|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1997 - 1999
//
// File: certwrap.cpp
//
//--------------------------------------------------------------------------
#include <stdafx.h>
#include "csdisp.h"
#include "certsrv.h"
#include "genpage.h"
#include "progress.h"
#include "misc.h"
#include "certacl.h"
#include <dsgetdc.h>
#include <winldap.h>
#include "csldap.h"
_COM_SMARTPTR_TYPEDEF(IADs, IID_IADs);
//////////////////////////
// CertSvrCA class
CertSvrCA::CertSvrCA(CertSvrMachine* pParent) : m_pParentMachine(pParent){ m_hCACertStore = NULL; m_fCertStoreOpenAttempted = FALSE; m_hrCACertStoreOpen = S_OK;
m_hRootCertStore = NULL; m_fRootStoreOpenAttempted = FALSE; m_hrRootCertStoreOpen = S_OK;
m_hKRACertStore = NULL; m_fKRAStoreOpenAttempted = FALSE; m_hrKRACertStoreOpen = S_OK;
m_bstrConfig = NULL;
m_enumCAType = ENUM_UNKNOWN_CA; m_fCATypeKnown = FALSE;
m_fIsUsingDS = FALSE; m_fIsUsingDSKnown = FALSE;
m_fAdvancedServer = FALSE; m_fAdvancedServerKnown = FALSE;
if(m_pParentMachine) m_pParentMachine->AddRef();
m_dwRoles = 0; m_fRolesKnown = FALSE;}
CertSvrCA::~CertSvrCA(){ if (m_hCACertStore) { CertCloseStore(m_hCACertStore, 0); m_hCACertStore = NULL; }
if (m_hRootCertStore) { CertCloseStore(m_hRootCertStore, 0); m_hRootCertStore = NULL; }
if (m_hKRACertStore) { CertCloseStore(m_hKRACertStore, 0); m_hKRACertStore = NULL; }
if (m_bstrConfig) SysFreeString(m_bstrConfig);
if(m_pParentMachine) m_pParentMachine->Release();}
BOOL CertSvrCA::AccessAllowed(DWORD dwAccess){ return (dwAccess & GetMyRoles())?TRUE:FALSE;}
DWORD CertSvrCA::GetMyRoles(){ HRESULT hr = S_OK; ICertAdmin2Ptr pCertAdmin; LONG dwRoles;
if(!m_fRolesKnown) { hr = m_pParentMachine->GetAdmin2(&pCertAdmin); _JumpIfError(hr, error, "CertSvrMachine::GetAdmin2");
hr = pCertAdmin->GetMyRoles( m_bstrConfig, &dwRoles); _JumpIfError(hr, error, "ICertAdmin2::GetCAProperty");
m_dwRoles = dwRoles; m_fRolesKnown = TRUE; }
error: return m_dwRoles;}
HRESULT CertSvrCA::GetCAFlagsFromDS(PDWORD pdwFlags){ HRESULT hr = S_OK; LPWSTR pwszSanitizedDSName = NULL; HCAINFO hCAInfo = NULL;
hr = mySanitizedNameToDSName(m_strSanitizedName, &pwszSanitizedDSName); _JumpIfError(hr, error, "mySanitizedNameToDSName");
hr = CAFindByName( pwszSanitizedDSName, NULL, 0, &hCAInfo); _JumpIfErrorStr(hr, error, "CAFindByName", pwszSanitizedDSName);
hr = CAGetCAFlags( hCAInfo, pdwFlags); _JumpIfError(hr, error, "CAGetCAFlags");
error: LOCAL_FREE(pwszSanitizedDSName); if(hCAInfo) CACloseCA(hCAInfo);
return hr;}
// CA machine should have full control over the enrollment object in DS.
// This function checks if the machine has the rights and adds a new
// ace allowing CA machine obj (eg TESTDOMAIN\BOGDANTTEST$) full control
// over its enrollment object
// See bug# 193388.
HRESULT CertSvrCA::FixEnrollmentObject(){ HRESULT hr = S_OK; IDirectoryObject *pADEnrollObj = NULL; LPWSTR pwszAttr = L"nTSecurityDescriptor"; PADS_ATTR_INFO paai = NULL; DWORD dwAttrReturned; LPWSTR pwszSanitizedDSName = NULL; CString strEnrollDN; HCAINFO hCAInfo = NULL; PSID pSid = NULL; bool fAllowed = false; PSECURITY_DESCRIPTOR pSDRead = NULL; // no free
PSECURITY_DESCRIPTOR pSDWrite = NULL;
hr = mySanitizedNameToDSName(m_strSanitizedName, &pwszSanitizedDSName); _JumpIfError(hr, error, "mySanitizedNameToDSName");
hr = CAFindByName( pwszSanitizedDSName, NULL, CA_FIND_INCLUDE_UNTRUSTED | CA_FIND_INCLUDE_NON_TEMPLATE_CA, &hCAInfo); _JumpIfErrorStr(hr, error, "CAFindByName", pwszSanitizedDSName);
strEnrollDN = L"LDAP://"; strEnrollDN += myCAGetDN(hCAInfo); if (strEnrollDN.IsEmpty()) { hr = myHLastError(); _JumpError(hr, error, "myCAGetDN"); }
hr = ADsGetObject(strEnrollDN, IID_IDirectoryObject, (void**)&pADEnrollObj); _JumpIfErrorStr(hr, error, "ADsGetObject", strEnrollDN);
hr = pADEnrollObj->GetObjectAttributes( &pwszAttr, 1, &paai, &dwAttrReturned); _JumpIfErrorStr(hr, error, "Get SD", strEnrollDN);
pSDRead = paai[0].pADsValues[0].SecurityDescriptor.lpValue;
CSASSERT(IsValidSecurityDescriptor(pSDRead));
hr = FindComputerObjectSid( m_strServer, pSid); _JumpIfErrorStr(hr, error, "FindCAComputerObjectSid", m_strServer);
// look in DACL for a ace allowing CA full control
hr = IsCAAllowedFullControl( pSDRead, pSid, fAllowed); _JumpIfError(hr, error, "IsCAAllowedFullControl");
if(!fAllowed) { // build new SD allowing CA full control and write it back
// to DS
ADSVALUE snValue; ADS_ATTR_INFO attrInfo[] = {{ pwszAttr, ADS_ATTR_UPDATE, ADSTYPE_NT_SECURITY_DESCRIPTOR, &snValue, 1} };
hr = AllowCAFullControl( pSDRead, pSid, pSDWrite); _JumpIfError(hr, error, "AllowCAFullControl");
CSASSERT(IsValidSecurityDescriptor(pSDWrite));
snValue.dwType = ADSTYPE_NT_SECURITY_DESCRIPTOR; snValue.SecurityDescriptor.dwLength = GetSecurityDescriptorLength(pSDWrite); snValue.SecurityDescriptor.lpValue = (LPBYTE)pSDWrite;
hr = pADEnrollObj->SetObjectAttributes( attrInfo, 1, &dwAttrReturned); _JumpIfErrorStr(hr, error, "Set SD", strEnrollDN); }
error:
if(paai) FreeADsMem(paai); if(pADEnrollObj) pADEnrollObj->Release(); if(hCAInfo) CACloseCA(hCAInfo); LOCAL_FREE(pwszSanitizedDSName); LOCAL_FREE(pSid); LOCAL_FREE(pSDWrite); return hr;}
HRESULT CertSvrCA::IsCAAllowedFullControl( PSECURITY_DESCRIPTOR pSDRead, PSID pSid, bool& fAllowed){ HRESULT hr = S_OK; PACL pDacl; // no free
ACL_SIZE_INFORMATION AclInfo; PACCESS_ALLOWED_ACE pAce; // no free
DWORD dwIndex; fAllowed = false;
hr = myGetSecurityDescriptorDacl( pSDRead, &pDacl); _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
if(!GetAclInformation(pDacl, &AclInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) { hr = myHLastError(); _JumpError(hr, error, "GetAclInformation"); }
for(dwIndex = 0; dwIndex < AclInfo.AceCount; dwIndex++) { if(!GetAce(pDacl, dwIndex, (LPVOID*)&pAce)) { hr = myHLastError(); _JumpError(hr, error, "GetAce"); }
if(pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && (pAce->Mask & ACTRL_CERTSRV_MANAGE) == ACTRL_CERTSRV_MANAGE && EqualSid((PSID)&pAce->SidStart, pSid)) { fAllowed = true; break; } }
error: return hr;}
HRESULT CertSvrCA::AllowCAFullControl( PSECURITY_DESCRIPTOR pSDRead, PSID pSid, PSECURITY_DESCRIPTOR& pSDWrite){ HRESULT hr = S_OK; BOOL fRet = 0; LPBYTE pSDTemp = NULL; PACL pDaclWrite = NULL; PACL pDaclRead = NULL; // no free
PVOID pAce = NULL; // no free
DWORD dwAbsoluteSDSize = 0; DWORD dwDaclSize = 0; DWORD dwSaclSize = 0; DWORD dwOwnerSize = 0; DWORD dwGroupSize = 0; DWORD dwSDWriteSize = 0; DWORD dwDaclWriteSize = 0;
hr = myGetSecurityDescriptorDacl( pSDRead, &pDaclRead); _JumpIfError(hr, error, "myGetSecurityDescriptorDacl"); fRet = MakeAbsoluteSD( pSDRead, NULL, &dwAbsoluteSDSize, NULL, &dwDaclSize, NULL, &dwSaclSize, NULL, &dwOwnerSize, NULL, &dwGroupSize); // should always fail with insufficient buffer
if(fRet || ERROR_INSUFFICIENT_BUFFER!=GetLastError()) { hr = fRet?E_FAIL:HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "MakeAbsoluteSD"); }
// alloc all buffers together
pSDTemp = (LPBYTE)LocalAlloc( LMEM_FIXED, dwAbsoluteSDSize+dwDaclSize+dwSaclSize+dwOwnerSize+dwGroupSize); _JumpIfAllocFailed(pSDTemp, error); fRet = MakeAbsoluteSD( pSDRead, (PSECURITY_DESCRIPTOR)pSDTemp, &dwAbsoluteSDSize, (PACL)(pSDTemp+dwAbsoluteSDSize), &dwDaclSize, (PACL)(pSDTemp+dwAbsoluteSDSize+dwDaclSize), &dwSaclSize, (PSID)(pSDTemp+dwAbsoluteSDSize+dwDaclSize+dwSaclSize), &dwOwnerSize, (PSID)(pSDTemp+dwAbsoluteSDSize+dwDaclSize+dwSaclSize+dwOwnerSize), &dwGroupSize); // should always fail with insufficient buffer
if(!fRet) { hr = HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "MakeAbsoluteSD"); }
dwDaclWriteSize = dwDaclSize+sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD)+ GetLengthSid(pSid);
pDaclWrite = (PACL) LocalAlloc(LMEM_FIXED, dwDaclWriteSize); _JumpIfAllocFailed(pDaclWrite, error);
fRet = InitializeAcl(pDaclWrite, dwDaclWriteSize, ACL_REVISION_DS); if(!fRet) { hr=HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "InitializeAcl"); }
fRet = GetAce(pDaclRead, 0, &pAce); if(!fRet) { hr = HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "GetAce"); }
fRet = AddAce(pDaclWrite, ACL_REVISION_DS, 0, pAce, dwDaclSize-sizeof(ACL)); if(!fRet) { hr = HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "AddAce"); }
fRet = AddAccessAllowedAce( pDaclWrite, ACL_REVISION_DS, ACTRL_CERTSRV_MANAGE_LESS_CONTROL_ACCESS, pSid); if(!fRet) { hr = HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "AddAccessAllowedAce"); }
fRet = SetSecurityDescriptorDacl( pSDTemp, TRUE, pDaclWrite, FALSE); if(!fRet) { hr = HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "SetSecurityDescriptorDacl"); }
fRet = MakeSelfRelativeSD( pSDTemp, NULL, &dwSDWriteSize); if(fRet || ERROR_INSUFFICIENT_BUFFER!=GetLastError()) { hr = fRet?E_FAIL:HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "MakeSelfRelativeSD"); }
pSDWrite = LocalAlloc(LMEM_FIXED, dwSDWriteSize); _JumpIfAllocFailed(pSDWrite, error);
fRet = MakeSelfRelativeSD( pSDTemp, pSDWrite, &dwSDWriteSize); if(!fRet) { hr = HRESULT_FROM_WIN32(GetLastError()); _JumpError(hr, error, "MakeSelfRelativeSD"); }
error:
LOCAL_FREE(pSDTemp); LOCAL_FREE(pDaclWrite); return hr;}
BOOL CertSvrCA::FIsUsingDS(){ DWORD dwRet; variant_t varUsingDS;
if (m_fIsUsingDSKnown) return m_fIsUsingDS;
dwRet = GetConfigEntry( NULL, wszREGCAUSEDS, &varUsingDS); _JumpIfError(dwRet, Ret, "GetConfigEntry");
CSASSERT ((V_VT(&varUsingDS)== VT_I4)); m_fIsUsingDS = V_I4(&varUsingDS);
Ret: m_fIsUsingDSKnown = TRUE; return m_fIsUsingDS;}
BOOL CertSvrCA::FIsAdvancedServer(){ HRESULT hr = S_OK; variant_t var; ICertAdmin2Ptr pCertAdmin; CString strCADN, strCALDAP = L"LDAP://"; IADsPtr pADs;
if (!m_fAdvancedServerKnown) {
hr = m_pParentMachine->GetAdmin2(&pCertAdmin); if(S_OK==hr) {
hr = pCertAdmin->GetCAProperty( m_bstrConfig, CR_PROP_ADVANCEDSERVER, // PropId
0, // Index
PROPTYPE_LONG, // PropType
0, // Flags
&var); } if(S_OK != hr) { // couldn't figure it out from CA, try DS
DWORD dwFlags; hr = GetCAFlagsFromDS(&dwFlags); _JumpIfError(hr, error, "GetCAFlags"); m_fAdvancedServer = (dwFlags & CA_FLAG_CA_SERVERTYPE_ADVANCED)? TRUE: FALSE; m_fAdvancedServerKnown = TRUE; } else { CSASSERT ((V_VT(&var)== VT_I4)); m_fAdvancedServer = V_I4(&var); m_fAdvancedServerKnown = TRUE; } _JumpIfError(hr, error, "GetCAProperty"); }
error:
return m_fAdvancedServer;}
ENUM_CATYPES CertSvrCA::GetCAType(){ DWORD dwRet; variant_t varCAType;
if (m_fCATypeKnown) return m_enumCAType;
dwRet = GetConfigEntry( NULL, wszREGCATYPE, &varCAType); _JumpIfError(dwRet, Ret, "GetConfigEntry");
CSASSERT ((V_VT(&varCAType)== VT_I4)); m_enumCAType = (ENUM_CATYPES)V_I4(&varCAType);
Ret: m_fCATypeKnown = TRUE; return m_enumCAType;}
BOOL CertSvrCA::FIsIncompleteInstallation(){ DWORD dwStatus;
if (S_OK == GetSetupStatus(m_strSanitizedName, &dwStatus)) { if(SETUP_SUSPEND_FLAG & dwStatus) return TRUE; }
return FALSE;}
BOOL CertSvrCA::FIsRequestOutstanding(){ DWORD dwStatus;
if (S_OK == GetSetupStatus(m_strSanitizedName, &dwStatus)) { if(SETUP_REQUEST_FLAG & dwStatus) return TRUE; }
return FALSE;}
BOOL CertSvrCA::FDoesSecurityNeedUpgrade(){ DWORD dwStatus;
if (S_OK == GetSetupStatus(m_strSanitizedName, &dwStatus)) { if(SETUP_W2K_SECURITY_NOT_UPGRADED_FLAG & dwStatus) return TRUE; }
return FALSE;}
BOOL CertSvrCA::FDoesServerAllowForeignCerts(){ HRESULT hr; DWORD dwStatus; variant_t varKRAFlags;
hr = GetConfigEntry( NULL, wszREGKRAFLAGS, &varKRAFlags); _JumpIfError(hr, Ret, "GetConfigEntry");
CSASSERT ((V_VT(&varKRAFlags)== VT_I4)); dwStatus = V_I4(&varKRAFlags);
return ((dwStatus & KRAF_ENABLEFOREIGN) != 0);
Ret: return FALSE;}
DWORD CertSvrCA::GetCACertByKeyIndex(PCCERT_CONTEXT* ppCertCtxt, int iKeyIndex){ // don't cache CA cert
DWORD dwErr; ICertAdmin2* pCertAdmin = NULL; // must free this!!
VARIANT varPropertyValue; VariantInit(&varPropertyValue);
*ppCertCtxt = NULL;
dwErr = m_pParentMachine->GetAdmin2(&pCertAdmin); _JumpIfError(dwErr, Ret, "GetAdmin2"); // To get key's Cert
dwErr = pCertAdmin->GetCAProperty( m_bstrConfig, CR_PROP_CASIGCERT, // PropId
iKeyIndex, // PropIndex key index
PROPTYPE_BINARY, // PropType
CR_OUT_BINARY, // Flags
&varPropertyValue); _JumpIfError(dwErr, Ret, "GetCAProperty");
// varPropertyValue.vt will be VT_BSTR
if (VT_BSTR != varPropertyValue.vt) { dwErr = ERROR_INVALID_PARAMETER; _JumpError(dwErr, Ret, "GetCAProperty"); }
*ppCertCtxt = CertCreateCertificateContext( CRYPT_ASN_ENCODING, (PBYTE)varPropertyValue.bstrVal, SysStringByteLen(varPropertyValue.bstrVal)); if (*ppCertCtxt == NULL) { dwErr = GetLastError(); _JumpError(dwErr, Ret, "CertCreateCertContext"); }
dwErr = ERROR_SUCCESS;Ret: VariantClear(&varPropertyValue);
if (pCertAdmin) pCertAdmin->Release();
return dwErr;}
DWORD CertSvrCA::GetCurrentCRL(PCCRL_CONTEXT* ppCRLCtxt, BOOL fBaseCRL){ return GetCRLByKeyIndex(ppCRLCtxt, fBaseCRL, -1);}
DWORD CertSvrCA::GetCRLByKeyIndex(PCCRL_CONTEXT* ppCRLCtxt, BOOL fBaseCRL, int iKeyIndex){ // don't cache CRL
DWORD dwErr; ICertAdmin2* pCertAdmin = NULL; // must free this!!
VARIANT varPropertyValue; VariantInit(&varPropertyValue);
*ppCRLCtxt = NULL;
dwErr = m_pParentMachine->GetAdmin2(&pCertAdmin); _JumpIfError(dwErr, Ret, "GetAdmin2"); // To get each key's BASE CRL
dwErr = pCertAdmin->GetCAProperty( m_bstrConfig, fBaseCRL ? CR_PROP_BASECRL : CR_PROP_DELTACRL, // PropId
iKeyIndex, // PropIndex key index
PROPTYPE_BINARY, // PropType
CR_OUT_BINARY, // Flags
&varPropertyValue); _JumpIfError(dwErr, Ret, "GetCAProperty");
// varPropertyValue.vt will be VT_BSTR
if (VT_BSTR != varPropertyValue.vt) { dwErr = ERROR_INVALID_PARAMETER; _JumpError(dwErr, Ret, "GetCAProperty"); }
*ppCRLCtxt = CertCreateCRLContext( CRYPT_ASN_ENCODING, (PBYTE)varPropertyValue.bstrVal, SysStringByteLen(varPropertyValue.bstrVal)); if (*ppCRLCtxt == NULL) { dwErr = GetLastError(); _JumpError(dwErr, Ret, "CertCreateCRLContext"); }
dwErr = ERROR_SUCCESS;Ret: VariantClear(&varPropertyValue);
if (pCertAdmin) pCertAdmin->Release();
return dwErr;}
HRESULT CertSvrCA::GetConfigEntry( LPWSTR szConfigSubKey, LPWSTR szConfigEntry, VARIANT *pvarOut){ HRESULT hr = S_OK; ICertAdmin2Ptr pAdmin; LPWSTR pwszLocalMachine = NULL; CString strConfig = m_pParentMachine->m_strMachineName;
if(m_pParentMachine->m_strMachineName.IsEmpty()) { hr = myGetMachineDnsName(&pwszLocalMachine); _JumpIfError(hr, Err, "myGetMachineDnsName"); strConfig = pwszLocalMachine; } strConfig += L"\\"; strConfig += m_strSanitizedName;
VariantInit(pvarOut);
hr = m_pParentMachine->GetAdmin2(&pAdmin, true); _JumpIfError(hr, Err, "GetAdmin2");
hr = pAdmin->GetConfigEntry( strConfig.GetBuffer(), szConfigSubKey, szConfigEntry, pvarOut); _JumpIfError2(hr, Err, "GetConfigEntry", HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND));
Err: LOCAL_FREE(pwszLocalMachine); return hr;}
HRESULT CertSvrCA::SetConfigEntry( LPWSTR szConfigSubKey, LPWSTR szConfigEntry, VARIANT *pvarIn){ HRESULT hr = S_OK; ICertAdmin2Ptr pAdmin; LPWSTR pwszLocalMachine = NULL; CString strConfig = m_pParentMachine->m_strMachineName;
if(m_pParentMachine->m_strMachineName.IsEmpty()) { hr = myGetMachineDnsName(&pwszLocalMachine); _JumpIfError(hr, Err, "myGetMachineDnsName"); strConfig = pwszLocalMachine; } strConfig += L"\\"; strConfig += m_strSanitizedName;
hr = m_pParentMachine->GetAdmin2(&pAdmin, true); _JumpIfError(hr, Err, "GetAdmin2");
hr = pAdmin->SetConfigEntry( strConfig.GetBuffer(), szConfigSubKey, szConfigEntry, pvarIn); _JumpIfError(hr, Err, "SetConfigEntry");
Err: LOCAL_FREE(pwszLocalMachine); return hr;}
////////////////////////////////////////////////////////////////
// CertStor stub
DWORD CertSvrCA::GetRootCertStore(HCERTSTORE* phCertStore){ if (m_fRootStoreOpenAttempted) { *phCertStore = m_hRootCertStore; return m_hrRootCertStoreOpen; } m_fRootStoreOpenAttempted = TRUE;
LONG dwRet; CString cstrCertStorePath; if (! m_pParentMachine->IsLocalMachine()) { // if remote, prefix with "\\mattt3\"
cstrCertStorePath = m_strServer; cstrCertStorePath += L"\\"; } cstrCertStorePath += L"ROOT";
m_hRootCertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, CRYPT_ASN_ENCODING, NULL, // hCryptProv
CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_MAXIMUM_ALLOWED_FLAG, (const void *)(LPCWSTR)cstrCertStorePath); if (m_hRootCertStore == NULL) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "CertOpenStore"); } dwRet = ERROR_SUCCESS;Ret: *phCertStore = m_hRootCertStore; m_hrRootCertStoreOpen = HRESULT_FROM_WIN32(dwRet);
return dwRet;}
DWORD CertSvrCA::GetCACertStore(HCERTSTORE* phCertStore){ if (m_fCertStoreOpenAttempted) { *phCertStore = m_hCACertStore; return m_hrCACertStoreOpen; } m_fCertStoreOpenAttempted = TRUE;
LONG dwRet; CString cstrCertStorePath; if (! m_pParentMachine->IsLocalMachine()) { // if remote, prefix with "\\mattt3\"
cstrCertStorePath = m_strServer; cstrCertStorePath += L"\\"; } cstrCertStorePath += wszCA_CERTSTORE;
m_hCACertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, CRYPT_ASN_ENCODING, NULL, // hCryptProv
CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_MAXIMUM_ALLOWED_FLAG, (const void *)(LPCWSTR)cstrCertStorePath); if (m_hCACertStore == NULL) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "CertOpenStore"); } dwRet = ERROR_SUCCESS;Ret:
*phCertStore = m_hCACertStore; m_hrCACertStoreOpen = HRESULT_FROM_WIN32(dwRet);
return dwRet;}
DWORD CertSvrCA::GetKRACertStore(HCERTSTORE* phCertStore){ if (m_fKRAStoreOpenAttempted) { *phCertStore = m_hKRACertStore; return m_hrKRACertStoreOpen; } m_fKRAStoreOpenAttempted = TRUE;
LONG dwRet; CString cstrCertStorePath; if (! m_pParentMachine->IsLocalMachine()) { // if remote, prefix with "\\mattt3\"
cstrCertStorePath = m_strServer; cstrCertStorePath += L"\\"; } cstrCertStorePath += wszKRA_CERTSTORE;
m_hKRACertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, CRYPT_ASN_ENCODING, NULL, // hCryptProv
CERT_SYSTEM_STORE_LOCAL_MACHINE| CERT_STORE_MAXIMUM_ALLOWED_FLAG, (const void *)(LPCWSTR)cstrCertStorePath); if (m_hKRACertStore == NULL) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "CertOpenStore"); } dwRet = ERROR_SUCCESS;Ret: *phCertStore = m_hKRACertStore; m_hrKRACertStoreOpen = HRESULT_FROM_WIN32(dwRet);
return dwRet;}
//////////////////////////
// CertSvrMachine class
CertSvrMachine::CertSvrMachine(){ m_dwServiceStatus = ERROR_SERVICE_NOT_ACTIVE;
m_hCachedConfigBaseKey = NULL; m_bAttemptedBaseKeyOpen = FALSE; m_fLocalIsKnown = FALSE;
m_fIsWhistlerMachine = FALSE; m_fIsWhistlerMachineKnown = FALSE;
m_cRef = 1; // one "Release()" will initiate clean up
}
CertSvrMachine::~CertSvrMachine(){ CSASSERT(m_cRef == 0); // delete any CAs that we still hold on to -- we own this memory
for (int i=0; i<m_CAList.GetSize(); i++) { delete m_CAList[i]; }
Init();}
void CertSvrMachine::Init(){ // on initialization, caller owns memory contents of m_CAList --
// we no longer do
m_dwServiceStatus = ERROR_SERVICE_NOT_ACTIVE;
if (m_hCachedConfigBaseKey) { RegCloseKey(m_hCachedConfigBaseKey); m_hCachedConfigBaseKey = NULL; } m_bAttemptedBaseKeyOpen = FALSE;
// clean other objects
m_CAList.Init(); // scope owns memory
m_strMachineNamePersist.Init(); m_strMachineName.Init();}
BOOL CertSvrMachine::FIsWhistlerMachine(){ HRESULT hr = S_OK; VARIANT varTmp; VariantInit(&varTmp);
if(!m_fIsWhistlerMachineKnown) { hr = GetRootConfigEntry( wszREGVERSION, &varTmp); _JumpIfError(hr, Err, "GetConfigEntry");
DBGPRINT((DBG_SS_INFO, "Found version: 0x%x", V_I4(&varTmp)));
CSASSERT ((V_VT(&varTmp)== VT_I4)); m_fIsWhistlerMachine = (V_I4(&varTmp) >= CSVER_WHISTLER); // bigger than or equal to major Whistler version? return TRUE!
m_fIsWhistlerMachineKnown = TRUE; }
Err:
VariantClear(&varTmp); return m_fIsWhistlerMachine;}
HRESULT CertSvrMachine::GetRootConfigEntry( LPWSTR szConfigEntry, VARIANT *pvarOut){ HRESULT hr = S_OK; ICertAdmin2Ptr pAdmin; LPWSTR pwszLocalMachine = NULL; CString strConfig = m_strMachineName;
if(m_strMachineName.IsEmpty()) { hr = myGetMachineDnsName(&pwszLocalMachine); _JumpIfError(hr, Err, "myGetMachineDnsName"); strConfig = pwszLocalMachine; } VariantInit(pvarOut);
hr = GetAdmin2(&pAdmin, true); _JumpIfError(hr, Err, "GetAdmin2");
hr = pAdmin->GetConfigEntry( strConfig.GetBuffer(), NULL, szConfigEntry, pvarOut); _JumpIfError(hr, Err, "GetConfigEntry");
Err: LOCAL_FREE(pwszLocalMachine); return hr;
}
HRESULT CertSvrMachine::GetAdmin(ICertAdmin** ppAdmin){ HRESULT hr; BOOL fCoInit = FALSE;
if (!IsCertSvrServiceRunning()) { *ppAdmin = NULL; return RPC_S_NOT_LISTENING; }
// ensure this thread initialized
hr = CoInitialize(NULL); if ((S_OK == hr) || (S_FALSE == hr)) fCoInit = TRUE;
// create interface, pass back
hr = CoCreateInstance( CLSID_CCertAdmin, NULL, // pUnkOuter
CLSCTX_INPROC_SERVER, IID_ICertAdmin, (void **) ppAdmin); _PrintIfError(hr, "CoCreateInstance");
if (fCoInit) CoUninitialize();
return hr;}
HRESULT CertSvrMachine::GetAdmin2( ICertAdmin2** ppAdmin, bool fIgnoreServiceDown /* = false*/){ HRESULT hr = S_OK, hr1; BOOL fCoInit = FALSE;
if (!fIgnoreServiceDown && !IsCertSvrServiceRunning()) { *ppAdmin = NULL; return RPC_S_NOT_LISTENING; }
hr1 = CoInitialize(NULL); if ((S_OK == hr1) || (S_FALSE == hr1)) fCoInit = TRUE;
// create interface, pass back
hr = CoCreateInstance( CLSID_CCertAdmin, NULL, // pUnkOuter
CLSCTX_INPROC_SERVER, IID_ICertAdmin2, (void **) ppAdmin); _PrintIfError(hr, "CoCreateInstance");
if (fCoInit) CoUninitialize();
return hr;}
#define STARTSTOP_MAX_RETRY_SECONDS 30
DWORD CertSvrMachine::CertSvrStartStopService(HWND hwndParent, BOOL fStartSvc){ DWORD dwRet; SC_HANDLE schService = NULL; SC_HANDLE schSCManager = NULL; SERVICE_STATUS ServiceStatus; HANDLE hProgressDlg = NULL; DWORD dwAttempts = 0;
CWaitCursor cwait;
schSCManager = OpenSCManagerW( GetNullMachineName(&m_strMachineName),// machine (NULL == local)
NULL, // database (NULL == default)
SC_MANAGER_CONNECT // access required
); if ( NULL == schSCManager ) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "OpenSCManagerW"); }
schService = OpenServiceW( schSCManager, wszSERVICE_NAME, ( fStartSvc ? SERVICE_START : SERVICE_STOP ) | SERVICE_QUERY_STATUS );
if (NULL == schService) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "OpenServiceW"); }
// UNDONE: TRY/EXCEPT
hProgressDlg = StartProgressDlg( g_hInstance, hwndParent, STARTSTOP_MAX_RETRY_SECONDS, 0, fStartSvc ? IDS_STARTING_SVC : IDS_STOPPING_SVC);
//
// try to start the service
//
if (fStartSvc) { if (!StartService( schService, 0, NULL)) { dwRet = GetLastError(); if (dwRet == ERROR_SERVICE_ALREADY_RUNNING) dwRet = ERROR_SUCCESS; _JumpError2(dwRet, Ret, "StartService", ERROR_SUCCESS); } } else { if (! ControlService( schService, SERVICE_CONTROL_STOP, &ServiceStatus ) ) { dwRet = GetLastError(); if (dwRet == ERROR_SERVICE_NOT_ACTIVE) dwRet = ERROR_SUCCESS; _JumpError2(dwRet, Ret, "ControlService", ERROR_SUCCESS); } }
while( QueryServiceStatus( schService, &ServiceStatus ) ) { //
// FProgressDlgRunning sets upper time bound on loop
//
if( !FProgressDlgRunning() ) break;
if (fStartSvc) { // demorgan's on (pending OR (running AND !pausable))
if ((ServiceStatus.dwCurrentState != (DWORD) SERVICE_START_PENDING) && // not pending AND
((ServiceStatus.dwCurrentState != (DWORD) SERVICE_RUNNING) || // (not running OR is pausable)
(0 != (ServiceStatus.dwControlsAccepted & (DWORD) SERVICE_ACCEPT_PAUSE_CONTINUE) )) ) break; } else { if (ServiceStatus.dwCurrentState != (DWORD) SERVICE_STOP_PENDING) break; }
Sleep( 500 ); }
if ( ServiceStatus.dwCurrentState != (DWORD)(fStartSvc ? SERVICE_RUNNING : SERVICE_STOPPED)) { dwRet = ServiceStatus.dwWin32ExitCode;
if (ERROR_SERVICE_SPECIFIC_ERROR == dwRet) dwRet = ServiceStatus.dwServiceSpecificExitCode;
_JumpError(dwRet, Ret, "ServiceStatus.dwServiceSpecificExitCode"); }
dwRet = ERROR_SUCCESS;
Ret: if (hProgressDlg) EndProgressDlg(hProgressDlg);
if (schService) CloseServiceHandle(schService); if (schSCManager) CloseServiceHandle(schSCManager);
if (ERROR_SUCCESS == dwRet) m_dwServiceStatus = ServiceStatus.dwCurrentState; else m_dwServiceStatus = SERVICE_STOPPED;
return dwRet;}
DWORD CertSvrMachine::RefreshServiceStatus(){ DWORD dwRet; SC_HANDLE schService = NULL; SC_HANDLE schSCManager = NULL; SERVICE_STATUS ServiceStatus;
HCURSOR hPrevCur = SetCursor(LoadCursor(NULL, IDC_WAIT));
m_dwServiceStatus = 0;
schSCManager = OpenSCManagerW( GetNullMachineName(&m_strMachineName),// machine (NULL == local)
NULL, // database (NULL == default)
SC_MANAGER_CONNECT // access required
); if ( NULL == schSCManager ) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "OpenSCManagerW"); }
schService = OpenServiceW( schSCManager, wszSERVICE_NAME, SERVICE_INTERROGATE );
if (NULL == schService) { dwRet = GetLastError(); _JumpError(dwRet, Ret, "OpenServiceW"); }
if (!ControlService(schService, SERVICE_CONTROL_INTERROGATE, &ServiceStatus) ) { dwRet = GetLastError(); if (dwRet != ERROR_SERVICE_NOT_ACTIVE) { _JumpError(dwRet, Ret, "ControlService"); } }
m_dwServiceStatus = ServiceStatus.dwCurrentState;
dwRet = ERROR_SUCCESS;Ret: SetCursor(hPrevCur);
if (schService) CloseServiceHandle(schService); if (schSCManager) CloseServiceHandle(schSCManager);
return dwRet;}
LPCWSTR CertSvrMachine::GetCaCommonNameAtPos(DWORD iPos){// if (iPos > (m_cCAList-1))
if (iPos > (DWORD)m_CAList.GetUpperBound()) return NULL;
return GetCaAtPos(iPos)->m_strCommonName;}
CertSvrCA* CertSvrMachine::GetCaAtPos(DWORD iPos){// if (iPos > (m_cCAList-1))
if (iPos > (DWORD)m_CAList.GetUpperBound()) return NULL;
return m_CAList[iPos];// return m_rgpCAList[iPos];
}
DWORD CertSvrMachine::PrepareData(HWND hwndParent){ // hwndParent: we will display a dlg describing what we're waiting for
HANDLE hDlg = NULL; DWORD dwRet; __try { CSASSERT(hwndParent); hDlg = StartProgressDlg(g_hInstance, hwndParent, 10, 0, IDS_CA_REDISCOVER); // don't time out
dwRet = RefreshServiceStatus(); _LeaveIfError(dwRet, "RefreshServiceStatus"); dwRet = RetrieveCertSvrCAs(0); _LeaveIfError(dwRet, "RetrieveCertSvrCAs"); } __finally { if (hDlg) EndProgressDlg(hDlg); }
return dwRet;}
#include "csdisp.h"
LPWSTR szConfigFieldDescription[] = { L"Server", L"CommonName", L"OrgUnit", L"Organization", L"Locality", L"State", L"Country", L"Config", L"Comment",};
DWORDCertSvrMachine::RetrieveCertSvrCAs( IN DWORD Flags){ HRESULT hr; LONG i, iEntries; LONG count=0, Index; LPWSTR szTargetMachine = NULL; LPWSTR szTargetMachine2 = NULL; WCHAR* szRegActive; // no delete;
LPWSTR pwszzCAList = NULL; ICertAdmin2Ptr pAdmin; LPWSTR pwszSanitizedName = NULL; LPWSTR pwszCAList = NULL; size_t len; bool fNameIsAlreadySanitized = false; DWORD dwVersion;
// init var containing machine sans whacks
Index = sizeof(szTargetMachine); if (!m_strMachineName.IsEmpty()) { const WCHAR* pch = (LPCWSTR)m_strMachineName; // skip whack whack
if ((pch[0] == '\\') && (pch[1] == '\\')) pch+=2; szTargetMachine = (LPWSTR)LocalAlloc(LPTR, WSZ_BYTECOUNT(pch)); _JumpIfOutOfMemory(hr, error, szTargetMachine);
wcscpy(szTargetMachine, pch); } else { hr = myGetComputerNames(&szTargetMachine, &szTargetMachine2); _JumpIfError(hr, error, "myGetComputerNames"); }
// Don't go to DS for this, just RegConnect
// DS would give us: strConfig, szMachine, and Template info.
// we already can derive strConfig, szMachine; we weren't using template info here
// look for CAs that aren't yet completely set up
do { HKEY hBaseKey; // this is cached
DWORD cbOut, dwType;
hr = myPingCertSrv( szTargetMachine, NULL, &pwszzCAList, NULL, NULL, &dwVersion, NULL);
if(S_OK==hr) { if(dwVersion<2) hr = HRESULT_FROM_WIN32(ERROR_OLD_WIN_VERSION); _JumpIfError(hr, error, "Whistler CA snapin cannot connect to older CAs"); }
// If for any reason we couldn't ping the CA, fail over to
// registry; we currently support only one CA per machine, if this
// changes in the future, replace the code below with an enumeration
// of nodes under configuration regkey.
if(S_OK!=hr) { hr = myGetCertRegValue( szTargetMachine, NULL, NULL, NULL, wszREGACTIVE, (BYTE**)&pwszCAList, NULL, &dwType); _JumpIfError(hr, error, "myGetCertRegValue");
CSASSERT(dwType==REG_SZ);
len = wcslen(pwszCAList)+1; pwszzCAList = (LPWSTR)LocalAlloc(LMEM_FIXED, (len+1)*sizeof(WCHAR)); _JumpIfAllocFailed(pwszzCAList, error);
wcscpy(pwszzCAList, pwszCAList); pwszzCAList[len] = L'\0';
// regactive gives us already sanitized ca name
fNameIsAlreadySanitized = true; } _JumpIfError(hr, error, "myPingCertSrv");
szRegActive = pwszzCAList;
while (szRegActive[0] != '\0') // while we don't hit end-of-string
{ for (int ii=0; ii<m_CAList.GetSize(); ii++) { // Common name match? break early
if (m_CAList[ii]->m_strCommonName.IsEqual(szRegActive)) break; }
// not found?
if (ii == m_CAList.GetSize()) { // and insert it into the list
CertSvrCA* pIssuer = new CertSvrCA(this); _JumpIfOutOfMemory(hr, error, pIssuer);
pIssuer->m_strServer = szTargetMachine;
if(!fNameIsAlreadySanitized) { hr = mySanitizeName(szRegActive, &pwszSanitizedName); _JumpIfError(hr, error, "mySanitizeName");
pIssuer->m_strSanitizedName = pwszSanitizedName; } else { pIssuer->m_strSanitizedName = szRegActive; }
LPWSTR pszString = NULL; DWORD cbString = 0; variant_t varCommonName; // get prettified common name
hr = pIssuer->GetConfigEntry( NULL, wszREGCOMMONNAME, &varCommonName); _JumpIfError(hr, error, "GetConfigEntry");
if (V_VT(&varCommonName)!=VT_BSTR || V_BSTR(&varCommonName)==NULL) { hr = HRESULT_FROM_WIN32(ERROR_NOT_FOUND); _JumpError(hr, error, "GetConfigEntry"); }
pIssuer->m_strCommonName = V_BSTR(&varCommonName); varCommonName.Clear();
// config is common name (not sanitized)
pIssuer->m_strConfig = szTargetMachine; pIssuer->m_strConfig += L"\\"; pIssuer->m_strConfig += pIssuer->m_strCommonName;
// Last: get description if exists
if (S_OK == pIssuer->GetConfigEntry( NULL, wszREGCADESCRIPTION, &varCommonName)) { if (V_VT(&varCommonName)==VT_BSTR && V_BSTR(&varCommonName)!=NULL) { pIssuer->m_strComment = V_BSTR(&varCommonName); } }
// create oft-used bstr
pIssuer->m_bstrConfig = pIssuer->m_strConfig.AllocSysString(); _JumpIfOutOfMemory(hr, error, pIssuer->m_bstrConfig);
m_CAList.Add(pIssuer); }
// REG_MULTI_SZ: fwd to next string
szRegActive += wcslen(szRegActive)+1; }
} while(0);
error:
LOCAL_FREE(pwszzCAList); LOCAL_FREE(pwszSanitizedName); LOCAL_FREE(pwszCAList);
if (szTargetMachine) LocalFree(szTargetMachine);
if (szTargetMachine2) LocalFree(szTargetMachine2);
return(hr);}
STDMETHODIMP CertSvrMachine::Load(IStream *pStm){ CSASSERT(pStm); HRESULT hr;
// no header magic ?
// Read the string
hr = CStringLoad(m_strMachineNamePersist, pStm); m_strMachineName = m_strMachineNamePersist;
if (FAILED(hr)) return E_FAIL;
return S_OK;}
STDMETHODIMP CertSvrMachine::Save(IStream *pStm, BOOL fClearDirty){ CSASSERT(pStm); HRESULT hr;
// no header magic ?
// save the string
hr = CStringSave(m_strMachineNamePersist, pStm, fClearDirty); _PrintIfError(hr, "CStringSave");
// Verify that the write operation succeeded
if (FAILED(hr)) return STG_E_CANTSAVE;
return S_OK;}
STDMETHODIMP CertSvrMachine::GetSizeMax(int *pcbSize){ CSASSERT(pcbSize);
*pcbSize = (m_strMachineNamePersist.GetLength()+1)* sizeof(WCHAR);
return S_OK;}
|
