
Using Windows certificate store through OpenSSL


Perrow, Graeme
Oct 7, 2013, 9:39:35 AM

I’d like to add the ability for my (client) application to use the Windows certificate store to verify a server’s certificate during an SSL handshake. I’ve created a callback and set it using SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information about the server’s certificate and can also enumerate through the certificates in the certificate store.


But then what? Is there a way to tell OpenSSL “Please verify the server’s certificate using this trusted certificate”? In the case when the client supplies the trusted certificate in advance, I can pass it to X509_STORE_add_cert before the handshake but can I do that *during* the handshake? Can I simply get the PEM / DER information for both certificates and memcpy them?


Thanks for any advice

Graeme Perrow


Jan Just Keijser
Oct 7, 2013, 10:37:54 AM

Perrow, Graeme wrote:

> I’d like to add the ability for my (client) application to use the Windows certificate store to verify a server’s certificate during an SSL handshake. I’ve created a callback and set it using SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information about the server’s certificate and can also enumerate through the certificates in the certificate store.
>
> But then what? Is there a way to tell OpenSSL “Please verify the server’s certificate using this trusted certificate”? In the case when the client supplies the trusted certificate in advance, I can pass it to X509_STORE_add_cert before the handshake but can I do that *during* the handshake? Can I simply get the PEM / DER information for both certificates and memcpy them?


Wasn't support for this added via the crypto engine 'capieng'? Rebuild openssl using
  ./config enable-capieng

and use the CAPI engine.

HTH,

JJK

Perrow, Graeme
Oct 8, 2013, 4:23:01 PM

Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:


1. Is there any documentation anywhere on this engine? All I’ve found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it but not 3rd party applications.


2. If I’m building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I’m guessing it’s in capi.dll but I have no idea how to load and use it through that interface.


Graeme

Dr. Stephen Henson
Oct 9, 2013, 10:20:51 AM

On Tue, Oct 08, 2013, Perrow, Graeme wrote:

> Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:
>
> 1. Is there any documentation anywhere on this engine? All I've found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it but not 3rd party applications.
>
> 2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I'm guessing it's in capi.dll but I have no idea how to load and use it through that interface.
>

The CAPI engine doesn't support verification through a Windows certificate
store. There are some debugging options which can dump a whole Windows
store to a file which might be of some use, though you can do the same with
the Windows certificate wizards. If that's of interest let me know.

A problem with using the Windows stores is which certificates to actually use.
The stores contain root CAs which should be used only for verification of
servers, clients, email and some other purposes too. I never found out a way
using Windows APIs to extract this information. If someone knows how I'd
appreciate some pointers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Brad House
Oct 9, 2013, 10:50:28 AM

On 10/9/13 10:20 AM, Dr. Stephen Henson wrote:
> The CAPI engine doesn't support verification through a Windows certificate
> store. There are some debugging options which can dump a whole Windows
> store to a file which might be of some use, though you can do the same with
> the Windows certificate wizards. If that's of interest let me know.
>
> A problem with using the Windows stores is which certificates to actually use.
> The stores contain root CAs which should be used only for verification of
> servers, clients, email and some other purposes too. I never found out a way
> using Windows APIs to extract this information. If someone knows how I'd
> appreciate some pointers.

I was researching that a while back and came across this discussion chain:
http://www.mail-archive.com/opens...@openssl.org/msg26958.html

It appears an RT ticket with patch was filed here:
http://rt.openssl.org/Ticket/Display.html?id=2158

I believe it contains the info you're looking for.

-Brad

Frank Gross
Oct 9, 2013, 10:58:30 AM

To use the Windows keystore in openssl, I did the following:

At application startup, I use the windows API to get all trusted
certificates from Key store. Then for each of them, I create the openssl
X509 one via d2i_X509() and register it into the openssl store via
X509_STORE_add_cert().

Sample to convert a Windows certificate to an openssl X509 one:

#include <windows.h>
#include <wincrypt.h>
#include <openssl/x509.h>

X509* CryptoCreateX509Certificate(PCCERT_CONTEXT cert) {
    X509* myX509 = NULL;
    const unsigned char* buffer = cert->pbCertEncoded; /* d2i_X509 advances this pointer, so work on a copy */
    int len = cert->cbCertEncoded;
    if (cert->dwCertEncodingType & X509_ASN_ENCODING) {
        myX509 = d2i_X509(NULL, &buffer, len); /* NULL if the DER does not parse as a certificate */
    }
    return myX509; /* caller owns the X509; X509_STORE_add_cert takes its own reference */
}

Frank


Le 09/10/2013 16:20, Dr. Stephen Henson a écrit :
> On Tue, Oct 08, 2013, Perrow, Graeme wrote:
>
>> Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:
>>
>> 1. Is there any documentation anywhere on this engine? All I've found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it but not 3rd party applications.
>>
>> 2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I'm guessing it's in capi.dll but I have no idea how to load and use it through that interface.
>>
> The CAPI engine doesn't support verification through a Windows certificate
> store. There are some debugging options which can dump a whole Windows
> store to a file which might be of some use, though you can do the same with
> the Windows certificate wizards. If that's of interest let me know.
>
> A problem with using the Windows stores is which certificates to actually use.
> The stores contain root CAs which should be used only for verification of
> servers, clients, email and some other purposes too. I never found out a way
> using Windows APIs to extract this information. If someone knows how I'd
> appreciate some pointers.
>
> Steve.

--
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com

Dr. Stephen Henson
Oct 9, 2013, 12:14:33 PM

On Wed, Oct 09, 2013, Frank Gross wrote:

> To use the Windows keystore in openssl, I did the following:
>
> At application startup, I use the windows API to get all trusted
> certificates from Key store. Then for each of them, I create the
> openssl X509 one via d2i_X509() and register it into the openssl
> store via X509_STORE_add_cert().
>
> Sample to convert a Windows certificate to an openssl X509 one:
>
> X509* CryptoCreateX509Certificate(PCCERT_CONTEXT cert) {
> X509* myX509=NULL;
> unsigned char* buffer=cert->pbCertEncoded;
> int len=cert->cbCertEncoded;
> if (cert->dwCertEncodingType&X509_ASN_ENCODING) {
> myX509=d2i_X509(NULL,&buffer,len);
> }
>

Before I get flooded with suggestions.. I know how to get a Windows
certificate into an X509 structure: I wrote the CAPI engine code that does it.

What I don't know (and which no thread I've read helps with) is how to
retrieve the trust settings which are rather important if you want to handle
this properly. By that I mean the list of checkboxes marked "certificate
purposes" which appear if you click on "advanced" in the certificates dialog
box.

Brad House
Oct 9, 2013, 2:02:57 PM

On 10/9/13 12:14 PM, Dr. Stephen Henson wrote:
> Before I get flooded with suggestions.. I know how to get a Windows
> certificate into an X509 structure: I wrote the CAPI engine code that does it.
>
> What I don't know (and which no thread I've read helps with) is how to
> retrieve the trust settings which are rather important if you want to handle
> this properly. By that I mean the list of checkboxes marked "certificate
> purposes" which appear if you click on "advanced" in the certificates dialog
> box.

I think you should be using CertGetCertificateContextProperty with a propid of
CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
these might be aliased as I think both have a value of 9):
http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx

The returned data is ASN.1 encoded so you might have to decode it before
you can use the OIDs returned.

Here's a powershell example which does a DLLImport call to that function
which might be useful:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=69
The program output from their example appears to show the settings you
are after, so I think this is a good starting point.

-Brad
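
The decoding step Brad mentions, as an added example that is not code from this thread: the CERT_ENHKEY_USAGE_PROP_ID value is a DER SEQUENCE OF OBJECT IDENTIFIER, and a root from the Windows store should only be handed to X509_STORE_add_cert for TLS server verification when that list contains id-kp-serverAuth (1.3.6.1.5.5.7.3.1), otherwise an email-only or code-signing-only root would silently become a TLS trust anchor. The decoder below needs neither Windows nor OpenSSL headers; the sample property values are constructed, and reading an empty SEQUENCE as "trusted for no purpose" is an assumption to confirm against the CryptoAPI documentation.

```c
#include <stddef.h>
#include <string.h>

/* id-kp-serverAuth (1.3.6.1.5.5.7.3.1) as DER OID content octets */
static const unsigned char OID_SERVER_AUTH[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01};

/* Parse a DER tag/length header at p. Returns the header size, or 0 if the tag
   differs, the length uses more than 2 length bytes, or the content overruns avail. */
static size_t der_header(const unsigned char *p, size_t avail,
                         unsigned char want_tag, size_t *content_len) {
    if (avail < 2 || p[0] != want_tag) return 0;
    size_t hdr = 2, n = p[1];
    if (n & 0x80) {                       /* long-form length */
        size_t nbytes = n & 0x7F;
        if (nbytes == 0 || nbytes > 2 || avail - 2 < nbytes) return 0;
        n = 0;
        for (size_t i = 0; i < nbytes; i++) n = (n << 8) | p[2 + i];
        hdr += nbytes;
    }
    if (n > avail - hdr) return 0;
    *content_len = n;
    return hdr;
}

/* Decode a CERT_ENHKEY_USAGE_PROP_ID value (DER SEQUENCE OF OBJECT IDENTIFIER).
   Returns 1 if serverAuth is listed, 0 if not (an empty SEQUENCE is assumed to mean
   "trusted for no purpose"), -1 if malformed. Only a 1 should reach the TLS store. */
int eku_allows_server_auth(const unsigned char *der, size_t len) {
    size_t seq_len, hdr = der_header(der, len, 0x30, &seq_len);
    if (hdr == 0) return -1;
    const unsigned char *p = der + hdr, *end = p + seq_len;
    while (p < end) {
        size_t oid_len, h = der_header(p, (size_t)(end - p), 0x06, &oid_len);
        if (h == 0) return -1;            /* non-OID element or truncated OID */
        if (oid_len == sizeof OID_SERVER_AUTH &&
            memcmp(p + h, OID_SERVER_AUTH, oid_len) == 0) return 1;
        p += h + oid_len;
    }
    return 0;
}

/* Constructed sample property values (not dumped from a real store) */
const unsigned char EKU_SERVER_AND_CLIENT[] = {   /* serverAuth + clientAuth */
    0x30,0x14, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,
               0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02 };
const unsigned char EKU_EMAIL_ONLY[] = {          /* emailProtection only */
    0x30,0x0A, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04 };
const unsigned char EKU_EMPTY[] = { 0x30,0x00 };  /* no purposes at all */
const unsigned char EKU_TRUNCATED[] = { 0x30,0x05, 0x06,0x08,0x2B,0x06,0x01 };
```

A property that is absent altogether is a separate case from an empty list and is reported by CryptoAPI through the return value of CertGetCertificateContextProperty, not through these bytes.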

Dr. Stephen Henson
Oct 10, 2013, 7:58:33 AM

On Wed, Oct 09, 2013, Brad House wrote:

> On 10/9/13 12:14 PM, Dr. Stephen Henson wrote:
> >Before I get flooded with suggestions.. I know how to get a Windows
> >certificate into an X509 structure: I wrote the CAPI engine code that does it.
> >
> >What I don't know (and which no thread I've read helps with) is how to
> >retrieve the trust settings which are rather important if you want to handle
> >this properly. By that I mean the list of checkboxes marked "certificate
> >purposes" which appear if you click on "advanced" in the certificates dialog
> >box.
>
>
> I think you should be using CertGetCertificateContextProperty with a propid of
> CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
> these might be aliased as I think both have a value of 9):
> http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx
>
> The returned data is ASN.1 encoded so you might have to decode it before
> you can use the OIDs returned.
>

Thanks for the link. That is *VERY* interesting and I'll be looking into it as
soon as my (alas rather hectic) schedule permits.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org