Using Secure WinInet

The Win32 Internet APIs, also known as WinInet, are another way of building secure distributed applications without having to deal with SSPI directly. Please refer to the WinInet documentation in the SDK for details. Here we give a simple example that uses Secure HTTP via the WinInet APIs. Currently the security provider interfaced with WinInet is SCHANNEL.DLL, which uses the SSL/PCT authentication protocol. Windows NT 5.0 may allow other security flags to be passed to WinInet that will allow you to develop applications using Kerberos security.

After initializing the WinInet API, you call the InternetConnect API to create a session, and all that is needed to turn on security is the INTERNET_FLAG_SECURE flag. Under the covers, WinInet.Dll talks to SSPI and obtains an authenticated connection using an appropriate provider. At present this is by default the SSL-based Schannel.Dll, but the design can easily be extended to give users a choice of providers by adding flags such as INTERNET_FLAG_SECURITY_SSL or INTERNET_FLAG_SECURITY_KERBEROS.


//
// Create an HTTPS session. Note that this differs from creating a
// normal HTTP session in that the INTERNET_FLAG_SECURE flag is specified.
// hOpen is the session handle returned earlier by InternetOpen, and
// szHostName is the server we intend to reach.
//
hConnect = InternetConnect(
    hOpen,                          // hInternetSession
    szHostName,                     // lpszServerName
    INTERNET_INVALID_PORT_NUMBER,   // nServerPort (use the service's default port)
    "",                             // lpszUsername
    "",                             // lpszPassword
    INTERNET_SERVICE_HTTP,          // dwService
    INTERNET_FLAG_SECURE,           // dwFlags
    0);                             // dwContext
if (hConnect == 0)
{
    ErrorOut(GetLastError(), "InternetConnect");
    return 0;
}

//
// Create an HTTPS request handle. Note that this example specifies two
// security-related flags:
//
// INTERNET_FLAG_SECURE
//  Use the SSL/PCT security protocol.
//
// INTERNET_FLAG_IGNORE_CERT_CN_INVALID
//  During the SSL/PCT handshake phase, the server authenticates itself
//  by presenting a certificate. Within the certificate, the subject's
//  common name field must equal the server's host name. Setting this
//  flag turns off the automatic checking that HttpSendRequest normally
//  does. Instead, this example validates the host name manually.
//  (Actually, this automatic check seems to be broken in the current
//  version of Wininet.dll).
//
hReq = HttpOpenRequest(
    hConnect,                       // hHttpSession
    "GET",                          // lpszVerb
    "",                             // lpszObjectName
    HTTP_VERSION,                   // lpszVersion
    "",                             // lpszReferer
    NULL,                           // lpszAcceptTypes
    INTERNET_FLAG_RELOAD |          // dwFlags
    INTERNET_FLAG_NO_CACHE_WRITE |
    INTERNET_FLAG_SECURE |
    INTERNET_FLAG_IGNORE_CERT_CN_INVALID,
    0);                             // dwContext
if (hReq == 0)
{
    ErrorOut(GetLastError(), "HttpOpenRequest");
    return 0;
}
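The request above passes INTERNET_FLAG_IGNORE_CERT_CN_INVALID, so WinInet no longer checks that the certificate's common name matches the host given to InternetConnect; the sample says it performs that check itself but does not show the code. The block below is an added example of such a check, written here for this page and not part of the original sample or of WinInet. It is portable C so it can be compiled anywhere: it takes the certificate subject as a string (the kind of text you get back in the lpszSubjectInfo member of INTERNET_CERTIFICATE_INFO after calling InternetQueryOption on the request handle with INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT), extracts the CN attribute, and compares it with the intended host name. Two things are assumptions: that the subject attributes are separated by commas or line breaks (the parser accepts either), and that a wildcard CN of the form "*.example.com" should match exactly one extra label. The sample subject strings are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the value of the first "CN=" attribute in a certificate subject
 * string into out. Attributes are assumed (not guaranteed by WinInet)
 * to be separated by commas or by CR/LF line breaks. Returns the number
 * of characters copied, or 0 when the subject carries no CN at all. */
static size_t extract_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = subject;
    while (*p) {
        /* skip separators and whitespace before the next attribute */
        while (*p == ',' || *p == '\r' || *p == '\n' || *p == ' ' || *p == '\t')
            p++;
        if (strncmp(p, "CN=", 3) == 0) {
            size_t n = 0;
            p += 3;
            while (*p && *p != ',' && *p != '\r' && *p != '\n' && n + 1 < outlen)
                out[n++] = *p++;
            while (n > 0 && (out[n - 1] == ' ' || out[n - 1] == '\t'))
                n--;                         /* drop trailing whitespace */
            out[n] = '\0';
            return n;
        }
        /* not the CN: skip this attribute entirely */
        while (*p && *p != ',' && *p != '\r' && *p != '\n')
            p++;
    }
    if (outlen)
        out[0] = '\0';
    return 0;
}

/* Case-insensitive equality of two host names (DNS names are not
 * case sensitive, so "WWW.EXAMPLE.COM" equals "www.example.com"). */
static int host_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does the certificate CN match the host we intended to connect to?
 * Exact match, or a single leading "*." that stands for exactly one
 * label: "*.example.com" matches "www.example.com" but neither
 * "example.com" nor "a.b.example.com". Both host and CN must be
 * non-empty; an empty CN is never accepted. */
int cn_matches_host(const char *cn, const char *host)
{
    if (!cn || !host || !*cn || !*host)
        return 0;
    if (strncmp(cn, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (!dot || dot == host)
            return 0;                        /* host must have a first label */
        if (!strchr(cn + 2, '.'))
            return 0;                        /* refuse "*.com" style wildcards */
        return host_ieq(cn + 1, dot);        /* ".example.com" vs host's suffix */
    }
    return host_ieq(cn, host);
}

/* The check the WinInet sample promises to do by hand: pull the CN out
 * of the subject string and compare it with the intended host. Returns
 * 1 when the request may proceed and 0 when it must be abandoned. */
int subject_matches_host(const char *subject, const char *host)
{
    char cn[256];
    if (extract_cn(subject, cn, sizeof cn) == 0)
        return 0;                            /* no CN: do not trust the server */
    return cn_matches_host(cn, host);
}

int main(void)
{
    /* constructed sample subjects, in the two separator styles accepted */
    const char *good  = "C=US, O=Example Corp, CN=www.example.com";
    const char *wild  = "CN=*.example.com\r\nO=Example Corp";
    const char *no_cn = "O=Example Corp, OU=Web";
    printf("%d\n", subject_matches_host(good, "WWW.EXAMPLE.COM"));         /* 1 */
    printf("%d\n", subject_matches_host(wild, "api.example.com"));         /* 1 */
    printf("%d\n", subject_matches_host(wild, "example.com"));             /* 0 */
    printf("%d\n", subject_matches_host(no_cn, "www.example.com"));        /* 0 */
    printf("%d\n", subject_matches_host(good, "www.example.com.evil.test")); /* 0 */
    return 0;
}
```

In a real client the result of subject_matches_host decides whether HttpSendRequest is ever called: a mismatch means the handle is closed without sending anything, since by then the TLS session is already established and only the application's own check stands between it and a server presenting someone else's certificate. If WinInet's built-in check works in your environment, leaving INTERNET_FLAG_IGNORE_CERT_CN_INVALID out is the simpler and safer choice.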