|
|
//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1996 - 2001
//
// File: cainfo.cpp
//
// Contents:
//
//---------------------------------------------------------------------------
#include "pch.cpp"
#pragma hdrstop
#include <certca.h>
#include <cainfop.h>
#include <polreg.h>
#include <cainfoc.h>
#include <certtype.h>
#include <winldap.h>
#define __dwFILE__ __dwFILE_CERTCLIB_CAINFO_CPP__
typedef struct _CA_DEFAULT_PROVIDER { DWORD dwFlags; LPWSTR wszName;} CA_DEFAULT_PROVIDER;
CA_DEFAULT_PROVIDER g_DefaultProviders[] = { {0, MS_DEF_PROV_W}, {0, MS_ENHANCED_PROV_W}, {0, MS_DEF_RSA_SIG_PROV_W}, {0, MS_DEF_RSA_SCHANNEL_PROV_W}, {0, MS_DEF_DSS_PROV_W}, {0, MS_DEF_DSS_DH_PROV_W}, {0, MS_ENH_DSS_DH_PROV_W}, {0, MS_DEF_DH_SCHANNEL_PROV_W}, {0, MS_SCARD_PROV_W}};
DWORD g_cDefaultProviders = sizeof(g_DefaultProviders)/sizeof(g_DefaultProviders[0]);
LPCWSTRCAGetDN( IN HCAINFO hCAInfo ){CSASSERT(hCAInfo);return ((CCAInfo*)hCAInfo)->GetDN();}
HRESULTCAFindByName( IN LPCWSTR wszCAName, IN LPCWSTR wszScope, IN DWORD fFlags, OUT HCAINFO * phCAInfo ){ HRESULT hr = S_OK; DWORD err; WCHAR *wszQueryBase = L"(cn="; WCHAR *wszQuery = NULL; DWORD cQuery; if((wszCAName == NULL) || (phCAInfo == NULL)) { return E_POINTER; } // Generate Query
cQuery = wcslen(wszQueryBase) + wcslen(wszCAName) + 2; // 2 for ending paren and null
wszQuery = (WCHAR *)LocalAlloc(LMEM_FIXED, sizeof(WCHAR)*cQuery); if(wszQuery == NULL) { hr = E_OUTOFMEMORY; goto error; } wcscpy(wszQuery, wszQueryBase); wcscat(wszQuery, wszCAName); wcscat(wszQuery, L")");
if(fFlags & CA_FLAG_SCOPE_DNS) { hr = CCAInfo::FindDnsDomain(wszQuery, wszScope, fFlags, (CCAInfo **)phCAInfo); } else { hr = CCAInfo::Find(wszQuery, wszScope, fFlags, (CCAInfo **)phCAInfo); } if((hr == S_OK) && (*phCAInfo == NULL)) { hr = HRESULT_FROM_WIN32(ERROR_NOT_FOUND); }
error: if(wszQuery) { LocalFree(wszQuery); }
return hr;}
HRESULTCAFindByCertType( IN LPCWSTR wszCertType, IN LPCWSTR wszScope, IN DWORD fFlags, OUT HCAINFO * phCAInfo ){ HRESULT hr = S_OK; DWORD err; WCHAR *wszQueryBase = L"(" CA_PROP_CERT_TYPES L"="; WCHAR *wszQuery = NULL; DWORD cQuery; if((wszCertType == NULL) || (phCAInfo == NULL)) { return E_POINTER; } // Generate Query
cQuery = wcslen(wszQueryBase) + wcslen(wszCertType) + 2; // 2 for ending paren and null
wszQuery = (WCHAR *)LocalAlloc(LMEM_FIXED, sizeof(WCHAR)*cQuery); if(wszQuery == NULL) { hr = E_OUTOFMEMORY; goto error; } wcscpy(wszQuery, wszQueryBase); wcscat(wszQuery, wszCertType); wcscat(wszQuery, L")");
if(fFlags & CA_FLAG_SCOPE_DNS) { hr = CCAInfo::FindDnsDomain(wszQuery, wszScope, fFlags, (CCAInfo **)phCAInfo); } else { hr = CCAInfo::Find(wszQuery, wszScope, fFlags, (CCAInfo **)phCAInfo); } if(*phCAInfo == NULL) { hr = HRESULT_FROM_WIN32(ERROR_NOT_FOUND); }
error: if(wszQuery) { LocalFree(wszQuery); }
return hr;}
HRESULTCAFindByIssuerDN( IN CERT_NAME_BLOB const * pIssuerDN, IN LPCWSTR wszScope, IN DWORD fFlags, OUT HCAINFO * phCAInfo ){ HRESULT hr = S_OK; DWORD err; WCHAR *wszQueryBase = wszLPAREN L"cACertificateDN="; WCHAR *wszQuery = NULL; WCHAR *wszNameStr = NULL;
DWORD cQuery; if((pIssuerDN == NULL) || (phCAInfo == NULL)) { return E_POINTER; }
// Generate Query
// Convert the CAPI2 name to a string
hr = myCertNameToStr( X509_ASN_ENCODING, pIssuerDN, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG | CERT_NAME_STR_NO_QUOTING_FLAG, &wszNameStr); _JumpIfError(hr, error, "myCertNameToStr");
// Now quote that string with double quotes
// two for ending paren and null, two for the double quotes
cQuery = wcslen(wszQueryBase) + wcslen(wszNameStr) + 4; wszQuery = (WCHAR *)LocalAlloc(LMEM_FIXED, sizeof(WCHAR)*cQuery); if(wszQuery == NULL) { hr = E_OUTOFMEMORY; goto error; } wcscpy(wszQuery, wszQueryBase); wcscat(wszQuery, L"\""); wcscat(wszQuery, wszNameStr); wcscat(wszQuery, L"\"" wszRPAREN); CSASSERT(cQuery - 1 == wcslen(wszQuery));
if(fFlags & CA_FLAG_SCOPE_DNS) { hr = CCAInfo::FindDnsDomain(wszQuery, wszScope, fFlags, (CCAInfo **)phCAInfo); } else { hr = CCAInfo::Find(wszQuery, wszScope, fFlags, (CCAInfo **)phCAInfo); }
error: if(wszNameStr) { LocalFree(wszNameStr); } if(wszQuery) { LocalFree(wszQuery); } return hr;}
HRESULTCAEnumFirstCA( IN LPCWSTR wszScope, IN DWORD fFlags, OUT HCAINFO * phCAInfo ){ HRESULT hr = S_OK;
if(fFlags & CA_FLAG_SCOPE_DNS) { hr = CCAInfo::FindDnsDomain(NULL, wszScope, fFlags, (CCAInfo **)phCAInfo); } else { hr = CCAInfo::Find(NULL, wszScope, fFlags, (CCAInfo **)phCAInfo); } if (S_OK != hr) { if (HRESULT_FROM_WIN32(ERROR_NETWORK_UNREACHABLE) != hr && HRESULT_FROM_WIN32(ERROR_WRONG_PASSWORD) != hr) { _PrintError3( hr, "FindDnsDomain/Find", HRESULT_FROM_WIN32(ERROR_SERVER_DISABLED), HRESULT_FROM_WIN32(ERROR_NO_SUCH_DOMAIN)); } goto error; }
error: return(hr);}
HRESULTCAEnumNextCA( IN HCAINFO hPrevCA, OUT HCAINFO * phCAInfo ){ CCAInfo *pInfo; if(hPrevCA == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hPrevCA;
return pInfo->Next((CCAInfo **)phCAInfo);}
HRESULT CACreateNewCA( IN LPCWSTR wszCAName, IN LPCWSTR wszScope, IN DWORD fFlags, OUT HCAINFO * phCAInfo ){ HRESULT hr = S_OK; DWORD err;
if((wszCAName == NULL) || (phCAInfo == NULL)) { return E_POINTER; } // Generate Query
if(CA_FLAG_SCOPE_DNS & fFlags) { hr = CCAInfo::CreateDnsDomain(wszCAName, wszScope, (CCAInfo **)phCAInfo); } else { hr = CCAInfo::Create(wszCAName, wszScope, (CCAInfo **)phCAInfo); }
return hr;}
HRESULT CAUpdateCA( IN HCAINFO hCAInfo ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->Update();}
HRESULT CADeleteCA( IN HCAINFO hCAInfo ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->Delete();}
DWORD CACountCAs(IN HCAINFO hCAInfo){ CCAInfo *pInfo; if(hCAInfo == NULL) { return 0; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->Count();}
HRESULTCACloseCA(IN HCAINFO hCAInfo){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->Release();}
HRESULTCAGetCAProperty( IN HCAINFO hCAInfo, IN LPCWSTR wszPropertyName, OUT LPWSTR ** pawszPropertyValue){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->GetProperty(wszPropertyName, pawszPropertyValue);}
HRESULTCAFreeCAProperty( IN HCAINFO hCAInfo, IN LPWSTR * awszPropertyValue ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->FreeProperty(awszPropertyValue);}
HRESULTCASetCAProperty( IN HCAINFO hCAInfo, IN LPCWSTR wszPropertyName, IN LPWSTR * awszPropertyValue){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->SetProperty(wszPropertyName, awszPropertyValue);}
HRESULT CAGetCAFlags( IN HCAINFO hCAInfo, OUT DWORD * pdwFlags ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; }
if(pdwFlags == NULL) { return E_POINTER; }
pInfo = (CCAInfo *)hCAInfo;
*pdwFlags = pInfo->GetFlags(); return S_OK;}
HRESULT CASetCAFlags( IN HCAINFO hCAInfo, IN DWORD dwFlags ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
pInfo->SetFlags(dwFlags); return S_OK;}
HRESULTCAGetCACertificate( IN HCAINFO hCAInfo, OUT PCCERT_CONTEXT *ppCert){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->GetCertificate(ppCert);
}
HRESULTCASetCACertificate( IN HCAINFO hCAInfo, IN PCCERT_CONTEXT pCert){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->SetCertificate(pCert);}
HRESULT CAGetCAExpiration( HCAINFO hCAInfo, DWORD * pdwExpiration, DWORD * pdwUnits ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->GetExpiration(pdwExpiration, pdwUnits);
}
HRESULT CASetCAExpiration( HCAINFO hCAInfo, DWORD dwExpiration, DWORD dwUnits ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->SetExpiration(dwExpiration, dwUnits);}
HRESULT CASetCASecurity( IN HCAINFO hCAInfo, IN PSECURITY_DESCRIPTOR pSD ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->SetSecurity( pSD );}
HRESULT CAGetCASecurity( IN HCAINFO hCAInfo, OUT PSECURITY_DESCRIPTOR * ppSD ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->GetSecurity( ppSD ) ;}
CERTCLIAPIHRESULTWINAPICAAccessCheck( IN HCAINFO hCAInfo, IN HANDLE ClientToken )
{ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->AccessCheck(ClientToken,CERTTYPE_ACCESS_CHECK_ENROLL);}
CERTCLIAPIHRESULTWINAPICAAccessCheckEx( IN HCAINFO hCAInfo, IN HANDLE ClientToken, IN DWORD dwOption )
{ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->AccessCheck(ClientToken,dwOption);}
HRESULTCAEnumCertTypesForCAEx( IN HCAINFO hCAInfo, IN LPCWSTR wszScope, IN DWORD dwFlags, OUT HCERTTYPE * phCertType ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo; if(dwFlags & CA_FLAG_ENUM_ALL_TYPES) { return CCertTypeInfo::Enum(wszScope, dwFlags, (CCertTypeInfo **)phCertType); }
return pInfo->EnumSupportedCertTypesEx(wszScope, dwFlags, (CCertTypeInfo **)phCertType);
}
HRESULTCAEnumCertTypesForCA( IN HCAINFO hCAInfo, IN DWORD dwFlags, OUT HCERTTYPE * phCertType ){ return CAEnumCertTypesForCAEx(hCAInfo, NULL, dwFlags, phCertType);}
HRESULT CAAddCACertificateType( HCAINFO hCAInfo, HCERTTYPE hCertType ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->AddCertType((CCertTypeInfo *)hCertType);}
HRESULT CARemoveCACertificateType( HCAINFO hCAInfo, HCERTTYPE hCertType ){ CCAInfo *pInfo; if(hCAInfo == NULL) { return E_POINTER; } pInfo = (CCAInfo *)hCAInfo;
return pInfo->RemoveCertType((CCertTypeInfo *)hCertType);}
//
// Certificate Type API's
//
HRESULTCAEnumCertTypes( IN DWORD dwFlags, OUT HCERTTYPE * phCertType ){ HRESULT hr;
hr = CCertTypeInfo::Enum(NULL, dwFlags, (CCertTypeInfo **)phCertType); return hr;
}
HRESULTCAEnumCertTypesEx( IN LPCWSTR wszScope, IN DWORD dwFlags, OUT HCERTTYPE * phCertType ){ HRESULT hr;
hr = CCertTypeInfo::Enum(wszScope, dwFlags, (CCertTypeInfo **)phCertType); return hr;
}
HRESULT CAFindCertTypeByName( IN LPCWSTR wszCertType, IN HCAINFO hCAInfo, IN DWORD dwFlags, OUT HCERTTYPE * phCertType ){ HRESULT hr = S_OK; LPCWSTR awszTypes[2]; if((wszCertType == NULL) || (phCertType == NULL)) { return E_POINTER; }
awszTypes[0] = wszCertType; awszTypes[1] = NULL;
hr = CCertTypeInfo::FindByNames(awszTypes, ((CT_FLAG_SCOPE_IS_LDAP_HANDLE & dwFlags)?(LPWSTR)hCAInfo:NULL), dwFlags, (CCertTypeInfo **)phCertType); if((hr == S_OK) && (*phCertType == NULL)) { hr = HRESULT_FROM_WIN32(ERROR_NOT_FOUND); }
return hr;}
HRESULT CACreateCertType( IN LPCWSTR wszCertType, IN LPCWSTR wszScope, IN DWORD fFlags, OUT HCERTTYPE * phCertType ){ HRESULT hr = S_OK; DWORD err;
if((wszCertType == NULL) || (phCertType == NULL)) { return E_POINTER; }
hr = CCertTypeInfo::Create(wszCertType, wszScope, (CCertTypeInfo **)phCertType);
return hr;}HRESULT CAUpdateCertType( IN HCERTTYPE hCertType ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->Update();}
HRESULT CADeleteCertType( IN HCERTTYPE hCertType ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->Delete();}
//--------------------------------------------------------------------
//
// CertTypeRetrieveClientToken
//
//--------------------------------------------------------------------
BOOL CertTypeRetrieveClientToken(HANDLE *phToken){ HRESULT hr = S_OK;
HANDLE hHandle = NULL; HANDLE hClientToken = NULL;
hHandle = GetCurrentThread(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else {
if (!OpenThreadToken(hHandle, TOKEN_QUERY, TRUE, // open as self
&hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } }
if(hr != S_OK) { hHandle = GetCurrentProcess(); if (NULL == hHandle) { hr = HRESULT_FROM_WIN32(GetLastError()); } else { HANDLE hProcessToken = NULL; hr = S_OK;
if (!OpenProcessToken(hHandle, TOKEN_DUPLICATE, &hProcessToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } else { if(!DuplicateToken(hProcessToken, SecurityImpersonation, &hClientToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); CloseHandle(hHandle); hHandle = NULL; } CloseHandle(hProcessToken); } } }
if(S_OK == hr) *phToken = hClientToken;
if(hHandle) CloseHandle(hHandle);
return (S_OK == hr);}
HRESULTCACloneCertType( IN HCERTTYPE hCertType, IN LPCWSTR wszCertType, IN LPCWSTR wszFriendlyName, IN LPVOID pvldap, IN DWORD dwFlags, OUT HCERTTYPE * phCertType ){ HRESULT hr=E_INVALIDARG; DWORD dwFindCT=CT_FLAG_NO_CACHE_LOOKUP | CT_ENUM_MACHINE_TYPES | CT_ENUM_USER_TYPES; LPWSTR awszProp[2]; DWORD dwEnrollmentFlag=0; DWORD dwSubjectNameFlag=0; DWORD dwGeneralFlag=0; DWORD dwSubjectRequirement=CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH | CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME | CT_FLAG_SUBJECT_REQUIRE_EMAIL | CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN; DWORD dwTokenUserSize=0; DWORD dwAbsSDSize=0; DWORD dwDaclSize=0; DWORD dwSaclSize=0; DWORD dwOwnerSize=0; DWORD dwPriGrpSize=0; DWORD dwRelSDSize=0;
HANDLE hToken=NULL; TOKEN_USER *pTokenUser=NULL; PSECURITY_DESCRIPTOR pSID=NULL; PSECURITY_DESCRIPTOR pAbsSD=NULL; ACL * pAbsDacl=NULL; ACL * pAbsSacl=NULL; SID * pAbsOwner=NULL; SID * pAbsPriGrp=NULL; PSECURITY_DESCRIPTOR pNewSD=NULL; LPWSTR * awszCN=NULL; HCERTTYPE hNewCertType=NULL;
if((NULL==hCertType) || (NULL==wszCertType) || (NULL==phCertType)) goto error;
*phCertType=NULL;
if(pvldap) dwFindCT |= CT_FLAG_SCOPE_IS_LDAP_HANDLE;
//make sure the new name does not exit
if(S_OK == CAFindCertTypeByName( wszCertType, (HCAINFO)pvldap, dwFindCT, &hNewCertType)) { hr=CRYPT_E_EXISTS; goto error; }
//get a new cert type handle
if(S_OK != (hr = CAGetCertTypePropertyEx(hCertType, CERTTYPE_PROP_CN, &awszCN))) goto error;
if((NULL==awszCN) || (NULL==awszCN[0])) { hr=HRESULT_FROM_WIN32(ERROR_NOT_FOUND); goto error; }
if(S_OK != (hr = CAFindCertTypeByName( (LPCWSTR)awszCN[0], (HCAINFO)pvldap, dwFindCT, &hNewCertType))) goto error;
if(NULL==hNewCertType) { hr=HRESULT_FROM_WIN32(ERROR_NOT_FOUND); goto error; }
//clone by setting the CN
awszProp[0]=(LPWSTR)wszCertType; awszProp[1]=NULL;
if(S_OK != (hr=CASetCertTypePropertyEx( hNewCertType, CERTTYPE_PROP_CN, awszProp))) goto error;
//set the friendly name
if(wszFriendlyName) { awszProp[0]=(LPWSTR)wszFriendlyName; awszProp[1]=NULL;
if(S_OK != (hr=CASetCertTypePropertyEx( hNewCertType, CERTTYPE_PROP_FRIENDLY_NAME, awszProp))) goto error; }
//turn off autoenrollment bit
if(0 == (CT_CLONE_KEEP_AUTOENROLLMENT_SETTING & dwFlags)) { if(S_OK != (hr=CAGetCertTypeFlagsEx( hNewCertType, CERTTYPE_ENROLLMENT_FLAG, &dwEnrollmentFlag))) goto error;
dwEnrollmentFlag &= (~CT_FLAG_AUTO_ENROLLMENT);
if(S_OK != (hr=CASetCertTypeFlagsEx( hNewCertType, CERTTYPE_ENROLLMENT_FLAG, dwEnrollmentFlag))) goto error; }
//turn off the subject name requirement for machien template
if(0 == (CT_CLONE_KEEP_SUBJECT_NAME_SETTING & dwFlags)) { if(S_OK != (hr=CAGetCertTypeFlagsEx( hNewCertType, CERTTYPE_GENERAL_FLAG, &dwGeneralFlag))) goto error;
if(CT_FLAG_MACHINE_TYPE & dwGeneralFlag) { if(S_OK != (hr=CAGetCertTypeFlagsEx( hNewCertType, CERTTYPE_SUBJECT_NAME_FLAG, &dwSubjectNameFlag))) goto error;
dwSubjectNameFlag &= (~dwSubjectRequirement);
if(S_OK != (hr=CASetCertTypeFlagsEx( hNewCertType, CERTTYPE_SUBJECT_NAME_FLAG, dwSubjectNameFlag))) goto error;
} }
//get the client token
if(!CertTypeRetrieveClientToken(&hToken)) { hr = HRESULT_FROM_WIN32(GetLastError()); goto error; }
//get the client sid
dwTokenUserSize=0;
if(!GetTokenInformation( hToken, // handle to access token
TokenUser, // token type
NULL, // buffer
0, // size of buffer
&dwTokenUserSize)) // required buffer size
{ if (ERROR_INSUFFICIENT_BUFFER!=GetLastError()) { hr=HRESULT_FROM_WIN32(GetLastError()); goto error; } }
if(NULL==(pTokenUser=(TOKEN_USER *)LocalAlloc(LPTR, dwTokenUserSize))) { hr=E_OUTOFMEMORY; goto error; }
if(!GetTokenInformation( hToken, // handle to access token
TokenUser, // token type
pTokenUser, // buffer
dwTokenUserSize, // size of buffer
&dwTokenUserSize)) // required buffer size
{ hr = HRESULT_FROM_WIN32(GetLastError()); goto error; }
//update the ACLs of the template to have the caller as the owner
//of the ACL
if(S_OK != (hr=CACertTypeGetSecurity( hNewCertType, &pSID))) goto error;
if(!MakeAbsoluteSD(pSID, NULL, &dwAbsSDSize, NULL, &dwDaclSize, NULL, &dwSaclSize, NULL, &dwOwnerSize, NULL, &dwPriGrpSize)) { if (ERROR_INSUFFICIENT_BUFFER!=GetLastError()) { hr=HRESULT_FROM_WIN32(GetLastError()); goto error; } }
// allocate memory
if(NULL==(pAbsSD=(PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwAbsSDSize))) { hr=E_OUTOFMEMORY; goto error; }
if(NULL==(pAbsDacl=(ACL * )LocalAlloc(LPTR, dwDaclSize))) { hr=E_OUTOFMEMORY; goto error; }
if(NULL==(pAbsSacl=(ACL * )LocalAlloc(LPTR, dwSaclSize))) { hr=E_OUTOFMEMORY; goto error; }
if(NULL==(pAbsOwner=(SID *)LocalAlloc(LPTR, dwOwnerSize))) { hr=E_OUTOFMEMORY; goto error; }
if(NULL==(pAbsPriGrp=(SID *)LocalAlloc(LPTR, dwPriGrpSize))) { hr=E_OUTOFMEMORY; goto error; }
// copy the SD to the memory buffers
if(!MakeAbsoluteSD(pSID, pAbsSD, &dwAbsSDSize, pAbsDacl, &dwDaclSize, pAbsSacl, &dwSaclSize, pAbsOwner, &dwOwnerSize, pAbsPriGrp, &dwPriGrpSize)) { hr=HRESULT_FROM_WIN32(GetLastError()); goto error; }
if(!SetSecurityDescriptorOwner( pAbsSD, // SD
(pTokenUser->User).Sid, // SID for owner
FALSE)) // flag for default
{ hr=HRESULT_FROM_WIN32(GetLastError()); goto error; }
//convert the absolute SD to its relative form
if(!MakeSelfRelativeSD(pAbsSD, NULL, &dwRelSDSize)) { if (ERROR_INSUFFICIENT_BUFFER!=GetLastError()) { hr=HRESULT_FROM_WIN32(GetLastError()); goto error; } }
// allocate memory
if(NULL==(pNewSD=(PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwRelSDSize))) { hr=E_OUTOFMEMORY; goto error; }
// copy the SD to the new memory buffer
if (!MakeSelfRelativeSD(pAbsSD, pNewSD, &dwRelSDSize)) { hr=HRESULT_FROM_WIN32(GetLastError()); goto error; }
//set the relative SID
if(S_OK != (hr=CACertTypeSetSecurity( hNewCertType, pNewSD))) goto error;
//update the template
/* if(S_OK != (hr = CAUpdateCertType(hNewCertType)))
goto error;
//update the local machine cache. No need to check the return value
//because the certificate template has been successfully cloned on the directory
CAEnumCertTypesEx((LPCWSTR)pvldap, dwFindCT | CT_FIND_LOCAL_SYSTEM, &hMachineCertType); */
*phCertType=hNewCertType;
hNewCertType=NULL;
hr=S_OK;
error:
if(hToken) CloseHandle(hToken);
if(pTokenUser) LocalFree(pTokenUser);
if(pSID) LocalFree(pSID);
if (NULL!=pAbsSD) LocalFree(pAbsSD); if (NULL!=pAbsDacl) LocalFree(pAbsDacl); if (NULL!=pAbsSacl) LocalFree(pAbsSacl); if (NULL!=pAbsOwner) LocalFree(pAbsOwner); if (NULL!=pAbsPriGrp) LocalFree(pAbsPriGrp); if (NULL!=pNewSD) LocalFree(pNewSD);
if(awszCN) CAFreeCertTypeProperty(hCertType, awszCN);
if(hNewCertType) CACloseCertType(hNewCertType);
return hr;}
HRESULTCAEnumNextCertType( IN HCERTTYPE hPrevCertType, OUT HCERTTYPE * phCertTypeInfo ){ CCertTypeInfo *pInfo; if(hPrevCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hPrevCertType;
return pInfo->Next((CCertTypeInfo **)phCertTypeInfo);}
DWORD CACountCertTypes(IN HCERTTYPE hCertType){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return 0; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->Count();}
HRESULTCACloseCertType(IN HCERTTYPE hCertTypeInfo){ CCertTypeInfo *pInfo; if(hCertTypeInfo == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertTypeInfo;
return pInfo->Release();}
HRESULTCAGetCertTypeProperty( IN HCERTTYPE hCertType, IN LPCWSTR wszPropertyName, OUT LPWSTR ** pawszPropertyValue){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->GetProperty(wszPropertyName, pawszPropertyValue);}
HRESULTCAGetCertTypePropertyEx( IN HCERTTYPE hCertType, IN LPCWSTR wszPropertyName, OUT LPVOID pPropertyValue){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->GetPropertyEx(wszPropertyName, pPropertyValue);}
HRESULT CASetCertTypeProperty( IN HCERTTYPE hCertType, IN LPCWSTR wszPropertyName, IN LPWSTR * awszPropertyValue){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->SetProperty(wszPropertyName, awszPropertyValue) ;}
HRESULT CASetCertTypePropertyEx( IN HCERTTYPE hCertType, IN LPCWSTR wszPropertyName, IN LPVOID pPropertyValue){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->SetPropertyEx(wszPropertyName, pPropertyValue) ;}
HRESULTCAFreeCertTypeProperty( IN HCERTTYPE hCertType, LPWSTR * awszPropertyValue ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->FreeProperty(awszPropertyValue) ;}
HRESULTCAGetCertTypeExtensions( IN HCERTTYPE hCertType, OUT PCERT_EXTENSIONS * ppCertExtensions ){ return CAGetCertTypeExtensionsEx(hCertType, 0, NULL, ppCertExtensions);}
HRESULTCAGetCertTypeExtensionsEx( IN HCERTTYPE hCertType, IN DWORD dwFlags, IN LPVOID pParam, OUT PCERT_EXTENSIONS * ppCertExtensions ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->GetExtensions(dwFlags, pParam, ppCertExtensions) ;}
HRESULTCAFreeCertTypeExtensions( IN HCERTTYPE hCertType, IN PCERT_EXTENSIONS pCertExtensions ){
//should alreays free via LocalFree since CryptUIWizCertRequest freed
//it via LocalFree
CCertTypeInfo *pInfo; if(pCertExtensions) { LocalFree(pCertExtensions); } return S_OK;
#if 0
if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->FreeExtensions(pCertExtensions) ;#endif
}
HRESULT CASetCertTypeExtension( IN HCERTTYPE hCertType, IN LPCWSTR wszExtensionName, IN DWORD dwFlags, IN LPVOID pExtension ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->SetExtension(wszExtensionName, pExtension, dwFlags);}
HRESULT CAGetCertTypeFlags( IN HCERTTYPE hCertType, OUT DWORD * pdwFlags ){ return CAGetCertTypeFlagsEx(hCertType, CERTTYPE_GENERAL_FLAG, pdwFlags);}
HRESULTCAGetCertTypeFlagsEx( IN HCERTTYPE hCertType, IN DWORD dwOption, OUT DWORD * pdwFlags ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; }
if(pdwFlags == NULL) { return E_POINTER; }
pInfo = (CCertTypeInfo *)hCertType;
*pdwFlags = pInfo->GetFlags(dwOption); return S_OK;}
HRESULT CASetCertTypeFlags( IN HCERTTYPE hCertType, IN DWORD dwFlags ){ return CASetCertTypeFlagsEx(hCertType, CERTTYPE_GENERAL_FLAG, dwFlags);}
HRESULTCASetCertTypeFlagsEx( IN HCERTTYPE hCertType, IN DWORD dwOption, IN DWORD dwFlags ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->SetFlags(dwOption, dwFlags);}
HRESULT CAGetCertTypeKeySpec( IN HCERTTYPE hCertType, OUT DWORD * pdwKeySpec ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; }
if(pdwKeySpec == NULL) { return E_POINTER; }
pInfo = (CCertTypeInfo *)hCertType;
*pdwKeySpec = pInfo->GetKeySpec(); return S_OK;}
HRESULT CASetCertTypeKeySpec( IN HCERTTYPE hCertType, IN DWORD dwKeySpec ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
pInfo->SetKeySpec(dwKeySpec); return S_OK;}
HRESULTCAGetCertTypeExpiration( IN HCERTTYPE hCertType, OUT OPTIONAL FILETIME * pftExpiration, OUT OPTIONAL FILETIME * pftOverlap ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->GetExpiration(pftExpiration, pftOverlap);
}
HRESULTCASetCertTypeExpiration( IN HCERTTYPE hCertType, IN OPTIONAL FILETIME * pftExpiration, IN OPTIONAL FILETIME * pftOverlap ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->SetExpiration(pftExpiration, pftOverlap);
}
HRESULT CACertTypeSetSecurity( IN HCERTTYPE hCertType, IN PSECURITY_DESCRIPTOR pSD ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->SetSecurity( pSD );}
HRESULT CACertTypeGetSecurity( IN HCERTTYPE hCertType, OUT PSECURITY_DESCRIPTOR * ppSD ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->GetSecurity( ppSD ) ;}
HRESULT CACertTypeAccessCheck( IN HCERTTYPE hCertType, IN HANDLE ClientToken )
{
return CACertTypeAccessCheckEx(hCertType, ClientToken, CERTTYPE_ACCESS_CHECK_ENROLL);}
CERTCLIAPIHRESULTWINAPICACertTypeAccessCheckEx( IN HCERTTYPE hCertType, IN HANDLE ClientToken, IN DWORD dwOption ){ CCertTypeInfo *pInfo; if(hCertType == NULL) { return E_POINTER; } pInfo = (CCertTypeInfo *)hCertType;
return pInfo->AccessCheck(ClientToken, dwOption);}
CERTCLIAPIHRESULTWINAPICAInstallDefaultCertType( IN DWORD dwFlags ){ return CCertTypeInfo::InstallDefaultTypes();}
CERTCLIAPIBOOLWINAPICAIsCertTypeCurrent( IN DWORD dwFlags, IN LPWSTR wszCertType ){ BOOL fCurrent=FALSE; HRESULT hr=E_FAIL; DWORD dwIndex=0; DWORD dwVersion=0;
HCERTTYPE hCertType=NULL;
if(NULL==wszCertType) goto error;
hr=CAFindCertTypeByName( wszCertType, NULL, CT_ENUM_USER_TYPES | CT_FLAG_NO_CACHE_LOOKUP | CT_ENUM_MACHINE_TYPES, &hCertType);
if((S_OK != hr) || (NULL==hCertType)) goto error;
//we assume this is a V2 certificate template
hr=CAGetCertTypePropertyEx( hCertType, CERTTYPE_PROP_REVISION, &dwVersion);
if(S_OK != hr) goto error;
for(dwIndex=0; dwIndex < g_cDefaultCertTypes; dwIndex++) { if (0==lstrcmpi(wszCertType, g_aDefaultCertTypes[dwIndex].wszName)) { if (dwVersion >= g_aDefaultCertTypes[dwIndex].dwRevision) fCurrent=TRUE;
break; } }
//the template is not default
if(dwIndex == g_cDefaultCertTypes) fCurrent=TRUE;
error:
if(hCertType) CACloseCertType(hCertType);
return fCurrent;}
HANDLEmyEnterCriticalPolicySection( IN BOOL bMachine){ HANDLE hPolicy = NULL; HRESULT hr = S_OK; // ?CriticalPolicySection calls are delay loaded. Protect with try/except
__try { hPolicy = EnterCriticalPolicySection(bMachine); // Delayload wrapped
} __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER) { }
// (S_OK == hr) does not mean EnterCriticalPolicySection succeeded.
// It just means no exception was raised.
if (myIsDelayLoadHResult(hr)) { hPolicy = (HANDLE) (ULONG_PTR) (bMachine? 37 : 49); hr = S_OK; } return(hPolicy);}
BOOLmyLeaveCriticalPolicySection( IN HANDLE hSection){ HRESULT hr = S_OK; BOOL fOk = FALSE; // ?CriticalPolicySection calls are delay loaded. Protect with try/except
__try { fOk = LeaveCriticalPolicySection(hSection); // Delayload wrapped
} __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER) { }
// (S_OK == hr) does not mean LeaveCriticalPolicySection succeeded.
// It just means no exception was raised.
if (myIsDelayLoadHResult(hr)) { fOk = (HANDLE) (ULONG_PTR) 37 == hSection || (HANDLE) (ULONG_PTR) 49 == hSection; hr = S_OK; } return(fOk);}
|
