feature: exclude certificates without private key

capi/wincapi.go

@@ -21,9 +21,10 @@ const (
 )
 
 var (
-	modcrypt32                          = syscall.NewLazyDLL("crypt32.dll")
-	procCryptSignMessage                = modcrypt32.NewProc("CryptSignMessage")
-	procCertDuplicateCertificateContext = modcrypt32.NewProc("CertDuplicateCertificateContext")
+	modcrypt32                            = syscall.NewLazyDLL("crypt32.dll")
+	procCryptSignMessage                  = modcrypt32.NewProc("CryptSignMessage")
+	procCertDuplicateCertificateContext   = modcrypt32.NewProc("CertDuplicateCertificateContext")
+	procCertGetCertificateContextProperty = modcrypt32.NewProc("CertGetCertificateContextProperty")
 )
 
 type cryptoapiBlob struct {
@@ -94,6 +95,15 @@ func certDuplicateCertificateContext(context *syscall.CertContext) (uintptr, err
 	return r0, nil
 }
 
+func certGetCertificateContextProperty(context *syscall.CertContext, dwPropId uint32) int {
+	pvData := uint32(0)
+	pvDataPtr := uintptr(unsafe.Pointer(&pvData))
+	pcbData := uint32(4)
+	pcbDataPtr := uintptr(unsafe.Pointer(&pcbData))
+	r0, _, _ := syscall.Syscall6(procCertGetCertificateContextProperty.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(dwPropId), pvDataPtr, pcbDataPtr, 0, 0)
+	return int(r0)
+}
+
 type Certificate struct {
 	certContext uintptr
 	*x509.Certificate
@@ -121,6 +131,7 @@ func LoadUserCerts() ([]*Certificate, error) {
 		CERT_SYSTEM_STORE_CURRENT_USER = 0x00010000
 		CERT_STORE_READONLY_FLAG       = 0x00008000
 		CRYPT_E_NOT_FOUND              = 0x80092004
+		CERT_KEY_SPEC_PROP_ID          = 6
 	)
 	ptr, _ := syscall.BytePtrFromString("My")
 	store, err := syscall.CertOpenStore(
@@ -150,6 +161,11 @@ func LoadUserCerts() ([]*Certificate, error) {
 		if cert == nil {
 			break
 		}
+		// Check private key
+		propID := certGetCertificateContextProperty(cert, CERT_KEY_SPEC_PROP_ID)
+		if propID == 0 {
+			continue
+		}
 		// Copy the buf, since ParseCertificate does not create its own copy.
 		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
 		buf2 := make([]byte, cert.Length)

go.mod

@@ -0,0 +1,11 @@
+module github.com/buptczq/WinCryptSSHAgent
+
+go 1.14
+
+require (
+	github.com/Microsoft/go-winio v0.4.14
+	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
+	github.com/hattya/go.notify v0.0.0-20200507123844-18670158b53e
+	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
+	golang.org/x/sys v0.0.0-20200523222454-059865788121
+)

go.sum

@@ -0,0 +1,26 @@
+github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
+github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/hattya/go.notify v0.0.0-20200507123844-18670158b53e h1:Gk1vp0SYbw9pEJdELjDDBaRuFzz0/iGi28lNjaM22RI=
+github.com/hattya/go.notify v0.0.0-20200507123844-18670158b53e/go.mod h1:mINwcH5dRqzDBn/Gp/Ss1ADDLUBI7ZVDJq5uW1FUF2I=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200321134203-328b4cd54aae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121 h1:rITEj+UZHYC927n8GT97eC3zrpzXdb/voyeOuVKS46o=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

versioninfo.json

@@ -3,13 +3,13 @@
         "FileVersion": {
             "Major": 1,
             "Minor": 0,
-            "Patch": 3,
+            "Patch": 4,
             "Build": 0
         },
         "ProductVersion": {
             "Major": 1,
             "Minor": 0,
-            "Patch": 3,
+            "Patch": 4,
             "Build": 0
         },
         "FileFlagsMask": "3f",
@@ -29,7 +29,7 @@
         "OriginalFilename": "WinCryptSSHAgent.exe",
         "PrivateBuild": "",
         "ProductName": "WinCrypt SSH Agent",
-        "ProductVersion": "v1.0.3",
+        "ProductVersion": "v1.0.4",
         "SpecialBuild": ""
     },
     "VarFileInfo": {