# win-ca [![Build status](https://ci.appveyor.com/api/projects/status/e6xhpp9d7aml95j2?svg=true)](https://ci.appveyor.com/project/ukoloff/win-ca) [![NPM version](https://badge.fury.io/js/win-ca.svg)](http://badge.fury.io/js/win-ca) [![Store Roots](https://github.com/ukoloff/win-ca/workflows/Store%20Roots/badge.svg)](https://github.com/ukoloff/win-ca/actions) Get Windows System Root certificates for [Node.js]. ## Rationale Unlike [Ruby][], [Node.js][] on Windows **allows** HTTPS requests out-of-box. But it is implemented in a rather bizarre way: > Node uses a > [statically compiled, manually updated, hardcoded list][node.pem] > of certificate authorities, > rather than relying on the system's trust store... > [Read more][node/4175] It's somewhat non-intuitive under any OS, but Windows differs from most of them by having its own trust store, fully incompatible with [OpenSSL]. This package is intended to fetch Root CAs from Windows' store (*Trusted Root Certification Authorities*) and make them available to [Node.js] application with minimal efforts. ### Advantages - No internet access is required at all - Windows store is updated automatically (in most modern environments) - Manually installed Root certificates are used - Enterprise trusted certificates (GPO etc.) are made available too ## Usage For 95% of users: 1. Just say `npm install --save win-ca` 2. Then call `require('win-ca')`. 3. That's it! If you need more - proceed to [API](#api) section below. By the way, `win-ca` is safe to be used under other OSes (not M$ Windows). It does nothing there. ### Electron `win-ca` was adapted to run inside Electron applications with no additional configuration ([asar] supported). See [Minimal Electron application using win-ca][electron-win-ca] for usage example. ### VS Code extension Special [extension](vscode) for [VS Code] was created to import `win-ca` in context of VS Code's Extension Host. Since all VS Code extensions share the same process, root certificates imported by one of them are immediately available to others. This can allow VS Code extensions to connect to (properly configured) intranet sites from Windows machines. ## API
Click to view... First versions of `win-ca` opened Windows' *Trusted Root Certificate Store*, fetched certificates, deduplicated them and installed to `https.globalAgent.options.ca`, so they are automatically used for all requests with Node.js' `https` module. But sometimes one needs to get these certificates to do something else. For that case, full featured API was devised. It is the only function with numerous parameters and operation modes, eg: ```js const ca = require('win-ca') rootCAs = [] // Fetch all certificates in PEM format ca({ format: ca.der2.pem, ondata: crt => rootCAs.push(crt) }) ``` ### Entry points `win-ca` offers three ways of importing: 1. Regular `require('win-ca')` 2. Fallback `require('win-ca/fallback')` 3. Pure API `require('win-ca/api')` They all export the same API, but differ in initialization: 1. `win-ca` *does* fetch certificates from `Root` store, saves them to disk and makes them available to `https` module with no effort. 2. `win-ca/fallback` does the same, but it never uses [N-API](#n-api) for fetching certificates, so it should work in all versions of Node.js as well as inside Electron application. 3. `win-ca/api` does *nothing*, just exports API, so you decide yourself what to do. ## API Parameters API function may be called with no parameters, but that makes little sense. One should pass it object with some fields, ie: - `format` defines representation of certificates to fetch. Available values are: | Constant | Value | Meaning |---|---:|--- |der2.der | 0 | DER-format (binary, Node's [Buffer][]) |der2.pem | 1 | PEM-format (text, Base64-encoded) |der2.txt | 2 | PEM-format plus some laconic header |der2.asn1| 3 | ASN.1-parsed certificate |der2.x509| 4 | Certificate in `node-forge` format (RSA only!) Default value is `der`. See also [der2](#der2) function below. - `store` - which Windows' store to use. Default is `Root` (ie *Trusted Root Certification Authorities*). Windows has a whole lot of Certificate stores (eg `Root`, `CA`, `My`, `TrustedPublisher` etc.) One can list certificates from any of them (knowing its name) or several stores at once (using array for `store` parameter). ```js var list = [] require('win-ca/api')({store: ['root', 'ca'], ondata: list}) ``` - `unique` whether certificates list should be deduplicated. Default is `true` (no duplicates returned). Use `{unique: false}` to see all certificates in store. - `ondata` - callback fired for each certificate found. Every certificate will be converted to `format` and passed as the first (the only) parameter. As a syntactic sugar, array can be passed instead of function, it will be populated with certificates. - `onend` - callback fired (with no parameters) at the end of retrieval Useful for asynchronous invocations, but works in any case. - `fallback` - boolean flag, indicating [N-API](#n-api) shouldn't be used even if it is available. Default value depends on Node.js version (4, 5 and 7 `{fallback: true}`; modern versions `{fallback: false}`). It is also `true` if Electron is detected. Finally, if `win-ca` has been required as `win-ca/fallback`, default value for this flag is also set to `true`. Note, that one can force [N-API](#n-api) by setting `{fallback: false}`, but if Node.js cannot proceed, exception will be thrown. It can be catched, but Node.js will nevertheless remain in unstable state, so beware. - `async` - boolean flag to make retrieval process asynchronous (`false` by default) If `true`, API call returns immediately, certificates will be fetched later and feed to `ondata` callback. Finally `onend` callback will be called. - `generator` - boolean flag to emulate ES6 generator (default: `false`) If called with this flag, ES6 iterator object is immediately returned (regular or asynchronous - according to `async` flag). ```js const ca = require('win-ca/api') // Iterate for (let der of ca({generator: true})) { // Process(der) } // Or thus (Node.js v>=6) let list = [...ca({generator: true})] // Or even (Node.js v>=10) for await(let der of ca({generator: true, async: true})) { // await Process(der) } ``` Note, that if callbacks are set along with `generator` flag, they will be *also* fired. - `inject` - how to install certificates (default: `false`, ie just fetch from store, do not install) If set to `true`, certificated fetched will be also added to `https.globalAgent.options.ca` (in PEM format, regardless of `format` parameter), so all subsequent calls to `https` client methods (https.request, https.get etc.) will silently use them *instead* of built-in ones. If set to `'+'`, new *experimental* method is used instead: `tls.createSecureContext()` is patched and fetched certificates are used *in addition* to built-in ones (and not only for `https`, but for all secure connections). Injection mode can be later changed (or disabled) with [.inject()](#inject) helper function. - `save` - how to save certificates to disk (default: `false`, ie use *no* I/O at all) If set to string, or array of strings, they will be treated as list of candidate folders to save certificates to. First one that exists or can be (recursively) created will be used. If no valid folder path found, saving will be silently discarded. If `{save: true}` used, predefined list of folders will be tried: + `pem` folder inside `win-ca` module itself + `.local/win-ca/pem` folder inside user's profile Certificates will be stored into the folder in two formats: + Each certificate as separate text file with special file name (mimics behavour of [OpenSSL]'s `c_rehash` utility) - suitable for `SSL_CERT_DIR` + All certificates in single `roots.pem` file - suitable for `SSL_CERT_FILE` If `win-ca` is required not via `win-ca/api`, it calls itself with `{inject: true, save: true}` and additionaly sets `ca.path` field and `SSL_CERT_DIR` environment variable to the folder with certificates saved. - `onsave` - callback called at the end of saving (if `save` is truthy). Path to a folder is passed to callback, or no parameters (`undefined`) if it has been impossible to save certificates to disk. ## Helper functions Some internal functions are exposed: ### der2 ```js var certificate = ca.der2(format, certificate_in_der_format) ``` Converts certificate from DER to [format](#api-parameters) specified in first parameter. Function `.der2()` is curried: ```js var toPEM = ca.der2(ca.der2.pem) var pem = toPEM(der) ``` ### hash ```js var hash = ca.hash(version, certificate_in_der_format) ``` Gives certificate hash (aka X509_NAME_hash), ie 8-character hexadecimal string, derived from certificate subject. If version (first parameter) is 0, an old algorithm is used (aka X509_NAME_hash_old, used in OpenSSL v0.\*), else - the new one (X509_NAME_hash of OpenSSL v1.\*). Function `.hash()` is also curried: ```js var hasher = ca.hash() console.log(hasher(der)) ``` ### inject ```js ca.inject(mode) // or: ca.inject(mode, array_of_certificates) ``` Manages the way certificates are passed to other modules. This function is internally called by API when `{inject:}` parameter used. First argument (`mode`) is injection mode: - `false`: no injection, built-in certificates are used - `true`: put certificates to `https.globalAgent.options.ca` and use them *instead* of built-in ones for `https` module - `'+'`: new *experimental* mode: `tls.createSecureContext()` is patched and certificates are used *along with* built-in ones. This mode should affect all secure connections, not just `https` module. Second parameter (`array_of_certificates`) is list of certificates to inject. If it is omitted, previous list is used (only inject mode is changed). For example, simplest way to test new injection mode is: ```js const ca = require('win-ca') // Fetch certificates and start injecting (old way) ca.inject('+') // Switch to new injection mode ``` Note, that this function should be called before first secure connection is established, since every secure connection populates different caches, that are extremely hard to invalidate. Changing injection mode in the middle of secure communication can lead to unpredictable results. ### exe Applications that use `win-ca` are sometimes packed / bundled. In this case one should find appropriate place for binary utility `roots.exe` (used in fallback mode, which is always the case with Electron apps) and then make `win-ca` to find the binary. Function `.exe()` is intended to provide this functionality. You must call it **before** first invocation of library itself, eg: ```js var ca = require('win-ca/api') ca.exe('/full/path/to/roots.exe') ca({fallback: true, inject: true}) ``` `.exe()` with no parameters switches to default location (inside `lib` folder). In any case it returns previous path to `roots.exe`: ``` console.log(require('win-ca').exe()) // Where is my root.exe? ``` ## Legacy API
Click to view... `win-ca` v2 had another API, which is preserved for compatibility, but discouraged to use. It consists of three functions: * Synchronous: + `.all()` + `.each()` * Asynchronous: + `.each.async()` ``` var ca = require('win-ca') do.something.with(ca.all(ca.der2.pem)) ``` Note: 1. All three yield certificates in [node-forge][]'s format by default (unlike [modern API](#api), that returns DER if unspecified by user). Unfortunately, `node-forge` at the time of writing is unable to parse non-RSA certificates (namely, ECC certificates becoming more popular). If your *Trusted Root Certification Authorities* store contains modern certificates, legacy API calls will throw exception. To tackle the problem - pass them [format](#api-parameters) as the first parameter. 2. `.all()` deduplicates certificates (like [regular API](#api)), while both `.each` calls may return duplicates (`{unique: false}` applied) 3. `Root` store always used (no way for `store:` option) 4. Both `.each` calls require callback (with optional `format`) Synchronous `.each()` callback gets single argument - certificate (in specified format) ```js var ca = require('win-ca') ca.each(ca.der2.x509, crt=> console.log(crt.serialNumber) ) ``` Asynchronous `.each.async()` callback gets two parameters: + `error` (which is always `undefined` in this version) + `result` - certificate in requested `format` or `undefined` to signal end of retrieval ```js let ca = require('win-ca') ca.each.async((error, crt)=> { if (error) throw error; if(crt) console.log(forge.pki.certificateToPem(crt)) else console.log("That's all folks!") }) ```
## N-API Current version uses [N-API], so it can be used in [Node.js versions with N-API support][N-API-support], i.e. v6 and all versions starting from v8. Thanks to N-API, it is possible to precompile [Windows DLL](n-api/crypt32.cpp) and save it to package, so no compilation is needed at installation time. For other Node.js versions (v4, 5 or 7) special [fallback utility](n-api/roots.c) is called in the background to fetch the list anyway. If you wish to use this fallback engine (even for modern Node.js), you can ```js require('win-ca/fallback') ```
## Caveats Windows 10 tends to have only a few certificates in its *Trusted Root Certification Authorities* store and [lazily add them to it on first use][win.lazy]. If your OS does so, `win-ca` will still help to connect to your own sites (protected by self-signed certificates, or by the ones, distributed with GPO), but will make connection to well-known sites (like Google or Twitter) impossible! The simplest remedy is to *once* open desired site in Internet Explorer / Google Chrome (certificate will be *silently* added to Root store). Another option is to switch to new *experimental* [injection](#inject) method: ```js require('win-ca').inject('+') ``` ### Clear `pem` folder on publish If you use `win-ca` in some Electron app or VS Code extension, be warned that `node_modules/win-ca/pem` folder is *highly likely* to be packed into your bundle with all root certificates on development machine. You had better remove said folder before publishing (eg. in `prepack` npm script if it applies). ## Building - npm install - npm run pretest - npm run [nvm$] - npm publish This builds both `x86` and `x64` versions with [N-API](#n-api) support. For older Node.js versions standalone binary utility is built. ## See also - [OpenSSL::Win::Root][] for Ruby version - [mac-ca][] for Mac OS version ## Credits Uses [node-forge][] and used to use [node-ffi-napi][] (ancestor of [node-ffi][]). [node-ffi]: https://github.com/node-ffi/node-ffi [node-ffi-napi]: https://github.com/node-ffi-napi/node-ffi-napi [node-forge]: https://github.com/digitalbazaar/forge [OpenSSL::Win::Root]: https://github.com/ukoloff/openssl-win-root [Node.js]: http://nodejs.org/ [Buffer]: https://nodejs.org/api/buffer.html [Ruby]: https://www.ruby-lang.org/ [node.pem]: https://github.com/nodejs/node/blob/master/src/node_root_certs.h [node/4175]: https://github.com/nodejs/node/issues/4175 [OpenSSL]: https://www.openssl.org/ [nvm$]: https://github.com/ukoloff/nvms [N-API]: https://nodejs.org/api/n-api.html [N-API-support]: https://github.com/nodejs/node-addon-api/blob/master/index.js#L17 [VS Code]: https://code.visualstudio.com/ [mac-ca]: https://github.com/jfromaniello/mac-ca [Electron]: https://electronjs.org/ [electron-win-ca]: https://github.com/ukoloff/electron-win-ca [win.lazy]: https://social.technet.microsoft.com/wiki/contents/articles/3147.pki-certificate-chaining-engine-cce.aspx [asar]: https://github.com/electron/asar