Use 'cert.install' instead of passing in root certificates. (#1116)

Co-authored-by: Kasper Lund <[email protected]>
toitware · Jun 24, 2024 · 56576ba · 56576ba
1 parent a0072eb
commit 56576ba
Show file tree

Hide file tree

Showing 9 changed files with 44 additions and 18 deletions.
diff --git a/src/cli/brokers/http/base.toit b/src/cli/brokers/http/base.toit
@@ -28,6 +28,7 @@ class BrokerCliHttp implements BrokerCli:
   client_/http.Client? := null
 
   constructor .server-config_ --.id:
+    server-config_.install-root-certificates
     network_ = net.open
     add-finalizer this:: close
 
@@ -127,13 +128,8 @@ class BrokerCliHttp implements BrokerCli:
 
   send-request_ encoded/ByteArray -> http.Response:
     if not client_:
-      root-names := server-config_.root-certificate-names
-      if root-names:
-        root-certificates := root-names.map:
-          der/tls.RootCertificate := certificate-roots.MAP[it]
-          x509.Certificate.parse der.raw
+      if server-config_.root-certificate-names:
         client_ = http.Client.tls network_
-            --root-certificates=root-certificates
       else:
         client_ = http.Client network_
 

diff --git a/src/cli/cli.toit b/src/cli/cli.toit
@@ -1,5 +1,6 @@
 // Copyright (C) 2022 Toitware ApS. All rights reserved.
 
+import certificate-roots
 import cli
 
 import .cache
@@ -75,6 +76,8 @@ main args:
   main args --config=config --cache=cache --ui=ui
 
 main args --config/Config --cache/Cache --ui/Ui:
+  certificate-roots.install-all-trusted-roots
+
   // We don't want to add a `--version` option to the root command,
   // as that would make the option available to all subcommands.
   // Fundamentally, getting the version isn't really an option, but a

diff --git a/src/cli/utils/utils.toit b/src/cli/utils/utils.toit
@@ -1,6 +1,5 @@
 // Copyright (C) 2023 Toitware ApS. All rights reserved.
 
-import certificate-roots
 import cli
 import encoding.base64
 import encoding.json
@@ -110,7 +109,6 @@ download-url url/string --out-path/string --ui/Ui -> none:
   network := net.open
   try:
     client := http.Client.tls network
-        --root-certificates=certificate-roots.ALL
 
     response := client.get --uri=url
     if response.status-code != http.STATUS-OK:

diff --git a/src/service/brokers/broker.toit b/src/service/brokers/broker.toit
@@ -75,13 +75,12 @@ interface BrokerService:
       if colon-pos >= 0:
         port = int.parse host[colon-pos + 1..]
         host = host[..colon-pos]
-      // TODO(florian): get the path from the config.
       der := supabase-config.root-certificate-der
       http-config := ServerConfigHttp
           server-config.name
           --host=host
           --port=port
-          --path="/functions/v1/b"
+          --path="/functions/v1/b"  // TODO(florian): get the path from the config.
           --poll-interval=supabase-config.poll-interval
           --root-certificate-names=null
           --root-certificate-ders=der ? [der] : null

diff --git a/src/service/brokers/http/connection.toit b/src/service/brokers/http/connection.toit
@@ -1,10 +1,10 @@
 // Copyright (C) 2022 Toitware ApS. All rights reserved.
 
+import certificate-roots
 import encoding.json
 import encoding.base64
 import http
 import net
-import net.x509
 import reader show Reader
 import system.storage
 import certificate-roots
@@ -14,12 +14,13 @@ class HttpConnection_:
   client_/http.Client? := null
   config_/ServerConfigHttp
   network_/net.Interface
-  root-certificates_/List? := null
+  static certificates-are-installed_/bool := false
 
   constructor .network_ .config_:
-    if config_.root-certificate-ders:
-      root-certificates_ = config_.root-certificate-ders.map:
-        x509.Certificate.parse it
+    if not certificates-are-installed_:
+      certificate-roots.install-common-trusted-roots
+      certificates-are-installed_ = true
+    config_.install-root-certificates
     create-fresh-client_
 
   create-fresh-client_ -> none:
@@ -28,9 +29,7 @@ class HttpConnection_:
       client_ = null
 
     if config_.root-certificate-ders:
-      client_ = http.Client.tls network_
-          --root-certificates=root-certificates_
-          --security-store=HttpSecurityStore_
+      client_ = http.Client.tls network_ --security-store=HttpSecurityStore_
     else:
       client_ = http.Client network_
 

diff --git a/src/shared/server-config.toit b/src/shared/server-config.toit
@@ -3,11 +3,13 @@
 import crypto.sha1
 import encoding.base64
 import supabase
+import tls
 
 abstract class ServerConfig:
   name/string
 
   cache-key_/string? := null
+  ders-already-installed_/bool := false
 
   constructor.from-sub_ .name:
 
@@ -58,6 +60,11 @@ abstract class ServerConfig:
   */
   abstract to-service-json [--der-serializer] -> Map
 
+  /**
+  A list of DER certificates that are required for this broker to work.
+  */
+  abstract root-certificate-ders -> List?
+
   /**
   Computes a unique key that can be used for caching.
   */
@@ -71,6 +78,18 @@ abstract class ServerConfig:
       cache-key_ = base64.encode --url-mode (sha1.sha1 compute-cache-key_)
     return cache-key_
 
+  /**
+  Installs the DER certificates if they exist and if they aren't already installed.
+  */
+  install-root-certificates -> none:
+    if ders-already-installed_: return
+    ders-already-installed_ = true
+    ders := root-certificate-ders
+    if ders:
+      ders.do: | der/ByteArray |
+        certificate := tls.RootCertificate der
+        certificate.install
+
 class ServerConfigSupabase extends ServerConfig implements supabase.ServerConfig:
   static DEFAULT-POLL-INTERVAL ::= Duration --s=20
 
@@ -153,6 +172,9 @@ class ServerConfigSupabase extends ServerConfig implements supabase.ServerConfig
   to-service-json [--der-serializer] -> Map:
     return to-json --der-serializer=der-serializer
 
+  root-certificate-ders -> List?:
+    return root-certificate-der and [root-certificate-der]
+
   compute-cache-key_ -> string:
     return host
 

diff --git a/tools/service_image_uploader/downloader.toit b/tools/service_image_uploader/downloader.toit
@@ -3,6 +3,7 @@
 // Copyright (C) 2023 Toitware ApS. All rights reserved.
 
 import ar
+import certificate-roots
 import cli
 import io
 // TODO(florian): these should come from the cli package.
@@ -30,6 +31,8 @@ main args:
   main --config=config --cache=cache --ui=ui args
 
 main --config/cli.Config --cache/cli.Cache --ui/Ui args:
+  certificate-roots.install-all-trusted-roots
+
   cmd := cli.Command "downloader"
       --help="""
         Downloads snapshots from the Artemis server and stores them in the Jaguar cache.

diff --git a/tools/service_image_uploader/sdk-downloader.toit b/tools/service_image_uploader/sdk-downloader.toit
@@ -2,6 +2,7 @@
 
 // Copyright (C) 2023 Toitware ApS. All rights reserved.
 
+import certificate-roots
 import cli
 import log
 // TODO(florian): these should come from the cli package.
@@ -30,6 +31,8 @@ main args:
   main --config=config --cache=cache --ui=ui args
 
 main --config/cli.Config --cache/cli.Cache --ui/ui.Ui args:
+  certificate-roots.install-all-trusted-roots
+
   cmd := cli.Command "sdk downloader"
       --help="Downloads SDKs and envelopes into the cache."
       --options=[

diff --git a/tools/service_image_uploader/uploader.toit b/tools/service_image_uploader/uploader.toit
@@ -3,6 +3,7 @@
 // Copyright (C) 2023 Toitware ApS. All rights reserved.
 
 import ar
+import certificate-roots
 import cli
 import encoding.url as url-encoding
 
@@ -40,6 +41,8 @@ main args:
   main --config=config --cache=cache --ui=ui args
 
 main --config/cli.Config --cache/cli.Cache --ui/ui.Ui args:
+  certificate-roots.install-all-trusted-roots
+
   cmd := cli.Command "uploader"
       --help="""
         Administrative tool to upload CLI snapshots and Artemis service