src: modify SecureContext::SetCACert to not use root_certs

nodejs · Dec 18, 2024 · e9e0a97 · e9e0a97
1 parent 8253290
commit e9e0a97
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -785,9 +785,17 @@ void SecureContext::SetCACert(const BIOPointer& bio) {
   if (!bio) return;
   while (X509Pointer x509 = X509Pointer(PEM_read_bio_X509_AUX(
              bio.get(), nullptr, NoPasswordCallback, nullptr))) {
-    CHECK_EQ(1,
-             X509_STORE_add_cert(GetCertStoreOwnedByThisSecureContext(),
-                                 x509.get()));
+    // Avoid calling GetCertStoreOwnedByThisSecureContext() in SetCACert method, 
+    // because it will create X509_STORE based on root_certs (more than 150), 
+    // which is very slow
+    X509_STORE* cert_store;
+    if (own_cert_store_cache_)
+      cert_store = own_cert_store_cache_;
+    else
+      SSL_CTX_set_cert_store(ctx_.get(), own_cert_store_cache_ = cert_store = X509_STORE_new());
+      // No need to call X509_STORE_free manually, 
+      // SSL_CTX_set_cert_store will take over the ownership of X509_STORE
+    CHECK_EQ(1, X509_STORE_add_cert(cert_store, x509.get()));
     CHECK_EQ(1, SSL_CTX_add_client_CA(ctx_.get(), x509.get()));
   }
 }