jfrog · RemiBou · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026 · vitaliil-jfrog
diff --git a/auth/cert/loader.go b/auth/cert/loader.go
@@ -44,7 +44,6 @@ func LoadCertificate(clientCertPath, clientCertKeyPath string) (certificate tls.
 }
 
 func GetTransportWithLoadedCert(certificatesDirPath string, insecureTls bool, transport *http.Transport) (*http.Transport, error) {
-	// Remove once SystemCertPool supports windows
 	caCertPool, err := loadSystemRoots()
 	err = errorutils.CheckError(err)
 	if err != nil {

diff --git a/auth/cert/loader_test.go b/auth/cert/loader_test.go
@@ -0,0 +1,34 @@
+package cert
+
+import (
+	"crypto/tls"
+	"net/http"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLoadSystemRootsNeverReturnsNilPool(t *testing.T) {
+	pool, err := loadSystemRoots()
+	require.NoError(t, err)
+	assert.NotNil(t, pool)
+}
+
+func TestGetTransportWithLoadedCert(t *testing.T) {
+	transport := &http.Transport{}
+	result, err := GetTransportWithLoadedCert(filepath.Join(t.TempDir(), "missing-certs"), false, transport)
+	require.NoError(t, err)
+	require.NotNil(t, result.TLSClientConfig)
+	assert.NotNil(t, result.TLSClientConfig.RootCAs)
+	assert.Equal(t, uint16(tls.VersionTLS12), result.TLSClientConfig.MinVersion)
+	assert.False(t, result.TLSClientConfig.InsecureSkipVerify)
+}
+
+func TestGetTransportWithLoadedCertInsecureTls(t *testing.T) {
+	transport := &http.Transport{}
+	result, err := GetTransportWithLoadedCert("", true, transport)
+	require.NoError(t, err)
+	assert.True(t, result.TLSClientConfig.InsecureSkipVerify)
+}
diff --git a/auth/cert/sslutils_default.go b/auth/cert/sslutils_default.go
@@ -8,5 +8,9 @@ import (
 )
 
 func loadSystemRoots() (*x509.CertPool, error) {
-	return x509.SystemCertPool()
+	pool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+	return pool, nil
 }
diff --git a/auth/cert/sslutils_windows.go b/auth/cert/sslutils_windows.go
@@ -5,41 +5,15 @@ package cert
 
 import (
 	"crypto/x509"
-	"syscall"
-	"unsafe"
 )
 
 func loadSystemRoots() (*x509.CertPool, error) {
-	const CRYPT_E_NOT_FOUND = 0x80092004
-
-	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+	pool, err := x509.SystemCertPool()
 	if err != nil {
 		return nil, err
 	}
-	defer syscall.CertCloseStore(store, 0)
-
-	roots := x509.NewCertPool()
-	var cert *syscall.CertContext
-	for {
-		cert, err = syscall.CertEnumCertificatesInStore(store, cert)
-		if err != nil {
-			if errno, ok := err.(syscall.Errno); ok {
-				if errno == CRYPT_E_NOT_FOUND {
-					break
-				}
-			}
-			return nil, err
-		}
-		if cert == nil {
-			break
-		}
-		// Copy the buf, since ParseCertificate does not create its own copy.
-		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
-		buf2 := make([]byte, cert.Length)
-		copy(buf2, buf)
-		if c, err := x509.ParseCertificate(buf2); err == nil {
-			roots.AddCert(c)
-		}
+	if pool == nil {
+		pool = x509.NewCertPool()
 	}
-	return roots, nil
+	return pool, nil
 }