
feat: added support for reading certificates from macOS system store #56599

Merged: 1 commit into nodejs:main from timja:macos-system-ca-support, Jan 28, 2025

Conversation

timja (Contributor) commented Jan 14, 2025

Fixes #39657

Builds on #44532 but for macOS

TODO:

  • Make it work, it works 🥳
  • Review that all CF resources are being appropriately released, I think it's right now
  • Review whether and where tests are appropriate - Added although disabled by default

I can take a look at the Windows one after, resolving the conflicts and addressing the review comments as well.


Happy to refactor heavily, I haven't used C++ before and I wrote it initially in Objective-C and ported it across.
This is heavily based upon Chromium and some of OpenJDK along with a PR I have open with OpenJDK.


Testing

I'm using https://github.com/timja/openjdk-intermediate-ca-reproducer as a reproducer:

docker compose up --build

Install the certificates, either by adding to keychain manually (see README) or using /usr/bin/security (see what the test is doing in this PR).

main.js:

```js
let resp = await fetch("https://localhost:8443");
console.log(resp.status); // 200
console.log(resp.headers.get("Content-Type")); // "text/html"
console.log(await resp.text()); // "Hello, World!"
```

```sh
/Users/$USER/projects/node/out/Release/node --use-system-ca main.js
```

I've also tested this through a Zscaler MITM setup.

nodejs-github-bot (Collaborator): Review requested:

  • @nodejs/crypto
  • @nodejs/gyp

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Jan 14, 2025
@timja timja force-pushed the macos-system-ca-support branch from 8fd32ce to f3c212c Compare January 14, 2025 16:32
(3 review threads on src/crypto/crypto_context.cc, resolved)
@anonrig anonrig requested a review from jasnell January 14, 2025 17:29
timja (Contributor, Author) commented Jan 15, 2025

Would it be possible for someone to re-open the feature request please? #39657. It was closed due to being stale / no progress on it.

(1 review thread on doc/api/tls.md and 3 on src/crypto/crypto_context.cc, resolved)
@timja timja requested review from joyeecheung and addaleax January 15, 2025 17:03
@timja timja marked this pull request as ready for review January 16, 2025 15:22
(10 review threads on src/crypto/crypto_context.cc, resolved)
timja (Contributor, Author) commented Jan 20, 2025

Thanks for the reviews all, I'll continue actioning tomorrow.

@timja timja requested review from jasnell and joyeecheung January 22, 2025 10:44
joyeecheung (Member) left a review:

Some last comments, I think this is getting close. Thanks for following along!

(5 review threads on src/crypto/crypto_context.cc, resolved)
timja (Contributor, Author) commented Jan 27, 2025

@jasnell does CI need to be triggered on this?

@legendecas legendecas added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025
joyeecheung (Member) left a review:

LGTM, thanks!

joyeecheung (Member) left a review:

You'll need this to compile on non-macOS

(2 review threads on src/crypto/crypto_context.cc, resolved)
joyeecheung (Member) commented:

There are some linter complaints: https://ci.nodejs.org/job/node-test-linter/58612/testReport/junit/-%[email protected]/parallel/test_native_certs_macos_mjs/

You can run make lint-js-fix locally to fix them up.

timja (Contributor, Author) commented Jan 27, 2025

Can someone re-trigger CI please?

I think it'll pass now, although it's a bit hard to follow through from how CI is set up.

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025
joyeecheung (Member) commented Jan 27, 2025

Starting a CI to see if there are any errors - though FYI before this can land you'll need to at least reword the first commit message to start with crypto: instead, because feat: is not a valid subsystem - that is what https://github.com/nodejs/node/actions/runs/12998868570/job/36256766869?pr=56599 is complaining about (you might want to squash the commits while you are at it, though it's also fine to leave it stacked as the commit queue is capable of squashing as it lands a PR as well).

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025

@timja timja force-pushed the macos-system-ca-support branch from acfb750 to c8faee8 Compare January 27, 2025 23:21
timja (Contributor, Author) commented Jan 27, 2025

I think it needs retriggering due to the rebase to reword the commit message:

```
Command "git checkout -f acfb75055b4c835487e485935e11ab7159056706" returned status code 128:
18:52:26 stdout: 
18:52:26 stderr: fatal: reference is not a tree: acfb75055b4c835487e485935e11ab7159056706
```

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 28, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 28, 2025

codecov bot commented Jan 28, 2025

Codecov Report

Attention: Patch coverage is 58.33333% with 10 lines in your changes missing coverage. Please review.

Project coverage is 89.22%. Comparing base (50d405a) to head (c8faee8).
Report is 4 commits behind head on main.

Files with missing lines         Patch %   Lines
src/crypto/crypto_context.cc     54.54%    8 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #56599      +/-   ##
==========================================
- Coverage   89.22%   89.22%   -0.01%     
==========================================
  Files         663      663              
  Lines      191974   191995      +21     
  Branches    36926    36922       -4     
==========================================
+ Hits       171286   171299      +13     
- Misses      13561    13565       +4     
- Partials     7127     7131       +4     

Files with missing lines         Coverage Δ
src/node_options.cc              87.96% <100.00%> (+0.01%) ⬆️
src/node_options.h               98.33% <100.00%> (+<0.01%) ⬆️
src/crypto/crypto_context.cc     68.68% <54.54%> (-0.46%) ⬇️

... and 25 files with indirect coverage changes

@joyeecheung joyeecheung added the commit-queue Add this label to land a pull request using GitHub Actions. label Jan 28, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jan 28, 2025
@nodejs-github-bot nodejs-github-bot merged commit efe698e into nodejs:main Jan 28, 2025
61 checks passed
nodejs-github-bot (Collaborator): Landed in efe698e

@timja timja deleted the macos-system-ca-support branch January 28, 2025 16:17
@richardlau richardlau added the semver-minor PRs that contain new features and should be released in the next minor version. label Jan 28, 2025
joyeecheung (Member) commented:

@timja Do you plan to implement it on Windows as well? I was thinking about bringing #44532 across the finish line, but if you are planning to implement it for OpenJDK as well, that seems to be a nicer plan to me as we'll also get a bit more eyeballing from OpenJDK people.

timja (Contributor, Author) commented Jan 28, 2025

> @timja Do you plan to implement it on Windows as well?

I'm happy to although may be a bit before I can get it to the finish, if you want to do it then go for it.

It appears to be implemented in OpenJDK in https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp but I haven't checked if it fully works (macOS didn't work with a chain).

Linked issue this pull request may close: #39657 Allow Node to use certificates from the macOS Keychain when making HTTPS requests