src: modify SecureContext::SetCACert to not create root certificate store

[ShenHongFei]

This modification is mainly to optimize the startup performance of http2 and https servers (or may be tls clients's first connection?) When the user specifies a ca, it skips loading more than 100 root certificates built into node.js, and the startup speed is 15 ms faster.

In SecureContext::SetCACert funciton we cound get the existing cert store from the SSL context instead of GetCertStoreOwnedByThisSecureContext() (in which calls NewRootCertStore()) to avoid creating X509_STORE based on root_certs (more than 130), which is very slow.

According to the documentation, when passing in the ca option, you do not add it to the node.js built-in root certificates but replace them, so you do not need to use the built-in root certificate to initialize the x509 store.

node/doc/api/tls.md

Lines 1984 to 2004 in 8253290

	* `options` {Object}
	* `allowPartialTrustChain` {boolean} Treat intermediate (non-self-signed)
	certificates in the trust CA certificate list as trusted.
	* `ca` {string|string\[]|Buffer|Buffer\[]} Optionally override the trusted CA
	certificates. Default is to trust the well-known CAs curated by Mozilla.
	Mozilla's CAs are completely replaced when CAs are explicitly specified
	using this option. The value can be a string or `Buffer`, or an `Array` of
	strings and/or `Buffer`s. Any string or `Buffer` can contain multiple PEM
	CAs concatenated together. The peer's certificate must be chainable to a CA
	trusted by the server for the connection to be authenticated. When using
	certificates that are not chainable to a well-known CA, the certificate's CA
	must be explicitly specified as a trusted or the connection will fail to
	authenticate.
	If the peer uses a certificate that doesn't match or chain to one of the
	default CAs, use the `ca` option to provide a CA certificate that the peer's
	certificate can match or chain to.
	For self-signed certificates, the certificate is its own CA, and must be
	provided.
	For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
	"X509 CERTIFICATE", and "CERTIFICATE".
	See also [`tls.rootCertificates`][].

The slow loading of root certificates is a known issue of openssl3 (openssl/openssl#16871) and has not been fixed. @mhdawson
There are also related issues in node.js:

• Openssl 3 with NODE_EXTRA_CA_CERTS slows down node.js v17 startup (Openssl 3 with NODE_EXTRA_CA_CERTS slows down node.js v17 startup #40524)

before optimization

after optimization

cc @nodejs/crypto @nodejs/tls

If anyone can help me benchmark it, I'd be very grateful.

[nodejs-github-bot]

Review requested:

• @nodejs/crypto

[codecov]

Codecov Report

Attention: Patch coverage is 62.96296% with 10 lines in your changes missing coverage. Please review.

Project coverage is 88.54%. Comparing base (a73c41c) to head (15e8061).
Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
src/crypto/crypto_context.cc	62.96%	7 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #56301      +/-   ##
==========================================
- Coverage   88.54%   88.54%   -0.01%     
==========================================
  Files         657      657              
  Lines      190290   190316      +26     
  Branches    36533    36541       +8     
==========================================
+ Hits       168488   168507      +19     
- Misses      14984    14989       +5     
- Partials     6818     6820       +2     

Files with missing lines	Coverage Δ
src/crypto/crypto_context.cc	67.97% <62.96%> (-0.19%)	⬇️

... and 25 files with indirect coverage changes

[ShenHongFei]

node.exe D:/1/nodejs/benchmark/compare.js --old T:/node.v23.4.0.exe --new D:/1/nodejs/node.exe --runs 20 --filter create-secure-context tls

                                       confidence improvement accuracy (*)   (**)  (***)
tls\\create-secure-context.js ca=0 n=1        ***     -6.47 %       ±1.09% ±1.48% ±1.99%
tls\\create-secure-context.js ca=0 n=5        ***     -7.62 %       ±0.49% ±0.66% ±0.87%
tls\\create-secure-context.js ca=1 n=1        ***    849.45 %       ±3.56% ±4.86% ±6.59%
tls\\create-secure-context.js ca=1 n=5        ***    847.31 %       ±4.21% ±5.75% ±7.81%

const common = require('../common.js');
const fixtures = require('../../test/common/fixtures');
const tls = require('tls');

const bench = common.createBenchmark(main, {
  n: [1, 5],
  ca: [0, 1],
});

function main(conf) {
  const n = conf.n;

  const options = {
    key: fixtures.readKey('rsa_private.pem'),
    cert: fixtures.readKey('rsa_cert.crt'),
    ca: conf.ca === 1 ? [fixtures.readKey('rsa_ca.crt')] : undefined,
  };

  bench.start();
  tls.createSecureContext(options);
  bench.end(n);
}