-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: fix CAs missing from secure contexts #32315
Conversation
/cc @nodejs/crypto PTAL |
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
c351a0e
to
1b0f50b
Compare
@ebickle we've had some changes to CI (specifically removing the ASAN job that failed) so I rebased your PR. Just a heads up in case you go to make changes |
Thanks, appreciate it! |
ping @nodejs/crypto |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I kind of regret addding tls.rootCertificates
and signing off on that other PR if it results in complexity like this...
I have some misgivings about this PR:
-
Ad hoc locking. I don't want to have to re-review whether the locking is sound every time nearby code is changed. (The current code is pretty ad hoc too, I'll give you that.)
-
Performance. Having to lock every time the cert store is queried is a serialization bottleneck, certainly when the critical section contains things like (possibly many) calls to
X509ToPEM()
.
I have some ideas on how to fix that but I'm going to take the Socratic approach first.
I agree. The issue I ran into was that all code paths involving root certificates were readonly other than Solving #32010 requires adding the loaded
Both are imperfect solutions.
This was a memory/perf/code simplicity tradeoff. One alternative would be to copy the
I'm open to reverting/undoing the other PR if it's the best option. We'd still need to look at solving #32010 separately, so quite a bit of the complexity would still remain.
The code could be reverted and documentation changed to indicate it only returns the default root certificates instead of the actual certificates used for verifying peer certificates. It could even be deprecated at that point. Mind you, the reason Take a look at ebickle@b9e0b7a if you have a bit of time. The end result of that commit would be:
|
Adds CAs from NODE_EXTRA_CA_CERTS to root_certs_vector in node_crypto.cc so that the extra certificates are always added to SecureContext instances. tls.rootCertificates restored to previous behavior of returning built-in Node.js certificates when --openssl-use-def-ca-store CLI option is set. Fixes: nodejs#32229 Fixes: nodejs#32010 Refs: nodejs#32075
…bickle/node into fix/missing-rootcertificates-2
Removed extraneous braces and superfluous scope comments.
af49f0a
to
7c337f7
Compare
@bnoordhuis If you have a moment, I'm still curious what your ideas on this are. I'm willing to pull this PR or heavily modify it in favor of a different approach if it's a better for for the Node codebase :) |
Adds CAs from
NODE_EXTRA_CA_CERTS
toroot_certs_vector
innode_crypto.cc
so that the extra certificates are always added to SecureContext instances. The extra certificates were omitted ifcrl
orpfx
were specified as options tocreateSecureContext
.tls.rootCertificates
restored to previous behavior of returning built-in Node.js certificates (+NODE_EXTRA_CA_CERTS
) when--openssl-use-def-ca-store CLI
option orNODE_OPENSSL_SYSTEM_CERT_PATH
compiler define are set.Fixes: #32229
Fixes: #32010
Refs: #32075
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesNotes for reviewers
X509_up_ref
when building theroot_certs_vector
in the oldNewRootCertStore()
function was a double reference counting bug.X509_STORE_add_cert
increments the reference count.root_certs_vector_mutex
lock to an absolute minimum and avoid any unnecessary function calls within the lock.AddCertsFromFile
was changed toAddRootCertsFromFile
to make it possible to directly modifyroot_certs_vector
. The function is not used anywhere else.tls.rootCertificates
returning the built-in node.js root CAs when--openssl-use-def-ca-store
is set was the behavior v13.11.0 and has been restored in this PR. Returning the OpenSSL certificates from the file system caused syncronous IO and leaving the behavior of v13.11.0 of returning a blank array created a high risk of a breaking change and was non-deterministic when a file system certificate was cached.