

RolesAnywhere-V996803711: Attempt to silence UIs displayed by providers when signing
13ajay committed Sep 1, 2023
1 parent 5395f57 commit d56713e
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion aws_signing_helper/windows_cert_store_signer.go
Expand Up @@ -76,6 +76,9 @@ const (
// NTE_BAD_ALGID — Invalid algorithm specified
NTE_BAD_ALGID = 0x80090008

// NTE_SILENT_CONTEXT - KSP must display UI to operate
NTE_SILENT_CONTEXT = 0x80090022

// WIN_API_FLAG specifies the flags that should be passed to
// CryptAcquireCertificatePrivateKey. This impacts whether the CryptoAPI or CNG
// API will be used.
Expand All @@ -89,6 +92,12 @@ const (
WIN_API_FLAG = windows.CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG
)

var (
// ErrRequiresUI is used when providers are required to display
// UI to perform signing operations.
ErrRequiresUI = errors.New("provider requries UI to operate")
)

// Error codes for Windows APIs - implements the error interface
type errCode uint64

Expand Down Expand Up @@ -441,9 +450,16 @@ func (signer *WindowsCertStoreSigner) cngSignHash(digest []byte, hash crypto.Has
// Get signature
sig := make([]byte, sigLen)
sigPtr := (*C.BYTE)(&sig[0])
if err := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)); err != nil {
if err := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags|C.NCRYPT_SILENT_FLAG)); err != nil {
if err == ErrRequiresUI {
if err = checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)); err == nil {
goto got_signature
}
}

return nil, fmt.Errorf("failed to sign digest: %w", err)
}
got_signature:

// CNG returns a raw ECDSA signature, but we want ASN.1 DER encoding
if _, isEC := privateKey.publicKey.(*ecdsa.PublicKey); isEC {
Expand Down Expand Up @@ -618,6 +634,10 @@ func checkStatus(s C.SECURITY_STATUS) error {
return ErrUnsupportedHash
}

if secStatus == NTE_SILENT_CONTEXT {
return ErrRequiresUI
}

return secStatus
}
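Review bot: The `goto got_signature` in cngSignHash (third hunk) can be replaced by one error check around a silent attempt and an optional retry, which reads more clearly and gives the retry path a natural place for a comment; the enclosing function starts and ends outside the hunk. The retry deliberately drops `NCRYPT_SILENT_FLAG`, so a provider that returned NTE_SILENT_CONTEXT will display its UI (for example a PIN prompt) on the second call — that deserves a comment such as `// Sign silently if the provider allows it; otherwise retry once and let it show its UI`, since the commit title says "silence" and a reader may not expect the fallback. I would also compare with `errors.Is(err, ErrRequiresUI)` rather than `==` so the check survives any future wrapping inside checkStatus. `sigLen` is passed both by value and as the out pointer on both calls; if the failed silent call can write through `&sigLen`, the retry uses the updated size, which is presumably intended but worth confirming against the NCryptSignHash contract. Unrelated but in the same section, the ErrRequiresUI message in the new var block misspells "requires" as "requries".

```go
	// Get signature
	sig := make([]byte, sigLen)
	sigPtr := (*C.BYTE)(&sig[0])
	// Sign silently if the provider allows it; otherwise retry once and let it
	// show its UI (e.g. a PIN prompt). Any other failure is returned as-is.
	signErr := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags|C.NCRYPT_SILENT_FLAG))
	if errors.Is(signErr, ErrRequiresUI) {
		signErr = checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags))
	}
	if signErr != nil {
		return nil, fmt.Errorf("failed to sign digest: %w", signErr)
	}
	// … unchanged: DER re-encoding of raw ECDSA signatures …
```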


