diff --git a/cli/dts/lib.deno.unstable.d.ts b/cli/dts/lib.deno.unstable.d.ts index f9ef1fb2fc..e8d484ec3a 100644 --- a/cli/dts/lib.deno.unstable.d.ts +++ b/cli/dts/lib.deno.unstable.d.ts @@ -1266,6 +1266,10 @@ declare namespace Deno { * Requires `allow-read` permission. */ caFile?: string; + + /** A certificate authority to use when validating TLS certificates. Certificate data must be PEM encoded. + */ + caData?: string; } /** **UNSTABLE**: New API, yet to be vetted. diff --git a/cli/tests/unit/fetch_test.ts b/cli/tests/unit/fetch_test.ts index 6a5cff164f..6f90a1847c 100644 --- a/cli/tests/unit/fetch_test.ts +++ b/cli/tests/unit/fetch_test.ts @@ -959,7 +959,7 @@ unitTest(function fetchResponseEmptyConstructor(): void { unitTest( { perms: { net: true, read: true } }, - async function fetchCustomHttpClientSuccess(): Promise< + async function fetchCustomHttpClientFileCertificateSuccess(): Promise< void > { const client = Deno.createHttpClient( @@ -974,3 +974,42 @@ unitTest( client.close(); }, ); + +unitTest( + { perms: { net: true } }, + async function fetchCustomHttpClientParamCertificateSuccess(): Promise< + void + > { + const client = Deno.createHttpClient( + { + caData: `-----BEGIN CERTIFICATE----- +MIIDIzCCAgugAwIBAgIJAMKPPW4tsOymMA0GCSqGSIb3DQEBCwUAMCcxCzAJBgNV +BAYTAlVTMRgwFgYDVQQDDA9FeGFtcGxlLVJvb3QtQ0EwIBcNMTkxMDIxMTYyODIy +WhgPMjExODA5MjcxNjI4MjJaMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9FeGFt +cGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMH/IO +2qtHfyBKwANNPB4K0q5JVSg8XxZdRpTTlz0CwU0oRO3uHrI52raCCfVeiQutyZop +eFZTDWeXGudGAFA2B5m3orWt0s+touPi8MzjsG2TQ+WSI66QgbXTNDitDDBtTVcV +5G3Ic+3SppQAYiHSekLISnYWgXLl+k5CnEfTowg6cjqjVr0KjL03cTN3H7b+6+0S +ws4rYbW1j4ExR7K6BFNH6572yq5qR20E6GqlY+EcOZpw4CbCk9lS8/CWuXze/vMs +OfDcc6K+B625d27wyEGZHedBomT2vAD7sBjvO8hn/DP1Qb46a8uCHR6NSfnJ7bXO +G1igaIbgY1zXirNdAgMBAAGjUDBOMB0GA1UdDgQWBBTzut+pwwDfqmMYcI9KNWRD +hxcIpTAfBgNVHSMEGDAWgBTzut+pwwDfqmMYcI9KNWRDhxcIpTAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB9AqSbZ+hEglAgSHxAMCqRFdhVu7MvaQM0 +P090mhGlOCt3yB7kdGfsIrUW6nQcTz7PPQFRaJMrFHPvFvPootkBUpTYR4hTkdce +H6RCRu2Jxl4Y9bY/uezd9YhGCYfUtfjA6/TH9FcuZfttmOOlxOt01XfNvVMIR6RM +z/AYhd+DeOXjr35F/VHeVpnk+55L0PYJsm1CdEbOs5Hy1ecR7ACuDkXnbM4fpz9I +kyIWJwk2zJReKcJMgi1aIinDM9ao/dca1G99PHOw8dnr4oyoTiv8ao6PWiSRHHMi +MNf4EgWfK+tZMnuqfpfO9740KzfcVoMNo4QJD4yn5YxroUOO/Azi +-----END CERTIFICATE----- +`, + }, + ); + const response = await fetch( + "https://localhost:5545/cli/tests/fixture.json", + { client }, + ); + const json = await response.json(); + assertEquals(json.name, "deno"); + client.close(); + }, +); diff --git a/op_crates/fetch/lib.rs b/op_crates/fetch/lib.rs index c2c08d2cff..4bc37b998c 100644 --- a/op_crates/fetch/lib.rs +++ b/op_crates/fetch/lib.rs @@ -260,6 +260,7 @@ where #[serde(default)] struct CreateHttpClientOptions { ca_file: Option, + ca_data: Option, } let args: CreateHttpClientOptions = serde_json::from_value(args)?; @@ -269,7 +270,9 @@ where permissions.check_read(&PathBuf::from(ca_file))?; } - let client = create_http_client(args.ca_file.as_deref()).unwrap(); + let client = + create_http_client(args.ca_file.as_deref(), args.ca_data.as_deref()) + .unwrap(); let rid = state.resource_table.add(HttpClientResource::new(client)); Ok(json!(rid)) @@ -277,9 +280,16 @@ where /// Create new instance of async reqwest::Client. This client supports /// proxies and doesn't follow redirects. -fn create_http_client(ca_file: Option<&str>) -> Result { +fn create_http_client( + ca_file: Option<&str>, + ca_data: Option<&str>, +) -> Result { let mut builder = Client::builder().redirect(Policy::none()).use_rustls_tls(); - if let Some(ca_file) = ca_file { + if let Some(ca_data) = ca_data { + let ca_data_vec = ca_data.as_bytes().to_vec(); + let cert = reqwest::Certificate::from_pem(&ca_data_vec)?; + builder = builder.add_root_certificate(cert); + } else if let Some(ca_file) = ca_file { let mut buf = Vec::new(); File::open(ca_file)?.read_to_end(&mut buf)?; let cert = reqwest::Certificate::from_pem(&buf)?;