Skip to content

[v6.x backport] src: add openssl-system-ca-path configure option #18173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
danbev wants to merge 14 commits into from
Closed

[v6.x backport] src: add openssl-system-ca-path configure option #18173

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
0a1cc9e
crypto: add randomFill and randomFillSync
evanlucas Dec 9, 2016
c715c1a
doc: improve randomfill and fix broken link
thefourtheye Apr 20, 2017
97c290d
lib: return this from net.Socket.end()
sam-github Jun 5, 2017
5ef33a8
net: return this from getConnections()
sam-github Jun 7, 2017
e48d7df
repl: improve require() autocompletion
aqrln Jul 21, 2017
17fb9fa
console: add console.count() and console.clear()
jasnell Apr 26, 2017
3717b23
dgram: added setMulticastInterface()
lostnet Jul 23, 2016
d3ffbfa
test: crypto createClass instanceof Class
bengl Aug 19, 2016
236fe82
crypto: expose ECDH class
bengl Aug 19, 2016
f1f3377
test: fix flaky test-crypto-classes.js
bengl Sep 28, 2017
2400fc2
tools, build: refactor macOS installer
jpwesselink Sep 4, 2017
7951a33
deps: upgrade libuv to 1.16.1
cjihrig Nov 10, 2017
5f6f460
src: add process.ppid
cjihrig Oct 30, 2017
0bdf6d2
src: add openssl-system-ca-path configure option
danbev Nov 6, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
src: add openssl-system-ca-path configure option 
The motivation for this commit is that we need to specify system CA
certificates when building node. While we are aware of the environment
variable NODE_EXTRA_CA_CERTS this is not a great solution as we build
an RPM and we also don't want users to be able to unset them.

The suggestion is to add a configure time property like this:

--openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH
             Use the specified path to system CA (PEM format) in
             addition to the OpenSSL supplied CA store or compiled-
             in Mozilla CA copy.

Usage example:
$ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt

This would add the specified CA certificates in addition to the ones
already being used.

PR-URL: #16790
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
  • Loading branch information
@danbev
danbev committed Jan 16, 2018
commit 0bdf6d2a90d0eca062ed185cfede5a33a89bada7
8 changes: 8 additions & 0 deletions configure
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,12 @@ parser.add_option('--openssl-use-def-ca-store',
dest='use_openssl_ca_store',
help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')

parser.add_option('--openssl-system-ca-path',
action='store',
dest='openssl_system_ca_path',
help='Use the specified path to system CA (PEM format) in addition to '
'the OpenSSL supplied CA store or compiled-in Mozilla CA copy.')

shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
Expand Down Expand Up @@ -988,6 +994,8 @@ def configure_openssl(o):
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.use_openssl_ca_store:
o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_system_ca_path:
o['variables']['openssl_system_ca_path'] = options.openssl_system_ca_path
o['variables']['node_without_node_options'] = b(options.without_node_options)
if options.without_node_options:
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
Expand Down
10 changes: 10 additions & 0 deletions node.gyp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -231,18 +231,28 @@
'<(SHARED_INTERMEDIATE_DIR)/node_javascript.cc',
],

'variables': {
'openssl_system_ca_path%': '',
},

'defines': [
'NODE_ARCH="<(target_arch)"',
'NODE_PLATFORM="<(OS)"',
'NODE_WANT_INTERNALS=1',
# Warn when using deprecated V8 APIs.
'V8_DEPRECATION_WARNINGS=1',
'NODE_OPENSSL_SYSTEM_CERT_PATH="<(openssl_system_ca_path)"',
],
'conditions': [
[ 'node_shared=="true" and node_module_version!="" and OS!="win"', {
'product_extension': '<(shlib_suffix)',
}]
],
'direct_dependent_settings': {
'defines': [
'NODE_OPENSSL_SYSTEM_CERT_PATH="<(openssl_system_ca_path)"',
],
},
},
{
'target_name': 'mkssldef',
Expand Down
5 changes: 5 additions & 0 deletions src/node_crypto.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,8 @@ static const char* const root_certs[] = {
#include "node_root_certs.h" // NOLINT(build/include_order)
};

static const char system_cert_path[] = NODE_OPENSSL_SYSTEM_CERT_PATH;

static std::string extra_root_certs_file; // NOLINT(runtime/string)

static X509_STORE* root_cert_store;
Expand Down Expand Up @@ -724,6 +726,9 @@ static X509_STORE* NewRootCertStore() {
}

X509_STORE* store = X509_STORE_new();
if (*system_cert_path != '\0') {
X509_STORE_load_locations(store, system_cert_path, nullptr);
}
if (ssl_openssl_cert_store) {
X509_STORE_set_default_paths(store);
} else {
Expand Down
4 changes: 3 additions & 1 deletion test/parallel/test-process-config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,9 @@ if (!fs.existsSync(configPath)) {
let config = fs.readFileSync(configPath, 'utf8');

// Clean up comment at the first line.
config = config.split('\n').slice(1).join('\n').replace(/'/g, '"');
config = config.split('\n').slice(1).join('\n');
config = config.replace(/"/g, '\\"');
config = config.replace(/'/g, '"');
config = JSON.parse(config, function(key, value) {
if (value === 'true') return true;
if (value === 'false') return false;
Expand Down