File: root_certs.rb

package info (click to toggle)
puppet-agent 7.23.0-1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 19,092 kB
  • sloc: ruby: 245,074; sh: 456; makefile: 38; xml: 33
file content (108 lines) | stat: -rw-r--r-- 3,216 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
require_relative '../../../puppet/util/windows'
require_relative '../../../puppet/ssl/openssl_loader'
require 'ffi'

# Represents a collection of trusted root certificates.
#
# @api public
class Puppet::Util::Windows::RootCerts
  include Enumerable
  extend FFI::Library

  def initialize(roots)
    @roots = roots
  end

  # Enumerates each root certificate.
  # @yieldparam cert [OpenSSL::X509::Certificate] each root certificate
  # @api public
  def each
    @roots.each {|cert| yield cert}
  end

  # Returns a new instance.
  # @return [Puppet::Util::Windows::RootCerts] object constructed from current root certificates
  def self.instance
    new(self.load_certs)
  end

  # Returns an array of root certificates.
  #
  # @return [Array<[OpenSSL::X509::Certificate]>] an array of root certificates
  # @api private
  def self.load_certs
    certs = []

    # This is based on a patch submitted to openssl:
    # https://www.mail-archive.com/openssl-dev@openssl.org/msg26958.html
    ptr = FFI::Pointer::NULL
    store = CertOpenSystemStoreA(nil, "ROOT")
    begin
      while (ptr = CertEnumCertificatesInStore(store, ptr)) and not ptr.null?
        context = CERT_CONTEXT.new(ptr)
        cert_buf = context[:pbCertEncoded].read_bytes(context[:cbCertEncoded])
        begin
          certs << OpenSSL::X509::Certificate.new(cert_buf)
        rescue => detail
          Puppet.warning(_("Failed to import root certificate: %{detail}") % { detail: detail.inspect })
        end
      end
    ensure
      CertCloseStore(store, 0)
    end

    certs
  end

  ffi_convention :stdcall
  # typedef void *HCERTSTORE;

  # https://msdn.microsoft.com/en-us/library/windows/desktop/aa377189(v=vs.85).aspx
  # typedef struct _CERT_CONTEXT {
  #   DWORD      dwCertEncodingType;
  #   BYTE       *pbCertEncoded;
  #   DWORD      cbCertEncoded;
  #   PCERT_INFO pCertInfo;
  #   HCERTSTORE hCertStore;
  # } CERT_CONTEXT, *PCERT_CONTEXT;typedef const CERT_CONTEXT *PCCERT_CONTEXT;
  class CERT_CONTEXT < FFI::Struct
    layout(
      :dwCertEncodingType, :dword,
      :pbCertEncoded,      :pointer,
      :cbCertEncoded,      :dword,
      :pCertInfo,          :pointer,
      :hCertStore,         :handle
    )
  end

  # https://msdn.microsoft.com/en-us/library/windows/desktop/aa376560(v=vs.85).aspx
  # HCERTSTORE
  # WINAPI
  # CertOpenSystemStoreA(
  #   __in_opt HCRYPTPROV_LEGACY hProv,
  #   __in LPCSTR szSubsystemProtocol
  #   );
  # typedef ULONG_PTR HCRYPTPROV_LEGACY;
  ffi_lib :crypt32
  attach_function_private :CertOpenSystemStoreA, [:ulong_ptr, :lpcstr], :handle

  # https://msdn.microsoft.com/en-us/library/windows/desktop/aa376050(v=vs.85).aspx
  # PCCERT_CONTEXT
  # WINAPI
  # CertEnumCertificatesInStore(
  #   __in HCERTSTORE hCertStore,
  #   __in_opt PCCERT_CONTEXT pPrevCertContext
  #   );
  ffi_lib :crypt32
  attach_function_private :CertEnumCertificatesInStore, [:handle, :pointer], :pointer

  # https://msdn.microsoft.com/en-us/library/windows/desktop/aa376026(v=vs.85).aspx
  # BOOL
  # WINAPI
  # CertCloseStore(
  #   __in_opt HCERTSTORE hCertStore,
  #   __in DWORD dwFlags
  #   );
  ffi_lib :crypt32
  attach_function_private :CertCloseStore, [:handle, :dword], :win32_bool
end