...
I'm not clear how to reproduce this, but a user of the PHP driver (which wraps mongoc) managed to get CertOpenStore() to fail when not providing CERT_STORE_READONLY_FLAG. It appears that certain user accounts need to declare their intent as read only?
xgen-internal-githook commented on Mon, 10 Jul 2017 20:15:41 +0000:
Author: Ted Tuckman (TedTuckman, ted.tuckman@mongodb.com)
Message: SERVER-27592 open windows certificate store read only
Branch: master
https://github.com/mongodb/mongo/commit/78fa7ae30d6b4d817750fbb7ff03c5bb0155a864

jonathan.reams@10gen.com commented on Wed, 11 Jan 2017 16:59:41 +0000:
I think that as long as you open the cert store with CERT_STORE_PROV_SYSTEM_W and CERT_SYSTEM_STORE_CURRENT_USER_W then you shouldn't have any problems if the user's registry permissions are set correctly, because the certificate store will be owned by the current user. This would be easy to repro by removing write permissions from a user's registry hive - which sounds crazy. We should probably do this since there's no reason to have write access to the cert store, but I don't think this is a problem people are likely to hit.

bjori commented on Thu, 5 Jan 2017 22:22:55 +0000:
The original user confirmed this fixed his problem: https://github.com/mongodb/mongo-php-library/issues/313#issuecomment-268600348
I however don't know how to repro this to determine if the shell and the tools are affected, but since our code is derived from this original server code, I find it highly likely to be affected too.

bjori commented on Thu, 5 Jan 2017 22:19:59 +0000:
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c index 056f524..27a4029 100644 --- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c 
+++ b/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c @@ -54,7 +54,7 @@ static int importCertStoreToX509_STORE( int status = 1; X509* x509Cert = NULL; HCERTSTORE systemStore = - CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, storeLocation, storeName); + CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, (HCRYPTPROV)NULL, storeLocation|CERT_STORE_READONLY_FLAG, storeName); if (systemStore == NULL) { formatError(GetLastError(),"error opening system CA store",err,err_len); status = 0; diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index ed70d6b..fd8a231 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -900,7 +900,7 @@ Status importCertStoreToX509_STORE(const wchar_t* storeName, DWORD storeLocation, X509_STORE* verifyStore) { HCERTSTORE systemStore = CertOpenStore( - CERT_STORE_PROV_SYSTEM_W, 0, NULL, storeLocation, const_cast(storeName)); + CERT_STORE_PROV_SYSTEM_W, 0, NULL, storeLocation|CERT_STORE_READONLY_FLAG, const_cast(storeName)); if (systemStore == NULL) { return {ErrorCodes::InvalidSSLConfiguration, str::stream() << "error opening system CA store: " << errnoWithDescription()};
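Review bot: the `+` line in the system_certs.c hunk patches a vendored copy (src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl), so the fix will silently disappear on the next vendor refresh unless it is also sent upstream or the local deviation is recorded; add a one-line comment on the CertOpenStore call naming SERVER-27592 and the reason (the handle is only read from to populate the X509_STORE, so a read-only open is the least privilege that still works for accounts without write access to their own hive). Style nit on the same line: put spaces around the `|` in `storeLocation|CERT_STORE_READONLY_FLAG` to match the spacing of the surrounding arguments.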
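Review bot: the error path in the ssl_manager.cpp hunk, `"error opening system CA store: " << errnoWithDescription()`, drops the `storeName` and `storeLocation` that importCertStoreToX509_STORE was given, so when one of several stores refuses a read-only open the message cannot say which; include the store name in the stream. The reason for `CERT_STORE_READONLY_FLAG` (SERVER-27592; read-only is sufficient because the handle is only used to import into `verifyStore`) belongs in a comment beside the call, otherwise a later reader may "simplify" it away. Two nits on the changed line: spaces around `|` in `storeLocation|CERT_STORE_READONLY_FLAG`, and the context shows `const_cast(storeName)` with no template argument, which would not compile as rendered here; confirm the target pointer type survived in the actual commit.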
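As an added diagnostic for the scenario jonathan.reams describes (an account whose registry hive is not writable), not code from the ticket or from either patched project: this PowerShell function opens a system certificate store twice through .NET's X509Store, once read-only and once read-write, and reports which opens succeed for the current user. It assumes that X509Store.Open wraps CertOpenStore and that OpenFlags.ReadOnly corresponds to CERT_STORE_READONLY_FLAG; the function name, the default store and the location are mine for illustration.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example for the SERVER-27592 discussion; not code from the ticket or the patch.
# Probes whether the current account can open a system certificate store read-only
# and read-write. Assumption: X509Store.Open wraps CertOpenStore and OpenFlags.ReadOnly
# maps to CERT_STORE_READONLY_FLAG. Function name, store and location are illustrative.
function Test-CertStoreAccess {
    param(
        [string]$StoreName = 'Root',                               # the store family the patch imports
        [StoreLocation]$Location = [StoreLocation]::CurrentUser    # CERT_SYSTEM_STORE_CURRENT_USER
    )

    $results = [ordered]@{ StoreName = $StoreName; Location = $Location.ToString() }

    foreach ($mode in 'ReadOnly', 'ReadWrite') {
        # OpenExistingOnly keeps the probe from creating a store as a side effect.
        $flags = [OpenFlags]$mode -bor [OpenFlags]::OpenExistingOnly
        $store = [X509Store]::new($StoreName, $Location)
        try {
            $store.Open($flags)
            $results[$mode] = "ok ($($store.Certificates.Count) certificates)"
        }
        catch {
            # The wrapped CryptographicException carries the Win32 error text (e.g. access denied).
            $results[$mode] = "FAILED: $($_.Exception.Message)"
        }
        finally {
            $store.Close()
        }
    }

    [pscustomobject]$results
}

# ReadOnly 'ok' with ReadWrite 'FAILED' is the situation the ticket describes:
# without CERT_STORE_READONLY_FLAG, CertOpenStore fails for this account.
Test-CertStoreAccess
Test-CertStoreAccess -StoreName 'CA'
```

Run it under the account that reported the failure. If the read-only probe succeeds while the read-write probe fails, the fix in the patch (opening with CERT_STORE_READONLY_FLAG) is exactly what that account needs; if both fail, the problem is not write permission on the hive and the ticket's explanation does not apply.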