feat: added support for reading certificates from macOS system store #56599
8fd32ce to f3c212c
Would it be possible for someone to re-open the feature request please? #39657. It was closed due to being stale / no progress on it.
Thanks for the reviews all, I'll continue actioning tomorrow.
Some last comments, I think this is getting close. Thanks for following along!
@jasnell does CI need to be triggered on this?
LGTM, thanks!
You'll need this to compile on non-macOS
There are some linter complaints: https://ci.nodejs.org/job/node-test-linter/58612/testReport/junit/-%[email protected]/parallel/test_native_certs_macos_mjs/ you can run make lint-js-fix locally to fix them up.
Can someone re-trigger CI please? I think it'll pass now, although it's a bit hard to follow through from how CI is set up.
Starting a CI to see if there are any errors - though FYI before this can land you'll need to at least reword the first commit message to start with
acfb750 to c8faee8
I think needs retriggering due to rebase to reword commit message
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #56599 +/- ##
==========================================
- Coverage 89.22% 89.22% -0.01%
==========================================
Files 663 663
Lines 191974 191995 +21
Branches 36926 36922 -4
==========================================
+ Hits 171286 171299 +13
- Misses 13561 13565 +4
- Partials 7127 7131 +4
Landed in efe698e
I'm happy to, although it may be a bit before I can get it to the finish; if you want to do it then go for it. It appears to be implemented in OpenJDK in https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp but I haven't checked if it fully works (macOS didn't work with a chain).
Fixes #39657
Builds on #44532 but for macOS
TODO:
- Make it work, it works 🥳
- Review that all CF resources are being appropriately released, I think it's right now
- Review whether and where tests are appropriate - Added although disabled by default

I can take a look at the Windows one after, resolving the conflicts and addressing the review comments as well.
Happy to refactor heavily, I haven't used C++ before and I wrote it initially in Objective-C and ported it across.
This is heavily based upon Chromium and some of OpenJDK along with a PR I have open with OpenJDK
Testing
I'm using https://github.com/timja/openjdk-intermediate-ca-reproducer as a reproducer:
Install the certificates, either by adding to keychain manually (see README) or using /usr/bin/security (see what the test is doing in this PR).
main.js
/Users/$USER/projects/node/out/Release/node --use-system-ca main.js
I've also tested this through a ZScaler MiTM setup.