
crypto: support --use-system-ca on Windows #56833

Open · wants to merge 2 commits into main from win-certs

Conversation

@joyeecheung (Member) commented Jan 30, 2025

This patch adds support for --use-system-ca on Windows. The
certificates are collected following Chromium's policy,
though the following are left as TODO and out of this patch.

  • Support for user-added intermediate certificates
  • Support for distrusted certificates

Those aren't typically supported by other runtimes/tools
either, and what's implemented in this patch is sufficient for
enough use cases already.


This PR re-implements #44532 but is based on the support added for macOS in #56599 with the following modifications to match Chromium's policy:

  1. We also collect certificates from the local machine, enterprise policies and trusted people
  2. We check that the extended key usage (if it exists) is suitable for TLS use.

The first commit comes from #56832 to fix a leak from the macOS PR.
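To see which certificates on a given host fall inside the policy the PR description outlines, here is an added PowerShell example; it is not code from the PR or from Node.js. It walks the stores the description names that are reachable from the Cert: drive (Root and TrustedPeople for LocalMachine and CurrentUser), applies the stated EKU rule (no EKU extension, or an EKU that permits TLS server authentication), and separately lists the enterprise (group policy) stores and the CA store of intermediates that the PR says it does not yet collect. The helper name Test-TlsTrustAnchorCandidate and the exact set of OIDs treated as "suitable for TLS use" (id-kp-serverAuth and anyExtendedKeyUsage) are assumptions; the PR text says only that the EKU is checked.

```powershell
# Added example, not from the PR. Lists what --use-system-ca would plausibly pick up on this
# host under the policy the PR describes, and what it would leave out.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$AnyEkuOid     = '2.5.29.37.0'         # anyExtendedKeyUsage; assumed to count as TLS-capable
$EkuExtOid     = '2.5.29.37'           # the extKeyUsage extension itself

# Assumed rule (hypothetical helper): a root with no EKU extension is unrestricted; one with an
# EKU extension must list serverAuth (or anyEKU) to be usable as a TLS trust anchor.
function Test-TlsTrustAnchorCandidate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
    if (-not $ekuExt) { return $true }
    # .Extensions yields the typed X509EnhancedKeyUsageExtension; EnhancedKeyUsages is an OidCollection
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    return [bool](($oids -contains $ServerAuthOid) -or ($oids -contains $AnyEkuOid))
}

# Stores named in the PR description that are reachable through the Cert: drive.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\TrustedPeople', 'Cert:\CurrentUser\TrustedPeople'
)

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            TlsEkuOk   = Test-TlsTrustAnchorCandidate -Cert $_
        }
    }
}

'== Candidates (TlsEkuOk = False would be skipped by the stated EKU check) =='
$report | Sort-Object Store, Subject | Format-Table -AutoSize

# Enterprise / group-policy stores are not exposed on the Cert: drive; certutil can read them.
'== Group policy Root store =='
certutil -grouppolicy -store Root
'== Enterprise Root store =='
certutil -enterprise -store Root

# User-added intermediates live in the CA store, which the PR leaves as TODO: list them so you
# know what this flag will *not* supply to chain building.
'== Intermediates in LocalMachine\CA (not collected by this patch) =='
Get-ChildItem Cert:\LocalMachine\CA -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint | Format-Table -AutoSize
```

Reading the LocalMachine stores does not need an elevated shell. One caveat: Windows also lets an administrator restrict a certificate's purposes through a store property rather than the EKU extension ("Enable only the following purposes" in certmgr); this script reads only the extension, so a certificate restricted that way would still show TlsEkuOk = True here.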

@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Jan 30, 2025
The X509 structures are never freed. Use ncrypto::X509Pointer to
manage them automatically and move the X509* to PEM conversion into
a helper to be reused by integration in other systems.
@joyeecheung joyeecheung force-pushed the win-certs branch 3 times, most recently from c007259 to dc737dd Compare January 30, 2025 19:13
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 30, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 30, 2025

@joyeecheung joyeecheung added the semver-minor PRs that contain new features and should be released in the next minor version. label Jan 30, 2025
@joyeecheung joyeecheung marked this pull request as ready for review January 30, 2025 19:23
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 30, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 30, 2025
codecov bot commented Jan 30, 2025

Codecov Report

Attention: Patch coverage is 0% with 16 lines in your changes missing coverage. Please review.

Project coverage is 89.21%. Comparing base (304bb9c) to head (faf7592).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 0.00% 16 Missing ⚠️
@@           Coverage Diff           @@
##             main   #56833   +/-   ##
=======================================
  Coverage   89.20%   89.21%           
=======================================
  Files         663      663           
  Lines      192012   192028   +16     
  Branches    36929    36931    +2     
=======================================
+ Hits       171286   171319   +33     
- Misses      13582    13595   +13     
+ Partials     7144     7114   -30     
Files with missing lines Coverage Δ
src/crypto/crypto_context.cc 67.49% <0.00%> (-1.20%) ⬇️

... and 31 files with indirect coverage changes

@timja (Contributor) commented Jan 30, 2025

Nice work!

What sort of testing have you done on this? - I see the integration test added

I'll look to get someone on windows behind our ZScaler enterprise setup next week to test it.

(and potentially with https://github.com/timja/openjdk-intermediate-ca-reproducer both root -> leaf and root -> intermediate -> leaf, unless you've tested something similar)

@joyeecheung (Member, Author) commented Jan 31, 2025

> What sort of testing have you done on this? - I see the integration test added

So far only the test I modified in test-native-certs.mjs - basically the same as the macOS test: running it first to see that it fails, then adding that certificate locally to Windows, running the test to see that it works, and removing that certificate. From what I can tell, the real-world use cases I have only require the root CA certificates from either the local machine or the current user to be trusted. I will try verifying it a bit on my end.
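The fail-then-import-then-remove cycle described in the reply above, as an added PowerShell example that is not part of the PR or of the Node.js test suite. It assumes a PEM-encoded test root at .\fixture-root.pem (a constructed fixture) and a hypothetical client script .\client.mjs that opens a TLS connection to a server issued under that root and exits non-zero on handshake failure; the fixture names, the script, and the choice of certutil to populate the CurrentUser Root store are assumptions, not what the PR's test does.

```powershell
# Added example; not the PR's own test. Assumes:
#   .\fixture-root.pem  - PEM root CA of the test server (constructed fixture)
#   .\client.mjs        - hypothetical script: TLS-connects to that server, exits 1 on failure
$ErrorActionPreference = 'Stop'
$RootPem = '.\fixture-root.pem'
$Client  = '.\client.mjs'

# Thumbprint of the fixture root, so exactly that certificate is removed afterwards.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $RootPem).Path)
$thumb = $rootCert.Thumbprint

function Invoke-Client {
    param([string]$Label)
    & node --use-system-ca $Client | Out-Null
    $code = $LASTEXITCODE
    Write-Host ("{0}: node exited {1}" -f $Label, $code)
    return $code
}

# 1. With the root in no system store, the handshake must fail; otherwise the test proves nothing.
$before = Invoke-Client 'before import'
if ($before -eq 0) { throw 'Client succeeded before the root was trusted; check the fixture.' }

# 2. Trust the root for the current user only (no admin rights needed), run again, then remove it.
certutil -user -addstore Root $RootPem | Out-Null
try {
    $after = Invoke-Client 'after import'
    if ($after -ne 0) { throw '--use-system-ca did not pick up the CurrentUser\Root certificate.' }
} finally {
    # Always clean up, even if the run threw, so the test root never lingers as a trust anchor.
    certutil -user -delstore Root $thumb | Out-Null
}
```

Adding to the CurrentUser Root store triggers Windows' "install this CA?" confirmation dialog, so the import step is interactive on a desktop session; the try/finally ensures the fixture root is removed even when the second run fails.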
