1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls: load NODE_EXTRA_CA_CERTS at startup

Browse Source 
This commit makes node load extra certificates at startup instead
of first use.

PR-URL: https://github.com/nodejs/node/pull/23354
Fixes: https://github.com/nodejs/node/issues/20434
Refs: https://github.com/nodejs/node/issues/20432
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit is contained in:
Ouyang Yadong 2018-10-09 08:51:15 -04:00 committed by Refael Ackermann
parent 3e3ce22583
commit 87719d792b
3 changed files with 99 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
src/node_crypto.cc
View File

@ -116,10 +116,10 @@ static const char* const root_certs[] = {
static const char system_cert_path[] = NODE_OPENSSL_SYSTEM_CERT_PATH; static const char system_cert_path[] = NODE_OPENSSL_SYSTEM_CERT_PATH;
static std::string extra_root_certs_file; // NOLINT(runtime/string)
static X509_STORE* root_cert_store; static X509_STORE* root_cert_store;
static bool extra_root_certs_loaded = false;
// Just to generate static methods // Just to generate static methods
template void SSLWrap<TLSWrap>::AddMethods(Environment* env, template void SSLWrap<TLSWrap>::AddMethods(Environment* env,
Local<FunctionTemplate> t); Local<FunctionTemplate> t);
@ -832,11 +832,6 @@ void SecureContext::AddCRL(const FunctionCallbackInfo<Value>& args) {
} }
void UseExtraCaCerts(const std::string& file) {
extra_root_certs_file = file;
}
static unsigned long AddCertsFromFile( // NOLINT(runtime/int) static unsigned long AddCertsFromFile( // NOLINT(runtime/int)
X509_STORE* store, X509_STORE* store,
const char* file) { const char* file) {
@ -863,29 +858,43 @@ static unsigned long AddCertsFromFile( // NOLINT(runtime/int)
return err; return err;
} }
void UseExtraCaCerts(const std::string& file) {
ClearErrorOnReturn clear_error_on_return;
if (root_cert_store == nullptr) {
root_cert_store = NewRootCertStore();
if (!file.empty()) {
unsigned long err = AddCertsFromFile( // NOLINT(runtime/int)
root_cert_store,
file.c_str());
if (err) {
fprintf(stderr,
"Warning: Ignoring extra certs from `%s`, load failed: %s\n",
file.c_str(),
ERR_error_string(err, nullptr));
} else {
extra_root_certs_loaded = true;
}
}
}
}
static void IsExtraRootCertsFileLoaded(
const FunctionCallbackInfo<Value>& args) {
return args.GetReturnValue().Set(extra_root_certs_loaded);
}
void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) { void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc; SecureContext* sc;
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
ClearErrorOnReturn clear_error_on_return; ClearErrorOnReturn clear_error_on_return;
if (!root_cert_store) { if (root_cert_store == nullptr) {
root_cert_store = NewRootCertStore(); root_cert_store = NewRootCertStore();
if (!extra_root_certs_file.empty()) {
unsigned long err = AddCertsFromFile( // NOLINT(runtime/int)
root_cert_store,
extra_root_certs_file.c_str());
if (err) {
// We do not call back into JS after this line anyway, so ignoring
// the return value of ProcessEmitWarning does not affect how a
// possible exception would be propagated.
ProcessEmitWarning(sc->env(),
"Ignoring extra certs from `%s`, "
"load failed: %s\n",
extra_root_certs_file.c_str(),
ERR_error_string(err, nullptr));
}
}
} }
// Increment reference count so global store is not deleted along with CTX. // Increment reference count so global store is not deleted along with CTX.
@ -5624,6 +5633,7 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
} }
#endif /* NODE_FIPS_MODE */ #endif /* NODE_FIPS_MODE */
void Initialize(Local<Object> target, void Initialize(Local<Object> target,
Local<Value> unused, Local<Value> unused,
Local<Context> context, Local<Context> context,
@ -5644,6 +5654,9 @@ void Initialize(Local<Object> target,
env->SetMethodNoSideEffect(target, "certVerifySpkac", VerifySpkac); env->SetMethodNoSideEffect(target, "certVerifySpkac", VerifySpkac);
env->SetMethodNoSideEffect(target, "certExportPublicKey", ExportPublicKey); env->SetMethodNoSideEffect(target, "certExportPublicKey", ExportPublicKey);
env->SetMethodNoSideEffect(target, "certExportChallenge", ExportChallenge); env->SetMethodNoSideEffect(target, "certExportChallenge", ExportChallenge);
// Exposed for testing purposes only.
env->SetMethodNoSideEffect(target, "isExtraRootCertsFileLoaded",
IsExtraRootCertsFileLoaded);
env->SetMethodNoSideEffect(target, "ECDHConvertKey", ConvertKey); env->SetMethodNoSideEffect(target, "ECDHConvertKey", ConvertKey);
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE

40
test/parallel/test-tls-env-extra-ca-file-load.js Normal file
View File

@ -0,0 +1,40 @@
'use strict';
// Flags: --expose-internals
const common = require('../common');
if (!common.hasCrypto)
common.skip('missing crypto');
const assert = require('assert');
const tls = require('tls');
const fixtures = require('../common/fixtures');
const { internalBinding } = require('internal/test/binding');
const binding = internalBinding('crypto');
const { fork } = require('child_process');
// This test ensures that extra certificates are loaded at startup.
if (process.argv[2] !== 'child') {
if (process.env.CHILD_USE_EXTRA_CA_CERTS === 'yes') {
assert.strictEqual(binding.isExtraRootCertsFileLoaded(), true);
} else if (process.env.CHILD_USE_EXTRA_CA_CERTS === 'no') {
assert.strictEqual(binding.isExtraRootCertsFileLoaded(), false);
tls.createServer({});
assert.strictEqual(binding.isExtraRootCertsFileLoaded(), false);
}
} else {
const NODE_EXTRA_CA_CERTS = fixtures.path('keys', 'ca1-cert.pem');
const extendsEnv = (obj) => Object.assign({}, process.env, obj);
[
extendsEnv({ CHILD_USE_EXTRA_CA_CERTS: 'yes', NODE_EXTRA_CA_CERTS }),
extendsEnv({ CHILD_USE_EXTRA_CA_CERTS: 'no' }),
].forEach((processEnv) => {
fork(__filename, ['child'], { env: processEnv })
.on('exit', common.mustCall((status) => {
// client did not succeed in connecting
assert.strictEqual(status, 0);
}));
});
}

22
test/parallel/test-tls-env-extra-ca-no-crypto.js Normal file
View File

@ -0,0 +1,22 @@
'use strict';
const common = require('../common');
const fixtures = require('../common/fixtures');
const assert = require('assert');
const { fork } = require('child_process');
// This test ensures that trying to load extra certs won't throw even when
// there is no crypto support, i.e., built with "./configure --without-ssl".
if (process.argv[2] === 'child') {
// exit
} else {
const NODE_EXTRA_CA_CERTS = fixtures.path('keys', 'ca1-cert.pem');
fork(
__filename,
['child'],
{ env: Object.assign({}, process.env, { NODE_EXTRA_CA_CERTS }) },
).on('exit', common.mustCall(function(status) {
// client did not succeed in connecting
assert.strictEqual(status, 0);
}));
}