BACKPORT: Merge system certificate pool with custom certificates
Upstream reference: moby#27918
Upstream reference: moby#12756

Signed-off-by: Antonio Murdaca <[email protected]>
runcom committed Dec 16, 2016
1 parent e772208 commit 91633b5
Showing 6 changed files with 48 additions and 138 deletions.
133 changes: 0 additions & 133 deletions pkg/tlsconfig/config.go

This file was deleted.

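--- a/registry/registry.go
+++ b/registry/registry.go
@@ -3,7 +3,6 @@ package registry
 
 import (
 "crypto/tls"
-"crypto/x509"
 "errors"
 "fmt"
 "io/ioutil"
@@ -64,8 +63,11 @@ func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
 for _, f := range fs {
 if strings.HasSuffix(f.Name(), ".crt") {
 if tlsConfig.RootCAs == nil {
-// TODO(dmcgowan): Copy system pool
-tlsConfig.RootCAs = x509.NewCertPool()
+systemPool, err := tlsconfig.SystemCertPool()
+if err != nil {
+return fmt.Errorf("unable to get system cert pool: %v", err)
+}
+tlsConfig.RootCAs = systemPool
 }
 logrus.Debugf("crt: %s", filepath.Join(directory, f.Name()))
 data, err := ioutil.ReadFile(filepath.Join(directory, f.Name()))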
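Review bot: The new error path in ReadCertsDirectory makes per-registry .crt files depend on the host trust store: if tlsconfig.SystemCertPool returns an error on a non-Windows host (as far as I can tell x509.SystemCertPool does so when no system root files are readable), the directory's certificates are now rejected outright, whereas before they were loaded into a fresh empty pool. If that is the intended contract, say so next to the call, e.g. `// Custom CAs extend the system pool; a host without readable system roots is treated as a configuration error.`; if not, the non-Windows failure should fall back to an empty pool plus a warning the way the Windows branch of SystemCertPool already does, which would mean keeping the x509 import this hunk removes. The inner err is scoped to the if block, so it does not collide with the ReadFile err below. ReadCertsDirectory continues outside the hunk.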
@@ -0,0 +1,21 @@
// +build go1.7

package tlsconfig

import (
"crypto/x509"
"runtime"

"github.com/Sirupsen/logrus"
)

// SystemCertPool returns a copy of the system cert pool,
// returns an error if failed to load or empty pool on windows.
func SystemCertPool() (*x509.CertPool, error) {
certpool, err := x509.SystemCertPool()
if err != nil && runtime.GOOS == "windows" {
logrus.Warnf("Unable to use system certificate pool: %v", err)
return x509.NewCertPool(), nil
}
return certpool, err
}
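Review bot: SystemCertPool logs the warning and drops the error on every call, so each caller that reaches the Windows branch (ReadCertsDirectory per certificate directory, certPool per CA file) repeats the same log line; a package-level sync.Once around the load would reduce it to one message, though that is a nicety rather than a defect. The doc comment is also ambiguous about which case returns an error and which returns the empty pool; suggest `// SystemCertPool returns a copy of the system cert pool. On Windows, where the system roots are not available to x509.SystemCertPool, it logs a warning and returns an empty pool with a nil error; on other platforms a load failure is returned to the caller.` It would help to add that a caller assigning the returned (non-nil) pool to tls.Config.RootCAs on Windows then trusts only the certificates it appends itself, since Go consults the Windows store only when RootCAs is nil, as I understand it. The same per-call warning applies to the !go1.7 variant in the next file.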
@@ -0,0 +1,16 @@
// +build !go1.7

package tlsconfig

import (
"crypto/x509"

"github.com/Sirupsen/logrus"
)

// SystemCertPool returns an new empty cert pool,
// accessing system cert pool is supported in go 1.7
func SystemCertPool() (*x509.CertPool, error) {
logrus.Warn("Unable to use system certificate pool: requires building with go 1.7 or later")
return x509.NewCertPool(), nil
}
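Review bot: The doc comment on this build-tagged SystemCertPool has a typo ("an new") and does not say what a caller ends up trusting. Suggest `// SystemCertPool returns a new, empty cert pool: accessing the system cert pool requires Go 1.7 or later, so callers that append their own CAs to it trust only those.` The warning at the top of the function is emitted on every call; if that is acceptable for pre-1.7 builds, a short comment saying so would stop the next reader from reaching for sync.Once.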
Expand Up @@ -65,9 +65,13 @@ var ClientDefault = tls.Config{
func certPool(caFile string) (*x509.CertPool, error) {
// If we should verify the server, we need to load a trusted ca
certPool := x509.NewCertPool()
certPool, err := SystemCertPool()
if err != nil {
return nil, fmt.Errorf("failed to read system certificates: %v", err)
}
pem, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, fmt.Errorf("Could not read CA certificate %q: %v", caFile, err)
return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
}
if !certPool.AppendCertsFromPEM(pem) {
return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
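Review bot: certPool now seeds its result from SystemCertPool before appending caFile, so a CA file passed through this path trusts every system root plus the private CA instead of that CA alone; that is the intent of the backport, but the surviving comment `// If we should verify the server, we need to load a trusted ca` no longer describes it. Suggest replacing that line with `// Start from the system trust store and add the caller's CA on top; caFile extends rather than replaces system trust.` so callers who relied on the CA file as a pin can see the change. On Windows and pre-1.7 builds SystemCertPool returns an empty pool with a nil error, so there the behavior is unchanged from the old x509.NewCertPool start; that difference is worth a sentence in the same comment. The local `certPool` shadowing the function name predates this change but reads worse now that the initializer is a function call, and the function continues past the hunk.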
Expand Up @@ -6,7 +6,7 @@ import (
"github.com/BurntSushi/toml"
log "github.com/Sirupsen/logrus"
"github.com/docker/docker/pkg/discovery"
"github.com/docker/docker/pkg/tlsconfig"
"github.com/docker/go-connections/tlsconfig"
"github.com/docker/libkv/store"
"github.com/docker/libnetwork/cluster"
"github.com/docker/libnetwork/datastore"
