Merge pull request #678 from jboeuf/installed_ssl_roots

Adding roots.pem from Mozilla and associated logic.
10 years ago · cc69f8d958
parent 6e8d15e7de 161ea23655
commit cc69f8d958
5 changed files with 5139 additions and 7 deletions
--- a/7
+++ b/7
@ -1930,7 +1930,7 @@ $(OBJDIR)/$(CONFIG)/%.o : %.cc
 	$(Q) $(CXX) $(CXXFLAGS) $(CPPFLAGS) -MMD -MF $(addsuffix .dep, $(basename $@)) -c -o $@ $<


-install: install_c install_cxx install-plugins verify-install
+install: install_c install_cxx install-plugins install-certs verify-install

 install_c: install-headers_c install-static_c install-shared_c

@ -2074,6 +2074,11 @@ else
 	$(Q) $(INSTALL) $(BINDIR)/$(CONFIG)/grpc_ruby_plugin $(prefix)/bin/grpc_ruby_plugin
 endif

+install-certs: etc/roots.pem
+	$(E) "[INSTALL] Installing root certificates"
+	$(Q) $(INSTALL) -d $(prefix)/share/grpc
+	$(Q) $(INSTALL) etc/roots.pem $(prefix)/share/grpc/roots.pem
+
 verify-install:
 ifeq ($(SYSTEM_OK),true)
 	@echo "Your system looks ready to go."
--- a/etc/roots.pem
+++ b/etc/roots.pem
--- a/include/grpc/grpc_security.h
+++ b/include/grpc/grpc_security.h
@ -73,8 +73,11 @@ typedef struct {

 /* Creates an SSL credentials object.
   - pem_roots_cert is the NULL-terminated string containing the PEM encoding
-     of the server root certificates. If this parameter is NULL, the default
-     roots will be used.
+     of the server root certificates. If this parameter is NULL, the
+     implementation will first try to dereference the file pointed by the
+     GRPC_DEFAULT_SSL_ROOTS_FILE_PATH environment variable, and if that fails,
+     get the roots from a well-known place on disk (in the grpc install
+     directory).
   - pem_key_cert_pair is a pointer on the object containing client's private
     key and certificate chain. This parameter can be NULL if the client does
     not have such a key/cert pair.  */
--- a/src/core/security/security_context.c
+++ b/src/core/security/security_context.c
@ -61,9 +61,9 @@
  "SHA256:AES256-SHA256"

 #ifndef INSTALL_PREFIX
-static const char *installed_roots_path = "/etc/grpc/roots.pem";
+static const char *installed_roots_path = "/usr/share/grpc/roots.pem";
 #else
-static const char *installed_roots_path = INSTALL_PREFIX "/etc/grpc/roots.pem";
+static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem";
 #endif

 /* -- Common methods. -- */
@ -404,6 +404,7 @@ static grpc_security_context_vtable ssl_server_vtable = {
 static gpr_slice default_pem_root_certs;

 static void init_default_pem_root_certs(void) {
+  /* First try to load the roots from the environment. */
  char *default_root_certs_path =
      gpr_getenv(GRPC_DEFAULT_SSL_ROOTS_FILE_PATH_ENV_VAR);
  if (default_root_certs_path == NULL) {
@ -412,7 +413,11 @@ static void init_default_pem_root_certs(void) {
    default_pem_root_certs = gpr_load_file(default_root_certs_path, NULL);
    gpr_free(default_root_certs_path);
  }
-  (void) installed_roots_path;
+
+  /* Fall back to installed certs if needed. */
+  if (GPR_SLICE_IS_EMPTY(default_pem_root_certs)) {
+    default_pem_root_certs = gpr_load_file(installed_roots_path, NULL);
+  }
 }

 size_t grpc_get_default_ssl_roots(const unsigned char **pem_root_certs) {
--- a/templates/Makefile.template
+++ b/templates/Makefile.template
@ -729,7 +729,7 @@ $(OBJDIR)/$(CONFIG)/%.o : %.cc
 	$(Q) $(CXX) $(CXXFLAGS) $(CPPFLAGS) -MMD -MF $(addsuffix .dep, $(basename $@)) -c -o $@ $<


-install: install_c install_cxx install-plugins verify-install
+install: install_c install_cxx install-plugins install-certs verify-install

 install_c: install-headers_c install-static_c install-shared_c

@ -824,6 +824,11 @@ else
 % endfor
 endif

+install-certs: etc/roots.pem
+	$(E) "[INSTALL] Installing root certificates"
+	$(Q) $(INSTALL) -d $(prefix)/share/grpc
+	$(Q) $(INSTALL) etc/roots.pem $(prefix)/share/grpc/roots.pem
+
 verify-install:
 ifeq ($(SYSTEM_OK),true)
 	@echo "Your system looks ready to go."