feat: added support for reading certificates from macOS system store

[timja]

Fixes #39657

Builds on #44532 but for macOS

TODO:

• Make it work, it works 🥳
• Review that all CF resources are being appropriately released, I think its right now
• Review whether and where tests are appropriate

I can take a look at the Windows one after, resolving the conflicts and addressing the review comments as well.

---

Happy to refactor heavily, I haven't used c++ before and I wrote it initially in objective c and ported it across.
This is heavily based upon chromium and some of OpenJDK along with a PR I have open with OpenJDK

---

Testing

I'm using https://github.com/timja/openjdk-intermediate-ca-reproducer as a reproducer:

docker compose up --build

Install the certificates, either by adding to keychain manually (see README) or using /usr/bin/security (see what the test is doing in this PR.

main.js

let resp = await fetch("https://localhost:8443");
console.log(resp.status); // 200
console.log(resp.headers.get("Content-Type")); // "text/html"
console.log(await resp.text()); // "Hello, World!"

/Users/$USER/projects/node/out/Release/node --use-system-ca main.js

I've also tested this through a ZScaler MiTM setup.

[nodejs-github-bot]

Review requested:

• @nodejs/crypto
• @nodejs/gyp

[addaleax]

This should use reinterpret_cast

[timja]

This fails to build with:

../../src/crypto/crypto_context.cc:447:33: error: reinterpret_cast from 'const void *' to 'SecCertificateRef' (aka '__SecCertificate *') casts away qualifiers
  447 |     SecCertificateRef certRef = reinterpret_cast<SecCertificateRef>(CFArrayGetValueAtIndex(

The linter hasn't asked me to change to it and it did in most of the other places.

[timja]

Would it be possible for someone to re-open the feature request please? #39657. It was closed due to being stale / no progress on it.

[joyeecheung]

I think you can simply wrap it with an ncrypto::X509View and use getSubject() etc. to get the data and then strncmp the two.

[timja]

Any pointers? I'm struggling to find where/ how an example of how one gets an ncrypto::X509View (I'll keep looking though).

[timja]

I've tried:

ncrypto::X509View x509_view = ncrypto::X509View::From(cert);

But that takes an SSLPointer& which I haven't figured out yet

[timja]

Using ncrypto::X509View x509_view(cert); seems to compile although not quite sure on the next steps.

currently at:

  ncrypto::X509View x509_view(cert);
  auto subject = x509_view.getSubject();
  auto issuer = x509_view.getIssuer();

  if (strncmp(subject, issuer, 30) == 0) {
    fprintf(stderr, "Self-signed certificate detected\n");
    return true;
  } else {
    fprintf(stderr, "Self-signed certificate detected\n");
    return false;
  }

[timja]

Something like this? 9cb41b0

[timja]

Not sure why I would strncmp here as the string could be the same up to a point but still differ after. But I could be misunderstanding.

[joyeecheung]

Actually, I realized that we can simply use X509_NAME_cmp and save all these copying/reading?

[joyeecheung]

This question predates this PR I guess, but shouldn't these options be per-env instead of per-process? @addaleax @jasnell

[timja]

FWIW existing code in the same area uses per_process for the same thing from my understanding:

node/src/crypto/crypto_context.cc

Line 242 in 1238f0a

if (per_process::cli_options->ssl_openssl_cert_store == false) {

(I don't know the difference as-of yet though)