feat: support NODE_EXTRA_CA_CERTS

docs/api/environment-variables.md

@@ -51,6 +51,14 @@ Unsupported options are:
 --http-parser
 ```
 
+### `NODE_EXTRA_CA_CERTS`
+
+See [Node.js cli documentation](https://github.com/nodejs/node/blob/main/doc/api/cli.md#node_extra_ca_certsfile) for details.
+
+```sh
+export NODE_EXTRA_CA_CERTS=/path/to/cert.pem 
+```
+
 ### `GOOGLE_API_KEY`
 
 Geolocation support in Electron requires the use of Google Cloud Platform's

patches/node/feat_optionally_prevent_calling_v8_enablewebassemblytraphandler.patch

@@ -10,7 +10,7 @@ already been called.
 This should be upstreamed.
 
 diff --git a/src/node.cc b/src/node.cc
-index 524f80ee69ee5248e045a2b61faf5610c9ba4285..971668792eabe5be299849b5a3fd8a2790a2210a 100644
+index 2bed5aec6a1bc362ef4e1e0d6715951537676270..f19948f50fef3518ec3a78b6d685dc35eeec5418 100644
 --- a/src/node.cc
 +++ b/src/node.cc
 @@ -605,6 +605,7 @@ static void PlatformInit(ProcessInitializationFlags::Flags flags) {

patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch

@@ -373,6 +373,38 @@ index 5734d8fdc5505e1586f571c19b840bd56e9c9f1f..3034b114e081e2b32dd5b71653927a41
  }
  }  // namespace
 
+diff --git a/src/node.cc b/src/node.cc
+index 524f80ee69ee5248e045a2b61faf5610c9ba4285..2bed5aec6a1bc362ef4e1e0d6715951537676270 100644
+--- a/src/node.cc
++++ b/src/node.cc
+@@ -1027,7 +1027,8 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
+   }
+
+   if (!(flags & ProcessInitializationFlags::kNoInitOpenSSL)) {
+-#if HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
++#if HAVE_OPENSSL
++#if !defined(OPENSSL_IS_BORINGSSL)
+     auto GetOpenSSLErrorString = []() -> std::string {
+       std::string ret;
+       ERR_print_errors_cb(
+@@ -1118,7 +1119,7 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
+
+     // Ensure CSPRNG is properly seeded.
+     CHECK(crypto::CSPRNG(nullptr, 0).is_ok());
+-
++#endif // !defined(OPENSSL_IS_BORINGSSL)
+     V8::SetEntropySource([](unsigned char* buffer, size_t length) {
+       // V8 falls back to very weak entropy when this function fails
+       // and /dev/urandom isn't available. That wouldn't be so bad if
+@@ -1133,7 +1134,7 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
+       if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+         crypto::UseExtraCaCerts(extra_ca_certs);
+     }
+-#endif  // HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
++#endif  // HAVE_OPENSSL
+   }
+
+   if (!(flags & ProcessInitializationFlags::kNoInitializeNodeV8Platform)) {
 diff --git a/src/node_metadata.cc b/src/node_metadata.cc
 index b88cfb98e75aca426224e19376b3ff4c23b92e53..b66f4e2b5cbd8f36af42f82a8921207302360e39 100644
 --- a/src/node_metadata.cc

script/node-disabled-tests.json

@@ -62,8 +62,6 @@
   "parallel/test-snapshot-worker",
   "parallel/test-strace-openat-openssl",
   "parallel/test-tls-alpn-server-client",
-  "parallel/test-tls-cert-chains-concat",
-  "parallel/test-tls-cert-chains-in-ca",
   "parallel/test-tls-cli-max-version-1.2",
   "parallel/test-tls-cli-max-version-1.3",
   "parallel/test-tls-cli-min-version-1.1",
@@ -77,8 +75,6 @@
   "parallel/test-tls-cnnic-whitelist",
   "parallel/test-tls-disable-renegotiation",
   "parallel/test-tls-empty-sni-context",
-  "parallel/test-tls-env-bad-extra-ca",
-  "parallel/test-tls-env-extra-ca",
   "parallel/test-tls-finished",
   "parallel/test-tls-generic-stream",
   "parallel/test-tls-getcipher",

shell/common/node_bindings.cc

@@ -338,7 +338,7 @@ bool IsAllowedOption(const std::string_view option) {
 // Initialize NODE_OPTIONS to pass to Node.js
 // See https://nodejs.org/api/cli.html#cli_node_options_options
 void SetNodeOptions(base::Environment* env) {
-  // Options that are unilaterally disallowed
+  // Options that are expressly disallowed
   static constexpr auto disallowed = base::MakeFixedFlatSet<std::string_view>({
       "--enable-fips",
       "--experimental-policy",