author Shane Kearns <ext-shane.2.kearns@nokia.com> 2012-03-23 11:01:42 +0000
committer Qt by Nokia <qt-info@nokia.com> 2012-04-11 15:49:02 +0200
commit 7386ab17df94e58efeb2f2fba91b9f816834c077
tree 7c74a96457f9d9ab36fa09b4a38f32602d54182d /src/network/ssl/ssl.pri
parent 62cda62c0c70a75de3f87cbd802a1be24d27ef18
Use windows API to update missing CA roots

Windows ships with a minimal set of CA roots. When using windows API to verify a certificate, it will fetch the root certificate from windows update (assuming it is part of the Microsoft trust program).

As we are using openssl, this does not happen transparently. If SSL errors occur which indicate a broken chain then attempt to fix it using the windows API before emitting sslErrors.

If the system CA certs are not in use (a CA bundle has been set on the socket or as the global configuration), then this is skipped. This is so an application can continue to use its own cert bundle rather than trusting the system certs.

Key usage is specified, so that windows will return not trusted status if the root is not suitable for SSL (server auth or client auth OID).

Testability:
- to test, must delete the CA cert(s) from the "third party root certification authorities" section of the cert store using mmc.exe.
- If the workaround of installing the windows XP cert bundle was performed, then you also need to delete certs from the "trusted root certification authorities" section. This is dangerous, be careful not to delete the required certificates which are documented on MS website
- Naturally, modifying these areas of the cert store requires elevated privilege.

Task-number: QTBUG-24827
Change-Id: I5cfe71c8a10595731f6bbbbabaaefa3313496654
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/network/ssl/ssl.pri')
-rw-r--r-- src/network/ssl/ssl.pri 2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/network/ssl/ssl.pri b/src/network/ssl/ssl.pri
index 87bcc9378a..c81e461d3f 100644
--- a/src/network/ssl/ssl.pri
+++ b/src/network/ssl/ssl.pri
@@ -28,4 +28,6 @@ contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
# Add optional SSL libs
LIBS_PRIVATE += $$OPENSSL_LIBS
+
+ windows:LIBS += -lcrypt32
}
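Review bot: the added `windows:LIBS += -lcrypt32` line uses `LIBS`, while the OpenSSL libraries directly above it are added with `LIBS_PRIVATE`. If crypt32 is only needed by the network module's own certificate-chain code, `LIBS_PRIVATE` would keep the dependency out of the link line of applications that use the module, consistent with the line above. A one-line comment saying that crypt32 is pulled in for the Windows certificate store calls would also help, since nothing in this file explains why an OpenSSL-only block now links a Windows system library.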