WinHttp: how to use a temporary certificate store?
I have a C++ application that makes an HTTPS connection to one of our servers.
In my ideal world, I would like the following to occur:
- App Starts
- App makes Windows trust the server's root CA (no GUI please, just system calls)
- App talks to server, does its work, etc.
- App makes Windows forget about the server's root CA
- done
I do NOT want this root CA to necessarily be trusted by other apps. Therefore I don't want to install the cert system-wide.
I also would like it if the user did not need Admin privileges.
My initial plan was to create an in-memory (CERT_STORE_PROV_MEMORY) store, add my cert to that, then add that in-memory store to the system store using CertAddStoreToCollection.
While all the CryptoAPI function calls succeed, WinHttp does not like it.
Here is the skeleton of what I'm doing - perhaps someone knows a trick?
Or perhaps this is wrong-headed in the first place?
hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);
// Then later on...
WinHttpSendRequest(...)
A few notes:
- Everything works when I use WinHttp's SECURITY_FLAG_IGNORE_UNKNOWN_CA, so I'm fairly sure this really is the issue.
- I have already seen this SO question - it is close, but does not address the issue of making the cert only temporarily trusted, while the app runs.
Thanks!
Since you don't want other applications to trust this cert, you need to do part of the certificate validation yourself. Disable the CA check with the option SECURITY_FLAG_IGNORE_UNKNOWN_CA and then get the callback for connecting to the server, WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER. In that callback fetch the cert with WINHTTP_OPTION_SERVER_CERT_CONTEXT and do your validation. Cancel/close the request if it's not who you want, continue the request if it's correct.