//*****************************************************************************
//
//??THIS?CODE?AND?INFORMATION?IS?PROVIDED?“AS?IS“?WITHOUT?WARRANTY?OF?ANY?KIND
//??EITHER?EXPRESSED?OR?IMPLIED?INCLUDING?BUT?NOT?LIMITED?TO?THE?IMPLIED
//??WARRANTIES?OF?MERCHANTABILITY?AND/OR?FITNESS?FOR?A?PARTICULAR?PURPOSE.
//
//??isapiCertPolicy?by?Jim?Harkins
//
//??This?sample?code?demonstrates?how?the?Capicom?Certificate?and?Chain?objects
//??can?be?used?to?implement?a?simple?ISAPI?filter?to?enforce?additional
//??restrictions?on?Client?Certificates?used?for?an?SSL?session.
//
//??When?using?SSL?and?Client?Certificates?IIS?supports?Certificate?Trust
//??Lists?to?limit?the?Root?Certificates?used?to?authenticate?Client
//??Certificates.??In?some?applications?it‘s?desirable?to?have?finer?grained
//??control?over?which?Client?Certificates?are?accepted.
//
//??This?ISAPI?filter?uses?capicom?to?simplify?the?implementation?of?the
//??following?additional?Client?Certificate?checks:
//
//??????A?set?of?required?Extended?Key?Usage?OIDs?are?matched?in?the
//??????Client?Certificate.??In?this?example?we?check?for?“Smart?Card
//??????Logon“?but?the?same?technique?can?be?used?to?require?any
//??????EKU.?Following?accepted?practice?for?X.509?certs?if?no?EKUs
//??????are?present?the?certificate?is?assumed?good?for?all?purposes
//??????and?this?check?is?passed.
//
//??????Issuing?Certificate‘s?Thumbprint?matches?an?entry?in?a?short?list
//??????of?accepted?Thumbprints.??This?is?an?effective?and?recommended
//??????way?to?limit?accepted?Client?Certificates?to?a?specific?set?of
//??????Intermediate?issuing?authorities.
//
//??If?no?Client?Certificate?is?available?this?filter?allows?the?connection.
//??A?certificate?should?be?available?when?IIS?is?configured?to?Require?Client
//??Certificates.??But?even?secure?sites?can?allow?some?public?content?for
//??example?a?start?page?containing?information?and?instructions.??In?this?case
//??there?may?be?no?requirement?for?Client?Certificates?or?even?SLL?and?it‘s
//??appropriate?to?bypass?the?additional?checks?this?filter?implements.
//
//??This?structure?and?capicom?make?it?easy?to?implement?additional?checks.
//
//??Copyright?（C）?2002.??Microsoft?Corporation.??All?rights?reserved.
//
//*****************************************************************************

//?ISAPICERTPOLICY.CPP?-?Implementation?file?for?your?Internet?Server
//????isapiCertPolicy?Filter

#include?“stdafx.h“
#include?“isapiCertPolicy.h“
#include?“ErrorTxt.h“

#define?ARRAY_SIZE（a）?（sizeof（a）/sizeof（*（a）））

const?LPWSTR?CAPICOM_SMART_CARD_LOGON_OID_W?=?L“1.3.6.1.4.1.311.20.2.2“;
const?LPWSTR?CORP_HIGH_ASSUR_OID_W?=?L“1.3.6.1.4.1.311.42.2.1“;

const?LPWSTR?MS_INTRA_L2_USER_1_THUMBPRINT?=
????L“15B1691A542A99D7BC3724ABA68FBA7C01B2DEE1“;

const?LPWSTR?MS_INTRA_L2_USER_2_THUMBPRINT?=
????L“FA744DC332740D6BD34A708453B79026BBD92DC4“;

const?LPWSTR?MS_INTRA_L2_USER_3_THUMBPRINT?=
????L“528567A45B2D