namecoin / certinject

Inject certificates into Windows CryptoAPI trust store, with EKU and name constraints.
https://www.namecoin.org/
GNU General Public License v3.0

Apply operation to cert from AuthRoot CTL #23

Open JeremyRand opened 3 years ago

JeremyRand commented 3 years ago

It would be useful to support a mode in which the specified operations are applied to a cert from the CryptoAPI AuthRoot CTL instead of a cert that's already part of the specified cert store.

JeremyRand commented 3 years ago

Potential ways to do this:

  1. certutil -generateSSTFromWU WURoots.sst
     certutil -addstore AuthRoot WURoots.sst
  2. certutil -syncWithWU <dest folder> (might only retrieve a .cab file containing the CTL, not the raw certs?)
  3. The raw certs can supposedly be downloaded from http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/$CERTID.crt; not sure what the best way is to import them (since the property metadata will be missing here)... maybe just try to verify the cert with certutil -verify $CERTID.crt and see if it gets imported automatically?

I suspect that if (3) works, it's going to be safer, because it can be run by an application without any privileges to access the cert store (so we can do better sandboxing).

The $CERTID parameter might be the cert's SHA256 fingerprint. Seems to be parseable from the CTL via https://github.com/robstradling/authroot_parser/blob/master/authroot_parser.go.

JeremyRand commented 3 years ago

The following command will download all trusted AuthRoot certs to individual files in the current directory:

certutil -v -syncWithWU -f -f .

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11

It also downloads authrootstl.cab, disallowedcert.sst, disallowedcertstl.cab, pinrules.sst, and pinrulesstl.cab. In other words, it downloads a trusted cert list, a revoked cert list, and a cert pin list.

Downloading this info (as expected) does not need any elevated privs.

JeremyRand commented 3 years ago

The filenames of each cert are the SHA1 fingerprints in lowercase hex followed by .crt.
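As an added example (not part of this issue thread or of the certinject project), a small Go program that checks a file from the syncWithWU folder against the naming convention described above before it is handed to certutil -verify: it parses the file as DER and compares the lowercase SHA-1 fingerprint with the filename. The names CheckFingerprintName and SampleDER are chosen here; SampleDER builds a constructed self-signed certificate so the check can be run offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CheckFingerprintName checks that a .crt written by certutil -syncWithWU is named
// after the lowercase-hex SHA-1 fingerprint of the DER certificate it holds
// (SHA-1 only because that is the naming convention, not as a trust decision).
func CheckFingerprintName(path string) error {
	der, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	if _, err := x509.ParseCertificate(der); err != nil {
		return fmt.Errorf("%s: not a DER certificate: %w", path, err)
	}
	want := fmt.Sprintf("%x", sha1.Sum(der))
	if got := strings.TrimSuffix(strings.ToLower(filepath.Base(path)), ".crt"); got != want {
		return fmt.Errorf("%s: name %s does not match fingerprint %s", path, got, want)
	}
	return nil
}

// SampleDER builds a throwaway self-signed certificate (constructed input, not a
// real AuthRoot cert) so the check can be exercised offline.
func SampleDER() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test root"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// Usage: go run . <file.crt>; anything other than <nil> means do not verify it.
func main() {
	fmt.Println(CheckFingerprintName(os.Args[1]))
}
```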

JeremyRand commented 3 years ago

And yes, I can confirm that running certutil -v -verify $SHA1.crt on any of the certs downloaded by the above command will result in the cert being imported to the system/AuthRoot store; no elevated privileges are needed for this.

Also note that some of the crt files that show up in that folder verify as "REVOKED". But this should be harmless, since letting CryptoAPI import them to system/AuthRoot doesn't impact their "REVOKED" status.

JeremyRand commented 2 years ago

I believe this is no longer needed, since certutil -verifyCTL does what we want?