hakril/PythonForWindows

RFE: crypt32.CryptUIWizImport imports ALMOST perfectly (to a remote system)

Closed this issue ยท 1 comments

smanross commented

Im sorry for the long read.๐Ÿ˜’

I'm trying to 100% successfully import a PFX encrypted certificate for use on a remote computer to the "local machine" certificate store, for use in creating a WinRM HTTPS Listener on that remote computer without having Python on the remote machine. Both computers are connected to the same Windows Domain

  • It should be noted that running a similar script as below, while run locally on the remote host with python installed works as needed, but my issues are centered around running this remotely as I do not want to install python everywhere, nor do I want to transfer the PFX to the local system just to import it to the local certificate store and then delete the PFX file from the system I am trying to manipulate.
  • My code below is using a newly created certificate generated from an internal Windows CA, and the resulting certificate and key are written out to a file, and then a PFX is created from that certificate and key with a password (the cryptography module requires the creation of a PFX with a password).
  • This import code is 99% working (when run remotely) - because it imports the certificate to the remote local machine certificate store, but there's a problem somewhere because when I try to use the imported PFX to create the WinRM HTTPS Listener it fails with a very cryptic message suggesting my logon session isn't active anymore and or terminated unexpectedly.
    • Presumably, creating the HTTPS Listener dies in the middle of the SOAP call because the PFX has something that isn't perfectly imported/generated. This is the error that the call to WSMan creates in the application logs on the remote system:
      • A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001. The SSPI client process is SYSTEM (PID: 4).
      • UAC is disabled on the client and remote systems, and the command prompt that I am using is admin-elevated
    • As well, this is the error on the python client that is generated when creating the wsman listener: "Error when creating the WinRM listener: WSManFaultError: Received a WSManFault message. (Code: 1312, Machine: winvm005.somedomain.com, Reason: A specified logon session does not exist. It may already have been terminated., Provider: Config provider, Provider Path: %systemroot%\system32\WsmSvc.dll)"
  • another interesting thing about this oddity is that if I "start to export the certificate for the imported PFX" that was imported from this script by opening and using the MMC Certificates application, I can then use the certificate successfully in the WsMan/WInRM https listener creation (from python remotely)
    • I don't actually need to finish the export, I only need to start the export, and press Next a few times time (this presumably fixes whatever is missing in some validation step prior to the export).
  • I'm only asking this question here since I saw your reference to

    PythonForWindows/windows/crypto/certificate.py

    Line 184 in 13d0b6b

    # PKCS12_NO_PERSIST_KEY -> do not save it in a key container on disk
    this where you suggested you were having similar oddities in a somewhat similar scenario (i.e. the imported PFX wasn't usable)

If you can help me understand where I am going wrong or how to progress on this further, I'd certainly appreciate it, but this is definitely not something wrong with your module so I understand there's nothing for you to fix.

This is an amazing module, and I've grown to love it in my minimal experience with it.

If it matters:

  • the winvm005 VM is running Windows Server 2022 Evaluation Edition with up to date windows patches (September 2024), and
  • The python client is running Windows 11, and I've also tried it running the python script on Windows Server 2022 (in case there were incompatabilities because of the client OS)
  • This is all tested with Python 3.9 and 3.11 (again, in case of incompatabilities)
  • I've traced the remote windows VM with procmon64.exe to try and locate any helpful data during the import and during the listener creation without success.

Here's my code that doesn't perfectly import the PFX file to the certificate store. I'm not worried about the password in clear text (as it was generated randomly).

import ctypes
from ctypes import wintypes
from windows.generated_def.winstructs import HCERTSTORE, DWORD, HCRYPTPROV_LEGACY

cryptui = ctypes.WinDLL('CryptUI.dll')
crypt32 = ctypes.WinDLL("crypt32.dll")

# constants
CERT_STORE_PROV_SYSTEM = 10
CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000
CERT_STORE_MAXIMUM_ALLOWED_FLAG = 0x00001000
CRYPT_MACHINE_KEYSET = 0x00000020
CRYPT_EXPORTABLE = 0x00000001
CRYPTUI_WIZ_IMPORT_SUBJECT_FILE = 1
CRYPTUI_WIZ_NO_UI = 0x0001


# Define the CRYPTUI_WIZ_IMPORT_SRC_INFO structure
class CRYPTUI_WIZ_IMPORT_SRC_INFO(ctypes.Structure):
    _fields_ = [
        ("dwSize", wintypes.DWORD),
        ("dwSubjectChoice", wintypes.DWORD),
        ("pwszFileName", wintypes.LPWSTR),
        ("dwFlags", wintypes.DWORD),
        ("pwszPassword", wintypes.LPWSTR)
    ]


# method mappings
crypt32.CertOpenStore.argtypes = [DWORD, DWORD, HCRYPTPROV_LEGACY, DWORD, wintypes.LPCWSTR]
crypt32.CertOpenStore.restype = HCERTSTORE

crypt32.CertCloseStore.argtypes = [HCERTSTORE, DWORD]
crypt32.CertCloseStore.restype = wintypes.BOOL

cryptui.CryptUIWizImport.argtypes = [
    wintypes.DWORD,          # dwFlags
    wintypes.HWND,           # hwndParent
    wintypes.LPCWSTR,        # pwszWizardTitle
    ctypes.POINTER(CRYPTUI_WIZ_IMPORT_SRC_INFO),  # pImportSrc
    HCERTSTORE      # hDestCertStore
]
cryptui.CryptUIWizImport.restype = wintypes.BOOL


def import_pfx_to_my_remote_machine_store(computername, filename, password, flags=CRYPT_EXPORTABLE | CRYPT_MACHINE_KEYSET, cert_store_name="My", debug=False):

    # Open certificate store for the remote computer using the "local machine" certificate store
    hCertStore = crypt32.CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, None, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_MAXIMUM_ALLOWED_FLAG, f"\\\\{computername}\\{cert_store_name}")
    if not hCertStore:
        raise Exception(f"Error opening remote machine ({computername}) Cert Store ({cert_store_name}): {ctypes.GetLastError()}")

    # Initialize the import source info
    import_src = CRYPTUI_WIZ_IMPORT_SRC_INFO()
    import_src.dwSize = ctypes.sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO)
    import_src.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE
    import_src.pwszFileName = filename
    import_src.dwFlags = flags
    import_src.pwszPassword = password

    # Call the CryptUIWizImport function to import the certificate without a UI
    result = cryptui.CryptUIWizImport(
        CRYPTUI_WIZ_NO_UI,
        None,
        None,
        ctypes.byref(import_src),
        hCertStore
    )
    if result and debug:
        # the import succeeds even though the imported PFX isn't 100% usable
        print("import was a success: (supposedly)", result)

    if not result:
        c_err = ctypes.GetLastError()
        crypt32.CertCloseStore(hCertStore, 0)
        raise Exception(f"Error remotely importing the Certificate using CryptUIWizImport: error {c_err}")

    return hCertStore

if __name__ == "__main__":
    from windows.crypto import CertificateStore

    # the method will generate an exception if the call fails, or return a certificate store handle that we can use to look at the certificates in the store
    cert_store_handle = import_pfx_to_my_remote_machine_store(computername="winvm005.somedomain.com", filename="c:\\scripts\\certs\\winvm005.somedomain.com-winrm.pfx", password="96WM9tCcj4og3tz6S7wbGzj2ysACvS8d", flags=CRYPT_EXPORTABLE | CRYPT_MACHINE_KEYSET, cert_store_name="My")

    cert_store = CertificateStore(cert_store_handle)
    for cert in cert_store.certs:
        if cert.serial == "2d 00 00 01 cf ac a0 63 a4 a7 69 a8 8d 00 01 00 00 01 cf":
            # this is the imported certificate
            print(cert)
            # outputs <Certificate "winvm005.somedomain.com" serial="2d 00 00 01 cf ac a0 63 a4 a7 69 a8 8d 00 01 00 00 01 cf">
hakril commented

Hi,

I read you code and I am sorry to say that I have no real advice or insight to give you.
My use of the cryptoAPI is exclusively local as I rarely work in an AD context not use it for Administration task.

The use of PKCS12_NO_PERSIST_KEY was for a precise use-case where I want to decrypt some file with a PFX without having a local save of the key. The goal is to have a need for the PFX each time with a minimal impact and edge effects of the decrypting computer.

Your code and the definitions seem to make sense. The only thing that may be of interest to explore are the following things:
- MagnumDB define 0x8009030D as SEC_E_UNKNOWN_CREDENTIALS (https://www.magnumdb.com/search?q=0x8009030D). Is that only an effect of the session expiration ?
- I see some interesting flags in the documentation of CryptUIWizImport like CRYPTUI_WIZ_IMPORT_ALLOW_CERT & CRYPTUI_WIZ_IMPORT_REMOTE_DEST_STORE. I guess you tried some of these ?

Sorry I cannot help more. If you find a solution to your problem, I would be glad to ear it !

  • ๐Ÿ‘1