
I am trying to implement a multiplatform device/client certificate check in my app. I want to support Windows and Mac, so the common implementation is in C++ with only a small amount of platform-specific code. I also have OpenSSL integrated.

The client certificate is installed in the Windows Personal ("MY") store and, on Mac, in the login keychain.

I have the CA chain in the form of a .pem file.

My plan is to read the issuing (leaf-most) CA certificate from the PEM file with OpenSSL, take its subject name, and use platform-specific code to find the client certificate whose issuer matches it in the device store. Then I want to obtain the context of that client certificate and use OpenSSL to verify it against the CA chain.

The problems for me here are: 1. how to get the leaf CA certificate out of the PEM file, and 2. how to retrieve the public part of the installed client certificate on both Windows and Mac?

Regards, Birajendu

  • I am able to search the client cert from the Personal store by issuer name, and I can get the cert context in the Windows case. – Birajendu Sep 10 '16 at 18:21



Here is the piece of code (Windows side; it runs inside a function returning `bool`, with `tmpCertFile` holding the path of the CA-chain PEM file):

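// Scan the current user's Personal ("MY") store and report whether it holds a
// certificate that chains to the CA bundle in tmpCertFile (a PEM file).
//
// Assumes: this runs inside a function returning bool, and tmpCertFile is a
// std::string in scope. Returns true on the first certificate that verifies,
// false otherwise (including on any setup error).
//
// Security notes:
//  * This proves only that some certificate in the store was issued under the
//    trusted CA chain. It does NOT prove the private key is present
//    (CertEnumCertificatesInStore also returns key-less certificates), so a
//    caller that needs a usable client credential must additionally check for
//    a key, e.g. via CERT_KEY_PROV_INFO_PROP_ID — TODO confirm against caller.
//  * No revocation checking is done (X509_V_FLAG_CRL_CHECK is not set).
//  * The purpose is pinned to SSL client so a cert whose EKU/nsCertType
//    excludes client authentication is not accepted as a "client cert".
bool found = false;

// Deprecated no-op since OpenSSL 1.1.0; kept for older builds.
OpenSSL_add_all_algorithms();

X509_STORE *openssl_store = X509_STORE_new();
if (openssl_store == NULL) {
    printf("Error creating X509_STORE object");
    return false;
}

X509_STORE_CTX *vrfy_ctx = X509_STORE_CTX_new();
if (vrfy_ctx == NULL) {
    printf("X509_STORE_CTX_new failed");
    X509_STORE_free(openssl_store);
    return false;
}

// Load the CA chain (root + intermediates) as trust anchors.
if (X509_STORE_load_locations(openssl_store, tmpCertFile.c_str(), NULL) != 1) {
    printf("Error loading CA cert or chain file");
    X509_STORE_CTX_free(vrfy_ctx);
    X509_STORE_free(openssl_store);
    return false;
}

// Open the current user's Personal certificate store.
HCERTSTORE hStore = CertOpenSystemStore(0, TEXT("MY"));
if (hStore == NULL) {
    // GetLastError() returns DWORD (unsigned long): %lu, not %d.
    printf("CertOpenSystemStore failed, error : %lu", GetLastError());
    X509_STORE_CTX_free(vrfy_ctx);
    X509_STORE_free(openssl_store);
    return false;
}

// Enumerate the store. CertEnumCertificatesInStore frees the previous
// context on each call, so only a context we stop on early must be freed
// by hand (see after the loop).
PCCERT_CONTEXT pCertContext = NULL;
while (!found &&
       (pCertContext = CertEnumCertificatesInStore(hStore, pCertContext)) != NULL) {

    // d2i_X509 advances the pointer it is given; use a copy.
    const unsigned char *cert_data = pCertContext->pbCertEncoded;
    X509 *cert = d2i_X509(NULL, &cert_data, (long)pCertContext->cbCertEncoded);
    if (cert == NULL) {
        // Undecodable entry: skip it rather than verifying a NULL cert.
        continue;
    }

    if (X509_STORE_CTX_init(vrfy_ctx, openssl_store, cert, NULL) == 1) {
        X509_STORE_CTX_set_purpose(vrfy_ctx, X509_PURPOSE_SSL_CLIENT);
        if (X509_verify_cert(vrfy_ctx) == 1) {
            found = true;
        }
        X509_STORE_CTX_cleanup(vrfy_ctx);
    }

    X509_free(cert);
}

// Non-NULL only when the loop stopped on a match (early exit).
if (pCertContext != NULL) {
    CertFreeCertificateContext(pCertContext);
}
CertCloseStore(hStore, CERT_CLOSE_STORE_CHECK_FLAG);
X509_STORE_CTX_free(vrfy_ctx);
X509_STORE_free(openssl_store);

if (found) {
    printf("Matching client certificate found");
}
return found;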