From patchwork Sat Jan 28 22:34:18 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3018
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Jan 2023 17:34:18 -0500
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230128223421.2207802-1-selva.nair@gmail.com>
References: <20230128223421.2207802-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/4] Option --cryptoapicert: support issuer name as a selector
From: Selva Nair

- Certificate selection string can now specify a partial issuer name
  string as "--cryptoapicert ISSUER:" where is matched as a substring
  of the issuer (CA) name in the certificate.

  Partial case-insensitive matching against the "issuer name" is used.
  Here "issuer name" is a text representation of the RDN's separated by
  commas. E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
  See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
  as "FindType" for more details.

  As the order of RDN's is not well-defined[*] and type names like "OU"
  or "CN" are not included, it's best to match against a single
  attribute like the CN of the issuer: E.g., --cryptoapicert "ISSUER:Acme Root"

[*] Windows appears to order RDN's in the reverse order to which it's
written in the certificate but do not rely on this.

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 doc/man-sections/windows-options.rst | 13 +++++++++++--
 src/openvpn/cryptoapi.c              |  5 +++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst
index 368f7b19..e87291f4 100644
--- a/doc/man-sections/windows-options.rst
+++ b/doc/man-sections/windows-options.rst
@@ -41,13 +41,22 @@ Windows-Specific Options cryptoapicert "SUBJ:Peter Runestig" - To select a certificate, based on certificate's thumbprint: + To select a certificate, based on certificate's thumbprint (SHA1 hash): :: cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." The thumbprint hex string can easily be copy-and-pasted from the Windows - Certificate Store GUI. + Certificate Store GUI. The embedded spaces in the hex string are optional. + + To select a certificate based on a substring in certificate's + issuer name: + :: + + cryptoapicert "ISSUER:Sample CA" + + The first non-expired certificate found in the user's store or the + machine store that matches the select-string is used. --dhcp-release Ask Windows to release the TAP adapter lease on shutdown. This option diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 661a9a6d..39eeec1b 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -459,6 +459,11 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) find_param = wide_string(cert_prop + 5, &gc); find_type = CERT_FIND_SUBJECT_STR_W; } + else if (!strncmp(cert_prop, "ISSUER:", 7)) + { + find_param = wide_string(cert_prop + 7, &gc); + find_type = CERT_FIND_ISSUER_STR_W; + } else if (!strncmp(cert_prop, "THUMB:", 6)) { const char *p;
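Review bot: the new ISSUER: paragraph in windows-options.rst does not tell the reader that the match is a case-insensitive substring match against a comma-separated list of RDN values whose order Windows does not guarantee, which the commit message explains and which decides what a safe selector looks like. A short selector such as `cryptoapicert "ISSUER:CA"` would match nearly every certificate and, together with the added sentence "The first non-expired certificate found in the user's store or the machine store that matches the select-string is used", would silently pick whichever matching certificate the store enumerates first. Suggest adding a sentence along the lines of "The match is a case-insensitive substring match against the issuer name; use a distinctive part of the issuer's CN rather than a full distinguished name."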
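Review bot: in the cryptoapi.c hunk the new ISSUER: branch of find_certificate_in_store() hands whatever follows the prefix to CERT_FIND_ISSUER_STR_W without checking that it is non-empty, so a bare `ISSUER:` in the config becomes an empty search string that matches every certificate, and the first non-expired one in the store gets used. The SUBJ: branch above has the same shape, so the new code is consistent with it, but since the issuer string is the less specific selector it is worth rejecting an empty selector here (or in both branches) with an error rather than letting it match everything. Minor style point: the hard-coded prefix lengths 5, 7 and 6 could be written as `sizeof("ISSUER:") - 1` (and likewise for the other prefixes) so the length cannot drift from the literal.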
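As an added illustration of the selection rule the commit message describes (example code, not part of this patch or of OpenVPN), this portable C model represents each store entry's issuer name as the comma-separated, reverse-ordered RDN string the message gives, substitutes a case-insensitive substring test for CERT_FIND_ISSUER_STR, and reports how many non-expired certificates a given "ISSUER:" selector would match; the store contents are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed store entries. issuer_str follows the commit message's model of
 * Windows' issuer name string: RDN values only, comma-separated, reverse order. */
struct cert { const char *label; const char *issuer_str; int expired; };
const struct cert sample_store[] = {
    { "vpn-user",     "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA", 0 },
    { "old-vpn-user", "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA", 1 },
    { "web-client",   "US, Example Corp, Example Issuing CA",              0 },
    { "test-user",    "CA, Ontario, Toronto, Acme Inc., IT, Acme Test CA", 0 },
};
const size_t sample_store_len = sizeof(sample_store) / sizeof(sample_store[0]);
/* Case-insensitive substring test: a portable stand-in for the partial match
 * CERT_FIND_ISSUER_STR performs, not the Win32 call itself. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}
/* Parse "ISSUER:<string>" and count the non-expired certificates it matches;
 * *first gets the index that "first non-expired match" selection would pick.
 * Returns -1 for a non-ISSUER selector or an empty string after the prefix,
 * because an empty substring would match every certificate in the store. */
int count_issuer_matches(const char *cert_prop, const struct cert *store,
                         size_t n, int *first)
{
    if (strncmp(cert_prop, "ISSUER:", 7) != 0 || cert_prop[7] == '\0') return -1;
    int matches = 0;
    *first = -1;
    for (size_t i = 0; i < n; i++) {
        if (store[i].expired || !contains_ci(store[i].issuer_str, cert_prop + 7)) continue;
        if (*first < 0) *first = (int)i;
        matches++;
    }
    return matches;
}
int main(void)
{
    const char *sel[] = { "ISSUER:Acme Root", "ISSUER:CA", "ISSUER:" };
    for (size_t i = 0; i < 3; i++) {
        int first, m = count_issuer_matches(sel[i], sample_store, sample_store_len, &first);
        printf("%-18s -> %d match(es), picks %s\n", sel[i], m, first >= 0 ? sample_store[first].label : "nothing");
    }
    return 0;
}
```

Running it shows why the commit message recommends matching a single distinctive attribute: "Acme Root" selects exactly one live certificate, "CA" matches three, and the certificate-order DN string matches nothing because Windows renders the RDNs reversed.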