win32-certstore 0.5.3 → 0.6.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b391e4d81e324162538a2a3644aea74f0da1f8679409733a58dcf4c590734a6c
-  data.tar.gz: 5ed7821ec5bffe58cb09608cfc008b287874b5ddafe8556662fa27f42a25c1b1
+  metadata.gz: 5a55969ab67094eb7c246c946a77807c596afb12d76fd4eef07d48076ffa43b7
+  data.tar.gz: 711f553c79a83a4edb8ed2b572ca4ddac1478658b910d57fdb097d2323b4985f
 SHA512:
-  metadata.gz: fc5c77cd659695ac3a58480ab875a6c5daa2b93cd83e45f1fcdfcd1bd89e0cf9653d38d63ae9e5260ecff90a7277f6ee600b91137665d53e672fbb77e1543cfb
-  data.tar.gz: 5b6a8025b85ae8ce026a9a7b603a35137000525ba182bbbcc8fc9667fb78dd6cf179ad1cfbb1cbdcdf582dd4749f82795a17df01181720d7f77a36a4477dc639
+  metadata.gz: 79af95ff03edc99c69c77cb2b333258929afda17bd3c7068cfc08f3fac65619d4723e2b0042f6f1b77fd6b34f0c2136d0136931275dc1514f2e5e78252a05d79
+  data.tar.gz: c8d84f2111d7ff052bacf7c3384552a519a17c9f49feec1e11e924115708c6838b2d034a3c9ecefafddf0ca08b3a0d1a0a4ef10b9863811abb684d92bb52c743

data/lib/win32/certstore/mixin/assertions.rb

@@ -37,13 +37,13 @@ module Win32
         # Validate certificate Object
         def validate_certificate_obj(cert_obj)
           unless cert_obj.class == OpenSSL::X509::Certificate
-            raise ArgumentError, "Invalid Certificate object."
+            raise ArgumentError, "Invalid Certificate object. This is not a properly formatted x509 object"
           end
         end
 
         # Validate thumbprint
         def validate_thumbprint(cert_thumbprint)
-          if cert_thumbprint.nil? || cert_thumbprint.strip.empty?
+          if cert_thumbprint.nil? || cert_thumbprint.empty? || cert_thumbprint.strip.empty?
             raise ArgumentError, "Invalid certificate thumbprint."
           end
         end
@@ -82,7 +82,7 @@ module Win32
         # ROOT -> Root certificates.
         # SPC -> Software Publisher Certificate.
         def valid_store_name
-          %w{MY CA ROOT AUTHROOT DISALLOWED SPC TRUST TRUSTEDPEOPLE TRUSTEDPUBLISHER CLIENTAUTHISSUER TRUSTEDDEVICES SMARTCARDROOT WEBHOSTING REMOTE\ DESKTOP}
+          ["MY", "CA", "ROOT", "AUTHROOT", "DISALLOWED", "SPC", "TRUST", "TRUSTEDPEOPLE", "TRUSTEDPUBLISHER", "CLIENTAUTHISSUER", "TRUSTEDDEVICES", "SMARTCARDROOT", "WEBHOSTING", "REMOTE DESKTOP"]
         end
       end
     end

data/lib/win32/certstore/mixin/helper.rb

@@ -21,18 +21,21 @@ module Win32
   class Certstore
     module Mixin
       module Helper
-        # PSCommand to search certificate from thumbprint and convert in pem
-        def cert_ps_cmd(thumbprint, store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+        def cert_ps_cmd(thumbprint, store_location: "LocalMachine", store_name: "My")
+          # the PowerShell block below uses a "Here-String" - it is explicitly formatted against the left margin.
           <<-EOH
+            $cert = Get-ChildItem Cert:\\#{store_location}\\#{store_name} -Recurse | Where-Object { $_.Thumbprint -eq "#{thumbprint}" }
+
+            $certdata = [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
             $content = $null
-            $cert = Get-ChildItem Cert:\\'#{store_location}'\\'#{store_name}' -Recurse | Where { $_.Thumbprint -eq '#{thumbprint}' }
-            if($cert -ne $null)
+            if($null -ne $cert)
             {
-            $content = @(
-              '-----BEGIN CERTIFICATE-----'
-              [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
-              '-----END CERTIFICATE-----'
-            )
+              $content =
+@"
+-----BEGIN CERTIFICATE-----
+$($certdata)
+-----END CERTIFICATE-----
+"@
             }
             $content
           EOH

data/lib/win32/certstore/mixin/string.rb

@@ -36,14 +36,12 @@ module Win32
           ustring += "\000\000" if ustring.length == 0 || ustring[-1].chr != "\000"
 
           # encode it all as UTF-16LE AKA Windows Wide Character AKA Windows Unicode
-          ustring = begin
-            if ustring.respond_to?(:encode)
-              ustring.encode("UTF-16LE")
-            else
-              require "iconv"
-              Iconv.conv("UTF-16LE", "UTF-8", ustring)
-            end
-          end
+          ustring = if ustring.respond_to?(:encode)
+                      ustring.encode("UTF-16LE")
+                    else
+                      require "iconv"
+                      Iconv.conv("UTF-16LE", "UTF-8", ustring)
+                    end
           ustring
         end
 
@@ -53,14 +51,12 @@ module Win32
           wstring = wstring.force_encoding("UTF-16LE") if wstring.respond_to?(:force_encoding)
 
           # encode it all as UTF-8
-          wstring = begin
-            if wstring.respond_to?(:encode)
-              wstring.encode("UTF-8")
-            else
-              require "iconv"
-              Iconv.conv("UTF-8", "UTF-16LE", wstring)
-            end
-          end
+          wstring = if wstring.respond_to?(:encode)
+                      wstring.encode("UTF-8")
+                    else
+                      require "iconv"
+                      Iconv.conv("UTF-8", "UTF-16LE", wstring)
+                    end
           # remove trailing CRLF and NULL characters
           wstring.strip!
           wstring

data/lib/win32/certstore/store_base.rb

@@ -17,20 +17,25 @@
 
 require_relative "mixin/crypto"
 require_relative "mixin/string"
-require_relative "mixin/shell_exec"
 require_relative "mixin/unicode"
 require "openssl" unless defined?(OpenSSL)
 require "json" unless defined?(JSON)
 
+begin
+  require "chef-powershell"
+rescue LoadError
+  puts "Not loading powershell_exec during testing"
+end
+
 module Win32
   class Certstore
     module StoreBase
       include Win32::Certstore::Mixin::Crypto
       include Win32::Certstore::Mixin::Assertions
       include Win32::Certstore::Mixin::String
-      include Win32::Certstore::Mixin::ShellExec
       include Win32::Certstore::Mixin::Unicode
       include Win32::Certstore::Mixin::Helper
+      include ChefPowerShell::ChefPowerShellModule::PowerShellExec
 
       # Adding new certification in open certificate and return boolean
       # store_handler => Open certificate store handler
@@ -92,9 +97,8 @@ module Win32
         thumbprint = update_thumbprint(certificate_thumbprint)
         cert_pem = get_cert_pem(thumbprint)
         cert_pem = format_pem(cert_pem)
-        unless cert_pem.empty?
-          build_openssl_obj(cert_pem)
-        end
+        verify_certificate(cert_pem)
+        build_openssl_obj(cert_pem)
       end
 
       # Listing certificate of open certstore and return list in json
@@ -121,6 +125,7 @@ module Win32
       def cert_delete(store_handler, certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
+
         cert_delete_flag = false
         begin
           cert_args = cert_find_args(store_handler, thumbprint)
@@ -141,6 +146,7 @@ module Win32
       def cert_validate(certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
+
         cert_pem = get_cert_pem(thumbprint)
         cert_pem = format_pem(cert_pem)
         verify_certificate(cert_pem)
@@ -167,6 +173,26 @@ module Win32
         certificate_list
       end
 
+      # how can I find a cert if I don't have the thumbprint? This should be replaced by a call to CertFindCertificateInStore
+      def cert_lookup_by_token(search_token, store_name: @store_name, store_location: @store_location, timeout: -1)
+        raise ArgumentError, "Invalid search token" if !search_token || search_token.strip.empty?
+
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE || store_location == 131072
+                            "LocalMachine"
+                          else
+                            "CurrentUser"
+                          end
+        powershell_cmd = <<~EOH
+            $result = Get-ChildItem -Path Cert:\\#{converted_store}\\#{store_name} | Where-Object { $_.Subject -match "#{search_token.strip}" } | Select-Object Thumbprint
+            return $result[0].Thumbprint
+        EOH
+
+        powershell_exec!(powershell_cmd, :powershell, timeout: timeout).result
+
+      rescue ChefPowerShell::PowerShellExceptions::PowerShellCommandFailed
+        raise ArgumentError, "Certificate not found while looking for certificate : #{search_token} in store : #{store_name} at this location : #{store_location}"
+      end
+
       # To close and destroy pointer of open certificate store handler
       def close_cert_store(certstore_handler = @certstore_handler)
         closed = CertCloseStore(certstore_handler, CERT_CLOSE_STORE_FORCE_FLAG)
@@ -190,6 +216,11 @@ module Win32
         [certstore_handler, cert_context, CERT_STORE_ADD_REPLACE_EXISTING, nil]
       end
 
+      # Remove extra space and : from thumbprint
+      def update_thumbprint(certificate_thumbprint)
+        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, "")
+      end
+
       # Match certificate CN exist in cert_rdn
       def is_cn_match?(cert_rdn, certificate_name)
         cert_rdn.read_wstring.match(/(^|\W)#{certificate_name}($|\W)/i)
@@ -212,14 +243,9 @@ module Win32
         [pcert_context, search_type, CERT_NAME_ISSUER_FLAG, nil, cert_name, 1024]
       end
 
-      # Remove extra space and : from thumbprint
-      def update_thumbprint(certificate_thumbprint)
-        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, "")
-      end
-
       # Verify OpenSSL::X509::Certificate object
       def verify_certificate(cert_pem)
-        return "Certificate not found" if cert_pem.empty?
+        raise ArgumentError, "Certificate not found" if cert_pem.empty?
 
         valid_duration?(build_openssl_obj(cert_pem))
       end
@@ -229,16 +255,17 @@ module Win32
         FFI::MemoryPointer.from_string(cert_obj.to_der)
       end
 
-      # Get certificate pem
-      def get_cert_pem(thumbprint)
-        converted_store = if @store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE
+      # Get certificate pem.
+      def get_cert_pem(thumbprint, store_name: @store_name, store_location: @store_location, timeout: -1)
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE || store_location == 131072
                             "LocalMachine"
                           else
                             "CurrentUser"
                           end
-        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_name, store_location: converted_store))
-        get_data.stdout
-        # get_data.result
+        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_location: converted_store, store_name: store_name), :powershell, timeout: timeout)
+        get_data.result
+      rescue ChefPowerShell::PowerShellExceptions::PowerShellCommandFailed
+        raise ArgumentError, "PowerShell threw an error retreiving the certificate. You asked for a cert with this thumbprint : #{thumbprint}, located in this store : #{store_name}, at this location : #{store_location}"
       end
 
       # Format pem

data/lib/win32/certstore/version.rb

@@ -1,6 +1,6 @@
 module Win32
   class Certstore
-    VERSION = "0.5.3".freeze
+    VERSION = "0.6.10".freeze
     MAJOR, MINOR, TINY = VERSION.split(".")
   end
 end

data/lib/win32/certstore.rb

@@ -29,23 +29,23 @@ module Win32
     include Win32::Certstore::Mixin::String
     include Win32::Certstore::StoreBase
 
-    attr_accessor :store_name
+    attr_accessor :store_name, :store_location
 
     # Initializes a new instance of a certificate store.
     # takes 2 parameters - the store name (My, Root, etc) and the location (CurrentUser or LocalMachine), it defaults to LocalMachine for backwards compatibility
-    def initialize(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+    def initialize(store_name, store_location)
       @store_name = store_name
       @store_location = store_location
-      @certstore_handler = open(store_name, store_location: store_location)
+      @certstore_handler = open(store_name, store_location)
     end
 
     # To open given certificate store
     def self.open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
       validate_store(store_name)
       if block_given?
-        yield new(store_name, store_location: store_location)
+        yield new(store_name, store_location)
       else
-        new(store_name, store_location: store_location)
+        new(store_name, store_location)
       end
     end
 
@@ -78,6 +78,17 @@ module Win32
       cert_get(certificate_thumbprint)
     end
 
+    # Return `OpenSSL::X509` certificate object if present otherwise raise a "Certificate not found!" error
+    # @param request [thumbprint<string>] of certificate
+    # @return [Object] of certificates in OpenSSL::X509 format
+    def get!(certificate_thumbprint)
+      cert_pem = cert_get(certificate_thumbprint)
+
+      raise ArgumentError, "Unable to retrieve the certificate" if cert_pem.empty?
+
+      cert_pem
+    end
+
     # Returns all the certificates in a store
     # @param [nil]
     # @return [Array] array of certificates list
@@ -99,11 +110,21 @@ module Win32
       cert_search(certstore_handler, search_token)
     end
 
+    def get_thumbprint(search_token)
+      cert_lookup_by_token(search_token)
+    end
+
     # Validates a certificate in a certificate store on the basis of time validity
     # @param request[thumbprint<string>] of certificate
     # @return [true, false] only true or false
     def valid?(certificate_thumbprint)
-      cert_validate(certificate_thumbprint)
+      cert_validate(certificate_thumbprint).yield_self do |x|
+        if x.is_a?(TrueClass) || x.is_a?(FalseClass)
+          x
+        else
+          false
+        end
+      end
     end
 
     # To close and destroy pointer of open certificate store handler
@@ -122,7 +143,7 @@ module Win32
 
     # To open certstore and return open certificate store pointer
 
-    def open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+    def open(store_name, store_location)
       certstore_handler = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, nil, store_location, wstring(store_name))
       unless certstore_handler
         last_error = FFI::LastError.error

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: win32-certstore
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.6.10
 platform: ruby
 authors:
 - Chef Software
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-01 00:00:00.000000000 Z
+date: 2022-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -39,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: mixlib-shellout
+  name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,19 +53,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: ffi
+  name: chef-powershell
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.12
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.12
 description: 
 email:
 - oss@chef.io
@@ -79,7 +79,6 @@ files:
 - lib/win32/certstore/mixin/assertions.rb
 - lib/win32/certstore/mixin/crypto.rb
 - lib/win32/certstore/mixin/helper.rb
-- lib/win32/certstore/mixin/shell_exec.rb
 - lib/win32/certstore/mixin/string.rb
 - lib/win32/certstore/mixin/unicode.rb
 - lib/win32/certstore/store_base.rb

data/lib/win32/certstore/mixin/shell_exec.rb

@@ -1,105 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) 2017 Chef Software, Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require "mixlib/shellout" unless defined?(Mixlib::ShellOut)
-
-module Win32
-  class Certstore
-    module Mixin
-      module ShellExec
-        def shell_out_command(*command_args)
-          cmd = Mixlib::ShellOut.new(*command_args)
-          cmd.live_stream
-          cmd.run_command
-          if cmd.error!
-            raise Mixlib::ShellOut::ShellCommandFailed, cmd.error!
-          end
-
-          cmd
-        end
-
-        # Run a command under powershell with the same API as shell_out.  The
-        # options hash is extended to take an "architecture" flag which
-        # can be set to :i386 or :x86_64 to force the windows architecture.
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_exec(*command_args)
-          script = command_args.first
-          options = command_args.last.is_a?(Hash) ? command_args.last : nil
-
-          run_command_with_os_architecture(script, options)
-        end
-
-        # Run a command under powershell with the same API as shell_out!
-        # (raises exceptions on errors)
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_exec!(*command_args)
-          cmd = powershell_exec(*command_args)
-          cmd.error!
-          cmd
-        end
-
-        private
-
-        # Helper function to run shell_out and wrap it with the correct
-        # flags to possibly disable WOW64 redirection (which we often need
-        # because chef-client runs as a 32-bit app on 64-bit windows).
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def run_command_with_os_architecture(script, options)
-          options ||= {}
-          options = options.dup
-
-          shell_out_command(
-            build_powershell_command(script),
-            options
-          )
-        end
-
-        # Helper to build a powershell command around the script to run.
-        #
-        # @param script [String] script to run
-        # @return [String] powershell command to execute
-        def build_powershell_command(script)
-          flags = [
-            # Hides the copyright banner at startup.
-            "-NoLogo",
-            # Does not present an interactive prompt to the user.
-            "-NonInteractive",
-            # Does not load the Windows PowerShell profile.
-            "-NoProfile",
-            # always set the ExecutionPolicy flag
-            # see http://technet.microsoft.com/en-us/library/ee176961.aspx
-            "-ExecutionPolicy Unrestricted",
-            # Powershell will hang if STDIN is redirected
-            # http://connect.microsoft.com/PowerShell/feedback/details/572313/powershell-exe-can-hang-if-stdin-is-redirected
-            "-InputFormat None",
-          ]
-
-          "powershell.exe #{flags.join(" ")} -Command \"#{script.gsub('"', '\"')}\""
-        end
-      end
-    end
-  end
-end