From b1ee00c75860deaf931652374d1e1334847479c0 Mon Sep 17 00:00:00 2001
From: Ashmita Bohara
Date: Tue, 2 Feb 2021 02:14:35 +0800
Subject: [PATCH 1/5] Use workaround for windows x509.SystemCertPool()
Signed-off-by: Ashmita Bohara
---
 pkg/config/tlscfg/options.go | 7 ++++
 pkg/config/tlscfg/options_unix.go | 23 ++++++++++++
 pkg/config/tlscfg/options_windows.go | 56 ++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 pkg/config/tlscfg/options_unix.go
 create mode 100644 pkg/config/tlscfg/options_windows.go
diff --git a/pkg/config/tlscfg/options.go b/pkg/config/tlscfg/options.go
index 0ed83cc11ce6..c13e386fa8ee 100644
--- a/pkg/config/tlscfg/options.go
+++ b/pkg/config/tlscfg/options.go
@@ -90,6 +90,13 @@ func (p Options) loadCertPool() (*x509.CertPool, error) {
 if err != nil {
 return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
 }
+ if certPool == nil {
+ certPool = x509.NewCertPool()
+ }
+ certPool, err = appendCerts(certPool)
+ if err != nil {
+ return nil, fmt.Errorf("failed to append SystemCertPool: %w", err)
+ }
 return certPool, nil
 }
 certPool := x509.NewCertPool()
diff --git a/pkg/config/tlscfg/options_unix.go b/pkg/config/tlscfg/options_unix.go
new file mode 100644
index 000000000000..0486881c4bed
--- /dev/null
+++ b/pkg/config/tlscfg/options_unix.go
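Review bot: The `appendCerts` call added here is only reached when `systemCertPool()` returns no error, but on the Go releases this workaround was written for (1.16 at the time; the Windows implementation arrived later, in 1.18 as I recall), `x509.SystemCertPool` on Windows returns an error rather than a nil pool — that is the behaviour golang/go#16736, cited in options_windows.go, describes. If `systemCertPool` is the usual alias for that function (its definition is outside this hunk), the store enumeration is never reached on Windows and the caller still gets "failed to load SystemCertPool"; the `certPool == nil` guard does not cover that path. The Windows-only file should treat that expected error as "no system pool available" and start from an empty pool, e.g. `if err != nil || certPool == nil { certPool = x509.NewCertPool() }`, while the non-Windows build keeps propagating errors. The same ordering survives in `createCertPool` (patch 3, options_windows.go) and `loadSystemCertPool` (patch 5, certpool_windows.go). The enclosing `loadCertPool` begins before this hunk.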
@@ -0,0 +1,23 @@
+// Copyright (c) 2021 The Jaeger Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !windows
+
+package tlscfg
+
+import "crypto/x509"
+
+func appendCerts(rootCAs *x509.CertPool) (*x509.CertPool, error) {
+ return rootCAs, nil
+}
diff --git a/pkg/config/tlscfg/options_windows.go b/pkg/config/tlscfg/options_windows.go
new file mode 100644
index 000000000000..415d1383e209
--- /dev/null
+++ b/pkg/config/tlscfg/options_windows.go
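Review bot: `appendCerts` in options_unix.go has no comment, so a reader of this file alone cannot tell that it is the deliberate no-op counterpart of a store-enumerating Windows implementation; I would put `// appendCerts is a no-op outside Windows, where x509.SystemCertPool already supplies the system roots; see options_windows.go for the Windows implementation.` above the func. It is also worth saying in that comment that the `_unix.go` suffix is not one of the GOOS suffixes the go tool recognises, so the `// +build !windows` line is what actually selects this file.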
@@ -0,0 +1,56 @@
+// Copyright (c) 2021 The Jaeger Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build windows
+
+package tlscfg
+
+const (
+ // CRYPT_E_NOT_FOUND is an error code specific to windows cert pool.
+ // See https://github.com/golang/go/issues/16736#issuecomment-540373689.
+ CRYPT_E_NOT_FOUND = 0x80092004
+)
+
+// workaround https://github.com/golang/go/issues/16736
+// fix borrowed from Sensu: https://github.com/sensu/sensu-go/pull/4018
+func appendCerts(rootCAs *x509.CertPool) (*x509.CertPool, error) {
+ storeHandle, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("Root"))
+ if err != nil {
+ return nil, err
+ }
+
+ var cert *syscall.CertContext
+ for {
+ cert, err = syscall.CertEnumCertificatesInStore(storeHandle, cert)
+ if err != nil {
+ if errno, ok := err.(syscall.Errno); ok {
+ if errno == CRYPT_E_NOT_FOUND {
+ break
+ }
+ }
+ return nil, err
+ }
+ if cert == nil {
+ break
+ }
+ // Copy the buf, since ParseCertificate does not create its own copy.
+ buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+ buf2 := make([]byte, cert.Length)
+ copy(buf2, buf)
+ if c, err := x509.ParseCertificate(buf2); err == nil {
+ rootCAs.AddCert(c)
+ }
+ }
+ return rootCAs, nil
+}
From 772c2ab4048f0b73d4fcb1e52d1f54f301471ed4 Mon Sep 17 00:00:00 2001
From: Ashmita Bohara
Date: Tue, 2 Feb 2021 02:42:48 +0800
Subject: [PATCH 2/5] Use workaround for windows x509.SystemCertPool()
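Review bot: The store handle returned by `syscall.CertOpenSystemStore` at the top of `appendCerts` is never released on any path — the two `break` exits, the `return nil, err` inside the loop, or normal completion — so each call leaks a certificate store handle; add `defer syscall.CertCloseStore(storeHandle, 0)` right after the `if err != nil` check that follows the open. The `x509.ParseCertificate` failure in the loop is silently skipped, which is a defensible best-effort choice for a trust store that may hold entries Go cannot parse, but the code should say so: `// Skip entries the Go parser rejects; the remaining roots are still usable.` Finally, `CRYPT_E_NOT_FOUND` is an underscore identifier that golint/revive will flag; a MixedCaps name such as `cryptENotFound`, with the Windows constant named in its comment, keeps the reference without the lint noise.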
Signed-off-by: Ashmita Bohara
---
 pkg/config/tlscfg/options_windows.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/config/tlscfg/options_windows.go b/pkg/config/tlscfg/options_windows.go
index 415d1383e209..c57e1e62f22b 100644
--- a/pkg/config/tlscfg/options_windows.go
+++ b/pkg/config/tlscfg/options_windows.go
@@ -16,6 +16,12 @@ package tlscfg
+import (
+ "crypto/x509"
+ "syscall"
+ "unsafe"
+)
+ const (
+ // CRYPT_E_NOT_FOUND is an error code specific to windows cert pool.
+ // See https://github.com/golang/go/issues/16736#issuecomment-540373689.
From 1dc1f7361c18345503e10b3e1ad9e18e11565622 Mon Sep 17 00:00:00 2001
From: Ashmita Bohara
Date: Thu, 4 Feb 2021 21:22:29 +0800
Subject: [PATCH 3/5] Feedbacks
Signed-off-by: Ashmita Bohara
---
 pkg/config/tlscfg/options.go | 11 ++---------
 pkg/config/tlscfg/options_unix.go | 13 ++++++++++---
 pkg/config/tlscfg/options_windows.go | 15 +++++++++++++++
 3 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/pkg/config/tlscfg/options.go b/pkg/config/tlscfg/options.go
index c13e386fa8ee..2eac2e4e38c9 100644
--- a/pkg/config/tlscfg/options.go
+++ b/pkg/config/tlscfg/options.go
@@ -86,16 +86,9 @@ func (p *Options) Config(logger *zap.Logger) (*tls.Config, error) {
 func (p Options) loadCertPool() (*x509.CertPool, error) {
 if len(p.CAPath) == 0 { // no truststore given, use SystemCertPool
- certPool, err := systemCertPool()
+ certPool, err := createCertPool()
 if err != nil {
- return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
- }
- if certPool == nil {
- certPool = x509.NewCertPool()
- }
- certPool, err = appendCerts(certPool)
- if err != nil {
- return nil, fmt.Errorf("failed to append SystemCertPool: %w", err)
+ return nil, fmt.Errorf("failed to create CertPool: %w", err)
 }
 return certPool, nil
 }
diff --git a/pkg/config/tlscfg/options_unix.go b/pkg/config/tlscfg/options_unix.go
index 0486881c4bed..ee4897a1d73b 100644
--- a/pkg/config/tlscfg/options_unix.go
+++ b/pkg/config/tlscfg/options_unix.go
@@ -16,8 +16,15 @@ package tlscfg
-import "crypto/x509"
+import (
+ "crypto/x509"
+ "fmt"
+)
-func appendCerts(rootCAs *x509.CertPool) (*x509.CertPool, error) {
- return rootCAs, nil
+func createCertPool() (*x509.CertPool, error) {
+ certPool, err := systemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
+ }
+ return certPool, nil
 }
diff --git a/pkg/config/tlscfg/options_windows.go b/pkg/config/tlscfg/options_windows.go
index c57e1e62f22b..69760982917f 100644
--- a/pkg/config/tlscfg/options_windows.go
+++ b/pkg/config/tlscfg/options_windows.go
@@ -60,3 +60,18 @@ func appendCerts(rootCAs *x509.CertPool) (*x509.CertPool, error) {
 }
 return rootCAs, nil
 }
+
+func createCertPool() (*x509.CertPool, error) {
+ certPool, err := systemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
+ }
+ if certPool == nil {
+ certPool = x509.NewCertPool()
+ }
+ certPool, err = appendCerts(certPool)
+ if err != nil {
+ return nil, fmt.Errorf("failed to append SystemCertPool: %w", err)
+ }
+ return certPool, nil
+}
From 6c3e469ede7418a3a211c9fc5c2fc0951945ce57 Mon Sep 17 00:00:00 2001
From: Ashmita Bohara
Date: Thu, 4 Feb 2021 21:33:28 +0800
Subject: [PATCH 4/5] Feedbacks
Signed-off-by: Ashmita Bohara
---
 pkg/config/tlscfg/options_windows.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/config/tlscfg/options_windows.go b/pkg/config/tlscfg/options_windows.go
index 69760982917f..35863adab9a4 100644
--- a/pkg/config/tlscfg/options_windows.go
+++ b/pkg/config/tlscfg/options_windows.go
@@ -18,6 +18,7 @@ package tlscfg
 import (
 "crypto/x509"
+ "fmt"
 "syscall"
 "unsafe"
 )
From 931e7648a1a98235603ff0d45f644a9afe0cb1a1 Mon Sep 17 00:00:00 2001
From: Ashmita Bohara
Date: Fri, 5 Feb 2021 00:30:48 +0800
Subject: [PATCH 5/5] Feedbacks
Signed-off-by: Ashmita Bohara
---
 .../tlscfg/{options_unix.go => certpool_unix.go} | 9 ++-------
 .../{options_windows.go => certpool_windows.go} | 11 +++--------
 pkg/config/tlscfg/options.go | 4 ++--
 3 files changed, 7 insertions(+), 17 deletions(-)
 rename pkg/config/tlscfg/{options_unix.go => certpool_unix.go} (76%)
 rename pkg/config/tlscfg/{options_windows.go => certpool_windows.go} (87%)
diff --git a/pkg/config/tlscfg/options_unix.go b/pkg/config/tlscfg/certpool_unix.go
similarity index 76%
rename from pkg/config/tlscfg/options_unix.go
rename to pkg/config/tlscfg/certpool_unix.go
index ee4897a1d73b..952e698fbdc3 100644
--- a/pkg/config/tlscfg/options_unix.go
+++ b/pkg/config/tlscfg/certpool_unix.go
@@ -18,13 +18,8 @@ package tlscfg
 import (
 "crypto/x509"
- "fmt"
 )
-func createCertPool() (*x509.CertPool, error) {
- certPool, err := systemCertPool()
- if err != nil {
- return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
- }
- return certPool, nil
+func loadSystemCertPool() (*x509.CertPool, error) {
+ return systemCertPool()
 }
diff --git a/pkg/config/tlscfg/options_windows.go b/pkg/config/tlscfg/certpool_windows.go
similarity index 87%
rename from pkg/config/tlscfg/options_windows.go
rename to pkg/config/tlscfg/certpool_windows.go
index 35863adab9a4..e595f9939c57 100644
--- a/pkg/config/tlscfg/options_windows.go
+++ b/pkg/config/tlscfg/certpool_windows.go
@@ -18,7 +18,6 @@ package tlscfg
 import (
 "crypto/x509"
- "fmt"
 "syscall"
 "unsafe"
 )
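Review bot: `loadSystemCertPool` in certpool_unix.go carries no doc comment, and now that it merely forwards to `systemCertPool` a reader needs to be told that it exists so the Windows build can supply its own implementation; I would add `// loadSystemCertPool returns the system root pool; the Windows build (certpool_windows.go) replaces this with an implementation that also enumerates the OS certificate store.` above it. With "fmt" removed the parenthesised block holds a single import, so the plain `import "crypto/x509"` form this file used before patch 3 reads better (gofmt accepts both).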
@@ -62,17 +61,13 @@ func appendCerts(rootCAs *x509.CertPool) (*x509.CertPool, error) {
 return rootCAs, nil
 }
-func createCertPool() (*x509.CertPool, error) {
+func loadSystemCertPool() (*x509.CertPool, error) {
 certPool, err := systemCertPool()
 if err != nil {
- return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
+ return nil, err
 }
 if certPool == nil {
 certPool = x509.NewCertPool()
 }
- certPool, err = appendCerts(certPool)
- if err != nil {
- return nil, fmt.Errorf("failed to append SystemCertPool: %w", err)
- }
- return certPool, nil
+ return appendCerts(certPool)
 }
diff --git a/pkg/config/tlscfg/options.go b/pkg/config/tlscfg/options.go
index 2eac2e4e38c9..e1fcb5f36458 100644
--- a/pkg/config/tlscfg/options.go
+++ b/pkg/config/tlscfg/options.go
@@ -86,9 +86,9 @@ func (p *Options) Config(logger *zap.Logger) (*tls.Config, error) {
 func (p Options) loadCertPool() (*x509.CertPool, error) {
 if len(p.CAPath) == 0 { // no truststore given, use SystemCertPool
- certPool, err := createCertPool()
+ certPool, err := loadSystemCertPool()
 if err != nil {
- return nil, fmt.Errorf("failed to create CertPool: %w", err)
+ return nil, fmt.Errorf("failed to load SystemCertPool: %w", err)
 }
 return certPool, nil
 }
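Review bot: `loadSystemCertPool` in certpool_windows.go has no doc comment, and the `if certPool == nil` guard gives no hint which `systemCertPool` result it defends against — as far as I know `x509.SystemCertPool` never returns a nil pool together with a nil error, so if the guard is there for a test stub of `systemCertPool`, say so: `// systemCertPool may be overridden in tests to return nil; start from an empty pool so appendCerts can populate it.` A doc line such as `// loadSystemCertPool returns the system roots plus the contents of the Windows "Root" store; see appendCerts.` would also help. The new `return nil, err` drops this layer's own context, which only works because the caller in options.go (the second hunk) wraps it as "failed to load SystemCertPool"; that coupling deserves a one-line comment too.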