Merge branch 'epel7'

2014-05-02 19:11:54 -07:00 · 2014-05-02 19:11:54 -07:00 · d281f417b7
commit d281f417b7
parent d8dedefd4f e034863719
2 changed files with 79 additions and 2 deletions
--- a/nodejs-use-system-certs.patch
+++ b/nodejs-use-system-certs.patch
@ -0,0 +1,58 @@
+Description: do not bundle CA certificates, openssl on Debian have them
+ As a consequence, nodejs must depend on ca-certificates.
+Forwarded: need some feedback before submitting the matter upstream
+Author: Jérémy Lal <kapouer@melix.org>
+Last-Update: 2014-03-02
+
+Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
+correct path for Fedora
+--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
+@@ -64,7 +64,6 @@
+ namespace node {
+ 
+ const char* root_certs[] = {
+-#include "node_root_certs.h"  // NOLINT(build/include_order)
+   NULL
+ };
+ 
+@@ -561,32 +560,16 @@
+   assert(sc->ca_store_ == NULL);
+ 
+   if (!root_cert_store) {
+-    root_cert_store = X509_STORE_new();
+-
+-    for (int i = 0; root_certs[i]; i++) {
+-      BIO *bp = BIO_new(BIO_s_mem());
+-
+-      if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
+-        BIO_free(bp);
+-        return False();
+-      }
+-
+-      X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
+-
+-      if (x509 == NULL) {
+-        BIO_free(bp);
+-        return False();
+-      }
+-
+-      X509_STORE_add_cert(root_cert_store, x509);
+-
+-      BIO_free(bp);
+-      X509_free(x509);
+    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
+      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
+    } else {
+      // empty store
+      root_cert_store = X509_STORE_new();
+     }
+  } else {
+    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
+   }
+-
+   sc->ca_store_ = root_cert_store;
+-  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ 
+   return True();
+ }
--- a/nodejs.spec
+++ b/nodejs.spec
@ -1,6 +1,6 @@
 Name: nodejs
 Version: 0.10.28
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
@ -23,6 +23,11 @@ Source7: nodejs_native.attr
 # Disable running gyp on bundled deps we don't use
 Patch1: nodejs-disable-gyp-deps.patch

+# use system certificates instead of the bundled ones
+# modified version of Debian patch:
+# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch
+Patch2: nodejs-use-system-certs.patch
+
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME,
 # so we need to be more explicit until spot fixes that
 %global v8_ge 1:3.14.5.7
@ -40,6 +45,9 @@ BuildRequires: openssl-devel >= 1:1.0.1
 Requires: v8%{?_isa} >= %{v8_ge}
 Requires: v8%{?_isa} < %{v8_lt}

+# we need the system certificate store when Patch2 is applied
+Requires: ca-certificates
+
 #we need ABI virtual provides where SONAMEs aren't enough/not present so deps
 #break when binary compatibility is broken
 %global nodejs_abi 0.10
@ -83,10 +91,15 @@ The API documentation for the Node.js JavaScript runtime.

 %prep
 %setup -q -n node-v%{version}
-%patch1 -p1

+# remove bundled dependencies
+%patch1 -p1
 rm -rf deps

+# remove bundled CA certificates
+%patch2 -p1
+rm -f src/node_root_certs.h
+
 %build
 # build with debugging symbols and add defines from libuv (#892601)
 export CFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
@ -166,6 +179,12 @@ cp -p common.gypi %{buildroot}%{_datadir}/node
 %{_pkgdocdir}/html

 %changelog
+* Sat May 03 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.28-2
+- use the system certificate store instead of the bundled copy
+  both are based on the Mozilla CA list, so the only effect this should have is
+  making additional certificates added by the system administrator available to
+  node
+
 * Sat May 03 2014 T.C. Hollingsworth <tchollingsworth@gmail.com> - 0.10.28-1
 - new upstream release 0.10.28
  There is no dfference between 0.10.27 and 0.10.28 for Fedora, as the only