test with echoserver

JacobBarthelmeh · JacobBarthelmeh · commit 034b160f82d2 · 2026-02-02T11:14:55.000-07:00
diff --git a/.github/workflows/windows-cert-store-test.yml b/.github/workflows/windows-cert-store-test.yml
@@ -714,6 +714,17 @@ jobs:
             Write-Host "WARNING: win-cert-store-test.exe not found (standalone cert store test will be skipped)"
         }
 
+        # Find echoserver.exe (used for cert store server test instead of wolfsshd for better debug logs)
+        $echoserverExe = Get-ChildItem -Path $searchRoot -Recurse -Filter "echoserver.exe" -ErrorAction SilentlyContinue | 
+            Where-Object { $_.FullName -like "*Release*" -or $_.FullName -like "*Debug*" } | 
+            Select-Object -First 1
+        if ($echoserverExe) {
+            Write-Host "Found echoserver.exe at: $($echoserverExe.FullName)"
+            Add-Content -Path $env:GITHUB_ENV -Value "ECHOSERVER_PATH=$($echoserverExe.FullName)"
+        } else {
+            Write-Host "WARNING: echoserver.exe not found (cert store server test will need it)"
+        }
+
     - name: Copy wolfSSL DLL to executable directory (if dynamic build)
       working-directory: ${{ github.workspace }}
       shell: pwsh
@@ -978,17 +989,30 @@ jobs:
         }
         Write-Host "Standalone cert store test passed."
 
-    - name: Grant service (LocalSystem) read access to config and keys
+    - name: Grant service (LocalSystem) access to config, keys, and executable
       working-directory: ${{ github.workspace }}\wolfssh
       shell: pwsh
       run: |
-        # wolfsshd runs as LocalSystem; it must be able to read config and key files.
-        # Grant NT AUTHORITY\SYSTEM read access so the service can load config and host key.
-        $configPathFull = (Resolve-Path "sshd_config_test" -ErrorAction Stop).Path
-        $keysDir = (Resolve-Path "keys" -ErrorAction Stop).Path
-        Write-Host "Granting SYSTEM read access to config and keys for LocalSystem service"
-        icacls $configPathFull /grant "NT AUTHORITY\SYSTEM:R" /q
-        icacls $keysDir /grant "NT AUTHORITY\SYSTEM:(OI)(CI)R" /q
+        # wolfsshd runs as LocalSystem; it must be able to read config, key files, and run the exe.
+        # Grant NT AUTHORITY\SYSTEM read+execute on the entire wolfssh tree so the service can:
+        # - run wolfsshd.exe (and load wolfssl.dll if dynamic)
+        # - read sshd_config_test and all files under keys/
+        # /T = apply to existing files and subdirs; (OI)(CI) = inherit to new objects
+        $wolfsshRoot = (Get-Location).Path
+        Write-Host "Granting SYSTEM (RX) on entire wolfssh tree: $wolfsshRoot"
+        icacls $wolfsshRoot /grant "NT AUTHORITY\SYSTEM:(OI)(CI)RX" /T /q
+        if ($LASTEXITCODE -ne 0) {
+          Write-Host "WARNING: icacls on wolfssh root failed, trying config and keys only"
+          $configPathFull = (Resolve-Path "sshd_config_test" -ErrorAction Stop).Path
+          $keysDir = (Resolve-Path "keys" -ErrorAction Stop).Path
+          icacls $configPathFull /grant "NT AUTHORITY\SYSTEM:R" /q
+          icacls $keysDir /grant "NT AUTHORITY\SYSTEM:(OI)(CI)R" /T /q
+          $sshdPath = $env:SSHD_PATH
+          if ($sshdPath -and (Test-Path $sshdPath)) {
+            $sshdDir = (Resolve-Path (Split-Path -Parent $sshdPath)).Path
+            icacls $sshdDir /grant "NT AUTHORITY\SYSTEM:(OI)(CI)RX" /T /q
+          }
+        }
         Write-Host "Done."
 
     - name: Test cert store access as LocalSystem
@@ -1168,7 +1192,51 @@ jobs:
         Remove-Item $scriptPath -ErrorAction SilentlyContinue
         Remove-Item $outputFile -ErrorAction SilentlyContinue
 
+    - name: Start echoserver with cert store (cert store matrix – more debug logs)
+      if: matrix.server_key_source == 'store'
+      working-directory: ${{ github.workspace }}\wolfssh
+      shell: pwsh
+      run: |
+        # For cert store we use echoserver instead of wolfsshd for now (better debug logs).
+        $echoserverPath = $env:ECHOSERVER_PATH
+        if (-not $echoserverPath -or -not (Test-Path $echoserverPath)) {
+          Write-Host "ERROR: echoserver.exe not found (ECHOSERVER_PATH not set or missing)"
+          Get-ChildItem -Path "${{ github.workspace }}" -Recurse -Filter "echoserver.exe" -ErrorAction SilentlyContinue | Select-Object FullName
+          exit 1
+        }
+        $store = "My"
+        $subject = "wolfSSH-Test-Server"
+        $location = "LOCAL_MACHINE"
+        $port = ${{env.TEST_PORT}}
+        Write-Host "=== Starting echoserver with cert store (debug logs) ==="
+        Write-Host "Command: $echoserverPath -W `"${store}:${subject}:${location}`" -p $port"
+        $proc = Start-Process -FilePath $echoserverPath `
+          -ArgumentList "-W", "${store}:${subject}:${location}", "-p", $port `
+          -PassThru -NoNewWindow
+        Add-Content -Path $env:GITHUB_ENV -Value "ECHOSERVER_PID=$($proc.Id)"
+        Write-Host "echoserver started with PID $($proc.Id)"
+        # Wait for port to be listening (max 15 seconds)
+        $timeout = 15
+        $elapsed = 0
+        while ($elapsed -lt $timeout) {
+          Start-Sleep -Seconds 1
+          $elapsed++
+          try {
+            $conn = New-Object System.Net.Sockets.TcpClient("127.0.0.1", $port)
+            if ($conn.Connected) { $conn.Close(); break }
+          } catch {}
+          if (-not $proc.HasExited) { continue }
+          Write-Host "ERROR: echoserver exited early (exit code: $($proc.ExitCode))"
+          exit 1
+        }
+        if ($elapsed -ge $timeout) {
+          Write-Host "WARNING: Port $port not listening after ${timeout}s (echoserver may still be starting)"
+        } else {
+          Write-Host "echoserver is listening on port $port"
+        }
+
     - name: Start wolfSSHd as Windows service
+      if: matrix.server_key_source != 'store'
       working-directory: ${{ github.workspace }}\wolfssh
       shell: pwsh
       run: |
@@ -1849,6 +1917,14 @@ jobs:
       working-directory: ${{ github.workspace }}\wolfssh
       shell: pwsh
       run: |
+        # Stop echoserver if we started it (cert store matrix)
+        $echoserverPid = $env:ECHOSERVER_PID
+        if (-not [string]::IsNullOrEmpty($echoserverPid)) {
+            Write-Host "Stopping echoserver (PID $echoserverPid)"
+            Stop-Process -Id $echoserverPid -Force -ErrorAction SilentlyContinue
+            Start-Sleep -Seconds 1
+        }
+
         # Stop and remove wolfSSHd service
         $serviceName = $env:SSHD_SERVICE_NAME
         if ([string]::IsNullOrEmpty($serviceName)) {
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
@@ -114,6 +114,16 @@
     #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK
 #endif
 
+#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+    #include <windows.h>
+    #include <wincrypt.h>
+    #ifndef CERT_SYSTEM_STORE_CURRENT_USER
+        #define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
+    #endif
+    #ifndef CERT_SYSTEM_STORE_LOCAL_MACHINE
+        #define CERT_SYSTEM_STORE_LOCAL_MACHINE 0x00020000
+    #endif
+#endif
 
 #ifndef NO_WOLFSSH_SERVER
 
@@ -2314,6 +2324,9 @@ static void ShowUsage(void)
            "               add password to accept from peer\n");
 #ifdef WOLFSSH_CERTS
     printf(" -a <file>     load in a root CA certificate file\n");
+#endif
+#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+    printf(" -W <spec>     Windows cert store: \"store:subject:flags\" (e.g. My:CN=Server:CURRENT_USER)\n");
 #endif
     printf(" -k            set the list of key algos to use\n");
     printf(" -b <num>      test user auth would block\n");
@@ -2372,13 +2385,19 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
     #ifdef WOLFSSH_CERTS
         char* caCert = NULL;
     #endif
+    #if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+        const char* certStoreSpec = NULL;
+    #endif
 
     int     argc = serverArgs->argc;
     char**  argv = serverArgs->argv;
     serverArgs->return_code = EXIT_SUCCESS;
 
+    #if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+        certStoreSpec = getenv("WOLFSSH_CERT_STORE");
+    #endif
     if (argc > 0) {
-        const char* optlist = "?1a:d:efEp:R:Ni:j:I:J:K:P:k:b:";
+        const char* optlist = "?1a:d:efEp:R:Ni:j:I:J:K:P:k:b:W:";
         myoptind = 0;
         while ((ch = mygetopt(argc, argv, optlist)) != -1) {
             switch (ch) {
@@ -2466,6 +2485,12 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
                     userAuthWouldBlock = atoi(myoptarg);
                     break;
 
+                #if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+                case 'W':
+                    certStoreSpec = myoptarg;
+                    break;
+                #endif
+
                 default:
                     ShowUsage();
                     serverArgs->return_code = MY_EX_USAGE;
@@ -2580,28 +2605,94 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
         #endif
         bufSz = EXAMPLE_KEYLOAD_BUFFER_SZ;
 
-        bufSz = load_key(peerEcc, keyLoadBuf, bufSz);
-        if (bufSz == 0) {
-            ES_ERROR("Couldn't load first key file.\n");
-        }
-        if (wolfSSH_CTX_UsePrivateKey_buffer(ctx, keyLoadBuf, bufSz,
-                                             WOLFSSH_FORMAT_ASN1) < 0) {
-            ES_ERROR("Couldn't use first key buffer.\n");
-        }
+#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+        if (certStoreSpec != NULL) {
+            /* Load host key from Windows certificate store: store:subject:flags */
+            char* specCopy = NULL;
+            char* storeName = NULL;
+            char* subjectName = NULL;
+            char* flagsStr = NULL;
+            wchar_t* wStoreName = NULL;
+            wchar_t* wSubjectName = NULL;
+            DWORD dwFlags = CERT_SYSTEM_STORE_CURRENT_USER;
+            int ret;
+            size_t specLen = WSTRLEN(certStoreSpec) + 1;
 
-        #if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECC)
-        peerEcc = !peerEcc;
-        bufSz = EXAMPLE_KEYLOAD_BUFFER_SZ;
+            specCopy = (char*)WMALLOC(specLen, NULL, 0);
+            if (specCopy == NULL) {
+                ES_ERROR("Memory allocation failed for cert store spec\n");
+            }
+            WSTRNCPY(specCopy, certStoreSpec, specLen);
+
+            storeName = specCopy;
+            subjectName = WSTRCHR(storeName, ':');
+            if (subjectName != NULL) {
+                *subjectName++ = '\0';
+                flagsStr = WSTRCHR(subjectName, ':');
+                if (flagsStr != NULL) {
+                    *flagsStr++ = '\0';
+                    if (WSTRCMP(flagsStr, "CURRENT_USER") == 0) {
+                        dwFlags = CERT_SYSTEM_STORE_CURRENT_USER;
+                    } else if (WSTRCMP(flagsStr, "LOCAL_MACHINE") == 0) {
+                        dwFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE;
+                    } else {
+                        dwFlags = (DWORD)atoi(flagsStr);
+                    }
+                }
+            }
+            if (storeName == NULL || subjectName == NULL) {
+                WFREE(specCopy, NULL, 0);
+                ES_ERROR("Invalid cert store spec. Use: store:subject:flags\n");
+            }
 
-        bufSz = load_key(peerEcc, keyLoadBuf, bufSz);
-        if (bufSz == 0) {
-            ES_ERROR("Couldn't load second key file.\n");
-        }
-        if (wolfSSH_CTX_UsePrivateKey_buffer(ctx, keyLoadBuf, bufSz,
-                                             WOLFSSH_FORMAT_ASN1) < 0) {
-            ES_ERROR("Couldn't use second key buffer.\n");
+            {
+                int wStoreNameLen = MultiByteToWideChar(CP_UTF8, 0, storeName, -1, NULL, 0);
+                int wSubjectNameLen = MultiByteToWideChar(CP_UTF8, 0, subjectName, -1, NULL, 0);
+                wStoreName = (wchar_t*)WMALLOC(wStoreNameLen * sizeof(wchar_t), NULL, 0);
+                wSubjectName = (wchar_t*)WMALLOC(wSubjectNameLen * sizeof(wchar_t), NULL, 0);
+                if (wStoreName == NULL || wSubjectName == NULL) {
+                    if (wStoreName != NULL) WFREE(wStoreName, NULL, 0);
+                    if (wSubjectName != NULL) WFREE(wSubjectName, NULL, 0);
+                    WFREE(specCopy, NULL, 0);
+                    ES_ERROR("Memory allocation failed for cert store wide strings\n");
+                }
+                MultiByteToWideChar(CP_UTF8, 0, storeName, -1, wStoreName, wStoreNameLen);
+                MultiByteToWideChar(CP_UTF8, 0, subjectName, -1, wSubjectName, wSubjectNameLen);
+            }
+
+            ret = wolfSSH_CTX_UsePrivateKey_fromStore(ctx, wStoreName, dwFlags, wSubjectName);
+            WFREE(specCopy, NULL, 0);
+            WFREE(wStoreName, NULL, 0);
+            WFREE(wSubjectName, NULL, 0);
+            if (ret != WS_SUCCESS) {
+                ES_ERROR("Couldn't load host key from certificate store.\n");
+            }
+        } else
+#endif
+        {
+            bufSz = load_key(peerEcc, keyLoadBuf, bufSz);
+            if (bufSz == 0) {
+                ES_ERROR("Couldn't load first key file.\n");
+            }
+            if (wolfSSH_CTX_UsePrivateKey_buffer(ctx, keyLoadBuf, bufSz,
+                                                 WOLFSSH_FORMAT_ASN1) < 0) {
+                ES_ERROR("Couldn't use first key buffer.\n");
+            }
+
+            #if !defined(WOLFSSH_NO_RSA) && !defined(WOLFSSH_NO_ECC)
+            peerEcc = !peerEcc;
+            bufSz = EXAMPLE_KEYLOAD_BUFFER_SZ;
+
+            bufSz = load_key(peerEcc, keyLoadBuf, bufSz);
+            if (bufSz == 0) {
+                ES_ERROR("Couldn't load second key file.\n");
+            }
+            if (wolfSSH_CTX_UsePrivateKey_buffer(ctx, keyLoadBuf, bufSz,
+                                                 WOLFSSH_FORMAT_ASN1) < 0) {
+                ES_ERROR("Couldn't use second key buffer.\n");
+            }
+            #endif
         }
-        #endif
 
         #ifndef NO_FILESYSTEM
         if (userPubKey) {
