[packages/nodejs.git] / nodejs-use-system-certs.patch

Description: do not bundle CA certificates, openssl on Debian have them
 As a consequence, nodejs must depend on ca-certificates.
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02

Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the correct path for Fedora
Modified 2014-08-11 by Elan Ruusamäe <glen@delfi.ee> with the correct path for PLD
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -64,7 +64,6 @@
 namespace node {
 
 const char* root_certs[] = {
-#include "node_root_certs.h"  // NOLINT(build/include_order)
   NULL
 };
 
@@ -561,32 +560,16 @@
   assert(sc->ca_store_ == NULL);
 
   if (!root_cert_store) {
-    root_cert_store = X509_STORE_new();
-
-    for (int i = 0; root_certs[i]; i++) {
-      BIO *bp = BIO_new(BIO_s_mem());
-
-      if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
-        BIO_free(bp);
-        return False();
-      }
-
-      X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
-
-      if (x509 == NULL) {
-        BIO_free(bp);
-        return False();
-      }
-
-      X509_STORE_add_cert(root_cert_store, x509);
-
-      BIO_free(bp);
-      X509_free(x509);
+    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/certs/ca-certificates.crt", NULL) == 1) {
+      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+    } else {
+      // empty store
+      root_cert_store = X509_STORE_new();
     }
+  } else {
+    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
   }
-
   sc->ca_store_ = root_cert_store;
-  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
 
   return True();
 }
Commit	Line	Data
58e86022 ER	1	Description: do not bundle CA certificates, openssl on Debian have them
	2	As a consequence, nodejs must depend on ca-certificates.
	3	Forwarded: need some feedback before submitting the matter upstream
	4	Author: Jérémy Lal <kapouer@melix.org>
	5	Last-Update: 2014-03-02
	6
	7	Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the correct path for Fedora
	8	Modified 2014-08-11 by Elan Ruusamäe <glen@delfi.ee> with the correct path for PLD
	9	--- a/src/node_crypto.cc
	10	+++ b/src/node_crypto.cc
	11	@@ -64,7 +64,6 @@
	12	namespace node {
	13
	14	const char* root_certs[] = {
	15	-#include "node_root_certs.h" // NOLINT(build/include_order)
	16	NULL
	17	};
	18
	19	@@ -561,32 +560,16 @@
	20	assert(sc->ca_store_ == NULL);
	21
	22	if (!root_cert_store) {
	23	- root_cert_store = X509_STORE_new();
	24	-
	25	- for (int i = 0; root_certs[i]; i++) {
	26	- BIO *bp = BIO_new(BIO_s_mem());
	27	-
	28	- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
	29	- BIO_free(bp);
	30	- return False();
	31	- }
	32	-
	33	- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
	34	-
	35	- if (x509 == NULL) {
	36	- BIO_free(bp);
	37	- return False();
	38	- }
	39	-
	40	- X509_STORE_add_cert(root_cert_store, x509);
	41	-
	42	- BIO_free(bp);
	43	- X509_free(x509);
	44	+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/certs/ca-certificates.crt", NULL) == 1) {
	45	+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
	46	+ } else {
	47	+ // empty store
	48	+ root_cert_store = X509_STORE_new();
	49	}
	50	+ } else {
	51	+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
	52	}
	53	-
	54	sc->ca_store_ = root_cert_store;
	55	- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
	56
	57	return True();
	58	}