author Hugo Landau <hlandau@openssl.org> 2022-04-08 13:20:44 +0100
committer Hugo Landau <hlandau@openssl.org> 2022-09-14 14:10:18 +0100
commit 606e0426a148034c8c131de9f31f7d3e38be99ea
tree 2d91031e79f6b5bb2f83076924e4f1de54655d7e /CHANGES.md
parent 021859bf810a3614758c2f4871b9cd7202fac9b2
Add support for loading root CAs from Windows crypto API

Fixes #18020.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18070)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- CHANGES.md 24
1 files changed, 18 insertions, 6 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 5a5bc9d91f..9bc1a91c94 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -179,12 +179,24 @@ OpenSSL 3.1
*Hugo Landau*
- * The `SSL_CERT_URI` environment variable has been added, which can be used
- to specify a default URI for certificate stores. Previously, the
- `SSL_CERT_DIR` environment variable was used for this purpose, and could
- accept either a URI or a delimiter-separated list of paths. This usage is now
- deprecated; to specify a delimiter-separated list of paths, use
- `SSL_CERT_DIR`, and to specify a URI, use `SSL_CERT_URI`.
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
+ paths which are searched for root certificates.
+
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
+ for the purposes of determining root certificate stores.
+
+ *Hugo Landau*
+
+ * Support for loading root certificates from the Windows certificate store
+ has been added. The support is in the form of a store which recognises the
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
+ can be disabled using the new compile-time option `no-winstore`.
*Hugo Landau*
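Review bot: The new winstore entry at the end of the hunk says "This store is enabled by default" without saying whether that means the `org.openssl.winstore://` store is only compiled in or is also consulted as a default source of trust roots. That difference decides which CAs an application ends up trusting, so the entry should state it explicitly. In the `SSL_CERT_DIR` deprecation paragraph the override rules are split (`SSL_CERT_PATH` overrides it for directories, `SSL_CERT_URI` for stores), which leaves open what happens when only `SSL_CERT_PATH` is set and `SSL_CERT_DIR` still holds a URI; a sentence covering that case would remove the ambiguity the paragraph itself complains about. Minor: "an URI" in that paragraph should be "a URI", matching the wording two sentences earlier.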