-
-
Notifications
You must be signed in to change notification settings - Fork 33.5k
feat: added support for reading certificates from windows system store #44532
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: added support for reading certificates from windows system store #44532
Conversation
Review requested:
|
285a83d
to
f35fe3c
Compare
Related: #39657 (comment) Having such functionality in node isn't completely out of the question but the default behavior should be consistent across platforms, meaning it should almost certainly be opt-in. |
@bnoordhuis Thanks for taking a look at the draft PR. I've taken a quick look at the thread mentioned in your comment. It seems like for windows we can go ahead with the current approach of reading system store and implement the solution behind an opt-in flag. I believe it will be a build-time flag. |
Why not a regular cli option? |
@RaisinTen I choose a build time flag rather than a regular cli option more from my understanding so far. I see a similar use case with node which reads the default OpenSSL cert store for certificates when built with |
@twitharshil that one is actually a runtime flag accompanied by a build time flag. |
193496f
to
87a7def
Compare
Hey @bnoordhuis @RaisinTen |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some comments. I've commented on some of the technical aspects but I'm still on the fence as to whether it's a desirable feature.
Speaking for myself, the fact that so far it's Windows-only counts against it.
src/crypto/crypto_context.cc
Outdated
} | ||
|
||
base64_string_output = "-----BEGIN CERTIFICATE-----\n" + | ||
base64_string_output + "\n-----END CERTIFICATE-----"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This manual formatting of a certificate is kind of questionable. If you have the certificate in DER format, you can pass it to openssl directly:
X509Pointer cert(d2i_X509(nullptr, buf, len));
if (cert) {
// ...
}
openssl has utility functions like X509_print_ex() for formatting it as PEM, which I guess you're doing so they show up in tls.rootCertificates
?
@bnoordhuis I think this feature has been one of the most demanding features for quite some time now. In recent times I worked closely to support these MITM-based proxies environment only for the windows platform so I thought of upstreaming this feature to node. Over the years no one picked up this work, so I believe supporting the windows platform at least is better than nothing? We can iteratively get this done for other platforms as well in separate PRs. I am open if someone else wants to pick this work for macOS & Linux otherwise I will pick it up once I find more time. |
8fce134
to
f61d113
Compare
fed9bf6
to
012f11e
Compare
52fbf17
to
5082ab3
Compare
5082ab3
to
1b0265f
Compare
8493223
to
f17bec7
Compare
69d7cff
to
00f666a
Compare
Hey, @bnoordhuis @jasnell I've addressed the PR comments, can I get another round of review on my PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM but this should probably be reviewed by someone more familiar with the Windows crypto API than I am.
void ReadSystemStoreCertificates( | ||
std::vector<std::string>* system_root_certificates) { | ||
#ifdef _WIN32 | ||
const HCERTSTORE hStore = CertOpenSystemStoreW(0, L"ROOT"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const HCERTSTORE hStore = CertOpenSystemStoreW(0, L"ROOT"); | |
const HCERTSTORE hStore = CertOpenSystemStoreW(nullptr, L"ROOT"); |
Because the first arg is a pointer, right? How likely is it for this method to fail?
while ((certificate_context_ptr = CertEnumCertificatesInStore( | ||
hStore, certificate_context_ptr)) != nullptr) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Prefer something like this for readability reasons:
while ((certificate_context_ptr = CertEnumCertificatesInStore( | |
hStore, certificate_context_ptr)) != nullptr) { | |
for (;;) { | |
certificate_context_ptr = | |
CertEnumCertificatesInStore(hStore, certificate_context_ptr); | |
if (certificate_context_ptr == nullptr) break; |
|
||
bio.reset(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
bio.reset(); |
Not necessary to reset manually, the destructor does that automatically when it goes out of scope.
PEM_read_bio_X509(NodeBIO::NewFixed(root_certs[i], | ||
strlen(root_certs[i])).get(), | ||
nullptr, // no re-use of X509 structure | ||
PEM_read_bio_X509(NodeBIO::NewFixed(combined_root_certs[i].c_str(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PEM_read_bio_X509(NodeBIO::NewFixed(combined_root_certs[i].c_str(), | |
PEM_read_bio_X509(NodeBIO::NewFixed(combined_root_certs[i].data(), |
reinterpret_cast<const uint8_t*>(root_certs[i])) | ||
.ToLocal(&result[i])) { | ||
env->isolate(), | ||
reinterpret_cast<const uint8_t*>(combined_root_certs[i].c_str())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor optimization:
reinterpret_cast<const uint8_t*>(combined_root_certs[i].c_str())) | |
reinterpret_cast<const uint8_t*>(combined_root_certs[i].data()), | |
v8::NewStringType::kNormal, | |
combined_root_certs[i].size()) |
It seems this PR has stalled. @twitharshil Do you plan to finish it? |
I'll take it over. |
@joyeecheung in case you want to pick this up I've pushed a branch here with conflicts resolved: let me know either way |
void ReadSystemStoreCertificates( | ||
std::vector<std::string>* system_root_certificates) { | ||
#ifdef _WIN32 | ||
const HCERTSTORE hStore = CertOpenSystemStoreW(0, L"ROOT"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth taking a look at this change to openjdk and thinking about is the system store enough:
openjdk/jdk@5e5500c
https://bugs.openjdk.org/browse/JDK-6782021
There's also the Jetbrains implementation that accesses a number of stores and aggregates them:
https://github.com/JetBrains/jvm-native-trusted-roots/blob/trunk/src/main/java/org/jetbrains/nativecerts/win32/Crypt32ExtUtil.java#L30-L36
I've had confirmation that the jetbrains one doesn't work with intermediate certificates, awaiting confirmation with the OpenJDK one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To make matters a bit more complex - Windows has this feature of revoking certificates through the "disallowed" store, that Chromium implements, for example https://github.com/chromium/chromium/blob/a5cf86ae718b86764946713e7abae12f1fa42d08/net/cert/internal/trust_store_win.cc#L334
Though I feel that for an initial implementation, not supporting that is fine because apparently many runtimes do not support it either (also we do not respect that when using the bundled certificates, anyway)
@timja I opened #56833 which rewrites the code a bit to make it easier to add more certificates other than the root CA of the current user (what this PR allows). There is a pretty extensive list of stores that Chromium considers that is documented here https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/faq.md#does-the-chrome-certificate-verifier-consider-local-trust-decisions - maybe it's not necessary to implement them all in the first iteration, but it would be nice to follow them all eventually. And to match what Chromium does we should also check that the certificates are configured for TLS use, which I left a TODO there as well, will look into that tomorrow before I open the PR for review. |
@joyeecheung / someone mind closing this? It was resolved as part of #56833 |
#56833 has already landed and released, so I'll close this. Thanks for initiating the work Harshil! :) |
Description of Change
MITM-based proxy environments like ZScaler intercepts the requests sent to a certain endpoint from the user machine and serve a redirect to their own servers ( for eg: https://gateway.zscloud.net/ ) before finally redirecting back to the original endpoint. We have observed root certificates of these proxy vendors present on the user system store. These certificates are needed for the request's SSL certificate verification.
Chrome reads certificates from the system store hence the certificate verification step passes when a request is sent out of the user machine through chrome as a client.
Node uses a statically compiled, hardcoded list of certificate authorities, rather than relying on the system's trust store, hence request going out from node as a client fails at the SSL verification step behind such environments.
This PR targets to read the certificates from the user system store and embed them with the existing list of root certificates with the node.
Note:
These changes will make a huge impact on the applications that use open source projects like electron which uses node in their networking layers.
In my current implementation, I've added logic to read the certificates from the system store and embed it with the existing list together in a single file. I am open to suggestions if we want the certificate read logic to be written somewhere else.
This PR only targets the windows platform for now. All the users from which we collected feedback were windows users only. Changes made in the PR are feature flagged behind a runtime CLI option named
--node-use-system-ca