Added Pkcs12Flags to control how to import chains from the PKCS#12

Cargo.toml

@@ -19,6 +19,7 @@ no-default-features = true
 rustls = { git = "https://github.com/rustls/rustls.git", default-features = false, features = ["std"] }
 rustls-pki-types = "1"
 time = { version = "0.3.43", default-features = false, optional = true }
+bitflags = "2"
 windows-sys = { version = "0.61", features = ["Win32_Foundation", "Win32_Security_Cryptography"] }
 
 [dev-dependencies]

examples/client.rs

@@ -1,3 +1,11 @@
+use std::{
+    hash::Hasher,
+    io::{Read, Write},
+    net::{Shutdown, TcpStream},
+    path::PathBuf,
+    sync::Arc,
+};
+
 use clap::Parser;
 use rustls::{
     ClientConfig, ClientConnection, RootCertStore, Stream,
@@ -6,17 +14,10 @@ use rustls::{
     enums::CertificateType,
 };
 use rustls_pki_types::{CertificateDer, ServerName};
-use std::hash::Hasher;
-use std::{
-    io::{Read, Write},
-    net::{Shutdown, TcpStream},
-    path::PathBuf,
-    sync::Arc,
-};
 
 use rustls_cng::{
     signer::CngSigningKey,
-    store::{CertStore, CertStoreType},
+    store::{CertStore, CertStoreType, Pkcs12Flags},
 };
 
 const PORT: u16 = 8000;
@@ -110,7 +111,11 @@ fn main() -> anyhow::Result<()> {
 
     let store = if let Some(ref keystore) = params.keystore {
         let data = std::fs::read(keystore)?;
-        CertStore::from_pkcs12(&data, params.password.as_deref().unwrap_or_default())?
+        CertStore::from_pkcs12(
+            &data,
+            params.password.as_deref().unwrap_or_default(),
+            Pkcs12Flags::default(),
+        )?
     } else {
         CertStore::open(CertStoreType::CurrentUser, "my")?
     };

examples/server.rs

@@ -11,6 +11,7 @@ use rustls::{
     crypto::{Credentials, Identity, SelectedCredential, aws_lc_rs},
     server::{ClientHello, ServerCredentialResolver, WebPkiClientVerifier},
 };
+use rustls_cng::store::Pkcs12Flags;
 use rustls_cng::{
     signer::CngSigningKey,
     store::{CertStore, CertStoreType},
@@ -132,7 +133,11 @@ fn main() -> anyhow::Result<()> {
 
     let store = if let Some(ref keystore) = params.keystore {
         let data = std::fs::read(keystore)?;
-        CertStore::from_pkcs12(&data, params.password.as_deref().unwrap_or_default())?
+        CertStore::from_pkcs12(
+            &data,
+            params.password.as_deref().unwrap_or_default(),
+            Pkcs12Flags::default(),
+        )?
     } else {
         CertStore::open(CertStoreType::CurrentUser, "my")?
     };

src/store.rs

@@ -1,7 +1,7 @@
 //! Windows certificate store wrapper
 
+use bitflags::bitflags;
 use std::{os::raw::c_void, ptr};
-
 use windows_sys::Win32::Security::Cryptography::*;
 
 use crate::{Result, cert::CertContext, error::CngError};
@@ -22,6 +22,24 @@ pub enum CertStoreType {
     CurrentService,
 }
 
+bitflags! {
+    /// Set of flags to pass to the ` CertStore::from_pkcs12 ` method.
+    #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
+    pub struct Pkcs12Flags: u32 {
+        const INCLUDE_EXTENDED_PROPERTIES = 0x0010;
+        const PREFER_CNG_KSP = 0x0000_0100;
+        const ALWAYS_CNG_KSP = 0x0000_0200;
+        const ALLOW_OVERWRITE_KEY = 0x0000_4000;
+        const NO_PERSIST_KEY = 0x0000_8000;
+    }
+}
+
+impl Default for Pkcs12Flags {
+    fn default() -> Self {
+        Pkcs12Flags::INCLUDE_EXTENDED_PROPERTIES | Pkcs12Flags::PREFER_CNG_KSP
+    }
+}
+
 impl CertStoreType {
     fn as_flags(&self) -> u32 {
         match self {
@@ -71,19 +89,16 @@ impl CertStore {
     }
 
     /// Import certificate store from PKCS12 file
-    pub fn from_pkcs12(data: &[u8], password: &str) -> Result<CertStore> {
+    pub fn from_pkcs12(data: &[u8], password: &str, flags: Pkcs12Flags) -> Result<CertStore> {
         unsafe {
             let blob = CRYPT_INTEGER_BLOB {
                 cbData: data.len() as u32,
                 pbData: data.as_ptr() as _,
             };
 
             let password = utf16z!(password);
-            let store = PFXImportCertStore(
-                &blob,
-                password.as_ptr(),
-                CRYPT_EXPORTABLE | PKCS12_INCLUDE_EXTENDED_PROPERTIES | PKCS12_PREFER_CNG_KSP,
-            );
+            let store =
+                PFXImportCertStore(&blob, password.as_ptr(), CRYPT_EXPORTABLE | flags.bits());
             if store.is_null() {
                 Err(CngError::from_win32_error())
             } else {

tests/test_client_server.rs

@@ -4,21 +4,25 @@ const SERVER_PFX: &[u8] = include_bytes!("assets/rustls-server.pfx");
 const PASSWORD: &str = "changeit";
 
 mod client {
+    use std::{
+        hash::Hasher,
+        io::{Read, Write},
+        net::{Shutdown, TcpStream},
+        sync::Arc,
+    };
+
     use rustls::{
         ClientConfig, ClientConnection, RootCertStore, Stream,
         client::{ClientCredentialResolver, CredentialRequest},
         crypto::{Credentials, Identity, SelectedCredential, aws_lc_rs},
         enums::CertificateType,
     };
     use rustls_pki_types::CertificateDer;
-    use std::hash::Hasher;
-    use std::{
-        io::{Read, Write},
-        net::{Shutdown, TcpStream},
-        sync::Arc,
-    };
 
-    use rustls_cng::{signer::CngSigningKey, store::CertStore};
+    use rustls_cng::{
+        signer::CngSigningKey,
+        store::{CertStore, Pkcs12Flags},
+    };
 
     #[derive(Debug)]
     pub struct ClientCertResolver(CertStore, String);
@@ -59,7 +63,8 @@ mod client {
     }
 
     pub fn run_client(port: u16) -> anyhow::Result<()> {
-        let store = CertStore::from_pkcs12(super::CLIENT_PFX, super::PASSWORD)?;
+        let store =
+            CertStore::from_pkcs12(super::CLIENT_PFX, super::PASSWORD, Pkcs12Flags::default())?;
 
         let ca_cert_context = store.find_by_subject_str(super::CA_SUBJECT)?;
         let ca_cert = ca_cert_context.first().unwrap();
@@ -105,7 +110,10 @@ mod server {
         crypto::{Credentials, Identity, SelectedCredential, aws_lc_rs},
         server::{ClientHello, ServerCredentialResolver, WebPkiClientVerifier},
     };
-    use rustls_cng::{signer::CngSigningKey, store::CertStore};
+    use rustls_cng::{
+        signer::CngSigningKey,
+        store::{CertStore, Pkcs12Flags},
+    };
 
     #[derive(Debug)]
     pub struct ServerCertResolver(CertStore);
@@ -155,7 +163,8 @@ mod server {
     }
 
     pub fn run_server(sender: Sender<u16>) -> anyhow::Result<()> {
-        let store = CertStore::from_pkcs12(super::SERVER_PFX, super::PASSWORD)?;
+        let store =
+            CertStore::from_pkcs12(super::SERVER_PFX, super::PASSWORD, Pkcs12Flags::default())?;
 
         let ca_cert_context = store.find_by_subject_str(super::CA_SUBJECT)?;
         let ca_cert = ca_cert_context.first().unwrap();

tests/test_find.rs

@@ -1,11 +1,12 @@
-use rustls_cng::store::CertStore;
+use rustls_cng::store::{CertStore, Pkcs12Flags};
 
 const PFX: &[u8] = include_bytes!("assets/rustls-ec.p12");
 const PASSWORD: &str = "changeit";
 
 #[test]
 fn test_find_by_subject_str() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let context = store
         .find_by_subject_str("rustls")
@@ -17,7 +18,8 @@ fn test_find_by_subject_str() {
 
 #[test]
 fn test_find_by_subject_name() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let context = store
         .find_by_subject_name("CN=rustls-ec")
@@ -29,7 +31,8 @@ fn test_find_by_subject_name() {
 
 #[test]
 fn test_find_by_issuer_str() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let context = store
         .find_by_issuer_str("Inforce")
@@ -41,7 +44,8 @@ fn test_find_by_issuer_str() {
 
 #[test]
 fn test_find_by_issuer_name() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let context = store
         .find_by_issuer_name("O=Inforce Technologies, CN=Inforce Technologies CA")
@@ -53,7 +57,8 @@ fn test_find_by_issuer_name() {
 
 #[test]
 fn test_find_by_hash() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let sha1 = [
         0x66, 0xBF, 0xFD, 0xE5, 0xD2, 0x9D, 0x57, 0x97, 0x1B, 0x17, 0xBB, 0x81, 0x5D, 0x7A, 0xF8,
@@ -65,7 +70,8 @@ fn test_find_by_hash() {
 
 #[test]
 fn test_find_by_hash256() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let sha256 = [
         0xC9, 0x7C, 0xD6, 0xA1, 0x3F, 0xF6, 0xBD, 0xF6, 0xD4, 0xE2, 0xFB, 0x0E, 0xCD, 0x74, 0x2F,
@@ -79,7 +85,8 @@ fn test_find_by_hash256() {
 
 #[test]
 fn test_find_all() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let context = store.find_all().unwrap().into_iter().next();
     assert!(context.is_some());

tests/test_sign.rs

@@ -1,13 +1,17 @@
 use rustls::crypto::{SignatureScheme, SigningKey};
-use rustls_cng::{signer::CngSigningKey, store::CertStore};
+use rustls_cng::{
+    signer::CngSigningKey,
+    store::{CertStore, Pkcs12Flags},
+};
 
 const PFX: &[u8] = include_bytes!("assets/rustls-ec.p12");
 const PASSWORD: &str = "changeit";
 const MESSAGE: &str = "Security is our business";
 
 #[test]
 fn test_sign() {
-    let store = CertStore::from_pkcs12(PFX, PASSWORD).expect("Cannot open cert store");
+    let store = CertStore::from_pkcs12(PFX, PASSWORD, Pkcs12Flags::default())
+        .expect("Cannot open cert store");
 
     let context = store
         .find_by_subject_str("rustls")