Use OS-provided trusted root certs on Linux

Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags --root-certs-file and
--root-certs-cache.

R=asiva@google.com

Committed: https://github.com/dart-lang/sdk/commit/139db22be5f515b49270f6eae80ff7ecbfab1620

[zra, 2016-09-15 18:12:53]

Description was changed from

==========
Use OS-provided trusted root certs on Linux
==========

to

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags ----root-certs-file and
--root-certs-cache.
==========

[zra, 2016-09-15 18:14:42]

zra@google.com changed reviewers:
+ asiva@google.com, whesse@google.com

[P.Y.L., 2016-09-15 18:24:05]

pylaligand@google.com changed reviewers:
+ pylaligand@google.com

[P.Y.L., 2016-09-15 18:24:06]

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
File runtime/bin/secure_socket_boringssl.cc (right):

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:856: // First, ry to use locations
specified on the command line.
try*

[P.Y.L., 2016-09-15 18:41:48]

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
File runtime/bin/secure_socket_boringssl.cc (right):

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:797: static void
AddCompiledInCerts(SSLContext* context) {
Now that compiled-in certs are a fallback, you might want to change the guards
in root_certificates_unsupported.cc to allow builds with secure socket support
but without this fallback. I think that's what we'd want to use for Fuchsia
host.

[zra, 2016-09-15 19:15:44]

Description was changed from

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags ----root-certs-file and
--root-certs-cache.
==========

to

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags --root-certs-file and
--root-certs-cache.
==========

[zra, 2016-09-15 19:15:44]

Description was changed from

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags ----root-certs-file and
--root-certs-cache.
==========

to

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags --root-certs-file and
--root-certs-cache.
==========

[zra, 2016-09-15 19:18:23]

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
File runtime/bin/secure_socket_boringssl.cc (right):

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:797: static void
AddCompiledInCerts(SSLContext* context) {
On 2016/09/15 18:41:48, P.Y.L. wrote:
> Now that compiled-in certs are a fallback, you might want to change the guards
> in root_certificates_unsupported.cc to allow builds with secure socket support
> but without this fallback. I think that's what we'd want to use for Fuchsia
> host.

I've changed root_certificates_unsupported.cc so that if you define
DART_IO_ROOT_CERTS_DISABLED and don't build in
third_party/root_certificates/root_certificates.cc it should work.

https://codereview.chromium.org/2346683003/diff/20001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:856: // First, ry to use locations
specified on the command line.
On 2016/09/15 18:24:05, P.Y.L. wrote:
> try*

Done.

[siva, 2016-09-16 01:27:12]

LGTM with some comments.

https://codereview.chromium.org/2346683003/diff/60001/CHANGELOG.md
File CHANGELOG.md (right):

https://codereview.chromium.org/2346683003/diff/60001/CHANGELOG.md#newcode16
CHANGELOG.md:16: --root-certs-file and --root-certs-cache.
Should some documentation about these options be added here?

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/main.cc
File runtime/bin/main.cc (right):

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/main.cc#new...
runtime/bin/main.cc:565: #endif  // !defined(TARGET_OS_MACOS)
Do these options have to be added to PrintUsage() so that some kind of help will
be available.

Is this to be supported for windows too?

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/secure_sock...
File runtime/bin/secure_socket_boringssl.cc (right):

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:852: }
These functions are not used under TARGET_OS_MACOS so should
this code be guarded under #if defined(TARGET_OS_MACOS) ... #endif

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:868: }
These command lines are not supported under TARGET_OS_MACOS so should
this code be guarded under #if defined(TARGET_OS_MACOS) ... #endif

[zra, 2016-09-16 16:08:02]

https://codereview.chromium.org/2346683003/diff/60001/CHANGELOG.md
File CHANGELOG.md (right):

https://codereview.chromium.org/2346683003/diff/60001/CHANGELOG.md#newcode16
CHANGELOG.md:16: --root-certs-file and --root-certs-cache.
On 2016/09/16 01:27:12, siva wrote:
> Should some documentation about these options be added here?

Done.

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/main.cc
File runtime/bin/main.cc (right):

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/main.cc#new...
runtime/bin/main.cc:565: #endif  // !defined(TARGET_OS_MACOS)
On 2016/09/16 01:27:12, siva wrote:
> Do these options have to be added to PrintUsage() so that some kind of help
will
> be available.

Done

> Is this to be supported for windows too?

Yes, it should work on Windows too since Windows also uses boringssl.

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/secure_sock...
File runtime/bin/secure_socket_boringssl.cc (right):

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:852: }
On 2016/09/16 01:27:12, siva wrote:
> These functions are not used under TARGET_OS_MACOS so should
> this code be guarded under #if defined(TARGET_OS_MACOS) ... #endif

On Mac and iOS we use the SecureTransport API from secure_socket_macos.cc and
secure_socket_ios.cc, so this whole file is already not included in the Mac and
iOS builds.

https://codereview.chromium.org/2346683003/diff/60001/runtime/bin/secure_sock...
runtime/bin/secure_socket_boringssl.cc:868: }
On 2016/09/16 01:27:12, siva wrote:
> These command lines are not supported under TARGET_OS_MACOS so should
> this code be guarded under #if defined(TARGET_OS_MACOS) ... #endif

Ditto

[zra, 2016-09-16 16:08:54]

Description was changed from

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags --root-certs-file and
--root-certs-cache.
==========

to

==========
Use OS-provided trusted root certs on Linux

First, the look for trusted root certificates
in standard locations on the file system
(/etc/pki/tls/certs/ca-bundle.crt followed by
/etc/ssl/certs), and only if these do not exist
will we fall back on the compiled-in trusted root
certificates. This behavior can be overridden
with the new flags --root-certs-file and
--root-certs-cache.

R=asiva@google.com

Committed:
https://github.com/dart-lang/sdk/commit/139db22be5f515b49270f6eae80ff7ecbfab1620
==========

[zra, 2016-09-16 16:08:55]

Committed patchset #5 (id:80001) manually as
139db22be5f515b49270f6eae80ff7ecbfab1620 (presubmit successful).