From ffd600a7f54f8f22687ac83285a37c76e98cb79e Mon Sep 17 00:00:00 2001
From: Andrew Kaster
Date: Sun, 6 Jul 2025 09:11:28 -0600
Subject: [PATCH] Meta+RequestServer: Remove local download of ca-certificates

We haven't required a local copy of the ca-certificates since switching to OpenSSL as the backend for TLS. Remove the script to download the PEM file, and update the tests to use the system's CA certificates.
---
 Meta/CMake/ca_certificates_data.cmake | 28 -------------------
 Meta/CMake/common_options.cmake | 2 --
 Meta/Lagom/CMakeLists.txt | 1 -
 Meta/WPT.sh | 1 -
 Meta/gn/secondary/Ladybird/BUILD.gn | 16 ----------
 .../Userland/Libraries/LibTLS/BUILD.gn | 24 ----------------
 Services/RequestServer/main.cpp | 14 ++--------
 Tests/LibDNS/TestDNSResolver.cpp | 17 +----------
 Tests/LibTLS/TestTLSHandshake.cpp | 17 +----------
 UI/cmake/AndroidExtras.cmake | 6 ----
 UI/cmake/ResourceFiles.cmake | 10 -------
 Utilities/dns.cpp | 5 ++--
 12 files changed, 7 insertions(+), 134 deletions(-)
 delete mode 100644 Meta/CMake/ca_certificates_data.cmake

diff --git a/Meta/CMake/ca_certificates_data.cmake b/Meta/CMake/ca_certificates_data.cmake
deleted file mode 100644
index 99d44772b8b..00000000000
--- a/Meta/CMake/ca_certificates_data.cmake
+++ /dev/null
@@ -1,28 +0,0 @@
-include(${CMAKE_CURRENT_LIST_DIR}/utils.cmake)
-
-set(CACERT_VERSION "2025-05-20")
-set(CACERT_SHA256 "ab3ee3651977a4178a702b0b828a4ee7b2bbb9127235b0ab740e2e15974bf5db")
-
-set(CACERT_PATH "${LADYBIRD_CACHE_DIR}/CACERT" CACHE PATH "Download location for cacert.pem")
-set(CACERT_VERSION_FILE "${CACERT_PATH}/version.txt")
-
-set(CACERT_FILE cacert-${CACERT_VERSION}.pem)
-set(CACERT_URL https://curl.se/ca/${CACERT_FILE})
-set(CACERT_INSTALL_FILE cacert.pem)
-
-if (ENABLE_CACERT_DOWNLOAD)
- remove_path_if_version_changed("${CACERT_VERSION}" "${CACERT_VERSION_FILE}" "${CACERT_PATH}")
-
- if (ENABLE_NETWORK_DOWNLOADS)
- download_file("${CACERT_URL}" "${CACERT_PATH}/${CACERT_FILE}" SHA256 "${CACERT_SHA256}")
- else()
- message(STATUS "Skipping download of ${CACERT_URL}, expecting it to have been downloaded to ${CACERT_PATH}")
- endif()
-
- if (NOT "${CMAKE_STAGING_PREFIX}" STREQUAL "")
- set(CACERT_INSTALL_PATH ${CMAKE_STAGING_PREFIX}/etc/${CACERT_INSTALL_FILE})
- else()
- set(CACERT_INSTALL_PATH ${CMAKE_CURRENT_BINARY_DIR}/${CACERT_INSTALL_FILE})
- endif()
- configure_file(${CACERT_PATH}/${CACERT_FILE} ${CACERT_INSTALL_PATH} COPYONLY)
-endif()
diff --git a/Meta/CMake/common_options.cmake b/Meta/CMake/common_options.cmake
index 9f1cb1533b4..f2735feded2 100644
--- a/Meta/CMake/common_options.cmake
+++ b/Meta/CMake/common_options.cmake
@@ -25,8 +25,6 @@ ladybird_option(ENABLE_ALL_DEBUG_FACILITIES OFF CACHE BOOL "Enable all noisy deb
 ladybird_option(ENABLE_COMPILETIME_HEADER_CHECK OFF CACHE BOOL "Enable compiletime check that each library header compiles stand-alone")
 ladybird_option(INCLUDE_WASM_SPEC_TESTS OFF CACHE BOOL "Download and include the WebAssembly spec testsuite")
-ladybird_option(INCLUDE_FLAC_SPEC_TESTS OFF CACHE BOOL "Download and include the FLAC spec testsuite")
-ladybird_option(ENABLE_CACERT_DOWNLOAD ON CACHE BOOL "Enable download of cacert.pem at build time")
 ladybird_option(LADYBIRD_CACHE_DIR "${PROJECT_BINARY_DIR}/../caches" CACHE PATH "Location of shared cache of downloaded files")
 ladybird_option(ENABLE_NETWORK_DOWNLOADS ON CACHE BOOL "Allow downloads of required files. If OFF, required files must already be present in LADYBIRD_CACHE_DIR")
diff --git a/Meta/Lagom/CMakeLists.txt b/Meta/Lagom/CMakeLists.txt
index c84109651be..c6793327fba 100644
--- a/Meta/Lagom/CMakeLists.txt
+++ b/Meta/Lagom/CMakeLists.txt
@@ -78,7 +78,6 @@ if (ENABLE_FUZZERS OR CMAKE_CROSSCOMPILING)
 set(BUILD_LAGOM_TOOLS OFF)
 endif()
-include(ca_certificates_data)
 include(lagom_compile_options)
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
diff --git a/Meta/WPT.sh b/Meta/WPT.sh
index cc38b83949b..073bc907c75 100755
--- a/Meta/WPT.sh
+++ b/Meta/WPT.sh
@@ -77,7 +77,6 @@ TEST_WEB_BINARY=${TEST_WEB_BINARY:-"${BUILD_DIR}/bin/test-web"}
 WPT_PROCESSES=${WPT_PROCESSES:-$(get_number_of_processing_units)}
 WPT_CERTIFICATES=(
 "tools/certs/cacert.pem"
- "${BUILD_DIR}/Lagom/cacert.pem"
 )
 WPT_ARGS=(
 "--binary=${LADYBIRD_BINARY}"
diff --git a/Meta/gn/secondary/Ladybird/BUILD.gn b/Meta/gn/secondary/Ladybird/BUILD.gn
index 7bc55789d9a..cd7e59cc094 100644
--- a/Meta/gn/secondary/Ladybird/BUILD.gn
+++ b/Meta/gn/secondary/Ladybird/BUILD.gn
@@ -154,7 +154,6 @@ executable("ladybird_executable") {
 } else {
 data_deps += [
 ":ladybird_copy_about_pages",
- ":ladybird_copy_cacert",
 ":ladybird_copy_config_resources",
 ":ladybird_copy_fonts",
 ":ladybird_copy_icons_128x128",
@@ -280,8 +279,6 @@ web_templates = [
 "//Base/res/ladybird/templates/version.html",
 ]
-cacert = [ "$root_build_dir/cacert.pem" ]
-
 config_resources = [
 "//Base/res/ladybird/default-config/BrowserContentFilters.txt",
 "//Base/res/ladybird/default-config/bookmarks.json",
@@ -341,12 +338,6 @@ if (current_os != "mac") {
 [ "$root_out_dir/share/Lagom/ladybird/templates/{{source_file_part}}" ]
 }
- copy("ladybird_copy_cacert") {
- public_deps = [ "//Userland/Libraries/LibTLS:ca_certificates_download" ]
- sources = cacert
- outputs = [ "$root_out_dir/share/Lagom/ladybird/{{source_file_part}}" ]
- }
-
 copy("ladybird_copy_config_resources") {
 sources = config_resources
 outputs = [
@@ -495,12 +486,6 @@ if (current_os != "mac") {
 [ "{{bundle_resources_dir}}/ladybird/templates/{{source_file_part}}" ]
 }
- bundle_data("ladybird_cacert") {
- public_deps = [ "//Userland/Libraries/LibTLS:ca_certificates_download" ]
- sources = cacert
- outputs = [ "{{bundle_resources_dir}}/ladybird/{{source_file_part}}" ]
- }
-
 bundle_data("ladybird_config_resources") {
 sources = config_resources
 outputs = [
@@ -553,7 +538,6 @@ if (current_os != "mac") {
 ":ladybird_bundle_executables",
 ":ladybird_bundle_info_plist",
 ":ladybird_bundle_libs",
- ":ladybird_cacert",
 ":ladybird_config_resources",
 ":ladybird_fonts",
 ":ladybird_icon",
diff --git a/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn b/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
index 692afbea82f..5816d21fcc6 100644
--- a/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
+++ b/Meta/gn/secondary/Userland/Libraries/LibTLS/BUILD.gn
@@ -1,26 +1,3 @@
-import("//Meta/gn/build/download_cache.gni")
-import("//Meta/gn/build/download_file.gni")
-
-declare_args() {
- # If true, Download root CA certificate bundle from curl.se
- # Data will be downloaded to $cache_path/CACERT and used by LibTLS
- enable_cacert_download = true
-}
-
-cacert_cache = cache_path + "CACERT/"
-
-cacert_version = "2025-05-20"
-
-if (enable_cacert_download) {
- download_file("ca_certificates_download") {
- version = cacert_version
- url = "https://curl.se/ca/cacert-$version.pem"
- output = "$root_build_dir/cacert.pem"
- version_file = cacert_cache + "version.txt"
- sha256 = "ab3ee3651977a4178a702b0b828a4ee7b2bbb9127235b0ab740e2e15974bf5db"
- }
-}
-
 shared_library("LibTLS") {
 output_name = "tls"
 include_dirs = [ "//Userland/Libraries" ]
@@ -36,7 +13,6 @@ shared_library("LibTLS") {
 "TLSv12.cpp",
 ]
 deps = [
- ":ca_certificates_download",
 "//AK",
 "//Userland/Libraries/LibCore",
 "//Userland/Libraries/LibCrypto",
diff --git a/Services/RequestServer/main.cpp b/Services/RequestServer/main.cpp
index b0c881c9e13..7e3ce0035de 100644
--- a/Services/RequestServer/main.cpp
+++ b/Services/RequestServer/main.cpp
@@ -28,14 +28,6 @@ extern ByteString g_default_certificate_path;
 }
-static ErrorOr find_certificates(StringView serenity_resource_root)
-{
- auto cert_path = ByteString::formatted("{}/ladybird/cacert.pem", serenity_resource_root);
- if (!FileSystem::exists(cert_path))
- return Error::from_string_literal("Don't know how to load certs!");
- return cert_path;
-}
 ErrorOr serenity_main(Main::Arguments arguments)
 {
 AK::set_rich_debug_enabled(true);
@@ -55,10 +47,8 @@ ErrorOr serenity_main(Main::Arguments arguments)
 if (wait_for_debugger)
 Core::Process::wait_for_debugger_and_break();
- // Ensure the certificates are read out here.
- if (certificates.is_empty())
- certificates.append(TRY(find_certificates(serenity_resource_root)));
- else
+ // FIXME: Update RequestServer to support multiple custom root certificates.
+ if (!certificates.is_empty())
 RequestServer::g_default_certificate_path = certificates.first();
 Core::EventLoop event_loop;
diff --git a/Tests/LibDNS/TestDNSResolver.cpp b/Tests/LibDNS/TestDNSResolver.cpp
index 69fa18ed7a6..3a0a7e1e00c 100644
--- a/Tests/LibDNS/TestDNSResolver.cpp
+++ b/Tests/LibDNS/TestDNSResolver.cpp
@@ -6,7 +6,6 @@
 #include
 #include
-#include
 #include
 #include
@@ -72,19 +71,6 @@ TEST_CASE(test_tcp)
 EXPECT_EQ(0, loop.exec());
 }
-static StringView ca_certs_file = "./cacert.pem"sv;
-static Optional locate_ca_certs_file()
-{
- if (FileSystem::exists(ca_certs_file)) {
- return ca_certs_file;
- }
- auto on_target_path = ByteString("/etc/cacert.pem");
- if (FileSystem::exists(on_target_path)) {
- return on_target_path;
- }
- return {};
-}
 TEST_CASE(test_tls)
 {
 Core::EventLoop loop;
@@ -93,8 +79,7 @@ TEST_CASE(test_tls)
 [&] -> ErrorOr {
 Core::SocketAddress addr = { IPv4Address::from_string("1.1.1.1"sv).value(), static_cast(853) };
- TLS::Options options;
- options.root_certificates_path = locate_ca_certs_file();
+ TLS::Options options = {};
 return DNS::Resolver::SocketResult { MaybeOwned(TRY(TLS::TLSv12::connect(addr, "1.1.1.1", move(options)))),
diff --git a/Tests/LibTLS/TestTLSHandshake.cpp b/Tests/LibTLS/TestTLSHandshake.cpp
index ccb2c3ebe54..47e95323edd 100644
--- a/Tests/LibTLS/TestTLSHandshake.cpp
+++ b/Tests/LibTLS/TestTLSHandshake.cpp
@@ -11,11 +11,9 @@
 #include
 #include
 #include
-#include
 #include
 #include
-static StringView ca_certs_file = "./cacert.pem"sv;
 static int port = 443;
 constexpr auto DEFAULT_SERVER = "www.google.com"sv;
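Review bot: With the `find_certificates()` fallback gone, the new `if (!certificates.is_empty())` branch is the only place the caller's certificate paths are consumed, and when more than one path is given every path after `certificates.first()` is dropped without any message. The FIXME records the multi-certificate gap, but the user who passes two paths gets no signal that the second was ignored; a one-line warning at the same spot would make that visible, e.g. `if (certificates.size() > 1) warnln("RequestServer: only the first of {} certificate paths is used", certificates.size());` (assuming AK's `warnln` is reachable from this file). It would also help to extend the comment with what an empty list now means — presumably the TLS backend's default/system trust store, going by the commit message — so the next reader does not go looking for the removed cacert.pem lookup; `g_default_certificate_path` is only declared `extern` here, so its initial value is not visible in this hunk. `serenity_main` begins and ends outside the hunk.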
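Review bot: `TLS::Options options = {};` in test_tls makes the test's TLS verification depend entirely on the host's CA trust store, so on a minimal CI image without ca-certificates installed the handshake to 1.1.1.1:853 will presumably fail at chain validation and look like a LibTLS or LibDNS regression rather than an environment problem. A comment on that line would save the next person a debugging round, e.g. `// No root_certificates_path: rely on the TLS backend's default (system) trust store; a bundled cacert.pem is no longer shipped.` The same applies to the identical change in Tests/LibTLS/TestTLSHandshake.cpp (test_TLS_hello_handshake). The lambda enclosing this line continues past the end of the hunk.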
@@ -25,24 +23,11 @@ static ByteBuffer operator""_b(char const* string, size_t length)
 return ByteBuffer::copy(string, length).release_value();
 }
-static Optional locate_ca_certs_file()
-{
- if (FileSystem::exists(ca_certs_file)) {
- return ca_certs_file;
- }
- auto on_target_path = ByteString("/etc/cacert.pem");
- if (FileSystem::exists(on_target_path)) {
- return on_target_path;
- }
- return {};
-}
 TEST_CASE(test_TLS_hello_handshake)
 {
 Core::EventLoop loop;
- TLS::Options options;
- options.root_certificates_path = locate_ca_certs_file();
+ TLS::Options options = {};
 auto tls = TRY_OR_FAIL(Core::BufferedSocket::create(TRY_OR_FAIL(TLS::TLSv12::connect(DEFAULT_SERVER, port, move(options)))));
diff --git a/UI/cmake/AndroidExtras.cmake b/UI/cmake/AndroidExtras.cmake
index 5109e92cbad..f6c95cba982 100644
--- a/UI/cmake/AndroidExtras.cmake
+++ b/UI/cmake/AndroidExtras.cmake
@@ -22,12 +22,6 @@ copy_res_folder(fonts)
 copy_res_folder(icons)
 copy_res_folder(emoji)
 copy_res_folder(themes)
-add_custom_target(copy-certs
- COMMAND ${CMAKE_COMMAND} -E copy_if_different
- "${Lagom_BINARY_DIR}/cacert.pem"
- "asset-bundle/res/ladybird/cacert.pem"
-)
-add_dependencies(archive-assets copy-certs)
 add_custom_target(copy-assets COMMAND ${CMAKE_COMMAND} -E copy_if_different ladybird-assets.tar "${CMAKE_SOURCE_DIR}/UI/Android/src/main/assets/")
 add_dependencies(copy-assets archive-assets)
 add_dependencies(ladybird copy-assets)
diff --git a/UI/cmake/ResourceFiles.cmake b/UI/cmake/ResourceFiles.cmake
index 03fe7ad2785..bb5ba130f26 100644
--- a/UI/cmake/ResourceFiles.cmake
+++ b/UI/cmake/ResourceFiles.cmake
@@ -103,11 +103,6 @@ set(CONFIG_RESOURCES
 )
 list(TRANSFORM CONFIG_RESOURCES PREPEND "${LADYBIRD_SOURCE_DIR}/Base/res/ladybird/default-config/")
-set(DOWNLOADED_RESOURCES
- cacert.pem
-)
-list(TRANSFORM DOWNLOADED_RESOURCES PREPEND "${Lagom_BINARY_DIR}/")
-
 function(copy_resource_set subdir)
 cmake_parse_arguments(PARSE_ARGV 1 "COPY" "" "TARGET;DESTINATION" "RESOURCES")
 set(inputs ${COPY_RESOURCES})
@@ -192,10 +187,6 @@ function(copy_resources_to_build base_directory bundle_target)
 DESTINATION ${base_directory} TARGET ${bundle_target}
 )
- copy_resource_set(ladybird RESOURCES ${DOWNLOADED_RESOURCES}
- DESTINATION ${base_directory} TARGET ${bundle_target}
- )
-
 add_dependencies(${bundle_target} "${bundle_target}_build_resource_files")
 endfunction()
@@ -209,5 +200,4 @@ function(install_ladybird_resources destination component)
 install(FILES ${ABOUT_PAGES} DESTINATION "${destination}/ladybird/about-pages" COMPONENT ${component})
 install(FILES ${WEB_TEMPLATES} DESTINATION "${destination}/ladybird/templates" COMPONENT ${component})
 install(FILES ${CONFIG_RESOURCES} DESTINATION "${destination}/ladybird/default-config" COMPONENT ${component})
-install(FILES ${DOWNLOADED_RESOURCES} DESTINATION "${destination}/ladybird" COMPONENT ${component})
 endfunction()
diff --git a/Utilities/dns.cpp b/Utilities/dns.cpp
index 74ce2314282..76ffc54d12b 100644
--- a/Utilities/dns.cpp
+++ b/Utilities/dns.cpp
@@ -25,7 +25,7 @@ ErrorOr serenity_main(Main::Arguments arguments)
 bool dnssec = false;
 Core::ArgsParser args_parser;
- args_parser.add_option(cert_path, "Path to the CA certificate file", "ca-certs", 'C', "file");
+ args_parser.add_option(cert_path, "Path to a root CA certificate file", "ca-certs", 'C', "file");
 args_parser.add_option(server_address, "The address of the DNS server to query", "server", 's', "addr");
 args_parser.add_option(use_tls, "Use TLS to connect to the server", "tls", 0);
 args_parser.add_option(dnssec, "Validate DNSSEC records locally", "dnssec", 0);
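Review bot: The reworded help text `"Path to a root CA certificate file"` still does not say what `dns` trusts when `--ca-certs` is omitted, which matters more now that the following hunk in this file leaves `options.root_certificates_path` unset for an empty `cert_path` (presumably deferring to the TLS backend's default trust store, per the commit message). Stating the default in the option string, e.g. `"Path to a root CA certificate file (default: the system trust store)"`, makes that trust decision visible from `--help` instead of something the user has to read the source to learn. `serenity_main` begins and ends outside this hunk.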
@@ -78,7 +78,8 @@ ErrorOr serenity_main(Main::Arguments arguments)
 auto make_resolver = [&](Core::SocketAddress const& address) -> ErrorOr {
 if (use_tls) {
 TLS::Options options;
- options.root_certificates_path = cert_path;
+ if (!cert_path.is_empty())
+ options.root_certificates_path = cert_path;
 auto tls = TRY(TLS::TLSv12::connect(address, server_address, move(options)));
 return DNS::Resolver::SocketResult { move(tls), DNS::Resolver::ConnectionMode::TCP };