Skip to content

Commit

Permalink
src: add openssl-system-ca-path configure option
Browse files Browse the repository at this point in the history
The motivation for this commit is that we need to specify system CA
certificates when building node. While we are aware of the environment
variable NODE_EXTRA_CA_CERTS this is not a great solution as we build
an RPM and we also don't want users to be able to unset them.

The suggestion is to add a configure time property like this:

--openssl-system-ca-path=OPENSSL_SYSTEM_CA_PATH
             Use the specified path to system CA (PEM format) in
             addition to the OpenSSL supplied CA store or compiled-
             in Mozilla CA copy.

Usage example:
$ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt

This would add the specified CA certificates in addition to the ones
already being used.

PR-URL: #16790
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
  • Loading branch information
danbev authored and evanlucas committed Nov 13, 2017
1 parent 75405a1 commit 0b93bbb
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 1 deletion.
8 changes: 8 additions & 0 deletions configure
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,12 @@ parser.add_option('--openssl-use-def-ca-store',
dest='use_openssl_ca_store',
help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')

parser.add_option('--openssl-system-ca-path',
action='store',
dest='openssl_system_ca_path',
help='Use the specified path to system CA (PEM format) in addition to '
'the OpenSSL supplied CA store or compiled-in Mozilla CA copy.')

shared_optgroup.add_option('--shared-http-parser',
action='store_true',
dest='shared_http_parser',
Expand Down Expand Up @@ -1013,6 +1019,8 @@ def configure_openssl(o):
o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
if options.use_openssl_ca_store:
o['defines'] += ['NODE_OPENSSL_CERT_STORE']
if options.openssl_system_ca_path:
o['variables']['openssl_system_ca_path'] = options.openssl_system_ca_path
o['variables']['node_without_node_options'] = b(options.without_node_options)
if options.without_node_options:
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
Expand Down
11 changes: 11 additions & 0 deletions node.gyp
Original file line number Diff line number Diff line change
Expand Up @@ -297,13 +297,24 @@
'<(SHARED_INTERMEDIATE_DIR)/node_javascript.cc',
],

'variables': {
'openssl_system_ca_path%': '',
},

'defines': [
'NODE_ARCH="<(target_arch)"',
'NODE_PLATFORM="<(OS)"',
'NODE_WANT_INTERNALS=1',
# Warn when using deprecated V8 APIs.
'V8_DEPRECATION_WARNINGS=1',
'NODE_OPENSSL_SYSTEM_CERT_PATH="<(openssl_system_ca_path)"',
],

'direct_dependent_settings': {
'defines': [
'NODE_OPENSSL_SYSTEM_CERT_PATH="<(openssl_system_ca_path)"',
],
},
},
{
'target_name': 'mkssldef',
Expand Down
5 changes: 5 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,8 @@ static const char* const root_certs[] = {
#include "node_root_certs.h" // NOLINT(build/include_order)
};

static const char system_cert_path[] = NODE_OPENSSL_SYSTEM_CERT_PATH;

static std::string extra_root_certs_file; // NOLINT(runtime/string)

static X509_STORE* root_cert_store;
Expand Down Expand Up @@ -799,6 +801,9 @@ static X509_STORE* NewRootCertStore() {
}

X509_STORE* store = X509_STORE_new();
if (*system_cert_path != '\0') {
X509_STORE_load_locations(store, system_cert_path, nullptr);
}
if (ssl_openssl_cert_store) {
X509_STORE_set_default_paths(store);
} else {
Expand Down
4 changes: 3 additions & 1 deletion test/parallel/test-process-config.js
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,9 @@ if (!fs.existsSync(configPath)) {
let config = fs.readFileSync(configPath, 'utf8');

// Clean up comment at the first line.
config = config.split('\n').slice(1).join('\n').replace(/'/g, '"');
config = config.split('\n').slice(1).join('\n');
config = config.replace(/"/g, '\\"');
config = config.replace(/'/g, '"');
config = JSON.parse(config, function(key, value) {
if (value === 'true') return true;
if (value === 'false') return false;
Expand Down

0 comments on commit 0b93bbb

Please sign in to comment.