[openssl-dev] Windows system cert store

Richard Levitte levitte at openssl.org
Sun Jul 9 07:15:32 UTC 2017


In message <CAKH_Ld4faVY8v9RY=OdfZzukHt7APQz5mV_qmsbGgyDhheb1HA at mail.gmail.com> on Sat, 8 Jul 2017 23:22:28 -0400, Matthew Stickney <mtstickney at gmail.com> said:

mtstickney> Back in 2010, there was some discussion on this list of adding code to
mtstickney> load certificates from the system cert store on Windows by default,
mtstickney> since the default verification paths typically don't point to anything
mtstickney> (this was ticket #2158, which was ultimately rejected). I have some
mtstickney> interest in picking up where this was left off, but I'm a little out
mtstickney> of my depth and have some questions.
mtstickney> 
mtstickney> Last time around, the sticking point was certificate purposes: we
mtstickney> don't want to add a certificate that's only trusted for client
mtstickney> authentication as trusted for server authentication. I still need to
mtstickney> figure out how to extract purposes from the windows certs, but I'm
mtstickney> also having a hard time seeing how you'd set x509 purposes in openssl.
mtstickney> Where should I be looking?

I don't know the Windows cert API enough to know if there are
purpose settings outside of the cert itself, so I won't be able to
answer that.

However, in the cert itself, there may be an extension called Extended
Key Usage.  Have a look at RFC 5280, 4.2.1.12 [0] for more info on
them.  You set them like any other extension, when creating a cert.

Also, regarding retrieving arbitrary stuff (like certificates) from
arbitrary sources (such as the system cert store), I'd like to point
out the CAPI engine (engines/e_capi.c), which does have such
functionality (it's quite a hack, in the most positive sense of the
word), and to the recently added OSSL_STORE module (which was created
for exactly this sort of purpose).  The latter is still evolving, but
the base line is in place.

Cheers,
Richard

-----
[0] https://tools.ietf.org/html/rfc5280#section-4.2.1.12

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
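The purpose check the thread is circling around can be shown on the certificate's own Extended Key Usage extension (RFC 5280, 4.2.1.12). The following is an added example, not code from OpenSSL or from either poster: it decodes the DER extnValue of an EKU extension (a SEQUENCE OF OBJECT IDENTIFIER) with a small hand-written DER reader, maps the key-purpose OIDs to their RFC 5280 names, and applies the rule that matters for importing a system store: a certificate whose EKU lists only clientAuth must not be added as trusted for serverAuth, while a certificate with no EKU extension at all (represented here as `None`) or one carrying anyExtendedKeyUsage is usable for any purpose. The sample extension bytes are constructed inline; the function names (`decode_eku`, `allowed_for`, `purposes_of`) are this example's own.

```python
"""Decode an X.509 Extended Key Usage extension (RFC 5280 4.2.1.12) and
decide whether a certificate may be trusted for a given purpose.

Added example; the helper names are assumptions, not an OpenSSL API.
"""

# Key-purpose OIDs defined in RFC 5280 4.2.1.12 (id-kp arc 1.3.6.1.5.5.7.3)
# plus anyExtendedKeyUsage (id-ce-extKeyUsage.0).
KEY_PURPOSES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.8": "timeStamping",
    "1.3.6.1.5.5.7.3.9": "OCSPSigning",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
ANY_EKU = "2.5.29.37.0"


def _read_tlv(data, pos):
    """Read one DER tag-length-value at `pos`.

    Returns (tag, value_bytes, position after the element). Handles
    short-form and long-form lengths, which is all DER allows.
    """
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the contents octets of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    if first < 40:
        parts = [0, first]
    elif first < 80:
        parts = [1, first - 40]
    else:
        parts = [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128, high bit = continuation
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def decode_eku(ext_value):
    """Decode an EKU extnValue (DER SEQUENCE OF OID) into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(_decode_oid(v))
    return oids


def purposes_of(eku_oids):
    """Map decoded OIDs to RFC 5280 names; unknown OIDs are kept as dotted strings."""
    return [KEY_PURPOSES.get(oid, oid) for oid in eku_oids]


def allowed_for(eku_oids, purpose):
    """RFC 5280 rule: no EKU extension (None) means unrestricted; anyExtendedKeyUsage
    permits everything; otherwise the requested purpose must be listed explicitly."""
    if eku_oids is None or ANY_EKU in eku_oids:
        return True
    return purpose in purposes_of(eku_oids)


# Constructed sample extnValues (hand-encoded DER, not taken from a real certificate).
EKU_CLIENT_ONLY = bytes.fromhex("300a 0608 2b06010505070302")            # clientAuth only
EKU_SERVER_AND_CLIENT = bytes.fromhex(
    "3014 0608 2b06010505070301 0608 2b06010505070302")                  # serverAuth + clientAuth
EKU_ANY = bytes.fromhex("3006 0604 551d2500")                            # anyExtendedKeyUsage


if __name__ == "__main__":
    for label, ext in (("client-only", EKU_CLIENT_ONLY),
                       ("server+client", EKU_SERVER_AND_CLIENT),
                       ("any", EKU_ANY)):
        oids = decode_eku(ext)
        print(label, purposes_of(oids),
              "serverAuth ok" if allowed_for(oids, "serverAuth") else "NOT for serverAuth")
    print("no EKU extension:", "serverAuth ok" if allowed_for(None, "serverAuth") else "denied")
```

Only the explicit-EKU case is decided by the extension bytes; the absence of the extension is a separate input to `allowed_for`, which is why it is passed as `None` rather than as an empty list. On the Windows side, CryptoAPI's `CertGetEnhancedKeyUsage` reports a certificate's effective usage, combining the extension with any per-certificate usage property set in the store, so a store importer should consult that rather than the extension alone. In OpenSSL's own API the equivalent purpose check is `X509_check_purpose()` (for example with `X509_PURPOSE_SSL_SERVER`), which draws on the EKU bits exposed by `X509_get_extended_key_usage()`.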