
Conversation

cosmo0920 (Contributor) commented Nov 25, 2025

Fluent Bit will handle prefixes that should be compatible with the PowerShell Cert:/ prefix used by Get-Item and other cmdlets.

This patch introduces a flexible syntax to select Windows certificate store locations:

  • My → CurrentUser\My (legacy behavior)
  • CurrentUser\My, HKCU\My
  • LocalMachine\My, HKLM\My
  • LocalMachineEnterprise\My, HKLME\My
  • Cert:\LocalMachine\My (PowerShell style)

Key points:

  • Prefix has higher priority than tls.windows.use_enterprise_store

  • If no prefix is given, existing behavior remains unchanged

  • CertOpenSystemStoreA() is still used for CurrentUser for compatibility

  • CertOpenStore() is used for LocalMachine / Enterprise stores

This allows Fluent Bit to read certificates from any Windows CertStore location commonly used in enterprise environments, AD-managed hosts, or custom security deployments.

Fixes #11162.


Testing
Before we can approve your change, please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • New Features

    • Parse Windows certificate store location prefixes so configured store, resolved store name, and location are handled separately.
    • Respect explicit enterprise-store override when requested.
  • Bug Fixes

    • Preserve legacy behavior when no or unknown prefix is provided.
    • More robust opening of Windows certificate stores and clearer success/failure messages.


coderabbitai bot commented Nov 25, 2025

Walkthrough

Parses optional Windows certstore prefixes (e.g., "Root/My" or "Cert:\LocalMachine\My") into a resolved triplet (configured_name, store_name, store_location) and uses that to open the appropriate Windows certificate store when loading TLS certificates; preserves legacy behavior when no prefix is present unless enterprise override is requested.

Changes

Cohort: Windows certificate store resolution & loading
File(s): src/tls/openssl.c
Summary: Adds internal windows_resolve_certstore_location helper to parse certstore name prefixes and compute store_location and store_name. Replaces direct use of certstore_name with configured_name, store_name, and store_location in the Windows certificate loading flow. Uses CertOpenSystemStoreA for current-user stores and CertOpenStore for other locations. Preserves legacy handling when no explicit prefix is present and honors use_enterprise_store override. Updates log messages to reference configured_name.

Sequence Diagram(s)

sequenceDiagram
    participant Config as Configuration
    participant Resolver as windows_resolve_certstore_location
    participant Loader as Store Opening Logic
    participant WinAPI as Windows Cert APIs

    Config->>Resolver: certstore_name (e.g. "Root/My" or "Cert:\LocalMachine\My")
    activate Resolver
    Resolver->>Resolver: Parse -> configured_name, store_name, store_location
    Resolver-->>Loader: configured_name, store_name, store_location
    deactivate Resolver

    Loader->>Loader: Choose open method by store_location
    alt Current User
        Loader->>WinAPI: CertOpenSystemStoreA(store_name)
    else Other Location
        Loader->>WinAPI: CertOpenStore(store_location, store_name)
    end
    WinAPI-->>Loader: Cert store handle / error
    Loader->>Loader: Enumerate certificates / match thumbprints
    note right of Loader `#DDEEFF`: Logs reference configured_name in messages

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review parsing edge cases for separators and optional "Cert:" prefix.
  • Verify prefix-to-location mapping and enterprise-store override behavior.
  • Confirm correct choice between CertOpenSystemStoreA and CertOpenStore and resource cleanup.
  • Check updated log messages and backward-compatibility when prefix is absent.

Suggested reviewers

  • edsiper
  • fujimotos

Poem

🐰 I sniff the paths where secret certs abide,

From Root to My, through LocalMachine wide.
I hop, I parse, the thumbprints I align,
Old ways stay safe, new routes now shine.
A tiny rabbit cheers — certificates found!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 33.33%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

  • Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: The PR title accurately summarizes the main change: implementing flexible certstore loading on Windows with support for various prefix syntaxes to select different certificate store locations.
  • Linked Issues check ✅ Passed: The implementation addresses the core issue #11162 by enabling loading client TLS certificates from certstore locations other than Root (e.g., My) through flexible prefix syntax and store_location resolution.
  • Out of Scope Changes check ✅ Passed: All changes in src/tls/openssl.c are directly related to implementing flexible certstore loading; no unrelated modifications detected.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between ef28bf3 and 60a6f5d.

📒 Files selected for processing (1)
  • src/tls/openssl.c (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/tls/openssl.c


With this patch, we can load certificates from Windows CertStore as:

 *   My                        -> no prefix, leave location untouched
 *   CurrentUser\My            -> CERT_SYSTEM_STORE_CURRENT_USER, "My"
 *   HKCU\My                   -> CERT_SYSTEM_STORE_CURRENT_USER, "My"
 *   LocalMachine\My           -> CERT_SYSTEM_STORE_LOCAL_MACHINE, "My"
 *   HKLM\My                   -> CERT_SYSTEM_STORE_LOCAL_MACHINE, "My"
 *   LocalMachineEnterprise\My -> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, "My"
 *   HKLME\My                  -> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, "My"

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
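The prefix grammar laid out in the PR description above and repeated in the commit message just above, worked through as an added example in C. This is not code from src/tls/openssl.c or from the PR: the function names resolve_certstore_location and select_store_location, the struct certstore_location, and the handling of an unrecognised prefix (passed through unchanged, following the summary's "legacy behavior" note) are assumptions of this example, as is the choice of CurrentUser as the legacy default when no prefix is given and use_enterprise_store is off. The CERT_SYSTEM_STORE_* values are the ones from wincrypt.h, reproduced so the parser builds and runs on any platform; actually opening the store with CertOpenSystemStoreA or CertOpenStore is left to the Windows-only code the PR modifies.

```c
/* Added example, not Fluent Bit code: resolve a Windows certstore location
 * prefix the way the PR describes. Names and struct layout are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp; use _strnicmp on MSVC */
#include <stdint.h>

/* Flag values from wincrypt.h (location ID << CERT_SYSTEM_STORE_LOCATION_SHIFT),
 * reproduced here so the resolver compiles off-Windows. */
#define CERT_SYSTEM_STORE_CURRENT_USER             0x00010000u
#define CERT_SYSTEM_STORE_LOCAL_MACHINE            0x00020000u
#define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE 0x00090000u

struct certstore_location {
    const char *configured_name; /* original config value, for log messages */
    const char *store_name;      /* e.g. "My", "Root" (points into configured_name) */
    uint32_t    location;        /* CERT_SYSTEM_STORE_* flag, 0 when no prefix */
    int         has_prefix;      /* 1 when a recognised prefix was given */
};

static const struct {
    const char *alias;
    uint32_t    location;
} prefix_table[] = {
    { "CurrentUser",            CERT_SYSTEM_STORE_CURRENT_USER },
    { "HKCU",                   CERT_SYSTEM_STORE_CURRENT_USER },
    { "LocalMachine",           CERT_SYSTEM_STORE_LOCAL_MACHINE },
    { "HKLM",                   CERT_SYSTEM_STORE_LOCAL_MACHINE },
    { "LocalMachineEnterprise", CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE },
    { "HKLME",                  CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE },
};

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Returns 0 on success, -1 for an empty value or a prefix with no store name. */
int resolve_certstore_location(const char *configured, struct certstore_location *out)
{
    const char *p, *sep, *name;
    size_t prefix_len, i;

    memset(out, 0, sizeof(*out));
    if (configured == NULL || *configured == '\0') {
        return -1;
    }
    out->configured_name = configured;
    p = configured;

    /* Optional PowerShell drive prefix: "Cert:\" or "Cert:/" */
    if (strncasecmp(p, "Cert:", 5) == 0) {
        p += 5;
        while (is_sep(*p)) p++;
    }

    sep = strpbrk(p, "\\/");
    if (sep == NULL) {
        /* No prefix ("My"): legacy behaviour, the caller picks the location */
        if (*p == '\0') return -1;
        out->store_name = p;
        return 0;
    }

    prefix_len = (size_t) (sep - p);
    name = sep + 1;
    while (is_sep(*name)) name++;
    if (*name == '\0') {
        return -1;  /* e.g. "HKLM\" without a store name */
    }

    for (i = 0; i < sizeof(prefix_table) / sizeof(prefix_table[0]); i++) {
        if (strlen(prefix_table[i].alias) == prefix_len &&
            strncasecmp(p, prefix_table[i].alias, prefix_len) == 0) {
            out->store_name = name;
            out->location   = prefix_table[i].location;
            out->has_prefix = 1;
            return 0;
        }
    }

    /* Unknown prefix: assumed legacy behaviour, pass the value through unchanged */
    out->store_name = p;
    return 0;
}

/* An explicit prefix wins over use_enterprise_store; without a prefix the option
 * selects the enterprise store, and the assumed legacy default is CurrentUser. */
uint32_t select_store_location(const struct certstore_location *loc, int use_enterprise_store)
{
    if (loc->has_prefix) {
        return loc->location;
    }
    return use_enterprise_store ? CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
                                : CERT_SYSTEM_STORE_CURRENT_USER;
}

int main(void)
{
    /* Constructed sample config values */
    const char *samples[] = { "My", "Cert:\\LocalMachine\\My", "HKLME/Root", "hkcu\\My", "Bogus\\My", "HKLM\\" };
    struct certstore_location loc;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (resolve_certstore_location(samples[i], &loc) != 0) {
            printf("%-24s -> rejected\n", samples[i]);
            continue;
        }
        printf("%-24s -> location 0x%08x, store \"%s\"\n", samples[i],
               select_store_location(&loc, 0), loc.store_name);
    }
    return 0;
}
```

Separators are accepted in either direction and prefixes are matched case-insensitively, mirroring how PowerShell's Cert: drive treats them; a prefix with an empty store name is rejected outright rather than silently opening a default store.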

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between f4108db and ef28bf3.

📒 Files selected for processing (1)
  • src/tls/openssl.c (5 hunks)
🔇 Additional comments (3)
src/tls/openssl.c (3)

436-449: LGTM!

The conditional store opening logic correctly uses CertOpenSystemStoreA for current user (preserving legacy behavior) and CertOpenStore with the appropriate location flags for machine and enterprise stores. Error handling is in place at lines 451-454.


504-507: LGTM!

Using configured_name in log messages provides better context for users debugging certificate loading issues, as it shows the original configuration value.


305-319: Good design for flexible certstore location parsing.

The function handles multiple syntaxes (PowerShell style, abbreviated prefixes, both separators) and maintains backward compatibility for unrecognized inputs. The documentation in the comment block clearly explains the supported formats.

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

Development

Successfully merging this pull request may close these issues:

  • Feedback for v4.2.0 regarding function of loading TLS cert from Windows Certstore

3 participants