-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: fix missing extra ca in tls.rootCertificates #32075
Conversation
Fixes tls.rootCertificates missing certificates loaded from NODE_EXTRA_CA_CERTS. Fixes: nodejs#32074
@nodejs/crypto |
Seems reasonable to me. I don't think that adding a NL to the PEM is semver-major, particularly since PEM tooling is robust to extra NLs. In other words if people used to be adding a NL while concatenation certs and were getting "END X -----\n-----BEGIN ..." between certs and now get "END X -----\n\n-----BEGIN ...", IMO, the output is still within spec. All bug fixes have a non-zero chance of breaking code which depends on implementation details. |
Looks as though all of the node ASAN builds were failing across the node.js ecosystem when this PR was submitted. Doesn't appear to be related to this PR. |
- Moved X509ToPEM function to node_crypto.cc - Removed braces for single line statements - Modified X509ToPEM so that it throws crypto errors for unexpected OpenSSL errors
Landed in 091444a |
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
Fixes tls.rootCertificates missing certificates loaded from NODE_EXTRA_CA_CERTS.
Fixes: #32074
Potentially contains a semver-major breaking change. Change adheres to all existing specifications, but there is a non-zero risk that callers may have written code that does not expect changes to the contents of the
tls.rootCertificates
array.tls.rootCertificates
now includes certificate loaded fromNODE_EXTRA_CA_CERTS
environment variable.tls.rootCertificates
is now terminated with a\n
line break. This adheres to the PEM file format specification and is generally preferred - many non node.js systems fail if the line-break is not specified.Notes for code reviewers:
X509_STORE*
to ensure thattls.rootCertificates
reflects the true certificates used bySecureContext
and to avoid synchronizing/maintaining a separate variable innode_crypto.cc
.X509ToPEM
function was placed innode_crypto_common.cc
since it pairs with the existingX509ToObject
function.GetRootCertificates
function returns without setting a JavaScript return value when an unexpected error occurs (e.g. error callingPEM_write_bio_X509
). This was done to remain consistent with the previous implementation ofGetRootCertificates
.Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes