Merge pull request #55 from aws/feature/RolesAnywhere-4906

Indirectly support the searching of certificates and private keys in local machine certificate stores

Author: 13ajay

Makefile

@@ -1,4 +1,4 @@
-VERSION=1.1.0
+VERSION=1.1.1
 
 release:
 	go build -buildmode=pie -ldflags "-X 'github.com/aws/rolesanywhere-credential-helper/cmd.Version=${VERSION}' -linkmode=external -w -s" -trimpath -o build/bin/aws_signing_helper main.go

README.md

@@ -71,18 +71,20 @@ If the above is placed in a file called `selector.json`, it can be specified wit
 --cert-selector Key=x509Subject,Value=CN=Subject Key=x509Issuer,Value=CN=Issuer Key=x509Serial,Value=15D19632234BF759A32802C0DA88F9E8AFC8702D
 ```
 
-The example given here is quite simple (they each only contain a single RDN), so it may not be obvious, but the Subject and Issuer values roughly follow the [RFC 2253](https://www.rfc-editor.org/rfc/rfc2253.html) Distinguished Names syntax.
+The example given here is quite simple (the Subject and Issuer each contain only a single RDN), so it may not be obvious, but the Subject and Issuer values roughly follow the [RFC 2253](https://www.rfc-editor.org/rfc/rfc2253.html) Distinguished Names syntax.
 
 ### sign-string
 
 Signs a fixed strings: `"AWS Roles Anywhere Credential Helper Signing Test" || SIGN_STRING_TEST_VERSION || SHA256("IAM RA" || PUBLIC_KEY_BYTE_ARRAY)`. Useful for validating your private key and digest. Either the path to the private key must be provided with the `--private-key` parameter, or a certificate selector must be provided through the `--cert-selector` parameter (if you want to use the OS certificate store integration). Other parameters that can be used are `--digest`, which must be one of `SHA256 (*default*) | SHA384 | SHA512`, and `--format`, which must be one of `text (*default*) | json | bin`.
 
 ### credential-process
 
-Vends temporary credentials by sending a `CreateSession` request to the Roles Anywhere service. The request is signed by the private key whose path can be provided with the `--private-key` parameter. Currently, only plaintext private keys are supported. Other parameters include `--certificate` (the path to the end-entity certificate), `--role-arn` (the ARN of the role to obtain temporary credentials for), `--profile-arn` (the ARN of the profile that provides a mapping for the specified role), and `--trust-anchor-arn` (the ARN of the trust anchor used to authenticate). Optional parameters that can be used are `--debug` (to provide debugging output about the request sent), `--no-verify-ssl` (to skip verification of the SSL certificate on the endpoint called), `--intermediates` (the path to intermediate certificates), `--with-proxy` (to make the binary proxy aware), `--endpoint` (the endpoint to call), `--region` (the region to scope the request to), and `--session-duration` (the duration of the vended session). Instead of passing in paths to the plaintext private key on your file system, another option (depending on your OS) could be to use the `--cert-selector` flag. More details can be found below.
+Vends temporary credentials by sending a `CreateSession` request to the Roles Anywhere service. The request is signed by the private key whose path can be provided with the `--private-key` parameter. Currently, only plaintext private keys are supported. Other parameters include `--certificate` (the path to the end-entity certificate), `--role-arn` (the ARN of the role to obtain temporary credentials for), `--profile-arn` (the ARN of the profile that provides a mapping for the specified role), and `--trust-anchor-arn` (the ARN of the trust anchor used to authenticate). Optional parameters that can be used are `--debug` (to provide debugging output about the request sent), `--no-verify-ssl` (to skip verification of the SSL certificate on the endpoint called), `--intermediates` (the path to intermediate certificates), `--with-proxy` (to make the binary proxy aware), `--endpoint` (the endpoint to call), `--region` (the region to scope the request to), and `--session-duration` (the duration of the vended session). Instead of passing in paths to the plaintext private key on your file system, another option could be to use the [PKCS#11 integration](#pkcs11-integration) (using the `--pkcs11-pin` flag to locate objects in PKCS#11 tokens) or (depending on your OS) use the `--cert-selector` flag. More details about the `--cert-selector` flag can be found in [this section](#cert-selector-flag). 
 
 Note that if more than one certificate matches the `--cert-selector` parameter within the OS-specific secure store, the `credential-process` command will fail. To find the list of certificates that match a given `--cert-selector` parameter, you can use the same flag with the `read-certificate-data` command.
 
+Also note that in Windows, if you would like the credential helper to search a system certificate store other than "MY" ("MY" will be the default) in the `CERT_SYSTEM_STORE_CURRENT_USER` context, you can specify the name of the certificate store through the `--system-store-name` flag. It's not possible for the credential helper to search multiple Windows system certificate stores at once currently. But it will indirectly search certificate stores in the `CERT_SYSTEM_STORE_LOCAL_MACHINE` context since all current user certificate stores will inherit contents of local machine certificate stores. The only exception to this rule is the Current User/Personal ("MY") store. Please see the [Microsoft documentation](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores?source=recommendations) for more details. 
+
 When `credential-process` is used, AWS SDKs store the returned AWS credentials in memory. AWS SDKs will keep track of the credential expiration and generate new AWS session credentials via the credential process, provided the certificate has not expired or been revoked.
 
 When the AWS CLI uses a `credential-process`, the AWS CLI calls the `credential-process` for every CLI command issued, which will result in the creation of a new role session and a slight delay when excuting commands. To avoid this delay from getting new credentials when using the AWS CLI, you can use `serve` or `update`.

aws_signing_helper/signer.go

@@ -36,15 +36,25 @@ type SignerParams struct {
 }
 
 type CertIdentifier struct {
-	Subject      string
-	Issuer       string
-	SerialNumber *big.Int
+	Subject         string
+	Issuer          string
+	SerialNumber    *big.Int
+	SystemStoreName string // Only relevant in the case of Windows
 }
 
 var (
 	// ErrUnsupportedHash is returned by Signer.Sign() when the provided hash
 	// algorithm isn't supported.
 	ErrUnsupportedHash = errors.New("unsupported hash algorithm")
+
+	// Predefined system store names.
+	// See: https://learn.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations
+	SystemStoreNames = []string{
+		"MY",
+		"Root",
+		"Trust",
+		"CA",
+	}
 )
 
 // Interface that all signers will have to implement

aws_signing_helper/windows_cert_store_signer.go

@@ -142,10 +142,11 @@ func (secStatus securityStatus) Error() string {
 	return fmt.Sprintf("SECURITY_STATUS %d", int(secStatus))
 }
 
-// Gets the certificates that match the given CertIdentifier within the user's "MY" certificate store.
+// Gets the certificates that match the given CertIdentifier within the user's specified system
+// certificate store. By default, that is "MY".
 // If there is only a single matching certificate, then its chain will be returned too
 func GetMatchingCertsAndChain(certIdentifier CertIdentifier) (store windows.Handle, certCtx *windows.CertContext, certChain []*x509.Certificate, certContainers []CertificateContainer, err error) {
-	storeName, err := windows.UTF16PtrFromString("MY")
+	storeName, err := windows.UTF16PtrFromString(certIdentifier.SystemStoreName)
 	if err != nil {
 		return 0, nil, nil, nil, errors.New("unable to UTF-16 encode personal certificate store name")
 	}

cmd/credentials.go

@@ -27,6 +27,7 @@ var (
 	privateKeyId        string
 	certificateBundleId string
 	certSelector        string
+	systemStoreName     string
 
 	libPkcs11 string
 
@@ -65,14 +66,20 @@ func initCredentialsSubCommand(subCmd *cobra.Command) {
 	subCmd.PersistentFlags().StringVar(&certificateBundleId, "intermediates", "", "Path to intermediate certificate bundle file")
 	subCmd.PersistentFlags().StringVar(&certSelector, "cert-selector", "", "JSON structure to identify a certificate from a certificate store. "+
 		"Can be passed in either as string or a file name (prefixed by \"file://\")")
+	subCmd.PersistentFlags().StringVar(&systemStoreName, "system-store-name", "MY", "Name of the system store to search for within the "+
+		"CERT_SYSTEM_STORE_CURRENT_USER context. Note that this flag is only relevant for Windows certificate stores and will be ignored otherwise")
 	subCmd.PersistentFlags().StringVar(&libPkcs11, "pkcs11-lib", "", "Library for smart card / cryptographic device (OpenSC or vendor specific)")
 	subCmd.PersistentFlags().BoolVar(&reusePin, "reuse-pin", false, "Use the CKU_USER PIN as the CKU_CONTEXT_SPECIFIC PIN for "+
 		"private key objects, when they are first used to sign. If the CKU_USER PIN doesn't work as the CKU_CONTEXT_SPECIFIC PIN "+
 		"for a given private key object, fall back to prompting the user")
 
+	subCmd.MarkFlagsMutuallyExclusive("certificate", "cert-selector")
+	subCmd.MarkFlagsMutuallyExclusive("certificate", "system-store-name")
 	subCmd.MarkFlagsMutuallyExclusive("private-key", "cert-selector")
+	subCmd.MarkFlagsMutuallyExclusive("private-key", "system-store-name")
 	subCmd.MarkFlagsMutuallyExclusive("cert-selector", "intermediates")
 	subCmd.MarkFlagsMutuallyExclusive("cert-selector", "reuse-pin")
+	subCmd.MarkFlagsMutuallyExclusive("system-store-name", "reuse-pin")
 }
 
 // Parses a cert selector string to a map
@@ -173,9 +180,12 @@ func PopulateCertIdentifierFromCertSelectorStr(certSelectorStr string) (helper.C
 
 // Populates a CertIdentifier using a cert selector
 // Note that this method can take in a file name as a the cert selector
-func PopulateCertIdentifier(certSelector string) (helper.CertIdentifier, error) {
-	var certIdentifier helper.CertIdentifier
-	var err error
+func PopulateCertIdentifier(certSelector string, systemStoreName string) (helper.CertIdentifier, error) {
+	var (
+		certIdentifier helper.CertIdentifier
+		err            error
+	)
+
 	if certSelector != "" {
 		if strings.HasPrefix(certSelector, "file://") {
 			certSelectorFile, err := ioutil.ReadFile(strings.TrimPrefix(certSelector, "file://"))
@@ -193,13 +203,24 @@ func PopulateCertIdentifier(certSelector string) (helper.CertIdentifier, error)
 			}
 		}
 	}
+	matchedPredefinedSystemStoreName := false
+	for _, predefinedSystemStoreName := range helper.SystemStoreNames {
+		if strings.EqualFold(systemStoreName, predefinedSystemStoreName) {
+			certIdentifier.SystemStoreName = predefinedSystemStoreName
+			matchedPredefinedSystemStoreName = true
+			break
+		}
+	}
+	if !matchedPredefinedSystemStoreName {
+		certIdentifier.SystemStoreName = systemStoreName
+	}
 
 	return certIdentifier, err
 }
 
 // Populate CredentialsOpts that is used to aggregate all the information required to call CreateSession
 func PopulateCredentialsOptions() error {
-	certIdentifier, err := PopulateCertIdentifier(certSelector)
+	certIdentifier, err := PopulateCertIdentifier(certSelector, systemStoreName)
 	if err != nil {
 		return err
 	}

cmd/credentials_test.go

@@ -18,7 +18,7 @@ func TestValidSelectorParsing(t *testing.T) {
 		"Key=x509Issuer,Value=CN=Issuer",
 	}
 	for _, fixture := range fixtures {
-		_, err := PopulateCertIdentifier(fixture)
+		_, err := PopulateCertIdentifier(fixture, "MY")
 		if err != nil {
 			t.Log("Unable to populate cert identifier from selector")
 			t.Fail()
@@ -36,7 +36,7 @@ func TestInvalidSelectorParsing(t *testing.T) {
 		"Key=aljsdf,Value=aljsdfadsf",
 	}
 	for _, fixture := range fixtures {
-		_, err := PopulateCertIdentifier(fixture)
+		_, err := PopulateCertIdentifier(fixture, "MY")
 		if err == nil {
 			t.Log("Expected parsing failure, but received none")
 			t.Fail()

cmd/read_certificate_data.go

@@ -18,8 +18,13 @@ func init() {
 	readCertificateDataCmd.PersistentFlags().StringVar(&certificateId, "certificate", "", "Path to certificate file")
 	readCertificateDataCmd.PersistentFlags().StringVar(&certSelector, "cert-selector", "", "JSON structure to identify a certificate from a certificate store."+
 		" Can be passed in either as string or a file name (prefixed by \"file://\")")
+	readCertificateDataCmd.PersistentFlags().StringVar(&systemStoreName, "system-store-name", "MY", "Name of the system store to search for within the "+
+		"CERT_SYSTEM_STORE_CURRENT_USER context. Note that this flag is only relevant for Windows certificate stores and will be ignored otherwise")
 	readCertificateDataCmd.PersistentFlags().StringVar(&libPkcs11, "pkcs11-lib", "", "Library for smart card / cryptographic device (OpenSC or vendor specific)")
 	readCertificateDataCmd.PersistentFlags().BoolVar(&debug, "debug", false, "To print debug output")
+
+	readCertificateDataCmd.MarkFlagsMutuallyExclusive("certificate", "cert-selector")
+	readCertificateDataCmd.MarkFlagsMutuallyExclusive("certificate", "system-store-name")
 }
 
 type PrintCertificate func(int, helper.CertificateContainer)
@@ -43,7 +48,7 @@ var readCertificateDataCmd = &cobra.Command{
 	Long: `Diagnostic command to read certificate data, either from files or 
     from a certificate store`,
 	Run: func(cmd *cobra.Command, args []string) {
-		certIdentifier, err := PopulateCertIdentifier(certSelector)
+		certIdentifier, err := PopulateCertIdentifier(certSelector, systemStoreName)
 		if err != nil {
 			log.Println("unable to populate CertIdentifier")
 			os.Exit(1)
@@ -62,7 +67,7 @@ var readCertificateDataCmd = &cobra.Command{
 				log.Println(err)
 				os.Exit(1)
 			}
-		} else if certificateId != "" && certIdentifier == (helper.CertIdentifier{}) {
+		} else if certificateId != "" {
 			data, err := helper.ReadCertificateData(certificateId)
 			if err != nil {
 				os.Exit(1)
@@ -82,9 +87,13 @@ var readCertificateDataCmd = &cobra.Command{
 				os.Exit(1)
 			}
 		}
-		fmt.Printf("Matching identities\n")
-		for index, certContainer := range certContainers {
-			printFunction(index, certContainer)
+		if len(certContainers) == 0 {
+			fmt.Println("No matching identities")
+		} else {
+			fmt.Println("Matching identities")
+			for index, certContainer := range certContainers {
+				printFunction(index, certContainer)
+			}
 		}
 	},
 }

cmd/sign_string.go

@@ -73,17 +73,26 @@ func init() {
 	rootCmd.AddCommand(signStringCmd)
 	format = newEnum([]string{"json", "text", "bin"}, "json")
 	digestArg = newEnum([]string{"SHA256", "SHA384", "SHA512"}, "SHA256")
-	signStringCmd.PersistentFlags().StringVar(&certificateId, "certificate", "", "Path to certificate file or PKCS#11 URI to identify the certificate")
+	signStringCmd.PersistentFlags().StringVar(&certificateId, "certificate", "", "PKCS#11 URI to identify the certificate")
 	signStringCmd.PersistentFlags().StringVar(&privateKeyId, "private-key", "", "Path to private key file or PKCS#11 URI to identify the private key")
 	signStringCmd.PersistentFlags().BoolVar(&debug, "debug", false, "To print debug output")
 	signStringCmd.PersistentFlags().StringVar(&certSelector, "cert-selector", "", "JSON structure to identify a certificate from a certificate store. "+
 		"Can be passed in either as string or a file name (prefixed by \"file://\")")
+	signStringCmd.PersistentFlags().StringVar(&systemStoreName, "system-store-name", "MY", "Name of the system store to search for within the "+
+		"CERT_SYSTEM_STORE_CURRENT_USER context. Note that this flag is only relevant for Windows certificate stores and will be ignored otherwise")
 	signStringCmd.PersistentFlags().StringVar(&libPkcs11, "pkcs11-lib", "", "Library for smart card / cryptographic device (default: p11-kit-proxy.{so, dll, dylib})")
 	signStringCmd.PersistentFlags().BoolVar(&reusePin, "reuse-pin", false, "Use the CKU_USER PIN as the CKU_CONTEXT_SPECIFIC PIN for "+
 		"private key objects, when they are first used to sign. If the CKU_USER PIN doesn't work as the CKU_CONTEXT_SPECIFIC PIN "+
 		"for a given private key object, fall back to prompting the user")
 	signStringCmd.PersistentFlags().Var(format, "format", "Output format. One of json, text, and bin")
 	signStringCmd.PersistentFlags().Var(digestArg, "digest", "One of SHA256, SHA384, and SHA512")
+
+	signStringCmd.MarkFlagsMutuallyExclusive("certificate", "cert-selector")
+	signStringCmd.MarkFlagsMutuallyExclusive("certificate", "system-store-name")
+	signStringCmd.MarkFlagsMutuallyExclusive("private-key", "cert-selector")
+	signStringCmd.MarkFlagsMutuallyExclusive("private-key", "system-store-name")
+	signStringCmd.MarkFlagsMutuallyExclusive("cert-selector", "reuse-pin")
+	signStringCmd.MarkFlagsMutuallyExclusive("system-store-name", "reuse-pin")
 }
 
 func getFixedStringToSign(publicKey crypto.PublicKey) string {