PKIFCAPI2.cpp

Go to the documentation of this file.

#include "PKIFCAPI2.h"
#include "ToolkitUtils.h"
#include "CAPIUtils.h" //added here 7/29/2004
#include "PKIFCAPICredential2.h"
#include "PKIFCAPICryptContext2.h"

#include "PKIFCryptoErrors.h"
#include "PKIFCAPIErrors.h"
#include "PKIFCryptoException.h"

#include "SubjectPublicKeyInfo.h"
#include "Certificate.h"
#include "KeyUsage.h"

#include "boost/numeric/conversion/cast.hpp"

using boost::numeric_cast;
using boost::bad_numeric_cast;

#include <atlbase.h>
#include <sstream>
using namespace std;

BYTESREVERSED g_bytesReversed = UNSET;

//#include "PKIFCAPICredential2.h"
//#include "PKIFCAPICryptContext2.h"

struct CPKIFCAPI2Impl
{
    CPKIFCAPI2* m_parent;
    CPKIFCAPI2Impl ()
    {
        m_parent = NULL;
    }
    CPKIFCAPI2Impl (CPKIFCAPI2  *p) 
    {
        m_parent = p;
    }
    HCRYPTPROV m_hProv;
    HCERTSTORE m_hCertStore;
    DWORD m_flags;

    char* m_provider;
    int m_sysStoRegLoc; 
    int m_provType;

    

    void GetContext();
    bool CertMatchesCurContext(PCCERT_CONTEXT cert) const;
    BYTESREVERSED CheckReversed(HCRYPTKEY * key);
    CPKIFCAPICredential2* MakeCAPICredential(PCCERT_CONTEXT cert) const;
};

CPKIFCAPI2::CPKIFCAPI2(
    const char* provider,
    int provType,
    int sysStoRegLoc)
    :m_impl (new CPKIFCAPI2Impl), IPKIFCAPISource(sysStoRegLoc, NULL)
{
    LOG_STRING_DEBUG("CPKIFCAPI::CPKIFCAPI(void)", TOOLKIT_CRYPTO_CAPI, 0, this);

    m_impl->m_parent = this;
    m_impl->m_provType = provType;
    m_impl->m_sysStoRegLoc = sysStoRegLoc;
    m_impl->m_provider = NULL;

    size_t len = 0;
    if(provider)
    {
        len = strlen(provider);
        m_impl->m_provider = new char[len + 1];

        //reviewed 4/23/2006
        strcpy(m_impl->m_provider, provider);
    }

    m_impl->m_hProv = NULL;
    m_impl->m_hCertStore = NULL;

    //added 9/9/03 to facilitate usage from a service targeting local machine store
    m_impl->m_flags = 0;
    if(CERT_SYSTEM_STORE_LOCAL_MACHINE == m_impl->m_sysStoRegLoc)
        m_impl->m_flags = CRYPT_MACHINE_KEYSET;
}
CPKIFCAPI2::~CPKIFCAPI2(void)
{
    LOG_STRING_DEBUG("CPKIFCAPI::~CPKIFCAPI(void)", TOOLKIT_CRYPTO_CAPI, 0, this);

    if(m_impl->m_provider)
        delete[] m_impl->m_provider;

    if(NULL != m_impl->m_hProv)
    {
        CryptReleaseContext(m_impl->m_hProv, 0); m_impl->m_hProv = NULL;
    }

    if(NULL != m_impl->m_hCertStore)
    {
// this was #ifdef'd _DEBUG prior to moving to trunk
        BOOL certSucc = CertCloseStore(m_impl->m_hCertStore,CERT_CLOSE_STORE_CHECK_FLAG); 
        int ceerr = GetLastError();
        m_impl->m_hCertStore = NULL;
#if 0 // this was the #else
        CertCloseStore(m_hCertStore, 0); 
        m_hCertStore = NULL;
#endif
    }

    delete m_impl;
    m_impl = NULL;
}
void CPKIFCAPI2::Initialize()
{
    LOG_STRING_DEBUG("CPKIFCAPI2::Initialize()", TOOLKIT_CRYPTO_CAPI, 0, this);

    m_impl->GetContext();
}

void CPKIFCAPI2Impl::GetContext()
{
    LOG_STRING_DEBUG("CPKIFCAPI2::GetContext()", TOOLKIT_CRYPTO_CAPI, 0, this);

    //m_hProv is not NULL then we've been here before and should have a valid context
    //if m_provider is NULL then we need not get a context because we will always use the default context
    if(NULL == m_hProv && NULL != m_provider)
    {
        DWORD       cbName;
        DWORD       dwType;
        DWORD       dwIndex;
        CHAR        *pszName = NULL; 

        //---------------------------------------------------------------- 
        // Loop through enumerating m_providers.
        dwIndex = 0;
        while(CryptEnumProviders(dwIndex, NULL, 0, &dwType, NULL, &cbName))
        {

            //--------------------------------------------------------------------
            //  cbName returns the length of the name of the next m_provider.
            //  Allocate memory in a buffer to retrieve that name.

            if (!(pszName = (LPTSTR)LocalAlloc(LMEM_ZEROINIT, cbName)))
            {
                throw CPKIFCryptoException(m_parent->thisComponent, COMMON_MEMORY_ALLOC_FAILURE, "");
            }
            //--------------------------------------------------------------------
            //  Get the m_provider name.
            if (CryptEnumProviders(dwIndex++, NULL, 0, &dwType, pszName, &cbName))
            {
                //reviewed 4/23/2006 - added strlen
                if(strlen(pszName) == strlen(m_provider) && 0 == stricmp(pszName, m_provider) && dwType == m_provType)
                {
                    LocalFree(pszName);
                    return;
                }
            }
            else
            {
                LocalFree(pszName);
                std::ostringstream os;
                os << "CryptEnumProviders failed: " << GetLastError();
                RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_ACQUIRE_CONTEXT_FAILED, this);
            }
            LocalFree(pszName);
        } // End of while loop

        //modified string 2/23/2005.  it's providers had been turned to m_providers.
        RAISE_CRYPTO_EXCEPTION("No provider matching the specified provider name and provider type could be found.", m_parent->thisComponent, PKIFCAPI_ACQUIRE_CONTEXT_FAILED, this);

        //if(!CryptAcquireContext(&m_hProv, NULL, m_provider, m_provType,m_flags))
        //{
        //  m_hProv = NULL; //just to be sure the state of the object is unchanged upon failure
        //  std::string reason;
        //  FormatErrorMessage(reason, "CryptAcquireContext failed: ", GetLastError(), __FILE__, __LINE__);
        //  throw CPKIFCryptoException(thisComponent, PKIFCAPI_ACQUIRE_CONTEXT_FAILED, reason.c_str());
        //}
    }
}

bool CPKIFCAPI2Impl::CertMatchesCurContext(
    PCCERT_CONTEXT cert) const
{
    LOG_STRING_DEBUG("CPKIFCAPI2::CertMatchesCurContext(PCCERT_CONTEXT cert)", TOOLKIT_CRYPTO_CAPI, 0, this);

    try
    {
        //create a temp credential and see if we own it using OwnsKey
        CPKIFCAPICredential2 tmp(m_provider, m_provType, m_sysStoRegLoc);
        tmp.m_certContext = CertDuplicateCertificateContext(cert);
        return m_parent->OwnsKey(tmp);
    }
    catch(CPKIFException& )
    {
        //delete e;
        return false;
    }
    catch(...)
    {
        _ASSERT(false);
        return false;
    }
}
CPKIFCAPICredential2* CPKIFCAPI2Impl::MakeCAPICredential(
    PCCERT_CONTEXT cert) const
{
    LOG_STRING_DEBUG("CPKIFCAPI2::MakeCAPICredential(PCCERT_CONTEXT cert)", TOOLKIT_CRYPTO_CAPI, 0, this);

    char* name = NULL;
    CPKIFCAPICredential2* newKeyID = NULL;

    //The following call to CertGetNameString should behave as follows:
    //Checks the certificate for a CERT_FRIENDLY_NAME_PROP_ID property. If the certificate 
    //has this property, it is returned. If the certificate does not have the property, 
    //the CERT_NAME_SIMPLE_DISPLAY_TYPE is returned.
    //
    //CERT_NAME_SIMPLE_DISPLAY_TYPE iterates through the following list of name attributes 
    //and uses the Subject Name or the Subject Alternative Name extension for the first 
    //occurrence of: szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, 
    //or szOID_RSA_emailAddr. If one of these attributes is not found, uses the Subject 
    //Alternative Name extension for a rfc822Name choice. If there is still no match, uses 
    //the first attribute.
    DWORD dw = CertGetNameString(cert,CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, 0, 0, 0);
    if(1 == dw)
    {
        std::ostringstream os;
        os << "CertGetNameString failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_GET_NAME_FAILED, this);
    }

    name = new char[dw + 1];
    dw = CertGetNameString(cert,CERT_NAME_FRIENDLY_DISPLAY_TYPE,0,NULL, name, dw);
    if(1 == dw)
    {
        delete[] name; name = NULL;
        std::ostringstream os;
        os << "CertGetNameString failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_GET_NAME_FAILED, this);
    }

    //determine the length of the key info
    unsigned char* tmpKeyID = NULL;
    DWORD tmpKeyIDLen = 0;

    BOOL succ = CertGetCertificateContextProperty(cert, CERT_KEY_IDENTIFIER_PROP_ID ,
        NULL, &tmpKeyIDLen);
    if(succ)
    {
        //allocate space for the new 
        tmpKeyID = (unsigned char *)malloc(tmpKeyIDLen);
        if(NULL == tmpKeyID) 
        {
            throw CPKIFCryptoException(m_parent->thisComponent, COMMON_MEMORY_ALLOC_FAILURE);
        }
        
        //get the info into the temp object
        succ = CertGetCertificateContextProperty(cert,
            CERT_KEY_IDENTIFIER_PROP_ID,    (void *)tmpKeyID, &tmpKeyIDLen);
        if(!succ)
        {
            free(tmpKeyID); tmpKeyID = NULL;

            std::ostringstream os;
            os << "CertGetCertificateContextProperty failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_KEY_PROV_INFO_FAILED, this);
        }
    }

    char* tmpKeyIDASCII = new char[(tmpKeyIDLen*2) + 1];
    btoa((const char*)tmpKeyID, tmpKeyIDASCII, tmpKeyIDLen);

    try
    {
        newKeyID = new CPKIFCAPICredential2(m_provider, m_provType, m_sysStoRegLoc);
        CPKIFStringPtr tmpSP(new std::string(name));
        newKeyID->m_name = tmpSP;
        CPKIFStringPtr tmpSP2(new std::string(tmpKeyIDASCII));
        newKeyID->m_id = tmpSP2;

        delete[] name; name = NULL;
        free(tmpKeyID); tmpKeyID = NULL;
        delete[] tmpKeyIDASCII; tmpKeyIDASCII = NULL;

        newKeyID->m_certContext = CertDuplicateCertificateContext(cert);
        return newKeyID;
    }
    catch(...)
    {
        if(NULL != name)
        {
            delete[] name; name = NULL;
        }
        if(NULL != newKeyID)
        {
            delete newKeyID;
        }

        std::ostringstream os;
        os << "Unknown error creating credential: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, COMMON_UNKNOWN_ERROR, this);
    }
}

//For ownership to be declared, either this instance must not be locked down to a specific m_provider
//or the m_provider and m_provider type from the key itself must match those of this instance.
bool CPKIFCAPI2::OwnsKey(
    const CPKIFCredential& keyID) const
{
    LOG_STRING_DEBUG("CPKIFCAPI2::OwnsKey(const CPKIFCredential& keyID)", TOOLKIT_CRYPTO_CAPI, 0, this);

    //attempt to cast the keyID param to the type this class would've returned
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&keyID);

    //if the cast fails then we don't "own" this key - we only deal in CPKIFCAPICredential objects
    if(NULL == ck2)
        return false;

    //if it succeeded and this instance is a general CAPI instance then we do "own" it
    if(NULL == m_impl->m_provider && 0 == m_impl->m_provType)
        return true;

    //otherwise have the key compare our info with the its info
    return ck2->ProviderInfoMatches(m_impl->m_provider, m_impl->m_provType);
}

void CPKIFCAPI2::GetKeyList(
    CPKIFCredentialList& v,
    CPKIFKeyUsagePtr& ku)
{
    bitset<9> tmp = ku->GetKeyUsage();
    GetKeyList(v, &tmp);
}

void CPKIFCAPI2::GetKeyList(
    CPKIFCredentialList& v,
    bitset<9>* ku)
{
    LOG_STRING_DEBUG("CPKIFCAPI2::GetKeyList(CPKIFCredentialList& v, bitset<9>* ku)", TOOLKIT_CRYPTO_CAPI, 0, this);

    m_impl->GetContext();

    HRESULT hr = S_OK;
    DWORD dw = 0;

    const size_t originalCount = v.size();

    USES_CONVERSION;

    //we always look in the MY store of the specified location when listing certs
    //we require that the store exist
    if(NULL == m_impl->m_hCertStore)
    {
        m_impl->m_hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, 
                                CERT_STORE_OPEN_EXISTING_FLAG | m_impl->m_sysStoRegLoc, T2OLE("MY"));
        if(NULL == m_impl->m_hCertStore)
        {
            std::ostringstream os;
            os << "CertOpenStore failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_FAILED_TO_OPEN_CERT_STORE, this);
        }
    }

    PCCERT_CONTEXT pPrevCertContext = NULL;
    BOOL keyUsagePresent = false;
    BYTE kuBits[2];
    CPKIFCAPICredential2* keyID = NULL;

    try
    {
        pPrevCertContext = CertEnumCertificatesInStore(m_impl->m_hCertStore, pPrevCertContext);
        while(NULL != pPrevCertContext)
        {
            //get the key usage of the current certificate
            keyUsagePresent = CertGetIntendedKeyUsage(PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, pPrevCertContext->pCertInfo, (BYTE*)&kuBits, sizeof(kuBits));

            //make sure the context has an associated private key - we are only interested in listing
            //certs for which we hold the private keys
            if(CertHasKey(pPrevCertContext) && m_impl->CertMatchesCurContext(pPrevCertContext) &&
                (!keyUsagePresent || (keyUsagePresent && keyUsageTest(kuBits, ku))))
            {
                //make a credential from the cert context
                keyID = m_impl->MakeCAPICredential(pPrevCertContext);

                //and push it into the vector
                CPKIFCredentialPtr tmpCred(keyID);
                v.push_back(tmpCred);

                keyID = NULL;
            }

            pPrevCertContext = CertEnumCertificatesInStore(m_impl->m_hCertStore, pPrevCertContext);
        }
    }
    catch(...)
    {
        if(NULL != keyID)
        {
            //if we threw before completing the push_back statment, clean up
            delete keyID; keyID = NULL;
        }

        if(NULL != pPrevCertContext)
        {
            //if we threw before freeing cert context, clean up
            CertFreeCertificateContext(pPrevCertContext); pPrevCertContext = NULL;
        }

        std::ostringstream os;
        os << "Unknown failure in GetKeyList.  GetLastError returns: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, COMMON_UNKNOWN_ERROR, this);
    }
}

//this function takes a key ID (ascii hex SHA1 hash typically) and creates a CPKIFCAPICredential that may be
//used with the Sign and Decrypt functions.  If a matching key could not be found NULL is returned.
CPKIFCredentialPtr CPKIFCAPI2::MakeKeyID(
    const std::string& asciiHexKeyID)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if (NULL != bin)  \
    {   delete[] bin; bin = NULL; }  \
    if (NULL != cert)  \
    {   CertFreeCertificateContext(cert); cert = NULL; }  \
} 

    LOG_STRING_DEBUG("CPKIFCAPI2::MakeKeyID(const std::string& asciiHexKeyID)", TOOLKIT_CRYPTO_CAPI, 0, this);

    char* bin = NULL;
    PCCERT_CONTEXT cert = NULL;

    CPKIFCAPICredential2* newKeyID = NULL; //don't free - this is what gets returned

    //convert the input from ascii hex to binary
    const char* hex = asciiHexKeyID.c_str();
    unsigned int len = 0;

    try 
    {
        len = numeric_cast<unsigned int>(asciiHexKeyID.length()/2);
    }
    catch(bad_numeric_cast &) 
    {
        throw CPKIFException(TOOLKIT_CRYPTO, COMMON_INVALID_INPUT, "Key identifier is an impossibly long number.");
    }
    bin = new char[len];
    if(0 != atob(bin, const_cast<char*>(hex), &len))
    {
        CLEANUP;

        std::string reason;
        FormatErrorMessage(reason, "Key ID contains non-ASCII hexadecimal characters.", -1, __FILE__, __LINE__);
        throw CPKIFCryptoException(thisComponent, COMMON_INVALID_INPUT, reason.c_str());
    }

    //set up a hash blob containing the binary key ID and length
    CRYPT_HASH_BLOB b;
    b.cbData = len;
    b.pbData = (BYTE*)bin;

    //open the cert store
    USES_CONVERSION;
    if(NULL == m_impl->m_hCertStore)
    {
        m_impl->m_hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_OPEN_EXISTING_FLAG | m_impl->m_sysStoRegLoc, T2OLE("MY"));
        if(NULL == m_impl->m_hCertStore)
        {
            CLEANUP;

            std::ostringstream os;
            os << "CertOpenStore failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_FAILED_TO_OPEN_CERT_STORE, this);
        }
    }

    cert = CertFindCertificateInStore(m_impl->m_hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_KEY_IDENTIFIER, (void*)&b, NULL);

    try
    {
        if(NULL != cert && true == m_impl->CertMatchesCurContext(cert))
        {
            //make a credential from the cert context
            newKeyID = m_impl->MakeCAPICredential(cert);
        }
    }
    catch(CPKIFException& e)
    {
        if(NULL != newKeyID)
        {
            delete newKeyID; newKeyID = NULL;
        }

        CLEANUP;
        throw e;
    }

    CLEANUP;
    CPKIFCredentialPtr tmp(newKeyID);
    return tmp;
}

void CPKIFCAPI2::Sign(
    const CPKIFCredential& key,
    unsigned char* pHashData,
    int nHashDataLen,
    unsigned char* pSignature,
    int* nSignatureLen,
    PKIFCRYPTO::HASH_ALG hashAlg
    )
{
#undef CLEANUP
#define CLEANUP \
{ \
    if (NULL != hHash)  \
    {   CryptDestroyHash(hHash); hHash = NULL; }  \
    if (NULL != tmpHashCtx && true == freeContext)  \
    {   CryptReleaseContext(tmpHashCtx, 0); tmpHashCtx = NULL; }  \
} 

    LOG_STRING_DEBUG("CPKIFCAPI2::Sign(const CPKIFCredential& key,...", TOOLKIT_CRYPTO_CAPI, 0, this);

    m_impl->GetContext();

    int err = 0;

    //set up a pointer to a context and an indication of whether or not to free context then get the hash alg
    //we use the length of the data to determine the hash alg.  If the hash alg is not known GetHashAlg throws
    HCRYPTPROV tmpHashCtx = NULL;
    HCRYPTHASH hHash = NULL;
    bool freeContext = false;

    ALG_ID HashAlg = GetHashAlg((PKIFCRYPTO::HASH_ALG)nHashDataLen);

    //convert the key to a CAPI key object and see if the key info has been loaded
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&key);
    if(NULL == ck2)
    {
        throw CPKIFCryptoException(thisComponent, CRYPTO_UNRECOGNIZED_CREDENTIAL, "Credential type not recognized.");
    }

    if(NULL == ck2->m_keyProviderInfo)
    {
        //if key info hasn't been loaded - load it - if load fails SetKeyProviderInfo throws
        CPKIFCAPICredential2* k2 = const_cast<CPKIFCAPICredential2*>(ck2);
        k2->SetKeyProviderInfo();
    }

    USES_CONVERSION;

    if(NULL == m_impl->m_hProv)
    {
        if(!CryptAcquireContext(&tmpHashCtx, OLE2T(ck2->m_keyProviderInfo->pwszContainerName), OLE2T(ck2->m_keyProviderInfo->pwszProvName), ck2->m_keyProviderInfo->dwProvType, m_impl->m_flags))
        {
            std::ostringstream os;
            os << "CryptAcquireContext failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_ACQUIRE_CONTEXT_FAILED, this);
        }

        freeContext = true;
    }
    else
        tmpHashCtx = m_impl->m_hProv;

    //see if the password has been provided for use in UI-less environment
    if(NULL != ck2->m_password)
    {
        //if one has been provided try to set it - not all CSPs accept this parameter however
        HCRYPTKEY userKey = NULL;
        if(!CryptGetUserKey(tmpHashCtx, ck2->m_keyProviderInfo->dwKeySpec, &userKey))
        {
            CLEANUP;

            std::ostringstream os;
            os << "CryptGetUserKey failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_GET_USER_KEY_FAILED, this);
        }

        if(!CryptSetProvParam(tmpHashCtx, PP_SIGNATURE_PIN, ck2->m_password, 0))
        {
            CLEANUP;

            CryptDestroyKey(userKey);
            std::ostringstream os;
            os << "CryptSetProvParam failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_SET_PASSWORD_FAILED, this);
        }

        CryptDestroyKey(userKey);
    }

    if(!CryptCreateHash(tmpHashCtx, HashAlg, NULL, 0, &hHash))
    {
        CLEANUP;

        std::ostringstream os;
        os << "CryptCreateHash failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_CREATE_HASH_FAILED, this);
    }
    DWORD hSize = 0;
    DWORD hSizeSize = sizeof(hSize);
    if(!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hSize, &hSizeSize, 0))
    {
        CLEANUP;

        std::ostringstream os;
        os << "CryptGetHashParam failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_MISC_HASH_CALL_FAILED, this);
    }

    if(nHashDataLen != hSize)
    {
        CLEANUP;

        std::string reason;
        FormatErrorMessage(reason, "Hash sizes do not match.  Could not set hash object for signing.", -1, __FILE__, __LINE__);
        throw CPKIFCryptoException(thisComponent, PKIFCAPI_MISC_HASH_CALL_FAILED, reason.c_str());
    }

    if(!CryptSetHashParam(hHash, HP_HASHVAL, pHashData, 0))
    {
        CLEANUP;

        std::ostringstream os;
        os << "CryptSetHashParam failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_MISC_HASH_CALL_FAILED, this);
    }

    if(!CryptSignHash(hHash, ck2->m_keyProviderInfo->dwKeySpec, NULL, 0, pSignature, (DWORD*)nSignatureLen))
    {
        CLEANUP;

        std::ostringstream os;
        os << "CryptSignHash failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_SIGN_FAILED, this);
    }

    if(DSA_CLASS != GetAlgClass(key.GetCertificate()->SubjectPublicKeyInfo()->alg()))
        ReverseBytes(pSignature, *nSignatureLen);
    else
    {
        ReverseBytes(pSignature, *nSignatureLen/2);
        ReverseBytes(pSignature+(*nSignatureLen/2), *nSignatureLen/2);
    }

    CLEANUP;
}

void CPKIFCAPI2::Decrypt(
    const CPKIFCredential& key,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult, 
    int* pnResultLen)
{
#undef CLEANUP
#define CLEANUP \
{ \
    if (NULL != userKey)  \
    {   CryptDestroyKey(userKey); userKey = NULL; }  \
    if (NULL != tmpCtx && TRUE == freeContext)  \
    {   CryptReleaseContext(tmpCtx, 0); tmpCtx = NULL; }  \
} 

    LOG_STRING_DEBUG("CPKIFCAPI2::Decrypt(const CPKIFCredential& key,...", TOOLKIT_CRYPTO_CAPI, 0, this);

    m_impl->GetContext();

    USES_CONVERSION;

    HCRYPTPROV tmpCtx = NULL;
    BOOL freeContext = false;

    //convert the key to a CAPI key object and see if the key info has been loaded
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&key);
    if(NULL == ck2)
    {
        throw CPKIFCryptoException(thisComponent, CRYPTO_UNRECOGNIZED_CREDENTIAL, "Credential type not recognized.");
    }

    if(NULL == ck2->m_keyProviderInfo)
    {
        //if key info hasn't been loaded - load it - if load fails SetKeyProviderInfo throws
        CPKIFCAPICredential2* k2 = const_cast<CPKIFCAPICredential2*>(ck2);
        k2->SetKeyProviderInfo();
    }

    if(NULL == m_impl->m_hProv)
    {
        DWORD keySpec = 0;
//      if(!CryptAcquireContext(&tmpCtx, OLE2T(ck2->m_keyProviderInfo->pwszContainerName), OLE2T(ck2->m_keyProviderInfo->pwszProvName), ck2->m_keyProviderInfo->dwm_provType, 0))
        if(!CryptAcquireCertificatePrivateKey(ck2->m_certContext, 0, 0, &tmpCtx, &keySpec, &freeContext))
        {
            std::ostringstream os;
            os << "CryptAcquireContext failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_ACQUIRE_CONTEXT_FAILED, this);
        }
    }
    else
        tmpCtx = m_impl->m_hProv;

    HCRYPTKEY userKey = NULL;
    if(!CryptGetUserKey(tmpCtx, ck2->m_keyProviderInfo->dwKeySpec, &userKey))
    {
        CLEANUP;

        std::ostringstream os;
        os << "CryptGetUserKey failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_GET_USER_KEY_FAILED, this);
    }

    //see if the password has been provided for use in UI-less environment
    if(NULL != ck2->m_password)
    {
        //if one has been provided try to set it - not all CSPs accept this parameter however
        if(!CryptSetProvParam(tmpCtx, PP_SIGNATURE_PIN, ck2->m_password, 0))
        {
            CLEANUP;

            std::ostringstream os;
            os << "CryptSetProvParam failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_SET_PASSWORD_FAILED, this);
        }
    }

    memcpy(pResult, pData, nDataLen);
    *pnResultLen = nDataLen;

    ReverseBytes(pResult, nDataLen);

    if(!CryptDecrypt(userKey, NULL, true, 0, pResult, (DWORD*)pnResultLen))
    {
        CLEANUP;

        std::ostringstream os;
        os << "CryptDecrypt failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_DECRYPT_FAILED, this);
    }

    //due to a copy and paste error at some point, the word provider in the following string literal was
    //changed to m_provider.  This was changed back on 8/20/2004
    //ActiveCard fixed the reversed bytes issue on the new drives a check is added to see if byte reversal is needed. 3/7/2005 Armen

    //reviewed 4/23/2006 - added strlen
    const char* pwszProvName = OLE2T(ck2->m_keyProviderInfo->pwszProvName);
    if(strlen(pwszProvName) == strlen("ActivCard Gold Cryptographic Service Provider") && 
        0 == stricmp("ActivCard Gold Cryptographic Service Provider", pwszProvName))
    {
        if(UNSET == g_bytesReversed)
            g_bytesReversed = m_impl->CheckReversed(&userKey);
        
        if(REV == g_bytesReversed)
            ReverseBytes(pResult, *pnResultLen);
    }
    CLEANUP;
}

void CPKIFCAPI2::Encrypt(
    const CPKIFCredential& key,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult,
    int* pnResultLen)
{
    LOG_STRING_DEBUG("CPKIFCAPI2::Encrypt(const CPKIFCredential& key, unsigned char* pData, int nDataLen, unsigned char* pResult, int* pnResultLen)", TOOLKIT_CRYPTO_CAPI, 0, this);

    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "Encrypt operations are not implemented for stored key material");
}

bool CPKIFCAPI2::Verify(
    const CPKIFCredential& key, 
    unsigned char* pHashData,
    int nHashDataLen,
    unsigned char* pSignature,
    int nSignatureLen,
    PKIFCRYPTO::HASH_ALG hashAlg
    )
{
    LOG_STRING_DEBUG("CPKIFCAPI2::Verify(const CPKIFCredential& key, unsigned char* pHashData, int nHashDataLen, unsigned char* pSignature, int nSignatureLen)", TOOLKIT_CRYPTO_CAPI, 0, this);

    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "Verify operations are not implemented for stored key material");
}

IPKIFCryptContext* CPKIFCAPI2::CryptInit(
    CPKIFCredentialPtr& key,
    bool pad)
{
    LOG_STRING_DEBUG("CPKIFCAPI2::CryptInit(CPKIFCredentialPtr& key)", TOOLKIT_CRYPTO_CAPI, 0, this);

    //added check for NULL - 8/18/2004
    if(key == (CPKIFCredential*)NULL)
    {
        throw CPKIFCryptoException(thisComponent, COMMON_INVALID_INPUT, "NULL or invalid key passed to CPKIFCAPI2::CryptInit.");
    }

    m_impl->GetContext();

    USES_CONVERSION;

    //convert the key to a CAPI key object and see if the key info has been loaded
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&(*key));
    if(NULL == ck2)
    {
        throw CPKIFCryptoException(thisComponent, CRYPTO_UNRECOGNIZED_CREDENTIAL, "Credential type not recognized.");
    }

    if(NULL == ck2->m_keyProviderInfo)
    {
        //if key info hasn't been loaded - load it - if load fails SetKeyProviderInfo throws
        CPKIFCAPICredential2* k2 = const_cast<CPKIFCAPICredential2*>(ck2);
        k2->SetKeyProviderInfo();
    }

    DWORD keySpec = 0;
    BOOL freeContext = false;
    CPKIFCAPICryptContext2* cryptContext = new CPKIFCAPICryptContext2();
    if(!CryptAcquireCertificatePrivateKey(ck2->m_certContext, 0, 0, &cryptContext->m_cryptContext, &keySpec, &freeContext))
    {
        delete cryptContext;
        std::ostringstream os;
        os << "CryptAcquireContext failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_ACQUIRE_CONTEXT_FAILED, this);
    }

    if(!CryptGetUserKey(cryptContext->m_cryptContext, ck2->m_keyProviderInfo->dwKeySpec, &cryptContext->m_userKey))
    {
        delete cryptContext;
        std::ostringstream os;
        os << "CryptGetUserKey failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_GET_USER_KEY_FAILED, this);
    }

    //see if the password has been provided for use in UI-less environment
    if(NULL != ck2->m_password)
    {
        //if one has been provided try to set it - not all CSPs accept this parameter however
        if(!CryptSetProvParam(cryptContext->m_cryptContext, PP_SIGNATURE_PIN, ck2->m_password, 0))
        {
            std::ostringstream os;
            os << "CryptSetProvParam failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_SET_PASSWORD_FAILED, this);
        }
    }

    cryptContext->m_cred = key;
    return cryptContext;
}

void CPKIFCAPI2::Decrypt(
    IPKIFCryptContext* cryptContext,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult, 
    int* pnResultLen,
    bool final)
{
    LOG_STRING_DEBUG("CPKIFCAPI2::Decrypt(IPKIFCryptContext* cryptContext, unsigned char* pData, int nDataLen, unsigned char* pResult, int* pnResultLen, bool final)", TOOLKIT_CRYPTO_CAPI, 0, this);

    if(NULL == cryptContext)
        throw CPKIFCryptoException(thisComponent, COMMON_INVALID_INPUT, "NULL or invalid credential passed to CPKIFCAPI2::Decrypt.");

    CPKIFCAPICryptContext2* ccc = dynamic_cast<CPKIFCAPICryptContext2*>(cryptContext);
    
    //added check for NULL - 8/18/2004
    if(NULL == ccc)
        throw CPKIFCryptoException(thisComponent, COMMON_INVALID_INPUT, "NULL or invalid credential passed to CPKIFCAPI2::Decrypt.");

    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&(*cryptContext->GetCredential()));
    if(NULL == ck2)
    {
        throw CPKIFCryptoException(thisComponent, CRYPTO_UNRECOGNIZED_CREDENTIAL, "Credential type not recognized.");
    }

    memcpy(pResult, pData, nDataLen);
    *pnResultLen = nDataLen;

    ReverseBytes(pResult, nDataLen);

    if(!CryptDecrypt(ccc->m_userKey, NULL, true, 0, pResult, (DWORD*)pnResultLen))
    {
        std::ostringstream os;
        os << "CryptDecrypt failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_DECRYPT_FAILED, this);
    }

    USES_CONVERSION;
    //ActiveCard fixed the reversed bytes issue on the new drives a check is added to see if byte reversal is needed. 3/7/2005 Armen

    //reviewed 4/23/2006 - added strlen
    const char* pwszProvName = OLE2T(ck2->m_keyProviderInfo->pwszProvName);
    if(strlen(pwszProvName) == strlen("ActivCard Gold Cryptographic Service Provider") && 
        0 == stricmp("ActivCard Gold Cryptographic Service Provider", pwszProvName))
    {
        if(UNSET == g_bytesReversed)
            g_bytesReversed = m_impl->CheckReversed(&(ccc->m_userKey));
        
        if(REV == g_bytesReversed)
            ReverseBytes(pResult, *pnResultLen);
        
    }
}

void CPKIFCAPI2::Encrypt(
    IPKIFCryptContext* cryptContext,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult,
    int* pnResultLen,
    bool final)
{
    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "Encrypt operations are not implemented for stored key material");
}

BYTESREVERSED CPKIFCAPI2Impl::CheckReversed(
    HCRYPTKEY * key)
{
    //This function was added 3/7/2005 to check if byte reversal is needed for CAC operations
    const unsigned char * testblock = (unsigned char *)"1234";
    DWORD datalen = 4;
    DWORD blocksizelen = sizeof(DWORD);
    DWORD blocksize = 0;
    CryptGetKeyParam(*key,KP_BLOCKLEN,(BYTE *)&blocksize,&blocksizelen,0x00);

    unsigned char* pResult = new unsigned char[blocksize];
    memset(pResult,0x00,blocksize);
    memcpy(pResult,testblock,datalen);

    if(!CryptEncrypt(*key, NULL, true, 0, pResult, &datalen, blocksize))
    {
        std::ostringstream os;
        os << "CryptDecrypt failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, CRYPTO_ENCRYPT_FAILED, this);
    }

    if(!CryptDecrypt(*key, NULL, true, 0, pResult, &datalen))
    {
        std::ostringstream os;
        os << "CryptDecrypt failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_DECRYPT_FAILED, this);
    }
    
    if(memcmp(pResult, "1234", datalen) == 0) 
        return NOTREV;


    return REV;
    
}