authorLuca Casonato <hello@lcas.dev>2021-09-30 09:26:15 +0200
committerGitHub <noreply@github.com>2021-09-30 09:26:15 +0200
commit0d7a417f332a57fb3e89250a1ce250b929d0b2f7 (patch)
tree8f63043fcf6c5419d6d213a196c54a8b421e3d8b /ext/net
parent62920e4ef5bed131c125c4b8b5bdb8250584946f (diff)
feat(tls): custom in memory CA certificates (#12219)
This adds support for using in-memory CA certificates for `Deno.startTls`, `Deno.connectTls` and `Deno.createHttpClient`. `certFile` is deprecated in `startTls` and `connectTls`, and removed from `Deno.createHttpClient`.
Diffstat (limited to 'ext/net')
-rw-r--r--ext/net/02_tls.js5
-rw-r--r--ext/net/lib.deno_net.d.ts17
-rw-r--r--ext/net/ops_tls.rs40
3 files changed, 42 insertions, 20 deletions
diff --git a/ext/net/02_tls.js b/ext/net/02_tls.js
index 343ec2e4f..9f8fb314c 100644
--- a/ext/net/02_tls.js
+++ b/ext/net/02_tls.js
@@ -28,6 +28,7 @@
hostname = "127.0.0.1",
transport = "tcp",
certFile = undefined,
+ caCerts = [],
certChain = undefined,
privateKey = undefined,
}) {
@@ -36,6 +37,7 @@
hostname,
transport,
certFile,
+ caCerts,
certChain,
privateKey,
});
@@ -70,12 +72,13 @@
async function startTls(
conn,
- { hostname = "127.0.0.1", certFile } = {},
+ { hostname = "127.0.0.1", certFile = undefined, caCerts = [] } = {},
) {
const res = await opStartTls({
rid: conn.rid,
hostname,
certFile,
+ caCerts,
});
return new Conn(res.rid, res.remoteAddr, res.localAddr);
}
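Review bot: `certFile` stays an accepted option of connectTls and startTls with nothing in the code marking it as deprecated, while the accompanying `.d.ts` change tags it `@deprecated`; a one-line comment above each default, `// certFile is deprecated in favour of caCerts; kept for compatibility`, would keep a later reader from extending the old path. The `caCerts = []` default guarantees the op always receives an array, but a value that is not an array of strings appears to be rejected only when the Rust side deserializes the args, so the error a user sees names the op rather than the option. The enclosing connectTls function starts before the first hunk and ends after the second.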
diff --git a/ext/net/lib.deno_net.d.ts b/ext/net/lib.deno_net.d.ts
index dd2e4677d..45f1194fb 100644
--- a/ext/net/lib.deno_net.d.ts
+++ b/ext/net/lib.deno_net.d.ts
@@ -121,8 +121,18 @@ declare namespace Deno {
/** A literal IP address or host name that can be resolved to an IP address.
* If not specified, defaults to `127.0.0.1`. */
hostname?: string;
- /** Server certificate file. */
+ /**
+ * @deprecated This option is deprecated and will be removed in a future
+ * release.
+ *
+ * Server certificate file.
+ */
certFile?: string;
+ /** A list of root certificates that will be used in addition to the
+ * default root certificates to verify the peer's certificate.
+ *
+ * Must be in PEM format. */
+ caCerts?: string[];
}
/** Establishes a secure connection over TLS (transport layer security) using
@@ -131,10 +141,11 @@ declare namespace Deno {
* be used (see also https://github.com/ctz/webpki-roots for specifics)
*
* ```ts
+ * const caCert = await Deno.readTextFile("./certs/my_custom_root_CA.pem");
* const conn1 = await Deno.connectTls({ port: 80 });
- * const conn2 = await Deno.connectTls({ certFile: "./certs/my_custom_root_CA.pem", hostname: "192.0.2.1", port: 80 });
+ * const conn2 = await Deno.connectTls({ caCerts: [caCert], hostname: "192.0.2.1", port: 80 });
* const conn3 = await Deno.connectTls({ hostname: "[2001:db8::1]", port: 80 });
- * const conn4 = await Deno.connectTls({ certFile: "./certs/my_custom_root_CA.pem", hostname: "golang.org", port: 80});
+ * const conn4 = await Deno.connectTls({ caCerts: [caCert], hostname: "golang.org", port: 80});
* ```
*
* Requires `allow-net` permission.
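Review bot: The retained summary `Server certificate file.` on `certFile` is misleading: the examples below use it for a custom root CA and the Rust change feeds it into the same CA list as `caCerts`. Suggest `* Path to a file with additional root CA certificates. Use \`caCerts\` instead.` so the deprecation note also says what to migrate to. The `caCerts` doc could add that its entries are used together with `certFile` when both are given, which is what the Rust side does.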
diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs
index 17367af54..d6618440f 100644
--- a/ext/net/ops_tls.rs
+++ b/ext/net/ops_tls.rs
@@ -649,6 +649,7 @@ pub struct ConnectTlsArgs {
hostname: String,
port: u16,
cert_file: Option<String>,
+ ca_certs: Vec<String>,
cert_chain: Option<String>,
private_key: Option<String>,
}
@@ -658,6 +659,7 @@ pub struct ConnectTlsArgs {
struct StartTlsArgs {
rid: ResourceId,
cert_file: Option<String>,
+ ca_certs: Vec<String>,
hostname: String,
}
@@ -685,13 +687,16 @@ where
}
}
- let ca_data = match cert_file {
- Some(path) => {
- let mut buf = Vec::new();
- File::open(path)?.read_to_end(&mut buf)?;
- Some(buf)
- }
- _ => None,
+ let mut ca_certs = args
+ .ca_certs
+ .into_iter()
+ .map(|s| s.into_bytes())
+ .collect::<Vec<_>>();
+
+ if let Some(path) = cert_file {
+ let mut buf = Vec::new();
+ File::open(path)?.read_to_end(&mut buf)?;
+ ca_certs.push(buf);
};
let hostname_dns = DNSNameRef::try_from_ascii_str(hostname)
@@ -724,7 +729,7 @@ where
let tls_config = Arc::new(create_client_config(
root_cert_store,
- ca_data,
+ ca_certs,
unsafely_ignore_certificate_errors,
)?);
let tls_stream =
@@ -786,13 +791,16 @@ where
}
}
- let ca_data = match cert_file {
- Some(path) => {
- let mut buf = Vec::new();
- File::open(path)?.read_to_end(&mut buf)?;
- Some(buf)
- }
- _ => None,
+ let mut ca_certs = args
+ .ca_certs
+ .into_iter()
+ .map(|s| s.into_bytes())
+ .collect::<Vec<_>>();
+
+ if let Some(path) = cert_file {
+ let mut buf = Vec::new();
+ File::open(path)?.read_to_end(&mut buf)?;
+ ca_certs.push(buf);
};
let root_cert_store = state
@@ -812,7 +820,7 @@ where
let remote_addr = tcp_stream.peer_addr()?;
let mut tls_config = create_client_config(
root_cert_store,
- ca_data,
+ ca_certs,
unsafely_ignore_certificate_errors,
)?;
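Review bot: The block that assembles `ca_certs` at L119–L129 is repeated verbatim at L149–L159; a single private helper would remove the duplication, drop the leftover `;` after each `if let` block (a remnant of the old `match` assignment), and replace the manual `File::open`/`read_to_end` with `std::fs::read`. Both enclosing functions start and end outside the hunks; they look like async ops, so the synchronous read for the deprecated `cert_file` path still blocks the executor, which is unchanged but worth a `// TODO` while it remains. Separately, the new `ca_certs: Vec<String>` field in `ConnectTlsArgs` and `StartTlsArgs` carries no `#[serde(default)]`, so any caller that omits `caCerts` fails to deserialize; if the derive is on the attribute lines above the hunk, `#[serde(default)]` keeps older callers working. Whether `create_client_config` errors on an entry that yields no certificates is outside the hunk; confirm it does not silently drop such an entry.
```rust
/// Collects the PEM CA certificates supplied inline plus, for the deprecated
/// `cert_file` path, the file's raw bytes, in the order they were given.
fn collect_ca_certs(
  ca_certs: Vec<String>,
  cert_file: Option<String>,
) -> std::io::Result<Vec<Vec<u8>>> {
  let mut out: Vec<Vec<u8>> =
    ca_certs.into_iter().map(String::into_bytes).collect();
  if let Some(path) = cert_file {
    // Deprecated path: still a blocking read inside an async op.
    out.push(std::fs::read(path)?);
  }
  Ok(out)
}

// … unchanged: op body up to the cert_file handling …
let ca_certs = collect_ca_certs(args.ca_certs, cert_file)?;
```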