Windows-ROOT as truststore #18020
Comments
OpenSSL has never had code to load the Windows certificate store itself. It's a somewhat surprising asymmetry given that it does have code to load the system certificate store on *nix and it already is willing to use the Win32 crypto API for some things (like CryptGenRandom). It's only about 35 lines of code to do this though. Here's some (now rather old) code of mine (not guaranteed, but feel free to use): https://gist.github.com/hlandau/7a9a8146af25a2c972aa1fe400a8a60f @mattcaswell Do we want this functionality?
You could argue that *nix systems use the OpenSSL store mechanism, not the other way around.
Thanks for the info and code Hugo.
In general OpenSSL is open source software, which means a feature gets implemented when someone who needs it submits code that implements the feature. So the answer is that nobody submitted the code that implements Windows cert store support. Why nobody did that, that's another question which we probably cannot answer.
@t8m Would we be interested in this functionality? I have code to do it lying around and it seems like basically anyone using libssl on Windows will need it. I could make a PR.
I do not see why we would not want it. The difficult question would be how that Windows cert store will be enabled, i.e. making it enabled by default on Windows might be considered a too big change for 3.1 by some.
The question for me is would this impact the 3.1 development times?
It's not much code. About 35 lines. I already have it from my own projects. Biggest timesink would just be agreeing the API/how it interacts with existing functions.
Ideally it would be done in terms of an OSSL_STORE provider instead of adding certs to X509_STORE, which complicates that 35 line code quite some.
A minimum provider that does this only needs an OSSL_STORE loader with export capabilities. That's enough to handle any key where the key data is programmatically accessible (i.e. exportable) and shouldn't be too hard to do. The main thing will probably be to design the URI scheme and implement its parser.
... when we do design such a URI scheme, we probably should register it properly too. I know that I've mentioned the sneaky way of avoiding that, but I frankly think making it official is the better move in the long run.
Ah, thanks for the reminder.
Fixes openssl#18020. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#18070)
Is there a way to set Windows-ROOT (or any Windows Certificate Store in general) as truststore in openssl?
I think java has some similar feature.
Thanks in advance.
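As an added example that is not part of this issue thread or of OpenSSL itself: until a CryptoAPI-backed loader like the one discussed above exists, the Windows ROOT store can be bridged into OpenSSL by exporting it as a PEM bundle and pointing OpenSSL at that file (`-CAfile`, `SSL_CTX_load_verify_locations()`). The store location, output path and the filtering of expired entries are my assumptions, not anything the issue specifies.

```powershell
# Export the Windows "ROOT" certificate store to a PEM bundle for OpenSSL.
# Assumptions: Windows with PowerShell 5.1 or later; $OutFile is a constructed
# default path; only currently valid, self-signed entries are exported.
param(
    [string]$StoreLocation = 'LocalMachine',   # or 'CurrentUser'
    [string]$StoreName     = 'Root',           # the Windows-ROOT store from the issue
    [string]$OutFile       = "$env:TEMP\windows-root-bundle.pem"
)

function Convert-ToPemBlock {
    param([byte[]]$Der)
    # PEM is base64-encoded DER wrapped at 64 columns between BEGIN/END markers.
    $b64 = [Convert]::ToBase64String($Der)
    $wrapped = ($b64 -replace '(.{64})', "`$1`n").TrimEnd("`n")
    return "-----BEGIN CERTIFICATE-----`n$wrapped`n-----END CERTIFICATE-----`n"
}

$storePath = "Cert:\$StoreLocation\$StoreName"
$now       = Get-Date
$blocks    = New-Object System.Collections.Generic.List[string]
$skipped   = 0

foreach ($cert in Get-ChildItem -Path $storePath) {
    # Expired or not-yet-valid roots would only widen the trust set for no
    # benefit, and non-self-signed entries are not trust anchors; skip both.
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { $skipped++; continue }
    if ($cert.Subject -ne $cert.Issuer) { $skipped++; continue }

    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    # OpenSSL's PEM reader ignores text outside the BEGIN/END markers, so a
    # human-readable header per anchor is safe and helps later audits.
    $blocks.Add("# $($cert.Subject) (SHA1 $($cert.Thumbprint))`n" + (Convert-ToPemBlock -Der $der))
}

# Write plain ASCII without a byte-order mark so OpenSSL parses the file as-is.
[System.IO.File]::WriteAllText($OutFile, ($blocks -join ''), [System.Text.Encoding]::ASCII)
Write-Host "Wrote $($blocks.Count) trust anchors to $OutFile ($skipped skipped)"

# Sanity check that OpenSSL accepts every anchor in the bundle:
#   openssl crl2pkcs7 -nocrl -certfile $OutFile | openssl pkcs7 -print_certs -noout
```

The bundle is a snapshot: re-run it whenever Windows Update changes the ROOT store, otherwise OpenSSL and the rest of the system will drift apart on what they trust.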