问题
- This is an evolution of my previous question, which was about WinHttp.
- I hope this is the right way to do this...
I'm trying to communicate in https with a server using WinInet (from the Win32 API).
Here is a very minimalist code :
HINTERNET ses = InternetOpen("test",INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0) ;
HINTERNET con = InternetOpenUrl( ses,"https://stackoverflow.com",NULL,0,0,0 ) ;
DWORD read ;
char str [3000] ;
InternetReadFile( con,reinterpret_cast<void*>( str ),sizeof( str )-1,&read ) ;
str[read] = 0 ;
cout << &str[0] ;
InternetCloseHandle( con ) ;
InternetCloseHandle( ses ) ;
As long as I communicate with a "classic" https server, like stackoverflow.com, everything goes well. The problem is when I try to communicate with a server that requests an authentication of the client.
I have 3 .pem files : a certificate and a private key for my client, and a root certificate that authenticates my client certificate (i.e. a certificate chain of length 2).
For information, I can connect my server using this cULR command line :
curl https://my.server --cert Client_cert.pem --key Client_key.pem --cacert Root_cert.pem
This is the proof that it's possible!
Reading the WinInet documentation, I found a page named "Handling Authentication", but it's all about username:password, and there's nothing about certificate.
I found out that I have to use the Crypt32 library : I have to create a certificate context with CertCreateCertificateContext and then insert it in a certificat store, and then use that store for my connection...
Well, I must admit that I would be glad to find a good tutorial or some code sample !
By the way, I don't have a piece of clue about how to insert my private key into that stuff...
Thanks in advance !
回答1:
You have to pass your certificate to WinInet using INTERNET_OPTION_CLIENT_CERT_CONTEXT with a call to InternetSetOption():
INTERNET_OPTION_CLIENT_CERT_CONTEXT
84
This flag is not supported by InternetQueryOption. The lpBuffer parameter must be a pointer to a CERT_CONTEXT structure and not a pointer to a CERT_CONTEXT pointer. If an application receives ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED, it must call InternetErrorDlg or use InternetSetOption to supply a certificate before retrying the request. CertDuplicateCertificateContext is then called so that the certificate context passed can be independently released by the application.
So, for example:
InternetSetOption(hI,INTERNET_OPTION_CLIENT_CERT_CONTEXT,(void*)cert,sizeof(CERT_CONTEXT));
Btw, curl calls are not good examples because curl uses libcurl which uses OpenSSL.
来源:https://stackoverflow.com/questions/55297953/client-authentication-certificat-private-key-using-wininet