archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
3.8 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/cryptoapi/pki/wincrmsg/msghlpr.cpp

548 lines
16 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1996 - 1999
  6. //
  7. // File: msghlpr.cpp
  8. //
  9. // Contents: Cryptographic Message Helper APIs
  10. //
  11. // APIs: CryptMsgGetAndVerifySigner
  12. // CryptMsgSignCTL
  13. // CryptMsgEncodeAndSignCTL
  14. //
  15. // History: 02-May-97 philh created
  16. //--------------------------------------------------------------------------
  18. #include "global.hxx"
  19. #include "pkialloc.h"
  21. void *ICM_AllocAndGetMsgParam(
  22. IN HCRYPTMSG hMsg,
  23. IN DWORD dwParamType,
  24. IN DWORD dwIndex
  25. )
  26. {
  27. void *pvData;
  28. DWORD cbData;
  30. if (!CryptMsgGetParam(
  31. hMsg,
  32. dwParamType,
  33. dwIndex,
  34. NULL, // pvData
  35. &cbData) || 0 == cbData)
  36. goto GetParamError;
  37. if (NULL == (pvData = ICM_Alloc(cbData)))
  38. goto OutOfMemory;
  39. if (!CryptMsgGetParam(
  40. hMsg,
  41. dwParamType,
  42. dwIndex,
  43. pvData,
  44. &cbData)) {
  45. ICM_Free(pvData);
  46. goto GetParamError;
  47. }
  49. CommonReturn:
  50. return pvData;
  51. ErrorReturn:
  52. pvData = NULL;
  53. goto CommonReturn;
  54. TRACE_ERROR(OutOfMemory)
  55. TRACE_ERROR(GetParamError)
  56. }
  58. #ifdef CMS_PKCS7
  60. BOOL ICM_GetAndVerifySigner(
  61. IN HCRYPTMSG hCryptMsg,
  62. IN DWORD dwSignerIndex,
  63. IN DWORD cSignerStore,
  64. IN OPTIONAL HCERTSTORE *rghSignerStore,
  65. IN DWORD dwFlags,
  66. OUT OPTIONAL PCCERT_CONTEXT *ppSigner
  67. )
  68. {
  69. BOOL fResult;
  70. PCERT_INFO pSignerId = NULL;
  71. PCCERT_CONTEXT pSigner = NULL;
  72. DWORD dwCertEncodingType;
  73. DWORD dwVerifyErr = 0;
  74. HCERTSTORE hCollection = NULL;
  76. if (NULL == (pSignerId = (PCERT_INFO) ICM_AllocAndGetMsgParam(
  77. hCryptMsg,
  78. CMSG_SIGNER_CERT_INFO_PARAM,
  79. dwSignerIndex
  80. ))) goto GetSignerError;
  82. // If no CertEncodingType, then, use the MsgEncodingType
  83. dwCertEncodingType = ((PCRYPT_MSG_INFO) hCryptMsg)->dwEncodingType;
  84. if (0 == (dwCertEncodingType & CERT_ENCODING_TYPE_MASK))
  85. dwCertEncodingType =
  86. (dwCertEncodingType >> 16) & CERT_ENCODING_TYPE_MASK;
  89. if (NULL == (hCollection = CertOpenStore(
  90. CERT_STORE_PROV_COLLECTION,
  91. 0, // dwEncodingType
  92. 0, // hCryptProv
  93. 0, // dwFlags
  94. NULL // pvPara
  95. )))
  96. goto OpenCollectionStoreError;
  98. if (0 == (dwFlags & CMSG_TRUSTED_SIGNER_FLAG)) {
  99. HCERTSTORE hMsgCertStore;
  101. // Open a cert store initialized with certs from the message
  102. // and add to collection
  103. if (hMsgCertStore = CertOpenStore(
  104. CERT_STORE_PROV_MSG,
  105. dwCertEncodingType,
  106. 0, // hCryptProv
  107. 0, // dwFlags
  108. hCryptMsg // pvPara
  109. )) {
  110. CertAddStoreToCollection(
  111. hCollection,
  112. hMsgCertStore,
  113. CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG,
  114. 0 // dwPriority
  115. );
  116. CertCloseStore(hMsgCertStore, 0);
  117. }
  118. }
  120. // Add all the signer stores to the collection
  121. for ( ; cSignerStore > 0; cSignerStore--, rghSignerStore++) {
  122. HCERTSTORE hSignerStore = *rghSignerStore;
  123. if (NULL == hSignerStore)
  124. continue;
  126. CertAddStoreToCollection(
  127. hCollection,
  128. hSignerStore,
  129. CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG,
  130. 0 // dwPriority
  131. );
  132. }
  134. if (pSigner = CertGetSubjectCertificateFromStore(hCollection,
  135. dwCertEncodingType, pSignerId)) {
  136. CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA CtrlPara;
  138. if (dwFlags & CMSG_SIGNER_ONLY_FLAG)
  139. goto SuccessReturn;
  141. memset(&CtrlPara, 0, sizeof(CtrlPara));
  142. CtrlPara.cbSize = sizeof(CtrlPara);
  143. // CtrlPara.hCryptProv =
  144. CtrlPara.dwSignerIndex = dwSignerIndex;
  145. CtrlPara.dwSignerType = CMSG_VERIFY_SIGNER_CERT;
  146. CtrlPara.pvSigner = (void *) pSigner;
  148. if (CryptMsgControl(
  149. hCryptMsg,
  150. 0, // dwFlags
  151. CMSG_CTRL_VERIFY_SIGNATURE_EX,
  152. &CtrlPara)) goto SuccessReturn;
  153. else {
  154. dwVerifyErr = GetLastError();
  156. if (CRYPT_E_MISSING_PUBKEY_PARA == dwVerifyErr) {
  157. PCCERT_CHAIN_CONTEXT pChainContext;
  158. CERT_CHAIN_PARA ChainPara;
  160. // Build a chain. Hopefully, the signer inherit's its public key
  161. // parameters from up the chain
  163. memset(&ChainPara, 0, sizeof(ChainPara));
  164. ChainPara.cbSize = sizeof(ChainPara);
  165. if (CertGetCertificateChain(
  166. NULL, // hChainEngine
  167. pSigner,
  168. NULL, // pTime
  169. hCollection,
  170. &ChainPara,
  171. CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL,
  172. NULL, // pvReserved
  173. &pChainContext
  174. ))
  175. CertFreeCertificateChain(pChainContext);
  178. // Try again. Hopefully the above chain building updated the
  179. // signer's context property with the missing public key
  180. // parameters
  181. if (CryptMsgControl(
  182. hCryptMsg,
  183. 0, // dwFlags
  184. CMSG_CTRL_VERIFY_SIGNATURE_EX,
  185. &CtrlPara)) goto SuccessReturn;
  186. }
  187. }
  188. CertFreeCertificateContext(pSigner);
  189. pSigner = NULL;
  190. }
  192. if (dwVerifyErr)
  193. goto VerifySignatureError;
  194. else
  195. goto NoSignerError;
  197. SuccessReturn:
  198. fResult = TRUE;
  199. CommonReturn:
  200. if (hCollection)
  201. CertCloseStore(hCollection, 0);
  202. ICM_Free(pSignerId);
  203. if (ppSigner)
  204. *ppSigner = pSigner;
  205. else if (pSigner)
  206. CertFreeCertificateContext(pSigner);
  207. return fResult;
  208. ErrorReturn:
  209. fResult = FALSE;
  210. goto CommonReturn;
  212. TRACE_ERROR(OpenCollectionStoreError)
  213. TRACE_ERROR(GetSignerError)
  214. SET_ERROR(NoSignerError, CRYPT_E_NO_TRUSTED_SIGNER)
  215. SET_ERROR_VAR(VerifySignatureError, dwVerifyErr)
  216. }
  218. #else
  220. BOOL ICM_GetAndVerifySigner(
  221. IN HCRYPTMSG hCryptMsg,
  222. IN DWORD dwSignerIndex,
  223. IN DWORD cSignerStore,
  224. IN OPTIONAL HCERTSTORE *rghSignerStore,
  225. IN DWORD dwFlags,
  226. OUT OPTIONAL PCCERT_CONTEXT *ppSigner
  227. )
  228. {
  229. BOOL fResult;
  230. PCERT_INFO pSignerId = NULL;
  231. PCCERT_CONTEXT pSigner = NULL;
  232. DWORD dwCertEncodingType;
  233. DWORD dwVerifyErr = 0;
  235. if (NULL == (pSignerId = (PCERT_INFO) ICM_AllocAndGetMsgParam(
  236. hCryptMsg,
  237. CMSG_SIGNER_CERT_INFO_PARAM,
  238. dwSignerIndex
  239. ))) goto GetSignerError;
  241. // If no CertEncodingType, then, use the MsgEncodingType
  242. dwCertEncodingType = ((PCRYPT_MSG_INFO) hCryptMsg)->dwEncodingType;
  243. if (0 == (dwCertEncodingType & CERT_ENCODING_TYPE_MASK))
  244. dwCertEncodingType =
  245. (dwCertEncodingType >> 16) & CERT_ENCODING_TYPE_MASK;
  247. if (0 == (dwFlags & CMSG_TRUSTED_SIGNER_FLAG)) {
  248. HCERTSTORE hMsgCertStore;
  250. // Open a cert store initialized with certs from the message
  251. if (hMsgCertStore = CertOpenStore(
  252. CERT_STORE_PROV_MSG,
  253. dwCertEncodingType,
  254. 0, // hCryptProv
  255. 0, // dwFlags
  256. hCryptMsg // pvPara
  257. )) {
  258. pSigner = CertGetSubjectCertificateFromStore(hMsgCertStore,
  259. dwCertEncodingType, pSignerId);
  260. CertCloseStore(hMsgCertStore, 0);
  261. }
  263. if (pSigner) {
  264. if (dwFlags & CMSG_SIGNER_ONLY_FLAG)
  265. goto SuccessReturn;
  266. if (CryptMsgControl(
  267. hCryptMsg,
  268. 0, // dwFlags
  269. CMSG_CTRL_VERIFY_SIGNATURE,
  270. pSigner->pCertInfo)) goto SuccessReturn;
  271. else
  272. dwVerifyErr = GetLastError();
  273. CertFreeCertificateContext(pSigner);
  274. pSigner = NULL;
  275. }
  276. }
  278. for ( ; cSignerStore > 0; cSignerStore--, rghSignerStore++) {
  279. HCERTSTORE hSignerStore = *rghSignerStore;
  280. if (NULL == hSignerStore)
  281. continue;
  282. if (pSigner = CertGetSubjectCertificateFromStore(hSignerStore,
  283. dwCertEncodingType, pSignerId)) {
  284. if (dwFlags & CMSG_SIGNER_ONLY_FLAG)
  285. goto SuccessReturn;
  286. if (CryptMsgControl(
  287. hCryptMsg,
  288. 0, // dwFlags
  289. CMSG_CTRL_VERIFY_SIGNATURE,
  290. pSigner->pCertInfo)) goto SuccessReturn;
  291. else
  292. dwVerifyErr = GetLastError();
  293. CertFreeCertificateContext(pSigner);
  294. pSigner = NULL;
  295. }
  296. }
  298. if (dwVerifyErr)
  299. goto VerifySignatureError;
  300. else
  301. goto NoSignerError;
  303. SuccessReturn:
  304. fResult = TRUE;
  305. CommonReturn:
  306. ICM_Free(pSignerId);
  307. if (ppSigner)
  308. *ppSigner = pSigner;
  309. else if (pSigner)
  310. CertFreeCertificateContext(pSigner);
  311. return fResult;
  312. ErrorReturn:
  313. fResult = FALSE;
  314. goto CommonReturn;
  316. TRACE_ERROR(GetSignerError)
  317. SET_ERROR(NoSignerError, CRYPT_E_NO_TRUSTED_SIGNER)
  318. SET_ERROR_VAR(VerifySignatureError, dwVerifyErr)
  319. }
  321. #endif // CMS_PKCS7
  323. //+-------------------------------------------------------------------------
  324. // Get and verify the signer of a cryptographic message.
  325. //
  326. // If CMSG_TRUSTED_SIGNER_FLAG is set, then, treat the Signer stores as being
  327. // trusted and only search them to find the certificate corresponding to the
  328. // signer's issuer and serial number. Otherwise, the SignerStores are
  329. // optionally provided to supplement the message's store of certificates.
  330. // If a signer certificate is found, its public key is used to verify
  331. // the message signature. The CMSG_SIGNER_ONLY_FLAG can be set to
  332. // return the signer without doing the signature verify.
  333. //
  334. // If CMSG_USE_SIGNER_INDEX_FLAG is set, then, only get the signer specified
  335. // by *pdwSignerIndex. Otherwise, iterate through all the signers
  336. // until a signer verifies or no more signers.
  337. //
  338. // For a verified signature, *ppSigner is updated with certificate context
  339. // of the signer and *pdwSignerIndex is updated with the index of the signer.
  340. // ppSigner and/or pdwSignerIndex can be NULL, indicating the caller isn't
  341. // interested in getting the CertContext and/or index of the signer.
  342. //--------------------------------------------------------------------------
  343. BOOL
  344. WINAPI
  345. CryptMsgGetAndVerifySigner(
  346. IN HCRYPTMSG hCryptMsg,
  347. IN DWORD cSignerStore,
  348. IN OPTIONAL HCERTSTORE *rghSignerStore,
  349. IN DWORD dwFlags,
  350. OUT OPTIONAL PCCERT_CONTEXT *ppSigner,
  351. IN OUT OPTIONAL DWORD *pdwSignerIndex
  352. )
  353. {
  354. BOOL fResult = FALSE;
  355. DWORD dwSignerCount;
  356. DWORD dwSignerIndex;
  358. if (dwFlags & CMSG_USE_SIGNER_INDEX_FLAG) {
  359. dwSignerCount = 1;
  360. dwSignerIndex = *pdwSignerIndex;
  361. } else {
  362. DWORD cbData;
  364. dwSignerIndex = 0;
  365. if (pdwSignerIndex)
  366. *pdwSignerIndex = 0;
  367. cbData = sizeof(dwSignerCount);
  368. if (!CryptMsgGetParam(
  369. hCryptMsg,
  370. CMSG_SIGNER_COUNT_PARAM,
  371. 0, // dwIndex
  372. &dwSignerCount,
  373. &cbData) || 0 == dwSignerCount)
  374. goto NoSignerError;
  375. }
  377. // Minimum of one iteration
  378. for ( ; dwSignerCount > 0; dwSignerCount--, dwSignerIndex++) {
  379. if (fResult = ICM_GetAndVerifySigner(
  380. hCryptMsg,
  381. dwSignerIndex,
  382. cSignerStore,
  383. rghSignerStore,
  384. dwFlags,
  385. ppSigner)) {
  386. if (pdwSignerIndex && 0 == (dwFlags & CMSG_USE_SIGNER_INDEX_FLAG))
  387. *pdwSignerIndex = dwSignerIndex;
  388. break;
  389. }
  390. }
  392. CommonReturn:
  393. return fResult;
  394. ErrorReturn:
  395. if (ppSigner)
  396. *ppSigner = NULL;
  397. fResult = FALSE;
  398. goto CommonReturn;
  400. SET_ERROR(NoSignerError, CRYPT_E_NO_TRUSTED_SIGNER)
  401. }
  403. //+-------------------------------------------------------------------------
  404. // Sign an encoded CTL.
  405. //--------------------------------------------------------------------------
  406. BOOL
  407. WINAPI
  408. CryptMsgSignCTL(
  409. IN DWORD dwMsgEncodingType,
  410. IN BYTE *pbCtlContent,
  411. IN DWORD cbCtlContent,
  412. IN PCMSG_SIGNED_ENCODE_INFO pSignInfo,
  413. IN DWORD dwFlags,
  414. OUT BYTE *pbEncoded,
  415. IN OUT DWORD *pcbEncoded
  416. )
  417. {
  418. BOOL fResult;
  419. HCRYPTMSG hMsg = NULL;
  421. DWORD dwMsgFlags;
  423. #ifdef CMS_PKCS7
  424. if (dwFlags & CMSG_CMS_ENCAPSULATED_CTL_FLAG)
  425. dwMsgFlags = CMSG_CMS_ENCAPSULATED_CONTENT_FLAG;
  426. else
  427. dwMsgFlags = 0;
  428. #else
  429. dwMsgFlags = 0;
  430. #endif // CMS_PKCS7
  432. if (NULL == pbEncoded) {
  433. if (0 == (*pcbEncoded = CryptMsgCalculateEncodedLength(
  434. dwMsgEncodingType,
  435. dwMsgFlags,
  436. CMSG_SIGNED,
  437. pSignInfo,
  438. szOID_CTL,
  439. cbCtlContent))) goto CalculateEncodedLengthError;
  440. fResult = TRUE;
  441. } else {
  442. if (NULL == (hMsg = CryptMsgOpenToEncode(
  443. dwMsgEncodingType,
  444. dwMsgFlags,
  445. CMSG_SIGNED,
  446. pSignInfo,
  447. szOID_CTL,
  448. NULL // pStreamInfo
  449. ))) goto OpenToEncodeError;
  450. if (!CryptMsgUpdate(
  451. hMsg,
  452. pbCtlContent,
  453. cbCtlContent,
  454. TRUE // fFinal
  455. )) goto UpdateError;
  457. fResult = CryptMsgGetParam(
  458. hMsg,
  459. CMSG_CONTENT_PARAM,
  460. 0, // dwIndex
  461. pbEncoded,
  462. pcbEncoded);
  463. }
  465. CommonReturn:
  466. if (hMsg)
  467. CryptMsgClose(hMsg);
  468. return fResult;
  469. ErrorReturn:
  470. *pcbEncoded = 0;
  471. fResult = FALSE;
  472. goto CommonReturn;
  474. TRACE_ERROR(CalculateEncodedLengthError)
  475. TRACE_ERROR(OpenToEncodeError)
  476. TRACE_ERROR(UpdateError)
  477. }
  480. //+-------------------------------------------------------------------------
  481. // Encode the CTL and create a signed message containing the encoded CTL.
  482. //--------------------------------------------------------------------------
  483. BOOL
  484. WINAPI
  485. CryptMsgEncodeAndSignCTL(
  486. IN DWORD dwMsgEncodingType,
  487. IN PCTL_INFO pCtlInfo,
  488. IN PCMSG_SIGNED_ENCODE_INFO pSignInfo,
  489. IN DWORD dwFlags,
  490. OUT BYTE *pbEncoded,
  491. IN OUT DWORD *pcbEncoded
  492. )
  493. {
  494. BOOL fResult;
  495. BYTE *pbContent = NULL;
  496. DWORD cbContent;
  497. DWORD dwEncodingType;
  498. LPCSTR lpszStructType;
  499. DWORD dwEncodeFlags;
  501. dwEncodingType = (dwMsgEncodingType >> 16) & CERT_ENCODING_TYPE_MASK;
  502. assert(dwEncodingType != 0);
  503. if (0 == dwEncodingType)
  504. goto InvalidArg;
  506. dwEncodeFlags = CRYPT_ENCODE_ALLOC_FLAG;
  507. if (dwFlags & CMSG_ENCODE_SORTED_CTL_FLAG) {
  508. lpszStructType = PKCS_SORTED_CTL;
  509. if (dwFlags & CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG)
  510. dwEncodeFlags |=
  511. CRYPT_SORTED_CTL_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG;
  512. } else {
  513. lpszStructType = PKCS_CTL;
  514. }
  517. if (!CryptEncodeObjectEx(
  518. dwEncodingType,
  519. lpszStructType,
  520. pCtlInfo,
  521. dwEncodeFlags,
  522. &PkiEncodePara,
  523. (void *) &pbContent,
  524. &cbContent
  525. )) goto EncodeError;
  527. fResult = CryptMsgSignCTL(
  528. dwMsgEncodingType,
  529. pbContent,
  530. cbContent,
  531. pSignInfo,
  532. dwFlags,
  533. pbEncoded,
  534. pcbEncoded
  535. );
  537. CommonReturn:
  538. PkiFree(pbContent);
  539. return fResult;
  541. ErrorReturn:
  542. *pcbEncoded = 0;
  543. fResult = FALSE;
  544. goto CommonReturn;
  546. SET_ERROR(InvalidArg, E_INVALIDARG)
  547. TRACE_ERROR(EncodeError)
  548. }