fix(ext/node): accept ArrayBufferView in tls.setDefaultCACertificates (#33700)

Enables `test-tls-set-default-ca-certificates-mixed-types` in
node_compat suite.

Co-authored-by: Divy Srivastava <dj.srivastava23@gmail.com>

Author: divybot

ext/node/polyfills/tls.ts

@@ -16,13 +16,19 @@ import {
   op_set_default_ca_certificates,
 } from "ext:core/ops";
 import { core, primordials } from "ext:core/mod.js";
+import { isArrayBufferView } from "ext:deno_node/internal/util/types.ts";
+import { ERR_INVALID_ARG_TYPE } from "ext:deno_node/internal/errors.ts";
 
+const { isTypedArray } = core;
 const {
   ArrayIsArray,
   ArrayPrototypeIncludes,
   ArrayPrototypeForEach,
   ArrayPrototypeMap,
   ArrayPrototypePush,
+  DataViewPrototypeGetBuffer,
+  DataViewPrototypeGetByteLength,
+  DataViewPrototypeGetByteOffset,
   ObjectDefineProperty,
   ObjectKeys,
   ObjectFreeze,
@@ -40,9 +46,36 @@ const {
   StringPrototypeSplit,
   StringPrototypeTrim,
   StringPrototypeToLowerCase,
-  TypeError,
+  TypedArrayPrototypeGetBuffer,
+  TypedArrayPrototypeGetByteLength,
+  TypedArrayPrototypeGetByteOffset,
+  Uint8Array,
 } = primordials;
 
+// Lazy-init: tls.ts is loaded into the startup snapshot before TextDecoder
+// is registered as a global, so a top-level `new TextDecoder()` would throw.
+let utf8Decoder: TextDecoder | null = null;
+
+// deno-lint-ignore no-explicit-any
+function arrayBufferViewToString(view: any): string {
+  // Use the matching prototype getter so a forged accessor on the view
+  // can't redirect us to a different ArrayBuffer / out-of-bounds region.
+  const isTA = isTypedArray(view);
+  const buffer = isTA
+    ? TypedArrayPrototypeGetBuffer(view)
+    : DataViewPrototypeGetBuffer(view);
+  const byteOffset = isTA
+    ? TypedArrayPrototypeGetByteOffset(view)
+    : DataViewPrototypeGetByteOffset(view);
+  const byteLength = isTA
+    ? TypedArrayPrototypeGetByteLength(view)
+    : DataViewPrototypeGetByteLength(view);
+  if (utf8Decoder === null) {
+    utf8Decoder = new TextDecoder("utf-8");
+  }
+  return utf8Decoder.decode(new Uint8Array(buffer, byteOffset, byteLength));
+}
+
 // openssl -> rustls
 const cipherMap = {
   "__proto__": null,
@@ -187,28 +220,43 @@ export class CryptoStream {}
 export class SecurePair {}
 export const Server = tlsWrap.Server;
 
-export function setDefaultCACertificates(certs: string[]) {
+export function setDefaultCACertificates(
+  certs: (string | ArrayBufferView)[],
+) {
   if (!ArrayIsArray(certs)) {
-    throw new TypeError(
-      "The argument 'certs' must be an array of strings",
-    );
+    throw new ERR_INVALID_ARG_TYPE("certs", "Array", certs);
   }
 
+  const normalized: string[] = [];
   for (let i = 0; i < certs.length; ++i) {
     const cert = certs[i];
-    if (typeof cert !== "string") {
-      throw new TypeError(
-        "Each certificate in 'certs' must be a string",
+    if (typeof cert === "string") {
+      ArrayPrototypePush(normalized, cert);
+    } else if (isArrayBufferView(cert)) {
+      ArrayPrototypePush(normalized, arrayBufferViewToString(cert));
+    } else {
+      throw new ERR_INVALID_ARG_TYPE(
+        `certs[${i}]`,
+        ["string", "ArrayBufferView"],
+        cert,
       );
     }
   }
 
-  op_set_default_ca_certificates(certs);
+  op_set_default_ca_certificates(normalized);
 
-  lazyRootCertificates = null;
+  // The bundled root certificates (`rootCertificates` proxy /
+  // `lazyRootCertificates`) come from the webpki Mozilla bundle and don't
+  // change here, so don't invalidate them: doing so would re-enter
+  // `ensureLazyRootCertificates` and try to mutate a frozen target.
+  // Only the 'default' cache reflects what we just wrote.
   ArrayPrototypeForEach(
     ObjectKeys(cachedCACertificates),
-    (key) => delete cachedCACertificates[key],
+    (key) => {
+      if (key !== "bundled") {
+        delete cachedCACertificates[key];
+      }
+    },
   );
 }
 

tests/node_compat/config.jsonc

@@ -3313,6 +3313,7 @@
     "parallel/test-tls-server-verify.js": {},
     "parallel/test-tls-session-cache.js": {},
     "parallel/test-tls-session-timeout-errors.js": {},
+    "parallel/test-tls-set-default-ca-certificates-mixed-types.js": {},
     "parallel/test-tls-set-encoding.js": {},
     "parallel/test-tls-snicallback-error.js": {},
     "parallel/test-tls-socket-allow-half-open-option.js": {},

tests/unit_node/tls_test.ts

@@ -624,18 +624,18 @@ Deno.test("tls.setDefaultCACertificates validates input - must be array", () =>
       (tls as any).setDefaultCACertificates("not an array");
     },
     TypeError,
-    "must be an array",
+    "must be an instance of Array",
   );
 });
 
-Deno.test("tls.setDefaultCACertificates validates input - array elements must be strings", () => {
+Deno.test("tls.setDefaultCACertificates validates input - array elements must be strings or ArrayBufferView", () => {
   assertThrows(
     () => {
       // deno-lint-ignore no-explicit-any
       (tls as any).setDefaultCACertificates([123, 456]);
     },
     TypeError,
-    "must be a string",
+    "must be of type string or an instance of ArrayBufferView",
   );
 });