ssl.enum_certificates() regression

[schlenk]

BPO	35941
Nosy	@pfmoore, @tiran, @tjguk, @zware, @zooba, @miss-islington, @kctherookie, @christian-intra2net, @neonene
PRs	bpo-35941: Fix ssl certificate enumeration for windows #11923 bpo-35941: Fix ssl certificate enumeration for windows #12486 [3.7] bpo-35941: Fix ssl certificate enumeration for windows (GH-12486) #12609 bpo-35941: Fix performance regression in new code #12610 [3.8] bpo-35941: Fix performance regression in SSL certificate code (GH-12610) #15803 [3.7] bpo-35941: Fix performance regression in SSL certificate code (GH-12610) #15804

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2019-09-10.11:19:16.194>
created_at = <Date 2019-02-08.14:43:29.692>
labels = ['expert-SSL', 'type-bug', 'OS-windows']
title = 'ssl.enum_certificates() regression'
updated_at = <Date 2019-09-10.11:19:16.193>
user = 'https://bugs.python.org/schlenk'

bugs.python.org fields:

activity = <Date 2019-09-10.11:19:16.193>
actor = 'christian.heimes'
assignee = 'none'
closed = True
closed_date = <Date 2019-09-10.11:19:16.194>
closer = 'christian.heimes'
components = ['Windows', 'SSL']
creation = <Date 2019-02-08.14:43:29.692>
creator = 'schlenk'
dependencies = []
files = []
hgrepos = []
issue_num = 35941
keywords = ['patch']
message_count = 20.0
messages = ['335084', '335085', '335087', '335983', '336011', '338555', '338558', '338561', '338564', '339066', '339068', '339069', '339073', '347726', '347744', '347752', '351514', '351591', '351596', '351598']
nosy_count = 10.0
nosy_names = ['paul.moore', 'christian.heimes', 'tim.golden', 'zach.ware', 'steve.dower', 'schlenk', 'miss-islington', 'kc', 'christian-intra2net', 'neonene']
pr_nums = ['11923', '12486', '12609', '12610', '15803', '15804']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue35941'
versions = ['Python 2.7']

[schlenk]

The introduction of the ReadOnly flag in the ssl.enum_certificates() function implementation has introduced a regression.

The old version returned certificates for both the current user and the local system, the new function only enumerates system wide certificates and ignores the current user.

The old function before Patch from https://bugs.python.org/issue25939 used a different function to open the certificate store (CertOpenStore vs. CertOpenSystemStore). Probably some of the param flags are not identical, the new code explictly lists only local system.

Testing:

1. Import a self signed CA only into the 'current user' trustworthy certificates.
2. Use IE to Connect to a https:// website using that trust root. Works.
3. Try to open the website with old python and new python.
   Old one works, new one fails.

Or just enum certificates:

1. Import a self signed CA into the current_user trusted store.
2. Compare outputs of:
   import ssl
   len(ssl.enum_certificates('ROOT'))

[tiran]

I guess the flags are wrong. https://hg.python.org/cpython/rev/d6474257ef38 changed flags to CERT_SYSTEM_STORE_LOCAL_MACHINE. To get local user certs, the flag should probably be CERT_SYSTEM_STORE_CURRENT_USER.

[schlenk]

It probably is even worse.

The flag seems to specifiy the physical locations, and just using CERT_SYSTEM_STORE_LOCAL_SYSTEM probably misses the certificates distributed by Group Policy or AD too, in addition to the stores for the current user.

See https://blogs.msdn.microsoft.com/muaddib/2013/10/18/understanding-and-managing-the-certificate-stores-used-for-smart-card-logon/

[zooba]

The PR requires PEP-7 to be applied thoroughly, but I think the concept is sound enough.

[kctherookie]

Adjusted the code to conform with PEP-7.

[christian-intra2net]

Hi, I encountered this problem as well. May I know why you have withdrawn your pull request?