win32-certstore 0.6.2 → 0.6.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e832ae077e8be7cd039393f84b74062e58dd331b1317cdcc2a1bb1f13109f176
-  data.tar.gz: 453bd4ad7e2d6a92d3935b0a4df4f241636b657256a39f1ac35bc81d2d34030b
+  metadata.gz: b4a48182fe9aada5c09a9e0205bc5a3a53fd1b50da8fa3a5abfd649adce8fac0
+  data.tar.gz: 2803b6ddc28e7575f2c9f3709c42e8509c42cef7c5b6ca9e85884dd51be14dd9
 SHA512:
-  metadata.gz: a3254affc58f8eb862a585b78cc5c5451c61db3398ef1de59ffcb6580755f5e24338c2a1caf16e89e46db4e8ee7c9f431a1c4372768cb7ff08bd76265d1b53da
-  data.tar.gz: bab7b27e4c0c6d780556a6410836283f6de31c64d559fb1b331b679c3d671b68673b6313f53560916e0a5c89f83fff658fd3335f965cfa3024b5066860393b3b
+  metadata.gz: b4569f5dcf1f73d12dd9d82515b2ee0f2d270488118c0c0f0b7f4f079ba7c65cc8dcf7e1321221c68f4465c4858195c752a78c19de3345e795b618ecab616e4f
+  data.tar.gz: c0d0e669883c027786d41eea3eea9b85c66bc7391675f63a60c8f5229115b73a2e617268a415d741d164a3621688c98902871d1eb764e4c07c2b5ef88a4f3aa8

data/lib/win32/certstore/mixin/assertions.rb

@@ -37,13 +37,13 @@ module Win32
         # Validate certificate Object
         def validate_certificate_obj(cert_obj)
           unless cert_obj.class == OpenSSL::X509::Certificate
-            raise ArgumentError, "Invalid Certificate object."
+            raise ArgumentError, "Invalid Certificate object. This is not a properly formatted x509 object"
           end
         end
 
         # Validate thumbprint
         def validate_thumbprint(cert_thumbprint)
-          if cert_thumbprint.nil? || cert_thumbprint.strip.empty?
+          if cert_thumbprint.nil? || cert_thumbprint.empty? || cert_thumbprint.strip.empty?
             raise ArgumentError, "Invalid certificate thumbprint."
           end
         end
@@ -82,7 +82,7 @@ module Win32
         # ROOT -> Root certificates.
         # SPC -> Software Publisher Certificate.
         def valid_store_name
-          %w{MY CA ROOT AUTHROOT DISALLOWED SPC TRUST TRUSTEDPEOPLE TRUSTEDPUBLISHER CLIENTAUTHISSUER TRUSTEDDEVICES SMARTCARDROOT WEBHOSTING REMOTE\ DESKTOP}
+          ["MY", "CA", "ROOT", "AUTHROOT", "DISALLOWED", "SPC", "TRUST", "TRUSTEDPEOPLE", "TRUSTEDPUBLISHER", "CLIENTAUTHISSUER", "TRUSTEDDEVICES", "SMARTCARDROOT", "WEBHOSTING", "REMOTE DESKTOP"]
         end
       end
     end

data/lib/win32/certstore/mixin/helper.rb

@@ -22,17 +22,20 @@ module Win32
     module Mixin
       module Helper
         def cert_ps_cmd(thumbprint, store_location: "LocalMachine", store_name: "My")
+          # the PowerShell block below uses a "Here-String" - it is explicitly formatted against the left margin.
           <<-EOH
-            $cert = Get-ChildItem Cert:\\#{store_location}\\#{store_name} -Recurse | Where { $_.Thumbprint -eq "#{thumbprint}" }
+            $cert = Get-ChildItem Cert:\\#{store_location}\\#{store_name} -Recurse | Where-Object { $_.Thumbprint -eq "#{thumbprint}" }
 
+            $certdata = [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
             $content = $null
             if($null -ne $cert)
             {
-              $content = @(
-                '-----BEGIN CERTIFICATE-----'
-                [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
-                '-----END CERTIFICATE-----'
-              )
+              $content =
+@"
+-----BEGIN CERTIFICATE-----
+$($certdata)
+-----END CERTIFICATE-----
+"@
             }
             $content
           EOH

data/lib/win32/certstore/store_base.rb

@@ -17,20 +17,25 @@
 
 require_relative "mixin/crypto"
 require_relative "mixin/string"
-require_relative "mixin/shell_exec"
 require_relative "mixin/unicode"
 require "openssl" unless defined?(OpenSSL)
 require "json" unless defined?(JSON)
 
+begin
+  require "chef-powershell"
+rescue LoadError
+  puts "Not loading powershell_exec during testing"
+end
+
 module Win32
   class Certstore
     module StoreBase
       include Win32::Certstore::Mixin::Crypto
       include Win32::Certstore::Mixin::Assertions
       include Win32::Certstore::Mixin::String
-      include Win32::Certstore::Mixin::ShellExec
       include Win32::Certstore::Mixin::Unicode
       include Win32::Certstore::Mixin::Helper
+      include ChefPowerShell::ChefPowerShellModule::PowerShellExec
 
       # Adding new certification in open certificate and return boolean
       # store_handler => Open certificate store handler
@@ -87,18 +92,13 @@ module Win32
 
       # Get certificate from open certificate store and return certificate object
       # certificate_thumbprint => thumbprint is a hash. which could be sha1 or md5.
-      def cert_get(certificate_thumbprint, store_name:, store_location:)
+      def cert_get(certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
-        cert_pem = get_cert_pem(thumbprint, store_name: store_name, store_location: store_location)
+        cert_pem = get_cert_pem(thumbprint)
         cert_pem = format_pem(cert_pem)
-        if cert_pem.empty?
-          raise ArgumentError, "Unable to retrieve the certificate"
-        end
-
-        unless cert_pem.empty?
-          build_openssl_obj(cert_pem)
-        end
+        verify_certificate(cert_pem)
+        build_openssl_obj(cert_pem)
       end
 
       # Listing certificate of open certstore and return list in json
@@ -125,6 +125,7 @@ module Win32
       def cert_delete(store_handler, certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
+
         cert_delete_flag = false
         begin
           cert_args = cert_find_args(store_handler, thumbprint)
@@ -142,12 +143,14 @@ module Win32
       # Verify certificate from open certificate store and return boolean or exceptions
       # store_handler => Open certificate store handler
       # certificate_thumbprint => thumbprint is a hash. which could be sha1 or md5.
-      def cert_validate(certificate_thumbprint, store_location:, store_name:)
+      def cert_validate(certificate_thumbprint)
         validate_thumbprint(certificate_thumbprint)
         thumbprint = update_thumbprint(certificate_thumbprint)
-        cert_pem = get_cert_pem(thumbprint, store_name: store_name, store_location: store_location)
+        cert_pem = get_cert_pem(thumbprint)
+        return cert_pem  if cert_pem == "Certificate Not Found"
         cert_pem = format_pem(cert_pem)
-        verify_certificate(cert_pem)
+        result = verify_certificate(cert_pem)
+        result == false ? "Certificate Has Expired" : result
       end
 
       # Search certificate from open certificate store and return list
@@ -171,6 +174,29 @@ module Win32
         certificate_list
       end
 
+      # how can I find a cert if I don't have the thumbprint? This should be replaced by a call to CertFindCertificateInStore
+      def cert_lookup_by_token(search_token, store_name: @store_name, store_location: @store_location, timeout: -1)
+        raise ArgumentError, "Invalid search token" if !search_token || search_token.strip.empty?
+
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE || store_location == 131072
+                            "LocalMachine"
+                          else
+                            "CurrentUser"
+                          end
+        powershell_cmd = <<~EOH
+            $result = Get-ChildItem -Path Cert:\\#{converted_store}\\#{store_name} | Where-Object { $_.Subject -match "#{search_token.strip}" } | Select-Object Thumbprint
+            if ([string]::IsNullOrEmpty($result)){
+              return "Certificate Not Found"
+            }
+            return $result[0].Thumbprint
+        EOH
+
+        powershell_exec!(powershell_cmd, :powershell, timeout: timeout).result
+
+      rescue ChefPowerShell::PowerShellExceptions::PowerShellCommandFailed
+        raise ArgumentError, "PowerShell threw an error retreiving the certificate. You asked for a cert with this Search Token : #{search_token}, located in this store : #{store_name}, at this location : #{store_location}"
+      end
+
       # To close and destroy pointer of open certificate store handler
       def close_cert_store(certstore_handler = @certstore_handler)
         closed = CertCloseStore(certstore_handler, CERT_CLOSE_STORE_FORCE_FLAG)
@@ -194,6 +220,11 @@ module Win32
         [certstore_handler, cert_context, CERT_STORE_ADD_REPLACE_EXISTING, nil]
       end
 
+      # Remove extra space and : from thumbprint
+      def update_thumbprint(certificate_thumbprint)
+        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, "")
+      end
+
       # Match certificate CN exist in cert_rdn
       def is_cn_match?(cert_rdn, certificate_name)
         cert_rdn.read_wstring.match(/(^|\W)#{certificate_name}($|\W)/i)
@@ -216,14 +247,9 @@ module Win32
         [pcert_context, search_type, CERT_NAME_ISSUER_FLAG, nil, cert_name, 1024]
       end
 
-      # Remove extra space and : from thumbprint
-      def update_thumbprint(certificate_thumbprint)
-        certificate_thumbprint.gsub(/[^A-Za-z0-9]/, "")
-      end
-
       # Verify OpenSSL::X509::Certificate object
       def verify_certificate(cert_pem)
-        return "Certificate not found" if cert_pem.empty?
+        raise ArgumentError, "Certificate not found" if cert_pem.empty?
 
         valid_duration?(build_openssl_obj(cert_pem))
       end
@@ -233,15 +259,17 @@ module Win32
         FFI::MemoryPointer.from_string(cert_obj.to_der)
       end
 
-      # Get certificate pem
-      def get_cert_pem(thumbprint, store_name:, store_location:)
-        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE
+      # Get certificate pem.
+      def get_cert_pem(thumbprint, store_name: @store_name, store_location: @store_location, timeout: -1)
+        converted_store = if store_location == CERT_SYSTEM_STORE_LOCAL_MACHINE || store_location == 131072
                             "LocalMachine"
                           else
                             "CurrentUser"
                           end
-        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_location: converted_store, store_name: store_name))
-        get_data.stdout
+        get_data = powershell_exec!(cert_ps_cmd(thumbprint, store_location: converted_store, store_name: store_name), :powershell, timeout: timeout)
+        get_data.result
+      rescue ChefPowerShell::PowerShellExceptions::PowerShellCommandFailed
+        raise ArgumentError, "PowerShell threw an error retreiving the certificate. You asked for a cert with this thumbprint : #{thumbprint}, located in this store : #{store_name}, at this location : #{store_location}"
       end
 
       # Format pem

data/lib/win32/certstore/version.rb

@@ -1,6 +1,6 @@
 module Win32
   class Certstore
-    VERSION = "0.6.2".freeze
+    VERSION = "0.6.12".freeze
     MAJOR, MINOR, TINY = VERSION.split(".")
   end
 end

data/lib/win32/certstore.rb

@@ -29,23 +29,23 @@ module Win32
     include Win32::Certstore::Mixin::String
     include Win32::Certstore::StoreBase
 
-    attr_accessor :store_name
+    attr_accessor :store_name, :store_location
 
     # Initializes a new instance of a certificate store.
     # takes 2 parameters - the store name (My, Root, etc) and the location (CurrentUser or LocalMachine), it defaults to LocalMachine for backwards compatibility
-    def initialize(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+    def initialize(store_name, store_location)
       @store_name = store_name
       @store_location = store_location
-      @certstore_handler = open(store_name, store_location: store_location)
+      @certstore_handler = open(store_name, store_location)
     end
 
     # To open given certificate store
     def self.open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
       validate_store(store_name)
       if block_given?
-        yield new(store_name, store_location: store_location)
+        yield new(store_name, store_location)
       else
-        new(store_name, store_location: store_location)
+        new(store_name, store_location)
       end
     end
 
@@ -74,8 +74,19 @@ module Win32
     # Return `OpenSSL::X509` certificate object
     # @param request [thumbprint<string>] of certificate
     # @return [Object] of certificates in OpenSSL::X509 format
-    def get(certificate_thumbprint, store_name: @store_name, store_location: @store_location)
-      cert_get(certificate_thumbprint, store_name: store_name, store_location: store_location)
+    def get(certificate_thumbprint)
+      cert_get(certificate_thumbprint)
+    end
+
+    # Return `OpenSSL::X509` certificate object if present otherwise raise a "Certificate not found!" error
+    # @param request [thumbprint<string>] of certificate
+    # @return [Object] of certificates in OpenSSL::X509 format
+    def get!(certificate_thumbprint)
+      cert_pem = cert_get(certificate_thumbprint)
+
+      raise ArgumentError, "Unable to retrieve the certificate" if cert_pem.empty? || cert_pem == "Certificate Not Found"
+
+      cert_pem
     end
 
     # Returns all the certificates in a store
@@ -99,11 +110,15 @@ module Win32
       cert_search(certstore_handler, search_token)
     end
 
+    def get_thumbprint(search_token)
+      cert_lookup_by_token(search_token)
+    end
+
     # Validates a certificate in a certificate store on the basis of time validity
     # @param request[thumbprint<string>] of certificate
     # @return [true, false] only true or false
-    def valid?(certificate_thumbprint, store_location: "", store_name: "")
-      cert_validate(certificate_thumbprint, store_location: store_location, store_name: store_name)
+    def valid?(certificate_thumbprint)
+      cert_validate(certificate_thumbprint)
     end
 
     # To close and destroy pointer of open certificate store handler
@@ -122,7 +137,7 @@ module Win32
 
     # To open certstore and return open certificate store pointer
 
-    def open(store_name, store_location: CERT_SYSTEM_STORE_LOCAL_MACHINE)
+    def open(store_name, store_location)
       certstore_handler = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, nil, store_location, wstring(store_name))
       unless certstore_handler
         last_error = FFI::LastError.error

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: win32-certstore
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.6.12
 platform: ruby
 authors:
 - Chef Software
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-15 00:00:00.000000000 Z
+date: 2022-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -39,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: mixlib-shellout
+  name: ffi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,19 +53,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: ffi
+  name: chef-powershell
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.12
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.0.12
 description: 
 email:
 - oss@chef.io
@@ -79,7 +79,6 @@ files:
 - lib/win32/certstore/mixin/assertions.rb
 - lib/win32/certstore/mixin/crypto.rb
 - lib/win32/certstore/mixin/helper.rb
-- lib/win32/certstore/mixin/shell_exec.rb
 - lib/win32/certstore/mixin/string.rb
 - lib/win32/certstore/mixin/unicode.rb
 - lib/win32/certstore/store_base.rb

data/lib/win32/certstore/mixin/shell_exec.rb

@@ -1,105 +0,0 @@
-#
-# Author:: Daniel DeLeo (<dan@chef.io>)
-# Copyright:: Copyright (c) 2017 Chef Software, Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require "mixlib/shellout" unless defined?(Mixlib::ShellOut)
-
-module Win32
-  class Certstore
-    module Mixin
-      module ShellExec
-        def shell_out_command(*command_args)
-          cmd = Mixlib::ShellOut.new(*command_args)
-          cmd.live_stream
-          cmd.run_command
-          if cmd.error!
-            raise Mixlib::ShellOut::ShellCommandFailed, cmd.error!
-          end
-
-          cmd
-        end
-
-        # Run a command under powershell with the same API as shell_out.  The
-        # options hash is extended to take an "architecture" flag which
-        # can be set to :i386 or :x86_64 to force the windows architecture.
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_exec(*command_args)
-          script = command_args.first
-          options = command_args.last.is_a?(Hash) ? command_args.last : nil
-
-          run_command_with_os_architecture(script, options)
-        end
-
-        # Run a command under powershell with the same API as shell_out!
-        # (raises exceptions on errors)
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def powershell_exec!(*command_args)
-          cmd = powershell_exec(*command_args)
-          cmd.error!
-          cmd
-        end
-
-        private
-
-        # Helper function to run shell_out and wrap it with the correct
-        # flags to possibly disable WOW64 redirection (which we often need
-        # because chef-client runs as a 32-bit app on 64-bit windows).
-        #
-        # @param script [String] script to run
-        # @param options [Hash] options hash
-        # @return [Mixlib::Shellout] mixlib-shellout object
-        def run_command_with_os_architecture(script, options)
-          options ||= {}
-          options = options.dup
-
-          shell_out_command(
-            build_powershell_command(script),
-            options
-          )
-        end
-
-        # Helper to build a powershell command around the script to run.
-        #
-        # @param script [String] script to run
-        # @return [String] powershell command to execute
-        def build_powershell_command(script)
-          flags = [
-            # Hides the copyright banner at startup.
-            "-NoLogo",
-            # Does not present an interactive prompt to the user.
-            "-NonInteractive",
-            # Does not load the Windows PowerShell profile.
-            "-NoProfile",
-            # always set the ExecutionPolicy flag
-            # see http://technet.microsoft.com/en-us/library/ee176961.aspx
-            "-ExecutionPolicy Unrestricted",
-            # Powershell will hang if STDIN is redirected
-            # http://connect.microsoft.com/PowerShell/feedback/details/572313/powershell-exe-can-hang-if-stdin-is-redirected
-            "-InputFormat None",
-          ]
-
-          "powershell.exe #{flags.join(" ")} -Command \"#{script.gsub('"', '\"')}\""
-        end
-      end
-    end
-  end
-end