win32-certstore 0.6.1 → 0.6.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63c8c4f2aaa89a78a8123d98079710df407a3930b0f4b5a6ef3ff2232c11ba05
-  data.tar.gz: 8641dfff337fe7b702783becfcfbfbba6b2a66af189eeb511897c2f0cb5e7d6c
+  metadata.gz: 809701f00c09da8b2bbcf78e30eb51d03e939d33ea7a19b17d45ce51c078fdd4
+  data.tar.gz: dbb26074a01b06639bbc1bae73b45f1937c54035ad57d56bbecc64a3fb377bb6
 SHA512:
-  metadata.gz: 4f255e439feee57642565bd9fca87f19140b5f95c38eed0a1e8621326749dd5274c0b72c8211bddfbec265820bff4b8d2ad9460ebbf5c30fa1d6607a7e81f204
-  data.tar.gz: 4efd363fb264fc8501f0f9e105e79f7537319838aafc0cb751387a73360386186d326dedd51522907aa131fe74c1b3ba07bd7b3f6f16a1283f5f59203d96a6a7
+  metadata.gz: 9ba534e93f989c33a735ea57f525b5357f25cbd0f7c9d2ad0bfe770a0d59f49973dde9669cfb878de35853a81d4af7257d39348d3406879273cdf338b108acd7
+  data.tar.gz: c16cd054c55671396b73d0d41450d89e54dd7157a7b21ea7df0dedadea67c5f376ef45b9e6a70bfaf4eb9ceadfaa520399caa0ee49fb722afec3fcef6e39d405

data/lib/win32/certstore/mixin/assertions.rb

@@ -37,13 +37,13 @@ module Win32
         # Validate certificate Object
         def validate_certificate_obj(cert_obj)
           unless cert_obj.class == OpenSSL::X509::Certificate
-            raise ArgumentError, "Invalid Certificate object."
+            raise ArgumentError, "Invalid Certificate object. This is not a properly formatted x509 object"
           end
         end
 
         # Validate thumbprint
         def validate_thumbprint(cert_thumbprint)
-          if cert_thumbprint.nil? || cert_thumbprint.strip.empty?
+          if cert_thumbprint.nil? || cert_thumbprint.empty? || cert_thumbprint.strip.empty?
             raise ArgumentError, "Invalid certificate thumbprint."
           end
         end
@@ -82,7 +82,7 @@ module Win32
         # ROOT -> Root certificates.
         # SPC -> Software Publisher Certificate.
         def valid_store_name
-          %w{MY CA ROOT AUTHROOT DISALLOWED SPC TRUST TRUSTEDPEOPLE TRUSTEDPUBLISHER CLIENTAUTHISSUER TRUSTEDDEVICES SMARTCARDROOT WEBHOSTING REMOTE\ DESKTOP}
+          ["MY", "CA", "ROOT", "AUTHROOT", "DISALLOWED", "SPC", "TRUST", "TRUSTEDPEOPLE", "TRUSTEDPUBLISHER", "CLIENTAUTHISSUER", "TRUSTEDDEVICES", "SMARTCARDROOT", "WEBHOSTING", "REMOTE DESKTOP"]
         end
       end
     end

data/lib/win32/certstore/mixin/helper.rb

@@ -21,52 +21,23 @@ module Win32
   class Certstore
     module Mixin
       module Helper
-        # PSCommand to search certificate from thumbprint and either turn it into a pem or return a path to a pfx object
-        def cert_ps_cmd(thumbprint, store_location: "LocalMachine", export_password: "1234", output_path: "")
+        def cert_ps_cmd(thumbprint, store_location: "LocalMachine", store_name: "My")
+          # the PowerShell block below uses a "Here-String" - it is explicitly formatted against the left margin.
           <<-EOH
-            $cert = Get-ChildItem Cert:\'#{store_location}' -Recurse | Where { $_.Thumbprint -eq '#{thumbprint}' }
+            $cert = Get-ChildItem Cert:\\#{store_location}\\#{store_name} -Recurse | Where-Object { $_.Thumbprint -eq "#{thumbprint}" }
 
-            # The function and the code below test to see if a) the cert has a private key and b) it has a
-            # Enhanced Usage of Client Auth. Those 2 attributes would mean this is a pfx-able object
-            function test_cert_values{
-              $usagelist = ($cert).EnhancedKeyUsageList
-              foreach($use in $usagelist){
-                if($use.FriendlyName -like "Client Authentication" ){
-                    return $true
-                }
-              }
-              return $false
-            }
-
-            $result = test_cert_values
-
-            $output_path = "#{output_path}"
-            if([string]::IsNullOrEmpty($output_path)){
-              $temproot = [System.IO.Path]::GetTempPath()
-            }
-            else{
-              $temproot = $output_path
-            }
-
-            if((($cert).HasPrivateKey) -and ($result -eq $true)){
-              $file_name = '#{thumbprint}'
-              $file_path = $(Join-Path -Path $temproot -ChildPath "$file_name.pfx")
-              $mypwd = ConvertTo-SecureString -String '#{export_password}' -Force -AsPlainText
-              $cert | Export-PfxCertificate -FilePath $file_path -Password $mypwd | Out-Null
-              $file_path
-            }
-            else {
-              $content = $null
-              if($cert -ne $null)
-              {
-              $content = @(
-                '-----BEGIN CERTIFICATE-----'
-                [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
-                '-----END CERTIFICATE-----'
-              )
-              }
-              $content
+            $certdata = [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
+            $content = $null
+            if($null -ne $cert)
+            {
+              $content =
+@"
+-----BEGIN CERTIFICATE-----
+$($certdata)
+-----END CERTIFICATE-----
+"@
             }
+            $content
           EOH
         end
 

data/lib/win32/certstore/mixin/string.rb

@@ -36,14 +36,12 @@ module Win32
           ustring += "\000\000" if ustring.length == 0 || ustring[-1].chr != "\000"
 
           # encode it all as UTF-16LE AKA Windows Wide Character AKA Windows Unicode
-          ustring = begin
-            if ustring.respond_to?(:encode)
-              ustring.encode("UTF-16LE")
-            else
-              require "iconv"
-              Iconv.conv("UTF-16LE", "UTF-8", ustring)
-            end
-          end
+          ustring = if ustring.respond_to?(:encode)
+                      ustring.encode("UTF-16LE")
+                    else
+                      require "iconv"
+                      Iconv.conv("UTF-16LE", "UTF-8", ustring)
+                    end
           ustring
         end
 
@@ -53,14 +51,12 @@ module Win32
           wstring = wstring.force_encoding("UTF-16LE") if wstring.respond_to?(:force_encoding)
 
           # encode it all as UTF-8
-          wstring = begin
-            if wstring.respond_to?(:encode)
-              wstring.encode("UTF-8")
-            else
-              require "iconv"
-              Iconv.conv("UTF-8", "UTF-16LE", wstring)
-            end
-          end
+          wstring = if wstring.respond_to?(:encode)
+                      wstring.encode("UTF-8")
+                    else
+                      require "iconv"
+                      Iconv.conv("UTF-8", "UTF-16LE", wstring)
+                    end
           # remove trailing CRLF and NULL characters
           wstring.strip!
           wstring

data/lib/win32/certstore/store_base.rb

@@ -17,20 +17,25 @@
 
 require_relative "mixin/crypto"
 require_relative "mixin/string"
-require_relative "mixin/shell_exec"
 require_relative "mixin/unicode"
 require "openssl" unless defined?(OpenSSL)
 require "json" unless defined?(JSON)
 
+begin
+  require "chef-powershell"
+rescue LoadError
+  puts "Not loading powershell_exec during testing"
+end
+
 module Win32
   class Certstore
     module StoreBase
       include Win32::Certstore::Mixin::Crypto
       include Win32::Certstore::Mixin::Assertions
       include Win32::Certstore::Mixin::String
-      include Win32::Certstore::Mixin::ShellExec
       include Win32::Certstore::Mixin::Unicode
       include Win32::Certstore::Mixin::Helper
+      include ChefPowerShell::ChefPowerShellModule::PowerShellExec
 
       # Adding new certification in open certificate and return boolean
       # store_handler => Open certificate store handler
@@ -92,9 +97,8 @@ module Win32
         thumbprint = update_thumbprint(certificate_thumbprint)
         cert_pem = get_cert_pem(thumbprint)
         cert_pem = format_pem(cert_pem)
-        unless cert_pem.empty?
-          build_openssl_obj(cert_pem)
-        end
+        verify_certificate(cert_pem)
+        build_openssl_obj(cert_pem)
       end
 
       # Listing certificate of open certstore and return list in json
@@ -121,6 +125,7 @@ module Win32
       def cert_delete(store_handler, certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
+
         cert_delete_flag = false
         begin
           cert_args = cert_find_args(store_handler, thumbprint)
@@ -141,6 +146,7 @@ module Win32
       def cert_validate(certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
+
         cert_pem = get_cert_pem(thumbprint)
         cert_pem = format_pem(cert_pem)
         verify_certificate(cert_pem)
@@ -167,6 +173,26 @@ module Win32
         certificate_list
       end
 
+      # how can I find a cert if I don't have the thumbprint? This should be replaced by a call to CertFindCertificateInStore
+      def cert_lookup_by_token(search_token, store_name: @store_name, store_location: @store_location, timeout: -1)
+        raise ArgumentError, "Invalid search token" if !search_token || search_token.strip.empty?
+
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE || store_location == 131072
+                            "LocalMachine"
+                          else
+                            "CurrentUser"
+                          end
+        powershell_cmd = <<~EOH
+            $result = Get-ChildItem -Path Cert:\\#{converted_store}\\#{store_name} | Where-Object { $_.Subject -match "#{search_token.strip}" } | Select-Object Thumbprint
+            return $result[0].Thumbprint
+        EOH
+
+        powershell_exec!(powershell_cmd, :powershell, timeout: timeout).result
+
+      rescue ChefPowerShell::PowerShellExceptions::PowerShellCommandFailed
+        return "Certificate not found"
+      end
+
       # To close and destroy pointer of open certificate store handler
       def close_cert_store(certstore_handler = @certstore_handler)
         closed = CertCloseStore(certstore_handler, CERT_CLOSE_STORE_FORCE_FLAG)
@@ -190,6 +216,11 @@ module Win32
         [certstore_handler, cert_context, CERT_STORE_ADD_REPLACE_EXISTING, nil]
       end
 
+      # Remove extra space and : from thumbprint
+      def update_thumbprint(certificate_thumbprint)
+        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, "")
+      end
+
       # Match certificate CN exist in cert_rdn
       def is_cn_match?(cert_rdn, certificate_name)
         cert_rdn.read_wstring.match(/(^|\W)#{certificate_name}($|\W)/i)
@@ -212,14 +243,9 @@ module Win32
         [pcert_context, search_type, CERT_NAME_ISSUER_FLAG, nil, cert_name, 1024]
       end
 
-      # Remove extra space and : from thumbprint
-      def update_thumbprint(certificate_thumbprint)
-        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, "")
-      end
-
       # Verify OpenSSL::X509::Certificate object
       def verify_certificate(cert_pem)
-        return "Certificate not found" if cert_pem.empty?
+        raise ArgumentError, "Certificate not found" if cert_pem.empty?
 
         valid_duration?(build_openssl_obj(cert_pem))
       end
@@ -229,26 +255,17 @@ module Win32
         FFI::MemoryPointer.from_string(cert_obj.to_der)
       end
 
-      # Get certificate pem
-      def get_cert_pem(thumbprint)
-        converted_store = if @store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE
-                            "LocalMachine"
-                          else
-                            "CurrentUser"
-                          end
-        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_location: converted_store))
-        get_data.stdout
-      end
-
-      # Get PFX object
-      def get_cert_pfx(thumbprint, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE, export_password:, output_path: )
-        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE
+      # Get certificate pem.
+      def get_cert_pem(thumbprint, store_name: @store_name, store_location: @store_location, timeout: -1)
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE || store_location == 131072
                             "LocalMachine"
                           else
                             "CurrentUser"
                           end
-        get_data = powershell_exec!(cert_ps_cmd(thumbprint, export_password: export_password, store_location: converted_store, output_path: output_path))
-        get_data.stdout
+        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_location: converted_store, store_name: store_name), :powershell, timeout: timeout)
+        get_data.result
+      rescue ChefPowerShell::PowerShellExceptions::PowerShellCommandFailed
+        raise ArgumentError, "PowerShell threw an error retreiving the certificate. You asked for a cert with this thumbprint : #{thumbprint}, located in this store : #{store_name}, at this location : #{store_location}"
       end
 
       # Format pem

data/lib/win32/certstore/version.rb

@@ -1,6 +1,6 @@
 module Win32
   class Certstore
-    VERSION = "0.6.1".freeze
+    VERSION = "0.6.11".freeze
     MAJOR, MINOR, TINY = VERSION.split(".")
   end
 end

data/lib/win32/certstore.rb

@@ -29,23 +29,23 @@ module Win32
     include Win32::Certstore::Mixin::String
     include Win32::Certstore::StoreBase
 
-    attr_accessor :store_name
+    attr_accessor :store_name, :store_location
 
     # Initializes a new instance of a certificate store.
     # takes 2 parameters - the store name (My, Root, etc) and the location (CurrentUser or LocalMachine), it defaults to LocalMachine for backwards compatibility
-    def initialize(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+    def initialize(store_name, store_location)
       @store_name = store_name
       @store_location = store_location
-      @certstore_handler = open(store_name, store_location: store_location)
+      @certstore_handler = open(store_name, store_location)
     end
 
     # To open given certificate store
     def self.open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
       validate_store(store_name)
       if block_given?
-        yield new(store_name, store_location: store_location)
+        yield new(store_name, store_location)
       else
-        new(store_name, store_location: store_location)
+        new(store_name, store_location)
       end
     end
 
@@ -78,16 +78,15 @@ module Win32
       cert_get(certificate_thumbprint)
     end
 
-    # Returns a filepath to a PKCS12 container. The filepath is in a temporary folder so normal housekeeping by the OS should clear it.
-    # However, you should delete it yourself anyway.
-    # @param certificate_thumbprint [String] Is the thumbprint of the pfx blob you want to capture
-    # @param store_location: [String] A location in the Cert store where the pfx is located, typically 'LocalMachine'
-    # @param export_password: [String] The password to export with. P12 objects are an encrypted container that have a private key in \
-    # them and a password is required to export them.
-    # @param output_path: [String] The path where the you want P12 exported to.
-    # @return [Object] of certificate set in PKSC12 format at the path specified above
-    def get_pfx(certificate_thumbprint, store_location: @store_location, export_password:, output_path: "")
-      get_cert_pfx(certificate_thumbprint, store_location: store_location, export_password: export_password, output_path: output_path)
+    # Return `OpenSSL::X509` certificate object if present otherwise raise a "Certificate not found!" error
+    # @param request [thumbprint<string>] of certificate
+    # @return [Object] of certificates in OpenSSL::X509 format
+    def get!(certificate_thumbprint)
+      cert_pem = cert_get(certificate_thumbprint)
+
+      raise ArgumentError, "Unable to retrieve the certificate" if cert_pem.empty?
+
+      cert_pem
     end
 
     # Returns all the certificates in a store
@@ -111,11 +110,21 @@ module Win32
       cert_search(certstore_handler, search_token)
     end
 
+    def get_thumbprint(search_token)
+      cert_lookup_by_token(search_token)
+    end
+
     # Validates a certificate in a certificate store on the basis of time validity
     # @param request[thumbprint<string>] of certificate
     # @return [true, false] only true or false
     def valid?(certificate_thumbprint)
-      cert_validate(certificate_thumbprint)
+      cert_validate(certificate_thumbprint).yield_self do |x|
+        if x.is_a?(TrueClass) || x.is_a?(FalseClass)
+          x
+        else
+          false
+        end
+      end
     end
 
     # To close and destroy pointer of open certificate store handler
@@ -134,7 +143,7 @@ module Win32
 
     # To open certstore and return open certificate store pointer
 
-    def open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+    def open(store_name, store_location)
       certstore_handler = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, nil, store_location, wstring(store_name))
       unless certstore_handler
         last_error = FFI::LastError.error

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: win32-certstore
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.11
 platform: ruby
 authors:
 - Chef Software
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-04 00:00:00.000000000 Z
+date: 2022-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -39,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: mixlib-shellout
+  name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,19 +53,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: ffi
+  name: chef-powershell
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.12
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.12
 description: 
 email:
 - oss@chef.io
@@ -79,7 +79,6 @@ files:
 - lib/win32/certstore/mixin/assertions.rb
 - lib/win32/certstore/mixin/crypto.rb
 - lib/win32/certstore/mixin/helper.rb
-- lib/win32/certstore/mixin/shell_exec.rb
 - lib/win32/certstore/mixin/string.rb
 - lib/win32/certstore/mixin/unicode.rb
 - lib/win32/certstore/store_base.rb

data/lib/win32/certstore/mixin/shell_exec.rb

@@ -1,105 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) 2017 Chef Software, Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require "mixlib/shellout" unless defined?(Mixlib::ShellOut)
-
-module Win32
-  class Certstore
-    module Mixin
-      module ShellExec
-        def shell_out_command(*command_args)
-          cmd = Mixlib::ShellOut.new(*command_args)
-          cmd.live_stream
-          cmd.run_command
-          if cmd.error!
-            raise Mixlib::ShellOut::ShellCommandFailed, cmd.error!
-          end
-
-          cmd
-        end
-
-        # Run a command under powershell with the same API as shell_out.  The
-        # options hash is extended to take an "architecture" flag which
-        # can be set to :i386 or :x86_64 to force the windows architecture.
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_exec(*command_args)
-          script = command_args.first
-          options = command_args.last.is_a?(Hash) ? command_args.last : nil
-
-          run_command_with_os_architecture(script, options)
-        end
-
-        # Run a command under powershell with the same API as shell_out!
-        # (raises exceptions on errors)
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_exec!(*command_args)
-          cmd = powershell_exec(*command_args)
-          cmd.error!
-          cmd
-        end
-
-        private
-
-        # Helper function to run shell_out and wrap it with the correct
-        # flags to possibly disable WOW64 redirection (which we often need
-        # because chef-client runs as a 32-bit app on 64-bit windows).
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def run_command_with_os_architecture(script, options)
-          options ||= {}
-          options = options.dup
-
-          shell_out_command(
-            build_powershell_command(script),
-            options
-          )
-        end
-
-        # Helper to build a powershell command around the script to run.
-        #
-        # @param script [String] script to run
-        # @return [String] powershell command to execute
-        def build_powershell_command(script)
-          flags = [
-            # Hides the copyright banner at startup.
-            "-NoLogo",
-            # Does not present an interactive prompt to the user.
-            "-NonInteractive",
-            # Does not load the Windows PowerShell profile.
-            "-NoProfile",
-            # always set the ExecutionPolicy flag
-            # see http://technet.microsoft.com/en-us/library/ee176961.aspx
-            "-ExecutionPolicy Unrestricted",
-            # Powershell will hang if STDIN is redirected
-            # http://connect.microsoft.com/PowerShell/feedback/details/572313/powershell-exe-can-hang-if-stdin-is-redirected
-            "-InputFormat None",
-          ]
-
-          "powershell.exe #{flags.join(" ")} -Command \"#{script.gsub('"', '\"')}\""
-        end
-      end
-    end
-  end
-end