You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1785 lines
51 KiB
1785 lines
51 KiB
//+--------------------------------------------------------------------------
|
|
//
|
|
// Copyright (c) 1997-1999 Microsoft Corporation
|
|
//
|
|
// File: gencert.cpp
|
|
//
|
|
// Contents:
|
|
//
|
|
// History:
|
|
//
|
|
//---------------------------------------------------------------------------
|
|
#include "pch.cpp"
|
|
#include "misc.h"
|
|
#include "utils.h"
|
|
#include "gencert.h"
|
|
#include "globals.h"
|
|
|
|
#ifndef UNICODE
|
|
|
|
const DWORD dwCertRdnValueType = CERT_RDN_PRINTABLE_STRING;
|
|
|
|
#else
|
|
|
|
const DWORD dwCertRdnValueType = CERT_RDN_UNICODE_STRING;
|
|
|
|
#endif
|
|
|
|
|
|
#ifndef CertStrToName
|
|
|
|
//
|
|
// Function prototype not found in wincrypt.h or anywhere but
|
|
// is in crypt32.lib
|
|
//
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
BOOL WINAPI
|
|
CertStrToNameA(
|
|
DWORD dwCertEncodingType, // in
|
|
LPCSTR pszX500, // in
|
|
DWORD dwStrType, // in
|
|
void* pvReserved, // in, optional
|
|
BYTE* pbEncoded, // out
|
|
DWORD* pcbEncoded, // in/out
|
|
LPCSTR* ppszError // out, optional
|
|
);
|
|
|
|
CertStrToNameW(
|
|
DWORD dwCertEncodingType, // in
|
|
LPCWSTR pszX500, // in
|
|
DWORD dwStrType, // in
|
|
void* pvReserved, // in, optional
|
|
BYTE* pbEncoded, // out
|
|
DWORD* pcbEncoded, // in/out
|
|
LPCWSTR* ppszError // out, optional
|
|
);
|
|
|
|
#ifdef UNICODE
|
|
#define CertStrToName CertStrToNameW
|
|
#else
|
|
#define CertStrToName CertStrToNameA
|
|
#endif
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif
|
|
|
|
|
|
/*******************************************************************************************
|
|
Function:
|
|
LSEncryptBase64EncodeHWID()
|
|
|
|
Description:
|
|
Encrypt using license server private key then base64 encode the hardware ID
|
|
|
|
Arguments:
|
|
IN PHWID - pointer to HWID to be encrypt/encoded
|
|
OUT DWORD* cbBase64EncodeHwid - size of pointer to encrypted/encoded string
|
|
OUT PBYTE* szBase64EncodeHwid - Pointer to encrypted/encoded string.
|
|
|
|
Returns:
|
|
TRUE if successful, FALSE otherwise, call GetLastError() for detail.
|
|
*******************************************************************************************/
|
|
BOOL
|
|
TLSEncryptBase64EncodeHWID(
|
|
PHWID pHwid,
|
|
DWORD* cbBase64EncodeHwid,
|
|
PBYTE* szBase64EncodeHwid
|
|
)
|
|
{
|
|
DWORD status=ERROR_SUCCESS;
|
|
|
|
//
|
|
// Encrypt HWID
|
|
//
|
|
BYTE tmp_pbEncryptedHwid[sizeof(HWID)*2+2];
|
|
DWORD tmp_cbEncryptedHwid=sizeof(tmp_pbEncryptedHwid);
|
|
|
|
do {
|
|
memset(tmp_pbEncryptedHwid, 0, sizeof(tmp_pbEncryptedHwid));
|
|
if((status=LicenseEncryptHwid(
|
|
pHwid,
|
|
&tmp_cbEncryptedHwid,
|
|
tmp_pbEncryptedHwid,
|
|
g_cbSecretKey,
|
|
g_pbSecretKey) != LICENSE_STATUS_OK))
|
|
{
|
|
break;
|
|
}
|
|
|
|
|
|
//
|
|
// BASE64 Encode Encrypted HWID - printable char. string
|
|
//
|
|
if((status=LSBase64Encode(
|
|
tmp_pbEncryptedHwid,
|
|
tmp_cbEncryptedHwid,
|
|
NULL,
|
|
cbBase64EncodeHwid)) != ERROR_SUCCESS)
|
|
{
|
|
break;
|
|
}
|
|
|
|
*szBase64EncodeHwid=(PBYTE)AllocateMemory(*cbBase64EncodeHwid*(sizeof(TCHAR)+1));
|
|
if(*szBase64EncodeHwid == NULL)
|
|
{
|
|
SetLastError(status = ERROR_OUTOFMEMORY);
|
|
break;
|
|
}
|
|
|
|
// base64 encoding
|
|
status=LSBase64Encode(
|
|
tmp_pbEncryptedHwid,
|
|
tmp_cbEncryptedHwid,
|
|
(TCHAR *)*szBase64EncodeHwid,
|
|
cbBase64EncodeHwid);
|
|
} while(FALSE);
|
|
|
|
return status == ERROR_SUCCESS;
|
|
}
|
|
|
|
/*******************************************************************************************/
|
|
|
|
DWORD
|
|
TLSAddCertAuthorityInfoAccess(
|
|
LPTSTR szIssuerDnsName,
|
|
PCERT_EXTENSION pExtension
|
|
)
|
|
/*
|
|
*/
|
|
{
|
|
LSCERT_AUTHORITY_INFO_ACCESS certInfoAccess;
|
|
LSCERT_ACCESS_DESCRIPTION certAcccessDesc;
|
|
|
|
certAcccessDesc.pszAccessMethod=szOID_X509_ACCESS_PKIX_OCSP;
|
|
certAcccessDesc.AccessLocation.dwAltNameChoice = LSCERT_ALT_NAME_DNS_NAME;
|
|
certAcccessDesc.AccessLocation.pwszDNSName = szIssuerDnsName;
|
|
|
|
certInfoAccess.cAccDescr = 1;
|
|
certInfoAccess.rgAccDescr = &certAcccessDesc;
|
|
|
|
pExtension->pszObjId = szOID_X509_AUTHORITY_ACCESS_INFO;
|
|
pExtension->fCritical = TRUE;
|
|
|
|
return TLSCryptEncodeObject(
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
szOID_X509_AUTHORITY_ACCESS_INFO,
|
|
&certInfoAccess,
|
|
&pExtension->Value.pbData,
|
|
&pExtension->Value.cbData
|
|
);
|
|
}
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSAddCertAuthorityKeyIdExtension(
|
|
LPTSTR szIssuer,
|
|
ULARGE_INTEGER* CertSerialNumber,
|
|
PCERT_EXTENSION pExtension
|
|
)
|
|
/*
|
|
*/
|
|
{
|
|
//
|
|
// Use CERT_AUTHORITY_KEY_ID2_INFO
|
|
// some structure not defined in SP3's wincrypt.h
|
|
//
|
|
LSCERT_ALT_NAME_ENTRY certAltNameEntry;
|
|
LSCERT_AUTHORITY_KEY_ID2_INFO authKeyId2Info;
|
|
|
|
memset(&authKeyId2Info, 0, sizeof(authKeyId2Info));
|
|
authKeyId2Info.AuthorityCertSerialNumber.cbData = sizeof(ULARGE_INTEGER);
|
|
authKeyId2Info.AuthorityCertSerialNumber.pbData = (PBYTE)CertSerialNumber;
|
|
|
|
|
|
memset(&certAltNameEntry, 0, sizeof(certAltNameEntry));
|
|
certAltNameEntry.dwAltNameChoice=CERT_ALT_NAME_DIRECTORY_NAME; //LSCERT_ALT_NAME_RFC822_NAME;
|
|
certAltNameEntry.DirectoryName.cbData = (_tcslen(szIssuer) + 1) * sizeof(TCHAR);
|
|
certAltNameEntry.DirectoryName.pbData = (PBYTE)szIssuer;
|
|
|
|
authKeyId2Info.AuthorityCertIssuer.cAltEntry=1;
|
|
authKeyId2Info.AuthorityCertIssuer.rgAltEntry=&certAltNameEntry;
|
|
|
|
pExtension->pszObjId = szOID_X509_AUTHORITY_KEY_ID2;
|
|
pExtension->fCritical = TRUE;
|
|
|
|
return TLSCryptEncodeObject(
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
szOID_X509_AUTHORITY_KEY_ID2,
|
|
&authKeyId2Info,
|
|
&pExtension->Value.pbData,
|
|
&pExtension->Value.cbData
|
|
);
|
|
}
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSExportPublicKey(
|
|
IN HCRYPTPROV hCryptProv,
|
|
IN DWORD dwKeyType,
|
|
IN OUT PDWORD pcbByte,
|
|
IN OUT PCERT_PUBLIC_KEY_INFO *ppbByte
|
|
)
|
|
/*
|
|
|
|
*/
|
|
{
|
|
BOOL bRetCode=TRUE;
|
|
|
|
*pcbByte=0;
|
|
*ppbByte=NULL;
|
|
|
|
bRetCode = CryptExportPublicKeyInfo(
|
|
hCryptProv,
|
|
dwKeyType,
|
|
X509_ASN_ENCODING,
|
|
NULL,
|
|
pcbByte);
|
|
if(bRetCode == FALSE)
|
|
goto cleanup;
|
|
|
|
if((*ppbByte=(PCERT_PUBLIC_KEY_INFO)AllocateMemory(*pcbByte)) == NULL)
|
|
{
|
|
bRetCode = FALSE;
|
|
goto cleanup;
|
|
}
|
|
|
|
bRetCode = CryptExportPublicKeyInfo(
|
|
hCryptProv,
|
|
dwKeyType,
|
|
X509_ASN_ENCODING,
|
|
*ppbByte,
|
|
pcbByte);
|
|
if(bRetCode == FALSE)
|
|
{
|
|
FreeMemory(*ppbByte);
|
|
*pcbByte = 0;
|
|
}
|
|
|
|
cleanup:
|
|
|
|
return (bRetCode) ? ERROR_SUCCESS : GetLastError();
|
|
}
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSCryptEncodeObject(
|
|
IN DWORD dwEncodingType,
|
|
IN LPCSTR lpszStructType,
|
|
IN const void * pvStructInfo,
|
|
OUT PBYTE* ppbEncoded,
|
|
OUT DWORD* pcbEncoded
|
|
)
|
|
/*
|
|
|
|
Description:
|
|
|
|
Allocate memory and encode object, wrapper for CryptEncodeObject()
|
|
|
|
*/
|
|
{
|
|
DWORD dwStatus = ERROR_SUCCESS;
|
|
|
|
if(!CryptEncodeObject(dwEncodingType, lpszStructType, pvStructInfo, NULL, pcbEncoded) ||
|
|
(*ppbEncoded=(PBYTE)AllocateMemory(*pcbEncoded)) == NULL ||
|
|
!CryptEncodeObject(dwEncodingType, lpszStructType, pvStructInfo, *ppbEncoded, pcbEncoded))
|
|
{
|
|
dwStatus=GetLastError();
|
|
}
|
|
|
|
return dwStatus;
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSCryptSignAndEncodeCertificate(
|
|
IN HCRYPTPROV hCryptProv,
|
|
IN DWORD dwKeySpec,
|
|
IN PCERT_INFO pCertInfo,
|
|
IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
|
|
IN OUT PBYTE* ppbEncodedCert,
|
|
IN OUT PDWORD pcbEncodedCert
|
|
)
|
|
/*
|
|
|
|
*/
|
|
{
|
|
BOOL bRetCode;
|
|
|
|
bRetCode = CryptSignAndEncodeCertificate(
|
|
hCryptProv,
|
|
dwKeySpec,
|
|
X509_ASN_ENCODING,
|
|
X509_CERT_TO_BE_SIGNED,
|
|
pCertInfo,
|
|
pSignatureAlgorithm,
|
|
NULL,
|
|
NULL,
|
|
pcbEncodedCert);
|
|
|
|
if(bRetCode == FALSE && GetLastError() != ERROR_MORE_DATA)
|
|
goto cleanup;
|
|
|
|
*ppbEncodedCert=(PBYTE)AllocateMemory(*pcbEncodedCert);
|
|
if(*ppbEncodedCert == FALSE)
|
|
goto cleanup;
|
|
|
|
bRetCode = CryptSignAndEncodeCertificate(
|
|
hCryptProv,
|
|
AT_SIGNATURE,
|
|
X509_ASN_ENCODING,
|
|
X509_CERT_TO_BE_SIGNED,
|
|
pCertInfo,
|
|
pSignatureAlgorithm,
|
|
NULL,
|
|
*ppbEncodedCert,
|
|
pcbEncodedCert);
|
|
|
|
if(bRetCode == FALSE)
|
|
{
|
|
FreeMemory(*ppbEncodedCert);
|
|
*pcbEncodedCert = 0;
|
|
}
|
|
|
|
cleanup:
|
|
|
|
return (bRetCode) ? ERROR_SUCCESS : GetLastError();
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////
|
|
|
|
#define MAX_NUM_CERT_BLOBS 200 // actually, we can't go over 10.
|
|
|
|
|
|
DWORD
|
|
TLSVerifyProprietyChainedCertificate(
|
|
HCRYPTPROV hCryptProv,
|
|
PBYTE pbCert,
|
|
DWORD cbCert
|
|
)
|
|
/*++
|
|
|
|
--*/
|
|
{
|
|
DWORD dwStatus=ERROR_SUCCESS, cbRequired = 0;
|
|
PCert_Chain pCertChain = (PCert_Chain)pbCert;
|
|
UNALIGNED Cert_Blob *pCertificate = NULL;
|
|
PCCERT_CONTEXT pIssuerCert = NULL;
|
|
PCCERT_CONTEXT pSubjectCert = NULL;
|
|
|
|
DWORD dwVerifyFlag = CERT_DATE_DONT_VALIDATE;
|
|
int i;
|
|
|
|
cbRequired = 2 * sizeof(DWORD);
|
|
|
|
if( pCertChain == NULL || ( cbCert < cbRequired ) ||
|
|
MAX_CERT_CHAIN_VERSION < GET_CERTIFICATE_VERSION(pCertChain->dwVersion) ||
|
|
pCertChain->dwNumCertBlobs > MAX_NUM_CERT_BLOBS ||
|
|
pCertChain->dwNumCertBlobs <= 1 ) // must have at least two certificates
|
|
{
|
|
SetLastError(dwStatus = TLS_E_INVALID_DATA);
|
|
return dwStatus;
|
|
}
|
|
|
|
//
|
|
// Verify input data before actually allocate memory
|
|
//
|
|
pCertificate = (PCert_Blob)&(pCertChain->CertBlob[0]);
|
|
for(i=0; i < pCertChain->dwNumCertBlobs; i++)
|
|
{
|
|
cbRequired += (sizeof (DWORD)+ sizeof(BYTE)) ;
|
|
|
|
if(cbCert < cbRequired )
|
|
{
|
|
SetLastError(dwStatus = TLS_E_INVALID_DATA);
|
|
return dwStatus;
|
|
}
|
|
|
|
if (((PBYTE)pCertificate > (cbCert + pbCert - sizeof(Cert_Blob))) ||
|
|
(pCertificate->cbCert == 0) ||
|
|
(pCertificate->cbCert > (DWORD)((pbCert + cbCert) - pCertificate->abCert)))
|
|
{
|
|
return (LICENSE_STATUS_INVALID_INPUT);
|
|
}
|
|
|
|
pCertificate = (PCert_Blob)(pCertificate->abCert + pCertificate->cbCert);
|
|
}
|
|
|
|
//
|
|
// First certificate is root certificate
|
|
//
|
|
pCertificate = (PCert_Blob)&(pCertChain->CertBlob[0]);
|
|
pIssuerCert = CertCreateCertificateContext(
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
&(pCertificate->abCert[0]),
|
|
pCertificate->cbCert
|
|
);
|
|
if(pIssuerCert == NULL)
|
|
{
|
|
dwStatus = GetLastError(); // just for debugging.
|
|
goto cleanup;
|
|
}
|
|
|
|
dwStatus = ERROR_SUCCESS;
|
|
pSubjectCert = CertDuplicateCertificateContext(pIssuerCert);
|
|
|
|
for(i=0; i < pCertChain->dwNumCertBlobs; i++)
|
|
{
|
|
if(pSubjectCert == NULL)
|
|
{
|
|
dwStatus = GetLastError();
|
|
break;
|
|
}
|
|
|
|
//
|
|
// verify subject's certificate
|
|
dwVerifyFlag = CERT_STORE_SIGNATURE_FLAG;
|
|
if(CertVerifySubjectCertificateContext(
|
|
pSubjectCert,
|
|
pIssuerCert,
|
|
&dwVerifyFlag
|
|
) == FALSE)
|
|
{
|
|
dwStatus = GetLastError();
|
|
break;
|
|
}
|
|
|
|
if(dwVerifyFlag != 0)
|
|
{
|
|
// signature verification failed.
|
|
dwStatus = TLS_E_INVALID_DATA;
|
|
break;
|
|
}
|
|
|
|
if(CertFreeCertificateContext(pIssuerCert) == FALSE)
|
|
{
|
|
dwStatus = GetLastError();
|
|
break;
|
|
}
|
|
|
|
pIssuerCert = pSubjectCert;
|
|
|
|
pCertificate = (PCert_Blob)(pCertificate->abCert + pCertificate->cbCert);
|
|
|
|
pSubjectCert = CertCreateCertificateContext(
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
&(pCertificate->abCert[0]),
|
|
pCertificate->cbCert
|
|
);
|
|
}
|
|
|
|
cleanup:
|
|
|
|
if(pSubjectCert != NULL)
|
|
{
|
|
CertFreeCertificateContext(pSubjectCert);
|
|
}
|
|
|
|
if(pIssuerCert != NULL)
|
|
{
|
|
CertFreeCertificateContext(pIssuerCert);
|
|
}
|
|
|
|
return dwStatus;
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////
|
|
|
|
BOOL IsHydraClientCertficate( PCERT_INFO pCertInfo )
|
|
{
|
|
CERT_EXTENSION UNALIGNED * pCertExtension=pCertInfo->rgExtension;
|
|
DWORD dwVersion = TERMSERV_CERT_VERSION_UNKNOWN;
|
|
DWORD UNALIGNED * pdwVersion;
|
|
|
|
for(DWORD i=0; i < pCertInfo->cExtension; i++, pCertExtension++)
|
|
{
|
|
if(strcmp(pCertExtension->pszObjId, szOID_PKIX_HYDRA_CERT_VERSION) == 0)
|
|
{
|
|
pdwVersion = (DWORD UNALIGNED *) pCertExtension->Value.pbData;
|
|
|
|
if(pCertExtension->Value.cbData == sizeof(DWORD) &&
|
|
*pdwVersion <= TERMSERV_CERT_VERSION_CURRENT)
|
|
{
|
|
dwVersion = *pdwVersion;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return (dwVersion == TERMSERV_CERT_VERSION_UNKNOWN) ? FALSE : TRUE;
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
ChainProprietyCert(
|
|
HCRYPTPROV hCryptProv,
|
|
HCERTSTORE hCertStore,
|
|
PCCERT_CONTEXT pCertContext,
|
|
PCert_Chain pCertChain,
|
|
DWORD* dwCertOffset,
|
|
DWORD dwBufSize)
|
|
{
|
|
DWORD dwStatus = ERROR_SUCCESS;
|
|
DWORD dwFlags;
|
|
PCCERT_CONTEXT pCertIssuer=NULL;
|
|
|
|
pCertIssuer=NULL;
|
|
dwFlags = CERT_STORE_SIGNATURE_FLAG;
|
|
|
|
|
|
//
|
|
// Get the issuer's certificate from store
|
|
//
|
|
pCertIssuer = CertGetIssuerCertificateFromStore(
|
|
hCertStore,
|
|
pCertContext,
|
|
pCertIssuer,
|
|
&dwFlags
|
|
);
|
|
|
|
if(pCertIssuer != NULL)
|
|
{
|
|
if(dwFlags & CERT_STORE_SIGNATURE_FLAG)
|
|
{
|
|
// invalid signature
|
|
dwStatus = TLS_E_INVALID_DATA;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Recursively find the issuer of the issuer's certificate
|
|
//
|
|
dwStatus = ChainProprietyCert(
|
|
hCryptProv,
|
|
hCertStore,
|
|
pCertIssuer,
|
|
pCertChain,
|
|
dwCertOffset,
|
|
dwBufSize
|
|
);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dwStatus = GetLastError();
|
|
if(dwStatus != CRYPT_E_SELF_SIGNED)
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
//
|
|
// Verify issuer's certificate
|
|
//
|
|
if(CryptVerifyCertificateSignature(
|
|
hCryptProv,
|
|
X509_ASN_ENCODING,
|
|
pCertContext->pbCertEncoded,
|
|
pCertContext->cbCertEncoded,
|
|
&pCertContext->pCertInfo->SubjectPublicKeyInfo))
|
|
{
|
|
dwStatus=ERROR_SUCCESS;
|
|
}
|
|
}
|
|
|
|
if(dwStatus == ERROR_SUCCESS)
|
|
{
|
|
//
|
|
// Push certificate into propriety certificate chain
|
|
//
|
|
if((*dwCertOffset + pCertContext->cbCertEncoded) >= dwBufSize)
|
|
{
|
|
dwStatus = ERROR_MORE_DATA;
|
|
goto cleanup;
|
|
}
|
|
|
|
(pCertChain->dwNumCertBlobs)++;
|
|
|
|
UNALIGNED Cert_Blob *pCertBlob = (PCert_Blob)((PBYTE)&(pCertChain->CertBlob) + *dwCertOffset);
|
|
pCertBlob->cbCert = pCertContext->cbCertEncoded;
|
|
memcpy( &(pCertBlob->abCert),
|
|
pCertContext->pbCertEncoded,
|
|
pCertContext->cbCertEncoded);
|
|
|
|
*dwCertOffset += (sizeof(pCertBlob->cbCert) + pCertContext->cbCertEncoded);
|
|
}
|
|
|
|
cleanup:
|
|
|
|
if(pCertIssuer != NULL)
|
|
{
|
|
CertFreeCertificateContext(pCertIssuer);
|
|
}
|
|
|
|
return dwStatus;
|
|
}
|
|
|
|
////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
DWORD
|
|
TLSChainProprietyCertificate(
|
|
HCRYPTPROV hCryptProv,
|
|
BOOL bTemp,
|
|
PBYTE pbLicense,
|
|
DWORD cbLicense,
|
|
PBYTE* pbChained,
|
|
DWORD* cbChained
|
|
)
|
|
{
|
|
HCERTSTORE hCertStore=NULL;
|
|
DWORD dwStatus=ERROR_SUCCESS;
|
|
CRYPT_DATA_BLOB Serialized;
|
|
PCCERT_CONTEXT pCertContext=NULL;
|
|
PCCERT_CONTEXT pPrevCertContext=NULL;
|
|
PCERT_INFO pCertInfo;
|
|
BOOL bFound=FALSE;
|
|
|
|
Serialized.pbData = pbLicense;
|
|
Serialized.cbData = cbLicense;
|
|
|
|
DWORD dwCertOffset = 0;
|
|
PCert_Chain pCertChain;
|
|
|
|
DWORD numCerts=0;
|
|
DWORD cbSize=0;
|
|
|
|
if(hCryptProv == NULL)
|
|
{
|
|
SetLastError(dwStatus = ERROR_INVALID_PARAMETER);
|
|
goto cleanup;
|
|
}
|
|
|
|
hCertStore=CertOpenStore(
|
|
sz_CERT_STORE_PROV_PKCS7,
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
hCryptProv,
|
|
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
|
|
&Serialized
|
|
);
|
|
|
|
if(!hCertStore)
|
|
{
|
|
dwStatus=GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
//
|
|
// Get number of certificate and estimated size first - save memory
|
|
//
|
|
do {
|
|
pCertContext = CertEnumCertificatesInStore(
|
|
hCertStore,
|
|
pPrevCertContext
|
|
);
|
|
if(pCertContext == NULL)
|
|
{
|
|
dwStatus = GetLastError();
|
|
if(dwStatus != CRYPT_E_NOT_FOUND)
|
|
goto cleanup;
|
|
|
|
dwStatus = ERROR_SUCCESS;
|
|
break;
|
|
}
|
|
|
|
numCerts++;
|
|
cbSize += pCertContext->cbCertEncoded;
|
|
pPrevCertContext = pCertContext;
|
|
|
|
} while(TRUE);
|
|
|
|
|
|
*cbChained = cbSize + numCerts * sizeof(Cert_Blob) + sizeof(Cert_Chain);
|
|
|
|
//
|
|
// Allocate memory for our propriety certificate chain
|
|
//
|
|
pCertChain=(PCert_Chain)LocalAlloc(LPTR, *cbChained);
|
|
if(pCertChain == NULL)
|
|
{
|
|
dwStatus = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
pCertChain->dwVersion = CERT_CHAIN_VERSION_2 | ((bTemp) ? 0x80000000 : 0);
|
|
|
|
//
|
|
// Enumerate license in certificate to find actual client license.
|
|
//
|
|
pPrevCertContext = NULL;
|
|
do {
|
|
pCertContext=CertEnumCertificatesInStore(hCertStore, pPrevCertContext);
|
|
if(pCertContext == NULL)
|
|
{
|
|
// end certificate in store or error
|
|
if((dwStatus=GetLastError()) != CRYPT_E_NOT_FOUND)
|
|
goto cleanup;
|
|
|
|
dwStatus = ERROR_SUCCESS;
|
|
break;
|
|
}
|
|
|
|
pPrevCertContext = pCertContext;
|
|
|
|
if(IsHydraClientCertficate(pCertContext->pCertInfo))
|
|
{
|
|
bFound = TRUE;
|
|
}
|
|
} while(bFound == FALSE);
|
|
|
|
if(bFound == FALSE)
|
|
{
|
|
dwStatus = ERROR_INVALID_PARAMETER;
|
|
goto cleanup;
|
|
}
|
|
|
|
//
|
|
// Recusively chain certificate in backward.
|
|
//
|
|
dwStatus = ChainProprietyCert(
|
|
hCryptProv,
|
|
hCertStore,
|
|
pCertContext,
|
|
pCertChain,
|
|
&dwCertOffset,
|
|
*cbChained);
|
|
|
|
*pbChained = (PBYTE)pCertChain;
|
|
|
|
cleanup:
|
|
|
|
if(hCertStore)
|
|
CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG);
|
|
|
|
return dwStatus;
|
|
}
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSCertSetCertRdnStr(
|
|
IN OUT CERT_NAME_BLOB* pCertNameBlob,
|
|
IN LPTSTR szRdn
|
|
)
|
|
/*
|
|
|
|
Abstract:
|
|
|
|
Add RDN into certificate
|
|
|
|
Parameter:
|
|
|
|
pCertNameBlob -
|
|
szRdn - RDN to be added, see CertStrToName() for help
|
|
|
|
Returns:
|
|
|
|
ERROR_INVALID_PARAMETER
|
|
Memory allocation failed.
|
|
Error returns from CertStrToName()
|
|
|
|
*/
|
|
{
|
|
if(pCertNameBlob == NULL)
|
|
return ERROR_INVALID_PARAMETER;
|
|
|
|
BOOL bRetCode=TRUE;
|
|
|
|
bRetCode = CertStrToName(
|
|
X509_ASN_ENCODING,
|
|
szRdn,
|
|
CERT_X500_NAME_STR | CERT_SIMPLE_NAME_STR,
|
|
NULL,
|
|
pCertNameBlob->pbData,
|
|
&pCertNameBlob->cbData,
|
|
NULL
|
|
);
|
|
|
|
if(bRetCode != TRUE)
|
|
goto cleanup;
|
|
|
|
pCertNameBlob->pbData = (PBYTE)AllocateMemory(pCertNameBlob->cbData);
|
|
if(pCertNameBlob->pbData == NULL)
|
|
goto cleanup;
|
|
|
|
bRetCode = CertStrToName(
|
|
X509_ASN_ENCODING,
|
|
szRdn,
|
|
CERT_X500_NAME_STR | CERT_SIMPLE_NAME_STR,
|
|
NULL,
|
|
pCertNameBlob->pbData,
|
|
&pCertNameBlob->cbData,
|
|
NULL
|
|
);
|
|
|
|
cleanup:
|
|
|
|
return (bRetCode) ? ERROR_SUCCESS : GetLastError();
|
|
}
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSCertSetCertRdnName(
|
|
IN OUT CERT_NAME_BLOB* pCertNameBlob,
|
|
IN CERT_NAME_INFO* pRdn
|
|
)
|
|
/*
|
|
|
|
Abstract:
|
|
|
|
Add RDN into certificate
|
|
|
|
Parameters:
|
|
|
|
pCertNameBlob -
|
|
pRdn -
|
|
|
|
Returns
|
|
|
|
ERROR_INVALID_PARAMETER
|
|
Error code from CryptEncodeObject()
|
|
Memory allocation fail.
|
|
|
|
*/
|
|
{
|
|
if(pCertNameBlob == NULL || pRdn == NULL)
|
|
return ERROR_INVALID_PARAMETER;
|
|
|
|
//
|
|
// CertStrToName() not defined in SP3 build environment
|
|
//
|
|
return TLSCryptEncodeObject(
|
|
CRYPT_ASN_ENCODING,
|
|
X509_NAME,
|
|
pRdn,
|
|
&pCertNameBlob->pbData,
|
|
&pCertNameBlob->cbData
|
|
);
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
DWORD
|
|
TLSSetCertRdn(
|
|
PCERT_NAME_BLOB pCertNameBlob,
|
|
PTLSClientCertRDN pLsCertRdn
|
|
)
|
|
/*
|
|
*/
|
|
{
|
|
DWORD dwStatus=ERROR_SUCCESS;
|
|
|
|
switch(pLsCertRdn->type)
|
|
{
|
|
case LSCERT_RDN_STRING_TYPE:
|
|
dwStatus = TLSCertSetCertRdnStr(
|
|
pCertNameBlob,
|
|
pLsCertRdn->szRdn
|
|
);
|
|
break;
|
|
|
|
case LSCERT_RDN_NAME_INFO_TYPE:
|
|
dwStatus = TLSCertSetCertRdnName(
|
|
pCertNameBlob,
|
|
pLsCertRdn->pCertNameInfo
|
|
);
|
|
|
|
break;
|
|
|
|
case LSCERT_RDN_NAME_BLOB_TYPE:
|
|
*pCertNameBlob = *pLsCertRdn->pNameBlob;
|
|
break;
|
|
|
|
case LSCERT_CLIENT_INFO_TYPE:
|
|
{
|
|
PBYTE szBase64EncodeHwid=NULL;
|
|
DWORD cbBase64EncodeHwid=0;
|
|
|
|
if(!TLSEncryptBase64EncodeHWID(
|
|
pLsCertRdn->ClientInfo.pClientID,
|
|
&cbBase64EncodeHwid,
|
|
&szBase64EncodeHwid))
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
dwStatus=TLS_E_ENCRYPTHWID,
|
|
GetLastError()
|
|
);
|
|
|
|
break;
|
|
}
|
|
|
|
CERT_RDN_ATTR rgNameAttr[] = {
|
|
{
|
|
OID_SUBJECT_CLIENT_COMPUTERNAME,
|
|
dwCertRdnValueType,
|
|
_tcslen(pLsCertRdn->ClientInfo.szMachineName) * sizeof(TCHAR),
|
|
(UCHAR *)pLsCertRdn->ClientInfo.szMachineName
|
|
},
|
|
{
|
|
OID_SUBJECT_CLIENT_USERNAME,
|
|
dwCertRdnValueType,
|
|
_tcslen(pLsCertRdn->ClientInfo.szUserName) * sizeof(TCHAR),
|
|
(UCHAR *)pLsCertRdn->ClientInfo.szUserName
|
|
},
|
|
{
|
|
OID_SUBJECT_CLIENT_HWID,
|
|
dwCertRdnValueType,
|
|
cbBase64EncodeHwid*sizeof(TCHAR),
|
|
(UCHAR *)szBase64EncodeHwid
|
|
}
|
|
};
|
|
|
|
CERT_RDN rgRDN[] = {
|
|
sizeof(rgNameAttr)/sizeof(rgNameAttr[0]),
|
|
&rgNameAttr[0]
|
|
};
|
|
|
|
CERT_NAME_INFO Name = {1, rgRDN};
|
|
|
|
dwStatus = TLSCertSetCertRdnName(
|
|
pCertNameBlob,
|
|
&Name
|
|
);
|
|
|
|
FreeMemory(szBase64EncodeHwid);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
|
|
dwStatus = ERROR_INVALID_PARAMETER;
|
|
}
|
|
|
|
return dwStatus;
|
|
}
|
|
|
|
|
|
//////////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSGenerateCertificate(
|
|
HCRYPTPROV hCryptProv,
|
|
DWORD dwKeySpec,
|
|
ULARGE_INTEGER* pCertSerialNumber,
|
|
PTLSClientCertRDN pCertIssuer,
|
|
PTLSClientCertRDN pCertSubject,
|
|
FILETIME* ftNotBefore,
|
|
FILETIME* ftNotAfter,
|
|
PCERT_PUBLIC_KEY_INFO pSubjectPublicKey,
|
|
DWORD dwNumExtensions,
|
|
PCERT_EXTENSION pCertExtensions,
|
|
PDWORD pcbEncodedCert,
|
|
PBYTE* ppbEncodedCert
|
|
)
|
|
/*
|
|
|
|
*/
|
|
{
|
|
DWORD dwStatus=ERROR_SUCCESS;
|
|
CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm={ szOID_OIWSEC_sha1RSASign, 0, 0 };
|
|
CERT_INFO CertInfo;
|
|
PCERT_PUBLIC_KEY_INFO pbPublicKeyInfo=NULL;
|
|
DWORD cbPublicKeyInfo=0;
|
|
|
|
|
|
memset(&CertInfo, 0, sizeof(CERT_INFO));
|
|
|
|
CertInfo.dwVersion = CERT_V3;
|
|
CertInfo.SerialNumber.cbData = sizeof(*pCertSerialNumber);
|
|
CertInfo.SerialNumber.pbData = (PBYTE)pCertSerialNumber;
|
|
|
|
CertInfo.SignatureAlgorithm = SignatureAlgorithm;
|
|
|
|
dwStatus = TLSSetCertRdn(
|
|
&CertInfo.Issuer,
|
|
pCertIssuer
|
|
);
|
|
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_SETCERTISSUER,
|
|
dwStatus
|
|
);
|
|
goto cleanup;
|
|
}
|
|
|
|
CertInfo.NotBefore = *ftNotBefore;
|
|
CertInfo.NotAfter = *ftNotAfter;
|
|
|
|
dwStatus = TLSSetCertRdn(
|
|
&CertInfo.Subject,
|
|
pCertSubject
|
|
);
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_SETCERTSUBJECT,
|
|
dwStatus
|
|
);
|
|
goto cleanup;
|
|
}
|
|
|
|
if(pSubjectPublicKey)
|
|
{
|
|
CertInfo.SubjectPublicKeyInfo = *pSubjectPublicKey;
|
|
}
|
|
else
|
|
{
|
|
dwStatus = TLSExportPublicKey(
|
|
hCryptProv,
|
|
dwKeySpec,
|
|
&cbPublicKeyInfo,
|
|
&pbPublicKeyInfo
|
|
);
|
|
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_EXPORT_KEY,
|
|
dwStatus
|
|
);
|
|
goto cleanup;
|
|
}
|
|
|
|
CertInfo.SubjectPublicKeyInfo = *pbPublicKeyInfo;
|
|
}
|
|
|
|
CertInfo.cExtension = dwNumExtensions;
|
|
CertInfo.rgExtension = pCertExtensions;
|
|
|
|
dwStatus = TLSCryptSignAndEncodeCertificate(
|
|
hCryptProv,
|
|
dwKeySpec,
|
|
&CertInfo,
|
|
&SignatureAlgorithm,
|
|
ppbEncodedCert,
|
|
pcbEncodedCert
|
|
);
|
|
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_SIGNENCODECERT,
|
|
dwStatus
|
|
);
|
|
}
|
|
|
|
cleanup:
|
|
|
|
if(pbPublicKeyInfo)
|
|
{
|
|
FreeMemory(pbPublicKeyInfo);
|
|
}
|
|
|
|
if(pCertIssuer->type != LSCERT_RDN_NAME_BLOB_TYPE)
|
|
{
|
|
FreeMemory(CertInfo.Issuer.pbData);
|
|
}
|
|
|
|
if(pCertSubject->type != LSCERT_RDN_NAME_BLOB_TYPE)
|
|
{
|
|
FreeMemory(CertInfo.Subject.pbData);
|
|
}
|
|
return dwStatus;
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSCreateSelfSignCertificate(
|
|
IN HCRYPTPROV hCryptProv,
|
|
IN DWORD dwKeySpec,
|
|
IN PBYTE pbSPK,
|
|
IN DWORD cbSPK,
|
|
IN DWORD dwNumExtensions,
|
|
IN PCERT_EXTENSION pCertExtension,
|
|
OUT PDWORD cbEncoded,
|
|
OUT PBYTE* pbEncoded
|
|
)
|
|
/*
|
|
|
|
*/
|
|
{
|
|
DWORD dwStatus=ERROR_SUCCESS;
|
|
DWORD index;
|
|
|
|
#define MAX_EXTENSIONS_IN_SELFSIGN 40
|
|
|
|
SYSTEMTIME sysTime;
|
|
FILETIME ftTime;
|
|
CERT_EXTENSION rgExtension[MAX_EXTENSIONS_IN_SELFSIGN];
|
|
int iExtCount=0, iExtNotFreeCount=0;
|
|
FILETIME ftNotBefore;
|
|
FILETIME ftNotAfter;
|
|
ULARGE_INTEGER ulSerialNumber;
|
|
TLSClientCertRDN certRdn;
|
|
|
|
CERT_BASIC_CONSTRAINTS2_INFO basicConstraint;
|
|
|
|
// modify here is we want to set to different issuer name
|
|
LPTSTR szIssuerName;
|
|
szIssuerName = g_szComputerName;
|
|
|
|
//static LPTSTR pszEnforce=L"Enforce";
|
|
|
|
|
|
CERT_RDN_ATTR rgNameAttr[] = {
|
|
{
|
|
szOID_COMMON_NAME,
|
|
dwCertRdnValueType,
|
|
_tcslen(szIssuerName) * sizeof(TCHAR),
|
|
(UCHAR *)szIssuerName
|
|
},
|
|
|
|
//#if ENFORCE_LICENSING
|
|
// {
|
|
// szOID_BUSINESS_CATEGORY,
|
|
// dwCertRdnValueType,
|
|
// _tcslen(pszEnforce) * sizeof(TCHAR),
|
|
// (UCHAR *)pszEnforce
|
|
// },
|
|
//#endif
|
|
|
|
{
|
|
szOID_LOCALITY_NAME,
|
|
dwCertRdnValueType,
|
|
_tcslen(g_pszScope) * sizeof(TCHAR),
|
|
(UCHAR *)g_pszScope
|
|
}
|
|
|
|
};
|
|
|
|
CERT_RDN rgRDN[] = { sizeof(rgNameAttr)/sizeof(rgNameAttr[0]), &rgNameAttr[0] };
|
|
CERT_NAME_INFO Name = {1, rgRDN};
|
|
|
|
certRdn.type = LSCERT_RDN_NAME_INFO_TYPE;
|
|
certRdn.pCertNameInfo = &Name;
|
|
|
|
memset(rgExtension, 0, sizeof(rgExtension));
|
|
|
|
//
|
|
// Set validity of self sign certificate
|
|
//
|
|
|
|
//
|
|
// If system time is not in sync, this will cause server
|
|
// can't request cert. from license server
|
|
//
|
|
|
|
memset(&sysTime, 0, sizeof(sysTime));
|
|
GetSystemTime(&sysTime);
|
|
sysTime.wYear = 1970;
|
|
if(TLSSystemTimeToFileTime(&sysTime, &ftNotBefore) == FALSE)
|
|
{
|
|
dwStatus = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
//
|
|
// draft-ietf-pkix-ipki-part1-06.txt section 4.1.2.5.1
|
|
// where year is greater or equal to 50, the year shall be interpreted as 19YY; and
|
|
// where year is less than 50, the year shall be interpreted as 20YY
|
|
//
|
|
sysTime.wYear = PERMANENT_CERT_EXPIRE_DATE;
|
|
if(TLSSystemTimeToFileTime(&sysTime, &ftNotAfter) == FALSE)
|
|
{
|
|
dwStatus = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
ulSerialNumber.LowPart = ftNotBefore.dwLowDateTime;
|
|
ulSerialNumber.HighPart = ftNotBefore.dwHighDateTime;
|
|
|
|
//
|
|
// Add basic constrains extension to indicate this is a CA certificate
|
|
//
|
|
rgExtension[iExtCount].pszObjId = szOID_BASIC_CONSTRAINTS2;
|
|
rgExtension[iExtCount].fCritical = FALSE;
|
|
|
|
basicConstraint.fCA = TRUE; // act as CA
|
|
basicConstraint.fPathLenConstraint = TRUE;
|
|
basicConstraint.dwPathLenConstraint = 0; // can only issue certificates
|
|
// to end-entities and not to further CAs
|
|
dwStatus=TLSCryptEncodeObject(
|
|
X509_ASN_ENCODING,
|
|
szOID_BASIC_CONSTRAINTS2,
|
|
&basicConstraint,
|
|
&(rgExtension[iExtCount].Value.pbData),
|
|
&(rgExtension[iExtCount].Value.cbData)
|
|
);
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_SIGNENCODECERT,
|
|
dwStatus
|
|
);
|
|
goto cleanup;
|
|
}
|
|
|
|
iExtCount++;
|
|
|
|
|
|
//
|
|
// From here - extension memory should not be free
|
|
//
|
|
if(pbSPK != NULL && cbSPK != 0)
|
|
{
|
|
rgExtension[iExtCount].pszObjId = szOID_PKIS_TLSERVER_SPK_OID;
|
|
rgExtension[iExtCount].fCritical = FALSE;
|
|
rgExtension[iExtCount].Value.pbData = pbSPK;
|
|
rgExtension[iExtCount].Value.cbData = cbSPK;
|
|
|
|
iExtNotFreeCount++;
|
|
iExtCount++;
|
|
}
|
|
|
|
for(index = 0;
|
|
index < dwNumExtensions;
|
|
index ++, iExtCount++, iExtNotFreeCount++ )
|
|
{
|
|
if (iExtCount >= MAX_EXTENSIONS_IN_SELFSIGN)
|
|
{
|
|
iExtCount--;
|
|
dwStatus = ERROR_INVALID_PARAMETER;
|
|
goto cleanup;
|
|
}
|
|
|
|
rgExtension[iExtCount] = pCertExtension[index];
|
|
}
|
|
|
|
dwStatus = TLSGenerateCertificate(
|
|
hCryptProv,
|
|
dwKeySpec,
|
|
&ulSerialNumber,
|
|
&certRdn,
|
|
&certRdn,
|
|
&ftNotBefore,
|
|
&ftNotAfter,
|
|
NULL,
|
|
iExtCount,
|
|
rgExtension,
|
|
cbEncoded,
|
|
pbEncoded
|
|
);
|
|
cleanup:
|
|
|
|
//
|
|
// Don't free memory for SPK and extensions...
|
|
//
|
|
for(int i=0; i < iExtCount - iExtNotFreeCount; i++)
|
|
{
|
|
FreeMemory(rgExtension[i].Value.pbData);
|
|
}
|
|
|
|
return (dwStatus != ERROR_SUCCESS) ? TLS_E_CREATE_SELFSIGN_CERT : ERROR_SUCCESS;
|
|
}
|
|
|
|
|
|
////////////////////////////////////////////////////////////////////////////
|
|
DWORD
|
|
TLSGenerateSingleCertificate(
|
|
IN HCRYPTPROV hCryptProv,
|
|
IN PCERT_NAME_BLOB pIssuerRdn,
|
|
IN PTLSClientCertRDN pSubjectRdn,
|
|
IN PCERT_PUBLIC_KEY_INFO pSubjectPublicKeyInfo,
|
|
IN PTLSDBLICENSEDPRODUCT pLicProduct,
|
|
OUT PBYTE* ppbEncodedCert,
|
|
IN PDWORD pcbEncodedCert
|
|
)
|
|
/*
|
|
|
|
*/
|
|
{
|
|
DWORD dwStatus = ERROR_SUCCESS;
|
|
|
|
#define MAX_CLIENT_EXTENSION 10
|
|
|
|
CERT_EXTENSION CertExtension[MAX_CLIENT_EXTENSION];
|
|
DWORD dwNumExtensions=0;
|
|
DWORD currentCertVersion=TERMSERV_CERT_VERSION_CURRENT;
|
|
|
|
TLSClientCertRDN IssuerRdn;
|
|
|
|
|
|
#if ENFORCE_LICENSING
|
|
|
|
//
|
|
// Use certificate that CH gets for us
|
|
//
|
|
IssuerRdn.type = LSCERT_RDN_NAME_BLOB_TYPE;
|
|
//IssuerRdn.pNameBlob = &g_LicenseCertContext->pCertInfo->Subject;
|
|
IssuerRdn.pNameBlob = pIssuerRdn;
|
|
|
|
#else
|
|
|
|
LPTSTR szIssuerName;
|
|
|
|
// modify here if we want to set to different issuer name
|
|
szIssuerName = g_szComputerName;
|
|
|
|
CERT_RDN_ATTR rgNameAttr[] = {
|
|
{
|
|
OID_ISSUER_LICENSE_SERVER_NAME,
|
|
dwCertRdnValueType,
|
|
_tcslen(szIssuerName) * sizeof(TCHAR),
|
|
(UCHAR *)szIssuerName
|
|
},
|
|
{
|
|
OID_ISSUER_LICENSE_SERVER_SCOPE,
|
|
dwCertRdnValueType,
|
|
_tcslen(g_pszScope) * sizeof(TCHAR),
|
|
(UCHAR *)g_pszScope
|
|
}
|
|
};
|
|
|
|
CERT_RDN rgRDN[] = {
|
|
sizeof(rgNameAttr)/sizeof(rgNameAttr[0]),
|
|
&rgNameAttr[0]
|
|
};
|
|
CERT_NAME_INFO Name = {1, rgRDN};
|
|
|
|
IssuerRdn.type = LSCERT_RDN_NAME_INFO_TYPE;
|
|
IssuerRdn.pCertNameInfo = &Name;
|
|
|
|
#endif
|
|
|
|
//------------------------------------------------------------------------------------------
|
|
// add extension to certificate
|
|
// WARNING : End of routine free memory allocated for extension's pbData, skip those
|
|
// that can't be free, for example, version stamp extension. all these is just
|
|
// to keep memory fragmentaion low
|
|
//------------------------------------------------------------------------------------------
|
|
|
|
//
|
|
// DO NOT FREE pbData on first two extensions
|
|
//
|
|
|
|
// Hydra Certificate version stamp - DO NOT FREE
|
|
memset(CertExtension, 0, sizeof(CertExtension));
|
|
dwNumExtensions = 0;
|
|
|
|
//
|
|
// Add License Server Info
|
|
//
|
|
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_HYDRA_CERT_VERSION;
|
|
CertExtension[dwNumExtensions].fCritical = TRUE;
|
|
CertExtension[dwNumExtensions].Value.cbData = sizeof(DWORD);
|
|
CertExtension[dwNumExtensions].Value.pbData = (PBYTE)¤tCertVersion;
|
|
dwNumExtensions++;
|
|
|
|
// manufacturer's name, no encoding - DO NOT FREE
|
|
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_MANUFACTURER;
|
|
CertExtension[dwNumExtensions].fCritical = TRUE;
|
|
CertExtension[dwNumExtensions].Value.cbData = (_tcslen(pLicProduct->szCompanyName)+1) * sizeof(TCHAR);
|
|
CertExtension[dwNumExtensions].Value.pbData = (PBYTE)pLicProduct->szCompanyName;
|
|
dwNumExtensions++;
|
|
|
|
//
|
|
// MS Licensed Product Info, no encoding
|
|
//
|
|
LICENSED_VERSION_INFO LicensedInfo;
|
|
|
|
memset(&LicensedInfo, 0, sizeof(LicensedInfo));
|
|
LicensedInfo.wMajorVersion = HIWORD(pLicProduct->dwProductVersion);
|
|
LicensedInfo.wMinorVersion = LOWORD(pLicProduct->dwProductVersion);
|
|
LicensedInfo.dwFlags = (pLicProduct->bTemp) ? LICENSED_VERSION_TEMPORARY : 0;
|
|
|
|
DWORD dwLSVersionMajor;
|
|
DWORD dwLSVersionMinor;
|
|
|
|
dwLSVersionMajor = GET_SERVER_MAJOR_VERSION(TLS_CURRENT_VERSION);
|
|
dwLSVersionMinor = GET_SERVER_MINOR_VERSION(TLS_CURRENT_VERSION);
|
|
LicensedInfo.dwFlags |= ((dwLSVersionMajor << 4 | dwLSVersionMinor) << 16);
|
|
|
|
if(TLSIsBetaNTServer() == FALSE)
|
|
{
|
|
LicensedInfo.dwFlags |= LICENSED_VERSION_RTM;
|
|
}
|
|
|
|
#if ENFORCE_LICENSING
|
|
LicensedInfo.dwFlags |= LICENSE_ISSUER_ENFORCE_TYPE;
|
|
#endif
|
|
|
|
|
|
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_LICENSED_PRODUCT_INFO;
|
|
CertExtension[dwNumExtensions].fCritical = TRUE;
|
|
dwStatus=LSLicensedProductInfoToExtension(
|
|
1,
|
|
pLicProduct->dwPlatformID,
|
|
pLicProduct->dwLanguageID,
|
|
(PBYTE)pLicProduct->szRequestProductId,
|
|
(_tcslen(pLicProduct->szRequestProductId) + 1) * sizeof(TCHAR),
|
|
(PBYTE)pLicProduct->szLicensedProductId,
|
|
(_tcslen(pLicProduct->szLicensedProductId) + 1) * sizeof(TCHAR),
|
|
&LicensedInfo,
|
|
1,
|
|
&(CertExtension[dwNumExtensions].Value.pbData),
|
|
&(CertExtension[dwNumExtensions].Value.cbData)
|
|
);
|
|
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
goto cleanup;
|
|
|
|
dwNumExtensions++;
|
|
|
|
//
|
|
// Add license server info into extension
|
|
//
|
|
CertExtension[dwNumExtensions].pszObjId = szOID_PKIX_MS_LICENSE_SERVER_INFO;
|
|
CertExtension[dwNumExtensions].fCritical = TRUE;
|
|
dwStatus=LSMsLicenseServerInfoToExtension(
|
|
g_szComputerName,
|
|
(LPTSTR)g_pszServerPid,
|
|
g_pszScope,
|
|
&(CertExtension[dwNumExtensions].Value.pbData),
|
|
&(CertExtension[dwNumExtensions].Value.cbData)
|
|
);
|
|
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
goto cleanup;
|
|
|
|
dwNumExtensions++;
|
|
|
|
//
|
|
// Add policy module specific extension
|
|
if( pLicProduct->pbPolicyData != NULL && pLicProduct->cbPolicyData != 0 )
|
|
{
|
|
CertExtension[dwNumExtensions].pszObjId = szOID_PKIS_PRODUCT_SPECIFIC_OID;
|
|
CertExtension[dwNumExtensions].fCritical = TRUE;
|
|
CertExtension[dwNumExtensions].Value.pbData = pLicProduct->pbPolicyData;
|
|
CertExtension[dwNumExtensions].Value.cbData = pLicProduct->cbPolicyData;
|
|
|
|
dwNumExtensions++;
|
|
}
|
|
|
|
//
|
|
// Add CertAuthorityKeyId2Info for certificate chain
|
|
dwStatus=TLSAddCertAuthorityKeyIdExtension(
|
|
g_szComputerName,
|
|
&pLicProduct->ulSerialNumber,
|
|
CertExtension + dwNumExtensions
|
|
);
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
goto cleanup;
|
|
|
|
dwNumExtensions++;
|
|
|
|
// Add Access info
|
|
|
|
dwStatus = TLSGenerateCertificate(
|
|
hCryptProv,
|
|
AT_SIGNATURE,
|
|
&pLicProduct->ulSerialNumber,
|
|
&IssuerRdn,
|
|
pSubjectRdn,
|
|
&pLicProduct->NotBefore,
|
|
&pLicProduct->NotAfter,
|
|
pLicProduct->pSubjectPublicKeyInfo,
|
|
dwNumExtensions,
|
|
CertExtension,
|
|
pcbEncodedCert,
|
|
ppbEncodedCert
|
|
);
|
|
|
|
cleanup:
|
|
|
|
// Extensions. DO NOT FREE first two extensions
|
|
for(int i=2; i < dwNumExtensions; i++)
|
|
{
|
|
FreeMemory(CertExtension[i].Value.pbData);
|
|
}
|
|
|
|
return (dwStatus != ERROR_SUCCESS) ? TLS_E_CREATE_CERT : ERROR_SUCCESS;
|
|
}
|
|
|
|
|
|
////////////////////////////////////////////////////////////
|
|
|
|
DWORD
|
|
TLSGenerateClientCertificate(
|
|
IN HCRYPTPROV hCryptProv,
|
|
IN DWORD dwNumLicensedProduct,
|
|
IN PTLSDBLICENSEDPRODUCT pLicProduct,
|
|
IN WORD wLicenseChainDetail,
|
|
OUT PBYTE* ppbEncodedCert,
|
|
OUT PDWORD pcbEncodedCert
|
|
)
|
|
/*++
|
|
|
|
|
|
++*/
|
|
{
|
|
DWORD dwStatus = ERROR_SUCCESS;
|
|
HCERTSTORE hStore = NULL;
|
|
PCCERT_CONTEXT pCertContext = NULL;
|
|
PBYTE pbCert=NULL;
|
|
DWORD cbCert=NULL;
|
|
DWORD index;
|
|
TLSClientCertRDN clientCertRdn;
|
|
PCERT_NAME_BLOB pIssuerNameBlob = NULL;
|
|
|
|
|
|
//
|
|
// Create a in-memory store
|
|
//
|
|
hStore=CertOpenStore(
|
|
CERT_STORE_PROV_MEMORY,
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
hCryptProv,
|
|
CERT_STORE_NO_CRYPT_RELEASE_FLAG,
|
|
NULL
|
|
);
|
|
|
|
if(!hStore)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_OPEN_CERT_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
|
|
goto cleanup;
|
|
}
|
|
|
|
#ifndef ENFORCE_LICENSING
|
|
|
|
pIssuerNameBlob = &g_SelfSignCertContext->pCertInfo->Subject;
|
|
|
|
#else
|
|
|
|
if( g_SelfSignCertContext == NULL )
|
|
{
|
|
TLSASSERT(FALSE);
|
|
dwStatus = TLS_E_INTERNAL;
|
|
goto cleanup;
|
|
}
|
|
|
|
if(g_bHasHydraCert && g_hCaStore && wLicenseChainDetail == LICENSE_DETAIL_DETAIL)
|
|
{
|
|
pIssuerNameBlob = &g_LicenseCertContext->pCertInfo->Subject;
|
|
}
|
|
else
|
|
{
|
|
pIssuerNameBlob = &g_SelfSignCertContext->pCertInfo->Subject;
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
//
|
|
// Generate client certificate and add to certstore
|
|
//
|
|
for(index = 0; index < dwNumLicensedProduct; index++)
|
|
{
|
|
if(pCertContext != NULL)
|
|
{
|
|
//
|
|
// Need to keep one pCertContext for later use
|
|
//
|
|
CertFreeCertificateContext(pCertContext);
|
|
pCertContext = NULL;
|
|
}
|
|
|
|
clientCertRdn.type = LSCERT_CLIENT_INFO_TYPE;
|
|
clientCertRdn.ClientInfo.szUserName = pLicProduct[index].szUserName;
|
|
clientCertRdn.ClientInfo.szMachineName = pLicProduct[index].szMachineName;
|
|
clientCertRdn.ClientInfo.pClientID = &pLicProduct[index].ClientHwid;
|
|
|
|
dwStatus = TLSGenerateSingleCertificate(
|
|
hCryptProv,
|
|
pIssuerNameBlob,
|
|
&clientCertRdn,
|
|
pLicProduct[index].pSubjectPublicKeyInfo,
|
|
pLicProduct+index,
|
|
&pbCert,
|
|
&cbCert
|
|
);
|
|
|
|
if(dwStatus != ERROR_SUCCESS)
|
|
{
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Add certificate to store
|
|
//
|
|
pCertContext = CertCreateCertificateContext(
|
|
X509_ASN_ENCODING,
|
|
pbCert,
|
|
cbCert
|
|
);
|
|
|
|
if(pCertContext == NULL)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_CREATE_CERTCONTEXT,
|
|
dwStatus=GetLastError()
|
|
);
|
|
break;
|
|
}
|
|
|
|
//
|
|
// always start from empty so CERT_STORE_ADD_ALWAYS
|
|
//
|
|
if(!CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_ALWAYS, NULL))
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_ADD_CERT_TO_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
|
|
break;
|
|
}
|
|
|
|
FreeMemory(pbCert);
|
|
pbCert = NULL;
|
|
}
|
|
|
|
if(dwStatus == ERROR_SUCCESS)
|
|
{
|
|
|
|
#ifndef ENFORCE_LICENSING
|
|
//
|
|
// Add license server's certificate
|
|
if(!CertAddCertificateContextToStore(hStore, g_LicenseCertContext, CERT_STORE_ADD_ALWAYS, NULL))
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_ADD_CERT_TO_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
goto cleanup;
|
|
}
|
|
#else
|
|
|
|
//
|
|
// we don't support LICENSE_DETAIL_MODERATE at this time, treat it as LICENSE_DETAIL_SIMPLE
|
|
//
|
|
if(g_bHasHydraCert && g_hCaStore && wLicenseChainDetail == LICENSE_DETAIL_DETAIL)
|
|
{
|
|
//
|
|
// Chain issuer certificate with client certificate
|
|
//
|
|
if(!TLSChainIssuerCertificate(hCryptProv, g_hCaStore, hStore, pCertContext))
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_ADD_CERT_TO_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
goto cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Add license server's certificate
|
|
if(!CertAddCertificateContextToStore(hStore, g_SelfSignCertContext, CERT_STORE_ADD_ALWAYS, NULL))
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_ADD_CERT_TO_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
goto cleanup;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
CRYPT_DATA_BLOB saveBlob;
|
|
memset(&saveBlob, 0, sizeof(saveBlob));
|
|
|
|
// save certificate into memory
|
|
if(!CertSaveStore(hStore,
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
LICENSE_BLOB_SAVEAS_TYPE,
|
|
CERT_STORE_SAVE_TO_MEMORY,
|
|
&saveBlob,
|
|
0) && (dwStatus=GetLastError()) != ERROR_MORE_DATA)
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_SAVE_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
goto cleanup;
|
|
}
|
|
|
|
if(!(saveBlob.pbData = (PBYTE)AllocateMemory(saveBlob.cbData)))
|
|
{
|
|
dwStatus=TLS_E_ALLOCATE_MEMORY;
|
|
goto cleanup;
|
|
}
|
|
|
|
// save certificate into memory
|
|
if(!CertSaveStore(hStore,
|
|
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
LICENSE_BLOB_SAVEAS_TYPE,
|
|
CERT_STORE_SAVE_TO_MEMORY,
|
|
&saveBlob,
|
|
0))
|
|
{
|
|
TLSLogEvent(
|
|
EVENTLOG_ERROR_TYPE,
|
|
TLS_E_GENERATECLIENTELICENSE,
|
|
TLS_E_SAVE_STORE,
|
|
dwStatus=GetLastError()
|
|
);
|
|
goto cleanup;
|
|
}
|
|
|
|
*ppbEncodedCert = saveBlob.pbData;
|
|
*pcbEncodedCert = saveBlob.cbData;
|
|
}
|
|
|
|
cleanup:
|
|
|
|
FreeMemory(pbCert);
|
|
|
|
if(pCertContext)
|
|
{
|
|
CertFreeCertificateContext(pCertContext);
|
|
}
|
|
|
|
if(hStore)
|
|
{
|
|
CertCloseStore(hStore, CERT_CLOSE_STORE_FORCE_FLAG);
|
|
}
|
|
|
|
return dwStatus;
|
|
}
|
|
|
|
|
|
|