Skip to content

src: enable X509sToArrayOfStrings to skip errors#61784

Open
StefanStojanovic wants to merge 1 commit intonodejs:mainfrom
JaneaSystems:mefi-cert-fix
Open

src: enable X509sToArrayOfStrings to skip errors#61784
StefanStojanovic wants to merge 1 commit intonodejs:mainfrom
JaneaSystems:mefi-cert-fix

Conversation

@StefanStojanovic
Copy link
Contributor

@StefanStojanovic StefanStojanovic commented Feb 12, 2026

As suggested in the linked issue, this PR relaxes the X509 to PEM conversion by skipping failures for system certs. If conversion fails, Node.js will try to give info about the failed certs if it can. This new behavior is used only on system certs, since for others, the user has control. AFAIK, there is no way to add a reliable test for this, but if someone has an idea, feel free to share it with me.

Fixes: #61636

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 12, 2026

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Feb 12, 2026
@codecov
Copy link

codecov bot commented Feb 12, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 22.58065% with 24 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.72%. Comparing base (9a237cd) to head (88ad793).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 22.58% 22 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #61784      +/-   ##
==========================================
- Coverage   89.73%   89.72%   -0.02%     
==========================================
  Files         675      675              
  Lines      204674   204700      +26     
  Branches    39330    39338       +8     
==========================================
  Hits       183667   183667              
- Misses      13283    13307      +24     
- Partials     7724     7726       +2
Files with missing lines Coverage Δ
src/crypto/crypto_context.cc 69.62% <22.58%> (-1.22%) ⬇️

... and 30 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

addaleax
addaleax reviewed Feb 12, 2026
View reviewed changes
src/crypto/crypto_context.cc
Comment on lines +1103 to +1108
std::string subject_str = "<unknown>";
if (subject_bio) {
auto subject_size =
BIO_get_mem_data(subject_bio.get(), &subject_data);
if (subject_size > 0 && subject_data) {
subject_str = std::string(subject_data, subject_size);
Copy link
Member

@addaleax addaleax Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
std::string subject_str = "<unknown>";
if (subject_bio) {
auto subject_size =
BIO_get_mem_data(subject_bio.get(), &subject_data);
if (subject_size > 0 && subject_data) {
subject_str = std::string(subject_data, subject_size);
std::string_view subject_str = "<unknown>";
if (subject_bio) {
auto subject_size =
BIO_get_mem_data(subject_bio.get(), &subject_data);
if (subject_size > 0 && subject_data) {
subject_str = std::string_view(subject_data, subject_size);

No good reason to do an extra heap allocation here

src/crypto/crypto_context.cc
per_process::Debug(DebugCategory::CRYPTO,
"Skipping system certificate with subject "
"'%s' because X509 to PEM conversion failed\n",
subject_str.c_str());
Copy link
Member

@addaleax addaleax Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
subject_str.c_str());
subject_str);

joyeecheung
joyeecheung reviewed Feb 12, 2026
View reviewed changes
src/crypto/crypto_context.cc
}

if (skipped > 0) {
ProcessEmitWarning(
Copy link
Member

@joyeecheung joyeecheung Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should make this an option to the API instead of unconditionally emitting a warning? So if the user uses tls.getCACertifcate, they can choose warn, ignore, throw (or even get a list of errors on the side) when there's an error in parsing these certificates. For NODE_USE_SYSTEM_CA/--use-system-ca, warn is a sensible behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@addaleax addaleax addaleax left review comments

@joyeecheung joyeecheung joyeecheung left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Improve ergonomics of tls.getCACertificates('system') errors on Windows

4 participants

@StefanStojanovic @nodejs-github-bot @addaleax @joyeecheung