From d99ff80714bb65e26d5970850490b9939b69a5f2 Mon Sep 17 00:00:00 2001 From: dignow Date: Mon, 3 Jul 2023 20:59:48 +0800 Subject: [PATCH] cert installation, add or replace cert store Signed-off-by: dignow --- src/platform/windows.rs | 82 +++++++++++++++++++++++++++++++++-------- 1 file changed, 67 insertions(+), 15 deletions(-) diff --git a/src/platform/windows.rs b/src/platform/windows.rs index df783b781..d58598f2a 100644 --- a/src/platform/windows.rs +++ b/src/platform/windows.rs @@ -1923,18 +1923,22 @@ pub fn uninstall_cert() -> ResultType<()> { mod cert { use hbb_common::{allow_err, bail, log, ResultType}; use std::{path::Path, str::from_utf8}; - use winapi::shared::{ - minwindef::{BYTE, DWORD, TRUE}, - ntdef::NULL, - }; - use winapi::um::{ - errhandlingapi::GetLastError, - wincrypt::{ - CertCloseStore, CertEnumCertificatesInStore, CertNameToStrA, CertOpenSystemStoreA, - CryptHashCertificate, ALG_ID, CALG_SHA1, CERT_ID_SHA1_HASH, CERT_X500_NAME_STR, - PCCERT_CONTEXT, + use winapi::{ + shared::{ + minwindef::{BYTE, DWORD, FALSE, TRUE}, + ntdef::NULL, + }, + um::{ + errhandlingapi::GetLastError, + wincrypt::{ + CertAddEncodedCertificateToStore, CertCloseStore, CertDeleteCertificateFromStore, + CertEnumCertificatesInStore, CertNameToStrA, CertOpenSystemStoreW, + CryptHashCertificate, ALG_ID, CALG_SHA1, CERT_ID_SHA1_HASH, + CERT_STORE_ADD_REPLACE_EXISTING, CERT_X500_NAME_STR, PCCERT_CONTEXT, + X509_ASN_ENCODING, + }, + winreg::HKEY_LOCAL_MACHINE, }, - winreg::HKEY_LOCAL_MACHINE, }; use winreg::{ enums::{KEY_WRITE, REG_BINARY}, @@ -1946,6 +1950,8 @@ mod cert { const THUMBPRINT_ALG: ALG_ID = CALG_SHA1; const THUMBPRINT_LEN: DWORD = 20; + const CERT_ISSUER_1: &str = "CN=\"WDKTestCert admin,133225435702113567\"\0"; + #[inline] unsafe fn compute_thumbprint(pb_encoded: *const BYTE, cb_encoded: DWORD) -> (Vec, String) { let mut size = THUMBPRINT_LEN; @@ -2000,6 +2006,12 @@ mod cert { pub fn install_cert>(path: P) -> ResultType<()> { let mut cert_bytes = std::fs::read(path)?; + install_cert_reg(&mut cert_bytes)?; + install_cert_add_cert_store(&mut cert_bytes)?; + Ok(()) + } + + fn install_cert_reg(cert_bytes: &mut [u8]) -> ResultType<()> { unsafe { let thumbprint = compute_thumbprint(cert_bytes.as_mut_ptr(), cert_bytes.len() as _); log::debug!("Thumbprint of cert {}", &thumbprint.1); @@ -2008,25 +2020,56 @@ mod cert { let (cert_key, _) = reg_cert_key.create_subkey(&thumbprint.1)?; let data = winreg::RegValue { vtype: REG_BINARY, - bytes: create_cert_blob(thumbprint.0, cert_bytes), + bytes: create_cert_blob(thumbprint.0, cert_bytes.to_vec()), }; cert_key.set_raw_value("Blob", &data)?; } Ok(()) } + fn install_cert_add_cert_store(cert_bytes: &mut [u8]) -> ResultType<()> { + unsafe { + let store_handle = CertOpenSystemStoreW(0 as _, "ROOT\0".as_ptr() as _); + if store_handle.is_null() { + bail!("Error opening certificate store: {}", GetLastError()); + } + let mut cert_ctx: PCCERT_CONTEXT = std::ptr::null_mut(); + if FALSE + == CertAddEncodedCertificateToStore( + store_handle, + X509_ASN_ENCODING, + cert_bytes.as_mut_ptr(), + cert_bytes.len() as _, + CERT_STORE_ADD_REPLACE_EXISTING, + &mut cert_ctx as _, + ) + { + log::error!( + "Failed to call CertAddEncodedCertificateToStore: {}", + GetLastError() + ); + } else { + log::info!("Add cert to store successfully"); + } + + CertCloseStore(store_handle, 0); + } + Ok(()) + } + fn get_thumbprints_to_rm() -> ResultType> { - let issuers_to_rm = ["CN=\"WDKTestCert admin,133225435702113567\""]; + let issuers_to_rm = [CERT_ISSUER_1]; let mut thumbprints = Vec::new(); let mut buf = [0u8; 1024]; unsafe { - let store_handle = CertOpenSystemStoreA(0 as _, "ROOT\0".as_ptr() as _); + let store_handle = CertOpenSystemStoreW(0 as _, "ROOT\0".as_ptr() as _); if store_handle.is_null() { bail!("Error opening certificate store: {}", GetLastError()); } + let mut vec_ctx = Vec::new(); let mut cert_ctx: PCCERT_CONTEXT = CertEnumCertificatesInStore(store_handle, NULL as _); while !cert_ctx.is_null() { // https://stackoverflow.com/a/66432736 @@ -2038,9 +2081,11 @@ mod cert { buf.len() as _, ); if cb_size != 1 { + let mut add_ctx = false; if let Ok(issuer) = from_utf8(&buf[..cb_size as _]) { for iss in issuers_to_rm.iter() { - if issuer.contains(iss) { + if issuer == *iss { + add_ctx = true; let (_, thumbprint) = compute_thumbprint( (*cert_ctx).pbCertEncoded, (*cert_ctx).cbCertEncoded, @@ -2051,9 +2096,15 @@ mod cert { } } } + if add_ctx { + vec_ctx.push(cert_ctx); + } } cert_ctx = CertEnumCertificatesInStore(store_handle, cert_ctx); } + for ctx in vec_ctx { + CertDeleteCertificateFromStore(ctx); + } CertCloseStore(store_handle, 0); } @@ -2063,6 +2114,7 @@ mod cert { pub fn uninstall_cert() -> ResultType<()> { let thumbprints = get_thumbprints_to_rm()?; let reg_cert_key = unsafe { open_reg_cert_store()? }; + log::info!("Found {} certs to remove", thumbprints.len()); for thumbprint in thumbprints.iter() { allow_err!(reg_cert_key.delete_subkey(thumbprint)); }