archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/ca/certlib/officer.cpp

710 lines
18 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+--------------------------------------------------------------------------
  2. // File: officer.cpp
  3. // Contents: officer rights implementation
  4. //---------------------------------------------------------------------------
  5. #include <pch.cpp>
  6. #include <certsd.h>
  7. #include <certacl.h>
  8. #include <sid.h>
  10. using namespace CertSrv;
  12. HRESULT
  13. COfficerRightsSD::Merge(
  14. PSECURITY_DESCRIPTOR pOfficerSD,
  15. PSECURITY_DESCRIPTOR pCASD)
  16. {
  18. HRESULT hr;
  19. PACL pCAAcl; // no free
  20. PACL pOfficerAcl; // no free
  21. PACL pNewOfficerAcl = NULL;
  22. ACL_SIZE_INFORMATION CAAclInfo, OfficerAclInfo;
  23. PBOOL pCAFound = NULL, pOfficerFound = NULL;
  24. DWORD cCAAce, cOfficerAce;
  25. PACCESS_ALLOWED_ACE pCAAce;
  26. PACCESS_ALLOWED_CALLBACK_ACE pOfficerAce;
  27. PACCESS_ALLOWED_CALLBACK_ACE pNewAce = NULL;
  28. DWORD dwNewAclSize = sizeof(ACL);
  29. PSID pSidEveryone = NULL, pSidBuiltinAdministrators = NULL;
  30. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_WORLD_SID_AUTHORITY;
  31. DWORD dwSidEveryoneSize, dwAceSize, dwSidSize;
  32. PSID_LIST pSidList;
  33. PSECURITY_DESCRIPTOR pNewOfficerSD = NULL;
  34. ACL EmptyAcl;
  35. SECURITY_DESCRIPTOR EmptySD;
  37. CSASSERT(NULL==pOfficerSD || IsValidSecurityDescriptor(pOfficerSD));
  38. CSASSERT(IsValidSecurityDescriptor(pCASD));
  40. // allow NULL officer SD, in that case build an empty SD and use it
  41. if(NULL==pOfficerSD)
  42. {
  43. if(!InitializeAcl(&EmptyAcl, sizeof(ACL), ACL_REVISION))
  44. {
  45. hr = myHLastError();
  46. _JumpError(hr, error, "InitializeAcl");
  47. }
  49. if (!InitializeSecurityDescriptor(&EmptySD, SECURITY_DESCRIPTOR_REVISION))
  50. {
  51. hr = myHLastError();
  52. _JumpError(hr, error, "InitializeSecurityDescriptor");
  53. }
  55. if(!SetSecurityDescriptorDacl(
  56. &EmptySD,
  57. TRUE, // DACL present
  58. &EmptyAcl,
  59. FALSE)) // DACL defaulted
  60. {
  61. hr = myHLastError();
  62. _JumpError(hr, error, "SetSecurityDescriptorControl");
  63. }
  65. pOfficerSD = &EmptySD;
  66. }
  68. hr = myGetSecurityDescriptorDacl(pCASD, &pCAAcl);
  69. _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
  71. hr = myGetSecurityDescriptorDacl(pOfficerSD, &pOfficerAcl);
  72. _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
  74. // allocate a bool array for each DACL
  76. if(!GetAclInformation(pCAAcl,
  77. &CAAclInfo,
  78. sizeof(CAAclInfo),
  79. AclSizeInformation))
  80. {
  81. hr = myHLastError();
  82. _JumpError(hr, error, "GetAclInformation");
  83. }
  84. if(!GetAclInformation(pOfficerAcl,
  85. &OfficerAclInfo,
  86. sizeof(OfficerAclInfo),
  87. AclSizeInformation))
  88. {
  89. hr = myHLastError();
  90. _JumpError(hr, error, "GetAclInformation");
  91. }
  93. pCAFound = (PBOOL)LocalAlloc(LMEM_FIXED, sizeof(BOOL)*CAAclInfo.AceCount);
  94. if(!pCAFound)
  95. {
  96. hr = E_OUTOFMEMORY;
  97. _JumpError(hr, error, "LocalAlloc");
  98. }
  99. ZeroMemory(pCAFound, sizeof(BOOL)*CAAclInfo.AceCount);
  101. pOfficerFound = (PBOOL)LocalAlloc(LMEM_FIXED, sizeof(BOOL)*OfficerAclInfo.AceCount);
  102. if(!pOfficerFound)
  103. {
  104. hr = E_OUTOFMEMORY;
  105. _JumpError(hr, error, "LocalAlloc");
  106. }
  107. ZeroMemory(pOfficerFound, sizeof(BOOL)*OfficerAclInfo.AceCount);
  109. hr = GetEveryoneSID(&pSidEveryone);
  110. _JumpIfError(hr, error, "GetEveryoneSID");
  112. dwSidEveryoneSize = GetLengthSid(pSidEveryone);
  114. // mark in the bool arrays each ace whose SID is found in both DACLs;
  115. // also mark CA ACEs we are not interested in (denied ACEs and
  116. // non-officer ACEs)
  118. for(cCAAce=0; cCAAce<CAAclInfo.AceCount; cCAAce++)
  119. {
  120. if(!GetAce(pCAAcl, cCAAce, (PVOID*)&pCAAce))
  121. {
  122. hr = myHLastError();
  123. _JumpError(hr, error, "GetAce");
  124. }
  126. // process only officer allow aces
  127. if(0==(pCAAce->Mask & CA_ACCESS_OFFICER))
  128. {
  129. pCAFound[cCAAce] = TRUE;
  130. continue;
  131. }
  133. // compare SIDs in each officer ace with current CA ace and mark
  134. // corresponding bool in arrays if equal
  135. for(cOfficerAce=0; cOfficerAce<OfficerAclInfo.AceCount; cOfficerAce++)
  136. {
  137. if(!GetAce(pOfficerAcl, cOfficerAce, (PVOID*)&pOfficerAce))
  138. {
  139. hr = myHLastError();
  140. _JumpError(hr, error, "GetAce");
  141. }
  142. if(EqualSid((PSID)&pOfficerAce->SidStart,
  143. (PSID)&pCAAce->SidStart))
  144. {
  145. pCAFound[cCAAce] = TRUE;
  146. pOfficerFound[cOfficerAce] = TRUE;
  147. }
  148. }
  150. // if the officer is found in the CA ACL but not in the officer ACL,
  151. // we will add a new ACE allowing him to manage certs for Everyone
  152. if(!pCAFound[cCAAce])
  153. {
  154. dwNewAclSize += sizeof(ACCESS_ALLOWED_CALLBACK_ACE)+
  155. GetLengthSid((PSID)&pCAAce->SidStart)+
  156. dwSidEveryoneSize;
  157. }
  158. }
  160. // Calculate the size of the new officer ACL; we already added in the header
  161. // size and the size of the new ACEs to be added. Now we add the ACEs to be
  162. // copied over from the old ACL
  163. for(cOfficerAce=0; cOfficerAce<OfficerAclInfo.AceCount; cOfficerAce++)
  164. {
  165. if(pOfficerFound[cOfficerAce])
  166. {
  167. if(!GetAce(pOfficerAcl, cOfficerAce, (PVOID*)&pOfficerAce))
  168. {
  169. hr = myHLastError();
  170. _JumpError(hr, error, "GetAce");
  171. }
  172. dwNewAclSize += pOfficerAce->Header.AceSize;
  173. }
  174. }
  176. // allocate a new DACL
  178. pNewOfficerAcl = (PACL)LocalAlloc(LMEM_FIXED, dwNewAclSize);
  179. if(!pNewOfficerAcl)
  180. {
  181. hr = E_OUTOFMEMORY;
  182. _JumpError(hr, error, "LocalAlloc");
  183. }
  185. #ifdef _DEBUG
  186. ZeroMemory(pNewOfficerAcl, dwNewAclSize);
  187. #endif
  189. if(!InitializeAcl(pNewOfficerAcl, dwNewAclSize, ACL_REVISION))
  190. {
  191. hr = myHLastError();
  192. _JumpError(hr, error, "InitializeAcl");
  193. }
  195. // build the new DACL
  197. // traverse officer DACL and add only marked ACEs (whose SID was found
  198. // in the CA DACL, ie principal is an officer)
  199. for(cOfficerAce=0; cOfficerAce<OfficerAclInfo.AceCount; cOfficerAce++)
  200. {
  201. if(pOfficerFound[cOfficerAce])
  202. {
  203. if(!GetAce(pOfficerAcl, cOfficerAce, (PVOID*)&pOfficerAce))
  204. {
  205. hr = myHLastError();
  206. _JumpError(hr, error, "GetAce");
  207. }
  209. if(!AddAce(
  210. pNewOfficerAcl,
  211. ACL_REVISION,
  212. MAXDWORD,
  213. pOfficerAce,
  214. pOfficerAce->Header.AceSize))
  215. {
  216. hr = myHLastError();
  217. _JumpError(hr, error, "GetAce");
  218. }
  219. }
  220. }
  222. CSASSERT(IsValidAcl(pNewOfficerAcl));
  224. hr = GetBuiltinAdministratorsSID(&pSidBuiltinAdministrators);
  225. _JumpIfError(hr, error, "GetBuiltinAdministratorsSID");
  227. // traverse the CA DACL and add a new officer to list, allowed to manage
  228. // Everyone
  229. for(cCAAce=0; cCAAce<CAAclInfo.AceCount; cCAAce++)
  230. {
  231. if(pCAFound[cCAAce])
  232. continue;
  234. if(!GetAce(pCAAcl, cCAAce, (PVOID*)&pCAAce))
  235. {
  236. hr = myHLastError();
  237. _JumpError(hr, error, "GetAce");
  238. }
  240. // create a new ACE
  241. dwSidSize = GetLengthSid((PSID)&pCAAce->SidStart);
  243. dwAceSize = sizeof(ACCESS_ALLOWED_CALLBACK_ACE)+
  244. dwSidEveryoneSize+dwSidSize;
  246. pNewAce = (ACCESS_ALLOWED_CALLBACK_ACE*) LocalAlloc(LMEM_FIXED, dwAceSize);
  247. if(!pNewAce)
  248. {
  249. hr = E_OUTOFMEMORY;
  250. _JumpError(hr, error, "LocalAlloc");
  251. }
  252. #ifdef _DEBUG
  253. ZeroMemory(pNewAce, dwAceSize);
  254. #endif
  256. pNewAce->Header.AceType = ACCESS_ALLOWED_CALLBACK_ACE_TYPE;
  257. pNewAce->Header.AceFlags= 0;
  258. pNewAce->Header.AceSize = (USHORT)dwAceSize;
  259. pNewAce->Mask = DELETE;
  260. CopySid(dwSidSize,
  261. (PSID)&pNewAce->SidStart,
  262. (PSID)&pCAAce->SidStart);
  263. pSidList = (PSID_LIST)(((BYTE*)&pNewAce->SidStart)+dwSidSize);
  264. pSidList->dwSidCount = 1;
  266. CopySid(dwSidEveryoneSize,
  267. (PSID)&pSidList->SidListStart,
  268. pSidEveryone);
  270. CSASSERT(IsValidSid((PSID)&pNewAce->SidStart));
  272. if(!AddAce(
  273. pNewOfficerAcl,
  274. ACL_REVISION,
  275. MAXDWORD,
  276. pNewAce,
  277. dwAceSize))
  278. {
  279. hr = myHLastError();
  280. _JumpError(hr, error, "AddAce");
  281. }
  283. LocalFree(pNewAce);
  284. pNewAce = NULL;
  285. }
  287. CSASSERT(IsValidAcl(pNewOfficerAcl));
  289. // setup the new security descriptor
  291. pNewOfficerSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED,
  292. SECURITY_DESCRIPTOR_MIN_LENGTH);
  293. if (pNewOfficerSD == NULL)
  294. {
  295. hr = E_OUTOFMEMORY;
  296. _JumpError(hr, error, "LocalAlloc");
  297. }
  298. #ifdef _DEBUG
  299. ZeroMemory(pNewOfficerSD, SECURITY_DESCRIPTOR_MIN_LENGTH);
  300. #endif
  302. if (!InitializeSecurityDescriptor(pNewOfficerSD, SECURITY_DESCRIPTOR_REVISION))
  303. {
  304. hr = myHLastError();
  305. _JumpError(hr, error, "InitializeSecurityDescriptor");
  306. }
  308. if(!SetSecurityDescriptorOwner(
  309. pNewOfficerSD,
  310. pSidBuiltinAdministrators,
  311. FALSE))
  312. {
  313. hr = myHLastError();
  314. _JumpError(hr, error, "SetSecurityDescriptorControl");
  315. }
  317. if(!SetSecurityDescriptorDacl(
  318. pNewOfficerSD,
  319. TRUE, // DACL present
  320. pNewOfficerAcl,
  321. FALSE)) // DACL defaulted
  322. {
  323. hr = myHLastError();
  324. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  325. }
  327. CSASSERT(IsValidSecurityDescriptor(pNewOfficerSD));
  329. hr = Set(pNewOfficerSD);
  330. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Set");
  332. error:
  333. if(pNewAce)
  334. {
  335. LocalFree(pNewAce);
  336. }
  338. if(pSidEveryone)
  339. {
  340. FreeSid(pSidEveryone);
  341. }
  343. if(pSidBuiltinAdministrators)
  344. {
  345. FreeSid(pSidBuiltinAdministrators);
  346. }
  348. if(pNewOfficerAcl)
  349. {
  350. LocalFree(pNewOfficerAcl);
  351. }
  353. if(pNewOfficerSD)
  354. {
  355. LocalFree(pNewOfficerSD);
  356. }
  358. return hr;
  359. }
  361. HRESULT
  362. COfficerRightsSD::Adjust(PSECURITY_DESCRIPTOR pCASD)
  363. {
  364. return Merge(Get(), pCASD);
  365. }
  367. HRESULT
  368. COfficerRightsSD::InitializeEmpty()
  369. {
  370. HRESULT hr = S_OK;
  371. ACL Acl;
  372. SECURITY_DESCRIPTOR SD;
  374. hr = Init(NULL);
  375. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Init");
  377. if(!InitializeAcl(&Acl, sizeof(ACL), ACL_REVISION))
  378. {
  379. hr = myHLastError();
  380. _JumpError(hr, error, "InitializeAcl");
  381. }
  383. if (!InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION))
  384. {
  385. hr = myHLastError();
  386. _JumpError(hr, error, "InitializeSecurityDescriptor");
  387. }
  389. if(!SetSecurityDescriptorDacl(
  390. &SD,
  391. TRUE, // DACL present
  392. &Acl,
  393. FALSE)) // DACL defaulted
  394. {
  395. hr = myHLastError();
  396. _JumpError(hr, error, "SetSecurityDescriptorControl");
  397. }
  399. m_fInitialized = true;
  401. hr = Set(&SD);
  402. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Set");
  404. error:
  405. return hr;
  406. }
  408. HRESULT COfficerRightsSD::Save()
  409. {
  410. HRESULT hr = S_OK;
  412. if(IsEnabled())
  413. {
  414. hr = CProtectedSecurityDescriptor::Save();
  415. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Save");
  416. }
  417. else
  418. {
  419. hr = CProtectedSecurityDescriptor::Delete();
  420. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Delete");
  421. }
  423. error:
  424. return hr;
  425. }
  427. HRESULT COfficerRightsSD::Load()
  428. {
  429. HRESULT hr;
  431. hr = CProtectedSecurityDescriptor::Load();
  432. if(S_OK==hr || HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)==hr)
  433. {
  434. SetEnable(S_OK==hr);
  435. hr = S_OK;
  436. }
  437. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Save");
  439. error:
  440. return hr;
  441. }
  443. HRESULT COfficerRightsSD::Initialize(LPCWSTR pwszSanitizedName)
  444. {
  445. HRESULT hr;
  447. hr = CProtectedSecurityDescriptor::Initialize(pwszSanitizedName);
  448. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Save");
  450. SetEnable(NULL!=m_pSD);
  452. error:
  453. return hr;
  454. }
  456. HRESULT COfficerRightsSD::ConvertToString(
  457. IN PSECURITY_DESCRIPTOR pSD,
  458. OUT LPWSTR& rpwszSD)
  459. {
  460. HRESULT hr = S_OK;
  461. LPCWSTR pcwszHeader = L"\n"; // start with a new line
  462. DWORD dwBufSize = sizeof(WCHAR)*(wcslen(pcwszHeader)+1);
  463. ACL_SIZE_INFORMATION AclInfo;
  464. DWORD dwIndex;
  465. PACCESS_ALLOWED_CALLBACK_ACE pAce; // no free
  466. PACL pDacl; // no free
  467. LPWSTR pwszAce; // no free
  469. CSASSERT(IsValidSecurityDescriptor(pSD));
  471. rpwszSD = NULL;
  473. // get acl
  474. hr = myGetSecurityDescriptorDacl(
  475. pSD,
  476. &pDacl);
  477. _JumpIfError(hr, error, "myGetDaclFromInfoSecurityDescriptor");
  479. if(!GetAclInformation(pDacl,
  480. &AclInfo,
  481. sizeof(ACL_SIZE_INFORMATION),
  482. AclSizeInformation))
  483. {
  484. hr = myHLastError();
  485. _JumpError(hr, error, "GetAclInformation");
  486. }
  489. // calculate text size
  491. for(dwIndex = 0; dwIndex < AclInfo.AceCount; dwIndex++)
  492. {
  493. DWORD dwAceSize;
  494. if(!GetAce(pDacl, dwIndex, (LPVOID*)&pAce))
  495. {
  496. hr = myHLastError();
  497. _JumpError(hr, error, "GetAce");
  498. }
  500. hr = ConvertAceToString(
  501. pAce,
  502. &dwAceSize,
  503. NULL);
  504. _JumpIfError(hr, error, "ConvertAceToString");
  506. dwBufSize += dwAceSize;
  507. }
  509. rpwszSD = (LPWSTR)LocalAlloc(LMEM_FIXED, dwBufSize);
  510. _JumpIfAllocFailed(rpwszSD, error);
  512. // build the output string
  513. wcscpy(rpwszSD, pcwszHeader);
  515. pwszAce = rpwszSD + wcslen(pcwszHeader);
  517. for(dwIndex = 0; dwIndex < AclInfo.AceCount; dwIndex++)
  518. {
  519. DWORD dwAceSize;
  520. if(!GetAce(pDacl, dwIndex, (LPVOID*)&pAce))
  521. {
  522. hr = myHLastError();
  523. _JumpError(hr, error, "GetAce");
  524. }
  526. hr = ConvertAceToString(
  527. pAce,
  528. &dwAceSize,
  529. pwszAce);
  530. _JumpIfError(hr, error, "ConvertAceToString");
  532. pwszAce += dwAceSize/sizeof(WCHAR);
  533. }
  535. error:
  536. return hr;
  537. }
  539. // Returned string has the following format:
  540. //
  541. // [Allow|Deny]\t[OfficerName|SID]\n
  542. // \t[Client1Name|SID]\n
  543. // \t[Client2Name|SID]\n
  544. // ...
  545. //
  546. // Example:
  547. //
  548. // Allow OfficerGroup1
  549. // ClientGroup1
  550. // ClientGroup2
  551. //
  552. // If SID cannot be converted to friendly name it is displayed
  553. // as a string SID
  554. //
  555. HRESULT COfficerRightsSD::ConvertAceToString(
  556. IN PACCESS_ALLOWED_CALLBACK_ACE pAce,
  557. OUT OPTIONAL PDWORD pdwSize,
  558. IN OUT OPTIONAL LPWSTR pwszSD)
  559. {
  560. HRESULT hr = S_OK;
  561. DWORD dwSize = 1; // trailing '\0'
  562. CSid sid((PSID)(&pAce->SidStart));
  563. PSID_LIST pSidList = (PSID_LIST) (((BYTE*)&pAce->SidStart)+
  564. GetLengthSid(&pAce->SidStart));
  565. PSID pSid;
  566. DWORD cSids;
  568. LPCWSTR pcwszAllow = m_pcwszResources[0];
  569. LPCWSTR pcwszDeny = m_pcwszResources[1];
  571. LPCWSTR pcwszPermissionType =
  572. (ACCESS_ALLOWED_CALLBACK_ACE_TYPE==pAce->Header.AceType)?
  573. pcwszAllow:pcwszDeny;
  574. LPCWSTR pcwszSid; // no free
  576. // asked for size and/or ace string
  577. CSASSERT(pdwSize || pwszSD);
  579. if(pAce->Header.AceType != ACCESS_ALLOWED_CALLBACK_ACE_TYPE &&
  580. pAce->Header.AceType != ACCESS_DENIED_CALLBACK_ACE_TYPE)
  581. {
  582. return E_INVALIDARG;
  583. }
  585. pcwszSid = sid.GetName();
  586. if(!pcwszSid)
  587. {
  588. return E_OUTOFMEMORY;
  589. }
  591. dwSize = wcslen(pcwszSid);
  593. dwSize += wcslen(pcwszPermissionType);
  595. dwSize += 2; // '\t' between sid an permission and a '\n' after
  597. if(pwszSD)
  598. {
  599. wcscat(pwszSD, pcwszPermissionType);
  600. wcscat(pwszSD, L"\t");
  601. wcscat(pwszSD, pcwszSid);
  602. wcscat(pwszSD, L"\n");
  603. }
  605. for(pSid=(PSID)&pSidList->SidListStart, cSids=0; cSids<pSidList->dwSidCount;
  606. cSids++, pSid = (PSID)(((BYTE*)pSid)+GetLengthSid(pSid)))
  607. {
  608. CSASSERT(IsValidSid(pSid));
  610. CSid sidClient(pSid);
  611. LPCWSTR pcwszSidClient;
  613. pcwszSidClient = sidClient.GetName();
  614. if(!pcwszSidClient)
  615. {
  616. return E_OUTOFMEMORY;
  617. }
  619. dwSize += wcslen(pcwszSidClient) + 2; // \tClientNameOrSid\n
  621. if(pwszSD)
  622. {
  623. wcscat(pwszSD, L"\t");
  624. wcscat(pwszSD, pcwszSidClient);
  625. wcscat(pwszSD, L"\n");
  626. }
  627. }
  629. dwSize *= sizeof(WCHAR);
  631. if(pdwSize)
  632. {
  633. *pdwSize = dwSize;
  634. }
  636. return hr;
  637. }
  639. HRESULT
  640. CertSrv::GetWellKnownSID(
  641. PSID *ppSid,
  642. SID_IDENTIFIER_AUTHORITY *pAuth,
  643. BYTE SubauthorityCount,
  644. DWORD SubAuthority1,
  645. DWORD SubAuthority2,
  646. DWORD SubAuthority3,
  647. DWORD SubAuthority4,
  648. DWORD SubAuthority5,
  649. DWORD SubAuthority6,
  650. DWORD SubAuthority7,
  651. DWORD SubAuthority8)
  652. {
  653. HRESULT hr = S_OK;
  655. // build Everyone SID
  656. if(!AllocateAndInitializeSid(
  657. pAuth,
  658. SubauthorityCount,
  659. SubAuthority1,
  660. SubAuthority2,
  661. SubAuthority3,
  662. SubAuthority4,
  663. SubAuthority5,
  664. SubAuthority6,
  665. SubAuthority7,
  666. SubAuthority8,
  667. ppSid))
  668. {
  669. hr = myHLastError();
  670. _JumpError(hr, error, "AllocateAndInitializeSid");
  671. }
  673. error:
  674. return hr;
  675. }
  677. // caller is responsible for LocalFree'ing PSID
  678. HRESULT CertSrv::GetEveryoneSID(PSID *ppSid)
  679. {
  680. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_WORLD_SID_AUTHORITY;
  681. return GetWellKnownSID(
  682. ppSid,
  683. &SIDAuth,
  684. 1,
  685. SECURITY_WORLD_RID);
  686. return S_OK;
  687. }
  688. // caller is responsible for LocalFree'ing PSID
  689. HRESULT CertSrv::GetLocalSystemSID(PSID *ppSid)
  690. {
  691. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
  692. return GetWellKnownSID(
  693. ppSid,
  694. &SIDAuth,
  695. 1,
  696. SECURITY_LOCAL_SYSTEM_RID);
  697. }
  699. // caller is responsible for LocalFree'ing PSID
  700. HRESULT CertSrv::GetBuiltinAdministratorsSID(PSID *ppSid)
  701. {
  702. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
  703. return GetWellKnownSID(
  704. ppSid,
  705. &SIDAuth,
  706. 2,
  707. SECURITY_BUILTIN_DOMAIN_RID,
  708. DOMAIN_ALIAS_RID_ADMINS);
  709. }