-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathtruststore_windows.go
139 lines (128 loc) · 4.56 KB
/
truststore_windows.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
package cert
import (
"crypto/x509"
"encoding/pem"
"io/ioutil"
"math/big"
"os"
"syscall"
"unsafe"
"github.com/pkg/errors"
)
var (
FirefoxProfiles = []string{os.Getenv("USERPROFILE") + "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles"}
CertutilInstallHelp = "" // certutil unsupported on Windows
NSSBrowsers = "Firefox"
)
var (
modcrypt32 = syscall.NewLazyDLL("crypt32.dll")
procCertAddEncodedCertificateToStore = modcrypt32.NewProc("CertAddEncodedCertificateToStore")
procCertCloseStore = modcrypt32.NewProc("CertCloseStore")
procCertDeleteCertificateFromStore = modcrypt32.NewProc("CertDeleteCertificateFromStore")
procCertDuplicateCertificateContext = modcrypt32.NewProc("CertDuplicateCertificateContext")
procCertEnumCertificatesInStore = modcrypt32.NewProc("CertEnumCertificatesInStore")
procCertOpenSystemStoreW = modcrypt32.NewProc("CertOpenSystemStoreW")
)
func (ca *CA) installPlatform() error {
// Load cert
cert, err := ioutil.ReadFile(ca.rootpath)
if err != nil {
return errors.Wrap(err, "failed to read root certificate")
}
// Decode PEM
if certBlock, _ := pem.Decode(cert); certBlock == nil || certBlock.Type != "CERTIFICATE" {
return errors.New("Invalid PEM data")
} else {
cert = certBlock.Bytes
}
// Open root store
store, err := openWindowsRootStore()
if err != nil {
return errors.Wrap(err, "open root store")
}
defer store.close()
// Add cert
if err := store.addCert(cert); err != nil {
return errors.Wrap(err, "add cert")
}
return nil
}
func (ca *CA) uninstallPlatform() error {
// We'll just remove all certs with the same serial number
// Open root store
store, err := openWindowsRootStore()
if err != nil {
return errors.Wrap(err, "open root store")
}
defer store.close()
// Do the deletion
deletedAny, err := store.deleteCertsWithSerial(ca.cert.SerialNumber)
if err == nil && !deletedAny {
err = errors.New("No certs found")
}
if err != nil {
return errors.Wrap(err, "delete cert")
}
return nil
}
type windowsRootStore uintptr
func openWindowsRootStore() (windowsRootStore, error) {
store, _, err := procCertOpenSystemStoreW.Call(0, uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("ROOT"))))
if store != 0 {
return windowsRootStore(store), nil
}
return 0, errors.Wrap(err, "failed to open windows root store")
}
func (w windowsRootStore) close() error {
ret, _, err := procCertCloseStore.Call(uintptr(w), 0)
if ret != 0 {
return nil
}
return errors.Wrap(err, "failed to close windows root store")
}
func (w windowsRootStore) addCert(cert []byte) error {
// TODO: ok to always overwrite?
ret, _, err := procCertAddEncodedCertificateToStore.Call(
uintptr(w), // HCERTSTORE hCertStore
uintptr(syscall.X509_ASN_ENCODING|syscall.PKCS_7_ASN_ENCODING), // DWORD dwCertEncodingType
uintptr(unsafe.Pointer(&cert[0])), // const BYTE *pbCertEncoded
uintptr(len(cert)), // DWORD cbCertEncoded
3, // DWORD dwAddDisposition (CERT_STORE_ADD_REPLACE_EXISTING is 3)
0, // PCCERT_CONTEXT *ppCertContext
)
if ret != 0 {
return nil
}
return errors.Wrap(err, "failed adding cert")
}
func (w windowsRootStore) deleteCertsWithSerial(serial *big.Int) (bool, error) {
// Go over each, deleting the ones we find
var cert *syscall.CertContext
deletedAny := false
for {
// Next enum
certPtr, _, err := procCertEnumCertificatesInStore.Call(uintptr(w), uintptr(unsafe.Pointer(cert)))
if cert = (*syscall.CertContext)(unsafe.Pointer(certPtr)); cert == nil {
if errno, ok := err.(syscall.Errno); ok && errno == 0x80092004 {
break
}
return deletedAny, errors.Wrap(err, "failed enumerating certs")
}
// Parse cert
certBytes := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:cert.Length]
parsedCert, err := x509.ParseCertificate(certBytes)
// We'll just ignore parse failures for now
if err == nil && parsedCert.SerialNumber != nil && parsedCert.SerialNumber.Cmp(serial) == 0 {
// Duplicate the context so it doesn't stop the enum when we delete it
dupCertPtr, _, err := procCertDuplicateCertificateContext.Call(uintptr(unsafe.Pointer(cert)))
if dupCertPtr == 0 {
return deletedAny, errors.Wrap(err, "failed duplicating context")
}
if ret, _, err := procCertDeleteCertificateFromStore.Call(dupCertPtr); ret == 0 {
return deletedAny, errors.Wrap(err, "failed deleting certificate")
}
deletedAny = true
}
}
return deletedAny, nil
}