Can OpenSSL on Windows use the system certificate store?

2022-01-07 00:00:00 windows openssl c++

Some working C++ code that I'm porting from Linux to Windows is failing on Windows because SSL_get_verify_result() is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

The code was using SSL_CTX_set_default_verify_paths() on Linux to tell SSL to just look in the standard default locations for the certificate store.

Is it possible to get OpenSSL to use the system certificate store?

Accepted answer

I have done it earlier. Hope this helps, if this is exactly what you are looking for.

  1. Load your certificate (in PCCERT_CONTEXT structure) from Windows Cert store using Crypto APIs.
  2. Get encrypted content of it in binary format as it is. [PCCERT_CONTEXT->pbCertEncoded].
  3. Parse this binary buffer into X509 certificate Object using OpenSSL's d2i_X509() method.
  4. Get handle to OpenSSL's trust store using SSL_CTX_get_cert_store() method.
  5. Load above parsed X509 certificate into this trust store using X509_STORE_add_cert() method.
  6. You are done!