Hi,

I tried to use Windows CryptoAPI functions to dump the certificates to a PEM
file. OpenSSL seems to be able to load the PEM file and works correctly.

The code is like this:

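// Writes every certificate of hStore to stdout as a PEM block.
// CertEnumCertificatesInStore releases the previous context on each call
// (per the CryptoAPI docs), so no explicit free is needed as long as the
// loop runs to completion; an early exit would have to free pCertCtx itself.
static void DumpCertificates(HCERTSTORE hStore)
{
  for ( PCCERT_CONTEXT pCertCtx = CertEnumCertificatesInStore(hStore, NULL);
        pCertCtx != NULL;
        pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx) )
  {
    // NOTE(review): pbCertEncoded is the DER certificate whatever encoding
    // flags the context carries; labelling it "PKCS7" when the PKCS_7 flag is
    // set looks suspect and would make OpenSSL mis-parse the block -- confirm.
    OutputType const outputType =
      IsPKCS7(pCertCtx->dwCertEncodingType) ? PKCS7 : Certificate;
    DisplayPEM(outputType, pCertCtx->pbCertEncoded, pCertCtx->cbCertEncoded);
  }
}

// Writes every CRL of hStore to stdout as a PEM block; same lifetime rule
// for pCrlCtx as in DumpCertificates.
static void DumpCRLs(HCERTSTORE hStore)
{
  for ( PCCRL_CONTEXT pCrlCtx = CertEnumCRLsInStore(hStore, NULL);
        pCrlCtx != NULL;
        pCrlCtx = CertEnumCRLsInStore(hStore, pCrlCtx) )
  {
    OutputType const outputType =
      IsPKCS7(pCrlCtx->dwCertEncodingType) ? PKCS7 : X509CRL;
    DisplayPEM(outputType, pCrlCtx->pbCrlEncoded, pCrlCtx->cbCrlEncoded);
  }
}

// certsync [store]: dumps the certificates and CRLs of the named Windows
// system store (e.g. "ROOT", "CA") as PEM blocks on stdout.
// Returns 0 on success, 1 when the store cannot be opened.
int _tmain(int argc, _TCHAR* argv[])
{
  if ( argc == 1 )
  {
    std::cout << "certsync [store]" << endl;
    return 0;
  }

  HCERTSTORE const hStore = CertOpenSystemStore(NULL, argv[1]);
  // A NULL handle (unknown store name, access denied) must not be handed to
  // the enumeration functions; report it instead of silently printing nothing.
  if ( hStore == NULL )
  {
    std::cerr << "certsync: cannot open store (error " << GetLastError() << ")"
              << endl;
    return 1;
  }

  DumpCertificates(hStore);
  DumpCRLs(hStore);

  CertCloseStore(hStore, 0);
  return 0;
}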


Some helper functions are like this:

// Kind of object a PEM block carries; GetTypeName maps each value to the
// label used in the "-----BEGIN ...-----" line.
enum OutputType
{
  Unknown,      // no PEM label; DisplayPEM writes nothing for it
  Certificate,  // "CERTIFICATE"
  PKCS7,        // "PKCS7"
  X509CRL,      // "X509 CRL"
};

/// Returns the PEM label for @p type: "CERTIFICATE", "PKCS7" or "X509 CRL".
/// @return NULL for Unknown; any other value is a programming error (asserts
///         in debug builds, returns NULL otherwise).
char const* GetTypeName(OutputType type)
{
  if ( type == Certificate )
    return "CERTIFICATE";
  if ( type == PKCS7 )
    return "PKCS7";
  if ( type == X509CRL )
    return "X509 CRL";
  if ( type == Unknown )
    return NULL;

  // Every enumerator is handled above; reaching this point means a value
  // outside the enum was passed.
  assert(false);
  return NULL;
}

/// True when @p encodeType has the PKCS_7_ASN_ENCODING flag set.
bool IsPKCS7(DWORD encodeType)
{
  DWORD const mask = PKCS_7_ASN_ENCODING;
  DWORD const masked = encodeType & mask;
  return masked == mask;
}

/// Writes one PEM block for @p pData (@p cbLength bytes) to stdout:
/// a BEGIN line, the base64 body, an END line. Writes nothing when
/// @p outputType has no PEM label (GetTypeName returns NULL).
void DisplayPEM(OutputType outputType, BYTE const* pData, DWORD cbLength)
{
  char const* const label = GetTypeName(outputType);
  if ( label == NULL )
    return;

  std::cout << "-----BEGIN " << label << "-----" << endl;
  // NOTE(review): RFC 7468 generators wrap the body at 64 columns; whether
  // base64_Encode does so is not visible here -- check if readers other than
  // OpenSSL are expected to consume the output.
  std::cout << base64_Encode(pData, cbLength) << endl;
  std::cout << "-----END " << label << "-----" << endl;
}


On Nov 23, 2007 8:29 PM, Dave Bound <[EMAIL PROTECTED]> wrote:
>
>
> Hi
>
> I ship my own PEM file "cacerts.pem" containing trusted certificates with
> my application. Then, I use "SSL_CTX_load_verify_locations" to tell OpenSSL
> to use cacerts.pem during certificate verification.
>
> However, given that Windows already has a certificate store (Control
> Panel->Internet Options-> Content Tab->Certificates), I'm wondering
> whether there is a way to tell OpenSSL to look here instead. This would
> mean I would not need to ship my own PEM file.
>
> Any help appreciated.
>
> Thanks
>
> Dave
