crypto/x509: implement SystemCertPool on Windows

mattn · bradfitz · commit 05471e9ee64a · 2016-10-17T08:29:16.000Z
Fixes #16736 Change-Id: I335d201e3f6738d838de3881087cb640fc7670e8 Reviewed-on: https://go-review.googlesource.com/30578 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/src/crypto/x509/cert_pool.go b/src/crypto/x509/cert_pool.go
@@ -7,8 +7,6 @@ package x509
 import (
 	"bytes"
 	"encoding/pem"
-	"errors"
-	"runtime"
 )
 
 // CertPool is a set of certificates.
@@ -31,9 +29,6 @@ func NewCertPool() *CertPool {
 // Any mutations to the returned pool are not written to disk and do
 // not affect any other pool.
 func SystemCertPool() (*CertPool, error) {
-	if runtime.GOOS == "windows" {
-		return nil, errors.New("crypto/x509: system root pool is not available on Windows")
-	}
 	return loadSystemRoots()
 }
 
diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go
@@ -225,4 +225,37 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 	return chains, nil
 }
 
-func loadSystemRoots() (*CertPool, error) { return nil, nil }
+func loadSystemRoots() (*CertPool, error) {
+	const CRYPT_E_NOT_FOUND = 0x80092004
+
+	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+	if err != nil {
+		return nil, err
+	}
+	defer syscall.CertCloseStore(store, 0)
+
+	roots := NewCertPool()
+	var cert *syscall.CertContext
+	for {
+		cert, err = syscall.CertEnumCertificatesInStore(store, cert)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok {
+				if errno == CRYPT_E_NOT_FOUND {
+					break
+				}
+			}
+			return nil, err
+		}
+		if cert == nil {
+			break
+		}
+		// Copy the buf, since ParseCertificate does not create its own copy.
+		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+		buf2 := make([]byte, cert.Length)
+		copy(buf2, buf)
+		if c, err := ParseCertificate(buf2); err == nil {
+			roots.AddCert(c)
+		}
+	}
+	return roots, nil
+}
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
@@ -1457,3 +1457,10 @@ func TestMultipleRDN(t *testing.T) {
 		t.Errorf("got serial number of %q, but want %q", cert.Subject.SerialNumber, want)
 	}
 }
+
+func TestSystemCertPool(t *testing.T) {
+	_, err := SystemCertPool()
+	if err != nil {
+		t.Fatal(err)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -1457,3 +1457,10 @@ func TestMultipleRDN(t *testing.T) {`
`1457`	`1457`	`t.Errorf("got serial number of %q, but want %q", cert.Subject.SerialNumber, want)`
`1458`	`1458`	`}`
`1459`	`1459`	`}`
	`1460`	`+`
	`1461`	`+func TestSystemCertPool(t *testing.T) {`
	`1462`	`+ _, err := SystemCertPool()`
	`1463`	`+ if err != nil {`
	`1464`	`+ t.Fatal(err)`
	`1465`	`+ }`
	`1466`	`+}`