From: Jakub Jirutka Date: Sat, 26 Nov 2016 01:32:00 +0200 Subject: Use system-provided CA certificates instead of bundled ones Forwarded: need some feedback before submitting the matter upstream Author: Jérémy Lal Last-Update: 2014-03-02 Modified 2014-05-02 by T.C. Hollingsworth with the correct path for Fedora Modified 2015-12-01 by Stephen Gallagher to update for Node.js 4.2 Modified 2016-03-04 by Stephen Gallagher to update for Node.js 5.4.1 Modified 2016-07-26 by Haikel Guemar to update for Node.js 4.4.7 Modified 2016-11-26 by Jakub Jirutka for Alpine Linux --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name = static Mutex* mutexes; -const char* const root_certs[] = { -#include "node_root_certs.h" // NOLINT(build/include_order) +const char* root_certs[] = { + NULL }; X509_STORE* root_cert_store; @@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { CHECK_EQ(sc->ca_store_, nullptr); if (!root_cert_store) { - root_cert_store = X509_STORE_new(); - - for (size_t i = 0; i < arraysize(root_certs); i++) { - BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); - if (bp == nullptr) { - return; - } - - X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); - if (x509 == nullptr) { - BIO_free_all(bp); - return; - } - - X509_STORE_add_cert(root_cert_store, x509); - - BIO_free_all(bp); - X509_free(x509); + if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) { + root_cert_store = SSL_CTX_get_cert_store(sc->ctx_); + } else { + // empty store + root_cert_store = X509_STORE_new(); } + } else { + SSL_CTX_set_cert_store(sc->ctx_, root_cert_store); } sc->ca_store_ = root_cert_store; - SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); } -- 2.9.0