Add support for loading user CA certs from a configurable Windows cert store.

kareem-wolfssl · kareem-wolfssl · commit e5df6ac6eec3 · 2024-11-15T16:04:04.000-07:00
diff --git a/apps/wolfsshd/configuration.c b/apps/wolfsshd/configuration.c
@@ -80,6 +80,9 @@ struct WOLFSSHD_CONFIG {
     char* authKeysFile;
     char* forceCmd;
     char* pidFile;
+    char* winUserStores;
+    char* winUserDwFlags;
+    char* winUserPvPara;
     WOLFSSHD_CONFIG* next; /* next config in list */
     long  loginTimer;
     word16 port;
@@ -90,6 +93,7 @@ struct WOLFSSHD_CONFIG {
     byte permitEmptyPasswords:1;
     byte authKeysFileSet:1; /* if not set then no explicit authorized keys */
     byte useSystemCA:1;
+    byte useUserCAStore:1;
 };
 
 int CountWhitespace(const char* in, int inSz, byte inv);
@@ -313,6 +317,9 @@ void wolfSSHD_ConfigFree(WOLFSSHD_CONFIG* conf)
         FreeString(&current->hostKeyFile,   heap);
         FreeString(&current->hostCertFile,  heap);
         FreeString(&current->pidFile,  heap);
+        FreeString(&current->winUserStores, heap);
+        FreeString(&current->winUserDwFlags, heap);
+        FreeString(&current->winUserPvPara, heap);
 
         WFREE(current, heap, DYNTYPE_SSHD);
         current = next;
@@ -352,9 +359,13 @@ enum {
     OPT_PIDFILE                 = 22,
     OPT_BANNER                  = 23,
     OPT_TRUSTED_SYSTEM_CA_KEYS  = 24,
+    OPT_TRUSTED_USER_CA_STORE   = 25,
+    OPT_WIN_USER_STORES         = 26,
+    OPT_WIN_USER_DW_FLAGS       = 27,
+    OPT_WIN_USER_PV_PARA        = 28
 };
 enum {
-    NUM_OPTIONS = 24
+    NUM_OPTIONS = 29
 };
 
 static const CONFIG_OPTION options[NUM_OPTIONS] = {
@@ -383,6 +394,10 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
     {OPT_TRUSTED_SYSTEM_CA_KEYS,  "TrustedSystemCAKeys"},
     {OPT_PIDFILE,                 "PidFile"},
     {OPT_BANNER,                  "Banner"},
+    {OPT_TRUSTED_USER_CA_STORE,   "TrustedUserCaStore"},
+    {OPT_WIN_USER_STORES,         "WinUserStores"},
+    {OPT_WIN_USER_DW_FLAGS,       "WinUserDwFlags"},
+    {OPT_WIN_USER_PV_PARA,        "WinUserPvPara"},
 };
 
 /* returns WS_SUCCESS on success */
@@ -1033,6 +1048,18 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
         case OPT_BANNER:
             ret = SetFileString(&(*conf)->banner, value, (*conf)->heap);
             break;
+        case OPT_TRUSTED_USER_CA_STORE:
+            ret = wolfSSHD_ConfigSetUserCAStore(*conf, value);
+            break;
+        case OPT_WIN_USER_STORES:
+            ret = wolfSSHD_ConfigSetWinUserStores(*conf, value);
+            break;
+        case OPT_WIN_USER_DW_FLAGS:
+            ret = wolfSSHD_ConfigSetWinUserDwFlags(*conf, value);
+            break;
+        case OPT_WIN_USER_PV_PARA:
+            ret = wolfSSHD_ConfigSetWinUserPvPara(*conf, value);
+            break;
         default:
             break;
     }
@@ -1352,6 +1379,119 @@ int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value)
     return ret;
 }
 
+/* getter function for if using user CA store
+ * return 1 if true and 0 if false */
+int wolfSSHD_ConfigGetUserCAStore(const WOLFSSHD_CONFIG* conf)
+{
+    if (conf != NULL) {
+        return conf->useUserCAStore;
+    }
+    return 0;
+}
+
+
+/* setter function for if using user CA store
+ * 'yes' if true and 'no' if false
+ * returns WS_SUCCESS on success */
+int wolfSSHD_ConfigSetUserCAStore(WOLFSSHD_CONFIG* conf, const char* value)
+{
+    int ret = WS_SUCCESS;
+
+    if (conf != NULL) {
+        if (WSTRCMP(value, "yes") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] User CA store enabled.  Note this "
+                                     "is currently only supported on Windows.");
+            conf->useUserCAStore = 1;
+        }
+        else if (WSTRCMP(value, "no") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] User CA store disabled");
+            conf->useUserCAStore = 0;
+        }
+        else {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] User CA store unexpected flag");
+            ret = WS_FATAL_ERROR;
+        }
+    }
+
+    return ret;
+}
+
+char* wolfSSHD_ConfigGetWinUserStores(WOLFSSHD_CONFIG* conf) {
+    if (conf != NULL) {
+        if (conf->winUserStores == NULL) {
+            /* If no value was specified, default to CERT_STORE_PROV_SYSTEM */
+            CreateString(&conf->winUserStores, "CERT_STORE_PROV_SYSTEM", 
+                         (int)WSTRLEN("CERT_STORE_PROV_SYSTEM"), conf->heap);
+        }
+
+        return conf->winUserStores;
+    }
+
+    return NULL;
+}
+
+int wolfSSHD_ConfigSetWinUserStores(WOLFSSHD_CONFIG* conf, const char* value) {
+    int ret = WS_SUCCESS;
+
+    if (conf == NULL) {
+        ret = WS_BAD_ARGUMENT;
+    }
+
+    ret = CreateString(&conf->winUserStores, value, (int)WSTRLEN(value), conf->heap);
+
+    return ret;
+}
+
+char* wolfSSHD_ConfigGetWinUserDwFlags(WOLFSSHD_CONFIG* conf) {
+    if (conf != NULL) {
+        if (conf->winUserDwFlags == NULL) {
+            /* If no value was specified, default to CERT_SYSTEM_STORE_CURRENT_USER */
+            CreateString(&conf->winUserDwFlags, "CERT_SYSTEM_STORE_CURRENT_USER", 
+                         (int)WSTRLEN("CERT_SYSTEM_STORE_CURRENT_USER"), conf->heap);
+        }
+
+        return conf->winUserDwFlags;
+    }
+
+    return NULL;
+}
+
+int wolfSSHD_ConfigSetWinUserDwFlags(WOLFSSHD_CONFIG* conf, const char* value) {
+    int ret = WS_SUCCESS;
+
+    if (conf == NULL) {
+        ret = WS_BAD_ARGUMENT;
+    }
+
+    ret = CreateString(&conf->winUserDwFlags, value, (int)WSTRLEN(value), conf->heap);
+
+    return ret;
+}
+
+char* wolfSSHD_ConfigGetWinUserPvPara(WOLFSSHD_CONFIG* conf) {
+    if (conf != NULL) {
+        if (conf->winUserPvPara == NULL) {
+            /* If no value was specified, default to MY */
+            CreateString(&conf->winUserPvPara, "MY", (int)WSTRLEN("MY"), conf->heap);
+        }
+
+        return conf->winUserPvPara;
+    }
+
+    return NULL;
+}
+
+int wolfSSHD_ConfigSetWinUserPvPara(WOLFSSHD_CONFIG* conf, const char* value) {
+    int ret = WS_SUCCESS;
+
+    if (conf == NULL) {
+        ret = WS_BAD_ARGUMENT;
+    }
+
+    ret = CreateString(&conf->winUserPvPara, value, (int)WSTRLEN(value), conf->heap);
+
+    return ret;
+}
 
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf)
 {
diff --git a/apps/wolfsshd/configuration.h b/apps/wolfsshd/configuration.h
@@ -44,6 +44,14 @@ int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file);
 int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file);
 int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value);
 int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf);
+int wolfSSHD_ConfigSetUserCAStore(WOLFSSHD_CONFIG* conf, const char* value);
+int wolfSSHD_ConfigGetUserCAStore(const WOLFSSHD_CONFIG* conf);
+char* wolfSSHD_ConfigGetWinUserStores(WOLFSSHD_CONFIG* conf);
+int wolfSSHD_ConfigSetWinUserStores(WOLFSSHD_CONFIG* conf, const char* value);
+char* wolfSSHD_ConfigGetWinUserDwFlags(WOLFSSHD_CONFIG* conf);
+int wolfSSHD_ConfigSetWinUserDwFlags(WOLFSSHD_CONFIG* conf, const char* value);
+char* wolfSSHD_ConfigGetWinUserPvPara(WOLFSSHD_CONFIG* conf);
+int wolfSSHD_ConfigSetWinUserPvPara(WOLFSSHD_CONFIG* conf, const char* value);
 int wolfSSHD_ConfigSetUserCAKeysFile(WOLFSSHD_CONFIG* conf, const char* file);
 word16 wolfSSHD_ConfigGetPort(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetAuthKeysFile(const WOLFSSHD_CONFIG* conf);
diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
@@ -423,9 +423,10 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
 #endif /* WOLFSSH_OSSH_CERTS || WOLFSSH_CERTS */
 
 #ifdef WOLFSSH_CERTS
-    /* check if loading in system CA certs */
+    /* check if loading in system and/or user CA certs */
     #ifdef WOLFSSL_SYS_CA_CERTS
-    if (ret == WS_SUCCESS && wolfSSHD_ConfigGetSystemCA(conf)) {
+    if (ret == WS_SUCCESS && (wolfSSHD_ConfigGetSystemCA(conf)
+                              || wolfSSHD_ConfigGetUserCAStore(conf))) {
         WOLFSSL_CTX* sslCtx;
 
         wolfSSH_Log(WS_LOG_INFO, "[SSHD] Using system CAs");
@@ -436,9 +437,23 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
         }
 
         if (ret == WS_SUCCESS) {
-            if (wolfSSL_CTX_load_system_CA_certs(sslCtx) != WOLFSSL_SUCCESS) {
-                wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading system CAs");
-                ret = WS_FATAL_ERROR;
+            if (wolfSSHD_ConfigGetSystemCA(conf)) {
+                if (wolfSSL_CTX_load_system_CA_certs(sslCtx) != WOLFSSL_SUCCESS) {
+                    wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading system CAs");
+                    ret = WS_FATAL_ERROR;
+                }
+            }
+        }
+
+        if (ret == WS_SUCCESS) {
+            if (wolfSSHD_ConfigGetUserCAStore(conf)) {
+                if (wolfSSL_CTX_load_windows_user_CA_certs(sslCtx,
+                    wolfSSHD_ConfigGetWinUserStores(conf),
+                    wolfSSHD_ConfigGetWinUserDwFlags(conf),
+                    wolfSSHD_ConfigGetWinUserPvPara(conf)) != WOLFSSL_SUCCESS) {
+                    wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading user CAs");
+                    ret = WS_FATAL_ERROR;
+                }
             }
         }
 
