From: Timo Rothenpieler
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 6 Jul 2025 20:36:28 +0200
Message-ID: <20250706183634.38579-8-timo@rothenpieler.org>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250706183634.38579-1-timo@rothenpieler.org>
References: <20250706183634.38579-1-timo@rothenpieler.org>
Subject: [FFmpeg-devel] [PATCH v2 7/8] avformat/tls_schannel: add option to load server certificate from store
Cc: Timo Rothenpieler

---
 libavformat/tls_schannel.c | 47 ++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 7 deletions(-)

diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c
index b985576b72..90d5765a80 100644
--- a/libavformat/tls_schannel.c
+++ b/libavformat/tls_schannel.c
@@ -502,6 +502,32 @@ end: return ret; } +static int tls_cert_from_store(void *logctx, const char *cert_store_name, const char *cert_subj, PCCERT_CONTEXT *crtctx) +{ + HCERTSTORE cert_store = NULL; + int ret = 0; + + cert_store = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, cert_store_name); + if (!cert_store) { + av_log(logctx, AV_LOG_ERROR, "Opening user cert store %s failed\n", cert_store_name); + ret = AVERROR_EXTERNAL; + goto end; + } + + *crtctx = CertFindCertificateInStore(cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR_A, cert_subj, NULL); + if (!*crtctx) { + av_log(logctx, AV_LOG_ERROR, "Could not find certificate in store\n"); + ret = AVERROR_EXTERNAL; + goto end; + } + +end: + if (cert_store) + CertCloseStore(cert_store, 0); + + return ret; +} + static int tls_load_key_cert(char *key_url, char *cert_url, NCRYPT_KEY_HANDLE *key, PCCERT_CONTEXT *crtctx) { AVBPrint key_bp, cert_bp; @@ -561,6 +587,9 @@ typedef struct TLSContext { const AVClass *class; TLSShared tls_shared; + char *cert_store_subject; + char *cert_store_name; + CredHandle cred_handle; TimeStamp cred_timestamp; 
@@ -1047,21 +1076,20 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op schannel_cred.dwVersion = SCHANNEL_CRED_VERSION; if (s->listen) { - if (s->key_buf && s->cert_buf) { + if (c->cert_store_name && c->cert_store_subject) { + ret = tls_cert_from_store(h, c->cert_store_name, c->cert_store_subject, &crtctx); + } else if (s->key_buf && s->cert_buf) { ret = tls_import_key_cert(s->key_buf, s->cert_buf, &key, &crtctx); - if (ret < 0) - goto fail; } else if (s->key_file && s->cert_file) { ret = tls_load_key_cert(s->key_file, s->cert_file, &key, &crtctx); - if (ret < 0) - goto fail; } else { av_log(h, AV_LOG_VERBOSE, "No server certificate provided, using self-signed\n"); ret = tls_gen_self_signed(&key, &crtctx); - if (ret < 0) - goto fail; } + if (ret < 0) + goto fail; + schannel_cred.cCreds = 1; schannel_cred.paCred = &crtctx; @@ -1353,8 +1381,13 @@ static int tls_get_short_seek(URLContext *h) return ffurl_get_short_seek(s->is_dtls ? s->udp : s->tcp); } +#define OFFSET(x) offsetof(TLSContext, x) static const AVOption options[] = { TLS_COMMON_OPTIONS(TLSContext, tls_shared), + { "cert_store_subject", "Load certificate (and associated key) from users keystore by subject", + OFFSET(cert_store_subject), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, + { "cert_store_name", "Name of the specific cert store to search in (for cert_store_subject)", + OFFSET(cert_store_name), AV_OPT_TYPE_STRING, { .str = "MY" }, .flags = TLS_OPTFL }, { NULL } }; -- 2.49.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
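Review bot: in the @@ -502 hunk, CERT_FIND_SUBJECT_STR_A performs a case-insensitive substring match on the certificate subject, so a subject of "example" also matches "example.com" or "test.example.org", and CertFindCertificateInStore silently returns whichever matching certificate it encounters first; consider continuing the search with the returned context as pPrevCertContext and failing (or at least logging the selected subject at AV_LOG_VERBOSE) when more than one certificate matches, so the wrong server certificate and key are not picked unnoticed. The store is also opened with dwFlags 0, which lets CertOpenStore create a store of that name when it does not exist; CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG is the safer choice for a pure lookup. Finally, "Could not find certificate in store\n" should include cert_subj and cert_store_name so the failure is actionable.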
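Review bot: in the @@ -1047 hunk, the store lookup now takes precedence over key_buf/cert_buf and key_file/cert_file without any indication when several sources are configured; logging which source was chosen (the self-signed branch already does this at AV_LOG_VERBOSE) or rejecting conflicting options would avoid a silent mismatch between the PEM files the user configured and the certificate actually presented. The store branch also leaves `key` untouched and relies on the private key being reachable through the certificate context, and the PCCERT_CONTEXT it returns must be released with CertFreeCertificateContext; please confirm the fail/close path releases crtctx for this branch as it does for the imported and generated ones, since that cleanup lies outside this hunk.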
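Review bot: in the @@ -1353 hunk, the two new options are undocumented: the diffstat touches only libavformat/tls_schannel.c, so doc/protocols.texi needs entries for cert_store_subject and cert_store_name, stating that the subject is matched as a case-insensitive substring and that the default is the current user's "MY" store. The description "Load certificate (and associated key) from users keystore by subject" should read "user's certificate store". Also confirm OFFSET is not already defined earlier in this file (TLS_COMMON_OPTIONS(TLSContext, tls_shared) takes the struct name directly, which suggests it is not), since the unguarded #define would otherwise cause a redefinition warning.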