crypto/x509: make SystemCertPool work on Windows? #16736

Open
bradfitz opened this issue Aug 16, 2016 · 9 comments · May be fixed by #26770

Comments

@bradfitz
Member

commented Aug 16, 2016

https://golang.org/pkg/crypto/x509/#SystemCertPool doesn't work on Windows:

    func SystemCertPool() (*CertPool, error) {
        if runtime.GOOS == "windows" {
            return nil, errors.New("crypto/x509: system root pool is not available on Windows")
        }
        ....

I checked it in with the commit message "SystemCertPool returns an error on Windows. Maybe it's fixable later." (a62ae9f, golang.org/cl/21293, #13335)

This bug is about fixing it.

/cc @alexbrainman

@bradfitz bradfitz added the OS-Windows label Aug 16, 2016

@bradfitz bradfitz added this to the Go1.8Maybe milestone Aug 16, 2016

@alexbrainman

Member

commented Aug 18, 2016

I really don't know, I am not a security expert. But I think you want to open LocalMachine\root (or maybe CurrentUser\root) certificate store, and read all certificates there with CertEnumCertificatesInStore or similar. What do you think?

Alex

@bradfitz

Member Author

commented Aug 22, 2016

Sounds plausible.

I don't think this requires a security expert as much as somebody who can read MSDN docs.

@gopherbot


commented Oct 7, 2016

CL https://golang.org/cl/30578 mentions this issue.

@quentinmit quentinmit added the NeedsFix label Oct 10, 2016

@gopherbot gopherbot closed this in 05471e9 Oct 17, 2016

mariash added a commit to concourse/fly that referenced this issue Nov 21, 2016
only append to system cert pool on non-windows os
SystemCertPool is not supported on windows in go 1.7.
see golang/go#16736
Once 1.8 is released we can remove special condition and always append
to system cert pool.

[#133304007]

Signed-off-by: Maria Shaldibina <mshaldibina@pivotal.io>
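
The fallback that the commit message above describes, written as an added example (not code from concourse/fly or the Go project): try the system pool, and if the loader returns an error or a nil pool, as reported in this thread for Windows, start from an empty pool and tell the caller. The names `poolWithExtraCA` and `constructedCA` are hypothetical, and the loader is passed in so the failure can be simulated on any OS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// poolWithExtraCA (hypothetical helper) returns the system roots plus caPEM. If load
// fails or yields a nil pool, it falls back to caPEM alone and reports usedSystem=false.
func poolWithExtraCA(load func() (*x509.CertPool, error), caPEM []byte) (*x509.CertPool, bool, error) {
	pool, err := load()
	usedSystem := err == nil && pool != nil
	if !usedSystem {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, false, fmt.Errorf("caPEM contains no usable certificate")
	}
	return pool, usedSystem, nil
}

// constructedCA builds a throwaway self-signed CA (constructed sample input).
func constructedCA() ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := constructedCA()
	_, usedSystem, perr := poolWithExtraCA(x509.SystemCertPool, ca)
	fmt.Println("system roots included:", usedSystem, "errors:", err, perr)
}
```

When `usedSystem` is false the returned pool trusts only the extra CA, so a `tls.Config` that sets it as `RootCAs` will reject servers whose chains end in the operating system's roots.
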
@jeffallen

Contributor

commented Feb 14, 2017

Note: This change was rolled back in #18609. SystemCertPool on Windows on Go 1.8 still returns nil. @bradfitz Maybe you could re-open this and remove the go1.8maybe tag on it? Thanks.

@alexbrainman alexbrainman modified the milestones: Go1.9, Go1.8Maybe Feb 14, 2017

@alexbrainman alexbrainman reopened this Feb 14, 2017

@alexbrainman

Member

commented Feb 14, 2017

@jeffallen Done.

Alex

@felixbecker


commented Mar 20, 2018

Hi, I came from issue #18609 and am trying to understand what can help. Maybe, as a look over the fence, this is how dotnetcore addresses this (https://github.com/dotnet/corefx/tree/master/src/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates). Just trying to get a better understanding of what fails and what could help.

@sssilver


commented Apr 17, 2018

Is there an estimate of when will this be fixed/released? Milestone is specified as Go1.11, which is due in July--is this accurate?

@alexbrainman

Member

commented Apr 17, 2018

> Is there an estimate of when will this be fixed/released?

I don't believe anyone is working on this.

Alex

@gopherbot


commented Aug 2, 2018

Change https://golang.org/cl/127577 mentions this issue: crypto/x509: make SystemCertPool work on Windows
