tls: Load system certificates on Windows

Signed-off-by: Jesse Schwartzentruber <[email protected]>
fluent · Feb 12, 2022 · c802088 · c802088
1 parent 66a6938
commit c802088
Showing 1 changed file with 50 additions and 1 deletion.
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -133,14 +133,63 @@ static void tls_context_destroy(void *ctx_backend)
     flb_free(ctx);
 }
 
+#ifdef _MSC_VER
+static int windows_load_system_certificates(struct tls_context *ctx)
+{
+    int ret;
+    HANDLE win_store;
+    PCCERT_CONTEXT win_cert = NULL;
+    const unsigned char *win_cert_data;
+    X509_STORE *ossl_store = SSL_CTX_get_cert_store(ctx->ctx);
+    X509 *ossl_cert;
+
+    win_store = CertOpenSystemStoreA(0, "Root");
+    if (win_store == NULL) {
+        flb_error("[tls] Cannot open cert store: %i", GetLastError());
+        return -1;
+    }
+
+    while (win_cert = CertEnumCertificatesInStore(win_store, win_cert)) {
+        if (win_cert->dwCertEncodingType & X509_ASN_ENCODING) {
+            /*
+             * Decode the certificate into X509 struct.
+             *
+             * The additional pointer variable is necessary per OpenSSL docs because the
+             * pointer is incremented by d2i_X509.
+             */
+            win_cert_data = win_cert->pbCertEncoded;
+            ossl_cert = d2i_X509(NULL, &win_cert_data, win_cert->cbCertEncoded);
+            if (!ossl_cert) {
+                flb_debug("[tls] Cannot parse a certificate. skipping...");
+                continue;
+            }
+
+            /* Add X509 struct to the openssl cert store */
+            ret = X509_STORE_add_cert(ossl_store, ossl_cert);
+            if (!ret) {
+                flb_warn("[tls] Failed to add a certificate to the store: %lu: %s",
+                         ERR_get_error(), ERR_error_string(ERR_get_error(), NULL));
+            }
+            X509_free(ossl_cert);
+        }
+    }
+
+    if (!CertCloseStore(win_store, 0)) {
+        flb_error("[tls] Cannot close cert store: %i", GetLastError());
+        return -1;
+    }
+    return 0;
+}
+#endif
+
 static int load_system_certificates(struct tls_context *ctx)
 {
     int ret;
     const char ca_path[] = "/etc/ssl/certs/";
 
     /* For Windows use specific API to read the certs store */
 #ifdef _MSC_VER
-    //return windows_load_system_certificates(ctx);
+    return windows_load_system_certificates(ctx);
 #endif
 
     if (access(RHEL_DEFAULT_CA, R_OK) == 0) {