author | Justin Chase <justin.m.chase@gmail.com> | 2021-08-07 07:49:38 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-07 14:49:38 +0200 |
commit | 02c74fb70970fcadb7d1e6dab857eeb2cea20e09 (patch) | |
tree | 03a1490e063bca34be660eee73bccc8342b0bff2 /runtime | |
parent | fddeb4cea2687b32a32f7829f336b7cf5092c714 (diff) |
feat(tls): Optionally support loading native certs (#11491)
This commit adds the "DENO_TLS_CA_STORE" env variable to support
optionally loading certificates from the user's local certificate store.
This will allow them to successfully connect via TLS with corporate
and self-signed certs, provided they have them installed in their keystore.
It also allows them to deal with revoked certs by simply updating
their keystore without having to upgrade Deno.
Currently supported values are "mozilla", "system" or an empty value.
Diffstat (limited to 'runtime')
-rw-r--r-- | runtime/Cargo.toml | 2 | ||||
-rw-r--r-- | runtime/build.rs | 1 | ||||
-rw-r--r-- | runtime/examples/hello_runtime.rs | 2 | ||||
-rw-r--r-- | runtime/lib.rs | 1 | ||||
-rw-r--r-- | runtime/web_worker.rs | 10 | ||||
-rw-r--r-- | runtime/worker.rs | 15 |
6 files changed, 21 insertions, 10 deletions
diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml
index b2bad9844..78bc369ef 100644
--- a/runtime/Cargo.toml
+++ b/runtime/Cargo.toml
@@ -27,6 +27,7 @@ deno_ffi = { version = "0.1.0", path = "../extensions/ffi" }
 deno_http = { version = "0.4.0", path = "../extensions/http" }
 deno_net = { version = "0.4.0", path = "../extensions/net" }
 deno_timers = { version = "0.11.0", path = "../extensions/timers" }
+deno_tls = { version = "0.1.0", path = "../extensions/tls" }
 deno_url = { version = "0.13.0", path = "../extensions/url" }
 deno_web = { version = "0.44.0", path = "../extensions/web" }
 deno_webgpu = { version = "0.14.0", path = "../extensions/webgpu" }
@@ -48,6 +49,7 @@ deno_ffi = { version = "0.1.0", path = "../extensions/ffi" }
 deno_http = { version = "0.4.0", path = "../extensions/http" }
 deno_net = { version = "0.4.0", path = "../extensions/net" }
 deno_timers = { version = "0.11.0", path = "../extensions/timers" }
+deno_tls = { version = "0.1.0", path = "../extensions/tls" }
 deno_url = { version = "0.13.0", path = "../extensions/url" }
 deno_web = { version = "0.44.0", path = "../extensions/web" }
 deno_webgpu = { version = "0.14.0", path = "../extensions/webgpu" }
diff --git a/runtime/build.rs b/runtime/build.rs
index bb7947f36..e6f7de641 100644
--- a/runtime/build.rs
+++ b/runtime/build.rs
@@ -41,6 +41,7 @@ fn create_runtime_snapshot(snapshot_path: &Path, files: Vec<PathBuf>) {
 deno_webidl::init(),
 deno_console::init(),
 deno_url::init(),
+ deno_tls::init(),
 deno_web::init(deno_web::BlobStore::default(), Default::default()),
 deno_fetch::init::<deno_fetch::NoFetchPermissions>(
 "".to_owned(),
diff --git a/runtime/examples/hello_runtime.rs b/runtime/examples/hello_runtime.rs
index 4883ee7c7..eaedcac10 100644
--- a/runtime/examples/hello_runtime.rs
+++ b/runtime/examples/hello_runtime.rs
@@ -27,7 +27,7 @@ async fn main() -> Result<(), AnyError> {
 args: vec![],
 debug_flag: false,
 unstable: false,
- ca_data: None,
+ root_cert_store: None,
 user_agent: "hello_runtime".to_string(),
 seed: None,
 js_error_create_fn: None,
diff --git a/runtime/lib.rs b/runtime/lib.rs
index d7aaa8eec..37d48def1 100644
--- a/runtime/lib.rs
+++ b/runtime/lib.rs
@@ -8,6 +8,7 @@ pub use deno_ffi;
 pub use deno_http;
 pub use deno_net;
 pub use deno_timers;
+pub use deno_tls;
 pub use deno_url;
 pub use deno_web;
 pub use deno_webgpu;
diff --git a/runtime/web_worker.rs b/runtime/web_worker.rs
index 74e5fbafe..3f68fc4e6 100644
--- a/runtime/web_worker.rs
+++ b/runtime/web_worker.rs
@@ -29,6 +29,7 @@ use deno_core::ModuleLoader;
 use deno_core::ModuleSpecifier;
 use deno_core::RuntimeOptions;
 use deno_core::SharedArrayBufferStore;
+use deno_tls::rustls::RootCertStore;
 use deno_web::create_entangled_message_port;
 use deno_web::BlobStore;
 use deno_web::MessagePort;
@@ -252,7 +253,7 @@ pub struct WebWorkerOptions {
 pub args: Vec<String>,
 pub debug_flag: bool,
 pub unstable: bool,
- pub ca_data: Option<Vec<u8>>,
+ pub root_cert_store: Option<RootCertStore>,
 pub user_agent: String,
 pub seed: Option<u64>,
 pub module_loader: Rc<dyn ModuleLoader>,
@@ -300,13 +301,13 @@ impl WebWorker {
 deno_web::init(options.blob_store.clone(), Some(main_module.clone())),
 deno_fetch::init::<Permissions>(
 options.user_agent.clone(),
- options.ca_data.clone(),
+ options.root_cert_store.clone(),
 None,
 None,
 ),
 deno_websocket::init::<Permissions>(
 options.user_agent.clone(),
- options.ca_data.clone(),
+ options.root_cert_store.clone(),
 ),
 deno_broadcast_channel::init(
 options.broadcast_channel.clone(),
@@ -336,8 +337,9 @@ impl WebWorker {
 vec![
 ops::fs_events::init(),
 ops::fs::init(),
+ deno_tls::init(),
 deno_net::init::<Permissions>(
- options.ca_data.clone(),
+ options.root_cert_store.clone(),
 options.unstable,
 ),
 ops::os::init(),
diff --git a/runtime/worker.rs b/runtime/worker.rs
index c64ef2baf..69602d0dd 100644
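Review bot: The new `pub root_cert_store: Option<RootCertStore>` field in `WebWorkerOptions` (hunk at -252; the identical field in `WorkerOptions` in runtime/worker.rs has the same gap) carries no doc comment, and nothing in the runtime hunks says which trust anchors apply when it is `None`: the old `ca_data: None` meant "no extra CAs on top of the defaults", whereas an absent store could mean the extensions' built-in roots or no roots at all, and the `DENO_TLS_CA_STORE` lookup from the commit message is not in this crate, so a reader of the struct cannot tell. I'd document the field as `/// Trust anchors used to verify TLS peers in fetch, websocket and net; when absent the extensions fall back to their own default (confirm and state which roots that is).` and point at where the store is built. Separately, `options.root_cert_store.clone()` is evaluated three times per worker (fetch, websocket, net) in both files; if the extension `init` signatures allow it, sharing an `Arc<RootCertStore>` or cloning once into a local would avoid deep-copying the whole store per extension.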
--- a/runtime/worker.rs
+++ b/runtime/worker.rs
@@ -22,6 +22,7 @@ use deno_core::ModuleLoader;
 use deno_core::ModuleSpecifier;
 use deno_core::RuntimeOptions;
 use deno_core::SharedArrayBufferStore;
+use deno_tls::rustls::RootCertStore;
 use deno_web::BlobStore;
 use log::debug;
 use std::env;
@@ -49,7 +50,7 @@ pub struct WorkerOptions {
 pub args: Vec<String>,
 pub debug_flag: bool,
 pub unstable: bool,
- pub ca_data: Option<Vec<u8>>,
+ pub root_cert_store: Option<RootCertStore>,
 pub user_agent: String,
 pub seed: Option<u64>,
 pub module_loader: Rc<dyn ModuleLoader>,
@@ -99,13 +100,13 @@ impl MainWorker {
 deno_web::init(options.blob_store.clone(), options.location.clone()),
 deno_fetch::init::<Permissions>(
 options.user_agent.clone(),
- options.ca_data.clone(),
+ options.root_cert_store.clone(),
 None,
 None,
 ),
 deno_websocket::init::<Permissions>(
 options.user_agent.clone(),
- options.ca_data.clone(),
+ options.root_cert_store.clone(),
 ),
 deno_webstorage::init(options.origin_storage_dir.clone()),
 deno_crypto::init(options.seed),
@@ -126,7 +127,11 @@ impl MainWorker {
 ops::fs::init(),
 ops::io::init(),
 ops::io::init_stdio(),
- deno_net::init::<Permissions>(options.ca_data.clone(), options.unstable),
+ deno_tls::init(),
+ deno_net::init::<Permissions>(
+ options.root_cert_store.clone(),
+ options.unstable,
+ ),
 ops::os::init(),
 ops::permissions::init(),
 ops::process::init(),
@@ -295,7 +300,7 @@ mod tests {
 args: vec![],
 debug_flag: false,
 unstable: false,
- ca_data: None,
+ root_cert_store: None,
 seed: None,
 js_error_create_fn: None,
 create_web_worker_cb: Arc::new(|_| unreachable!()), |