1 | /* $Id: VBoxCertUtil.cpp 93115 2022-01-01 11:31:46Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * VBoxCertUtil - VBox Certificate Utility - Windows Only.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2012-2022 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | */
|
---|
17 |
|
---|
18 |
|
---|
19 | /*********************************************************************************************************************************
|
---|
20 | * Header Files *
|
---|
21 | *********************************************************************************************************************************/
|
---|
22 | #include <iprt/win/windows.h>
|
---|
23 | #include <Wincrypt.h>
|
---|
24 |
|
---|
25 | #include <iprt/buildconfig.h>
|
---|
26 | #include <iprt/errcore.h>
|
---|
27 | #include <iprt/file.h>
|
---|
28 | #include <iprt/getopt.h>
|
---|
29 | #include <iprt/initterm.h>
|
---|
30 | #include <iprt/message.h>
|
---|
31 | #include <iprt/path.h>
|
---|
32 | #include <iprt/stream.h>
|
---|
33 | #include <iprt/string.h>
|
---|
34 | #include <iprt/time.h>
|
---|
35 | #include <iprt/utf16.h>
|
---|
36 |
|
---|
37 |
|
---|
38 | /*********************************************************************************************************************************
|
---|
39 | * Global Variables *
|
---|
40 | *********************************************************************************************************************************/
|
---|
41 | /** The verbosity level. */
|
---|
42 | static unsigned g_cVerbosityLevel = 1;
|
---|
43 |
|
---|
44 |
|
---|
45 | static const char *errorToString(DWORD dwErr)
|
---|
46 | {
|
---|
47 | switch (dwErr)
|
---|
48 | {
|
---|
49 | #define MY_CASE(a_uConst) case a_uConst: return #a_uConst;
|
---|
50 | MY_CASE(CRYPT_E_MSG_ERROR);
|
---|
51 | MY_CASE(CRYPT_E_UNKNOWN_ALGO);
|
---|
52 | MY_CASE(CRYPT_E_OID_FORMAT);
|
---|
53 | MY_CASE(CRYPT_E_INVALID_MSG_TYPE);
|
---|
54 | MY_CASE(CRYPT_E_UNEXPECTED_ENCODING);
|
---|
55 | MY_CASE(CRYPT_E_AUTH_ATTR_MISSING);
|
---|
56 | MY_CASE(CRYPT_E_HASH_VALUE);
|
---|
57 | MY_CASE(CRYPT_E_INVALID_INDEX);
|
---|
58 | MY_CASE(CRYPT_E_ALREADY_DECRYPTED);
|
---|
59 | MY_CASE(CRYPT_E_NOT_DECRYPTED);
|
---|
60 | MY_CASE(CRYPT_E_RECIPIENT_NOT_FOUND);
|
---|
61 | MY_CASE(CRYPT_E_CONTROL_TYPE);
|
---|
62 | MY_CASE(CRYPT_E_ISSUER_SERIALNUMBER);
|
---|
63 | MY_CASE(CRYPT_E_SIGNER_NOT_FOUND);
|
---|
64 | MY_CASE(CRYPT_E_ATTRIBUTES_MISSING);
|
---|
65 | MY_CASE(CRYPT_E_STREAM_MSG_NOT_READY);
|
---|
66 | MY_CASE(CRYPT_E_STREAM_INSUFFICIENT_DATA);
|
---|
67 | MY_CASE(CRYPT_I_NEW_PROTECTION_REQUIRED);
|
---|
68 | MY_CASE(CRYPT_E_BAD_LEN);
|
---|
69 | MY_CASE(CRYPT_E_BAD_ENCODE);
|
---|
70 | MY_CASE(CRYPT_E_FILE_ERROR);
|
---|
71 | MY_CASE(CRYPT_E_NOT_FOUND);
|
---|
72 | MY_CASE(CRYPT_E_EXISTS);
|
---|
73 | MY_CASE(CRYPT_E_NO_PROVIDER);
|
---|
74 | MY_CASE(CRYPT_E_SELF_SIGNED);
|
---|
75 | MY_CASE(CRYPT_E_DELETED_PREV);
|
---|
76 | MY_CASE(CRYPT_E_NO_MATCH);
|
---|
77 | MY_CASE(CRYPT_E_UNEXPECTED_MSG_TYPE);
|
---|
78 | MY_CASE(CRYPT_E_NO_KEY_PROPERTY);
|
---|
79 | MY_CASE(CRYPT_E_NO_DECRYPT_CERT);
|
---|
80 | MY_CASE(CRYPT_E_BAD_MSG);
|
---|
81 | MY_CASE(CRYPT_E_NO_SIGNER);
|
---|
82 | MY_CASE(CRYPT_E_PENDING_CLOSE);
|
---|
83 | MY_CASE(CRYPT_E_REVOKED);
|
---|
84 | MY_CASE(CRYPT_E_NO_REVOCATION_DLL);
|
---|
85 | MY_CASE(CRYPT_E_NO_REVOCATION_CHECK);
|
---|
86 | MY_CASE(CRYPT_E_REVOCATION_OFFLINE);
|
---|
87 | MY_CASE(CRYPT_E_NOT_IN_REVOCATION_DATABASE);
|
---|
88 | MY_CASE(CRYPT_E_INVALID_NUMERIC_STRING);
|
---|
89 | MY_CASE(CRYPT_E_INVALID_PRINTABLE_STRING);
|
---|
90 | MY_CASE(CRYPT_E_INVALID_IA5_STRING);
|
---|
91 | MY_CASE(CRYPT_E_INVALID_X500_STRING);
|
---|
92 | MY_CASE(CRYPT_E_NOT_CHAR_STRING);
|
---|
93 | MY_CASE(CRYPT_E_FILERESIZED);
|
---|
94 | MY_CASE(CRYPT_E_SECURITY_SETTINGS);
|
---|
95 | MY_CASE(CRYPT_E_NO_VERIFY_USAGE_DLL);
|
---|
96 | MY_CASE(CRYPT_E_NO_VERIFY_USAGE_CHECK);
|
---|
97 | MY_CASE(CRYPT_E_VERIFY_USAGE_OFFLINE);
|
---|
98 | MY_CASE(CRYPT_E_NOT_IN_CTL);
|
---|
99 | MY_CASE(CRYPT_E_NO_TRUSTED_SIGNER);
|
---|
100 | MY_CASE(CRYPT_E_MISSING_PUBKEY_PARA);
|
---|
101 | MY_CASE(CRYPT_E_OSS_ERROR);
|
---|
102 | default:
|
---|
103 | {
|
---|
104 | static char s_szErr[80];
|
---|
105 | if (RTErrWinQueryDefine(dwErr, s_szErr, sizeof(s_szErr), true /*fFailIfUnknown*/) == VERR_NOT_FOUND)
|
---|
106 | RTStrPrintf(s_szErr, sizeof(s_szErr), "%#x (%d)", dwErr, dwErr);
|
---|
107 | return s_szErr;
|
---|
108 | }
|
---|
109 | }
|
---|
110 | }
|
---|
111 |
|
---|
112 | #if 0 /* hacking */
|
---|
113 | static RTEXITCODE addToStore(const char *pszFilename, PCRTUTF16 pwszStore)
|
---|
114 | {
|
---|
115 | /*
|
---|
116 | * Open the source.
|
---|
117 | */
|
---|
118 | void *pvFile;
|
---|
119 | size_t cbFile;
|
---|
120 | int rc = RTFileReadAll(pszFilename, &pvFile, &cbFile);
|
---|
121 | if (RT_FAILURE(rc))
|
---|
122 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTFileReadAll failed on '%s': %Rrc", pszFilename, rc);
|
---|
123 |
|
---|
124 | RTEXITCODE rcExit = RTEXITCODE_FAILURE;
|
---|
125 |
|
---|
126 | PCCERT_CONTEXT pCertCtx = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
---|
127 | (PBYTE)pvFile,
|
---|
128 | (DWORD)cbFile);
|
---|
129 | if (pCertCtx)
|
---|
130 | {
|
---|
131 | /*
|
---|
132 | * Open the destination.
|
---|
133 | */
|
---|
134 | HCERTSTORE hDstStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
---|
135 | PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
|
---|
136 | NULL /* hCryptProv = default */,
|
---|
137 | /*CERT_SYSTEM_STORE_LOCAL_MACHINE*/ CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG,
|
---|
138 | pwszStore);
|
---|
139 | if (hDstStore != NULL)
|
---|
140 | {
|
---|
141 | #if 0
|
---|
142 | DWORD dwContextType;
|
---|
143 | if (CertAddSerializedElementToStore(hDstStore,
|
---|
144 | pCertCtx->pbCertEncoded,
|
---|
145 | pCertCtx->cbCertEncoded,
|
---|
146 | CERT_STORE_ADD_NEW,
|
---|
147 | 0 /* dwFlags (reserved) */,
|
---|
148 | CERT_STORE_ALL_CONTEXT_FLAG,
|
---|
149 | &dwContextType,
|
---|
150 | NULL))
|
---|
151 | {
|
---|
152 | RTMsgInfo("Successfully added '%s' to the '%ls' store (ctx type %u)", pszFilename, pwszStore, dwContextType);
|
---|
153 | rcExit = RTEXITCODE_SUCCESS;
|
---|
154 | }
|
---|
155 | else
|
---|
156 | RTMsgError("CertAddSerializedElementToStore returned %s", errorToString(GetLastError()));
|
---|
157 | #else
|
---|
158 | if (CertAddCertificateContextToStore(hDstStore, pCertCtx, CERT_STORE_ADD_NEW, NULL))
|
---|
159 | {
|
---|
160 | RTMsgInfo("Successfully added '%s' to the '%ls' store", pszFilename, pwszStore);
|
---|
161 | rcExit = RTEXITCODE_SUCCESS;
|
---|
162 | }
|
---|
163 | else
|
---|
164 | RTMsgError("CertAddCertificateContextToStore returned %s", errorToString(GetLastError()));
|
---|
165 | #endif
|
---|
166 |
|
---|
167 | CertCloseStore(hDstStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
---|
168 | }
|
---|
169 | else
|
---|
170 | RTMsgError("CertOpenStore returned %s", errorToString(GetLastError()));
|
---|
171 | CertFreeCertificateContext(pCertCtx);
|
---|
172 | }
|
---|
173 | else
|
---|
174 | RTMsgError("CertCreateCertificateContext returned %s", errorToString(GetLastError()));
|
---|
175 | RTFileReadAllFree(pvFile, cbFile);
|
---|
176 | return rcExit;
|
---|
177 |
|
---|
178 | #if 0
|
---|
179 |
|
---|
180 | CRYPT_DATA_BLOB Blob;
|
---|
181 | Blob.cbData = (DWORD)cbData;
|
---|
182 | Blob.pbData = (PBYTE)pvData;
|
---|
183 | HCERTSTORE hSrcStore = PFXImportCertStore(&Blob, L"", )
|
---|
184 |
|
---|
185 | #endif
|
---|
186 | }
|
---|
187 | #endif /* hacking */
|
---|
188 |
|
---|
189 |
|
---|
190 | /**
|
---|
191 | * Reads a certificate from a file, returning a context or a the handle to a
|
---|
192 | * temporary memory store.
|
---|
193 | *
|
---|
194 | * @returns true on success, false on failure (error message written).
|
---|
195 | * @param pszCertFile The name of the file containing the
|
---|
196 | * certificates.
|
---|
197 | * @param ppOutCtx Where to return the certificate context.
|
---|
198 | * @param phSrcStore Where to return the handle to the temporary
|
---|
199 | * memory store.
|
---|
200 | */
|
---|
201 | static bool readCertFile(const char *pszCertFile, PCCERT_CONTEXT *ppOutCtx, HCERTSTORE *phSrcStore)
|
---|
202 | {
|
---|
203 | *ppOutCtx = NULL;
|
---|
204 | *phSrcStore = NULL;
|
---|
205 |
|
---|
206 | bool fRc = false;
|
---|
207 | void *pvFile;
|
---|
208 | size_t cbFile;
|
---|
209 | int rc = RTFileReadAll(pszCertFile, &pvFile, &cbFile);
|
---|
210 | if (RT_SUCCESS(rc))
|
---|
211 | {
|
---|
212 | *ppOutCtx = CertCreateCertificateContext(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
---|
213 | (PBYTE)pvFile, (DWORD)cbFile);
|
---|
214 | if (*ppOutCtx)
|
---|
215 | fRc = true;
|
---|
216 | else
|
---|
217 | {
|
---|
218 | /** @todo figure out if it's some other format... */
|
---|
219 | RTMsgError("CertCreateCertificateContext returned %s parsing the content of '%s'",
|
---|
220 | errorToString(GetLastError()), pszCertFile);
|
---|
221 | }
|
---|
222 | RTFileReadAllFree(pvFile, cbFile);
|
---|
223 | }
|
---|
224 | else
|
---|
225 | RTMsgError("RTFileReadAll failed on '%s': %Rrc", pszCertFile, rc);
|
---|
226 | return fRc;
|
---|
227 | }
|
---|
228 |
|
---|
229 |
|
---|
230 | /**
|
---|
231 | * Opens a certificate store.
|
---|
232 | *
|
---|
233 | * @returns true on success, false on failure (error message written).
|
---|
234 | * @param dwDst The destination, like
|
---|
235 | * CERT_SYSTEM_STORE_LOCAL_MACHINE or
|
---|
236 | * CERT_SYSTEM_STORE_CURRENT_USER.
|
---|
237 | * @param pszStoreNm The store name.
|
---|
238 | */
|
---|
239 | static HCERTSTORE openCertStore(DWORD dwDst, const char *pszStoreNm)
|
---|
240 | {
|
---|
241 | HCERTSTORE hStore = NULL;
|
---|
242 | PRTUTF16 pwszStoreNm;
|
---|
243 | int rc = RTStrToUtf16(pszStoreNm, &pwszStoreNm);
|
---|
244 | if (RT_SUCCESS(rc))
|
---|
245 | {
|
---|
246 | if (g_cVerbosityLevel > 1)
|
---|
247 | RTMsgInfo("Opening store %#x:'%s'", dwDst, pszStoreNm);
|
---|
248 |
|
---|
249 | /*
|
---|
250 | * Make sure CERT_STORE_OPEN_EXISTING_FLAG is not set. This causes Windows XP
|
---|
251 | * to return ACCESS_DENIED when installing TrustedPublisher certificates via
|
---|
252 | * CertAddCertificateContextToStore() if the TrustedPublisher store never has
|
---|
253 | * been used (through certmgr.exe and friends) yet.
|
---|
254 | *
|
---|
255 | * According to MSDN, if neither CERT_STORE_OPEN_EXISTING_FLAG nor
|
---|
256 | * CERT_STORE_CREATE_NEW_FLAG is set, the store will be either opened or
|
---|
257 | * created accordingly.
|
---|
258 | */
|
---|
259 | dwDst &= ~CERT_STORE_OPEN_EXISTING_FLAG;
|
---|
260 |
|
---|
261 | hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
---|
262 | PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
|
---|
263 | NULL /* hCryptProv = default */,
|
---|
264 | dwDst,
|
---|
265 | pwszStoreNm);
|
---|
266 | if (hStore == NULL)
|
---|
267 | RTMsgError("CertOpenStore failed opening %#x:'%s': %s",
|
---|
268 | dwDst, pszStoreNm, errorToString(GetLastError()));
|
---|
269 |
|
---|
270 | RTUtf16Free(pwszStoreNm);
|
---|
271 | }
|
---|
272 | return hStore;
|
---|
273 | }
|
---|
274 |
|
---|
275 | /**
|
---|
276 | * Removes a certificate, given by file, from a store
|
---|
277 | *
|
---|
278 | * @returns true on success, false on failure (error message written).
|
---|
279 | * @param dwDst The destination, like
|
---|
280 | * CERT_SYSTEM_STORE_LOCAL_MACHINE or
|
---|
281 | * CERT_SYSTEM_STORE_CURRENT_USER.
|
---|
282 | * @param pszStoreNm The store name.
|
---|
283 | * @param pszCertFile The file containing the certificate to add.
|
---|
284 | */
|
---|
285 | static bool removeCertFromStoreByFile(DWORD dwDst, const char *pszStoreNm, const char *pszCertFile)
|
---|
286 | {
|
---|
287 | /*
|
---|
288 | * Read the certificate file first.
|
---|
289 | */
|
---|
290 | PCCERT_CONTEXT pSrcCtx = NULL;
|
---|
291 | HCERTSTORE hSrcStore = NULL;
|
---|
292 | if (!readCertFile(pszCertFile, &pSrcCtx, &hSrcStore))
|
---|
293 | return false;
|
---|
294 |
|
---|
295 | WCHAR wszName[1024];
|
---|
296 | if (!CertGetNameStringW(pSrcCtx, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0 /*dwFlags*/, NULL /*pvTypePara*/,
|
---|
297 | wszName, sizeof(wszName)))
|
---|
298 | {
|
---|
299 | RTMsgError("CertGetNameStringW(Subject) failed: %s\n", errorToString(GetLastError()));
|
---|
300 | wszName[0] = '\0';
|
---|
301 | }
|
---|
302 |
|
---|
303 | /*
|
---|
304 | * Open the destination store.
|
---|
305 | */
|
---|
306 | bool fRc = false;
|
---|
307 | HCERTSTORE hDstStore = openCertStore(dwDst, pszStoreNm);
|
---|
308 | if (hDstStore)
|
---|
309 | {
|
---|
310 | if (pSrcCtx)
|
---|
311 | {
|
---|
312 | fRc = true;
|
---|
313 | unsigned cDeleted = 0;
|
---|
314 | PCCERT_CONTEXT pCurCtx = NULL;
|
---|
315 | while ((pCurCtx = CertEnumCertificatesInStore(hDstStore, pCurCtx)) != NULL)
|
---|
316 | {
|
---|
317 | if (CertCompareCertificate(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, pCurCtx->pCertInfo, pSrcCtx->pCertInfo))
|
---|
318 | {
|
---|
319 | if (g_cVerbosityLevel > 1)
|
---|
320 | RTMsgInfo("Removing '%ls'...", wszName);
|
---|
321 | PCCERT_CONTEXT pDeleteCtx = CertDuplicateCertificateContext(pCurCtx);
|
---|
322 | if (pDeleteCtx)
|
---|
323 | {
|
---|
324 | if (CertDeleteCertificateFromStore(pDeleteCtx))
|
---|
325 | cDeleted++;
|
---|
326 | else
|
---|
327 | RTMsgError("CertDeleteFromStore('%ls') failed: %s\n", wszName, errorToString(GetLastError()));
|
---|
328 | }
|
---|
329 | else
|
---|
330 | RTMsgError("CertDuplicateCertificateContext('%ls') failed: %s\n", wszName, errorToString(GetLastError()));
|
---|
331 | }
|
---|
332 | }
|
---|
333 |
|
---|
334 | if (!cDeleted)
|
---|
335 | RTMsgInfo("Found no matching certificates to remove.");
|
---|
336 | }
|
---|
337 | else
|
---|
338 | {
|
---|
339 | RTMsgError("Path not implemented at line %d\n", __LINE__);
|
---|
340 | }
|
---|
341 |
|
---|
342 | CertCloseStore(hDstStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
---|
343 | }
|
---|
344 | if (pSrcCtx)
|
---|
345 | CertFreeCertificateContext(pSrcCtx);
|
---|
346 | if (hSrcStore)
|
---|
347 | CertCloseStore(hSrcStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
---|
348 | return fRc;
|
---|
349 | }
|
---|
350 |
|
---|
351 | /**
|
---|
352 | * Adds a certificate to a store.
|
---|
353 | *
|
---|
354 | * @returns true on success, false on failure (error message written).
|
---|
355 | * @param dwDst The destination, like
|
---|
356 | * CERT_SYSTEM_STORE_LOCAL_MACHINE or
|
---|
357 | * CERT_SYSTEM_STORE_CURRENT_USER.
|
---|
358 | * @param pszStoreNm The store name.
|
---|
359 | * @param pszCertFile The file containing the certificate to add.
|
---|
360 | * @param dwDisposition The disposition towards existing certificates when
|
---|
361 | * adding it. CERT_STORE_ADD_NEW is a safe one.
|
---|
362 | */
|
---|
363 | static bool addCertToStore(DWORD dwDst, const char *pszStoreNm, const char *pszCertFile, DWORD dwDisposition)
|
---|
364 | {
|
---|
365 | /*
|
---|
366 | * Read the certificate file first.
|
---|
367 | */
|
---|
368 | PCCERT_CONTEXT pSrcCtx = NULL;
|
---|
369 | HCERTSTORE hSrcStore = NULL;
|
---|
370 | if (!readCertFile(pszCertFile, &pSrcCtx, &hSrcStore))
|
---|
371 | return false;
|
---|
372 |
|
---|
373 | /*
|
---|
374 | * Open the destination store.
|
---|
375 | */
|
---|
376 | bool fRc = false;
|
---|
377 | HCERTSTORE hDstStore = openCertStore(dwDst, pszStoreNm);
|
---|
378 | if (hDstStore)
|
---|
379 | {
|
---|
380 | if (pSrcCtx)
|
---|
381 | {
|
---|
382 | if (g_cVerbosityLevel > 1)
|
---|
383 | RTMsgInfo("Adding '%s' to %#x:'%s'... (disp %d)", pszCertFile, dwDst, pszStoreNm, dwDisposition);
|
---|
384 |
|
---|
385 | if (CertAddCertificateContextToStore(hDstStore, pSrcCtx, dwDisposition, NULL))
|
---|
386 | fRc = true;
|
---|
387 | else
|
---|
388 | RTMsgError("CertAddCertificateContextToStore returned %s", errorToString(GetLastError()));
|
---|
389 | }
|
---|
390 | else
|
---|
391 | RTMsgError("Path not implemented at line %d\n", __LINE__);
|
---|
392 |
|
---|
393 | CertCloseStore(hDstStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
---|
394 | }
|
---|
395 | if (pSrcCtx)
|
---|
396 | CertFreeCertificateContext(pSrcCtx);
|
---|
397 | if (hSrcStore)
|
---|
398 | CertCloseStore(hSrcStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
---|
399 | return fRc;
|
---|
400 | }
|
---|
401 |
|
---|
402 | /**
|
---|
403 | * Worker for cmdDisplayAll.
|
---|
404 | */
|
---|
405 | static BOOL WINAPI displaySystemStoreCallback(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo,
|
---|
406 | void *pvReserved, void *pvArg) RT_NOTHROW_DEF
|
---|
407 | {
|
---|
408 | RT_NOREF(pvArg);
|
---|
409 | if (g_cVerbosityLevel > 1)
|
---|
410 | RTPrintf(" pvSystemStore=%p dwFlags=%#x pStoreInfo=%p pvReserved=%p\n", pvSystemStore, dwFlags, pStoreInfo, pvReserved);
|
---|
411 | LPCWSTR pwszStoreNm = NULL;
|
---|
412 | if (dwFlags & CERT_SYSTEM_STORE_RELOCATE_FLAG)
|
---|
413 | {
|
---|
414 | const CERT_SYSTEM_STORE_RELOCATE_PARA *pRelPara = (const CERT_SYSTEM_STORE_RELOCATE_PARA *)pvSystemStore;
|
---|
415 | pwszStoreNm = pRelPara->pwszSystemStore;
|
---|
416 | RTPrintf(" %#010x '%ls' hKeyBase=%p\n", dwFlags, pwszStoreNm, pRelPara->hKeyBase);
|
---|
417 | }
|
---|
418 | else
|
---|
419 | {
|
---|
420 | pwszStoreNm = (LPCWSTR)pvSystemStore;
|
---|
421 | RTPrintf(" %#010x '%ls'\n", dwFlags, pwszStoreNm);
|
---|
422 | }
|
---|
423 |
|
---|
424 | /*
|
---|
425 | * Open the store and list the certificates within.
|
---|
426 | */
|
---|
427 | DWORD dwDst = (dwFlags & CERT_SYSTEM_STORE_LOCATION_MASK);
|
---|
428 | HCERTSTORE hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
---|
429 | PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
|
---|
430 | NULL /* hCryptProv = default */,
|
---|
431 | dwDst | CERT_STORE_OPEN_EXISTING_FLAG,
|
---|
432 | pwszStoreNm);
|
---|
433 | if (hStore)
|
---|
434 | {
|
---|
435 | PCCERT_CONTEXT pCertCtx = NULL;
|
---|
436 | while ((pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx)) != NULL)
|
---|
437 | {
|
---|
438 | if (g_cVerbosityLevel > 1)
|
---|
439 | RTPrintf(" pCertCtx=%p dwCertEncodingType=%#x cbCertEncoded=%#x pCertInfo=%p\n",
|
---|
440 | pCertCtx, pCertCtx->dwCertEncodingType, pCertCtx->cbCertEncoded, pCertCtx->pCertInfo);
|
---|
441 | WCHAR wszName[1024];
|
---|
442 | if (CertGetNameStringW(pCertCtx, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0 /*dwFlags*/, NULL /*pvTypePara*/,
|
---|
443 | wszName, sizeof(wszName)))
|
---|
444 | {
|
---|
445 | RTPrintf(" '%ls'\n", wszName);
|
---|
446 | if (pCertCtx->pCertInfo)
|
---|
447 | {
|
---|
448 | RTTIMESPEC TmpTS;
|
---|
449 | char szNotBefore[80];
|
---|
450 | RTTimeSpecToString(RTTimeSpecSetNtFileTime(&TmpTS, &pCertCtx->pCertInfo->NotBefore),
|
---|
451 | szNotBefore, sizeof(szNotBefore));
|
---|
452 | char szNotAfter[80];
|
---|
453 | RTTimeSpecToString(RTTimeSpecSetNtFileTime(&TmpTS, &pCertCtx->pCertInfo->NotAfter),
|
---|
454 | szNotAfter, sizeof(szNotAfter));
|
---|
455 |
|
---|
456 | RTPrintf(" NotBefore='%s'\n", szNotBefore);
|
---|
457 | RTPrintf(" NotAfter ='%s'\n", szNotAfter);
|
---|
458 | if (pCertCtx->pCertInfo->Issuer.cbData)
|
---|
459 | {
|
---|
460 | if (CertGetNameStringW(pCertCtx, CERT_NAME_SIMPLE_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL /*pvTypePara*/,
|
---|
461 | wszName, sizeof(wszName)))
|
---|
462 | RTPrintf(" Issuer='%ls'\n", wszName);
|
---|
463 | else
|
---|
464 | RTMsgError("CertGetNameStringW(Issuer) failed: %s\n", errorToString(GetLastError()));
|
---|
465 | }
|
---|
466 | }
|
---|
467 | }
|
---|
468 | else
|
---|
469 | RTMsgError("CertGetNameStringW(Subject) failed: %s\n", errorToString(GetLastError()));
|
---|
470 |
|
---|
471 | }
|
---|
472 |
|
---|
473 | CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG);
|
---|
474 | }
|
---|
475 | else
|
---|
476 | RTMsgError("CertOpenStore failed opening %#x:'%ls': %s\n", dwDst, pwszStoreNm, errorToString(GetLastError()));
|
---|
477 |
|
---|
478 | return TRUE;
|
---|
479 | }
|
---|
480 |
|
---|
481 | /**
|
---|
482 | * Worker for cmdDisplayAll.
|
---|
483 | */
|
---|
484 | static BOOL WINAPI
|
---|
485 | displaySystemStoreLocation(LPCWSTR pwszStoreLocation, DWORD dwFlags, void *pvReserved, void *pvArg) RT_NOTHROW_DEF
|
---|
486 | {
|
---|
487 | NOREF(pvReserved); NOREF(pvArg);
|
---|
488 | RTPrintf("System store location: %#010x '%ls'\n", dwFlags, pwszStoreLocation);
|
---|
489 | if (!CertEnumSystemStore(dwFlags, NULL, NULL /*pvArg*/, displaySystemStoreCallback))
|
---|
490 | RTMsgError("CertEnumSystemStore failed on %#x:'%ls': %s\n",
|
---|
491 | dwFlags, pwszStoreLocation, errorToString(GetLastError()));
|
---|
492 |
|
---|
493 | return TRUE;
|
---|
494 | }
|
---|
495 |
|
---|
496 | /**
|
---|
497 | * Handler for the 'display-all' command.
|
---|
498 | */
|
---|
499 | static RTEXITCODE cmdDisplayAll(int argc, char **argv)
|
---|
500 | {
|
---|
501 | RT_NOREF(argv);
|
---|
502 | if (argc != 1)
|
---|
503 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "the display-all command takes no arguments\n");
|
---|
504 |
|
---|
505 | if (!CertEnumSystemStoreLocation(0, NULL /*pvArg*/, displaySystemStoreLocation))
|
---|
506 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "CertEnumSystemStoreLocation failed: %s\n", errorToString(GetLastError()));
|
---|
507 |
|
---|
508 | return RTEXITCODE_SUCCESS;
|
---|
509 | }
|
---|
510 |
|
---|
511 | /**
|
---|
512 | * Handler for the 'remove-trusted-publisher' command.
|
---|
513 | */
|
---|
514 | static RTEXITCODE cmdRemoveTrustedPublisher(int argc, char **argv)
|
---|
515 | {
|
---|
516 | /*
|
---|
517 | * Parse arguments.
|
---|
518 | */
|
---|
519 | static const RTGETOPTDEF s_aOptions[] =
|
---|
520 | {
|
---|
521 | { "--root", 'r', RTGETOPT_REQ_STRING },
|
---|
522 | };
|
---|
523 |
|
---|
524 | const char *pszRootCert = NULL;
|
---|
525 | const char *pszTrustedCert = NULL;
|
---|
526 |
|
---|
527 | int rc;
|
---|
528 | RTGETOPTUNION ValueUnion;
|
---|
529 | RTGETOPTSTATE GetState;
|
---|
530 | RTGetOptInit(&GetState, argc, argv, s_aOptions, RT_ELEMENTS(s_aOptions), 1, 0);
|
---|
531 | while ((rc = RTGetOpt(&GetState, &ValueUnion)))
|
---|
532 | {
|
---|
533 | switch (rc)
|
---|
534 | {
|
---|
535 | case 'h':
|
---|
536 | RTPrintf("Usage: VBoxCertUtil remove-trusted-publisher [--root <root-cert>] <trusted-cert>\n");
|
---|
537 | break;
|
---|
538 |
|
---|
539 | case 'V':
|
---|
540 | RTPrintf("%sr%d\n", RTBldCfgVersion(), RTBldCfgRevision());
|
---|
541 | return RTEXITCODE_SUCCESS;
|
---|
542 |
|
---|
543 | case 'r':
|
---|
544 | if (pszRootCert)
|
---|
545 | return RTMsgErrorExit(RTEXITCODE_SUCCESS,
|
---|
546 | "You've already specified '%s' as root certificate.",
|
---|
547 | pszRootCert);
|
---|
548 | pszRootCert = ValueUnion.psz;
|
---|
549 | break;
|
---|
550 |
|
---|
551 | case VINF_GETOPT_NOT_OPTION:
|
---|
552 | if (pszTrustedCert)
|
---|
553 | return RTMsgErrorExit(RTEXITCODE_SUCCESS,
|
---|
554 | "You've already specified '%s' as trusted certificate.",
|
---|
555 | pszRootCert);
|
---|
556 | pszTrustedCert = ValueUnion.psz;
|
---|
557 | break;
|
---|
558 |
|
---|
559 | default:
|
---|
560 | return RTGetOptPrintError(rc, &ValueUnion);
|
---|
561 | }
|
---|
562 | }
|
---|
563 | if (!pszTrustedCert)
|
---|
564 | return RTMsgErrorExit(RTEXITCODE_SUCCESS, "No trusted certificate specified.");
|
---|
565 |
|
---|
566 | /*
|
---|
567 | * Do the job.
|
---|
568 | */
|
---|
569 | if ( pszRootCert
|
---|
570 | && !removeCertFromStoreByFile(CERT_SYSTEM_STORE_LOCAL_MACHINE, "Root", pszRootCert))
|
---|
571 | return RTEXITCODE_FAILURE;
|
---|
572 | if (!removeCertFromStoreByFile(CERT_SYSTEM_STORE_LOCAL_MACHINE, "TrustedPublisher", pszTrustedCert))
|
---|
573 | return RTEXITCODE_FAILURE;
|
---|
574 |
|
---|
575 | if (g_cVerbosityLevel > 0)
|
---|
576 | {
|
---|
577 | if (pszRootCert)
|
---|
578 | RTMsgInfo("Successfully removed '%s' as root and '%s' as trusted publisher", pszRootCert, pszTrustedCert);
|
---|
579 | else
|
---|
580 | RTMsgInfo("Successfully removed '%s' as trusted publisher", pszTrustedCert);
|
---|
581 | }
|
---|
582 | return RTEXITCODE_SUCCESS;
|
---|
583 | }
|
---|
584 |
|
---|
585 |
|
---|
586 | /**
|
---|
587 | * Handler for the 'add-trusted-publisher' command.
|
---|
588 | */
|
---|
589 | static RTEXITCODE cmdAddTrustedPublisher(int argc, char **argv)
|
---|
590 | {
|
---|
591 | /*
|
---|
592 | * Parse arguments and execute imports as we move along.
|
---|
593 | */
|
---|
594 | static const RTGETOPTDEF s_aOptions[] =
|
---|
595 | {
|
---|
596 | { "--root", 'r', RTGETOPT_REQ_STRING },
|
---|
597 | };
|
---|
598 |
|
---|
599 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
600 | unsigned cImports = 0;
|
---|
601 | RTGETOPTUNION ValueUnion;
|
---|
602 | RTGETOPTSTATE GetState;
|
---|
603 | int rc = RTGetOptInit(&GetState, argc, argv, s_aOptions, RT_ELEMENTS(s_aOptions), 1, 0);
|
---|
604 | AssertRC(rc);
|
---|
605 | while ((rc = RTGetOpt(&GetState, &ValueUnion)))
|
---|
606 | {
|
---|
607 | switch (rc)
|
---|
608 | {
|
---|
609 | case 'h':
|
---|
610 | RTPrintf("Usage: VBoxCertUtil add-trusted-publisher [--root <root-cert>] <trusted-cert>\n");
|
---|
611 | break;
|
---|
612 |
|
---|
613 | case 'V':
|
---|
614 | RTPrintf("%sr%d\n", RTBldCfgVersion(), RTBldCfgRevision());
|
---|
615 | return RTEXITCODE_SUCCESS;
|
---|
616 |
|
---|
617 | case 'r':
|
---|
618 | case VINF_GETOPT_NOT_OPTION:
|
---|
619 | {
|
---|
620 | const char * const pszStoreNm = rc == 'r' ? "Root" : "TrustedPublisher";
|
---|
621 | const char * const pszStoreDesc = rc == 'r' ? "root" : "trusted publisher";
|
---|
622 | PCRTPATHGLOBENTRY pResultHead;
|
---|
623 | rc = RTPathGlob(ValueUnion.psz, RTPATHGLOB_F_NO_DIRS, &pResultHead, NULL);
|
---|
624 | if (RT_SUCCESS(rc))
|
---|
625 | {
|
---|
626 | for (PCRTPATHGLOBENTRY pCur = pResultHead; pCur; pCur = pCur->pNext)
|
---|
627 | {
|
---|
628 | if (addCertToStore(CERT_SYSTEM_STORE_LOCAL_MACHINE, pszStoreNm, pCur->szPath, CERT_STORE_ADD_NEW))
|
---|
629 | RTMsgInfo("Successfully added '%s' as %s", pCur->szPath, pszStoreDesc);
|
---|
630 | else
|
---|
631 | rcExit = RTEXITCODE_FAILURE;
|
---|
632 | cImports++;
|
---|
633 | }
|
---|
634 | RTPathGlobFree(pResultHead);
|
---|
635 | }
|
---|
636 | else
|
---|
637 | {
|
---|
638 | rcExit = RTMsgErrorExit(RTEXITCODE_SUCCESS, "glob failed on '%s': %Rrc", ValueUnion.psz, rc);
|
---|
639 | cImports++;
|
---|
640 | }
|
---|
641 | break;
|
---|
642 | }
|
---|
643 |
|
---|
644 | default:
|
---|
645 | return RTGetOptPrintError(rc, &ValueUnion);
|
---|
646 | }
|
---|
647 | }
|
---|
648 | if (cImports == 0)
|
---|
649 | return RTMsgErrorExit(RTEXITCODE_SUCCESS, "No trusted or root certificates specified.");
|
---|
650 | return rcExit;
|
---|
651 | }
|
---|
652 |
|
---|
653 |
|
---|
654 | /**
|
---|
655 | * Displays the usage info.
|
---|
656 | * @param argv0 Program name.
|
---|
657 | */
|
---|
658 | static void showUsage(const char *argv0)
|
---|
659 | {
|
---|
660 | RTPrintf("Usage: %Rbn [-v[v]] <command>\n"
|
---|
661 | " or %Rbn <-V|--version>\n"
|
---|
662 | " or %Rbn <-h|--help>\n"
|
---|
663 | "\n"
|
---|
664 | "Available commands:\n"
|
---|
665 | " add-trusted-publisher, remove-trusted-publisher,\n"
|
---|
666 | " display-all\n"
|
---|
667 | , argv0, argv0, argv0);
|
---|
668 | }
|
---|
669 |
|
---|
670 |
|
---|
671 | int main(int argc, char **argv)
|
---|
672 | {
|
---|
673 | int rc = RTR3InitExe(argc, &argv, 0);
|
---|
674 | if (RT_FAILURE(rc))
|
---|
675 | return RTMsgInitFailure(rc);
|
---|
676 |
|
---|
677 | /*
|
---|
678 | * Parse arguments up to the command and pass it on to the command handlers.
|
---|
679 | */
|
---|
680 | typedef enum
|
---|
681 | {
|
---|
682 | VCUACTION_ADD_TRUSTED_PUBLISHER = 1000,
|
---|
683 | VCUACTION_REMOVE_TRUSTED_PUBLISHER,
|
---|
684 | VCUACTION_DISPLAY_ALL,
|
---|
685 | VCUACTION_END
|
---|
686 | } VCUACTION;
|
---|
687 |
|
---|
688 | static const RTGETOPTDEF s_aOptions[] =
|
---|
689 | {
|
---|
690 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
691 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
692 | { "add-trusted-publisher", VCUACTION_ADD_TRUSTED_PUBLISHER, RTGETOPT_REQ_NOTHING },
|
---|
693 | { "remove-trusted-publisher", VCUACTION_REMOVE_TRUSTED_PUBLISHER, RTGETOPT_REQ_NOTHING },
|
---|
694 | { "display-all", VCUACTION_DISPLAY_ALL, RTGETOPT_REQ_NOTHING },
|
---|
695 | };
|
---|
696 |
|
---|
697 | RTGETOPTUNION ValueUnion;
|
---|
698 | RTGETOPTSTATE GetState;
|
---|
699 | RTGetOptInit(&GetState, argc, argv, s_aOptions, RT_ELEMENTS(s_aOptions), 1, 0);
|
---|
700 | while ((rc = RTGetOpt(&GetState, &ValueUnion)))
|
---|
701 | {
|
---|
702 | switch (rc)
|
---|
703 | {
|
---|
704 | case 'v':
|
---|
705 | g_cVerbosityLevel++;
|
---|
706 | break;
|
---|
707 |
|
---|
708 | case 'q':
|
---|
709 | if (g_cVerbosityLevel > 0)
|
---|
710 | g_cVerbosityLevel--;
|
---|
711 | break;
|
---|
712 |
|
---|
713 | case 'h':
|
---|
714 | showUsage(argv[0]);
|
---|
715 | return RTEXITCODE_SUCCESS;
|
---|
716 |
|
---|
717 | case 'V':
|
---|
718 | RTPrintf("%sr%d\n", RTBldCfgVersion(), RTBldCfgRevision());
|
---|
719 | return RTEXITCODE_SUCCESS;
|
---|
720 |
|
---|
721 | case VCUACTION_ADD_TRUSTED_PUBLISHER:
|
---|
722 | return cmdAddTrustedPublisher(argc - GetState.iNext + 1, argv + GetState.iNext - 1);
|
---|
723 |
|
---|
724 | case VCUACTION_REMOVE_TRUSTED_PUBLISHER:
|
---|
725 | return cmdRemoveTrustedPublisher(argc - GetState.iNext + 1, argv + GetState.iNext - 1);
|
---|
726 |
|
---|
727 | case VCUACTION_DISPLAY_ALL:
|
---|
728 | return cmdDisplayAll(argc - GetState.iNext + 1, argv + GetState.iNext - 1);
|
---|
729 |
|
---|
730 | default:
|
---|
731 | return RTGetOptPrintError(rc, &ValueUnion);
|
---|
732 | }
|
---|
733 | }
|
---|
734 |
|
---|
735 | RTMsgError("Missing command...");
|
---|
736 | showUsage(argv[0]);
|
---|
737 | return RTEXITCODE_SYNTAX;
|
---|
738 | }
|
---|
739 |
|
---|