Fix cert lookup fallback when findCertificateBySubjectKeyID returns NotFoundError

darkfronza · claude · darkfronza · commit dcefc6c95f95 · 2026-03-24T15:46:29.000-03:00
Previously, any error from findCertificateBySubjectKeyID would cause an
immediate return, preventing the issuer-based fallback from running.
Now only non-NotFoundError errors (or NotFoundError when issuer lookup
is unavailable) are returned early.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/kms/capi/capi.go b/kms/capi/capi.go
@@ -433,11 +433,9 @@ func (k *CAPIKMS) getCertContext(u *uriAttributes) (*windows.CertContext, error)
 		}
 	case len(u.keyID) > 0:
 		if handle, err = findCertificateBySubjectKeyID(st, u.keyID); err != nil {
-			return nil, err
-		}
-
-		if handle == nil && !canLookupByIssuer {
-			return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%s not found", KeyIDArg, u.keyID)}
+			if !errors.Is(err, apiv1.NotFoundError{}) || !canLookupByIssuer {
+				return nil, err
+			}
 		}
 	case u.containerName != "":
 		key, err := k.GetPublicKey(&apiv1.GetPublicKeyRequest{
@@ -453,11 +451,9 @@ func (k *CAPIKMS) getCertContext(u *uriAttributes) (*windows.CertContext, error)
 			return nil, fmt.Errorf("error generating SubjectKeyID: %w", err)
 		}
 		if handle, err = findCertificateBySubjectKeyID(st, keyID); err != nil {
-			return nil, err
-		}
-
-		if handle == nil && !canLookupByIssuer {
-			return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%s not found", KeyIDArg, u.keyID)}
+			if !errors.Is(err, apiv1.NotFoundError{}) || !canLookupByIssuer {
+				return nil, err
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -433,11 +433,9 @@ func (k CAPIKMS) getCertContext(u uriAttributes) (*windows.CertContext, error)`
`433`	`433`	`}`
`434`	`434`	`case len(u.keyID) > 0:`
`435`	`435`	`if handle, err = findCertificateBySubjectKeyID(st, u.keyID); err != nil {`
`436`		`- return nil, err`
`437`		`- }`
`438`		`-`
`439`		`- if handle == nil && !canLookupByIssuer {`
`440`		`- return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%s not found", KeyIDArg, u.keyID)}`
	`436`	`+ if !errors.Is(err, apiv1.NotFoundError{}) \|\| !canLookupByIssuer {`
	`437`	`+ return nil, err`
	`438`	`+ }`
`441`	`439`	`}`
`442`	`440`	`case u.containerName != "":`
`443`	`441`	`key, err := k.GetPublicKey(&apiv1.GetPublicKeyRequest{`
`@@ -453,11 +451,9 @@ func (k CAPIKMS) getCertContext(u uriAttributes) (*windows.CertContext, error)`
`453`	`451`	`return nil, fmt.Errorf("error generating SubjectKeyID: %w", err)`
`454`	`452`	`}`
`455`	`453`	`if handle, err = findCertificateBySubjectKeyID(st, keyID); err != nil {`
`456`		`- return nil, err`
`457`		`- }`
`458`		`-`
`459`		`- if handle == nil && !canLookupByIssuer {`
`460`		`- return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%s not found", KeyIDArg, u.keyID)}`
	`454`	`+ if !errors.Is(err, apiv1.NotFoundError{}) \|\| !canLookupByIssuer {`
	`455`	`+ return nil, err`
	`456`	`+ }`
`461`	`457`	`}`
`462`	`458`	`}`
`463`	`459`