feat: added support for reading certificates from windows system store

[twitharshil]

Description of Change

MITM-based proxy environments like ZScaler intercepts the requests sent to a certain endpoint from the user machine and serve a redirect to their own servers ( for eg: https://gateway.zscloud.net/ ) before finally redirecting back to the original endpoint. We have observed root certificates of these proxy vendors present on the user system store. These certificates are needed for the request's SSL certificate verification.

Chrome reads certificates from the system store hence the certificate verification step passes when a request is sent out of the user machine through chrome as a client.
Node uses a statically compiled, hardcoded list of certificate authorities, rather than relying on the system's trust store, hence request going out from node as a client fails at the SSL verification step behind such environments.

This PR targets to read the certificates from the user system store and embed them with the existing list of root certificates with the node.

Note:

1. These changes will make a huge impact on the applications that use open source projects like electron which uses node in their networking layers.

2. In my current implementation, I've added logic to read the certificates from the system store and embed it with the existing list together in a single file. I am open to suggestions if we want the certificate read logic to be written somewhere else.

3. This PR only targets the windows platform for now. All the users from which we collected feedback were windows users only. Changes made in the PR are feature flagged behind a runtime CLI option named --node-use-system-ca

[nodejs-github-bot]

Review requested:

• @nodejs/crypto

[bnoordhuis]

Related: #39657 (comment)

Having such functionality in node isn't completely out of the question but the default behavior should be consistent across platforms, meaning it should almost certainly be opt-in.

[twitharshil]

@bnoordhuis Thanks for taking a look at the draft PR. I've taken a quick look at the thread mentioned in your comment. It seems like for windows we can go ahead with the current approach of reading system store and implement the solution behind an opt-in flag. I believe it will be a build-time flag.

[RaisinTen]

I believe it will be a build-time flag.

Why not a regular cli option?

[twitharshil]

@RaisinTen I choose a build time flag rather than a regular cli option more from my understanding so far. I see a similar use case with node which reads the default OpenSSL cert store for certificates when built with openssl-use-def-ca-store.

[RaisinTen]

@twitharshil that one is actually a runtime flag accompanied by a build time flag. --use-bundled-ca and --use-openssl-ca are the runtime flags. --openssl-use-def-ca-store is the build time flag that is used to select which one of those 2 runtime flags would be enabled by default.

[twitharshil]

Hey @bnoordhuis @RaisinTen
I've opened the PR for review, PTAL. Thanks :)

[bnoordhuis]

Left some comments. I've commented on some of the technical aspects but I'm still on the fence as to whether it's a desirable feature.

Speaking for myself, the fact that so far it's Windows-only counts against it.

[bnoordhuis]

This manual formatting of a certificate is kind of questionable. If you have the certificate in DER format, you can pass it to openssl directly:

X509Pointer cert(d2i_X509(nullptr, buf, len));
if (cert) {
  // ...
}

openssl has utility functions like X509_print_ex() for formatting it as PEM, which I guess you're doing so they show up in tls.rootCertificates?

[twitharshil]

Left some comments. I've commented on some of the technical aspects, but I'm still unsure whether it's a desirable feature.

Speaking for myself, the fact that so far it's Windows-only counts against it.

@bnoordhuis I think this feature has been one of the most demanding features for quite some time now. In recent times I worked closely to support these MITM-based proxies environment only for the windows platform so I thought of upstreaming this feature to node.

Over the years no one picked up this work, so I believe supporting the windows platform at least is better than nothing? We can iteratively get this done for other platforms as well in separate PRs. I am open if someone else wants to pick this work for macOS & Linux otherwise I will pick it up once I find more time.

[twitharshil]

Hey, @bnoordhuis @jasnell I've addressed the PR comments, can I get another round of review on my PR?

[bnoordhuis]

Generally LGTM but this should probably be reviewed by someone more familiar with the Windows crypto API than I am.

[bnoordhuis]

Suggested change

	const HCERTSTORE hStore = CertOpenSystemStoreW(0, L"ROOT");
	const HCERTSTORE hStore = CertOpenSystemStoreW(nullptr, L"ROOT");

Because the first arg is a pointer, right? How likely is it for this method to fail?

[bnoordhuis]

Prefer something like this for readability reasons:

Suggested change

	while ((certificate_context_ptr = CertEnumCertificatesInStore(
	hStore, certificate_context_ptr)) != nullptr) {
	for (;;) {
	certificate_context_ptr =
	CertEnumCertificatesInStore(hStore, certificate_context_ptr);
	if (certificate_context_ptr == nullptr) break;

[bnoordhuis]

Suggested change

	bio.reset();

Not necessary to reset manually, the destructor does that automatically when it goes out of scope.

[bnoordhuis]

Suggested change

	PEM_read_bio_X509(NodeBIO::NewFixed(combined_root_certs[i].c_str(),
	PEM_read_bio_X509(NodeBIO::NewFixed(combined_root_certs[i].data(),

[bnoordhuis]

Minor optimization:

Suggested change

	reinterpret_cast<const uint8_t*>(combined_root_certs[i].c_str()))
	reinterpret_cast<const uint8_t*>(combined_root_certs[i].data()),
	v8::NewStringType::kNormal,
	combined_root_certs[i].size())

[joyeecheung]

It seems this PR has stalled. @twitharshil Do you plan to finish it?