From 0aa8ac72bad67d5af3f51f62a5fcc541a9a22799 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Wed, 21 Dec 2016 11:16:38 +0100
Subject: [PATCH 1/3] crypto: do not use pointers to std::vector

The pointer to std::vector is unnecessary, so replace it with standard
instance. Also, make the for() loop more readable by using actual type
instead of inferred - there is no readability benefit here from
obfuscating the type.
---
 src/node_crypto.cc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 7b3bc406091494..e4ce65d456f7c9 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -123,7 +123,7 @@ const char* const root_certs[] = {
 std::string extra_root_certs_file;  // NOLINT(runtime/string)
 
 X509_STORE* root_cert_store;
-std::vector<X509*>* root_certs_vector;
+std::vector<X509*> root_certs_vector;
 
 // Just to generate static methods
 template class SSLWrap<TLSWrap>;
@@ -693,9 +693,7 @@ static int X509_up_ref(X509* cert) {
 
 
 static X509_STORE* NewRootCertStore() {
-  if (!root_certs_vector) {
-    root_certs_vector = new std::vector<X509*>;
-
+  if (root_certs_vector.empty()) {
     for (size_t i = 0; i < arraysize(root_certs); i++) {
       BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
       X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
@@ -707,12 +705,12 @@ static X509_STORE* NewRootCertStore() {
         return nullptr;
       }
 
-      root_certs_vector->push_back(x509);
+      root_certs_vector.push_back(x509);
     }
   }
 
   X509_STORE* store = X509_STORE_new();
-  for (auto& cert : *root_certs_vector) {
+  for (X509 *cert : root_certs_vector) {
     X509_up_ref(cert);
     X509_STORE_add_cert(store, cert);
   }

From d1e022847b08e1bea4a8d490640290b865dc6b44 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Wed, 21 Dec 2016 11:16:38 +0100
Subject: [PATCH 2/3] crypto: Use system CAs instead of using bundled ones

NodeJS can already use an external, shared OpenSSL library. This
library knows where to look for OS managed certificates. Allow
a compile-time option to use this CA store by default instead of
using bundled certificates.

In case when using bundled OpenSSL, the paths are also valid for
majority of Linux systems without additional intervention. If
this is not set, we can use SSL_CERT_DIR to point it to correct
location.

Fixes: https://github.com/nodejs/node/issues/3159
PR-URL: https://github.com/nodejs/node/pull/8334
---
 configure          | 7 +++++++
 src/node_crypto.cc | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/configure b/configure
index bf937ca702a550..4cfa1f76ff68f2 100755
--- a/configure
+++ b/configure
@@ -133,6 +133,11 @@ parser.add_option('--openssl-fips',
     dest='openssl_fips',
     help='Build OpenSSL using FIPS canister .o file in supplied folder')
 
+parser.add_option('--openssl-use-def-ca-store',
+    action='store_true',
+    dest='use_openssl_ca_store',
+    help='Use OpenSSL supplied CA store instead of compiled-in Mozilla CA copy.')
+
 shared_optgroup.add_option('--shared-http-parser',
     action='store_true',
     dest='shared_http_parser',
@@ -927,6 +932,8 @@ def configure_openssl(o):
   o['variables']['node_use_openssl'] = b(not options.without_ssl)
   o['variables']['node_shared_openssl'] = b(options.shared_openssl)
   o['variables']['openssl_no_asm'] = 1 if options.openssl_no_asm else 0
+  if options.use_openssl_ca_store:
+    o['defines'] += ['NODE_OPENSSL_CERT_STORE']
   if options.openssl_fips:
     o['variables']['openssl_fips'] = options.openssl_fips
     fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index e4ce65d456f7c9..dcaeed9f52bf05 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -710,10 +710,14 @@ static X509_STORE* NewRootCertStore() {
   }
 
   X509_STORE* store = X509_STORE_new();
+#if defined(NODE_OPENSSL_CERT_STORE)
+  X509_STORE_set_default_paths(store);
+#else
   for (X509 *cert : root_certs_vector) {
     X509_up_ref(cert);
     X509_STORE_add_cert(store, cert);
   }
+#endif
 
   return store;
 }

From 1172288a13eb634bd0ff103a19d3d76ab2db182b Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Wed, 21 Dec 2016 11:16:39 +0100
Subject: [PATCH 3/3] crypto: ability to select cert store at runtime

---
 doc/api/cli.md     | 28 ++++++++++++++++++++++++++++
 doc/node.1         | 25 +++++++++++++++++++++++++
 src/node.cc        | 22 ++++++++++++++++++++++
 src/node.h         |  5 ++++-
 src/node_crypto.cc | 14 +++++++-------
 5 files changed, 86 insertions(+), 8 deletions(-)

diff --git a/doc/api/cli.md b/doc/api/cli.md
index 2000c2b3334b74..c7165112bcc243 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -257,6 +257,24 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
 used to enable FIPS-compliant crypto if Node.js is built with
 `./configure --openssl-fips`.
 
+### `--use-openssl-ca`, `--use-bundled-ca`
+<!-- YAML
+added: REPLACEME
+-->
+
+Use OpenSSL's default CA store or use bundled Mozilla CA store as supplied by
+current NodeJS version. The default store is selectable at build-time.
+
+Using OpenSSL store allows for external modifications of the store. For most
+Linux and BSD distributions, this store is maintained by the distribution
+maintainers and system administrators. OpenSSL CA store location is dependent on
+configuration of the OpenSSL library but this can be altered at runtime using
+environmental variables.
+
+The bundled CA store, as supplied by NodeJS, is a snapshot of Mozilla CA store
+that is fixed at release time. It is identical on all supported platforms.
+
+See `SSL_CERT_DIR` and `SSL_CERT_FILE`.
 
 ### `--icu-data-dir=file`
 <!-- YAML
@@ -340,6 +358,16 @@ misformatted, but any errors are otherwise ignored.
 Note that neither the well known nor extra certificates are used when the `ca`
 options property is explicitly specified for a TLS or HTTPS client or server.
 
+### `SSL_CERT_DIR=dir`
+
+If `--use-openssl-ca` is enabled, this overrides and sets OpenSSL's directory
+containing trusted certificates.
+
+### `SSL_CERT_FILE=file`
+
+If `--use-openssl-ca` is enabled, this overrides and sets OpenSSL's file
+containing trusted certificates.
+
 [emit_warning]: process.html#process_process_emitwarning_warning_name_ctor
 [Buffer]: buffer.html#buffer_buffer
 [debugger]: debugger.html
diff --git a/doc/node.1 b/doc/node.1
index ec41a44c7598c3..0848091ddd50b1 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -171,6 +171,22 @@ Load an OpenSSL configuration file on startup. Among other uses, this can be
 used to enable FIPS-compliant crypto if Node.js is built with
 \fB./configure \-\-openssl\-fips\fR.
 
+.TP
+.BR \-\-use\-openssl\-ca,\-\-use\-bundled\-ca
+Use OpenSSL's default CA store or use bundled Mozilla CA store as supplied by
+current NodeJS version. The default store is selectable at build-time.
+
+Using OpenSSL store allows for external modifications of the store. For most
+Linux and BSD distributions, this store is maintained by the distribution
+maintainers and system administrators. OpenSSL CA store location is dependent on
+configuration of the OpenSSL library but this can be altered at runtime using
+environmental variables.
+
+The bundled CA store, as supplied by NodeJS, is a snapshot of Mozilla CA store
+that is fixed at release time. It is identical on all supported platforms.
+
+See \fBSSL_CERT_DIR\fR and \fBSSL_CERT_FILE\fR.
+
 .TP
 .BR \-\-icu\-data\-dir =\fIfile\fR
 Specify ICU data load path. (overrides \fBNODE_ICU_DATA\fR)
@@ -207,6 +223,15 @@ when outputting to a TTY on platforms which support async stdio.
 Setting this will void any guarantee that stdio will not be interleaved or
 dropped at program exit. \fBAvoid use.\fR
 
+.TP
+.BR SSL_CERT_DIR = \fIdir\fR
+If \fB\-\-use\-openssl\-ca\fR is enabled, this overrides and sets OpenSSL's directory
+containing trusted certificates.
+
+.TP
+.BR SSL_CERT_FILE = \fIfile\fR
+If \fB\-\-use\-openssl\-ca\fR is enabled, this overrides and sets OpenSSL's
+file containing trusted certificates.
 
 .SH BUGS
 Bugs are tracked in GitHub Issues:
diff --git a/src/node.cc b/src/node.cc
index 1302dfed169a18..2bc823b06ab553 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -163,6 +163,14 @@ static const char* icu_data_dir = nullptr;
 bool no_deprecation = false;
 
 #if HAVE_OPENSSL
+// use OpenSSL's cert store instead of bundled certs
+bool ssl_openssl_cert_store =
+#if defined(NODE_OPENSSL_CERT_STORE)
+        true;
+#else
+        false;
+#endif
+
 # if NODE_FIPS_MODE
 // used by crypto module
 bool enable_fips_crypto = false;
@@ -3502,6 +3510,16 @@ static void PrintHelp() {
 #if HAVE_OPENSSL
          "  --tls-cipher-list=val    use an alternative default TLS cipher "
          "list\n"
+         "  --use-bundled-ca         use bundled CA store"
+#if !defined(NODE_OPENSSL_CERT_STORE)
+         " (default)"
+#endif
+         "\n"
+         "  --use-openssl-ca         use OpenSSL's default CA store"
+#if defined(NODE_OPENSSL_CERT_STORE)
+         " (default)"
+#endif
+         "\n"
 #if NODE_FIPS_MODE
          "  --enable-fips            enable FIPS crypto at startup\n"
          "  --force-fips             force FIPS crypto (cannot be disabled)\n"
@@ -3672,6 +3690,10 @@ static void ParseArgs(int* argc,
 #if HAVE_OPENSSL
     } else if (strncmp(arg, "--tls-cipher-list=", 18) == 0) {
       default_cipher_list = arg + 18;
+    } else if (strncmp(arg, "--use-openssl-ca", 16) == 0) {
+      ssl_openssl_cert_store = true;
+    } else if (strncmp(arg, "--use-bundled-ca", 16) == 0) {
+      ssl_openssl_cert_store = false;
 #if NODE_FIPS_MODE
     } else if (strcmp(arg, "--enable-fips") == 0) {
       enable_fips_crypto = true;
diff --git a/src/node.h b/src/node.h
index 098339da1a2b9e..24ebce87c8fdfc 100644
--- a/src/node.h
+++ b/src/node.h
@@ -180,9 +180,12 @@ typedef intptr_t ssize_t;
 namespace node {
 
 NODE_EXTERN extern bool no_deprecation;
-#if HAVE_OPENSSL && NODE_FIPS_MODE
+#if HAVE_OPENSSL
+NODE_EXTERN extern bool ssl_openssl_cert_store;
+# if NODE_FIPS_MODE
 NODE_EXTERN extern bool enable_fips_crypto;
 NODE_EXTERN extern bool force_fips_crypto;
+# endif
 #endif
 
 NODE_EXTERN int Start(int argc, char *argv[]);
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index dcaeed9f52bf05..a60c3090f59f17 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -710,14 +710,14 @@ static X509_STORE* NewRootCertStore() {
   }
 
   X509_STORE* store = X509_STORE_new();
-#if defined(NODE_OPENSSL_CERT_STORE)
-  X509_STORE_set_default_paths(store);
-#else
-  for (X509 *cert : root_certs_vector) {
-    X509_up_ref(cert);
-    X509_STORE_add_cert(store, cert);
+  if (ssl_openssl_cert_store) {
+    X509_STORE_set_default_paths(store);
+  } else {
+    for (X509 *cert : root_certs_vector) {
+      X509_up_ref(cert);
+      X509_STORE_add_cert(store, cert);
+    }
   }
-#endif
 
   return store;
 }