Hi,

I tried to use Windows CryptoAPI functions to dump the certificates to a PEM
file. OpenSSL seems to be able to load the PEM file and works correctly.

The code is like this:

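#include <windows.h>
#include <wincrypt.h>   // link with crypt32.lib
#include <tchar.h>
#include <iostream>

int _tmain(int argc, _TCHAR* argv[])
{
    if ( argc == 1 )
    {
        std::cout << "certsync [store]" << std::endl;
        return 0;
    }

    // Open the system store named on the command line (e.g. ROOT or CA).
    HCERTSTORE hStore = CertOpenSystemStore(NULL, argv[1]);
    if ( hStore == NULL )
    {
        std::cerr << "CertOpenSystemStore failed: " << GetLastError() << std::endl;
        return 1;
    }

    // Each call frees the previous context, so running the loop to the end
    // leaves nothing to release.
    for ( PCCERT_CONTEXT pCertCtx = CertEnumCertificatesInStore(hStore, NULL);
          pCertCtx != NULL;
          pCertCtx = CertEnumCertificatesInStore(hStore, pCertCtx) )
    {
        OutputType outputType = IsPKCS7(pCertCtx->dwCertEncodingType) ? PKCS7 : Certificate;
        DisplayPEM(outputType, pCertCtx->pbCertEncoded, pCertCtx->cbCertEncoded);
    }

    // Dump the CRLs held in the same store.
    for ( PCCRL_CONTEXT pCrlCtx = CertEnumCRLsInStore(hStore, NULL);
          pCrlCtx != NULL;
          pCrlCtx = CertEnumCRLsInStore(hStore, pCrlCtx) )
    {
        OutputType outputType = IsPKCS7(pCrlCtx->dwCertEncodingType) ? PKCS7 : X509CRL;
        DisplayPEM(outputType, pCrlCtx->pbCrlEncoded, pCrlCtx->cbCrlEncoded);
    }

    CertCloseStore(hStore, 0);
    return 0;
}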


Some helper functions are like this:

#include <cassert>

enum OutputType
{
    Unknown,
    Certificate,
    PKCS7,
    X509CRL,
};

// Map the output type to the label used in the PEM BEGIN/END lines.
char const* GetTypeName(OutputType type)
{
    switch (type)
    {
    case Certificate:
        return "CERTIFICATE";
    case PKCS7:
        return "PKCS7";
    case X509CRL:
        return "X509 CRL";
    case Unknown:
        return NULL;
    default:
        break;
    }

    assert(false);
    return NULL;
}

// Note: dwCertEncodingType carries the encoding flags of the context;
// pbCertEncoded / pbCrlEncoded hold the DER-encoded certificate or CRL itself.
bool IsPKCS7(DWORD encodeType)
{
    return ((encodeType & PKCS_7_ASN_ENCODING) == PKCS_7_ASN_ENCODING);
}

// Write one PEM block to stdout. base64_Encode is a helper that is not
// shown in this post.
void DisplayPEM(OutputType outputType, BYTE const* pData, DWORD cbLength)
{
    char const* type = GetTypeName(outputType);
    if ( type == NULL ) return;

    std::cout << "-----BEGIN " << type << "-----" << std::endl;

    std::cout << base64_Encode(pData, cbLength) << std::endl;

    std::cout << "-----END " << type << "-----" << std::endl;
}


On Nov 23, 2007 8:29 PM, Dave Bound wrote:
>
> Hi
>
> I ship my own PEM file "cacerts.pem" containing trusted certificates with my
> application. Then, I use "SSL_CTX_load_verify_locations" to tell OpenSSL to
> use cacerts.pem during certificate verification.
>
> However, given that Windows already has a certificate store (Control
> Panel->Internet Options-> Content Tab->Certificates), I'm wondering whether
> there is a way to tell OpenSSL to look here instead. This would mean I would
> not need to ship my own PEM file.
>
> Any help appreciated.
>
> Thanks
>
> Dave


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
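
Added example, not part of the original post: DisplayPEM above relies on a base64_Encode helper that the message does not show. The sketch below is one way to produce the PEM text from DER bytes, wrapping the base64 body at 64 characters per line as RFC 7468 requires of generators. Base64 and PemEncode are hypothetical names, and the sample bytes are constructed, not a real certificate.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

static const char kB64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Standard base64 with '=' padding, no line breaks.
std::string Base64(const unsigned char* p, std::size_t n)
{
    std::string out;
    out.reserve(((n + 2) / 3) * 4);
    for (std::size_t i = 0; i < n; i += 3)
    {
        // Pack up to three input bytes into one 24-bit group.
        unsigned long v = static_cast<unsigned long>(p[i]) << 16;
        if (i + 1 < n) v |= static_cast<unsigned long>(p[i + 1]) << 8;
        if (i + 2 < n) v |= p[i + 2];
        out += kB64[(v >> 18) & 0x3F];
        out += kB64[(v >> 12) & 0x3F];
        out += (i + 1 < n) ? kB64[(v >> 6) & 0x3F] : '=';
        out += (i + 2 < n) ? kB64[v & 0x3F] : '=';
    }
    return out;
}

// Wrap DER bytes in BEGIN/END lines with the given label
// ("CERTIFICATE", "X509 CRL", ...), 64 base64 characters per line.
std::string PemEncode(const std::string& label,
                      const unsigned char* der, std::size_t len)
{
    const std::size_t kLine = 64;
    const std::string b64 = Base64(der, len);
    std::string pem = "-----BEGIN " + label + "-----\n";
    for (std::size_t off = 0; off < b64.size(); off += kLine)
        pem += b64.substr(off, kLine) + "\n";
    pem += "-----END " + label + "-----\n";
    return pem;
}

int main()
{
    // Constructed sample bytes (49 zero bytes), not a real certificate.
    const unsigned char sample[49] = {0};
    std::fputs(PemEncode("CERTIFICATE", sample, sizeof sample).c_str(), stdout);
    return 0;
}
```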