Currently, the module path is hardcoded in the build_pkinit_args function.
Let's obtain the module path from provider as a preparation for the
follow-up changes.
Optionally build the SDL client with Qt WebEngine to create a popup
browser for authentication to AAD. Also change the URL output on the
command line to use the "nativeclient" redirect for easier copy/pasting
of the authorization code.
When a PKCS11 module was provided, the CSP could not be set by command line
arguments, leading to an error when loading the ncrypt module, and an empty
smartcard list.
When enumerating smartcard certificates we check if we have duplicates
in our certificate list. In case we detect a duplicate we just return
`TRUE` (indicating that we consumed the certificate info) but do not
free the smartcard info instance.
Windows seems to favor using the legacy Crypto API (CAPI) for
enumerating RSA key containers and only relies on the newer CNG APIs for
ECC keys.
This PR adds support for CAPI key container enumeration on Windows.
The PR also fixes an issue where the CSP was always set to the MS Base
Smart Card Provider during NLA authentication.
* Use new ConvertUtf8ToWChar, ConvertUtf8NToWChar,
ConvertUtf8ToWCharAlloc and ConvertUtf8NToWCharAlloc
* Use new ConvertWCharToUtf8, ConvertWCharNToUtf8,
ConvertWCharToUtf8Alloc and ConvertWCharNToUtf8Alloc
* Use new Stream UTF16 to/from UTF8 read/write functions
* Use new settings UTF16 to/from UTF8 read/write functions
list_provider_keys() returns a Boolean, true == success. But
smartcard_hw_enumerateCerts() expects the return value on success to
be ERROR_SUCCESS == 0, and so inverts success/failure.
Windows expects the containerName field in TSSmartCardCreds to be what
it would use for a smartcard key's name. Try to accomodate that (at
least for PIV and GIDS cards).
This commit fixes various bugs that I've noticed on some windows systems with
smartcards that contains multiple certificates:
* With some drivers if you retrieve the ATR while enumerating the NCrypt keys, it seems to
confuse the NCrypt key context (and you're unable to retrieve certificate property). As
we don't use the ATR, let's remove the ATR retrieval.
* if don't give any user or domain on the command line, in settings you get User=Domain=NULL,
but if you pass /u:user, you get User="user" and Domain = ""(empty string not NULL). The
smartcard filtering by user/domain was not ready for that.
When smartcard emulation was enabled we were dumping the key and cert to
temporary files for PKINIT call, but they were deleted before we have
actually done the PKINIT. This patch fixes it.
It also add debug statement for the listing of smartcard keys / certs.
This also fixes the listing of smartcard on certain windows configurations
were we have to force NCRYPT_SILENT when doing a NCryptOpenKey.
When no CSP is provided, we were listing smartcard materials by querying the
MS_SCARD_PROV_A CSP, unfortunately on some windows hosts, the smartcards aren't
listed in that CSP. So this patch does the key listing by browsing all CSPs
instead of just a default one. You can still force a CSP and you'll get keys only
from this one.
This patch also address cases where the certificate on the smartcard doesn't
have a UPN attribute, if that happen we try to get a UPN from the email address.
* Fixed format strings to match arguments
Reviewed and replaced all %d specifiers to match proper type
* Added proxy dynamic channel command type to log messages.
There was a bug in smartcard listing that was leading to be unable to open a key
with slotId != 0. When any error or skipped item was happening during listing
the code was crashing.