#endif /* HAVE_XKEY_PROVIDER */
+static char *
+get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc)
+{
+ DWORD len = CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, NULL, 0);
+ char *name = NULL;
+ if (len)
+ {
+ wchar_t *wname = gc_malloc(len*sizeof(wchar_t), false, gc);
+ if (!wname
+ || CertGetNameStringW(cc, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, wname, len) == 0)
+ {
+ return NULL;
+ }
+ name = utf16to8(wname, gc);
+ }
+ return name;
+}
+
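Review bot: The `if (len)` test in get_cert_name cannot tell a certificate with no friendly display name from one that has a name. CertGetNameStringW reports a count of 1 (the terminator alone) when the requested name type is not found, so the caller would log `<>`. Testing `if (len > 1)` instead would return NULL in that case and let the caller skip the message. A short comment above the function would also help: `/* Return the friendly display name of cc as UTF-8, allocated in gc, or NULL if unavailable */`.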
int
SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
{
HCERTSTORE cs;
X509 *cert = NULL;
CAPI_DATA *cd = calloc(1, sizeof(*cd));
+ struct gc_arena gc = gc_new();
if (cd == NULL)
{
}
}
+ /* try to log the "name" of the selected certificate */
+ char *cert_name = get_cert_name(cd->cert_context, &gc);
+ if (cert_name)
+ {
+ msg(D_LOW, "cryptapicert: using certificate with name <%s>", cert_name);
+ }
+
/* cert_context->pbCertEncoded is the cert X509 DER encoded. */
cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded,
cd->cert_context->cbCertEncoded);
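Review bot: `cert_name` is text read from the certificate and reaches the `msg(D_LOW, ...)` call unchanged, so a display name containing newlines or other control characters could produce misleading or forged-looking log lines. Whether `msg()` escapes such characters is not visible in this hunk. If it does not, filter the name before logging, for example with the project's `string_mod()` helper, excluding CR/LF. The enclosing function starts and ends outside this hunk.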
EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey,
xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free);
SSL_CTX_use_PrivateKey(ssl_ctx, privkey);
+ gc_free(&gc);
return 1; /* do not free cd -- its kept by xkey provider */
#else /* ifdef HAVE_XKEY_PROVIDER */
goto err;
}
CAPI_DATA_free(cd); /* this will do a ref_count-- */
+ gc_free(gc);
return 1;
#endif /* HAVE_XKEY_PROVIDER */
err:
CAPI_DATA_free(cd);
+ gc_free(&gc);
return 0;
}
#endif /* _WIN32 */
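Review bot: `gc_free(gc);` in the non-xkey branch passes the `struct gc_arena` by value, while the other two exits added by this commit call `gc_free(&gc)`. Assuming gc_free() takes a pointer, as those call sites indicate, builds without HAVE_XKEY_PROVIDER will fail to compile on this line; it should read `gc_free(&gc);`. The arena only holds the certificate name used for one log message, so freeing it right after that message would avoid repeating the call on every return path, which is how this slip arose. The function body starts outside this hunk.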
return ucs16;
}
+char *
+utf16to8(const wchar_t *utf16, struct gc_arena *gc)
+{
+ char *utf8 = NULL;
+ int n = WideCharToMultiByte(CP_UTF8, 0, utf16, -1, NULL, 0, NULL, NULL);
+ if (n > 0)
+ {
+ utf8 = gc_malloc(n, true, gc);
+ if (utf8)
+ {
+ WideCharToMultiByte(CP_UTF8, 0, utf16, -1, utf8, n, NULL, NULL);
+ }
+ }
+ return utf8;
+}
/*
* Return true if filename is safe to be used on Windows,
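Review bot: The second `WideCharToMultiByte` call in utf16to8 ignores its return value, so a failed conversion hands the caller a non-NULL buffer instead of NULL. The result should be checked, e.g. `if (WideCharToMultiByte(CP_UTF8, 0, utf16, -1, utf8, n, NULL, NULL) == 0) { utf8 = NULL; }`. With flags `0`, invalid UTF-16 sequences are silently replaced rather than rejected; if callers should see that as an error, pass `WC_ERR_INVALID_CHARS` in both calls. The header comment could also state the contract: input must be NUL-terminated, the result is allocated in `gc`, and NULL is returned on failure.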
/* Convert a string from UTF-8 to UCS-2 */
WCHAR *wide_string(const char *utf8, struct gc_arena *gc);
+/* Convert a string from UTF-16 to UTF-8 */
+char *utf16to8(const wchar_t *utf16, struct gc_arena *gc);
+
/* return true if filename is safe to be used on Windows */
bool win_safe_filename(const char *fn);