From a8ff15ce49b69816b64387e3387b9a310891d12a Mon Sep 17 00:00:00 2001
From: Selva Nair
Date: Sat, 28 Jan 2023 17:34:18 -0500
Subject: [PATCH] Option --cryptoapicert: support issuer name as a selector

- Certificate selection string can now specify a partial issuer name
  string as "--cryptoapicert ISSUER:" where is matched as a substring
  of the issuer (CA) name in the certificate.

  Partial case-insensitive matching against the "issuer name" is used.
  Here "issuer name" is a text representation of the RDNs separated by
  commas. E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
  See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
  as "FindType" for more details.

  As the order of RDNs is not well-defined[*] and type names like "OU" or
  "CN" are not included, it's best to match against a single attribute
  like the CN of the issuer: E.g., --cryptoapicert "ISSUER:Acme Root"

  [*] Windows appears to order RDNs in the reverse order to which they
  are written in the certificate, but do not rely on this.

Signed-off-by: Selva Nair
Acked-by: Gert Doering
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26092.html
Signed-off-by: Gert Doering
(cherry picked from commit b9e0e4060798ed88d2170702f2935754616b1200)
---
 doc/man-sections/windows-options.rst | 13 +++++++++++--
 src/openvpn/cryptoapi.c              |  5 +++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst
index 368f7b190..e87291f46 100644
--- a/doc/man-sections/windows-options.rst
+++ b/doc/man-sections/windows-options.rst
@@ -41,13 +41,22 @@ Windows-Specific Options cryptoapicert "SUBJ:Peter Runestig" - To select a certificate, based on certificate's thumbprint: + To select a certificate, based on certificate's thumbprint (SHA1 hash): :: cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." The thumbprint hex string can easily be copy-and-pasted from the Windows - Certificate Store GUI. + Certificate Store GUI. The embedded spaces in the hex string are optional. + + To select a certificate based on a substring in certificate's + issuer name: + :: + + cryptoapicert "ISSUER:Sample CA" + + The first non-expired certificate found in the user's store or the + machine store that matches the select-string is used. --dhcp-release Ask Windows to release the TAP adapter lease on shutdown. This option diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 6f6be9092..136c6ffc8 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -236,6 +236,11 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) find_param = wide_string(cert_prop + 5, &gc); find_type = CERT_FIND_SUBJECT_STR_W; } + else if (!strncmp(cert_prop, "ISSUER:", 7)) + { + find_param = wide_string(cert_prop + 7, &gc); + find_type = CERT_FIND_ISSUER_STR_W; + } else if (!strncmp(cert_prop, "THUMB:", 6)) { find_type = CERT_FIND_HASH; -- 2.47.3
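Review bot: the new ISSUER paragraph in windows-options.rst leaves out how the match works, and that is exactly what a user needs to write a selector that hits the right certificate. The commit message says the comparison is a case-insensitive substring match against the issuer's RDN values joined by commas, with type names such as "CN" and "OU" not included and the RDN order not to be relied on; none of that reaches the man page. Consequences a user cannot guess from the doc as written: "ISSUER:CN=Sample CA" never matches, and a selector that spans two RDNs depends on an ordering the commit message itself disclaims. Suggest adding after the example: "The match is a case-insensitive substring match against the issuer's RDN values (attribute names such as CN= are not part of the compared string); match on a single attribute, typically the issuer CN." The added sentence "The first non-expired certificate found in the user's store or the machine store that matches the select-string is used" is the security-relevant half of a substring selector and deserves one more sentence: a short selector such as "ISSUER:CA" can match certificates from several issuers, and the user silently gets whichever the store enumerates first, so the doc should say that an ambiguous selector is not an error and point to THUMB: where one specific certificate is required.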
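Review bot: the new `else if (!strncmp(cert_prop, "ISSUER:", 7))` branch in find_certificate_in_store() hands whatever follows the prefix to CertFindCertificateInStore() as CERT_FIND_ISSUER_STR_W without checking that it is non-empty. With the substring semantics the commit message describes, the empty string is a substring of every issuer string, so a config line that is just "ISSUER:" (or "ISSUER: " with a trailing space typo) selects the first certificate in the store instead of failing. Suggest checking `cert_prop[7] == '\0'` before the wide_string() conversion and returning NULL with a warning; the SUBJ: branch above it has the same gap at `cert_prop + 5` and would benefit from the same check. Also, the branch carries no comment, so nothing in cryptoapi.c records that this is a case-insensitive substring match over the issuer RDN values with type names omitted; a one-line comment pointing at CERT_FIND_ISSUER_STR and that semantics would save the next reader a trip to the commit log.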
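The commit message describes the match that CERT_FIND_ISSUER_STR performs but gives no way to see which certificates a given selector would hit before it goes into a config. The following PowerShell script is an added example, not part of this patch or of OpenVPN: it rebuilds the issuer string the way the commit message describes it (RDN values only, joined by commas, type names dropped) and applies a case-insensitive substring match over the user and machine personal stores. The function names (Get-IssuerText, Test-IssuerSelector) are mine, and two things are assumptions rather than documented behaviour: that the value-only, comma-joined text is what Windows compares against, and that the order Get-ChildItem enumerates a store is the order CertFindCertificateInStore() would search it. Treat the output as the candidate set, not a guarantee of which certificate OpenVPN picks.

```powershell
# Added example (not OpenVPN code): preview which certificates an OpenVPN
# "--cryptoapicert ISSUER:<text>" selector would match, using the semantics
# the commit message describes. ASSUMPTIONS: the compared text is the issuer
# RDN values joined by ", " with type names (CN=, O=, ...) dropped, and the
# order Get-ChildItem enumerates a store is the order CAPI would search it.
param(
    [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Selector,   # e.g. "Acme Root"
    [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
)

function Get-IssuerText {
    # Rebuild the value-only issuer string, e.g.
    # "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
    # Format($true) yields one "TYPE=value" per line, which avoids splitting
    # on commas that appear inside a value such as "Acme Inc., Ltd".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rdns = $Cert.IssuerName.Format($true) -split "`r?`n" | Where-Object { $_.Trim() -ne '' }
    $values = foreach ($rdn in $rdns) { ($rdn -replace '^[^=]+=', '').Trim() }
    return ($values -join ', ')
}

function Test-IssuerSelector {
    # Case-insensitive substring match, like CERT_FIND_ISSUER_STR. An empty
    # selector is a substring of everything: that is the failure mode to watch for.
    param([string]$IssuerText, [string]$Text)
    return $IssuerText.IndexOf($Text, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

if ($Selector -eq '') {
    Write-Warning 'Empty selector matches every certificate in the store.'
}
if ($Selector -match '^\s*(CN|OU|O|L|ST|S|C)\s*=') {
    Write-Warning "Type names such as CN= are not part of the compared string; '$Selector' will not match anything."
}

$now = Get-Date
$hits = foreach ($store in $Stores) {
    if (-not (Test-Path -Path $store)) { continue }
    $position = 0
    foreach ($cert in (Get-ChildItem -Path $store)) {
        $position++
        $issuer = Get-IssuerText -Cert $cert
        if (-not (Test-IssuerSelector -IssuerText $issuer -Text $Selector)) { continue }
        [pscustomobject]@{
            Store      = $store
            Order      = $position          # assumed to be CAPI's search order
            Subject    = $cert.Subject
            IssuerText = $issuer
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $now)
            HasKey     = $cert.HasPrivateKey
            Thumbprint = $cert.Thumbprint  # the unambiguous THUMB: alternative
        }
    }
}

if (-not $hits) {
    Write-Host "No certificate matches ISSUER:$Selector"
} else {
    # OpenVPN takes the first non-expired match, so more than one live entry
    # here means the selector is ambiguous; switch to THUMB: for that case.
    $live = @($hits | Where-Object { -not $_.Expired })
    if ($live.Count -gt 1) {
        Write-Warning "Selector is ambiguous: $($live.Count) non-expired certificates match."
    }
    $hits | Format-Table Store, Order, Subject, IssuerText, Expired, HasKey, Thumbprint -AutoSize
}
```

Run it as `.\Test-CryptoapiIssuer.ps1 -Selector 'Acme Root'` from the same account OpenVPN will run under, since the CurrentUser store differs per user. A result with more than one non-expired row is the case the man page text does not warn about: OpenVPN will take the first one, so copy the Thumbprint of the intended certificate into a THUMB: selector instead.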