mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2026-04-11 16:51:54 +02:00
106 lines
3.6 KiB
Diff
106 lines
3.6 KiB
Diff
From: Jakub Jirutka <jakub@jirutka.cz>
|
|
Date: Sat, 15 Jul 2023 21:29:34 +0200
|
|
Subject: [PATCH] Don't bundle CA certificates, FFS!
|
|
|
|
--- a/ext/tls/Cargo.toml
|
|
+++ b/ext/tls/Cargo.toml
|
|
@@ -22,4 +22,3 @@ rustls = { workspace = true, features = ["dangerous_configuration"] }
|
|
rustls-webpki.workspace = true
|
|
serde.workspace = true
|
|
tokio.workspace = true
|
|
-webpki-roots.workspace = true
|
|
--- a/ext/tls/lib.rs
|
|
+++ b/ext/tls/lib.rs
|
|
@@ -4,7 +4,7 @@ pub use deno_native_certs;
|
|
pub use rustls;
|
|
pub use rustls_pemfile;
|
|
pub use webpki;
|
|
-pub use webpki_roots;
|
|
+//pub use webpki_roots; XXX-Patched
|
|
|
|
use deno_core::anyhow::anyhow;
|
|
use deno_core::error::custom_error;
|
|
@@ -144,16 +144,15 @@ pub struct BasicAuth {
|
|
|
|
pub fn create_default_root_cert_store() -> RootCertStore {
|
|
let mut root_cert_store = RootCertStore::empty();
|
|
- // TODO(@justinmchase): Consider also loading the system keychain here
|
|
- root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(
|
|
- |ta| {
|
|
- rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
|
|
- ta.subject,
|
|
- ta.spki,
|
|
- ta.name_constraints,
|
|
- )
|
|
- },
|
|
- ));
|
|
+
|
|
+ // XXX-Patched: load system-provided CA certs instead of bundled from webpki_roots.
|
|
+ let roots = deno_native_certs::load_native_certs()
|
|
+ .expect("could not load platform certs");
|
|
+ for root in roots {
|
|
+ root_cert_store
|
|
+ .add(&rustls::Certificate(root.0))
|
|
+ .expect("Failed to add platform cert to root cert store");
|
|
+ }
|
|
root_cert_store
|
|
}
|
|
|
|
--- a/cli/args/flags.rs
|
|
+++ b/cli/args/flags.rs
|
|
@@ -909,8 +909,8 @@
|
|
(e.g. "abcde12345@deno.land;54321edcba@github.com")
|
|
|
|
<g>DENO_TLS_CA_STORE</> Comma-separated list of order dependent certificate
|
|
- stores. Possible values: "system", "mozilla".
|
|
- Defaults to "mozilla".
|
|
+ stores. Possible values: "system".
|
|
+ Defaults to "system".
|
|
|
|
<g>DENO_CERT</> Load certificate authority from PEM encoded file
|
|
|
|
--- a/cli/args/mod.rs
|
|
+++ b/cli/args/mod.rs
|
|
@@ -49,7 +49,7 @@ use deno_runtime::deno_tls::deno_native_certs::load_native_certs;
|
|
use deno_runtime::deno_tls::rustls;
|
|
use deno_runtime::deno_tls::rustls::RootCertStore;
|
|
use deno_runtime::deno_tls::rustls_pemfile;
|
|
-use deno_runtime::deno_tls::webpki_roots;
|
|
+//use deno_runtime::deno_tls::webpki_roots; // XXX-Patched
|
|
use deno_runtime::inspector_server::InspectorServer;
|
|
use deno_runtime::permissions::PermissionsOptions;
|
|
use dotenvy::from_filename;
|
|
@@ -509,22 +509,19 @@ pub fn get_root_cert_store(
|
|
.collect(),
|
|
)
|
|
})
|
|
- .unwrap_or_else(|| vec!["mozilla".to_string()]);
|
|
+ .unwrap_or_else(|| vec!["system".to_string()]); // XXX-Patched: replaced "mozilla" with "system"
|
|
|
|
for store in ca_stores.iter() {
|
|
match store.as_str() {
|
|
- "mozilla" => {
|
|
- root_cert_store.add_trust_anchors(
|
|
- webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
|
|
- rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
|
|
- ta.subject,
|
|
- ta.spki,
|
|
- ta.name_constraints,
|
|
- )
|
|
- }),
|
|
- );
|
|
- }
|
|
- "system" => {
|
|
+ // XXX-Patched: removed support for bundled CA certificates
|
|
+ "mozilla" | "system" => {
|
|
+ if store == "mozilla" {
|
|
+ log::info!("DENO_TLS_CA_STORE=mozilla is not supported on Alpine Linux, using \"system\"");
|
|
+ if ca_stores.contains(&"system".to_string()) {
|
|
+ continue
|
|
+ }
|
|
+ }
|
|
+
|
|
let roots = load_native_certs().expect("could not load platform certs");
|
|
for root in roots {
|
|
root_cert_store
|