[nodejs/epel7] use the system certificate store instead of the bundled copy

T.C. Hollingsworth patches at fedoraproject.org
Sat May 3 02:12:23 UTC 2014


commit e0348637198b64daa13ebf159a3087e543470e6b
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date:   Fri May 2 18:24:05 2014 -0700

    use the system certificate store instead of the bundled copy
    
      both are based on the Mozilla CA list, so the only effect this should have is
      making additional certificates added by the system administrator available to
      node

 nodejs-use-system-certs.patch |   58 +++++++++++++++++++++++++++++++++++++++++
 nodejs.spec                   |   23 +++++++++++++++-
 2 files changed, 79 insertions(+), 2 deletions(-)
---
diff --git a/nodejs-use-system-certs.patch b/nodejs-use-system-certs.patch
new file mode 100644
index 0000000..fe2abab
--- /dev/null
+++ b/nodejs-use-system-certs.patch
@@ -0,0 +1,58 @@
+Description: do not bundle CA certificates, openssl on Debian have them
+ As a consequence, nodejs must depend on ca-certificates.
+Forwarded: need some feedback before submitting the matter upstream
+Author: Jérémy Lal <kapouer at melix.org>
+Last-Update: 2014-03-02
+
+Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth at gmail.com> with the
+correct path for Fedora
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -64,7 +64,6 @@
+ namespace node {
+ 
+ const char* root_certs[] = {
+-#include "node_root_certs.h"  // NOLINT(build/include_order)
+   NULL
+ };
+ 
+@@ -561,32 +560,16 @@
+   assert(sc->ca_store_ == NULL);
+ 
+   if (!root_cert_store) {
+-    root_cert_store = X509_STORE_new();
+-
+-    for (int i = 0; root_certs[i]; i++) {
+-      BIO *bp = BIO_new(BIO_s_mem());
+-
+-      if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
+-        BIO_free(bp);
+-        return False();
+-      }
+-
+-      X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
+-
+-      if (x509 == NULL) {
+-        BIO_free(bp);
+-        return False();
+-      }
+-
+-      X509_STORE_add_cert(root_cert_store, x509);
+-
+-      BIO_free(bp);
+-      X509_free(x509);
++    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/pki/tls/certs/ca-bundle.crt", NULL) == 1) {
++      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
++    } else {
++      // empty store
++      root_cert_store = X509_STORE_new();
+     }
++  } else {
++    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
+   }
+-
+   sc->ca_store_ = root_cert_store;
+-  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ 
+   return True();
+ }
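Review bot: When `SSL_CTX_load_verify_locations` fails, the `// empty store` branch silently caches an empty `X509_STORE` in the global `root_cert_store`, so every later SecureContext inherits a store with no trust anchors, the load is never retried, nothing is reported, and `AddRootCerts` still returns `True()`. Failing closed is the right direction, but the removed loop returned `False()` on a bad certificate and a missing or unreadable system bundle deserves at least that much visibility — e.g. `return False();` in that branch without assigning `root_cert_store`, ideally after emitting the `ERR_get_error()` queue to stderr so an operator can see why every TLS handshake fails. The store taken from the first context's `ctx_` is now what every subsequent context shares via `SSL_CTX_set_cert_store`, which as far as I can tell is not reference-counted on OpenSSL 1.0.x; the existing `root_cert_store` check in the context teardown (outside this hunk) presumably still keeps `SSL_CTX_free` from releasing it, but that is worth confirming. With the loop gone, `root_certs[]` at the top of the file is left holding only `NULL` and could be dropped. `AddRootCerts` begins before the inner hunk, so its early part is not visible here.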
diff --git a/nodejs.spec b/nodejs.spec
index 41fef8d..cf01c5a 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,6 +1,6 @@
 Name: nodejs
 Version: 0.10.28
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
@@ -23,6 +23,11 @@ Source7: nodejs_native.attr
 # Disable running gyp on bundled deps we don't use
 Patch1: nodejs-disable-gyp-deps.patch
 
+# use system certificates instead of the bundled ones
+# modified version of Debian patch:
+# http://patch-tracker.debian.org/patch/series/view/nodejs/0.10.26~dfsg1-1/2014_donotinclude_root_certs.patch
+Patch2: nodejs-use-system-certs.patch
+
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME,
 # so we need to be more explicit until spot fixes that
 %global v8_ge 1:3.14.5.7
@@ -40,6 +45,9 @@ BuildRequires: openssl-devel >= 1:1.0.1
 Requires: v8%{?_isa} >= %{v8_ge}
 Requires: v8%{?_isa} < %{v8_lt}
 
+# we need the system certificate store when Patch2 is applied
+Requires: ca-certificates
+
 #we need ABI virtual provides where SONAMEs aren't enough/not present so deps
 #break when binary compatibility is broken
 %global nodejs_abi 0.10
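Review bot: The new `Requires: ca-certificates` is the right runtime dependency, but the comment above it does not say what Patch2 actually consumes: the patch hardcodes `/etc/pki/tls/certs/ca-bundle.crt`, so if ca-certificates ever moves or renames that file node would fall back to the empty trust store and every TLS verification would fail without any packaging error. Suggest stating the path in the comment, e.g. `# Patch2 reads /etc/pki/tls/certs/ca-bundle.crt, which ca-certificates provides`, and pinning a minimum ca-certificates version if the EPEL7 package only gained that path in a particular release.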
@@ -83,10 +91,15 @@ The API documentation for the Node.js JavaScript runtime.
 
 %prep
 %setup -q -n node-v%{version}
-%patch1 -p1
 
+# remove bundled dependencies
+%patch1 -p1
 rm -rf deps
 
+# remove bundled CA certificates
+%patch2 -p1
+rm -f src/node_root_certs.h
+
 %build
 # build with debugging symbols and add defines from libuv (#892601)
 export CFLAGS='%{optflags} -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
@@ -160,6 +173,12 @@ cp -p common.gypi %{buildroot}%{_datadir}/node
 %{_defaultdocdir}/%{name}-docs-%{version}
 
 %changelog
+* Sat May 03 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 0.10.28-2
+- use the system certificate store instead of the bundled copy
+  both are based on the Mozilla CA list, so the only effect this should have is
+  making additional certificates added by the system administrator available to
+  node
+
 * Sat May 03 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 0.10.28-1
 - new upstream release 0.10.28
   There is no dfference between 0.10.27 and 0.10.28 for Fedora, as the only

