Question
I have a C++ application that makes an HTTPS connection to one of our servers. In my ideal world, I would like the following to occur:
- App Starts
- App makes Windows trust the server's root CA (no GUI please, just system calls)
- App talks to server, does its work, etc.
- App makes Windows forget about the server's root CA
- done
I do NOT want this root CA to necessarily be trusted by other apps. Therefore I don't want to install the cert system-wide. I also would like it if the user did not need Admin privileges.
My initial plan was to create an in-memory (CERT_STORE_PROV_MEMORY) store, add my cert to that, then add that in-memory store to the system store using CertAddStoreToCollection.
While all the CryptoAPI function calls succeed, WinHttp does not like it.
Here is the skeleton of what I'm doing - perhaps someone knows a trick? Or perhaps this is wrong-headed in the first place?
```cpp
// Create a private in-memory store and put the root CA into it
hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
// Attach the memory store to the system ROOT collection store
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);
// Then later on...
WinHttpSendRequest(...)
```
A few notes:
- Everything works when I use WinHttp's SECURITY_FLAG_IGNORE_UNKNOWN_CA, so I'm fairly sure this really is the issue.
- I have already seen this SO question - it is close, but does not address the issue of making the cert only temporarily trusted, while the app runs.
Thanks!
Answer 1:
Since you don't want other applications to trust this cert, you need to do part of the certificate validation yourself. Disable the CA check with the option SECURITY_FLAG_IGNORE_UNKNOWN_CA and then get the callback for connecting to the server, WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER. In that callback fetch the cert with WINHTTP_OPTION_SERVER_CERT_CONTEXT and do your validation. Cancel/Close the request if it's not who you want, continue the request if it's correct.
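An added C++ example of the approach in this answer (not code from the question or the answer): the root CA stays in the app's private memory store, SECURITY_FLAG_IGNORE_UNKNOWN_CA is set, and the server certificate is checked in the status callback by building its chain with the memory store as hAdditionalStore and pinning the chain's root. It hooks the WINHTTP_CALLBACK_STATUS_SENDING_REQUEST notification, where the TLS handshake has completed and WINHTTP_OPTION_SERVER_CERT_CONTEXT can be queried; the thumbprint bytes, the onStatus name and the setup lines in the comment are assumptions of this example.

```cpp
// Pin a WinHTTP connection to an embedded root CA without installing it.
// The trust decision is portable (testable anywhere); WinHTTP/CryptoAPI glue is _WIN32 only.
#include <array>
#include <cstdint>
#include <cstring>
// Constructed placeholder: SHA-1 thumbprint of the embedded root CA (20 bytes).
constexpr std::array<std::uint8_t, 20> kPinnedRootThumbprint = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
    0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14};
// Accept only if (a) the sole chain error is "untrusted root" (expected: the CA is
// deliberately not installed) and (b) the chain ends at exactly the pinned root.
bool chainAcceptable(std::uint32_t errorStatus, const std::uint8_t* rootThumb, std::size_t len) {
    const std::uint32_t kUntrustedRoot = 0x00000020;  // CERT_TRUST_IS_UNTRUSTED_ROOT
    if ((errorStatus & ~kUntrustedRoot) != 0) return false;  // expired, bad signature, partial...
    if (len != kPinnedRootThumbprint.size()) return false;
    return std::memcmp(rootThumb, kPinnedRootThumbprint.data(), len) == 0;
}
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#include <wincrypt.h>
// Setup before WinHttpSendRequest (hMemStore holds only the embedded root CA):
//   DWORD_PTR ctx = (DWORD_PTR)hMemStore;  DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA;
//   WinHttpSetOption(hRequest, WINHTTP_OPTION_CONTEXT_VALUE, &ctx, sizeof(ctx));
//   WinHttpSetOption(hRequest, WINHTTP_OPTION_SECURITY_FLAGS, &flags, sizeof(flags));
//   WinHttpSetStatusCallback(hRequest, onStatus, WINHTTP_CALLBACK_FLAG_SEND_REQUEST, 0);
static void CALLBACK onStatus(HINTERNET hRequest, DWORD_PTR ctx, DWORD status, LPVOID, DWORD) {
    if (status != WINHTTP_CALLBACK_STATUS_SENDING_REQUEST) return;  // handshake is done here
    HCERTSTORE hMemStore = reinterpret_cast<HCERTSTORE>(ctx);
    PCCERT_CONTEXT pCert = nullptr;
    DWORD size = sizeof(pCert);
    bool ok = false;
    if (WinHttpQueryOption(hRequest, WINHTTP_OPTION_SERVER_CERT_CONTEXT, &pCert, &size)) {
        CERT_CHAIN_PARA para = {};
        para.cbSize = sizeof(para);
        PCCERT_CHAIN_CONTEXT pChain = nullptr;
        // hAdditionalStore lets the chain engine find our root without trusting it.
        if (CertGetCertificateChain(nullptr, pCert, nullptr, hMemStore, &para, 0, nullptr, &pChain)) {
            const CERT_SIMPLE_CHAIN* chain = pChain->rgpChain[0];
            PCCERT_CONTEXT root = chain->rgpElement[chain->cElement - 1]->pCertContext;
            BYTE thumb[20]; DWORD thumbLen = sizeof(thumb);
            if (CertGetCertificateContextProperty(root, CERT_SHA1_HASH_PROP_ID, thumb, &thumbLen))
                ok = chainAcceptable(pChain->TrustStatus.dwErrorStatus, thumb, thumbLen);
            CertFreeCertificateChain(pChain);
        }
        CertFreeCertificateContext(pCert);
    }
    if (!ok) WinHttpCloseHandle(hRequest);  // abort: server did not chain to the pinned root
}
#endif
```

Because every request is checked against the pinned root in-process, nothing is ever written to the system ROOT store, so there is nothing to remove when the app exits and no admin rights are needed.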
Source: https://stackoverflow.com/questions/1557710/winhttp-how-to-use-a-temporary-certificate-store