CAPIUtils.cpp

Go to the documentation of this file.

#include "CAPIUtils.h"
#include "ToolkitUtils.h"
#include "PKIFException.h"
#include "PKIFCryptoErrors.h"
#include "components.h"
void CAC_API ReverseBytes(
    unsigned char* buf,
    int bufLen)
{
    unsigned char tmp;
    int top = bufLen - 1;
    for(int bottom = 0; bottom < top; ++bottom, --top)
    {
        tmp = buf[top];
        buf[top] = buf[bottom];
        buf[bottom] = tmp;
    }
}

//The next two functions (CreatePrivateExponentOneKey and ImportPlainSessionBlob)
//were taken directly from the Microsoft Knowledge Base.  There's a Q article
//there describing that the Microsoft CSPs do not allow import of plaintext
//symmetric keys.  Thus we have to do the dance of these functions to achieve
//that functionality.
BOOL CreatePrivateExponentOneKey(
    LPTSTR szProvider, 
    DWORD dwProvType,
    LPTSTR szContainer,
    DWORD dwKeySpec,
    HCRYPTPROV *hProv, 
    HCRYPTKEY *hPrivateKey)
{
   BOOL succ = FALSE;
   BOOL fReturn = FALSE;
   BOOL fResult;
   unsigned int n;
   LPBYTE keyblob = NULL;
   DWORD dwkeyblob;
   DWORD dwBitLen;
   BYTE *ptr;

   __try
   {
      *hProv = 0;
      *hPrivateKey = 0;

      if ((dwKeySpec != AT_KEYEXCHANGE) && (dwKeySpec != AT_SIGNATURE))  __leave;

      // Try to create new container
      fResult = CryptAcquireContext(hProv, szContainer, szProvider, 
                                    dwProvType, CRYPT_NEWKEYSET);
      if (!fResult)
      {
         // If the container exists, open it
         if (GetLastError() == NTE_EXISTS)
         {
            // delete the keyset, then try again
            fResult = CryptAcquireContext(hProv, szContainer, szProvider, dwProvType, CRYPT_DELETEKEYSET);
            if (!fResult)
            {
               // No good, leave
               __leave;
            }
            fResult = CryptAcquireContext(hProv, szContainer, szProvider, 
                                    dwProvType, CRYPT_NEWKEYSET);
            if (!fResult)
            {
               // No good, leave
               __leave;
            }
         }
         else
         {
            // No good, leave
            __leave;
         }
      }

      // Generate the private key
      fResult = CryptGenKey(*hProv, dwKeySpec, CRYPT_EXPORTABLE, hPrivateKey);
      if (!fResult) __leave;

      // Export the private key, we'll convert it to a private
      // exponent of one key
      fResult = CryptExportKey(*hPrivateKey, 0, PRIVATEKEYBLOB, 0, NULL, &dwkeyblob);
      if (!fResult) __leave;      

      //keyblob = (LPBYTE)LocalAlloc(LPTR, dwkeyblob);
      keyblob = new unsigned char[dwkeyblob];
      if (!keyblob) __leave;

      fResult = CryptExportKey(*hPrivateKey, 0, PRIVATEKEYBLOB, 0, keyblob, &dwkeyblob);
      if (!fResult) __leave;


      succ = CryptDestroyKey(*hPrivateKey);
      *hPrivateKey = 0;

      // Get the bit length of the key
      memcpy(&dwBitLen, &keyblob[12], 4);      

      // Modify the Exponent in Key BLOB format
      // Key BLOB format is documented in SDK

      // Convert pubexp in rsapubkey to 1
      ptr = &keyblob[16];
      for (n = 0; n < 4; n++)
      {
         if (n == 0) ptr[n] = 1;
         else ptr[n] = 0;
      }

      // Skip pubexp
      ptr += 4;
      // Skip modulus, prime1, prime2
      ptr += (dwBitLen/8);
      ptr += (dwBitLen/16);
      ptr += (dwBitLen/16);

      // Convert exponent1 to 1
      for (n = 0; n < (dwBitLen/16); n++)
      {
         if (n == 0) ptr[n] = 1;
         else ptr[n] = 0;
      }

      // Skip exponent1
      ptr += (dwBitLen/16);

      // Convert exponent2 to 1
      for (n = 0; n < (dwBitLen/16); n++)
      {
         if (n == 0) ptr[n] = 1;
         else ptr[n] = 0;
      }

      // Skip exponent2, coefficient
      ptr += (dwBitLen/16);
      ptr += (dwBitLen/16);

      // Convert privateExponent to 1
      for (n = 0; n < (dwBitLen/8); n++)
      {
         if (n == 0) ptr[n] = 1;
         else ptr[n] = 0;
      }
      
      // Import the exponent-of-one private key.      
      if (!CryptImportKey(*hProv, keyblob, dwkeyblob, 0, 0, hPrivateKey))
      {                 
         __leave;
      }

      fReturn = TRUE;
   }
   __finally
   {
      //if (keyblob) LocalFree(keyblob);
      if (keyblob)
      {
          delete[] keyblob; 
          keyblob = NULL;
      }

      if (!fReturn)
      {
         if (*hPrivateKey) CryptDestroyKey(*hPrivateKey);
         if (*hProv) CryptReleaseContext(*hProv, 0);
      }
   }

   return fReturn;
}
BOOL ImportPlainSessionBlob(
    HCRYPTPROV hProv,
    HCRYPTKEY hPrivateKey,
    ALG_ID dwAlgId,
    LPBYTE pbKeyMaterial ,
    DWORD dwKeyMaterial ,
    HCRYPTKEY *hSessionKey)
{
   BOOL succ = FALSE;
   BOOL fResult;   
   BOOL fReturn = FALSE;
   BOOL fFound = FALSE;
   LPBYTE pbSessionBlob = NULL;
   DWORD dwSessionBlob, dwSize, n;
   DWORD dwPublicKeySize;
   DWORD dwProvSessionKeySize;
   ALG_ID dwPrivKeyAlg;
   LPBYTE pbPtr; 
   DWORD dwFlags = CRYPT_FIRST;
   PROV_ENUMALGS_EX ProvEnum;
   HCRYPTKEY hTempKey = 0;

   __try
   {
      // Double check to see if this provider supports this algorithm
      // and key size
      do
      {        
         dwSize = sizeof(ProvEnum);
         fResult = CryptGetProvParam(hProv, PP_ENUMALGS_EX, (LPBYTE)&ProvEnum,
                                     &dwSize, dwFlags);
         if (!fResult) break;

         dwFlags = 0;

         if (ProvEnum.aiAlgid == dwAlgId) fFound = TRUE;
                                     
      } while (!fFound);

      if (!fFound) __leave;

      // We have to get the key size(including padding)
      // from an HCRYPTKEY handle.  PP_ENUMALGS_EX contains
      // the key size without the padding so we can't use it.
      fResult = CryptGenKey(hProv, dwAlgId, 0, &hTempKey);
      if (!fResult) __leave;
      
      dwSize = sizeof(DWORD);
      fResult = CryptGetKeyParam(hTempKey, KP_KEYLEN, (LPBYTE)&dwProvSessionKeySize,
                                 &dwSize, 0);
      if (!fResult) __leave;      
      succ = CryptDestroyKey(hTempKey);
      hTempKey = 0;

      // Our key is too big, leave
      if ((dwKeyMaterial * 8) > dwProvSessionKeySize) __leave;

      // Get private key's algorithm
      dwSize = sizeof(ALG_ID);
      fResult = CryptGetKeyParam(hPrivateKey, KP_ALGID, (LPBYTE)&dwPrivKeyAlg, &dwSize, 0);
      if (!fResult) __leave;

      // Get private key's length in bits
      dwSize = sizeof(DWORD);
      fResult = CryptGetKeyParam(hPrivateKey, KP_KEYLEN, (LPBYTE)&dwPublicKeySize, &dwSize, 0);
      if (!fResult) __leave;

      // calculate Simple blob's length
      dwSessionBlob = (dwPublicKeySize/8) + sizeof(ALG_ID) + sizeof(BLOBHEADER);

      // allocate simple blob buffer
      //pbSessionBlob = (LPBYTE)LocalAlloc(LPTR, dwSessionBlob);
      pbSessionBlob = new unsigned char[dwSessionBlob];
      if (!pbSessionBlob) __leave;

      memset(pbSessionBlob, 0, dwSessionBlob);

      pbPtr = pbSessionBlob;

      // SIMPLEBLOB Format is documented in SDK
      // Copy header to buffer
      ((BLOBHEADER *)pbPtr)->bType = SIMPLEBLOB;
      ((BLOBHEADER *)pbPtr)->bVersion = 2;
      ((BLOBHEADER *)pbPtr)->reserved = 0;
      ((BLOBHEADER *)pbPtr)->aiKeyAlg = dwAlgId;
      pbPtr += sizeof(BLOBHEADER);

      // Copy private key algorithm to buffer
      *((DWORD *)pbPtr) = dwPrivKeyAlg;
      pbPtr += sizeof(ALG_ID);

      // Place the key material in reverse order
      for (n = 0; n < dwKeyMaterial; n++)
      {
         pbPtr[n] = pbKeyMaterial[dwKeyMaterial-n-1];
      }
     
      // 3 is for the first reserved byte after the key material + the 2 reserved bytes at the end.
      dwSize = dwSessionBlob - (sizeof(ALG_ID) + sizeof(BLOBHEADER) + dwKeyMaterial + 3);
      pbPtr += (dwKeyMaterial+1);

      // Generate random data for the rest of the buffer
      // (except that last two bytes)
      fResult = CryptGenRandom(hProv, dwSize, pbPtr);
      if (!fResult) __leave;

      for (n = 0; n < dwSize; n++)
      {
         if (pbPtr[n] == 0) pbPtr[n] = 1;
      }

      pbSessionBlob[dwSessionBlob - 2] = 2;

      fResult = CryptImportKey(hProv, pbSessionBlob , dwSessionBlob, 
                               hPrivateKey, CRYPT_EXPORTABLE, hSessionKey);
      if (!fResult) __leave;

      fReturn = TRUE;           
   }
   __finally
   {
      if (hTempKey) CryptDestroyKey(hTempKey);
      //if (pbSessionBlob) LocalFree(pbSessionBlob);
      if (pbSessionBlob) delete[] pbSessionBlob;
   }
   
   return fReturn;
}

//This function simply determines if there is a private key associated with 
//a given cert.
bool CertHasKey(
    PCCERT_CONTEXT pPrevCertContent)
{
    if(NULL == pPrevCertContent)
        return false;

    DWORD            dwPropId = 0; 
    while(dwPropId = CertEnumCertificateContextProperties(
       pPrevCertContent, // The context whose properties are to be listed.
       dwPropId))    // Number of the last property found. This must 
                     // be zero to find the first property identifier.
    {
        if(CERT_KEY_PROV_INFO_PROP_ID == dwPropId)
            return true;
    }

    return false;
}
ALG_ID GetHashAlg(
    PKIFCRYPTO::HASH_ALG alg)
{
    switch(alg)
    {
    case PKIFCRYPTO::SHA1:
        return CALG_SHA1;
    case PKIFCRYPTO::MD5:
        return CALG_MD5;
    default:
        throw CPKIFException(TOOLKIT_CRYPTO, CRYPTO_ALG_NOT_SUPPORTED, "Hashing algorithm not supported");
    }
}

wchar_t* GetCNGHashAlg(
    PKIFCRYPTO::HASH_ALG alg)
{
    switch(alg)
    {
    case PKIFCRYPTO::SHA1:
        return BCRYPT_SHA1_ALGORITHM;
    case PKIFCRYPTO::SHA256:
        return BCRYPT_SHA256_ALGORITHM;
    case PKIFCRYPTO::SHA384:
        return BCRYPT_SHA384_ALGORITHM;
    case PKIFCRYPTO::SHA512:
        return BCRYPT_SHA512_ALGORITHM;
    case PKIFCRYPTO::MD5:
        return BCRYPT_MD5_ALGORITHM;
    default:
        throw CPKIFException(TOOLKIT_CRYPTO, CRYPTO_ALG_NOT_SUPPORTED, "Hashing algorithm not supported");
    }
}
void StrToName(
    const char* dn,
    unsigned char** enc, 
    DWORD* len)
{
    int err = 0;
    const char* errstr = NULL;

    //expects the DN in LDAP order (i.e. most to least specific)
    BOOL succ = CertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, dn, 
        CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, NULL, len, &errstr);
    if(!succ)
    {
        err = GetLastError();
        *len = 0;
        *enc = NULL;
        return;
    }
    *enc = new unsigned char[(*len) + 1];
    succ = CertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, dn, 
        CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, *enc, len, &errstr);
    if(!succ)
    {
        err = GetLastError();
    }
}