From 1bc25d3150e71ccbc73704c1ade596ebe6282731 Mon Sep 17 00:00:00 2001
From: Kai Tamkun
Date: Thu, 5 Jun 2025 19:53:39 -0700
Subject: [PATCH] addRootCerts
---
 src/bun.js/bindings/NodeTLS.cpp | 16 ++++++++++++++++
 src/bun.js/bindings/NodeTLS.h | 1 +
 2 files changed, 17 insertions(+)
diff --git a/src/bun.js/bindings/NodeTLS.cpp b/src/bun.js/bindings/NodeTLS.cpp
index 8a4768bf7a..d5d458a9cf 100644
--- a/src/bun.js/bindings/NodeTLS.cpp
+++ b/src/bun.js/bindings/NodeTLS.cpp
@@ -145,6 +145,14 @@ void NodeTLSSecureContext::setCACert(const ncrypto::BIOPointer& bio)
 }
 }
+void NodeTLSSecureContext::setRootCerts()
+{
+ ncrypto::ClearErrorOnReturn clearErrorOnReturn;
+ X509_STORE* store = getCertStore();
+ X509_STORE_up_ref(store);
+ SSL_CTX_set_cert_store(context(), store);
+}
+
 void NodeTLSSecureContext::setX509StoreFlag(unsigned long flags)
 {
 RELEASE_ASSERT(X509_STORE_set_flags(getCertStore(), flags) == 1);
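Review bot: In `setRootCerts`, the pointer returned by `getCertStore()` goes straight into `X509_STORE_up_ref` and `SSL_CTX_set_cert_store` with no null check, and the up_ref result is discarded, whereas `setX509StoreFlag` directly below wraps its OpenSSL call in `RELEASE_ASSERT`. I would write `RELEASE_ASSERT(store && X509_STORE_up_ref(store) == 1);` and put the comment `// SSL_CTX_set_cert_store takes over one reference, so take ours first.` above it to make the ownership transfer explicit. `getCertStore()` is defined outside this hunk; because `setX509StoreFlag` uses it to reach this context's store, it may return the store that is already attached, in which case this call re-installs the same store and adds no trust anchors. It is worth confirming that it yields the shared root store that `addRootCerts` is meant to install.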
@@ -395,11 +403,19 @@ JSC_DEFINE_HOST_FUNCTION(secureContextSetECDHCurve, (JSGlobalObject * globalObje
 return JSC::encodedJSUndefined();
 }
+JSC_DEFINE_HOST_FUNCTION(secureContextAddRootCerts, (JSGlobalObject * globalObject, CallFrame* callFrame))
+{
+ auto* thisObject = jsCast(callFrame->thisValue());
+ thisObject->setRootCerts();
+ return JSC::encodedJSUndefined();
+}
+
 static const HashTableValue NodeTLSSecureContextPrototypeTableValues[] = {
 { "init"_s, static_cast(PropertyAttribute::Function | PropertyAttribute::DontEnum), NoIntrinsic, { HashTableValue::NativeFunctionType, secureContextInit, 3 } },
 { "setCiphers"_s, static_cast(PropertyAttribute::Function | PropertyAttribute::DontEnum), NoIntrinsic, { HashTableValue::NativeFunctionType, secureContextSetCiphers, 1 } },
 { "addCACert"_s, static_cast(PropertyAttribute::Function | PropertyAttribute::DontEnum), NoIntrinsic, { HashTableValue::NativeFunctionType, secureContextAddCACert, 1 } },
 { "setECDHCurve"_s, static_cast(PropertyAttribute::Function | PropertyAttribute::DontEnum), NoIntrinsic, { HashTableValue::NativeFunctionType, secureContextSetECDHCurve, 1 } },
+ { "addRootCerts"_s, static_cast(PropertyAttribute::Function | PropertyAttribute::DontEnum), NoIntrinsic, { HashTableValue::NativeFunctionType, secureContextAddRootCerts, 0 } },
 };
 static EncodedJSValue constructSecureContext(JSGlobalObject* globalObject, CallFrame* callFrame, JSValue newTarget = {})
diff --git a/src/bun.js/bindings/NodeTLS.h b/src/bun.js/bindings/NodeTLS.h
index bf3c1f9a88..1590194514 100644
--- a/src/bun.js/bindings/NodeTLS.h
+++ b/src/bun.js/bindings/NodeTLS.h
@@ -104,6 +104,7 @@ public:
 void context(SSL_CTX* ctx) { m_context = { ctx, SSL_CTX_free }; }
 void setCACert(const ncrypto::BIOPointer& bio);
+ void setRootCerts();
 private:
 std::unique_ptr m_context { nullptr, nullptr };
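Review bot: `secureContextAddRootCerts` in the NodeTLS.cpp hunk converts `callFrame->thisValue()` with `jsCast`, which does not verify the receiver's type in release builds, so a call whose receiver is not a `NodeTLSSecureContext` would reach `setRootCerts()` on a mistyped object. The function is installed on the prototype table in this same hunk, so the receiver should be checked with `jsDynamicCast` and a TypeError thrown on mismatch, as sketched below. The cast's template argument is not visible in this rendering, and whether the sibling host functions share the pattern cannot be seen from here; if they do, the same guard applies to them.

```cpp
JSC_DEFINE_HOST_FUNCTION(secureContextAddRootCerts, (JSGlobalObject * globalObject, CallFrame* callFrame))
{
    auto& vm = globalObject->vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    // Checked cast: reject receivers that are not a secure context instead of trusting `this`.
    auto* thisObject = jsDynamicCast<NodeTLSSecureContext*>(callFrame->thisValue());
    if (!thisObject)
        return throwVMTypeError(globalObject, scope, "addRootCerts called on an incompatible receiver"_s);

    // … unchanged: setRootCerts() call and undefined return …
}
```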