NetSSL_Win certificate verification failure when intermediate certificates are not available in the Windows trusted store

[bhatkarthik]

poco/NetSSL_Win/src/SecureSocketImpl.cpp

Line 1222 in 69d15c5

if (!CertGetCertificateChain(

• Poco is passing the hAdditionalStore parameter as null when calling CertGetCertificateChain.
• When the intermediate certificates are not installed on the machine, looks like hCertStore of the CERT_CONTEXT member needs to be passed as hAdditionalStore parameter to CertGetCertificateChain, for it to be able to build the entire chain.
• Without this, the created certificate chain seems to contain only the leaf certificate and thus the certificate validation fails
  • It fails to find the back of the chain (in this case leaf itself), in the certificate store.

  • poco/NetSSL_Win/src/SecureSocketImpl.cpp

    Line 1288 in 69d15c5

    PCCERT_CONTEXT pResult = CertFindCertificateInStore(trustedCerts, certs.back()->dwCertEncodingType, 0, CERT_FIND_ISSUER_OF, certs.back(), 0);

• Windows (Schannel) gives the handle to the store containing intermediate certificates under hCertStore memeber of CERT_CONTEXT certificate obtained from QueryContextAttributes (Schannel)

Note:

• Curl and Chromium seems to be passing this hAdditionalStore argument
  • https://chromium.googlesource.com/chromium/src/net/+/master/cert/cert_verify_proc_win.cc#1208
  • https://github.com/curl/curl/blob/master/lib/vtls/schannel_verify.c#L669

[grmcdorman]

There is a related issue: if Windows downloads the root CA to the Trusted Root store (LocalMachine\ROOT) when the chain is built, the subsequent check for the root CA fails despite the certificate being present. It appears that there is some sort of caching going in Windows when Poco keeps the root store open; opening the root store again and adding it to the context certificate will allow the verification to pass, i.e. this code as a workaround in the onInvalidCertificate callback:

            auto &manager{ Poco::Net::SSLManager::instance() };
            auto contextPointer{ manager.defaultClientContext() };

            static HCERTSTORE store{ nullptr };
            if (store != nullptr)
            {
                CertRemoveStoreFromCollection(contextPointer->certificateStore(), store);
                CertCloseStore(store, 0);
            }

            store = ::CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_LOCAL_MACHINE, L"Root");

            if (!CertAddStoreToCollection(contextPointer->certificateStore(), store, CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 1))
            {
                throw Poco::Net::SSLException("Failed to add root certificate store to collection store", GetLastError());

[github-actions]

This issue is stale because it has been open for 365 days with no activity.

[github-actions]

This issue was closed because it has been inactive for 60 days since being marked as stale.