tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to tls.createSecureContext() that are supported by openssl when loading a CAfile. Fixes: https://github.com/nodejs/node/issues/24761 PR-URL: https://github.com/nodejs/node/pull/24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit is contained in:
parent
e5878eaf5e
commit
2e4a163012
@ -1054,6 +1054,9 @@ argument.
|
||||
<!-- YAML
|
||||
added: v0.11.13
|
||||
changes:
|
||||
- version: REPLACEME
|
||||
pr-url: REPLACEME
|
||||
description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
|
||||
- version: v11.4.0
|
||||
pr-url: https://github.com/nodejs/node/pull/24405
|
||||
description: The `minVersion` and `maxVersion` can be used to restrict
|
||||
@ -1092,8 +1095,8 @@ changes:
|
||||
certificate can match or chain to.
|
||||
For self-signed certificates, the certificate is its own CA, and must be
|
||||
provided.
|
||||
For PEM encoded certificates, supported types are "X509 CERTIFICATE", and
|
||||
"CERTIFICATE".
|
||||
For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
|
||||
"X509 CERTIFICATE", and "CERTIFICATE".
|
||||
* `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
|
||||
chain should be provided per private key. Each cert chain should consist of
|
||||
the PEM formatted certificate for a provided private `key`, followed by the
|
||||
|
@ -819,7 +819,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
|
||||
return;
|
||||
|
||||
X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
|
||||
while (X509* x509 = PEM_read_bio_X509(
|
||||
while (X509* x509 = PEM_read_bio_X509_AUX(
|
||||
bio.get(), nullptr, NoPasswordCallback, nullptr)) {
|
||||
if (cert_store == root_cert_store) {
|
||||
cert_store = NewRootCertStore();
|
||||
|
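Review bot: The switch to `PEM_read_bio_X509_AUX` deserves a comment, because it changes more than the accepted PEM header: the `_AUX` reader also parses the trust/reject attributes that follow a `TRUSTED CERTIFICATE` block, and as I read OpenSSL's verifier those attributes are consulted when the chain is checked against the store, so a CA file's `addtrust`/`addreject` settings now shape what the root is trusted for. Suggest above the loop: `// _AUX also accepts "TRUSTED CERTIFICATE" blocks (with their trust attributes), matching how OpenSSL loads a CAfile.` The loop still stops silently at the first PEM block it cannot parse, so a file with a non-certificate block ahead of a CA drops the remaining CAs without an error; that predates this commit but is worth noting in the comment or covering with a test. The remainder of AddCACert, including the store insertion and error-queue handling, is outside the hunk.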
@ -254,7 +254,7 @@ connect({
|
||||
return cleanup();
|
||||
});
|
||||
|
||||
// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
|
||||
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
|
||||
connect({
|
||||
client: {
|
||||
key: client.key,
|
||||
@ -269,11 +269,11 @@ connect({
|
||||
requestCert: true,
|
||||
},
|
||||
}, function(err, pair, cleanup) {
|
||||
assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
|
||||
assert.ifError(err);
|
||||
return cleanup();
|
||||
});
|
||||
|
||||
// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
|
||||
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
|
||||
connect({
|
||||
client: {
|
||||
key: client.key,
|
||||
@ -288,7 +288,7 @@ connect({
|
||||
requestCert: true,
|
||||
},
|
||||
}, function(err, pair, cleanup) {
|
||||
assert.strictEqual(err.code, 'ECONNRESET');
|
||||
assert.ifError(err);
|
||||
return cleanup();
|
||||
});
|
||||
|
||||
|
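Review bot: `assert.ifError(err)` in both rewritten callbacks only shows that the handshake no longer fails, not that the trusted certificate is what authorized the peer; the test would pass equally if verification were skipped. Consider adding a positive check such as `assert.strictEqual(pair.client.conn.authorized, true);` (assuming the `pair` object from this test's connect helper exposes the client socket under `client.conn`; verify against the helper). A companion case where the `TRUSTED CERTIFICATE` carries a reject attribute for the purpose, expected to still fail, would pin the `_AUX` semantics rather than just the header name. The `connect({...})` option objects begin outside the hunks.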