Diffstat (limited to 'main/nodejs/use-system-ca-certs.patch')
-rw-r--r--main/nodejs/use-system-ca-certs.patch90
1 files changed, 39 insertions, 51 deletions
diff --git a/main/nodejs/use-system-ca-certs.patch b/main/nodejs/use-system-ca-certs.patch
index 014b1cedf1..6e46c74b40 100644
--- a/main/nodejs/use-system-ca-certs.patch
+++ b/main/nodejs/use-system-ca-certs.patch
@@ -1,28 +1,10 @@
From: Jakub Jirutka <jakub@jirutka.cz>
-Date: Sat, 26 Nov 2016 01:32:00 +0200
+Date: Sat, 26 Nov 2016 21:18:00 +0200
Subject: Use system-provided CA certificates instead of bundled ones
-Forwarded: need some feedback before submitting the matter upstream
-Author: Jérémy Lal <kapouer@melix.org>
-Last-Update: 2014-03-02
-
-Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
-correct path for Fedora
-
-Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
-Node.js 4.2
-
-Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
-Node.js 5.4.1
-
-Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
-Node.js 4.4.7
-
-Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> for Alpine Linux
-
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
-@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name =
+@@ -116,8 +116,8 @@
static Mutex* mutexes;
@@ -33,43 +15,49 @@ Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> for Alpine Linux
};
X509_STORE* root_cert_store;
-@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
- CHECK_EQ(sc->ca_store_, nullptr);
+@@ -688,25 +688,33 @@
+
+
+ static X509_STORE* NewRootCertStore() {
++ X509_STORE* store = X509_STORE_new();
++
+ if (!root_certs_vector) {
+ root_certs_vector = new std::vector<X509*>;
- if (!root_cert_store) {
-- root_cert_store = X509_STORE_new();
--
- for (size_t i = 0; i < arraysize(root_certs); i++) {
- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
-- if (bp == nullptr) {
-- return;
-- }
--
- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
+- BIO_free(bp);
+-
- if (x509 == nullptr) {
-- BIO_free_all(bp);
-- return;
+- // Parse errors from the built-in roots are fatal.
+- ABORT();
+- return nullptr;
- }
--
-- X509_STORE_add_cert(root_cert_store, x509);
--
-- BIO_free_all(bp);
-- X509_free(x509);
-+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) {
-+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
-+ } else {
-+ // empty store
-+ root_cert_store = X509_STORE_new();
++ BIO* bio = BIO_new(BIO_s_file());
++ if (bio == nullptr) {
++ abort();
++ return nullptr;
++ }
++
++ if (BIO_read_filename(bio, "/etc/ssl/certs/ca-certificates.crt") == 1) {
++ STACK_OF(X509_INFO)* certs = PEM_X509_INFO_read_bio(bio, nullptr, nullptr, nullptr);
+
+- root_certs_vector->push_back(x509);
++ for (int i = 0; i < sk_X509_INFO_num(certs); i++) {
++ X509* cert = sk_X509_INFO_value(certs, i)->x509;
++
++ if (cert) {
++ X509_up_ref(cert);
++ root_certs_vector->push_back(cert);
++ }
++ }
++ sk_X509_INFO_pop_free(certs, X509_INFO_free);
}
-+ } else {
-+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
++ BIO_free_all(bio);
}
- sc->ca_store_ = root_cert_store;
-- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
- }
-
-
---
-2.9.0
-
+- X509_STORE* store = X509_STORE_new();
+ for (auto& cert : *root_certs_vector) {
+ X509_up_ref(cert);
+ X509_STORE_add_cert(store, cert);
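Review bot: In the added `NewRootCertStore()` body, a missing or unparsable `/etc/ssl/certs/ca-certificates.crt` is accepted silently: if `BIO_read_filename` does not return 1, or `PEM_X509_INFO_read_bio` yields no certificates, `root_certs_vector` stays allocated but empty, so the `if (!root_certs_vector)` guard never retries and every store built afterwards trusts nothing. Failing closed is the right outcome, but the upstream code this patch removes treated an unparsable root as fatal (`ABORT()`), while this version gives no signal, leaving operators with unexplained verification failures. I would report it once after `BIO_free_all(bio);`, e.g. `if (root_certs_vector->empty()) fprintf(stderr, "node: no CA certificates loaded from /etc/ssl/certs/ca-certificates.crt\n");`, and call `ERR_clear_error();` on the failure path, since the queued OpenSSL error may otherwise be attributed to a later, unrelated call. The `return nullptr;` after `abort();` is unreachable and can be dropped. The function body continues beyond the end of this hunk.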