Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cgo windows to syscall #93

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

cgo windows to syscall #93

wants to merge 1 commit into from

Conversation

tg123
Copy link

@tg123 tg123 commented Oct 4, 2021

[X] replace cgo with sys call. gcc is not widely used on windows
[X] force use cng. cng is recommend after vista
[X] PSS supported. this is for go app to use keys in cert store to do tls1.3 (https)
[X] add OpenStoreWindows which takes store name and store location.

github/certstore#20

@lgarron
Copy link
Contributor

lgarron commented Oct 4, 2021

Thanks for the updated PR!

I'm not sure when we'll have time to re-evaluate smimesign PRs, but I'll defer to @vcsjones on that.

@aloopkin
Copy link

@tg123 Thanks a lot for this, it's very helpful!
Could you please add an example on how to use this for TLS cert authentication?
I guess the whole thing is to create a crypto.PrivateKey that crypto/tls will be able to use inside the tls.Certificate, but apparently i'm doing sthg wrong there.

@tg123
Copy link
Author

tg123 commented Oct 15, 2021

@tg123 Thanks a lot for this, it's very helpful! Could you please add an example on how to use this for TLS cert authentication? I guess the whole thing is to create a crypto.PrivateKey that crypto/tls will be able to use inside the tls.Certificate, but apparently i'm doing sthg wrong there.

take a look how to use it as a tls.Config

https://github.com/tg123/phabrik/blob/main/examples/cert.go#L11

cert := FindCert by thumb in my example above (you can find by anything)

tlsconf := &tls.Config{
		Certificates:       []tls.Certificate{*cert},
}

then you have a regular tlsconfig

@aloopkin
Copy link

aloopkin commented Oct 15, 2021

@tg123 thanks, and this is what i did, but i get: "tls: failed to sign handshake: bad private key" ((

Here's my further code to the request, that works if i load the PrivateKey from file:

tr := &http.Transport{TLSClientConfig: tlsconf}
req, _ := http.NewRequest("POST", "https://myserver/myurl", strings.NewReader("this is a test"))
req.Header.Set("Content-Type", "text/plain")
client := &http.Client{Transport: tr}
_, err = client.Do(req)
if err != nil {
	logger.Fatal("Could not make Request: " + err.Error())
}

@tg123
Copy link
Author

tg123 commented Oct 15, 2021

@tg123 thanks, and this is what i did, but i get: "tls: failed to sign handshake: bad private key" ((

Here's my further code to the request, that works if i load the PrivateKey from file:

tr := &http.Transport{TLSClientConfig: tlsconf}
req, _ := http.NewRequest("POST", "https://myserver/myurl", strings.NewReader("this is a test"))
req.Header.Set("Content-Type", "text/plain")
client := &http.Client{Transport: tr}
_, err = client.Do(req)
if err != nil {
	logger.Fatal("Could not make Request: " + err.Error())
}

i believe it is due to your private, please check the usage.

This should be discuss in a separate thread BTW

@jspraul
Copy link

jspraul commented Sep 9, 2022

I was using this until I ran into #116 failing to prompt for smart card PIN.

@tg123
Copy link
Author

tg123 commented Sep 9, 2022

I was using this until I ran into #116 failing to prompt for smart card PIN.

after using syscall?
do you mean it works on cgo?

@jspraul
Copy link

jspraul commented Sep 9, 2022

Thanks for following up! This patch works great if the certificate is not on a smart card.

However, now that I'm trying to use a certificate on a smart card, nCryptSignHash fails as explained in #116, returning NTE_SILENT_CONTEXT as per the very end of the Parameters documentation, even though dwFlags = BCRYPT_PAD_PKCS1 (2) and the referenced NCRYPT_SILENT_FLAG = 0x40 (64). It's also worth noting that the expected error text is "Provider could not perform the action since the context was acquired as silent." but the output is "The operation completed successfully.", though the hash is 0's.

I went back to v0.2.0-rc1 and it's working fine. The only thing I could think of would be a need for a parent HWND for the PIN prompt¹, but I haven't found any change removing something like that yet.

@tg123
Copy link
Author

tg123 commented Sep 29, 2022

@jspraul
https://github.com/tg123/certstore/blob/2c9b55e04c6d99a32cd9cdd0b71c74acf3b834d7/certstore_windows.go#L309

windows.CRYPT_ACQUIRE_SILENT_FLAG

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants