#include <windows.h>
#include <wincrypt.h>
+#undef X509_NAME
+
#include "e_capi_err.h"
#include "e_capi_err.c"
static int capi_list_containers(CAPI_CTX *ctx, BIO *out);
int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *storename);
void capi_free_key(CAPI_KEY *key);
+static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE hstore);
struct CAPI_KEY_st
{
/* Associated certificate context (if any) */
- PCERT_CONTEXT pcert;
+ PCCERT_CONTEXT pcert;
HCRYPTPROV hprov;
HCRYPTKEY key;
DWORD keyspec;
return 0;
}
-static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
- {
-fprintf(stderr, "%d certificates\n", sk_X509_num(certs));
- return 0;
- }
+
static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
hstore = capi_open_store(ctx, storename);
if (!hstore)
return 0;
- /* Enumerate all certificates looking for a match */
+ /* Enumerate all certificates collect any matches */
for(i = 0;;i++)
{
cert = CertEnumCertificatesInStore(hstore, cert);
key = capi_get_cert_key(ctx, cert);
if (!key)
continue;
+ /* Match found: attach extra data to it so
+ * we can retrieve the key later.
+ */
excert = CertDuplicateCertificateContext(cert);
+ key->pcert = excert;
X509_set_ex_data(x, cert_capi_idx, key);
if (!certs)
certs = sk_X509_new_null();
sk_X509_push(certs, x);
-#if 0
- pk = capi_get_pkey(e, key);
- if (!pk)
- {
- capi_free_key(key);
- continue;
- }
- *pcert = x;
- *pkey = pk;
-#endif
}
else
X509_free(x);
if (cert)
CertFreeCertificateContext(cert);
+ if (hstore)
+ CertCloseStore(hstore, 0);
if (!certs)
return 0;
+
+ /* Select the appropriate certificate */
+
client_cert_idx = client_cert_select(e, ssl, certs);
+ /* Set the selected certificate and free the rest */
+
for(i = 0; i < sk_X509_num(certs); i++)
{
x = sk_X509_value(certs, i);
if (!*pcert)
return 0;
+ /* Setup key for selected certificate */
+
key = X509_get_ex_data(*pcert, cert_capi_idx);
*pkey = capi_get_pkey(e, key);
X509_set_ex_data(*pcert, cert_capi_idx, NULL);
}
+#ifndef OPENSSL_CAPIENG_DIALOG
+
+/* Simple client cert selection function: always select first */
+
+static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+ {
+ return 0;
+ }
+
+#else
+
+/* More complex cert selection function, using standard function
+ * CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
+ */
+
+#include <cryptuiapi.h>
+
+#define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
+#define dlg_prompt L"Select a certificate to use for authentication"
+#define dlg_columns CRYPTUI_SELECT_LOCATION_COLUMN \
+ |CRYPTUI_SELECT_INTENDEDUSE_COLUMN
+
+static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+ {
+ X509 *x;
+ HCERTSTORE dstore;
+ PCCERT_CONTEXT cert;
+ CAPI_CTX *ctx;
+ CAPI_KEY *key;
+ HWND hwnd;
+ int i, idx = -1;
+ ctx = ENGINE_get_ex_data(e, capi_idx);
+ /* Create an in memory store of certificates */
+ dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+ CERT_STORE_CREATE_NEW_FLAG, NULL);
+ if (!dstore)
+ {
+ CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_CREATING_STORE);
+ capi_addlasterror();
+ goto err;
+ }
+ /* Add all certificates to store */
+ for(i = 0; i < sk_X509_num(certs); i++)
+ {
+ x = sk_X509_value(certs, i);
+ key = X509_get_ex_data(x, cert_capi_idx);
+
+ if (!CertAddCertificateContextToStore(dstore, key->pcert,
+ CERT_STORE_ADD_NEW, NULL))
+ {
+ CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_ADDING_CERT);
+ capi_addlasterror();
+ goto err;
+ }
+
+ }
+ hwnd = GetActiveWindow();
+ if (!hwnd)
+ hwnd = GetConsoleWindow();
+ /* Call dialog to select one */
+ cert = CryptUIDlgSelectCertificateFromStore(dstore, hwnd,
+ dlg_title, dlg_prompt,
+ dlg_columns, 0, NULL);
+
+ /* Find matching cert from list */
+ if (cert)
+ {
+ for(i = 0; i < sk_X509_num(certs); i++)
+ {
+ x = sk_X509_value(certs, i);
+ key = X509_get_ex_data(x, cert_capi_idx);
+ if (CertCompareCertificate(
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ cert->pCertInfo,
+ key->pcert->pCertInfo))
+ {
+ idx = i;
+ break;
+ }
+ }
+ }
+
+ err:
+ if (dstore)
+ CertCloseStore(dstore, 0);
+ return idx;
+
+ }
+#endif
+
#endif
#endif
projects / openssl.git / blobdiff