cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Using certificates created from Windows certificate store

From: Alex Loukissas <alex_at_maginatics.com>
Date: Wed, 14 Mar 2012 15:20:45 -0700

Since this has helped me _a lot_, feel free to put this code snippet
on the the libcurl website for others' reference. Feel free to use the
code below. The code below can very easily be extended to handle also
PKCS7 certificates (replacing the X509*** methods with the equivalent
PKCS7***).

Thanks!
Alex

On Tue, Mar 13, 2012 at 8:54 PM, Alex Loukissas <alex_at_maginatics.com> wrote:
> Hi Guenter,
>
> I've actually figured out what was the issue, it was user error :-)
> Here's the snippet of code I used:
>
> int writePubKey(const unsigned char* input, int length, FILE* fp) {
>    int status = 0;
>    X509* x = NULL;
>
>    // Create a new empty X509 object.
>    x = X509_new();
>    if (x == NULL) {
>        goto exit;
>    }
>
>    // Decode the X.509 certificate
>    d2i_X509(&x, &input, length);
>
>    // Write the decoded certificate to the file
>    PEM_write_X509(fp, x);
> exit:
>    if (x != NULL) {
>        X509_free(x);
>    }
>    return status;
> }
>
> I call the above method like below:
>
> PCCERT_CONTEXT pCertCtx;
> FILE* fp;
> int status = writePubKey(pCertCtx->pbCertEncoded, pCertCtx->cbCertEncoded, fp);
>
> Folks can find more info on PCCERT_CONTEXT and how to interact with
> the Certificate Store from the crypt32 API:
> http://msdn.microsoft.com/en-us/library/ms867086.aspx
>
> Thanks for your help!
> Alex
>
> On Tue, Mar 13, 2012 at 6:15 PM, Guenter <lists_at_gknw.net> wrote:
>>
>> Hi Alex,
>> Am 13.03.2012 19:22, schrieb Alex Loukissas:
>>
>>> I've been trying to remove the requirement of having to bundle a
>>> certificate file, as described here
>>> [http://curl.haxx.se/docs/caextract.html], by using the appropriate
>>> methods from openSSL to extract certificates from the Windows
>>> certificate store. However, when trying to replace the ca-bundle.crt
>>> with the file that my code creates, curl throws me an error:
>>>
>>> Error: [77] - error setting certificate verify locations:
>>> CAfile: C:\Program Files\Client\ca-bundle.crt
>>> CApath: none
>>>
>>> Any idea of what I could be missing here? I'll briefly describe what I'm
>>> doing below so that readers have a clearer picture:
>>
>> I believe the easiest way to find out would be to compare the results of your file against one created by our tools; problems like these might be related to f.e. different char enconding ...
>>
>>
>>> 1. Use the crypt32 API to open the certificate store and iterate through
>>> the installed certificates. Of these, I only use the ones with "Enhanced
>>> Key Usage" is Client Authentication or Server Authentication or All
>>> (i.e. discarding those with timestamp signing, etc), and of course those
>>> which aren't expired.
>>> 2. Use the X.509 and PEM API from openSSL to decode these certificates
>>> and write the public key portion of them to the generated file.
>>>
>>> Any ideas? I really doubt that Windows-bundled certificates (they come
>>> from Verisign, Thawte, etc) aren't valid for common use. If this works,
>>> it would nicely eliminate the pain of having to bundle up certificate
>>> files with apps using cURL and I'd be happy to share the complete code.
>>
>> You dont have to bundle ca-files but can always let the user create fresh ones self with the scripts we provide for this; but nevertheless I'm interested into your code, and probably I can narrow doen the issue you see, so are you willing to share it with us? Either send it to me directly, or attach it here as file if you want to let others play wih it too.
>>
>> thanks, Gün.
>>
>>
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>> Etiquette:  http://curl.haxx.se/mail/etiquette.html
>
>
>
>
> --
> Alex Loukissas
> Member of Technical Staff - Maginatics, Inc.
> www.maginatics.com

-- 
Alex Loukissas
Member of Technical Staff - Maginatics, Inc.
www.maginatics.com
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-03-14