Merge pull request #77063 from Faless/crypto/i_trusted_win_trusted_root_cas_were_trusted

[TLS/Windows] Skip disallowed certs in the trusted CA list.
This commit is contained in:
Rémi Verschelde 2023-05-15 13:46:07 +02:00
commit 7866050e36
No known key found for this signature in database
GPG Key ID: C3336907360768E1
1 changed files with 11 additions and 1 deletions

View File

@ -1680,10 +1680,20 @@ String OS_Windows::get_system_ca_certificates() {
HCERTSTORE cert_store = CertOpenSystemStoreA(0, "ROOT");
ERR_FAIL_COND_V_MSG(!cert_store, "", "Failed to read the root certificate store.");
FILETIME curr_time;
GetSystemTimeAsFileTime(&curr_time);
String certs;
PCCERT_CONTEXT curr = CertEnumCertificatesInStore(cert_store, nullptr);
while (curr) {
DWORD size = 0;
FILETIME ft;
DWORD size = sizeof(ft);
// Check if the certificate is disallowed.
if (CertGetCertificateContextProperty(curr, CERT_DISALLOWED_FILETIME_PROP_ID, &ft, &size) && CompareFileTime(&curr_time, &ft) != -1) {
curr = CertEnumCertificatesInStore(cert_store, curr);
continue;
}
// Encode and add to certificate list.
bool success = CryptBinaryToStringA(curr->pbCertEncoded, curr->cbCertEncoded, CRYPT_STRING_BASE64HEADER | CRYPT_STRING_NOCR, nullptr, &size);
ERR_CONTINUE(!success);
PackedByteArray pba;