node-windows-root-certs-napi

v1.22.0

Enables read of windows root certificates using ffi, and patching of node to use them

Downloads: 76

Enables use of Windows root certificates in nodejs directly, without environment settings or certificate files.

This version runs on node 18, 20, 22 (and possibly others which have n-api v9)

Uses for this module:

In a corporate environment

If the company has a WAF (Web Application Firewall - a man in the middle), the root certificate for the WAF is often installed as a certificate in Windows. NodeJS has no access to this certificate, so NodeJS-based applications will fail without special measures.

You need to connect over https or tls to a server with a self-signed certificate

Enables the root certificate for your server to be added, either by adding in Windows, or manually.

I tried but failed to get this to work in test.js with badssl.com :(

For 'Older' versions of NodeJS

If the certificates inside NodeJS expire, the application will stop working....

What it does

This module provides two features:

reading of the Windows root certificates

A function is provided to read the Windows root certificates, returning an array similar to node's own rootCertificates array.

patching tls

A function is provided which will patch the tls module so that all HTTPS or other tls-based secure communication uses the provided certificates: either as the complete certificate list, or as a list added to the internal NodeJS list.

Note: if tls is patched AFTER a successful connection to a site, then it's likely that the new/modified certificates will not be used for a subsequent connection, as the connection itself may be cached.

Usage

npm install node-windows-root-certs-napi

var windowsRootCerts = require('node-windows-root-certs-napi');

// to read windows root certs
var rootCerts = windowsRootCerts.getCerts();

// result:
// ["-----BEGIN CERTIFICATE-----\nMIIF.....Da\n-----END CERTIFICATE-----","-----BEGIN CERTIFICATE-----...."]

// to patch tls with any cert list as above:
windowsRootCerts.patchTls( rootCerts );

or

var windowsRootCerts = require('node-windows-root-certs-napi');
// to read the windows root certs and patch in a single command:
windowsRootCerts.useWindowsCerts();

or - to add just some additional known certificates to the end of the existing NodeJS set:

var windowsRootCerts = require('node-windows-root-certs-napi');
var mycerts = [
  "-----BEGIN CERTIFICATE-----\nMIIF.....Da\n-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----...."
];
windowsRootCerts.patchTls( mycerts, { includeNodeCerts:true } );

test

npm test

will access https://google.com using windows certificates.

exports

module.exports = {
  // functions
  getCerts: getCerts, 
  patchTls: patchTls,
  unPatchTls: unPatchTls,
  useWindowsCerts: useWindowsCerts,
  
  // variables
  tlsOptions: tlsOptions,
};

getCerts

Reads a list of certificates from a named Windows certificate store.

var certs = windowsRootCerts.getCerts(StoreName, Options);

parameters:

StoreName - the name of the Windows certificate store to read, default 'ROOT'

Options - default { maxcerts: 300 } - maxcerts limits the number of certificates retrieved. My machine had ~90.

returns: an array of strings, each being a certificate.

patchTls

Patches the nodejs tls module to either replace the NodeJS root certificate list, or add to it.

windowsRootCerts.patchTls( certsArray, options );

parameters:

certsArray - an array of strings, each being a base64-encoded (PEM) certificate like:

"-----BEGIN CERTIFICATE-----\nMIIF.....Da\n-----END CERTIFICATE-----"

options - default { includeNodeCerts:false } - if includeNodeCerts is true, the certs supplied are appended to the normal NodeJS root certificate list; otherwise they replace it.

unPatchTls

Restores tls to original.

windowsRootCerts.unPatchTls();

tlsOptions

Object which stores the options fields used in patchTls()

console.log(windowsRootCerts.tlsOptions);

use on non-windows systems

windowsRootCerts.getCerts() will always return [] (an empty array).

However, I see no reason why patchTls and unPatchTls would not work, given certificates.

Technology

windows-root-certs uses

    "ffi-napi": "https://github.com/btsimonh/node-ffi-napi.git",
    "ref-napi": "https://github.com/btsimonh/ref-napi.git",
    "ref-struct-di": "^1.1.1"

In combination, these provide the ability to call windows dll functions directly from nodejs. In this case we use the following functions from Crypt32.dll:

  CertOpenSystemStoreA: [ 'void *', ['void *', 'string']],
  CertEnumCertificatesInStore: [ PCERT_CONTEXT, ['void *', PCERT_CONTEXT]],
  CertFreeCertificateContext: [ 'bool', [PCERT_CONTEXT] ],
  CertCloseStore: [ 'bool', ['void *', 'void *']],

to read a windows certificate store and extract the certificates for use in node.

tls is patched by replacing tls.createSecureContext with our own function, which extends or adds options to include the new certificates before calling the original tls.createSecureContext function.
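The wrapping technique described above, as an added sketch that is not this module's source code: patchTlsSketch and unPatchTlsSketch are hypothetical stand-ins for patchTls and unPatchTls, and the merge order, de-duplication and empty-list handling are assumptions of the sketch.

```javascript
// Added illustration; not the source code of node-windows-root-certs-napi.
const tls = require('node:tls');

let savedCreate = null; // original tls.createSecureContext while patched

// `ca` may be a string, a Buffer, or an array of either; normalise to strings.
function toPemList(ca) {
  if (ca === undefined || ca === null) return [];
  return (Array.isArray(ca) ? ca : [ca]).map((c) => c.toString().trim());
}

// Build the CA list handed to the original createSecureContext.
function mergeCa(callerCa, extraCerts, includeNodeCerts) {
  const merged = [
    ...(includeNodeCerts ? toPemList(tls.rootCertificates) : []),
    ...toPemList(callerCa),
    ...toPemList(extraCerts),
  ];
  return [...new Set(merged)]; // drop exact duplicates
}

// Hypothetical stand-in for patchTls(certsArray, options).
function patchTlsSketch(extraCerts, { includeNodeCerts = false } = {}) {
  unPatchTlsSketch(); // re-patching must not stack wrappers
  const original = tls.createSecureContext;
  savedCreate = original;
  tls.createSecureContext = function patchedCreateSecureContext(options = {}) {
    const ca = mergeCa(options.ca, extraCerts, includeNodeCerts);
    // An empty list (e.g. getCerts() on a non-Windows host) is not passed on:
    // leaving `ca` unset keeps Node's default trust rather than an empty list.
    return original.call(tls, ca.length ? { ...options, ca } : options);
  };
}

// Hypothetical stand-in for unPatchTls().
function unPatchTlsSketch() {
  if (savedCreate) {
    tls.createSecureContext = savedCreate;
    savedCreate = null;
  }
}
```

Because an explicit ca option replaces Node's bundled roots, a patch made with includeNodeCerts left false turns the supplied list into the entire trust set for every context created afterwards.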

Credits

The use of windows API functions directly in node would not be possible without the contributions of @TooTallNate (https://github.com/TooTallNate) - wish he would update his repos for node 12+!

Thanks to these repos for inspiration:

https://github.com/ukoloff/win-ca

https://github.com/capriza/syswide-cas