Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/950#discussion_r141247355 --- Diff: contrib/native/client/src/clientlib/wincert.ipp --- 
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if defined(IS_SSL_ENABLED)
+
+#include <openssl/x509.h>
+#include <openssl/ssl.h>
+
+#if defined _WIN32 || defined _WIN64
+
+#include <stdio.h>
+#include <windows.h>
+#include <wincrypt.h>
+#include <cryptuiapi.h>
+#include <iostream>
+#include <tchar.h>
+
+
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "cryptui.lib")
+
+#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
+
+inline
+int loadSystemTrustStore(const SSL *ssl) {
+ HCERTSTORE hStore;
+ PCCERT_CONTEXT pContext = NULL;
+ X509 *x509;
+ char* stores[] = {
+ "CA",
+ "MY",
+ "ROOT",
+ "SPC"
+ };
+
+ SSL_CTX * ctx = SSL_get_SSL_CTX(ssl);
+ X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+
+ for(int i=0; i<4; i++){
+ hStore = CertOpenSystemStore(NULL, stores[i]);
+
+ if (!hStore)
+ return 1;
--- End diff -- This means we will return with failure while opening any of the 4 system store. Should we instead try all 4 system stores and log the ones for which failure happened (by appending the names to string param suggested in above comment) but still succeed if anyone store was successfully opened ? 
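Review bot: The `stores` table in `loadSystemTrustStore` feeds the "MY" and "SPC" stores into the same `X509_STORE` as "ROOT", which widens trust beyond what Windows' own chain engine accepts: Windows anchors trust only in ROOT (CA holds intermediates), whereas MY is the user's own end-entity/client certificates and SPC is a legacy software-publisher store, so a self-signed certificate sitting in either of them would presumably become a valid trust anchor for server verification once the (unquoted) rest of the loop adds it to `store`. Unless there is a documented reason to trust those stores, limit the table to `const char *stores[] = { "ROOT", "CA" };` and drive the loop with `sizeof stores / sizeof stores[0]` rather than the literal `4`, so the bound cannot drift from the table. The `const` is also needed for correctness: initialising `char* stores[]` from string literals is ill-formed in C++11, and if `UNICODE` is defined for this translation unit `CertOpenSystemStore` resolves to the wide-character variant and the `char*` argument will not compile — the build flags are not visible here, so treat that as something to confirm. Note too that the certificate contexts Windows hands out carry per-certificate EKU/purpose properties that OpenSSL does not see, so a root restricted to e.g. code signing would be trusted for TLS after import. The body of `loadSystemTrustStore` continues past the end of the quoted hunk.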
But then I think we should also check that at least one certificate was actually added to the X509 store from these system stores?
---