证书与WinHTTP的API钉住 [英] Certificate pinning with WinHTTP API
问题描述
是否有可能实现证书使用Win32 API的WinHTTP寄托,如果又如何?即我怎么能检查对一个已知好之一,$ P $返回的服务器证书pferably而无需将证书永久写入到本地证书存储区。
Is it possible to implement certificate pinning using the Win32 WinHTTP API, and if so how? I.e. how can I check the returned server certificate against a 'known good' one, preferably without having to permanently write the cert into the local certificate store.
推荐答案
(由JWW的回答启发)
(inspired by jww's answer)
首先,我发现此页面是出色的背景阅读钉扎之间的选择证书和公钥钉扎。
Firstly I found this page to be excellent background reading about pinning and the choice between certificate and public key pinning.
我实现了证书使用的WinHTTP API如下锁定:
I implemented certificate pinning using WinHTTP API as follows:
-
在WinHttpOpen但WinHttpConnect之前,设置当请求被发送回调:
After WinHttpOpen but before WinHttpConnect, setup a callback for when requests are sent:
WinHttpSetStatusCallback(hSession,&安培; callbackFunc,WINHTTP_CALLBACK_SENDING_REQUEST,NULL);
在回调函数,获取原始证书BLOB:
In the callback function, retrieve the raw certificate blob:
PCCERT_CONTEXT pCert = NULL;
DWORD的dwSize = sizeof的(pCert);
WinHttpQueryOption(HINTERNET,WINHTTP_OPTION_SERVER_CERT_CONTEXT,&安培; pCert,&安培;的dwSize);
那么,如果做满证书钉扎,比较 SHA1(pCert-> pbCertEn codeD)。
针对已知良好的证书SHA1指纹
Then if doing full certificate pinning, compare sha1(pCert->pbCertEncoded)
against a known good certificate SHA1 thumbprint.
- 或 - 如果做公共密钥,而不是寄托,比较 SHA1(pCert-> pCertInfo-> SubjectPublicKeyInfo.PublicKey.cbData)
针对已知良好SHA1服务器的公钥。
-Or- if doing public key pinning instead, compare sha1(pCert->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData)
against a known good SHA1 of a server public key.
这篇关于证书与WinHTTP的API钉住的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!