BOOL ClientAuthenticate(const char *name, const char *hostname)
{
int rc, rcISC;
SEC_WINNT_AUTH_IDENTITY nameAndPwd = {0};
int bytesReceived = 0, bytesSent = 0;
char myTokenSource[256];
TimeStamp useBefore;
DWORD ctxReq, ctxAttr;
int dwRead,dwWritten;
// input and output buffers
SecBufferDesc obd, ibd;
SecBuffer ob, ib[2];
BOOL haveInbuffer = FALSE;
BOOL haveContext = FALSE;
SCHANNEL_CRED cred = {0};
PCCERT_CONTEXT cert = NULL;
HANDLE hMy = CertOpenSystemStore(0,"MY");
if(!hMy)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC));
return FALSE;
}
if(name)
{
cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t *)cvs::wide(name), NULL);
if(!cert)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"No certificate for '%s': %s\n",name,GetErrorString(rcISC));
return FALSE;
}
}
cred.dwVersion = SCHANNEL_CRED_VERSION;
cred.dwFlags = SCH_CRED_USE_DEFAULT_CREDS;
if(cert)
{
cred.cCreds = 1;
cred.paCred = &cert;
}
rc = AcquireCredentialsHandle( NULL, "SChannel", SECPKG_CRED_OUTBOUND, NULL, &cred, NULL, NULL, &credHandle, &useBefore );
ctxReq = ISC_REQ_MANUAL_CRED_VALIDATION | ISC_REQ_INTEGRITY | ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS;
strncpy(myTokenSource,hostname,sizeof(myTokenSource));
CertCloseStore(hMy,0);
ib[0].pvBuffer = NULL;
while ( 1 )
{
obd.ulVersion = SECBUFFER_VERSION;
obd.cBuffers = 1;
obd.pBuffers = &ob; // just one buffer
ob.BufferType = SECBUFFER_TOKEN; // preping a token here
ob.cbBuffer = secPackInfo->cbMaxToken;
ob.pvBuffer = malloc(secPackInfo->cbMaxToken);
rcISC = InitializeSecurityContext( &credHandle, haveContext? &contextHandle: NULL,
myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP, haveInbuffer? &ibd: NULL,
0, &contextHandle, &obd, &ctxAttr, &useBefore );
if ( ib[0].pvBuffer != NULL )
{
free(ib[0].pvBuffer);
ib[0].pvBuffer = NULL;
}
if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
{
CompleteAuthToken( &contextHandle, &obd );
if ( rcISC == SEC_I_COMPLETE_NEEDED )
rcISC = SEC_E_OK;
else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
rcISC = SEC_I_CONTINUE_NEEDED;
}
if(rcISC<0)
{
server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC));
}
// send the output buffer off to the server
if ( ob.cbBuffer != 0 )
{
if((dwWritten=tcp_write( (const char *) ob.pvBuffer, ob.cbBuffer))<=0)
break;
bytesSent += dwWritten;
}
free(ob.pvBuffer);
ob.pvBuffer = NULL;
ob.cbBuffer = 0;
if ( rcISC != SEC_I_CONTINUE_NEEDED )
break;
// prepare to get the server's response
ibd.ulVersion = SECBUFFER_VERSION;
ibd.cBuffers = 2;
ibd.pBuffers = ib; // just one buffer
ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here
ib[0].cbBuffer = secPackInfo->cbMaxToken;
ib[0].pvBuffer = malloc(secPackInfo->cbMaxToken);
ib[1].cbBuffer = 0;
ib[1].pvBuffer = NULL;
ib[1].BufferType = SECBUFFER_EMPTY; // Spare stuff
// receive the server's response
if((dwRead=tcp_read(ib[0].pvBuffer,ib[0].cbBuffer))<=0)
break;
bytesReceived += dwRead;
// by now we have an input buffer and a client context
haveInbuffer = TRUE;
haveContext = TRUE;
}
// we arrive here as soon as InitializeSecurityContext()
// returns != SEC_I_CONTINUE_NEEDED.
if ( rcISC != SEC_E_OK )
haveContext = FALSE;
else
haveContext = TRUE; /* Looopback kerberos needs this */
return haveContext;
}
BOOL MSCAPI_Manager::BuildCertificateChain(HCRYPTPROV provider, OpString &label, OpString &shortname, SSL_ASN1Cert_list &cert)
{
CERT_PUBLIC_KEY_INFO *pubkey = (CERT_PUBLIC_KEY_INFO *) g_memory_manager->GetTempBuf2k();
DWORD len;
label.Empty();
shortname.Empty();
cert.Resize(0);
if(!hMYSystemStore)
return FALSE;
len = g_memory_manager->GetTempBuf2kLen();
if(!CryptExportPublicKeyInfo(provider, /*AT_SIGNATURE*/ AT_KEYEXCHANGE, (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING), pubkey, &len))
{
int err0 = GetLastError();
op_memset(&pubkey, 0, sizeof(pubkey));
len = g_memory_manager->GetTempBufLen();
if(!CryptExportPublicKeyInfo(provider, /* AT_KEYEXCHANGE */ AT_SIGNATURE, (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING), pubkey, &len))
{
int err = GetLastError();
return FALSE;
}
}
PCCERT_CONTEXT cert_item = NULL;
cert_item = CertFindCertificateInStore(hMYSystemStore, (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING), 0, CERT_FIND_PUBLIC_KEY, pubkey, cert_item);
if(!cert_item && hUserDSSystemStore)
cert_item = CertFindCertificateInStore(hUserDSSystemStore, (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING), 0, CERT_FIND_PUBLIC_KEY, pubkey, cert_item);
if(!cert_item)
return FALSE;
len = CertNameToStr((X509_ASN_ENCODING | PKCS_7_ASN_ENCODING),
&cert_item->pCertInfo->Subject, CERT_SIMPLE_NAME_STR, NULL, 0);
if(len)
{
if(shortname.Reserve(len+1) == NULL)
return OpStatus::ERR_NO_MEMORY;
len = CertNameToStr((X509_ASN_ENCODING | PKCS_7_ASN_ENCODING),
&cert_item->pCertInfo->Subject, CERT_SIMPLE_NAME_STR, shortname.DataPtr(), shortname.Capacity());
}
cert.Resize(1);
if(cert.Error())
return FALSE();
cert[0].Set(cert_item->pbCertEncoded, cert_item->cbCertEncoded);
if(cert.Error() || cert[0].GetLength() == 0)
return FALSE;
return TRUE;
}
static const CERT_CONTEXT *find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
{
/* Find, and use, the desired certificate from the store. The
* 'cert_prop' certificate search string can look like this:
* SUBJ:<certificate substring to match>
* THUMB:<certificate thumbprint hex value>, e.g.
* THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
*/
const CERT_CONTEXT *rv = NULL;
if (!strncmp(cert_prop, "SUBJ:", 5)) {
/* skip the tag */
cert_prop += 5;
rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL);
} else if (!strncmp(cert_prop, "THUMB:", 6)) {
unsigned char hash[255];
char *p;
int i, x = 0;
CRYPT_HASH_BLOB blob;
/* skip the tag */
cert_prop += 6;
for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
if (*p >= '0' && *p <= '9')
x = (*p - '0') << 4;
else if (*p >= 'A' && *p <= 'F')
x = (*p - 'A' + 10) << 4;
else if (*p >= 'a' && *p <= 'f')
x = (*p - 'a' + 10) << 4;
if (!*++p) /* unexpected end of string */
break;
if (*p >= '0' && *p <= '9')
x += *p - '0';
else if (*p >= 'A' && *p <= 'F')
x += *p - 'A' + 10;
else if (*p >= 'a' && *p <= 'f')
x += *p - 'a' + 10;
hash[i] = x;
/* skip any space(s) between hex numbers */
for (p++; *p && *p == ' '; p++);
}
blob.cbData = i;
blob.pbData = (unsigned char *) &hash;
rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0, CERT_FIND_HASH, &blob, NULL);
}
return rv;
}
int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url)
{
uint8_t id[MAX_WID_SIZE];
HCERTSTORE store = NULL;
size_t id_size;
const CERT_CONTEXT *cert = NULL;
CRYPT_HASH_BLOB blob;
int ret;
gnutls_datum_t data;
if (ncrypt_init == 0)
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
id_size = sizeof(id);
ret = get_id(url, id, &id_size, 0);
if (ret < 0)
return gnutls_assert_val(ret);
blob.cbData = id_size;
blob.pbData = id;
store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
if (store == NULL) {
gnutls_assert();
ret = GNUTLS_E_FILE_ERROR;
goto cleanup;
}
cert = CertFindCertificateInStore(store,
X509_ASN_ENCODING,
0,
CERT_FIND_KEY_IDENTIFIER,
&blob, NULL);
if (cert == NULL) {
char buf[64];
_gnutls_debug_log("cannot find ID: %s from %s\n",
_gnutls_bin2hex(id, id_size,
buf, sizeof(buf), NULL), url);
ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
goto cleanup;
}
data.data = cert->pbCertEncoded;
data.size = cert->cbCertEncoded;
ret = gnutls_x509_crt_import(crt, &data, GNUTLS_X509_FMT_DER);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
cleanup:
if (cert != 0)
CertFreeCertificateContext(cert);
CertCloseStore(store, 0);
return ret;
}
//Function to obtain the certificate
PCCERT_CONTEXT MyGetCertificate (void)
{
//---------------------------------------------------------
// Declare and initialize variables.
HCERTSTORE hStoreHandle; // The system store handle.
PCCERT_CONTEXT pCert = NULL; // Set to NULL for the first call to
// CertFindCertificateInStore.
//-------------------------------------------------------------------
// Open the certificate store to be searched.
hStoreHandle = CertOpenStore(
CERT_STORE_PROV_SYSTEM, // the store provider type
0, // the encoding type is not needed
NULL, // use the default HCRYPTPROV
CERT_SYSTEM_STORE_CURRENT_USER, // set the store location in a
// registry location
CERT_STORE_NAME); // the store name
if (NULL == hStoreHandle)
{
wprintf( L"Could not open the store.\n");
goto done;
}
else
{
wprintf( L"Opened the store.\n");
}
//-------------------------------------------------------------------
// Get a certificate that has the specified Subject Name
pCert = CertFindCertificateInStore(
hStoreHandle,
CRYPT_ASN_ENCODING, // Use X509_ASN_ENCODING
0, // No dwFlags needed
CERT_FIND_SUBJECT_STR, // Find a certificate with a
// subject that matches the
// string in the next parameter
SUBJECT_NAME, // The Unicode string to be found
// in a certificate's subject
NULL); // NULL for the first call to the
// function; In all subsequent
// calls, it is the last pointer
// returned by the function
if (NULL == pCert)
{
wprintf( L"Could not find the desired certificate.\n");
}
else
{
wprintf( L"The desired certificate was found. \n");
}
done:
if(NULL != hStoreHandle)
{
CertCloseStore( hStoreHandle, 0);
}
return pCert;
}
static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE hstore)
{
PCCERT_CONTEXT cert = NULL;
char *fname = NULL;
int match;
switch(ctx->lookup_method)
{
case CAPI_LU_SUBSTR:
return CertFindCertificateInStore(hstore,
X509_ASN_ENCODING, 0,
CERT_FIND_SUBJECT_STR_A, id, NULL);
case CAPI_LU_FNAME:
for(;;)
{
cert = CertEnumCertificatesInStore(hstore, cert);
if (!cert)
return NULL;
fname = capi_cert_get_fname(ctx, cert);
if (fname)
{
if (strcmp(fname, id))
match = 0;
else
match = 1;
OPENSSL_free(fname);
if (match)
return cert;
}
}
default:
return NULL;
}
}
CertificateCollection qca_get_systemstore(const QString &provider)
{
CertificateCollection col;
HCERTSTORE hSystemStore;
hSystemStore = CertOpenSystemStoreA(0, "ROOT");
if(!hSystemStore)
return col;
PCCERT_CONTEXT pc = NULL;
while(1)
{
pc = CertFindCertificateInStore(
hSystemStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_ANY,
NULL,
pc);
if(!pc)
break;
int size = pc->cbCertEncoded;
QByteArray der(size, 0);
memcpy(der.data(), pc->pbCertEncoded, size);
Certificate cert = Certificate::fromDER(der, 0, provider);
if(!cert.isNull())
col.addCertificate(cert);
}
CertCloseStore(hSystemStore, 0);
return col;
}
/* Returns TRUE if pCert is not in the Disallowed system store, or FALSE if it
* is.
*/
static BOOL CRYPTDLG_IsCertAllowed(PCCERT_CONTEXT pCert)
{
BOOL ret;
BYTE hash[20];
DWORD size = sizeof(hash);
if ((ret = CertGetCertificateContextProperty(pCert,
CERT_SIGNATURE_HASH_PROP_ID, hash, &size)))
{
static const WCHAR disallowedW[] =
{ 'D','i','s','a','l','l','o','w','e','d',0 };
HCERTSTORE disallowed = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
X509_ASN_ENCODING, 0, CERT_SYSTEM_STORE_CURRENT_USER, disallowedW);
if (disallowed)
{
PCCERT_CONTEXT found = CertFindCertificateInStore(disallowed,
X509_ASN_ENCODING, 0, CERT_FIND_SIGNATURE_HASH, hash, NULL);
if (found)
{
ret = FALSE;
CertFreeCertificateContext(found);
}
CertCloseStore(disallowed, 0);
}
}
return ret;
}
bool SelectCertificate(const std::wstring& certStoreName, const std::string& certHash)
{
certStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, certStoreName.c_str());
if (!certStore)
{
std::wcerr << L"Failed to open cert store. Error: " << std::hex << GetLastError() << L", Store: " << certStoreName << std::endl;
return false;
}
CRYPT_HASH_BLOB hashBlob;
hashBlob.pbData = (BYTE*)certHash.data();
hashBlob.cbData = (DWORD)certHash.size();
CERT_ID id;
id.dwIdChoice = CERT_ID_SHA1_HASH;
id.HashId = hashBlob;
certContext = CertFindCertificateInStore(certStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_CERT_ID, (void *)&id, NULL);
if (!certContext)
{
std::cerr << "Failed to open cert context. Error: " << std::hex << GetLastError() << ", Certificate: " << certHash << std::endl;
return false;
}
return true;
}
void CEstEIDCertificate::readFromCertContext() {
PCCERT_CONTEXT certContext = NULL;
HCERTSTORE cert_store = NULL;
cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG, L"MY");
if(!cert_store){
throw CryptoException();
}
if(!CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, NULL)) {
CertCloseStore(cert_store, CERT_CLOSE_STORE_FORCE_FLAG);
throw CryptoException();
}
while(certContext = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, certContext)) {
BYTE keyUsage;
CertGetIntendedKeyUsage(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, certContext->pCertInfo, &keyUsage, 1);
if (keyUsage & CERT_NON_REPUDIATION_KEY_USAGE) {
this->certificates.push_back(CertDuplicateCertificateContext(certContext));
}
}
//PCCERT_CONTEXT ct = CryptUIDlgSelectCertificateFromStore(cert_store, NULL, L"TIITEL", L"Vali cert:", NULL, 0, 0);
//loadCertContexts(ct);
CCertificateSelectionDlg *dlg = new CCertificateSelectionDlg();
dlg->setCertificate(this->certificates);
INT_PTR selectedItem = dlg->DoModal();
EstEID_log("selected item index = %i", selectedItem);
if(selectedItem == -1) {
throw CryptoException(ESTEID_USER_CANCEL);
}
loadCertContexts(this->certificates[selectedItem]);
if(certContext){
CertFreeCertificateContext(certContext);
}
if(cert_store) {
CertCloseStore(cert_store, CERT_CLOSE_STORE_FORCE_FLAG);
}
}
DWORD StoreAuthorityCert(PCCERT_CONTEXT pCertContext, unsigned char KeyUsageBits)
{
DWORD dwRet = 0;
HCERTSTORE hMemoryStore = NULL;
PCCERT_CONTEXT pDesiredCert = NULL;
if ( 0 == memcmp ( pCertContext->pCertInfo->Issuer.pbData, pCertContext->pCertInfo->Subject.pbData, pCertContext->pCertInfo->Subject.cbData ) )
{
hMemoryStore = CertOpenSystemStore ((HCRYPTPROV_LEGACY)NULL, TEXT("ROOT"));
}
else
{
hMemoryStore = CertOpenSystemStore ((HCRYPTPROV_LEGACY)NULL, TEXT("CA"));
}
if (hMemoryStore == NULL)
{
dwRet = GetLastError();
printf("StoreAuthorityCerts: Unable to open the system certificate store. Error code: %d.\n",dwRet);
return dwRet;
}
pDesiredCert = CertFindCertificateInStore( hMemoryStore
, X509_ASN_ENCODING
, 0
, CERT_FIND_EXISTING
, pCertContext
, NULL
);
if( pDesiredCert )
{
CertFreeCertificateContext(pDesiredCert);
}
else if (GetLastError())
{
CertAddEnhancedKeyUsageIdentifier (pCertContext, szOID_PKIX_KP_EMAIL_PROTECTION);
CertAddEnhancedKeyUsageIdentifier (pCertContext, szOID_PKIX_KP_SERVER_AUTH);
if(CertAddCertificateContextToStore(hMemoryStore, pCertContext, CERT_STORE_ADD_NEWER, NULL))
{
printf("StoreUserCerts: Certificate context added to store.\n");
dwRet = 0;
}
else
{
dwRet = GetLastError();
printf("StoreAuthorityCerts: Unable to add certificate context to store. Error code: %d.\n",dwRet);
}
}
CertCloseStore (hMemoryStore, CERT_CLOSE_STORE_FORCE_FLAG);
return dwRet;
}
PCCERT_CONTEXT GetCertificateContextFromName(
LPTSTR lpszCertificateName,
LPTSTR lpszCertificateStoreName,
DWORD dwCertStoreOpenFlags)
{
PCCERT_CONTEXT pCertContext = NULL;
HCERTSTORE hCertStore = NULL;
LPSTR szStoreProvider;
DWORD dwFindType;
#ifdef UNICODE
szStoreProvider = (LPSTR)CERT_STORE_PROV_SYSTEM_W;
#else
szStoreProvider = (LPSTR)CERT_STORE_PROV_SYSTEM_A;
#endif
// Open the specified certificate store
hCertStore = CertOpenStore(szStoreProvider,
0,
NULL,
CERT_STORE_READONLY_FLAG|
dwCertStoreOpenFlags,
lpszCertificateStoreName);
if (hCertStore == NULL)
{
MyPrintf(_T("CertOpenStore failed with %X\n"), GetLastError());
return pCertContext;
}
#ifdef UNICODE
dwFindType = CERT_FIND_SUBJECT_STR_W;
#else
dwFindType = CERT_FIND_SUBJECT_STR_A;
#endif
// Find the certificate by CN.
pCertContext = CertFindCertificateInStore(
hCertStore,
MY_ENCODING,
0,
dwFindType,
lpszCertificateName,
NULL);
if (pCertContext == NULL)
{
MyPrintf(_T("CertFindCertificateInStore failed with %X\n"), GetLastError());
}
CertCloseStore(hCertStore, 0);
return pCertContext;
}
bool CertStore::find( const QSslCertificate &cert ) const
{
if( !d->s )
return false;
PCCERT_CONTEXT context = d->certContext( cert );
if( !context )
return false;
PCCERT_CONTEXT result = CertFindCertificateInStore( d->s, X509_ASN_ENCODING,
0, CERT_FIND_SUBJECT_CERT, context->pCertInfo, 0 );
CertFreeCertificateContext( context );
return result;
}
std::auto_ptr<Certificate> Store::findCertificate(CERT_INFO* ci)
{
PCCERT_CONTEXT cert = CertFindCertificateInStore(m_hCertStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_CERT,
ci,
NULL);
std::auto_ptr<Certificate> certificate = new Certificate(cert);
return certificate;
}
Certificado* AlmacenCertificadoCAPI::loadCertificado(ClaveBusqueda claveBusqueda, void *data)
{
Certificado *ret;
PCCERT_CONTEXT cert;
DWORD tipoBusqueda;
void *parametros;
bool ok;
// Obtener el certificado.
//
// Para firmar, no vale un certificado cualquiera, sino uno que contenga una clave
// privada. Si lo que queremos es validar una firma, con que tenga clave pública
// (todos la tienen) es suficiente.
//
// La búsqueda del certificado se puede hacer por varios campos de los que aparecen
// en la pestaña "Detalles" del certificado.
//
if (handle == NULL)
return (NULL);
ret = NULL;
parametros = calcularParametrosBusqueda(claveBusqueda, data, tipoBusqueda);
if (tipoBusqueda != 0xFFFFFFFF)
{
cert = CertFindCertificateInStore(handle, TIPO_CODIFICACION, 0,
tipoBusqueda, parametros, NULL);
// una vez terminada la búsqueda, podemos liberar sus parámetros, que desde
// aquí no sabemos de qué tipo son y cuando ocupan
liberarParametrosBusqueda(claveBusqueda, parametros);
if (cert != NULL)
{
// comprobar si el certificado realmente corresponde al CSP (en caso de haber CSP)
if (csp != 0)
ok = CorrespondeCertificadoConCSP(cert);
else
ok = true;
if (ok)
ret = crearCertificado(cert);
}
}
return (ret);
}
PCCERT_CONTEXT findCertificateInStore (HCERTSTORE certStoreHandle, const std::string &certName) {
if (!boost::iequals(certName.substr(0, 5), "sha1:")) {
// Find client certificate. Note that this sample just searches for a
// certificate that contains the user name somewhere in the subject name.
return CertFindCertificateInStore(certStoreHandle, X509_ASN_ENCODING, /*dwFindFlags*/ 0, CERT_FIND_SUBJECT_STR_A, /* *pvFindPara*/certName.c_str(), /*pPrevCertContext*/ NULL);
}
std::string hexstring = certName.substr(5);
ByteArray byteArray = Hexify::unhexify(hexstring);
CRYPT_HASH_BLOB HashBlob;
if (byteArray.size() != SHA1_HASH_LEN) {
return NULL;
}
HashBlob.cbData = SHA1_HASH_LEN;
HashBlob.pbData = static_cast<BYTE *>(vecptr(byteArray));
// Find client certificate. Note that this sample just searches for a
// certificate that contains the user name somewhere in the subject name.
return CertFindCertificateInStore(certStoreHandle, X509_ASN_ENCODING, /* dwFindFlags */ 0, CERT_FIND_HASH, &HashBlob, /* pPrevCertContext */ NULL);
}
PCCERT_CONTEXT FindCertificateByHash(HCERTSTORE hSystemStore, unsigned char *hash)
{
PCCERT_CONTEXT pCertContext = NULL;
CRYPT_HASH_BLOB toFindData;
toFindData.cbData = SK_HASH_LEN;
toFindData.pbData = hash;
pCertContext = CertFindCertificateInStore(hSystemStore,
X509_ASN_ENCODING |
PKCS_7_ASN_ENCODING, 0,
CERT_FIND_HASH, &toFindData,
NULL);
return pCertContext;
}
std::auto_ptr<Certificate> Store::getIssuerOf(Certificate* cert)
{
PCCERT_CONTEXT c = CertFindCertificateInStore(m_hCertStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
&(cert->getContext()->pCertInfo->Issuer),
0);
if(!c)
{
return std::auto_ptr<Certificate>(0);
}
return std::auto_ptr<Certificate>(new Certificate(c));
}
std::auto_ptr<Certificate> Store::getNextCertificate()
{
PCCERT_CONTEXT cert = CertFindCertificateInStore(m_hCertStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_ANY,
0,
m_prevCert);
m_prevCert = cert;
if(!cert)
{
return std::auto_ptr<Certificate>(0);
}
return std::auto_ptr<Certificate>(new Certificate(cert));
}
static BOOL find_and_delete_cert_in_store(HCERTSTORE store, PCCERT_CONTEXT cert)
{
CERT_ID id;
PCCERT_CONTEXT found;
id.dwIdChoice = CERT_ID_ISSUER_SERIAL_NUMBER;
memcpy(&id.u.IssuerSerialNumber.Issuer,
&cert->pCertInfo->Issuer, sizeof(CERT_NAME_BLOB));
memcpy(&id.u.IssuerSerialNumber.SerialNumber,
&cert->pCertInfo->SerialNumber, sizeof(CRYPT_INTEGER_BLOB));
found = CertFindCertificateInStore(store, X509_ASN_ENCODING, 0,
CERT_FIND_CERT_ID, &id, NULL);
if (!found)
return FALSE;
CertDeleteCertificateFromStore(found);
return TRUE;
}
bool StoreCertificateIterator::moveNext()
{
mpCertIterator = CertFindCertificateInStore(
mhCertStore,
X509_ASN_ENCODING,
0,
CERT_FIND_ANY,
NULL,
mpCertIterator);
if (mpCertIterator)
{
PCCERT_CONTEXT pCert = CertDuplicateCertificateContext(mpCertIterator);
mCurrentCertPtr.reset( new Win32Certificate(pCert) );
return true;
}
else
{
mCurrentCertPtr.reset();
return false;
}
}
int main()
{
test();
HCERTSTORE myCertStoreHandle = CertOpenSystemStore(NULL, TEXT("MY"));
const CERT_CONTEXT* pCertificateContext = CertFindCertificateInStore(
myCertStoreHandle,
X509_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_STR,
TEXT("localhost"),
NULL);
SchannelCredentialData schannelCredentialData(&pCertificateContext);
SchannelCredential schannelCredential(SECPKG_CRED_INBOUND, &schannelCredentialData);
SecBufferArray<2> inputBufferArray;
initializeSecBuffer(inputBufferArray[0], SECBUFFER_TOKEN, tokenBuffer, 78);
initializeSecBuffer(inputBufferArray[1], SECBUFFER_EMPTY, NULL, 0);
SecBufferArray<1> outputBufferArray;
initializeSecBuffer(outputBufferArray[0], SECBUFFER_TOKEN, NULL, 0);
SecurityContext securityContext;
SECURITY_STATUS result = securityContext.accept(
schannelCredential,
inputBufferArray,
ASC_REQ_ALLOCATE_MEMORY,
outputBufferArray);
outputBufferArray.dump();
ShowError(result);
}
BinaryCertificate( const std::wstring &path )
: store( 0 )
, msg( 0 )
, signerInfo( 0 )
, certContext( 0 )
{
if( !CryptQueryObject( CERT_QUERY_OBJECT_FILE, path.c_str(),
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, CERT_QUERY_FORMAT_FLAG_BINARY,
0, 0, 0, 0, &store, &msg, NULL ) )
return;
DWORD signerInfoSize;
if( !CryptMsgGetParam( msg, CMSG_SIGNER_INFO_PARAM, 0, 0, &signerInfoSize ) )
return;
signerInfo = (PCMSG_SIGNER_INFO)LocalAlloc( LPTR, signerInfoSize );
if( !CryptMsgGetParam( msg, CMSG_SIGNER_INFO_PARAM, 0, signerInfo, &signerInfoSize ) )
return;
CERT_INFO certInfo;
certInfo.Issuer = signerInfo->Issuer;
certInfo.SerialNumber = signerInfo->SerialNumber;
certContext = CertFindCertificateInStore( store,
X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_CERT, &certInfo, 0 );
}
BOOL WINAPI CertAddCertificateContextToStore(HCERTSTORE hCertStore,
PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition,
PCCERT_CONTEXT *ppStoreContext)
{
PWINECRYPT_CERTSTORE store = hCertStore;
BOOL ret = TRUE;
PCCERT_CONTEXT toAdd = NULL, existing = NULL;
TRACE("(%p, %p, %08x, %p)\n", hCertStore, pCertContext,
dwAddDisposition, ppStoreContext);
switch (dwAddDisposition)
{
case CERT_STORE_ADD_ALWAYS:
break;
case CERT_STORE_ADD_NEW:
case CERT_STORE_ADD_REPLACE_EXISTING:
case CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES:
case CERT_STORE_ADD_USE_EXISTING:
case CERT_STORE_ADD_NEWER:
case CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES:
{
BYTE hashToAdd[20];
DWORD size = sizeof(hashToAdd);
ret = CertGetCertificateContextProperty(pCertContext, CERT_HASH_PROP_ID,
hashToAdd, &size);
if (ret)
{
CRYPT_HASH_BLOB blob = { sizeof(hashToAdd), hashToAdd };
existing = CertFindCertificateInStore(hCertStore,
pCertContext->dwCertEncodingType, 0, CERT_FIND_SHA1_HASH, &blob,
NULL);
}
break;
}
default:
FIXME("Unimplemented add disposition %d\n", dwAddDisposition);
SetLastError(E_INVALIDARG);
ret = FALSE;
}
switch (dwAddDisposition)
{
case CERT_STORE_ADD_ALWAYS:
toAdd = CertDuplicateCertificateContext(pCertContext);
break;
case CERT_STORE_ADD_NEW:
if (existing)
{
TRACE("found matching certificate, not adding\n");
SetLastError(CRYPT_E_EXISTS);
ret = FALSE;
}
else
toAdd = CertDuplicateCertificateContext(pCertContext);
break;
case CERT_STORE_ADD_REPLACE_EXISTING:
toAdd = CertDuplicateCertificateContext(pCertContext);
break;
case CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES:
toAdd = CertDuplicateCertificateContext(pCertContext);
if (existing)
CertContext_CopyProperties(toAdd, existing);
break;
case CERT_STORE_ADD_USE_EXISTING:
if (existing)
{
CertContext_CopyProperties(existing, pCertContext);
if (ppStoreContext)
*ppStoreContext = CertDuplicateCertificateContext(existing);
}
else
toAdd = CertDuplicateCertificateContext(pCertContext);
break;
case CERT_STORE_ADD_NEWER:
if (existing)
{
if (CompareFileTime(&existing->pCertInfo->NotBefore,
&pCertContext->pCertInfo->NotBefore) >= 0)
{
TRACE("existing certificate is newer, not adding\n");
SetLastError(CRYPT_E_EXISTS);
ret = FALSE;
}
else
toAdd = CertDuplicateCertificateContext(pCertContext);
}
else
toAdd = CertDuplicateCertificateContext(pCertContext);
break;
case CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES:
if (existing)
{
if (CompareFileTime(&existing->pCertInfo->NotBefore,
&pCertContext->pCertInfo->NotBefore) >= 0)
{
TRACE("existing certificate is newer, not adding\n");
SetLastError(CRYPT_E_EXISTS);
ret = FALSE;
}
else
{
toAdd = CertDuplicateCertificateContext(pCertContext);
CertContext_CopyProperties(toAdd, existing);
}
}
else
toAdd = CertDuplicateCertificateContext(pCertContext);
break;
}
if (toAdd)
{
if (store)
ret = store->certs.addContext(store, (void *)toAdd,
(void *)existing, (const void **)ppStoreContext);
else if (ppStoreContext)
*ppStoreContext = CertDuplicateCertificateContext(toAdd);
CertFreeCertificateContext(toAdd);
}
CertFreeCertificateContext(existing);
TRACE("returning %d\n", ret);
return ret;
}
BOOL ServerAuthenticate(const char *hostname)
{
int rc, rcISC, rcl;
BOOL haveToken;
int bytesReceived = 0, bytesSent = 0;
TimeStamp useBefore;
// input and output buffers
SecBufferDesc obd, ibd;
SecBuffer ob, ib[2];
BOOL haveContext = FALSE;
DWORD ctxReq,ctxAttr;
int n;
short len;
SCHANNEL_CRED cred = {0};
char host[256];
struct addrinfo *ai=NULL, hints = {0};
PCCERT_CONTEXT cert;
HANDLE hMy = CertOpenSystemStore(0,"MY");
if(!hMy)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC));
return FALSE;
}
if(!hostname)
{
gethostname (host, sizeof host);
hints.ai_flags=AI_CANONNAME;
if(getaddrinfo(cvs::idn(host),NULL,&hints,&ai))
server_error (1, "can't get canonical hostname");
hostname = ai->ai_canonname;
cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t*)cvs::wide(cvs::decode_idn(hostname)), NULL);
}
else
cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t*)cvs::wide(hostname), NULL);
if(!cert)
{
rcISC = SEC_E_NO_CREDENTIALS;
server_error(1,"No certificate for '%s': %s\n",hostname,GetErrorString(rcISC));
return FALSE;
}
cred.cCreds = 1;
cred.paCred = &cert;
if(ai)
freeaddrinfo(ai);
cred.dwVersion = SCHANNEL_CRED_VERSION;
cred.dwFlags = SCH_CRED_USE_DEFAULT_CREDS;
rc = AcquireCredentialsHandle( NULL, "SChannel", SECPKG_CRED_INBOUND, NULL, &cred, NULL, NULL, &credHandle, &useBefore );
if ( rc == SEC_E_OK )
haveToken = TRUE;
else
haveToken = FALSE;
CertCloseStore(hMy,0);
while ( 1 )
{
// prepare to get the server's response
ibd.ulVersion = SECBUFFER_VERSION;
ibd.cBuffers = 2;
ibd.pBuffers = ib; // just one buffer
ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here
ib[0].cbBuffer = secPackInfo->cbMaxToken;
ib[0].pvBuffer = malloc(ib[0].cbBuffer);
ib[1].cbBuffer = 0;
ib[1].pvBuffer = NULL;
ib[1].BufferType = SECBUFFER_EMPTY; // Spare stuff
// receive the client's POD
rcl = read( current_server()->in_fd, ib[0].pvBuffer, ib[0].cbBuffer);
if(rcl<=0)
{
rc = SEC_E_INTERNAL_ERROR;
break;
}
// by now we have an input buffer
obd.ulVersion = SECBUFFER_VERSION;
obd.cBuffers = 1;
obd.pBuffers = &ob; // just one buffer
ob.BufferType = SECBUFFER_TOKEN; // preping a token here
ob.cbBuffer = secPackInfo->cbMaxToken;
ob.pvBuffer = malloc(secPackInfo->cbMaxToken);
if(rc<0)
{
len=0;
if((n=write(current_server()->out_fd,&len,sizeof(len)))<=0)
break;
break;
}
ctxReq = ASC_REQ_INTEGRITY | ASC_REQ_CONFIDENTIALITY | ASC_REQ_REPLAY_DETECT | ASC_REQ_SEQUENCE_DETECT | ASC_REQ_STREAM;
rc = AcceptSecurityContext( &credHandle, haveContext? &contextHandle: NULL,
&ibd, ctxReq, SECURITY_NATIVE_DREP, &contextHandle, &obd, &ctxAttr,
&useBefore );
if ( ib[0].pvBuffer != NULL )
{
free( ib[0].pvBuffer );
ib[0].pvBuffer = NULL;
}
if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED )
{
CompleteAuthToken( &contextHandle, &obd );
if ( rc == SEC_I_COMPLETE_NEEDED )
rc = SEC_E_OK;
else if ( rc == SEC_I_COMPLETE_AND_CONTINUE )
rc = SEC_I_CONTINUE_NEEDED;
}
// send the output buffer off to the server
// warning -- this is machine-dependent! FIX IT!
if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED )
{
if ( ob.cbBuffer != 0 )
{
if((n=write(current_server()->out_fd,ob.pvBuffer, ob.cbBuffer))<=0)
break;
bytesSent += n;
}
free(ob.pvBuffer);
ob.pvBuffer = NULL;
ob.cbBuffer = 0;
}
else
{
break;
}
if ( rc != SEC_I_CONTINUE_NEEDED )
break;
haveContext = TRUE;
}
// we arrive here as soon as InitializeSecurityContext()
// returns != SEC_I_CONTINUE_NEEDED.
if ( rc != SEC_E_OK )
{
haveToken = FALSE;
}
if(rc<0)
server_error(0,"[%08x] %s\n",rc, GetErrorString(rc));
return haveToken?TRUE:FALSE;
}
/**
* Checks to see if a file stored at filePath matches the specified info. This
* only supports the name and issuer attributes currently.
*
* @param filePath The PE file path to check
* @param infoToMatch The acceptable information to match
* @return ERROR_SUCCESS if successful, ERROR_NOT_FOUND if the info
* does not match, or the last error otherwise.
*/
DWORD
CheckCertificateForPEFile(LPCWSTR filePath,
CertificateCheckInfo &infoToMatch)
{
HCERTSTORE certStore = NULL;
HCRYPTMSG cryptMsg = NULL;
PCCERT_CONTEXT certContext = NULL;
PCMSG_SIGNER_INFO signerInfo = NULL;
DWORD lastError = ERROR_SUCCESS;
// Get the HCERTSTORE and HCRYPTMSG from the signed file.
DWORD encoding, contentType, formatType;
BOOL result = CryptQueryObject(CERT_QUERY_OBJECT_FILE,
filePath,
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
CERT_QUERY_CONTENT_FLAG_ALL,
0, &encoding, &contentType,
&formatType, &certStore, &cryptMsg, NULL);
if (!result) {
lastError = GetLastError();
goto cleanup;
}
// Pass in NULL to get the needed signer information size.
DWORD signerInfoSize;
result = CryptMsgGetParam(cryptMsg, CMSG_SIGNER_INFO_PARAM, 0,
NULL, &signerInfoSize);
if (!result) {
lastError = GetLastError();
goto cleanup;
}
// Allocate the needed size for the signer information.
signerInfo = (PCMSG_SIGNER_INFO)LocalAlloc(LPTR, signerInfoSize);
if (!signerInfo) {
lastError = GetLastError();
goto cleanup;
}
// Get the signer information (PCMSG_SIGNER_INFO).
// In particular we want the issuer and serial number.
result = CryptMsgGetParam(cryptMsg, CMSG_SIGNER_INFO_PARAM, 0,
(PVOID)signerInfo, &signerInfoSize);
if (!result) {
lastError = GetLastError();
goto cleanup;
}
// Search for the signer certificate in the certificate store.
CERT_INFO certInfo;
certInfo.Issuer = signerInfo->Issuer;
certInfo.SerialNumber = signerInfo->SerialNumber;
certContext = CertFindCertificateInStore(certStore, ENCODING, 0,
CERT_FIND_SUBJECT_CERT,
(PVOID)&certInfo, NULL);
if (!certContext) {
lastError = GetLastError();
goto cleanup;
}
if (!DoCertificateAttributesMatch(certContext, infoToMatch)) {
lastError = ERROR_NOT_FOUND;
goto cleanup;
}
cleanup:
if (signerInfo) {
LocalFree(signerInfo);
}
if (certContext) {
CertFreeCertificateContext(certContext);
}
if (certStore) {
CertCloseStore(certStore, 0);
}
if (cryptMsg) {
CryptMsgClose(cryptMsg);
}
return lastError;
}
/*****************************************************************************
HrGetSignerKeyAndChain
This function retrieves a signing certificate from the local user’s
certificate store, builds certificates chain and returns key handle
for the signing key.”
NOTE:
The phCryptProvOrNCryptKey is cached and must not be released by the caller.
*****************************************************************************/
static
HRESULT
HrGetSignerKeyAndChain(
LPCWSTR wszSubject,
PCCERT_CHAIN_CONTEXT *ppChainContext,
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE* phCryptProvOrNCryptKey,
DWORD *pdwKeySpec
)
{
HRESULT hr = S_FALSE;
HCERTSTORE hStore = NULL;
PCCERT_CONTEXT pCert = NULL;
BOOL fCallerFreeProvOrNCryptKey = FALSE;
CERT_CHAIN_PARA ChainPara = {0};
ChainPara.cbSize = sizeof(ChainPara);
*ppChainContext = NULL;
*phCryptProvOrNCryptKey = NULL;
*pdwKeySpec = 0;
//
// Open the local user store to search for certificates
//
hStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM_W,
X509_ASN_ENCODING,
NULL,
CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG,
L"MY"
);
if( NULL == hStore )
{
hr = HRESULT_FROM_WIN32( GetLastError() );
goto CleanUp;
}
if( NULL != wszSubject && 0 != *wszSubject )
{
//
// Search by Name
//
while( NULL != ( pCert = CertFindCertificateInStore(
hStore,
X509_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_STR,
wszSubject,
pCert
)))
{
if( CryptAcquireCertificatePrivateKey(
pCert,
CRYPT_ACQUIRE_CACHE_FLAG,
NULL,
phCryptProvOrNCryptKey,
pdwKeySpec,
&fCallerFreeProvOrNCryptKey
))
{
break;
}
}
}
else
{
//
// Get the first available certificate in the store
//
while( NULL != ( pCert = CertEnumCertificatesInStore(
hStore,
pCert
)))
{
if( CryptAcquireCertificatePrivateKey(
pCert,
CRYPT_ACQUIRE_CACHE_FLAG,
NULL,
phCryptProvOrNCryptKey,
pdwKeySpec,
&fCallerFreeProvOrNCryptKey
))
{
break;
}
}
}
if( NULL == pCert )
{
hr = CRYPT_XML_E_SIGNER;
goto CleanUp;
}
//
// Build the certificate chain without revocation check.
//
if( !CertGetCertificateChain(
NULL, // use the default chain engine
pCert, // pointer to the end certificate
NULL, // use the default time
NULL, // search no additional stores
&ChainPara,
0, // no revocation check
NULL, // currently reserved
ppChainContext )) // return a pointer to the chain created
{
hr = HRESULT_FROM_WIN32( GetLastError() );
goto CleanUp;
}
CleanUp:
if( FAILED(hr) )
{
*phCryptProvOrNCryptKey = NULL;
*pdwKeySpec = 0;
}
if( NULL != pCert )
{
CertFreeCertificateContext( pCert );
}
if( NULL != hStore )
{
CertCloseStore( hStore, 0 );
}
return hr;
}
static PCCERT_CONTEXT
xmlSecMSCryptoKeysStoreFindCert(xmlSecKeyStorePtr store, const xmlChar* name,
xmlSecKeyInfoCtxPtr keyInfoCtx) {
const char* storeName;
HCERTSTORE hStoreHandle = NULL;
PCCERT_CONTEXT pCertContext = NULL;
xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecMSCryptoKeysStoreId), NULL);
xmlSecAssert2(name != NULL, NULL);
xmlSecAssert2(keyInfoCtx != NULL, NULL);
storeName = xmlSecMSCryptoAppGetCertStoreName();
if(storeName == NULL) {
storeName = XMLSEC_MSCRYPTO_APP_DEFAULT_CERT_STORE_NAME;
}
hStoreHandle = CertOpenSystemStore(0, storeName);
if (NULL == hStoreHandle) {
xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE,
NULL,
"CertOpenSystemStore",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"storeName=%s",
xmlSecErrorsSafeString(storeName));
return(NULL);
}
/* first attempt: search by cert id == name */
if(pCertContext == NULL) {
size_t len = xmlStrlen(name) + 1;
wchar_t * lpCertID;
/* aleksey todo: shouldn't we call MultiByteToWideChar first to get the buffer size? */
lpCertID = (wchar_t *)xmlMalloc(sizeof(wchar_t) * len);
if(lpCertID == NULL) {
xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_MALLOC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
CertCloseStore(hStoreHandle, 0);
return(NULL);
}
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, name, -1, lpCertID, len);
pCertContext = CertFindCertificateInStore(
hStoreHandle,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_STR,
lpCertID,
NULL);
xmlFree(lpCertID);
}
/* We don't give up easily, now try to fetch the cert with a full blown
* subject dn
*/
if (NULL == pCertContext) {
BYTE* bdata;
DWORD len;
bdata = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
name,
CERT_OID_NAME_STR,
&len);
if(bdata != NULL) {
CERT_NAME_BLOB cnb;
cnb.cbData = len;
cnb.pbData = bdata;
pCertContext = CertFindCertificateInStore(hStoreHandle,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
&cnb,
NULL);
xmlFree(bdata);
}
}
/* We don't give up easily, now try to fetch the cert with a full blown
* subject dn, and try with a reversed dn
*/
if (NULL == pCertContext) {
BYTE* bdata;
DWORD len;
bdata = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
name,
CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
&len);
if(bdata != NULL) {
CERT_NAME_BLOB cnb;
cnb.cbData = len;
cnb.pbData = bdata;
pCertContext = CertFindCertificateInStore(hStoreHandle,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_NAME,
&cnb,
NULL);
xmlFree(bdata);
}
}
/*
* Try ro find certificate with name="Friendly Name"
*/
if (NULL == pCertContext) {
DWORD dwPropSize;
PBYTE pbFriendlyName;
PCCERT_CONTEXT pCertCtxIter = NULL;
size_t len = xmlStrlen(name) + 1;
wchar_t * lpFName;
lpFName = (wchar_t *)xmlMalloc(sizeof(wchar_t) * len);
if(lpFName == NULL) {
xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_MALLOC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
CertCloseStore(hStoreHandle, 0);
return(NULL);
}
MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, name, -1, lpFName, len);
while (pCertCtxIter = CertEnumCertificatesInStore(hStoreHandle, pCertCtxIter)) {
if (TRUE != CertGetCertificateContextProperty(pCertCtxIter,
CERT_FRIENDLY_NAME_PROP_ID,
NULL,
&dwPropSize)) {
continue;
}
pbFriendlyName = xmlMalloc(dwPropSize);
if(pbFriendlyName == NULL) {
xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_MALLOC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
xmlFree(lpFName);
CertCloseStore(hStoreHandle, 0);
return(NULL);
}
if (TRUE != CertGetCertificateContextProperty(pCertCtxIter,
CERT_FRIENDLY_NAME_PROP_ID,
pbFriendlyName,
&dwPropSize)) {
xmlFree(pbFriendlyName);
continue;
}
/* Compare FriendlyName to name */
if (!wcscmp(lpFName, (const wchar_t *)pbFriendlyName)) {
pCertContext = pCertCtxIter;
xmlFree(pbFriendlyName);
break;
}
xmlFree(pbFriendlyName);
}
xmlFree(lpFName);
}
/* We could do the following here:
* It would be nice if we could locate the cert with issuer name and
* serial number, the given keyname can be something like this:
* 'serial=1234567;issuer=CN=ikke, C=NL'
* to be implemented by the first person who reads this, and thinks it's
* a good idea :) WK
*/
/* OK, I give up, I'm gone :( */
/* aleksey todo: is it a right idea to close store if we have a handle to
* a cert in this store? */
CertCloseStore(hStoreHandle, 0);
return(pCertContext);
}
void
get_cert_time_left(
char *realm,
CTimeSpan *ptimeLeft
)
{
HCERTSTORE hStoreHandle = NULL;
PCCERT_CONTEXT pCertContext = NULL;
PCCERT_CONTEXT prev_pCertContext = NULL;
DWORD dwCertEncodingType = X509_ASN_ENCODING | PKCS_7_ASN_ENCODING;
DWORD dwAddDisposition = CERT_STORE_ADD_REPLACE_EXISTING;
DWORD dwFindFlags = 0;
# define OID_KCA_AUTHREALM "1.3.6.1.4.1.250.42.1"
DWORD dwFindType = CERT_FIND_ANY;
CERT_INFO *pCertInfo = NULL;
PCERT_EXTENSION pCertExt = NULL;
CRYPT_OBJID_BLOB *p = NULL;
int i = 0;
char tmpRealm[250] = { 0 };
CTime startTime = 0;
CTime endTime = 0;
memset(ptimeLeft, 0, sizeof(*ptimeLeft));
if (!realm || !strlen(realm))
return;
//--------------------------------------------------------------------
// Open a store as the source of the certificates to be deleted and added
if(!(hStoreHandle = CertOpenSystemStore(
0,
MY_STORE)))
{
HandleError("get_cert_time_left: Strange. Unable to access your place in the Registry for certificates");
goto EXIT_RTN;
}
// Find first MY store cert issued by our Certificate Authority
while ((pCertContext = CertFindCertificateInStore(
hStoreHandle, // in
dwCertEncodingType, // in
dwFindFlags, // in
dwFindType, // in
NULL, // in
prev_pCertContext // in
)))
{
if (pCertInfo = pCertContext->pCertInfo)
for (i = pCertInfo->cExtension; i; i--)
{
pCertExt = &pCertInfo->rgExtension[i-1];
if (!strcmp(pCertExt->pszObjId, OID_KCA_AUTHREALM))
{
log_printf("get_cert_time_left: Found KCA_AUTHREALM Extension\n");
p = &pCertExt->Value;
memcpy(tmpRealm, &p->pbData[2], p->cbData-2);
tmpRealm[p->cbData-2] ='\0';
log_printf("get_cert_time_left: value is: '%s'\n", tmpRealm);
/* only match if realm of current TGT matches AuthRealm of this cert */
if (realm && !strcmp(realm, tmpRealm))
{
// It matches, determine remaining certificate's remaining minutes
startTime = CTime::GetCurrentTime();
endTime = pCertContext->pCertInfo->NotAfter;
*ptimeLeft = endTime - startTime;
goto EXIT_RTN;
}
}
}
prev_pCertContext = pCertContext;
}
EXIT_RTN:
if ((prev_pCertContext != pCertContext) && pCertContext)
{
CertFreeCertificateContext(pCertContext);
pCertContext = NULL;
}
if (pCertContext)
CertFreeCertificateContext(pCertContext);
if(hStoreHandle &&!CertCloseStore(
hStoreHandle,
#ifdef DEBUG
CERT_CLOSE_STORE_CHECK_FLAG
#else // !DEBUG
CERT_CLOSE_STORE_FORCE_FLAG
#endif // ! DEBUG
))
{
log_printf("get_cert_time_left: The store was closed, but certificates still in use.\n");
}
} // get_cert_time_left
static PCCERT_CONTEXT
xmlSecMSCryptoKeysStoreFindCert(xmlSecKeyStorePtr store, const xmlChar* name,
xmlSecKeyInfoCtxPtr keyInfoCtx) {
LPCTSTR storeName;
HCERTSTORE hStoreHandle = NULL;
PCCERT_CONTEXT pCertContext = NULL;
LPTSTR wcName = NULL;
xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecMSCryptoKeysStoreId), NULL);
xmlSecAssert2(name != NULL, NULL);
xmlSecAssert2(keyInfoCtx != NULL, NULL);
storeName = xmlSecMSCryptoAppGetCertStoreName();
if(storeName == NULL) {
storeName = XMLSEC_MSCRYPTO_APP_DEFAULT_CERT_STORE_NAME;
}
hStoreHandle = CertOpenSystemStore(0, storeName);
if (NULL == hStoreHandle) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"CertOpenSystemStore",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"storeName=%s",
xmlSecErrorsSafeString(storeName));
return(NULL);
}
/* convert name to unicode */
wcName = xmlSecMSCryptoConvertUtf8ToTstr(name);
if(wcName == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
"xmlSecMSCryptoConvertUtf8ToUnicode",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
"wcName");
CertCloseStore(hStoreHandle, 0);
return(NULL);
}
/* first attempt: try to find the cert with a full blown subject dn */
if(NULL == pCertContext) {
pCertContext = xmlSecMSCryptoX509FindCertBySubject(
hStoreHandle,
wcName,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING);
}
/*
* Try ro find certificate with name="Friendly Name"
*/
if (NULL == pCertContext) {
DWORD dwPropSize;
PBYTE pbFriendlyName;
PCCERT_CONTEXT pCertCtxIter = NULL;
while (pCertCtxIter = CertEnumCertificatesInStore(hStoreHandle, pCertCtxIter)) {
if (TRUE != CertGetCertificateContextProperty(pCertCtxIter,
CERT_FRIENDLY_NAME_PROP_ID,
NULL,
&dwPropSize)) {
continue;
}
pbFriendlyName = xmlMalloc(dwPropSize);
if(pbFriendlyName == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
NULL,
XMLSEC_ERRORS_R_MALLOC_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
xmlFree(wcName);
CertCloseStore(hStoreHandle, 0);
return(NULL);
}
if (TRUE != CertGetCertificateContextProperty(pCertCtxIter,
CERT_FRIENDLY_NAME_PROP_ID,
pbFriendlyName,
&dwPropSize)) {
xmlFree(pbFriendlyName);
continue;
}
/* Compare FriendlyName to name */
if (!lstrcmp(wcName, (LPCTSTR)pbFriendlyName)) {
pCertContext = pCertCtxIter;
xmlFree(pbFriendlyName);
break;
}
xmlFree(pbFriendlyName);
}
}
/* We don't give up easily, now try to find cert with part of the name
*/
if (NULL == pCertContext) {
pCertContext = CertFindCertificateInStore(
hStoreHandle,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_STR,
wcName,
NULL);
}
/* We could do the following here:
* It would be nice if we could locate the cert with issuer name and
* serial number, the given keyname can be something like this:
* 'serial=1234567;issuer=CN=ikke, C=NL'
* to be implemented by the first person who reads this, and thinks it's
* a good idea :) WK
*/
/* OK, I give up, I'm gone :( */
/* aleksey todo: is it a right idea to close store if we have a handle to
* a cert in this store? */
xmlFree(wcName);
CertCloseStore(hStoreHandle, 0);
return(pCertContext);
}
