
Commit e72749b

AdamMajerMylesBorins
authored andcommitted
crypto: ability to select cert store at runtime
PR-URL: #8334 Backport-PR-URL: #11794 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
1 parent fd9bb56 commit e72749b


5 files changed

+96
-9
lines changed

5 files changed

+96
-9
lines changed

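--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -243,6 +243,24 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
 used to enable FIPS-compliant crypto if Node.js is built with
 `./configure --openssl-fips`.
 
+### `--use-openssl-ca`, `--use-bundled-ca`
+<!-- YAML
+added: REPLACEME
+-->
+
+Use OpenSSL's default CA store or use bundled Mozilla CA store as supplied by
+current NodeJS version. The default store is selectable at build-time.
+
+Using OpenSSL store allows for external modifications of the store. For most
+Linux and BSD distributions, this store is maintained by the distribution
+maintainers and system administrators. OpenSSL CA store location is dependent on
+configuration of the OpenSSL library but this can be altered at runtime using
+environmental variables.
+
+The bundled CA store, as supplied by NodeJS, is a snapshot of Mozilla CA store
+that is fixed at release time. It is identical on all supported platforms.
+
+See `SSL_CERT_DIR` and `SSL_CERT_FILE`.
 
 ### `--icu-data-dir=file`
 <!-- YAML
@@ -340,6 +358,24 @@ used to enable FIPS-compliant crypto if Node.js is built with `./configure
 If the [`--openssl-config`][] command line option is used, the environment
 variable is ignored.
 
+### `SSL_CERT_DIR=dir`
+
+If `--use-openssl-ca` is enabled, this overrides and sets OpenSSL's directory
+containing trusted certificates.
+
+Note: Be aware that unless the child environment is explicitly set, this
+evironment variable will be inherited by any child processes, and if they use
+OpenSSL, it may cause them to trust the same CAs as node.
+
+### `SSL_CERT_FILE=file`
+
+If `--use-openssl-ca` is enabled, this overrides and sets OpenSSL's file
+containing trusted certificates.
+
+Note: Be aware that unless the child environment is explicitly set, this
+evironment variable will be inherited by any child processes, and if they use
+OpenSSL, it may cause them to trust the same CAs as node.
+
 [emit_warning]: process.html#process_process_emitwarning_warning_name_ctor
 [Buffer]: buffer.html#buffer_buffer
 [debugger]: debugger.html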

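--- a/doc/node.1
+++ b/doc/node.1
@@ -172,6 +172,22 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
 used to enable FIPS-compliant crypto if Node.js is built with
 \fB./configure \-\-openssl\-fips\fR.
 
+.TP
+.BR \-\-use\-openssl\-ca,\-\-use\-bundled\-ca
+Use OpenSSL's default CA store or use bundled Mozilla CA store as supplied by
+current NodeJS version. The default store is selectable at build-time.
+
+Using OpenSSL store allows for external modifications of the store. For most
+Linux and BSD distributions, this store is maintained by the distribution
+maintainers and system administrators. OpenSSL CA store location is dependent on
+configuration of the OpenSSL library but this can be altered at runtime using
+environmental variables.
+
+The bundled CA store, as supplied by NodeJS, is a snapshot of Mozilla CA store
+that is fixed at release time. It is identical on all supported platforms.
+
+See \fBSSL_CERT_DIR\fR and \fBSSL_CERT_FILE\fR.
+
 .TP
 .BR \-\-icu\-data\-dir =\fIfile\fR
 Specify ICU data load path. (overrides \fBNODE_ICU_DATA\fR)
@@ -216,6 +232,7 @@ Setting this will void any guarantee that stdio will not be interleaved or
 dropped at program exit. \fBAvoid use.\fR
 
 .TP
+
 .BR OPENSSL_CONF = \fIfile\fR
 Load an OpenSSL configuration file on startup. Among other uses, this can be
 used to enable FIPS-compliant crypto if Node.js is built with
@@ -225,6 +242,14 @@ If the
 \fB\-\-openssl\-config\fR
 command line option is used, the environment variable is ignored.
 
+.BR SSL_CERT_DIR = \fIdir\fR
+If \fB\-\-use\-openssl\-ca\fR is enabled, this overrides and sets OpenSSL's directory
+containing trusted certificates.
+
+.TP
+.BR SSL_CERT_FILE = \fIfile\fR
+If \fB\-\-use\-openssl\-ca\fR is enabled, this overrides and sets OpenSSL's
+file containing trusted certificates.
 
 .SH BUGS
 Bugs are tracked in GitHub Issues: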

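--- a/src/node.cc
+++ b/src/node.cc
@@ -174,6 +174,14 @@ static std::string icu_data_dir; // NOLINT(runtime/string)
 bool no_deprecation = false;
 
 #if HAVE_OPENSSL
+// use OpenSSL's cert store instead of bundled certs
+bool ssl_openssl_cert_store =
+#if defined(NODE_OPENSSL_CERT_STORE)
+true;
+#else
+false;
+#endif
+
 # if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
@@ -3685,7 +3693,18 @@ static void PrintHelp() {
 " --v8-options print v8 command line options\n"
 " --v8-pool-size=num set v8's thread pool size\n"
 #if HAVE_OPENSSL
-" --tls-cipher-list=val use an alternative default TLS cipher list\n"
+" --tls-cipher-list=val use an alternative default TLS cipher "
+"list\n"
+" --use-bundled-ca use bundled CA store"
+#if !defined(NODE_OPENSSL_CERT_STORE)
+" (default)"
+#endif
+"\n"
+" --use-openssl-ca use OpenSSL's default CA store"
+#if defined(NODE_OPENSSL_CERT_STORE)
+" (default)"
+#endif
+"\n"
 #if NODE_FIPS_MODE
 " --enable-fips enable FIPS crypto at startup\n"
 " --force-fips force FIPS crypto (cannot be disabled)\n"
@@ -3854,6 +3873,10 @@ static void ParseArgs(int* argc,
 #if HAVE_OPENSSL
 } else if (strncmp(arg, "--tls-cipher-list=", 18) == 0) {
 default_cipher_list = arg + 18;
+} else if (strncmp(arg, "--use-openssl-ca", 16) == 0) {
+ssl_openssl_cert_store = true;
+} else if (strncmp(arg, "--use-bundled-ca", 16) == 0) {
+ssl_openssl_cert_store = false;
 #if NODE_FIPS_MODE
 } else if (strcmp(arg, "--enable-fips") == 0) {
 enable_fips_crypto = true;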
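Review bot: The two new ParseArgs branches match with `strncmp(arg, "--use-openssl-ca", 16)` and `strncmp(arg, "--use-bundled-ca", 16)`, so any argument that merely starts with those sixteen characters (a constructed example: `--use-openssl-ca=no`) is accepted as the flag, and because this switch decides which roots TLS peers are verified against, a mistyped option should be rejected rather than silently honoured. The prefix form is only needed for `--tls-cipher-list=` because a value follows it; the neighbouring `--enable-fips` branch already uses an exact comparison. Change the two conditions to `} else if (strcmp(arg, "--use-openssl-ca") == 0) {` and `} else if (strcmp(arg, "--use-bundled-ca") == 0) {`. ParseArgs begins and ends outside the hunk, so whatever happens to unrecognised arguments there is not visible here.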

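--- a/src/node.h
+++ b/src/node.h
@@ -179,9 +179,12 @@ typedef intptr_t ssize_t;
 namespace node {
 
 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+NODE_EXTERN extern bool ssl_openssl_cert_store;
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
+# endif
 #endif
 
 NODE_EXTERN int Start(int argc, char *argv[]);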
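Review bot: `NODE_EXTERN extern bool ssl_openssl_cert_store;` exports a new mutable trust setting to embedders, but the header says nothing about what it selects or when it is read. A one-line comment would help, e.g. `// true: TLS root store is OpenSSL's default CA paths (SSL_CERT_DIR/SSL_CERT_FILE); false: the bundled Mozilla roots.` The node_crypto.cc hunk reads the flag while building the root store; if that store is created once and reused (not visible on this page), flipping the flag after the first TLS context exists presumably has no effect, which is worth stating so embedders set it before `Start()`.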

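--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -708,14 +708,14 @@ static X509_STORE* NewRootCertStore() {
 }
 
 X509_STORE* store = X509_STORE_new();
-#if defined(NODE_OPENSSL_CERT_STORE)
-X509_STORE_set_default_paths(store);
-#else
-for (X509 *cert : root_certs_vector) {
-X509_up_ref(cert);
-X509_STORE_add_cert(store, cert);
+if (ssl_openssl_cert_store) {
+X509_STORE_set_default_paths(store);
+} else {
+for (X509 *cert : root_certs_vector) {
+X509_up_ref(cert);
+X509_STORE_add_cert(store, cert);
+}
 }
-#endif
 
 return store;
 }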
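Review bot: The return value of `X509_STORE_set_default_paths(store)` in the new `if (ssl_openssl_cert_store)` branch is discarded, so if OpenSSL fails to install its file/directory lookups the function still returns a store with no roots and every later TLS verification fails with a certificate error that points nowhere near the real cause. OpenSSL documents the call as returning 1 on success and 0 on failure, so `CHECK_EQ(X509_STORE_set_default_paths(store), 1);` (or at least a logged error) would surface it at store creation. Note that a missing or empty system store is a different case: the lookups install fine and presumably just find nothing, so that condition is inherent to the option rather than detectable here, and a short comment on the branch saying so would help the next reader. NewRootCertStore begins outside the hunk.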
