Add Windows system roots loading support.

The logic in this change is based on the snippet by @RayKoopa: https://github.com/grpc/grpc/issues/25533#issuecomment-1080725304 Tested manually via the Cloud KMS CNG provider (https://github.com/GoogleCloudPlatform/kms-integrations), which has been relying on manually setting the GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable.
1 year ago · 793a5a30cb
parent 554788a6d3
commit 793a5a30cb
16 changed files with 111 additions and 2 deletions
--- a/1
+++ b/1
@ -3335,6 +3335,7 @@ grpc_cc_library(
        "//src/core:lib/security/credentials/tls/tls_utils.cc",
        "//src/core:lib/security/security_connector/load_system_roots_fallback.cc",
        "//src/core:lib/security/security_connector/load_system_roots_supported.cc",
+        "//src/core:lib/security/security_connector/load_system_roots_windows.cc",
        "//src/core:lib/security/util/json_util.cc",
    ],
    hdrs = [
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -2377,6 +2377,7 @@ add_library(grpc
  src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
  src/core/lib/security/security_connector/load_system_roots_fallback.cc
  src/core/lib/security/security_connector/load_system_roots_supported.cc
+  src/core/lib/security/security_connector/load_system_roots_windows.cc
  src/core/lib/security/security_connector/local/local_security_connector.cc
  src/core/lib/security/security_connector/security_connector.cc
  src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
@ -3052,6 +3053,7 @@ add_library(grpc_unsecure
  src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
  src/core/lib/security/security_connector/load_system_roots_fallback.cc
  src/core/lib/security/security_connector/load_system_roots_supported.cc
+  src/core/lib/security/security_connector/load_system_roots_windows.cc
  src/core/lib/security/security_connector/security_connector.cc
  src/core/lib/security/transport/client_auth_filter.cc
  src/core/lib/security/transport/secure_endpoint.cc
@ -4949,6 +4951,7 @@ add_library(grpc_authorization_provider
  src/core/lib/security/credentials/tls/tls_utils.cc
  src/core/lib/security/security_connector/load_system_roots_fallback.cc
  src/core/lib/security/security_connector/load_system_roots_supported.cc
+  src/core/lib/security/security_connector/load_system_roots_windows.cc
  src/core/lib/security/security_connector/security_connector.cc
  src/core/lib/security/transport/client_auth_filter.cc
  src/core/lib/security/transport/secure_endpoint.cc
--- a/2
+++ b/2
@ -1640,6 +1640,7 @@ LIBGRPC_SRC = \
    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
    src/core/lib/security/security_connector/load_system_roots_fallback.cc \
    src/core/lib/security/security_connector/load_system_roots_supported.cc \
+    src/core/lib/security/security_connector/load_system_roots_windows.cc \
    src/core/lib/security/security_connector/local/local_security_connector.cc \
    src/core/lib/security/security_connector/security_connector.cc \
    src/core/lib/security/security_connector/ssl/ssl_security_connector.cc \
@ -2176,6 +2177,7 @@ LIBGRPC_UNSECURE_SRC = \
    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
    src/core/lib/security/security_connector/load_system_roots_fallback.cc \
    src/core/lib/security/security_connector/load_system_roots_supported.cc \
+    src/core/lib/security/security_connector/load_system_roots_windows.cc \
    src/core/lib/security/security_connector/security_connector.cc \
    src/core/lib/security/transport/client_auth_filter.cc \
    src/core/lib/security/transport/secure_endpoint.cc \
--- a/Package.swift
+++ b/Package.swift
@ -1596,6 +1596,7 @@ let package = Package(
        "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
        "src/core/lib/security/security_connector/load_system_roots_supported.cc",
        "src/core/lib/security/security_connector/load_system_roots_supported.h",
+        "src/core/lib/security/security_connector/load_system_roots_windows.cc",
        "src/core/lib/security/security_connector/local/local_security_connector.cc",
        "src/core/lib/security/security_connector/local/local_security_connector.h",
        "src/core/lib/security/security_connector/security_connector.cc",
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -1712,6 +1712,7 @@ libs:
  - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
  - src/core/lib/security/security_connector/load_system_roots_fallback.cc
  - src/core/lib/security/security_connector/load_system_roots_supported.cc
+  - src/core/lib/security/security_connector/load_system_roots_windows.cc
  - src/core/lib/security/security_connector/local/local_security_connector.cc
  - src/core/lib/security/security_connector/security_connector.cc
  - src/core/lib/security/security_connector/ssl/ssl_security_connector.cc
@ -2695,6 +2696,7 @@ libs:
  - src/core/lib/security/security_connector/insecure/insecure_security_connector.cc
  - src/core/lib/security/security_connector/load_system_roots_fallback.cc
  - src/core/lib/security/security_connector/load_system_roots_supported.cc
+  - src/core/lib/security/security_connector/load_system_roots_windows.cc
  - src/core/lib/security/security_connector/security_connector.cc
  - src/core/lib/security/transport/client_auth_filter.cc
  - src/core/lib/security/transport/secure_endpoint.cc
@ -4540,6 +4542,7 @@ libs:
  - src/core/lib/security/credentials/tls/tls_utils.cc
  - src/core/lib/security/security_connector/load_system_roots_fallback.cc
  - src/core/lib/security/security_connector/load_system_roots_supported.cc
+  - src/core/lib/security/security_connector/load_system_roots_windows.cc
  - src/core/lib/security/security_connector/security_connector.cc
  - src/core/lib/security/transport/client_auth_filter.cc
  - src/core/lib/security/transport/secure_endpoint.cc
--- a/config.m4
+++ b/config.m4
@ -773,6 +773,7 @@ if test "$PHP_GRPC" != "no"; then
    src/core/lib/security/security_connector/insecure/insecure_security_connector.cc \
    src/core/lib/security/security_connector/load_system_roots_fallback.cc \
    src/core/lib/security/security_connector/load_system_roots_supported.cc \
+    src/core/lib/security/security_connector/load_system_roots_windows.cc \
    src/core/lib/security/security_connector/local/local_security_connector.cc \
    src/core/lib/security/security_connector/security_connector.cc \
    src/core/lib/security/security_connector/ssl/ssl_security_connector.cc \
--- a/config.w32
+++ b/config.w32
@ -738,6 +738,7 @@ if (PHP_GRPC != "no") {
    "src\\core\\lib\\security\\security_connector\\insecure\\insecure_security_connector.cc " +
    "src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " +
    "src\\core\\lib\\security\\security_connector\\load_system_roots_supported.cc " +
+    "src\\core\\lib\\security\\security_connector\\load_system_roots_windows.cc " +
    "src\\core\\lib\\security\\security_connector\\local\\local_security_connector.cc " +
    "src\\core\\lib\\security\\security_connector\\security_connector.cc " +
    "src\\core\\lib\\security\\security_connector\\ssl\\ssl_security_connector.cc " +
--- a/gRPC-Core.podspec
+++ b/gRPC-Core.podspec
@ -1693,6 +1693,7 @@ Pod::Spec.new do |s|
                      'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
                      'src/core/lib/security/security_connector/load_system_roots_supported.cc',
                      'src/core/lib/security/security_connector/load_system_roots_supported.h',
+                      'src/core/lib/security/security_connector/load_system_roots_windows.cc',
                      'src/core/lib/security/security_connector/local/local_security_connector.cc',
                      'src/core/lib/security/security_connector/local/local_security_connector.h',
                      'src/core/lib/security/security_connector/security_connector.cc',
--- a/grpc.gemspec
+++ b/grpc.gemspec
@ -1598,6 +1598,7 @@ Gem::Specification.new do |s|
  s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc )
  s.files += %w( src/core/lib/security/security_connector/load_system_roots_supported.cc )
  s.files += %w( src/core/lib/security/security_connector/load_system_roots_supported.h )
+  s.files += %w( src/core/lib/security/security_connector/load_system_roots_windows.cc )
  s.files += %w( src/core/lib/security/security_connector/local/local_security_connector.cc )
  s.files += %w( src/core/lib/security/security_connector/local/local_security_connector.h )
  s.files += %w( src/core/lib/security/security_connector/security_connector.cc )
--- a/grpc.gyp
+++ b/grpc.gyp
@ -956,6 +956,7 @@
        'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
        'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
        'src/core/lib/security/security_connector/load_system_roots_supported.cc',
+        'src/core/lib/security/security_connector/load_system_roots_windows.cc',
        'src/core/lib/security/security_connector/local/local_security_connector.cc',
        'src/core/lib/security/security_connector/security_connector.cc',
        'src/core/lib/security/security_connector/ssl/ssl_security_connector.cc',
@ -1432,6 +1433,7 @@
        'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
        'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
        'src/core/lib/security/security_connector/load_system_roots_supported.cc',
+        'src/core/lib/security/security_connector/load_system_roots_windows.cc',
        'src/core/lib/security/security_connector/security_connector.cc',
        'src/core/lib/security/transport/client_auth_filter.cc',
        'src/core/lib/security/transport/secure_endpoint.cc',
@ -2158,6 +2160,7 @@
        'src/core/lib/security/credentials/tls/tls_utils.cc',
        'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
        'src/core/lib/security/security_connector/load_system_roots_supported.cc',
+        'src/core/lib/security/security_connector/load_system_roots_windows.cc',
        'src/core/lib/security/security_connector/security_connector.cc',
        'src/core/lib/security/transport/client_auth_filter.cc',
        'src/core/lib/security/transport/secure_endpoint.cc',
--- a/package.xml
+++ b/package.xml
@ -1580,6 +1580,7 @@
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_fallback.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_supported.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_supported.h" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_windows.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/local/local_security_connector.cc" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/local/local_security_connector.h" role="src" />
    <file baseinstalldir="/" name="src/core/lib/security/security_connector/security_connector.cc" role="src" />
--- a/src/core/lib/security/security_connector/load_system_roots_fallback.cc
+++ b/src/core/lib/security/security_connector/load_system_roots_fallback.cc
@ -19,7 +19,7 @@
 #include <grpc/support/port_platform.h>

 #if !defined(GPR_LINUX) && !defined(GPR_ANDROID) && !defined(GPR_FREEBSD) && \
-    !defined(GPR_APPLE)
+    !defined(GPR_APPLE) && !defined(GPR_WINDOWS)

 #include <grpc/slice.h>
 #include <grpc/slice_buffer.h>
@ -32,4 +32,5 @@ grpc_slice LoadSystemRootCerts() { return grpc_empty_slice(); }

 }  // namespace grpc_core

-#endif  // !(GPR_LINUX || GPR_ANDROID || GPR_FREEBSD || GPR_APPLE)
+#endif  // !(GPR_LINUX || GPR_ANDROID || GPR_FREEBSD || GPR_APPLE ||
+        // GPR_WINDOWS)
--- a/src/core/lib/security/security_connector/load_system_roots_windows.cc
+++ b/src/core/lib/security/security_connector/load_system_roots_windows.cc
@ -0,0 +1,87 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#if defined(GPR_WINDOWS)
+
+#pragma comment(lib, "crypt32")
+
+#include <wincrypt.h>
+
+#include <grpc/slice.h>
+#include <grpc/slice_buffer.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/gpr/useful.h"
+#include "src/core/lib/security/security_connector/load_system_roots.h"
+
+namespace grpc_core {
+namespace {
+
+std::string utf8Encode(const std::wstring& wstr) {
+  if (wstr.empty()) return std::string();
+
+  int sizeNeeded = WideCharToMultiByte(CP_UTF8, 0, &wstr[0], (int)wstr.size(),
+                                       NULL, 0, NULL, NULL);
+  std::string strTo(sizeNeeded, 0);
+  WideCharToMultiByte(CP_UTF8, 0, &wstr[0], (int)wstr.size(), &strTo[0],
+                      sizeNeeded, NULL, NULL);
+  return strTo;
+}
+
+}  // namespace
+
+grpc_slice LoadSystemRootCerts() {
+  std::string bundle_string;
+
+  // Open root certificate store.
+  HANDLE hRootCertStore = CertOpenSystemStoreW(NULL, L"ROOT");
+  if (!hRootCertStore) {
+    return grpc_empty_slice();
+  }
+
+  // Load all root certificates from certificate store.
+  PCCERT_CONTEXT pCert = NULL;
+  while ((pCert = CertEnumCertificatesInStore(hRootCertStore, pCert)) != NULL) {
+    // Append each certificate in PEM format.
+    DWORD size = 0;
+    CryptBinaryToStringW(pCert->pbCertEncoded, pCert->cbCertEncoded,
+                         CRYPT_STRING_BASE64HEADER, NULL, &size);
+    std::vector<WCHAR> pem(size);
+    CryptBinaryToStringW(pCert->pbCertEncoded, pCert->cbCertEncoded,
+                         CRYPT_STRING_BASE64HEADER, pem.data(), &size);
+    bundle_string += utf8Encode(pem.data());
+  }
+
+  CertCloseStore(hRootCertStore, 0);
+  if (bundle_string.size() == 0) {
+    return grpc_empty_slice();
+  }
+
+  char* result_bundle_string =
+      static_cast<char*>(gpr_zalloc(bundle_string.size() + 1));
+  strcpy(result_bundle_string, bundle_string.data());
+  return grpc_slice_new(result_bundle_string, bundle_string.size() + 1,
+                        gpr_free);
+}
+
+}  // namespace grpc_core
+
+#endif  // GPR_WINDOWS
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
@ -747,6 +747,7 @@ CORE_SOURCE_FILES = [
    'src/core/lib/security/security_connector/insecure/insecure_security_connector.cc',
    'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
    'src/core/lib/security/security_connector/load_system_roots_supported.cc',
+    'src/core/lib/security/security_connector/load_system_roots_windows.cc',
    'src/core/lib/security/security_connector/local/local_security_connector.cc',
    'src/core/lib/security/security_connector/security_connector.cc',
    'src/core/lib/security/security_connector/ssl/ssl_security_connector.cc',
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@ -2595,6 +2595,7 @@ src/core/lib/security/security_connector/load_system_roots.h \
 src/core/lib/security/security_connector/load_system_roots_fallback.cc \
 src/core/lib/security/security_connector/load_system_roots_supported.cc \
 src/core/lib/security/security_connector/load_system_roots_supported.h \
+src/core/lib/security/security_connector/load_system_roots_windows.cc \
 src/core/lib/security/security_connector/local/local_security_connector.cc \
 src/core/lib/security/security_connector/local/local_security_connector.h \
 src/core/lib/security/security_connector/security_connector.cc \
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@ -2376,6 +2376,7 @@ src/core/lib/security/security_connector/load_system_roots.h \
 src/core/lib/security/security_connector/load_system_roots_fallback.cc \
 src/core/lib/security/security_connector/load_system_roots_supported.cc \
 src/core/lib/security/security_connector/load_system_roots_supported.h \
+src/core/lib/security/security_connector/load_system_roots_windows.cc \
 src/core/lib/security/security_connector/local/local_security_connector.cc \
 src/core/lib/security/security_connector/local/local_security_connector.h \
 src/core/lib/security/security_connector/security_connector.cc \