Use system cert pool

everesio · everesio · commit 9abe85172777 · 2025-01-19T12:19:40.000+01:00
diff --git a/tls/client/roundtripper.go b/tls/client/roundtripper.go
@@ -35,7 +35,10 @@ func WithClientCertsStore(source *source.ClientCertsStore) RoundTripperOption {
 }
 
 func WithRootCA(cert *x509.Certificate) RoundTripperOption {
-	certPool := x509.NewCertPool()
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		certPool = x509.NewCertPool()
+	}
 	certPool.AddCert(cert)
 	return WithRootCAs(certPool)
 }
diff --git a/tls/client/source/pems.go b/tls/client/source/pems.go
@@ -39,7 +39,10 @@ func (s ClientPEMs) RootCAs() (*x509.CertPool, error) {
 	if len(s.RootCAsPEMBlock) == 0 {
 		return nil, nil
 	}
-	certPool := x509.NewCertPool()
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		certPool = x509.NewCertPool()
+	}
 	if !certPool.AppendCertsFromPEM(s.RootCAsPEMBlock) {
 		return nil, errors.New("client PEMs: building client CAs failed")
 	}
diff --git a/tls/server/source/pems.go b/tls/server/source/pems.go
@@ -40,7 +40,10 @@ func (s ServerPEMs) ClientCAs() (*x509.CertPool, error) {
 	if len(s.ClientAuthPEMBlock) == 0 {
 		return nil, nil
 	}
-	certPool := x509.NewCertPool()
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		certPool = x509.NewCertPool()
+	}
 	if !certPool.AppendCertsFromPEM(s.ClientAuthPEMBlock) {
 		return nil, errors.New("server PEMs: building client CAs failed")
 	}

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,10 @@ func WithClientCertsStore(source *source.ClientCertsStore) RoundTripperOption {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`func WithRootCA(cert *x509.Certificate) RoundTripperOption {`
`38`		`- certPool := x509.NewCertPool()`
	`38`	`+ certPool, err := x509.SystemCertPool()`
	`39`	`+ if err != nil {`
	`40`	`+ certPool = x509.NewCertPool()`
	`41`	`+ }`
`39`	`42`	`certPool.AddCert(cert)`
`40`	`43`	`return WithRootCAs(certPool)`
`41`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,10 @@ func (s ClientPEMs) RootCAs() (*x509.CertPool, error) {`
`39`	`39`	`if len(s.RootCAsPEMBlock) == 0 {`
`40`	`40`	`return nil, nil`
`41`	`41`	`}`
`42`		`- certPool := x509.NewCertPool()`
	`42`	`+ certPool, err := x509.SystemCertPool()`
	`43`	`+ if err != nil {`
	`44`	`+ certPool = x509.NewCertPool()`
	`45`	`+ }`
`43`	`46`	`if !certPool.AppendCertsFromPEM(s.RootCAsPEMBlock) {`
`44`	`47`	`return nil, errors.New("client PEMs: building client CAs failed")`
`45`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,10 @@ func (s ServerPEMs) ClientCAs() (*x509.CertPool, error) {`
`40`	`40`	`if len(s.ClientAuthPEMBlock) == 0 {`
`41`	`41`	`return nil, nil`
`42`	`42`	`}`
`43`		`- certPool := x509.NewCertPool()`
	`43`	`+ certPool, err := x509.SystemCertPool()`
	`44`	`+ if err != nil {`
	`45`	`+ certPool = x509.NewCertPool()`
	`46`	`+ }`
`44`	`47`	`if !certPool.AppendCertsFromPEM(s.ClientAuthPEMBlock) {`
`45`	`48`	`return nil, errors.New("server PEMs: building client CAs failed")`
`46`	`49`	`}`