#include <stdio.h>
#include <string.h>
+#include <stdlib.h>
+
#include <openssl/crypto.h>
-#include <openssl/buffer.h>
-#include <openssl/rsa.h>
-#include <openssl/bn.h>
#ifdef OPENSSL_SYS_WIN32
#ifndef OPENSSL_NO_CAPIENG
+#include <openssl/buffer.h>
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0400
+#endif
+
#include <windows.h>
#include <wincrypt.h>
+#include <malloc.h>
+#ifndef alloca
+# define alloca _alloca
+#endif
+
+/*
+ * This module uses several "new" interfaces, among which is
+ * CertGetCertificateContextProperty. CERT_KEY_PROV_INFO_PROP_ID is
+ * one of possible values you can pass to function in question. By
+ * checking if it's defined we can see if wincrypt.h and accompanying
+ * crypt32.lib are in shape. The native MingW32 headers up to and
+ * including __W32API_VERSION 3.14 lack of struct DSSPUBKEY and the
+ * defines CERT_STORE_PROV_SYSTEM_A and CERT_STORE_READONLY_FLAG,
+ * so we check for these too and avoid compiling.
+ * Yes, it's rather "weak" test and if compilation fails,
+ * then re-configure with -DOPENSSL_NO_CAPIENG.
+ */
+#if defined(CERT_KEY_PROV_INFO_PROP_ID) && \
+ defined(CERT_STORE_PROV_SYSTEM_A) && \
+ defined(CERT_STORE_READONLY_FLAG)
+# define __COMPILE_CAPIENG
+#endif /* CERT_KEY_PROV_INFO_PROP_ID */
+#endif /* OPENSSL_NO_CAPIENG */
+#endif /* OPENSSL_SYS_WIN32 */
+
+#ifdef __COMPILE_CAPIENG
#undef X509_EXTENSIONS
#undef X509_CERT_PAIR
+/* Definitions which may be missing from earlier version of headers */
+#ifndef CERT_STORE_OPEN_EXISTING_FLAG
+#define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
+#endif
+
+#ifndef CERT_STORE_CREATE_NEW_FLAG
+#define CERT_STORE_CREATE_NEW_FLAG 0x00002000
+#endif
+
+#ifndef CERT_SYSTEM_STORE_CURRENT_USER
+#define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
+#endif
+
#include <openssl/engine.h>
#include <openssl/pem.h>
+#include <openssl/x509v3.h>
#include "e_capi_err.h"
#include "e_capi_err.c"
char *debug_file;
/* Parameters to use for container lookup */
DWORD keytype;
- LPTSTR cspname;
+ LPSTR cspname;
DWORD csptype;
/* Certificate store name to use */
- LPTSTR storename;
- LPTSTR ssl_client_store;
+ LPSTR storename;
+ LPSTR ssl_client_store;
+ /* System store flags */
+ DWORD store_flags;
/* Lookup string meanings in load_private_key */
/* Substring of subject: uses "storename" */
-#define CAPI_LU_SUBSTR 0
+#define CAPI_LU_SUBSTR 1
/* Friendly name: uses storename */
-#define CAPI_LU_FNAME 1
+#define CAPI_LU_FNAME 2
/* Container name: uses cspname, keytype */
-#define CAPI_LU_CONTNAME 2
+#define CAPI_LU_CONTNAME 3
int lookup_method;
/* Info to dump with dumpcerts option */
/* Issuer and serial name strings */
#define CAPI_CMD_LIST_OPTIONS (ENGINE_CMD_BASE + 10)
#define CAPI_CMD_LOOKUP_METHOD (ENGINE_CMD_BASE + 11)
#define CAPI_CMD_STORE_NAME (ENGINE_CMD_BASE + 12)
+#define CAPI_CMD_STORE_FLAGS (ENGINE_CMD_BASE + 13)
static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
{CAPI_CMD_LIST_CERTS,
"store_name",
"certificate store name, default \"MY\"",
ENGINE_CMD_FLAG_STRING},
+ {CAPI_CMD_STORE_FLAGS,
+ "store_flags",
+ "Certificate store flags: 1 = system store",
+ ENGINE_CMD_FLAG_NUMERIC},
{0, NULL, NULL, 0}
};
CAPI_trace(ctx, "Setting store name to %s\n", p);
break;
+ case CAPI_CMD_STORE_FLAGS:
+ if (i & 1)
+ {
+ ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE;
+ ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER;
+ }
+ else
+ {
+ ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER;
+ ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE;
+ }
+ CAPI_trace(ctx, "Setting flags to %d\n", i);
+ break;
+
case CAPI_CMD_DEBUG_LEVEL:
ctx->debug_level = (int)i;
CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level);
CAPI_CTX *ctx;
const RSA_METHOD *ossl_rsa_meth;
const DSA_METHOD *ossl_dsa_meth;
- capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
- cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
+
+ if (capi_idx < 0)
+ {
+ capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
+ if (capi_idx < 0)
+ goto memerr;
+
+ cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
+
+ /* Setup RSA_METHOD */
+ rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
+ ossl_rsa_meth = RSA_PKCS1_SSLeay();
+ capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
+ capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
+ capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
+ capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
+
+ /* Setup DSA Method */
+ dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
+ ossl_dsa_meth = DSA_OpenSSL();
+ capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
+ capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
+ capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
+ }
ctx = capi_ctx_new();
- if (!ctx || (capi_idx < 0))
+ if (!ctx)
goto memerr;
ENGINE_set_ex_data(e, capi_idx, ctx);
- /* Setup RSA_METHOD */
- rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
- ossl_rsa_meth = RSA_PKCS1_SSLeay();
- capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
- capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
- capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
- capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
-
- /* Setup DSA Method */
- dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
- ossl_dsa_meth = DSA_OpenSSL();
- capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
- capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
- capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
#ifdef OPENSSL_CAPIENG_DIALOG
{
HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL"));
- HMODULE kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
+ HMODULE kernel = GetModuleHandle(TEXT("KERNEL32.DLL"));
if (cryptui)
ctx->certselectdlg = (CERTDLG)GetProcAddress(cryptui, "CryptUIDlgSelectCertificateFromStore");
if (kernel)
ctx->getconswindow = (GETCONSWIN)GetProcAddress(kernel, "GetConsoleWindow");
- if (cryptui)
-// if (cryptui && !OPENSSL_isservice())
+ if (cryptui && !OPENSSL_isservice())
ctx->client_cert_select = cert_select_dialog;
}
#endif
{
if (!ENGINE_set_id(e, engine_capi_id)
|| !ENGINE_set_name(e, engine_capi_name)
+ || !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
|| !ENGINE_set_init_function(e, capi_init)
|| !ENGINE_set_finish_function(e, capi_finish)
|| !ENGINE_set_destroy_function(e, capi_destroy)
return ret;
memerr:
- CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+ CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE);
goto err;
}
ERR_add_error_data(2, "Error code= 0x", errstr);
}
-static char *wide_to_asc(LPWSTR wstr)
+static char *wide_to_asc(LPCWSTR wstr)
{
char *str;
+ int len_0,sz;
+
if (!wstr)
return NULL;
- str = OPENSSL_malloc(wcslen(wstr) + 1);
+ len_0 = (int)wcslen(wstr)+1; /* WideCharToMultiByte expects int */
+ sz = WideCharToMultiByte(CP_ACP,0,wstr,len_0,NULL,0,NULL,NULL);
+ if (!sz)
+ {
+ CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR);
+ return NULL;
+ }
+ str = OPENSSL_malloc(sz);
if (!str)
{
CAPIerr(CAPI_F_WIDE_TO_ASC, ERR_R_MALLOC_FAILURE);
return NULL;
}
- sprintf(str, "%S", wstr);
+ if (!WideCharToMultiByte(CP_ACP,0,wstr,len_0,str,sz,NULL,NULL))
+ {
+ OPENSSL_free(str);
+ CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR);
+ return NULL;
+ }
return str;
}
static int capi_get_provname(CAPI_CTX *ctx, LPSTR *pname, DWORD *ptype, DWORD idx)
{
- LPSTR name;
DWORD len, err;
+ LPTSTR name;
CAPI_trace(ctx, "capi_get_provname, index=%d\n", idx);
if (!CryptEnumProviders(idx, NULL, 0, ptype, NULL, &len))
{
capi_adderror(err);
return 0;
}
- name = OPENSSL_malloc(len);
- if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len))
+ if (sizeof(TCHAR) != sizeof(char))
+ name = alloca(len);
+ else
+ name = OPENSSL_malloc(len);
+ if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len))
{
err = GetLastError();
if (err == ERROR_NO_MORE_ITEMS)
capi_adderror(err);
return 0;
}
- *pname = name;
- CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", name, *ptype);
+ if (sizeof(TCHAR) != sizeof(char))
+ *pname = wide_to_asc((WCHAR *)name);
+ else
+ *pname = (char *)name;
+ CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", *pname, *ptype);
return 1;
}
{
DWORD idx, ptype;
int ret;
- LPTSTR provname = NULL;
+ LPSTR provname = NULL;
CAPI_trace(ctx, "capi_list_providers\n");
BIO_printf(out, "Available CSPs:\n");
for(idx = 0; ; idx++)
HCRYPTPROV hprov;
DWORD err, idx, flags, buflen = 0, clen;
LPSTR cname;
+ LPTSTR cspname = NULL;
+
CAPI_trace(ctx, "Listing containers CSP=%s, type = %d\n", ctx->cspname, ctx->csptype);
- if (!CryptAcquireContext(&hprov, NULL, ctx->cspname, ctx->csptype, CRYPT_VERIFYCONTEXT))
+ if (ctx->cspname && sizeof(TCHAR)!=sizeof(char))
+ {
+ if ((clen=MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,NULL,0)))
+ {
+ cspname = alloca(clen*sizeof(WCHAR));
+ MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,(WCHAR *)cspname,clen);
+ }
+ if (!cspname)
+ {
+ CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE);
+ capi_addlasterror();
+ return 0;
+ }
+ }
+ else
+ cspname = (TCHAR *)ctx->cspname;
+ if (!CryptAcquireContext(&hprov, NULL, cspname, ctx->csptype, CRYPT_VERIFYCONTEXT))
{
CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
capi_addlasterror();
{
CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
capi_addlasterror();
+ CryptReleaseContext(hprov, 0);
return 0;
}
CAPI_trace(ctx, "Got max container len %d\n", buflen);
flags = CRYPT_FIRST;
else
flags = 0;
- if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags))
+ if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, (BYTE *)cname, &clen, flags))
{
err = GetLastError();
if (err == ERROR_NO_MORE_ITEMS)
storename = "MY";
CAPI_trace(ctx, "Opening certificate store %s\n", storename);
- hstore = CertOpenSystemStore(0, storename);
+ hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0,
+ ctx->store_flags, storename);
if (!hstore)
{
CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE);
{
for(idx = 0;;idx++)
{
- LPWSTR fname = NULL;
cert = CertEnumCertificatesInStore(hstore, cert);
if (!cert)
break;
}
}
-static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec)
+static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const TCHAR *contname, TCHAR *provname, DWORD ptype, DWORD keyspec)
{
CAPI_KEY *key;
+ DWORD dwFlags = 0;
key = OPENSSL_malloc(sizeof(CAPI_KEY));
- CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
+ if (sizeof(TCHAR)==sizeof(char))
+ CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
contname, provname, ptype);
- if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, 0))
+ else if (ctx && ctx->debug_level>=CAPI_DBG_TRACE && ctx->debug_file)
+ {
+ /* above 'if' is optimization to minimize malloc-ations */
+ char *_contname = wide_to_asc((WCHAR *)contname);
+ char *_provname = wide_to_asc((WCHAR *)provname);
+
+ CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
+ _contname, _provname, ptype);
+ if (_provname) OPENSSL_free(_provname);
+ if (_contname) OPENSSL_free(_contname);
+ }
+ if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE)
+ dwFlags = CRYPT_MACHINE_KEYSET;
+ if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, dwFlags))
{
CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
capi_addlasterror();
static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
{
- CAPI_KEY *key;
+ CAPI_KEY *key = NULL;
CRYPT_KEY_PROV_INFO *pinfo = NULL;
char *provname = NULL, *contname = NULL;
pinfo = capi_get_prov_info(ctx, cert);
if (!pinfo)
goto err;
- provname = wide_to_asc(pinfo->pwszProvName);
- contname = wide_to_asc(pinfo->pwszContainerName);
- if (!provname || !contname)
- return 0;
-
- key = capi_get_key(ctx, contname, provname,
+ if (sizeof(TCHAR) != sizeof(char))
+ key = capi_get_key(ctx, (TCHAR *)pinfo->pwszContainerName,
+ (TCHAR *)pinfo->pwszProvName,
+ pinfo->dwProvType, pinfo->dwKeySpec);
+ else
+ {
+ provname = wide_to_asc(pinfo->pwszProvName);
+ contname = wide_to_asc(pinfo->pwszContainerName);
+ if (!provname || !contname)
+ goto err;
+ key = capi_get_key(ctx, (TCHAR *)contname, (TCHAR *)provname,
pinfo->dwProvType, pinfo->dwKeySpec);
+ }
err:
if (pinfo)
break;
case CAPI_LU_CONTNAME:
- key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype,
- ctx->keytype);
+ if (sizeof(TCHAR)!=sizeof(char))
+ {
+ WCHAR *contname, *provname;
+ DWORD len;
+
+ if ((len=MultiByteToWideChar(CP_ACP,0,id,-1,NULL,0)) &&
+ (contname=alloca(len*sizeof(WCHAR)),
+ MultiByteToWideChar(CP_ACP,0,id,-1,contname,len)) &&
+ (len=MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,NULL,0)) &&
+ (provname=alloca(len*sizeof(WCHAR)),
+ MultiByteToWideChar(CP_ACP,0,ctx->cspname,-1,provname,len)))
+ key = capi_get_key(ctx,(TCHAR *)contname,
+ (TCHAR *)provname,
+ ctx->csptype,ctx->keytype);
+ }
+ else
+ key = capi_get_key(ctx, (TCHAR *)id,
+ (TCHAR *)ctx->cspname,
+ ctx->csptype,ctx->keytype);
break;
}
ctx->keytype = AT_KEYEXCHANGE;
ctx->storename = NULL;
ctx->ssl_client_store = NULL;
+ ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG |
+ CERT_STORE_READONLY_FLAG |
+ CERT_SYSTEM_STORE_CURRENT_USER;
ctx->lookup_method = CAPI_LU_SUBSTR;
ctx->debug_level = 0;
ctx->debug_file = NULL;
if (check)
{
HCRYPTPROV hprov;
- if (!CryptAcquireContext(&hprov, NULL, pname, type,
+ LPTSTR name=NULL;
+
+ if (sizeof(TCHAR)!=sizeof(char))
+ {
+ DWORD len;
+ if ((len=MultiByteToWideChar(CP_ACP,0,pname,-1,NULL,0)))
+ {
+ name = alloca(len*sizeof(WCHAR));
+ MultiByteToWideChar(CP_ACP,0,pname,-1,(WCHAR *)name,len);
+ }
+ }
+ else
+ name = (TCHAR *)pname;
+
+ if (!name || !CryptAcquireContext(&hprov, NULL, name, type,
CRYPT_VERIFYCONTEXT))
{
CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
}
CryptReleaseContext(hprov, 0);
}
+ if (ctx->cspname)
+ OPENSSL_free(ctx->cspname);
ctx->cspname = BUF_strdup(pname);
ctx->csptype = type;
return 1;
{
LPSTR pname;
DWORD type;
+ int res;
if (capi_get_provname(ctx, &pname, &type, idx) != 1)
return 0;
- return capi_ctx_set_provname(ctx, pname, type, 0);
+ res = capi_ctx_set_provname(ctx, pname, type, 0);
+ OPENSSL_free(pname);
+ return res;
}
static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)
CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
continue;
}
- if (cert_issuer_match(ca_dn, x))
+ if (cert_issuer_match(ca_dn, x)
+ && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0))
{
key = capi_get_cert_key(ctx, cert);
if (!key)
+ {
+ X509_free(x);
continue;
+ }
/* Match found: attach extra data to it so
* we can retrieve the key later.
*/
* CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
*/
-#include <PrSht.h>
-#include <cryptuiapi.h>
+/* Definitions which are in cryptuiapi.h but this is not present in older
+ * versions of headers.
+ */
+
+#ifndef CRYPTUI_SELECT_LOCATION_COLUMN
+#define CRYPTUI_SELECT_LOCATION_COLUMN 0x000000010
+#define CRYPTUI_SELECT_INTENDEDUSE_COLUMN 0x000000004
+#endif
#define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
#define dlg_prompt L"Select a certificate to use for authentication"
CERT_STORE_CREATE_NEW_FLAG, NULL);
if (!dstore)
{
- CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_CREATING_STORE);
+ CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE);
capi_addlasterror();
goto err;
}
if (!CertAddCertificateContextToStore(dstore, key->pcert,
CERT_STORE_ADD_NEW, NULL))
{
- CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_ADDING_CERT);
+ CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT);
capi_addlasterror();
goto err;
}
}
- hwnd = GetActiveWindow();
+ hwnd = GetForegroundWindow();
+ if (!hwnd)
+ hwnd = GetActiveWindow();
if (!hwnd && ctx->getconswindow)
hwnd = ctx->getconswindow();
/* Call dialog to select one */
}
#endif
+#else /* !__COMPILE_CAPIENG */
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+#else
+void ENGINE_load_capi(void){}
#endif
#endif