]> git.ipfire.org Git - thirdparty/openssl.git/blame - engines/e_capi.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
engines/e_capi.c: adhere to CryptAcquireContextW unconditionally.
[thirdparty/openssl.git] / engines / e_capi.c
CommitLineData
0f113f3e 1/*
440e5d80 2 * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
7a18ecb2 3 *
440e5d80
RS		 4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
7a18ecb2
DSH		 8 */
9
f1f5ee17
AP		 10#ifdef _WIN32
11# ifndef _WIN32_WINNT
12# define _WIN32_WINNT 0x0400
13# endif
14# include <windows.h>
15# include <wincrypt.h>
16
17# include <stdio.h>
18# include <string.h>
19# include <stdlib.h>
20# include <malloc.h>
21# ifndef alloca
22# define alloca _alloca
23# endif
cc4c2306 24
f1f5ee17 25# include <openssl/crypto.h>
7a18ecb2 26
0f113f3e 27# ifndef OPENSSL_NO_CAPIENG
7a18ecb2 28
0f113f3e
MC		 29# include <openssl/buffer.h>
30# include <openssl/bn.h>
31# include <openssl/rsa.h>
32# include <openssl/dsa.h>
a0f3679b 33
f87e3078
AP		 34/*
35 * This module uses several "new" interfaces, among which is
36 * CertGetCertificateContextProperty. CERT_KEY_PROV_INFO_PROP_ID is
37 * one of possible values you can pass to function in question. By
38 * checking if it's defined we can see if wincrypt.h and accompanying
6b02f9fa
DSH		 39 * crypt32.lib are in shape. The native MingW32 headers up to and
40 * including __W32API_VERSION 3.14 lack of struct DSSPUBKEY and the
41 * defines CERT_STORE_PROV_SYSTEM_A and CERT_STORE_READONLY_FLAG,
42 * so we check for these too and avoid compiling.
43 * Yes, it's rather "weak" test and if compilation fails,
44 * then re-configure with -DOPENSSL_NO_CAPIENG.
f87e3078 45 */
0f113f3e 46# if defined(CERT_KEY_PROV_INFO_PROP_ID) && \
6b02f9fa
DSH		 47 defined(CERT_STORE_PROV_SYSTEM_A) && \
48 defined(CERT_STORE_READONLY_FLAG)
0f113f3e
MC		 49# define __COMPILE_CAPIENG
50# endif /* CERT_KEY_PROV_INFO_PROP_ID */
51# endif /* OPENSSL_NO_CAPIENG */
f1f5ee17 52#endif /* _WIN32 */
f87e3078
AP		 53
54#ifdef __COMPILE_CAPIENG
55
0f113f3e 56# undef X509_EXTENSIONS
11f3cee9 57
a0f3679b 58/* Definitions which may be missing from earlier version of headers */
0f113f3e
MC		 59# ifndef CERT_STORE_OPEN_EXISTING_FLAG
60# define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
61# endif
62
63# ifndef CERT_STORE_CREATE_NEW_FLAG
64# define CERT_STORE_CREATE_NEW_FLAG 0x00002000
65# endif
66
67# ifndef CERT_SYSTEM_STORE_CURRENT_USER
68# define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
69# endif
70
71# ifndef ALG_SID_SHA_256
e08b444a 72# define ALG_SID_SHA_256 12
0f113f3e
MC		 73# endif
74# ifndef ALG_SID_SHA_384
e08b444a 75# define ALG_SID_SHA_384 13
0f113f3e
MC		 76# endif
77# ifndef ALG_SID_SHA_512
e08b444a 78# define ALG_SID_SHA_512 14
0f113f3e
MC		 79# endif
80
81# ifndef CALG_SHA_256
e08b444a 82# define CALG_SHA_256 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256)
0f113f3e
MC		 83# endif
84# ifndef CALG_SHA_384
e08b444a 85# define CALG_SHA_384 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_384)
0f113f3e
MC		 86# endif
87# ifndef CALG_SHA_512
e08b444a 88# define CALG_SHA_512 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_512)
0f113f3e
MC		 89# endif
90
7b548d3f
DSH		 91# ifndef PROV_RSA_AES
92# define PROV_RSA_AES 24
93# endif
94
0f113f3e
MC		 95# include <openssl/engine.h>
96# include <openssl/pem.h>
97# include <openssl/x509v3.h>
98
99# include "e_capi_err.h"
100# include "e_capi_err.c"
7a18ecb2
DSH		 101
102static const char *engine_capi_id = "capi";
103static const char *engine_capi_name = "CryptoAPI ENGINE";
104
105typedef struct CAPI_CTX_st CAPI_CTX;
106typedef struct CAPI_KEY_st CAPI_KEY;
107
108static void capi_addlasterror(void);
109static void capi_adderror(DWORD err);
110
8f0e5888 111static void CAPI_trace(CAPI_CTX *ctx, char *format, ...);
7a18ecb2 112
8f0e5888
AP		 113static int capi_list_providers(CAPI_CTX *ctx, BIO *out);
114static int capi_list_containers(CAPI_CTX *ctx, BIO *out);
115int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *storename);
116void capi_free_key(CAPI_KEY *key);
7a18ecb2 117
8f0e5888 118static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id,
0f113f3e 119 HCERTSTORE hstore);
7a18ecb2 120
8f0e5888 121CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id);
7a18ecb2
DSH		 122
123static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
0f113f3e
MC		 124 UI_METHOD *ui_method, void *callback_data);
125static int capi_rsa_sign(int dtype, const unsigned char *m,
126 unsigned int m_len, unsigned char *sigret,
127 unsigned int *siglen, const RSA *rsa);
7a18ecb2 128static int capi_rsa_priv_enc(int flen, const unsigned char *from,
0f113f3e 129 unsigned char *to, RSA *rsa, int padding);
7a18ecb2 130static int capi_rsa_priv_dec(int flen, const unsigned char *from,
0f113f3e 131 unsigned char *to, RSA *rsa, int padding);
7a18ecb2
DSH		 132static int capi_rsa_free(RSA *rsa);
133
f0483bf7 134# ifndef OPENSSL_NO_DSA
7a18ecb2 135static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
0f113f3e 136 DSA *dsa);
7a18ecb2 137static int capi_dsa_free(DSA *dsa);
f0483bf7 138# endif
b3c8dd4e
DSH		 139
140static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
0f113f3e
MC		 141 STACK_OF(X509_NAME) *ca_dn, X509 **pcert,
142 EVP_PKEY **pkey, STACK_OF(X509) **pother,
143 UI_METHOD *ui_method,
144 void *callback_data);
1cd504e7
DSH		 145
146static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
0f113f3e 147# ifdef OPENSSL_CAPIENG_DIALOG
1cd504e7 148static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
0f113f3e 149# endif
1cd504e7 150
b3599dbb 151void engine_load_capi_int(void);
7b9f8f7f 152
e08b444a
AP		 153typedef PCCERT_CONTEXT(WINAPI *CERTDLG)(HCERTSTORE, HWND, LPCWSTR,
154 LPCWSTR, DWORD, DWORD, void *);
155typedef HWND(WINAPI *GETCONSWIN)(void);
1cd504e7 156
0f113f3e
MC		 157/*
158 * This structure contains CAPI ENGINE specific data: it contains various
159 * global options and affects how other functions behave.
7a18ecb2
DSH		 160 */
161
0f113f3e
MC		 162# define CAPI_DBG_TRACE 2
163# define CAPI_DBG_ERROR 1
7a18ecb2
DSH		 164
165struct CAPI_CTX_st {
0f113f3e
MC		 166 int debug_level;
167 char *debug_file;
168 /* Parameters to use for container lookup */
169 DWORD keytype;
170 LPSTR cspname;
171 DWORD csptype;
172 /* Certificate store name to use */
173 LPSTR storename;
174 LPSTR ssl_client_store;
175 /* System store flags */
176 DWORD store_flags;
7a18ecb2 177/* Lookup string meanings in load_private_key */
e08b444a
AP		 178# define CAPI_LU_SUBSTR 1 /* Substring of subject: uses "storename" */
179# define CAPI_LU_FNAME 2 /* Friendly name: uses storename */
180# define CAPI_LU_CONTNAME 3 /* Container name: uses cspname, keytype */
0f113f3e 181 int lookup_method;
7a18ecb2 182/* Info to dump with dumpcerts option */
e08b444a
AP		 183# define CAPI_DMP_SUMMARY 0x1 /* Issuer and serial name strings */
184# define CAPI_DMP_FNAME 0x2 /* Friendly name */
185# define CAPI_DMP_FULL 0x4 /* Full X509_print dump */
186# define CAPI_DMP_PEM 0x8 /* Dump PEM format certificate */
187# define CAPI_DMP_PSKEY 0x10 /* Dump pseudo key (if possible) */
188# define CAPI_DMP_PKEYINFO 0x20 /* Dump key info (if possible) */
0f113f3e
MC		 189 DWORD dump_flags;
190 int (*client_cert_select) (ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
191 CERTDLG certselectdlg;
192 GETCONSWIN getconswindow;
7a18ecb2
DSH		 193};
194
57ebe748 195static CAPI_CTX *capi_ctx_new(void);
8f0e5888
AP		 196static void capi_ctx_free(CAPI_CTX *ctx);
197static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type,
0f113f3e 198 int check);
8f0e5888 199static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx);
0f113f3e
MC		 200
201# define CAPI_CMD_LIST_CERTS ENGINE_CMD_BASE
202# define CAPI_CMD_LOOKUP_CERT (ENGINE_CMD_BASE + 1)
203# define CAPI_CMD_DEBUG_LEVEL (ENGINE_CMD_BASE + 2)
204# define CAPI_CMD_DEBUG_FILE (ENGINE_CMD_BASE + 3)
205# define CAPI_CMD_KEYTYPE (ENGINE_CMD_BASE + 4)
206# define CAPI_CMD_LIST_CSPS (ENGINE_CMD_BASE + 5)
207# define CAPI_CMD_SET_CSP_IDX (ENGINE_CMD_BASE + 6)
208# define CAPI_CMD_SET_CSP_NAME (ENGINE_CMD_BASE + 7)
209# define CAPI_CMD_SET_CSP_TYPE (ENGINE_CMD_BASE + 8)
210# define CAPI_CMD_LIST_CONTAINERS (ENGINE_CMD_BASE + 9)
211# define CAPI_CMD_LIST_OPTIONS (ENGINE_CMD_BASE + 10)
212# define CAPI_CMD_LOOKUP_METHOD (ENGINE_CMD_BASE + 11)
213# define CAPI_CMD_STORE_NAME (ENGINE_CMD_BASE + 12)
214# define CAPI_CMD_STORE_FLAGS (ENGINE_CMD_BASE + 13)
7a18ecb2
DSH		 215
216static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
0f113f3e
MC		 217 {CAPI_CMD_LIST_CERTS,
218 "list_certs",
219 "List all certificates in store",
220 ENGINE_CMD_FLAG_NO_INPUT},
221 {CAPI_CMD_LOOKUP_CERT,
222 "lookup_cert",
223 "Lookup and output certificates",
224 ENGINE_CMD_FLAG_STRING},
225 {CAPI_CMD_DEBUG_LEVEL,
226 "debug_level",
227 "debug level (1=errors, 2=trace)",
228 ENGINE_CMD_FLAG_NUMERIC},
229 {CAPI_CMD_DEBUG_FILE,
230 "debug_file",
231 "debugging filename)",
232 ENGINE_CMD_FLAG_STRING},
233 {CAPI_CMD_KEYTYPE,
234 "key_type",
235 "Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE",
236 ENGINE_CMD_FLAG_NUMERIC},
237 {CAPI_CMD_LIST_CSPS,
238 "list_csps",
239 "List all CSPs",
240 ENGINE_CMD_FLAG_NO_INPUT},
241 {CAPI_CMD_SET_CSP_IDX,
242 "csp_idx",
243 "Set CSP by index",
244 ENGINE_CMD_FLAG_NUMERIC},
245 {CAPI_CMD_SET_CSP_NAME,
246 "csp_name",
247 "Set CSP name, (default CSP used if not specified)",
248 ENGINE_CMD_FLAG_STRING},
249 {CAPI_CMD_SET_CSP_TYPE,
250 "csp_type",
251 "Set CSP type, (default RSA_PROV_FULL)",
252 ENGINE_CMD_FLAG_NUMERIC},
253 {CAPI_CMD_LIST_CONTAINERS,
254 "list_containers",
255 "list container names",
256 ENGINE_CMD_FLAG_NO_INPUT},
257 {CAPI_CMD_LIST_OPTIONS,
258 "list_options",
259 "Set list options (1=summary,2=friendly name, 4=full printout, 8=PEM output, 16=XXX, "
260 "32=private key info)",
261 ENGINE_CMD_FLAG_NUMERIC},
262 {CAPI_CMD_LOOKUP_METHOD,
263 "lookup_method",
264 "Set key lookup method (1=substring, 2=friendlyname, 3=container name)",
265 ENGINE_CMD_FLAG_NUMERIC},
266 {CAPI_CMD_STORE_NAME,
267 "store_name",
268 "certificate store name, default \"MY\"",
269 ENGINE_CMD_FLAG_STRING},
270 {CAPI_CMD_STORE_FLAGS,
271 "store_flags",
272 "Certificate store flags: 1 = system store",
273 ENGINE_CMD_FLAG_NUMERIC},
274
275 {0, NULL, NULL, 0}
276};
7a18ecb2
DSH		 277
278static int capi_idx = -1;
279static int rsa_capi_idx = -1;
280static int dsa_capi_idx = -1;
7d537d4f 281static int cert_capi_idx = -1;
7a18ecb2 282
0f113f3e
MC		 283static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
284{
285 int ret = 1;
286 CAPI_CTX *ctx;
287 BIO *out;
690b4621 288 LPSTR tmpstr;
0f113f3e
MC		 289 if (capi_idx == -1) {
290 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_ENGINE_NOT_INITIALIZED);
291 return 0;
292 }
293 ctx = ENGINE_get_ex_data(e, capi_idx);
294 out = BIO_new_fp(stdout, BIO_NOCLOSE);
295 if (out == NULL) {
296 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_FILE_OPEN_ERROR);
297 return 0;
298 }
299 switch (cmd) {
300 case CAPI_CMD_LIST_CSPS:
301 ret = capi_list_providers(ctx, out);
302 break;
303
304 case CAPI_CMD_LIST_CERTS:
305 ret = capi_list_certs(ctx, out, NULL);
306 break;
307
308 case CAPI_CMD_LOOKUP_CERT:
309 ret = capi_list_certs(ctx, out, p);
310 break;
311
312 case CAPI_CMD_LIST_CONTAINERS:
313 ret = capi_list_containers(ctx, out);
314 break;
315
316 case CAPI_CMD_STORE_NAME:
690b4621
MC		 317 tmpstr = OPENSSL_strdup(p);
318 if (tmpstr != NULL) {
319 OPENSSL_free(ctx->storename);
320 ctx->storename = tmpstr;
321 CAPI_trace(ctx, "Setting store name to %s\n", p);
322 } else {
323 CAPIerr(CAPI_F_CAPI_CTRL, ERR_R_MALLOC_FAILURE);
324 ret = 0;
325 }
0f113f3e
MC		 326 break;
327
328 case CAPI_CMD_STORE_FLAGS:
329 if (i & 1) {
330 ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE;
331 ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER;
332 } else {
333 ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER;
334 ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE;
335 }
336 CAPI_trace(ctx, "Setting flags to %d\n", i);
337 break;
338
339 case CAPI_CMD_DEBUG_LEVEL:
340 ctx->debug_level = (int)i;
341 CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level);
342 break;
343
344 case CAPI_CMD_DEBUG_FILE:
690b4621
MC		 345 tmpstr = OPENSSL_strdup(p);
346 if (tmpstr != NULL) {
347 ctx->debug_file = tmpstr;
348 CAPI_trace(ctx, "Setting debug file to %s\n", ctx->debug_file);
349 } else {
350 CAPIerr(CAPI_F_CAPI_CTRL, ERR_R_MALLOC_FAILURE);
351 ret = 0;
352 }
0f113f3e
MC		 353 break;
354
355 case CAPI_CMD_KEYTYPE:
356 ctx->keytype = i;
357 CAPI_trace(ctx, "Setting key type to %d\n", ctx->keytype);
358 break;
359
360 case CAPI_CMD_SET_CSP_IDX:
361 ret = capi_ctx_set_provname_idx(ctx, i);
362 break;
363
364 case CAPI_CMD_LIST_OPTIONS:
365 ctx->dump_flags = i;
366 break;
367
368 case CAPI_CMD_LOOKUP_METHOD:
369 if (i < 1 || i > 3) {
370 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD);
371 BIO_free(out);
372 return 0;
373 }
374 ctx->lookup_method = i;
375 break;
376
377 case CAPI_CMD_SET_CSP_NAME:
378 ret = capi_ctx_set_provname(ctx, p, ctx->csptype, 1);
379 break;
380
381 case CAPI_CMD_SET_CSP_TYPE:
382 ctx->csptype = i;
383 break;
384
385 default:
386 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_UNKNOWN_COMMAND);
387 ret = 0;
388 }
389
390 BIO_free(out);
391 return ret;
392
393}
394
e9c2b100 395static RSA_METHOD *capi_rsa_method = NULL;
f0483bf7 396# ifndef OPENSSL_NO_DSA
6e9fa57c 397static DSA_METHOD *capi_dsa_method = NULL;
f0483bf7 398# endif
7a18ecb2 399
7b548d3f
DSH		 400static int use_aes_csp = 0;
401
0f113f3e
MC		 402static int capi_init(ENGINE *e)
403{
404 CAPI_CTX *ctx;
405 const RSA_METHOD *ossl_rsa_meth;
f0483bf7 406# ifndef OPENSSL_NO_DSA
0f113f3e 407 const DSA_METHOD *ossl_dsa_meth;
f0483bf7 408# endif
7b548d3f 409 HCRYPTPROV hprov;
0f113f3e
MC		 410
411 if (capi_idx < 0) {
412 capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
413 if (capi_idx < 0)
414 goto memerr;
415
416 cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
417
418 /* Setup RSA_METHOD */
419 rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
b0700d2c 420 ossl_rsa_meth = RSA_PKCS1_OpenSSL();
e9c2b100
RL		 421 if ( !RSA_meth_set_pub_enc(capi_rsa_method,
422 RSA_meth_get_pub_enc(ossl_rsa_meth))
423 || !RSA_meth_set_pub_dec(capi_rsa_method,
424 RSA_meth_get_pub_dec(ossl_rsa_meth))
425 || !RSA_meth_set_priv_enc(capi_rsa_method, capi_rsa_priv_enc)
426 || !RSA_meth_set_priv_dec(capi_rsa_method, capi_rsa_priv_dec)
427 || !RSA_meth_set_mod_exp(capi_rsa_method,
428 RSA_meth_get_mod_exp(ossl_rsa_meth))
429 || !RSA_meth_set_bn_mod_exp(capi_rsa_method,
430 RSA_meth_get_bn_mod_exp(ossl_rsa_meth))
431 || !RSA_meth_set_finish(capi_rsa_method, capi_rsa_free)
432 || !RSA_meth_set_sign(capi_rsa_method, capi_rsa_sign)) {
433 goto memerr;
434 }
0f113f3e 435
f0483bf7 436# ifndef OPENSSL_NO_DSA
0f113f3e
MC		 437 /* Setup DSA Method */
438 dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
439 ossl_dsa_meth = DSA_OpenSSL();
a517f7fc
MC		 440 if ( !DSA_meth_set_sign(capi_dsa_method, capi_dsa_do_sign)
441 || !DSA_meth_set_verify(capi_dsa_method,
aa05e7ca 442 DSA_meth_get_verify(ossl_dsa_meth))
a517f7fc
MC		 443 || !DSA_meth_set_finish(capi_dsa_method, capi_dsa_free)
444 || !DSA_meth_set_mod_exp(capi_dsa_method,
aa05e7ca 445 DSA_meth_get_mod_exp(ossl_dsa_meth))
a517f7fc 446 || !DSA_meth_set_bn_mod_exp(capi_dsa_method,
aa05e7ca 447 DSA_meth_get_bn_mod_exp(ossl_dsa_meth))) {
a517f7fc
MC		 448 goto memerr;
449 }
f0483bf7 450# endif
0f113f3e
MC		 451 }
452
453 ctx = capi_ctx_new();
55646005 454 if (ctx == NULL)
0f113f3e
MC		 455 goto memerr;
456
457 ENGINE_set_ex_data(e, capi_idx, ctx);
458
459# ifdef OPENSSL_CAPIENG_DIALOG
460 {
461 HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL"));
462 HMODULE kernel = GetModuleHandle(TEXT("KERNEL32.DLL"));
463 if (cryptui)
464 ctx->certselectdlg =
465 (CERTDLG) GetProcAddress(cryptui,
466 "CryptUIDlgSelectCertificateFromStore");
467 if (kernel)
468 ctx->getconswindow =
469 (GETCONSWIN) GetProcAddress(kernel, "GetConsoleWindow");
470 if (cryptui && !OPENSSL_isservice())
471 ctx->client_cert_select = cert_select_dialog;
472 }
473# endif
474
7b548d3f
DSH		 475 /* See if we support AES CSP */
476
3a5b64b2
AP		 477 if (CryptAcquireContextW(&hprov, NULL, NULL, PROV_RSA_AES,
478 CRYPT_VERIFYCONTEXT)) {
7b548d3f
DSH		 479 use_aes_csp = 1;
480 CryptReleaseContext(hprov, 0);
481 }
482
0f113f3e
MC		 483 return 1;
484
485 memerr:
486 CAPIerr(CAPI_F_CAPI_INIT, ERR_R_MALLOC_FAILURE);
487 return 0;
488
489 return 1;
490}
7a18ecb2
DSH		 491
492static int capi_destroy(ENGINE *e)
0f113f3e 493{
e9c2b100
RL		 494 RSA_meth_free(capi_rsa_method);
495 capi_rsa_method = NULL;
f0483bf7 496# ifndef OPENSSL_NO_DSA
6e9fa57c
MC		 497 DSA_meth_free(capi_dsa_method);
498 capi_dsa_method = NULL;
f0483bf7 499# endif
0f113f3e
MC		 500 ERR_unload_CAPI_strings();
501 return 1;
502}
7a18ecb2
DSH		 503
504static int capi_finish(ENGINE *e)
0f113f3e
MC		 505{
506 CAPI_CTX *ctx;
507 ctx = ENGINE_get_ex_data(e, capi_idx);
508 capi_ctx_free(ctx);
509 ENGINE_set_ex_data(e, capi_idx, NULL);
510 return 1;
511}
512
513/*
514 * CryptoAPI key application data. This contains a handle to the private key
515 * container (for sign operations) and a handle to the key (for decrypt
516 * operations).
7a18ecb2
DSH		 517 */
518
0f113f3e
MC		 519struct CAPI_KEY_st {
520 /* Associated certificate context (if any) */
521 PCCERT_CONTEXT pcert;
522 HCRYPTPROV hprov;
523 HCRYPTKEY key;
524 DWORD keyspec;
525};
7a18ecb2
DSH		 526
527static int bind_capi(ENGINE *e)
0f113f3e 528{
e9c2b100
RL		 529 capi_rsa_method = RSA_meth_new("CryptoAPI RSA method", 0);
530 if (capi_rsa_method == NULL)
531 return 0;
f0483bf7 532# ifndef OPENSSL_NO_DSA
6e9fa57c
MC		 533 capi_dsa_method = DSA_meth_new("CryptoAPI DSA method", 0);
534 if (capi_dsa_method == NULL)
e9c2b100 535 goto memerr;
f0483bf7 536# endif
0f113f3e
MC		 537 if (!ENGINE_set_id(e, engine_capi_id)
538 || !ENGINE_set_name(e, engine_capi_name)
539 || !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
540 || !ENGINE_set_init_function(e, capi_init)
541 || !ENGINE_set_finish_function(e, capi_finish)
542 || !ENGINE_set_destroy_function(e, capi_destroy)
e9c2b100 543 || !ENGINE_set_RSA(e, capi_rsa_method)
f0483bf7 544# ifndef OPENSSL_NO_DSA
6e9fa57c 545 || !ENGINE_set_DSA(e, capi_dsa_method)
f0483bf7 546# endif
0f113f3e
MC		 547 || !ENGINE_set_load_privkey_function(e, capi_load_privkey)
548 || !ENGINE_set_load_ssl_client_cert_function(e,
549 capi_load_ssl_client_cert)
550 || !ENGINE_set_cmd_defns(e, capi_cmd_defns)
551 || !ENGINE_set_ctrl_function(e, capi_ctrl))
e9c2b100 552 goto memerr;
0f113f3e
MC		 553 ERR_load_CAPI_strings();
554
555 return 1;
e9c2b100
RL		 556 memerr:
557 RSA_meth_free(capi_rsa_method);
558 capi_rsa_method = NULL;
f0483bf7 559# ifndef OPENSSL_NO_DSA
e9c2b100
RL		 560 DSA_meth_free(capi_dsa_method);
561 capi_dsa_method = NULL;
f0483bf7 562# endif
e9c2b100 563 return 0;
0f113f3e
MC		 564}
565
566# ifndef OPENSSL_NO_DYNAMIC_ENGINE
7a18ecb2 567static int bind_helper(ENGINE *e, const char *id)
0f113f3e
MC		 568{
569 if (id && (strcmp(id, engine_capi_id) != 0))
570 return 0;
571 if (!bind_capi(e))
572 return 0;
573 return 1;
574}
575
7a18ecb2 576IMPLEMENT_DYNAMIC_CHECK_FN()
0f113f3e
MC		 577 IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
578# else
7a18ecb2 579static ENGINE *engine_capi(void)
0f113f3e
MC		 580{
581 ENGINE *ret = ENGINE_new();
55646005 582 if (ret == NULL)
0f113f3e
MC		 583 return NULL;
584 if (!bind_capi(ret)) {
585 ENGINE_free(ret);
586 return NULL;
587 }
588 return ret;
589}
7a18ecb2 590
7e74eaa6 591void engine_load_capi_int(void)
0f113f3e
MC		 592{
593 /* Copied from eng_[openssl|dyn].c */
594 ENGINE *toadd = engine_capi();
595 if (!toadd)
596 return;
597 ENGINE_add(toadd);
598 ENGINE_free(toadd);
599 ERR_clear_error();
600}
601# endif
7a18ecb2
DSH		 602
603static int lend_tobn(BIGNUM *bn, unsigned char *bin, int binlen)
0f113f3e
MC		 604{
605 int i;
606 /*
607 * Reverse buffer in place: since this is a keyblob structure that will
608 * be freed up after conversion anyway it doesn't matter if we change
609 * it.
610 */
611 for (i = 0; i < binlen / 2; i++) {
612 unsigned char c;
613 c = bin[i];
614 bin[i] = bin[binlen - i - 1];
615 bin[binlen - i - 1] = c;
616 }
617
618 if (!BN_bin2bn(bin, binlen, bn))
619 return 0;
620 return 1;
621}
7a18ecb2 622
b3c8dd4e
DSH		 623/* Given a CAPI_KEY get an EVP_PKEY structure */
624
8f0e5888 625static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY *key)
0f113f3e
MC		 626{
627 unsigned char *pubkey = NULL;
628 DWORD len;
629 BLOBHEADER *bh;
630 RSA *rkey = NULL;
631 DSA *dkey = NULL;
632 EVP_PKEY *ret = NULL;
633 if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len)) {
634 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR);
635 capi_addlasterror();
636 return NULL;
637 }
638
639 pubkey = OPENSSL_malloc(len);
640
55646005 641 if (pubkey == NULL)
0f113f3e
MC		 642 goto memerr;
643
644 if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len)) {
645 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR);
646 capi_addlasterror();
647 goto err;
648 }
649
650 bh = (BLOBHEADER *) pubkey;
651 if (bh->bType != PUBLICKEYBLOB) {
652 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB);
653 goto err;
654 }
655 if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX) {
656 RSAPUBKEY *rp;
657 DWORD rsa_modlen;
e9c2b100 658 BIGNUM *e = NULL, *n = NULL;
0f113f3e
MC		 659 unsigned char *rsa_modulus;
660 rp = (RSAPUBKEY *) (bh + 1);
661 if (rp->magic != 0x31415352) {
662 char magstr[10];
663 BIO_snprintf(magstr, 10, "%lx", rp->magic);
664 CAPIerr(CAPI_F_CAPI_GET_PKEY,
665 CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
666 ERR_add_error_data(2, "magic=0x", magstr);
667 goto err;
668 }
669 rsa_modulus = (unsigned char *)(rp + 1);
670 rkey = RSA_new_method(eng);
671 if (!rkey)
672 goto memerr;
673
e9c2b100
RL		 674 e = BN_new();
675 n = BN_new();
0f113f3e 676
e9c2b100
RL		 677 if (e == NULL || n == NULL) {
678 BN_free(e);
679 BN_free(n);
0f113f3e 680 goto memerr;
e9c2b100 681 }
0f113f3e 682
e9c2b100
RL		 683 RSA_set0_key(rkey, n, e, NULL);
684
685 if (!BN_set_word(e, rp->pubexp))
0f113f3e
MC		 686 goto memerr;
687
688 rsa_modlen = rp->bitlen / 8;
e9c2b100 689 if (!lend_tobn(n, rsa_modulus, rsa_modlen))
0f113f3e
MC		 690 goto memerr;
691
692 RSA_set_ex_data(rkey, rsa_capi_idx, key);
693
75ebbd9a 694 if ((ret = EVP_PKEY_new()) == NULL)
0f113f3e
MC		 695 goto memerr;
696
697 EVP_PKEY_assign_RSA(ret, rkey);
698 rkey = NULL;
699
f0483bf7 700# ifndef OPENSSL_NO_DSA
0f113f3e
MC		 701 } else if (bh->aiKeyAlg == CALG_DSS_SIGN) {
702 DSSPUBKEY *dp;
703 DWORD dsa_plen;
704 unsigned char *btmp;
6e9fa57c 705 BIGNUM *p, *q, *g, *pub_key;
0f113f3e
MC		 706 dp = (DSSPUBKEY *) (bh + 1);
707 if (dp->magic != 0x31535344) {
708 char magstr[10];
709 BIO_snprintf(magstr, 10, "%lx", dp->magic);
710 CAPIerr(CAPI_F_CAPI_GET_PKEY,
711 CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
712 ERR_add_error_data(2, "magic=0x", magstr);
713 goto err;
714 }
715 dsa_plen = dp->bitlen / 8;
716 btmp = (unsigned char *)(dp + 1);
717 dkey = DSA_new_method(eng);
718 if (!dkey)
719 goto memerr;
6e9fa57c
MC		 720 p = BN_new();
721 q = BN_new();
722 g = BN_new();
723 pub_key = BN_new();
e9c2b100
RL		 724 if (p == NULL || q == NULL || g == NULL || pub_key == NULL) {
725 BN_free(p);
726 BN_free(q);
727 BN_free(g);
728 BN_free(pub_key);
0f113f3e 729 goto memerr;
e9c2b100 730 }
6e9fa57c
MC		 731 DSA_set0_pqg(dkey, p, q, g);
732 DSA_set0_key(dkey, pub_key, NULL);
733 if (!lend_tobn(p, btmp, dsa_plen))
0f113f3e
MC		 734 goto memerr;
735 btmp += dsa_plen;
6e9fa57c 736 if (!lend_tobn(q, btmp, 20))
0f113f3e
MC		 737 goto memerr;
738 btmp += 20;
6e9fa57c 739 if (!lend_tobn(g, btmp, dsa_plen))
0f113f3e
MC		 740 goto memerr;
741 btmp += dsa_plen;
6e9fa57c 742 if (!lend_tobn(pub_key, btmp, dsa_plen))
0f113f3e
MC		 743 goto memerr;
744 btmp += dsa_plen;
745
746 DSA_set_ex_data(dkey, dsa_capi_idx, key);
747
75ebbd9a 748 if ((ret = EVP_PKEY_new()) == NULL)
0f113f3e
MC		 749 goto memerr;
750
751 EVP_PKEY_assign_DSA(ret, dkey);
752 dkey = NULL;
f0483bf7 753# endif
0f113f3e
MC		 754 } else {
755 char algstr[10];
57ebe748 756 BIO_snprintf(algstr, 10, "%ux", bh->aiKeyAlg);
0f113f3e
MC		 757 CAPIerr(CAPI_F_CAPI_GET_PKEY,
758 CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM);
759 ERR_add_error_data(2, "aiKeyAlg=0x", algstr);
760 goto err;
761 }
762
763 err:
b548a1f1 764 OPENSSL_free(pubkey);
0f113f3e 765 if (!ret) {
d6407083 766 RSA_free(rkey);
f0483bf7 767# ifndef OPENSSL_NO_DSA
d6407083 768 DSA_free(dkey);
f0483bf7 769# endif
0f113f3e
MC		 770 }
771
772 return ret;
773
774 memerr:
775 CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE);
776 goto err;
777
778}
7a18ecb2 779
b3c8dd4e 780static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
0f113f3e
MC		 781 UI_METHOD *ui_method, void *callback_data)
782{
783 CAPI_CTX *ctx;
784 CAPI_KEY *key;
785 EVP_PKEY *ret;
786 ctx = ENGINE_get_ex_data(eng, capi_idx);
b3c8dd4e 787
0f113f3e
MC		 788 if (!ctx) {
789 CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT);
790 return NULL;
791 }
b3c8dd4e 792
0f113f3e 793 key = capi_find_key(ctx, key_id);
b3c8dd4e 794
0f113f3e
MC		 795 if (!key)
796 return NULL;
b3c8dd4e 797
0f113f3e 798 ret = capi_get_pkey(eng, key);
b3c8dd4e 799
0f113f3e
MC		 800 if (!ret)
801 capi_free_key(key);
802 return ret;
b3c8dd4e 803
0f113f3e 804}
b3c8dd4e 805
7a18ecb2
DSH		 806/* CryptoAPI RSA operations */
807
808int capi_rsa_priv_enc(int flen, const unsigned char *from,
0f113f3e
MC		 809 unsigned char *to, RSA *rsa, int padding)
810{
811 CAPIerr(CAPI_F_CAPI_RSA_PRIV_ENC, CAPI_R_FUNCTION_NOT_SUPPORTED);
812 return -1;
813}
7a18ecb2
DSH		 814
815int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
0f113f3e
MC		 816 unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
817{
818 ALG_ID alg;
819 HCRYPTHASH hash;
820 DWORD slen;
821 unsigned int i;
822 int ret = -1;
823 CAPI_KEY *capi_key;
824 CAPI_CTX *ctx;
825
e9c2b100 826 ctx = ENGINE_get_ex_data(RSA_get0_engine(rsa), capi_idx);
0f113f3e
MC		 827
828 CAPI_trace(ctx, "Called CAPI_rsa_sign()\n");
829
830 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx);
831 if (!capi_key) {
832 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_GET_KEY);
833 return -1;
834 }
7a18ecb2 835/* Convert the signature type to a CryptoAPI algorithm ID */
0f113f3e
MC		 836 switch (dtype) {
837 case NID_sha256:
838 alg = CALG_SHA_256;
839 break;
840
841 case NID_sha384:
842 alg = CALG_SHA_384;
843 break;
844
845 case NID_sha512:
846 alg = CALG_SHA_512;
847 break;
848
849 case NID_sha1:
850 alg = CALG_SHA1;
851 break;
852
853 case NID_md5:
854 alg = CALG_MD5;
855 break;
856
857 case NID_md5_sha1:
858 alg = CALG_SSL3_SHAMD5;
859 break;
860 default:
861 {
862 char algstr[10];
57ebe748 863 BIO_snprintf(algstr, 10, "%x", dtype);
0f113f3e
MC		 864 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_UNSUPPORTED_ALGORITHM_NID);
865 ERR_add_error_data(2, "NID=0x", algstr);
866 return -1;
867 }
868 }
7a18ecb2
DSH		 869
870/* Create the hash object */
0f113f3e
MC		 871 if (!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash)) {
872 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
873 capi_addlasterror();
874 return -1;
875 }
7a18ecb2
DSH		 876/* Set the hash value to the value passed */
877
0f113f3e
MC		 878 if (!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0)) {
879 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
880 capi_addlasterror();
881 goto err;
882 }
7a18ecb2
DSH		 883
884/* Finally sign it */
0f113f3e
MC		 885 slen = RSA_size(rsa);
886 if (!CryptSignHash(hash, capi_key->keyspec, NULL, 0, sigret, &slen)) {
887 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_ERROR_SIGNING_HASH);
888 capi_addlasterror();
889 goto err;
890 } else {
891 ret = 1;
892 /* Inplace byte reversal of signature */
893 for (i = 0; i < slen / 2; i++) {
894 unsigned char c;
895 c = sigret[i];
896 sigret[i] = sigret[slen - i - 1];
897 sigret[slen - i - 1] = c;
898 }
899 *siglen = slen;
900 }
901
902 /* Now cleanup */
903
904 err:
905 CryptDestroyHash(hash);
906
907 return ret;
908}
7a18ecb2
DSH		 909
910int capi_rsa_priv_dec(int flen, const unsigned char *from,
0f113f3e
MC		 911 unsigned char *to, RSA *rsa, int padding)
912{
913 int i;
914 unsigned char *tmpbuf;
915 CAPI_KEY *capi_key;
916 CAPI_CTX *ctx;
57ebe748
AP		 917 DWORD dlen;
918
919 if (flen <= 0)
920 return flen;
921
e9c2b100 922 ctx = ENGINE_get_ex_data(RSA_get0_engine(rsa), capi_idx);
0f113f3e
MC		 923
924 CAPI_trace(ctx, "Called capi_rsa_priv_dec()\n");
925
926 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx);
927 if (!capi_key) {
928 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_CANT_GET_KEY);
929 return -1;
930 }
931
932 if (padding != RSA_PKCS1_PADDING) {
933 char errstr[10];
934 BIO_snprintf(errstr, 10, "%d", padding);
935 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING);
936 ERR_add_error_data(2, "padding=", errstr);
937 return -1;
938 }
939
940 /* Create temp reverse order version of input */
75ebbd9a 941 if ((tmpbuf = OPENSSL_malloc(flen)) == NULL) {
0f113f3e
MC		 942 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, ERR_R_MALLOC_FAILURE);
943 return -1;
944 }
945 for (i = 0; i < flen; i++)
946 tmpbuf[flen - i - 1] = from[i];
947
948 /* Finally decrypt it */
57ebe748
AP		 949 dlen = flen;
950 if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &dlen)) {
0f113f3e
MC		 951 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR);
952 capi_addlasterror();
953 OPENSSL_free(tmpbuf);
954 return -1;
e08b444a 955 } else {
57ebe748 956 memcpy(to, tmpbuf, (flen = (int)dlen));
e08b444a 957 }
0f113f3e
MC		 958 OPENSSL_free(tmpbuf);
959
960 return flen;
961}
7a18ecb2
DSH		 962
963static int capi_rsa_free(RSA *rsa)
0f113f3e
MC		 964{
965 CAPI_KEY *capi_key;
966 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx);
967 capi_free_key(capi_key);
968 RSA_set_ex_data(rsa, rsa_capi_idx, 0);
969 return 1;
970}
7a18ecb2 971
f0483bf7 972# ifndef OPENSSL_NO_DSA
7a18ecb2
DSH		 973/* CryptoAPI DSA operations */
974
975static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
0f113f3e
MC		 976 DSA *dsa)
977{
978 HCRYPTHASH hash;
979 DWORD slen;
980 DSA_SIG *ret = NULL;
981 CAPI_KEY *capi_key;
982 CAPI_CTX *ctx;
983 unsigned char csigbuf[40];
984
6e9fa57c 985 ctx = ENGINE_get_ex_data(DSA_get0_engine(dsa), capi_idx);
0f113f3e
MC		 986
987 CAPI_trace(ctx, "Called CAPI_dsa_do_sign()\n");
988
989 capi_key = DSA_get_ex_data(dsa, dsa_capi_idx);
990
991 if (!capi_key) {
992 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_GET_KEY);
993 return NULL;
994 }
995
996 if (dlen != 20) {
997 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_INVALID_DIGEST_LENGTH);
998 return NULL;
999 }
1000
1001 /* Create the hash object */
1002 if (!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash)) {
1003 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
1004 capi_addlasterror();
1005 return NULL;
1006 }
1007
1008 /* Set the hash value to the value passed */
1009 if (!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0)) {
1010 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
1011 capi_addlasterror();
1012 goto err;
1013 }
1014
1015 /* Finally sign it */
1016 slen = sizeof(csigbuf);
1017 if (!CryptSignHash(hash, capi_key->keyspec, NULL, 0, csigbuf, &slen)) {
1018 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_ERROR_SIGNING_HASH);
1019 capi_addlasterror();
1020 goto err;
1021 } else {
7a533600
AP		 1022 BIGNUM *r = BN_new(), *s = BN_new();
1023
1024 if (r == NULL || s == NULL
1025 || !lend_tobn(r, csigbuf, 20)
1026 || !lend_tobn(s, csigbuf + 20, 20)
1027 || (ret = DSA_SIG_new()) == NULL) {
1028 BN_free(r); /* BN_free checks for BIGNUM * being NULL */
1029 BN_free(s);
0f113f3e
MC		 1030 goto err;
1031 }
7a533600 1032 DSA_SIG_set0(ret, r, s);
0f113f3e
MC		 1033 }
1034
1035 /* Now cleanup */
1036
1037 err:
1038 OPENSSL_cleanse(csigbuf, 40);
1039 CryptDestroyHash(hash);
1040 return ret;
1041}
7a18ecb2
DSH		 1042
1043static int capi_dsa_free(DSA *dsa)
0f113f3e
MC		 1044{
1045 CAPI_KEY *capi_key;
1046 capi_key = DSA_get_ex_data(dsa, dsa_capi_idx);
1047 capi_free_key(capi_key);
1048 DSA_set_ex_data(dsa, dsa_capi_idx, 0);
1049 return 1;
1050}
f0483bf7 1051# endif
0f113f3e 1052
8f0e5888 1053static void capi_vtrace(CAPI_CTX *ctx, int level, char *format,
0f113f3e
MC		 1054 va_list argptr)
1055{
1056 BIO *out;
1057
1058 if (!ctx || (ctx->debug_level < level) || (!ctx->debug_file))
1059 return;
1060 out = BIO_new_file(ctx->debug_file, "a+");
1061 if (out == NULL) {
1062 CAPIerr(CAPI_F_CAPI_VTRACE, CAPI_R_FILE_OPEN_ERROR);
1063 return;
1064 }
1065 BIO_vprintf(out, format, argptr);
1066 BIO_free(out);
1067}
1068
8f0e5888 1069static void CAPI_trace(CAPI_CTX *ctx, char *format, ...)
0f113f3e
MC		 1070{
1071 va_list args;
1072 va_start(args, format);
1073 capi_vtrace(ctx, CAPI_DBG_TRACE, format, args);
1074 va_end(args);
1075}
7a18ecb2
DSH		 1076
1077static void capi_addlasterror(void)
0f113f3e
MC		 1078{
1079 capi_adderror(GetLastError());
1080}
7a18ecb2
DSH		 1081
1082static void capi_adderror(DWORD err)
0f113f3e
MC		 1083{
1084 char errstr[10];
1085 BIO_snprintf(errstr, 10, "%lX", err);
1086 ERR_add_error_data(2, "Error code= 0x", errstr);
1087}
7a18ecb2 1088
cc4c2306 1089static char *wide_to_asc(LPCWSTR wstr)
0f113f3e
MC		 1090{
1091 char *str;
1092 int len_0, sz;
1093
1094 if (!wstr)
1095 return NULL;
1096 len_0 = (int)wcslen(wstr) + 1; /* WideCharToMultiByte expects int */
1097 sz = WideCharToMultiByte(CP_ACP, 0, wstr, len_0, NULL, 0, NULL, NULL);
1098 if (!sz) {
1099 CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR);
1100 return NULL;
1101 }
1102 str = OPENSSL_malloc(sz);
55646005 1103 if (str == NULL) {
0f113f3e
MC		 1104 CAPIerr(CAPI_F_WIDE_TO_ASC, ERR_R_MALLOC_FAILURE);
1105 return NULL;
1106 }
1107 if (!WideCharToMultiByte(CP_ACP, 0, wstr, len_0, str, sz, NULL, NULL)) {
1108 OPENSSL_free(str);
1109 CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR);
1110 return NULL;
1111 }
1112 return str;
1113}
1114
8f0e5888 1115static int capi_get_provname(CAPI_CTX *ctx, LPSTR *pname, DWORD *ptype,
0f113f3e
MC		 1116 DWORD idx)
1117{
1118 DWORD len, err;
1119 LPTSTR name;
1120 CAPI_trace(ctx, "capi_get_provname, index=%d\n", idx);
1121 if (!CryptEnumProviders(idx, NULL, 0, ptype, NULL, &len)) {
1122 err = GetLastError();
1123 if (err == ERROR_NO_MORE_ITEMS)
1124 return 2;
1125 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR);
1126 capi_adderror(err);
1127 return 0;
1128 }
1129 name = OPENSSL_malloc(len);
1130 if (name == NULL) {
1131 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, ERR_R_MALLOC_FAILURE);
1132 return 0;
1133 }
1134 if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) {
1135 err = GetLastError();
1136 OPENSSL_free(name);
1137 if (err == ERROR_NO_MORE_ITEMS)
1138 return 2;
1139 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR);
1140 capi_adderror(err);
1141 return 0;
1142 }
1143 if (sizeof(TCHAR) != sizeof(char)) {
1144 *pname = wide_to_asc((WCHAR *)name);
1145 OPENSSL_free(name);
1146 if (*pname == NULL)
1147 return 0;
e08b444a 1148 } else {
0f113f3e 1149 *pname = (char *)name;
e08b444a 1150 }
0f113f3e
MC		 1151 CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", *pname,
1152 *ptype);
1153
1154 return 1;
1155}
1156
8f0e5888 1157static int capi_list_providers(CAPI_CTX *ctx, BIO *out)
0f113f3e
MC		 1158{
1159 DWORD idx, ptype;
1160 int ret;
1161 LPSTR provname = NULL;
1162 CAPI_trace(ctx, "capi_list_providers\n");
1163 BIO_printf(out, "Available CSPs:\n");
1164 for (idx = 0;; idx++) {
1165 ret = capi_get_provname(ctx, &provname, &ptype, idx);
1166 if (ret == 2)
1167 break;
1168 if (ret == 0)
1169 break;
57ebe748 1170 BIO_printf(out, "%lu. %s, type %lu\n", idx, provname, ptype);
0f113f3e
MC		 1171 OPENSSL_free(provname);
1172 }
1173 return 1;
1174}
1175
8f0e5888 1176static int capi_list_containers(CAPI_CTX *ctx, BIO *out)
0f113f3e
MC		 1177{
1178 int ret = 1;
1179 HCRYPTPROV hprov;
1180 DWORD err, idx, flags, buflen = 0, clen;
1181 LPSTR cname;
3a5b64b2 1182 LPWSTR cspname = NULL;
0f113f3e
MC		 1183
1184 CAPI_trace(ctx, "Listing containers CSP=%s, type = %d\n", ctx->cspname,
1185 ctx->csptype);
3a5b64b2 1186 if (ctx->cspname != NULL) {
e08b444a
AP		 1187 if ((clen = MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1,
1188 NULL, 0))) {
0f113f3e
MC		 1189 cspname = alloca(clen * sizeof(WCHAR));
1190 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, (WCHAR *)cspname,
1191 clen);
1192 }
3a5b64b2 1193 if (cspname == NULL) {
0f113f3e
MC		 1194 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE);
1195 capi_addlasterror();
1196 return 0;
1197 }
e08b444a 1198 }
3a5b64b2
AP		 1199 if (!CryptAcquireContextW(&hprov, NULL, cspname, ctx->csptype,
1200 CRYPT_VERIFYCONTEXT)) {
0f113f3e
MC		 1201 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS,
1202 CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
1203 capi_addlasterror();
1204 return 0;
1205 }
e08b444a
AP		 1206 if (!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, NULL, &buflen,
1207 CRYPT_FIRST)) {
0f113f3e
MC		 1208 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
1209 capi_addlasterror();
1210 CryptReleaseContext(hprov, 0);
1211 return 0;
1212 }
1213 CAPI_trace(ctx, "Got max container len %d\n", buflen);
1214 if (buflen == 0)
1215 buflen = 1024;
1216 cname = OPENSSL_malloc(buflen);
55646005 1217 if (cname == NULL) {
0f113f3e
MC		 1218 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE);
1219 goto err;
1220 }
1221
1222 for (idx = 0;; idx++) {
1223 clen = buflen;
1224 cname[0] = 0;
1225
1226 if (idx == 0)
1227 flags = CRYPT_FIRST;
1228 else
1229 flags = 0;
e08b444a
AP		 1230 if (!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, (BYTE *)cname,
1231 &clen, flags)) {
0f113f3e
MC		 1232 err = GetLastError();
1233 if (err == ERROR_NO_MORE_ITEMS)
1234 goto done;
1235 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
1236 capi_adderror(err);
1237 goto err;
1238 }
1239 CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n",
1240 cname, clen, idx, flags);
1241 if (!cname[0] && (clen == buflen)) {
1242 CAPI_trace(ctx, "Enumerate bug: using workaround\n");
1243 goto done;
1244 }
57ebe748 1245 BIO_printf(out, "%lu. %s\n", idx, cname);
0f113f3e
MC		 1246 }
1247 err:
1248
1249 ret = 0;
1250
1251 done:
b548a1f1 1252 OPENSSL_free(cname);
0f113f3e
MC		 1253 CryptReleaseContext(hprov, 0);
1254
1255 return ret;
1256}
1257
8f0e5888 1258static CRYPT_KEY_PROV_INFO *capi_get_prov_info(CAPI_CTX *ctx,
e08b444a 1259 PCCERT_CONTEXT cert)
0f113f3e
MC		 1260{
1261 DWORD len;
1262 CRYPT_KEY_PROV_INFO *pinfo;
1263
e08b444a
AP		 1264 if (!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID,
1265 NULL, &len))
0f113f3e
MC		 1266 return NULL;
1267 pinfo = OPENSSL_malloc(len);
55646005 1268 if (pinfo == NULL) {
0f113f3e
MC		 1269 CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, ERR_R_MALLOC_FAILURE);
1270 return NULL;
1271 }
e08b444a
AP		 1272 if (!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID,
1273 pinfo, &len)) {
0f113f3e
MC		 1274 CAPIerr(CAPI_F_CAPI_GET_PROV_INFO,
1275 CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO);
1276 capi_addlasterror();
1277 OPENSSL_free(pinfo);
1278 return NULL;
1279 }
1280 return pinfo;
1281}
1282
8f0e5888
AP		 1283static void capi_dump_prov_info(CAPI_CTX *ctx, BIO *out,
1284 CRYPT_KEY_PROV_INFO *pinfo)
0f113f3e
MC		 1285{
1286 char *provname = NULL, *contname = NULL;
1287 if (!pinfo) {
1288 BIO_printf(out, " No Private Key\n");
1289 return;
1290 }
1291 provname = wide_to_asc(pinfo->pwszProvName);
1292 contname = wide_to_asc(pinfo->pwszContainerName);
1293 if (!provname || !contname)
1294 goto err;
1295
1296 BIO_printf(out, " Private Key Info:\n");
57ebe748 1297 BIO_printf(out, " Provider Name: %s, Provider Type %lu\n", provname,
0f113f3e 1298 pinfo->dwProvType);
57ebe748 1299 BIO_printf(out, " Container Name: %s, Key Type %lu\n", contname,
0f113f3e
MC		 1300 pinfo->dwKeySpec);
1301 err:
b548a1f1
RS		 1302 OPENSSL_free(provname);
1303 OPENSSL_free(contname);
0f113f3e
MC		 1304}
1305
8f0e5888 1306static char *capi_cert_get_fname(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
0f113f3e
MC		 1307{
1308 LPWSTR wfname;
1309 DWORD dlen;
1310
1311 CAPI_trace(ctx, "capi_cert_get_fname\n");
e08b444a
AP		 1312 if (!CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID,
1313 NULL, &dlen))
0f113f3e
MC		 1314 return NULL;
1315 wfname = OPENSSL_malloc(dlen);
1316 if (wfname == NULL)
1317 return NULL;
e08b444a
AP		 1318 if (CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID,
1319 wfname, &dlen)) {
0f113f3e
MC		 1320 char *fname = wide_to_asc(wfname);
1321 OPENSSL_free(wfname);
1322 return fname;
1323 }
1324 CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, CAPI_R_ERROR_GETTING_FRIENDLY_NAME);
1325 capi_addlasterror();
1326
1327 OPENSSL_free(wfname);
1328 return NULL;
1329}
1330
8f0e5888 1331static void capi_dump_cert(CAPI_CTX *ctx, BIO *out, PCCERT_CONTEXT cert)
0f113f3e
MC		 1332{
1333 X509 *x;
57ebe748 1334 const unsigned char *p;
0f113f3e
MC		 1335 unsigned long flags = ctx->dump_flags;
1336 if (flags & CAPI_DMP_FNAME) {
1337 char *fname;
1338 fname = capi_cert_get_fname(ctx, cert);
1339 if (fname) {
1340 BIO_printf(out, " Friendly Name \"%s\"\n", fname);
1341 OPENSSL_free(fname);
e08b444a 1342 } else {
0f113f3e 1343 BIO_printf(out, " <No Friendly Name>\n");
e08b444a 1344 }
0f113f3e
MC		 1345 }
1346
1347 p = cert->pbCertEncoded;
1348 x = d2i_X509(NULL, &p, cert->cbCertEncoded);
1349 if (!x)
1350 BIO_printf(out, " <Can't parse certificate>\n");
1351 if (flags & CAPI_DMP_SUMMARY) {
1352 BIO_printf(out, " Subject: ");
1353 X509_NAME_print_ex(out, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
1354 BIO_printf(out, "\n Issuer: ");
1355 X509_NAME_print_ex(out, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
1356 BIO_printf(out, "\n");
1357 }
1358 if (flags & CAPI_DMP_FULL)
1359 X509_print_ex(out, x, XN_FLAG_ONELINE, 0);
1360
1361 if (flags & CAPI_DMP_PKEYINFO) {
1362 CRYPT_KEY_PROV_INFO *pinfo;
1363 pinfo = capi_get_prov_info(ctx, cert);
1364 capi_dump_prov_info(ctx, out, pinfo);
b548a1f1 1365 OPENSSL_free(pinfo);
0f113f3e
MC		 1366 }
1367
1368 if (flags & CAPI_DMP_PEM)
1369 PEM_write_bio_X509(out, x);
1370 X509_free(x);
1371}
1372
8f0e5888 1373static HCERTSTORE capi_open_store(CAPI_CTX *ctx, char *storename)
0f113f3e
MC		 1374{
1375 HCERTSTORE hstore;
1376
1377 if (!storename)
1378 storename = ctx->storename;
1379 if (!storename)
1380 storename = "MY";
1381 CAPI_trace(ctx, "Opening certificate store %s\n", storename);
1382
1383 hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0,
1384 ctx->store_flags, storename);
1385 if (!hstore) {
1386 CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE);
1387 capi_addlasterror();
1388 }
1389 return hstore;
1390}
1391
8f0e5888 1392int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *id)
0f113f3e
MC		 1393{
1394 char *storename;
1395 int idx;
1396 int ret = 1;
1397 HCERTSTORE hstore;
1398 PCCERT_CONTEXT cert = NULL;
1399
1400 storename = ctx->storename;
1401 if (!storename)
1402 storename = "MY";
1403 CAPI_trace(ctx, "Listing certs for store %s\n", storename);
1404
1405 hstore = capi_open_store(ctx, storename);
1406 if (!hstore)
1407 return 0;
1408 if (id) {
1409 cert = capi_find_cert(ctx, id, hstore);
1410 if (!cert) {
1411 ret = 0;
1412 goto err;
1413 }
1414 capi_dump_cert(ctx, out, cert);
1415 CertFreeCertificateContext(cert);
1416 } else {
1417 for (idx = 0;; idx++) {
1418 cert = CertEnumCertificatesInStore(hstore, cert);
1419 if (!cert)
1420 break;
1421 BIO_printf(out, "Certificate %d\n", idx);
1422 capi_dump_cert(ctx, out, cert);
1423 }
1424 }
1425 err:
1426 CertCloseStore(hstore, 0);
1427 return ret;
1428}
1429
8f0e5888 1430static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id,
0f113f3e
MC		 1431 HCERTSTORE hstore)
1432{
1433 PCCERT_CONTEXT cert = NULL;
1434 char *fname = NULL;
1435 int match;
1436 switch (ctx->lookup_method) {
1437 case CAPI_LU_SUBSTR:
e08b444a 1438 return CertFindCertificateInStore(hstore, X509_ASN_ENCODING, 0,
0f113f3e
MC		 1439 CERT_FIND_SUBJECT_STR_A, id, NULL);
1440 case CAPI_LU_FNAME:
1441 for (;;) {
1442 cert = CertEnumCertificatesInStore(hstore, cert);
1443 if (!cert)
1444 return NULL;
1445 fname = capi_cert_get_fname(ctx, cert);
1446 if (fname) {
1447 if (strcmp(fname, id))
1448 match = 0;
1449 else
1450 match = 1;
1451 OPENSSL_free(fname);
1452 if (match)
1453 return cert;
1454 }
1455 }
1456 default:
1457 return NULL;
1458 }
1459}
1460
3a5b64b2
AP		 1461static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const WCHAR *contname,
1462 WCHAR *provname, DWORD ptype, DWORD keyspec)
0f113f3e 1463{
0f113f3e 1464 DWORD dwFlags = 0;
b4faea50
RS		 1465 CAPI_KEY *key = OPENSSL_malloc(sizeof(*key));
1466
0f113f3e
MC		 1467 if (key == NULL)
1468 return NULL;
7b548d3f
DSH		 1469 /* If PROV_RSA_AES supported use it instead */
1470 if (ptype == PROV_RSA_FULL && use_aes_csp) {
1471 provname = NULL;
1472 ptype = PROV_RSA_AES;
1473 CAPI_trace(ctx, "capi_get_key, contname=%s, RSA_AES_CSP\n", contname);
1474 } else if (sizeof(TCHAR) == sizeof(char)) {
0f113f3e
MC		 1475 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
1476 contname, provname, ptype);
7b548d3f 1477 } else if (ctx && ctx->debug_level >= CAPI_DBG_TRACE && ctx->debug_file) {
0f113f3e 1478 /* above 'if' is optimization to minimize malloc-ations */
3a5b64b2
AP		 1479 char *_contname = wide_to_asc(contname);
1480 char *_provname = wide_to_asc(provname);
0f113f3e
MC		 1481
1482 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
1483 _contname, _provname, ptype);
b548a1f1
RS		 1484 OPENSSL_free(_provname);
1485 OPENSSL_free(_contname);
0f113f3e
MC		 1486 }
1487 if (ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE)
1488 dwFlags = CRYPT_MACHINE_KEYSET;
3a5b64b2
AP		 1489 if (!CryptAcquireContextW(&key->hprov, contname, provname, ptype,
1490 dwFlags)) {
0f113f3e
MC		 1491 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
1492 capi_addlasterror();
1493 goto err;
1494 }
1495 if (!CryptGetUserKey(key->hprov, keyspec, &key->key)) {
1496 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_GETUSERKEY_ERROR);
1497 capi_addlasterror();
1498 CryptReleaseContext(key->hprov, 0);
1499 goto err;
1500 }
1501 key->keyspec = keyspec;
1502 key->pcert = NULL;
1503 return key;
1504
1505 err:
1506 OPENSSL_free(key);
1507 return NULL;
1508}
1509
8f0e5888 1510static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
0f113f3e
MC		 1511{
1512 CAPI_KEY *key = NULL;
1513 CRYPT_KEY_PROV_INFO *pinfo = NULL;
3a5b64b2 1514
0f113f3e 1515 pinfo = capi_get_prov_info(ctx, cert);
3a5b64b2
AP		 1516
1517 if (pinfo != NULL)
1518 key = capi_get_key(ctx, pinfo->pwszContainerName, pinfo->pwszProvName,
0f113f3e 1519 pinfo->dwProvType, pinfo->dwKeySpec);
0f113f3e 1520
b548a1f1 1521 OPENSSL_free(pinfo);
0f113f3e
MC		 1522 return key;
1523}
1524
8f0e5888 1525CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id)
0f113f3e
MC		 1526{
1527 PCCERT_CONTEXT cert;
1528 HCERTSTORE hstore;
1529 CAPI_KEY *key = NULL;
3a5b64b2 1530
0f113f3e
MC		 1531 switch (ctx->lookup_method) {
1532 case CAPI_LU_SUBSTR:
1533 case CAPI_LU_FNAME:
1534 hstore = capi_open_store(ctx, NULL);
1535 if (!hstore)
1536 return NULL;
1537 cert = capi_find_cert(ctx, id, hstore);
1538 if (cert) {
1539 key = capi_get_cert_key(ctx, cert);
1540 CertFreeCertificateContext(cert);
1541 }
1542 CertCloseStore(hstore, 0);
1543 break;
1544
1545 case CAPI_LU_CONTNAME:
3a5b64b2 1546 {
0f113f3e
MC		 1547 WCHAR *contname, *provname;
1548 DWORD len;
1549
1550 if ((len = MultiByteToWideChar(CP_ACP, 0, id, -1, NULL, 0)) &&
1551 (contname = alloca(len * sizeof(WCHAR)),
1552 MultiByteToWideChar(CP_ACP, 0, id, -1, contname, len)) &&
e08b444a
AP		 1553 (len = MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1,
1554 NULL, 0)) &&
1555 (provname = alloca(len * sizeof(WCHAR)),
1556 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1,
1557 provname, len)))
3a5b64b2 1558 key = capi_get_key(ctx, contname, provname,
e08b444a 1559 ctx->csptype, ctx->keytype);
e08b444a 1560 }
0f113f3e
MC		 1561 break;
1562 }
1563
1564 return key;
1565}
1566
8f0e5888 1567void capi_free_key(CAPI_KEY *key)
0f113f3e
MC		 1568{
1569 if (!key)
1570 return;
1571 CryptDestroyKey(key->key);
1572 CryptReleaseContext(key->hprov, 0);
1573 if (key->pcert)
1574 CertFreeCertificateContext(key->pcert);
1575 OPENSSL_free(key);
1576}
7a18ecb2
DSH		 1577
1578/* Initialize a CAPI_CTX structure */
1579
57ebe748 1580static CAPI_CTX *capi_ctx_new(void)
0f113f3e 1581{
64b25758 1582 CAPI_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
b4faea50 1583
55646005 1584 if (ctx == NULL) {
0f113f3e
MC		 1585 CAPIerr(CAPI_F_CAPI_CTX_NEW, ERR_R_MALLOC_FAILURE);
1586 return NULL;
1587 }
0f113f3e
MC		 1588 ctx->csptype = PROV_RSA_FULL;
1589 ctx->dump_flags = CAPI_DMP_SUMMARY | CAPI_DMP_FNAME;
1590 ctx->keytype = AT_KEYEXCHANGE;
0f113f3e
MC		 1591 ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG |
1592 CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER;
1593 ctx->lookup_method = CAPI_LU_SUBSTR;
0f113f3e
MC		 1594 ctx->client_cert_select = cert_select_simple;
1595 return ctx;
1596}
1597
8f0e5888 1598static void capi_ctx_free(CAPI_CTX *ctx)
0f113f3e
MC		 1599{
1600 CAPI_trace(ctx, "Calling capi_ctx_free with %lx\n", ctx);
1601 if (!ctx)
1602 return;
b548a1f1
RS		 1603 OPENSSL_free(ctx->cspname);
1604 OPENSSL_free(ctx->debug_file);
1605 OPENSSL_free(ctx->storename);
1606 OPENSSL_free(ctx->ssl_client_store);
0f113f3e
MC		 1607 OPENSSL_free(ctx);
1608}
1609
8f0e5888 1610static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type,
0f113f3e
MC		 1611 int check)
1612{
690b4621
MC		 1613 LPSTR tmpcspname;
1614
0f113f3e
MC		 1615 CAPI_trace(ctx, "capi_ctx_set_provname, name=%s, type=%d\n", pname, type);
1616 if (check) {
1617 HCRYPTPROV hprov;
3a5b64b2
AP		 1618 LPWSTR name = NULL;
1619 DWORD len;
0f113f3e 1620
3a5b64b2
AP		 1621 if ((len = MultiByteToWideChar(CP_ACP, 0, pname, -1, NULL, 0))) {
1622 name = alloca(len * sizeof(WCHAR));
1623 MultiByteToWideChar(CP_ACP, 0, pname, -1, (WCHAR *)name, len);
e08b444a 1624 }
3a5b64b2
AP		 1625 if (name == NULL || !CryptAcquireContextW(&hprov, NULL, name, type,
1626 CRYPT_VERIFYCONTEXT)) {
0f113f3e
MC		 1627 CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME,
1628 CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
1629 capi_addlasterror();
1630 return 0;
1631 }
1632 CryptReleaseContext(hprov, 0);
1633 }
690b4621
MC		 1634 tmpcspname = OPENSSL_strdup(pname);
1635 if (tmpcspname == NULL) {
1636 CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, ERR_R_MALLOC_FAILURE);
1637 return 0;
1638 }
b548a1f1 1639 OPENSSL_free(ctx->cspname);
690b4621 1640 ctx->cspname = tmpcspname;
0f113f3e
MC		 1641 ctx->csptype = type;
1642 return 1;
1643}
1644
8f0e5888 1645static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx)
0f113f3e
MC		 1646{
1647 LPSTR pname;
1648 DWORD type;
1649 int res;
1650 if (capi_get_provname(ctx, &pname, &type, idx) != 1)
1651 return 0;
1652 res = capi_ctx_set_provname(ctx, pname, type, 0);
1653 OPENSSL_free(pname);
1654 return res;
1655}
7a18ecb2 1656
b3c8dd4e 1657static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)
0f113f3e
MC		 1658{
1659 int i;
1660 X509_NAME *nm;
1661 /* Special case: empty list: match anything */
1662 if (sk_X509_NAME_num(ca_dn) <= 0)
1663 return 1;
1664 for (i = 0; i < sk_X509_NAME_num(ca_dn); i++) {
1665 nm = sk_X509_NAME_value(ca_dn, i);
1666 if (!X509_NAME_cmp(nm, X509_get_issuer_name(x)))
1667 return 1;
1668 }
1669 return 0;
1670}
7d537d4f 1671
b3c8dd4e 1672static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
0f113f3e
MC		 1673 STACK_OF(X509_NAME) *ca_dn, X509 **pcert,
1674 EVP_PKEY **pkey, STACK_OF(X509) **pother,
1675 UI_METHOD *ui_method,
1676 void *callback_data)
1677{
1678 STACK_OF(X509) *certs = NULL;
1679 X509 *x;
1680 char *storename;
57ebe748 1681 const unsigned char *p;
0f113f3e
MC		 1682 int i, client_cert_idx;
1683 HCERTSTORE hstore;
1684 PCCERT_CONTEXT cert = NULL, excert = NULL;
1685 CAPI_CTX *ctx;
1686 CAPI_KEY *key;
1687 ctx = ENGINE_get_ex_data(e, capi_idx);
1688
1689 *pcert = NULL;
1690 *pkey = NULL;
1691
1692 storename = ctx->ssl_client_store;
1693 if (!storename)
1694 storename = "MY";
1695
1696 hstore = capi_open_store(ctx, storename);
1697 if (!hstore)
1698 return 0;
1699 /* Enumerate all certificates collect any matches */
1700 for (i = 0;; i++) {
1701 cert = CertEnumCertificatesInStore(hstore, cert);
1702 if (!cert)
1703 break;
1704 p = cert->pbCertEncoded;
1705 x = d2i_X509(NULL, &p, cert->cbCertEncoded);
1706 if (!x) {
1707 CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
1708 continue;
1709 }
1710 if (cert_issuer_match(ca_dn, x)
1711 && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0)) {
1712 key = capi_get_cert_key(ctx, cert);
1713 if (!key) {
1714 X509_free(x);
1715 continue;
1716 }
1717 /*
1718 * Match found: attach extra data to it so we can retrieve the
1719 * key later.
1720 */
1721 excert = CertDuplicateCertificateContext(cert);
1722 key->pcert = excert;
1723 X509_set_ex_data(x, cert_capi_idx, key);
1724
1725 if (!certs)
1726 certs = sk_X509_new_null();
1727
1728 sk_X509_push(certs, x);
e08b444a 1729 } else {
0f113f3e 1730 X509_free(x);
e08b444a 1731 }
0f113f3e
MC		 1732 }
1733
1734 if (cert)
1735 CertFreeCertificateContext(cert);
1736 if (hstore)
1737 CertCloseStore(hstore, 0);
1738
1739 if (!certs)
1740 return 0;
1741
1742 /* Select the appropriate certificate */
1743
1744 client_cert_idx = ctx->client_cert_select(e, ssl, certs);
1745
1746 /* Set the selected certificate and free the rest */
1747
1748 for (i = 0; i < sk_X509_num(certs); i++) {
1749 x = sk_X509_value(certs, i);
1750 if (i == client_cert_idx)
1751 *pcert = x;
1752 else {
1753 key = X509_get_ex_data(x, cert_capi_idx);
1754 capi_free_key(key);
1755 X509_free(x);
1756 }
1757 }
1758
1759 sk_X509_free(certs);
1760
1761 if (!*pcert)
1762 return 0;
1763
1764 /* Setup key for selected certificate */
1765
1766 key = X509_get_ex_data(*pcert, cert_capi_idx);
1767 *pkey = capi_get_pkey(e, key);
1768 X509_set_ex_data(*pcert, cert_capi_idx, NULL);
1769
1770 return 1;
1771
1772}
e0f7b872
DSH		 1773
1774/* Simple client cert selection function: always select first */
1775
1cd504e7 1776static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
0f113f3e
MC		 1777{
1778 return 0;
1779}
e0f7b872 1780
0f113f3e 1781# ifdef OPENSSL_CAPIENG_DIALOG
e0f7b872 1782
0f113f3e
MC		 1783/*
1784 * More complex cert selection function, using standard function
e0f7b872
DSH		 1785 * CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
1786 */
1787
0f113f3e
MC		 1788/*
1789 * Definitions which are in cryptuiapi.h but this is not present in older
a0f3679b
DSH		 1790 * versions of headers.
1791 */
1792
0f113f3e
MC		 1793# ifndef CRYPTUI_SELECT_LOCATION_COLUMN
1794# define CRYPTUI_SELECT_LOCATION_COLUMN 0x000000010
1795# define CRYPTUI_SELECT_INTENDEDUSE_COLUMN 0x000000004
1796# endif
e0f7b872 1797
0f113f3e
MC		 1798# define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
1799# define dlg_prompt L"Select a certificate to use for authentication"
1800# define dlg_columns CRYPTUI_SELECT_LOCATION_COLUMN \
1801 |CRYPTUI_SELECT_INTENDEDUSE_COLUMN
1381bf90 1802
1cd504e7 1803static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
0f113f3e
MC		 1804{
1805 X509 *x;
1806 HCERTSTORE dstore;
1807 PCCERT_CONTEXT cert;
1808 CAPI_CTX *ctx;
1809 CAPI_KEY *key;
1810 HWND hwnd;
1811 int i, idx = -1;
1812 if (sk_X509_num(certs) == 1)
1813 return 0;
1814 ctx = ENGINE_get_ex_data(e, capi_idx);
1815 /* Create an in memory store of certificates */
1816 dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
1817 CERT_STORE_CREATE_NEW_FLAG, NULL);
1818 if (!dstore) {
1819 CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE);
1820 capi_addlasterror();
1821 goto err;
1822 }
1823 /* Add all certificates to store */
1824 for (i = 0; i < sk_X509_num(certs); i++) {
1825 x = sk_X509_value(certs, i);
1826 key = X509_get_ex_data(x, cert_capi_idx);
1827
1828 if (!CertAddCertificateContextToStore(dstore, key->pcert,
1829 CERT_STORE_ADD_NEW, NULL)) {
1830 CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT);
1831 capi_addlasterror();
1832 goto err;
1833 }
1834
1835 }
1836 hwnd = GetForegroundWindow();
1837 if (!hwnd)
1838 hwnd = GetActiveWindow();
1839 if (!hwnd && ctx->getconswindow)
1840 hwnd = ctx->getconswindow();
1841 /* Call dialog to select one */
1842 cert = ctx->certselectdlg(dstore, hwnd, dlg_title, dlg_prompt,
1843 dlg_columns, 0, NULL);
1844
1845 /* Find matching cert from list */
1846 if (cert) {
1847 for (i = 0; i < sk_X509_num(certs); i++) {
1848 x = sk_X509_value(certs, i);
1849 key = X509_get_ex_data(x, cert_capi_idx);
1850 if (CertCompareCertificate
1851 (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo,
1852 key->pcert->pCertInfo)) {
1853 idx = i;
1854 break;
1855 }
1856 }
1857 }
1858
1859 err:
1860 if (dstore)
1861 CertCloseStore(dstore, 0);
1862 return idx;
1863
1864}
1865# endif
1866
1867#else /* !__COMPILE_CAPIENG */
1868# include <openssl/engine.h>
1869# ifndef OPENSSL_NO_DYNAMIC_ENGINE
492279f6 1870OPENSSL_EXPORT
0f113f3e 1871 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);
eb164d0b 1872OPENSSL_EXPORT
0f113f3e
MC		 1873 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns)
1874{
1875 return 0;
1876}
1877
492279f6 1878IMPLEMENT_DYNAMIC_CHECK_FN()
0f113f3e 1879# else
b3599dbb
MC		 1880void engine_load_capi_int(void);
1881void engine_load_capi_int(void)
0f113f3e
MC		 1882{
1883}
1884# endif
7a18ecb2 1885#endif
A mirror of the official openssl repository