fix(tls): Optionally support loading native certs

[justinmchase]

Overview

This changes Deno to support optionally loading certificates from the users local certificate store. This will allow them to successfully connect via tls with corporate and self signed certs provided they have them installed in their keystore. It also allows them to deal with revoked certs by simply updating their keystore without having to upgrade Deno.

Potentially in the future Deno could consider modifying its default behavior to load from the certificate store but for now it is only optionally enabled by specifying it in the new flag described below.

This change also adds a new flag DENO_TLS_CA_STORE which can have the values system,mozilla and will load them in the order they are specified and defaults to mozilla. system controls loading certs from the users certificate store and mozilla controls loading the bundled mozilla certs.

Issues

Fixes #11482
Related To #10312

Testing

I have access through VPN to an internal website which is using a certificate issued by my companies internal CA. With latest Deno I am unable to access that site because the only certificate I have is installed in my system keychain by my IT department.

The app code:

const { ok, status } = await fetch('http://example-app.acme.com')
console.log(`${ok ? 'OK' : 'FAIL'} ${status}`)

To see this error I am able to run:

$ deno run --unstable -A main.ts
Check file:///Users/jchase24/code/example/main.ts
Sending fatal alert BadCertificate
error: Uncaught (in promise) TypeError: error sending request for url (https://example-app.acme.com/#undefined): error trying to connect: invalid certificate: UnknownIssuer
    at deno:core/core.js:86:46
    at unwrapOpResult (deno:core/core.js:106:13)
    at async mainFetch (deno:extensions/fetch/26_fetch.js:229:14)

Now with these changes I've run

$ cd ~/code/deno
$ cargo build

$ cd ~/code/example
$ DENO_TLS_CA_STORE=system ../deno/target/debug/deno run -A main.ts
Check file:///Users/jchase24/code/example/main.ts
OK 200

Using the flag to remove the certificate store, results in the error again (as expected)

DENO_TLS_CA_STORE=mozilla ../deno/target/debug/deno run -A main.ts
Sending fatal alert BadCertificate
error: Uncaught (in promise) TypeError: error sending request for url (https://example-app.acme.com/#undefined): error trying to connect: invalid certificate: UnknownIssuer
    at deno:core/01_core.js:106:46
    at unwrapOpResult (deno:core/01_core.js:126:13)
    at async mainFetch (deno:extensions/fetch/26_fetch.js:265:14)

[CLAassistant]

All committers have signed the CLA.

[justinmchase]

Outstanding Issues

• There should probably be one function in all of Deno for initializing the ClientBuilder and tls config
• There should be one cache for tls persistence
• Unit tests.

[lucacasonato]

There is now a lot of duplicated logic. I would suggest the following:

On ProgramState creation, create a single rustls::RootCertStore should be created containing certificates based on the user requested CA stores, and the certificate provided by --cert. This rustls::RootCertStore should then be injected into create_http_client (and deno_fetch), and all other places where we use TLS (deno_net etc).

This would also allow you to remove all the places we inject ca_data, because that would already be part of the rustls::RootCertStore.

[justinmchase]

Ok this was refactored and updated to:

1. Consolidate duplicate code up into deno_core deno_tls
2. Replace passing ca_data,ca_file with root_cert_store.
3. Default behavior is to only load the mozilla certs as it does today, the system certs are only loaded if specified via the flag.
4. Some places in code such as op_* functions can have arguments which pass certs directly in, that behavior should not have been changed and they get added to a clone of the base store per function call.
5. Some modules such as rustls were bumped up to deno_core deno_tls and are referenced directly there rather than having each other module have a duplicate dependency.

[bnoordhuis]

Drive-by review.

[bartlomieju]

@justinmchase nice work! I pointed out some nitpicks and how to solve problem with adding multiple TLS related crates to deno_core crate.

[justinmchase]

Ok thanks @bartlomieju I know how to proceed.

[justinmchase]

Ok merged with main and all PR comments addressed and two unit tests were added, which need to be reviewed.

The new tests call https://deno.land since its signed with a valid root CA covered by the mozilla certs. Arguably this is a forbidden action but I'm not sure how else to test it specifically.

These tests positively test that the mozilla certs connect to deno.land and positively test that not loading any ca certs (an empty root_cert_store) fails to connect to deno.land.

The only other test vector that isn't covered by existing tests would be to then put the right cert into the system keystore and test loading that... I don't know how to do that consistently across systems without some really complicated automation and frankly... it feels a bit tautological to test as that entire functionality exists in a different dependency we are adding which has its own testing.

I've been testing manually and can confirm that adding the new flag allows me to connect to my internal company sites successfully.

I'll leave it up to the maintainers to decide which tests are needed.

[justinmchase]

Curious... on Windows it seems to successfully make a request even without certs. Does it not have tls support by default? Or maybe its loading certs from the certificate store regardless? I'm not sure.

[bnoordhuis]

Left some comments but your PR mostly looks (very!) good.

Node supports all these use-cases via esoteric OpenSSL env vars. We can centralize and clean this up.

We'll be doing even better. Node can only use the system's openssl certificate bundle, whereas we will be able to use the native macos and windows stores.

It's an often-requested feature that never happened because openssl can't do it. Take nodejs/node#39657 - a feature request from < 24 hours ago.

[bnoordhuis]

Cloning the store every time is somewhat inefficient. On my system it copies ~200 kB of data.

It's not really a regression though because we currently copy webpki_roots::TLS_SERVER_ROOTS and that's about the same size.

Ideally, we create and cache the Arc<rustls::ClientConfig> so it can be reused instead of created anew for every connection...

...but that's something that can wait for a follow-up PR, it doesn't have to block this one.

[justinmchase]

That is why I did that, the roots were cloned before and this ended up following that pattern for better or worse.

[justinmchase]

Given how this already feels to be max size for this PR I'm happy to leave this for a future refactor.

[bartlomieju]

That's fine, but please add a TODO here so we don't forget about it :)

[ry]

If Ben and Luca are ok with this, then I have no objections. We just need to make sure this is properly documented after this patch lands.

[justinmchase]

@ry If Ben and Luca are ok with this, then I have no objections

Just to be clear by "this" I assume you mean keeping the functionality as it is in this pr right now? To have the DENO_TLS_CA_STORE with string[] arguments, not the DENO_SYSTEM_CA_STORE=1 boolean flag?

If so then this PR is ready I believe. I linted, formatted and squashed the changes in the branch as well as manually tested one more time.

[bnoordhuis]

For posterity: I don't have opinions on how this feature should be activated. Bartek or Luca are more qualified to make that call.

[bartlomieju]

@ry If Ben and Luca are ok with this, then I have no objections

Just to be clear by "this" I assume you mean keeping the functionality as it is in this pr right now? To have the DENO_TLS_CA_STORE with string[] arguments, not the DENO_SYSTEM_CA_STORE=1 boolean flag?

If so then this PR is ready I believe. I linted, formatted and squashed the changes in the branch as well as manually tested one more time.

That's right, I'll give this PR another review tonight.

Could you please open a PR in https://github.com/denoland/manual that describes this functionality? Turning Luca's comment into some kind of doc would be awesome.

[bartlomieju]

@justinmchase this PR is really well implemented, very nice work! I have only a couple minor nitpicks left and we're good to merge.

[bartlomieju]

Yikes 😬 it comes from rustls-native-certs and it doesn't seem it could be in any way skipped (no feature flags in that crate). I looked up that crate's code and it doesn't do any interaction with OpenSSL so I guess we can live with that.

[justinmchase]

Interesting, I think it does say something about it in the docs now that you mention it:

On Linux and other UNIX-like operating systems, the openssl-probe crate is used to discover the filename of the system CA bundle.

[bartlomieju]

That's fine, but please add a TODO here so we don't forget about it :)

[justinmchase]

One of the tests returned this result, I'm not sure how to run it locally to debug it. It passed in a previous iteration, so it's an interesting result. How can I tell which test is failing here exactly?

[bartlomieju]

One of the tests returned this result, I'm not sure how to run it locally to debug it. It passed in a previous iteration, so it's an interesting result. How can I tell which test is failing here exactly?

@justinmchase it looks like this error was returned when pulling code for deno_std - before any test was run - ie. when process was starting up and downloading dependencies.

[justinmchase]

Succeeded this time, I didn't change anything. Weird. 🤷

All comments have been addressed I believe. Thanks all.

[bartlomieju]

LGTM, thank you @justinmchase!