tls: load NODE_EXTRA_CA_CERTS at startup

This commit makes node load extra certificates at startup instead
of first use.

PR-URL: https://github.com/nodejs/node/pull/23354
Fixes: https://github.com/nodejs/node/issues/20434
Refs: https://github.com/nodejs/node/issues/20432
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>

2 files changed, 62 insertions, 0 deletions

diff --git a/test/parallel/test-tls-env-extra-ca-file-load.js b/test/parallel/test-tls-env-extra-ca-file-load.js
new file mode 100644
index 0000000000..fa97d7c0c6
--- /dev/null
+++ b/test/parallel/test-tls-env-extra-ca-file-load.js
@@ -0,0 +1,40 @@
+'use strict';
+// Flags: --expose-internals
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fixtures = require('../common/fixtures');
+const { internalBinding } = require('internal/test/binding');
+const binding = internalBinding('crypto');
+
+const { fork } = require('child_process');
+
+// This test ensures that extra certificates are loaded at startup.
+if (process.argv[2] !== 'child') {
+  if (process.env.CHILD_USE_EXTRA_CA_CERTS === 'yes') {
+    assert.strictEqual(binding.isExtraRootCertsFileLoaded(), true);
+  } else if (process.env.CHILD_USE_EXTRA_CA_CERTS === 'no') {
+    assert.strictEqual(binding.isExtraRootCertsFileLoaded(), false);
+    tls.createServer({});
+    assert.strictEqual(binding.isExtraRootCertsFileLoaded(), false);
+  }
+} else {
+  const NODE_EXTRA_CA_CERTS = fixtures.path('keys', 'ca1-cert.pem');
+  const extendsEnv = (obj) => Object.assign({}, process.env, obj);
+
+  [
+    extendsEnv({ CHILD_USE_EXTRA_CA_CERTS: 'yes', NODE_EXTRA_CA_CERTS }),
+    extendsEnv({ CHILD_USE_EXTRA_CA_CERTS: 'no' }),
+  ].forEach((processEnv) => {
+    fork(__filename, ['child'], { env: processEnv })
+    .on('exit', common.mustCall((status) => {
+      // client did not succeed in connecting
+      assert.strictEqual(status, 0);
+    }));
+  });
+}
diff --git a/test/parallel/test-tls-env-extra-ca-no-crypto.js b/test/parallel/test-tls-env-extra-ca-no-crypto.js
new file mode 100644
index 0000000000..06399c5d23
--- /dev/null
+++ b/test/parallel/test-tls-env-extra-ca-no-crypto.js
@@ -0,0 +1,22 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+const assert = require('assert');
+const { fork } = require('child_process');
+
+// This test ensures that trying to load extra certs won't throw even when
+// there is no crypto support, i.e., built with "./configure --without-ssl".
+if (process.argv[2] === 'child') {
+  // exit
+} else {
+  const NODE_EXTRA_CA_CERTS = fixtures.path('keys', 'ca1-cert.pem');
+
+  fork(
+    __filename,
+    ['child'],
+    { env: Object.assign({}, process.env, { NODE_EXTRA_CA_CERTS }) },
+  ).on('exit', common.mustCall(function(status) {
+    // client did not succeed in connecting
+    assert.strictEqual(status, 0);
+  }));
+}