crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts

pimterry · pimterry · commit b3168849a12b · 2026-03-14T17:39:08.000+01:00
This intended to replace usage of the unsupported _external field,
offering an official API for native addons to access OpenSSL directly
while reducing the JS API and internal field exposure.
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -2443,5 +2443,27 @@ void UseExtraCaCerts(std::string_view file) {
   extra_root_certs_file = file;
 }
 
+NODE_EXTERN SSL_CTX* GetSSLCtx(Local<Context> context, Local<Value> value) {
+  Environment* env = Environment::GetCurrent(context);
+  if (env == nullptr) return nullptr;
+
+  // Unwrap the .context property from the JS SecureContext wrapper
+  // (as returned by tls.createSecureContext()).
+  if (value->IsObject()) {
+    Local<Value> inner;
+    if (!value.As<v8::Object>()
+             ->Get(context, FIXED_ONE_BYTE_STRING(env->isolate(), "context"))
+             .ToLocal(&inner)) {
+      return nullptr;
+    }
+    value = inner;
+  }
+
+  if (!SecureContext::HasInstance(env, value)) return nullptr;
+  SecureContext* sc = BaseObject::FromJSObject<SecureContext>(value);
+  if (sc == nullptr) return nullptr;
+  return sc->ctx().get();
+}
+
 }  // namespace crypto
 }  // namespace node
diff --git a/src/node.h b/src/node.h
@@ -125,6 +125,7 @@
 // Forward-declare libuv loop
 struct uv_loop_s;
 struct napi_module;
+struct ssl_ctx_st;  // Forward declaration of SSL_CTX for OpenSSL.
 
 // Forward-declare these functions now to stop MSVS from becoming
 // terminally confused when it's done in node_internals.h
@@ -1657,6 +1658,20 @@ NODE_DEPRECATED(
                                        v8::Local<v8::Object> object,
                                        v8::Object::Wrappable* wrappable));
 
+namespace crypto {
+
+// Returns the SSL_CTX* from a SecureContext JS object, as returned by
+// tls.createSecureContext().
+// Returns nullptr if the value is not a SecureContext instance,
+// or if Node.js was built without OpenSSL.
+//
+// The returned pointer is not owned by the caller and must not be freed.
+// It is valid only while the SecureContext JS object remains alive.
+NODE_EXTERN struct ssl_ctx_st* GetSSLCtx(v8::Local<v8::Context> context,
+                                         v8::Local<v8::Value> secure_context);
+
+}  // namespace crypto
+
 }  // namespace node
 
 #endif  // SRC_NODE_H_
diff --git a/test/addons/addons.status b/test/addons/addons.status
@@ -12,6 +12,7 @@ openssl-binding/test: PASS,FLAKY
 
 [$system==ibmi]
 openssl-binding/test: SKIP
+openssl-get-ssl-ctx/test: SKIP
 openssl-providers/test-default-only-config: SKIP
 openssl-providers/test-legacy-provider-config: SKIP
 openssl-providers/test-legacy-provider-inactive-config: SKIP
diff --git a/test/addons/openssl-get-ssl-ctx/binding.cc b/test/addons/openssl-get-ssl-ctx/binding.cc
@@ -0,0 +1,52 @@
+#include <node.h>
+#include <openssl/ssl.h>
+
+namespace {
+
+// Test: extract SSL_CTX* from a SecureContext object via
+// node::crypto::GetSSLCtx.
+void GetSSLCtx(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+  v8::Local<v8::Context> context = isolate->GetCurrentContext();
+
+  SSL_CTX* ctx = node::crypto::GetSSLCtx(context, args[0]);
+  if (ctx == nullptr) {
+    isolate->ThrowException(v8::Exception::Error(
+        v8::String::NewFromUtf8(
+            isolate, "GetSSLCtx returned nullptr for a valid SecureContext")
+            .ToLocalChecked()));
+    return;
+  }
+
+  // Verify the pointer is a valid SSL_CTX by calling an OpenSSL function.
+  const SSL_METHOD* method = SSL_CTX_get_ssl_method(ctx);
+  if (method == nullptr) {
+    isolate->ThrowException(v8::Exception::Error(
+        v8::String::NewFromUtf8(isolate,
+                                "SSL_CTX_get_ssl_method returned nullptr")
+            .ToLocalChecked()));
+    return;
+  }
+
+  args.GetReturnValue().Set(true);
+}
+
+// Test: passing a non-SecureContext value returns nullptr.
+void GetSSLCtxInvalid(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+  v8::Local<v8::Context> context = isolate->GetCurrentContext();
+
+  SSL_CTX* ctx = node::crypto::GetSSLCtx(context, args[0]);
+  args.GetReturnValue().Set(ctx == nullptr);
+}
+
+void Initialize(v8::Local<v8::Object> exports,
+                v8::Local<v8::Value> module,
+                v8::Local<v8::Context> context) {
+  NODE_SET_METHOD(exports, "getSSLCtx", GetSSLCtx);
+  NODE_SET_METHOD(exports, "getSSLCtxInvalid", GetSSLCtxInvalid);
+}
+
+}  // anonymous namespace
+
+NODE_MODULE_CONTEXT_AWARE(NODE_GYP_MODULE_NAME, Initialize)
diff --git a/test/addons/openssl-get-ssl-ctx/binding.gyp b/test/addons/openssl-get-ssl-ctx/binding.gyp
@@ -0,0 +1,29 @@
+{
+  'targets': [
+    {
+      'target_name': 'binding',
+      'includes': ['../common.gypi'],
+      'conditions': [
+        ['node_use_openssl=="true"', {
+          'conditions': [
+            ['OS in "aix os400"', {
+              'variables': {
+                # Used to differentiate `AIX` and `OS400`(IBM i).
+                'aix_variant_name': '<!(uname -s)',
+              },
+              'conditions': [
+                [ '"<(aix_variant_name)"!="OS400"', { # Not `OS400`(IBM i)
+                  'sources': ['binding.cc'],
+                  'include_dirs': ['../../../deps/openssl/openssl/include'],
+                }],
+              ],
+            }, {
+              'sources': ['binding.cc'],
+              'include_dirs': ['../../../deps/openssl/openssl/include'],
+            }],
+          ],
+        }],
+      ],
+    },
+  ],
+}
diff --git a/test/addons/openssl-get-ssl-ctx/test.js b/test/addons/openssl-get-ssl-ctx/test.js
@@ -0,0 +1,40 @@
+'use strict';
+const common = require('../../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const binding = require(`./build/${common.buildType}/binding`);
+
+// Test 1: Pass a SecureContext to getSSLCtx.
+{
+  const ctx = tls.createSecureContext();
+  assert.strictEqual(binding.getSSLCtx(ctx), true);
+}
+
+// Test 2: Passing a non-SecureContext should return nullptr.
+{
+  assert.strictEqual(binding.getSSLCtxInvalid({}), true);
+}
+
+// Test 3: Passing a number should return nullptr.
+{
+  assert.strictEqual(binding.getSSLCtxInvalid(42), true);
+}
+
+// Test 4: Passing undefined should return nullptr.
+{
+  assert.strictEqual(binding.getSSLCtxInvalid(undefined), true);
+}
+
+// Test 5: Passing null should return nullptr.
+{
+  assert.strictEqual(binding.getSSLCtxInvalid(null), true);
+}
+
+// Test 6: An object with a non-SecureContext .context property should return
+// nullptr.
+{
+  assert.strictEqual(binding.getSSLCtxInvalid({ context: 'not a context' }), true);
+}
