Improve handling of CA certificates (#518)

Instead of bundling Pkl's built-in CA certificates as a class path resource and loading them at runtime, pass them to the native image compiler as the default SSL context's trust store. This results in faster SSL initialization and is more consistent with how default certificates are handled when running on the JVM. Further related improvements: - Remove HttpClientBuilder methods `addDefaultCliCertificates` and `addBuiltInCertificates`. - Remove pkl-certs subproject and the optional dependencies on it. - Move `PklCARoots.pem` to `pkl-cli/src/certs`. - Fix certificate related error messages that were missing an argument. - Prevent PklBugException if initialization of `CliBaseOptions.httpClient` fails. - Add ability to set CA certificates as a byte array - Add CA certificates option to message passing API
2026-03-23 17:41:10 +01:00 · 2024-06-12 17:53:03 -07:00
parent d7a1778199
commit 919de4838c
28 changed files with 240 additions and 275 deletions
--- a/docs/modules/bindings-specification/pages/message-passing-api.adoc
+++ b/docs/modules/bindings-specification/pages/message-passing-api.adoc
@@ -121,7 +121,7 @@ outputFormat: String?
 /// The project dependency settings.
 project: Project?

-/// Configuration of outgoing HTTP requests.
+/// Configuration of outgoing HTTP(s) requests.
 http: Http?

 class ClientResourceReader {
@@ -178,8 +178,27 @@ class Project {
  dependencies: Mapping<String, Project|RemoteDependency>
 }

-/// Settings that control how Pkl talks to HTTP(S) servers.
+class RemoteDependency {
+  type: "remote"
+
+  /// The canonical URI of this dependency
+  packageUri: String?
+
+  /// The checksums of this remote dependency
+  checksums: Checksums?
+}
+
+class Checksums {
+  /// The sha-256 checksum of this dependency's metadata.
+  sha256: String
+}
+
 class Http {
+  /// PEM format certificates to trust when making HTTP requests.
+  ///
+  /// If [null], Pkl will trust its own built-in certificates.
+  caCertificates: Binary?
+
  /// Configuration of the HTTP proxy to use.
  ///
  /// If [null], uses the operating system's proxy configuration.
@@ -226,21 +245,9 @@ class Proxy {
  noProxy: Listing<String>(isDistinct)
 }

-class RemoteDependency {
-  type: "remote"
-
-  /// The canonical URI of this dependency
-  packageUri: String?
-
-  /// The checksums of this remote dependency
-  checksums: Checksums?
-}
-
-class Checksums {
-  /// The sha-256 checksum of this dependency's metadata.
-  sha256: String
-}
+typealias Binary = Any // <1>
 ----
+<1> link:{uri-messagepack-bin}[bin format] (not expressable in Pkl)

 Example:
 [source,json5]