windows-nt/Source/XPSP1/NT/termsrv/remdsk/rds/cert/nmmkcert.cpp

1269 lines
36 KiB
C++
Raw Permalink Normal View History

2020-09-26 03:20:57 -05:00
//+-------------------------------------------------------------------------
//
// RdMkCert - Remote Desktop internal certificate generator
//
// Generates NetMeeting default user certificates. The NetMeeting
// root key and certificate are stored as a program resource.
//
// ClausGi 7/29/98 created based on MAKECERT
//
//--------------------------------------------------------------------------
#include "global.h"
#include <memtrack.h>
#ifdef DEBUG
HDBGZONE ghDbgZone = NULL;
static PTCHAR _rgZonesNmMkCert[] = { TEXT("rdmkcert"), };
#endif /* DEBUG */
//+-------------------------------------------------------------------------
// contants
//--------------------------------------------------------------------------
//allow max 10 extensions per certificate
#define MAX_EXT_CNT 10
//+-------------------------------------------------------------------------
// globals
//--------------------------------------------------------------------------
WCHAR* g_wszSubjectKey = L"_RdMkCert";
WCHAR* g_wszSubjectStore = WSZNMSTORE;
DWORD g_dwSubjectStoreFlag = CERT_SYSTEM_STORE_CURRENT_USER;
DWORD g_dwIssuerKeySpec = AT_SIGNATURE;
DWORD g_dwSubjectKeySpec = AT_KEYEXCHANGE;
WCHAR *g_wszSubjectDisplayName = NULL; // BUGBUG set this?
LPWSTR g_wszIssuerProviderName = NULL;
LPWSTR g_wszSubjectProviderName = NULL;
WCHAR* g_wszSubjectX500Name;
DWORD g_dwProvType = PROV_RSA_FULL;
HMODULE hModule=NULL;
BOOL MakeCert(DWORD dwFlags);
BOOL WINAPI DllMain(HINSTANCE hDllInst, DWORD fdwReason, LPVOID)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
{
hModule = hDllInst;
ASSERT (hModule != NULL);
DBGINIT(&ghDbgZone, _rgZonesNmMkCert);
DisableThreadLibraryCalls (hDllInst);
DBG_INIT_MEMORY_TRACKING(hDllInst);
break;
}
case DLL_PROCESS_DETACH:
{
DBG_CHECK_MEMORY_TRACKING(hDllInst);
hModule = NULL;
break;
}
default:
break;
}
return (TRUE);
}
//
// X.509 cert strings must be from X.208 printable character set... this
// function enforces that.
//
static const char szPrintable[] = " '()+,-./:=?\""; // along with A-Za-z0-9
VOID MkPrintableString ( LPSTR szString )
{
CHAR * p = szString;
while ( *p )
{
if (!(('a' <= *p && *p <='z') ||
('A' <= *p && *p <='Z') ||
('0' <= *p && *p <='9') ||
_StrChr(szPrintable,*p)))
{
*p = '-';
}
p++;
}
}
DWORD WINAPI NmMakeCert( LPCSTR szFirstName,
LPCSTR szLastName,
LPCSTR szEmailName,
LPCSTR szCity,
LPCSTR szCountry,
DWORD flags)
{
DWORD dwRet = -1;
WARNING_OUT(("NmMakeCert called"));
// Form the unencoded X500 subject string. It would be nice to
// use official constants for the below... CertRDNValueToString?
UINT cbX500Name = ( szFirstName ? lstrlen(szFirstName) : 0 ) +
( szLastName ? lstrlen(szLastName) : 0 ) +
( szEmailName ? lstrlen(szEmailName) : 0 ) +
( szCity ? lstrlen(szCity) : 0 ) +
( szCountry ? lstrlen(szCountry) : 0 ) +
128; // Extra is for RDN OID strings: CN= etc.
char * pX500Name = new char[cbX500Name];
if ( NULL == pX500Name )
{
ERROR_OUT(("couldn't allocate %d bytes for x500 name", cbX500Name));
goto cleanup;
}
ASSERT( ( szFirstName && *szFirstName ) || ( szLastName && *szLastName ) );
wsprintf( pX500Name, "CN=\"%s %s\"", szFirstName ? szFirstName : "", szLastName ? szLastName : "" );
if ( szEmailName && *szEmailName )
wsprintf( pX500Name + lstrlen(pX500Name), ", E=\"%s\"", szEmailName );
if ( szCity && *szCity )
wsprintf( pX500Name + lstrlen(pX500Name), ", S=\"%s\"", szCity );
if ( szCountry && *szCountry )
wsprintf( pX500Name + lstrlen(pX500Name), ", C=\"%s\"", szCountry );
MkPrintableString ( pX500Name );
g_wszSubjectX500Name = AnsiToUnicode ( pX500Name );
ASSERT(g_wszSubjectX500Name);
if ( flags & NMMKCERT_F_LOCAL_MACHINE )
{
// We are being asked to generate a local machine cert...
// change the subject store flag and the key container name
g_dwSubjectStoreFlag = CERT_SYSTEM_STORE_LOCAL_MACHINE;
g_wszSubjectKey = L"_RdMkMchCert";
}
// If we're on NT5 we have to generate the cert using the
// PROV_RSA_SCHANNEL provider, on other platforms this provider type
// doesn't exist.
OSVERSIONINFO osVersion;
ZeroMemory(&osVersion, sizeof(osVersion));
osVersion.dwOSVersionInfoSize = sizeof(osVersion);
GetVersionEx(&osVersion);
if (osVersion.dwPlatformId == VER_PLATFORM_WIN32_NT &&
osVersion.dwMajorVersion >= 5)
{
g_dwProvType = PROV_RSA_SCHANNEL;
}
// Get to work and make the certificate
if (!MakeCert(flags))
{
WARNING_OUT(("NmMakeCert failed."));
}
else
{
dwRet = 1;
}
cleanup:
if ( NULL != g_wszSubjectX500Name )
{
delete g_wszSubjectX500Name;
}
if ( NULL != pX500Name )
{
delete pX500Name;
}
return dwRet;
}
// RUNDLL entry point for certificate uninstall... the prototype is given
// by RUNDLL32.EXE requirements!
void CALLBACK NmMakeCertCleanup ( HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow )
{
// Clean up exisint certs and private keys
MakeCert(NMMKCERT_F_CLEANUP_ONLY);
g_dwSubjectStoreFlag = CERT_SYSTEM_STORE_LOCAL_MACHINE;
g_wszSubjectKey = L"_RdMkMchCert";
MakeCert(NMMKCERT_F_LOCAL_MACHINE|NMMKCERT_F_CLEANUP_ONLY);
}
//+=========================================================================
// Local Support Functions
//==========================================================================
//+=========================================================================
// MakeCert support functions
//==========================================================================
BOOL VerifyIssuerKey( IN HCRYPTPROV hProv,
IN PCERT_PUBLIC_KEY_INFO pIssuerKeyInfo);
HCRYPTPROV GetSubjectProv(OUT LPWSTR *ppwszTmpContainer);
BOOL GetPublicKey(
HCRYPTPROV hProv,
PCERT_PUBLIC_KEY_INFO *ppPubKeyInfo
);
BOOL EncodeSubject(
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded
);
BOOL CreateSpcCommonName(
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded
);
BOOL CreateEnhancedKeyUsage(
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded
);
BOOL SaveCertToStore(HCRYPTPROV hProv,
HCERTSTORE hStore,
DWORD dwFlag,
BYTE *pbEncodedCert,
DWORD cbEncodedCert,
LPWSTR wszPvk,
DWORD dwKeySpecification,
LPWSTR wszCapiProv,
DWORD dwCapiProvType);
//+-------------------------------------------------------------------------
// Get the root's certificate from the program's resources
//--------------------------------------------------------------------------
PCCERT_CONTEXT GetRootCertContext()
{
PCCERT_CONTEXT pCert = NULL;
HRSRC hRes;
//
// The root certificate is stored as a resource of ours.
// Load it...
//
if (0 != (hRes = FindResource(hModule, MAKEINTRESOURCE(IDR_ROOTCERTIFICATE),
"CER"))) {
HGLOBAL hglobRes;
if (NULL != (hglobRes = LoadResource(hModule, hRes))) {
BYTE *pbRes;
DWORD cbRes;
cbRes = SizeofResource(hModule, hRes);
pbRes = (BYTE *) LockResource(hglobRes);
if (cbRes && pbRes)
pCert = CertCreateCertificateContext(X509_ASN_ENCODING,
pbRes, cbRes);
if ( NULL == pCert )
{
DWORD dwError = GetLastError();
}
UnlockResource(hglobRes);
FreeResource(hglobRes);
}
}
if (pCert == NULL)
{
ERROR_OUT(("Error creating root cert: %x", GetLastError()));
}
return pCert;
}
//+-------------------------------------------------------------------------
// Get the root's private key from the program's resources and create
// a temporary key provider container
//--------------------------------------------------------------------------
HCRYPTPROV GetRootProv(OUT LPWSTR *ppwszTmpContainer)
{
HCRYPTPROV hProv = 0;
HRSRC hRes;
WCHAR wszRootSig[] = L"Root Signature";
*ppwszTmpContainer = NULL;
if (0 != (hRes = FindResource(hModule,MAKEINTRESOURCE(IDR_PVKROOT),"PVK")))
{
HGLOBAL hglobRes;
if (NULL != (hglobRes = LoadResource(hModule, hRes))) {
BYTE *pbRes;
DWORD cbRes;
cbRes = SizeofResource(hModule, hRes);
pbRes = (BYTE *) LockResource(hglobRes);
if (cbRes && pbRes) {
PvkPrivateKeyAcquireContextFromMemory(
g_wszIssuerProviderName,
PROV_RSA_FULL,
pbRes,
cbRes,
NULL, // hwndOwner
wszRootSig,
&g_dwIssuerKeySpec,
&hProv
);
}
UnlockResource(hglobRes);
FreeResource(hglobRes);
}
}
if (hProv == 0)
{
ERROR_OUT(("couldn't create root key provider: %x", GetLastError()));
}
return hProv;
}
//+-------------------------------------------------------------------------
// Make the subject certificate. If the subject doesn't have a private
// key, then, create.
//--------------------------------------------------------------------------
BOOL MakeCert(DWORD dwFlags)
{
BOOL fResult;
HCRYPTPROV hIssuerProv = 0;
LPWSTR pwszTmpIssuerContainer = NULL;
PCCERT_CONTEXT pIssuerCertContext = NULL;
PCERT_INFO pIssuerCert =NULL; // not allocated
HCRYPTPROV hSubjectProv = 0;
LPWSTR pwszTmpSubjectContainer = NULL;
PCERT_PUBLIC_KEY_INFO pSubjectPubKeyInfo = NULL; // not allocated
PCERT_PUBLIC_KEY_INFO pAllocSubjectPubKeyInfo = NULL;
BYTE *pbSubjectEncoded = NULL;
DWORD cbSubjectEncoded =0;
BYTE *pbSpcCommonNameEncoded = NULL;
DWORD cbSpcCommonNameEncoded =0;
BYTE *pbCertEncoded = NULL;
DWORD cbCertEncoded =0;
BYTE *pbEKUEncoded = NULL;
DWORD cbEKUEncoded = 0;
CERT_INFO Cert;
GUID SerialNumber;
HCERTSTORE hStore=NULL;
CERT_EXTENSION rgExt[MAX_EXT_CNT];
DWORD cExt = 0;
CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm = {
szOID_RSA_MD5RSA, 0, 0
};
if (0 == (hSubjectProv = GetSubjectProv(&pwszTmpSubjectContainer)))
goto ErrorReturn;
#define TEMP_CLEAN_CODE
#ifdef TEMP_CLEAN_CODE
// open the system store where we used to generate certs
hStore=CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
hSubjectProv,
CERT_STORE_NO_CRYPT_RELEASE_FLAG | g_dwSubjectStoreFlag,
L"MY" );
if ( hStore )
{
//
// Delete all old certs
//
PCCERT_CONTEXT pCertContext = NULL;
// Clear out any certificate(s) we may have added before
while ( pCertContext = CertEnumCertificatesInStore(
hStore, (PCERT_CONTEXT)pCertContext ))
{
DWORD dwMagic;
DWORD cbMagic;
cbMagic = sizeof(dwMagic);
if (CertGetCertificateContextProperty(pCertContext,
CERT_FIRST_USER_PROP_ID, &dwMagic, &cbMagic) &&
cbMagic == sizeof(dwMagic) && dwMagic == NMMKCERT_MAGIC )
{
CertDeleteCertificateFromStore(pCertContext);
// Restart the enumeration
pCertContext = NULL;
continue;
}
}
CertCloseStore(hStore,0);
}
#endif // TEMP_CLEAN_CODE
// open a new cert store
hStore=CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
hSubjectProv,
CERT_STORE_NO_CRYPT_RELEASE_FLAG | g_dwSubjectStoreFlag,
g_wszSubjectStore);
if(hStore==NULL)
goto ErrorReturn;
// Empty the store
PCCERT_CONTEXT pCertContext;
while ( pCertContext = CertEnumCertificatesInStore ( hStore, NULL ))
{
if ( !CertDeleteCertificateFromStore ( pCertContext ))
{
WARNING_OUT(("Failed to delete certificate: %x", GetLastError()));
break;
}
}
// If NMMKCERT_F_CLEANUP_ONLY is set, we are done
if ( dwFlags & NMMKCERT_F_CLEANUP_ONLY )
{
// We've just deleted the existing certs, now delete the
// private key container and exit.
CryptAcquireContextU(
&hSubjectProv,
g_wszSubjectKey,
g_wszSubjectProviderName,
g_dwProvType,
CRYPT_DELETEKEYSET |
( g_dwSubjectStoreFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE ?
CRYPT_MACHINE_KEYSET : 0 ));
fResult = TRUE;
goto CommonReturn;
}
//
// Get access to the subject's (public) key, creating it if necessary
//
if (!GetPublicKey(hSubjectProv, &pAllocSubjectPubKeyInfo))
goto ErrorReturn;
pSubjectPubKeyInfo = pAllocSubjectPubKeyInfo;
//
// Encode the subject name
//
if (!EncodeSubject(&pbSubjectEncoded, &cbSubjectEncoded))
goto ErrorReturn;
//
// Get access to the issuer's (private) key
//
hIssuerProv= GetRootProv(&pwszTmpIssuerContainer);
if (NULL == (pIssuerCertContext = GetRootCertContext()))
goto ErrorReturn;
pIssuerCert = pIssuerCertContext->pCertInfo;
if (!VerifyIssuerKey(hIssuerProv, &pIssuerCert->SubjectPublicKeyInfo))
goto ErrorReturn;
//
// Update the CERT_INFO
//
ClearStruct(&Cert);
Cert.dwVersion = CERT_V3;
CoCreateGuid(&SerialNumber);
Cert.SerialNumber.pbData = (BYTE *) &SerialNumber;
Cert.SerialNumber.cbData = sizeof(SerialNumber);
Cert.SignatureAlgorithm = SignatureAlgorithm;
Cert.Issuer.pbData = pIssuerCert->Subject.pbData;
Cert.Issuer.cbData = pIssuerCert->Subject.cbData;
{
SYSTEMTIME st;
// Valid starting now...
GetSystemTimeAsFileTime(&Cert.NotBefore);
// Ending in 2039 (arbitrarily)
ClearStruct(&st);
st.wYear = 2039;
st.wMonth = 12;
st.wDay = 31;
st.wHour = 23;
st.wMinute= 59;
st.wSecond= 59;
SystemTimeToFileTime(&st, &Cert.NotAfter);
}
Cert.Subject.pbData = pbSubjectEncoded;
Cert.Subject.cbData = cbSubjectEncoded;
Cert.SubjectPublicKeyInfo = *pSubjectPubKeyInfo;
// Cert Extensions
if (!CreateEnhancedKeyUsage(
&pbEKUEncoded,
&cbEKUEncoded))
goto ErrorReturn;
rgExt[cExt].pszObjId = szOID_ENHANCED_KEY_USAGE;
rgExt[cExt].fCritical = FALSE;
rgExt[cExt].Value.pbData = pbEKUEncoded;
rgExt[cExt].Value.cbData = cbEKUEncoded;
cExt++;
if (g_wszSubjectDisplayName) {
if (!CreateSpcCommonName(
&pbSpcCommonNameEncoded,
&cbSpcCommonNameEncoded))
goto ErrorReturn;
rgExt[cExt].pszObjId = szOID_COMMON_NAME;
rgExt[cExt].fCritical = FALSE;
rgExt[cExt].Value.pbData = pbSpcCommonNameEncoded;
rgExt[cExt].Value.cbData = cbSpcCommonNameEncoded;
cExt++;
}
Cert.rgExtension = rgExt;
Cert.cExtension = cExt;
//
// Sign and encode the certificate
//
cbCertEncoded = 0;
CryptSignAndEncodeCertificate(
hIssuerProv,
g_dwIssuerKeySpec,
X509_ASN_ENCODING,
X509_CERT_TO_BE_SIGNED,
&Cert,
&Cert.SignatureAlgorithm,
NULL, // pvHashAuxInfo
NULL, // pbEncoded
&cbCertEncoded
);
if (cbCertEncoded == 0) {
ERROR_OUT(("CryptSignAndEncodeCertificate failed: %x", GetLastError()));
goto ErrorReturn;
}
pbCertEncoded = new BYTE[cbCertEncoded];
if (pbCertEncoded == NULL) goto ErrorReturn;
if (!CryptSignAndEncodeCertificate(
hIssuerProv,
g_dwIssuerKeySpec,
X509_ASN_ENCODING,
X509_CERT_TO_BE_SIGNED,
&Cert,
&Cert.SignatureAlgorithm,
NULL, // pvHashAuxInfo
pbCertEncoded,
&cbCertEncoded
)) {
ERROR_OUT(("CryptSignAndEncodeCertificate(2) failed: %x", GetLastError()));
goto ErrorReturn;
}
// Output the encoded certificate to an cerificate store
ASSERT(g_wszSubjectStore);
ASSERT(AT_KEYEXCHANGE == g_dwSubjectKeySpec);
if((!SaveCertToStore(hSubjectProv,
hStore,
g_dwSubjectStoreFlag,
pbCertEncoded,
cbCertEncoded,
g_wszSubjectKey,
g_dwSubjectKeySpec,
g_wszSubjectProviderName,
g_dwProvType)))
{
ERROR_OUT(("SaveCertToStore failed: %x", GetLastError()));
goto ErrorReturn;
}
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
CommonReturn:
PvkFreeCryptProv(hSubjectProv, g_wszSubjectProviderName,
g_dwProvType,pwszTmpSubjectContainer);
//free the cert store
if(hStore)
CertCloseStore(hStore, 0);
if (pIssuerCertContext)
CertFreeCertificateContext(pIssuerCertContext);
if (pAllocSubjectPubKeyInfo)
delete (pAllocSubjectPubKeyInfo);
if (pbSubjectEncoded)
delete (pbSubjectEncoded);
if (pbEKUEncoded)
delete (pbEKUEncoded);
if (pbSpcCommonNameEncoded)
delete (pbSpcCommonNameEncoded);
if (pbCertEncoded)
delete (pbCertEncoded);
if (hIssuerProv)
CryptReleaseContext(hIssuerProv,0);
return fResult;
}
//+-------------------------------------------------------------------------
// save the certificate to a certificate store. Attach private key information
// to the certificate
//--------------------------------------------------------------------------
BOOL SaveCertToStore(
HCRYPTPROV hProv,
HCERTSTORE hStore, DWORD dwFlag,
BYTE *pbEncodedCert, DWORD cbEncodedCert,
LPWSTR wszPvk,
DWORD dwKeySpecification,
LPWSTR wszCapiProv, DWORD dwCapiProvType)
{
BOOL fResult=FALSE;
PCCERT_CONTEXT pCertContext=NULL;
CRYPT_KEY_PROV_INFO KeyProvInfo;
HCRYPTPROV hDefaultProvName=NULL;
DWORD cbData=0;
LPSTR pszName=NULL;
LPWSTR pwszName=NULL;
//init
ClearStruct(&KeyProvInfo);
//add the encoded certificate to store
if(!CertAddEncodedCertificateToStore(
hStore,
X509_ASN_ENCODING,
pbEncodedCert,
cbEncodedCert,
CERT_STORE_ADD_REPLACE_EXISTING,
&pCertContext))
goto CLEANUP;
//add properties to the certificate
KeyProvInfo.pwszContainerName=wszPvk;
KeyProvInfo.pwszProvName=wszCapiProv,
KeyProvInfo.dwProvType=dwCapiProvType,
KeyProvInfo.dwKeySpec=dwKeySpecification;
if ( g_dwSubjectStoreFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE )
{
// If this is a local machine cert, set the keyset flags
// indicating that the private key will be under HKLM
KeyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
}
ASSERT(AT_KEYEXCHANGE == dwKeySpecification);
//if wszCapiProv is NULL, we get the default provider name
if(NULL==wszCapiProv)
{
//get the default provider
if(CryptAcquireContext(&hDefaultProvName,
NULL,
NULL,
KeyProvInfo.dwProvType,
CRYPT_VERIFYCONTEXT))
{
//get the provider name
if(CryptGetProvParam(hDefaultProvName,
PP_NAME,
NULL,
&cbData,
0) && (0!=cbData))
{
if(pszName= new CHAR[cbData])
{
if(CryptGetProvParam(hDefaultProvName,
PP_NAME,
(BYTE *)pszName,
&cbData,
0))
{
pwszName= AnsiToUnicode(pszName);
KeyProvInfo.pwszProvName=pwszName;
}
}
}
}
}
//free the provider as we want
if(hDefaultProvName)
CryptReleaseContext(hDefaultProvName, 0);
hDefaultProvName=NULL;
//add property related to the key container
if(!CertSetCertificateContextProperty(
pCertContext,
CERT_KEY_PROV_INFO_PROP_ID,
0,
&KeyProvInfo))
goto CLEANUP;
//
// Load the display name from resource and create a blob to
// set the cert friendly name.
//
CHAR szFriendlyName[128];
if (!LoadString(hModule, IDS_DEFNAME, szFriendlyName,
sizeof(szFriendlyName)))
{
ERROR_OUT(("LoadString failed: %d", GetLastError()));
goto CLEANUP;
}
WCHAR *pwszFriendlyName;
pwszFriendlyName = AnsiToUnicode ( szFriendlyName );
if ( NULL == pwszFriendlyName )
{
ERROR_OUT(("AnsiToUnicode failed"));
goto CLEANUP;
}
CRYPT_DATA_BLOB FriendlyName;
FriendlyName.pbData = (PBYTE)pwszFriendlyName;
FriendlyName.cbData = ( lstrlenW(pwszFriendlyName) + 1 ) *
sizeof(WCHAR);
if(!CertSetCertificateContextProperty(
pCertContext,
CERT_FRIENDLY_NAME_PROP_ID,
0,
&FriendlyName))
goto CLEANUP;
//
// Add magic ID
//
CRYPT_DATA_BLOB MagicBlob;
DWORD dwMagic;
dwMagic = NMMKCERT_MAGIC;
MagicBlob.pbData = (PBYTE)&dwMagic;
MagicBlob.cbData = sizeof(dwMagic);
if(!CertSetCertificateContextProperty(
pCertContext,
CERT_FIRST_USER_PROP_ID,
0,
&MagicBlob))
goto CLEANUP;
fResult=TRUE;
CLEANUP:
if (pwszFriendlyName)
delete pwszFriendlyName;
//free the cert context
if(pCertContext)
CertFreeCertificateContext(pCertContext);
if(pszName)
delete (pszName);
if(pwszName)
delete pwszName;
if(hDefaultProvName)
CryptReleaseContext(hDefaultProvName, 0);
return fResult;
}
//+-------------------------------------------------------------------------
// Verify the issuer's certificate. The public key in the certificate
// must match the public key associated with the private key in the
// issuer's provider
//--------------------------------------------------------------------------
BOOL VerifyIssuerKey(
IN HCRYPTPROV hProv,
IN PCERT_PUBLIC_KEY_INFO pIssuerKeyInfo
)
{
BOOL fResult;
PCERT_PUBLIC_KEY_INFO pPubKeyInfo = NULL;
DWORD cbPubKeyInfo;
// Get issuer's public key
cbPubKeyInfo = 0;
CryptExportPublicKeyInfo(
hProv,
g_dwIssuerKeySpec,
X509_ASN_ENCODING,
NULL, // pPubKeyInfo
&cbPubKeyInfo
);
if (cbPubKeyInfo == 0)
{
ERROR_OUT(("CryptExportPublicKeyInfo failed: %x", GetLastError()));
goto ErrorReturn;
}
if (NULL == (pPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) new BYTE[cbPubKeyInfo]))
goto ErrorReturn;
if (!CryptExportPublicKeyInfo(
hProv,
g_dwIssuerKeySpec,
X509_ASN_ENCODING,
pPubKeyInfo,
&cbPubKeyInfo
)) {
ERROR_OUT(("CrypteExportPublicKeyInfo(2) failed: %x", GetLastError()));
goto ErrorReturn;
}
if (!CertComparePublicKeyInfo(
X509_ASN_ENCODING,
pIssuerKeyInfo,
pPubKeyInfo)) {
// BUGBUG:: This might be the test root with an incorrectly
// encoded public key. Convert to the capi representation and
// compare.
BYTE rgProvKey[256]; //BUGBUG needs appropriate constant or calc
BYTE rgCertKey[256]; //BUGBUG needs appropriate constant or calc
DWORD cbProvKey = sizeof(rgProvKey);
DWORD cbCertKey = sizeof(rgCertKey);
if (!CryptDecodeObject(X509_ASN_ENCODING, RSA_CSP_PUBLICKEYBLOB,
pIssuerKeyInfo->PublicKey.pbData,
pIssuerKeyInfo->PublicKey.cbData,
0, // dwFlags
rgProvKey,
&cbProvKey) ||
!CryptDecodeObject(X509_ASN_ENCODING, RSA_CSP_PUBLICKEYBLOB,
pPubKeyInfo->PublicKey.pbData,
pPubKeyInfo->PublicKey.cbData,
0, // dwFlags
rgCertKey,
&cbCertKey) ||
cbProvKey == 0 || cbProvKey != cbCertKey ||
memcmp(rgProvKey, rgCertKey, cbProvKey) != 0) {
ERROR_OUT(("mismatch: %x", GetLastError()));
goto ErrorReturn;
}
}
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
CommonReturn:
if (pPubKeyInfo)
delete (pPubKeyInfo);
return fResult;
}
//+-------------------------------------------------------------------------
// Get the subject's private key provider
//--------------------------------------------------------------------------
HCRYPTPROV GetSubjectProv(OUT LPWSTR *ppwszTmpContainer)
{
HCRYPTPROV hProv=0;
WCHAR wszKeyName[40] = L"Subject Key";
int ids;
WCHAR *wszRegKeyName=NULL;
BOOL fResult;
HCRYPTKEY hKey=NULL;
GUID TmpContainerUuid;
//try to get the hProv from the private key container
if(S_OK != PvkGetCryptProv(NULL,
wszKeyName,
g_wszSubjectProviderName,
g_dwProvType,
NULL,
g_wszSubjectKey,
&g_dwSubjectKeySpec,
ppwszTmpContainer,
&hProv))
hProv=0;
//generate the private keys
if (0 == hProv)
{
//now that we have to generate private keys, generate
//AT_KEYEXCHANGE key
// If there is an existing container with the name of the
// one we are about to create, attempt to delete it first so
// that creating it won't fail. This should only happen if the
// container exists but we were unable to acquire a context to
// it previously.
CryptAcquireContextU(
&hProv,
g_wszSubjectKey,
g_wszSubjectProviderName,
g_dwProvType,
CRYPT_DELETEKEYSET |
( g_dwSubjectStoreFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE ?
CRYPT_MACHINE_KEYSET : 0 ));
// Open a new key container
if (!CryptAcquireContextU(
&hProv,
g_wszSubjectKey,
g_wszSubjectProviderName,
g_dwProvType,
CRYPT_NEWKEYSET |
( g_dwSubjectStoreFlag == CERT_SYSTEM_STORE_LOCAL_MACHINE ?
CRYPT_MACHINE_KEYSET : 0 )))
{
ERROR_OUT(("CryptAcquireContext failed: %x", GetLastError()));
goto CreateKeyError;
}
//generate new keys in the key container - make sure its EXPORTABLE
//for SCHANNEL! (Note: remove that when SCHANNEL no longer needs it).
if (!CryptGenKey( hProv, g_dwSubjectKeySpec, CRYPT_EXPORTABLE, &hKey))
{
ERROR_OUT(("CryptGenKey failed: %x", GetLastError()));
goto CreateKeyError;
}
else
CryptDestroyKey(hKey);
//try to get the user key
if (CryptGetUserKey( hProv, g_dwSubjectKeySpec, &hKey))
{
CryptDestroyKey(hKey);
}
else
{
// Doesn't have the specified public key
CryptReleaseContext(hProv, 0);
hProv=0;
}
if (0 == hProv )
{
ERROR_OUT(("sub key error: %x", GetLastError()));
goto ErrorReturn;
}
} //hProv==0
goto CommonReturn;
CreateKeyError:
ErrorReturn:
if (hProv)
{
CryptReleaseContext(hProv, 0);
hProv = 0;
}
CommonReturn:
if(wszRegKeyName)
delete (wszRegKeyName);
return hProv;
}
//+-------------------------------------------------------------------------
// Allocate and get the public key info for the provider
//--------------------------------------------------------------------------
BOOL GetPublicKey(
HCRYPTPROV hProv,
PCERT_PUBLIC_KEY_INFO *ppPubKeyInfo
)
{
BOOL fResult;
PCERT_PUBLIC_KEY_INFO pPubKeyInfo = NULL;
DWORD cbPubKeyInfo;
cbPubKeyInfo = 0;
CryptExportPublicKeyInfo(
hProv,
g_dwSubjectKeySpec,
X509_ASN_ENCODING,
NULL, // pPubKeyInfo
&cbPubKeyInfo
);
if (cbPubKeyInfo == 0) {
ERROR_OUT(("CryptExportPublicKeyInfo failed: %x", GetLastError()));
goto ErrorReturn;
}
if (NULL == (pPubKeyInfo = (PCERT_PUBLIC_KEY_INFO) new BYTE[cbPubKeyInfo]))
goto ErrorReturn;
if (!CryptExportPublicKeyInfo(
hProv,
g_dwSubjectKeySpec,
X509_ASN_ENCODING,
pPubKeyInfo,
&cbPubKeyInfo
)) {
ERROR_OUT(("CryptExportPublicKeyInfo(2) failed: %x", GetLastError()));
goto ErrorReturn;
}
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
fResult = FALSE;
if (pPubKeyInfo) {
delete (pPubKeyInfo);
pPubKeyInfo = NULL;
}
CommonReturn:
*ppPubKeyInfo = pPubKeyInfo;
return fResult;
}
//+-------------------------------------------------------------------------
// Convert and encode the subject's X500 formatted name
//--------------------------------------------------------------------------
BOOL EncodeSubject(
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded
)
{
BOOL fResult;
DWORD cbEncodedSubject=0;
BYTE *pbEncodedSubject=NULL;
BYTE *pbEncoded = NULL;
DWORD cbEncoded;
//encode the wszSubjectX500Name into an encoded X509_NAME
if(!CertStrToNameW(
X509_ASN_ENCODING,
g_wszSubjectX500Name,
0,
NULL,
NULL,
&cbEncodedSubject,
NULL))
{
ERROR_OUT(("CertStrToNameW failed: %x", GetLastError()));
goto ErrorReturn;
}
pbEncodedSubject = new BYTE[cbEncodedSubject];
if (pbEncodedSubject == NULL) goto ErrorReturn;
if(!CertStrToNameW(
X509_ASN_ENCODING,
g_wszSubjectX500Name,
0,
NULL,
pbEncodedSubject,
&cbEncodedSubject,
NULL))
{
ERROR_OUT(("CertStrToNameW(2) failed: %x", GetLastError()));
goto ErrorReturn;
}
cbEncoded=cbEncodedSubject;
pbEncoded=pbEncodedSubject;
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
if (pbEncoded) {
delete (pbEncoded);
pbEncoded = NULL;
}
cbEncoded = 0;
fResult = FALSE;
CommonReturn:
*ppbEncoded = pbEncoded;
*pcbEncoded = cbEncoded;
return fResult;
}
// The test root's public key isn't encoded properly in the certificate.
// It's missing a leading zero to make it a unsigned integer.
static BYTE rgbTestRoot[] = {
#include "root.h"
};
static CERT_PUBLIC_KEY_INFO TestRootPublicKeyInfo = {
szOID_RSA_RSA, 0, NULL, sizeof(rgbTestRoot), rgbTestRoot, 0
};
static BYTE rgbTestRootInfoAsn[] = {
#include "rootasn.h"
};
//+-------------------------------------------------------------------------
// X509 Extensions: Allocate and Encode functions
//--------------------------------------------------------------------------
BOOL CreateEnhancedKeyUsage(
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded
)
{
BOOL fResult = TRUE;
LPBYTE pbEncoded =NULL;
DWORD cbEncoded;
PCERT_ENHKEY_USAGE pUsage =NULL;
//
// Allocate a cert enhanced key usage structure and fill it in
//
pUsage = (PCERT_ENHKEY_USAGE) new BYTE[sizeof(CERT_ENHKEY_USAGE) +
2 * sizeof(LPSTR)];
if ( pUsage != NULL )
{
pUsage->cUsageIdentifier = 2;
pUsage->rgpszUsageIdentifier = (LPSTR *)((LPBYTE)pUsage+sizeof(CERT_ENHKEY_USAGE));
pUsage->rgpszUsageIdentifier[0] = szOID_PKIX_KP_CLIENT_AUTH;
pUsage->rgpszUsageIdentifier[1] = szOID_PKIX_KP_SERVER_AUTH;
}
else
{
fResult = FALSE;
}
//
// Encode the usage
//
if ( fResult == TRUE )
{
fResult = CryptEncodeObject(
X509_ASN_ENCODING,
szOID_ENHANCED_KEY_USAGE,
pUsage,
NULL,
&cbEncoded
);
if ( fResult == TRUE )
{
pbEncoded = new BYTE[cbEncoded];
if ( pbEncoded != NULL )
{
fResult = CryptEncodeObject(
X509_ASN_ENCODING,
szOID_ENHANCED_KEY_USAGE,
pUsage,
pbEncoded,
&cbEncoded
);
}
else
{
fResult = FALSE;
}
}
}
//
// Cleanup
//
delete (pUsage);
if ( fResult == TRUE )
{
*ppbEncoded = pbEncoded;
*pcbEncoded = cbEncoded;
}
else
{
delete (pbEncoded);
}
return( fResult );
}
BOOL CreateSpcCommonName(
OUT BYTE **ppbEncoded,
IN OUT DWORD *pcbEncoded
)
{
BOOL fResult;
BYTE *pbEncoded = NULL;
DWORD cbEncoded;
CERT_NAME_VALUE NameValue;
NameValue.dwValueType = CERT_RDN_UNICODE_STRING;
NameValue.Value.pbData = (BYTE *) g_wszSubjectDisplayName;
NameValue.Value.cbData =0;
cbEncoded = 0;
CryptEncodeObject(X509_ASN_ENCODING, X509_UNICODE_NAME_VALUE,
&NameValue,
NULL, // pbEncoded
&cbEncoded
);
if (cbEncoded == 0) {
ERROR_OUT(("CryptEncodeObject failed: %x", GetLastError()));
goto ErrorReturn;
}
pbEncoded = new BYTE[cbEncoded];
if (pbEncoded == NULL) goto ErrorReturn;
if (!CryptEncodeObject(X509_ASN_ENCODING, X509_UNICODE_NAME_VALUE,
&NameValue,
pbEncoded,
&cbEncoded
)) {
ERROR_OUT(("CryptEncodeObject failed: %x", GetLastError()));
goto ErrorReturn;
}
fResult = TRUE;
goto CommonReturn;
ErrorReturn:
if (pbEncoded) {
delete (pbEncoded);
pbEncoded = NULL;
}
cbEncoded = 0;
fResult = FALSE;
CommonReturn:
*ppbEncoded = pbEncoded;
*pcbEncoded = cbEncoded;
return fResult;
}