crypto: load system CA certificates off thread

When --use-system-ca is enabled, load the system CA certificates eagerly off the main thread to avoid blocking the main thread when the first TLS connection is made. PR-URL: nodejs#59550 Refs: nodejs#58990 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com>

Author: joyeecheung

src/crypto/crypto_context.cc

@@ -814,6 +814,23 @@ static std::vector<X509*>& GetSystemStoreCACertificates() {
  return system_store_certs;
 }
 
+static void LoadSystemCACertificates(void* data) {
+ GetSystemStoreCACertificates();
+}
+
+static uv_thread_t system_ca_thread;
+static bool system_ca_thread_started = false;
+int LoadSystemCACertificatesOffThread() {
+ // This is only run once during the initialization of the process, so
+ // it is safe to use a static thread here.
+ int r =
+ uv_thread_create(&system_ca_thread, LoadSystemCACertificates, nullptr);
+ if (r == 0) {
+ system_ca_thread_started = true;
+ }
+ return r;
+}
+
 static std::vector<X509*> InitializeExtraCACertificates() {
  std::vector<X509*> extra_certs;
  unsigned long err = LoadCertsFromFile( // NOLINT(runtime/int)
@@ -925,6 +942,10 @@ void CleanupCachedRootCertificates() {
  X509_free(cert);
  }
  }
+ if (system_ca_thread_started) {
+ uv_thread_join(&system_ca_thread);
+ system_ca_thread_started = false;
+ }
 }
 
 void GetBundledRootCertificates(const FunctionCallbackInfo<Value>& args) {

src/crypto/crypto_util.h

@@ -45,6 +45,7 @@ void InitCryptoOnce();
 void InitCrypto(v8::Local<v8::Object> target);
 
 extern void UseExtraCaCerts(std::string_view file);
+extern int LoadSystemCACertificatesOffThread();
 void CleanupCachedRootCertificates();
 
 int PasswordCallback(char* buf, int size, int rwflag, void* u);

src/node.cc

@@ -1200,6 +1200,20 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
  return result;
  }
 
+ if (per_process::cli_options->use_system_ca) {
+ // Load the system CA certificates eagerly off the main thread to avoid
+ // blocking the main thread when the first TLS connection is made. We
+ // don't need to wait for the thread to finish with code here, as
+ // GetSystemStoreCACertificates() has a function-local static and any
+ // actual user of it will wait for that to complete initialization.
+ int r = crypto::LoadSystemCACertificatesOffThread();
+ if (r != 0) {
+ FPrintF(
+ stderr,
+ "Warning: Failed to load system CA certificates off thread: %s\n",
+ uv_strerror(r));
+ }
+ }
  // Ensure CSPRNG is properly seeded.
  CHECK(ncrypto::CSPRNG(nullptr, 0));