generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2025-12-07 18:24:01 +01:00
Code Issues Projects Releases Wiki Activity

Find certificate from Windows store using its thumbprint (replaces PR #2125) (#5023)

Browse Source 
* Find certificate from Windows store using its thumbprint

* Address review comments

---------

Co-authored-by: Hussein Ismail <hussein.ismail@m-files.com>
This commit is contained in:
Matej Kenda
2025-09-12 11:30:28 +02:00
committed by GitHub
parent dbc800083e
commit e2920f36da
4 changed files with 78 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
NetSSL_Win/include/Poco/Net/Context.h
View File

@@ -127,11 +127,13 @@ public:
OPT_LOAD_CERT_FROM_FILE = 0x10,
/// Load certificate and private key from a PKCS #12 (.pfx) file,
/// and not from the certificate store.
OPT_USE_CERT_HASH = 0x20,
/// Find the certificate using thumbprint.
OPT_DEFAULTS = OPT_PERFORM_REVOCATION_CHECK | OPT_TRUST_ROOTS_WIN_CERT_STORE | OPT_USE_STRONG_CRYPTO
};
Context(Usage usage,
const std::string& certificateNameOrPath,
const std::string& certificateInfoOrPath,
VerificationMode verMode = VERIFY_RELAXED,
int options = OPT_DEFAULTS,
const std::string& certificateStoreName = CERT_STORE_MY);
@@ -139,7 +141,7 @@ public:
///
/// * usage specifies whether the context is used by a client or server,
/// as well as which protocol to use.
/// * certificateNameOrPath specifies either the subject name of the certificate to use,
/// * certificateInfoOrPath specifies either the subject name or thumbprint of the certificate to use,
/// or the path of a PKCS #12 file containing the certificate and corresponding private key.
/// If a subject name is specified, the certificate must be located in the certificate
/// store specified by certificateStoreName. If a path is given, the OPT_LOAD_CERT_FROM_FILE
@@ -240,7 +242,7 @@ private:
int _options;
int _disabledProtocols;
bool _extendedCertificateVerification;
std::string _certNameOrPath;
std::string _certInfoOrPath;
std::string _certStoreName;
HCERTSTORE _hMemCertStore;
HCERTSTORE _hCollectionCertStore;

6
NetSSL_Win/include/Poco/Net/SSLManager.h
View File

@@ -73,6 +73,8 @@ class NetSSL_Win_API SSLManager
/// <schannel>
/// <server|client>
/// <certificateName>cert Id</certificateName>
/// <certificateHash>cert thumbprint</certificateHash>
/// <certificatePath>path of a certificate</certificatePath>
/// <certificateStore>MY</certificateStore>
/// <verificationMode>none|relaxed|strict</verificationMode>
/// <revocationCheck>true|false</revocationCheck>
@@ -103,6 +105,8 @@ class NetSSL_Win_API SSLManager
///
/// - certificateName (string): The subject name of the certificate to use. The certificate must
/// be available in the Windows user or machine certificate store.
/// - certificateHash (string): The thumbprint of the certificate to use. Alternative for certificateName.
/// The certificate must be available in the Windows user or machine certificate store.
/// - certificatePath (string): The path of a certificate and private key file in PKCS #12 format.
/// - certificateStore (string): The certificate store location to use.
/// Valid values are "MY", "Root", "Trust" or "CA". Defaults to "MY".
@@ -269,6 +273,8 @@ private:
static const std::string CFG_CERT_NAME;
static const std::string VAL_CERT_NAME;
static const std::string CFG_CERT_HASH;
static const std::string VAL_CERT_HASH;
static const std::string CFG_CERT_PATH;
static const std::string VAL_CERT_PATH;
static const std::string CFG_CERT_STORE;

72
NetSSL_Win/src/Context.cpp
View File

@@ -23,8 +23,10 @@
#include "Poco/MemoryStream.h"
#include "Poco/Base64Decoder.h"
#include "Poco/Buffer.h"
#include <sstream>
#include <algorithm>
#include <cctype>
#include <stdio.h>
namespace Poco {
@@ -39,7 +41,7 @@ const std::string Context::CERT_STORE_USERDS("USERDS");
Context::Context(Usage usage,
const std::string& certNameOrPath,
const std::string& certificateInfoOrPath,
VerificationMode verMode,
int options,
const std::string& certStore):
@@ -48,7 +50,7 @@ Context::Context(Usage usage,
_options(options),
_disabledProtocols(0),
_extendedCertificateVerification(true),
_certNameOrPath(certNameOrPath),
_certInfoOrPath(certificateInfoOrPath),
_certStoreName(certStore),
_hMemCertStore(0),
_hCollectionCertStore(0),
@@ -145,7 +147,7 @@ Poco::Net::X509Certificate Context::certificate()
if (_pCert)
return Poco::Net::X509Certificate(_pCert, true);
if (_certNameOrPath.empty())
if (_certInfoOrPath.empty())
throw NoCertificateException("Certificate requested, but no certificate name or path provided");
if (_options & OPT_LOAD_CERT_FROM_FILE)
@@ -168,36 +170,70 @@ void Context::loadCertificate()
if (!_hCertStore)
{
if (_options & OPT_USE_MACHINE_STORE)
_hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE, wcertStoreName.c_str());
_hCertStore = CertOpenStore(
CERT_STORE_PROV_SYSTEM, 0, 0,
CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_OPEN_EXISTING_FLAG,
wcertStoreName.c_str()
);
else
_hCertStore = CertOpenSystemStoreW(0, wcertStoreName.c_str());
}
if (!_hCertStore) throw CertificateException("Failed to open certificate store", _certStoreName, GetLastError());
// Find the certificate either using name or hash.
if(_options & OPT_USE_CERT_HASH)
{
// Sanity check for the hash value.
if(_certInfoOrPath.size() < 40 || _certInfoOrPath.size() % 2) throw CertificateException(Poco::format("Invalid certificate hash %s", _certInfoOrPath));
CERT_RDN_ATTR cert_rdn_attr;
char cmnName[] = szOID_COMMON_NAME;
cert_rdn_attr.pszObjId = cmnName;
cert_rdn_attr.dwValueType = CERT_RDN_ANY_TYPE;
cert_rdn_attr.Value.cbData = (DWORD) _certNameOrPath.size();
cert_rdn_attr.Value.pbData = (BYTE *) _certNameOrPath.c_str();
// Convert hex to binary.
BYTE buffer[256] = {};
int bufferSize = 0;
int byte = 0;
std::string szHex;
for(int counter = 0; counter < _certInfoOrPath.size() / 2; counter++)
{
szHex = _certInfoOrPath.substr(2 * counter, 2);
if( sscanf(szHex.c_str(), "%02x", OUT &byte ) != 1)
throw CertificateException(Poco::format("Invalid certificate hash %s", _certInfoOrPath));
buffer[counter] = (BYTE) byte;
bufferSize += 1;
}
CERT_RDN cert_rdn;
cert_rdn.cRDNAttr = 1;
cert_rdn.rgRDNAttr = &cert_rdn_attr;
CRYPT_HASH_BLOB chBlob;
chBlob.cbData = bufferSize;
chBlob.pbData = buffer;
_pCert = CertFindCertificateInStore(_hCertStore, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_ATTR, &cert_rdn, NULL);
if (!_pCert) throw NoCertificateException(Poco::format("Failed to find certificate %s in store %s", _certNameOrPath, _certStoreName));
_pCert = CertFindCertificateInStore(_hCertStore, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, CERT_FIND_HASH, &chBlob, NULL);
if (!_pCert) throw NoCertificateException(Poco::format("Failed to find certificate %s in store %s", _certInfoOrPath, _certStoreName));
}
else
{
CERT_RDN_ATTR cert_rdn_attr;
char cmnName[] = szOID_COMMON_NAME;
cert_rdn_attr.pszObjId = cmnName;
cert_rdn_attr.dwValueType = CERT_RDN_ANY_TYPE;
cert_rdn_attr.Value.cbData = (DWORD) _certInfoOrPath.size();
cert_rdn_attr.Value.pbData = (BYTE *) _certInfoOrPath.c_str();
CERT_RDN cert_rdn;
cert_rdn.cRDNAttr = 1;
cert_rdn.rgRDNAttr = &cert_rdn_attr;
_pCert = CertFindCertificateInStore(_hCertStore, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_ATTR, &cert_rdn, NULL);
if (!_pCert) throw NoCertificateException(Poco::format("Failed to find certificate %s in store %s", _certInfoOrPath, _certStoreName));
}
}
void Context::importCertificate()
{
Poco::File certFile(_certNameOrPath);
if (!certFile.exists()) throw Poco::FileNotFoundException(_certNameOrPath);
Poco::File certFile(_certInfoOrPath);
if (!certFile.exists()) throw Poco::FileNotFoundException(_certInfoOrPath);
Poco::File::FileSize size = certFile.getSize();
if (size > 4096) throw Poco::DataFormatException("PKCS #12 certificate file too large", _certInfoOrPath);
Poco::Buffer<char> buffer(static_cast<std::size_t>(size));
Poco::FileInputStream istr(_certNameOrPath);
Poco::FileInputStream istr(_certInfoOrPath);
istr.read(buffer.begin(), buffer.size());
if (istr.gcount() != size) throw Poco::IOException("error reading PKCS #12 certificate file");
importCertificate(buffer.begin(), buffer.size());

16
NetSSL_Win/src/SSLManager.cpp
View File

@@ -33,6 +33,8 @@ namespace Net {
const std::string SSLManager::CFG_CERT_NAME("certificateName");
const std::string SSLManager::VAL_CERT_NAME("");
const std::string SSLManager::CFG_CERT_HASH("certificateHash");
const std::string SSLManager::VAL_CERT_HASH("");
const std::string SSLManager::CFG_CERT_PATH("certificatePath");
const std::string SSLManager::VAL_CERT_PATH("");
const std::string SSLManager::CFG_CERT_STORE("certificateStore");
@@ -188,7 +190,8 @@ void SSLManager::initDefaultContext(bool server)
const std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
Poco::Util::AbstractConfiguration& config = appConfig();
std::string certName = config.getString(prefix + CFG_CERT_NAME, VAL_CERT_NAME);
std::string certInfo = config.getString(prefix + CFG_CERT_NAME, VAL_CERT_NAME);
std::string certHash = config.getString(prefix + CFG_CERT_HASH, VAL_CERT_HASH);
std::string certPath = config.getString(prefix + CFG_CERT_PATH, VAL_CERT_PATH);
std::string certStore = config.getString(prefix + CFG_CERT_STORE, VAL_CERT_STORE);
@@ -218,7 +221,12 @@ void SSLManager::initDefaultContext(bool server)
if (!certPath.empty())
{
options |= Context::OPT_LOAD_CERT_FROM_FILE;
certName = certPath;
certInfo = certPath;
}
if (certInfo.empty() && !certHash.empty())
{
options |= Context::OPT_USE_CERT_HASH;
certInfo = certHash;
}
Context::Usage usage;
@@ -234,7 +242,7 @@ void SSLManager::initDefaultContext(bool server)
usage = Context::TLSV1_SERVER_USE;
else
usage = Context::SERVER_USE;
_ptrDefaultServerContext = new Context(usage, certName, verMode, options, certStore);
_ptrDefaultServerContext = new Context(usage, certInfo, verMode, options, certStore);
}
else
{
@@ -248,7 +256,7 @@ void SSLManager::initDefaultContext(bool server)
usage = Context::TLSV1_CLIENT_USE;
else
usage = Context::CLIENT_USE;
_ptrDefaultClientContext = new Context(usage, certName, verMode, options, certStore);
_ptrDefaultClientContext = new Context(usage, certInfo, verMode, options, certStore);
}
}