From fc4d62ff9fc3c669abd4020ada01092e4cd24573 Mon Sep 17 00:00:00 2001
From: Joyee Cheung <joyeec9h3@gmail.com>
Date: Mon, 10 Feb 2025 19:59:57 +0100
Subject: [PATCH 1/3] tls: implement tls.getCACertificates()

To accompany --use-system-ca, this adds a new API that allows
querying various kinds of CA certificates.

- If the first argument `type` is `"default"` or undefined,
  it returns the CA certificates that will be used by Node.js
  TLS clients by default, which includes the Mozilla CA
  if --use-bundled-ca is enabled or --use-openssl-ca is not
  enabled, and the system certificates if --use-system-ca
  is enabled, and the extra certificates if NODE_EXTRA_CA_CERTS
  is used.
- If `type` is `"system"` this returns the system certificates,
  regardless of whether --use-system-ca is enabeld or not.
- If `type` is `"bundled"` this is the same as `tls.rootCertificates`
  and returns the Mozilla CA certificates.
- If `type` is `"extra"` this returns the certificates parsed
  from the path specified by NODE_EXTRA_CA_CERTS.

Drive-by: remove the inaccurate description in `tls.rootCertificates`
about including system certificates, since it in fact does not include
them, and also it is contradicting the previous description about
`tls.rootCertificates` always returning the Mozilla CA store and
staying the same across platforms.
---
 doc/api/tls.md                                | 55 ++++++++++--
 lib/tls.js                                    | 88 +++++++++++++++++--
 src/crypto/crypto_context.cc                  | 76 ++++++++++++++--
 test/common/tls.js                            | 13 +++
 .../tls-check-extra-ca-certificates.js        | 17 ++++
 test/fixtures/tls-get-ca-certificates.js      | 11 +++
 ...-tls-get-ca-certificates-bundled-subset.js | 17 ++++
 .../test-tls-get-ca-certificates-bundled.js   | 20 +++++
 .../test-tls-get-ca-certificates-default.js   | 20 +++++
 .../test-tls-get-ca-certificates-error.js     | 20 +++++
 ...est-tls-get-ca-certificates-extra-empty.js | 29 ++++++
 ...st-tls-get-ca-certificates-extra-subset.js | 16 ++++
 .../test-tls-get-ca-certificates-extra.js     | 29 ++++++
 ...get-ca-certificates-system-without-flag.js | 36 ++++++++
 .../test-tls-get-ca-certificates-system.js    | 32 +++++++
 test/testpy/__init__.py                       |  7 +-
 16 files changed, 463 insertions(+), 23 deletions(-)
 create mode 100644 test/fixtures/tls-check-extra-ca-certificates.js
 create mode 100644 test/fixtures/tls-get-ca-certificates.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-bundled-subset.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-bundled.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-default.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-error.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-extra-empty.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-extra-subset.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-extra.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-system-without-flag.js
 create mode 100644 test/parallel/test-tls-get-ca-certificates-system.js

diff --git a/doc/api/tls.md b/doc/api/tls.md
index 8da9d66c350030..86644cea76b6a3 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1985,9 +1985,13 @@ changes:
   * `allowPartialTrustChain` {boolean} Treat intermediate (non-self-signed)
     certificates in the trust CA certificate list as trusted.
   * `ca` {string|string\[]|Buffer|Buffer\[]} Optionally override the trusted CA
-    certificates. Default is to trust the well-known CAs curated by Mozilla.
-    Mozilla's CAs are completely replaced when CAs are explicitly specified
-    using this option. The value can be a string or `Buffer`, or an `Array` of
+    certificates. If not specified, the CA certificates trusted by default are
+    the same as the ones returned by [`tls.getCACertificates()`][] using the
+    `default` type.  If specified, the default list would be completely replaced
+    (instead of being concatenated) by the certificates in the `ca` option.
+    Users need to concatenate manually if they wish to add additional certificates
+    instead of completely overriding the default.
+    The value can be a string or `Buffer`, or an `Array` of
     strings and/or `Buffer`s. Any string or `Buffer` can contain multiple PEM
     CAs concatenated together. The peer's certificate must be chainable to a CA
     trusted by the server for the connection to be authenticated. When using
@@ -2001,7 +2005,6 @@ changes:
     provided.
     For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
     "X509 CERTIFICATE", and "CERTIFICATE".
-    See also [`tls.rootCertificates`][].
   * `cert` {string|string\[]|Buffer|Buffer\[]} Cert chains in PEM format. One
     cert chain should be provided per private key. Each cert chain should
     consist of the PEM formatted certificate for a provided private `key`,
@@ -2364,6 +2367,39 @@ openssl pkcs12 -certpbe AES-256-CBC -export -out client-cert.pem \
 The server can be tested by connecting to it using the example client from
 [`tls.connect()`][].
 
+## `tls.getCACertificates([type])`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* `type` {string|undefined} The type of CA certificates that will be returned. Valid values
+  are `"default"`, `"system"`, `"bundled"` and `"extra"`.
+  **Default:** `"default"`.
+* Returns: {string\[]} An array of PEM-encoded certificates. The array may contain duplicates
+  if the same certificate is repeatedly stored in multiple sources.
+
+Returns an array containing the CA certificates from various sources, depending on `type`:
+
+* `"default"`: return the CA certificates that will be used by the Node.js TLS clients by default.
+  * When [`--use-bundled-ca`][] is enabled (default), or [`--use-openssl-ca`][] is not enabled,
+    this would include CA certificates from the bundled Mozilla CA store.
+  * When [`--use-system-ca`][] is enabled, this would also include certificates from the system's
+    trusted store.
+  * When [`NODE_EXTRA_CA_CERTS`][] is used, this would also include certificates loaded from the specified
+    file.
+* `"system"`: return the CA certificates that are loaded from the system's trusted store, according
+  to rules set by [`--use-system-ca`][]. This can be used to get the certificates from the system
+  when [`--use-system-ca`][] is not enabled.
+* `"bundled"`: return the CA certificates from the bundled Mozilla CA store. This would be the same
+  as [`tls.rootCertificates`][].
+* `"extra"`: return the CA certificates loaded from [`NODE_EXTRA_CA_CERTS`][]. It's an empty array if
+  [`NODE_EXTRA_CA_CERTS`][] is not set.
+
+<!-- YAML
+added: v0.10.2
+-->
+
 ## `tls.getCiphers()`
 
 <!-- YAML
@@ -2400,8 +2436,10 @@ from the bundled Mozilla CA store as supplied by the current Node.js version.
 The bundled CA store, as supplied by Node.js, is a snapshot of Mozilla CA store
 that is fixed at release time. It is identical on all supported platforms.
 
-On macOS if `--use-system-ca` is passed then trusted certificates
-from the user and system keychains are also included.
+To get the actual CA certificates used by the current Node.js instance, which
+may include certificates loaded from the system store (if `--use-system-ca` is used)
+or loaded from a file indicated by `NODE_EXTRA_CA_CERTS`, use
+[`tls.getCACertificates()`][].
 
 ## `tls.DEFAULT_ECDH_CURVE`
 
@@ -2487,7 +2525,11 @@ added:
 [`'secureConnection'`]: #event-secureconnection
 [`'session'`]: #event-session
 [`--tls-cipher-list`]: cli.md#--tls-cipher-listlist
+[`--use-bundled-ca`]: cli.md#--use-bundled-ca---use-openssl-ca
+[`--use-openssl-ca`]: cli.md#--use-bundled-ca---use-openssl-ca
+[`--use-system-ca`]: cli.md#--use-system-ca
 [`Duplex`]: stream.md#class-streamduplex
+[`NODE_EXTRA_CA_CERTS`]: cli.md#node_extra_ca_certsfile
 [`NODE_OPTIONS`]: cli.md#node_optionsoptions
 [`SSL_export_keying_material`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html
 [`SSL_get_version`]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html
@@ -2516,6 +2558,7 @@ added:
 [`tls.createSecureContext()`]: #tlscreatesecurecontextoptions
 [`tls.createSecurePair()`]: #tlscreatesecurepaircontext-isserver-requestcert-rejectunauthorized-options
 [`tls.createServer()`]: #tlscreateserveroptions-secureconnectionlistener
+[`tls.getCACertificates()`]: #tlsgetcacertificatestype
 [`tls.getCiphers()`]: #tlsgetciphers
 [`tls.rootCertificates`]: #tlsrootcertificates
 [`x509.checkHost()`]: crypto.md#x509checkhostname-options
diff --git a/lib/tls.js b/lib/tls.js
index 0c1b3350618020..b4657c08ec94bf 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -24,6 +24,8 @@
 const {
   Array,
   ArrayIsArray,
+  // eslint-disable-next-line no-restricted-syntax
+  ArrayPrototypePush,
   JSONParse,
   ObjectDefineProperty,
   ObjectFreeze,
@@ -34,6 +36,7 @@ const {
   ERR_TLS_CERT_ALTNAME_FORMAT,
   ERR_TLS_CERT_ALTNAME_INVALID,
   ERR_OUT_OF_RANGE,
+  ERR_INVALID_ARG_VALUE,
 } = require('internal/errors').codes;
 const internalUtil = require('internal/util');
 internalUtil.assertCrypto();
@@ -44,12 +47,18 @@ const {
 
 const net = require('net');
 const { getOptionValue } = require('internal/options');
-const { getRootCertificates, getSSLCiphers } = internalBinding('crypto');
+const {
+  getBundledRootCertificates,
+  getExtraCACertificates,
+  getSystemCACertificates,
+  getSSLCiphers,
+} = internalBinding('crypto');
 const { Buffer } = require('buffer');
 const { canonicalizeIP } = internalBinding('cares_wrap');
 const _tls_common = require('_tls_common');
 const _tls_wrap = require('_tls_wrap');
 const { createSecurePair } = require('internal/tls/secure-pair');
+const { validateString } = require('internal/validators');
 
 // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
 // every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
@@ -85,23 +94,84 @@ exports.getCiphers = internalUtil.cachedResult(
   () => internalUtil.filterDuplicateStrings(getSSLCiphers(), true),
 );
 
-let rootCertificates;
+let bundledRootCertificates;
+function cacheBundledRootCertificates() {
+  bundledRootCertificates ||= ObjectFreeze(getBundledRootCertificates());
 
-function cacheRootCertificates() {
-  rootCertificates = ObjectFreeze(getRootCertificates());
+  return bundledRootCertificates;
 }
 
 ObjectDefineProperty(exports, 'rootCertificates', {
   __proto__: null,
   configurable: false,
   enumerable: true,
-  get: () => {
-    // Out-of-line caching to promote inlining the getter.
-    if (!rootCertificates) cacheRootCertificates();
-    return rootCertificates;
-  },
+  get: cacheBundledRootCertificates,
 });
 
+let extraCACertificates;
+function cacheExtraCACertificates() {
+  extraCACertificates ||= ObjectFreeze(getExtraCACertificates());
+
+  return extraCACertificates;
+}
+
+let systemCACertificates;
+function cacheSystemCACertificates() {
+  systemCACertificates ||= ObjectFreeze(getSystemCACertificates());
+
+  return systemCACertificates;
+}
+
+let defaultCACertificates;
+function cacheDefaultCACertificates() {
+  if (defaultCACertificates) { return defaultCACertificates; }
+  defaultCACertificates = [];
+
+  if (!getOptionValue('--use-openssl-ca')) {
+    const bundled = cacheBundledRootCertificates();
+    for (let i = 0; i < bundled.length; ++i) {
+      ArrayPrototypePush(defaultCACertificates, bundled[i]);
+    }
+    if (getOptionValue('--use-system-ca')) {
+      const system = cacheSystemCACertificates();
+      for (let i = 0; i < system.length; ++i) {
+
+        ArrayPrototypePush(defaultCACertificates, system[i]);
+      }
+    }
+  }
+
+  if (process.env.NODE_EXTRA_CA_CERTS) {
+    const extra = cacheExtraCACertificates();
+    for (let i = 0; i < extra.length; ++i) {
+
+      ArrayPrototypePush(defaultCACertificates, extra[i]);
+    }
+  }
+
+  ObjectFreeze(defaultCACertificates);
+  return defaultCACertificates;
+}
+
+// TODO(joyeecheung): support X509Certificate output?
+function getCACertificates(type = 'default') {
+  validateString(type, 'type');
+
+  switch (type) {
+    case 'default':
+      return cacheDefaultCACertificates();
+    case 'bundled':
+      return cacheBundledRootCertificates();
+    case 'system':
+      return cacheSystemCACertificates();
+    case 'extra':
+      return cacheExtraCACertificates();
+    default:
+      throw new ERR_INVALID_ARG_VALUE('type', type);
+  }
+}
+exports.getCACertificates = getCACertificates;
+
 // Convert protocols array into valid OpenSSL protocols list
 // ("\x06spdy/2\x08http/1.1\x08http/1.0")
 function convertProtocols(protocols) {
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index 3e4b517fa462ef..2d1f2a30b3de96 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -42,11 +42,13 @@ using ncrypto::MarkPopErrorOnReturn;
 using ncrypto::SSLPointer;
 using ncrypto::StackOfX509;
 using ncrypto::X509Pointer;
+using ncrypto::X509View;
 using v8::Array;
 using v8::ArrayBufferView;
 using v8::Boolean;
 using v8::Context;
 using v8::DontDelete;
+using v8::EscapableHandleScope;
 using v8::Exception;
 using v8::External;
 using v8::FunctionCallbackInfo;
@@ -57,7 +59,9 @@ using v8::Integer;
 using v8::Isolate;
 using v8::JustVoid;
 using v8::Local;
+using v8::LocalVector;
 using v8::Maybe;
+using v8::MaybeLocal;
 using v8::Nothing;
 using v8::Object;
 using v8::PropertyAttribute;
@@ -760,7 +764,7 @@ static std::vector<X509*> InitializeSystemStoreCertificates() {
   return system_store_certs;
 }
 
-static std::vector<X509*>& GetSystemStoreRootCertificates() {
+static std::vector<X509*>& GetSystemStoreCACertificates() {
   // Use function-local static to guarantee thread safety.
   static std::vector<X509*> system_store_certs =
       InitializeSystemStoreCertificates();
@@ -832,7 +836,7 @@ X509_STORE* NewRootCertStore() {
       CHECK_EQ(1, X509_STORE_add_cert(store, cert));
     }
     if (per_process::cli_options->use_system_ca) {
-      for (X509* cert : GetSystemStoreRootCertificates()) {
+      for (X509* cert : GetSystemStoreCACertificates()) {
         CHECK_EQ(1, X509_STORE_add_cert(store, cert));
       }
     }
@@ -854,7 +858,7 @@ void CleanupCachedRootCertificates() {
     }
   }
   if (has_cached_system_root_certs.load()) {
-    for (X509* cert : GetSystemStoreRootCertificates()) {
+    for (X509* cert : GetSystemStoreCACertificates()) {
       X509_free(cert);
     }
   }
@@ -866,7 +870,7 @@ void CleanupCachedRootCertificates() {
   }
 }
 
-void GetRootCertificates(const FunctionCallbackInfo<Value>& args) {
+void GetBundledRootCertificates(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
   Local<Value> result[arraysize(root_certs)];
 
@@ -883,6 +887,58 @@ void GetRootCertificates(const FunctionCallbackInfo<Value>& args) {
       Array::New(env->isolate(), result, arraysize(root_certs)));
 }
 
+MaybeLocal<Array> X509sToArrayOfStrings(Environment* env,
+                                        const std::vector<X509*>& certs) {
+  ClearErrorOnReturn clear_error_on_return;
+  EscapableHandleScope scope(env->isolate());
+
+  LocalVector<Value> result(env->isolate(), certs.size());
+  for (size_t i = 0; i < certs.size(); ++i) {
+    X509View view(certs[i]);
+    auto pem_bio = view.toPEM();
+    if (!pem_bio) {
+      ThrowCryptoError(env, ERR_get_error(), "X509 to PEM conversion");
+      return MaybeLocal<Array>();
+    }
+
+    char* pem_data = nullptr;
+    auto pem_size = BIO_get_mem_data(pem_bio.get(), &pem_data);
+    if (pem_size <= 0 || !pem_data) {
+      ThrowCryptoError(env, ERR_get_error(), "Reading PEM data");
+      return MaybeLocal<Array>();
+    }
+    // PEM is base64-encoded, so it must be one-byte.
+    if (!String::NewFromOneByte(env->isolate(),
+                                reinterpret_cast<uint8_t*>(pem_data),
+                                v8::NewStringType::kNormal,
+                                pem_size)
+             .ToLocal(&result[i])) {
+      return MaybeLocal<Array>();
+    }
+  }
+  return scope.Escape(Array::New(env->isolate(), result.data(), result.size()));
+}
+
+void GetSystemCACertificates(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  Local<Array> results;
+  if (X509sToArrayOfStrings(env, GetSystemStoreCACertificates())
+          .ToLocal(&results)) {
+    args.GetReturnValue().Set(results);
+  }
+}
+
+void GetExtraCACertificates(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  if (extra_root_certs_file.empty()) {
+    return args.GetReturnValue().Set(Array::New(env->isolate()));
+  }
+  Local<Array> results;
+  if (X509sToArrayOfStrings(env, GetExtraCACertificates()).ToLocal(&results)) {
+    args.GetReturnValue().Set(results);
+  }
+}
+
 bool SecureContext::HasInstance(Environment* env, const Local<Value>& value) {
   return GetConstructorTemplate(env)->HasInstance(value);
 }
@@ -966,8 +1022,14 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
                          GetConstructorTemplate(env),
                          SetConstructorFunctionFlag::NONE);
 
+  SetMethodNoSideEffect(context,
+                        target,
+                        "getBundledRootCertificates",
+                        GetBundledRootCertificates);
+  SetMethodNoSideEffect(
+      context, target, "getSystemCACertificates", GetSystemCACertificates);
   SetMethodNoSideEffect(
-      context, target, "getRootCertificates", GetRootCertificates);
+      context, target, "getExtraCACertificates", GetExtraCACertificates);
 }
 
 void SecureContext::RegisterExternalReferences(
@@ -1007,7 +1069,9 @@ void SecureContext::RegisterExternalReferences(
 
   registry->Register(CtxGetter);
 
-  registry->Register(GetRootCertificates);
+  registry->Register(GetBundledRootCertificates);
+  registry->Register(GetSystemCACertificates);
+  registry->Register(GetExtraCACertificates);
 }
 
 SecureContext* SecureContext::Create(Environment* env) {
diff --git a/test/common/tls.js b/test/common/tls.js
index d212fbe076072c..bbc37df19c5549 100644
--- a/test/common/tls.js
+++ b/test/common/tls.js
@@ -3,6 +3,7 @@
 'use strict';
 const crypto = require('crypto');
 const net = require('net');
+const assert = require('assert');
 
 exports.ccs = Buffer.from('140303000101', 'hex');
 
@@ -173,4 +174,16 @@ function P_hash(algo, secret, seed, size) {
   return result;
 }
 
+exports.assertIsCAArray = function assertIsCAArray(certs) {
+  assert(Array.isArray(certs));
+  assert(certs.length > 0);
+
+  // The certificates looks PEM-encoded.
+  for (const cert of certs) {
+    const trimmed = cert.trim();
+    assert.match(trimmed, /^-----BEGIN CERTIFICATE-----/);
+    assert.match(trimmed, /-----END CERTIFICATE-----$/);
+  }
+};
+
 exports.TestTLSSocket = TestTLSSocket;
diff --git a/test/fixtures/tls-check-extra-ca-certificates.js b/test/fixtures/tls-check-extra-ca-certificates.js
new file mode 100644
index 00000000000000..ee12992604d1b6
--- /dev/null
+++ b/test/fixtures/tls-check-extra-ca-certificates.js
@@ -0,0 +1,17 @@
+'use strict';
+
+const tls = require('tls');
+const assert = require('assert');
+
+const defaultSet = new Set(tls.getCACertificates('default'));
+const extraSet = new Set(tls.getCACertificates('extra'));
+console.log(defaultSet.size, 'default certificates');
+console.log(extraSet.size, 'extra certificates')
+
+// Parent process is supposed to call this with
+// NODE_EXTRA_CA_CERTS set to test/fixtures/keys/ca1-cert.pem.
+assert.strictEqual(extraSet.size, 1);
+
+// Check that default set is a super set of extra set.
+assert.deepStrictEqual(defaultSet.intersection(extraSet),
+                       extraSet);
diff --git a/test/fixtures/tls-get-ca-certificates.js b/test/fixtures/tls-get-ca-certificates.js
new file mode 100644
index 00000000000000..e21f06b81b34ea
--- /dev/null
+++ b/test/fixtures/tls-get-ca-certificates.js
@@ -0,0 +1,11 @@
+'use strict';
+// This fixture just writes tls.getCACertificates() outputs to process.env.CA_OUT
+const tls = require('tls');
+const fs = require('fs');
+const assert = require('assert');
+assert(process.env.CA_TYPE);
+assert(process.env.CA_OUT);
+
+const certs = tls.getCACertificates(process.env.CA_TYPE);
+
+fs.writeFileSync(process.env.CA_OUT, JSON.stringify(certs), 'utf8');
diff --git a/test/parallel/test-tls-get-ca-certificates-bundled-subset.js b/test/parallel/test-tls-get-ca-certificates-bundled-subset.js
new file mode 100644
index 00000000000000..b9fe43b965dbe9
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-bundled-subset.js
@@ -0,0 +1,17 @@
+'use strict';
+// Flags: --no-use-openssl-ca
+// This tests that tls.getCACertificates() returns the bundled
+// certificates correctly.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const defaultSet = new Set(tls.getCACertificates('default'));
+const bundledSet = new Set(tls.getCACertificates('bundled'));
+
+// When --use-openssl-ca is false (i.e. bundled CA is sued),
+// default is a superset of bundled certificates.
+assert.deepStrictEqual(defaultSet.intersection(bundledSet), bundledSet);
diff --git a/test/parallel/test-tls-get-ca-certificates-bundled.js b/test/parallel/test-tls-get-ca-certificates-bundled.js
new file mode 100644
index 00000000000000..5dbe254bcabd5a
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-bundled.js
@@ -0,0 +1,20 @@
+'use strict';
+// This tests that tls.getCACertificates() returns the bundled
+// certificates correctly.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const { assertIsCAArray } = require('../common/tls');
+
+const certs = tls.getCACertificates('bundled');
+assertIsCAArray(certs);
+
+// It's the same as tls.rootCertificates - both are
+// Mozilla CA stores across platform.
+assert.strictEqual(certs, tls.rootCertificates);
+
+// It's cached on subsequent accesses.
+assert.strictEqual(certs, tls.getCACertificates('bundled'));
diff --git a/test/parallel/test-tls-get-ca-certificates-default.js b/test/parallel/test-tls-get-ca-certificates-default.js
new file mode 100644
index 00000000000000..29fb2a29a8cb33
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-default.js
@@ -0,0 +1,20 @@
+'use strict';
+
+// This tests that tls.getCACertificates() returns the default
+// certificates correctly.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const { assertIsCAArray } = require('../common/tls');
+
+const certs = tls.getCACertificates();
+assertIsCAArray(certs);
+
+const certs2 = tls.getCACertificates('default');
+assert.strictEqual(certs, certs2);
+
+// It's cached on subsequent accesses.
+assert.strictEqual(certs, tls.getCACertificates('default'));
diff --git a/test/parallel/test-tls-get-ca-certificates-error.js b/test/parallel/test-tls-get-ca-certificates-error.js
new file mode 100644
index 00000000000000..da40b8fdf4e120
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-error.js
@@ -0,0 +1,20 @@
+'use strict';
+
+// This tests that tls.getCACertificates() throws error when being
+// passed an invalid argument.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+for (const invalid of [1, null, () => {}, true]) {
+  assert.throws(() => tls.getCACertificates(invalid), {
+    code: 'ERR_INVALID_ARG_TYPE'
+  });
+}
+
+assert.throws(() => tls.getCACertificates('test'), {
+  code: 'ERR_INVALID_ARG_VALUE'
+});
diff --git a/test/parallel/test-tls-get-ca-certificates-extra-empty.js b/test/parallel/test-tls-get-ca-certificates-extra-empty.js
new file mode 100644
index 00000000000000..f099a039624e98
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-extra-empty.js
@@ -0,0 +1,29 @@
+'use strict';
+// This tests that tls.getCACertificates('extra') returns an empty
+// array if NODE_EXTRA_CA_CERTS is empty.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+
+const assert = require('assert');
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
+const fixtures = require('../common/fixtures');
+
+tmpdir.refresh();
+const certsJSON = tmpdir.resolve('certs.json');
+
+// If NODE_EXTRA_CA_CERTS is not set, it should be an empty array.
+spawnSyncAndExitWithoutError(process.execPath, [fixtures.path('tls-get-ca-certificates.js')], {
+  env: {
+    ...process.env,
+    NODE_EXTRA_CA_CERTS: undefined,
+    CA_TYPE: 'extra',
+    CA_OUT: certsJSON,
+  }
+});
+
+const parsed = JSON.parse(fs.readFileSync(certsJSON, 'utf-8'));
+assert.deepStrictEqual(parsed, []);
diff --git a/test/parallel/test-tls-get-ca-certificates-extra-subset.js b/test/parallel/test-tls-get-ca-certificates-extra-subset.js
new file mode 100644
index 00000000000000..5fd3da47bd5b13
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-extra-subset.js
@@ -0,0 +1,16 @@
+'use strict';
+// This tests that tls.getCACertificates('defulat') returns a superset
+// of tls.getCACertificates('extra') when NODE_EXTRA_CA_CERTS is used.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
+const fixtures = require('../common/fixtures');
+
+spawnSyncAndExitWithoutError(process.execPath, [fixtures.path('tls-check-extra-ca-certificates.js')], {
+  env: {
+    ...process.env,
+    NODE_EXTRA_CA_CERTS: fixtures.path('keys', 'ca1-cert.pem'),
+  }
+});
diff --git a/test/parallel/test-tls-get-ca-certificates-extra.js b/test/parallel/test-tls-get-ca-certificates-extra.js
new file mode 100644
index 00000000000000..1ff6a51079295e
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-extra.js
@@ -0,0 +1,29 @@
+'use strict';
+// This tests that tls.getCACertificates('extra') returns the extra
+// certificates from NODE_EXTRA_CA_CERTS correctly.
+
+const common = require('../common');
+
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+const assert = require('assert');
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
+const fixtures = require('../common/fixtures');
+
+tmpdir.refresh();
+const certsJSON = tmpdir.resolve('certs.json');
+
+// If NODE_EXTRA_CA_CERTS is set, it should contain a list of certificates.
+spawnSyncAndExitWithoutError(process.execPath, [fixtures.path('tls-get-ca-certificates.js')], {
+  env: {
+    ...process.env,
+    NODE_EXTRA_CA_CERTS: fixtures.path('keys', 'ca1-cert.pem'),
+    CA_TYPE: 'extra',
+    CA_OUT: certsJSON,
+  }
+});
+
+const parsed = JSON.parse(fs.readFileSync(certsJSON, 'utf-8'));
+assert.deepStrictEqual(parsed, [fixtures.readKey('ca1-cert.pem', 'utf8')]);
diff --git a/test/parallel/test-tls-get-ca-certificates-system-without-flag.js b/test/parallel/test-tls-get-ca-certificates-system-without-flag.js
new file mode 100644
index 00000000000000..026e44fcaedad2
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-system-without-flag.js
@@ -0,0 +1,36 @@
+'use strict';
+
+// This tests that tls.getCACertificates() returns the system
+// certificates correctly when --use-system-ca is disabled.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+
+const assert = require('assert');
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
+const fixtures = require('../common/fixtures');
+const tls = require('tls');
+
+const certs = tls.getCACertificates('system');
+if (certs.length === 0) {
+  common.skip('No trusted system certificates installed. Skip.');
+}
+
+tmpdir.refresh();
+const certsJSON = tmpdir.resolve('certs.json');
+spawnSyncAndExitWithoutError(process.execPath, [
+  '--no-use-system-ca',
+  fixtures.path('tls-get-ca-certificates.js'),
+], {
+  env: {
+    ...process.env,
+    CA_TYPE: 'system',
+    CA_OUT: certsJSON,
+  }
+});
+
+const parsed = JSON.parse(fs.readFileSync(certsJSON, 'utf-8'));
+assert.deepStrictEqual(parsed, certs);
diff --git a/test/parallel/test-tls-get-ca-certificates-system.js b/test/parallel/test-tls-get-ca-certificates-system.js
new file mode 100644
index 00000000000000..0dfed80af92ceb
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-system.js
@@ -0,0 +1,32 @@
+'use strict';
+// Flags: --use-system-ca
+// This tests that tls.getCACertificates() returns the system
+// certificates correctly.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const { assertIsCAArray } = require('../common/tls');
+
+const systemCerts = tls.getCACertificates('system');
+// Usually Windows come with some certificates installed by default.
+// This can't be said about other systems, in that case check that
+// at least systemCerts is an array (which may be empty).
+if (common.isWindows) {
+  assertIsCAArray(systemCerts);
+} else {
+  assert(Array.isArray(systemCerts));
+}
+
+// When --use-system-ca is true, default is a superset of system
+// certificates.
+const defaultCerts = tls.getCACertificates('default');
+assert(defaultCerts.length >= systemCerts.length);
+const defaultSet = new Set(defaultCerts);
+const systemSet = new Set(systemCerts);
+assert.deepStrictEqual(defaultSet.intersection(systemSet), systemSet);
+
+// It's cached on subsequent accesses.
+assert.strictEqual(systemCerts, tls.getCACertificates('system'));
diff --git a/test/testpy/__init__.py b/test/testpy/__init__.py
index 46abdf6e53c919..91d076dbb35381 100644
--- a/test/testpy/__init__.py
+++ b/test/testpy/__init__.py
@@ -68,16 +68,19 @@ def GetCommand(self):
       # is currently when Node is configured --without-ssl and the tests should
       # still be runnable but skip any tests that require ssl (which includes the
       # inspector related tests). Also, if there is no ssl support the options
-      # '--use-bundled-ca' and '--use-openssl-ca' will also cause a similar
-      # failure so such tests are also skipped.
+      # '--use-bundled-ca', '--use-system-ca' and '--use-openssl-ca' will also
+      # cause a similar failure so such tests are also skipped.
       if (any(flag.startswith('--inspect') for flag in flags) and
           not self.context.v8_enable_inspector):
         print(': Skipping as node was compiled without inspector support')
       elif (('--use-bundled-ca' in flags or
           '--use-openssl-ca' in flags or
+          '--use-system-ca' in flags or
           '--tls-v1.0' in flags or
           '--tls-v1.1' in flags) and
           not self.context.node_has_crypto):
+        # TODO(joyeecheung): add this to the status file variables so that we can
+        # list the crypto dependency in the status files explicitly instead.
         print(': Skipping as node was compiled without crypto support')
       else:
         result += flags

From 4ef5c4081857079265fba90e7a19518c4bd6ff0c Mon Sep 17 00:00:00 2001
From: Joyee Cheung <joyeec9h3@gmail.com>
Date: Mon, 24 Feb 2025 16:44:17 +0800
Subject: [PATCH 2/3] fixup! tls: implement tls.getCACertificates()

---
 src/crypto/crypto_context.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index 2d1f2a30b3de96..cc585b6b395b8a 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -661,9 +661,6 @@ static void LoadCertsFromDir(std::vector<X509*>* certs,
     return;
   }
 
-  uv_fs_t stats_req;
-  auto cleanup_stats =
-      OnScopeLeave([&stats_req]() { uv_fs_req_cleanup(&stats_req); });
   for (;;) {
     uv_dirent_t ent;
 
@@ -680,12 +677,14 @@ static void LoadCertsFromDir(std::vector<X509*>* certs,
       return;
     }
 
+    uv_fs_t stats_req;
     std::string file_path = std::string(cert_dir) + "/" + ent.name;
     int stats_r = uv_fs_stat(nullptr, &stats_req, file_path.c_str(), nullptr);
     if (stats_r == 0 &&
         (static_cast<uv_stat_t*>(stats_req.ptr)->st_mode & S_IFREG)) {
       LoadCertsFromFile(certs, file_path.c_str());
     }
+    uv_fs_req_cleanup(&stats_req);
   }
 }
 

From 85599bfe7d6fffc1644c0a596c784b158651c349 Mon Sep 17 00:00:00 2001
From: Joyee Cheung <joyeec9h3@gmail.com>
Date: Tue, 4 Mar 2025 12:48:48 +0100
Subject: [PATCH 3/3] fixup! fixup! tls: implement tls.getCACertificates()

---
 test/testpy/__init__.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/test/testpy/__init__.py b/test/testpy/__init__.py
index 91d076dbb35381..b5d9ea726ff76b 100644
--- a/test/testpy/__init__.py
+++ b/test/testpy/__init__.py
@@ -76,6 +76,9 @@ def GetCommand(self):
       elif (('--use-bundled-ca' in flags or
           '--use-openssl-ca' in flags or
           '--use-system-ca' in flags or
+          '--no-use-bundled-ca' in flags or
+          '--no-use-openssl-ca' in flags or
+          '--no-use-system-ca' in flags or
           '--tls-v1.0' in flags or
           '--tls-v1.1' in flags) and
           not self.context.node_has_crypto):