Skip to content

Add support for additional CAPI certificate context properties #873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
joshdrake wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Add support for additional CAPI certificate context properties #873

joshdrake wants to merge 10 commits into from

Conversation

@joshdrake
Copy link
Contributor

@joshdrake joshdrake commented Oct 14, 2025

This PR adds functionality to the capi KMS to support setting the "friendly name" and "description" certificate properties. The tpmkms passes these through as needed.

💔Thank you!

@joshdrake joshdrake marked this pull request as draft October 14, 2025 02:25
@CLAassistant
Copy link

CLAassistant commented Oct 14, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ joshdrake
❌ darkfronza
You have signed the CLA already but the status is still pending? Let us recheck it.

@joshdrake joshdrake requested a review from hslatman October 14, 2025 02:25
@hslatman hslatman changed the title Josh/capi set cert context props Add support for additional CAPI certificate context properties Oct 14, 2025
darkfronza
darkfronza reviewed Dec 2, 2025
View reviewed changes
joshdrake
joshdrake commented Jan 7, 2026
View reviewed changes
joshdrake
joshdrake commented Jan 7, 2026
View reviewed changes
Copy link
Contributor Author

@joshdrake joshdrake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit/question, otherwise lgtm. Need another reviewer to be able to merge, cc @hslatman

joshdrake and others added 8 commits January 8, 2026 09:58
@joshdrake
Allow certificate retrieval by friendly name or description.
8f8bd18
@joshdrake
Improve friendly name and description CAPI getters.
7593fd6
@joshdrake
Correctly handle NOT_FOUND errors for CAPI certificate props.
be697db
@joshdrake
Add friendly name and description CAPI setters.
103f67b
@joshdrake
Pass through 'friendly-name' and 'description' URI params to CAPI KMS.
ec2d36d
@joshdrake
Handle additional parameters in Windows certificate chain loading.
52bc3a3
@darkfronza @joshdrake
Attempt to lookup certificate by issuer when key-id lookup fails
db7f200 
This fixes an issue with agent, where it was unable to find device
certificates due to using a key-id derived from a random string for
certificate lookups.

If the key-id lookup fails automatically attempt lookup by cert+attr
where attr can be one of the certificate atributes, serial number,
friendly-name, description, etc.
@darkfronza @joshdrake
turn canLookupByIssuer into variable
5505db4 
The function was a relic from past refactoring code, not necessary
anymore.
@joshdrake joshdrake force-pushed the josh/capi-set-cert-context-props branch from b78b8bb to 5505db4 Compare January 8, 2026 16:13
@darkfronza
Fix syntax and logic errors after rebasing
2d69037 
- Wrong variable names.
- Added missing forwarding issuer,description,friendly-name params to CAPI.
@darkfronza darkfronza marked this pull request as ready for review January 8, 2026 21:30
@joshdrake
Copy link
Contributor Author

joshdrake commented Jan 8, 2026

Looks good to me, just need @maraino or @hslatman to take a quick look.

smst-jeff
smst-jeff reviewed Jan 12, 2026
View reviewed changes
kms/capi/ncrypt_windows.go
}

func certSetCertificateContextProperty(certContext *windows.CertContext, propID uint32, pvData uintptr) error {
r0, _, err := procCertSetCertificateContextProperty.Call(
Copy link

@smst-jeff smst-jeff Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is r0? I think this could use a more descriptive name.

Copy link

@darkfronza darkfronza Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's actually r1, this invokes a system call on windows (whose procedure is found in a DLL), the system call returns r1, r2, error, in general, where r1 represents the return value status from the procedure stored in a register (e.g. on Linux the %rax value), the semantic value of this depends on the procedure invoked, r2 is usually not used but kept for compatibility with platforms that return status on more registers, and the 3rd value return is actually an error, on windows the error is always non nil so we must check r0(r1).
I think we can leave this low level stuff as is, or perhaps considering refactor this in another pr.

Copy link

@smst-jeff smst-jeff Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, that all makes sense. Can you add a comment to these funcs explaining it? With the information you provided above, it's clear, but without it, it's not clear what's happening.

kms/capi/ncrypt_windows.go
Comment on lines +622 to +625
if r0 == 0 {
return err
}
return nil
Copy link

@smst-jeff smst-jeff Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is err assumed to be non-nil here?

If err != nil, and r0 is != 0, is it ok to drop the error?

Copy link

@darkfronza darkfronza Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This invokes CertSetCertificateContextProperty which returns a bool, on success it returns true.
But since this is system call invocation the bool is cast to int, false is zero, so in that case we actually return the error.
We handle this as syscall on windows always return a non nil error even if the function succeeds

Copy link

@smst-jeff smst-jeff Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to the above, I think comments helps a lot here.

@darkfronza
cleanup certificate lookup code
59b1bc2 
- Document lookup by issuer strategy.
- Attempt lookup by issuer only when lookup by KeyID fails with not
  found, on error return.
- Simplify code a little bit.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@darkfronza darkfronza darkfronza left review comments

@smst-jeff smst-jeff smst-jeff left review comments

@hslatman hslatman Awaiting requested review from hslatman

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

needs triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@joshdrake @CLAassistant @darkfronza @smst-jeff