Starting from the stackoverflow article, I made a patch against
lib/vtls/openssl.c

I worked against commit
https://github.com/curl/curl/commit/6684653b682bae0be75ea62bb473b126923952f1

 

It ran well for me.

 

Before committing to git, there are probably two questions:

-          Is the #if defined(HAVE_WINDOWS_H) test the right way to decide whether to
include Wincrypt.h and this code? Or should another macro be used?

-          And what should happen if both HAVE_WINDOWS_H (or the alternate macro) and
CURL_CA_FALLBACK are defined?

 

Here is the patch

 

 

*** openssl.git                Sun Sep 09 21:15:17 2018

--- openssl.gv    Sun Sep 09 21:18:03 2018

***************

*** 2184,2189 ****

--- 2184,2195 ----

    return CURLE_OK;

  }

  

+ 

+ #if defined(HAVE_WINDOWS_H)

+ #include <Wincrypt.h>

+ #pragma comment(lib, "crypt32.lib")

+ #endif

+ 

  static CURLcode ossl_connect_step1(struct connectdata *conn, int
sockindex)

  {

    CURLcode result = CURLE_OK;
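Review bot: `#pragma comment(lib, "crypt32.lib")` is an MSVC-only directive, while `HAVE_WINDOWS_H` is also set for MinGW/Cygwin builds, where the pragma is ignored and crypt32 has to come from the link line, so the guard and the link dependency should follow the way lib/curl_setup.h already selects the Windows crypto backend (it has a `USE_WIN32_CRYPTO` macro for that; worth confirming against the tree at this commit) rather than a header-presence macro. The header is conventionally spelled `<wincrypt.h>` in lowercase so case-sensitive cross-compile hosts can find it. Placing a system include between two function definitions is also unusual for this file; it belongs with the other system includes at the top.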

***************

*** 2521,2527 ****

            ssl_cafile ? ssl_cafile : "none",

            ssl_capath ? ssl_capath : "none");

    }

! #ifdef CURL_CA_FALLBACK

    else if(verifypeer) {

      /* verfying the peer without any CA certificates won't

         work so use openssl's built in default as fallback */

--- 2527,2563 ----

            ssl_cafile ? ssl_cafile : "none",

            ssl_capath ? ssl_capath : "none");

    }

! 

! #if defined(HAVE_WINDOWS_H) && !defined(CURL_CA_FALLBACK)

!   else if (verifypeer) {

!     // read
https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-s
ystem-certificate-store/15451831

!     // 

!     if ((!ssl_cafile) && (!ssl_capath)) {

!       X509_STORE *store = SSL_CTX_get_cert_store(BACKEND->ctx);

!       PCCERT_CONTEXT pContext = NULL;

! 

!       HCERTSTORE hStore = CertOpenSystemStoreW((HCRYPTPROV_LEGACY)NULL,
L"ROOT");

! 

!       if (hStore) {

!         while (pContext = CertEnumCertificatesInStore(hStore, pContext))

!         {

!           const unsigned char *encoded_cert = (const unsigned char
*)pContext->pbCertEncoded;

!           X509 *x509 = d2i_X509(NULL, &encoded_cert,
pContext->cbCertEncoded);

! 

!           if (x509)

!           {

!             X509_STORE_add_cert(store, x509);

!             X509_free(x509);

!           }

!         }

! 

!         CertFreeCertificateContext(pContext);

!         CertCloseStore(hStore, 0);

!       }

!     }

!   }

! #endif

! #if defined(CURL_CA_FALLBACK)

    else if(verifypeer) {

      /* verfying the peer without any CA certificates won't

         work so use openssl's built in default as fallback */
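Review bot: The enumeration loop hands every certificate in the ROOT store to `X509_STORE_add_cert` without checking `pContext->dwCertEncodingType` or the certificate's enhanced key usage, so a root that Windows restricts to purposes other than server authentication, or one it has explicitly distrusted through the Disallowed store (which this code never consults), still becomes a fully trusted anchor for TLS here. The `X509_STORE_add_cert` result is ignored as well, which leaves errors such as duplicates on the OpenSSL error queue for a later, unrelated failure to report. At minimum guard the decode with `if(pContext->dwCertEncodingType & X509_ASN_ENCODING)`, call `ERR_clear_error()` after the loop, and emit an `infof()` line when `hStore` is NULL so that an empty trust store is visible in verbose output rather than surfacing as a bare verification failure. The `//` comments, `if (` spacing and the unparenthesized assignment in the `while` condition also do not follow curl's code style (`/* */`, `if(`, `while((p = f()) != NULL)`).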

 

 
