
|
CA_PROP_NAME,
|
|
&(rgCAInfo[dwCA].awszCAName));
|
|
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCAInfo[dwCA].awszCAName) ||
|
|
(NULL == (rgCAInfo[dwCA].awszCAName)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No name property for ca\n\r"));
|
|
continue;
|
|
}
|
|
|
|
//access check
|
|
if(S_OK != CAAccessCheckEx(rgCAInfo[dwCA].hCAInfo, hToken, CERTTYPE_ACCESS_CHECK_ENROLL | CERTTYPE_ACCESS_CHECK_NO_MAPPING))
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No access for CA %ls\n\r", (rgCAInfo[dwCA].awszCAName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//CA Display
|
|
hr = CAGetCAProperty(hCACurrent,
|
|
CA_PROP_DISPLAY_NAME,
|
|
&(rgCAInfo[dwCA].awszCADisplay));
|
|
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCAInfo[dwCA].awszCADisplay) ||
|
|
(NULL == (rgCAInfo[dwCA].awszCADisplay)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No display name property for ca\n\r"));
|
|
|
|
hr = CAGetCAProperty(hCACurrent,
|
|
CA_PROP_NAME,
|
|
&(rgCAInfo[dwCA].awszCADisplay));
|
|
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCAInfo[dwCA].awszCADisplay) ||
|
|
(NULL == (rgCAInfo[dwCA].awszCADisplay)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No name property for ca\n\r"));
|
|
continue;
|
|
}
|
|
}
|
|
|
|
//CADNS
|
|
hr = CAGetCAProperty(hCACurrent,
|
|
CA_PROP_DNSNAME,
|
|
&(rgCAInfo[dwCA].awszCADNS));
|
|
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCAInfo[dwCA].awszCADNS) ||
|
|
(NULL == (rgCAInfo[dwCA].awszCADNS)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No DNS property for CA %ls\n\r", (rgCAInfo[dwCA].awszCAName)[0]));
|
|
continue;
|
|
}
|
|
|
|
//CACertificateTemplate
|
|
hr = CAGetCAProperty(hCACurrent,
|
|
CA_PROP_CERT_TYPES,
|
|
&(rgCAInfo[dwCA].awszCertificateTemplate));
|
|
|
|
if((S_OK != hr) ||
|
|
(NULL == rgCAInfo[dwCA].awszCertificateTemplate) ||
|
|
(NULL == (rgCAInfo[dwCA].awszCertificateTemplate)[0])
|
|
)
|
|
{
|
|
AE_DEBUG((AE_INFO, L"No CertType property for CA %ls\n\r", (rgCAInfo[dwCA].awszCAName)[0]));
|
|
continue;
|
|
}
|
|
|
|
dwCA++;
|
|
}
|
|
|
|
*pdwCA=dwCA;
|
|
*prgCAInfo=rgCAInfo;
|
|
|
|
fResult = TRUE;
|
|
|
|
Ret:
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEFreeCAInfo
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEFreeCAInfo(DWORD dwCA, AE_CA_INFO *rgCAInfo)
|
|
{
|
|
DWORD dwIndex=0;
|
|
|
|
if(rgCAInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < dwCA; dwIndex++)
|
|
AEFreeCAStruct(&(rgCAInfo[dwIndex]));
|
|
|
|
LocalFree(rgCAInfo);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEFreeCAStruct
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEFreeCAStruct(AE_CA_INFO *pCAInfo)
|
|
{
|
|
if(pCAInfo)
|
|
{
|
|
if(pCAInfo->hCAInfo)
|
|
{
|
|
if(pCAInfo->awszCAName)
|
|
{
|
|
CAFreeCAProperty(pCAInfo->hCAInfo,pCAInfo->awszCAName);
|
|
}
|
|
if(pCAInfo->awszCADisplay)
|
|
{
|
|
CAFreeCAProperty(pCAInfo->hCAInfo,pCAInfo->awszCADisplay);
|
|
}
|
|
if(pCAInfo->awszCADNS)
|
|
{
|
|
CAFreeCAProperty(pCAInfo->hCAInfo, pCAInfo->awszCADNS);
|
|
}
|
|
if(pCAInfo->awszCertificateTemplate)
|
|
{
|
|
CAFreeCAProperty(pCAInfo->hCAInfo,pCAInfo->awszCertificateTemplate);
|
|
}
|
|
|
|
CACloseCA(pCAInfo->hCAInfo);
|
|
}
|
|
|
|
memset(pCAInfo, 0, sizeof(AE_CA_INFO));
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEClearVistedFlag
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEClearVistedFlag(AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
DWORD dwIndex=0;
|
|
|
|
if(pAE_General_Info)
|
|
{
|
|
if(pAE_General_Info->rgCertTypeInfo)
|
|
{
|
|
for(dwIndex=0; dwIndex < pAE_General_Info->dwCertType; dwIndex++)
|
|
{
|
|
(pAE_General_Info->rgCertTypeInfo)[dwIndex].fSupersedeVisited=FALSE;
|
|
}
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEIfSupersede
|
|
//
|
|
// Recursively find if pwsz is superseded by one of the template in awsz.
|
|
// Notice that we should not loop in the superseding relationship.
|
|
// Superseding tree should be one directional tree without duplicated nodes.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEIfSupersede(LPWSTR pwsz, LPWSTR *awsz, AE_GENERAL_INFO *pAE_General_Info)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
LPWSTR *pwszArray = awsz;
|
|
AE_TEMPLATE_INFO AETemplateInfo;
|
|
AE_CERTTYPE_INFO *pCertType = NULL;
|
|
|
|
LPWSTR *awszSupersede=NULL;
|
|
|
|
if((NULL==pwsz) || (NULL==awsz))
|
|
return FALSE;
|
|
|
|
while(*pwszArray)
|
|
{
|
|
if(0 == wcscmp(pwsz, *pwszArray))
|
|
{
|
|
fResult = TRUE;
|
|
break;
|
|
}
|
|
|
|
//find the template
|
|
memset(&AETemplateInfo, 0, sizeof(AE_TEMPLATE_INFO));
|
|
|
|
AETemplateInfo.pwszName=*pwszArray;
|
|
|
|
pCertType = AEFindTemplateInRequestTree(
|
|
&AETemplateInfo,
|
|
pAE_General_Info);
|
|
|
|
if(pCertType)
|
|
{
|
|
if(!(pCertType->fSupersedeVisited))
|
|
{
|
|
//mark that we have visited superseding relationship for this template
|
|
pCertType->fSupersedeVisited=TRUE;
|
|
|
|
if(S_OK == CAGetCertTypePropertyEx(
|
|
pCertType->hCertType,
|
|
CERTTYPE_PROP_SUPERSEDE,
|
|
&(awszSupersede)))
|
|
{
|
|
fResult = AEIfSupersede(pwsz, awszSupersede, pAE_General_Info);
|
|
|
|
if(awszSupersede)
|
|
CAFreeCertTypeProperty(
|
|
pCertType->hCertType,
|
|
awszSupersede);
|
|
|
|
awszSupersede=NULL;
|
|
|
|
if(TRUE == fResult)
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
pwszArray++;
|
|
}
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEIsAnElement
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEIsAnElement(LPWSTR pwsz, LPWSTR *awsz)
|
|
{
|
|
BOOL fResult = FALSE;
|
|
LPWSTR *pwszArray = awsz;
|
|
|
|
if((NULL==pwsz) || (NULL==awsz))
|
|
return FALSE;
|
|
|
|
while(*pwszArray)
|
|
{
|
|
if(0 == wcscmp(pwsz, *pwszArray))
|
|
{
|
|
fResult = TRUE;
|
|
break;
|
|
}
|
|
|
|
pwszArray++;
|
|
}
|
|
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AECopyCertStore
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AECopyCertStore(HCERTSTORE hSrcStore,
|
|
HCERTSTORE hDesStore)
|
|
{
|
|
PCCERT_CONTEXT pCertContext=NULL;
|
|
|
|
if((NULL==hSrcStore) || (NULL==hDesStore))
|
|
return FALSE;
|
|
|
|
while(pCertContext = CertEnumCertificatesInStore(hSrcStore, pCertContext))
|
|
{
|
|
CertAddCertificateContextToStore(hDesStore,
|
|
pCertContext,
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
NULL);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEIsEmptyStore
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL AEIsEmptyStore(HCERTSTORE hCertStore)
|
|
{
|
|
PCCERT_CONTEXT pCertContext=NULL;
|
|
|
|
if(NULL == hCertStore)
|
|
return TRUE;
|
|
|
|
if(pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext))
|
|
{
|
|
CertFreeCertificateContext(pCertContext);
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEGetConfigDN
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
HRESULT
|
|
AEGetConfigDN(
|
|
IN LDAP *pld,
|
|
OUT LPWSTR *pwszConfigDn
|
|
)
|
|
{
|
|
|
|
HRESULT hr;
|
|
ULONG LdapError;
|
|
|
|
LDAPMessage *SearchResult = NULL;
|
|
LDAPMessage *Entry = NULL;
|
|
WCHAR *Attr = NULL;
|
|
BerElement *BerElement;
|
|
WCHAR **Values = NULL;
|
|
|
|
WCHAR *AttrArray[3];
|
|
struct l_timeval timeout;
|
|
|
|
WCHAR *ConfigurationNamingContext = L"configurationNamingContext";
|
|
WCHAR *ObjectClassFilter = L"objectCategory=*";
|
|
|
|
//
|
|
// Set the out parameters to null
|
|
//
|
|
if(pwszConfigDn)
|
|
{
|
|
*pwszConfigDn = NULL;
|
|
}
|
|
|
|
timeout.tv_sec = 300;
|
|
timeout.tv_usec = 0;
|
|
//
|
|
// Query for the ldap server oerational attributes to obtain the default
|
|
// naming context.
|
|
//
|
|
AttrArray[0] = ConfigurationNamingContext;
|
|
AttrArray[1] = NULL; // this is the sentinel
|
|
|
|
LdapError = ldap_search_ext_s(pld,
|
|
NULL,
|
|
LDAP_SCOPE_BASE,
|
|
ObjectClassFilter,
|
|
AttrArray,
|
|
FALSE,
|
|
NULL,
|
|
NULL,
|
|
&timeout,
|
|
10000,
|
|
&SearchResult);
|
|
|
|
hr = HRESULT_FROM_WIN32(LdapMapErrorToWin32(LdapError));
|
|
|
|
if (S_OK == hr)
|
|
{
|
|
|
|
Entry = ldap_first_entry(pld, SearchResult);
|
|
|
|
if (Entry)
|
|
{
|
|
|
|
Values = ldap_get_values(pld,
|
|
Entry,
|
|
ConfigurationNamingContext);
|
|
|
|
if (Values && Values[0])
|
|
{
|
|
(*pwszConfigDn) = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(Values[0])+1));
|
|
|
|
if(NULL==(*pwszConfigDn))
|
|
hr=E_OUTOFMEMORY;
|
|
else
|
|
wcscpy((*pwszConfigDn), Values[0]);
|
|
}
|
|
|
|
ldap_value_free(Values);
|
|
}
|
|
|
|
if (pwszConfigDn && (!(*pwszConfigDn)))
|
|
{
|
|
// We could not get the default domain or out of memory - bail out
|
|
if(E_OUTOFMEMORY != hr)
|
|
hr = HRESULT_FROM_WIN32(ERROR_CANT_ACCESS_DOMAIN_INFO);
|
|
}
|
|
|
|
if(SearchResult)
|
|
{
|
|
ldap_msgfree(SearchResult);
|
|
}
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERobustLdapBind
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
HRESULT
|
|
AERobustLdapBind(
|
|
OUT LDAP ** ppldap)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
BOOL fForceRediscovery = FALSE;
|
|
DWORD dwDSNameFlags= DS_RETURN_DNS_NAME | DS_BACKGROUND_ONLY;
|
|
LDAP *pld = NULL;
|
|
ULONG ulOptions = 0;
|
|
ULONG ldaperr=LDAP_SERVER_DOWN;
|
|
|
|
do {
|
|
|
|
if(fForceRediscovery)
|
|
{
|
|
dwDSNameFlags |= DS_FORCE_REDISCOVERY;
|
|
}
|
|
|
|
ldaperr = LDAP_SERVER_DOWN;
|
|
|
|
if(NULL != pld)
|
|
{
|
|
ldap_unbind(pld);
|
|
pld=NULL;
|
|
}
|
|
|
|
// bind to ds
|
|
if((pld = ldap_initW(NULL, LDAP_PORT)) == NULL)
|
|
{
|
|
ldaperr = LdapGetLastError();
|
|
}
|
|
else
|
|
{
|
|
ldaperr = ldap_set_option(pld, LDAP_OPT_GETDSNAME_FLAGS, (VOID *)&dwDSNameFlags);
|
|
|
|
if(LDAP_SUCCESS == ldaperr)
|
|
{
|
|
ldaperr = ldap_set_option(pld, LDAP_OPT_SIGN, LDAP_OPT_ON);
|
|
|
|
if (LDAP_SUCCESS == ldaperr)
|
|
{
|
|
ldaperr = ldap_bind_sW(pld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
|
|
}
|
|
}
|
|
}
|
|
|
|
hr = HRESULT_FROM_WIN32(LdapMapErrorToWin32(ldaperr));
|
|
|
|
if(fForceRediscovery)
|
|
{
|
|
break;
|
|
}
|
|
|
|
fForceRediscovery = TRUE;
|
|
|
|
} while(ldaperr == LDAP_SERVER_DOWN);
|
|
|
|
|
|
if(S_OK != hr)
|
|
goto error;
|
|
|
|
*ppldap = pld;
|
|
pld = NULL;
|
|
|
|
hr=S_OK;
|
|
|
|
error:
|
|
|
|
if(pld)
|
|
{
|
|
ldap_unbind(pld);
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
//---------------------------------------------------------------------------
|
|
//
|
|
// AEAllocAndCopy
|
|
//
|
|
//---------------------------------------------------------------------------
|
|
BOOL AEAllocAndCopy(LPWSTR pwszSrc, LPWSTR *ppwszDest)
|
|
{
|
|
if((NULL==ppwszDest) || (NULL==pwszSrc))
|
|
{
|
|
SetLastError(E_INVALIDARG);
|
|
return FALSE;
|
|
}
|
|
|
|
*ppwszDest=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (wcslen(pwszSrc) + 1));
|
|
if(NULL==(*ppwszDest))
|
|
{
|
|
SetLastError(E_OUTOFMEMORY);
|
|
return FALSE;
|
|
}
|
|
|
|
wcscpy(*ppwszDest, pwszSrc);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
// Name: AELogAutoEnrollmentEvent
|
|
//
|
|
// Description: This function registers an event in the event log of the
|
|
// local machine. Takes an optional argument list.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
void AELogAutoEnrollmentEvent(IN DWORD dwLogLevel,
|
|
IN BOOL fError,
|
|
IN HRESULT hr,
|
|
IN DWORD dwEventId,
|
|
IN BOOL fMachine,
|
|
IN HANDLE hToken,
|
|
IN DWORD dwParamCount,
|
|
...
|
|
)
|
|
{
|
|
BYTE FastBuffer[MAX_DN_SIZE];
|
|
DWORD cbUser =0;
|
|
BOOL fAlloced = FALSE;
|
|
PSID pSID = NULL;
|
|
WORD dwEventType = 0;
|
|
LPWSTR awszStrings[PENDING_ALLOC_SIZE + 3];
|
|
WORD cStrings = 0;
|
|
LPWSTR wszString = NULL;
|
|
WCHAR wszMsg[MAX_DN_SIZE];
|
|
WCHAR wszUser[MAX_DN_SIZE];
|
|
DWORD dwIndex=0;
|
|
DWORD dwSize=0;
|
|
|
|
HANDLE hEventSource = NULL;
|
|
LPWSTR wszHR=NULL;
|
|
PTOKEN_USER ptgUser = NULL;
|
|
|
|
|
|
va_list ArgList;
|
|
|
|
|
|
//check the log level; log errors and success by default
|
|
if(((dwEventId >> 30) < dwLogLevel) && ((dwEventId >> 30) != STATUS_SEVERITY_SUCCESS))
|
|
return;
|
|
|
|
if(NULL==(hEventSource = RegisterEventSourceW(NULL, EVENT_AUTO_NAME)))
|
|
return;
|
|
|
|
//copy the user/machine string
|
|
wszUser[0]=L'\0';
|
|
|
|
//use the user name for user case
|
|
if(FALSE == fMachine)
|
|
{
|
|
dwSize=MAX_DN_SIZE;
|
|
|
|
if(!GetUserNameEx(
|
|
NameSamCompatible, // name format
|
|
wszUser, // name buffer
|
|
&dwSize)) // size of name buffer
|
|
{
|
|
LoadStringW(g_hmodThisDll, IDS_USER, wszUser, MAX_DN_SIZE);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
LoadStringW(g_hmodThisDll, IDS_MACHINE, wszUser, MAX_DN_SIZE);
|
|
}
|
|
|
|
awszStrings[cStrings++] = wszUser;
|
|
|
|
//copy the variable strings if present
|
|
va_start(ArgList, dwParamCount);
|
|
|
|
for(dwIndex=0; dwIndex < dwParamCount; dwIndex++)
|
|
{
|
|
wszString = va_arg(ArgList, LPWSTR);
|
|
|
|
awszStrings[cStrings++] = wszString;
|
|
|
|
if(cStrings >= PENDING_ALLOC_SIZE)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
|
|
va_end(ArgList);
|
|
|
|
//copy the hr error code
|
|
if(fError)
|
|
{
|
|
|
|
if(S_OK == hr)
|
|
hr=E_FAIL;
|
|
|
|
wsprintfW(wszMsg, L"0x%lx", hr);
|
|
awszStrings[cStrings++] = wszMsg;
|
|
|
|
|
|
if(0 != FormatMessage(
|
|
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
|
|
NULL,
|
|
hr,
|
|
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
|
(WCHAR *)&wszHR,
|
|
0,
|
|
NULL))
|
|
{
|
|
if(wszHR)
|
|
{
|
|
awszStrings[cStrings++] = wszHR;
|
|
}
|
|
else
|
|
{
|
|
awszStrings[cStrings++]=L" ";
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//provide an empty event log so that there will be no insertion strings
|
|
awszStrings[cStrings++]=L" ";
|
|
}
|
|
}
|
|
|
|
// check if the token is non zero is so then impersonating so get the SID
|
|
if((FALSE == fMachine) && (hToken))
|
|
{
|
|
ptgUser = (PTOKEN_USER)FastBuffer; // try fast buffer first
|
|
cbUser = MAX_DN_SIZE;
|
|
|
|
if (!GetTokenInformation(
|
|
hToken, // identifies access token
|
|
TokenUser, // TokenUser info type
|
|
ptgUser, // retrieved info buffer
|
|
cbUser, // size of buffer passed-in
|
|
&cbUser // required buffer size
|
|
))
|
|
{
|
|
if(GetLastError() == ERROR_INSUFFICIENT_BUFFER)
|
|
{
|
|
if (NULL != (ptgUser = (PTOKEN_USER)LocalAlloc(LPTR, cbUser)))
|
|
{
|
|
fAlloced = TRUE;
|
|
|
|
// get the user info and assign the sid if able to
|
|
if (GetTokenInformation(
|
|
hToken, // identifies access token
|
|
TokenUser, // TokenUser info type
|
|
ptgUser, // retrieved info buffer
|
|
cbUser, // size of buffer passed-in
|
|
&cbUser // required buffer size
|
|
))
|
|
{
|
|
pSID = ptgUser->User.Sid;
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
// assign the sid when fast buffer worked
|
|
pSID = ptgUser->User.Sid;
|
|
}
|
|
}
|
|
|
|
|
|
switch(dwEventId >> 30)
|
|
{
|
|
case 0:
|
|
dwEventType = EVENTLOG_SUCCESS;
|
|
break;
|
|
|
|
case 1:
|
|
dwEventType = EVENTLOG_INFORMATION_TYPE;
|
|
break;
|
|
|
|
case 2:
|
|
dwEventType = EVENTLOG_WARNING_TYPE;
|
|
break;
|
|
|
|
case 3:
|
|
dwEventType = EVENTLOG_ERROR_TYPE;
|
|
break;
|
|
}
|
|
|
|
ReportEventW(hEventSource, // handle of event source
|
|
dwEventType, // event type
|
|
0, // event category
|
|
dwEventId, // event ID
|
|
pSID, // current user's SID
|
|
cStrings, // strings in lpszStrings
|
|
0, // no bytes of raw data
|
|
(LPCWSTR*)awszStrings, // array of error strings
|
|
NULL // no raw data
|
|
);
|
|
|
|
if (hEventSource)
|
|
DeregisterEventSource(hEventSource);
|
|
|
|
if(fAlloced)
|
|
{
|
|
if(ptgUser)
|
|
LocalFree(ptgUser);
|
|
}
|
|
|
|
if(wszHR)
|
|
LocalFree(wszHR);
|
|
|
|
return;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// FormatMessageUnicode
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL FormatMessageUnicode(LPWSTR * ppwszFormat, UINT ids, ...)
|
|
{
|
|
// get format string from resources
|
|
WCHAR wszFormat[MAX_DN_SIZE];
|
|
va_list argList;
|
|
DWORD cbMsg=0;
|
|
BOOL fResult=FALSE;
|
|
|
|
if(NULL == ppwszFormat)
|
|
goto Ret;
|
|
|
|
if(!LoadStringW(g_hmodThisDll, ids, wszFormat, sizeof(wszFormat) / sizeof(wszFormat[0])))
|
|
goto Ret;
|
|
|
|
// format message into requested buffer
|
|
va_start(argList, ids);
|
|
|
|
cbMsg = FormatMessageW(
|
|
FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_STRING,
|
|
wszFormat,
|
|
0, // dwMessageId
|
|
0, // dwLanguageId
|
|
(LPWSTR) (ppwszFormat),
|
|
0, // minimum size to allocate
|
|
&argList);
|
|
|
|
va_end(argList);
|
|
|
|
if(!cbMsg)
|
|
goto Ret;
|
|
|
|
fResult=TRUE;
|
|
|
|
|
|
Ret:
|
|
return fResult;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AENetLogonUser
|
|
//
|
|
//Abstract:
|
|
//
|
|
// This module implements the network logon type by interfacing
|
|
// with the NT Lan Man Security Support Provider (NTLMSSP).
|
|
//
|
|
// If the logon succeds via the provided credentials, we duplicate
|
|
// the resultant Impersonation token to a Primary level token.
|
|
// This allows the result to be used in a call to CreateProcessAsUser
|
|
//
|
|
//Author:
|
|
//
|
|
// Scott Field (sfield) 09-Jun-96
|
|
//--------------------------------------------------------------------------
|
|
BOOL
|
|
AENetLogonUser(
|
|
LPTSTR UserName,
|
|
LPTSTR DomainName,
|
|
LPTSTR Password,
|
|
PHANDLE phToken
|
|
)
|
|
{
|
|
SECURITY_STATUS SecStatus;
|
|
CredHandle CredentialHandle1;
|
|
CredHandle CredentialHandle2;
|
|
|
|
CtxtHandle ClientContextHandle;
|
|
CtxtHandle ServerContextHandle;
|
|
SecPkgCredentials_Names sNames;
|
|
|
|
ULONG ContextAttributes;
|
|
|
|
ULONG PackageCount;
|
|
ULONG PackageIndex;
|
|
PSecPkgInfo PackageInfo;
|
|
DWORD cbMaxToken=0;
|
|
|
|
TimeStamp Lifetime;
|
|
SEC_WINNT_AUTH_IDENTITY AuthIdentity;
|
|
|
|
SecBufferDesc NegotiateDesc;
|
|
SecBuffer NegotiateBuffer;
|
|
|
|
SecBufferDesc ChallengeDesc;
|
|
SecBuffer ChallengeBuffer;
|
|
|
|
|
|
BOOL bSuccess = FALSE ; // assume this function will fail
|
|
|
|
NegotiateBuffer.pvBuffer = NULL;
|
|
ChallengeBuffer.pvBuffer = NULL;
|
|
sNames.sUserName = NULL;
|
|
ClientContextHandle.dwUpper = -1;
|
|
ClientContextHandle.dwLower = -1;
|
|
ServerContextHandle.dwUpper = -1;
|
|
ServerContextHandle.dwLower = -1;
|
|
CredentialHandle1.dwUpper = -1;
|
|
CredentialHandle1.dwLower = -1;
|
|
CredentialHandle2.dwUpper = -1;
|
|
CredentialHandle2.dwLower = -1;
|
|
|
|
|
|
//
|
|
// << this section could be cached in a repeat caller scenario >>
|
|
//
|
|
|
|
//
|
|
// Get info about the security packages.
|
|
//
|
|
|
|
if(EnumerateSecurityPackages(
|
|
&PackageCount,
|
|
&PackageInfo
|
|
) != SEC_E_OK) return FALSE;
|
|
|
|
//
|
|
// loop through the packages looking for NTLM
|
|
//
|
|
|
|
for(PackageIndex = 0 ; PackageIndex < PackageCount ; PackageIndex++ ) {
|
|
if(PackageInfo[PackageIndex].Name != NULL) {
|
|
if(CompareStringW(LOCALE_INVARIANT, NORM_IGNORECASE, PackageInfo[PackageIndex].Name, -1, MICROSOFT_KERBEROS_NAME, -1) == CSTR_EQUAL) {
|
|
cbMaxToken = PackageInfo[PackageIndex].cbMaxToken;
|
|
bSuccess = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
FreeContextBuffer( PackageInfo );
|
|
|
|
if(!bSuccess) return FALSE;
|
|
|
|
bSuccess = FALSE; // reset to assume failure
|
|
|
|
//
|
|
// << end of cached section >>
|
|
//
|
|
|
|
//
|
|
// Acquire a credential handle for the server side
|
|
//
|
|
|
|
SecStatus = AcquireCredentialsHandle(
|
|
NULL, // New principal
|
|
MICROSOFT_KERBEROS_NAME, // Package Name
|
|
SECPKG_CRED_INBOUND,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&CredentialHandle1,
|
|
&Lifetime
|
|
);
|
|
|
|
if ( SecStatus != SEC_E_OK ) {
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Acquire a credential handle for the client side
|
|
//
|
|
|
|
ZeroMemory( &AuthIdentity, sizeof(AuthIdentity) );
|
|
|
|
if ( DomainName != NULL ) {
|
|
AuthIdentity.Domain = DomainName;
|
|
AuthIdentity.DomainLength = lstrlen(DomainName);
|
|
}
|
|
|
|
if ( UserName != NULL ) {
|
|
AuthIdentity.User = UserName;
|
|
AuthIdentity.UserLength = lstrlen(UserName);
|
|
}
|
|
|
|
if ( Password != NULL ) {
|
|
AuthIdentity.Password = Password;
|
|
AuthIdentity.PasswordLength = lstrlen(Password);
|
|
}
|
|
|
|
AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
|
|
|
|
SecStatus = AcquireCredentialsHandle(
|
|
NULL, // New principal
|
|
MICROSOFT_KERBEROS_NAME, // Package Name
|
|
SECPKG_CRED_OUTBOUND,
|
|
NULL,
|
|
(DomainName == NULL && UserName == NULL && Password == NULL) ?
|
|
NULL : &AuthIdentity,
|
|
NULL,
|
|
NULL,
|
|
&CredentialHandle2,
|
|
&Lifetime
|
|
);
|
|
|
|
if ( SecStatus != SEC_E_OK ) {
|
|
goto cleanup;
|
|
}
|
|
|
|
SecStatus = QueryCredentialsAttributes(&CredentialHandle1, SECPKG_CRED_ATTR_NAMES, &sNames);
|
|
if ( SecStatus != SEC_E_OK ) {
|
|
goto cleanup;
|
|
}
|
|
//
|
|
// Get the NegotiateMessage (ClientSide)
|
|
//
|
|
|
|
NegotiateDesc.ulVersion = 0;
|
|
NegotiateDesc.cBuffers = 1;
|
|
NegotiateDesc.pBuffers = &NegotiateBuffer;
|
|
|
|
NegotiateBuffer.cbBuffer = cbMaxToken;
|
|
NegotiateBuffer.BufferType = SECBUFFER_TOKEN;
|
|
NegotiateBuffer.pvBuffer = LocalAlloc( LMEM_FIXED, NegotiateBuffer.cbBuffer );
|
|
|
|
if ( NegotiateBuffer.pvBuffer == NULL ) {
|
|
goto cleanup;
|
|
}
|
|
|
|
SecStatus = InitializeSecurityContext(
|
|
&CredentialHandle2,
|
|
NULL, // No Client context yet
|
|
sNames.sUserName, // target name
|
|
ISC_REQ_SEQUENCE_DETECT,
|
|
0, // Reserved 1
|
|
SECURITY_NATIVE_DREP,
|
|
NULL, // No initial input token
|
|
0, // Reserved 2
|
|
&ClientContextHandle,
|
|
&NegotiateDesc,
|
|
&ContextAttributes,
|
|
&Lifetime
|
|
);
|
|
if(SecStatus != SEC_E_OK)
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the ChallengeMessage (ServerSide)
|
|
//
|
|
|
|
NegotiateBuffer.BufferType |= SECBUFFER_READONLY;
|
|
ChallengeDesc.ulVersion = 0;
|
|
ChallengeDesc.cBuffers = 1;
|
|
ChallengeDesc.pBuffers = &ChallengeBuffer;
|
|
|
|
ChallengeBuffer.cbBuffer = cbMaxToken;
|
|
ChallengeBuffer.BufferType = SECBUFFER_TOKEN;
|
|
ChallengeBuffer.pvBuffer = LocalAlloc( LMEM_FIXED, ChallengeBuffer.cbBuffer );
|
|
|
|
if ( ChallengeBuffer.pvBuffer == NULL ) {
|
|
goto cleanup;
|
|
}
|
|
|
|
SecStatus = AcceptSecurityContext(
|
|
&CredentialHandle1,
|
|
NULL, // No Server context yet
|
|
&NegotiateDesc,
|
|
ISC_REQ_SEQUENCE_DETECT,
|
|
SECURITY_NATIVE_DREP,
|
|
&ServerContextHandle,
|
|
&ChallengeDesc,
|
|
&ContextAttributes,
|
|
&Lifetime
|
|
);
|
|
if(SecStatus != SEC_E_OK)
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
if(QuerySecurityContextToken(&ServerContextHandle, phToken) != SEC_E_OK)
|
|
goto cleanup;
|
|
|
|
bSuccess = TRUE;
|
|
|
|
cleanup:
|
|
|
|
//
|
|
// Delete context
|
|
//
|
|
|
|
if((ClientContextHandle.dwUpper != -1) ||
|
|
(ClientContextHandle.dwLower != -1))
|
|
{
|
|
DeleteSecurityContext( &ClientContextHandle );
|
|
}
|
|
if((ServerContextHandle.dwUpper != -1) ||
|
|
(ServerContextHandle.dwLower != -1))
|
|
{
|
|
DeleteSecurityContext( &ServerContextHandle );
|
|
}
|
|
|
|
//
|
|
// Free credential handles
|
|
//
|
|
if((CredentialHandle1.dwUpper != -1) ||
|
|
(CredentialHandle1.dwLower != -1))
|
|
{
|
|
FreeCredentialsHandle( &CredentialHandle1 );
|
|
}
|
|
if((CredentialHandle2.dwUpper != -1) ||
|
|
(CredentialHandle2.dwLower != -1))
|
|
{
|
|
FreeCredentialsHandle( &CredentialHandle2 );
|
|
}
|
|
|
|
if ( NegotiateBuffer.pvBuffer != NULL ) {
|
|
|
|
//
|
|
// NegotiateBuffer.cbBuffer may change on the error path --
|
|
// use the original allocation size.
|
|
//
|
|
|
|
SecureZeroMemory( NegotiateBuffer.pvBuffer, cbMaxToken );
|
|
LocalFree( NegotiateBuffer.pvBuffer );
|
|
}
|
|
|
|
if ( ChallengeBuffer.pvBuffer != NULL ) {
|
|
|
|
//
|
|
// ChallengeBuffer.cbBuffer may change on the error path --
|
|
// use the original allocation size.
|
|
//
|
|
|
|
SecureZeroMemory( ChallengeBuffer.pvBuffer, cbMaxToken );
|
|
LocalFree( ChallengeBuffer.pvBuffer );
|
|
}
|
|
|
|
if ( sNames.sUserName != NULL ) {
|
|
FreeContextBuffer( sNames.sUserName );
|
|
}
|
|
|
|
return bSuccess;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AEDebugLog
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
#if DBG
|
|
void
|
|
AEDebugLog(long Mask, LPCWSTR Format, ...)
|
|
{
|
|
va_list ArgList;
|
|
int iOut;
|
|
WCHAR wszOutString[MAX_DEBUG_BUFFER];
|
|
|
|
if (Mask & g_AutoenrollDebugLevel)
|
|
{
|
|
// Make the prefix first: "Process.Thread> GINA-XXX"
|
|
|
|
iOut=wsprintfW(wszOutString, L"%3u.%3u> AUTOENRL: ", GetCurrentProcessId(), GetCurrentThreadId());
|
|
|
|
if((iOut > 0) && (iOut < MAX_DEBUG_BUFFER - 1))
|
|
{
|
|
va_start(ArgList, Format);
|
|
_vsnwprintf(&wszOutString[iOut], MAX_DEBUG_BUFFER - iOut, Format, ArgList);
|
|
|
|
//null terminating the string
|
|
wszOutString[MAX_DEBUG_BUFFER - 1]=L'\0';
|
|
|
|
va_end(ArgList);
|
|
|
|
OutputDebugStringW(wszOutString);
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// AERemoveRegKey
|
|
//
|
|
// Remove the registry key for local system and all its sub keys.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
DWORD AERemoveRegKey(LPWSTR pwszRegKey)
|
|
{
|
|
DWORD dwLastError=0; //we should try to clean up as much as possible
|
|
DWORD dwIndex=0;
|
|
DWORD dwSubKey=0;
|
|
DWORD dwSubKeyLen=0;
|
|
DWORD dwData=0;
|
|
|
|
HKEY hDSKey=NULL;
|
|
LPWSTR pwszSubKey=NULL;
|
|
|
|
//remove the optimization registry. OK if the key does not exist
|
|
if(ERROR_SUCCESS != RegOpenKeyEx(
|
|
HKEY_LOCAL_MACHINE,
|
|
pwszRegKey,
|
|
0,
|
|
KEY_ALL_ACCESS,
|
|
&hDSKey))
|
|
goto Ret;
|
|
|
|
//remove all subkeys of hDSKey
|
|
if(ERROR_SUCCESS != (dwLastError = RegQueryInfoKey(
|
|
hDSKey,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&dwSubKey,
|
|
&dwSubKeyLen,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL)))
|
|
goto Ret;
|
|
|
|
//terminating NULL
|
|
dwSubKeyLen++;
|
|
|
|
pwszSubKey=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * dwSubKeyLen);
|
|
|
|
if(NULL == pwszSubKey)
|
|
{
|
|
dwLastError=ERROR_NOT_ENOUGH_MEMORY;
|
|
goto Ret;
|
|
}
|
|
|
|
for(dwIndex=0; dwIndex < dwSubKey; dwIndex++)
|
|
{
|
|
dwData = dwSubKeyLen;
|
|
|
|
if(ERROR_SUCCESS == (dwLastError = RegEnumKeyEx(
|
|
hDSKey,
|
|
0, // As we delete, the index changes
|
|
pwszSubKey,
|
|
&dwData,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL)))
|
|
{
|
|
RegDeleteKey(hDSKey, pwszSubKey);
|
|
}
|
|
}
|
|
|
|
//remove the root registry key
|
|
dwLastError=RegDeleteKey(HKEY_LOCAL_MACHINE, pwszRegKey);
|
|
|
|
Ret:
|
|
|
|
if(pwszSubKey)
|
|
LocalFree(pwszSubKey);
|
|
|
|
if(hDSKey)
|
|
RegCloseKey(hDSKey);
|
|
|
|
return dwLastError;
|
|
}
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// CertAutoRemove
|
|
//
|
|
// Function to remove enterprise specific public key trust upon domain disjoin.
|
|
// Should be called under local admin's context.
|
|
//
|
|
// The function will:
|
|
// remove autoenrollment directory cache registry;
|
|
// remove certificates under root enterprise store;
|
|
// remove certificates under NTAuth enterprise store;
|
|
// remove certificates under CA enterprise store;
|
|
//
|
|
//
|
|
// Parameters:
|
|
// IN dwFlags:
|
|
// CERT_AUTO_REMOVE_COMMIT
|
|
// CERT_AUTO_REMOVE_ROLL_BACK
|
|
//
|
|
// Return Value:
|
|
// BOOL: TURE is upon success
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
BOOL
|
|
WINAPI
|
|
CertAutoRemove(IN DWORD dwFlags)
|
|
{
|
|
DWORD dwError=0;
|
|
DWORD dwLastError=0; //we should try to clean up as much as possible
|
|
DWORD dwIndex=0;
|
|
PCCERT_CONTEXT pContext=NULL;
|
|
WCHAR wszNameBuf[64];
|
|
|
|
HANDLE hEvent=NULL;
|
|
HCERTSTORE hLocalStore=NULL;
|
|
|
|
if((CERT_AUTO_REMOVE_COMMIT != dwFlags) &&
|
|
(CERT_AUTO_REMOVE_ROLL_BACK != dwFlags))
|
|
{
|
|
dwLastError=ERROR_INVALID_PARAMETER;
|
|
goto Ret;
|
|
}
|
|
|
|
if(CERT_AUTO_REMOVE_ROLL_BACK == dwFlags)
|
|
{
|
|
//start machine autoenrollment
|
|
wcscpy(wszNameBuf, L"Global\\");
|
|
wcscat(wszNameBuf, MACHINE_AUTOENROLLMENT_TRIGGER_EVENT);
|
|
|
|
hEvent=OpenEvent(EVENT_MODIFY_STATE, FALSE, wszNameBuf);
|
|
if (NULL == hEvent)
|
|
{
|
|
dwLastError=GetLastError();
|
|
goto Ret;
|
|
}
|
|
|
|
if (!SetEvent(hEvent))
|
|
{
|
|
dwLastError=GetLastError();
|
|
goto Ret;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//remove all downloaded certificates
|
|
for(dwIndex =0; dwIndex < g_dwStoreInfo; dwIndex++)
|
|
{
|
|
hLocalStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W,
|
|
0,
|
|
0,
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
|
|
g_rgStoreInfo[dwIndex].pwszStoreName);
|
|
|
|
if(hLocalStore)
|
|
{
|
|
while(pContext = CertEnumCertificatesInStore(hLocalStore, pContext))
|
|
{
|
|
CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pContext));
|
|
}
|
|
|
|
CertCloseStore(hLocalStore,0);
|
|
hLocalStore=NULL;
|
|
}
|
|
}
|
|
|
|
//remove the local machine's DC GUID cache
|
|
dwLastError=AERemoveRegKey(AUTO_ENROLLMENT_DS_KEY);
|
|
|
|
dwError=AERemoveRegKey(AUTO_ENROLLMENT_TEMPLATE_KEY);
|
|
|
|
if(0 == dwLastError)
|
|
dwLastError=dwError;
|
|
}
|
|
|
|
Ret:
|
|
|
|
if(hLocalStore)
|
|
CertCloseStore(hLocalStore,0);
|
|
|
|
if (hEvent)
|
|
CloseHandle(hEvent);
|
|
|
|
|
|
if(0 != dwLastError)
|
|
{
|
|
SetLastError(dwLastError);
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
//--------------------------------------------------------------------------
|
|
//
|
|
// DLLMain
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
extern "C"
|
|
BOOL WINAPI
|
|
DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
|
|
{
|
|
BOOL fResult=TRUE;
|
|
INITCOMMONCONTROLSEX initcomm = {
|
|
sizeof(initcomm), ICC_NATIVEFNTCTL_CLASS | ICC_LISTVIEW_CLASSES | ICC_PROGRESS_CLASS
|
|
};
|
|
|
|
switch( dwReason )
|
|
{
|
|
case DLL_PROCESS_ATTACH:
|
|
g_hmodThisDll=hInstance;
|
|
DisableThreadLibraryCalls( hInstance );
|
|
|
|
//Init common control for progress bar
|
|
InitCommonControlsEx(&initcomm);
|
|
|
|
break;
|
|
|
|
case DLL_PROCESS_DETACH:
|
|
break;
|
|
}
|
|
|
|
return fResult;
|
|
}
|