archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/ca/include/certsd.h

264 lines
7.6 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: certsd.h
  3. // Contents: CA's security descriptor class declaration
  4. //---------------------------------------------------------------------------
  5. #ifndef __CERTSD_H__
  6. #define __CERTSD_H__
  8. namespace CertSrv
  9. {
  11. typedef struct _SID_LIST
  12. {
  13. DWORD dwSidCount;
  14. DWORD SidListStart[ANYSIZE_ARRAY];
  16. } SID_LIST, *PSID_LIST;
  18. HRESULT GetWellKnownSID(
  19. PSID *ppSid,
  20. SID_IDENTIFIER_AUTHORITY *pAuth,
  21. BYTE SubauthorityCount,
  22. DWORD SubAuthority1,
  23. DWORD SubAuthority2=0,
  24. DWORD SubAuthority3=0,
  25. DWORD SubAuthority4=0,
  26. DWORD SubAuthority5=0,
  27. DWORD SubAuthority6=0,
  28. DWORD SubAuthority7=0,
  29. DWORD SubAuthority8=0);
  31. // caller is responsible for LocalFree'ing PSID
  32. HRESULT GetEveryoneSID(PSID *ppSid);
  33. HRESULT GetLocalSystemSID(PSID *ppSid);
  34. HRESULT GetBuiltinAdministratorsSID(PSID *ppSid);
  36. // This class wraps a SD with single writer multiple reader access control on
  37. // it. Allows any number of threads to LockGet() the pointer to the SD if no
  38. // thread is in the middle of a Set(). Set() is blocked until all threads
  39. // that already retrieved the SD released it (calling Unlock)
  40. //
  41. // Also provides the support for persistently saving/loading the SD to registy
  43. class CProtectedSecurityDescriptor
  44. {
  45. public:
  47. CProtectedSecurityDescriptor() :
  48. m_pSD(NULL),
  49. m_fInitialized(false),
  50. m_cReaders(0),
  51. m_hevtNoReaders(NULL),
  52. m_pcwszSanitizedName(NULL),
  53. m_pcwszPersistRegVal(NULL)
  54. {};
  55. ~CProtectedSecurityDescriptor()
  56. {
  57. Uninitialize();
  58. }
  60. void Uninitialize()
  61. {
  62. if(m_pSD)
  63. {
  64. LocalFree(m_pSD);
  65. m_pSD = NULL;
  66. }
  67. if(m_hevtNoReaders)
  68. {
  69. CloseHandle(m_hevtNoReaders);
  70. m_hevtNoReaders = NULL;
  71. }
  72. m_pcwszSanitizedName = NULL;
  73. m_fInitialized = false;
  74. m_cReaders = 0;
  75. if(IsInitialized())
  76. {
  77. DeleteCriticalSection(&m_csWrite);
  78. }
  79. }
  81. BOOL IsInitialized() const { return m_fInitialized;}
  83. // init, loading SD from the registry
  84. HRESULT Initialize(LPCWSTR pwszSanitizedName);
  85. // init from supplied SD
  86. HRESULT Initialize(const PSECURITY_DESCRIPTOR pSD, LPCWSTR pwszSanitizedName);
  88. HRESULT InitializeFromTemplate(LPCWSTR pcwszTemplate, LPCWSTR pwszSanitizedName);
  90. HRESULT Set(const PSECURITY_DESCRIPTOR pSD);
  91. HRESULT LockGet(PSECURITY_DESCRIPTOR *ppSD);
  92. HRESULT Unlock();
  94. PSECURITY_DESCRIPTOR Get() { return m_pSD; };
  96. // load SD from registry
  97. HRESULT Load();
  98. // save SD to registry
  99. HRESULT Save();
  100. // delete SD from registry
  101. HRESULT Delete();
  103. LPCWSTR GetPersistRegistryVal() { return m_pcwszPersistRegVal;}
  105. void ImportResourceStrings(LPCWSTR *pcwszStrings)
  106. {m_pcwszResources = pcwszStrings;};
  108. protected:
  110. HRESULT Init(LPCWSTR pwszSanitizedName);
  111. HRESULT SetSD(PSECURITY_DESCRIPTOR pSD);
  113. PSECURITY_DESCRIPTOR m_pSD;
  114. bool m_fInitialized;
  115. LONG m_cReaders;
  116. HANDLE m_hevtNoReaders;
  117. CRITICAL_SECTION m_csWrite;
  118. LPCWSTR m_pcwszSanitizedName; // no free
  119. LPCWSTR m_pcwszPersistRegVal; // no free
  121. static LPCWSTR const *m_pcwszResources; // no free
  123. }; //class CProtectedSecurityDescriptor
  127. // The class stores a list of officers/groups and the principals they are
  128. // allowed to manage certificates for:
  129. //
  130. // officerSID1 -> clientSID1, clientSID2...
  131. // officerSID2 -> clientSID3, clientSID4...
  132. //
  133. // The information is stored as a DACL containing callback ACEs .
  134. // The officer SID is stored as in the ACE's SID and the list of client
  135. // SIDs are stored in the custom data space following the officer SID
  136. // (see definition of _ACCESS_*_CALLBACK_ACE)
  137. //
  138. // The DACL will be used to AccessCheck if an officer is allowed to perform
  139. // an action over a certificate.
  140. //
  141. // The SD contains only the officer DACL, SACL or other data is not used.
  143. class COfficerRightsSD : public CProtectedSecurityDescriptor
  144. {
  145. public:
  147. COfficerRightsSD() : m_fEnabled(FALSE)
  148. { m_pcwszPersistRegVal = wszREGOFFICERRIGHTS; }
  150. HRESULT InitializeEmpty();
  151. HRESULT Initialize(LPCWSTR pwszSanitizedName);
  153. // The officer rights have to be in sync with the CA security descriptor.
  154. // An officer ACE for a certain SID can exist only if the principal is
  155. // an officer as defined by the CA SD.
  156. // Merge sets the internal officer DACL making sure it's in sync
  157. // with the CA SD:
  158. // - removes any ACE found in the officer DACL which is not present as an
  159. // allow ACE in the CA DACL
  160. // - add an Everyone ACE in the officer DACL for each allow ACE in CA DACL
  161. // that is not already present
  162. HRESULT Merge(
  163. PSECURITY_DESCRIPTOR pOfficerSD,
  164. PSECURITY_DESCRIPTOR pCASD);
  166. // Same as above but using the internal officer SD. Used to generate the
  167. // initial officer SD and to update it when CA SD changes
  168. HRESULT Adjust(
  169. PSECURITY_DESCRIPTOR pCASD);
  171. BOOL IsEnabled() { return m_fEnabled; }
  172. void SetEnable(BOOL fEnable) { m_fEnabled = fEnable;}
  173. HRESULT Save();
  174. HRESULT Load();
  175. HRESULT Validate() { return S_OK; }
  177. static HRESULT ConvertToString(
  178. IN PSECURITY_DESCRIPTOR pSD,
  179. OUT LPWSTR& rpwszSD);
  181. protected:
  183. static HRESULT ConvertAceToString(
  184. IN PACCESS_ALLOWED_CALLBACK_ACE pAce,
  185. OUT OPTIONAL PDWORD pdwSize,
  186. IN OUT OPTIONAL LPWSTR pwszSD);
  189. BOOL m_fEnabled;
  190. }; // class COfficerRightsSD
  192. class CCertificateAuthoritySD : public CProtectedSecurityDescriptor
  193. {
  194. public:
  196. CCertificateAuthoritySD() :
  197. m_pDefaultDSSD(NULL),
  198. m_pDefaultServiceSD(NULL),
  199. m_pDefaultDSAcl(NULL),
  200. m_pDefaultServiceAcl(NULL),
  201. m_pwszComputerSID(NULL)
  202. { m_pcwszPersistRegVal = wszREGCASECURITY; }
  204. ~CCertificateAuthoritySD()
  205. {
  206. if(m_pDefaultDSSD)
  207. LocalFree(m_pDefaultDSSD);
  208. if(m_pDefaultServiceSD)
  209. LocalFree(m_pDefaultServiceSD);
  210. if(m_pwszComputerSID)
  211. LocalFree(m_pwszComputerSID);
  212. }
  214. // Sets a new CA SD. Uses the new DACL but keeps the old owner, group and
  215. // SACL.
  216. // Also rebuilds the DACL for objects CA owns (eg DS pKIEnrollmentService,
  217. // service). The new DACL contains a default DACL plus additional aces
  218. // depending on the object:
  219. // DS - add an enroll ace for each enroll ace found in CA DACL
  220. // Service - add a full control ace for each CA admin ace
  221. HRESULT Set(const PSECURITY_DESCRIPTOR pSD, bool fSetDSSecurity);
  222. static HRESULT Validate(const PSECURITY_DESCRIPTOR pSD);
  223. HRESULT ResetSACL();
  224. HRESULT MapAndSetDaclOnObjects(bool fSetDSSecurity);
  226. // Upgrade SD from Win2k.
  227. HRESULT UpgradeWin2k(bool fUseEnterpriseAcl);
  229. static HRESULT ConvertToString(
  230. IN PSECURITY_DESCRIPTOR pSD,
  231. OUT LPWSTR& rpwszSD);
  233. protected:
  235. enum ObjType
  236. {
  237. ObjType_DS,
  238. ObjType_Service,
  239. };
  241. HRESULT MapAclGetSize(PVOID pAce, ObjType type, DWORD& dwSize);
  242. HRESULT MapAclAddAce(PACL pAcl, ObjType type, PVOID pAce);
  243. HRESULT SetDefaultAcl(ObjType type);
  244. HRESULT SetComputerSID();
  245. HRESULT MapAclSetOnDS(const PACL pAcl);
  246. HRESULT MapAclSetOnService(const PACL pAcl);
  248. DWORD GetUpgradeAceSizeAndType(PVOID pAce, DWORD *pdwType, PSID *ppSid);
  250. static HRESULT ConvertAceToString(
  251. IN PACCESS_ALLOWED_ACE pAce,
  252. OUT OPTIONAL PDWORD pdwSize,
  253. IN OUT OPTIONAL LPWSTR pwszSD);
  256. PSECURITY_DESCRIPTOR m_pDefaultDSSD;
  257. PSECURITY_DESCRIPTOR m_pDefaultServiceSD;
  258. PACL m_pDefaultDSAcl; // no free
  259. PACL m_pDefaultServiceAcl; // no free
  260. LPWSTR m_pwszComputerSID;
  261. };
  263. } // namespace CertSrv
  265. #endif //__CERTSD_H__