From 9407a3ee096bb0d9e4f9fdf4b0e66bf4a53927f4 Mon Sep 17 00:00:00 2001
From: Robo
Date: Fri, 1 Oct 2021 07:56:31 -0700
Subject: [PATCH] fix: remove expired DST Root CA X3 (#31219)
* Revert "fix: Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL (#31218)"
This reverts commit d788d817ee5f54ac49b5ce505494547968b8e667.
* fix: remove expired DST Root CA X3
---
 patches/boringssl/.patches | 1 -
 ...nable_x509_v_flag_trusted_first_flag.patch | 20 ---------
 patches/node/.patches | 1 +
 .../fix_remove_expired_dst_root_ca_x3.patch | 42 +++++++++++++++++++
 4 files changed, 43 insertions(+), 21 deletions(-)
 delete mode 100644 patches/boringssl/enable_x509_v_flag_trusted_first_flag.patch
 create mode 100644 patches/node/fix_remove_expired_dst_root_ca_x3.patch
diff --git a/patches/boringssl/.patches b/patches/boringssl/.patches
index 21fb526862dce..a812a6b79a6dc 100644
--- a/patches/boringssl/.patches
+++ b/patches/boringssl/.patches
@@ -2,4 +2,3 @@ expose_ripemd160.patch
 expose_aes-cfb.patch
 expose_des-ede3.patch
 fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch
-enable_x509_v_flag_trusted_first_flag.patch
diff --git a/patches/boringssl/enable_x509_v_flag_trusted_first_flag.patch b/patches/boringssl/enable_x509_v_flag_trusted_first_flag.patch
deleted file mode 100644
index 5c3c96ccb3f4e..0000000000000
--- a/patches/boringssl/enable_x509_v_flag_trusted_first_flag.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Juan Cruz Viotti
-Date: Thu, 30 Sep 2021 13:39:23 -0400
-Subject: Enable X509_V_FLAG_TRUSTED_FIRST flag
-
-Signed-off-by: Juan Cruz Viotti
-
-diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
-index 5a881d64c30076404cc800fff9e943bb0b30d2ac..29d5341efc8eb7ae6f90bdde5a8032e99f75c98e 100644
---- a/crypto/x509/x509_vpm.c
-+++ b/crypto/x509/x509_vpm.c
-@@ -528,7 +528,7 @@ static const X509_VERIFY_PARAM default_table[] = {
- (char *)"default", /* X509 default parameters */
- 0, /* Check time */
- 0, /* internal flags */
-- 0, /* flags */
-+ X509_V_FLAG_TRUSTED_FIRST, /* flags */
- 0, /* purpose */
- 0, /* trust */
- 100, /* depth */
diff --git a/patches/node/.patches b/patches/node/.patches
index 4a210077e91ec..5adaec080afc4 100644
--- a/patches/node/.patches
+++ b/patches/node/.patches
@@ -28,3 +28,4 @@ fix_use_new_v8_error_message_property_access_format.patch
 add_should_read_node_options_from_env_option_to_disable_node_options.patch
 repl_fix_crash_when_sharedarraybuffer_disabled.patch
 fix_crash_creating_private_key_with_unsupported_algorithm.patch
+fix_remove_expired_dst_root_ca_x3.patch
diff --git a/patches/node/fix_remove_expired_dst_root_ca_x3.patch b/patches/node/fix_remove_expired_dst_root_ca_x3.patch
new file mode 100644
index 0000000000000..ef5b3d1a16828
--- /dev/null
+++ b/patches/node/fix_remove_expired_dst_root_ca_x3.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: deepak1556
+Date: Fri, 1 Oct 2021 07:21:11 +0900
+Subject: fix: remove expired DST Root CA X3
+
+The alternative ISRG Root X1 trusted certificate is
+already available in this bundle.
+
+https://letsencrypt.org/docs/certificate-compatibility/
+https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+
+diff --git a/src/node_root_certs.h b/src/node_root_certs.h
+index 47beb730f4b853f1bf248a7fd1b1cd7d726bdf7e..94ac882ec7e4e2eb61d1f0094f79fb6f603d978c 100644
+--- a/src/node_root_certs.h
++++ b/src/node_root_certs.h
+@@ -525,26 +525,6 @@
+ "yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K\n"
+ "-----END CERTIFICATE-----",
+ 
+-/* DST Root CA X3 */
+-"-----BEGIN CERTIFICATE-----\n"
+-"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYD\n"
+-"VQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENB\n"
+-"IFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRh\n"
+-"bCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJ\n"
+-"KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdA\n"
+-"wRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwG\n"
+-"MoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4X\n"
+-"Lh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n"
+-"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkq\n"
+-"tilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
+-"HQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiyb\n"
+-"FwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR\n"
+-"6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaL\n"
+-"bumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir\n"
+-"/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06Xyx\n"
+-"V3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n"
+-"-----END CERTIFICATE-----",
+-
+ /* SwissSign Gold CA - G2 */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNI\n"
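Review bot: The fix relies on `ISRG Root X1` already being in the bundled store, but that precondition is stated only in the patch description; the inner hunk shows just the removal of the `DST Root CA X3` entry and its SwissSign neighbour, and nothing in the commit checks it. A test that loads the bundled roots and asserts ISRG Root X1 is present and DST Root CA X3 is absent would pin what the fix depends on, and would also flag the expired entry coming back if node_root_certs.h is regenerated from its upstream source (presumably the Mozilla store) on a later Node roll. The description would also benefit from naming the mechanism, e.g. `With the expired root gone, chains that carry the DST-cross-signed ISRG Root X1 must terminate at the self-signed ISRG Root X1 in this bundle, which depends on the verifier's chain building`, since the reverted TRUSTED_FIRST change addressed that same case at the verifier and the reviewer has to infer why this variant suffices. The inner node_root_certs.h hunk is complete, but the array it edits continues outside it.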