author | Tim Smith <tsmith@chef.io> | 2021-02-04 14:11:49 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-04 14:11:49 -0800 |
commit | cf29be97a11a91e977b374c2eef426bc96b0e168 (patch) | |
tree | d4fbc71c1bdf82329c970303c51a395b9f259fd7 | |
parent | 4b7a0b8e02598b6ef6c2c9dbef53561a06d24be6 (diff) | |
parent | ef9a9904f5e0351b52ac645b4c1ec96797c98d3e (diff) | |
Merge pull request #10987 from chef/windows_cert_16
windows_certificate: Fix the user_store property to actually install certificates to the user store
-rw-r--r-- | Gemfile.lock | 2 | ||||
-rw-r--r-- | chef-universal-mingw32.gemspec | 2 | ||||
-rw-r--r-- | cspell.json | 4 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem | 36 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem | 73 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem | 35 | ||||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx | bin | 0 -> 4405 bytes | |||
-rw-r--r-- | kitchen-tests/cookbooks/end_to_end/recipes/windows.rb | 25 | ||||
-rw-r--r-- | lib/chef/resource/windows_certificate.rb | 64 |
9 files changed, 221 insertions, 20 deletions
diff --git a/Gemfile.lock b/Gemfile.lock
index 0548c8eed4..75ec2eb22f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -96,7 +96,7 @@ PATH
 tty-table (~> 0.11)
 uuidtools (>= 2.1.5, < 3.0)
 win32-api (~> 1.5.3)
- win32-certstore (~> 0.3)
+ win32-certstore (~> 0.5)
 win32-event (~> 0.6.1)
 win32-eventlog (= 0.6.3)
 win32-mmap (~> 0.4.1)
diff --git a/chef-universal-mingw32.gemspec b/chef-universal-mingw32.gemspec
index fa95de76f5..bfa2fab2a2 100644
--- a/chef-universal-mingw32.gemspec
+++ b/chef-universal-mingw32.gemspec
@@ -14,7 +14,7 @@ gemspec.add_dependency "win32-service", ">= 2.1.5", "< 3.0"
 gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
-gemspec.add_dependency "win32-certstore", "~> 0.3"
+gemspec.add_dependency "win32-certstore", "~> 0.5" # 0.5+ required for specifying user vs. system store
 
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
diff --git a/cspell.json b/cspell.json
index a55b2bfc40..a96f5ec54b 100644
--- a/cspell.json
+++ b/cspell.json
@@ -14,6 +14,7 @@
 "dictionaries": ["chef"],
 // words - list of words to be always considered correct
 "words": [
+ "northwindbaking",
 "abcz",
 "Abdulin",
 "ABORTIFHUNG",
@@ -567,6 +568,7 @@
 "getremotelogin",
 "getspnam",
 "gettext",
+ "GETTHUMBPRINTCODE",
 "gettimezone",
 "gettype",
 "gids",
@@ -1911,7 +1913,7 @@
 "lib/chef/provider/package/yum/simplejson/**/*",
 "lib/chef/provider/package/yum/simplejson/*",
 "omnibus/resources/chef/**/*",
- "kitchen-tests/cookbooks/end_to_end/files/*",
+ "kitchen-tests/cookbooks/end_to_end/files/**/*",
 "spec/**",
 "docs_site",
 "distro/ruby_bin_folder/**/*"
diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem b/kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem
new file mode 100644
index 0000000000..2bb30a7b18
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/files/certs/ca.cert.pem
@@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGRTCCBC2gAwIBAgIUKR+fpIUUvQMvhGba1Ky/ScpiysUwDQYJKoZIhvcNAQEL +BQAwgakxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRs +ZTEZMBcGA1UECgwQTm9ydGh3aW5kIEJha2luZzEUMBIGA1UECwwLRW5naW5lZXJp +bmcxITAfBgNVBAMMGE5vcnRod2luZCBCYWtpbmcgUm9vdCBDQTEnMCUGCSqGSIb3 +DQEJARYYam9obi5tY2NyYWVAcHJvZ3Jlc3MuY29tMB4XDTIwMTIxODE3MTQxNloX +DTQwMTIxMzE3MTQxNlowgakxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEQMA4G +A1UEBwwHU2VhdHRsZTEZMBcGA1UECgwQTm9ydGh3aW5kIEJha2luZzEUMBIGA1UE +CwwLRW5naW5lZXJpbmcxITAfBgNVBAMMGE5vcnRod2luZCBCYWtpbmcgUm9vdCBD +QTEnMCUGCSqGSIb3DQEJARYYam9obi5tY2NyYWVAcHJvZ3Jlc3MuY29tMIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqQScpelNtPUrdX8K7kp8s0vLw9wB +VEEQ0hV/hIFWjLYORmFLP4MISsL/ESu9rdGvZktCkURIivSUF9iAIaxaydUFGNLo +lJY5LMb7Llezyy5C+W+xUUGlj9KIw6YBdXEFnaMrPDRJuPfoJREHn37U75KLlrM0 +SkYuAT5LDPXluJvB1iPpGixuaq8rmr+fSjhBZxnutJTFpnDcivzwPYmMsUrP6Hu7 +WB0Z8YrN0kv2Idw5LQikPoapnwgK4ygSiv0kIEKqsmLUG3V7NRyCE2SwMiBbRpyf +Ehhy5JmxcIIJNAAFRkbPeHs3THC9mZJXJe5IGV91V0Jjixn9E3as+k7JwqEwViO0 +43hEg9dvrw5kshmjZxU6/9qB7WR8DsCHPZF3x6n5Z23BDYTXFcKqza17LtfbGpKL +tPE/E5vYYogpXmNNEI55NcpTvexHrMpAasbqFysLSH0W9XKo7bmCKlaJbrMOPsyp +WLD5jbjQm6ieNB2D992VnQkOm66Hd6FldoJoUhF4MIQ+2fDDfUDTsqG/dPO6UBZL +vAnZAEQVkKq/1OWUizmx5WmC8b1Oyu3i+ghDFVuh3yKr/0RWdQdduGj98uMg6/jo +46VYq5f9F9phE5A3NW1VBX5foOXyTp5xFbMJmN9MSyrXq/NCcdw9GYAGLlPjCVyc +UpbazMzUyehfpzsCAwEAAaNjMGEwHQYDVR0OBBYEFLEKaqLFZyyT1nYDzMg/Vryr ++jVJMB8GA1UdIwQYMBaAFLEKaqLFZyyT1nYDzMg/Vryr+jVJMA8GA1UdEwEB/wQF +MAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQCSfXsBf5I3 +Lt5EDV73sC5hV3mcP7F+Betu0PeVCdDCKEIOve3hrV6cSpA8xoRY7kqWJ+bbR0HZ +/fX8bCOt3Em5SZXGQMSirEoZ+pYPz+YOZ2RKPcf/wZIshpLzZ23Z0D06Cyxt+M2f +fqRvEXXR5k4gPuikm+u/X16olBRI/ULW5IA3eri818JD840yjwxTu7a97rVKEhZR +PSORvvgWgtA7HPfibgJ7DBjbY9B8YSiq0RxaJsmSmh/zZ2i0SMjztLcTvmWs0o8m +3E42zVDXyy9A0fr9AoasyH17nHjKlAL6v6TfGvFDNgn5fIYELOrf+l1CD5Ij+coZ +w4QiVKREiPA26CNC9kYWqBXhAKEr31DvgVSSlZTDF35QpE0DofYKRRTQ8P68h8hM 
+vKqG7Wa3/9ZCeTK15CU9q8blZtcjF2dV1GKCs7WPCPct9DdQpkuSyuc9CQgiLhCR +ZxgxpXX15AOa/RI8qRla4MBw3j3YP9Z5q6NsG239NdyckPUGqJUIs+oyaBRcxA0o +QHG4JUWPBlOTxwOzfmMSZtCfcNuNOWK39s5pJiSyLPvaPCj3D79OKkskuO00lVAK +Es5m/VexGB/XnM9vTLn72YESxUfl0+nP+vyAqKletXnwf8C6wt004TgM/YIoC2zR +l4wX7Vl8hG7lYg3yEBoDQM3Ipq2V8S9G5A== +-----END CERTIFICATE----- diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem b/kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem new file mode 100644 index 0000000000..846bbf9dcb --- /dev/null +++ b/kitchen-tests/cookbooks/end_to_end/files/certs/chef.northwindbaking.com.chained.cert.pem 
@@ -0,0 +1,73 @@ +-----BEGIN CERTIFICATE----- +MIIGkDCCBHigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgZ8xCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJXQTEZMBcGA1UECgwQTm9ydGh3aW5kIEJha2luZzEUMBIGA1UE +CwwLRW5naW5lZXJpbmcxKTAnBgNVBAMMIE5vcnRod2luZCBCYWtpbmcgSW50ZXJt +ZWRpYXRlIENBMScwJQYJKoZIhvcNAQkBFhhqb2huLm1jY3JhZUBwcm9ncmVzcy5j +b20wHhcNMjAxMjE4MjM0MTI2WhcNMjExMjI4MjM0MTI2WjCBqTELMAkGA1UEBhMC +VVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMRkwFwYDVQQKDBBOb3J0 +aHdpbmQgQmFraW5nMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEhMB8GA1UEAwwYY2hl +Zi5ub3J0aHdpbmRiYWtpbmcuY29tMScwJQYJKoZIhvcNAQkBFhhqb2huLm1jY3Jh +ZUBwcm9ncmVzcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq +YMuo4lujFqZJq0awJ90RPVz28hmonIHi0lvHFj61q6yqYnTMg2ZzvEF4oJkkkPgJ +C6TgLcYM+cJlqoqOdemLJzs0fiYXO5mlmFslHKAkoLAGDHFQcgXrFpsFW7QjDxcC +XhgYHVD4usl+btMTKjvH8Vf1ElQZM1KEWIQRCuCXbz4tGow9tBsYV+HUJygHse5f +SY5tITEUwmfrFUHjOTqBophBWFRd/hFcmV4IGgEKEYk/POl6AsOCxnr3QBPj8B0d +ou/ETgCZ74c5yujfkm5GhN7iBawEGCl/38Xr6xxc7M+CkQMJajkpRjvXAtwWImwW +MgFcazlpXYrxcp8izEJLAgMBAAGjggHIMIIBxDAJBgNVHRMEAjAAMBEGCWCGSAGG ++EIBAQQEAwIGQDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2Vy +dmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBReJLWsKMwg+qRi6C3rlJJ/wFjIXDCB +1wYDVR0jBIHPMIHMgBTnmVEOPRX1Padx4GQtoVyXKFUigKGBr6SBrDCBqTELMAkG +A1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMRkwFwYDVQQK +DBBOb3J0aHdpbmQgQmFraW5nMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEhMB8GA1UE +AwwYTm9ydGh3aW5kIEJha2luZyBSb290IENBMScwJQYJKoZIhvcNAQkBFhhqb2hu +Lm1jY3JhZUBwcm9ncmVzcy5jb22CAhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE +DDAKBggrBgEFBQcDATBRBgNVHREESjBIghd3d3cubm9ydGh3aW5kYmFraW5nLmNv +bYITbm9ydGh3aW5kYmFraW5nLmNvbYIYY2hlZi5ub3J0aHdpbmRiYWtpbmcuY29t +MA0GCSqGSIb3DQEBCwUAA4ICAQBaCLsFRcwRqBafvBSaCfyaufigYE1tFZ9JSdZz +KpJeRz9xNoF79Hh+WlQb8tmS8/1w2OI4oRxkd9Gm+IzShSGzmOwRoAvTNp4p4znM +K79HOLxqQ5YZ4iYaSPzfHH7FNnzlA09Vm05Rj71W24wvJT7O0UO0BbCJDhFYpfQ7 +1DkVPG0ytIgz8jZI/mLLL9pwLO1vA7M36meL8XjnjXfQ1xt+N3NqaM5/t3ZLeMWH +Hi96tVP7CaK4N+uCKkg0zGoeamvLUPVQm8wCrCM2k6rNYJnmvwzLp8NnCTjCQzst 
+BnM35c/rnpljfFz9Qwjzkqvs5NLVZhu/YltWTpEIRSFScr3Wq4LYxF2TEgHu7QQ9 +HW4vY7vGByiWRNzD3A1ZAHPFg3sj+Fcx+XHI8F9gyUZ13wdZswmTGGAc1RfSgd/e +X7g/rixCSuPiKeqBQB62JkYH2nGcdNXHvJorMbw+aUI+Vg8i/tIgOxzHgxeY5uW8 +s7PSkLBX6kM3Oi4UaglDzv7FiezPG4uAKH/aYIEdv8bQMvjlrzfcjsYuJQfHTbu8 +cRpZpyG1lLp8fISe3RbxBX+1YplYZlTmeg0KRm88/ifg+Ru7z2mUMeEoDw5cpxKV +lJy3OLXr+EBa+nJyg/AextAmlJBwDg65Fi6rQUd14FvVK9jHkV/eO9fT8WuQaBBS +mbiXvA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGLDCCBBSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEZMBcGA1UECgwQTm9ydGh3 +aW5kIEJha2luZzEUMBIGA1UECwwLRW5naW5lZXJpbmcxITAfBgNVBAMMGE5vcnRo +d2luZCBCYWtpbmcgUm9vdCBDQTEnMCUGCSqGSIb3DQEJARYYam9obi5tY2NyYWVA +cHJvZ3Jlc3MuY29tMB4XDTIwMTIxODE3MjczNloXDTMwMTIxNjE3MjczNlowgZ8x +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEZMBcGA1UECgwQTm9ydGh3aW5kIEJh +a2luZzEUMBIGA1UECwwLRW5naW5lZXJpbmcxKTAnBgNVBAMMIE5vcnRod2luZCBC +YWtpbmcgSW50ZXJtZWRpYXRlIENBMScwJQYJKoZIhvcNAQkBFhhqb2huLm1jY3Jh +ZUBwcm9ncmVzcy5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDd +pjPv+HSfwiVhdCrA3xpMB3UM68GuFXKr9EPzTKexZVW+NPnFO7wSzxNZ2x9+IjRa +7xPhMdBm3nBSXLpg87NCzS5Z+bQBHPi8M2RlOXyDXYz/Nqh2UIAaodmlGEa7Fwkr +JgG9RBfuPZumtTWU1aTS4ldg3IyO/XpiNB+6p/XdgJOtYWKvfPO6KFjWkxouCSN3 +antHE9ZpB4L78rO+DK+n+UkXUDMLUFejxy2MCj1zmMqk9Qlt0RIobE/uvC05FNdE +9xmhQ4rROteY68miy938hIKLlRs/A+7Q8wUTgrTuPxQVi62+WHxdl/zewa9s7zlk +brQoIXhv6kQQ6ZiHRbjFvAsXcBD6tt0YKeILPMpRAPhgZJFjiS8qWz/28Nn3l2vt +6nQgVmauw/dJ3wyiNWQ/WuX8HpwzXZ76IiTBzpzaYA4qX1k/PfJQxRPCJBqjmWfa +bUb1PN6KM5/XYEBY2/VMFk/DdBo+PP8aDAOC37lmyyXYRRwyTyQxNaNUNdNXTWSv +mrqq8q4IvW4qPpSn4tf7bjiTAa/xNBIPTS+axXojOQ8wBJ4r0rnjLZaLkd5015p3 +WM0bFqvHRtNUgpKd7WAbz9ZZXbzJS/ofxtAHu1JcDYJZ0UlfFBJLPB8Px2dcvWu9 +8gqnTZzMXhFYOf3Kfg54w6Rx0xDof1lTDOgbZDNarQIDAQABo2YwZDAdBgNVHQ4E +FgQU55lRDj0V9T2nceBkLaFclyhVIoAwHwYDVR0jBBgwFoAUsQpqosVnLJPWdgPM +yD9WvKv6NUkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJ +KoZIhvcNAQELBQADggIBAIktkQHQruRdIcqRSTEeety+ws21E8cqZyCvbBS6iYiW 
+lGkXE1KtpT997doEYIqldL/q+PUhY3ruLMVEzd/zl16APVLIfQ94Y9/V+bQoiPTj +PTpNv713ItSrtFZGIqC1vOFfIwHkTETNpODNM0DXv79IEyz14/sVSsG/kE+qOHyw +B8DFgzAZWQ4Pa+17CePNeDuUjpE7lkThTL4qVZVZBFKG9UYya/xCvqRL3CKJ8nmD +EPZtl9fy+FdMswGaTBPb8mEuO/d2p7rv3cMHD0GMn6k052yTc9/XDrKu49rOq/cp +zRBn/By/vuk3kLPjxyj+kLJWdyAA6I78HgX4/785v0nDki/kM7H+q2UjIFotu4FG +O5VEgNM4GIWxF8Pjm9OdHnudopk4o+ODk8cAEdePIAl+jWY6bry0nCTKwvhPbtL+ +m1b3ZjZxe3tzHQUbAuCK9B8QDDwJJhsRNij+AcefD8Orwbh/5b9slzJcfcOxVd3L +9+ARIuOhUy4BbFWclxAPj56VHDti3yDi2JkjsfWHpZO/JXjzXBARMAHzR2KuT/IJ +lxYL48dtoY/DGqiwoUbcTIa4DSONkf1BTzvcK3AyISBUd5+/IO5SlMXvM6om7EsZ +KxD5nMoV3VepQUz7ZZEqcWx46kiWY/C8SOpAhcMd2ElKtbbBKd2tPKhKhKxCcLNe +-----END CERTIFICATE----- diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem b/kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem new file mode 100644 index 0000000000..d7e6b6d0a2 --- /dev/null +++ b/kitchen-tests/cookbooks/end_to_end/files/certs/intermediate.cert.pem 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGLDCCBBSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEZMBcGA1UECgwQTm9ydGh3 +aW5kIEJha2luZzEUMBIGA1UECwwLRW5naW5lZXJpbmcxITAfBgNVBAMMGE5vcnRo +d2luZCBCYWtpbmcgUm9vdCBDQTEnMCUGCSqGSIb3DQEJARYYam9obi5tY2NyYWVA +cHJvZ3Jlc3MuY29tMB4XDTIwMTIxODE3MjczNloXDTMwMTIxNjE3MjczNlowgZ8x +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJXQTEZMBcGA1UECgwQTm9ydGh3aW5kIEJh +a2luZzEUMBIGA1UECwwLRW5naW5lZXJpbmcxKTAnBgNVBAMMIE5vcnRod2luZCBC +YWtpbmcgSW50ZXJtZWRpYXRlIENBMScwJQYJKoZIhvcNAQkBFhhqb2huLm1jY3Jh +ZUBwcm9ncmVzcy5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDd +pjPv+HSfwiVhdCrA3xpMB3UM68GuFXKr9EPzTKexZVW+NPnFO7wSzxNZ2x9+IjRa +7xPhMdBm3nBSXLpg87NCzS5Z+bQBHPi8M2RlOXyDXYz/Nqh2UIAaodmlGEa7Fwkr +JgG9RBfuPZumtTWU1aTS4ldg3IyO/XpiNB+6p/XdgJOtYWKvfPO6KFjWkxouCSN3 +antHE9ZpB4L78rO+DK+n+UkXUDMLUFejxy2MCj1zmMqk9Qlt0RIobE/uvC05FNdE +9xmhQ4rROteY68miy938hIKLlRs/A+7Q8wUTgrTuPxQVi62+WHxdl/zewa9s7zlk +brQoIXhv6kQQ6ZiHRbjFvAsXcBD6tt0YKeILPMpRAPhgZJFjiS8qWz/28Nn3l2vt +6nQgVmauw/dJ3wyiNWQ/WuX8HpwzXZ76IiTBzpzaYA4qX1k/PfJQxRPCJBqjmWfa +bUb1PN6KM5/XYEBY2/VMFk/DdBo+PP8aDAOC37lmyyXYRRwyTyQxNaNUNdNXTWSv +mrqq8q4IvW4qPpSn4tf7bjiTAa/xNBIPTS+axXojOQ8wBJ4r0rnjLZaLkd5015p3 +WM0bFqvHRtNUgpKd7WAbz9ZZXbzJS/ofxtAHu1JcDYJZ0UlfFBJLPB8Px2dcvWu9 +8gqnTZzMXhFYOf3Kfg54w6Rx0xDof1lTDOgbZDNarQIDAQABo2YwZDAdBgNVHQ4E +FgQU55lRDj0V9T2nceBkLaFclyhVIoAwHwYDVR0jBBgwFoAUsQpqosVnLJPWdgPM +yD9WvKv6NUkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJ +KoZIhvcNAQELBQADggIBAIktkQHQruRdIcqRSTEeety+ws21E8cqZyCvbBS6iYiW +lGkXE1KtpT997doEYIqldL/q+PUhY3ruLMVEzd/zl16APVLIfQ94Y9/V+bQoiPTj +PTpNv713ItSrtFZGIqC1vOFfIwHkTETNpODNM0DXv79IEyz14/sVSsG/kE+qOHyw +B8DFgzAZWQ4Pa+17CePNeDuUjpE7lkThTL4qVZVZBFKG9UYya/xCvqRL3CKJ8nmD +EPZtl9fy+FdMswGaTBPb8mEuO/d2p7rv3cMHD0GMn6k052yTc9/XDrKu49rOq/cp +zRBn/By/vuk3kLPjxyj+kLJWdyAA6I78HgX4/785v0nDki/kM7H+q2UjIFotu4FG +O5VEgNM4GIWxF8Pjm9OdHnudopk4o+ODk8cAEdePIAl+jWY6bry0nCTKwvhPbtL+ 
+m1b3ZjZxe3tzHQUbAuCK9B8QDDwJJhsRNij+AcefD8Orwbh/5b9slzJcfcOxVd3L
+9+ARIuOhUy4BbFWclxAPj56VHDti3yDi2JkjsfWHpZO/JXjzXBARMAHzR2KuT/IJ
+lxYL48dtoY/DGqiwoUbcTIa4DSONkf1BTzvcK3AyISBUd5+/IO5SlMXvM6om7EsZ
+KxD5nMoV3VepQUz7ZZEqcWx46kiWY/C8SOpAhcMd2ElKtbbBKd2tPKhKhKxCcLNe
+-----END CERTIFICATE-----
diff --git a/kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx b/kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx
Binary files differ
new file mode 100644
index 0000000000..097c7075ff
--- /dev/null
+++ b/kitchen-tests/cookbooks/end_to_end/files/certs/steveb.pfx
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
index ea5f0f7421..7eeb4ef5be 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/windows.rb
@@ -114,3 +114,28 @@ end
 user "phil" do
 action :remove
 end
+
+directory 'C:\mordor' do
+ rights :full_control, "everyone"
+end
+
+cookbook_file "c:\\mordor\\steveb.pfx" do
+ source "/certs/steveb.pfx"
+ action :create_if_missing
+end
+
+windows_certificate "c:/mordor/steveb.pfx" do
+ pfx_password "1234"
+ action :create
+ user_store true
+ store_name "MY"
+end
+
+cookbook_file "c:\\mordor\\ca.cert.pem" do
+ source "/certs/ca.cert.pem"
+ action :create_if_missing
+end
+
+windows_certificate "c:/mordor/ca.cert.pem" do
+ store_name "ROOT"
+end
diff --git a/lib/chef/resource/windows_certificate.rb b/lib/chef/resource/windows_certificate.rb
index 5800fe0f45..0879f04636 100644
--- a/lib/chef/resource/windows_certificate.rb
+++ b/lib/chef/resource/windows_certificate.rb
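Review bot: `directory 'C:\mordor'` grants `rights :full_control, "everyone"` to the directory that then receives `steveb.pfx`, a private-key container whose `pfx_password "1234"` is also written in clear in the recipe; nothing in this test needs the Everyone grant, since the client that creates the directory already owns it. Drop the `rights` line (or scope it to the account the test runs under) so the fixture key does not sit in a world-writable directory on the test node. The resources also spell the same directory three ways — `'C:\mordor'`, `"c:\\mordor\\..."` and `"c:/mordor/..."` — pick one form. A one-line comment such as `# test-only certificate chain and PFX; the key and password are throwaway fixtures` would make the intent clear to whoever greps for the password later.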
@@ -76,7 +76,7 @@ class Chef
 default: "MY",
 equal_to: ["TRUSTEDPUBLISHER", "TrustedPublisher", "CLIENTAUTHISSUER", "REMOTE DESKTOP", "ROOT", "TRUSTEDDEVICES", "WEBHOSTING", "CA", "AUTHROOT", "TRUSTEDPEOPLE", "MY", "SMARTCARDROOT", "TRUST", "DISALLOWED"]
 property :user_store, [TrueClass, FalseClass],
- description: "Use the user store of the local machine store if set to false.",
+ description: "Use the `CurrentUser` store instead of the default `LocalMachine` store. Note: Prior to #{ChefUtils::Dist::Infra::CLIENT}. 16.10 this property was ignored.",
 default: false
 
 property :cert_path, String,
@@ -119,7 +119,7 @@ class Chef
 code_script << acl_script(hash)
 guard_script << cert_exists_script(hash)
 
- powershell_script "setting the acls on #{new_resource.source} in #{cert_location}\\#{new_resource.store_name}" do
+ powershell_script "setting the acls on #{new_resource.source} in #{ps_cert_location}\\#{new_resource.store_name}" do
 convert_boolean_return true
 code code_script
 only_if guard_script
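Review bot: The new `user_store` description has a stray period between the product name and the version, so it renders as "Prior to Chef Infra Client. 16.10"; the fragment should read `Prior to #{ChefUtils::Dist::Infra::CLIENT} 16.10 this property was ignored.`. Since this string is what the docs site publishes, it is worth a second look before merge. The enclosing resource class and the `property :store_name` definition whose `default`/`equal_to` lines open the hunk start outside it.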
@@ -161,25 +161,47 @@ class Chef
 end
 
 action_class do
+
+ CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
+ CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
+
 def add_cert(cert_obj)
- store = ::Win32::Certstore.open(new_resource.store_name)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
 store.add(cert_obj)
 end
 
 def add_pfx_cert
 exportable = new_resource.exportable ? 1 : 0
- store = ::Win32::Certstore.open(new_resource.store_name)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
 store.add_pfx(new_resource.source, new_resource.pfx_password, exportable)
 end
 
 def delete_cert
- store = ::Win32::Certstore.open(new_resource.store_name)
- store.delete(new_resource.source)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+ store.delete(resolve_thumbprint(new_resource.source))
 end
 
 def fetch_cert
- store = ::Win32::Certstore.open(new_resource.store_name)
- store.get(new_resource.source)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+ store.get(resolve_thumbprint(new_resource.source))
+ end
+
+ # Thumbprints should be exactly 40 Hex characters
+ def valid_thumbprint?(string)
+ string.scan(/\H/).empty? && string.length == 40
+ end
+
+ def get_thumbprint(store_name, location, source)
+ <<-GETTHUMBPRINTCODE
+ $content = Get-ChildItem -Path Cert:\\#{location}\\#{store_name} | Where-Object {$_.Subject -Match "#{source}"} | Select-Object Thumbprint
+ $content.thumbprint
+ GETTHUMBPRINTCODE
+ end
+
+ def resolve_thumbprint(thumbprint)
+ return thumbprint if valid_thumbprint?(thumbprint)
+
+ powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result
 end
 
 # Checks whether a certificate with the given thumbprint
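Review bot: `get_thumbprint` interpolates `source` straight into a double-quoted PowerShell string that is then used as a `-Match` regex, so a subject containing `"`, `$` or regex metacharacters (the `.` in every DNS-style CN) alters the script instead of being compared literally, and because `-Match` is an unanchored regex, `foo.com` also matches `notfoo.com` and `foo-com`. `resolve_thumbprint` then hands `.result` to `store.delete`/`store.get`/`store.valid?` unchecked: with no match that is nil, with several matches an Array, and for `delete_cert` that is a destructive call on whichever certificate happened to match first. Escape the subject and pass it single-quoted to PowerShell, select only the thumbprint property, and have `resolve_thumbprint` refuse to act on an ambiguous match. `valid_thumbprint?` can be written as `string.match?(/\A\h{40}\z/)`. The enclosing `action_class` block runs past the end of the hunk.
```ruby
      def get_thumbprint(store_name, location, source)
        # Single-quote the subject for PowerShell (no expansion; embedded quotes doubled) and
        # escape regex metacharacters so -Match compares the subject literally.
        subject = Regexp.escape(source).gsub("'", "''")
        <<-GETTHUMBPRINTCODE
          Get-ChildItem -Path Cert:\\#{location}\\#{store_name} | Where-Object {$_.Subject -Match '#{subject}'} | Select-Object -ExpandProperty Thumbprint
        GETTHUMBPRINTCODE
      end

      def resolve_thumbprint(thumbprint)
        return thumbprint if valid_thumbprint?(thumbprint)

        matches = Array(powershell_exec!(get_thumbprint(new_resource.store_name, ps_cert_location, new_resource.source)).result)
        # More than one hit is ambiguous; never delete/verify "the first one".
        raise "subject '#{new_resource.source}' matches #{matches.size} certificates in #{ps_cert_location}\\#{new_resource.store_name}; specify a thumbprint" if matches.size > 1

        # nil when nothing matched, which callers receive exactly as they do today.
        matches.first
      end
```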
@@ -187,9 +209,11 @@ class Chef
 # If the certificate is not present, verify_cert returns a String: "Certificate not found"
 # But if it is present but expired, it returns a Boolean: false
 # Otherwise, it returns a Boolean: true
+ # updated this method to accept either a subject name or a thumbprint - 1/29/2021
+
 def verify_cert(thumbprint = new_resource.source)
- store = ::Win32::Certstore.open(new_resource.store_name)
- store.valid?(thumbprint)
+ store = ::Win32::Certstore.open(new_resource.store_name, store_location: native_cert_location)
+ store.valid?(resolve_thumbprint(thumbprint))
 end
 
 def show_or_store_cert(cert_obj)
@@ -230,13 +254,19 @@ class Chef
 out_file.close
 end
 
- def cert_location
- @location ||= new_resource.user_store ? "CurrentUser" : "LocalMachine"
+ # this array structure is solving 2 problems. The first is that we need to have support for both the CurrentUser AND LocalMachine stores
+ # Secondly, we need to pass the proper constant name for each store to win32-certstore but also pass the short name to powershell scripts used here
+ def ps_cert_location
+ new_resource.user_store ? "CurrentUser" : "LocalMachine"
+ end
+
+ def native_cert_location
+ new_resource.user_store ? CERT_SYSTEM_STORE_CURRENT_USER : CERT_SYSTEM_STORE_LOCAL_MACHINE
 end
 
 def cert_script(persist)
 cert_script = "$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2"
- file = Chef::Util::PathHelper.cleanpath(new_resource.source)
+ file = Chef::Util::PathHelper.cleanpath(new_resource.source, ps_cert_location)
 cert_script << " \"#{file}\""
 if ::File.extname(file.downcase) == ".pfx"
 cert_script << ", \"#{new_resource.pfx_password}\""
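Review bot: The added `# updated this method to accept either a subject name or a thumbprint - 1/29/2021` is a changelog entry, not documentation; the date is stale after the next edit and git history already records when the change landed. Fold the fact into the contract comment above it, e.g. `# thumbprint may be a 40-hex thumbprint or a subject name; a subject name is resolved through resolve_thumbprint`, and drop the blank added line so the comment stays attached to `def verify_cert`. The enclosing `action_class` block starts before the hunk.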
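Review bot: `Chef::Util::PathHelper.cleanpath(new_resource.source, ps_cert_location)` passes the store location to a filesystem-path normaliser that has no notion of a certificate store; as far as I can tell from chef-config, `cleanpath` takes the path plus a `windows:` keyword, so a second positional string either raises ArgumentError when `cert_script` runs or, under an older signature, is ignored — in neither case does the location affect the path being built. Revert the line to `file = Chef::Util::PathHelper.cleanpath(new_resource.source)`; `cert_script`'s caller is outside the hunk, so the action that would hit this is not visible here. The comment above `ps_cert_location` also describes an "array structure" that does not exist in the new code; something like `# Two views of the store location: the PowerShell StoreLocation name (ps_cert_location) and the CERT_SYSTEM_STORE_* flag win32-certstore expects (native_cert_location)` says what the two helpers are for. If win32-certstore already exports those two flags, reuse them instead of the literals added in the earlier hunk.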
@@ -252,14 +282,14 @@ class Chef
 def cert_exists_script(hash)
 <<-EOH
 $hash = #{hash}
- Test-Path "Cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+ Test-Path "Cert:\\#{ps_cert_location}\\#{new_resource.store_name}\\$hash"
 EOH
 end
 
 def within_store_script
 inner_script = yield "$store"
 <<-EOH
- $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{cert_location})
+ $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "#{new_resource.store_name}", ([System.Security.Cryptography.X509Certificates.StoreLocation]::#{ps_cert_location})
 $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
 #{inner_script}
 $store.Close()
@@ -273,7 +303,7 @@ class Chef
 # and from https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778(v=vs.85).aspx
 set_acl_script = <<-EOH
 $hash = #{hash}
- $storeCert = Get-ChildItem "cert:\\#{cert_location}\\#{new_resource.store_name}\\$hash"
+ $storeCert = Get-ChildItem "cert:\\#{ps_cert_location}\\#{new_resource.store_name}\\$hash"
 if ($storeCert -eq $null) { throw 'no key exists.' }
 $keyname = $storeCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
 if ($keyname -eq $null) { throw 'no private key exists.' }
@@ -340,7 +370,7 @@ class Chef
 if verify_cert(thumbprint) == true
 Chef::Log.debug("Certificate is already present")
 else
- converge_by("Adding certificate #{new_resource.source} into Store #{new_resource.store_name}") do
+ converge_by("Adding certificate #{new_resource.source} into #{ps_cert_location} Store #{new_resource.store_name}") do
 if is_pfx
 add_pfx_cert
 else