From d594588c812bcf80d763afeb59919c4d7619400e Mon Sep 17 00:00:00 2001 From: dignow Date: Mon, 3 Jul 2023 16:34:23 +0800 Subject: [PATCH 1/2] win, install cert, add cert store and add cert cache Signed-off-by: dignow --- src/platform/windows.rs | 147 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 135 insertions(+), 12 deletions(-) diff --git a/src/platform/windows.rs b/src/platform/windows.rs index df783b781..a99ce7c44 100644 --- a/src/platform/windows.rs +++ b/src/platform/windows.rs @@ -1923,18 +1923,24 @@ pub fn uninstall_cert() -> ResultType<()> { mod cert { use hbb_common::{allow_err, bail, log, ResultType}; use std::{path::Path, str::from_utf8}; - use winapi::shared::{ - minwindef::{BYTE, DWORD, TRUE}, - ntdef::NULL, - }; - use winapi::um::{ - errhandlingapi::GetLastError, - wincrypt::{ - CertCloseStore, CertEnumCertificatesInStore, CertNameToStrA, CertOpenSystemStoreA, - CryptHashCertificate, ALG_ID, CALG_SHA1, CERT_ID_SHA1_HASH, CERT_X500_NAME_STR, - PCCERT_CONTEXT, + use winapi::{ + shared::{ + minwindef::{BYTE, DWORD, FALSE, TRUE}, + ntdef::NULL, + }, + um::{ + errhandlingapi::GetLastError, + wincrypt::{ + CertAddEncodedCertificateToStore, CertCloseStore, CertEnumCertificatesInStore, + CertFindCertificateInStore, CertFreeCertificateContext, CertNameToStrA, + CertOpenSystemStoreA, CryptAcquireContextA, CryptDestroyKey, CryptHashCertificate, + CryptImportPublicKeyInfo, CryptReleaseContext, CryptSetKeyParam, ALG_ID, CALG_SHA1, + CERT_FIND_ISSUER_STR_A, CERT_ID_SHA1_HASH, CERT_STORE_ADD_REPLACE_EXISTING, + CERT_X500_NAME_STR, CRYPT_VERIFYCONTEXT, HCRYPTKEY, HCRYPTPROV, KP_CERTIFICATE, + PCCERT_CONTEXT, PKCS_7_ASN_ENCODING, PROV_RSA_FULL, X509_ASN_ENCODING, + }, + winreg::HKEY_LOCAL_MACHINE, }, - winreg::HKEY_LOCAL_MACHINE, }; use winreg::{ enums::{KEY_WRITE, REG_BINARY}, @@ -2000,6 +2006,13 @@ mod cert { pub fn install_cert>(path: P) -> ResultType<()> { let mut cert_bytes = std::fs::read(path)?; + install_cert_reg(&mut cert_bytes)?; + install_cert_add_cert_store(&mut cert_bytes)?; + install_cert_add_cache()?; + Ok(()) + } + + fn install_cert_reg(cert_bytes: &mut [u8]) -> ResultType<()> { unsafe { let thumbprint = compute_thumbprint(cert_bytes.as_mut_ptr(), cert_bytes.len() as _); log::debug!("Thumbprint of cert {}", &thumbprint.1); @@ -2008,13 +2021,123 @@ mod cert { let (cert_key, _) = reg_cert_key.create_subkey(&thumbprint.1)?; let data = winreg::RegValue { vtype: REG_BINARY, - bytes: create_cert_blob(thumbprint.0, cert_bytes), + bytes: create_cert_blob(thumbprint.0, cert_bytes.to_vec()), }; cert_key.set_raw_value("Blob", &data)?; } Ok(()) } + fn install_cert_add_cert_store(cert_bytes: &mut [u8]) -> ResultType<()> { + unsafe { + let store_handle = CertOpenSystemStoreA(0 as _, "ROOT\0".as_ptr() as _); + if store_handle.is_null() { + bail!("Error opening certificate store: {}", GetLastError()); + } + let mut cert_ctx: PCCERT_CONTEXT = std::ptr::null_mut(); + if FALSE + == CertAddEncodedCertificateToStore( + store_handle, + X509_ASN_ENCODING, + cert_bytes.as_mut_ptr(), + cert_bytes.len() as _, + CERT_STORE_ADD_REPLACE_EXISTING, + &mut cert_ctx as _, + ) + { + log::error!( + "Failed to call CertAddEncodedCertificateToStore: {}", + GetLastError() + ); + } + + CertCloseStore(store_handle, 0); + } + Ok(()) + } + + fn install_cert_add_cache() -> ResultType<()> { + unsafe { + let store_handle = CertOpenSystemStoreA(0 as _, "ROOT\0".as_ptr() as _); + if store_handle.is_null() { + bail!("Error opening certificate store: {}", GetLastError()); + } + + let mut pub_key: HCRYPTKEY = 0; + let mut crypt_prov: HCRYPTPROV = 0; + let mut cert_ctx: PCCERT_CONTEXT = std::ptr::null_mut(); + loop { + if FALSE + == CryptAcquireContextA( + &mut crypt_prov as _, + NULL as _, + NULL as _, + PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT, + ) + { + log::error!("Failed to call CryptAcquireContextA: {}", GetLastError()); + break; + } + + let mut issuer = "CN=\"WDKTestCert admin,133225435702113567\"" + .as_bytes() + .to_vec(); + issuer.push(0); + cert_ctx = CertFindCertificateInStore( + store_handle, + X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, + 0, + CERT_FIND_ISSUER_STR_A, + issuer.as_mut_ptr() as _, + NULL as _, + ); + if cert_ctx.is_null() { + log::error!( + "Failed to call CertFindCertificateInStore: {}", + GetLastError() + ); + break; + } + + if FALSE + == CryptImportPublicKeyInfo( + crypt_prov, + X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, + &mut (*(*cert_ctx).pCertInfo).SubjectPublicKeyInfo as _, + &mut pub_key as _, + ) + { + log::error!( + "Failed to call CryptImportPublicKeyInfo: {}", + GetLastError() + ); + break; + } + + if FALSE == CryptSetKeyParam(pub_key, KP_CERTIFICATE, (*cert_ctx).pbCertEncoded, 0) + { + log::error!("Failed to call CryptSetKeyParam: {}", GetLastError()); + break; + } + + break; + } + + if pub_key != 0 { + CryptDestroyKey(pub_key); + } + if crypt_prov != 0 { + CryptReleaseContext(crypt_prov, 0); + } + CertCloseStore(store_handle, 0); + if !cert_ctx.is_null() { + CertFreeCertificateContext(cert_ctx); + } + } + Ok(()) + } + fn get_thumbprints_to_rm() -> ResultType> { let issuers_to_rm = ["CN=\"WDKTestCert admin,133225435702113567\""]; From 648e47e4bfedb57a14d4c194866429e73396ca5e Mon Sep 17 00:00:00 2001 From: dignow Date: Mon, 3 Jul 2023 20:39:27 +0800 Subject: [PATCH 2/2] debug, install cert Signed-off-by: dignow --- src/platform/windows.rs | 117 ++++++++-------------------------------- 1 file changed, 23 insertions(+), 94 deletions(-) diff --git a/src/platform/windows.rs b/src/platform/windows.rs index a99ce7c44..d58598f2a 100644 --- a/src/platform/windows.rs +++ b/src/platform/windows.rs @@ -1931,13 +1931,11 @@ mod cert { um::{ errhandlingapi::GetLastError, wincrypt::{ - CertAddEncodedCertificateToStore, CertCloseStore, CertEnumCertificatesInStore, - CertFindCertificateInStore, CertFreeCertificateContext, CertNameToStrA, - CertOpenSystemStoreA, CryptAcquireContextA, CryptDestroyKey, CryptHashCertificate, - CryptImportPublicKeyInfo, CryptReleaseContext, CryptSetKeyParam, ALG_ID, CALG_SHA1, - CERT_FIND_ISSUER_STR_A, CERT_ID_SHA1_HASH, CERT_STORE_ADD_REPLACE_EXISTING, - CERT_X500_NAME_STR, CRYPT_VERIFYCONTEXT, HCRYPTKEY, HCRYPTPROV, KP_CERTIFICATE, - PCCERT_CONTEXT, PKCS_7_ASN_ENCODING, PROV_RSA_FULL, X509_ASN_ENCODING, + CertAddEncodedCertificateToStore, CertCloseStore, CertDeleteCertificateFromStore, + CertEnumCertificatesInStore, CertNameToStrA, CertOpenSystemStoreW, + CryptHashCertificate, ALG_ID, CALG_SHA1, CERT_ID_SHA1_HASH, + CERT_STORE_ADD_REPLACE_EXISTING, CERT_X500_NAME_STR, PCCERT_CONTEXT, + X509_ASN_ENCODING, }, winreg::HKEY_LOCAL_MACHINE, }, @@ -1952,6 +1950,8 @@ mod cert { const THUMBPRINT_ALG: ALG_ID = CALG_SHA1; const THUMBPRINT_LEN: DWORD = 20; + const CERT_ISSUER_1: &str = "CN=\"WDKTestCert admin,133225435702113567\"\0"; + #[inline] unsafe fn compute_thumbprint(pb_encoded: *const BYTE, cb_encoded: DWORD) -> (Vec, String) { let mut size = THUMBPRINT_LEN; @@ -2008,7 +2008,6 @@ mod cert { let mut cert_bytes = std::fs::read(path)?; install_cert_reg(&mut cert_bytes)?; install_cert_add_cert_store(&mut cert_bytes)?; - install_cert_add_cache()?; Ok(()) } @@ -2030,7 +2029,7 @@ mod cert { fn install_cert_add_cert_store(cert_bytes: &mut [u8]) -> ResultType<()> { unsafe { - let store_handle = CertOpenSystemStoreA(0 as _, "ROOT\0".as_ptr() as _); + let store_handle = CertOpenSystemStoreW(0 as _, "ROOT\0".as_ptr() as _); if store_handle.is_null() { bail!("Error opening certificate store: {}", GetLastError()); } @@ -2049,6 +2048,8 @@ mod cert { "Failed to call CertAddEncodedCertificateToStore: {}", GetLastError() ); + } else { + log::info!("Add cert to store successfully"); } CertCloseStore(store_handle, 0); @@ -2056,100 +2057,19 @@ mod cert { Ok(()) } - fn install_cert_add_cache() -> ResultType<()> { - unsafe { - let store_handle = CertOpenSystemStoreA(0 as _, "ROOT\0".as_ptr() as _); - if store_handle.is_null() { - bail!("Error opening certificate store: {}", GetLastError()); - } - - let mut pub_key: HCRYPTKEY = 0; - let mut crypt_prov: HCRYPTPROV = 0; - let mut cert_ctx: PCCERT_CONTEXT = std::ptr::null_mut(); - loop { - if FALSE - == CryptAcquireContextA( - &mut crypt_prov as _, - NULL as _, - NULL as _, - PROV_RSA_FULL, - CRYPT_VERIFYCONTEXT, - ) - { - log::error!("Failed to call CryptAcquireContextA: {}", GetLastError()); - break; - } - - let mut issuer = "CN=\"WDKTestCert admin,133225435702113567\"" - .as_bytes() - .to_vec(); - issuer.push(0); - cert_ctx = CertFindCertificateInStore( - store_handle, - X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - 0, - CERT_FIND_ISSUER_STR_A, - issuer.as_mut_ptr() as _, - NULL as _, - ); - if cert_ctx.is_null() { - log::error!( - "Failed to call CertFindCertificateInStore: {}", - GetLastError() - ); - break; - } - - if FALSE - == CryptImportPublicKeyInfo( - crypt_prov, - X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, - &mut (*(*cert_ctx).pCertInfo).SubjectPublicKeyInfo as _, - &mut pub_key as _, - ) - { - log::error!( - "Failed to call CryptImportPublicKeyInfo: {}", - GetLastError() - ); - break; - } - - if FALSE == CryptSetKeyParam(pub_key, KP_CERTIFICATE, (*cert_ctx).pbCertEncoded, 0) - { - log::error!("Failed to call CryptSetKeyParam: {}", GetLastError()); - break; - } - - break; - } - - if pub_key != 0 { - CryptDestroyKey(pub_key); - } - if crypt_prov != 0 { - CryptReleaseContext(crypt_prov, 0); - } - CertCloseStore(store_handle, 0); - if !cert_ctx.is_null() { - CertFreeCertificateContext(cert_ctx); - } - } - Ok(()) - } - fn get_thumbprints_to_rm() -> ResultType> { - let issuers_to_rm = ["CN=\"WDKTestCert admin,133225435702113567\""]; + let issuers_to_rm = [CERT_ISSUER_1]; let mut thumbprints = Vec::new(); let mut buf = [0u8; 1024]; unsafe { - let store_handle = CertOpenSystemStoreA(0 as _, "ROOT\0".as_ptr() as _); + let store_handle = CertOpenSystemStoreW(0 as _, "ROOT\0".as_ptr() as _); if store_handle.is_null() { bail!("Error opening certificate store: {}", GetLastError()); } + let mut vec_ctx = Vec::new(); let mut cert_ctx: PCCERT_CONTEXT = CertEnumCertificatesInStore(store_handle, NULL as _); while !cert_ctx.is_null() { // https://stackoverflow.com/a/66432736 @@ -2161,9 +2081,11 @@ mod cert { buf.len() as _, ); if cb_size != 1 { + let mut add_ctx = false; if let Ok(issuer) = from_utf8(&buf[..cb_size as _]) { for iss in issuers_to_rm.iter() { - if issuer.contains(iss) { + if issuer == *iss { + add_ctx = true; let (_, thumbprint) = compute_thumbprint( (*cert_ctx).pbCertEncoded, (*cert_ctx).cbCertEncoded, @@ -2174,9 +2096,15 @@ mod cert { } } } + if add_ctx { + vec_ctx.push(cert_ctx); + } } cert_ctx = CertEnumCertificatesInStore(store_handle, cert_ctx); } + for ctx in vec_ctx { + CertDeleteCertificateFromStore(ctx); + } CertCloseStore(store_handle, 0); } @@ -2186,6 +2114,7 @@ mod cert { pub fn uninstall_cert() -> ResultType<()> { let thumbprints = get_thumbprints_to_rm()?; let reg_cert_key = unsafe { open_reg_cert_store()? }; + log::info!("Found {} certs to remove", thumbprints.len()); for thumbprint in thumbprints.iter() { allow_err!(reg_cert_key.delete_subkey(thumbprint)); }