diff options
| author | Fabio Alessandrelli <fabio.alessandrelli@gmail.com> | 2023-04-13 21:17:55 +0200 |
|---|---|---|
| committer | Fabio Alessandrelli <fabio.alessandrelli@gmail.com> | 2023-05-12 09:58:23 +0200 |
| commit | 6fd99823581dd05d27a1ff773b67a8ea616993cc (patch) | |
| tree | 1baf791a581f4ce5a73433434400546b4a4051fe /modules/mbedtls | |
| parent | 4e1d5be9d33e8a14254f0ccd0910743073970413 (diff) | |
| download | redot-engine-6fd99823581dd05d27a1ff773b67a8ea616993cc.tar.gz | |
[TLS] Add support for platform-specific CA bundles.
Adds a new OS::get_system_ca_certs method which can be implemented by
platforms to retrieve the list of trusted CA certificates using OS
specific APIs.
The function should return the certificates in PEM format, and is
currently implemented for Windows/macOS/LinuxBSD(*)/Android.
mbedTLS will fall back to bundled certificates when the OS returns no
certificates.
(*) LinuxBSD does not have a standardized certificates store location.
The current implementation will test for common locations and may
return an empty string on some distributions (falling back to the
bundled certificates).
Diffstat (limited to 'modules/mbedtls')
| -rw-r--r-- | modules/mbedtls/crypto_mbedtls.cpp | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/modules/mbedtls/crypto_mbedtls.cpp b/modules/mbedtls/crypto_mbedtls.cpp index 6ae36daffe..68b213d79e 100644 --- a/modules/mbedtls/crypto_mbedtls.cpp +++ b/modules/mbedtls/crypto_mbedtls.cpp @@ -36,6 +36,7 @@ #include "core/config/project_settings.h" #include "core/io/certs_compressed.gen.h" #include "core/io/compression.h" +#include "core/os/os.h" #ifdef TOOLS_ENABLED #include "editor/editor_settings.h" @@ -337,20 +338,26 @@ void CryptoMbedTLS::load_default_certificates(String p_path) { if (!p_path.is_empty()) { // Use certs defined in project settings. default_certs->load(p_path); - } + } else { + // Try to use system certs otherwise. + String system_certs = OS::get_singleton()->get_system_ca_certificates(); + if (!system_certs.is_empty()) { + CharString cs = system_certs.utf8(); + default_certs->load_from_memory((const uint8_t *)cs.get_data(), cs.size()); + print_verbose("Loaded system CA certificates"); + } #ifdef BUILTIN_CERTS_ENABLED - else { - // Use builtin certs only if user did not override it in project settings. - PackedByteArray out; - out.resize(_certs_uncompressed_size + 1); - Compression::decompress(out.ptrw(), _certs_uncompressed_size, _certs_compressed, _certs_compressed_size, Compression::MODE_DEFLATE); - out.write[_certs_uncompressed_size] = 0; // Make sure it ends with string terminator -#ifdef DEBUG_ENABLED - print_verbose("Loaded builtin certs"); + else { + // Use builtin certs if there are no system certs. + PackedByteArray certs; + certs.resize(_certs_uncompressed_size + 1); + Compression::decompress(certs.ptrw(), _certs_uncompressed_size, _certs_compressed, _certs_compressed_size, Compression::MODE_DEFLATE); + certs.write[_certs_uncompressed_size] = 0; // Make sure it ends with string terminator + default_certs->load_from_memory(certs.ptr(), certs.size()); + print_verbose("Loaded builtin CA certificates"); + } #endif - default_certs->load_from_memory(out.ptr(), out.size()); } -#endif } Ref<CryptoKey> CryptoMbedTLS::generate_rsa(int p_bytes) { |