tls: improve windows system certificates load debug information (#9533)

niedbalski · Jorge Niedbalski · web-flow · commit cf85f890ee38 · 2024-10-29T11:21:49.000+01:00
gives detailed information on the cause of the failure when
loading system certificates.

Signed-off-by: Jorge Niedbalski &lt;jorge.niedbalski@chronosphere.io&gt;
Co-authored-by: Jorge Niedbalski &lt;jorge.niedbalski@chronosphere.io&gt;
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -241,18 +241,28 @@ static int windows_load_system_certificates(struct tls_context *ctx)
 {
     int ret;
     HANDLE win_store;
+    unsigned long err;
     PCCERT_CONTEXT win_cert = NULL;
     const unsigned char *win_cert_data;
     X509_STORE *ossl_store = SSL_CTX_get_cert_store(ctx->ctx);
     X509 *ossl_cert;
 
+    /* Check if OpenSSL certificate store is available */
+    if (!ossl_store) {
+        flb_error("[tls] failed to retrieve openssl certificate store.");
+        return -1;
+    }
+
+    /* Open the Windows system certificate store */
     win_store = CertOpenSystemStoreA(0, "Root");
     if (win_store == NULL) {
-        flb_error("[tls] Cannot open cert store: %i", GetLastError());
+        flb_error("[tls] cannot open windows certificate store: %lu", GetLastError());
         return -1;
     }
 
-    while (win_cert = CertEnumCertificatesInStore(win_store, win_cert)) {
+    /* Iterate over certificates in the store */
+    while ((win_cert = CertEnumCertificatesInStore(win_store, win_cert)) != NULL) {
+        /* Check if the certificate is encoded in ASN.1 DER format */
         if (win_cert->dwCertEncodingType & X509_ASN_ENCODING) {
             /*
              * Decode the certificate into X509 struct.
@@ -262,25 +272,42 @@ static int windows_load_system_certificates(struct tls_context *ctx)
              */
             win_cert_data = win_cert->pbCertEncoded;
             ossl_cert = d2i_X509(NULL, &win_cert_data, win_cert->cbCertEncoded);
+
             if (!ossl_cert) {
-                flb_debug("[tls] Cannot parse a certificate. skipping...");
+                flb_debug("[tls] cannot parse a certificate, error code: %lu, skipping...", ERR_get_error());
                 continue;
             }
 
             /* Add X509 struct to the openssl cert store */
             ret = X509_STORE_add_cert(ossl_store, ossl_cert);
             if (!ret) {
-                flb_warn("[tls] Failed to add a certificate to the store: %lu: %s",
-                         ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+                err = ERR_get_error();
+                if (err == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+                    flb_debug("[tls] certificate already exists in the store, skipping.");
+                }
+                else {
+                    flb_warn("[tls] failed to add certificate to openssl store. error code: %lu - %s",
+                             err, ERR_error_string(err, NULL));
+                }
             }
             X509_free(ossl_cert);
         }
     }
 
+    /* Check for errors during enumeration */
+    if (GetLastError() != CRYPT_E_NOT_FOUND) {
+        flb_error("[tls] error occurred while enumerating certificates: %lu", GetLastError());
+        CertCloseStore(win_store, 0);
+        return -1;
+    }
+
+    /* Close the Windows system certificate store */
     if (!CertCloseStore(win_store, 0)) {
-        flb_error("[tls] Cannot close cert store: %i", GetLastError());
+        flb_error("[tls] cannot close windows certificate store: %lu", GetLastError());
         return -1;
     }
+
+    flb_debug("[tls] successfully loaded certificates from windows system store.");
     return 0;
 }
 #endif
