From f57d69cdf4d180e9ff308ef9e625c249b83e2c17 Mon Sep 17 00:00:00 2001
From: Ajay Gupta
Date: Thu, 31 Aug 2023 14:13:20 -0400
Subject: [PATCH] RolesAnywhere-V996803711: Attempt to silence UIs displayed by providers when signing

---
 aws_signing_helper/windows_cert_store_signer.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/aws_signing_helper/windows_cert_store_signer.go b/aws_signing_helper/windows_cert_store_signer.go
index b0c5850..5aef7c5 100644
--- a/aws_signing_helper/windows_cert_store_signer.go
+++ b/aws_signing_helper/windows_cert_store_signer.go
@@ -76,6 +76,9 @@ const (
 	// NTE_BAD_ALGID — Invalid algorithm specified
 	NTE_BAD_ALGID = 0x80090008
+	// NTE_SILENT_CONTEXT - KSP must display UI to operate
+	NTE_SILENT_CONTEXT = 0x80090022
+
 	// WIN_API_FLAG specifies the flags that should be passed to
 	// CryptAcquireCertificatePrivateKey. This impacts whether the CryptoAPI or CNG
 	// API will be used.
@@ -441,9 +444,16 @@ func (signer *WindowsCertStoreSigner) cngSignHash(digest []byte, hash crypto.Has
 	// Get signature
 	sig := make([]byte, sigLen)
 	sigPtr := (*C.BYTE)(&sig[0])
-	if err := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)); err != nil {
+	if err := checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags|C.NCRYPT_SLIENT_FLAG)); err != nil {
+		if err == NTE_SILENT_CONTEXT {
+			if err = checkStatus(C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)); err == nil {
+				goto got_signature
+			}
+		}
+		return nil, fmt.Errorf("failed to sign digest: %w", err)
 	}
+got_signature:
 	// CNG returns a raw ECDSA signature, but we want ASN.1 DER encoding
 	if _, isEC := privateKey.publicKey.(*ecdsa.PublicKey); isEC {
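Review bot: The comment on the new NTE_SILENT_CONTEXT constant describes the provider rather than the condition the caller actually observes; the status is returned when an NCrypt operation could not complete because the silent flag forbade the UI it needed, so `// NTE_SILENT_CONTEXT — Operation requires UI but NCRYPT_SILENT_FLAG was passed; the signer retries without the flag` would tell a reader why cngSignHash catches it. Using the em-dash form of the neighbouring NTE_BAD_ALGID comment also keeps the const block consistent.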
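Review bot: `C.NCRYPT_SLIENT_FLAG` on the new NCryptSignHash call is misspelled; the ncrypt.h constant is `NCRYPT_SILENT_FLAG`, so unless the cgo preamble defines the misspelled name (not visible here) this hunk does not build, and the silent-first behaviour the commit describes is never exercised. The retry condition `err == NTE_SILENT_CONTEXT` also compares the error returned by checkStatus with an untyped integer constant, which will not compile or match unless checkStatus returns an integer-backed type; comparing the raw SECURITY_STATUS before handing it to checkStatus avoids that question and removes the goto/label. Note that the fallback re-enables provider UI, which is the pre-commit behaviour, so a headless caller still blocks on a prompt when the provider insists on one. cngSignHash starts and ends outside the hunk; the rewritten lines, assuming checkStatus accepts the raw status as it does in the hunk:
```go
	sigPtr := (*C.BYTE)(&sig[0])
	// Ask the provider not to prompt; only if it reports that UI is mandatory
	// (NTE_SILENT_CONTEXT) fall back to an interactive attempt.
	status := C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags|C.NCRYPT_SILENT_FLAG)
	if uint32(status) == NTE_SILENT_CONTEXT {
		status = C.NCryptSignHash(*cngKeyHandle, padPtr, digestPtr, digestLen, sigPtr, sigLen, &sigLen, flags)
	}
	if err := checkStatus(status); err != nil {
		return nil, fmt.Errorf("failed to sign digest: %w", err)
	}
	// … unchanged: ECDSA raw-to-DER conversion …
```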