MSCNG: add keys store support (lsh123#173)

* mscng: add keysstore support

This also requires changes in the x509 key data class. It's no longer safe to
call CertDeleteCertificateFromStore() for no longer needed certificates, as the
store may be a non-in-memory one, and the user expects that the system store is
only read by xmlsec. Non-deleting also means that we can't assert anymore that
the in-memory cert store is empty when we delete it.

We don't leak memory with this, as the refcount of the certificate contexts is
still properly decremented.

As a side effect 6 TODOs added earlier are now resolved.

* mscng: add initial documentation

Also fix the inconsistency that email address is sometimes stated, sometimes
not. Now it's omitted everywhere and the AUTHORS file has it at a single place.

* mscng: add keysstore test

A manual test is not ideal, but it's better than nothing.

AUTHORS

@@ -4,5 +4,6 @@ Windows port:     Igor Zlatkovic <[email protected]>
 Debian port:      John Belmonte  <[email protected]> 
 xmlsec-nss:       Tej Arora <[email protected]>, AOL Inc.
 xmlsec-mscrypto:  Wouter Ketting <[email protected]>, Cordys R&D BV
+xmlsec-mscng:     Miklos Vajna <[email protected]>
 GOST support:     Dmitry Belyavsky <[email protected]>, Cryptocom LTD (http://www.cryptocom.ru)
 

include/xmlsec/mscng/app.h

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #ifndef __XMLSEC_MSCNG_APP_H__
 #define __XMLSEC_MSCNG_APP_H__
@@ -25,6 +25,7 @@ extern "C" {
  ********************************************************************/
 XMLSEC_CRYPTO_EXPORT int        xmlSecMSCngAppInit                   (const char* config);
 XMLSEC_CRYPTO_EXPORT int        xmlSecMSCngAppShutdown               (void);
+XMLSEC_CRYPTO_EXPORT LPCTSTR    xmlSecMSCngAppGetCertStoreName       (void);
 
 /********************************************************************
  *

include/xmlsec/mscng/certkeys.h

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #ifndef __XMLSEC_MSCNG_CERTKEYS_H__
 #define __XMLSEC_MSCNG_CERTKEYS_H__

include/xmlsec/mscng/crypto.h

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #ifndef __XMLSEC_MSCNG_CRYPTO_H__
 #define __XMLSEC_MSCNG_CRYPTO_H__

include/xmlsec/mscng/keysstore.h

@@ -0,0 +1,41 @@
+/*
+ * XML Security Library (http://www.aleksey.com/xmlsec).
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
+ */
+#ifndef __XMLSEC_MSCNG_KEYSSTORE_H__
+#define __XMLSEC_MSCNG_KEYSSTORE_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#include <xmlsec/xmlsec.h>
+
+/**
+ * xmlSecMSCngKeysStoreId:
+ *
+ * A MSCng keys store klass id.
+ */
+#define xmlSecMSCngKeysStoreId xmlSecMSCngKeysStoreGetKlass()
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId   xmlSecMSCngKeysStoreGetKlass(void);
+XMLSEC_CRYPTO_EXPORT int                xmlSecMSCngKeysStoreAdoptKey(xmlSecKeyStorePtr store,
+                                                                     xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int                xmlSecMSCngKeysStoreLoad    (xmlSecKeyStorePtr store,
+                                                                     const char *uri,
+                                                                     xmlSecKeysMngrPtr keysMngr);
+XMLSEC_CRYPTO_EXPORT int                xmlSecMSCngKeysStoreSave    (xmlSecKeyStorePtr store,
+                                                                     const char *filename,
+                                                                     xmlSecKeyDataType type);
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_MSCNG_PCCERT_CONTEXT_H__ */
+
+

include/xmlsec/mscng/symbols.h

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #ifndef __XMLSEC_MSCNG_SYMBOLS_H__
 #define __XMLSEC_MSCNG_SYMBOLS_H__

include/xmlsec/mscng/x509.h

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #ifndef __XMLSEC_MSCNG_X509_H__
 #define __XMLSEC_MSCNG_X509_H__
@@ -55,6 +55,8 @@ XMLSEC_CRYPTO_EXPORT int                xmlSecMSCngKeyDataX509AdoptCert      (xm
 XMLSEC_CRYPTO_EXPORT int                xmlSecMSCngX509StoreAdoptCert        (xmlSecKeyDataStorePtr store,
                                                                               PCCERT_CONTEXT cert,
                                                                               xmlSecKeyDataType type);
+XMLSEC_CRYPTO_EXPORT int                xmlSecMSCngX509StoreAdoptKeyStore    (xmlSecKeyDataStorePtr store,
+                                                                              HCERTSTORE keyStore);
 XMLSEC_CRYPTO_EXPORT PCCERT_CONTEXT     xmlSecMSCngX509StoreVerify           (xmlSecKeyDataStorePtr store,
 									      HCERTSTORE certs,
 									      xmlSecKeyInfoCtx* keyInfoCtx);

src/mscng/README

@@ -0,0 +1,16 @@
+What version of Windows?
+------------------------------------------------------------------------
+
+The Microsoft CNG API is a set of BCrypt* and NCrypt* functions. Taking
+BCryptOpenAlgorithmProvider() as a representative example, the minimum
+supported client is Windows Vista and the minimum supported server is Windows
+Server 2008.
+
+Keys manager with MS Certificate store support.
+------------------------------------------------------------------------
+
+Similarly to the nss and mscrypto backends, the xmlsec-mscng keys manager is
+based on the simple keys store from xmlsec core. If keys are not found in the
+simple keys store, then the MS Certificate store (the "MY" store by default,
+visible as Personal -> Certificates in certmgr.msc) is used to look up keys.
+The certificate store from the OS is a read-only store.

src/mscng/app.c

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #include "globals.h"
 
@@ -23,6 +23,10 @@
 #include <xmlsec/mscng/symbols.h>
 #include <xmlsec/mscng/x509.h>
 #include <xmlsec/mscng/certkeys.h>
+#include <xmlsec/mscng/keysstore.h>
+
+/* config info for the mscng keysstore */
+static LPTSTR gXmlSecMSCngAppCertStoreName = NULL;
 
 /**
  * xmlSecMSCngAppInit:
@@ -36,8 +40,26 @@
  */
 int
 xmlSecMSCngAppInit(const char* config) {
-    UNREFERENCED_PARAMETER(config);
-    /* TODO: initialize MSCng crypto engine */
+    /* initialize MSCng crypto engine */
+
+    /* config parameter is an ms cert store name */
+    if(config != NULL && strlen(config) > 0) {
+        if(gXmlSecMSCngAppCertStoreName != NULL) {
+            /* deny double initialization */
+            xmlSecOtherError2(XMLSEC_ERRORS_R_INVALID_CONFIG, NULL,
+                "config=%s, config already set",
+                xmlSecErrorsSafeString(config));
+            return(-1);
+        }
+
+        gXmlSecMSCngAppCertStoreName = xmlSecMSCngConvertUtf8ToUnicode((const xmlChar*)config);
+        if(gXmlSecMSCngAppCertStoreName == NULL) {
+            xmlSecInternalError2("xmlSecMSCngConvertUtf8ToUnicode", NULL,
+                "config=%s", xmlSecErrorsSafeString(config));
+            return(-1);
+        }
+    }
+
     return(0);
 }
 
@@ -52,11 +74,26 @@ xmlSecMSCngAppInit(const char* config) {
  */
 int
 xmlSecMSCngAppShutdown(void) {
-    /* TODO: shutdown MSCng crypto engine */
-
+    /* shutdown MSCng crypto engine */
+    if(gXmlSecMSCngAppCertStoreName != NULL) {
+        xmlFree(gXmlSecMSCngAppCertStoreName);
+        gXmlSecMSCngAppCertStoreName = NULL;
+    }
     return(0);
 }
 
+/**
+ * xmlSecMSCngAppGetCertStoreName:
+ *
+ * Gets the MS Cng certs store name set by @xmlSecMSCngAppInit function.
+ *
+ * Returns: the MS Cng certs name used by xmlsec-mscng.
+ */
+LPCTSTR
+xmlSecMSCngAppGetCertStoreName(void) {
+    return(gXmlSecMSCngAppCertStoreName);
+}
+
 /**
  * xmlSecMSCngAppKeyLoad:
  * @filename:           the key filename.
@@ -524,17 +561,13 @@ xmlSecMSCngAppDefaultKeysMngrInit(xmlSecKeysMngrPtr mngr) {
 
     xmlSecAssert2(mngr != NULL, -1);
 
-    /* TODO: if MSCng crypto engine has another default
-     * keys storage then use it!
-     */
-
-    /* create simple keys store if needed */
+    /* create MSCng keys store if needed */
     if(xmlSecKeysMngrGetKeysStore(mngr) == NULL) {
         xmlSecKeyStorePtr keysStore;
 
-        keysStore = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId);
+        keysStore = xmlSecKeyStoreCreate(xmlSecMSCngKeysStoreId);
         if(keysStore == NULL) {
-            xmlSecInternalError("xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId)", NULL);
+            xmlSecInternalError("xmlSecKeyStoreCreate(xmlSecMSCngKeysStoreId)", NULL);
             return(-1);
         }
 
@@ -574,19 +607,15 @@ xmlSecMSCngAppDefaultKeysMngrAdoptKey(xmlSecKeysMngrPtr mngr, xmlSecKeyPtr key)
     xmlSecAssert2(mngr != NULL, -1);
     xmlSecAssert2(key != NULL, -1);
 
-    /* TODO: if MSCng crypto engine has another default
-     * keys storage then use it!
-     */
-
     store = xmlSecKeysMngrGetKeysStore(mngr);
     if(store == NULL) {
         xmlSecInternalError("xmlSecKeysMngrGetKeysStore", NULL);
         return(-1);
     }
 
-    ret = xmlSecSimpleKeysStoreAdoptKey(store, key);
+    ret = xmlSecMSCngKeysStoreAdoptKey(store, key);
     if(ret < 0) {
-        xmlSecInternalError("xmlSecSimpleKeysStoreAdoptKey", NULL);
+        xmlSecInternalError("xmlSecMSCngKeysStoreAdoptKey", NULL);
         return(-1);
     }
 
@@ -611,20 +640,16 @@ xmlSecMSCngAppDefaultKeysMngrLoad(xmlSecKeysMngrPtr mngr, const char* uri) {
     xmlSecAssert2(mngr != NULL, -1);
     xmlSecAssert2(uri != NULL, -1);
 
-    /* TODO: if MSCng crypto engine has another default
-     * keys storage then use it!
-     */
-
     store = xmlSecKeysMngrGetKeysStore(mngr);
     if(store == NULL) {
         xmlSecInternalError("xmlSecKeysMngrGetKeysStore", NULL);
         return(-1);
     }
 
-    ret = xmlSecSimpleKeysStoreLoad(store, uri, mngr);
+    ret = xmlSecMSCngKeysStoreLoad(store, uri, mngr);
     if(ret < 0) {
-        xmlSecInternalError2("xmlSecSimpleKeysStoreLoad", NULL,
-                             "uri=%s", xmlSecErrorsSafeString(uri));
+        xmlSecInternalError2("xmlSecMSCngKeysStoreLoad", NULL, "uri=%s",
+            xmlSecErrorsSafeString(uri));
         return(-1);
     }
 
@@ -649,21 +674,16 @@ xmlSecMSCngAppDefaultKeysMngrSave(xmlSecKeysMngrPtr mngr, const char* filename,
     xmlSecAssert2(mngr != NULL, -1);
     xmlSecAssert2(filename != NULL, -1);
 
-    /* TODO: if MSCng crypto engine has another default
-     * keys storage then use it!
-     */
-
     store = xmlSecKeysMngrGetKeysStore(mngr);
     if(store == NULL) {
         xmlSecInternalError("xmlSecKeysMngrGetKeysStore", NULL);
         return(-1);
     }
 
-    ret = xmlSecSimpleKeysStoreSave(store, filename, type);
+    ret = xmlSecMSCngKeysStoreSave(store, filename, type);
     if(ret < 0) {
-        xmlSecInternalError2("xmlSecSimpleKeysStoreSave", NULL,
-                             "filename=%s",
-                             xmlSecErrorsSafeString(filename));
+        xmlSecInternalError2("xmlSecMSCngKeysStoreSave", NULL, "filename%s",
+            xmlSecErrorsSafeString(filename));
         return(-1);
     }
 

src/mscng/certkeys.c

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #include "globals.h"
 

src/mscng/crypto.c

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #include "globals.h"
 

src/mscng/digests.c

@@ -4,7 +4,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #include "globals.h"
 

src/mscng/globals.h

@@ -6,7 +6,7 @@
  * This is free software; see Copyright file in the source
  * distribution for preciese wording.
  *
- * Copyright (C) 2018 Miklos Vajna <[email protected]>. All Rights Reserved.
+ * Copyright (C) 2018 Miklos Vajna. All Rights Reserved.
  */
 #ifndef __XMLSEC_GLOBALS_H__
 #define __XMLSEC_GLOBALS_H__