mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3119 lines
66 KiB
3119 lines
66 KiB
//+--------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
// Copyright (C) Microsoft Corporation, 1996 - 1999
|
|
//
|
|
// File: crypt.cpp
|
|
//
|
|
// Contents: Cert Server wrapper routines
|
|
//
|
|
// History: 17-Oct-96 vich created
|
|
//
|
|
//---------------------------------------------------------------------------
|
|
|
|
#include <pch.cpp>
|
|
|
|
#pragma hdrstop
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include "csdisp.h"
|
|
#include "cscsp.h"
|
|
#include "csprop.h"
|
|
#include "csber.h"
|
|
|
|
|
|
HRESULT
|
|
myGenerateKeys(
|
|
IN WCHAR const *pwszContainer,
|
|
OPTIONAL IN WCHAR const *pwszProvName,
|
|
IN BOOL fMachineKeySet,
|
|
IN DWORD dwKeySpec,
|
|
IN DWORD dwProvType,
|
|
IN DWORD dwKeySize,
|
|
OUT HCRYPTPROV *phProv)
|
|
{
|
|
HRESULT hr;
|
|
HCRYPTKEY hKey = NULL;
|
|
DWORD dwFlags = 0;
|
|
|
|
*phProv = NULL;
|
|
|
|
if (fMachineKeySet)
|
|
{
|
|
dwFlags |= CRYPT_MACHINE_KEYSET;
|
|
}
|
|
|
|
// see if the container already exists
|
|
|
|
if (CryptAcquireContext(
|
|
phProv,
|
|
pwszContainer,
|
|
pwszProvName,
|
|
dwProvType,
|
|
dwFlags))
|
|
{
|
|
if (NULL != *phProv)
|
|
{
|
|
CryptReleaseContext(*phProv, 0);
|
|
*phProv = NULL;
|
|
}
|
|
|
|
// container exists -- remove old keys and generate new ones.
|
|
|
|
if (!CryptAcquireContext(
|
|
phProv,
|
|
pwszContainer,
|
|
pwszProvName,
|
|
dwProvType,
|
|
CRYPT_DELETEKEYSET | dwFlags))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptAcquireContextEx");
|
|
}
|
|
}
|
|
|
|
// create new container
|
|
|
|
if (!CryptAcquireContext(
|
|
phProv,
|
|
pwszContainer,
|
|
pwszProvName,
|
|
dwProvType,
|
|
CRYPT_NEWKEYSET | dwFlags)) // force new container
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptAcquireContextEx");
|
|
}
|
|
|
|
// create keys
|
|
|
|
if (!CryptGenKey(*phProv, dwKeySpec, dwKeySize << 16, &hKey))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptGenKey");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != hKey)
|
|
{
|
|
CryptDestroyKey(hKey);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCryptExportPrivateKey(
|
|
IN HCRYPTKEY hKey,
|
|
OUT BYTE **ppbKey,
|
|
OUT DWORD *pcbKey)
|
|
{
|
|
HRESULT hr;
|
|
BYTE *pbKey = NULL;
|
|
|
|
*ppbKey = NULL;
|
|
|
|
// export the key set to a CAPI blob
|
|
|
|
if (!CryptExportKey(hKey, NULL, PRIVATEKEYBLOB, 0, NULL, pcbKey))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError2(hr, error, "CryptExportKey", NTE_BAD_KEY_STATE);
|
|
}
|
|
|
|
pbKey = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbKey);
|
|
if (NULL == pbKey)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
|
|
if (!CryptExportKey(hKey, NULL, PRIVATEKEYBLOB, 0, pbKey, pcbKey))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptExportKey");
|
|
}
|
|
|
|
*ppbKey = pbKey;
|
|
pbKey = NULL;
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pbKey)
|
|
{
|
|
LocalFree(pbKey);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myVerifyPublicKey(
|
|
IN OPTIONAL CERT_CONTEXT const *pCert,
|
|
IN BOOL fV1Cert,
|
|
IN OPTIONAL CRYPT_KEY_PROV_INFO const *pKeyProvInfo,
|
|
IN OPTIONAL CERT_PUBLIC_KEY_INFO const *pPublicKeyInfo,
|
|
OPTIONAL OUT BOOL *pfMatchingKey)
|
|
{
|
|
HRESULT hr;
|
|
HCRYPTPROV hProv = NULL;
|
|
DWORD dwKeySpec;
|
|
DWORD cb;
|
|
CERT_PUBLIC_KEY_INFO *pPublicKeyInfoExported = NULL;
|
|
|
|
if (NULL != pfMatchingKey)
|
|
{
|
|
*pfMatchingKey = FALSE;
|
|
}
|
|
if (NULL == pCert ||
|
|
!CryptAcquireCertificatePrivateKey(
|
|
pCert,
|
|
0, // dwFlags
|
|
NULL, // pvReserved
|
|
&hProv,
|
|
&dwKeySpec,
|
|
NULL)) // pfCallerFreeProv
|
|
{
|
|
if (NULL != pKeyProvInfo)
|
|
{
|
|
// ok, try passed kpi
|
|
|
|
if (!myCertSrvCryptAcquireContext(
|
|
&hProv,
|
|
pKeyProvInfo->pwszContainerName,
|
|
pKeyProvInfo->pwszProvName,
|
|
pKeyProvInfo->dwProvType,
|
|
~CRYPT_MACHINE_KEYSET & pKeyProvInfo->dwFlags,
|
|
(CRYPT_MACHINE_KEYSET & pKeyProvInfo->dwFlags)? TRUE : FALSE))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpErrorStr(
|
|
hr,
|
|
error,
|
|
"myCertSrvCryptAcquireContextEx",
|
|
pKeyProvInfo->pwszContainerName);
|
|
}
|
|
dwKeySpec = pKeyProvInfo->dwKeySpec;
|
|
}
|
|
else if (NULL != pCert)
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptAcquireCertificatePrivateKey");
|
|
}
|
|
else
|
|
{
|
|
hr = E_POINTER;
|
|
_JumpError(hr, error, "No cert & no KeyProvInfo");
|
|
}
|
|
}
|
|
|
|
if (!myCryptExportPublicKeyInfo(
|
|
hProv,
|
|
dwKeySpec,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
&pPublicKeyInfoExported,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myCryptExportPublicKeyInfo");
|
|
}
|
|
|
|
if (NULL == pPublicKeyInfo)
|
|
{
|
|
if (NULL == pCert)
|
|
{
|
|
hr = E_POINTER;
|
|
_JumpError(hr, error, "No cert & no SubjectPublicKeyInfo");
|
|
}
|
|
pPublicKeyInfo = &pCert->pCertInfo->SubjectPublicKeyInfo;
|
|
}
|
|
if (!myCertComparePublicKeyInfo(
|
|
X509_ASN_ENCODING,
|
|
fV1Cert,
|
|
pPublicKeyInfoExported,
|
|
pPublicKeyInfo))
|
|
{
|
|
// by design, (my)CertComparePublicKeyInfo doesn't set last error!
|
|
|
|
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
|
|
_JumpError(hr, error, "myCertComparePublicKeyInfo");
|
|
}
|
|
if (NULL != pfMatchingKey)
|
|
{
|
|
*pfMatchingKey = TRUE;
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pPublicKeyInfoExported)
|
|
{
|
|
LocalFree(pPublicKeyInfoExported);
|
|
}
|
|
if (NULL != hProv)
|
|
{
|
|
CryptReleaseContext(hProv, 0);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
DWORD
|
|
GetLengthIndex(
|
|
IN BYTE bBERTag,
|
|
IN DWORD iStart,
|
|
IN BYTE const *pb,
|
|
IN DWORD cb)
|
|
{
|
|
DWORD Index = MAXDWORD;
|
|
|
|
pb += iStart;
|
|
if (iStart + 4 < cb && bBERTag == pb[0])
|
|
{
|
|
// make sure there's room to increment the length in place.
|
|
|
|
if (0x7f > pb[1])
|
|
{
|
|
Index = iStart + 1;
|
|
}
|
|
else if (0x81 == pb[1] && 0xff > pb[2])
|
|
{
|
|
Index = iStart + 2;
|
|
}
|
|
}
|
|
return(Index);
|
|
}
|
|
|
|
|
|
// by design, (my)CertComparePublicKeyInfo doesn't set last error!
|
|
|
|
BOOL
|
|
myCertComparePublicKeyInfo(
|
|
IN DWORD dwCertEncodingType,
|
|
IN BOOL fV1Cert,
|
|
IN CERT_PUBLIC_KEY_INFO const *pPublicKey1,
|
|
IN CERT_PUBLIC_KEY_INFO const *pPublicKey2)
|
|
{
|
|
BOOL fMatch = FALSE;
|
|
BYTE *pbKeyNew = NULL;
|
|
CERT_PUBLIC_KEY_INFO PublicKey;
|
|
|
|
if (CertComparePublicKeyInfo(
|
|
X509_ASN_ENCODING,
|
|
const_cast<CERT_PUBLIC_KEY_INFO *>(pPublicKey1),
|
|
const_cast<CERT_PUBLIC_KEY_INFO *>(pPublicKey2)))
|
|
{
|
|
fMatch = TRUE;
|
|
goto error;
|
|
}
|
|
|
|
// If this is a V1 X509 cert with the sign bit set in the first public key
|
|
// byte -- without a leading zero pad byte, and there's a wasted byte at
|
|
// the end of the public key, insert the zero byte and bump up the lengths.
|
|
|
|
PublicKey = *pPublicKey2;
|
|
if (fV1Cert && BER_SEQUENCE == PublicKey.PublicKey.pbData[0])
|
|
{
|
|
DWORD iLenSequence;
|
|
DWORD iLenModulus;
|
|
BYTE *pbKey = PublicKey.PublicKey.pbData;
|
|
DWORD cbKey = PublicKey.PublicKey.cbData;
|
|
|
|
iLenSequence = GetLengthIndex(BER_SEQUENCE, 0, pbKey, cbKey);
|
|
if (MAXDWORD == iLenSequence)
|
|
{
|
|
goto error;
|
|
}
|
|
iLenModulus = GetLengthIndex(
|
|
BER_INTEGER,
|
|
iLenSequence + 1,
|
|
pbKey,
|
|
cbKey);
|
|
if (MAXDWORD == iLenSequence)
|
|
{
|
|
goto error;
|
|
}
|
|
if (0x80 & pbKey[iLenModulus + 1] &&
|
|
(DWORD) (iLenSequence + 1 + pbKey[iLenSequence]) < cbKey)
|
|
{
|
|
pbKeyNew = (BYTE *) LocalAlloc(LMEM_FIXED, cbKey);
|
|
if (NULL == pbKeyNew)
|
|
{
|
|
_JumpError(E_OUTOFMEMORY, error, "LocalAlloc");
|
|
}
|
|
CopyMemory(pbKeyNew, pbKey, iLenModulus + 1);
|
|
pbKeyNew[iLenSequence]++;
|
|
pbKeyNew[iLenModulus]++;
|
|
pbKeyNew[iLenModulus + 1] = 0;
|
|
CopyMemory(
|
|
&pbKeyNew[iLenModulus + 2],
|
|
&pbKey[iLenModulus + 1],
|
|
cbKey - (iLenModulus + 2));
|
|
|
|
PublicKey.PublicKey.pbData = pbKeyNew;
|
|
if (CertComparePublicKeyInfo(
|
|
X509_ASN_ENCODING,
|
|
const_cast<CERT_PUBLIC_KEY_INFO *>(pPublicKey1),
|
|
&PublicKey))
|
|
{
|
|
fMatch = TRUE;
|
|
}
|
|
}
|
|
}
|
|
|
|
error:
|
|
if (NULL != pbKeyNew)
|
|
{
|
|
LocalFree(pbKeyNew);
|
|
}
|
|
return(fMatch);
|
|
}
|
|
|
|
|
|
BOOL
|
|
myCryptSignMessage(
|
|
IN CRYPT_SIGN_MESSAGE_PARA const *pcsmp,
|
|
IN BYTE const *pbToBeSigned,
|
|
IN DWORD cbToBeSigned,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbSignedBlob,
|
|
OUT DWORD *pcbSignedBlob)
|
|
{
|
|
BOOL b;
|
|
|
|
*ppbSignedBlob = NULL;
|
|
*pcbSignedBlob = 0;
|
|
while (TRUE)
|
|
{
|
|
b = CryptSignMessage(
|
|
const_cast<CRYPT_SIGN_MESSAGE_PARA *>(pcsmp),
|
|
TRUE, // fDetachedSignature
|
|
1, // cToBeSigned
|
|
&pbToBeSigned, // rgpbToBeSigned
|
|
&cbToBeSigned, // rgcbToBeSigned
|
|
*ppbSignedBlob,
|
|
pcbSignedBlob);
|
|
if (b && 0 == *pcbSignedBlob)
|
|
{
|
|
SetLastError(HRESULT_FROM_WIN32(ERROR_INVALID_DATA));
|
|
b = FALSE;
|
|
}
|
|
if (!b)
|
|
{
|
|
if (NULL != *ppbSignedBlob)
|
|
{
|
|
myFree(*ppbSignedBlob, allocType);
|
|
*ppbSignedBlob = NULL;
|
|
}
|
|
break;
|
|
}
|
|
if (NULL != *ppbSignedBlob)
|
|
{
|
|
break;
|
|
}
|
|
*ppbSignedBlob = (BYTE *) myAlloc(*pcbSignedBlob, allocType);
|
|
if (NULL == *ppbSignedBlob)
|
|
{
|
|
b = FALSE;
|
|
break;
|
|
}
|
|
}
|
|
return(b);
|
|
}
|
|
|
|
|
|
BOOL
|
|
myEncodeCert(
|
|
IN DWORD dwEncodingType,
|
|
IN CERT_SIGNED_CONTENT_INFO const *pInfo,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbEncoded,
|
|
OUT DWORD *pcbEncoded)
|
|
{
|
|
return(myEncodeObject(
|
|
dwEncodingType,
|
|
X509_CERT,
|
|
pInfo,
|
|
0,
|
|
allocType,
|
|
ppbEncoded,
|
|
pcbEncoded));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myEncodeName(
|
|
IN DWORD dwEncodingType,
|
|
IN CERT_NAME_INFO const *pInfo,
|
|
IN DWORD dwFlags,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbEncoded,
|
|
OUT DWORD *pcbEncoded)
|
|
{
|
|
return(myEncodeObject(
|
|
dwEncodingType,
|
|
X509_UNICODE_NAME,
|
|
pInfo,
|
|
dwFlags,
|
|
allocType,
|
|
ppbEncoded,
|
|
pcbEncoded));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myEncodeKeyAttributes(
|
|
IN DWORD dwEncodingType,
|
|
IN CERT_KEY_ATTRIBUTES_INFO const *pInfo,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbEncoded,
|
|
OUT DWORD *pcbEncoded)
|
|
{
|
|
return(myEncodeObject(
|
|
dwEncodingType,
|
|
X509_KEY_ATTRIBUTES,
|
|
pInfo,
|
|
0,
|
|
allocType,
|
|
ppbEncoded,
|
|
pcbEncoded));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myEncodeKeyUsage(
|
|
IN DWORD dwEncodingType,
|
|
IN CRYPT_BIT_BLOB const *pInfo,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbEncoded,
|
|
OUT DWORD *pcbEncoded)
|
|
{
|
|
return(myEncodeObject(
|
|
dwEncodingType,
|
|
X509_KEY_USAGE,
|
|
pInfo,
|
|
0,
|
|
allocType,
|
|
ppbEncoded,
|
|
pcbEncoded));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myEncodeKeyAuthority2(
|
|
IN DWORD dwEncodingType,
|
|
IN CERT_AUTHORITY_KEY_ID2_INFO const *pInfo,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbEncoded,
|
|
OUT DWORD *pcbEncoded)
|
|
{
|
|
return(myEncodeObject(
|
|
dwEncodingType,
|
|
X509_AUTHORITY_KEY_ID2,
|
|
pInfo,
|
|
0,
|
|
allocType,
|
|
ppbEncoded,
|
|
pcbEncoded));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myEncodeToBeSigned(
|
|
DWORD dwEncodingType,
|
|
CERT_INFO const *pInfo,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
BYTE **ppbEncoded,
|
|
DWORD *pcbEncoded)
|
|
{
|
|
return(myEncodeObject(
|
|
dwEncodingType,
|
|
X509_CERT_TO_BE_SIGNED,
|
|
pInfo,
|
|
0,
|
|
allocType,
|
|
ppbEncoded,
|
|
pcbEncoded));
|
|
}
|
|
|
|
BOOL
|
|
myDecodeName(
|
|
IN DWORD dwEncodingType,
|
|
IN LPCSTR lpszStructType,
|
|
IN BYTE const *pbEncoded,
|
|
IN DWORD cbEncoded,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT CERT_NAME_INFO **ppNameInfo,
|
|
OUT DWORD *pcbNameInfo)
|
|
{
|
|
return(myDecodeObject(
|
|
dwEncodingType,
|
|
lpszStructType,
|
|
pbEncoded,
|
|
cbEncoded,
|
|
allocType,
|
|
(VOID **) ppNameInfo,
|
|
pcbNameInfo));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myDecodeKeyAuthority(
|
|
IN DWORD dwEncodingType,
|
|
IN BYTE const *pbEncoded,
|
|
IN DWORD cbEncoded,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT CERT_AUTHORITY_KEY_ID_INFO const **ppInfo,
|
|
OUT DWORD *pcbInfo)
|
|
{
|
|
return(myDecodeObject(
|
|
dwEncodingType,
|
|
X509_AUTHORITY_KEY_ID,
|
|
pbEncoded,
|
|
cbEncoded,
|
|
allocType,
|
|
(VOID **) ppInfo,
|
|
pcbInfo));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myDecodeKeyAuthority2(
|
|
IN DWORD dwEncodingType,
|
|
IN BYTE const *pbEncoded,
|
|
IN DWORD cbEncoded,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT CERT_AUTHORITY_KEY_ID2_INFO const **ppInfo,
|
|
OUT DWORD *pcbInfo)
|
|
{
|
|
return(myDecodeObject(
|
|
dwEncodingType,
|
|
X509_AUTHORITY_KEY_ID2,
|
|
pbEncoded,
|
|
cbEncoded,
|
|
allocType,
|
|
(VOID **) ppInfo,
|
|
pcbInfo));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myDecodeExtensions(
|
|
IN DWORD dwEncodingType,
|
|
IN BYTE const *pbEncoded,
|
|
IN DWORD cbEncoded,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT CERT_EXTENSIONS **ppInfo,
|
|
OUT DWORD *pcbInfo)
|
|
{
|
|
return(myDecodeObject(
|
|
dwEncodingType,
|
|
X509_NAME,
|
|
pbEncoded,
|
|
cbEncoded,
|
|
allocType,
|
|
(VOID **) ppInfo,
|
|
pcbInfo));
|
|
}
|
|
|
|
|
|
BOOL
|
|
myDecodeKeyGenRequest(
|
|
IN BYTE const *pbRequest,
|
|
IN DWORD cbRequest,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT CERT_KEYGEN_REQUEST_INFO **ppKeyGenRequest,
|
|
OUT DWORD *pcbKeyGenRequest)
|
|
{
|
|
return(myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_KEYGEN_REQUEST_TO_BE_SIGNED,
|
|
pbRequest,
|
|
cbRequest,
|
|
allocType,
|
|
(VOID **) ppKeyGenRequest,
|
|
pcbKeyGenRequest));
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myDecodeCSPProviderAttribute(
|
|
IN BYTE const *pbCSPEncoded,
|
|
IN DWORD cbCSPEncoded,
|
|
OUT CRYPT_CSP_PROVIDER **ppccp)
|
|
{
|
|
HRESULT hr;
|
|
CRYPT_SEQUENCE_OF_ANY *pCSPProviderSeq = NULL;
|
|
CERT_NAME_VALUE *pCSPProviderName = NULL;
|
|
DWORD cb;
|
|
CRYPT_CSP_PROVIDER *pccp;
|
|
DWORD dwKeySpec;
|
|
CERT_NAME_VALUE *pName = NULL;
|
|
CRYPT_BIT_BLOB *pBlob = NULL;
|
|
BYTE *pb;
|
|
|
|
*ppccp = NULL;
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_SEQUENCE_OF_ANY,
|
|
pbCSPEncoded,
|
|
cbCSPEncoded,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &pCSPProviderSeq,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
if (3 > pCSPProviderSeq->cValue)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
|
|
_JumpError(hr, error, "Sequence count < 3");
|
|
}
|
|
|
|
dwKeySpec = 0;
|
|
if (NULL != pCSPProviderSeq->rgValue[0].pbData &&
|
|
0 != pCSPProviderSeq->rgValue[0].cbData)
|
|
{
|
|
cb = sizeof(dwKeySpec);
|
|
if (!CryptDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_INTEGER,
|
|
pCSPProviderSeq->rgValue[0].pbData,
|
|
pCSPProviderSeq->rgValue[0].cbData,
|
|
0,
|
|
&dwKeySpec,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptDecodeObject");
|
|
}
|
|
}
|
|
if (NULL != pCSPProviderSeq->rgValue[1].pbData &&
|
|
0 != pCSPProviderSeq->rgValue[1].cbData)
|
|
{
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_UNICODE_ANY_STRING,
|
|
pCSPProviderSeq->rgValue[1].pbData,
|
|
pCSPProviderSeq->rgValue[1].cbData,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &pName,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
}
|
|
if (NULL != pCSPProviderSeq->rgValue[2].pbData &&
|
|
0 != pCSPProviderSeq->rgValue[2].cbData)
|
|
{
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_BITS,
|
|
pCSPProviderSeq->rgValue[2].pbData,
|
|
pCSPProviderSeq->rgValue[2].cbData,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &pBlob,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
}
|
|
cb = sizeof(*pccp);
|
|
if (NULL != pName && NULL != pName->Value.pbData)
|
|
{
|
|
cb += POINTERROUND((wcslen((WCHAR const *) pName->Value.pbData) + 1) *
|
|
sizeof(WCHAR));
|
|
}
|
|
if (NULL != pBlob && NULL != pBlob->pbData)
|
|
{
|
|
cb += POINTERROUND(pBlob->cbData);
|
|
}
|
|
pccp = (CRYPT_CSP_PROVIDER *) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, cb);
|
|
if (NULL == pccp)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
*ppccp = pccp;
|
|
pb = (BYTE *) (pccp + 1);
|
|
pccp->dwKeySpec = dwKeySpec;
|
|
if (NULL != pName->Value.pbData)
|
|
{
|
|
pccp->pwszProviderName = (WCHAR *) pb;
|
|
wcscpy(pccp->pwszProviderName, (WCHAR const *) pName->Value.pbData);
|
|
pb += POINTERROUND((wcslen((WCHAR const *) pName->Value.pbData) + 1) *
|
|
sizeof(WCHAR));
|
|
}
|
|
if (NULL != pBlob && NULL != pBlob->pbData)
|
|
{
|
|
pccp->Signature.pbData = pb;
|
|
pccp->Signature.cbData = pBlob->cbData;
|
|
pccp->Signature.cUnusedBits = pBlob->cUnusedBits;
|
|
CopyMemory(pccp->Signature.pbData, pBlob->pbData, pBlob->cbData);
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pCSPProviderSeq)
|
|
{
|
|
LocalFree(pCSPProviderSeq);
|
|
}
|
|
if (NULL != pName)
|
|
{
|
|
LocalFree(pName);
|
|
}
|
|
if (NULL != pBlob)
|
|
{
|
|
LocalFree(pBlob);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
BOOL
|
|
myCertGetCertificateContextProperty(
|
|
IN CERT_CONTEXT const *pCertContext,
|
|
IN DWORD dwPropId,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT VOID **ppvData,
|
|
OUT DWORD *pcbData)
|
|
{
|
|
BOOL b;
|
|
|
|
*ppvData = NULL;
|
|
*pcbData = 0;
|
|
while (TRUE)
|
|
{
|
|
b = CertGetCertificateContextProperty(
|
|
pCertContext,
|
|
dwPropId,
|
|
*ppvData,
|
|
pcbData);
|
|
if (b && 0 == *pcbData)
|
|
{
|
|
SetLastError(HRESULT_FROM_WIN32(ERROR_INVALID_DATA));
|
|
b = FALSE;
|
|
}
|
|
if (!b)
|
|
{
|
|
if (NULL != *ppvData)
|
|
{
|
|
myFree(*ppvData, allocType);
|
|
*ppvData = NULL;
|
|
}
|
|
break;
|
|
}
|
|
if (NULL != *ppvData)
|
|
{
|
|
break;
|
|
}
|
|
*ppvData = (VOID *) myAlloc(*pcbData, allocType);
|
|
if (NULL == *ppvData)
|
|
{
|
|
b = FALSE;
|
|
break;
|
|
}
|
|
}
|
|
return(b);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCertGetKeyProviderInfo(
|
|
IN CERT_CONTEXT const *pCert,
|
|
OUT CRYPT_KEY_PROV_INFO **ppkpi)
|
|
{
|
|
HRESULT hr;
|
|
DWORD cb;
|
|
|
|
*ppkpi = NULL;
|
|
|
|
if (!CertGetCertificateContextProperty(
|
|
pCert,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
NULL,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError2(
|
|
hr,
|
|
error,
|
|
"CertGetCertificateContextProperty",
|
|
CRYPT_E_NOT_FOUND);
|
|
}
|
|
|
|
*ppkpi = (CRYPT_KEY_PROV_INFO *) LocalAlloc(LMEM_FIXED, cb);
|
|
if (NULL == *ppkpi)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
|
|
if (!CertGetCertificateContextProperty(
|
|
pCert,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
*ppkpi,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CertGetCertificateContextProperty");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCryptExportKey(
|
|
IN HCRYPTKEY hKey,
|
|
IN HCRYPTKEY hKeyExp,
|
|
IN DWORD dwBlobType,
|
|
IN DWORD dwFlags,
|
|
OUT BYTE **ppbKey,
|
|
OUT DWORD *pcbKey)
|
|
{
|
|
HRESULT hr;
|
|
|
|
if (!CryptExportKey(hKey, hKeyExp, dwBlobType, dwFlags, NULL, pcbKey))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptExportKey");
|
|
}
|
|
|
|
*ppbKey = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbKey);
|
|
if (NULL == *ppbKey)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
|
|
if (!CryptExportKey(hKey, hKeyExp, dwBlobType, dwFlags, *ppbKey, pcbKey))
|
|
{
|
|
hr = myHLastError();
|
|
LocalFree(*ppbKey);
|
|
*ppbKey = NULL;
|
|
_JumpError(hr, error, "CryptExportKey");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCryptEncrypt(
|
|
IN HCRYPTKEY hKey,
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT BYTE **ppbEncrypted,
|
|
OUT DWORD *pcbEncrypted)
|
|
{
|
|
HRESULT hr;
|
|
BYTE *pbEncrypted = NULL;
|
|
DWORD cbEncrypted;
|
|
DWORD cbAlloc;
|
|
BOOL fRetried = FALSE;
|
|
|
|
cbAlloc = cbIn + 64; // may be enough to prevent overflow
|
|
while (TRUE)
|
|
{
|
|
cbEncrypted = cbIn;
|
|
pbEncrypted = (BYTE *) LocalAlloc(LMEM_FIXED, cbAlloc);
|
|
if (NULL == pbEncrypted)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
CopyMemory(pbEncrypted, pbIn, cbIn);
|
|
|
|
if (!CryptEncrypt(
|
|
hKey,
|
|
NULL, // hHash
|
|
TRUE, // Final
|
|
0, // dwFlags
|
|
pbEncrypted, // pbData
|
|
&cbEncrypted, // pdwDataLen
|
|
cbAlloc)) // dwBufLen
|
|
{
|
|
hr = myHLastError();
|
|
if (!fRetried && HRESULT_FROM_WIN32(ERROR_MORE_DATA) == hr)
|
|
{
|
|
LocalFree(pbEncrypted);
|
|
pbEncrypted = NULL;
|
|
DBGPRINT((
|
|
DBG_SS_CERTLIB,
|
|
"CryptEncrypt(MORE DATA): %u -> %u\n",
|
|
cbAlloc,
|
|
cbEncrypted));
|
|
cbAlloc = cbEncrypted;
|
|
fRetried = TRUE;
|
|
continue;
|
|
}
|
|
_JumpError(hr, error, "CryptEncrypt");
|
|
}
|
|
break;
|
|
}
|
|
*ppbEncrypted = pbEncrypted;
|
|
*pcbEncrypted = cbEncrypted;
|
|
pbEncrypted = NULL;
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pbEncrypted)
|
|
{
|
|
LocalFree(pbEncrypted);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCryptDecrypt(
|
|
IN HCRYPTKEY hKey,
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT BYTE **ppbDecrypted,
|
|
OUT DWORD *pcbDecrypted)
|
|
{
|
|
HRESULT hr;
|
|
BYTE *pbDecrypted = NULL;
|
|
DWORD cbDecrypted;
|
|
|
|
// init
|
|
*ppbDecrypted = NULL;
|
|
*pcbDecrypted = 0;
|
|
|
|
cbDecrypted = cbIn;
|
|
pbDecrypted = (BYTE *) LocalAlloc(LMEM_FIXED, cbIn);
|
|
if (NULL == pbDecrypted)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
CopyMemory(pbDecrypted, pbIn, cbIn);
|
|
|
|
if (!CryptDecrypt(
|
|
hKey,
|
|
NULL, // hHash
|
|
TRUE, // Final
|
|
0, // dwFlags
|
|
pbDecrypted, // pbData
|
|
&cbDecrypted)) // pdwDataLen
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptDecrypt");
|
|
}
|
|
*ppbDecrypted = pbDecrypted;
|
|
*pcbDecrypted = cbDecrypted;
|
|
pbDecrypted = NULL;
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pbDecrypted)
|
|
{
|
|
LocalFree(pbDecrypted);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCryptEncryptMessage(
|
|
IN ALG_ID algId,
|
|
IN DWORD cCertRecipient,
|
|
IN CERT_CONTEXT const **rgCertRecipient,
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
IN OPTIONAL HCRYPTPROV hCryptProv,
|
|
OUT BYTE **ppbEncrypted,
|
|
OUT DWORD *pcbEncrypted)
|
|
{
|
|
HRESULT hr;
|
|
CRYPT_ENCRYPT_MESSAGE_PARA cemp;
|
|
CRYPT_OID_INFO const *pOidInfo;
|
|
CERT_CONTEXT const *pcc = NULL;
|
|
|
|
// Convert to an Object Id
|
|
|
|
pOidInfo = CryptFindOIDInfo(
|
|
CRYPT_OID_INFO_ALGID_KEY,
|
|
&algId,
|
|
CRYPT_ENCRYPT_ALG_OID_GROUP_ID);
|
|
if (NULL == pOidInfo)
|
|
{
|
|
// function is not doc'd to set GetLastError()
|
|
|
|
hr = CRYPT_E_NOT_FOUND;
|
|
DBGPRINT((DBG_SS_ERROR, "algId = %x\n", algId));
|
|
_JumpError(hr, error, "CryptFindOIDInfo");
|
|
}
|
|
|
|
// Encrypt the data with the public key
|
|
|
|
ZeroMemory(&cemp, sizeof(cemp));
|
|
cemp.cbSize = sizeof(cemp);
|
|
cemp.dwMsgEncodingType = PKCS_7_ASN_ENCODING | CRYPT_ASN_ENCODING;
|
|
cemp.ContentEncryptionAlgorithm.pszObjId = const_cast<char *>(pOidInfo->pszOID);
|
|
cemp.hCryptProv = hCryptProv;
|
|
|
|
*pcbEncrypted = 0;
|
|
while (TRUE)
|
|
{
|
|
if (!CryptEncryptMessage(
|
|
&cemp,
|
|
cCertRecipient, // cRecipientCert
|
|
rgCertRecipient, // rgpRecipientCert IN
|
|
pbIn, // pbToBeEncrypted
|
|
cbIn, // cbToBeEncrypted
|
|
*ppbEncrypted, // pbEncryptedBlob
|
|
pcbEncrypted)) // pcbEncryptedBlob
|
|
{
|
|
hr = myHLastError();
|
|
if (NULL != *ppbEncrypted)
|
|
{
|
|
LocalFree(*ppbEncrypted);
|
|
*ppbEncrypted = NULL;
|
|
}
|
|
_JumpError(hr, error, "CryptEncryptMessage");
|
|
}
|
|
if (NULL != *ppbEncrypted)
|
|
{
|
|
break;
|
|
}
|
|
*ppbEncrypted = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbEncrypted);
|
|
if (NULL == *ppbEncrypted)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
CSASSERT(S_OK == hr || FAILED(hr));
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCryptDecryptMessage(
|
|
IN HCERTSTORE hStore,
|
|
IN BYTE const *pbEncrypted,
|
|
IN DWORD cbEncrypted,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT BYTE **ppbDecrypted,
|
|
OUT DWORD *pcbDecrypted)
|
|
{
|
|
HRESULT hr;
|
|
CRYPT_DECRYPT_MESSAGE_PARA cdmp;
|
|
|
|
ZeroMemory(&cdmp, sizeof(cdmp));
|
|
cdmp.cbSize = sizeof(cdmp);
|
|
cdmp.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
|
|
cdmp.cCertStore = 1;
|
|
cdmp.rghCertStore = &hStore;
|
|
|
|
*ppbDecrypted = NULL;
|
|
*pcbDecrypted = 0;
|
|
while (TRUE)
|
|
{
|
|
if (!CryptDecryptMessage(
|
|
&cdmp,
|
|
pbEncrypted,
|
|
cbEncrypted,
|
|
*ppbDecrypted,
|
|
pcbDecrypted,
|
|
NULL)) // ppXchgCert
|
|
{
|
|
hr = myHLastError();
|
|
if (NULL != *ppbDecrypted)
|
|
{
|
|
myFree(*ppbDecrypted, allocType);
|
|
*ppbDecrypted = NULL;
|
|
}
|
|
_JumpError(hr, error, "CryptDecryptMessage");
|
|
}
|
|
if (NULL != *ppbDecrypted)
|
|
{
|
|
break;
|
|
}
|
|
*ppbDecrypted = (BYTE *) myAlloc(*pcbDecrypted, allocType);
|
|
if (NULL == *ppbDecrypted)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "myAlloc");
|
|
}
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myGetInnerPKCS10(
|
|
IN HCRYPTMSG hMsg,
|
|
IN char const *pszInnerContentObjId,
|
|
OUT CERT_REQUEST_INFO **ppRequest)
|
|
{
|
|
HRESULT hr;
|
|
BYTE *pbContent = NULL;
|
|
DWORD cbContent;
|
|
CMC_DATA_INFO *pcmcData = NULL;
|
|
DWORD cbcmcData;
|
|
CMC_TAGGED_CERT_REQUEST const *pTaggedCertRequest;
|
|
DWORD cbRequest;
|
|
|
|
*ppRequest = NULL;
|
|
#define szOID_CT_PKI_DATA_OLDRFC "1.3.6.1.5.5.7.5.2" // BUGBUG: temporary!!!
|
|
|
|
if (0 != strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA) &&
|
|
0 != strcmp(pszInnerContentObjId, szOID_CT_PKI_DATA_OLDRFC))
|
|
{
|
|
hr = CRYPT_E_INVALID_MSG_TYPE;
|
|
_JumpError(hr, error, "Not a CMC request");
|
|
}
|
|
|
|
// Get the request content, then search for the PKCS10's public key.
|
|
|
|
hr = myCryptMsgGetParam(
|
|
hMsg,
|
|
CMSG_CONTENT_PARAM,
|
|
0,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &pbContent,
|
|
&cbContent);
|
|
_JumpIfError(hr, error, "myCryptMsgGetParam");
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
CMC_DATA,
|
|
pbContent,
|
|
cbContent,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &pcmcData,
|
|
&cbcmcData))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
|
|
if (1 != pcmcData->cTaggedRequest ||
|
|
CMC_TAGGED_CERT_REQUEST_CHOICE !=
|
|
pcmcData->rgTaggedRequest[0].dwTaggedRequestChoice)
|
|
{
|
|
hr = CRYPT_E_INVALID_MSG_TYPE;
|
|
_JumpError(hr, error, "Must be 1 PKCS10");
|
|
}
|
|
pTaggedCertRequest = pcmcData->rgTaggedRequest[0].pTaggedCertRequest;
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_CERT_REQUEST_TO_BE_SIGNED,
|
|
pTaggedCertRequest->SignedCertRequest.pbData,
|
|
pTaggedCertRequest->SignedCertRequest.cbData,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) ppRequest,
|
|
&cbRequest))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pbContent)
|
|
{
|
|
LocalFree(pbContent);
|
|
}
|
|
if (NULL != pcmcData)
|
|
{
|
|
LocalFree(pcmcData);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myPKCSEncodeString(
|
|
IN WCHAR const *pwsz,
|
|
OUT BYTE **ppbOut,
|
|
OUT DWORD *pcbOut)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
CERT_NAME_VALUE cnv;
|
|
|
|
// encode the string as an IA5 string
|
|
|
|
cnv.dwValueType = CERT_RDN_IA5_STRING;
|
|
cnv.Value.pbData = (BYTE *) pwsz;
|
|
cnv.Value.cbData = 0; // Use L'\0' termination for the length
|
|
|
|
if (!myEncodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_UNICODE_NAME_VALUE,
|
|
&cnv,
|
|
0,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
ppbOut,
|
|
pcbOut))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myEncodeObject");
|
|
}
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myPKCSDecodeString(
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT WCHAR **ppwszOut)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
CERT_NAME_VALUE *pcnv = NULL;
|
|
DWORD cbOut;
|
|
|
|
*ppwszOut = NULL;
|
|
|
|
// decode the string from an IA5 string
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_UNICODE_NAME_VALUE,
|
|
pbIn,
|
|
cbIn,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &pcnv,
|
|
&cbOut))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
if (CERT_RDN_IA5_STRING != pcnv->dwValueType)
|
|
{
|
|
hr = E_INVALIDARG;
|
|
_JumpError(hr, error, "Not an IA5 string");
|
|
}
|
|
cbOut = (wcslen((WCHAR const *) pcnv->Value.pbData) + 1) * sizeof(WCHAR);
|
|
*ppwszOut = (WCHAR *) LocalAlloc(LMEM_FIXED, cbOut);
|
|
if (NULL == *ppwszOut)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
CopyMemory(*ppwszOut, pcnv->Value.pbData, cbOut);
|
|
|
|
error:
|
|
if (NULL != pcnv)
|
|
{
|
|
LocalFree(pcnv);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myPKCSEncodeLong(
|
|
IN LONG Value,
|
|
OUT BYTE **ppbOut,
|
|
OUT DWORD *pcbOut)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
// encode the long value
|
|
|
|
if (!myEncodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_INTEGER,
|
|
&Value,
|
|
0,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
ppbOut,
|
|
pcbOut))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myEncodeObject");
|
|
}
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myPKCSDecodeLong(
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT LONG **ppValue)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
DWORD cbOut;
|
|
|
|
// encode the long value
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_INTEGER,
|
|
pbIn,
|
|
cbIn,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) ppValue,
|
|
&cbOut))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
CSASSERT(sizeof(**ppValue) == cbOut);
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myPKCSEncodeDate(
|
|
IN FILETIME const *pft,
|
|
OUT BYTE **ppbOut,
|
|
OUT DWORD *pcbOut)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
|
|
// encode the time value
|
|
|
|
if (!myEncodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_CHOICE_OF_TIME,
|
|
pft,
|
|
0,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
ppbOut,
|
|
pcbOut))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myEncodeObject");
|
|
}
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myPKCSDecodeDate(
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT FILETIME **ppftOut)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
DWORD cbOut;
|
|
|
|
// encode the time value
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_CHOICE_OF_TIME,
|
|
pbIn,
|
|
cbIn,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) ppftOut,
|
|
&cbOut))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
CSASSERT(sizeof(**ppftOut) == cbOut);
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myEncodeExtension(
|
|
IN DWORD Flags,
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT BYTE **ppbOut,
|
|
OUT DWORD *pcbOut)
|
|
{
|
|
HRESULT hr = E_INVALIDARG;
|
|
|
|
// everyone assumes pbIn != NULL
|
|
|
|
if (NULL == pbIn || 0 == cbIn)
|
|
{
|
|
_JumpError(hr, error, "NULL param");
|
|
}
|
|
|
|
switch (PROPTYPE_MASK & Flags)
|
|
{
|
|
case PROPTYPE_STRING:
|
|
if (0 == (PROPMARSHAL_LOCALSTRING & Flags) &&
|
|
sizeof(WCHAR) <= cbIn)
|
|
{
|
|
cbIn -= sizeof(WCHAR);
|
|
}
|
|
if (wcslen((WCHAR const *) pbIn) * sizeof(WCHAR) != cbIn)
|
|
{
|
|
_JumpError(hr, error, "bad string len");
|
|
}
|
|
hr = myPKCSEncodeString((WCHAR const *) pbIn, ppbOut, pcbOut);
|
|
_JumpIfError(hr, error, "myPKCSEncodeString");
|
|
|
|
break;
|
|
|
|
case PROPTYPE_LONG:
|
|
CSASSERT(sizeof(DWORD) == cbIn);
|
|
hr = myPKCSEncodeLong(*(DWORD const *) pbIn, ppbOut, pcbOut);
|
|
_JumpIfError(hr, error, "myPKCSEncodeLong");
|
|
|
|
break;
|
|
|
|
case PROPTYPE_DATE:
|
|
CSASSERT(sizeof(FILETIME) == cbIn);
|
|
hr = myPKCSEncodeDate((FILETIME const *) pbIn, ppbOut, pcbOut);
|
|
_JumpIfError(hr, error, "myPKCSEncodeDate");
|
|
|
|
break;
|
|
|
|
default:
|
|
_JumpError(hr, error, "variant type/value");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myDecodeExtension(
|
|
IN DWORD Flags,
|
|
IN BYTE const *pbIn,
|
|
IN DWORD cbIn,
|
|
OUT BYTE **ppbOut,
|
|
OUT DWORD *pcbOut)
|
|
{
|
|
HRESULT hr;
|
|
|
|
switch (PROPTYPE_MASK & Flags)
|
|
{
|
|
case PROPTYPE_STRING:
|
|
hr = myPKCSDecodeString(pbIn, cbIn, (WCHAR **) ppbOut);
|
|
_JumpIfError(hr, error, "myPKCSDecodeString");
|
|
|
|
*pcbOut = wcslen((WCHAR const *) *ppbOut) * sizeof(WCHAR);
|
|
break;
|
|
|
|
case PROPTYPE_LONG:
|
|
hr = myPKCSDecodeLong(pbIn, cbIn, (LONG **) ppbOut);
|
|
_JumpIfError(hr, error, "myPKCSDecodeLong");
|
|
|
|
*pcbOut = sizeof(LONG);
|
|
break;
|
|
|
|
case PROPTYPE_DATE:
|
|
hr = myPKCSDecodeDate(pbIn, cbIn, (FILETIME **) ppbOut);
|
|
_JumpIfError(hr, error, "myPKCSDecodeDate");
|
|
|
|
*pcbOut = sizeof(FILETIME);
|
|
break;
|
|
|
|
default:
|
|
hr = E_INVALIDARG;
|
|
_JumpError(hr, error, "Flags: Invalid type");
|
|
}
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
// szOID_ENROLLMENT_NAME_VALUE_PAIR
|
|
|
|
BOOL
|
|
myDecodeNameValuePair(
|
|
IN DWORD dwEncodingType,
|
|
IN BYTE const *pbEncoded,
|
|
IN DWORD cbEncoded,
|
|
IN CERTLIB_ALLOCATOR allocType,
|
|
OUT CRYPT_ENROLLMENT_NAME_VALUE_PAIR **ppInfo,
|
|
OUT DWORD *pcbInfo)
|
|
{
|
|
|
|
return(myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
szOID_ENROLLMENT_NAME_VALUE_PAIR,
|
|
pbEncoded,
|
|
cbEncoded,
|
|
allocType,
|
|
(VOID **) ppInfo,
|
|
pcbInfo));
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
// myVerifyObjIdA - verify the passed pszObjId is valid as per X.208
|
|
//
|
|
// Encode and Decode the Object Id and make sure it survives the round trip.
|
|
// The first number must be 0, 1 or 2.
|
|
// Enforce all characters are digits and dots.
|
|
// Enforce that no dot starts or ends the Object Id, and disallow double dots.
|
|
// Enforce there is at least one dot separator.
|
|
// If the first number is 0 or 1, the second number must be between 0 & 39.
|
|
// If the first number is 2, the second number can be any value.
|
|
//--------------------------------------------------------------------------
|
|
|
|
HRESULT
|
|
myVerifyObjIdA(
|
|
IN CHAR const *pszObjId)
|
|
{
|
|
HRESULT hr;
|
|
BYTE *pbEncoded = NULL;
|
|
DWORD cbEncoded;
|
|
CRYPT_ATTRIBUTE ainfo;
|
|
CRYPT_ATTRIBUTE *painfo = NULL;
|
|
DWORD cbainfo;
|
|
char const *psz;
|
|
int i;
|
|
BOOL fNoisy = FALSE;
|
|
|
|
hr = E_INVALIDARG;
|
|
for (psz = pszObjId; '\0' != *psz; psz++)
|
|
{
|
|
// must be a digit or a dot separator
|
|
|
|
if (!isdigit(*psz))
|
|
{
|
|
if ('.' != *psz)
|
|
{
|
|
_JumpError2(hr, error, "bad ObjId: bad char", hr);
|
|
}
|
|
|
|
// can't have dot at start, double dots or dot at end
|
|
|
|
if (psz == pszObjId || '.' == psz[1] || '\0' == psz[1])
|
|
{
|
|
_JumpError2(hr, error, "bad ObjId: dot location", hr);
|
|
}
|
|
}
|
|
}
|
|
psz = strchr(pszObjId, '.');
|
|
if (NULL == psz)
|
|
{
|
|
_JumpError2(hr, error, "bad ObjId: must have at least one dot", hr);
|
|
}
|
|
i = atoi(pszObjId);
|
|
switch (i)
|
|
{
|
|
case 0:
|
|
case 1:
|
|
i = atoi(++psz);
|
|
if (0 > i || 39 < i)
|
|
{
|
|
_JumpError(hr, error, "bad ObjId: 0. or 1. must be followed by 0..39");
|
|
}
|
|
break;
|
|
|
|
case 2:
|
|
break;
|
|
|
|
default:
|
|
fNoisy = TRUE;
|
|
_JumpError(hr, error, "bad ObjId: must start with 0, 1 or 2");
|
|
}
|
|
|
|
fNoisy = TRUE;
|
|
ainfo.pszObjId = const_cast<char *>(pszObjId);
|
|
ainfo.cValue = 0;
|
|
ainfo.rgValue = NULL;
|
|
|
|
if (!myEncodeObject(
|
|
X509_ASN_ENCODING,
|
|
PKCS_ATTRIBUTE,
|
|
&ainfo,
|
|
0,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
&pbEncoded,
|
|
&cbEncoded))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myEncodeObject");
|
|
}
|
|
|
|
if (!myDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
PKCS_ATTRIBUTE,
|
|
pbEncoded,
|
|
cbEncoded,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
(VOID **) &painfo,
|
|
&cbainfo))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeObject");
|
|
}
|
|
|
|
if (0 != strcmp(pszObjId, painfo->pszObjId))
|
|
{
|
|
hr = E_INVALIDARG;
|
|
_JumpError(hr, error, "bad ObjId: decode mismatch");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (S_OK != hr)
|
|
{
|
|
DBGPRINT((
|
|
fNoisy? DBG_SS_CERTLIB : DBG_SS_CERTLIBI,
|
|
"myVerifyObjIdA(%hs): %x\n",
|
|
pszObjId,
|
|
hr));
|
|
}
|
|
if (NULL != pbEncoded)
|
|
{
|
|
LocalFree(pbEncoded);
|
|
}
|
|
if (NULL != painfo)
|
|
{
|
|
LocalFree(painfo);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myVerifyObjId(
|
|
IN WCHAR const *pwszObjId)
|
|
{
|
|
HRESULT hr;
|
|
CHAR *pszObjId = NULL;
|
|
|
|
if (!ConvertWszToSz(&pszObjId, pwszObjId, -1))
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "ConvertWszToSz");
|
|
}
|
|
hr = myVerifyObjIdA(pszObjId);
|
|
_JumpIfErrorStr2(hr, error, "myVerifyObjIdA", pwszObjId, E_INVALIDARG);
|
|
|
|
error:
|
|
if (NULL != pszObjId)
|
|
{
|
|
LocalFree(pszObjId);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
// The returned pszObjId is a constant that must not be freed. CryptFindOIDInfo
|
|
// has a static internal database that is valid until crypt32.dll is unloaded.
|
|
|
|
#define GON_GROUP 0x00000001
|
|
#define GON_GENERIC 0x00000002
|
|
|
|
typedef struct _OIDNAME
|
|
{
|
|
char const *pszObjId;
|
|
WCHAR const *pwszDisplayName;
|
|
} OIDNAME;
|
|
|
|
#if DBG
|
|
#define wszCERTLIB L"(certlib)"
|
|
#else
|
|
#define wszCERTLIB L""
|
|
#endif
|
|
|
|
OIDNAME s_aOIDName[] = {
|
|
{ szOID_CT_PKI_DATA, L"CMC Data" wszCERTLIB, },
|
|
{ szOID_CT_PKI_RESPONSE, L"CMC Response" wszCERTLIB, },
|
|
{ szOID_CMC, L"Unsigned CMC Request" wszCERTLIB, },
|
|
{ szOID_CMC_TRANSACTION_ID, L"Transaction Id" wszCERTLIB, },
|
|
{ szOID_CMC_SENDER_NONCE, L"Sender Nonce" wszCERTLIB, },
|
|
{ szOID_CMC_RECIPIENT_NONCE, L"Recipient Nonce" wszCERTLIB, },
|
|
{ szOID_CMC_REG_INFO, L"Reg Info" wszCERTLIB, },
|
|
{ szOID_CMC_GET_CERT, L"Get Certificate" wszCERTLIB, },
|
|
{ szOID_CMC_GET_CRL, L"Get CRL" wszCERTLIB, },
|
|
{ szOID_CMC_REVOKE_REQUEST, L"Revoke Request" wszCERTLIB, },
|
|
{ szOID_CMC_QUERY_PENDING, L"Query Pending" wszCERTLIB, },
|
|
{ szOID_CMC_ID_CONFIRM_CERT_ACCEPTANCE, L"Confirm Certificate Acceptance" wszCERTLIB, },
|
|
{ szOID_CMC_STATUS_INFO, L"Unsigned CMC Response" wszCERTLIB, },
|
|
{ szOID_CMC_ADD_EXTENSIONS, L"CMC Extensions" wszCERTLIB, },
|
|
{ szOID_CMC_ADD_ATTRIBUTES, L"CMC Attributes" wszCERTLIB, },
|
|
{ szOID_VERISIGN_ONSITE_JURISDICTION_HASH, L"Jurisdiction Hash" wszCERTLIB, },
|
|
{ szOID_PKCS_7_DATA, L"PKCS 7 Data" wszCERTLIB, },
|
|
{ szOID_ARCHIVED_KEY_ATTR, L"Archived Key" wszCERTLIB, },
|
|
{ szOID_CTL, L"Certifcate Trust List" wszCERTLIB, },
|
|
{ szOID_ARCHIVED_KEY_CERT_HASH, L"Archived Key Certificate Hash" wszCERTLIB, },
|
|
{ szOID_ROOT_LIST_SIGNER, L"Root List Signer" wszCERTLIB, },
|
|
{ szOID_PRIVATEKEY_USAGE_PERIOD, L"Private Key Usage Period" wszCERTLIB, },
|
|
{ szOID_REQUEST_CLIENT_INFO, L"Client Information" wszCERTLIB, },
|
|
};
|
|
|
|
WCHAR const *
|
|
myGetOIDNameA(
|
|
IN char const *pszObjId)
|
|
{
|
|
CRYPT_OID_INFO const *pInfo = NULL;
|
|
WCHAR const *pwszName = L"";
|
|
DWORD Flags = GON_GROUP | GON_GENERIC;
|
|
|
|
if ('+' == *pszObjId)
|
|
{
|
|
Flags = GON_GROUP; // Group lookup only
|
|
pszObjId++;
|
|
}
|
|
else
|
|
if ('-' == *pszObjId)
|
|
{
|
|
Flags = GON_GENERIC; // Generic lookup only
|
|
pszObjId++;
|
|
}
|
|
|
|
// First try looking up the ObjectId as an Extension or Attribute, because
|
|
// we get a better Display Name, especially for Subject RDNs: CN, L, etc.
|
|
// If that fails, look it up withoput restricting the group.
|
|
|
|
if (GON_GROUP & Flags)
|
|
{
|
|
pInfo = CryptFindOIDInfo(
|
|
CRYPT_OID_INFO_OID_KEY,
|
|
(VOID *) pszObjId,
|
|
CRYPT_EXT_OR_ATTR_OID_GROUP_ID);
|
|
}
|
|
if ((GON_GENERIC & Flags) &&
|
|
(NULL == pInfo ||
|
|
NULL == pInfo->pwszName ||
|
|
L'\0' == pInfo->pwszName[0]))
|
|
{
|
|
pInfo = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, (VOID *) pszObjId, 0);
|
|
}
|
|
if (NULL != pInfo && NULL != pInfo->pwszName && L'\0' != pInfo->pwszName[0])
|
|
{
|
|
pwszName = pInfo->pwszName;
|
|
}
|
|
else
|
|
{
|
|
OIDNAME const *pOIDName;
|
|
|
|
for (pOIDName = s_aOIDName;
|
|
pOIDName < &s_aOIDName[ARRAYSIZE(s_aOIDName)];
|
|
pOIDName++)
|
|
{
|
|
if (0 == strcmp(pOIDName->pszObjId, pszObjId))
|
|
{
|
|
pwszName = pOIDName->pwszDisplayName;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
return(pwszName);
|
|
}
|
|
|
|
|
|
WCHAR const *
|
|
myGetOIDName(
|
|
IN WCHAR const *pwszObjId)
|
|
{
|
|
char *pszObjId = NULL;
|
|
WCHAR const *pwszName = L"";
|
|
|
|
if (!ConvertWszToSz(&pszObjId, pwszObjId, -1))
|
|
{
|
|
_JumpError(E_OUTOFMEMORY, error, "ConvertWszToSz");
|
|
}
|
|
pwszName = myGetOIDNameA(pszObjId);
|
|
|
|
error:
|
|
if (NULL != pszObjId)
|
|
{
|
|
LocalFree(pszObjId);
|
|
}
|
|
return(pwszName);
|
|
}
|
|
|
|
|
|
typedef struct _DUMPFLAGS
|
|
{
|
|
DWORD Mask;
|
|
DWORD Value;
|
|
WCHAR const *pwszDescription;
|
|
} DUMPFLAGS;
|
|
|
|
|
|
#define _DFBIT(def) { (def), (def), L#def }
|
|
#define _DFBIT2(mask, def) { (mask), (def), L#def }
|
|
|
|
|
|
DUMPFLAGS g_adfErrorStatus[] =
|
|
{
|
|
_DFBIT(CERT_TRUST_IS_NOT_TIME_VALID),
|
|
_DFBIT(CERT_TRUST_IS_NOT_TIME_NESTED),
|
|
_DFBIT(CERT_TRUST_IS_REVOKED),
|
|
_DFBIT(CERT_TRUST_IS_NOT_SIGNATURE_VALID),
|
|
_DFBIT(CERT_TRUST_IS_NOT_VALID_FOR_USAGE),
|
|
_DFBIT(CERT_TRUST_IS_UNTRUSTED_ROOT),
|
|
_DFBIT(CERT_TRUST_REVOCATION_STATUS_UNKNOWN),
|
|
_DFBIT(CERT_TRUST_IS_CYCLIC),
|
|
|
|
_DFBIT(CERT_TRUST_INVALID_EXTENSION),
|
|
_DFBIT(CERT_TRUST_INVALID_POLICY_CONSTRAINTS),
|
|
_DFBIT(CERT_TRUST_INVALID_BASIC_CONSTRAINTS),
|
|
_DFBIT(CERT_TRUST_INVALID_NAME_CONSTRAINTS),
|
|
_DFBIT(CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT),
|
|
_DFBIT(CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT),
|
|
_DFBIT(CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT),
|
|
_DFBIT(CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT),
|
|
|
|
_DFBIT(CERT_TRUST_IS_OFFLINE_REVOCATION),
|
|
_DFBIT(CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY),
|
|
|
|
_DFBIT(CERT_TRUST_IS_PARTIAL_CHAIN),
|
|
_DFBIT(CERT_TRUST_CTL_IS_NOT_TIME_VALID),
|
|
_DFBIT(CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID),
|
|
_DFBIT(CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE),
|
|
|
|
{ 0, 0, NULL }
|
|
};
|
|
|
|
DUMPFLAGS g_adfInfoStatus[] =
|
|
{
|
|
_DFBIT(CERT_TRUST_HAS_EXACT_MATCH_ISSUER),
|
|
_DFBIT(CERT_TRUST_HAS_KEY_MATCH_ISSUER),
|
|
_DFBIT(CERT_TRUST_HAS_NAME_MATCH_ISSUER),
|
|
_DFBIT(CERT_TRUST_IS_SELF_SIGNED),
|
|
|
|
_DFBIT(CERT_TRUST_HAS_PREFERRED_ISSUER),
|
|
_DFBIT(CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY),
|
|
_DFBIT(CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS),
|
|
|
|
_DFBIT(CERT_TRUST_IS_COMPLEX_CHAIN),
|
|
{ 0, 0, NULL }
|
|
};
|
|
|
|
|
|
VOID
|
|
DumpFlags(
|
|
IN DWORD Flags,
|
|
IN WCHAR const *pwsz,
|
|
IN DUMPFLAGS const *pdf)
|
|
{
|
|
for ( ; NULL != pdf->pwszDescription; pdf++)
|
|
{
|
|
if ((Flags & pdf->Mask) == pdf->Value)
|
|
{
|
|
CONSOLEPRINT2((
|
|
MAXDWORD,
|
|
"%ws = %ws\n",
|
|
pwsz,
|
|
pdf->pwszDescription));
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
DumpUsage(
|
|
IN WCHAR const *pwsz,
|
|
OPTIONAL IN CERT_ENHKEY_USAGE const *pUsage)
|
|
{
|
|
DWORD i;
|
|
|
|
if (NULL != pUsage)
|
|
{
|
|
for (i = 0; i < pUsage->cUsageIdentifier; i++)
|
|
{
|
|
CONSOLEPRINT4((
|
|
MAXDWORD,
|
|
"%ws[%u] = %hs %ws\n",
|
|
pwsz,
|
|
i,
|
|
pUsage->rgpszUsageIdentifier[i],
|
|
myGetOIDNameA(pUsage->rgpszUsageIdentifier[i])));
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
HRESULT
|
|
WriteBlob(
|
|
IN FILE *pf,
|
|
IN BYTE const *pb,
|
|
IN DWORD cb,
|
|
IN DWORD Flags)
|
|
{
|
|
HRESULT hr;
|
|
char *pszBase64 = NULL;
|
|
|
|
hr = myCryptBinaryToStringA(
|
|
pb,
|
|
cb,
|
|
Flags | CRYPT_STRING_NOCR,
|
|
&pszBase64);
|
|
_JumpIfError(hr, error, "myCryptBinaryToStringA");
|
|
|
|
fputs(pszBase64, pf);
|
|
fflush(pf);
|
|
if (ferror(pf))
|
|
{
|
|
hr = HRESULT_FROM_WIN32(ERROR_DISK_FULL);
|
|
_JumpError(hr, error, "fputs");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pszBase64)
|
|
{
|
|
LocalFree(pszBase64);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
VOID
|
|
WriteChain(
|
|
IN CERT_SIMPLE_CHAIN const *pChain,
|
|
IN DWORD SaveIndex,
|
|
IN DWORD ChainIndex)
|
|
{
|
|
HRESULT hr;
|
|
char szPath[MAX_PATH];
|
|
DWORD i;
|
|
FILE *pf = NULL;
|
|
|
|
if (0 == GetEnvironmentVariableA("temp", szPath, ARRAYSIZE(szPath)))
|
|
{
|
|
strcpy(szPath, "\\");
|
|
}
|
|
i = strlen(szPath);
|
|
if (0 == i || '\\' != szPath[i - 1])
|
|
{
|
|
szPath[i++] = '\\';
|
|
}
|
|
sprintf(&szPath[i], "Chain%d_%d.txt", SaveIndex, ChainIndex);
|
|
pf = fopen(szPath, "w");
|
|
if (NULL == pf)
|
|
{
|
|
hr = errno;
|
|
_JumpError(hr, error, "fopen");
|
|
}
|
|
for (i = 0; i < pChain->cElement; i++)
|
|
{
|
|
CERT_CHAIN_ELEMENT const *pElement = pChain->rgpElement[i];
|
|
CERT_REVOCATION_INFO *pRevocationInfo;
|
|
|
|
if (0 < i)
|
|
{
|
|
fputs("\n", pf);
|
|
}
|
|
fprintf(pf, "Certificate %d:\n", i);
|
|
|
|
hr = WriteBlob(
|
|
pf,
|
|
pElement->pCertContext->pbCertEncoded,
|
|
pElement->pCertContext->cbCertEncoded,
|
|
CRYPT_STRING_BASE64HEADER);
|
|
_JumpIfError(hr, error, "WriteBlob");
|
|
|
|
pRevocationInfo = pElement->pRevocationInfo;
|
|
|
|
if (NULL != pRevocationInfo &&
|
|
CCSIZEOF_STRUCT(CERT_REVOCATION_INFO, pCrlInfo) <=
|
|
pRevocationInfo->cbSize &&
|
|
NULL != pRevocationInfo->pCrlInfo)
|
|
{
|
|
CERT_REVOCATION_CRL_INFO *pCrlInfo;
|
|
|
|
pCrlInfo = pRevocationInfo->pCrlInfo;
|
|
if (NULL != pCrlInfo)
|
|
{
|
|
if (NULL != pCrlInfo->pBaseCrlContext)
|
|
{
|
|
fprintf(pf, "\nCRL %d:\n", i);
|
|
hr = WriteBlob(
|
|
pf,
|
|
pCrlInfo->pBaseCrlContext->pbCrlEncoded,
|
|
pCrlInfo->pBaseCrlContext->cbCrlEncoded,
|
|
CRYPT_STRING_BASE64X509CRLHEADER);
|
|
_JumpIfError(hr, error, "WriteBlob");
|
|
}
|
|
if (NULL != pCrlInfo->pDeltaCrlContext)
|
|
{
|
|
fprintf(pf, "\nDelta CRL %d:\n", i);
|
|
hr = WriteBlob(
|
|
pf,
|
|
pCrlInfo->pDeltaCrlContext->pbCrlEncoded,
|
|
pCrlInfo->pDeltaCrlContext->cbCrlEncoded,
|
|
CRYPT_STRING_BASE64X509CRLHEADER);
|
|
_JumpIfError(hr, error, "WriteBlob");
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
error:
|
|
if (NULL != pf)
|
|
{
|
|
fclose(pf);
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
DumpChain(
|
|
IN HRESULT hrVerify,
|
|
IN DWORD dwFlags,
|
|
IN CERT_CONTEXT const *pCert,
|
|
OPTIONAL IN WCHAR const *pwszMissingIssuer,
|
|
IN CERT_CHAIN_CONTEXT const *pChainContext)
|
|
{
|
|
HRESULT hr;
|
|
DWORD i;
|
|
DWORD j;
|
|
static BOOL s_fEnvChecked = FALSE;
|
|
static BOOL s_fDumpEnabled = FALSE;
|
|
static DWORD s_SaveCount = 0;
|
|
static DWORD s_SaveIndex;
|
|
BOOL fDump;
|
|
BOOL fSave;
|
|
|
|
if (!s_fEnvChecked)
|
|
{
|
|
WCHAR wszBuf[20];
|
|
|
|
if (0 != GetEnvironmentVariable(
|
|
L"CertSrv_Chain",
|
|
wszBuf,
|
|
ARRAYSIZE(wszBuf)))
|
|
{
|
|
s_fDumpEnabled = TRUE;
|
|
s_SaveCount = _wtoi(wszBuf);
|
|
s_SaveIndex = s_SaveCount;
|
|
}
|
|
s_fEnvChecked = TRUE;
|
|
}
|
|
fSave = 0 != s_SaveCount || (CA_VERIFY_FLAGS_SAVE_CHAIN & dwFlags);
|
|
fDump = s_fDumpEnabled ||
|
|
S_OK != hrVerify ||
|
|
(CA_VERIFY_FLAGS_DUMP_CHAIN & dwFlags);
|
|
#if DBG_CERTSRV
|
|
if (DbgIsSSActive(DBG_SS_CERTLIBI))
|
|
{
|
|
fDump = TRUE;
|
|
}
|
|
#endif
|
|
if (!fSave && !fDump)
|
|
{
|
|
return;
|
|
}
|
|
if (0 != s_SaveCount)
|
|
{
|
|
if (++s_SaveIndex >= s_SaveCount)
|
|
{
|
|
s_SaveIndex = 0;
|
|
}
|
|
}
|
|
if (fDump)
|
|
{
|
|
DBGPRINT((MAXDWORD, "-------- Chain Start --------\n"));
|
|
DumpFlags(
|
|
pChainContext->TrustStatus.dwInfoStatus,
|
|
L"ChainContext.dwInfoStatus",
|
|
g_adfInfoStatus);
|
|
DumpFlags(
|
|
pChainContext->TrustStatus.dwErrorStatus,
|
|
L"ChainContext.dwErrorStatus",
|
|
g_adfErrorStatus);
|
|
}
|
|
for (i = 0; i < pChainContext->cChain; i++)
|
|
{
|
|
if (fSave)
|
|
{
|
|
WriteChain(pChainContext->rgpChain[i], s_SaveIndex, i);
|
|
}
|
|
if (fDump)
|
|
{
|
|
DumpFlags(
|
|
pChainContext->rgpChain[i]->TrustStatus.dwInfoStatus,
|
|
L"SimpleChain.dwInfoStatus",
|
|
g_adfInfoStatus);
|
|
DumpFlags(
|
|
pChainContext->rgpChain[i]->TrustStatus.dwErrorStatus,
|
|
L"SimpleChain.dwErrorStatus",
|
|
g_adfErrorStatus);
|
|
}
|
|
for (j = 0; j < pChainContext->rgpChain[i]->cElement; j++)
|
|
{
|
|
CERT_CHAIN_ELEMENT const *pElement;
|
|
|
|
pElement = pChainContext->rgpChain[i]->rgpElement[j];
|
|
|
|
if (fDump ||
|
|
S_OK != hrVerify ||
|
|
0 != pElement->TrustStatus.dwErrorStatus)
|
|
{
|
|
WCHAR *pwsz;
|
|
CERT_REVOCATION_INFO *pRevocationInfo;
|
|
|
|
CONSOLEPRINT4((
|
|
MAXDWORD,
|
|
"CertContext[%u][%u]: dwInfoStatus=%x dwErrorStatus=%x\n",
|
|
i,
|
|
j,
|
|
pElement->TrustStatus.dwInfoStatus,
|
|
pElement->TrustStatus.dwErrorStatus));
|
|
|
|
pwsz = NULL;
|
|
hr = myCertNameToStr(
|
|
X509_ASN_ENCODING,
|
|
&pElement->pCertContext->pCertInfo->Issuer,
|
|
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
|
|
&pwsz);
|
|
_PrintIfError(hr, "myCertNameToStr");
|
|
if (NULL != pwsz)
|
|
{
|
|
CONSOLEPRINT1((MAXDWORD, " Issuer: %ws\n", pwsz));
|
|
LocalFree(pwsz);
|
|
}
|
|
|
|
pwsz = NULL;
|
|
hr = myCertNameToStr(
|
|
X509_ASN_ENCODING,
|
|
&pElement->pCertContext->pCertInfo->Subject,
|
|
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
|
|
&pwsz);
|
|
_PrintIfError(hr, "myCertNameToStr");
|
|
if (NULL != pwsz)
|
|
{
|
|
CONSOLEPRINT1((MAXDWORD, " Subject: %ws\n", pwsz));
|
|
LocalFree(pwsz);
|
|
}
|
|
DumpFlags(
|
|
pElement->TrustStatus.dwInfoStatus,
|
|
L" CertContext.dwInfoStatus",
|
|
g_adfInfoStatus);
|
|
DumpFlags(
|
|
pElement->TrustStatus.dwErrorStatus,
|
|
L" CertContext.dwErrorStatus",
|
|
g_adfErrorStatus);
|
|
|
|
pRevocationInfo = pElement->pRevocationInfo;
|
|
|
|
if (NULL != pRevocationInfo &&
|
|
CCSIZEOF_STRUCT(CERT_REVOCATION_INFO, pCrlInfo) <=
|
|
pRevocationInfo->cbSize &&
|
|
NULL != pRevocationInfo->pCrlInfo)
|
|
{
|
|
CERT_REVOCATION_CRL_INFO *pCrlInfo;
|
|
|
|
pCrlInfo = pRevocationInfo->pCrlInfo;
|
|
if (NULL != pCrlInfo)
|
|
{
|
|
if (NULL != pCrlInfo->pBaseCrlContext)
|
|
{
|
|
CONSOLEPRINT1((MAXDWORD, " CRL %d:\n", i));
|
|
}
|
|
if (NULL != pCrlInfo->pDeltaCrlContext)
|
|
{
|
|
CONSOLEPRINT1((MAXDWORD, " Delta CRL %d:\n", i));
|
|
}
|
|
}
|
|
}
|
|
|
|
if (FIELD_OFFSET(CERT_CHAIN_ELEMENT, pIssuanceUsage) <
|
|
pElement->cbSize)
|
|
{
|
|
DumpUsage(L" Issuance", pElement->pIssuanceUsage);
|
|
}
|
|
if (FIELD_OFFSET(CERT_CHAIN_ELEMENT, pApplicationUsage) <
|
|
pElement->cbSize)
|
|
{
|
|
DumpUsage(L" Application", pElement->pApplicationUsage);
|
|
}
|
|
if (FIELD_OFFSET(CERT_CHAIN_ELEMENT, pwszExtendedErrorInfo) <
|
|
pElement->cbSize &&
|
|
NULL != pElement->pwszExtendedErrorInfo)
|
|
{
|
|
CONSOLEPRINT1((
|
|
MAXDWORD,
|
|
" %ws",
|
|
pElement->pwszExtendedErrorInfo));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (fDump)
|
|
{
|
|
if (S_OK != hrVerify)
|
|
{
|
|
WCHAR *pwszCertSubject;
|
|
WCHAR const *pwszErr = myGetErrorMessageText(hrVerify, TRUE);
|
|
|
|
if (NULL != pwszMissingIssuer)
|
|
{
|
|
CONSOLEPRINT1((
|
|
MAXDWORD,
|
|
"Missing Issuer: %ws\n",
|
|
pwszMissingIssuer));
|
|
}
|
|
hr = myCertNameToStr(
|
|
X509_ASN_ENCODING,
|
|
&pCert->pCertInfo->Subject,
|
|
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
|
|
&pwszCertSubject);
|
|
_PrintIfError(hr, "myCertNameToStr");
|
|
if (S_OK == hr)
|
|
{
|
|
CONSOLEPRINT1((MAXDWORD, "Subject: %ws\n", pwszCertSubject));
|
|
LocalFree(pwszCertSubject);
|
|
}
|
|
if (NULL != pwszErr)
|
|
{
|
|
CONSOLEPRINT1((MAXDWORD, "%ws\n", pwszErr));
|
|
LocalFree(const_cast<WCHAR *>(pwszErr));
|
|
}
|
|
}
|
|
DBGPRINT((MAXDWORD, "-------- Chain End --------\n"));
|
|
}
|
|
}
|
|
|
|
|
|
HRESULT
|
|
SavePolicies(
|
|
OPTIONAL IN CERT_ENHKEY_USAGE const *pUsage,
|
|
OUT WCHAR **ppwszzPolicies)
|
|
{
|
|
HRESULT hr;
|
|
DWORD i;
|
|
DWORD cwc;
|
|
char const *psz;
|
|
WCHAR *pwsz;
|
|
|
|
if (NULL != pUsage &&
|
|
0 != pUsage->cUsageIdentifier &&
|
|
NULL != pUsage->rgpszUsageIdentifier)
|
|
{
|
|
cwc = 1;
|
|
for (i = 0; i < pUsage->cUsageIdentifier; i++)
|
|
{
|
|
cwc += strlen(pUsage->rgpszUsageIdentifier[i]) + 1;
|
|
}
|
|
pwsz = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR));
|
|
if (NULL == pwsz)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
*ppwszzPolicies = pwsz;
|
|
for (i = 0; i < pUsage->cUsageIdentifier; i++)
|
|
{
|
|
psz = pUsage->rgpszUsageIdentifier[i];
|
|
while (*pwsz++ = *psz++)
|
|
;
|
|
}
|
|
*pwsz++ = L'\0';
|
|
CSASSERT(pwsz == &(*ppwszzPolicies)[cwc]);
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myVerifyCertContextEx(
|
|
IN CERT_CONTEXT const *pCert,
|
|
IN DWORD dwFlags,
|
|
IN DWORD cUsageOids,
|
|
OPTIONAL IN CHAR const * const *apszUsageOids,
|
|
OPTIONAL IN HCERTCHAINENGINE hChainEngine,
|
|
OPTIONAL IN FILETIME const *pft,
|
|
OPTIONAL IN HCERTSTORE hAdditionalStore,
|
|
OPTIONAL OUT WCHAR **ppwszMissingIssuer,
|
|
OPTIONAL OUT WCHAR **ppwszzIssuancePolicies,
|
|
OPTIONAL OUT WCHAR **ppwszzApplicationPolicies)
|
|
{
|
|
HRESULT hr;
|
|
CERT_CHAIN_PARA ChainParams;
|
|
CERT_CHAIN_POLICY_PARA ChainPolicy;
|
|
CERT_CHAIN_POLICY_STATUS PolicyStatus;
|
|
CERT_CHAIN_CONTEXT const *pChainContext = NULL;
|
|
LPCSTR pszChainPolicyFlags;
|
|
WCHAR *pwszMissingIssuer = NULL;
|
|
CERT_CHAIN_ELEMENT const *pElement;
|
|
|
|
if (NULL != ppwszMissingIssuer)
|
|
{
|
|
*ppwszMissingIssuer = NULL;
|
|
}
|
|
if (NULL != ppwszzIssuancePolicies)
|
|
{
|
|
*ppwszzIssuancePolicies = NULL;
|
|
}
|
|
if (NULL != ppwszzApplicationPolicies)
|
|
{
|
|
*ppwszzApplicationPolicies = NULL;
|
|
}
|
|
ZeroMemory(&ChainParams, sizeof(ChainParams));
|
|
ChainParams.cbSize = sizeof(ChainParams);
|
|
ChainParams.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
|
|
//ChainParams.RequestedUsage.Usage.cUsageIdentifier = 0;
|
|
//ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = NULL;
|
|
ChainParams.RequestedUsage.Usage.cUsageIdentifier = cUsageOids;
|
|
ChainParams.RequestedUsage.Usage.rgpszUsageIdentifier = (char **) apszUsageOids;
|
|
|
|
DBGPRINT((DBG_SS_CERTLIBI, "Calling CertGetCertificateChain...\n"));
|
|
|
|
// Get the chain and verify the cert:
|
|
|
|
if (!CertGetCertificateChain(
|
|
hChainEngine, // hChainEngine
|
|
pCert, // pCertContext
|
|
const_cast<FILETIME *>(pft), // pTime
|
|
hAdditionalStore, // hAdditionalStore
|
|
&ChainParams, // pChainPara
|
|
(dwFlags & CA_VERIFY_FLAGS_NO_REVOCATION)?
|
|
0 : CERT_CHAIN_REVOCATION_CHECK_CHAIN,
|
|
NULL, // pvReserved
|
|
&pChainContext)) // ppChainContext
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CertGetCertificateChain");
|
|
}
|
|
DBGPRINT((DBG_SS_CERTLIBI, "CertGetCertificateChain done\n"));
|
|
|
|
ZeroMemory(&ChainPolicy, sizeof(ChainPolicy));
|
|
ChainPolicy.cbSize = sizeof(ChainPolicy);
|
|
ChainPolicy.dwFlags = CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG;
|
|
//ChainPolicy.pvExtraPolicyPara = NULL;
|
|
|
|
ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
|
|
PolicyStatus.cbSize = sizeof(PolicyStatus);
|
|
//PolicyStatus.dwError = 0;
|
|
PolicyStatus.lChainIndex = -1;
|
|
PolicyStatus.lElementIndex = -1;
|
|
//PolicyStatus.pvExtraPolicyStatus = NULL;
|
|
|
|
// use NTAuth policy if (usage oids being added) & (caller asks us to check(EntCA))
|
|
pszChainPolicyFlags =
|
|
(NULL != apszUsageOids && (CA_VERIFY_FLAGS_NT_AUTH & dwFlags))?
|
|
CERT_CHAIN_POLICY_NT_AUTH : CERT_CHAIN_POLICY_BASE;
|
|
if (!CertVerifyCertificateChainPolicy(
|
|
pszChainPolicyFlags,
|
|
pChainContext,
|
|
&ChainPolicy,
|
|
&PolicyStatus))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CertVerifyCertificateChainPolicy");
|
|
}
|
|
|
|
hr = myHError(PolicyStatus.dwError);
|
|
if ((CA_VERIFY_FLAGS_IGNORE_OFFLINE | CA_VERIFY_FLAGS_NO_REVOCATION) & dwFlags)
|
|
{
|
|
if (CRYPT_E_NO_REVOCATION_CHECK == hr ||
|
|
CRYPT_E_REVOCATION_OFFLINE == hr)
|
|
{
|
|
hr = S_OK;
|
|
}
|
|
}
|
|
if (CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT & dwFlags)
|
|
{
|
|
if (CERT_E_UNTRUSTEDROOT == hr)
|
|
{
|
|
hr = S_OK;
|
|
}
|
|
}
|
|
if (S_OK != hr &&
|
|
0 < pChainContext->cChain &&
|
|
0 < pChainContext->rgpChain[0]->cElement)
|
|
{
|
|
pElement = pChainContext->rgpChain[0]->rgpElement[
|
|
pChainContext->rgpChain[0]->cElement - 1];
|
|
|
|
if (0 == (CERT_TRUST_IS_SELF_SIGNED & pElement->TrustStatus.dwInfoStatus))
|
|
{
|
|
HRESULT hr2;
|
|
|
|
hr2 = myCertNameToStr(
|
|
X509_ASN_ENCODING,
|
|
&pElement->pCertContext->pCertInfo->Issuer,
|
|
CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
|
|
&pwszMissingIssuer);
|
|
_PrintIfError(hr2, "myCertNameToStr");
|
|
}
|
|
}
|
|
DumpChain(hr, dwFlags, pCert, pwszMissingIssuer, pChainContext);
|
|
|
|
if (NULL != ppwszMissingIssuer)
|
|
{
|
|
*ppwszMissingIssuer = pwszMissingIssuer;
|
|
pwszMissingIssuer = NULL;
|
|
}
|
|
_JumpIfError(hr, error, "PolicyStatus.dwError");
|
|
|
|
pElement = pChainContext->rgpChain[0]->rgpElement[0];
|
|
|
|
if (NULL != ppwszzIssuancePolicies &&
|
|
FIELD_OFFSET(CERT_CHAIN_ELEMENT, pIssuanceUsage) < pElement->cbSize)
|
|
{
|
|
hr = SavePolicies(
|
|
pElement->pIssuanceUsage,
|
|
ppwszzIssuancePolicies);
|
|
_JumpIfError(hr, error, "SavePolicies");
|
|
}
|
|
if (NULL != ppwszzApplicationPolicies &&
|
|
FIELD_OFFSET(CERT_CHAIN_ELEMENT, pApplicationUsage) < pElement->cbSize)
|
|
{
|
|
hr = SavePolicies(
|
|
pElement->pApplicationUsage,
|
|
ppwszzApplicationPolicies);
|
|
_JumpIfError(hr, error, "SavePolicies");
|
|
}
|
|
|
|
error:
|
|
if (S_OK != hr)
|
|
{
|
|
if (NULL != ppwszzIssuancePolicies && NULL != *ppwszzIssuancePolicies)
|
|
{
|
|
LocalFree(*ppwszzIssuancePolicies);
|
|
*ppwszzIssuancePolicies = NULL;
|
|
}
|
|
}
|
|
if (NULL != pwszMissingIssuer)
|
|
{
|
|
LocalFree(pwszMissingIssuer);
|
|
}
|
|
if (NULL != pChainContext)
|
|
{
|
|
CertFreeCertificateChain(pChainContext);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myVerifyCertContext(
|
|
IN CERT_CONTEXT const *pCert,
|
|
IN DWORD dwFlags,
|
|
IN DWORD cUsageOids,
|
|
OPTIONAL IN CHAR const * const *apszUsageOids,
|
|
OPTIONAL IN HCERTCHAINENGINE hChainEngine,
|
|
OPTIONAL IN HCERTSTORE hAdditionalStore,
|
|
OPTIONAL OUT WCHAR **ppwszMissingIssuer)
|
|
{
|
|
HRESULT hr;
|
|
|
|
hr = myVerifyCertContextEx(
|
|
pCert,
|
|
dwFlags,
|
|
cUsageOids,
|
|
apszUsageOids,
|
|
hChainEngine,
|
|
NULL, // pft
|
|
hAdditionalStore,
|
|
ppwszMissingIssuer,
|
|
NULL, // ppwszzIssuancePolicies
|
|
NULL); // ppwszzApplicationPolicies
|
|
_JumpIfError2(hr, error, "myVerifyCertContextEx", hr);
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myIsFirstSigner(
|
|
IN CERT_NAME_BLOB const *pNameBlob,
|
|
OUT BOOL *pfFirst)
|
|
{
|
|
HRESULT hr;
|
|
CERT_NAME_INFO *pNameInfo = NULL;
|
|
DWORD cbNameInfo;
|
|
DWORD i;
|
|
|
|
*pfFirst = FALSE;
|
|
|
|
if (!myDecodeName(
|
|
X509_ASN_ENCODING,
|
|
X509_UNICODE_NAME,
|
|
pNameBlob->pbData,
|
|
pNameBlob->cbData,
|
|
CERTLIB_USE_LOCALALLOC,
|
|
&pNameInfo,
|
|
&cbNameInfo))
|
|
{
|
|
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "myDecodeName");
|
|
}
|
|
for (i = 0; i < pNameInfo->cRDN; i++)
|
|
{
|
|
CERT_RDN const *prdn;
|
|
DWORD j;
|
|
|
|
prdn = &pNameInfo->rgRDN[i];
|
|
|
|
for (j = 0; j < prdn->cRDNAttr; j++)
|
|
{
|
|
if (0 == strcmp(
|
|
prdn->rgRDNAttr[j].pszObjId,
|
|
szOID_RDN_DUMMY_SIGNER))
|
|
{
|
|
*pfFirst = TRUE;
|
|
i = pNameInfo->cRDN; // terminate outer loop
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pNameInfo)
|
|
{
|
|
LocalFree(pNameInfo);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HCERTSTORE
|
|
myPFXImportCertStore(
|
|
IN CRYPT_DATA_BLOB *ppfx,
|
|
OPTIONAL IN WCHAR const *pwszPassword,
|
|
IN DWORD dwFlags)
|
|
{
|
|
HCERTSTORE hStore;
|
|
HRESULT hr;
|
|
|
|
if (NULL == pwszPassword)
|
|
{
|
|
pwszPassword = L""; // Try empty password first, then NULL
|
|
}
|
|
|
|
while (TRUE)
|
|
{
|
|
hStore = PFXImportCertStore(ppfx, pwszPassword, dwFlags);
|
|
if (NULL == hStore)
|
|
{
|
|
hr = myHLastError();
|
|
if (HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD) != hr ||
|
|
NULL == pwszPassword ||
|
|
L'\0' != *pwszPassword)
|
|
{
|
|
_JumpError2(
|
|
hr,
|
|
error,
|
|
"PFXImportCertStore",
|
|
HRESULT_FROM_WIN32(ERROR_INVALID_PASSWORD));
|
|
}
|
|
pwszPassword = NULL; // empty password failed; try NULL
|
|
continue;
|
|
}
|
|
break;
|
|
}
|
|
|
|
|
|
error:
|
|
return(hStore);
|
|
}
|
|
|
|
|
|
// No longer support versions before IE3.02 - Auth2 update, advisory only
|
|
|
|
HRESULT
|
|
CertCheck7f(
|
|
IN CERT_CONTEXT const *pcc)
|
|
{
|
|
HRESULT hr;
|
|
DWORD State;
|
|
DWORD Index1;
|
|
DWORD Index2;
|
|
DWORD cwcField;
|
|
WCHAR wszField[128];
|
|
DWORD cwcObjectId;
|
|
WCHAR wszObjectId[128];
|
|
WCHAR const *pwszObjectIdDescription = NULL;
|
|
|
|
cwcField = sizeof(wszField)/sizeof(wszField[0]);
|
|
cwcObjectId = sizeof(wszObjectId)/sizeof(wszObjectId[0]);
|
|
hr = myCheck7f(
|
|
pcc->pbCertEncoded,
|
|
pcc->cbCertEncoded,
|
|
FALSE,
|
|
&State,
|
|
&Index1,
|
|
&Index2,
|
|
&cwcField,
|
|
wszField,
|
|
&cwcObjectId,
|
|
wszObjectId,
|
|
&pwszObjectIdDescription); // Static: do not free!
|
|
_JumpIfError(hr, error, "myCheck7f");
|
|
|
|
if (CHECK7F_NONE != State)
|
|
{
|
|
hr = CERTSRV_E_ENCODING_LENGTH;
|
|
|
|
#if DBG_CERTSRV
|
|
WCHAR wszBuf[2048];
|
|
|
|
wcscpy(wszBuf, wszField);
|
|
if (0 != Index1)
|
|
{
|
|
wsprintf(
|
|
&wszBuf[wcslen(wszBuf)],
|
|
0 != Index2? L"[%u,%u]" : L"[%u]",
|
|
Index1 - 1,
|
|
Index2 - 1);
|
|
}
|
|
|
|
if (0 != cwcObjectId)
|
|
{
|
|
wcscat(wszBuf, L" ObjectId=");
|
|
wcscat(wszBuf, wszObjectId);
|
|
}
|
|
if (NULL != pwszObjectIdDescription)
|
|
{
|
|
wcscat(wszBuf, L" (");
|
|
wcscat(wszBuf, pwszObjectIdDescription);
|
|
wcscat(wszBuf, L")");
|
|
}
|
|
DBGPRINT((DBG_SS_CERTLIB, "CertCheck7f: %ws, hr=%x\n", wszBuf, hr));
|
|
#endif // DBG_CERTSRV
|
|
}
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myAddCertToStore(
|
|
IN HCERTSTORE hStore,
|
|
IN CERT_CONTEXT const *pCertContext,
|
|
OPTIONAL IN CRYPT_KEY_PROV_INFO const *pkpi,
|
|
OPTIONAL OUT CERT_CONTEXT const **ppCert)
|
|
{
|
|
HRESULT hr;
|
|
CERT_CONTEXT const *pcc = NULL;
|
|
|
|
if (NULL != ppCert)
|
|
{
|
|
*ppCert = NULL;
|
|
}
|
|
|
|
// for root cert, if it shows related private key, it will
|
|
// pfx import failure for other applications
|
|
|
|
// Add as encoded blob to avoid all properties, key prov info, etc.
|
|
|
|
if (!CertAddEncodedCertificateToStore(
|
|
hStore,
|
|
X509_ASN_ENCODING,
|
|
pCertContext->pbCertEncoded,
|
|
pCertContext->cbCertEncoded,
|
|
NULL != pkpi?
|
|
CERT_STORE_ADD_REPLACE_EXISTING :
|
|
CERT_STORE_ADD_USE_EXISTING,
|
|
&pcc)) // ppCertContext
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CertAddEncodedCertificateToStore");
|
|
}
|
|
if (NULL != pkpi)
|
|
{
|
|
if (!CertSetCertificateContextProperty(
|
|
pcc,
|
|
CERT_KEY_PROV_INFO_PROP_ID,
|
|
0,
|
|
pkpi))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CertSetCertificateContextProperty");
|
|
}
|
|
}
|
|
if (NULL != ppCert)
|
|
{
|
|
*ppCert = pcc;
|
|
pcc = NULL;
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pcc)
|
|
{
|
|
CertFreeCertificateContext(pcc);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
mySaveChainAndKeys(
|
|
IN CERT_SIMPLE_CHAIN const *pSimpleChain,
|
|
IN WCHAR const *pwszStore,
|
|
IN DWORD dwStoreFlags,
|
|
IN CRYPT_KEY_PROV_INFO const *pkpi,
|
|
OPTIONAL IN CERT_CONTEXT const **ppCert)
|
|
{
|
|
HRESULT hr;
|
|
HCERTSTORE hRootStore = NULL;
|
|
HCERTSTORE hCAStore = NULL;
|
|
HCERTSTORE hMyStore = NULL;
|
|
DWORD i;
|
|
|
|
if (NULL != ppCert)
|
|
{
|
|
*ppCert = NULL;
|
|
}
|
|
hRootStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_REGISTRY_W,
|
|
X509_ASN_ENCODING,
|
|
NULL, // hProv
|
|
dwStoreFlags,
|
|
wszROOT_CERTSTORE);
|
|
if (NULL == hRootStore)
|
|
{
|
|
hr = myHLastError();
|
|
_JumpErrorStr(hr, error, "CertOpenStore", wszROOT_CERTSTORE);
|
|
}
|
|
|
|
hCAStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_REGISTRY_W,
|
|
X509_ASN_ENCODING,
|
|
NULL, // hProv
|
|
dwStoreFlags,
|
|
wszCA_CERTSTORE);
|
|
if (NULL == hCAStore)
|
|
{
|
|
hr = myHLastError();
|
|
_JumpErrorStr(hr, error, "CertOpenStore", wszCA_CERTSTORE);
|
|
}
|
|
|
|
hMyStore = CertOpenStore(
|
|
CERT_STORE_PROV_SYSTEM_REGISTRY_W,
|
|
X509_ASN_ENCODING,
|
|
NULL, // hProv
|
|
dwStoreFlags,
|
|
pwszStore);
|
|
if (NULL == hMyStore)
|
|
{
|
|
hr = myHLastError();
|
|
_JumpErrorStr(hr, error, "CertOpenStore", pwszStore);
|
|
}
|
|
|
|
for (i = 0; i < pSimpleChain->cElement; i++)
|
|
{
|
|
CERT_CONTEXT const *pcc = pSimpleChain->rgpElement[i]->pCertContext;
|
|
HCERTSTORE hStore;
|
|
|
|
// CertCheck7f(pcc);
|
|
|
|
// if leaf CA cert, add to MY store
|
|
|
|
if (0 == i)
|
|
{
|
|
PCCERT_CONTEXT pFoundCC = CertFindCertificateInStore(
|
|
hMyStore,
|
|
X509_ASN_ENCODING,
|
|
0,
|
|
CERT_FIND_EXISTING,
|
|
pcc,
|
|
NULL);
|
|
|
|
if(!pFoundCC)
|
|
{
|
|
hr = myAddCertToStore(hMyStore, pcc, pkpi, ppCert);
|
|
_JumpIfError(hr, error, "myAddCertToStore");
|
|
}
|
|
else
|
|
{
|
|
if(ppCert)
|
|
{
|
|
*ppCert = pFoundCC;
|
|
}
|
|
else
|
|
{
|
|
CertFreeCertificateContext(pFoundCC);
|
|
}
|
|
}
|
|
}
|
|
|
|
// if root cert, add to ROOT store (without key); else add to CA store
|
|
|
|
hStore = hCAStore;
|
|
|
|
if (CERT_TRUST_IS_SELF_SIGNED &
|
|
pSimpleChain->rgpElement[i]->TrustStatus.dwInfoStatus)
|
|
{
|
|
hStore = hRootStore;
|
|
}
|
|
|
|
hr = myAddCertToStore(hStore, pcc, NULL, NULL);
|
|
_JumpIfError(hr, error, "myAddCertToStore");
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != hRootStore)
|
|
{
|
|
CertCloseStore(hRootStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
|
}
|
|
if (NULL != hCAStore)
|
|
{
|
|
CertCloseStore(hCAStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
|
}
|
|
if (NULL != hMyStore)
|
|
{
|
|
CertCloseStore(hMyStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myGetNameId(
|
|
IN CERT_CONTEXT const *pCACert,
|
|
OUT DWORD *pdwNameId)
|
|
{
|
|
HRESULT hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
|
|
CERT_EXTENSION const *pExt;
|
|
DWORD NameId;
|
|
DWORD cb;
|
|
|
|
*pdwNameId = MAXDWORD;
|
|
pExt = CertFindExtension(
|
|
szOID_CERTSRV_CA_VERSION,
|
|
pCACert->pCertInfo->cExtension,
|
|
pCACert->pCertInfo->rgExtension);
|
|
if (NULL == pExt)
|
|
{
|
|
// This API doesn't set LastError
|
|
_JumpError(hr, error, "CertFindExtension(CA Version)");
|
|
}
|
|
cb = sizeof(NameId);
|
|
NameId = 0;
|
|
if (!CryptDecodeObject(
|
|
X509_ASN_ENCODING,
|
|
X509_INTEGER,
|
|
pExt->Value.pbData,
|
|
pExt->Value.cbData,
|
|
0,
|
|
&NameId,
|
|
&cb))
|
|
{
|
|
hr = myHLastError();
|
|
_JumpError(hr, error, "CryptDecodeObject");
|
|
}
|
|
*pdwNameId = NameId;
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCertGetNameString(
|
|
IN CERT_CONTEXT const *pcc,
|
|
IN DWORD dwType,
|
|
OUT WCHAR **ppwszSimpleName)
|
|
{
|
|
HRESULT hr;
|
|
WCHAR *pwsz = NULL;
|
|
DWORD cwc;
|
|
|
|
*ppwszSimpleName = NULL;
|
|
cwc = 0;
|
|
while (TRUE)
|
|
{
|
|
cwc = CertGetNameString(
|
|
pcc,
|
|
CERT_NAME_SIMPLE_DISPLAY_TYPE,
|
|
0, // dwFlags
|
|
NULL, // pvTypePara
|
|
pwsz,
|
|
cwc);
|
|
if (1 >= cwc)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(ERROR_OBJECT_NOT_FOUND);
|
|
_JumpError(hr, error, "CertGetNameString");
|
|
}
|
|
if (NULL != pwsz)
|
|
{
|
|
break;
|
|
}
|
|
pwsz = (WCHAR *) LocalAlloc(LMEM_FIXED, cwc * sizeof(WCHAR));
|
|
if (NULL == pwsz)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
}
|
|
*ppwszSimpleName = pwsz;
|
|
pwsz = NULL;
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pwsz)
|
|
{
|
|
LocalFree(pwsz);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCertStrToName(
|
|
IN DWORD dwCertEncodingType,
|
|
IN LPCWSTR pszX500,
|
|
IN DWORD dwStrType,
|
|
IN OPTIONAL void *pvReserved,
|
|
OUT BYTE **ppbEncoded,
|
|
OUT DWORD *pcbEncoded,
|
|
OUT OPTIONAL LPCWSTR *ppszError)
|
|
{
|
|
HRESULT hr;
|
|
|
|
*ppbEncoded = NULL;
|
|
*pcbEncoded = 0;
|
|
|
|
while (TRUE)
|
|
{
|
|
if (!CertStrToName(
|
|
dwCertEncodingType,
|
|
pszX500,
|
|
dwStrType,
|
|
pvReserved,
|
|
*ppbEncoded,
|
|
pcbEncoded,
|
|
ppszError))
|
|
{
|
|
hr = myHLastError();
|
|
if (NULL != *ppbEncoded)
|
|
{
|
|
LocalFree(*ppbEncoded);
|
|
*ppbEncoded = NULL;
|
|
}
|
|
_JumpError(hr, error, "CertStrToName");
|
|
}
|
|
if (NULL != *ppbEncoded)
|
|
{
|
|
break;
|
|
}
|
|
*ppbEncoded = (BYTE *) LocalAlloc(LMEM_FIXED, *pcbEncoded);
|
|
if (NULL == *ppbEncoded)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
}
|
|
hr = S_OK;
|
|
|
|
error:
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myCertNameToStr(
|
|
IN DWORD dwCertEncodingType,
|
|
IN CERT_NAME_BLOB const *pName,
|
|
IN DWORD dwStrType,
|
|
OUT WCHAR **ppwszName)
|
|
{
|
|
HRESULT hr;
|
|
DWORD cwc = 0;
|
|
WCHAR *pwszName = NULL;
|
|
|
|
while (TRUE)
|
|
{
|
|
cwc = CertNameToStr(
|
|
dwCertEncodingType,
|
|
const_cast<CERT_NAME_BLOB *>(pName),
|
|
dwStrType,
|
|
pwszName,
|
|
cwc);
|
|
if (1 > cwc)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
|
|
_JumpError(hr, error, "CertNameToStr");
|
|
}
|
|
if (NULL != pwszName)
|
|
{
|
|
break;
|
|
}
|
|
pwszName = (WCHAR *) LocalAlloc(
|
|
LMEM_FIXED,
|
|
(cwc + 1) * sizeof(WCHAR));
|
|
if (NULL == pwszName)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
_JumpError(hr, error, "LocalAlloc");
|
|
}
|
|
}
|
|
*ppwszName = pwszName;
|
|
pwszName = NULL;
|
|
hr = S_OK;
|
|
|
|
error:
|
|
if (NULL != pwszName)
|
|
{
|
|
LocalFree(pwszName);
|
|
}
|
|
return(hr);
|
|
}
|
|
|
|
|
|
HRESULT
|
|
myVerifyKRACertContext(
|
|
IN CERT_CONTEXT const *pCert,
|
|
IN DWORD dwFlags)
|
|
{
|
|
HRESULT hr;
|
|
WCHAR *pwszzAppPolicies = NULL;
|
|
WCHAR *pwszCrt;
|
|
|
|
hr = myVerifyCertContextEx(
|
|
pCert,
|
|
dwFlags,
|
|
0, // cUsageOids
|
|
NULL, // apszUsageOids
|
|
HCCE_LOCAL_MACHINE, // hChainEngine
|
|
NULL, // pft
|
|
NULL, // hAdditionalStore
|
|
NULL, // ppwszMissingIssuer
|
|
NULL, // ppwszzIssuancePolicies
|
|
&pwszzAppPolicies);
|
|
_JumpIfError(hr, error, "myVerifyCertContextEx");
|
|
|
|
hr = CERT_E_WRONG_USAGE;
|
|
|
|
for(pwszCrt = pwszzAppPolicies;
|
|
pwszCrt && L'\0' != *pwszCrt;
|
|
pwszCrt = pwszCrt + wcslen(pwszzAppPolicies) + 1)
|
|
{
|
|
if(0==wcscmp(TEXT(szOID_KP_KEY_RECOVERY_AGENT), pwszCrt))
|
|
{
|
|
hr = S_OK;
|
|
break;
|
|
}
|
|
}
|
|
_JumpIfError(hr, error, "myVerifyKRACertContext");
|
|
|
|
error:
|
|
if(pwszzAppPolicies)
|
|
{
|
|
LocalFree(pwszzAppPolicies);
|
|
}
|
|
return(hr);
|
|
}
|