OpenVPN 2.6 cryptoapicert ISSUER not viable

Official client software for OpenVPN Access Server and OpenVPN Cloud.
techjockeynet
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 03, 2023 7:45 pm

OpenVPN 2.6 cryptoapicert ISSUER not viable

Post by techjockeynet » Fri Mar 03, 2023 7:46 pm

I've been trying to find a way for OpenVPN to detect the correct cert in the Windows cert store using the issuer and specifying our internal CA. I found it is possible to use cryptoapicert ISSUER: according to this code on GitHub, https://github.com/OpenVPN/openvpn/blob ... ryptoapi.c, with the following section:


static const CERT_CONTEXT *
find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
{
    /* Find, and use, the desired certificate from the store. The
     * 'cert_prop' certificate search string can look like this:
     * SUBJ:<certificate substring to match>
     * THUMB:<certificate thumbprint hex value>, e.g.
     *     THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
     * The first matching certificate that has not expired is returned.
     */
    const CERT_CONTEXT *rv = NULL;
    DWORD find_type;
    const void *find_param;
    unsigned char hash[255];
    CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
    struct gc_arena gc = gc_new();

    if (!strncmp(cert_prop, "SUBJ:", 5))
    {
        /* skip the tag */
        find_param = wide_string(cert_prop + 5, &gc);
        find_type = CERT_FIND_SUBJECT_STR_W;
    }
    else if (!strncmp(cert_prop, "ISSUER:", 7))
    {
        find_param = wide_string(cert_prop + 7, &gc);
        find_type = CERT_FIND_ISSUER_STR_W;
    }
    else if (!strncmp(cert_prop, "THUMB:", 6))
    {
        find_type = CERT_FIND_HASH;
        find_param = &blob;

        blob.cbData = parse_hexstring(cert_prop + 6, hash, sizeof(hash));
        if (blob.cbData == 0)
        {
            msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop);
            goto out;
        }
    }
    else
    {
        msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>", cert_prop);
        goto out;
    }
Am I wrong in assuming ISSUER: is a search parameter under cryptoapicert?

I've tried it in a lab and receive the message *"unsupported certificate specification <ISSUER:....>"*
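As an added example (not OpenVPN's code and not from the poster), here is a portable C model of the selector parsing in the quoted section: it reproduces the tag dispatch of find_certificate_in_store() and supplies a hex decoder standing in for parse_hexstring(), so the three selector forms can be exercised without the Windows CryptoAPI. Every identifier in it (cert_selector, parse_cert_selector, the support_issuer flag, the decoder's acceptance of space and colon separators) is this example's own assumption, not OpenVPN's.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example code, not OpenVPN's: models the cryptoapicert selector syntax
 * SUBJ:<substring> / ISSUER:<substring> / THUMB:<hex thumbprint>. */

enum cert_find_type { FIND_NONE = 0, FIND_SUBJECT, FIND_ISSUER, FIND_THUMB };

struct cert_selector {
    enum cert_find_type type;
    const char *str;          /* substring for SUBJ: / ISSUER: */
    unsigned char hash[64];   /* decoded thumbprint for THUMB: */
    size_t hash_len;
};

/* Decode "f6 49 24 ..." or "f6:49:24..." into bytes (assumption: space and
 * colon are accepted as separators).  Returns the byte count, or 0 on any
 * malformed input: odd digit count, non-hex character, separator splitting
 * a byte, or more bytes than 'out' can hold. */
static size_t parse_hexstring(const char *hex, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    int have_high = 0;
    unsigned char acc = 0;

    for (const char *p = hex; *p; ++p) {
        unsigned char c = (unsigned char)*p;
        int v;
        if (c == ' ' || c == ':') {
            if (have_high) return 0;      /* "f 6" is not a byte */
            continue;
        }
        if (!isxdigit(c)) return 0;
        v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (!have_high) {
            acc = (unsigned char)(v << 4);
            have_high = 1;
        } else {
            if (n >= out_len) return 0;
            out[n++] = (unsigned char)(acc | v);
            have_high = 0;
        }
    }
    return have_high ? 0 : n;             /* trailing lone nibble -> error */
}

/* Dispatch on the selector tag.  'support_issuer' (an assumption of this
 * example) models whether the parser contains the ISSUER: branch; without
 * it an ISSUER: selector falls through to the final "unsupported" error.
 * Returns 0 on success, -1 for a bad thumbprint, -2 for an unknown tag. */
int parse_cert_selector(const char *cert_prop, int support_issuer,
                        struct cert_selector *sel)
{
    memset(sel, 0, sizeof(*sel));

    if (!strncmp(cert_prop, "SUBJ:", 5)) {
        sel->type = FIND_SUBJECT;
        sel->str = cert_prop + 5;         /* skip the tag */
        return 0;
    }
    if (support_issuer && !strncmp(cert_prop, "ISSUER:", 7)) {
        sel->type = FIND_ISSUER;
        sel->str = cert_prop + 7;
        return 0;
    }
    if (!strncmp(cert_prop, "THUMB:", 6)) {
        sel->type = FIND_THUMB;
        sel->hash_len = parse_hexstring(cert_prop + 6, sel->hash, sizeof(sel->hash));
        if (sel->hash_len == 0) {
            fprintf(stderr, "WARNING: cryptoapicert: error parsing <%s>.\n", cert_prop);
            return -1;
        }
        return 0;
    }
    fprintf(stderr, "Error in cryptoapicert: unsupported certificate specification <%s>\n",
            cert_prop);
    return -2;
}

int main(void)
{
    /* Constructed sample selectors; the thumbprint is the one from the comment above. */
    const char *samples[] = {
        "SUBJ:vpn-client",
        "ISSUER:Example Internal CA",
        "THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28",
        "THUMB:f6 4",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct cert_selector sel;
        int with = parse_cert_selector(samples[i], 1, &sel);
        int without = parse_cert_selector(samples[i], 0, &sel);
        printf("%-70s with ISSUER: %2d  without: %2d\n", samples[i], with, without);
    }
    return 0;
}
```

The support_issuer flag shows where the message in the post comes from: a parser that has no ISSUER: branch reaches the final else and reports the selector as an unsupported certificate specification, which is exactly the text quoted above. Note also that SUBJ: and ISSUER: are substring matches and, per the comment in the quoted code, the first non-expired match is used, so a broad issuer string can select a different certificate than intended when several client certificates from the same CA are installed; THUMB: identifies exactly one certificate.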

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN 2.6 cryptoapicert ISSUER not viable

Post by Pippin » Fri Mar 03, 2023 8:49 pm

Hi,

This question probably gets more attraction on the openvpn-users list:
https://sourceforge.net/projects/openvp ... nvpn-users
.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
