# Maintaining the root certificates

Node.js contains a compiled-in set of root certificates used as trust anchors
for TLS certificate validation.

The certificates come from Mozilla, specifically NSS's `certdata.txt` file.

The PEM encodings of the certificates are converted to C strings, and committed
in `src/node_root_certs.h`.

## When to update

Root certificates should be updated sometime after Mozilla makes an NSS release;
check the [NSS release schedule][].

## Process

The `tools/dep_updaters/update-root-certs.mjs` script automates the update of
the root certificates, including:

* Downloading `certdata.txt` from Mozilla's source control repository.
* Running `tools/mk-ca-bundle.pl` to convert the certificates and generate
  `src/node_root_certs.h`.
* Using `git diff-files` to determine which certificates have been added and/or
  removed.

Manual instructions are included in the following collapsed section.

<details>

Commands assume that the current working directory is the root of a checkout of
the nodejs/node repository.

1. Find NSS metadata for update.

   The latest released NSS version, release date, Firefox version, and Firefox
   release date can be found in the [NSS release schedule][].

   The tag to fetch `certdata.txt` from is found by looking for the release
   version in the [tag list][].

2. Update `certdata.txt` from the NSS release tag.

   Update the tag in the commands below, and run:

   ```bash
   cd tools/
   ./mk-ca-bundle.pl -v 2>_before
   curl -O https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt
   ```

   The `_before` file will be used later. Verify that this run of
   `mk-ca-bundle` made no changes to `src/node_root_certs.h`: it ran against the
   `certdata.txt` already committed, so the header should already match it. If
   it did change, something went wrong with the previous update. Seek help!

   Update metadata in the message below, and commit `certdata.txt`:

   ```text
   tools: update certdata.txt

   This is the certdata.txt[0] from NSS 3.41, released on 2018-12-03.

   This is the version of NSS that will ship in Firefox 65 on
   2018-12-11.

   [0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_41_RTM/lib/ckfw/builtins/certdata.txt
   ```

3. Update `node_root_certs.h` from `certdata.txt`.

   Run the command below:

   ```bash
   ./mk-ca-bundle.pl -v 2>_after
   ```

   Confirm that `../src/node_root_certs.h` was updated.

   Determine what changes were made by diffing the before and after files:

   ```console
   % diff _before _after
   11d10
   < Parsing: Visa eCommerce Root
   106d104
   < Parsing: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
   113,117d110
   < Parsing: Certplus Root CA G1
   < Parsing: Certplus Root CA G2
   < Parsing: OpenTrust Root CA G1
   < Parsing: OpenTrust Root CA G2
   < Parsing: OpenTrust Root CA G3
   134c127,136
   < Done (133 CA certs processed, 20 skipped).
   ---
   > Parsing: GlobalSign Root CA - R6
   > Parsing: OISTE WISeKey Global Root GC CA
   > Parsing: GTS Root R1
   > Parsing: GTS Root R2
   > Parsing: GTS Root R3
   > Parsing: GTS Root R4
   > Parsing: UCA Global G2 Root
   > Parsing: UCA Extended Validation Root
   > Parsing: Certigna Root CA
   > Done (135 CA certs processed, 16 skipped).
   ```

   Use the diff to update the message below, and commit `src/node_root_certs.h`:

   ```text
   crypto: update root certificates

   Update the list of root certificates in src/node_root_certs.h with
   tools/mk-ca-bundle.pl.

   Certificates added:
   - GlobalSign Root CA - R6
   - OISTE WISeKey Global Root GC CA
   - GTS Root R1
   - GTS Root R2
   - GTS Root R3
   - GTS Root R4
   - UCA Global G2 Root
   - UCA Extended Validation Root
   - Certigna Root CA

   Certificates removed:
   - Visa eCommerce Root
   - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
   - Certplus Root CA G1
   - Certplus Root CA G2
   - OpenTrust Root CA G1
   - OpenTrust Root CA G2
   - OpenTrust Root CA G3
   ```

</details>
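Step 3 above only asks you to confirm that `src/node_root_certs.h` changed. The script below is an added check, written for this page and not part of nodejs/node or of `mk-ca-bundle.pl`: it parses the C-string form of the header, decodes each PEM body, and verifies that every entry starts with a DER SEQUENCE whose declared length matches the number of decoded bytes (a truncated or garbled PEM line fails here), and that no certificate name appears twice. The `/* name */` comment followed by one C string literal per PEM line is an assumed, simplified layout of the generated header, the function names are my own, and `SAMPLE_HEADER` is a constructed input whose second entry is deliberately truncated.

```javascript
// Added example (not from nodejs/node): sanity-check the generated
// src/node_root_certs.h before committing it.
//
// Assumed layout (a simplification, not copied from the real header):
// a "/* name */" comment, then one C string literal per PEM line.
// SAMPLE_HEADER is constructed: entry A is a minimal valid DER SEQUENCE
// (30 03 02 01 01); entry B is the same element with its last byte missing.
const SAMPLE_HEADER = `/* Example Root A */
"-----BEGIN CERTIFICATE-----\\n"
"MAMCAQE=\\n"
"-----END CERTIFICATE-----",
/* Example Root B */
"-----BEGIN CERTIFICATE-----\\n"
"MAMCAQ==\\n"
"-----END CERTIFICATE-----",
`;

// Parse the header into [{ name, der }] entries, decoding each PEM body.
function parseRootCertsHeader(text) {
  const entries = [];
  let name = null;
  let pemLines = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const comment = /^\/\* (.+) \*\/$/.exec(line);
    if (comment) {
      name = comment[1];
      pemLines = [];
      continue;
    }
    const literal = /^"(.*)"(,?)$/.exec(line);
    if (!literal || name === null) continue;
    const value = literal[1].replace(/\\n$/, ''); // strip the C "\n" escape
    pemLines.push(value);
    if (value === '-----END CERTIFICATE-----') {
      const body = pemLines.slice(1, -1).join(''); // base64 between the markers
      entries.push({ name, der: Buffer.from(body, 'base64') });
      name = null;
    }
  }
  return entries;
}

// Total length (tag + length bytes + content) that the outer DER element
// claims, or -1 if it is not a well-formed SEQUENCE header. An X.509
// certificate is always an outer SEQUENCE (tag 0x30).
function derElementLength(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) return -1;
  const first = buf[1];
  if (first < 0x80) return 2 + first; // short form: one length byte
  const n = first & 0x7f; // long form: n big-endian length bytes follow
  if (n === 0 || n > 4 || buf.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
  return 2 + n + len;
}

// Returns a list of problems; an empty list means the header passed.
function checkRootCertsHeader(text) {
  const problems = [];
  const seen = new Set();
  const entries = parseRootCertsHeader(text);
  if (entries.length === 0) problems.push('no certificates found');
  for (const { name, der } of entries) {
    if (seen.has(name)) problems.push(`duplicate entry: ${name}`);
    seen.add(name);
    const claimed = derElementLength(der);
    if (claimed !== der.length) {
      problems.push(`${name}: decoded ${der.length} bytes but DER header declares ${claimed}`);
    }
  }
  return problems;
}

if (typeof require !== 'undefined' && require.main === module) {
  const found = checkRootCertsHeader(SAMPLE_HEADER);
  console.log(found.length ? found.join('\n') : 'header OK');
}
```

To use it on a real checkout, read `src/node_root_certs.h` with `fs.readFileSync` and pass the text to `checkRootCertsHeader`; a non-empty result should block the commit. The length check is deliberately shallow (it does not parse the certificate fields), which keeps it independent of any X.509 library while still catching the common failure of a cut-off or mangled PEM block.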

[NSS release schedule]: https://wiki.mozilla.org/NSS:Release_Versions
[tag list]: https://hg.mozilla.org/projects/nss/tags
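Step 3 of the manual process reads the added and removed names off a `diff` of `_before` and `_after` and pastes them into the commit message by hand. The script below is an added example, not code from nodejs/node or from `update-root-certs.mjs`, that derives the same lists from the two `-v` logs: it extracts the `Parsing:` names from each, cross-checks them against the `Done (...)` counts so a truncated log is caught, and renders the `crypto: update root certificates` message in the layout shown above. `BEFORE_LOG` and `AFTER_LOG` are constructed samples in that log format, and the function names are my own.

```javascript
// Added example (not from nodejs/node): derive the "Certificates added" and
// "Certificates removed" lists for the commit message from the
// `mk-ca-bundle.pl -v` logs captured before (_before) and after (_after)
// updating certdata.txt.

// Constructed sample logs in the format shown in the diff above: one
// "Parsing: <name>" line per certificate, then a "Done (...)" summary.
const BEFORE_LOG = `Parsing: Visa eCommerce Root
Parsing: GlobalSign Root CA
Parsing: Certplus Root CA G1
Done (3 CA certs processed, 1 skipped).
`;

const AFTER_LOG = `Parsing: GlobalSign Root CA
Parsing: GTS Root R1
Parsing: Certigna Root CA
Done (3 CA certs processed, 0 skipped).
`;

// Certificate names in the order mk-ca-bundle.pl parsed them.
function parsedCertNames(log) {
  const names = [];
  for (const line of log.split('\n')) {
    const m = /^Parsing: (.+)$/.exec(line.trim());
    if (m) names.push(m[1]);
  }
  return names;
}

// The "Done (N CA certs processed, M skipped)" summary as numbers.
function parsedSummary(log) {
  const m = /Done \((\d+) CA certs processed, (\d+) skipped\)/.exec(log);
  if (!m) throw new Error('log has no "Done (...)" summary line');
  return { processed: Number(m[1]), skipped: Number(m[2]) };
}

// Names present only in the after-log are added; names present only in the
// before-log are removed. Order follows certdata.txt so the lists match the
// diff output.
function diffRootCerts(beforeLog, afterLog) {
  const before = parsedCertNames(beforeLog);
  const after = parsedCertNames(afterLog);
  // Cross-check each log against its own summary: a mismatch means the log
  // was truncated or the tool's output format changed.
  for (const [log, names] of [[beforeLog, before], [afterLog, after]]) {
    const { processed } = parsedSummary(log);
    if (processed !== names.length) {
      throw new Error(`summary reports ${processed} certs but ${names.length} were parsed`);
    }
  }
  const beforeSet = new Set(before);
  const afterSet = new Set(after);
  return {
    added: after.filter((n) => !beforeSet.has(n)),
    removed: before.filter((n) => !afterSet.has(n)),
  };
}

// Commit message in the layout of the "crypto: update root certificates"
// message above; a section is omitted when its list is empty.
function commitMessage({ added, removed }) {
  const lines = [
    'crypto: update root certificates',
    '',
    'Update the list of root certificates in src/node_root_certs.h with',
    'tools/mk-ca-bundle.pl.',
  ];
  if (added.length) lines.push('', 'Certificates added:', ...added.map((n) => `- ${n}`));
  if (removed.length) lines.push('', 'Certificates removed:', ...removed.map((n) => `- ${n}`));
  return lines.join('\n') + '\n';
}

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(commitMessage(diffRootCerts(BEFORE_LOG, AFTER_LOG)));
}
```

On a real update, replace the constructed constants with the contents of `tools/_before` and `tools/_after` (for example via `fs.readFileSync(path, 'utf8')`) and pipe the output into `git commit -F -`. Comparing name lists rather than raw `diff` hunks also means a certificate that merely moved position in `certdata.txt` is not misreported as removed and re-added.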