Merge pull request #43 from aws/fix/RolesAnywhere-4667

Fix/RolesAnywhere-4667
aws · Aug 4, 2023 · b5229e3 · b5229e3
2 parents 989ae54 + 485eea3
commit b5229e3
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 17 deletions.
diff --git a/aws_signing_helper/darwin_cert_store_signer.go b/aws_signing_helper/darwin_cert_store_signer.go
@@ -73,19 +73,23 @@ func GetMatchingCertsAndIdentity(certIdentifier CertIdentifier) (C.SecIdentityRe
 	var certContainers []CertificateContainer
 	var certRef C.SecCertificateRef
 	var identRef C.SecIdentityRef
+	var isMatch bool
 	for _, curIdentRef := range identRefs {
 		curCertRef, err := getCertRef(C.SecIdentityRef(curIdentRef))
 		if err != nil {
 			return 0, 0, nil, errors.New("unable to get cert ref")
 		}
-		curCert, err := getCert(curCertRef)
+		curCert, err := exportCertRef(curCertRef)
 		if err != nil {
-			return 0, 0, nil, errors.New("unable to get cert")
+			if Debug {
+				fmt.Fprintf(os.Stderr, "unable to parse certificate with error (%s) - skipping\n", err)
+			}
+			goto nextIteration
 		}
 
 		// Find whether there is a matching certificate
-		certMatches := certMatches(certIdentifier, *curCert)
-		if certMatches {
+		isMatch = certMatches(certIdentifier, *curCert)
+		if isMatch {
 			certContainers = append(certContainers, CertificateContainer{curCert, ""})
 			// Assign to certRef and identRef at most once in the loop
 			// Both values are only useful if there is exactly one match in the certificate store
@@ -95,6 +99,8 @@ func GetMatchingCertsAndIdentity(certIdentifier CertIdentifier) (C.SecIdentityRe
 				identRef = C.SecIdentityRef(curIdentRef)
 			}
 		}
+
+	nextIteration:
 	}
 
 	if Debug {
@@ -153,16 +159,6 @@ func GetCertStoreSigner(certIdentifier CertIdentifier) (signer Signer, signingAl
 	return &DarwinCertStoreSigner{identRef, keyRef, certRef, cert, nil}, signingAlgorithm, nil
 }
 
-// Gets a pointer to the certificate from a certificate reference
-func getCert(certRef C.SecCertificateRef) (*x509.Certificate, error) {
-	cert, err := exportCertRef(certRef)
-	if err != nil {
-		return nil, errors.New("unable to export certificate reference to x509.Certificate")
-	}
-
-	return cert, nil
-}
-
 // Gets the certificate associated with this DarwinCertStoreSigner
 func (signer *DarwinCertStoreSigner) Certificate() (*x509.Certificate, error) {
 	if signer.cert != nil {
@@ -174,7 +170,7 @@ func (signer *DarwinCertStoreSigner) Certificate() (*x509.Certificate, error) {
 		return nil, err
 	}
 
-	cert, err := getCert(certRef)
+	cert, err := exportCertRef(certRef)
 	if err != nil {
 		return nil, err
 	}

diff --git a/aws_signing_helper/windows_cert_store_signer.go b/aws_signing_helper/windows_cert_store_signer.go
@@ -122,6 +122,7 @@ func GetMatchingCertsAndChain(certIdentifier CertIdentifier) (store windows.Hand
 	paramsPtr = unsafe.Pointer(&params)
 
 	var curCertCtx *windows.CertContext
+	var curCert *x509.Certificate
 	for {
 		// Previous chainCtx should be freed here if it isn't nil
 		chainCtx, err = windows.CertFindChainInStore(store, encoding, flags, findType, paramsPtr, chainCtx)
@@ -155,11 +156,14 @@ func GetMatchingCertsAndChain(certIdentifier CertIdentifier) (store windows.Hand
 			curCertCtx = chainElts[j].CertContext
 			x509CertChain[j], err = exportCertContext(curCertCtx)
 			if err != nil {
-				goto fail
+				if Debug {
+					fmt.Fprintf(os.Stderr, "unable to parse certificate with error (%s) - skipping\n", err)
+				}
+				goto nextIteration
 			}
 		}
 
-		curCert := x509CertChain[0]
+		curCert = x509CertChain[0]
 		if certMatches(certIdentifier, *curCert) {
 			certContainers = append(certContainers, CertificateContainer{curCert, ""})
 
@@ -175,6 +179,8 @@ func GetMatchingCertsAndChain(certIdentifier CertIdentifier) (store windows.Hand
 				windows.CertDuplicateCertificateContext(certCtx)
 			}
 		}
+
+	nextIteration:
 	}
 
 	if Debug {