Adds macOS Keychain certs to default CA store #6588
Conversation
|
I think this is a great idea, but I think we should dynamically load Core Foundation and the Security framework instead of passing it as a linker flag. Loading more frameworks at start time impacts start time. So we should instead use dlopen() and dlsym() to lazily load the symbols as needed. |
Uses dlopen & dlsym to load CoreFoundation & Security Frameworks only when necessary (when first retrieving the default CA store).
|
@Jarred-Sumner Just pushed a commit to do that. The Core Foundation & Security Frameworks will be dynamically loaded on the first request to |
| @@ -647,6 +949,7 @@ X509_STORE* us_get_default_ca_store() { | |||
| } | |||
|
|
|||
| us_internal_init_root_certs(); | |||
| us_internal_init_native_certs(); | |||
There was a problem hiding this comment.
If we do this, we should just use the native certs and not both right? So on macOS, it would only load native certs and on Linux, it would only load root certs.
I think that we also should see if there's any perf difference in load time as I remember a 30ms perf hit a long time ago when loading native certs using a non-OpenSSL/BoringSSL library and loading from the system trust store.
There was a problem hiding this comment.
I just did some profiling, and the results are not good. The 3 SecTrustSettingsCopyCertificates requests to get all the certificates took 70ms total & the SecTrustSettingsCopyTrustSettings on each certificate to determine whether the system trusts the cert took 78ms total. As of 1.0.6, bun only takes 6ms to load certificates.
That's really disappointing. I was not expecting these APIs to be so slow.
I think a better approach would be to follow what Deno did in denoland/deno#11491. On all platforms, default to embedded Mozilla certs, and have some flag/env variable/config to enable the use of native certs for those who want/need it and are willing to take the first request performance hit.
What does this PR do?
Adds support to
bun-usocketsto load trusted certificates from the native platform certificate store into the default CA store. This PR implements this for the macOS Keychain. Windows Certificate Stores could be added in the future.Partially relevant: #271
Note: All added code is usockets internal. Also change does not update
rootCertificatesininternals/tls.Implementation based on rustls-native-certs.
How did you verify your code works?