mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-07-16 04:35:13 +03:00
afedb462f2
Note: Change from `cargo:rustc-link-lib=<name>` to `cargo:rustc-link-lib=dylib=<name>` was not required, just to be consistent with the rest of the build.rs. Resolves #15127 (ffi tests are no longer broken on aarch64) Resolves #17030
96 lines
3.5 KiB
Diff
96 lines
3.5 KiB
Diff
From: Jakub Jirutka <jakub@jirutka.cz>
|
|
Date: Sat, 15 Jul 2023 21:29:34 +0200
|
|
Subject: [PATCH] Don't bundle CA certificates, FFS!
|
|
|
|
--- a/cli/args/flags.rs
|
|
+++ b/cli/args/flags.rs
|
|
@@ -1211,7 +1211,7 @@
|
|
<g>DENO_SERVE_ADDRESS</> Override address for Deno.serve
|
|
Example: "tcp:0.0.0.0:8080", "unix:/tmp/deno.sock", or "vsock:1234:5678"
|
|
<g>DENO_TLS_CA_STORE</> Comma-separated list of order dependent certificate stores.
|
|
- Possible values: "system", "mozilla" <p(245)>(defaults to "mozilla")</>
|
|
+ Possible values: "system" <p(245)>(defaults to "system")</>
|
|
<g>DENO_TRACE_PERMISSIONS</> Environmental variable to enable stack traces in permission prompts.
|
|
<g>FORCE_COLOR</> Set force color output even if stdout isn't a tty
|
|
<g>HTTP_PROXY</> Proxy address for HTTP requests
|
|
--- a/cli/lib/args.rs
|
|
+++ b/cli/lib/args.rs
|
|
@@ -14,7 +14,7 @@
|
|
use deno_runtime::deno_tls::rustls;
|
|
use deno_runtime::deno_tls::rustls::RootCertStore;
|
|
use deno_runtime::deno_tls::rustls_pemfile;
|
|
-use deno_runtime::deno_tls::webpki_roots;
|
|
+//use deno_runtime::deno_tls::webpki_roots; // XXX-Patched
|
|
use deno_semver::npm::NpmPackageReqReference;
|
|
use serde::Deserialize;
|
|
use serde::Serialize;
|
|
@@ -53,7 +53,7 @@
|
|
#[class(generic)]
|
|
pub enum RootCertStoreLoadError {
|
|
#[error(
|
|
- "Unknown certificate store \"{0}\" specified (allowed: \"system,mozilla\")"
|
|
+ "Unknown certificate store \"{0}\" specified (allowed: \"system\")"
|
|
)]
|
|
UnknownStore(String),
|
|
#[error("Unable to add pem file to certificate store: {0}")]
|
|
@@ -83,14 +83,18 @@
|
|
.collect(),
|
|
)
|
|
})
|
|
- .unwrap_or_else(|| vec!["mozilla".to_string()]);
|
|
+ .unwrap_or_else(|| vec!["system".to_string()]);
|
|
|
|
for store in ca_stores.iter() {
|
|
match store.as_str() {
|
|
- "mozilla" => {
|
|
- root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.to_vec());
|
|
- }
|
|
- "system" => {
|
|
+ // XXX-Patched: removed support for bundled CA certificates
|
|
+ "system" | "system" => {
|
|
+ if store == "mozilla" {
|
|
+ log::info!("DENO_TLS_CA_STORE=mozilla is not supported on Alpine Linux, using \"system\"");
|
|
+ if ca_stores.contains(&"system".to_string()) {
|
|
+ continue
|
|
+ }
|
|
+ }
|
|
let roots = load_native_certs().map_err(|err| {
|
|
RootCertStoreLoadError::FailedNativeCerts(err.to_string())
|
|
})?;
|
|
--- a/ext/tls/Cargo.toml
|
|
+++ b/ext/tls/Cargo.toml
|
|
@@ -24,4 +24,3 @@
|
|
serde.workspace = true
|
|
thiserror.workspace = true
|
|
tokio.workspace = true
|
|
-webpki-roots.workspace = true
|
|
--- a/ext/tls/lib.rs
|
|
+++ b/ext/tls/lib.rs
|
|
@@ -26,7 +26,7 @@
|
|
pub use rustls_tokio_stream::*;
|
|
use serde::Deserialize;
|
|
pub use webpki;
|
|
-pub use webpki_roots;
|
|
+//pub use webpki_roots; XXX-Patched
|
|
|
|
mod tls_key;
|
|
pub use tls_key::*;
|
|
@@ -174,9 +174,15 @@
|
|
}
|
|
|
|
pub fn create_default_root_cert_store() -> RootCertStore {
|
|
- let root_cert_store = rustls::RootCertStore {
|
|
- roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
|
|
- };
|
|
+ // XXX-Patched: load system-provided CA certs instead of bundled from webpki_roots.
|
|
+ let mut root_cert_store = RootCertStore::empty();
|
|
+ let roots = deno_native_certs::load_native_certs()
|
|
+ .expect("could not load platform certs");
|
|
+ for root in roots {
|
|
+ root_cert_store
|
|
+ .add(rustls::pki_types::CertificateDer::from(root.0))
|
|
+ .expect("Failed to add platform cert to root cert store");
|
|
+ }
|
|
debug_assert!(!root_cert_store.is_empty());
|
|
root_cert_store
|
|
}
|