Hi Guenter,
I've actually figured out what the issue was; it was user error :-)
Here's the snippet of code I used:
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

/* Writes one DER-encoded certificate (e.g. pbCertEncoded from a CERT_CONTEXT)
 * to fp in PEM form. Despite the name it writes the whole certificate, not
 * only its public key. Returns 0 on success, -1 on failure. */
int writePubKey(const unsigned char* input, int length, FILE* fp) {
    int status = -1;
    X509* x = NULL;
    /* d2i_X509 advances the data pointer it is given, so work on a copy. */
    const unsigned char* p = input;
    /* Decode the X.509 certificate. Passing NULL lets OpenSSL allocate the
     * object; a separate X509_new() is not needed. Check the result. */
    x = d2i_X509(NULL, &p, length);
    if (x == NULL) {
        goto exit;
    }
    /* Write the decoded certificate to the file; PEM_write_X509 returns 1 on success. */
    if (PEM_write_X509(fp, x) != 1) {
        goto exit;
    }
    status = 0;
exit:
    if (x != NULL) {
        X509_free(x);
    }
    return status;
}
I call the above method like below:
/* pCertCtx as returned by e.g. CertEnumCertificatesInStore(); fp opened
 * with fopen() for writing. cbCertEncoded is a DWORD, hence the cast. */
PCCERT_CONTEXT pCertCtx;
FILE* fp;
int status = writePubKey(pCertCtx->pbCertEncoded, (int)pCertCtx->cbCertEncoded, fp);
Folks can find more info on PCCERT_CONTEXT and how to interact with
the Certificate Store from the crypt32 API:
http://msdn.microsoft.com/en-us/library/ms867086.aspx
Thanks for your help!
Alex
On Tue, Mar 13, 2012 at 6:15 PM, Guenter <[email protected]> wrote:
>
> Hi Alex,
> On 13.03.2012 19:22, Alex Loukissas wrote:
>
>> I've been trying to remove the requirement of having to bundle a
>> certificate file, as described here
>> [http://curl.haxx.se/docs/caextract.html], by using the appropriate
>> methods from openSSL to extract certificates from the Windows
>> certificate store. However, when trying to replace the ca-bundle.crt
>> with the file that my code creates, curl throws me an error:
>>
>> Error: [77] - error setting certificate verify locations:
>> CAfile: C:\Program Files\Client\ca-bundle.crt
>> CApath: none
>>
>> Any idea of what I could be missing here? I'll briefly describe what I'm
>> doing below so that readers have a clearer picture:
>
> I believe the easiest way to find out would be to compare the results of your
> file against one created by our tools; problems like these might be related
> to e.g. different char encoding ...
>
>
>> 1. Use the crypt32 API to open the certificate store and iterate through
>> the installed certificates. Of these, I only use the ones whose "Enhanced
>> Key Usage" is Client Authentication, Server Authentication or All
>> (i.e. discarding those with timestamp signing, etc.), and of course those
>> which aren't expired.
>> 2. Use the X.509 and PEM API from openSSL to decode these certificates
>> and write the public key portion of them to the generated file.
>>
>> Any ideas? I really doubt that Windows-bundled certificates (they come
>> from Verisign, Thawte, etc) aren't valid for common use. If this works,
>> it would nicely eliminate the pain of having to bundle up certificate
>> files with apps using cURL and I'd be happy to share the complete code.
>
> You don't have to bundle CA files but can always let the user create fresh
> ones themselves with the scripts we provide for this; but nevertheless I'm
> interested in your code, and probably I can narrow down the issue you see,
> so are you willing to share it with us? Either send it to me directly, or
> attach it here as a file if you want to let others play with it too.
>
> thanks, Gün.
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
--
Alex Loukissas
Member of Technical Staff - Maginatics, Inc.
www.maginatics.com
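Guenter's suggestion to compare the generated file with one made by curl's own tools, and his hunch about character encoding, can be turned into a quick check before handing the file to curl. The following is an added example, not code from this thread, from curl or from OpenSSL: it scans an in-memory PEM bundle for the defects that most often make a hand-generated ca-bundle.crt unloadable (a UTF-16 or UTF-8 byte-order mark, NUL bytes from a wide-character write, non-base64 body lines, an unterminated certificate block) and otherwise returns the number of certificate blocks it found. The names check_pem_bundle(), check_pem_str() and the PEM_ERR_* codes are made up for this example.

```c
#include <stddef.h>
#include <string.h>

/* Return codes of this checker (hypothetical names, not curl's or OpenSSL's). */
enum { PEM_ERR_BOM = -1, PEM_ERR_NUL = -2, PEM_ERR_BASE64 = -3, PEM_ERR_UNTERMINATED = -4 };

static const char BEGIN_LINE[] = "-----BEGIN CERTIFICATE-----";
static const char END_LINE[]   = "-----END CERTIFICATE-----";

/* True if the (not NUL-terminated) line of n bytes starts with marker. */
static int line_is(const char *line, size_t n, const char *marker)
{
    size_t m = strlen(marker);
    return n >= m && memcmp(line, marker, m) == 0;
}

/* Scan a PEM CA bundle held in memory (LF or CRLF line endings). Returns the number
 * of complete CERTIFICATE blocks, or a negative PEM_ERR_* code for the first defect. */
int check_pem_bundle(const char *buf, size_t len)
{
    const unsigned char *u = (const unsigned char *)buf;
    size_t i = 0;
    int certs = 0, in_body = 0;

    /* A UTF-16 (FF FE) or UTF-8 (EF BB BF) byte-order mark means the file was written
     * as a "text" encoding rather than plain ASCII PEM. */
    if (len >= 2 && u[0] == 0xFF && u[1] == 0xFE) return PEM_ERR_BOM;
    if (len >= 3 && u[0] == 0xEF && u[1] == 0xBB && u[2] == 0xBF) return PEM_ERR_BOM;
    /* NUL bytes inside the text: the classic sign of UTF-16 output from a Windows API. */
    if (memchr(buf, '\0', len) != NULL) return PEM_ERR_NUL;

    while (i < len) {
        size_t start = i, n, k;
        while (i < len && buf[i] != '\n') i++;
        n = i - start;
        if (n > 0 && buf[start + n - 1] == '\r') n--;   /* tolerate CRLF */
        if (i < len) i++;                                /* step over the LF */
        if (!in_body) {                                  /* comments/headers allowed here */
            if (line_is(buf + start, n, BEGIN_LINE)) in_body = 1;
            continue;
        }
        if (line_is(buf + start, n, END_LINE)) { in_body = 0; certs++; continue; }
        for (k = 0; k < n; k++) {                        /* body lines must be pure base64 */
            char c = buf[start + k];
            if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                  (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '='))
                return PEM_ERR_BASE64;
        }
    }
    return in_body ? PEM_ERR_UNTERMINATED : certs;
}

/* Convenience wrapper for NUL-terminated (ASCII) input. */
int check_pem_str(const char *s) { return check_pem_bundle(s, strlen(s)); }
```

A result of 0 on a file you expected to contain certificates (for instance because every block carries a BOM or a stray prefix before "-----BEGIN") is as telling as a negative code; in that case diff the file byte by byte against the bundle produced by curl's scripts.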