Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: crypto/x509: add functions to download certificates from windows update, and retrieve certificates from windows x509stores #26950

Open
jeet-parekh opened this issue Aug 13, 2018 · 5 comments

Comments

@jeet-parekh
Copy link
Contributor

commented Aug 13, 2018

SystemCertPool() hasn't been working on Windows (#16736). That issue was fixed once. But since Windows does not ship with all of its root certificates installed, it caused some unexpected behavior (#18609).

The missing certificates can be downloaded from windows update using certutil.exe present on Windows.

There are also other multiple certificate stores on Windows. There are two store locations, and a bunch of stores in each location.

We could retrieve the certificates from windows update and all of the above locations. Then remove the disallowed certificates from that entire collection. That way SystemCertPool() can be fixed.

I have been working on it - CL 127577. While working on it, I created two new functions. One would retrieve the certificates from any location mentioned in the MSDN docs - windows509Store(). And the other would download the certificates from windows update - downloadWUCerts().

I opened this proposal to welcome a discussion regarding whether or not we should export those two new functions to the standard library. The code would be there regardless. Because there are multiple certificate stores on Windows, these functions could provide the end user a bit more control if needed.

@gopherbot gopherbot added this to the Proposal milestone Aug 13, 2018

@gopherbot gopherbot added the Proposal label Aug 13, 2018

@jeet-parekh

This comment has been minimized.

Copy link
Contributor Author

commented Aug 13, 2018

@gopherbot, please add label OS-Windows

@adamdecaf

This comment has been minimized.

Copy link
Contributor

commented Aug 13, 2018

Should there be an environment variable to disable this? What if the network is down/slow?

@jeet-parekh

This comment has been minimized.

Copy link
Contributor Author

commented Aug 14, 2018

Should there be an environment variable to disable this?

Sorry, but I didn't get that. Disable what? If you mean the way Windows downloads the certificates on demand... then no, there isn't a way to disable that.

What if the network is down/slow?

downloadWUCerts() won't work if the network is down.

@adamdecaf

This comment has been minimized.

Copy link
Contributor

commented Aug 14, 2018

If the network is slow that means SystemCertPool() could block, for say a minute (or more)? That's not ideal.

What about environments without a network? Why can't we offer a way to disable this?

@jeet-parekh

This comment has been minimized.

Copy link
Contributor Author

commented Aug 15, 2018

I agree, blocking would not be ideal.

I think giving a way to enable/disable fetching certs from windows update would increase the complexity a bit. If we rely on an environment variable, the user would have to change it whenever their network status changes. Or whenever they want to enable/disable downloading certs from WU.

Instead, we could just return an error mentioning that certs were not downloaded from WU. I described a way to do it in the CL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.