mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1091 lines
29 KiB
1091 lines
29 KiB
//+---------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Widows
|
|
// Copyright (C) Microsoft Corporation, 1992 - 1997.
|
|
//
|
|
// File: defcreds.c
|
|
//
|
|
// Contents: Routines for acquiring default credentials.
|
|
//
|
|
// Classes:
|
|
//
|
|
// Functions:
|
|
//
|
|
// History: 12-05-97 jbanes Created.
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
#include <spbase.h>
|
|
#include <softpub.h>
|
|
|
|
void
|
|
GetImplementationType(
|
|
PCCERT_CONTEXT pCertContext,
|
|
PDWORD pdwImpType);
|
|
|
|
|
|
NTSTATUS
|
|
AssignNewClientCredential(
|
|
PSPContext pContext,
|
|
PCCERT_CONTEXT pCertContext,
|
|
BOOL fPromptNow)
|
|
{
|
|
PSPCredential pCred = NULL;
|
|
NTSTATUS Status;
|
|
BOOL fEventLogged;
|
|
LSA_SCHANNEL_SUB_CRED SubCred;
|
|
|
|
//
|
|
// Does this certificate have an acceptable public key type?
|
|
//
|
|
|
|
{
|
|
BOOL fFound;
|
|
DWORD dwKeyType;
|
|
DWORD i;
|
|
|
|
fFound = FALSE;
|
|
dwKeyType = MapOidToCertType(pCertContext->pCertInfo->SubjectPublicKeyInfo.Algorithm.pszObjId);
|
|
|
|
for(i = 0; i < pContext->cSsl3ClientCertTypes; i++)
|
|
{
|
|
if(pContext->Ssl3ClientCertTypes[i] == dwKeyType)
|
|
{
|
|
fFound = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if(!fFound)
|
|
{
|
|
// Don't use this certificate.
|
|
Status = SP_LOG_RESULT(PCT_INT_UNKNOWN_CREDENTIAL);
|
|
goto cleanup;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Build a credential structure for the certificate.
|
|
//
|
|
|
|
pCred = SPExternalAlloc(sizeof(SPCredential));
|
|
if(pCred == NULL)
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
|
|
goto cleanup;
|
|
}
|
|
|
|
memset(&SubCred, 0, sizeof(SubCred));
|
|
|
|
SubCred.pCert = pCertContext;
|
|
|
|
Status = SPCreateCred(pContext->dwProtocol,
|
|
&SubCred,
|
|
pCred,
|
|
&fEventLogged);
|
|
if(Status != PCT_ERR_OK)
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Release the existing credential, if one exists.
|
|
//
|
|
|
|
if(pContext->RipeZombie->pClientCred)
|
|
{
|
|
SPDeleteCred(pContext->RipeZombie->pClientCred);
|
|
pContext->RipeZombie->pClientCred = NULL;
|
|
}
|
|
|
|
|
|
//
|
|
// Assign the credential to the cache element.
|
|
//
|
|
|
|
pContext->RipeZombie->pClientCred = pCred;
|
|
pContext->pActiveClientCred = pCred;
|
|
|
|
if(fPromptNow == FALSE)
|
|
{
|
|
pContext->RipeZombie->dwFlags |= SP_CACHE_FLAG_USE_VALIDATED;
|
|
}
|
|
|
|
Status = PCT_ERR_OK;
|
|
|
|
|
|
cleanup:
|
|
|
|
if(pCred && Status != PCT_ERR_OK)
|
|
{
|
|
SPDeleteCred(pCred);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
NTSTATUS
|
|
QueryCredentialManagerForCert(
|
|
PSPContext pContext,
|
|
LPWSTR pszTarget)
|
|
{
|
|
PCCERT_CONTEXT pCertContext = NULL;
|
|
LUID LogonId;
|
|
PENCRYPTED_CREDENTIALW pCredential = NULL;
|
|
BOOL fImpersonating = FALSE;
|
|
CRYPT_HASH_BLOB HashBlob;
|
|
NTSTATUS Status;
|
|
HCERTSTORE hStore = 0;
|
|
PCERT_CREDENTIAL_INFO pCertInfo = NULL;
|
|
CRED_MARSHAL_TYPE CredType;
|
|
|
|
//
|
|
// Obtain client logon id.
|
|
//
|
|
|
|
Status = SslGetClientLogonId(&LogonId);
|
|
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
SP_LOG_RESULT(Status);
|
|
goto cleanup;
|
|
}
|
|
|
|
fImpersonating = SslImpersonateClient();
|
|
|
|
|
|
//
|
|
// Query the credential manager for a certificate.
|
|
//
|
|
|
|
Status = LsaTable->CrediRead(&LogonId,
|
|
CREDP_FLAGS_IN_PROCESS,
|
|
pszTarget,
|
|
CRED_TYPE_DOMAIN_CERTIFICATE,
|
|
0,
|
|
&pCredential);
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
if(Status == STATUS_NOT_FOUND)
|
|
{
|
|
DebugLog((DEB_WARN, "No certificate found in credential manager.\n"));
|
|
}
|
|
else
|
|
{
|
|
SP_LOG_RESULT(Status);
|
|
}
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Extract the certificate thumbprint and (optional) PIN.
|
|
//
|
|
|
|
if(!CredIsMarshaledCredentialW(pCredential->Cred.UserName))
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_UNKNOWN_CREDENTIALS);
|
|
goto cleanup;
|
|
}
|
|
|
|
if(!CredUnmarshalCredentialW(pCredential->Cred.UserName,
|
|
&CredType,
|
|
&pCertInfo))
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_UNKNOWN_CREDENTIALS);
|
|
goto cleanup;
|
|
}
|
|
if(CredType != CertCredential)
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_UNKNOWN_CREDENTIALS);
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Look up the certificate in the MY certificate store.
|
|
//
|
|
|
|
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
|
X509_ASN_ENCODING, 0,
|
|
CERT_SYSTEM_STORE_CURRENT_USER |
|
|
CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG,
|
|
L"MY");
|
|
if(!hStore)
|
|
{
|
|
SP_LOG_RESULT(GetLastError());
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
HashBlob.cbData = sizeof(pCertInfo->rgbHashOfCert);
|
|
HashBlob.pbData = pCertInfo->rgbHashOfCert;
|
|
|
|
pCertContext = CertFindCertificateInStore(hStore,
|
|
X509_ASN_ENCODING,
|
|
0,
|
|
CERT_FIND_HASH,
|
|
&HashBlob,
|
|
NULL);
|
|
if(pCertContext == NULL)
|
|
{
|
|
DebugLog((DEB_ERROR, "Certificate designated by credential manager was not found in certificate store (0x%x).\n", GetLastError()));
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Attempt to add this certificate context to the current credential.
|
|
//
|
|
|
|
Status = AssignNewClientCredential(pContext,
|
|
pCertContext,
|
|
pCredential->Cred.Flags & CRED_FLAGS_PROMPT_NOW);
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
SP_LOG_RESULT(Status);
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
cleanup:
|
|
|
|
if(pCertContext)
|
|
{
|
|
CertFreeCertificateContext(pCertContext);
|
|
}
|
|
|
|
if(hStore)
|
|
{
|
|
CertCloseStore(hStore, 0);
|
|
}
|
|
|
|
if(pCredential)
|
|
{
|
|
LsaTable->FreeLsaHeap(pCredential);
|
|
}
|
|
|
|
if(pCertInfo)
|
|
{
|
|
CredFree(pCertInfo);
|
|
}
|
|
|
|
if(fImpersonating)
|
|
{
|
|
RevertToSelf();
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
DWORD
|
|
IsThreadLocalSystem(
|
|
BOOL *pfIsLocalSystem)
|
|
{
|
|
DWORD Status;
|
|
HANDLE hToken = 0;
|
|
UCHAR InfoBuffer[1024];
|
|
DWORD dwInfoBufferSize = sizeof(InfoBuffer);
|
|
PTOKEN_USER SlowBuffer = NULL;
|
|
PTOKEN_USER pTokenUser = (PTOKEN_USER)InfoBuffer;
|
|
PSID psidLocalSystem = NULL;
|
|
PSID psidNetworkService = NULL;
|
|
SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
|
|
|
|
*pfIsLocalSystem = FALSE;
|
|
|
|
//
|
|
// Get SID of calling thread.
|
|
//
|
|
|
|
if(!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken))
|
|
{
|
|
Status = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
if(!GetTokenInformation(hToken, TokenUser, pTokenUser,
|
|
dwInfoBufferSize, &dwInfoBufferSize))
|
|
{
|
|
//
|
|
// if fast buffer wasn't big enough, allocate enough storage
|
|
// and try again.
|
|
//
|
|
|
|
Status = GetLastError();
|
|
if(Status != ERROR_INSUFFICIENT_BUFFER)
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
SlowBuffer = (PTOKEN_USER)LocalAlloc(LPTR, dwInfoBufferSize);
|
|
if(NULL == SlowBuffer)
|
|
{
|
|
Status = ERROR_NOT_ENOUGH_MEMORY;
|
|
goto cleanup;
|
|
}
|
|
|
|
pTokenUser = SlowBuffer;
|
|
if(!GetTokenInformation(hToken, TokenUser, pTokenUser,
|
|
dwInfoBufferSize, &dwInfoBufferSize))
|
|
{
|
|
Status = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Check for local system.
|
|
//
|
|
|
|
if(!AllocateAndInitializeSid(&siaNtAuthority,
|
|
1,
|
|
SECURITY_LOCAL_SYSTEM_RID,
|
|
0, 0, 0, 0, 0, 0, 0,
|
|
&psidLocalSystem))
|
|
{
|
|
Status = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
if (EqualSid(psidLocalSystem, pTokenUser->User.Sid))
|
|
{
|
|
DebugLog((DEB_TRACE, "Client is using the LOCAL SYSTEM account.\n"));
|
|
*pfIsLocalSystem = TRUE;
|
|
Status = ERROR_SUCCESS;
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Check for network service.
|
|
//
|
|
|
|
if(!AllocateAndInitializeSid(&siaNtAuthority,
|
|
1,
|
|
SECURITY_NETWORK_SERVICE_RID,
|
|
0, 0, 0, 0, 0, 0, 0,
|
|
&psidNetworkService))
|
|
{
|
|
Status = GetLastError();
|
|
goto cleanup;
|
|
}
|
|
|
|
if (EqualSid(psidNetworkService, pTokenUser->User.Sid))
|
|
{
|
|
DebugLog((DEB_TRACE, "Client is using the NETWORK SERVICE account.\n"));
|
|
*pfIsLocalSystem = TRUE;
|
|
Status = ERROR_SUCCESS;
|
|
goto cleanup;
|
|
}
|
|
|
|
Status = ERROR_SUCCESS;
|
|
|
|
cleanup:
|
|
|
|
if(NULL != SlowBuffer)
|
|
{
|
|
LocalFree(SlowBuffer);
|
|
}
|
|
|
|
if(NULL != psidLocalSystem)
|
|
{
|
|
FreeSid(psidLocalSystem);
|
|
}
|
|
if(NULL != psidNetworkService)
|
|
{
|
|
FreeSid(psidNetworkService);
|
|
}
|
|
|
|
if(NULL != hToken)
|
|
{
|
|
CloseHandle(hToken);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
FindClientCertificate(
|
|
PSPContext pContext,
|
|
HCERTSTORE hMyStore,
|
|
CERT_CHAIN_FIND_BY_ISSUER_PARA *pFindByIssuerPara,
|
|
BOOL fSkipExpiredCerts,
|
|
BOOL fSoftwareCspOnly)
|
|
{
|
|
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
|
|
HTTPSPolicyCallbackData polHttps;
|
|
CERT_CHAIN_POLICY_PARA PolicyPara;
|
|
CERT_CHAIN_POLICY_STATUS PolicyStatus;
|
|
PCCERT_CONTEXT pCertContext;
|
|
NTSTATUS Status;
|
|
ULONG j;
|
|
|
|
pChainContext = NULL;
|
|
|
|
while(TRUE)
|
|
{
|
|
// Find a certificate chain.
|
|
pChainContext = CertFindChainInStore(hMyStore,
|
|
X509_ASN_ENCODING,
|
|
0,
|
|
CERT_CHAIN_FIND_BY_ISSUER,
|
|
pFindByIssuerPara,
|
|
pChainContext);
|
|
if(pChainContext == NULL)
|
|
{
|
|
break;
|
|
}
|
|
|
|
// Make sure that every certificate in the chain either has the
|
|
// client auth EKU or it has no EKUs at all.
|
|
{
|
|
PCERT_SIMPLE_CHAIN pSimpleChain;
|
|
PCCERT_CONTEXT pCurrentCert;
|
|
BOOL fIsAllowed = FALSE;
|
|
|
|
pSimpleChain = pChainContext->rgpChain[0];
|
|
|
|
for(j = 0; j < pSimpleChain->cElement; j++)
|
|
{
|
|
pCurrentCert = pSimpleChain->rgpElement[j]->pCertContext;
|
|
|
|
Status = SPCheckKeyUsage(pCurrentCert,
|
|
szOID_PKIX_KP_CLIENT_AUTH,
|
|
TRUE,
|
|
&fIsAllowed);
|
|
if(Status != SEC_E_OK || !fIsAllowed)
|
|
{
|
|
fIsAllowed = FALSE;
|
|
break;
|
|
}
|
|
}
|
|
if(!fIsAllowed)
|
|
{
|
|
// skip this certificate chain.
|
|
continue;
|
|
}
|
|
}
|
|
|
|
|
|
// Set up validate chain structures.
|
|
ZeroMemory(&polHttps, sizeof(HTTPSPolicyCallbackData));
|
|
polHttps.cbStruct = sizeof(HTTPSPolicyCallbackData);
|
|
polHttps.dwAuthType = AUTHTYPE_CLIENT;
|
|
polHttps.fdwChecks = 0;
|
|
polHttps.pwszServerName = NULL;
|
|
|
|
ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
|
|
PolicyStatus.cbSize = sizeof(PolicyStatus);
|
|
|
|
ZeroMemory(&PolicyPara, sizeof(PolicyPara));
|
|
PolicyPara.cbSize = sizeof(PolicyPara);
|
|
PolicyPara.pvExtraPolicyPara= &polHttps;
|
|
|
|
PolicyPara.dwFlags = CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG |
|
|
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
|
|
if(!fSkipExpiredCerts)
|
|
{
|
|
PolicyPara.dwFlags |= CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS;
|
|
}
|
|
|
|
// Validate chain
|
|
if(!CertVerifyCertificateChainPolicy(
|
|
CERT_CHAIN_POLICY_SSL,
|
|
pChainContext,
|
|
&PolicyPara,
|
|
&PolicyStatus))
|
|
{
|
|
DebugLog((DEB_WARN,"Error 0x%x returned by CertVerifyCertificateChainPolicy!\n", GetLastError()));
|
|
continue;
|
|
}
|
|
Status = MapWinTrustError(PolicyStatus.dwError, 0, 0);
|
|
if(Status)
|
|
{
|
|
// Certificate did not validate, move on to the next one.
|
|
DebugLog((DEB_WARN, "Client certificate failed validation with 0x%x\n", Status));
|
|
continue;
|
|
}
|
|
|
|
// Get pointer to leaf certificate context.
|
|
if(pChainContext->cChain == 0 || pChainContext->rgpChain[0] == NULL)
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_INTERNAL_ERROR);
|
|
goto cleanup;
|
|
}
|
|
if(pChainContext->rgpChain[0]->cElement == 0 ||
|
|
pChainContext->rgpChain[0]->rgpElement == NULL)
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_INTERNAL_ERROR);
|
|
goto cleanup;
|
|
}
|
|
pCertContext = pChainContext->rgpChain[0]->rgpElement[0]->pCertContext;
|
|
|
|
|
|
//
|
|
// Is the private key stored in a software CSP?
|
|
//
|
|
|
|
if(fSoftwareCspOnly)
|
|
{
|
|
DWORD dwImpType;
|
|
|
|
GetImplementationType(pCertContext, &dwImpType);
|
|
|
|
if(dwImpType != CRYPT_IMPL_SOFTWARE)
|
|
{
|
|
// Skip this certificate
|
|
continue;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Assign the certificate to the current context.
|
|
//
|
|
|
|
Status = AssignNewClientCredential(pContext,
|
|
pCertContext,
|
|
FALSE);
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
// Success! Our work here is done.
|
|
goto cleanup;
|
|
}
|
|
}
|
|
|
|
// No suitable client credential was found.
|
|
Status = SP_LOG_RESULT(SEC_E_INCOMPLETE_CREDENTIALS);
|
|
|
|
cleanup:
|
|
|
|
if(pChainContext)
|
|
{
|
|
CertFreeCertificateChain(pChainContext);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
AcquireDefaultClientCredential(
|
|
PSPContext pContext,
|
|
BOOL fCredManagerOnly)
|
|
{
|
|
CERT_CHAIN_FIND_BY_ISSUER_PARA FindByIssuerPara;
|
|
CERT_NAME_BLOB * prgIssuers = NULL;
|
|
DWORD cIssuers = 0;
|
|
HCERTSTORE hStore = 0;
|
|
NTSTATUS Status;
|
|
BOOL fImpersonating = FALSE;
|
|
BOOL fLocalSystem = FALSE;
|
|
ULONG i;
|
|
|
|
DebugLog((DEB_TRACE,"AcquireDefaultClientCredential\n"));
|
|
|
|
//
|
|
// Is the application running under local system?
|
|
//
|
|
|
|
fImpersonating = SslImpersonateClient();
|
|
|
|
if(fImpersonating)
|
|
{
|
|
Status = IsThreadLocalSystem(&fLocalSystem);
|
|
if(Status)
|
|
{
|
|
DebugLog((DEB_WARN, "IsThreadLocalSystem returned error 0x%x.\n", Status));
|
|
}
|
|
|
|
RevertToSelf();
|
|
fImpersonating = FALSE;
|
|
}
|
|
|
|
|
|
//
|
|
// Ask the credential manager to select a certificate for us.
|
|
//
|
|
|
|
Status = QueryCredentialManagerForCert(
|
|
pContext,
|
|
pContext->pszTarget);
|
|
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_TRACE, "Credential manager found a certificate for us.\n"));
|
|
goto cleanup;
|
|
}
|
|
|
|
if(fCredManagerOnly)
|
|
{
|
|
// No suitable client credential was found.
|
|
Status = SP_LOG_RESULT(SEC_I_INCOMPLETE_CREDENTIALS);
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Get list of trusted issuers as a list of CERT_NAME_BLOBs.
|
|
//
|
|
|
|
if(pContext->pbIssuerList && pContext->cbIssuerList > 2)
|
|
{
|
|
PBYTE pbIssuerList = pContext->pbIssuerList + 2;
|
|
DWORD cbIssuerList = pContext->cbIssuerList - 2;
|
|
PBYTE pbIssuer;
|
|
|
|
// Count issuers.
|
|
cIssuers = 0;
|
|
pbIssuer = pbIssuerList;
|
|
while(pbIssuer + 1 < pbIssuerList + cbIssuerList)
|
|
{
|
|
pbIssuer += 2 + COMBINEBYTES(pbIssuer[0], pbIssuer[1]);
|
|
cIssuers++;
|
|
}
|
|
|
|
// Allocate memory for list of blobs.
|
|
prgIssuers = SPExternalAlloc(cIssuers * sizeof(CERT_NAME_BLOB));
|
|
if(prgIssuers == NULL)
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
|
|
goto cleanup;
|
|
}
|
|
|
|
// Build the issuer blob list.
|
|
pbIssuer = pbIssuerList;
|
|
for(i = 0; i < cIssuers; i++)
|
|
{
|
|
prgIssuers[i].pbData = pbIssuer + 2;
|
|
prgIssuers[i].cbData = COMBINEBYTES(pbIssuer[0], pbIssuer[1]);
|
|
|
|
pbIssuer += 2 + prgIssuers[i].cbData;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Enumerate the certificates in the MY store, looking for a suitable
|
|
// client certificate.
|
|
//
|
|
|
|
fImpersonating = SslImpersonateClient();
|
|
|
|
if(fLocalSystem)
|
|
{
|
|
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
|
X509_ASN_ENCODING, 0,
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE |
|
|
CERT_STORE_READONLY_FLAG |
|
|
CERT_STORE_OPEN_EXISTING_FLAG,
|
|
L"MY");
|
|
}
|
|
else
|
|
{
|
|
hStore = CertOpenSystemStore(0, "MY");
|
|
}
|
|
|
|
if(!hStore)
|
|
{
|
|
SP_LOG_RESULT(GetLastError());
|
|
Status = SEC_E_INTERNAL_ERROR;
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
ZeroMemory(&FindByIssuerPara, sizeof(FindByIssuerPara));
|
|
FindByIssuerPara.cbSize = sizeof(FindByIssuerPara);
|
|
FindByIssuerPara.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
|
|
FindByIssuerPara.dwKeySpec = 0;
|
|
FindByIssuerPara.cIssuer = cIssuers;
|
|
FindByIssuerPara.rgIssuer = prgIssuers;
|
|
|
|
|
|
//
|
|
// Attempt to find a suitable certificate.
|
|
//
|
|
|
|
Status = FindClientCertificate(pContext,
|
|
hStore,
|
|
&FindByIssuerPara,
|
|
TRUE, // skip expired certs
|
|
TRUE); // software CSPs only
|
|
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
// Success! Our work here is done.
|
|
goto cleanup;
|
|
}
|
|
|
|
Status = FindClientCertificate(pContext,
|
|
hStore,
|
|
&FindByIssuerPara,
|
|
TRUE, // skip expired certs
|
|
FALSE); // software CSPs only
|
|
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
// Success! Our work here is done.
|
|
goto cleanup;
|
|
}
|
|
|
|
Status = FindClientCertificate(pContext,
|
|
hStore,
|
|
&FindByIssuerPara,
|
|
FALSE, // skip expired certs
|
|
TRUE); // software CSPs only
|
|
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
// Success! Our work here is done.
|
|
goto cleanup;
|
|
}
|
|
|
|
Status = FindClientCertificate(pContext,
|
|
hStore,
|
|
&FindByIssuerPara,
|
|
FALSE, // skip expired certs
|
|
FALSE); // software CSPs only
|
|
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
// Success! Our work here is done.
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
// No suitable client credential was found.
|
|
Status = SP_LOG_RESULT(SEC_I_INCOMPLETE_CREDENTIALS);
|
|
|
|
|
|
cleanup:
|
|
|
|
|
|
if(hStore)
|
|
{
|
|
CertCloseStore(hStore, 0);
|
|
}
|
|
|
|
if(fImpersonating)
|
|
{
|
|
RevertToSelf();
|
|
}
|
|
|
|
if(prgIssuers)
|
|
{
|
|
SPExternalFree(prgIssuers);
|
|
}
|
|
|
|
DebugLog((DEB_TRACE,"AcquireDefaultClientCredential returned 0x%x\n", Status));
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
FindDefaultMachineCred(
|
|
PSPCredentialGroup *ppCred,
|
|
DWORD dwProtocol)
|
|
{
|
|
HTTPSPolicyCallbackData polHttps;
|
|
CERT_CHAIN_POLICY_PARA PolicyPara;
|
|
CERT_CHAIN_POLICY_STATUS PolicyStatus;
|
|
CERT_CHAIN_PARA ChainPara;
|
|
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
|
|
PCCERT_CONTEXT pCertContext = NULL;
|
|
LSA_SCHANNEL_CRED SchannelCred;
|
|
LSA_SCHANNEL_SUB_CRED SubCred;
|
|
HCERTSTORE hStore = 0;
|
|
|
|
#define SERVER_USAGE_COUNT 3
|
|
LPSTR rgszUsages[SERVER_USAGE_COUNT] = {
|
|
szOID_PKIX_KP_SERVER_AUTH,
|
|
szOID_SERVER_GATED_CRYPTO,
|
|
szOID_SGC_NETSCAPE };
|
|
|
|
LPWSTR pwszMachineName = NULL;
|
|
DWORD cchMachineName;
|
|
DWORD Status;
|
|
DWORD i;
|
|
|
|
// Get the machine name
|
|
cchMachineName = 0;
|
|
if(!GetComputerNameExW(ComputerNameDnsFullyQualified, NULL, &cchMachineName))
|
|
{
|
|
if(GetLastError() != ERROR_MORE_DATA)
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to get computer name size: 0x%x\n",GetLastError()));
|
|
Status = SP_LOG_RESULT(SEC_E_WRONG_PRINCIPAL);
|
|
goto cleanup;
|
|
}
|
|
}
|
|
pwszMachineName = SPExternalAlloc(cchMachineName * sizeof(WCHAR));
|
|
if(pwszMachineName == NULL)
|
|
{
|
|
Status = SP_LOG_RESULT(SEC_E_INSUFFICIENT_MEMORY);
|
|
goto cleanup;
|
|
}
|
|
if(!GetComputerNameExW(ComputerNameDnsFullyQualified, pwszMachineName, &cchMachineName))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to get computer name: 0x%x\n",GetLastError()));
|
|
Status = SP_LOG_RESULT(SEC_E_WRONG_PRINCIPAL);
|
|
goto cleanup;
|
|
}
|
|
|
|
// Remove the trailing "." if any. This can happen in the stand-alone
|
|
// server case.
|
|
cchMachineName = lstrlenW(pwszMachineName);
|
|
if(cchMachineName > 0 && pwszMachineName[cchMachineName - 1] == L'.')
|
|
{
|
|
pwszMachineName[cchMachineName - 1] = L'\0';
|
|
}
|
|
|
|
|
|
DebugLog((DEB_TRACE,"Computer name: %ls\n",pwszMachineName));
|
|
|
|
|
|
// Open the system MY store.
|
|
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
|
X509_ASN_ENCODING, 0,
|
|
CERT_SYSTEM_STORE_LOCAL_MACHINE |
|
|
CERT_STORE_READONLY_FLAG |
|
|
CERT_STORE_OPEN_EXISTING_FLAG,
|
|
L"MY");
|
|
if(hStore == NULL)
|
|
{
|
|
SP_LOG_RESULT(GetLastError());
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Enumerate the certificates in the MY store, looking for a suitable
|
|
// server certificate. Do this twice, the first time looking for the
|
|
// perfect certificate, and if this fails then look again, this time
|
|
// being a little less picky.
|
|
//
|
|
|
|
for(i = 0; i < 2; i++)
|
|
{
|
|
pCertContext = NULL;
|
|
|
|
while(TRUE)
|
|
{
|
|
// Get leaf certificate in the MY store.
|
|
pCertContext = CertEnumCertificatesInStore(hStore, pCertContext);
|
|
if(pCertContext == NULL)
|
|
{
|
|
// No more certificates.
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Build a certificate chain from the leaf certificate.
|
|
//
|
|
|
|
ZeroMemory(&ChainPara, sizeof(ChainPara));
|
|
ChainPara.cbSize = sizeof(ChainPara);
|
|
ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
|
|
ChainPara.RequestedUsage.Usage.cUsageIdentifier = SERVER_USAGE_COUNT;
|
|
ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = rgszUsages;
|
|
|
|
if(!CertGetCertificateChain(
|
|
NULL,
|
|
pCertContext,
|
|
NULL,
|
|
0,
|
|
&ChainPara,
|
|
CERT_CHAIN_REVOCATION_CHECK_END_CERT,
|
|
NULL,
|
|
&pChainContext))
|
|
{
|
|
DebugLog((DEB_WARN, "Error 0x%x returned by CertGetCertificateChain!\n", GetLastError()));
|
|
continue;
|
|
}
|
|
|
|
// Set up validate chain structures.
|
|
ZeroMemory(&polHttps, sizeof(HTTPSPolicyCallbackData));
|
|
polHttps.cbStruct = sizeof(HTTPSPolicyCallbackData);
|
|
polHttps.dwAuthType = AUTHTYPE_SERVER;
|
|
polHttps.fdwChecks = 0;
|
|
polHttps.pwszServerName = pwszMachineName;
|
|
|
|
ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
|
|
PolicyStatus.cbSize = sizeof(PolicyStatus);
|
|
|
|
ZeroMemory(&PolicyPara, sizeof(PolicyPara));
|
|
PolicyPara.cbSize = sizeof(PolicyPara);
|
|
PolicyPara.pvExtraPolicyPara= &polHttps;
|
|
if(i == 0)
|
|
{
|
|
// Look for the perfect certificate.
|
|
PolicyPara.dwFlags = 0;
|
|
}
|
|
else
|
|
{
|
|
// Ignore expiration.
|
|
PolicyPara.dwFlags = CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS;
|
|
}
|
|
|
|
// Validate chain
|
|
if(!CertVerifyCertificateChainPolicy(
|
|
CERT_CHAIN_POLICY_SSL,
|
|
pChainContext,
|
|
&PolicyPara,
|
|
&PolicyStatus))
|
|
{
|
|
SP_LOG_RESULT(GetLastError());
|
|
CertFreeCertificateChain(pChainContext);
|
|
continue;
|
|
}
|
|
Status = MapWinTrustError(PolicyStatus.dwError,
|
|
0,
|
|
CRED_FLAG_IGNORE_NO_REVOCATION_CHECK | CRED_FLAG_IGNORE_REVOCATION_OFFLINE);
|
|
if(Status)
|
|
{
|
|
// Certificate did not validate, move on to the next one.
|
|
DebugLog((DEB_WARN, "Machine certificate failed validation with 0x%x\n", Status));
|
|
CertFreeCertificateChain(pChainContext);
|
|
continue;
|
|
}
|
|
|
|
CertFreeCertificateChain(pChainContext);
|
|
|
|
|
|
// Build an schannel credential.
|
|
ZeroMemory(&SchannelCred, sizeof(SchannelCred));
|
|
|
|
SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
|
|
SchannelCred.cSubCreds = 1;
|
|
SchannelCred.paSubCred = &SubCred;
|
|
|
|
ZeroMemory(&SubCred, sizeof(SubCred));
|
|
|
|
SubCred.pCert = pCertContext;
|
|
|
|
Status = SPCreateCredential(ppCred,
|
|
dwProtocol,
|
|
&SchannelCred);
|
|
if(Status != PCT_ERR_OK)
|
|
{
|
|
// Don't use this certificate.
|
|
continue;
|
|
}
|
|
|
|
// We have a winner!
|
|
DebugLog((DEB_TRACE, "Machine certificate automatically acquired\n"));
|
|
Status = PCT_ERR_OK;
|
|
goto cleanup;
|
|
}
|
|
}
|
|
|
|
// No suitable machine credential was found.
|
|
Status = SP_LOG_RESULT(SEC_E_NO_CREDENTIALS);
|
|
|
|
cleanup:
|
|
|
|
if(Status != PCT_ERR_OK)
|
|
{
|
|
LogNoDefaultServerCredEvent();
|
|
}
|
|
|
|
if(pwszMachineName)
|
|
{
|
|
SPExternalFree(pwszMachineName);
|
|
}
|
|
|
|
if(pCertContext)
|
|
{
|
|
CertFreeCertificateContext(pCertContext);
|
|
}
|
|
|
|
if(hStore)
|
|
{
|
|
CertCloseStore(hStore, 0);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
void
|
|
GetImplementationType(
|
|
PCCERT_CONTEXT pCertContext,
|
|
PDWORD pdwImpType)
|
|
{
|
|
PCRYPT_KEY_PROV_INFO pProvInfo = NULL;
|
|
HCRYPTPROV hProv = 0;
|
|
DWORD cbSize;
|
|
DWORD dwImpType;
|
|
|
|
*pdwImpType = CRYPT_IMPL_UNKNOWN;
|
|
|
|
if(!CertGetCertificateContextProperty(pCertContext,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
NULL,
|
|
&cbSize))
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
pProvInfo = SPExternalAlloc(cbSize);
|
|
if(pProvInfo == NULL)
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
if(!CertGetCertificateContextProperty(pCertContext,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
pProvInfo,
|
|
&cbSize))
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
// HACKHACK - clear the smart-card specific flag.
|
|
pProvInfo->dwFlags &= ~CERT_SET_KEY_CONTEXT_PROP_ID;
|
|
|
|
if(!CryptAcquireContextW(&hProv,
|
|
pProvInfo->pwszContainerName,
|
|
pProvInfo->pwszProvName,
|
|
pProvInfo->dwProvType,
|
|
pProvInfo->dwFlags | CRYPT_SILENT))
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
cbSize = sizeof(dwImpType);
|
|
if(!CryptGetProvParam(hProv,
|
|
PP_IMPTYPE,
|
|
(PBYTE)&dwImpType,
|
|
&cbSize,
|
|
0))
|
|
{
|
|
goto cleanup;
|
|
}
|
|
|
|
*pdwImpType = dwImpType;
|
|
|
|
cleanup:
|
|
|
|
if(pProvInfo)
|
|
{
|
|
SPExternalFree(pProvInfo);
|
|
}
|
|
|
|
if(hProv)
|
|
{
|
|
CryptReleaseContext(hProv, 0);
|
|
}
|
|
}
|
|
|
|
|