Re: [Bug-wget] Windows cert store support
From: Random Coder
Subject: Re: [Bug-wget] Windows cert store support
Date: Thu, 10 Dec 2015 09:39:08 -0800
On Thu, Dec 10, 2015 at 2:13 AM, Gisle Vanem <address@hidden> wrote:
> it would be nice to know if it succeeded because of WinCrypt or
> OpenSSL.
It succeeded because of both. WinCrypt to load the cert, and OpenSSL
to verify it. With my patch, you can't actually provide certs from
both an OpenSSL store and a Windows store. I suppose I could add some
optional information message when WinCrypt is used. Is there
precedent for such a message?
> How does this prevent an expired cert from being used?
> I see in the 'CERT_INFO' structure a 'NotAfter' member. But this
> struct seems to be supported for WINAPI_PARTITION_APP only :-(
> I assume this could be used to check expired certificates.
The certificate itself contains that information encoded in the
pbCertEncoded data blob. As a quick verification/example, I added the
following bit of code to the loop in my patch that loads the certs.
/* Before the loop */
int pickACert = 0;
/* ... */
/* after the d2i_X509 call */
if (pickACert++ == 42) {
  /* X509_to_PEM returns a malloc'd PEM string (see the StackOverflow
     link below); it must be freed once written out */
  char* certAsString = X509_to_PEM(cert);
  FILE* f = fopen("test.x509.pem", "wb");
  if (certAsString && f)
    fwrite(certAsString, strlen(certAsString), 1, f);
  if (f)
    fclose(f);
  free(certAsString);
}
(I used the X509_to_PEM helper function from this StackOverflow
answer: http://stackoverflow.com/a/23137774 )
That code simply takes the X.509 certificate after OpenSSL has parsed
it, and writes it out into a file.
Then I opened the cert with openssl, using this command to view it in a
human readable format:
openssl x509 -in test.x509.pem -text -noout
Along with the rest of the information in the output is this little
tidbit showing the random cert I picked is expired and OpenSSL should
ignore it:
Validity
Not Before: Apr 9 00:00:00 1996 GMT
Not After : Jan 7 23:59:59 2004 GMT
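As an added illustration of the point made above (the validity period lives inside the DER-encoded pbCertEncoded blob itself, so no separate CERT_INFO field is needed to reject an expired certificate), the following Python script is example code written for this thread, not part of the wget patch or of OpenSSL. It builds a constructed, unsigned sample certificate carrying the exact Not Before / Not After dates shown in the openssl output, walks the DER structure to locate the Validity sequence, and decides whether the certificate is expired. The PEM conversion uses the standard library's ssl.DER_cert_to_PEM_cert, which plays the role of the X509_to_PEM helper; the sample certificate, its subject name and its placeholder key and signature are all made up for the example.

```python
"""Find notBefore/notAfter inside a DER certificate and check expiry.

Example code for the bug-wget thread; the sample certificate is constructed
here (unsigned, placeholder key) and is not a real CA certificate.
"""
import ssl
from datetime import datetime, timezone

# ASN.1 tags used below (universal class, DER)
SEQ, SET, INT, BITSTR, NULL, OID = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06
PRINTABLE, UTCTIME, GENTIME, CTX0 = 0x13, 0x17, 0x18, 0xA0


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def build_sample_cert(not_before, not_after):
    """Constructed sample Certificate (RFC 5280 layout, dummy key/signature)."""
    # sha256WithRSAEncryption 1.2.840.113549.1.1.11 / rsaEncryption 1.2.840.113549.1.1.1
    sig_alg = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + tlv(NULL, b""))
    key_alg = tlv(SEQ, tlv(OID, bytes.fromhex("2a864886f70d010101")) + tlv(NULL, b""))
    # Name: one RDN with commonName (2.5.4.3); made-up value
    name = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, bytes.fromhex("550403"))
                                       + tlv(PRINTABLE, b"Sample expired cert"))))
    validity = tlv(SEQ, tlv(UTCTIME, not_before) + tlv(UTCTIME, not_after))
    spki = tlv(SEQ, key_alg + tlv(BITSTR, b"\x00\x00"))          # placeholder key
    tbs = tlv(SEQ, tlv(CTX0, tlv(INT, b"\x02"))                  # version v3
               + tlv(INT, b"\x01") + sig_alg + name + validity + name + spki)
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00" * 17))   # placeholder signature


# Dates taken from the openssl output quoted in the thread (UTCTime form)
SAMPLE_CERT = build_sample_cert(b"960409000000Z", b"040107235959Z")


def der_children(data):
    """Return [(tag, value), ...] for the elements laid out back to back in data."""
    out, i = [], 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:                       # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        out.append((tag, data[i:i + ln]))
        i += ln
    return out


def parse_time(tag, value):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) to an aware datetime."""
    s = value.decode("ascii")
    if tag == UTCTIME:                      # YYMMDDHHMMSSZ; RFC 5280 4.1.2.5.1 year rule
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != GENTIME:
        raise ValueError(f"not a Time element: tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) read straight out of the DER certificate."""
    cert_tag, cert_body = der_children(der)[0]
    tbs_tag, tbs = der_children(cert_body)[0]
    if cert_tag != SEQ or tbs_tag != SEQ:
        raise ValueError("not a DER Certificate")
    for tag, value in der_children(tbs):    # Validity is the SEQUENCE of two Times
        if tag != SEQ:
            continue
        kids = der_children(value)
        if len(kids) == 2 and all(k[0] in (UTCTIME, GENTIME) for k in kids):
            return parse_time(*kids[0]), parse_time(*kids[1])
    raise ValueError("Validity not found in TBSCertificate")


def is_expired(der, now=None):
    """True when `now` (default: current UTC time) lies outside the validity window."""
    not_before, not_after = certificate_validity(der)
    now = now or datetime.now(timezone.utc)
    return not (not_before <= now <= not_after)


def to_pem(der):
    """Same job as X509_to_PEM in the thread, via the standard library."""
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    nb, na = certificate_validity(SAMPLE_CERT)
    print(f"Not Before: {nb}\nNot After : {na}\nexpired: {is_expired(SAMPLE_CERT)}")
    print(to_pem(SAMPLE_CERT))
```

Running the script prints the 1996 / 2004 window and reports the sample as expired; the same parser works on any DER blob pulled from a CERT_CONTEXT, which is why OpenSSL can reject the certificate without consulting CERT_INFO.NotAfter.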