jruby · headius · Sep 29, 2012 · Sep 10, 2012
diff --git a/src/org/jruby/ext/openssl/X509Store.java b/src/org/jruby/ext/openssl/X509Store.java
@@ -156,11 +156,7 @@ public IRubyObject add_file(IRubyObject arg) {
     @JRubyMethod
     public IRubyObject set_default_paths() {
         try {
-            RubyHash env = (RubyHash)getRuntime().getObject().fastGetConstant("ENV");
+            store.setDefaultPaths();
-            String file = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
-            store.loadLocations(file, null);
-            String path = (String)env.get(getRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
-            store.loadLocations(null, path);
         }
         catch(Exception e) {
             raise("setting default path failed: " + e.getMessage());

diff --git a/src/org/jruby/ext/openssl/x509store/Lookup.java b/src/org/jruby/ext/openssl/x509store/Lookup.java
@@ -46,12 +46,17 @@
 import java.util.Iterator;
 import java.util.List;
 import org.jruby.Ruby;
+import org.jruby.RubyHash;
 import org.jruby.util.io.ChannelDescriptor;
 import org.jruby.util.io.ChannelStream;
 import org.jruby.util.io.FileExistsException;
 import org.jruby.util.io.InvalidValueException;
 import org.jruby.util.io.ModeFlags;
 
+import java.security.KeyStore;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+
 /**
  * X509_LOOKUP
  *
@@ -264,6 +269,31 @@ public int loadCertificateOrCRLFile(String file, int type) throws Exception {
         return count; 
     }
 
+    public int loadDefaultJavaCACertsFile() throws Exception {
+        int count = 0;
+        String certsFile = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
+        FileInputStream fin = new FileInputStream(certsFile);
+        try {
+            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+            // we pass a null password, as the cacerts file isn't password protected
+            keystore.load(fin, null);
+            PKIXParameters params = new PKIXParameters(keystore);
+            for(TrustAnchor trustAnchor : params.getTrustAnchors()) {
+                X509Certificate certificate = trustAnchor.getTrustedCert();
+                store.addCertificate(certificate);
+                count++;
+            }    
+        } finally {
+            if (fin != null) {
+                try {
+                    fin.close();
+                } catch (Exception ignored) {
+                }
+            }
+        }
+        return count;
+    }
+
     private InputStream wrapJRubyNormalizedInputStream(String file) throws IOException {
         Ruby runtime = Ruby.getGlobalRuntime();
         try {
@@ -398,13 +428,14 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
             case X509Utils.X509_L_FILE_LOAD:
                 if (argl == X509Utils.X509_FILETYPE_DEFAULT) {
                     try {
-                        file = System.getenv(X509Utils.getDefaultCertificateFileEnvironment());
+                        RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+                        file = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateFileEnvironment()));
                     } catch (Error error) {
                     }
                     if (file != null) {
                         ok = ctx.loadCertificateOrCRLFile(file, X509Utils.X509_FILETYPE_PEM) != 0 ? 1 : 0;
                     } else {
-                        ok = (ctx.loadCertificateOrCRLFile(X509Utils.getDefaultCertificateFile(), X509Utils.X509_FILETYPE_PEM) != 0) ? 1 : 0;
+                        ok = (ctx.loadDefaultJavaCACertsFile() != 0) ? 1: 0;
                     }
                     if (ok == 0) {
                         X509Error.addError(X509Utils.X509_R_LOADING_DEFAULTS);
@@ -475,7 +506,8 @@ public int call(Object _ctx, Object _cmd, Object _argp, Object _argl, Object _re
             case X509Utils.X509_L_ADD_DIR:
                 if(argl == X509Utils.X509_FILETYPE_DEFAULT) {
                     try {
-                        dir = System.getenv(X509Utils.getDefaultCertificateDirectoryEnvironment());
+                        RubyHash env = (RubyHash)Ruby.getGlobalRuntime().getObject().fastGetConstant("ENV");
+                        dir = (String)env.get(Ruby.getGlobalRuntime().newString(X509Utils.getDefaultCertificateDirectoryEnvironment()));
                     } catch (Error error) {
                     }
                     if(null != dir) {

diff --git a/src/org/jruby/ext/openssl/x509store/Store.java b/src/org/jruby/ext/openssl/x509store/Store.java
@@ -325,9 +325,7 @@ public int loadLocations(String file, String path) throws Exception {
 
     /**
      * c: X509_STORE_set_default_paths
-     * not used for now: invoking this method causes refering System.getenv("SSL_CERT_DIR") etc.
+     */     
-     * We need to get the dir via evaluating "ENV['SSL_CERT_DIR']" instead of it.
-     */
     public int setDefaultPaths() throws Exception { 
         Lookup lookup;