Merge pull request #140 from subbu963/main

feat: Add support for custom SSL certificates
second-state · May 31, 2024 · ab18110 · ab18110
2 parents 3161a3e + 3f8a4d4
commit ab18110
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -35,6 +35,7 @@ crypto-wasi = { version = "0.1.1", optional = true }
 chat-prompts = { version = "0.3", optional = true }
 wasi-nn = { git = "https://github.com/second-state/wasmedge-wasi-nn", branch = "ggml", optional = true }
 endpoints = { version = "0.2", optional = true }
+rustls-pemfile = "1.0.4"
 
 [features]
 default = ["tls"]

diff --git a/README.md b/README.md
@@ -13,3 +13,9 @@ cargo build --target wasm32-wasi --release
 wasmedge --dir .:. target/wasm32-wasi/release/wasmedge_quickjs.wasm example_js/hello.js WasmEdge Runtime
 Hello WasmEdge Runtime
 ```
+
+### Usage with custom ssl certs
+```bash
+$  wasmedge --dir .:. --dir /etc/ssl:/etc/ssl:readonly --env SSL_CERT_FILE="/etc/ssl/cert.pem" target/wasm32-wasi/release/wasmedge_quickjs.wasm example_js/wasi_https_fetch.js
+```
+substitute the value of `/etc/ssl` and `/etc/ssl/cert.pem` with the location of your cert folder and cert file
diff --git a/scripts/get_cert.sh b/scripts/get_cert.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Check if a domain is provided as an argument
+if [ -z "$1" ]; then
+    echo "Usage: $0 <domain>"
+    exit 1
+fi
+
+# Retrieve and print the combined TLS certificates
+openssl s_client -showcerts -connect "$1":443 2>/dev/null < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print}'
diff --git a/src/event_loop/certs.rs b/src/event_loop/certs.rs
@@ -0,0 +1,20 @@
+use std::{env, io};
+use std::fs::File;
+use std::io::BufReader;
+use rustls::Certificate;
+
+
+const ENV_CERT_FILE: &str = "SSL_CERT_FILE";
+
+pub fn load_certs_from_env() -> io::Result<Vec<Certificate>> {
+    let file_name = match env::var(ENV_CERT_FILE) {
+        Ok(val) => val,
+        Err(_) => {
+         return io::Result::Err(io::Error::from(io::ErrorKind::NotFound));
+        },
+    };
+    let file = File::open(file_name)?;
+    let mut reader = BufReader::new(file);
+    let mut certs = rustls_pemfile::certs(&mut reader)?;
+    Ok(certs.into_iter().map(Certificate).collect())
+}
diff --git a/src/event_loop/mod.rs b/src/event_loop/mod.rs
@@ -1,6 +1,7 @@
 mod poll;
 pub mod wasi_fs;
 mod wasi_sock;
+mod certs;
 
 use crate::{quickjs_sys as qjs, Context, JsClassTool, JsValue};
 use std::borrow::BorrowMut;
@@ -134,13 +135,21 @@ impl AsyncTlsConn {
 
         let io = tokio::net::TcpStream::connect(addr).await?;
         let mut root_store = rustls::RootCertStore::empty();
-        root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        }));
+        if let Ok(custom_certs) = certs::load_certs_from_env() {
+            log::info!("using custom certs");
+            for cert in custom_certs {
+                root_store.add(&cert).unwrap();
+            }
+        } else {
+            log::info!("falling back to webpki certs");
+            root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
+                OwnedTrustAnchor::from_subject_spki_name_constraints(
+                    ta.subject,
+                    ta.spki,
+                    ta.name_constraints,
+                )
+            }));
+        }
 
         let config = rustls::ClientConfig::builder()
             .with_safe_defaults()