From 7ca001799d8edb754f248e1bc0ad988264ce99b5 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg
Date: Thu, 18 Nov 2021 09:20:26 +0100
Subject: [PATCH] Make available the CA certificates via separate package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is useful in situations where you don’t want to *use* the CA certificates in your program, but just *copy* (or embed) the CA certificates elsewhere. Specifically, we’d like to use this in: https://github.com/gokrazy/gokrazy/issues/98
---
 data.go => embedded/data.go | 2 +-
 embedded/embedded.go | 12 ++++++++++++
 generate_data.go | 5 +++--
 rootcerts.go | 5 +++--
 4 files changed, 19 insertions(+), 5 deletions(-)
 rename data.go => embedded/data.go (99%)
 create mode 100644 embedded/embedded.go

diff --git a/data.go b/embedded/data.go
similarity index 99%
rename from data.go
rename to embedded/data.go
index a2665a5..eb16821 100644
--- a/data.go
+++ b/embedded/data.go
@@ -6,7 +6,7 @@
 // Use of these certificates is governed by Mozilla Public License 2.0
 // that can be found in the LICENSE.certificates file.
 
-package rootcerts
+package embedded
 
 const data = `-----BEGIN CERTIFICATE-----
 MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
diff --git a/embedded/embedded.go b/embedded/embedded.go
new file mode 100644
index 0000000..ff605df
--- /dev/null
+++ b/embedded/embedded.go
@@ -0,0 +1,12 @@
+// Package embedded makes available the "Mozilla Included CA Certificate List"
+// without any side-effects (unlike package rootcerts).
+package embedded
+
+// MozillaCACertificatesPEM returns "Mozilla Included CA Certificate List"
+// (https://wiki.mozilla.org/CA/Included_Certificates) in PEM format.
+//
+// Use of these certificates is governed by Mozilla Public License 2.0
+// that can be found in the LICENSE.certificates file.
+func MozillaCACertificatesPEM() string {
+	return data
+}
diff --git a/generate_data.go b/generate_data.go
index d532c2f..540fca9 100644
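Review bot: The doc comment on MozillaCACertificatesPEM in embedded/embedded.go does not say that the returned bundle is a snapshot, which matters for exactly the copy/embed use case the commit description gives: a consumer that copies the PEM elsewhere inherits whatever embedded/data.go contained when this module version was generated, including roots Mozilla may since have removed or distrusted, and gains nothing newer until the module is updated and the file regenerated. Suggest adding to the comment `// The list is a snapshot taken when embedded/data.go was last regenerated by generate_data.go; consumers that copy or embed it elsewhere need to track module updates to pick up additions and removals.` The package comment's "without any side-effects" claim matches what is visible here (one constant and one accessor, no init), so that part reads fine.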
--- a/generate_data.go
+++ b/generate_data.go
@@ -1,3 +1,4 @@
+//go:build ignore
 // +build ignore
 
 // This program generates data.go from Mozilla Included CA Certificate List.
@@ -25,7 +26,7 @@ const header = `// Code generated by generate_data. DO NOT EDIT.
 // Use of these certificates is governed by Mozilla Public License 2.0
 // that can be found in the LICENSE.certificates file.
 
-package rootcerts
+package embedded
 
 const data = `
@@ -43,7 +44,7 @@ func main() {
 
 	data = bytes.ReplaceAll(data, []byte("\r"), []byte{})
 
-	of, err := os.Create("data.go")
+	of, err := os.Create("embedded/data.go")
 	if err != nil {
 		fail("error creating data.go: %v", err)
 	}
diff --git a/rootcerts.go b/rootcerts.go
index 923962c..f6323c3 100644
--- a/rootcerts.go
+++ b/rootcerts.go
@@ -26,6 +26,8 @@ import (
 	"crypto/x509"
 	"os"
 	_ "unsafe" // for go:linkname
+
+	"github.com/breml/rootcerts/embedded"
 )
 
 const forceEnableEnvVar = "GO_ROOTCERTS_ENABLE"
@@ -42,7 +44,6 @@ func init() {
 	}
 
 	roots := x509.NewCertPool()
-	d := data
-	roots.AppendCertsFromPEM([]byte(d))
+	roots.AppendCertsFromPEM([]byte(embedded.MozillaCACertificatesPEM()))
 	systemRoots = roots
 }
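Review bot: The leading comment in the first generate_data.go hunk, `// This program generates data.go from Mozilla Included CA Certificate List.`, still names the old output path even though the third hunk now writes `embedded/data.go`; the error message in that third hunk, `fail("error creating data.go: %v", err)`, is stale in the same way. Suggest `// This program generates embedded/data.go from Mozilla Included CA Certificate List.` and `fail("error creating embedded/data.go: %v", err)`. Since the new path is relative, the generator presumably has to be run from the module root (where the `embedded` directory exists) — worth a sentence in that comment if so. The main function in the third hunk starts and ends outside the hunk.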
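Review bot: The new `roots.AppendCertsFromPEM(...)` line in the rootcerts.go init hunk discards the bool result, so if the embedded bundle ever fails to parse (a bad regeneration, a corrupted data.go) systemRoots is silently set to an empty pool and every verification through this package fails with no indication of why. The discard predates this commit, but the line is being rewritten anyway, so it is a good moment to make the failure loud: `if !roots.AppendCertsFromPEM([]byte(embedded.MozillaCACertificatesPEM())) { panic("rootcerts: embedded CA bundle contains no parseable certificates") }` — a panic seems acceptable here since an unparseable generated constant is a build defect rather than a runtime condition, though the package may prefer its own error path. The init function starts outside the hunk.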