cryptoapi: add flags for physical store and logical store #4
Conversation
aerth
force-pushed
the
stores
branch
10 times, most recently
from
28528b5
to
b7c9b4c
Compare
|
Since these new command-line flags are specific to CryptoAPI (e.g. they don't directly apply to NSS), maybe we should make a new flag group for this? I'm thinking maybe create a |
| ) | ||
|
|
||
| // In 64-bit Windows, this key is shared between 64-bit and 32-bit applications. | ||
| // See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253.aspx | ||
| const cryptoApiCertStoreRegistryBase = registry.LOCAL_MACHINE | ||
| const cryptoApiCertStoreRegistryKey = `SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates` |
There was a problem hiding this comment.
This PR removes the previously existing functionality of writing to the Enterprise physical store. Would be good to restore that functionality.
There was a problem hiding this comment.
If I understand correctly, this is resolved by adding support for -scope enterprise in e3f4a1b
aerth
force-pushed
the
stores
branch
2 times, most recently
from
f44747e
to
e3f4a1b
Compare
cryptoapi_windows.go
Outdated
| "current-user": Store{registry.CURRENT_USER, `SOFTWARE\Microsoft\SystemCertificates\`, `%s\Certificates`}, | ||
| "system": Store{registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\SystemCertificates\`, `%s\Certificates`}, | ||
| "enterprise": Store{registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\EnterpriseCertificates\`, `%s\Certificates`}, | ||
| "group-policy": Store{registry.LOCAL_MACHINE, `SOFTWARE\Policies\SystemCertificates\`, `%s\Certificates`}, |
There was a problem hiding this comment.
According to my notes, SOFTWARE\Policies\SystemCertificates\ should be SOFTWARE\Policies\Microsoft\SystemCertificates\. Not sure if this is a typo or if you found a different source that's not consistent with my notes.
There was a problem hiding this comment.
typo. good catch, thanks.
There was a problem hiding this comment.
Actually it may be Policy\Microsoft ?
( from https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_current_user_group_policy )
HKEY_CURRENT_USER
Software
Policy
Microsoft
SystemCertificates
and
HKEY_LOCAL_MACHINE
Software
Policy
Microsoft
SystemCertificates
There was a problem hiding this comment.
Confirmed on a windows machine that Policy does not exist, Policies is the one, fixed. 😄
aerth
force-pushed
the
stores
branch
3 times, most recently
from
97720e7
to
686f1e6
Compare
since they are in a flag subgroup, use like so: certinject --certstore.capi.physical-store system --certstore.capi.logical-store Root [certificate-file]
aerth
force-pushed
the
stores
branch
3 times, most recently
from
2e07df8
to
9b13031
Compare
aerth
changed the title
cryptoapi_windows_test.go
Outdated
| tests := []struct { | ||
| Name string // for logs | ||
| Physical string // from user flag | ||
| Logical string // from userflag |
There was a problem hiding this comment.
Missing a space in userflag?
|
utACK 886a2ae except for the missing space (noted above in inline comments). |
|
utACK ee6a585; merging shortly. |
Closes #2
--capi.physical-store <name>names the physical store to inject certificate intosystem)system,current-user,enterprise, andgroup-policy--capi.logical-store <store-name>names the logical store to inject certificate into.Root)Root,Trust,CA,My,Disallowedor any other custom stringCurrently, only
system+Rootcombo passes the powershell test (testdata/ci-failtest.ps1)