1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
From: Jakub Jirutka <jakub@jirutka.cz>
Date: Sat, 26 Nov 2016 21:18:00 +0200
Subject: Use system-provided CA certificates instead of bundled ones
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -116,8 +116,8 @@
static Mutex* mutexes;
-const char* const root_certs[] = {
-#include "node_root_certs.h" // NOLINT(build/include_order)
+const char* root_certs[] = {
+ NULL
};
X509_STORE* root_cert_store;
@@ -688,25 +688,33 @@
static X509_STORE* NewRootCertStore() {
+ X509_STORE* store = X509_STORE_new();
+
if (!root_certs_vector) {
root_certs_vector = new std::vector<X509*>;
- for (size_t i = 0; i < arraysize(root_certs); i++) {
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
- BIO_free(bp);
-
- if (x509 == nullptr) {
- // Parse errors from the built-in roots are fatal.
- ABORT();
- return nullptr;
- }
+ BIO* bio = BIO_new(BIO_s_file());
+ if (bio == nullptr) {
+ abort();
+ return nullptr;
+ }
+
+ if (BIO_read_filename(bio, "/etc/ssl/certs/ca-certificates.crt") == 1) {
+ STACK_OF(X509_INFO)* certs = PEM_X509_INFO_read_bio(bio, nullptr, nullptr, nullptr);
- root_certs_vector->push_back(x509);
+ for (int i = 0; i < sk_X509_INFO_num(certs); i++) {
+ X509* cert = sk_X509_INFO_value(certs, i)->x509;
+
+ if (cert) {
+ X509_up_ref(cert);
+ root_certs_vector->push_back(cert);
+ }
+ }
+ sk_X509_INFO_pop_free(certs, X509_INFO_free);
}
+ BIO_free_all(bio);
}
- X509_STORE* store = X509_STORE_new();
for (auto& cert : *root_certs_vector) {
X509_up_ref(cert);
X509_STORE_add_cert(store, cert);
|
