cgo windows to syscall

[tg123]

[X] replace cgo with sys call. gcc is not widely used on windows
[X] force use cng. cng is recommend after vista
[X] PSS supported. this is for go app to use keys in cert store to do tls1.3 (https)
[X] add OpenStoreWindows which takes store name and store location.

github/certstore#20

[lgarron]

Thanks for the updated PR!

I'm not sure when we'll have time to re-evaluate smimesign PRs, but I'll defer to @vcsjones on that.

[aloopkin]

@tg123 Thanks a lot for this, it's very helpful!
Could you please add an example on how to use this for TLS cert authentication?
I guess the whole thing is to create a crypto.PrivateKey that crypto/tls will be able to use inside the tls.Certificate, but apparently i'm doing sthg wrong there.

[tg123]

@tg123 Thanks a lot for this, it's very helpful! Could you please add an example on how to use this for TLS cert authentication? I guess the whole thing is to create a crypto.PrivateKey that crypto/tls will be able to use inside the tls.Certificate, but apparently i'm doing sthg wrong there.

take a look how to use it as a tls.Config

https://github.com/tg123/phabrik/blob/main/examples/cert.go#L11

cert := FindCert by thumb in my example above (you can find by anything)

tlsconf := &tls.Config{
		Certificates:       []tls.Certificate{*cert},
}

then you have a regular tlsconfig

[aloopkin]

@tg123 thanks, and this is what i did, but i get: "tls: failed to sign handshake: bad private key" ((

Here's my further code to the request, that works if i load the PrivateKey from file:

tr := &http.Transport{TLSClientConfig: tlsconf}
req, _ := http.NewRequest("POST", "https://myserver/myurl", strings.NewReader("this is a test"))
req.Header.Set("Content-Type", "text/plain")
client := &http.Client{Transport: tr}
_, err = client.Do(req)
if err != nil {
	logger.Fatal("Could not make Request: " + err.Error())
}

[tg123]

@tg123 thanks, and this is what i did, but i get: "tls: failed to sign handshake: bad private key" ((

Here's my further code to the request, that works if i load the PrivateKey from file:

tr := &http.Transport{TLSClientConfig: tlsconf}
req, _ := http.NewRequest("POST", "https://myserver/myurl", strings.NewReader("this is a test"))
req.Header.Set("Content-Type", "text/plain")
client := &http.Client{Transport: tr}
_, err = client.Do(req)
if err != nil {
	logger.Fatal("Could not make Request: " + err.Error())
}

i believe it is due to your private, please check the usage.

This should be discuss in a separate thread BTW

[jspraul]

I was using this until I ran into #116 failing to prompt for smart card PIN.

[tg123]

I was using this until I ran into #116 failing to prompt for smart card PIN.

after using syscall?
do you mean it works on cgo?

[jspraul]

Thanks for following up! This patch works great if the certificate is not on a smart card.

However, now that I'm trying to use a certificate on a smart card, nCryptSignHash fails as explained in #116, returning NTE_SILENT_CONTEXT as per the very end of the Parameters documentation, even though dwFlags = BCRYPT_PAD_PKCS1 (2) and the referenced NCRYPT_SILENT_FLAG = 0x40 (64). It's also worth noting that the expected error text is "Provider could not perform the action since the context was acquired as silent." but the output is "The operation completed successfully.", though the hash is 0's.

I went back to v0.2.0-rc1 and it's working fine. The only thing I could think of would be a need for a parent HWND for the PIN prompt¹, but I haven't found any change removing something like that yet.

[tg123]

@jspraul
https://github.com/tg123/certstore/blob/2c9b55e04c6d99a32cd9cdd0b71c74acf3b834d7/certstore_windows.go#L309

windows.CRYPT_ACQUIRE_SILENT_FLAG