Option --cryptoapicert: support issuer name as a selector

- Certificate selection string can now specify a partial
  issuer name string as "--cryptoapicert ISSUER:<string>" where
  <string> is matched as a substring of the issuer (CA) name in
  the certificate.

  Partial case-insensitive matching against the "issuer name" is
  used. Here "issuer name" is a text representation of the RDNs
  separated by commas.

  E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".

  See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
  as "FindType" for more details.

  As the order of RDNs is not well-defined[*] and type names like "OU"
  or "CN" are not included, it's best to match against a single attribute
  like the CN of the issuer:

  E.g., --cryptoapicert "ISSUER:Acme Root"

[*] Windows appears to order RDNs in the reverse order to which
    it's written in the certificate but do not rely on this.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
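
A model of the selector matching described in the commit message above, as an added example that is not OpenVPN code and does not call CryptoAPI. It audits a selector for matching more than one issuer and for depending on RDN order; the function names and the sample store are constructed for illustration, and the ", " join follows the example string in the message.

```python
# Model of "ISSUER:<string>" matching as the commit message describes it:
# RDN values joined by ", " with no type names, then a case-insensitive
# substring test. Assumption: this approximates the text form only.

def issuer_text(rdn_values, reverse=False):
    """Join RDN values without type names ("CN=", "OU=" are absent)."""
    values = list(reversed(rdn_values)) if reverse else list(rdn_values)
    return ", ".join(values)


def matches(selector, issuer):
    """Partial, case-insensitive substring match."""
    return selector.lower() in issuer.lower()


def audit_selector(selector, store):
    """store: list of (cert_label, issuer_rdn_values).

    Reports which certificates the selector picks, whether they come from
    more than one distinct issuer, and whether the result changes when the
    RDN order is reversed (the order is not well-defined per the message).
    """
    fwd = [c for c, rdns in store if matches(selector, issuer_text(rdns))]
    rev = [c for c, rdns in store if matches(selector, issuer_text(rdns, True))]
    issuers = {issuer_text(rdns) for c, rdns in store if c in fwd}
    return {
        "matched": fwd,
        "ambiguous": len(issuers) > 1,
        "order_dependent": sorted(fwd) != sorted(rev),
    }


# Constructed sample store: three certificates from three issuers.
STORE = [
    ("client-a", ["CA", "Ontario", "Toronto", "Acme Inc.", "IT", "Acme Root CA"]),
    ("client-b", ["CA", "Ontario", "Toronto", "Acme Inc.", "IT", "Acme Root CA 2"]),
    ("client-c", ["US", "Example Corp", "Example Issuing CA"]),
]

if __name__ == "__main__":
    for sel in ("Acme Root", "Acme Root CA 2", "IT, Acme Root CA", "CA"):
        print(sel, "->", audit_selector(sel, STORE))
```

A selector flagged `ambiguous` or `order_dependent` should be tightened, or replaced by a selector that identifies a single certificate, before it is deployed.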