starred/pkl
1
0
Fork 0
mirror of https://github.com/apple/pkl.git synced 2026-01-11 22:30:54 +01:00
Code Issues 198 Packages Projects Releases 10 Wiki Activity

[PR #378] [CLOSED] Improve handling of CA certificates #528

New Issue
Closed
opened 2025-12-30 01:25:09 +01:00 by adam · 0 comments
adam commented 2025-12-30 01:25:09 +01:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/apple/pkl/pull/378
Author: @odenix
Created: 3/29/2024
Status: Closed

Base: mainHead: improve-certs

📝 Commits (5)

  • 01e3c74 Improve handling of CA certificates
  • 02c72f1 Ensure that OCSP is enabled for all CLIs
  • 85eee8b Remove ability to load CA certificate file via jar: or file: URI
  • e50dbc2 Rename certificateFiles to certificatePaths
  • e4b5823 Fix test

📊 Changes

24 files changed (+159 additions, -323 deletions)

View changed files

📝 docs/modules/pkl-cli/partials/cli-common-options.adoc (+5 -3)
pkl-certs/pkl-certs.gradle.kts (+0 -19)
📝 pkl-cli/pkl-cli.gradle.kts (+36 -1)
📝 pkl-cli/src/certs/PklCARoots.pem (+0 -0)
📝 pkl-cli/src/test/kotlin/org/pkl/cli/CliEvaluatorTest.kt (+3 -6)
📝 pkl-commons-cli/pkl-commons-cli.gradle.kts (+0 -1)
📝 pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliBaseOptions.kt (+17 -14)
📝 pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliMain.kt (+4 -0)
📝 pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/commands/BaseOptions.kt (+1 -1)
📝 pkl-commons-test/pkl-commons-test.gradle.kts (+0 -1)
📝 pkl-commons-test/src/main/kotlin/org/pkl/commons/test/FileTestUtils.kt (+0 -5)
📝 pkl-core/src/main/java/org/pkl/core/http/HttpClient.java (+8 -45)
📝 pkl-core/src/main/java/org/pkl/core/http/HttpClientBuilder.java (+6 -64)
📝 pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java (+22 -25)
📝 pkl-core/src/main/java/org/pkl/core/service/ExecutorSpiImpl.java (+13 -25)
📝 pkl-core/src/main/resources/org/pkl/core/errorMessages.properties (+4 -0)
📝 pkl-core/src/test/kotlin/org/pkl/core/http/HttpClientTest.kt (+8 -46)
📝 pkl-core/src/test/kotlin/org/pkl/core/http/LazyHttpClientTest.kt (+10 -4)
pkl-core/src/test/resources/org/pkl/core/http/brokenCerts.pem (+0 -1)
pkl-core/src/test/resources/org/pkl/core/http/emptyCerts.pem (+0 -0)

...and 4 more files

📄 Description

Instead of bundling Pkl's built-in CA certificates as a class path resource and loading them at runtime, pass them to the native image compiler as the default SSL context's trust store. This results in faster SSL initialization and is more consistent with how default certificates are handled when running on the JVM.

Further related improvements:

  • Change --ca-certificates and corresponding APIs to accept directories in addition to files. Passing a directory has the same effect as passing each of the directory's regular files.
  • Set the ~/.pkl/cacerts CLI default directly in CliBaseOptions.
  • Remove HttpClientBuilder methods addDefaultCliCertificates and addBuiltInCertificates.
  • Remove pkl-certs subproject and the optional dependencies on it.
  • Move PklCARoots.pem to pkl-cli/src/certs.
  • Rename occurrences of certificateFiles to certificatePaths.
  • Fix certificate related error messages that were missing an argument.
  • Prevent PklBugException if initialization of CliBaseOptions.httpClient fails.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/apple/pkl/pull/378 **Author:** [@odenix](https://github.com/odenix) **Created:** 3/29/2024 **Status:** ❌ Closed **Base:** `main` ← **Head:** `improve-certs` --- ### 📝 Commits (5) - [`01e3c74`](https://github.com/apple/pkl/commit/01e3c7427bc41d8c8f4556cb954f5c769a92f224) Improve handling of CA certificates - [`02c72f1`](https://github.com/apple/pkl/commit/02c72f1aa9b282469ded71f443c9a3775a1707c6) Ensure that OCSP is enabled for all CLIs - [`85eee8b`](https://github.com/apple/pkl/commit/85eee8bcfc2dcf5257486bf5ee46a2f1d8157de4) Remove ability to load CA certificate file via jar: or file: URI - [`e50dbc2`](https://github.com/apple/pkl/commit/e50dbc223c0dd9ada1e46932709689e2b5e87dda) Rename certificateFiles to certificatePaths - [`e4b5823`](https://github.com/apple/pkl/commit/e4b5823fee0626a991b3dd22a841a7921c3e9f32) Fix test ### 📊 Changes **24 files changed** (+159 additions, -323 deletions) <details> <summary>View changed files</summary> 📝 `docs/modules/pkl-cli/partials/cli-common-options.adoc` (+5 -3) ➖ `pkl-certs/pkl-certs.gradle.kts` (+0 -19) 📝 `pkl-cli/pkl-cli.gradle.kts` (+36 -1) 📝 `pkl-cli/src/certs/PklCARoots.pem` (+0 -0) 📝 `pkl-cli/src/test/kotlin/org/pkl/cli/CliEvaluatorTest.kt` (+3 -6) 📝 `pkl-commons-cli/pkl-commons-cli.gradle.kts` (+0 -1) 📝 `pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliBaseOptions.kt` (+17 -14) 📝 `pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliMain.kt` (+4 -0) 📝 `pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/commands/BaseOptions.kt` (+1 -1) 📝 `pkl-commons-test/pkl-commons-test.gradle.kts` (+0 -1) 📝 `pkl-commons-test/src/main/kotlin/org/pkl/commons/test/FileTestUtils.kt` (+0 -5) 📝 `pkl-core/src/main/java/org/pkl/core/http/HttpClient.java` (+8 -45) 📝 `pkl-core/src/main/java/org/pkl/core/http/HttpClientBuilder.java` (+6 -64) 📝 `pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java` (+22 -25) 📝 `pkl-core/src/main/java/org/pkl/core/service/ExecutorSpiImpl.java` (+13 -25) 📝 `pkl-core/src/main/resources/org/pkl/core/errorMessages.properties` (+4 -0) 📝 `pkl-core/src/test/kotlin/org/pkl/core/http/HttpClientTest.kt` (+8 -46) 📝 `pkl-core/src/test/kotlin/org/pkl/core/http/LazyHttpClientTest.kt` (+10 -4) ➖ `pkl-core/src/test/resources/org/pkl/core/http/brokenCerts.pem` (+0 -1) ➖ `pkl-core/src/test/resources/org/pkl/core/http/emptyCerts.pem` (+0 -0) _...and 4 more files_ </details> ### 📄 Description Instead of bundling Pkl's built-in CA certificates as a class path resource and loading them at runtime, pass them to the native image compiler as the default SSL context's trust store. This results in faster SSL initialization and is more consistent with how default certificates are handled when running on the JVM. Further related improvements: - Change `--ca-certificates` and corresponding APIs to accept directories in addition to files. Passing a directory has the same effect as passing each of the directory's regular files. - Set the `~/.pkl/cacerts` CLI default directly in `CliBaseOptions`. - Remove HttpClientBuilder methods `addDefaultCliCertificates` and `addBuiltInCertificates`. - Remove pkl-certs subproject and the optional dependencies on it. - Move `PklCARoots.pem` to `pkl-cli/src/certs`. - Rename occurrences of `certificateFiles` to `certificatePaths`. - Fix certificate related error messages that were missing an argument. - Prevent PklBugException if initialization of `CliBaseOptions.httpClient` fails. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
adam added the pull-request label 2025-12-30 01:25:09 +01:00
adam closed this issue 2025-12-30 01:25:09 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
duplicate
enhancement
good first issue
help wanted
pull-request
Mirrored from GitHub Pull Request
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pkl#528
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?