|
|
/*++
Copyright (c) 1997 Microsoft Corporation
Module Name:
certupgr.cxx
Abstract:
Functions used in upgrading server certs from K2 [server cert in metabase] to Avalanche [server cert in CAPI store].
Author:
Alex Mallet (amallet) 07-Dec-1997 Boyd Multerer (boydm) 20-Jan-1998 Converted to be useful in setup
--*/
#include "stdafx.h"
#include <objbase.h>
#ifndef _CHICAGO_
#include "oidenc.h"
// keyring include
#include "intrlkey.h"
//
//Local includes
//
#include "certupgr.h"
//#include "certtools.h"
// The below define is in some interal schannel header file. John Banes
// told me to just redefine it below as such........ - Boyd
LPCSTR SGC_KEY_SALT = "SGCKEYSALT";
// prototypes
BOOL DecodeAndImportPrivateKey( PBYTE pbEncodedPrivateKey IN, DWORD cbEncodedPrivateKey IN, PCHAR pszPassword IN, PWCHAR pszKeyContainerIN, CRYPT_KEY_PROV_INFO *pCryptKeyProvInfo );BOOL UpdateCSPInfo( PCCERT_CONTEXT pcCertContext );
BOOL FImportAndStoreRequest( PCCERT_CONTEXT pCert, PVOID pbPKCS10req, DWORD cbPKCS10req );
//-------------------------------------------------------------------------
PCCERT_CONTEXT CopyKRCertToCAPIStore_A( PVOID pbPrivateKey, DWORD cbPrivateKey, PVOID pbPublicKey, DWORD cbPublicKey, PVOID pbPKCS10req, DWORD cbPKCS10req, PCHAR pszPassword, PCHAR pszCAPIStore) { PCCERT_CONTEXT pCert = NULL;
// prep the wide strings
PWCHAR pszwCAPIStore = NULL; DWORD lenStore = (strlen(pszCAPIStore)+1) * sizeof(WCHAR); pszwCAPIStore = (PWCHAR)GlobalAlloc( GPTR, lenStore ); if ( !pszwCAPIStore ) goto cleanup;
// convert the strings
MultiByteToWideChar( CP_ACP, MB_PRECOMPOSED, pszCAPIStore, -1, pszwCAPIStore, lenStore );
// do the real call
pCert = CopyKRCertToCAPIStore_W( pbPrivateKey, cbPrivateKey, pbPublicKey, cbPublicKey, pbPKCS10req, cbPKCS10req, pszPassword, pszwCAPIStore );
cleanup: // preserve the last error state
DWORD err = GetLastError();
// clean up the strings
if ( pszwCAPIStore ) GlobalFree( pszwCAPIStore );
// reset the last error state
SetLastError( err );
// return the cert
return pCert; }
//--------------------------------------------------------------------------------------------
// Copies an old Key-Ring style cert to the CAPI store. This cert comes in as two binaries and a password.
PCCERT_CONTEXT CopyKRCertToCAPIStore_W( PVOID pbPrivateKey, DWORD cbPrivateKey, PVOID pbPublicKey, DWORD cbPublicKey, PVOID pbPKCS10req, DWORD cbPKCS10req, PCHAR pszPassword, PWCHAR pszCAPIStore)/*++
Routine Description:
Upgrades K2 server certs to Avalanche server certs - reads server cert out of K2 metabase, creates cert context and stores it in CAPI2 "MY" store and writes relevant information back to metabase.
Arguments:
pMDObject - pointer to Metabase object pszOldMBPath - path to where server cert is stored in old MB, relative to SSL_W3_KEYS_MD_PATH pszNewMBPath - fully qualified path to where server cert info should be stored in new MB
Returns:
BOOL indicating success/failure
--*/ { BOOL fSuccess = FALSE;
HCERTSTORE hStore = NULL; PCCERT_CONTEXT pcCertContext = NULL; LPOLESTR polestr = NULL;
// start by opening the CAPI store that we will be saving the certificate into
hStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, pszCAPIStore ); if ( !hStore ) {// iisDebugOut((_T("Error 0x%x calling CertOpenStore \n"), GetLastError());
goto EndUpgradeServerCert; }
// at this point we check to see if a certificate was passed in. If none was, then we need
// to create a dummy-temporary certificate that markes the private key as incomplete. That
// way, then the real certificate comes back from verisign the regular tools can be used
// to complete the key.
//CertCreateSelfSignCertificate()
//
//Create cert context to be stored in CAPI store
//
pbPublicKey = (PVOID)((PBYTE)pbPublicKey + CERT_DER_PREFIX); cbPublicKey -= CERT_DER_PREFIX; pcCertContext = CertCreateCertificateContext( X509_ASN_ENCODING, (PUCHAR)pbPublicKey, cbPublicKey); if ( pcCertContext ) {
// the private key gets stored in a seperate location from the certificate and gets referred to
// by the certificate. We should try to pick a unique name so that some other cert won't step
// on it by accident. There is no formal format for this name whatsoever. Some groups use a
// human-readable string, some use a hash of the cert, and some use a GUID string. All are valid
// although for generated certs the hash or the GUID are probably better.
// get the 128 big md5 hash of the cert for the name
DWORD dwHashSize; BOOL fHash;
BYTE MD5Hash[16]; // give it some extra size
dwHashSize = sizeof(MD5Hash); fHash = CertGetCertificateContextProperty( pcCertContext, CERT_MD5_HASH_PROP_ID, (VOID *) MD5Hash, &dwHashSize );
// Since the MD5 hash is the same size as a guid, we can use the guid utilities to make a
// nice string out of it.
HRESULT hresult; hresult = StringFromCLSID( (REFCLSID)MD5Hash, &polestr );
//
// Now decode private key blob and import it into CAPI1 private key
//
CRYPT_KEY_PROV_INFO CryptKeyProvInfo;
if ( DecodeAndImportPrivateKey( (PUCHAR)pbPrivateKey, cbPrivateKey, pszPassword, polestr, &CryptKeyProvInfo ) ) { //
// Add the private key to the cert context
//
BOOL f; f = CertSetCertificateContextProperty( pcCertContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &CryptKeyProvInfo ); f = UpdateCSPInfo( pcCertContext ); if ( f ) { //
// Store it in the provided store
//
if ( CertAddCertificateContextToStore( hStore, pcCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL ) ) { fSuccess = TRUE;
// Write out the original request as a property on the cert
FImportAndStoreRequest( pcCertContext, pbPKCS10req, cbPKCS10req ); } else {// iisDebugOut((_T("Error 0x%x calling CertAddCertificateContextToStore"), GetLastError());
} } else {// iisDebugOut((_T("Error 0x%x calling CertSetCertificateContextProperty"), GetLastError());
} } } else {// iisDebugOut((_T("Error 0x%x calling CertCreateCertificateContext"), GetLastError());
}
//
//Cleanup that's done only on failure
//
if ( !fSuccess ) { if ( pcCertContext ) { CertFreeCertificateContext( pcCertContext ); } pcCertContext = NULL; }
EndUpgradeServerCert: // cleanup
if ( hStore ) CertCloseStore ( hStore, 0 );
if ( polestr ) CoTaskMemFree( polestr );
// return the answer
return pcCertContext; }
//--------------------------------------------------------------------------------------------
BOOL UpdateCSPInfo( PCCERT_CONTEXT pcCertContext ) { BYTE cbData[1000]; CRYPT_KEY_PROV_INFO* pProvInfo = (CRYPT_KEY_PROV_INFO *) cbData; DWORD dwFoo = 1000; BOOL fSuccess = TRUE;
if ( ! CertGetCertificateContextProperty( pcCertContext, CERT_KEY_PROV_INFO_PROP_ID, pProvInfo, &dwFoo ) ) { fSuccess = FALSE;// iisDebugOut((_T("Fudge. failed to get property : 0x%x"), GetLastError());
} else { pProvInfo->dwProvType = PROV_RSA_SCHANNEL; pProvInfo->pwszProvName = NULL; if ( !CertSetCertificateContextProperty( pcCertContext, CERT_KEY_PROV_INFO_PROP_ID, 0, pProvInfo ) ) { fSuccess = FALSE;// iisDebugOut((_T("Fudge. failed to set property : 0x%x"), GetLastError());
} }
// return success
return fSuccess; }
//--------------------------------------------------------------------------------------------
BOOL DecodeAndImportPrivateKey( PBYTE pbEncodedPrivateKey IN, DWORD cbEncodedPrivateKey IN, PCHAR pszPassword IN, PWCHAR pszKeyContainer IN, CRYPT_KEY_PROV_INFO *pCryptKeyProvInfo ) /*++
Routine Description:
Converts the private key stored in the metabase, in Schannel-internal format, into a key that can be imported via CryptImportKey() to create a CAP1 key blob.
Arguments:
pbEncodedPrivateKey - pointer to [encoded] private key cbEncodedPrivateKey - size of encoded private key blob pszPassword - password used to encode private key pszKeyContainer - container name for private key pCryptKeyProvInfo - pointer to CRYPT_KEY_PROV_INFO structure filled in on success
Returns:
BOOL indicating success/failure
--*/ { BOOL fSuccess = FALSE; DWORD cbPassword = strlen(pszPassword); PPRIVATE_KEY_FILE_ENCODE pPrivateFile = NULL; DWORD cbPrivateFile = 0; MD5_CTX md5Ctx; struct RC4_KEYSTRUCT rc4Key; DWORD i; HCRYPTPROV hProv = NULL; HCRYPTKEY hPrivateKey = NULL; DWORD cbDecodedPrivateKey = 0; PBYTE pbDecodedPrivateKey = NULL;
DWORD err; //
//HACK HACK HACK - need to make sure Schannel is initialized, so it registers
//its custom decoders, which we make use of in the following code. So, make a
//bogus call to an Schannel function
// Note: on NT5, the AcquireCredentialsHandle operates in the lsass process and
// thus will not properly initialize the stuff we need in our process. Thus we
// call SslGenerateRandomBits instead.
//
DWORD dw; SslGenerateRandomBits( (PUCHAR)&dw, sizeof(dw) );
// We have to do a little fixup here. Old versions of
// schannel wrote the wrong header data into the ASN
// for private key files, so we must fix the size data.
pbEncodedPrivateKey[2] = (BYTE) (((cbEncodedPrivateKey - 4) & 0xFF00) >> 8); //Get MSB
pbEncodedPrivateKey[3] = (BYTE) ((cbEncodedPrivateKey - 4) & 0xFF); //Get LSB
//
// ASN.1 decode the private key.
//
//
// Figure out the size of the buffer needed
//
if( !CryptDecodeObject(X509_ASN_ENCODING, szPrivateKeyFileEncode, pbEncodedPrivateKey, cbEncodedPrivateKey, 0, NULL, &cbPrivateFile) ) { err = GetLastError();// iisDebugOut((_T("Error 0x%x decoding the private key"), err);
goto EndDecodeKey; }
pPrivateFile = (PPRIVATE_KEY_FILE_ENCODE) LocalAlloc( LPTR, cbPrivateFile );
if(pPrivateFile == NULL) { SetLastError( ERROR_OUTOFMEMORY ); goto EndDecodeKey; }
//
// Actually fill in the buffer
//
if( !CryptDecodeObject( X509_ASN_ENCODING, szPrivateKeyFileEncode, pbEncodedPrivateKey, cbEncodedPrivateKey, 0, pPrivateFile, &cbPrivateFile ) ) { err = GetLastError();// iisDebugOut((_T("Error 0x%x decoding the private key"), err);
goto EndDecodeKey; }
//
// Decrypt the decoded private key using the password.
//
MD5Init(&md5Ctx); MD5Update(&md5Ctx, (PBYTE) pszPassword, cbPassword); MD5Final(&md5Ctx);
rc4_key( &rc4Key, 16, md5Ctx.digest );// memset( &md5Ctx, 0, sizeof(md5Ctx) );
rc4( &rc4Key, pPrivateFile->EncryptedBlob.cbData, pPrivateFile->EncryptedBlob.pbData );
//
// Build a PRIVATEKEYBLOB from the decrypted private key.
//
//
// Figure out size of buffer needed
//
if( !CryptDecodeObject( X509_ASN_ENCODING, szPrivateKeyInfoEncode, pPrivateFile->EncryptedBlob.pbData, pPrivateFile->EncryptedBlob.cbData, 0, NULL, &cbDecodedPrivateKey ) ) { // NOTE: This stuff is complicated!!! The following code came
// from John Banes. Heck this whole routine pretty much came
// from John Banes. -- Boyd
// Maybe this was a SGC style key.
// Re-encrypt it, and build the SGC decrypting
// key, and re-decrypt it.
BYTE md5Digest[MD5DIGESTLEN];
rc4_key(&rc4Key, 16, md5Ctx.digest); rc4(&rc4Key, pPrivateFile->EncryptedBlob.cbData, pPrivateFile->EncryptedBlob.pbData); CopyMemory(md5Digest, md5Ctx.digest, MD5DIGESTLEN);
MD5Init(&md5Ctx); MD5Update(&md5Ctx, md5Digest, MD5DIGESTLEN); MD5Update(&md5Ctx, (PUCHAR)SGC_KEY_SALT, strlen(SGC_KEY_SALT)); MD5Final(&md5Ctx); rc4_key(&rc4Key, 16, md5Ctx.digest); rc4(&rc4Key, pPrivateFile->EncryptedBlob.cbData, pPrivateFile->EncryptedBlob.pbData);
// Try again...
if(!CryptDecodeObject(X509_ASN_ENCODING, szPrivateKeyInfoEncode, pPrivateFile->EncryptedBlob.pbData, pPrivateFile->EncryptedBlob.cbData, 0, NULL, &cbDecodedPrivateKey)) { ZeroMemory(&md5Ctx, sizeof(md5Ctx)); err = GetLastError(); goto EndDecodeKey; } }
pbDecodedPrivateKey = (PBYTE) LocalAlloc( LPTR, cbDecodedPrivateKey );
if( pbDecodedPrivateKey == NULL ) { SetLastError( ERROR_OUTOFMEMORY ); goto EndDecodeKey; }
//
// Actually fill in the buffer
//
if( !CryptDecodeObject( X509_ASN_ENCODING, szPrivateKeyInfoEncode, pPrivateFile->EncryptedBlob.pbData, pPrivateFile->EncryptedBlob.cbData, 0, pbDecodedPrivateKey, &cbDecodedPrivateKey ) ) { err = GetLastError();// iisDebugOut((_T("Error 0x%x decoding the private key"), err);
goto EndDecodeKey; }
// On NT 4 the ff holds true : <- from Alex Mallet
// Although key is going to be used for key exchange, mark it as being
// used for signing, because only 512-bit key exchange keys are supported
// in the non-domestic rsabase.dll, whereas signing keys can be up to
// 2048 bits.
//
// On NT 5, PROV_RSA_FULL should be changed to PROV_RSA_SCHANNEL, and
// aiKeyAlg to CALG_RSA_KEYX, because PROV_RSA_SCHANNEL, which is only
// installed on NT 5, supports 1024-bit private keys for key exchange
//
// On NT4, Schannel doesn't care whether a key is marked for signing or exchange,
// but on NT5 it does, so aiKeyAlg must be set appropriately
//
((BLOBHEADER *) pbDecodedPrivateKey)->aiKeyAlg = CALG_RSA_KEYX;
//
// Clean out the key container, pszKeyContainer
//
CryptAcquireContext(&hProv, pszKeyContainer, NULL, PROV_RSA_SCHANNEL, CRYPT_DELETEKEYSET | CRYPT_MACHINE_KEYSET); //
// Create a CryptoAPI key container in which to store the key.
//
if( !CryptAcquireContext( &hProv, pszKeyContainer, NULL, PROV_RSA_SCHANNEL, CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET)) { err = GetLastError();// iisDebugOut((_T("Error 0x%x calling CryptAcquireContext"), err);
goto EndDecodeKey; }
//
// Import the private key blob into the key container.
//
if( !CryptImportKey( hProv, pbDecodedPrivateKey, cbDecodedPrivateKey, 0, CRYPT_EXPORTABLE, //so we can export it later
&hPrivateKey ) ) { err = GetLastError();// iisDebugOut((_T("Error 0x%x importing PRIVATEKEYBLOB"), err);
goto EndDecodeKey; }
//
// Fill in the CRYPT_KEY_PROV_INFO structure, with the same parameters we
// used in the call to CryptAcquireContext() above
//
//
// container name in the structure is a unicode string, so we need to convert
//
if ( pszKeyContainer != NULL ) { // point the key container name to the passed in string
// WARNING: this does not actually copy the string, just the pointer
// to it. So the strings needs to remain valid until the ProvInfo is commited.
pCryptKeyProvInfo->pwszContainerName = pszKeyContainer; } else { pCryptKeyProvInfo->pwszContainerName = NULL; }
pCryptKeyProvInfo->pwszProvName = NULL; pCryptKeyProvInfo->dwProvType = PROV_RSA_FULL; pCryptKeyProvInfo->dwFlags = 0x20; // allow the cert to be exchanged
pCryptKeyProvInfo->cProvParam = 0; pCryptKeyProvInfo->rgProvParam = NULL; pCryptKeyProvInfo->dwKeySpec = AT_KEYEXCHANGE; // allow the cert to be exchanged
fSuccess = TRUE;
EndDecodeKey:
//
// Clean-up that happens regardless of success/failure
//
if ( pPrivateFile ) { LocalFree( pPrivateFile ); }
if ( pbDecodedPrivateKey ) { LocalFree( pbDecodedPrivateKey ); }
if ( hPrivateKey ) { CryptDestroyKey( hPrivateKey ); }
if ( hProv ) { CryptReleaseContext( hProv, 0 ); }
return fSuccess;
} //DecodeAndImportPrivateKey
//--------------------------------------------------------------------------------------------
/*++
Routine Description:
Takes an incoming PKCS10 request and saves it as a property attached to the key. It also checks if the request is in the old internal Keyring format or not......
Arguments:
pCert - CAPI certificate context pointer for the cert to save the request on pbPKCS10req - pointer to the request cbPKCS10req - size of the request
Returns:
BOOL indicating success/failure
--*/BOOL FImportAndStoreRequest( PCCERT_CONTEXT pCert, PVOID pbPKCS10req, DWORD cbPKCS10req ){ BOOL f; DWORD err;
// if any NULLS are passed in, fail gracefully
if ( !pCert || !pbPKCS10req || !cbPKCS10req ) return FALSE;
// first, check if the incoming request is actually pointing to an old KeyRing internal
// request format. That just means that the real request is actuall slightly into
// the block. The way you tell is by testing the first DWORD to see it
// is REQUEST_HEADER_IDENTIFIER
// start by seeing if this is a new style key request
LPREQUEST_HEADER pHeader = (LPREQUEST_HEADER)pbPKCS10req; if ( pHeader->Identifier == REQUEST_HEADER_IDENTIFIER ) { // update the request pointer and data count
pbPKCS10req = (PBYTE)pbPKCS10req + pHeader->cbSizeOfHeader; cbPKCS10req = pHeader->cbRequestSize; }
// now save the request onto the key
CRYPT_DATA_BLOB dataBlob; ZeroMemory( &dataBlob, sizeof(dataBlob) ); dataBlob.pbData = (PBYTE)pbPKCS10req; // pointer to blob data
dataBlob.cbData = cbPKCS10req; // blob length info
f = CertSetCertificateContextProperty( pCert, CERTWIZ_REQUEST_PROP_ID, 0, &dataBlob ); err = GetLastError();
/*
HRESULT hRes = CertTool_SetBinaryBlobProp( pCert, // cert context to set the prop on
pbPKCS10req, // pointer to blob data
cbPKCS10req, // blob length info
CERTWIZ_REQUEST_PROP_ID,// property ID for context
TRUE // the request is already encoded
);*/
return f;}
#endif //_CHICAGO_
|
