Skip to content

crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts #62254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nodejs-github-bot merged 2 commits into from
Mar 23, 2026
+171 −0
Merged

crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts #62254

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b316884
crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts
pimterry Mar 14, 2026
e378906
Handle JS getter exceptions in GetSSLCtx
pimterry Mar 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions src/crypto/crypto_context.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2443,5 +2443,30 @@ void UseExtraCaCerts(std::string_view file) {
extra_root_certs_file = file;
}

NODE_EXTERN SSL_CTX* GetSSLCtx(Local<Context> context, Local<Value> value) {
Environment* env = Environment::GetCurrent(context);
if (env == nullptr) return nullptr;

// TryCatchto swallow any exceptions from Get() (e.g. failing getters)
v8::TryCatch try_catch(env->isolate());

// Unwrap the .context property from the JS SecureContext wrapper
// (as returned by tls.createSecureContext()).
if (value->IsObject()) {
Local<Value> inner;
if (!value.As<v8::Object>()
->Get(context, FIXED_ONE_BYTE_STRING(env->isolate(), "context"))
.ToLocal(&inner)) {
return nullptr;
Comment thread
addaleax marked this conversation as resolved.
}
value = inner;
}

if (!SecureContext::HasInstance(env, value)) return nullptr;
SecureContext* sc = BaseObject::FromJSObject<SecureContext>(value);
if (sc == nullptr) return nullptr;
return sc->ctx().get();
}

} // namespace crypto
} // namespace node
15 changes: 15 additions & 0 deletions src/node.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,7 @@
// Forward-declare libuv loop
struct uv_loop_s;
struct napi_module;
struct ssl_ctx_st; // Forward declaration of SSL_CTX for OpenSSL.

// Forward-declare these functions now to stop MSVS from becoming
// terminally confused when it's done in node_internals.h
Expand Down Expand Up @@ -1657,6 +1658,20 @@ NODE_DEPRECATED(
v8::Local<v8::Object> object,
v8::Object::Wrappable* wrappable));

namespace crypto {

// Returns the SSL_CTX* from a SecureContext JS object, as returned by
// tls.createSecureContext().
// Returns nullptr if the value is not a SecureContext instance,
// or if Node.js was built without OpenSSL.
//
// The returned pointer is not owned by the caller and must not be freed.
// It is valid only while the SecureContext JS object remains alive.
NODE_EXTERN struct ssl_ctx_st* GetSSLCtx(v8::Local<v8::Context> context,
v8::Local<v8::Value> secure_context);

} // namespace crypto

} // namespace node

#endif // SRC_NODE_H_
1 change: 1 addition & 0 deletions test/addons/addons.status
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ openssl-binding/test: PASS,FLAKY

[$system==ibmi]
openssl-binding/test: SKIP
openssl-get-ssl-ctx/test: SKIP
openssl-providers/test-default-only-config: SKIP
openssl-providers/test-legacy-provider-config: SKIP
openssl-providers/test-legacy-provider-inactive-config: SKIP
Expand Down
52 changes: 52 additions & 0 deletions test/addons/openssl-get-ssl-ctx/binding.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
#include <node.h>
#include <openssl/ssl.h>
Comment thread
addaleax marked this conversation as resolved.

namespace {

// Test: extract SSL_CTX* from a SecureContext object via
// node::crypto::GetSSLCtx.
void GetSSLCtx(const v8::FunctionCallbackInfo<v8::Value>& args) {
v8::Isolate* isolate = args.GetIsolate();
v8::Local<v8::Context> context = isolate->GetCurrentContext();

SSL_CTX* ctx = node::crypto::GetSSLCtx(context, args[0]);
if (ctx == nullptr) {
isolate->ThrowException(v8::Exception::Error(
v8::String::NewFromUtf8(
isolate, "GetSSLCtx returned nullptr for a valid SecureContext")
.ToLocalChecked()));
return;
}

// Verify the pointer is a valid SSL_CTX by calling an OpenSSL function.
const SSL_METHOD* method = SSL_CTX_get_ssl_method(ctx);
if (method == nullptr) {
isolate->ThrowException(v8::Exception::Error(
v8::String::NewFromUtf8(isolate,
"SSL_CTX_get_ssl_method returned nullptr")
.ToLocalChecked()));
return;
}

args.GetReturnValue().Set(true);
}

// Test: passing a non-SecureContext value returns nullptr.
void GetSSLCtxInvalid(const v8::FunctionCallbackInfo<v8::Value>& args) {
v8::Isolate* isolate = args.GetIsolate();
v8::Local<v8::Context> context = isolate->GetCurrentContext();

SSL_CTX* ctx = node::crypto::GetSSLCtx(context, args[0]);
args.GetReturnValue().Set(ctx == nullptr);
}

void Initialize(v8::Local<v8::Object> exports,
v8::Local<v8::Value> module,
v8::Local<v8::Context> context) {
NODE_SET_METHOD(exports, "getSSLCtx", GetSSLCtx);
NODE_SET_METHOD(exports, "getSSLCtxInvalid", GetSSLCtxInvalid);
}

} // anonymous namespace

NODE_MODULE_CONTEXT_AWARE(NODE_GYP_MODULE_NAME, Initialize)
29 changes: 29 additions & 0 deletions test/addons/openssl-get-ssl-ctx/binding.gyp