Add support for loading user CA certs from an arbitrary Windows cert store. #7503
base: master
Conversation
Please do not merge yet, just looking for a review + pipeline tests passing for now. Will merge after customer confirms patch works for them.
    return NULL;
}

int wolfSSL_CTX_load_windows_user_CA_certs(WOLFSSL_CTX* ctx, const char* userStore,
Any reason not to integrate this with wolfSSL_CTX_load_system_CA_certs? Is wolfSSL_CTX_load_windows_user_CA_certs a compatibility API? If not, I would avoid making it Windows specific in case we wanted to expand its coverage beyond Windows.
The customer has requested the ability to configure which cert store is loaded at runtime in wolfSSH, which requires arguments to be passed in to wolfSSL. This is not an OpenSSL compatibility API, but it didn't make sense to me to add Windows specific arguments to wolfSSL_CTX_load_system_CA_certs. I am not sure how to avoid adding a Windows specific API while still allowing wolfSSH to configure this at runtime.
Seems like we could come up with a better name or API that would be easier to extend in the future. @ejohnstown I'd like your input as well on this since it is related to an SSH PR.
Could there be a generic wolfSSL_CTX_load_CA_cert_store()? There can be a ctx pointer to a struct with OS specific data. For Windows, that would have a flag for user or system. Maybe at some point someone will want certs stored in an LDAP database. Perhaps the existing load function can be rewritten as a specific use case for this function.
Description
Add support for loading user CA certs from an arbitrary Windows cert store.
Testing
Tested on a Windows machine.
Checklist