Diffstat (limited to 'cli')
-rw-r--r--cli/proc_state.rs38
-rw-r--r--cli/standalone.rs14
-rw-r--r--cli/tests/integration/mod.rs76
-rw-r--r--cli/tests/testdata/listen_tls_alpn.ts8
-rw-r--r--cli/tests/testdata/listen_tls_alpn_fail.ts20
-rw-r--r--cli/tests/testdata/localhost_unsafe_ssl.ts.out2
6 files changed, 108 insertions, 50 deletions
diff --git a/cli/proc_state.rs b/cli/proc_state.rs
index be3213a62..220138e6f 100644
--- a/cli/proc_state.rs
+++ b/cli/proc_state.rs
@@ -38,9 +38,11 @@ use deno_graph::MediaType;
use deno_graph::ModuleGraphError;
use deno_graph::Range;
use deno_runtime::deno_broadcast_channel::InMemoryBroadcastChannel;
+use deno_runtime::deno_tls::rustls;
use deno_runtime::deno_tls::rustls::RootCertStore;
use deno_runtime::deno_tls::rustls_native_certs::load_native_certs;
-use deno_runtime::deno_tls::webpki_roots::TLS_SERVER_ROOTS;
+use deno_runtime::deno_tls::rustls_pemfile;
+use deno_runtime::deno_tls::webpki_roots;
use deno_runtime::deno_web::BlobStore;
use deno_runtime::inspector_server::InspectorServer;
use deno_runtime::permissions::Permissions;
@@ -206,13 +208,24 @@ impl ProcState {
for store in ca_stores.iter() {
match store.as_str() {
"mozilla" => {
- root_cert_store.add_server_trust_anchors(&TLS_SERVER_ROOTS);
+ root_cert_store.add_server_trust_anchors(
+ webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+ rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+ ta.subject,
+ ta.spki,
+ ta.name_constraints,
+ )
+ }),
+ );
}
"system" => {
- let roots = load_native_certs()
- .expect("could not load platform certs")
- .roots;
- root_cert_store.roots.extend(roots);
+ let roots =
+ load_native_certs().expect("could not load platform certs");
+ for root in roots {
+ root_cert_store
+ .add(&rustls::Certificate(root.0))
+ .expect("Failed to add platform cert to root cert store");
+ }
}
_ => {
return Err(anyhow!("Unknown certificate store \"{}\" specified (allowed: \"system,mozilla\")", store));
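Review bot: The `.add(&rustls::Certificate(root.0)).expect("Failed to add platform cert to root cert store")` call in the new `"system"` arm aborts the whole process as soon as rustls rejects one platform certificate, while the code it replaces copied the platform roots over with no per-certificate abort path; a single stale or oddly encoded entry in an OS trust store is a realistic condition and should not be fatal. Since `root.0` appears to be the DER bytes (it is wrapped straight into `rustls::Certificate`), the loop can be replaced with `let certs: Vec<Vec<u8>> = roots.into_iter().map(|c| c.0).collect();` followed by `let (_added, _ignored) = root_cert_store.add_parsable_certificates(&certs);`, which skips unparsable entries the same way the `--cert` path in the next hunk does. Logging `_ignored` when it is non-zero would make the skipped certificates visible to operators. The enclosing function begins before this hunk and continues after it.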
@@ -225,9 +238,16 @@ impl ProcState {
let certfile = File::open(&ca_file)?;
let mut reader = BufReader::new(certfile);
- // This function does not return specific errors, if it fails give a generic message.
- if let Err(_err) = root_cert_store.add_pem_file(&mut reader) {
- return Err(anyhow!("Unable to add pem file to certificate store"));
+ match rustls_pemfile::certs(&mut reader) {
+ Ok(certs) => {
+ root_cert_store.add_parsable_certificates(&certs);
+ }
+ Err(e) => {
+ return Err(anyhow!(
+ "Unable to add pem file to certificate store: {}",
+ e
+ ));
+ }
}
}
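Review bot: `root_cert_store.add_parsable_certificates(&certs);` in the `Ok(certs)` arm discards the `(added, ignored)` counts, so a `--cert` file that is syntactically valid PEM but yields no usable certificate (a file holding only a key, or blocks rustls cannot parse) is accepted silently and the process runs without the CA the user asked for. `rustls_pemfile::certs` returns `Ok` with an empty vector in that situation; its `Err` only covers read and PEM-structure failures, so the new `Err(e)` branch does not catch it. Consider `let (added, _ignored) = root_cert_store.add_parsable_certificates(&certs);` followed by `if added == 0 { return Err(anyhow!("No valid certificates found in pem file")); }`, and the same check applies to the identical match in the `cli/standalone.rs` hunk of this commit. The enclosing function starts before this hunk.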
diff --git a/cli/standalone.rs b/cli/standalone.rs
index 464ff2c2d..47b0e2aa8 100644
--- a/cli/standalone.rs
+++ b/cli/standalone.rs
@@ -22,6 +22,7 @@ use deno_core::ModuleLoader;
use deno_core::ModuleSpecifier;
use deno_runtime::deno_broadcast_channel::InMemoryBroadcastChannel;
use deno_runtime::deno_tls::create_default_root_cert_store;
+use deno_runtime::deno_tls::rustls_pemfile;
use deno_runtime::deno_web::BlobStore;
use deno_runtime::permissions::Permissions;
use deno_runtime::permissions::PermissionsOptions;
@@ -221,9 +222,16 @@ pub async fn run(
if let Some(cert) = metadata.ca_data {
let reader = &mut BufReader::new(Cursor::new(cert));
- // This function does not return specific errors, if it fails give a generic message.
- if let Err(_err) = root_cert_store.add_pem_file(reader) {
- return Err(anyhow!("Unable to add pem file to certificate store"));
+ match rustls_pemfile::certs(reader) {
+ Ok(certs) => {
+ root_cert_store.add_parsable_certificates(&certs);
+ }
+ Err(e) => {
+ return Err(anyhow!(
+ "Unable to add pem file to certificate store: {}",
+ e
+ ));
+ }
}
}
diff --git a/cli/tests/integration/mod.rs b/cli/tests/integration/mod.rs
index cfb950901..9cd1b2c11 100644
--- a/cli/tests/integration/mod.rs
+++ b/cli/tests/integration/mod.rs
@@ -5,7 +5,7 @@ use deno_core::url;
use deno_runtime::deno_fetch::reqwest;
use deno_runtime::deno_net::ops_tls::TlsStream;
use deno_runtime::deno_tls::rustls;
-use deno_runtime::deno_tls::webpki;
+use deno_runtime::deno_tls::rustls_pemfile;
use std::fs;
use std::io::BufReader;
use std::io::Cursor;
@@ -1143,36 +1143,40 @@ async fn listen_tls_alpn() {
.spawn()
.unwrap();
let stdout = child.stdout.as_mut().unwrap();
- let mut buffer = [0; 5];
- let read = stdout.read(&mut buffer).unwrap();
+ let mut msg = [0; 5];
+ let read = stdout.read(&mut msg).unwrap();
assert_eq!(read, 5);
- let msg = std::str::from_utf8(&buffer).unwrap();
- assert_eq!(msg, "READY");
+ assert_eq!(&msg, b"READY");
- let mut cfg = rustls::ClientConfig::new();
- let reader = &mut BufReader::new(Cursor::new(include_bytes!(
+ let mut reader = &mut BufReader::new(Cursor::new(include_bytes!(
"../testdata/tls/RootCA.crt"
)));
- cfg.root_store.add_pem_file(reader).unwrap();
- cfg.alpn_protocols.push("foobar".as_bytes().to_vec());
+ let certs = rustls_pemfile::certs(&mut reader).unwrap();
+ let mut root_store = rustls::RootCertStore::empty();
+ root_store.add_parsable_certificates(&certs);
+ let mut cfg = rustls::ClientConfig::builder()
+ .with_safe_defaults()
+ .with_root_certificates(root_store)
+ .with_no_client_auth();
+ cfg.alpn_protocols.push(b"foobar".to_vec());
let cfg = Arc::new(cfg);
- let hostname =
- webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap();
+ let hostname = rustls::ServerName::try_from("localhost").unwrap();
let tcp_stream = tokio::net::TcpStream::connect("localhost:4504")
.await
.unwrap();
let mut tls_stream =
- TlsStream::new_client_side(tcp_stream, &cfg, hostname);
+ TlsStream::new_client_side(tcp_stream, cfg, hostname);
+
tls_stream.handshake().await.unwrap();
- let (_, session) = tls_stream.get_ref();
- let alpn = session.get_alpn_protocol().unwrap();
- assert_eq!(std::str::from_utf8(alpn).unwrap(), "foobar");
+ let (_, rustls_connection) = tls_stream.get_ref();
+ let alpn = rustls_connection.alpn_protocol().unwrap();
+ assert_eq!(alpn, b"foobar");
- child.kill().unwrap();
- child.wait().unwrap();
+ let status = child.wait().unwrap();
+ assert!(status.success());
})
.await;
}
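Review bot: `let mut reader = &mut BufReader::new(Cursor::new(include_bytes!(` binds a `&mut` reference mutably and the later `rustls_pemfile::certs(&mut reader)` then hands the parser a `&mut &mut BufReader`; the extra indirection compiles but reads as an accident. `let mut reader = BufReader::new(Cursor::new(include_bytes!(` with the existing `&mut reader` call is the plain form, and the same pattern is repeated in the `listen_tls_alpn_fail` hunk below. The switch from `child.kill()` to a bare `child.wait()` also means a server script that never exits now hangs the test rather than failing it, which is presumably acceptable only because the test harness enforces its own timeout.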
@@ -1190,41 +1194,45 @@ async fn listen_tls_alpn_fail() {
.arg("--quiet")
.arg("--allow-net")
.arg("--allow-read")
- .arg("./listen_tls_alpn.ts")
+ .arg("./listen_tls_alpn_fail.ts")
.arg("4505")
.stdout(std::process::Stdio::piped())
.spawn()
.unwrap();
let stdout = child.stdout.as_mut().unwrap();
- let mut buffer = [0; 5];
- let read = stdout.read(&mut buffer).unwrap();
+ let mut msg = [0; 5];
+ let read = stdout.read(&mut msg).unwrap();
assert_eq!(read, 5);
- let msg = std::str::from_utf8(&buffer).unwrap();
- assert_eq!(msg, "READY");
+ assert_eq!(&msg, b"READY");
- let mut cfg = rustls::ClientConfig::new();
- let reader = &mut BufReader::new(Cursor::new(include_bytes!(
+ let mut reader = &mut BufReader::new(Cursor::new(include_bytes!(
"../testdata/tls/RootCA.crt"
)));
- cfg.root_store.add_pem_file(reader).unwrap();
- cfg.alpn_protocols.push("boofar".as_bytes().to_vec());
+ let certs = rustls_pemfile::certs(&mut reader).unwrap();
+ let mut root_store = rustls::RootCertStore::empty();
+ root_store.add_parsable_certificates(&certs);
+ let mut cfg = rustls::ClientConfig::builder()
+ .with_safe_defaults()
+ .with_root_certificates(root_store)
+ .with_no_client_auth();
+ cfg.alpn_protocols.push(b"boofar".to_vec());
let cfg = Arc::new(cfg);
- let hostname =
- webpki::DNSNameRef::try_from_ascii_str("localhost").unwrap();
+ let hostname = rustls::ServerName::try_from("localhost").unwrap();
let tcp_stream = tokio::net::TcpStream::connect("localhost:4505")
.await
.unwrap();
let mut tls_stream =
- TlsStream::new_client_side(tcp_stream, &cfg, hostname);
- tls_stream.handshake().await.unwrap();
- let (_, session) = tls_stream.get_ref();
+ TlsStream::new_client_side(tcp_stream, cfg, hostname);
- assert!(session.get_alpn_protocol().is_none());
+ tls_stream.handshake().await.unwrap_err();
- child.kill().unwrap();
- child.wait().unwrap();
+ let (_, rustls_connection) = tls_stream.get_ref();
+ assert!(rustls_connection.alpn_protocol().is_none());
+
+ let status = child.wait().unwrap();
+ assert!(status.success());
})
.await;
}
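Review bot: `tls_stream.handshake().await.unwrap_err();` accepts any handshake failure, so this test still passes if the handshake breaks for a reason unrelated to ALPN, such as a certificate or root store problem, rather than the protocol mismatch the test is meant to cover. Binding the error and asserting on its text, `let err = tls_stream.handshake().await.unwrap_err();` then `assert!(err.to_string().contains("<alert text observed from a run>"));`, pins the failure to the server's ALPN rejection; the exact client-side message rustls produces should be taken from an actual run rather than guessed. The matching TypeScript fixture already asserts the server-side message, so the two sides would then check the same failure.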
diff --git a/cli/tests/testdata/listen_tls_alpn.ts b/cli/tests/testdata/listen_tls_alpn.ts
index 5d58065d9..b3ade686e 100644
--- a/cli/tests/testdata/listen_tls_alpn.ts
+++ b/cli/tests/testdata/listen_tls_alpn.ts
@@ -7,6 +7,8 @@ const listener = Deno.listenTls({
console.log("READY");
-for await (const conn of listener) {
- conn.close();
-}
+const conn = await listener.accept() as Deno.TlsConn;
+await conn.handshake();
+conn.close();
+
+listener.close();
diff --git a/cli/tests/testdata/listen_tls_alpn_fail.ts b/cli/tests/testdata/listen_tls_alpn_fail.ts
new file mode 100644
index 000000000..04f9ec11f
--- /dev/null
+++ b/cli/tests/testdata/listen_tls_alpn_fail.ts
@@ -0,0 +1,20 @@
+import { assertRejects } from "../../../test_util/std/testing/asserts.ts";
+
+const listener = Deno.listenTls({
+ port: Number(Deno.args[0]),
+ certFile: "./tls/localhost.crt",
+ keyFile: "./tls/localhost.key",
+ alpnProtocols: ["h2", "http/1.1", "foobar"],
+});
+
+console.log("READY");
+
+const conn = await listener.accept() as Deno.TlsConn;
+await assertRejects(
+ () => conn.handshake(),
+ Deno.errors.InvalidData,
+ "peer doesn't support any known protocol",
+);
+conn.close();
+
+listener.close();
diff --git a/cli/tests/testdata/localhost_unsafe_ssl.ts.out b/cli/tests/testdata/localhost_unsafe_ssl.ts.out
index 66c199417..0bfaeb25d 100644
--- a/cli/tests/testdata/localhost_unsafe_ssl.ts.out
+++ b/cli/tests/testdata/localhost_unsafe_ssl.ts.out
@@ -1,3 +1,3 @@
DANGER: TLS certificate validation is disabled for: deno.land
-error: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid certificate: UnknownIssuer
+error: error sending request for url (https://localhost:5545/subdir/mod2.ts): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
at file:///[WILDCARD]/cafile_url_imports.ts:[WILDCARD]