1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls: support "BEGIN TRUSTED CERTIFICATE" for ca:

Browse Source 
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: https://github.com/nodejs/node/issues/24761

PR-URL: https://github.com/nodejs/node/pull/24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit is contained in:
Sam Roberts 2018-11-30 11:20:55 -08:00
parent e5878eaf5e
commit 2e4a163012
3 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/api/tls.md
View File

@ -1054,6 +1054,9 @@ argument.
<!-- YAML <!-- YAML
added: v0.11.13 added: v0.11.13
changes: changes:
- version: REPLACEME
pr-url: REPLACEME
description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
- version: v11.4.0 - version: v11.4.0
pr-url: https://github.com/nodejs/node/pull/24405 pr-url: https://github.com/nodejs/node/pull/24405
description: The `minVersion` and `maxVersion` can be used to restrict description: The `minVersion` and `maxVersion` can be used to restrict
@ -1092,8 +1095,8 @@ changes:
certificate can match or chain to. certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be For self-signed certificates, the certificate is its own CA, and must be
provided. provided.
For PEM encoded certificates, supported types are "X509 CERTIFICATE", and For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
"CERTIFICATE". "X509 CERTIFICATE", and "CERTIFICATE".
* `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert * `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
chain should be provided per private key. Each cert chain should consist of chain should be provided per private key. Each cert chain should consist of
the PEM formatted certificate for a provided private `key`, followed by the the PEM formatted certificate for a provided private `key`, followed by the

2
src/node_crypto.cc
View File

@ -819,7 +819,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
return; return;
X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get()); X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
while (X509* x509 = PEM_read_bio_X509( while (X509* x509 = PEM_read_bio_X509_AUX(
bio.get(), nullptr, NoPasswordCallback, nullptr)) { bio.get(), nullptr, NoPasswordCallback, nullptr)) {
if (cert_store == root_cert_store) { if (cert_store == root_cert_store) {
cert_store = NewRootCertStore(); cert_store = NewRootCertStore();

8
test/parallel/test-tls-client-auth.js
View File

@ -254,7 +254,7 @@ connect({
return cleanup(); return cleanup();
}); });
// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE". // Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({ connect({
client: { client: {
key: client.key, key: client.key,
@ -269,11 +269,11 @@ connect({
requestCert: true, requestCert: true,
}, },
}, function(err, pair, cleanup) { }, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'); assert.ifError(err);
return cleanup(); return cleanup();
}); });
// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE". // Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({ connect({
client: { client: {
key: client.key, key: client.key,
@ -288,7 +288,7 @@ connect({
requestCert: true, requestCert: true,
}, },
}, function(err, pair, cleanup) { }, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'ECONNRESET'); assert.ifError(err);
return cleanup(); return cleanup();
}); });