[packages/nodejs.git] / nodejs-use-system-certs.patch

Description: do not bundle CA certificates, openssl on Debian have them
 As a consequence, nodejs must depend on ca-certificates.
Forwarded: https://github.com/nodejs/node/issues/3159
Author: Jérémy Lal <kapouer@melix.org>
Modified 2014-08-11 by Elan Ruusamäe <glen@delfi.ee> with the correct path for PLD
Modified 2015-10-17 by Elan Ruusamäe <glen@delfi.ee> updated for node 4.2.1-LTS
--- nodejs-4.5.0/src/node_crypto.cc.orig	2016-08-16 17:09:50.000000000 +0200
+++ nodejs-4.5.0/src/node_crypto.cc	2016-09-09 23:40:11.959456422 +0200
@@ -117,7 +117,6 @@
 static uv_mutex_t* locks;
 
 const char* const root_certs[] = {
-#include "node_root_certs.h"  // NOLINT(build/include_order)
 };
 
 X509_STORE* root_cert_store;
@@ -754,29 +753,18 @@
   CHECK_EQ(sc->ca_store_, nullptr);
 
   if (!root_cert_store) {
-    root_cert_store = X509_STORE_new();
-
-    for (size_t i = 0; i < arraysize(root_certs); i++) {
-      BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
-      if (bp == nullptr) {
-        return;
-      }
-
-      X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
-      if (x509 == nullptr) {
-        BIO_free_all(bp);
-        return;
-      }
-
-      X509_STORE_add_cert(root_cert_store, x509);
-
-      BIO_free_all(bp);
-      X509_free(x509);
+    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/certs/ca-certificates.crt", NULL) == 1) {
+      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+    } else {
+      // new empty store
+      root_cert_store = X509_STORE_new();
     }
+  } else {
+    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
   }
 
+
   sc->ca_store_ = root_cert_store;
-  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
 }
Commit	Line	Data
58e86022 ER	1	Description: do not bundle CA certificates, openssl on Debian have them
58e86022 ER	2	As a consequence, nodejs must depend on ca-certificates.
318ea6db	3	Forwarded: https://github.com/nodejs/node/issues/3159
58e86022	4	Author: Jérémy Lal <kapouer@melix.org>
58e86022	5	Modified 2014-08-11 by Elan Ruusamäe <glen@delfi.ee> with the correct path for PLD
3de234b3	6	Modified 2015-10-17 by Elan Ruusamäe <glen@delfi.ee> updated for node 4.2.1-LTS
318ea6db	7	--- nodejs-4.5.0/src/node_crypto.cc.orig 2016-08-16 17:09:50.000000000 +0200
	8	+++ nodejs-4.5.0/src/node_crypto.cc 2016-09-09 23:40:11.959456422 +0200
	9	@@ -117,7 +117,6 @@
3de234b3	10	static uv_mutex_t* locks;
58e86022	11
3de234b3	12	const char* const root_certs[] = {
58e86022	13	-#include "node_root_certs.h" // NOLINT(build/include_order)
58e86022 ER	14	};
58e86022 ER	15
3de234b3	16	X509_STORE* root_cert_store;
318ea6db	17	@@ -754,29 +753,18 @@
3de234b3	18	CHECK_EQ(sc->ca_store_, nullptr);
58e86022 ER	19
	20	if (!root_cert_store) {
	21	- root_cert_store = X509_STORE_new();
	22	-
318ea6db	23	- for (size_t i = 0; i < arraysize(root_certs); i++) {
	24	- BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
	25	- if (bp == nullptr) {
3de234b3	26	- return;
58e86022 ER	27	- }
58e86022 ER	28	-
3de234b3	29	- X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
3de234b3 ER	30	- if (x509 == nullptr) {
	31	- BIO_free_all(bp);
	32	- return;
58e86022 ER	33	- }
	34	-
	35	- X509_STORE_add_cert(root_cert_store, x509);
	36	-
3de234b3	37	- BIO_free_all(bp);
58e86022 ER	38	- X509_free(x509);
	39	+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/certs/ca-certificates.crt", NULL) == 1) {
	40	+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
	41	+ } else {
318ea6db	42	+ // new empty store
58e86022 ER	43	+ root_cert_store = X509_STORE_new();
	44	}
	45	+ } else {
	46	+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
	47	}
3de234b3	48
318ea6db	49	+
58e86022 ER	50	sc->ca_store_ = root_cert_store;
58e86022 ER	51	- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
58e86022	52	}
318ea6db	53
318ea6db	54