RolesAnywhere-V996803711: Attempt to silence UIs displayed by provide…

…rs when signing
aws · Aug 31, 2023 · f57d69c · f57d69c
1 parent 5395f57
commit f57d69c
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/aws_signing_helper/windows_cert_store_signer.go b/aws_signing_helper/windows_cert_store_signer.go
@@ -76,6 +76,9 @@ const (
 	// NTE_BAD_ALGID — Invalid algorithm specified
 	NTE_BAD_ALGID = 0x80090008
 
+	// NTE_SILENT_CONTEXT - KSP must display UI to operate
+	NTE_SILENT_CONTEXT = 0x80090022
+
 	// WIN_API_FLAG specifies the flags that should be passed to
 	// CryptAcquireCertificatePrivateKey. This impacts whether the CryptoAPI or CNG
 	// API will be used.
@@ -441,9 +444,16 @@ func (signer *WindowsCertStoreSigner) cngSignHash(digest []byte, hash crypto.Has
 	// Get signature
 	sig := make([]byte, sigLen)
 	sigPtr := (*C.BYTE)(&sig[0])
-	if err := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)); err != nil {
+	if err := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags|C.NCRYPT_SLIENT_FLAG)); err != nil {
+		if err == NTE_SILENT_CONTEXT {
+			if err = checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)); err == nil {
+				goto got_signature
+			}
+		}
+
 		return nil, fmt.Errorf("failed to sign digest: %w", err)
 	}
+got_signature:
 
 	// CNG returns a raw ECDSA signature, but we want ASN.1 DER encoding
 	if _, isEC := privateKey.publicKey.(*ecdsa.PublicKey); isEC {