tls: Improve getCACertificates() caching and test

Author: haramj

lib/tls.js

@@ -168,6 +168,8 @@ function cacheDefaultCACertificates() {
   return defaultCACertificates;
 }
 
+const certificateCache = { __proto__: null };
+
 function getCACertificates(options = {}) {
   if (typeof options === 'string') {
     options = { type: options };
@@ -177,11 +179,37 @@ function getCACertificates(options = {}) {
 
   const {
     type = 'default',
-    format = 'string',
+    format = 'pem',
   } = options;
 
   validateString(type, 'type');
-  validateOneOf(format, 'format', ['string', 'buffer', 'x509']);
+  validateOneOf(format, 'format', ['pem', 'der', 'x509', 'string', 'buffer']);
+
+  let effectiveFormat = format;
+  if (format === 'string') {
+    effectiveFormat = 'pem';
+  } else if (format === 'buffer') {
+    effectiveFormat = 'der';
+  }
+
+  if (certificateCache[type]) {
+    const cachedCerts = certificateCache[type];
+
+    if (effectiveFormat === 'pem') {
+      return cachedCerts;
+    }
+
+    const buffers = cachedCerts.map((cert) => {
+      const base64 = cert.replace(/(?:\s|-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----)+/g, '');
+      return Buffer.from(base64, 'base64');
+    });
+
+    if (effectiveFormat === 'der') {
+      return buffers;
+    }
+
+    return buffers.map((buf) => new X509Certificate(buf));
+  }
 
   let certs;
   switch (type) {
@@ -192,32 +220,28 @@ function getCACertificates(options = {}) {
     default: throw new ERR_INVALID_ARG_VALUE('type', type);
   }
 
-  if (format === 'string') {
-    // Return PEM strings directly
-    return certs.map((cert) => {
-      if (typeof cert === 'string') return cert;
-      if (Buffer.isBuffer(cert)) return cert.toString('ascii');
-      throw new ERR_INVALID_ARG_VALUE('cert', cert);
-    });
-  }
-
-  const buffers = certs.map((cert) => {
-    if (Buffer.isBuffer(cert)) return cert;
+  const pemCerts = certs.map((cert) => {
     if (typeof cert === 'string') {
-      const base64 = cert
-        .replace(/-----BEGIN CERTIFICATE-----/g, '')
-        .replace(/-----END CERTIFICATE-----/g, '')
-        .replace(/\s+/g, '');
-      return Buffer.from(base64, 'base64');
+      return cert;
     }
-    throw new ERR_INVALID_ARG_VALUE('cert', cert);
+    return `-----BEGIN CERTIFICATE-----\n${cert.toString('base64').match(/.{1,64}/g).join('\n')}\n-----END CERTIFICATE-----`;
+  });
+  certificateCache[type] = pemCerts;
+
+  if (effectiveFormat === 'pem') {
+    return pemCerts;
+  }
+
+  const derBuffers = pemCerts.map((cert) => {
+    const base64 = cert.replace(/(?:\s|-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----)+/g, '');
+    return Buffer.from(base64, 'base64');
   });
 
-  if (format === 'buffer') {
-    return buffers;
+  if (effectiveFormat === 'der') {
+    return derBuffers;
   }
 
-  return buffers.map((buf) => new X509Certificate(buf));
+  return derBuffers.map((buf) => new X509Certificate(buf));
 }
 
 exports.getCACertificates = getCACertificates;

test/parallel/test-tls-get-ca-certificates-bundled.js

@@ -20,3 +20,4 @@ const certs2 = tls.getCACertificates('bundled');
 assertIsCAArray(certs2);
 
 assert.deepStrictEqual(certs2, tls.rootCertificates);
+assert.strictEqual(certs, tls.getCACertificates({ type: 'bundled', format: 'string' }));

test/parallel/test-tls-get-ca-certificates-default.js

@@ -16,7 +16,8 @@ assert.deepStrictEqual(certs, certs2);
 
 assert.deepStrictEqual(certs, tls.getCACertificates({ type: 'default', format: 'string' }));
 
-const certs3 = tls.getCACertificates('bundled');
+const certs3 = tls.getCACertificates('default');
 assertIsCAArray(certs3);
 
 assert.deepStrictEqual(certs3, tls.rootCertificates);
+assert.strictEqual(certs2, tls.getCACertificates({ type: 'default', format: 'string' }));

test/parallel/test-tls-get-ca-certificates-system.js

@@ -31,3 +31,4 @@ const certs = tls.getCACertificates('bundled');
 assertIsCAArray(certs);
 
 assert.deepStrictEqual(certs, tls.rootCertificates);
+assert.strictEqual(systemCerts, tls.getCACertificates({ type: 'system', format: 'string' }));