On 05/06/2020 02:04, Feng LI wrote:
> SSL_CTX_load_verify_locations
> <https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html>
> is required for the UWP port to load a CA file, since OpenSSL will not use
> the CAs of the OS.
>
> But in the UWP build, stdio is disabled
> <https://github.com/openssl/openssl/blob/082c041b4233b17b80129d4ac6b33a28014442b0/Configurations/50-win-onecore.conf#L113>
> by default. However, SSL_CTX_load_verify_locations relies on the default
> X509_STORE file lookup functionality, which uses stdio (via BIO_s_file).
> That basically means no verification of peers and hosts is possible with
> OpenSSL on the UWP port.
>
> Is there a way to fix this, or is there a workaround for UWP?

If you can't use the file or dir lookup capabilities then you will have to
look up certs/CRLs in some other way. There are two possible options that
spring to mind:

1) Implement a custom OSSL_STORE_LOADER (this is probably only viable for
OpenSSL 3.0)

You can implement a custom OSSL_STORE_LOADER via OSSL_STORE_LOADER_new:
https://www.openssl.org/docs/manmaster/man3/OSSL_STORE_LOADER_new.html

You will then need to implement the various functions to find and load the
required CA certificates. Perhaps Richard Levitte might comment on how to
do that.

Once you have a custom OSSL_STORE_LOADER you will need to register it via
OSSL_STORE_register_loader() (also documented on the same man page above).

Finally, you can set your SSL_CTX to use the store via
SSL_CTX_load_verify_store():
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_store.html

2) Implement a custom X509_LOOKUP_METHOD

The file and dir lookup methods that SSL_CTX_load_verify_locations uses are
just the built-in ones. It's entirely possible to create your own.

Creating a custom X509_LOOKUP_METHOD involves creating the method via a call
to X509_LOOKUP_meth_new(). You will then need to additionally set functions
to get certs/CRLs via the different mechanisms, e.g.
X509_LOOKUP_meth_set_get_by_subject(),
X509_LOOKUP_meth_set_get_by_issuer_serial(),
X509_LOOKUP_meth_set_get_by_fingerprint(),
X509_LOOKUP_meth_set_get_by_alias(). Probably you can get away with just
implementing the "get_by_subject" function as a minimal set.

The X509_LOOKUP_METHOD functions are documented here:
https://www.openssl.org/docs/manmaster/man3/X509_LOOKUP_meth_new.html

Once you have a custom X509_LOOKUP_METHOD then you can add it to your
X509_STORE via X509_STORE_add_lookup():
https://www.openssl.org/docs/manmaster/man3/X509_STORE_add_lookup.html

To get the X509_STORE associated with your SSL_CTX you can use
SSL_CTX_get_cert_store():
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_cert_store.html

Hope that helps.

Matt