fix: load certs on windows from registry (#11016)

fixes #11007
4 years ago · ce0e17b62b
parent 303be1866d
commit ce0e17b62b
3 changed files with 88 additions and 3 deletions
--- a/pkg/certs/ca-certs.go
+++ b/pkg/certs/ca-certs.go
@ -26,10 +26,10 @@ import (
 // GetRootCAs - returns all the root CAs into certPool
 // at the input certsCADir
 func GetRootCAs(certsCAsDir string) (*x509.CertPool, error) {
-	rootCAs, _ := x509.SystemCertPool()
+	rootCAs, _ := loadSystemRoots()
 	if rootCAs == nil {
-		// In some systems (like Windows) system cert pool is
-		// not supported or no certificates are present on the
+		// In some systems system cert pool is not supported
+		// or no certificates are present on the
 		// system - so we create a new cert pool.
 		rootCAs = x509.NewCertPool()
 	}
--- a/pkg/certs/cert_pool_nix.go
+++ b/pkg/certs/cert_pool_nix.go
@ -0,0 +1,25 @@
+// +build !windows
+
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package certs
+
+import "crypto/x509"
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	return x509.SystemCertPool()
+}
--- a/pkg/certs/cert_pool_windows.go
+++ b/pkg/certs/cert_pool_windows.go
@ -0,0 +1,60 @@
+// +build windows
+
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package certs
+
+import (
+	"crypto/x509"
+	"syscall"
+	"unsafe"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+	const CRYPTENOTFOUND = 0x80092004
+
+	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+	if err != nil {
+		return nil, err
+	}
+	defer syscall.CertCloseStore(store, 0)
+
+	roots := x509.NewCertPool()
+	var cert *syscall.CertContext
+	for {
+		cert, err = syscall.CertEnumCertificatesInStore(store, cert)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok {
+				if errno == CRYPTENOTFOUND {
+					break
+				}
+			}
+			return nil, err
+		}
+		if cert == nil {
+			break
+		}
+		// Copy the buf, since ParseCertificate does not create its own copy.
+		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+		buf2 := make([]byte, cert.Length)
+		copy(buf2, buf)
+		if c, err := x509.ParseCertificate(buf2); err == nil {
+			roots.AddCert(c)
+		}
+	}
+	return roots, nil
+}