2022-02-02 01:23:34 +03:00
|
|
|
/**
|
|
|
|
* FreeRDP: A Remote Desktop Protocol Implementation
|
|
|
|
* Logging in with smartcards
|
|
|
|
*
|
|
|
|
* Copyright 2022 David Fort <contact@hardening-consulting.com>
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include <openssl/bio.h>
|
|
|
|
#include <openssl/x509.h>
|
|
|
|
#include <openssl/x509v3.h>
|
|
|
|
#include <openssl/objects.h>
|
|
|
|
|
|
|
|
#include <winpr/error.h>
|
|
|
|
#include <winpr/ncrypt.h>
|
|
|
|
#include <winpr/string.h>
|
|
|
|
#include <winpr/wlog.h>
|
|
|
|
#include <winpr/crypto.h>
|
2022-02-02 17:57:05 +03:00
|
|
|
#include <winpr/path.h>
|
2022-02-02 01:23:34 +03:00
|
|
|
|
|
|
|
#include <freerdp/log.h>
|
|
|
|
|
2022-02-23 18:26:14 +03:00
|
|
|
#include <freerdp/utils/smartcardlogon.h>
|
2022-02-02 01:23:34 +03:00
|
|
|
|
|
|
|
#define TAG FREERDP_TAG("smartcardlogon")
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
struct SmartcardKeyInfo_st
|
2022-02-02 17:57:05 +03:00
|
|
|
{
|
|
|
|
char* certPath;
|
|
|
|
char* keyPath;
|
|
|
|
};
|
|
|
|
|
|
|
|
static void delete_file(char* path)
|
|
|
|
{
|
|
|
|
if (!path)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* Overwrite data in files before deletion */
|
|
|
|
{
|
|
|
|
FILE* fp = winpr_fopen(path, "r+");
|
|
|
|
if (fp)
|
|
|
|
{
|
2022-10-25 14:46:49 +03:00
|
|
|
const char buffer[8192] = { 0 };
|
2022-02-02 17:57:05 +03:00
|
|
|
INT64 x, size = 0;
|
|
|
|
int rs = _fseeki64(fp, 0, SEEK_END);
|
|
|
|
if (rs == 0)
|
|
|
|
size = _ftelli64(fp);
|
|
|
|
_fseeki64(fp, 0, SEEK_SET);
|
2022-10-25 14:46:49 +03:00
|
|
|
|
|
|
|
for (x = 0; x < size; x += sizeof(buffer))
|
|
|
|
{
|
|
|
|
fwrite(buffer, MIN(sizeof(buffer), size - x), 1, fp);
|
|
|
|
}
|
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
fclose(fp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-10-25 14:46:49 +03:00
|
|
|
winpr_DeleteFile(path);
|
2022-02-02 17:57:05 +03:00
|
|
|
free(path);
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
static void smartcardKeyInfo_Free(SmartcardKeyInfo* key_info)
|
2022-02-02 17:57:05 +03:00
|
|
|
{
|
2022-10-14 19:58:30 +03:00
|
|
|
if (!key_info)
|
2022-02-02 17:57:05 +03:00
|
|
|
return;
|
2022-10-14 19:58:30 +03:00
|
|
|
|
|
|
|
delete_file(key_info->certPath);
|
|
|
|
delete_file(key_info->keyPath);
|
|
|
|
|
|
|
|
free(key_info);
|
2022-02-02 17:57:05 +03:00
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
void smartcardCertInfo_Free(SmartcardCertInfo* scCert)
|
2022-02-02 17:57:05 +03:00
|
|
|
{
|
|
|
|
if (!scCert)
|
|
|
|
return;
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
free(scCert->csp);
|
|
|
|
free(scCert->reader);
|
|
|
|
crypto_cert_free(scCert->certificate);
|
|
|
|
free(scCert->pkinitArgs);
|
2022-10-16 18:36:20 +03:00
|
|
|
free(scCert->keyName);
|
2022-10-14 19:58:30 +03:00
|
|
|
free(scCert->containerName);
|
|
|
|
free(scCert->upn);
|
|
|
|
free(scCert->userHint);
|
|
|
|
free(scCert->domainHint);
|
|
|
|
free(scCert->subject);
|
|
|
|
free(scCert->issuer);
|
|
|
|
smartcardKeyInfo_Free(scCert->key_info);
|
2022-02-02 17:57:05 +03:00
|
|
|
|
|
|
|
free(scCert);
|
2022-10-14 19:58:30 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void smartcardCertList_Free(SmartcardCertInfo** cert_list, DWORD count)
|
|
|
|
{
|
|
|
|
if (!cert_list)
|
|
|
|
return;
|
|
|
|
|
|
|
|
for (DWORD i = 0; i < count; i++)
|
2022-10-25 14:28:32 +03:00
|
|
|
{
|
|
|
|
SmartcardCertInfo* cert = cert_list[i];
|
|
|
|
smartcardCertInfo_Free(cert);
|
|
|
|
}
|
2022-10-14 19:58:30 +03:00
|
|
|
|
|
|
|
free(cert_list);
|
2022-02-02 17:57:05 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static BOOL treat_sc_cert(SmartcardCertInfo* scCert)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-10-25 13:39:42 +03:00
|
|
|
WINPR_ASSERT(scCert);
|
|
|
|
|
2022-02-02 01:23:34 +03:00
|
|
|
scCert->upn = crypto_cert_get_upn(scCert->certificate->px509);
|
2022-10-06 13:25:17 +03:00
|
|
|
if (!scCert->upn)
|
2022-10-13 01:09:52 +03:00
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_DBG(TAG, "%s has no UPN, trying emailAddress", scCert->keyName);
|
2022-10-06 13:25:17 +03:00
|
|
|
scCert->upn = crypto_cert_get_email(scCert->certificate->px509);
|
2022-10-13 01:09:52 +03:00
|
|
|
}
|
2022-10-06 13:25:17 +03:00
|
|
|
|
2022-02-02 01:23:34 +03:00
|
|
|
if (scCert->upn)
|
|
|
|
{
|
|
|
|
size_t userLen;
|
|
|
|
const char* atPos = strchr(scCert->upn, '@');
|
|
|
|
|
|
|
|
if (!atPos)
|
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "invalid UPN, for key %s (no @)", scCert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
userLen = (size_t)(atPos - scCert->upn);
|
2022-02-02 01:23:34 +03:00
|
|
|
scCert->userHint = malloc(userLen + 1);
|
2022-07-14 10:32:12 +03:00
|
|
|
scCert->domainHint = _strdup(atPos + 1);
|
2022-02-02 01:23:34 +03:00
|
|
|
|
|
|
|
if (!scCert->userHint || !scCert->domainHint)
|
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "error allocating userHint or domainHint, for key %s", scCert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
memcpy(scCert->userHint, scCert->upn, userLen);
|
|
|
|
scCert->userHint[userLen] = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
scCert->subject = crypto_cert_subject(scCert->certificate->px509);
|
|
|
|
scCert->issuer = crypto_cert_issuer(scCert->certificate->px509);
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
static int allocating_sprintf(char** dst, const char* fmt, ...)
|
|
|
|
{
|
|
|
|
int rc;
|
|
|
|
va_list ap;
|
|
|
|
|
|
|
|
WINPR_ASSERT(dst);
|
|
|
|
|
|
|
|
va_start(ap, fmt);
|
|
|
|
rc = vsnprintf(NULL, 0, fmt, ap);
|
|
|
|
va_end(ap);
|
|
|
|
|
|
|
|
{
|
|
|
|
char* tmp = realloc(*dst, rc + 1);
|
|
|
|
if (!tmp)
|
|
|
|
return -1;
|
|
|
|
*dst = tmp;
|
|
|
|
}
|
|
|
|
va_start(ap, fmt);
|
|
|
|
rc = vsnprintf(*dst, rc + 1, fmt, ap);
|
|
|
|
va_end(ap);
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2022-02-02 01:23:34 +03:00
|
|
|
#ifndef _WIN32
|
2022-02-02 17:57:05 +03:00
|
|
|
static BOOL build_pkinit_args(const rdpSettings* settings, SmartcardCertInfo* scCert)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
|
|
|
/* pkinit args only under windows
|
|
|
|
* PKCS11:module_name=opensc-pkcs11.so
|
|
|
|
*/
|
2022-05-02 11:55:44 +03:00
|
|
|
const char* Pkcs11Module = freerdp_settings_get_string(settings, FreeRDP_Pkcs11Module);
|
|
|
|
const char* pkModule = Pkcs11Module ? Pkcs11Module : "opensc-pkcs11.so";
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
if (allocating_sprintf(&scCert->pkinitArgs, "PKCS11:module_name=%s:slotid=%" PRIu16, pkModule,
|
|
|
|
(UINT16)scCert->slotId) <= 0)
|
2022-02-02 01:23:34 +03:00
|
|
|
return FALSE;
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
2022-10-06 13:25:17 +03:00
|
|
|
static BOOL list_provider_keys(const rdpSettings* settings, NCRYPT_PROV_HANDLE provider,
|
|
|
|
LPCWSTR csp, LPCWSTR scope, const char* userFilter,
|
2022-10-14 19:58:30 +03:00
|
|
|
const char* domainFilter, SmartcardCertInfo*** pcerts,
|
|
|
|
size_t* pcount)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
|
|
|
BOOL ret = FALSE;
|
|
|
|
NCryptKeyName* keyName = NULL;
|
2022-10-06 13:25:17 +03:00
|
|
|
PVOID enumState = NULL;
|
2022-10-14 19:58:30 +03:00
|
|
|
SmartcardCertInfo** cert_list = *pcerts;
|
2022-10-06 13:25:17 +03:00
|
|
|
size_t count = *pcount;
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-04-28 10:56:11 +03:00
|
|
|
while (NCryptEnumKeys(provider, scope, &keyName, &enumState, NCRYPT_SILENT_FLAG) ==
|
2022-02-02 17:57:05 +03:00
|
|
|
ERROR_SUCCESS)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-02-02 17:57:05 +03:00
|
|
|
NCRYPT_KEY_HANDLE phKey = 0;
|
2022-02-02 01:23:34 +03:00
|
|
|
PBYTE certBytes = NULL;
|
2022-10-14 11:10:41 +03:00
|
|
|
DWORD dwFlags = NCRYPT_SILENT_FLAG;
|
2022-02-02 01:23:34 +03:00
|
|
|
DWORD cbOutput;
|
2022-10-14 19:58:30 +03:00
|
|
|
SmartcardCertInfo* cert = NULL;
|
2022-03-03 00:00:01 +03:00
|
|
|
BOOL haveError = TRUE;
|
2022-10-06 13:25:17 +03:00
|
|
|
SECURITY_STATUS status;
|
2022-02-02 17:57:05 +03:00
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
cert = calloc(1, sizeof(SmartcardCertInfo));
|
|
|
|
if (!cert)
|
|
|
|
goto out;
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-10-16 18:36:20 +03:00
|
|
|
if (ConvertFromUnicode(CP_UTF8, 0, keyName->pszName, -1, &cert->keyName, 0, NULL, NULL) <=
|
|
|
|
0)
|
2022-02-02 17:57:05 +03:00
|
|
|
goto endofloop;
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_DBG(TAG, "opening key %s", cert->keyName);
|
2022-10-13 01:09:52 +03:00
|
|
|
|
2022-10-14 11:10:41 +03:00
|
|
|
status =
|
|
|
|
NCryptOpenKey(provider, &phKey, keyName->pszName, keyName->dwLegacyKeySpec, dwFlags);
|
2022-02-02 01:23:34 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
2022-10-13 01:09:52 +03:00
|
|
|
{
|
|
|
|
WLog_DBG(TAG,
|
|
|
|
"unable to NCryptOpenKey(dwLegacyKeySpec=0x%" PRIx32 " dwFlags=0x%" PRIx32
|
|
|
|
"), status=%s, skipping",
|
|
|
|
status, keyName->dwLegacyKeySpec, keyName->dwFlags,
|
|
|
|
winpr_NCryptSecurityStatusError(status));
|
2022-02-02 17:57:05 +03:00
|
|
|
goto endofloop;
|
2022-10-13 01:09:52 +03:00
|
|
|
}
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
cert->csp = _wcsdup(csp);
|
|
|
|
if (!cert->csp)
|
2022-10-06 13:25:17 +03:00
|
|
|
goto endofloop;
|
|
|
|
|
2022-02-02 01:23:34 +03:00
|
|
|
#ifndef _WIN32
|
2022-10-14 19:58:30 +03:00
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_WINPR_SLOTID, (PBYTE)&cert->slotId, 4, &cbOutput,
|
|
|
|
dwFlags);
|
2022-02-02 01:23:34 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "unable to retrieve slotId for key %s, status=%s", cert->keyName,
|
2022-10-14 19:58:30 +03:00
|
|
|
winpr_NCryptSecurityStatusError(status));
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
|
|
|
/* ====== retrieve key's reader ====== */
|
2022-10-14 11:10:41 +03:00
|
|
|
cbOutput = 0;
|
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_READER_PROPERTY, NULL, 0, &cbOutput, dwFlags);
|
2022-02-02 01:23:34 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_DBG(TAG, "unable to retrieve reader's name length for key %s", cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
cert->reader = calloc(1, cbOutput + 2);
|
|
|
|
if (!cert->reader)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "unable to allocate reader's name for key %s", cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_READER_PROPERTY, (PBYTE)cert->reader, cbOutput + 2,
|
|
|
|
&cbOutput, dwFlags);
|
2022-02-02 01:23:34 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "unable to retrieve reader's name for key %s", cert->keyName);
|
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ====== retrieve key container name ====== */
|
|
|
|
/* When using PKCS11, this will try to return what Windows would use for the key's name */
|
|
|
|
cbOutput = 0;
|
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_NAME_PROPERTY, NULL, 0, &cbOutput, dwFlags);
|
|
|
|
if (status == ERROR_SUCCESS)
|
|
|
|
{
|
|
|
|
cert->containerName = calloc(1, cbOutput + sizeof(WCHAR));
|
|
|
|
if (!cert->containerName)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to allocate key container name for key %s", cert->keyName);
|
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_NAME_PROPERTY, (BYTE*)cert->containerName,
|
|
|
|
cbOutput, &cbOutput, dwFlags);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to retrieve key container name for key %s", cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ========= retrieve the certificate ===============*/
|
2022-10-14 11:10:41 +03:00
|
|
|
cbOutput = 0;
|
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_CERTIFICATE_PROPERTY, NULL, 0, &cbOutput, dwFlags);
|
2022-02-02 01:23:34 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
|
|
|
/* can happen that key don't have certificates */
|
2022-10-13 01:09:52 +03:00
|
|
|
WLog_DBG(TAG, "unable to retrieve certificate property len, status=0x%lx, skipping",
|
|
|
|
status);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
|
|
|
certBytes = calloc(1, cbOutput);
|
|
|
|
if (!certBytes)
|
|
|
|
{
|
2022-09-29 15:55:27 +03:00
|
|
|
WLog_ERR(TAG, "unable to allocate %" PRIu32 " certBytes for key %s", cbOutput,
|
2022-10-16 18:36:20 +03:00
|
|
|
cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
|
|
|
status = NCryptGetProperty(phKey, NCRYPT_CERTIFICATE_PROPERTY, certBytes, cbOutput,
|
2022-10-14 11:10:41 +03:00
|
|
|
&cbOutput, dwFlags);
|
2022-02-02 01:23:34 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "unable to retrieve certificate for key %s", cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
if (!winpr_Digest(WINPR_MD_SHA1, certBytes, cbOutput, cert->sha1Hash,
|
|
|
|
sizeof(cert->sha1Hash)))
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "unable to compute certificate sha1 for key %s", cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
cert->certificate = crypto_cert_read(certBytes, cbOutput);
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
if (!cert->certificate)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-10-16 18:36:20 +03:00
|
|
|
WLog_ERR(TAG, "unable to parse X509 certificate for key %s", cert->keyName);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-23 21:51:40 +03:00
|
|
|
if (!crypto_check_eku(cert->certificate->px509, NID_ms_smartcard_login))
|
|
|
|
{
|
|
|
|
WLog_DBG(TAG, "discarding certificate without Smartcard Login EKU for key %s",
|
|
|
|
cert->keyName);
|
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
if (!treat_sc_cert(cert))
|
2022-10-13 01:09:52 +03:00
|
|
|
{
|
|
|
|
WLog_DBG(TAG, "error treating cert");
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
2022-10-13 01:09:52 +03:00
|
|
|
}
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
if (userFilter && cert->userHint && strcmp(cert->userHint, userFilter) != 0)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-10-14 19:58:30 +03:00
|
|
|
WLog_DBG(TAG, "discarding non matching cert by user %s@%s", cert->userHint,
|
|
|
|
cert->domainHint);
|
2022-08-30 10:00:47 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
if (domainFilter && cert->domainHint && strcmp(cert->domainHint, domainFilter) != 0)
|
2022-08-30 10:00:47 +03:00
|
|
|
{
|
2022-10-14 11:10:41 +03:00
|
|
|
WLog_DBG(TAG, "discarding non matching cert by domain(%s) %s@%s", domainFilter,
|
2022-10-14 19:58:30 +03:00
|
|
|
cert->userHint, cert->domainHint);
|
2022-02-02 01:23:34 +03:00
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifndef _WIN32
|
2022-10-14 19:58:30 +03:00
|
|
|
if (!build_pkinit_args(settings, cert))
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "error build pkinit args");
|
|
|
|
goto endofloop;
|
|
|
|
}
|
|
|
|
#endif
|
2022-03-03 00:00:01 +03:00
|
|
|
haveError = FALSE;
|
2022-02-02 01:23:34 +03:00
|
|
|
|
|
|
|
endofloop:
|
2022-02-02 17:57:05 +03:00
|
|
|
free(certBytes);
|
2022-02-05 01:59:16 +03:00
|
|
|
NCryptFreeBuffer(keyName);
|
2022-02-02 17:57:05 +03:00
|
|
|
if (phKey)
|
|
|
|
NCryptFreeObject((NCRYPT_HANDLE)phKey);
|
2022-03-03 00:00:01 +03:00
|
|
|
|
|
|
|
if (haveError)
|
2022-10-14 19:58:30 +03:00
|
|
|
smartcardCertInfo_Free(cert);
|
|
|
|
else
|
2022-03-03 00:00:01 +03:00
|
|
|
{
|
2022-10-14 19:58:30 +03:00
|
|
|
SmartcardCertInfo** tmp;
|
|
|
|
|
|
|
|
tmp = realloc(cert_list, sizeof(SmartcardCertInfo*) * (count + 1));
|
|
|
|
if (!tmp)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to reallocate certs");
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
cert_list = tmp;
|
|
|
|
cert_list[count++] = cert;
|
2022-03-03 00:00:01 +03:00
|
|
|
}
|
2022-02-02 01:23:34 +03:00
|
|
|
}
|
|
|
|
|
2022-10-06 13:25:17 +03:00
|
|
|
ret = TRUE;
|
|
|
|
out:
|
|
|
|
*pcount = count;
|
2022-10-14 19:58:30 +03:00
|
|
|
*pcerts = cert_list;
|
2022-10-06 13:25:17 +03:00
|
|
|
NCryptFreeBuffer(enumState);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static BOOL smartcard_hw_enumerateCerts(const rdpSettings* settings, LPCWSTR csp,
|
|
|
|
const char* reader, const char* userFilter,
|
2022-10-14 19:58:30 +03:00
|
|
|
const char* domainFilter, SmartcardCertInfo*** scCerts,
|
2022-10-06 13:25:17 +03:00
|
|
|
DWORD* retCount)
|
|
|
|
{
|
|
|
|
BOOL ret = FALSE;
|
|
|
|
LPWSTR scope = NULL;
|
|
|
|
NCRYPT_PROV_HANDLE provider;
|
|
|
|
SECURITY_STATUS status;
|
|
|
|
size_t count = 0;
|
2022-10-14 19:58:30 +03:00
|
|
|
SmartcardCertInfo** cert_list = NULL;
|
2022-10-06 13:25:17 +03:00
|
|
|
const char* Pkcs11Module = freerdp_settings_get_string(settings, FreeRDP_Pkcs11Module);
|
|
|
|
|
|
|
|
WINPR_ASSERT(scCerts);
|
|
|
|
WINPR_ASSERT(retCount);
|
|
|
|
|
|
|
|
if (reader)
|
|
|
|
{
|
|
|
|
int res;
|
|
|
|
size_t readerSz = strlen(reader);
|
|
|
|
char* scopeStr = malloc(4 + readerSz + 1 + 1);
|
|
|
|
if (!scopeStr)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
_snprintf(scopeStr, readerSz + 5, "\\\\.\\%s\\", reader);
|
|
|
|
res = ConvertToUnicode(CP_UTF8, 0, scopeStr, -1, &scope, 0);
|
|
|
|
free(scopeStr);
|
|
|
|
|
|
|
|
if (res <= 0)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (Pkcs11Module)
|
|
|
|
{
|
|
|
|
/* load a unique CSP by pkcs11 module path */
|
|
|
|
LPCSTR paths[] = { Pkcs11Module, NULL };
|
|
|
|
|
|
|
|
status = winpr_NCryptOpenStorageProviderEx(&provider, csp, 0, paths);
|
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to open provider given by pkcs11 module");
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
status = list_provider_keys(settings, provider, csp, scope, userFilter, domainFilter,
|
2022-10-14 19:58:30 +03:00
|
|
|
&cert_list, &count);
|
2022-10-06 13:25:17 +03:00
|
|
|
NCryptFreeObject((NCRYPT_HANDLE)provider);
|
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "error listing keys from CSP loaded from %s", Pkcs11Module);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2022-10-25 14:28:32 +03:00
|
|
|
NCryptProviderName* names = NULL;
|
2022-10-06 13:25:17 +03:00
|
|
|
DWORD nproviders, i;
|
|
|
|
|
|
|
|
status = NCryptEnumStorageProviders(&nproviders, &names, NCRYPT_SILENT_FLAG);
|
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "error listing providers");
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < nproviders; i++)
|
|
|
|
{
|
|
|
|
char providerNameStr[256] = { 0 };
|
2022-10-25 14:28:32 +03:00
|
|
|
const NCryptProviderName* name = &names[i];
|
2022-10-06 13:25:17 +03:00
|
|
|
|
2022-10-25 14:28:32 +03:00
|
|
|
if (WideCharToMultiByte(CP_UTF8, 0, name->pszName, -1, providerNameStr,
|
2022-10-06 13:25:17 +03:00
|
|
|
sizeof(providerNameStr), NULL, FALSE) <= 0)
|
|
|
|
{
|
|
|
|
_snprintf(providerNameStr, sizeof(providerNameStr), "<unknown>");
|
|
|
|
WLog_ERR(TAG, "unable to convert provider name to char*, will show it as '%s'",
|
|
|
|
providerNameStr);
|
|
|
|
}
|
|
|
|
|
|
|
|
WLog_DBG(TAG, "exploring CSP '%s'", providerNameStr);
|
2022-10-25 14:28:32 +03:00
|
|
|
if (csp && _wcscmp(name->pszName, csp) != 0)
|
2022-10-06 13:25:17 +03:00
|
|
|
{
|
|
|
|
WLog_DBG(TAG, "CSP '%s' filtered out", providerNameStr);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2022-10-25 14:28:32 +03:00
|
|
|
status = NCryptOpenStorageProvider(&provider, name->pszName, 0);
|
2022-10-06 13:25:17 +03:00
|
|
|
if (status != ERROR_SUCCESS)
|
|
|
|
continue;
|
|
|
|
|
2022-10-25 14:28:32 +03:00
|
|
|
if (!list_provider_keys(settings, provider, name->pszName, scope, userFilter,
|
2022-10-14 19:58:30 +03:00
|
|
|
domainFilter, &cert_list, &count))
|
2022-10-06 13:25:17 +03:00
|
|
|
WLog_INFO(TAG, "error when retrieving keys in CSP '%s'", providerNameStr);
|
|
|
|
|
|
|
|
NCryptFreeObject((NCRYPT_HANDLE)provider);
|
|
|
|
}
|
|
|
|
|
|
|
|
NCryptFreeBuffer(names);
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
*scCerts = cert_list;
|
2022-02-05 01:59:16 +03:00
|
|
|
*retCount = (DWORD)count;
|
2022-02-02 01:23:34 +03:00
|
|
|
ret = TRUE;
|
|
|
|
|
|
|
|
out:
|
2022-03-03 09:42:44 +03:00
|
|
|
if (!ret)
|
2022-10-14 19:58:30 +03:00
|
|
|
smartcardCertList_Free(cert_list, count);
|
2022-02-02 01:23:34 +03:00
|
|
|
free(scope);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
static BOOL write_pem(const char* file, const char* pem)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
2022-10-25 13:39:42 +03:00
|
|
|
WINPR_ASSERT(file);
|
|
|
|
WINPR_ASSERT(pem);
|
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
size_t rc, size = strlen(pem) + 1;
|
|
|
|
FILE* fp = winpr_fopen(file, "w");
|
|
|
|
if (!fp)
|
2022-02-02 01:23:34 +03:00
|
|
|
return FALSE;
|
2022-02-02 17:57:05 +03:00
|
|
|
rc = fwrite(pem, 1, size, fp);
|
|
|
|
fclose(fp);
|
|
|
|
return rc == size;
|
|
|
|
}
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
static char* create_temporary_file(void)
|
|
|
|
{
|
|
|
|
BYTE buffer[32];
|
|
|
|
char* hex;
|
|
|
|
char* path;
|
|
|
|
|
|
|
|
winpr_RAND(buffer, sizeof(buffer));
|
|
|
|
hex = winpr_BinToHexString(buffer, sizeof(buffer), FALSE);
|
|
|
|
path = GetKnownSubPath(KNOWN_PATH_TEMP, hex);
|
|
|
|
free(hex);
|
|
|
|
return path;
|
|
|
|
}
|
|
|
|
|
2022-10-25 14:28:32 +03:00
|
|
|
static SmartcardCertInfo* smartcardCertInfo_New(const char* privKeyPEM, const char* certPEM)
|
|
|
|
{
|
|
|
|
WINPR_ASSERT(privKeyPEM);
|
|
|
|
WINPR_ASSERT(certPEM);
|
|
|
|
|
|
|
|
SmartcardCertInfo* cert = calloc(1, sizeof(SmartcardCertInfo));
|
|
|
|
if (!cert)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
SmartcardKeyInfo* info = cert->key_info = calloc(1, sizeof(SmartcardKeyInfo));
|
|
|
|
if (!info)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
cert->certificate = crypto_cert_pem_read(certPEM);
|
|
|
|
if (!cert->certificate)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to read smartcard certificate");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!treat_sc_cert(cert))
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to treat smartcard certificate");
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ConvertToUnicode(CP_UTF8, 0, "FreeRDP Emulator", -1, &cert->reader, 0) < 0)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
if (ConvertToUnicode(CP_UTF8, 0, "Private Key 00", -1, &cert->containerName, 0) < 0)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
/* compute PKINIT args FILE:<cert file>,<key file>
|
|
|
|
*
|
|
|
|
* We need files for PKINIT to read, so write the certificate to some
|
|
|
|
* temporary location and use that.
|
|
|
|
*/
|
|
|
|
info->keyPath = create_temporary_file();
|
|
|
|
WLog_DBG(TAG, "writing PKINIT key to %s", info->keyPath);
|
|
|
|
if (!write_pem(info->keyPath, privKeyPEM))
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
info->certPath = create_temporary_file();
|
|
|
|
WLog_DBG(TAG, "writing PKINIT cert to %s", info->certPath);
|
|
|
|
if (!write_pem(info->certPath, certPEM))
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
int res = allocating_sprintf(&cert->pkinitArgs, "FILE:%s,%s", info->certPath, info->keyPath);
|
|
|
|
if (res <= 0)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
return cert;
|
|
|
|
fail:
|
|
|
|
smartcardCertInfo_Free(cert);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
static BOOL smartcard_sw_enumerateCerts(const rdpSettings* settings, SmartcardCertInfo*** scCerts,
|
2022-02-02 17:57:05 +03:00
|
|
|
DWORD* retCount)
|
|
|
|
{
|
|
|
|
BOOL rc = FALSE;
|
|
|
|
int res;
|
2022-10-14 19:58:30 +03:00
|
|
|
SmartcardCertInfo** cert_list = NULL;
|
2022-02-02 17:57:05 +03:00
|
|
|
|
|
|
|
WINPR_ASSERT(settings);
|
|
|
|
WINPR_ASSERT(scCerts);
|
|
|
|
WINPR_ASSERT(retCount);
|
|
|
|
|
2022-10-25 13:39:42 +03:00
|
|
|
const char* privKeyPEM = freerdp_settings_get_string(settings, FreeRDP_SmartcardPrivateKey);
|
|
|
|
const char* certPEM = freerdp_settings_get_string(settings, FreeRDP_SmartcardCertificate);
|
|
|
|
if (!privKeyPEM)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "Invalid smartcard private key PEM, aborting");
|
|
|
|
goto out_error;
|
|
|
|
}
|
|
|
|
if (!certPEM)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "Invalid smartcard certificate PEM, aborting");
|
|
|
|
goto out_error;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
cert_list = calloc(1, sizeof(SmartcardCertInfo*));
|
|
|
|
if (!cert_list)
|
2022-02-02 17:57:05 +03:00
|
|
|
goto out_error;
|
2022-02-02 01:23:34 +03:00
|
|
|
|
|
|
|
{
|
2022-10-25 14:28:32 +03:00
|
|
|
SmartcardCertInfo* cert = smartcardCertInfo_New(privKeyPEM, certPEM);
|
|
|
|
if (!cert)
|
|
|
|
goto out_error;
|
|
|
|
cert_list[0] = cert;
|
2022-02-02 01:23:34 +03:00
|
|
|
}
|
|
|
|
|
2022-02-02 17:57:05 +03:00
|
|
|
rc = TRUE;
|
2022-10-14 19:58:30 +03:00
|
|
|
*scCerts = cert_list;
|
|
|
|
*retCount = 1;
|
2022-02-02 01:23:34 +03:00
|
|
|
|
|
|
|
out_error:
|
2022-02-02 17:57:05 +03:00
|
|
|
if (!rc)
|
2022-10-14 19:58:30 +03:00
|
|
|
smartcardCertList_Free(cert_list, 1);
|
2022-02-02 17:57:05 +03:00
|
|
|
return rc;
|
2022-02-02 01:23:34 +03:00
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
BOOL smartcard_enumerateCerts(const rdpSettings* settings, SmartcardCertInfo*** scCerts,
|
2022-10-16 22:54:59 +03:00
|
|
|
DWORD* retCount, BOOL gateway)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
|
|
|
BOOL ret;
|
2022-10-06 13:25:17 +03:00
|
|
|
LPWSTR csp = NULL;
|
2022-03-24 13:07:49 +03:00
|
|
|
const char* ReaderName = freerdp_settings_get_string(settings, FreeRDP_ReaderName);
|
|
|
|
const char* CspName = freerdp_settings_get_string(settings, FreeRDP_CspName);
|
2022-10-16 22:54:59 +03:00
|
|
|
const char* Username;
|
|
|
|
const char* Domain;
|
|
|
|
|
|
|
|
if (gateway)
|
|
|
|
{
|
|
|
|
Username = freerdp_settings_get_string(settings, FreeRDP_GatewayUsername);
|
|
|
|
Domain = freerdp_settings_get_string(settings, FreeRDP_GatewayDomain);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
Username = freerdp_settings_get_string(settings, FreeRDP_Username);
|
|
|
|
Domain = freerdp_settings_get_string(settings, FreeRDP_Domain);
|
|
|
|
}
|
2022-02-02 17:57:05 +03:00
|
|
|
|
|
|
|
WINPR_ASSERT(settings);
|
|
|
|
WINPR_ASSERT(scCerts);
|
|
|
|
WINPR_ASSERT(retCount);
|
|
|
|
|
2022-10-14 11:10:41 +03:00
|
|
|
if (Domain && !strlen(Domain))
|
|
|
|
Domain = NULL;
|
|
|
|
|
2022-05-02 11:55:44 +03:00
|
|
|
if (freerdp_settings_get_bool(settings, FreeRDP_SmartcardEmulation))
|
2022-02-02 17:57:05 +03:00
|
|
|
return smartcard_sw_enumerateCerts(settings, scCerts, retCount);
|
2022-02-02 01:23:34 +03:00
|
|
|
|
2022-10-06 13:25:17 +03:00
|
|
|
if (CspName && ConvertToUnicode(CP_UTF8, 0, CspName, -1, &csp, 0) <= 0)
|
2022-02-02 01:23:34 +03:00
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "error while converting CSP to WCHAR");
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2022-08-30 10:00:47 +03:00
|
|
|
ret =
|
|
|
|
smartcard_hw_enumerateCerts(settings, csp, ReaderName, Username, Domain, scCerts, retCount);
|
2022-02-02 01:23:34 +03:00
|
|
|
free(csp);
|
|
|
|
return ret;
|
|
|
|
}
|
2022-02-02 17:57:05 +03:00
|
|
|
|
2022-10-16 22:54:59 +03:00
|
|
|
static BOOL set_settings_from_smartcard(rdpSettings* settings, size_t id, const char* value)
|
|
|
|
{
|
|
|
|
WINPR_ASSERT(settings);
|
|
|
|
|
|
|
|
if (!freerdp_settings_get_string(settings, id) && value)
|
|
|
|
if (!freerdp_settings_set_string(settings, id, value))
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOL smartcard_getCert(const rdpContext* context, SmartcardCertInfo** cert, BOOL gateway)
|
2022-02-02 17:57:05 +03:00
|
|
|
{
|
2022-10-14 19:58:30 +03:00
|
|
|
WINPR_ASSERT(context);
|
|
|
|
|
|
|
|
const freerdp* instance = context->instance;
|
2022-10-16 22:54:59 +03:00
|
|
|
rdpSettings* settings = context->settings;
|
2022-10-14 19:58:30 +03:00
|
|
|
SmartcardCertInfo** cert_list;
|
|
|
|
DWORD count;
|
2022-10-16 22:54:59 +03:00
|
|
|
size_t username_setting;
|
|
|
|
size_t domain_setting;
|
2022-10-14 19:58:30 +03:00
|
|
|
|
|
|
|
WINPR_ASSERT(instance);
|
|
|
|
WINPR_ASSERT(settings);
|
|
|
|
|
2022-10-16 22:54:59 +03:00
|
|
|
if (!smartcard_enumerateCerts(settings, &cert_list, &count, gateway))
|
2022-10-14 19:58:30 +03:00
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
if (count < 1)
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "no suitable smartcard certificates were found");
|
|
|
|
return FALSE;
|
|
|
|
}
|
2022-02-02 17:57:05 +03:00
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
if (count > 1)
|
|
|
|
{
|
|
|
|
DWORD index;
|
|
|
|
|
2022-10-16 22:54:59 +03:00
|
|
|
if (!instance->ChooseSmartcard ||
|
|
|
|
!instance->ChooseSmartcard(cert_list, count, &index, gateway))
|
2022-10-14 19:58:30 +03:00
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "more than one suitable smartcard certificate was found");
|
|
|
|
smartcardCertList_Free(cert_list, count);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
*cert = cert_list[index];
|
|
|
|
|
|
|
|
for (DWORD i = 0; i < index; i++)
|
|
|
|
smartcardCertInfo_Free(cert_list[i]);
|
|
|
|
for (DWORD i = index + 1; i < count; i++)
|
|
|
|
smartcardCertInfo_Free(cert_list[i]);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
*cert = cert_list[0];
|
|
|
|
|
2022-10-16 22:54:59 +03:00
|
|
|
username_setting = gateway ? FreeRDP_GatewayUsername : FreeRDP_Username;
|
|
|
|
domain_setting = gateway ? FreeRDP_GatewayDomain : FreeRDP_Domain;
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
free(cert_list);
|
2022-10-16 22:54:59 +03:00
|
|
|
|
|
|
|
if (!set_settings_from_smartcard(settings, username_setting, (*cert)->userHint) ||
|
|
|
|
!set_settings_from_smartcard(settings, domain_setting, (*cert)->domainHint))
|
|
|
|
{
|
|
|
|
WLog_ERR(TAG, "unable to set settings from smartcard!");
|
|
|
|
smartcardCertInfo_Free(*cert);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2022-10-14 19:58:30 +03:00
|
|
|
return TRUE;
|
2022-02-02 17:57:05 +03:00
|
|
|
}
|