Windows上的OpenSSL可以使用系统证书存储吗？

Question

Some working C++ code that I'm porting from Linux to Windows is failing on windows because SSL_get_verify_result() is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY .

The code was using SSL_CTX_set_default_verify_paths() on Linux to tell SSL to just look in the standard default locations for the certificate store.

Is it possible to get OpenSSL to use the system certificate store?

Answer 1

I have done it earlier. Hope this helps, if this is exactly what you are looking for.

1. Load your certificate (in PCCERT_CONTEXT structure) from Windows Cert store using Crypto APIs.
2. Get encrypted content of it in binary format as it is. [ PCCERT_CONTEXT->pbCertEncoded ].
3. Parse this binary buffer into X509 certificate Object using OpenSSL's d2i_X509() method.
4. Get handle to OpenSSL's trust store using SSL_CTX_get_cert_store() method.
5. Load above parsed X509 certificate into this trust store using X509_STORE_add_cert() method.
6. You are done!

Answer 2

For those of you still struggling with this as I have been, here is a sample code to get you started:

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>
#include <iostream>
#include <tchar.h>

#include "openssl\x509.h"

#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "cryptui.lib")

#define MY_ENCODING_TYPE  (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

int main(void)
{
    HCERTSTORE hStore;
    PCCERT_CONTEXT pContext = NULL;
    X509 *x509;
    X509_STORE *store = X509_STORE_new();

    hStore = CertOpenSystemStore(NULL, L"ROOT");

    if (!hStore)
        return 1;

    while (pContext = CertEnumCertificatesInStore(hStore, pContext))
    {
        //uncomment the line below if you want to see the certificates as pop ups
        //CryptUIDlgViewContext(CERT_STORE_CERTIFICATE_CONTEXT, pContext,   NULL, NULL, 0, NULL);

        x509 = NULL;
        x509 = d2i_X509(NULL, (const unsigned char **)&pContext->pbCertEncoded, pContext->cbCertEncoded);
        if (x509)
        {
            int i = X509_STORE_add_cert(store, x509);

            if (i == 1)
                std::cout << "certificate added" << std::endl;

            X509_free(x509);
        }
    }

CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
system("pause");
return 0;

}

Answer 3

No. Not out of the box.

No it is not possible out of the box. It would require additional programming. With OpenSSL you have two (out of the box) options:

1. Use OpenSSL's own cert store (it is a hierarchy of directories created by perl script provided with OpenSSL)
2. Use only a certificate chain file created by you (it is a text file with all PEM-encoded certificates in a chain of trust). Creating such a file is easy (just appending it)

Answer 4

Yes

It is possible to use OpenSSL for operation-as-usual, and use CryptoAPI only for the certificate verification process. I see several threads around here on this topic, and most are tiptoed around/through.

With CryptoAPI you have to:

• decode PEM to DER with CryptStringToBinary() ,
• create a CERT_CONTEXT object with CertCreateCertificateContext()

• and verify the certificate in this form by well known/documented procedure. (For example here at ETutorials .)

  For last step to work, you also need to initialize HCERTSTORE for one of MY , ROOT , CA system stores, or iterate through them... depending on the behavior you want.