output: Handle to load certificates with their thumbprints

cosmo0920 · cosmo0920 · commit aa67c4183df5 · 2025-10-10T19:02:04.000+09:00
Signed-off-by: Hiroshi Hatake &lt;hiroshi@chronosphere.io&gt;
diff --git a/include/fluent-bit/flb_output.h b/include/fluent-bit/flb_output.h
@@ -374,6 +374,7 @@ struct flb_output_instance {
 # if defined(FLB_SYSTEM_WINDOWS)
     char *tls_win_certstore_name;            /* CertStore Name (Windows) */
     int tls_win_use_enterprise_certstore;    /* Use enterprise CertStore */
+    char *tls_win_thumbprints;               /* CertStore Thumbprints (Windows) */
 # endif
 #endif
 
diff --git a/src/flb_output.c b/src/flb_output.c
@@ -98,6 +98,11 @@ struct flb_config_map output_global_properties[] = {
         0, FLB_FALSE, 0,
         "Sets whether using enterprise certstore or not on an output (Windows)"
     },
+    {
+        FLB_CONFIG_MAP_STR, "tls.windows.ca_thumbprints", NULL,
+        0, FLB_FALSE, 0,
+        "Comma-separated list of certificate thumbprints (SHA1/SHA256) to trust from the Windows store (Windows)"
+    },
 
     {0}
 };
@@ -193,6 +198,9 @@ static void flb_output_free_properties(struct flb_output_instance *ins)
     if (ins->tls_win_certstore_name) {
         flb_sds_destroy(ins->tls_win_certstore_name);
     }
+    if (ins->tls_win_thumbprints) {
+        flb_sds_destroy(ins->tls_win_thumbprints);
+    }
 # endif
 #endif
 }
@@ -774,6 +782,7 @@ struct flb_output_instance *flb_output_new(struct flb_config *config,
 # if defined(FLB_SYSTEM_WINDOWS)
     instance->tls_win_certstore_name = NULL;
     instance->tls_win_use_enterprise_certstore = FLB_FALSE;
+    instance->tls_win_thumbprints = NULL;
 # endif
 #endif
 
@@ -1007,6 +1016,9 @@ int flb_output_set_property(struct flb_output_instance *ins,
         ins->tls_win_use_enterprise_certstore = flb_utils_bool(tmp);
         flb_sds_destroy(tmp);
     }
+    else if (prop_key_check("tls.windows.ca_thumbprints", k, len) == 0 && tmp) {
+        flb_utils_set_plugin_string_property("tls.windows.ca_thumbprints", &ins->tls_win_thumbprints, tmp);
+    }
 #  endif
 #endif
     else if (prop_key_check("storage.total_limit_size", k, len) == 0 && tmp) {
@@ -1421,6 +1433,16 @@ int flb_output_init_all(struct flb_config *config)
                 }
             }
 
+            if (ins->tls_win_thumbprints) {
+                ret = flb_tls_set_ca_thumbprints(ins->tls, ins->tls_win_thumbprints);
+                if (ret == -1) {
+                    flb_error("[input %s] error set up to use thumbprints of certificates in TLS context",
+                              ins->name);
+
+                    return -1;
+                }
+            }
+
             if (ins->tls_win_certstore_name) {
                 flb_debug("[output %s] starting to load %s certstore in TLS context",
                           ins->name, ins->tls_win_certstore_name);
