Re: [Bug-wget] Windows cert store support

[Random Coder]

On Thu, Dec 10, 2015 at 2:13 AM, Gisle Vanem <address@hidden> wrote:
> it would be nice to know if it succeeded because of WinCrypt or
> OpenSSL.

It succeeded because of both.  WinCrypt to load the cert, and OpenSSL
to verify it.  With my patch, you can't actually provide certs from
both an OpenSSL store and a Windows store.  I suppose I could add some
optional information message when WinCrypt is used.  Is there
precedent for such a message?

> How does this prevent an expired Cert to be used?
> I see in the 'CERT_INFO' structure a 'NotAfter' member. But this
> struct seems to support for WINAPI_PARTITION_APP only :-(
> I assume this could be used to check expired certificates.

The certificate itself contains that information encoded in the
pbCertEncoded data blob.  As a quick verification/example, I added the
following bit of code to the loop in my patch that loads the certs.

    /* Before the loop */
    int pickACert = 0;
    /* ... */
    /* after the d2i_X509 call */
    if (pickACert++ == 42) {
      char* certAsString = X509_to_PEM(cert);
      FILE* f=fopen("test.x509.pem","wb");
      fwrite(certAsString,strlen(certAsString),1,f);
      fclose(f);
    }

(I used the X509_to_PEM helper function from this StackOverflow
answer: http://stackoverflow.com/a/23137774 )

That code simply takes the x509 certificate after OpenSSL has parsed
it, and writes it out into a file.

Then, opening the cert in openssl using this command to view it in a
human readable format:

    openssl x509 -in test.x509.pem -text -noout

Along with the rest of the information in the output is this little
tidbit showing the random cert I picked is expired and OpenSSL should
ignore it:

    Validity
        Not Before: Apr  9 00:00:00 1996 GMT
        Not After : Jan  7 23:59:59 2004 GMT