Merge pull request #16536 from jiangtaoli2016/system_root

Turn loading system root certificates as default
7 years ago · 23afefe79b
parent 19ed319a94 e361d0f691
commit 23afefe79b
3 changed files with 8 additions and 13 deletions
--- a/src/core/lib/security/security_connector/security_connector.cc
+++ b/src/core/lib/security/security_connector/security_connector.cc
@ -59,8 +59,8 @@ static const char* installed_roots_path =

 /** Environment variable used as a flag to enable/disable loading system root
    certificates from the OS trust store. */
-#ifndef GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR
-#define GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR "GRPC_USE_SYSTEM_SSL_ROOTS"
+#ifndef GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR
+#define GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR "GRPC_NOT_USE_SYSTEM_SSL_ROOTS"
 #endif

 #ifndef TSI_OPENSSL_ALPN_SUPPORT
@ -1192,10 +1192,10 @@ const char* DefaultSslRootStore::GetPemRootCerts() {

 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
  grpc_slice result = grpc_empty_slice();
-  char* use_system_roots_env_value =
-      gpr_getenv(GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR);
-  const bool use_system_roots = gpr_is_true(use_system_roots_env_value);
-  gpr_free(use_system_roots_env_value);
+  char* not_use_system_roots_env_value =
+      gpr_getenv(GRPC_NOT_USE_SYSTEM_SSL_ROOTS_ENV_VAR);
+  const bool not_use_system_roots = gpr_is_true(not_use_system_roots_env_value);
+  gpr_free(not_use_system_roots_env_value);
  // First try to load the roots from the environment.
  char* default_root_certs_path =
      gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
@ -1218,7 +1218,7 @@ grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
    gpr_free(pem_root_certs);
  }
  // Try loading roots from OS trust store if flag is enabled.
-  if (GRPC_SLICE_IS_EMPTY(result) && use_system_roots) {
+  if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
    result = LoadSystemRootCerts();
  }
  // Fallback to roots manually shipped with gRPC.
--- a/test/core/security/linux_system_roots_test.cc
+++ b/test/core/security/linux_system_roots_test.cc
@ -41,10 +41,6 @@

 #include "gtest/gtest.h"

-#ifndef GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR
-#define GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR "GRPC_USE_SYSTEM_SSL_ROOTS"
-#endif
-
 namespace grpc {
 namespace {

@ -68,7 +64,6 @@ TEST(CreateRootCertsBundleTest, ReturnsEmpty) {
 }

 TEST(CreateRootCertsBundleTest, BundlesCorrectly) {
-  gpr_setenv(GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR, "true");
  // Test that CreateRootCertsBundle returns a correct slice.
  grpc_slice roots_bundle = grpc_empty_slice();
  GRPC_LOG_IF_ERROR(
@ -81,7 +76,6 @@ TEST(CreateRootCertsBundleTest, BundlesCorrectly) {
  char* bundle_str = grpc_slice_to_c_string(roots_bundle);
  EXPECT_STREQ(result_str, bundle_str);
  // Clean up.
-  unsetenv(GRPC_USE_SYSTEM_SSL_ROOTS_ENV_VAR);
  gpr_free(result_str);
  gpr_free(bundle_str);
  grpc_slice_unref(roots_bundle);
--- a/test/core/security/security_connector_test.cc
+++ b/test/core/security/security_connector_test.cc
@ -415,6 +415,7 @@ static void test_default_ssl_roots(void) {

  /* Now setup a permanent failure for the overridden roots and we should get
     an empty slice. */
+  gpr_setenv("GRPC_NOT_USE_SYSTEM_SSL_ROOTS", "true");
  grpc_set_ssl_roots_override_callback(override_roots_permanent_failure);
  roots = grpc_core::TestDefaultSslRootStore::ComputePemRootCertsForTesting();
  GPR_ASSERT(GRPC_SLICE_IS_EMPTY(roots));