Add support for SSL env vars to cert pool watcher

tmshort · tmshort · commit 2774d78ecbaf · 2025-01-30T11:36:37.000-05:00
The SystemRoot store looks at the SSL_CERT_DIR and SSL_CERT_FILE
environment variables for certificate locations. Because these
variables are under control of the user, we should assume that
the user wants to control the contents of the SystemRoot, and
subsequently that those contents could change (as compared to certs
located in the default /etc/pki location).

Thus, we should watch those locations if they exist.

Signed-off-by: Todd Short &lt;tshort@redhat.com&gt;
diff --git a/internal/httputil/certpoolwatcher.go b/internal/httputil/certpoolwatcher.go
@@ -4,6 +4,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -44,8 +45,38 @@ func NewCertPoolWatcher(caDir string, log logr.Logger) (*CertPoolWatcher, error)
 	if err != nil {
 		return nil, err
 	}
-	if err = watcher.Add(caDir); err != nil {
-		return nil, err
+
+	if caDir != "" {
+		// only watch if we can Stat() it
+		if _, err := os.Stat(caDir); err == nil {
+			if err = watcher.Add(caDir); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	// If the SSL_CERT_DIR or SSL_CERT_FILE environment variables are
+	// specified, this means that we have some control over the system root
+	// location, thus they may change, thus we should watch those locations.
+	if d := os.Getenv("SSL_CERT_DIR"); d != "" {
+		dirs := strings.Split(d, ":")
+		for _, dir := range dirs {
+			// only watch if we can Stat() it
+			if _, err := os.Stat(dir); err == nil {
+				if err = watcher.Add(dir); err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+
+	if f := os.Getenv("SSL_CERT_FILE"); f != "" {
+		// only watch if we can Stat() it
+		if _, err := os.Stat(f); err == nil {
+			if err = watcher.Add(f); err != nil {
+				return nil, err
+			}
+		}
 	}
 
 	cpw := &CertPoolWatcher{
diff --git a/internal/httputil/certpoolwatcher_test.go b/internal/httputil/certpoolwatcher_test.go
@@ -72,6 +72,10 @@ func TestCertPoolWatcher(t *testing.T) {
 	t.Logf("Create cert file at %q\n", certName)
 	createCert(t, certName)
 
+	// Update environment variables for the watcher - some of these should not exist
+	os.Setenv("SSL_CERT_DIR", tmpDir+":/tmp/does-not-exist.dir")
+	os.Setenv("SSL_CERT_FILE", "/tmp/does-not-exist.file")
+
 	// Create the cert pool watcher
 	cpw, err := httputil.NewCertPoolWatcher(tmpDir, log.FromContext(context.Background()))
 	require.NoError(t, err)
