Can OpenSSL on Windows use the system certificate store?
Some working C++ code that I'm porting from Linux to Windows is failing on Windows because SSL_get_verify_result() is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
The code was using SSL_CTX_set_default_verify_paths() on Linux to tell SSL to just look in the standard default locations for the certificate store.
Is it possible to get OpenSSL to use the system certificate store?
I have done it earlier. Hope this helps, if this is exactly what you are looking for.

1. Load your certificate (in a PCCERT_CONTEXT structure) from the Windows cert store using the Crypto APIs.
2. Get the encoded content from it as a binary buffer [PCCERT_CONTEXT->pbCertEncoded].
3. Parse this binary buffer into an X509 certificate object using the d2i_X509() method.
4. Get a handle to OpenSSL's trust store using the SSL_CTX_get_cert_store() method.
5. Load the X509 certificate parsed above into this trust store using the X509_STORE_add_cert() method.

For those of you still struggling with this as I have been, here is some sample code to get you started:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>
#include <iostream>
#include <tchar.h>
#include <openssl/x509.h>
#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "cryptui.lib")

#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

int main(void)
{
    HCERTSTORE hStore;
    PCCERT_CONTEXT pContext = NULL;
    X509 *x509;
    // Standalone demo store. In a real client use the SSL_CTX's own trust store instead:
    //   X509_STORE *store = SSL_CTX_get_cert_store(ctx);
    X509_STORE *store = X509_STORE_new();

    // Open the "ROOT" system store (trusted root CAs). The W variant avoids depending on UNICODE being defined.
    hStore = CertOpenSystemStoreW(0, L"ROOT");
    if (!hStore)
        return 1;

    // CertEnumCertificatesInStore frees the previously returned context on each call.
    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL)
    {
        //uncomment the line below if you want to see the certificates as pop ups
        //CryptUIDlgViewContext(CERT_STORE_CERTIFICATE_CONTEXT, pContext, NULL, NULL, 0, NULL);

        // d2i_X509 advances the pointer it is given, so pass a local copy rather than
        // &pContext->pbCertEncoded (which would corrupt the CERT_CONTEXT).
        const unsigned char *der = pContext->pbCertEncoded;
        x509 = d2i_X509(NULL, &der, pContext->cbCertEncoded);
        if (x509)
        {
            // Returns 1 on success; older OpenSSL returns 0 if the cert is already in the store.
            int i = X509_STORE_add_cert(store, x509);
            if (i == 1)
                std::cout << "certificate added" << std::endl;
            X509_free(x509); // the store holds its own reference
        }
    }
    CertFreeCertificateContext(pContext); // pContext is NULL here; harmless
    CertCloseStore(hStore, 0);
    X509_STORE_free(store);
    system("pause");
    return 0;
}
No, it is not possible out of the box. It would require additional programming. With OpenSSL you have two (out of the box) options:
It is possible to use OpenSSL for operation-as-usual, and use CryptoAPI only for the certificate verification process. I see several threads around here on this topic, and most are tiptoed around/through.

With CryptoAPI you have to:

1. decode PEM to DER with CryptStringToBinary(),
2. create a CERT_CONTEXT object with CertCreateCertificateContext(),
3. and verify the certificate in this form by the well-known/documented procedure (for example here at ETutorials).

For the last step to work, you also need to initialize an HCERTSTORE for one of the MY, ROOT, CA system stores, or iterate through them... depending on the behavior you want.
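The first step of the CryptoAPI route above (decoding PEM to DER, which CryptStringToBinary() does when called with CRYPT_STRING_BASE64HEADER), written in portable standard C++ as an added example that is not part of any answer on this page. It also performs the check a practitioner wants before handing the buffer to CertCreateCertificateContext() or d2i_X509(): that the decoded bytes are exactly one complete DER SEQUENCE, which catches truncated input that a bare base64 decoder accepts silently. The function names and the sample PEM (a constructed 8-byte toy SEQUENCE, not a real certificate) are this example's own assumptions.

```cpp
// Added example: portable PEM -> DER decoding plus a DER framing check.
// Function names and the sample inputs below are this example's own (assumed);
// they are not CryptoAPI or OpenSSL calls.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Decode base64 text, tolerating line breaks and spaces. Throws on malformed input.
static std::vector<uint8_t> base64_decode(const std::string& in) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::vector<uint8_t> out;
    uint32_t acc = 0;
    int bits = 0, pad = 0;
    for (char c : in) {
        if (c == '\r' || c == '\n' || c == ' ' || c == '\t') continue;
        if (c == '=') { ++pad; continue; }
        if (pad) throw std::runtime_error("base64: data after padding");
        const char* p = c ? std::strchr(tbl, c) : nullptr;
        if (!p) throw std::runtime_error("base64: invalid character");
        acc = ((acc << 6) | static_cast<uint32_t>(p - tbl)) & 0xFFFFFF;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF));
        }
    }
    if (pad > 2) throw std::runtime_error("base64: too much padding");
    return out;
}

// Extract the body between "-----BEGIN <label>-----" and "-----END <label>-----"
// and base64-decode it: the CRYPT_STRING_BASE64HEADER behaviour of
// CryptStringToBinary(), done without CryptoAPI.
std::vector<uint8_t> pem_to_der(const std::string& pem,
                                const std::string& label = "CERTIFICATE") {
    const std::string begin = "-----BEGIN " + label + "-----";
    const std::string end = "-----END " + label + "-----";
    const size_t b = pem.find(begin);
    if (b == std::string::npos) throw std::runtime_error("PEM: BEGIN marker not found");
    const size_t body = b + begin.size();
    const size_t e = pem.find(end, body);
    if (e == std::string::npos) throw std::runtime_error("PEM: END marker not found");
    return base64_decode(pem.substr(body, e - body));
}

// True if `der` is exactly one complete DER SEQUENCE (tag 0x30) whose encoded
// length matches the buffer size. A certificate must pass this before it is
// worth calling CertCreateCertificateContext() or d2i_X509() on it.
bool der_is_complete_sequence(const std::vector<uint8_t>& der) {
    if (der.size() < 2 || der[0] != 0x30) return false;
    size_t len = der[1], hdr = 2;
    if (der[1] & 0x80) {                      // long form: 0x8N then N length bytes
        const size_t n = der[1] & 0x7F;
        if (n == 0 || n > 4 || der.size() < 2 + n) return false;
        len = 0;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | der[2 + i];
        hdr = 2 + n;
    }
    return hdr + len == der.size();
}

// Constructed sample: the DER bytes 30 06 02 01 05 02 01 07 (a SEQUENCE of two
// INTEGERs) wrapped in CERTIFICATE markers. Not a real certificate.
const std::string kSamplePem =
    "-----BEGIN CERTIFICATE-----\n"
    "MAYCAQUCAQc=\n"
    "-----END CERTIFICATE-----\n";

// Same blob with its last byte cut off: valid base64, but an incomplete SEQUENCE.
const std::string kTruncatedPem =
    "-----BEGIN CERTIFICATE-----\n"
    "MAYCAQUCAQ==\n"
    "-----END CERTIFICATE-----\n";

int main() {
    const std::vector<uint8_t> ok = pem_to_der(kSamplePem);
    const std::vector<uint8_t> bad = pem_to_der(kTruncatedPem);
    std::cout << "sample: " << ok.size() << " bytes, complete SEQUENCE: "
              << (der_is_complete_sequence(ok) ? "yes" : "no") << "\n";
    std::cout << "truncated: " << bad.size() << " bytes, complete SEQUENCE: "
              << (der_is_complete_sequence(bad) ? "yes" : "no") << "\n";
    return (der_is_complete_sequence(ok) && !der_is_complete_sequence(bad)) ? 0 : 1;
}
```

On Windows the decoded vector is what you hand to CertCreateCertificateContext(X509_ASN_ENCODING, der.data(), (DWORD)der.size()); on the OpenSSL side it is the same buffer d2i_X509() expects (pass it a local copy of the pointer, since d2i_X509() advances the pointer it is given).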