From 58c6f8880274f3103ca1391170c64157d4fdb6cd Mon Sep 17 00:00:00 2001
From: Fabio Alessandrelli <fabio.alessandrelli@gmail.com>
Date: Sun, 14 May 2023 14:38:46 +0200
Subject: [PATCH] [TLS/Windows] Skip disallowed certs in the trusted CA list.

Turns out the list of trusted root certificates contains disallowed
certificates (i.e. certificates which are no longer trusted or have been
revoked).

We need to check for the property `CERT_DISALLOWED_FILETIME_PROP_ID` to
check if and when the certificates should be distrusted.
---
 platform/windows/os_windows.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/platform/windows/os_windows.cpp b/platform/windows/os_windows.cpp
index bd7d9f178ab..ae1649c75dc 100644
--- a/platform/windows/os_windows.cpp
+++ b/platform/windows/os_windows.cpp
@@ -1680,10 +1680,20 @@ String OS_Windows::get_system_ca_certificates() {
 	HCERTSTORE cert_store = CertOpenSystemStoreA(0, "ROOT");
 	ERR_FAIL_COND_V_MSG(!cert_store, "", "Failed to read the root certificate store.");
 
+	FILETIME curr_time;
+	GetSystemTimeAsFileTime(&curr_time);
+
 	String certs;
 	PCCERT_CONTEXT curr = CertEnumCertificatesInStore(cert_store, nullptr);
 	while (curr) {
-		DWORD size = 0;
+		FILETIME ft;
+		DWORD size = sizeof(ft);
+		// Check if the certificate is disallowed.
+		if (CertGetCertificateContextProperty(curr, CERT_DISALLOWED_FILETIME_PROP_ID, &ft, &size) && CompareFileTime(&curr_time, &ft) != -1) {
+			curr = CertEnumCertificatesInStore(cert_store, curr);
+			continue;
+		}
+		// Encode and add to certificate list.
 		bool success = CryptBinaryToStringA(curr->pbCertEncoded, curr->cbCertEncoded, CRYPT_STRING_BASE64HEADER | CRYPT_STRING_NOCR, nullptr, &size);
 		ERR_CONTINUE(!success);
 		PackedByteArray pba;