如何编写 KSP 连接到 KERB_CERTIFICATE_LOGON

How to write a KSP to hook up into KERB_CERTIFICATE_LOGON

大家好,我写了一个自定义的 credentialprovider,它在使用 username/password 作为凭据时工作正常,密码是通过蓝牙传输的。 毕竟这并不难,因为文档会告诉您要实现哪些接口。

现在我想更改凭据,改为使用证书。我看到应该为此使用 KERB_CERTIFICATE_LOGON 结构。深入研究该主题后,我发现应该按照微软的这篇文章中的描述,实现一个自定义密钥存储提供程序(KSP)。这就是我迷路的地方。也许是我太笨,搜不到正确的文档,但我就是找不到必须实现哪些接口,才能得到一个可以在 KERB_CERTIFICATE_LOGON 结构的 CspData 字段中引用的 KSP。我只找到了一堆方法,而快速搜索 NCRYPT_CERTIFICATE_PROPERTY(在上面链接的文章中提到)在 Google 上只得到了少得惊人的两条结果。

我找到了一份可以帮助我连接 credentialprovider 和 KSP 的资料,但它没有说明如何编写 KSP。 :-(

任何人都可以指导我在哪里可以找到信息或展示在类似场景中使用的 KSP 的简短示例(只是方法声明,以及如何在对 KERB_CERTIFICATE_LOGON 的调用中使用生成的 KSP)?

这个 Microsoft Cryptographic Provider Development Kit 有一个很好的 KSP 样本。

除了此示例之外,您唯一需要做的就是实施 SmartCardKeyCertificate 属性。 代码将是这样的:

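/*
 * Property getter of the sample KSP (excerpt), extended so that the
 * certificate associated with a key can be read through
 * NCRYPT_CERTIFICATE_PROPERTY.
 *
 * When pbOutput is NULL only the required size is reported in *pcbResult.
 * Otherwise the certificate is copied to pbOutput, or Status is set to
 * NTE_BUFFER_TOO_SMALL when cbOutput is smaller than that size.
 * The "..." lines stand for parts of the sample that are not shown here.
 */
SECURITY_STATUS
WINAPI
KSPGetKeyProperty(
__in    NCRYPT_PROV_HANDLE hProvider,
__in    NCRYPT_KEY_HANDLE hKey,
__in    LPCWSTR pszProperty,
__out_bcount_part_opt(cbOutput, *pcbResult) PBYTE pbOutput,
__in    DWORD   cbOutput,
__out   DWORD * pcbResult,
__in    DWORD   dwFlags)
{

    ...

    if (wcscmp(pszProperty, NCRYPT_CERTIFICATE_PROPERTY) == 0)
    {
        dwProperty = SAMPLEKSP_CERTIFICATE_PROPERTY;
        cbResult = GetCertificateSize(); //the size of the certificate that is associated with the key
    }

    // The required size is reported on every path, including the size query
    // and the buffer-too-small case below.
    *pcbResult = cbResult;
    if(pbOutput == NULL)
    {
        // Size query: the caller only wants to know how large a buffer to pass.
        Status = ERROR_SUCCESS;
        goto cleanup;
    }

    if(cbOutput < *pcbResult)
    {
         Status = NTE_BUFFER_TOO_SMALL;
         goto cleanup;
    }

    // The certificate is written exactly once, in the switch below, using
    // cbResult bytes, which is the length just validated against cbOutput.
    // A copy sized by anything else (e.g. sizeof of a local array) would not
    // be covered by the bounds check above and could overrun pbOutput.

    switch(dwProperty)
    {
    case SAMPLEKSP_CERTIFICATE_PROPERTY:
        CopyMemory(pbOutput, GetCertificate(), cbResult); //Copy to pbOutput the certificate in binary form 
        break;

    ...

    }

    ...

}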

在您实施并注册 KSP 后,您的 CredentialProvider 可以与其交互:

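// Produces the serialized logon credential for LogonUI (excerpt; "..." marks
// code that is not shown).
//
// pcpgsr  receives CPGSR_RETURN_CREDENTIAL_FINISHED on success.
// pcpcs   receives the authentication package id, the provider CLSID and the
//         serialized KERB_CERTIFICATE_LOGON buffer built by ConstructAuthInfo.
// Returns the HRESULT of the package lookup, or E_OUTOFMEMORY when no
// serialization buffer was produced.
HRESULT MyCredential::GetSerialization(
    CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr,
    CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcs,
    PWSTR* ppwszOptionalStatusText,
    CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon
    )
{

    ...

    ULONG ulAuthPackage;
    HRESULT hr = RetrieveNegotiateAuthPackage(&ulAuthPackage);

    if (SUCCEEDED(hr))
    {
        // Build the logon buffer only after the package lookup succeeded.
        // Building it first would leave an allocated buffer that contains the
        // PIN attached to a serialization that is then reported as failed.
        ConstructAuthInfo(&pcpcs->rgbSerialization, &pcpcs->cbSerialization);
        if (pcpcs->rgbSerialization == NULL)
        {
            // No buffer means there is nothing to submit.
            hr = E_OUTOFMEMORY;
        }
    }

    if (SUCCEEDED(hr))
    {
        pcpcs->ulAuthenticationPackage = ulAuthPackage;
        pcpcs->clsidCredentialProvider = CLSID_MyCredentialProvider;

        // At this point the credential has created the serialized credential used for logon
        // By setting this to CPGSR_RETURN_CREDENTIAL_FINISHED we are letting logonUI know
        // that we have all the information we need and it should attempt to submit the 
        // serialized credential.
        *pcpgsr = CPGSR_RETURN_CREDENTIAL_FINISHED;
    }

    return hr;
}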

// Looks up the id of the authentication package named by
// MICROSOFT_KERBEROS_NAME_A over an untrusted LSA connection.
//
// pulAuthPackage  receives the package id; it is written only on success.
// Returns S_OK on success, otherwise the failing NTSTATUS converted with
// HRESULT_FROM_NT.
HRESULT RetrieveNegotiateAuthPackage(ULONG * pulAuthPackage)
{
    HANDLE hLsaConnection = NULL;

    NTSTATUS ntStatus = LsaConnectUntrusted(&hLsaConnection);
    if (!SUCCEEDED(HRESULT_FROM_NT(ntStatus)))
    {
        // No connection was opened, so there is nothing to release.
        return HRESULT_FROM_NT(ntStatus);
    }

    ULONG ulPackageId;
    LSA_STRING kerberosPackageName;
    LsaInitString(&kerberosPackageName, MICROSOFT_KERBEROS_NAME_A);

    ntStatus = LsaLookupAuthenticationPackage(hLsaConnection, &kerberosPackageName, &ulPackageId);

    HRESULT hrResult = HRESULT_FROM_NT(ntStatus);
    if (SUCCEEDED(hrResult))
    {
        *pulAuthPackage = ulPackageId;
        hrResult = S_OK;
    }

    // The LSA connection is closed whether or not the lookup succeeded.
    LsaDeregisterLogonProcess(hLsaConnection);

    return hrResult;
}

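// Builds one contiguous logon buffer: a KERB_CERTIFICATE_LOGON header followed
// by the domain, user and PIN strings and a KERB_SMARTCARD_CSP_INFO block that
// names the key container and the KSP.
//
// ppbAuthInfo     receives the buffer allocated with CoTaskMemAlloc, or NULL
//                 when the allocation failed.
// pulAuthInfoLen  receives the buffer length in bytes, or 0 on failure.
//
// The Buffer members and CspData hold byte offsets from the start of the
// buffer, not pointers. The returned buffer contains the PIN in clear text,
// so whoever ends up owning it should wipe it before releasing it.
void ConstructAuthInfo(LPBYTE* ppbAuthInfo, ULONG *pulAuthInfoLen)
{
    // Sample values. A real provider would take the PIN, user and domain from
    // the logon session (UI, device) instead of compiling them into the binary,
    // where anyone with read access to the file can recover them.
    WCHAR szCardName[] = L""; // no card name specified but you can put one if you want
    WCHAR szContainerName[] = L"my_key_name";
    WCHAR szReaderName[] = L"";
    WCHAR szCspName[] = L"My Key Storage Provider";
    WCHAR szPin[] = L"11111111";
    ULONG ulPinByteLen = wcslen(szPin) * sizeof(WCHAR);
    WCHAR szUserName[] = L"user";
    ULONG ulUserByteLen = wcslen(szUserName) * sizeof(WCHAR);
    WCHAR szDomainName[] = L"testdomain.com";
    ULONG ulDomainByteLen = wcslen(szDomainName) * sizeof(WCHAR);
    LPBYTE pbAuthInfo = NULL;
    ULONG  ulAuthInfoLen = 0;
    KERB_CERTIFICATE_LOGON *pKerbCertLogon;
    KERB_SMARTCARD_CSP_INFO *pKerbCspInfo;
    LPBYTE pbDomainBuffer, pbUserBuffer, pbPinBuffer;
    LPBYTE pbCspData;
    LPBYTE pbCspDataContent;

    // Header minus its trailing one-character buffer, plus four
    // NUL-terminated names.
    // NOTE(review): sizeof(TCHAR) matches sizeof(WCHAR) only in UNICODE
    // builds; confirm against how KERB_SMARTCARD_CSP_INFO is declared.
    ULONG ulCspDataLen = sizeof(KERB_SMARTCARD_CSP_INFO)-sizeof(TCHAR)+
        (wcslen(szCardName) + 1) * sizeof(WCHAR)+
        (wcslen(szCspName) + 1) * sizeof(WCHAR)+
        (wcslen(szContainerName) + 1) * sizeof(WCHAR)+
        (wcslen(szReaderName) + 1) * sizeof(WCHAR);

    // Fail closed: the caller sees "no buffer" unless everything below succeeds.
    *ppbAuthInfo = NULL;
    *pulAuthInfoLen = 0;

    ulAuthInfoLen = sizeof(KERB_CERTIFICATE_LOGON)+
        ulDomainByteLen + sizeof(WCHAR)+
        ulUserByteLen + sizeof(WCHAR)+
        ulPinByteLen + sizeof(WCHAR)+
        ulCspDataLen;

    pbAuthInfo = (LPBYTE)CoTaskMemAlloc(ulAuthInfoLen);
    if (pbAuthInfo == NULL)
    {
        // Nothing was built; still wipe the local PIN copy before leaving.
        SecureZeroMemory(szPin, sizeof(szPin));
        return;
    }
    // Zero-filling supplies the NUL terminators, which the copies below omit.
    ZeroMemory(pbAuthInfo, ulAuthInfoLen);

    // Layout after the header: domain, user, PIN (each with room for a
    // terminator), then the CSP info block.
    pbDomainBuffer = pbAuthInfo + sizeof(KERB_CERTIFICATE_LOGON);
    pbUserBuffer = pbDomainBuffer + ulDomainByteLen + sizeof(WCHAR);
    pbPinBuffer = pbUserBuffer + ulUserByteLen + sizeof(WCHAR);
    pbCspData = pbPinBuffer + ulPinByteLen + sizeof(WCHAR);

    memcpy(pbDomainBuffer, szDomainName, ulDomainByteLen);
    memcpy(pbUserBuffer, szUserName, ulUserByteLen);
    memcpy(pbPinBuffer, szPin, ulPinByteLen);

    pKerbCertLogon = (KERB_CERTIFICATE_LOGON*)pbAuthInfo;

    // Each Buffer member is stored as an offset from pbAuthInfo, not as a
    // pointer into this process.
    pKerbCertLogon->MessageType = KerbCertificateLogon;
    pKerbCertLogon->DomainName.Length = (USHORT)ulDomainByteLen;
    pKerbCertLogon->DomainName.MaximumLength = (USHORT)(ulDomainByteLen + sizeof(WCHAR));
    pKerbCertLogon->DomainName.Buffer = (PWSTR)(pbDomainBuffer-pbAuthInfo);
    pKerbCertLogon->UserName.Length = (USHORT)ulUserByteLen;
    pKerbCertLogon->UserName.MaximumLength = (USHORT)(ulUserByteLen + sizeof(WCHAR));
    pKerbCertLogon->UserName.Buffer = (PWSTR)(pbUserBuffer-pbAuthInfo);
    pKerbCertLogon->Pin.Length = (USHORT)ulPinByteLen;
    pKerbCertLogon->Pin.MaximumLength = (USHORT)(ulPinByteLen + sizeof(WCHAR));
    pKerbCertLogon->Pin.Buffer = (PWSTR)(pbPinBuffer-pbAuthInfo);

    pKerbCertLogon->CspDataLength = ulCspDataLen;
    pKerbCertLogon->CspData = (PUCHAR)(pbCspData-pbAuthInfo);

    pKerbCspInfo = (KERB_SMARTCARD_CSP_INFO*)pbCspData;
    pKerbCspInfo->dwCspInfoLen = ulCspDataLen;
    pKerbCspInfo->MessageType = 1;
    // CERT_NCRYPT_KEY_SPEC selects a CNG key, i.e. the KSP rather than a legacy CSP.
    pKerbCspInfo->KeySpec = CERT_NCRYPT_KEY_SPEC;

    // Name offsets are counted in WCHARs from the start of the trailing
    // buffer, in the order card, reader, container, CSP name.
    pKerbCspInfo->nCardNameOffset = 0;
    pKerbCspInfo->nReaderNameOffset = pKerbCspInfo->nCardNameOffset + wcslen(szCardName) + 1;
    pKerbCspInfo->nContainerNameOffset = pKerbCspInfo->nReaderNameOffset + wcslen(szReaderName) + 1;
    pKerbCspInfo->nCSPNameOffset = pKerbCspInfo->nContainerNameOffset + wcslen(szContainerName) + 1;

    pbCspDataContent = pbCspData + sizeof(KERB_SMARTCARD_CSP_INFO)-sizeof(TCHAR);
    memcpy(pbCspDataContent + (pKerbCspInfo->nCardNameOffset * sizeof(WCHAR)), szCardName, wcslen(szCardName) * sizeof(WCHAR));
    memcpy(pbCspDataContent + (pKerbCspInfo->nReaderNameOffset * sizeof(WCHAR)), szReaderName, wcslen(szReaderName) * sizeof(WCHAR));
    memcpy(pbCspDataContent + (pKerbCspInfo->nContainerNameOffset * sizeof(WCHAR)), szContainerName, wcslen(szContainerName) * sizeof(WCHAR));
    memcpy(pbCspDataContent + (pKerbCspInfo->nCSPNameOffset * sizeof(WCHAR)), szCspName, wcslen(szCspName) * sizeof(WCHAR));

    // The stack copy of the PIN is no longer needed; the serialized buffer
    // handed to the caller still carries it.
    SecureZeroMemory(szPin, sizeof(szPin));

    *ppbAuthInfo = pbAuthInfo;
    *pulAuthInfoLen = ulAuthInfoLen;
}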

这段代码主要有两点:

  1. 为了与 KSP 交互,pKerbCspInfo->KeySpec 必须设置为 CERT_NCRYPT_KEY_SPEC。
  2. 为了使结构能够正确序列化(根据相关答案),各 Buffer 字段和 CspData 字段中存放的必须是相对于缓冲区起始位置(pbAuthInfo)的偏移量,而不是绝对指针:

    pKerbCertLogon->DomainName.Buffer = (PWSTR)(pbDomainBuffer-pbAuthInfo);
    pKerbCertLogon->UserName.Buffer = (PWSTR)(pbUserBuffer-pbAuthInfo);
    pKerbCertLogon->Pin.Buffer = (PWSTR)(pbPinBuffer-pbAuthInfo);
    pKerbCertLogon->CspData = (PUCHAR)(pbCspData-pbAuthInfo);

域控制器还应使用 "Kerberos Authentication" 模板颁发证书。