1 /* engines/e_capi.c */ 2 /* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 4 * project. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 2008 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 */ 54 55 #include <stdio.h> 56 #include <string.h> 57 #include <stdlib.h> 58 59 #include <openssl/crypto.h> 60 61 #ifdef OPENSSL_SYS_WIN32 62 # ifndef OPENSSL_NO_CAPIENG 63 64 # include <openssl/buffer.h> 65 # include <openssl/bn.h> 66 # include <openssl/rsa.h> 67 68 # ifndef _WIN32_WINNT 69 # define _WIN32_WINNT 0x0400 70 # endif 71 72 # include <windows.h> 73 # include <wincrypt.h> 74 # include <malloc.h> 75 # ifndef alloca 76 # define alloca _alloca 77 # endif 78 79 /* 80 * This module uses several "new" interfaces, among which is 81 * CertGetCertificateContextProperty. CERT_KEY_PROV_INFO_PROP_ID is 82 * one of possible values you can pass to function in question. By 83 * checking if it's defined we can see if wincrypt.h and accompanying 84 * crypt32.lib are in shape. The native MingW32 headers up to and 85 * including __W32API_VERSION 3.14 lack of struct DSSPUBKEY and the 86 * defines CERT_STORE_PROV_SYSTEM_A and CERT_STORE_READONLY_FLAG, 87 * so we check for these too and avoid compiling. 88 * Yes, it's rather "weak" test and if compilation fails, 89 * then re-configure with -DOPENSSL_NO_CAPIENG. 90 */ 91 # if defined(CERT_KEY_PROV_INFO_PROP_ID) && \ 92 defined(CERT_STORE_PROV_SYSTEM_A) && \ 93 defined(CERT_STORE_READONLY_FLAG) 94 # define __COMPILE_CAPIENG 95 # endif /* CERT_KEY_PROV_INFO_PROP_ID */ 96 # endif /* OPENSSL_NO_CAPIENG */ 97 #endif /* OPENSSL_SYS_WIN32 */ 98 99 #ifdef __COMPILE_CAPIENG 100 101 # undef X509_EXTENSIONS 102 # undef X509_CERT_PAIR 103 104 /* Definitions which may be missing from earlier version of headers */ 105 # ifndef CERT_STORE_OPEN_EXISTING_FLAG 106 # define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000 107 # endif 108 109 # ifndef CERT_STORE_CREATE_NEW_FLAG 110 # define CERT_STORE_CREATE_NEW_FLAG 0x00002000 111 # endif 112 113 # ifndef CERT_SYSTEM_STORE_CURRENT_USER 114 # define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000 115 # endif 116 117 # ifndef ALG_SID_SHA_256 118 # define ALG_SID_SHA_256 12 119 # endif 120 # ifndef ALG_SID_SHA_384 121 # define ALG_SID_SHA_384 13 122 # endif 123 # ifndef ALG_SID_SHA_512 124 # define ALG_SID_SHA_512 14 125 # endif 126 127 # ifndef CALG_SHA_256 128 # define CALG_SHA_256 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256) 129 # endif 130 # ifndef CALG_SHA_384 131 # define CALG_SHA_384 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_384) 132 # endif 133 # ifndef CALG_SHA_512 134 # define CALG_SHA_512 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_512) 135 # endif 136 137 # include <openssl/engine.h> 138 # include <openssl/pem.h> 139 # include <openssl/x509v3.h> 140 141 # include "e_capi_err.h" 142 # include "e_capi_err.c" 143 144 static const char *engine_capi_id = "capi"; 145 static const char *engine_capi_name = "CryptoAPI ENGINE"; 146 147 typedef struct CAPI_CTX_st CAPI_CTX; 148 typedef struct CAPI_KEY_st CAPI_KEY; 149 150 static void capi_addlasterror(void); 151 static void capi_adderror(DWORD err); 152 153 static void CAPI_trace(CAPI_CTX * ctx, char *format, ...); 154 155 static int capi_list_providers(CAPI_CTX * ctx, BIO *out); 156 static int capi_list_containers(CAPI_CTX * ctx, BIO *out); 157 int capi_list_certs(CAPI_CTX * ctx, BIO *out, char *storename); 158 void capi_free_key(CAPI_KEY * key); 159 160 static PCCERT_CONTEXT capi_find_cert(CAPI_CTX * ctx, const char *id, 161 HCERTSTORE hstore); 162 163 CAPI_KEY *capi_find_key(CAPI_CTX * ctx, const char *id); 164 165 static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id, 166 UI_METHOD *ui_method, void *callback_data); 167 static int capi_rsa_sign(int dtype, const unsigned char *m, 168 unsigned int m_len, unsigned char *sigret, 169 unsigned int *siglen, const RSA *rsa); 170 static int capi_rsa_priv_enc(int flen, const unsigned char *from, 171 unsigned char *to, RSA *rsa, int padding); 172 static int capi_rsa_priv_dec(int flen, const unsigned char *from, 173 unsigned char *to, RSA *rsa, int padding); 174 static int capi_rsa_free(RSA *rsa); 175 176 static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen, 177 DSA *dsa); 178 static int capi_dsa_free(DSA *dsa); 179 180 static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, 181 STACK_OF(X509_NAME) *ca_dn, X509 **pcert, 182 EVP_PKEY **pkey, STACK_OF(X509) **pother, 183 UI_METHOD *ui_method, 184 void *callback_data); 185 186 static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); 187 # ifdef OPENSSL_CAPIENG_DIALOG 188 static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); 189 # endif 190 191 typedef PCCERT_CONTEXT(WINAPI *CERTDLG) (HCERTSTORE, HWND, LPCWSTR, 192 LPCWSTR, DWORD, DWORD, void *); 193 typedef HWND(WINAPI *GETCONSWIN) (void); 194 195 /* 196 * This structure contains CAPI ENGINE specific data: it contains various 197 * global options and affects how other functions behave. 198 */ 199 200 # define CAPI_DBG_TRACE 2 201 # define CAPI_DBG_ERROR 1 202 203 struct CAPI_CTX_st { 204 int debug_level; 205 char *debug_file; 206 /* Parameters to use for container lookup */ 207 DWORD keytype; 208 LPSTR cspname; 209 DWORD csptype; 210 /* Certificate store name to use */ 211 LPSTR storename; 212 LPSTR ssl_client_store; 213 /* System store flags */ 214 DWORD store_flags; 215 /* Lookup string meanings in load_private_key */ 216 /* Substring of subject: uses "storename" */ 217 # define CAPI_LU_SUBSTR 1 218 /* Friendly name: uses storename */ 219 # define CAPI_LU_FNAME 2 220 /* Container name: uses cspname, keytype */ 221 # define CAPI_LU_CONTNAME 3 222 int lookup_method; 223 /* Info to dump with dumpcerts option */ 224 /* Issuer and serial name strings */ 225 # define CAPI_DMP_SUMMARY 0x1 226 /* Friendly name */ 227 # define CAPI_DMP_FNAME 0x2 228 /* Full X509_print dump */ 229 # define CAPI_DMP_FULL 0x4 230 /* Dump PEM format certificate */ 231 # define CAPI_DMP_PEM 0x8 232 /* Dump pseudo key (if possible) */ 233 # define CAPI_DMP_PSKEY 0x10 234 /* Dump key info (if possible) */ 235 # define CAPI_DMP_PKEYINFO 0x20 236 DWORD dump_flags; 237 int (*client_cert_select) (ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); 238 CERTDLG certselectdlg; 239 GETCONSWIN getconswindow; 240 }; 241 242 static CAPI_CTX *capi_ctx_new(); 243 static void capi_ctx_free(CAPI_CTX * ctx); 244 static int capi_ctx_set_provname(CAPI_CTX * ctx, LPSTR pname, DWORD type, 245 int check); 246 static int capi_ctx_set_provname_idx(CAPI_CTX * ctx, int idx); 247 248 # define CAPI_CMD_LIST_CERTS ENGINE_CMD_BASE 249 # define CAPI_CMD_LOOKUP_CERT (ENGINE_CMD_BASE + 1) 250 # define CAPI_CMD_DEBUG_LEVEL (ENGINE_CMD_BASE + 2) 251 # define CAPI_CMD_DEBUG_FILE (ENGINE_CMD_BASE + 3) 252 # define CAPI_CMD_KEYTYPE (ENGINE_CMD_BASE + 4) 253 # define CAPI_CMD_LIST_CSPS (ENGINE_CMD_BASE + 5) 254 # define CAPI_CMD_SET_CSP_IDX (ENGINE_CMD_BASE + 6) 255 # define CAPI_CMD_SET_CSP_NAME (ENGINE_CMD_BASE + 7) 256 # define CAPI_CMD_SET_CSP_TYPE (ENGINE_CMD_BASE + 8) 257 # define CAPI_CMD_LIST_CONTAINERS (ENGINE_CMD_BASE + 9) 258 # define CAPI_CMD_LIST_OPTIONS (ENGINE_CMD_BASE + 10) 259 # define CAPI_CMD_LOOKUP_METHOD (ENGINE_CMD_BASE + 11) 260 # define CAPI_CMD_STORE_NAME (ENGINE_CMD_BASE + 12) 261 # define CAPI_CMD_STORE_FLAGS (ENGINE_CMD_BASE + 13) 262 263 static const ENGINE_CMD_DEFN capi_cmd_defns[] = { 264 {CAPI_CMD_LIST_CERTS, 265 "list_certs", 266 "List all certificates in store", 267 ENGINE_CMD_FLAG_NO_INPUT}, 268 {CAPI_CMD_LOOKUP_CERT, 269 "lookup_cert", 270 "Lookup and output certificates", 271 ENGINE_CMD_FLAG_STRING}, 272 {CAPI_CMD_DEBUG_LEVEL, 273 "debug_level", 274 "debug level (1=errors, 2=trace)", 275 ENGINE_CMD_FLAG_NUMERIC}, 276 {CAPI_CMD_DEBUG_FILE, 277 "debug_file", 278 "debugging filename)", 279 ENGINE_CMD_FLAG_STRING}, 280 {CAPI_CMD_KEYTYPE, 281 "key_type", 282 "Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE", 283 ENGINE_CMD_FLAG_NUMERIC}, 284 {CAPI_CMD_LIST_CSPS, 285 "list_csps", 286 "List all CSPs", 287 ENGINE_CMD_FLAG_NO_INPUT}, 288 {CAPI_CMD_SET_CSP_IDX, 289 "csp_idx", 290 "Set CSP by index", 291 ENGINE_CMD_FLAG_NUMERIC}, 292 {CAPI_CMD_SET_CSP_NAME, 293 "csp_name", 294 "Set CSP name, (default CSP used if not specified)", 295 ENGINE_CMD_FLAG_STRING}, 296 {CAPI_CMD_SET_CSP_TYPE, 297 "csp_type", 298 "Set CSP type, (default RSA_PROV_FULL)", 299 ENGINE_CMD_FLAG_NUMERIC}, 300 {CAPI_CMD_LIST_CONTAINERS, 301 "list_containers", 302 "list container names", 303 ENGINE_CMD_FLAG_NO_INPUT}, 304 {CAPI_CMD_LIST_OPTIONS, 305 "list_options", 306 "Set list options (1=summary,2=friendly name, 4=full printout, 8=PEM output, 16=XXX, " 307 "32=private key info)", 308 ENGINE_CMD_FLAG_NUMERIC}, 309 {CAPI_CMD_LOOKUP_METHOD, 310 "lookup_method", 311 "Set key lookup method (1=substring, 2=friendlyname, 3=container name)", 312 ENGINE_CMD_FLAG_NUMERIC}, 313 {CAPI_CMD_STORE_NAME, 314 "store_name", 315 "certificate store name, default \"MY\"", 316 ENGINE_CMD_FLAG_STRING}, 317 {CAPI_CMD_STORE_FLAGS, 318 "store_flags", 319 "Certificate store flags: 1 = system store", 320 ENGINE_CMD_FLAG_NUMERIC}, 321 322 {0, NULL, NULL, 0} 323 }; 324 325 static int capi_idx = -1; 326 static int rsa_capi_idx = -1; 327 static int dsa_capi_idx = -1; 328 static int cert_capi_idx = -1; 329 330 static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) 331 { 332 int ret = 1; 333 CAPI_CTX *ctx; 334 BIO *out; 335 if (capi_idx == -1) { 336 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_ENGINE_NOT_INITIALIZED); 337 return 0; 338 } 339 ctx = ENGINE_get_ex_data(e, capi_idx); 340 out = BIO_new_fp(stdout, BIO_NOCLOSE); 341 switch (cmd) { 342 case CAPI_CMD_LIST_CSPS: 343 ret = capi_list_providers(ctx, out); 344 break; 345 346 case CAPI_CMD_LIST_CERTS: 347 ret = capi_list_certs(ctx, out, NULL); 348 break; 349 350 case CAPI_CMD_LOOKUP_CERT: 351 ret = capi_list_certs(ctx, out, p); 352 break; 353 354 case CAPI_CMD_LIST_CONTAINERS: 355 ret = capi_list_containers(ctx, out); 356 break; 357 358 case CAPI_CMD_STORE_NAME: 359 if (ctx->storename) 360 OPENSSL_free(ctx->storename); 361 ctx->storename = BUF_strdup(p); 362 CAPI_trace(ctx, "Setting store name to %s\n", p); 363 break; 364 365 case CAPI_CMD_STORE_FLAGS: 366 if (i & 1) { 367 ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE; 368 ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER; 369 } else { 370 ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER; 371 ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE; 372 } 373 CAPI_trace(ctx, "Setting flags to %d\n", i); 374 break; 375 376 case CAPI_CMD_DEBUG_LEVEL: 377 ctx->debug_level = (int)i; 378 CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level); 379 break; 380 381 case CAPI_CMD_DEBUG_FILE: 382 ctx->debug_file = BUF_strdup(p); 383 CAPI_trace(ctx, "Setting debug file to %s\n", ctx->debug_file); 384 break; 385 386 case CAPI_CMD_KEYTYPE: 387 ctx->keytype = i; 388 CAPI_trace(ctx, "Setting key type to %d\n", ctx->keytype); 389 break; 390 391 case CAPI_CMD_SET_CSP_IDX: 392 ret = capi_ctx_set_provname_idx(ctx, i); 393 break; 394 395 case CAPI_CMD_LIST_OPTIONS: 396 ctx->dump_flags = i; 397 break; 398 399 case CAPI_CMD_LOOKUP_METHOD: 400 if (i < 1 || i > 3) { 401 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD); 402 return 0; 403 } 404 ctx->lookup_method = i; 405 break; 406 407 case CAPI_CMD_SET_CSP_NAME: 408 ret = capi_ctx_set_provname(ctx, p, ctx->csptype, 1); 409 break; 410 411 case CAPI_CMD_SET_CSP_TYPE: 412 ctx->csptype = i; 413 break; 414 415 default: 416 CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_UNKNOWN_COMMAND); 417 ret = 0; 418 } 419 420 BIO_free(out); 421 return ret; 422 423 } 424 425 static RSA_METHOD capi_rsa_method = { 426 "CryptoAPI RSA method", 427 0, /* pub_enc */ 428 0, /* pub_dec */ 429 capi_rsa_priv_enc, /* priv_enc */ 430 capi_rsa_priv_dec, /* priv_dec */ 431 0, /* rsa_mod_exp */ 432 0, /* bn_mod_exp */ 433 0, /* init */ 434 capi_rsa_free, /* finish */ 435 RSA_FLAG_SIGN_VER, /* flags */ 436 NULL, /* app_data */ 437 capi_rsa_sign, /* rsa_sign */ 438 0 /* rsa_verify */ 439 }; 440 441 static DSA_METHOD capi_dsa_method = { 442 "CryptoAPI DSA method", 443 capi_dsa_do_sign, /* dsa_do_sign */ 444 0, /* dsa_sign_setup */ 445 0, /* dsa_do_verify */ 446 0, /* dsa_mod_exp */ 447 0, /* bn_mod_exp */ 448 0, /* init */ 449 capi_dsa_free, /* finish */ 450 0, /* flags */ 451 NULL, /* app_data */ 452 0, /* dsa_paramgen */ 453 0 /* dsa_keygen */ 454 }; 455 456 static int capi_init(ENGINE *e) 457 { 458 CAPI_CTX *ctx; 459 const RSA_METHOD *ossl_rsa_meth; 460 const DSA_METHOD *ossl_dsa_meth; 461 462 if (capi_idx < 0) { 463 capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0); 464 if (capi_idx < 0) 465 goto memerr; 466 467 cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0); 468 469 /* Setup RSA_METHOD */ 470 rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0); 471 ossl_rsa_meth = RSA_PKCS1_SSLeay(); 472 capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc; 473 capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec; 474 capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp; 475 capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp; 476 477 /* Setup DSA Method */ 478 dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0); 479 ossl_dsa_meth = DSA_OpenSSL(); 480 capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify; 481 capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp; 482 capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp; 483 } 484 485 ctx = capi_ctx_new(); 486 if (!ctx) 487 goto memerr; 488 489 ENGINE_set_ex_data(e, capi_idx, ctx); 490 491 # ifdef OPENSSL_CAPIENG_DIALOG 492 { 493 HMODULE cryptui = LoadLibrary(TEXT("CRYPTUI.DLL")); 494 HMODULE kernel = GetModuleHandle(TEXT("KERNEL32.DLL")); 495 if (cryptui) 496 ctx->certselectdlg = 497 (CERTDLG) GetProcAddress(cryptui, 498 "CryptUIDlgSelectCertificateFromStore"); 499 if (kernel) 500 ctx->getconswindow = 501 (GETCONSWIN) GetProcAddress(kernel, "GetConsoleWindow"); 502 if (cryptui && !OPENSSL_isservice()) 503 ctx->client_cert_select = cert_select_dialog; 504 } 505 # endif 506 507 return 1; 508 509 memerr: 510 CAPIerr(CAPI_F_CAPI_INIT, ERR_R_MALLOC_FAILURE); 511 return 0; 512 513 return 1; 514 } 515 516 static int capi_destroy(ENGINE *e) 517 { 518 ERR_unload_CAPI_strings(); 519 return 1; 520 } 521 522 static int capi_finish(ENGINE *e) 523 { 524 CAPI_CTX *ctx; 525 ctx = ENGINE_get_ex_data(e, capi_idx); 526 capi_ctx_free(ctx); 527 ENGINE_set_ex_data(e, capi_idx, NULL); 528 return 1; 529 } 530 531 /* 532 * CryptoAPI key application data. This contains a handle to the private key 533 * container (for sign operations) and a handle to the key (for decrypt 534 * operations). 535 */ 536 537 struct CAPI_KEY_st { 538 /* Associated certificate context (if any) */ 539 PCCERT_CONTEXT pcert; 540 HCRYPTPROV hprov; 541 HCRYPTKEY key; 542 DWORD keyspec; 543 }; 544 545 static int bind_capi(ENGINE *e) 546 { 547 if (!ENGINE_set_id(e, engine_capi_id) 548 || !ENGINE_set_name(e, engine_capi_name) 549 || !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) 550 || !ENGINE_set_init_function(e, capi_init) 551 || !ENGINE_set_finish_function(e, capi_finish) 552 || !ENGINE_set_destroy_function(e, capi_destroy) 553 || !ENGINE_set_RSA(e, &capi_rsa_method) 554 || !ENGINE_set_DSA(e, &capi_dsa_method) 555 || !ENGINE_set_load_privkey_function(e, capi_load_privkey) 556 || !ENGINE_set_load_ssl_client_cert_function(e, 557 capi_load_ssl_client_cert) 558 || !ENGINE_set_cmd_defns(e, capi_cmd_defns) 559 || !ENGINE_set_ctrl_function(e, capi_ctrl)) 560 return 0; 561 ERR_load_CAPI_strings(); 562 563 return 1; 564 565 } 566 567 # ifndef OPENSSL_NO_DYNAMIC_ENGINE 568 static int bind_helper(ENGINE *e, const char *id) 569 { 570 if (id && (strcmp(id, engine_capi_id) != 0)) 571 return 0; 572 if (!bind_capi(e)) 573 return 0; 574 return 1; 575 } 576 577 IMPLEMENT_DYNAMIC_CHECK_FN() 578 IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) 579 # else 580 static ENGINE *engine_capi(void) 581 { 582 ENGINE *ret = ENGINE_new(); 583 if (!ret) 584 return NULL; 585 if (!bind_capi(ret)) { 586 ENGINE_free(ret); 587 return NULL; 588 } 589 return ret; 590 } 591 592 void ENGINE_load_capi(void) 593 { 594 /* Copied from eng_[openssl|dyn].c */ 595 ENGINE *toadd = engine_capi(); 596 if (!toadd) 597 return; 598 ENGINE_add(toadd); 599 ENGINE_free(toadd); 600 ERR_clear_error(); 601 } 602 # endif 603 604 static int lend_tobn(BIGNUM *bn, unsigned char *bin, int binlen) 605 { 606 int i; 607 /* 608 * Reverse buffer in place: since this is a keyblob structure that will 609 * be freed up after conversion anyway it doesn't matter if we change 610 * it. 611 */ 612 for (i = 0; i < binlen / 2; i++) { 613 unsigned char c; 614 c = bin[i]; 615 bin[i] = bin[binlen - i - 1]; 616 bin[binlen - i - 1] = c; 617 } 618 619 if (!BN_bin2bn(bin, binlen, bn)) 620 return 0; 621 return 1; 622 } 623 624 /* Given a CAPI_KEY get an EVP_PKEY structure */ 625 626 static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY * key) 627 { 628 unsigned char *pubkey = NULL; 629 DWORD len; 630 BLOBHEADER *bh; 631 RSA *rkey = NULL; 632 DSA *dkey = NULL; 633 EVP_PKEY *ret = NULL; 634 if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len)) { 635 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR); 636 capi_addlasterror(); 637 return NULL; 638 } 639 640 pubkey = OPENSSL_malloc(len); 641 642 if (!pubkey) 643 goto memerr; 644 645 if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len)) { 646 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR); 647 capi_addlasterror(); 648 goto err; 649 } 650 651 bh = (BLOBHEADER *) pubkey; 652 if (bh->bType != PUBLICKEYBLOB) { 653 CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB); 654 goto err; 655 } 656 if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX) { 657 RSAPUBKEY *rp; 658 DWORD rsa_modlen; 659 unsigned char *rsa_modulus; 660 rp = (RSAPUBKEY *) (bh + 1); 661 if (rp->magic != 0x31415352) { 662 char magstr[10]; 663 BIO_snprintf(magstr, 10, "%lx", rp->magic); 664 CAPIerr(CAPI_F_CAPI_GET_PKEY, 665 CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER); 666 ERR_add_error_data(2, "magic=0x", magstr); 667 goto err; 668 } 669 rsa_modulus = (unsigned char *)(rp + 1); 670 rkey = RSA_new_method(eng); 671 if (!rkey) 672 goto memerr; 673 674 rkey->e = BN_new(); 675 rkey->n = BN_new(); 676 677 if (!rkey->e || !rkey->n) 678 goto memerr; 679 680 if (!BN_set_word(rkey->e, rp->pubexp)) 681 goto memerr; 682 683 rsa_modlen = rp->bitlen / 8; 684 if (!lend_tobn(rkey->n, rsa_modulus, rsa_modlen)) 685 goto memerr; 686 687 RSA_set_ex_data(rkey, rsa_capi_idx, key); 688 689 if (!(ret = EVP_PKEY_new())) 690 goto memerr; 691 692 EVP_PKEY_assign_RSA(ret, rkey); 693 rkey = NULL; 694 695 } else if (bh->aiKeyAlg == CALG_DSS_SIGN) { 696 DSSPUBKEY *dp; 697 DWORD dsa_plen; 698 unsigned char *btmp; 699 dp = (DSSPUBKEY *) (bh + 1); 700 if (dp->magic != 0x31535344) { 701 char magstr[10]; 702 BIO_snprintf(magstr, 10, "%lx", dp->magic); 703 CAPIerr(CAPI_F_CAPI_GET_PKEY, 704 CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER); 705 ERR_add_error_data(2, "magic=0x", magstr); 706 goto err; 707 } 708 dsa_plen = dp->bitlen / 8; 709 btmp = (unsigned char *)(dp + 1); 710 dkey = DSA_new_method(eng); 711 if (!dkey) 712 goto memerr; 713 dkey->p = BN_new(); 714 dkey->q = BN_new(); 715 dkey->g = BN_new(); 716 dkey->pub_key = BN_new(); 717 if (!dkey->p || !dkey->q || !dkey->g || !dkey->pub_key) 718 goto memerr; 719 if (!lend_tobn(dkey->p, btmp, dsa_plen)) 720 goto memerr; 721 btmp += dsa_plen; 722 if (!lend_tobn(dkey->q, btmp, 20)) 723 goto memerr; 724 btmp += 20; 725 if (!lend_tobn(dkey->g, btmp, dsa_plen)) 726 goto memerr; 727 btmp += dsa_plen; 728 if (!lend_tobn(dkey->pub_key, btmp, dsa_plen)) 729 goto memerr; 730 btmp += dsa_plen; 731 732 DSA_set_ex_data(dkey, dsa_capi_idx, key); 733 734 if (!(ret = EVP_PKEY_new())) 735 goto memerr; 736 737 EVP_PKEY_assign_DSA(ret, dkey); 738 dkey = NULL; 739 } else { 740 char algstr[10]; 741 BIO_snprintf(algstr, 10, "%lx", bh->aiKeyAlg); 742 CAPIerr(CAPI_F_CAPI_GET_PKEY, 743 CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM); 744 ERR_add_error_data(2, "aiKeyAlg=0x", algstr); 745 goto err; 746 } 747 748 err: 749 if (pubkey) 750 OPENSSL_free(pubkey); 751 if (!ret) { 752 if (rkey) 753 RSA_free(rkey); 754 if (dkey) 755 DSA_free(dkey); 756 } 757 758 return ret; 759 760 memerr: 761 CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE); 762 goto err; 763 764 } 765 766 static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id, 767 UI_METHOD *ui_method, void *callback_data) 768 { 769 CAPI_CTX *ctx; 770 CAPI_KEY *key; 771 EVP_PKEY *ret; 772 ctx = ENGINE_get_ex_data(eng, capi_idx); 773 774 if (!ctx) { 775 CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT); 776 return NULL; 777 } 778 779 key = capi_find_key(ctx, key_id); 780 781 if (!key) 782 return NULL; 783 784 ret = capi_get_pkey(eng, key); 785 786 if (!ret) 787 capi_free_key(key); 788 return ret; 789 790 } 791 792 /* CryptoAPI RSA operations */ 793 794 int capi_rsa_priv_enc(int flen, const unsigned char *from, 795 unsigned char *to, RSA *rsa, int padding) 796 { 797 CAPIerr(CAPI_F_CAPI_RSA_PRIV_ENC, CAPI_R_FUNCTION_NOT_SUPPORTED); 798 return -1; 799 } 800 801 int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len, 802 unsigned char *sigret, unsigned int *siglen, const RSA *rsa) 803 { 804 ALG_ID alg; 805 HCRYPTHASH hash; 806 DWORD slen; 807 unsigned int i; 808 int ret = -1; 809 CAPI_KEY *capi_key; 810 CAPI_CTX *ctx; 811 812 ctx = ENGINE_get_ex_data(rsa->engine, capi_idx); 813 814 CAPI_trace(ctx, "Called CAPI_rsa_sign()\n"); 815 816 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); 817 if (!capi_key) { 818 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_GET_KEY); 819 return -1; 820 } 821 /* Convert the signature type to a CryptoAPI algorithm ID */ 822 switch (dtype) { 823 case NID_sha256: 824 alg = CALG_SHA_256; 825 break; 826 827 case NID_sha384: 828 alg = CALG_SHA_384; 829 break; 830 831 case NID_sha512: 832 alg = CALG_SHA_512; 833 break; 834 835 case NID_sha1: 836 alg = CALG_SHA1; 837 break; 838 839 case NID_md5: 840 alg = CALG_MD5; 841 break; 842 843 case NID_md5_sha1: 844 alg = CALG_SSL3_SHAMD5; 845 break; 846 default: 847 { 848 char algstr[10]; 849 BIO_snprintf(algstr, 10, "%lx", dtype); 850 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_UNSUPPORTED_ALGORITHM_NID); 851 ERR_add_error_data(2, "NID=0x", algstr); 852 return -1; 853 } 854 } 855 856 /* Create the hash object */ 857 if (!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash)) { 858 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT); 859 capi_addlasterror(); 860 return -1; 861 } 862 /* Set the hash value to the value passed */ 863 864 if (!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0)) { 865 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_SET_HASH_VALUE); 866 capi_addlasterror(); 867 goto err; 868 } 869 870 /* Finally sign it */ 871 slen = RSA_size(rsa); 872 if (!CryptSignHash(hash, capi_key->keyspec, NULL, 0, sigret, &slen)) { 873 CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_ERROR_SIGNING_HASH); 874 capi_addlasterror(); 875 goto err; 876 } else { 877 ret = 1; 878 /* Inplace byte reversal of signature */ 879 for (i = 0; i < slen / 2; i++) { 880 unsigned char c; 881 c = sigret[i]; 882 sigret[i] = sigret[slen - i - 1]; 883 sigret[slen - i - 1] = c; 884 } 885 *siglen = slen; 886 } 887 888 /* Now cleanup */ 889 890 err: 891 CryptDestroyHash(hash); 892 893 return ret; 894 } 895 896 int capi_rsa_priv_dec(int flen, const unsigned char *from, 897 unsigned char *to, RSA *rsa, int padding) 898 { 899 int i; 900 unsigned char *tmpbuf; 901 CAPI_KEY *capi_key; 902 CAPI_CTX *ctx; 903 ctx = ENGINE_get_ex_data(rsa->engine, capi_idx); 904 905 CAPI_trace(ctx, "Called capi_rsa_priv_dec()\n"); 906 907 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); 908 if (!capi_key) { 909 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_CANT_GET_KEY); 910 return -1; 911 } 912 913 if (padding != RSA_PKCS1_PADDING) { 914 char errstr[10]; 915 BIO_snprintf(errstr, 10, "%d", padding); 916 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_UNSUPPORTED_PADDING); 917 ERR_add_error_data(2, "padding=", errstr); 918 return -1; 919 } 920 921 /* Create temp reverse order version of input */ 922 if (!(tmpbuf = OPENSSL_malloc(flen))) { 923 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, ERR_R_MALLOC_FAILURE); 924 return -1; 925 } 926 for (i = 0; i < flen; i++) 927 tmpbuf[flen - i - 1] = from[i]; 928 929 /* Finally decrypt it */ 930 if (!CryptDecrypt(capi_key->key, 0, TRUE, 0, tmpbuf, &flen)) { 931 CAPIerr(CAPI_F_CAPI_RSA_PRIV_DEC, CAPI_R_DECRYPT_ERROR); 932 capi_addlasterror(); 933 OPENSSL_free(tmpbuf); 934 return -1; 935 } else 936 memcpy(to, tmpbuf, flen); 937 938 OPENSSL_free(tmpbuf); 939 940 return flen; 941 } 942 943 static int capi_rsa_free(RSA *rsa) 944 { 945 CAPI_KEY *capi_key; 946 capi_key = RSA_get_ex_data(rsa, rsa_capi_idx); 947 capi_free_key(capi_key); 948 RSA_set_ex_data(rsa, rsa_capi_idx, 0); 949 return 1; 950 } 951 952 /* CryptoAPI DSA operations */ 953 954 static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen, 955 DSA *dsa) 956 { 957 HCRYPTHASH hash; 958 DWORD slen; 959 DSA_SIG *ret = NULL; 960 CAPI_KEY *capi_key; 961 CAPI_CTX *ctx; 962 unsigned char csigbuf[40]; 963 964 ctx = ENGINE_get_ex_data(dsa->engine, capi_idx); 965 966 CAPI_trace(ctx, "Called CAPI_dsa_do_sign()\n"); 967 968 capi_key = DSA_get_ex_data(dsa, dsa_capi_idx); 969 970 if (!capi_key) { 971 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_GET_KEY); 972 return NULL; 973 } 974 975 if (dlen != 20) { 976 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_INVALID_DIGEST_LENGTH); 977 return NULL; 978 } 979 980 /* Create the hash object */ 981 if (!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash)) { 982 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT); 983 capi_addlasterror(); 984 return NULL; 985 } 986 987 /* Set the hash value to the value passed */ 988 if (!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0)) { 989 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_SET_HASH_VALUE); 990 capi_addlasterror(); 991 goto err; 992 } 993 994 /* Finally sign it */ 995 slen = sizeof(csigbuf); 996 if (!CryptSignHash(hash, capi_key->keyspec, NULL, 0, csigbuf, &slen)) { 997 CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_ERROR_SIGNING_HASH); 998 capi_addlasterror(); 999 goto err; 1000 } else { 1001 ret = DSA_SIG_new(); 1002 if (!ret) 1003 goto err; 1004 ret->r = BN_new(); 1005 ret->s = BN_new(); 1006 if (!ret->r || !ret->s) 1007 goto err; 1008 if (!lend_tobn(ret->r, csigbuf, 20) 1009 || !lend_tobn(ret->s, csigbuf + 20, 20)) { 1010 DSA_SIG_free(ret); 1011 ret = NULL; 1012 goto err; 1013 } 1014 } 1015 1016 /* Now cleanup */ 1017 1018 err: 1019 OPENSSL_cleanse(csigbuf, 40); 1020 CryptDestroyHash(hash); 1021 return ret; 1022 } 1023 1024 static int capi_dsa_free(DSA *dsa) 1025 { 1026 CAPI_KEY *capi_key; 1027 capi_key = DSA_get_ex_data(dsa, dsa_capi_idx); 1028 capi_free_key(capi_key); 1029 DSA_set_ex_data(dsa, dsa_capi_idx, 0); 1030 return 1; 1031 } 1032 1033 static void capi_vtrace(CAPI_CTX * ctx, int level, char *format, 1034 va_list argptr) 1035 { 1036 BIO *out; 1037 1038 if (!ctx || (ctx->debug_level < level) || (!ctx->debug_file)) 1039 return; 1040 out = BIO_new_file(ctx->debug_file, "a+"); 1041 BIO_vprintf(out, format, argptr); 1042 BIO_free(out); 1043 } 1044 1045 static void CAPI_trace(CAPI_CTX * ctx, char *format, ...) 1046 { 1047 va_list args; 1048 va_start(args, format); 1049 capi_vtrace(ctx, CAPI_DBG_TRACE, format, args); 1050 va_end(args); 1051 } 1052 1053 static void capi_addlasterror(void) 1054 { 1055 capi_adderror(GetLastError()); 1056 } 1057 1058 static void capi_adderror(DWORD err) 1059 { 1060 char errstr[10]; 1061 BIO_snprintf(errstr, 10, "%lX", err); 1062 ERR_add_error_data(2, "Error code= 0x", errstr); 1063 } 1064 1065 static char *wide_to_asc(LPCWSTR wstr) 1066 { 1067 char *str; 1068 int len_0, sz; 1069 1070 if (!wstr) 1071 return NULL; 1072 len_0 = (int)wcslen(wstr) + 1; /* WideCharToMultiByte expects int */ 1073 sz = WideCharToMultiByte(CP_ACP, 0, wstr, len_0, NULL, 0, NULL, NULL); 1074 if (!sz) { 1075 CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); 1076 return NULL; 1077 } 1078 str = OPENSSL_malloc(sz); 1079 if (!str) { 1080 CAPIerr(CAPI_F_WIDE_TO_ASC, ERR_R_MALLOC_FAILURE); 1081 return NULL; 1082 } 1083 if (!WideCharToMultiByte(CP_ACP, 0, wstr, len_0, str, sz, NULL, NULL)) { 1084 OPENSSL_free(str); 1085 CAPIerr(CAPI_F_WIDE_TO_ASC, CAPI_R_WIN32_ERROR); 1086 return NULL; 1087 } 1088 return str; 1089 } 1090 1091 static int capi_get_provname(CAPI_CTX * ctx, LPSTR * pname, DWORD * ptype, 1092 DWORD idx) 1093 { 1094 DWORD len, err; 1095 LPTSTR name; 1096 CAPI_trace(ctx, "capi_get_provname, index=%d\n", idx); 1097 if (!CryptEnumProviders(idx, NULL, 0, ptype, NULL, &len)) { 1098 err = GetLastError(); 1099 if (err == ERROR_NO_MORE_ITEMS) 1100 return 2; 1101 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR); 1102 capi_adderror(err); 1103 return 0; 1104 } 1105 if (sizeof(TCHAR) != sizeof(char)) 1106 name = alloca(len); 1107 else 1108 name = OPENSSL_malloc(len); 1109 if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) { 1110 err = GetLastError(); 1111 if (err == ERROR_NO_MORE_ITEMS) 1112 return 2; 1113 CAPIerr(CAPI_F_CAPI_GET_PROVNAME, CAPI_R_CRYPTENUMPROVIDERS_ERROR); 1114 capi_adderror(err); 1115 return 0; 1116 } 1117 if (sizeof(TCHAR) != sizeof(char)) 1118 *pname = wide_to_asc((WCHAR *)name); 1119 else 1120 *pname = (char *)name; 1121 CAPI_trace(ctx, "capi_get_provname, returned name=%s, type=%d\n", *pname, 1122 *ptype); 1123 1124 return 1; 1125 } 1126 1127 static int capi_list_providers(CAPI_CTX * ctx, BIO *out) 1128 { 1129 DWORD idx, ptype; 1130 int ret; 1131 LPSTR provname = NULL; 1132 CAPI_trace(ctx, "capi_list_providers\n"); 1133 BIO_printf(out, "Available CSPs:\n"); 1134 for (idx = 0;; idx++) { 1135 ret = capi_get_provname(ctx, &provname, &ptype, idx); 1136 if (ret == 2) 1137 break; 1138 if (ret == 0) 1139 break; 1140 BIO_printf(out, "%d. %s, type %d\n", idx, provname, ptype); 1141 OPENSSL_free(provname); 1142 } 1143 return 1; 1144 } 1145 1146 static int capi_list_containers(CAPI_CTX * ctx, BIO *out) 1147 { 1148 int ret = 1; 1149 HCRYPTPROV hprov; 1150 DWORD err, idx, flags, buflen = 0, clen; 1151 LPSTR cname; 1152 LPTSTR cspname = NULL; 1153 1154 CAPI_trace(ctx, "Listing containers CSP=%s, type = %d\n", ctx->cspname, 1155 ctx->csptype); 1156 if (ctx->cspname && sizeof(TCHAR) != sizeof(char)) { 1157 if ((clen = 1158 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, NULL, 0))) { 1159 cspname = alloca(clen * sizeof(WCHAR)); 1160 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, (WCHAR *)cspname, 1161 clen); 1162 } 1163 if (!cspname) { 1164 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE); 1165 capi_addlasterror(); 1166 return 0; 1167 } 1168 } else 1169 cspname = (TCHAR *)ctx->cspname; 1170 if (!CryptAcquireContext 1171 (&hprov, NULL, cspname, ctx->csptype, CRYPT_VERIFYCONTEXT)) { 1172 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, 1173 CAPI_R_CRYPTACQUIRECONTEXT_ERROR); 1174 capi_addlasterror(); 1175 return 0; 1176 } 1177 if (!CryptGetProvParam 1178 (hprov, PP_ENUMCONTAINERS, NULL, &buflen, CRYPT_FIRST)) { 1179 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR); 1180 capi_addlasterror(); 1181 CryptReleaseContext(hprov, 0); 1182 return 0; 1183 } 1184 CAPI_trace(ctx, "Got max container len %d\n", buflen); 1185 if (buflen == 0) 1186 buflen = 1024; 1187 cname = OPENSSL_malloc(buflen); 1188 if (!cname) { 1189 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, ERR_R_MALLOC_FAILURE); 1190 goto err; 1191 } 1192 1193 for (idx = 0;; idx++) { 1194 clen = buflen; 1195 cname[0] = 0; 1196 1197 if (idx == 0) 1198 flags = CRYPT_FIRST; 1199 else 1200 flags = 0; 1201 if (!CryptGetProvParam 1202 (hprov, PP_ENUMCONTAINERS, (BYTE *) cname, &clen, flags)) { 1203 err = GetLastError(); 1204 if (err == ERROR_NO_MORE_ITEMS) 1205 goto done; 1206 CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR); 1207 capi_adderror(err); 1208 goto err; 1209 } 1210 CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", 1211 cname, clen, idx, flags); 1212 if (!cname[0] && (clen == buflen)) { 1213 CAPI_trace(ctx, "Enumerate bug: using workaround\n"); 1214 goto done; 1215 } 1216 BIO_printf(out, "%d. %s\n", idx, cname); 1217 } 1218 err: 1219 1220 ret = 0; 1221 1222 done: 1223 if (cname) 1224 OPENSSL_free(cname); 1225 CryptReleaseContext(hprov, 0); 1226 1227 return ret; 1228 } 1229 1230 CRYPT_KEY_PROV_INFO *capi_get_prov_info(CAPI_CTX * ctx, PCCERT_CONTEXT cert) 1231 { 1232 DWORD len; 1233 CRYPT_KEY_PROV_INFO *pinfo; 1234 1235 if (!CertGetCertificateContextProperty 1236 (cert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &len)) 1237 return NULL; 1238 pinfo = OPENSSL_malloc(len); 1239 if (!pinfo) { 1240 CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, ERR_R_MALLOC_FAILURE); 1241 return NULL; 1242 } 1243 if (!CertGetCertificateContextProperty 1244 (cert, CERT_KEY_PROV_INFO_PROP_ID, pinfo, &len)) { 1245 CAPIerr(CAPI_F_CAPI_GET_PROV_INFO, 1246 CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO); 1247 capi_addlasterror(); 1248 OPENSSL_free(pinfo); 1249 return NULL; 1250 } 1251 return pinfo; 1252 } 1253 1254 static void capi_dump_prov_info(CAPI_CTX * ctx, BIO *out, 1255 CRYPT_KEY_PROV_INFO * pinfo) 1256 { 1257 char *provname = NULL, *contname = NULL; 1258 if (!pinfo) { 1259 BIO_printf(out, " No Private Key\n"); 1260 return; 1261 } 1262 provname = wide_to_asc(pinfo->pwszProvName); 1263 contname = wide_to_asc(pinfo->pwszContainerName); 1264 if (!provname || !contname) 1265 goto err; 1266 1267 BIO_printf(out, " Private Key Info:\n"); 1268 BIO_printf(out, " Provider Name: %s, Provider Type %d\n", provname, 1269 pinfo->dwProvType); 1270 BIO_printf(out, " Container Name: %s, Key Type %d\n", contname, 1271 pinfo->dwKeySpec); 1272 err: 1273 if (provname) 1274 OPENSSL_free(provname); 1275 if (contname) 1276 OPENSSL_free(contname); 1277 } 1278 1279 char *capi_cert_get_fname(CAPI_CTX * ctx, PCCERT_CONTEXT cert) 1280 { 1281 LPWSTR wfname; 1282 DWORD dlen; 1283 1284 CAPI_trace(ctx, "capi_cert_get_fname\n"); 1285 if (!CertGetCertificateContextProperty 1286 (cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen)) 1287 return NULL; 1288 wfname = OPENSSL_malloc(dlen); 1289 if (CertGetCertificateContextProperty 1290 (cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen)) { 1291 char *fname = wide_to_asc(wfname); 1292 OPENSSL_free(wfname); 1293 return fname; 1294 } 1295 CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, CAPI_R_ERROR_GETTING_FRIENDLY_NAME); 1296 capi_addlasterror(); 1297 1298 OPENSSL_free(wfname); 1299 return NULL; 1300 } 1301 1302 void capi_dump_cert(CAPI_CTX * ctx, BIO *out, PCCERT_CONTEXT cert) 1303 { 1304 X509 *x; 1305 unsigned char *p; 1306 unsigned long flags = ctx->dump_flags; 1307 if (flags & CAPI_DMP_FNAME) { 1308 char *fname; 1309 fname = capi_cert_get_fname(ctx, cert); 1310 if (fname) { 1311 BIO_printf(out, " Friendly Name \"%s\"\n", fname); 1312 OPENSSL_free(fname); 1313 } else 1314 BIO_printf(out, " <No Friendly Name>\n"); 1315 } 1316 1317 p = cert->pbCertEncoded; 1318 x = d2i_X509(NULL, &p, cert->cbCertEncoded); 1319 if (!x) 1320 BIO_printf(out, " <Can't parse certificate>\n"); 1321 if (flags & CAPI_DMP_SUMMARY) { 1322 BIO_printf(out, " Subject: "); 1323 X509_NAME_print_ex(out, X509_get_subject_name(x), 0, XN_FLAG_ONELINE); 1324 BIO_printf(out, "\n Issuer: "); 1325 X509_NAME_print_ex(out, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE); 1326 BIO_printf(out, "\n"); 1327 } 1328 if (flags & CAPI_DMP_FULL) 1329 X509_print_ex(out, x, XN_FLAG_ONELINE, 0); 1330 1331 if (flags & CAPI_DMP_PKEYINFO) { 1332 CRYPT_KEY_PROV_INFO *pinfo; 1333 pinfo = capi_get_prov_info(ctx, cert); 1334 capi_dump_prov_info(ctx, out, pinfo); 1335 if (pinfo) 1336 OPENSSL_free(pinfo); 1337 } 1338 1339 if (flags & CAPI_DMP_PEM) 1340 PEM_write_bio_X509(out, x); 1341 X509_free(x); 1342 } 1343 1344 HCERTSTORE capi_open_store(CAPI_CTX * ctx, char *storename) 1345 { 1346 HCERTSTORE hstore; 1347 1348 if (!storename) 1349 storename = ctx->storename; 1350 if (!storename) 1351 storename = "MY"; 1352 CAPI_trace(ctx, "Opening certificate store %s\n", storename); 1353 1354 hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, 1355 ctx->store_flags, storename); 1356 if (!hstore) { 1357 CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE); 1358 capi_addlasterror(); 1359 } 1360 return hstore; 1361 } 1362 1363 int capi_list_certs(CAPI_CTX * ctx, BIO *out, char *id) 1364 { 1365 char *storename; 1366 int idx; 1367 int ret = 1; 1368 HCERTSTORE hstore; 1369 PCCERT_CONTEXT cert = NULL; 1370 1371 storename = ctx->storename; 1372 if (!storename) 1373 storename = "MY"; 1374 CAPI_trace(ctx, "Listing certs for store %s\n", storename); 1375 1376 hstore = capi_open_store(ctx, storename); 1377 if (!hstore) 1378 return 0; 1379 if (id) { 1380 cert = capi_find_cert(ctx, id, hstore); 1381 if (!cert) { 1382 ret = 0; 1383 goto err; 1384 } 1385 capi_dump_cert(ctx, out, cert); 1386 CertFreeCertificateContext(cert); 1387 } else { 1388 for (idx = 0;; idx++) { 1389 cert = CertEnumCertificatesInStore(hstore, cert); 1390 if (!cert) 1391 break; 1392 BIO_printf(out, "Certificate %d\n", idx); 1393 capi_dump_cert(ctx, out, cert); 1394 } 1395 } 1396 err: 1397 CertCloseStore(hstore, 0); 1398 return ret; 1399 } 1400 1401 static PCCERT_CONTEXT capi_find_cert(CAPI_CTX * ctx, const char *id, 1402 HCERTSTORE hstore) 1403 { 1404 PCCERT_CONTEXT cert = NULL; 1405 char *fname = NULL; 1406 int match; 1407 switch (ctx->lookup_method) { 1408 case CAPI_LU_SUBSTR: 1409 return CertFindCertificateInStore(hstore, 1410 X509_ASN_ENCODING, 0, 1411 CERT_FIND_SUBJECT_STR_A, id, NULL); 1412 case CAPI_LU_FNAME: 1413 for (;;) { 1414 cert = CertEnumCertificatesInStore(hstore, cert); 1415 if (!cert) 1416 return NULL; 1417 fname = capi_cert_get_fname(ctx, cert); 1418 if (fname) { 1419 if (strcmp(fname, id)) 1420 match = 0; 1421 else 1422 match = 1; 1423 OPENSSL_free(fname); 1424 if (match) 1425 return cert; 1426 } 1427 } 1428 default: 1429 return NULL; 1430 } 1431 } 1432 1433 static CAPI_KEY *capi_get_key(CAPI_CTX * ctx, const TCHAR *contname, 1434 TCHAR *provname, DWORD ptype, DWORD keyspec) 1435 { 1436 CAPI_KEY *key; 1437 DWORD dwFlags = 0; 1438 key = OPENSSL_malloc(sizeof(CAPI_KEY)); 1439 if (sizeof(TCHAR) == sizeof(char)) 1440 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 1441 contname, provname, ptype); 1442 else if (ctx && ctx->debug_level >= CAPI_DBG_TRACE && ctx->debug_file) { 1443 /* above 'if' is optimization to minimize malloc-ations */ 1444 char *_contname = wide_to_asc((WCHAR *)contname); 1445 char *_provname = wide_to_asc((WCHAR *)provname); 1446 1447 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 1448 _contname, _provname, ptype); 1449 if (_provname) 1450 OPENSSL_free(_provname); 1451 if (_contname) 1452 OPENSSL_free(_contname); 1453 } 1454 if (ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE) 1455 dwFlags = CRYPT_MACHINE_KEYSET; 1456 if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, dwFlags)) { 1457 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); 1458 capi_addlasterror(); 1459 goto err; 1460 } 1461 if (!CryptGetUserKey(key->hprov, keyspec, &key->key)) { 1462 CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_GETUSERKEY_ERROR); 1463 capi_addlasterror(); 1464 CryptReleaseContext(key->hprov, 0); 1465 goto err; 1466 } 1467 key->keyspec = keyspec; 1468 key->pcert = NULL; 1469 return key; 1470 1471 err: 1472 OPENSSL_free(key); 1473 return NULL; 1474 } 1475 1476 static CAPI_KEY *capi_get_cert_key(CAPI_CTX * ctx, PCCERT_CONTEXT cert) 1477 { 1478 CAPI_KEY *key = NULL; 1479 CRYPT_KEY_PROV_INFO *pinfo = NULL; 1480 char *provname = NULL, *contname = NULL; 1481 pinfo = capi_get_prov_info(ctx, cert); 1482 if (!pinfo) 1483 goto err; 1484 if (sizeof(TCHAR) != sizeof(char)) 1485 key = capi_get_key(ctx, (TCHAR *)pinfo->pwszContainerName, 1486 (TCHAR *)pinfo->pwszProvName, 1487 pinfo->dwProvType, pinfo->dwKeySpec); 1488 else { 1489 provname = wide_to_asc(pinfo->pwszProvName); 1490 contname = wide_to_asc(pinfo->pwszContainerName); 1491 if (!provname || !contname) 1492 goto err; 1493 key = capi_get_key(ctx, (TCHAR *)contname, (TCHAR *)provname, 1494 pinfo->dwProvType, pinfo->dwKeySpec); 1495 } 1496 1497 err: 1498 if (pinfo) 1499 OPENSSL_free(pinfo); 1500 if (provname) 1501 OPENSSL_free(provname); 1502 if (contname) 1503 OPENSSL_free(contname); 1504 return key; 1505 } 1506 1507 CAPI_KEY *capi_find_key(CAPI_CTX * ctx, const char *id) 1508 { 1509 PCCERT_CONTEXT cert; 1510 HCERTSTORE hstore; 1511 CAPI_KEY *key = NULL; 1512 switch (ctx->lookup_method) { 1513 case CAPI_LU_SUBSTR: 1514 case CAPI_LU_FNAME: 1515 hstore = capi_open_store(ctx, NULL); 1516 if (!hstore) 1517 return NULL; 1518 cert = capi_find_cert(ctx, id, hstore); 1519 if (cert) { 1520 key = capi_get_cert_key(ctx, cert); 1521 CertFreeCertificateContext(cert); 1522 } 1523 CertCloseStore(hstore, 0); 1524 break; 1525 1526 case CAPI_LU_CONTNAME: 1527 if (sizeof(TCHAR) != sizeof(char)) { 1528 WCHAR *contname, *provname; 1529 DWORD len; 1530 1531 if ((len = MultiByteToWideChar(CP_ACP, 0, id, -1, NULL, 0)) && 1532 (contname = alloca(len * sizeof(WCHAR)), 1533 MultiByteToWideChar(CP_ACP, 0, id, -1, contname, len)) && 1534 (len = 1535 MultiByteToWideChar(CP_ACP, 0, ctx->cspname, -1, NULL, 0)) 1536 && (provname = 1537 alloca(len * sizeof(WCHAR)), MultiByteToWideChar(CP_ACP, 1538 0, 1539 ctx->cspname, 1540 -1, 1541 provname, 1542 len))) 1543 key = 1544 capi_get_key(ctx, (TCHAR *)contname, (TCHAR *)provname, 1545 ctx->csptype, ctx->keytype); 1546 } else 1547 key = capi_get_key(ctx, (TCHAR *)id, 1548 (TCHAR *)ctx->cspname, 1549 ctx->csptype, ctx->keytype); 1550 break; 1551 } 1552 1553 return key; 1554 } 1555 1556 void capi_free_key(CAPI_KEY * key) 1557 { 1558 if (!key) 1559 return; 1560 CryptDestroyKey(key->key); 1561 CryptReleaseContext(key->hprov, 0); 1562 if (key->pcert) 1563 CertFreeCertificateContext(key->pcert); 1564 OPENSSL_free(key); 1565 } 1566 1567 /* Initialize a CAPI_CTX structure */ 1568 1569 static CAPI_CTX *capi_ctx_new() 1570 { 1571 CAPI_CTX *ctx; 1572 ctx = OPENSSL_malloc(sizeof(CAPI_CTX)); 1573 if (!ctx) { 1574 CAPIerr(CAPI_F_CAPI_CTX_NEW, ERR_R_MALLOC_FAILURE); 1575 return NULL; 1576 } 1577 ctx->cspname = NULL; 1578 ctx->csptype = PROV_RSA_FULL; 1579 ctx->dump_flags = CAPI_DMP_SUMMARY | CAPI_DMP_FNAME; 1580 ctx->keytype = AT_KEYEXCHANGE; 1581 ctx->storename = NULL; 1582 ctx->ssl_client_store = NULL; 1583 ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG | 1584 CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER; 1585 ctx->lookup_method = CAPI_LU_SUBSTR; 1586 ctx->debug_level = 0; 1587 ctx->debug_file = NULL; 1588 ctx->client_cert_select = cert_select_simple; 1589 return ctx; 1590 } 1591 1592 static void capi_ctx_free(CAPI_CTX * ctx) 1593 { 1594 CAPI_trace(ctx, "Calling capi_ctx_free with %lx\n", ctx); 1595 if (!ctx) 1596 return; 1597 if (ctx->cspname) 1598 OPENSSL_free(ctx->cspname); 1599 if (ctx->debug_file) 1600 OPENSSL_free(ctx->debug_file); 1601 if (ctx->storename) 1602 OPENSSL_free(ctx->storename); 1603 if (ctx->ssl_client_store) 1604 OPENSSL_free(ctx->ssl_client_store); 1605 OPENSSL_free(ctx); 1606 } 1607 1608 static int capi_ctx_set_provname(CAPI_CTX * ctx, LPSTR pname, DWORD type, 1609 int check) 1610 { 1611 CAPI_trace(ctx, "capi_ctx_set_provname, name=%s, type=%d\n", pname, type); 1612 if (check) { 1613 HCRYPTPROV hprov; 1614 LPTSTR name = NULL; 1615 1616 if (sizeof(TCHAR) != sizeof(char)) { 1617 DWORD len; 1618 if ((len = MultiByteToWideChar(CP_ACP, 0, pname, -1, NULL, 0))) { 1619 name = alloca(len * sizeof(WCHAR)); 1620 MultiByteToWideChar(CP_ACP, 0, pname, -1, (WCHAR *)name, len); 1621 } 1622 } else 1623 name = (TCHAR *)pname; 1624 1625 if (!name || !CryptAcquireContext(&hprov, NULL, name, type, 1626 CRYPT_VERIFYCONTEXT)) { 1627 CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, 1628 CAPI_R_CRYPTACQUIRECONTEXT_ERROR); 1629 capi_addlasterror(); 1630 return 0; 1631 } 1632 CryptReleaseContext(hprov, 0); 1633 } 1634 if (ctx->cspname) 1635 OPENSSL_free(ctx->cspname); 1636 ctx->cspname = BUF_strdup(pname); 1637 ctx->csptype = type; 1638 return 1; 1639 } 1640 1641 static int capi_ctx_set_provname_idx(CAPI_CTX * ctx, int idx) 1642 { 1643 LPSTR pname; 1644 DWORD type; 1645 int res; 1646 if (capi_get_provname(ctx, &pname, &type, idx) != 1) 1647 return 0; 1648 res = capi_ctx_set_provname(ctx, pname, type, 0); 1649 OPENSSL_free(pname); 1650 return res; 1651 } 1652 1653 static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x) 1654 { 1655 int i; 1656 X509_NAME *nm; 1657 /* Special case: empty list: match anything */ 1658 if (sk_X509_NAME_num(ca_dn) <= 0) 1659 return 1; 1660 for (i = 0; i < sk_X509_NAME_num(ca_dn); i++) { 1661 nm = sk_X509_NAME_value(ca_dn, i); 1662 if (!X509_NAME_cmp(nm, X509_get_issuer_name(x))) 1663 return 1; 1664 } 1665 return 0; 1666 } 1667 1668 static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, 1669 STACK_OF(X509_NAME) *ca_dn, X509 **pcert, 1670 EVP_PKEY **pkey, STACK_OF(X509) **pother, 1671 UI_METHOD *ui_method, 1672 void *callback_data) 1673 { 1674 STACK_OF(X509) *certs = NULL; 1675 X509 *x; 1676 char *storename; 1677 const char *p; 1678 int i, client_cert_idx; 1679 HCERTSTORE hstore; 1680 PCCERT_CONTEXT cert = NULL, excert = NULL; 1681 CAPI_CTX *ctx; 1682 CAPI_KEY *key; 1683 ctx = ENGINE_get_ex_data(e, capi_idx); 1684 1685 *pcert = NULL; 1686 *pkey = NULL; 1687 1688 storename = ctx->ssl_client_store; 1689 if (!storename) 1690 storename = "MY"; 1691 1692 hstore = capi_open_store(ctx, storename); 1693 if (!hstore) 1694 return 0; 1695 /* Enumerate all certificates collect any matches */ 1696 for (i = 0;; i++) { 1697 cert = CertEnumCertificatesInStore(hstore, cert); 1698 if (!cert) 1699 break; 1700 p = cert->pbCertEncoded; 1701 x = d2i_X509(NULL, &p, cert->cbCertEncoded); 1702 if (!x) { 1703 CAPI_trace(ctx, "Can't Parse Certificate %d\n", i); 1704 continue; 1705 } 1706 if (cert_issuer_match(ca_dn, x) 1707 && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0)) { 1708 key = capi_get_cert_key(ctx, cert); 1709 if (!key) { 1710 X509_free(x); 1711 continue; 1712 } 1713 /* 1714 * Match found: attach extra data to it so we can retrieve the 1715 * key later. 1716 */ 1717 excert = CertDuplicateCertificateContext(cert); 1718 key->pcert = excert; 1719 X509_set_ex_data(x, cert_capi_idx, key); 1720 1721 if (!certs) 1722 certs = sk_X509_new_null(); 1723 1724 sk_X509_push(certs, x); 1725 } else 1726 X509_free(x); 1727 1728 } 1729 1730 if (cert) 1731 CertFreeCertificateContext(cert); 1732 if (hstore) 1733 CertCloseStore(hstore, 0); 1734 1735 if (!certs) 1736 return 0; 1737 1738 /* Select the appropriate certificate */ 1739 1740 client_cert_idx = ctx->client_cert_select(e, ssl, certs); 1741 1742 /* Set the selected certificate and free the rest */ 1743 1744 for (i = 0; i < sk_X509_num(certs); i++) { 1745 x = sk_X509_value(certs, i); 1746 if (i == client_cert_idx) 1747 *pcert = x; 1748 else { 1749 key = X509_get_ex_data(x, cert_capi_idx); 1750 capi_free_key(key); 1751 X509_free(x); 1752 } 1753 } 1754 1755 sk_X509_free(certs); 1756 1757 if (!*pcert) 1758 return 0; 1759 1760 /* Setup key for selected certificate */ 1761 1762 key = X509_get_ex_data(*pcert, cert_capi_idx); 1763 *pkey = capi_get_pkey(e, key); 1764 X509_set_ex_data(*pcert, cert_capi_idx, NULL); 1765 1766 return 1; 1767 1768 } 1769 1770 /* Simple client cert selection function: always select first */ 1771 1772 static int cert_select_simple(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) 1773 { 1774 return 0; 1775 } 1776 1777 # ifdef OPENSSL_CAPIENG_DIALOG 1778 1779 /* 1780 * More complex cert selection function, using standard function 1781 * CryptUIDlgSelectCertificateFromStore() to produce a dialog box. 1782 */ 1783 1784 /* 1785 * Definitions which are in cryptuiapi.h but this is not present in older 1786 * versions of headers. 1787 */ 1788 1789 # ifndef CRYPTUI_SELECT_LOCATION_COLUMN 1790 # define CRYPTUI_SELECT_LOCATION_COLUMN 0x000000010 1791 # define CRYPTUI_SELECT_INTENDEDUSE_COLUMN 0x000000004 1792 # endif 1793 1794 # define dlg_title L"OpenSSL Application SSL Client Certificate Selection" 1795 # define dlg_prompt L"Select a certificate to use for authentication" 1796 # define dlg_columns CRYPTUI_SELECT_LOCATION_COLUMN \ 1797 |CRYPTUI_SELECT_INTENDEDUSE_COLUMN 1798 1799 static int cert_select_dialog(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) 1800 { 1801 X509 *x; 1802 HCERTSTORE dstore; 1803 PCCERT_CONTEXT cert; 1804 CAPI_CTX *ctx; 1805 CAPI_KEY *key; 1806 HWND hwnd; 1807 int i, idx = -1; 1808 if (sk_X509_num(certs) == 1) 1809 return 0; 1810 ctx = ENGINE_get_ex_data(e, capi_idx); 1811 /* Create an in memory store of certificates */ 1812 dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 1813 CERT_STORE_CREATE_NEW_FLAG, NULL); 1814 if (!dstore) { 1815 CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_CREATING_STORE); 1816 capi_addlasterror(); 1817 goto err; 1818 } 1819 /* Add all certificates to store */ 1820 for (i = 0; i < sk_X509_num(certs); i++) { 1821 x = sk_X509_value(certs, i); 1822 key = X509_get_ex_data(x, cert_capi_idx); 1823 1824 if (!CertAddCertificateContextToStore(dstore, key->pcert, 1825 CERT_STORE_ADD_NEW, NULL)) { 1826 CAPIerr(CAPI_F_CERT_SELECT_DIALOG, CAPI_R_ERROR_ADDING_CERT); 1827 capi_addlasterror(); 1828 goto err; 1829 } 1830 1831 } 1832 hwnd = GetForegroundWindow(); 1833 if (!hwnd) 1834 hwnd = GetActiveWindow(); 1835 if (!hwnd && ctx->getconswindow) 1836 hwnd = ctx->getconswindow(); 1837 /* Call dialog to select one */ 1838 cert = ctx->certselectdlg(dstore, hwnd, dlg_title, dlg_prompt, 1839 dlg_columns, 0, NULL); 1840 1841 /* Find matching cert from list */ 1842 if (cert) { 1843 for (i = 0; i < sk_X509_num(certs); i++) { 1844 x = sk_X509_value(certs, i); 1845 key = X509_get_ex_data(x, cert_capi_idx); 1846 if (CertCompareCertificate 1847 (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, 1848 key->pcert->pCertInfo)) { 1849 idx = i; 1850 break; 1851 } 1852 } 1853 } 1854 1855 err: 1856 if (dstore) 1857 CertCloseStore(dstore, 0); 1858 return idx; 1859 1860 } 1861 # endif 1862 1863 #else /* !__COMPILE_CAPIENG */ 1864 # include <openssl/engine.h> 1865 # ifndef OPENSSL_NO_DYNAMIC_ENGINE 1866 OPENSSL_EXPORT 1867 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); 1868 OPENSSL_EXPORT 1869 int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) 1870 { 1871 return 0; 1872 } 1873 1874 IMPLEMENT_DYNAMIC_CHECK_FN() 1875 # else 1876 void ENGINE_load_capi(void) 1877 { 1878 } 1879 # endif 1880 #endif 1881