From: Selva Nair <selva.n...@gmail.com>
Have the cryptoapicert option find the first matching certificate
in store that is valid at the present time. Currently the first
found item, even if expired, is returned.
This makes it possible to update certifiates in store without having
to delete old ones. As a side effect, if only expired certificates are
found, the connection fails.
Also remove some unnecessary casts.
Tested on Windows 10.
Trac #966
Signed-off-by: Selva Nair <selva.n...@gmail.com>
---
v3: nudging again with a rebase to master
src/openvpn/cryptoapi.c | 41 +++++++++++++++++++++++++++++------------
1 file changed, 29 insertions(+), 12 deletions(-)
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee7..3b70c33 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -739,27 +739,30 @@ find_certificate_in_store(const char *cert_prop,
HCERTSTORE cert_store)
* SUBJ:<certificate substring to match>
* THUMB:<certificate thumbprint hex value>, e.g.
* THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
+ * The first matching certificate that has not expired is returned.
*/
const CERT_CONTEXT *rv = NULL;
+ DWORD find_type;
+ const void *find_param;
+ unsigned char hash[255];
+ CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
if (!strncmp(cert_prop, "SUBJ:", 5))
{
/* skip the tag */
- cert_prop += 5;
- rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING |
PKCS_7_ASN_ENCODING,
- 0, CERT_FIND_SUBJECT_STR_A, cert_prop,
NULL);
-
+ find_param = cert_prop + 5;
+ find_type = CERT_FIND_SUBJECT_STR_A;
}
else if (!strncmp(cert_prop, "THUMB:", 6))
{
- unsigned char hash[255];
- char *p;
+ const char *p;
int i, x = 0;
- CRYPT_HASH_BLOB blob;
+ find_type = CERT_FIND_HASH;
+ find_param = &blob;
/* skip the tag */
cert_prop += 6;
- for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++)
+ for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++)
{
if (*p >= '0' && *p <= '9')
{
@@ -775,7 +778,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE
cert_store)
}
if (!*++p) /* unexpected end of string */
{
- break;
+ msg(M_WARN, "WARNING: cryptoapicert: error parsing
<THUMB:%s>.", cert_prop);
+ return NULL;
}
if (*p >= '0' && *p <= '9')
{
@@ -796,10 +800,23 @@ find_certificate_in_store(const char *cert_prop,
HCERTSTORE cert_store)
}
}
blob.cbData = i;
- blob.pbData = (unsigned char *) &hash;
+ }
+ while(true)
+ {
+ int validity = 1;
+ /* this frees previous rv, if not NULL */
rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING |
PKCS_7_ASN_ENCODING,
- 0, CERT_FIND_HASH, &blob, NULL);
-
+ 0, find_type, find_param, rv);
+ if (rv)
+ {
+ validity = CertVerifyTimeValidity(NULL, rv->pCertInfo);
+ }
+ if (!rv || validity == 0)
+ {
+ break;
+ }
+ msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store
%s.",
+ validity < 0 ? "not yet valid" : "that has expired");
}
return rv;
--
2.1.4
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
