crypto: cleanup root certificates and skip PEM deserialization#56999
Merged
nodejs-github-bot merged 4 commits intonodejs:mainfrom Feb 13, 2025
Merged
crypto: cleanup root certificates and skip PEM deserialization#56999nodejs-github-bot merged 4 commits intonodejs:mainfrom
nodejs-github-bot merged 4 commits intonodejs:mainfrom
Conversation
Member
joyeecheung
commented
Feb 10, 2025
joyeecheung
commented
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly.
- The cached global X509 structures were previously never cleaned up. Clean them up at process teardown.
- Use function-local static to ensure thread-safety in initialization.
- Add more comments about how the various options differ.
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ.
Collaborator
|
Review requested:
|
nodejs-github-bot
added
c++
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #56999 +/- ##
==========================================
- Coverage 89.14% 89.10% -0.04%
==========================================
Files 665 665
Lines 193174 193203 +29
Branches 37189 37226 +37
==========================================
- Hits 172202 172151 -51
- Misses 13735 13764 +29
- Partials 7237 7288 +51
|
addaleax
approved these changes
Feb 11, 2025
Member
Author
|
Fixed a typo and linter/formatter errors. |
This was referenced Feb 12, 2025
github-actions
bot
removed
the
request-ci
Collaborator
Member
Author
|
Fixed without-ssl builds |
github-actions
bot
removed
the
request-ci
Collaborator
anonrig
reviewed
Feb 12, 2025
| size_t bundled_root_cert_count = arraysize(root_certs); | ||
| for (size_t i = 0; i < bundled_root_cert_count; i++) { | ||
| X509* x509 = PEM_read_bio_X509( | ||
| NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])).get(), |
Member
There was a problem hiding this comment.
Can we avoid strlen() from this function somehow?
Member
Author
There was a problem hiding this comment.
I don't think so, not without changing the perl script that generates the root certificates. Note that this code is not new, it just reverts the copying added by #56599 (which still leads to something like strlen in the string constructor). It has been using strlen since Node.js v0.x days or probably ever since Node.js started implementing TLS..(so > 10 years)
|
|
||
| static std::string extra_root_certs_file; // NOLINT(runtime/string) | ||
|
|
||
| static std::atomic<bool> has_cached_bundled_root_certs{false}; |
Member
There was a problem hiding this comment.
Why do we need thread safety here? Wouldn't the bundled root certs be only cached once on the initial boot, or am I missing something here?
Member
Author
There was a problem hiding this comment.
They are initialized when the root store is first used e.g. when a TLS connection is first made. Not when e.g. the program is started to read a file and does not need to use TLS at all. If multiple workers are starting TLS connection at the same time then there can be a race in initialization.
github-actions
bot
removed
the
request-ci
Collaborator
Collaborator
Collaborator
Member
Author
anonrig
approved these changes
Feb 13, 2025
anonrig
added
author ready
joyeecheung
added
the
commit-queue-squash
nodejs-github-bot
removed
the
commit-queue
Collaborator
|
Landed in 79f96b6 |
targos
pushed a commit
that referenced
this pull request
Feb 17, 2025
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ. PR-URL: #56999 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
acidiney
pushed a commit
to acidiney/node
that referenced
this pull request
Feb 23, 2025
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ. PR-URL: nodejs#56999 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
aduh95
pushed a commit
that referenced
this pull request
Apr 2, 2025
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ. PR-URL: #56999 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
aduh95
pushed a commit
that referenced
this pull request
Apr 3, 2025
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ. PR-URL: #56999 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
RafaelGSS
pushed a commit
that referenced
this pull request
Apr 16, 2025
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ. PR-URL: #56999 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
RafaelGSS
pushed a commit
that referenced
this pull request
Apr 17, 2025
- We do not actually need them in PEM format, so just pass them around as X509 direcrtly. - The cached global X509 structures were previously never cleaned up. Clean them up at process teardown. - Use function-local static to ensure thread-safety in initialization. - Add more comments about how the various options differ. PR-URL: #56999 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.