577 lines
17 KiB
C++
577 lines
17 KiB
C++
//+-------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (C) Microsoft Corporation, 1998-2002
|
|
//
|
|
// File: SecurityPropertyPage.cpp
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
// casec.cpp
|
|
//
|
|
// ISecurityInformation implementation for CA objects
|
|
// and the new acl editor
|
|
//
|
|
// PURPOSE
|
|
|
|
//
|
|
//
|
|
// DYNALOADED LIBRARIES
|
|
//
|
|
// HISTORY
|
|
// 5-Nov-1998 petesk Copied template from privobsi.cpp sample.
|
|
// 6-Mar-2000 bryanwal Modified to support cert templates
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
#include <stdafx.h>
|
|
#include <accctrl.h>
|
|
//#include <certca.h>
|
|
#include <sddl.h>
|
|
#include "CertTemplate.h"
|
|
|
|
// Important, keep enroll GUID in sync with string define in certacl.h
|
|
const GUID GUID_ENROLL = { /* 0e10c968-78fb-11d2-90d4-00c04f79dc55 */
|
|
0x0e10c968,
|
|
0x78fb,
|
|
0x11d2,
|
|
{0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
|
|
|
|
const GUID GUID_AUTOENROLL = { /* a05b8cc2-17bc-4802-a710-e7c15ab866a2 */
|
|
0xa05b8cc2,
|
|
0x17bc,
|
|
0x4802,
|
|
{0xa7, 0x10, 0xe7, 0xc1, 0x5a, 0xb8, 0x66, 0xa2} };
|
|
|
|
//
|
|
// defined in Security.cpp
|
|
//
|
|
// // define our generic mapping structure for our private objects //
|
|
|
|
|
|
#define INHERIT_FULL (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE)
|
|
|
|
#define ACTRL_CERTSRV_ENROLL (ACTRL_DS_CONTROL_ACCESS)
|
|
|
|
#define ACTRL_CERTSRV_MANAGE (ACTRL_DS_READ_PROP | \
|
|
ACTRL_DS_WRITE_PROP | \
|
|
READ_CONTROL | \
|
|
DELETE | \
|
|
WRITE_DAC | \
|
|
WRITE_OWNER | \
|
|
ACTRL_DS_CONTROL_ACCESS | \
|
|
ACTRL_DS_CREATE_CHILD | \
|
|
ACTRL_DS_DELETE_CHILD | \
|
|
ACTRL_DS_LIST | \
|
|
ACTRL_DS_SELF | \
|
|
ACTRL_DS_DELETE_TREE | \
|
|
ACTRL_DS_LIST_OBJECT)
|
|
|
|
#define ACTRL_CERTSRV_READ ( READ_CONTROL | \
|
|
ACTRL_DS_READ_PROP | \
|
|
ACTRL_DS_LIST )
|
|
#define ACTRL_CERTSRV_WRITE ( WRITE_DAC | \
|
|
WRITE_OWNER | \
|
|
ACTRL_DS_WRITE_PROP )
|
|
|
|
GENERIC_MAPPING ObjMap =
|
|
{
|
|
ACTRL_CERTSRV_READ,
|
|
DELETE | WRITE_DAC | WRITE_OWNER | ACTRL_DS_WRITE_PROP,
|
|
0,
|
|
ACTRL_CERTSRV_MANAGE
|
|
};
|
|
|
|
|
|
//
|
|
// DESCRIPTION OF ACCESS FLAG AFFECTS
|
|
//
|
|
// SI_ACCESS_GENERAL shows up on general properties page
|
|
// SI_ACCESS_SPECIFIC shows up on advanced page
|
|
// SI_ACCESS_CONTAINER shows on general page IF object is a container
|
|
//
|
|
SI_ACCESS g_siV1ObjAccesses[] =
|
|
{
|
|
{ &GUID_NULL,
|
|
ACTRL_CERTSRV_MANAGE,
|
|
MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_MANAGE),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_NULL,
|
|
ACTRL_CERTSRV_READ,
|
|
MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_READ),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_NULL,
|
|
ACTRL_CERTSRV_WRITE,
|
|
MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_WRITE),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_ENROLL,
|
|
ACTRL_CERTSRV_ENROLL,
|
|
MAKEINTRESOURCE(IDS_ACTRL_ENROLL),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }
|
|
};
|
|
|
|
SI_ACCESS g_siV2ObjAccesses[] =
|
|
{
|
|
{ &GUID_NULL,
|
|
ACTRL_CERTSRV_MANAGE,
|
|
MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_MANAGE),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_NULL,
|
|
ACTRL_CERTSRV_READ,
|
|
MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_READ),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_NULL,
|
|
ACTRL_CERTSRV_WRITE,
|
|
MAKEINTRESOURCE(IDS_ACTRL_CERTSRV_WRITE),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_ENROLL,
|
|
ACTRL_CERTSRV_ENROLL,
|
|
MAKEINTRESOURCE(IDS_ACTRL_ENROLL),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
|
|
{ &GUID_AUTOENROLL,
|
|
ACTRL_CERTSRV_ENROLL,
|
|
MAKEINTRESOURCE(IDS_ACTRL_AUTOENROLL),
|
|
SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC }
|
|
};
|
|
|
|
|
|
#define g_iObjDefAccess 1 // DS_GENERIC_READ
|
|
|
|
// The following array defines the inheritance types for my containers.
|
|
SI_INHERIT_TYPE g_siObjInheritTypes[] =
|
|
{
|
|
&GUID_NULL, 0, MAKEINTRESOURCE(IDS_INH_NONE),
|
|
};
|
|
|
|
|
|
class CCertTemplateSecurityObject : public ISecurityInformation
|
|
{
|
|
protected:
|
|
ULONG m_cRef;
|
|
CCertTemplate * m_pCertTemplate;
|
|
PSECURITY_DESCRIPTOR m_pSD;
|
|
|
|
public:
|
|
CCertTemplateSecurityObject() : m_cRef(1),
|
|
m_pCertTemplate (0),
|
|
m_pSD (0)
|
|
{
|
|
}
|
|
virtual ~CCertTemplateSecurityObject();
|
|
|
|
STDMETHOD(Initialize)(CCertTemplate *pCertTemplate);
|
|
|
|
// IUnknown methods
|
|
STDMETHOD(QueryInterface)(REFIID, LPVOID *);
|
|
STDMETHOD_(ULONG, AddRef)();
|
|
STDMETHOD_(ULONG, Release)();
|
|
|
|
// ISecurityInformation methods
|
|
STDMETHOD(GetObjectInformation)(PSI_OBJECT_INFO pObjectInfo);
|
|
STDMETHOD(GetSecurity)(SECURITY_INFORMATION si,
|
|
PSECURITY_DESCRIPTOR *ppSD,
|
|
BOOL fDefault);
|
|
STDMETHOD(SetSecurity)(SECURITY_INFORMATION si,
|
|
PSECURITY_DESCRIPTOR pSD);
|
|
STDMETHOD(GetAccessRights)(const GUID* pguidObjectType,
|
|
DWORD dwFlags,
|
|
PSI_ACCESS *ppAccess,
|
|
ULONG *pcAccesses,
|
|
ULONG *piDefaultAccess);
|
|
STDMETHOD(MapGeneric)(const GUID *pguidObjectType,
|
|
UCHAR *pAceFlags,
|
|
ACCESS_MASK *pmask);
|
|
STDMETHOD(GetInheritTypes)(PSI_INHERIT_TYPE *ppInheritTypes,
|
|
ULONG *pcInheritTypes);
|
|
STDMETHOD(PropertySheetPageCallback)(HWND hwnd,
|
|
UINT uMsg,
|
|
SI_PAGE_TYPE uPage);
|
|
};
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// This is the entry point function called from our code that establishes
|
|
// what the ACLUI interface is going to need to know.
|
|
//
|
|
//
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
HRESULT CreateCertTemplateSecurityInfo (
|
|
CCertTemplate *pCertTemplate,
|
|
LPSECURITYINFO *ppObjSI)
|
|
{
|
|
_TRACE (1, L"Entering CreateCertTemplateSecurityInfo\n");
|
|
ASSERT (pCertTemplate && ppObjSI);
|
|
if ( !pCertTemplate || !ppObjSI )
|
|
return E_POINTER;
|
|
|
|
HRESULT hr = S_OK;
|
|
CCertTemplateSecurityObject *psi = new CCertTemplateSecurityObject;
|
|
if ( psi)
|
|
{
|
|
*ppObjSI = NULL;
|
|
|
|
hr = psi->Initialize (pCertTemplate);
|
|
if ( SUCCEEDED (hr) )
|
|
*ppObjSI = psi;
|
|
else
|
|
delete psi;
|
|
}
|
|
else
|
|
hr = E_OUTOFMEMORY;;
|
|
|
|
|
|
_TRACE (-1, L"Leaving CreateCertTemplateSecurityInfo: 0x%x\n", hr);
|
|
return hr;
|
|
}
|
|
|
|
|
|
CCertTemplateSecurityObject::~CCertTemplateSecurityObject()
|
|
{
|
|
if ( m_pSD )
|
|
{
|
|
LocalFree (m_pSD);
|
|
}
|
|
if ( m_pCertTemplate )
|
|
m_pCertTemplate->Release ();
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::Initialize(CCertTemplate *pCertTemplate)
|
|
{
|
|
_TRACE (1, L"Entering CCertTemplateSecurityObject::Initialize\n");
|
|
HRESULT hr = S_OK;
|
|
|
|
if ( pCertTemplate )
|
|
{
|
|
m_pCertTemplate = pCertTemplate;
|
|
m_pCertTemplate->AddRef ();
|
|
|
|
hr = pCertTemplate->GetSecurity (&m_pSD);
|
|
}
|
|
else
|
|
hr = E_POINTER;
|
|
|
|
_TRACE (-1, L"Leaving CCertTemplateSecurityObject::Initialize: 0x%x\n", hr);
|
|
return hr;
|
|
}
|
|
|
|
|
|
///////////////////////////////////////////////////////////
|
|
//
|
|
// IUnknown methods
|
|
//
|
|
///////////////////////////////////////////////////////////
|
|
|
|
STDMETHODIMP_(ULONG)
|
|
CCertTemplateSecurityObject::AddRef()
|
|
{
|
|
return ++m_cRef;
|
|
}
|
|
|
|
STDMETHODIMP_(ULONG)
|
|
CCertTemplateSecurityObject::Release()
|
|
{
|
|
if (--m_cRef == 0)
|
|
{
|
|
delete this;
|
|
return 0;
|
|
}
|
|
|
|
return m_cRef;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::QueryInterface(REFIID riid, LPVOID FAR* ppv)
|
|
{
|
|
if (IsEqualIID(riid, IID_IUnknown) || IsEqualIID(riid, IID_ISecurityInformation))
|
|
{
|
|
*ppv = (LPSECURITYINFO)this;
|
|
m_cRef++;
|
|
return S_OK;
|
|
}
|
|
else
|
|
{
|
|
*ppv = NULL;
|
|
return E_NOINTERFACE;
|
|
}
|
|
}
|
|
|
|
|
|
///////////////////////////////////////////////////////////
|
|
//
|
|
// ISecurityInformation methods
|
|
//
|
|
///////////////////////////////////////////////////////////
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::GetObjectInformation(PSI_OBJECT_INFO pObjectInfo)
|
|
{
|
|
if ( pObjectInfo == NULL )
|
|
{
|
|
return E_POINTER;
|
|
}
|
|
if ( m_pCertTemplate == NULL )
|
|
{
|
|
return E_POINTER;
|
|
}
|
|
|
|
// security review 2/21/2002 BryanWal ok
|
|
ZeroMemory(pObjectInfo, sizeof (SI_OBJECT_INFO));
|
|
pObjectInfo->dwFlags = SI_EDIT_ALL | SI_NO_ACL_PROTECT | SI_ADVANCED | SI_NO_ADDITIONAL_PERMISSION;
|
|
if ( m_pCertTemplate->ReadOnly () )
|
|
pObjectInfo->dwFlags |= SI_READONLY;
|
|
|
|
AFX_MANAGE_STATE (AfxGetStaticModuleState ());
|
|
pObjectInfo->hInstance = AfxGetResourceHandle (); //AfxGetInstanceHandle ();
|
|
|
|
pObjectInfo->pszObjectName = const_cast<WCHAR *>((LPCTSTR)m_pCertTemplate->GetLDAPPath ());
|
|
return S_OK;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::GetSecurity(SECURITY_INFORMATION si,
|
|
PSECURITY_DESCRIPTOR *ppSD,
|
|
BOOL fDefault)
|
|
{
|
|
_TRACE (1, L"Entering CCertTemplateSecurityObject::GetSecurity\n");
|
|
HRESULT hr = S_OK;
|
|
DWORD dwLength = 0;
|
|
SECURITY_DESCRIPTOR_CONTROL Control = SE_DACL_PROTECTED;
|
|
DWORD dwRevision = 0;
|
|
|
|
*ppSD = NULL;
|
|
|
|
if (fDefault)
|
|
return E_NOTIMPL;
|
|
|
|
//
|
|
// Assume that required privileges have already been enabled
|
|
//
|
|
|
|
|
|
hr = S_OK;
|
|
|
|
// find out out much to allocate
|
|
if ( !GetPrivateObjectSecurity(m_pSD, si, NULL, 0, &dwLength) )
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError ());
|
|
if ( hr == HRESULT_FROM_WIN32 (ERROR_INSUFFICIENT_BUFFER) && dwLength )
|
|
{
|
|
hr = S_OK;
|
|
// allocate and
|
|
*ppSD = LocalAlloc(LPTR, dwLength);
|
|
if (*ppSD )
|
|
{
|
|
// retrieve
|
|
if ( GetPrivateObjectSecurity (m_pSD, si, *ppSD, dwLength, &dwLength) )
|
|
{
|
|
if ( GetSecurityDescriptorControl(m_pSD, &Control, &dwRevision))
|
|
{
|
|
Control &= SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED;
|
|
// security review 2/21/2002 BryanWal ok - if it ain't broke, don't fix it
|
|
SetSecurityDescriptorControl (*ppSD,
|
|
SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED,
|
|
Control);
|
|
}
|
|
else
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError ());
|
|
_TRACE (0, L"GetSecurityDescriptorControl failed: 0x%x\n", hr);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
_TRACE (0, L"GetPrivateObjectSecurity failed: 0x%x\n", hr);
|
|
hr = GetLastError();
|
|
LocalFree(*ppSD);
|
|
*ppSD = NULL;
|
|
}
|
|
}
|
|
else
|
|
hr = E_OUTOFMEMORY;
|
|
}
|
|
else if ( FAILED (hr) )
|
|
{
|
|
_TRACE (0, L"GetPrivateObjectSecurity failed: 0x%x\n", hr);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError ());
|
|
}
|
|
|
|
_TRACE (-1, L"Leaving CCertTemplateSecurityObject::GetSecurity: 0x%x\n", hr);
|
|
return hr;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::SetSecurity(SECURITY_INFORMATION si,
|
|
PSECURITY_DESCRIPTOR pSD)
|
|
{
|
|
HRESULT hr = S_OK;
|
|
HANDLE hClientToken = NULL;
|
|
HANDLE hHandle = NULL;
|
|
SECURITY_DESCRIPTOR_CONTROL Control = SE_DACL_PROTECTED;
|
|
DWORD dwRevision = 0;
|
|
|
|
|
|
hHandle = GetCurrentThread();
|
|
if (NULL == hHandle)
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError());
|
|
}
|
|
else
|
|
{
|
|
if (!OpenThreadToken(hHandle,
|
|
TOKEN_QUERY,
|
|
TRUE, // open as self
|
|
&hClientToken))
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError());
|
|
CloseHandle(hHandle);
|
|
hHandle = NULL;
|
|
}
|
|
}
|
|
|
|
if(hr != S_OK)
|
|
{
|
|
hHandle = GetCurrentProcess();
|
|
if (NULL == hHandle)
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError());
|
|
}
|
|
else
|
|
{
|
|
HANDLE hProcessToken = NULL;
|
|
hr = S_OK;
|
|
|
|
|
|
if (!OpenProcessToken(hHandle,
|
|
TOKEN_DUPLICATE,
|
|
&hProcessToken))
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError());
|
|
CloseHandle(hHandle);
|
|
hHandle = NULL;
|
|
}
|
|
else
|
|
{
|
|
// security review 2/21/2002 BryanWal ok
|
|
if(!DuplicateToken(hProcessToken,
|
|
SecurityImpersonation,
|
|
&hClientToken))
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError());
|
|
CloseHandle(hHandle);
|
|
hHandle = NULL;
|
|
}
|
|
CloseHandle(hProcessToken);
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( SUCCEEDED (hr) )
|
|
{
|
|
//
|
|
// Assume that required privileges have already been enabled
|
|
//
|
|
if ( SetPrivateObjectSecurityEx (si, pSD, &m_pSD, SEF_DACL_AUTO_INHERIT, &ObjMap, hClientToken) )
|
|
{
|
|
if ( si & DACL_SECURITY_INFORMATION )
|
|
{
|
|
if ( GetSecurityDescriptorControl (pSD, &Control, &dwRevision) )
|
|
{
|
|
Control &= SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED;
|
|
// security review 2/21/2002 BryanWal ok
|
|
SetSecurityDescriptorControl(m_pSD,
|
|
SE_DACL_PROTECTED | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED,
|
|
Control);
|
|
}
|
|
}
|
|
|
|
hr = m_pCertTemplate->SetSecurity (m_pSD);
|
|
}
|
|
else
|
|
{
|
|
hr = HRESULT_FROM_WIN32 (GetLastError());
|
|
_TRACE (0, L"SetPrivateObjectSecurityEx () failed: 0x%x\n", hr);
|
|
}
|
|
}
|
|
|
|
|
|
if ( hClientToken )
|
|
{
|
|
CloseHandle (hClientToken);
|
|
}
|
|
if ( hHandle )
|
|
{
|
|
CloseHandle (hHandle);
|
|
}
|
|
|
|
m_pCertTemplate->FailedToSetSecurity (FAILED (hr) ? true : false);
|
|
|
|
return hr;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::GetAccessRights(const GUID* /*pguidObjectType*/,
|
|
DWORD /*dwFlags*/,
|
|
PSI_ACCESS *ppAccesses,
|
|
ULONG *pcAccesses,
|
|
ULONG *piDefaultAccess)
|
|
{
|
|
if ( !ppAccesses || !pcAccesses || !piDefaultAccess )
|
|
return E_POINTER;
|
|
|
|
if ( 1 == m_pCertTemplate->GetType () )
|
|
{
|
|
*ppAccesses = g_siV1ObjAccesses;
|
|
*pcAccesses = sizeof(g_siV1ObjAccesses)/sizeof(g_siV1ObjAccesses[0]);
|
|
}
|
|
else
|
|
{
|
|
*ppAccesses = g_siV2ObjAccesses;
|
|
*pcAccesses = sizeof(g_siV2ObjAccesses)/sizeof(g_siV2ObjAccesses[0]);
|
|
}
|
|
*piDefaultAccess = g_iObjDefAccess;
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::MapGeneric(const GUID* /*pguidObjectType*/,
|
|
UCHAR * /*pAceFlags*/,
|
|
ACCESS_MASK *pmask)
|
|
{
|
|
MapGenericMask(pmask, &ObjMap);
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::GetInheritTypes(PSI_INHERIT_TYPE *ppInheritTypes,
|
|
ULONG *pcInheritTypes)
|
|
{
|
|
*ppInheritTypes = g_siObjInheritTypes;
|
|
*pcInheritTypes = sizeof(g_siObjInheritTypes)/sizeof(g_siObjInheritTypes[0]);
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
STDMETHODIMP
|
|
CCertTemplateSecurityObject::PropertySheetPageCallback(HWND /*hwnd*/,
|
|
UINT uMsg,
|
|
SI_PAGE_TYPE /*uPage*/)
|
|
{
|
|
if ( PSPCB_CREATE == uMsg )
|
|
return E_NOTIMPL;
|
|
|
|
return S_OK;
|
|
}
|
|
|