src: make --use-system-ca per-env rather than per-process

Author: Aditi-1400

src/crypto/crypto_context.cc

@@ -101,11 +101,11 @@ static thread_local X509_STORE* root_cert_store = nullptr;
 // from this set.
 static thread_local std::unique_ptr<X509Set> root_certs_from_users;
 
-X509_STORE* GetOrCreateRootCertStore() {
+X509_STORE* GetOrCreateRootCertStore(Environment* env) {
   if (root_cert_store != nullptr) {
     return root_cert_store;
   }
-  root_cert_store = NewRootCertStore();
+  root_cert_store = NewRootCertStore(env);
   return root_cert_store;
 }
 
@@ -861,6 +861,7 @@ static std::vector<X509*>& GetExtraCACertificates() {
 }
 
 static void LoadCACertificates(void* data) {
+  Environment* env = static_cast<Environment*>(data);
   per_process::Debug(DebugCategory::CRYPTO,
                      "Started loading bundled root certificates off-thread\n");
   GetBundledRootCertificates();
@@ -873,7 +874,7 @@ static void LoadCACertificates(void* data) {
 
   {
     Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);
-    if (!per_process::cli_options->per_isolate->per_env->use_system_ca) {
+    if (!env->options()->use_system_ca) {
       return;
     }
   }
@@ -917,7 +918,8 @@ void StartLoadingCertificatesOffThread(
       return;
     }
     tried_cert_loading_off_thread.store(true);
-    int r = uv_thread_create(&cert_loading_thread, LoadCACertificates, nullptr);
+    Environment* env = Environment::GetCurrent(args);
+    int r = uv_thread_create(&cert_loading_thread, LoadCACertificates, env);
     cert_loading_thread_started.store(r == 0);
     if (r != 0) {
       FPrintF(stderr,
@@ -947,13 +949,13 @@ void StartLoadingCertificatesOffThread(
 //    with all the other flags.
 // 7. Certificates from --use-bundled-ca, --use-system-ca and
 //    NODE_EXTRA_CA_CERTS are cached after first load. Certificates
-//    from --use-system-ca are not cached and always reloaded from
+//    from --use-openssl-ca are not cached and always reloaded from
 //    disk.
 // 8. If users have reset the root cert store by calling
 //    tls.setDefaultCACertificates(), the store will be populated with
 //    the certificates provided by users.
 // TODO(joyeecheung): maybe these rules need a bit of consolidation?
-X509_STORE* NewRootCertStore() {
+X509_STORE* NewRootCertStore(Environment* env) {
   X509_STORE* store = X509_STORE_new();
   CHECK_NOT_NULL(store);
 
@@ -982,7 +984,7 @@ X509_STORE* NewRootCertStore() {
     for (X509* cert : GetBundledRootCertificates()) {
       CHECK_EQ(1, X509_STORE_add_cert(store, cert));
     }
-    if (per_process::cli_options->per_isolate->per_env->use_system_ca) {
+    if (env->options()->use_system_ca) {
       for (X509* cert : GetSystemStoreCACertificates()) {
         CHECK_EQ(1, X509_STORE_add_cert(store, cert));
       }
@@ -1189,7 +1191,7 @@ void ResetRootCertStore(const FunctionCallbackInfo<Value>& args) {
 
   // TODO(joyeecheung): we can probably just reset it to nullptr
   // and let the next call to NewRootCertStore() create a new one.
-  root_cert_store = NewRootCertStore();
+  root_cert_store = nullptr;
 }
 
 void GetSystemCACertificates(const FunctionCallbackInfo<Value>& args) {
@@ -1700,11 +1702,12 @@ void SecureContext::SetX509StoreFlag(unsigned long flags) {
 }
 
 X509_STORE* SecureContext::GetCertStoreOwnedByThisSecureContext() {
+  Environment* env = this->env();
   if (own_cert_store_cache_ != nullptr) return own_cert_store_cache_;
 
   X509_STORE* cert_store = SSL_CTX_get_cert_store(ctx_.get());
-  if (cert_store == GetOrCreateRootCertStore()) {
-    cert_store = NewRootCertStore();
+  if (cert_store == GetOrCreateRootCertStore(env)) {
+    cert_store = NewRootCertStore(env);
     SSL_CTX_set_cert_store(ctx_.get(), cert_store);
   }
 
@@ -1777,7 +1780,8 @@ void SecureContext::AddCRL(const FunctionCallbackInfo<Value>& args) {
 
 void SecureContext::SetRootCerts() {
   ClearErrorOnReturn clear_error_on_return;
-  auto store = GetOrCreateRootCertStore();
+  Environment* env = this->env();
+  auto store = GetOrCreateRootCertStore(env);
 
   // Increment reference count so global store is not deleted along with CTX.
   X509_STORE_up_ref(store);

src/crypto/crypto_context.h

@@ -19,9 +19,9 @@ constexpr int kMaxSupportedVersion = TLS1_3_VERSION;
 void GetRootCertificates(
     const v8::FunctionCallbackInfo<v8::Value>& args);
 
-X509_STORE* NewRootCertStore();
+X509_STORE* NewRootCertStore(Environment* env);
 
-X509_STORE* GetOrCreateRootCertStore();
+X509_STORE* GetOrCreateRootCertStore(Environment* env);
 
 ncrypto::BIOPointer LoadBIO(Environment* env, v8::Local<v8::Value> v);
 

src/quic/endpoint.cc

@@ -895,7 +895,7 @@ void Endpoint::Listen(const Session::Options& options) {
                        "not what you want.");
   }
 
-  auto context = TLSContext::CreateServer(options.tls_options);
+  auto context = TLSContext::CreateServer(env(), options.tls_options);
   if (!*context) {
     THROW_ERR_INVALID_STATE(
         env(), "Failed to create TLS context: %s", context->validation_error());
@@ -928,7 +928,7 @@ BaseObjectPtr<Session> Endpoint::Connect(
         config,
         session_ticket.has_value() ? "yes" : "no");
 
-  auto tls_context = TLSContext::CreateClient(options.tls_options);
+  auto tls_context = TLSContext::CreateClient(env(), options.tls_options);
   if (!*tls_context) {
     THROW_ERR_INVALID_STATE(env(),
                             "Failed to create TLS context: %s",

src/quic/tlscontext.cc

@@ -293,16 +293,18 @@ bool OSSLContext::ConfigureClient() const {
 
 // ============================================================================
 
-std::shared_ptr<TLSContext> TLSContext::CreateClient(const Options& options) {
-  return std::make_shared<TLSContext>(Side::CLIENT, options);
+std::shared_ptr<TLSContext> TLSContext::CreateClient(Environment* env,
+                                                     const Options& options) {
+  return std::make_shared<TLSContext>(env, Side::CLIENT, options);
 }
 
-std::shared_ptr<TLSContext> TLSContext::CreateServer(const Options& options) {
-  return std::make_shared<TLSContext>(Side::SERVER, options);
+std::shared_ptr<TLSContext> TLSContext::CreateServer(Environment* env,
+                                                     const Options& options) {
+  return std::make_shared<TLSContext>(env, Side::SERVER, options);
 }
 
-TLSContext::TLSContext(Side side, const Options& options)
-    : side_(side), options_(options), ctx_(Initialize()) {}
+TLSContext::TLSContext(Environment* env, Side side, const Options& options)
+    : side_(side), options_(options), env_(env), ctx_(Initialize()) {}
 
 TLSContext::operator SSL_CTX*() const {
   DCHECK(ctx_);
@@ -460,14 +462,14 @@ SSLCtxPointer TLSContext::Initialize() {
   {
     ClearErrorOnReturn clear_error_on_return;
     if (options_.ca.empty()) {
-      auto store = crypto::GetOrCreateRootCertStore();
+      auto store = crypto::GetOrCreateRootCertStore(env_);
       X509_STORE_up_ref(store);
       SSL_CTX_set_cert_store(ctx.get(), store);
     } else {
       for (const auto& ca : options_.ca) {
         uv_buf_t buf = ca;
         if (buf.len == 0) {
-          auto store = crypto::GetOrCreateRootCertStore();
+          auto store = crypto::GetOrCreateRootCertStore(env_);
           X509_STORE_up_ref(store);
           SSL_CTX_set_cert_store(ctx.get(), store);
         } else {
@@ -477,8 +479,8 @@ SSLCtxPointer TLSContext::Initialize() {
           while (
               auto x509 = X509Pointer(PEM_read_bio_X509_AUX(
                   bio.get(), nullptr, crypto::NoPasswordCallback, nullptr))) {
-            if (cert_store == crypto::GetOrCreateRootCertStore()) {
-              cert_store = crypto::NewRootCertStore();
+            if (cert_store == crypto::GetOrCreateRootCertStore(env_)) {
+              cert_store = crypto::NewRootCertStore(env_);
               SSL_CTX_set_cert_store(ctx.get(), cert_store);
             }
             CHECK_EQ(1, X509_STORE_add_cert(cert_store, x509.get()));
@@ -535,8 +537,8 @@ SSLCtxPointer TLSContext::Initialize() {
       }
 
       X509_STORE* cert_store = SSL_CTX_get_cert_store(ctx.get());
-      if (cert_store == crypto::GetOrCreateRootCertStore()) {
-        cert_store = crypto::NewRootCertStore();
+      if (cert_store == crypto::GetOrCreateRootCertStore(env_)) {
+        cert_store = crypto::NewRootCertStore(env_);
         SSL_CTX_set_cert_store(ctx.get(), cert_store);
       }
 

src/quic/tlscontext.h

@@ -229,10 +229,12 @@ class TLSContext final : public MemoryRetainer,
     std::string ToString() const;
   };
 
-  static std::shared_ptr<TLSContext> CreateClient(const Options& options);
-  static std::shared_ptr<TLSContext> CreateServer(const Options& options);
+  static std::shared_ptr<TLSContext> CreateClient(Environment* env,
+                                                  const Options& options);
+  static std::shared_ptr<TLSContext> CreateServer(Environment* env,
+                                                  const Options& options);
 
-  TLSContext(Side side, const Options& options);
+  TLSContext(Environment* env, Side side, const Options& options);
   DISALLOW_COPY_AND_MOVE(TLSContext)
 
   // Each QUIC Session has exactly one TLSSession. Each TLSSession maintains
@@ -242,6 +244,7 @@ class TLSContext final : public MemoryRetainer,
 
   inline Side side() const { return side_; }
   inline const Options& options() const { return options_; }
+  inline Environment* env() const { return env_; }
   inline operator bool() const { return ctx_ != nullptr; }
   inline operator const ncrypto::SSLCtxPointer&() const { return ctx_; }
 
@@ -269,6 +272,7 @@ class TLSContext final : public MemoryRetainer,
 
   Side side_;
   Options options_;
+  Environment* env_;
   ncrypto::X509Pointer cert_;
   ncrypto::X509Pointer issuer_;
   ncrypto::SSLCtxPointer ctx_;

test/cctest/test_node_crypto.cc

@@ -15,7 +15,7 @@
  */
 TEST(NodeCrypto, NewRootCertStore) {
   node::per_process::cli_options->ssl_openssl_cert_store = true;
-  X509_STORE* store = node::crypto::NewRootCertStore();
+  X509_STORE* store = node::crypto::NewRootCertStore(nullptr);
   ASSERT_TRUE(store);
   ASSERT_EQ(ERR_peek_error(), 0UL) << "NewRootCertStore should not have left "
                                       "any errors on the OpenSSL error stack\n";

test/parallel/test-cli-node-options.js

@@ -68,7 +68,7 @@ if (common.hasCrypto) {
   if (!hasOpenSSL3)
     expectNoWorker('--openssl-config=_ossl_cfg', 'B\n');
   if (common.isMacOS) {
-    expectNoWorker('--use-system-ca', 'B\n');
+    expect('--use-system-ca', 'B\n');
   }
 }
 

test/system-ca/test-use-system-ca-worker-disable.mjs

@@ -0,0 +1,103 @@
+// Flags: --use-system-ca
+
+// Verify that a worker can disable the system CA store while the parent uses it.
+
+import * as common from '../common/index.mjs';
+import assert from 'node:assert/strict';
+import https from 'node:https';
+import fixtures from '../common/fixtures.js';
+import { it, beforeEach, afterEach, describe } from 'node:test';
+import { once } from 'events';
+import {
+  Worker,
+  isMainThread,
+  parentPort,
+  workerData,
+} from 'node:worker_threads';
+
+if (!common.hasCrypto) {
+  common.skip('requires crypto');
+}
+
+// To run this test, the system needs to be configured to trust
+// the CA certificate first (which needs an interactive GUI approval, e.g. TouchID):
+// see the README.md in this folder for instructions on how to do this.
+const handleRequest = (req, res) => {
+  const path = req.url;
+  switch (path) {
+    case '/hello-world':
+      res.writeHead(200);
+      res.end('hello world\n');
+      break;
+    default:
+      common.mustNotCall(`Unexpected path: ${path}`)();
+  }
+};
+
+describe('use-system-ca', function() {
+  async function setupServer(key, cert) {
+    const theServer = https.createServer(
+      {
+        key: fixtures.readKey(key),
+        cert: fixtures.readKey(cert),
+      },
+      handleRequest,
+    );
+    theServer.listen(0);
+    await once(theServer, 'listening');
+
+    return theServer;
+  }
+
+  let server;
+
+  beforeEach(async function() {
+    if (isMainThread) {
+      server = await setupServer('agent8-key.pem', 'agent8-cert.pem');
+    } else {
+      server = undefined;
+    }
+  });
+
+  it('trusts a valid root certificate', async function() {
+    if (isMainThread) {
+      const worker = new Worker(new URL(import.meta.url), {
+        execArgv: ['--no-use-system-ca'],
+        workerData: {
+          url: `https://localhost:${server.address().port}/hello-world`,
+        },
+      });
+      await fetch(`https://localhost:${server.address().port}/hello-world`);
+
+      const [message] = await once(worker, 'message');
+      assert.strictEqual(message.ok, false);
+      assert(
+        message.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' ||
+          message.code === 'SELF_SIGNED_CERT_IN_CHAIN',
+        `Expected certificate verification error but got: ${JSON.stringify(
+          message,
+        )}`,
+      );
+
+      const [exitCode] = await once(worker, 'exit');
+      assert.strictEqual(exitCode, 0);
+    } else {
+      const { url } = workerData;
+      try {
+        const res = await fetch(url);
+        const text = await res.text();
+        parentPort.postMessage({ ok: true, status: res.status, text });
+      } catch (err) {
+        parentPort.postMessage({
+          ok: false,
+          code: err?.cause?.code,
+          message: err.message,
+        });
+      }
+    }
+  });
+
+  afterEach(async function() {
+    server?.close();
+  });
+});