Opened 2 years ago

Last modified 7 weeks ago

#6371 enhancement new

Support native Windows trusted CA database for SSL certificate validation

Reported by: itamar Owned by: aronbierbaum
Priority: normal Milestone:
Component: core Keywords:
Cc: adi@… Branch: branches/windows-trust-root-6371
Author: glyph Launchpad Bug:


This was originally part of #5446, where Glyph wrote:

On Windows - and this is purely from a quick glance at the reference documentation, so take it with a grain of salt - I believe the right way to do this is to use CertOpenSystemStore with the string "CA", or possibly "ROOT", or maybe both, and then do CertEnumCertificatesInStore or maybe just PFXExportCertStoreEx to dump the certs into a format we can import into OpenSSL.
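The sequence Glyph sketches (open the "CA" and "ROOT" system stores, enumerate the certificates, dump them in a form OpenSSL accepts) can be demonstrated with a small Python script. The script below is an added example for this ticket, not the attached patch and not Twisted or wincertstore code; it reads the stores through the standard library's `ssl.enum_certificates()` (Windows-only, Python 3.4+) instead of wincertstore or direct `CertOpenSystemStore` calls, converts each DER blob to PEM with `ssl.DER_cert_to_PEM_cert()`, and keeps only anchors whose trust covers TLS server authentication. The function names, the `SAMPLE_ENTRIES` data and the certificate bytes in it are constructed for the example (the bytes are not a real certificate); the EKU OIDs are the standard id-kp values.

```python
"""Collect Windows trusted root/CA certificates into a PEM bundle.

Added example for Twisted ticket #6371, not the ticket's patch. Uses the
standard-library ssl.enum_certificates() (Windows only) in place of
wincertstore or raw crypt32 calls. Function names are this example's own.
"""
import ssl
import sys

# Extended Key Usage OIDs (id-kp-serverAuth, id-kp-clientAuth, id-kp-codeSigning).
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"

# Store names named in the ticket: intermediate CAs and trusted roots.
DEFAULT_STORES = ("CA", "ROOT")

# Constructed sample in the shape ssl.enum_certificates() returns:
# (cert_bytes, encoding_type, trust). The DER bytes are a dummy blob,
# not a real certificate; trust is True or a set of EKU OIDs.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_ENTRIES = [
    (SAMPLE_DER, "x509_asn", True),                          # trusted for all purposes
    (SAMPLE_DER, "x509_asn", {CODE_SIGNING_OID}),            # code signing only
    (SAMPLE_DER, "x509_asn", {SERVER_AUTH_OID, CLIENT_AUTH_OID}),
    (SAMPLE_DER, "pkcs_7_asn", True),                        # PKCS#7 blob, skipped
]


def is_server_auth_trust_anchor(encoding_type, trust):
    """Keep only single X.509 DER entries whose trust covers TLS server auth.

    A root the OS trusts only for code signing must not become a TLS anchor,
    so a restricted trust set is honoured rather than ignored.
    """
    if encoding_type != "x509_asn":
        return False
    if trust is True:
        return True
    return SERVER_AUTH_OID in trust


def select_server_auth_certs(entries):
    """Filter enum_certificates()-style tuples down to usable DER blobs."""
    return [der for der, enc, trust in entries
            if is_server_auth_trust_anchor(enc, trust)]


def der_to_pem(der_bytes):
    """Wrap one DER certificate in PEM armour, the form OpenSSL imports."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def build_ca_bundle(entries):
    """Concatenate the selected anchors into a single PEM bundle string."""
    return "".join(der_to_pem(der) for der in select_server_auth_certs(entries))


def load_windows_trust_roots(stores=DEFAULT_STORES):
    """Enumerate the named system stores (Windows only)."""
    if sys.platform != "win32":
        raise OSError("ssl.enum_certificates() is only available on Windows")
    entries = []
    for store in stores:
        entries.extend(ssl.enum_certificates(store))
    return entries


def make_verifying_context(bundle_pem):
    """Client context that verifies peers against the bundle and checks hostnames."""
    ctx = ssl.create_default_context(cadata=bundle_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    if sys.platform == "win32":
        entries = load_windows_trust_roots()
    else:
        entries = SAMPLE_ENTRIES   # offline demonstration on the constructed data
    bundle = build_ca_bundle(entries)
    print("%d anchors, %d bytes of PEM" % (bundle.count("BEGIN CERTIFICATE"), len(bundle)))
    if sys.platform == "win32":
        make_verifying_context(bundle)   # raises if any real anchor fails to parse
```

On Windows the script prints how many anchors it collected and loads them into an `SSLContext`; elsewhere it runs the filtering and PEM conversion on the constructed sample only, since the dummy bytes would not parse as a certificate. Honouring the per-certificate trust set is the part worth keeping in any port of this idea: the Windows store marks some roots as trusted for limited purposes, and exporting all of them as TLS anchors widens the trust base beyond what the OS itself grants.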

Attachments (3)

windows_trust_root.patch (4.4 KB) - added by aronbierbaum 6 months ago.
windows_trust_root2.patch (4.4 KB) - added by aronbierbaum 6 months ago.
windows-trust-root-6371-2.patch (4.4 KB) - added by aronbierbaum 6 months ago.


Change History (12)

comment:1 Changed 2 years ago by exarkun

There is a Python library to help out with this too:

This may be easier than writing C, or Cython, or using ctypes or cffi. Or maybe not, I haven't investigated much. But it's something to look at I guess.

comment:2 Changed 14 months ago by itamar

wincertstore is written with ctypes.

comment:3 Changed 14 months ago by aronbierbaum

I have been working on an implementation that uses ctypes also. In the spirit of not duplicating effort, is anyone else also working on a solution?

comment:4 Changed 14 months ago by itamar

Assuming wincertstore does what it says it does, presumably that's who you should talk to. Unless you want to add something to Twisted, in which case using wincertstore seems like a good start.

Changed 6 months ago by aronbierbaum

comment:5 Changed 6 months ago by aronbierbaum

  • Keywords review ssl added

I have added an initial pass at adding support for certificate verification on Windows using the wincertstore package. Please provide feedback and required changes.

Changed 6 months ago by aronbierbaum

Changed 6 months ago by aronbierbaum

comment:6 Changed 4 months ago by glyph

  • Keywords ssl removed

We use keywords for workflow, and ssl is not a workflow state. Therefore, removing that keyword.

comment:7 Changed 4 months ago by glyph

  • Author set to glyph
  • Branch set to branches/windows-trust-root-6371

(In [43870]) Branching to windows-trust-root-6371.

comment:8 Changed 4 months ago by glyph

  • Keywords review removed
  • Owner set to aronbierbaum

Hi aronbierbaum! Thanks very much for this contribution - it's an important building block of Twisted's client TLS subsystem, and I'm glad someone is working on this :).

Unfortunately this first cut at the patch looks like it's not in great shape:

  1. there are a number of coding-standard violations.
  2. some of the tests are failing on some platforms.
  3. wincertstore should really be included in the list of setuptools extras for the tls extra on Windows.

However, the general idea of using wincertstore is pretty good, and it looks like the implementation is basically correct. I'm looking forward to re-reviewing this!

comment:9 Changed 7 weeks ago by adiroiban

  • Cc adi@… added