tls: openssl: Implement flexible certstore loading on Windows #11200
+130
−13
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WalkthroughParses optional Windows certstore prefixes (e.g., "Root/My" or "Cert:\LocalMachine\My") into a resolved triplet (configured_name, store_name, store_location) and uses that to open the appropriate Windows certificate store when loading TLS certificates; preserves legacy behavior when no prefix is present unless enterprise override is requested. Changes
Sequence Diagram(s)sequenceDiagram
participant Config as Configuration
participant Resolver as windows_resolve_certstore_location
participant Loader as Store Opening Logic
participant WinAPI as Windows Cert APIs
Config->>Resolver: certstore_name (e.g. "Root/My" or "Cert:\LocalMachine\My")
activate Resolver
Resolver->>Resolver: Parse -> configured_name, store_name, store_location
Resolver-->>Loader: configured_name, store_name, store_location
deactivate Resolver
Loader->>Loader: Choose open method by store_location
alt Current User
Loader->>WinAPI: CertOpenSystemStoreA(store_name)
else Other Location
Loader->>WinAPI: CertOpenStore(store_location, store_name)
end
WinAPI-->>Loader: Cert store handle / error
Loader->>Loader: Enumerate certificates / match thumbprints
note right of Loader `#DDEEFF`: Logs reference configured_name in messages
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes
Suggested reviewers
Poem
Pre-merge checks and finishing touches❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
📜 Recent review detailsConfiguration used: CodeRabbit UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (31)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
With this patch, we can load certificates from Windows CertStore as: * My -> no prefix, leave location untouched * CurrentUser\My -> CERT_SYSTEM_STORE_CURRENT_USER, "My" * HKCU\My -> CERT_SYSTEM_STORE_CURRENT_USER, "My" * LocalMachine\My -> CERT_SYSTEM_STORE_LOCAL_MACHINE, "My" * HKLM\My -> CERT_SYSTEM_STORE_LOCAL_MACHINE, "My" * LocalMachineEnterprise\My -> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, "My" * HKLME\My -> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, "My" Signed-off-by: Hiroshi Hatake <[email protected]>
cosmo0920
force-pushed
the
cosmo0920-implement-flexible-certostore-loading
branch
from
ed457a7 to
ef28bf3
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
src/tls/openssl.c(5 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (26)
- GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit (Arm64), amd64_arm64, -DCMAKE_SYSTEM_NAME=Windows -DCMA...
- GitHub Check: pr-windows-build / call-build-windows-package (Windows 32bit, x86, x86-windows-static, 3.31.6)
- GitHub Check: pr-windows-build / call-build-windows-package (Windows 64bit, x64, x64-windows-static, 3.31.6)
- GitHub Check: pr-compile-centos-7
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_COMPILER_STRICT_POINTER_TYPES=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=Off, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_THREAD=On, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_ARROW=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_COVERAGE=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SIMD=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_UNDEFINED=On, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SANITIZE_MEMORY=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DSANITIZE_ADDRESS=On, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, clang, clang++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_SMALL=On, 3.31.6, gcc, g++)
- GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=On, 3.31.6, clang, clang++)
- GitHub Check: PR - fuzzing test
- GitHub Check: run-ubuntu-unit-tests (-DFLB_JEMALLOC=Off, 3.31.6, clang, clang++)
🔇 Additional comments (3)
src/tls/openssl.c (3)
436-449: LGTM!The conditional store opening logic correctly uses
CertOpenSystemStoreAfor current user (preserving legacy behavior) andCertOpenStorewith the appropriate location flags for machine and enterprise stores. Error handling is in place at line 451-454.
504-507: LGTM!Using
configured_namein log messages provides better context for users debugging certificate loading issues, as it shows the original configuration value.
305-319: Good design for flexible certstore location parsing.The function handles multiple syntaxes (PowerShell style, abbreviated prefixes, both separators) and maintains backward compatibility for unrecognized inputs. The documentation in the comment block clearly explains the supported formats.
Signed-off-by: Hiroshi Hatake <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fluent Bit will handle the prefixes which should be compatible for PowerShell Cert:/ prefix for Get-Item or other Cmdlets.
This patch introduces a flexible syntax to select Windows certificate store locations:
My → CurrentUser\My (legacy behavior)
CurrentUser\My, HKCU\My
LocalMachine\My, HKLM\My
LocalMachineEnterprise\My, HKLME\My
Cert:\LocalMachine\My (PowerShell style)
Key points:
Prefix has higher priority than tls.windows.use_enterprise_store
If no prefix is given, existing behavior remains unchanged
CertOpenSystemStoreA() is still used for CurrentUser for compatibility
CertOpenStore() is used for LocalMachine / Enterprise stores
This allows Fluent Bit to read certificates from any Windows CertStore location commonly used in enterprise environments, AD-managed hosts, or custom security deployments.
Fixes #11162.
Enter
[N/A]in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
ok-package-testlabel to test for all targets (requires maintainer to do).Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.
Summary by CodeRabbit
New Features
Bug Fixes
✏️ Tip: You can customize this high-level summary in your review settings.