chore: upgrade to rustls 0.20 (#12488)

Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com> Co-authored-by: Bert Belder <bertbelder@gmail.com>
denoland · Dec 6, 2021 · a2f1357 · a2f1357
1 parent b91e6fd
commit a2f1357
Show file tree

Hide file tree

Showing 15 changed files with 422 additions and 359 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/cli/proc_state.rs b/cli/proc_state.rs
@@ -38,9 +38,11 @@ use deno_graph::MediaType;
 use deno_graph::ModuleGraphError;
 use deno_graph::Range;
 use deno_runtime::deno_broadcast_channel::InMemoryBroadcastChannel;
+use deno_runtime::deno_tls::rustls;
 use deno_runtime::deno_tls::rustls::RootCertStore;
 use deno_runtime::deno_tls::rustls_native_certs::load_native_certs;
-use deno_runtime::deno_tls::webpki_roots::TLS_SERVER_ROOTS;
+use deno_runtime::deno_tls::rustls_pemfile;
+use deno_runtime::deno_tls::webpki_roots;
 use deno_runtime::deno_web::BlobStore;
 use deno_runtime::inspector_server::InspectorServer;
 use deno_runtime::permissions::Permissions;
@@ -206,13 +208,24 @@ impl ProcState {
     for store in ca_stores.iter() {
       match store.as_str() {
         "mozilla" => {
-          root_cert_store.add_server_trust_anchors(&TLS_SERVER_ROOTS);
+          root_cert_store.add_server_trust_anchors(
+            webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+              rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+                ta.subject,
+                ta.spki,
+                ta.name_constraints,
+              )
+            }),
+          );
         }
         "system" => {
-          let roots = load_native_certs()
-            .expect("could not load platform certs")
-            .roots;
-          root_cert_store.roots.extend(roots);
+          let roots =
+            load_native_certs().expect("could not load platform certs");
+          for root in roots {
+            root_cert_store
+              .add(&rustls::Certificate(root.0))
+              .expect("Failed to add platform cert to root cert store");
+          }
         }
         _ => {
           return Err(anyhow!("Unknown certificate store \"{}\" specified (allowed: \"system,mozilla\")", store));
@@ -225,9 +238,16 @@ impl ProcState {
       let certfile = File::open(&ca_file)?;
       let mut reader = BufReader::new(certfile);
 
-      // This function does not return specific errors, if it fails give a generic message.
-      if let Err(_err) = root_cert_store.add_pem_file(&mut reader) {
-        return Err(anyhow!("Unable to add pem file to certificate store"));
+      match rustls_pemfile::certs(&mut reader) {
+        Ok(certs) => {
+          root_cert_store.add_parsable_certificates(&certs);
+        }
+        Err(e) => {
+          return Err(anyhow!(
+            "Unable to add pem file to certificate store: {}",
+            e
+          ));
+        }
       }
     }
 

diff --git a/cli/standalone.rs b/cli/standalone.rs
@@ -22,6 +22,7 @@ use deno_core::ModuleLoader;
 use deno_core::ModuleSpecifier;
 use deno_runtime::deno_broadcast_channel::InMemoryBroadcastChannel;
 use deno_runtime::deno_tls::create_default_root_cert_store;
+use deno_runtime::deno_tls::rustls_pemfile;
 use deno_runtime::deno_web::BlobStore;
 use deno_runtime::permissions::Permissions;
 use deno_runtime::permissions::PermissionsOptions;
@@ -221,9 +222,16 @@ pub async fn run(
 
   if let Some(cert) = metadata.ca_data {
     let reader = &mut BufReader::new(Cursor::new(cert));
-    // This function does not return specific errors, if it fails give a generic message.
-    if let Err(_err) = root_cert_store.add_pem_file(reader) {
-      return Err(anyhow!("Unable to add pem file to certificate store"));
+    match rustls_pemfile::certs(reader) {
+      Ok(certs) => {
+        root_cert_store.add_parsable_certificates(&certs);
+      }
+      Err(e) => {
+        return Err(anyhow!(
+          "Unable to add pem file to certificate store: {}",
+          e
+        ));
+      }
     }
   }