I am considering overriding the default certificate verification procedure with one that uses the Windows system store (via SSL_CTX_set_cert_verify_callback). The application is a web client and I need to accept company-wide self-signed certificates added to the system store.
Once I have a (possibly incomplete) chain, I
- create an in-memory WinCrypt store,
- add the server-supplied chain (except the final cert) to it
- build a complete chain using WinCrypt from the temp and system stores
- validate the chain using WinCrypt (passing the servername value from the SSL object)
But X509_STORE_CTX_get1_chain() returns the trusted chain, which is only available after X509_verify_cert() runs.
What I need is X509_STORE_CTX::untrusted (which has just the certs from the handshake) but it's apparently not exported via the API.
I could just pass the final cert to WinCrypt but that would mean downloading the intermediate certs which I want to avoid.
My question is, am I doing something backwards ? Should I let openssl build the chain and do the validation, and then redo it using WinCrypt ? That seems gross. I can add a X509_STORE_CTX_get_untrusted() function and rebuild libeay32.dll but I'd rather not.