aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2005-12-18 02:36:34 (GMT)
committerJouni Malinen <j@w1.fi>2005-12-18 02:36:34 (GMT)
commit7ece73abae989a0f7f84d28780e7d26ea7235830 (patch)
treeca306789dc78cb496b754f17d644c3f78bc3b1f9
parentf425ed4bd8f60316f01b8a39e8a67465b90c31e4 (diff)
downloadhostap-history-7ece73abae989a0f7f84d28780e7d26ea7235830.zip
hostap-history-7ece73abae989a0f7f84d28780e7d26ea7235830.tar.gz
hostap-history-7ece73abae989a0f7f84d28780e7d26ea7235830.tar.bz2
Added support for loading trusted CA certificates from Windows
certificate store: ca_cert="cert_store://<name>", where <name> is likely CA (Intermediate CA certificates) or ROOT (root certificates).
-rw-r--r--wpa_supplicant/ChangeLog3
-rw-r--r--wpa_supplicant/config_ssid.h4
-rw-r--r--wpa_supplicant/tls_openssl.c82
-rw-r--r--wpa_supplicant/wpa_supplicant.conf3
4 files changed, 92 insertions, 0 deletions
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index f86025b..d3dd493 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -54,6 +54,9 @@ ChangeLog for wpa_supplicant
support for using PKCS#12 as a blob
* tls_gnutls: added support for using PKCS#12 files; added support for
session resumption
+ * added support for loading trusted CA certificates from Windows
+ certificate store: ca_cert="cert_store://<name>", where <name> is
+ likely CA (Intermediate CA certificates) or ROOT (root certificates)
2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
* l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 80eb4a8..3de1c90 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -259,6 +259,10 @@ struct wpa_ssid {
*
* Alternatively, a named configuration blob can be used by setting
* this to blob://<blob name>.
+ *
+ * On Windows, trusted CA certificates can be loaded from the system
+ * certificate store by setting this to cert_store://<name>, e.g.,
+ * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
*/
u8 *ca_cert;
diff --git a/wpa_supplicant/tls_openssl.c b/wpa_supplicant/tls_openssl.c
index 2211d53..42d58f9 100644
--- a/wpa_supplicant/tls_openssl.c
+++ b/wpa_supplicant/tls_openssl.c
@@ -99,6 +99,11 @@ static BOOL WINAPI
DWORD *pdwKeySpec, BOOL *pfCallerFreeProv)
= NULL; /* to be loaded from crypt32.dll */
+static PCCERT_CONTEXT WINAPI
+(*CertEnumCertificatesInStore)(HCERTSTORE hCertStore,
+ PCCERT_CONTEXT pPrevCertContext)
+= NULL; /* to be loaded from crypt32.dll */
+
static int mingw_load_crypto_func(void)
{
HINSTANCE dll;
@@ -124,6 +129,16 @@ static int mingw_load_crypto_func(void)
"crypt32 library");
return -1;
}
+
+ CertEnumCertificatesInStore = (void *) GetProcAddress(
+ dll, "CertEnumCertificatesInStore");
+ if (CertEnumCertificatesInStore == NULL) {
+ wpa_printf(MSG_DEBUG, "CryptoAPI: Could not get "
+ "CertEnumCertificatesInStore() address from "
+ "crypt32 library");
+ return -1;
+ }
+
return 0;
}
@@ -425,6 +440,62 @@ err:
return -1;
}
+
+static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)
+{
+ HCERTSTORE cs;
+ PCCERT_CONTEXT ctx = NULL;
+ X509 *cert;
+ char buf[128];
+
+ if (mingw_load_crypto_func())
+ return -1;
+
+ if (name == NULL || strncmp(name, "cert_store://", 13) != 0)
+ return -1;
+
+ cs = CertOpenSystemStore(0, name + 13);
+ if (cs == NULL) {
+ wpa_printf(MSG_DEBUG, "%s: failed to open system cert store "
+ "'%s': error=%d", __func__, name + 13,
+ (int) GetLastError());
+ return -1;
+ }
+
+ while ((ctx = CertEnumCertificatesInStore(cs, ctx))) {
+ cert = d2i_X509(NULL,
+ (const unsigned char **) &ctx->pbCertEncoded,
+ ctx->cbCertEncoded);
+ if (cert == NULL) {
+ wpa_printf(MSG_INFO, "CryptoAPI: Could not process "
+ "X509 DER encoding for CA cert");
+ continue;
+ }
+
+ X509_NAME_oneline(X509_get_subject_name(cert), buf,
+ sizeof(buf));
+ wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for "
+ "system certificate store: subject='%s'", buf);
+
+ if (!X509_STORE_add_cert(ssl_ctx->cert_store, cert)) {
+ tls_show_errors(MSG_WARNING, __func__,
+ "Failed to add ca_cert to OpenSSL "
+ "certificate store");
+ }
+
+ X509_free(cert);
+ }
+
+ if (!CertCloseStore(cs, 0)) {
+ wpa_printf(MSG_DEBUG, "%s: failed to close system cert store "
+ "'%s': error=%d", __func__, name + 13,
+ (int) GetLastError());
+ }
+
+ return 0;
+}
+
+
#else /* CONFIG_NATIVE_WINDOWS */
static int tls_cryptoapi_cert(SSL *ssl, const char *name)
@@ -1003,6 +1074,17 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn,
SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
return 0;
}
+
+#ifdef CONFIG_NATIVE_WINDOWS
+ if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
+ 0) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from "
+ "system certificate store");
+ SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+ return 0;
+ }
+#endif /* CONFIG_NATIVE_WINDOWS */
+
if (ca_cert || ca_path) {
#ifndef OPENSSL_NO_STDIO
if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) !=
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index ed3a426..f1ebd98 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -256,6 +256,9 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
# a trusted CA certificate should always be configured when using
# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
# change when wpa_supplicant is run in the background.
+# On Windows, trusted CA certificates can be loaded from the system
+# certificate store by setting this to cert_store://<name>, e.g.,
+# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
# ca_path: Directory path for CA certificate files (PEM). This path may
# contain multiple CA certificates in OpenSSL format. Common use for this
# is to point to system trusted CA list which is often installed into