authorJason A. Donenfeld <Jason@zx2c4.com>2019-10-01 13:03:36 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-10-01 13:14:23 +0200
commit3932f8ac9fcedc41b478414ea78bbd3bf50364ee (patch)
tree52318575b200e084b2c7c1fc94c20bba7e782582 /version
parentbuild: bump and loosen go version (diff)
Revert "version: use crypt32 instead of go x509 for cn extraction for file size"
This reverts commit 4cdc8fef9973a8d82593bff4e7cb350a20e0fa78. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'version')
-rw-r--r--version/official_windows.go6
-rw-r--r--version/wintrust/certificate_test.go28
-rw-r--r--version/wintrust/certificate_windows.go29
-rw-r--r--version/wintrust/zsyscall_windows.go11
4 files changed, 15 insertions, 59 deletions
diff --git a/version/official_windows.go b/version/official_windows.go
index d9f041f6..b0f62250 100644
--- a/version/official_windows.go
+++ b/version/official_windows.go
@@ -67,12 +67,12 @@ func IsRunningOfficialVersion() bool {
// This below tests is easily circumvented. False certificates can be appended, and just checking the
// common name is not very good. But that's okay, as this isn't security related.
- names, err := wintrust.ExtractCertificateNames(path)
+ certs, err := wintrust.ExtractCertificates(path)
if err != nil {
return false
}
- for _, name := range names {
- if name == officialCommonName {
+ for _, cert := range certs {
+ if cert.Subject.CommonName == officialCommonName {
return true
}
}
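Review bot: `for _, cert := range certs` in the replaced loop copies a whole x509.Certificate out of the slice on every iteration, and that struct is large (many fields, most of them slices), so indexing is the cheaper form for the same comparison: `for i := range certs {` / `if certs[i].Subject.CommonName == officialCommonName {`. Having ExtractCertificates return `[]*x509.Certificate` would remove the copy at its source, but that is a change to the wintrust package rather than to this hunk. IsRunningOfficialVersion begins before the hunk.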
diff --git a/version/wintrust/certificate_test.go b/version/wintrust/certificate_test.go
deleted file mode 100644
index 19007351..00000000
--- a/version/wintrust/certificate_test.go
+++ /dev/null
@@ -1,28 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
- */
-
-package wintrust
-
-import (
- "fmt"
- "path/filepath"
- "testing"
-
- "golang.org/x/sys/windows"
-)
-
-func TestExtractCertificateNames(t *testing.T) {
- system32, err := windows.GetSystemDirectory()
- if err != nil {
- t.Fatal(err)
- }
- names, err := ExtractCertificateNames(filepath.Join(system32, "ntoskrnl.exe"))
- if err != nil {
- t.Fatal(err)
- }
- for i, name := range names {
- fmt.Printf("%d: %s\n", i, name)
- }
-}
diff --git a/version/wintrust/certificate_windows.go b/version/wintrust/certificate_windows.go
index 8c933f11..1e145095 100644
--- a/version/wintrust/certificate_windows.go
+++ b/version/wintrust/certificate_windows.go
@@ -6,6 +6,7 @@
package wintrust
import (
+ "crypto/x509"
"syscall"
"unsafe"
@@ -16,13 +17,11 @@ const (
_CERT_QUERY_OBJECT_FILE = 1
_CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED = 1024
_CERT_QUERY_FORMAT_FLAG_ALL = 14
- _CERT_NAME_SIMPLE_DISPLAY_TYPE = 4
)
//sys cryptQueryObject(objectType uint32, object uintptr, expectedContentTypeFlags uint32, expectedFormatTypeFlags uint32, flags uint32, msgAndCertEncodingType *uint32, contentType *uint32, formatType *uint32, certStore *windows.Handle, msg *windows.Handle, context *uintptr) (err error) = crypt32.CryptQueryObject
-//sys certGetNameString(certContext *windows.CertContext, nameType uint32, flags uint32, typePara uintptr, name *uint16, size uint32) (chars uint32) = crypt32.CertGetNameStringW
-func ExtractCertificateNames(path string) ([]string, error) {
+func ExtractCertificates(path string) ([]x509.Certificate, error) {
path16, err := windows.UTF16PtrFromString(path)
if err != nil {
return nil, err
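Review bot: ExtractCertificates is exported but the line that reintroduces it, `+func ExtractCertificates(path string) ([]x509.Certificate, error)`, carries no doc comment, so nothing states what callers get back or when the call fails. The constants a few lines up show the query is for PKCS#7 signed content embedded in the file, and the later hunk enumerates the resulting store and aborts on the first parse failure, so a comment along the lines of `// ExtractCertificates parses every certificate found in the PKCS#7 signature embedded in the file at path and returns them in store order; it returns an error if any certificate fails to parse.` would capture the visible contract. The function body continues in the following hunks.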
@@ -33,8 +32,8 @@ func ExtractCertificateNames(path string) ([]string, error) {
return nil, err
}
defer windows.CertCloseStore(certStore, 0)
+ var certs []x509.Certificate
var cert *windows.CertContext
- var names []string
for {
cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
if err != nil {
@@ -48,21 +47,13 @@ func ExtractCertificateNames(path string) ([]string, error) {
if cert == nil {
break
}
- nameLen := certGetNameString(cert, _CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, 0, nil, 0)
- if nameLen == 0 {
- continue
- }
- name16 := make([]uint16, nameLen)
- if certGetNameString(cert, _CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, 0, &name16[0], nameLen) != nameLen {
- continue
- }
- if name16[0] == 0 {
- continue
+ buf := make([]byte, cert.Length)
+ copy(buf, (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:])
+ if c, err := x509.ParseCertificate(buf); err == nil {
+ certs = append(certs, *c)
+ } else {
+ return nil, err
}
- names = append(names, windows.UTF16ToString(name16))
- }
- if names == nil {
- return nil, syscall.Errno(windows.CRYPT_E_NOT_FOUND)
}
- return names, nil
+ return certs, nil
}
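Review bot: `copy(buf, (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:])` reads at most 1 MiB, so a certificate whose cert.Length exceeds that is copied truncated (the tail of buf stays zero), the following x509.ParseCertificate fails, and the whole call returns an error rather than skipping that entry; this limit is not written down anywhere. A comment above the copy, `// EncodedCert is viewed through a fixed 1 MiB array; copy reads only cert.Length bytes, so a larger certificate would be truncated and then fail to parse`, makes the bound explicit, and on a toolchain that has unsafe.Slice the view can simply be `unsafe.Slice(cert.EncodedCert, cert.Length)` — the module's Go version is not visible from here. The parse result is also handled in the inverted order `if c, err := ...; err == nil { ... } else { return nil, err }`, which shadows the outer err and indents the failure path; `c, err := x509.ParseCertificate(buf)` followed by `if err != nil { return nil, err }` and then `certs = append(certs, *c)` is the usual shape. ExtractCertificates begins in an earlier hunk of this file.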
diff --git a/version/wintrust/zsyscall_windows.go b/version/wintrust/zsyscall_windows.go
index 7c742938..4d73cc5e 100644
--- a/version/wintrust/zsyscall_windows.go
+++ b/version/wintrust/zsyscall_windows.go
@@ -40,9 +40,8 @@ var (
modwintrust = windows.NewLazySystemDLL("wintrust.dll")
modcrypt32 = windows.NewLazySystemDLL("crypt32.dll")
- procWinVerifyTrust = modwintrust.NewProc("WinVerifyTrust")
- procCryptQueryObject = modcrypt32.NewProc("CryptQueryObject")
- procCertGetNameStringW = modcrypt32.NewProc("CertGetNameStringW")
+ procWinVerifyTrust = modwintrust.NewProc("WinVerifyTrust")
+ procCryptQueryObject = modcrypt32.NewProc("CryptQueryObject")
)
func WinVerifyTrust(hWnd windows.Handle, actionId *windows.GUID, data *WinTrustData) (err error) {
@@ -68,9 +67,3 @@ func cryptQueryObject(objectType uint32, object uintptr, expectedContentTypeFlag
}
return
}
-
-func certGetNameString(certContext *windows.CertContext, nameType uint32, flags uint32, typePara uintptr, name *uint16, size uint32) (chars uint32) {
- r0, _, _ := syscall.Syscall6(procCertGetNameStringW.Addr(), 6, uintptr(unsafe.Pointer(certContext)), uintptr(nameType), uintptr(flags), uintptr(typePara), uintptr(unsafe.Pointer(name)), uintptr(size))
- chars = uint32(r0)
- return
-}