Add configuration toggle to enable/disable use of OS native certifica…

…te stores (#419)

google_guest_agent/agentcrypto/mtls_mds_linux.go

@@ -21,6 +21,7 @@ import (
 	"os/exec"
 	"path/filepath"
 
+	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/cfg"
 	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/run"
 	"github.com/GoogleCloudPlatform/guest-agent/utils"
 	"github.com/GoogleCloudPlatform/guest-logging-go/logger"
@@ -59,6 +60,11 @@ func (j *CredsJob) writeRootCACert(ctx context.Context, content []byte, outputFi
 		return err
 	}
 
+	if cfg.Get().MDS.SkipNativeStore {
+		logger.Debugf("SkipNativeStore is enabled, will not write root cert to system store")
+		return nil
+	}
+
 	// Best effort to update system store, don't fail.
 	if err := updateSystemStore(ctx, outputFile); err != nil {
 		logger.Errorf("Failed add Root MDS cert to system trust store with error: %v", err)

google_guest_agent/agentcrypto/mtls_mds_linux_test.go

@@ -20,11 +20,15 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/cfg"
 	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/fakes"
 	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/uefi"
 )
 
 func TestReadAndWriteRootCACert(t *testing.T) {
+	if err := cfg.Load(nil); err != nil {
+		t.Fatalf("Failed to load config: %v", err)
+	}
 	root := t.TempDir()
 	v := uefi.VariableName{Name: "testname", GUID: "testguid", RootDir: root}
 	j := &CredsJob{}

google_guest_agent/agentcrypto/mtls_mds_windows.go

@@ -25,6 +25,7 @@ import (
 	"syscall"
 	"unsafe"
 
+	"github.com/GoogleCloudPlatform/guest-agent/google_guest_agent/cfg"
 	"github.com/GoogleCloudPlatform/guest-agent/utils"
 	"github.com/GoogleCloudPlatform/guest-logging-go/logger"
 	"golang.org/x/sys/windows"
@@ -69,6 +70,11 @@ func (j *CredsJob) writeRootCACert(_ context.Context, cacert []byte, outputFile
 		return err
 	}
 
+	if cfg.Get().MDS.SkipNativeStore {
+		logger.Debugf("SkipNativeStore is enabled, will not write root cert to certstore")
+		return nil
+	}
+
 	x509Cert, err := parseCertificate(cacert)
 	if err != nil {
 		return fmt.Errorf("failed to parse root CA cert: %w", err)
@@ -189,6 +195,11 @@ func (j *CredsJob) writeClientCredentials(creds []byte, outputFile string) error
 		return fmt.Errorf("failed to write PFX file: %w", err)
 	}
 
+	if cfg.Get().MDS.SkipNativeStore {
+		logger.Debugf("SkipNativeStore is enabled, will not write client creds to certstore")
+		return nil
+	}
+
 	blob := windows.CryptDataBlob{
 		Size: uint32(len(pfx)),
 		Data: &pfx[0],

google_guest_agent/cfg/cfg.go

@@ -93,6 +93,7 @@ cert_authentication = true
 
 [MDS]
 mtls_bootstrapping_enabled = true
+skip_native_store = true
 
 [Snapshots]
 enabled = false
@@ -254,6 +255,11 @@ type OSLogin struct {
 type MDS struct {
 	// MTLSBootstrappingEnabled enables/disables the mTLS credential refresher.
 	MTLSBootstrappingEnabled bool `ini:"mtls_bootstrapping_enabled,omitempty"`
+	// SkipNativeStore enables/disables the use of OSs native store. Native
+	// store is Certificate Store on Windows which hosts both Client Credential and
+	// Root certificate where as its trust store that hosts root certs like
+	// `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` on Linux.
+	SkipNativeStore bool `ini:"skip_native_store,omitempty"`
 }
 
 // NetworkInterfaces contains the configurations of NetworkInterfaces section.