src: refactor GetPeerCertificate #17372
Conversation
nodejs-github-bot
added
c++
src/node_crypto.cc
Outdated
| // Put issuer inside the object | ||
| static void AddIssuer(X509** cert, | ||
| const STACK_OF(X509)* const peer_certs, | ||
| Local<Object>* const info, |
There was a problem hiding this comment.
The reason was so that code in GetPeerCertificate depends on the value being pointed to by info be updated. But I realise that info does not have to be a pointer and we only need update it's pointer for this to work. Not sure if that made sense but I'll add a commit and hopefully this will become clearer. Thanks for pointing this out.
src/node_crypto.cc
Outdated
| continue; | ||
|
|
||
| Local<Object> ca_info = X509ToObject(env, ca); | ||
| (*info)->Set(env->issuercert_string(), ca_info); |
There was a problem hiding this comment.
Feel free to switch this over to the non-deprecated overload of Set() if you like :)
There was a problem hiding this comment.
Ah good point, I'll update to use the function taking a context. Thanks
There was a problem hiding this comment.
Related: it would be more efficient to move these two lines out of the loop. Likewise in GetLastIssuedCert().
src/node_crypto.cc
Outdated
|
|
||
| static X509* GetLastIssuedCert(X509** cert, | ||
| const SSL* const ssl, | ||
| Local<Object>* const info, |
src/node_crypto.cc
Outdated
| // Put issuer inside the object | ||
| static void AddIssuer(X509** cert, | ||
| const STACK_OF(X509)* const peer_certs, | ||
| Local<Object>* const info, |
There was a problem hiding this comment.
You don't have to pass a pointer since you don't replace the Object, just add properties to it.
There was a problem hiding this comment.
Thanks, I've changed this now (locally).
src/node_crypto.cc
Outdated
| @@ -1974,7 +1974,78 @@ static Local<Object> X509ToObject(Environment* env, X509* cert) { | |||
| } | |||
|
|
|||
|
|
|||
| // TODO(indutny): Split it into multiple smaller functions | |||
| // Put issuer inside the object | |||
There was a problem hiding this comment.
Not a hugely useful comment. If you call the function AddIssuerToObject(), it's self-documenting.
There was a problem hiding this comment.
I like that, I'll rename the function.
src/node_crypto.cc
Outdated
| (*info)->Set(env->issuercert_string(), ca_info); | ||
| *info = ca_info; | ||
|
|
||
| // NOTE: Intentionally freeing cert that is not used anymore |
There was a problem hiding this comment.
Since you're here, can you punctuate the comments?
src/node_crypto.cc
Outdated
| Local<Object>* const info, | ||
| Environment* const env) { | ||
| *cert = sk_X509_delete(peer_certs, 0); | ||
| while (sk_X509_num(peer_certs) > 0) { |
There was a problem hiding this comment.
Unrelated observation: I think this could just be for (;;) { - the same check is effectively done at the end of the loop when i == 0.
There was a problem hiding this comment.
Nice, I'll take a closer look at this.
src/node_crypto.cc
Outdated
| return false; | ||
| } | ||
| return true; | ||
| } |
There was a problem hiding this comment.
It might be nicer (certainly more Obviously Correct) to move the sk_X509_pop_free() on error into this function.
There was a problem hiding this comment.
I'll take a look and fix this. Thanks
There was a problem hiding this comment.
I've pushed a few commit but I've not addressed this yet. Will revisit this next week. I was wondering if you meant that I add sk_X509_pop_free() to this function in addition to the one in GetPeerCertificate which I think is needed as peer_cert is used after this function?
src/node_crypto.cc
Outdated
| continue; | ||
|
|
||
| Local<Object> ca_info = X509ToObject(env, ca); | ||
| (*info)->Set(env->issuercert_string(), ca_info); |
There was a problem hiding this comment.
Related: it would be more efficient to move these two lines out of the loop. Likewise in GetLastIssuedCert().
src/node_crypto.cc
Outdated
| if (!sk_X509_push(peer_certs, cert)) | ||
| goto done; | ||
| if (!CloneSSLCerts(&cert, &peer_certs, ssl_certs)) { | ||
| goto done; | ||
| } |
There was a problem hiding this comment.
Can you drop the braces for consistency with the surrounding code?
There was a problem hiding this comment.
Yeah, I'll remove them
src/node_crypto.cc
Outdated
| // TODO(indutny): Split it into multiple smaller functions | ||
| // Put issuer inside the object | ||
| static void AddIssuer(X509** cert, | ||
| const STACK_OF(X509)* const peer_certs, |
There was a problem hiding this comment.
peer_certs can't be const because it's modified inside the function.
There was a problem hiding this comment.
Thanks, I've changed that now.
danbev
force-pushed
the
refactor_getpeercertificate
branch
from
7042685
to
476e116
Compare
I've pushed a few commit but I've not addressed this yet. Will revisit this next week. |
@bnoordhuis I've been looking into moving these lines out of the loop and ran into an issue. My understanding is that this code is creating a link/chain of Without setting the |
src/node_crypto.cc
Outdated
| Local<Object> ca_info = X509ToObject(env, ca); | ||
| info->Set(env->issuercert_string(), ca_info); | ||
| info = ca_info; | ||
| // Clone `ssl_certs`, because we are going to destruct it. |
There was a problem hiding this comment.
Perhaps this comment could be remove now. Just reading it again perhaps the method signature should be changed to:
if (CloneSSLCerts(&cert, ssl_certs, &peer_certs)) {What do you think, would that be clear without the comment?
src/node_crypto.cc
Outdated
| continue; | ||
|
|
||
| Local<Object> ca_info = X509ToObject(env, ca); | ||
| object->Set(context, env->issuercert_string(), ca_info).ToChecked(); |
There was a problem hiding this comment.
I think we've settled on .FromJust() (232 vs 44 hits for .ToChecked() at the time of writing.)
There was a problem hiding this comment.
Thanks, I'll correct these.
src/node_crypto.cc
Outdated
| break; | ||
|
|
||
| Local<Object> ca_info = X509ToObject(env, ca); | ||
| issuer_chain->Set(context, env->issuercert_string(), ca_info).ToChecked(); |
src/node_crypto.cc
Outdated
| // NOTE: Intentionally freeing cert that is not used anymore | ||
| X509_free(cert); | ||
| issuer_chain = AddIssuerToObject(result, &cert, peer_certs, env); | ||
| issuer_chain = GetLastIssuedCert(&cert, w->ssl_, issuer_chain, env); |
There was a problem hiding this comment.
You're right you can't factor out the .Set() calls because they build up a linked list but that arguably makes AddIssuerToObject() a bit of a misnomer.
Can you try to pass arguments in the same order to both functions?
There was a problem hiding this comment.
Perhaps a better name would be AddIssuerChainToObject?
Can you try to pass arguments in the same order to both functions?
Yep, I'll update the order. Thanks
src/node_crypto.cc
Outdated
| Local<Object> ca_info = X509ToObject(env, ca); | ||
| info->Set(env->issuercert_string(), ca_info); | ||
| info = ca_info; | ||
| // Clone `ssl_certs`, because we are going to destruct it. |
test/windows-fanned failure looks unrelatedERROR: Error fetching remote repo 'jenkins_tmp'
hudson.plugins.git.GitException: Failed to fetch from [email protected]:janeasystems/node_binary_tmp.git
at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:825)
at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1092)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1123)
at hudson.scm.SCM.checkout(SCM.java:495)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1202)
at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:574)
at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
at hudson.model.Run.execute(Run.java:1724)
at hudson.matrix.MatrixRun.run(MatrixRun.java:146)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:421)
Caused by: hudson.plugins.git.GitException: Command "git reset --hard" returned status code 128:
stdout:
stderr: fatal: Unable to create 'c:/workspace/node-test-binary-windows/.git/index.lock': File exists. |
|
@bnoordhuis When you get a chance would you be able to take a look at the lastest updates and see what you think? |
| } | ||
| } | ||
| if (!result) { | ||
| sk_X509_pop_free(*peer_certs, X509_free); |
There was a problem hiding this comment.
In a similar vein, can you add *peer_certs = nullptr;?
| } | ||
| sk_X509_pop_free(peer_certs, X509_free); | ||
| return object; | ||
| } |
There was a problem hiding this comment.
Just a suggestion but it would be better if this function didn't mutate and invalidate peer_certs.
Failing that, perhaps pass peer_certs as an indirect pointer and set *peer_certs = nullptr; here?
There was a problem hiding this comment.
Sounds good, I'll take a look. Thanks
|
@danbev would you be so kind and please update this accordingly to the suggestions? :-) |
|
@BridgeAR I hope to revisit this next week (though I've got a sick kid here and I might not be working at all next week by the looks of it) |
|
Ping @danbev |
1 similar comment
|
Ping @danbev |
|
@BridgeAR I've just not had time to revisit this yet but intend to. |
danbev
force-pushed
the
refactor_getpeercertificate
branch
from
9806458
to
d00841b
Compare
BridgeAR
added
author ready
|
@bnoordhuis @jasnell @addaleax PTAL |
|
I'm setting this to |
PR-URL: nodejs#17372 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]>
|
#19087 - had 30 minutes to kill. :-) |
|
Closing in favour of #19087 |
These commits split the GetPeerCertificate function into smaller function as described in the TODO comment:
// TODO(indutny): Split it into multiple smaller functionsI've mostly left the code as it was and want to trigger CI to pick up any issues.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
src