crypto: add extra CA certs to all secure contexts
Fixes the NODE_EXTRA_CA_CERTS
root certificates being missing in a SecureContext when the crl
or pfx
options are specified in a call to tls.createSecureContext()
. This was done by loading the NODE_EXTRA_CA_CERTS
into root_certs_vector
, allowing them to be added to secure contexts when NewRootCertStore()
is called.
As part of this change, specifying NODE_EXTRA_CA_CERTS
no longer causes the bundled CA store to be immediately loaded at startup. This improves Node.js startup time and makes the behavior of NODE_EXTRA_CA_CERTS
consistent with the default behavior when NODE_EXTRA_CA_CERTS
is omitted. Although this change effectively reverts #20434 (closed), it does not reintroduce issue #20432 (closed) because the environment variable is read at startup; modifying it at runtime has no effect.
Notes for code reviewers:
-
NewRootStore
now takes anEnvironment*
as a parameter. This was done so thatProcessEmitWarning
could be called when the extra certificates could not be loaded. As a bonus, the warning can now be programatically read via the process warning event. - The new intent of
root_certs_vector
is that it should contain all certificates added toroot_cert_store
, not just the ones loaded fromnode_root_certs.h
. - The existing code contained an incorrect
X509_up_ref
call that resulted in theX509_STORE
's reference count continually increasing. This issue has been resolved.
Fixes: #32010 (closed) Refs: #40524, #23354, #20434 (closed)