feat: Add ssl-keystore option support

Author: g-bougard

Changes

@@ -4,6 +4,7 @@ Revision history for GLPI agent
 
 core:
 * Prevent certificates overwriting during export from Windows Keystore
+* Add new option to specify or disable Windows KeyStore support
 
 inventory:
 * fix #700: Add TacticalRMM Remote_Mgmt support for MacOSX

bin/glpi-agent

@@ -70,6 +70,7 @@ GetOptions(
     'scan-profiles',
     'server|s=s',
     'ssl-fingerprint=s',
+    'ssl-keystore=s',
     'tag|t=s',
     'tasks=s',
     'timeout=i',

contrib/windows/glpi-agent-packaging.pl

@@ -572,6 +572,7 @@ sub _tree2xml {
                 $result .= $ident ."  ". qq[    <RegistryValue Name="ca-cert-file" Type="string" Value="[CA_CERT_FILE]" />\n];
                 $result .= $ident ."  ". qq[    <RegistryValue Name="ssl-cert-file" Type="string" Value="[SSL_CERT_FILE]" />\n];
                 $result .= $ident ."  ". qq[    <RegistryValue Name="ssl-fingerprint" Type="string" Value="[SSL_FINGERPRINT]" />\n];
+                $result .= $ident ."  ". qq[    <RegistryValue Name="ssl-keystore" Type="string" Value="[SSL_KEYSTORE]" />\n];
                 $result .= $ident ."  ". qq[    <RegistryValue Name="vardir" Type="string" Value="[VARDIR]" />\n];
                 $result .= $ident ."  ". qq[    <RegistryValue Name="listen" Type="string" Value="[LISTEN]" />\n];
                 $result .= $ident ."  ". qq[    <RegistryValue Name="remote" Type="string" Value="[REMOTE]" />\n];

contrib/windows/packaging/MSI_main-v2.wxs.tt

@@ -251,6 +251,12 @@
     <SetProperty Id="CMDLINE_SSL_FINGERPRINT" Before="AppSearch" Value="[SSL_FINGERPRINT]" />
     <SetProperty Id="SSL_FINGERPRINT"         After="AppSearch"  Value="[CMDLINE_SSL_FINGERPRINT]"><![CDATA[CMDLINE_SSL_FINGERPRINT<>"" OR CMDLINE_CONFIG="reset"]]></SetProperty>
 
+    <Property Id="SSL_KEYSTORE" Secure="yes">
+      <RegistrySearch Id="SSLKeyStore" Root="HKLM" Key="[%agent_regpath%]" Name="ssl-keystore" Type="raw"/>
+    </Property>
+    <SetProperty Id="CMDLINE_SSL_KEYSTORE" Before="AppSearch" Value="[SSL_KEYSTORE]" />
+    <SetProperty Id="SSL_KEYSTORE"         After="AppSearch"  Value="[CMDLINE_SSL_KEYSTORE]"><![CDATA[CMDLINE_SSL_KEYSTORE<>"" OR CMDLINE_CONFIG="reset"]]></SetProperty>
+
     <Property Id="SSL_CERT_FILE" Secure="yes">
       <RegistrySearch Id="SSLCertFile" Root="HKLM" Key="[%agent_regpath%]" Name="ssl-cert-file" Type="raw"/>
     </Property>

lib/GLPI/Agent/Config.pm

@@ -53,6 +53,7 @@ my $default = {
     'server'                  => undef,
     'ssl-cert-file'           => undef,
     'ssl-fingerprint'         => undef,
+    'ssl-keystore'            => undef,
     'tag'                     => undef,
     'tasks'                   => undef,
     'timeout'                 => 180,

lib/GLPI/Agent/HTTP/Client.pm

@@ -61,6 +61,7 @@ sub new {
         ca_cert_file    => $ca_cert_file,
         ssl_cert_file   => $ssl_cert_file,
         ssl_fingerprint => $params{ssl_fingerprint} || $config->{'ssl-fingerprint'},
+        ssl_keystore    => $params{ssl_keystore} || $config->{'ssl-keystore'},
         _vardir         => $config->{'vardir'},
     };
     bless $self, $class;
@@ -569,6 +570,9 @@ sub _KeyChain_or_KeyStore_Export {
         }
     }
 
+    # Support --ssl-keystore=none option
+    return if $self->{ssl_keystore} && $self->{ssl_keystore} =~ /^none$/i;
+
     # Read certificates are cached for one hour after the service is started
     return $_SSL_ca->{_certs}
         if $_SSL_ca->{_expiration} && time < $_SSL_ca->{_expiration};
@@ -606,6 +610,36 @@ sub _KeyChain_or_KeyStore_Export {
         @certs = IO::Socket::SSL::Utils::PEM_file2certs($file)
             if -s $file;
     } else {
+        my @certCommands;
+        if ($self->{ssl_keystore})  {
+            foreach my $case (split(/,+/, $self->{ssl_keystore})) {
+                $case = trimWhitespace($case);
+                if ($case =~ /^(Store|Enterprise|GroupPolicy|User)?-?(CA|Root)$/) {
+                    my $store = $2 =~ /CA/i ? "CA" : "Root";
+                    my $option = $1 ? " -$1" : "";
+                    push @certCommands, "certutil -Silent -Split$option -Store $store";
+                } else {
+                    $logger->debug("Unsupported ssl-keystore option definition: $case");
+                }
+            }
+        } else {
+            @certCommands = (
+                "certutil -Silent -Split -Store CA",
+                "certutil -Silent -Split -Store Root",
+                "certutil -Silent -Split -Enterprise -Store CA",
+                "certutil -Silent -Split -Enterprise -Store Root",
+                "certutil -Silent -Split -GroupPolicy -Store CA",
+                "certutil -Silent -Split -GroupPolicy -Store Root",
+                "certutil -Silent -Split -User -Store CA",
+                "certutil -Silent -Split -User -Store Root"
+            );
+        }
+
+        unless (@certCommands) {
+            $logger->debug("No keystore to export server certificates from");
+            return
+        }
+
         # Windows keystore support
         Cwd->require();
         my $cwd = Cwd::cwd();
@@ -619,16 +653,6 @@ sub _KeyChain_or_KeyStore_Export {
         my $certdir = $tmpdir->dirname;
         $certdir =~ s{\\}{/}g;
         if (-d $certdir) {
-            my @certCommands = (
-                "certutil -Silent -Split -Store CA",
-                "certutil -Silent -Split -Store Root",
-                "certutil -Silent -Split -Enterprise -Store CA",
-                "certutil -Silent -Split -Enterprise -Store Root",
-                "certutil -Silent -Split -GroupPolicy -Store CA",
-                "certutil -Silent -Split -GroupPolicy -Store Root",
-                "certutil -Silent -Split -User -Store CA",
-                "certutil -Silent -Split -User -Store Root"
-            );
             $logger->debug2("Changing to '$certdir' temporary folder");
             chdir $certdir;