[openssl-dev] Windows system cert store
Richard Levitte
levitte at openssl.org
Sun Jul 9 07:15:32 UTC 2017
In message <CAKH_Ld4faVY8v9RY=OdfZzukHt7APQz5mV_qmsbGgyDhheb1HA at mail.gmail.com> on Sat, 8 Jul 2017 23:22:28 -0400, Matthew Stickney <mtstickney at gmail.com> said:
mtstickney> Back in 2010, there was some discussion on this list of adding code to
mtstickney> load certificates from the system cert store on Windows by default,
mtstickney> since the default verification paths typically don't point to anything
mtstickney> (this was ticket #2158, which was ultimately rejected). I have some
mtstickney> interest in picking up where this was left off, but I'm a little out
mtstickney> of my depth and have some questions.
mtstickney>
mtstickney> Last time around, the sticking point was certificate purposes: we
mtstickney> don't want to add a certificate that's only trusted for client
mtstickney> authentication as trusted for server authentication. I still need to
mtstickney> figure out how to extract purposes from the Windows certs, but I'm
mtstickney> also having a hard time seeing how you'd set x509 purposes in openssl.
mtstickney> Where should I be looking?
I don't know the Windows cert API well enough to know if there are
purpose settings outside of the cert itself, so I won't be able to
answer that.
However, in the cert itself, there may be an extension called Extended
Key Usage. Have a look at RFC 5280, 4.2.1.12 [0] for more info on
them. You set them like any other extension, when creating a cert.
Also, regarding retrieving arbitrary stuff (like certificates) from
arbitrary sources (such as the system cert store), I'd like to point
out the CAPI engine (engines/e_capi.c), which does have such
functionality (it's quite a hack, in the most positive sense of the
word), and to the recently added OSSL_STORE module (which was created
for exactly this sort of purpose). The latter is still evolving, but
the base line is in place.
Cheers,
Richard
-----
[0] https://tools.ietf.org/html/rfc5280#section-4.2.1.12
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/