WinHttp:如何使用临时证书存储?

发布于 2024-08-07 01:25:28 字数 1134 浏览 7 评论 0原文

我有一个 C++ 应用程序,它与我们的一台服务器建立 HTTPS 连接。 在我的理想世界中,我希望发生以下情况:

  1. 应用程序启动
  2. 应用程序使 Windows 信任服务器的根 CA(请不要使用 GUI,只需系统调用)
  3. 应用程序与服务器对话,执行其工作等。
  4. 应用程序使 Windows 忘记服务器的根 CA根 CA
  5. 完成

希望此根 CA 一定受到其他应用程序的信任。因此我不想在系统范围内安装证书。 如果用户不需要管理员权限,我也希望它。

我最初的计划是创建一个内存中 (CERT_STORE_PROV_MEMORY) 存储,将我的证书添加到其中,然后使用 CertAddStoreToCollection 将该内存中存储添加到系统存储中。

虽然所有 CryptoAPI 函数调用都成功,但 WinHttp 不喜欢它。

这是我正在做的事情的骨架 - 也许有人知道一个技巧? 或者也许这从一开始就是错误的?

hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);

// Then later on...
WinHttpSendRequest(...)

一些注意事项:

  • 当我使用 WinHttp 的 SECURITY_FLAG_IGNORE_UNKNOWN_CA 时,一切正常,所以我相当确定这确实是问题所在。
  • 我已经看过 这个问题 - 它很接近,但没有解决在应用程序运行时使证书仅暂时受信任的问题。

谢谢!

I have a C++ application that makes a HTTPS connection to one of our servers.
In my ideal world, I would like the following to occur:

  1. App Starts
  2. App makes Windows trust the server's root CA (no GUI please, just system calls)
  3. App talks to server, does its work, etc.
  4. App makes windows forget about the server's root CA
  5. done

I do NOT want this root CA to necessarily be trusted by other apps. Therefore I don't want to install the cert system-wide.
I also would like it if the user did not need Admin privileges.

My initial plan was to create an in-memory (CERT_STORE_PROV_MEMORY) store, add my cert to that, then add that in-memory store to the system store using CertAddStoreToCollection.

While all the CryptoAPI function calls succeed, WinHttp does not like it.

Here is the skeleton of what I'm doing - perhaps someone knows a trick?
Or perhaps this is wrong-headed in the first place?

hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);

// Then later on...
WinHttpSendRequest(...)

A few notes:

  • Everything works when I use WinHttp's SECURITY_FLAG_IGNORE_UNKNOWN_CA, so I'm fairly sure this really is the issue.
  • I have already seen this SO question - it is close, but does not address the issue of making the cert only temporarily trusted, while the app runs.

Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

与风相奔跑 2024-08-14 01:25:28

由于您不希望其他应用程序信任此证书,因此您需要自己完成部分证书验证。使用选项 SECURITY_FLAG_IGNORE_UNKNOWN_CA 禁用 CA 检查,然后获取连接到服务器的回调 WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER。在该回调中,使用 WINHTTP_OPTION_SERVER_CERT_CONTEXT 获取证书并进行验证。如果不是您想要的人,请取消/关闭请求;如果正确,则继续请求。

Since you don't want other applications to trust this cert, you need to do part of the certificate validation yourself. Disable the CA check with the option SECURITY_FLAG_IGNORE_UNKNOWN_CA and then get the call back for connecting to the server WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER. In that callback fetch the cert with WINHTTP_OPTION_SERVER_CERT_CONTEXT and do your validation. Cancel/Close the request if it's not who you want, continue the request if it's correct.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文