|
|
//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1996 - 1999
//
// File: cainfoc.cpp
//
// Contents: CCAInfo implemenation
//
// History: 16-Dec-97 petesk created
//
//---------------------------------------------------------------------------
#include "pch.cpp"
#pragma hdrstop
#include "cainfoc.h"
#include "certtype.h"
#include "csldap.h"
#include <lm.h>
#include <certca.h>
#include <polreg.h>
#include <dsgetdc.h>
#include <winldap.h>
#include <cainfop.h>
#include <ntldap.h>
#define __dwFILE__ __dwFILE_CERTCLIB_CAINFOC_CPP__
#define wcLBRACE L'{'
#define wcRBRACE L'}'
LPCWSTR g_wszEnrollmentServiceLocation = L"CN=Enrollment Services,CN=Public Key Services,CN=Services,";
#define LDAP_SECURITY_DESCRIPTOR_NAME L"NTSecurityDescriptor"
#define LDAP_CERTIFICATE_TEMPLATES_NAME L"certificateTemplates"
WCHAR *g_awszCAAttrs[] = { CA_PROP_NAME, CA_PROP_DISPLAY_NAME, CA_PROP_FLAGS, CA_PROP_DNSNAME, CA_PROP_DSLOCATION, CA_PROP_CERT_DN, CA_PROP_CERT_TYPES, CA_PROP_SIGNATURE_ALGS, CA_PROP_DESCRIPTION, L"cACertificate", L"objectClass", LDAP_SECURITY_DESCRIPTOR_NAME, NULL};
WCHAR *g_awszCANamedProps[] = { CA_PROP_NAME, CA_PROP_DISPLAY_NAME, CA_PROP_DNSNAME, CA_PROP_DSLOCATION, CA_PROP_CERT_DN, CA_PROP_CERT_TYPES, CA_PROP_SIGNATURE_ALGS, CA_PROP_DESCRIPTION, NULL};
LPWSTR g_awszSignatureAlgs[] = { TEXT(szOID_RSA_MD2RSA), TEXT(szOID_RSA_MD4RSA), TEXT(szOID_RSA_MD5RSA), TEXT(szOID_RSA_SHA1RSA), NULL };
//+--------------------------------------------------------------------------
// CCAInfo::~CCAInfo -- destructor
//
// free memory associated with this instance
//+--------------------------------------------------------------------------
CCAInfo::~CCAInfo(){ _Cleanup();}
//+--------------------------------------------------------------------------
// CCAInfo::_Cleanup -- free memory
//
// free memory associated with this instance
//+--------------------------------------------------------------------------
HRESULTCCAInfo::_Cleanup(){
// Cleanup will only be called if there is no previous element
// to reference this element, and the caller is also releaseing.
// If there is a further element, release it.
if (NULL != m_pNext) { m_pNext->Release(); m_pNext = NULL; }
CCAProperty::DeleteChain(&m_pProperties);
if (NULL != m_pCertificate) { CertFreeCertificateContext(m_pCertificate); m_pCertificate = NULL; }
if (NULL != m_bstrDN) { CertFreeString(m_bstrDN); m_bstrDN = NULL; }
if (NULL != m_pSD) { LocalFree(m_pSD); m_pSD = NULL; } return(S_OK);}
//+--------------------------------------------------------------------------
// CCAInfo::_Cleanup -- add reference
//
//
//+--------------------------------------------------------------------------
DWORDCCAInfo::AddRef(){
return(InterlockedIncrement(&m_cRef));}
//+--------------------------------------------------------------------------
// CCAInfo::Release -- release reference
//
//
//+--------------------------------------------------------------------------
DWORD CCAInfo::Release(){ DWORD cRef;
if (0 == (cRef = InterlockedDecrement(&m_cRef))) { delete this; } return(cRef);}
//+--------------------------------------------------------------------------
// CCAInfo::Find -- Find CA Objects in the DS
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::Find( LPCWSTR wszQuery, LPCWSTR wszScope, DWORD dwFlags, CCAInfo **ppCAInfo)
{ HRESULT hr = S_OK; ULONG ldaperr; LDAP * pld = NULL; // Initialize LDAP session
WCHAR * wszSearch = L"(objectCategory=pKIEnrollmentService)"; DWORD cSearchParam;
CERTSTR bstrSearchParam = NULL; CERTSTR bstrScope = NULL; CERTSTR bstrConfig = NULL; CERTSTR bstrDomain = NULL;
if (NULL == ppCAInfo) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
// short circuit calls to a nonexistant DS
hr = myDoesDSExist(TRUE); _JumpIfError4( hr, error, "myDoesDSExist", HRESULT_FROM_WIN32(ERROR_SERVER_DISABLED), HRESULT_FROM_WIN32(ERROR_NO_SUCH_DOMAIN), HRESULT_FROM_WIN32(ERROR_NETWORK_UNREACHABLE));
__try {
if(CA_FLAG_SCOPE_IS_LDAP_HANDLE & dwFlags) { pld = (LDAP *)wszScope; } else { // bind to ds
hr = myRobustLdapBind(&pld, FALSE);
if(hr != S_OK) { _LeaveError2( hr, "myRobustLdapBind", HRESULT_FROM_WIN32(ERROR_WRONG_PASSWORD)); } if(wszScope) { bstrScope = CertAllocString((LPWSTR)wszScope); if(bstrScope == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "CertAllocString"); } } }
if(bstrScope == NULL) { // If scope is not specified, set it to the
// current domain scope.
hr = CAGetAuthoritativeDomainDn(pld, &bstrDomain, &bstrConfig); if(S_OK != hr) { _LeaveError(hr, "CAGetAuthoritativeDomainDn"); } bstrScope = CertAllocStringLen( NULL, wcslen(bstrConfig) + wcslen(g_wszEnrollmentServiceLocation)); if(bstrScope == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "CertAllocStringLen"); } wcscpy(bstrScope, g_wszEnrollmentServiceLocation); wcscat(bstrScope, bstrConfig); }
if (NULL != wszQuery) { // If a query is specified, then combine it with the
// objectCategory=pKIEnrollmentService query
cSearchParam = 2 + wcslen(wszSearch) + wcslen(wszQuery) + 2; bstrSearchParam = CertAllocStringLen(NULL,cSearchParam); if(bstrSearchParam == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "CertAllocStringLen"); } wcscpy(bstrSearchParam, L"(&"); wcscat(bstrSearchParam, wszSearch);
wcscat(bstrSearchParam, wszQuery); wcscat(bstrSearchParam, L")"); }
hr = _ProcessFind(pld, (wszQuery? bstrSearchParam : wszSearch), bstrScope, dwFlags, ppCAInfo); if(hr != S_OK) { _LeaveError(hr, "_ProcessFind"); }
} __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER) { }
error: if (NULL != bstrScope) { CertFreeString(bstrScope); }
if( NULL != bstrConfig) { CertFreeString(bstrConfig); }
if( NULL != bstrDomain) { CertFreeString(bstrDomain); }
if (NULL != bstrSearchParam) { CertFreeString(bstrSearchParam); } if(0 == (CA_FLAG_SCOPE_IS_LDAP_HANDLE & dwFlags)) { if (NULL != pld) { ldap_unbind(pld); } } return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::_ProcessFind -- ProcessFind CA Objects in the DS
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::_ProcessFind( LDAP * pld, LPCWSTR wszQuery, LPCWSTR wszScope, DWORD dwFlags, CCAInfo **ppCAInfo)
{ HRESULT hr = S_OK; ULONG ldaperr; CCAInfo *pCAFirst = NULL; CCAInfo *pCACurrent = NULL; // Initialize LDAP session
CHAR sdBerValue[] = {0x30, 0x03, 0x02, 0x01, DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION};
LDAPControl se_info_control = { LDAP_SERVER_SD_FLAGS_OID_W, { 5, sdBerValue }, TRUE };
PLDAPControl server_controls[2] = { &se_info_control, NULL };
LDAPMessage *SearchResult = NULL, *Entry;
struct berval **apCerts; struct berval **apSD;
// Chain verification stuff
CERT_CHAIN_PARA ChainParams; CERT_CHAIN_POLICY_PARA ChainPolicy; CERT_CHAIN_POLICY_STATUS PolicyStatus; PCCERT_CHAIN_CONTEXT pChainContext = NULL; PCCERT_CONTEXT pCert = NULL; DWORD cEntries;
// search timeout
struct l_timeval timeout;
if (NULL == ppCAInfo) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); } *ppCAInfo = NULL;
DBGPRINT(( DBG_SS_CERTLIBI, "_ProcessFind(Query=%ws, Scope=%ws, Flags=%x)\n", wszQuery, wszScope, dwFlags));
timeout.tv_sec = csecLDAPTIMEOUT; timeout.tv_usec = 0;
// Perform search.
ldaperr = ldap_search_ext_sW(pld, (LPWSTR)wszScope, LDAP_SCOPE_SUBTREE, (LPWSTR)wszQuery, g_awszCAAttrs, 0, (PLDAPControl *)&server_controls, NULL, &timeout, 10000, &SearchResult); if(ldaperr == LDAP_NO_SUCH_OBJECT) { // No entries were found.
hr = S_OK; DBGPRINT((DBG_SS_CERTLIBI, "ldap_search_ext_sW: no entries\n")); goto error; }
if(ldaperr != LDAP_SUCCESS) { hr = myHLdapError(pld, ldaperr, NULL); _JumpError(hr, error, "ldap_search_ext_sW"); } cEntries = ldap_count_entries(pld, SearchResult); DBGPRINT((DBG_SS_CERTLIBI, "ldap_count_entries: %u entries\n", cEntries)); if (0 == cEntries) { // No entries were found.
hr = S_OK; goto error; }
hr = S_OK; for(Entry = ldap_first_entry(pld, SearchResult); Entry != NULL; Entry = ldap_next_entry(pld, Entry)) { CCAProperty *pProp; WCHAR ** pwszProp; WCHAR ** wszLdapVal; DWORD dwCAFlags = 0;
if(pCert) { CertFreeCertificateContext(pCert); pCert = NULL; }
if(pChainContext) { CertFreeCertificateChain(pChainContext); pChainContext = NULL; }
wszLdapVal = ldap_get_values(pld, Entry, CA_PROP_FLAGS); if(wszLdapVal != NULL) { if(wszLdapVal[0] != NULL) { dwCAFlags = wcstoul(wszLdapVal[0], NULL, 10); } ldap_value_free(wszLdapVal); } DBGPRINT((DBG_SS_CERTLIBI, "dwCAFlags=%x\n", dwCAFlags));
// Filter of flags
if(( 0 == (dwFlags & CA_FIND_INCLUDE_NON_TEMPLATE_CA)) && ( 0 != (dwCAFlags & CA_FLAG_NO_TEMPLATE_SUPPORT))) { // Don't include standalone CA's unless instructed to
DBGPRINT(( DBG_SS_CERTLIBI, "Skipping non-template CA, dwCAFlags=%x\n", dwCAFlags)); continue; }
// Get the CA Certificate
apCerts = ldap_get_values_len(pld, Entry, L"cACertificate"); if(apCerts && apCerts[0]) { pCert = CertCreateCertificateContext( X509_ASN_ENCODING, (PBYTE)apCerts[0]->bv_val, apCerts[0]->bv_len); ldap_value_free_len(apCerts); }
if(0 == (CA_FIND_INCLUDE_UNTRUSTED & dwFlags)) { if (NULL == pCert) { DBGPRINT((DBG_SS_CERTLIBI, "Skipping cert-less CA\n")); continue; // skip this CA
}
// Verify cert and chain...
hr = myVerifyCertContext( pCert, CA_VERIFY_FLAGS_IGNORE_OFFLINE | CA_VERIFY_FLAGS_NO_REVOCATION, // dwFlags
0, // cUsageOids
NULL, // apszUsageOids
(dwFlags & CA_FIND_LOCAL_SYSTEM)? HCCE_LOCAL_MACHINE : HCCE_CURRENT_USER, NULL, // hAdditionalStore
NULL); // ppwszMissingIssuer
if (S_OK != hr) { HRESULT hr2; WCHAR *pwszSubject = NULL;
hr2 = myCertNameToStr( X509_ASN_ENCODING, &pCert->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszSubject); _PrintIfError(hr2, "myCertNameToStr"); _PrintErrorStr(hr, "myVerifyCertContext", pwszSubject); if (NULL != pwszSubject) { LocalFree(pwszSubject); } hr = S_OK; continue; // skip this CA
} }
// Is this the first one?
if(pCACurrent) { pCACurrent->m_pNext = new CCAInfo; if(pCACurrent->m_pNext == NULL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "new"); }
pCACurrent = pCACurrent->m_pNext; } else { pCAFirst = pCACurrent = new CCAInfo; if(pCAFirst == NULL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "new"); } }
pCACurrent->m_pCertificate = pCert; pCert = NULL;
WCHAR* wszDN = ldap_get_dnW(pld, Entry); if(NULL == wszDN) { hr = myHLdapLastError(pld, NULL); _JumpError(hr, error, "ldap_get_dnW"); } pCACurrent->m_bstrDN = CertAllocString(wszDN);
// ldap_get_dnW rtn value should be freed by calling ldap_memfree
ldap_memfree(wszDN);
// check success of CertAllocString
if(pCACurrent->m_bstrDN == NULL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "CertAllocString"); }
// Add text properties from
// DS lookup.
for (pwszProp = g_awszCANamedProps; *pwszProp != NULL; pwszProp++) { pProp = new CCAProperty(*pwszProp); if(pProp == NULL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "new"); }
wszLdapVal = ldap_get_values(pld, Entry, *pwszProp); hr = pProp->SetValue(wszLdapVal); _PrintIfError(hr, "SetValue");
if(wszLdapVal) { ldap_value_free(wszLdapVal); } if(hr == S_OK) { hr = CCAProperty::Append(&pCACurrent->m_pProperties, pProp); _PrintIfError(hr, "Append"); } if(hr != S_OK) { CCAProperty::DeleteChain(&pProp); _JumpError(hr, error, "SetValue or Append"); } }
pCACurrent->m_dwFlags = dwCAFlags;
// Append the security descriptor...
apSD = ldap_get_values_len(pld, Entry, LDAP_SECURITY_DESCRIPTOR_NAME); if(apSD != NULL) { pCACurrent->m_pSD = LocalAlloc(LMEM_FIXED, (*apSD)->bv_len); if(pCACurrent->m_pSD == NULL) { hr = E_OUTOFMEMORY; ldap_value_free_len(apSD); _JumpError(hr, error, "LocalAlloc"); } CopyMemory(pCACurrent->m_pSD, (*apSD)->bv_val, (*apSD)->bv_len); ldap_value_free_len(apSD); }
pCACurrent->m_fNew = FALSE; }
// May be null if none found.
*ppCAInfo = pCAFirst; pCAFirst = NULL;
error:
if(SearchResult) { ldap_msgfree(SearchResult); }
if (NULL != pCAFirst) { delete pCAFirst; } if(pCert) { CertFreeCertificateContext(pCert); }
if(pChainContext) { CertFreeCertificateChain(pChainContext); } return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::Create -- Create CA Object in the DS
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::Create( LPCWSTR wszName, LPCWSTR wszScope, CCAInfo **ppCAInfo)
{ HRESULT hr = S_OK; ULONG ldaperr;
CCAInfo *pCACurrent = NULL; LDAP * pld = NULL;
// Initialize LDAP session
DWORD cFullLocation; CERTSTR bstrScope = NULL;
LPWSTR cnVals[2]; CCAProperty *pProp;
struct berval **apSD;
if (NULL == ppCAInfo || NULL == wszName) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
// short circuit calls to a nonexistant DS
hr = myDoesDSExist(TRUE); _JumpIfError(hr, error, "myDoesDSExist");
__try { // bind to ds
hr = myRobustLdapBind(&pld, FALSE);
if(hr != S_OK) { _LeaveError(hr, "myRobustLdapBind"); }
if(wszScope) { bstrScope = CertAllocString(wszScope); if(bstrScope == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "CertAllocString"); } } else { // If scope is not specified, set it to the
// current domain scope.
hr = CAGetAuthoritativeDomainDn(pld, NULL, &bstrScope); if(S_OK != hr) { _LeaveError(hr, "CAGetAuthoritativeDomainDn"); }
} pCACurrent = new CCAInfo; if(pCACurrent == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "new"); }
cFullLocation = 4 + wcslen(wszName) + wcslen(g_wszEnrollmentServiceLocation) + wcslen(bstrScope); pCACurrent->m_bstrDN = CertAllocStringLen(NULL, cFullLocation); if(pCACurrent->m_bstrDN == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "CertAllocStringLen"); } wcscpy(pCACurrent->m_bstrDN, L"CN="); wcscat(pCACurrent->m_bstrDN, wszName); wcscat(pCACurrent->m_bstrDN, L","); wcscat(pCACurrent->m_bstrDN, g_wszEnrollmentServiceLocation); wcscat(pCACurrent->m_bstrDN, bstrScope); pProp = new CCAProperty(CA_PROP_NAME);
if (pProp == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "new"); }
cnVals[0] = (LPWSTR)wszName; cnVals[1] = NULL; pProp->SetValue(cnVals); CCAProperty::Append(&pCACurrent->m_pProperties, pProp); pCACurrent->m_fNew = TRUE; *ppCAInfo = pCACurrent; pCACurrent = NULL; } __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER) { }
error: if (NULL != bstrScope) { CertFreeString(bstrScope); } if (NULL != pld) { ldap_unbind(pld); } if (NULL != pCACurrent) { delete pCACurrent; } return(hr);}
HRESULT CCAInfo::Update(VOID){
HRESULT hr = S_OK; ULONG ldaperr; LDAP *pld = NULL; LDAPMod objectClass, cnmod, displaymod, certmod, certdnmod, domainidmod, machinednsmod, certtypesmod, sigalgmods, Flagsmod, sdmod, Descriptionmod;
WCHAR *awszNull[1] = { NULL };
DWORD err; DWORD cName;
TCHAR *objectClassVals[3], *certdnVals[2]; LDAPMod *mods[13];
struct berval certberval; struct berval sdberval; struct berval *certVals[2], *sdVals[2];
CHAR sdBerValue[] = {0x30, 0x03, 0x02, 0x01, DACL_SECURITY_INFORMATION| OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION};
LDAPControl se_info_control = { LDAP_SERVER_SD_FLAGS_OID_W, { 5, sdBerValue }, TRUE };
LDAPControl permissive_modify_control = { LDAP_SERVER_PERMISSIVE_MODIFY_OID_W, { 0, NULL }, FALSE };
PLDAPControl server_controls[3] = { &se_info_control, &permissive_modify_control, NULL };
// for now, modifies don't try to update owner/group
CHAR sdBerValueDaclOnly[] = {0x30, 0x03, 0x02, 0x01, DACL_SECURITY_INFORMATION}; LDAPControl se_info_control_dacl_only = { LDAP_SERVER_SD_FLAGS_OID_W, { 5, sdBerValueDaclOnly }, TRUE }; PLDAPControl server_controls_dacl_only[3] = { &se_info_control_dacl_only, &permissive_modify_control, NULL };
DWORD cCALocation; CERTSTR bstrCALocation = NULL; WCHAR * wszDomainDN, *wszCAs, *wszPKS; WCHAR wszFlags[16], *awszFlags[2];
DWORD iMod = 0;
CERTSTR bstrDomainDN = NULL; certdnVals[0] = NULL;
// Things we free and must put into known state
cnmod.mod_values = NULL; displaymod.mod_values = NULL; machinednsmod.mod_values = NULL; certtypesmod.mod_values = NULL; Descriptionmod.mod_values = NULL;
if (NULL == m_pCertificate) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
// short circuit calls to a nonexistant DS
hr = myDoesDSExist(TRUE); _JumpIfError(hr, error, "myDoesDSExist");
__try { // bind to ds
hr = myRobustLdapBind(&pld, FALSE);
if(hr != S_OK) { _LeaveError(hr, "myRobustLdapBind"); }
objectClass.mod_op = LDAP_MOD_REPLACE; objectClass.mod_type = TEXT("objectclass"); objectClass.mod_values = objectClassVals; objectClassVals[0] = wszDSTOPCLASSNAME; objectClassVals[1] = wszDSENROLLMENTSERVICECLASSNAME; objectClassVals[2] = NULL; mods[iMod++] = &objectClass;
cnmod.mod_op = LDAP_MOD_REPLACE; cnmod.mod_type = CA_PROP_NAME; hr = GetProperty(CA_PROP_NAME, &cnmod.mod_values); if((hr != S_OK) || (cnmod.mod_values == NULL)) { cnmod.mod_values = awszNull; if(!m_fNew) { mods[iMod++] = &cnmod; }
} else { mods[iMod++] = &cnmod; }
displaymod.mod_op = LDAP_MOD_REPLACE; displaymod.mod_type = CA_PROP_DISPLAY_NAME; hr = GetProperty(CA_PROP_DISPLAY_NAME, &displaymod.mod_values); if((hr != S_OK) || (displaymod.mod_values == NULL)) { displaymod.mod_values = awszNull; if(!m_fNew) { mods[iMod++] = &displaymod; } } else { mods[iMod++] = &displaymod; }
Flagsmod.mod_op = LDAP_MOD_REPLACE; Flagsmod.mod_type = CERTTYPE_PROP_FLAGS; Flagsmod.mod_values = awszFlags; awszFlags[0] = wszFlags; awszFlags[1] = NULL; wsprintf(wszFlags, L"%lu", m_dwFlags); mods[iMod++] = &Flagsmod;
certmod.mod_op = LDAP_MOD_BVALUES | LDAP_MOD_REPLACE; certmod.mod_type = TEXT("cACertificate"); certmod.mod_bvalues = certVals; certVals[0] = &certberval; certVals[1] = NULL; certberval.bv_len = m_pCertificate->cbCertEncoded; certberval.bv_val = (char *)m_pCertificate->pbCertEncoded; mods[iMod++] = &certmod;
certdnmod.mod_op = LDAP_MOD_REPLACE; certdnmod.mod_type = TEXT("cACertificateDN"); certdnmod.mod_values = certdnVals;
cName = CertNameToStr(X509_ASN_ENCODING, &m_pCertificate->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
if (0 == cName) { hr = myHLastError(); _LeaveError(hr, "CertNameToStr"); } certdnVals[0] = CertAllocStringLen(NULL, cName); if( certdnVals[0] == NULL) { hr = E_OUTOFMEMORY; _LeaveError(hr, "CertAllocStringLen"); }
if(0 == CertNameToStr(X509_ASN_ENCODING, &m_pCertificate->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, certdnVals[0], cName)) { hr = myHLastError(); _LeaveError(hr, "CertNameToStr"); } certdnVals[1] = NULL; mods[iMod++] = &certdnmod;
machinednsmod.mod_op = LDAP_MOD_REPLACE; machinednsmod.mod_type = CA_PROP_DNSNAME; hr = GetProperty(CA_PROP_DNSNAME, &machinednsmod.mod_values); if((hr != S_OK) || (machinednsmod.mod_values == NULL)) { machinednsmod.mod_values = awszNull; if(!m_fNew) { mods[iMod++] = &machinednsmod; } } else { mods[iMod++] = &machinednsmod; }
certtypesmod.mod_op = LDAP_MOD_REPLACE; certtypesmod.mod_type = LDAP_CERTIFICATE_TEMPLATES_NAME; hr = GetProperty(CA_PROP_CERT_TYPES, &certtypesmod.mod_values); if((hr != S_OK) || (certtypesmod.mod_values == NULL)) { certtypesmod.mod_values = awszNull; if(!m_fNew) { mods[iMod++] = &certtypesmod; } } else { mods[iMod++] = &certtypesmod; }
sdmod.mod_op = LDAP_MOD_BVALUES | LDAP_MOD_REPLACE; sdmod.mod_type = LDAP_SECURITY_DESCRIPTOR_NAME; sdmod.mod_bvalues = sdVals; sdVals[0] = &sdberval; sdVals[1] = NULL; if(IsValidSecurityDescriptor(m_pSD)) { sdberval.bv_len = GetSecurityDescriptorLength(m_pSD); sdberval.bv_val = (char *)m_pSD; } else { sdberval.bv_len = 0; sdberval.bv_val = NULL;
} mods[iMod++] = &sdmod;
Descriptionmod.mod_op = LDAP_MOD_REPLACE; Descriptionmod.mod_type = CA_PROP_DESCRIPTION; hr = GetProperty(CA_PROP_DESCRIPTION, &Descriptionmod.mod_values); if((hr != S_OK) || (Descriptionmod.mod_values == NULL)) { Descriptionmod.mod_values = awszNull; if(!m_fNew) { mods[iMod++] = &Descriptionmod; } } else { mods[iMod++] = &Descriptionmod; }
mods[iMod] = NULL; CSASSERT(ARRAYSIZE(mods) > iMod);
hr = S_OK;
if(m_fNew) { DBGPRINT((DBG_SS_CERTLIBI, "Creating DS PKI Enrollment object: '%ws'\n", m_bstrDN)); ldaperr = ldap_add_ext_sW(pld, m_bstrDN, mods, server_controls, NULL); }
else { // don't attempt to set owner/group for pre-existing objects
DBGPRINT((DBG_SS_CERTLIBI, "Updating DS PKI Enrollment object: '%ws'\n", m_bstrDN)); ldaperr = ldap_modify_ext_sW(pld, m_bstrDN, &mods[2], server_controls_dacl_only, NULL); // skip past objectClass and cn
if(LDAP_ATTRIBUTE_OR_VALUE_EXISTS == ldaperr) { ldaperr = LDAP_SUCCESS; } }
if (LDAP_SUCCESS != ldaperr && LDAP_ALREADY_EXISTS != ldaperr) { hr = myHLdapError(pld, ldaperr, NULL); _LeaveError(ldaperr, m_fNew? "ldap_add_s" : "ldap_modify_sW"); } m_fNew = FALSE; } __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER) { }
error: if (NULL != certdnVals[0]) { CertFreeString(certdnVals[0]); } if (NULL != certtypesmod.mod_values && awszNull != certtypesmod.mod_values) { FreeProperty(certtypesmod.mod_values); } if (NULL != machinednsmod.mod_values && awszNull != machinednsmod.mod_values) { FreeProperty(machinednsmod.mod_values); } if (NULL != cnmod.mod_values && awszNull != cnmod.mod_values) { FreeProperty(cnmod.mod_values); } if (NULL != displaymod.mod_values && awszNull != displaymod.mod_values) { FreeProperty(displaymod.mod_values); } if (NULL != Descriptionmod.mod_values && awszNull != Descriptionmod.mod_values) { FreeProperty(Descriptionmod.mod_values); } if (NULL != pld) { ldap_unbind(pld); } return(hr);}
HRESULT CCAInfo::Delete(VOID){ LDAP *pld = NULL; HRESULT hr = S_OK; DWORD ldaperr;
// short circuit calls to a nonexistant DS
hr = myDoesDSExist(TRUE); _JumpIfError(hr, error, "myDoesDSExist");
__try { // bind to ds
hr = myRobustLdapBind(&pld, FALSE); if(hr != S_OK) { _LeaveError(hr, "myRobustLdapBind"); } ldaperr = ldap_delete_s(pld, m_bstrDN); hr = myHLdapError(pld, ldaperr, NULL); } __except(hr = myHEXCEPTIONCODE(), EXCEPTION_EXECUTE_HANDLER) { }
error: if (NULL != pld) { ldap_unbind(pld); } return (hr);}
//+--------------------------------------------------------------------------
// CCAInfo::FindDnsDomain -- Find CA Objects in the DS, given a scope specified
// by a dns domain name.
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::FindDnsDomain( LPCWSTR wszQuery, LPCWSTR wszDnsDomain, DWORD dwFlags, CCAInfo **ppCAInfo){ HRESULT hr = S_OK; DWORD err; WCHAR *wszScope = NULL; DWORD cScope;
if (NULL != wszDnsDomain) { cScope = 0; err = DNStoRFC1779Name(NULL, &cScope, wszDnsDomain); if(err != ERROR_INSUFFICIENT_BUFFER) { hr = myHError(err); _JumpError(hr, error, "DNStoRFC1779Name"); } cScope += 1; wszScope = (WCHAR *) LocalAlloc(LMEM_FIXED, sizeof(WCHAR)*cScope); if (NULL == wszScope) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } err = DNStoRFC1779Name(wszScope, &cScope, wszDnsDomain); if (ERROR_SUCCESS != err) { hr = myHError(err); _JumpError(hr, error, "DNStoRFC1779Name"); } } hr = Find(wszQuery, wszScope, dwFlags, ppCAInfo); _JumpIfError4( hr, error, "Find", HRESULT_FROM_WIN32(ERROR_SERVER_DISABLED), HRESULT_FROM_WIN32(ERROR_NO_SUCH_DOMAIN), HRESULT_FROM_WIN32(ERROR_WRONG_PASSWORD));
error: if (NULL != wszScope) { LocalFree(wszScope); } return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::CreateDnsDomain -- Find CA Objects in the DS, given a scope specified
// by a dns domain name.
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::CreateDnsDomain( LPCWSTR wszName, LPCWSTR wszDnsDomain, CCAInfo **ppCAInfo){ HRESULT hr = S_OK; DWORD err; WCHAR *wszScope = NULL; DWORD cScope;
if(wszDnsDomain) { cScope = 0; err = DNStoRFC1779Name(NULL, &cScope, wszDnsDomain); if(err != ERROR_INSUFFICIENT_BUFFER) { hr = myHError(err); _JumpError(hr, error, "DNStoRFC1779Name"); } cScope += 1; wszScope = (WCHAR *) LocalAlloc(LMEM_FIXED, sizeof(WCHAR)*cScope); if (NULL == wszScope) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } err = DNStoRFC1779Name(wszScope, &cScope, wszDnsDomain); if (ERROR_SUCCESS != err) { hr = myHError(err); _JumpError(hr, error, "DNStoRFC1779Name"); } } hr = Create(wszName, wszScope, ppCAInfo); _JumpIfError(hr, error, "Create");
error: if (NULL != wszScope) { LocalFree(wszScope); } return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::Next -- Returns the next object in the chain of CA objects
//
//
//+--------------------------------------------------------------------------
HRESULTCCAInfo::Next(CCAInfo **ppCAInfo){ HRESULT hr; if (NULL == ppCAInfo) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); } *ppCAInfo = m_pNext; if (NULL != m_pNext) { m_pNext->AddRef(); } hr = S_OK;
error: return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::GetProperty -- Retrieves the values of a property of the CA object
//
//
//+--------------------------------------------------------------------------
HRESULTCCAInfo::GetProperty( LPCWSTR wszPropertyName, LPWSTR **pawszProperties){ HRESULT hr; DWORD dwChar=0; LPWSTR *awszResult = NULL; LPWSTR pwszName=NULL; CCAProperty *pProp; LPCWSTR wszProp = NULL;
if (NULL == wszPropertyName || NULL == pawszProperties) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
if(lstrcmpi(wszPropertyName, L"machineDNSName") == 0) { wszProp = CA_PROP_DNSNAME; } else if(lstrcmpi(wszPropertyName, L"supportedCertificateTemplates") == 0) { wszProp = CA_PROP_CERT_TYPES; } else if(lstrcmpi(wszPropertyName, L"signatureAlgs") == 0) { wszProp = CA_PROP_SIGNATURE_ALGS; } else { wszProp = wszPropertyName; }
hr = m_pProperties->Find(wszProp, &pProp); _JumpIfErrorStr(hr, error, "Find", wszProp);
if (NULL != pProp) { hr = pProp->GetValue(pawszProperties); _JumpIfError(hr, error, "GetValue"); } else { *pawszProperties = NULL; }
if((lstrcmpi(wszPropertyName, CA_PROP_DISPLAY_NAME) == 0) && ((*pawszProperties == NULL) || ((*pawszProperties)[0] == NULL))) { // DISPLAY_NAME is empty, so we try to return the display name
// of the CA's certificate. if that also failed, just pass back the CN
if(*pawszProperties != NULL) { LocalFree(*pawszProperties); *pawszProperties = NULL; }
if(m_pCertificate) { if((dwChar=CertGetNameStringW( m_pCertificate, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, NULL, 0))) { pwszName=(LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR) * (dwChar)); if(NULL==pwszName) { hr=E_OUTOFMEMORY; _JumpIfError(hr, error, "GetPropertyDisplayName"); }
if(dwChar=CertGetNameStringW( m_pCertificate, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, pwszName, dwChar)) { awszResult=(WCHAR **)LocalAlloc(LPTR, (UINT)(sizeof(WCHAR *)*2+(wcslen(pwszName)+1)*sizeof(WCHAR))); if (NULL==awszResult) { hr=E_OUTOFMEMORY; _JumpIfError(hr, error, "GetPropertyDisplayName"); } awszResult[0]=(WCHAR *)(&awszResult[2]); awszResult[1]=NULL; wcscpy(awszResult[0], pwszName); LocalFree(pwszName); *pawszProperties=awszResult; return S_OK; } } }
hr = GetProperty(CA_PROP_NAME, pawszProperties); _JumpIfError(hr, error, "GetProperty"); }
error:
if(pwszName) LocalFree(pwszName);
return(hr);}
//+--------------------------------------------------------------------------
// CCertTypeInfo::SetProperty -- Sets the value of a property
//
//
//+--------------------------------------------------------------------------
HRESULTCCAInfo::SetProperty( LPCWSTR wszPropertyName, LPWSTR *awszProperties){ HRESULT hr; CCAProperty *pProp; CCAProperty *pNewProp = NULL;
if (NULL == wszPropertyName) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
hr = m_pProperties->Find(wszPropertyName, &pProp); if (S_OK != hr) { pNewProp = new CCAProperty(wszPropertyName); if (NULL == pNewProp) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "new"); } hr = pNewProp->SetValue(awszProperties); _JumpIfError(hr, error, "SetValue");
hr = CCAProperty::Append(&m_pProperties, pNewProp); _JumpIfError(hr, error, "Append"); pNewProp = NULL; // remove our reference if we gave it to m_pProperties
} else { hr = pProp->SetValue(awszProperties); _JumpIfError(hr, error, "SetValue"); }
error: if (NULL != pNewProp) CCAProperty::DeleteChain(&pNewProp);
return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::FreeProperty -- Free's a previously returned property array
//
//
//+--------------------------------------------------------------------------
HRESULTCCAInfo::FreeProperty( LPWSTR *pawszProperties){ if (NULL != pawszProperties) { LocalFree(pawszProperties); } return(S_OK);}
//+--------------------------------------------------------------------------
// CCAInfo::GetCertificte -- get the CA certificate
//
//
//+--------------------------------------------------------------------------
HRESULTCCAInfo::GetCertificate( PCCERT_CONTEXT *ppCert){ HRESULT hr;
if (NULL == ppCert) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); } *ppCert = CertDuplicateCertificateContext(m_pCertificate); hr = S_OK;
error: return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::SetCertificte -- get the CA certificate
//
//
//+--------------------------------------------------------------------------
HRESULTCCAInfo::SetCertificate( PCCERT_CONTEXT pCert){
if (NULL != m_pCertificate) { CertFreeCertificateContext(m_pCertificate); m_pCertificate = NULL; }
if (NULL != pCert) { m_pCertificate = CertDuplicateCertificateContext(pCert); } return S_OK;}
//+--------------------------------------------------------------------------
// CCAInfo::EnumCertTypesEx -- Enumerate cert types supported by this CA
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::EnumSupportedCertTypesEx( LPCWSTR wszScope, DWORD dwFlags, CCertTypeInfo **ppCertTypes){ HRESULT hr; CCertTypeInfo *pCTFirst = NULL; CCertTypeInfo *pCTCurrent = NULL;
LPWSTR * awszCertTypes = NULL;
if (NULL == ppCertTypes) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); } *ppCertTypes = NULL;
hr = GetProperty(CA_PROP_CERT_TYPES, &awszCertTypes); _JumpIfError(hr, error, "GetProperty");
if (NULL != awszCertTypes) { // Build a filter based on all of the global
// entries in the cert list.
hr = CCertTypeInfo::FindByNames( (LPCWSTR *)awszCertTypes, wszScope, dwFlags, ppCertTypes); _JumpIfError(hr, error, "FindByNames"); }
error: if (awszCertTypes) { FreeProperty(awszCertTypes); }
return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::EnumCertTypes -- Enumerate cert types supported by this CA
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::EnumSupportedCertTypes( DWORD dwFlags, CCertTypeInfo **ppCertTypes){ return CCAInfo::EnumSupportedCertTypesEx(NULL, dwFlags, ppCertTypes);}
//+--------------------------------------------------------------------------
// CCAInfo::AddCertType -- Add a cert type to this CA
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::AddCertType( CCertTypeInfo *pCertType){ HRESULT hr; LPWSTR *awszCertTypes = NULL; LPWSTR *awszCertTypeName = NULL; LPWSTR *awszNewTypes = NULL;
LPWSTR wszCertTypeShortName = NULL;
LPWSTR awszTypeName;
DWORD cTypes;
if (NULL == pCertType) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
hr = GetProperty(CA_PROP_CERT_TYPES, &awszCertTypes); _JumpIfError(hr, error, "GetProperty");
hr = pCertType->GetProperty(CERTTYPE_PROP_DN, &awszCertTypeName); _JumpIfError(hr, error, "GetProperty");
if (NULL == awszCertTypeName || NULL == awszCertTypeName[0]) { hr = E_POINTER; _JumpError(hr, error, "NULL CertTypeName"); }
if((NULL != (wszCertTypeShortName = wcschr(awszCertTypeName[0], L'|'))) || (NULL != (wszCertTypeShortName = wcschr(awszCertTypeName[0], wcRBRACE)))) { wszCertTypeShortName++; }
if (NULL == awszCertTypes || NULL == awszCertTypes[0]) { // no templates on the CA, add the new one and exit
hr = SetProperty(CA_PROP_CERT_TYPES, awszCertTypeName); _JumpIfError(hr, error, "SetProperty"); } else { // If cert type is already on ca, do nothing
for (cTypes = 0; awszCertTypes[cTypes] != NULL; cTypes++) { if (0 == lstrcmpi(awszCertTypes[cTypes], awszCertTypeName[0])) { hr = S_OK; goto error; } if(wszCertTypeShortName) { if (0 == lstrcmpi(awszCertTypes[cTypes], wszCertTypeShortName)) { hr = S_OK; goto error; } } }
awszNewTypes = (WCHAR **) LocalAlloc( LMEM_FIXED, (cTypes + 2) * sizeof(WCHAR *)); if (NULL == awszNewTypes) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
CopyMemory(awszNewTypes, awszCertTypes, cTypes * sizeof(WCHAR *));
awszNewTypes[cTypes] = awszCertTypeName[0]; awszNewTypes[cTypes + 1] = NULL;
hr = SetProperty(CA_PROP_CERT_TYPES, awszNewTypes); _JumpIfError(hr, error, "SetProperty"); }
error: if (NULL != awszCertTypes) { FreeProperty(awszCertTypes); } if (NULL != awszCertTypeName) { FreeProperty(awszCertTypeName); } if (NULL != awszNewTypes) { LocalFree(awszNewTypes); } return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::RemoveCertType -- Remove a cert type from this CA
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::RemoveCertType( CCertTypeInfo *pCertType){ HRESULT hr; WCHAR **awszCertTypes = NULL; WCHAR **awszCertTypeName = NULL; DWORD cTypes, cTypesNew; LPWSTR wszCertTypeName = NULL; LPWSTR wszCurrentCertTypeName = NULL;
if (NULL == pCertType) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
hr = GetProperty(CA_PROP_CERT_TYPES, &awszCertTypes); _JumpIfError(hr, error, "GetProperty");
hr = pCertType->GetProperty(CERTTYPE_PROP_CN, &awszCertTypeName); _JumpIfError(hr, error, "GetProperty"); if (NULL == awszCertTypeName || NULL == awszCertTypeName[0]) { hr = E_POINTER; _JumpError(hr, error, "NULL CertTypeName"); }
if (NULL == awszCertTypes || NULL == awszCertTypes[0]) { hr = S_OK; goto error; } wszCertTypeName = wcschr(awszCertTypeName[0], wcRBRACE); if(wszCertTypeName != NULL) { wszCertTypeName++; } else { wszCertTypeName = awszCertTypeName[0]; }
cTypesNew = 0;
// If cert type is already on ca, do nothing
for (cTypes = 0; awszCertTypes[cTypes] != NULL; cTypes++) { if((NULL != (wszCurrentCertTypeName = wcschr(awszCertTypes[cTypes], L'|'))) || (NULL != (wszCurrentCertTypeName = wcschr(awszCertTypes[cTypes], wcRBRACE))))
{ wszCurrentCertTypeName++; } else { wszCurrentCertTypeName = awszCertTypes[cTypes]; }
if (0 != lstrcmpi(wszCurrentCertTypeName, wszCertTypeName)) { awszCertTypes[cTypesNew++] = awszCertTypes[cTypes]; } } awszCertTypes[cTypesNew] = NULL;
hr = SetProperty(CA_PROP_CERT_TYPES, awszCertTypes); _JumpIfError(hr, error, "SetProperty");
error: if (NULL != awszCertTypes) { FreeProperty(awszCertTypes); } if (NULL != awszCertTypeName) { FreeProperty(awszCertTypeName); } return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::GetExpiration -- Get the expiration period
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::GetExpiration( DWORD *pdwExpiration, DWORD *pdwUnits) { HRESULT hr;
if (NULL == pdwExpiration || NULL == pdwUnits) { hr = E_POINTER; _JumpError(hr, error, "NULL parm"); }
*pdwExpiration = m_dwExpiration; *pdwUnits = m_dwExpUnits; hr = S_OK;
error: return(hr);}
//+--------------------------------------------------------------------------
// CCAInfo::SetExpiration -- Set the expiration period
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::SetExpiration( DWORD dwExpiration, DWORD dwUnits) { m_dwExpiration = dwExpiration; m_dwExpUnits = dwUnits; return(S_OK);}
//+--------------------------------------------------------------------------
// CCAInfo::GetSecurity --
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::GetSecurity(PSECURITY_DESCRIPTOR * ppSD){ HRESULT hr = S_OK; PSECURITY_DESCRIPTOR pResult = NULL;
DWORD cbSD;
if(ppSD == NULL) { return E_POINTER; } if(m_pSD == NULL) { *ppSD = NULL; return S_OK; }
if(!IsValidSecurityDescriptor(m_pSD)) { return HRESULT_FROM_WIN32(ERROR_INVALID_SECURITY_DESCR); } cbSD = GetSecurityDescriptorLength(m_pSD);
pResult = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, cbSD);
if(pResult == NULL) { return E_OUTOFMEMORY; }
CopyMemory(pResult, m_pSD, cbSD);
*ppSD = pResult;
return S_OK;}
//+--------------------------------------------------------------------------
// CCAInfo::GetSecurity --
//
//
//+--------------------------------------------------------------------------
HRESULT CCAInfo::SetSecurity(PSECURITY_DESCRIPTOR pSD){ HRESULT hr = S_OK; PSECURITY_DESCRIPTOR pResult = NULL;
DWORD cbSD;
if(pSD == NULL) { return E_POINTER; }
if(!IsValidSecurityDescriptor(pSD)) { return HRESULT_FROM_WIN32(ERROR_INVALID_SECURITY_DESCR); } cbSD = GetSecurityDescriptorLength(pSD);
pResult = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, cbSD);
if(pResult == NULL) { return E_OUTOFMEMORY; }
CopyMemory(pResult, pSD, cbSD);
if(m_pSD) { LocalFree(m_pSD); }
m_pSD = pResult;
return S_OK;}
HRESULT CCAInfo::AccessCheck(HANDLE ClientToken, DWORD dwOption){
return CAAccessCheckpEx(ClientToken, m_pSD, dwOption);}
|
