PKIFBCryptPublicKey.cpp

Go to the documentation of this file.

#include "PKIFBCryptPublicKey.h"

#include <wincrypt.h>
#include <iostream>
#include <sstream>

#include "PKIFKeyMaterial.h"
#include "PKIFCryptoPPKeyMaterial.h"
#include "Buffer.h"

#include "Certificate.h"
#include "AlgorithmIdentifier.h"
#include "SubjectPublicKeyInfo.h"

#include "PKIFException.h"
#include "PKIFCryptoException.h"
#include "ToolkitUtils.h"
#include "components.h"
#include "PKIFCommonErrors.h"
#include "PKIFCNGUtils.h"
#include "PKIFCAPIErrors.h"

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status)          (((NTSTATUS)(Status)) >= 0)
#endif

using namespace std;

bool GetCAPI1ProvType(
    PCERT_PUBLIC_KEY_INFO spki,
    DWORD & prov)
{
    //inspect the subject public key algorithm to determine the type of provider to create
    if(0 == strcmp(szOID_X957_DSA, spki->Algorithm.pszObjId) ||
        0 == strcmp(szOID_X957_SHA1DSA, spki->Algorithm.pszObjId))
        prov = PROV_DSS;
    else if(0 == strcmp(szOID_RSA_RSA, spki->Algorithm.pszObjId) ||
        0 == strcmp(szOID_RSA_MD5RSA, spki->Algorithm.pszObjId) ||
        0 == strcmp(szOID_RSA_SHA1RSA, spki->Algorithm.pszObjId)) 
        prov =  PROV_RSA_FULL;
    else
        return false;
    return true;
}
CPKIFBCryptPublicKey::CPKIFBCryptPublicKey()
:m_hKey(NULL),m_hAlg(NULL),m_spki((CPKIFSubjectPublicKeyInfo *)0)
{
}
CPKIFBCryptPublicKey::~CPKIFBCryptPublicKey()
{
    this->clear();
}

BCRYPT_KEY_HANDLE CPKIFBCryptPublicKey::Initialize(const CPKIFBufferPtr & km)
{
    LOG_STRING_DEBUG("CPKIFBCryptPublicKey::Initialize(const CPKIFKeyMaterial& key)", TOOLKIT_CRYPTO_CAPIRAW, 0, NULL);
    this->clear();


    SECURITY_STATUS cngStatus = ERROR_SUCCESS;
    NTSTATUS ntrv = 0L;

    // these _PKIF CAPI structures are scoped pointers that know how to free 
    // themselves. interface is like std::auto_ptr, with implicit casts
    PCERT_PUBLIC_KEY_INFO_PKIF capiSpki(0);
    DWORD capiSpkiLen = 0;
    if(!CryptDecodeObjectEx(X509_ASN_ENCODING,X509_PUBLIC_KEY_INFO,
                        km->GetBuffer(),(DWORD)km->GetLength(),
                        CRYPT_DECODE_ALLOC_FLAG,
                        NULL,
                        &capiSpki,&capiSpkiLen))
    {
        std::ostringstream os;
        os << "CryptDecodeObjectEx failed to decode subjectPublicKeyInfo structure: " << GetLastError();;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
    }
    CPKIFOIDPtr spkiOID(new CPKIFOID(CPKIFStringPtr(new string(capiSpki->Algorithm.pszObjId))));
    CPKIFBufferPtr spkiParams(new CPKIFBuffer(false,capiSpki->Algorithm.Parameters.pbData,capiSpki->Algorithm.Parameters.cbData));
    CPKIFAlgorithmIdentifierPtr algID(new CPKIFAlgorithmIdentifier(spkiOID,spkiParams));
    CPKIFBufferPtr keyBuf(new CPKIFBuffer(false,capiSpki->PublicKey.pbData,capiSpki->PublicKey.cbData));
    CPKIFSubjectPublicKeyInfoPtr decodedSPKI(new CPKIFSubjectPublicKeyInfo(algID,keyBuf));
    CPKIFCryptoPPKeyMaterial cppKM(decodedSPKI);
    return Initialize(cppKM);

}


BCRYPT_KEY_HANDLE CPKIFBCryptPublicKey::Initialize(const CPKIFKeyMaterial & km)
{
    LOG_STRING_DEBUG("CPKIFBCryptPublicKey::Initialize(const CPKIFKeyMaterial& key)", TOOLKIT_CRYPTO_CAPIRAW, 0, NULL);
    this->clear();


    SECURITY_STATUS cngStatus = ERROR_SUCCESS;
    NTSTATUS ntrv = 0L;


    LPCWSTR cngAlg = NULL;
    // these _PKIF CAPI structures are scoped pointers that know how to free 
    // themselves. interface is like std::auto_ptr, with implicit casts
    PCERT_PUBLIC_KEY_INFO_PKIF capiSpki(0);
    // this is very much like a boost::scoped_array_ptr with implicit casts
    pkif_byte_array paramsGuard(0);

    // the neatest way (and "neat" is admittedly pushing it a bit...) to get
    // a key from a cert into CAPI NG is with the ASN.1 subjectPublicKeyInfo structure.
    // Unless it's a DSA key. Then you're simply facing a mess.
    CPKIFSubjectPublicKeyInfoPtr spki = km.GetSubjectPublicKeyInfo();
    
    // If the key material object didn't have that populated, look for a cert and
    // decode it.
    if(!spki) {
        CPKIFCertificatePtr keyCert(new CPKIFCertificate());
        keyCert->Decode(km.GetCertificate(),km.GetCertificateLength());
        spki = keyCert->GetSubjectPublicKeyInfo();
    }
    
    // If there's still no luck, we don't have key material we can use for a signature
    // verification operation. Bail.
    if(!spki)
    {
        RAISE_CRYPTO_EXCEPTION("A CPKIFKeyMaterial object without a public key was passed to Verify()",
            TOOLKIT_CRYPTO, COMMON_INVALID_INPUT, NULL);
    }
    m_spki = spki;

    // a minor hack... the Crypto++ key material object's handling of
    // subjectPublicKeyInfo makes this code more substantially more readable
    CPKIFCryptoPPKeyMaterialPtr cppkm(new CPKIFCryptoPPKeyMaterial(spki));
    CPKIFBufferPtr rawSPKI = cppkm->GetRawSPKI();
    DWORD capiSpkiLen = 0;
    if(!CryptDecodeObjectEx(X509_ASN_ENCODING,X509_PUBLIC_KEY_INFO,
                        rawSPKI->GetBuffer(),(DWORD)rawSPKI->GetLength(),
                        CRYPT_DECODE_ALLOC_FLAG,
                        NULL,
                        &capiSpki,&capiSpkiLen))
    {
        std::ostringstream os;
        os << "CryptDecodeObjectEx failed to decode subjectPublicKeyInfo structure: " << GetLastError();;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
    }

    // XXX *** Is there any case where we don't want to inherit?
    CPKIFAlgorithmIdentifierPtr workingParams = km.GetWorkingParameters();
    if(0 == capiSpki->Algorithm.Parameters.cbData &&
        workingParams != (CPKIFAlgorithmIdentifier*)NULL)
    {
        CPKIFBufferPtr params = workingParams->parameters();
        capiSpki->Algorithm.Parameters.cbData = params->GetLength();
        capiSpki->Algorithm.Parameters.pbData = new unsigned char[params->GetLength()];
        memcpy(capiSpki->Algorithm.Parameters.pbData, (BYTE*)params->GetBuffer(), params->GetLength());
        paramsGuard.reset(capiSpki->Algorithm.Parameters.pbData);
    }

    if(!CryptImportPublicKeyInfoEx2(X509_ASN_ENCODING,capiSpki,0,0,&m_hKey))
    {
        // Having failed the "neat" way, there are a couple hoops to jump through
        DWORD provType;
        if(!GetCAPI1ProvType(capiSpki,provType))
        {
            std::ostringstream os;
            os << "CryptImportPublicKeyInfoEx2 failed: " << GetLastError();
            os << ", then we were unable to get provider type for " << capiSpki->Algorithm.pszObjId << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        LPCWSTR oldBlobType = 0;
        LPCWSTR newProvAlgId = 0;
        switch(provType)
        {
        case PROV_DSS:
            oldBlobType = LEGACY_DSA_PUBLIC_BLOB;
            newProvAlgId = BCRYPT_DSA_ALGORITHM;
            break;
        case PROV_RSA_FULL:
            oldBlobType = LEGACY_RSAPUBLIC_BLOB;
            newProvAlgId = BCRYPT_RSA_ALGORITHM;
            break;
        default:
        {
            std::ostringstream os;
            os << "CryptImportPublicKeyInfoEx2 failed: " << GetLastError();
            os << ", then we got an unanticipated provider type for " << capiSpki->Algorithm.pszObjId << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
            break;
        }

        // 1. Import the key using the old CAPI interface
        HCRYPTPROV_PKIF hProv;
        if(!CryptAcquireContext(&hProv,NULL,NULL,provType,CRYPT_VERIFYCONTEXT)) {
            std::ostringstream os;
            os << "Unable to acquire context for " << capiSpki->Algorithm.pszObjId << " provider: " << GetLastError() << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        HCRYPTKEY_PKIF hcapikey;
        if(!CryptImportPublicKeyInfo(hProv,X509_ASN_ENCODING,capiSpki,&hcapikey))
        {
            std::ostringstream os;
            os << "CAPI1 was unable to import a key with alg ID " << capiSpki->Algorithm.pszObjId << " after CNG failed: " << GetLastError() << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        // 2. Now attempt to export from CAPI.
        DWORD cbBlob = 0;
        // CRYPT_BLOB_VER3 is absolutely required on Vista and 2008.
        if(!CryptExportKey(hcapikey,0,PUBLICKEYBLOB,CRYPT_BLOB_VER3,NULL,&cbBlob))
        {
            std::ostringstream os;
            os << "CAPI1 was unable to export a key with alg ID " << capiSpki->Algorithm.pszObjId << " for CNG import: " << GetLastError() << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        pkif_byte_array pbBlob(new unsigned char[cbBlob]);
        if(!CryptExportKey(hcapikey,0,PUBLICKEYBLOB,CRYPT_BLOB_VER3,pbBlob,&cbBlob))
        {
            std::ostringstream os;
            os << "CAPI1 was unable to export a key with alg ID " << capiSpki->Algorithm.pszObjId << " for CNG import: " << GetLastError() << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        
        // 3. Now attempt to import the blob as an NCRYPT_KEY_HANDLE.
        NCRYPT_PROV_HANDLE_PKIF hNCProv;
        if(FAILED(cngStatus = NCryptOpenStorageProvider(&hNCProv, MS_KEY_STORAGE_PROVIDER,0)))
        {
            std::ostringstream os;
            os << "Unable to Open " << MS_KEY_STORAGE_PROVIDER << " for CNG import: (" 
                << GetLastError() << ")" << "(SECURITY_STATUS code " << cngStatus << ")" << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        NCRYPT_KEY_HANDLE_PKIF hTmpKey;
        if(FAILED(cngStatus = NCryptImportKey(hNCProv,NULL,oldBlobType,NULL,&hTmpKey,
                                        pbBlob,cbBlob,0)))
        {
            std::ostringstream os;
            os << "Unable to import blob into " << MS_KEY_STORAGE_PROVIDER << ": (" 
                << GetLastError() << ")" << "(SECURITY_STATUS code " << cngStatus << ")" << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }

        // 4. Now export as a BCRYPT blob
        DWORD cbNewBlob = 0;
        if(FAILED(cngStatus = NCryptExportKey(hTmpKey,NULL,BCRYPT_PUBLIC_KEY_BLOB,NULL,NULL,0,&cbNewBlob,0)))
        {
            std::ostringstream os;
            os << "Unable to export blob from " << MS_KEY_STORAGE_PROVIDER << " for CNG import: (" 
                << GetLastError() << ")" << "(SECURITY_STATUS code " << cngStatus << ")" << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        pkif_byte_array pbNewBlob(new unsigned char[cbNewBlob]);
        if(FAILED(cngStatus = NCryptExportKey(hTmpKey,NULL,BCRYPT_PUBLIC_KEY_BLOB,NULL,pbNewBlob,cbNewBlob,&cbNewBlob,0)))
        {
            std::ostringstream os;
            os << "Unable to export blob from " << MS_KEY_STORAGE_PROVIDER << " for CNG import: (" 
                << GetLastError() << ")" << "(SECURITY_STATUS code " << cngStatus << ")" << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }

        // 5. Now it *should* be importable to a BCRYPT_KEY_HANDLE
        if(!NT_SUCCESS(ntrv = BCryptOpenAlgorithmProvider(&m_hAlg,newProvAlgId,NULL,0)))
        {
            std::ostringstream os;
            os << "Couldn't open BCrypt algorithm provider for " << capiSpki->Algorithm.pszObjId << " :(" 
                << GetLastError() << ")" << "(NTSTATUS code " << ntrv << ")" << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        if(!NT_SUCCESS(ntrv = BCryptImportKeyPair(m_hAlg,NULL,BCRYPT_PUBLIC_KEY_BLOB,&m_hKey,pbNewBlob,cbNewBlob,0))) {
            std::ostringstream os;
            os << "Couldn't import key for algorithm " << capiSpki->Algorithm.pszObjId << " into CNG:(" 
                << GetLastError() << ")" << "(NTSTATUS code " << cngStatus << ")" << endl;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_KEY_IMPORT_FAILED, NULL);
        }
        // having reached around my elbow, I can now scratch my rear end.

    }
    return this->GetCNGHandle();

}
CPKIFAlgorithmIdentifierPtr CPKIFBCryptPublicKey::GetAlgId() const
{
    CPKIFAlgorithmIdentifierPtr empty;
    if(!m_spki) return empty;
    return m_spki->alg();
}
BCRYPT_KEY_HANDLE CPKIFBCryptPublicKey::GetCNGHandle() const
{
    return m_hKey;
}
void CPKIFBCryptPublicKey::clear()
{
    if(m_hKey) {
        BCryptDestroyKey(m_hKey);
        m_hKey = NULL;
    }
    if(m_hAlg) {
        BCryptCloseAlgorithmProvider(m_hAlg,0);
        m_hAlg = NULL;
    }
    CPKIFSubjectPublicKeyInfoPtr empty;
    m_spki = empty;
}