tls: add OpenSSL CA lookup to getCACertificates#64269
Conversation
|
Review requested:
|
3bea054 to
e73c4ad
Compare
|
@joyeecheung The existing behavior with OpenSSL CAs is that, during TLS connection setup, OpenSSL performs hash-based lookups for certificates. However, that behavior is not synchronized with what tls.getCACertificates('default') returns. Another possibility would be to allow the default type to accept a second lookup argument, but that seems to duplicate the purpose of adding a separate openssl type. Could you review the code by the way ? I really don't know how to support subject parse which maybe implement a |
There's also NODE_EXTRA_CA_CERTS to consider: // Flags: --use-openssl-ca
tls.getCACertificates('default'); // Either warn or error about no issuer name to filter for
tls.getCACertificates('default', cert); // Does not warn and perform a similar hash lookup for system certs, + extra certs from NODE_EXTRA_CA_CERTS if any
tls.getCACertificates('openssl', cert); // Similar, but no certs from NODE_EXTRA_CA_CERTS |
@joyeecheung |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #64269 +/- ##
==========================================
+ Coverage 90.23% 90.24% +0.01%
==========================================
Files 741 741
Lines 241342 241527 +185
Branches 45474 45522 +48
==========================================
+ Hits 217767 217972 +205
+ Misses 15123 15101 -22
- Partials 8452 8454 +2
🚀 New features to boost your workflow:
|
I think starting with a certificate makes sense (or matches a bit more with what you'd expect from OpenSSL). If anyone requests support for subject name string that can be added later.
I think it's fine to allow that to work without the flag. It should return "what would've been used if the flag is used". |
When OpenSSL is the effective default CA store, TLS clients load issuers
from OpenSSL's default certificate file and hashed directories. However,
tls.getCACertificates('default') did not expose the same store, so its
result did not reflect the certificates available to TLS verification.
OpenSSL certificate directories are indexed by subject hash and are
resolved for a specific issuer. They cannot be represented reliably by
enumerating every file in those directories. Add a cert argument and use
X509_STORE_CTX_get1_issuer() so getCACertificates() follows OpenSSL's
issuer lookup behavior.
Add the "openssl" type to query only OpenSSL's default store. When
OpenSSL is the effective default, make "default" query Node.js' complete
default store so NODE_EXTRA_CA_CERTS is considered as well. Require a
certificate for these lookups because there is no issuer key otherwise.
Accept PEM strings, PEM or DER ArrayBufferViews, and X509Certificate
objects. Detect the effective OpenSSL store so build-time
--openssl-use-def-ca-store configurations behave the same as
--use-openssl-ca. Also split path-delimited OpenSSL certificate
directories when loading system CA certificates.
Add regression coverage for certificate files, hashed directories,
extra CAs, supported input types, invalid input, default-store overrides
,and OpenSSL-backed build configurations.
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
d700f3c to
802bc85
Compare
|
@joyeecheung |
Fixes: #64258