Feedback for v4.2.0 regarding function of loading TLS cert from Windows Certstore

[pkqsun]

Bug Report

Describe the bug
This issue is related with new feature in v4.2.0 of #11009.

After testing, the function works but with limitations.
It only could load TLS cert within Windows certstore of Root and does not support for other valid certstores.

tls.windows.certstore_name: Root

Not sure if it is related with default values of

fluent-bit/src/tls/openssl.c

Line 314 in f1ba23a

char *certstore_name = "Root";

.
As this line:

fluent-bit/src/tls/openssl.c

Line 447 in f1ba23a

flb_debug("[tls] successfully loaded certificates from windows system %s store.",

always shows "xxx from windows system Root store.".

To Reproduce

• Steps to reproduce the problem with similar config:

service:
  flush_interval: 2
  log_level: debug

pipeline:
  inputs:
    - name: dummy
      tag: test

  outputs:
    - name: forward
      match: "test"
      host: 127.0.0.1
      port: 24284
      tls:  on
      tls.verify: on
      tls.vhost: localhost

      tls.windows.certstore_name:         Root/My
      tls.windows.use_enterprise_store:   false
      tls.windows.client_thumbprints:     <specific thumbprint>

./fluent-bit-4.2.0.exe -c test-of-above.yaml

Expected behavior

It is expected to load the TLS cert in certstore of My with specific thumbprint, but it failed as below snapshoot shows.

Screenshots

Your Environment
Windows Server 2019 Standand

Additional context

As screenshots shows, the thumbprint xxx17412b5b in certstore My could not be loaded.
However, after I import it to Root, it could be loaded as expected.

Other Request
Indeed, our user case is using output plugin of Loki.
The config yaml looks like:

outputs:
  - name: loki
    xxxx: xxxx
    tls.ca_file:  <path for local CA file>
    tls.windows.certstore_name:         Root
    tls.windows.client_thumbprints:     <specific thumbprint>
    xxxx: xxx

With above WA that imported client cert to Root and I want to combine of using local file and certstore, but it failed：

So, I just wonder that reading from file and from certstore could not be used at same time, right ?
It is as expected per design or it could be enhanced to support this compatibility.

2> Regarding Loki, it needs another CA cert, could we add another filed such as

   tls.windows.ca_thumbprints:     <specific ca cert thumbprint>

to support reading another cert from Windows certstore ?

Appreciate for any discussion or comments.

[pkqsun]

Tagging @edsiper @cosmo0920

[cosmo0920]

As screenshots shows, the thumbprint xxx17412b5b in certstore My could not be loaded.
However, after I import it to Root, it could be loaded as expected.

In the current loading certstore implementation, it reads the Root store at first and then tries to load from the specified store.
From your screenshot, the specified thumbprint is valid for the certificates that are stored in Root certstore and no certficates loaded by thumbprint from 'My'.
So, it seems that just referring My certstore was succeeded and failed to load with the specified thumbprint.

So, could you confirm with the following PowerShell cmdlets?

PS> Get-ChildItem Cert:\CurrentUser\My | Select Thumbprint, Subject

PS> Get-ChildItem Cert:\LocalMachine\My | Select Thumbprint, Subject

Possibly, there's a glitches for the assumed certstore place.

Fluent Bit currently opens the My store under the CurrentUser context when tls.windows.use_enterprise_store: false is used.
It’s possible that the certificate you are referring to is stored only under LocalMachine\My, which would explain why it can be loaded after importing it into Root but not when using the My store with the thumbprint filter.

[pkqsun]

Hi @cosmo0920 ,thanks for your clarification.

Yes, just as you predicted, there is no cert in My store under the CurrentUser.

BTW, I set tls.windows.use_enterprise_store: true and still could not read certs in Cert:\CurrentUser\My.

So, maybe we need another parameter to specify the certstore is within LocalMachine or CurrentUser ?

[cosmo0920]

So, maybe we need another parameter to specify the certstore is within LocalMachine or CurrentUser ?

Yes, we need to implement another parameter which specifies to read from LocalMachine located certstore.

[duj4]

@cosmo0920 May I know which version this enhancement will be added to?

[cosmo0920]

Hi, I wrote a patch to handle this:
#11200

With that patch, y'all can handle LocalMachine store located certs with Cert:\LocalMashine\<Store Name> or Cert:\HKLM\<Store Name>. Cert:\ prefix is not always needed. Just provided for consistency of PowerShell style of certstore locations.

[pkqsun]

Hi @cosmo0920, I will test it once a new release is published.

1>
BTW, does the combined usage of file path and certstore path allowed ?

outputs:
  - name: loki
    xxxx: xxxx
    tls.ca_file:  <path for local CA file>
    tls.windows.certstore_name:         CurrentUser\My
    tls.windows.client_thumbprints:     <specific thumbprint>
    xxxx: xxx

2>
Any plan to add another parameter to read cacert from certstore such as
tls.windows.ca_thumbprints: ?

[cosmo0920]

1> BTW, does the combined usage of file path and certstore path allowed ?

outputs:

• name: loki
  xxxx: xxxx
  tls.ca_file:
  tls.windows.certstore_name: CurrentUser\My
  tls.windows.client_thumbprints:
  xxxx: xxx

No, it doesn't.

2>
Any plan to add another parameter to read cacert from certstore such as
tls.windows.ca_thumbprints: ?

It shouldn't be possible to implement by Windows crypto API. This is because thumbprint selection feature is provided from Windows Crypto API for certificates. So, cacert API is not provided by Windows. And if we do, we need to handle it on OpenSSL side.