Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: added support for reading certificates from macOS system store #56599

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat: added support for reading certificates from macOS system store #56599

wants to merge 3 commits into from
+319 −7

Conversation

timja
Copy link

@timja timja commented Jan 14, 2025
edited
Loading

Fixes #39657

Builds on #44532 but for macOS

TODO:

  • Make it work, see review
  • Review that all CF resources are being appropriately released (they probably aren't all atm)
  • Review whether and where tests are appropriate

Happy to refactor heavily, I haven't used c++ before and I wrote it initially in objective c and ported it across.
This is heavily based upon chromium and some of OpenJDK along with a PR I have open with OpenJDK

Testing

I'm using https://github.com/timja/openjdk-intermediate-ca-reproducer as a reproducer:

docker compose up --build

Install the certificates, either by adding to keychain manually (see README) or using /usr/bin/security (see what the test is doing in this PR.

main.js

let resp = await fetch("https://localhost:8443");
console.log(resp.status); // 200
console.log(resp.headers.get("Content-Type")); // "text/html"
console.log(await resp.text()); // "Hello, World!"
/Users/$USER/projects/node/out/Release/node --use-system-ca main.js

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/gyp

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Jan 14, 2025
@timja timja mentioned this pull request Jan 14, 2025
Closed
@timja timja force-pushed the macos-system-ca-support branch from 8fd32ce to f3c212c Compare January 14, 2025 16:32
addaleax
addaleax reviewed Jan 14, 2025
View reviewed changes
src/crypto/crypto_context.cc
ReadSystemStoreCertificates(&combined_root_certs);
}

std::vector<Local<Value>> result(combined_root_certs.size());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be a LocalVector

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to use GitHub's suggestion feature please? I've tried a few options and not quite sure how to make it work.

src/crypto/crypto_context.cc
std::vector<X509*> system_root_certificates_X509;
for (int i = 0; i < count ; ++i) {
SecCertificateRef certRef = (SecCertificateRef) CFArrayGetValueAtIndex(
currAnchors, i);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should use reinterpret_cast

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fails to build with:

../../src/crypto/crypto_context.cc:447:33: error: reinterpret_cast from 'const void *' to 'SecCertificateRef' (aka '__SecCertificate *') casts away qualifiers
  447 |     SecCertificateRef certRef = reinterpret_cast<SecCertificateRef>(CFArrayGetValueAtIndex(

The linter hasn't asked me to change to it and it did in most of the other places.

src/crypto/crypto_context.cc Outdated
Comment on lines 283 to 287
char* issuer = reinterpret_cast<char *>(calloc(resultLen + 1, 1));
BIO_read(bio, issuer, resultLen);
BIO_free_all(bio);

std::string str(issuer);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to doubly allocate the string, doing it like in stdStringFromCF should be fine

@anonrig anonrig requested a review from jasnell January 14, 2025 17:29
@timja
Copy link
Author

timja commented Jan 15, 2025
edited
Loading

Would it be possible for someone to re-open the feature request please? #39657. It was closed due to being stale / no progress on it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@addaleax addaleax addaleax left review comments

@jasnell jasnell Awaiting requested review from jasnell

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow Node to use certificates from the macOS Keychain when making HTTPS requests
3 participants
@timja @nodejs-github-bot @addaleax