The system CA implementation now correctly follows Node.js certificate
loading order instead of replacing bundled certificates:
Node.js loading order:
1. Default root certs (bundled Mozilla certificates)
2. System certs (when --use-system-ca is enabled)
3. Extra certs (NODE_EXTRA_CA_CERTS)
Key changes:
- Always load bundled root certificates first
- Add system CAs as additional certificates when --use-system-ca is set
- Keep NODE_EXTRA_CA_CERTS loading last
- System CAs are now additive, not replacement
- Updated tests to reflect additive behavior
This matches PR #21092 behavior where system CAs supplement rather than
replace the bundled certificate store, providing both comprehensive
coverage and system-specific trust settings.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Make --use-system-ca CLI flag the only way to enable system CA loading.
This simplifies the implementation and removes potential confusion
between environment variables and CLI flags.
Changes:
- Remove environment variable fallback from Bun__useSystemCA()
- Update tests to only test CLI flag functionality
- Add tests for default behavior and flag position independence
- Update comments to clarify CLI flag only support
The implementation now only respects the --use-system-ca CLI flag,
making the behavior more predictable and consistent with other
Bun CLI features.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This comprehensive update adapts the implementation from PR #21092 to use
dynamic loading with bun.sys.dlopen instead of static linking.
Key changes:
- Complete Security framework function coverage with dynamic loading
- Comprehensive trust evaluation logic matching PR #21092
- CLI flag support: --use-system-ca (primary) + env var fallback
- Advanced certificate validation using SecTrustEvaluateWithError
- Trust settings evaluation across user and admin domains
- SSL policy-specific certificate filtering
- Proper SecItemCopyMatching implementation for keychain access
- Enhanced error handling and warning system
Architecture:
- Zig: Dynamic framework loading + function pointer management
- C++: Trust evaluation logic + certificate processing
- CLI: --use-system-ca flag with precedence over env vars
- Backward compatibility with BUN_USE_SYSTEM_CA environment variable
Benefits over static linking:
- No build system changes required
- Runtime-only dependency on Security framework
- Follows existing Bun patterns (fs_events.zig)
- Graceful degradation if frameworks unavailable
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This implementation uses Zig's bun.sys.dlopen to dynamically load
the macOS Security framework and CoreFoundation functions, then
implements the CA loading logic in C++ for better integration
with the existing OpenSSL certificate store.
Key features:
- Uses BUN_USE_SYSTEM_CA environment variable to enable feature
- Dynamically loads Security.framework without static linking
- Integrates system CAs with existing bundled and extra CAs
- Follows existing Bun patterns for framework loading
- Platform-specific code only runs on macOS
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
There are many situations where using `catch unreachable` is a reasonable or sometimes necessary decision. This rule causes many, many merge conflicts.
