1/* engines/e_capi.c */ 2/* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2008-2018 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 */ 54 55#include <stdio.h> 56#include <string.h> 57#include <stdlib.h> 58 59#include <openssl/crypto.h> 60 61#ifdef OPENSSL_SYS_WIN32 62# ifndef OPENSSL_NO_CAPIENG 63 64# include <openssl/buffer.h> 65# include <openssl/bn.h> 66# include <openssl/rsa.h> 67 68# ifndef _WIN32_WINNT 69# define _WIN32_WINNT 0x0400 70# endif 71 72# include <windows.h> 73# include <wincrypt.h> 74# include <malloc.h> 75# ifndef alloca 76# define alloca _alloca 77# endif 78 79/* 80 * This module uses several "new" interfaces, among which is 81 * CertGetCertificateContextProperty. CERT_KEY_PROV_INFO_PROP_ID is 82 * one of possible values you can pass to function in question. By 83 * checking if it's defined we can see if wincrypt.h and accompanying 84 * crypt32.lib are in shape. The native MingW32 headers up to and 85 * including __W32API_VERSION 3.14 lack of struct DSSPUBKEY and the 86 * defines CERT_STORE_PROV_SYSTEM_A and CERT_STORE_READONLY_FLAG, 87 * so we check for these too and avoid compiling. 88 * Yes, it's rather "weak" test and if compilation fails, 89 * then re-configure with -DOPENSSL_NO_CAPIENG. 90 */ 91# if defined(CERT_KEY_PROV_INFO_PROP_ID) && \ 92 defined(CERT_STORE_PROV_SYSTEM_A) && \ 93 defined(CERT_STORE_READONLY_FLAG) 94# define __COMPILE_CAPIENG 95# endif /* CERT_KEY_PROV_INFO_PROP_ID */ 96# endif /* OPENSSL_NO_CAPIENG */ 97#endif /* OPENSSL_SYS_WIN32 */ 98 99#ifdef __COMPILE_CAPIENG 100 101# undef X509_EXTENSIONS 102# undef X509_CERT_PAIR 103 104/* Definitions which may be missing from earlier version of headers */ 105# ifndef CERT_STORE_OPEN_EXISTING_FLAG 106# define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000 107# endif 108 109# ifndef CERT_STORE_CREATE_NEW_FLAG 110# define CERT_STORE_CREATE_NEW_FLAG 0x00002000 111# endif 112 113# ifndef CERT_SYSTEM_STORE_CURRENT_USER 114# define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000 115# endif 116 117# ifndef ALG_SID_SHA_256 118# define ALG_SID_SHA_256 12 119# endif 120# ifndef ALG_SID_SHA_384 121# define ALG_SID_SHA_384 13 122# endif 123# ifndef ALG_SID_SHA_512 124# define ALG_SID_SHA_512 14 125# endif 126 127# ifndef CALG_SHA_256 128# define CALG_SHA_256 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256) 129# endif 130# ifndef CALG_SHA_384 131# define CALG_SHA_384 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_384) 132# endif 133# ifndef CALG_SHA_512 134# define CALG_SHA_512 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_512) 135# endif 136 137# include <openssl/engine.h> 138# include <openssl/pem.h> 139# include <openssl/x509v3.h> 140 141# include "e_capi_err.h" 142# include "e_capi_err.c" 143 144static const char *engine_capi_id = "capi"; 145static const char *engine_capi_name = "CryptoAPI ENGINE"; 146 147typedef struct CAPI_CTX_st CAPI_CTX; 148typedef struct CAPI_KEY_st CAPI_KEY; 149 150static void capi_addlasterror(void); 151static void capi_adderror(DWORD err); 152 153static void CAPI_trace(CAPI_CTX * ctx, char *format, ...); 154 155static int capi_list_providers(CAPI_CTX * ctx, BIO *out); 156static int capi_list_containers(CAPI_CTX * ctx, BIO *out); 157int capi_list_certs(CAPI_CTX * ctx, BIO *out, char *storename); 158void capi_free_key(CAPI_KEY * key); 159 160static PCCERT_CONTEXT capi_find_cert(CAPI_CTX * ctx, const char *id, 161 HCERTSTORE hstore); 162 163CAPI_KEY *capi_find_key(CAPI_CTX * ctx, const char *id); 164 165static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id, 166 UI_METHOD *ui_method, void *callback_data); 167static int capi_rsa_sign(int dtype, const unsigned char *m, 168 unsigned int m_len, unsigned char *sigret, 169 unsigned int *siglen, const RSA *rsa); 170static int capi_rsa_priv_enc(int flen, const unsigned char *from, 171 unsigned char *to, RSA *rsa, int padding); 172static int capi_rsa_priv_dec(int flen, const unsigned char *from, 173 unsigned char *to, RSA *rsa, int padding); 174static int capi_rsa_free(RSA *rsa); 175 176static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen, 177 DSA *dsa); 178static int capi_dsa_free(DSA *dsa); 179 180static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, 181 STACK_OF(X509_NAME) *ca_dn, X509 **pcert, 182 EVP_PKEY **pkey, STACK_OF(X509) **pother, 183 UI_METHOD *ui_method, 184 void *callback_data); 185 186static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); 187# ifdef OPENSSL_CAPIENG_DIALOG 188static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); 189# endif 190 191typedef PCCERT_CONTEXT(WINAPI *CERTDLG) (HCERTSTORE, HWND, LPCWSTR, 192 LPCWSTR, DWORD, DWORD, void *); 193typedef HWND(WINAPI *GETCONSWIN) (void); 194 195/* 196 * This structure contains CAPI ENGINE specific data: it contains various 197 * global options and affects how other functions behave. 198 */ 199 200# define CAPI_DBG_TRACE 2 201# define CAPI_DBG_ERROR 1 202 203struct CAPI_CTX_st { 204 int debug_level; 205 char *debug_file; 206 /* Parameters to use for container lookup */ 207 DWORD keytype; 208 LPSTR cspname; 209 DWORD csptype; 210 /* Certificate store name to use */ 211 LPSTR storename; 212 LPSTR ssl_client_store; 213 /* System store flags */ 214 DWORD store_flags; 215/* Lookup string meanings in load_private_key */ 216/* Substring of subject: uses "storename" */ 217# define CAPI_LU_SUBSTR 1 218/* Friendly name: uses storename */ 219# define CAPI_LU_FNAME 2 220/* Container name: uses cspname, keytype */ 221# define CAPI_LU_CONTNAME 3 222 int lookup_method; 223/* Info to dump with dumpcerts option */ 224/* Issuer and serial name strings */ 225# define CAPI_DMP_SUMMARY 0x1 226/* Friendly name */ 227# define CAPI_DMP_FNAME 0x2 228/* Full X509_print dump */ 229# define CAPI_DMP_FULL 0x4 230/* Dump PEM format certificate */ 231# define CAPI_DMP_PEM 0x8 232/* Dump pseudo key (if possible) */ 233# define CAPI_DMP_PSKEY 0x10 234/* Dump key info (if possible) */ 235# define CAPI_DMP_PKEYINFO 0x20 236 DWORD dump_flags; 237 int (*client_cert_select) (ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); 238 CERTDLG certselectdlg; 239 GETCONSWIN getconswindow; 240}; 241 242static CAPI_CTX *capi_ctx_new(); 243static void capi_ctx_free(CAPI_CTX * ctx); 244static int capi_ctx_set_provname(CAPI_CTX * ctx, LPSTR pname, DWORD type, 245 int check); 246static int capi_ctx_set_provname_idx(CAPI_CTX * ctx, int idx); 247 248# define CAPI_CMD_LIST_CERTS ENGINE_CMD_BASE 249# define CAPI_CMD_LOOKUP_CERT (ENGINE_CMD_BASE + 1) 250# define CAPI_CMD_DEBUG_LEVEL (ENGINE_CMD_BASE + 2) 251# define CAPI_CMD_DEBUG_FILE (ENGINE_CMD_BASE + 3) 252# define CAPI_CMD_KEYTYPE (ENGINE_CMD_BASE + 4) 253# define CAPI_CMD_LIST_CSPS (ENGINE_CMD_BASE + 5) 254# define CAPI_CMD_SET_CSP_IDX (ENGINE_CMD_BASE + 6) 255# define CAPI_CMD_SET_CSP_NAME (ENGINE_CMD_BASE + 7) 256# define CAPI_CMD_SET_CSP_TYPE (ENGINE_CMD_BASE + 8) 257# define CAPI_CMD_LIST_CONTAINERS (ENGINE_CMD_BASE + 9) 258# define CAPI_CMD_LIST_OPTIONS (ENGINE_CMD_BASE + 10) 259# define CAPI_CMD_LOOKUP_METHOD (ENGINE_CMD_BASE + 11) 260# define CAPI_CMD_STORE_NAME (ENGINE_CMD_BASE + 12) 261# define CAPI_CMD_STORE_FLAGS (ENGINE_CMD_BASE + 13) 262 263static const ENGINE_CMD_DEFN capi_cmd_defns[] = { 264 {CAPI_CMD_LIST_CERTS, 265 "list_certs", 266 "List all certificates in store", 267 ENGINE_CMD_FLAG_NO_INPUT}, 268 {CAPI_CMD_LOOKUP_CERT, 269 "lookup_cert", 270 "Lookup and output certificates", 271 ENGINE_CMD_FLAG_STRING}, 272 {CAPI_CMD_DEBUG_LEVEL, 273 "debug_level", 274 "debug level (1=errors, 2=trace)", 275 ENGINE_CMD_FLAG_NUMERIC}, 276 {CAPI_CMD_DEBUG_FILE, 277 "debug_file", 278 "debugging filename)", 279 ENGINE_CMD_FLAG_STRING}, 280 {CAPI_CMD_KEYTYPE, 281 "key_type", 282 "Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE", 283 ENGINE_CMD_FLAG_NUMERIC}, 284 {CAPI_CMD_LIST_CSPS, 285 "list_csps", 286 "List all CSPs", 287 ENGINE_CMD_FLAG_NO_INPUT}, 288 {CAPI_CMD_SET_CSP_IDX, 289 "csp_idx", 290 "Set CSP by index", 291 ENGINE_CMD_FLAG_NUMERIC}, 292 {CAPI_CMD_SET_CSP_NAME, 293 "csp_name", 294 "Set CSP name, (default CSP used if not specified)", 295 ENGINE_CMD_FLAG_STRING}, 296 {CAPI_CMD_SET_CSP_TYPE, 297 "csp_type", 298 "Set CSP type, (default RSA_PROV_FULL)", 299 ENGINE_CMD_FLAG_NUMERIC}, 300 {CAPI_CMD_LIST_CONTAINERS, 301 "list_containers", 302 "list container names", 303 ENGINE_CMD_FLAG_NO_INPUT}, 304 {CAPI_CMD_LIST_OPTIONS, 305 "list_options", 306 "Set list options (1=summary,2=friendly name, 4=full printout, 8=PEM output, 16=XXX, " 307 "32=private key info)", 308 ENGINE_CMD_FLAG_NUMERIC}, 309 {CAPI_CMD_LOOKUP_METHOD, 310 "lookup_method", 311 "Set key lookup method (1=substring, 2=friendlyname, 3=container name)", 312 ENGINE_CMD_FLAG_NUMERIC}, 313 {CAPI_CMD_STORE_NAME, 314 "store_name", 315 "certificate store name, default \"MY\"", 316 ENGINE_CMD_FLAG_STRING}, 317 {CAPI_CMD_STORE_FLAGS, 318 "store_flags", 319 "Certificate store flags: 1 = system store", 320 ENGINE_CMD_FLAG_NUMERIC}, 321 322 {0, NULL, NULL, 0} 323}; 324 325static int capi_idx = -1; 326static int rsa_capi_idx = -1; 327static int dsa_capi_idx = -1; 328static int cert_capi_idx = -1; 329 330static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) 331{ 332 int ret = 1; 333 CAPI_CTX *ctx; 334 BIO *out; 335 if (capi_idx == -1) { 336 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_ENGINE_NOT_INITIALIZED); 337 return 0; 338 } 339 ctx = ENGINE_get_ex_data(e, capi_idx); 340 out = BIO_new_fp(stdout, BIO_NOCLOSE); 341 switch (cmd) { 342 case CAPI_CMD_LIST_CSPS: 343 ret = capi_list_providers(ctx, out); 344 break; 345 346 case CAPI_CMD_LIST_CERTS: 347 ret = capi_list_certs(ctx, out, NULL); 348 break; 349 350 case CAPI_CMD_LOOKUP_CERT: 351 ret = capi_list_certs(ctx, out, p); 352 break; 353 354 case CAPI_CMD_LIST_CONTAINERS: 355 ret = capi_list_containers(ctx, out); 356 break; 357 358 case CAPI_CMD_STORE_NAME: 359 if (ctx->storename) 360 OPENSSL_free(ctx->storename); 361 ctx->storename = BUF_strdup(p); 362 CAPI_trace(ctx, "Setting store name to %s\n", p); 363 break; 364 365 case CAPI_CMD_STORE_FLAGS: 366 if (i & 1) { 367 ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE; 368 ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER; 369 } else { 370 ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER; 371 ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE; 372 } 373 CAPI_trace(ctx, "Setting flags to %d\n", i); 374 break; 375 376 case CAPI_CMD_DEBUG_LEVEL: 377 ctx->debug_level = (int)i; 378 CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level); 379 break; 380 381 case CAPI_CMD_DEBUG_FILE: 382 ctx->debug_file = BUF_strdup(p); 383 CAPI_trace(ctx, "Setting debug file to %s\n", ctx->debug_file); 384 break; 385 386 case CAPI_CMD_KEYTYPE: 387 ctx->keytype = i; 388 CAPI_trace(ctx, "Setting key type to %d\n", ctx->keytype); 389 break; 390 391 case CAPI_CMD_SET_CSP_IDX: 392 ret = capi_ctx_set_provname_idx(ctx, i); 393 break; 394 395 case CAPI_CMD_LIST_OPTIONS: 396 ctx->dump_flags = i; 397 break; 398 399 case CAPI_CMD_LOOKUP_METHOD: 400 if (i < 1 || i > 3) { 401 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD); 402 return 0; 403 } 404 ctx->lookup_method = i; 405 break; 406 407 case CAPI_CMD_SET_CSP_NAME: 408 ret = capi_ctx_set_provname(ctx, p, ctx->csptype, 1); 409 break; 410 411 case CAPI_CMD_SET_CSP_TYPE: 412 ctx->csptype = i; 413 break; 414 415 default: 416 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_UNKNOWN_COMMAND); 417 ret = 0; 418 } 419 420 BIO_free(out); 421 return ret; 422 423} 424 425static RSA_METHOD capi_rsa_method = { 426 "CryptoAPI RSA method", 427 0, /* pub_enc */ 428 0, /* pub_dec */ 429 capi_rsa_priv_enc, /* priv_enc */ 430 capi_rsa_priv_dec, /* priv_dec */ 431 0, /* rsa_mod_exp */ 432 0, /* bn_mod_exp */ 433 0, /* init */ 434 capi_rsa_free, /* finish */ 435 RSA_FLAG_SIGN_VER, /* flags */ 436 NULL, /* app_data */ 437 capi_rsa_sign, /* rsa_sign */ 438 0 /* rsa_verify */ 439}; 440 441static DSA_METHOD capi_dsa_method = { 442 "CryptoAPI DSA method", 443 capi_dsa_do_sign, /* dsa_do_sign */ 444 0, /* dsa_sign_setup */ 445 0, /* dsa_do_verify */ 446 0, /* dsa_mod_exp */ 447 0, /* bn_mod_exp */ 448 0, /* init */ 449 capi_dsa_free, /* finish */ 450 0, /* flags */ 451 NULL, /* app_data */ 452 0, /* dsa_paramgen */ 453 0 /* dsa_keygen */ 454}; 455 456static int capi_init(ENGINE *e) 457{ 458 CAPI_CTX *ctx; 459 const RSA_METHOD *ossl_rsa_meth; 460 const DSA_METHOD *ossl_dsa_meth; 461 462 if (capi_idx < 0) { 463 capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0); 464 if (capi_idx < 0) 465 goto memerr; 466 467 cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0); 468 469 /* Setup RSA_METHOD */ 470 rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0); 471 ossl_rsa_meth = RSA_PKCS1_SSLeay(); 472 capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc; 473 capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec; 474 capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp; 475 capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp; 476 477 /* Setup DSA Method */ 478 dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0); 479 ossl_dsa_meth = DSA_OpenSSL(); 480 capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify; 481 capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp; 482 capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp; 483 } 484 485 ctx = capi_ctx_new(); 486 if (!ctx) 487 goto memerr; 488 489 ENGINE_set_ex_data(e, capi_idx, ctx); 490 491# ifdef OPENSSL_CAPIENG_DIALOG 492 { 493 HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL")); 494 HMODULE kernel = GetModuleHandle(TEXT("KERNEL32.DLL")); 495 if (cryptui) 496 ctx->certselectdlg = 497 (CERTDLG) GetProcAddress(cryptui, 498 "CryptUIDlgSelectCertificateFromStore"); 499 if (kernel) 500 ctx->getconswindow = 501 (GETCONSWIN) GetProcAddress(kernel, "GetConsoleWindow"); 502 if (cryptui && !OPENSSL_isservice()) 503 ctx->client_cert_select = cert_select_dialog; 504 } 505# endif 506 507 return 1; 508 509 memerr: 510 CAPIerr(CAPI_F_CAPI_INIT, ERR_R_MALLOC_FAILURE); 511 return 0; 512 513 return 1; 514} 515 516static int capi_destroy(ENGINE *e) 517{ 518 ERR_unload_CAPI_strings(); 519 return 1; 520} 521 522static int capi_finish(ENGINE *e) 523{ 524 CAPI_CTX *ctx; 525 ctx = ENGINE_get_ex_data(e, capi_idx); 526 capi_ctx_free(ctx); 527 ENGINE_set_ex_data(e, capi_idx, NULL); 528 return 1; 529} 530 531/* 532 * CryptoAPI key application data. This contains a handle to the private key 533 * container (for sign operations) and a handle to the key (for decrypt 534 * operations). 535 */ 536 537struct CAPI_KEY_st { 538 /* Associated certificate context (if any) */ 539 PCCERT_CONTEXT pcert; 540 HCRYPTPROV hprov; 541 HCRYPTKEY key; 542 DWORD keyspec; 543}; 544 545static int bind_capi(ENGINE *e) 546{ 547 if (!ENGINE_set_id(e, engine_capi_id) 548 || !ENGINE_set_name(e, engine_capi_name) 549 || !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) 550 || !ENGINE_set_init_function(e, capi_init) 551 || !ENGINE_set_finish_function(e, capi_finish) 552 || !ENGINE_set_destroy_function(e, capi_destroy) 553 || !ENGINE_set_RSA(e, &capi_rsa_method) 554 || !ENGINE_set_DSA(e, &capi_dsa_method) 555 || !ENGINE_set_load_privkey_function(e, capi_load_privkey) 556 || !ENGINE_set_load_ssl_client_cert_function(e, 557 capi_load_ssl_client_cert) 558 || !ENGINE_set_cmd_defns(e, capi_cmd_defns) 559 || !ENGINE_set_ctrl_function(e, capi_ctrl)) 560 return 0; 561 ERR_load_CAPI_strings(); 562 563 return 1; 564 565} 566 567# ifndef OPENSSL_NO_DYNAMIC_ENGINE 568static int bind_helper(ENGINE *e, const char *id) 569{ 570 if (id && (strcmp(id, engine_capi_id) != 0)) 571 return 0; 572 if (!bind_capi(e)) 573 return 0; 574 return 1; 575} 576 577IMPLEMENT_DYNAMIC_CHECK_FN() 578 IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) 579# else 580static ENGINE *engine_capi(void) 581{ 582 ENGINE *ret = ENGINE_new(); 583 if (!ret) 584 return NULL; 585 if (!bind_capi(ret)) { 586 ENGINE_free(ret); 587 return NULL; 588 } 589 return ret; 590} 591 592void ENGINE_load_capi(void) 593{ 594 /* Copied from eng_[openssl|dyn].c */ 595 ENGINE *toadd = engine_capi(); 596 if (!toadd) 597 return; 598 ENGINE_add(toadd); 599 ENGINE_free(toadd); 600 ERR_clear_error(); 601} 602# endif 603 604static int lend_tobn(BIGNUM *bn, unsigned char *bin, int binlen) 605{ 606 int i; 607 /* 608 * Reverse buffer in place: since this is a keyblob structure that will 609 * be freed up after conversion anyway it doesn't matter if we change 610 * it. 611 */ 612 for (i = 0; i < binlen / 2; i++) { 613 unsigned char c; 614 c = bin[i]; 615 bin[i] = bin[binlen - i - 1]; 616 bin[binlen - i - 1] = c; 617 } 618 619 if (!BN_bin2bn(bin, binlen, bn)) 620 return 0; 621 return 1; 622} 623 624/* Given a CAPI_KEY get an EVP_PKEY structure */ 625 626static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY * key) 627{ 628 unsigned char *pubkey = NULL; 629 DWORD len; 630 BLOBHEADER *bh; 631 RSA *rkey = NULL; 632 DSA *dkey = NULL; 633 EVP_PKEY *ret = NULL; 634 if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len)) { 635 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR); 636 capi_addlasterror(); 637 return NULL; 638 } 639 640 pubkey = OPENSSL_malloc(len); 641 642 if (!pubkey) 643 goto memerr; 644 645 if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len)) { 646 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR); 647 capi_addlasterror(); 648 goto err; 649 } 650 651 bh = (BLOBHEADER *) pubkey; 652 if (bh->bType != PUBLICKEYBLOB) { 653 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB); 654 goto err; 655 } 656 if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX) { 657 RSAPUBKEY *rp; 658 DWORD rsa_modlen; 659 unsigned char *rsa_modulus; 660 rp = (RSAPUBKEY *) (bh + 1); 661 if (rp->magic != 0x31415352) { 662 char magstr[10]; 663 BIO_snprintf(magstr, 10, "%lx", rp->magic); 664 CAPIerr(CAPI_F_CAPI_GET_PKEY, 665 CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER); 666 ERR_add_error_data(2, "magic=0x", magstr); 667 goto err; 668 } 669 rsa_modulus = (unsigned char *)(rp + 1); 670 rkey = RSA_new_method(eng); 671 if (!rkey) 672 goto memerr; 673 674 rkey->e = BN_new(); 675 rkey->n = BN_new(); 676 677 if (!rkey->e || !rkey->n) 678 goto memerr; 679 680 if (!BN_set_word(rkey->e, rp->pubexp)) 681 goto memerr; 682 683 rsa_modlen = rp->bitlen / 8; 684 if (!lend_tobn(rkey->n, rsa_modulus, rsa_modlen)) 685 goto memerr; 686 687 RSA_set_ex_data(rkey, rsa_capi_idx, key); 688 689 if (!(ret = EVP_PKEY_new())) 690 goto memerr; 691 692 EVP_PKEY_assign_RSA(ret, rkey); 693 rkey = NULL; 694 695 } else if (bh->aiKeyAlg == CALG_DSS_SIGN) { 696 DSSPUBKEY *dp; 697 DWORD dsa_plen; 698 unsigned char *btmp; 699 dp = (DSSPUBKEY *) (bh + 1); 700 if (dp->magic != 0x31535344) { 701 char magstr[10]; 702 BIO_snprintf(magstr, 10, "%lx", dp->magic); 703 CAPIerr(CAPI_F_CAPI_GET_PKEY, 704 CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER); 705 ERR_add_error_data(2, "magic=0x", magstr); 706 goto err; 707 } 708 dsa_plen = dp->bitlen / 8; 709 btmp = (unsigned char *)(dp + 1); 710 dkey = DSA_new_method(eng); 711 if (!dkey) 712 goto memerr; 713 dkey->p = BN_new(); 714 dkey->q = BN_new(); 715 dkey->g = BN_new(); 716 dkey->pub_key = BN_new(); 717 if (!dkey->p || !dkey->q || !dkey->g || !dkey->pub_key) 718 goto memerr; 719 if (!lend_tobn(dkey->p, btmp, dsa_plen)) 720 goto memerr; 721 btmp += dsa_plen; 722 if (!lend_tobn(dkey->q, btmp, 20)) 723 goto memerr; 724 btmp += 20; 725 if (!lend_tobn(dkey->g, btmp, dsa_plen)) 726 goto memerr; 727 btmp += dsa_plen; 728 if (!lend_tobn(dkey->pub_key, btmp, dsa_plen)) 729 goto memerr; 730 btmp += dsa_plen; 731 732 DSA_set_ex_data(dkey, dsa_capi_idx, key); 733 734 if (!(ret = EVP_PKEY_new())) 735 goto memerr; 736 737 EVP_PKEY_assign_DSA(ret, dkey); 738 dkey = NULL; 739 } else { 740 char algstr[10]; 741 BIO_snprintf(algstr, 10, "%lx", bh->aiKeyAlg); 742 CAPIerr(CAPI_F_CAPI_GET_PKEY, 743 CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM); 744 ERR_add_error_data(2, "aiKeyAlg=0x", algstr); 745 goto err; 746 } 747 748 err: 749 if (pubkey) 750 OPENSSL_free(pubkey); 751 if (!ret) { 752 if (rkey) 753 RSA_free(rkey); 754 if (dkey) 755 DSA_free(dkey); 756 } 757 758 return ret; 759 760 memerr: 761 CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE); 762 goto err; 763 764} 765 766static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id, 767 UI_METHOD *ui_method, void *callback_data) 768{ 769 CAPI_CTX *ctx; 770 CAPI_KEY *key; 771 EVP_PKEY *ret; 772 ctx = ENGINE_get_ex_data(eng, capi_idx); 773 774 if (!ctx) { 775 CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT); 776 return NULL; 777 } 778 779 key = capi_find_key(ctx, key_id); 780 781 if (!key) 782 return NULL; 783 784 ret = capi_get_pkey(eng, key); 785 786 if (!ret) 787 capi_free_key(key); 788 return ret; 789 790} 791 792/* CryptoAPI RSA operations */ 793 794int capi_rsa_priv_enc(int flen, const unsigned char *from, 795 unsigned char *to, RSA *rsa, int padding) 796{ 797 CAPIerr(CAPI_F_CAPI_RSA_PRIV_ENC, CAPI_R_FUNCTION_NOT_SUPPORTED); 798 return -1; 799} 800 801int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len, 802 unsigned char *sigret, unsigned int *siglen, const RSA *rsa) 803{ 804 ALG_ID alg; 805 HCRYPTHASH hash; 806 DWORD slen; 807 unsigned int i; 808 int ret = -1; 809 CAPI_KEY *capi_key; 810 CAPI_CTX *ctx; 811 812 ctx = ENGINE_get_ex_data(rsa->engine, capi_idx); 813 814 CAPI_trace(ctx, "Called CAPI_rsa_sign()\n"); 815 816 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); 817 if (!capi_key) { 818 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_GET_KEY); 819 return -1; 820 } 821/* Convert the signature type to a CryptoAPI algorithm ID */ 822 switch (dtype) { 823 case NID_sha256: 824 alg = CALG_SHA_256; 825 break; 826 827 case NID_sha384: 828 alg = CALG_SHA_384; 829 break; 830 831 case NID_sha512: 832 alg = CALG_SHA_512; 833 break; 834 835 case NID_sha1: 836 alg = CALG_SHA1; 837 break; 838 839 case NID_md5: 840 alg = CALG_MD5; 841 break; 842 843 case NID_md5_sha1: 844 alg = CALG_SSL3_SHAMD5; 845 break; 846 default: 847 { 848 char algstr[10]; 849 BIO_snprintf(algstr, 10, "%lx", dtype); 850 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_UNSUPPORTED_ALGORITHM_NID); 851 ERR_add_error_data(2, "NID=0x", algstr); 852 return -1; 853 } 854 } 855 856/* Create the hash object */ 857 if (!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash)) { 858 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT); 859 capi_addlasterror(); 860 return -1; 861 } 862/* Set the hash value to the value passed */ 863 864 if (!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0)) { 865 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_SET_HASH_VALUE); 866 capi_addlasterror(); 867 goto err; 868 } 869 870/* Finally sign it */ 871 slen = RSA_size(rsa); 872 if (!CryptSignHash(hash, capi_key->keyspec, NULL, 0, sigret, &slen)) { 873 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_ERROR_SIGNING_HASH); 874 capi_addlasterror(); 875 goto err; 876 } else { 877 ret = 1; 878 /* Inplace byte reversal of signature */ 879 for (i = 0; i < slen / 2; i++) { 880 unsigned char c; 881 c = sigret[i]; 882 sigret[i] = sigret[slen - i - 1]; 883 sigret[slen - i - 1] = c; 884 } 885 *siglen = slen; 886 } 887 888 /* Now cleanup */ 889 890 err: 891 CryptDestroyHash(hash); 892 893 return ret; 894} 895 896int capi_rsa_priv_dec(int flen, const unsigned char *from, 897 unsigned char *to, RSA *rsa, int padding) 898{ 899 int i; 900 unsigned char *tmpbuf; 901 CAPI_KEY *capi_key; 902 CAPI_CTX *ctx; 903 DWORD flags = 0; 904 905 ctx = ENGINE_get_ex_data(rsa->engine, capi_idx); 906 907 CAPI_trace(ctx, "Called capi_rsa_priv_dec()\n"); 908 909 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); 910 if (!capi_key) { 911 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_CANT_GET_KEY); 912 return -1; 913 } 914 915 switch (padding) { 916 case RSA_PKCS1_PADDING: 917 /* Nothing to do */ 918 break; 919#ifdef CRYPT_DECRYPT_RSA_NO_PADDING_CHECK 920 case RSA_NO_PADDING: 921 flags = CRYPT_DECRYPT_RSA_NO_PADDING_CHECK; 922 break; 923#endif 924 default: 925 { 926 char errstr[10]; 927 BIO_snprintf(errstr, 10, "%d", padding); 928 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); 929 ERR_add_error_data(2, "padding=", errstr); 930 return -1; 931 } 932 } 933 934 /* Create temp reverse order version of input */ 935 if (!(tmpbuf = OPENSSL_malloc(flen))) { 936 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, ERR_R_MALLOC_FAILURE); 937 return -1; 938 } 939 for (i = 0; i < flen; i++) 940 tmpbuf[flen - i - 1] = from[i]; 941 942 /* Finally decrypt it */ 943 if (!CryptDecrypt(capi_key->key, 0, TRUE, flags, tmpbuf, &flen)) { 944 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR); 945 capi_addlasterror(); 946 OPENSSL_cleanse(tmpbuf, flen); 947 OPENSSL_free(tmpbuf); 948 return -1; 949 } else { 950 memcpy(to, tmpbuf, flen); 951 } 952 953 OPENSSL_cleanse(tmpbuf, flen); 954 OPENSSL_free(tmpbuf); 955 956 return flen; 957} 958 959static int capi_rsa_free(RSA *rsa) 960{ 961 CAPI_KEY *capi_key; 962 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); 963 capi_free_key(capi_key); 964 RSA_set_ex_data(rsa, rsa_capi_idx, 0); 965 return 1; 966} 967 968/* CryptoAPI DSA operations */ 969 970static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen, 971 DSA *dsa) 972{ 973 HCRYPTHASH hash; 974 DWORD slen; 975 DSA_SIG *ret = NULL; 976 CAPI_KEY *capi_key; 977 CAPI_CTX *ctx; 978 unsigned char csigbuf[40]; 979 980 ctx = ENGINE_get_ex_data(dsa->engine, capi_idx); 981 982 CAPI_trace(ctx, "Called CAPI_dsa_do_sign()\n"); 983 984 capi_key = DSA_get_ex_data(dsa, dsa_capi_idx); 985 986 if (!capi_key) { 987 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_GET_KEY); 988 return NULL; 989 } 990 991 if (dlen != 20) { 992 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_INVALID_DIGEST_LENGTH); 993 return NULL; 994 } 995 996 /* Create the hash object */ 997 if (!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash)) { 998 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT); 999 capi_addlasterror(); 1000 return NULL; 1001 } 1002 1003 /* Set the hash value to the value passed */ 1004 if (!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0)) { 1005 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_SET_HASH_VALUE); 1006 capi_addlasterror(); 1007 goto err; 1008 } 1009 1010 /* Finally sign it */ 1011 slen = sizeof(csigbuf); 1012 if (!CryptSignHash(hash, capi_key->keyspec, NULL, 0, csigbuf, &slen)) { 1013 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_ERROR_SIGNING_HASH); 1014 capi_addlasterror(); 1015 goto err; 1016 } else { 1017 ret = DSA_SIG_new(); 1018 if (!ret) 1019 goto err; 1020 ret->r = BN_new(); 1021 ret->s = BN_new(); 1022 if (!ret->r || !ret->s) 1023 goto err; 1024 if (!lend_tobn(ret->r, csigbuf, 20) 1025 || !lend_tobn(ret->s, csigbuf + 20, 20)) { 1026 DSA_SIG_free(ret); 1027 ret = NULL; 1028 goto err; 1029 } 1030 } 1031 1032 /* Now cleanup */ 1033 1034 err: 1035 OPENSSL_cleanse(csigbuf, 40); 1036 CryptDestroyHash(hash); 1037 return ret; 1038} 1039 1040static int capi_dsa_free(DSA *dsa) 1041{ 1042 CAPI_KEY *capi_key; 1043 capi_key = DSA_get_ex_data(dsa, dsa_capi_idx); 1044 capi_free_key(capi_key); 1045 DSA_set_ex_data(dsa, dsa_capi_idx, 0); 1046 return 1; 1047} 1048 1049static void capi_vtrace(CAPI_CTX * ctx, int level, char *format, 1050 va_list argptr) 1051{ 1052 BIO *out; 1053 1054 if (!ctx || (ctx->debug_level < level) || (!ctx->debug_file)) 1055 return; 1056 out = BIO_new_file(ctx->debug_file, "a+"); 1057 BIO_vprintf(out, format, argptr); 1058 BIO_free(out); 1059} 1060 1061static void CAPI_trace(CAPI_CTX * ctx, char *format, ...) 1062{ 1063 va_list args; 1064 va_start(args, format); 1065 capi_vtrace(ctx, CAPI_DBG_TRACE, format, args); 1066 va_end(args); 1067} 1068 1069static void capi_addlasterror(void) 1070{ 1071 capi_adderror(GetLastError()); 1072} 1073 1074static void capi_adderror(DWORD err) 1075{ 1076 char errstr[10]; 1077 BIO_snprintf(errstr, 10, "%lX", err); 1078 ERR_add_error_data(2, "Error code= 0x", errstr); 1079} 1080 1081static char *wide_to_asc(LPCWSTR wstr) 1082{ 1083 char *str; 1084 int len_0, sz; 1085 1086 if (!wstr) 1087 return NULL; 1088 len_0 = (int)wcslen(wstr) + 1; /* WideCharToMultiByte expects int */ 1089 sz = WideCharToMultiByte(CP_ACP, 0, wstr, len_0, NULL, 0, NULL, NULL); 1090 if (!sz) { 1091 CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); 1092 return NULL; 1093 } 1094 str = OPENSSL_malloc(sz); 1095 if (!str) { 1096 CAPIerr(CAPI_F_WIDE_TO_ASC, ERR_R_MALLOC_FAILURE); 1097 return NULL; 1098 } 1099 if (!WideCharToMultiByte(CP_ACP, 0, wstr, len_0, str, sz, NULL, NULL)) { 1100 OPENSSL_free(str); 1101 CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); 1102 return NULL; 1103 } 1104 return str; 1105} 1106 1107static int capi_get_provname(CAPI_CTX * ctx, LPSTR * pname, DWORD * ptype, 1108 DWORD idx) 1109{ 1110 DWORD len, err; 1111 LPTSTR name; 1112 CAPI_trace(ctx, "capi_get_provname, index=%d\n", idx); 1113 if (!CryptEnumProviders(idx, NULL, 0, ptype, NULL, &len)) { 1114 err = GetLastError(); 1115 if (err == ERROR_NO_MORE_ITEMS) 1116 return 2; 1117 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR); 1118 capi_adderror(err); 1119 return 0; 1120 } 1121 if (sizeof(TCHAR) != sizeof(char)) 1122 name = alloca(len); 1123 else 1124 name = OPENSSL_malloc(len); 1125 if (name == NULL) { 1126 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, ERR_R_MALLOC_FAILURE); 1127 return 0; 1128 } 1129 if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) { 1130 err = GetLastError(); 1131 if (err == ERROR_NO_MORE_ITEMS) 1132 return 2; 1133 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR); 1134 capi_adderror(err); 1135 return 0; 1136 } 1137 if (sizeof(TCHAR) != sizeof(char)) 1138 *pname = wide_to_asc((WCHAR *)name); 1139 else 1140 *pname = (char *)name; 1141 CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", *pname, 1142 *ptype); 1143 1144 return 1; 1145} 1146 1147static int capi_list_providers(CAPI_CTX * ctx, BIO *out) 1148{ 1149 DWORD idx, ptype; 1150 int ret; 1151 LPSTR provname = NULL; 1152 CAPI_trace(ctx, "capi_list_providers\n"); 1153 BIO_printf(out, "Available CSPs:\n"); 1154 for (idx = 0;; idx++) { 1155 ret = capi_get_provname(ctx, &provname, &ptype, idx); 1156 if (ret == 2) 1157 break; 1158 if (ret == 0) 1159 break; 1160 BIO_printf(out, "%d. %s, type %d\n", idx, provname, ptype); 1161 OPENSSL_free(provname); 1162 } 1163 return 1; 1164} 1165 1166static int capi_list_containers(CAPI_CTX * ctx, BIO *out) 1167{ 1168 int ret = 1; 1169 HCRYPTPROV hprov; 1170 DWORD err, idx, flags, buflen = 0, clen; 1171 LPSTR cname; 1172 LPTSTR cspname = NULL; 1173 1174 CAPI_trace(ctx, "Listing containers CSP=%s, type = %d\n", ctx->cspname, 1175 ctx->csptype); 1176 if (ctx->cspname && sizeof(TCHAR) != sizeof(char)) { 1177 if ((clen = 1178 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, NULL, 0))) { 1179 cspname = alloca(clen * sizeof(WCHAR)); 1180 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, (WCHAR *)cspname, 1181 clen); 1182 } 1183 if (!cspname) { 1184 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE); 1185 capi_addlasterror(); 1186 return 0; 1187 } 1188 } else 1189 cspname = (TCHAR *)ctx->cspname; 1190 if (!CryptAcquireContext 1191 (&hprov, NULL, cspname, ctx->csptype, CRYPT_VERIFYCONTEXT)) { 1192 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, 1193 CAPI_R_CRYPTACQUIRECONTEXT_ERROR); 1194 capi_addlasterror(); 1195 return 0; 1196 } 1197 if (!CryptGetProvParam 1198 (hprov, PP_ENUMCONTAINERS, NULL, &buflen, CRYPT_FIRST)) { 1199 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR); 1200 capi_addlasterror(); 1201 CryptReleaseContext(hprov, 0); 1202 return 0; 1203 } 1204 CAPI_trace(ctx, "Got max container len %d\n", buflen); 1205 if (buflen == 0) 1206 buflen = 1024; 1207 cname = OPENSSL_malloc(buflen); 1208 if (!cname) { 1209 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE); 1210 goto err; 1211 } 1212 1213 for (idx = 0;; idx++) { 1214 clen = buflen; 1215 cname[0] = 0; 1216 1217 if (idx == 0) 1218 flags = CRYPT_FIRST; 1219 else 1220 flags = 0; 1221 if (!CryptGetProvParam 1222 (hprov, PP_ENUMCONTAINERS, (BYTE *) cname, &clen, flags)) { 1223 err = GetLastError(); 1224 if (err == ERROR_NO_MORE_ITEMS) 1225 goto done; 1226 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR); 1227 capi_adderror(err); 1228 goto err; 1229 } 1230 CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", 1231 cname, clen, idx, flags); 1232 if (!cname[0] && (clen == buflen)) { 1233 CAPI_trace(ctx, "Enumerate bug: using workaround\n"); 1234 goto done; 1235 } 1236 BIO_printf(out, "%d. %s\n", idx, cname); 1237 } 1238 err: 1239 1240 ret = 0; 1241 1242 done: 1243 if (cname) 1244 OPENSSL_free(cname); 1245 CryptReleaseContext(hprov, 0); 1246 1247 return ret; 1248} 1249 1250CRYPT_KEY_PROV_INFO *capi_get_prov_info(CAPI_CTX * ctx, PCCERT_CONTEXT cert) 1251{ 1252 DWORD len; 1253 CRYPT_KEY_PROV_INFO *pinfo; 1254 1255 if (!CertGetCertificateContextProperty 1256 (cert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &len)) 1257 return NULL; 1258 pinfo = OPENSSL_malloc(len); 1259 if (!pinfo) { 1260 CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, ERR_R_MALLOC_FAILURE); 1261 return NULL; 1262 } 1263 if (!CertGetCertificateContextProperty 1264 (cert, CERT_KEY_PROV_INFO_PROP_ID, pinfo, &len)) { 1265 CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, 1266 CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO); 1267 capi_addlasterror(); 1268 OPENSSL_free(pinfo); 1269 return NULL; 1270 } 1271 return pinfo; 1272} 1273 1274static void capi_dump_prov_info(CAPI_CTX * ctx, BIO *out, 1275 CRYPT_KEY_PROV_INFO * pinfo) 1276{ 1277 char *provname = NULL, *contname = NULL; 1278 if (!pinfo) { 1279 BIO_printf(out, " No Private Key\n"); 1280 return; 1281 } 1282 provname = wide_to_asc(pinfo->pwszProvName); 1283 contname = wide_to_asc(pinfo->pwszContainerName); 1284 if (!provname || !contname) 1285 goto err; 1286 1287 BIO_printf(out, " Private Key Info:\n"); 1288 BIO_printf(out, " Provider Name: %s, Provider Type %d\n", provname, 1289 pinfo->dwProvType); 1290 BIO_printf(out, " Container Name: %s, Key Type %d\n", contname, 1291 pinfo->dwKeySpec); 1292 err: 1293 if (provname) 1294 OPENSSL_free(provname); 1295 if (contname) 1296 OPENSSL_free(contname); 1297} 1298 1299char *capi_cert_get_fname(CAPI_CTX * ctx, PCCERT_CONTEXT cert) 1300{ 1301 LPWSTR wfname; 1302 DWORD dlen; 1303 1304 CAPI_trace(ctx, "capi_cert_get_fname\n"); 1305 if (!CertGetCertificateContextProperty 1306 (cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen)) 1307 return NULL; 1308 wfname = OPENSSL_malloc(dlen); 1309 if (wfname == NULL) { 1310 CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, ERR_R_MALLOC_FAILURE); 1311 return NULL; 1312 } 1313 if (CertGetCertificateContextProperty 1314 (cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen)) { 1315 char *fname = wide_to_asc(wfname); 1316 OPENSSL_free(wfname); 1317 return fname; 1318 } 1319 CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, CAPI_R_ERROR_GETTING_FRIENDLY_NAME); 1320 capi_addlasterror(); 1321 1322 OPENSSL_free(wfname); 1323 return NULL; 1324} 1325 1326void capi_dump_cert(CAPI_CTX * ctx, BIO *out, PCCERT_CONTEXT cert) 1327{ 1328 X509 *x; 1329 unsigned char *p; 1330 unsigned long flags = ctx->dump_flags; 1331 if (flags & CAPI_DMP_FNAME) { 1332 char *fname; 1333 fname = capi_cert_get_fname(ctx, cert); 1334 if (fname) { 1335 BIO_printf(out, " Friendly Name \"%s\"\n", fname); 1336 OPENSSL_free(fname); 1337 } else 1338 BIO_printf(out, " <No Friendly Name>\n"); 1339 } 1340 1341 p = cert->pbCertEncoded; 1342 x = d2i_X509(NULL, &p, cert->cbCertEncoded); 1343 if (!x) 1344 BIO_printf(out, " <Can't parse certificate>\n"); 1345 if (flags & CAPI_DMP_SUMMARY) { 1346 BIO_printf(out, " Subject: "); 1347 X509_NAME_print_ex(out, X509_get_subject_name(x), 0, XN_FLAG_ONELINE); 1348 BIO_printf(out, "\n Issuer: "); 1349 X509_NAME_print_ex(out, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE); 1350 BIO_printf(out, "\n"); 1351 } 1352 if (flags & CAPI_DMP_FULL) 1353 X509_print_ex(out, x, XN_FLAG_ONELINE, 0); 1354 1355 if (flags & CAPI_DMP_PKEYINFO) { 1356 CRYPT_KEY_PROV_INFO *pinfo; 1357 pinfo = capi_get_prov_info(ctx, cert); 1358 capi_dump_prov_info(ctx, out, pinfo); 1359 if (pinfo) 1360 OPENSSL_free(pinfo); 1361 } 1362 1363 if (flags & CAPI_DMP_PEM) 1364 PEM_write_bio_X509(out, x); 1365 X509_free(x); 1366} 1367 1368HCERTSTORE capi_open_store(CAPI_CTX * ctx, char *storename) 1369{ 1370 HCERTSTORE hstore; 1371 1372 if (!storename) 1373 storename = ctx->storename; 1374 if (!storename) 1375 storename = "MY"; 1376 CAPI_trace(ctx, "Opening certificate store %s\n", storename); 1377 1378 hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, 1379 ctx->store_flags, storename); 1380 if (!hstore) { 1381 CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE); 1382 capi_addlasterror(); 1383 } 1384 return hstore; 1385} 1386 1387int capi_list_certs(CAPI_CTX * ctx, BIO *out, char *id) 1388{ 1389 char *storename; 1390 int idx; 1391 int ret = 1; 1392 HCERTSTORE hstore; 1393 PCCERT_CONTEXT cert = NULL; 1394 1395 storename = ctx->storename; 1396 if (!storename) 1397 storename = "MY"; 1398 CAPI_trace(ctx, "Listing certs for store %s\n", storename); 1399 1400 hstore = capi_open_store(ctx, storename); 1401 if (!hstore) 1402 return 0; 1403 if (id) { 1404 cert = capi_find_cert(ctx, id, hstore); 1405 if (!cert) { 1406 ret = 0; 1407 goto err; 1408 } 1409 capi_dump_cert(ctx, out, cert); 1410 CertFreeCertificateContext(cert); 1411 } else { 1412 for (idx = 0;; idx++) { 1413 cert = CertEnumCertificatesInStore(hstore, cert); 1414 if (!cert) 1415 break; 1416 BIO_printf(out, "Certificate %d\n", idx); 1417 capi_dump_cert(ctx, out, cert); 1418 } 1419 } 1420 err: 1421 CertCloseStore(hstore, 0); 1422 return ret; 1423} 1424 1425static PCCERT_CONTEXT capi_find_cert(CAPI_CTX * ctx, const char *id, 1426 HCERTSTORE hstore) 1427{ 1428 PCCERT_CONTEXT cert = NULL; 1429 char *fname = NULL; 1430 int match; 1431 switch (ctx->lookup_method) { 1432 case CAPI_LU_SUBSTR: 1433 return CertFindCertificateInStore(hstore, 1434 X509_ASN_ENCODING, 0, 1435 CERT_FIND_SUBJECT_STR_A, id, NULL); 1436 case CAPI_LU_FNAME: 1437 for (;;) { 1438 cert = CertEnumCertificatesInStore(hstore, cert); 1439 if (!cert) 1440 return NULL; 1441 fname = capi_cert_get_fname(ctx, cert); 1442 if (fname) { 1443 if (strcmp(fname, id)) 1444 match = 0; 1445 else 1446 match = 1; 1447 OPENSSL_free(fname); 1448 if (match) 1449 return cert; 1450 } 1451 } 1452 default: 1453 return NULL; 1454 } 1455} 1456 1457static CAPI_KEY *capi_get_key(CAPI_CTX * ctx, const TCHAR *contname, 1458 TCHAR *provname, DWORD ptype, DWORD keyspec) 1459{ 1460 CAPI_KEY *key; 1461 DWORD dwFlags = 0; 1462 key = OPENSSL_malloc(sizeof(CAPI_KEY)); 1463 if (key == NULL) { 1464 CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE); 1465 capi_addlasterror(); 1466 goto err; 1467 } 1468 if (sizeof(TCHAR) == sizeof(char)) 1469 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 1470 contname, provname, ptype); 1471 else if (ctx && ctx->debug_level >= CAPI_DBG_TRACE && ctx->debug_file) { 1472 /* above 'if' is optimization to minimize malloc-ations */ 1473 char *_contname = wide_to_asc((WCHAR *)contname); 1474 char *_provname = wide_to_asc((WCHAR *)provname); 1475 1476 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 1477 _contname, _provname, ptype); 1478 if (_provname) 1479 OPENSSL_free(_provname); 1480 if (_contname) 1481 OPENSSL_free(_contname); 1482 } 1483 if (ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE) 1484 dwFlags = CRYPT_MACHINE_KEYSET; 1485 if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, dwFlags)) { 1486 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); 1487 capi_addlasterror(); 1488 goto err; 1489 } 1490 if (!CryptGetUserKey(key->hprov, keyspec, &key->key)) { 1491 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_GETUSERKEY_ERROR); 1492 capi_addlasterror(); 1493 CryptReleaseContext(key->hprov, 0); 1494 goto err; 1495 } 1496 key->keyspec = keyspec; 1497 key->pcert = NULL; 1498 return key; 1499 1500 err: 1501 OPENSSL_free(key); 1502 return NULL; 1503} 1504 1505static CAPI_KEY *capi_get_cert_key(CAPI_CTX * ctx, PCCERT_CONTEXT cert) 1506{ 1507 CAPI_KEY *key = NULL; 1508 CRYPT_KEY_PROV_INFO *pinfo = NULL; 1509 char *provname = NULL, *contname = NULL; 1510 pinfo = capi_get_prov_info(ctx, cert); 1511 if (!pinfo) 1512 goto err; 1513 if (sizeof(TCHAR) != sizeof(char)) 1514 key = capi_get_key(ctx, (TCHAR *)pinfo->pwszContainerName, 1515 (TCHAR *)pinfo->pwszProvName, 1516 pinfo->dwProvType, pinfo->dwKeySpec); 1517 else { 1518 provname = wide_to_asc(pinfo->pwszProvName); 1519 contname = wide_to_asc(pinfo->pwszContainerName); 1520 if (!provname || !contname) 1521 goto err; 1522 key = capi_get_key(ctx, (TCHAR *)contname, (TCHAR *)provname, 1523 pinfo->dwProvType, pinfo->dwKeySpec); 1524 } 1525 1526 err: 1527 if (pinfo) 1528 OPENSSL_free(pinfo); 1529 if (provname) 1530 OPENSSL_free(provname); 1531 if (contname) 1532 OPENSSL_free(contname); 1533 return key; 1534} 1535 1536CAPI_KEY *capi_find_key(CAPI_CTX * ctx, const char *id) 1537{ 1538 PCCERT_CONTEXT cert; 1539 HCERTSTORE hstore; 1540 CAPI_KEY *key = NULL; 1541 switch (ctx->lookup_method) { 1542 case CAPI_LU_SUBSTR: 1543 case CAPI_LU_FNAME: 1544 hstore = capi_open_store(ctx, NULL); 1545 if (!hstore) 1546 return NULL; 1547 cert = capi_find_cert(ctx, id, hstore); 1548 if (cert) { 1549 key = capi_get_cert_key(ctx, cert); 1550 CertFreeCertificateContext(cert); 1551 } 1552 CertCloseStore(hstore, 0); 1553 break; 1554 1555 case CAPI_LU_CONTNAME: 1556 if (sizeof(TCHAR) != sizeof(char)) { 1557 WCHAR *contname, *provname; 1558 DWORD len; 1559 1560 if ((len = MultiByteToWideChar(CP_ACP, 0, id, -1, NULL, 0)) && 1561 (contname = alloca(len * sizeof(WCHAR)), 1562 MultiByteToWideChar(CP_ACP, 0, id, -1, contname, len)) && 1563 (len = 1564 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, NULL, 0)) 1565 && (provname = 1566 alloca(len * sizeof(WCHAR)), MultiByteToWideChar(CP_ACP, 1567 0, 1568 ctx->cspname, 1569 -1, 1570 provname, 1571 len))) 1572 key = 1573 capi_get_key(ctx, (TCHAR *)contname, (TCHAR *)provname, 1574 ctx->csptype, ctx->keytype); 1575 } else 1576 key = capi_get_key(ctx, (TCHAR *)id, 1577 (TCHAR *)ctx->cspname, 1578 ctx->csptype, ctx->keytype); 1579 break; 1580 } 1581 1582 return key; 1583} 1584 1585void capi_free_key(CAPI_KEY * key) 1586{ 1587 if (!key) 1588 return; 1589 CryptDestroyKey(key->key); 1590 CryptReleaseContext(key->hprov, 0); 1591 if (key->pcert) 1592 CertFreeCertificateContext(key->pcert); 1593 OPENSSL_free(key); 1594} 1595 1596/* Initialize a CAPI_CTX structure */ 1597 1598static CAPI_CTX *capi_ctx_new() 1599{ 1600 CAPI_CTX *ctx; 1601 ctx = OPENSSL_malloc(sizeof(CAPI_CTX)); 1602 if (!ctx) { 1603 CAPIerr(CAPI_F_CAPI_CTX_NEW, ERR_R_MALLOC_FAILURE); 1604 return NULL; 1605 } 1606 ctx->cspname = NULL; 1607 ctx->csptype = PROV_RSA_FULL; 1608 ctx->dump_flags = CAPI_DMP_SUMMARY | CAPI_DMP_FNAME; 1609 ctx->keytype = AT_KEYEXCHANGE; 1610 ctx->storename = NULL; 1611 ctx->ssl_client_store = NULL; 1612 ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG | 1613 CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER; 1614 ctx->lookup_method = CAPI_LU_SUBSTR; 1615 ctx->debug_level = 0; 1616 ctx->debug_file = NULL; 1617 ctx->client_cert_select = cert_select_simple; 1618 return ctx; 1619} 1620 1621static void capi_ctx_free(CAPI_CTX * ctx) 1622{ 1623 CAPI_trace(ctx, "Calling capi_ctx_free with %lx\n", ctx); 1624 if (!ctx) 1625 return; 1626 if (ctx->cspname) 1627 OPENSSL_free(ctx->cspname); 1628 if (ctx->debug_file) 1629 OPENSSL_free(ctx->debug_file); 1630 if (ctx->storename) 1631 OPENSSL_free(ctx->storename); 1632 if (ctx->ssl_client_store) 1633 OPENSSL_free(ctx->ssl_client_store); 1634 OPENSSL_free(ctx); 1635} 1636 1637static int capi_ctx_set_provname(CAPI_CTX * ctx, LPSTR pname, DWORD type, 1638 int check) 1639{ 1640 CAPI_trace(ctx, "capi_ctx_set_provname, name=%s, type=%d\n", pname, type); 1641 if (check) { 1642 HCRYPTPROV hprov; 1643 LPTSTR name = NULL; 1644 1645 if (sizeof(TCHAR) != sizeof(char)) { 1646 DWORD len; 1647 if ((len = MultiByteToWideChar(CP_ACP, 0, pname, -1, NULL, 0))) { 1648 name = alloca(len * sizeof(WCHAR)); 1649 MultiByteToWideChar(CP_ACP, 0, pname, -1, (WCHAR *)name, len); 1650 } 1651 } else 1652 name = (TCHAR *)pname; 1653 1654 if (!name || !CryptAcquireContext(&hprov, NULL, name, type, 1655 CRYPT_VERIFYCONTEXT)) { 1656 CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, 1657 CAPI_R_CRYPTACQUIRECONTEXT_ERROR); 1658 capi_addlasterror(); 1659 return 0; 1660 } 1661 CryptReleaseContext(hprov, 0); 1662 } 1663 if (ctx->cspname) 1664 OPENSSL_free(ctx->cspname); 1665 ctx->cspname = BUF_strdup(pname); 1666 ctx->csptype = type; 1667 return 1; 1668} 1669 1670static int capi_ctx_set_provname_idx(CAPI_CTX * ctx, int idx) 1671{ 1672 LPSTR pname; 1673 DWORD type; 1674 int res; 1675 if (capi_get_provname(ctx, &pname, &type, idx) != 1) 1676 return 0; 1677 res = capi_ctx_set_provname(ctx, pname, type, 0); 1678 OPENSSL_free(pname); 1679 return res; 1680} 1681 1682static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x) 1683{ 1684 int i; 1685 X509_NAME *nm; 1686 /* Special case: empty list: match anything */ 1687 if (sk_X509_NAME_num(ca_dn) <= 0) 1688 return 1; 1689 for (i = 0; i < sk_X509_NAME_num(ca_dn); i++) { 1690 nm = sk_X509_NAME_value(ca_dn, i); 1691 if (!X509_NAME_cmp(nm, X509_get_issuer_name(x))) 1692 return 1; 1693 } 1694 return 0; 1695} 1696 1697static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, 1698 STACK_OF(X509_NAME) *ca_dn, X509 **pcert, 1699 EVP_PKEY **pkey, STACK_OF(X509) **pother, 1700 UI_METHOD *ui_method, 1701 void *callback_data) 1702{ 1703 STACK_OF(X509) *certs = NULL; 1704 X509 *x; 1705 char *storename; 1706 const char *p; 1707 int i, client_cert_idx; 1708 HCERTSTORE hstore; 1709 PCCERT_CONTEXT cert = NULL, excert = NULL; 1710 CAPI_CTX *ctx; 1711 CAPI_KEY *key; 1712 ctx = ENGINE_get_ex_data(e, capi_idx); 1713 1714 *pcert = NULL; 1715 *pkey = NULL; 1716 1717 storename = ctx->ssl_client_store; 1718 if (!storename) 1719 storename = "MY"; 1720 1721 hstore = capi_open_store(ctx, storename); 1722 if (!hstore) 1723 return 0; 1724 /* Enumerate all certificates collect any matches */ 1725 for (i = 0;; i++) { 1726 cert = CertEnumCertificatesInStore(hstore, cert); 1727 if (!cert) 1728 break; 1729 p = cert->pbCertEncoded; 1730 x = d2i_X509(NULL, &p, cert->cbCertEncoded); 1731 if (!x) { 1732 CAPI_trace(ctx, "Can't Parse Certificate %d\n", i); 1733 continue; 1734 } 1735 if (cert_issuer_match(ca_dn, x) 1736 && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0)) { 1737 key = capi_get_cert_key(ctx, cert); 1738 if (!key) { 1739 X509_free(x); 1740 continue; 1741 } 1742 /* 1743 * Match found: attach extra data to it so we can retrieve the 1744 * key later. 1745 */ 1746 excert = CertDuplicateCertificateContext(cert); 1747 key->pcert = excert; 1748 X509_set_ex_data(x, cert_capi_idx, key); 1749 1750 if (!certs) 1751 certs = sk_X509_new_null(); 1752 1753 sk_X509_push(certs, x); 1754 } else 1755 X509_free(x); 1756 1757 } 1758 1759 if (cert) 1760 CertFreeCertificateContext(cert); 1761 if (hstore) 1762 CertCloseStore(hstore, 0); 1763 1764 if (!certs) 1765 return 0; 1766 1767 /* Select the appropriate certificate */ 1768 1769 client_cert_idx = ctx->client_cert_select(e, ssl, certs); 1770 1771 /* Set the selected certificate and free the rest */ 1772 1773 for (i = 0; i < sk_X509_num(certs); i++) { 1774 x = sk_X509_value(certs, i); 1775 if (i == client_cert_idx) 1776 *pcert = x; 1777 else { 1778 key = X509_get_ex_data(x, cert_capi_idx); 1779 capi_free_key(key); 1780 X509_free(x); 1781 } 1782 } 1783 1784 sk_X509_free(certs); 1785 1786 if (!*pcert) 1787 return 0; 1788 1789 /* Setup key for selected certificate */ 1790 1791 key = X509_get_ex_data(*pcert, cert_capi_idx); 1792 *pkey = capi_get_pkey(e, key); 1793 X509_set_ex_data(*pcert, cert_capi_idx, NULL); 1794 1795 return 1; 1796 1797} 1798 1799/* Simple client cert selection function: always select first */ 1800 1801static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) 1802{ 1803 return 0; 1804} 1805 1806# ifdef OPENSSL_CAPIENG_DIALOG 1807 1808/* 1809 * More complex cert selection function, using standard function 1810 * CryptUIDlgSelectCertificateFromStore() to produce a dialog box. 1811 */ 1812 1813/* 1814 * Definitions which are in cryptuiapi.h but this is not present in older 1815 * versions of headers. 1816 */ 1817 1818# ifndef CRYPTUI_SELECT_LOCATION_COLUMN 1819# define CRYPTUI_SELECT_LOCATION_COLUMN 0x000000010 1820# define CRYPTUI_SELECT_INTENDEDUSE_COLUMN 0x000000004 1821# endif 1822 1823# define dlg_title L"OpenSSL Application SSL Client Certificate Selection" 1824# define dlg_prompt L"Select a certificate to use for authentication" 1825# define dlg_columns CRYPTUI_SELECT_LOCATION_COLUMN \ 1826 |CRYPTUI_SELECT_INTENDEDUSE_COLUMN 1827 1828static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) 1829{ 1830 X509 *x; 1831 HCERTSTORE dstore; 1832 PCCERT_CONTEXT cert; 1833 CAPI_CTX *ctx; 1834 CAPI_KEY *key; 1835 HWND hwnd; 1836 int i, idx = -1; 1837 if (sk_X509_num(certs) == 1) 1838 return 0; 1839 ctx = ENGINE_get_ex_data(e, capi_idx); 1840 /* Create an in memory store of certificates */ 1841 dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 1842 CERT_STORE_CREATE_NEW_FLAG, NULL); 1843 if (!dstore) { 1844 CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE); 1845 capi_addlasterror(); 1846 goto err; 1847 } 1848 /* Add all certificates to store */ 1849 for (i = 0; i < sk_X509_num(certs); i++) { 1850 x = sk_X509_value(certs, i); 1851 key = X509_get_ex_data(x, cert_capi_idx); 1852 1853 if (!CertAddCertificateContextToStore(dstore, key->pcert, 1854 CERT_STORE_ADD_NEW, NULL)) { 1855 CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT); 1856 capi_addlasterror(); 1857 goto err; 1858 } 1859 1860 } 1861 hwnd = GetForegroundWindow(); 1862 if (!hwnd) 1863 hwnd = GetActiveWindow(); 1864 if (!hwnd && ctx->getconswindow) 1865 hwnd = ctx->getconswindow(); 1866 /* Call dialog to select one */ 1867 cert = ctx->certselectdlg(dstore, hwnd, dlg_title, dlg_prompt, 1868 dlg_columns, 0, NULL); 1869 1870 /* Find matching cert from list */ 1871 if (cert) { 1872 for (i = 0; i < sk_X509_num(certs); i++) { 1873 x = sk_X509_value(certs, i); 1874 key = X509_get_ex_data(x, cert_capi_idx); 1875 if (CertCompareCertificate 1876 (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, 1877 key->pcert->pCertInfo)) { 1878 idx = i; 1879 break; 1880 } 1881 } 1882 } 1883 1884 err: 1885 if (dstore) 1886 CertCloseStore(dstore, 0); 1887 return idx; 1888 1889} 1890# endif 1891 1892#else /* !__COMPILE_CAPIENG */ 1893# include <openssl/engine.h> 1894# ifndef OPENSSL_NO_DYNAMIC_ENGINE 1895OPENSSL_EXPORT 1896 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); 1897OPENSSL_EXPORT 1898 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) 1899{ 1900 return 0; 1901} 1902 1903IMPLEMENT_DYNAMIC_CHECK_FN() 1904# else 1905void ENGINE_load_capi(void) 1906{ 1907} 1908# endif 1909#endif 1910