> From: owner-ope...@openssl.org On Behalf Of Charles Mills
> Sent: Friday, 31 August, 2012 12:00
> To: openss...@openssl.org
> Subject: SSL_CTX_set_default_verify_paths and Windows?
UTSL (although in this case you must go through several layers).
_set_default_verify is effectively _load_verify_locations
using env vars SSL_CERT_FILE SSL_CERT_DIR if they exist
and otherwise X509_get_default_cert_{file,dir}() which return
a compiled-in file and directory normally file "cert.pem" and
subdir "certs" under OPENSSLDIR, which is configurable at build
time and can be seen with commandline openssl version -d .
If you're using the ShiningLight builds (as I am) they seem
to make OPENSSLDIR /usr/local/ssl, a directory that doesn't
normally exist on Windows systems (it does on many Unixes).
It is still a file and/or directory in OpenSSL format, not MS.
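The lookup order described above (SSL_CERT_FILE / SSL_CERT_DIR if set, otherwise the compiled-in X509_get_default_cert_file()/_dir() under OPENSSLDIR) can be checked from a script without reading the OpenSSL source. The example below is added here and is not from the list post or from OpenSSL itself; it relies on Python's standard ssl module, whose get_default_verify_paths() exposes exactly those four OpenSSL values (the two environment-variable names and the two compiled-in paths). It reports which file and directory a call to SSL_CTX_set_default_verify_paths() would end up using and flags a compiled-in path that does not exist, which is the situation on a Windows box whose build points at /usr/local/ssl.

```python
import os
import ssl
from typing import Mapping, NamedTuple, Optional


class ResolvedVerifyPaths(NamedTuple):
    cafile: Optional[str]    # path OpenSSL would read as the CA file, or None
    cafile_source: str       # "env", "builtin" or "missing"
    capath: Optional[str]    # directory OpenSSL would scan for hashed CA files, or None
    capath_source: str


def resolve_default_verify_paths(
    env: Optional[Mapping[str, str]] = None,
) -> ResolvedVerifyPaths:
    """Reproduce the lookup behind SSL_CTX_set_default_verify_paths().

    ssl.get_default_verify_paths() returns the names of the override
    variables (normally SSL_CERT_FILE / SSL_CERT_DIR) and the compiled-in
    fallbacks (normally cert.pem and certs/ under OPENSSLDIR).  An
    environment override wins when set and is returned as given, since
    OpenSSL trusts it and only fails later at load time if it is wrong;
    otherwise the compiled-in path is used, and if that path is absent
    on this machine it is reported as "missing".
    """
    if env is None:
        env = os.environ
    dvp = ssl.get_default_verify_paths()

    def pick(env_name, builtin, exists):
        override = env.get(env_name) if env_name else None
        if override:
            return override, "env"
        if builtin and exists(builtin):
            return builtin, "builtin"
        return None, "missing"

    cafile, cafile_src = pick(dvp.openssl_cafile_env, dvp.openssl_cafile, os.path.isfile)
    capath, capath_src = pick(dvp.openssl_capath_env, dvp.openssl_capath, os.path.isdir)
    return ResolvedVerifyPaths(cafile, cafile_src, capath, capath_src)


def describe(resolved: ResolvedVerifyPaths) -> str:
    """Human-readable summary, equivalent to what one checks by hand with
    'openssl version -d' plus a look at the environment."""
    return (
        f"{ssl.OPENSSL_VERSION}\n"
        f"  CA file: {resolved.cafile!r} ({resolved.cafile_source})\n"
        f"  CA dir : {resolved.capath!r} ({resolved.capath_source})"
    )


if __name__ == "__main__":
    # Run on the real environment, then show an explicit override
    # (constructed path, not one that needs to exist for this demo).
    print(describe(resolve_default_verify_paths()))
    print(describe(resolve_default_verify_paths({"SSL_CERT_FILE": "C:/certs/myCert.pem"})))
```

If both lines come back "missing" on a Windows build, SSL_CTX_set_default_verify_paths() gives you an empty trust store and every peer certificate fails verification, which is why setting SSL_CERT_FILE (or calling SSL_CTX_load_verify_locations explicitly, as in the original question) is the practical fix there.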
>
> I have an application working on Windows using explicit PEM certificate
> files: SSL_CTX_load_verify_locations(SslCtx, "myCert.pem", NULL);
>
> My interest is in the possibility of using the "built-in" certificate store
> in Windows. Is that possible with OpenSSL? Is
> SSL_CTX_set_default_verify_paths() relevant? Is there an overview document
> somewhere?
1. OpenSSL X509_STORE logic (like several others) is extensible,
i.e. you write code implementing the same interface and plug it
in. I'm sure it's possible to write a store that fetches from MS
instead of from a file or directory like the builtin ones do.
But this looks like a pretty big job. Someone else may already
have done this, but if so I haven't heard of or seen it.

2. OpenSSL has an "ENGINE" feature that was originally created
to handle hardware devices mostly doing low-level crypto operations
(a digest, a symmetric encrypt or decrypt, a public-key encrypt or
decrypt, etc.) It has gradually been adding more functions, rather
like a scifi movie monster feeding on nuclear bomb radiation.
There is definitely an engine for MS CAPI, and I thought I had
heard mention that the engine interface was adding at least some
truststore function. But looking in 1.0.1c I don't see any trace
of such, so maybe I misunderstood or maybe it isn't cooked yet.

Or of course you could just read the certs from MS truststore
and put them in a file or dir in OpenSSL format. The only downside
of that I see is that you won't honor new inserts (or possibly
deletes) unless and until you repeat the process.
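The third option (export the Windows trust store into an OpenSSL-format file) plus a cheap answer to the staleness downside, as an added example that is not from the post or from OpenSSL. It uses only Python's standard ssl module: on Windows, ssl.enum_certificates("ROOT") returns (DER bytes, encoding, trust) tuples from the system store, and ssl.DER_cert_to_PEM_cert() converts each one. The enumerator is injected so the filtering and export logic can run anywhere; the SAMPLE_ENTRIES below are constructed stand-ins (not real certificates) in that same tuple shape. The output is a single PEM bundle, suitable for SSL_CTX_load_verify_locations(ctx, path, NULL) or SSL_CERT_FILE, rather than a hashed directory, because the subject-name hash that directory layout needs is not exposed by the stdlib. store_fingerprint() gives a scheduled job a way to notice that roots were inserted or deleted since the last export.

```python
import hashlib
import ssl
from typing import Iterable, List, Tuple

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

# Shape of one ssl.enum_certificates() entry: (DER bytes, encoding, trust).
# trust is True (trusted for all purposes) or a set of EKU OID strings.
StoreEntry = Tuple[bytes, str, object]

# Constructed sample entries (not real certificates) used when this runs
# off Windows; they only exercise the filter/export logic.
SAMPLE_ENTRIES: List[StoreEntry] = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                     # all purposes
    (b"\x30\x03\x02\x01\x02", "x509_asn", {"1.3.6.1.5.5.7.3.2"}),    # clientAuth only
    (b"\x30\x03\x02\x01\x03", "x509_asn", {SERVER_AUTH_OID}),        # serverAuth
    (b"\x30\x00", "pkcs_7_asn", True),                               # PKCS#7, skipped
]


def trusted_der_certs(entries: Iterable[StoreEntry]) -> List[bytes]:
    """Keep X.509 DER blobs Windows marks as usable for server
    authentication; PKCS#7 entries and certs restricted to other EKUs
    are dropped so they do not become TLS trust anchors."""
    out = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        if trust is True or (isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust):
            out.append(der)
    return out


def store_fingerprint(entries: Iterable[StoreEntry]) -> str:
    """SHA-256 over the sorted trusted DER set.  Compare with the value
    saved at the last export: a change means a root was added or removed
    and the bundle must be regenerated."""
    h = hashlib.sha256()
    for der in sorted(trusted_der_certs(entries)):
        h.update(hashlib.sha256(der).digest())
    return h.hexdigest()


def build_bundle(entries: Iterable[StoreEntry]) -> str:
    """Concatenate the trusted roots as PEM, the format OpenSSL's
    file lookup reads."""
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in trusted_der_certs(entries))


def export_bundle(entries: Iterable[StoreEntry], dest: str) -> int:
    """Write the PEM bundle to dest and return how many roots it holds."""
    bundle = build_bundle(entries)
    with open(dest, "w") as f:
        f.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")


def windows_root_entries(store_name: str = "ROOT") -> List[StoreEntry]:
    """Real enumerator; ssl.enum_certificates exists only on Windows."""
    enum = getattr(ssl, "enum_certificates", None)
    if enum is None:
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    return enum(store_name)


if __name__ == "__main__":
    try:
        entries = windows_root_entries()
    except RuntimeError:
        entries = SAMPLE_ENTRIES
    n = export_bundle(entries, "windows-roots.pem")  # assumed output path
    print(f"exported {n} roots, fingerprint {store_fingerprint(entries)}")
```

Persist the fingerprint next to the bundle and re-run on a schedule; if it matches, nothing in the Windows store changed and the OpenSSL-format file is still current.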