Random Coder wrote:
> I'm not sure if the wget maintainers would be interested, but I've
> been carrying this patch around in my private builds of wget for a
> while. It allows wget to load SSL certs from the default Windows cert
> store.
I've applied your patch. It seems to work fine. Nice!
But in a message like:
  X509 certificate successfully verified and matches host www.ssllabs.com
it would be nice to know if it succeeded because of WinCrypt or
OpenSSL.
> + /* Loop through all the certs in the Windows cert store */
> + for ( pCertCtx = Local_CertEnumCertificatesInStore(hStore, NULL);
> + pCertCtx != NULL;
> + pCertCtx = Local_CertEnumCertificatesInStore(hStore, pCertCtx) )
> + {
> + if (!((pCertCtx->dwCertEncodingType & PKCS_7_ASN_ENCODING) ==
> PKCS_7_ASN_ENCODING))
> + {
> + /* Add all certs we find to OpenSSL's store */
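Review bot: in the block under the comment "Add all certs we find to OpenSSL's store", the lines shown apply only the dwCertEncodingType test, so every other entry the enumeration returns is added as a trust anchor with no filter on its validity period. Consider comparing pCertCtx->pCertInfo->NotBefore and NotAfter against the current time (crypt32 provides CertVerifyTimeValidity for this) and skipping entries outside that window before adding them. The negated test `!((... & PKCS_7_ASN_ENCODING) == PKCS_7_ASN_ENCODING)` would also read more clearly written with `!=`, with a comment saying why PKCS#7-encoded entries are excluded.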
How does this prevent an expired cert from being used?
I see in the 'CERT_INFO' structure a 'NotAfter' member. But this
struct seems to be supported for WINAPI_PARTITION_APP only :-(
I assume this could be used to check expired certificates.
--
--gv