authorKonstantin Khlebnikov <[email protected]>2026-03-11 07:05:54 +0300
committerrobot-piglet <[email protected]>2026-03-11 07:51:34 +0300
commit30e75adce65edfaf782ffdaf713dd0931e58fc83 (patch)
tree5835aa905f9e0db2e1c667349d54b849403100e5 /library/cpp
parent720d7c08939c495a6c6bea8ed6db5d22a4362570 (diff)
Prefer CA bundle set by SSL_CERT_FILE and SSL_CERT_DIR (common part)
- **library/cpp/openssl: prefer CA set by SSL_CERT_FILE and SSL_CERT_DIR** - **contrib/tools/python3: prefer CA set by SSL_CERT_FILE and SSL_CERT_DIR** - **library/python/certifi: prefer CA set by SSL_CERT_FILE and SSL_CERT_DIR** These are the first three commits from PR #1607, split out so that the common part is changed separately. --- Pull Request resolved: https://github.com/ytsaurus/ytsaurus/pull/1635 Co-authored-by: shadchin <[email protected]> Co-authored-by: shadchin <[email protected]> commit_hash:21db0cd5fe3b4af267dcf5ec4d2753fbdd49ba1e
Diffstat (limited to 'library/cpp')
-rw-r--r--library/cpp/openssl/io/stream.cpp35
-rw-r--r--library/cpp/openssl/io/stream.h7
-rw-r--r--library/cpp/openssl/io/ut/builtin_ut.cpp32
3 files changed, 63 insertions, 11 deletions
diff --git a/library/cpp/openssl/io/stream.cpp b/library/cpp/openssl/io/stream.cpp
index 2666988728f..8bfcdce2ebc 100644
--- a/library/cpp/openssl/io/stream.cpp
+++ b/library/cpp/openssl/io/stream.cpp
@@ -3,6 +3,7 @@
#include <util/generic/deque.h>
#include <util/generic/singleton.h>
#include <util/generic/yexception.h>
+#include <util/system/env.h>
#include <library/cpp/openssl/method/io.h>
#include <library/cpp/resource/resource.h>
@@ -180,10 +181,9 @@ namespace {
Y_ENSURE(X509_VERIFY_PARAM_set1_host(param, VerifyCert_->Hostname_.data(), VerifyCert_->Hostname_.size()));
SSL_set_tlsext_host_name(ssl, VerifyCert_->Hostname_.data()); // TLS extenstion: SNI
- SSL_CTX_set_cert_store(Ctx.Get(), GetBuiltinOpenSslX509Store().Release());
+ SSL_CTX_set_cert_store(Ctx.Get(), GetDefaultOpenSslX509Store().Release());
- Y_ENSURE_EX(1 == SSL_CTX_set_default_verify_paths(Ctx.Get()),
- TSslError());
+ // FIXME: This piece seems redundant, but users are unknown.
// it is OK to ignore result of SSL_CTX_load_verify_locations():
// Dir "/etc/ssl/certs/" may be missing
SSL_CTX_load_verify_locations(Ctx.Get(),
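Review bot: After installing the store from GetDefaultOpenSslX509Store(), the SSL_CTX_load_verify_locations() call that follows (its arguments run past the hunk; the comment above names "/etc/ssl/certs/") still adds that directory to the same context, so a deployment that sets SSL_CERT_DIR to narrow trust to a private CA would presumably still trust everything in the system directory — the "prefer" of the commit title becomes "in addition to" at this point. Worth confirming, and if so skipping that call when either variable is set, since the environment override is otherwise only partially honoured. The new FIXME is also too vague to act on; suggest `// FIXME: likely redundant now that GetDefaultOpenSslX509Store() registers OpenSSL's default lookups; kept only because callers depending on this extra directory are unknown.`. The enclosing function starts and ends outside this hunk.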
@@ -230,7 +230,7 @@ namespace {
TSslContextPtr Ctx;
TSslPtr Ssl;
};
-}
+} // namespace
struct TOpenSslClientIO::TImpl: public TSslIO {
inline TImpl(IInputStream* in, IOutputStream* out, const TOptions& opts)
@@ -270,6 +270,8 @@ namespace NPrivate {
}
}
+namespace {
+
class TBuiltinCerts {
public:
TBuiltinCerts() {
@@ -296,9 +298,7 @@ public:
Y_ENSURE_EX(!Certs.empty(), TSslError());
}
- TOpenSslX509StorePtr GetX509Store() const {
- TOpenSslX509StorePtr store(X509_STORE_new());
-
+ void AddCerts(const TOpenSslX509StorePtr& store) const {
for (const TX509Ptr& c : Certs) {
if (0 == X509_STORE_add_cert(store.Get(), c.Get())) {
int err = GetLastSslError();
@@ -309,14 +309,29 @@ public:
}
}
}
-
- return store;
}
private:
TDeque<TX509Ptr> Certs;
};
+} // namespace
+
TOpenSslX509StorePtr GetBuiltinOpenSslX509Store() {
- return Singleton<TBuiltinCerts>()->GetX509Store();
+ TOpenSslX509StorePtr store(X509_STORE_new());
+ Singleton<TBuiltinCerts>()->AddCerts(store);
+ return store;
+}
+
+TOpenSslX509StorePtr GetDefaultOpenSslX509Store() {
+ TOpenSslX509StorePtr store(X509_STORE_new());
+
+ if (!TryGetEnv("SSL_CERT_FILE") && !TryGetEnv("SSL_CERT_DIR")) {
+ Singleton<TBuiltinCerts>()->AddCerts(store);
+ }
+
+ Y_ENSURE_EX(1 == X509_STORE_set_default_paths(store.Get()),
+ TSslError());
+
+ return store;
}
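Review bot: GetDefaultOpenSslX509Store() returns an empty store without any error when SSL_CERT_FILE or SSL_CERT_DIR is set but points nowhere: X509_STORE_set_default_paths() clears the load errors and still returns 1, which is exactly what the new EnvironmentOptions test pins (zero objects, no exception), so a typo in the variable only surfaces later as a peer-verification failure far from its cause. Because the hash-dir lookup loads certificates lazily, an object-count check is not a usable sanity test here; if fail-fast is wanted, an explicit `X509_STORE_load_locations(store.Get(), file, dir)` on the values read from the environment does report a missing path, and otherwise the behaviour should be stated at the declaration in stream.h. A variable exported as an empty string would presumably also skip the builtin bundle while giving OpenSSL nothing loadable — worth a test. Finally, the variable names at the top duplicate what OpenSSL already exposes and the OpensslDefaults test asserts: `TryGetEnv(X509_get_default_cert_file_env())` and `TryGetEnv(X509_get_default_cert_dir_env())` keep the check in sync with the library's own lookup.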
diff --git a/library/cpp/openssl/io/stream.h b/library/cpp/openssl/io/stream.h
index 7bca8f80ef8..0b8746051e2 100644
--- a/library/cpp/openssl/io/stream.h
+++ b/library/cpp/openssl/io/stream.h
@@ -47,4 +47,11 @@ namespace NPrivate {
}
using TOpenSslX509StorePtr = THolder<x509_store_st, NPrivate::TSslDestroy>;
+
TOpenSslX509StorePtr GetBuiltinOpenSslX509Store();
+
+// Builds default Certificate Authority bundle which includes:
+// - builtin "certs/cacert.pem" when SSL_CERT_FILE and SSL_CERT_DIR both unset
+// - SSL_CERT_FILE when set or /usr/local/ssl/cert.pem when unset
+// - SSL_CERT_DIR when set or /usr/local/ssl/certs when unset
+TOpenSslX509StorePtr GetDefaultOpenSslX509Store();
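Review bot: The new comment states the /usr/local/ssl paths as fixed facts, but they are the OPENSSLDIR defaults of the bundled OpenSSL, which the new OpensslDefaults test pins only for this build; this function does not choose them. Suggest `// - SSL_CERT_FILE when set, else X509_get_default_cert_file() (/usr/local/ssl/cert.pem for the bundled OpenSSL)` and the matching wording with X509_get_default_cert_dir() for the directory line, so a reader knows where the values come from when the build changes.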
diff --git a/library/cpp/openssl/io/ut/builtin_ut.cpp b/library/cpp/openssl/io/ut/builtin_ut.cpp
index 987cd084922..fb7adc53157 100644
--- a/library/cpp/openssl/io/ut/builtin_ut.cpp
+++ b/library/cpp/openssl/io/ut/builtin_ut.cpp
@@ -1,9 +1,39 @@
#include <library/cpp/openssl/io/stream.h>
+
#include <library/cpp/testing/unittest/registar.h>
+#include <library/cpp/testing/unittest/gtest.h>
+
+#include <util/system/env.h>
+
+#include <openssl/x509.h>
+
+int GetObjectsCount(const TOpenSslX509StorePtr& store) {
+ return sk_X509_OBJECT_num(X509_STORE_get0_objects(store.Get()));
+}
Y_UNIT_TEST_SUITE(Builtin) {
- Y_UNIT_TEST(Init) {
+ Y_UNIT_TEST(Builtin) {
UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
+ EXPECT_GT(GetObjectsCount(GetBuiltinOpenSslX509Store()), 0);
+ }
+ Y_UNIT_TEST(Default) {
+ UNIT_ASSERT_NO_EXCEPTION(GetDefaultOpenSslX509Store());
+ UNIT_ASSERT_NO_EXCEPTION(GetDefaultOpenSslX509Store());
+ EXPECT_GT(GetObjectsCount(GetDefaultOpenSslX509Store()), 0);
+ }
+ Y_UNIT_TEST(OpensslDefaults) {
+ UNIT_ASSERT_STRINGS_EQUAL(X509_get_default_cert_file(), "/usr/local/ssl/cert.pem");
+ UNIT_ASSERT_STRINGS_EQUAL(X509_get_default_cert_dir(), "/usr/local/ssl/certs");
+ UNIT_ASSERT_STRINGS_EQUAL(X509_get_default_cert_file_env(), "SSL_CERT_FILE");
+ UNIT_ASSERT_STRINGS_EQUAL(X509_get_default_cert_dir_env(), "SSL_CERT_DIR");
+ }
+ Y_UNIT_TEST(EnvironmentOptions) {
+ SetEnv("SSL_CERT_FILE", "_non_existing_file_");
+ SetEnv("SSL_CERT_DIR", "_non_existing_dir_");
+ UNIT_ASSERT_NO_EXCEPTION(GetBuiltinOpenSslX509Store());
+ UNIT_ASSERT_NO_EXCEPTION(GetDefaultOpenSslX509Store());
+ EXPECT_GT(GetObjectsCount(GetBuiltinOpenSslX509Store()), 0);
+ EXPECT_EQ(GetObjectsCount(GetDefaultOpenSslX509Store()), 0);
}
}
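Review bot: EnvironmentOptions sets SSL_CERT_FILE and SSL_CERT_DIR and never restores them, so every test that runs afterwards in the same process sees the poisoned environment; the Default test asserts a non-empty store and would fail if it ran after this one. Save the previous values with TryGetEnv at the start and restore them (or `UnsetEnv`) at the end, ideally from a scope guard so a failing assertion does not leak them either. GetObjectsCount is also a non-static free function in a test TU; making it `static` or putting it in an anonymous namespace avoids an ODR clash with a same-named helper in another test TU linked into the same binary.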