|
|
//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1996 - 1999
//
// File: pkcs.cpp
//
// Contents: Cert Server Extension interfaces -- PKCS implementation
//
//---------------------------------------------------------------------------
#include <pch.cpp>
#pragma hdrstop
#include <stdio.h>
#include <time.h>
#define SECURITY_WIN32
#include <security.h>
#include "resource.h"
#include "cscom.h"
#include "csprop.h"
#include "elog.h"
#include "certlog.h"
#include "csdisp.h"
#include "cscsp.h"
#include <certca.h>
#include <esent.h>
#include <winldap.h>
#include "csldap.h"
#include "cainfop.h"
#define __dwFILE__ __dwFILE_CERTSRV_PKCS_CPP_
CSURLTEMPLATE *g_paRevURL = NULL;DWORD g_caRevURL = 0;
CSURLTEMPLATE *g_paCACertURL = NULL;DWORD g_caCACertURL = 0;
BSTR g_strDomainDN = NULL;BSTR g_strConfigDN = NULL;
WCHAR *g_pwszKRAPublishURL = NULL;WCHAR *g_pwszAIACrossCertPublishURL = NULL;WCHAR *g_pwszRootTrustCrossCertPublishURL = NULL;
// Note on Renewal and Key reuse:
//
// Cert Indexes, Key Indexes and CRL Name Indexes are all zero based.
//
// One CRL is issued by this CA for each unique key. Each CRL covers all of
// the certs issued by this CA for one key, even though the key may have been
// used by multiple renewal certs.
//
// The database IssuerNameID PROPTYPE_LONG column holds the Key Index in the
// top 16 bits and the Cert Index in the bottom 16 bits. This allows a pair of
// query restrictions to reduce the result row set to those revoked certs
// that will be placed into a single CRL.
//
// When Cert File, Key Container, CRL File or DS Object name templates include
// an Index Suffix, an empty string suffix, "", is used when the index is zero.
// Otherwise the Suffix is "(%u)", where the index itself is passed to wsprintf
// to construct the %u field.
//
// Cert Indexes increment each time the CA cert is renewed. Because 16 bit
// Cert Indexes are stored in the database, a CA may have up to 64k certs,
// and be renewed a maximum of 64k-1 times.
//
// The Cert File Name Suffix is built from the Cert Index.
//
// Key Indexes: The original installed CA cert uses a Key Index of 0.
// If a renewal cert uses the same key as any previous cert used by this CA,
// the Key Index for the new CA cert is taken from the previous CA cert.
// If a renewal cert uses a new Key, the Cert Index is used for the Key Index.
// The primary reason sequential Key Indexes are not used for new keys is that
// too much context information is required to determine the next Key Index --
// which is particularly difficult to obtain when performing PFX restore.
//
// The Key Container Name Suffix is built from the Key Index.
//
//
// CRL Indexes: same as Key Index.
// CRL File Name Suffix: same as Key Container Name Suffix.
//
// Example: Cert CertName Key KeyName CRL CRLName
// Index Suffix Index Suffix Index Suffix
// Original Install 0 "" 0 "" 0 ""
//
// Renew, new Key 1 "(1)" 1 "(1)" 1 "(1)"
// *Renew, reuse Key 2 "(2)" 1 "(1)" 1 "(1)"
// *Renew, reuse Key 3 "(3)" 1 "(1)" 1 "(1)"
//
// Renew, new Key 4 "(4)" 4 "(4)" 4 "(4)"
// *Renew, reuse Key 5 "(5)" 4 "(4)" 4 "(4)"
//
// Renew, new Key 6 "(6)" 6 "(6)" 6 "(6)"
// *Renew, reuse Key 7 "(7)" 6 "(6)" 6 "(6)"
//
//
// CCertRequest::GetCACertificate can be used to fetch Certs and CRLs by Index.
// This API always accepts a Cert Index.
//
// When fetching a certificate: If the Cert Index is valid, the appropriate
// certificate or chain is returned, even if it is expired or revoked.
//
// When fetching a CRL: If the Cert Index is valid AND if the Cert Index
// MATCHES the Key Index for the indexed Cert, the appropriate CRL is returned.
// This means that an error will be returned when requesting CRLs associated
// with entries in the above table that reused keys (marked with an asterisk
// in the first column). The nearest previous unmarked entry's CRL covers
// revocations for the marked entries.
//
//
// CCertServer{Policy,Exit}::GetCertificateProperty can be used to fetch
// information about Certs and CRLs. This API allows an optional numeric
// suffix on the property name, as in "RawCRL.3". The suffix is always
// interpreted as a Cert Index.
//
// wszPROPCERTCOUNT: Returns total CA Cert count, including expired and
// revoked certs. No numeric Cert Index suffix is allowed.
//
// wszPROPRAWCACERTIFICATE: Returns the Cert for the passed Cert Index.
// Returns the Cert for the most recent Cert Index if no Cert Index is
// specified. Expired and revoked certs are still retrievable.
//
// wszPROPCERTSTATE: Returns the Cert State for the passed Cert Index.
// Returns the Cert State for the most recent Cert Index if no Cert Index is
// specified.
// Values for wszPROPCERTSTATE (see certadm.h):
// CA_DISP_REVOKED // This Cert has been revoked.
// CA_DISP_VALID // This Cert is still valid
// CA_DISP_INVALID // This Cert has expired.
// CA_DISP_ERROR // Cert unavailable (placehholder in registry?)
//
// wszPROPCERTSUFFIX: Returns the Cert FileName Suffix for the passed Cert
// Index. Returns the Cert FileName Suffix for the most recent Cert Index if
// no Cert Index is specified.
//
// wszPROPRAWCRL: Returns the CRL for the passed Cert Index. As with
// CCertRequest::GetCACertificate, it is an error to fetch a CRL for a Cert
// that reused keys. In the above table, only "RawCRL.0", "RawCRL.1",
// "RawCRL.4", "RawCRL.6" & "RawCRL" are allowed. "RawCRL" will fetch the most
// recent CRL. Use the wszPROPCRLSTATE with a numeric Cert Index suffix to
// determine which CRLs are valid to fetch. CA_DISP_ERROR indicates the
// CRL cannot be fetched. CA_DISP_REVOKED and CA_DISP_INVALID CRLs are still
// retrievable via this method call.
//
// All of the other CRL-related property fetches are supported for all valid
// Cert Index values:
//
// wszPROPCRLINDEX: Returns the CRL Index value for the passed Cert Index.
// Returns the CRL Index value for the most recent Cert Index if no Cert Index
// is specified.
//
// wszPROPCRLSTATE: Returns the CRL State for the passed Cert Index.
// Returns the CRL State for the most recent Cert Index if no Cert Index is
// specified.
// Values for wszPROPCRLSTATE (see certadm.h):
// CA_DISP_REVOKED // All unexpired certs using this Cert's CRL have been
// // revoked.
// CA_DISP_VALID // This Cert is still publishing CRLs as needed.
// CA_DISP_INVALID // All certs using this Cert's CRL are expired.
// CA_DISP_ERROR // This Cert's CRL is managed by another Cert.
//
// wszPROPCRLSUFFIX: Returns the CRL FileName Suffix for the passed Cert Index.
// Returns the CRL FileName Suffix for the most recent Cert Index if no Cert
// Index is specified.
CACTX *g_aCAContext; // allocated array of CACTXs
CACTX *g_pCAContextCurrent; // current CACTX is last g_aCAContext element
CERT_CONTEXT const **g_rgKRACerts = NULL;BSTR *g_rgstrKRAHashes = NULL;DWORD g_cKRAHashes = 0;DWORD g_cKRACertsRoundRobin = 0;DWORD g_iKRACerts; // Next KRA cert to be used by this CA
HRESULT g_hrKRALoad = S_OK;
DWORD g_cCAKeys; // Total number of unique CA keys managed by this CA
DWORD g_cCACerts; // Total number of CA certs managed by this CA
DWORD g_cKRACerts; // Total number of KRA certs used by this CA
CAXCHGCTX *g_aCAXchgContext; // allocated array of CAXCHGCTXs
CAXCHGCTX *g_pCAXchgContextCurrent; // current CAXCHGCTX is last element
DWORD g_cCAXchgCerts; // number of CA Xchg certs managed by this CA
HCERTSTORE g_hStoreCAXchg = NULL;DWORD g_dwXchgProvType;WCHAR *g_pwszXchgProvName = NULL;ALG_ID g_XchgidAlg;BOOL g_fXchgMachineKeyset;DWORD g_dwXchgKeySize;
LONG g_lValidityPeriodCount = dwVALIDITYPERIODCOUNTDEFAULT_STANDALONE;enum ENUM_PERIOD g_enumValidityPeriod = dwVALIDITYPERIODENUMDEFAULT;
enum ENUM_PERIOD g_enumCAXchgValidityPeriod = dwCAXCHGVALIDITYPERIODENUMDEFAULT;LONG g_lCAXchgValidityPeriodCount = dwCAXCHGVALIDITYPERIODCOUNTDEFAULT;
enum ENUM_PERIOD g_enumCAXchgOverlapPeriod = dwCAXCHGOVERLAPPERIODENUMDEFAULT;LONG g_lCAXchgOverlapPeriodCount = dwCAXCHGOVERLAPPERIODCOUNTDEFAULT;
typedef enum { ST_COUNTRY = 0, ST_ORGANIZATION, ST_ORGANIZATIONALUNIT, ST_COMMONNAME, ST_LOCALITY, ST_STATEORPROVINCE, ST_TITLE, ST_GIVENNAME, ST_INITIALS, ST_SURNAME, ST_DOMAINCOMPONENT, ST_EMAIL, ST_STREETADDRESS, ST_UNSTRUCTUREDNAME, ST_UNSTRUCTUREDADDRESS, ST_DEVICESERIALNUMBER, ST_NULL};
typedef struct _SUBJECTTABLE{ WCHAR const *pwszPropName; CHAR const *pszObjId; WCHAR const * const *apwszAttributeName; DWORD cchMax; DWORD dwValueType; DWORD dwSubjectTableValue;} SUBJECTTABLE;
WCHAR const *apwszAttrCountry[] = { wszATTRCOUNTRY1, wszATTRCOUNTRY2, TEXT(szOID_COUNTRY_NAME), NULL};
WCHAR const *apwszAttrOrg[] = { wszATTRORG1, wszATTRORG2, wszATTRORG3, TEXT(szOID_ORGANIZATION_NAME), NULL};
WCHAR const *apwszAttrOrgUnit[] = { wszATTRORGUNIT1, wszATTRORGUNIT2, wszATTRORGUNIT3, wszATTRORGUNIT4, TEXT(szOID_ORGANIZATIONAL_UNIT_NAME), NULL};
WCHAR const *apwszAttrCommonName[] = { wszATTRCOMMONNAME1, wszATTRCOMMONNAME2, TEXT(szOID_COMMON_NAME), NULL};
WCHAR const *apwszAttrLocality[] = { wszATTRLOCALITY1, wszATTRLOCALITY2, TEXT(szOID_LOCALITY_NAME), NULL};
WCHAR const *apwszAttrState[] = { wszATTRSTATE1, wszATTRSTATE2, wszATTRSTATE3, TEXT(szOID_STATE_OR_PROVINCE_NAME), NULL};
WCHAR const *apwszAttrTitle[] = { wszATTRTITLE1, wszATTRTITLE2, TEXT(szOID_TITLE), NULL};
WCHAR const *apwszAttrGivenName[] = { wszATTRGIVENNAME1, wszATTRGIVENNAME2, TEXT(szOID_GIVEN_NAME), NULL};
WCHAR const *apwszAttrInitials[] = { wszATTRINITIALS1, wszATTRINITIALS2, TEXT(szOID_INITIALS), NULL};
WCHAR const *apwszAttrSurName[] = { wszATTRSURNAME1, wszATTRSURNAME2, TEXT(szOID_SUR_NAME), NULL};
WCHAR const *apwszAttrDomComp[] = { wszATTRDOMAINCOMPONENT1, wszATTRDOMAINCOMPONENT2, TEXT(szOID_DOMAIN_COMPONENT), NULL};
WCHAR const *apwszAttrEMail[] = { wszATTREMAIL1, wszATTREMAIL2, TEXT(szOID_RSA_emailAddr), NULL};
WCHAR const *apwszAttrStreetAddr[] = { wszATTRSTREETADDRESS1, wszATTRSTREETADDRESS2, TEXT(szOID_STREET_ADDRESS), NULL};
WCHAR const *apwszAttrUnstructName[] = { wszATTRUNSTRUCTUREDNAME1, TEXT(szOID_RSA_unstructName), NULL};
WCHAR const *apwszAttrUnstructAddr[] = { wszATTRUNSTRUCTUREDADDRESS1, TEXT(szOID_RSA_unstructAddr), NULL};
WCHAR const *apwszAttrDeviceSerialNumber[] = { wszATTRDEVICESERIALNUMBER1, TEXT(szOID_DEVICE_SERIAL_NUMBER), NULL};
SUBJECTTABLE const pkcs_subject[] ={ { // "Country",
g_wszPropSubjectCountry, szOID_COUNTRY_NAME, apwszAttrCountry, cchCOUNTRYNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_COUNTRY, }, { // "Organization",
g_wszPropSubjectOrganization, szOID_ORGANIZATION_NAME, apwszAttrOrg, cchORGANIZATIONNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_ORGANIZATION, }, { // "OrganizationalUnit",
g_wszPropSubjectOrgUnit, szOID_ORGANIZATIONAL_UNIT_NAME, apwszAttrOrgUnit, cchORGANIZATIONALUNITNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_ORGANIZATIONALUNIT, }, { // "CommonName",
g_wszPropSubjectCommonName, szOID_COMMON_NAME, apwszAttrCommonName, cchCOMMONNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_COMMONNAME, }, { // "Locality",
g_wszPropSubjectLocality, szOID_LOCALITY_NAME, apwszAttrLocality, cchLOCALITYMANAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_LOCALITY, }, { // "StateOrProvince",
g_wszPropSubjectState, szOID_STATE_OR_PROVINCE_NAME, apwszAttrState, cchSTATEORPROVINCENAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_STATEORPROVINCE, }, { // "Title",
g_wszPropSubjectTitle, szOID_TITLE, apwszAttrTitle, cchTITLEMAX, CERT_RDN_PRINTABLE_STRING, ST_TITLE, }, { // "GivenName",
g_wszPropSubjectGivenName, szOID_GIVEN_NAME, apwszAttrGivenName, cchGIVENNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_GIVENNAME, }, { // "Initials",
g_wszPropSubjectInitials, szOID_INITIALS, apwszAttrInitials, cchINITIALSMAX, CERT_RDN_PRINTABLE_STRING, ST_INITIALS, }, { // "SurName",
g_wszPropSubjectSurName, szOID_SUR_NAME, apwszAttrSurName, cchSURNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_SURNAME, }, { // "DomainComponent",
g_wszPropSubjectDomainComponent, szOID_DOMAIN_COMPONENT, apwszAttrDomComp, cchDOMAINCOMPONENTMAX, CERT_RDN_PRINTABLE_STRING, ST_DOMAINCOMPONENT, }, { // "EMail",
g_wszPropSubjectEMail, szOID_RSA_emailAddr, apwszAttrEMail, cchEMAILMAX, CERT_RDN_PRINTABLE_STRING, ST_EMAIL, }, { // "StreetAddress",
g_wszPropSubjectStreetAddress, szOID_STREET_ADDRESS, apwszAttrStreetAddr, cchSTREETADDRESSMAX, CERT_RDN_PRINTABLE_STRING, ST_STREETADDRESS, }, { // "UnstructuredName",
g_wszPropSubjectUnstructuredName, szOID_RSA_unstructName, apwszAttrUnstructName, cchUNSTRUCTUREDNAMEMAX, CERT_RDN_PRINTABLE_STRING, ST_UNSTRUCTUREDNAME, }, { // "UnstructuredAddress",
g_wszPropSubjectUnstructuredAddress, szOID_RSA_unstructAddr, apwszAttrUnstructAddr, cchUNSTRUCTUREDADDRESSMAX, CERT_RDN_PRINTABLE_STRING, ST_UNSTRUCTUREDADDRESS, }, { // "DeviceSerialNumber",
g_wszPropSubjectDeviceSerialNumber, szOID_DEVICE_SERIAL_NUMBER, apwszAttrDeviceSerialNumber, cchDEVICESERIALNUMBERMAX, CERT_RDN_PRINTABLE_STRING, ST_DEVICESERIALNUMBER, }, { NULL, NULL, NULL, 0, 0, ST_NULL, },};
#define CSUBJECTTABLE (sizeof(pkcs_subject) / sizeof(pkcs_subject[0]))
SUBJECTTABLE const *pkcs_apSubject[CSUBJECTTABLE];SUBJECTTABLE const **pkcs_ppSubjectLast;BOOL pkcsfSubjectTemplate = FALSE;
WCHAR const g_wszCNXchgSuffix[] = wszCNXCHGSUFFIX;
WCHAR const g_wszNTAuth[]=L"ldap:///CN=Public Key Services,CN=Services,%s?cACertificate?one?cn=NTAuthCertificates";
#define SHA1_HASH_LENGTH 20
VOIDpkcsSetDistinguishedName( IN ICertDBRow *prow, IN DWORD dwTable, IN CERT_NAME_BLOB const *pSubject){ DWORD cwc; WCHAR awcName[CCH_DBMAXTEXT_DN + 1]; HRESULT hr;
CSASSERT(PROPTABLE_REQUEST == dwTable || PROPTABLE_CERTIFICATE == dwTable);
cwc = CertNameToStr( X509_ASN_ENCODING, const_cast<CERT_NAME_BLOB *>(pSubject), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, awcName, ARRAYSIZE(awcName)); if (0 != cwc && L'\0' != awcName[0]) {#if DBG_CERTSRV
DWORD ReqId;
prow->GetRowId(&ReqId); DBGPRINT(( DBG_SS_CERTSRVI, "%ws DN(%u): '%ws'\n", PROPTABLE_REQUEST == dwTable? L"Request" : L"Certificate", ReqId, awcName));#endif
if (wcslen(awcName) == ARRAYSIZE(awcName) - 1) { DBGPRINT(( DBG_SS_CERTSRV, "pkcsSetDistinguishedName: possible DN truncation: %u chars: '%ws'\n", ARRAYSIZE(awcName) - 1, awcName)); } hr = prow->SetProperty( g_wszPropSubjectDistinguishedName, PROPTYPE_STRING | PROPCALLER_SERVER | dwTable, MAXDWORD, (BYTE const *) awcName); _PrintIfError(hr, "SetProperty(DN)"); }}
WCHAR const *PKCSMapAttributeName( OPTIONAL IN WCHAR const *pwszAttributeName, OPTIONAL IN CHAR const *pszObjId, OUT DWORD *pdwIndex, OUT DWORD *pcchMax){ SUBJECTTABLE const *pSubjectTable; WCHAR const *pwszPropName = NULL;
for (pSubjectTable = pkcs_subject; ; pSubjectTable++) { WCHAR const * const *ppwsz;
if (NULL == pSubjectTable->pwszPropName) { goto error; } if (NULL != pwszAttributeName) { for (ppwsz = pSubjectTable->apwszAttributeName; NULL != *ppwsz; ppwsz++) { if (0 == lstrcmpi(pwszAttributeName, *ppwsz)) { break; } } if (NULL != *ppwsz || 0 == lstrcmpi(pwszAttributeName, pSubjectTable->pwszPropName)) { break; } } if (NULL != pszObjId && 0 == strcmp(pszObjId, pSubjectTable->pszObjId)) { break; } } CSASSERT(NULL != pSubjectTable->pwszPropName); pwszPropName = pSubjectTable->pwszPropName; *pdwIndex = pSubjectTable->dwSubjectTableValue; *pcchMax = pSubjectTable->cchMax;
error: return(pwszPropName);}
HRESULTpkcsFindCAContext( IN DWORD iCert, // MAXDWORD -> use current
IN DWORD iKey, // MAXDWORD -> use current
OUT CACTX **ppCAContext){ HRESULT hr = E_INVALIDARG; DWORD i; CACTX *pCAContext;
*ppCAContext = NULL;
// Lookup is either by cert index OR by key index, but not both or neither
CSASSERT((MAXDWORD == iCert) ^ (MAXDWORD == iKey));
if (MAXDWORD != iCert) { if ((~_16BITMASK & iCert) || iCert >= g_cCACerts) { _JumpError(hr, error, "bad cert index"); } *ppCAContext = &g_aCAContext[iCert]; CSASSERT(iCert == (*ppCAContext)->iCert); } else { CSASSERT(MAXDWORD != iKey);
if ((~_16BITMASK & iKey) || iKey >= g_cCAKeys) { _JumpError(hr, error, "bad key index"); } for (i = g_cCACerts; ; i--) { if (0 == i) { _JumpError(hr, error, "key index not found"); } pCAContext = &g_aCAContext[i - 1]; if (iKey == pCAContext->iKey) { *ppCAContext = pCAContext; break; } } } hr = S_OK; // found it!
error: return(hr);}
// Returns Cert Index in *piCert on success.
//
// returned in *piCert:
// If iCert input value is not MAXDWORD, validate & return iCert.
// If iCert input value is MAXDWORD, return the most current Cert Index.
HRESULTPKCSMapCertIndex( IN DWORD iCert, OUT DWORD *piCert, OUT DWORD *pState){ HRESULT hr; CACTX *pCAContext; DBGCODE(DWORD iCertSave = iCert);
*pState = CA_DISP_ERROR; if (MAXDWORD == iCert) { iCert = g_cCACerts - 1; } if (iCert >= g_cCACerts) { hr = E_INVALIDARG; _JumpError(hr, error, "bad CertIndex"); } pCAContext = &g_aCAContext[iCert]; PKCSVerifyCAState(pCAContext);
*pState = CA_DISP_VALID; if (CTXF_CERTMISSING & pCAContext->Flags) { *pState = CA_DISP_ERROR; } else if (CTXF_REVOKED & pCAContext->Flags) { *pState = CA_DISP_REVOKED; } else if (CTXF_EXPIRED & pCAContext->Flags) { *pState = CA_DISP_INVALID; } *piCert = iCert; hr = S_OK;
error: DBGPRINT(( DBG_SS_CERTSRVI, "PKCSMapCertIndex(%u) --> %u, s=%u, hr=%x\n", iCertSave, *piCert, *pState, hr)); return(hr);}
// Returns Cert Index in *piCert and CRL Index in *piCRL on success.
//
// returned in *piCert:
// If iCert input value is not MAXDWORD, validate iCert. Look up the newest
// Cert Index that uses the same key as the passed iCert.
// If iCert input value is MAXDWORD, return the most current Cert Index.
//
// returned in *piCRL:
// CRL index (same as Key Index)
//
HRESULTPKCSMapCRLIndex( IN DWORD iCert, OUT DWORD *piCert, // returns newest iCert w/matching iKey for passed iCert
OUT DWORD *piCRL, OUT DWORD *pState){ HRESULT hr; CACTX *pCAContext; CACTX *pCAContextNewest; DWORD i; DBGCODE(DWORD iCertSave = iCert);
hr = PKCSMapCertIndex(iCert, piCert, pState); _JumpIfError(hr, error, "PKCSMapCertIndex");
// Now we know *piCert is a valid Cert Index:
pCAContext = &g_aCAContext[*piCert]; *piCRL = pCAContext->iKey;
// find the newest iCert with matching iKey
for (i = *piCert + 1; i < g_cCACerts; i++) { if (*piCRL == g_aCAContext[i].iKey) { *piCert = i; } } pCAContextNewest = &g_aCAContext[*piCert];
if (CTXF_CRLZOMBIE & pCAContext->Flags) { *pState = CA_DISP_VALID; } else if (pCAContext->iCert != pCAContext->iKey) { *pState = CA_DISP_ERROR; } else if (CTXF_EXPIRED == ((CTXF_EXPIRED | CTXF_SKIPCRL) & pCAContextNewest->Flags)) { *pState = CA_DISP_VALID; } hr = S_OK;
error: DBGPRINT(( DBG_SS_CERTSRVI, "PKCSMapCRLIndex(%u) --> %u, iCRL=%u, s=%u, hr=%x\n", iCertSave, *piCert, *piCRL, *pState, hr)); return(hr);}
HRESULTPKCSGetCACertStatusCode( IN DWORD iCert, OUT HRESULT *phrCAStatusCode){ HRESULT hr; DWORD State; *phrCAStatusCode = E_FAIL;
hr = PKCSMapCertIndex(iCert, &iCert, &State); _JumpIfError(hr, error, "PKCSMapCertIndex");
*phrCAStatusCode = g_aCAContext[iCert].hrVerifyStatus; hr = S_OK;
error: return(hr);}
HRESULTPKCSGetCAState( IN BOOL fCertState, OUT BYTE *pb){ HRESULT hr; DWORD i;
for (i = 0; i < g_cCACerts; i++) { DWORD iCert; DWORD iCRL; DWORD State;
if (fCertState) { hr = PKCSMapCertIndex(i, &iCert, &State); _JumpIfError(hr, error, "PKCSMapCertIndex"); } else { hr = PKCSMapCRLIndex(i, &iCert, &iCRL, &State); _JumpIfError(hr, error, "PKCSMapCRLIndex"); } CSASSERT(0 == (~0xff & State)); *pb++ = (BYTE) State; }
error: return(hr);}
inline DWORD MapHRESULTToKRADisposition(HRESULT hr){ switch(hr) {
case CERT_E_EXPIRED: return KRA_DISP_EXPIRED;
case CRYPT_E_NOT_FOUND: return KRA_DISP_NOTFOUND;
case CRYPT_E_REVOKED: return KRA_DISP_REVOKED;
case S_OK: return KRA_DISP_VALID;
case CERT_E_UNTRUSTEDROOT: case CERT_E_CHAINING: return KRA_DISP_UNTRUSTED;
case ERROR_NOT_FOUND: return KRA_DISP_NOTLOADED;
default: return KRA_DISP_INVALID; }}
HRESULTPKCSGetKRAState( IN DWORD cKRA, OUT BYTE *pb){ HRESULT hr = S_OK; DWORD dwCount = 0, dwUsedCount; HCERTSTORE hKRAStore = NULL; CERT_CONTEXT const *pCertContext = NULL;
hKRAStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING, NULL, // hProv
CERT_SYSTEM_STORE_LOCAL_MACHINE, wszKRA_CERTSTORE); _JumpIfError(hr, error, "CertOpenStore KRA");
for (dwCount = 0, dwUsedCount = 0; dwCount < cKRA; dwCount++) { hr = myFindCACertByHashIndex( hKRAStore, g_wszSanitizedName, CSRH_CAKRACERT, dwCount, NULL, &pCertContext); if (S_OK == hr) { hr = myVerifyKRACertContext( pCertContext, (CRLF_REVCHECK_IGNORE_OFFLINE & g_dwCRLFlags)? CA_VERIFY_FLAGS_IGNORE_OFFLINE : 0); // check if the CA is using this cert (was able to
// load it last time it started)
if(S_OK==hr) { hr = ERROR_NOT_FOUND; for(dwUsedCount=0; dwUsedCount< g_cKRACerts; dwUsedCount++) { if(CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, pCertContext->pCertInfo, g_rgKRACerts[dwUsedCount]->pCertInfo)) { // the CA is using this KRA cert
hr = S_OK; break; } } } }
CSASSERT(0 == (~0xff & MapHRESULTToKRADisposition(hr))); pb[dwCount] = (BYTE)MapHRESULTToKRADisposition(hr); hr = S_OK; CertFreeCertificateContext(pCertContext); pCertContext = NULL; }
error:
if(NULL != pCertContext) { CertFreeCertificateContext(pCertContext); }
if (NULL != hKRAStore) { CertCloseStore(hKRAStore, CERT_CLOSE_STORE_CHECK_FLAG); }
return hr;}
HRESULTpkcsSetRequestNameInfo( IN ICertDBRow *prow, IN CERT_NAME_BLOB const *pSubject, OPTIONAL IN WCHAR const *pwszCNSuffix, IN OUT DWORD *pdwRequestFlags, OUT BOOL *pfSubjectNameSet){ HRESULT hr; CERT_RDN *prdn; CERT_RDN *prdnEnd; CERT_NAME_INFO *pNameInfo = NULL; WCHAR const *pwszPropName; DWORD cbNameInfo; DWORD dwIndex; DWORD cchMax; BYTE afSubjectTable[CSUBJECTTABLE]; // see PKCSParseAttributes note
SUBJECTTABLE const *pSubjectTable;
*pfSubjectNameSet = FALSE; ZeroMemory(&afSubjectTable, sizeof(afSubjectTable)); CSASSERT(0 == FALSE);
hr = prow->SetProperty( g_wszPropSubjectRawName, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, pSubject->cbData, pSubject->pbData); _JumpIfError(hr, error, "SetProperty");
pkcsSetDistinguishedName(prow, PROPTABLE_REQUEST, pSubject);
if (!myDecodeName( X509_ASN_ENCODING, X509_UNICODE_NAME, pSubject->pbData, pSubject->cbData, CERTLIB_USE_LOCALALLOC, &pNameInfo, &cbNameInfo)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeName"); }
if (ENUM_TELETEX_ON == (ENUM_TELETEX_MASK & g_fForceTeletex)) { *pdwRequestFlags |= CR_FLG_FORCETELETEX; } if (ENUM_TELETEX_UTF8 & g_fForceTeletex) { *pdwRequestFlags |= CR_FLG_FORCEUTF8; }
for ( prdn = pNameInfo->rgRDN, prdnEnd = &prdn[pNameInfo->cRDN]; prdn < prdnEnd; prdn++) { CERT_RDN_ATTR *prdna; CERT_RDN_ATTR *prdnaEnd;
for ( prdna = prdn->rgRDNAttr, prdnaEnd = &prdna[prdn->cRDNAttr]; prdna < prdnaEnd; prdna++) { CSASSERT( prdna->dwValueType == CERT_RDN_PRINTABLE_STRING || prdna->dwValueType == CERT_RDN_UNICODE_STRING || prdna->dwValueType == CERT_RDN_TELETEX_STRING || prdna->dwValueType == CERT_RDN_IA5_STRING || prdna->dwValueType == CERT_RDN_UTF8_STRING);
if (NULL == prdna->Value.pbData || sizeof(WCHAR) > prdna->Value.cbData || L'\0' == *(WCHAR *) prdna->Value.pbData) { continue; }
if (CERT_RDN_TELETEX_STRING == prdna->dwValueType && ENUM_TELETEX_AUTO == (ENUM_TELETEX_MASK & g_fForceTeletex)) { *pdwRequestFlags |= CR_FLG_FORCETELETEX; }
pwszPropName = PKCSMapAttributeName( NULL, prdna->pszObjId, &dwIndex, &cchMax); if (NULL != pwszPropName) { BOOL fCN;
// CAPI null-terminates strings
CSASSERT( sizeof(WCHAR) * wcslen((WCHAR const *) prdna->Value.pbData) == prdna->Value.cbData);
fCN = 0 == strcmp(szOID_COMMON_NAME, prdna->pszObjId);
hr = PropSetAttributeProperty( prow, afSubjectTable[dwIndex], // fConcatenateRDNs
PROPTABLE_REQUEST, cchMax, fCN? pwszCNSuffix : NULL, pwszPropName, (WCHAR const *) prdna->Value.pbData); if (HRESULT_FROM_WIN32(ERROR_BUFFER_OVERFLOW) == hr) { hr = CERTSRV_E_BAD_REQUESTSUBJECT; } _JumpIfError(hr, error, "PropSetAttributeProperty");
afSubjectTable[dwIndex] = TRUE; *pfSubjectNameSet = TRUE;
if (fCN) { pwszCNSuffix = NULL; } } } } hr = S_OK;
error: if (NULL != pNameInfo) { LocalFree(pNameInfo); } return(hr);}
HRESULTPKCSSetRequestFlags( IN ICertDBRow *prow, IN BOOL fSet, IN DWORD dwChange){ HRESULT hr; DWORD dwOld; DWORD dwNew; DWORD cb; cb = sizeof(dwOld); hr = prow->GetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE *) &dwOld); _JumpIfError(hr, error, "GetProperty");
if (fSet) { dwNew = dwOld | dwChange; } else { dwNew = dwOld & ~dwChange; }
if (dwOld != dwNew) { hr = prow->SetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(dwNew), (BYTE const *) &dwNew); _JumpIfError(hr, error, "SetProperty(RequestFlags)"); }
error: return(hr);}
HRESULTpkcsSetAttributeProperty( IN ICertDBRow *prow, IN WCHAR const *pwszName, IN WCHAR const *pwszValue, IN DWORD dwTable, IN BYTE afSubjectTable[], OUT BOOL *pfSubjectModified, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf){ HRESULT hr; WCHAR const *pwszPropName; DWORD dwIndex; DWORD cwcMax; BOOL fConcatenateRDNs;
*pfSubjectModified = FALSE; if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; }
// See if the attribute name can be mapped to a standard property.
pwszPropName = PKCSMapAttributeName(pwszName, NULL, &dwIndex, &cwcMax); if (NULL != pwszPropName) { fConcatenateRDNs = afSubjectTable[dwIndex]; afSubjectTable[dwIndex] = TRUE; *pfSubjectModified = TRUE; } else { pwszPropName = pwszName; cwcMax = MAXDWORD; fConcatenateRDNs = FALSE; dwTable = PROPTABLE_ATTRIBUTE;
if (0 == lstrcmpi(g_wszPropRequesterName, pwszPropName)) { if (NULL == pfEnrollOnBehalfOf) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "NULL pfEnrollOnBehalfOf"); } *pfEnrollOnBehalfOf = TRUE; dwTable = PROPTABLE_REQUEST; } } hr = PropSetAttributeProperty( prow, fConcatenateRDNs, dwTable, cwcMax, NULL, // pwszSuffix
pwszPropName, pwszValue); _JumpIfError(hr, error, "PropSetAttributeProperty");
error: return(hr);}
// Note on Request Attribute and Subject RDN processing:
//
// Subject RDN strings and Request Attributes may be set several ways, in
// the following order. Subsequent changes overwrite earlier changes, so the
// order implies precedence:
//
// - Subject in the inner PKCS10 (if no PKCS10 subject, then use the Subject
// in the PKCS7 renewal cert)
// - the next outer PKCS7 or CMC Attributes
// - ...
// - the most outer PKCS7 or CMC Attributes
// - Request Attribute string passed with the request when first submitted
// - Policy Module may set subject RDNs in the certificate table
// - ICertAdmin::SetAttributes' Request Attribute string (if request pending)
//
// "PKCS7 or CMC Attributes" means either of the following:
// 1) Authenticated Attributes associated with a (non-CMC) PKCS7 signer info.
// 2) Tagged Attributes and/or RegInfo Control Attributes in a CMC request.
//
// None of the secured attributes listed in the registry (which is set to
// wszzDEFAULTSIGNEDATTRIBUTES by default) may be set unless the source is
// PKCS7 or CMC Attributes.
//
// The original request attribute string is stored in the RequestAttributes
// column in the request table. It is never modified after that. Individual
// request attribute values are parsed out of this string (when the request is
// submitted and when ICertAdmin::SetAttributes is called) and stored in a
// Subject RDN column of the request or certificate table if the attribute
// name matches an alias for a Subject RDN, or in a unique row in the
// attribute table otherwise.
//
// Individual Subject RDNs may be specified multiple times (multiple "OU",
// "CN", strings). If all of the RDNs were set from the same source,
// they must be concatenated, but if some RDNs were specified from one source,
// then modified by another source, the previous set of RDNs should be
// overwritten by the new ones. If the original Request Attribute string
// specified "CN:foo\nOU:ou2\nCN:bar", the two CN strings should be
// concatenated. If one or more CN values are also specified later by a
// single call to ICertAdmin::SetAttributes, the original CN values should be
// overwritten by the new value(s).
//
// It is possible to have the CN strings specified by one source and the OU
// strings specified by another.
//
// Before the policy module gets control, all Subject RDN changes are written
// to the Request table. Just before dispatching to the policy module, the
// Request Subject RDNs are copied to the Certificate Table RDNs. The policy
// module may modify the Certificate Table RDNs only.
//
// If the request is made pending, ICertAdmin::SetAttributes may be used to
// modify request attributes and Certificate Table RDNs.
//
// The certificate Subject is constructed from the Certificate Table RDNs.
HRESULTPKCSParseAttributes( IN ICertDBRow *prow, IN WCHAR const *pwszAttributes, IN BOOL fRegInfo, IN DWORD dwRDNTable, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf){ HRESULT hr; WCHAR *pwszDup = NULL; WCHAR *pwszBuf; WCHAR const *pwszName; WCHAR const *pwszValue; WCHAR const *pwszSecuredAttr; BYTE afSubjectTable[CSUBJECTTABLE]; // see PKCSParseAttributes note
WCHAR *pwszNameAlloc = NULL; WCHAR *pwszValueAlloc = NULL; BOOL fSubjectModified = FALSE;
if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; } if (NULL == pwszAttributes) { hr = S_OK; goto error; // silently ignore empty string
}
hr = myDupString(pwszAttributes, &pwszDup); _JumpIfError(hr, error, "myDupString");
pwszBuf = pwszDup;
ZeroMemory(&afSubjectTable, sizeof(afSubjectTable)); CSASSERT(0 == FALSE);
while (TRUE) { hr = myParseNextAttribute(&pwszBuf, fRegInfo, &pwszName, &pwszValue); if (S_FALSE == hr) { break; } _JumpIfError(hr, error, "myParseNextAttribute");
if (fRegInfo) { if (NULL != pwszNameAlloc) { LocalFree(pwszNameAlloc); pwszNameAlloc = NULL; } if (NULL != pwszValueAlloc) { LocalFree(pwszValueAlloc); pwszValueAlloc = NULL; } hr = myUncanonicalizeURLParm(pwszName, &pwszNameAlloc); _JumpIfError(hr, error, "myUncanonicalizeURLParm");
hr = myUncanonicalizeURLParm(pwszValue, &pwszValueAlloc); _JumpIfError(hr, error, "myUncanonicalizeURLParm");
pwszName = pwszNameAlloc; pwszValue = pwszValueAlloc; }
if (!fRegInfo) { // Only set the attribute if it's not one of the attributes
// that is required to be secure.
for (pwszSecuredAttr = g_wszzSecuredAttributes; NULL != pwszSecuredAttr && L'\0' != *pwszSecuredAttr; pwszSecuredAttr += wcslen(pwszSecuredAttr) + 1) { if (0 == lstrcmpi(pwszSecuredAttr, pwszName)) { break; } } }
if (fRegInfo || NULL == pwszSecuredAttr || L'\0' == *pwszSecuredAttr) { BOOL fEnrollOnBehalfOf = FALSE; BOOL fSubjectModifiedT = FALSE;
hr = pkcsSetAttributeProperty( prow, pwszName, pwszValue, dwRDNTable, afSubjectTable, &fSubjectModified, NULL != pfEnrollOnBehalfOf? &fEnrollOnBehalfOf : NULL); _JumpIfError(hr, error, "PKCSSetRequestFlags");
if (fSubjectModifiedT) { fSubjectModified = TRUE; } if (fEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = TRUE; } } } if (fSubjectModified) { hr = PKCSSetRequestFlags(prow, FALSE, CR_FLG_SUBJECTUNMODIFIED); _JumpIfError(hr, error, "PKCSSetRequestFlags"); } hr = S_OK;
error: if (NULL != pwszNameAlloc) { LocalFree(pwszNameAlloc); } if (NULL != pwszValueAlloc) { LocalFree(pwszValueAlloc); } if (NULL != pwszDup) { LocalFree(pwszDup); } return(hr);}
HRESULTpkcsSetAltSubjectNameExtension( IN ICertDBRow *prow, IN DWORD ExtFlags, IN CERT_EXTENSION const *rgExtension, IN DWORD cExtension, IN DWORD cAltSubjectExtension){ HRESULT hr = S_OK; CERT_ALT_NAME_INFO **apInfo = NULL; DWORD i; DWORD j; DWORD cInfo = 0; DWORD cb; CERT_ALT_NAME_INFO ResultInfo; DWORD cbResult; BYTE *pbResult = NULL;
ResultInfo.cAltEntry = 0; ResultInfo.rgAltEntry = NULL;
apInfo = (CERT_ALT_NAME_INFO **) LocalAlloc( LMEM_FIXED, sizeof(CERT_ALT_NAME_INFO *) * cAltSubjectExtension); if (NULL == apInfo) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
// Decode all AltNames
for (i = 0; i < cExtension; i++) { // This is an OID, generated by capi2, so we don't need to
// do a case-insensitive comparison
if (0 == strcmp(rgExtension[i].pszObjId, szOID_SUBJECT_ALT_NAME2)) { CSASSERT(cInfo < cAltSubjectExtension);
// Decode to plain text
if (!myDecodeObject( X509_ASN_ENCODING, X509_ALTERNATE_NAME, rgExtension[i].Value.pbData, rgExtension[i].Value.cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &apInfo[cInfo], &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } if (rgExtension[i].fCritical) { ExtFlags |= EXTENSION_CRITICAL_FLAG; } ResultInfo.cAltEntry += apInfo[cInfo]->cAltEntry; cInfo++; } } CSASSERT(cInfo == cAltSubjectExtension);
ResultInfo.rgAltEntry = (CERT_ALT_NAME_ENTRY *) LocalAlloc( LMEM_FIXED, ResultInfo.cAltEntry * sizeof(CERT_ALT_NAME_ENTRY)); if (NULL == ResultInfo.rgAltEntry) { hr = E_OUTOFMEMORY; _JumpIfError(hr, error, "LocalAlloc"); }
j = 0; for (i = 0; i < cInfo; i++) { CopyMemory( &ResultInfo.rgAltEntry[j], apInfo[i]->rgAltEntry, apInfo[i]->cAltEntry * sizeof(CERT_ALT_NAME_ENTRY)); j += apInfo[i]->cAltEntry; }
if (!myEncodeObject( X509_ASN_ENCODING, X509_ALTERNATE_NAME, &ResultInfo, 0, CERTLIB_USE_LOCALALLOC, &pbResult, &cbResult)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); }
hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_REQUEST, TEXT(szOID_SUBJECT_ALT_NAME2), ExtFlags, cbResult, pbResult); _JumpIfError(hr, error, "PropSetExtension");
error: if (NULL != apInfo) { for (i = 0; i < cInfo; i++) { if (NULL != apInfo[i]) { LocalFree(apInfo[i]); } } LocalFree(apInfo); } if (NULL != ResultInfo.rgAltEntry) { LocalFree(ResultInfo.rgAltEntry); } if (NULL != pbResult) { LocalFree(pbResult); } return(hr);}
// Scan extension array, and merge all the AltSubjectName Extensions into one.
HRESULTpkcsSetExtensions( IN ICertDBRow *prow, IN DWORD ExtFlags, IN CERT_EXTENSION const *rgExtension, IN DWORD cExtension){ HRESULT hr; WCHAR *pwszObjId = NULL; CERT_EXTENSION const *pExt; CERT_EXTENSION const *pExtEnd; DWORD cAltSubjectExtension = 0;
pExtEnd = &rgExtension[cExtension]; for (pExt = rgExtension; pExt < pExtEnd; pExt++) { DWORD ExtFlagsT;
if (EXTENSION_ORIGIN_RENEWALCERT == (EXTENSION_ORIGIN_MASK & ExtFlags)) { char const * const *ppszObjId; static char const * const apszObjIdFilter[] = { szOID_CERTSRV_CA_VERSION, szOID_AUTHORITY_INFO_ACCESS, szOID_CRL_DIST_POINTS, szOID_AUTHORITY_KEY_IDENTIFIER2, szOID_SUBJECT_KEY_IDENTIFIER, NULL }; for (ppszObjId = apszObjIdFilter; NULL != *ppszObjId; ppszObjId++) { if (0 == strcmp(*ppszObjId, pExt->pszObjId)) { break; } } if (NULL != *ppszObjId) { continue; // skip this extension
} }
if (NULL != pwszObjId) { LocalFree(pwszObjId); pwszObjId = NULL; } if (!ConvertSzToWsz(&pwszObjId, pExt->pszObjId, -1)) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "ConvertSzToWsz(ObjId)"); } ExtFlagsT = ExtFlags; if (pExt->fCritical) { ExtFlagsT |= EXTENSION_CRITICAL_FLAG; }
// AltSubjectName needs to be merged, so we do that later.
// This is an OID, generated by capi2, so we don't need to
// do a case-insensitive comparison.
if (0 == lstrcmp(pwszObjId, TEXT(szOID_SUBJECT_ALT_NAME2))) { cAltSubjectExtension++; continue; }
hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_REQUEST, pwszObjId, ExtFlagsT, pExt->Value.cbData, pExt->Value.pbData); _JumpIfError(hr, error, "PropSetExtension");
DBGPRINT(( DBG_SS_CERTSRVI, "PropSetExtension(%ws, f=%x, cb=%x, pb=%x)\n", pwszObjId, ExtFlagsT, pExt->Value.cbData, pExt->Value.pbData)); }
if (0 != cAltSubjectExtension) { hr = pkcsSetAltSubjectNameExtension( prow, ExtFlags, rgExtension, cExtension, cAltSubjectExtension); _JumpIfError(hr, error, "pkcsSetAltSubjectNameExtension"); } hr = S_OK;
error: if (NULL != pwszObjId) { LocalFree(pwszObjId); } return(hr);}
HRESULTpkcsSetOSVersion( IN ICertDBRow *prow, IN CRYPT_ATTR_BLOB *pAttrBlob){ HRESULT hr; CERT_NAME_VALUE *pOSVersionString = NULL; BSTR strVersion = NULL; DWORD cb;
if (!myDecodeObject( X509_ASN_ENCODING, X509_ANY_STRING, pAttrBlob->pbData, pAttrBlob->cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pOSVersionString, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } if (NULL != pOSVersionString) { if (!IS_CERT_RDN_CHAR_STRING(pOSVersionString->dwValueType)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "version string is numeric data"); }
// If it's an 8 bit string, convert it to UNICODE
if (CERT_RDN_UNIVERSAL_STRING > pOSVersionString->dwValueType) { // Pass byte count in to allocate enough characters for
// the converted Unicode string
strVersion = SysAllocStringLen( NULL, pOSVersionString->Value.cbData);
// This is expected to be only numbers and '.'s,
if (NULL == strVersion) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "SysAllocStringLen"); } mbstowcs( strVersion, (char const *) pOSVersionString->Value.pbData, pOSVersionString->Value.cbData); } else if (CERT_RDN_BMP_STRING == pOSVersionString->dwValueType || CERT_RDN_UNICODE_STRING == pOSVersionString->dwValueType) { strVersion = SysAllocStringLen( (WCHAR *) pOSVersionString->Value.pbData, pOSVersionString->Value.cbData/sizeof(WCHAR)); if (NULL == strVersion) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "SysAllocStringLen"); } } else { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "unknown string type"); }
hr = prow->SetProperty( g_wszPropRequestOSVersion, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_ATTRIBUTE, SysStringByteLen(strVersion), (BYTE *) strVersion); _JumpIfError(hr, error, "SetProperty"); } hr = S_OK;
error: if (NULL != strVersion) { SysFreeString(strVersion); } if (NULL != pOSVersionString) { LocalFree(pOSVersionString); } return(hr);}
HRESULTpkcsSetCSPProvider( IN ICertDBRow *prow, IN CRYPT_ATTR_BLOB *pAttrBlob){ HRESULT hr; CRYPT_CSP_PROVIDER *pccp = NULL;
hr = myDecodeCSPProviderAttribute( pAttrBlob->pbData, pAttrBlob->cbData, &pccp); _JumpIfError(hr, error, "myDecodeCSPProviderAttribute");
if (NULL != pccp->pwszProviderName && L'\0' != *pccp->pwszProviderName) { hr = prow->SetProperty( g_wszPropRequestCSPProvider, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_ATTRIBUTE, MAXDWORD, (BYTE const *) pccp->pwszProviderName); _JumpIfError(hr, error, "SetProperty"); } hr = S_OK;
error: if (NULL != pccp) { LocalFree(pccp); } return(hr);}
HRESULTpkcsSetExtensionsFromAttributeBlob( IN ICertDBRow *prow, IN DWORD ExtFlags, IN CRYPT_ATTRIBUTE const *pAttrib){ HRESULT hr; CRYPT_ATTR_BLOB *pAttrBlob; CERT_NAME_VALUE *pNameInfo = NULL; CERT_EXTENSIONS *pCertExtensions = NULL; DWORD cb;
pAttrBlob = pAttrib->rgValue; while (TRUE) { if (NULL != pCertExtensions) { LocalFree(pCertExtensions); pCertExtensions = NULL; } if (myDecodeObject( X509_ASN_ENCODING, X509_EXTENSIONS, pAttrBlob->pbData, pAttrBlob->cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pCertExtensions, &cb)) { break; // success
} hr = myHLastError();
// if we already decoded the attribute as a T61 string, or if it is
// not a PKCS 9.14 attribute, fail -- we don't know what it contains.
if (NULL != pNameInfo || 0 != strcmp(pAttrib->pszObjId, szOID_RSA_certExtensions)) { _JumpError(hr, error, "myDecodeObject"); }
// Decode the attribute as a T61 string. Some implementations wrap the
// PKCS 9.14 extension array in an extra level of encoding as a Teletex
// string.
if (!myDecodeObject( X509_ASN_ENCODING, X509_ANY_STRING, pAttrBlob->pbData, pAttrBlob->cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pNameInfo, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
// Loop again and try to decode the raw name blob as X509_EXTENSIONS.
pAttrBlob = &pNameInfo->Value; } hr = pkcsSetExtensions( prow, EXTENSION_DISABLE_FLAG | ExtFlags, pCertExtensions->rgExtension, pCertExtensions->cExtension); _JumpIfError(hr, error, "pkcsSetExtensions(attributes)");
error: if (NULL != pNameInfo) { LocalFree(pNameInfo); } if (NULL != pCertExtensions) { LocalFree(pCertExtensions); } return(hr);}
HRESULTPKCSGetProperty( IN ICertDBRow *prow, IN WCHAR const *pwszPropName, IN DWORD Flags, OPTIONAL OUT DWORD *pcbData, OUT BYTE **ppbData){ HRESULT hr; BYTE *pbData = NULL; DWORD cbData;
if (NULL != pcbData) { *pcbData = 0; } *ppbData = NULL;
cbData = 0; hr = prow->GetProperty(pwszPropName, Flags, &cbData, pbData); _JumpIfError2(hr, error, "GetProperty", CERTSRV_E_PROPERTY_EMPTY);
pbData = (BYTE *) LocalAlloc(LMEM_FIXED, cbData); if (NULL == pbData) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } hr = prow->GetProperty(pwszPropName, Flags, &cbData, pbData); _JumpIfError(hr, error, "GetProperty");
if (NULL != pcbData) { *pcbData = cbData; } *ppbData = pbData; pbData = NULL;
error: if (NULL != pbData) { LocalFree(pbData); } return(hr);}
VOIDpkcsFreePublicKeyInfo( IN OUT CERT_PUBLIC_KEY_INFO *pPublicKeyInfo){ if (NULL != pPublicKeyInfo->Algorithm.pszObjId) { LocalFree(pPublicKeyInfo->Algorithm.pszObjId); } if (NULL != pPublicKeyInfo->Algorithm.Parameters.pbData) { LocalFree(pPublicKeyInfo->Algorithm.Parameters.pbData); } if (NULL != pPublicKeyInfo->PublicKey.pbData) { LocalFree(pPublicKeyInfo->PublicKey.pbData); } ZeroMemory(pPublicKeyInfo, sizeof(*pPublicKeyInfo));}
HRESULTpkcsGetPublicKeyInfo( IN ICertDBRow *prow, OUT CERT_PUBLIC_KEY_INFO *pPublicKeyInfo){ HRESULT hr; WCHAR *pwszObjId = NULL;
ZeroMemory(pPublicKeyInfo, sizeof(*pPublicKeyInfo)); hr = PKCSGetProperty( prow, g_wszPropCertificatePublicKeyAlgorithm, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, NULL, (BYTE **) &pwszObjId); _JumpIfError(hr, error, "PKCSGetProperty");
if (!ConvertWszToSz(&pPublicKeyInfo->Algorithm.pszObjId, pwszObjId, -1)) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "ConvertWszToSz(AlgObjId)"); }
hr = PKCSGetProperty( prow, g_wszPropCertificateRawPublicKeyAlgorithmParameters, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &pPublicKeyInfo->Algorithm.Parameters.cbData, &pPublicKeyInfo->Algorithm.Parameters.pbData); if (CERTSRV_E_PROPERTY_EMPTY != hr) { _JumpIfError(hr, error, "PKCSGetProperty"); }
hr = PKCSGetProperty( prow, g_wszPropCertificateRawPublicKey, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &pPublicKeyInfo->PublicKey.cbData, &pPublicKeyInfo->PublicKey.pbData); _JumpIfError(hr, error, "PKCSGetProperty");
error: if (S_OK != hr) { pkcsFreePublicKeyInfo(pPublicKeyInfo); } if (NULL != pwszObjId) { LocalFree(pwszObjId); } return(hr);}
HRESULTpkcsEncryptPrivateKey( IN BYTE *pbDecrypted, IN DWORD cbDecrypted, OUT BYTE **ppbEncrypted, OUT DWORD *pcbEncrypted, OUT WCHAR **ppwszKRAHashes){ HRESULT hr; DWORD i; DWORD iKRACert; DWORD cwc; WCHAR *pwszKRAHashes = NULL; CERT_CONTEXT const **rgKRACerts = NULL; static bool fUseCAProv = true;
*ppbEncrypted = NULL; *ppwszKRAHashes = NULL;
CSASSERT( NULL != g_rgKRACerts && 0 != g_cKRACerts && 0 != g_cKRACertsRoundRobin && NULL != g_rgstrKRAHashes);
for (cwc = 0, i = 0; i < g_cKRACertsRoundRobin; i++) { iKRACert = (g_iKRACerts + i) % g_cKRACerts; cwc += wcslen(g_rgstrKRAHashes[iKRACert]) + 1; } pwszKRAHashes = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR)); if (NULL == pwszKRAHashes) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
rgKRACerts = (CERT_CONTEXT const **) LocalAlloc( LMEM_FIXED, g_cKRACertsRoundRobin * sizeof(rgKRACerts[0])); if (NULL == rgKRACerts) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
pwszKRAHashes[0] = L'\0'; for (i = 0; i < g_cKRACertsRoundRobin; i++) { iKRACert = (g_iKRACerts + i) % g_cKRACerts; rgKRACerts[i] = g_rgKRACerts[iKRACert]; if (0 != i) { wcscat(pwszKRAHashes, L"\n"); } wcscat(pwszKRAHashes, g_rgstrKRAHashes[iKRACert]); } CSASSERT(wcslen(pwszKRAHashes) + 1 == cwc);
hr = myCryptEncryptMessage( CALG_3DES, g_cKRACertsRoundRobin, // cCertRecipient
rgKRACerts, // rgCertRecipient
pbDecrypted, cbDecrypted, fUseCAProv? g_pCAContextCurrent->hProvCA : NULL, ppbEncrypted, pcbEncrypted); if (FAILED(hr) && fUseCAProv) { // Failed to use the CA HCRYPTPROV, fall back to
// default
fUseCAProv = false; hr = myCryptEncryptMessage( CALG_3DES, g_cKRACertsRoundRobin, // cCertRecipient
rgKRACerts, // rgCertRecipient
pbDecrypted, cbDecrypted, NULL, ppbEncrypted, pcbEncrypted); } _JumpIfError(hr, error, "myCryptEncryptMessage");
*ppwszKRAHashes = pwszKRAHashes; pwszKRAHashes = NULL;
error: if (NULL != pwszKRAHashes) { LocalFree(pwszKRAHashes); } if (NULL != rgKRACerts) { LocalFree(rgKRACerts); } return(hr);}
HRESULTPKCSArchivePrivateKey( IN ICertDBRow *prow, IN BOOL fV1Cert, IN BOOL fOverwrite, IN CRYPT_ATTR_BLOB const *pBlobEncrypted, OPTIONAL IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; BYTE *pbDecrypted = NULL; DWORD cbDecrypted; BYTE *pbEncrypted = NULL; DWORD cbEncrypted; DWORD iCertSig; BYTE *pbCert; // do not free!
DWORD cbCert; WCHAR *pwszKRAHashes = NULL; CERT_PUBLIC_KEY_INFO PublicKeyInfo; WCHAR *pwszUserName = NULL; DWORD cb; BYTE *pbKeyHash = NULL; DWORD cbKeyHash;
ZeroMemory(&PublicKeyInfo, sizeof(PublicKeyInfo));
if (0 == g_cKRACerts) { if (0 == g_cKRAHashes) { hr = CERTSRV_E_KEY_ARCHIVAL_NOT_CONFIGURED; } else { hr = CERTSRV_E_NO_VALID_KRA; } _JumpError(hr, error, "no KRA encryption certs"); }
if (NULL != pResult) { if (NULL == pResult->pbKeyHashIn) { if (0 == (CRLF_ACCEPT_OLDRFC_CMC & g_dwCRLFlags)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "missing encrypted key hash"); } } else { hr = myCalculateKeyArchivalHash( pBlobEncrypted->pbData, pBlobEncrypted->cbData, &pbKeyHash, &cbKeyHash); _JumpIfError(hr, error, "myCalculateKeyArchivalHash");
if (pResult->cbKeyHashIn != cbKeyHash || 0 != memcmp(pResult->pbKeyHashIn, pbKeyHash, cbKeyHash)) { hr = S_OK; _JumpError(S_FALSE, error, "Ignoring key: hash mismatch"); } } } hr = prow->GetProperty( g_wszPropRequestRawArchivedKey, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, NULL); if (CERTSRV_E_PROPERTY_EMPTY != hr) { if (S_OK == hr && !fOverwrite) { hr = HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS); } _JumpIfError2( hr, error, "GetProperty", HRESULT_FROM_WIN32(ERROR_OBJECT_ALREADY_EXISTS)); }
hr = PKCSGetProperty( prow, g_wszPropRequesterName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, NULL, (BYTE **) &pwszUserName); _JumpIfError(hr, error, "PKCSGetProperty");
if (NULL == g_hStoreCAXchg) { hr = PKCSGetCAXchgCert(0, pwszUserName, &iCertSig, &pbCert, &cbCert); _JumpIfError(hr, error, "PKCSGetCAXchgCert"); } CSASSERT(NULL != g_hStoreCAXchg); hr = myCryptDecryptMessage( g_hStoreCAXchg, pBlobEncrypted->pbData, pBlobEncrypted->cbData, CERTLIB_USE_LOCALALLOC, &pbDecrypted, &cbDecrypted); _JumpIfError(hr, error, "myCryptDecryptMessage");
DBGDUMPHEX((DBG_SS_CERTSRVI, 0, pbDecrypted, cbDecrypted));
hr = pkcsGetPublicKeyInfo(prow, &PublicKeyInfo); _JumpIfError(hr, error, "pkcsGetPublicKeyInfo");
hr = myValidateKeyBlob( pbDecrypted, cbDecrypted, &PublicKeyInfo, fV1Cert, NULL); _JumpIfError(hr, error, "myValidateKeyBlob");
hr = pkcsEncryptPrivateKey( pbDecrypted, cbDecrypted, &pbEncrypted, &cbEncrypted, &pwszKRAHashes); _JumpIfError(hr, error, "pkcsEncryptPrivateKey");
hr = prow->SetProperty( g_wszPropRequestRawArchivedKey, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, cbEncrypted, pbEncrypted); _JumpIfError(hr, error, "PKCSArchivePrivateKey:SetProperty");
hr = prow->SetProperty( g_wszPropRequestKeyRecoveryHashes, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, MAXDWORD, (BYTE const *) pwszKRAHashes); _JumpIfError(hr, error, "SetProperty");
if (NULL != pResult && NULL == pResult->pbKeyHashOut) { pResult->pbKeyHashOut = pbKeyHash; pResult->cbKeyHashOut = cbKeyHash; pbKeyHash = NULL; }
{ CertSrv::CAuditEvent audit(SE_AUDITID_CERTSRV_KEYARCHIVED, g_dwAuditFilter); DWORD dwRequestID = 0; DWORD cb = sizeof(DWORD);
if (audit.IsEventEnabled()) { hr = prow->GetProperty( g_wszPropRequestRequestID, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE *)&dwRequestID); _JumpIfError(hr, error, "Report");
hr = audit.AddData(dwRequestID); // %1 request ID
_JumpIfError(hr, error, "CAuditEvent::AddData");
hr = audit.AddData(pwszUserName); // %2 requester
_JumpIfError(hr, error, "CAuditEvent::AddData");
hr = audit.AddData(pwszKRAHashes);// %3 KRA hashes
_JumpIfError(hr, error, "CAuditEvent::AddData");
hr = audit.Report(); _JumpIfError(hr, error, "Report"); } }
error: pkcsFreePublicKeyInfo(&PublicKeyInfo); if (NULL != pbDecrypted) { ZeroMemory(pbDecrypted, cbDecrypted); // Private Key Material!
LocalFree(pbDecrypted); } if (NULL != pbEncrypted) { LocalFree(pbEncrypted); } if (NULL != pwszKRAHashes) { LocalFree(pwszKRAHashes); } if (NULL != pwszUserName) { LocalFree(pwszUserName); } if (NULL != pbKeyHash) { LocalFree(pbKeyHash); } return(hr);}
HRESULTpkcsSaveRequestWithoutArchivedKey( IN ICertDBRow *prow, IN DWORD cbIn, IN BYTE const *pbIn){ HRESULT hr; HCRYPTMSG hMsg = NULL; DWORD cSigner; DWORD iSigner; DWORD i; DWORD cb; BYTE *pbWithoutKey = NULL; DWORD cbWithoutKey; CRYPT_ATTRIBUTES *pAttrib = NULL; BOOL fKeyDeleted = FALSE;
hMsg = CryptMsgOpenToDecode( PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, // dwFlags
0, // dwMsgType
NULL, // hCryptProv
NULL, // pRecipientInfo
NULL); // pStreamInfo
if (NULL == hMsg) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgOpenToDecode"); }
if (!CryptMsgUpdate(hMsg, pbIn, cbIn, TRUE)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgUpdate"); }
cb = sizeof(cSigner); if (!CryptMsgGetParam( hMsg, CMSG_SIGNER_COUNT_PARAM, 0, &cSigner, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgGetParam(signer count)"); }
DBGPRINT((DBG_SS_CERTSRV, "cSigner=%u\n", cSigner));
for (iSigner = 0; iSigner < cSigner; iSigner++) { hr = myCryptMsgGetParam( hMsg, CMSG_SIGNER_UNAUTH_ATTR_PARAM, iSigner, // dwIndex
CERTLIB_USE_LOCALALLOC, (VOID **) &pAttrib, &cb); _PrintIfError2(hr, "myCryptMsgGetParam(content)", hr); if (S_FALSE == hr) { continue; } _JumpIfError(hr, error, "myCryptMsgGetParam(content)");
DBGPRINT(( DBG_SS_CERTSRV, "iSigner=%u, cAttr=%u\n", iSigner, pAttrib->cAttr));
// Loop through deleting attributes from the end to avoid invalidated
// indexes, which may result from deleting earlier attributes.
for (i = 0; i < pAttrib->cAttr; i++) { CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA DelPara; DWORD iAttr = pAttrib->cAttr - i - 1;
DBGPRINT(( DBG_SS_CERTSRV, "iSigner=%u, iAttr=%u %hs\n", iSigner, iAttr, pAttrib->rgAttr[iAttr].pszObjId)); if (0 == strcmp( pAttrib->rgAttr[iAttr].pszObjId, szOID_ARCHIVED_KEY_ATTR)) { ZeroMemory(&DelPara, sizeof(DelPara)); DelPara.cbSize = sizeof(DelPara); DelPara.dwSignerIndex = iSigner; DelPara.dwUnauthAttrIndex = iAttr;
DBGPRINT(( DBG_SS_CERTSRV, "Delete Key(signer=%u, attrib=%u)\n", DelPara.dwSignerIndex, DelPara.dwUnauthAttrIndex));
if (!CryptMsgControl( hMsg, 0, CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR, &DelPara)) { hr = myHLastError(); _PrintError(hr, "CryptMsgControl"); } fKeyDeleted = TRUE; } } LocalFree(pAttrib); pAttrib = NULL; } if (!fKeyDeleted) { hr = S_FALSE; _JumpError(hr, error, "no Encrypted Key attribute"); }
hr = myCryptMsgGetParam( hMsg, CMSG_ENCODED_MESSAGE, 0, // dwIndex
CERTLIB_USE_LOCALALLOC, (VOID **) &pbWithoutKey, &cbWithoutKey); _JumpIfError(hr, error, "myCryptMsgGetParam(content)");
hr = prow->SetProperty( g_wszPropRequestRawRequest, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, cbWithoutKey, pbWithoutKey); _JumpIfError(hr, error, "SetProperty(request)");
error: if (NULL != pAttrib) { LocalFree(pAttrib); } if (NULL != pbWithoutKey) { LocalFree(pbWithoutKey); } if (NULL != hMsg) { CryptMsgClose(hMsg); } return(hr);}
#define PSA_DISALLOW_EXTENSIONS 0x00000001
#define PSA_DISALLOW_NAMEVALUEPAIRS 0x00000002
#define PSA_DISALLOW_ARCHIVEDKEY 0x00000004
HRESULTpkcsSetAttributes( IN ICertDBRow *prow, IN DWORD ExtFlags, IN DWORD dwDisallowFlags, IN CRYPT_ATTRIBUTE const *rgAttrib, IN DWORD cAttrib, IN DWORD cbRequest, OPTIONAL IN BYTE const *pbRequest, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; CRYPT_ATTRIBUTE const *pAttrib; CRYPT_ATTRIBUTE const *pAttribEnd; DWORD i; BYTE afSubjectTable[CSUBJECTTABLE]; // see PKCSParseAttributes note
CRYPT_DATA_BLOB *pBlob = NULL; BOOL fSubjectModified = FALSE;
ZeroMemory(&afSubjectTable, sizeof(afSubjectTable)); CSASSERT(0 == FALSE);
if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; }
pAttribEnd = &rgAttrib[cAttrib]; for (pAttrib = rgAttrib; pAttrib < pAttribEnd; pAttrib++) { if (0 == strcmp(pAttrib->pszObjId, szOID_OS_VERSION)) { if (1 != pAttrib->cValue) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Attribute Value count != 1"); } hr = pkcsSetOSVersion(prow, pAttrib->rgValue); _JumpIfError(hr, error, "pkcsSetOSVersion"); } else if (0 == strcmp(pAttrib->pszObjId, szOID_ENROLLMENT_CSP_PROVIDER)) { // Check to see if we have a CSPPROVIDER attribute. We use this in
// the policy module to determine if xenroll generated the request,
// so we can behave differently for old xenroll requests (put the
// UPN in the subject to avoid enrollment loops)
if (1 != pAttrib->cValue) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Attribute Value count != 1"); } hr = pkcsSetCSPProvider(prow, pAttrib->rgValue); _JumpIfError(hr, error, "pkcsSetCSPProvider"); } else if (0 == strcmp(pAttrib->pszObjId, szOID_ENCRYPTED_KEY_HASH)) { DWORD cb; if (NULL != pResult->pbKeyHashIn || NULL != pBlob) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Multiple key hashes"); } if (1 != pAttrib->cValue) { _JumpError(hr, error, "Attribute Value count != 1"); } if (!myDecodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, pAttrib->rgValue[0].pbData, pAttrib->rgValue[0].cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pBlob, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } pResult->pbKeyHashIn = (BYTE *) LocalAlloc( LMEM_FIXED, pBlob->cbData); if (NULL == pResult->pbKeyHashIn) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } CopyMemory(pResult->pbKeyHashIn, pBlob->pbData, pBlob->cbData); pResult->cbKeyHashIn = pBlob->cbData; } else if (0 == strcmp(pAttrib->pszObjId, szOID_ARCHIVED_KEY_ATTR)) { // Pull encrypted private key out of the attribute for archival.
//
// Save request in database without private key now, to keep the
// error path from saving the request later *with* the key.
if (NULL != pbRequest) { hr = pkcsSaveRequestWithoutArchivedKey( prow, cbRequest, pbRequest); _PrintIfError(hr, "pkcsSaveRequestWithoutArchivedKey"); if (S_OK == hr) { pResult->fKeyArchived = TRUE; } }
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); if (PSA_DISALLOW_ARCHIVEDKEY & dwDisallowFlags) { hr = CERTSRV_E_BAD_REQUEST_KEY_ARCHIVAL; _JumpError(hr, error, "archived key disallowed"); } if (1 != pAttrib->cValue) { _JumpError(hr, error, "Attribute Value count != 1"); } hr = PKCSArchivePrivateKey( prow, FALSE, FALSE, &pAttrib->rgValue[0], pResult); _JumpIfError(hr, error, "PKCSArchivePrivateKey"); } else if (0 == strcmp(pAttrib->pszObjId, szOID_CERT_EXTENSIONS) || 0 == strcmp(pAttrib->pszObjId, szOID_RSA_certExtensions)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); if (PSA_DISALLOW_EXTENSIONS & dwDisallowFlags) { _JumpError(hr, error, "extensions disallowed"); } if (1 != pAttrib->cValue) { _JumpError(hr, error, "Attribute Value count != 1"); } hr = pkcsSetExtensionsFromAttributeBlob( prow, ExtFlags, pAttrib); _JumpIfError(hr, error, "pkcsSetExtensionsFromAttributeBlob"); } else if (0 == strcmp(pAttrib->pszObjId, szOID_ENROLLMENT_NAME_VALUE_PAIR)) { // Can't apply name value pair attributes to a renewal or CMC
if (PSA_DISALLOW_NAMEVALUEPAIRS & dwDisallowFlags) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "name/value pairs disallowed"); }
for (i = 0; i < pAttrib->cValue; i++) { CRYPT_ENROLLMENT_NAME_VALUE_PAIR *pInfo = NULL; DWORD cbInfo = 0; CRYPT_ATTR_BLOB const *pvalue = &pAttrib->rgValue[i];
WCHAR const *pwszPropName; BOOL fConcatenateRDNs; DWORD dwIndex; DWORD cchMax; DWORD dwTable;
if (!myDecodeNameValuePair( X509_ASN_ENCODING, pvalue->pbData, pvalue->cbData, CERTLIB_USE_LOCALALLOC, &pInfo, &cbInfo)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "myDecodeNameValuePair");
// if the attribute name & value are both non-empty ...
}
BOOL fEnrollOnBehalfOf = FALSE; BOOL fSubjectModifiedT = FALSE;
hr = pkcsSetAttributeProperty( prow, pInfo->pwszName, pInfo->pwszValue, PROPTABLE_REQUEST, afSubjectTable, &fSubjectModified, NULL != pfEnrollOnBehalfOf? &fEnrollOnBehalfOf : NULL); if (fSubjectModifiedT) { fSubjectModified = TRUE; } if (fEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = TRUE; } if (NULL != pInfo) { LocalFree(pInfo); } _JumpIfError(hr, error, "pkcsSetAttributeProperty"); } } else { DBGPRINT(( DBG_SS_CERTSRVI, "Skipping authenticated attribute %hs\n", pAttrib->pszObjId)); } } if (fSubjectModified) { hr = PKCSSetRequestFlags(prow, FALSE, CR_FLG_SUBJECTUNMODIFIED); _JumpIfError(hr, error, "PKCSSetRequestFlags"); } hr = S_OK;
error: if (NULL != pBlob) { LocalFree(pBlob); } return(hr);}
HRESULTpkcsVerifyCertContext( OPTIONAL IN FILETIME const *pft, IN BOOL fTimeOnly, IN CERT_CONTEXT const *pcc){ HRESULT hr; FILETIME ft;
if (NULL == pft) { GetSystemTimeAsFileTime(&ft); pft = &ft; } if (0 > CompareFileTime(pft, &pcc->pCertInfo->NotBefore)) { hr = CERT_E_EXPIRED; _JumpError(hr, error, "cert not yet valid"); } if (0 < CompareFileTime(pft, &pcc->pCertInfo->NotAfter)) { hr = CERT_E_EXPIRED; _JumpError(hr, error, "cert is expired"); } if (!fTimeOnly) { hr = myVerifyCertContext( pcc, // pCert
(CRLF_REVCHECK_IGNORE_OFFLINE & g_dwCRLFlags)? CA_VERIFY_FLAGS_IGNORE_OFFLINE : 0, // dwFlags
0, // cUsageOids
NULL, // apszUsageOids
HCCE_LOCAL_MACHINE, // hChainEngine
NULL, // hAdditionalStore
NULL); // ppwszMissingIssuer
_JumpIfError(hr, error, "myVerifyCertContext"); } hr = S_OK;
error: return(hr);}
HRESULTpkcsSetValidityPeriod( IN ICertDBRow *prow, IN LONG lValidityPeriodCount, IN enum ENUM_PERIOD enumValidityPeriod){ HRESULT hr; FILETIME ftNotBefore; FILETIME ftNotAfter; LONGLONG delta; CACTX *pCAContext = g_pCAContextCurrent;
GetSystemTimeAsFileTime(&ftNotBefore);
hr = pkcsVerifyCertContext(&ftNotBefore, TRUE, pCAContext->pccCA); _JumpIfErrorStr(hr, error, "pkcsVerifyCertContext", L"CA cert expired");
ftNotAfter = ftNotBefore;
// Set the start date to the current time minus clock skew. But ensure the
// new cert's start date is not before the CA certificate's start date.
delta = g_dwClockSkewMinutes * CVT_MINUTES; myAddToFileTime(&ftNotBefore, -delta * CVT_BASE);
if (0 > CompareFileTime( &ftNotBefore, &pCAContext->pccCA->pCertInfo->NotBefore)) { ftNotBefore = pCAContext->pccCA->pCertInfo->NotBefore; }
hr = prow->SetProperty( g_wszPropCertificateNotBeforeDate, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(ftNotBefore), (BYTE *) &ftNotBefore); _JumpIfError(hr, error, "pkcsSetValidityPeriod:SetProperty");
// Set the end date to the start date plus the registry-configured
// validity period. Then clamp the new cert's end date to the CA
// certificate's end date.
myMakeExprDateTime(&ftNotAfter, lValidityPeriodCount, enumValidityPeriod);
if (0 < CompareFileTime( &ftNotAfter, &pCAContext->pccCA->pCertInfo->NotAfter)) { ftNotAfter = pCAContext->pccCA->pCertInfo->NotAfter; }
hr = prow->SetProperty( g_wszPropCertificateNotAfterDate, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(ftNotAfter), (BYTE *) &ftNotAfter); _JumpIfError(hr, error, "pkcsSetValidityPeriod:SetProperty");
error: return(hr);}
HRESULTpkcsSetServerExtension( IN ICertDBRow *prow, IN WCHAR const *pwszObjId, IN DWORD cbExt, IN BYTE const *pbExt){ HRESULT hr; BYTE *pbOld = NULL; DWORD cbOld; DWORD ExtFlags;
ExtFlags = 0; if (NULL == pbExt) { CSASSERT(0 == cbExt);
hr = PropGetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, pwszObjId, &ExtFlags, &cbOld, &pbOld); if (S_OK != hr) { ExtFlags = 0; } if (CERTSRV_E_PROPERTY_EMPTY != hr) { ExtFlags |= EXTENSION_DISABLE_FLAG; } } if (NULL != pbExt || (EXTENSION_DISABLE_FLAG & ExtFlags)) { ExtFlags &= ~EXTENSION_ORIGIN_MASK; ExtFlags |= EXTENSION_ORIGIN_SERVER; hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, pwszObjId, ExtFlags, cbExt, pbExt); _JumpIfError(hr, error, "PropSetExtension"); } hr = S_OK;
error: if (NULL != pbOld) { LocalFree(pbOld); } return(hr);}
HRESULTPKCSSetServerProperties( IN ICertDBRow *prow, IN LONG lValidityPeriodCount, IN enum ENUM_PERIOD enumValidityPeriod){ HRESULT hr; CACTX *pCAContext = g_pCAContextCurrent;
hr = pkcsSetServerExtension( prow, TEXT(szOID_AUTHORITY_KEY_IDENTIFIER2), pCAContext->KeyAuthority2Cert.cbData, pCAContext->KeyAuthority2Cert.pbData); _JumpIfError(hr, error, "pkcsSetServerExtension");
hr = pkcsSetServerExtension( prow, TEXT(szOID_CRL_DIST_POINTS), pCAContext->CDPCert.cbData, pCAContext->CDPCert.pbData); _JumpIfError(hr, error, "pkcsSetServerExtension");
hr = pkcsSetServerExtension( prow, TEXT(szOID_AUTHORITY_INFO_ACCESS), pCAContext->AIACert.cbData, pCAContext->AIACert.pbData); _JumpIfError(hr, error, "pkcsSetServerExtension");
hr = pkcsSetValidityPeriod(prow, lValidityPeriodCount, enumValidityPeriod); _JumpIfError(hr, error, "pkcsSetValidityPeriod");
error: return(hr);}
HRESULTpkcsSetPublicKeyProperties( IN ICertDBRow *prow, IN CERT_PUBLIC_KEY_INFO const *pSubjectPublicKeyInfo){ HRESULT hr; WCHAR *pwszExtensionName; WCHAR *pwszObjId = NULL; CACTX *pCAContext = g_pCAContextCurrent; CERT_EXTENSION ext; DWORD ExtFlags; DWORD dwCaller; DWORD cbitKey;
ext.Value.pbData = NULL;
// Public Key size must be a multiple of 8 bits.
if (0 != pSubjectPublicKeyInfo->PublicKey.cUnusedBits) { hr = NTE_BAD_KEY; _JumpError(hr, error, "PublicKey.cUnusedBits"); } hr = prow->SetProperty( g_wszPropCertificateRawPublicKey, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, pSubjectPublicKeyInfo->PublicKey.cbData, pSubjectPublicKeyInfo->PublicKey.pbData); _JumpIfError(hr, error, "SetProperty");
cbitKey = CertGetPublicKeyLength( X509_ASN_ENCODING, const_cast<CERT_PUBLIC_KEY_INFO *>(pSubjectPublicKeyInfo)); hr = prow->SetProperty( g_wszPropCertificatePublicKeyLength, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(cbitKey), (BYTE const *) &cbitKey); _JumpIfError(hr, error, "SetProperty(KeyLength)");
if (!ConvertSzToWsz( &pwszObjId, pSubjectPublicKeyInfo->Algorithm.pszObjId, -1)) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "ConvertSzToWsz(AlgObjId)"); } hr = prow->SetProperty( g_wszPropCertificatePublicKeyAlgorithm, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE const *) pwszObjId); _JumpIfError(hr, error, "SetProperty");
if (NULL != pSubjectPublicKeyInfo->Algorithm.Parameters.pbData) { hr = prow->SetProperty( g_wszPropCertificateRawPublicKeyAlgorithmParameters, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, pSubjectPublicKeyInfo->Algorithm.Parameters.cbData, pSubjectPublicKeyInfo->Algorithm.Parameters.pbData); _JumpIfError(hr, error, "SetProperty"); }
// Subject Key Identifier extension:
hr = PropGetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, TEXT(szOID_SUBJECT_KEY_IDENTIFIER), &ExtFlags, &ext.Value.cbData, &ext.Value.pbData); if (CERTSRV_E_PROPERTY_EMPTY != hr) { _JumpIfError(hr, error, "PropGetExtension");
dwCaller = PROPCALLER_REQUEST; ExtFlags &= ~EXTENSION_DISABLE_FLAG; } else { dwCaller = PROPCALLER_SERVER; ExtFlags = EXTENSION_ORIGIN_SERVER;
hr = myCreateSubjectKeyIdentifierExtension( pSubjectPublicKeyInfo, &ext.Value.pbData, &ext.Value.cbData); _JumpIfError(hr, error, "myCreateSubjectKeyIdentifierExtension"); }
hr = PropSetExtension( prow, PROPTYPE_BINARY | dwCaller, TEXT(szOID_SUBJECT_KEY_IDENTIFIER), ExtFlags, ext.Value.cbData, ext.Value.pbData); _JumpIfError(hr, error, "PropSetExtension");
error: if (NULL != ext.Value.pbData) { LocalFree(ext.Value.pbData); } if (NULL != pwszObjId) { LocalFree(pwszObjId); } return(hr);}
HRESULTpkcsParsePKCS10Request( IN DWORD dwFlags, IN ICertDBRow *prow, IN DWORD cbRequest, IN BYTE const *pbRequest, IN CERT_CONTEXT const *pSigningAuthority, OUT BOOL *pfRenewal, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; DWORD cbCertInfo; CERT_REQUEST_INFO *pRequestInfo = NULL; CRYPT_ATTRIBUTE const *pAttrib; CRYPT_ATTRIBUTE const *pAttribEnd; CRYPT_ATTR_BLOB *pAttrBlob; CERT_CONTEXT const *pOldCert = NULL; DWORD dwRequestFlags = 0; BOOL fRenewal = FALSE; BOOL fSubjectNameSet;
CSASSERT(CR_IN_PKCS10 == (CR_IN_FORMATMASK & dwFlags)); CSASSERT( CR_IN_PKCS10 == (CR_IN_FORMATMASK & pResult->dwFlagsTop) || CR_IN_PKCS7 == (CR_IN_FORMATMASK & pResult->dwFlagsTop) || CR_IN_CMC == (CR_IN_FORMATMASK & pResult->dwFlagsTop));
if (!myDecodeObject( X509_ASN_ENCODING, X509_CERT_REQUEST_TO_BE_SIGNED, pbRequest, cbRequest, CERTLIB_USE_LOCALALLOC, (VOID **) &pRequestInfo, &cbCertInfo)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
// verify with the public key passed in the PKCS10
if (!CryptVerifyCertificateSignature( NULL, X509_ASN_ENCODING, const_cast<BYTE *>(pbRequest), cbRequest, &pRequestInfo->SubjectPublicKeyInfo)) { hr = myHLastError(); _PrintError3( hr, "CryptVerifyCertificateSignature", E_INVALIDARG, CRYPT_E_ASN1_BADTAG); if (CR_IN_CMC == (CR_IN_FORMATMASK & pResult->dwFlagsTop)) { if (E_INVALIDARG == hr) // NULL signature?
{ CRYPT_DATA_BLOB Blob; Blob.cbData = cbRequest; Blob.pbData = const_cast<BYTE *>(pbRequest); if (!CryptVerifyCertificateSignatureEx( NULL, // hCryptProv
X509_ASN_ENCODING, CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB, &Blob, CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL, NULL, // pvIssuer
0, // dwFlags
NULL)) // pvReserved
{ HRESULT hr2 = myHLastError();
_PrintError(hr2, "CryptVerifyCertificateSignatureEx"); } else { hr = S_OK; } } else if ((CRLF_ACCEPT_OLDRFC_CMC & g_dwCRLFlags) && CRYPT_E_ASN1_BADTAG == hr) // No signature?
{ hr = S_OK; } } if (E_INVALIDARG == hr || CRYPT_E_ASN1_BADTAG == hr) { hr = NTE_BAD_SIGNATURE; } _JumpIfError(hr, error, "CryptVerifyCertificateSignature"); }
// handle renewal certificate extensions BEFORE processing the rest of
// the request attributes (which may also contain extensions)
pAttribEnd = &pRequestInfo->rgAttribute[pRequestInfo->cAttribute]; for (pAttrib = pRequestInfo->rgAttribute; pAttrib < pAttribEnd; pAttrib++) { if (0 == strcmp(pAttrib->pszObjId, szOID_RENEWAL_CERTIFICATE)) { hr = CERTSRV_E_BAD_RENEWAL_CERT_ATTRIBUTE; if (fRenewal) { _JumpError(hr, error, "Multiple renewal certs!"); } if (CR_IN_PKCS7 != (CR_IN_FORMATMASK & pResult->dwFlagsTop) && CR_IN_CMC != (CR_IN_FORMATMASK & pResult->dwFlagsTop)) { _JumpError(hr, error, "renewal cert must be in PKCS7 or CMC"); } if (1 != pAttrib->cValue) { _JumpError(hr, error, "Attribute Value count != 1"); } pAttrBlob = pAttrib->rgValue;
pOldCert = CertCreateCertificateContext( X509_ASN_ENCODING, pAttrBlob->pbData, pAttrBlob->cbData); if (NULL == pOldCert) { _JumpError(hr, error, "CertCreateCertificateContext"); }
// The old raw certificate, and the signer of the PKCS7 must match!
if (NULL == pSigningAuthority || !CertCompareCertificate( pSigningAuthority->dwCertEncodingType, pSigningAuthority->pCertInfo, pOldCert->pCertInfo)) { _JumpError(hr, error, "CertCompareCertificate"); }
// This is a renewal, mark it as such.
hr = prow->SetProperty( g_wszPropRequestRawOldCertificate, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, pAttrBlob->cbData, pAttrBlob->pbData); _JumpIfError(hr, error, "SetProperty(old cert)");
hr = pkcsSetExtensions( prow, EXTENSION_ORIGIN_RENEWALCERT | EXTENSION_DISABLE_FLAG, pOldCert->pCertInfo->rgExtension, pOldCert->pCertInfo->cExtension); _JumpIfError(hr, error, "pkcsSetExtensions(old cert)");
fRenewal = TRUE; } }
// handle certificate extensions/known atributes
hr = pkcsSetAttributes( prow, EXTENSION_ORIGIN_REQUEST, PSA_DISALLOW_ARCHIVEDKEY, pRequestInfo->rgAttribute, pRequestInfo->cAttribute, 0, NULL, NULL, pResult); _JumpIfError(hr, error, "pkcsSetAttributes(PKCS10)");
hr = pkcsSetRequestNameInfo( prow, &pRequestInfo->Subject, NULL, // pwszCNSuffix
&dwRequestFlags, &fSubjectNameSet); _JumpIfError(hr, error, "pkcsSetRequestNameInfo");
if (fSubjectNameSet) { dwRequestFlags |= CR_FLG_SUBJECTUNMODIFIED; }
if (fRenewal) { if (!fSubjectNameSet) { CSASSERT(NULL != pOldCert); CSASSERT(NULL != pOldCert->pCertInfo); hr = pkcsSetRequestNameInfo( prow, &pOldCert->pCertInfo->Subject, NULL, // pwszCNSuffix
&dwRequestFlags, &fSubjectNameSet); _JumpIfError(hr, error, "pkcsSetRequestNameInfo"); } dwRequestFlags |= CR_FLG_RENEWAL; }
hr = prow->SetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(dwRequestFlags), (BYTE const *) &dwRequestFlags); _JumpIfError(hr, error, "SetProperty(RequestFlags)");
hr = pkcsSetPublicKeyProperties(prow, &pRequestInfo->SubjectPublicKeyInfo); _JumpIfError(hr, error, "pkcsSetPublicKeyProperties");
hr = PKCSSetServerProperties( prow, g_lValidityPeriodCount, g_enumValidityPeriod); _JumpIfError(hr, error, "PKCSSetServerProperties");
if (NULL != pfRenewal) { *pfRenewal = fRenewal; }
error: if (NULL != pOldCert) { CertFreeCertificateContext(pOldCert); } if (NULL != pRequestInfo) { LocalFree(pRequestInfo); } return(hr);}
HRESULTPKCSVerifyChallengeString( IN ICertDBRow *prow){ HRESULT hr; DWORD cb; WCHAR wszPassed[MAX_PATH]; WCHAR wszExpected[MAX_PATH];
cb = sizeof(wszExpected); hr = prow->GetProperty( g_wszPropExpectedChallenge, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_ATTRIBUTE, &cb, (BYTE *) wszExpected); if (S_OK != hr || L'\0' == wszExpected[0]) { hr = S_OK; // no challenge expected
goto error; }
cb = sizeof(wszPassed); hr = prow->GetProperty( g_wszPropChallenge, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_ATTRIBUTE, &cb, (BYTE *) wszPassed); if (S_OK != hr) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD); _JumpError(hr, error, "Missing Challenge String"); } if (0 != wcscmp(wszExpected, wszPassed)) { CONSOLEPRINT2(( DBG_SS_CERTSRV, "Challenge: passed(%ws) expected(%ws)\n", wszPassed, wszExpected));
hr = HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD); _JumpError(hr, error, "Invalid Challenge String"); } hr = prow->SetProperty( g_wszPropExpectedChallenge, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_ATTRIBUTE, 0, NULL); _PrintIfError(hr, "SetProperty");
hr = S_OK;
error: return(hr);}
HRESULTpkcsParseKeyGenRequest( IN DWORD dwFlags, IN ICertDBRow *prow, IN DWORD cbRequest, IN BYTE const *pbRequest, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; DWORD cbKeyGenRequest; CERT_KEYGEN_REQUEST_INFO *pKeyGenRequest = NULL; DWORD dwRequestFlags;
CSASSERT(CR_IN_KEYGEN == (CR_IN_FORMATMASK & dwFlags));
// Decode KeyGenRequest structure
if (!myDecodeKeyGenRequest( pbRequest, cbRequest, CERTLIB_USE_LOCALALLOC, &pKeyGenRequest, &cbKeyGenRequest)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeKeyGen"); }
// verify with the public key passed in the PKCS10
if (!CryptVerifyCertificateSignature( NULL, X509_ASN_ENCODING, (BYTE *) pbRequest, cbRequest, &pKeyGenRequest->SubjectPublicKeyInfo)) { hr = myHLastError(); _JumpError(hr, error, "CryptVerifyCertificateSignature"); }
hr = pkcsSetPublicKeyProperties( prow, &pKeyGenRequest->SubjectPublicKeyInfo); _JumpIfError(hr, error, "pkcsSetPublicKeyProperties");
hr = PKCSSetServerProperties( prow, g_lValidityPeriodCount, g_enumValidityPeriod); _JumpIfError(hr, error, "PKCSSetServerProperties");
hr = prow->SetProperty( g_wszPropExpectedChallenge, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_ATTRIBUTE, MAXDWORD, (BYTE *) pKeyGenRequest->pwszChallengeString); _JumpIfError(hr, error, "SetProperty");
dwRequestFlags = 0; switch (ENUM_TELETEX_MASK & g_fForceTeletex) { case ENUM_TELETEX_ON: case ENUM_TELETEX_AUTO: dwRequestFlags |= CR_FLG_FORCETELETEX; break; } if (ENUM_TELETEX_UTF8 & g_fForceTeletex) { dwRequestFlags |= CR_FLG_FORCEUTF8; }
hr = prow->SetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(dwRequestFlags), (BYTE const *) &dwRequestFlags); _JumpIfError(hr, error, "SetProperty(RequestFlags)");
error: if (NULL != pKeyGenRequest) { LocalFree(pKeyGenRequest); } return(hr);}
// Validate the certificate:
// Signed by CA Certificate
// issuer name == CA Certificate subject
// NotBefore >= CA Certificate NotBefore
// NotAfter <= CA Certificate NotAfter
// if KEYID2 issuer KeyId set: == CA Certificate KeyId
// if KEYID2 issuer Name set: == CA Certificate Issuer
// if KEYID2 issuer Serial Number set: == CA Certificate serial number
HRESULTpkcsVerifyCertIssuer( IN CERT_CONTEXT const *pCert, IN CACTX const *pCAContext){ HRESULT hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); CERT_INFO const *pCertInfo = pCert->pCertInfo; CERT_INFO const *pCACertInfo = pCAContext->pccCA->pCertInfo; CERT_EXTENSION const *pExt; CERT_EXTENSION const *pExtEnd; CERT_AUTHORITY_KEY_ID2_INFO *pkeyAuth = NULL; DWORD cbkeyAuth; CERT_NAME_BLOB const *pName;
// verify with the CA cert's public key
if (!CryptVerifyCertificateSignature( NULL, X509_ASN_ENCODING, pCert->pbCertEncoded, pCert->cbCertEncoded, const_cast<CERT_PUBLIC_KEY_INFO *>( &pCACertInfo->SubjectPublicKeyInfo))) { hr = myHLastError(); _JumpError2( hr, error, "CryptVerifyCertificateSignature", NTE_BAD_SIGNATURE); }
// Check Issuer name:
if (!myAreBlobsSame( pCACertInfo->Subject.pbData, pCACertInfo->Subject.cbData, pCertInfo->Issuer.pbData, pCertInfo->Issuer.cbData)) { _JumpError(hr, error, "Bad Issuer Name"); }
// Check that NotBefore >= CA Certificate NotBefore
if (0 > CompareFileTime(&pCertInfo->NotBefore, &pCACertInfo->NotBefore)) { _JumpError(hr, error, "NotBefore too early"); }
// Check that NotAfter <= CA Certificate NotAfter
if (0 < CompareFileTime(&pCertInfo->NotAfter, &pCACertInfo->NotAfter)) { _JumpError(hr, error, "NotAfter too late"); }
pExtEnd = &pCert->pCertInfo->rgExtension[pCert->pCertInfo->cExtension]; for (pExt = pCert->pCertInfo->rgExtension; pExt < pExtEnd; pExt++) { if (0 == strcmp(pExt->pszObjId, szOID_AUTHORITY_KEY_IDENTIFIER2)) { if (!myDecodeObject( X509_ASN_ENCODING, X509_AUTHORITY_KEY_ID2, pExt->Value.pbData, pExt->Value.cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pkeyAuth, &cbkeyAuth)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
// Check Issuer KeyId:
if (NULL != pCAContext->IssuerKeyId.pbData && NULL != pkeyAuth->KeyId.pbData && !myAreBlobsSame( pCAContext->IssuerKeyId.pbData, pCAContext->IssuerKeyId.cbData, pkeyAuth->KeyId.pbData, pkeyAuth->KeyId.cbData)) { _JumpError(hr, error, "Bad AuthorityKeyId KeyId"); }
// Check Issuer name:
if (1 == pkeyAuth->AuthorityCertIssuer.cAltEntry && CERT_ALT_NAME_DIRECTORY_NAME == pkeyAuth->AuthorityCertIssuer.rgAltEntry[0].dwAltNameChoice) { pName = &pkeyAuth->AuthorityCertIssuer.rgAltEntry[0].DirectoryName;
if (NULL != pName->pbData && !myAreBlobsSame( pCACertInfo->Issuer.pbData, pCACertInfo->Issuer.cbData, pName->pbData, pName->cbData)) { _JumpError(hr, error, "Bad AuthorityKeyId Issuer Name"); } }
// Check Issuer SerialNumber:
if (NULL != pkeyAuth->AuthorityCertSerialNumber.pbData && !myAreSerialNumberBlobsSame( &pCACertInfo->SerialNumber, &pkeyAuth->AuthorityCertSerialNumber)) { _JumpError(hr, error, "Bad AuthorityKeyId Issuer Serial Number"); } break; } } hr = S_OK;
error: if (NULL != pkeyAuth) { LocalFree(pkeyAuth); } return(hr);}
HRESULTPKCSVerifyIssuedCertificate( IN CERT_CONTEXT const *pCert, OUT CACTX **ppCAContext){ HRESULT hr; DWORD i; CACTX *pCAContext;
*ppCAContext = NULL;
CSASSERT(0 != g_cCACerts); for (i = g_cCACerts; i > 0; i--) { pCAContext = &g_aCAContext[i - 1];
hr = pkcsVerifyCertIssuer(pCert, pCAContext); if (S_OK == hr) { *ppCAContext = pCAContext; break; } _PrintError2(hr, "pkcsVerifyCertIssuer", NTE_BAD_SIGNATURE); }
//error:
return(hr);}
HRESULTpkcsSetCertHash( IN ICertDBRow *prow, IN CERT_CONTEXT const *pcc){ HRESULT hr; BYTE abHash[CBMAX_CRYPT_HASH_LEN]; DWORD cbHash; BSTR strHash = NULL; CACTX *pCAContext = g_pCAContextCurrent;
cbHash = sizeof(abHash); if (!CertGetCertificateContextProperty( pcc, CERT_SHA1_HASH_PROP_ID, abHash, &cbHash)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateContextProperty"); }
hr = MultiByteIntegerToBstr(TRUE, cbHash, abHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
hr = prow->SetProperty( g_wszPropCertificateHash, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE const *) strHash); _JumpIfError(hr, error, "SetProperty");
error: if (NULL != strHash) { SysFreeString(strHash); } return(hr);}
HRESULTpkcsSetCertAndKeyHashes( IN ICertDBRow *prow, IN CERT_CONTEXT const *pcc){ HRESULT hr; BYTE *pbHash = NULL; DWORD cbHash; BSTR strHash = NULL;
hr = pkcsSetCertHash(prow, pcc); _JumpIfError(hr, error, "pkcsSetCertHash");
hr = myGetPublicKeyHash( pcc->pCertInfo, &pcc->pCertInfo->SubjectPublicKeyInfo, &pbHash, &cbHash); _JumpIfError(hr, error, "myGetPublicKeyHash");
hr = MultiByteIntegerToBstr(TRUE, cbHash, pbHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
hr = prow->SetProperty( g_wszPropCertificateSubjectKeyIdentifier, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE const *) strHash); _JumpIfError(hr, error, "SetProperty");
error: if (NULL != strHash) { SysFreeString(strHash); } if (NULL != pbHash) { LocalFree(pbHash); } return(hr);}
HRESULTPKCSParseImportedCertificate( IN DWORD Disposition, IN ICertDBRow *prow, OPTIONAL IN CACTX const *pCAContext, IN CERT_CONTEXT const *pCert){ HRESULT hr; CERT_INFO const *pCertInfo = pCert->pCertInfo; DWORD dwRequestFlags = 0; BOOL fSubjectNameSet; HRESULT ErrCode = S_OK; BSTR strSerialNumber = NULL;
// set raw cert property in the db
hr = prow->SetProperty( g_wszPropRawCertificate, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, pCert->cbCertEncoded, pCert->pbCertEncoded); _JumpIfError(hr, error, "SetProperty");
// set extensions
hr = pkcsSetExtensions( prow, EXTENSION_ORIGIN_IMPORTEDCERT, pCertInfo->rgExtension, pCertInfo->cExtension); _JumpIfError(hr, error, "pkcsSetExtensions");
// set request name info
hr = pkcsSetRequestNameInfo( prow, &pCertInfo->Subject, NULL, // pwszCNSuffix
&dwRequestFlags, &fSubjectNameSet); _JumpIfError(hr, error, "pkcsSetRequestNameInfo");
hr = pkcsSetPublicKeyProperties(prow, &pCertInfo->SubjectPublicKeyInfo); _JumpIfError(hr, error, "pkcsSetPublicKeyProperties");
hr = prow->CopyRequestNames(); _JumpIfError(hr, error, "CopyRequestNames");
hr = pkcsSetCertAndKeyHashes(prow, pCert); _JumpIfError(hr, error, "pkcsSetCertAndKeyHashes");
hr = prow->SetProperty( g_wszPropCertificateNotBeforeDate, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(pCertInfo->NotBefore), (BYTE *) &pCertInfo->NotBefore); _JumpIfError(hr, error, "SetProperty");
hr = prow->SetProperty( g_wszPropCertificateNotAfterDate, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(pCertInfo->NotAfter), (BYTE *) &pCertInfo->NotAfter); _JumpIfError(hr, error, "SetProperty");
hr = prow->SetProperty( g_wszPropSubjectRawName, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, pCertInfo->Subject.cbData, pCertInfo->Subject.pbData); _JumpIfError(hr, error, "SetProperty");
// set distinguished name
pkcsSetDistinguishedName( prow, PROPTABLE_CERTIFICATE, &pCertInfo->Subject);
// set disposition issued
hr = prow->SetProperty( g_wszPropRequestDisposition, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(Disposition), (BYTE const *) &Disposition); _JumpIfError(hr, error, "SetProperty(disposition)");
// set disposition status code
hr = prow->SetProperty( g_wszPropRequestStatusCode, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(ErrCode), (BYTE const *) &ErrCode); _JumpIfError(hr, error, "SetProperty(status code)");
if (NULL != pCAContext) { hr = prow->SetProperty( g_wszPropCertificateIssuerNameID, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(pCAContext->NameId), (BYTE *) &pCAContext->NameId); _JumpIfError(hr, error, "SetProperty"); }
hr = PropSetRequestTimeProperty(prow, g_wszPropRequestResolvedWhen); _JumpIfError(hr, error, "PropSetRequestTimeProperty");
// Convert serial number to string and set in DB
hr = MultiByteIntegerToBstr( FALSE, pCertInfo->SerialNumber.cbData, pCertInfo->SerialNumber.pbData, &strSerialNumber); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
hr = prow->SetProperty( g_wszPropCertificateSerialNumber, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE *) strSerialNumber); _JumpIfError(hr, error, "SetProperty");
error: if (NULL != strSerialNumber) { SysFreeString(strSerialNumber); } return(hr);}
// Return TRUE if Data and Cert references apply to the specified CMC message
BOOLpkcsCMCReferenceMatch( IN DWORD DataReference, // nested CMC message Body Part Id
IN DWORD CertReference, // PKCS10 Cert Request Body Part Id
IN DWORD dwCmcDataReference, IN DWORD cCertReference, IN DWORD const *rgdwCertReference){ BOOL fMatch = FALSE; DWORD i;
if (MAXDWORD != DataReference && dwCmcDataReference == DataReference) { fMatch = TRUE; } else if (MAXDWORD != CertReference && 0 == dwCmcDataReference) { for (i = 0; i < cCertReference; i++) { if (rgdwCertReference[i] == CertReference) { fMatch = TRUE; break; } } } return(fMatch);}
HRESULTpkcsSetCMCExtensions( IN ICertDBRow *prow, IN DWORD DataReference, // nested CMC message Body Part Id
IN DWORD CertReference, // PKCS10 Cert Request Body Part Id
IN BYTE const *pbData, IN DWORD cbData){ HRESULT hr; CMC_ADD_EXTENSIONS_INFO *pcmcExt = NULL; DWORD cb;
// Decode CMC_ADD_EXTENSIONS_INFO from Attribute Blob
CSASSERT(NULL == pcmcExt); if (!myDecodeObject( X509_ASN_ENCODING, CMC_ADD_EXTENSIONS, pbData, cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pcmcExt, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
if (pkcsCMCReferenceMatch( DataReference, CertReference, pcmcExt->dwCmcDataReference, pcmcExt->cCertReference, pcmcExt->rgdwCertReference)) { hr = pkcsSetExtensions( prow, EXTENSION_ORIGIN_CMC | EXTENSION_DISABLE_FLAG, pcmcExt->rgExtension, pcmcExt->cExtension); _JumpIfError(hr, error, "pkcsSetExtensions(request)"); } hr = S_OK;
error: if (NULL != pcmcExt) { LocalFree(pcmcExt); } return(hr);}
HRESULTpkcsSetCMCAttributes( IN ICertDBRow *prow, IN DWORD DataReference, // nested CMC message Body Part Id
IN DWORD CertReference, // PKCS10 Cert Request Body Part Id
IN BYTE const *pbData, IN DWORD cbData, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; CMC_ADD_ATTRIBUTES_INFO *pcmcAttrib = NULL; DWORD cb;
if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; }
// Decode CMC_ADD_ATTRIBUTES_INFO from Attribute Blob
CSASSERT(NULL == pcmcAttrib); if (!myDecodeObject( X509_ASN_ENCODING, CMC_ADD_ATTRIBUTES, pbData, cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pcmcAttrib, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } if (pkcsCMCReferenceMatch( DataReference, CertReference, pcmcAttrib->dwCmcDataReference, pcmcAttrib->cCertReference, pcmcAttrib->rgdwCertReference)) { hr = pkcsSetAttributes( prow, EXTENSION_ORIGIN_CMC, PSA_DISALLOW_EXTENSIONS | PSA_DISALLOW_ARCHIVEDKEY, pcmcAttrib->rgAttribute, pcmcAttrib->cAttribute, 0, NULL, pfEnrollOnBehalfOf, pResult); _JumpIfError(hr, error, "pkcsSetAttributes(CMC)"); } hr = S_OK;
error: if (NULL != pcmcAttrib) { LocalFree(pcmcAttrib); } return(hr);}
// map "email_mail" to "email"
// map "email_*" to "*"?
// mail_firstName=Terry&mail_lastName=Cheung+CMC+Zero+2&mail_email=
// tcheung%40verisign%2Ecom&challenge=test&
HRESULTpkcsSetCMCRegInfo( IN ICertDBRow *prow, IN BYTE const *pbOctet, IN DWORD cbOctet, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf){ HRESULT hr; WCHAR *pwszRA = NULL;
if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; } hr = myDecodeCMCRegInfo(pbOctet, cbOctet, &pwszRA); _JumpIfError(hr, error, "myDecodeCMCRegInfo");
hr = PKCSParseAttributes( prow, pwszRA, TRUE, PROPTABLE_REQUEST, pfEnrollOnBehalfOf); _JumpIfError(hr, error, "PKCSParseAttributes");
error: if (NULL != pwszRA) { LocalFree(pwszRA); } return(hr);}
HRESULTpkcsSetTaggedAttributes( IN ICertDBRow *prow, IN DWORD DataReference, // nested CMC message Body Part Id
IN DWORD CertReference, // PKCS10 Cert Request Body Part Id
IN CMC_TAGGED_ATTRIBUTE const *pTaggedAttribute, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; DWORD i; CRYPT_ATTRIBUTE const *pAttribute = &pTaggedAttribute->Attribute; DWORD cb; BOOL fEnrollOnBehalfOf;
if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; } for (i = 0; i < pAttribute->cValue; i++) { if (0 == strcmp(szOID_CMC_ADD_EXTENSIONS, pAttribute->pszObjId)) { hr = pkcsSetCMCExtensions( prow, DataReference, CertReference, pAttribute->rgValue[i].pbData, pAttribute->rgValue[i].cbData); _JumpIfError(hr, error, "pkcsSetCMCExtensions"); } else if (0 == strcmp(szOID_CMC_ADD_ATTRIBUTES, pAttribute->pszObjId)) { fEnrollOnBehalfOf = FALSE;
hr = pkcsSetCMCAttributes( prow, DataReference, CertReference, pAttribute->rgValue[i].pbData, pAttribute->rgValue[i].cbData, NULL != pfEnrollOnBehalfOf? &fEnrollOnBehalfOf : NULL, pResult); _JumpIfError(hr, error, "pkcsSetCMCAttributes");
if (fEnrollOnBehalfOf) { CSASSERT(NULL != pfEnrollOnBehalfOf); *pfEnrollOnBehalfOf = TRUE; } } else if (0 == strcmp(szOID_CMC_REG_INFO, pAttribute->pszObjId)) { fEnrollOnBehalfOf = FALSE;
hr = pkcsSetCMCRegInfo( prow, pAttribute->rgValue[i].pbData, pAttribute->rgValue[i].cbData, NULL != pfEnrollOnBehalfOf? &fEnrollOnBehalfOf : NULL); _JumpIfError(hr, error, "pkcsSetCMCRegInfo");
if (fEnrollOnBehalfOf) { CSASSERT(NULL != pfEnrollOnBehalfOf); *pfEnrollOnBehalfOf = TRUE; } } else if (0 == strcmp(szOID_CMC_TRANSACTION_ID, pAttribute->pszObjId)) { DWORD dwTransactionId; cb = sizeof(dwTransactionId); dwTransactionId = 0; if (!CryptDecodeObject( X509_ASN_ENCODING, X509_INTEGER, pAttribute->rgValue[i].pbData, pAttribute->rgValue[i].cbData, 0, &dwTransactionId, &cb)) { hr = myHLastError(); _JumpError(hr, error, "CryptDecodeObject"); } pResult->fTransactionId = TRUE; pResult->dwTransactionId = dwTransactionId; } else if (0 == strcmp(szOID_CMC_SENDER_NONCE, pAttribute->pszObjId)) { CRYPT_DATA_BLOB *pBlob; BYTE *pb;
if (!myDecodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, pAttribute->rgValue[i].pbData, pAttribute->rgValue[i].cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pBlob, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); } pb = (BYTE *) LocalAlloc(LMEM_FIXED, pBlob->cbData); if (NULL == pb) { hr = E_OUTOFMEMORY; } else { CopyMemory(pb, pBlob->pbData, pBlob->cbData); if (NULL != pResult->pbSenderNonce) { LocalFree(pResult->pbSenderNonce); } pResult->pbSenderNonce = pb; pResult->cbSenderNonce = pBlob->cbData; hr = S_OK; } LocalFree(pBlob); _JumpIfError(hr, error, "LocalAlloc"); } else if (0 == (CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES & g_dwCRLFlags)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "unknown tagged attribute"); } } hr = S_OK;
error: return(hr);}
//+------------------------------------------------------------------------
// pkcsParseCMCRequest
//
// Crack a CMC request and dig the goodies out of it.
// Crack the contents of the CMC request recursively.
//-------------------------------------------------------------------------
HRESULTpkcsParseCMCRequest( IN ICertDBRow *prow, IN DWORD cbIn, IN BYTE const *pbIn, OPTIONAL IN CERT_CONTEXT const *pCertSigner, OPTIONAL OUT BOOL *pfRenewal, OPTIONAL OUT BOOL *pfEnrollOnBehalfOf, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; DWORD cb; CMC_DATA_INFO const *pcmcData = NULL; DWORD i; DWORD DataReference = MAXDWORD; // nested CMC message Body Part Id
DWORD CertReference = MAXDWORD; // PKCS10 Cert Request Body Part Id
if (NULL != pfRenewal) { *pfRenewal = FALSE; } if (NULL != pfEnrollOnBehalfOf) { *pfEnrollOnBehalfOf = FALSE; } if (!myDecodeObject( X509_ASN_ENCODING, CMC_DATA, pbIn, cbIn, CERTLIB_USE_LOCALALLOC, (VOID **) &pcmcData, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
if (0 != pcmcData->cTaggedOtherMsg) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "unknown other message"); }
// Process nested CMC messages
if (0 != pcmcData->cTaggedContentInfo) { CMC_TAGGED_CONTENT_INFO const *pTaggedContentInfo;
// Only handle one CMC message at a time for now.
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); if (1 < pcmcData->cTaggedContentInfo) { _JumpError(hr, error, "multiple nested CMC messages"); }
// Disallow CMC message recursion below a PKCS10 request.
if (0 != pcmcData->cTaggedRequest) { _JumpError(hr, error, "recursion below PKCS10 request"); }
// Recurse on the nested CMC message
pTaggedContentInfo = &pcmcData->rgTaggedContentInfo[0];
hr = PKCSParseRequest( CR_IN_CMC | (~CR_IN_FORMATMASK & pResult->dwFlagsTop), prow, pTaggedContentInfo->EncodedContentInfo.cbData, pTaggedContentInfo->EncodedContentInfo.pbData, pCertSigner, pfRenewal, pResult); _JumpIfError(hr, error, "PKCSParseRequest");
DataReference = pTaggedContentInfo->dwBodyPartID; }
// Process nested PKCS10 requests
if (0 != pcmcData->cTaggedRequest) { CMC_TAGGED_REQUEST const *pTaggedRequest; CMC_TAGGED_CERT_REQUEST const *pTaggedCertRequest;
// Only handle one request at a time for now.
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); if (1 < pcmcData->cTaggedRequest) { _JumpError(hr, error, "multiple PKCS10 requests"); }
pTaggedRequest = &pcmcData->rgTaggedRequest[0];
// The request must be a PKCS10 request
if (CMC_TAGGED_CERT_REQUEST_CHOICE != pTaggedRequest->dwTaggedRequestChoice) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "recursion below PKCS10 request"); }
pTaggedCertRequest = pTaggedRequest->pTaggedCertRequest;
hr = PKCSParseRequest( CR_IN_PKCS10 | (~CR_IN_FORMATMASK & pResult->dwFlagsTop), prow, pTaggedCertRequest->SignedCertRequest.cbData, pTaggedCertRequest->SignedCertRequest.pbData, pCertSigner, pfRenewal, pResult); _JumpIfError(hr, error, "PKCSParseRequest");
CertReference = pTaggedCertRequest->dwBodyPartID; }
// Process extensions and attributes
for (i = 0; i < pcmcData->cTaggedAttribute; i++) { hr = pkcsSetTaggedAttributes( prow, DataReference, CertReference, &pcmcData->rgTaggedAttribute[i], pfEnrollOnBehalfOf, pResult); _JumpIfError(hr, error, "pkcsSetTaggedAttributes"); } hr = S_OK;
error: if (NULL != pcmcData) { LocalFree((VOID *) pcmcData); } return(hr);}
HRESULTpkcsAppendPolicies( IN ICertDBRow *prow, IN WCHAR const *pwszPropName, OPTIONAL IN WCHAR const *pwszzPolicies){ HRESULT hr; WCHAR *pwszOld = NULL; WCHAR *pwszNew = NULL; WCHAR const *pwszIn; WCHAR *pwsz; DWORD cwc = 0; DWORD cb;
hr = PKCSGetProperty( prow, pwszPropName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE **) &pwszOld); _PrintIfError2(hr, "PKCSGetProperty", hr); if (S_OK != hr) { pwszOld = NULL; } if (NULL != pwszOld) { cwc = wcslen(pwszOld) + 1; // allow for \n separator
} if (NULL == pwszzPolicies || L'\0' == *pwszzPolicies) { pwszzPolicies = L"-\0"; } for (pwszIn = pwszzPolicies; L'\0' != *pwszIn; pwszIn += wcslen(pwszIn) + 1) ;
cwc += SAFE_SUBTRACT_POINTERS(pwszIn, pwszzPolicies); pwszNew = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR)); if (NULL == pwszNew) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } pwsz = pwszNew;
if (NULL != pwszOld) { wcscpy(pwsz, pwszOld); pwsz += wcslen(pwsz);
wcscpy(pwsz, L"\n"); pwsz++; }
for (pwszIn = pwszzPolicies; L'\0' != *pwszIn; pwszIn += wcslen(pwszIn) + 1) { if (pwszIn != pwszzPolicies) { wcscpy(pwsz, L","); pwsz++; } wcscpy(pwsz, pwszIn); pwsz += wcslen(pwsz); } CSASSERT(&pwsz[1] == &pwszNew[cwc]);
hr = prow->SetProperty( pwszPropName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, MAXDWORD, (BYTE const *) pwszNew); _JumpIfError(hr, error, "SetProperty");
error: if (NULL != pwszOld) { LocalFree(pwszOld); } if (NULL != pwszNew) { LocalFree(pwszNew); } return(hr);}
//+------------------------------------------------------------------------
// pkcsParsePKCS7Request
//
// Crack a PKCS7 and dig the goodies out of it.
// Verify the signature of the 7 against the cert given in the 7.
// Crack the contents of the 7 recursively.
//-------------------------------------------------------------------------
HRESULTpkcsParsePKCS7Request( IN BOOL fTopLevel, IN DWORD dwFlags, IN ICertDBRow *prow, IN DWORD cbIn, IN BYTE const *pbIn, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr; BYTE *pbContents = NULL; DWORD cbContents; CERT_CONTEXT const *pCertSigner = NULL; HCERTSTORE hStore = NULL; HCRYPTMSG hMsg = NULL; char *pszInnerContentObjId = NULL; DWORD i; BOOL fCMC; BOOL fRenewal = FALSE; DWORD cbAttrib; char *apszEnrollOids[] = {szOID_ENROLLMENT_AGENT}; DWORD dwVerifyContextFlags; DWORD dwMsgType; DWORD cSigner; DWORD cFirstSigner; BOOL fFirstSigner; DWORD cRecipient; DWORD cb; CMSG_CMS_SIGNER_INFO *pcsi = NULL; DWORD dwDisallowFlags; DWORD iElement; WCHAR *pwszzIssuancePolicies = NULL; WCHAR *pwszzApplicationPolicies = NULL; CERT_REQUEST_INFO *pRequest = NULL; BOOL fEnrollOnBehalfOf;
CSASSERT( CR_IN_PKCS7 == (CR_IN_FORMATMASK & dwFlags) || CR_IN_CMC == (CR_IN_FORMATMASK & dwFlags));
// Crack the 7 and verify the signature.
hr = myDecodePKCS7( pbIn, cbIn, &pbContents, &cbContents, &dwMsgType, &pszInnerContentObjId, &cSigner, &cRecipient, &hStore, &hMsg); _JumpIfError(hr, error, "myDecodePKCS7");
if (CMSG_SIGNED != dwMsgType || 0 == cSigner) { hr = CRYPT_E_NO_SIGNER; _JumpIfError(hr, error, "myDecodePKCS7(no signing cert)"); }
#define szOID_CT_PKI_DATA_OLDRFC "1.3.6.1.5.5.7.5.2" // BUGBUG: temporary!
fCMC = NULL != pszInnerContentObjId && (0 == strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA) || (0 == strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA_OLDRFC) && (CRLF_ACCEPT_OLDRFC_CMC & g_dwCRLFlags)));
// Decode the contents.
if (fCMC) { if (CR_IN_CMC != (CR_IN_FORMATMASK & dwFlags)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "dwFlags"); } // CMC renewal requests may have one 'first' signer (non-NULL KeyId or
// Dummy signer) and one additional Issuer+Serial signer. If the
// request has the appropriate signatures, pass the cert to the lowest
// level to see if it really is a renewal request.
if (1 <= cSigner && 2 >= cSigner) { DWORD iCertSigner = MAXDWORD;
cFirstSigner = 0; for (i = 0; i < cSigner; i++) { if (NULL != pcsi) { LocalFree(pcsi); pcsi = NULL; } hr = myCryptMsgGetParam( hMsg, CMSG_CMS_SIGNER_INFO_PARAM, i, CERTLIB_USE_LOCALALLOC, (VOID **) &pcsi, &cb); _JumpIfError(hr, error, "myCryptMsgGetParam");
fFirstSigner = FALSE; if (CERT_ID_KEY_IDENTIFIER == pcsi->SignerId.dwIdChoice || (NULL != pcsi->HashEncryptionAlgorithm.pszObjId && 0 == strcmp( szOID_PKIX_NO_SIGNATURE, pcsi->HashEncryptionAlgorithm.pszObjId))) { fFirstSigner = TRUE; } else if ((CRLF_ACCEPT_OLDRFC_CMC & g_dwCRLFlags) && CERT_ID_ISSUER_SERIAL_NUMBER == pcsi->SignerId.dwIdChoice) { hr = myIsFirstSigner( &pcsi->SignerId.IssuerSerialNumber.Issuer, &fFirstSigner); _JumpIfError(hr, error, "myIsFirstSigner"); }
if (fFirstSigner) { cFirstSigner++; } else { if (MAXDWORD != iCertSigner) { iCertSigner = MAXDWORD; // must not be a renewal
break; } iCertSigner = i; } } if (MAXDWORD != iCertSigner && 1 >= cFirstSigner) { iElement = iCertSigner; if (!CryptMsgGetAndVerifySigner( hMsg, 0, // cSignerStore
NULL, // rghSignerStore
CMSG_USE_SIGNER_INDEX_FLAG, &pCertSigner, &iElement)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgGetAndVerifySigner"); } } } fEnrollOnBehalfOf = FALSE; hr = pkcsParseCMCRequest( prow, cbContents, pbContents, pCertSigner, &fRenewal, &fEnrollOnBehalfOf, pResult); _JumpIfError(hr, error, "pkcsParseCMCRequest");
if (fEnrollOnBehalfOf) { pResult->fEnrollOnBehalfOf = TRUE; } if (0 == strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA_OLDRFC)) { hr = PKCSSetRequestFlags(prow, TRUE, CR_FLG_OLDRFCCMC); _JumpIfError(hr, error, "PKCSSetRequestFlags"); } } else { if (CR_IN_PKCS7 != (CR_IN_FORMATMASK & dwFlags)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "dwFlags"); }
// Expect only one signer for PKCS7 renewal requests. Pass the cert
// to the lowest level to see if it really is a renewal request.
iElement = 0; if (!CryptMsgGetAndVerifySigner( hMsg, 0, // cSignerStore
NULL, // rghSignerStore
CMSG_USE_SIGNER_INDEX_FLAG, &pCertSigner, &iElement)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgGetAndVerifySigner"); } hr = PKCSParseRequest( CR_IN_FORMATANY | (~CR_IN_FORMATMASK & pResult->dwFlagsTop), prow, cbContents, pbContents, pCertSigner, &fRenewal, pResult); _JumpIfError(hr, error, "PKCSParseRequest"); }
// Loop through the signers, verifying signatures and saving attributes.
cFirstSigner = 0; for (i = 0; i < cSigner; i++) { BOOL fNTAuth; BOOL fEnrollOnBehalfOf;
if (NULL != pcsi) { LocalFree(pcsi); pcsi = NULL; } if (NULL != pwszzIssuancePolicies) { LocalFree(pwszzIssuancePolicies); pwszzIssuancePolicies = NULL; } if (NULL != pwszzApplicationPolicies) { LocalFree(pwszzApplicationPolicies); pwszzApplicationPolicies = NULL; } if (NULL != pCertSigner) { CertFreeCertificateContext(pCertSigner); pCertSigner = NULL; } hr = myCryptMsgGetParam( hMsg, CMSG_CMS_SIGNER_INFO_PARAM, i, CERTLIB_USE_LOCALALLOC, (VOID **) &pcsi, &cb); _JumpIfError(hr, error, "myCryptMsgGetParam");
fFirstSigner = FALSE; if (fCMC && (CERT_ID_KEY_IDENTIFIER == pcsi->SignerId.dwIdChoice || (NULL != pcsi->HashEncryptionAlgorithm.pszObjId && 0 == strcmp( szOID_PKIX_NO_SIGNATURE, pcsi->HashEncryptionAlgorithm.pszObjId)))) { CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA cvse;
fFirstSigner = TRUE; ZeroMemory(&cvse, sizeof(cvse)); cvse.cbSize = sizeof(cvse); cvse.dwSignerIndex = i;
if (CERT_ID_KEY_IDENTIFIER == pcsi->SignerId.dwIdChoice) { if (NULL == pRequest) { hr = myGetInnerPKCS10( hMsg, pszInnerContentObjId, &pRequest); _JumpIfError(hr, error, "myGetInnerPKCS10"); } cvse.dwSignerType = CMSG_VERIFY_SIGNER_PUBKEY; cvse.pvSigner = &pRequest->SubjectPublicKeyInfo; } else { cvse.dwSignerType = CMSG_VERIFY_SIGNER_NULL; }
if (!CryptMsgControl( hMsg, 0, // dwFlags
CMSG_CTRL_VERIFY_SIGNATURE_EX, &cvse)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgControl(VerifySig)"); } } else { if (fCMC && (CRLF_ACCEPT_OLDRFC_CMC & g_dwCRLFlags) && CERT_ID_ISSUER_SERIAL_NUMBER == pcsi->SignerId.dwIdChoice) { hr = myIsFirstSigner( &pcsi->SignerId.IssuerSerialNumber.Issuer, &fFirstSigner); _JumpIfError(hr, error, "myIsFirstSigner"); } iElement = i; if (!CryptMsgGetAndVerifySigner( hMsg, 0, // cSignerStore
NULL, // rghSignerStore
CMSG_USE_SIGNER_INDEX_FLAG, &pCertSigner, &iElement)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgGetAndVerifySigner"); } }
// Only enroll-on-behalf-of requests may contain Name, Value pairs.
// Only enroll-on-behalf-of requests and renewal requests may contain
// certificate extensions.
dwDisallowFlags = PSA_DISALLOW_ARCHIVEDKEY; if (fRenewal) { dwDisallowFlags |= PSA_DISALLOW_NAMEVALUEPAIRS; } if (fCMC) { dwDisallowFlags |= PSA_DISALLOW_EXTENSIONS | PSA_DISALLOW_NAMEVALUEPAIRS; } fEnrollOnBehalfOf = FALSE; hr = pkcsSetAttributes( prow, EXTENSION_ORIGIN_PKCS7, dwDisallowFlags, pcsi->AuthAttrs.rgAttr, pcsi->AuthAttrs.cAttr, 0, NULL, &fEnrollOnBehalfOf, pResult); _JumpIfError(hr, error, "pkcsSetAttributes(Authenticated)");
if (fEnrollOnBehalfOf) { pResult->fEnrollOnBehalfOf = TRUE; }
// Pull encrypted private key out of unauthenticated attributes
hr = pkcsSetAttributes( prow, EXTENSION_ORIGIN_PKCS7, ((fTopLevel && fFirstSigner)? 0 : PSA_DISALLOW_ARCHIVEDKEY) | PSA_DISALLOW_EXTENSIONS | PSA_DISALLOW_NAMEVALUEPAIRS, pcsi->UnauthAttrs.rgAttr, pcsi->UnauthAttrs.cAttr, cbIn, fTopLevel? pbIn : NULL, NULL, pResult); _JumpIfError(hr, error, "pkcsSetAttributes(UNauthenticated)");
if (fFirstSigner) { cFirstSigner++; } else { // This is a renewal request, an enroll-on-behalf-of request, a CMC
// request or just a request inside a PKCS 7 -- verify the cert
// chain for all signers. If enroll-on-behalf-of on an Enterprise
// CA (if requester name is set in the authenticated attributes),
// check the signing cert via NTAuth policy and check for
// szOID_ENROLLMENT_AGENT usage. NtAuth verification was added to
// control the ability of enroll-on-behalf agents to add usernames
// to the PKCS7 wrapper.
fNTAuth = pResult->fEnrollOnBehalfOf && IsEnterpriseCA(g_CAType); dwVerifyContextFlags = 0; if (CRLF_REVCHECK_IGNORE_OFFLINE & g_dwCRLFlags) { dwVerifyContextFlags |= CA_VERIFY_FLAGS_IGNORE_OFFLINE; } if (fNTAuth) { dwVerifyContextFlags |= CA_VERIFY_FLAGS_NT_AUTH; }
hr = myVerifyCertContextEx( pCertSigner, dwVerifyContextFlags, (DWORD)(fNTAuth? ARRAYSIZE(apszEnrollOids) : 0), fNTAuth? apszEnrollOids : NULL, HCCE_LOCAL_MACHINE, // hChainEngine
NULL, // pft
hStore, // hAdditionalStore
NULL, // ppwszMissingIssuer
&pwszzIssuancePolicies, &pwszzApplicationPolicies); _JumpIfError(hr, error, "myVerifyCertContextEx");
if (fTopLevel) { // save Issuance Policies
hr = pkcsAppendPolicies( prow, wszPROPSIGNERPOLICIES, pwszzIssuancePolicies); _JumpIfError(hr, error, "pkcsAppendPolicies");
// save Application Policies
hr = pkcsAppendPolicies( prow, wszPROPSIGNERAPPLICATIONPOLICIES, pwszzApplicationPolicies); _JumpIfError(hr, error, "pkcsAppendPolicies"); } } } if (pResult->fEnrollOnBehalfOf) { hr = PKCSSetRequestFlags(prow, TRUE, CR_FLG_ENROLLONBEHALFOF); _JumpIfError(hr, error, "PKCSSetRequestFlags");
if (fCMC && cSigner == cFirstSigner) { hr = CRYPT_E_NO_TRUSTED_SIGNER; _JumpError(hr, error, "No NTAuth signer"); } } if ((fCMC && 1 < cFirstSigner) || (!fCMC && 0 < cFirstSigner)) { hr = NTE_BAD_SIGNATURE; _JumpError(hr, error, "cFirstSigner"); }
error: if (NULL != pRequest) { LocalFree(pRequest); } if (NULL != pcsi) { LocalFree(pcsi); } if (NULL != pwszzIssuancePolicies) { LocalFree(pwszzIssuancePolicies); } if (NULL != pwszzApplicationPolicies) { LocalFree(pwszzApplicationPolicies); } if (NULL != hMsg) { CryptMsgClose(hMsg); } if (NULL != pCertSigner) { CertFreeCertificateContext(pCertSigner); } if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } if (NULL != pbContents) { LocalFree(pbContents); } if (NULL != pszInnerContentObjId) { LocalFree(pszInnerContentObjId); } return(hr);}
typedef struct _REQUESTFORMATS{ char const *pszFormat; DWORD dwFlags;} REQUESTFORMATS;
REQUESTFORMATS g_arf[] = { { X509_CERT_REQUEST_TO_BE_SIGNED, CR_IN_PKCS10 }, { X509_KEYGEN_REQUEST_TO_BE_SIGNED, CR_IN_KEYGEN },};#define CREQUESTFORMATS ARRAYSIZE(g_arf)
HRESULTpkcsCrackRequestType( IN DWORD cbRequest, IN BYTE const *pbRequest, OUT DWORD *pdwFlags){ HRESULT hr; DWORD cb; BYTE *pbDecoded = NULL; REQUESTFORMATS const *prf; REQUESTFORMATS const *prfEnd; HCRYPTMSG hMsg = NULL; char *pszInnerContentObjId = NULL;
prfEnd = &g_arf[CREQUESTFORMATS]; for (prf = g_arf; prf < prfEnd; prf++) { CSASSERT(NULL == pbDecoded); if (myDecodeObject( X509_ASN_ENCODING, prf->pszFormat, pbRequest, cbRequest, CERTLIB_USE_LOCALALLOC, (VOID **) &pbDecoded, &cb)) { *pdwFlags = prf->dwFlags; break; } hr = myHLastError(); CSASSERT(S_OK != hr); } if (prf >= prfEnd) { CSASSERT(S_OK != hr);
hr = myDecodePKCS7( pbRequest, cbRequest, NULL, // ppbContents
NULL, // pcbContents
NULL, // pdwMsgType
&pszInnerContentObjId, NULL, // pcSigner
NULL, // pcRecipient
NULL, // phStore
&hMsg); _JumpIfError(hr, error, "myDecodePKCS7");
*pdwFlags = CR_IN_PKCS7; // default to renewal
if (NULL != pszInnerContentObjId && (0 == strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA) || 0 == strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA_OLDRFC))) { *pdwFlags = CR_IN_CMC; } } hr = S_OK;
error: if (NULL != hMsg) { CryptMsgClose(hMsg); } if (NULL != pszInnerContentObjId) { LocalFree(pszInnerContentObjId); } if (NULL != pbDecoded) { LocalFree(pbDecoded); } return(hr);}
HRESULTPKCSParseRequest( IN DWORD dwFlags, IN ICertDBRow *prow, IN DWORD cbRequest, IN BYTE const *pbRequest, IN CERT_CONTEXT const *pSigningAuthority, OPTIONAL OUT BOOL *pfRenewal, IN OUT CERTSRV_RESULT_CONTEXT *pResult){ HRESULT hr;
if (NULL != pfRenewal) { *pfRenewal = FALSE; }
if (CR_IN_FORMATANY == (CR_IN_FORMATMASK & dwFlags)) { hr = pkcsCrackRequestType(cbRequest, pbRequest, &dwFlags); _JumpIfError(hr, error, "pkcsCrackRequestType");
dwFlags |= ~CR_IN_FORMATMASK & pResult->dwFlagsTop;
// If this is the top level caller, store a more specific request type:
if (NULL == pfRenewal) { pResult->dwFlagsTop = dwFlags; hr = prow->SetProperty( g_wszPropRequestType, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(dwFlags), (BYTE const *) &dwFlags); _JumpIfError(hr, error, "SetProperty(reqtype)"); } }
switch (CR_IN_FORMATMASK & dwFlags) { case CR_IN_PKCS10: hr = pkcsParsePKCS10Request( dwFlags, prow, cbRequest, pbRequest, pSigningAuthority, pfRenewal, pResult); _JumpIfError(hr, error, "pkcsParsePKCS10Request"); break;
case CR_IN_KEYGEN: hr = pkcsParseKeyGenRequest( dwFlags, prow, cbRequest, pbRequest, pResult); _JumpIfError(hr, error, "pkcsParseKeyGenRequest"); break;
case CR_IN_CMC: case CR_IN_PKCS7: // PKCS7 requests can either be an 'enroll on behalf of', renewal
// request or a CMC request. We need to recursively unwrap it to
// process it.
hr = pkcsParsePKCS7Request( NULL == pfRenewal, // fTopLevel
dwFlags, prow, cbRequest, pbRequest, pResult); _JumpIfError(hr, error, "pkcsParsePKCS7Request");
break;
default: hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "dwFlags"); }
error: if (NULL == pfRenewal) { HRESULT hr2; DWORD cbData;
hr2 = prow->GetProperty( g_wszPropRequestRawRequest, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbData, NULL); if (S_OK != hr2) { hr2 = prow->SetProperty( g_wszPropRequestRawRequest, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, cbRequest, pbRequest); _PrintIfError(hr2, "SetProperty(request)"); if (S_OK == hr) { hr = hr2; } } } return(hr);}
HRESULTPKCSGetCRLList( IN BOOL fDelta, IN DWORD iCert, OUT WCHAR const * const **ppapwszCRLList){ HRESULT hr = E_INVALIDARG;
*ppapwszCRLList = NULL; if (iCert < g_cCACerts) { CACTX *pCAContext = &g_aCAContext[iCert];
if (NULL == pCAContext->pccCA) { hr = S_FALSE; goto error; } *ppapwszCRLList = fDelta? pCAContext->papwszDeltaCRLFiles : pCAContext->papwszCRLFiles; if (NULL != *ppapwszCRLList) { hr = S_OK; } }error: return(hr);}
HRESULTpkcsBuildCRLList( IN BOOL fDelta, IN OUT CACTX *pCAContext, OUT WCHAR ***ppapwszOut){ HRESULT hr; DWORD cFiles; CSURLTEMPLATE const *pTemplate; CSURLTEMPLATE const *pTemplateEnd;
cFiles = 0; pTemplateEnd = &g_paRevURL[g_caRevURL]; for (pTemplate = g_paRevURL; pTemplate < pTemplateEnd; pTemplate++) { if (CSURL_SERVERPUBLISH & pTemplate->Flags) { cFiles++; } } *ppapwszOut = (WCHAR **) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, (cFiles + 1) * sizeof((*ppapwszOut)[0])); if (NULL == *ppapwszOut) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } DBGPRINT(( DBG_SS_CERTSRVI, "CRLList alloc[%u] = %x @%x\n", cFiles, *ppapwszOut, ppapwszOut));
CSASSERT(NULL != g_strDomainDN && NULL != g_strConfigDN); cFiles = 0; for (pTemplate = g_paRevURL; pTemplate < pTemplateEnd; pTemplate++) { if (CSURL_SERVERPUBLISH & pTemplate->Flags) { hr = myFormatCertsrvStringArray( FALSE, // fURL
g_pwszServerName, // pwszServerName_p1_2
g_wszSanitizedName, // pwszSanitizedName_p3_7
pCAContext->iKey, // iCert_p4 -- use iKey!!
g_strDomainDN, // pwszDomainDN_p5
g_strConfigDN, // pwszConfigDN_p6
pCAContext->iKey, // iCRL_p8
fDelta, // fDeltaCRL_p9
FALSE, // fDSAttrib_p10_11
1, // cStrings
(LPCWSTR *) &pTemplate->pwszURL, // apwszStringsIn
&(*ppapwszOut)[cFiles]); // apwszStringsOut
_JumpIfError(hr, error, "myFormatCertsrvStringArray");
DBGPRINT(( DBG_SS_CERTSRVI, "CRLList format[%u] = %x @%x (%ws)\n", cFiles, (*ppapwszOut)[cFiles], &(*ppapwszOut)[cFiles], (*ppapwszOut)[cFiles]));
cFiles++; } } (*ppapwszOut)[cFiles] = NULL; hr = S_OK;
error: // Freeing the CACTX structure during shutdown will free orphaned CRL paths
return(hr);}
HRESULTpkcsBuildKeyAuthority2( IN DWORD EditFlags, IN CACTX const *pCAContext, OUT CRYPT_OBJID_BLOB *pKeyAuthority2){ HRESULT hr = S_OK; CERT_AUTHORITY_KEY_ID2_INFO keyAuth; CERT_ALT_NAME_ENTRY AltNameEntry;
if (0 == ((EDITF_ENABLEAKIKEYID | EDITF_ENABLEAKIISSUERNAME | EDITF_ENABLEAKIISSUERSERIAL) & EditFlags)) { goto error; } ZeroMemory(&keyAuth, sizeof(keyAuth));
// Issuer's KeyId:
if ((EDITF_ENABLEAKIKEYID & EditFlags) && NULL != pCAContext->IssuerKeyId.pbData) { keyAuth.KeyId = pCAContext->IssuerKeyId; }
// The Issuer's Issuer name and the Issuer's SerialNumber combined
// should uniquely identify the Issuer cert.
// Issuer's Issuer name:
// -------- ------ ----
if (EDITF_ENABLEAKIISSUERNAME & EditFlags) { AltNameEntry.dwAltNameChoice = CERT_ALT_NAME_DIRECTORY_NAME; AltNameEntry.DirectoryName = pCAContext->pccCA->pCertInfo->Issuer; keyAuth.AuthorityCertIssuer.cAltEntry = 1; keyAuth.AuthorityCertIssuer.rgAltEntry = &AltNameEntry; }
// Issuer's SerialNumber:
if (EDITF_ENABLEAKIISSUERSERIAL & EditFlags) { keyAuth.AuthorityCertSerialNumber = pCAContext->pccCA->pCertInfo->SerialNumber; }
// put in Key Authority Info
if (!myEncodeKeyAuthority2( X509_ASN_ENCODING, &keyAuth, CERTLIB_USE_LOCALALLOC, &pKeyAuthority2->pbData, &pKeyAuthority2->cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeKeyAuthority2"); }
error: return(hr);}
HRESULTpkcsBuildCDP( IN DWORD Flags, IN BOOL fDelta, IN CACTX const *pCAContext, OUT CRYPT_OBJID_BLOB *pCDP){ HRESULT hr; DWORD i; CSURLTEMPLATE const *pTemplate; CSURLTEMPLATE const *pTemplateEnd; CRL_DIST_POINTS_INFO CRLDistInfo; CRL_DIST_POINT CRLDistPoint; CERT_ALT_NAME_INFO *pAltInfo;
ZeroMemory(&CRLDistPoint, sizeof(CRLDistPoint)); pAltInfo = &CRLDistPoint.DistPointName.FullName;
pCDP->pbData = NULL; pCDP->cbData = 0;
if (0 != g_caRevURL) { pTemplateEnd = &g_paRevURL[g_caRevURL]; for (pTemplate = g_paRevURL; pTemplate < pTemplateEnd; pTemplate++) { if (Flags & pTemplate->Flags) { pAltInfo->cAltEntry++; } } } if (0 == pAltInfo->cAltEntry) { hr = S_FALSE; goto error; }
CRLDistInfo.cDistPoint = 1; CRLDistInfo.rgDistPoint = &CRLDistPoint;
CRLDistPoint.DistPointName.dwDistPointNameChoice = CRL_DIST_POINT_FULL_NAME;
pAltInfo->rgAltEntry = (CERT_ALT_NAME_ENTRY *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, pAltInfo->cAltEntry * sizeof(pAltInfo->rgAltEntry[0])); if (NULL == pAltInfo->rgAltEntry) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
CSASSERT(NULL != g_strDomainDN && NULL != g_strConfigDN); i = 0; for (pTemplate = g_paRevURL; pTemplate < pTemplateEnd; pTemplate++) { if (Flags & pTemplate->Flags) { hr = myFormatCertsrvStringArray( TRUE, // fURL
g_pwszServerName, // pwszServerName_p1_2
g_wszSanitizedName, // pwszSanitizedName_p3_7
pCAContext->iCert, // iCert_p4
g_strDomainDN, // pwszDomainDN_p5
g_strConfigDN, // pwszConfigDN_p6
pCAContext->iKey, // iCRL_p8
fDelta, // fDeltaCRL_p9
TRUE, // fDSAttrib_p10_11
1, // cStrings
(LPCWSTR *) &pTemplate->pwszURL, // apwszStringsIn
&pAltInfo->rgAltEntry[i].pwszURL); // apwszStringsOut
_JumpIfError(hr, error, "myFormatCertsrvStringArray");
pAltInfo->rgAltEntry[i].dwAltNameChoice = CERT_ALT_NAME_URL; i++; } } CSASSERT(pAltInfo->cAltEntry == i);
if (!myEncodeObject( X509_ASN_ENCODING, X509_CRL_DIST_POINTS, &CRLDistInfo, 0, CERTLIB_USE_LOCALALLOC, &pCDP->pbData, &pCDP->cbData)) { hr = myHLastError(); _JumpIfError(hr, error, "myEncodeObject"); } hr = S_OK;
error: if (NULL != pAltInfo->rgAltEntry) { for (i = 0; i < pAltInfo->cAltEntry; i++) { if (NULL != pAltInfo->rgAltEntry[i].pwszURL) { LocalFree(pAltInfo->rgAltEntry[i].pwszURL); } } LocalFree(pAltInfo->rgAltEntry); } return(hr);}
HRESULTpkcsBuildAIA( IN DWORD Flags, IN CACTX const *pCAContext, OUT CRYPT_OBJID_BLOB *pAIA){ HRESULT hr; DWORD cAIA; DWORD i; CSURLTEMPLATE const *pTemplate; CSURLTEMPLATE const *pTemplateEnd; CERT_AUTHORITY_INFO_ACCESS caio; CERT_ACCESS_DESCRIPTION *pcad;
caio.cAccDescr = 0; caio.rgAccDescr = NULL;
pAIA->pbData = NULL; pAIA->cbData = 0;
cAIA = 0; if (0 != g_caRevURL) { pTemplateEnd = &g_paCACertURL[g_caCACertURL]; for (pTemplate = g_paCACertURL; pTemplate < pTemplateEnd; pTemplate++) { if (Flags & pTemplate->Flags) { cAIA++; } } } if (0 == cAIA) { hr = S_FALSE; goto error; }
caio.rgAccDescr = (CERT_ACCESS_DESCRIPTION *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cAIA * sizeof(caio.rgAccDescr[0])); if (NULL == caio.rgAccDescr) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
CSASSERT(NULL != g_strDomainDN && NULL != g_strConfigDN); for (pTemplate = g_paCACertURL; pTemplate < pTemplateEnd; pTemplate++) { if (Flags & pTemplate->Flags) { pcad = &caio.rgAccDescr[caio.cAccDescr];
pcad->pszAccessMethod = (CSURL_ADDTOCERTOCSP & pTemplate->Flags)? szOID_PKIX_OCSP : szOID_PKIX_CA_ISSUERS; pcad->AccessLocation.dwAltNameChoice = CERT_ALT_NAME_URL;
hr = myFormatCertsrvStringArray( TRUE, // fURL
g_pwszServerName, // pwszServerName_p1_2
g_wszSanitizedName, // pwszSanitizedName_p3_7
pCAContext->iCert, // iCert_p4
g_strDomainDN, // pwszDomainDN_p5
g_strConfigDN, // pwszConfigDN_p6
pCAContext->iKey, // iCRL_p8
FALSE, // fDeltaCRL_p9
TRUE, // fDSAttrib_p10_11
1, // cStrings
(LPCWSTR *) &pTemplate->pwszURL, // apwszStringsIn
&pcad->AccessLocation.pwszURL); // apwszStringsOut
_JumpIfError(hr, error, "myFormatCertsrvStringArray");
caio.cAccDescr++; } } CSASSERT(caio.cAccDescr == cAIA);
if (!myEncodeObject( X509_ASN_ENCODING, X509_AUTHORITY_INFO_ACCESS, &caio, 0, CERTLIB_USE_LOCALALLOC, &pAIA->pbData, &pAIA->cbData)) { hr = myHLastError(); _JumpIfError(hr, error, "myEncodeObject"); } hr = S_OK;
error: if (NULL != caio.rgAccDescr) { for (i = 0; i < caio.cAccDescr; i++) { pcad = &caio.rgAccDescr[i]; if (NULL != pcad->AccessLocation.pwszURL) { LocalFree(pcad->AccessLocation.pwszURL); } } LocalFree(caio.rgAccDescr); } return(hr);}
// Find the newest cert with the matching key container name:
HRESULTpkcsFindMatchingKeyContext( OPTIONAL IN CERT_PUBLIC_KEY_INFO *pPublicKeyInfo, IN DWORD iKey, OUT CACTX **ppCAContext){ HRESULT hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); DWORD i; CACTX *pCAContext;
*ppCAContext = NULL; for (i = g_cCACerts; i > 0; i--) { pCAContext = &g_aCAContext[i - 1];
if ((MAXDWORD != iKey && iKey == pCAContext->iKey) || (NULL != pCAContext->pccCA && NULL != pPublicKeyInfo && CertComparePublicKeyInfo( X509_ASN_ENCODING, pPublicKeyInfo, &pCAContext->pccCA->pCertInfo->SubjectPublicKeyInfo))) { // by design, CertComparePublicKeyInfo doesn't set last error!
*ppCAContext = pCAContext; hr = S_OK; break; } } return(hr);}
HRESULTpkcsLoadTemplates( IN WCHAR const *pwszRegName, OUT CSURLTEMPLATE **ppaURL, OUT DWORD *pcaURL){ HRESULT hr; WCHAR *pwszzTemplates = NULL; WCHAR *pwsz; DWORD cTemplate = 0; CSURLTEMPLATE *pTemplate; DWORD Flags; WCHAR *pwsz2;
*ppaURL = NULL; *pcaURL = 0;
// get (multiple) path templates
hr = myGetCertRegMultiStrValue( g_wszSanitizedName, NULL, NULL, pwszRegName, &pwszzTemplates); _JumpIfError(hr, error, "myGetCertRegStrValue");
for (pwsz = pwszzTemplates; L'\0' != *pwsz; pwsz += wcslen(pwsz) + 1) { Flags = _wtoi(pwsz); pwsz2 = pwsz; while (iswdigit(*pwsz2)) { pwsz2++; } if (0 != Flags && pwsz2 > pwsz && L':' == *pwsz2) { cTemplate++; } } if (0 != cTemplate) { *ppaURL = (CSURLTEMPLATE *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cTemplate * sizeof((*ppaURL)[0])); if (NULL == *ppaURL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } pTemplate = *ppaURL; *pcaURL = cTemplate;
for (pwsz = pwszzTemplates; L'\0' != *pwsz; pwsz += wcslen(pwsz) + 1) { Flags = _wtoi(pwsz); pwsz2 = pwsz; while (iswdigit(*pwsz2)) { pwsz2++; } if (0 != Flags && pwsz2 > pwsz && L':' == *pwsz2) { pTemplate->Flags = Flags;
hr = myDupString(&pwsz2[1], &pTemplate->pwszURL); _JumpIfError(hr, error, "myDupString");
pTemplate++; } } CSASSERT(pTemplate == &(*ppaURL)[*pcaURL]); }
error: if (NULL != pwszzTemplates) { LocalFree(pwszzTemplates); } return(hr);}
VOIDpkcsFreeTemplates( IN OUT CSURLTEMPLATE **ppaURL, IN OUT DWORD *pcaURL){ CSURLTEMPLATE *pTemplate; CSURLTEMPLATE *pTemplateEnd;
if (0 != *pcaURL && NULL != *ppaURL) { pTemplateEnd = &(*ppaURL)[*pcaURL]; for (pTemplate = *ppaURL; pTemplate < pTemplateEnd; pTemplate++) { if (NULL != pTemplate->pwszURL) { LocalFree(pTemplate->pwszURL); } } LocalFree(*ppaURL); *ppaURL = NULL; }}
HRESULTpkcsGetCertFilename( IN WCHAR const *pwszSanitizedName, IN DWORD iCert, OUT WCHAR **ppwszCertFile){ HRESULT hr; WCHAR wszBuf[MAX_PATH]; WCHAR *pwszIndexedName = NULL; DWORD cwc;
*ppwszCertFile = NULL;
hr = myAllocIndexedName( pwszSanitizedName, iCert, &pwszIndexedName); _JumpIfError(hr, error, "myAllocIndexedName");
if (0 == GetEnvironmentVariable(L"SystemRoot", wszBuf, ARRAYSIZE(wszBuf))) { hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); _JumpError(hr, error, "GetEnvironmentVariable"); } cwc = wcslen(wszBuf) + WSZARRAYSIZE(L"\\System32\\" wszCERTENROLLSHAREPATH L"\\") + wcslen(g_pwszServerName) + WSZARRAYSIZE(L"_") + wcslen(pwszIndexedName) + WSZARRAYSIZE(L".crt") + 1;
*ppwszCertFile = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR)); if (NULL == *ppwszCertFile) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
wcscpy(*ppwszCertFile, wszBuf); wcscat(*ppwszCertFile, L"\\System32\\" wszCERTENROLLSHAREPATH L"\\"); wcscat(*ppwszCertFile, g_pwszServerName); wcscat(*ppwszCertFile, L"_"); wcscat(*ppwszCertFile, pwszIndexedName); wcscat(*ppwszCertFile, L".crt"); CSASSERT(1 + wcslen(*ppwszCertFile) == cwc);
error: if (NULL != pwszIndexedName) { LocalFree(pwszIndexedName); } return(hr);}
HRESULTpkcsReloadMissingCertByHash( IN HCERTSTORE hStore, IN WCHAR const *pwszSanitizedName, IN DWORD dwRegHashChoice, IN BYTE const *pbHashReg, IN DWORD cbHashReg, IN DWORD iHash){ HRESULT hr; DWORD cbHash; BYTE abHash[CBMAX_CRYPT_HASH_LEN]; BSTR strHash = NULL; ICertDBRow *prow = NULL; DWORD cbCert; BYTE *pbCert = NULL; WCHAR *pwszCertFile = NULL; CERT_CONTEXT const *pcc = NULL;
hr = MultiByteIntegerToBstr(TRUE, cbHashReg, pbHashReg, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
DBGPRINT(( DBG_SS_CERTSRV, "Reloading %wsContext[%u]\n %ws\n", CSRH_CASIGCERT == dwRegHashChoice? L"CA" : L"KRA", iHash, strHash));
hr = g_pCertDB->OpenRow( PROPOPEN_READONLY | PROPOPEN_CERTHASH | PROPTABLE_REQCERT, 0, strHash, &prow); _PrintIfErrorStr(hr, "OpenRow", strHash); if (S_OK == hr) { hr = PKCSGetProperty( prow, g_wszPropRawCertificate, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbCert, (BYTE **) &pbCert); _JumpIfError(hr, error, "PKCSGetProperty(cert)"); } else if (CSRH_CASIGCERT != dwRegHashChoice) { _JumpError(hr, error, "OpenRow"); } else { hr = pkcsGetCertFilename( pwszSanitizedName, iHash, &pwszCertFile); _JumpIfError(hr, error, "myGetCertFilename");
hr = DecodeFileW(pwszCertFile, &pbCert, &cbCert, CRYPT_STRING_ANY); _JumpIfError(hr, error, "DecodeFileW"); }
pcc = CertCreateCertificateContext(X509_ASN_ENCODING, pbCert, cbCert); if (NULL == pcc) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
cbHash = sizeof(abHash); if (!CertGetCertificateContextProperty( pcc, CERT_SHA1_HASH_PROP_ID, abHash, &cbHash)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateContextProperty"); } if (cbHash != cbHashReg || 0 != memcmp(abHash, pbHashReg, cbHash)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "wrong Cert"); }
// Add as encoded blob to avoid all properties, key prov info, etc.
if (!CertAddEncodedCertificateToStore( hStore, X509_ASN_ENCODING, pbCert, cbCert, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) // ppCertContext
{ hr = myHLastError(); _JumpError(hr, error, "CertAddEncodedCertificateToStore"); } DBGPRINT(( DBG_SS_CERTSRV, "Reloaded %wsContext[%u]\n", CSRH_CASIGCERT == dwRegHashChoice? L"CA" : L"KRA", iHash)); hr = S_OK;
error: if (NULL != pcc) { CertFreeCertificateContext(pcc); } if (NULL != pwszCertFile) { LocalFree(pwszCertFile); } if (NULL != prow) { prow->Release(); } if (NULL != pbCert) { LocalFree(pbCert); } if (NULL != strHash) { SysFreeString(strHash); } return(hr);}
HRESULTpkcsReloadMissingCAOrKRACert( IN HCERTSTORE hStore, IN WCHAR const *pwszSanitizedName, IN DWORD dwRegHashChoice, IN DWORD iHash){ HRESULT hr; BYTE *pbHashReg = NULL; DWORD cbHashReg;
hr = myGetCARegHash( pwszSanitizedName, dwRegHashChoice, iHash, &pbHashReg, &cbHashReg); _JumpIfError(hr, error, "myGetCARegHash");
hr = pkcsReloadMissingCertByHash( hStore, pwszSanitizedName, dwRegHashChoice, pbHashReg, cbHashReg, iHash); _JumpIfError(hr, error, "pkcsReloadMissingCertByHash");
error: if (NULL != pbHashReg) { LocalFree(pbHashReg); } return(hr);}
VOIDpkcsFreeBlobArray( IN DWORD cBlob, CERT_BLOB *rgBlob){ DWORD i;
for (i = 0; i < cBlob; i++) { if (NULL != rgBlob[cBlob].pbData) { LocalFree(rgBlob[i].pbData); } } LocalFree(rgBlob);}
HRESULTpkcsGetKRACertBlobs( IN ICertDBRow *prow, OUT DWORD *pcCertBlob, OUT CERT_BLOB **prgCertBlob){ HRESULT hr; WCHAR *pwszHashes = NULL; WCHAR *pwsz; DWORD cb; DWORD cHash; DWORD i; CERT_BLOB *rgBlob = NULL; HCERTSTORE hStore = NULL; CRYPT_DATA_BLOB HashBlob; DWORD cBlobLoaded; CERT_CONTEXT const *pcc = NULL;
HashBlob.pbData = NULL;
hr = PKCSGetProperty( prow, g_wszPropRequestKeyRecoveryHashes, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE **) &pwszHashes); _JumpIfError(hr, error, "PKCSGetProperty(KRA hashes)");
cHash = 1; pwsz = pwszHashes; while (TRUE) { pwsz = wcschr(pwsz, L'\n'); if (NULL == pwsz) { break; } *pwsz++ = L'\0'; cHash++; } cBlobLoaded = 0; rgBlob = (CERT_BLOB *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cHash * sizeof(rgBlob[0])); if (NULL == rgBlob) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
// open KRA store
hStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING, NULL, // hProv
CERT_SYSTEM_STORE_LOCAL_MACHINE, wszKRA_CERTSTORE); if (NULL == hStore) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); }
pwsz = pwszHashes; for (i = 0; i < cHash; i++) { BOOL fReloaded;
hr = WszToMultiByteInteger( TRUE, pwsz, &HashBlob.cbData, &HashBlob.pbData); _JumpIfError(hr, error, "WszToMultiByteInteger");
fReloaded = FALSE; while (TRUE) { pcc = CertFindCertificateInStore( hStore, X509_ASN_ENCODING, 0, CERT_FIND_HASH, &HashBlob, NULL); if (fReloaded || NULL != pcc) { break; } hr = pkcsReloadMissingCertByHash( hStore, g_wszSanitizedName, CSRH_CAKRACERT, HashBlob.pbData, HashBlob.cbData, i); _PrintIfError(hr, "pkcsReloadMissingCertByHash"); fReloaded = TRUE; } if (NULL == pcc) { hr = myHLastError(); _PrintError(hr, "CertFindCertificateInStore"); } else { rgBlob[cBlobLoaded].pbData = (BYTE *) LocalAlloc( LMEM_FIXED, pcc->cbCertEncoded); if (NULL == rgBlob[cBlobLoaded].pbData) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } rgBlob[cBlobLoaded].cbData = pcc->cbCertEncoded; CopyMemory( rgBlob[cBlobLoaded].pbData, pcc->pbCertEncoded, pcc->cbCertEncoded); cBlobLoaded++;
CertFreeCertificateContext(pcc); pcc = NULL; } pwsz += wcslen(pwsz) + 1; LocalFree(HashBlob.pbData); HashBlob.pbData = NULL; } *pcCertBlob = cBlobLoaded; *prgCertBlob = rgBlob; rgBlob = NULL;
error: if (NULL != rgBlob) { pkcsFreeBlobArray(cBlobLoaded, rgBlob); } if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } if (NULL != pcc) { CertFreeCertificateContext(pcc); } if (NULL != HashBlob.pbData) { LocalFree(HashBlob.pbData); } if (NULL != pwszHashes) { LocalFree(pwszHashes); } return(hr);}
HRESULTpkcsGetHashAsOctet( IN ICertDBRow *prow, OUT BYTE **ppbData, OUT DWORD *pcbData){ HRESULT hr; WCHAR *pwszHash = NULL; DWORD cb; CRYPT_DATA_BLOB Blob; DWORD cbHash;
*ppbData = NULL; Blob.pbData = NULL;
hr = PKCSGetProperty( prow, g_wszPropCertificateHash, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cb, (BYTE **) &pwszHash); _JumpIfError(hr, error, "PKCSGetProperty(hash)");
hr = WszToMultiByteInteger(TRUE, pwszHash, &Blob.cbData, &Blob.pbData); _JumpIfError(hr, error, "WszToMultiByteInteger");
if (!myEncodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, &Blob, 0, CERTLIB_USE_LOCALALLOC, ppbData, pcbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } hr = S_OK;
error: if (NULL != pwszHash) { LocalFree(pwszHash); } if (NULL != Blob.pbData) { LocalFree(Blob.pbData); } return(hr);}
VOIDAddCertBlobToArray( IN CERT_CONTEXT const *pcc, IN CERT_BLOB *rgCertBlobAll, IN CERT_BLOB **ppCertBlob){ CERT_BLOB *pCertBlob = *ppCertBlob; DWORD i; DWORD cBlob;
cBlob = SAFE_SUBTRACT_POINTERS(pCertBlob, rgCertBlobAll); for (i = 0; i < cBlob; i++) { if (rgCertBlobAll[i].cbData == pcc->cbCertEncoded && 0 == memcmp( rgCertBlobAll[i].pbData, pcc->pbCertEncoded, pcc->cbCertEncoded)) { DBGPRINT(( DBG_SS_CERTSRV, "Duplicate Recovery Blob Cert[%u]\n", i)); goto error; } } DBGPRINT(( DBG_SS_CERTSRV, "Adding Recovery Blob Cert[%u]\n", cBlob)); pCertBlob->cbData = pcc->cbCertEncoded; pCertBlob->pbData = pcc->pbCertEncoded; pCertBlob++;
*ppCertBlob = pCertBlob;
error: ;}
HRESULTPKCSGetArchivedKey( IN DWORD dwRequestId, OUT BYTE **ppbArchivedKey, // CoTaskMem*
OUT DWORD *pcbArchivedKey){ HRESULT hr; ICertDBRow *prow = NULL; BYTE *pbKey = NULL; DWORD cbKey; BYTE *pbCertUser = NULL; DWORD cbCertUser; DWORD cb; HCRYPTMSG hMsg = NULL; CACTX *pCAContext; CMSG_SIGNED_ENCODE_INFO SignedMsgEncodeInfo; CMSG_SIGNER_ENCODE_INFO SignerEncodeInfo; CERT_CONTEXT const *pccUser = NULL; CERT_CHAIN_CONTEXT const *pCertChainContextUser = NULL; CERT_CHAIN_PARA CertChainPara; CERT_BLOB *rgCertBlobKRA = NULL; DWORD cCertBlobKRA; CERT_BLOB *rgCertBlobAll = NULL; DWORD cCertBlobAll; CERT_BLOB *pCertBlob; CRYPT_ATTRIBUTE HashAttrib; CRYPT_ATTR_BLOB HashAttribBlob; DWORD i;
*ppbArchivedKey = NULL; HashAttribBlob.pbData = NULL;
hr = g_pCertDB->OpenRow( PROPOPEN_READONLY | PROPTABLE_REQCERT, dwRequestId, NULL, &prow); _JumpIfError(hr, error, "OpenRow");
hr = PKCSGetProperty( prow, g_wszPropRequestRawArchivedKey, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbKey, &pbKey); _JumpIfError(hr, error, "PKCSGetProperty(key)");
hr = pkcsGetKRACertBlobs(prow, &cCertBlobKRA, &rgCertBlobKRA); _JumpIfError(hr, error, "pkcsGetKRACertBlobs");
hr = pkcsGetHashAsOctet( prow, &HashAttribBlob.pbData, &HashAttribBlob.cbData); _JumpIfError(hr, error, "pkcsGetHashAsOctet");
HashAttrib.pszObjId = szOID_ARCHIVED_KEY_CERT_HASH; HashAttrib.cValue = 1; HashAttrib.rgValue = &HashAttribBlob;
hr = PKCSGetProperty( prow, g_wszPropRawCertificate, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbCertUser, &pbCertUser); _JumpIfError(hr, error, "PKCSGetProperty(cert)");
pccUser = CertCreateCertificateContext( X509_ASN_ENCODING, pbCertUser, cbCertUser); if (NULL == pccUser) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
// build the user cert chain
ZeroMemory(&CertChainPara, sizeof(CertChainPara)); CertChainPara.cbSize = sizeof(CertChainPara);
if (!CertGetCertificateChain( HCCE_LOCAL_MACHINE, pccUser, NULL, NULL, &CertChainPara, 0, NULL, &pCertChainContextUser)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateChain"); }
// make sure there is at least 1 simple chain
if (0 == pCertChainContextUser->cChain) { hr = E_INVALIDARG; _JumpError(hr, error, "No user chain"); }
// Encode the encrypted key into a PKCS 7, signed by the current CA cert.
// Initialize the CMSG_SIGNER_ENCODE_INFO structure for one signer.
pCAContext = g_pCAContextCurrent; cCertBlobAll = cCertBlobKRA + pCAContext->cCACertChain + pCertChainContextUser->rgpChain[0]->cElement;
rgCertBlobAll = (CERT_BLOB *) LocalAlloc( LMEM_FIXED, cCertBlobAll * sizeof(rgCertBlobAll[0])); if (NULL == rgCertBlobAll) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } pCertBlob = rgCertBlobAll;
CopyMemory(pCertBlob, rgCertBlobKRA, cCertBlobKRA * sizeof(pCertBlob[0])); pCertBlob += cCertBlobKRA;
// Add the current CA cert chain
for (i = 0; i < pCAContext->cCACertChain; i++) { AddCertBlobToArray( pCAContext->apCACertChain[i], rgCertBlobAll, &pCertBlob); }
// Add the user cert chain
{ CERT_SIMPLE_CHAIN *pSimpleChain;
pSimpleChain = pCertChainContextUser->rgpChain[0]; for (i = 0; i < pSimpleChain->cElement; i++) { AddCertBlobToArray( pSimpleChain->rgpElement[i]->pCertContext, rgCertBlobAll, &pCertBlob); } } CSASSERT(pCertBlob <= &rgCertBlobAll[cCertBlobAll]); DBGPRINT(( DBG_SS_CERTSRV, "Recovery Certs: %u --> %u\n", cCertBlobAll, SAFE_SUBTRACT_POINTERS(pCertBlob, rgCertBlobAll))); cCertBlobAll = SAFE_SUBTRACT_POINTERS(pCertBlob, rgCertBlobAll);
ZeroMemory(&SignerEncodeInfo, sizeof(SignerEncodeInfo)); SignerEncodeInfo.cbSize = sizeof(SignerEncodeInfo); SignerEncodeInfo.pCertInfo = pCAContext->pccCA->pCertInfo; SignerEncodeInfo.hCryptProv = pCAContext->hProvCA; SignerEncodeInfo.dwKeySpec = AT_SIGNATURE; SignerEncodeInfo.HashAlgorithm.pszObjId = szOID_OIWSEC_sha1; SignerEncodeInfo.cAuthAttr = 1; SignerEncodeInfo.rgAuthAttr = &HashAttrib; //SignerEncodeInfo.cUnauthAttr = 0;
//SignerEncodeInfo.rgUnauthAttr = NULL;
//SignerEncodeInfo.HashEncryptionAlgorithm.pszObjId = ???;
// CERT_ID_SHA1_HASH is not yet implemented in CryptMsgOpenToEncode
//SignerEncodeInfo.SignerId.dwIdChoice = CERT_ID_SHA1_HASH;
//SignerEncodeInfo.SignerId.HashId.cbData = cb;
//SignerEncodeInfo.SignerId.HashId.pbData = abHash;
ZeroMemory(&SignedMsgEncodeInfo, sizeof(SignedMsgEncodeInfo)); SignedMsgEncodeInfo.cbSize = sizeof(SignedMsgEncodeInfo); SignedMsgEncodeInfo.cSigners = 1; SignedMsgEncodeInfo.rgSigners = &SignerEncodeInfo; SignedMsgEncodeInfo.cCertEncoded = cCertBlobAll; SignedMsgEncodeInfo.rgCertEncoded = rgCertBlobAll; //SignedMsgEncodeInfo.cCrlEncoded = 0;
//SignedMsgEncodeInfo.rgCrlEncoded = NULL;
hMsg = CryptMsgOpenToEncode( PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, // dwFlags
CMSG_SIGNED, // dwMsgType
&SignedMsgEncodeInfo, // pvMsgEncodeInfo
NULL, // pszInnerContentObjID
NULL); // pStreamInfo
if (NULL == hMsg) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgOpenToDecode"); }
if (!CryptMsgUpdate(hMsg, pbKey, cbKey, TRUE)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgUpdate"); }
// Return the encoded and signed content.
// Use CMSG_CONTENT_PARAM to get the signed message.
hr = myCryptMsgGetParam( hMsg, CMSG_CONTENT_PARAM, 0, CERTLIB_USE_COTASKMEMALLOC, (VOID **) ppbArchivedKey, pcbArchivedKey); _JumpIfError(hr, error, "myCryptMsgGetParam");
error: if (pCertChainContextUser != NULL) { CertFreeCertificateChain(pCertChainContextUser); } if (NULL != pccUser) { CertFreeCertificateContext(pccUser); } if (NULL != hMsg) { CryptMsgClose(hMsg); } if (NULL != rgCertBlobKRA) { pkcsFreeBlobArray(cCertBlobKRA, rgCertBlobKRA); } if (NULL != rgCertBlobAll) { LocalFree(rgCertBlobAll); } if (NULL != HashAttribBlob.pbData) { LocalFree(HashAttribBlob.pbData); } if (NULL != pbKey) { LocalFree(pbKey); } if (NULL != pbCertUser) { LocalFree(pbCertUser); } if (NULL != prow) { prow->Release(); } return(hr);}
HRESULTpkcsGetKeyContainerName( IN CERT_CONTEXT const *pccCA, OUT WCHAR **ppwszKeyContainerName){ HRESULT hr; CRYPT_HASH_BLOB KeyIdentifier; CRYPT_KEY_PROV_INFO *pkpi = NULL; DWORD cb;
KeyIdentifier.pbData = NULL; *ppwszKeyContainerName = NULL;
hr = myGetPublicKeyHash( pccCA->pCertInfo, &pccCA->pCertInfo->SubjectPublicKeyInfo, &KeyIdentifier.pbData, &KeyIdentifier.cbData); _JumpIfError(hr, error, "myGetPublicKeyHash");
cb = 0; while (TRUE) { if (!CryptGetKeyIdentifierProperty( &KeyIdentifier, CERT_KEY_PROV_INFO_PROP_ID, CRYPT_KEYID_MACHINE_FLAG, NULL, // pwszComputerName
NULL, // pvReserved
pkpi, &cb)) { hr = myHLastError(); _JumpError(hr, error, "Cert index"); } if (NULL != pkpi) { break; } pkpi = (CRYPT_KEY_PROV_INFO *) LocalAlloc(LMEM_FIXED, cb); if (NULL == pkpi) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } } hr = myDupString(pkpi->pwszContainerName, ppwszKeyContainerName); _JumpIfError(hr, error, "myDupString");
error: if (NULL != pkpi) { LocalFree(pkpi); } if (NULL != KeyIdentifier.pbData) { LocalFree(KeyIdentifier.pbData); } return(hr);}
HRESULTpkcsLoadCAContext( IN WCHAR const *pwszSanitizedName, IN WCHAR *pwszProvName, IN DWORD dwProvType, IN ALG_ID idAlg, IN BOOL fMachineKeyset, IN DWORD iHash, IN HCERTSTORE hMyStore){ HRESULT hr; HCRYPTPROV hProvCA = NULL; char *pszObjIdSignatureAlgorithm = NULL; WCHAR *pwszKeyContainerName = NULL; CERT_CONTEXT const *pccCA = NULL; DWORD cCACertChain; CERT_CONTEXT const **apCACertChain = NULL; CERT_CHAIN_CONTEXT const *pCertChainContext = NULL; CERT_CHAIN_PARA CertChainPara; CRYPT_KEY_PROV_INFO *pKey = NULL; CACTX *pCAContext; DWORD i; DWORD cbKey; DWORD iCert; DWORD iKey; DWORD NameId; BOOL fReloaded;
hr = myGetSigningOID( NULL, // hProv
pwszProvName, dwProvType, idAlg, &pszObjIdSignatureAlgorithm); _JumpIfError(hr, error, "myGetSigningOID");
if (~_16BITMASK & iHash) { hr = E_INVALIDARG; _JumpError(hr, error, "Cert index"); }
fReloaded = FALSE; while (TRUE) { hr = myFindCACertByHashIndex( hMyStore, pwszSanitizedName, CSRH_CASIGCERT, iHash, &NameId, &pccCA); iCert = iHash; iKey = iCert; if (S_OK == hr) { break; }
// if no hash entry exists for this index, fake up a CA Context
// as a place holder.
if (S_FALSE == hr) { CSASSERT(MAXDWORD == NameId); CSASSERT(NULL == pccCA); break; } if (fReloaded || CRYPT_E_NOT_FOUND != hr) { _JumpError(hr, error, "myFindCACertByHashIndex"); } _PrintError(hr, "myFindCACertByHashIndex");
// The CA cert is missing from the HKLM "my" store -- look it up in
// the DB or the CertEnroll directory, and put it back in the store.
hr = pkcsReloadMissingCAOrKRACert( hMyStore, pwszSanitizedName, CSRH_CASIGCERT, iHash); _JumpIfError(hr, error, "pkcsReloadMissingCAOrKRACert");
fReloaded = TRUE; }
CSASSERT(S_FALSE == hr || S_OK == hr); if (S_OK == hr) { if (MAXDWORD != NameId && iCert != CANAMEIDTOICERT(NameId)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); DBGPRINT(( DBG_SS_CERTSRV, "NameId=%u.%u iCert=%u\n", CANAMEIDTOICERT(NameId), CANAMEIDTOIKEY(NameId), iCert)); _JumpError(hr, error, "bad iCert"); }
fReloaded = FALSE; while (TRUE) { if (NULL != pwszKeyContainerName) { LocalFree(pwszKeyContainerName); pwszKeyContainerName = NULL; } if (!fReloaded) { // get the private key provider info
if (!myCertGetCertificateContextProperty( pccCA, CERT_KEY_PROV_INFO_PROP_ID, CERTLIB_USE_LOCALALLOC, (VOID **) &pKey, &cbKey)) { hr = myHLastError(); if (CRYPT_E_NOT_FOUND != hr) { _JumpError(hr, error, "myCertGetCertificateContextProperty"); } _PrintError(hr, "CertGetCertificateContextProperty");
// The Key Provider Info is missing -- use the sanitized
// name and key index to construct the key container name.
// If that key matches, we'll write out the new Key
// Provider Info below.
hr = myAllocIndexedName( pwszSanitizedName, MAXDWORD != NameId? CANAMEIDTOIKEY(NameId) : iCert, &pwszKeyContainerName); _JumpIfError(hr, error, "myAllocIndexedName"); } else { hr = myDupString(pKey->pwszContainerName, &pwszKeyContainerName); _JumpIfError(hr, error, "myDupString"); } } else { hr = pkcsGetKeyContainerName(pccCA, &pwszKeyContainerName); _JumpIfError(hr, error, "pkcsGetKeyContainerName"); }
// signing testing
hr = myValidateHashForSigning( pwszKeyContainerName, pwszProvName, dwProvType, fMachineKeyset, &pccCA->pCertInfo->SubjectPublicKeyInfo, idAlg); if (S_OK == hr) { break; } if (fReloaded) { _JumpError(hr, error, "myValidateHashForSigning"); } _PrintError(hr, "myValidateHashForSigning");
fReloaded = TRUE; }
// If the Key Provider Info is missing, write out new Key Provider Info
if (NULL == pKey) { CRYPT_KEY_PROV_INFO kpi;
ZeroMemory(&kpi, sizeof(kpi)); kpi.pwszContainerName = pwszKeyContainerName; kpi.pwszProvName = pwszProvName; kpi.dwProvType = dwProvType; kpi.dwFlags = fMachineKeyset? CRYPT_MACHINE_KEYSET : 0; kpi.dwKeySpec = AT_SIGNATURE;
if (!CertSetCertificateContextProperty( pccCA, CERT_KEY_PROV_INFO_PROP_ID, 0, &kpi)) { hr = myHLastError(); _JumpError(hr, error, "CertSetCertificateContextProperty"); } DBGPRINT(( DBG_SS_CERTSRV, "Reloaded CAContext[%u] KeyProvInfo[%u]\n", iCert, iKey)); }
hr = pkcsFindMatchingKeyContext( &pccCA->pCertInfo->SubjectPublicKeyInfo, MAXDWORD, &pCAContext); if (S_OK != hr && MAXDWORD != NameId) { iKey = CANAMEIDTOIKEY(NameId); if (iKey < iCert) { hr = pkcsFindMatchingKeyContext(NULL, iKey, &pCAContext); _JumpIfError(hr, error, "pkcsFindMatchingKeyContext"); } } if (S_OK == hr) { iKey = pCAContext->iKey; if (MAXDWORD != NameId && iKey != CANAMEIDTOIKEY(NameId)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "bad iKey"); } if (NULL == pCAContext->pccCA) { CSASSERT(pCAContext->Flags & CTXF_CERTMISSING); pCAContext->Flags |= CTXF_CRLZOMBIE; } else { CSASSERT(0 == (pCAContext->Flags & CTXF_CERTMISSING)); pCAContext->Flags |= CTXF_SKIPCRL; } } else { g_cCAKeys++; // this key has not previously been loaded
}
DBGPRINT(( DBG_SS_CERTSRV, "CAContext[%u]: Key %u: %ws\n", iCert, iKey, pwszKeyContainerName));
// get private key handler for later use if current CA
if (!myCertSrvCryptAcquireContext( &hProvCA, pwszKeyContainerName, pwszProvName, dwProvType, g_fCryptSilent? CRYPT_SILENT : 0, fMachineKeyset)) { hr = myHLastError(); _JumpErrorStr( hr, error, "myCertSrvCryptAcquireContext", pwszKeyContainerName); }
// now try to figure out the chain
ZeroMemory(&CertChainPara, sizeof(CertChainPara)); CertChainPara.cbSize = sizeof(CertChainPara);
if (!CertGetCertificateChain( HCCE_LOCAL_MACHINE, pccCA, NULL, NULL, &CertChainPara, 0, NULL, &pCertChainContext)) { hr = myHLastError(); goto error; }
// make sure there is at least 1 simple chain
if (pCertChainContext->cChain == 0) { hr = E_INVALIDARG; _JumpError(hr, error, "No valid trust chain could be formed"); }
// tell global how many elements we have in our chain
cCACertChain = pCertChainContext->rgpChain[0]->cElement;
// Allocate memory for global. Allocate one extra pointer to allow loop
// to assign NULL pointer in place in array. Leave the count set to the
// actual number of CA cert contexts, excluding the NULL pointer.
apCACertChain = (CERT_CONTEXT const **) LocalAlloc( LMEM_FIXED, (cCACertChain + 1) * sizeof(apCACertChain[0])); if (NULL == apCACertChain) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
// copy chain in reverse order: from parent to child
{ int i;
for (i = cCACertChain - 1; i >= 0; i--) { apCACertChain[i] = CertDuplicateCertificateContext( pCertChainContext->rgpChain[0]->rgpElement[i]->pCertContext);
if (NULL == apCACertChain[i]) { hr = myHLastError(); _JumpError(hr, error, "CertDuplicateCertificateContext"); } } } }
for (i = 0; i < g_cCACerts; i++) { if (iCert < g_aCAContext[i].iCert) { MoveMemory( &g_aCAContext[i + 1], &g_aCAContext[i], (g_cCACerts - i) * sizeof(g_aCAContext[0])); break; } } g_cCACerts++;
pCAContext = &g_aCAContext[i]; ZeroMemory(pCAContext, sizeof(*pCAContext));
if (NULL == pccCA) { pCAContext->Flags |= CTXF_CERTMISSING | CTXF_SKIPCRL; } pCAContext->iCert = iCert; pCAContext->iKey = iKey; pCAContext->NameId = MAKECANAMEID(iCert, iKey);
pCAContext->hProvCA = hProvCA; hProvCA = NULL;
pCAContext->pccCA = pccCA; pccCA = NULL;
if (NULL != apCACertChain) { pCAContext->cCACertChain = cCACertChain; pCAContext->apCACertChain = apCACertChain; apCACertChain = NULL; }
pCAContext->pszObjIdSignatureAlgorithm = pszObjIdSignatureAlgorithm; pszObjIdSignatureAlgorithm = NULL;
pCAContext->pwszKeyContainerName = pwszKeyContainerName; pwszKeyContainerName = NULL;
// Ignore failure from here on -- collected data is optional
if (NULL != pCAContext->pccCA) { hr = myGetPublicKeyHash( pCAContext->pccCA->pCertInfo, &pCAContext->pccCA->pCertInfo->SubjectPublicKeyInfo, &pCAContext->IssuerKeyId.pbData, &pCAContext->IssuerKeyId.cbData); _PrintIfError(hr, "myGetPublicKeyHash");
if (0 == (CTXF_SKIPCRL & pCAContext->Flags)) { hr = pkcsBuildKeyAuthority2( g_CRLEditFlags, pCAContext, &pCAContext->KeyAuthority2CRL); _PrintIfError(hr, "pkcsBuildKeyAuthority2");
hr = pkcsBuildCDP( CSURL_ADDTOFRESHESTCRL, TRUE, pCAContext, &pCAContext->CDPCRLFreshest); _PrintIfError(hr, "pkcsBuildCDP");
hr = pkcsBuildCDP( CSURL_ADDTOCRLCDP, FALSE, pCAContext, &pCAContext->CDPCRLBase); _PrintIfError(hr, "pkcsBuildCDP");
hr = pkcsBuildCDP( CSURL_ADDTOCRLCDP, TRUE, pCAContext, &pCAContext->CDPCRLDelta); _PrintIfError(hr, "pkcsBuildCDP");
hr = pkcsBuildCRLList( FALSE, pCAContext, &pCAContext->papwszCRLFiles); _JumpIfError(hr, error, "pkcsBuildCRLList");
hr = pkcsBuildCRLList( TRUE, pCAContext, &pCAContext->papwszDeltaCRLFiles); _JumpIfError(hr, error, "pkcsBuildCRLList"); } } hr = S_OK;
error: if (NULL != hProvCA) { CryptReleaseContext(hProvCA, 0); } if (NULL != pszObjIdSignatureAlgorithm) { LocalFree(pszObjIdSignatureAlgorithm); } if (NULL != pwszKeyContainerName) { LocalFree(pwszKeyContainerName); } if (NULL != pKey) { LocalFree(pKey); } if (pCertChainContext != NULL) { CertFreeCertificateChain(pCertChainContext); } if (NULL != pccCA) { CertFreeCertificateContext(pccCA); } return(hr);}
HRESULTpkcsLoadCAContextArray( IN WCHAR const *pwszCommonName, IN WCHAR const *pwszSanitizedName){ HRESULT hr; DWORD cCACerts; HCERTSTORE hMyStore = NULL; WCHAR *pwszProvName = NULL; DWORD dwProvType; ALG_ID idAlg; BOOL fMachineKeyset; DWORD iHash;
// get provider name
hr = myGetCertSrvCSP( FALSE, // fEncryptionCSP
pwszSanitizedName, &dwProvType, &pwszProvName, &idAlg, &fMachineKeyset, NULL); // pdwKeySize
_JumpIfError(hr, error, "myGetCertSrvCSP");
// open MY store
hMyStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING, NULL, // hProv
CERT_SYSTEM_STORE_LOCAL_MACHINE, wszMY_CERTSTORE); if (NULL == hMyStore) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); }
// find & load CA certs, etc.
hr = myGetCARegHashCount(pwszSanitizedName, CSRH_CASIGCERT, &cCACerts); if (S_OK == hr && 0 == cCACerts) { hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); } _JumpIfError(hr, error, "myGetCARegHashCount");
g_aCAContext = (CACTX *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cCACerts * sizeof(g_aCAContext[0])); if (NULL == g_aCAContext) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
for (iHash = 0; iHash < cCACerts; iHash++) { hr = pkcsLoadCAContext( pwszSanitizedName, pwszProvName, dwProvType, idAlg, fMachineKeyset, iHash, hMyStore); if (S_FALSE == hr) { continue; } _JumpIfError(hr, error, "pkcsLoadCAContext"); }
g_pCAContextCurrent = &g_aCAContext[g_cCACerts - 1];
// Only build a Key Authority extension for the current CACTX -- it's the
// only one used to issue certs.
hr = pkcsBuildKeyAuthority2( EDITF_ENABLEAKIKEYID | EDITF_ENABLEAKIISSUERNAME | EDITF_ENABLEAKIISSUERSERIAL, g_pCAContextCurrent, &g_pCAContextCurrent->KeyAuthority2Cert); _PrintIfError(hr, "pkcsBuildKeyAuthority2");
// Only build a CDP extension for the current CACTX -- it's the
// only one used to issue certs.
hr = pkcsBuildCDP( CSURL_ADDTOCERTCDP, FALSE, g_pCAContextCurrent, &g_pCAContextCurrent->CDPCert); _PrintIfError(hr, "pkcsBuildCDP");
// Only build a CDP extension for the current CACTX -- it's the
// only one used to issue certs.
hr = pkcsBuildAIA( CSURL_ADDTOCERTCDP | CSURL_ADDTOCERTOCSP, g_pCAContextCurrent, &g_pCAContextCurrent->AIACert); _PrintIfError(hr, "pkcsBuildAIA");
hr = S_OK;
error: if (NULL != pwszProvName) { LocalFree(pwszProvName); } if (NULL != hMyStore) { CertCloseStore(hMyStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTpkcsImportCAOrKRACert( IN CERT_CONTEXT const *pcc, IN DWORD DBDisposition, OPTIONAL IN CACTX const *pCAContext){ HRESULT hr; BYTE abHash[CBMAX_CRYPT_HASH_LEN]; DWORD cbHash; BSTR strHash = NULL; ICertDBRow *prow = NULL; WCHAR *pwszUserName = NULL; DWORD cb; BOOL fCommit = FALSE; BOOL fCommitted = FALSE;
cbHash = sizeof(abHash); if (!CertGetCertificateContextProperty( pcc, CERT_HASH_PROP_ID, abHash, &cbHash)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateContextProperty"); }
hr = MultiByteIntegerToBstr(TRUE, cbHash, abHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
// Import Cert if it doesn't already exist in DB:
hr = g_pCertDB->OpenRow( PROPOPEN_CERTHASH | PROPTABLE_REQCERT, 0, strHash, &prow); if (S_OK != hr) { CSASSERT(CERTSRV_E_PROPERTY_EMPTY == hr);
hr = g_pCertDB->OpenRow(PROPTABLE_REQCERT, 0, NULL, &prow); _JumpIfError(hr, error, "OpenRow");
hr = PKCSParseImportedCertificate( DBDisposition, prow, pCAContext, pcc); _JumpIfError(hr, error, "PKCSParseImportedCertificate");
fCommit = TRUE; }
// Set requester name if missing
hr = prow->GetProperty( g_wszPropRequesterName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, NULL); if (CERTSRV_E_PROPERTY_EMPTY == hr) { hr = myGetComputerObjectName(NameSamCompatible, &pwszUserName); if (S_OK != hr) { _PrintError(hr, "myGetComputerObjectName");
hr = myGetUserNameEx(NameSamCompatible, &pwszUserName); _JumpIfError(hr, error, "myGetUserNameEx"); }
hr = prow->SetProperty( g_wszPropRequesterName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, MAXDWORD, (BYTE const *) pwszUserName); _JumpIfError(hr, error, "SetProperty");
hr = prow->SetProperty( g_wszPropCallerName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, MAXDWORD, (BYTE const *) pwszUserName); _JumpIfError(hr, error, "SetProperty");
fCommit = TRUE; } hr = prow->CommitTransaction(fCommit); _JumpIfError(hr, error, "CommitTransaction");
fCommitted = TRUE; hr = S_OK;
error: if (NULL != prow) { if (S_OK != hr && !fCommitted) { HRESULT hr2 = prow->CommitTransaction(FALSE); _PrintIfError(hr2, "CommitTransaction"); } prow->Release(); } if (NULL != pwszUserName) { LocalFree(pwszUserName); } if (NULL != strHash) { SysFreeString(strHash); } return(hr);}
HRESULTpkcsImportCAContext( IN CACTX const *pCAContext){ HRESULT hr; HRESULT hr2; DWORD i;
hr = S_OK; for (i = 0; i < pCAContext->cCACertChain; i++) { CERT_CONTEXT const *pCert = pCAContext->apCACertChain[i];
hr2 = pkcsImportCAOrKRACert( pCert, 0 == i? DB_DISP_CA_CERT : DB_DISP_CA_CERT_CHAIN, pCAContext); if (S_OK != hr2) { if (S_OK == hr) { hr = hr2; // return first error
} _PrintError(hr2, "pkcsImportCAOrKRACert"); continue; } } _JumpIfError(hr, error, "pkcsImportCAOrKRACert");
error: return(hr);}
HRESULTpkcsImportCAContextArray(){ HRESULT hr = S_OK; HRESULT hr2; DWORD i;
for (i = 0; i < g_cCACerts; i++) { CACTX *pCAContext = &g_aCAContext[i];
if (NULL == pCAContext->pccCA) { continue; } hr2 = pkcsImportCAContext(pCAContext); if (S_OK != hr2) { _PrintError(hr2, "pkcsImportCAContext"); if (S_OK == hr) { hr = hr2; // return first error
} } }
//error:
return(hr);}
PCCERT_CONTEXT pkcsFindCertificateInOtherStore( IN HCERTSTORE hOtherStore, IN PCCERT_CONTEXT pCert ){ BYTE rgbHash[SHA1_HASH_LENGTH]; CRYPT_DATA_BLOB HashBlob;
HashBlob.pbData = rgbHash; HashBlob.cbData = SHA1_HASH_LENGTH; if (!CertGetCertificateContextProperty( pCert, CERT_SHA1_HASH_PROP_ID, rgbHash, &HashBlob.cbData ) || SHA1_HASH_LENGTH != HashBlob.cbData) return NULL;
return CertFindCertificateInStore( hOtherStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, // dwCertEncodingType
0, // dwFindFlags
CERT_FIND_SHA1_HASH, (const void *) &HashBlob, NULL //pPrevCertContext
);}
HRESULT pkcsObtainNTAuthStore(IN HCERTSTORE *phCertStore){ HRESULT hr=E_INVALIDARG; HCERTSTORE hEnterpriseStore = NULL;
LPWSTR pwszLdapStore=NULL;
if((NULL==phCertStore) || (NULL==g_strConfigDN)) _JumpError(hr, error, "LocalAlloc for pwazLdapStore");
*phCertStore=NULL;
pwszLdapStore = (LPWSTR)LocalAlloc(LPTR, sizeof(WCHAR)*(wcslen(g_strConfigDN)+wcslen(g_wszNTAuth)));
if(pwszLdapStore == NULL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc for pwazLdapStore"); }
wsprintf(pwszLdapStore, g_wszNTAuth, g_strConfigDN);
hEnterpriseStore = CertOpenStore(CERT_STORE_PROV_LDAP, 0, 0, CERT_STORE_READONLY_FLAG | CERT_LDAP_STORE_SIGN_FLAG, pwszLdapStore);
if(NULL == hEnterpriseStore) { hr=myHLastError(); _JumpError(hr, error, "CertOpenStore"); }
*phCertStore=hEnterpriseStore;
hr = S_OK; error:
if(pwszLdapStore) LocalFree(pwszLdapStore);
return hr;}
HRESULTpkcsVerifySignatureCertContext( IN WCHAR const * pwszCommonName, IN HCERTSTORE hNTAuthStore, IN DWORD dwCAIndex, IN OUT CACTX *pCAContext, OUT DWORD *pLogMsg, OUT BOOL *pfWarn){ HRESULT hr; WCHAR awc[11]; WCHAR const *apwsz[2];
PCCERT_CONTEXT pCertContext = NULL;
*pLogMsg = 0; *pfWarn = FALSE; hr = myVerifyCertContext( pCAContext->pccCA, // pCert
0, // dwFlags
0, // cUsageOids
NULL, // apszUsageOids
HCCE_LOCAL_MACHINE, // hChainEngine
NULL, // hAdditionalStore
NULL); // ppwszMissingIssuer
pCAContext->hrVerifyStatus = hr; if (S_OK != hr) { _PrintError2(hr, "myVerifyCertContext", CRYPT_E_REVOCATION_OFFLINE); if (CERT_E_EXPIRED == hr) { pCAContext->Flags |= CTXF_EXPIRED; if (0 == (CRLF_PUBLISH_EXPIRED_CERT_CRLS & g_dwCRLFlags)) { pCAContext->Flags |= CTXF_SKIPCRL; } *pLogMsg = MSG_E_CA_CERT_EXPIRED; } else if (CRYPT_E_REVOKED == hr) { pCAContext->Flags |= CTXF_REVOKED | CTXF_SKIPCRL; *pLogMsg = MSG_E_CA_CERT_REVOKED; } else if (CRYPT_E_REVOCATION_OFFLINE == hr) { DWORD dwState;
hr = GetSetupStatus(NULL, &dwState); if ((S_OK != hr || 0 == (SETUP_CREATEDB_FLAG & dwState)) && CERTLOG_WARNING <= g_dwLogLevel) { *pLogMsg = MSG_E_CA_CERT_REVOCATION_OFFLINE; *pfWarn = TRUE; } else { hr = S_OK; } } else if (CRYPT_E_NO_REVOCATION_CHECK == hr) { if (CERTLOG_VERBOSE <= g_dwLogLevel) { *pLogMsg = MSG_E_CA_CERT_REVOCATION_NOT_CHECKED; *pfWarn = TRUE; } else { hr = S_OK; } } else { *pLogMsg = MSG_E_CA_CHAIN; } _JumpIfError(hr, error, "myVerifyCertContext"); }
//the CA's certificate looks good. We verify the CA's
//certificate is in the NTAuth store
if(hNTAuthStore) { if(NULL == (pCertContext=pkcsFindCertificateInOtherStore( hNTAuthStore, pCAContext->pccCA)))
{ wsprintf(awc, L"%u", dwCAIndex); apwsz[0] = awc; apwsz[1] = pwszCommonName;
LogEvent(EVENTLOG_WARNING_TYPE, MSG_CA_CERT_NO_IN_AUTH, ARRAYSIZE(apwsz), apwsz); }
if(pCertContext) CertFreeCertificateContext(pCertContext); }
error: return(hr);}
HRESULTpkcsVerifySignatureCertContextArray( IN WCHAR const * pwszCommonName, OUT DWORD *pLogMsg, OUT BOOL *pfWarn){ HRESULT hr; DWORD i; WCHAR const *apwsz[1];
HCERTSTORE hNTAuthStore=NULL;
CSASSERT(0 != g_cCACerts);
//we need to verify CA's certificates should be in
//the NTAuth store if the certificate is not yet expired or revoked
if(IsEnterpriseCA(g_CAType)) { pkcsObtainNTAuthStore(&hNTAuthStore);
if(NULL == hNTAuthStore) { apwsz[0] = pwszCommonName;
LogEvent(EVENTLOG_WARNING_TYPE, MSG_CA_CERT_NO_AUTH_STORE, ARRAYSIZE(apwsz), apwsz); } }
for (i = 0; i < g_cCACerts; i++) { CACTX *pCAContext = &g_aCAContext[i];
if (NULL == pCAContext->pccCA) { continue; }
// Ignore all errors except for the current CA (last entry in array)
hr = pkcsVerifySignatureCertContext( pwszCommonName, hNTAuthStore, i, pCAContext, pLogMsg, pfWarn); }
if(hNTAuthStore) CertCloseStore(hNTAuthStore, 0);
return(hr);}
VOIDPKCSVerifyCAState( IN OUT CACTX *pCAContext){ HRESULT hr; if (0 == pCAContext->Flags && NULL != pCAContext->pccCA) { DWORD LogMsg = MAXDWORD; BOOL fWarn = FALSE;
hr = pkcsVerifySignatureCertContext(NULL, NULL, 0, pCAContext, &LogMsg, &fWarn); if (S_OK != hr) { CSASSERT(MAXDWORD != LogMsg); LogEventStringHResult( fWarn? EVENTLOG_WARNING_TYPE : EVENTLOG_ERROR_TYPE, LogMsg, g_wszCommonName, hr); } }}
HRESULTpkcsVerifyDSCACert( IN LDAP *pld){ HRESULT hr; HCAINFO hCAInfo = NULL; PCCERT_CONTEXT pDSCertContext = NULL;
// BUGBUG: verify all of this CA's unexpired signature certs are in the DS.
// Republish any that aren't. Cleans up DS replication conflicts.
CSASSERT(g_pCAContextCurrent && g_pCAContextCurrent->pccCA);
hr = CAFindByName( g_wszSanitizedName, NULL, CA_FIND_LOCAL_SYSTEM | CA_FIND_INCLUDE_UNTRUSTED, // this will cause findbyname to skip
&hCAInfo); // ca cert checking
_JumpIfErrorStr(hr, error, "CAFindByName", g_wszSanitizedName);
hr = CAGetCACertificate(hCAInfo, &pDSCertContext); _JumpIfError(hr, error, "CAGetCACertificate");
if(!pDSCertContext || pDSCertContext->cbCertEncoded != g_pCAContextCurrent->pccCA->cbCertEncoded || 0 != memcmp(pDSCertContext->pbCertEncoded, g_pCAContextCurrent->pccCA->pbCertEncoded, g_pCAContextCurrent->pccCA->cbCertEncoded)) { // published cert is invalid or old, publish the current one
hr = CASetCACertificate( hCAInfo, g_pCAContextCurrent->pccCA); _JumpIfError(hr, error, "CASetCACertificate");
hr = CAUpdateCA(hCAInfo); _JumpIfError(hr, error, "CAUpdateCA");
{ CAuditEvent audit(SE_AUDITID_CERTSRV_PUBLISHCACERT, g_dwAuditFilter);
hr = audit.AddData( // %1 Certificate Hash
g_pCAContextCurrent->pccCA->pCertInfo->SerialNumber.pbData, g_pCAContextCurrent->pccCA->pCertInfo->SerialNumber.cbData); _JumpIfError(hr, error, "CAuditEvent::AddData");
hr = audit.AddData(g_pCAContextCurrent->pccCA->pCertInfo->NotBefore); // %2 Valid From
_JumpIfError(hr, error, "CAuditEvent::AddData");
hr = audit.AddData(g_pCAContextCurrent->pccCA->pCertInfo->NotAfter); //%3 Valid To
_JumpIfError(hr, error, "CAuditEvent::AddData");
hr = audit.Report(); _JumpIfError(hr, error, "CAuditEvent::Report"); } }
hr = S_OK;error:
if(hCAInfo) { CACloseCA(hCAInfo); } if(pDSCertContext) { CertFreeCertificateContext(pDSCertContext); } return(hr);}
VOIDpkcsReleaseKRACertArray(){ DWORD i;
if (NULL != g_rgKRACerts) { for (i = 0; i < g_cKRACerts; i++) { if (NULL != g_rgKRACerts[i]) { CertFreeCertificateContext(g_rgKRACerts[i]); } } LocalFree(g_rgKRACerts); g_rgKRACerts = NULL; } if (NULL != g_rgstrKRAHashes) { for (i = 0; i < g_cKRACerts; i++) { if (NULL != g_rgstrKRAHashes[i]) { SysFreeString(g_rgstrKRAHashes[i]); } } LocalFree(g_rgstrKRAHashes); g_rgstrKRAHashes = NULL; } g_cKRACerts = 0; g_hrKRALoad = S_OK;}
VOIDpkcsLogKRACertError( IN DWORD LogMsg, IN DWORD iHash, OPTIONAL IN CERT_CONTEXT const *pcc, IN HRESULT hrLog){ HRESULT hr; WCHAR awc[11]; WCHAR *pwszName = NULL; WCHAR const *pwszError = NULL; WCHAR const *apwsz[3];
wsprintf(awc, L"%u", iHash); apwsz[0] = awc;
if (NULL != pcc) { hr = myCertNameToStr( X509_ASN_ENCODING, &pcc->pCertInfo->Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszName); _PrintIfError(hr, "myCertNameToStr"); } apwsz[1] = NULL != pwszName? pwszName : L"";
pwszError = myGetErrorMessageText(hrLog, TRUE); apwsz[2] = NULL != pwszError? pwszError : L"";
LogEvent(EVENTLOG_ERROR_TYPE, LogMsg, ARRAYSIZE(apwsz), apwsz);
//error:
if (NULL != pwszName) { LocalFree(pwszName); } if (NULL != pwszError) { LocalFree(const_cast<WCHAR *>(pwszError)); }}
HRESULTpkcsLoadKRACertContext( IN DWORD iHash, IN HCERTSTORE hStore){ HRESULT hr; CERT_CONTEXT const *pcc = NULL; BSTR strHash = NULL; BYTE abHash[CBMAX_CRYPT_HASH_LEN]; DWORD cbHash; DWORD LogMsg = 0; BOOL fReloaded;
DBGPRINT((DBG_SS_CERTSRV, "Loading KRA Cert[%u]:\n", iHash));
fReloaded = FALSE; while (TRUE) { hr = myFindCACertByHashIndex( hStore, g_wszSanitizedName, CSRH_CAKRACERT, iHash, NULL, // pNameId
&pcc); if (S_OK == hr) { break; } if (fReloaded || CRYPT_E_NOT_FOUND != hr) { _JumpError(hr, error, "myFindCACertByHashIndex"); } _PrintError(hr, "myFindCACertByHashIndex");
// The KRA cert is missing from the HKLM "kra" store -- look it up in
// the DB, and put it back in the store.
hr = pkcsReloadMissingCAOrKRACert( hStore, g_wszSanitizedName, CSRH_CAKRACERT, iHash); _JumpIfError(hr, error, "pkcsReloadMissingCAOrKRACert");
fReloaded = TRUE; }
hr = myVerifyKRACertContext( pcc, (CRLF_REVCHECK_IGNORE_OFFLINE & g_dwCRLFlags)? CA_VERIFY_FLAGS_IGNORE_OFFLINE : 0); if (S_OK != hr) { LogMsg = MSG_E_INVALID_KRA_CERT; _JumpErrorStr(hr, error, "myVerifyKRACertContext", L"KRA cert invalid"); }
hr = pkcsImportCAOrKRACert(pcc, DB_DISP_KRA_CERT, NULL); _JumpIfError(hr, error, "pkcsReloadMissingCAOrKRACert");
cbHash = sizeof(abHash); if (!CertGetCertificateContextProperty( pcc, CERT_SHA1_HASH_PROP_ID, abHash, &cbHash)) { hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateContextProperty"); } hr = MultiByteIntegerToBstr(TRUE, cbHash, abHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
g_rgstrKRAHashes[g_cKRACerts] = strHash; g_rgKRACerts[g_cKRACerts] = pcc; g_cKRACerts++; strHash = NULL; pcc = NULL; hr = S_OK;
error: if (S_OK != hr) { if (0 == LogMsg) { LogMsg = MSG_E_CANNOT_LOAD_KRA_CERT; } pkcsLogKRACertError(LogMsg, iHash, pcc, hr); } if (NULL != strHash) { SysFreeString(strHash); } if (NULL != pcc) { CertFreeCertificateContext(pcc); } return(hr);}
HRESULTpkcsLoadKRACertArray(){ HRESULT hr; DWORD iHash; DWORD i; HCERTSTORE hStore = NULL; DWORD LogMsg = 0;
if (!g_fAdvancedServer) { LogMsg = MSG_E_KRA_NOT_ADVANCED_SERVER; hr = HRESULT_FROM_WIN32(ERROR_NOT_SUPPORTED); _JumpError(hr, error, "!g_fAdvancedServer"); }
// open KRA store
hStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING, NULL, // hProv
CERT_SYSTEM_STORE_LOCAL_MACHINE, wszKRA_CERTSTORE); if (NULL == hStore) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); }
// find & load KRA certs
hr = myGetCARegHashCount(g_wszSanitizedName, CSRH_CAKRACERT, &g_cKRAHashes); if (S_OK == hr && 0 == g_cKRAHashes) { hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); } _JumpIfError(hr, error, "myGetCARegHashCount");
g_rgKRACerts = (CERT_CONTEXT const **) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, g_cKRAHashes * sizeof(g_rgKRACerts[0])); if (NULL == g_rgKRACerts) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } g_rgstrKRAHashes = (BSTR *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, g_cKRAHashes * sizeof(g_rgstrKRAHashes[0])); if (NULL == g_rgstrKRAHashes) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
for (iHash = 0; iHash < g_cKRAHashes; iHash++) { hr = pkcsLoadKRACertContext(iHash, hStore); if (S_OK != hr) { _PrintError(hr, "pkcsLoadKRACertContext"); g_hrKRALoad = hr; } } if (0 == g_cKRACerts) { LogMsg = MSG_E_NO_VALID_KRA_CERTS; hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); _JumpError(hr, error, "g_cKRACerts == 0"); } g_iKRACerts = 0; if (g_cKRACerts > g_cKRACertsRoundRobin) { srand((unsigned) time(NULL)); g_iKRACerts = rand() % g_cKRACerts; } else { g_cKRACertsRoundRobin = g_cKRACerts; } hr = S_OK;
error: if (S_OK != hr) { if (0 == LogMsg) { LogMsg = MSG_E_LOADING_KRA_CERTS; } LogEventHResult(EVENTLOG_ERROR_TYPE, LogMsg, hr); pkcsReleaseKRACertArray(); } if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTpkcsExpandURL( IN WCHAR const *pwszURLTemplate, OUT WCHAR **ppwszURL){ HRESULT hr;
*ppwszURL = NULL;
CSASSERT(NULL != g_strDomainDN && NULL != g_strConfigDN); hr = myFormatCertsrvStringArray( FALSE, // fURL
g_pwszServerName, // pwszServerName_p1_2
g_wszSanitizedName, // pwszSanitizedName_p3_7
0, // iCert_p4
g_strDomainDN, // pwszDomainDN_p5
g_strConfigDN, // pwszConfigDN_p6
0, // iCRL_p8
FALSE, // fDeltaCRL_p9
FALSE, // fDSAttrib_p10_11
1, // cStrings
&pwszURLTemplate, // apwszStringsIn
ppwszURL); // apwszStringsOut
_JumpIfError(hr, error, "myFormatCertsrvStringArray");
error: return(hr);}
HRESULTpkcsPatchDN( IN HRESULT hrFail, IN WCHAR const *pwszRegName, IN OUT BSTR *pstrDSValue){ HRESULT hr; WCHAR *pwszRegValue = NULL; hr = myGetCertRegStrValue( g_wszSanitizedName, NULL, NULL, pwszRegName, &pwszRegValue); _PrintIfErrorStr(hr, "myGetCertRegStrValue", pwszRegName);
if (NULL != *pstrDSValue) { if (NULL == pwszRegValue || 0 != lstrcmp(*pstrDSValue, pwszRegValue)) { // set reg value
hr = mySetCertRegStrValue( g_wszSanitizedName, NULL, NULL, pwszRegName, *pstrDSValue); _PrintIfErrorStr(hr, "mySetCertRegStrValue", pwszRegName); } } else { if (NULL == pwszRegValue || L'\0' == *pwszRegValue) { hr = hrFail; _JumpError(hr, error, "both DS and Reg NULL"); } if (!ConvertWszToBstr(pstrDSValue, pwszRegValue, -1)) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "ConvertWszToBstr"); } } hr = S_OK;
error: if (NULL != pwszRegValue) { LocalFree(pwszRegValue); } return(hr);}
HRESULTpkcsGetAuthoritativeDomainDn( IN WCHAR const *pwszCommonName, OUT LDAP **ppld, OUT BSTR *pstrDomainDN, OUT BSTR *pstrConfigDN){ HRESULT hr; WCHAR *pwszConfigDN = NULL; WCHAR *pwszDomainDN = NULL;
// Get domain and config containers (%5, %6)
*ppld = NULL; *pstrDomainDN = NULL; *pstrConfigDN = NULL;
if (g_fUseDS) { HRESULT hr2;
hr = myRobustLdapBind(ppld, FALSE); if (S_OK != hr) { _PrintError(hr, "myRobustLdapBind"); } else { hr = myGetAuthoritativeDomainDn(*ppld, pstrDomainDN, pstrConfigDN); _PrintIfError(hr, "myGetAuthoritativeDomainDn"); } if (S_OK != hr) { LogEventStringHResult( EVENTLOG_ERROR_TYPE, MSG_E_DS_RETRY, pwszCommonName, hr); } hr2 = hr;
hr = pkcsPatchDN(hr2, wszREGDSCONFIGDN, pstrConfigDN); _JumpIfError(hr, error, "pkcsPatchDN");
hr = pkcsPatchDN(hr2, wszREGDSDOMAINDN, pstrDomainDN); _JumpIfError(hr, error, "pkcsPatchDN"); } else { *pstrDomainDN = SysAllocString(L""); *pstrConfigDN = SysAllocString(L""); if (NULL == *pstrDomainDN || NULL == *pstrConfigDN) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "SysAllocString"); } } hr = S_OK;
error: return(hr);}
HRESULTPKCSSetup( IN WCHAR const *pwszCommonName, IN WCHAR const *pwszSanitizedName){ HRESULT hr; LDAP *pld = NULL; DWORD LogMsg = MAXDWORD; BOOL fWarn = FALSE;
// set crypt handles and load certificate chain
hr = pkcsGetAuthoritativeDomainDn( pwszCommonName, &pld, &g_strDomainDN, &g_strConfigDN); if (S_OK != hr) { LogMsg = MSG_E_NO_DS; _JumpError(hr, error, "pkcsGetAuthoritativeDomainDn"); }
// get (multiple) CRL path templates
hr = pkcsLoadTemplates( wszREGCRLPUBLICATIONURLS, &g_paRevURL, &g_caRevURL); _PrintIfErrorStr(hr, "pkcsLoadTemplates", wszREGCRLPUBLICATIONURLS);
// get (multiple) CA Cert path templates
hr = pkcsLoadTemplates( wszREGCACERTPUBLICATIONURLS, &g_paCACertURL, &g_caCACertURL); _PrintIfErrorStr(hr, "pkcsLoadTemplates", wszREGCACERTPUBLICATIONURLS);
hr = DBOpen(pwszSanitizedName); if (S_OK != hr) { LogMsg = MSG_E_DB_INIT_FAILED; _JumpError(hr, error, "PKCSSetup:DBOpen"); }
hr = pkcsLoadCAContextArray(pwszCommonName, pwszSanitizedName); if (S_OK != hr) { LogMsg = MSG_E_CA_CHAIN; _JumpError(hr, error, "pkcsLoadCAContextArray"); }
hr = pkcsImportCAContextArray(); _PrintIfError(hr, "pkcsImportCAContextArray");
hr = pkcsVerifySignatureCertContextArray(pwszCommonName, &LogMsg, &fWarn); _JumpIfError(hr, error, "pkcsVerifySignatureCertContextArray");
if (0 != g_cKRACertsRoundRobin) { hr = pkcsLoadKRACertArray(); _PrintIfError(hr, "pkcsLoadKRACertArray"); }
hr = pkcsExpandURL(g_wszzLDAPKRACertURLTemplate, &g_pwszKRAPublishURL); _JumpIfError(hr, error, "pkcsExpandURL");
hr = pkcsExpandURL( g_wszzLDAPIssuerCertURLTemplate, &g_pwszAIACrossCertPublishURL); _JumpIfError(hr, error, "pkcsExpandURL");
hr = pkcsExpandURL( g_wszLDAPRootTrustURLTemplate, &g_pwszRootTrustCrossCertPublishURL); _JumpIfError(hr, error, "pkcsExpandURL");
if (NULL != pld) { hr = pkcsVerifyDSCACert(pld); _PrintIfError(hr, "pkcsVerifyDSCACert"); }
hr = S_OK;
error: if (NULL != pld) { ldap_unbind(pld); } if (S_OK != hr) { CSASSERT(MAXDWORD != LogMsg); if (!fWarn) { PKCSTerminate(); } LogEventStringHResult( fWarn? EVENTLOG_WARNING_TYPE : EVENTLOG_ERROR_TYPE, LogMsg, pwszCommonName, hr); if (fWarn) { hr = S_OK; } } return(hr);}
VOIDpkcsReleaseCACertificateChain( CERT_CONTEXT const **apCACertChain, DWORD cCACertChain){ DWORD i;
if (NULL != apCACertChain) { for (i = 0; i < cCACertChain; ++i) { CertFreeCertificateContext(apCACertChain[i]); } LocalFree(apCACertChain); }}
VOIDpkcsReleaseCAContext( IN OUT CACTX *pCAContext){ pkcsReleaseCACertificateChain( pCAContext->apCACertChain, pCAContext->cCACertChain); //pCAContext->apCACertChain = NULL;
//pCAContext->pccCA = NULL;
if (NULL != pCAContext->hProvCA) { CryptReleaseContext(pCAContext->hProvCA, 0); } if (NULL != pCAContext->IssuerKeyId.pbData) { LocalFree(pCAContext->IssuerKeyId.pbData); } if (NULL != pCAContext->pszObjIdSignatureAlgorithm) { LocalFree(pCAContext->pszObjIdSignatureAlgorithm); } if (NULL != pCAContext->KeyAuthority2Cert.pbData) { LocalFree(pCAContext->KeyAuthority2Cert.pbData); } if (NULL != pCAContext->KeyAuthority2CRL.pbData) { LocalFree(pCAContext->KeyAuthority2CRL.pbData); } if (NULL != pCAContext->CDPCert.pbData) { LocalFree(pCAContext->CDPCert.pbData); } if (NULL != pCAContext->CDPCRLFreshest.pbData) { LocalFree(pCAContext->CDPCRLFreshest.pbData); } if (NULL != pCAContext->CDPCRLBase.pbData) { LocalFree(pCAContext->CDPCRLBase.pbData); } if (NULL != pCAContext->CDPCRLDelta.pbData) { LocalFree(pCAContext->CDPCRLDelta.pbData); } if (NULL != pCAContext->AIACert.pbData) { LocalFree(pCAContext->AIACert.pbData); } if (NULL != pCAContext->pwszKeyContainerName) { LocalFree(pCAContext->pwszKeyContainerName); } if (NULL != pCAContext->papwszCRLFiles) { WCHAR **ppwsz;
for (ppwsz = pCAContext->papwszCRLFiles; NULL != *ppwsz; ppwsz++) { LocalFree(*ppwsz); } LocalFree(pCAContext->papwszCRLFiles); } if (NULL != pCAContext->papwszDeltaCRLFiles) { WCHAR **ppwsz;
for (ppwsz = pCAContext->papwszDeltaCRLFiles; NULL != *ppwsz; ppwsz++) { LocalFree(*ppwsz); } LocalFree(pCAContext->papwszDeltaCRLFiles); }}
VOIDpkcsReleaseCAContextArray(){ DWORD i;
if (NULL != g_aCAContext) { for (i = 0; i < g_cCACerts; i++) { pkcsReleaseCAContext(&g_aCAContext[i]); } LocalFree(g_aCAContext); g_aCAContext = NULL; } g_cCACerts = 0; g_pCAContextCurrent = NULL;}
// Trim off leading and trailing whitespace and separator characters
WCHAR *pkcsTrimToken( IN WCHAR *pwszIn, IN WCHAR wchSeparator){ WCHAR *pwsz;
while (wchSeparator == *pwszIn || iswspace(*pwszIn)) { pwszIn++; } pwsz = &pwszIn[wcslen(pwszIn)]; while (--pwsz >= pwszIn && (wchSeparator == *pwsz || iswspace(*pwsz))) { *pwsz = L'\0'; } if (L'\0' == *pwszIn) { pwszIn = NULL; } return(pwszIn);}
WCHAR *PKCSSplitToken( IN OUT WCHAR **ppwszIn, IN WCHAR *pwcSeparator, OUT BOOL *pfSplit){ WCHAR *pwszOut = NULL; WCHAR *pwszNext = NULL; BOOL fSplit = FALSE; WCHAR *pwszIn; WCHAR *pwsz;
pwszIn = *ppwszIn; if (NULL != pwszIn) { pwszOut = pwszIn; if (NULL != pwcSeparator) { pwsz = wcschr(pwszIn, *pwcSeparator); if (NULL != pwsz) { *pwsz = L'\0';
pwszNext = pkcsTrimToken(&pwsz[1], *pwcSeparator); pwszOut = pkcsTrimToken(pwszOut, *pwcSeparator); fSplit = TRUE; } } } *ppwszIn = pwszNext; *pfSplit = fSplit; return(pwszOut);}
HRESULTPKCSSetSubjectTemplate( IN WCHAR const *pwszzTemplate){ HRESULT hr; BOOL fSplit; WCHAR const *pwszz; WCHAR const *pwszPropName; BSTR bstrToken; SUBJECTTABLE const **ppSubject; SUBJECTTABLE const **pps; SUBJECTTABLE const *pSubject; DWORD dwIndex; DWORD cchMax;
hr = E_INVALIDARG; if (NULL == pwszzTemplate) { _JumpError(hr, error, "pwszzTemplate NULL"); } ppSubject = pkcs_apSubject; // fill in this empty subject array with string matches
for (pwszz = pwszzTemplate; L'\0' != *pwszz; pwszz += wcslen(pwszz) + 1) { pwszPropName = PKCSMapAttributeName(pwszz, NULL, &dwIndex, &cchMax); if (NULL == pwszPropName) { hr = E_INVALIDARG; _JumpErrorStr(hr, error, "PKCSMapAttributeName", pwszz); }
for (pSubject = pkcs_subject; ; pSubject++) { if (NULL == pSubject->pwszPropName) { _JumpError(hr, error, "pkcs_subject lookup"); } if (0 == lstrcmpi(pSubject->pwszPropName, pwszPropName)) { break; } } for (pps = pkcs_apSubject; pps < ppSubject; pps++) { if (*pps == pSubject) { _JumpErrorStr(hr, error, "pkcs_subject duplicate", pwszz); } } if (ppSubject >= &pkcs_apSubject[CSUBJECTTABLE]) { _JumpError(hr, error, "pkcs_subject overflow"); } DBGPRINT(( DBG_SS_CERTSRVI, "Subject Template[%u]: %hs -- %ws\n", SAFE_SUBTRACT_POINTERS(ppSubject, pkcs_apSubject), pSubject->pszObjId, pSubject->pwszPropName)); *ppSubject++ = pSubject; } CSASSERT(ppSubject <= &pkcs_apSubject[CSUBJECTTABLE]);
if (ppSubject == pkcs_apSubject) { _JumpError(hr, error, "pwszzTemplate empty"); } pkcs_ppSubjectLast = ppSubject - 1; pkcsfSubjectTemplate = TRUE; hr = S_OK;
error: return(hr);}
HRESULTpkcsSplitRDNComponents( IN SUBJECTTABLE const *pSubjectTable, IN OUT WCHAR *pwszRDN, // Parsing stomps string in-place
IN DWORD cAttrMax, OUT DWORD *pcAttr, OUT CERT_RDN_ATTR *rgAttr){ HRESULT hr; DWORD cAttr; DWORD i; DWORD cwc; WCHAR *pwszRemain; WCHAR const *pwszToken; WCHAR *pwszT; BOOL fSplit;
*pcAttr = 0; cAttr = 0; if (NULL != pwszRDN) { // Allocate memory for each RDN component filled in:
pwszRemain = pwszRDN; while (TRUE) { pwszToken = PKCSSplitToken( &pwszRemain, wszNAMESEPARATORDEFAULT, &fSplit); if (NULL == pwszToken) { break; }
if (cAttr >= cAttrMax) { hr = CERTSRV_E_BAD_REQUESTSUBJECT; _JumpError(hr, error, "Subject RDN overflow"); }
cwc = wcslen(pwszToken); if (g_fEnforceRDNNameLengths && cwc > pSubjectTable->cchMax) { DBGPRINT(( DBG_SS_CERTSRV, "RDN component too long: %u/%u: %ws[%u]=\"%ws\"\n", cwc, pSubjectTable->cchMax, pSubjectTable->pwszPropName, cAttr, pwszToken)); hr = CERTSRV_E_BAD_REQUESTSUBJECT; _JumpErrorStr(hr, error, "RDN component too long", pwszToken); } pwszT = (WCHAR *) LocalAlloc(LMEM_FIXED, (cwc + 1) * sizeof(WCHAR)); if (NULL == pwszT) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc(pwszToken)"); } wcscpy(pwszT, pwszToken);
rgAttr[cAttr].pszObjId = (char *) pSubjectTable->pszObjId; rgAttr[cAttr].dwValueType = CERT_RDN_ANY_TYPE; // 'best' encoding
rgAttr[cAttr].Value.pbData = (BYTE *) pwszT; rgAttr[cAttr].Value.cbData = 0; // Indicate Unicode input
cAttr++; } } *pcAttr = cAttr; hr = S_OK;
error: if (S_OK != hr) { for (i = 0; i < cAttr; i++) { LocalFree(rgAttr[i].Value.pbData); } } return(hr);}
#define CSUBJECTRDNMAX (4 * CSUBJECTTABLE)
HRESULTpkcsEncodeSubjectName( IN ICertDBRow *prow, IN CERT_RDN_ATTR const *rgAttr, IN DWORD cAttr, OUT BYTE **ppbData, OUT DWORD *pcbData){ HRESULT hr; DWORD i; DWORD cbprop; DWORD dwRequestFlags; DWORD dwFlags; CERT_RDN rgRDN[CSUBJECTRDNMAX]; CERT_NAME_INFO nameinfo;
CSASSERT(ARRAYSIZE(rgRDN) >= cAttr); for (i = 0; i < cAttr; i++) { rgRDN[i].cRDNAttr = 1; rgRDN[i].rgRDNAttr = (CERT_RDN_ATTR *) &rgAttr[i]; } nameinfo.cRDN = cAttr; nameinfo.rgRDN = rgRDN;
cbprop = sizeof(dwRequestFlags); hr = prow->GetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbprop, (BYTE *) &dwRequestFlags); _JumpIfError(hr, error, "GetProperty");
CSASSERT(sizeof(dwRequestFlags) == cbprop); dwFlags = 0; if (CR_FLG_FORCETELETEX & dwRequestFlags) { dwFlags |= CERT_RDN_ENABLE_T61_UNICODE_FLAG; } if (CR_FLG_FORCEUTF8 & dwRequestFlags) { dwFlags |= CERT_RDN_ENABLE_UTF8_UNICODE_FLAG; }
if (!myEncodeName( X509_ASN_ENCODING, &nameinfo, dwFlags, CERTLIB_USE_LOCALALLOC, ppbData, pcbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeName"); }
error: return(hr);}
HRESULTpkcsBuildSubjectFromNamesTable( IN ICertDBRow *prow, OUT CERT_NAME_BLOB *pSubject){ HRESULT hr; DWORD cbData = 0; DWORD i; DWORD cAttr; DWORD cAttrT; CERT_RDN_ATTR rgAttr[CSUBJECTRDNMAX]; SUBJECTTABLE const * const *ppSubject; WCHAR *pwszData = NULL;
pSubject->pbData = NULL; CSASSERT(NULL != pkcs_ppSubjectLast);
cAttr = 0; for ( ppSubject = pkcs_ppSubjectLast; ppSubject >= pkcs_apSubject; ppSubject--) { hr = PKCSGetProperty( prow, (*ppSubject)->pwszPropName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbData, (BYTE **) &pwszData); if (S_OK != hr) { continue; } if (0 != cbData) {
// Allocates memory for each RDN component filled in:
hr = pkcsSplitRDNComponents( *ppSubject, pwszData, ARRAYSIZE(rgAttr) - cAttr, &cAttrT, &rgAttr[cAttr]); _JumpIfError(hr, error, "SplitRDNComponents");
cAttr += cAttrT; } LocalFree(pwszData); pwszData = NULL; }
// done building string of subject entries, time to encode
hr = pkcsEncodeSubjectName( prow, rgAttr, cAttr, &pSubject->pbData, &pSubject->cbData); _JumpIfError(hr, error, "pkcsEncodeSubjectName");
hr = prow->SetProperty( g_wszPropSubjectRawName, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, pSubject->cbData, pSubject->pbData); _JumpIfError(hr, error, "SetProperty");
pkcsSetDistinguishedName(prow, PROPTABLE_CERTIFICATE, pSubject);
error: for (i = 0; i < cAttr; i++) { LocalFree(rgAttr[i].Value.pbData); } if (NULL != pwszData) { LocalFree(pwszData); } return(hr);}
HRESULTpkcsCheck7f( IN ICertDBRow *prow, IN BYTE const *pbCert, IN DWORD cbCert, OUT BOOL *pfErrorLogged){ HRESULT hr; DWORD cbProp; WCHAR awcSubject[1024]; WCHAR wszDword[2+8+1]; WCHAR wszRequestId[11+1]; WCHAR const *pwszDword; WORD cString = 0; WCHAR const *apwsz[4];
DWORD State; DWORD Index1; DWORD Index2; DWORD cwcField; WCHAR wszField[128]; DWORD cwcObjectId; WCHAR wszObjectId[128]; WCHAR const *pwszObjectIdDescription = NULL; WCHAR *wszBuf=NULL; const DWORD dwDefaultBufSize = 2048*sizeof(WCHAR);
*pfErrorLogged = FALSE; cwcField = sizeof(wszField)/sizeof(wszField[0]); cwcObjectId = sizeof(wszObjectId)/sizeof(wszObjectId[0]); hr = myCheck7f( pbCert, cbCert, FALSE, &State, &Index1, &Index2, &cwcField, wszField, &cwcObjectId, wszObjectId, &pwszObjectIdDescription); // Static: do not free!
_JumpIfError(hr, error, "myCheck7f");
if (CHECK7F_NONE != State) { DWORD ReqId;
wszBuf = (WCHAR*)LocalAlloc(LMEM_FIXED, dwDefaultBufSize); if (NULL == wszBuf) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
prow->GetRowId(&ReqId); wsprintf(wszRequestId, L"%u", ReqId); apwsz[cString++] = wszRequestId; apwsz[cString++] = wszDword;
cbProp = sizeof(awcSubject); hr = prow->GetProperty( g_wszPropSubjectDistinguishedName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbProp, (BYTE *) awcSubject); if (S_OK != hr) { _PrintError(hr, "GetProperty(DN)"); wcscpy(awcSubject, L"???"); } apwsz[cString++] = awcSubject;
wcscpy(wszBuf, wszField); if (0 != Index1) { wsprintf( &wszBuf[wcslen(wszBuf)], 0 != Index2? L"[%u,%u]" : L"[%u]", Index1 - 1, Index2 - 1); }
if (0 != cwcObjectId) { wcscat(wszBuf, L" ObjectId="); wcscat(wszBuf, wszObjectId); } if (NULL != pwszObjectIdDescription) { // If buffer too small, reallocate enough space for old buffer,
// OID description, () and trailing zero
DWORD dwBufLen = (wcslen(wszBuf)+wcslen(pwszObjectIdDescription)+3)* sizeof(WCHAR); if(dwDefaultBufSize<dwBufLen) { WCHAR *pTempBuf = (WCHAR*)LocalReAlloc( wszBuf, dwBufLen, LMEM_MOVEABLE); if(NULL == pTempBuf) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalReAlloc"); } wszBuf = pTempBuf; }
wcscat(wszBuf, L" ("); wcscat(wszBuf, pwszObjectIdDescription); wcscat(wszBuf, L")"); } apwsz[cString++] = wszBuf;
hr = CERTSRV_E_ENCODING_LENGTH; wsprintf(wszDword, L"0x%x", hr);
if (CERTLOG_ERROR <= g_dwLogLevel) { LogEvent( EVENTLOG_ERROR_TYPE, MSG_E_BADCERTLENGTHFIELD, cString, apwsz); }
CONSOLEPRINT4(( DBG_SS_CERTSRV, "CertSrv Request %u: rc=%x: Bad encoded length detected: %ws \"%ws\"\n", ReqId, hr, wszBuf, awcSubject)); *pfErrorLogged = TRUE; }error:
if (NULL != wszBuf) { LocalFree(wszBuf); } return(hr);}
HRESULTpkcsCreateCertSerialNumber( IN ICertDBRow *prow, IN CACTX const *pCAContext, OUT BSTR *pstrSerialNumber){ HRESULT hr; DWORD dw; USHORT us; BYTE abRandom[8]; BYTE abSerial[max( sizeof(dw) + sizeof(us) + sizeof(dw), sizeof(dw) + sizeof(us) + sizeof(abRandom) + sizeof(dw) + sizeof(BYTE))]; BSTR strSerialNumber = NULL; DWORD cbSerial; BYTE *pb; DWORD cb;//#define TEST_SPECIAL_SERIAL_NUMBERS
#ifdef TEST_SPECIAL_SERIAL_NUMBERS
BOOL fAddZeroByte = FALSE;#endif
*pstrSerialNumber = NULL; pb = abSerial;
prow->GetRowId(&dw); CopyMemory(pb, &dw, sizeof(dw)); pb += sizeof(dw);
us = (USHORT) pCAContext->iCert; CopyMemory(pb, &us, sizeof(us)); pb += sizeof(us);
if (0 != g_dwHighSerial) { if (!CryptGenRandom( g_pCAContextCurrent->hProvCA, ARRAYSIZE(abRandom), abRandom)) { hr = myHLastError(); _PrintError(hr, "CryptGenRandom"); memset(abRandom, g_dwHighSerial, sizeof(abRandom)); } CopyMemory(pb, abRandom, sizeof(abRandom)); pb += sizeof(abRandom);
CopyMemory(pb, &dw, sizeof(dw)); pb += sizeof(dw);
*pb++ = (BYTE) g_dwHighSerial; } else { dw = GetTickCount(); CopyMemory(pb, &dw, sizeof(dw)); pb += sizeof(dw); } cbSerial = SAFE_SUBTRACT_POINTERS(pb, abSerial);
// Make sure the sreial number doesn't overflow the buffer:
CSASSERT(sizeof(abSerial) >= cbSerial);
// IETF max serial number length is 20 bytes:
CSASSERT(20 >= cbSerial);
pb--; if (0 == *pb) { *pb = 'a'; } else if (0 == (0xf0 & *pb)) { *pb |= 0x10; // make high nibble non-zero
} *pb &= 0x7f; // Some clients can't handle negative serial numbers:
#ifdef TEST_SPECIAL_SERIAL_NUMBERS
if (1 & abSerial[0]) { *pb |= 0x80; // Test negative serial numbers:
if (2 & abSerial[0]) { *pb-- = 0; // Test high zero byte serial numbers:
*pb |= 0x80; // Test negative serial numbers:
fAddZeroByte = TRUE; } }#endif
hr = MultiByteIntegerToBstr(FALSE, cbSerial, abSerial, &strSerialNumber); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
#ifdef TEST_SPECIAL_SERIAL_NUMBERS
if (fAddZeroByte) { BSTR str = NULL;
str = SysAllocStringLen(NULL, 2 + wcslen(strSerialNumber)); if (NULL != str) { wcscpy(str, L"00"); wcscat(str, strSerialNumber); SysFreeString(strSerialNumber); strSerialNumber = str; } }#endif
*pstrSerialNumber = strSerialNumber; strSerialNumber = NULL; hr = S_OK;
error: if (NULL != strSerialNumber) { SysFreeString(strSerialNumber); } return(hr);}
HRESULTPKCSVerifySubjectRDN( IN ICertDBRow *prow, IN WCHAR const *pwszPropertyName, OPTIONAL IN WCHAR const *pwszPropertyValue, OUT BOOL *pfSubjectDot){ HRESULT hr; WCHAR const *pwsz; WCHAR const *pwszName = pwszPropertyName; WCHAR wszPrefix[ARRAYSIZE(wszPROPSUBJECTDOT)]; SUBJECTTABLE const *pSubjectTable; DWORD i; DWORD cAttr = 0; CERT_RDN_ATTR rgAttr[CSUBJECTRDNMAX]; WCHAR *pwszValue = NULL; DWORD cbData; BYTE *pbData = NULL;
hr = S_OK; *pfSubjectDot = FALSE;
// Check to see if the request is for L"Subject.".
pwsz = wcschr(pwszName, L'.'); if (NULL != pwsz && SAFE_SUBTRACT_POINTERS(pwsz, pwszName) + 2 == ARRAYSIZE(wszPrefix)) { pwsz++; // skip past L'.'
CopyMemory( wszPrefix, pwszName, (SAFE_SUBTRACT_POINTERS(pwsz, pwszName) * sizeof(WCHAR))); wszPrefix[ARRAYSIZE(wszPrefix) - 1] = L'\0';
if (0 == lstrcmpi(wszPrefix, wszPROPSUBJECTDOT)) { pwszName = pwsz; if (L'\0' == *pwszName) { *pfSubjectDot = TRUE; } } }
if (!*pfSubjectDot) { for (pSubjectTable = pkcs_subject; ; pSubjectTable++) { WCHAR const * const *ppwsz;
if (NULL == pSubjectTable->pwszPropName) { goto error; }
// Check for matching full name without "Subject." prefix:
pwsz = wcschr(pSubjectTable->pwszPropName, L'.'); if (NULL != pwsz && 0 == lstrcmpi(pwszName, &pwsz[1])) { break; }
// Check for matching OID:
if (!iswdigit(*pwszName)) { continue; } for ( ppwsz = pSubjectTable->apwszAttributeName; NULL != *ppwsz; ppwsz++) { if (*pwszName == **ppwsz && 0 == lstrcmp(pwszName, *ppwsz)) { break; } } if (NULL != *ppwsz) { break; } } }
// It's a valid Certificate Table Subject RDN. Call pkcsSplitRDNComponents
// to split the string into individual RDN components and optionally
// enforce each component is under the maximum length.
DBGPRINT(( DBG_SS_CERTSRVI, "PKCSVerifySubjectRDN(%ws) --> '%ws'\n", pwszPropertyName, pwszName));
if (!*pfSubjectDot && NULL != pwszPropertyValue) { pwszValue = (WCHAR *) LocalAlloc( LMEM_FIXED, (wcslen(pwszPropertyValue) + 1) * sizeof(WCHAR)); if (NULL == pwszValue) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } wcscpy(pwszValue, pwszPropertyValue);
hr = pkcsSplitRDNComponents( pSubjectTable, pwszValue, ARRAYSIZE(rgAttr), &cAttr, rgAttr); _JumpIfError(hr, error, "SplitRDNComponents");
// Call myEncodeName merely to test for valid string data.
// Some RDN OIDs are restricted to IA5 strings.
hr = pkcsEncodeSubjectName(prow, rgAttr, cAttr, &pbData, &cbData); _JumpIfError(hr, error, "pkcsEncodeSubjectName"); } hr = PKCSSetRequestFlags(prow, FALSE, CR_FLG_SUBJECTUNMODIFIED); _JumpIfError(hr, error, "PKCSSetRequestFlags");
error: for (i = 0; i < cAttr; i++) { LocalFree(rgAttr[i].Value.pbData); } if (NULL != pbData) { LocalFree(pbData); } if (NULL != pwszValue) { LocalFree(pwszValue); } return(hr);}
HRESULTPKCSDeleteAllSubjectRDNs( IN ICertDBRow *prow, IN DWORD Flags){ HRESULT hr; SUBJECTTABLE const *pSubjectTable; WCHAR const *pwszPropName = NULL;
for (pSubjectTable = pkcs_subject; ; pSubjectTable++) { if (NULL == pSubjectTable->pwszPropName) { break; } hr = prow->SetProperty(pSubjectTable->pwszPropName, Flags, 0, NULL); _JumpIfError(hr, error, "SetProperty"); } hr = S_OK;
error: return(hr);}
HRESULTpkcsverifyIssuedPolices( IN CERT_CONTEXT const *pcc, IN CHAR const *pszObjId, OPTIONAL IN WCHAR const *pwszzPolicies){ HRESULT hr; CERT_EXTENSION const *pExt; CERT_POLICIES_INFO *pcpsi = NULL; DWORD cb; DWORD i; WCHAR const *pwsz; WCHAR *pwszObjId = NULL;
if (NULL == pwszzPolicies) { hr = S_OK; goto error; } pExt = CertFindExtension( pszObjId, pcc->pCertInfo->cExtension, pcc->pCertInfo->rgExtension); if (NULL == pExt) { hr = S_OK; goto error; } if (!myDecodeObject( X509_ASN_ENCODING, X509_CERT_POLICIES, pExt->Value.pbData, pExt->Value.cbData, CERTLIB_USE_LOCALALLOC, (VOID **) &pcpsi, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myDecodeObject"); }
for (i = 0; i < pcpsi->cPolicyInfo; i++) { CSASSERT(NULL == pwszObjId);
if (!myConvertSzToWsz( &pwszObjId, pcpsi->rgPolicyInfo[i].pszPolicyIdentifier, -1)) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "myConvertSzToWsz(ObjId)"); } for (pwsz = pwszzPolicies; ; pwsz += wcslen(pwsz) + 1) { if (L'\0' == *pwsz) { hr = CERT_E_INVALID_POLICY; _JumpErrorStr(hr, error, "Chain invalidates policy", pwszObjId); } if (0 == lstrcmp(pwsz, pwszObjId)) { break; } } LocalFree(pwszObjId); pwszObjId = NULL; } hr = S_OK;
error: if (NULL != pcpsi) { LocalFree(pcpsi); } if (NULL != pwszObjId) { LocalFree(pwszObjId); } return(hr);}
HRESULTpkcsEncodeSubjectCert( IN ICertDBRow *prow, IN CACTX const *pCAContext, OUT BYTE **ppbEncoded, // CoTaskMem*
OUT DWORD *pcbEncoded, OUT BOOL *pfErrorLogged){ HRESULT hr; HRESULT hrValidate = S_OK; BYTE *pbCertEncoded = NULL; DWORD cbCertEncoded; DWORD ExtFlags; BSTR strSerialNumber = NULL; IEnumCERTDBNAME *penum = NULL; CERTDBNAME cdbn; FILETIME ftNotBefore; DWORD dwRequestFlags; WCHAR *pwszIssuer = NULL; WCHAR *pwszSubject = NULL;
CERT_INFO Cert; CERT_EXTENSION *pExt = NULL; DWORD cExt = INCREMENT_EXTENSIONS;
DWORD cbprop; DWORD i; CHAR *pChar; CHAR szObjId[MAX_PATH]; BYTE *pb; CERT_CONTEXT const *pcc = NULL; WCHAR *pwszzIssuancePolicies = NULL; WCHAR *pwszzApplicationPolicies = NULL;
cdbn.pwszName = NULL; *pfErrorLogged = FALSE;
// CERT
ZeroMemory(&Cert, sizeof(Cert)); pExt = (CERT_EXTENSION *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cExt * sizeof(*pExt)); if (NULL == pExt) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
Cert.dwVersion = CERT_V3;
hr = pkcsCreateCertSerialNumber(prow, pCAContext, &strSerialNumber); _JumpIfError(hr, error, "pkcsCreateCertSerialNumber");
// convert to int
hr = WszToMultiByteInteger( FALSE, strSerialNumber, &Cert.SerialNumber.cbData, &Cert.SerialNumber.pbData); _JumpIfError(hr, error, "WszToMultiByteInteger");
Cert.SignatureAlgorithm.pszObjId = pCAContext->pszObjIdSignatureAlgorithm; Cert.Issuer = pCAContext->pccCA->pCertInfo->Subject;
cbprop = sizeof(Cert.NotBefore); hr = prow->GetProperty( g_wszPropCertificateNotBeforeDate, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbprop, (BYTE *) &Cert.NotBefore); _JumpIfError(hr, error, "GetProperty");
CSASSERT(sizeof(Cert.NotBefore) == cbprop);
cbprop = sizeof(Cert.NotAfter); hr = prow->GetProperty( g_wszPropCertificateNotAfterDate, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbprop, (BYTE *) &Cert.NotAfter); _JumpIfError(hr, error, "GetProperty");
CSASSERT(sizeof(Cert.NotAfter) == cbprop);
CSASSERT(NULL == Cert.Subject.pbData);
cbprop = sizeof(dwRequestFlags); hr = prow->GetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbprop, (BYTE *) &dwRequestFlags); _JumpIfError(hr, error, "GetProperty");
if (!pkcsfSubjectTemplate || ((CRLF_REBUILD_MODIFIED_SUBJECT_ONLY & g_dwCRLFlags) && (CR_FLG_SUBJECTUNMODIFIED & dwRequestFlags))) { hr = PKCSGetProperty( prow, g_wszPropSubjectRawName, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_REQUEST, &Cert.Subject.cbData, &Cert.Subject.pbData); if (S_OK == hr && 0 == Cert.Subject.cbData && NULL != Cert.Subject.pbData) { LocalFree(Cert.Subject.pbData); Cert.Subject.pbData = NULL; } }
if (NULL == Cert.Subject.pbData) { hr = pkcsBuildSubjectFromNamesTable(prow, &Cert.Subject); _JumpIfError(hr, error, "pkcsBuildSubjectFromNamesTable"); }
if (CertCompareCertificateName( X509_ASN_ENCODING, &Cert.Issuer, &Cert.Subject)) { hr = CERTSRV_E_BAD_REQUESTSUBJECT; _JumpError(hr, error, "Subject matches Issuer"); } hr = myCertNameToStr( X509_ASN_ENCODING, &Cert.Issuer, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszIssuer); _JumpIfError(hr, error, "myCertNameToStr");
hr = myCertNameToStr( X509_ASN_ENCODING, &Cert.Subject, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &pwszSubject); _JumpIfError(hr, error, "myCertNameToStr");
if (0 == lstrcmpi(pwszIssuer, pwszSubject)) { hr = CERTSRV_E_BAD_REQUESTSUBJECT; _JumpError(hr, error, "Subject string matches Issuer"); }
hr = pkcsGetPublicKeyInfo(prow, &Cert.SubjectPublicKeyInfo); _JumpIfError(hr, error, "pkcsGetPublicKeyInfo");
Cert.rgExtension = pExt; i = 0;
hr = prow->EnumCertDBName(CIE_TABLE_EXTENSIONS, &penum); _JumpIfError(hr, error, "EnumCertDBName");
hr = CERTSRV_E_PROPERTY_EMPTY; while (TRUE) { ULONG celtFetched;
if (cExt == i) { CERT_EXTENSION *pExtT;
// reached max, increse size
cExt += INCREMENT_EXTENSIONS; pExtT = (CERT_EXTENSION *) LocalReAlloc( pExt, cExt * sizeof(*pExt), LMEM_ZEROINIT | LMEM_MOVEABLE); if (NULL == pExtT) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalReAlloc"); } pExt = pExtT; Cert.rgExtension = pExt; }
hr = penum->Next(1, &cdbn, &celtFetched); if (S_FALSE == hr) { break; } _JumpIfError(hr, error, "Next");
CSASSERT(1 == celtFetched); CSASSERT(NULL != cdbn.pwszName);
if (!ConvertWszToSz( &Cert.rgExtension[i].pszObjId, cdbn.pwszName, -1)) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "ConvertWszToSz(ExtObjId)"); }
hr = PropGetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, cdbn.pwszName, &ExtFlags, &Cert.rgExtension[i].Value.cbData, &Cert.rgExtension[i].Value.pbData); _JumpIfError(hr, error, "PropGetExtension");
DBGPRINT(( DBG_SS_CERTSRVI, "pkcsEncodeSubjectCert: Ext=%ws, ExtFlags=%x, len=%x\n", cdbn.pwszName, ExtFlags, Cert.rgExtension[i].Value.cbData));
Cert.rgExtension[i].fCritical = (EXTENSION_CRITICAL_FLAG & ExtFlags)? TRUE : FALSE;
CoTaskMemFree(cdbn.pwszName); cdbn.pwszName = NULL;
if (EXTENSION_DISABLE_FLAG & ExtFlags) { if (NULL != pExt[i].pszObjId) { LocalFree(pExt[i].pszObjId); pExt[i].pszObjId = NULL; } if (NULL != pExt[i].Value.pbData) { LocalFree(pExt[i].Value.pbData); pExt[i].Value.pbData = NULL; } continue; } i++; }
Cert.cExtension = i;
// encode the cert contents
if (!myEncodeObject( X509_ASN_ENCODING, X509_CERT_TO_BE_SIGNED, &Cert, 0, CERTLIB_USE_LOCALALLOC, &pbCertEncoded, &cbCertEncoded)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); }
// sign the cert, then encode the signed info
hr = myEncodeSignedContent( pCAContext->hProvCA, X509_ASN_ENCODING, Cert.SignatureAlgorithm.pszObjId, pbCertEncoded, cbCertEncoded, CERTLIB_USE_COTASKMEMALLOC, ppbEncoded, pcbEncoded); // use CoTaskMem*
_JumpIfError(hr, error, "myEncodeSignedContent");
pcc = CertCreateCertificateContext( X509_ASN_ENCODING, *ppbEncoded, *pcbEncoded); if (NULL == pcc) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
if (g_fCertEnrollCompatible) { hr = pkcsCheck7f( prow, *ppbEncoded, *pcbEncoded, pfErrorLogged); if (S_OK != hr) { CoTaskMemFree(*ppbEncoded); *ppbEncoded = NULL; _JumpError(hr, error, "pkcsCheck7f"); } }
ftNotBefore = pcc->pCertInfo->NotBefore; myMakeExprDateTime(&ftNotBefore, g_dwClockSkewMinutes, ENUM_PERIOD_MINUTES);
hr = myVerifyCertContextEx( pcc, // pCert
(CRLF_REVCHECK_IGNORE_OFFLINE & g_dwCRLFlags)? CA_VERIFY_FLAGS_IGNORE_OFFLINE : 0, // dwFlags
0, // cUsageOids
NULL, // apszUsageOids
HCCE_LOCAL_MACHINE, // hChainEngine
&ftNotBefore, // pft
NULL, // hAdditionalStore
NULL, // ppwszMissingIssuer
&pwszzIssuancePolicies, &pwszzApplicationPolicies); _PrintIfError(hr, "myVerifyCertContextEx"); if (S_OK != hr) { if (0 == (CRLF_SAVE_FAILED_CERTS & g_dwCRLFlags)) { goto error; } hrValidate = hr; }
if (S_OK == hrValidate && 0 == (CRLF_IGNORE_INVALID_POLICIES & g_dwCRLFlags)) { hr = pkcsverifyIssuedPolices( pcc, szOID_CERT_POLICIES, pwszzIssuancePolicies); _PrintIfError(hr, "pkcsverifyIssuedPolices"); if (S_OK != hr) { if (0 == (CRLF_SAVE_FAILED_CERTS & g_dwCRLFlags)) { goto error; } if (S_OK == hrValidate) { hrValidate = hr; } }
hr = pkcsverifyIssuedPolices( pcc, szOID_APPLICATION_CERT_POLICIES, pwszzApplicationPolicies); _PrintIfError(hr, "pkcsverifyIssuedPolices"); if (S_OK != hr) { if (0 == (CRLF_SAVE_FAILED_CERTS & g_dwCRLFlags)) { goto error; } if (S_OK == hrValidate) { hrValidate = hr; } } }
hr = pkcsSetCertAndKeyHashes(prow, pcc); _JumpIfError(hr, error, "pkcsSetCertAndKeyHashes");
hr = prow->SetProperty( g_wszPropCertificateIssuerNameID, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, sizeof(pCAContext->NameId), (BYTE *) &pCAContext->NameId); _JumpIfError(hr, error, "SetProperty");
hr = prow->SetProperty( g_wszPropCertificateSerialNumber, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE *) strSerialNumber); _JumpIfError(hr, error, "SetProperty");
#ifdef TEST_SPECIAL_SERIAL_NUMBERS
if (L'0' == strSerialNumber[0] && L'0' == strSerialNumber[1]) { hr = prow->SetProperty( g_wszPropCertificateSerialNumber, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE *) &strSerialNumber[2]); _JumpIfError(hr, error, "SetProperty"); }#endif
error: if (S_OK != hrValidate) { hr = hrValidate; } if (NULL != pwszIssuer) { LocalFree(pwszIssuer); } if (NULL != pwszSubject) { LocalFree(pwszSubject); } if (NULL != pwszzIssuancePolicies) { LocalFree(pwszzIssuancePolicies); } if (NULL != pwszzApplicationPolicies) { LocalFree(pwszzApplicationPolicies); } if (NULL != pcc) { CertFreeCertificateContext(pcc); } if (NULL != pExt) { i = 0; if (NULL != cdbn.pwszName) { CoTaskMemFree(cdbn.pwszName); } while (cExt != i) { if (NULL != pExt[i].pszObjId) { LocalFree(pExt[i].pszObjId); } if (NULL != pExt[i].Value.pbData) { LocalFree(pExt[i].Value.pbData); } i++; } LocalFree(pExt); } if (NULL != penum) { penum->Release(); } if (NULL != Cert.SerialNumber.pbData) { LocalFree(Cert.SerialNumber.pbData); } if (NULL != Cert.Subject.pbData) { LocalFree(Cert.Subject.pbData); } pkcsFreePublicKeyInfo(&Cert.SubjectPublicKeyInfo); if (NULL != pbCertEncoded) { LocalFree(pbCertEncoded); } if (NULL != strSerialNumber) { SysFreeString(strSerialNumber); } return(hr);}
VOIDpkcsFreeCRLChain( IN DWORD cCert, OPTIONAL IN OUT CERT_BLOB *prgCertBlob, OPTIONAL IN OUT CERT_CONTEXT const **rgCert, IN DWORD cCRL, OPTIONAL IN OUT CRL_BLOB *rgCRLBlob, OPTIONAL IN OUT CRL_CONTEXT const **rgCRL){ DWORD i;
if (NULL != prgCertBlob) { LocalFree(prgCertBlob); } if (NULL != rgCert) { for (i = 0; i < cCert; i++) { if (NULL != rgCert[i]) { CertFreeCertificateContext(rgCert[i]); } } LocalFree(rgCert); } if (NULL != rgCRLBlob) { LocalFree(rgCRLBlob); } if (NULL != rgCRL) { for (i = 0; i < cCRL; i++) { if (NULL != rgCRL[i]) { CertFreeCRLContext(rgCRL[i]); } } LocalFree(rgCRL); }}
// Build the CA's cert chain and collect all paremt CA CRLs.
// Add in the optional passed leaf cert and the CA's CRLs.
// This ensures that the chain includes at least this CA's correct cert & CRLs.
HRESULTpkcsBuildCRLChain( OPTIONAL IN CACTX *pCAContext, OPTIONAL IN BYTE const *pbCertLeaf, IN DWORD cbCertLeaf, IN BOOL fIncludeCRLs, OUT DWORD *pcCert, OPTIONAL OUT CERT_BLOB **prgCertBlob, OUT CERT_CONTEXT const ***prgCert, OUT DWORD *pcCRLBlob, OPTIONAL OUT CRL_BLOB **prgCRLBlob, OUT CRL_CONTEXT const ***prgCRL){ HRESULT hr; CERT_CHAIN_PARA ChainParams; CERT_CHAIN_CONTEXT const *pChainContext = NULL; DWORD cElement; CERT_CHAIN_ELEMENT **rgpElement; DWORD cCert; CERT_CONTEXT const **rgpCert = NULL; CERT_CONTEXT const *pccCertLeaf = NULL; CERT_BLOB *rgCertBlob = NULL; DWORD cCRL; CRL_CONTEXT const **rgpCRL = NULL; CRL_BLOB *rgCRLBlob = NULL; DWORD i; DWORD iCert; DWORD iCRL;
if (NULL != prgCertBlob) { *prgCertBlob = NULL; } *prgCert = NULL; if (NULL != prgCRLBlob) { *prgCRLBlob = NULL; } *prgCRL = NULL;
if (NULL != pbCertLeaf) { pccCertLeaf = CertCreateCertificateContext( X509_ASN_ENCODING, pbCertLeaf, cbCertLeaf); if (NULL == pccCertLeaf) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); } } CSASSERT(NULL != pCAContext || NULL != pccCertLeaf); if (NULL == pCAContext || fIncludeCRLs) { // Get the CA cert chain and parent CA CRLs:
ZeroMemory(&ChainParams, sizeof(ChainParams)); ChainParams.cbSize = sizeof(ChainParams); //ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
//ChainParams.RequestedUsage.Usage.cUsageIdentifier = 0;
//ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;
if (!CertGetCertificateChain( HCCE_LOCAL_MACHINE, // hChainEngine
NULL != pCAContext? pCAContext->pccCA : pccCertLeaf, NULL, // pTime
NULL, // hAdditionalStore
&ChainParams, // pChainPara
CERT_CHAIN_REVOCATION_CHECK_END_CERT | CERT_CHAIN_REVOCATION_CHECK_CHAIN, NULL, // pvReserved
&pChainContext)) // ppChainContext
{ hr = myHLastError(); _JumpError(hr, error, "CertGetCertificateChain"); } if (0 == pChainContext->cChain || 0 == pChainContext->rgpChain[0]->cElement) { hr = CRYPT_E_NOT_FOUND; _JumpError(hr, error, "No chain"); } cElement = pChainContext->rgpChain[0]->cElement; rgpElement = pChainContext->rgpChain[0]->rgpElement; } else { cElement = pCAContext->cCACertChain; } cCert = cElement; cCRL = 2 * (cCert + 1); // Worst case. *Always* include this CA's CRLs
if (NULL != pbCertLeaf) { cCert++; } rgpCert = (CERT_CONTEXT const **) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cCert * sizeof(rgpCert[0])); if (NULL == rgpCert) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } if (fIncludeCRLs) { rgpCRL = (CRL_CONTEXT const **) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cCRL * sizeof(rgpCRL[0])); if (NULL == rgpCRL) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } }
iCert = 0; iCRL = 0;
// Add parent CA certs and CRLs:
if (NULL == pCAContext || fIncludeCRLs) { for (i = 0; i < cElement; i++) { CERT_CHAIN_ELEMENT const *pElement = rgpElement[i]; CERT_REVOCATION_INFO *pRevocationInfo;
rgpCert[iCert] = CertDuplicateCertificateContext( pElement->pCertContext); if (NULL != rgpCert[iCert]) { iCert++; } pRevocationInfo = pElement->pRevocationInfo;
if (fIncludeCRLs && NULL != pRevocationInfo && CCSIZEOF_STRUCT(CERT_REVOCATION_INFO, pCrlInfo) <= pRevocationInfo->cbSize && NULL != pRevocationInfo->pCrlInfo) { CERT_REVOCATION_CRL_INFO *pCrlInfo;
pCrlInfo = pRevocationInfo->pCrlInfo; if (NULL != pCrlInfo) { if (NULL != pCrlInfo->pBaseCrlContext) { rgpCRL[iCRL] = CertDuplicateCRLContext( pCrlInfo->pBaseCrlContext); if (NULL != rgpCRL[iCRL]) { iCRL++; } } if (NULL != pCrlInfo->pDeltaCrlContext) { rgpCRL[iCRL] = CertDuplicateCRLContext( pCrlInfo->pDeltaCrlContext); if (NULL != rgpCRL[iCRL]) { iCRL++; } } } } } } else { for (i = 0; i < pCAContext->cCACertChain; i++) { rgpCert[iCert] = CertDuplicateCertificateContext( pCAContext->apCACertChain[i]); if (NULL != rgpCert[iCert]) { iCert++; } } }
if (NULL != pCAContext) { // Add issued cert at the end -- optional Leaf cert:
if (NULL != pbCertLeaf) { for (i = 0; i < iCert; i++) { if (cbCertLeaf == rgpCert[i]->cbCertEncoded && 0 == memcmp( pbCertLeaf, rgpCert[i]->pbCertEncoded, cbCertLeaf)) { break; } } if (i == iCert) // if not found in existing array
{ rgpCert[iCert] = CertDuplicateCertificateContext(pccCertLeaf); if (NULL != rgpCert[iCert]) { iCert++; } } }
// Add current CA's Base and delta CRLs:
if (fIncludeCRLs) { hr = CRLGetCRL( pCAContext->iKey, FALSE, // fDelta
&rgpCRL[iCRL], NULL); // pdwCRLPublishFlags
_JumpIfError(hr, error, "CRLGetCRL(base)"); // Base CRL must exist
iCRL++;
hr = CRLGetCRL( pCAContext->iKey, TRUE, // fDelta
&rgpCRL[iCRL], NULL); // pdwCRLPublishFlags
_PrintIfError(hr, "CRLGetCRL(delta)"); // Delta CRL might not exist
if (S_OK == hr) { iCRL++; } } } CSASSERT(iCert <= cCert); CSASSERT(iCRL <= cCRL);
if (NULL != prgCertBlob) { rgCertBlob = (CERT_BLOB *) LocalAlloc( LMEM_FIXED, iCert * sizeof(rgCertBlob[0])); if (NULL == rgCertBlob) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } for (i = 0; i < iCert; i++) { rgCertBlob[i].cbData = rgpCert[i]->cbCertEncoded; rgCertBlob[i].pbData = rgpCert[i]->pbCertEncoded; } } if (NULL != prgCRLBlob && 0 != iCRL) { rgCRLBlob = (CERT_BLOB *) LocalAlloc( LMEM_FIXED, iCRL * sizeof(rgCRLBlob[0])); if (NULL == rgCRLBlob) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); } for (i = 0; i < iCRL; i++) { rgCRLBlob[i].cbData = rgpCRL[i]->cbCrlEncoded; rgCRLBlob[i].pbData = rgpCRL[i]->pbCrlEncoded; } } *pcCert = iCert; *prgCert = rgpCert; rgpCert = NULL; if (NULL != prgCertBlob) { *prgCertBlob = rgCertBlob; rgCertBlob = NULL; }
*pcCRLBlob = iCRL; *prgCRL = rgpCRL; rgpCRL = NULL; if (NULL != prgCRLBlob) { *prgCRLBlob = rgCRLBlob; rgCRLBlob = NULL; }
hr = S_OK;
error: pkcsFreeCRLChain(cCert, rgCertBlob, rgpCert, cCRL, rgCRLBlob, rgpCRL); if (NULL != pccCertLeaf) { CertFreeCertificateContext(pccCertLeaf); } if (NULL != pChainContext) { CertFreeCertificateChain(pChainContext); } return(hr);}
// Build a PKCS7 CMC response
HRESULTPKCSEncodeFullResponse( OPTIONAL IN ICertDBRow *prow, IN CERTSRV_RESULT_CONTEXT const *pResult, IN HRESULT hrRequest, IN WCHAR *pwszDispositionString, OPTIONAL IN CACTX *pCAContext, OPTIONAL IN BYTE const *pbCertLeaf, IN DWORD cbCertLeaf, IN BOOL fIncludeCRLs, OUT BYTE **ppbResponse, // CoTaskMem*
OUT DWORD *pcbResponse){ HRESULT hr; CMC_RESPONSE_INFO Response; CMC_STATUS_INFO Status; BYTE *pbContent = NULL; DWORD cbContent; DWORD dwBodyPartIdOfRequest = 1; DWORD dwCMCDataReference = 0; DWORD dwBodyPartId = 1; CMC_TAGGED_ATTRIBUTE aTaggedAttribute[5]; DWORD ita = 0; CRYPT_ATTRIBUTE aAttr[2]; DWORD iAttr = 0; CRYPT_ATTR_BLOB aAttrBlob[7]; DWORD iblob = 0; CMSG_SIGNER_ENCODE_INFO SignerEncodeInfo; CMSG_SIGNED_ENCODE_INFO SignedMsgEncodeInfo; CMC_PEND_INFO PendInfo; DWORD ReqId; DWORD dwRequestFlags; DWORD cb; DWORD i; HCRYPTMSG hMsg = NULL; CERT_CONTEXT const **prgCert = NULL; CRL_CONTEXT const **prgCRL = NULL; CHAR szNonce[(11 + 1) + (8 + 1) * 3];
ZeroMemory(aAttrBlob, sizeof(aAttrBlob)); ZeroMemory(&Status, sizeof(Status)); ZeroMemory(&Response, sizeof(Response));
ZeroMemory(&SignedMsgEncodeInfo, sizeof(SignedMsgEncodeInfo)); SignedMsgEncodeInfo.cbSize = sizeof(SignedMsgEncodeInfo); SignedMsgEncodeInfo.cSigners = 1; SignedMsgEncodeInfo.rgSigners = &SignerEncodeInfo; //SignedMsgEncodeInfo.cCertEncoded = 0;
//SignedMsgEncodeInfo.rgCertEncoded = NULL;
//SignedMsgEncodeInfo.cCrlEncoded = 0;
//SignedMsgEncodeInfo.rgCrlEncoded = NULL;
Status.cBodyList = 1; Status.dwOtherInfoChoice = CMC_OTHER_INFO_NO_CHOICE; Status.rgdwBodyList = &dwBodyPartIdOfRequest; Status.pwszStatusString = pwszDispositionString;
switch (*pResult->pdwDisposition) { case CR_DISP_ISSUED: case CR_DISP_ISSUED_OUT_OF_BAND: case CR_DISP_REVOKED: // map revoked to CMC_STATUS_FAILED?
Status.dwStatus = CMC_STATUS_SUCCESS; break;
case CR_DISP_UNDER_SUBMISSION: Status.dwStatus = CMC_STATUS_PENDING; Status.dwOtherInfoChoice = CMC_OTHER_INFO_PEND_CHOICE; Status.pPendInfo = &PendInfo;
CSASSERT(NULL != prow); prow->GetRowId(&ReqId);
PendInfo.PendToken.cbData = sizeof(ReqId); PendInfo.PendToken.pbData = (BYTE *) &ReqId;
cb = sizeof(PendInfo.PendTime); hr = prow->GetProperty( g_wszPropRequestSubmittedWhen, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE *) &PendInfo.PendTime); _JumpIfError(hr, error, "GetProperty");
break;
//case CR_DISP_INCOMPLETE:
//case CR_DISP_ERROR:
//case CR_DISP_DENIED:
default: Status.dwStatus = CMC_STATUS_FAILED; if (NULL != prow) { cb = sizeof(hrRequest); hr = prow->GetProperty( g_wszPropRequestStatusCode, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE *) &hrRequest); _JumpIfError(hr, error, "GetProperty(status code)"); } switch (hrRequest) { case CERTSRV_E_BAD_REQUESTSUBJECT: Status.dwFailInfo = CMC_FAIL_BAD_REQUEST; Status.dwOtherInfoChoice = CMC_OTHER_INFO_FAIL_CHOICE; break; } break; }
// Encode control attributes for Status, Transaction Id, Sender and
// Recipient Nonces and Issued Cert Hash.
ZeroMemory(aTaggedAttribute, sizeof(aTaggedAttribute));
// Status:
if (!myEncodeObject( X509_ASN_ENCODING, CMC_STATUS, &Status, 0, CERTLIB_USE_LOCALALLOC, &aAttrBlob[iblob].pbData, &aAttrBlob[iblob].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); }
aTaggedAttribute[ita].dwBodyPartID = dwBodyPartId++; aTaggedAttribute[ita].Attribute.pszObjId = szOID_CMC_STATUS_INFO; aTaggedAttribute[ita].Attribute.cValue = 1; aTaggedAttribute[ita].Attribute.rgValue = &aAttrBlob[iblob]; iblob++; ita++;
// Transaction Id:
if (pResult->fTransactionId) { if (!myEncodeObject( X509_ASN_ENCODING, X509_INTEGER, &pResult->dwTransactionId, 0, CERTLIB_USE_LOCALALLOC, &aAttrBlob[iblob].pbData, &aAttrBlob[iblob].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } aTaggedAttribute[ita].dwBodyPartID = dwBodyPartId++; aTaggedAttribute[ita].Attribute.pszObjId = szOID_CMC_TRANSACTION_ID; aTaggedAttribute[ita].Attribute.cValue = 1; aTaggedAttribute[ita].Attribute.rgValue = &aAttrBlob[iblob]; iblob++; ita++; }
if (NULL != pResult->pbSenderNonce && 0 != pResult->cbSenderNonce) { CRYPT_DATA_BLOB Blob; FILETIME ft; DWORD dw; DWORD cch;
// Recipient Nonce:
Blob.pbData = const_cast<BYTE *>(pResult->pbSenderNonce); Blob.cbData = pResult->cbSenderNonce;
if (!myEncodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, &Blob, 0, CERTLIB_USE_LOCALALLOC, &aAttrBlob[iblob].pbData, &aAttrBlob[iblob].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } aTaggedAttribute[ita].dwBodyPartID = dwBodyPartId++; aTaggedAttribute[ita].Attribute.pszObjId = szOID_CMC_RECIPIENT_NONCE; aTaggedAttribute[ita].Attribute.cValue = 1; aTaggedAttribute[ita].Attribute.rgValue = &aAttrBlob[iblob]; iblob++; ita++;
// Sender Nonce:
GetSystemTimeAsFileTime(&ft); dw = GetTickCount();
cch = sprintf( szNonce, "%u %08lx %08lx-%08lx", *pResult->pdwRequestId, dw, ft.dwHighDateTime, ft.dwLowDateTime); CSASSERT(ARRAYSIZE(szNonce) > cch);
Blob.pbData = (BYTE *) szNonce; Blob.cbData = cch;
if (!myEncodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, &Blob, 0, CERTLIB_USE_LOCALALLOC, &aAttrBlob[iblob].pbData, &aAttrBlob[iblob].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } aTaggedAttribute[ita].dwBodyPartID = dwBodyPartId++; aTaggedAttribute[ita].Attribute.pszObjId = szOID_CMC_SENDER_NONCE; aTaggedAttribute[ita].Attribute.cValue = 1; aTaggedAttribute[ita].Attribute.rgValue = &aAttrBlob[iblob]; iblob++; ita++; }
// Issued Cert Hash:
if (NULL != pbCertLeaf) { CSASSERT(NULL != prow); hr = pkcsGetHashAsOctet( prow, &aAttrBlob[iblob].pbData, &aAttrBlob[iblob].cbData); _JumpIfError(hr, error, "pkcsGetHashAsOctet");
aAttr[iAttr].pszObjId = szOID_ISSUED_CERT_HASH; aAttr[iAttr].cValue = 1; aAttr[iAttr].rgValue = &aAttrBlob[iblob]; iblob++; iAttr++; }
// Computed hash of private key encrypted to this CA, for client
// confirmation.
if (NULL != pResult->pbKeyHashOut) { CRYPT_DATA_BLOB Blob;
Blob.pbData = pResult->pbKeyHashOut; Blob.cbData = pResult->cbKeyHashOut; if (!myEncodeObject( X509_ASN_ENCODING, X509_OCTET_STRING, &Blob, 0, CERTLIB_USE_LOCALALLOC, &aAttrBlob[iblob].pbData, &aAttrBlob[iblob].cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } aAttr[iAttr].pszObjId = szOID_ENCRYPTED_KEY_HASH; aAttr[iAttr].cValue = 1; aAttr[iAttr].rgValue = &aAttrBlob[iblob]; iblob++; iAttr++; }
if (0 != iAttr) { hr = BuildCMCAttributes( iAttr, // cAttribute
aAttr, // rgAttribute
dwCMCDataReference, dwBodyPartIdOfRequest, dwBodyPartId++, &aTaggedAttribute[ita], &aAttrBlob[iblob]); _JumpIfError(hr, error, "BuildCMCAttributes");
iblob++; ita++; }
CSASSERT(ARRAYSIZE(aTaggedAttribute) >= ita); CSASSERT(ARRAYSIZE(aAttr) >= iAttr); CSASSERT(ARRAYSIZE(aAttrBlob) >= iblob);
Response.cTaggedAttribute = ita; Response.rgTaggedAttribute = aTaggedAttribute;
if (!myEncodeObject( X509_ASN_ENCODING, CMC_RESPONSE, &Response, 0, CERTLIB_USE_LOCALALLOC, &pbContent, &cbContent)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); }
if (NULL == pCAContext) { pCAContext = g_pCAContextCurrent; } ZeroMemory(&SignerEncodeInfo, sizeof(SignerEncodeInfo)); SignerEncodeInfo.cbSize = sizeof(SignerEncodeInfo); SignerEncodeInfo.pCertInfo = pCAContext->pccCA->pCertInfo; SignerEncodeInfo.hCryptProv = pCAContext->hProvCA; SignerEncodeInfo.dwKeySpec = AT_SIGNATURE; SignerEncodeInfo.HashAlgorithm.pszObjId = szOID_OIWSEC_sha1; //SignerEncodeInfo.pvHashAuxInfo = NULL;
//SignerEncodeInfo.cAuthAttr = 0;
//SignerEncodeInfo.rgAuthAttr = NULL;
//SignerEncodeInfo.cUnauthAttr = 0;
//SignerEncodeInfo.rgUnauthAttr = NULL;
if (NULL != pbCertLeaf) { hr = pkcsBuildCRLChain( pCAContext, pbCertLeaf, cbCertLeaf, fIncludeCRLs, &SignedMsgEncodeInfo.cCertEncoded, &SignedMsgEncodeInfo.rgCertEncoded, &prgCert, &SignedMsgEncodeInfo.cCrlEncoded, &SignedMsgEncodeInfo.rgCrlEncoded, &prgCRL); _JumpIfError(hr, error, "pkcsBuildCRLChain"); }
dwRequestFlags = 0; if (NULL != prow) { cb = sizeof(dwRequestFlags); hr = prow->GetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE *) &dwRequestFlags); _JumpIfError(hr, error, "GetProperty"); }
#define szOID_CT_PKI_RESPONSE_OLDRFC "1.3.6.1.5.5.7.5.3" // BUGBUG: temporary!
hMsg = CryptMsgOpenToEncode( PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, CMSG_CMS_ENCAPSULATED_CONTENT_FLAG, // dwFlags
CMSG_SIGNED, &SignedMsgEncodeInfo, (CR_FLG_OLDRFCCMC & dwRequestFlags)? szOID_CT_PKI_RESPONSE_OLDRFC : szOID_CT_PKI_RESPONSE, NULL); // pStreamInfo
if (NULL == hMsg) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgOpenToEncode"); }
if (!CryptMsgUpdate(hMsg, pbContent, cbContent, TRUE)) { hr = myHLastError(); _JumpError(hr, error, "CryptMsgUpdate"); }
// Return the encoded and signed content.
// Use CMSG_CONTENT_PARAM to get the signed message.
hr = myCryptMsgGetParam( hMsg, CMSG_CONTENT_PARAM, 0, CERTLIB_USE_COTASKMEMALLOC, (VOID **) ppbResponse, pcbResponse); _JumpIfError(hr, error, "myCryptMsgGetParam");
error: pkcsFreeCRLChain( SignedMsgEncodeInfo.cCertEncoded, SignedMsgEncodeInfo.rgCertEncoded, prgCert, SignedMsgEncodeInfo.cCrlEncoded, SignedMsgEncodeInfo.rgCrlEncoded, prgCRL); for (i = 0; i < ARRAYSIZE(aAttrBlob); i++) { if (NULL != aAttrBlob[i].pbData) { LocalFree(aAttrBlob[i].pbData); } } if (NULL != hMsg) { CryptMsgClose(hMsg); } if (NULL != pbContent) { LocalFree(pbContent); } return(hr);}
// Build a PKCS7 NULL signature with encapsulated certs
HRESULTpkcsEncodeCertChain( OPTIONAL IN CACTX *pCAContext, OPTIONAL IN BYTE const *pbCertLeaf, IN DWORD cbCertLeaf, IN BYTE const *pbToBeSigned, IN DWORD cbToBeSigned, IN BOOL fIncludeCRLs, OUT BYTE **ppbCertChain, // CoTaskMem*
OUT DWORD *pcbCertChain){ HRESULT hr; CRYPT_SIGN_MESSAGE_PARA csmp; CRYPT_ALGORITHM_IDENTIFIER DigestAlgorithm = { szOID_OIWSEC_sha1, 0, 0 };
// init csmp for empty signature
ZeroMemory(&csmp, sizeof(csmp)); csmp.cbSize = sizeof(csmp); csmp.dwMsgEncodingType = PKCS_7_ASN_ENCODING; //csmp.pSigningCert = NULL;
csmp.HashAlgorithm = DigestAlgorithm; //csmp.cMsgCert = 0;
//csmp.rgpMsgCert = NULL;
//csmp.cMsgCrl = 0;
//csmp.rgpMsgCrl = NULL;
hr = pkcsBuildCRLChain( pCAContext, pbCertLeaf, cbCertLeaf, fIncludeCRLs, &csmp.cMsgCert, NULL, &csmp.rgpMsgCert, &csmp.cMsgCrl, NULL, &csmp.rgpMsgCrl); _JumpIfError(hr, error, "pkcsBuildCRLChain");
if (!myCryptSignMessage( &csmp, pbToBeSigned, cbToBeSigned, CERTLIB_USE_COTASKMEMALLOC, ppbCertChain, pcbCertChain)) { hr = myHLastError(); _JumpError(hr, error, "myCryptSignMessage"); } hr = S_OK;
error: pkcsFreeCRLChain( csmp.cMsgCert, NULL, csmp.rgpMsgCert, csmp.cMsgCrl, NULL, csmp.rgpMsgCrl); return(hr);}
HRESULTPKCSGetCACert( IN DWORD iCert, OUT BYTE **ppbCACert, OUT DWORD *pcbCACert){ HRESULT hr; DWORD State; CACTX *pCAContext;
hr = PKCSMapCertIndex(iCert, &iCert, &State); _JumpIfError(hr, error, "PKCSMapCertIndex");
// Now we know iCert is a valid Cert Index:
pCAContext = &g_aCAContext[iCert]; if (NULL == pCAContext->pccCA) { hr = E_INVALIDARG; _JumpError(hr, error, "invalid cert"); } *pcbCACert = pCAContext->pccCA->cbCertEncoded; *ppbCACert = pCAContext->pccCA->pbCertEncoded;
error: return(hr);}
HRESULTPKCSGetCAChain( IN DWORD iCert, IN BOOL fIncludeCRLs, OUT BYTE **ppbCAChain, // CoTaskMem*
OUT DWORD *pcbCAChain){ HRESULT hr; DWORD State; CACTX *pCAContext;
hr = PKCSMapCertIndex(iCert, &iCert, &State); _JumpIfError(hr, error, "PKCSMapCertIndex");
// Now we know iCert is a valid Cert Index:
pCAContext = &g_aCAContext[iCert]; if (NULL == pCAContext->pccCA) { hr = E_INVALIDARG; _JumpError(hr, error, "invalid cert"); } hr = pkcsEncodeCertChain( pCAContext, NULL, // pbCertLeaf
0, // cbCertLeaf
pCAContext->pccCA->pbCertEncoded, // pbToBeSigned
pCAContext->pccCA->cbCertEncoded, // cbToBeSigned
fIncludeCRLs, ppbCAChain, // CoTaskMem*
pcbCAChain); _JumpIfError(hr, error, "PKCSEncodeCertChain");
error: return(hr);}
HRESULTpkcsFormXchgKeyContainerName( IN DWORD dwRequestId, OUT WCHAR **ppwszKeyContainer){ HRESULT hr; DWORD cwcSuffix; DWORD cwcName; WCHAR wszSuffix[32]; WCHAR wszKeyContainer[MAX_PATH];
*ppwszKeyContainer = NULL;
cwcSuffix = wsprintf(wszSuffix, L"%ws(%u)", g_wszCNXchgSuffix, dwRequestId); CSASSERT(ARRAYSIZE(wszSuffix) > cwcSuffix);
cwcName = wcslen(g_wszSanitizedName); if (cwcName > MAX_PATH - cwcSuffix) { cwcName = MAX_PATH - cwcSuffix; } CSASSERT(ARRAYSIZE(wszKeyContainer) > cwcName); wcscpy(wszKeyContainer, g_wszSanitizedName); wcscpy(&wszKeyContainer[cwcName], wszSuffix);
hr = myDupString(wszKeyContainer, ppwszKeyContainer); _JumpIfError(hr, error, "myDupString");
DBGPRINT(( DBG_SS_CERTSRV, "pkcsFormXchgKeyContainerName: %ws\n", *ppwszKeyContainer));
error: return(hr);}
HRESULTpkcsAcquireKey( OPTIONAL IN WCHAR const *pwszKeyContainer, OUT HCRYPTPROV *phProv){ HRESULT hr;
*phProv = NULL; if (!CryptAcquireContext( phProv, pwszKeyContainer, g_pwszXchgProvName, g_dwXchgProvType, g_fXchgMachineKeyset? CRYPT_MACHINE_KEYSET : 0)) { hr = myHLastError(); _JumpError(hr, error, "CryptAcquireContext"); } hr = S_OK;
error: return(hr);}
VOIDpkcsDeleteKey( OPTIONAL IN WCHAR const *pwszKeyContainer){ HRESULT hr; HCRYPTPROV hProv;
if (NULL != pwszKeyContainer) { if (!CryptAcquireContext( &hProv, pwszKeyContainer, g_pwszXchgProvName, g_dwXchgProvType, CRYPT_DELETEKEYSET | (g_fXchgMachineKeyset? CRYPT_MACHINE_KEYSET : 0))) { hr = myHLastError(); _JumpError(hr, error, "CryptAcquireContext"); } }error: ;}
VOIDpkcsLoadCAXchgCSPInfo( IN BOOL fSetDefaults){ HRESULT hr = S_FALSE;
if (NULL != g_pwszXchgProvName) { LocalFree(g_pwszXchgProvName); g_pwszXchgProvName = NULL; } if (!fSetDefaults) { hr = myGetCertSrvCSP( TRUE, // fEncryptionCSP
g_wszSanitizedName, &g_dwXchgProvType, &g_pwszXchgProvName, &g_XchgidAlg, &g_fXchgMachineKeyset, &g_dwXchgKeySize); if (S_OK != hr) { _PrintError(hr, "myGetCertSrvCSP(CAXchg)"); } } if (S_OK != hr) { g_dwXchgProvType = PROV_RSA_FULL; g_pwszXchgProvName = NULL; g_XchgidAlg = CALG_3DES; g_fXchgMachineKeyset = TRUE; g_dwXchgKeySize = 0; } if (0 == g_dwXchgKeySize) { g_dwXchgKeySize = 1024; }}
HRESULTpkcsCreateNewCAXchgCert( IN WCHAR const *pwszUserName){ HRESULT hr; ICertDBRow *prow = NULL; DWORD dwRequestFlags = CR_FLG_CAXCHGCERT; BOOL fSubjectNameSet; BOOL fErrorLogged; CERT_PUBLIC_KEY_INFO *pPubKey = NULL; DWORD cb; CAXCHGCTX CAXchgContext; CAXCHGCTX *rgCAXchgContext; CERT_EXTENSION aExt[4]; DWORD cExt; DWORD i; CERTTRANSBLOB ctbCert; // CoTaskMem*
CERTSRV_RESULT_CONTEXT Result; WCHAR *pwszDisposition = NULL; WCHAR *pwszMachineRequesterName = NULL; BOOL fCommitted = FALSE; static char *s_apszObjId[] = { szOID_KP_CA_EXCHANGE, };
ZeroMemory(&CAXchgContext, sizeof(CAXchgContext)); ZeroMemory(&aExt, sizeof(aExt)); ZeroMemory(&ctbCert, sizeof(ctbCert));
hr = g_pCertDB->OpenRow(PROPTABLE_REQCERT, 0, NULL, &prow); _JumpIfError(hr, error, "OpenRow");
prow->GetRowId(&CAXchgContext.ReqId);
hr = myGetComputerObjectName(NameSamCompatible, &pwszMachineRequesterName); if (S_OK != hr) { _PrintError(hr, "myGetComputerObjectName");
hr = myGetUserNameEx(NameSamCompatible, &pwszMachineRequesterName); _JumpIfError(hr, error, "myGetUserNameEx"); }
hr = prow->SetProperty( g_wszPropRequesterName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, MAXDWORD, (BYTE const *) pwszMachineRequesterName); _JumpIfError(hr, error, "SetProperty");
hr = prow->SetProperty( g_wszPropCallerName, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_REQUEST, MAXDWORD, (BYTE const *) pwszUserName); _JumpIfError(hr, error, "SetProperty");
hr = prow->SetProperty( wszPROPCERTIFICATETEMPLATE, PROPTYPE_STRING | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, MAXDWORD, (BYTE const *) wszCERTTYPE_CA_EXCHANGE); _JumpIfError(hr, error, "SetProperty");
hr = pkcsFormXchgKeyContainerName( CAXchgContext.ReqId, &CAXchgContext.pwszKeyContainerName); _JumpIfError(hr, error, "pkcsFormXchgKeyContainerName");
for (i = 0; ; i++) { hr = myGenerateKeys( CAXchgContext.pwszKeyContainerName, g_pwszXchgProvName, g_fXchgMachineKeyset, AT_KEYEXCHANGE, g_dwXchgProvType, g_dwXchgKeySize, &CAXchgContext.hProvCA); if (S_OK == hr) { break; } _PrintErrorStr(hr, "myGenerateKeys", g_pwszXchgProvName); LogEventHResult( EVENTLOG_ERROR_TYPE, NULL == g_pwszXchgProvName? MSG_E_BAD_DEFAULT_CA_XCHG_CSP : MSG_E_BAD_REGISTRY_CA_XCHG_CSP, hr); if (0 != i || NULL == g_pwszXchgProvName) { _JumpError(hr, error, "myGenerateKeys"); } pkcsLoadCAXchgCSPInfo(TRUE); // switch to default CSP
} if (0 != i) { hr = LogEvent( EVENTLOG_WARNING_TYPE, MSG_E_USE_DEFAULT_CA_XCHG_CSP, 0, // cpwsz
NULL); // apwsz
_PrintIfError(hr, "LogEvent"); }
if (!myCryptExportPublicKeyInfo( CAXchgContext.hProvCA, AT_KEYEXCHANGE, CERTLIB_USE_LOCALALLOC, &pPubKey, &cb)) { hr = myHLastError(); _JumpError(hr, error, "myCryptExportPublicKeyInfo"); }
hr = PropSetRequestTimeProperty(prow, g_wszPropRequestSubmittedWhen); _JumpIfError(hr, error, "PropSetRequestTimeProperty");
hr = CoreSetDisposition(prow, DB_DISP_ACTIVE); _JumpIfError(hr, error, "CoreSetDisposition");
hr = pkcsSetRequestNameInfo( prow, &g_pCAContextCurrent->pccCA->pCertInfo->Subject, g_wszCNXchgSuffix, &dwRequestFlags, &fSubjectNameSet); _JumpIfError(hr, error, "pkcsSetRequestNameInfo");
hr = prow->SetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, sizeof(dwRequestFlags), (BYTE const *) &dwRequestFlags); _JumpIfError(hr, error, "SetProperty(RequestFlags)");
CSASSERT(fSubjectNameSet);
hr = pkcsSetPublicKeyProperties(prow, pPubKey); _JumpIfError(hr, error, "pkcsSetPublicKeyProperties");
hr = prow->CopyRequestNames(); _JumpIfError(hr, error, "CopyRequestNames");
hr = PKCSSetServerProperties( prow, g_lCAXchgValidityPeriodCount, g_enumCAXchgValidityPeriod); _JumpIfError(hr, error, "PKCSSetServerProperties");
cExt = 0;
// szOID_KEY_USAGE
{ CRYPT_BIT_BLOB KeyUsage; BYTE abKeyUsage[1] = { CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_KEY_AGREEMENT_KEY_USAGE };
KeyUsage.pbData = abKeyUsage; KeyUsage.cbData = sizeof(abKeyUsage); KeyUsage.cUnusedBits = 0;
if (!myEncodeKeyUsage( X509_ASN_ENCODING, &KeyUsage, CERTLIB_USE_LOCALALLOC, &aExt[cExt].Value.pbData, &aExt[cExt].Value.cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeKeyUsage"); } } hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, TEXT(szOID_KEY_USAGE), 0, // ExtFlags
aExt[cExt].Value.cbData, aExt[cExt].Value.pbData); _JumpIfError(hr, error, "PropSetExtension");
cExt++;
// szOID_ENHANCED_KEY_USAGE
{ CERT_ENHKEY_USAGE eku;
eku.cUsageIdentifier = ARRAYSIZE(s_apszObjId); eku.rgpszUsageIdentifier = s_apszObjId;
if (!myEncodeObject( X509_ASN_ENCODING, X509_ENHANCED_KEY_USAGE, &eku, 0, CERTLIB_USE_LOCALALLOC, &aExt[cExt].Value.pbData, &aExt[cExt].Value.cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } } hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, TEXT(szOID_ENHANCED_KEY_USAGE), 0, // ExtFlags
aExt[cExt].Value.cbData, aExt[cExt].Value.pbData); _JumpIfError(hr, error, "PropSetExtension");
cExt++;
// szOID_APPLICATION_CERT_POLICIES
{ CERT_POLICY_INFO acpi[ARRAYSIZE(s_apszObjId)]; CERT_POLICIES_INFO cps;
ZeroMemory(&acpi, sizeof(acpi)); cps.cPolicyInfo = ARRAYSIZE(s_apszObjId); cps.rgPolicyInfo = acpi; for (i = 0; i < ARRAYSIZE(s_apszObjId); i++) { acpi[i].pszPolicyIdentifier = s_apszObjId[i]; } if (!myEncodeObject( X509_ASN_ENCODING, X509_CERT_POLICIES, &cps, 0, CERTLIB_USE_LOCALALLOC, &aExt[cExt].Value.pbData, &aExt[cExt].Value.cbData)) { hr = myHLastError(); _JumpError(hr, error, "myEncodeObject"); } } hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, TEXT(szOID_APPLICATION_CERT_POLICIES), 0, // ExtFlags
aExt[cExt].Value.cbData, aExt[cExt].Value.pbData); _JumpIfError(hr, error, "PropSetExtension");
cExt++;
// szOID_ENROLL_CERTTYPE_EXTENSION
hr = myBuildCertTypeExtension(wszCERTTYPE_CA_EXCHANGE, &aExt[cExt]); _JumpIfError(hr, error, "myBuildCertTypeExtension");
hr = PropSetExtension( prow, PROPTYPE_BINARY | PROPCALLER_SERVER, TEXT(szOID_ENROLL_CERTTYPE_EXTENSION), 0, // ExtFlags
aExt[cExt].Value.cbData, aExt[cExt].Value.pbData); _JumpIfError(hr, error, "PropSetExtension");
cExt++; CSASSERT(cExt == ARRAYSIZE(aExt));
ZeroMemory(&Result, sizeof(Result)); Result.pctbCert = &ctbCert; hr = PKCSCreateCertificate( prow, DB_DISP_ISSUED, FALSE, &fErrorLogged, NULL, &Result); _JumpIfError(hr, error, "PKCSCreateCertificate");
CAXchgContext.pccCA = CertCreateCertificateContext( X509_ASN_ENCODING, ctbCert.pb, ctbCert.cb); if (NULL == CAXchgContext.pccCA) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
if (NULL == g_aCAXchgContext) { CSASSERT(0 == g_cCAXchgCerts); rgCAXchgContext = (CAXCHGCTX *) LocalAlloc( LMEM_FIXED, sizeof(rgCAXchgContext[0])); } else { rgCAXchgContext = (CAXCHGCTX *) LocalReAlloc( g_aCAXchgContext, (g_cCAXchgCerts + 1) * sizeof(rgCAXchgContext[0]), LMEM_MOVEABLE); } if (NULL == rgCAXchgContext) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc/ReAlloc"); } g_aCAXchgContext = rgCAXchgContext; g_aCAXchgContext[g_cCAXchgCerts] = CAXchgContext;
pwszDisposition = CoreBuildDispositionString( g_pwszRequestedBy, pwszUserName, NULL, NULL, S_OK, FALSE);
hr = CoreSetRequestDispositionFields( prow, S_OK, DB_DISP_ISSUED, pwszDisposition); _JumpIfError(hr, error, "CoreSetRequestDispositionFields");
hr = prow->CommitTransaction(TRUE); _JumpIfError(hr, error, "CommitTransaction");
fCommitted = TRUE;
g_pCAXchgContextCurrent = &g_aCAXchgContext[g_cCAXchgCerts];
g_cCAXchgCerts++; ZeroMemory(&CAXchgContext, sizeof(CAXchgContext));
error: if (NULL != pwszMachineRequesterName) { LocalFree(pwszMachineRequesterName); } if (NULL != pwszDisposition) { LocalFree(pwszDisposition); } for (i = 0; i < ARRAYSIZE(aExt); i++) { if (NULL != aExt[i].Value.pbData) { LocalFree(aExt[i].Value.pbData); } } if (NULL != prow) { if (S_OK != hr && !fCommitted) { HRESULT hr2 = prow->CommitTransaction(FALSE); _PrintIfError(hr2, "CommitTransaction"); } prow->Release(); } if (NULL != ctbCert.pb) { CoTaskMemFree(ctbCert.pb); } if (NULL != pPubKey) { LocalFree(pPubKey); } if (NULL != CAXchgContext.pccCA) { CertFreeCertificateContext(CAXchgContext.pccCA); } if (NULL != CAXchgContext.hProvCA) { CryptReleaseContext(CAXchgContext.hProvCA, 0); pkcsDeleteKey(CAXchgContext.pwszKeyContainerName); } if (NULL != CAXchgContext.pwszKeyContainerName) { LocalFree(CAXchgContext.pwszKeyContainerName); } return(hr);}
VOIDpkcsReleaseCAXchgContext( IN OUT CAXCHGCTX *pCAXchgContext){ if (NULL != pCAXchgContext->hProvCA) { CryptReleaseContext(pCAXchgContext->hProvCA, 0); pCAXchgContext->hProvCA = NULL; } if (NULL != pCAXchgContext->pccCA) { CertFreeCertificateContext(pCAXchgContext->pccCA); pCAXchgContext->pccCA = NULL; } if (NULL != pCAXchgContext->pwszKeyContainerName) { LocalFree(pCAXchgContext->pwszKeyContainerName); pCAXchgContext->pwszKeyContainerName = NULL; }}
VOIDpkcsReleaseCAXchgContextArray(){ DWORD i;
if (NULL != g_aCAXchgContext) { for (i = 0; i < g_cCAXchgCerts; i++) { pkcsReleaseCAXchgContext(&g_aCAXchgContext[i]); } LocalFree(g_aCAXchgContext); g_aCAXchgContext = NULL; } g_cCAXchgCerts = 0; g_pCAContextCurrent = NULL;}
HRESULTpkcsLoadCAXchgContext( IN DWORD iHash){ HRESULT hr; CAXCHGCTX *pCAXchgContext; DWORD dwRequestFlags; DWORD NameId; HCRYPTPROV hProv = NULL; WCHAR *pwszKeyContainer = NULL; WCHAR *pwszHash = NULL; BYTE abHash[CBMAX_CRYPT_HASH_LEN]; BYTE *pbHash = NULL; DWORD cbHash; BYTE *pbCert = NULL; DWORD cbCert; DWORD cb; BSTR strHash = NULL; ICertDBRow *prow = NULL; DWORD dwRequestId; CERT_CONTEXT const *pcc = NULL; BOOL fDeleteKey = FALSE; DWORD i;
hr = myGetCARegHash( g_wszSanitizedName, CSRH_CAXCHGCERT, iHash, &pbHash, &cbHash); _JumpIfError2(hr, error, "myGetCARegHash", S_FALSE);
hr = MultiByteIntegerToBstr(TRUE, cbHash, pbHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
DBGPRINT(( DBG_SS_CERTSRV, "Reloading Xchg CAContext[%u]:\n %ws\n", iHash, strHash));
hr = g_pCertDB->OpenRow( PROPOPEN_READONLY | PROPOPEN_CERTHASH | PROPTABLE_REQCERT, 0, strHash, &prow); _JumpIfError(hr, error, "OpenRow(xchg cert)");
prow->GetRowId(&dwRequestId);
hr = pkcsFormXchgKeyContainerName(dwRequestId, &pwszKeyContainer); _JumpIfError(hr, error, "pkcsFormXchgKeyContainerName");
cb = sizeof(dwRequestFlags); hr = prow->GetProperty( g_wszPropRequestFlags, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cb, (BYTE *) &dwRequestFlags); _JumpIfError(hr, error, "GetProperty(RequestFlags)");
if (0 == (CR_FLG_CAXCHGCERT & dwRequestFlags)) { hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA); _JumpError(hr, error, "Not a CA Xchg cert"); }
cb = sizeof(NameId); hr = prow->GetProperty( g_wszPropCertificateIssuerNameID, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cb, (BYTE *) &NameId); _JumpIfError(hr, error, "GetProperty");
hr = PKCSGetProperty( prow, g_wszPropRawCertificate, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, &cbCert, (BYTE **) &pbCert); _JumpIfError(hr, error, "PKCSGetProperty(xchg cert)");
pcc = CertCreateCertificateContext(X509_ASN_ENCODING, pbCert, cbCert); if (NULL == pcc) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); }
for (i = 0; ; i++) { hr = pkcsAcquireKey(pwszKeyContainer, &hProv); _PrintIfErrorStr(hr, "pkcsAcquireKey", g_pwszXchgProvName);
if (S_OK == hr) { hr = myValidateKeyForEncrypting( hProv, &pcc->pCertInfo->SubjectPublicKeyInfo, CALG_3DES); _PrintIfErrorStr(hr, "myValidateKeyForEncrypting", g_pwszXchgProvName); } if (S_OK == hr) { break; } LogEventHResult( EVENTLOG_ERROR_TYPE, NULL == g_pwszXchgProvName? MSG_E_BAD_DEFAULT_CA_XCHG_CSP : MSG_E_BAD_REGISTRY_CA_XCHG_CSP, hr); if (0 != i || NULL == g_pwszXchgProvName) { fDeleteKey = TRUE; _JumpError(hr, error, "pkcsAcquireKey/myValidateKeyForEncrypting"); } pkcsLoadCAXchgCSPInfo(TRUE); // switch to default CSP
} if (0 != i) { hr = LogEvent( EVENTLOG_WARNING_TYPE, MSG_E_USE_DEFAULT_CA_XCHG_CSP, 0, // cpwsz
NULL); // apwsz
_PrintIfError(hr, "LogEvent"); }
hr = pkcsVerifyCertContext(NULL, FALSE, pcc); if (S_OK != hr) { fDeleteKey = TRUE; _JumpErrorStr(hr, error, "pkcsVerifyCertContext", L"CAXchg cert invalid"); }
pCAXchgContext = &g_aCAXchgContext[g_cCAXchgCerts]; ZeroMemory(pCAXchgContext, sizeof(*pCAXchgContext));
pCAXchgContext->ReqId = dwRequestId;
pCAXchgContext->pccCA = pcc; pcc = NULL;
pCAXchgContext->hProvCA = hProv; hProv = NULL;
pCAXchgContext->pwszKeyContainerName = pwszKeyContainer; pwszKeyContainer = NULL;
pCAXchgContext->iCertSig = CANAMEIDTOICERT(NameId); g_cCAXchgCerts++; hr = S_OK;
error: if (NULL != hProv) { CryptReleaseContext(hProv, 0); } if (fDeleteKey) { pkcsDeleteKey(pwszKeyContainer); } if (NULL != prow) { prow->Release(); } if (NULL != pbCert) { LocalFree(pbCert); } if (NULL != pcc) { CertFreeCertificateContext(pcc); } if (NULL != pwszKeyContainer) { LocalFree(pwszKeyContainer); } if (NULL != pbHash) { LocalFree(pbHash); } if (NULL != strHash) { SysFreeString(strHash); } return(hr);}
HRESULTpkcsLoadCAXchgContextArray( OUT BOOL *pfIncompleteLoad){ HRESULT hr; DWORD cCAXchgCerts; DWORD iHash; DWORD i;
// get provider name, etc.
pkcsLoadCAXchgCSPInfo(FALSE);
// find & load CA Xchg certs, etc.
*pfIncompleteLoad = TRUE; hr = myGetCARegHashCount( g_wszSanitizedName, CSRH_CAXCHGCERT, &cCAXchgCerts); if (S_OK == hr && 0 == cCAXchgCerts) { hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); } _JumpIfError(hr, error, "myGetCARegHashCount");
g_aCAXchgContext = (CAXCHGCTX *) LocalAlloc( LMEM_FIXED | LMEM_ZEROINIT, cCAXchgCerts * sizeof(g_aCAXchgContext[0])); if (NULL == g_aCAXchgContext) { hr = E_OUTOFMEMORY; _JumpError(hr, error, "LocalAlloc"); }
for (iHash = 0; iHash < cCAXchgCerts; iHash++) { hr = pkcsLoadCAXchgContext(iHash); _PrintIfError(hr, "pkcsLoadCAXchgContext"); } if (0 == g_cCAXchgCerts) { hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); _JumpError(hr, error, "g_cCAXchgCerts"); } g_pCAXchgContextCurrent = &g_aCAXchgContext[0]; for (i = 1; i < g_cCAXchgCerts; i++) { if (0 < CompareFileTime( &g_aCAXchgContext[i].pccCA->pCertInfo->NotAfter, &g_pCAXchgContextCurrent->pccCA->pCertInfo->NotAfter)) { g_pCAXchgContextCurrent = &g_aCAXchgContext[i]; } } if (cCAXchgCerts == g_cCAXchgCerts) { *pfIncompleteLoad = FALSE; } hr = S_OK;
error: if (S_OK != hr) { if (NULL != g_aCAXchgContext) { LocalFree(g_aCAXchgContext); g_aCAXchgContext = NULL; } g_cCAXchgCerts = 0; g_pCAXchgContextCurrent = NULL; } return(hr);}
HRESULTpkcsUpdateCAXchgStoreAndRegistry( IN BOOL fUpdateRegistry){ HRESULT hr; DWORD i; DWORD iHash; CAXCHGCTX *pCAXchgContext; HCERTSTORE hStore = NULL; CERT_KEY_CONTEXT ckc; CERT_CONTEXT const *pccStore = NULL;
hStore = CertOpenStore( CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, // hProv
0, // dwFlags
NULL); // pvPara
if (NULL == hStore) { hr = myHLastError(); _JumpError(hr, error, "CertOpenStore"); } if (fUpdateRegistry) { hr = myDeleteCertRegValue( g_wszSanitizedName, NULL, NULL, g_wszRegCAXchgCertHash); _PrintIfError(hr, "myDeleteCertRegValue"); }
ZeroMemory(&ckc, sizeof(ckc)); ckc.cbSize = sizeof(ckc); ckc.dwKeySpec = AT_KEYEXCHANGE;
iHash = 0; for (i = 0; i < g_cCAXchgCerts; i++) { pCAXchgContext = &g_aCAXchgContext[i]; if (CTXF_EXPIRED & pCAXchgContext->Flags) { continue; }
// Add as encoded blob to avoid all properties, key prov info, etc.
if (!CertAddEncodedCertificateToStore( hStore, X509_ASN_ENCODING, pCAXchgContext->pccCA->pbCertEncoded, pCAXchgContext->pccCA->cbCertEncoded, CERT_STORE_ADD_REPLACE_EXISTING, &pccStore)) // ppCertContext
{ hr = myHLastError(); _JumpError(hr, error, "CertAddEncodedCertificateToStore"); } ckc.hCryptProv = pCAXchgContext->hProvCA; if (!CertSetCertificateContextProperty( pccStore, CERT_KEY_CONTEXT_PROP_ID, CERT_STORE_NO_CRYPT_RELEASE_FLAG, &ckc)) { hr = myHLastError(); _JumpError(hr, error, "CertSetCertificateContextProperty"); } CertFreeCertificateContext(pccStore); pccStore = NULL;
DBGPRINT(( DBG_SS_CERTSRV, "Add to CA Xchg memory store: '%ws'\n", pCAXchgContext->pwszKeyContainerName));
if (fUpdateRegistry) { hr = mySetCARegHash( g_wszSanitizedName, CSRH_CAXCHGCERT, iHash, pCAXchgContext->pccCA); if (S_OK != hr) { _PrintError(hr, "mySetCARegHash"); continue; } } iHash++; } if (NULL != g_hStoreCAXchg) { CertCloseStore(g_hStoreCAXchg, CERT_CLOSE_STORE_CHECK_FLAG); } g_hStoreCAXchg = hStore; hStore = NULL; hr = S_OK;
error: if (NULL != pccStore) { CertFreeCertificateContext(pccStore); } if (NULL != hStore) { CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } return(hr);}
HRESULTPKCSIsRevoked( IN DWORD RequestId, OPTIONAL IN WCHAR const *pwszSerialNumber, OUT LONG *pRevocationReason, OUT LONG *pDisposition){ HRESULT hr; ICertDBRow *prow = NULL; BYTE *pbHash = NULL; DWORD cbHash; BSTR strHash = NULL; DWORD Disposition; DWORD cbProp; FILETIME ftRevoked; FILETIME ftCurrent;
*pRevocationReason = CRL_REASON_UNSPECIFIED; *pDisposition = CA_DISP_INVALID;
hr = g_pCertDB->OpenRow( PROPOPEN_READONLY | PROPTABLE_REQCERT, RequestId, pwszSerialNumber, &prow); _PrintIfErrorStr2(hr, "OpenRow", pwszSerialNumber, CERTSRV_E_PROPERTY_EMPTY);
if (CERTSRV_E_PROPERTY_EMPTY == hr && NULL != pwszSerialNumber) { _PrintErrorStr2( hr, "OpenRow(serial)", pwszSerialNumber, CERTSRV_E_PROPERTY_EMPTY);
hr = WszToMultiByteInteger(TRUE, pwszSerialNumber, &cbHash, &pbHash); _JumpIfError(hr, error, "WszToMultiByteInteger");
hr = MultiByteIntegerToBstr(TRUE, cbHash, pbHash, &strHash); _JumpIfError(hr, error, "MultiByteIntegerToBstr");
hr = g_pCertDB->OpenRow( PROPOPEN_READONLY | PROPOPEN_CERTHASH | PROPTABLE_REQCERT, RequestId, strHash, &prow); _PrintIfErrorStr2(hr, "OpenRow", strHash, CERTSRV_E_PROPERTY_EMPTY); } if (S_OK != hr) { if (CERTSRV_E_PROPERTY_EMPTY == hr) { hr = S_OK; // disposition indicates cert is invalid
} goto error; }
cbProp = sizeof(Disposition); hr = prow->GetProperty( g_wszPropRequestDisposition, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbProp, (BYTE *) &Disposition); _JumpIfError(hr, error, "GetProperty(Disposition)");
if (DB_DISP_ISSUED == Disposition || (DB_DISP_CA_CERT == Disposition && IsRootCA(g_CAType))) { *pDisposition = CA_DISP_VALID; goto error; }
if (DB_DISP_REVOKED != Disposition) { goto error; }
cbProp = sizeof(ftRevoked); hr = prow->GetProperty( g_wszPropRequestRevokedEffectiveWhen, PROPTYPE_DATE | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbProp, (BYTE *) &ftRevoked);
if (CERTSRV_E_PROPERTY_EMPTY == hr) { *pDisposition = CA_DISP_VALID; hr = S_OK; goto error; } _JumpIfError(hr, error, "GetProperty(RevokedEffectiveWhen)");
GetSystemTimeAsFileTime(&ftCurrent); if (0 < CompareFileTime(&ftRevoked, &ftCurrent)) { *pDisposition = CA_DISP_VALID; goto error; }
cbProp = sizeof(*pRevocationReason); hr = prow->GetProperty( g_wszPropRequestRevokedReason, PROPTYPE_LONG | PROPCALLER_SERVER | PROPTABLE_REQUEST, &cbProp, (BYTE *) pRevocationReason); _JumpIfError(hr, error, "GetProperty(RevokedReason)");
*pDisposition = CA_DISP_REVOKED;
error: if (NULL != pbHash) { LocalFree(pbHash); } if (NULL != strHash) { SysFreeString(strHash); } if (NULL != prow) { prow->Release(); } return(hr);}
HRESULTPKCSGetCAXchgCert( IN DWORD iCert, IN WCHAR const *pwszUserName, OUT DWORD *piCertSig, OUT BYTE **ppbCACert, OUT DWORD *pcbCACert){ HRESULT hr; DWORD State; BOOL fNewCert = FALSE; BOOL fIncompleteLoad = FALSE; FILETIME ft;
if (MAXDWORD != iCert && 0 != iCert) { hr = E_INVALIDARG; _JumpError(hr, error, "bad Xchg CertIndex"); } if (NULL == g_pCAXchgContextCurrent || NULL == g_pCAXchgContextCurrent->pccCA) { hr = pkcsLoadCAXchgContextArray(&fIncompleteLoad); _PrintIfError(hr, "pkcsLoadCAXchgContextArray");
if (S_OK != hr) { fNewCert = TRUE; } } if (NULL != g_pCAXchgContextCurrent && NULL != g_pCAXchgContextCurrent->pccCA) { CERT_INFO const *pCertInfo = g_pCAXchgContextCurrent->pccCA->pCertInfo; GetSystemTimeAsFileTime(&ft);
if (0 < CompareFileTime(&ft, &pCertInfo->NotAfter)) { g_pCAXchgContextCurrent->Flags |= CTXF_EXPIRED; hr = CERT_E_EXPIRED; _PrintError(hr, "CA Xchg certificate is expired -- delete key");
pkcsDeleteKey(g_pCAXchgContextCurrent->pwszKeyContainerName); fNewCert = TRUE; } else if (0 > CompareFileTime(&ft, &pCertInfo->NotBefore)) { hr = CERT_E_EXPIRED; _PrintError(hr, "CA Xchg certificate not yet valid"); fNewCert = TRUE; } else { myMakeExprDateTime( &ft, g_lCAXchgOverlapPeriodCount, g_enumCAXchgOverlapPeriod);
if (0 < CompareFileTime(&ft, &pCertInfo->NotAfter)) { hr = CERT_E_EXPIRED; _PrintError(hr, "CA Xchg certificate expires too soon"); fNewCert = TRUE; } else { hr = pkcsVerifyCertIssuer( g_pCAXchgContextCurrent->pccCA, g_pCAContextCurrent); if (S_OK != hr) { _PrintError(hr, "CA Xchg cert not issued by current CA"); fNewCert = TRUE; } else { LONG RevocationReason; LONG Disposition;
hr = PKCSIsRevoked( g_pCAXchgContextCurrent->ReqId, NULL, // pwszSerialNumber
&RevocationReason, &Disposition); if (S_OK != hr) { _PrintError(hr, "PKCSIsRevoked"); fNewCert = TRUE; } else if (CA_DISP_VALID != Disposition) { hr = CRYPT_E_REVOKED; _PrintError(hr, "revoked or bad CA Xchg certificate"); fNewCert = TRUE; } } } } } if (fNewCert) { hr = pkcsCreateNewCAXchgCert(pwszUserName); _JumpIfError(hr, error, "pkcsCreateNewCAXchgCert"); } hr = pkcsUpdateCAXchgStoreAndRegistry(fNewCert || fIncompleteLoad); _JumpIfError(hr, error, "pkcsUpdateCAXchgStoreAndRegistry");
*piCertSig = g_pCAXchgContextCurrent->iCertSig; *pcbCACert = g_pCAXchgContextCurrent->pccCA->cbCertEncoded; *ppbCACert = g_pCAXchgContextCurrent->pccCA->pbCertEncoded; hr = S_OK;
error: return(hr);}
HRESULTPKCSGetCAXchgChain( IN DWORD iCert, IN WCHAR const *pwszUserName, IN BOOL fIncludeCRLs, OUT BYTE **ppbCAChain, // CoTaskMem*
OUT DWORD *pcbCAChain){ HRESULT hr; BYTE *pbCACert; DWORD cbCACert; CACTX *pCAContext;
hr = PKCSGetCAXchgCert(iCert, pwszUserName, &iCert, &pbCACert, &cbCACert); _JumpIfError(hr, error, "PKCSGetCAXchgCert");
// iCert now indexes the signature cert that signed the current Xchg cert
pCAContext = &g_aCAContext[iCert]; if (NULL == pCAContext->pccCA) { hr = E_INVALIDARG; _JumpError(hr, error, "invalid cert"); } hr = pkcsEncodeCertChain( pCAContext, pbCACert, // pbCertLeaf
cbCACert, // cbCertLeaf
pbCACert, // pbToBeSigned
cbCACert, // cbToBeSigned
fIncludeCRLs, ppbCAChain, // CoTaskMem*
pcbCAChain); _JumpIfError(hr, error, "PKCSEncodeCertChain");
error: return(hr);}
VOIDPKCSTerminate(VOID){ pkcsReleaseCAContextArray(); pkcsReleaseCAXchgContextArray(); if (NULL != g_hStoreCAXchg) { CertCloseStore(g_hStoreCAXchg, CERT_CLOSE_STORE_CHECK_FLAG); g_hStoreCAXchg = NULL; } pkcsLoadCAXchgCSPInfo(TRUE); pkcsReleaseKRACertArray();
pkcsFreeTemplates(&g_paRevURL, &g_caRevURL); pkcsFreeTemplates(&g_paCACertURL, &g_caCACertURL); if (NULL != g_pwszKRAPublishURL) { LocalFree(g_pwszKRAPublishURL); g_pwszKRAPublishURL = NULL; } if (NULL != g_pwszAIACrossCertPublishURL) { LocalFree(g_pwszAIACrossCertPublishURL); g_pwszAIACrossCertPublishURL = NULL; } if (NULL != g_pwszRootTrustCrossCertPublishURL) { LocalFree(g_pwszRootTrustCrossCertPublishURL); g_pwszRootTrustCrossCertPublishURL = NULL; } if (NULL != g_strDomainDN) { SysFreeString(g_strDomainDN); g_strDomainDN = NULL; } if (NULL != g_strConfigDN) { SysFreeString(g_strConfigDN); g_strConfigDN = NULL; }}
// PKCSCreateCertificate -- Create certificate & build PKCS 7 or Full Response.
//
// If pResult->pctbCert is non-NULL and pResult->pctbCert->pb is NULL:
// CR_IN_NEW:
// Build, store and return cert
// Use current CA Context
// Build and return PKCS 7 or Full Response
//
// If pResult->pctbCert is non-NULL and pResult->pctbCert->pb is non-NULL:
// CR_IN_RETRIEVEPENDING:
// Use passed cert
// Find matching CA Context
// Build and return PKCS 7 or Full Response
//
// If pResult->pctbCert is NULL:
// CR_IN_RESUBMIT:
// Build and store cert -- don't return cert
// Use current CA Context
// Don't build or return PKCS 7 or Full Response
HRESULTPKCSCreateCertificate( IN ICertDBRow *prow, IN DWORD Disposition, IN BOOL fIncludeCRLs, OUT BOOL *pfErrorLogged, OPTIONAL OUT CACTX **ppCAContext, IN OUT CERTSRV_RESULT_CONTEXT *pResult) // CoTaskMem*
{ HRESULT hr; BYTE *pbCert = NULL; DWORD cbCert; BYTE *pbCertChain = NULL; DWORD cbCertChain; DWORD cCert; BOOL fCreated = FALSE; DWORD i; CACTX *pCAContext; CERT_CONTEXT const *pcc = NULL;
if (NULL != ppCAContext) { *ppCAContext = NULL; } *pfErrorLogged = FALSE; CSASSERT(NULL == pResult->pctbCertChain || NULL == pResult->pctbCertChain->pb); CSASSERT(NULL == pResult->pctbFullResponse || NULL == pResult->pctbFullResponse->pb);
if (NULL != pResult->pctbCert && NULL != pResult->pctbCert->pb) { pbCert = pResult->pctbCert->pb; cbCert = pResult->pctbCert->cb;
pcc = CertCreateCertificateContext(X509_ASN_ENCODING, pbCert, cbCert); if (NULL == pcc) { hr = myHLastError(); _JumpError(hr, error, "CertCreateCertificateContext"); } pCAContext = NULL; if (DB_DISP_CA_CERT != Disposition && DB_DISP_CA_CERT_CHAIN != Disposition) { hr = PKCSVerifyIssuedCertificate(pcc, &pCAContext); _JumpIfError(hr, error, "PKCSVerifyIssuedCertificate"); } } else { pCAContext = g_pCAContextCurrent; cbCert = 0; hr = pkcsEncodeSubjectCert( prow, pCAContext, &pbCert, // CoTaskMem*
&cbCert, pfErrorLogged); _JumpIfError(hr, error, "pkcsEncodeSubjectCert");
fCreated = TRUE;
hr = prow->SetProperty( g_wszPropRawCertificate, PROPTYPE_BINARY | PROPCALLER_SERVER | PROPTABLE_CERTIFICATE, cbCert, pbCert); _JumpIfError(hr, error, "SetProperty"); }
if (NULL != pResult->pctbCertChain) { hr = pkcsEncodeCertChain( pCAContext, pbCert, // pbCertLeaf
cbCert, // cbCertLeaf
pbCert, // pbToBeSigned
cbCert, // cbToBeSigned
fIncludeCRLs, &pbCertChain, // CoTaskMem*
&cbCertChain); _JumpIfError(hr, error, "pkcsEncodeCertChain"); } if (fCreated && NULL != pResult->pctbCert) { pResult->pctbCert->pb = pbCert; pResult->pctbCert->cb = cbCert; pbCert = NULL; } if (NULL != pResult->pctbCertChain) { pResult->pctbCertChain->pb = pbCertChain; pResult->pctbCertChain->cb = cbCertChain; pbCertChain = NULL; } if (NULL != ppCAContext) { *ppCAContext = pCAContext; } hr = S_OK;
error: if (NULL != pcc) { CertFreeCertificateContext(pcc); } if (fCreated && NULL != pbCert) { CoTaskMemFree(pbCert); } if (fCreated && NULL != pbCertChain) { CoTaskMemFree(pbCertChain); } CSASSERT( NULL == pResult->pctbCertChain || ((S_OK == hr) ^ (NULL == pResult->pctbCertChain->pb))); return(hr);}
HRESULTPKCSGetKRACert( IN DWORD iCert, OUT BYTE **ppbCert, OUT DWORD *pcbCert){ HRESULT hr = S_OK; DWORD State;
if (MAXDWORD == iCert) { iCert = g_iKRACerts; } if (iCert >= g_cKRACerts) { hr = E_INVALIDARG; _JumpError(hr, error, "bad CertIndex"); }
*pcbCert = g_rgKRACerts[iCert]->cbCertEncoded; *ppbCert = g_rgKRACerts[iCert]->pbCertEncoded;
error: return(hr);}
|
