
Re: [Bug-wget] Windows cert store support


From: Gisle Vanem
Subject: Re: [Bug-wget] Windows cert store support
Date: Thu, 10 Dec 2015 11:13:06 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Random Coder wrote:

> I'm not sure if the wget maintainers would be interested, but I've
> been carrying this patch around in my private builds of wget for a
> while.  It allows wget to load SSL certs from the default Windows cert
> store.

I've applied your patch. It seems to work fine. Nice!

But in a message like:
  X509 certificate successfully verified and matches host
  www.ssllabs.com

it would be nice to know if it succeeded because of WinCrypt or
OpenSSL.

> +      /* Loop through all the certs in the Windows cert store */
> +      for ( pCertCtx = Local_CertEnumCertificatesInStore(hStore, NULL);
> +          pCertCtx != NULL;
> +          pCertCtx = Local_CertEnumCertificatesInStore(hStore, pCertCtx) )
> +      {
> +        if (!((pCertCtx->dwCertEncodingType & PKCS_7_ASN_ENCODING) == 
> PKCS_7_ASN_ENCODING))
> +        {
> +          /* Add all certs we find to OpenSSL's store */
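
Review bot: The test guarding "Add all certs we find to OpenSSL's store" looks only at dwCertEncodingType, so nothing in these lines checks a certificate's validity period before it is handed to OpenSSL. If expired store entries should be skipped, compare pCertCtx->pCertInfo->NotBefore and NotAfter against the current time (Crypt32's CertVerifyTimeValidity does this) before the add. The negated equality would also read more clearly as (pCertCtx->dwCertEncodingType & PKCS_7_ASN_ENCODING) != PKCS_7_ASN_ENCODING, and a comment saying why PKCS #7 encoded entries are excluded would help.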

How does this prevent an expired cert from being used?
I see in the 'CERT_INFO' structure a 'NotAfter' member. But this
struct seems to be supported for WINAPI_PARTITION_APP only :-(
I assume this could be used to check expired certificates.

-- 
--gv


