Update CryptoAPI ENGINE from HEAD.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 4 Jun 2008 18:49:44 +0000 (18:49 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 4 Jun 2008 18:49:44 +0000 (18:49 +0000)
engines/e_capi.c
engines/e_capi_err.c
engines/e_capi_err.h

index deea50c723dad06a8030f3573df4bf5c5cdccd1a..ec8dab0f0767e2a091d6da8424fc5f8952153cbd 100644 (file)
@@ -71,6 +71,8 @@
 #include <windows.h>
 #include <wincrypt.h>
 
+#undef X509_NAME
+
 #include "e_capi_err.h"
 #include "e_capi_err.c"
 
@@ -90,6 +92,7 @@ static int capi_list_providers(CAPI_CTX *ctx, BIO *out);
 static int capi_list_containers(CAPI_CTX *ctx, BIO *out);
 int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *storename);
 void capi_free_key(CAPI_KEY *key);
+static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs);
 
 static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE hstore);
 
@@ -108,6 +111,10 @@ static int capi_rsa_free(RSA *rsa);
 static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
                                                        DSA *dsa);
 static int capi_dsa_free(DSA *dsa);
+
+static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+       STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
        
 /* This structure contains CAPI ENGINE specific data:
  * it contains various global options and affects how
@@ -126,6 +133,7 @@ struct CAPI_CTX_st {
        DWORD csptype;
        /* Certificate store name to use */
        LPTSTR storename;
+       LPTSTR ssl_client_store;
 
 /* Lookup string meanings in load_private_key */
 /* Substring of subject: uses "storename" */
@@ -158,18 +166,19 @@ static void capi_ctx_free(CAPI_CTX *ctx);
 static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int check);
 static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx);
 
-#define CAPI_CMD_LIST_CERTS                    ENGINE_CMD_BASE
+#define CAPI_CMD_LIST_CERTS            ENGINE_CMD_BASE
 #define CAPI_CMD_LOOKUP_CERT           (ENGINE_CMD_BASE + 1)
 #define CAPI_CMD_DEBUG_LEVEL           (ENGINE_CMD_BASE + 2)
-#define CAPI_CMD_DEBUG_FILE                    (ENGINE_CMD_BASE + 3)
-#define CAPI_CMD_KEYTYPE                       (ENGINE_CMD_BASE + 4)
-#define CAPI_CMD_LIST_CSPS                     (ENGINE_CMD_BASE + 5)
+#define CAPI_CMD_DEBUG_FILE            (ENGINE_CMD_BASE + 3)
+#define CAPI_CMD_KEYTYPE               (ENGINE_CMD_BASE + 4)
+#define CAPI_CMD_LIST_CSPS             (ENGINE_CMD_BASE + 5)
 #define CAPI_CMD_SET_CSP_IDX           (ENGINE_CMD_BASE + 6)
 #define CAPI_CMD_SET_CSP_NAME          (ENGINE_CMD_BASE + 7)
 #define CAPI_CMD_SET_CSP_TYPE          (ENGINE_CMD_BASE + 8)
 #define CAPI_CMD_LIST_CONTAINERS       (ENGINE_CMD_BASE + 9)
 #define CAPI_CMD_LIST_OPTIONS          (ENGINE_CMD_BASE + 10)
 #define CAPI_CMD_LOOKUP_METHOD         (ENGINE_CMD_BASE + 11)
+#define CAPI_CMD_STORE_NAME            (ENGINE_CMD_BASE + 12)
 
 static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
        {CAPI_CMD_LIST_CERTS,
@@ -221,6 +230,10 @@ static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
                "lookup_method",
                "Set key lookup method (1=substring, 2=friendlyname, 3=container name)",
                ENGINE_CMD_FLAG_NUMERIC},
+       {CAPI_CMD_STORE_NAME,
+               "store_name",
+               "certificate store name, default \"MY\"",
+               ENGINE_CMD_FLAG_STRING},
 
        {0, NULL, NULL, 0}
        };
@@ -228,9 +241,10 @@ static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
 static int capi_idx = -1;
 static int rsa_capi_idx = -1;
 static int dsa_capi_idx = -1;
+static int cert_capi_idx = -1;
 
 static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-{
+       {
        int ret = 1;
        CAPI_CTX *ctx;
        BIO *out;
@@ -259,6 +273,13 @@ static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
                ret = capi_list_containers(ctx, out);
                break;
 
+               case CAPI_CMD_STORE_NAME:
+               if (ctx->storename)
+                       OPENSSL_free(ctx->storename);
+               ctx->storename = BUF_strdup(p);
+               CAPI_trace(ctx, "Setting store name to %s\n", p);
+               break;
+
                case CAPI_CMD_DEBUG_LEVEL:
                ctx->debug_level = (int)i;
                CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level);
@@ -307,7 +328,7 @@ static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
        BIO_free(out);
        return ret;
 
-}
+       }
 
 static RSA_METHOD capi_rsa_method =
        {
@@ -348,6 +369,7 @@ static int capi_init(ENGINE *e)
        const RSA_METHOD *ossl_rsa_meth;
        const DSA_METHOD *ossl_dsa_meth;
        capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
+       cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
 
        ctx = capi_ctx_new();
        if (!ctx || (capi_idx < 0))
@@ -380,7 +402,6 @@ static int capi_init(ENGINE *e)
 
 static int capi_destroy(ENGINE *e)
        {
-
        ERR_unload_CAPI_strings();
        return 1;
        }
@@ -402,8 +423,11 @@ static int capi_finish(ENGINE *e)
 
 struct CAPI_KEY_st
        {
+       /* Associated certificate context (if any) */
+       PCCERT_CONTEXT pcert;
        HCRYPTPROV hprov;
        HCRYPTKEY key;
+       DWORD keyspec;
        };
 
 static int bind_capi(ENGINE *e)
@@ -416,6 +440,8 @@ static int bind_capi(ENGINE *e)
                || !ENGINE_set_RSA(e, &capi_rsa_method)
                || !ENGINE_set_DSA(e, &capi_dsa_method)
                || !ENGINE_set_load_privkey_function(e, capi_load_privkey)
+               || !ENGINE_set_load_ssl_client_cert_function(e,
+                                               capi_load_ssl_client_cert)
                || !ENGINE_set_cmd_defns(e, capi_cmd_defns)
                || !ENGINE_set_ctrl_function(e, capi_ctrl))
                        return 0;
@@ -482,34 +508,19 @@ static int lend_tobn(BIGNUM *bn, unsigned char *bin, int binlen)
        return 1;
        }
 
-static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
-       UI_METHOD *ui_method, void *callback_data)
+/* Given a CAPI_KEY get an EVP_PKEY structure */
+
+static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY *key)
        {
-       EVP_PKEY *ret = NULL;
-       CAPI_CTX *ctx;
-       CAPI_KEY *key;
        unsigned char *pubkey = NULL;
        DWORD len;
        BLOBHEADER *bh;
        RSA *rkey = NULL;
        DSA *dkey = NULL;
-       ctx = ENGINE_get_ex_data(eng, capi_idx);
-
-       if (!ctx)
-               {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT);
-               return NULL;
-               }
-
-       key = capi_find_key(ctx, key_id);
-
-       if (!key)
-               return NULL;
-
-       len = 0;
+       EVP_PKEY *ret = NULL;
        if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, NULL, &len))
                {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_LENGTH_ERROR);
                capi_addlasterror();
                return NULL;
                }
@@ -521,7 +532,7 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
 
        if (!CryptExportKey(key->key, 0, PUBLICKEYBLOB, 0, pubkey, &len))
                {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_PUBKEY_EXPORT_ERROR);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_PUBKEY_EXPORT_ERROR);
                capi_addlasterror();
                goto err;
                }
@@ -529,7 +540,7 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
        bh = (BLOBHEADER *)pubkey;
        if (bh->bType != PUBLICKEYBLOB)
                {
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_PUBLIC_KEY_BLOB);
                goto err;
                }
        if (bh->aiKeyAlg == CALG_RSA_SIGN || bh->aiKeyAlg == CALG_RSA_KEYX)
@@ -542,7 +553,7 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                        {
                        char magstr[10];
                        BIO_snprintf(magstr, 10, "%lx", rp->magic);
-                       CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
+                       CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_RSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
                        ERR_add_error_data(2, "magic=0x", magstr);
                        goto err;
                        }
@@ -583,7 +594,7 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                        {
                        char magstr[10];
                        BIO_snprintf(magstr, 10, "%lx", dp->magic);
-                       CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
+                       CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_INVALID_DSA_PUBLIC_KEY_BLOB_MAGIC_NUMBER);
                        ERR_add_error_data(2, "magic=0x", magstr);
                        goto err;
                        }
@@ -623,11 +634,12 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                {
                char algstr[10];
                BIO_snprintf(algstr, 10, "%lx", bh->aiKeyAlg);
-               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM);
+               CAPIerr(CAPI_F_CAPI_GET_PKEY, CAPI_R_UNSUPPORTED_PUBLIC_KEY_ALGORITHM);
                ERR_add_error_data(2, "aiKeyAlg=0x", algstr);
                goto err;
                }
 
+
        err:
        if (pubkey)
                OPENSSL_free(pubkey);
@@ -637,8 +649,6 @@ static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
                        RSA_free(rkey);
                if (dkey)
                        DSA_free(dkey);
-               if (key)
-                       capi_free_key(key);
                }
 
        return ret;
@@ -649,6 +659,33 @@ memerr:
 
        }
 
+static EVP_PKEY *capi_load_privkey(ENGINE *eng, const char *key_id,
+       UI_METHOD *ui_method, void *callback_data)
+       {
+       CAPI_CTX *ctx;
+       CAPI_KEY *key;
+       EVP_PKEY *ret;
+       ctx = ENGINE_get_ex_data(eng, capi_idx);
+
+       if (!ctx)
+               {
+               CAPIerr(CAPI_F_CAPI_LOAD_PRIVKEY, CAPI_R_CANT_FIND_CAPI_CONTEXT);
+               return NULL;
+               }
+
+       key = capi_find_key(ctx, key_id);
+
+       if (!key)
+               return NULL;
+
+       ret = capi_get_pkey(eng, key);
+
+       if (!ret)
+               capi_free_key(key);
+       return ret;
+
+       }
+
 /* CryptoAPI RSA operations */
 
 int capi_rsa_priv_enc(int flen, const unsigned char *from,
@@ -680,7 +717,8 @@ int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
                return -1;
                }
 /* Convert the signature type to a CryptoAPI algorithm ID */
-       switch(dtype) {
+       switch(dtype)
+               {
        case NID_sha1:
                alg = CALG_SHA1;
                break;
@@ -705,38 +743,43 @@ int capi_rsa_sign(int dtype, const unsigned char *m, unsigned int m_len,
 
 
 /* Create the hash object */
-       if(!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash)) {
+       if(!CryptCreateHash(capi_key->hprov, alg, 0, 0, &hash))
+               {
                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
                capi_addlasterror();
                return -1;
-       }
+               }
 /* Set the hash value to the value passed */
 
-       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0)) {
+       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)m, 0))
+               {
                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
                capi_addlasterror();
                goto err;
-       }
+               }
 
 
 /* Finally sign it */
        slen = RSA_size(rsa);
-       if(!CryptSignHash(hash, AT_KEYEXCHANGE, NULL, 0, sigret, &slen)) {
+       if(!CryptSignHash(hash, capi_key->keyspec, NULL, 0, sigret, &slen))
+               {
                CAPIerr(CAPI_F_CAPI_RSA_SIGN, CAPI_R_ERROR_SIGNING_HASH);
                capi_addlasterror();
                goto err;
-       } else {
+               }
+       else
+               {
                ret = 1;
                /* Inplace byte reversal of signature */
-               for(i = 0; i < slen / 2; i++) {
+               for(i = 0; i < slen / 2; i++)
+                       {
                        unsigned char c;
                        c = sigret[i];
                        sigret[i] = sigret[slen - i - 1];
                        sigret[slen - i - 1] = c;
-               }
+                       }
                *siglen = slen;
-       }
-
+               }
 
        /* Now cleanup */
 
@@ -744,11 +787,11 @@ err:
        CryptDestroyHash(hash);
 
        return ret;
-}
+       }
 
 int capi_rsa_priv_dec(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa, int padding)
-{
+       {
        int i;
        unsigned char *tmpbuf;
        CAPI_KEY *capi_key;
@@ -796,7 +839,7 @@ int capi_rsa_priv_dec(int flen, const unsigned char *from,
        OPENSSL_free(tmpbuf);
 
        return flen;
-}
+       }
 
 static int capi_rsa_free(RSA *rsa)
        {
@@ -838,23 +881,25 @@ static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen,
                }
 
        /* Create the hash object */
-       if(!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash)) {
+       if(!CryptCreateHash(capi_key->hprov, CALG_SHA1, 0, 0, &hash))
+               {
                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_CREATE_HASH_OBJECT);
                capi_addlasterror();
                return NULL;
-       }
+               }
 
        /* Set the hash value to the value passed */
-       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0)) {
+       if(!CryptSetHashParam(hash, HP_HASHVAL, (unsigned char *)digest, 0))
+               {
                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_CANT_SET_HASH_VALUE);
                capi_addlasterror();
                goto err;
-       }
+               }
 
 
        /* Finally sign it */
        slen = sizeof(csigbuf);
-       if(!CryptSignHash(hash, AT_SIGNATURE, NULL, 0, csigbuf, &slen))
+       if(!CryptSignHash(hash, capi_key->keyspec, NULL, 0, csigbuf, &slen))
                {
                CAPIerr(CAPI_F_CAPI_DSA_DO_SIGN, CAPI_R_ERROR_SIGNING_HASH);
                capi_addlasterror();
@@ -1022,29 +1067,29 @@ static int capi_list_containers(CAPI_CTX *ctx, BIO *out)
 
        for (idx = 0;;idx++)
                {
-                       clen = buflen;
-                       cname[0] = 0;
-
-                       if (idx == 0)
-                               flags = CRYPT_FIRST;
-                       else
-                               flags = 0;
-                       if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags))
-                               {
-                               err = GetLastError();
-                               if (err == ERROR_NO_MORE_ITEMS)
-                                       goto done;
-                               CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
-                               capi_adderror(err);
-                               goto err;
-                               }
-                       CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", cname, clen, idx, flags);
-                       if (!cname[0] && (clen == buflen))
-                               {
-                               CAPI_trace(ctx, "Enumerate bug: using workaround\n");
+               clen = buflen;
+               cname[0] = 0;
+
+               if (idx == 0)
+                       flags = CRYPT_FIRST;
+               else
+                       flags = 0;
+               if(!CryptGetProvParam(hprov, PP_ENUMCONTAINERS, cname, &clen, flags))
+                       {
+                       err = GetLastError();
+                       if (err == ERROR_NO_MORE_ITEMS)
                                goto done;
-                               }
-                       BIO_printf(out, "%d. %s\n", idx, cname);
+                       CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
+                       capi_adderror(err);
+                       goto err;
+                       }
+               CAPI_trace(ctx, "Container name %s, len=%d, index=%d, flags=%d\n", cname, clen, idx, flags);
+               if (!cname[0] && (clen == buflen))
+                       {
+                       CAPI_trace(ctx, "Enumerate bug: using workaround\n");
+                       goto done;
+                       }
+               BIO_printf(out, "%d. %s\n", idx, cname);
                }
        err:
 
@@ -1245,8 +1290,9 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE h
        switch(ctx->lookup_method)
                {
                case CAPI_LU_SUBSTR:
-                       return CertFindCertificateInStore(hstore, X509_ASN_ENCODING, 0, 
-                                                                                       CERT_FIND_SUBJECT_STR_A, id, NULL);
+                       return CertFindCertificateInStore(hstore,
+                                       X509_ASN_ENCODING, 0,
+                                       CERT_FIND_SUBJECT_STR_A, id, NULL);
                case CAPI_LU_FNAME:
                        for(;;)
                                {
@@ -1275,7 +1321,7 @@ static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provnam
        CAPI_KEY *key;
        key = OPENSSL_malloc(sizeof(CAPI_KEY));
        CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 
-                                                                                                                       contname, provname, ptype);
+                                               contname, provname, ptype);
        if (!CryptAcquireContext(&key->hprov, contname, provname, ptype, 0))
                {
                CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
@@ -1289,6 +1335,8 @@ static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provnam
                CryptReleaseContext(key->hprov, 0);
                goto err;
                }
+       key->keyspec = keyspec;
+       key->pcert = NULL;
        return key;
 
        err:
@@ -1309,7 +1357,8 @@ static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
        if (!provname || !contname)
                return 0;
 
-       key = capi_get_key(ctx, contname, provname, pinfo->dwProvType, pinfo->dwKeySpec);
+       key = capi_get_key(ctx, contname, provname,
+                               pinfo->dwProvType, pinfo->dwKeySpec);
 
        err:
        if (pinfo)
@@ -1343,7 +1392,8 @@ CAPI_KEY *capi_find_key(CAPI_CTX *ctx, const char *id)
                break;
 
                case CAPI_LU_CONTNAME:
-               key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype, ctx->keytype);
+               key = capi_get_key(ctx, id, ctx->cspname, ctx->csptype,
+                                                       ctx->keytype);
                break;
                }
 
@@ -1356,6 +1406,8 @@ void capi_free_key(CAPI_KEY *key)
                return;
        CryptDestroyKey(key->key);
        CryptReleaseContext(key->hprov, 0);
+       if (key->pcert)
+               CertFreeCertificateContext(key->pcert);
        OPENSSL_free(key);
        }
 
@@ -1376,6 +1428,7 @@ static CAPI_CTX *capi_ctx_new()
        ctx->dump_flags = CAPI_DMP_SUMMARY|CAPI_DMP_FNAME;
        ctx->keytype = AT_KEYEXCHANGE;
        ctx->storename = NULL;
+       ctx->ssl_client_store = NULL;
        ctx->lookup_method = CAPI_LU_SUBSTR;
        ctx->debug_level = 0;
        ctx->debug_file = NULL;
@@ -1393,6 +1446,8 @@ static void capi_ctx_free(CAPI_CTX *ctx)
                OPENSSL_free(ctx->debug_file);
        if (ctx->storename)
                OPENSSL_free(ctx->storename);
+       if (ctx->ssl_client_store)
+               OPENSSL_free(ctx->ssl_client_store);
        OPENSSL_free(ctx);
        }
 
@@ -1402,7 +1457,8 @@ static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int che
        if (check)
                {
                HCRYPTPROV hprov;
-               if (!CryptAcquireContext(&hprov, NULL, pname, type, CRYPT_VERIFYCONTEXT))
+               if (!CryptAcquireContext(&hprov, NULL, pname, type,
+                                               CRYPT_VERIFYCONTEXT))
                        {
                        CAPIerr(CAPI_F_CAPI_CTX_SET_PROVNAME, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
                        capi_addlasterror();
@@ -1424,5 +1480,214 @@ static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx)
        return capi_ctx_set_provname(ctx, pname, type, 0);
        }
 
+static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)
+       {
+       int i;
+       X509_NAME *nm;
+       /* Special case: empty list: match anything */
+       if (sk_X509_NAME_num(ca_dn) <= 0)
+               return 1;
+       for (i = 0; i < sk_X509_NAME_num(ca_dn); i++)
+               {
+               nm = sk_X509_NAME_value(ca_dn, i);
+               if (!X509_NAME_cmp(nm, X509_get_issuer_name(x)))
+                               return 1;
+               }
+       return 0;
+       }
+
+
+
+static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+       STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+       {
+       STACK_OF(X509) *certs = NULL;
+       X509 *x;
+       char *storename;
+       const char *p;
+       int i, client_cert_idx;
+       HCERTSTORE hstore;
+       PCCERT_CONTEXT cert = NULL, excert = NULL;
+       CAPI_CTX *ctx;
+       CAPI_KEY *key;
+       ctx = ENGINE_get_ex_data(e, capi_idx);
+
+       *pcert = NULL;
+       *pkey = NULL;
+
+       storename = ctx->ssl_client_store;
+       if (!storename)
+               storename = "MY";
+
+       hstore = capi_open_store(ctx, storename);
+       if (!hstore)
+               return 0;
+       /* Enumerate all certificates collect any matches */
+       for(i = 0;;i++)
+               {
+               cert = CertEnumCertificatesInStore(hstore, cert);
+               if (!cert)
+                       break;
+               p = cert->pbCertEncoded;
+               x = d2i_X509(NULL, &p, cert->cbCertEncoded);
+               if (!x)
+                       {
+                       CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
+                       continue;
+                       }
+               if (cert_issuer_match(ca_dn, x))
+                       {
+                       key = capi_get_cert_key(ctx, cert);
+                       if (!key)
+                               continue;
+                       /* Match found: attach extra data to it so
+                        * we can retrieve the key later.
+                        */
+                       excert = CertDuplicateCertificateContext(cert);
+                       key->pcert = excert;
+                       X509_set_ex_data(x, cert_capi_idx, key);
+
+                       if (!certs)
+                               certs = sk_X509_new_null();
+
+                       sk_X509_push(certs, x);
+                       }
+               else
+                       X509_free(x);
+
+               }
+
+       if (cert)
+               CertFreeCertificateContext(cert);
+       if (hstore)
+               CertCloseStore(hstore, 0);
+
+       if (!certs)
+               return 0;
+
+
+       /* Select the appropriate certificate */
+
+       client_cert_idx = client_cert_select(e, ssl, certs);
+
+       /* Set the selected certificate and free the rest */
+
+       for(i = 0; i < sk_X509_num(certs); i++)
+               {
+               x = sk_X509_value(certs, i);
+               if (i == client_cert_idx)
+                       *pcert = x;
+               else
+                       {
+                       key = X509_get_ex_data(x, cert_capi_idx);
+                       capi_free_key(key);
+                       X509_free(x);
+                       }
+               }
+
+       sk_X509_free(certs);
+
+       if (!*pcert)
+               return 0;
+
+       /* Setup key for selected certificate */
+
+       key = X509_get_ex_data(*pcert, cert_capi_idx);
+       *pkey = capi_get_pkey(e, key);
+       X509_set_ex_data(*pcert, cert_capi_idx, NULL);
+
+       return 1;
+
+       }
+
+#ifndef OPENSSL_CAPIENG_DIALOG
+
+/* Simple client cert selection function: always select first */
+
+static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+       {
+       return 0;
+       }
+
+#else
+
+/* More complex cert selection function, using standard function
+ * CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
+ */
+
+#include <cryptuiapi.h>
+
+#define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
+#define dlg_prompt L"Select a certificate to use for authentication"
+
+static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs)
+       {
+       X509 *x;
+       HCERTSTORE dstore;
+       PCCERT_CONTEXT cert;
+       CAPI_CTX *ctx;
+       CAPI_KEY *key;
+       HWND hwnd;
+       int i, idx = -1;
+       ctx = ENGINE_get_ex_data(e, capi_idx);
+       /* Create an in memory store of certificates */
+       dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+                                       CERT_STORE_CREATE_NEW_FLAG, NULL);
+       if (!dstore)
+               {
+               CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_CREATING_STORE);
+               capi_addlasterror();
+               goto err;
+               }
+       /* Add all certificates to store */
+       for(i = 0; i < sk_X509_num(certs); i++)
+               {
+               x = sk_X509_value(certs, i);
+               key = X509_get_ex_data(x, cert_capi_idx);
+
+               if (!CertAddCertificateContextToStore(dstore, key->pcert,
+                                               CERT_STORE_ADD_NEW, NULL))
+                       {
+                       CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_ADDING_CERT);
+                       capi_addlasterror();
+                       goto err;
+                       }
+
+               }
+       hwnd = GetActiveWindow();
+       if (!hwnd)
+               hwnd = GetConsoleWindow();
+       /* Call dialog to select one */
+       cert = CryptUIDlgSelectCertificateFromStore(dstore, hwnd,
+                                                       dlg_title, dlg_prompt,
+                                                       0, 0, NULL);
+
+       /* Find matching cert from list */
+       if (cert)
+               {
+               for(i = 0; i < sk_X509_num(certs); i++)
+                       {
+                       x = sk_X509_value(certs, i);
+                       key = X509_get_ex_data(x, cert_capi_idx);
+                       if (CertCompareCertificate(
+                               X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                                       cert->pCertInfo,
+                                       key->pcert->pCertInfo))
+                               {
+                               idx = i;
+                               break;
+                               }
+                       }
+               }
+
+       err:
+       if (dstore)
+               CertCloseStore(dstore, 0);
+       return idx;
+
+       }
+#endif
+
 #endif
 #endif
index 6ffd5bf5741b535db2150144e582b2a2fffbfb53..64d7f7237bde8b90dd047552853213a53883d370 100644 (file)
@@ -76,6 +76,7 @@ static ERR_STRING_DATA CAPI_str_functs[]=
 {ERR_FUNC(CAPI_F_CAPI_CTX_SET_PROVNAME),       "CAPI_CTX_SET_PROVNAME"},
 {ERR_FUNC(CAPI_F_CAPI_DSA_DO_SIGN),    "CAPI_DSA_DO_SIGN"},
 {ERR_FUNC(CAPI_F_CAPI_GET_KEY),        "CAPI_GET_KEY"},
+{ERR_FUNC(CAPI_F_CAPI_GET_PKEY),       "CAPI_GET_PKEY"},
 {ERR_FUNC(CAPI_F_CAPI_GET_PROVNAME),   "CAPI_GET_PROVNAME"},
 {ERR_FUNC(CAPI_F_CAPI_GET_PROV_INFO),  "CAPI_GET_PROV_INFO"},
 {ERR_FUNC(CAPI_F_CAPI_INIT),   "CAPI_INIT"},
@@ -85,6 +86,7 @@ static ERR_STRING_DATA CAPI_str_functs[]=
 {ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_DEC),   "CAPI_RSA_PRIV_DEC"},
 {ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_ENC),   "CAPI_RSA_PRIV_ENC"},
 {ERR_FUNC(CAPI_F_CAPI_RSA_SIGN),       "CAPI_RSA_SIGN"},
+{ERR_FUNC(CAPI_F_CLIENT_CERT_SELECT),  "CLIENT_CERT_SELECT"},
 {ERR_FUNC(CAPI_F_WIDE_TO_ASC), "WIDE_TO_ASC"},
 {0,NULL}
        };
@@ -100,6 +102,8 @@ static ERR_STRING_DATA CAPI_str_reasons[]=
 {ERR_REASON(CAPI_R_DECRYPT_ERROR)        ,"decrypt error"},
 {ERR_REASON(CAPI_R_ENGINE_NOT_INITIALIZED),"engine not initialized"},
 {ERR_REASON(CAPI_R_ENUMCONTAINERS_ERROR) ,"enumcontainers error"},
+{ERR_REASON(CAPI_R_ERROR_ADDING_CERT)    ,"error adding cert"},
+{ERR_REASON(CAPI_R_ERROR_CREATING_STORE) ,"error creating store"},
 {ERR_REASON(CAPI_R_ERROR_GETTING_FRIENDLY_NAME),"error getting friendly name"},
 {ERR_REASON(CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO),"error getting key provider info"},
 {ERR_REASON(CAPI_R_ERROR_OPENING_STORE)  ,"error opening store"},
index cb801140b972cfb0d3261032e9fde3231952dddb..c8cf4671ee2e0e5ac5627ff199012ecfe148aa60 100644 (file)
@@ -73,6 +73,7 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line);
 #define CAPI_F_CAPI_CTX_SET_PROVNAME                    102
 #define CAPI_F_CAPI_DSA_DO_SIGN                                 114
 #define CAPI_F_CAPI_GET_KEY                             103
+#define CAPI_F_CAPI_GET_PKEY                            115
 #define CAPI_F_CAPI_GET_PROVNAME                        104
 #define CAPI_F_CAPI_GET_PROV_INFO                       105
 #define CAPI_F_CAPI_INIT                                106
@@ -82,6 +83,7 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line);
 #define CAPI_F_CAPI_RSA_PRIV_DEC                        110
 #define CAPI_F_CAPI_RSA_PRIV_ENC                        111
 #define CAPI_F_CAPI_RSA_SIGN                            112
+#define CAPI_F_CLIENT_CERT_SELECT                       116
 #define CAPI_F_WIDE_TO_ASC                              113
 
 /* Reason codes. */
@@ -94,6 +96,8 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line);
 #define CAPI_R_DECRYPT_ERROR                            105
 #define CAPI_R_ENGINE_NOT_INITIALIZED                   106
 #define CAPI_R_ENUMCONTAINERS_ERROR                     107
+#define CAPI_R_ERROR_ADDING_CERT                        125
+#define CAPI_R_ERROR_CREATING_STORE                     126
 #define CAPI_R_ERROR_GETTING_FRIENDLY_NAME              108
 #define CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO          109
 #define CAPI_R_ERROR_OPENING_STORE                      110