nodejs/test/parallel/test-tls-get-ca-certificates-system.js

'use strict';
// Flags: --use-system-ca
// This tests that tls.getCACertificates() returns the system
// certificates correctly.

const common = require('../common');
if (!common.hasCrypto) common.skip('missing crypto');

const assert = require('assert');
const tls = require('tls');
const { assertIsCAArray } = require('../common/tls');

const systemCerts = tls.getCACertificates('system');
// Usually Windows come with some certificates installed by default.
// This can't be said about other systems, in that case check that
// at least systemCerts is an array (which may be empty).
if (common.isWindows) {
  assertIsCAArray(systemCerts);
} else {
  assert(Array.isArray(systemCerts));
}

// When --use-system-ca is true, default is a superset of system
// certificates.
const defaultCerts = tls.getCACertificates('default');
assert(defaultCerts.length >= systemCerts.length);
const defaultSet = new Set(defaultCerts);
const systemSet = new Set(systemCerts);
assert.deepStrictEqual(defaultSet.intersection(systemSet), systemSet);

// It's cached on subsequent accesses.
assert.strictEqual(systemCerts, tls.getCACertificates('system'));
tls: implement tls.getCACertificates() To accompany --use-system-ca, this adds a new API that allows querying various kinds of CA certificates. - If the first argument `type` is `"default"` or undefined, it returns the CA certificates that will be used by Node.js TLS clients by default, which includes the Mozilla CA if --use-bundled-ca is enabled or --use-openssl-ca is not enabled, and the system certificates if --use-system-ca is enabled, and the extra certificates if NODE_EXTRA_CA_CERTS is used. - If `type` is `"system"` this returns the system certificates, regardless of whether --use-system-ca is enabeld or not. - If `type` is `"bundled"` this is the same as `tls.rootCertificates` and returns the Mozilla CA certificates. - If `type` is `"extra"` this returns the certificates parsed from the path specified by NODE_EXTRA_CA_CERTS. Drive-by: remove the inaccurate description in `tls.rootCertificates` about including system certificates, since it in fact does not include them, and also it is contradicting the previous description about `tls.rootCertificates` always returning the Mozilla CA store and staying the same across platforms. PR-URL: https://github.com/nodejs/node/pull/57107 Reviewed-By: James M Snell <jasnell@gmail.com> 2025-03-06 18:16:27 +01:00			`'use strict';`
			`// Flags: --use-system-ca`
			`// This tests that tls.getCACertificates() returns the system`
			`// certificates correctly.`

			`const common = require('../common');`
			`if (!common.hasCrypto) common.skip('missing crypto');`

			`const assert = require('assert');`
			`const tls = require('tls');`
			`const { assertIsCAArray } = require('../common/tls');`

			`const systemCerts = tls.getCACertificates('system');`
			`// Usually Windows come with some certificates installed by default.`
			`// This can't be said about other systems, in that case check that`
			`// at least systemCerts is an array (which may be empty).`
			`if (common.isWindows) {`
			`assertIsCAArray(systemCerts);`
			`} else {`
			`assert(Array.isArray(systemCerts));`
			`}`

			`// When --use-system-ca is true, default is a superset of system`
			`// certificates.`
			`const defaultCerts = tls.getCACertificates('default');`
			`assert(defaultCerts.length >= systemCerts.length);`
			`const defaultSet = new Set(defaultCerts);`
			`const systemSet = new Set(systemCerts);`
			`assert.deepStrictEqual(defaultSet.intersection(systemSet), systemSet);`

			`// It's cached on subsequent accesses.`
			`assert.strictEqual(systemCerts, tls.getCACertificates('system'));`