From 06b5121d9eaebad3a8f1ff52cb7fd9d58a321823 Mon Sep 17 00:00:00 2001
From: wwqgtxx
Date: Thu, 28 Mar 2024 19:26:41 +0800
Subject: [PATCH] chore: embed ca-certificates.crt
---
 .github/workflows/build.yml | 6 ++++++
 component/ca/ca-certificates.crt | 0
 component/ca/config.go | 18 ++++++++++++++++--
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 component/ca/ca-certificates.crt
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bad84cd1..f9bbbba9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -141,6 +141,12 @@ jobs:
 run: |
 go test ./...
 
+ - name: Update UA
+ run: |
+ sudo apt-get install ca-certificates
+ sudo update-ca-certificates
+ cp -f /etc/ssl/certs/ca-certificates.crt component/ca/ca-certificates.crt
+
 - name: Build core
 env:
 GOOS: ${{matrix.jobs.goos}}
diff --git a/component/ca/ca-certificates.crt b/component/ca/ca-certificates.crt
new file mode 100644
index 00000000..e69de29b
diff --git a/component/ca/config.go b/component/ca/config.go
index 03fb007c..53cb98ab 100644
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -5,10 +5,12 @@ import (
 "crypto/sha256"
 "crypto/tls"
 "crypto/x509"
+ _ "embed"
 "encoding/hex"
 "errors"
 "fmt"
 "os"
+ "strconv"
 "strings"
 "sync"
 )
@@ -18,6 +20,11 @@ var globalCertPool *x509.CertPool
 var mutex sync.RWMutex
 var errNotMatch = errors.New("certificate fingerprints do not match")
 
+//go:embed ca-certificates.crt
+var _CaCertificates []byte
+var DisableEmbedCa, _ = strconv.ParseBool(os.Getenv("DISABLE_EMBED_CA"))
+var DisableSystemCa, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_CA"))
+
 func AddCertificate(certificate string) error {
 mutex.Lock()
 defer mutex.Unlock()
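Review bot: The new step is named `Update UA` but it refreshes and copies the runner's CA bundle, so the name misleads anyone reading the workflow log; `- name: Update CA certificates` says what it does. `sudo apt-get install ca-certificates` runs without `-y` and without a preceding `apt-get update`, so if the package is ever absent or outdated on the runner image the step may abort on the confirmation prompt or install a stale bundle; `sudo apt-get update && sudo apt-get install -y ca-certificates` avoids both. A comment on the step should also record that the bundle baked into the binary is whatever `/etc/ssl/certs/ca-certificates.crt` the runner image ships at build time, so the shipped trust anchors track the runner image rather than a reviewed file in the repository. The enclosing job definition starts outside the hunk.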
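Review bot: `var DisableEmbedCa, _ = strconv.ParseBool(os.Getenv("DISABLE_EMBED_CA"))` and the `DISABLE_SYSTEM_CA` line below it discard the parse error, so a value ParseBool rejects (`yes`, `on`, `enabled`) silently leaves the switch off while the operator believes the trust store has been restricted; a small helper that treats an unset variable as false and rejects any other unparsable value (log it, or fail at startup) would make the misconfiguration visible. Both variables change which roots the process trusts and are exported, so each needs a doc comment, e.g. `// DisableSystemCa is set from DISABLE_SYSTEM_CA; when true the OS trust store is not loaded.` and the matching one for `DisableEmbedCa` and the embedded bundle. Note that the committed `component/ca/ca-certificates.crt` is empty (diffstat `| 0`) and is only filled by the workflow step, so builds outside CI embed nothing under `_CaCertificates`. On naming, a leading underscore and `Ca` rather than `CA` (`caCertificates`, `DisableEmbedCA`) are what Go conventions and linters expect, though renaming the exported ones is an API change.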
@@ -34,13 +41,20 @@ func AddCertificate(certificate string) error {
 
 func initializeCertPool() {
 var err error
- globalCertPool, err = x509.SystemCertPool()
- if err != nil {
+ if DisableSystemCa {
 globalCertPool = x509.NewCertPool()
+ } else {
+ globalCertPool, err = x509.SystemCertPool()
+ if err != nil {
+ globalCertPool = x509.NewCertPool()
+ }
 }
 for _, cert := range trustCerts {
 globalCertPool.AddCert(cert)
 }
+ if !DisableEmbedCa {
+ globalCertPool.AppendCertsFromPEM(_CaCertificates)
+ }
 }
 
 func ResetCertificate() {
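Review bot: `globalCertPool.AppendCertsFromPEM(_CaCertificates)` drops its `bool` result, so when the embedded bundle is empty — as the committed `component/ca/ca-certificates.crt` is until the CI step overwrites it — or contains no parsable certificate, no root is added and nothing reports it, and a developer build silently trusts only the system pool; `if !globalCertPool.AppendCertsFromPEM(_CaCertificates) { /* surface it: log or record an error */ }` would at least make that observable (no logger is visible in this hunk, so the exact reporting path is up to the package). When neither switch is set the embedded roots are appended on top of `x509.SystemCertPool()`, so a CA an administrator has removed from the OS store is still trusted through the binary; a comment on `initializeCertPool` should state that the embedded bundle extends the system store and is only excluded via `DISABLE_EMBED_CA`. `err` from `SystemCertPool` is still discarded, as it was before the change. The body of `ResetCertificate` continues outside the hunk.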