@@ -601,27 +601,31 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
* SUBJ:<certificate substring to match>
* THUMB:<certificate thumbprint hex value>, e.g.
* THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
+ * The first matching certificate that has not expired is returned.
*/
const CERT_CONTEXT *rv = NULL;
+ DWORD find_type;
+ const void *find_param;
+ unsigned char hash[255];
+ CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
if (!strncmp(cert_prop, "SUBJ:", 5))
{
/* skip the tag */
- cert_prop += 5;
- rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- 0, CERT_FIND_SUBJECT_STR_A, cert_prop, NULL);
-
+ find_param = cert_prop + 5;
+ find_type = CERT_FIND_SUBJECT_STR_A;
}
else if (!strncmp(cert_prop, "THUMB:", 6))
{
- unsigned char hash[255];
- char *p;
+ const char *p;
int i, x = 0;
- CRYPT_HASH_BLOB blob;
+ find_type = CERT_FIND_HASH;
+ find_param = &blob;
/* skip the tag */
cert_prop += 6;
- for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
+ for (p = cert_prop, i = 0; *p && i < sizeof(hash); i++)
+ {
if (*p >= '0' && *p <= '9')
{
x = (*p - '0') << 4;
@@ -636,7 +640,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
}
if (!*++p) /* unexpected end of string */
{
- break;
+ msg(M_WARN, "WARNING: cryptoapicert: error parsing <THUMB:%s>.", cert_prop);
+ return NULL;
}
if (*p >= '0' && *p <= '9')
{
@@ -657,10 +662,23 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
}
}
blob.cbData = i;
- blob.pbData = (unsigned char *) &hash;
+ }
+ while(true)
+ {
+ int validity = 1;
+ /* this frees previous rv, if not NULL */
rv = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
- 0, CERT_FIND_HASH, &blob, NULL);
-
+ 0, find_type, find_param, rv);
+ if (rv)
+ {
+ validity = CertVerifyTimeValidity(NULL, rv->pCertInfo);
+ }
+ if (!rv || validity == 0)
+ {
+ break;
+ }
+ msg(M_WARN, "WARNING: cryptoapicert: ignoring certificate in store %s.",
+ validity < 0 ? "not yet valid" : "that has expired");
}
return rv;