src: refactor GetPeerCertificate

[danbev]

These commits split the GetPeerCertificate function into smaller function as described in the TODO comment:

// TODO(indutny): Split it into multiple smaller functions

I've mostly left the code as it was and want to trigger CI to pick up any issues.

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• commit message follows commit guidelines

Affected core subsystem(s)

src

[danbev]

CI: https://ci.nodejs.org/job/node-test-pull-request/11777/

[addaleax]

Why is this a pointer?

[danbev]

The reason was so that code in GetPeerCertificate depends on the value being pointed to by info be updated. But I realise that info does not have to be a pointer and we only need update it's pointer for this to work. Not sure if that made sense but I'll add a commit and hopefully this will become clearer. Thanks for pointing this out.

[addaleax]

Feel free to switch this over to the non-deprecated overload of Set() if you like :)

[danbev]

Ah good point, I'll update to use the function taking a context. Thanks

[bnoordhuis]

Related: it would be more efficient to move these two lines out of the loop. Likewise in GetLastIssuedCert().

[addaleax]

Similar question here

[bnoordhuis]

You don't have to pass a pointer since you don't replace the Object, just add properties to it.

[danbev]

Thanks, I've changed this now (locally).

[bnoordhuis]

Not a hugely useful comment. If you call the function AddIssuerToObject(), it's self-documenting.

[danbev]

I like that, I'll rename the function.

[bnoordhuis]

Since you're here, can you punctuate the comments?

[danbev]

Absolutely.

[bnoordhuis]

Unrelated observation: I think this could just be for (;;) { - the same check is effectively done at the end of the loop when i == 0.

[danbev]

Nice, I'll take a closer look at this.

[bnoordhuis]

It might be nicer (certainly more Obviously Correct) to move the sk_X509_pop_free() on error into this function.

[danbev]

I'll take a look and fix this. Thanks

[danbev]

I've pushed a few commit but I've not addressed this yet. Will revisit this next week. I was wondering if you meant that I add sk_X509_pop_free() to this function in addition to the one in GetPeerCertificate which I think is needed as peer_cert is used after this function?

[bnoordhuis]

Related: it would be more efficient to move these two lines out of the loop. Likewise in GetLastIssuedCert().

[bnoordhuis]

Can you drop the braces for consistency with the surrounding code?

[danbev]

Yeah, I'll remove them

[bnoordhuis]

peer_certs can't be const because it's modified inside the function.

[danbev]

Thanks, I've changed that now.

[danbev]

Related: it would be more efficient to move these two lines out of the loop. Likewise in > GetLastIssuedCert().

I've pushed a few commit but I've not addressed this yet. Will revisit this next week.

[danbev]

Rebased CI: https://ci.nodejs.org/job/node-test-pull-request/11852/

[danbev]

Local<Object> ca_info = X509ToObject(env, ca);
info->Set(env->issuercert_string(), ca_info);

Related: it would be more efficient to move these two lines out of the loop. Likewise in GetLastIssuedCert().

@bnoordhuis I've been looking into moving these lines out of the loop and ran into an issue. My understanding is that this code is creating a link/chain of #issuerCertificate from the object instance. Something like:

object -> #issuerCertificate -> ca_info -> #issuerCertificate -> ca_info

Without setting the #issuerCertificate in the loop a certificates would be skipped. Sorry if I'm missing something here, I've been looking at this for a while now and think I need some help.

[danbev]

CI: https://ci.nodejs.org/job/node-test-pull-request/11881/

[addaleax]

nit: destruct → destroy? :)

[danbev]

Perhaps this comment could be remove now. Just reading it again perhaps the method signature should be changed to:

if (CloneSSLCerts(&cert, ssl_certs, &peer_certs)) {

What do you think, would that be clear without the comment?

[bnoordhuis]

Yep, self-explanatory now.

[bnoordhuis]

I think we've settled on .FromJust() (232 vs 44 hits for .ToChecked() at the time of writing.)

[danbev]

Thanks, I'll correct these.

[bnoordhuis]

Likewise.

[bnoordhuis]

You're right you can't factor out the .Set() calls because they build up a linked list but that arguably makes AddIssuerToObject() a bit of a misnomer.

Can you try to pass arguments in the same order to both functions?

[danbev]

Perhaps a better name would be AddIssuerChainToObject?

Can you try to pass arguments in the same order to both functions?

Yep, I'll update the order. Thanks

[bnoordhuis]

Yep, self-explanatory now.

[addaleax]

CI: https://ci.nodejs.org/job/node-test-commit/14720/

[danbev]

test/windows-fanned failure looks unrelated

console output:

ERROR: Error fetching remote repo 'jenkins_tmp'
hudson.plugins.git.GitException: Failed to fetch from git@github.com:janeasystems/node_binary_tmp.git
	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:825)
	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1092)
	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1123)
	at hudson.scm.SCM.checkout(SCM.java:495)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1202)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:574)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
	at hudson.model.Run.execute(Run.java:1724)
	at hudson.matrix.MatrixRun.run(MatrixRun.java:146)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:421)
Caused by: hudson.plugins.git.GitException: Command "git reset --hard" returned status code 128:
stdout: 
stderr: fatal: Unable to create 'c:/workspace/node-test-binary-windows/.git/index.lock': File exists.

[danbev]

@bnoordhuis When you get a chance would you be able to take a look at the lastest updates and see what you think?

[bnoordhuis]

LGTM with two requests.

[bnoordhuis]

In a similar vein, can you add *peer_certs = nullptr;?

[bnoordhuis]

Just a suggestion but it would be better if this function didn't mutate and invalidate peer_certs.

Failing that, perhaps pass peer_certs as an indirect pointer and set *peer_certs = nullptr; here?

[danbev]

Sounds good, I'll take a look. Thanks

[jasnell]

LGTM with @bnoordhuis suggestion

[BridgeAR]

@danbev would you be so kind and please update this accordingly to the suggestions? :-)

[danbev]

@BridgeAR I hope to revisit this next week (though I've got a sick kid here and I might not be working at all next week by the looks of it)

[BridgeAR]

Ping @danbev

[BridgeAR]

Ping @danbev

[danbev]

@BridgeAR I've just not had time to revisit this yet but intend to.

[BridgeAR]

CI https://ci.nodejs.org/job/node-test-pull-request/13433/

[BridgeAR]

@bnoordhuis @jasnell @addaleax PTAL

[danbev]

I'm setting this to in-progress as I've not hade time to look closer at @bnoordhuis latest suggestions. I hope to make some time for this soon.

[bnoordhuis]

#19087 - had 30 minutes to kill. :-)

[danbev]

Closing in favour of #19087