Wt HTTP client: use Windows CA certificates

RockinRoel · RockinRoel · commit ad4a73b63811 · 2019-04-12T09:08:52.000+02:00
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -547,6 +547,9 @@ ENDIF(ENABLE_LIBWTTEST)
 IF(HAVE_SSL)
   TARGET_LINK_LIBRARIES(wt PRIVATE ${SSL_LIBRARIES})
   INCLUDE_DIRECTORIES(${SSL_INCLUDE_DIRS})
+  IF(WIN32)
+    TARGET_LINK_LIBRARIES(wt PRIVATE Crypt32.lib)
+  ENDIF(WIN32)
 ELSE(HAVE_SSL)
   MESSAGE("** Disabling crypto support (Auth::SHA1HashFunction, HTTPS support): requires OpenSSL.")
   IF(ENABLE_SSL)
diff --git a/src/Wt/Http/Client.C b/src/Wt/Http/Client.C
@@ -26,6 +26,10 @@
 
 #define VERIFY_CERTIFICATE
 
+#ifdef WT_WIN32
+#include "web/SslUtils.h"
+#endif // WT_WIN32
+
 #endif // WT_WITH_SSL
 
 #ifdef WT_WIN32
@@ -972,10 +976,13 @@ bool Client::request(Http::Method method, const std::string& url,
 
     context.set_options(sslOptions);
 
-
 #ifdef VERIFY_CERTIFICATE
-    if (verifyEnabled_)
+    if (verifyEnabled_) {
       context.set_default_verify_paths();
+#ifdef WT_WIN32
+      Ssl::addWindowsCACertificates(context);
+#endif // WT_WIN32
+    }
 
     if (!verifyFile_.empty() || !verifyPath_.empty()) {
       if (!verifyFile_.empty())
diff --git a/src/web/SslUtils.C b/src/web/SslUtils.C
@@ -3,11 +3,22 @@
  *
  * See the LICENSE file for terms of use.
  */
+#include <Wt/WConfig.h>
+
+#ifdef WT_WITH_SSL
+#ifdef WT_WIN32
+#include <Wt/AsioWrapper/ssl.hpp>
+#endif // WT_WIN32
+#endif // WT_WITH_SSL
 
 #include "SslUtils.h"
 
 #ifdef WT_WITH_SSL
 #include <openssl/ssl.h>
+
+#ifdef WT_WIN32
+#include <wincrypt.h>
+#endif // WT_WIN32
 #endif //WT_WITH_SSL
 
 #ifdef WT_WITH_SSL
@@ -166,6 +177,32 @@ namespace Wt {
       
       return certificate;
     }
+
+#ifdef WT_WIN32
+    void addWindowsCACertificates(asio::ssl::context &ctx) {
+      HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT");
+      if (hStore == NULL) {
+        return;
+      }
+
+      X509_STORE *store = X509_STORE_new();
+      PCCERT_CONTEXT pContext = NULL;
+      while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
+        X509 *x509 = d2i_X509(NULL,
+          (const unsigned char **)&pContext->pbCertEncoded,
+          pContext->cbCertEncoded);
+        if (x509 != NULL) {
+          X509_STORE_add_cert(store, x509);
+          X509_free(x509);
+        }
+      }
+
+      CertFreeCertificateContext(pContext);
+      CertCloseStore(hStore, 0);
+
+      SSL_CTX_set_cert_store(ctx.native_handle(), store);
+    }
+#endif // WT_WIN32
   }
 }
 #endif //WT_WITH_SSL
diff --git a/src/web/SslUtils.h b/src/web/SslUtils.h
@@ -7,6 +7,8 @@
 #ifndef SSLUTILS_H_
 #define SSLUTILS_H_
 
+#include <Wt/WConfig.h>
+
 #include <string>
 #include <vector>
 
@@ -16,6 +18,25 @@
 #ifdef WT_WITH_SSL
 #include <openssl/ssl.h>
 
+#ifdef WT_WIN32
+#ifdef WT_ASIO_IS_BOOST_ASIO
+namespace boost {
+  namespace asio {
+    namespace ssl {
+      class context;
+    }
+  }
+}
+namespace asio = boost::asio;
+#else // WT_ASIO_IS_STANDALONE_ASIO
+namespace asio {
+  namespace ssl {
+    class context;
+  }
+}
+#endif // WT_ASIO_IS_STANDALONE_ASIO
+#endif // WT_WIN32
+
 namespace Wt {
   namespace Ssl {
     std::vector<Wt::WSslCertificate::DnAttribute>
@@ -28,6 +49,10 @@ namespace Wt {
     std::string exportToPem(struct x509_st *x509);
 
     struct x509_st *readFromPem(const std::string &pem);
+
+#ifdef WT_WIN32
+    extern void addWindowsCACertificates(asio::ssl::context &ctx);
+#endif // WT_WIN32
   }
 }
 #endif //WT_WITH_SSL
