Skip to content

crypto: improve system certificate enumeration logic on macOS#62576

Draft
deepak1556 wants to merge 4 commits intonodejs:mainfrom
deepak1556:robo/cleanup_macos_system_cert_api
Draft

crypto: improve system certificate enumeration logic on macOS#62576
deepak1556 wants to merge 4 commits intonodejs:mainfrom
deepak1556:robo/cleanup_macos_system_cert_api

Conversation

@deepak1556
Copy link
Copy Markdown
Contributor

@deepak1556 deepak1556 commented Apr 3, 2026

In VSCode we are looking to adopt the builtin system certificate api over our current implementation https://github.com/microsoft/vscode-proxy-agent/blob/59cc268f93f52fdfd0c7ac1f25aadefae74965fb/src/index.ts#L1189-L1201

As part of the rollout we observed a drop in certificate count (some machines also got 0 certs) from the builtin api and I was validating the cases with additional error telemetry https://gist.github.com/deepak1556/ef6c141e0cd3f5381cbf6f37fc590acf. It confirmed the failures are on the valid path, all the certs had no explicit trust settings and were getting filtered under the fallback SecTrustEvaluateWithError path.

The changes in this PR are some cleanups and some misalign in logic with chromium implementation noticed while working on the error api. Each commit has additional context on the change.

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 3, 2026

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Apr 3, 2026
@deepak1556 deepak1556 marked this pull request as draft April 3, 2026 12:40
@deepak1556
crypto: fix macOS default for missing kSecTrustSettingsResult
5674fde 
When kSecTrustSettingsResult is absent from a trust settings dictionary,
Apple specifies kSecTrustSettingsResultTrustRoot as the default value.

Previously, the trust result evaluation (deny check, self-issued check,
TrustAsRoot check) was inside the block that only executed when
kSecTrustSettingsResult was explicitly present. When the key was absent,
the function fell through to return UNSPECIFIED, incorrectly rejecting
self-signed certificates that should have been trusted via the default.

Move the trust result evaluation outside the conditional block so the
default value of kSecTrustSettingsResultTrustRoot flows through the
same code path as explicit values. This aligns with Chromium's
trust_store_mac.cc implementation.
@deepak1556
crypto: fix leak and improve cert enumeration
01fa6e4 
1. Fix CFRelease leak in IsTrustDictionaryTrustedForPolicy: the
   CFDictionaryRef returned by SecPolicyCopyProperties(policy_ref)
   was not released when the policy OID matched kSecPolicyAppleSSL.

2. Deduplicate certificates: SecItemCopyMatching can return the same
   certificate from multiple keychains.

3. Filter expired certificates.
@deepak1556
crypto: add comment for SecTrustEvaluateWithError policy
b3b14fb
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 3, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.71%. Comparing base (0dfdec9) to head (2871528).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62576      +/-   ##
==========================================
- Coverage   89.71%   89.71%   -0.01%     
==========================================
  Files         695      695              
  Lines      214154   214441     +287     
  Branches    41009    41061      +52     
==========================================
+ Hits       192132   192383     +251     
- Misses      14075    14106      +31     
- Partials     7947     7952       +5
Files with missing lines Coverage Δ
src/crypto/crypto_context.cc 71.90% <ø> (-0.17%) ⬇️

... and 31 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@deepak1556 deepak1556 force-pushed the robo/cleanup_macos_system_cert_api branch from 3325bb6 to 2871528 Compare April 3, 2026 14:01
@deepak1556 deepak1556 marked this pull request as ready for review April 3, 2026 14:03
joyeecheung
joyeecheung approved these changes Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@joyeecheung joyeecheung left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks. Is it possible to add some tests? We have some integration tests in test/system-ca, see the README there for how to add the certificates and how to clean them up.

(caveat: the tests don't actually run without you doing a local mv test/system-ca/test.cfg.py test/system-ca/testcfg.py, it's currently a weird bug we rely on to not run it in the CI because the CI isn't prepped for this..)

@deepak1556 deepak1556 marked this pull request as draft April 3, 2026 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joyeecheung joyeecheung joyeecheung approved these changes

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@deepak1556 @nodejs-github-bot @joyeecheung