fix: preserve system certs when adding Mozilla roots#706
Open
AyaanFaisal21 wants to merge 1 commit into
Open
Conversation
Comment on lines
+30
to
35
| fn get_root_cert_store_with( | ||
| ca_stores: &[String], | ||
| mut add_mozilla_roots: impl FnMut(&mut RootCertStore), | ||
| mut add_system_roots: impl FnMut(&mut RootCertStore), | ||
| ) -> Result<RootCertStore, AnyError> { | ||
| let mut root_cert_store = RootCertStore::empty(); |
Member
There was a problem hiding this comment.
Couldn't it be simpler?
Any special reason why receiving it as closures?
I think the match expression below could just call the original fn directly
Comment on lines
+101
to
+102
| |root_cert_store| add_test_root(root_cert_store, b"mozilla"), | ||
| |root_cert_store| add_test_root(root_cert_store, b"system"), |
Member
There was a problem hiding this comment.
Following my comment above, I couldn't get the idea about passing it down as closures using custom test functions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix.
Fixes #705.
What is the current behavior?
The environment variable configuration
DENO_TLS_CA_STORE=system,mozillaloads system roots first, but then themozillabranch replaces the existingRootCertStore, which drops the system roots that were just added.This makes CA store behavior order-dependent:
mozilla,systempreserves both stores, whilesystem,mozillaonly keeps Mozilla/webpki roots.What is the new behavior?
The
mozillabranch now appends Mozilla/webpki roots to the existingRootCertStoreinstead of replacing it entirely.This preserves system roots for the documented
DENO_TLS_CA_STORE=system,mozillaenvironment variable configuration and makessystem,mozilla/mozilla,systemproduce the same effective trust-anchor set.I also added a deterministic regression test covering both orderings without depending on the host machine’s system certificate store.
Additional context
Verification run locally:
cargo fmt --checkcargo test -p deno_facade ca_store_order_does_not_drop_system_rootscargo test -p deno_facadegit diff --check