From cf85f890ee38ee26194a41d33180c72298965b28 Mon Sep 17 00:00:00 2001 From: Jorge Niedbalski Date: Tue, 29 Oct 2024 10:21:49 +0000 Subject: [PATCH] tls: improve windows system certificates load debug information (#9533) gives detailed information on the cause of the failure when loading system certificates. Signed-off-by: Jorge Niedbalski Co-authored-by: Jorge Niedbalski --- src/tls/openssl.c | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/src/tls/openssl.c b/src/tls/openssl.c index 074dace6796..043a065efc4 100644 --- a/src/tls/openssl.c +++ b/src/tls/openssl.c @@ -241,18 +241,28 @@ static int windows_load_system_certificates(struct tls_context *ctx) { int ret; HANDLE win_store; + unsigned long err; PCCERT_CONTEXT win_cert = NULL; const unsigned char *win_cert_data; X509_STORE *ossl_store = SSL_CTX_get_cert_store(ctx->ctx); X509 *ossl_cert; + /* Check if OpenSSL certificate store is available */ + if (!ossl_store) { + flb_error("[tls] failed to retrieve openssl certificate store."); + return -1; + } + + /* Open the Windows system certificate store */ win_store = CertOpenSystemStoreA(0, "Root"); if (win_store == NULL) { - flb_error("[tls] Cannot open cert store: %i", GetLastError()); + flb_error("[tls] cannot open windows certificate store: %lu", GetLastError()); return -1; } - while (win_cert = CertEnumCertificatesInStore(win_store, win_cert)) { + /* Iterate over certificates in the store */ + while ((win_cert = CertEnumCertificatesInStore(win_store, win_cert)) != NULL) { + /* Check if the certificate is encoded in ASN.1 DER format */ if (win_cert->dwCertEncodingType & X509_ASN_ENCODING) { /* * Decode the certificate into X509 struct. @@ -262,25 +272,42 @@ static int windows_load_system_certificates(struct tls_context *ctx) */ win_cert_data = win_cert->pbCertEncoded; ossl_cert = d2i_X509(NULL, &win_cert_data, win_cert->cbCertEncoded); + if (!ossl_cert) { - flb_debug("[tls] Cannot parse a certificate. skipping..."); + flb_debug("[tls] cannot parse a certificate, error code: %lu, skipping...", ERR_get_error()); continue; } /* Add X509 struct to the openssl cert store */ ret = X509_STORE_add_cert(ossl_store, ossl_cert); if (!ret) { - flb_warn("[tls] Failed to add a certificate to the store: %lu: %s", - ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); + err = ERR_get_error(); + if (err == X509_R_CERT_ALREADY_IN_HASH_TABLE) { + flb_debug("[tls] certificate already exists in the store, skipping."); + } + else { + flb_warn("[tls] failed to add certificate to openssl store. error code: %lu - %s", + err, ERR_error_string(err, NULL)); + } } X509_free(ossl_cert); } } + /* Check for errors during enumeration */ + if (GetLastError() != CRYPT_E_NOT_FOUND) { + flb_error("[tls] error occurred while enumerating certificates: %lu", GetLastError()); + CertCloseStore(win_store, 0); + return -1; + } + + /* Close the Windows system certificate store */ if (!CertCloseStore(win_store, 0)) { - flb_error("[tls] Cannot close cert store: %i", GetLastError()); + flb_error("[tls] cannot close windows certificate store: %lu", GetLastError()); return -1; } + + flb_debug("[tls] successfully loaded certificates from windows system store."); return 0; } #endif