Using Windows certificate store through OpenSSL


Using Windows certificate store through OpenSSL

gperrow

I’d like to add the ability for my (client) application to use the Windows certificate store to verify a server’s certificate during an SSL handshake. I’ve created a callback and set it using SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information about the server’s certificate and can also enumerate through the certificates in the certificate store.

 

But then what? Is there a way to tell OpenSSL “Please verify the server’s certificate using this trusted certificate”? In the case when the client supplies the trusted certificate in advance, I can pass it to X509_STORE_add_cert before the handshake but can I do that *during* the handshake? Can I simply get the PEM / DER information for both certificates and memcpy them?

 

Thanks for any advice

Graeme Perrow

 


Re: Using Windows certificate store through OpenSSL

Jan Just Keijser-2
Perrow, Graeme wrote:

> I’d like to add the ability for my (client) application to use the Windows certificate store to verify a server’s certificate during an SSL handshake. I’ve created a callback and set it using SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information about the server’s certificate and can also enumerate through the certificates in the certificate store.
>
> But then what? Is there a way to tell OpenSSL “Please verify the server’s certificate using this trusted certificate”? In the case when the client supplies the trusted certificate in advance, I can pass it to X509_STORE_add_cert before the handshake but can I do that *during* the handshake? Can I simply get the PEM / DER information for both certificates and memcpy them?


wasn't support for this added via the crypto engine 'capieng' ? Rebuild openssl using
  ./config enable-capieng

and use the CAPI engine.

HTH,

JJK


RE: Using Windows certificate store through OpenSSL

gperrow

Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:

 

1. Is there any documentation anywhere on this engine? All I’ve found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it but not 3rd party applications.

 

2. If I’m building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I’m guessing it’s in capi.dll but I have no idea how to load and use it through that interface.

 

Graeme

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jan Just Keijser
Sent: Monday, October 07, 2013 10:38 AM
To: [hidden email]
Subject: Re: Using Windows certificate store through OpenSSL

 

> Perrow, Graeme wrote:
>
>> I’d like to add the ability for my (client) application to use the Windows certificate store to verify a server’s certificate during an SSL handshake. I’ve created a callback and set it using SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information about the server’s certificate and can also enumerate through the certificates in the certificate store.
>>
>> But then what? Is there a way to tell OpenSSL “Please verify the server’s certificate using this trusted certificate”? In the case when the client supplies the trusted certificate in advance, I can pass it to X509_STORE_add_cert before the handshake but can I do that *during* the handshake? Can I simply get the PEM / DER information for both certificates and memcpy them?
>
> wasn't support for this added via the crypto engine 'capieng' ? Rebuild openssl using
>   ./config enable-capieng
>
> and use the CAPI engine.
>
> HTH,
>
> JJK


Re: Using Windows certificate store through OpenSSL

Dr. Stephen Henson
On Tue, Oct 08, 2013, Perrow, Graeme wrote:

> Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:
>
> 1. Is there any documentation anywhere on this engine? All I've found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it but not 3rd party applications.
>
> 2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I'm guessing it's in capi.dll but I have no idea how to load and use it through that interface.
>

The CAPI engine doesn't support verification through a Windows certificate
store. There are some debugging options which can dump a whole Windows
store to a file which might be of some use, though you can do the same with
the Windows certificate wizards. If that's of interest let me know.

A problem with using the Windows stores is which certificates to actually use.
The stores contain root CAs which should be used only for verification of
servers, clients, email and some other purposes too. I never found out a way
using Windows APIs to extract this information. If someone knows how I'd
appreciate some pointers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: Using Windows certificate store through OpenSSL

Brad House-2
On 10/9/13 10:20 AM, Dr. Stephen Henson wrote:

> The CAPI engine doesn't support verification through a Windows certificate
> store. There are some debugging options which can dump a whole Windows
> store to a file which might be of some use, though you can do the same with
> the Windows certificate wizards. If that's of interest let me know.
>
> A problem with using the Windows stores is which certificates to actually use.
> The stores contain root CAs which should be used only for verification of
> servers, clients, email and some other purposes too. I never found out a way
> using Windows APIs to extract this information. If someone knows how I'd
> appreciate some pointers.

I was researching that a while back and came across this discussion chain:
http://www.mail-archive.com/openssl-dev@.../msg26958.html

It appears an RT ticket with patch was filed here:
http://rt.openssl.org/Ticket/Display.html?id=2158

I believe it contains the info you're looking for.

-Brad

Re: Using Windows certificate store through OpenSSL

Frank Gross
In reply to this post by Dr. Stephen Henson
To use the Windows keystore in openssl, I did the following:

  At application startup, I use the windows API to get all trusted
certificates from Key store. Then for each of them, I create the openssl
X509 one via d2i_X509() and register it into the openssl store via
X509_STORE_add_cert().

Sample to convert a Windows certificate to an OpenSSL X509 one:

#include <windows.h>
#include <wincrypt.h>
#include <openssl/x509.h>

X509* CryptoCreateX509Certificate(PCCERT_CONTEXT cert) {
   X509* myX509=NULL;
   /* d2i_X509 advances the input pointer, so work on a copy of pbCertEncoded */
   const unsigned char* buffer=cert->pbCertEncoded;
   long len=cert->cbCertEncoded;
   if (cert->dwCertEncodingType&X509_ASN_ENCODING) {
     myX509=d2i_X509(NULL,&buffer,len);   /* NULL if the DER is malformed */
   }
   return myX509;   /* X509_STORE_add_cert() takes its own reference; X509_free() this one afterwards */
}

Frank


On 09/10/2013 16:20, Dr. Stephen Henson wrote:

> On Tue, Oct 08, 2013, Perrow, Graeme wrote:
>
>> Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:
>>
>> 1. Is there any documentation anywhere on this engine? All I've found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it but not 3rd party applications.
>>
>> 2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I'm guessing it's in capi.dll but I have no idea how to load and use it through that interface.
>>
> The CAPI engine doesn't support verification through a Windows certificate
> store. There are some debugging options which can dump a whole Windows
> store to a file which might be of some use, though you can do the same with
> the Windows certificate wizards. If that's of interest let me know.
>
> A problem with using the Windows stores is which certificates to actually use.
> The stores contain root CAs which should be used only for verification of
> servers, clients, email and some other purposes too. I never found out a way
> using Windows APIs to extract this information. If someone knows how I'd
> appreciate some pointers.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

--
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com


Re: Using Windows certificate store through OpenSSL

Dr. Stephen Henson
On Wed, Oct 09, 2013, Frank Gross wrote:

> To use the Windows keystore in openssl, I did the following:
>
>  At application startup, I use the windows API to get all trusted
> certificates from Key store. Then for each of them, I create the
> openssl X509 one via d2i_X509() and register it into the openssl
> store via X509_STORE_add_cert().
>
> Sample to convert a Windows certificate to an OpenSSL X509 one:
>
> X509* CryptoCreateX509Certificate(PCCERT_CONTEXT cert) {
>   X509* myX509=NULL;
>   unsigned char* buffer=cert->pbCertEncoded;
>   int len=cert->cbCertEncoded;
>   if (cert->dwCertEncodingType&X509_ASN_ENCODING) {
>     myX509=d2i_X509(NULL,&buffer,len);
>  }
>

Before I get flooded with suggestions.. I know how to get a Windows
certificate into an X509 structure: I wrote the CAPI engine code that does it.

What I don't know (and which no thread I've read helps with) is how to
retrieve the trust settings which are rather important if you want to handle
this properly. By that I mean the list of checkboxes marked "certificate
purposes" which appear if you click on "advanced" in the certificates dialog
box.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Using Windows certificate store through OpenSSL

Brad House-2
On 10/9/13 12:14 PM, Dr. Stephen Henson wrote:
> Before I get flooded with suggestions.. I know how to get a Windows
> certificate into an X509 structure: I wrote the CAPI engine code that does it.
>
> What I don't know (and which no thread I've read helps with) is how to
> retrieve the trust settings which are rather important if you want to handle
> this properly. By that I mean the list of checkboxes marked "certificate
> purposes" which appear if you click on "advanced" in the certificates dialog
> box.


I think you should be using CertGetCertificateContextProperty with a propid of
CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
these might be aliased as I think both have a value of 9):
http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx

The returned data is ASN.1 encoded so you might have to decode it before
you can use the OIDs returned.

Here's a powershell example which does a DLLImport call to that function
which might be useful:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=69
The program output from their example appears to show the settings you
are after, so I think this is a good starting point.

-Brad
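Brad's point that the EKU property comes back ASN.1-encoded is where most integrations stumble, so here is a decoder as an added example (not code from the thread, from OpenSSL, or from Windows). It parses the SEQUENCE OF OBJECT IDENTIFIER blob that CertGetCertificateContextProperty() returns for CERT_ENHKEY_USAGE_PROP_ID and keeps only store entries carrying id-kp-serverAuth, which is the filter a TLS client needs before handing a root to X509_STORE_add_cert(). The sample blobs are constructed, and treating an entry with no EKU data as valid for every purpose is an assumption the Windows caller must confirm against the store's own semantics.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth; the purpose a TLS client cares about

def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits = length-of-length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of buffer")
    return tag, data[pos:end], end

def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]                  # first octet packs the first two arcs
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in value[1:]:               # later arcs are base-128, MSB = continue
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def decode_eku(blob):
    """Parse the EKU property blob (SEQUENCE OF OID) into dotted OID strings."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("EKU blob is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("non-OID element inside EKU SEQUENCE")
        oids.append(_decode_oid(value))
    return oids

def trusted_for_server_auth(eku_blob):
    """None models an entry with no EKU data; assumed valid for every purpose here."""
    return eku_blob is None or SERVER_AUTH in decode_eku(eku_blob)

def select_server_roots(entries):
    """entries: (label, eku_blob) pairs; returns labels worth passing to X509_STORE_add_cert()."""
    return [label for label, blob in entries if trusted_for_server_auth(blob)]

# Constructed sample blobs (hex), not taken from a real machine.
SAMPLE_ENTRIES = [
    ("Root A", bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")),  # serverAuth + clientAuth
    ("Root B", bytes.fromhex("300a" "06082b06010505070303")),  # codeSigning only
    ("Root C", None),                                           # no EKU restriction
]
```

If you take Christian's CertGetEnhancedKeyUsage() route instead, the OIDs already arrive as strings and only select_server_roots() is needed.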

Re: Using Windows certificate store through OpenSSL

Dr. Stephen Henson
On Wed, Oct 09, 2013, Brad House wrote:

> On 10/9/13 12:14 PM, Dr. Stephen Henson wrote:
> >Before I get flooded with suggestions.. I know how to get a Windows
> >certificate into an X509 structure: I wrote the CAPI engine code that does it.
> >
> >What I don't know (and which no thread I've read helps with) is how to
> >retrieve the trust settings which are rather important if you want to handle
> >this properly. By that I mean the list of checkboxes marked "certificate
> >purposes" which appear if you click on "advanced" in the certificates dialog
> >box.
>
>
> I think you should be using CertGetCertificateContextProperty with a propid of
> CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
> these might be aliased as I think both have a value of 9):
> http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx
>
> The returned data is ASN.1 encoded so you might have to decode it before
> you can use the OIDs returned.
>

Thanks for the link. That is *VERY* interesting and I'll be looking into it as
soon as my (alas rather hectic) schedule permits.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Using Windows certificate store through OpenSSL

Christian Heimes
On 10.10.2013 13:58, Dr. Stephen Henson wrote:

>> I think you should be using CertGetCertificateContextProperty with a propid of
>> CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
>> these might be aliased as I think both have a value of 9):
>> http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx
>>
>> The returned data is ASN.1 encoded so you might have to decode it before
>> you can use the OIDs returned.
>>
>
> Thanks for the link. That is *VERY* interesting and I'll be looking into it as
> soon as my (alas rather hectic) schedule permits.

It's even easier to get the enhanced key usage for a certificate in
Windows' cert store. CertGetEnhancedKeyUsage() returns a
CERT_ENHKEY_USAGE struct with the EKU OIDs as char*, e.g.
1.3.6.1.5.5.7.3.1. The flag controls whether the function returns the EKU
OIDs from the properties (certmgr.msc settings) or X509v3 extension. I
have some C as well as some Python+ctypes code here.

Chrome Browser uses Windows' cert store to verify peer certs. IIRC Adam
Langley and Ryan Sleevi have developed that feature. The code in
CertVerifyProcWin::VerifyInternal() looks straightforward... Of course
it's much easier to understand existing code than to come up with it in
the first place.

Christian

Re: Using Windows certificate store through OpenSSL

Dr. Stephen Henson
On Sat, Nov 09, 2013, Christian Heimes wrote:

> On 10.10.2013 13:58, Dr. Stephen Henson wrote:
> >> I think you should be using CertGetCertificateContextProperty with a propid of
> >> CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
> >> these might be aliased as I think both have a value of 9):
> >> http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx
> >>
> >> The returned data is ASN.1 encoded so you might have to decode it before
> >> you can use the OIDs returned.
> >>
> >
> > Thanks for the link. That is *VERY* interesting and I'll be looking into it as
> > soon as my (alas rather hectic) schedule permits.
>
> It's even easier to get the enhanced key usage for a certificate in
> Windows' cert store. CertGetEnhancedKeyUsage() returns a
> CERT_ENHKEY_USAGE struct with the EKU OIDs as char*, e.g.
> 1.3.6.1.5.5.7.3.1. The flag controls whether the function returns the EKU
> OIDs from the properties (certmgr.msc settings) or X509v3 extension. I
> have some C as well as some Python+ctypes code here.
>

I've finally had a chance to check out some of these suggested methods of
retrieving the trust settings.

Everything I've tried so far just returns a copy of the certificate's extended
key usage extension in various forms. This is useless and I can get that from
the certificate anyway. To double check I try setting or clearing a value in
the UI and it makes no difference :-(

If anyone has any other ideas (and please double check that they really
reflect the UI settings by changing them) I'd be interested to know the
details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Using Windows certificate store through OpenSSL

Dr. Stephen Henson
On Sun, Nov 10, 2013, Dr. Stephen Henson wrote:

>
> I've finally had a chance to check out some of these suggested methods of
> retrieving the trust settings.
>
> Everything I've tried so far just returns a copy of the certificate's extended
> key usage extension in various forms. This is useless and I can get that from
> the certificate anyway. To double check I try setting or clearing a value in
> the UI and it makes no difference :-(
>

Hmmm... may have spoken too soon. I was changing the setting through IE and
not seeing any difference. Changing them with services.msc *does* seem to make
a difference. Will investigate further.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org