Remove pinned CA file

Author: nickdnk

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 8.x (UNOFFICIAL)
 
+- 8.0.1
+    - Removed pinned [DigiCert High Assurance EV Root CA](https://knowledge.digicert.com/general-information/digicert-trusted-root-authority-certificates).
+OS-supplied CA is now used by default.
+
 - 8.0.0
     - Requires PHP 8.1.
     - Defaults to Facebook Graph v20.0, instead of v2.10 which is no longer accessible.

src/Facebook/HttpClients/FacebookCurlHttpClient.php

@@ -91,9 +91,6 @@ public function openConnection(string $url, string $method, ?string $body, array
             CURLOPT_TIMEOUT => $timeOut,
             CURLOPT_RETURNTRANSFER => true, // Return response as string
             CURLOPT_HEADER => true, // Enable header processing
-            CURLOPT_SSL_VERIFYHOST => 2,
-            CURLOPT_SSL_VERIFYPEER => true,
-            CURLOPT_CAINFO => __DIR__ . '/certs/DigiCertHighAssuranceEVRootCA.pem',
         ];
 
         if ($method !== "GET" && $body) {

src/Facebook/HttpClients/FacebookGuzzleHttpClient.php

@@ -56,7 +56,6 @@ public function send(string $url, string $method, ?string $body, array $headers,
             'timeout'         => $timeOut,
             'http_errors'     => false,
             'connect_timeout' => 10,
-            'verify'          => __DIR__ . '/certs/DigiCertHighAssuranceEVRootCA.pem',
         ];
 
         if ($body) {

src/Facebook/HttpClients/FacebookStreamHttpClient.php

@@ -54,12 +54,6 @@ public function send(string $url, string $method, ?string $body, array $headers,
                 'timeout' => $timeOut,
                 'ignore_errors' => true
             ],
-            'ssl' => [
-                'verify_peer' => true,
-                'verify_peer_name' => true,
-                'allow_self_signed' => true, // All root certificates are self-signed
-                'cafile' => __DIR__ . '/certs/DigiCertHighAssuranceEVRootCA.pem',
-            ],
         ];
 
         $this->facebookStream->streamContextCreate($options);

src/Facebook/HttpClients/certs/DigiCertHighAssuranceEVRootCA.pem

@@ -68,22 +68,14 @@ public function testCanOpenGetCurlConnection(): void
                 }
                 unset($arg[CURLOPT_HTTPHEADER]);
 
-                $caInfo = array_diff($arg, [
+                if (array_diff_assoc($arg, [
                     CURLOPT_CUSTOMREQUEST => 'GET',
                     CURLOPT_URL => 'http://foo.com',
                     CURLOPT_CONNECTTIMEOUT => 10,
                     CURLOPT_TIMEOUT => 123,
                     CURLOPT_RETURNTRANSFER => true,
                     CURLOPT_HEADER => true,
-                    CURLOPT_SSL_VERIFYHOST => 2,
-                    CURLOPT_SSL_VERIFYPEER => true,
-                ]);
-
-                if (count($caInfo) !== 1) {
-                    return false;
-                }
-
-                if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+                ])) {
                     return false;
                 }
 
@@ -111,23 +103,15 @@ public function testCanOpenCurlConnectionWithPostBody(): void
                 }
                 unset($arg[CURLOPT_HTTPHEADER]);
 
-                $caInfo = array_diff($arg, [
+                if (array_diff_assoc($arg, [
                     CURLOPT_CUSTOMREQUEST => 'POST',
                     CURLOPT_URL => 'http://bar.com',
                     CURLOPT_CONNECTTIMEOUT => 10,
                     CURLOPT_TIMEOUT => 60,
                     CURLOPT_RETURNTRANSFER => true,
                     CURLOPT_HEADER => true,
-                    CURLOPT_SSL_VERIFYHOST => 2,
-                    CURLOPT_SSL_VERIFYPEER => true,
                     CURLOPT_POSTFIELDS => 'baz=bar',
-                ]);
-
-                if (count($caInfo) !== 1) {
-                    return false;
-                }
-
-                if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo[CURLOPT_CAINFO])) {
+                ])) {
                     return false;
                 }
 

tests/HttpClients/FacebookCurlHttpClientTest.php

@@ -65,18 +65,12 @@ public function testCanSendNormalRequest()
                 }
                 unset($arg['headers']);
 
-                $caInfo = array_diff_assoc($arg, [
+                if (array_diff_assoc($arg, [
                     'body'            => 'foo_body',
                     'timeout'         => 123,
                     'http_errors'     => false,
                     'connect_timeout' => 10,
-                ]);
-
-                if (count($caInfo) !== 1) {
-                    return false;
-                }
-
-                if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo['verify'])) {
+                ])) {
                     return false;
                 }
 
@@ -108,18 +102,12 @@ public function testThrowsExceptionOnClientError()
                 }
                 unset($arg['headers']);
 
-                $caInfo = array_diff_assoc($arg, [
+                if (array_diff_assoc($arg, [
                     'body'            => 'foo_body',
                     'timeout'         => 60,
                     'http_errors'     => false,
                     'connect_timeout' => 10,
-                ]);
-
-                if (count($caInfo) !== 1) {
-                    return false;
-                }
-
-                if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo['verify'])) {
+                ])) {
                     return false;
                 }
 

tests/HttpClients/FacebookGuzzleHttpClientTest.php

@@ -24,7 +24,6 @@
 namespace Facebook\Tests\HttpClients;
 
 use Facebook\Exceptions\FacebookSDKException;
-use Facebook\Http\GraphRawResponse;
 use Facebook\HttpClients\FacebookStream;
 use Mockery as m;
 use Facebook\HttpClients\FacebookStreamHttpClient;
@@ -57,7 +56,7 @@ public function testCanSendNormalRequest()
             ->shouldReceive('streamContextCreate')
             ->once()
             ->with(m::on(function ($arg) {
-                if (!isset($arg['http']) || !isset($arg['ssl'])) {
+                if (!isset($arg['http'])) {
                     return false;
                 }
 
@@ -72,20 +71,6 @@ public function testCanSendNormalRequest()
                     return false;
                 }
 
-                $caInfo = array_diff_assoc($arg['ssl'], [
-                    'verify_peer' => true,
-                    'verify_peer_name' => true,
-                    'allow_self_signed' => true,
-                ]);
-
-                if (count($caInfo) !== 1) {
-                    return false;
-                }
-
-                if (1 !== preg_match('/.+\/certs\/DigiCertHighAssuranceEVRootCA\.pem$/', $caInfo['cafile'])) {
-                    return false;
-                }
-
                 return true;
             }))
             ->andReturn(null);
@@ -101,7 +86,6 @@ public function testCanSendNormalRequest()
 
         $response = $this->streamClient->send('http://foo.com/', 'GET', 'foo_body', ['X-foo' => 'bar'], 123);
 
-        $this->assertInstanceOf(GraphRawResponse::class, $response);
         $this->assertEquals($this->fakeRawBody, $response->getBody());
         $this->assertEquals($this->fakeHeadersAsArray, $response->getHeaders());
         $this->assertEquals(200, $response->getHttpResponseCode());