From 39e8c077d439720a1633167584190561ef08ad17 Mon Sep 17 00:00:00 2001 From: akallabeth Date: Tue, 20 Aug 2024 10:58:06 +0200 Subject: [PATCH] [client,sdl] improve VerifyCertificate message * Use FreeRDP_CertificateCallbackPreferPEM for callbacks * Add notBefore and notAfter dates to callback messages --- client/SDL/SDL2/dialogs/sdl_dialogs.cpp | 48 ++++++++++++++----------- client/SDL/SDL2/sdl_freerdp.cpp | 3 ++ client/SDL/SDL3/dialogs/sdl_dialogs.cpp | 48 ++++++++++++++----------- client/SDL/SDL3/sdl_freerdp.cpp | 3 ++ 4 files changed, 60 insertions(+), 42 deletions(-) diff --git a/client/SDL/SDL2/dialogs/sdl_dialogs.cpp b/client/SDL/SDL2/dialogs/sdl_dialogs.cpp index 6db8ff2b6..2d535dbbb 100644 --- a/client/SDL/SDL2/dialogs/sdl_dialogs.cpp +++ b/client/SDL/SDL2/dialogs/sdl_dialogs.cpp @@ -329,6 +329,30 @@ static DWORD sdl_show_ceritifcate_dialog(rdpContext* context, const char* title, return static_cast(event.user.code); } +static char* sdl_pem_cert(const char* pem) +{ + rdpCertificate* cert = freerdp_certificate_new_from_pem(pem); + if (!cert) + return NULL; + + char* fp = freerdp_certificate_get_fingerprint(cert); + char* start = freerdp_certificate_get_validity(cert, TRUE); + char* end = freerdp_certificate_get_validity(cert, FALSE); + freerdp_certificate_free(cert); + + char* str = NULL; + size_t slen = 0; + winpr_asprintf(&str, &slen, + "\tValid from: %s\n" + "\tValid to: %s\n" + "\tThumbprint: %s\n", + start, end, fp); + free(fp); + free(start); + free(end); + return str; +} + DWORD sdl_verify_changed_certificate_ex(freerdp* instance, const char* host, UINT16 port, const char* common_name, const char* subject, const char* issuer, const char* new_fingerprint, 
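Review bot: In `sdl_pem_cert`, `fp`, `start` and `end` are handed to `%s` with no NULL check; `freerdp_certificate_get_fingerprint` and `freerdp_certificate_get_validity` return heap-allocated strings and can presumably return NULL (at least on allocation failure), which makes the `winpr_asprintf` call undefined behaviour and on common libcs puts `(null)` into the very text the user is asked to trust. Guard the format call with `if (fp && start && end)` so the helper returns NULL, the same outcome the existing `if (!cert)` path already produces, instead of a half-bogus description. The return value of `winpr_asprintf` is also unchecked, which is only acceptable because `str` stays NULL on failure; a header comment such as `/* Returns a malloc'd summary of the PEM certificate, or NULL if it cannot be parsed or formatted; caller frees. */` would make that contract explicit for the three callers. The identical helper is added to the SDL3 copy of this file, so both copies need the same change.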
@@ -348,13 +372,7 @@ DWORD sdl_verify_changed_certificate_ex(freerdp* instance, const char* host, UIN char* new_fp_str = nullptr; size_t len = 0; if (flags & VERIFY_CERT_FLAG_FP_IS_PEM) - { - winpr_asprintf(&new_fp_str, &len, - "----------- Certificate --------------\n" - "%s\n" - "--------------------------------------\n", - new_fingerprint); - } + new_fp_str = sdl_pem_cert(new_fingerprint); else winpr_asprintf(&new_fp_str, &len, "Thumbprint: %s\n", new_fingerprint); @@ -364,13 +382,7 @@ DWORD sdl_verify_changed_certificate_ex(freerdp* instance, const char* host, UIN char* old_fp_str = nullptr; size_t olen = 0; if (flags & VERIFY_CERT_FLAG_FP_IS_PEM) - { - winpr_asprintf(&old_fp_str, &olen, - "----------- Certificate --------------\n" - "%s\n" - "--------------------------------------\n", - old_fingerprint); - } + old_fp_str = sdl_pem_cert(old_fingerprint); else winpr_asprintf(&old_fp_str, &olen, "Thumbprint: %s\n", old_fingerprint); @@ -431,13 +443,7 @@ DWORD sdl_verify_certificate_ex(freerdp* instance, const char* host, UINT16 port char* fp_str = nullptr; size_t len = 0; if (flags & VERIFY_CERT_FLAG_FP_IS_PEM) - { - winpr_asprintf(&fp_str, &len, - "----------- Certificate --------------\n" - "%s\n" - "--------------------------------------\n", - fingerprint); - } + fp_str = sdl_pem_cert(fingerprint); else winpr_asprintf(&fp_str, &len, "Thumbprint: %s\n", fingerprint); diff --git a/client/SDL/SDL2/sdl_freerdp.cpp b/client/SDL/SDL2/sdl_freerdp.cpp index 10b00e0d7..20e4abee3 100644 --- a/client/SDL/SDL2/sdl_freerdp.cpp +++ b/client/SDL/SDL2/sdl_freerdp.cpp @@ -573,6 +573,9 @@ static BOOL sdl_pre_connect(freerdp* instance) auto settings = instance->context->settings; WINPR_ASSERT(settings); + if (!freerdp_settings_set_bool(settings, FreeRDP_CertificateCallbackPreferPEM, TRUE)) + return FALSE; + /* Optional OS identifier sent to server */ if (!freerdp_settings_set_uint32(settings, FreeRDP_OsMajorType, OSMAJORTYPE_UNIX)) return FALSE; 
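Review bot: `new_fp_str = sdl_pem_cert(new_fingerprint);` can now leave `new_fp_str` NULL when the server-supplied PEM does not parse, whereas the removed branch always produced a string (a verbatim dump of the PEM); the code that builds the dialog text from `new_fp_str` lies below the hunk and, unless it already checks for NULL, will either pass NULL to `%s` or show an empty certificate block while still asking the user to accept. Since this dialog is the user's only basis for trusting an unknown or changed certificate, a parse failure should be visible rather than silent, e.g. `if (!new_fp_str) winpr_asprintf(&new_fp_str, &len, "\t(certificate could not be parsed)\n%s\n", new_fingerprint);`. The same applies to the `old_fp_str` and `fp_str` assignments in the following two hunks. `sdl_verify_changed_certificate_ex` starts and ends outside this hunk.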
diff --git a/client/SDL/SDL3/dialogs/sdl_dialogs.cpp b/client/SDL/SDL3/dialogs/sdl_dialogs.cpp index b1c5a224e..522d58c39 100644 --- a/client/SDL/SDL3/dialogs/sdl_dialogs.cpp +++ b/client/SDL/SDL3/dialogs/sdl_dialogs.cpp @@ -327,6 +327,30 @@ static DWORD sdl_show_ceritifcate_dialog(rdpContext* context, const char* title, return static_cast(event.user.code); } +static char* sdl_pem_cert(const char* pem) +{ + rdpCertificate* cert = freerdp_certificate_new_from_pem(pem); + if (!cert) + return NULL; + + char* fp = freerdp_certificate_get_fingerprint(cert); + char* start = freerdp_certificate_get_validity(cert, TRUE); + char* end = freerdp_certificate_get_validity(cert, FALSE); + freerdp_certificate_free(cert); + + char* str = NULL; + size_t slen = 0; + winpr_asprintf(&str, &slen, + "\tValid from: %s\n" + "\tValid to: %s\n" + "\tThumbprint: %s\n", + start, end, fp); + free(fp); + free(start); + free(end); + return str; +} + DWORD sdl_verify_changed_certificate_ex(freerdp* instance, const char* host, UINT16 port, const char* common_name, const char* subject, const char* issuer, const char* new_fingerprint, @@ -346,13 +370,7 @@ DWORD sdl_verify_changed_certificate_ex(freerdp* instance, const char* host, UIN char* new_fp_str = nullptr; size_t len = 0; if (flags & VERIFY_CERT_FLAG_FP_IS_PEM) - { - winpr_asprintf(&new_fp_str, &len, - "----------- Certificate --------------\n" - "%s\n" - "--------------------------------------\n", - new_fingerprint); - } + new_fp_str = sdl_pem_cert(new_fingerprint); else winpr_asprintf(&new_fp_str, &len, "Thumbprint: %s\n", new_fingerprint); 
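Review bot: This SDL3 `sdl_pem_cert` is byte-for-byte the SDL2 helper and carries the same gap: `start`, `end` and `fp` go into `winpr_asprintf` unchecked, so a NULL from `freerdp_certificate_get_validity` or `freerdp_certificate_get_fingerprint` (presumably possible at least on allocation failure) is undefined behaviour and may render as `(null)` in the trust prompt. Wrap the format call in `if (fp && start && end)` so the function returns NULL on any partial failure, matching the `!cert` early return, and document that contract in a comment above the function since three call sites depend on it. If the SDL client has a location shared by the SDL2 and SDL3 trees, moving the helper there would avoid fixing it twice.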
@@ -362,13 +380,7 @@ DWORD sdl_verify_changed_certificate_ex(freerdp* instance, const char* host, UIN char* old_fp_str = nullptr; size_t olen = 0; if (flags & VERIFY_CERT_FLAG_FP_IS_PEM) - { - winpr_asprintf(&old_fp_str, &olen, - "----------- Certificate --------------\n" - "%s\n" - "--------------------------------------\n", - old_fingerprint); - } + old_fp_str = sdl_pem_cert(old_fingerprint); else winpr_asprintf(&old_fp_str, &olen, "Thumbprint: %s\n", old_fingerprint); @@ -429,13 +441,7 @@ DWORD sdl_verify_certificate_ex(freerdp* instance, const char* host, UINT16 port char* fp_str = nullptr; size_t len = 0; if (flags & VERIFY_CERT_FLAG_FP_IS_PEM) - { - winpr_asprintf(&fp_str, &len, - "----------- Certificate --------------\n" - "%s\n" - "--------------------------------------\n", - fingerprint); - } + fp_str = sdl_pem_cert(fingerprint); else winpr_asprintf(&fp_str, &len, "Thumbprint: %s\n", fingerprint); diff --git a/client/SDL/SDL3/sdl_freerdp.cpp b/client/SDL/SDL3/sdl_freerdp.cpp index 6252bc6eb..3828bc14d 100644 --- a/client/SDL/SDL3/sdl_freerdp.cpp +++ b/client/SDL/SDL3/sdl_freerdp.cpp @@ -571,6 +571,9 @@ static BOOL sdl_pre_connect(freerdp* instance) auto settings = instance->context->settings; WINPR_ASSERT(settings); + if (!freerdp_settings_set_bool(settings, FreeRDP_CertificateCallbackPreferPEM, TRUE)) + return FALSE; + /* Optional OS identifier sent to server */ if (!freerdp_settings_set_uint32(settings, FreeRDP_OsMajorType, OSMAJORTYPE_UNIX)) return FALSE;
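Review bot: `old_fp_str = sdl_pem_cert(old_fingerprint);` trades the previous always-present PEM dump for a pointer that is NULL whenever the stored or received PEM fails to parse, and nothing in this hunk handles that; the consumer of `old_fp_str` is below the hunk, so unless it checks for NULL the changed-certificate dialog will pass NULL to `%s` or present an empty "old certificate" block. For a prompt whose purpose is to let the user compare old and new certificates, an explicit fallback is safer, e.g. `if (!old_fp_str) winpr_asprintf(&old_fp_str, &olen, "\t(certificate could not be parsed)\n%s\n", old_fingerprint);`. The same pattern recurs for `new_fp_str` in the preceding hunk and `fp_str` in the following one. `sdl_verify_changed_certificate_ex` begins and ends outside this hunk.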