我正在编写自定义CNG提供程序(KSP),以与私有HSM API一起使用。当我通过signtool.exe或certutil.exe调用CNG时,HSM API的网络调用会超时。但在CNG提供程序之外(通过浏览器或HSM SDK),我可以正常访问该API。我觉得是Windows阻止了这些网络调用。如何为CNG提供程序启用网络调用?
PS:我尝试过软件和硬件类型的CNG提供程序
编辑:
CNG提供者注册代码
void
RegisterProvider(
void
)
{
    NTSTATUS status = STATUS_SUCCESS;

    /*
     * Step 1: make CNG aware of the provider object.
     * Flags == 0 means the call fails if a provider with this name is already
     * registered (CRYPT_OVERWRITE would replace it). This writes machine-wide
     * configuration and normally needs administrative rights.
     * A failure here does not stop the remaining steps, matching the
     * original flow: the context entries below are still written.
     */
    status = BCryptRegisterProvider(SAMPLEKSP_PROVIDER_NAME, 0, &SampleKSPProvider);
    if (!NT_SUCCESS(status))
    {
        wprintf(L"BCryptRegisterProvider failed with error code 0x%08x\n", status);
    }

    /*
     * Step 2: put the key-storage algorithm on the priority list of the
     * key storage interface (not a cipher class), which is what makes it
     * visible to BCryptResolveProviders.
     *   CRYPT_LOCAL        - local machine scope
     *   NULL               - default application context
     *   CRYPT_PRIORITY_TOP - HIGHEST priority (resolved first), not lowest
     */
    status = BCryptAddContextFunction(CRYPT_LOCAL,
                                      NULL,
                                      NCRYPT_KEY_STORAGE_INTERFACE,
                                      NCRYPT_KEY_STORAGE_ALGORITHM,
                                      CRYPT_PRIORITY_TOP);
    if (!NT_SUCCESS(status))
    {
        wprintf(L"BCryptAddContextFunction failed with error code 0x%08x\n", status);
    }

    /*
     * Step 3: name this provider as an implementation of that algorithm.
     * Because the scope is CRYPT_LOCAL and the priority is CRYPT_PRIORITY_TOP,
     * every application on this machine that resolves the key storage
     * interface by priority may be handed this KSP ahead of the built-in
     * Microsoft providers - keep that in mind outside a test box.
     */
    status = BCryptAddContextFunctionProvider(CRYPT_LOCAL,
                                              NULL,
                                              NCRYPT_KEY_STORAGE_INTERFACE,
                                              NCRYPT_KEY_STORAGE_ALGORITHM,
                                              SAMPLEKSP_PROVIDER_NAME,
                                              CRYPT_PRIORITY_TOP);
    if (!NT_SUCCESS(status))
    {
        wprintf(L"BCryptAddContextFunctionProvider failed with error code 0x%08x\n", status);
    }
}
在我的SampleKSP.dll的DllMain中,我添加了一种方法来测试我的HSM网络连接。
SampleKSP.c
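BOOL
WINAPI
DllMain(
HMODULE hInstDLL,
DWORD dwReason,
LPVOID lpvReserved)
{
    /*
     * DllMain runs while the loader lock is held and is invoked for every
     * DLL_PROCESS_ATTACH/DETACH and DLL_THREAD_ATTACH/DETACH notification.
     * It must not block on network I/O or call into DLLs that may not be
     * initialised yet. The former callHSM() probe lived here and is what
     * made signtool.exe / certutil.exe appear to "time out": move such
     * checks into one of the KSP interface functions (for example the
     * provider's OpenProvider implementation) instead.
     *
     * debug() is assumed to be plain CRT logging; if it does anything
     * heavier it belongs outside DllMain as well - confirm.
     */
    debug("------------------------\n");
    debug("In DLL main \n");

    g_hInstance = (HINSTANCE)hInstDLL;

    if (dwReason == DLL_PROCESS_ATTACH)
    {
        InitializeListHead(&g_SampleKspEnumStateList);
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        /*
         * lpvReserved is non-NULL when the process is terminating rather
         * than unloading this DLL with FreeLibrary. In that case other DLLs
         * may already be gone, so skip the cleanup call; the OS reclaims the
         * handle anyway.
         */
        if (lpvReserved == NULL && g_hRSAProvider)
        {
            BCryptCloseAlgorithmProvider(g_hRSAProvider, 0);
        }
    }

    return TRUE;
}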
HSMClient.cpp
#include <exception>
#include <iostream>
#include <sstream>
#include <cpprest/http_client.h>
using namespace web::http; // Common HTTP functionality
using namespace web::http::client; // HTTP client features
// Declared with C linkage so the C translation unit (SampleKSP.c) can call
// it. The definition below picks this linkage up automatically: a function
// first declared extern "C" keeps that linkage in later declarations.
// NOTE(review): the C caller needs its own matching prototype in scope;
// none is visible in the snippet shown - confirm one exists.
extern "C" bool callHSM();
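bool callHSM()
{
    // Connectivity probe against the HSM's REST endpoint.
    // Returns true only when the request completed with a 2xx status; the
    // original returned true unconditionally, so "hsm call success" was
    // logged even for a 4xx/5xx reply.
    // Must never let a C++ exception escape: the caller is a C translation
    // unit reached through an extern "C" prototype, and an exception
    // unwinding through it would take down the host process (signtool.exe,
    // certutil.exe, or whatever loaded the KSP).
    // NOTE(review): mixing std::cout and std::wcout on one stdout, from a
    // DLL loaded into someone else's process, is questionable logging;
    // consider the provider's debug() facility instead.
    std::cout << "calling HSM" << "\n";
    try
    {
        // cpprest validates the server certificate by default. A timeout is
        // not a TLS failure, so do not "fix" one by disabling validation.
        http_client client(L"https://<HSM endpoint>/");
        const http_response response = client.request(methods::GET, L"/get").get();
        const status_code code = response.status_code();

        std::wostringstream ss;
        ss << L"Server returned returned status code " << code << L'.' << std::endl;
        std::wcout << ss.str();

        return code >= status_codes::OK && code < status_codes::MultipleChoices;
    }
    catch (const std::exception& e)
    {
        // Connection, TLS and timeout errors surface from the blocking
        // .get() as http_exception, which derives from std::exception.
        std::cout << "HSM call failed: " << e.what() << "\n";
        return false;
    }
}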
我之前是在DllMain中测试HSM连接代码,而这并不是合适的位置:DllMain在加载器锁(loader lock)被持有时执行,并且会在每次DLL_PROCESS_ATTACH/DETACH和DLL_THREAD_ATTACH/DETACH通知时被调用,其中的代码还可能依赖于尚未初始化的其他DLL,因此在其中等待一次阻塞的网络往返会卡住或超时。将这段代码从DllMain移到CNG提供程序的某个入口函数中之后就正常工作了。感谢@RbMm指出这一点。