fix: Refacto win32 keystore usage with win32 API

g-bougard · g-bougard · commit c2c39c9a098b · 2025-12-03T18:13:00.000+01:00
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
@@ -630,89 +630,26 @@ sub _KeyChain_or_KeyStore_Export {
         @certs = IO::Socket::SSL::Utils::PEM_file2certs($file)
             if -s $file;
     } else {
-        my @certCommands;
-        if ($self->{ssl_keystore})  {
-            foreach my $case (split(/,+/, $self->{ssl_keystore})) {
-                $case = trimWhitespace($case);
-                if ($case =~ /^(Service|Enterprise|GroupPolicy|User)?-?(My|CA|Root)$/) {
-                    my $store = $2 =~ /CA/i ? "CA" : "Root";
-                    my $option = $1 ? " -$1" : "";
-                    push @certCommands, "certutil -Silent -Split$option -Store $store";
-                } else {
-                    $logger->debug("Unsupported ssl-keystore option definition: $case");
-                }
-            }
+        GLPI::Agent::Tools::Win32::KeyStore->use();
+        if ($EVAL_ERROR) {
+            $logger->debug("Failed to load KeyStore support: $EVAL_ERROR");
         } else {
-            @certCommands = (
-                "certutil -Silent -Split -Store CA",
-                "certutil -Silent -Split -Store Root",
-                "certutil -Silent -Split -Enterprise -Store CA",
-                "certutil -Silent -Split -Enterprise -Store Root",
-                "certutil -Silent -Split -GroupPolicy -Store CA",
-                "certutil -Silent -Split -GroupPolicy -Store Root",
-                "certutil -Silent -Split -User -Store CA",
-                "certutil -Silent -Split -User -Store Root"
-            );
-        }
-
-        unless (@certCommands) {
-            $logger->debug("No keystore to export server certificates from");
-            return
-        }
-
-        # Windows keystore support
-        Cwd->require();
-        my $cwd = Cwd::cwd();
-
-        # Create a temporary folder in vardir to cd & export certificates
-        my $tmpdir = File::Temp->newdir(
-            TEMPLATE    => "$basename-export-XXXXXX",
-            DIR         => $vardir,
-            TMPDIR      => 1,
-        );
-        my $certdir = $tmpdir->dirname;
-        $certdir =~ s{\\}{/}g;
-        if (-d $certdir) {
-            $logger->debug2("Changing to '$certdir' temporary folder");
-            chdir $certdir;
-
-            my @deletefolder;
-            foreach my $command (@certCommands) {
-                my ($kind, $store) = $command =~ /-Split( -\w+)? -Store (\w+)$/;
-                my $storeDirname = $kind && $kind =~ /^ -(\w+)$/ ? "$1-$store" : $store;
-                mkdir $storeDirname;
-                chdir $storeDirname;
-                getAllLines(
-                    command => $command,
-                    logger  => $logger
-                );
-                chdir "..";
-                push @deletefolder, $storeDirname;
-            }
-
-            # Export certificates from keystore as crt files
-
-            # Convert each crt file to base64 encoded cer file and concatenate in certchain file
-            File::Glob->require();
-            foreach my $certfile (File::Glob::bsd_glob("$certdir/*/*")) {
-                if ($certfile =~ m{/([^/]+/[^/]+\.crt)$}) {
-                    getAllLines(
-                        command => "certutil -encode $1 temp.cer",
-                        logger  => $logger
-                    );
-                    push @certs, IO::Socket::SSL::Utils::PEM_file2cert("$certdir/temp.cer")
-                        if -s "$certdir/temp.cer";
-                    unlink "$certdir/temp.cer";
+            GLPI::Agent::Tools::Win32::KeyStore->import("getKeyStore");
+            if ($self->{ssl_keystore})  {
+                foreach my $case (split(/,+/, $self->{ssl_keystore})) {
+                    $case = uc(trimWhitespace($case));
+                    if ($case =~ /^(CA|ROOT|TRUST|MY)$/) {
+                        push @certs, getKeyStore(
+                            logger  => $logger,
+                            store   => $case
+                        );
+                    } else {
+                        $logger->debug("Unsupported ssl-keystore option definition: $case");
+                    }
                 }
-                unlink $certfile;
             }
-
-            # Cleanup temp subfolders
-            map { rmdir $_ } @deletefolder;
-
-            # Get back to current dir
-            $logger->debug2("Changing back to '$cwd' folder");
-            chdir $cwd;
+            push @certs, getKeyStore(logger  => $logger)
+                unless @certs;
         }
     }
 
diff --git a/lib/GLPI/Agent/Tools/Win32/KeyStore.pm b/lib/GLPI/Agent/Tools/Win32/KeyStore.pm
@@ -0,0 +1,141 @@
+package GLPI::Agent::Tools::Win32::KeyStore;
+
+use strict;
+use warnings;
+
+use parent 'Exporter';
+
+use UNIVERSAL::require();
+use English qw(-no_match_vars);
+
+BEGIN {
+    # Only set if you're a developer and need to debug Win32::API usage
+    $Win32::API::DEBUG = 0;
+}
+
+use Net::SSLeay;
+
+Win32::API->require();
+
+use GLPI::Agent::Tools;
+
+use constant    CERT_NAME_SIMPLE_DISPLAY_TYPE   => 4;
+use constant    X509_ASN_ENCODING               => 1;
+
+use constant    _log_prefix                     => "[ssl-keystore] ";
+
+our @EXPORT = qw(
+    getKeyStore
+);
+
+Win32::API::Type->typedef('HCERTSTORE',        'ULONG*');
+Win32::API::Type->typedef('HCRYPTPROV_LEGACY', 'ULONG*');
+
+my $_CertOpenSystemStoreA = Win32::API::More->Import(
+    crypt32 => qq{
+        HCERTSTORE CertOpenSystemStoreA(
+            HCRYPTPROV_LEGACY hProv,
+            LPCSTR szSubSystemProtocol
+        );
+    }
+);
+
+my $CertCloseStore = Win32::API::More->Import(
+    crypt32 => qq{
+        BOOL CertCloseStore(
+            HCERTSTORE hCertStore,
+            DWORD      dwFlags
+        );
+    }
+);
+
+my $_CertEnumCertificatesInStore = Win32::API::More->Import(
+    crypt32 => 'CertEnumCertificatesInStore', 'NN', 'N'
+);
+
+my $CertGetNameStringA = Win32::API::More->Import(
+    crypt32 => "CertGetNameStringA", "NIIPPI", "I"
+);
+
+sub getKeyStore {
+    my (%params) = @_;
+
+    my $logger = $params{logger};
+
+    my @stores = $params{store} ? ($params{store}) : qw(
+        ROOT
+        CA
+        TRUST
+        MY
+    );
+
+    my @certs;
+
+    foreach my $store (@stores) {
+
+        next unless $store;
+
+        my $hCertStore = CertOpenSystemStoreA(0, $store);
+        unless ($hCertStore) {
+            $logger->error(_log_prefix."Failed to open system $store keystore")
+                if $logger;
+            next;
+        }
+
+        my $count;
+        my $pPrev = 0;
+
+        while ($pPrev = CertEnumCertificatesInStore($hCertStore, $pPrev)) {
+            $count++;
+            my $certName = " " x 256;
+            my $length = CertGetNameStringA($pPrev, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, 0, $certName, 256);
+            if ($length) {
+                $certName = trimWhitespace($certName);
+                $logger->debug(_log_prefix."$store-$count: Importing $certName")
+                    if $logger;
+            }
+            my $buffer = Win32::API::ReadMemory($pPrev, 3*16);
+            if (empty($buffer)) {
+                $logger->debug(_log_prefix."Failed to copy CERT_CONTEXT ($count)")
+                    if $logger;
+                next;
+            }
+            my ($dwCertEncodingType, $pbCertEncoded, $cbCertEncoded) = unpack("Q*", $buffer);
+            next unless $dwCertEncodingType && $dwCertEncodingType == X509_ASN_ENCODING;
+            unless ($pbCertEncoded && $cbCertEncoded) {
+                $logger->debug(_log_prefix."Got wrong CERT_CONTEXT copy ($count)")
+                    if $logger;
+                next;
+            }
+            my $certbuffer = Win32::API::ReadMemory($pbCertEncoded, $cbCertEncoded);
+            if (empty($certbuffer)) {
+                $logger->debug(_log_prefix."Failed to copy certificate content ($count)")
+                    if $logger;
+                next;
+            }
+            my $bio = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem());
+            my $rv = Net::SSLeay::BIO_write($bio, $certbuffer);
+            unless ($rv == $cbCertEncoded) {
+                $logger->debug(_log_prefix."Failed to import certificate content ($count)")
+                    if $logger;
+                Net::SSLeay::BIO_free($bio) if $rv > 0;
+                next;
+            }
+            my $cert = Net::SSLeay::d2i_X509_bio($bio);
+            Net::SSLeay::BIO_free($bio);
+            push @certs, $cert;
+        }
+
+        unless (CertCloseStore($hCertStore, 0)) {
+            $logger->debug(_log_prefix."Failed to close $store keystore")
+                if $logger;
+        }
+
+        $logger->debug(_log_prefix."No certificate found in $store keystore")
+            if !$count  && $logger && @stores == 1;
+    }
+
+    return @certs;
+}
+
+1;
diff --git a/t/lib/fake/windows/Win32/API.pm b/t/lib/fake/windows/Win32/API.pm
@@ -1,3 +1,11 @@
 package Win32::API;
 
+package Win32::API::More;
+
+sub Import {}
+
+package Win32::API::Type;
+
+sub typedef {}
+
 1;
