To use the Windows keystore in openssl, I did the following:

At application startup, I use the Windows API to get all trusted certificates from the key store. Then for each of them, I create the openssl X509 one via d2i_X509() and register it into the openssl store via X509_STORE_add_cert().

Sample to convert a Windows certificate into an openssl X509 one:

#include <windows.h>
#include <wincrypt.h>
#include <openssl/x509.h>

X509* CryptoCreateX509Certificate(PCCERT_CONTEXT cert) {
  X509* myX509 = NULL;
  const unsigned char* buffer = cert->pbCertEncoded; /* d2i_X509() advances this pointer, so work on a copy */
  int len = cert->cbCertEncoded;
  /* Only X.509 DER blobs can be parsed by d2i_X509(); PKCS#7 entries are skipped */
  if (cert->dwCertEncodingType & X509_ASN_ENCODING) {
    myX509 = d2i_X509(NULL, &buffer, len);
  }
  return myX509; /* NULL if the blob was not X.509 DER or failed to parse */
}

Frank


On 09/10/2013 16:20, Dr. Stephen Henson wrote:
On Tue, Oct 08, 2013, Perrow, Graeme wrote:

Thanks for your response. I did not know this functionality was in OpenSSL, so 
this may make my work much easier. I have two further questions:

1. Is there any documentation anywhere on this engine? All I've found is a few 
previous postings on this mailing list and a few others on how to configure the 
openssl utility to use it but not 3rd party applications.

2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), 
the ENGINE_load_capi function does not exist in either libeay32.lib or 
ssleay32.lib. I'm guessing it's in capi.dll but I have no idea how to load and 
use it through that interface.

The CAPI engine doesn't support verification through a Windows certificate
store. There are some debugging options which can dump a whole Windows
store to a file which might be of some use, though you can do the same with
the Windows certificate wizards. If that's of interest let me know.

A problem with using the Windows stores is which certificates to actually use.
The stores contain root CAs which should be used only for verification of
servers, clients, email and some other purposes too. I never found out a way
using Windows APIs to extract this information. If someone knows how I'd
appreciate some pointers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org


--
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com
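The same import loop as above, transposed to Python's ssl module as an added example (not code from the thread), because ssl.enum_certificates() exposes exactly the per-certificate trust information Steve asks about: Windows reports each root as trusted either for all purposes (True) or for a set of EKU OIDs, so roots can be filtered by purpose before they are added to the verification store. The store entries in CONSTRUCTED_ENTRIES are made up for the demonstration; enum_certificates() itself only exists on Windows.

```python
"""Import Windows ROOT-store certificates into a Python ssl.SSLContext,
keeping only those the store marks as trusted for the requested purpose."""
import ssl
from typing import Iterable, List, Tuple

# Shape of one ssl.enum_certificates() entry: (DER bytes, encoding name, trust)
StoreEntry = Tuple[bytes, str, object]

# Constructed sample entries (the byte strings are placeholders, not real DER
# certificates); the filter below never parses them, it only reads the trust field.
CONSTRUCTED_ENTRIES: List[StoreEntry] = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                          # trusted for everything
    (b"\x30\x03\x02\x01\x02", "x509_asn", {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"}),  # server + client auth
    (b"\x30\x03\x02\x01\x03", "x509_asn", {"1.3.6.1.5.5.7.3.4"}),        # email protection only
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                        # PKCS#7 blob, not a single cert
]


def select_trusted_roots(entries: Iterable[StoreEntry], purpose_oid: str) -> List[bytes]:
    """Return the DER blobs Windows trusts for purpose_oid (an EKU OID string).

    Trust is True (all purposes) or a set of OIDs; anything that is not a plain
    X.509 blob is skipped because the verification store wants single certificates.
    """
    selected = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        if trust is True or (isinstance(trust, (set, frozenset)) and purpose_oid in trust):
            selected.append(der)
    return selected


def load_windows_roots(ctx: ssl.SSLContext, purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH,
                       store: str = "ROOT") -> int:
    """Pull a Windows store into ctx, like the d2i_X509()/X509_STORE_add_cert() loop.

    Windows only: ssl.enum_certificates() is not available elsewhere.
    Returns the number of roots added.
    """
    roots = select_trusted_roots(ssl.enum_certificates(store), purpose.oid)
    if roots:
        # cadata accepts DER-encoded certificates concatenated back to back
        ctx.load_verify_locations(cadata=b"".join(roots))
    return len(roots)


if __name__ == "__main__":
    context = ssl.create_default_context()
    print(load_windows_roots(context), "roots trusted for server authentication")
```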

