Windows system cert store

Windows system cert store

Matthew Stickney
Back in 2010, there was some discussion on this list of adding code to
load certificates from the system cert store on Windows by default,
since the default verification paths typically don't point to anything
(this was ticket #2158, which was ultimately rejected). I have some
interest in picking up where this was left off, but I'm a little out
of my depth and have some questions.

Last time around, the sticking point was certificate purposes: we
don't want to add a certificate that's only trusted for client
authentication as trusted for server authentication. I still need to
figure out how to extract purposes from the windows certs, but I'm
also having a hard time seeing how you'd set x509 purposes in openssl.
Where should I be looking?

-Matt Stickney
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: Windows system cert store

Richard Levitte - VMS Whacker-2
In message <CAKH_Ld4faVY8v9RY=[hidden email]> on Sat, 8 Jul 2017 23:22:28 -0400, Matthew Stickney <[hidden email]> said:

mtstickney> Back in 2010, there was some discussion on this list of adding code to
mtstickney> load certificates from the system cert store on Windows by default,
mtstickney> since the default verification paths typically don't point to anything
mtstickney> (this was ticket #2158, which was ultimately rejected). I have some
mtstickney> interest in picking up where this was left off, but I'm a little out
mtstickney> of my depth and have some questions.
mtstickney>
mtstickney> Last time around, the sticking point was certificate purposes: we
mtstickney> don't want to add a certificate that's only trusted for client
mtstickney> authentication as trusted for server authentication. I still need to
mtstickney> figure out how to extract purposes from the windows certs, but I'm
mtstickney> also having a hard time seeing how you'd set x509 purposes in openssl.
mtstickney> Where should I be looking?

I don't know the Windows cert API enough to know if there are
purpose settings outside of the cert itself, so I won't be able to
answer that.

However, in the cert itself, there may be an extension called Extended
Key Usage.  Have a look at RFC 5280, 4.2.1.12 [0] for more info on
them.  You set them like any other extension, when creating a cert.

Also, regarding retrieving arbitrary stuff (like certificates) from
arbitrary sources (such as the system cert store), I'd like to point
out the CAPI engine (engines/e_capi.c), which does have such
functionality (it's quite a hack, in the most positive sense of the
word), and to the recently added OSSL_STORE module (which was created
for exactly this sort of purpose).  The latter is still evolving, but
the base line is in place.

Cheers,
Richard

-----
[0] https://tools.ietf.org/html/rfc5280#section-4.2.1.12

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: Windows system cert store

alok sharma-2
Ljkikh9


Re: Windows system cert store

OpenSSL - Dev mailing list
In reply to this post by Matthew Stickney
On 7/8/17 11:22 PM, Matthew Stickney wrote:

> Back in 2010, there was some discussion on this list of adding code to
> load certificates from the system cert store on Windows by default,
> since the default verification paths typically don't point to anything
> (this was ticket #2158, which was ultimately rejected). I have some
> interest in picking up where this was left off, but I'm a little out
> of my depth and have some questions.
>
> Last time around, the sticking point was certificate purposes: we
> don't want to add a certificate that's only trusted for client
> authentication as trusted for server authentication. I still need to
> figure out how to extract purposes from the windows certs, but I'm
> also having a hard time seeing how you'd set x509 purposes in openssl.
> Where should I be looking?
>
> -Matt Stickney


I remember seeing that discussion, I'm not sure if additional certificate
validation is necessary if you're just enumerating the ROOT certificate
store in Windows.

Here's code we use, obviously it would be good to know if this isn't
correct for some reason from a security perspective:

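#include <windows.h>
#include <wincrypt.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* Copy every certificate in the Windows "ROOT" system store into the
 * X509_STORE of ctx. Returns 1 if at least one was added, 0 otherwise.
 * Only the DER encoding is copied; properties the store keeps outside
 * the encoding are not consulted. */
int SSL_CTX_load_os_trust(SSL_CTX *ctx)
{
        HCERTSTORE     hStore;
        PCCERT_CONTEXT pContext = NULL;
        X509_STORE    *store;
        size_t         count    = 0;

        if (ctx == NULL)
                return 0;

        /* ANSI variant, so the narrow string literal also builds with UNICODE. */
        hStore = CertOpenSystemStoreA(0, "ROOT");
        if (hStore == NULL)
                return 0;

        store = SSL_CTX_get_cert_store(ctx);

        /* Each call releases the previous context and returns the next one. */
        while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
                /* d2i_X509() advances the pointer it is given, so pass a
                 * copy rather than the context's own pbCertEncoded. */
                const unsigned char *der = pContext->pbCertEncoded;
                X509 *x509 = d2i_X509(NULL, &der, (long)pContext->cbCertEncoded);
                if (x509) {
                        if (X509_STORE_add_cert(store, x509))
                                count++;
                        X509_free(x509);
                }
        }

        /* pContext is NULL here: the enumeration freed the last context. */
        CertCloseStore(hStore, 0);

        return count ? 1 : 0;
}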


Re: Windows system cert store

Kurt Roeckx
In reply to this post by Richard Levitte - VMS Whacker-2
On Sun, Jul 09, 2017 at 09:15:32AM +0200, Richard Levitte wrote:

> In message <CAKH_Ld4faVY8v9RY=[hidden email]> on Sat, 8 Jul 2017 23:22:28 -0400, Matthew Stickney <[hidden email]> said:
>
> mtstickney> Back in 2010, there was some discussion on this list of adding code to
> mtstickney> load certificates from the system cert store on Windows by default,
> mtstickney> since the default verification paths typically don't point to anything
> mtstickney> (this was ticket #2158, which was ultimately rejected). I have some
> mtstickney> interest in picking up where this was left off, but I'm a little out
> mtstickney> of my depth and have some questions.
> mtstickney>
> mtstickney> Last time around, the sticking point was certificate purposes: we
> mtstickney> don't want to add a certificate that's only trusted for client
> mtstickney> authentication as trusted for server authentication. I still need to
> mtstickney> figure out how to extract purposes from the windows certs, but I'm
> mtstickney> also having a hard time seeing how you'd set x509 purposes in openssl.
> mtstickney> Where should I be looking?
>
> I don't know the Windows cert API enough to know if there are
> purpose settings outside of the cert itself, so I won't be able to
> answer that.
>
> However, in the cert itself, there may be an extension called Extended
> Key Usage.  Have a look at RFC 5280, 4.2.1.12 [0] for more info on
> them.  You set them like any other extension, when creating a cert.

I think the point is that he wants to have additional constraints
on the root certificate that aren't in the X509 certificate
itself. The root certificates mostly don't have an EKU.

I would like to say that on Linux most people will also not have
such additional restrictions even if the root store provides such
restrictions.

OpenSSL allows you to set some restrictions with "trusted
certificates", which are in an X509_AUX structure. See the x509 man
page.


Kurt


Re: Windows system cert store

Matthew Stickney
The Certificate Manager in Windows does allow you to change the trust
settings for root certs (including the purposes reported by openssl
x509 -purpose), although those changes don't appear to be reflected in
the cert dumped from the store (so they must be stored externally).

I think the original concern could have been one of two things (or
possibly both): 1) assuming the cert itself has purpose information,
that needs to be reflected in its use after being added to the cert
store (I assume the verification code is already checking this if it's
a property of the cert), or 2) that a user's choice to (un-)trust
certain certificates is respected, however unusual. I'm not aware of
any facility on Linux to modify the trust status of certs, so I think
this is an issue unique to Windows.

-Matt Stickney


Re: Windows system cert store

Dr. Stephen Henson
On Sun, Jul 09, 2017, Matthew Stickney wrote:

> The Certificate Manager in Windows does allow you to change the trust
> settings for root certs (including the purposes reported by openssl
> x509 -purpose), although those changes don't appear to be reflected in
> the cert dumped from the store (so they must be stored externally).
>

Yes they're external properties. The certificate encoding returned can't be
modified of course because that would break the signature.

I think I did some experiments with CertGetEnhancedKeyUsage() and
CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG before. IIRC this reflected system
settings but not those visible in the MSIE dialogs: that is changing the
setting in MSIE didn't change the values returned by that API.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Windows system cert store

Matthew Stickney
On Wed, Jul 12, 2017 at 8:48 AM, Dr. Stephen Henson <[hidden email]> wrote:
> Yes they're external properties. The certificate encoding returned can't be
> modified of course because that would break the signature.

That's a good point (I'm a little embarrassed to have missed that).


> I think I did some experiments with CertGetEnhancedKeyUsage()[...]

It looks like another good candidate might be
CertGetCertificateContextProperty() with the CERT_CTL_USAGE_PROP_ID
flag. At least in principle, that's pulling usage information from the
cert context, rather than the cert itself. I'll do some testing after
work tonight.

-Matt Stickney

Re: Windows system cert store

Matthew Stickney
I should have read the previous post more carefully:
CertGetEnhancedKeyUsage() is definitely the function for returning the
certificate usages reported by the system store manager (either the
ones set in the cert itself, the ones in the "extended property" that
can be set at will, or the effective combination of the two depending
on the flags passed).

You may have been looking at a different version of IE than what I've
got on my Windows 7 VM, but at least here IE doesn't allow you to set
certificate purposes: it has a dialog that looks just like that (under
the "Advanced" button in the certificate list), but that's only used
to select the set of usages you want to display if you choose
"<Advanced Purposes>" in the "Intended Purpose" dropdown at the top
(it's effectively just a customizable display filter).

I've been reading through OpenSSL's verification code a bit, and from
what I'm seeing it looks like purposes could be set for an existing
certificate by setting the appropriate bits in the ex_kusage or
ex_xkusage fields, at least for standard usages. Is that right?

-Matt Stickney


Re: Windows system cert store

Dr. Stephen Henson
On Thu, Jul 13, 2017, Matthew Stickney wrote:

>
> You may have been looking at a different version of IE than what I've
> got on my Windows 7 VM, but at least here IE doesn't allow you to set
> certificate purposes: it has a dialog that looks just like that (under
> the "Advanced" button in the certificate list), but that's only used
> to select the set of usages you want to display if you choose
> "<Advanced Purposes>" in the "Intended Purpose" dropdown at the top
> (it's effectively just a customizable display filter).
>

It's been a while since I looked at it yes. IIRC before when you selected
a root (or other) certificate under the Details tab you could select "Edit
Properties..." now the box is greyed out unless you run as administrator
or select a user added certificate.

> I've been reading through OpenSSL's verification code a bit, and from
> what I'm seeing it looks like purposes could be set for an existing
> certificate by setting the appropriate bits in the ex_kusage or
> ex_xkusage fields, at least for standard usages. Is that right?
>

No those are just caches of the contents of the key usage and extended key
usage extensions. The function you need to call is X509_add1_trust_object()
for each trust setting. You could also call X509_alias_set1 to set the
friendly name of the certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
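
Added illustration, not code from any poster in this thread or from the OpenSSL project: the "trusted certificates" Kurt Roeckx points to and the X509_add1_trust_object() call Stephen Henson names can be exercised from the command line, because `openssl x509 -addtrust` fills the same auxiliary trust list. The script compares a bare root, as a loader that copies only the DER encoding would install it, with copies restricted to one purpose; the root, leaf and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: subjects, keys and file names are made up for this example.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway root CA and one leaf certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Write a "TRUSTED CERTIFICATE" copy of the root whose auxiliary trust list
# holds exactly one purpose ($1: serverAuth or clientAuth). The signed
# encoding is unchanged; the setting travels beside it in the PEM file.
root_trusted_for() {
    openssl x509 -in "$WORK/root.pem" -addtrust "$1" -trustout \
        -out "$WORK/root-$1.pem"
}

# verify_as <anchor-file> <purpose>: exit status 0 means the chain verified.
verify_as() {
    openssl verify -CAfile "$1" -purpose "$2" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Print the accept/reject matrix for each anchor and purpose.
report() {
    for anchor in root.pem root-serverAuth.pem root-clientAuth.pem; do
        for purpose in sslserver sslclient; do
            if verify_as "$WORK/$anchor" "$purpose"; then
                result=accepted
            else
                result=rejected
            fi
            printf '%-22s %-10s %s\n' "$anchor" "$purpose" "$result"
        done
    done
}

make_pki && root_trusted_for serverAuth && root_trusted_for clientAuth && report
```

The bare root is accepted for both purposes, while each restricted copy is accepted only for the purpose in its trust list.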