C++ adding certificate to Trust Root storage in Windows

Problem description

I have a task to add a certificate (private key and certificate file) generated by the openssl library to the Trust Root Storage in Windows from my C++ program. Could you please show some code examples? I suppose that I should use the Win API, but I haven't found examples yet. Maybe someone had the same task or could recommend relevant resources. So far I have found only "C++ access trusted root certificates", but that is the inverse issue. Instead, I need to add a certificate to the storage.

Recommended answer

I don't know if this is the best way to do it, but at least it works for me (I assume that you want to import into the current user's store and not the machine certificate store).

First you have to load the PFX file into a CRYPT_DATA_BLOB (it's a struct that contains a pointer to a buffer and associated length). Basically you read the PFX into the buffer and set the length accordingly. You can then import that CRYPT_DATA_BLOB into a cert store by using PFXImportCertStore. This cert store is a temporary one, so it's not yet into the cert store you want. You then have to open the cert store you want to really import the certificate into (by using CertOpenSystemStore), extract the certificate object from the temporary cert store with CertEnumCertificatesInStore and insert it into the final cert store with CertAddCertificateContextToStore.

This code shows all of the above more or less:

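#include <Windows.h>
#include <wincrypt.h>

int main(int argc, char** argv) {
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    // Read the PFX into a fixed buffer; a file larger than 8192 bytes would be truncated.
    unsigned char buffer[8192];
    CRYPT_DATA_BLOB key;
    key.cbData = 0;
    key.pbData = buffer;

    HANDLE h = CreateFileW(L"c:\\temp\\server.pfx", FILE_GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    ReadFile(h, buffer, sizeof(buffer), &key.cbData, NULL);
    CloseHandle(h);

    // Import the PFX into a temporary in-memory certificate store.
    HCERTSTORE store = PFXImportCertStore(&key, L"mypassword", 0);
    // Take the first (assumed only) certificate from the temporary store.
    PCCERT_CONTEXT ctx = CertEnumCertificatesInStore(store, NULL);
    // Open the current user's ROOT store and copy the certificate into it.
    HCERTSTORE rootStore = CertOpenSystemStoreW(0, L"ROOT");
    CertAddCertificateContextToStore(rootStore, ctx, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
    // The context was not handed back to CertEnumCertificatesInStore, so release it here.
    CertFreeCertificateContext(ctx);
    CertCloseStore(store, 0);
    CertCloseStore(rootStore, 0);
    return 0;
}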

For the sake of brevity, the code does not include any error checks. It also assumes that there is only one certificate in the temporary store (otherwise you should put CertEnumCertificatesInStore in a loop). Anyway, I think that you can build from here (you should check the options available for many of the methods).

Remember to add crypt32.lib to the project.
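
A check to run after an import like the one above, added here as an example and not part of the original answer: it lists the trusted roots that exist only for the current user and flags any that carry a private key, which a PFX import can leave linked to the root entry. It assumes the default Cert: PowerShell provider on Windows; the variable names are illustrative.

```powershell
# Added example: audit trusted roots that exist only in the current user's store.
# Cert:\CurrentUser\Root is a merged view that also shows the machine-wide roots,
# so any thumbprint missing from Cert:\LocalMachine\Root was added per user.

$machineRoots = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
    $machineRoots[$_.Thumbprint] = $true
}

$findings = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { -not $machineRoots.ContainsKey($_.Thumbprint) } |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            # True when a private key on this machine is linked to the root entry
            HasPrivateKey = $_.HasPrivateKey
        }
    }

if (-not $findings) {
    Write-Output 'No user-only trusted roots found.'
} else {
    $findings | Sort-Object Subject | Format-Table -AutoSize -Wrap

    # A trust anchor only needs the public certificate; a key stored next to it
    # lets anything running as this user issue certificates the user will trust.
    $withKey = @($findings | Where-Object HasPrivateKey)
    if ($withKey.Count -gt 0) {
        Write-Warning "$($withKey.Count) user-only root(s) have a private key on this machine."
    }
}
```

A root reported with HasPrivateKey set to True is usually better re-imported from the certificate file alone, with the key kept wherever signing actually happens.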
