Hello, I posted the following question here and was redirected to this mailing list for support: https://forums.openvpn.net/viewtopic.php?t=35445

I've been trying to find a way for OpenVPN to detect the correct cert in the Windows cert store using the issuer and specifying our internal CA. I found it is possible to use cryptoapicert ISSUER: according to this code on GitHub, https://github.com/OpenVPN/openvpn/blob ... ryptoapi.c, with the following section:
find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
{
    /* Find, and use, the desired certificate from the store. The
     * 'cert_prop' certificate search string can look like this:
     * SUBJ:<certificate substring to match>
     * THUMB:<certificate thumbprint hex value>, e.g.
     * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
     * The first matching certificate that has not expired is returned.
     */
    const CERT_CONTEXT *rv = NULL;
    DWORD find_type;
    const void *find_param;
    unsigned char hash[255];
    CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
    struct gc_arena gc = gc_new();

    if (!strncmp(cert_prop, "SUBJ:", 5))
    {
        /* skip the tag */
        find_param = wide_string(cert_prop + 5, &gc);
        find_type = CERT_FIND_SUBJECT_STR_W;
    }
    else if (!strncmp(cert_prop, "ISSUER:", 7))
    {
        find_param = wide_string(cert_prop + 7, &gc);
        find_type = CERT_FIND_ISSUER_STR_W;
    }
    else if (!strncmp(cert_prop, "THUMB:", 6))
    {
        find_type = CERT_FIND_HASH;
        find_param = &blob;

        blob.cbData = parse_hexstring(cert_prop + 6, hash, sizeof(hash));
        if (blob.cbData == 0)
        {
            msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop);
            goto out;
        }
    }
    else
    {
        msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>", cert_prop);
        goto out;
    }
Am I wrong in assuming ISSUER: is a search parameter under cryptoapicert?

I've tried it in a lab and receive the message *"unsupported certificate specification <ISSUER:....>"*


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

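The dispatch in the quoted find_certificate_in_store() is what decides which message a given cryptoapicert value produces, so here it is reimplemented as a standalone C example that can be run without Windows or the OpenVPN build. This is added illustration code, not OpenVPN's own; the names parse_cert_spec, hex_to_bytes, cert_spec and spec_kind are assumptions of this example, and hex_to_bytes stands in for OpenVPN's parse_hexstring (whose exact accepted syntax is not shown on this page). Two things visible in the quoted code and reproduced here: the tag comparison is a plain strncmp, so it is case-sensitive, and the "unsupported certificate specification" message is produced only by the final else branch, when none of the three prefixes match the start of the string.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of classifying a cryptoapicert search string. The names below are
 * this example's own, not OpenVPN identifiers. */
enum spec_kind {
    SPEC_SUBJECT,      /* SUBJ:<substring>   -> CERT_FIND_SUBJECT_STR_W in OpenVPN */
    SPEC_ISSUER,       /* ISSUER:<substring> -> CERT_FIND_ISSUER_STR_W  in OpenVPN */
    SPEC_THUMB,        /* THUMB:<hex>        -> CERT_FIND_HASH          in OpenVPN */
    SPEC_BAD_HEX,      /* THUMB: tag matched but the hex did not parse */
    SPEC_UNSUPPORTED   /* no tag matched: the "unsupported certificate specification" path */
};

struct cert_spec {
    enum spec_kind kind;
    const char *text;        /* search substring for SUBJ:/ISSUER: */
    unsigned char hash[64];  /* parsed thumbprint bytes for THUMB: */
    size_t hash_len;
};

/* Parse "f6 49 24 ..." or "f6492441..." into raw bytes, skipping spaces and
 * colons. Returns the byte count, or 0 on any malformed input (non-hex
 * character, odd number of nibbles, more bytes than out_len). A zero return is
 * the same failure signal the quoted code checks in blob.cbData.
 * Stand-in for OpenVPN's parse_hexstring; accepted syntax is an assumption. */
static size_t hex_to_bytes(const char *s, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    int have_high = 0;
    unsigned char acc = 0;

    for (; *s; s++) {
        int v;
        if (*s == ' ' || *s == ':')
            continue;
        if (*s >= '0' && *s <= '9')      v = *s - '0';
        else if (*s >= 'a' && *s <= 'f') v = *s - 'a' + 10;
        else if (*s >= 'A' && *s <= 'F') v = *s - 'A' + 10;
        else                             return 0;

        if (!have_high) {
            acc = (unsigned char)(v << 4);
            have_high = 1;
        } else {
            if (n >= out_len)
                return 0;
            out[n++] = (unsigned char)(acc | v);
            have_high = 0;
        }
    }
    return have_high ? 0 : n;   /* dangling high nibble = malformed */
}

/* Mirrors the if/else chain of the quoted function: tag before the colon
 * selects the find type, the rest of the string is the search parameter. */
struct cert_spec parse_cert_spec(const char *cert_prop)
{
    struct cert_spec spec;
    memset(&spec, 0, sizeof spec);

    if (!strncmp(cert_prop, "SUBJ:", 5)) {
        spec.kind = SPEC_SUBJECT;
        spec.text = cert_prop + 5;               /* skip the tag */
    } else if (!strncmp(cert_prop, "ISSUER:", 7)) {
        spec.kind = SPEC_ISSUER;
        spec.text = cert_prop + 7;
    } else if (!strncmp(cert_prop, "THUMB:", 6)) {
        spec.hash_len = hex_to_bytes(cert_prop + 6, spec.hash, sizeof spec.hash);
        spec.kind = spec.hash_len ? SPEC_THUMB : SPEC_BAD_HEX;
    } else {
        spec.kind = SPEC_UNSUPPORTED;            /* strncmp is case-sensitive */
    }
    return spec;
}

int main(void)
{
    /* Constructed sample values; the thumbprint is the one from the quoted comment. */
    const char *samples[] = {
        "ISSUER:My Internal CA",
        "issuer:My Internal CA",
        "SUBJ:vpn-client-01",
        "THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28",
        "THUMB:not-hex",
        "SERIAL:1234",
    };
    static const char *names[] = {"SUBJECT", "ISSUER", "THUMB", "BAD_HEX", "UNSUPPORTED"};

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct cert_spec s = parse_cert_spec(samples[i]);
        printf("%-70s -> %s", samples[i], names[s.kind]);
        if (s.kind == SPEC_THUMB)
            printf(" (%zu bytes)", s.hash_len);
        printf("\n");
    }
    return 0;
}
```

Running the sample set shows that only an exact, upper-case ISSUER: prefix reaches the issuer branch; a lower-case tag or any other prefix ends in the unsupported case, which is the branch that logs the message quoted in the post.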