src: modify SecureContext::SetCACert to not create root certificate store

[ShenHongFei]

This modification is mainly to optimize the startup performance of http2 and https servers (or may be tls clients's first connection?) When the user specifies a ca, it skips loading more than 100 root certificates built into node.js, and the startup speed is 15 ms faster.

In SecureContext::SetCACert funciton we cound get the existing cert store from the SSL context instead of GetCertStoreOwnedByThisSecureContext() (in which calls NewRootCertStore()) to avoid creating X509_STORE based on root_certs (more than 130), which is very slow.

According to the documentation, when passing in the ca option, you do not add it to the node.js built-in root certificates but replace them, so you do not need to use the built-in root certificate to initialize the x509 store.

node/doc/api/tls.md

Lines 1984 to 2004 in 8253290

	* `options` {Object}
	* `allowPartialTrustChain` {boolean} Treat intermediate (non-self-signed)
	certificates in the trust CA certificate list as trusted.
	* `ca` {string|string\[]|Buffer|Buffer\[]} Optionally override the trusted CA
	certificates. Default is to trust the well-known CAs curated by Mozilla.
	Mozilla's CAs are completely replaced when CAs are explicitly specified
	using this option. The value can be a string or `Buffer`, or an `Array` of
	strings and/or `Buffer`s. Any string or `Buffer` can contain multiple PEM
	CAs concatenated together. The peer's certificate must be chainable to a CA
	trusted by the server for the connection to be authenticated. When using
	certificates that are not chainable to a well-known CA, the certificate's CA
	must be explicitly specified as a trusted or the connection will fail to
	authenticate.
	If the peer uses a certificate that doesn't match or chain to one of the
	default CAs, use the `ca` option to provide a CA certificate that the peer's
	certificate can match or chain to.
	For self-signed certificates, the certificate is its own CA, and must be
	provided.
	For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
	"X509 CERTIFICATE", and "CERTIFICATE".
	See also [`tls.rootCertificates`][].

The slow loading of root certificates is a known issue of openssl3 (openssl/openssl#16871) and has not been fixed. @mhdawson
There are also related issues in node.js:

• Openssl 3 with NODE_EXTRA_CA_CERTS slows down node.js v17 startup (Openssl 3 with NODE_EXTRA_CA_CERTS slows down node.js v17 startup #40524)

before optimization

after optimization

cc @nodejs/crypto @nodejs/tls

If anyone can help me benchmark it, I'd be very grateful.

[nodejs-github-bot]

Review requested:

• @nodejs/crypto

[codecov]

Codecov Report

❌ Patch coverage is 65.51724% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.54%. Comparing base (a73c41c) to head (5efa9aa).
⚠️ Report is 2716 commits behind head on main.

Files with missing lines	Patch %	Lines
src/crypto/crypto_context.cc	65.51%	7 Missing and 3 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #56301   +/-   ##
=======================================
  Coverage   88.54%   88.54%           
=======================================
  Files         657      657           
  Lines      190290   190323   +33     
  Branches    36533    36547   +14     
=======================================
+ Hits       168488   168525   +37     
+ Misses      14984    14981    -3     
+ Partials     6818     6817    -1     

Files with missing lines	Coverage Δ
src/crypto/crypto_context.cc	68.04% <65.51%> (-0.12%)	⬇️

... and 30 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ShenHongFei]

node.exe D:/1/nodejs/benchmark/compare.js --old T:/node.v23.4.0.exe --new D:/1/nodejs/node.exe --runs 20 --filter create-secure-context tls

                                       confidence improvement accuracy (*)   (**)  (***)
tls\\create-secure-context.js ca=0 n=1        ***     -6.47 %       ±1.09% ±1.48% ±1.99%
tls\\create-secure-context.js ca=0 n=5        ***     -7.62 %       ±0.49% ±0.66% ±0.87%
tls\\create-secure-context.js ca=1 n=1        ***    849.45 %       ±3.56% ±4.86% ±6.59%
tls\\create-secure-context.js ca=1 n=5        ***    847.31 %       ±4.21% ±5.75% ±7.81%

const common = require('../common.js');
const fixtures = require('../../test/common/fixtures');
const tls = require('tls');

const bench = common.createBenchmark(main, {
  n: [1, 5],
  ca: [0, 1],
});

function main(conf) {
  const n = conf.n;

  const options = {
    key: fixtures.readKey('rsa_private.pem'),
    cert: fixtures.readKey('rsa_cert.crt'),
    ca: conf.ca === 1 ? [fixtures.readKey('rsa_ca.crt')] : undefined,
  };

  bench.start();
  tls.createSecureContext(options);
  bench.end(n);
}

[ShenHongFei]

It's been two weeks. Could someone please take a little time to review and move this PR forward? @addaleax @jasnell @tniessen @mgochoa

Let me explain a little more about what I optimized specifically:

When creating SecureContext, the call stack is as follows
function createSecureContext
    const c = new SecureContext(secureProtocol, secureOptions, minVersion, maxVersion);
    
    Configure SecureContext in configSecureContext(c.context, ...)
        if (ca)  // When ca option is passed, according to docs, only need to load provided ca cert, no need to load root certs
            Called context.addCACert(cert);
                sc->SetCACert(bio);
                    !! Old Logic !!
                        X509_STORE* cert_store = GetCertStoreOwnedByThisSecureContext()
                            X509_STORE* cert_store = SSL_CTX_get_cert_store(ctx_.get());
                            
                            // Check if current ssl ctx's cert store is global store, if yes, create a new cert store
                            // This is a typical copy on write scenario
                            if (cert_store == GetOrCreateRootCertStore()) {
                                // GetOrCreateRootCertStore() does
                                // static X509_STORE* store = NewRootCertStore();  // !! Slow operation !!
                                // return store;
                                
                                cert_store = NewRootCertStore();
                                SSL_CTX_set_cert_store(ctx_.get(), cert_store);
                            }
                            
                            return own_cert_store_cache_ = cert_store;
                        
                        X509_STORE_add_cert(own_cert_store_cache_, x509.get())
                    
                    !! New Logic !!
                        X509_STORE* cert_store;
                        
                        // Check if current ssl ctx's cert store is global store, if yes, create a new cert store
                        if (own_cert_store_cache_)
                            cert_store = own_cert_store_cache_;
                        else
                            SSL_CTX_set_cert_store(
                                ctx_.get(),
                                
                                // Same copy on write, but copy directly from ssl ctx (should be empty), don't load root certs
                                own_cert_store_cache_ = CopyX509Store(
                                    SSL_CTX_get_cert_store(ctx_.get())
                                )
                            );
                        
                        X509_STORE_add_cert(own_cert_store_cache_, x509.get())
                
                
            
        else  // If not passed, load default root certs
            context.addRootCerts();

[mcollina]

It's been two weeks. Could someone please take a little time to review and move this PR forward?

Most people take some time off during the holidays. We'll review it eventually.

[mcollina]

Will all the CAs certificates be loaded in case they are needed?

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/64267/

[ShenHongFei]

Will all the CAs certificates be loaded in case they are needed?

@mcollina

• When the user sets the ca option, only the passed ca will take effect and the root certificate will not be loaded.
• When the ca option is not set, all default root certificates will be loaded.

This is also stated in the current document.
https://nodejs.org/docs/latest/api/tls.html#new-tlstlssocketsocket-options:~:text=Optionally%20override%20the%20trusted%20CA%20certificates.

If the user wants both, he can write

import { createSecureContext, rootCertificates } from 'tls'

createSecureContext({
    ca: [userCertificate, ...rootCertificates]
})

[ShenHongFei]

There is a ci error that seems unrelated to this commit, and I don't know how to fix it

      cmd: '/home/iojs/build/workspace/node/out/Release/node --allow-natives-syntax /home/iojs/build/workspace/node/test/fixtures/guess-hash-seed.js',
      stdout: '',
      stderr: '/home/iojs/build/workspace/node/test/fixtures/guess-hash-seed.js:163\n' +
        "  throw new Error('no candidates remaining');\n" +
        '  ^\n' +
        '\n' +
        'Error: no candidates remaining\n' +
        '    at Object.<anonymous> (/home/iojs/build/workspace/node/test/fixtures/guess-hash-seed.js:163:9)\n' +
        '\n' +
        'Node.js v24.0.0-pre\n'