1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

TLS: CRL support

Browse Source 
Needs more tests.
This commit is contained in:
Theo Schlossnagle 2010-11-23 13:00:42 -05:00 committed by Ryan Dahl
parent 634e7236f7
commit 01a864a29d
19 changed files with 186 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/crypto.js
View File

@ -57,6 +57,16 @@ exports.createCredentials = function(options) {
c.context.addRootCerts(); c.context.addRootCerts();
} }
if (options.crl) {
if (Array.isArray(options.crl)) {
for(var i = 0, len = options.crl.length; i < len; i++) {
c.context.addCRL(options.crl[i]);
}
} else {
c.context.addCRL(options.crl);
}
}
return c; return c;
}; };

9
lib/tls.js
View File

@ -656,8 +656,12 @@ function Server(/* [options], listener */) {
// constructor call // constructor call
net.Server.call(this, function(socket) { net.Server.call(this, function(socket) {
var creds = crypto.createCredentials( var creds = crypto.createCredentials({
{ key: self.key, cert: self.cert, ca: self.ca }); key: self.key,
cert: self.cert,
ca: self.ca,
crl: self.crl
});
//creds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); //creds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
var pair = new SecurePair(creds, var pair = new SecurePair(creds,
@ -725,6 +729,7 @@ Server.prototype.setOptions = function(options) {
if (options.key) this.key = options.key; if (options.key) this.key = options.key;
if (options.cert) this.cert = options.cert; if (options.cert) this.cert = options.cert;
if (options.ca) this.ca = options.ca; if (options.ca) this.ca = options.ca;
if (options.crl) this.crl = options.crl;
}; };

32
src/node_crypto.cc
View File

@ -44,6 +44,7 @@ void SecureContext::Initialize(Handle<Object> target) {
NODE_SET_PROTOTYPE_METHOD(t, "setKey", SecureContext::SetKey); NODE_SET_PROTOTYPE_METHOD(t, "setKey", SecureContext::SetKey);
NODE_SET_PROTOTYPE_METHOD(t, "setCert", SecureContext::SetCert); NODE_SET_PROTOTYPE_METHOD(t, "setCert", SecureContext::SetCert);
NODE_SET_PROTOTYPE_METHOD(t, "addCACert", SecureContext::AddCACert); NODE_SET_PROTOTYPE_METHOD(t, "addCACert", SecureContext::AddCACert);
NODE_SET_PROTOTYPE_METHOD(t, "addCRL", SecureContext::AddCRL);
NODE_SET_PROTOTYPE_METHOD(t, "addRootCerts", SecureContext::AddRootCerts); NODE_SET_PROTOTYPE_METHOD(t, "addRootCerts", SecureContext::AddRootCerts);
NODE_SET_PROTOTYPE_METHOD(t, "setCiphers", SecureContext::SetCiphers); NODE_SET_PROTOTYPE_METHOD(t, "setCiphers", SecureContext::SetCiphers);
NODE_SET_PROTOTYPE_METHOD(t, "close", SecureContext::Close); NODE_SET_PROTOTYPE_METHOD(t, "close", SecureContext::Close);
@ -303,6 +304,37 @@ Handle<Value> SecureContext::AddCACert(const Arguments& args) {
} }
Handle<Value> SecureContext::AddCRL(const Arguments& args) {
HandleScope scope;
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
if (args.Length() != 1) {
return ThrowException(Exception::TypeError(String::New("Bad parameter")));
}
BIO *bio = LoadBIO(args[0]);
if (!bio) return False();
X509_CRL *x509 = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
if (x509 == NULL) {
BIO_free(bio);
return False();
}
X509_STORE_add_crl(sc->ca_store_, x509);
X509_STORE_set_flags(sc->ca_store_, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
BIO_free(bio);
X509_CRL_free(x509);
return True();
}
Handle<Value> SecureContext::AddRootCerts(const Arguments& args) { Handle<Value> SecureContext::AddRootCerts(const Arguments& args) {
HandleScope scope; HandleScope scope;

1
src/node_crypto.h
View File

@ -31,6 +31,7 @@ class SecureContext : ObjectWrap {
static v8::Handle<v8::Value> SetKey(const v8::Arguments& args); static v8::Handle<v8::Value> SetKey(const v8::Arguments& args);
static v8::Handle<v8::Value> SetCert(const v8::Arguments& args); static v8::Handle<v8::Value> SetCert(const v8::Arguments& args);
static v8::Handle<v8::Value> AddCACert(const v8::Arguments& args); static v8::Handle<v8::Value> AddCACert(const v8::Arguments& args);
static v8::Handle<v8::Value> AddCRL(const v8::Arguments& args);
static v8::Handle<v8::Value> AddRootCerts(const v8::Arguments& args); static v8::Handle<v8::Value> AddRootCerts(const v8::Arguments& args);
static v8::Handle<v8::Value> SetCiphers(const v8::Arguments& args); static v8::Handle<v8::Value> SetCiphers(const v8::Arguments& args);
static v8::Handle<v8::Value> Close(const v8::Arguments& args); static v8::Handle<v8::Value> Close(const v8::Arguments& args);

23
test/fixtures/keys/Makefile vendored
View File

@ -1,4 +1,4 @@
all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem ca2-crl.pem
# #
@ -14,6 +14,8 @@ ca1-cert.pem: ca1.cnf
# #
ca2-cert.pem: ca2.cnf ca2-cert.pem: ca2.cnf
openssl req -new -x509 -config ca2.cnf -keyout ca2-key.pem -out ca2-cert.pem openssl req -new -x509 -config ca2.cnf -keyout ca2-key.pem -out ca2-cert.pem
echo '01' > ca2-serial
touch ca2-database.txt
# #
@ -111,12 +113,23 @@ agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem
agent4-verify: agent4-cert.pem ca2-cert.pem agent4-verify: agent4-cert.pem ca2-cert.pem
openssl verify -CAfile ca2-cert.pem agent4-cert.pem openssl verify -CAfile ca2-cert.pem agent4-cert.pem
#
# TODO: agent on CRL # Make CRL with agent4 being rejected
#
ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf
openssl ca -revoke agent4-cert.pem \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf
openssl ca \
-keyfile ca2-key.pem \
-cert ca2-cert.pem \
-config ca2.cnf \
-gencrl \
-out ca2-crl.pem
clean: clean:
rm -f *.pem *.srl rm -f *.pem *.srl ca2-database.txt ca2-serial
test: agent1-verify agent2-verify agent3-verify agent4-verify test: agent1-verify agent2-verify agent3-verify agent4-verify

14
test/fixtures/keys/agent3-cert.pem vendored
View File

@ -1,14 +1,14 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICKjCCAZMCCQC9jzMlG+W8DDANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV MIICKjCCAZMCCQDMRmF28ReZjTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA
dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDIzMDIwWhcNMTMxMTA1MDIzMDIwWjB9 dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDc1NjU1WhcNMTMxMTA1MDc1NjU1WjB9
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MzEgMB4G EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MzEgMB4G
CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwXDANBgkqhkiG9w0BAQEFAANL CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEAy6zp21WUvCB8XknL2c6TggDtXj34e+jr7CvUU+PmoFJYzITeRWCx84kP ADBIAkEAvo97SurQMLbB62avPWW7KZQ4Xw1jhXZ9uoQ+3A+RZoZ7MRkLYT8R+8l/
8VhXkz6nbG/7vpjT9sT/SDFxt0T3/wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBANrA r3ZZo6uYVMrlP14YPZ35qXGs2i7vqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAHde
du9DMhBACSm8dlQVIHxwR2rsScKeY/RigOJ1nkDSHHSLjnIZ2UEzAwd6JsfMmApt DjVjyBmqHJFkZ1bhGOUisChHxg90SX+X9aCxpS7PPWJks56HDlQWMIeU4LmFDX+B
d4DE3PNjSFpLP7pGlCOV9DxFUk/PSzSmQOMn7+t5n6tjCGGfXwvOYNwuI8L65Kqz 1dF8TKSiWb7XHWLChrMaRdF01wDUuM/lgnJvK+YikiHdAz3dndUT93JQwWv8skg1
Q8c9vXcICBLs7EN0/6NDHWcYuWvpi/UzhLmoQsEW 6pHpYaK3A5AsHH+bogz+/sCCuoVwp8hPwcVWJkXK
-----END CERTIFICATE----- -----END CERTIFICATE-----

8
test/fixtures/keys/agent3-csr.pem vendored
View File

@ -2,9 +2,9 @@
MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
EwZhZ2VudDMxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ EwZhZ2VudDMxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ
KoZIhvcNAQEBBQADSwAwSAJBAMus6dtVlLwgfF5Jy9nOk4IA7V49+Hvo6+wr1FPj KoZIhvcNAQEBBQADSwAwSAJBAL6Pe0rq0DC2wetmrz1luymUOF8NY4V2fbqEPtwP
5qBSWMyE3kVgsfOJD/FYV5M+p2xv+76Y0/bE/0gxcbdE9/8CAwEAAaAlMCMGCSqG kWaGezEZC2E/EfvJf692WaOrmFTK5T9eGD2d+alxrNou76sCAwEAAaAlMCMGCSqG
SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB
AGK5j9t+2Owk6r5h3My5kBpRkCUMZdU57Wlpcm6G8tZ3kz65pvarWOFFwPQzWC40 AJ0eUoKBgimALry2MLT3VktNJQwD8OorIIvnUz0BjG86F0fVX+FWZEqw1aXmblAZ
tR/Fd1a61L20G9KGzB3zjik= WTPvnqq//bzzi2PwvoEJ4Lc=
-----END CERTIFICATE REQUEST----- -----END CERTIFICATE REQUEST-----

14
test/fixtures/keys/agent3-key.pem vendored
View File

@ -1,9 +1,9 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMus6dtVlLwgfF5Jy9nOk4IA7V49+Hvo6+wr1FPj5qBSWMyE3kVg MIIBOQIBAAJBAL6Pe0rq0DC2wetmrz1luymUOF8NY4V2fbqEPtwPkWaGezEZC2E/
sfOJD/FYV5M+p2xv+76Y0/bE/0gxcbdE9/8CAwEAAQJAWRD1dx/WmeoO2OCmj0nB EfvJf692WaOrmFTK5T9eGD2d+alxrNou76sCAwEAAQJAcT7Nk4kWLkz900pTzBX/
waEMLCEnb3As8ys7f6/yo3p2ZjRIMgOPZys7dTEmEx5m62uI21EMUQOL9jN+nWPs 80a9dWd8hF0VfNmIjbjGvPkaCW6th6N5TuSJbrwrKcSqyxB9fG8/oY42IsGe+Tj8
MQIhAP1bkf9NaNqHUgQM4/hcKWyhKlNVwXelGEli3xjn0K5XAiEAzcyy0gymOrYS MQIhAN3VnmNLml9/w6ksMfulhddGPKEi7RpNvTe+rq3vVsfTAiEA2+jOzgkA3Vn0
vRpW9FV+hu2onGfJvdza5HRx6pwRqpkCIDq/6in2bFMIQAd6ab6kuGJdOPBcGWHC riBRt7jAH+8OTh9Qxu23akW77nj/6ckCIChCeqpesDegwmvTf4bCNZYqQxqjchCS
IdCaobsnvic/AiEAqh+tMzaBs8cPdoNvnkuObLvJxoGFpA4OZQxdnzOk5wECIAEy B0M0shMTGtbNAiAFEtHynvKOKM0kV0qLWo/ULMe/tak/bayVnxY+4jvFQQIgSToA
7T0nAmXRYTCJhdt4NbET+tmktA8N24Q39c2yZLX9 tCzu09vpDbkH5oXgZbLKSznShbYWpAng1XMJlYI=
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

18
test/fixtures/keys/agent4-cert.pem vendored
View File

@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICSDCCAbGgAwIBAgIJAL2PMyUb5bwNMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV MIICSDCCAbGgAwIBAgIJAMxGYXbxF5mOMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu
dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2EyMSAwHgYJKoZIhvcNAQkB dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2EyMSAwHgYJKoZIhvcNAQkB
FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xMTAyMTAwMjMwMjBaFw0xMzExMDUwMjMw FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xMTAyMTAwNzU2NTVaFw0xMzExMDUwNzU2
MjBaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN NTVaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN
BgNVBAoTBkpveWVudDEQMA4GA1UECxMHTm9kZS5qczEPMA0GA1UEAxMGYWdlbnQ0 BgNVBAoTBkpveWVudDEQMA4GA1UECxMHTm9kZS5qczEPMA0GA1UEAxMGYWdlbnQ0
MSAwHgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBcMA0GCSqGSIb3DQEB MSAwHgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBcMA0GCSqGSIb3DQEB
AQUAA0sAMEgCQQDGlJNGU61zPQE5+KynnUpFSKLNR7hebT+MXf+/JtCMZh4oE26M AQUAA0sAMEgCQQC+eEnKdt2AHzGMt1EkALMiSHk6MLnHLxigi6CCM3jxxNz/lw7Y
iVVxgR+3+g7FDcYsI/pjh4VUT/SYE7wcg3x1AgMBAAGjFzAVMBMGA1UdJQQMMAoG uZfAWyTBr6jjCZsa/SC8DpE7caRZED//F4tFAgMBAAGjFzAVMBMGA1UdJQQMMAoG
CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAH5NOqmgyD/ZCezX/VGTNeYMXhIj CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAKJu+RhRDKkzVn9BrS8r3hPlJUdS
vaKDBsxoSWCLMA3zzr7ixmeFyYgI1Lt1jZXnQkMCL/K9QrmQxpsEJAiirYNvS9vW ybHfZpsOHpltmzO+PkWaio7jEXT7nnKBjV4VP8ld6wDa4mk+tRyhgt91+nmvrIeT
n0kS5K0it878yAza5pfGNSosFK5ZdJvJOplrzOL10l+JZglPsU30apqydYc1BOq2 yw7I9UBY7RCCDIXy755zSkT3OitOTk7besU70Am8/P3Srg7IyHeYBnJVLqn4FIlz
dAqSyneuVANFbzUE /apIKko90U+bEgk2
-----END CERTIFICATE----- -----END CERTIFICATE-----

8
test/fixtures/keys/agent4-csr.pem vendored
View File

@ -2,9 +2,9 @@
MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
EwZhZ2VudDQxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ EwZhZ2VudDQxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ
KoZIhvcNAQEBBQADSwAwSAJBAMaUk0ZTrXM9ATn4rKedSkVIos1HuF5tP4xd/78m KoZIhvcNAQEBBQADSwAwSAJBAL54Scp23YAfMYy3USQAsyJIeTowuccvGKCLoIIz
0IxmHigTboyJVXGBH7f6DsUNxiwj+mOHhVRP9JgTvByDfHUCAwEAAaAlMCMGCSqG ePHE3P+XDti5l8BbJMGvqOMJmxr9ILwOkTtxpFkQP/8Xi0UCAwEAAaAlMCMGCSqG
SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB
ALUeDCFkwYvz9/uFAl7oK6tPpeEl1EuPxWfvgP9ldggAIjSVsVfdI3Ailm3OcZ5Y AJc7y8DLaJ+j9wdEmjPV+mt6NuFQ3MHVuTzteMAsdASiJ9ce5U/vNMvS0UXdjzkd
dzVJ/VZyyK5iZfovMoW8APc= y4uuWOqLyZaajVCqDDk5JvE=
-----END CERTIFICATE REQUEST----- -----END CERTIFICATE REQUEST-----

14
test/fixtures/keys/agent4-key.pem vendored
View File

@ -1,9 +1,9 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMaUk0ZTrXM9ATn4rKedSkVIos1HuF5tP4xd/78m0IxmHigTboyJ MIIBPQIBAAJBAL54Scp23YAfMYy3USQAsyJIeTowuccvGKCLoIIzePHE3P+XDti5
VXGBH7f6DsUNxiwj+mOHhVRP9JgTvByDfHUCAwEAAQJBAL8mk6G1uJfeGEkiW6g4 l8BbJMGvqOMJmxr9ILwOkTtxpFkQP/8Xi0UCAwEAAQJBALq4g2ZnBpfOfK29HF9W
2x5YLgZmTE3w4aQPc7gf9828aJzlGWgN7KcedGAzhlhsrj+MLDPjNvTWGHUY+gP7 DEZElAs2rzkT82mX198sBJnFOFfdo0GdGkA8LlQVwXEv2yWKlzN5zrkJPK/I/Z6A
RwECIQDkWhHV+L+KrOuH/LAVg1HsNHtG28dxOrN3GVovtLkLwQIhAN6ft7TXPDaN vxUCIQDxRDPGSV0nfnFH5mcs7pnWNIi7tRZecsAhaj2gGBNCfwIhAMoZ94XYslXl
fw+CaYXEDH1XngFf/gIwEGgBzREq7W21AiBGEAyg5i1+0weBNdqg/yXHn2KjnxNW 2eHUDPvVYhzNqdRWXfgD8N89lYXXTMg7AiEAnPwmwCeuYGtKpGEL01WxbYqjSZfr
fnhJ9pFhScXtAQIgDQU4YFpKSkKCUOzmsQ0jUd1i/1+W4pffDcY1MTDajBUCIGqr 5Sq/Tz7EuG3R4lsCIQDIz/pprUKuJUBUqt3n0UO2uQgZq2Odj1TkjQ2oOqDZhwIh
8kxP5se+Y9ihqzMwvvP0/nOtciGeJjEzKlGDrC28 AIydKQ6a35hFleOih3yiHvFPUEE7jOAIhGTOAd3s31LN
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

16
test/fixtures/keys/ca2-cert.pem vendored
View File

@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICazCCAdQCCQC7OMCdtvshmTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV MIICazCCAdQCCQDzyKZgsfidNjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA
dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDIzMDIwWhcNMTEwMzEyMDIzMDIwWjB6 dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDc1NjU1WhcNMTEwMzEyMDc1NjU1WjB6
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqG EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqG
SIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A SIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAONi4yMjv8R0hfjVtvEM8PoXvPP24e0NQZeJs+mFqVVt4JaRxYbX8qXx MIGJAoGBAMf9gxkjRyoHsgvya+jMlHRRds6qwt43t6tB6tkB6dW/23HBvXOCuHe0
9KiEwCAYdS5FSl1mcotATeKLp2vlCXaG2Fb4xCn0ollFe+ubA2Ud8RiOhw2Pbc3D Ryn2EofWtNaLg6IfJg8JwM6k39/EvGgjr730WeI2iQt2b7+OmBBLiEr+Xkrkeskp
I40LekBKJsZfns6vftRGlwb7URt55Efx9QbBbONwMWHDKbGYA5GPAgMBAAEwDQYJ Wv+3TdbwF08Vh4pV34kPQhD+q2d0PBZUGgBUVhVzcwZ4XWWJDq1DAgMBAAEwDQYJ
KoZIhvcNAQEFBQADgYEAeQzT6q8xuxUuQ9tmZEjq6vHaUaU2gq5Zp48XBJg3XjNI KoZIhvcNAQEFBQADgYEArEYmxp6S+LRE6Nu7ULVElCXL1ouR+srM03j25D/2G/6O
sxQEy1LreOR48THhS7QrKFELDGfr4bd6gPE0IvEpwAVu6eNNX/ZkrkiE2480W7CY lryRDHGTsNUytBhQFghwi1vPB8mHTVLpWV9NgTbQrQF4qjQHY6CzcM2gnNfkmWql
8hJMtYGXRi09BOSXnpSy0qMh63wjA3v5tTs+DPSwfi3xPsx8RyIz/hBXazoAKAM= mpR3x4hs25a86KR3OzrAx4JOkpvzEf1PJgWOLaKt38JoPxehvhgNMx1sd+MR8kw=
-----END CERTIFICATE----- -----END CERTIFICATE-----

2
test/fixtures/keys/ca2-cert.srl vendored
View File

@ -1 +1 @@
BD8F33251BE5BC0D CC466176F117998E

10
test/fixtures/keys/ca2-crl.pem vendored Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN X509 CRL-----
MIIBXTCBxzANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMC
Q0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAOBgNVBAsTB05vZGUu
anMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5v
cmcXDTExMDIxMDA3NTcxMVoXDTEzMTEwNTA3NTcxMVowHDAaAgkAzEZhdvEXmY4X
DTExMDIxMDA3NTY1N1owDQYJKoZIhvcNAQEEBQADgYEAgH9u/zWn48ycNmJezW57
E54QQI2KqwqmnO1S0lt6EDhjktCAxgljoEhjb3rS3221jddbb9FckYVVMKVX3rPP
cUPXF1jLJ8I/jF0mETK4sZQPjA/PIzPQOnUzzQmszfr42b+5x6HQ0gg2RTqN1TC2
wLLY7ihxVXUzhVIHlGIp9Hk=
-----END X509 CRL-----

1
test/fixtures/keys/ca2-database.txt vendored Normal file
View File

@ -0,0 +1 @@
R 131105075655Z 110210075657Z CC466176F117998E unknown /C=US/ST=CA/L=SF/O=Joyent/OU=Node.js/CN=agent4/emailAddress=ry@tinyclouds.org

30
test/fixtures/keys/ca2-key.pem vendored
View File

@ -1,17 +1,17 @@
-----BEGIN ENCRYPTED PRIVATE KEY----- -----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIg0hLO3eutNQCAggA MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIzqCAnqkKV5sCAggA
MBQGCCqGSIb3DQMHBAiRtZu32UxWpwSCAoCud1+Lak/kkrYxcdTeNh4RBQwpuEjv MBQGCCqGSIb3DQMHBAgvE1MWZKV5tgSCAoAe0ygwlrXz3uIDRw2hKhgG28XFZaG0
fdoshPagoLVkp8hHWVPfIVJWI3AwjyPtQShusGZwTyjiDF7k6ycTZSNH6+nuc8K2 Py/8vORZ6JknZF/ucZE4ZsJW0OLhLRe0VmoVIErgLQ6bl6ZhlGq7oZ0DCyiHo3TV
ZNGwPFWMEaO510tcraDf/H8yNbeThTvYkudQLwTRseZw3NmuBBkPEThYkJrBibsJ 2uUTn3DXQ9d4aSE2cMlA3wSzYihm1up9PUYvWhrhC90/Sc0fB81OA1Hhv2jS36hY
Z8BsZ0y9FWgF+ufx7sGCC0Dq/Dd/JBGV7Kx75Vm65CpKkTV7W3tMXWa38yER8dBE c4rSVfCkSgaziWy77x9XqbEnxpdVRkngbVnVG4UWFfoBTsza+j+C/ysxR/nXDlei
1vCexF95ih5zXbsRMlBoA0p45QD+0LrHssCSe+iuNAowvX/YHdfrcFRuvHkazzql 5KKe87V9AcdzFKI+qJP52CQBac1DQCg8EQ51v40BllfK/8JB/45tAETqAiu80COI
5j4sxs4647F+U1CTsb2+7C0LlijZBuP0x9GUsJck8M9Zh0s9sfwPbSofjZWhFcdR zSFs56p4UIsQiXUaToZxA9SsLOPJJHrOL9/IQe5aMRrG0ro5u0/CbIYN0uSbR6Om
liy7lxfyFdIbLav1cTfilT06BoyLLRUFp5Zu1XPCdxrf0pHoDjgXO/ToEjhStctM iUAXXk/6Oni8C07qO4VLIjG0NKnnIhDgtGGkyn8XDhtNBKsFLhGzAbmOLOZKKko6
RyVigOIQY+2yvgnzE/cw5niQlXDWDAnsSibYpjU8lJ1k97Iqx/qogqNSTIim8ml4 GgxzY7o52I5bOu8oDN9KLrMZKC9Sow9J+xEf65jCIK40HjpoYiKDiDY/xaSOUL9b
h7aDPHEBlGG9wmTkPV5L18/wI7iGom9rroQFrkgrqQ2JoIAKCXrocDKUjFAVB7QA ig0WkxwMzWCA0RIsA/958ZBzv+R2Ag90iPDz9xF5vMNucvGHqOPuKo56JcM0SGev
mreUdYowm6ee/AUdtsYQpn5hasIa/A/fD/Ia9E41rkplZZS43r9YyyQCTdJFF9Hm Xr1KxZAOVJcP9It3Yv8Of+DLilwo56O9md2Su0HKNxM0wyanowPw2PcGCK5rtu87
TROxSlKrpEoap9RZyFEfhr9hrnw6uQyl3EY5wvRzsTe6KLN60DkUOkLjJVBLx4iE YDSOHfmg05Bt0F3LC2dU5ak1YJfu/DpVj69hQ5/g/c5JMMVYAjmZGyc6IPKWXHYr
QlwMeAknMNBqJS1Uqivw94Pi1yYLlKCY0I0/cf97HCwx8j+97XWEUAQehXvYRwdd P+ECSDdICBrDLkVeCClhKkNgAw1n8xepdgCE0rWSkbxoCmoKDXQDl1kOfs5TWIvL
E6/mC/GGH/cT7A6TF8mN0i0UOmAQ9EjEqlOQXR9tmlhafbOoorFXjGelSILsFnV2 JRqrVYz2yoPAa1Q9gTM3iDtBL3RJwF2jXk4IDySR/1YDf+BbnyhiisIRSMp8GeQS
oxN9847cjGQbGh6wytJYP4fpvJr1xt21SzzctK5h3mqmfHmCXi0Duea0 uX1Ke+bu3QWwFVqa0eYScVPZZzNUADHzviMweRX9l+1aCw0R31po7Fwl
-----END ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY-----

1
test/fixtures/keys/ca2-serial vendored Normal file
View File

@ -0,0 +1 @@
01

13
test/fixtures/keys/ca2.cnf vendored
View File

@ -1,3 +1,16 @@
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = ca2-serial
crl = ca2-crl.pem
database = ca2-database.txt
name_opt = CA_default
cert_opt = CA_default
default_crl_days = 999
default_md = md5
[ req ] [ req ]
default_bits = 1024 default_bits = 1024
days = 999 days = 999

32
test/simple/test-tls-server-verify.js
View File

@ -59,6 +59,22 @@ var testCases =
{ name: 'nocert', shouldReject: true } { name: 'nocert', shouldReject: true }
] ]
}, },
{ title: "Allow only certs signed by CA2 but not in the CRL",
requestCert: true,
rejectUnauthorized: true,
CAs: ['ca2-cert'],
crl: 'ca2-crl',
clients:
[ { name: 'agent1', shouldReject: true, shouldAuth: false },
{ name: 'agent2', shouldReject: true, shouldAuth: false },
{ name: 'agent3', shouldReject: false, shouldAuth: true },
// Agent4 has a cert in the CRL.
{ name: 'agent4', shouldReject: true, shouldAuth: false },
{ name: 'nocert', shouldReject: true }
]
},
]; ];
@ -92,6 +108,9 @@ function runClient (options, cb) {
var args = ['s_client', '-connect', '127.0.0.1:' + common.PORT]; var args = ['s_client', '-connect', '127.0.0.1:' + common.PORT];
console.log(" connecting with", options.name);
switch (options.name) { switch (options.name) {
case 'agent1': case 'agent1':
// Signed by CA1 // Signed by CA1
@ -118,6 +137,14 @@ function runClient (options, cb) {
args.push(filenamePEM('agent3-cert')); args.push(filenamePEM('agent3-cert'));
break; break;
case 'agent4':
// Signed by CA2 (rejected by ca2-crl)
args.push('-key');
args.push(filenamePEM('agent4-key'));
args.push('-cert');
args.push(filenamePEM('agent4-cert'));
break;
case 'nocert': case 'nocert':
// Do not send certificate // Do not send certificate
break; break;
@ -182,10 +209,13 @@ function runTest (testIndex) {
var cas = tcase.CAs.map(loadPEM); var cas = tcase.CAs.map(loadPEM);
var crl = tcase.crl ? loadPEM(tcase.crl) : null;
var serverOptions = { var serverOptions = {
key: serverKey, key: serverKey,
cert: serverCert, cert: serverCert,
ca: cas, ca: cas,
crl: crl,
requestCert: tcase.requestCert, requestCert: tcase.requestCert,
rejectUnauthorized: tcase.rejectUnauthorized rejectUnauthorized: tcase.rejectUnauthorized
}; };
@ -204,7 +234,7 @@ function runTest (testIndex) {
} }
}); });
function runNextClient (clientIndex) { function runNextClient(clientIndex) {
var options = tcase.clients[clientIndex]; var options = tcase.clients[clientIndex];
if (options) { if (options) {
runClient(options, function () { runClient(options, function () {