crypto: make --use-system-ca per-env rather than per-process

Aditi-1400 · Aditi-1400 · commit 17dc7de6c4c8 · 2025-12-10T22:38:51.000+05:30
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
@@ -61,7 +61,7 @@ MaybeLocal<Value> GetValidationErrorReason(Environment* env, int err) {
       (err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) ||
       (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
       ((err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) &&
-       !per_process::cli_options->use_system_ca);
+     !env->options()->use_system_ca);
 
   if (suggest_system_ca) {
     reason.append("; if the root CA is installed locally, "
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -873,7 +873,7 @@ static void LoadCACertificates(void* data) {
 
   {
     Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);
-    if (!per_process::cli_options->use_system_ca) {
+    if (!per_process::cli_options->per_isolate->per_env->use_system_ca) {
       return;
     }
   }
@@ -982,7 +982,7 @@ X509_STORE* NewRootCertStore() {
     for (X509* cert : GetBundledRootCertificates()) {
       CHECK_EQ(1, X509_STORE_add_cert(store, cert));
     }
-    if (per_process::cli_options->use_system_ca) {
+    if (per_process::cli_options->per_isolate->per_env->use_system_ca) {
       for (X509* cert : GetSystemStoreCACertificates()) {
         CHECK_EQ(1, X509_STORE_add_cert(store, cert));
       }
diff --git a/src/node.cc b/src/node.cc
@@ -871,15 +871,6 @@ static ExitCode InitializeNodeWithArgsInternal(
   // default value.
   V8::SetFlagsFromString("--rehash-snapshot");
 
-#if HAVE_OPENSSL
-  // TODO(joyeecheung): make this a per-env option and move the normalization
-  // into HandleEnvOptions.
-  std::string use_system_ca;
-  if (credentials::SafeGetenv("NODE_USE_SYSTEM_CA", &use_system_ca) &&
-      use_system_ca == "1") {
-    per_process::cli_options->use_system_ca = true;
-  }
-#endif  // HAVE_OPENSSL
   HandleEnvOptions(per_process::cli_options->per_isolate->per_env);
 
   std::string node_options;
diff --git a/src/node_options.cc b/src/node_options.cc
@@ -1016,6 +1016,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
       &EnvironmentOptions::trace_env_native_stack,
       kAllowedInEnvvar);
 
+  AddOption("--use-system-ca",
+      "use system's CA store",
+      &EnvironmentOptions::use_system_ca,
+      kAllowedInEnvvar);
+
   AddOption(
       "--trace-require-module",
       "Print access to require(esm). Options are 'all' (print all usage) and "
@@ -1356,10 +1361,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
             ,
             &PerProcessOptions::use_openssl_ca,
             kAllowedInEnvvar);
-  AddOption("--use-system-ca",
-            "use system's CA store",
-            &PerProcessOptions::use_system_ca,
-            kAllowedInEnvvar);
   AddOption("--use-bundled-ca",
             "use bundled CA store"
 #if !defined(NODE_OPENSSL_CERT_STORE)
@@ -2098,6 +2099,10 @@ void HandleEnvOptions(std::shared_ptr<EnvironmentOptions> env_options,
 
   env_options->use_env_proxy = opt_getter("NODE_USE_ENV_PROXY") == "1";
 
+  #if HAVE_OPENSSL
+  env_options->use_system_ca = opt_getter("NODE_USE_SYSTEM_CA") == "1";
+  #endif  // HAVE_OPENSSL
+
   if (env_options->redirect_warnings.empty())
     env_options->redirect_warnings = opt_getter("NODE_REDIRECT_WARNINGS");
 }
diff --git a/src/node_options.h b/src/node_options.h
@@ -221,6 +221,7 @@ class EnvironmentOptions : public Options {
   bool trace_env = false;
   bool trace_env_js_stack = false;
   bool trace_env_native_stack = false;
+  bool use_system_ca = false;
   std::string trace_require_module;
   bool extra_info_on_fatal_exception = true;
   std::string unhandled_rejections;
@@ -357,7 +358,6 @@ class PerProcessOptions : public Options {
   bool ssl_openssl_cert_store = false;
 #endif
   bool use_openssl_ca = false;
-  bool use_system_ca = false;
   bool use_bundled_ca = false;
   bool enable_fips_crypto = false;
   bool force_fips_crypto = false;

Original file line number	Diff line number	Diff line change
`@@ -873,7 +873,7 @@ static void LoadCACertificates(void* data) {`
`873`	`873`
`874`	`874`	`{`
`875`	`875`	`Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);`
`876`		`- if (!per_process::cli_options->use_system_ca) {`
	`876`	`+ if (!per_process::cli_options->per_isolate->per_env->use_system_ca) {`
`877`	`877`	`return;`
`878`	`878`	`}`
`879`	`879`	`}`
`@@ -982,7 +982,7 @@ X509_STORE* NewRootCertStore() {`
`982`	`982`	`for (X509* cert : GetBundledRootCertificates()) {`
`983`	`983`	`CHECK_EQ(1, X509_STORE_add_cert(store, cert));`
`984`	`984`	`}`
`985`		`- if (per_process::cli_options->use_system_ca) {`
	`985`	`+ if (per_process::cli_options->per_isolate->per_env->use_system_ca) {`
`986`	`986`	`for (X509* cert : GetSystemStoreCACertificates()) {`
`987`	`987`	`CHECK_EQ(1, X509_STORE_add_cert(store, cert));`
`988`	`988`	`}`