But on Windows, its certificates aren't provided as a file.
So another way is required.
The following is concept code (it uses Crypt32.dll):
#include <windows.h>
#include <wincrypt.h>
#include <openssl/bio.h>
#include <openssl/x509.h>
/* http://msdn.microsoft.com/en-us/library/aa380252(VS.85).aspx */
/* Copy every certificate in the Windows "ROOT" system store into an
 * OpenSSL X509_STORE. Link against Crypt32.lib. */
static void
ossl_x509store_add_certs_win(X509_STORE *store)
{
    HCERTSTORE hStore;
    PCCERT_CONTEXT pContext = NULL;

    /* The "A" variant keeps the narrow string valid under UNICODE builds. */
    hStore = CertOpenSystemStoreA(0, "ROOT");
    if (!hStore) return;

    /* CertEnumCertificatesInStore frees the previous context and returns
     * the next one, or NULL once the store is exhausted. */
    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
        /* pbCertEncoded is DER; wrap it in a read-only memory BIO. */
        BIO *in = BIO_new_mem_buf(pContext->pbCertEncoded, pContext->cbCertEncoded);
        X509 *x509;
        if (!in) continue;
        x509 = d2i_X509_bio(in, NULL);
        BIO_free(in);
        if (x509) {
            X509_STORE_add_cert(store, x509); /* the store takes its own reference */
            X509_free(x509);
        }
    }
    CertFreeCertificateContext(pContext); /* pContext is NULL here; harmless */
    CertCloseStore(hStore, 0);
}
I want to merge this into OpenSSL, but I can't propose a suitable API.
Thoughts?
--
NARUSE, Yui <nar...@airemix.jp>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org
Thanks, it works.
So I request that X509_STORE_set_default_paths call this.
When this is merged, both Unix users and Windows users can use
the system's default root certificates.
Should I file this to Request Tracker as a bug? (even if this is a feature request)
Background:
We maintain a wrapper library of OpenSSL, the openssl lib for Ruby.
And we also maintain an https library, which depends on openssl.
So when the https library wants to verify certificates of a web server,
on Unix, we can use X509_STORE_set_default_paths, then users can verify.
But on Windows they cannot now.
This patch allows Windows users to verify certificates easily.
Thanks,
This needs to link Crypt32.dll.
Index: crypto/x509/x509_d2.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/x509/x509_d2.c,v
retrieving revision 1.7
diff -u -p -r1.7 x509_d2.c
--- crypto/x509/x509_d2.c 19 Feb 2001 16:02:21 -0000 1.7
+++ crypto/x509/x509_d2.c 11 Jan 2010 11:25:57 -0000
@@ -62,6 +62,34 @@
#include <openssl/x509.h>
#ifndef OPENSSL_NO_STDIO
+
+#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0500
+#include <Wincrypt.h>
+void X509_STORE_load_windows_systemstore(X509_STORE *ctx)
+ {
+ HCERTSTORE hStore;
+ PCCERT_CONTEXT pContext = NULL;
+ X509 *x509;
+
+ hStore = CertOpenSystemStore(0, "ROOT");
+ if(!hStore) return;
+
+ while (pContext = CertEnumCertificatesInStore(hStore, pContext))
+ {
+ x509 = NULL;
+ x509 = d2i_X509(NULL, &pContext->pbCertEncoded, pContext->cbCertEncoded);
+ if (x509)
+ {
+ X509_STORE_add_cert(store, x509);
+ X509_free(x509);
+ }
+ }
+
+ CertFreeCertificateContext(pContext);
+ CertCloseStore(hStore, 0);
+ }
+#endif
+
int X509_STORE_set_default_paths(X509_STORE *ctx)
{
X509_LOOKUP *lookup;
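Review bot: the loop body calls `X509_STORE_add_cert(store, x509);` but the only parameter of X509_STORE_load_windows_systemstore is `ctx`, so this hunk does not compile; it should be `X509_STORE_add_cert(ctx, x509);`. Passing `&pContext->pbCertEncoded` to d2i_X509 is also wrong: d2i_X509 advances the pointer it is given, and pContext points at a const CERT_CONTEXT, so copy it to a local first (`const unsigned char *p = pContext->pbCertEncoded;` then `d2i_X509(NULL, &p, pContext->cbCertEncoded)`). The new function is not declared in openssl/x509.h, and the return value of X509_STORE_add_cert is discarded, so a certificate already present in the store leaves an error on the queue unnoticed.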
@@ -77,6 +105,10 @@ int X509_STORE_set_default_paths(X509_ST
/* clear any errors */
ERR_clear_error();
+#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0500
+ X509_STORE_load_windows_systemstore(X509_STORE *ctx)
+#endif
+
return(1);
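Review bot: `X509_STORE_load_windows_systemstore(X509_STORE *ctx)` is written as a prototype rather than a call and has no terminating semicolon, so this hunk does not compile; it should read `X509_STORE_load_windows_systemstore(ctx);`. The call also sits after `ERR_clear_error();`, so any error raised while adding certificates stays on the error queue for the caller of X509_STORE_set_default_paths; either move the call before the clear or check the loader's outcome. The guard `defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0500` also means the feature silently disappears on Windows builds that never define _WIN32_WINNT.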
> (2010/01/10 23:23), Shahin Khorasani wrote:
> > try this
> > (snip)
>
> Thanks, it works.
>
>
> So I request that X509_STORE_set_default_paths call this.
> When this is merged, both Unix users and Windows users can use
> the system's default root certificates.
>
> Should I file this to Request Tracker as a bug? (even if this is a feature request)
>
Some CryptoAPI handling code already exists in the CryptoAPI ENGINE and I'd
suggest that a ctrl for that would be the best place to put it. There are some
debug options already that can dump a whole store to standard output.
However some additional code would be needed because that just adds the whole
store without any purpose setting code. This could cause security issues if,
for example, client certificate authorities are used for server signing.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
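Steve's objection is that the patch copies every certificate in ROOT into the X509_STORE with no trust purpose attached. The following Python is an added example, not code from this thread or from OpenSSL: it uses Python's own `ssl.enum_certificates()`, which wraps the same CryptoAPI enumeration the patch performs (CertOpenSystemStore / CertEnumCertificatesInStore), and keeps only the roots the Windows store marks as trusted for server authentication. The function names `select_trusted_roots` and `load_windows_roots` and the sample entries are assumptions constructed for this example.

```python
"""Purpose-filtered loading of a Windows system certificate store.

Added example, not from the original thread or from OpenSSL. Python's
ssl.enum_certificates() wraps the same CryptoAPI calls the patch uses;
the difference is that each certificate's trust property is honoured
instead of loading the whole store.
"""
import ssl

# Extended key usage OIDs (RFC 5280); ssl.Purpose.SERVER_AUTH.oid is the first.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"


def select_trusted_roots(entries, purpose_oid=SERVER_AUTH_OID):
    """Pick the DER certificates in ``entries`` trusted for ``purpose_oid``.

    ``entries`` has the shape ssl.enum_certificates() returns on Windows:
    (der_bytes, encoding, trust), where encoding is "x509_asn" or
    "pkcs_7_asn" and trust is True (trusted for every purpose) or the set
    of EKU OID strings the store's trust property enables.
    """
    selected = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            # Root CAs are plain X.509; PKCS#7 blobs are not single roots.
            continue
        if trust is True or purpose_oid in trust:
            selected.append(der)
    return selected


def load_windows_roots(ctx, store="ROOT", purpose_oid=SERVER_AUTH_OID):
    """Load purpose-filtered roots from Windows ``store`` into ``ctx``.

    Returns the number of certificates added. ssl.enum_certificates only
    exists on Windows; elsewhere nothing is loaded and 0 is returned.
    """
    enum = getattr(ssl, "enum_certificates", None)
    if enum is None:
        return 0
    ders = select_trusted_roots(enum(store), purpose_oid)
    if ders:
        # cadata accepts concatenated DER certificates.
        ctx.load_verify_locations(cadata=b"".join(ders))
    return len(ders)


# Constructed sample mimicking enum_certificates("ROOT"); the byte strings
# stand in for real DER and are not certificates.
SAMPLE_ENTRIES = [
    (b"<root A der>", "x509_asn", True),                                # all purposes
    (b"<root B der>", "x509_asn", {SERVER_AUTH_OID, CLIENT_AUTH_OID}),
    (b"<root C der>", "x509_asn", {CLIENT_AUTH_OID}),                   # client auth only
    (b"<bundle der>", "pkcs_7_asn", True),                              # PKCS#7, skipped
]

if __name__ == "__main__":
    for_servers = select_trusted_roots(SAMPLE_ENTRIES)
    print("server-auth roots in sample:", len(for_servers))  # 2: A and B
    ctx = ssl.create_default_context()
    print("loaded from Windows ROOT:", load_windows_roots(ctx))
```

Root C, a CA the store trusts only for client authentication, is left out of a server-verification context, which is exactly the separation the whole-store copy in the patch loses.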