[SERVER-27592] Windows Certificate Store must be opened read-only Created: 05/Jan/17  Updated: 21/Nov/18  Resolved: 10/Jul/17

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 3.4.0
Fix Version/s: 3.5.10

Type: Bug Priority: Major - P3
Reporter: Hannes Magnusson Assignee: Ted Tuckman
Resolution: Done Votes: 0
Labels: neweng, platforms-interns-2017
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to TOOLS-2158 mongodump failing on Windows with "e... Closed
is related to CDRIVER-1964 Windows CA stores should be opened wi... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2017-07-10, Platforms 2017-07-31
Participants:

Description

I'm not clear how to reproduce this, but a user of the PHP driver (which wraps mongoc) managed to get CertOpenStore() to fail when not providing CERT_STORE_READONLY_FLAG.

It appears that certain user accounts need to declare their intent as read only?


Comments
Comment by Githook User [ 10/Jul/17 ]

Author: Ted Tuckman (TedTuckman, ted.tuckman@mongodb.com)

Message: SERVER-27592 open windows certificate store read only
Branch: master
https://github.com/mongodb/mongo/commit/78fa7ae30d6b4d817750fbb7ff03c5bb0155a864

Comment by Jonathan Reams [ 11/Jan/17 ]

I think that as long as you open the cert store with CERT_STORE_PROV_SYSTEM_W and CERT_SYSTEM_STORE_CURRENT_USER_W then you shouldn't have any problems if the user's registry permissions are set correctly because the certificate store will be owned by the current user. This would be easy to repro by removing write permissions from a user's registry hive - which sounds crazy. We should probably do this since there's no reason to have write access to the cert store, but I don't think this is a problem people are likely to hit.

Comment by Hannes Magnusson [ 05/Jan/17 ]

The original user confirmed this fixed his problem: https://github.com/mongodb/mongo-php-library/issues/313#issuecomment-268600348

I however don't know how to repro this to determine if the shell and the tools are affected, but since our code is derived from this original server code, I find it highly likely to be affected too.

Comment by Hannes Magnusson [ 05/Jan/17 ]

diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c
index 056f524..27a4029 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c
+++ b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c
@@ -54,7 +54,7 @@ static int importCertStoreToX509_STORE(
     int status = 1;
     X509* x509Cert = NULL;
     HCERTSTORE systemStore =
-        CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, storeLocation, storeName);
+        CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, storeLocation|CERT_STORE_READONLY_FLAG, storeName);
     if (systemStore == NULL) {
        formatError(GetLastError(),"error opening system CA store",err,err_len);
         status = 0;
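Review bot: this hunk edits a vendored third-party file (src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c), so the change will be lost the next time the spacemonkeygo/openssl package is refreshed; carry it as a patch that is reapplied on update or get it accepted upstream. Two smaller points on the same line: put spaces around the operator (`storeLocation | CERT_STORE_READONLY_FLAG`) to match the rest of the argument list, and consider including storeName in the "error opening system CA store" message, since a permissions failure on one store is otherwise hard to tell apart from another.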
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index ed70d6b..fd8a231 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -900,7 +900,7 @@ Status importCertStoreToX509_STORE(const wchar_t* storeName,
                                    DWORD storeLocation,
                                    X509_STORE* verifyStore) {
     HCERTSTORE systemStore = CertOpenStore(
-        CERT_STORE_PROV_SYSTEM_W, 0, NULL, storeLocation, const_cast<LPWSTR>(storeName));
+        CERT_STORE_PROV_SYSTEM_W, 0, NULL, storeLocation|CERT_STORE_READONLY_FLAG, const_cast<LPWSTR>(storeName));
     if (systemStore == NULL) {
         return {ErrorCodes::InvalidSSLConfiguration,
                 str::stream() << "error opening system CA store: " << errnoWithDescription()};
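Review bot: the new CertOpenStore line in ssl_manager.cpp runs well past 100 columns and has no spaces around `|`; the surrounding code is clang-format wrapped, so run clang-format and let it break the argument list. It is also worth confirming that errnoWithDescription() in the failure branch picks up the CertOpenStore error, which Windows reports through GetLastError() (the C counterpart in this patch uses formatError(GetLastError(), ...) explicitly), so that a store the account cannot open yields a meaningful message rather than a stale errno.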
