[openssl-dev] Windows system cert store

Brad House brad at monetra.com
Sun Jul 9 10:13:10 UTC 2017


On 7/8/17 11:22 PM, Matthew Stickney wrote:
> Back in 2010, there was some discussion on this list of adding code to
> load certificates from the system cert store on Windows by default,
> since the default verification paths typically don't point to anything
> (this was ticket #2158, which was ultimately rejected). I have some
> interest in picking up where this was left off, but I'm a little out
> of my depth and have some questions.
> 
> Last time around, the sticking point was certificate purposes: we
> don't want to add a certificate that's only trusted for client
> authentication as trusted for server authentication. I still need to
> figure out how to extract purposes from the windows certs, but I'm
> also having a hard time seeing how you'd set x509 purposes in openssl.
> Where should I be looking?
> 
> -Matt Stickney


I remember seeing that discussion. I'm not sure if additional certificate
validation is necessary if you're just enumerating the ROOT certificate
store in Windows.

Here's the code we use; obviously it would be good to know if this isn't
correct for some reason from a security perspective:

#include <windows.h>
#include <wincrypt.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/err.h>

/* Import every certificate in the Windows "ROOT" system store into the SSL_CTX's
 * X509_STORE. Returns 1 if at least one certificate was added, 0 otherwise. */
int SSL_CTX_load_os_trust(SSL_CTX *ctx)
{
	HCERTSTORE     hStore;
	PCCERT_CONTEXT pContext = NULL;
	X509_STORE    *store;
	size_t         count    = 0;

	if (ctx == NULL)
		return 0;

	/* The A variant matches the narrow "ROOT" literal even when UNICODE is defined. */
	hStore = CertOpenSystemStoreA(0, "ROOT");
	if (hStore == NULL)
		return 0;

	store = SSL_CTX_get_cert_store(ctx);

	/* CertEnumCertificatesInStore frees the context passed in and returns the
	 * next one; after the last certificate it returns NULL, so nothing is leaked. */
	while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
		/* d2i_X509 advances the pointer it is handed, so decode from a local copy
		 * rather than from the (const) CERT_CONTEXT field itself. */
		const unsigned char *p = pContext->pbCertEncoded;
		X509 *x509 = d2i_X509(NULL, &p, (long)pContext->cbCertEncoded);

		if (x509) {
			if (X509_STORE_add_cert(store, x509))
				count++;
			else
				ERR_clear_error(); /* older OpenSSL reports a duplicate as a failure; don't leave it queued */
			X509_free(x509);
		}
	}

	CertCloseStore(hStore, 0);

	return count > 0;
}
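The question raised above is how a root's Windows purposes could be read and carried over into OpenSSL. The following is an added example, not Brad's code and not OpenSSL's; it is only a sketch of one way to do it. It assumes the documented behaviour of the Win32 CertGetEnhancedKeyUsage() call (no EKU extension or property at all means "valid for every purpose", an empty list means "valid for none", otherwise the list must contain id-kp-serverAuth, 1.3.6.1.5.5.7.3.1) and uses OpenSSL's X509_add1_trust_object() to record the server-auth purpose in the root's aux trust settings, so the store trusts it for server authentication only. The function names root_usable_for_server_auth, win_cert_usable_for_server_auth and SSL_CTX_load_os_trust_server_auth are mine, and the sample EKU lists are constructed for the demo. The Win32/OpenSSL glue is compiled only under _WIN32 so the decision logic can be built and checked on any platform. Two caveats a practitioner should keep in mind: the "Disallowed" store (explicitly untrusted certificates) is not consulted here, and because the roots are tagged for server authentication only, the resulting store is not suitable for verifying client certificates.

```c
/* Added example, not code from the thread or from OpenSSL: import Windows roots
 * into an SSL_CTX honouring the per-root Enhanced Key Usage Windows applies. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OID_PKIX_KP_SERVER_AUTH "1.3.6.1.5.5.7.3.1" /* id-kp-serverAuth (szOID_PKIX_KP_SERVER_AUTH) */

/* Platform-independent decision, mirroring CertGetEnhancedKeyUsage() semantics:
 * no EKU extension/property at all (eku_absent) -> valid for every purpose;
 * an empty list -> valid for none; otherwise id-kp-serverAuth must be listed. */
int root_usable_for_server_auth(const char *const *oids, size_t n, int eku_absent)
{
    size_t i;

    if (eku_absent)
        return 1;
    for (i = 0; i < n; i++)
        if (oids[i] != NULL && strcmp(oids[i], OID_PKIX_KP_SERVER_AUTH) == 0)
            return 1;
    return 0;
}

/* Constructed sample EKU lists for the demo; not taken from any real root. */
const char *const sample_server_and_client_ekus[] = { OID_PKIX_KP_SERVER_AUTH, "1.3.6.1.5.5.7.3.2" };
const char *const sample_client_only_ekus[]       = { "1.3.6.1.5.5.7.3.2" };

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/err.h>

/* Effective EKU set = extension intersected with the CERT_ENHKEY_USAGE_PROP_ID
 * property an admin can edit in certmgr.msc. 1 = usable, 0 = not, -1 = query failed. */
static int win_cert_usable_for_server_auth(PCCERT_CONTEXT cert)
{
    DWORD cb = 0, err;
    PCERT_ENHKEY_USAGE usage;
    int ok;

    if (!CertGetEnhancedKeyUsage(cert, 0, NULL, &cb) || (usage = malloc(cb)) == NULL)
        return -1;
    if (!CertGetEnhancedKeyUsage(cert, 0, usage, &cb)) {
        free(usage);
        return -1;
    }
    /* cUsageIdentifier == 0 is ambiguous: GetLastError() is CRYPT_E_NOT_FOUND for
     * "no restriction" and 0 for "no valid use" (documented behaviour). */
    err = GetLastError();
    ok = root_usable_for_server_auth((const char *const *)usage->rgpszUsageIdentifier,
                                     usage->cUsageIdentifier,
                                     usage->cUsageIdentifier == 0 && err == CRYPT_E_NOT_FOUND);
    free(usage);
    return ok;
}

/* Like SSL_CTX_load_os_trust() above, but imports only roots Windows allows for
 * server authentication and records that purpose in OpenSSL's trust settings.
 * For a client-side SSL_CTX verifying servers: these roots will not be trusted
 * for client-certificate checks. Caveat: Windows' "Disallowed" store is not consulted. */
int SSL_CTX_load_os_trust_server_auth(SSL_CTX *ctx)
{
    HCERTSTORE     hStore;
    PCCERT_CONTEXT pContext = NULL;
    X509_STORE    *store;
    size_t         count = 0;

    if (ctx == NULL || (hStore = CertOpenSystemStoreA(0, "ROOT")) == NULL)
        return 0;
    store = SSL_CTX_get_cert_store(ctx);

    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
        const unsigned char *p = pContext->pbCertEncoded; /* d2i_X509 advances this copy */
        X509 *x509;

        if (win_cert_usable_for_server_auth(pContext) != 1)
            continue; /* not enabled for TLS server auth, or unreadable: skip */
        if ((x509 = d2i_X509(NULL, &p, (long)pContext->cbCertEncoded)) == NULL)
            continue;
        if (X509_add1_trust_object(x509, OBJ_nid2obj(NID_server_auth))
            && X509_STORE_add_cert(store, x509))
            count++;
        else
            ERR_clear_error(); /* e.g. duplicate root on older OpenSSL; keep the queue clean */
        X509_free(x509);
    }
    CertCloseStore(hStore, 0);
    return count > 0;
}
#endif /* _WIN32 */

int main(void)
{
    printf("server+client EKU: %d, client-only EKU: %d, no EKU: %d, empty EKU: %d\n",
           root_usable_for_server_auth(sample_server_and_client_ekus, 2, 0),
           root_usable_for_server_auth(sample_client_only_ekus, 1, 0),
           root_usable_for_server_auth(NULL, 0, 1),
           root_usable_for_server_auth(NULL, 0, 0));
    return 0;
}
```

On Windows, call SSL_CTX_load_os_trust_server_auth() in place of the plain loader when the SSL_CTX is used to verify servers; a root that an administrator has restricted to, say, client authentication or code signing in certmgr.msc is then left out rather than silently becoming a TLS trust anchor.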
