Github user sohami commented on a diff in the pull request:
https://github.com/apache/drill/pull/950#discussion_r141247355
--- Diff: contrib/native/client/src/clientlib/wincert.ipp ---
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if defined(IS_SSL_ENABLED)
+
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+
+#if defined _WIN32 || defined _WIN64
+
+#include <stdio.h>
+#include <windows.h>
+#include <wincrypt.h>
+#include <cryptuiapi.h>
+#include <iostream>
+#include <tchar.h>
+
+
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "cryptui.lib")
+
+#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
+
+inline
+int loadSystemTrustStore(const SSL *ssl) {
+ HCERTSTORE hStore;
+ PCCERT_CONTEXT pContext = NULL;
+ X509 *x509;
+ char* stores[] = {
+ "CA",
+ "MY",
+ "ROOT",
+ "SPC"
+ };
+
+ SSL_CTX * ctx = SSL_get_SSL_CTX(ssl);
+ X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+
+ for(int i=0; i<4; i++){
+ hStore = CertOpenSystemStore(NULL, stores[i]);
+
+ if (!hStore)
+ return 1;
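Review bot: The `stores[]` list at the top of `loadSystemTrustStore` includes "MY", which is the current user's personal certificate store and not a set of trust anchors; if its contents are added to the `X509_STORE` obtained from `SSL_CTX_get_cert_store(ctx)`, any self-signed certificate the user keeps there becomes a root for server verification. Consider limiting the list to "ROOT" (plus "CA" for intermediates) unless there is a documented reason for the others. Separately, `char* stores[]` points at string literals and should be `const char*`, the loop bound `i<4` should be derived from the array size instead of hard-coded, and `CertOpenSystemStore` is a TCHAR macro, so passing narrow literals only compiles in non-UNICODE builds; calling `CertOpenSystemStoreA` explicitly would avoid that.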
--- End diff --
This means we will return with failure while opening any of the 4 system
stores. Should we instead try all 4 system stores and log the ones for which
failure happened (by appending the names to string param suggested in above
comment) but still succeed if any one store was successfully opened?
But then I think we should also check if there is at least one certificate
which was added to X509 store out of these system stores?
---