On Thu, Dec 10, 2015 at 2:13 AM, Gisle Vanem <gva...@yahoo.no> wrote:
> it would be nice to know if it succeeded because of WinCrypt or
> OpenSSL.

It succeeded because of both: WinCrypt to load the cert, and OpenSSL to
verify it. With my patch, you can't actually provide certs from both an
OpenSSL store and a Windows store. I suppose I could add some optional
informational message when WinCrypt is used. Is there precedent for such
a message?

> How does this prevent an expired Cert to be used?
> I see in the 'CERT_INFO' structure a 'NotAfter' member. But this
> struct seems to support for WINAPI_PARTITION_APP only :-(
> I assume this could be used to check expired certificates.

The certificate itself contains that information, encoded in the
pbCertEncoded data blob. As a quick verification/example, I added the
following bit of code to the loop in my patch that loads the certs:

    /* Before the loop */
    int pickACert = 0;

    /* ... */

    /* After the d2i_X509 call: dump the 43rd cert OpenSSL parsed so it
       can be inspected with the openssl command-line tool. */
    if (pickACert++ == 42) {
        /* X509_to_PEM returns a heap-allocated, NUL-terminated PEM string */
        char *certAsString = X509_to_PEM(cert);
        if (certAsString) {
            FILE *f = fopen("test.x509.pem", "wb");
            if (f) {
                fwrite(certAsString, strlen(certAsString), 1, f);
                fclose(f);
            }
            free(certAsString);
        }
    }

(I used the X509_to_PEM helper function from this StackOverflow answer:
http://stackoverflow.com/a/23137774 )

That code simply takes the X509 certificate after OpenSSL has parsed it
and writes it out into a file. Then, opening the cert in openssl using
this command to view it in a human-readable format:

    openssl x509 -in test.x509.pem -text -noout

Along with the rest of the information in the output is this little
tidbit showing the random cert I picked is expired and OpenSSL should
ignore it:

    Validity
        Not Before: Apr 9 00:00:00 1996 GMT
        Not After : Jan 7 23:59:59 2004 GMT
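Added example, not part of the message above nor of the curl patch it discusses: the point being made is that the validity window lives inside the DER blob that WinCrypt returns as pbCertEncoded, so no CERT_INFO field is needed to find it. The code below walks just enough ASN.1 to reach the Validity sequence in a DER certificate, normalises UTCTime/GeneralizedTime to a fixed-width "YYYYMMDDhhmmss" string, and reports whether the certificate is expired at a given UTC instant. It does not use OpenSSL at all. The sample_der array is a constructed, unsigned, syntactically complete certificate carrying the same 1996-04-09 to 2004-01-07 window as the cert dumped in the message; it is not a real certificate, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One decoded ASN.1 TLV: tag, pointer to content, content length. */
struct tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Read one TLV at p (bounded by end). Handles the short and long definite
 * lengths DER uses. Returns the byte after the TLV, NULL if malformed. */
static const unsigned char *read_tlv(const unsigned char *p,
                                     const unsigned char *end, struct tlv *out)
{
    size_t len;
    if (end - p < 2) return NULL;
    out->tag = p[0];
    if (p[1] < 0x80) {
        len = p[1]; p += 2;
    } else {
        unsigned n = p[1] & 0x7f, i;
        if (n == 0 || n > 4 || (size_t)(end - p) < 2 + n) return NULL;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        p += 2 + n;
    }
    if ((size_t)(end - p) < len) return NULL;
    out->val = p; out->len = len;
    return p + len;
}

/* UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (tag 0x18,
 * YYYYMMDDhhmmssZ) -> fixed-width "YYYYMMDDhhmmss", so strcmp() orders by
 * time. RFC 5280: UTCTime years 50..99 mean 19xx, 00..49 mean 20xx. */
static int asn1_time_to_canon(const struct tlv *t, char out[15])
{
    const char *s = (const char *)t->val;
    if (t->tag == 0x17 && t->len == 13 && s[12] == 'Z') {
        int yy = (s[0] - '0') * 10 + (s[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, s, 12);
    } else if (t->tag == 0x18 && t->len == 15 && s[14] == 'Z') {
        memcpy(out, s, 14);
    } else {
        return -1;
    }
    out[14] = '\0';
    return 0;
}

/* Certificate -> tbsCertificate -> [0] version (optional), serialNumber,
 * signature, issuer, validity { notBefore, notAfter }. 0 on success, -1 if
 * the blob is not a DER certificate. */
int x509_der_validity(const unsigned char *der, size_t der_len,
                      char not_before[15], char not_after[15])
{
    const unsigned char *end = der + der_len, *p;
    struct tlv cert, tbs, f, nb, na;

    if (!read_tlv(der, end, &cert) || cert.tag != 0x30) return -1;
    if (!read_tlv(cert.val, cert.val + cert.len, &tbs) || tbs.tag != 0x30) return -1;
    p = tbs.val; end = tbs.val + tbs.len;
    if (!(p = read_tlv(p, end, &f))) return -1;                  /* [0] or serial */
    if (f.tag == 0xA0 && !(p = read_tlv(p, end, &f))) return -1; /* serialNumber */
    if (f.tag != 0x02) return -1;
    if (!(p = read_tlv(p, end, &f)) || f.tag != 0x30) return -1; /* signature */
    if (!(p = read_tlv(p, end, &f)) || f.tag != 0x30) return -1; /* issuer */
    if (!(p = read_tlv(p, end, &f)) || f.tag != 0x30) return -1; /* validity */
    end = f.val + f.len;
    if (!(p = read_tlv(f.val, end, &nb)) || !read_tlv(p, end, &na)) return -1;
    if (asn1_time_to_canon(&nb, not_before) || asn1_time_to_canon(&na, not_after))
        return -1;
    return 0;
}

/* 1 if `when` (YYYYMMDDhhmmss, UTC) lies outside [notBefore, notAfter],
 * 0 if inside, -1 if the blob does not parse. */
int x509_der_expired_at(const unsigned char *der, size_t der_len, const char *when)
{
    char nb[15], na[15];
    if (x509_der_validity(der, der_len, nb, na)) return -1;
    return (strcmp(when, nb) < 0 || strcmp(when, na) > 0) ? 1 : 0;
}

/* Constructed sample, not a real certificate: syntactically complete DER with
 * empty issuer/subject and placeholder key/signature, carrying the same
 * validity window as the cert dumped in the message above. */
const unsigned char sample_der[] = {
  0x30,0x5D, 0x30,0x4B,
    0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,            /* version v3, serial 1 */
    0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, /* sha1WithRSA */
    0x30,0x00,                                            /* issuer: empty Name */
    0x30,0x1E, 0x17,0x0D,'9','6','0','4','0','9','0','0','0','0','0','0','Z',
               0x17,0x0D,'0','4','0','1','0','7','2','3','5','9','5','9','Z',
    0x30,0x00,                                            /* subject: empty Name */
    0x30,0x10,0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,
              0x03,0x01,0x00,                             /* spki placeholder */
  0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, /* sigalg */
  0x03,0x01,0x00 };                                       /* signature placeholder */
const size_t sample_der_len = sizeof sample_der;
```

Calling x509_der_expired_at(sample_der, sample_der_len, "20151210021300") returns 1 (expired at the time of the thread), while "20000101000000" returns 0. In a real loader you would feed it the pbCertEncoded/cbCertEncoded pair of each CERT_CONTEXT and the current UTC time from gmtime(); in the curl case this check is redundant, since OpenSSL's verifier already rejects a chain whose certificates are outside their validity window, which is why the message says OpenSSL "should ignore it".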