author | Justin Chase <justin.m.chase@gmail.com> | 2021-08-07 07:49:38 -0500 |
committer | GitHub <noreply@github.com> | 2021-08-07 14:49:38 +0200 |
commit | 02c74fb70970fcadb7d1e6dab857eeb2cea20e09 (patch) | |
tree | 03a1490e063bca34be660eee73bccc8342b0bff2 /cli/standalone.rs | |
parent | fddeb4cea2687b32a32f7829f336b7cf5092c714 (diff) |
feat(tls): Optionally support loading native certs (#11491)
This commit adds "DENO_TLS_CA_STORE" env variable to support
optionally loading certificates from the user's local certificate store.
This will allow them to successfully connect via TLS with corporate
and self-signed certs provided they have them installed in their keystore.
It also allows them to deal with revoked certs by simply updating
their keystore without having to upgrade Deno.
Currently supported values are "mozilla", "system" or empty value.
Diffstat (limited to 'cli/standalone.rs')
-rw-r--r-- | cli/standalone.rs | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/cli/standalone.rs b/cli/standalone.rs
index 3c8dabd3a..460ee23d0 100644
--- a/cli/standalone.rs
+++ b/cli/standalone.rs
@@ -8,6 +8,7 @@ use crate::ops;
 use crate::program_state::ProgramState;
 use crate::version;
 use data_url::DataUrl;
+use deno_core::error::anyhow;
 use deno_core::error::type_error;
 use deno_core::error::uri_error;
 use deno_core::error::AnyError;
@@ -29,11 +30,14 @@ use deno_runtime::permissions::Permissions;
 use deno_runtime::permissions::PermissionsOptions;
 use deno_runtime::worker::MainWorker;
 use deno_runtime::worker::WorkerOptions;
+use deno_tls::create_default_root_cert_store;
 use log::Level;
 use std::cell::RefCell;
 use std::convert::TryInto;
 use std::env::current_exe;
 use std::fs::File;
+use std::io::BufReader;
+use std::io::Cursor;
 use std::io::Read;
 use std::io::Seek;
 use std::io::SeekFrom;
@@ -51,6 +55,7 @@ pub struct Metadata {
   pub location: Option<Url>,
   pub v8_flags: Vec<String>,
   pub log_level: Option<Level>,
+  pub ca_stores: Option<Vec<String>>,
   pub ca_data: Option<Vec<u8>>,
 }
 
@@ -201,6 +206,7 @@ fn metadata_to_flags(metadata: &Metadata) -> Flags {
     allow_write: permissions.allow_write,
     v8_flags: metadata.v8_flags.clone(),
     log_level: metadata.log_level,
+    ca_stores: metadata.ca_stores.clone(),
     ..Default::default()
   }
 }
@@ -227,13 +233,26 @@ pub async fn run(
       .collect::<Vec<_>>(),
   );
 
+  let mut root_cert_store = program_state
+    .root_cert_store
+    .clone()
+    .unwrap_or_else(create_default_root_cert_store);
+
+  if let Some(cert) = metadata.ca_data {
+    let reader = &mut BufReader::new(Cursor::new(cert));
+    // This function does not return specific errors, if it fails give a generic message.
+    if let Err(_err) = root_cert_store.add_pem_file(reader) {
+      return Err(anyhow!("Unable to add pem file to certificate store"));
+    }
+  }
+
   let options = WorkerOptions {
     apply_source_maps: false,
     args: metadata.argv,
     debug_flag: metadata.log_level.map_or(false, |l| l == log::Level::Debug),
     user_agent: version::get_user_agent(),
     unstable: metadata.unstable,
-    ca_data: metadata.ca_data,
+    root_cert_store: Some(root_cert_store),
     seed: metadata.seed,
     js_error_create_fn: None,
     create_web_worker_cb,
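Review bot: The check around the added `add_pem_file` call only catches a hard failure; if the embedded CA data parses but contributes no usable certificates, an `Ok((0, ignored))` result falls through and the worker starts trusting only the default roots with no indication that the user-supplied CA data was dropped, which turns a misconfigured bundle into a silent trust change. Assuming `add_pem_file` returns the `(added, ignored)` counts as in rustls, tightening the condition to `if !matches!(root_cert_store.add_pem_file(reader), Ok((added, _)) if added > 0) {` keeps the existing error message while rejecting an empty or wholly invalid bundle. The `_err` binding can go in that form, since the error type carries no detail to report anyway. `run` begins before this hunk and its body continues after it.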