Gowri Visweswaran's Technical Blog

Thoughts on Technology.

Add a Windows CA root trust store to OpenSSL trust store.

OpenSSL on Windows currently has no support for reading the Windows CA root trust store directly. Below is the source code for a wincrypt adapter that reads the CA trust certificates from the Windows "root" store and adds them to an OpenSSL trust store. This code was tested with MinGW 32 version 3.X on a Windows 8.1 machine. Two caveats: it must be linked against crypt32 (-lcrypt32) in addition to the OpenSSL libraries, and it imports every root as trusted for every purpose, whereas Windows itself can restrict a root to particular enhanced key usages; OpenSSL never sees those restrictions.

/* For Windows, the CA trust store is not read by OpenSSL.
   Open the trust store using the wincrypt API and add
   the root certs into the OpenSSL trust store.
   Build with MinGW: link against -lcrypt32 as well as -lssl -lcrypto. */
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/err.h>

/* NOTE: mingw versions 3.X do not have this constant. Its value is
   CERT_SYSTEM_STORE_CURRENT_USER_ID (1) shifted left by
   CERT_SYSTEM_STORE_LOCATION_SHIFT (16). */
#ifndef CERT_SYSTEM_STORE_CURRENT_USER
#define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
#endif

static int 
add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
{
	HCERTSTORE      hSystemStore;
	PCCERT_CONTEXT  pTargetCert = NULL;
	X509_STORE     *store;
	int             ok = 0;
	int             added = 0;

	/* load just once per context lifetime for this version of getdns
	   TODO: dynamically update CA trust changes as they are available */
	if (!tls_ctx)
		return 0;

	store = SSL_CTX_get_cert_store(tls_ctx);
	if (!store)
		return 0;

	/* Call wincrypt's CertOpenStore to open the CA root store. */
	hSystemStore = CertOpenStore(
		CERT_STORE_PROV_SYSTEM,
		0,
		0,
		CERT_SYSTEM_STORE_CURRENT_USER,
		L"root");
	if (hSystemStore == NULL)
		return 0;

	/* failure if the CA store is empty or the call fails */
	pTargetCert = CertEnumCertificatesInStore(hSystemStore, NULL);
	if (pTargetCert == NULL) {
		printf("*** %s: CA certificate store for Windows is empty.\n",
			__FUNCTION__);
		goto done;
	}

	/* iterate over the windows cert store and add to openssl store */
	do 
	{
		/* d2i_X509 advances the pointer it is given, so pass a copy:
		   pbCertEncoded belongs to the CERT_CONTEXT and must not be moved. */
		const unsigned char *der = pTargetCert->pbCertEncoded;
		X509 *cert1 = d2i_X509(NULL, &der, pTargetCert->cbCertEncoded);
		unsigned long err;

		if (!cert1) {
			/* return error if a cert fails to parse; read the error code
			   once, a second ERR_get_error() would pop a different entry */
			err = ERR_get_error();
			printf("*** %s: unable to parse certificate in memory (%lu:%s)\n",
				__FUNCTION__, err, ERR_error_string(err, NULL));
			goto done;
		}
		/* X509_STORE_add_cert takes its own reference to cert1,
		   so the local reference is released right after */
		if (X509_STORE_add_cert(store, cert1) == 0) {
			err = ERR_get_error();
			X509_free(cert1);
			/* pre-1.1.0 OpenSSL reports a root that is already in the
			   store as an error; skip it and keep going */
			if (ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE)
				continue;
			/* return error if a cert add to store fails */
			printf("*** %s: error adding certificate (%lu:%s)\n",
				__FUNCTION__, err, ERR_error_string(err, NULL));
			goto done;
		}
		X509_free(cert1);
		added++;
	} while ((pTargetCert = CertEnumCertificatesInStore(
		hSystemStore, pTargetCert)) != NULL);

	ok = (added > 0);

done:
	/* Clean up memory and quit. CertEnumCertificatesInStore frees the
	   previous context on every call, so only an early exit leaves one open. */
	if (pTargetCert)
		CertFreeCertificateContext(pTargetCert);
	if (!CertCloseStore(hSystemStore, 0))
		ok = 0;
	return ok;
}

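The adapter above trusts every certificate in the "root" store for every purpose, but Windows lets an administrator restrict a root to particular enhanced key usages, and a root limited to, say, code signing must not anchor a TLS server chain. The following Python is an added example, not part of the original post or of getdns, showing the same wincrypt-to-OpenSSL import with that filter applied. It uses the standard library's ssl.enum_certificates(), which wraps CertEnumCertificatesInStore and reports each root's trust purposes, and SSLContext.load_verify_locations(cadata=...) to add the DER certificates to OpenSSL's store. SAMPLE_ENTRIES are constructed placeholders in the shape enum_certificates() returns (the "DER" bytes are not real certificates and are never parsed by the filter); the Windows enumeration itself only runs on Windows.

```python
import ssl
import sys

# OID for id-kp-serverAuth (RFC 5280, section 4.2.1.12).
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def trusted_for(entry, purpose_oid):
    """Return True if one ssl.enum_certificates() entry is trusted for purpose_oid.

    Each entry is (cert_bytes, encoding_type, trust). trust is either True,
    meaning the root is trusted for every purpose, or a set of EKU OID
    strings that Windows limits the root to. An empty set trusts nothing.
    """
    _cert_bytes, _encoding, trust = entry
    if trust is True:
        return True
    return purpose_oid in trust


def select_roots(entries, purpose_oid=SERVER_AUTH_OID):
    """Reduce enum_certificates() entries to DER roots trusted for purpose_oid.

    PKCS#7 blobs are skipped and duplicates dropped: the same root can be
    listed more than once, and older OpenSSL rejects a second add.
    """
    seen = set()
    roots = []
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        if not trusted_for((cert_bytes, encoding, trust), purpose_oid):
            continue
        if cert_bytes in seen:
            continue
        seen.add(cert_bytes)
        roots.append(cert_bytes)
    return roots


def load_windows_roots(ctx, store_name="ROOT", purpose_oid=SERVER_AUTH_OID):
    """Add the Windows roots trusted for purpose_oid to an SSLContext.

    Returns the number of roots loaded. Windows only: ssl.enum_certificates
    does not exist on other platforms.
    """
    if not hasattr(ssl, "enum_certificates"):
        raise OSError("ssl.enum_certificates is only available on Windows")
    roots = select_roots(ssl.enum_certificates(store_name), purpose_oid)
    for der in roots:
        # cadata accepts a bytes-like object holding DER-encoded certificates.
        ctx.load_verify_locations(cadata=der)
    return len(roots)


# Constructed sample entries in the shape enum_certificates() returns.
# The bytes are placeholders standing in for DER, not real certificates.
SAMPLE_ENTRIES = [
    (b"\x30\x82ROOT-A", "x509_asn", True),                                # every purpose
    (b"\x30\x82ROOT-B", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),               # code signing only
    (b"\x30\x82ROOT-C", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),
    (b"\x30\x82ROOT-A", "x509_asn", True),                                # duplicate listing
    (b"\x30\x82BLOB-D", "pkcs_7_asn", True),                              # not a bare cert
]


if __name__ == "__main__":
    chosen = select_roots(SAMPLE_ENTRIES)
    print("roots trusted for server auth in the sample:",
          [r[2:].decode() for r in chosen])
    if sys.platform == "win32":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
        print("loaded", load_windows_roots(ctx), "Windows roots for server auth")
```

On Windows, ssl.create_default_context() already performs this enumeration and purpose filter through load_default_certs(), which reads the CA and ROOT system stores, so a Python client normally gets it for free; spelling it out as above lets the same filter be applied to a context you build yourself, and it is exactly the check the C adapter above lacks.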

Demonstrating an alternative root using dnsviz.net

For purely research purposes, there may be a need or a desire to see how an alternative root setup behaves. One such example is the Yeti root. Here is an example using dnsviz.net, where you can supply additional root zone keys to serve as the DNSSEC chain of trust.

The dnsviz.net result for a sample domain, getdnsapi.net, analysed via the Yeti root servers is here.

Steps to accomplish this are as follows:

* Go to dnsviz.net, select Analyze and open the Advanced Options (Forced ancestor analysis). Pick "." (i.e. the root) and, in the text box for authoritative servers, enter the alternative root's authoritative servers (the Yeti root servers in the example above), one per line.

* Next, specify the root trust anchor: select DNSSEC, then DNSSEC Options, and paste the root trust anchor into the text field labeled "Additional trusted keys:", making sure to include the entire line starting with ". IN DNSKEY ...".


getdns 0.9.0!

Version 0.9.0 of getdns has been released and is available here.

This release brings the implementation on par with the December 2015 version of the specification and has (almost) all of the still remaining functionality from the specification implemented.

These include:

* Respecting the given DNS root servers in recursive resolution mode

* TSIG authentication. Specification of upstreams with getdns_query has been extended to configure a TSIG name and secret.

* Operation of suffixes and the "append_name" setting.

* The add_warning_for_bad_dns extension.

Other new features and noteworthy improvements are:

* Functions to convert getdns_dicts representing resource records to and from wire- and zone file format.

* TCP Fast Open support whenever available on the platform (now including Mac OS X).

* Client-side edns-tcp-keepalive support

* Pinning of upstreams' certificate public keys with pinsets (TLS transport)

* Initial support for Windows; this version is built using Mingw32 and tested on Windows 8.1.

IETF-94 Hackathon adventures!

We did it again: the DNS team were in the top 3 at the IETF-93 Hackathon in Prague and repeated the win at Yokohama! Our team's award was titled "DNS: Best Internet Security Improvement"!

More information about the fantastic work done by the team and the team members is found here!

My entry was the getdns “Check TLS at Recursive” tool, written using the getdns node.js bindings. The demo of my project is available here.


Hello Blog

Welcome and thank you for reading my blog! I will be posting on the work that I am doing in the DNS Ecosystem.