[TLS/Windows] Skip disallowed certs in the trusted CA list.

Turns out the list of trusted root certificates contains disallowed
certificates (i.e. certificates which are no longer trusted or have been
revoked).

We need to read the property `CERT_DISALLOWED_FILETIME_PROP_ID` to
determine if and when the certificates should be distrusted.
Fabio Alessandrelli 2023-05-14 14:38:46 +02:00
parent 964a5353db
commit 58c6f88802


@ -1680,10 +1680,20 @@ String OS_Windows::get_system_ca_certificates() {
HCERTSTORE cert_store = CertOpenSystemStoreA(0, "ROOT");
ERR_FAIL_COND_V_MSG(!cert_store, "", "Failed to read the root certificate store.");
FILETIME curr_time;
GetSystemTimeAsFileTime(&curr_time);
String certs;
PCCERT_CONTEXT curr = CertEnumCertificatesInStore(cert_store, nullptr);
while (curr) {
DWORD size = 0;
FILETIME ft;
DWORD size = sizeof(ft);
// Check if the certificate is disallowed.
if (CertGetCertificateContextProperty(curr, CERT_DISALLOWED_FILETIME_PROP_ID, &ft, &size) && CompareFileTime(&curr_time, &ft) != -1) {
curr = CertEnumCertificatesInStore(cert_store, curr);
continue;
}
// Encode and add to certificate list.
bool success = CryptBinaryToStringA(curr->pbCertEncoded, curr->cbCertEncoded, CRYPT_STRING_BASE64HEADER | CRYPT_STRING_NOCR, nullptr, &size);
ERR_CONTINUE(!success);
PackedByteArray pba;