nodejs20/nodejs-use-system-certs.patch

Description: do not bundle CA certificates, openssl on Debian have them
 As a consequence, nodejs must depend on ca-certificates.
Forwarded: need some feedback before submitting the matter upstream
Author: Jérémy Lal <kapouer@melix.org>
Last-Update: 2014-03-02

Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
correct path for Fedora
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -64,7 +64,6 @@
 namespace node {
 
 const char* root_certs[] = {
-#include "node_root_certs.h"  // NOLINT(build/include_order)
   NULL
 };
 
@@ -561,32 +560,16 @@
   assert(sc->ca_store_ == NULL);
 
   if (!root_cert_store) {
-    root_cert_store = X509_STORE_new();
-
-    for (int i = 0; root_certs[i]; i++) {
-      BIO *bp = BIO_new(BIO_s_mem());
-
-      if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
-        BIO_free(bp);
-        return False();
-      }
-
-      X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
-
-      if (x509 == NULL) {
-        BIO_free(bp);
-        return False();
-      }
-
-      X509_STORE_add_cert(root_cert_store, x509);
-
-      BIO_free(bp);
-      X509_free(x509);
+    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
+      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+    } else {
+      // empty store
+      root_cert_store = X509_STORE_new();
     }
+  } else {
+    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
   }
-
   sc->ca_store_ = root_cert_store;
-  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
 
   return True();
 }
use the system certificate store instead of the bundled copy both are based on the Mozilla CA list, so the only effect this should have is making additional certificates added by the system administrator available to node 2014-05-03 01:24:05 +00:00			`Description: do not bundle CA certificates, openssl on Debian have them`
			`As a consequence, nodejs must depend on ca-certificates.`
			`Forwarded: need some feedback before submitting the matter upstream`
			`Author: Jérémy Lal <kapouer@melix.org>`
			`Last-Update: 2014-03-02`

			`Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the`
			`correct path for Fedora`
			`--- a/src/node_crypto.cc`
			`+++ b/src/node_crypto.cc`
			`@@ -64,7 +64,6 @@`
			`namespace node {`

			`const char* root_certs[] = {`
			`-#include "node_root_certs.h" // NOLINT(build/include_order)`
			`NULL`
			`};`

			`@@ -561,32 +560,16 @@`
			`assert(sc->ca_store_ == NULL);`

			`if (!root_cert_store) {`
			`- root_cert_store = X509_STORE_new();`
			`-`
			`- for (int i = 0; root_certs[i]; i++) {`
			`- BIO *bp = BIO_new(BIO_s_mem());`
			`-`
			`- if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {`
			`- BIO_free(bp);`
			`- return False();`
			`- }`
			`-`
			`- X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);`
			`-`
			`- if (x509 == NULL) {`
			`- BIO_free(bp);`
			`- return False();`
			`- }`
			`-`
			`- X509_STORE_add_cert(root_cert_store, x509);`
			`-`
			`- BIO_free(bp);`
			`- X509_free(x509);`
			`+ if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {`
			`+ root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);`
			`+ } else {`
			`+ // empty store`
			`+ root_cert_store = X509_STORE_new();`
			`}`
			`+ } else {`
			`+ SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);`
			`}`
			`-`
			`sc->ca_store_ = root_cert_store;`
			`- SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);`

			`return True();`
			`}`