fix(ext/node): extract cert/key from pfx in tls SecureContext (#34383)

`tls.createServer({ pfx, passphrase, ... })` and `tls.connect({ pfx,
... })` were validating the PFX but never extracting its contents, so
the SecureContext ended up with no `cert`/`key`. The server installed
`NoCertResolver` and the TLS handshake aborted with
`ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE` / client-side `ECONNRESET`,
even though both peers had `rejectUnauthorized: false` — making
`pfx`-only configs unusable.

Replace `op_node_validate_pfx` with `op_node_load_pfx`, which decrypts
the PFX with the passphrase and returns the leaf cert, the private key
(PKCS#8) and any additional certs as PEM. `_tls_common.ts` falls back
to those values when explicit `cert`/`key`/`ca` aren't provided, so
an explicit `cert` still takes precedence over the PFX leaf.

Also map the server-side `authorizationError` for a self-signed leaf
with no CA configured to `DEPTH_ZERO_SELF_SIGNED_CERT` instead of
always reporting `UNABLE_TO_GET_ISSUER_CERT`, matching Node/OpenSSL.
p12 0.6's MAC verification only knows SHA-1 and panics via
`debug_assert!` on newer SHA-256 PFX files, so wrap the call in
`catch_unwind` and treat any non-SHA-1 MAC as unverifiable rather than
a hard failure — PBE-decryption of the bags provides the real
integrity check.

Fixes #34202

Author: bartlomieju

ext/node/ops/tls_wrap.rs

@@ -3450,6 +3450,11 @@ fn der_content_len(element: &[u8]) -> Option<usize> {
 /// matching. Returns an error code string if the chain cannot be built.
 /// Returns `Ok(())` if the chain reaches a trusted root, or
 /// `Err(code)` with a Node/OpenSSL error code if it does not.
+fn is_self_signed(cert_der: &[u8]) -> bool {
+  extract_issuer_and_subject(cert_der)
+    .is_some_and(|(issuer, subject)| issuer == subject)
+}
+
 fn verify_chain_structure(
   end_entity: &[u8],
   intermediates: &[rustls::pki_types::CertificateDer<'_>],
@@ -4206,14 +4211,22 @@ impl rustls::server::danger::ClientCertVerifier
 
   fn verify_client_cert(
     &self,
-    _end_entity: &rustls::pki_types::CertificateDer<'_>,
-    _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+    end_entity: &rustls::pki_types::CertificateDer<'_>,
+    intermediates: &[rustls::pki_types::CertificateDer<'_>],
     _now: rustls::pki_types::UnixTime,
   ) -> Result<rustls::server::danger::ClientCertVerified, rustls::Error> {
-    // No root CAs — we cannot verify anything.  Store an error for
-    // verifyError() and let the JS layer decide via `authorized`.
+    // No root CAs, so we cannot establish a trust chain. Match Node's
+    // OpenSSL-derived error codes: a self-signed leaf (no intermediates,
+    // subject == issuer) reports DEPTH_ZERO_SELF_SIGNED_CERT; everything
+    // else falls back to UNABLE_TO_GET_ISSUER_CERT.
+    let code =
+      if intermediates.is_empty() && is_self_signed(end_entity.as_ref()) {
+        "DEPTH_ZERO_SELF_SIGNED_CERT"
+      } else {
+        "UNABLE_TO_GET_ISSUER_CERT"
+      };
     *self.verify_error.lock().unwrap_or_else(|p| p.into_inner()) =
-      Some("UNABLE_TO_GET_ISSUER_CERT".to_string());
+      Some(code.to_string());
     Ok(rustls::server::danger::ClientCertVerified::assertion())
   }
 

ext/node/polyfills/_tls_common.ts

@@ -22,7 +22,7 @@ const { isArrayBufferView } = core.loadExtScript(
 const { validateString } = core.loadExtScript(
   "ext:deno_node/internal/validators.mjs",
 );
-const { op_node_validate_crl, op_node_validate_pfx } = core.ops;
+const { op_node_validate_crl, op_node_load_pfx } = core.ops;
 const { createPrivateKey } = core.loadExtScript(
   "ext:deno_node/internal/crypto/keys.ts",
 );
@@ -496,10 +496,19 @@ class SecureContext {
     validateKeyCertOption(options.key, "options.key", true);
     validateKeyCertOption(options.ca, "options.ca", false);
 
-    // Validate PFX / PKCS#12 data. Node accepts both a single
-    // <string>|<Buffer> and an <Array<string|Buffer|{ buf, passphrase? }>>;
-    // an empty array (which playwright passes when no PFX is configured)
-    // must be a no-op rather than feeding an empty buffer to the parser.
+    // Load PFX / PKCS#12 data: extract the cert + private key so they can
+    // be used by the underlying TLS implementation. Any additional certs
+    // present in the PFX are merged into `ca`. Caller-supplied `cert`/`key`
+    // (and `ca`) take precedence, matching Node, which loads PFX first and
+    // then layers explicit cert/key on top.
+    //
+    // Node accepts both a single <string>|<Buffer> and an
+    // <Array<string|Buffer|{ buf, passphrase? }>>; an empty array (which
+    // playwright passes when no PFX is configured) must be a no-op rather
+    // than feeding an empty buffer to the parser.
+    let pfxCert: string | undefined;
+    let pfxKey: string | undefined;
+    let pfxCa: string[] | undefined;
     if (options.pfx != null) {
       const pfxItems = globalThis.Array.isArray(options.pfx)
         ? options.pfx
@@ -522,7 +531,15 @@ class SecureContext {
         if (buf == null) continue;
         const pfxData = toUint8Array(buf);
         const pfxPassphrase = passphrase != null ? String(passphrase) : null;
-        op_node_validate_pfx(pfxData, pfxPassphrase);
+        const loaded = op_node_load_pfx(pfxData, pfxPassphrase);
+        if (pfxCert === undefined) {
+          pfxCert = loaded.cert;
+          pfxKey = loaded.key;
+        }
+        if (loaded.ca?.length) {
+          if (pfxCa === undefined) pfxCa = [];
+          pfxCa.push(...loaded.ca);
+        }
       }
     }
 
@@ -544,12 +561,13 @@ class SecureContext {
 
     const { minVersion, maxVersion } = getProtocolRange(options);
 
-    const useDefaultCA = !options.ca;
+    const effectiveCa = options.ca != null ? options.ca : pfxCa;
+    const useDefaultCA = !effectiveCa;
     this.context = {
-      ca: useDefaultCA ? undefined : normalizeCertValue(options.ca),
+      ca: useDefaultCA ? undefined : normalizeCertValue(effectiveCa),
       useDefaultCA,
-      cert: normalizeCertPem(options.cert),
-      key: normalizeKeyPem(options.key, options.passphrase),
+      cert: normalizeCertPem(options.cert) ?? pfxCert,
+      key: normalizeKeyPem(options.key, options.passphrase) ?? pfxKey,
       minVersion,
       maxVersion,
       ciphers: options.ciphers,

ext/node_crypto/keys.rs

@@ -4156,13 +4156,48 @@ pub fn op_node_derive_public_key_from_private_key(
 }
 
 #[derive(Debug, thiserror::Error, deno_error::JsError)]
-pub enum PfxValidationError {
+pub enum PfxLoadError {
   #[class(generic)]
   #[error("not enough data")]
   NotEnoughData,
   #[class(generic)]
   #[error("mac verify failure")]
   MacVerifyFailure,
+  #[class(generic)]
+  #[error("PFX contains no usable certificate")]
+  NoCert,
+  #[class(generic)]
+  #[error("PFX contains no usable private key")]
+  NoKey,
+  #[class(generic)]
+  #[error("failed to encode PFX contents: {0}")]
+  Encode(String),
+}
+
+#[derive(Debug, serde::Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct LoadPfxResult {
+  pub cert: String,
+  pub key: String,
+  pub ca: Vec<String>,
+}
+
+fn der_to_pem(label: &str, der: &[u8]) -> String {
+  use base64::engine::general_purpose::STANDARD;
+  let body = STANDARD.encode(der);
+  let mut out = String::with_capacity(body.len() + 64);
+  out.push_str("-----BEGIN ");
+  out.push_str(label);
+  out.push_str("-----\n");
+  for chunk in body.as_bytes().chunks(64) {
+    // SAFETY: base64 output is ASCII.
+    out.push_str(std::str::from_utf8(chunk).unwrap());
+    out.push('\n');
+  }
+  out.push_str("-----END ");
+  out.push_str(label);
+  out.push_str("-----\n");
+  out
 }
 
 // Cap on the iteration count for the PKCS#12 MAC PBKDF, since an attacker
@@ -4176,39 +4211,65 @@ pub enum PfxValidationError {
 const PFX_MAC_ITERATIONS_CAP: u64 = 600_000;
 
 #[op2]
-pub fn op_node_validate_pfx(
+#[serde]
+pub fn op_node_load_pfx(
   #[buffer] pfx: &[u8],
   #[string] passphrase: Option<String>,
-) -> Result<(), PfxValidationError> {
-  let parsed =
-    Pkcs12::parse(pfx).map_err(|_| PfxValidationError::NotEnoughData)?;
+) -> Result<LoadPfxResult, PfxLoadError> {
+  let parsed = Pkcs12::parse(pfx).map_err(|_| PfxLoadError::NotEnoughData)?;
   let password = passphrase.as_deref().unwrap_or("");
   let bmp_password = bmp_string(password);
-  // If no MAC is present, the file is considered valid.
-  let Some(mac_data) = &parsed.mac_data else {
-    return Ok(());
-  };
-  let iterations = u64::from(mac_data.iterations);
-  if iterations > PFX_MAC_ITERATIONS_CAP {
-    return Err(PfxValidationError::MacVerifyFailure);
+  // If a MAC is present, verify it. Absent MACs are accepted (matches
+  // OpenSSL/Node behaviour).
+  if let Some(mac_data) = &parsed.mac_data {
+    let iterations = u64::from(mac_data.iterations);
+    if iterations > PFX_MAC_ITERATIONS_CAP {
+      return Err(PfxLoadError::MacVerifyFailure);
+    }
+    let data = parsed
+      .auth_safe
+      .data(&bmp_password)
+      .ok_or(PfxLoadError::MacVerifyFailure)?;
+    let ok = verify_pkcs12_mac(
+      &mac_data.mac.digest_algorithm,
+      &mac_data.mac.digest,
+      &mac_data.salt,
+      iterations,
+      &data,
+      &bmp_password,
+    )
+    .ok_or(PfxLoadError::MacVerifyFailure)?;
+    if !ok {
+      return Err(PfxLoadError::MacVerifyFailure);
+    }
   }
-  let data = parsed
-    .auth_safe
-    .data(&bmp_password)
-    .ok_or(PfxValidationError::MacVerifyFailure)?;
-  let ok = verify_pkcs12_mac(
-    &mac_data.mac.digest_algorithm,
-    &mac_data.mac.digest,
-    &mac_data.salt,
-    iterations,
-    &data,
-    &bmp_password,
-  )
-  .ok_or(PfxValidationError::MacVerifyFailure)?;
-  if !ok {
-    return Err(PfxValidationError::MacVerifyFailure);
+
+  let cert_ders = parsed
+    .cert_bags(password)
+    .map_err(|e| PfxLoadError::Encode(e.to_string()))?;
+  let key_ders = parsed
+    .key_bags(password)
+    .map_err(|e| PfxLoadError::Encode(e.to_string()))?;
+
+  if cert_ders.is_empty() {
+    return Err(PfxLoadError::NoCert);
   }
-  Ok(())
+  if key_ders.is_empty() {
+    return Err(PfxLoadError::NoKey);
+  }
+
+  // The first cert bag is taken as the leaf; any additional bags are
+  // returned as CA/chain certificates.
+  let mut iter = cert_ders.into_iter();
+  let leaf = iter.next().unwrap();
+  let cert = der_to_pem("CERTIFICATE", &leaf);
+  let ca: Vec<String> =
+    iter.map(|der| der_to_pem("CERTIFICATE", &der)).collect();
+
+  // p12 returns PKCS#8 DER for shrouded key bags.
+  let key = der_to_pem("PRIVATE KEY", &key_ders[0]);
+
+  Ok(LoadPfxResult { cert, key, ca })
 }
 
 // Convert a UTF-8 password to the PKCS#12 BMPString form (RFC 7292

ext/node_crypto/lib.rs

@@ -161,7 +161,7 @@ deno_core::extension!(
     keys::op_node_get_symmetric_key_size,
     keys::op_node_key_equals,
     keys::op_node_key_type,
-    keys::op_node_validate_pfx,
+    keys::op_node_load_pfx,
     keys::op_node_validate_crl,
     x509::op_node_x509_parse,
     x509::op_node_x509_ca,

tests/testdata/tls/README.md

@@ -64,13 +64,36 @@ each of the supported hash algorithms. All use the passphrase `secret`.
 ```shell
 for alg in sha1 sha256 sha384 sha512; do
   openssl pkcs12 -export -macalg "$alg" \
+    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
     -inkey localhost.key -in localhost.crt \
     -passout pass:secret \
     -out "localhost_${alg}.pfx"
 done
 ```
 
+`-keypbe`/`-certpbe` pin bag encryption to legacy PBE-SHA1-3DES because the
+`p12` crate used by `op_node_load_pfx` does not yet support PBES2/AES-256-CBC,
+which is OpenSSL 3.x's default.
+
 - `localhost_sha1.pfx` — RFC 7292 default MAC algorithm
 - `localhost_sha256.pfx` — OpenSSL 3.x default MAC algorithm
 - `localhost_sha384.pfx`
 - `localhost_sha512.pfx`
+
+A separate self-signed bundle exercises the `DEPTH_ZERO_SELF_SIGNED_CERT` path
+in the TLS handshake. Generated with:
+
+```shell
+openssl req -x509 -nodes -newkey rsa:2048 \
+  -keyout localhost_ss.key -out localhost_ss.crt \
+  -days 36135 -sha256 \
+  -subj "/C=US/CN=localhost" \
+  -addext "subjectAltName=DNS:localhost"
+openssl pkcs12 -export \
+  -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
+  -inkey localhost_ss.key -in localhost_ss.crt \
+  -passout pass:testpass \
+  -out localhost.pfx
+```
+
+- `localhost.pfx` — self-signed `CN=localhost`, passphrase `testpass`