return system_store_certs;

}

static void LoadSystemCACertificates(void* data) {

GetSystemStoreCACertificates();

}

static uv_thread_t system_ca_thread;

static bool system_ca_thread_started = false;

int LoadSystemCACertificatesOffThread() {

// This is only run once during the initialization of the process, so

// it is safe to use a static thread here.

int r =

uv_thread_create(&system_ca_thread, LoadSystemCACertificates, nullptr);

if (r == 0) {

system_ca_thread_started = true;

}

return r;

}

static std::vector<X509*> InitializeExtraCACertificates() {

std::vector<X509*> extra_certs;

unsigned long err = LoadCertsFromFile( // NOLINT(runtime/int)

return extra_certs;

}

static void LoadCACertificates(void* data) {

per_process::Debug(DebugCategory::CRYPTO,

"Started loading system root certificates off-thread\n");

GetSystemStoreCACertificates();

}

static std::atomic<bool> tried_cert_loading_off_thread = false;

static std::atomic<bool> cert_loading_thread_started = false;

static Mutex start_cert_loading_thread_mutex;

static uv_thread_t cert_loading_thread;

void StartLoadingCertificatesOffThread(

const FunctionCallbackInfo<Value>& args) {

// Load the CA certificates eagerly off the main thread to avoid

// blocking the main thread when the first TLS connection is made. We

// don't need to wait for the thread to finish with code here, as

// Get*CACertificates() functions has a function-local static and any

// actual user of it will wait for that to complete initialization.

{

Mutex::ScopedLock cli_lock(node::per_process::cli_options_mutex);

if (!per_process::cli_options->use_system_ca) {

return;

}

}

// Only try to start the thread once. If it ever fails, we won't try again.

if (tried_cert_loading_off_thread.load()) {

return;

}

{

Mutex::ScopedLock lock(start_cert_loading_thread_mutex);

// Re-check under the lock.

if (tried_cert_loading_off_thread.load()) {

return;

}

tried_cert_loading_off_thread.store(true);

int r = uv_thread_create(&cert_loading_thread, LoadCACertificates, nullptr);

cert_loading_thread_started.store(r == 0);

if (r != 0) {

FPrintF(stderr,

"Warning: Failed to load CA certificates off thread: %s\n",

uv_strerror(r));

}

}

}

// Due to historical reasons the various options of CA certificates

// may invalid one another. The current rule is:

// 1. If the configure-time option --openssl-use-def-ca-store is NOT used

X509_free(cert);

}

}

if (system_ca_thread_started) {

uv_thread_join(&system_ca_thread);

system_ca_thread_started = false;

// Serialize with starter to avoid the race window.

Mutex::ScopedLock lock(start_cert_loading_thread_mutex);

if (tried_cert_loading_off_thread.load() &&

cert_loading_thread_started.load()) {

uv_thread_join(&cert_loading_thread);

}

}

SetMethod(context, target, "resetRootCertStore", ResetRootCertStore);

SetMethodNoSideEffect(

context, target, "getUserRootCertificates", GetUserRootCertificates);

SetMethod(context,

target,

"startLoadingCertificatesOffThread",

StartLoadingCertificatesOffThread);

}

void SecureContext::RegisterExternalReferences(

registry->Register(GetExtraCACertificates);

registry->Register(ResetRootCertStore);

registry->Register(GetUserRootCertificates);

registry->Register(StartLoadingCertificatesOffThread);

}

SecureContext* SecureContext::Create(Environment* env) {