Win32: use the OS list of certificate authorities
authorGeoffroy Couprie <geal@videolan.org>
Sat, 30 Apr 2011 17:29:55 +0000 (19:29 +0200)
committerJean-Baptiste Kempf <jb@videolan.org>
Thu, 30 Jun 2011 22:34:04 +0000 (00:34 +0200)
Ref #3682 and #3666
Now, we have
[022d6ffc] main tls client debug: TLS client session initialized
instead of
[004e6ffc] gnutls tls client error: Certificate could not be verified

However, this still doesn't work properly, since we now get:
"access_http acccess error: failed to read answer"

Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
configure.ac
modules/misc/gnutls.c

index 87ade39d73962bbe47cca6956f9cd1aaf27925c7..14c729cc69f4e1cf857175ba1f0aecdd7fac479c 100644 (file)
@@ -4065,7 +4065,7 @@ AS_IF([test "${enable_gnutls}" != "no"], [
     VLC_ADD_CFLAGS([gnutls], [$GNUTLS_CFLAGS])
     AS_IF([test "${SYS}" = "mingw32"], [
       dnl pkg-config --libs gnutls omits these
-      VLC_ADD_LIBS([gnutls], [-lz ${LTLIBINTL}])
+      VLC_ADD_LIBS([gnutls], [-lz ${LTLIBINTL} -lcrypt32])
     ])
     VLC_ADD_LIBS([gnutls], [${GCRYPT_LIBS}])
     VLC_ADD_CFLAGS([gnutls], [${GCRYPT_CFLAGS}])
index cc60b69cc43d1a747312261365525d82f05a2f2a..c0f8a0380b57f4ece9f7efb716481cb2bfaa2176 100644 (file)
@@ -41,6 +41,7 @@
 #endif
 #ifdef WIN32
 # include <io.h>
+# include <wincrypt.h>
 #else
 # include <unistd.h>
 #endif
@@ -439,6 +440,10 @@ static int
 gnutls_Addx509File( vlc_object_t *p_this,
                     gnutls_certificate_credentials_t cred,
                     const char *psz_path, bool b_priv );
+#ifdef WIN32
+static int gnutls_loadOSCAList(vlc_object_t *p_this,
+                               gnutls_certificate_credentials_t cred);
+#endif
 
 static int
 gnutls_Addx509Directory( vlc_object_t *p_this,
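Review bot: The prototype added here spells the credentials type `gnutls_certificate_credentials_t`, while the definition added in the later gnutls.c hunk uses `gnutls_certificate_credentials` (and `gnutls_datum` rather than `gnutls_datum_t`). These presumably resolve to the same types through GnuTLS's older compatibility typedefs, but the un-suffixed names are the legacy spelling. Using the `_t` names in both places keeps declaration and definition textually identical and matches the `gnutls_Addx509File` prototype just above.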
@@ -562,6 +567,37 @@ error:
     return VLC_EGENERIC;
 }
 
+#ifdef WIN32
+static int
+gnutls_loadOSCAList( vlc_object_t *p_this,
+                     gnutls_certificate_credentials cred)
+{
+    HCERTSTORE hCertStore = CertOpenSystemStoreA((HCRYPTPROV)NULL, "ROOT");
+    if (!hCertStore)
+    {
+        msg_Warn (p_this, "could not open the Cert SystemStore");
+        return VLC_EGENERIC;
+    }
+
+    PCCERT_CONTEXT pCertContext = CertEnumCertificatesInStore(hCertStore, NULL);
+    while( pCertContext )
+    {
+        gnutls_datum data = {
+            .data = pCertContext->pbCertEncoded,
+            .size = pCertContext->cbCertEncoded,
+        };
+
+        if(!gnutls_certificate_set_x509_trust_mem(cred, &data, GNUTLS_X509_FMT_DER))
+        {
+            msg_Warn (p_this, "cannot add x509 credential");
+            return VLC_EGENERIC;
+        }
+
+        pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext);
+    }
+    return VLC_SUCCESS;
+}
+#endif
 
 /** TLS client session data */
 typedef struct tls_client_sys_t
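Review bot: The test `if(!gnutls_certificate_set_x509_trust_mem(...))` in the loop does not catch failures, because that function returns the number of certificates processed or a negative error code; a negative result is treated as success and only a return of 0 reaches the error path, so the comparison should be `< 0`. The function also never calls `CertCloseStore` on `hCertStore`, and the early `return` inside the loop leaves the current `pCertContext` unreleased, so both the success and the error path leak. As a trust-store caveat worth a comment above the function: every certificate enumerated from `ROOT` is added as a raw DER trust anchor, so any Windows-side restrictions attached to a root (purpose limits, distrust recorded outside this store) are presumably not carried into GnuTLS. A sketch of the loop with the corrected check and cleanup follows.
```c
    PCCERT_CONTEXT pCertContext = CertEnumCertificatesInStore(hCertStore, NULL);
    int i_ret = VLC_SUCCESS;
    while( pCertContext )
    {
        /* … unchanged: gnutls_datum data initialisation … */

        /* returns the number of certificates processed, or a negative error code */
        if( gnutls_certificate_set_x509_trust_mem(cred, &data, GNUTLS_X509_FMT_DER) < 0 )
        {
            msg_Warn (p_this, "cannot add x509 credential");
            /* enumeration stops early, so the current context must be freed here */
            CertFreeCertificateContext(pCertContext);
            i_ret = VLC_EGENERIC;
            break;
        }

        pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext);
    }
    CertCloseStore(hCertStore, 0);
    return i_ret;
```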
@@ -626,8 +662,13 @@ static int OpenClient (vlc_object_t *obj)
         char path[strlen (confdir)
                    + sizeof ("/ssl/certs/ca-certificates.crt")];
         sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
+#ifdef WIN32
+        gnutls_loadOSCAList (VLC_OBJECT (p_session),
+                             p_sys->x509_cred);
+#else
         gnutls_Addx509File (VLC_OBJECT (p_session),
                             p_sys->x509_cred, path, false);
+#endif
     }
     p_session->pf_handshake = gnutls_HandshakeAndValidate;
     /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
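Review bot: On Windows the `path` buffer is still sized and filled by `sprintf` just above the new `#ifdef WIN32`, but nothing reads it any more; starting the `#ifdef` before the `char path[...]` declaration would avoid the dead variable-length array and the unused-variable warning. The result of `gnutls_loadOSCAList` is also discarded, so if the store cannot be opened the session continues with no trust anchors and the only trace is a warning; a short comment such as `/* on failure no CA is loaded and verification will reject every peer */` would make that fail-closed behaviour explicit. Note too that a CA bundle placed under `confdir` is no longer consulted on Windows after this change, which may surprise users who relied on it. `OpenClient` begins and ends outside this hunk.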