From c07cb003e1e87f2ac287427535b7867ac1f2b06b Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Sun, 3 Mar 2019 19:36:29 +0100
Subject: [PATCH] tls: expose built-in root certificates
Fixes: https://github.com/nodejs/node/issues/25824
---
doc/api/tls.md | 13 +
lib/tls.js | 22 +-
src/node_crypto.cc | 20 ++
src/node_root_certs.h | 280 ++++++++++----------
test/parallel/test-tls-root-certificates.js | 31 +++
tools/mk-ca-bundle.pl | 2 +-
6 files changed, 225 insertions(+), 143 deletions(-)
create mode 100644 test/parallel/test-tls-root-certificates.js
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 867681d1d2a626..9bd0447a1bcb17 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1384,6 +1384,7 @@ changes: provided. For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE", "X509 CERTIFICATE", and "CERTIFICATE". + See also [`tls.rootCertificates`]. * `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private `key`, followed by the
@@ -1594,6 +1595,17 @@ TLSv1.2 and below. console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...] ``` +## tls.rootCertificates + +* {string[]} + +An immutable array of strings representing the root certificates (in PEM format) +used for verifying peer certificates. This is the default value of the `ca` +option to [`tls.createSecureContext()`]. + ## tls.DEFAULT_ECDH_CURVE