Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: support --use-system-ca on non-Windows and non-macOS #57009

Merged
merged 3 commits into from
Feb 15, 2025
Merged

crypto: support --use-system-ca on non-Windows and non-macOS #57009

merged 3 commits into from
Feb 15, 2025

Conversation

joyeecheung
Copy link
Member

@joyeecheung joyeecheung commented Feb 12, 2025
edited
Loading

crypto: support --use-system-ca on non-Windows and non-macOS

On other platforms, load from the OpenSSL default certificate
file and diretory.
This is different from --use-openssl-ca in that it caches
the certificates on first load, instead of always reading
from disk every time a new root store is needed.

When used together with the statically-linked OpenSSL, the
default configuration usually leads to this behavior:

  • If SSL_CERT_FILE is used, load from SSL_CERT_FILE. Otherwise
    load from /etc/ssl/cert.pem
  • If SSL_CERT_DIR is used, load from all the files under
    SSL_CERT_DIR. Otherwise, load from all the files under
    /etc/ssl/certs

I've only checked Ubuntu and RHEL so far. It may be worth checking whether this works on other popular distributions - from what I can tell, though, it seems the hard-coded configurations always leads to default locations under /etc/ssl/, which seems to be a location that most Linux distros would either use or link to anyway - for example, Ubuntu symlinks all the managed certificates to files under /etc/ssl/certs, while RHEL 9 just bundles all managed certificates to /etc/ssl/certs/ca-bundle.crt, so the current approach would usually just work.

If this somehow turns out to be sufficient, we can come back adding specific fallbacks for other systems similar to what go does which is basically listing all the directories that are known to be used for this purpose - but from what I can tell this can be slow and lead to duplicates since they might get symlinked to each other, so ideally if X509_get_default_cert_dir() and X509_get_default_cert_file() works on a platform, it's better not to look further to avoid unnecessary costs.

There is also the question of whether we should use NSS shared DB, like what Chrome does, but since most command line tools rely on the directory/file-based system-wide storage instead (like go listed above, and e.g. every rust tool using the rustls-native-certs crate), and it seems to be losing the point if we statically link NSS, I didn't go with this route. In any case it seems various distros already consolidates the NSS shared DB somehow into these default locations when they manage their certificate stores, or at least NSS DB can be loaded via environment variable overrides, so the current approach looks good enough.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Feb 12, 2025
@joyeecheung joyeecheung marked this pull request as draft February 12, 2025 01:25
@codecov Codecov
Copy link

codecov bot commented Feb 12, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 2.43902% with 40 lines in your changes missing coverage. Please review.

Project coverage is 89.09%. Comparing base (79f96b6) to head (76aaa29).
Report is 16 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 2.43% 40 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #57009      +/-   ##
==========================================
- Coverage   89.10%   89.09%   -0.02%     
==========================================
  Files         665      665              
  Lines      193203   193245      +42     
  Branches    37220    37223       +3     
==========================================
+ Hits       172158   172167       +9     
- Misses      13771    13807      +36     
+ Partials     7274     7271       -3
Files with missing lines Coverage Δ
src/crypto/crypto_context.cc 65.19% <2.43%> (-2.84%) ⬇️

... and 24 files with indirect coverage changes

@joyeecheung joyeecheung marked this pull request as ready for review February 13, 2025 21:46
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 13, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 13, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65194/

@joyeecheung joyeecheung force-pushed the certs-others branch 2 times, most recently from c78e1bb to 0d6c04a Compare February 13, 2025 23:46
@joyeecheung
crypto: support --use-system-ca on non-Windows and non-macOS
891de46 
On other platforms, load from the OpenSSL default certificate
file and diretory.
This is different from --use-openssl-ca in that it caches
the certificates on first load, instead of always reading
from disk every time a new root store is needed.

When used together with the statically-linked OpenSSL, the
default configuration usually leads to this behavior:

- If SSL_CERT_FILE is used, load from SSL_CERT_FILE. Otherwise
  load from /etc/ssl/cert.pem
- If SSL_CERT_DIR is used, load from all the files under
  SSL_CERT_DIR. Otherwise, load from all the files under
  /etc/ssl/certs
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 13, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 13, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65196/

@joyeecheung
Copy link
Member Author

CI is green. @jasnell @addaleax maybe you'll be interested in reviewing this since you've reviewed support for other systems?

richardlau
richardlau reviewed Feb 14, 2025
View reviewed changes
doc/api/cli.md Outdated Show resolved Hide resolved
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 14, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 14, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65204/

jasnell
jasnell reviewed Feb 15, 2025
View reviewed changes
src/crypto/crypto_context.cc

uv_fs_t stats_req;
auto cleanup_stats =
OnScopeLeave([&stats_req]() { uv_fs_req_cleanup(&stats_req); });
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not for this PR, just thinking out loud... it would be nice if we had smart pointer type wrappers for these so we could simplify this kind of code.

@jasnell
Copy link
Member

jasnell commented Feb 15, 2025

Looks like there's a minor linting issue but otherwise LGTM

@joyeecheung
Copy link
Member Author

joyeecheung commented Feb 15, 2025
edited
Loading

Fixed the linter error (TIL "UNIX" is a trademark but "Unix" isnt?!) 🤯

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 15, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 15, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65221/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65234/

@joyeecheung joyeecheung added commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Feb 15, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 15, 2025
@nodejs-github-bot nodejs-github-bot merged commit 579fc67 into nodejs:main Feb 15, 2025
61 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in 579fc67

targos pushed a commit that referenced this pull request Feb 17, 2025
@joyeecheung @targos
crypto: support --use-system-ca on non-Windows and non-macOS
b50fc42 
On other platforms, load from the OpenSSL default certificate
file and diretory.
This is different from --use-openssl-ca in that it caches
the certificates on first load, instead of always reading
from disk every time a new root store is needed.

When used together with the statically-linked OpenSSL, the
default configuration usually leads to this behavior:

- If SSL_CERT_FILE is used, load from SSL_CERT_FILE. Otherwise
  load from /etc/ssl/cert.pem
- If SSL_CERT_DIR is used, load from all the files under
  SSL_CERT_DIR. Otherwise, load from all the files under
  /etc/ssl/certs

PR-URL: #57009
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasnell jasnell jasnell approved these changes

@richardlau richardlau richardlau approved these changes

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joyeecheung @nodejs-github-bot @jasnell @richardlau