@Aditi-1400
Contributor

@Aditi-1400 Aditi-1400 commented Nov 11, 2025

Makes the --use-system-ca option a per-environment option rather than a per-process option so that workers can enable/disable it individually.

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/config
  • @nodejs/crypto
  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Nov 11, 2025
@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from d87558c to 23473b9 Compare November 11, 2025 10:28
@joyeecheung
Member

joyeecheung commented Nov 11, 2025

Hmm, I think this may need more work than just updating the options - the implication of being per-env is that each worker would then be able to toggle this independently. Say when the main thread does not enable it but a worker does, then the worker will have the system CA certs in their default store but the parent doesn't. Can you add a test for this, and the other way around (parent enables it, worker disables it)? My impression is that the default store initialisation code is not yet ready for this and it's still shared across the process (so if a worker enables it, suddenly the parent gets it too, which would be unexpected).

@codecov

codecov bot commented Nov 11, 2025

Codecov Report

❌ Patch coverage is 75.00000% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.76%. Comparing base (37e4004) to head (aa9f038).
⚠️ Report is 37 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/crypto/crypto_context.cc | 71.64% | 9 Missing and 10 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #60678      +/-   ##
==========================================
- Coverage   89.78%   89.76%   -0.02%     
==========================================
  Files         673      674       +1     
  Lines      203775   204104     +329     
  Branches    39166    39230      +64     
==========================================
+ Hits       182956   183221     +265     
- Misses      13139    13205      +66     
+ Partials     7680     7678       -2     

| Files with missing lines | Coverage Δ |
|---|---|
| src/crypto/crypto_common.cc | 77.47% <100.00%> (ø) |
| src/crypto/crypto_context.h | 100.00% <ø> (ø) |
| src/node.cc | 75.93% <ø> (-0.16%) ⬇️ |
| src/node_options.cc | 76.37% <100.00%> (-1.53%) ⬇️ |
| src/node_options.h | 97.89% <100.00%> (ø) |
| src/crypto/crypto_context.cc | 71.17% <71.64%> (+0.34%) ⬆️ |

... and 61 files with indirect coverage changes


@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from f22457c to 780c272 Compare December 2, 2025 14:16
@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 4 times, most recently from 38913f9 to d9fb49d Compare December 12, 2025 18:05
Member

@joyeecheung joyeecheung left a comment

Can you add some tests to test/parallel that check this affects tls.getCACertificates('default') in a worker if tls.getCACertificates('system') returns non-empty in a parent? (if there are no system CAs on the testing machine, then the test can be skipped - that way it can run even without the mock certificates installed)

@Aditi-1400 Aditi-1400 force-pushed the ca-per-env branch 2 times, most recently from 77856be to d8281c4 Compare January 15, 2026 13:56
TLSContext::TLSContext(Side side, const Options& options)
: side_(side), options_(options), ctx_(Initialize()) {}
TLSContext::TLSContext(Environment* env, Side side, const Options& options)
: side_(side), options_(options), env_(env), ctx_(Initialize()) {}
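
Review bot: ctx_(Initialize()) in the three-argument constructor calls a member function from the initializer list, so it only sees a valid env_ if env_ is declared before ctx_ in the class, which these lines do not show. Taking env as a parameter, as in ctx_(Initialize(env)), removes that dependency. If the two-argument constructor stays, env_ has no initializer there and needs a default such as nullptr, plus a check wherever it is read.
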
Member

I think this initialization is buggy, env_ is declared after ctx_, and member initialization order follows declaration order, not the order in this list, so in Initialize(), env_ is not initialized - this can probably be fixed by just passing the env into Initialize instead (which I think is better because it's more explicit), or just switch the declaration order.

Contributor Author

@Aditi-1400 Aditi-1400 Feb 2, 2026

Hmm, from what I see, the env_ is declared before the ctx_. Although, I guess std::string validation_error_ = ""; should be moved above ctx_. But if you prefer, I can change this to pass env into Initialize instead.

https://github.com/nodejs/node/pull/60678/files#diff-60a9b54a19f29bc293435249907efb06e7b900bb4b1036b967634d2fbcf18340R273-R278
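
Added example, not code from this pull request: a small C++ model of the rule discussed in the two comments above, that members are initialized in declaration order whatever the initializer list says, and of the suggested alternative of passing env into Initialize. Env, Logged, InitOrder and the three structs are hypothetical stand-ins, not Node.js types.

```cpp
#include <cstdio>
#include <string>

struct Env { bool use_system_ca; };  // hypothetical stand-in, not a Node.js type
static std::string init_log;  // order in which member initializers ran

template <typename T>
T Logged(const char* name, T value) {
  if (!init_log.empty()) init_log += " -> ";
  init_log += name;
  return value;
}

// The lists below are written env_-first on purpose; -Wreorder reports this.
#pragma GCC diagnostic ignored "-Wreorder"
struct CtxDeclaredFirst {  // ctx_ is declared before env_
  int ctx_;
  Env* env_;
  explicit CtxDeclaredFirst(Env* env)
      : env_(Logged("env_", env)), ctx_(Logged("ctx_", 0)) {}
};

struct EnvDeclaredFirst {  // env_ is declared before ctx_
  Env* env_;
  int ctx_;
  explicit EnvDeclaredFirst(Env* env)
      : env_(Logged("env_", env)), ctx_(Logged("ctx_", Initialize())) {}
  int Initialize() const { return env_->use_system_ca ? 1 : 0; }
};

// Taking env as a parameter makes Initialize() independent of member order.
struct EnvPassedExplicitly {
  int ctx_;
  Env* env_;
  explicit EnvPassedExplicitly(Env* env) : ctx_(Initialize(env)), env_(env) {}
  static int Initialize(Env* env) { return env->use_system_ca ? 1 : 0; }
};

template <typename T>
std::string InitOrder() {
  init_log.clear();
  Env env{true};
  T object(&env);
  return init_log;
}

int main() {
  std::printf("%s\n", InitOrder<CtxDeclaredFirst>().c_str());
  std::printf("%s\n", InitOrder<EnvDeclaredFirst>().c_str());
}
```
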

return root_cert_store;
}
root_cert_store = NewRootCertStore();
root_cert_store = NewRootCertStore(env);
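
Review bot: The assignment root_cert_store = NewRootCertStore(env) sits behind the early return of root_cert_store just above it, so only the first Environment to reach this line has its options applied, and every later caller sharing the variable gets that store regardless of its own --use-system-ca setting. If the variable outlives a single Environment, key the cache on the Environment or on the option value, and cover it with the parent/worker tests requested earlier in this thread.
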
Member

I think this now leaks an X509_STORE for every worker upon shutdown. Previously this was okay because there's only ever one store in the process, but now they come and go with workers. Also, while the Node.js executable doesn't usually do this, embedders (including cctests) reuse a thread for different Environments, so the store may go stale when the thread gets reused by another Environment. This probably fixes it:

Suggested change
root_cert_store = NewRootCertStore(env);
root_cert_store = NewRootCertStore(env);
env->AddCleanupHook([](void* arg) {
if (root_cert_store != nullptr) {
X509_STORE_free(root_cert_store);
root_cert_store = nullptr;
}
}, nullptr);
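
Added example, not code from this pull request: a simplified model of the cached store and of the cleanup hook suggested above, run with two Environments in sequence on one thread. Store, Env, GetOrCreateRootCertStore and RunTwoEnvs are hypothetical stand-ins (Store for X509_STORE), and the cache is assumed to be thread-local.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical model: Store stands in for X509_STORE, Env for an Environment.
struct Store { bool has_system_cas; };
static int live_stores = 0;  // stores allocated and not yet freed

struct Env {
  bool use_system_ca;
  std::vector<void (*)()> cleanup_hooks;
  ~Env() { for (auto hook : cleanup_hooks) hook(); }
};

static thread_local Store* root_cert_store = nullptr;  // assumed per-thread

Store* GetOrCreateRootCertStore(Env* env, bool register_cleanup) {
  if (root_cert_store != nullptr) return root_cert_store;  // cached store wins
  root_cert_store = new Store{env->use_system_ca};
  ++live_stores;
  if (register_cleanup) {
    env->cleanup_hooks.push_back([] {
      delete root_cert_store;
      root_cert_store = nullptr;
      --live_stores;
    });
  }
  return root_cert_store;
}

struct Result { bool saw_system_cas; int stores_left; };

// Two Environments in sequence on one thread; only the first enables system CAs.
Result RunTwoEnvs(bool register_cleanup) {
  delete root_cert_store;  // reset the model between runs
  root_cert_store = nullptr;
  live_stores = 0;
  { Env first{true, {}}; GetOrCreateRootCertStore(&first, register_cleanup); }
  bool seen;
  {
    Env second{false, {}};
    seen = GetOrCreateRootCertStore(&second, register_cleanup)->has_system_cas;
  }
  return {seen, live_stores};
}

int main() {
  Result a = RunTwoEnvs(false), b = RunTwoEnvs(true);
  std::printf("no hook: %d %d\n", a.saw_system_cas, a.stores_left);
  std::printf("hook:    %d %d\n", b.saw_system_cas, b.stores_left);
}
```

Without the hook the second Environment is handed the first one's store, system CAs included, and one store is never freed; with the hook each Environment builds and frees its own.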
