Discussion: SSL server certificate
Matt Fletcher
2004-04-08 08:41:25 UTC
Is it possible to extract an SSL server certificate from WinInet? I know
that if I use InternetQueryOption with flag
INTERNET_OPTION_SECURITY_CERTIFICATE or
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT then I can get some information
about the certificate, but how can I get the actual certificate (as IE
itself does)?

TIA

Matt Fletcher
Ben Rush
2004-04-09 17:13:46 UTC
If anyone knows a way to retrieve the certificate information, that would be
mostly helpful to me as well. I'm about to embark on some work to get it to
work and I would very much appreciate not going down a dead road.

I see that I get to retrieve partial information about the certificate; the
question is whether it's enough information to populate the structures
expected by the crypto API to handle a certificate...
Stephen Sulzer
2004-04-09 21:38:24 UTC
Unfortunately, it does not seem possible to get the CERT_CONTEXT pointer to
the server's SSL certificate from WinInet. The IE dialog that shows the
server certificate is implemented inside WinInet, and so has access to the
internal data structure that stores the CERT_CONTEXT handle of the server
certificate.

The lpszSubjectInfo field of the INTERNET_CERTIFICATE_INFO structure
contains the subject name of the server certificate. But the structure does
not provide a handle to the certificate store. Without the certificate store
handle, I don't know how you can map the subject name to a CERT_CONTEXT.
(With the certificate store handle, you could use the
CertFindCertificateInStore API.)

You should ask for help on the microsoft.public.platformsdk.security
newsgroup (where the CryptoAPI experts hang out). Is it possible to somehow
get a handle to the certificate store (that would contain the server
certificate that WinInet has received during the SSL negotiation) using the
Crypto APIs? Perhaps there is a way to enumerate all the cert stores, for
example.

Another solution to consider is using the WinHTTP API. WinHTTP is a Win32
API similar to WinInet; it was designed primarily for multi-user
server-based applications and NT services, but can also be used in desktop
client apps. The WinHttpQueryOption API contains a
WINHTTP_OPTION_SERVER_CERT_CONTEXT option that provides the server
certificate's CERT_CONTEXT handle. However, WinHTTP has limited platform
support compared to WinInet (WinHTTP is available in Windows 2000 SP3/SP4,
Windows XP SP1 and Windows Server 2003).

Hope that helps.

Stephen
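The WinHTTP route Stephen describes, written out as an added example (this is not code from the thread): after WinHttpSendRequest completes the TLS handshake, WINHTTP_OPTION_SERVER_CERT_CONTEXT hands back a CERT_CONTEXT that the caller owns, from which the SHA-1 thumbprint can be read and compared against an expected value. The host name, the HEAD request and the hex helper are my own choices; the Windows part is guarded so the file also compiles where WinHTTP is absent.

```c
#include <stdio.h>
#include <string.h>

/* Portable helper: render a hash as lowercase hex. Returns 0 on success,
   -1 if `out` is too small (needs 2*len + 1 bytes). */
int hex_encode(const unsigned char *buf, size_t len, char *out, size_t outlen) {
    static const char digits[] = "0123456789abcdef";
    if (outlen < 2 * len + 1) return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[buf[i] >> 4];
        out[2 * i + 1] = digits[buf[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 0;
}

#ifdef _WIN32   /* WinHTTP part: link with winhttp.lib and crypt32.lib */
#include <windows.h>
#include <winhttp.h>
#include <wincrypt.h>

/* Open a TLS connection to `host`, fetch the server certificate through
   WINHTTP_OPTION_SERVER_CERT_CONTEXT and write its SHA-1 thumbprint as hex
   into `out`. Returns 0 on success, -1 on any failure. */
int server_cert_thumbprint(const wchar_t *host, char *out, size_t outlen) {
    int rc = -1;
    HINTERNET hSession = WinHttpOpen(L"cert-probe/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                                     WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
    HINTERNET hConnect = hSession ? WinHttpConnect(hSession, host, INTERNET_DEFAULT_HTTPS_PORT, 0) : NULL;
    HINTERNET hRequest = hConnect ? WinHttpOpenRequest(hConnect, L"HEAD", L"/", NULL, WINHTTP_NO_REFERER,
                                                       WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE) : NULL;
    if (hRequest && WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                       WINHTTP_NO_REQUEST_DATA, 0, 0, 0)) {
        PCCERT_CONTEXT cert = NULL;
        DWORD size = sizeof(cert);
        /* The handshake is finished once WinHttpSendRequest returns, so the
           certificate context is available now. */
        if (WinHttpQueryOption(hRequest, WINHTTP_OPTION_SERVER_CERT_CONTEXT, &cert, &size)) {
            BYTE hash[20];              /* CERT_HASH_PROP_ID is the SHA-1 thumbprint */
            DWORD hlen = sizeof(hash);
            if (CertGetCertificateContextProperty(cert, CERT_HASH_PROP_ID, hash, &hlen))
                rc = hex_encode(hash, hlen, out, outlen);
            CertFreeCertificateContext(cert);   /* the returned context is owned by the caller */
        }
    }
    if (hRequest) WinHttpCloseHandle(hRequest);
    if (hConnect) WinHttpCloseHandle(hConnect);
    if (hSession) WinHttpCloseHandle(hSession);
    return rc;
}
#endif
```

Comparing the returned thumbprint with a value recorded out of band is the simplest way to notice a changed or substituted server certificate; the same CERT_CONTEXT can also be passed to CertVerifyCertificateChainPolicy for a full chain check.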
Matt Fletcher
2004-04-13 09:31:59 UTC
Stephen,

thanks for the detailed answer, but I'm not sure it advances the process
other than by confirming that WinInet does not allow access to the server
certificate.

I'm still quite new to CryptoAPI, but I cannot find the SSL certificate in
any of the system stores, either by using IE, or by enumerating the stores
using CertEnumSystemStore. Why would IE place the certificate in a
publicly accessible system store and not in its own temporary private (and
therefore inaccessible) store? The code I am working on already creates such
temporary stores.

As we are supporting Win98, WinHTTP is not a possibility - I am considering
looking at replacing WinInet with OpenSSL (which we already use the crypto
side of).

Matt Fletcher