fix(ext/node): improve X509Certificate Node.js compatibility #32671
Open
bartlomieju wants to merge 5 commits into denoland:main from
Adds infrastructure for custom JS objects to support structured cloning
via `postMessage`/`MessageChannel`. This enables objects like
`CryptoKey` and `X509Certificate` to be cloned across message ports.

The mechanism works by:
1. Objects set `[core.hostObjectBrand]` to a serializer function that
   returns `{ type: "<name>", ...data }`
2. Extensions register a deserializer via
   `core.registerCloneableResource(name, deserializerFn)`
3. During deserialization, the registry is consulted to reconstruct
   the original object

Changes:
- `libs/core/01_core.js`: Add `registerCloneableResource` /
  `getCloneableDeserializers` registry, auto-pass deserializers
  in `structuredClone`
- `libs/core/ops_builtin_v8.rs`: Mark `op_deserialize` as reentrant
  so deserializer callbacks can invoke ops
- `ext/web/13_message_port.js`: Pass cloneable deserializers during
  message deserialization

Ref: denoland#12067
Ref: denoland#12734

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes multiple compatibility issues with `crypto.X509Certificate` to pass Node.js test-crypto-x509.js:

- Add `isX509Certificate()` to `internal/crypto/x509` module
- Fix `emailAddress` label in subject/issuer (was `Email`)
- Fix `validFrom`/`validTo` timezone suffix (`+00:00` → `GMT`)
- Add `signatureAlgorithm` and `signatureAlgorithmOid` getters
- Fix `toLegacyObject()`: return Buffer for `raw`, null-prototype objects for `subject`/`issuer`/`infoAccess`, add `emailAddress` field and `infoAccess` as structured object
- Fix RSA modulus to strip ASN.1 leading zero byte
- Fix RSA exponent format to `0x`-prefixed hex
- Add structured clone support for X509Certificate via MessagePort by introducing a cloneable resource registry in `Deno.core` and marking `op_deserialize` as reentrant

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
a534e21 to 3cbaef3
kajukitli
suggested changes
Mar 12, 2026
Contributor
toLegacyObject().infoAccess is at risk of being wrong or empty because the new AIA parser does not decode GeneralName correctly. It treats the accessLocation as if a URI were identified by tag value 6 alone, but X.509 encodes uniformResourceIdentifier as context-specific [6], not the universal IA5String tag. This can cause valid OCSP/CA Issuers URIs to be skipped or misread, breaking Node compatibility for certificates that rely on infoAccess.
…ding

Properly check that the ASN.1 tag class is ContextSpecific (not just tag number 6) when decoding uniformResourceIdentifier in AIA extensions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
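The tag-class check discussed in the review and the follow-up commit above, as an added example that is not code from this PR: in DER a uniformResourceIdentifier GeneralName is `[6] IMPLICIT IA5String` (identifier octet 0x86), while universal tag 6 (0x06) is an OBJECT IDENTIFIER, which is what accessMethod uses in the same SEQUENCE. The parser, the `sample_aia` helper and the `ocsp.example.test` URI are constructed for illustration.

```rust
// Added example, not the PR's code. Single-byte tags, short-form lengths only.
#[derive(PartialEq)]
enum Class { Universal, ContextSpecific, Other }
struct Tlv<'a> { class: Class, constructed: bool, number: u8, value: &'a [u8] }

/// Read one DER TLV and return it with the bytes that follow it.
fn read_tlv<'a>(input: &'a [u8]) -> Option<(Tlv<'a>, &'a [u8])> {
    let (&id, rest) = input.split_first()?;
    let (&len, rest) = rest.split_first()?;
    if id & 0x1f == 0x1f || len & 0x80 != 0 || rest.len() < usize::from(len) { return None; }
    let class = match id >> 6 {
        0 => Class::Universal,
        2 => Class::ContextSpecific,
        _ => Class::Other, // application or private
    };
    let (value, rest) = rest.split_at(usize::from(len));
    Some((Tlv { class, constructed: id & 0x20 != 0, number: id & 0x1f, value }, rest))
}

/// URIs in an AuthorityInfoAccessSyntax value, as (accessMethod OID bytes, URI).
fn aia_uris(der: &[u8]) -> Option<Vec<(Vec<u8>, String)>> {
    let (seq, _) = read_tlv(der)?;
    let (mut body, mut out) = (seq.value, Vec::new());
    while !body.is_empty() {
        let (desc, rest) = read_tlv(body)?; // AccessDescription ::= SEQUENCE
        let (method, after) = read_tlv(desc.value)?; // accessMethod: universal OID (0x06)
        let (loc, _) = read_tlv(after)?; // accessLocation: GeneralName
        if method.class != Class::Universal || method.number != 6 { return None; }
        // uniformResourceIdentifier is [6] IMPLICIT IA5String: identifier octet 0x86.
        // Matching on tag number 6 alone would also accept a universal OID (0x06).
        if loc.class == Class::ContextSpecific && !loc.constructed && loc.number == 6 {
            out.push((method.value.to_vec(), String::from_utf8(loc.value.to_vec()).ok()?));
        }
        body = rest;
    }
    Some(out)
}

// Constructed sample: one id-ad-ocsp AccessDescription; `loc_tag` tags accessLocation.
fn tlv(tag: u8, body: &[u8]) -> Vec<u8> { [&[tag, body.len() as u8][..], body].concat() }
fn sample_aia(loc_tag: u8) -> Vec<u8> {
    let oid = tlv(0x06, &[0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01]); // 1.3.6.1.5.5.7.48.1
    let loc = tlv(loc_tag, b"http://ocsp.example.test");
    tlv(0x30, &tlv(0x30, &[oid, loc].concat()))
}

fn main() {
    for tag in [0x86u8, 0x06] { println!("{tag:#04x}: {:?}", aia_uris(&sample_aia(tag))); }
}
```

Other GeneralName choices (for example dNSName, `[2]`) are skipped rather than treated as errors, so a certificate with mixed accessLocation types still yields its URIs.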
kajukitli
approved these changes
Mar 12, 2026
Contributor
Reviewed the changes. No issues found.
Summary
- `crypto.X509Certificate` to pass the Node.js `test-crypto-x509.js` test suite
- `isX509Certificate()`, `signatureAlgorithm`, `signatureAlgorithmOid` getters
- `emailAddress` label, date timezone format, `toLegacyObject()` output (Buffer raw, null-prototype objects, infoAccess as structured object, RSA modulus/exponent format)

Depends on #32672

Test plan
- `./x test-compat test-crypto-x509` passes

🤖 Generated with Claude Code