feat: added support for reading certificates from macOS system store #56599
Conversation
std::vector<X509*> system_root_certificates_X509; | ||
for (int i = 0; i < count ; ++i) { | ||
SecCertificateRef certRef = (SecCertificateRef) CFArrayGetValueAtIndex( | ||
currAnchors, i); |
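Review bot: the loop index in `for (int i = 0; i < count ; ++i)` should be a `CFIndex` rather than an `int`: `CFArrayGetCount` returns `CFIndex` and `CFArrayGetValueAtIndex` takes one, so an `int` index mixes signed widths and needs an implicit conversion on every call. On the cast itself, `CFArrayGetValueAtIndex` returns `const void *`, so the C-style `(SecCertificateRef)` cast discards `const` and reinterprets the pointer in one silent step; spelling out both conversions, `const_cast<void*>` followed by `static_cast<SecCertificateRef>` (a `static_cast` from `void*` to an object pointer type is well defined), documents the intent and avoids the "casts away qualifiers" error that a bare `reinterpret_cast` produces.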
This should use reinterpret_cast
This fails to build with:
../../src/crypto/crypto_context.cc:447:33: error: reinterpret_cast from 'const void *' to 'SecCertificateRef' (aka '__SecCertificate *') casts away qualifiers
447 | SecCertificateRef certRef = reinterpret_cast<SecCertificateRef>(CFArrayGetValueAtIndex(
The linter hasn't asked me to change to it and it did in most of the other places.
Then it's const_cast + reinterpret_cast here, I guess :)
Would it be possible for someone to re-open the feature request please? #39657. It was closed due to being stale / no progress on it.
src/crypto/crypto_context.cc
} | ||
|
||
bool IsSelfSigned(X509* cert) { | ||
auto issuerName = getX509Name(X509_get_issuer_name(cert)); |
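Review bot: `IsSelfSigned` as written only establishes that the certificate is self-issued (issuer name equals subject name), which is a weaker property than self-signed. A certificate whose names match but that was signed by some other key would pass this check and be accepted as a root. If the intent is to admit only genuine roots from the system store, follow the name comparison (`X509_NAME_cmp`, or `X509_check_issued(cert, cert) == X509_V_OK`) with a signature check against the certificate's own key, e.g. `X509_verify(cert, X509_get0_pubkey(cert)) == 1`. Comparing stringified names via `getX509Name` is also lossy compared with `X509_NAME_cmp`, which compares the canonical DER encodings.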
I think you can simply wrap it with an ncrypto::X509View and use getSubject() etc. to get the data and then strncmp the two.
Any pointers? I'm struggling to find an example of where/how one gets an ncrypto::X509View (I'll keep looking though).
I've tried:
  ncrypto::X509View x509_view = ncrypto::X509View::From(cert);
But that takes an SSLPointer&, which I haven't figured out yet.
Using ncrypto::X509View x509_view(cert); seems to compile, although I'm not quite sure on the next steps.
Currently at:
  ncrypto::X509View x509_view(cert);
  auto subject = x509_view.getSubject();
  auto issuer = x509_view.getIssuer();
  if (strncmp(subject, issuer, 30) == 0) {
    fprintf(stderr, "Self-signed certificate detected\n");
    return true;
  } else {
    fprintf(stderr, "Certificate is not self-signed\n");
    return false;
  }
Something like this? 9cb41b0
Not sure why I would strncmp here, as the string could be the same up to a point but still differ after. But I could be misunderstanding.
Actually, I realized that we can simply use X509_NAME_cmp and save all this copying/reading?
Thanks, that's a lot simpler: e525465
combined_root_certs.emplace_back(root_certs[i]); | ||
} | ||
|
||
if (per_process::cli_options->use_system_ca) { |
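Review bot: `--use-system-ca` is a new command-line option, and the hunk only wires it into the trust-store merge; it still needs an entry in `doc/api/cli.md` and in `doc/node.1` next to `--use-openssl-ca`, stating that system-store certificates are appended to `combined_root_certs` after the bundled roots. Reading the flag through `per_process::cli_options` matches the existing `ssl_openssl_cert_store` check in this file, but it also means the option cannot vary per environment, so a short comment at this branch would help the later per-env refactor find the one place where system roots are merged in.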
FWIW existing code in the same area uses per_process for the same thing from my understanding:
node/src/crypto/crypto_context.cc, line 242 in 1238f0a:
  if (per_process::cli_options->ssl_openssl_cert_store == false) {
(I don't know the difference as-of yet though)
Yeah, ideally these should all be per-env configuration options I'd say 👍
Co-authored-by: Joyee Cheung <[email protected]>
Fixes #39657
Builds on #44532 but for macOS
TODO:
- Make it work: it works 🥳
- Review that all CF resources are being appropriately released: I think it's right now
- Review whether and where tests are appropriate: added, although disabled by default

I can take a look at the Windows one after, resolving the conflicts and addressing the review comments as well.
Happy to refactor heavily; I haven't used C++ before, and I wrote it initially in Objective-C and ported it across.
This is heavily based upon chromium and some of OpenJDK along with a PR I have open with OpenJDK
Testing
I'm using https://github.com/timja/openjdk-intermediate-ca-reproducer as a reproducer:
Install the certificates, either by adding them to the keychain manually (see README) or using /usr/bin/security (see what the test is doing in this PR). Then run main.js:
/Users/$USER/projects/node/out/Release/node --use-system-ca main.js
I've also tested this through a Zscaler MITM setup.