win32-certstore 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3f88b178dce120110256036f506c0643650a851f
+  data.tar.gz: 26e4d3283456a4e3f4297b5d076df2e1a2f677d5
+SHA512:
+  metadata.gz: 2768217e40d97a78ca9c0f393ac1afe154e14f833a7f549fcb7b478ffab5666a2c051df349bbceb9ce32810863d1a366760f4b397097c2a5b9ee52fb1bf7a9f4
+  data.tar.gz: 853495d9d5334d56b268fa34d9b3b4c9e5afa3bf913f7b817b67aec6e5c40516ff17b4060ec63da94eec7f97ffc6dc253006a6596f86d57acb88342fa2d605f2

data/README.md

@@ -0,0 +1,225 @@
+# win32-certstore
+Ruby library for accessing the certificate store on Microsoft Windows:
+
+## Subcommands
+
+This library provides the following features.
+
+### Open certificate store
+
+Any valid certificate store can be opened in two ways:
+
+```
+Win32::Certstore.open("Root") do |store|
+    //your code should be here!
+end
+```
+
+or 
+
+```
+store = Win32::Certstore.open("Root")
+```
+
+### Add certificate
+
+This method adds a new certificate to an open certificate store.
+
+```
+Input   - Certificate Object (OpenSSL::X509)
+Return  - True/False
+```
+
+**Notes: The certificate must be passed as an `OpenSSL::X509` object.**
+
+```
+raw = File.read "C:\GlobalSignRootCA.pem"
+certificate_object = OpenSSL::X509::Certificate.new raw
+
+Win32::Certstore.open('Root') do |store|
+  store.add(certificate_object)
+end
+```
+
+or
+
+```
+raw = File.read "C:\GlobalSignRootCA.pem" 
+certificate_object = OpenSSL::X509::Certificate.new raw
+
+store = Win32::Certstore.open('Root')
+store.add(certificate_object)
+store.close
+```
+
+### Get certificate
+
+Gets a certificate from an open certificate store and returns it as an `OpenSSL::X509` object.
+
+```
+Input   - Certificate thumbprint
+Return  - Certificate Object (OpenSSL::X509)
+```
+
+```
+Win32::Certstore.open("Root") do |store|
+    store.get(certificate_thumbprint)
+end
+```
+
+or
+
+```
+store = Win32::Certstore.open("Root")
+store.get(certificate_thumbprint)
+store.close
+```
+
+### List certificates
+
+Lists all certificates in a certificate store.
+
+```
+Input   - NA
+Return  - Certificate List in JSON format.
+```
+
+```
+Win32::Certstore.open("Root") do |store|
+    store.list
+end
+```
+
+or
+
+```
+store = Win32::Certstore.open("Root")
+store.list
+store.close
+```
+
+### Delete certificate
+
+Deletes a certificate from a certificate store.
+
+```
+Input   - Certificate thumbprint
+Return  - True/False 
+```
+
+```
+Win32::Certstore.open("Root") do |store|
+    store.delete(certificate_thumbprint)
+end
+```
+
+or
+
+```
+store = Win32::Certstore.open("Root")
+store.delete(certificate_thumbprint)
+store.close
+```
+
+### Search certificate
+
+Searches for a certificate in an open certificate store.
+
+```
+Input   - Search Token as: Comman name, Friendly name, RDN and other attributes
+Return  - Matching certificate list 
+```
+
+```
+Win32::Certstore.open("Root") do |store|
+    store.search(search_token)
+end
+```
+
+or
+
+```
+store = Win32::Certstore.open("Root")
+store.search(search_token)
+store.close
+```
+
+### Validate certificate
+
+Validates a certificate in a certificate store on the basis of time validity.
+
+```
+Input   - Certificate thumbprint
+Return  - True/False 
+
+```
+
+```
+Win32::Certstore.open("Root") do |store|
+    store.valid?(certificate_thumbprint)
+end
+```
+
+or
+
+```
+store = Win32::Certstore.open("Root")
+store.valid?(certificate_thumbprint)
+store.close
+```
+
+### Performing multiple operations
+
+To perform more than one operations with single certificate store object
+
+```
+raw = File.read "C:\GlobalSignRootCA.pem"
+certificate_object = OpenSSL::X509::Certificate.new raw
+
+Win32::Certstore.open('Root') do |store|
+  store.add(certificate_object)
+  store.list
+end
+```
+
+or
+
+```
+raw = File.read "C:\GlobalSignRootCA.pem" 
+certificate_object = OpenSSL::X509::Certificate.new raw
+
+store = Win32::Certstore.open('Root')
+store.add(certificate_object)
+store.list
+store.close
+```
+
+## Requirements / setup
+
+### Ruby
+
+Ruby 1.9.3+ is required.
+
+## CONTRIBUTING:
+
+Please file bugs against the WIN32-CERTSTORE project at https://github.com/chef/win32-certstore/issues.
+
+More information on the contribution process for Chef projects can be found in the [Chef Contributions document](http://docs.chef.io/community_contributions.html).
+
+# LICENSE:
+
+Author:: Bryan McLellan (<btm@chef.io>)
+Copyright:: 2017-2018 Chef Software, Inc.
+License:: Apache License, Version 2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/lib/win32-certstore.rb

@@ -0,0 +1,18 @@
+#
+# Author:: Nimisha Sharad (<nimisha.sharad@msystechnologies.com>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "win32/certstore"

data/lib/win32/certstore.rb

@@ -0,0 +1,129 @@
+#
+# Author:: Nimisha Sharad (<nimisha.sharad@msystechnologies.com>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "certstore/mixin/crypto"
+require_relative "certstore/mixin/assertions"
+require_relative "certstore/mixin/helper"
+require_relative "certstore/mixin/string"
+require_relative "certstore/store_base"
+require_relative "certstore/version"
+
+module Win32
+  class Certstore
+    include Win32::Certstore::Mixin::Crypto
+    extend Win32::Certstore::Mixin::Assertions
+    include Win32::Certstore::Mixin::String
+    include Win32::Certstore::StoreBase
+
+    attr_reader :store_name
+
+    def initialize(store_name)
+      @certstore_handler = open(store_name)
+    end
+
+    # To open given certificate store
+    def self.open(store_name)
+      validate_store(store_name)
+      if block_given?
+        yield new(store_name)
+      else
+        new(store_name)
+      end
+    end
+
+    # Adds a new certificate to an open certificate store
+    # @param request [Object] of certificate in OpenSSL::X509::Certificate.new format
+    # @return [true, false] only true or false
+    def add(certificate_obj)
+      cert_add(certstore_handler, certificate_obj)
+    end
+
+    # Return `OpenSSL::X509` certificate object
+    # @param request [thumbprint<string>] of certificate
+    # @return [Object] of certificates in OpenSSL::X509 format
+    def get(certificate_thumbprint)
+      cert_get(certificate_thumbprint)
+    end
+
+    # Returns all the certificates in a store
+    # @param [nil]
+    # @return [Array] array of certificates list
+    def list
+      cert_list(certstore_handler)
+    end
+
+    # Delete existing certificate from open certificate store
+    # @param request [thumbprint<string>] of certificate
+    # @return [true, false] only true or false
+    def delete(certificate_thumbprint)
+      cert_delete(certstore_handler, certificate_thumbprint)
+    end
+
+    # Returns all matching certificates in a store
+    # @param request[search_token<string>] attributes of certificates as: CN, RDN, Friendly Name and other attributes
+    # @return [Array] array of certificates list
+    def search(search_token)
+      cert_search(certstore_handler, search_token)
+    end
+
+    # Validates a certificate in a certificate store on the basis of time validity
+    # @param request[thumbprint<string>] of certificate
+    # @return [true, false] only true or false
+    def valid?(certificate_thumbprint)
+      cert_validate(certificate_thumbprint)
+    end
+
+    # To close and destroy pointer of open certificate store handler
+    def close
+      closed = CertCloseStore(@certstore_handler, CERT_CLOSE_STORE_FORCE_FLAG)
+      unless closed
+        last_error = FFI::LastError.error
+        raise SystemCallError.new("Unable to close the Certificate Store.", last_error)
+      end
+      remove_finalizer
+    end
+
+    private
+
+    attr_reader :certstore_handler
+
+    # To open certstore and return open certificate store pointer
+    def open(store_name)
+      certstore_handler = CertOpenSystemStoreW(nil, wstring(store_name))
+      unless certstore_handler
+        last_error = FFI::LastError.error
+        raise SystemCallError.new("Unable to open the Certificate Store `#{store_name}`.", last_error)
+      end
+      add_finalizer(certstore_handler)
+      certstore_handler
+    end
+
+    # Get all open certificate store handler
+    def add_finalizer(certstore_handler)
+      ObjectSpace.define_finalizer(self, self.class.finalize(certstore_handler))
+    end
+
+    def self.finalize(certstore_handler)
+      proc { puts "DESTROY OBJECT #{certstore_handler}" }
+    end
+
+    # To close all open certificate store at the end
+    def remove_finalizer
+      ObjectSpace.undefine_finalizer(self)
+    end
+  end
+end

data/lib/win32/certstore/mixin/assertions.rb

@@ -0,0 +1,90 @@
+#
+# Author:: Piyush Awasthi (<piyush.awasthi@msystechnologies.com>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require "openssl"
+
+module Win32
+  class Certstore
+    module Mixin
+      module Assertions
+        # Validate certificate store name
+        def validate_store(store_name)
+          unless valid_store_name.include?(store_name&.upcase)
+            raise ArgumentError, "Invalid Certificate Store."
+          end
+        end
+
+        # Validate certificate type
+        def validate_certificate(cert_file_path)
+          unless !cert_file_path.nil? && File.extname(cert_file_path) =~ /.cer|.crt|.pfx|.der/
+            raise ArgumentError, "Invalid Certificate format."
+          end
+        end
+
+        # Validate certificate Object
+        def validate_certificate_obj(cert_obj)
+          unless cert_obj.class == OpenSSL::X509::Certificate
+            raise ArgumentError, "Invalid Certificate object."
+          end
+        end
+
+        # Validate thumbprint
+        def validate_thumbprint(cert_thumbprint)
+          if cert_thumbprint.nil? || cert_thumbprint.strip.empty?
+            raise ArgumentError, "Invalid certificate thumbprint."
+          end
+        end
+
+        # Validate certificate name not nil/empty
+        def validate!(token)
+          raise ArgumentError, "Invalid search token" if !token || token.strip.empty?
+        end
+
+        # Common System call errors
+        def lookup_error(failed_operation = nil)
+          error_no = FFI::LastError.error
+          case error_no
+          when 1223
+            raise SystemCallError.new("The operation was canceled by the user", error_no)
+          when -2146885628
+            raise SystemCallError.new("Cannot find object or property", error_no)
+          when -2146885629
+            raise SystemCallError.new("An error occurred while reading or writing to a file.", error_no)
+          when -2146881269
+            raise SystemCallError.new("ASN1 bad tag value met. -- Is the certificate in DER format?", error_no)
+          when -2146881278
+            raise SystemCallError.new("ASN1 unexpected end of data.", error_no)
+          when -2147024891
+            raise SystemCallError.new("System.UnauthorizedAccessException, Access denied..", error_no)
+          else
+            raise SystemCallError.new("Unable to #{failed_operation} certificate.", error_no)
+          end
+        end
+
+        private
+
+        # These Are Valid certificate store name
+        # CA -> Certification authority certificates.
+        # MY -> A certificate store that holds certificates with associated private keys.
+        # ROOT -> Root certificates.
+        # SPC -> Software Publisher Certificate.
+        def valid_store_name
+          %w{MY CA ROOT SPC}
+        end
+      end
+    end
+  end
+end

data/lib/win32/certstore/mixin/crypto.rb

@@ -0,0 +1,203 @@
+#
+# Author:: Nimisha Sharad (<nimisha.sharad@msystechnologies.com>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "ffi"
+
+module Win32
+  class Certstore
+    module Mixin
+      module Crypto
+        extend FFI::Library
+
+        ffi_lib "Crypt32"
+        ffi_convention :stdcall
+
+        # Attempts to use FFI's attach_function method to link a native Win32
+        # function into the calling module.  If this fails a dummy method is
+        # defined which when called, raises a helpful exception to the end-user.
+        module FFI::Library
+          def safe_attach_function(win32_func, *args)
+            attach_function(win32_func.to_sym, *args)
+          rescue FFI::NotFoundError
+            define_method(win32_func.to_sym) do |*margs|
+              raise NotImplementedError, "This version of Windows does not implement the Win32 function [#{win32_func}]."
+            end
+          end
+        end
+
+        ###############################################
+        # Win32 API Constants
+        ###############################################
+
+        CERT_CLOSE_STORE_CHECK_FLAG                         = 0
+        CERT_CLOSE_STORE_FORCE_FLAG                         = 1
+
+        # cert encoding flags.
+        CRYPT_ASN_ENCODING                                  = 0x00000001
+        CRYPT_NDR_ENCODING                                  = 0x00000002
+        X509_ASN_ENCODING                                   = 0x00000001
+        X509_NDR_ENCODING                                   = 0x00000002
+        PKCS_7_ASN_ENCODING                                 = 0x00010000
+        PKCS_7_NDR_ENCODING                                 = 0x00020000
+        PKCS_7_OR_X509_ASN_ENCODING                         = (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
+
+        # Certificate Display Format
+        CERT_NAME_EMAIL_TYPE                                = 1
+        CERT_NAME_RDN_TYPE                                  = 2
+        CERT_NAME_ATTR_TYPE                                 = 3
+        CERT_NAME_SIMPLE_DISPLAY_TYPE                       = 4
+        CERT_NAME_FRIENDLY_DISPLAY_TYPE                     = 5
+        CERT_NAME_DNS_TYPE                                  = 6
+        CERT_NAME_URL_TYPE                                  = 7
+        CERT_NAME_UPN_TYPE                                  = 8
+
+        # Retrieve Certificates flag
+        CERT_FIND_SUBJECT_STR                               = 0x00080007
+        CERT_FIND_ISSUER_STR                                = 0x00080004
+
+        # List Certificates Flag
+        CERT_NAME_ISSUER_FLAG                               = 0x1
+        CERT_NAME_DISABLE_IE4_UTF8_FLAG                     = 0x00010000
+        CERT_NAME_SEARCH_ALL_NAMES_FLAG                     = 0x2
+        CERT_NAME_STR_ENABLE_PUNYCODE_FLAG                  = 0x00200000
+
+        # Define ffi pointer
+        HCERTSTORE                                          = FFI::TypeDefs[:pointer]
+        HCRYPTPROV_LEGACY                                   = FFI::TypeDefs[:pointer]
+        PCCERT_CONTEXT                                      = FFI::TypeDefs[:pointer]
+        BYTE                                                = FFI::TypeDefs[:pointer]
+        DWORD                                               = FFI::TypeDefs[:uint32]
+        BLOB                                                = FFI::TypeDefs[:ulong]
+        LPSTR                                               = FFI::TypeDefs[:pointer]
+        LPCTSTR                                             = FFI::TypeDefs[:pointer]
+        BOOL                                                = FFI::TypeDefs[:bool]
+        INT_PTR                                             = FFI::TypeDefs[:int]
+        LONG                                                = FFI::TypeDefs[:long]
+        LPVOID                                              = FFI::TypeDefs[:pointer]
+        LPTSTR                                              = FFI::TypeDefs[:pointer]
+        LMSTR                                               = FFI::TypeDefs[:pointer]
+        PWSTR                                               = FFI::TypeDefs[:pointer]
+        LPFILETIME                                          = FFI::TypeDefs[:pointer]
+        PCERT_INFO                                          = FFI::TypeDefs[:pointer]
+        PCTL_USAGE                                          = FFI::TypeDefs[:pointer]
+        PCTL_VERIFY_USAGE_PARA                              = FFI::TypeDefs[:pointer]
+        PCTL_VERIFY_USAGE_STATUS                            = FFI::TypeDefs[:pointer]
+
+        class FILETIME < FFI::Struct
+          layout :dwLowDateTime, DWORD,
+                 :dwHighDateTime, DWORD
+        end
+
+        class CRYPT_INTEGER_BLOB < FFI::Struct
+          layout :cbData, DWORD, # Count, in bytes, of data
+                 :pbData, :pointer # Pointer to data buffer
+        end
+
+        class CRYPT_NAME_BLOB < FFI::Struct
+          layout :cbData, DWORD, # Count, in bytes, of data
+                 :pbData, :pointer # Pointer to data buffer
+          def initialize(str = nil)
+            super(nil)
+            if str
+              self[:pbData] = FFI::MemoryPointer.new(2, 128)
+            end
+          end
+        end
+
+        class CERT_EXTENSION < FFI::Struct
+          layout :pszObjId, LPTSTR,
+                 :fCritical, BOOL,
+                 :Value, CRYPT_INTEGER_BLOB
+        end
+
+        class CRYPT_BIT_BLOB < FFI::Struct
+          layout :cbData, DWORD,
+                 :pbData, BYTE,
+                 :cUnusedBits, DWORD
+        end
+
+        class CRYPT_ALGORITHM_IDENTIFIER < FFI::Struct
+          layout :pszObjId, LPSTR,
+                 :Parameters, CRYPT_INTEGER_BLOB
+        end
+
+        class CERT_PUBLIC_KEY_INFO < FFI::Struct
+          layout :Algorithm, CRYPT_ALGORITHM_IDENTIFIER,
+                 :PublicKey, CRYPT_BIT_BLOB
+        end
+
+        class CERT_INFO < FFI::Struct
+          layout :dwVersion, DWORD,
+               :SerialNumber, CRYPT_INTEGER_BLOB,
+               :SignatureAlgorithm, CRYPT_ALGORITHM_IDENTIFIER,
+               :Issuer, CRYPT_NAME_BLOB,
+               :NotBefore, FILETIME,
+               :NotAfter, FILETIME,
+               :Subject, CRYPT_NAME_BLOB,
+               :SubjectPublicKeyInfo, CERT_PUBLIC_KEY_INFO,
+               :IssuerUniqueId, CRYPT_BIT_BLOB,
+               :SubjectUniqueId, CRYPT_BIT_BLOB,
+               :cExtension, DWORD,
+               :rgExtension, CERT_EXTENSION
+        end
+
+        class CERT_CONTEXT < FFI::Struct
+          layout :dwCertEncodingType, DWORD,
+                 :pbCertEncoded, BYTE,
+                 :cbCertEncoded, DWORD,
+                 :pCertInfo, CERT_INFO,
+                 :hCertStore, HCERTSTORE
+        end
+
+        ###############################################################################
+        # Windows Function
+        # To know description about below windows function
+        # Search Ref: https://msdn.microsoft.com/en-us/library/windows/desktop/aa376560
+        ###############################################################################
+
+        # To opens the most common system certificate store
+        safe_attach_function :CertOpenSystemStoreW, [HCRYPTPROV_LEGACY, LPCTSTR], HCERTSTORE
+        # To close the already open certificate store
+        safe_attach_function :CertCloseStore, [HCERTSTORE, DWORD], BOOL
+        # To create encoded certificate context
+        safe_attach_function :CertCreateCertificateContext, [DWORD, BYTE, DWORD], PCCERT_CONTEXT
+        # To retrieves certificates in a certificate store
+        safe_attach_function :CertEnumCertificatesInStore, [HCERTSTORE, PCCERT_CONTEXT], PCCERT_CONTEXT
+        # To get certificate name
+        safe_attach_function :CertGetNameStringW, [PCCERT_CONTEXT, DWORD, DWORD, LPVOID, LPTSTR, DWORD], DWORD
+        # To find all of the property identifiers for the specified certificate.
+        safe_attach_function :CertEnumCertificateContextProperties, [PCCERT_CONTEXT, DWORD], DWORD
+        # Clean up
+        safe_attach_function :CertFreeCertificateContext, [PCCERT_CONTEXT], BOOL
+        # Add certificate file in certificate store.
+        safe_attach_function :CertAddSerializedElementToStore, [HCERTSTORE, :pointer, DWORD, DWORD, DWORD, DWORD, LMSTR, LPVOID], BOOL
+        # Add certification to certification store - Ref: https://msdn.microsoft.com/en-us/library/windows/desktop/aa376015(v=vs.85).aspx
+        safe_attach_function :CertAddEncodedCertificateToStore, [HCERTSTORE, DWORD, PWSTR, DWORD, INT_PTR, PCCERT_CONTEXT], BOOL
+        safe_attach_function :CertSerializeCertificateStoreElement, [PCCERT_CONTEXT, DWORD, :pointer, DWORD], BOOL
+        # Duplicates a certificate context by incrementing its reference count
+        safe_attach_function :CertDuplicateCertificateContext, [PCCERT_CONTEXT], PCCERT_CONTEXT
+        # Delete certification from certification store
+        safe_attach_function :CertDeleteCertificateFromStore, [PCCERT_CONTEXT], BOOL
+        # To retrieve specific certificates from certificate store
+        safe_attach_function :CertFindCertificateInStore, [HCERTSTORE, DWORD, DWORD, DWORD, LPVOID, PCCERT_CONTEXT], PCCERT_CONTEXT
+        
+        safe_attach_function :PFXExportCertStoreEx, [HCERTSTORE, CRYPT_INTEGER_BLOB, LPCTSTR, LPVOID, DWORD], BOOL
+      end
+    end
+  end
+end

data/lib/win32/certstore/mixin/helper.rb

@@ -0,0 +1,50 @@
+#
+# Author:: Piyush Awasthi (<piyush.awasthi@msystechnologies.com>)
+# Copyright:: Copyright (c) 2018 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'date'
+
+module Win32
+  class Certstore
+    module Mixin
+      module Helper
+
+        # PSCommand to search certificate from thumbprint and convert in pem
+        def cert_ps_cmd(thumbprint)
+          <<-EOH
+            $content = $null
+            $cert = Get-ChildItem Cert:\ -Recurse | Where { $_.Thumbprint -eq '#{thumbprint}' }
+            if($cert -ne $null)
+            {
+            $content = @(
+              '-----BEGIN CERTIFICATE-----'
+              [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
+              '-----END CERTIFICATE-----'
+            )
+            }
+            $content
+          EOH
+        end
+
+        # validate certificate not_before and not_after date in UTC
+        def valid_duration?(cert_obj)
+          cert_obj.not_before < Time.now.utc && cert_obj.not_after > Time.now.utc
+        end
+
+      end
+    end
+  end
+end

data/lib/win32/certstore/mixin/shell_out.rb

@@ -0,0 +1,104 @@
+#
+# Author:: Daniel DeLeo (<dan@chef.io>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "mixlib/shellout"
+
+module Win32
+  class Certstore
+    module Mixin
+      module ShellOut
+        def shell_out_command(*command_args)
+          cmd = Mixlib::ShellOut.new(*command_args)
+          cmd.live_stream
+          cmd.run_command
+          if cmd.error!
+            raise Mixlib::ShellOut::ShellCommandFailed, cmd.error!
+          end
+          cmd
+        end
+        # Run a command under powershell with the same API as shell_out.  The
+        # options hash is extended to take an "architecture" flag which
+        # can be set to :i386 or :x86_64 to force the windows architecture.
+        #
+        # @param script [String] script to run
+        # @param options [Hash] options hash
+        # @return [Mixlib::Shellout] mixlib-shellout object
+        def powershell_out(*command_args)
+          script = command_args.first
+          options = command_args.last.is_a?(Hash) ? command_args.last : nil
+
+          run_command_with_os_architecture(script, options)
+        end
+
+        # Run a command under powershell with the same API as shell_out!
+        # (raises exceptions on errors)
+        #
+        # @param script [String] script to run
+        # @param options [Hash] options hash
+        # @return [Mixlib::Shellout] mixlib-shellout object
+        def powershell_out!(*command_args)
+          cmd = powershell_out(*command_args)
+          cmd.error!
+          cmd
+        end
+
+        private
+
+        # Helper function to run shell_out and wrap it with the correct
+        # flags to possibly disable WOW64 redirection (which we often need
+        # because chef-client runs as a 32-bit app on 64-bit windows).
+        #
+        # @param script [String] script to run
+        # @param options [Hash] options hash
+        # @return [Mixlib::Shellout] mixlib-shellout object
+        def run_command_with_os_architecture(script, options)
+          options ||= {}
+          options = options.dup
+          arch = options.delete(:architecture)
+
+          shell_out_command(
+            build_powershell_command(script),
+            options
+          )
+        end
+
+        # Helper to build a powershell command around the script to run.
+        #
+        # @param script [String] script to run
+        # @return [String] powershell command to execute
+        def build_powershell_command(script)
+          flags = [
+            # Hides the copyright banner at startup.
+            "-NoLogo",
+            # Does not present an interactive prompt to the user.
+            "-NonInteractive",
+            # Does not load the Windows PowerShell profile.
+            "-NoProfile",
+            # always set the ExecutionPolicy flag
+            # see http://technet.microsoft.com/en-us/library/ee176961.aspx
+            "-ExecutionPolicy Unrestricted",
+            # Powershell will hang if STDIN is redirected
+            # http://connect.microsoft.com/PowerShell/feedback/details/572313/powershell-exe-can-hang-if-stdin-is-redirected
+            "-InputFormat None",
+          ]
+
+          "powershell.exe #{flags.join(' ')} -Command \"#{script.gsub('"', '\"')}\""
+        end
+      end
+    end
+  end
+end

data/lib/win32/certstore/mixin/string.rb

@@ -0,0 +1,71 @@
+#
+# Author:: Jay Mundrawala(<jdm@chef.io>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Win32
+  class Certstore
+    module Mixin
+      module String
+        def wstring(str)
+          if str.nil? || str.encoding == Encoding::UTF_16LE
+            str
+          else
+            utf8_to_wide(str)
+          end
+        end
+
+        def utf8_to_wide(ustring)
+          # ensure it is actually UTF-8
+          # Ruby likes to mark binary data as ASCII-8BIT
+          ustring = (ustring + "").force_encoding("UTF-8") if ustring.respond_to?(:force_encoding) && ustring.encoding.name != "UTF-8"
+
+          # ensure we have the double-null termination Windows Wide likes
+          ustring += "\000\000" if ustring.length == 0 || ustring[-1].chr != "\000"
+
+          # encode it all as UTF-16LE AKA Windows Wide Character AKA Windows Unicode
+          ustring = begin
+            if ustring.respond_to?(:encode)
+              ustring.encode("UTF-16LE")
+            else
+              require "iconv"
+              Iconv.conv("UTF-16LE", "UTF-8", ustring)
+            end
+          end
+          ustring
+        end
+
+        def wide_to_utf8(wstring)
+          # ensure it is actually UTF-16LE
+          # Ruby likes to mark binary data as ASCII-8BIT
+          wstring = wstring.force_encoding("UTF-16LE") if wstring.respond_to?(:force_encoding)
+
+          # encode it all as UTF-8
+          wstring = begin
+            if wstring.respond_to?(:encode)
+              wstring.encode("UTF-8")
+            else
+              require "iconv"
+              Iconv.conv("UTF-8", "UTF-16LE", wstring)
+            end
+          end
+          # remove trailing CRLF and NULL characters
+          wstring.strip!
+          wstring
+        end
+      end
+    end
+  end
+end

data/lib/win32/certstore/mixin/unicode.rb

@@ -0,0 +1,50 @@
+#
+# Author:: John Keiser (<jkeiser@chef.io>)
+# Author:: Seth Chisamore (<schisamo@chef.io>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "string"
+
+module Win32::Certstore::Mixin::Unicode
+end
+
+module FFI
+  class Pointer
+    include Win32::Certstore::Mixin::String
+    def read_wstring(num_wchars = nil)
+      if num_wchars.nil?
+        # Find the length of the string
+        length = 0
+        last_char = nil
+        while last_char != "\000\000"
+          length += 1
+          last_char = get_bytes(0, length * 2)[-2..-1]
+        end
+
+        num_wchars = length
+      end
+      wide_to_utf8(get_bytes(0, num_wchars * 2))
+    end
+  end
+end
+
+class String
+  include Win32::Certstore::Mixin::String
+
+  def to_wstring
+    utf8_to_wide(self)
+  end
+end

data/lib/win32/certstore/store_base.rb

@@ -0,0 +1,214 @@
+#
+# Author:: Piyush Awasthi (<piyush.awasthi@msystechnologies.com>)
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "mixin/crypto"
+require_relative "mixin/string"
+require_relative "mixin/shell_out"
+require_relative "mixin/unicode"
+require "openssl"
+require "json"
+
+module Win32
+  class Certstore
+    module StoreBase
+      include Win32::Certstore::Mixin::Crypto
+      include Win32::Certstore::Mixin::Assertions
+      include Win32::Certstore::Mixin::String
+      include Win32::Certstore::Mixin::ShellOut
+      include Win32::Certstore::Mixin::Unicode
+      include Win32::Certstore::Mixin::Helper
+
+      # Adding new certification in open certificate and return boolean
+      # store_handler => Open certificate store handler
+      # certificate_obj => certificate object must be in OpenSSL::X509
+      def cert_add(store_handler, certificate_obj)
+        validate_certificate_obj(certificate_obj)
+        begin
+          cert_args = cert_add_args(store_handler, certificate_obj)
+          if CertAddEncodedCertificateToStore(*cert_args)
+            true
+          else
+            lookup_error
+          end
+        rescue Exception => e
+          lookup_error("add")
+        end
+      end
+
+      # Get certificate from open certificate store and return certificate object
+      # store_handler => Open certificate store handler
+      # certificate_thumbprint => thumbprint is a hash. which could be sha1 or md5.
+      def cert_get(certificate_thumbprint)
+        validate_thumbprint(certificate_thumbprint)
+        thumbprint = update_thumbprint(certificate_thumbprint)
+        cert_pem = get_cert_pem(thumbprint)
+        cert_pem = format_pem(cert_pem)
+        unless cert_pem.empty?
+          build_openssl_obj(cert_pem)
+        end
+      end
+
+      # Listing certificate of open certstore and return list in json
+      def cert_list(store_handler)
+        cert_name = memory_ptr
+        cert_list = []
+        begin
+          while (pcert_context = CertEnumCertificatesInStore(store_handler, pcert_context)) && (not pcert_context.null?) do
+            cert_args = cert_get_name_args(pcert_context, cert_name, CERT_NAME_FRIENDLY_DISPLAY_TYPE)
+            if CertGetNameStringW(*cert_args)
+              cert_list << cert_name.read_wstring
+            end
+          end
+          CertFreeCertificateContext(pcert_context)
+        rescue Exception => e
+          lookup_error("list")
+        end
+        cert_list.to_json
+      end
+
+      # Deleting certificate from open certificate store and return boolean
+      # store_handler => Open certificate store handler
+      # certificate_thumbprint => thumbprint is a hash. which could be sha1 or md5.
+      def cert_delete(store_handler, certificate_thumbprint)
+        validate_thumbprint(certificate_thumbprint)
+        cert_name = memory_ptr
+        thumbprint = update_thumbprint(certificate_thumbprint)
+        cert_pem = format_pem(get_cert_pem(thumbprint))
+        cert_rdn = get_rdn(build_openssl_obj(cert_pem))
+        cert_delete_flag = false
+        begin
+          cert_args = cert_find_args(store_handler, cert_rdn)
+          if (pcert_context = CertFindCertificateInStore(*cert_args) and !pcert_context.null?)
+            cert_delete_flag = CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pcert_context)) || lookup_error
+          end
+          CertFreeCertificateContext(pcert_context)
+        rescue Exception => e
+          lookup_error("delete")
+        end
+        cert_delete_flag
+      end
+
+      # Verify certificate from open certificate store and return boolean or exceptions
+      # store_handler => Open certificate store handler
+      # certificate_thumbprint => thumbprint is a hash. which could be sha1 or md5.
+      def cert_validate(certificate_thumbprint)
+        validate_thumbprint(certificate_thumbprint)
+        thumbprint = update_thumbprint(certificate_thumbprint)
+        cert_pem = get_cert_pem(thumbprint)
+        cert_pem = format_pem(cert_pem)
+        verify_certificate(cert_pem)
+      end
+
+      # Search certificate from open certificate store and return list
+      # store_handler => Open certificate store handler
+      # search_token => CN, RDN or any certificate attribute
+      def cert_search(store_handler, search_token)
+        raise ArgumentError, "Invalid search token" if !search_token || search_token.strip.empty?
+        cert_rdn = memory_ptr
+        certificate_list =[]
+        counter = 0
+        begin
+          while (pcert_context = CertEnumCertificatesInStore(store_handler, pcert_context) and !pcert_context.null?)
+            cert_property = get_cert_property(pcert_context)
+            if cert_property.include?(search_token)
+              certificate_list << [cert_property[CERT_NAME_FRIENDLY_DISPLAY_TYPE], cert_property[CERT_NAME_RDN_TYPE]]
+            end
+          end
+          CertFreeCertificateContext(pcert_context)
+        rescue Exception => e
+          lookup_error
+        end
+        certificate_list
+      end
+
+      private
+
+      # Build arguments for CertAddEncodedCertificateToStore
+      def cert_add_args(store_handler, certificate_obj)
+        [store_handler, X509_ASN_ENCODING, der_cert(certificate_obj), certificate_obj.to_s.bytesize, 2, nil]
+      end
+
+      # Build arguments for CertFindCertificateInStore
+      def cert_find_args(store_handler, cert_rdn)
+        [store_handler, X509_ASN_ENCODING, 0, CERT_FIND_ISSUER_STR, cert_rdn.to_wstring, nil]
+      end
+
+      # Match certificate CN exist in cert_rdn 
+      def is_cn_match?(cert_rdn, certificate_name)
+        cert_rdn.read_wstring.match(/(^|\W)#{certificate_name}($|\W)/i)
+      end
+
+      # Get Certificate all properties
+      def get_cert_property(pcert_context)
+        property_value = memory_ptr
+        property_list = []
+        property_list[0] = ""
+        (1..8).to_a.each do |property_type|
+          CertGetNameStringW(pcert_context, property_type, CERT_NAME_ISSUER_FLAG, nil, property_value, 1024)
+          property_list << property_value.read_wstring
+        end
+        property_list
+      end
+
+      # Build argument for CertGetNameStringW
+      def cert_get_name_args(pcert_context, cert_name, search_type)
+        [pcert_context, search_type, CERT_NAME_ISSUER_FLAG, nil, cert_name, 1024]
+      end
+
+      # Remove extra space and : from thumbprint
+      def update_thumbprint(certificate_thumbprint)
+        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, '')
+      end
+
+      # Verify OpenSSL::X509::Certificate object
+      def verify_certificate(cert_pem)
+        return "Certificate not found" if cert_pem.empty?
+        valid_duration?(build_openssl_obj(cert_pem))
+      end
+
+      # Convert OpenSSL::X509::Certificate object in .der formate
+      def der_cert(cert_obj)
+        FFI::MemoryPointer.from_string(cert_obj.to_der)
+      end
+
+      # Get certificate pem
+      def get_cert_pem(thumbprint)
+        get_data =  powershell_out!(cert_ps_cmd(thumbprint))
+        get_data.stdout
+      end
+
+      # To get RDN from certificate object
+      def get_rdn(cert_obj)
+        cert_obj.issuer.to_s.concat("/").scan(/=(.*?)\//).join(", ")
+      end
+
+      # Format pem
+      def format_pem(cert_pem)
+        cert_pem.delete("\r")
+      end
+
+      # Build pem to OpenSSL::X509::Certificate object
+      def build_openssl_obj(cert_pem)
+        OpenSSL::X509::Certificate.new(cert_pem)
+      end
+      # Create empty memory pointer
+      def memory_ptr
+        FFI::MemoryPointer.new(2, 256)
+      end
+    end
+  end
+end

data/lib/win32/certstore/version.rb

@@ -0,0 +1,6 @@
+module Win32
+  class Certstore
+    VERSION = "0.1.0"
+    MAJOR, MINOR, TINY = VERSION.split(".")
+  end
+end

metadata

@@ -0,0 +1,125 @@
+--- !ruby/object:Gem::Specification
+name: win32-certstore
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- nimisha
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-05-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: mixlib-shellout
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- nimisha.sharad@msystechnologies.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/win32-certstore.rb
+- lib/win32/certstore.rb
+- lib/win32/certstore/mixin/assertions.rb
+- lib/win32/certstore/mixin/crypto.rb
+- lib/win32/certstore/mixin/helper.rb
+- lib/win32/certstore/mixin/shell_out.rb
+- lib/win32/certstore/mixin/string.rb
+- lib/win32/certstore/mixin/unicode.rb
+- lib/win32/certstore/store_base.rb
+- lib/win32/certstore/version.rb
+homepage: https://github.com/chef/win32-certstore
+licenses: []
+metadata:
+  yard.run: yri
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: Ruby library for accessing the certificate store on Windows.
+test_files: []