Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: cleanup root certificates and skip PEM deserialization #56999

Merged
merged 4 commits into from
Feb 13, 2025
Merged

crypto: cleanup root certificates and skip PEM deserialization #56999

merged 4 commits into from
Feb 13, 2025

Conversation

joyeecheung
Copy link
Member

  • We do not actually need them in PEM format, so just pass them around as X509 direcrtly.
  • The cached global X509 structures were previously never cleaned up. Clean them up at process teardown.
  • Use function-local static to ensure thread-safety in initialization.
  • Add more comments about how the various options differ.

@joyeecheung
crypto: cleanup root certificates and skip PEM deserialization
7585fcf 
- We do not actually need them in PEM format, so just pass them
  around as X509 direcrtly.
- The cached global X509 structures were previously never cleaned
  up. Clean them up at process teardown.
- Use function-local static to ensure thread-safety in
  initialization.
- Add more comments about how the various options differ.
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Feb 10, 2025
@codecov Codecov
Copy link

codecov bot commented Feb 10, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 63.63636% with 24 lines in your changes missing coverage. Please review.

Project coverage is 89.10%. Comparing base (6ba36b4) to head (a27b3cf).
Report is 30 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 63.07% 15 Missing and 9 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #56999      +/-   ##
==========================================
- Coverage   89.14%   89.10%   -0.04%     
==========================================
  Files         665      665              
  Lines      193174   193203      +29     
  Branches    37189    37226      +37     
==========================================
- Hits       172202   172151      -51     
- Misses      13735    13764      +29     
- Partials     7237     7288      +51
Files with missing lines Coverage Δ
src/crypto/crypto_util.h 76.13% <ø> (ø)
src/node.cc 73.57% <100.00%> (+0.03%) ⬆️
src/crypto/crypto_context.cc 68.02% <63.07%> (+0.52%) ⬆️

... and 41 files with indirect coverage changes

@joyeecheung
Copy link
Member Author

Fixed a typo and linter/formatter errors.

This was referenced Feb 12, 2025
Open
Merged
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 12, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 12, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65149/

@joyeecheung
Copy link
Member Author

Fixed without-ssl builds

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 12, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 12, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65158/

anonrig
anonrig reviewed Feb 12, 2025
View reviewed changes
src/crypto/crypto_context.cc Show resolved Hide resolved
src/crypto/crypto_context.cc
size_t bundled_root_cert_count = arraysize(root_certs);
for (size_t i = 0; i < bundled_root_cert_count; i++) {
X509* x509 = PEM_read_bio_X509(
NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])).get(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we avoid strlen() from this function somehow?

Copy link
Member Author

@joyeecheung joyeecheung Feb 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so, not without changing the perl script that generates the root certificates. Note that this code is not new, it just reverts the copying added by #56599 (which still leads to something like strlen in the string constructor). It has been using strlen since Node.js v0.x days or probably ever since Node.js started implementing TLS..(so > 10 years)

src/crypto/crypto_context.cc
@@ -74,6 +73,10 @@ static const char system_cert_path[] = NODE_OPENSSL_SYSTEM_CERT_PATH;

static std::string extra_root_certs_file; // NOLINT(runtime/string)

static std::atomic<bool> has_cached_bundled_root_certs{false};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need thread safety here? Wouldn't the bundled root certs be only cached once on the initial boot, or am I missing something here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are initialized when the root store is first used e.g. when a TLS connection is first made. Not when e.g. the program is started to read a file and does not need to use TLS at all. If multiple workers are starting TLS connection at the same time then there can be a race in initialization.

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 12, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 12, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65166/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65176/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65179/

@joyeecheung
Copy link
Member Author

CI is green. PTAL again, thanks @addaleax @anonrig

@anonrig anonrig added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. labels Feb 13, 2025
@joyeecheung joyeecheung added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Feb 13, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 13, 2025
@nodejs-github-bot nodejs-github-bot merged commit 79f96b6 into nodejs:main Feb 13, 2025
65 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in 79f96b6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@addaleax addaleax addaleax approved these changes

@anonrig anonrig anonrig approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joyeecheung @nodejs-github-bot @addaleax @anonrig