Re: [openssl-dev] Windows system cert store

2017-07-09 Thread Matthew Stickney
The Certificate Manager in Windows does allow you to change the trust
settings for root certs (including the purposes reported by openssl
x509 -purpose), although those changes don't appear to be reflected in
the cert dumped from the store (so they must be stored externally).

I think the original concern could have been one of two things (or
possibly both): 1) assuming the cert itself has purpose information,
that needs to be reflected in its use after being added to the cert
store (I assume the verification code is already checking this if it's
a property of the cert), or 2) that a user's choice to (un-)trust
certain certificates is respected, however unusual. I'm not aware of
any facility on Linux to modify the trust status of certs, so I think
this is an issue unique to Windows.

-Matt Stickney

On Sun, Jul 9, 2017 at 7:08 AM, Kurt Roeckx wrote:
> On Sun, Jul 09, 2017 at 09:15:32AM +0200, Richard Levitte wrote:
>> In message 
>> 

Re: [openssl-dev] Windows system cert store

2017-07-09 Thread Kurt Roeckx
On Sun, Jul 09, 2017 at 09:15:32AM +0200, Richard Levitte wrote:
> In message 
> 

Re: [openssl-dev] Windows system cert store

2017-07-09 Thread Brad House via openssl-dev

On 7/8/17 11:22 PM, Matthew Stickney wrote:
> Back in 2010, there was some discussion on this list of adding code to
> load certificates from the system cert store on Windows by default,
> since the default verification paths typically don't point to anything
> (this was ticket #2158, which was ultimately rejected). I have some
> interest in picking up where this was left off, but I'm a little out
> of my depth and have some questions.
>
> Last time around, the sticking point was certificate purposes: we
> don't want to add a certificate that's only trusted for client
> authentication as trusted for server authentication. I still need to
> figure out how to extract purposes from the windows certs, but I'm
> also having a hard time seeing how you'd set x509 purposes in openssl.
> Where should I be looking?
>
> -Matt Stickney

I remember seeing that discussion. I'm not sure if additional certificate
validation is necessary if you're just enumerating the ROOT certificate
store in Windows.

Here's code we use; obviously it would be good to know if this isn't
correct for some reason from a security perspective:

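#include <windows.h>
#include <wincrypt.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Load every certificate in the Windows "ROOT" system store into ctx's
 * X509_STORE. Returns 1 if at least one certificate was added, else 0. */
int SSL_CTX_load_os_trust(SSL_CTX *ctx)
{
    HCERTSTORE      hStore;
    PCCERT_CONTEXT  pContext = NULL;
    X509_STORE     *store;
    size_t          count    = 0;

    if (ctx == NULL)
        return 0;

    hStore = CertOpenSystemStore(0, "ROOT");
    if (hStore == NULL)
        return 0;

    store = SSL_CTX_get_cert_store(ctx);

    /* Each call frees the previous context and returns the next one */
    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
        /* d2i_X509() advances the pointer it is given, so pass a copy */
        const unsigned char *der = pContext->pbCertEncoded;
        X509 *x509 = d2i_X509(NULL, &der, (long)pContext->cbCertEncoded);
        if (x509) {
            if (X509_STORE_add_cert(store, x509))
                count++;
            X509_free(x509);
        }
    }

    /* pContext is NULL once the loop ends, so this call is a no-op */
    CertFreeCertificateContext(pContext);
    CertCloseStore(hStore, 0);

    if (!count)
        return 0;
    return 1;
}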

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
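
The following added example, which is not code from any participant in this thread or from OpenSSL, shows one way to address the purpose concern raised above: checking a Windows store entry's enhanced key usage for server authentication before treating it as a trust anchor. The helper names `eku_allows_server_auth` and `win_root_ok_for_server_auth` are hypothetical, and the Windows wrapper is compiled only when `_WIN32` is defined.

```c
#include <stddef.h>
#include <string.h>

#define OID_SERVER_AUTH "1.3.6.1.5.5.7.3.1" /* szOID_PKIX_KP_SERVER_AUTH */

/* Hypothetical helper: interpret a CertGetEnhancedKeyUsage() result.
 * An empty list means "all uses" only when the API reported
 * CRYPT_E_NOT_FOUND (no EKU extension or property); otherwise "no uses". */
int eku_allows_server_auth(const char *const *oids, size_t n, int not_found)
{
    size_t i;

    if (n == 0)
        return not_found ? 1 : 0;
    for (i = 0; i < n; i++)
        if (oids[i] != NULL && strcmp(oids[i], OID_SERVER_AUTH) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <stdlib.h>

/* Hypothetical wrapper (Windows only): 1 if the store entry may anchor
 * server authentication, 0 otherwise. Fails closed on unexpected errors. */
int win_root_ok_for_server_auth(PCCERT_CONTEXT pContext)
{
    PCERT_ENHKEY_USAGE usage;
    DWORD cb = 0;
    int ok = 0;

    /* dwFlags 0: usages from both the EKU extension and the EKU property */
    if (!CertGetEnhancedKeyUsage(pContext, 0, NULL, &cb))
        return GetLastError() == CRYPT_E_NOT_FOUND;
    usage = (PCERT_ENHKEY_USAGE)malloc(cb);
    if (usage == NULL)
        return 0;
    if (CertGetEnhancedKeyUsage(pContext, 0, usage, &cb))
        ok = eku_allows_server_auth(
            (const char *const *)usage->rgpszUsageIdentifier,
            usage->cUsageIdentifier, GetLastError() == CRYPT_E_NOT_FOUND);
    else
        ok = (GetLastError() == CRYPT_E_NOT_FOUND);
    free(usage);
    return ok;
}
#endif
```

In an enumeration loop like the one posted above, the wrapper would be called on each `pContext` and only entries for which it returns 1 passed to `X509_STORE_add_cert()`.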


Re: [openssl-dev] Windows system cert store

2017-07-09 Thread Alok Sharma
Ljkikh9

On 09-Jul-2017 12:45 PM, "Richard Levitte" wrote:

In message 

Re: [openssl-dev] Windows system cert store

2017-07-09 Thread Richard Levitte
In message