/*

 * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

//=--------------------------------------------------------------------------=

// security.cpp    by Stanley Man-Kit Ho

//=--------------------------------------------------------------------------=

//

#include <jni.h>

#include <stdlib.h>

#include <windows.h>

#include <BaseTsd.h>

#include <wincrypt.h>

#include <stdio.h>

#define OID_EKU_ANY         "2.5.29.37.0"

#define CERTIFICATE_PARSING_EXCEPTION \

                            "java/security/cert/CertificateParsingException"

#define INVALID_KEY_EXCEPTION \

                            "java/security/InvalidKeyException"

#define KEY_EXCEPTION       "java/security/KeyException"

#define KEYSTORE_EXCEPTION  "java/security/KeyStoreException"

#define PROVIDER_EXCEPTION  "java/security/ProviderException"

#define SIGNATURE_EXCEPTION "java/security/SignatureException"

extern "C" {

/*

 * Throws an arbitrary Java exception.

 * The exception message is a Windows system error message.

 */

void ThrowException(JNIEnv *env, char *exceptionName, DWORD dwError)

{

    char szMessage[1024];

    szMessage[0] = '\0';

    FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwError, NULL, szMessage,

        1024, NULL);

    jclass exceptionClazz = env->FindClass(exceptionName);

    env->ThrowNew(exceptionClazz, szMessage);

}

/*

 * Maps the name of a hash algorithm to an algorithm identifier.

 */

ALG_ID MapHashAlgorithm(JNIEnv *env, jstring jHashAlgorithm) {

    const char* pszHashAlgorithm = NULL;

    ALG_ID algId = 0;

    if ((pszHashAlgorithm = env->GetStringUTFChars(jHashAlgorithm, NULL))

        == NULL) {

        return algId;

    }

    if ((strcmp("SHA", pszHashAlgorithm) == 0) ||

        (strcmp("SHA1", pszHashAlgorithm) == 0) ||

        (strcmp("SHA-1", pszHashAlgorithm) == 0)) {

        algId = CALG_SHA1;

    } else if (strcmp("SHA1+MD5", pszHashAlgorithm) == 0) {

        algId = CALG_SSL3_SHAMD5; // a 36-byte concatenation of SHA-1 and MD5

    } else if (strcmp("SHA-256", pszHashAlgorithm) == 0) {

        algId = CALG_SHA_256;

    } else if (strcmp("SHA-384", pszHashAlgorithm) == 0) {

        algId = CALG_SHA_384;

    } else if (strcmp("SHA-512", pszHashAlgorithm) == 0) {

        algId = CALG_SHA_512;

    } else if (strcmp("MD5", pszHashAlgorithm) == 0) {

        algId = CALG_MD5;

    } else if (strcmp("MD2", pszHashAlgorithm) == 0) {

        algId = CALG_MD2;

    }

    if (pszHashAlgorithm)

        env->ReleaseStringUTFChars(jHashAlgorithm, pszHashAlgorithm);

   return algId;

}

/*

 * Returns a certificate chain context given a certificate context and key

 * usage identifier.

 */

bool GetCertificateChain(LPSTR lpszKeyUsageIdentifier, PCCERT_CONTEXT pCertContext, PCCERT_CHAIN_CONTEXT* ppChainContext)

{

    CERT_ENHKEY_USAGE        EnhkeyUsage;

    CERT_USAGE_MATCH         CertUsage;

    CERT_CHAIN_PARA          ChainPara;

    DWORD                    dwFlags = 0;

    LPSTR                    szUsageIdentifierArray[1];

    szUsageIdentifierArray[0] = lpszKeyUsageIdentifier;

    EnhkeyUsage.cUsageIdentifier = 1;

    EnhkeyUsage.rgpszUsageIdentifier = szUsageIdentifierArray;

    CertUsage.dwType = USAGE_MATCH_TYPE_AND;

    CertUsage.Usage  = EnhkeyUsage;

    ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);

    ChainPara.RequestedUsage=CertUsage;

    // Build a chain using CertGetCertificateChain

    // and the certificate retrieved.

    return (::CertGetCertificateChain(NULL,     // use the default chain engine

                pCertContext,   // pointer to the end certificate

                NULL,           // use the default time

                NULL,           // search no additional stores

                &ChainPara,     // use AND logic and enhanced key usage

                                //  as indicated in the ChainPara

                                //  data structure

                dwFlags,

                NULL,           // currently reserved

                ppChainContext) == TRUE);       // return a pointer to the chain created

}

/////////////////////////////////////////////////////////////////////////////

//

/*

 * Class:     sun_security_mscapi_PRNG

 * Method:    generateSeed

 * Signature: (I[B)[B

 */

JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed

  (JNIEnv *env, jclass clazz, jint length, jbyteArray seed)

{

    HCRYPTPROV hCryptProv = NULL;

    BYTE*      pbData = NULL;

    jbyte*     reseedBytes = NULL;

    jbyte*     seedBytes = NULL;

    jbyteArray result = NULL;

    __try

    {

        //  Acquire a CSP context.

        if(::CryptAcquireContext(

           &hCryptProv,

           NULL,

           NULL,

           PROV_RSA_FULL,

           CRYPT_VERIFYCONTEXT) == FALSE)

        {

            ThrowException(env, PROVIDER_EXCEPTION, GetLastError());

            __leave;

        }

        /*

         * If length is negative then use the supplied seed to re-seed the

         * generator and return null.

         * If length is non-zero then generate a new seed according to the

         * requested length and return the new seed.

         * If length is zero then overwrite the supplied seed with a new

         * seed of the same length and return the seed.

         */

        if (length < 0) {

            length = env->GetArrayLength(seed);

            if ((reseedBytes = env->GetByteArrayElements(seed, 0)) == NULL) {

                __leave;

            }

            if (::CryptGenRandom(

                hCryptProv,

                length,

                (BYTE *) reseedBytes) == FALSE) {

                ThrowException(env, PROVIDER_EXCEPTION, GetLastError());

                __leave;

            }

            result = NULL;

        } else if (length > 0) {

            pbData = new BYTE[length];

            if (::CryptGenRandom(

                hCryptProv,

                length,

                pbData) == FALSE) {

                ThrowException(env, PROVIDER_EXCEPTION, GetLastError());

                __leave;

            }

            result = env->NewByteArray(length);

            env->SetByteArrayRegion(result, 0, length, (jbyte*) pbData);

        } else { // length == 0

            length = env->GetArrayLength(seed);

            if ((seedBytes = env->GetByteArrayElements(seed, 0)) == NULL) {

                __leave;

            }

            if (::CryptGenRandom(

                hCryptProv,

                length,

                (BYTE *) seedBytes) == FALSE) {

                ThrowException(env, PROVIDER_EXCEPTION, GetLastError());

                __leave;

            }

            result = seed; // seed will be updated when seedBytes gets released

        }

    }

    __finally

    {

        //--------------------------------------------------------------------

        // Clean up.

        if (reseedBytes)

            env->ReleaseByteArrayElements(seed, reseedBytes, JNI_ABORT);

        if (pbData)

            delete [] pbData;

        if (seedBytes)

            env->ReleaseByteArrayElements(seed, seedBytes, 0); // update orig

        if (hCryptProv)

            ::CryptReleaseContext(hCryptProv, 0);

    }

    return result;

}

/*

 * Class:     sun_security_mscapi_KeyStore

 * Method:    loadKeysOrCertificateChains

 * Signature: (Ljava/lang/String;Ljava/util/Collection;)V

 */

JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateChains

  (JNIEnv *env, jobject obj, jstring jCertStoreName, jobject jCollections)

{

    /**

     * Certificate in cert store has enhanced key usage extension

     * property (or EKU property) that is not part of the certificate itself. To determine

     * if the certificate should be returned, both the enhanced key usage in certificate

     * extension block and the extension property stored along with the certificate in

     * certificate store should be examined. Otherwise, we won't be able to determine

     * the proper key usage from the Java side because the information is not stored as

     * part of the encoded certificate.

     */

    const char* pszCertStoreName = NULL;

    HCERTSTORE hCertStore = NULL;

    PCCERT_CONTEXT pCertContext = NULL;

    char* pszNameString = NULL; // certificate's friendly name

    DWORD cchNameString = 0;

    __try

    {

        // Open a system certificate store.

        if ((pszCertStoreName = env->GetStringUTFChars(jCertStoreName, NULL))

            == NULL) {

            __leave;

        }

        if ((hCertStore = ::CertOpenSystemStore(NULL, pszCertStoreName))

            == NULL) {

            ThrowException(env, KEYSTORE_EXCEPTION, GetLastError());

            __leave;

        }

        // Determine clazz and method ID to generate certificate

        jclass clazzArrayList = env->FindClass("java/util/ArrayList");

        jmethodID mNewArrayList = env->GetMethodID(clazzArrayList, "<init>", "()V");

        jmethodID mGenCert = env->GetMethodID(env->GetObjectClass(obj),

                                              "generateCertificate",

                                              "([BLjava/util/Collection;)V");

        // Determine method ID to generate certificate chain

        jmethodID mGenCertChain = env->GetMethodID(env->GetObjectClass(obj),

                                                   "generateCertificateChain",

                                                   "(Ljava/lang/String;Ljava/util/Collection;Ljava/util/Collection;)V");

        // Determine method ID to generate RSA certificate chain

        jmethodID mGenRSAKeyAndCertChain = env->GetMethodID(env->GetObjectClass(obj),

                                                   "generateRSAKeyAndCertificateChain",

                                                   "(Ljava/lang/String;JJILjava/util/Collection;Ljava/util/Collection;)V");

        // Use CertEnumCertificatesInStore to get the certificates

        // from the open store. pCertContext must be reset to

        // NULL to retrieve the first certificate in the store.

        while (pCertContext = ::CertEnumCertificatesInStore(hCertStore, pCertContext))

        {

            // Check if private key available - client authentication certificate

            // must have private key available.

            HCRYPTPROV hCryptProv = NULL;

            DWORD dwKeySpec = 0;

            HCRYPTKEY hUserKey = NULL;

            BOOL bCallerFreeProv = FALSE;

            BOOL bHasNoPrivateKey = FALSE;

            DWORD dwPublicKeyLength = 0;

            if (::CryptAcquireCertificatePrivateKey(pCertContext, NULL, NULL,

                                                    &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)

            {

                bHasNoPrivateKey = TRUE;

            } else {

                // Private key is available

            BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);

            // Skip certificate if cannot find private key

            if (bGetUserKey == FALSE)

            {

                if (bCallerFreeProv)

                    ::CryptReleaseContext(hCryptProv, NULL);

                continue;

            }

            // Set cipher mode to ECB

            DWORD dwCipherMode = CRYPT_MODE_ECB;

            ::CryptSetKeyParam(hUserKey, KP_MODE, (BYTE*)&dwCipherMode, NULL);

            // If the private key is present in smart card, we may not be able to

            // determine the key length by using the private key handle. However,

            // since public/private key pairs must have the same length, we could

            // determine the key length of the private key by using the public key

            // in the certificate.

            dwPublicKeyLength = ::CertGetPublicKeyLength(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,

                                                               &(pCertContext->pCertInfo->SubjectPublicKeyInfo));

}

            PCCERT_CHAIN_CONTEXT pCertChainContext = NULL;

            // Build certificate chain by using system certificate store.

            // Add cert chain into collection for any key usage.

            //

            if (GetCertificateChain(OID_EKU_ANY, pCertContext,

                &pCertChainContext))

            {

                for (unsigned int i=0; i < pCertChainContext->cChain; i++)

                {

                    // Found cert chain

                    PCERT_SIMPLE_CHAIN rgpChain =

                        pCertChainContext->rgpChain[i];

                    // Create ArrayList to store certs in each chain

                    jobject jArrayList =

                        env->NewObject(clazzArrayList, mNewArrayList);

                    for (unsigned int j=0; j < rgpChain->cElement; j++)

                    {

                        PCERT_CHAIN_ELEMENT rgpElement =

                            rgpChain->rgpElement[j];

                        PCCERT_CONTEXT pc = rgpElement->pCertContext;

                        // Retrieve the friendly name of the first certificate

                        // in the chain

                        if (j == 0) {

                            // If the cert's name cannot be retrieved then

                            // pszNameString remains set to NULL.

                            // (An alias name will be generated automatically

                            // when storing this cert in the keystore.)

                            // Get length of friendly name

                            if ((cchNameString = CertGetNameString(pc,

                                CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL,

                                NULL, 0)) > 1) {

                                // Found friendly name

                                pszNameString = new char[cchNameString];

                                CertGetNameString(pc,

                                    CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL,

                                    pszNameString, cchNameString);

                            }

                        }

                        BYTE* pbCertEncoded = pc->pbCertEncoded;

                        DWORD cbCertEncoded = pc->cbCertEncoded;

                        // Allocate and populate byte array

                        jbyteArray byteArray = env->NewByteArray(cbCertEncoded);

                        env->SetByteArrayRegion(byteArray, 0, cbCertEncoded,

                            (jbyte*) pbCertEncoded);

                        // Generate certificate from byte array and store into

                        // cert collection

                        env->CallVoidMethod(obj, mGenCert, byteArray, jArrayList);

                    }

                    if (bHasNoPrivateKey)

                    {

                        // Generate certificate chain and store into cert chain

                        // collection

                        env->CallVoidMethod(obj, mGenCertChain,

                            env->NewStringUTF(pszNameString),

                            jArrayList, jCollections);

                    }

                    else

                    {

                    // Determine key type: RSA or DSA

                    DWORD dwData = CALG_RSA_KEYX;

                    DWORD dwSize = sizeof(DWORD);

                    ::CryptGetKeyParam(hUserKey, KP_ALGID, (BYTE*)&dwData,

                        &dwSize, NULL);

                    if ((dwData & ALG_TYPE_RSA) == ALG_TYPE_RSA)

                    {

                        // Generate RSA certificate chain and store into cert

                        // chain collection

                        env->CallVoidMethod(obj, mGenRSAKeyAndCertChain,

                            env->NewStringUTF(pszNameString),

                            (jlong) hCryptProv, (jlong) hUserKey,

                            dwPublicKeyLength, jArrayList, jCollections);

                    }

}

                }

                // Free cert chain

                if (pCertChainContext)

                    ::CertFreeCertificateChain(pCertChainContext);

            }

        }

    }

    __finally

    {

        if (hCertStore)

            ::CertCloseStore(hCertStore, 0);

        if (pszCertStoreName)

            env->ReleaseStringUTFChars(jCertStoreName, pszCertStoreName);

        if (pszNameString)

            delete [] pszNameString;

    }

}

/*

 * Class:     sun_security_mscapi_Key

 * Method:    cleanUp

 * Signature: (JJ)V

 */

JNIEXPORT void JNICALL Java_sun_security_mscapi_Key_cleanUp

  (JNIEnv *env, jclass clazz, jlong hCryptProv, jlong hCryptKey)

{

    if (hCryptKey != NULL)

        ::CryptDestroyKey((HCRYPTKEY) hCryptKey);

    if (hCryptProv != NULL)

        ::CryptReleaseContext((HCRYPTPROV) hCryptProv, NULL);

}

/*

 * Class:     sun_security_mscapi_RSASignature

 * Method:    signHash

 * Signature: (Z[BILjava/lang/String;JJ)[B

 */

JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSASignature_signHash

  (JNIEnv *env, jclass clazz, jboolean noHashOID, jbyteArray jHash,

        jint jHashSize, jstring jHashAlgorithm, jlong hCryptProv,

        jlong hCryptKey)

{

    HCRYPTHASH hHash = NULL;

    jbyte* pHashBuffer = NULL;

    jbyte* pSignedHashBuffer = NULL;

    jbyteArray jSignedHash = NULL;

    HCRYPTPROV hCryptProvAlt = NULL;

    __try

    {

        // Map hash algorithm

        ALG_ID algId = MapHashAlgorithm(env, jHashAlgorithm);

        // Acquire a hash object handle.

        if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash) == FALSE)

        {

            // Failover to using the PROV_RSA_AES CSP

            DWORD cbData = 256;

            BYTE pbData[256];

            pbData[0] = '\0';

            // Get name of the key container

            ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER,

                (BYTE *)pbData, &cbData, 0);

            // Acquire an alternative CSP handle

            if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL,

                PROV_RSA_AES, 0) == FALSE)

            {

                ThrowException(env, SIGNATURE_EXCEPTION, GetLastError());