CertOpenStore access denied - c++

I have a pice of code in c++ that gets certificate from store:
// Open CA system store
m_hCertStore = ::CertOpenStore(
CERT_STORE_PROV_SYSTEM,
0,
NULL,
CERT_SYSTEM_STORE_CURRENT_USER,
//CERT_SYSTEM_STORE_LOCAL_MACHINE,
Store
);
if( !m_hCertStore )
throw MY_WIN32_TO_HRESULT(GetLastError());
// Locate "iScala License Key Generator" certificate
m_pCCertContext = ::CertFindCertificateInStore(
m_hCertStore,
PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
0,
CERT_FIND_SUBJECT_STR,
CertSubject,
NULL
);
When it tries to open the Cert Store I get an access denied error.
The certificate is in the Certificates/Current User, Intermediate Certification Authorities.

Related

gss_accept_sec_context() failed: An unsupported mechanism was requested

I have a client on windows which is sending a kerberos token obtained from windows using sspi. When I pass in client's token to gss_accept_sec_context on server (Linux Redhat 8) , I get "An unsupported mechanism was requested"
I am calling the gss_accept_sec_context as below:
j_stat = gss_accept_sec_context(&min_stat, context,
*server_creds, &recv_tok,
GSS_C_NO_CHANNEL_BINDINGS,
&client, &doid, &send_tok,
NULL,
NULL, /* time_rec */
NULL); /* del_cred_handle */
I acquire the credentials as :
OM_uint32 maj_stat, min_stat;
maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME,
GSS_C_INDEFINITE ,
GSS_C_NO_OID_SET,
GSS_C_ACCEPT,
server_creds,
NULL, NULL);
What could be the problem?
I hightly doubt that. It is likely an NTLM or SPNEGO token.

Client authentication (certificat + private key) using WinHttp

I'm trying to communicate in https with a server using the Win32 API.
Here is a very minimalist code :
HINTERNET ses = WinHttpOpen(L"test",WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,WINHTTP_NO_PROXY_NAME,WINHTTP_NO_PROXY_BYPASS,0 ) ;
HINTERNET con = WinHttpConnect(ses,L"stackoverflow.com",INTERNET_DEFAULT_HTTPS_PORT,0 ) ;
HINTERNET req = WinHttpOpenRequest(con,L"GET",NULL,NULL,WINHTTP_NO_REFERER,WINHTTP_DEFAULT_ACCEPT_TYPES,WINHTTP_FLAG_SECURE ) ;
WinHttpSendRequest( req,WINHTTP_NO_ADDITIONAL_HEADERS,0,WINHTTP_NO_REQUEST_DATA,0,0,0 ) ;
WinHttpReceiveResponse( req,NULL ) ;
char buffer [10000] ;
unsigned long size ;
WinHttpReadData( req,reinterpret_cast<void*>( buffer ),sizeof( buffer )-1,&size ) ;
buffer[size] = 0 ;
cout << buffer << endl ;
As long as I communicate with a "classic" https server like stackoverflow.com everything goes well.
The problem is when I try to communicate with a server that requests an authentication of the client.
I have 3 .pem files : a certificate and a private key for my client, and a root certificate that authenticates my client certificate (i.e. a certificate chain of length 2).
For information, I can connect my server using this cULR command line :
curl https://my.server --cert Client_cert.pem --key Client_key.pem --cacert Root_cert.pem
So I kown it's possible!
Reading the win32 API documentation, I figured out that the key is to call
WinHttpSetOption but it's not clear between the options WINHTTP_OPTION_CLIENT_CERT_CONTEXT and WINHTTP_OPTION_CLIENT_CERT_ISSUER_LIST...
And I did not find out how to pass my data (cert+key files).
Any wise advice ?
Thanks in advance !

gSOAP SSL - converting existing code to ssl

The earlier Version of this question got no Response, so I'm updating the entire Thing:
I have a test gSOAP Client and server on my machine. The client does an MTOM upload of various files to the server.
When attempting to convert the code to ssl I get the following error:
The server reports:
"SSL_ERROR_SSL
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher"
The client reports:
An SSL error occured
SOAP 1.2 fault SOAP-ENV:Receiver [no subcode]
"SSL_ERROR_SSL
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"
Detail: SSL_connect error in tcp_connect()
it runs without the "SSL" option. Can someone advise me as to what I'm doing wrong?
Applicable client code -
if(fSSL)
soap_ssl_init();
. . .
soap_init1(&my_soap, SOAP_ENC_MTOM); /* Enable MTOM */
. . .
if(fSSL)
{
if (soap_ssl_client_context(&my_soap,
SOAP_SSL_NO_AUTHENTICATION + SOAP_TLSv1_2,
NULL, // client keyfile
NULL, // passphrase for keyfile
NULL, // certified authority certificate
NULL, // directory for trusted certificates
NULL))// random data for seed
{
soap_print_fault(&my_soap, stderr);
...
}
}
...
long gsoap_status = soap_call___ns1__upload(&my_soap, endpoint.c_str(), NULL, &upload_parms, &upload_response);
Applicable server code -
if(fSSL)
soap_ssl_init();
. . .
soap_init1(&my_soap, SOAP_ENC_MTOM); /* Enable MTOM */
. . .
if(fSSL)
{
if (soap_ssl_server_context(&my_soap,
SOAP_SSL_NO_AUTHENTICATION + SOAP_TLSv1_2, // per EMAIL - option 1
NULL, // Keyfile - required for authentication
NULL, // passphrase
NULL, // password to read Keyfile
NULL, // optional cacert file
NULL, // DH Filename or DH key len bits
NULL, // Randfile
NULL)) // optional server identification (enable SSL session cache)
{
soap_print_fault(&my_soap, stderr);
exit(0);
}
}
. . .
my_soap.connect_timeout = 20;
my_soap.send_timeout = 60;
my_soap.recv_timeout = 60;
if(!soap_valid_socket(soap_bind(&my_soap, NULL, port, 100)))
{
soap_print_fault(&my_soap, stderr);
exit(1);
}
fprintf(stderr, "Bind to port %d successful\n", port);
// server loop starts
for (;;)
printf("server loop sta\n");
int t_socket = soap_accept(&my_soap);
struct soap* t_soap = 0;
t_soap = soap_copy(&my_soap);
if(fSSL)
{
if(soap_ssl_accept(&my_soap)) <------ FAILS HERE
{
printf("NOT Accepting (ssl) socket=%d connection from IP: %d.%d.%d.%d ...", t_socket,
(int)my_soap.ip>>24&0xFF,
(int)my_soap.ip>>16&0xFF,
(int)my_soap.ip>>8&0xFF,
(int)my_soap.ip&0xFF);
soap_print_fault(&my_soap, stderr);
soap_destroy(&my_soap);
soap_end(&my_soap);
continue;
}
}
. . .
if(soap_serve(&my_soap))
...
Server Console output:
Bind to port 8080 successful
server loop sta
NOT Accepting (ssl) socket=364 connection from IP: 127.0.0.1 ...Error 30 fault is internal [no subcode]
"SSL_ERROR_SSL
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher"
Detail: SSL_accept() failed in soap_ssl_accept()
I'm working on this now. I think the errors that you are seeing are because most/all distributions of openSSL do not support anonymous authentication any longer due to man in the middle attacks. A self-signed certificate on the server-side may be the only way to make these examples work.

InternetConnect fails to connect to FTP server via ftp proxy

I am trying to connect to FTP server using WinGate FTP Proxy. The InternetOpen() executes successfully returning appropriate handle in all cases.
In case Proxy Authentication is OFF, InternetConnect() returns proper handle and I can proceed with further ftp operations but in case Proxy Authentication is ON, InternetConnect() returns NULL.
On MSDN they have mentioned for proxies use InternetSetOption() with INTERNET_OPTION_PROXY_USERNAME and INTERNET_OPTION_PROXY_PASSWORD flags to set proxy username and password on handle returned by InternetConnect, but it's returning NULL and on printing GetLastError(), I get the following message:
InternetConnect failed: 12014
220 WinGate Engine FTP Gateway ready
331 send password
530 Auth Failed
if ((hHandle=InternetOpen("Upload", INTERNET_OPEN_TYPE_PROXY, "ftp=ftp://<servername>:<port>", NULL, 0)) == NULL)
{
printf("InternetOpen failed: %d", GetLastError());
printInternetErrorMsg(function);
return false;
}
char buffer[1024];
string proxy_username,proxy_password;
// get ftp proxy username and password
// ..
if ((m_itConnect=InternetConnect(hHandle, ftpserver, INTERNET_DEFAULT_FTP_PORT, ftpusrname, ftppasswd, INTERNET_SERVICE_FTP, NULL, NULL)) == NULL){
printf("InternetConnect failed: %d", GetLastError());
printInternetErrorMsg(function);
//Internet Connect Fails with following error when Proxy Authentication is ON
//InternetConnect failed: 12014
//220 WinGate Engine FTP Gateway ready
//331 send password
//530 Auth Failed
return false;
}
strcpy(buffer,proxy_username.c_str());
if ( !InternetSetOption (m_itConnect, INTERNET_OPTION_PROXY_USERNAME, (LPVOID) buffer, lstrlen (buffer) ))
{
printf("Unable to set proxy authetication settings (username). Error returned: %d", GetLastError() );
return false;
}
strcpy(buffer, proxy_password.c_str());
if ( !InternetSetOption (m_itConnect, INTERNET_OPTION_PROXY_PASSWORD, (LPVOID) buffer, lstrlen (buffer) ))
{
printf("Unable to set proxy authetication settings (password). Error returned: %d", GetLastError() );
return false;
}
}
printf("InternetConnect successful ...");
return true;
Any help is appreciated.
Thanks in Advance.
the problem is you are connecting to an FTP proxy, rather than an HTTP proxy. So you're getting an FTP welcome string back.
When working through a proxy using WinInet, FTP is done over HTTP. The client makes an HTTP request to the HTTP proxy for an FTP URL. the HTTP proxy acts as an FTP client to the FTP server, and translates the response back to HTTP for the client. Strange but true.
So you need to change the proxy port to be the HTTP proxy in WinGate.

CreateNamedPipe causes ERROR_ACCESS_DENIED?

i need to create a named pipe for communication between client and server (in same host), here is the code:
WCHAR wszPipeName[MAX_FILE_LENGTH];
swprintf_s(wszPipeName, MAX_FILE_LENGTH, L"\\\\.\\pipe\\TEST%d", uniqueID);
pipe = CreateNamedPipe(
wszPipeName, // name of the pipe
PIPE_ACCESS_DUPLEX,
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_NOWAIT,
1,
MAX_MSG_SIZE,
MAX_MSG_SIZE , //inbound buffer
MAX_READ_DATA_TIMEOUT,
NULL // use default security attributes
);
It the handler get back is always INVALID_HANDLE_VAULE, and the error is ERROR_ACCESS_DENIED.
Is there anything wrong here? It is running on Windows 7/8.
Thanks
This is Python code, but this sets up a security descriptor for the local user and denies remote:
dacl = ACL()
# Deny NT AUTHORITY\NETWORK SID
sid = CreateWellKnownSid(WinNetworkSid)
dacl.AddAccessDeniedAce(ACL_REVISION, GENERIC_ALL, sid)
# Allow current user SID
token = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY)
sid = GetTokenInformation(token, TokenUser)[0]
dacl.AddAccessAllowedAce(ACL_REVISION, GENERIC_READ | GENERIC_WRITE, sid)
security_descriptor = SECURITY_DESCRIPTOR()
security_descriptor.SetSecurityDescriptorDacl(True, dacl, False)
security_attributes = SECURITY_ATTRIBUTES()
security_attributes.SECURITY_DESCRIPTOR = security_descriptor
pipe = CreateNamedPipe(
<your other params here>
security_attributes
)
Found the reason, it is because the security limitation. After providing a suitable security descriptor, it just works!