
Allow locating certificates using issuer + subject CN in CAPI KMS. #696


Merged
merged 13 commits into from
May 1, 2025

Conversation

joshdrake
Contributor

@joshdrake joshdrake commented Feb 7, 2025

This PR provides support for a cn argument in CAPIKMS URIs. It must be provided in conjunction with the issuer name. Since these parameters may not be enough to uniquely identify certificates, the first certificate matching the criteria is returned.

💔Thank you!

@joshdrake joshdrake marked this pull request as draft February 7, 2025 15:57
@maraino maraino self-requested a review April 30, 2025 23:05
@maraino maraino marked this pull request as ready for review April 30, 2025 23:05
return uintptr(kh), nil
}

func cryptFindCertificateKeyContainerName(certContext *windows.CertContext) (string, error) {
Contributor Author

@joshdrake joshdrake May 1, 2025


@maraino This function is not currently used, and I think it will ultimately need to change a bit, but I'm leaving it in. Right now, it will populate the certificate context when the DLL calls succeed, and the error handling is now correct based on feedback.

@joshdrake joshdrake requested a review from maraino May 1, 2025 16:37
Contributor

@maraino maraino left a comment


lgtm

Comment on lines +968 to +970
if rsaOpts.SaltLength == rsa.PSSSaltLengthEqualsHash {
	rsaOpts.SaltLength = rsaOpts.Hash.Size()
}
Contributor


Not critical, I can do this later, but when SaltLength is rsa.PSSSaltLengthAuto the salt length is:

(modulus_key_size - 1 + 7)/8 - hash_length - 2

For example, for a 4096-bit modulus key and SHA256 it should be:

(4096 - 1 + 7)/8 - 32 - 2 = 478

See https://golang.org/cl/302230
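A worked version of the salt-length mapping discussed in the comment above, added here as an example and not code from this PR or the project: it resolves Go's rsa.PSSOptions sentinels (PSSSaltLengthAuto, PSSSaltLengthEqualsHash) into the explicit byte count a CNG/CAPI-style signing call needs, then checks the Auto rule against a signature produced by the standard library. The function names effectiveSaltLength and autoSaltMatchesGo are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// effectiveSaltLength resolves the rsa.PSSOptions.SaltLength sentinels into the explicit byte
// count a CNG/CAPI-style API needs; Auto uses the review comment's (modBits-1+7)/8 - hashLen - 2.
func effectiveSaltLength(opts *rsa.PSSOptions, modBits int) (int, error) {
	hashLen := opts.Hash.Size()
	sLen := opts.SaltLength
	switch sLen {
	case rsa.PSSSaltLengthAuto: // largest salt that fits the encoded message (RFC 8017 9.1.1)
		sLen = (modBits-1+7)/8 - hashLen - 2
	case rsa.PSSSaltLengthEqualsHash:
		sLen = hashLen
	}
	if sLen < 0 {
		return 0, fmt.Errorf("no valid salt length for %d-bit modulus, %d-byte hash, option %d", modBits, hashLen, opts.SaltLength)
	}
	return sLen, nil
}

// autoSaltMatchesGo signs with PSSSaltLengthAuto via crypto/rsa and verifies with the computed
// explicit length; VerifyPSS rejects any other salt size, so success proves the formula matches Go.
func autoSaltMatchesGo(key *rsa.PrivateKey) (int, error) {
	digest := sha256.Sum256([]byte("constructed test message"))
	auto := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthAuto, Hash: crypto.SHA256}
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], auto)
	if err != nil {
		return 0, err
	}
	sLen, err := effectiveSaltLength(auto, key.N.BitLen())
	if err != nil {
		return 0, err
	}
	explicit := &rsa.PSSOptions{SaltLength: sLen, Hash: crypto.SHA256}
	if err := rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], sig, explicit); err != nil {
		return 0, fmt.Errorf("salt length %d rejected: %w", sLen, err)
	}
	return sLen, nil
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(autoSaltMatchesGo(key)) // 222 <nil>: (2048-1+7)/8 - 32 - 2
}
```

For the 4096-bit, SHA-256 case from the comment the same function returns 478.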

@maraino maraino merged commit 57b0893 into master May 1, 2025
12 checks passed
@maraino maraino deleted the josh/capi-find-by-issuer+cn branch May 1, 2025 18:51