Add built-in root certificate fallbacks

Blank-importing golang.org/x/crypto/x509roots/fallback bundles a set of root fallback certificates from Mozilla into the resulting binary. This allows the program to run in environments where the system root certificates are not available, for example inside a minimal container. These are _fallbacks_, meaning that if the system _does have_ a set of root certificates, those will be given priority. The binary size will increase a little (~ 220 kB). It's added to main.go instead of somewhere else because the recommendation is for the package to be imported from binaries, not from libraries. Calling x509.SetFallbackRoots (what the imported package does in its init function) more than once will cause the program to panic. In principle, the Go import system will prevent the package from being imported twice, so that shouldn't be a problem, but it's probably better to keep this very visible, therefore main.go. Signed-off-by: Marcelo E. Magallon <[email protected]>
grafana · Nov 3, 2023 · 12a0441 · 12a0441
1 parent 70c6284
commit 12a0441
Show file tree

Hide file tree

Showing 7 changed files with 3,900 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -40,6 +40,7 @@ require (
 	github.com/tidwall/gjson v1.17.0
 	go.uber.org/goleak v1.2.1
 	golang.org/x/crypto v0.14.0
+	golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1
 	golang.org/x/net v0.17.0
 	golang.org/x/term v0.13.0
 	golang.org/x/time v0.3.0

diff --git a/go.sum b/go.sum
@@ -201,6 +201,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1 h1:wQ75dCmVn5ExryuIUzbi2MC1/10fUNIL1FP918r4jx8=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=

diff --git a/main.go b/main.go
@@ -2,6 +2,15 @@ package main
 
 import (
 	"go.k6.io/k6/cmd"
+
+	// Blank-importing golang.org/x/crypto/x509roots/fallback bundles a set of
+	// root fallback certificates from Mozilla into the resulting binary. This
+	// allows the program to run in environments where the system root
+	// certificates are not available, for example inside a minimal container.
+	// These are _fallbacks_, meaning that if the system _does have_ a set of
+	// root certificates, those will be given priority. The binary size will
+	// increase a little (~ 220 kB).
+	_ "golang.org/x/crypto/x509roots/fallback"
 )
 
 func main() {

diff --git a/vendor/golang.org/x/crypto/x509roots/fallback/LICENSE b/vendor/golang.org/x/crypto/x509roots/fallback/LICENSE
diff --git a/vendor/golang.org/x/crypto/x509roots/fallback/bundle.go b/vendor/golang.org/x/crypto/x509roots/fallback/bundle.go
diff --git a/vendor/golang.org/x/crypto/x509roots/fallback/fallback.go b/vendor/golang.org/x/crypto/x509roots/fallback/fallback.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -312,6 +312,9 @@ go.uber.org/goleak/internal/stack
 golang.org/x/crypto/md4
 golang.org/x/crypto/ocsp
 golang.org/x/crypto/ripemd160
+# golang.org/x/crypto/x509roots/fallback v0.0.0-20231030152948-74c2ba9521f1
+## explicit; go 1.20
+golang.org/x/crypto/x509roots/fallback
 # golang.org/x/net v0.17.0
 ## explicit; go 1.17
 golang.org/x/net/html