fix: exception when reading system certificates via nodejs (#49028)

2026-01-09 15:38:08 -05:00 · 2025-11-22 00:35:05 +09:00
parent 2200a70e8d
commit 79e17ce4be
2 changed files with 75 additions and 0 deletions
--- a/patches/node/.patches
+++ b/patches/node/.patches
@@ -42,3 +42,4 @@ api_promote_deprecation_of_v8_context_and_v8_object_api_methods.patch
 src_use_cp_utf8_for_wide_file_names_on_win32.patch
 fix_ensure_traverseparent_bails_on_resource_path_exit.patch
 reland_temporal_unflag_temporal.patch
 src_handle_der_decoding_errors_from_system_certificates.patch
--- a/patches/node/src_handle_der_decoding_errors_from_system_certificates.patch
+++ b/patches/node/src_handle_der_decoding_errors_from_system_certificates.patch
@@ -0,0 +1,74 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Joyee Cheung <joyeec9h3@gmail.com>
 Date: Thu, 20 Nov 2025 13:50:28 +0900
 Subject: src: handle DER decoding errors from system certificates
 When decoding certificates from the system store, it's not actually
 guaranteed to succeed. In case the system returns a certificate
 that cannot be decoded (might be related to SSL implementation issues),
 skip them.
 diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
 index 96f6ea29525bc2c60297e7be5bc1d0b74cd568e1..9b83f8d6b2c7639044e739a7f055e457882370a2 100644
 --- a/src/crypto/crypto_context.cc
 +++ b/src/crypto/crypto_context.cc
@@ -507,7 +507,11 @@ void ReadMacOSKeychainCertificates(
   CFRelease(search);
   if (ortn) {
 -    fprintf(stderr, "ERROR: SecItemCopyMatching failed %d\n", ortn);
 +    per_process::Debug(DebugCategory::CRYPTO,
 +                       "Cannot read certificates from system because "
 +                       "SecItemCopyMatching failed %d\n",
 +                       ortn);
 +    return;
   }
   CFIndex count = CFArrayGetCount(curr_anchors);
@@ -518,7 +522,9 @@ void ReadMacOSKeychainCertificates(
     CFDataRef der_data = SecCertificateCopyData(cert_ref);
     if (!der_data) {
 -      fprintf(stderr, "ERROR: SecCertificateCopyData failed\n");
 +      per_process::Debug(DebugCategory::CRYPTO,
 +                         "Skipping read of a system certificate "
 +                         "because SecCertificateCopyData failed\n");
       continue;
     }
     auto data_buffer_pointer = CFDataGetBytePtr(der_data);
@@ -526,9 +532,19 @@ void ReadMacOSKeychainCertificates(
     X509* cert =
         d2i_X509(nullptr, &data_buffer_pointer, CFDataGetLength(der_data));
     CFRelease(der_data);
 +
 +    if (cert == nullptr) {
 +      per_process::Debug(DebugCategory::CRYPTO,
 +                         "Skipping read of a system certificate "
 +                         "because decoding failed\n");
 +      continue;
 +    }
 +
     bool is_valid = IsCertificateTrustedForPolicy(cert, cert_ref);
     if (is_valid) {
       system_root_certificates_X509->emplace_back(cert);
 +    } else {
 +      X509_free(cert);
     }
   }
   CFRelease(curr_anchors);
@@ -638,7 +654,14 @@ void GatherCertsForLocation(std::vector<X509*>* vector,
         reinterpret_cast<const unsigned char*>(cert_from_store->pbCertEncoded);
     const size_t cert_size = cert_from_store->cbCertEncoded;
 -    vector->emplace_back(d2i_X509(nullptr, &cert_data, cert_size));
 +    X509* x509 = d2i_X509(nullptr, &cert_data, cert_size);
 +    if (x509 == nullptr) {
 +      per_process::Debug(DebugCategory::CRYPTO,
 +                         "Skipping read of a system certificate "
 +                         "because decoding failed\n");
 +    } else {
 +      vector->emplace_back(x509);
 +    }
   }
 }