3 files changed, 74 insertions, 2 deletions

diff --git a/version/wintrust/certificate_windows.go b/version/wintrust/certificate_windows.go
new file mode 100644
index 00000000..8a0b5f2f
--- /dev/null
+++ b/version/wintrust/certificate_windows.go
@@ -0,0 +1,58 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package wintrust
+
+import (
+	"crypto/x509"
+	"golang.org/x/sys/windows"
+	"syscall"
+	"unsafe"
+)
+
+const (
+	CERT_QUERY_OBJECT_FILE                     = 1
+	CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED = 1024
+	CERT_QUERY_FORMAT_FLAG_ALL                 = 14
+)
+
+//sys CryptQueryObject(objectType uint32, object uintptr, expectedContentTypeFlags uint32, expectedFormatTypeFlags uint32, flags uint32, msgAndCertEncodingType *uint32, contentType *uint32, formatType *uint32, certStore *windows.Handle, msg *windows.Handle, context *uintptr) (err error) = crypt32.CryptQueryObject
+
+func ExtractCertificates(path string) ([]x509.Certificate, error) {
+	path16, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return nil, err
+	}
+	var certStore windows.Handle
+	err = CryptQueryObject(CERT_QUERY_OBJECT_FILE, uintptr(unsafe.Pointer(path16)), CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, CERT_QUERY_FORMAT_FLAG_ALL, 0, nil, nil, nil, &certStore, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer windows.CertCloseStore(certStore, 0)
+	var certs []x509.Certificate
+	var cert *windows.CertContext
+	for {
+		cert, err = windows.CertEnumCertificatesInStore(certStore, cert)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok {
+				if errno == syscall.Errno(windows.CRYPT_E_NOT_FOUND) {
+					break
+				}
+			}
+			return nil, err
+		}
+		if cert == nil {
+			break
+		}
+		buf := make([]byte, cert.Length)
+		copy(buf, (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:])
+		if c, err := x509.ParseCertificate(buf); err == nil {
+			certs = append(certs, *c)
+		} else {
+			return nil, err
+		}
+	}
+	return certs, nil
+}
diff --git a/version/wintrust/mksyscall.go b/version/wintrust/mksyscall.go
index 0a5df80d..5f78d375 100644
--- a/version/wintrust/mksyscall.go
+++ b/version/wintrust/mksyscall.go
@@ -5,4 +5,4 @@
 
 package wintrust
 
-//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go wintrust_windows.go
+//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go wintrust_windows.go certificate_windows.go
diff --git a/version/wintrust/zsyscall_windows.go b/version/wintrust/zsyscall_windows.go
index 775f38ba..8aa315c0 100644
--- a/version/wintrust/zsyscall_windows.go
+++ b/version/wintrust/zsyscall_windows.go
@@ -38,8 +38,10 @@ func errnoErr(e syscall.Errno) error {
 
 var (
 	modwintrust = windows.NewLazySystemDLL("wintrust.dll")
+	modcrypt32  = windows.NewLazySystemDLL("crypt32.dll")
 
-	procWinVerifyTrust = modwintrust.NewProc("WinVerifyTrust")
+	procWinVerifyTrust   = modwintrust.NewProc("WinVerifyTrust")
+	procCryptQueryObject = modcrypt32.NewProc("CryptQueryObject")
 )
 
 func WinVerifyTrust(hWnd windows.Handle, actionId *windows.GUID, data *WinTrustData) (err error) {
@@ -53,3 +55,15 @@ func WinVerifyTrust(hWnd windows.Handle, actionId *windows.GUID, data *WinTrustD
 	}
 	return
 }
+
+func CryptQueryObject(objectType uint32, object uintptr, expectedContentTypeFlags uint32, expectedFormatTypeFlags uint32, flags uint32, msgAndCertEncodingType *uint32, contentType *uint32, formatType *uint32, certStore *windows.Handle, msg *windows.Handle, context *uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall12(procCryptQueryObject.Addr(), 11, uintptr(objectType), uintptr(object), uintptr(expectedContentTypeFlags), uintptr(expectedFormatTypeFlags), uintptr(flags), uintptr(unsafe.Pointer(msgAndCertEncodingType)), uintptr(unsafe.Pointer(contentType)), uintptr(unsafe.Pointer(formatType)), uintptr(unsafe.Pointer(certStore)), uintptr(unsafe.Pointer(msg)), uintptr(unsafe.Pointer(context)), 0)
+	if r1 == 0 {
+		if e1 != 0 {
+			err = errnoErr(e1)
+		} else {
+			err = syscall.EINVAL
+		}
+	}
+	return
+}