electron/atom/browser/ui/certificate_trust_win.cc

// Copyright (c) 2017 GitHub, Inc.
// Use of this source code is governed by the MIT license that can be
// found in the LICENSE file.

#include "atom/browser/ui/certificate_trust.h"

#include <windows.h>  // windows.h must be included first

#include <wincrypt.h>

#include "base/callback.h"
#include "net/cert/cert_database.h"
#include "net/cert/x509_util_win.h"

namespace certificate_trust {

// Add the provided certificate to the Trusted Root Certificate Authorities
// store for the current user.
//
// This requires prompting the user to confirm they trust the certificate.
BOOL AddToTrustedRootStore(const PCCERT_CONTEXT cert_context,
                           const scoped_refptr<net::X509Certificate>& cert) {
  auto root_cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL,
                                       CERT_SYSTEM_STORE_CURRENT_USER, L"Root");

  if (root_cert_store == NULL) {
    return false;
  }

  auto result = CertAddCertificateContextToStore(
      root_cert_store, cert_context, CERT_STORE_ADD_REPLACE_EXISTING, NULL);

  if (result) {
    // force Chromium to reload it's database for this certificate
    auto cert_db = net::CertDatabase::GetInstance();
    cert_db->NotifyObserversCertDBChanged();
  }

  CertCloseStore(root_cert_store, CERT_CLOSE_STORE_FORCE_FLAG);

  return result;
}

CERT_CHAIN_PARA GetCertificateChainParameters() {
  CERT_ENHKEY_USAGE enhkey_usage;
  enhkey_usage.cUsageIdentifier = 0;
  enhkey_usage.rgpszUsageIdentifier = NULL;

  CERT_USAGE_MATCH cert_usage;
  // ensure the rules are applied to the entire chain
  cert_usage.dwType = USAGE_MATCH_TYPE_AND;
  cert_usage.Usage = enhkey_usage;

  CERT_CHAIN_PARA params = {sizeof(CERT_CHAIN_PARA)};
  params.RequestedUsage = cert_usage;

  return params;
}

void ShowCertificateTrust(atom::NativeWindow* parent_window,
                          const scoped_refptr<net::X509Certificate>& cert,
                          const std::string& message,
                          const ShowTrustCallback& callback) {
  PCCERT_CHAIN_CONTEXT chain_context;

  auto cert_context = net::x509_util::CreateCertContextWithChain(cert.get());

  auto params = GetCertificateChainParameters();

  if (CertGetCertificateChain(NULL, cert_context.get(), NULL, NULL, &params,
                              NULL, NULL, &chain_context)) {
    auto error_status = chain_context->TrustStatus.dwErrorStatus;
    if (error_status == CERT_TRUST_IS_SELF_SIGNED ||
        error_status == CERT_TRUST_IS_UNTRUSTED_ROOT) {
      // these are the only scenarios we're interested in supporting
      AddToTrustedRootStore(cert_context.get(), cert);
    }

    CertFreeCertificateChain(chain_context);
  }

  callback.Run();
}

}  // namespace certificate_trust
it's 2017 get with the times 2017-04-29 19:29:07 +10:00			`// Copyright (c) 2017 GitHub, Inc.`
stub the windows source file 2017-04-06 11:01:58 +10:00			`// Use of this source code is governed by the MIT license that can be`
			`// found in the LICENSE file.`

			`#include "atom/browser/ui/certificate_trust.h"`

Include missing "windows.h" and fix headers ordering For PCWSTR on line 198. 2018-04-19 14:27:57 +02:00			`#include <windows.h> // windows.h must be included first`

a first pass at the script to import the certificate for Windows 2017-04-20 21:12:32 +10:00			`#include <wincrypt.h>`
stub the windows source file 2017-04-06 11:01:58 +10:00
and this is how we invoke the callback 2017-04-21 12:47:11 +10:00			`#include "base/callback.h"`
reload the current cert database if the certificate was added 2017-04-24 11:10:41 +10:00			`#include "net/cert/cert_database.h"`
Fixed moved cert x509 function issue on Windows 2017-09-21 13:24:57 +00:00			`#include "net/cert/x509_util_win.h"`
and this is how we invoke the callback 2017-04-21 12:47:11 +10:00
stub the windows source file 2017-04-06 11:01:58 +10:00			`namespace certificate_trust {`

tighten up indenting 2017-04-27 15:01:55 +10:00			`// Add the provided certificate to the Trusted Root Certificate Authorities`
			`// store for the current user.`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00			`//`
tighten up indenting 2017-04-27 15:01:55 +10:00			`// This requires prompting the user to confirm they trust the certificate.`
underscore case all the things 2017-04-29 19:28:42 +10:00			`BOOL AddToTrustedRootStore(const PCCERT_CONTEXT cert_context,`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00			`const scoped_refptr<net::X509Certificate>& cert) {`
also format missing .cc files 2018-04-17 21:55:30 -04:00			`auto root_cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL,`
			`CERT_SYSTEM_STORE_CURRENT_USER, L"Root");`
clean up the code a bit 2017-04-24 11:49:55 +10:00
underscore case all the things 2017-04-29 19:28:42 +10:00			`if (root_cert_store == NULL) {`
tighten up indenting 2017-04-27 15:01:55 +10:00			`return false;`
			`}`
clean up the code a bit 2017-04-24 11:49:55 +10:00
focus on the self-signed certificate flow here 2017-04-27 15:06:23 +10:00			`auto result = CertAddCertificateContextToStore(`
also format missing .cc files 2018-04-17 21:55:30 -04:00			`root_cert_store, cert_context, CERT_STORE_ADD_REPLACE_EXISTING, NULL);`
reload the current cert database if the certificate was added 2017-04-24 11:10:41 +10:00
focus on the self-signed certificate flow here 2017-04-27 15:06:23 +10:00			`if (result) {`
			`// force Chromium to reload it's database for this certificate`
			`auto cert_db = net::CertDatabase::GetInstance();`
Update NotifyObserversCertDBChanged call to take no arguments 2017-05-10 10:05:48 -07:00			`cert_db->NotifyObserversCertDBChanged();`
tighten up indenting 2017-04-27 15:01:55 +10:00			`}`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00
underscore case all the things 2017-04-29 19:28:42 +10:00			`CertCloseStore(root_cert_store, CERT_CLOSE_STORE_FORCE_FLAG);`
tighten up indenting 2017-04-27 15:01:55 +10:00
			`return result;`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00			`}`

			`CERT_CHAIN_PARA GetCertificateChainParameters() {`
underscore case all the things 2017-04-29 19:28:42 +10:00			`CERT_ENHKEY_USAGE enhkey_usage;`
			`enhkey_usage.cUsageIdentifier = 0;`
			`enhkey_usage.rgpszUsageIdentifier = NULL;`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00
underscore case all the things 2017-04-29 19:28:42 +10:00			`CERT_USAGE_MATCH cert_usage;`
tighten up indenting 2017-04-27 15:01:55 +10:00			`// ensure the rules are applied to the entire chain`
underscore case all the things 2017-04-29 19:28:42 +10:00			`cert_usage.dwType = USAGE_MATCH_TYPE_AND;`
			`cert_usage.Usage = enhkey_usage;`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00
also format missing .cc files 2018-04-17 21:55:30 -04:00			`CERT_CHAIN_PARA params = {sizeof(CERT_CHAIN_PARA)};`
underscore case all the things 2017-04-29 19:28:42 +10:00			`params.RequestedUsage = cert_usage;`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00
tighten up indenting 2017-04-27 15:01:55 +10:00			`return params;`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00			`}`

			`void ShowCertificateTrust(atom::NativeWindow* parent_window,`
			`const scoped_refptr<net::X509Certificate>& cert,`
			`const std::string& message,`
			`const ShowTrustCallback& callback) {`
underscore case all the things 2017-04-29 19:28:42 +10:00			`PCCERT_CHAIN_CONTEXT chain_context;`
tighten up indenting 2017-04-27 15:01:55 +10:00
Fixed moved cert x509 function issue on Windows 2017-09-21 13:24:57 +00:00			`auto cert_context = net::x509_util::CreateCertContextWithChain(cert.get());`
tighten up indenting 2017-04-27 15:01:55 +10:00
			`auto params = GetCertificateChainParameters();`

also format missing .cc files 2018-04-17 21:55:30 -04:00			`if (CertGetCertificateChain(NULL, cert_context.get(), NULL, NULL, &params,`
			`NULL, NULL, &chain_context)) {`
underscore case all the things 2017-04-29 19:28:42 +10:00			`auto error_status = chain_context->TrustStatus.dwErrorStatus;`
:art: 2017-05-03 16:22:56 -07:00			`if (error_status == CERT_TRUST_IS_SELF_SIGNED \|\|`
			`error_status == CERT_TRUST_IS_UNTRUSTED_ROOT) {`
			`// these are the only scenarios we're interested in supporting`
Fixed moved cert x509 function issue on Windows 2017-09-21 13:24:57 +00:00			`AddToTrustedRootStore(cert_context.get(), cert);`
actually validate the chain before adding 2017-04-27 14:44:58 +10:00			`}`
a first pass at the script to import the certificate for Windows 2017-04-20 21:12:32 +10:00
underscore case all the things 2017-04-29 19:28:42 +10:00			`CertFreeCertificateChain(chain_context);`
tighten up indenting 2017-04-27 15:01:55 +10:00			`}`

			`callback.Run();`
and use the same signature for Windows 2017-04-06 11:09:58 +10:00			`}`
stub the windows source file 2017-04-06 11:01:58 +10:00
			`} // namespace certificate_trust`