[client] use embedded root CA if system certpool is empty (#3272)

* Implement custom TLS certificate handling with fallback to embedded roots
2025-08-09 23:27:58 +02:00 · 2025-02-04 18:17:59 +03:00
parent 7d385b8dc3
commit 0125cd97d8
8 changed files with 160 additions and 6 deletions
--- a/util/embeddedroots/embeddedroots.go
+++ b/util/embeddedroots/embeddedroots.go
@ -0,0 +1,42 @@
+package embeddedroots
+
+import (
+	"crypto/x509"
+	_ "embed"
+	"sync"
+)
+
+func Get() *x509.CertPool {
+	rootsVar.load()
+	return rootsVar.p
+}
+
+type roots struct {
+	once sync.Once
+	p    *x509.CertPool
+}
+
+var rootsVar roots
+
+func (r *roots) load() {
+	r.once.Do(func() {
+		p := x509.NewCertPool()
+		p.AppendCertsFromPEM([]byte(isrgRootX1RootPEM))
+		p.AppendCertsFromPEM([]byte(isrgRootX2RootPEM))
+		r.p = p
+	})
+}
+
+// Subject: O = Internet Security Research Group, CN = ISRG Root X1
+// Key type: RSA 4096
+// Validity: until 2030-06-04 (generated 2015-06-04)
+//
+//go:embed isrg-root-x1.pem
+var isrgRootX1RootPEM string
+
+// Subject: O = Internet Security Research Group, CN = ISRG Root X2
+// Key type: ECDSA P-384
+// Validity: until 2035-09-04 (generated 2020-09-04)
+//
+//go:embed isrg-root-x2.pem
+var isrgRootX2RootPEM string