PKIFCNGCAPI.cpp

Go to the documentation of this file.

#include "PKIFCNGCAPI.h"
#include "ToolkitUtils.h"
#include "CAPIUtils.h"
#include "PKIFCAPICredential2.h"
#include "PKIFCAPICryptContext2.h"
#include "PKIFCNGKeyAgreeContext.h"
#include "PKIFBCryptPublicKey.h"
#include "PKIFCryptoPPKeyMaterial.h"
#include "PKIFAlgorithm.h"

#include "PKIFCryptoErrors.h"
#include "PKIFCAPIErrors.h"
#include "PKIFCryptoException.h"

#include "SubjectPublicKeyInfo.h"
#include "Certificate.h"
#include "KeyUsage.h"


#include "boost/numeric/conversion/cast.hpp"

using boost::numeric_cast;
using boost::bad_numeric_cast;

#include <atlbase.h>
#include <sstream>
using namespace std;

#include "PKIFCNGUtils.h"

#define NT_SUCCESS(Status)          (((NTSTATUS)(Status)) >= 0)
#define STATUS_UNSUCCESSFUL         ((NTSTATUS)0xC0000001L)


struct CPKIFCNGCAPIImpl
{
    CPKIFCNGCAPI* m_parent;
    CPKIFCNGCAPIImpl ()
    {
        m_parent = NULL;
    }
    CPKIFCNGCAPIImpl (CPKIFCNGCAPI  *p) 
    {
        m_parent = p;
    }
    HCRYPTPROV m_hProv;
    HCERTSTORE m_hCertStore;
    DWORD m_flags;

    char* m_provider;
    int m_sysStoRegLoc; 
    int m_provType;

    bool CertCanBeUsedByCurrentColleague(PCCERT_CONTEXT cert) const;
    
    CPKIFCAPICredential2* MakeCAPICredential(PCCERT_CONTEXT cert) const;
};

CPKIFCNGCAPI::CPKIFCNGCAPI(
    const char* provider,
    int provType,
    int sysStoRegLoc)
    :m_impl (new CPKIFCNGCAPIImpl), IPKIFCAPISource(sysStoRegLoc, NULL)
{
    LOG_STRING_DEBUG("CPKIFCAPI::CPKIFCAPI(void)", TOOLKIT_CRYPTO_CAPI, 0, this);

    m_impl->m_parent = this;
    m_impl->m_provType = provType;
    m_impl->m_sysStoRegLoc = sysStoRegLoc;
    m_impl->m_provider = NULL;

    size_t len = 0;
    if(provider)
    {
        len = strlen(provider);
        m_impl->m_provider = new char[len + 1];

        //reviewed 4/23/2006
        strcpy(m_impl->m_provider, provider);
    }

    m_impl->m_hProv = NULL;
    m_impl->m_hCertStore = NULL;

    //added 9/9/03 to facilitate usage from a service targeting local machine store
    m_impl->m_flags = 0;
    if(CERT_SYSTEM_STORE_LOCAL_MACHINE == m_impl->m_sysStoRegLoc)
        m_impl->m_flags = CRYPT_MACHINE_KEYSET;
}
CPKIFCNGCAPI::~CPKIFCNGCAPI(void)
{
    LOG_STRING_DEBUG("CPKIFCAPI::~CPKIFCAPI(void)", TOOLKIT_CRYPTO_CAPI, 0, this);

    if(m_impl->m_provider)
        delete[] m_impl->m_provider;

    if(NULL != m_impl->m_hProv)
    {
        CryptReleaseContext(m_impl->m_hProv, 0); m_impl->m_hProv = NULL;
    }

    if(NULL != m_impl->m_hCertStore)
    {
        BOOL certSucc = CertCloseStore(m_impl->m_hCertStore,CERT_CLOSE_STORE_CHECK_FLAG);
#ifdef _DEBUG
        int ceerr = GetLastError();
#endif
        m_impl->m_hCertStore = NULL;
    }

    delete m_impl;
    m_impl = NULL;
}
void CPKIFCNGCAPI::Initialize()
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Initialize()", TOOLKIT_CRYPTO_CAPI, 0, this);
    // no longer critical to initialize before there's a particular key
    // to be used. Do we want a flag so we can throw to enforce the documented
    // pattern?
}


bool CPKIFCNGCAPIImpl::CertCanBeUsedByCurrentColleague(
    PCCERT_CONTEXT cert) const
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::CertCanBeUsedByCurrentColleague(PCCERT_CONTEXT cert)", TOOLKIT_CRYPTO_CAPI, 0, this);

    try
    {
        //create a temp credential and see if we own it using OwnsKey
        CPKIFCAPICredential2 tmp(m_provider, m_provType, m_sysStoRegLoc);
        tmp.m_certContext = CertDuplicateCertificateContext(cert);
        return m_parent->OwnsKey(tmp);
    }
    catch(CPKIFException& )
    {
        //delete e;
        return false;
    }
    catch(...)
    {
        _ASSERT(false);
        return false;
    }
}
CPKIFCAPICredential2* CPKIFCNGCAPIImpl::MakeCAPICredential(
    PCCERT_CONTEXT cert) const
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::MakeCAPICredential(PCCERT_CONTEXT cert)", TOOLKIT_CRYPTO_CAPI, 0, this);

    pkif_char_array name(0);
    std::auto_ptr<CPKIFCAPICredential2> newKeyID((CPKIFCAPICredential2*) 0);


    //The following call to CertGetNameString should behave as follows:
    //Checks the certificate for a CERT_FRIENDLY_NAME_PROP_ID property. If the certificate 
    //has this property, it is returned. If the certificate does not have the property, 
    //the CERT_NAME_SIMPLE_DISPLAY_TYPE is returned.
    //
    //CERT_NAME_SIMPLE_DISPLAY_TYPE iterates through the following list of name attributes 
    //and uses the Subject Name or the Subject Alternative Name extension for the first 
    //occurrence of: szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, 
    //or szOID_RSA_emailAddr. If one of these attributes is not found, uses the Subject 
    //Alternative Name extension for a rfc822Name choice. If there is still no match, uses 
    //the first attribute.
    DWORD ccount = CertGetNameString(cert,CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, 0, 0, 0);
    if(1 == ccount)
    {
        std::ostringstream os;
        os << "CertGetNameString failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_GET_NAME_FAILED, this);
    }

    // character count includes the terminating 0 character
    name.reset(new char[ccount]);
    ccount = CertGetNameString(cert,CERT_NAME_FRIENDLY_DISPLAY_TYPE,0,NULL, name, ccount);
    if(1 == ccount)
    {
        std::ostringstream os;
        os << "CertGetNameString failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_GET_NAME_FAILED, this);
    }

    //determine the length of the key info
    DWORD tmpKeyIDLen = 0;

    BOOL succ = CertGetCertificateContextProperty(cert, CERT_KEY_IDENTIFIER_PROP_ID ,
        NULL, &tmpKeyIDLen);
    if(!succ)
    {
        std::ostringstream os;
        os << "CertGetCertificateContextProperty failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_KEY_PROV_INFO_FAILED, this);
    }
    pkif_byte_array tmpKeyID(new unsigned char[tmpKeyIDLen]);
    //get the info into the temp object
    succ = CertGetCertificateContextProperty(cert,
                CERT_KEY_IDENTIFIER_PROP_ID, (void *)tmpKeyID.get(), &tmpKeyIDLen);
    if(!succ)
    {
        std::ostringstream os;
        os << "CertGetCertificateContextProperty failed: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, PKIFCAPI_KEY_PROV_INFO_FAILED, this);
    }

    pkif_char_array tmpKeyIDASCII(new char[(tmpKeyIDLen*2) + 1]);
    btoa((const char*)tmpKeyID.get(), tmpKeyIDASCII.get(), tmpKeyIDLen);

    try
    {
        newKeyID.reset(new CPKIFCAPICredential2(m_provider, m_provType, m_sysStoRegLoc));
        CPKIFStringPtr tmpSP(new std::string(name));
        newKeyID->m_name = tmpSP;
        CPKIFStringPtr tmpSP2(new std::string(tmpKeyIDASCII));
        newKeyID->m_id = tmpSP2;
        newKeyID->m_certContext = CertDuplicateCertificateContext(cert);
        return newKeyID.release();
    }
    catch(...)
    {
        std::ostringstream os;
        os << "Unknown error creating credential: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), m_parent->thisComponent, COMMON_UNKNOWN_ERROR, this);
    }
}

//For ownership to be declared, either this instance must not be locked down to a specific m_provider
//or the m_provider and m_provider type from the key itself must match those of this instance.
bool CPKIFCNGCAPI::OwnsKey(
    const CPKIFCredential& keyID) const
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::OwnsKey(const CPKIFCredential& keyID)", TOOLKIT_CRYPTO_CAPI, 0, this);

    //attempt to cast the keyID param to the type this class would've returned
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&keyID);

    //if the cast fails then we don't "own" this key - we only deal in CPKIFCAPICredential objects
    if(NULL == ck2)
        return false;

    //if it succeeded and this instance is a general CAPI instance then we do "own" it
    if(NULL == m_impl->m_provider && 0 == m_impl->m_provType)
        return true;

    //otherwise have the key compare our info with the its info
    return ck2->ProviderInfoMatches(m_impl->m_provider, m_impl->m_provType);
}

void CPKIFCNGCAPI::GetKeyList(
    CPKIFCredentialList& v,
    CPKIFKeyUsagePtr& ku)
{
    bitset<9> tmp = ku->GetKeyUsage();
    GetKeyList(v, &tmp);
}

void CPKIFCNGCAPI::GetKeyList(
    CPKIFCredentialList& v,
    bitset<9>* ku)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::GetKeyList(CPKIFCredentialList& v, bitset<9>* ku)", TOOLKIT_CRYPTO_CAPI, 0, this);

    HRESULT hr = S_OK;
    DWORD dw = 0;

    const size_t originalCount = v.size();

    USES_CONVERSION;

    //we always look in the MY store of the specified location when listing certs
    //we require that the store exist
    if(NULL == m_impl->m_hCertStore)
    {
        m_impl->m_hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, 
                                CERT_STORE_OPEN_EXISTING_FLAG | m_impl->m_sysStoRegLoc, T2OLE("MY"));
        if(NULL == m_impl->m_hCertStore)
        {
            std::ostringstream os;
            os << "CertOpenStore failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_FAILED_TO_OPEN_CERT_STORE, this);
        }
    }

    PCCERT_CONTEXT pPrevCertContext = NULL;
    BOOL keyUsagePresent = false;
    BYTE kuBits[2];
    CPKIFCAPICredential2* keyID = NULL;

    try
    {
        // continue using this instead of an equivalent NCrypt function because I couldn't
        // find one that was as easily constrainted to keys with certs, and PKIF can't really
        // use a key without a cert. This appears to work with CNG keys as well as with CAPI ones.
        pPrevCertContext = CertEnumCertificatesInStore(m_impl->m_hCertStore, pPrevCertContext);
        while(NULL != pPrevCertContext)
        {
            //get the key usage of the current certificate
            keyUsagePresent = CertGetIntendedKeyUsage(PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, pPrevCertContext->pCertInfo, (BYTE*)&kuBits, sizeof(kuBits));

            //make sure the context has an associated private key - we are only interested in listing
            //certs for which we hold the private keys
            if(CertHasKey(pPrevCertContext) && m_impl->CertCanBeUsedByCurrentColleague(pPrevCertContext) &&
                (!keyUsagePresent || (keyUsagePresent && keyUsageTest(kuBits, ku))))
            {
                //make a credential from the cert context
                keyID = m_impl->MakeCAPICredential(pPrevCertContext);

                //and push it into the vector
                CPKIFCredentialPtr tmpCred(keyID);
                v.push_back(tmpCred);

                keyID = NULL;
            }

            pPrevCertContext = CertEnumCertificatesInStore(m_impl->m_hCertStore, pPrevCertContext);
        }
    }
    catch(...)
    {
        if(NULL != keyID)
        {
            //if we threw before completing the push_back statment, clean up
            delete keyID; keyID = NULL;
        }

        if(NULL != pPrevCertContext)
        {
            //if we threw before freeing cert context, clean up
            CertFreeCertificateContext(pPrevCertContext); pPrevCertContext = NULL;
        }

        std::ostringstream os;
        os << "Unknown failure in GetKeyList.  GetLastError returns: " << GetLastError();
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, COMMON_UNKNOWN_ERROR, this);
    }
}

//this function takes a key ID (ascii hex SHA1 hash typically) and creates a CPKIFCAPICredential that may be
//used with the Sign and Decrypt functions.  If a matching key could not be found NULL is returned.
CPKIFCredentialPtr CPKIFCNGCAPI::MakeKeyID(
    const std::string& asciiHexKeyID)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::MakeKeyID(const std::string& asciiHexKeyID)", TOOLKIT_CRYPTO_CAPI, 0, this);

    pkif_char_array bin(NULL);
    PCCERT_CONTEXT_PKIF cert(0);

    std::auto_ptr<CPKIFCAPICredential2> newKeyID; //don't free - this is what gets returned

    //convert the input from ascii hex to binary
    const char* hex = asciiHexKeyID.c_str();
    unsigned int len = 0;

    try 
    {
        len = numeric_cast<unsigned int>(asciiHexKeyID.length()/2);
    }
    catch(bad_numeric_cast &) 
    {
        throw CPKIFException(TOOLKIT_CRYPTO, COMMON_INVALID_INPUT, "Key identifier is an impossibly long number.");
    }
    bin.reset(new char[len]);
    if(0 != atob(bin, const_cast<char*>(hex), &len))
    {
        std::string reason;
        FormatErrorMessage(reason, "Key ID contains non-ASCII hexadecimal characters.", -1, __FILE__, __LINE__);
        throw CPKIFCryptoException(thisComponent, COMMON_INVALID_INPUT, reason.c_str());
    }

    //set up a hash blob containing the binary key ID and length
    CRYPT_HASH_BLOB b;
    b.cbData = len;
    b.pbData = (BYTE*)bin.get();

    //open the cert store
    USES_CONVERSION;
    if(NULL == m_impl->m_hCertStore)
    {
        m_impl->m_hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, NULL, CERT_STORE_OPEN_EXISTING_FLAG | m_impl->m_sysStoRegLoc, T2OLE("MY"));
        if(NULL == m_impl->m_hCertStore)
        {
            std::ostringstream os;
            os << "CertOpenStore failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_FAILED_TO_OPEN_CERT_STORE, this);
        }
    }

    cert.reset(CertFindCertificateInStore(m_impl->m_hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_KEY_IDENTIFIER, (void*)&b, NULL));

    if(NULL != cert.get() && true == m_impl->CertCanBeUsedByCurrentColleague(cert))
    {
        //make a credential from the cert context
        newKeyID.reset(m_impl->MakeCAPICredential(cert));
    }

    CPKIFCredentialPtr rv(newKeyID.release());
    return rv;
}

void CPKIFCNGCAPI::Sign(
    const CPKIFCredential& key,
    unsigned char* pHashData,
    int nHashDataLen,
    unsigned char* pSignature,
    int* nSignatureLen,
    PKIFCRYPTO::HASH_ALG hashAlg
    )
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Sign(const CPKIFCredential& key,...", TOOLKIT_CRYPTO_CAPI, 0, this);

    NCRYPT_PROV_HANDLE_PKIF     hProvider(0);
    NCRYPT_KEY_HANDLE_PKIF      hKey(0);
    SECURITY_STATUS             cngStatus       = ERROR_SUCCESS;
    DWORD                       cbSignature     = 0;
    BCRYPT_PKCS1_PADDING_INFO   PKCS1PaddingInfo= {0};

    NCRYPT_KEY_HANDLE hKeyPtr = 0;

    //m_impl->GetContext();

    int err = 0;

    //set up a pointer to a context and an indication of whether or not to free context then get the hash alg
    //we use the length of the data to determine the hash alg.  If the hash alg is not known GetHashAlg throws
    HCRYPTPROV tmpHashCtx = NULL;
    bool freeContext = false;

    //convert the key to a CAPI key object and see if the key info has been loaded
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&key);
    if(NULL == ck2)
    {
        throw CPKIFCryptoException(thisComponent, CRYPTO_UNRECOGNIZED_CREDENTIAL, "Credential type not recognized.");
    }

    if(NULL == ck2->m_keyProviderInfo)
    {
        //if key info hasn't been loaded - load it - if load fails SetKeyProviderInfo throws
        CPKIFCAPICredential2* k2 = const_cast<CPKIFCAPICredential2*>(ck2);
        k2->SetKeyProviderInfo();
    }



    if(FAILED(cngStatus = NCryptOpenStorageProvider(
                                            &hProvider, 
                                            MS_KEY_STORAGE_PROVIDER, 
                                            0)))
    {
        std::ostringstream os;
        os << "NCryptOpenStorageProvider failed: " << cngStatus;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_OPEN_STORAGE_PROVIDER_FAILED, NULL);
    }

    if(FAILED(cngStatus = NCryptOpenKey(
                                        hProvider, 
                                        &hKey, 
                                        ck2->m_keyProviderInfo->pwszContainerName,
                                        0,
                                        0)))
    {
        DWORD ks = 0;
        BOOL gottaFree = FALSE;
        HCRYPTPROV_OR_NCRYPT_KEY_HANDLE tmpKey;
        if(!CryptAcquireCertificatePrivateKey(ck2->m_certContext,
            CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG,NULL,&tmpKey,&ks,&gottaFree))
        {
            std::ostringstream os;
            os << "Unable to access key material: " << cngStatus;
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_OPEN_KEY_FAILED, NULL);
        }
        if(ks == CERT_NCRYPT_KEY_SPEC) {
            hKey.reset(tmpKey);
        } else {
            if(FAILED(cngStatus = NCryptTranslateHandle(
                NULL,&hKey,tmpKey,NULL,ks,0)))
            {
                // if this didn't work, the CNG colleague just can't work with the key
                // free it and move on.
                if(gottaFree) {
                    CryptReleaseContext(tmpKey,0);
                }
                std::ostringstream os;
                os << "Unable to access legacy key material from CAPING: " << cngStatus;
                RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_OPEN_KEY_FAILED, NULL);
            }
        }
        // CNG may or may not need us to free this key. If it doesn't, our
        // scope guard object needs to let go.
        if(!gottaFree)
        {
            hKeyPtr = hKey.release();
        } else {
            hKeyPtr = hKey.get();
        }


    }
    else
    {
        hKeyPtr = hKey.get();
    }

    //see if the password has been provided for use in UI-less environment
    if(NULL != ck2->m_password)
    {
        USES_CONVERSION;
        if( FAILED(cngStatus = NCryptSetProperty(
            hKeyPtr,
            NCRYPT_PIN_PROPERTY,
            ck2->m_password, // XXX *** I don't have a way to test this right now.
                             // There may be some need to convert the password, though this
                             // responsibility is best placed on the Setter, I think.
            ck2->m_nPasswordLen,
            0)))
        {
            std::ostringstream os;
            os << "CryptSetProvParam failed: " << GetLastError();
            RAISE_CRYPTO_EXCEPTION(os.str().c_str(), thisComponent, PKIFCAPI_SET_PASSWORD_FAILED, this);
        }

    }
    
    LPCWSTR sHashAlg = NULL;
    switch(hashAlg)
    {
    case PKIFCRYPTO::SHA1:
        PKCS1PaddingInfo.pszAlgId = BCRYPT_SHA1_ALGORITHM;
        sHashAlg = NCRYPT_SHA1_ALGORITHM;
        break;
    case PKIFCRYPTO::SHA256:
        PKCS1PaddingInfo.pszAlgId = BCRYPT_SHA256_ALGORITHM;
        sHashAlg = NCRYPT_SHA256_ALGORITHM;
        break;
    case PKIFCRYPTO::SHA384:
        PKCS1PaddingInfo.pszAlgId = BCRYPT_SHA384_ALGORITHM;
        sHashAlg = NCRYPT_SHA384_ALGORITHM;
        break;
    case PKIFCRYPTO::SHA512:
        PKCS1PaddingInfo.pszAlgId = BCRYPT_SHA512_ALGORITHM;
        sHashAlg = NCRYPT_SHA512_ALGORITHM;
        break;
    default:
        std::ostringstream os;
        os << "Unsupported hash algorithm encountered: " << hashAlg;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, CRYPTO_ALG_NOT_SUPPORTED, NULL);
    }

    BCRYPT_PKCS1_PADDING_INFO * pi = 0;
    DWORD pflags = 0;
    // if this is an RSA signature, need to set those properly.
    // if it's not an RSA signature, CNG gets angry if you do :-/
    DWORD algPropSize = 0;
    if(FAILED(cngStatus = NCryptGetProperty(hKeyPtr,NCRYPT_ALGORITHM_GROUP_PROPERTY,
                                            NULL,0,&algPropSize,0)))
    {
        RAISE_CRYPTO_EXCEPTION("Unable to obtain signature algorithm group for key", TOOLKIT_CRYPTO, CRYPTO_ALG_NOT_SUPPORTED, NULL);
    }
    pkif_byte_array algName(new unsigned char[algPropSize]);
    memset(algName,0x00,algPropSize);
    if(FAILED(cngStatus = NCryptGetProperty(hKeyPtr,NCRYPT_ALGORITHM_GROUP_PROPERTY,
                                            algName,algPropSize,&algPropSize,0)))
    {
        RAISE_CRYPTO_EXCEPTION("Unable to obtain signature algorithm group for key", TOOLKIT_CRYPTO, CRYPTO_ALG_NOT_SUPPORTED, NULL);
    }
    if(0 == wcscmp(NCRYPT_RSA_ALGORITHM_GROUP,(wchar_t *)algName.get()))
    {
        pi = &PKCS1PaddingInfo;
        pflags = BCRYPT_PAD_PKCS1;
    }

    if(FAILED(cngStatus = NCryptSignHash(hKeyPtr,pi,(PBYTE)pHashData,nHashDataLen,pSignature,
                                    *nSignatureLen,&cbSignature,pflags)))
    {
        std::ostringstream os;
        os << "NCryptSignHash failed to sign hash: " << cngStatus;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_SIGN_HASH_FAILED, NULL);
    }

    *nSignatureLen = cbSignature;

}

void CPKIFCNGCAPI::Decrypt(
    const CPKIFCredential& key,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult, 
    int* pnResultLen)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Decrypt(const CPKIFCredential& key,...", TOOLKIT_CRYPTO_CAPI, 0, this);

    NCRYPT_PROV_HANDLE_PKIF hProvider(0);
    NCRYPT_KEY_HANDLE_PKIF  hKey(0);
    SECURITY_STATUS         secStatus = ERROR_SUCCESS;
    DWORD                   cbCipherText                = 0; 

    USES_CONVERSION;

    HCRYPTPROV tmpCtx = NULL;
    BOOL freeContext = false;

    //convert the key to a CAPI key object and see if the key info has been loaded
    const CPKIFCAPICredential2* ck2 = dynamic_cast<const CPKIFCAPICredential2*>(&key);
    if(NULL == ck2)
    {
        throw CPKIFCryptoException(thisComponent, CRYPTO_UNRECOGNIZED_CREDENTIAL, "Credential type not recognized.");
    }

    if(NULL == ck2->m_keyProviderInfo)
    {
        //if key info hasn't been loaded - load it - if load fails SetKeyProviderInfo throws
        CPKIFCAPICredential2* k2 = const_cast<CPKIFCAPICredential2*>(ck2);
        k2->SetKeyProviderInfo();
    }

    // Open Microsoft KSP
    if(FAILED(secStatus = NCryptOpenStorageProvider(
                                            &hProvider, 
                                            MS_KEY_STORAGE_PROVIDER, 
                                            0)))
    {
        std::ostringstream os;
        os << "NCryptOpenStorageProvider failed: " << GetLastError();;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_OPEN_STORAGE_PROVIDER_FAILED, NULL);
    }

    if(FAILED(secStatus = NCryptOpenKey(
                                        hProvider, 
                                        &hKey, 
                                        ck2->m_keyProviderInfo->pwszContainerName,
                                        0,
                                        0)))
    {
        std::ostringstream os;
        os << "NCryptOpenKey failed: " << GetLastError();;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_OPEN_KEY_FAILED, NULL);
    }

    int paddingFlag = NCRYPT_PAD_PKCS1_FLAG;

    if(FAILED(secStatus = NCryptDecrypt(
                                    hKey,
                                    (PBYTE)pData,
                                    nDataLen,
                                    NULL,
                                    NULL,
                                    0,
                                    &cbCipherText,
                                    paddingFlag)))    
    {
        std::ostringstream os;
        os << "NCryptDecrypt failed: " << GetLastError();;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_DECRYPT_FAILED, NULL);

    }
    if(FAILED(secStatus = NCryptDecrypt(
                                    hKey,
                                    (PBYTE)pData,
                                    nDataLen,
                                    NULL,
                                    pResult,
                                    *pnResultLen,
                                    &cbCipherText,
                                    paddingFlag)))
    {
        std::ostringstream os;
        os << "NCryptDecrypt failed: " << GetLastError();;
        RAISE_CRYPTO_EXCEPTION(os.str().c_str(), TOOLKIT_CRYPTO, PKIFCAPING_DECRYPT_FAILED, NULL);
    }
    *pnResultLen = cbCipherText;
}

void CPKIFCNGCAPI::Encrypt(
    const CPKIFCredential& key,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult,
    int* pnResultLen)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Encrypt(const CPKIFCredential& key, unsigned char* pData, int nDataLen, unsigned char* pResult, int* pnResultLen)", TOOLKIT_CRYPTO_CAPI, 0, this);

    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "Encrypt operations are not implemented for stored key material");
}

bool CPKIFCNGCAPI::Verify(
    const CPKIFCredential& key, 
    unsigned char* pHashData,
    int nHashDataLen,
    unsigned char* pSignature,
    int nSignatureLen,
    PKIFCRYPTO::HASH_ALG hashAlg
    )
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Verify(const CPKIFCredential& key, unsigned char* pHashData, int nHashDataLen, unsigned char* pSignature, int nSignatureLen)", TOOLKIT_CRYPTO_CAPI, 0, this);

    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "Verify operations are not implemented for stored key material");
}

IPKIFCryptContext* CPKIFCNGCAPI::CryptInit(
    CPKIFCredentialPtr& key,
    bool pad)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::CryptInit(CPKIFCredentialPtr& key)", TOOLKIT_CRYPTO_CAPI, 0, this);

    RAISE_CRYPTO_EXCEPTION("Context-based operations are unimplemented for CNG stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
    return 0;
    
}

void CPKIFCNGCAPI::Decrypt(
    IPKIFCryptContext* cryptContext,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult, 
    int* pnResultLen,
    bool final)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Decrypt(IPKIFCryptContext* cryptContext, unsigned char* pData, int nDataLen, unsigned char* pResult, int* pnResultLen, bool final)", TOOLKIT_CRYPTO_CAPI, 0, this);
    RAISE_CRYPTO_EXCEPTION("Context-based operations are unimplemented for CNG stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
}

void CPKIFCNGCAPI::Encrypt(
    IPKIFCryptContext* cryptContext,
    unsigned char* pData,
    int nDataLen,
    unsigned char* pResult,
    int* pnResultLen,
    bool final)
{
    LOG_STRING_DEBUG("CPKIFCNGCAPI::Encrypt(IPKIFCryptContext* cryptContext, unsigned char* pData, int nDataLen, unsigned char* pResult, int* pnResultLen, bool final)", TOOLKIT_CRYPTO_CAPI, 0, this);
    RAISE_CRYPTO_EXCEPTION("Context-based operations are unimplemented for CNG stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
}

// Key Agreement stuff

IPKIFKeyAgreeContextPtr CPKIFCNGCAPI::SecretAgree(
                                        CPKIFCredentialPtr& myPrivateKey,
                                        const CPKIFCertificatePtr& theirCert,
                                        const CPKIFAlgorithm * alg)
{
    LOG_STRING_DEBUG("SecretAgree(CPKIFCredentialPtr& myPrivateKey, const CPKIFCertificatePtr& theirCert,const CPKIFAlgorithm * alg)", TOOLKIT_CRYPTO_CAPI, 0, this);
    // use a CPKIFCryptoPPKeyMaterial object for ease of subjectPublicKeyInfo access
    CPKIFCryptoPPKeyMaterialPtr km(new CPKIFCryptoPPKeyMaterial(*theirCert));
    CPKIFBufferPtr rawKey = km->GetRawSPKI();
    return SecretAgree(myPrivateKey, rawKey, alg);
}

IPKIFKeyAgreeContextPtr CPKIFCNGCAPI::SecretAgree(
                                        CPKIFCredentialPtr& myPrivateKey,
                                        const CPKIFBufferPtr& theirPublicKey,
                                        const CPKIFAlgorithm * alg)
{
    IPKIFKeyAgreeContextPtr rv;
    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "Not yet implemented.");
    return rv;
}

// originator interfaces for authenticated key agreement
IPKIFKeyAgreeContextPtr CPKIFCNGCAPI::SecretAgree(
                                        const CPKIFCredentialPtr& myPrivateKey,
                                        CPKIFCredentialPtr & ephemeralKeyPair,
                                        const CPKIFCertificatePtr& theirCert,
                                        const CPKIFAlgorithm * alg)
{
    IPKIFKeyAgreeContextPtr rv;
    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "CNG does not provide authenticated key agreement.");
    return rv;
}

IPKIFKeyAgreeContextPtr CPKIFCNGCAPI::SecretAgree(
                                        const CPKIFCredentialPtr& myPrivateKey,
                                        CPKIFCredentialPtr & ephemeralKeyPair,
                                        const CPKIFBufferPtr& theirPublicKey,
                                        const CPKIFAlgorithm * alg)
{
    IPKIFKeyAgreeContextPtr rv;
    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "CNG does not provide authenticated key agreement.");
    return rv;
}

// recipient interfaces for authenticated key agreement

IPKIFKeyAgreeContextPtr CPKIFCNGCAPI::SecretAgree(
                                        const CPKIFCredentialPtr& myPrivateKey,
                                        const CPKIFBufferPtr& ephemeralPublicKey,
                                        const CPKIFCertificatePtr& theirCert,
                                        const CPKIFAlgorithm * alg)
{
    IPKIFKeyAgreeContextPtr rv;
    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "CNG does not provide authenticated key agreement.");
    return rv;
}

IPKIFKeyAgreeContextPtr CPKIFCNGCAPI::SecretAgree(
                                        const CPKIFCredentialPtr& myPrivateKey,
                                        const CPKIFBufferPtr& ephemeralPublicKey,
                                        const CPKIFBufferPtr& theirPublicKey,
                                        const CPKIFAlgorithm * alg)
{
    IPKIFKeyAgreeContextPtr rv;
    throw CPKIFCryptoException(thisComponent, COMMON_NOT_IMPLEMENTED, "CNG does not provide authenticated key agreement.");
    return rv;
}

CPKIFKeyMaterialPtr CPKIFCNGCAPI::DeriveKey(
                                                    const IPKIFKeyAgreeContextPtr & context,
                                                    unsigned long keyLen
                                                    )
{
    CPKIFKeyMaterialPtr key;
    return key;
}