Merge pull request #61 from jruby/paths

mkristian · mkristian · commit d717926a8af2 · 2015-08-11T16:07:21.000+02:00
keep trusted certificate stores in line with MRI if possible
diff --git a/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java b/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
@@ -28,6 +28,7 @@
 package org.jruby.ext.openssl.x509store;
 
 
+import java.io.File;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.util.Arrays;
@@ -292,13 +293,48 @@ else if ( keyUsage != null && ! keyUsage[5] ) { // KU_KEY_CERT_SIGN
     public static final String X509_PRIVATE_DIR;
 
     static {
-        OPENSSLDIR = "/usr/local/openssl"; // NOTE: blindly follow?!
+        // roughly following the ideas from https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+        // and falling back to trust store from java to be on the save side 
+        
         // TODO usability in limited environments should be tested/reviewed
         final String JAVA_HOME = SafePropertyAccessor.getProperty("java.home", "");
-        X509_CERT_AREA = JAVA_HOME + "/lib/security";
-        X509_CERT_DIR = X509_CERT_AREA;
-        X509_CERT_FILE = X509_CERT_DIR + "/cacerts";
-        X509_PRIVATE_DIR = "/usr/lib/ssl/private"; // NOTE: blindly follow?!
+
+        // if the default files/dirs exist we use them. with this a switch
+        // from MRI to JRuby produces the same results. otherwise we use the
+        // certs from JAVA_HOME.
+        final String MAYBE_CERT_FILE;
+        final String LINUX_CERT_AREA = "/etc/ssl";
+        final String MACOS_CERT_AREA = "/System/Library/OpenSSL";
+        final String MAYBE_PKI_CERT_FILE = "/etc/pki/tls/certs/ca-bundle.crt";
+        if (new File(LINUX_CERT_AREA).exists()) {
+            X509_CERT_AREA = LINUX_CERT_AREA;
+            X509_CERT_DIR = X509_CERT_AREA + "/certs";
+            X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
+            MAYBE_CERT_FILE = X509_CERT_DIR + "/cert.pem";
+        }
+        else if (new File(MACOS_CERT_AREA).exists()) {
+            X509_CERT_AREA = MACOS_CERT_AREA;
+            X509_CERT_DIR = X509_CERT_AREA + "/certs";
+            X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
+            MAYBE_CERT_FILE = X509_CERT_AREA + "/cert.pem";
+        }
+        else {
+            X509_CERT_AREA = JAVA_HOME + "/lib/security";
+            X509_CERT_DIR = X509_CERT_AREA;
+            X509_PRIVATE_DIR = X509_CERT_AREA;
+            MAYBE_CERT_FILE = MAYBE_PKI_CERT_FILE;
+        }
+        if (new File(MAYBE_PKI_CERT_FILE).exists()) {
+            X509_CERT_FILE = MAYBE_PKI_CERT_FILE;
+        }
+        else if (new File(MAYBE_CERT_FILE).exists()) {
+            X509_CERT_FILE = MAYBE_CERT_FILE;
+        }
+        else {
+            X509_CERT_FILE = JAVA_HOME + "/lib/security/cacerts";
+        }
+        // keep it with some meaninful content as it is a public constant
+        OPENSSLDIR = X509_CERT_AREA;
     }
 
     public static final String X509_CERT_DIR_EVP = "SSL_CERT_DIR";
