Do not enable TLS certificate revocation checks by default (#553)

This addresses an issue where network requests may fail if cert revocation checks
error, which may occur due to availability issues, or due to lack of internet access.

Revocation checking can still be enabled by setting JVM property com.sun.net.ssl.checkRevocation if on the JVM.

Also:
* Load built-in certs from resources, and move them to pkl-commons-cli
* Fix an issue where HttpInitException is not caught when loading a module

pkl-cli/pkl-cli.gradle.kts

@@ -1,6 +1,3 @@
-import java.security.KeyStore
-import java.security.cert.CertificateFactory
-
 plugins {
   pklAllProjects
   pklKotlinLibrary
@@ -38,8 +35,6 @@ val stagedLinuxAarch64Executable: Configuration by configurations.creating
 val stagedAlpineLinuxAmd64Executable: Configuration by configurations.creating
 val stagedWindowsAmd64Executable: Configuration by configurations.creating
 
-val certs: SourceSet by sourceSets.creating
-
 dependencies {
   compileOnly(libs.svm)
 
@@ -148,38 +143,11 @@ tasks.check {
   dependsOn(testStartJavaExecutable)
 }
 
-val trustStore = layout.buildDirectory.dir("generateTrustStore/PklCARoots.p12")
-val trustStorePassword = "password" // no sensitive data to protect
-
-// generate a trust store for Pkl's built-in CA certificates
-val generateTrustStore by tasks.registering {
-  inputs.file(certs.resources.singleFile)
-  outputs.file(trustStore)
-  doLast {
-    val certificates = certs.resources.singleFile.inputStream().use { stream ->
-      CertificateFactory.getInstance("X.509").generateCertificates(stream)
-    }
-    KeyStore.getInstance("PKCS12").apply {
-      load(null, trustStorePassword.toCharArray()) // initialize empty trust store
-      for ((index, certificate) in certificates.withIndex()) {
-        setCertificateEntry("cert-$index", certificate)
-      }
-      val trustStoreFile = trustStore.get().asFile
-      trustStoreFile.parentFile.mkdirs()
-      trustStoreFile.outputStream().use { stream ->
-        store(stream, trustStorePassword.toCharArray())
-      }
-    }
-  }
-}
-
 fun Exec.configureExecutable(
   graalVm: BuildInfo.GraalVm,
   outputFile: Provider<RegularFile>,
   extraArgs: List<String> = listOf()
 ) {
-  dependsOn(generateTrustStore)
-
   inputs.files(sourceSets.main.map { it.output })
     .withPropertyName("mainSourceSets")
     .withPathSensitivity(PathSensitivity.RELATIVE)
@@ -210,14 +178,10 @@ fun Exec.configureExecutable(
       // needed for messagepack-java (see https://github.com/msgpack/msgpack-java/issues/600)
       add("--initialize-at-run-time=org.msgpack.core.buffer.DirectBufferAccess")
       add("--no-fallback")
-      add("-Djavax.net.ssl.trustStore=${trustStore.get().asFile}")
-      add("-Djavax.net.ssl.trustStorePassword=$trustStorePassword")
-      add("-Djavax.net.ssl.trustStoreType=PKCS12")
-      // security property "ocsp.enable=true" is set in Main.kt
-      add("-Dcom.sun.net.ssl.checkRevocation=true")
       add("-H:IncludeResources=org/pkl/core/stdlib/.*\\.pkl")
       add("-H:IncludeResources=org/jline/utils/.*")
       add("-H:IncludeResourceBundles=org.pkl.core.errorMessages")
+      add("-H:IncludeResources=org/pkl/commons/cli/PklCARoots.pem")
       add("--macro:truffle")
       add("-H:Class=org.pkl.cli.Main")
       add("-H:Name=${outputFile.get().asFile.name}")