win32-certstore 0.2.4 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b07544eeb10d6d5d218064ac922283b7654a4e6a683999f645792ff27fa45d5
-  data.tar.gz: c7be876bba7975484a85507e241d9d8f6c590194ea32290edc5189540e647f69
+  metadata.gz: 63c8c4f2aaa89a78a8123d98079710df407a3930b0f4b5a6ef3ff2232c11ba05
+  data.tar.gz: 8641dfff337fe7b702783becfcfbfbba6b2a66af189eeb511897c2f0cb5e7d6c
 SHA512:
-  metadata.gz: 772ca2195c9e4aa5b522d2e1196730cfc3cb777a05779c99d17a770eae954280e5a555986ee8718fbf785a94d9490b55b419515548c0740ed7f08f20839cf43b
-  data.tar.gz: 167436e45e6ae7b64cd4de5ce95eced68d7b16ed759585b3bd5a682a6f63b6c8b26c31c13c59e448006a6bb298ce89986bb33d987efcbbaee3959f6542ff733f
+  metadata.gz: 4f255e439feee57642565bd9fca87f19140b5f95c38eed0a1e8621326749dd5274c0b72c8211bddfbec265820bff4b8d2ad9460ebbf5c30fa1d6607a7e81f204
+  data.tar.gz: 4efd363fb264fc8501f0f9e105e79f7537319838aafc0cb751387a73360386186d326dedd51522907aa131fe74c1b3ba07bd7b3f6f16a1283f5f59203d96a6a7

data/lib/win32/certstore.rb

@@ -31,18 +31,21 @@ module Win32
 
     attr_accessor :store_name
 
-    def initialize(store_name)
+    # Initializes a new instance of a certificate store.
+    # takes 2 parameters - the store name (My, Root, etc) and the location (CurrentUser or LocalMachine), it defaults to LocalMachine for backwards compatibility
+    def initialize(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
       @store_name = store_name
-      @certstore_handler = open(store_name)
+      @store_location = store_location
+      @certstore_handler = open(store_name, store_location: store_location)
     end
 
     # To open given certificate store
-    def self.open(store_name)
+    def self.open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
       validate_store(store_name)
       if block_given?
-        yield new(store_name)
+        yield new(store_name, store_location: store_location)
       else
-        new(store_name)
+        new(store_name, store_location: store_location)
       end
     end
 
@@ -60,11 +63,12 @@ module Win32
     #
     # @param path [String] Path of the certificate that should be imported
     # @param password [String] Password of the certificate if it is protected
+    # @param key_properties [Integer] dwFlags used to specify properties of the pfx key, see certstore/store_base.rb cert_add_pfx function
     #
     # @return [Boolean]
     #
-    def add_pfx(path, password)
-      cert_add_pfx(certstore_handler, path, password)
+    def add_pfx(path, password, key_properties = 0)
+      cert_add_pfx(certstore_handler, path, password, key_properties)
     end
 
     # Return `OpenSSL::X509` certificate object
@@ -74,6 +78,18 @@ module Win32
       cert_get(certificate_thumbprint)
     end
 
+    # Returns a filepath to a PKCS12 container. The filepath is in a temporary folder so normal housekeeping by the OS should clear it.
+    # However, you should delete it yourself anyway.
+    # @param certificate_thumbprint [String] Is the thumbprint of the pfx blob you want to capture
+    # @param store_location: [String] A location in the Cert store where the pfx is located, typically 'LocalMachine'
+    # @param export_password: [String] The password to export with. P12 objects are an encrypted container that have a private key in \
+    # them and a password is required to export them.
+    # @param output_path: [String] The path where the you want P12 exported to.
+    # @return [Object] of certificate set in PKSC12 format at the path specified above
+    def get_pfx(certificate_thumbprint, store_location: @store_location, export_password:, output_path: "")
+      get_cert_pfx(certificate_thumbprint, store_location: store_location, export_password: export_password, output_path: output_path)
+    end
+
     # Returns all the certificates in a store
     # @param [nil]
     # @return [Array] array of certificates list
@@ -117,8 +133,9 @@ module Win32
     attr_reader :certstore_handler
 
     # To open certstore and return open certificate store pointer
-    def open(store_name)
-      certstore_handler = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, nil, CERT_SYSTEM_STORE_LOCAL_MACHINE, wstring(store_name))
+
+    def open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+      certstore_handler = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, nil, store_location, wstring(store_name))
       unless certstore_handler
         last_error = FFI::LastError.error
         raise SystemCallError.new("Unable to open the Certificate Store `#{store_name}`.", last_error)

data/lib/win32/certstore/mixin/assertions.rb

@@ -14,7 +14,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-require "openssl"
+require "openssl" unless defined?(OpenSSL)
 
 module Win32
   class Certstore

data/lib/win32/certstore/mixin/crypto.rb

@@ -16,7 +16,7 @@
 # limitations under the License.
 #
 
-require "ffi"
+require "ffi" unless defined?(FFI)
 
 module Win32
   class Certstore
@@ -88,6 +88,9 @@ module Win32
 
         CERT_STORE_PROV_SYSTEM                              = 10
         CERT_SYSTEM_STORE_LOCAL_MACHINE                     = 0x00020000
+        CERT_SYSTEM_STORE_CURRENT_USER                      = 0x00010000
+        CERT_SYSTEM_STORE_SERVICES                          = 0x00050000
+        CERT_SYSTEM_STORE_USERS                             = 0x00060000
 
         # Define ffi pointer
         HCERTSTORE                                          = FFI::TypeDefs[:pointer]
@@ -113,17 +116,17 @@ module Win32
 
         class FILETIME < FFI::Struct
           layout :dwLowDateTime, DWORD,
-                 :dwHighDateTime, DWORD
+            :dwHighDateTime, DWORD
         end
 
         class CRYPT_INTEGER_BLOB < FFI::Struct
           layout :cbData, DWORD, # Count, in bytes, of data
-                 :pbData, :pointer # Pointer to data buffer
+            :pbData, :pointer # Pointer to data buffer
         end
 
         class CRYPT_NAME_BLOB < FFI::Struct
           layout :cbData, DWORD, # Count, in bytes, of data
-                 :pbData, :pointer # Pointer to data buffer
+            :pbData, :pointer # Pointer to data buffer
           def initialize(str = nil)
             super(nil)
             if str
@@ -134,7 +137,7 @@ module Win32
 
         class CRYPT_HASH_BLOB < FFI::Struct
           layout :cbData, DWORD, # Count, in bytes, of data
-                 :pbData, :pointer # Pointer to data buffer
+            :pbData, :pointer # Pointer to data buffer
 
           def initialize(str = nil)
             super(nil)
@@ -151,7 +154,7 @@ module Win32
 
         class CRYPT_DATA_BLOB < FFI::Struct
           layout :cbData, DWORD, # Count, in bytes, of data
-                 :pbData, :pointer # Pointer to data buffer
+            :pbData, :pointer # Pointer to data buffer
 
           def initialize(str = nil)
             super(nil)
@@ -164,47 +167,47 @@ module Win32
 
         class CERT_EXTENSION < FFI::Struct
           layout :pszObjId, LPTSTR,
-                 :fCritical, BOOL,
-                 :Value, CRYPT_INTEGER_BLOB
+            :fCritical, BOOL,
+            :Value, CRYPT_INTEGER_BLOB
         end
 
         class CRYPT_BIT_BLOB < FFI::Struct
           layout :cbData, DWORD,
-                 :pbData, BYTE,
-                 :cUnusedBits, DWORD
+            :pbData, BYTE,
+            :cUnusedBits, DWORD
         end
 
         class CRYPT_ALGORITHM_IDENTIFIER < FFI::Struct
           layout :pszObjId, LPSTR,
-                 :Parameters, CRYPT_INTEGER_BLOB
+            :Parameters, CRYPT_INTEGER_BLOB
         end
 
         class CERT_PUBLIC_KEY_INFO < FFI::Struct
           layout :Algorithm, CRYPT_ALGORITHM_IDENTIFIER,
-                 :PublicKey, CRYPT_BIT_BLOB
+            :PublicKey, CRYPT_BIT_BLOB
         end
 
         class CERT_INFO < FFI::Struct
           layout :dwVersion, DWORD,
-               :SerialNumber, CRYPT_INTEGER_BLOB,
-               :SignatureAlgorithm, CRYPT_ALGORITHM_IDENTIFIER,
-               :Issuer, CRYPT_NAME_BLOB,
-               :NotBefore, FILETIME,
-               :NotAfter, FILETIME,
-               :Subject, CRYPT_NAME_BLOB,
-               :SubjectPublicKeyInfo, CERT_PUBLIC_KEY_INFO,
-               :IssuerUniqueId, CRYPT_BIT_BLOB,
-               :SubjectUniqueId, CRYPT_BIT_BLOB,
-               :cExtension, DWORD,
-               :rgExtension, CERT_EXTENSION
+            :SerialNumber, CRYPT_INTEGER_BLOB,
+            :SignatureAlgorithm, CRYPT_ALGORITHM_IDENTIFIER,
+            :Issuer, CRYPT_NAME_BLOB,
+            :NotBefore, FILETIME,
+            :NotAfter, FILETIME,
+            :Subject, CRYPT_NAME_BLOB,
+            :SubjectPublicKeyInfo, CERT_PUBLIC_KEY_INFO,
+            :IssuerUniqueId, CRYPT_BIT_BLOB,
+            :SubjectUniqueId, CRYPT_BIT_BLOB,
+            :cExtension, DWORD,
+            :rgExtension, CERT_EXTENSION
         end
 
         class CERT_CONTEXT < FFI::Struct
           layout :dwCertEncodingType, DWORD,
-                 :pbCertEncoded, BYTE,
-                 :cbCertEncoded, DWORD,
-                 :pCertInfo, CERT_INFO,
-                 :hCertStore, HCERTSTORE
+            :pbCertEncoded, BYTE,
+            :cbCertEncoded, DWORD,
+            :pCertInfo, CERT_INFO,
+            :hCertStore, HCERTSTORE
         end
 
         ###############################################################################

data/lib/win32/certstore/mixin/helper.rb

@@ -21,21 +21,52 @@ module Win32
   class Certstore
     module Mixin
       module Helper
-
-        # PSCommand to search certificate from thumbprint and convert in pem
-        def cert_ps_cmd(thumbprint, store_name)
+        # PSCommand to search certificate from thumbprint and either turn it into a pem or return a path to a pfx object
+        def cert_ps_cmd(thumbprint, store_location: "LocalMachine", export_password: "1234", output_path: "")
           <<-EOH
-            $content = $null
-            $cert = Get-ChildItem Cert:\\LocalMachine\\'#{store_name}' -Recurse | Where { $_.Thumbprint -eq '#{thumbprint}' }
-            if($cert -ne $null)
-            {
-            $content = @(
-              '-----BEGIN CERTIFICATE-----'
-              [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
-              '-----END CERTIFICATE-----'
-            )
+            $cert = Get-ChildItem Cert:\'#{store_location}' -Recurse | Where { $_.Thumbprint -eq '#{thumbprint}' }
+
+            # The function and the code below test to see if a) the cert has a private key and b) it has a
+            # Enhanced Usage of Client Auth. Those 2 attributes would mean this is a pfx-able object
+            function test_cert_values{
+              $usagelist = ($cert).EnhancedKeyUsageList
+              foreach($use in $usagelist){
+                if($use.FriendlyName -like "Client Authentication" ){
+                    return $true
+                }
+              }
+              return $false
+            }
+
+            $result = test_cert_values
+
+            $output_path = "#{output_path}"
+            if([string]::IsNullOrEmpty($output_path)){
+              $temproot = [System.IO.Path]::GetTempPath()
+            }
+            else{
+              $temproot = $output_path
+            }
+
+            if((($cert).HasPrivateKey) -and ($result -eq $true)){
+              $file_name = '#{thumbprint}'
+              $file_path = $(Join-Path -Path $temproot -ChildPath "$file_name.pfx")
+              $mypwd = ConvertTo-SecureString -String '#{export_password}' -Force -AsPlainText
+              $cert | Export-PfxCertificate -FilePath $file_path -Password $mypwd | Out-Null
+              $file_path
+            }
+            else {
+              $content = $null
+              if($cert -ne $null)
+              {
+              $content = @(
+                '-----BEGIN CERTIFICATE-----'
+                [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
+                '-----END CERTIFICATE-----'
+              )
+              }
+              $content
             }
-            $content
           EOH
         end
 
@@ -43,7 +74,6 @@ module Win32
         def valid_duration?(cert_obj)
           cert_obj.not_before < Time.now.utc && cert_obj.not_after > Time.now.utc
         end
-
       end
     end
   end

data/lib/win32/certstore/mixin/{shell_out.rb → shell_exec.rb}

@@ -15,12 +15,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "mixlib/shellout"
+require "mixlib/shellout" unless defined?(Mixlib::ShellOut)
 
 module Win32
   class Certstore
     module Mixin
-      module ShellOut
+      module ShellExec
         def shell_out_command(*command_args)
           cmd = Mixlib::ShellOut.new(*command_args)
           cmd.live_stream
@@ -28,6 +28,7 @@ module Win32
           if cmd.error!
             raise Mixlib::ShellOut::ShellCommandFailed, cmd.error!
           end
+
           cmd
         end
 
@@ -38,7 +39,7 @@ module Win32
         # @param script [String] script to run
         # @param options [Hash] options hash
         # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_out(*command_args)
+        def powershell_exec(*command_args)
           script = command_args.first
           options = command_args.last.is_a?(Hash) ? command_args.last : nil
 
@@ -51,8 +52,8 @@ module Win32
         # @param script [String] script to run
         # @param options [Hash] options hash
         # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_out!(*command_args)
-          cmd = powershell_out(*command_args)
+        def powershell_exec!(*command_args)
+          cmd = powershell_exec(*command_args)
           cmd.error!
           cmd
         end
@@ -96,7 +97,7 @@ module Win32
             "-InputFormat None",
           ]
 
-          "powershell.exe #{flags.join(' ')} -Command \"#{script.gsub('"', '\"')}\""
+          "powershell.exe #{flags.join(" ")} -Command \"#{script.gsub('"', '\"')}\""
         end
       end
     end

data/lib/win32/certstore/store_base.rb

@@ -17,10 +17,10 @@
 
 require_relative "mixin/crypto"
 require_relative "mixin/string"
-require_relative "mixin/shell_out"
+require_relative "mixin/shell_exec"
 require_relative "mixin/unicode"
-require "openssl"
-require "json"
+require "openssl" unless defined?(OpenSSL)
+require "json" unless defined?(JSON)
 
 module Win32
   class Certstore
@@ -28,7 +28,7 @@ module Win32
       include Win32::Certstore::Mixin::Crypto
       include Win32::Certstore::Mixin::Assertions
       include Win32::Certstore::Mixin::String
-      include Win32::Certstore::Mixin::ShellOut
+      include Win32::Certstore::Mixin::ShellExec
       include Win32::Certstore::Mixin::Unicode
       include Win32::Certstore::Mixin::Helper
 
@@ -57,22 +57,25 @@ module Win32
       # @param certstore_handler [FFI::Pointer] Handle of the store where certificate should be imported
       # @param path [String] Path of the certificate that should be imported
       # @param password [String] Password of the certificate
+      # @param key_properties [Integer] dwFlags used to specify properties of the pfx key, see link above
       #
       # @return [Boolean]
       #
       # @raise [SystemCallError] when Crypt API would not be able to perform some action
       #
-      def cert_add_pfx(certstore_handler, path, password = "")
+      def cert_add_pfx(certstore_handler, path, password = "", key_properties = 0)
+        cert_added = false
         # Imports a PFX BLOB and returns the handle of a store
-        pfx_cert_store = PFXImportCertStore(CRYPT_DATA_BLOB.new(File.binread(path)), wstring(password), 0)
+        pfx_cert_store = PFXImportCertStore(CRYPT_DATA_BLOB.new(File.binread(path)), wstring(password), key_properties)
         raise if pfx_cert_store.null?
-        # Find the certificate context in certificate store
-        cert_context = CertFindCertificateInStore(pfx_cert_store, ENCODING_TYPE, 0, CERT_FIND_ANY, nil, nil)
-        raise if cert_context.null?
-        # Add certificate context to the certificate store
-        args = add_certcontxt_args(certstore_handler, cert_context)
-        cert_added = CertAddCertificateContextToStore(*args)
-        raise unless cert_added
+
+        # Find all the certificate contexts in certificate store and add them ino the store
+        while (cert_context = CertEnumCertificatesInStore(pfx_cert_store, cert_context)) && (not cert_context.null?)
+          # Add certificate context to the certificate store
+          args = add_certcontxt_args(certstore_handler, cert_context)
+          cert_added = CertAddCertificateContextToStore(*args)
+          raise unless cert_added
+        end
         cert_added
       rescue
         lookup_error("Add a PFX")
@@ -122,7 +125,7 @@ module Win32
         begin
           cert_args = cert_find_args(store_handler, thumbprint)
           pcert_context = CertFindCertificateInStore(*cert_args)
-          if !pcert_context.null?
+          unless pcert_context.null?
             cert_delete_flag = CertDeleteCertificateFromStore(CertDuplicateCertificateContext(pcert_context)) || lookup_error
           end
           CertFreeCertificateContext(pcert_context)
@@ -148,6 +151,7 @@ module Win32
       # search_token => CN, RDN or any certificate attribute
       def cert_search(store_handler, search_token)
         raise ArgumentError, "Invalid search token" if !search_token || search_token.strip.empty?
+
         certificate_list = []
         begin
           while (pcert_context = CertEnumCertificatesInStore(store_handler, pcert_context)) && !pcert_context.null?
@@ -216,6 +220,7 @@ module Win32
       # Verify OpenSSL::X509::Certificate object
       def verify_certificate(cert_pem)
         return "Certificate not found" if cert_pem.empty?
+
         valid_duration?(build_openssl_obj(cert_pem))
       end
 
@@ -226,7 +231,23 @@ module Win32
 
       # Get certificate pem
       def get_cert_pem(thumbprint)
-        get_data = powershell_out!(cert_ps_cmd(thumbprint, store_name))
+        converted_store = if @store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE
+                            "LocalMachine"
+                          else
+                            "CurrentUser"
+                          end
+        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_location: converted_store))
+        get_data.stdout
+      end
+
+      # Get PFX object
+      def get_cert_pfx(thumbprint, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE, export_password:, output_path: )
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE
+                            "LocalMachine"
+                          else
+                            "CurrentUser"
+                          end
+        get_data = powershell_exec!(cert_ps_cmd(thumbprint, export_password: export_password, store_location: converted_store, output_path: output_path))
         get_data.stdout
       end
 

data/lib/win32/certstore/version.rb

@@ -1,6 +1,6 @@
 module Win32
   class Certstore
-    VERSION = "0.2.4".freeze
+    VERSION = "0.6.1".freeze
     MAJOR, MINOR, TINY = VERSION.split(".")
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: win32-certstore
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.6.1
 platform: ruby
 authors:
 - Chef Software
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-04 00:00:00.000000000 Z
+date: 2021-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -79,7 +79,7 @@ files:
 - lib/win32/certstore/mixin/assertions.rb
 - lib/win32/certstore/mixin/crypto.rb
 - lib/win32/certstore/mixin/helper.rb
-- lib/win32/certstore/mixin/shell_out.rb
+- lib/win32/certstore/mixin/shell_exec.rb
 - lib/win32/certstore/mixin/string.rb
 - lib/win32/certstore/mixin/unicode.rb
 - lib/win32/certstore/store_base.rb
@@ -97,16 +97,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
-summary: Ruby library for accessing the certificate store on Windows.
+summary: Ruby library for accessing the certificate stores on Windows.
 test_files: []