Merge pull request #493 from wakatime/bugfix/fix-system-root-certs-on…

…-windows

Load system root CA certs on Windows

pkg/api/transport.go

@@ -105,7 +105,7 @@ emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 
 // CACerts returns a root cert pool with the system's cacerts and LetsEncrypt's root certs.
 func CACerts() *x509.CertPool {
- certs, err := x509.SystemCertPool()
+ certs, err := loadSystemRoots()
  if err != nil {
  log.Warnf("unable to use system cert pool: %s", err)
  }

pkg/api/transport_other.go

@@ -0,0 +1,11 @@
+// +build !windows
+
+package api
+
+import (
+ "crypto/x509"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+ return x509.SystemCertPool()
+}

pkg/api/transport_windows.go

@@ -0,0 +1,44 @@
+// +build windows
+
+package api
+
+import (
+ "crypto/x509"
+ "syscall"
+ "unsafe"
+)
+
+func loadSystemRoots() (*x509.CertPool, error) {
+ const CRYPT_E_NOT_FOUND = 0x80092004
+
+ store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+ if err != nil {
+ return nil, err
+ }
+ defer syscall.CertCloseStore(store, 0)
+
+ roots := x509.NewCertPool()
+ var cert *syscall.CertContext
+ for {
+ cert, err = syscall.CertEnumCertificatesInStore(store, cert)
+ if err != nil {
+ if errno, ok := err.(syscall.Errno); ok {
+ if errno == CRYPT_E_NOT_FOUND {
+ break
+ }
+ }
+ return nil, err
+ }
+ if cert == nil {
+ break
+ }
+ // Copy the buf, since ParseCertificate does not create its own copy.
+ buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:cert.Length:cert.Length]
+ buf2 := make([]byte, cert.Length)
+ copy(buf2, buf)
+ if c, err := x509.ParseCertificate(buf2); err == nil {
+ roots.AddCert(c)
+ }
+ }
+ return roots, nil
+}