Use capi LoadCertificateChain and StoreCertificateChain

Author: maraino

kms/capi/capi.go

@@ -4,12 +4,12 @@ package capi
 
 import (
 	"bytes"
+	"cmp"
 	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
-	"crypto/sha1"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	stdans1 "encoding/asn1"
@@ -18,11 +18,14 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+	"net/url"
 	"reflect"
+	"strconv"
 	"strings"
 	"unsafe"
 
 	"github.com/pkg/errors"
+	"go.step.sm/crypto/fingerprint"
 	"go.step.sm/crypto/kms/apiv1"
 	"go.step.sm/crypto/kms/uri"
 	"go.step.sm/crypto/randutil"
@@ -53,6 +56,7 @@ const (
 const (
 	MachineStore = "machine"
 	UserStore    = "user"
+	MyStore      = "My"
 	CAStore      = "CA" // TODO(hs): verify "CA" works for "machine" certs too
 )
 
@@ -71,7 +75,6 @@ var signatureAlgorithmMapping = map[apiv1.SignatureAlgorithm]string{
 }
 
 type uriAttributes struct {
-	ProviderName              string
 	ContainerName             string
 	Hash                      []byte
 	StoreLocation             string
@@ -83,7 +86,7 @@ type uriAttributes struct {
 	SerialNumber              string
 	IssuerName                string
 	KeySpec                   string
-	SkipFindCertificateKey    string
+	SkipFindCertificateKey    bool
 	Pin                       string
 }
 
@@ -108,19 +111,18 @@ func parseURI(rawuri string) (*uriAttributes, error) {
 	}
 
 	return &uriAttributes{
-		ProviderName:              u.Get(ProviderNameArg),
 		ContainerName:             u.Get(ContainerNameArg),
 		Hash:                      hashValue,
-		StoreLocation:             u.Get(StoreLocationArg),
-		StoreName:                 u.Get(StoreNameArg),
-		IntermediateStoreLocation: u.Get(IntermediateStoreLocationArg),
-		IntermediateStoreName:     u.Get(IntermediateStoreNameArg),
+		StoreLocation:             cmp.Or(u.Get(StoreLocationArg), UserStore),
+		StoreName:                 cmp.Or(u.Get(StoreNameArg), MyStore),
+		IntermediateStoreLocation: cmp.Or(u.Get(IntermediateStoreLocationArg), UserStore),
+		IntermediateStoreName:     cmp.Or(u.Get(IntermediateStoreNameArg), CAStore),
 		KeyID:                     keyIDValue,
 		SubjectCN:                 u.Get(SubjectCNArg),
 		SerialNumber:              u.Get(SerialNumberArg),
 		IssuerName:                u.Get(IssuerNameArg),
 		KeySpec:                   u.Get(KeySpec),
-		SkipFindCertificateKey:    u.Get(SkipFindCertificateKey),
+		SkipFindCertificateKey:    u.GetBool(SkipFindCertificateKey),
 		Pin:                       u.Pin(),
 	}, nil
 }
@@ -359,16 +361,6 @@ func (k *CAPIKMS) Close() error {
 // getCertContext returns a pointer to a X.509 certificate context based on the provided URI
 // callers are responsible for freeing the context
 func (k *CAPIKMS) getCertContext(u *uriAttributes) (*windows.CertContext, error) {
-	// Default to the 'My' store
-	if u.StoreName == "" {
-		u.StoreName = "My"
-	}
-
-	// Default to the user store
-	if u.StoreLocation == "" {
-		u.StoreLocation = UserStore
-	}
-
 	// The hash argument is a SHA-1
 	if len(u.Hash) > 0 && len(u.Hash) != 20 {
 		return nil, fmt.Errorf("decoded %s has length %d; expected 20 bytes for SHA-1", HashArg, len(u.Hash))
@@ -745,7 +737,7 @@ func (k *CAPIKMS) LoadCertificate(req *apiv1.LoadCertificateRequest) (*x509.Cert
 	return certContextToX509(certHandle)
 }
 
-func (k *CAPIKMS) LoadCertificateChain(req *apiv1.LoadCertificateRequest) ([]*x509.Certificate, error) {
+func (k *CAPIKMS) LoadCertificateChain(req *apiv1.LoadCertificateChainRequest) ([]*x509.Certificate, error) {
 	u, err := parseURI(req.Name)
 	if err != nil {
 		return nil, err
@@ -773,7 +765,11 @@ func (k *CAPIKMS) LoadCertificateChain(req *apiv1.LoadCertificateRequest) ([]*x5
 	for i := 0; i < maximumIterations; i++ { // loop a maximum number of times
 		authorityKeyID := hex.EncodeToString(child.AuthorityKeyId)
 		parent, err := k.LoadCertificate(&apiv1.LoadCertificateRequest{
-			Name: fmt.Sprintf("capi:key-id=%s;store-location=%s;store=%s", authorityKeyID, u.IntermediateStoreLocation, u.IntermediateStoreName),
+			Name: uri.New(Scheme, url.Values{
+				KeyIDArg:         []string{authorityKeyID},
+				StoreLocationArg: []string{u.IntermediateStoreLocation},
+				StoreNameArg:     []string{u.IntermediateStoreName},
+			}).String(),
 		})
 		if err != nil {
 			if errors.Is(err, apiv1.NotFoundError{}) {
@@ -803,29 +799,19 @@ func (k *CAPIKMS) LoadCertificateChain(req *apiv1.LoadCertificateRequest) ([]*x5
 }
 
 func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
-	u, err := uri.ParseWithScheme(Scheme, req.Name)
+	u, err := parseURI(req.Name)
 	if err != nil {
-		return fmt.Errorf("failed to parse URI: %w", err)
-	}
-
-	var storeLocation string
-	if storeLocation = u.Get(StoreLocationArg); storeLocation == "" {
-		storeLocation = UserStore
+		return err
 	}
 
 	var certStoreLocation uint32
-	switch storeLocation {
+	switch u.StoreLocation {
 	case UserStore:
 		certStoreLocation = certStoreCurrentUser
 	case MachineStore:
 		certStoreLocation = certStoreLocalMachine
 	default:
-		return fmt.Errorf("invalid cert store location %q", storeLocation)
-	}
-
-	var storeName string
-	if storeName = u.Get(StoreNameArg); storeName == "" {
-		storeName = "My"
+		return fmt.Errorf("invalid cert store location %q", u.StoreLocation)
 	}
 
 	certContext, err := windows.CertCreateCertificateContext(
@@ -841,7 +827,7 @@ func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
 	// so that looking up the private key for e.g. intermediate certificates can be skipped.
 	// If not skipped, looking up a private key can prompt the user to insert/select a smart
 	// card, which is usually not what we want to happen.
-	if !u.GetBool(SkipFindCertificateKey) {
+	if !u.SkipFindCertificateKey {
 		// TODO: not finding the associated private key is not a dealbreaker, but maybe a warning should be issued
 		cryptFindCertificateKeyProvInfo(certContext)
 	}
@@ -851,9 +837,9 @@ func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
 		0,
 		0,
 		certStoreLocation,
-		uintptr(unsafe.Pointer(wide(storeName))))
+		uintptr(unsafe.Pointer(wide(u.StoreName))))
 	if err != nil {
-		return fmt.Errorf("CertOpenStore for the %q store %q returned: %w", storeLocation, storeName, err)
+		return fmt.Errorf("CertOpenStore for the %q store %q returned: %w", u.StoreLocation, u.StoreName, err)
 	}
 
 	// Add the cert context to the system certificate store
@@ -864,6 +850,60 @@ func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
 	return nil
 }
 
+func (k *CAPIKMS) StoreCertificateChain(req *apiv1.StoreCertificateChainRequest) error {
+	u, err := parseURI(req.Name)
+	if err != nil {
+		return err
+	}
+
+	leaf := req.CertificateChain[0]
+	fp, err := fingerprint.New(leaf.Raw, crypto.SHA1, fingerprint.HexFingerprint)
+	if err != nil {
+		return fmt.Errorf("failed calculating certificate SHA1 fingerprint: %w", err)
+	}
+
+	if err := k.StoreCertificate(&apiv1.StoreCertificateRequest{
+		Name: uri.New("capi", url.Values{
+			HashArg:                []string{fp},
+			StoreLocationArg:       []string{u.StoreLocation},
+			StoreNameArg:           []string{u.StoreName},
+			SkipFindCertificateKey: []string{strconv.FormatBool(u.SkipFindCertificateKey)},
+		}).String(),
+		Certificate: leaf,
+	}); err != nil {
+		return fmt.Errorf("failed storing certificate using Windows platform cryptography provider: %w", err)
+	}
+
+	if len(req.CertificateChain) == 1 {
+		return nil
+	}
+
+	for _, c := range req.CertificateChain[1:] {
+		if err := validateIntermediateCertificate(c); err != nil {
+			return fmt.Errorf("invalid intermediate certificate provided in chain: %w", err)
+		}
+
+		fp, err := fingerprint.New(c.Raw, crypto.SHA1, fingerprint.HexFingerprint)
+		if err != nil {
+			return fmt.Errorf("failed calculating certificate SHA1 fingerprint: %w", err)
+		}
+
+		if err := k.StoreCertificate(&apiv1.StoreCertificateRequest{
+			Name: uri.New("capi", url.Values{
+				HashArg:                []string{fp},
+				StoreLocationArg:       []string{u.IntermediateStoreLocation},
+				StoreNameArg:           []string{u.IntermediateStoreName},
+				SkipFindCertificateKey: []string{"true"},
+			}).String(),
+			Certificate: c,
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // DeleteCertificate deletes a certificate from the Windows certificate store. It uses
 // largely the same logic for searching for the certificate as [LoadCertificate], but
 // deletes it as soon as it's found.
@@ -873,61 +913,43 @@ func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
 // Notice: This method is EXPERIMENTAL and may be changed or removed in a later
 // release.
 func (k *CAPIKMS) DeleteCertificate(req *apiv1.DeleteCertificateRequest) error {
-	u, err := uri.ParseWithScheme(Scheme, req.Name)
-	if err != nil {
-		return fmt.Errorf("failed to parse URI: %w", err)
-	}
-
-	sha1Hash, err := u.GetHexEncoded(HashArg)
+	u, err := parseURI(req.Name)
 	if err != nil {
-		return fmt.Errorf("failed getting %s from URI %q: %w", HashArg, req.Name, err)
-	}
-	keyID := u.Get(KeyIDArg)
-	issuerName := u.Get(IssuerNameArg)
-	serialNumber := u.Get(SerialNumberArg)
-
-	var storeLocation string
-	if storeLocation = u.Get(StoreLocationArg); storeLocation == "" {
-		storeLocation = UserStore
+		return err
 	}
 
 	var certStoreLocation uint32
-	switch storeLocation {
+	switch u.StoreLocation {
 	case UserStore:
 		certStoreLocation = certStoreCurrentUser
 	case MachineStore:
 		certStoreLocation = certStoreLocalMachine
 	default:
-		return fmt.Errorf("invalid cert store location %q", storeLocation)
-	}
-
-	var storeName string
-	if storeName = u.Get(StoreNameArg); storeName == "" {
-		storeName = "My"
+		return fmt.Errorf("invalid cert store location %q", u.StoreLocation)
 	}
 
 	st, err := windows.CertOpenStore(
 		certStoreProvSystem,
 		0,
 		0,
 		certStoreLocation,
-		uintptr(unsafe.Pointer(wide(storeName))))
+		uintptr(unsafe.Pointer(wide(u.StoreName))))
 	if err != nil {
-		return fmt.Errorf("CertOpenStore for the %q store %q returned: %w", storeLocation, storeName, err)
+		return fmt.Errorf("CertOpenStore for the %q store %q returned: %w", u.StoreLocation, u.StoreName, err)
 	}
 
 	var certHandle *windows.CertContext
 
 	switch {
-	case len(sha1Hash) > 0:
-		if len(sha1Hash) != 20 {
-			return fmt.Errorf("decoded %s has length %d; expected 20 bytes for SHA-1", HashArg, len(sha1Hash))
+	case len(u.Hash) > 0:
+		if len(u.Hash) != 20 {
+			return fmt.Errorf("decoded %s has length %d; expected 20 bytes for SHA-1", HashArg, len(u.Hash))
 		}
 		searchData := CERT_ID_KEYIDORHASH{
 			idChoice: CERT_ID_SHA1_HASH,
 			KeyIDOrHash: CRYPTOAPI_BLOB{
-				len:  uint32(len(sha1Hash)),
-				data: uintptr(unsafe.Pointer(&sha1Hash[0])),
+				len:  uint32(len(u.Hash)),
+				data: uintptr(unsafe.Pointer(&u.Hash[0])),
 			},
 		}
 		certHandle, err = findCertificateInStore(st,
@@ -946,18 +968,12 @@ func (k *CAPIKMS) DeleteCertificate(req *apiv1.DeleteCertificateRequest) error {
 			return fmt.Errorf("failed removing certificate: %w", err)
 		}
 		return nil
-	case keyID != "":
-		keyID = strings.TrimPrefix(keyID, "0x") // Support specifying the hash as 0x like with serial
-
-		keyIDBytes, err := hex.DecodeString(keyID)
-		if err != nil {
-			return fmt.Errorf("%s must be in hex format: %w", KeyIDArg, err)
-		}
+	case len(u.KeyID) > 0:
 		searchData := CERT_ID_KEYIDORHASH{
 			idChoice: CERT_ID_KEY_IDENTIFIER,
 			KeyIDOrHash: CRYPTOAPI_BLOB{
-				len:  uint32(len(keyIDBytes)),
-				data: uintptr(unsafe.Pointer(&keyIDBytes[0])),
+				len:  uint32(len(u.KeyID)),
+				data: uintptr(unsafe.Pointer(&u.KeyID[0])),
 			},
 		}
 		certHandle, err = findCertificateInStore(st,
@@ -976,21 +992,21 @@ func (k *CAPIKMS) DeleteCertificate(req *apiv1.DeleteCertificateRequest) error {
 			return fmt.Errorf("failed removing certificate: %w", err)
 		}
 		return nil
-	case issuerName != "" && serialNumber != "":
+	case u.IssuerName != "" && u.SerialNumber != "":
 		// TODO: Replace this search with a CERT_ID + CERT_ISSUER_SERIAL_NUMBER search instead
 		// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id
 		// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number
 		var serialBytes []byte
-		if strings.HasPrefix(serialNumber, "0x") {
-			serialNumber = strings.TrimPrefix(serialNumber, "0x")
-			serialNumber = strings.TrimPrefix(serialNumber, "00") // Comparison fails if leading 00 is not removed
-			serialBytes, err = hex.DecodeString(serialNumber)
+		if strings.HasPrefix(u.SerialNumber, "0x") {
+			u.SerialNumber = strings.TrimPrefix(u.SerialNumber, "0x")
+			u.SerialNumber = strings.TrimPrefix(u.SerialNumber, "00") // Comparison fails if leading 00 is not removed
+			serialBytes, err = hex.DecodeString(u.SerialNumber)
 			if err != nil {
 				return fmt.Errorf("invalid hex format for %s: %w", SerialNumberArg, err)
 			}
 		} else {
 			bi := new(big.Int)
-			bi, ok := bi.SetString(serialNumber, 10)
+			bi, ok := bi.SetString(u.SerialNumber, 10)
 			if !ok {
 				return fmt.Errorf("invalid %s - must be in hex or integer format", SerialNumberArg)
 			}
@@ -1002,7 +1018,7 @@ func (k *CAPIKMS) DeleteCertificate(req *apiv1.DeleteCertificateRequest) error {
 				encodingX509ASN|encodingPKCS7,
 				0,
 				findIssuerStr,
-				uintptr(unsafe.Pointer(wide(issuerName))), prevCert)
+				uintptr(unsafe.Pointer(wide(u.IssuerName))), prevCert)
 			if err != nil {
 				return fmt.Errorf("findCertificateInStore failed: %w", err)
 			}
@@ -1145,18 +1161,19 @@ type subjectPublicKeyInfo struct {
 	SubjectPublicKey stdans1.BitString
 }
 
-func generateWindowsSubjectKeyID(pub crypto.PublicKey) (string, error) {
-	b, err := x509.MarshalPKIXPublicKey(pub)
-	if err != nil {
-		return "", err
-	}
-	var info subjectPublicKeyInfo
-	if _, err = stdans1.Unmarshal(b, &info); err != nil {
-		return "", err
+func validateIntermediateCertificate(c *x509.Certificate) error {
+	switch {
+	case !c.IsCA:
+		return fmt.Errorf("certificate with serial %q is not a CA certificate", c.SerialNumber.String())
+	case !c.BasicConstraintsValid:
+		return fmt.Errorf("certificate with serial %q has invalid basic constraints", c.SerialNumber.String())
+	case bytes.Equal(c.AuthorityKeyId, c.SubjectKeyId):
+		return fmt.Errorf("certificate with serial %q has equal subject and authority key IDs", c.SerialNumber.String())
+	case c.CheckSignatureFrom(c) == nil:
+		return fmt.Errorf("certificate with serial %q is self-signed root CA", c.SerialNumber.String())
 	}
-	hash := sha1.Sum(info.SubjectPublicKey.Bytes) //nolint:gosec // required for Windows key ID calculation
 
-	return hex.EncodeToString(hash[:]), nil
+	return nil
 }
 
 var _ apiv1.CertificateManager = (*CAPIKMS)(nil)