Can OpenSSL on Windows use the system certificate store?

Question

Some working C++ code that I'm porting from Linux to Windows is failing on windows because SSL_get_verify_result() is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

The code was using SSL_CTX_set_default_verify_paths() on Linux to tell SSL to just look in the standard default locations for the certificate store.

Is it possible to get OpenSSL to use the system certificate store?

Answer 1

I have done it earlier. Hope this helps, if this is exactly what you are looking for.

1. Load your certificate (in PCCERT_CONTEXT structure) from Windows Cert store using Crypto APIs.
2. Get encrypted content of it in binary format as it is. [PCCERT_CONTEXT->pbCertEncoded].
3. Parse this binary buffer into X509 certificate Object using OpenSSL's d2i_X509() method.
4. Get handle to OpenSSL's trust store using SSL_CTX_get_cert_store() method.
5. Load above parsed X509 certificate into this trust store using X509_STORE_add_cert() method.
6. You are done!

Answer 2

For those of you still struggling with this as I have been, here is a sample code to get you started:

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>
#include <iostream>
#include <tchar.h>

#include "openssl\x509.h"

#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "cryptui.lib")

#define MY_ENCODING_TYPE  (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

int main(void)
{
    HCERTSTORE hStore;
    PCCERT_CONTEXT pContext = NULL;
    X509 *x509;
    X509_STORE *store = X509_STORE_new();

    hStore = CertOpenSystemStore(NULL, L"ROOT");

    if (!hStore)
        return 1;

    while (pContext = CertEnumCertificatesInStore(hStore, pContext))
    {
        //uncomment the line below if you want to see the certificates as pop ups
        //CryptUIDlgViewContext(CERT_STORE_CERTIFICATE_CONTEXT, pContext,   NULL, NULL, 0, NULL);

        x509 = NULL;
        x509 = d2i_X509(NULL, (const unsigned char **)&pContext->pbCertEncoded, pContext->cbCertEncoded);
        if (x509)
        {
            int i = X509_STORE_add_cert(store, x509);

            if (i == 1)
                std::cout << "certificate added" << std::endl;

            X509_free(x509);
        }
    }

CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
system("pause");
return 0;

}

Answer 3

Yes

It is possible to use OpenSSL for operation-as-usual, and use CryptoAPI only for the certificate verification process. I see several threads around here on this topic, and most are tiptoed around/through.

With CryptoAPI you have to:

• decode PEM to DER with CryptStringToBinary(),

• create a CERT_CONTEXT object with CertCreateCertificateContext()

• and verify the certificate in this form by well known/documented procedure. (For example here at ETutorials.)

  For last step to work, you also need to initialize HCERTSTORE for one of MY, ROOT, CA system stores, or iterate through them... depending on the behavior you want.

Answer 4

No. Not out of the box.

No it is not possible out of the box. It would require additional programming. With OpenSSL you have two (out of the box) options:

1. Use OpenSSL's own cert store (it is a hierarchy of directories created by perl script provided with OpenSSL)
2. Use only a certificate chain file created by you (it is a text file with all PEM-encoded certificates in a chain of trust). Creating such a file is easy (just appending it)