
On 09-Jul-2017 12:45 PM, "Richard Levitte" <levi...@openssl.org> wrote:

In message <CAKH_Ld4faVY8v9RY=OdfZzukHt7APQz5mV_qmsbGgyDhheb1HA@mail.gmail.com> on Sat, 8 Jul 2017 23:22:28 -0400, Matthew Stickney <mtstick...@gmail.com> said:

mtstickney> Back in 2010, there was some discussion on this list of adding code to
mtstickney> load certificates from the system cert store on Windows by default,
mtstickney> since the default verification paths typically don't point to anything
mtstickney> (this was ticket #2158, which was ultimately rejected). I have some
mtstickney> interest in picking up where this was left off, but I'm a little out
mtstickney> of my depth and have some questions.
mtstickney>
mtstickney> Last time around, the sticking point was certificate purposes: we
mtstickney> don't want to add a certificate that's only trusted for client
mtstickney> authentication as trusted for server authentication. I still need to
mtstickney> figure out how to extract purposes from the windows certs, but I'm
mtstickney> also having a hard time seeing how you'd set x509 purposes in openssl.
mtstickney> Where should I be looking?

I don't know the Windows cert API enough to know if there are
purpose settings outside of the cert itself, so I won't be able to
answer that.

However, in the cert itself, there may be an extension called Extended
Key Usage.  Have a look at RFC 5280, 4.2.1.12 [0] for more info on
them.  You set them like any other extension, when creating a cert.

Also, regarding retrieving arbitrary stuff (like certificates) from
arbitrary sources (such as the system cert store), I'd like to point
out the CAPI engine (engines/e_capi.c), which does have such
functionality (it's quite a hack, in the most positive sense of the
word), and to the recently added OSSL_STORE module (which was created
for exactly this sort of purpose).  The latter is still evolving, but
the base line is in place.

Cheers,
Richard

-----
[0] https://tools.ietf.org/html/rfc5280#section-4.2.1.12

--
Richard Levitte         levi...@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
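As an added illustration of the purpose distinction discussed in this thread (example code, not from the thread and not OpenSSL's own): a small shell script that creates two self-signed certificates, one whose Extended Key Usage says serverAuth and one that says clientAuth only, and shows that OpenSSL's -purpose check accepts each only for its own role. It assumes an openssl CLI of 1.1.1 or later (for -addext); the subjects and file names are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): two self-signed test certs, one with
# Extended Key Usage serverAuth and one with clientAuth only, checked against
# OpenSSL's "sslserver" and "sslclient" purposes. Requires the openssl CLI
# (1.1.1+ for -addext); subjects and file names are constructed for this demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: self-signed cert carrying the given extendedKeyUsage
# value (set at creation time, like any other extension).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -addext "extendedKeyUsage=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# eku_of CERT: print the EKU values as OpenSSL renders them (one per line).
eku_of() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage |
    sed -n '2,$s/^[[:space:]]*//p'
}

# purpose_ok CERT PURPOSE: exit 0 if the cert passes `openssl verify -purpose`.
# The cert is its own trust anchor here, so the only thing that can fail is
# the purpose check (X509_V_ERR_INVALID_PURPOSE, "unsupported certificate
# purpose"), which is what an EKU mismatch triggers.
purpose_ok() {
  openssl verify -purpose "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

make_cert server serverAuth
make_cert client clientAuth

for name in server client; do
  cert="$WORK/$name.pem"
  echo "$name: EKU=$(eku_of "$cert")"
  for p in sslserver sslclient; do
    if purpose_ok "$cert" "$p"; then echo "  $p: OK"; else echo "  $p: rejected"; fi
  done
done
```

The clientAuth-only cert is exactly the case the thread worries about: imported into a trust store without its purpose, it would be accepted for server authentication, whereas the purpose check above rejects it.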