https-client: load certificates from the system cert store on Windows

azat · Sep 17, 2019 · 572a565 · 572a565
1 parent 095c8ae
commit 572a565
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 7 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -977,6 +977,9 @@ macro(add_sample_prog ssl name)
 
     if (${ssl})
         target_link_libraries(${name} event_openssl)
+        if(WIN32)
+            target_link_libraries(${name} crypt32)
+        endif()
     endif()
 endmacro()
 if (NOT EVENT__DISABLE_SAMPLES)

diff --git a/sample/https-client.c b/sample/https-client.c
@@ -118,7 +118,6 @@ err_openssl(const char *func)
 	exit(1);
 }
 
-#ifndef _WIN32
 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
 {
@@ -181,6 +180,35 @@ static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
 		return 0;
 	}
 }
+
+#ifdef _WIN32
+static int
+add_cert_for_store(X509_STORE *store, const char *name)
+{
+	HCERTSTORE sys_store = NULL;
+	PCCERT_CONTEXT ctx = NULL;
+	int r = 0;
+
+	sys_store = CertOpenSystemStore(0, name);
+	if (!sys_store) {
+		err("failed to open system certificate store");
+		return -1;
+	}
+	while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) {
+		X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded,
+			ctx->cbCertEncoded);
+		if (x509) {
+			X509_STORE_add_cert(store, x509);
+			X509_free(x509);
+		} else {
+			r = -1;
+			err_openssl("d2i_X509");
+			break;
+		}
+	}
+	CertCloseStore(sys_store, 0);
+	return r;
+}
 #endif
 
 int
@@ -335,17 +363,22 @@ main(int argc, char **argv)
 		goto error;
 	}
 
-#ifndef _WIN32
-	/* TODO: Add certificate loading on Windows as well */
-
 	if (crt == NULL) {
 		X509_STORE *store;
 		/* Attempt to use the system's trusted root certificates. */
 		store = SSL_CTX_get_cert_store(ssl_ctx);
+#ifdef _WIN32
+		if (add_cert_for_store(store, "CA") < 0 ||
+		    add_cert_for_store(store, "AuthRoot") < 0 ||
+		    add_cert_for_store(store, "ROOT") < 0) {
+			goto error;
+		}
+#else // _WIN32
 		if (X509_STORE_set_default_paths(store) != 1) {
 			err_openssl("X509_STORE_set_default_paths");
 			goto error;
 		}
+#endif // _WIN32
 	} else {
 		if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) {
 			err_openssl("SSL_CTX_load_verify_locations");
@@ -376,9 +409,6 @@ main(int argc, char **argv)
 	 * "wrapping" OpenSSL's routine, not replacing it. */
 	SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
 					  (void *) host);
-#else // _WIN32
-	(void)crt;
-#endif // _WIN32
 
 	// Create event base
 	base = event_base_new();