From: Jakub Jirutka <jakub@jirutka.cz>
Date: Sat, 15 Jul 2023 21:29:34 +0200
Subject: [PATCH] Don't bundle CA certificates, FFS!

--- a/cli/args/flags.rs
+++ b/cli/args/flags.rs
@@ -1211,7 +1211,7 @@
   <g>DENO_SERVE_ADDRESS</>     Override address for Deno.serve
                          Example: "tcp:0.0.0.0:8080", "unix:/tmp/deno.sock", or "vsock:1234:5678"
   <g>DENO_TLS_CA_STORE</>      Comma-separated list of order dependent certificate stores.
-                         Possible values: "system", "mozilla" <p(245)>(defaults to "mozilla")</>
+                         Possible values: "system" <p(245)>(defaults to "system")</>
   <g>DENO_TRACE_PERMISSIONS</> Environmental variable to enable stack traces in permission prompts.
   <g>FORCE_COLOR</>            Set force color output even if stdout isn't a tty
   <g>HTTP_PROXY</>             Proxy address for HTTP requests
--- a/cli/lib/args.rs
+++ b/cli/lib/args.rs
@@ -14,7 +14,7 @@
 use deno_runtime::deno_tls::rustls;
 use deno_runtime::deno_tls::rustls::RootCertStore;
 use deno_runtime::deno_tls::rustls_pemfile;
-use deno_runtime::deno_tls::webpki_roots;
+//use deno_runtime::deno_tls::webpki_roots;  // XXX-Patched
 use deno_semver::npm::NpmPackageReqReference;
 use serde::Deserialize;
 use serde::Serialize;
@@ -53,7 +53,7 @@
 #[class(generic)]
 pub enum RootCertStoreLoadError {
   #[error(
-    "Unknown certificate store \"{0}\" specified (allowed: \"system,mozilla\")"
+    "Unknown certificate store \"{0}\" specified (allowed: \"system\")"
   )]
   UnknownStore(String),
   #[error("Unable to add pem file to certificate store: {0}")]
@@ -83,14 +83,18 @@
           .collect(),
       )
     })
-    .unwrap_or_else(|| vec!["mozilla".to_string()]);
+    .unwrap_or_else(|| vec!["system".to_string()]);
 
   for store in ca_stores.iter() {
     match store.as_str() {
-      "mozilla" => {
-        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.to_vec());
-      }
-      "system" => {
+      // XXX-Patched: removed support for bundled CA certificates
+      "system" | "system" => {
+        if store == "mozilla" {
+          log::info!("DENO_TLS_CA_STORE=mozilla is not supported on Alpine Linux, using \"system\"");
+          if ca_stores.contains(&"system".to_string()) {
+            continue
+          }
+        }
         let roots = load_native_certs().map_err(|err| {
           RootCertStoreLoadError::FailedNativeCerts(err.to_string())
         })?;
--- a/ext/tls/Cargo.toml
+++ b/ext/tls/Cargo.toml
@@ -24,4 +24,3 @@
 serde.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
-webpki-roots.workspace = true
--- a/ext/tls/lib.rs
+++ b/ext/tls/lib.rs
@@ -26,7 +26,7 @@
 pub use rustls_tokio_stream::*;
 use serde::Deserialize;
 pub use webpki;
-pub use webpki_roots;
+//pub use webpki_roots;  XXX-Patched
 
 mod tls_key;
 pub use tls_key::*;
@@ -174,9 +174,15 @@
 }
 
 pub fn create_default_root_cert_store() -> RootCertStore {
-  let root_cert_store = rustls::RootCertStore {
-    roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
-  };
+  // XXX-Patched: load system-provided CA certs instead of bundled from webpki_roots.
+  let mut root_cert_store = RootCertStore::empty();
+  let roots = deno_native_certs::load_native_certs()
+    .expect("could not load platform certs");
+  for root in roots {
+    root_cert_store
+      .add(rustls::pki_types::CertificateDer::from(root.0))
+      .expect("Failed to add platform cert to root cert store");
+  }
   debug_assert!(!root_cert_store.is_empty());
   root_cert_store
 }