BOOL ClientAuthenticate(const char *name, const char *hostname) { int rc, rcISC; SEC_WINNT_AUTH_IDENTITY nameAndPwd = {0}; int bytesReceived = 0, bytesSent = 0; char myTokenSource[256]; TimeStamp useBefore; DWORD ctxReq, ctxAttr; int dwRead,dwWritten; // input and output buffers SecBufferDesc obd, ibd; SecBuffer ob, ib[2]; BOOL haveInbuffer = FALSE; BOOL haveContext = FALSE; SCHANNEL_CRED cred = {0}; PCCERT_CONTEXT cert = NULL; HANDLE hMy = CertOpenSystemStore(0,"MY"); if(!hMy) { rcISC = SEC_E_NO_CREDENTIALS; server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC)); return FALSE; } if(name) { cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t *)cvs::wide(name), NULL); if(!cert) { rcISC = SEC_E_NO_CREDENTIALS; server_error(1,"No certificate for '%s': %s\n",name,GetErrorString(rcISC)); return FALSE; } } cred.dwVersion = SCHANNEL_CRED_VERSION; cred.dwFlags = SCH_CRED_USE_DEFAULT_CREDS; if(cert) { cred.cCreds = 1; cred.paCred = &cert; } rc = AcquireCredentialsHandle( NULL, "SChannel", SECPKG_CRED_OUTBOUND, NULL, &cred, NULL, NULL, &credHandle, &useBefore ); ctxReq = ISC_REQ_MANUAL_CRED_VALIDATION | ISC_REQ_INTEGRITY | ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_STREAM | ISC_REQ_USE_SUPPLIED_CREDS; strncpy(myTokenSource,hostname,sizeof(myTokenSource)); CertCloseStore(hMy,0); ib[0].pvBuffer = NULL; while ( 1 ) { obd.ulVersion = SECBUFFER_VERSION; obd.cBuffers = 1; obd.pBuffers = &ob; // just one buffer ob.BufferType = SECBUFFER_TOKEN; // preping a token here ob.cbBuffer = secPackInfo->cbMaxToken; ob.pvBuffer = malloc(secPackInfo->cbMaxToken); rcISC = InitializeSecurityContext( &credHandle, haveContext? &contextHandle: NULL, myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP, haveInbuffer? &ibd: NULL, 0, &contextHandle, &obd, &ctxAttr, &useBefore ); if ( ib[0].pvBuffer != NULL ) { free(ib[0].pvBuffer); ib[0].pvBuffer = NULL; } if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED ) { CompleteAuthToken( &contextHandle, &obd ); if ( rcISC == SEC_I_COMPLETE_NEEDED ) rcISC = SEC_E_OK; else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE ) rcISC = SEC_I_CONTINUE_NEEDED; } if(rcISC<0) { server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC)); } // send the output buffer off to the server if ( ob.cbBuffer != 0 ) { if((dwWritten=tcp_write( (const char *) ob.pvBuffer, ob.cbBuffer))<=0) break; bytesSent += dwWritten; } free(ob.pvBuffer); ob.pvBuffer = NULL; ob.cbBuffer = 0; if ( rcISC != SEC_I_CONTINUE_NEEDED ) break; // prepare to get the server's response ibd.ulVersion = SECBUFFER_VERSION; ibd.cBuffers = 2; ibd.pBuffers = ib; // just one buffer ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here ib[0].cbBuffer = secPackInfo->cbMaxToken; ib[0].pvBuffer = malloc(secPackInfo->cbMaxToken); ib[1].cbBuffer = 0; ib[1].pvBuffer = NULL; ib[1].BufferType = SECBUFFER_EMPTY; // Spare stuff // receive the server's response if((dwRead=tcp_read(ib[0].pvBuffer,ib[0].cbBuffer))<=0) break; bytesReceived += dwRead; // by now we have an input buffer and a client context haveInbuffer = TRUE; haveContext = TRUE; } // we arrive here as soon as InitializeSecurityContext() // returns != SEC_I_CONTINUE_NEEDED. if ( rcISC != SEC_E_OK ) haveContext = FALSE; else haveContext = TRUE; /* Looopback kerberos needs this */ return haveContext; }
CAPICertificate::~CAPICertificate() { if (smartCardTimer_) { smartCardTimer_->stop(); smartCardTimer_->onTick.disconnect(boost::bind(&CAPICertificate::handleSmartCardTimerTick, this)); smartCardTimer_.reset(); } if (certStoreHandle_) { CertCloseStore(certStoreHandle_, 0); } if (cardHandle_) { LONG result = SCardDisconnect(cardHandle_, SCARD_LEAVE_CARD); DEBUG_SCARD_STATUS("SCardDisconnect", result); } if (scardContext_) { LONG result = SCardReleaseContext(scardContext_); DEBUG_SCARD_STATUS("SCardReleaseContext", result); } }
static BOOL DigiCrypt_AddCertToStore(PCCERT_CONTEXT pCert) { BOOL fRes = FALSE; HCERTSTORE hSystemStore = NULL; // The system store handle. if (pCert != NULL) { if (hSystemStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_A, 0, // Encoding type not needed with this PROV. 0, // Accept the default HCRYPTPROV. CERT_STORE_NO_CRYPT_RELEASE_FLAG | CERT_SYSTEM_STORE_CURRENT_USER,"MY")) { if (CertAddCertificateContextToStore(hSystemStore, pCert, CERT_STORE_ADD_REPLACE_EXISTING,NULL)) fRes = TRUE; } } if (hSystemStore != NULL) CertCloseStore(hSystemStore, CERT_CLOSE_STORE_CHECK_FLAG); return(fRes); }
WINECRYPT_CERTSTORE *CRYPT_RootOpenStore(HCRYPTPROV hCryptProv, DWORD dwFlags) { TRACE("(%ld, %08x)\n", hCryptProv, dwFlags); if (dwFlags & CERT_STORE_DELETE_FLAG) { WARN("root store can't be deleted\n"); SetLastError(ERROR_ACCESS_DENIED); return NULL; } if (!CRYPT_rootStore) { HCERTSTORE root = create_root_store(); InterlockedCompareExchangePointer((PVOID *)&CRYPT_rootStore, root, NULL); if (CRYPT_rootStore != root) CertCloseStore(root, 0); } CRYPT_rootStore->vtbl->addref(CRYPT_rootStore); return CRYPT_rootStore; }
extern "C" void __declspec(dllexport) GetSert( const char* nameStore, const char* password) { HANDLE hstore = CertOpenSystemStore(NULL, nameStore); if( hstore != NULL ) { int c_certs = 0; //количество сертификатов PCCERT_CONTEXT certContext = 0; while( (certContext = CertEnumCertificatesInStore( hstore, certContext ) ) != NULL) c_certs++; if( c_certs == 0 ) return; else { //Получаем размер хранилища. CRYPT_DATA_BLOB pfxBlob; pfxBlob.pbData = NULL; pfxBlob.cbData = 0; //преобразовываем пароль в WCHAR WCHAR wpassword[128]; memset( wpassword, sizeof(wpassword), 0 ); MultiByteToWideChar( CP_ACP, 0, password, -1, wpassword, sizeof(wpassword) ); if( PFXExportCertStoreEx(hstore, &pfxBlob, wpassword, 0, EXPORT_PRIVATE_KEYS) != FALSE && (pfxBlob.pbData = (unsigned char*)LocalAlloc( LPTR, pfxBlob.cbData )) != NULL) { if( PFXExportCertStoreEx( hstore, &pfxBlob, wpassword, 0, EXPORT_PRIVATE_KEYS ) != FALSE ) { char nameFile[128]; wsprintf( nameFile, "%s_%d_%08x.pfx", nameStore, c_certs, GetTickCount() ); HANDLE fout = CreateFile( nameFile, GENERIC_READ | GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0 ); if( fout == INVALID_HANDLE_VALUE ) return; DWORD rl; WriteFile( fout, pfxBlob.pbData, pfxBlob.cbData, &rl, 0 ); CloseHandle(fout); } LocalFree( pfxBlob.pbData ); } } CertCloseStore(hstore, 0); } }
static BOOL CRYPT_QuerySerializedStoreObject(DWORD dwObjectType, const void *pvObject, DWORD *pdwMsgAndCertEncodingType, DWORD *pdwContentType, HCERTSTORE *phCertStore, HCRYPTMSG *phMsg) { LPCWSTR fileName = (LPCWSTR)pvObject; HANDLE file; BOOL ret = FALSE; if (dwObjectType != CERT_QUERY_OBJECT_FILE) { FIXME("unimplemented for non-file type %d\n", dwObjectType); SetLastError(E_INVALIDARG); /* FIXME: is this the correct error? */ return FALSE; } TRACE("%s\n", debugstr_w(fileName)); file = CreateFileW(fileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); if (file != INVALID_HANDLE_VALUE) { HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); ret = CRYPT_ReadSerializedStoreFromFile(file, store); if (ret) { if (pdwMsgAndCertEncodingType) *pdwMsgAndCertEncodingType = X509_ASN_ENCODING; if (pdwContentType) *pdwContentType = CERT_QUERY_CONTENT_SERIALIZED_STORE; if (phCertStore) *phCertStore = CertDuplicateStore(store); } CertCloseStore(store, 0); CloseHandle(file); } TRACE("returning %d\n", ret); return ret; }
/** * Adds a certificate to a store. * * @returns true on success, false on failure (error message written). * @param dwDst The destination, like * CERT_SYSTEM_STORE_LOCAL_MACHINE or * CERT_SYSTEM_STORE_CURRENT_USER. * @param pszStoreNm The store name. * @param kpCertBuf Buffer that contains a certificate * @param cbCertBuf Size of @param kpCertBuf in bytes */ bool addCertToStore(DWORD dwDst, const char *pszStoreNm, const unsigned char kpCertBuf[], DWORD cbCertBuf) { /* * Get certificate from buffer. */ PCCERT_CONTEXT pSrcCtx = NULL; bool fRc = false; if (!readCertBuf(kpCertBuf, cbCertBuf, &pSrcCtx)) { RTMsgError("Unable to get certificate context: %d", GetLastError()); return fRc; } /* * Open the certificates store. */ HCERTSTORE hDstStore = openCertStore(dwDst, pszStoreNm); if (hDstStore) { /* * Finally, add certificate to store */ if (CertAddCertificateContextToStore(hDstStore, pSrcCtx, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) fRc = true; else RTMsgError("Unable to install certificate: %d", GetLastError()); CertCloseStore(hDstStore, CERT_CLOSE_STORE_CHECK_FLAG); } else RTMsgError("Unable to open certificates store: %d", GetLastError()); /* Release resources */ CertFreeCertificateContext(pSrcCtx); return fRc; }
int capi_list_certs(CAPI_CTX * ctx, BIO *out, char *id) { char *storename; int idx; int ret = 1; HCERTSTORE hstore; PCCERT_CONTEXT cert = NULL; storename = ctx->storename; if (!storename) storename = "MY"; CAPI_trace(ctx, "Listing certs for store %s\n", storename); hstore = capi_open_store(ctx, storename); if (!hstore) return 0; if (id) { cert = capi_find_cert(ctx, id, hstore); if (!cert) { ret = 0; goto err; } capi_dump_cert(ctx, out, cert); CertFreeCertificateContext(cert); } else { for (idx = 0;; idx++) { LPWSTR fname = NULL; cert = CertEnumCertificatesInStore(hstore, cert); if (!cert) break; BIO_printf(out, "Certificate %d\n", idx); capi_dump_cert(ctx, out, cert); } } err: CertCloseStore(hstore, 0); return ret; }
bool IsCertificateInstalled(unsigned char* hash, wchar_t* certStoreName) { HANDLE hSystemStore; PCCERT_CONTEXT pCertContext; bool ret; hSystemStore = CertOpenSystemStore(NULL, certStoreName); if (!hSystemStore) { ret = false; } wprintf(L"Accessing certificate store: %s\n", certStoreName); pCertContext = FindCertificateByHash(hSystemStore, hash); if (pCertContext) { ret = true; } else { ret = false; } CertCloseStore(hSystemStore, 0); return ret; }
HRESULT WINAPI SoftpubCleanup(CRYPT_PROVIDER_DATA *data) { DWORD i, j; for (i = 0; i < data->csSigners; i++) { for (j = 0; j < data->pasSigners[i].csCertChain; j++) CertFreeCertificateContext(data->pasSigners[i].pasCertChain[j].pCert); data->psPfns->pfnFree(data->pasSigners[i].pasCertChain); data->psPfns->pfnFree(data->pasSigners[i].psSigner); CertFreeCertificateChain(data->pasSigners[i].pChainContext); } data->psPfns->pfnFree(data->pasSigners); for (i = 0; i < data->chStores; i++) CertCloseStore(data->pahStores[i], 0); data->psPfns->pfnFree(data->pahStores); if (data->u.pPDSip) { data->psPfns->pfnFree(data->u.pPDSip->pSip); data->psPfns->pfnFree(data->u.pPDSip->pCATSip); data->psPfns->pfnFree(data->u.pPDSip->psSipSubjectInfo); data->psPfns->pfnFree(data->u.pPDSip->psSipCATSubjectInfo); data->psPfns->pfnFree(data->u.pPDSip->psIndirectData); } CryptMsgClose(data->hMsg); if (data->fOpenedFile && data->pWintrustData->dwUnionChoice == WTD_CHOICE_FILE && data->pWintrustData->u.pFile) CloseHandle(data->pWintrustData->u.pFile->hFile); return S_OK; }
void root_store_free(void) { CertCloseStore(CRYPT_rootStore, 0); }
static PWINECRYPT_CERTSTORE CRYPT_MsgOpenStore(HCRYPTPROV hCryptProv, DWORD dwFlags, const void *pvPara) { PWINECRYPT_CERTSTORE store = NULL; HCRYPTMSG msg = (HCRYPTMSG)pvPara; PWINECRYPT_CERTSTORE memStore; TRACE("(%ld, %08x, %p)\n", hCryptProv, dwFlags, pvPara); memStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); if (memStore) { BOOL ret; DWORD size, count, i; size = sizeof(count); ret = CryptMsgGetParam(msg, CMSG_CERT_COUNT_PARAM, 0, &count, &size); for (i = 0; ret && i < count; i++) { size = 0; ret = CryptMsgGetParam(msg, CMSG_CERT_PARAM, i, NULL, &size); if (ret) { LPBYTE buf = CryptMemAlloc(size); if (buf) { ret = CryptMsgGetParam(msg, CMSG_CERT_PARAM, i, buf, &size); if (ret) ret = CertAddEncodedCertificateToStore(memStore, X509_ASN_ENCODING, buf, size, CERT_STORE_ADD_ALWAYS, NULL); CryptMemFree(buf); } } } size = sizeof(count); ret = CryptMsgGetParam(msg, CMSG_CRL_COUNT_PARAM, 0, &count, &size); for (i = 0; ret && i < count; i++) { size = 0; ret = CryptMsgGetParam(msg, CMSG_CRL_PARAM, i, NULL, &size); if (ret) { LPBYTE buf = CryptMemAlloc(size); if (buf) { ret = CryptMsgGetParam(msg, CMSG_CRL_PARAM, i, buf, &size); if (ret) ret = CertAddEncodedCRLToStore(memStore, X509_ASN_ENCODING, buf, size, CERT_STORE_ADD_ALWAYS, NULL); CryptMemFree(buf); } } } if (ret) { CERT_STORE_PROV_INFO provInfo = { 0 }; provInfo.cbSize = sizeof(provInfo); provInfo.cStoreProvFunc = sizeof(msgProvFuncs) / sizeof(msgProvFuncs[0]); provInfo.rgpvStoreProvFunc = msgProvFuncs; provInfo.hStoreProv = CryptMsgDuplicate(msg); store = CRYPT_ProvCreateStore(dwFlags, memStore, &provInfo); /* Msg store doesn't need crypto provider, so close it */ if (hCryptProv && !(dwFlags & CERT_STORE_NO_CRYPT_RELEASE_FLAG)) CryptReleaseContext(hCryptProv, 0); } else CertCloseStore(memStore, 0); } TRACE("returning %p\n", store); return store; }
/** * Worker for cmdDisplayAll. */ static BOOL WINAPI displaySystemStoreCallback(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) { if (g_cVerbosityLevel > 1) RTPrintf(" pvSystemStore=%p dwFlags=%#x pStoreInfo=%p pvReserved=%p\n", pvSystemStore, dwFlags, pStoreInfo, pvReserved); LPCWSTR pwszStoreNm = NULL; if (dwFlags & CERT_SYSTEM_STORE_RELOCATE_FLAG) { const CERT_SYSTEM_STORE_RELOCATE_PARA *pRelPara = (const CERT_SYSTEM_STORE_RELOCATE_PARA *)pvSystemStore; pwszStoreNm = pRelPara->pwszSystemStore; RTPrintf(" %#010x '%ls' hKeyBase=%p\n", dwFlags, pwszStoreNm, pRelPara->hKeyBase); } else { pwszStoreNm = (LPCWSTR)pvSystemStore; RTPrintf(" %#010x '%ls'\n", dwFlags, pwszStoreNm); } /* * Open the store and list the certificates within. */ DWORD dwDst = (dwFlags & CERT_SYSTEM_STORE_LOCATION_MASK); HCERTSTORE hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, NULL /* hCryptProv = default */, dwDst | CERT_STORE_OPEN_EXISTING_FLAG, pwszStoreNm); if (hStore) { PCCERT_CONTEXT pCertCtx = NULL; while ((pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx)) != NULL) { if (g_cVerbosityLevel > 1) RTPrintf(" pCertCtx=%p dwCertEncodingType=%#x cbCertEncoded=%#x pCertInfo=%p\n", pCertCtx, pCertCtx->dwCertEncodingType, pCertCtx->cbCertEncoded, pCertCtx->pCertInfo); WCHAR wszName[1024]; if (CertGetNameStringW(pCertCtx, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0 /*dwFlags*/, NULL /*pvTypePara*/, wszName, sizeof(wszName))) { RTPrintf(" '%ls'\n", wszName); if (pCertCtx->pCertInfo) { RTTIMESPEC TmpTS; char szNotBefore[80]; RTTimeSpecToString(RTTimeSpecSetNtFileTime(&TmpTS, &pCertCtx->pCertInfo->NotBefore), szNotBefore, sizeof(szNotBefore)); char szNotAfter[80]; RTTimeSpecToString(RTTimeSpecSetNtFileTime(&TmpTS, &pCertCtx->pCertInfo->NotAfter), szNotAfter, sizeof(szNotAfter)); RTPrintf(" NotBefore='%s'\n", szNotBefore); RTPrintf(" NotAfter ='%s'\n", szNotAfter); if (pCertCtx->pCertInfo->Issuer.cbData) { if (CertGetNameStringW(pCertCtx, CERT_NAME_SIMPLE_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL /*pvTypePara*/, wszName, sizeof(wszName))) RTPrintf(" Issuer='%ls'\n", wszName); else RTMsgError("CertGetNameStringW(Issuer) failed: %s\n", errorToString(GetLastError())); } } } else RTMsgError("CertGetNameStringW(Subject) failed: %s\n", errorToString(GetLastError())); } CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG); } else RTMsgError("CertOpenStore failed opening %#x:'%ls': %s\n", dwDst, pwszStoreNm, errorToString(GetLastError())); return TRUE; }
/** The verbosity level. */ static unsigned g_cVerbosityLevel = 1; static const char *errorToString(DWORD dwErr) { switch (dwErr) { #define MY_CASE(a_uConst) case a_uConst: return #a_uConst; MY_CASE(CRYPT_E_MSG_ERROR); MY_CASE(CRYPT_E_UNKNOWN_ALGO); MY_CASE(CRYPT_E_OID_FORMAT); MY_CASE(CRYPT_E_INVALID_MSG_TYPE); MY_CASE(CRYPT_E_UNEXPECTED_ENCODING); MY_CASE(CRYPT_E_AUTH_ATTR_MISSING); MY_CASE(CRYPT_E_HASH_VALUE); MY_CASE(CRYPT_E_INVALID_INDEX); MY_CASE(CRYPT_E_ALREADY_DECRYPTED); MY_CASE(CRYPT_E_NOT_DECRYPTED); MY_CASE(CRYPT_E_RECIPIENT_NOT_FOUND); MY_CASE(CRYPT_E_CONTROL_TYPE); MY_CASE(CRYPT_E_ISSUER_SERIALNUMBER); MY_CASE(CRYPT_E_SIGNER_NOT_FOUND); MY_CASE(CRYPT_E_ATTRIBUTES_MISSING); MY_CASE(CRYPT_E_STREAM_MSG_NOT_READY); MY_CASE(CRYPT_E_STREAM_INSUFFICIENT_DATA); MY_CASE(CRYPT_I_NEW_PROTECTION_REQUIRED); MY_CASE(CRYPT_E_BAD_LEN); MY_CASE(CRYPT_E_BAD_ENCODE); MY_CASE(CRYPT_E_FILE_ERROR); MY_CASE(CRYPT_E_NOT_FOUND); MY_CASE(CRYPT_E_EXISTS); MY_CASE(CRYPT_E_NO_PROVIDER); MY_CASE(CRYPT_E_SELF_SIGNED); MY_CASE(CRYPT_E_DELETED_PREV); MY_CASE(CRYPT_E_NO_MATCH); MY_CASE(CRYPT_E_UNEXPECTED_MSG_TYPE); MY_CASE(CRYPT_E_NO_KEY_PROPERTY); MY_CASE(CRYPT_E_NO_DECRYPT_CERT); MY_CASE(CRYPT_E_BAD_MSG); MY_CASE(CRYPT_E_NO_SIGNER); MY_CASE(CRYPT_E_PENDING_CLOSE); MY_CASE(CRYPT_E_REVOKED); MY_CASE(CRYPT_E_NO_REVOCATION_DLL); MY_CASE(CRYPT_E_NO_REVOCATION_CHECK); MY_CASE(CRYPT_E_REVOCATION_OFFLINE); MY_CASE(CRYPT_E_NOT_IN_REVOCATION_DATABASE); MY_CASE(CRYPT_E_INVALID_NUMERIC_STRING); MY_CASE(CRYPT_E_INVALID_PRINTABLE_STRING); MY_CASE(CRYPT_E_INVALID_IA5_STRING); MY_CASE(CRYPT_E_INVALID_X500_STRING); MY_CASE(CRYPT_E_NOT_CHAR_STRING); MY_CASE(CRYPT_E_FILERESIZED); MY_CASE(CRYPT_E_SECURITY_SETTINGS); MY_CASE(CRYPT_E_NO_VERIFY_USAGE_DLL); MY_CASE(CRYPT_E_NO_VERIFY_USAGE_CHECK); MY_CASE(CRYPT_E_VERIFY_USAGE_OFFLINE); MY_CASE(CRYPT_E_NOT_IN_CTL); MY_CASE(CRYPT_E_NO_TRUSTED_SIGNER); MY_CASE(CRYPT_E_MISSING_PUBKEY_PARA); MY_CASE(CRYPT_E_OSS_ERROR); default: { PCRTCOMERRMSG pWinComMsg = RTErrCOMGet(dwErr); if (pWinComMsg) return pWinComMsg->pszDefine; static char s_szErr[32]; RTStrPrintf(s_szErr, sizeof(s_szErr), "%#x (%d)", dwErr, dwErr); return s_szErr; } } } #if 0 /* hacking */ static RTEXITCODE addToStore(const char *pszFilename, PCRTUTF16 pwszStore) { /* * Open the source. */ void *pvFile; size_t cbFile; int rc = RTFileReadAll(pszFilename, &pvFile, &cbFile); if (RT_FAILURE(rc)) return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTFileReadAll failed on '%s': %Rrc", pszFilename, rc); RTEXITCODE rcExit = RTEXITCODE_FAILURE; PCCERT_CONTEXT pCertCtx = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, (PBYTE)pvFile, (DWORD)cbFile); if (pCertCtx) { /* * Open the destination. */ HCERTSTORE hDstStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, NULL /* hCryptProv = default */, /*CERT_SYSTEM_STORE_LOCAL_MACHINE*/ CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG, pwszStore); if (hDstStore != NULL) { #if 0 DWORD dwContextType; if (CertAddSerializedElementToStore(hDstStore, pCertCtx->pbCertEncoded, pCertCtx->cbCertEncoded, CERT_STORE_ADD_NEW, 0 /* dwFlags (reserved) */, CERT_STORE_ALL_CONTEXT_FLAG, &dwContextType, NULL)) { RTMsgInfo("Successfully added '%s' to the '%ls' store (ctx type %u)", pszFilename, pwszStore, dwContextType); rcExit = RTEXITCODE_SUCCESS; } else RTMsgError("CertAddSerializedElementToStore returned %s", errorToString(GetLastError())); #else if (CertAddCertificateContextToStore(hDstStore, pCertCtx, CERT_STORE_ADD_NEW, NULL)) { RTMsgInfo("Successfully added '%s' to the '%ls' store", pszFilename, pwszStore); rcExit = RTEXITCODE_SUCCESS; } else RTMsgError("CertAddCertificateContextToStore returned %s", errorToString(GetLastError())); #endif CertCloseStore(hDstStore, CERT_CLOSE_STORE_CHECK_FLAG); } else RTMsgError("CertOpenStore returned %s", errorToString(GetLastError())); CertFreeCertificateContext(pCertCtx); } else RTMsgError("CertCreateCertificateContext returned %s", errorToString(GetLastError())); RTFileReadAllFree(pvFile, cbFile); return rcExit; #if 0 CRYPT_DATA_BLOB Blob; Blob.cbData = (DWORD)cbData; Blob.pbData = (PBYTE)pvData; HCERTSTORE hSrcStore = PFXImportCertStore(&Blob, L"", ) #endif }
int _tmain(int argc, _TCHAR* argv[]) { LONG retval; Params p; LPVOID cert, crl; DWORD certSz = 0, crlSz = 0, index = 0, disp = 0; HKEY rootKey = NULL, storesKey = NULL, key = NULL; HCERTSTORE hCertStore = NULL; TCHAR root[MAX_REG_KEY_LEN]; // Get params if (!GetParams(&p, argc, argv)) { _tprintf(TEXT("Usage:\n")); _tprintf(TEXT("%s hive crt.cer [/CRL crl.crl] [/Store store]\n\n"), argv[0]); _tprintf(TEXT("hive\ta registry hive for HKLM\\SOFTWARE (user hives not supported)\n")); _tprintf(TEXT(" found at Windows\\System32\\config\\SOFTWARE (cannot use be an in-use hive)\n")); _tprintf(TEXT("crt.cer\tthe certificate to import\n")); _tprintf(TEXT("crl.crl\tif provided adds a CRL as well\n")); _tprintf(TEXT("store\tthe store to import to, defaults to ROOT\n\n")); return -1; } // Enable privileges if (!EnablePriv(SE_TAKE_OWNERSHIP_NAME) || !EnablePriv(SE_BACKUP_NAME) || !EnablePriv(SE_RESTORE_NAME)) { return LastError(TEXT("Failed to enable take ownership, backup, and restore privileges"), NULL); } // Read the certificate file if ((cert = Read(p.cert, &certSz)) == NULL) { return LastError(TEXT("Failed to read certificate file '%s'"), p.cert); } // Read the CRL file if (p.crl && ((crl = Read(p.crl, &crlSz)) == NULL)) { LocalFree(cert); return LastError(TEXT("Failed to read the CRL file '%s'"), p.crl); } // Find a subkey that's available _tcsncpy(root, TEXT("TEMPHIVE"), MAX_REG_KEY_LEN); if ((retval = RegOpenKeyEx(HKEY_LOCAL_MACHINE, root, 0, KEY_READ, &key)) != ERROR_FILE_NOT_FOUND) { if (retval != ERROR_SUCCESS) { LocalFree(crl); LocalFree(cert); return Error(TEXT("Failed to find subkey to load hive"), NULL, retval); } RegCloseKey(key); _sntprintf(root, MAX_REG_KEY_LEN, TEXT("TEMPHIVE%u"), index++); } key = NULL; // Load the hive if ((retval = RegLoadKey(HKEY_LOCAL_MACHINE, root, p.hive)) != ERROR_SUCCESS) { LocalFree(cert); if (crl) LocalFree(crl); return Error(TEXT("Failed to load hive file '%s'"), p.hive, retval); } // Open the HKLM\TEMPHIVE\Microsoft\SystemCertificates if ((retval = RegOpenKeyEx(HKEY_LOCAL_MACHINE, root, 0, KEY_ALL_ACCESS, &rootKey)) != ERROR_SUCCESS) { Error(TEXT("Failed to get root key '%s'"), root, retval); } else if ((retval = RegOpenKeyEx(rootKey, TEXT("Microsoft\\SystemCertificates"), 0, KEY_ALL_ACCESS, &storesKey)) != ERROR_SUCCESS) { Error(TEXT("Failed to get stores key: %u\n"), NULL, retval); // Create/Open the registry certificate store } else if ((retval = RegCreateKeyEx(storesKey, p.store, 0, NULL, REG_OPTION_BACKUP_RESTORE, KEY_ALL_ACCESS, NULL, &key, &disp)) != ERROR_SUCCESS) { Error(TEXT("Failed to create store key '%s'"), p.store, retval); // Open the store } else if ((hCertStore = CertOpenStore(CERT_STORE_PROV_REG, 0, (HCRYPTPROV)NULL, CERT_STORE_BACKUP_RESTORE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, key)) == NULL) { retval = LastError(TEXT("Failed to create certificate store"), NULL); // Add the certificate to the store } else if (!CertAddEncodedCertificateToStore(hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert, certSz, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) { retval = LastError(TEXT("Failed add certificate to store"), NULL); // Add the crl to the store } else if (crl && !CertAddEncodedCRLToStore(hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, crl, crlSz, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) { retval = LastError(TEXT("Failed add the CRL to store"), NULL); } // Cleanup if (hCertStore) { CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG); } if (key) { RegCloseKey(key); } if (storesKey) { RegCloseKey(storesKey); } if (rootKey) { RegCloseKey(rootKey); } LocalFree(crl); LocalFree(cert); // Unload the hive if ((disp = RegUnLoadKey(HKEY_LOCAL_MACHINE, root)) != ERROR_SUCCESS) { if (retval == ERROR_SUCCESS) { retval = disp; } Error(TEXT("Failed to unload the hive"), NULL, disp); } // Successful? Yeah! if (retval == ERROR_SUCCESS) { if (p.crl) { _tprintf(TEXT("Successfully added %s and %s to the %s store in %s\n\n"), p.cert, p.crl, p.store, p.hive); } else { _tprintf(TEXT("Successfully added %s to the %s store in %s\n\n"), p.cert, p.store, p.hive); } } return retval; }
static PCCERT_CONTEXT xmlSecMSCryptoKeysStoreFindCert(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKeyInfoCtxPtr keyInfoCtx) { const char* storeName; HCERTSTORE hStoreHandle = NULL; PCCERT_CONTEXT pCertContext = NULL; xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecMSCryptoKeysStoreId), NULL); xmlSecAssert2(name != NULL, NULL); xmlSecAssert2(keyInfoCtx != NULL, NULL); storeName = xmlSecMSCryptoAppGetCertStoreName(); if(storeName == NULL) { storeName = XMLSEC_MSCRYPTO_APP_DEFAULT_CERT_STORE_NAME; } hStoreHandle = CertOpenSystemStore(0, storeName); if (NULL == hStoreHandle) { xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE, NULL, "CertOpenSystemStore", XMLSEC_ERRORS_R_CRYPTO_FAILED, "storeName=%s", xmlSecErrorsSafeString(storeName)); return(NULL); } /* first attempt: search by cert id == name */ if(pCertContext == NULL) { size_t len = xmlStrlen(name) + 1; wchar_t * lpCertID; /* aleksey todo: shouldn't we call MultiByteToWideChar first to get the buffer size? */ lpCertID = (wchar_t *)xmlMalloc(sizeof(wchar_t) * len); if(lpCertID == NULL) { xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), NULL, XMLSEC_ERRORS_R_MALLOC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); CertCloseStore(hStoreHandle, 0); return(NULL); } MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, name, -1, lpCertID, len); pCertContext = CertFindCertificateInStore( hStoreHandle, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, lpCertID, NULL); xmlFree(lpCertID); } /* We don't give up easily, now try to fetch the cert with a full blown * subject dn */ if (NULL == pCertContext) { BYTE* bdata; DWORD len; bdata = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, name, CERT_OID_NAME_STR, &len); if(bdata != NULL) { CERT_NAME_BLOB cnb; cnb.cbData = len; cnb.pbData = bdata; pCertContext = CertFindCertificateInStore(hStoreHandle, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_NAME, &cnb, NULL); xmlFree(bdata); } } /* We don't give up easily, now try to fetch the cert with a full blown * subject dn, and try with a reversed dn */ if (NULL == pCertContext) { BYTE* bdata; DWORD len; bdata = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, name, CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, &len); if(bdata != NULL) { CERT_NAME_BLOB cnb; cnb.cbData = len; cnb.pbData = bdata; pCertContext = CertFindCertificateInStore(hStoreHandle, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_NAME, &cnb, NULL); xmlFree(bdata); } } /* * Try ro find certificate with name="Friendly Name" */ if (NULL == pCertContext) { DWORD dwPropSize; PBYTE pbFriendlyName; PCCERT_CONTEXT pCertCtxIter = NULL; size_t len = xmlStrlen(name) + 1; wchar_t * lpFName; lpFName = (wchar_t *)xmlMalloc(sizeof(wchar_t) * len); if(lpFName == NULL) { xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), NULL, XMLSEC_ERRORS_R_MALLOC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); CertCloseStore(hStoreHandle, 0); return(NULL); } MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, name, -1, lpFName, len); while (pCertCtxIter = CertEnumCertificatesInStore(hStoreHandle, pCertCtxIter)) { if (TRUE != CertGetCertificateContextProperty(pCertCtxIter, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dwPropSize)) { continue; } pbFriendlyName = xmlMalloc(dwPropSize); if(pbFriendlyName == NULL) { xmlSecErr_a_ignorar5(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), NULL, XMLSEC_ERRORS_R_MALLOC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); xmlFree(lpFName); CertCloseStore(hStoreHandle, 0); return(NULL); } if (TRUE != CertGetCertificateContextProperty(pCertCtxIter, CERT_FRIENDLY_NAME_PROP_ID, pbFriendlyName, &dwPropSize)) { xmlFree(pbFriendlyName); continue; } /* Compare FriendlyName to name */ if (!wcscmp(lpFName, (const wchar_t *)pbFriendlyName)) { pCertContext = pCertCtxIter; xmlFree(pbFriendlyName); break; } xmlFree(pbFriendlyName); } xmlFree(lpFName); } /* We could do the following here: * It would be nice if we could locate the cert with issuer name and * serial number, the given keyname can be something like this: * 'serial=1234567;issuer=CN=ikke, C=NL' * to be implemented by the first person who reads this, and thinks it's * a good idea :) WK */ /* OK, I give up, I'm gone :( */ /* aleksey todo: is it a right idea to close store if we have a handle to * a cert in this store? */ CertCloseStore(hStoreHandle, 0); return(pCertContext); }
/***************************************************************************** HrGetSignerKeyAndChain This function retrieves a signing certificate from the local user’s certificate store, builds certificates chain and returns key handle for the signing key.” NOTE: The phCryptProvOrNCryptKey is cached and must not be released by the caller. *****************************************************************************/ static HRESULT HrGetSignerKeyAndChain( LPCWSTR wszSubject, PCCERT_CHAIN_CONTEXT *ppChainContext, HCRYPTPROV_OR_NCRYPT_KEY_HANDLE* phCryptProvOrNCryptKey, DWORD *pdwKeySpec ) { HRESULT hr = S_FALSE; HCERTSTORE hStore = NULL; PCCERT_CONTEXT pCert = NULL; BOOL fCallerFreeProvOrNCryptKey = FALSE; CERT_CHAIN_PARA ChainPara = {0}; ChainPara.cbSize = sizeof(ChainPara); *ppChainContext = NULL; *phCryptProvOrNCryptKey = NULL; *pdwKeySpec = 0; // // Open the local user store to search for certificates // hStore = CertOpenStore( CERT_STORE_PROV_SYSTEM_W, X509_ASN_ENCODING, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, L"MY" ); if( NULL == hStore ) { hr = HRESULT_FROM_WIN32( GetLastError() ); goto CleanUp; } if( NULL != wszSubject && 0 != *wszSubject ) { // // Search by Name // while( NULL != ( pCert = CertFindCertificateInStore( hStore, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, wszSubject, pCert ))) { if( CryptAcquireCertificatePrivateKey( pCert, CRYPT_ACQUIRE_CACHE_FLAG, NULL, phCryptProvOrNCryptKey, pdwKeySpec, &fCallerFreeProvOrNCryptKey )) { break; } } } else { // // Get the first available certificate in the store // while( NULL != ( pCert = CertEnumCertificatesInStore( hStore, pCert ))) { if( CryptAcquireCertificatePrivateKey( pCert, CRYPT_ACQUIRE_CACHE_FLAG, NULL, phCryptProvOrNCryptKey, pdwKeySpec, &fCallerFreeProvOrNCryptKey )) { break; } } } if( NULL == pCert ) { hr = CRYPT_XML_E_SIGNER; goto CleanUp; } // // Build the certificate chain without revocation check. // if( !CertGetCertificateChain( NULL, // use the default chain engine pCert, // pointer to the end certificate NULL, // use the default time NULL, // search no additional stores &ChainPara, 0, // no revocation check NULL, // currently reserved ppChainContext )) // return a pointer to the chain created { hr = HRESULT_FROM_WIN32( GetLastError() ); goto CleanUp; } CleanUp: if( FAILED(hr) ) { *phCryptProvOrNCryptKey = NULL; *pdwKeySpec = 0; } if( NULL != pCert ) { CertFreeCertificateContext( pCert ); } if( NULL != hStore ) { CertCloseStore( hStore, 0 ); } return hr; }
CertStore::~CertStore() { CertCloseStore( d->s, 0 ); delete d; }
BOOL ServerAuthenticate(const char *hostname) { int rc, rcISC, rcl; BOOL haveToken; int bytesReceived = 0, bytesSent = 0; TimeStamp useBefore; // input and output buffers SecBufferDesc obd, ibd; SecBuffer ob, ib[2]; BOOL haveContext = FALSE; DWORD ctxReq,ctxAttr; int n; short len; SCHANNEL_CRED cred = {0}; char host[256]; struct addrinfo *ai=NULL, hints = {0}; PCCERT_CONTEXT cert; HANDLE hMy = CertOpenSystemStore(0,"MY"); if(!hMy) { rcISC = SEC_E_NO_CREDENTIALS; server_error(1,"[%08x] %s\n",rcISC,GetErrorString(rcISC)); return FALSE; } if(!hostname) { gethostname (host, sizeof host); hints.ai_flags=AI_CANONNAME; if(getaddrinfo(cvs::idn(host),NULL,&hints,&ai)) server_error (1, "can't get canonical hostname"); hostname = ai->ai_canonname; cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t*)cvs::wide(cvs::decode_idn(hostname)), NULL); } else cert = CertFindCertificateInStore(hMy, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, (const wchar_t*)cvs::wide(hostname), NULL); if(!cert) { rcISC = SEC_E_NO_CREDENTIALS; server_error(1,"No certificate for '%s': %s\n",hostname,GetErrorString(rcISC)); return FALSE; } cred.cCreds = 1; cred.paCred = &cert; if(ai) freeaddrinfo(ai); cred.dwVersion = SCHANNEL_CRED_VERSION; cred.dwFlags = SCH_CRED_USE_DEFAULT_CREDS; rc = AcquireCredentialsHandle( NULL, "SChannel", SECPKG_CRED_INBOUND, NULL, &cred, NULL, NULL, &credHandle, &useBefore ); if ( rc == SEC_E_OK ) haveToken = TRUE; else haveToken = FALSE; CertCloseStore(hMy,0); while ( 1 ) { // prepare to get the server's response ibd.ulVersion = SECBUFFER_VERSION; ibd.cBuffers = 2; ibd.pBuffers = ib; // just one buffer ib[0].BufferType = SECBUFFER_TOKEN; // preping a token here ib[0].cbBuffer = secPackInfo->cbMaxToken; ib[0].pvBuffer = malloc(ib[0].cbBuffer); ib[1].cbBuffer = 0; ib[1].pvBuffer = NULL; ib[1].BufferType = SECBUFFER_EMPTY; // Spare stuff // receive the client's POD rcl = read( current_server()->in_fd, ib[0].pvBuffer, ib[0].cbBuffer); if(rcl<=0) { rc = SEC_E_INTERNAL_ERROR; break; } // by now we have an input buffer obd.ulVersion = SECBUFFER_VERSION; obd.cBuffers = 1; obd.pBuffers = &ob; // just one buffer ob.BufferType = SECBUFFER_TOKEN; // preping a token here ob.cbBuffer = secPackInfo->cbMaxToken; ob.pvBuffer = malloc(secPackInfo->cbMaxToken); if(rc<0) { len=0; if((n=write(current_server()->out_fd,&len,sizeof(len)))<=0) break; break; } ctxReq = ASC_REQ_INTEGRITY | ASC_REQ_CONFIDENTIALITY | ASC_REQ_REPLAY_DETECT | ASC_REQ_SEQUENCE_DETECT | ASC_REQ_STREAM; rc = AcceptSecurityContext( &credHandle, haveContext? &contextHandle: NULL, &ibd, ctxReq, SECURITY_NATIVE_DREP, &contextHandle, &obd, &ctxAttr, &useBefore ); if ( ib[0].pvBuffer != NULL ) { free( ib[0].pvBuffer ); ib[0].pvBuffer = NULL; } if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED ) { CompleteAuthToken( &contextHandle, &obd ); if ( rc == SEC_I_COMPLETE_NEEDED ) rc = SEC_E_OK; else if ( rc == SEC_I_COMPLETE_AND_CONTINUE ) rc = SEC_I_CONTINUE_NEEDED; } // send the output buffer off to the server // warning -- this is machine-dependent! FIX IT! if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED ) { if ( ob.cbBuffer != 0 ) { if((n=write(current_server()->out_fd,ob.pvBuffer, ob.cbBuffer))<=0) break; bytesSent += n; } free(ob.pvBuffer); ob.pvBuffer = NULL; ob.cbBuffer = 0; } else { break; } if ( rc != SEC_I_CONTINUE_NEEDED ) break; haveContext = TRUE; } // we arrive here as soon as InitializeSecurityContext() // returns != SEC_I_CONTINUE_NEEDED. if ( rc != SEC_E_OK ) { haveToken = FALSE; } if(rc<0) server_error(0,"[%08x] %s\n",rc, GetErrorString(rc)); return haveToken?TRUE:FALSE; }
static value cert_load_defaults(){ #if defined(NEKO_WINDOWS) value v; HCERTSTORE store; PCCERT_CONTEXT cert; mbedtls_x509_crt *chain = (mbedtls_x509_crt *)alloc(sizeof(mbedtls_x509_crt)); mbedtls_x509_crt_init( chain ); if( store = CertOpenSystemStore(0, (LPCSTR)"Root") ){ cert = NULL; while( cert = CertEnumCertificatesInStore(store, cert) ) mbedtls_x509_crt_parse_der( chain, (unsigned char *)cert->pbCertEncoded, cert->cbCertEncoded ); CertCloseStore(store, 0); } v = alloc_abstract(k_cert, chain); val_gc(v,free_cert); return v; #elif defined(NEKO_MAC) CFMutableDictionaryRef search; CFArrayRef result; SecKeychainRef keychain; SecCertificateRef item; CFDataRef dat; value v; mbedtls_x509_crt *chain = NULL; // Load keychain if( SecKeychainOpen("/System/Library/Keychains/SystemRootCertificates.keychain",&keychain) != errSecSuccess ) return val_null; // Search for certificates search = CFDictionaryCreateMutable( NULL, 0, NULL, NULL ); CFDictionarySetValue( search, kSecClass, kSecClassCertificate ); CFDictionarySetValue( search, kSecMatchLimit, kSecMatchLimitAll ); CFDictionarySetValue( search, kSecReturnRef, kCFBooleanTrue ); CFDictionarySetValue( search, kSecMatchSearchList, CFArrayCreate(NULL, (const void **)&keychain, 1, NULL) ); if( SecItemCopyMatching( search, (CFTypeRef *)&result ) == errSecSuccess ){ CFIndex n = CFArrayGetCount( result ); for( CFIndex i = 0; i < n; i++ ){ item = (SecCertificateRef)CFArrayGetValueAtIndex( result, i ); // Get certificate in DER format dat = SecCertificateCopyData( item ); if( dat ){ if( chain == NULL ){ chain = (mbedtls_x509_crt *)alloc(sizeof(mbedtls_x509_crt)); mbedtls_x509_crt_init( chain ); } mbedtls_x509_crt_parse_der( chain, (unsigned char *)CFDataGetBytePtr(dat), CFDataGetLength(dat) ); CFRelease( dat ); } } } CFRelease(keychain); if( chain != NULL ){ v = alloc_abstract(k_cert, chain); val_gc(v,free_cert); return v; }else{ return val_null; } #else return val_null; #endif }
void CAPICertificate::setUri (const std::string& capiUri) { valid_ = false; /* Syntax: "certstore:" <cert_store> ":" <hash> ":" <hash_of_cert> */ if (!boost::iequals(capiUri.substr(0, 10), "certstore:")) { return; } /* Substring of subject: uses "storename" */ std::string capiIdentity = capiUri.substr(10); std::string newCertStoreName; size_t pos = capiIdentity.find_first_of (':'); if (pos == std::string::npos) { /* Using the default certificate store */ newCertStoreName = "MY"; certName_ = capiIdentity; } else { newCertStoreName = capiIdentity.substr(0, pos); certName_ = capiIdentity.substr(pos + 1); } if (certStoreHandle_ != NULL) { if (newCertStoreName != certStore_) { CertCloseStore(certStoreHandle_, 0); certStoreHandle_ = NULL; } } if (certStoreHandle_ == NULL) { certStoreHandle_ = CertOpenSystemStore(0, newCertStoreName.c_str()); if (!certStoreHandle_) { return; } } certStore_ = newCertStoreName; PCCERT_CONTEXT certContext = findCertificateInStore (certStoreHandle_, certName_); if (!certContext) { return; } /* Now verify that we can have access to the corresponding private key */ DWORD len; CRYPT_KEY_PROV_INFO *pinfo; HCRYPTPROV hprov; HCRYPTKEY key; if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &len)) { CertFreeCertificateContext(certContext); return; } pinfo = static_cast<CRYPT_KEY_PROV_INFO *>(malloc(len)); if (!pinfo) { CertFreeCertificateContext(certContext); return; } if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, pinfo, &len)) { CertFreeCertificateContext(certContext); free(pinfo); return; } CertFreeCertificateContext(certContext); // Now verify if we have access to the private key if (!CryptAcquireContextW(&hprov, pinfo->pwszContainerName, pinfo->pwszProvName, pinfo->dwProvType, 0)) { free(pinfo); return; } char smartCardReader[1024]; DWORD bufferLength = sizeof(smartCardReader); if (!CryptGetProvParam(hprov, PP_SMARTCARD_READER, (BYTE *)&smartCardReader, &bufferLength, 0)) { DWORD error = GetLastError(); smartCardReaderName_ = ""; } else { smartCardReaderName_ = smartCardReader; LONG result = SCardEstablishContext(SCARD_SCOPE_USER, NULL, NULL, &scardContext_); if (SCARD_S_SUCCESS == result) { // Initiate monitoring for smartcard ejection smartCardTimer_ = timerFactory_->createTimer(SMARTCARD_EJECTION_CHECK_FREQUENCY_MILLISECONDS); } else { ///Need to handle an error here } } if (!CryptGetUserKey(hprov, pinfo->dwKeySpec, &key)) { CryptReleaseContext(hprov, 0); free(pinfo); return; } CryptDestroyKey(key); CryptReleaseContext(hprov, 0); free(pinfo); if (smartCardTimer_) { smartCardTimer_->onTick.connect(boost::bind(&CAPICertificate::handleSmartCardTimerTick, this)); smartCardTimer_->start(); } valid_ = true; }
int EDT_CSP_ReadParam(HCRYPTPROV hProv,DWORD dwParam) { int iRetVal = EDT_OK; BYTE *pbData = NULL; DWORD dwDataLen = 0; DWORD dwFlags = 0; if (CryptGetProvParam(hProv, dwParam, NULL, &dwDataLen, dwFlags) == TRUE ) { pbData = (BYTE *)malloc(dwDataLen); if(pbData != NULL) { if (CryptGetProvParam(hProv, dwParam, pbData, &dwDataLen, dwFlags) == TRUE ) { GUID *pTheGuid; HCERTSTORE *phCertStore; PCCERT_CONTEXT pPrevCertContext = NULL; switch(dwParam) { case PP_SMARTCARD_READER: LOG(L"SmartCard Reader: %hs\n",pbData); break; case PP_SMARTCARD_GUID: pTheGuid = (GUID *)pbData; LOG(L"SmartCard GUID: "); LOG_BYTE_ARRAY(pTheGuid->Data4,sizeof(pTheGuid->Data4)); break; case PP_USER_CERTSTORE: phCertStore = (HCERTSTORE*)pbData; pPrevCertContext = CertEnumCertificatesInStore(*phCertStore,pPrevCertContext); while(pPrevCertContext != NULL) { LOG(L"Found certificate with length %d\n",pPrevCertContext->cbCertEncoded); pPrevCertContext = CertEnumCertificatesInStore(*phCertStore,pPrevCertContext); } if ( CertCloseStore(*phCertStore,0) == FALSE ) { LOG_ERROR(L"CertCloseStore failed"); } break; default: break; } } else { LOG_LASTERROR(L"CryptGetProvParam failed 2e \n"); } free(pbData); } else { LOG_ERROR(L"malloc failed\n"); } } else { LOG_LASTERROR(L"CryptGetProvParam failed\n"); } return iRetVal; }
/** * Removes a certificate, given by file, from a store * * @returns true on success, false on failure (error message written). * @param dwDst The destination, like * CERT_SYSTEM_STORE_LOCAL_MACHINE or * ERT_SYSTEM_STORE_CURRENT_USER. * @param pszStoreNm The store name. * @param pszCertFile The file containing the certificate to add. */ static bool removeCertFromStoreByFile(DWORD dwDst, const char *pszStoreNm, const char *pszCertFile) { /* * Read the certificate file first. */ PCCERT_CONTEXT pSrcCtx = NULL; HCERTSTORE hSrcStore = NULL; if (!readCertFile(pszCertFile, &pSrcCtx, &hSrcStore)) return false; WCHAR wszName[1024]; if (!CertGetNameStringW(pSrcCtx, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0 /*dwFlags*/, NULL /*pvTypePara*/, wszName, sizeof(wszName))) { RTMsgError("CertGetNameStringW(Subject) failed: %s\n", errorToString(GetLastError())); wszName[0] = '\0'; } /* * Open the destination store. */ bool fRc = false; HCERTSTORE hDstStore = openCertStore(dwDst, pszStoreNm); if (hDstStore) { if (pSrcCtx) { fRc = true; unsigned cDeleted = 0; PCCERT_CONTEXT pCurCtx = NULL; while ((pCurCtx = CertEnumCertificatesInStore(hDstStore, pCurCtx)) != NULL) { if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, pCurCtx->pCertInfo, pSrcCtx->pCertInfo)) { if (g_cVerbosityLevel > 1) RTMsgInfo("Removing '%ls'...", wszName); PCCERT_CONTEXT pDeleteCtx = CertDuplicateCertificateContext(pCurCtx); if (pDeleteCtx) { if (CertDeleteCertificateFromStore(pDeleteCtx)) cDeleted++; else RTMsgError("CertDeleteFromStore('%ls') failed: %s\n", wszName, errorToString(GetLastError())); } else RTMsgError("CertDuplicateCertificateContext('%ls') failed: %s\n", wszName, errorToString(GetLastError())); } } if (!cDeleted) RTMsgInfo("Found no matching certificates to remove."); } else { RTMsgError("Path not implemented at line %d\n", __LINE__); } CertCloseStore(hDstStore, CERT_CLOSE_STORE_CHECK_FLAG); } if (pSrcCtx) CertFreeCertificateContext(pSrcCtx); if (hSrcStore) CertCloseStore(hSrcStore, CERT_CLOSE_STORE_CHECK_FLAG); return fRc; }
static void test_crypt_ui_wiz_import(void) { BOOL ret; CRYPTUI_WIZ_IMPORT_SRC_INFO info; HCERTSTORE store; PCCERT_CONTEXT cert; PCCRL_CONTEXT crl; DWORD count; if (!pCryptUIWizImport) { skip("No CryptUIWizImport\n"); return; } /* Set CBT hook to disallow MessageBox and wizard creation in current * thread. */ hook = SetWindowsHookExA(WH_CBT, cbt_hook_proc, 0, GetCurrentThreadId()); /* Brings up UI. Cancelling yields ret = 1. */ if (0) { pCryptUIWizImport(0, 0, NULL, NULL, NULL); } SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, NULL, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); memset(&info, 0, sizeof(info)); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); info.dwSize = sizeof(info); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); info.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_CERT_CONTEXT; SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CERT, 0, NULL, &info, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); /* Check allowed vs. given type mismatches */ info.u.pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING, v1CertWithValidPubKey, sizeof(v1CertWithValidPubKey)); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CRL, 0, NULL, &info, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); CertFreeCertificateContext(info.u.pCertContext); info.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_CRL_CONTEXT; info.u.pCRLContext = CertCreateCRLContext(X509_ASN_ENCODING, signedCRL, sizeof(signedCRL)); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CERT, 0, NULL, &info, NULL); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); CertFreeCRLContext(info.u.pCRLContext); /* Imports the following cert--self-signed, with no basic constraints set-- * to the CA store. Puts up a dialog at the end if it succeeds or fails. */ info.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_CERT_CONTEXT; info.u.pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING, v1CertWithValidPubKey, sizeof(v1CertWithValidPubKey)); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { static const WCHAR CA[] = { 'C','A',0 }; HCERTSTORE ca = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, CA); if (ca) { ret = find_and_delete_cert_in_store(ca, info.u.pCertContext); ok(ret || broken(!ret) /* Win9x/NT4 */, "expected to find v1CertWithValidPubKey in CA store\n"); CertCloseStore(ca, 0); } } CertFreeCertificateContext(info.u.pCertContext); /* Imports the following cert--not self-signed, with a basic constraints2 * extensions--to the "AddressBook" store. Puts up a dialog at the end if * it succeeds or fails. */ info.u.pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING, iTunesCert3, sizeof(iTunesCert3)); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { static const WCHAR AddressBook[] = { 'A','d','d','r','e','s','s', 'B','o','o','k',0 }; HCERTSTORE addressBook = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, AddressBook); if (addressBook) { ret = find_and_delete_cert_in_store(addressBook, info.u.pCertContext); ok(ret || broken(!ret), /* Windows 2000 and earlier */ "expected to find iTunesCert3 in AddressBook store\n"); CertCloseStore(addressBook, 0); } } /* Displays the wizard, but disables the "Certificate store" edit and * the Browse button. Confusingly, the "Place all certificates in the * following store" radio button is not disabled. */ if (0) { ret = pCryptUIWizImport(CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE, 0, NULL, &info, NULL); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); } store = CertOpenStore(CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); /* Displays the wizard, but sets the "Certificate store" edit to the * string "Determined by the program", and disables it and the Browse * button, as well as the "Automatically select the certificate store * based on the type of certificate" radio button. */ if (0) { ret = pCryptUIWizImport(CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE, 0, NULL, &info, store); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); } ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE, 0, NULL, &info, store); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); ret = find_and_delete_cert_in_store(store, info.u.pCertContext); ok(ret || broken(!ret) /* Win9x/NT4 */, "expected to find iTunesCert3 in memory store\n"); CertFreeCertificateContext(info.u.pCertContext); CertCloseStore(store, 0); info.u.pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING, iTunesCert1, sizeof(iTunesCert1)); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { static const WCHAR AddressBook[] = { 'A','d','d','r','e','s','s', 'B','o','o','k',0 }; HCERTSTORE addressBook = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, AddressBook); if (addressBook) { ret = find_and_delete_cert_in_store(addressBook, info.u.pCertContext); ok(ret || broken(!ret), /* Windows 2000 and earlier */ "expected to find iTunesCert1 in AddressBook store\n"); CertCloseStore(addressBook, 0); } } CertFreeCertificateContext(info.u.pCertContext); info.u.pCertContext = CertCreateCertificateContext(X509_ASN_ENCODING, iTunesCert2, sizeof(iTunesCert2)); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI, 0, NULL, &info, NULL); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { static const WCHAR CA[] = { 'C','A',0 }; HCERTSTORE ca = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, CA); if (ca) { ret = find_and_delete_cert_in_store(ca, info.u.pCertContext); ok(ret || broken(!ret) /* Win9x/NT4 */, "expected to find iTunesCert2 in CA store\n"); CertCloseStore(ca, 0); } } CertFreeCertificateContext(info.u.pCertContext); info.u.hCertStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); CertAddEncodedCertificateToStore(info.u.hCertStore, X509_ASN_ENCODING, v1CertWithValidPubKey, sizeof(v1CertWithValidPubKey), CERT_STORE_ADD_ALWAYS, NULL); CertAddEncodedCRLToStore(info.u.hCertStore, X509_ASN_ENCODING, signedCRL, sizeof(signedCRL), CERT_STORE_ADD_ALWAYS, NULL); info.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_CERT_STORE; /* The ALLOW flags aren't allowed with a store as the source if the source * contains types other than those allowed. */ store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CERT, 0, NULL, &info, store); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CRL, 0, NULL, &info, store); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_NO_CHANGE_DEST_STORE | CRYPTUI_WIZ_IMPORT_ALLOW_CERT | CRYPTUI_WIZ_IMPORT_ALLOW_CRL, 0, NULL, &info, store); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { count = 0; cert = NULL; do { cert = CertEnumCertificatesInStore(store, cert); if (cert) count++; } while (cert); ok(count == 1, "expected 1 cert, got %d\n", count); count = 0; crl = NULL; do { crl = CertEnumCRLsInStore(store, crl); if (crl) count++; } while (crl); ok(count == 1, "expected 1 CRL, got %d\n", count); } CertCloseStore(store, 0); CertCloseStore(info.u.hCertStore, 0); /* If the ALLOW flags match the content of the store, the store can be * imported. */ info.u.hCertStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); CertAddEncodedCertificateToStore(info.u.hCertStore, X509_ASN_ENCODING, v1CertWithValidPubKey, sizeof(v1CertWithValidPubKey), CERT_STORE_ADD_ALWAYS, NULL); store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CERT, 0, NULL, &info, store); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { count = 0; cert = NULL; do { cert = CertEnumCertificatesInStore(store, cert); if (cert) count++; } while (cert); ok(count == 1, "expected 1 cert, got %d\n", count); count = 0; crl = NULL; do { crl = CertEnumCRLsInStore(store, crl); if (crl) count++; } while (crl); ok(count == 0, "expected 0 CRLs, got %d\n", count); } SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CRL, 0, NULL, &info, store); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); CertCloseStore(store, 0); CertCloseStore(info.u.hCertStore, 0); /* Again, if the ALLOW flags match the content of the store, the store can * be imported. */ info.u.hCertStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); CertAddEncodedCRLToStore(info.u.hCertStore, X509_ASN_ENCODING, signedCRL, sizeof(signedCRL), CERT_STORE_ADD_ALWAYS, NULL); store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CRL, 0, NULL, &info, store); ok(ret, "CryptUIWizImport failed: %08x\n", GetLastError()); if (ret) { count = 0; cert = NULL; do { cert = CertEnumCertificatesInStore(store, cert); if (cert) count++; } while (cert); ok(count == 0, "expected 0 certs, got %d\n", count); count = 0; crl = NULL; do { crl = CertEnumCRLsInStore(store, crl); if (crl) count++; } while (crl); ok(count == 1, "expected 1 CRL, got %d\n", count); } SetLastError(0xdeadbeef); ret = pCryptUIWizImport(CRYPTUI_WIZ_NO_UI | CRYPTUI_WIZ_IMPORT_ALLOW_CERT, 0, NULL, &info, store); ok(!ret && GetLastError() == E_INVALIDARG, "expected E_INVALIDARG, got %08x\n", GetLastError()); CertCloseStore(store, 0); CertCloseStore(info.u.hCertStore, 0); UnhookWindowsHookEx(hook); }
static PWINECRYPT_CERTSTORE CRYPT_SysOpenStoreW(HCRYPTPROV hCryptProv, DWORD dwFlags, const void *pvPara) { HCERTSTORE store = 0; BOOL ret; TRACE("(%ld, %08x, %s)\n", hCryptProv, dwFlags, debugstr_w(pvPara)); if (!pvPara) { SetLastError(ERROR_FILE_NOT_FOUND); return NULL; } /* This returns a different error than system registry stores if the * location is invalid. */ switch (dwFlags & CERT_SYSTEM_STORE_LOCATION_MASK) { case CERT_SYSTEM_STORE_LOCAL_MACHINE: case CERT_SYSTEM_STORE_CURRENT_USER: case CERT_SYSTEM_STORE_CURRENT_SERVICE: case CERT_SYSTEM_STORE_SERVICES: case CERT_SYSTEM_STORE_USERS: case CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY: case CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY: case CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE: ret = TRUE; break; default: SetLastError(ERROR_FILE_NOT_FOUND); ret = FALSE; } if (ret) { HCERTSTORE regStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W, 0, 0, dwFlags, pvPara); if (regStore) { store = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0, 0, CERT_STORE_CREATE_NEW_FLAG, NULL); CertAddStoreToCollection(store, regStore, dwFlags & CERT_STORE_READONLY_FLAG ? 0 : CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0); CertCloseStore(regStore, 0); /* CERT_SYSTEM_STORE_CURRENT_USER returns both the HKCU and HKLM * stores. */ if ((dwFlags & CERT_SYSTEM_STORE_LOCATION_MASK) == CERT_SYSTEM_STORE_CURRENT_USER) { dwFlags &= ~CERT_SYSTEM_STORE_CURRENT_USER; dwFlags |= CERT_SYSTEM_STORE_LOCAL_MACHINE; regStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W, 0, 0, dwFlags, pvPara); if (regStore) { CertAddStoreToCollection(store, regStore, dwFlags & CERT_STORE_READONLY_FLAG ? 0 : CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0); CertCloseStore(regStore, 0); } } /* System store doesn't need crypto provider, so close it */ if (hCryptProv && !(dwFlags & CERT_STORE_NO_CRYPT_RELEASE_FLAG)) CryptReleaseContext(hCryptProv, 0); } } return store; }
/** * Checks to see if a file stored at filePath matches the specified info. This * only supports the name and issuer attributes currently. * * @param filePath The PE file path to check * @param infoToMatch The acceptable information to match * @return ERROR_SUCCESS if successful, ERROR_NOT_FOUND if the info * does not match, or the last error otherwise. */ DWORD CheckCertificateForPEFile(LPCWSTR filePath, CertificateCheckInfo &infoToMatch) { HCERTSTORE certStore = NULL; HCRYPTMSG cryptMsg = NULL; PCCERT_CONTEXT certContext = NULL; PCMSG_SIGNER_INFO signerInfo = NULL; DWORD lastError = ERROR_SUCCESS; // Get the HCERTSTORE and HCRYPTMSG from the signed file. DWORD encoding, contentType, formatType; BOOL result = CryptQueryObject(CERT_QUERY_OBJECT_FILE, filePath, CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, CERT_QUERY_CONTENT_FLAG_ALL, 0, &encoding, &contentType, &formatType, &certStore, &cryptMsg, NULL); if (!result) { lastError = GetLastError(); goto cleanup; } // Pass in NULL to get the needed signer information size. DWORD signerInfoSize; result = CryptMsgGetParam(cryptMsg, CMSG_SIGNER_INFO_PARAM, 0, NULL, &signerInfoSize); if (!result) { lastError = GetLastError(); goto cleanup; } // Allocate the needed size for the signer information. signerInfo = (PCMSG_SIGNER_INFO)LocalAlloc(LPTR, signerInfoSize); if (!signerInfo) { lastError = GetLastError(); goto cleanup; } // Get the signer information (PCMSG_SIGNER_INFO). // In particular we want the issuer and serial number. result = CryptMsgGetParam(cryptMsg, CMSG_SIGNER_INFO_PARAM, 0, (PVOID)signerInfo, &signerInfoSize); if (!result) { lastError = GetLastError(); goto cleanup; } // Search for the signer certificate in the certificate store. CERT_INFO certInfo; certInfo.Issuer = signerInfo->Issuer; certInfo.SerialNumber = signerInfo->SerialNumber; certContext = CertFindCertificateInStore(certStore, ENCODING, 0, CERT_FIND_SUBJECT_CERT, (PVOID)&certInfo, NULL); if (!certContext) { lastError = GetLastError(); goto cleanup; } if (!DoCertificateAttributesMatch(certContext, infoToMatch)) { lastError = ERROR_NOT_FOUND; goto cleanup; } cleanup: if (signerInfo) { LocalFree(signerInfo); } if (certContext) { CertFreeCertificateContext(certContext); } if (certStore) { CertCloseStore(certStore, 0); } if (cryptMsg) { CryptMsgClose(cryptMsg); } return lastError; }
/** * gnutls_x509_trust_list_add_system_trust: * @list: The structure of the list * @tl_flags: GNUTLS_TL_* * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL * * This function adds the system's default trusted certificate * authorities to the trusted list. Note that on unsupported system * this function returns %GNUTLS_E_UNIMPLEMENTED_FEATURE. * * Returns: The number of added elements or a negative error code on error. * * Since: 3.1 **/ int gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, unsigned int tl_vflags) { #if !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(_WIN32) return GNUTLS_E_UNIMPLEMENTED_FEATURE; #else int ret, r = 0; const char* crl_file = # ifdef DEFAULT_CRL_FILE DEFAULT_CRL_FILE; # else NULL; # endif # ifdef _WIN32 unsigned int i; for (i=0;i<2;i++) { HCERTSTORE store; const CERT_CONTEXT *cert; const CRL_CONTEXT *crl; gnutls_datum_t data; if (i==0) store = CertOpenSystemStore(0, "ROOT"); else store = CertOpenSystemStore(0, "CA"); if (store == NULL) return GNUTLS_E_FILE_ERROR; cert = CertEnumCertificatesInStore(store, NULL); crl = Loaded_CertEnumCRLsInStore(store, NULL); while(cert != NULL) { if (cert->dwCertEncodingType == X509_ASN_ENCODING) { data.data = cert->pbCertEncoded; data.size = cert->cbCertEncoded; if (gnutls_x509_trust_list_add_trust_mem(list, &data, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0) r++; } cert = CertEnumCertificatesInStore(store, cert); } while(crl != NULL) { if (crl->dwCertEncodingType == X509_ASN_ENCODING) { data.data = crl->pbCrlEncoded; data.size = crl->cbCrlEncoded; gnutls_x509_trust_list_add_trust_mem(list, NULL, &data, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags); } crl = Loaded_CertEnumCRLsInStore(store, crl); } CertCloseStore(store, 0); } # endif # if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_PKCS11, crl_file, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags); if (ret > 0) r += ret; # endif # ifdef DEFAULT_TRUST_STORE_FILE ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE, crl_file, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags); if (ret > 0) r += ret; # endif return r; #endif }
static PCCERT_CONTEXT xmlSecMSCryptoKeysStoreFindCert(xmlSecKeyStorePtr store, const xmlChar* name, xmlSecKeyInfoCtxPtr keyInfoCtx) { LPCTSTR storeName; HCERTSTORE hStoreHandle = NULL; PCCERT_CONTEXT pCertContext = NULL; LPTSTR wcName = NULL; xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecMSCryptoKeysStoreId), NULL); xmlSecAssert2(name != NULL, NULL); xmlSecAssert2(keyInfoCtx != NULL, NULL); storeName = xmlSecMSCryptoAppGetCertStoreName(); if(storeName == NULL) { storeName = XMLSEC_MSCRYPTO_APP_DEFAULT_CERT_STORE_NAME; } hStoreHandle = CertOpenSystemStore(0, storeName); if (NULL == hStoreHandle) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CertOpenSystemStore", XMLSEC_ERRORS_R_CRYPTO_FAILED, "storeName=%s", xmlSecErrorsSafeString(storeName)); return(NULL); } /* convert name to unicode */ wcName = xmlSecMSCryptoConvertUtf8ToTstr(name); if(wcName == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), "xmlSecMSCryptoConvertUtf8ToUnicode", XMLSEC_ERRORS_R_XMLSEC_FAILED, "wcName"); CertCloseStore(hStoreHandle, 0); return(NULL); } /* first attempt: try to find the cert with a full blown subject dn */ if(NULL == pCertContext) { pCertContext = xmlSecMSCryptoX509FindCertBySubject( hStoreHandle, wcName, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING); } /* * Try ro find certificate with name="Friendly Name" */ if (NULL == pCertContext) { DWORD dwPropSize; PBYTE pbFriendlyName; PCCERT_CONTEXT pCertCtxIter = NULL; while (pCertCtxIter = CertEnumCertificatesInStore(hStoreHandle, pCertCtxIter)) { if (TRUE != CertGetCertificateContextProperty(pCertCtxIter, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dwPropSize)) { continue; } pbFriendlyName = xmlMalloc(dwPropSize); if(pbFriendlyName == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), NULL, XMLSEC_ERRORS_R_MALLOC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); xmlFree(wcName); CertCloseStore(hStoreHandle, 0); return(NULL); } if (TRUE != CertGetCertificateContextProperty(pCertCtxIter, CERT_FRIENDLY_NAME_PROP_ID, pbFriendlyName, &dwPropSize)) { xmlFree(pbFriendlyName); continue; } /* Compare FriendlyName to name */ if (!lstrcmp(wcName, (LPCTSTR)pbFriendlyName)) { pCertContext = pCertCtxIter; xmlFree(pbFriendlyName); break; } xmlFree(pbFriendlyName); } } /* We don't give up easily, now try to find cert with part of the name */ if (NULL == pCertContext) { pCertContext = CertFindCertificateInStore( hStoreHandle, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, wcName, NULL); } /* We could do the following here: * It would be nice if we could locate the cert with issuer name and * serial number, the given keyname can be something like this: * 'serial=1234567;issuer=CN=ikke, C=NL' * to be implemented by the first person who reads this, and thinks it's * a good idea :) WK */ /* OK, I give up, I'm gone :( */ /* aleksey todo: is it a right idea to close store if we have a handle to * a cert in this store? */ xmlFree(wcName); CertCloseStore(hStoreHandle, 0); return(pCertContext); }
// // Retrieve the thumbprint of the certificate // DWORD GetCertificate(IN WCHAR* pwcTrustRootCA, IN PBYTE pbCertHash, IN DWORD* pcbCertHash) { HCERTSTORE hCertStore; WCHAR *pwcSubjectName; DWORD cwcSubjectName; PBYTE pbSHA1; DWORD cbSHA1; PCCERT_CONTEXT pCertContext = NULL; DWORD dwRet; dwRet = NO_ERROR; if( ( hCertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, ( HCRYPTPROV ) NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"ROOT" ) ) ) { BOOL bFoundCert = FALSE; while( ( pCertContext = CertEnumCertificatesInStore( hCertStore, pCertContext ) ) && bFoundCert == FALSE ) { if( ( cwcSubjectName = CertGetNameString( pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, NULL, 0 ) ) > 0 ) { if( ( pwcSubjectName = ( WCHAR* ) malloc( cwcSubjectName * sizeof( WCHAR ) ) ) ) { if( CertGetNameStringW( pCertContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, pwcSubjectName, cwcSubjectName ) > 0 ) { //printf("Found the certificate [%ws] in the system store\n", pwcSubjectName); if ( wcscmp(pwcTrustRootCA, pwcSubjectName) == 0) { bFoundCert = TRUE; // Retrieve information on the property by first getting the property size. if(CertGetCertificateContextProperty( pCertContext, CERT_SHA1_HASH_PROP_ID , // work fine on XP NULL, &cbSHA1)) { // Use the size to allocate the memory for the property if ( pbSHA1 = (BYTE *) malloc(cbSHA1 * sizeof(BYTE) ) ) { // Retrieve HASH of the certificate if(CertGetCertificateContextProperty( pCertContext, CERT_SHA1_HASH_PROP_ID , pbSHA1, &cbSHA1)) { memcpy(pbCertHash, pbSHA1, cbSHA1); *pcbCertHash = cbSHA1; } else { printf("->GetCertificate :: Error retrieving certificate HASH.\n"); dwRet = ERROR_CANTOPEN; } free(pbSHA1); } else { printf("->GetCertificate :: Error allocating memory.\n"); dwRet = ERROR_NOT_ENOUGH_MEMORY; } } else { printf("->GetCertificate :: Error getting certificate property.\n"); dwRet = ERROR_CANTOPEN; } } } else { printf("->GetCertificate :: Error getting certificate name string.\n"); dwRet = ERROR_CANTOPEN; } free( pwcSubjectName ); cwcSubjectName = 0; } else { printf("->GetCertificate :: Error allocating memory.\n"); dwRet = ERROR_NOT_ENOUGH_MEMORY; } } else dwRet = ERROR_CANTOPEN; } if( !bFoundCert ) { printf("->GetCertificate :: Error looking for the certificate in the system store.\n"); dwRet = ERROR_CANTOPEN; } if( dwRet != NO_ERROR ) { if( pCertContext ) CertFreeCertificateContext( pCertContext ); } CertCloseStore( hCertStore, CERT_CLOSE_STORE_CHECK_FLAG ); } else { printf("->GetCertificate :: Error opening system store.\n"); dwRet = ERROR_CANTOPEN; } return dwRet; }
void get_cert_time_left( char *realm, CTimeSpan *ptimeLeft ) { HCERTSTORE hStoreHandle = NULL; PCCERT_CONTEXT pCertContext = NULL; PCCERT_CONTEXT prev_pCertContext = NULL; DWORD dwCertEncodingType = X509_ASN_ENCODING | PKCS_7_ASN_ENCODING; DWORD dwAddDisposition = CERT_STORE_ADD_REPLACE_EXISTING; DWORD dwFindFlags = 0; # define OID_KCA_AUTHREALM "1.3.6.1.4.1.250.42.1" DWORD dwFindType = CERT_FIND_ANY; CERT_INFO *pCertInfo = NULL; PCERT_EXTENSION pCertExt = NULL; CRYPT_OBJID_BLOB *p = NULL; int i = 0; char tmpRealm[250] = { 0 }; CTime startTime = 0; CTime endTime = 0; memset(ptimeLeft, 0, sizeof(*ptimeLeft)); if (!realm || !strlen(realm)) return; //-------------------------------------------------------------------- // Open a store as the source of the certificates to be deleted and added if(!(hStoreHandle = CertOpenSystemStore( 0, MY_STORE))) { HandleError("get_cert_time_left: Strange. Unable to access your place in the Registry for certificates"); goto EXIT_RTN; } // Find first MY store cert issued by our Certificate Authority while ((pCertContext = CertFindCertificateInStore( hStoreHandle, // in dwCertEncodingType, // in dwFindFlags, // in dwFindType, // in NULL, // in prev_pCertContext // in ))) { if (pCertInfo = pCertContext->pCertInfo) for (i = pCertInfo->cExtension; i; i--) { pCertExt = &pCertInfo->rgExtension[i-1]; if (!strcmp(pCertExt->pszObjId, OID_KCA_AUTHREALM)) { log_printf("get_cert_time_left: Found KCA_AUTHREALM Extension\n"); p = &pCertExt->Value; memcpy(tmpRealm, &p->pbData[2], p->cbData-2); tmpRealm[p->cbData-2] ='\0'; log_printf("get_cert_time_left: value is: '%s'\n", tmpRealm); /* only match if realm of current TGT matches AuthRealm of this cert */ if (realm && !strcmp(realm, tmpRealm)) { // It matches, determine remaining certificate's remaining minutes startTime = CTime::GetCurrentTime(); endTime = pCertContext->pCertInfo->NotAfter; *ptimeLeft = endTime - startTime; goto EXIT_RTN; } } } prev_pCertContext = pCertContext; } EXIT_RTN: if ((prev_pCertContext != pCertContext) && pCertContext) { CertFreeCertificateContext(pCertContext); pCertContext = NULL; } if (pCertContext) CertFreeCertificateContext(pCertContext); if(hStoreHandle &&!CertCloseStore( hStoreHandle, #ifdef DEBUG CERT_CLOSE_STORE_CHECK_FLAG #else // !DEBUG CERT_CLOSE_STORE_FORCE_FLAG #endif // ! DEBUG )) { log_printf("get_cert_time_left: The store was closed, but certificates still in use.\n"); } } // get_cert_time_left