Porting Code for Pulling Root Certs from Windows Store to Linux -- How Do I Do It?

DragonOsman

New Member
Joined
Aug 1, 2022
Messages
3
Reaction score
0
Credits
32
Hi, everyone. First post here.

I have this server code I wrote in C++ a few years ago that I'm trying to enable ALPN and HTTP/2 support in. I've added code for ALPN already. I have code for pulling root certs from the Windows Cert Store in there that I want to port to Linux, but I want to ask: how do I do this?

My current code is here. Here's the full code repo.

The reason I want to do this is that I want to use nghttp2 to handle the HTTP/2 requests but I can't do much without Cygwin or WSL. Their ASIO C++ wrapper has to be enabled with a `./configure` flag or it can't be built, and the proxy server requires Cygwin or WSL to be built too.
 


When porting code, or writing portable code, the key thing is to ensure that all library dependencies are portable and available on all platforms that you want your application to support.

The use of Boost in your code is fine. Boost is fully portable.
From a very brief look at your code, the only thing I can see that isn’t portable is the dependency on wincrypt, which is windows only.

So your best bet will probably be to port your application to use OpenSSL, or GnuTLS instead of wincrypt.

OpenSSL and GnuTLS are portable and should work on Windows and Linux.
So it should be fine to fully migrate away from wincrypt.

That should make your codebase about as portable as it ever could be.

Or if you wanted, you could perhaps take the intermediate step of keeping wincrypt in your code for now. And you could use pre-processor macros to separate windows specific code and Linux specific code and perform conditional compilation.

That way your windows version can use wincrypt and your linux version will use OpenSSL, or GnuTLS.

Once you have your Linux build tested and working, you could try removing the wincrypt dependency and all of the conditional compilation stuff and see if the windows build will work with OpenSSL/GnuTLS.

It should just work though. So taking the conditional compilation route might be unnecessary. However, if you do take that route and OpenSSL/GnuTLS do not play nicely in windows, you can always revert your codebase back to the conditional compilation version.

Personally, I’d imagine that completely removing the wincrypt dependency will be fine. As I said earlier, it will instantly make your application more portable. And should build and run on any supported platform.

But you could take the more cautious route and use conditional compilation at first, whilst trying to get your Linux version running. And then try to remove the dependency on wincrypt and the conditional compilation later.
Completely up to you!

I’m not familiar with wincrypt though, so you’ll have to take a look at OpenSSL and GnuTLS and try to work out how to swap out the wincrypt calls with equivalent calls from one of the other libraries.

Likewise, I’m not familiar with nghttp2!
 
Thanks for the advice.

Don't you at least know what OpenSSL functions are for pulling root certs from the root cert store? The wincrypt-specific code I have is for doing that, after all.

I think it'd be simpler to just use OpenSSL instead of going the conditional compilation route.
 
Thanks for the advice.

Don't you at least know what OpenSSL functions are for pulling root certs from the root cert store? The wincrypt-specific code I have is for doing that, after all.

I think it'd be simpler to just use OpenSSL instead of going the conditional compilation route.

Unfortunately, I have no idea. I haven’t really done anything much with SSL. I’ve spent the last 15 years working on desktop CAD applications in C++. I built and maintained some server side applications/micro services at a previous job that probably used SSL, but that was a long time ago!
 
I hope someone has knowledge of the Linux crypto API for this, as it seems I'll have to write conditional compilation code with #if directives after all.

So yeah, how do I do this in Linux? Someone please help. Thanks.
 
So yeah, how do I do this in Linux? Someone please help. Thanks.
Linux systems have a package with the root certificates in it, for example on my Fedora system it's called "ca-certificates". I don't know how to program but I would think you should be able to grab them from there from within your C++ code.
Code:
Name         : ca-certificates
Version      : 2022.2.54
Release      : 1.2.fc36
Architecture : noarch
Size         : 2.2 M
Source       : ca-certificates-2022.2.54-1.2.fc36.src.rpm
Repository   : @System
From repo    : updates
Summary      : The Mozilla CA root certificate bundle
URL          : https://fedoraproject.org/wiki/CA-Certificates
License      : Public Domain
Description  : This package contains the set of CA certificates chosen by the
             : Mozilla Foundation for use with the Internet PKI.
The two bundles are located here on Fedora and when that packages is updated so are the CA certificates.
Code:
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
 
Last edited:

Members online


Top