From dfd842926924e1a637d5cadde6a3697423413a77 Mon Sep 17 00:00:00 2001
From: Christian Meier
Date: Mon, 10 Aug 2015 11:45:55 +0200
Subject: [PATCH] keep in line with MRI if possible

keep the default x509 certs and directories in line with MRI, only if they do not exists fallback on cacerts from the java.home/lib/security/cacerts
fixes #49 and keeps the idea of https://github.com/jruby/jruby-openssl/commit/b914091011bc68d313f6f25a623906057c888874
Sponsored by Lookout Inc.
---
 .../ext/openssl/x509store/X509Utils.java | 46 +++++++++++++++++--
 1 file changed, 41 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java b/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
index 8842152a..1d1ab657 100644
--- a/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
+++ b/src/main/java/org/jruby/ext/openssl/x509store/X509Utils.java
@@ -28,6 +28,7 @@ package org.jruby.ext.openssl.x509store;
+import java.io.File;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.util.Arrays;
@@ -292,13 +293,48 @@ else if ( keyUsage != null && ! keyUsage[5] ) { // KU_KEY_CERT_SIGN
     public static final String X509_PRIVATE_DIR;
     static {
-        OPENSSLDIR = "/usr/local/openssl"; // NOTE: blindly follow?!
+        // roughly following the ideas from https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+        // and falling back to trust store from java to be on the save side
+        // TODO usability in limited environments should be tested/reviewed
         final String JAVA_HOME = SafePropertyAccessor.getProperty("java.home", "");
-        X509_CERT_AREA = JAVA_HOME + "/lib/security";
-        X509_CERT_DIR = X509_CERT_AREA;
-        X509_CERT_FILE = X509_CERT_DIR + "/cacerts";
-        X509_PRIVATE_DIR = "/usr/lib/ssl/private"; // NOTE: blindly follow?!
+
+        // if the default files/dirs exist we use them. with this a switch
+        // from MRI to JRuby produces the same results. otherwise we use the
+        // certs from JAVA_HOME.
+        final String MAYBE_CERT_FILE;
+        final String LINUX_CERT_AREA = "/etc/ssl";
+        final String MACOS_CERT_AREA = "/System/Library/OpenSSL";
+        final String MAYBE_PKI_CERT_FILE = "/etc/pki/tls/certs/ca-bundle.crt";
+        if (new File(LINUX_CERT_AREA).exists()) {
+            X509_CERT_AREA = LINUX_CERT_AREA;
+            X509_CERT_DIR = X509_CERT_AREA + "/certs";
+            X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
+            MAYBE_CERT_FILE = X509_CERT_DIR + "/cert.pem";
+        }
+        else if (new File(MACOS_CERT_AREA).exists()) {
+            X509_CERT_AREA = MACOS_CERT_AREA;
+            X509_CERT_DIR = X509_CERT_AREA + "/certs";
+            X509_PRIVATE_DIR = X509_CERT_AREA + "/private";
+            MAYBE_CERT_FILE = X509_CERT_AREA + "/cert.pem";
+        }
+        else {
+            X509_CERT_AREA = JAVA_HOME + "/lib/security";
+            X509_CERT_DIR = X509_CERT_AREA;
+            X509_PRIVATE_DIR = X509_CERT_AREA;
+            MAYBE_CERT_FILE = MAYBE_PKI_CERT_FILE;
+        }
+        if (new File(MAYBE_PKI_CERT_FILE).exists()) {
+            X509_CERT_FILE = MAYBE_PKI_CERT_FILE;
+        }
+        else if (new File(MAYBE_CERT_FILE).exists()) {
+            X509_CERT_FILE = MAYBE_CERT_FILE;
+        }
+        else {
+            X509_CERT_FILE = JAVA_HOME + "/lib/security/cacerts";
+        }
+        // keep it with some meaninful content as it is a public constant
+        OPENSSLDIR = X509_CERT_AREA;
     }
     public static final String X509_CERT_DIR_EVP = "SSL_CERT_DIR";