authorBenjamin Peterson <benjamin@python.org>2016-02-18 06:13:19 (GMT)
committerBenjamin Peterson <benjamin@python.org>2016-02-18 06:13:19 (GMT)
commit94912727513ccab03567cfcab01732989c0ababc (patch)
treea5401015efd3c715c72312935900e84619d2d29f
parentb1db7580611421309ab0be7c0801f4f89ecec440 (diff)
open the cert store readonly
Patch from Chi Hsuan Yen.
-rw-r--r--Misc/NEWS2
-rw-r--r--Modules/_ssl.c8
2 files changed, 8 insertions, 2 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 5f1929d..f9ccc04 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,8 @@ Core and Builtins
Library
-------
+- Issue #25939: On Windows open the cert store readonly in ssl.enum_certificates.
+
- Issue #22570: Add 'path' attribute to pathlib.Path objects,
returning the same as str(), to make it more similar to DirEntry.
Library code can now write getattr(p, 'path', p) to get the path as
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index d918671..02971a7 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3597,7 +3597,9 @@ PySSL_enum_certificates(PyObject *self, PyObject *args, PyObject *kwds)
if (result == NULL) {
return NULL;
}
- hStore = CertOpenSystemStore((HCRYPTPROV)NULL, store_name);
+ hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, (HCRYPTPROV)NULL,
+ CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_LOCAL_MACHINE,
+ store_name);
if (hStore == NULL) {
Py_DECREF(result);
return PyErr_SetFromWindowsErr(GetLastError());
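Review bot: The new `CertOpenStore` call in PySSL_enum_certificates passes `CERT_SYSTEM_STORE_LOCAL_MACHINE`, which changes the store location as well as the access mode: `CertOpenSystemStore` opens the store for the current user, so certificates present only in the per-user store would no longer be enumerated. The identical call in PySSL_enum_crls has the same effect on CRLs. If the intent is only read-only access, the flags line that keeps the previous location would be `CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER,`. If narrowing to the machine store is deliberate, a comment such as `/* local machine store only; per-user certificates are not enumerated */` above each call, plus a mention in the NEWS entry, would make clear that the set of trust anchors callers see has changed. Both functions continue outside the hunks, so how the enumerated entries are consumed is not visible here.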
@@ -3685,7 +3687,9 @@ PySSL_enum_crls(PyObject *self, PyObject *args, PyObject *kwds)
if (result == NULL) {
return NULL;
}
- hStore = CertOpenSystemStore((HCRYPTPROV)NULL, store_name);
+ hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, (HCRYPTPROV)NULL,
+ CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_LOCAL_MACHINE,
+ store_name);
if (hStore == NULL) {
Py_DECREF(result);
return PyErr_SetFromWindowsErr(GetLastError());