
Conversation

haramj
Contributor

@haramj haramj commented Aug 4, 2025

This PR implements the TODO(joyeecheung) note to support X509Certificate output in tls.getCACertificates(). It introduces a new format option, enhancing the function's flexibility and aligning its API with Node.js's broader crypto module.

The function's behavior is now extended as follows:
API Enhancement: Adds an optional format parameter to tls.getCACertificates() to specify the output format.

Output Options:

  • 'pem' (default): Returns an array of PEM-encoded certificate strings. This is the new default to align with the name used in other Node.js crypto APIs.
  • 'der': Returns an array of certificate data as Buffer objects in DER format.
  • 'x509': Returns an array of crypto.X509Certificate instances, providing direct access to certificate properties.

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. labels Aug 4, 2025
doc/api/tls.md Outdated
@@ -2331,11 +2335,14 @@ Returns an array containing the CA certificates from various sources, depending
trusted store.
* When [`NODE_EXTRA_CA_CERTS`][] is used, this would also include certificates loaded from the specified
file.
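Review bot: the visible context for this hunk still describes the result only as "an array containing the CA certificates"; with the new parameter the paragraph should say what each format yields ('pem': PEM strings, 'der': DER Buffers, 'x509': crypto.X509Certificate instances) and which one is the default, as the PR description does, and the composite return type (Array<Buffer|X509Certificate>) that broke the doc build later in this thread belongs in this section's type annotation rather than in prose alone.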

Member

Suggested change

Member

It seems the white spaces are still there? Can you remove them?

Contributor Author

Okay. I'll remove the white space

Contributor Author

@joyeecheung Removing that white space will cause a format error in the document.

@haramj
Contributor Author

haramj commented Aug 4, 2025

@jasnell Thank you very much for the thorough and detailed reviews.
I really appreciate the time and effort you’re putting into this.
I’ll carefully go through all the feedback and address them step by step.

Additionally,
When building the docs, the tooling failed to recognize the X509Certificate type and composite return types like Array<Buffer|X509Certificate>, causing errors.
I tried fixing type annotations, references, and escape characters, but I'd appreciate guidance on the correct way to document such composite types officially.


codecov bot commented Aug 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.26%. Comparing base (7535aa1) to head (e2879a5).
⚠️ Report is 155 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #59349      +/-   ##
==========================================
- Coverage   89.88%   88.26%   -1.62%     
==========================================
  Files         667      701      +34     
  Lines      195217   206815   +11598     
  Branches    38325    39788    +1463     
==========================================
+ Hits       175472   182553    +7081     
- Misses      12210    16289    +4079     
- Partials     7535     7973     +438     
Files with missing lines Coverage Δ
lib/tls.js 96.57% <100.00%> (+0.32%) ⬆️

... and 182 files with indirect coverage changes


@haramj
Contributor Author

haramj commented Aug 11, 2025

The CI is failing due to a missing documentation anchor:
link not found: all_tls_tlsgetcacertificatestype
This seems unrelated to the changes in this PR. I didn't modify that anchor or the associated section.

@haramj haramj changed the title from "tls: add 'as' option to getCACertificates() for X509Certificate output" to "tls: use options in getCACertificates() with X509Certificate" on Aug 20, 2025
@haramj haramj force-pushed the haramjeong-patch-250805 branch from 2e19981 to d978079 on August 20, 2025 15:29
@haramj
Contributor Author

haramj commented Aug 25, 2025

Hi, feedback has been addressed.
Is there anything else needed from me before this can move forward?

@haramj
Contributor Author

haramj commented Aug 31, 2025

If you have some time, could you please review this? @nodejs/net, @joyeecheung

Member

@jasnell jasnell left a comment

LGTM! Great job. Let's ask @joyeecheung to also take a look since it was her TODO :-)

@haramj
Contributor Author

haramj commented Sep 7, 2025

LGTM! Great job. Let's ask @joyeecheung to also take a look since it was her TODO :-)

Thank you so much for the review and the LGTM! I really appreciate your time.

During my final testing, I discovered an unexpected failure related to caching, and also found a minor inconsistency with the documentation. I would like to push a fix for those before the PR is ready to merge.

I'll push the updated changes shortly.

@haramj
Contributor Author

haramj commented Sep 7, 2025

@jasnell @joyeecheung
I've confirmed that the logic using the map() method in the getCACertificates function is causing the caching-related assert.strictEqual test to fail, because it creates a new copy every time.

So I added the caching logic, but now other tests are failing.

@haramj
Contributor Author

haramj commented Sep 9, 2025

@jasnell @joyeecheung

I've successfully implemented support for new formats by clearly separating the logic for object input while maintaining the existing function's behavior.

All tests have passed, and I believe the PR is ready for review.

Thank you.

lib/tls.js Outdated

validateString(type, 'type');

switch (type) {
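Review bot: validateString(type, 'type') only guarantees a string; nothing in the visible snippet rejects values outside the documented set ('pem', 'der', 'x509'), so the switch should carry a default branch that throws ERR_INVALID_ARG_VALUE instead of letting a typo fall through to one of the formats.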
Member

It seems to me this can just reuse the original function; keep that as something like function getCACertificatesAsStrings(type = 'default'), and in function getCACertificates(options = undefined) you just normalize the options first, then get the array of strings, then process it from there.

lib/tls.js Outdated
Comment on lines 210 to 215
return certs.map((cert) => {
if (typeof cert === 'string') {
return cert;
}
return `-----BEGIN CERTIFICATE-----\n${cert.toString('base64').match(/.{1,64}/g).join('\n')}\n-----END CERTIFICATE-----`;
});
Member

@joyeecheung joyeecheung Sep 10, 2025

I don't think this branch is needed? It should just return the certs. They are already pem-encoded.

lib/tls.js Outdated
return buffers;
}

return buffers.map((buf) => new X509Certificate(buf));
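Review bot: buffers.map((buf) => new X509Certificate(buf)) allocates a fresh array and re-parses every certificate on each call, which is exactly what broke the assert.strictEqual caching test mentioned earlier in the thread; cache the parsed array per format so repeated calls with the same options return the same instance, and consider freezing it so callers cannot mutate the shared trust list.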
Member

Parsing it after a base64 decoding from JS land is a lot of detour, this can just directly return certs.map(cert => new X509Certificate(buf)) first if the type is x509, the native land would just do the decoding and parsing at once, and it would be simpler in that case because the X509Certificate parser would actually attempt to decode it as PEM first before retrying with d2i_X509_bio anyway.

@haramj
Contributor Author

haramj commented Sep 11, 2025

@joyeecheung I've applied the feedback. Could you take a look?

@haramj haramj requested a review from joyeecheung September 13, 2025 02:01
@haramj
Contributor Author

haramj commented Sep 16, 2025

Could you please take a look at this when you have a moment? Thanks! @joyeecheung

Labels
needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem.

5 participants