add Windows cert store use with signing and add example arguments

Author: JacobBarthelmeh

apps/wolfsshd/configuration.c

@@ -74,6 +74,13 @@ struct WOLFSSHD_CONFIG {
     char* hostKeyFile;
     char* hostCertFile;
     char* userCAKeysFile;
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+    char* hostKeyStore;
+    char* hostKeyStoreSubject;
+    char* hostKeyStoreFlags;
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
     char* hostKeyAlgos;
     char* kekAlgos;
     char* listenAddress;
@@ -316,6 +323,13 @@ void wolfSSHD_ConfigFree(WOLFSSHD_CONFIG* conf)
         FreeString(&current->authKeysFile,  heap);
         FreeString(&current->hostKeyFile,   heap);
         FreeString(&current->hostCertFile,  heap);
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+        FreeString(&current->hostKeyStore,       heap);
+        FreeString(&current->hostKeyStoreSubject, heap);
+        FreeString(&current->hostKeyStoreFlags,  heap);
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
         FreeString(&current->pidFile,  heap);
         FreeString(&current->winUserStores, heap);
         FreeString(&current->winUserDwFlags, heap);
@@ -346,6 +360,13 @@ enum {
     OPT_PROTOCOL                = 9,
     OPT_LOGIN_GRACE_TIME        = 10,
     OPT_HOST_KEY                = 11,
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+    OPT_HOST_KEY_STORE          = 50,
+    OPT_HOST_KEY_STORE_SUBJECT  = 51,
+    OPT_HOST_KEY_STORE_FLAGS    = 52,
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
     OPT_PASSWORD_AUTH           = 12,
     OPT_PORT                    = 13,
     OPT_PERMIT_ROOT             = 14,
@@ -366,6 +387,11 @@ enum {
 };
 enum {
     NUM_OPTIONS = 29
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+    + 3
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
 };
 
 static const CONFIG_OPTION options[NUM_OPTIONS] = {
@@ -380,6 +406,17 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
     {OPT_ACCEPT_ENV,              "AcceptEnv"},
     {OPT_PROTOCOL,                "Protocol"},
     {OPT_LOGIN_GRACE_TIME,        "LoginGraceTime"},
+    /* The config parser uses strncmp with the option-name length, so longer
+     * option names that share a common prefix MUST appear before the shorter
+     * one.  HostKeyStoreSubject/HostKeyStoreFlags before HostKeyStore,
+     * and all HostKeyStore* before HostKey. */
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+    {OPT_HOST_KEY_STORE_SUBJECT,  "HostKeyStoreSubject"},
+    {OPT_HOST_KEY_STORE_FLAGS,    "HostKeyStoreFlags"},
+    {OPT_HOST_KEY_STORE,          "HostKeyStore"},
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
     {OPT_HOST_KEY,                "HostKey"},
     {OPT_PASSWORD_AUTH,           "PasswordAuthentication"},
     {OPT_PORT,                    "Port"},
@@ -397,7 +434,7 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
     {OPT_TRUSTED_USER_CA_STORE,   "wolfSSH_TrustedUserCaStore"},
     {OPT_WIN_USER_STORES,         "wolfSSH_WinUserStores"},
     {OPT_WIN_USER_DW_FLAGS,       "wolfSSH_WinUserDwFlags"},
-    {OPT_WIN_USER_PV_PARA,        "wolfSSH_WinUserPvPara"},
+    {OPT_WIN_USER_PV_PARA,        "wolfSSH_WinUserPvPara"}
 };
 
 /* returns WS_SUCCESS on success */
@@ -1060,6 +1097,27 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
         case OPT_WIN_USER_PV_PARA:
             ret = wolfSSHD_ConfigSetWinUserPvPara(*conf, value);
             break;
+    #ifdef USE_WINDOWS_API
+    #ifdef WOLFSSH_CERTS
+        case OPT_HOST_KEY_STORE:
+            wolfSSH_Log(WS_LOG_INFO,
+                "[SSHD] Parsed HostKeyStore = '%s'", value);
+            ret = SetFileString(&(*conf)->hostKeyStore, value, (*conf)->heap);
+            break;
+        case OPT_HOST_KEY_STORE_SUBJECT:
+            wolfSSH_Log(WS_LOG_INFO,
+                "[SSHD] Parsed HostKeyStoreSubject = '%s'", value);
+            ret = SetFileString(&(*conf)->hostKeyStoreSubject, value,
+                (*conf)->heap);
+            break;
+        case OPT_HOST_KEY_STORE_FLAGS:
+            wolfSSH_Log(WS_LOG_INFO,
+                "[SSHD] Parsed HostKeyStoreFlags = '%s'", value);
+            ret = SetFileString(&(*conf)->hostKeyStoreFlags, value,
+                (*conf)->heap);
+            break;
+    #endif /* WOLFSSH_CERTS */
+    #endif /* USE_WINDOWS_API */
         default:
             break;
     }
@@ -1526,6 +1584,45 @@ int SetFileString(char** dst, const char* src, void* heap)
     return ret;
 }
 
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+char* wolfSSHD_ConfigGetHostKeyStore(const WOLFSSHD_CONFIG* conf)
+{
+    char* ret = NULL;
+
+    if (conf != NULL) {
+        ret = conf->hostKeyStore;
+    }
+
+    return ret;
+}
+
+
+char* wolfSSHD_ConfigGetHostKeyStoreSubject(const WOLFSSHD_CONFIG* conf)
+{
+    char* ret = NULL;
+
+    if (conf != NULL) {
+        ret = conf->hostKeyStoreSubject;
+    }
+
+    return ret;
+}
+
+
+char* wolfSSHD_ConfigGetHostKeyStoreFlags(const WOLFSSHD_CONFIG* conf)
+{
+    char* ret = NULL;
+
+    if (conf != NULL) {
+        ret = conf->hostKeyStoreFlags;
+    }
+
+    return ret;
+}
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
+
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file)
 {
     int ret = WS_SUCCESS;

apps/wolfsshd/configuration.h

@@ -42,6 +42,13 @@ char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file);
 int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file);
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+char* wolfSSHD_ConfigGetHostKeyStore(const WOLFSSHD_CONFIG* conf);
+char* wolfSSHD_ConfigGetHostKeyStoreSubject(const WOLFSSHD_CONFIG* conf);
+char* wolfSSHD_ConfigGetHostKeyStoreFlags(const WOLFSSHD_CONFIG* conf);
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
 int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value);
 int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetUserCAStore(WOLFSSHD_CONFIG* conf, const char* value);

apps/wolfsshd/wolfsshd.c

@@ -38,6 +38,20 @@
 #include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+    #include <windows.h>
+    #include <wincrypt.h>
+    #include <ncrypt.h>
+    #ifndef CERT_SYSTEM_STORE_CURRENT_USER
+        #define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
+    #endif
+    #ifndef CERT_SYSTEM_STORE_LOCAL_MACHINE
+        #define CERT_SYSTEM_STORE_LOCAL_MACHINE 0x00020000
+    #endif
+#endif /* WOLFSSH_CERTS */
+#endif /* USE_WINDOWS_API */
+
 #define WOLFSSH_TEST_SERVER
 #include <wolfssh/test.h>
 
@@ -340,14 +354,80 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
 
     /* Load in host private key */
     if (ret == WS_SUCCESS) {
+#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_CERTS
+        char* hostKeyStore = wolfSSHD_ConfigGetHostKeyStore(conf);
+        char* hostKeyStoreSubject = wolfSSHD_ConfigGetHostKeyStoreSubject(conf);
+        char* hostKeyStoreFlags = wolfSSHD_ConfigGetHostKeyStoreFlags(conf);
 
-        char* hostKey = wolfSSHD_ConfigGetHostKeyFile(conf);
+        wolfSSH_Log(WS_LOG_INFO,
+            "[SSHD] Cert store code compiled in. "
+            "hostKeyStore=%s, hostKeyStoreSubject=%s, hostKeyStoreFlags=%s",
+            hostKeyStore ? hostKeyStore : "(null)",
+            hostKeyStoreSubject ? hostKeyStoreSubject : "(null)",
+            hostKeyStoreFlags ? hostKeyStoreFlags : "(null)");
+
+        if (hostKeyStore != NULL && hostKeyStoreSubject != NULL) {
+            /* Use cert store host key */
+            wchar_t* wStoreName = NULL;
+            wchar_t* wSubjectName = NULL;
+            DWORD dwFlags = CERT_SYSTEM_STORE_CURRENT_USER;
+            int storeNameLen, subjectNameLen;
+            
+            /* Parse flags if provided */
+            if (hostKeyStoreFlags != NULL) {
+                if (WSTRCMP(hostKeyStoreFlags, "CURRENT_USER") == 0) {
+                    dwFlags = CERT_SYSTEM_STORE_CURRENT_USER;
+                } else if (WSTRCMP(hostKeyStoreFlags, "LOCAL_MACHINE") == 0) {
+                    dwFlags = CERT_SYSTEM_STORE_LOCAL_MACHINE;
+                } else {
+                    dwFlags = (DWORD)atoi(hostKeyStoreFlags);
+                }
+            }
+            
+            /* Convert to wide strings */
+            storeNameLen = MultiByteToWideChar(CP_UTF8, 0, hostKeyStore, -1, NULL, 0);
+            subjectNameLen = MultiByteToWideChar(CP_UTF8, 0, hostKeyStoreSubject, -1, NULL, 0);
+            
+            wStoreName = (wchar_t*)WMALLOC(storeNameLen * sizeof(wchar_t), heap, DYNTYPE_SSHD);
+            wSubjectName = (wchar_t*)WMALLOC(subjectNameLen * sizeof(wchar_t), heap, DYNTYPE_SSHD);
+            
+            if (wStoreName == NULL || wSubjectName == NULL) {
+                wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Memory allocation failed for cert store strings");
+                ret = WS_MEMORY_E;
+            } else {
+                MultiByteToWideChar(CP_UTF8, 0, hostKeyStore, -1, wStoreName, storeNameLen);
+                MultiByteToWideChar(CP_UTF8, 0, hostKeyStoreSubject, -1, wSubjectName, subjectNameLen);
+                
+                ret = wolfSSH_CTX_UsePrivateKey_fromStore(*ctx, wStoreName, dwFlags, wSubjectName);
+                if (ret != WS_SUCCESS) {
+                    wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Failed to load host key from certificate store");
+                }
+                
+                WFREE(wStoreName, heap, DYNTYPE_SSHD);
+                WFREE(wSubjectName, heap, DYNTYPE_SSHD);
+            }
+        } else
+#else
+        wolfSSH_Log(WS_LOG_INFO,
+            "[SSHD] WOLFSSH_CERTS not defined - cert store support disabled");
+#endif /* WOLFSSH_CERTS */
+#else
+        wolfSSH_Log(WS_LOG_INFO,
+            "[SSHD] USE_WINDOWS_API not defined - cert store support disabled");
+#endif /* USE_WINDOWS_API */
+        {
+            char* hostKey = wolfSSHD_ConfigGetHostKeyFile(conf);
 
-        if (hostKey == NULL) {
-            wolfSSH_Log(WS_LOG_ERROR, "[SSHD] No host private key set");
-            ret = WS_BAD_ARGUMENT;
-        }
-        else {
+            wolfSSH_Log(WS_LOG_INFO,
+                "[SSHD] File-based host key path entered. hostKey=%s",
+                hostKey ? hostKey : "(null)");
+
+            if (hostKey == NULL) {
+                wolfSSH_Log(WS_LOG_ERROR, "[SSHD] No host private key set");
+                ret = WS_BAD_ARGUMENT;
+            }
+            else {
             byte* data;
             word32 dataSz = 0;
 
@@ -384,6 +464,7 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
                 wc_FreeDer(&der);
             }
         }
+        }
     }
 
 #if defined(WOLFSSH_OSSH_CERTS) || defined(WOLFSSH_CERTS)
@@ -440,7 +521,7 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
         WOLFSSL_CTX* sslCtx;
 
         wolfSSH_Log(WS_LOG_INFO, "[SSHD] Using system CAs");
-        sslCtx = wolfSSL_CTX_new(wolfSSLv23_method());
+        sslCtx = wolfSSL_CTX_new(wolfSSLv23_server_method());
         if (sslCtx == NULL) {
             wolfSSH_Log(WS_LOG_INFO, "[SSHD] Unable to create temporary CTX");
             ret = WS_FATAL_ERROR;
@@ -457,13 +538,19 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
 
         if (ret == WS_SUCCESS) {
             if (wolfSSHD_ConfigGetUserCAStore(conf)) {
+#if defined(_WIN32)
                 if (wolfSSL_CTX_load_windows_user_CA_certs(sslCtx,
-                    wolfSSHD_ConfigGetWinUserStores(conf),
-                    wolfSSHD_ConfigGetWinUserDwFlags(conf),
-                    wolfSSHD_ConfigGetWinUserPvPara(conf)) != WOLFSSL_SUCCESS) {
+                        wolfSSHD_ConfigGetWinUserStores(conf),
+                        wolfSSHD_ConfigGetWinUserDwFlags(conf),
+                        wolfSSHD_ConfigGetWinUserPvPara(conf)) != WOLFSSL_SUCCESS) {
                     wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading user CAs");
                     ret = WS_FATAL_ERROR;
                 }
+#else
+                wolfSSH_Log(WS_LOG_INFO,
+                    "[SSHD] User CA store is only supported on Windows");
+                ret = WS_BAD_ARGUMENT;
+#endif /* _WIN32 */
             }
         }
 
@@ -2451,6 +2538,24 @@ static int StartSSHD(int argc, char** argv)
         }
     }
 
+    if (logFile == NULL) {
+        logFile = stderr;
+    }
+#ifdef _WIN32
+    /* The early -D detection (wide-string comparison of cmdArgs before
+     * conversion) may have set ServiceDebugCb even when -D was supplied.
+     * Now that mygetopt has been processed, restore the file-based
+     * callback in any case where output should go to logFile:
+     *   - isDaemon==0  → running interactively, logs to logFile (stderr)
+     *   - isDaemon==1 but -E was used → logs to the specified file
+     * This must happen BEFORE config/SetupCTX so their log messages are
+     * captured in the file (or stderr) rather than lost to
+     * OutputDebugString. */
+    if (!isDaemon || logFile != stderr) {
+        wolfSSH_SetLoggingCb(wolfSSHDLoggingCb);
+    }
+#endif
+
     if (ret == WS_SUCCESS) {
         ret = wolfSSHD_ConfigLoad(conf, configFile);
         if (ret != WS_SUCCESS) {
@@ -2482,10 +2587,6 @@ static int StartSSHD(int argc, char** argv)
         }
     }
 
-    if (logFile == NULL) {
-        logFile = stderr;
-    }
-
     /* run as a daemon or service */
 #ifndef WIN32
     if (ret == WS_SUCCESS && isDaemon) {