Add support for loading root CAs from Windows crypto API

[openssl.git] / crypto / x509 / by_dir.c

diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 599d5463bb0ffede4b84eea020edac70b6b274fb..8d61c27d701137ba4d1c675abaed8ef65f3a08fd 100644 (file)
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
     switch (cmd) {
     case X509_L_ADD_DIR:
         if (argl == X509_FILETYPE_DEFAULT) {
-            const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+            /* If SSL_CERT_PATH is provided and non-empty, use that. */
+            const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
 
-            if (dir)
-                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-            else
-                ret = add_cert_dir(ld, X509_get_default_cert_dir(),
-                                   X509_FILETYPE_PEM);
+            /* Fallback to SSL_CERT_DIR. */
+            if (dir == NULL)
+                dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+            /* Fallback to built-in default. */
+            if (dir == NULL)
+                dir = X509_get_default_cert_dir();
+
+            ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
             if (!ret) {
                 ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
             }