src: make --use-system-ca per-env rather than per-process

Aditi-1400 · Aditi-1400 · commit d87558c46c61 · 2025-11-11T15:56:21.000+05:30
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
@@ -61,7 +61,7 @@ MaybeLocal<Value> GetValidationErrorReason(Environment* env, int err) {
       (err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) ||
       (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
       ((err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) &&
-       !per_process::cli_options->use_system_ca);
+     !env->options()->use_system_ca);
 
   if (suggest_system_ca) {
     reason.append("; if the root CA is installed locally, "
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -850,7 +850,7 @@ static void LoadCACertificates(void* data) {
 
   {
     Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);
-    if (!per_process::cli_options->use_system_ca) {
+    if (!per_process::cli_options->per_isolate->per_env->use_system_ca) {
       return;
     }
   }
@@ -959,7 +959,7 @@ X509_STORE* NewRootCertStore() {
     for (X509* cert : GetBundledRootCertificates()) {
       CHECK_EQ(1, X509_STORE_add_cert(store, cert));
     }
-    if (per_process::cli_options->use_system_ca) {
+    if (per_process::cli_options->per_isolate->per_env->use_system_ca) {
       for (X509* cert : GetSystemStoreCACertificates()) {
         CHECK_EQ(1, X509_STORE_add_cert(store, cert));
       }
diff --git a/src/node.cc b/src/node.cc
@@ -871,15 +871,6 @@ static ExitCode InitializeNodeWithArgsInternal(
   // default value.
   V8::SetFlagsFromString("--rehash-snapshot");
 
-#if HAVE_OPENSSL
-  // TODO(joyeecheung): make this a per-env option and move the normalization
-  // into HandleEnvOptions.
-  std::string use_system_ca;
-  if (credentials::SafeGetenv("NODE_USE_SYSTEM_CA", &use_system_ca) &&
-      use_system_ca == "1") {
-    per_process::cli_options->use_system_ca = true;
-  }
-#endif  // HAVE_OPENSSL
   HandleEnvOptions(per_process::cli_options->per_isolate->per_env);
 
   std::string node_options;
diff --git a/src/node_options.cc b/src/node_options.cc
@@ -993,6 +993,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
       &EnvironmentOptions::trace_env_native_stack,
       kAllowedInEnvvar);
 
+  AddOption("--use-system-ca",
+      "use system's CA store",
+      &EnvironmentOptions::use_system_ca,
+      kAllowedInEnvvar);
+
   AddOption(
       "--trace-require-module",
       "Print access to require(esm). Options are 'all' (print all usage) and "
@@ -1332,10 +1337,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
             ,
             &PerProcessOptions::use_openssl_ca,
             kAllowedInEnvvar);
-  AddOption("--use-system-ca",
-            "use system's CA store",
-            &PerProcessOptions::use_system_ca,
-            kAllowedInEnvvar);
   AddOption("--use-bundled-ca",
             "use bundled CA store"
 #if !defined(NODE_OPENSSL_CERT_STORE)
@@ -2074,6 +2075,10 @@ void HandleEnvOptions(std::shared_ptr<EnvironmentOptions> env_options,
 
   env_options->use_env_proxy = opt_getter("NODE_USE_ENV_PROXY") == "1";
 
+  #if HAVE_OPENSSL
+  env_options->use_system_ca = opt_getter("NODE_USE_SYSTEM_CA") == "1";
+  #endif  // HAVE_OPENSSL
+
   if (env_options->redirect_warnings.empty())
     env_options->redirect_warnings = opt_getter("NODE_REDIRECT_WARNINGS");
 }
diff --git a/src/node_options.h b/src/node_options.h
@@ -221,6 +221,7 @@ class EnvironmentOptions : public Options {
   bool trace_env = false;
   bool trace_env_js_stack = false;
   bool trace_env_native_stack = false;
+  bool use_system_ca = false;
   std::string trace_require_module;
   bool extra_info_on_fatal_exception = true;
   std::string unhandled_rejections;
@@ -357,7 +358,6 @@ class PerProcessOptions : public Options {
   bool ssl_openssl_cert_store = false;
 #endif
   bool use_openssl_ca = false;
-  bool use_system_ca = false;
   bool use_bundled_ca = false;
   bool enable_fips_crypto = false;
   bool force_fips_crypto = false;
diff --git a/test/parallel/test-cli-node-options.js b/test/parallel/test-cli-node-options.js
@@ -68,7 +68,7 @@ if (common.hasCrypto) {
   if (!hasOpenSSL3)
     expectNoWorker('--openssl-config=_ossl_cfg', 'B\n');
   if (common.isMacOS) {
-    expectNoWorker('--use-system-ca', 'B\n');
+    expect('--use-system-ca', 'B\n');
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -850,7 +850,7 @@ static void LoadCACertificates(void* data) {`
`850`	`850`
`851`	`851`	`{`
`852`	`852`	`Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);`
`853`		`- if (!per_process::cli_options->use_system_ca) {`
	`853`	`+ if (!per_process::cli_options->per_isolate->per_env->use_system_ca) {`
`854`	`854`	`return;`
`855`	`855`	`}`
`856`	`856`	`}`
`@@ -959,7 +959,7 @@ X509_STORE* NewRootCertStore() {`
`959`	`959`	`for (X509* cert : GetBundledRootCertificates()) {`
`960`	`960`	`CHECK_EQ(1, X509_STORE_add_cert(store, cert));`
`961`	`961`	`}`
`962`		`- if (per_process::cli_options->use_system_ca) {`
	`962`	`+ if (per_process::cli_options->per_isolate->per_env->use_system_ca) {`
`963`	`963`	`for (X509* cert : GetSystemStoreCACertificates()) {`
`964`	`964`	`CHECK_EQ(1, X509_STORE_add_cert(store, cert));`
`965`	`965`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ if (common.hasCrypto) {`
`68`	`68`	`if (!hasOpenSSL3)`
`69`	`69`	`expectNoWorker('--openssl-config=_ossl_cfg', 'B\n');`
`70`	`70`	`if (common.isMacOS) {`
`71`		`- expectNoWorker('--use-system-ca', 'B\n');`
	`71`	`+ expect('--use-system-ca', 'B\n');`
`72`	`72`	`}`
`73`	`73`	`}`
`74`	`74`