(windows) when using OpenSSL, the system store is used to populate the cacert. No need to ship a cacert.pem file with your app.

2020-04-04 18:33:01 -07:00
parent d1cd5e62ac
commit f9d75c9374
3 changed files with 63 additions and 1 deletions
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All changes to this project will be documented in this file.

+## [9.2.1] - 2020-04-04
+
+(windows) when using OpenSSL, the system store is used to populate the cacert. No need to ship a cacert.pem file with your app.
+
 ## [9.2.0] - 2020-04-04

 (windows) ci: windows build with TLS (mbedtls) + verify that we can be build with OpenSSL
--- a/ixwebsocket/IXSocketOpenSSL.cpp
+++ b/ixwebsocket/IXSocketOpenSSL.cpp
@@ -21,6 +21,57 @@
 #endif
 #define socketerrno errno

+#ifdef _WIN32
+namespace
+{
+    bool loadWindowsSystemCertificates(SSL_CTX* ssl, std::string& errorMsg)
+    {
+        DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
+                      CERT_SYSTEM_STORE_CURRENT_USER;
+        HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
+
+        if (!systemStore)
+        {
+            errorMsg = "CertOpenStore failed with ";
+            errorMsg += std::to_string(GetLastError());
+            return false;
+        }
+
+        PCCERT_CONTEXT certificateIterator = NULL;
+        X509_STORE* opensslStore = SSL_CTX_get_cert_store(ssl);
+
+        int certificateCount = 0;
+        while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
+        {
+            X509* x509 = d2i_X509(NULL,
+                                  (const unsigned char**) &certificateIterator->pbCertEncoded,
+                                  certificateIterator->cbCertEncoded);
+
+            if (x509)
+            {
+                if (X509_STORE_add_cert(opensslStore, x509) == 1)
+                {
+                    ++certificateCount;
+                }
+
+                X509_free(x509);
+            }
+        }
+
+        CertFreeCertificateContext(certificateIterator);
+        CertCloseStore(systemStore, 0);
+
+        if (certificateCount == 0)
+        {
+            errorMsg = "No certificates found";
+            return false;
+        }
+
+        return true;
+    }
+} // namespace
+#endif
+
 namespace ix
 {
    const std::string kDefaultCiphers =
@@ -336,6 +387,12 @@ namespace ix
        {
            if (_tlsOptions.isUsingSystemDefaults())
            {
+#ifdef _WIN32
+                if (!loadWindowsSystemCertificates(_ssl_context, errMsg))
+                {
+                    return false;
+                }
+#else
                if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0)
                {
                    auto sslErr = ERR_get_error();
@@ -343,6 +400,7 @@ namespace ix
                    errMsg += ERR_error_string(sslErr, nullptr);
                    return false;
                }
+#endif
            }
            else if (SSL_CTX_load_verify_locations(
                         _ssl_context, _tlsOptions.caFile.c_str(), NULL) != 1)
--- a/ixwebsocket/IXWebSocketVersion.h
+++ b/ixwebsocket/IXWebSocketVersion.h
@@ -6,4 +6,4 @@

 #pragma once

-#define IX_WEBSOCKET_VERSION "9.2.0"
+#define IX_WEBSOCKET_VERSION "9.2.1"