Windows Security & Cryptography: Advanced Programming Techniques#

Introduction#

Windows provides a comprehensive security architecture with powerful cryptographic APIs, authentication systems, and data protection mechanisms. This guide explores the Windows Security APIs, demonstrating how to build secure applications with encryption, digital signatures, certificate management, and advanced security features.

Windows Security Technologies#

🔐 CryptoAPI: Core cryptographic functions
🛡️ CNG (Cryptography Next Generation): Modern cryptographic API
🔑 DPAPI: Data Protection API for secure storage
📜 Certificate Management: PKI and digital certificates
🔒 Authentication: SSPI, Kerberos, NTLM
🚪 Access Control: Security descriptors, ACLs
🔏 Smart Cards: Hardware-based authentication
🌐 SSL/TLS: Secure communications

Windows Security Architecture#

1
graph TB
2
    subgraph "Windows Security Architecture"
3
        App[Application Layer] --> SecAPI[Security APIs]
4

5
        subgraph "Cryptographic Services"
6
            SecAPI --> CryptoAPI[CryptoAPI 1.0]
7
            SecAPI --> CNG[CNG - Crypto Next Gen]
8
            SecAPI --> DPAPI[Data Protection API]
9
        end
10

11
        subgraph "Authentication"
12
            SecAPI --> SSPI[Security Support Provider Interface]
13
            SSPI --> Kerberos[Kerberos]
14
            SSPI --> NTLM[NTLM]
15
            SSPI --> SSL[SSL/TLS]
16
        end
17

18
        subgraph "Certificate Services"
19
            SecAPI --> CertStore[Certificate Stores]
20
            CertStore --> LocalStore[Local Computer Store]
21
            CertStore --> UserStore[Current User Store]
22
            CertStore --> SmartCard[Smart Card Store]
23
        end
24

25
        subgraph "Access Control"
26
            SecAPI --> ACL[Access Control Lists]
27
            ACL --> DACL[Discretionary ACL]
28
            ACL --> SACL[System ACL]
29
        end
30
    end

CryptoAPI Programming#

1. Basic Encryption and Decryption#

1
// CryptoAPI encryption/decryption implementation
2
#include <windows.h>
3
#include <wincrypt.h>
4
#include <vector>
5
#include <string>
6

7
class CryptoAPIHelper {
8
private:
9
    HCRYPTPROV m_hProv;
10
    HCRYPTKEY m_hKey;
11

12
public:
13
    CryptoAPIHelper() : m_hProv(0), m_hKey(0) {}
14

15
    ~CryptoAPIHelper() {
16
        if (m_hKey) CryptDestroyKey(m_hKey);
17
        if (m_hProv) CryptReleaseContext(m_hProv, 0);
18
    }
19

20
    // Initialize cryptographic context
21
    HRESULT Initialize(DWORD provType = PROV_RSA_AES) {
22
        if (!CryptAcquireContextW(&m_hProv, nullptr, nullptr, provType, CRYPT_VERIFYCONTEXT)) {
23
            return HRESULT_FROM_WIN32(GetLastError());
24
        }
25
        return S_OK;
26
    }
27

28
    // Generate symmetric key from password
29
    HRESULT DeriveKeyFromPassword(const std::wstring& password, ALG_ID algId = CALG_AES_256) {
30
        HCRYPTHASH hHash = 0;
31
        HRESULT hr = S_OK;
32

33
        // Create hash object
34
        if (!CryptCreateHash(m_hProv, CALG_SHA_256, 0, 0, &hHash)) {
35
            return HRESULT_FROM_WIN32(GetLastError());
36
        }
37

38
        // Hash the password
39
        std::string passwordUtf8 = WideStringToUtf8(password);
40
        if (!CryptHashData(hHash, reinterpret_cast<const BYTE*>(passwordUtf8.c_str()),
41
                          static_cast<DWORD>(passwordUtf8.length()), 0)) {
42
            hr = HRESULT_FROM_WIN32(GetLastError());
43
            CryptDestroyHash(hHash);
44
            return hr;
45
        }
46

47
        // Derive key from hash
48
        if (!CryptDeriveKey(m_hProv, algId, hHash, CRYPT_EXPORTABLE, &m_hKey)) {
49
            hr = HRESULT_FROM_WIN32(GetLastError());
50
        }
51

52
        CryptDestroyHash(hHash);
53
        return hr;
54
    }
55

56
    // Generate random symmetric key
57
    HRESULT GenerateKey(ALG_ID algId = CALG_AES_256, DWORD keyLength = 0) {
58
        DWORD flags = CRYPT_EXPORTABLE;
59
        if (keyLength > 0) {
60
            flags |= (keyLength << 16);
61
        }
62

63
        if (!CryptGenKey(m_hProv, algId, flags, &m_hKey)) {
64
            return HRESULT_FROM_WIN32(GetLastError());
65
        }
66

67
        return S_OK;
68
    }
69

70
    // Encrypt data
71
    std::vector<BYTE> EncryptData(const std::vector<BYTE>& data) {
72
        if (!m_hKey) return {};
73

74
        // Make a copy of input data (CryptEncrypt modifies it)
75
        std::vector<BYTE> encryptedData = data;
76
        DWORD dataLen = static_cast<DWORD>(data.size());
77
        DWORD bufferLen = dataLen;
78

79
        // Get required buffer size
80
        if (!CryptEncrypt(m_hKey, 0, TRUE, 0, nullptr, &bufferLen, dataLen)) {
81
            return {};
82
        }
83

84
        // Resize buffer if needed
85
        encryptedData.resize(bufferLen);
86

87
        // Encrypt the data
88
        if (!CryptEncrypt(m_hKey, 0, TRUE, 0, encryptedData.data(), &dataLen, bufferLen)) {
89
            return {};
90
        }
91

92
        encryptedData.resize(dataLen);
93
        return encryptedData;
94
    }
95

96
    // Decrypt data
97
    std::vector<BYTE> DecryptData(const std::vector<BYTE>& encryptedData) {
98
        if (!m_hKey) return {};
99

100
        std::vector<BYTE> decryptedData = encryptedData;
101
        DWORD dataLen = static_cast<DWORD>(encryptedData.size());
102

103
        if (!CryptDecrypt(m_hKey, 0, TRUE, 0, decryptedData.data(), &dataLen)) {
104
            return {};
105
        }
106

107
        decryptedData.resize(dataLen);
108
        return decryptedData;
109
    }
110

111
    // Export key to blob
112
    std::vector<BYTE> ExportKey(DWORD blobType = PLAINTEXTKEYBLOB) {
113
        if (!m_hKey) return {};
114

115
        DWORD blobLen;
116
        if (!CryptExportKey(m_hKey, 0, blobType, 0, nullptr, &blobLen)) {
117
            return {};
118
        }
119

120
        std::vector<BYTE> keyBlob(blobLen);
121
        if (!CryptExportKey(m_hKey, 0, blobType, 0, keyBlob.data(), &blobLen)) {
122
            return {};
123
        }
124

125
        return keyBlob;
126
    }
127

128
    // Import key from blob
129
    HRESULT ImportKey(const std::vector<BYTE>& keyBlob) {
130
        if (m_hKey) {
131
            CryptDestroyKey(m_hKey);
132
            m_hKey = 0;
133
        }
134

135
        if (!CryptImportKey(m_hProv, keyBlob.data(), static_cast<DWORD>(keyBlob.size()),
136
                           0, 0, &m_hKey)) {
137
            return HRESULT_FROM_WIN32(GetLastError());
138
        }
139

140
        return S_OK;
141
    }
142

143
    // Generate random bytes
144
    std::vector<BYTE> GenerateRandomBytes(DWORD length) {
145
        std::vector<BYTE> randomData(length);
146

147
        if (!CryptGenRandom(m_hProv, length, randomData.data())) {
148
            return {};
149
        }
150

151
        return randomData;
152
    }
153

154
private:
155
    std::string WideStringToUtf8(const std::wstring& wstr) {
156
        if (wstr.empty()) return {};
157

158
        int size = WideCharToMultiByte(CP_UTF8, 0, wstr.c_str(), -1, nullptr, 0, nullptr, nullptr);
159
        std::string result(size - 1, 0);
160
        WideCharToMultiByte(CP_UTF8, 0, wstr.c_str(), -1, &result[0], size, nullptr, nullptr);
161

162
        return result;
163
    }
164
};
165

166
// Example usage
167
class SecureFileStorage {
168
private:
169
    CryptoAPIHelper m_crypto;
170

171
public:
172
    HRESULT Initialize() {
173
        return m_crypto.Initialize();
174
    }
175

176
    HRESULT EncryptFile(const std::wstring& inputFile, const std::wstring& outputFile,
177
                       const std::wstring& password) {
178
        HRESULT hr = m_crypto.DeriveKeyFromPassword(password);
179
        if (FAILED(hr)) return hr;
180

181
        // Read input file
182
        std::vector<BYTE> fileData = ReadFileContent(inputFile);
183
        if (fileData.empty()) return E_FAIL;
184

185
        // Encrypt data
186
        std::vector<BYTE> encryptedData = m_crypto.EncryptData(fileData);
187
        if (encryptedData.empty()) return E_FAIL;
188

189
        // Write encrypted file
190
        return WriteFileContent(outputFile, encryptedData);
191
    }
192

193
    HRESULT DecryptFile(const std::wstring& inputFile, const std::wstring& outputFile,
194
                       const std::wstring& password) {
195
        HRESULT hr = m_crypto.DeriveKeyFromPassword(password);
196
        if (FAILED(hr)) return hr;
197

198
        // Read encrypted file
199
        std::vector<BYTE> encryptedData = ReadFileContent(inputFile);
200
        if (encryptedData.empty()) return E_FAIL;
201

202
        // Decrypt data
203
        std::vector<BYTE> decryptedData = m_crypto.DecryptData(encryptedData);
204
        if (decryptedData.empty()) return E_FAIL;
205

206
        // Write decrypted file
207
        return WriteFileContent(outputFile, decryptedData);
208
    }
209

210
private:
211
    std::vector<BYTE> ReadFileContent(const std::wstring& filePath) {
212
        HANDLE hFile = CreateFileW(filePath.c_str(), GENERIC_READ, FILE_SHARE_READ,
213
                                  nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
214

215
        if (hFile == INVALID_HANDLE_VALUE) return {};
216

217
        LARGE_INTEGER fileSize;
218
        if (!GetFileSizeEx(hFile, &fileSize)) {
219
            CloseHandle(hFile);
220
            return {};
221
        }
222

223
        std::vector<BYTE> buffer(static_cast<size_t>(fileSize.QuadPart));
224
        DWORD bytesRead;
225

226
        BOOL result = ReadFile(hFile, buffer.data(), static_cast<DWORD>(buffer.size()),
227
                              &bytesRead, nullptr);
228
        CloseHandle(hFile);
229

230
        return result ? buffer : std::vector<BYTE>();
231
    }
232

233
    HRESULT WriteFileContent(const std::wstring& filePath, const std::vector<BYTE>& data) {
234
        HANDLE hFile = CreateFileW(filePath.c_str(), GENERIC_WRITE, 0, nullptr,
235
                                  CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
236

237
        if (hFile == INVALID_HANDLE_VALUE) {
238
            return HRESULT_FROM_WIN32(GetLastError());
239
        }
240

241
        DWORD bytesWritten;
242
        BOOL result = WriteFile(hFile, data.data(), static_cast<DWORD>(data.size()),
243
                               &bytesWritten, nullptr);
244

245
        CloseHandle(hFile);
246

247
        return result && bytesWritten == data.size() ? S_OK : E_FAIL;
248
    }
249
};

2. Hash Functions and Digital Signatures#

1
// Hash and digital signature implementation
2
class HashAndSignature {
3
private:
4
    HCRYPTPROV m_hProv;
5

6
public:
7
    HashAndSignature() : m_hProv(0) {}
8

9
    ~HashAndSignature() {
10
        if (m_hProv) CryptReleaseContext(m_hProv, 0);
11
    }
12

13
    HRESULT Initialize() {
14
        if (!CryptAcquireContextW(&m_hProv, nullptr, nullptr, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
15
            return HRESULT_FROM_WIN32(GetLastError());
16
        }
17
        return S_OK;
18
    }
19

20
    // Calculate hash of data
21
    std::vector<BYTE> CalculateHash(const std::vector<BYTE>& data, ALG_ID algId = CALG_SHA_256) {
22
        HCRYPTHASH hHash = 0;
23

24
        if (!CryptCreateHash(m_hProv, algId, 0, 0, &hHash)) {
25
            return {};
26
        }
27

28
        if (!CryptHashData(hHash, data.data(), static_cast<DWORD>(data.size()), 0)) {
29
            CryptDestroyHash(hHash);
30
            return {};
31
        }
32

33
        DWORD hashLen;
34
        if (!CryptGetHashParam(hHash, HP_HASHSIZE, reinterpret_cast<BYTE*>(&hashLen),
35
                              &(DWORD){sizeof(hashLen)}, 0)) {
36
            CryptDestroyHash(hHash);
37
            return {};
38
        }
39

40
        std::vector<BYTE> hashValue(hashLen);
41
        if (!CryptGetHashParam(hHash, HP_HASHVAL, hashValue.data(), &hashLen, 0)) {
42
            CryptDestroyHash(hHash);
43
            return {};
44
        }
45

46
        CryptDestroyHash(hHash);
47
        return hashValue;
48
    }
49

50
    // Calculate file hash
51
    std::vector<BYTE> CalculateFileHash(const std::wstring& filePath, ALG_ID algId = CALG_SHA_256) {
52
        HANDLE hFile = CreateFileW(filePath.c_str(), GENERIC_READ, FILE_SHARE_READ,
53
                                  nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
54

55
        if (hFile == INVALID_HANDLE_VALUE) return {};
56

57
        HCRYPTHASH hHash = 0;
58
        if (!CryptCreateHash(m_hProv, algId, 0, 0, &hHash)) {
59
            CloseHandle(hFile);
60
            return {};
61
        }
62

63
        const DWORD BUFFER_SIZE = 8192;
64
        BYTE buffer[BUFFER_SIZE];
65
        DWORD bytesRead;
66

67
        while (ReadFile(hFile, buffer, BUFFER_SIZE, &bytesRead, nullptr) && bytesRead > 0) {
68
            if (!CryptHashData(hHash, buffer, bytesRead, 0)) {
69
                CryptDestroyHash(hHash);
70
                CloseHandle(hFile);
71
                return {};
72
            }
73
        }
74

75
        CloseHandle(hFile);
76

77
        DWORD hashLen;
78
        if (!CryptGetHashParam(hHash, HP_HASHSIZE, reinterpret_cast<BYTE*>(&hashLen),
79
                              &(DWORD){sizeof(hashLen)}, 0)) {
80
            CryptDestroyHash(hHash);
81
            return {};
82
        }
83

84
        std::vector<BYTE> hashValue(hashLen);
85
        if (!CryptGetHashParam(hHash, HP_HASHVAL, hashValue.data(), &hashLen, 0)) {
86
            CryptDestroyHash(hHash);
87
            return {};
88
        }
89

90
        CryptDestroyHash(hHash);
91
        return hashValue;
92
    }
93

94
    // Generate RSA key pair
95
    HRESULT GenerateKeyPair(HCRYPTKEY* phPrivateKey, HCRYPTKEY* phPublicKey, DWORD keyLength = 2048) {
96
        HCRYPTKEY hKeyPair = 0;
97

98
        if (!CryptGenKey(m_hProv, AT_SIGNATURE, (keyLength << 16) | CRYPT_EXPORTABLE, &hKeyPair)) {
99
            return HRESULT_FROM_WIN32(GetLastError());
100
        }
101

102
        *phPrivateKey = hKeyPair;
103
        *phPublicKey = hKeyPair; // Same handle for RSA key pair
104

105
        return S_OK;
106
    }
107

108
    // Sign data with private key
109
    std::vector<BYTE> SignData(const std::vector<BYTE>& data, HCRYPTKEY hPrivateKey) {
110
        HCRYPTHASH hHash = 0;
111

112
        if (!CryptCreateHash(m_hProv, CALG_SHA_256, 0, 0, &hHash)) {
113
            return {};
114
        }
115

116
        if (!CryptHashData(hHash, data.data(), static_cast<DWORD>(data.size()), 0)) {
117
            CryptDestroyHash(hHash);
118
            return {};
119
        }
120

121
        DWORD sigLen;
122
        if (!CryptSignHashW(hHash, AT_SIGNATURE, nullptr, 0, nullptr, &sigLen)) {
123
            CryptDestroyHash(hHash);
124
            return {};
125
        }
126

127
        std::vector<BYTE> signature(sigLen);
128
        if (!CryptSignHashW(hHash, AT_SIGNATURE, nullptr, 0, signature.data(), &sigLen)) {
129
            CryptDestroyHash(hHash);
130
            return {};
131
        }
132

133
        CryptDestroyHash(hHash);
134
        return signature;
135
    }
136

137
    // Verify signature with public key
138
    bool VerifySignature(const std::vector<BYTE>& data, const std::vector<BYTE>& signature,
139
                        HCRYPTKEY hPublicKey) {
140
        HCRYPTHASH hHash = 0;
141

142
        if (!CryptCreateHash(m_hProv, CALG_SHA_256, 0, 0, &hHash)) {
143
            return false;
144
        }
145

146
        if (!CryptHashData(hHash, data.data(), static_cast<DWORD>(data.size()), 0)) {
147
            CryptDestroyHash(hHash);
148
            return false;
149
        }
150

151
        BOOL result = CryptVerifySignatureW(hHash, signature.data(), static_cast<DWORD>(signature.size()),
152
                                           hPublicKey, nullptr, 0);
153

154
        CryptDestroyHash(hHash);
155
        return result != FALSE;
156
    }
157

158
    // Convert hash to hex string
159
    std::wstring HashToHexString(const std::vector<BYTE>& hash) {
160
        std::wstring hexString;
161
        hexString.reserve(hash.size() * 2);
162

163
        for (BYTE b : hash) {
164
            wchar_t hex[3];
165
            swprintf_s(hex, L"%02X", b);
166
            hexString += hex;
167
        }
168

169
        return hexString;
170
    }
171
};
172

173
// File integrity checker using hashes
174
class FileIntegrityChecker {
175
private:
176
    HashAndSignature m_hasher;
177
    std::map<std::wstring, std::vector<BYTE>> m_fileHashes;
178

179
public:
180
    HRESULT Initialize() {
181
        return m_hasher.Initialize();
182
    }
183

184
    // Add file to monitoring
185
    HRESULT AddFile(const std::wstring& filePath) {
186
        std::vector<BYTE> hash = m_hasher.CalculateFileHash(filePath);
187
        if (hash.empty()) return E_FAIL;
188

189
        m_fileHashes[filePath] = hash;
190
        return S_OK;
191
    }
192

193
    // Check if file has been modified
194
    bool IsFileModified(const std::wstring& filePath) {
195
        auto it = m_fileHashes.find(filePath);
196
        if (it == m_fileHashes.end()) return false;
197

198
        std::vector<BYTE> currentHash = m_hasher.CalculateFileHash(filePath);
199
        if (currentHash.empty()) return true; // Assume modified if can't calculate
200

201
        return it->second != currentHash;
202
    }
203

204
    // Update stored hash for a file
205
    HRESULT UpdateFile(const std::wstring& filePath) {
206
        std::vector<BYTE> hash = m_hasher.CalculateFileHash(filePath);
207
        if (hash.empty()) return E_FAIL;
208

209
        m_fileHashes[filePath] = hash;
210
        return S_OK;
211
    }
212

213
    // Get integrity report for all monitored files
214
    struct IntegrityReport {
215
        std::vector<std::wstring> modifiedFiles;
216
        std::vector<std::wstring> unchangedFiles;
217
        std::vector<std::wstring> errorFiles;
218
    };
219

220
    IntegrityReport GenerateReport() {
221
        IntegrityReport report;
222

223
        for (const auto& [filePath, storedHash] : m_fileHashes) {
224
            std::vector<BYTE> currentHash = m_hasher.CalculateFileHash(filePath);
225

226
            if (currentHash.empty()) {
227
                report.errorFiles.push_back(filePath);
228
            } else if (currentHash != storedHash) {
229
                report.modifiedFiles.push_back(filePath);
230
            } else {
231
                report.unchangedFiles.push_back(filePath);
232
            }
233
        }
234

235
        return report;
236
    }
237
};

DPAPI (Data Protection API)#

1. Secure Data Storage with DPAPI#

1
// DPAPI implementation for secure data storage
2
#include <windows.h>
3
#include <dpapi.h>
4

5
class DPAPIHelper {
6
public:
7
    // Encrypt data using DPAPI
8
    static std::vector<BYTE> ProtectData(const std::vector<BYTE>& plainData,
9
                                        const std::wstring& description = L"",
10
                                        bool forCurrentUser = true) {
11
        DATA_BLOB plainBlob;
12
        plainBlob.pbData = const_cast<BYTE*>(plainData.data());
13
        plainBlob.cbData = static_cast<DWORD>(plainData.size());
14

15
        DATA_BLOB encryptedBlob;
16
        DWORD flags = forCurrentUser ? CRYPTPROTECT_UI_FORBIDDEN : CRYPTPROTECT_LOCAL_MACHINE;
17

18
        BOOL result = CryptProtectData(
19
            &plainBlob,
20
            description.empty() ? nullptr : description.c_str(),
21
            nullptr,        // Optional entropy
22
            nullptr,        // Reserved
23
            nullptr,        // Prompt struct
24
            flags,
25
            &encryptedBlob
26
        );
27

28
        if (!result) {
29
            return {};
30
        }
31

32
        std::vector<BYTE> encryptedData(encryptedBlob.pbData,
33
                                       encryptedBlob.pbData + encryptedBlob.cbData);
34

35
        LocalFree(encryptedBlob.pbData);
36
        return encryptedData;
37
    }
38

39
    // Decrypt data using DPAPI
40
    static std::vector<BYTE> UnprotectData(const std::vector<BYTE>& encryptedData,
41
                                          std::wstring* pDescription = nullptr) {
42
        DATA_BLOB encryptedBlob;
43
        encryptedBlob.pbData = const_cast<BYTE*>(encryptedData.data());
44
        encryptedBlob.cbData = static_cast<DWORD>(encryptedData.size());
45

46
        DATA_BLOB plainBlob;
47
        LPWSTR descriptionOut = nullptr;
48

49
        BOOL result = CryptUnprotectData(
50
            &encryptedBlob,
51
            &descriptionOut,
52
            nullptr,        // Optional entropy
53
            nullptr,        // Reserved
54
            nullptr,        // Prompt struct
55
            CRYPTPROTECT_UI_FORBIDDEN,
56
            &plainBlob
57
        );
58

59
        if (!result) {
60
            if (descriptionOut) LocalFree(descriptionOut);
61
            return {};
62
        }
63

64
        std::vector<BYTE> plainData(plainBlob.pbData, plainBlob.pbData + plainBlob.cbData);
65

66
        if (pDescription && descriptionOut) {
67
            *pDescription = descriptionOut;
68
        }
69

70
        if (descriptionOut) LocalFree(descriptionOut);
71
        LocalFree(plainBlob.pbData);
72

73
        return plainData;
74
    }
75

76
    // Protect string data
77
    static std::vector<BYTE> ProtectString(const std::wstring& plainString,
78
                                          const std::wstring& description = L"") {
79
        std::vector<BYTE> data(reinterpret_cast<const BYTE*>(plainString.c_str()),
80
                              reinterpret_cast<const BYTE*>(plainString.c_str() +
81
                              plainString.length() + 1) * sizeof(wchar_t));
82

83
        return ProtectData(data, description);
84
    }
85

86
    // Unprotect string data
87
    static std::wstring UnprotectString(const std::vector<BYTE>& encryptedData) {
88
        std::vector<BYTE> decryptedData = UnprotectData(encryptedData);
89
        if (decryptedData.empty()) return L"";
90

91
        return std::wstring(reinterpret_cast<const wchar_t*>(decryptedData.data()));
92
    }
93
};
94

95
// Secure configuration storage
96
class SecureConfigStorage {
97
private:
98
    std::wstring m_configFilePath;
99
    std::map<std::wstring, std::vector<BYTE>> m_encryptedValues;
100

101
public:
102
    SecureConfigStorage(const std::wstring& configPath) : m_configFilePath(configPath) {}
103

104
    // Store encrypted configuration value
105
    HRESULT SetValue(const std::wstring& key, const std::wstring& value) {
106
        std::vector<BYTE> encryptedValue = DPAPIHelper::ProtectString(value, key);
107
        if (encryptedValue.empty()) return E_FAIL;
108

109
        m_encryptedValues[key] = encryptedValue;
110
        return SaveToFile();
111
    }
112

113
    // Retrieve and decrypt configuration value
114
    std::wstring GetValue(const std::wstring& key, const std::wstring& defaultValue = L"") {
115
        auto it = m_encryptedValues.find(key);
116
        if (it == m_encryptedValues.end()) return defaultValue;
117

118
        std::wstring decryptedValue = DPAPIHelper::UnprotectString(it->second);
119
        return decryptedValue.empty() ? defaultValue : decryptedValue;
120
    }
121

122
    // Load encrypted configuration from file
123
    HRESULT LoadFromFile() {
124
        HANDLE hFile = CreateFileW(m_configFilePath.c_str(), GENERIC_READ, FILE_SHARE_READ,
125
                                  nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
126

127
        if (hFile == INVALID_HANDLE_VALUE) return HRESULT_FROM_WIN32(GetLastError());
128

129
        LARGE_INTEGER fileSize;
130
        if (!GetFileSizeEx(hFile, &fileSize)) {
131
            CloseHandle(hFile);
132
            return HRESULT_FROM_WIN32(GetLastError());
133
        }
134

135
        std::vector<BYTE> fileData(static_cast<size_t>(fileSize.QuadPart));
136
        DWORD bytesRead;
137

138
        if (!ReadFile(hFile, fileData.data(), static_cast<DWORD>(fileData.size()),
139
                     &bytesRead, nullptr)) {
140
            CloseHandle(hFile);
141
            return HRESULT_FROM_WIN32(GetLastError());
142
        }
143

144
        CloseHandle(hFile);
145

146
        // Parse configuration data (simplified binary format)
147
        return ParseConfigData(fileData);
148
    }
149

150
    // Save encrypted configuration to file
151
    HRESULT SaveToFile() {
152
        std::vector<BYTE> configData = SerializeConfigData();
153

154
        HANDLE hFile = CreateFileW(m_configFilePath.c_str(), GENERIC_WRITE, 0,
155
                                  nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
156

157
        if (hFile == INVALID_HANDLE_VALUE) return HRESULT_FROM_WIN32(GetLastError());
158

159
        DWORD bytesWritten;
160
        BOOL result = WriteFile(hFile, configData.data(), static_cast<DWORD>(configData.size()),
161
                               &bytesWritten, nullptr);
162

163
        CloseHandle(hFile);
164

165
        return result ? S_OK : HRESULT_FROM_WIN32(GetLastError());
166
    }
167

168
private:
169
    std::vector<BYTE> SerializeConfigData() {
170
        std::vector<BYTE> data;
171

172
        // Write number of entries
173
        DWORD entryCount = static_cast<DWORD>(m_encryptedValues.size());
174
        data.insert(data.end(), reinterpret_cast<BYTE*>(&entryCount),
175
                   reinterpret_cast<BYTE*>(&entryCount) + sizeof(entryCount));
176

177
        // Write each entry
178
        for (const auto& [key, encryptedValue] : m_encryptedValues) {
179
            // Write key length and key
180
            DWORD keyLength = static_cast<DWORD>(key.length() * sizeof(wchar_t));
181
            data.insert(data.end(), reinterpret_cast<BYTE*>(&keyLength),
182
                       reinterpret_cast<BYTE*>(&keyLength) + sizeof(keyLength));
183
            data.insert(data.end(), reinterpret_cast<const BYTE*>(key.c_str()),
184
                       reinterpret_cast<const BYTE*>(key.c_str()) + keyLength);
185

186
            // Write value length and encrypted value
187
            DWORD valueLength = static_cast<DWORD>(encryptedValue.size());
188
            data.insert(data.end(), reinterpret_cast<BYTE*>(&valueLength),
189
                       reinterpret_cast<BYTE*>(&valueLength) + sizeof(valueLength));
190
            data.insert(data.end(), encryptedValue.begin(), encryptedValue.end());
191
        }
192

193
        return data;
194
    }
195

196
    HRESULT ParseConfigData(const std::vector<BYTE>& data) {
197
        if (data.size() < sizeof(DWORD)) return E_INVALIDARG;
198

199
        size_t offset = 0;
200
        DWORD entryCount = *reinterpret_cast<const DWORD*>(data.data() + offset);
201
        offset += sizeof(DWORD);
202

203
        m_encryptedValues.clear();
204

205
        for (DWORD i = 0; i < entryCount; i++) {
206
            if (offset + sizeof(DWORD) > data.size()) return E_INVALIDARG;
207

208
            // Read key
209
            DWORD keyLength = *reinterpret_cast<const DWORD*>(data.data() + offset);
210
            offset += sizeof(DWORD);
211

212
            if (offset + keyLength > data.size()) return E_INVALIDARG;
213

214
            std::wstring key(reinterpret_cast<const wchar_t*>(data.data() + offset),
215
                            keyLength / sizeof(wchar_t));
216
            offset += keyLength;
217

218
            // Read encrypted value
219
            if (offset + sizeof(DWORD) > data.size()) return E_INVALIDARG;
220

221
            DWORD valueLength = *reinterpret_cast<const DWORD*>(data.data() + offset);
222
            offset += sizeof(DWORD);
223

224
            if (offset + valueLength > data.size()) return E_INVALIDARG;
225

226
            std::vector<BYTE> encryptedValue(data.begin() + offset,
227
                                           data.begin() + offset + valueLength);
228
            offset += valueLength;
229

230
            m_encryptedValues[key] = encryptedValue;
231
        }
232

233
        return S_OK;
234
    }
235
};

Certificate Management#

1. Certificate Store Operations#

1
// Certificate management and operations
2
#include <windows.h>
3
#include <wincrypt.h>
4
#include <cryptuiapi.h>
5

6
class CertificateManager {
7
private:
8
    HCERTSTORE m_hCertStore;
9

10
public:
11
    CertificateManager() : m_hCertStore(nullptr) {}
12

13
    ~CertificateManager() {
14
        if (m_hCertStore) {
15
            CertCloseStore(m_hCertStore, 0);
16
        }
17
    }
18

19
    // Open certificate store
20
    HRESULT OpenStore(LPCWSTR storeName = L"MY", DWORD storeLocation = CERT_SYSTEM_STORE_CURRENT_USER) {
21
        m_hCertStore = CertOpenSystemStoreW(0, storeName);
22
        if (!m_hCertStore) {
23
            return HRESULT_FROM_WIN32(GetLastError());
24
        }
25
        return S_OK;
26
    }
27

28
    // Find certificate by subject name
29
    PCCERT_CONTEXT FindCertificateBySubject(const std::wstring& subjectName) {
30
        if (!m_hCertStore) return nullptr;
31

32
        return CertFindCertificateInStore(
33
            m_hCertStore,
34
            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
35
            0,
36
            CERT_FIND_SUBJECT_STR_W,
37
            subjectName.c_str(),
38
            nullptr
39
        );
40
    }
41

42
    // Find certificate by thumbprint
43
    PCCERT_CONTEXT FindCertificateByThumbprint(const std::vector<BYTE>& thumbprint) {
44
        if (!m_hCertStore) return nullptr;
45

46
        CRYPT_HASH_BLOB hashBlob;
47
        hashBlob.cbData = static_cast<DWORD>(thumbprint.size());
48
        hashBlob.pbData = const_cast<BYTE*>(thumbprint.data());
49

50
        return CertFindCertificateInStore(
51
            m_hCertStore,
52
            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
53
            0,
54
            CERT_FIND_SHA1_HASH,
55
            &hashBlob,
56
            nullptr
57
        );
58
    }
59

60
    // Install certificate from file
61
    HRESULT InstallCertificateFromFile(const std::wstring& certFilePath) {
62
        if (!m_hCertStore) return E_FAIL;
63

64
        // Read certificate file
65
        HANDLE hFile = CreateFileW(certFilePath.c_str(), GENERIC_READ, FILE_SHARE_READ,
66
                                  nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
67

68
        if (hFile == INVALID_HANDLE_VALUE) {
69
            return HRESULT_FROM_WIN32(GetLastError());
70
        }
71

72
        LARGE_INTEGER fileSize;
73
        if (!GetFileSizeEx(hFile, &fileSize)) {
74
            CloseHandle(hFile);
75
            return HRESULT_FROM_WIN32(GetLastError());
76
        }
77

78
        std::vector<BYTE> certData(static_cast<size_t>(fileSize.QuadPart));
79
        DWORD bytesRead;
80

81
        if (!ReadFile(hFile, certData.data(), static_cast<DWORD>(certData.size()),
82
                     &bytesRead, nullptr)) {
83
            CloseHandle(hFile);
84
            return HRESULT_FROM_WIN32(GetLastError());
85
        }
86

87
        CloseHandle(hFile);
88

89
        // Create certificate context
90
        PCCERT_CONTEXT pCertContext = CertCreateCertificateContext(
91
            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
92
            certData.data(),
93
            static_cast<DWORD>(certData.size())
94
        );
95

96
        if (!pCertContext) {
97
            return HRESULT_FROM_WIN32(GetLastError());
98
        }
99

100
        // Add certificate to store
101
        BOOL result = CertAddCertificateContextToStore(
102
            m_hCertStore,
103
            pCertContext,
104
            CERT_STORE_ADD_REPLACE_EXISTING,
105
            nullptr
106
        );
107

108
        CertFreeCertificateContext(pCertContext);
109

110
        return result ? S_OK : HRESULT_FROM_WIN32(GetLastError());
111
    }
112

113
    // Generate self-signed certificate
114
    PCCERT_CONTEXT GenerateSelfSignedCertificate(const std::wstring& subjectName,
115
                                                DWORD keyLength = 2048) {
116
        // Create key container
117
        HCRYPTPROV hProv;
118
        std::wstring containerName = L"TempContainer_" + std::to_wstring(GetTickCount64());
119

120
        if (!CryptAcquireContextW(&hProv, containerName.c_str(), nullptr,
121
                                 PROV_RSA_FULL, CRYPT_NEWKEYSET)) {
122
            return nullptr;
123
        }
124

125
        // Generate key pair
126
        HCRYPTKEY hKey;
127
        if (!CryptGenKey(hProv, AT_SIGNATURE, (keyLength << 16) | CRYPT_EXPORTABLE, &hKey)) {
128
            CryptReleaseContext(hProv, 0);
129
            return nullptr;
130
        }
131

132
        // Prepare certificate subject
133
        CERT_NAME_BLOB subjectBlob;
134
        if (!CertStrToNameW(X509_ASN_ENCODING, subjectName.c_str(),
135
                           CERT_X500_NAME_STR, nullptr, nullptr, &subjectBlob.cbData, nullptr)) {
136
            CryptDestroyKey(hKey);
137
            CryptReleaseContext(hProv, 0);
138
            return nullptr;
139
        }
140

141
        subjectBlob.pbData = new BYTE[subjectBlob.cbData];
142
        if (!CertStrToNameW(X509_ASN_ENCODING, subjectName.c_str(),
143
                           CERT_X500_NAME_STR, nullptr, subjectBlob.pbData, &subjectBlob.cbData, nullptr)) {
144
            delete[] subjectBlob.pbData;
145
            CryptDestroyKey(hKey);
146
            CryptReleaseContext(hProv, 0);
147
            return nullptr;
148
        }
149

150
        // Create certificate
151
        SYSTEMTIME startTime, endTime;
152
        GetSystemTime(&startTime);
153
        endTime = startTime;
154
        endTime.wYear += 1; // Valid for 1 year
155

156
        PCCERT_CONTEXT pCertContext = CertCreateSelfSignCertificate(
157
            hProv,
158
            &subjectBlob,
159
            0,
160
            nullptr,
161
            nullptr,
162
            &startTime,
163
            &endTime,
164
            nullptr
165
        );
166

167
        // Cleanup
168
        delete[] subjectBlob.pbData;
169
        CryptDestroyKey(hKey);
170
        CryptReleaseContext(hProv, 0);
171

172
        // Delete temporary container
173
        CryptAcquireContextW(&hProv, containerName.c_str(), nullptr,
174
                            PROV_RSA_FULL, CRYPT_DELETEKEYSET);
175

176
        return pCertContext;
177
    }
178

179
    // Get certificate information
180
    struct CertificateInfo {
181
        std::wstring subject;
182
        std::wstring issuer;
183
        std::wstring serialNumber;
184
        std::vector<BYTE> thumbprint;
185
        FILETIME notBefore;
186
        FILETIME notAfter;
187
        bool hasPrivateKey;
188
    };
189

190
    CertificateInfo GetCertificateInfo(PCCERT_CONTEXT pCertContext) {
191
        CertificateInfo info;
192

193
        if (!pCertContext) return info;
194

195
        // Get subject name
196
        DWORD subjectSize = CertNameToStrW(X509_ASN_ENCODING, &pCertContext->pCertInfo->Subject,
197
                                          CERT_X500_NAME_STR, nullptr, 0);
198
        if (subjectSize > 1) {
199
            std::vector<wchar_t> subjectBuffer(subjectSize);
200
            CertNameToStrW(X509_ASN_ENCODING, &pCertContext->pCertInfo->Subject,
201
                          CERT_X500_NAME_STR, subjectBuffer.data(), subjectSize);
202
            info.subject = subjectBuffer.data();
203
        }
204

205
        // Get issuer name
206
        DWORD issuerSize = CertNameToStrW(X509_ASN_ENCODING, &pCertContext->pCertInfo->Issuer,
207
                                         CERT_X500_NAME_STR, nullptr, 0);
208
        if (issuerSize > 1) {
209
            std::vector<wchar_t> issuerBuffer(issuerSize);
210
            CertNameToStrW(X509_ASN_ENCODING, &pCertContext->pCertInfo->Issuer,
211
                          CERT_X500_NAME_STR, issuerBuffer.data(), issuerSize);
212
            info.issuer = issuerBuffer.data();
213
        }
214

215
        // Get serial number
216
        CRYPT_INTEGER_BLOB* serialBlob = &pCertContext->pCertInfo->SerialNumber;
217
        for (DWORD i = serialBlob->cbData; i > 0; i--) {
218
            wchar_t hex[3];
219
            swprintf_s(hex, L"%02X", serialBlob->pbData[i - 1]);
220
            info.serialNumber += hex;
221
        }
222

223
        // Get thumbprint
224
        DWORD thumbprintSize = 20; // SHA-1 hash size
225
        info.thumbprint.resize(thumbprintSize);
226
        CertGetCertificateContextProperty(pCertContext, CERT_SHA1_HASH_PROP_ID,
227
                                         info.thumbprint.data(), &thumbprintSize);
228

229
        // Get validity period
230
        info.notBefore = pCertContext->pCertInfo->NotBefore;
231
        info.notAfter = pCertContext->pCertInfo->NotAfter;
232

233
        // Check for private key
234
        DWORD keySpecSize = sizeof(DWORD);
235
        DWORD keySpec;
236
        info.hasPrivateKey = CertGetCertificateContextProperty(
237
            pCertContext, CERT_KEY_SPEC_PROP_ID, &keySpec, &keySpecSize);
238

239
        return info;
240
    }
241

242
    // Export certificate to file
243
    HRESULT ExportCertificateToFile(PCCERT_CONTEXT pCertContext, const std::wstring& filePath,
244
                                   bool includePrivateKey = false) {
245
        if (!pCertContext) return E_INVALIDARG;
246

247
        HANDLE hFile = CreateFileW(filePath.c_str(), GENERIC_WRITE, 0,
248
                                  nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);
249

250
        if (hFile == INVALID_HANDLE_VALUE) {
251
            return HRESULT_FROM_WIN32(GetLastError());
252
        }
253

254
        DWORD bytesWritten;
255
        BOOL result;
256

257
        if (includePrivateKey) {
258
            // Export as PKCS#12 (requires private key access)
259
            CRYPT_DATA_BLOB pfxBlob = {};
260

261
            if (!PFXExportCertStore(m_hCertStore, &pfxBlob, L"", EXPORT_PRIVATE_KEYS)) {
262
                CloseHandle(hFile);
263
                return HRESULT_FROM_WIN32(GetLastError());
264
            }
265

266
            pfxBlob.pbData = new BYTE[pfxBlob.cbData];
267
            if (!PFXExportCertStore(m_hCertStore, &pfxBlob, L"", EXPORT_PRIVATE_KEYS)) {
268
                delete[] pfxBlob.pbData;
269
                CloseHandle(hFile);
270
                return HRESULT_FROM_WIN32(GetLastError());
271
            }
272

273
            result = WriteFile(hFile, pfxBlob.pbData, pfxBlob.cbData, &bytesWritten, nullptr);
274
            delete[] pfxBlob.pbData;
275
        } else {
276
            // Export as DER (certificate only)
277
            result = WriteFile(hFile, pCertContext->pbCertEncoded,
278
                              pCertContext->cbCertEncoded, &bytesWritten, nullptr);
279
        }
280

281
        CloseHandle(hFile);
282

283
        return result ? S_OK : HRESULT_FROM_WIN32(GetLastError());
284
    }
285

286
    // List all certificates in store
287
    std::vector<CertificateInfo> ListCertificates() {
288
        std::vector<CertificateInfo> certificates;
289

290
        if (!m_hCertStore) return certificates;
291

292
        PCCERT_CONTEXT pCertContext = nullptr;
293

294
        while ((pCertContext = CertEnumCertificatesInStore(m_hCertStore, pCertContext)) != nullptr) {
295
            certificates.push_back(GetCertificateInfo(pCertContext));
296
        }
297

298
        return certificates;
299
    }
300
};

2. SSL/TLS Certificate Validation#

1
// SSL/TLS certificate validation
2
class SSLCertificateValidator {
3
public:
4
    // Validate certificate chain
5
    static bool ValidateCertificateChain(PCCERT_CONTEXT pCertContext) {
6
        if (!pCertContext) return false;
7

8
        // Create certificate chain
9
        CERT_CHAIN_PARA chainPara = { sizeof(chainPara) };
10
        PCCERT_CHAIN_CONTEXT pChainContext = nullptr;
11

12
        BOOL result = CertGetCertificateChain(
13
            nullptr,            // Use default chain engine
14
            pCertContext,       // Certificate to validate
15
            nullptr,            // Use current time
16
            nullptr,            // Additional store
17
            &chainPara,         // Chain building parameters
18
            CERT_CHAIN_REVOCATION_CHECK_ENTIRE_CHAIN,
19
            nullptr,            // Reserved
20
            &pChainContext      // Chain context
21
        );
22

23
        if (!result || !pChainContext) {
24
            return false;
25
        }
26

27
        // Check chain status
28
        bool isValid = true;
29

30
        // Check for critical errors
31
        if (pChainContext->TrustStatus.dwErrorStatus &
32
            (CERT_TRUST_IS_NOT_TIME_VALID |
33
             CERT_TRUST_IS_NOT_TIME_NESTED |
34
             CERT_TRUST_IS_REVOKED |
35
             CERT_TRUST_IS_NOT_SIGNATURE_VALID |
36
             CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
37
             CERT_TRUST_IS_UNTRUSTED_ROOT |
38
             CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
39
             CERT_TRUST_IS_CYCLIC |
40
             CERT_TRUST_INVALID_EXTENSION |
41
             CERT_TRUST_INVALID_POLICY_CONSTRAINTS |
42
             CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
43
             CERT_TRUST_INVALID_NAME_CONSTRAINTS)) {
44
            isValid = false;
45
        }
46

47
        CertFreeCertificateChain(pChainContext);
48
        return isValid;
49
    }
50

51
    // Validate certificate for specific usage
52
    static bool ValidateCertificateUsage(PCCERT_CONTEXT pCertContext,
53
                                        const std::vector<std::string>& requiredUsages) {
54
        if (!pCertContext) return false;
55

56
        // Get enhanced key usage extension
57
        PCERT_EXTENSION pExtension = CertFindExtension(
58
            szOID_ENHANCED_KEY_USAGE,
59
            pCertContext->pCertInfo->cExtension,
60
            pCertContext->pCertInfo->rgExtension
61
        );
62

63
        if (!pExtension) return false;
64

65
        // Decode extension
66
        DWORD usageSize;
67
        if (!CryptDecodeObject(X509_ASN_ENCODING, szOID_ENHANCED_KEY_USAGE,
68
                              pExtension->Value.pbData, pExtension->Value.cbData,
69
                              0, nullptr, &usageSize)) {
70
            return false;
71
        }
72

73
        std::vector<BYTE> usageBuffer(usageSize);
74
        if (!CryptDecodeObject(X509_ASN_ENCODING, szOID_ENHANCED_KEY_USAGE,
75
                              pExtension->Value.pbData, pExtension->Value.cbData,
76
                              0, usageBuffer.data(), &usageSize)) {
77
            return false;
78
        }
79

80
        PCERT_ENHKEY_USAGE pUsage = reinterpret_cast<PCERT_ENHKEY_USAGE>(usageBuffer.data());
81

82
        // Check if all required usages are present
83
        for (const auto& requiredUsage : requiredUsages) {
84
            bool found = false;
85
            for (DWORD i = 0; i < pUsage->cUsageIdentifier; i++) {
86
                if (strcmp(pUsage->rgpszUsageIdentifier[i], requiredUsage.c_str()) == 0) {
87
                    found = true;
88
                    break;
89
                }
90
            }
91
            if (!found) return false;
92
        }
93

94
        return true;
95
    }
96

97
    // Validate hostname against certificate
98
    static bool ValidateHostname(PCCERT_CONTEXT pCertContext, const std::wstring& hostname) {
99
        if (!pCertContext) return false;
100

101
        // Get subject alternative names
102
        PCERT_EXTENSION pSANExtension = CertFindExtension(
103
            szOID_SUBJECT_ALT_NAME2,
104
            pCertContext->pCertInfo->cExtension,
105
            pCertContext->pCertInfo->rgExtension
106
        );
107

108
        if (pSANExtension) {
109
            // Decode SAN extension
110
            DWORD sanSize;
111
            if (!CryptDecodeObject(X509_ASN_ENCODING, szOID_SUBJECT_ALT_NAME2,
112
                                  pSANExtension->Value.pbData, pSANExtension->Value.cbData,
113
                                  0, nullptr, &sanSize)) {
114
                return false;
115
            }
116

117
            std::vector<BYTE> sanBuffer(sanSize);
118
            if (!CryptDecodeObject(X509_ASN_ENCODING, szOID_SUBJECT_ALT_NAME2,
119
                                  pSANExtension->Value.pbData, pSANExtension->Value.cbData,
120
                                  0, sanBuffer.data(), &sanSize)) {
121
                return false;
122
            }
123

124
            PCERT_ALT_NAME_INFO pSAN = reinterpret_cast<PCERT_ALT_NAME_INFO>(sanBuffer.data());
125

126
            // Check DNS names in SAN
127
            for (DWORD i = 0; i < pSAN->cAltEntry; i++) {
128
                if (pSAN->rgAltEntry[i].dwAltNameChoice == CERT_ALT_NAME_DNS_NAME) {
129
                    std::wstring dnsName = pSAN->rgAltEntry[i].pwszDNSName;
130
                    if (MatchHostname(hostname, dnsName)) {
131
                        return true;
132
                    }
133
                }
134
            }
135
        }
136

137
        // Check subject CN if no SAN match
138
        return MatchSubjectCN(pCertContext, hostname);
139
    }
140

141
private:
142
    static bool MatchHostname(const std::wstring& hostname, const std::wstring& pattern) {
143
        // Simple wildcard matching for SSL certificates
144
        if (pattern.find(L'*') == std::wstring::npos) {
145
            return _wcsicmp(hostname.c_str(), pattern.c_str()) == 0;
146
        }
147

148
        // Handle wildcard patterns like *.example.com
149
        if (pattern.length() > 2 && pattern.substr(0, 2) == L"*.") {
150
            std::wstring domain = pattern.substr(2);
151
            size_t dotPos = hostname.find(L'.');
152
            if (dotPos != std::wstring::npos) {
153
                std::wstring hostDomain = hostname.substr(dotPos + 1);
154
                return _wcsicmp(hostDomain.c_str(), domain.c_str()) == 0;
155
            }
156
        }
157

158
        return false;
159
    }
160

161
    static bool MatchSubjectCN(PCCERT_CONTEXT pCertContext, const std::wstring& hostname) {
162
        DWORD subjectSize = CertNameToStrW(X509_ASN_ENCODING,
163
                                          &pCertContext->pCertInfo->Subject,
164
                                          CERT_X500_NAME_STR, nullptr, 0);
165

166
        if (subjectSize <= 1) return false;
167

168
        std::vector<wchar_t> subjectBuffer(subjectSize);
169
        CertNameToStrW(X509_ASN_ENCODING, &pCertContext->pCertInfo->Subject,
170
                      CERT_X500_NAME_STR, subjectBuffer.data(), subjectSize);
171

172
        std::wstring subject = subjectBuffer.data();
173

174
        // Extract CN from subject
175
        size_t cnPos = subject.find(L"CN=");
176
        if (cnPos == std::wstring::npos) return false;
177

178
        size_t cnStart = cnPos + 3;
179
        size_t cnEnd = subject.find(L',', cnStart);
180
        if (cnEnd == std::wstring::npos) cnEnd = subject.length();
181

182
        std::wstring cn = subject.substr(cnStart, cnEnd - cnStart);
183

184
        return MatchHostname(hostname, cn);
185
    }
186
};

Windows Authentication#

1. SSPI Authentication#

1
// SSPI (Security Support Provider Interface) implementation
2
#define SECURITY_WIN32
3
#include <windows.h>
4
#include <sspi.h>
5
#include <security.h>
6

7
class SSPIAuthenticator {
8
private:
9
    CredHandle m_hCredentials;
10
    CtxtHandle m_hContext;
11
    bool m_bCredentialsAcquired;
12
    bool m_bContextEstablished;
13

14
public:
15
    SSPIAuthenticator() : m_bCredentialsAcquired(false), m_bContextEstablished(false) {
16
        SecInvalidateHandle(&m_hCredentials);
17
        SecInvalidateHandle(&m_hContext);
18
    }
19

20
    ~SSPIAuthenticator() {
21
        if (m_bContextEstablished) {
22
            DeleteSecurityContext(&m_hContext);
23
        }
24
        if (m_bCredentialsAcquired) {
25
            FreeCredentialsHandle(&m_hCredentials);
26
        }
27
    }
28

29
    // Acquire credentials for authentication
30
    SECURITY_STATUS AcquireCredentials(const std::wstring& package = L"Negotiate",
31
                                      const std::wstring& principal = L"",
32
                                      ULONG credentialUse = SECPKG_CRED_OUTBOUND) {
33
        TimeStamp expiry;
34

35
        SECURITY_STATUS status = AcquireCredentialsHandleW(
36
            principal.empty() ? nullptr : principal.c_str(),
37
            const_cast<LPWSTR>(package.c_str()),
38
            credentialUse,
39
            nullptr,
40
            nullptr,
41
            nullptr,
42
            nullptr,
43
            &m_hCredentials,
44
            &expiry
45
        );
46

47
        if (status == SEC_E_OK) {
48
            m_bCredentialsAcquired = true;
49
        }
50

51
        return status;
52
    }
53

54
    // Initialize security context (client side)
55
    SECURITY_STATUS InitializeSecurityContext(const std::wstring& targetName,
56
                                             const SecBuffer* pInputBuffer = nullptr,
57
                                             SecBuffer* pOutputBuffer = nullptr) {
58
        if (!m_bCredentialsAcquired) {
59
            return SEC_E_NO_CREDENTIALS;
60
        }
61

62
        SecBufferDesc inputDesc = {};
63
        SecBufferDesc outputDesc = {};
64

65
        // Setup input buffer
66
        if (pInputBuffer) {
67
            inputDesc.ulVersion = SECBUFFER_VERSION;
68
            inputDesc.cBuffers = 1;
69
            inputDesc.pBuffers = const_cast<SecBuffer*>(pInputBuffer);
70
        }
71

72
        // Setup output buffer
73
        if (pOutputBuffer) {
74
            outputDesc.ulVersion = SECBUFFER_VERSION;
75
            outputDesc.cBuffers = 1;
76
            outputDesc.pBuffers = pOutputBuffer;
77
        }
78

79
        ULONG contextAttributes;
80
        TimeStamp expiry;
81

82
        SECURITY_STATUS status = InitializeSecurityContextW(
83
            &m_hCredentials,
84
            m_bContextEstablished ? &m_hContext : nullptr,
85
            const_cast<LPWSTR>(targetName.c_str()),
86
            ISC_REQ_MUTUAL_AUTH | ISC_REQ_CONFIDENTIALITY,
87
            0,
88
            SECURITY_NATIVE_DREP,
89
            pInputBuffer ? &inputDesc : nullptr,
90
            0,
91
            &m_hContext,
92
            pOutputBuffer ? &outputDesc : nullptr,
93
            &contextAttributes,
94
            &expiry
95
        );
96

97
        if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED) {
98
            m_bContextEstablished = true;
99
        }
100

101
        return status;
102
    }
103

104
    // Accept security context (server side)
105
    SECURITY_STATUS AcceptSecurityContext(const SecBuffer* pInputBuffer,
106
                                        SecBuffer* pOutputBuffer) {
107
        if (!m_bCredentialsAcquired) {
108
            return SEC_E_NO_CREDENTIALS;
109
        }
110

111
        SecBufferDesc inputDesc = {};
112
        SecBufferDesc outputDesc = {};
113

114
        // Setup input buffer
115
        if (pInputBuffer) {
116
            inputDesc.ulVersion = SECBUFFER_VERSION;
117
            inputDesc.cBuffers = 1;
118
            inputDesc.pBuffers = const_cast<SecBuffer*>(pInputBuffer);
119
        }
120

121
        // Setup output buffer
122
        if (pOutputBuffer) {
123
            outputDesc.ulVersion = SECBUFFER_VERSION;
124
            outputDesc.cBuffers = 1;
125
            outputDesc.pBuffers = pOutputBuffer;
126
        }
127

128
        ULONG contextAttributes;
129
        TimeStamp expiry;
130

131
        SECURITY_STATUS status = AcceptSecurityContext(
132
            &m_hCredentials,
133
            m_bContextEstablished ? &m_hContext : nullptr,
134
            pInputBuffer ? &inputDesc : nullptr,
135
            ASC_REQ_MUTUAL_AUTH | ASC_REQ_CONFIDENTIALITY,
136
            SECURITY_NATIVE_DREP,
137
            &m_hContext,
138
            pOutputBuffer ? &outputDesc : nullptr,
139
            &contextAttributes,
140
            &expiry
141
        );
142

143
        if (status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED) {
144
            m_bContextEstablished = true;
145
        }
146

147
        return status;
148
    }
149

150
    // Encrypt message
151
    std::vector<BYTE> EncryptMessage(const std::vector<BYTE>& message) {
152
        if (!m_bContextEstablished) return {};
153

154
        SecPkgContext_Sizes sizes;
155
        SECURITY_STATUS status = QueryContextAttributesW(&m_hContext, SECPKG_ATTR_SIZES, &sizes);
156
        if (status != SEC_E_OK) return {};
157

158
        // Calculate buffer sizes
159
        DWORD totalSize = sizes.cbSecurityTrailer + static_cast<DWORD>(message.size()) + sizes.cbBlockSize;
160
        std::vector<BYTE> encryptedBuffer(totalSize);
161

162
        // Setup buffers
163
        SecBuffer buffers[4];
164
        buffers[0].BufferType = SECBUFFER_TOKEN;
165
        buffers[0].cbBuffer = sizes.cbSecurityTrailer;
166
        buffers[0].pvBuffer = encryptedBuffer.data();
167

168
        buffers[1].BufferType = SECBUFFER_DATA;
169
        buffers[1].cbBuffer = static_cast<DWORD>(message.size());
170
        buffers[1].pvBuffer = encryptedBuffer.data() + sizes.cbSecurityTrailer;
171
        memcpy(buffers[1].pvBuffer, message.data(), message.size());
172

173
        buffers[2].BufferType = SECBUFFER_PADDING;
174
        buffers[2].cbBuffer = sizes.cbBlockSize;
175
        buffers[2].pvBuffer = encryptedBuffer.data() + sizes.cbSecurityTrailer + message.size();
176

177
        buffers[3].BufferType = SECBUFFER_EMPTY;
178
        buffers[3].cbBuffer = 0;
179
        buffers[3].pvBuffer = nullptr;
180

181
        SecBufferDesc bufferDesc;
182
        bufferDesc.ulVersion = SECBUFFER_VERSION;
183
        bufferDesc.cBuffers = 4;
184
        bufferDesc.pBuffers = buffers;
185

186
        status = EncryptMessage(&m_hContext, 0, &bufferDesc, 0);
187
        if (status != SEC_E_OK) return {};
188

189
        // Return encrypted data
190
        DWORD encryptedSize = buffers[0].cbBuffer + buffers[1].cbBuffer + buffers[2].cbBuffer;
191
        encryptedBuffer.resize(encryptedSize);
192

193
        return encryptedBuffer;
194
    }
195

196
    // Decrypt message
197
    std::vector<BYTE> DecryptMessage(const std::vector<BYTE>& encryptedMessage) {
198
        if (!m_bContextEstablished) return {};
199

200
        // Make a copy for in-place decryption
201
        std::vector<BYTE> buffer = encryptedMessage;
202

203
        SecBuffer buffers[4];
204
        buffers[0].BufferType = SECBUFFER_STREAM;
205
        buffers[0].cbBuffer = static_cast<DWORD>(buffer.size());
206
        buffers[0].pvBuffer = buffer.data();
207

208
        buffers[1].BufferType = SECBUFFER_EMPTY;
209
        buffers[1].cbBuffer = 0;
210
        buffers[1].pvBuffer = nullptr;
211

212
        buffers[2].BufferType = SECBUFFER_EMPTY;
213
        buffers[2].cbBuffer = 0;
214
        buffers[2].pvBuffer = nullptr;
215

216
        buffers[3].BufferType = SECBUFFER_EMPTY;
217
        buffers[3].cbBuffer = 0;
218
        buffers[3].pvBuffer = nullptr;
219

220
        SecBufferDesc bufferDesc;
221
        bufferDesc.ulVersion = SECBUFFER_VERSION;
222
        bufferDesc.cBuffers = 4;
223
        bufferDesc.pBuffers = buffers;
224

225
        ULONG qop;
226
        SECURITY_STATUS status = DecryptMessage(&m_hContext, &bufferDesc, 0, &qop);
227
        if (status != SEC_E_OK) return {};
228

229
        // Find the data buffer
230
        for (int i = 0; i < 4; i++) {
231
            if (buffers[i].BufferType == SECBUFFER_DATA) {
232
                std::vector<BYTE> decrypted(static_cast<BYTE*>(buffers[i].pvBuffer),
233
                                           static_cast<BYTE*>(buffers[i].pvBuffer) + buffers[i].cbBuffer);
234
                return decrypted;
235
            }
236
        }
237

238
        return {};
239
    }
240

241
    // Get authenticated user name
242
    std::wstring GetAuthenticatedUser() {
243
        if (!m_bContextEstablished) return L"";
244

245
        SecPkgContext_NamesW names;
246
        SECURITY_STATUS status = QueryContextAttributesW(&m_hContext, SECPKG_ATTR_NAMES, &names);
247
        if (status != SEC_E_OK) return L"";
248

249
        std::wstring userName = names.sUserName;
250
        FreeContextBuffer(names.sUserName);
251

252
        return userName;
253
    }
254
};

Best Practices and Security Guidelines#

1. Secure Coding Practices#

1
// Security best practices implementation
2
class SecurityBestPractices {
3
public:
4
    // Secure string comparison (constant time)
5
    static bool SecureStringCompare(const std::vector<BYTE>& a, const std::vector<BYTE>& b) {
6
        if (a.size() != b.size()) return false;
7

8
        volatile BYTE result = 0;
9
        for (size_t i = 0; i < a.size(); i++) {
10
            result |= a[i] ^ b[i];
11
        }
12

13
        return result == 0;
14
    }
15

16
    // Secure memory clearing
17
    static void SecureZeroMemory(void* ptr, size_t size) {
18
        volatile BYTE* vptr = static_cast<volatile BYTE*>(ptr);
19
        for (size_t i = 0; i < size; i++) {
20
            vptr[i] = 0;
21
        }
22
    }
23

24
    // Generate cryptographically secure random bytes
25
    static std::vector<BYTE> GenerateSecureRandom(DWORD length) {
26
        HCRYPTPROV hProv;
27
        if (!CryptAcquireContextW(&hProv, nullptr, nullptr, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
28
            return {};
29
        }
30

31
        std::vector<BYTE> randomBytes(length);
32
        BOOL result = CryptGenRandom(hProv, length, randomBytes.data());
33

34
        CryptReleaseContext(hProv, 0);
35

36
        return result ? randomBytes : std::vector<BYTE>();
37
    }
38

39
    // Validate input for buffer overflow prevention
40
    static bool ValidateBufferSize(size_t inputSize, size_t maxSize) {
41
        return inputSize <= maxSize && inputSize > 0;
42
    }
43

44
    // Secure file operations
45
    static HRESULT SecureDeleteFile(const std::wstring& filePath, DWORD passes = 3) {
46
        HANDLE hFile = CreateFileW(filePath.c_str(), GENERIC_WRITE, 0,
47
                                  nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
48

49
        if (hFile == INVALID_HANDLE_VALUE) {
50
            return HRESULT_FROM_WIN32(GetLastError());
51
        }
52

53
        // Get file size
54
        LARGE_INTEGER fileSize;
55
        if (!GetFileSizeEx(hFile, &fileSize)) {
56
            CloseHandle(hFile);
57
            return HRESULT_FROM_WIN32(GetLastError());
58
        }
59

60
        // Overwrite file multiple times
61
        for (DWORD pass = 0; pass < passes; pass++) {
62
            SetFilePointer(hFile, 0, nullptr, FILE_BEGIN);
63

64
            // Generate random data for overwriting
65
            const DWORD BUFFER_SIZE = 4096;
66
            std::vector<BYTE> randomData = GenerateSecureRandom(BUFFER_SIZE);
67

68
            LARGE_INTEGER remaining = fileSize;
69
            while (remaining.QuadPart > 0) {
70
                DWORD writeSize = static_cast<DWORD>(min(remaining.QuadPart, BUFFER_SIZE));
71
                DWORD written;
72

73
                if (!WriteFile(hFile, randomData.data(), writeSize, &written, nullptr)) {
74
                    CloseHandle(hFile);
75
                    return HRESULT_FROM_WIN32(GetLastError());
76
                }
77

78
                remaining.QuadPart -= written;
79
            }
80

81
            FlushFileBuffers(hFile);
82
        }
83

84
        CloseHandle(hFile);
85

86
        // Delete the file
87
        if (!DeleteFileW(filePath.c_str())) {
88
            return HRESULT_FROM_WIN32(GetLastError());
89
        }
90

91
        return S_OK;
92
    }
93
};
94

95
// Secure memory allocator
96
class SecureAllocator {
97
private:
98
    static std::map<void*, size_t> s_allocations;
99
    static std::mutex s_mutex;
100

101
public:
102
    static void* Allocate(size_t size) {
103
        void* ptr = VirtualAlloc(nullptr, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
104
        if (ptr) {
105
            VirtualLock(ptr, size);
106

107
            std::lock_guard<std::mutex> lock(s_mutex);
108
            s_allocations[ptr] = size;
109
        }
110
        return ptr;
111
    }
112

113
    static void Deallocate(void* ptr) {
114
        if (!ptr) return;
115

116
        size_t size;
117
        {
118
            std::lock_guard<std::mutex> lock(s_mutex);
119
            auto it = s_allocations.find(ptr);
120
            if (it == s_allocations.end()) return;
121

122
            size = it->second;
123
            s_allocations.erase(it);
124
        }
125

126
        // Securely clear memory
127
        SecurityBestPractices::SecureZeroMemory(ptr, size);
128
        VirtualUnlock(ptr, size);
129
        VirtualFree(ptr, 0, MEM_RELEASE);
130
    }
131

132
    template<typename T>
133
    static T* AllocateArray(size_t count) {
134
        return static_cast<T*>(Allocate(count * sizeof(T)));
135
    }
136

137
    template<typename T>
138
    static void DeallocateArray(T* ptr) {
139
        Deallocate(ptr);
140
    }
141
};
142

143
// Initialize static members
144
std::map<void*, size_t> SecureAllocator::s_allocations;
145
std::mutex SecureAllocator::s_mutex;

Conclusion#

Windows security and cryptography programming provides powerful tools for building secure applications with robust encryption, authentication, and data protection capabilities. By mastering CryptoAPI, DPAPI, certificate management, and SSPI authentication, developers can create applications that meet enterprise security requirements and protect sensitive data effectively.

The comprehensive examples in this guide demonstrate production-ready implementations that can be adapted for various security scenarios, from file encryption to secure communications and user authentication. Remember to follow security best practices, validate all inputs, and keep cryptographic libraries updated to maintain the highest security standards.