Merge remote-tracking branch 'upstream/pr/8920' into maint

OTP-19321 * upstream/pr/8920: Allow setting certificates via application config
erlang · Oct 31, 2024 · 3c63564 · 3c63564
2 parents 2fd0b07 + 13d6a35
commit 3c63564
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/lib/public_key/src/pubkey_os_cacerts.erl b/lib/public_key/src/pubkey_os_cacerts.erl
@@ -37,7 +37,15 @@
 get() ->
     case persistent_term:get(?MODULE, not_loaded) of
         not_loaded ->
-            case load() of
+            _ = application:load(public_key),
+
+            Result =
+                case application:get_env(public_key, cacerts_path) of
+                    {ok, EnvVar} -> load([EnvVar]);
+                    undefined -> load()
+                end,
+
+            case Result of
                 ok ->
                     persistent_term:get(?MODULE);
                 {error, Reason} ->

diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
@@ -2229,7 +2229,20 @@ cacerts_get() ->
 %%--------------------------------------------------------------------
 -doc(#{title => <<"Certificate API">>,
        since => <<"OTP 25.0">>}).
--doc "Loads the OS supplied trusted CA certificates.".
+-doc """
+Loads the OS supplied trusted CA certificates.
+
+This can be overridden by setting the `cacerts_path`
+environment key of the `public_key` application with
+the location of an alternative certificate.
+You can set it via the command line as:
+
+    erl -public_key cacerts_path '"/path/to/certs.pem"'
+
+Use it with care. It is your responsibility to ensure
+that the certificates found in this alternative path
+can be trusted by the running system.
+""".
 
 -spec cacerts_load() -> ok | {error, Reason::term()}.
 %%--------------------------------------------------------------------

diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
@@ -1692,6 +1692,12 @@ cacerts_load(Config) ->
             ok
     end,
 
+    %% Load from application environment
+    application:set_env(public_key, cacerts_path, filename:join(Datadir, "cacerts.pem")),
+    2 = length(public_key:cacerts_get()),
+    application:unset_env(public_key, cacerts_path),
+    true = public_key:cacerts_clear(),
+
     %% Load default OS certs
     %%    there is no default installed OS certs on netbsd
     %%    can be installed with 'pkgin install mozilla-rootcerts'
@@ -1709,7 +1715,7 @@ cacerts_load(Config) ->
     ok = public_key:cacerts_load(filename:join(Datadir, "cacerts.pem")),
     [_TestCert1, _TestCert2] = public_key:cacerts_get(),
 
-    %% Re-Load default OS certs
+    %% Reload default OS certs
     try
         process_flag(trap_exit, true),
         flush(),