tls: support OCSP on client and server
This commit is contained in:
parent
77d1f4a91f
commit
b3ef289ffb
@ -408,6 +408,10 @@ Construct a new TLSSocket object from existing TCP socket.
|
||||
|
||||
- `session`: Optional, a `Buffer` instance, containing TLS session
|
||||
|
||||
- `requestOCSP`: Optional, if `true` - OCSP status request extension would
|
||||
be added to client hello, and `OCSPResponse` event will be emitted on socket
|
||||
before establishing secure communication
|
||||
|
||||
## tls.createSecurePair([context], [isServer], [requestCert], [rejectUnauthorized])
|
||||
|
||||
Stability: 0 - Deprecated. Use tls.TLSSocket instead.
|
||||
@ -508,6 +512,44 @@ NOTE: adding this event listener will have an effect only on connections
|
||||
established after addition of event listener.
|
||||
|
||||
|
||||
### Event: 'OCSPRequest'
|
||||
|
||||
`function (certificate, issuer, callback) { }`
|
||||
|
||||
Emitted when the client sends a certificate status request. You could parse
|
||||
server's current certificate to obtain OCSP url and certificate id, and after
|
||||
obtaining OCSP response invoke `callback(null, resp)`, where `resp` is a
|
||||
`Buffer` instance. Both `certificate` and `issuer` are a `Buffer`
|
||||
DER-representations of the primary and issuer's certificates. They could be used
|
||||
to obtain OCSP certificate id and OCSP endpoint url.
|
||||
|
||||
Alternatively, `callback(null, null)` could be called, meaning that there is no
|
||||
OCSP response.
|
||||
|
||||
Calling `callback(err)` will result in a `socket.destroy(err)` call.
|
||||
|
||||
Typical flow:
|
||||
|
||||
1. Client connects to server and sends `OCSPRequest` to it (via status info
|
||||
extension in ClientHello.)
|
||||
2. Server receives request and invokes `OCSPRequest` event listener if present
|
||||
3. Server grabs OCSP url from either `certificate` or `issuer` and performs an
|
||||
[OCSP request] to the CA
|
||||
4. Server receives `OCSPResponse` from CA and sends it back to client via
|
||||
`callback` argument
|
||||
5. Client validates the response and either destroys socket or performs a
|
||||
handshake.
|
||||
|
||||
NOTE: `issuer` could be null, if certficiate is self-signed or if issuer is not
|
||||
in the root certificates list. (You could provide an issuer via `ca` option.)
|
||||
|
||||
NOTE: adding this event listener will have an effect only on connections
|
||||
established after addition of event listener.
|
||||
|
||||
NOTE: you may want to use some npm module like [asn1.js] to parse the
|
||||
certificates.
|
||||
|
||||
|
||||
### server.listen(port, [host], [callback])
|
||||
|
||||
Begin accepting connections on the specified `port` and `host`. If the
|
||||
@ -577,6 +619,16 @@ If `tlsSocket.authorized === false` then the error can be found in
|
||||
`tlsSocket.authorizationError`. Also if NPN was used - you can check
|
||||
`tlsSocket.npnProtocol` for negotiated protocol.
|
||||
|
||||
### Event: 'OCSPResponse'
|
||||
|
||||
`function (response) { }`
|
||||
|
||||
This event will be emitted if `requestOCSP` option was set. `response` is a
|
||||
buffer object, containing server's OCSP response.
|
||||
|
||||
Traditionally, the `response` is a signed object from the server's CA that
|
||||
contains information about server's certificate revocation status.
|
||||
|
||||
### tlsSocket.encrypted
|
||||
|
||||
Static boolean value, always `true`. May be used to distinguish TLS sockets
|
||||
@ -711,3 +763,5 @@ The numeric representation of the local port.
|
||||
[Forward secrecy]: http://en.wikipedia.org/wiki/Perfect_forward_secrecy
|
||||
[DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
|
||||
[ECDHE]: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman
|
||||
[asn1.js]: http://npmjs.org/package/asn1.js
|
||||
[OCSP request]: http://en.wikipedia.org/wiki/OCSP_stapling
|
||||
|
@ -68,18 +68,8 @@ exports.createSecureContext = function createSecureContext(options, context) {
|
||||
}
|
||||
}
|
||||
|
||||
if (options.cert) c.context.setCert(options.cert);
|
||||
|
||||
if (options.ciphers)
|
||||
c.context.setCiphers(options.ciphers);
|
||||
else
|
||||
c.context.setCiphers(tls.DEFAULT_CIPHERS);
|
||||
|
||||
if (util.isUndefined(options.ecdhCurve))
|
||||
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
|
||||
else if (options.ecdhCurve)
|
||||
c.context.setECDHCurve(options.ecdhCurve);
|
||||
|
||||
// NOTE: It's important to add CA before the cert to be able to load
|
||||
// cert's issuer in C++ code.
|
||||
if (options.ca) {
|
||||
if (util.isArray(options.ca)) {
|
||||
for (var i = 0, len = options.ca.length; i < len; i++) {
|
||||
@ -92,6 +82,18 @@ exports.createSecureContext = function createSecureContext(options, context) {
|
||||
c.context.addRootCerts();
|
||||
}
|
||||
|
||||
if (options.cert) c.context.setCert(options.cert);
|
||||
|
||||
if (options.ciphers)
|
||||
c.context.setCiphers(options.ciphers);
|
||||
else
|
||||
c.context.setCiphers(tls.DEFAULT_CIPHERS);
|
||||
|
||||
if (util.isUndefined(options.ecdhCurve))
|
||||
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
|
||||
else if (options.ecdhCurve)
|
||||
c.context.setECDHCurve(options.ecdhCurve);
|
||||
|
||||
if (options.crl) {
|
||||
if (util.isArray(options.crl)) {
|
||||
for (var i = 0, len = options.crl.length; i < len; i++) {
|
||||
@ -126,3 +128,27 @@ exports.createSecureContext = function createSecureContext(options, context) {
|
||||
|
||||
return c;
|
||||
};
|
||||
|
||||
exports.translatePeerCertificate = function translatePeerCertificate(c) {
|
||||
if (!c)
|
||||
return null;
|
||||
|
||||
if (c.issuer) c.issuer = tls.parseCertString(c.issuer);
|
||||
if (c.subject) c.subject = tls.parseCertString(c.subject);
|
||||
if (c.infoAccess) {
|
||||
var info = c.infoAccess;
|
||||
c.infoAccess = {};
|
||||
|
||||
// XXX: More key validation?
|
||||
info.replace(/([^\n:]*):([^\n]*)(?:\n|$)/g, function(all, key, val) {
|
||||
if (key === '__proto__')
|
||||
return;
|
||||
|
||||
if (c.infoAccess.hasOwnProperty(key))
|
||||
c.infoAccess[key].push(val);
|
||||
else
|
||||
c.infoAccess[key] = [val];
|
||||
});
|
||||
}
|
||||
return c;
|
||||
};
|
||||
|
@ -25,6 +25,7 @@ var events = require('events');
|
||||
var stream = require('stream');
|
||||
var tls = require('tls');
|
||||
var util = require('util');
|
||||
var common = require('_tls_common');
|
||||
|
||||
var Timer = process.binding('timer_wrap').Timer;
|
||||
var Connection = null;
|
||||
@ -378,15 +379,8 @@ CryptoStream.prototype.__defineGetter__('bytesWritten', function() {
|
||||
});
|
||||
|
||||
CryptoStream.prototype.getPeerCertificate = function() {
|
||||
if (this.pair.ssl) {
|
||||
var c = this.pair.ssl.getPeerCertificate();
|
||||
|
||||
if (c) {
|
||||
if (c.issuer) c.issuer = tls.parseCertString(c.issuer);
|
||||
if (c.subject) c.subject = tls.parseCertString(c.subject);
|
||||
return c;
|
||||
}
|
||||
}
|
||||
if (this.pair.ssl)
|
||||
return common.translatePeerCertificate(this.pair.ssl.getPeerCertificate());
|
||||
|
||||
return null;
|
||||
};
|
||||
@ -677,6 +671,11 @@ function onnewsessiondone() {
|
||||
}
|
||||
|
||||
|
||||
function onocspresponse(resp) {
|
||||
this.emit('OCSPResponse', resp);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Provides a pair of streams to do encrypted communication.
|
||||
*/
|
||||
@ -733,6 +732,8 @@ function SecurePair(context, isServer, requestCert, rejectUnauthorized,
|
||||
this.ssl.onnewsession = onnewsession.bind(this);
|
||||
this.ssl.lastHandshakeTime = 0;
|
||||
this.ssl.handshakes = 0;
|
||||
} else {
|
||||
this.ssl.onocspresponse = onocspresponse.bind(this);
|
||||
}
|
||||
|
||||
if (process.features.tls_sni) {
|
||||
@ -764,6 +765,9 @@ function SecurePair(context, isServer, requestCert, rejectUnauthorized,
|
||||
if (self.ssl) {
|
||||
self.ssl.start();
|
||||
|
||||
if (options.requestOCSP)
|
||||
self.ssl.requestOCSP();
|
||||
|
||||
/* In case of cipher suite failures - SSL_accept/SSL_connect may fail */
|
||||
if (self.ssl && self.ssl.error)
|
||||
self.error();
|
||||
|
164
lib/_tls_wrap.js
164
lib/_tls_wrap.js
@ -28,6 +28,7 @@ var crypto = require('crypto');
|
||||
var net = require('net');
|
||||
var tls = require('tls');
|
||||
var util = require('util');
|
||||
var common = require('_tls_common');
|
||||
|
||||
var Timer = process.binding('timer_wrap').Timer;
|
||||
var tls_wrap = process.binding('tls_wrap');
|
||||
@ -73,24 +74,96 @@ function onhandshakedone() {
|
||||
}
|
||||
|
||||
|
||||
function onclienthello(hello) {
|
||||
var self = this,
|
||||
onceSession = false,
|
||||
onceSNI = false;
|
||||
|
||||
function callback(err, session) {
|
||||
if (onceSession)
|
||||
return self.destroy(new Error('TLS session callback was called 2 times'));
|
||||
onceSession = true;
|
||||
function loadSession(self, hello, cb) {
|
||||
var once = false;
|
||||
function onSession(err, session) {
|
||||
if (once)
|
||||
return cb(new Error('TLS session callback was called 2 times'));
|
||||
once = true;
|
||||
|
||||
if (err)
|
||||
return self.destroy(err);
|
||||
return cb(err);
|
||||
|
||||
// NOTE: That we have disabled OpenSSL's internal session storage in
|
||||
// `node_crypto.cc` and hence its safe to rely on getting servername only
|
||||
// from clienthello or this place.
|
||||
var ret = self.ssl.loadSession(session);
|
||||
|
||||
cb(null, ret);
|
||||
}
|
||||
|
||||
if (hello.sessionId.length <= 0 ||
|
||||
hello.tlsTicket ||
|
||||
self.server &&
|
||||
!self.server.emit('resumeSession', hello.sessionId, onSession)) {
|
||||
cb(null);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function loadSNI(self, servername, cb) {
|
||||
if (!servername || !self._SNICallback)
|
||||
return cb(null);
|
||||
|
||||
var once = false;
|
||||
self._SNICallback(servername, function(err, context) {
|
||||
if (once)
|
||||
return cb(new Error('TLS SNI callback was called 2 times'));
|
||||
once = true;
|
||||
|
||||
if (err)
|
||||
return cb(err);
|
||||
|
||||
// TODO(indutny): eventually disallow raw `SecureContext`
|
||||
if (context)
|
||||
self.ssl.sni_context = context.context || context;
|
||||
|
||||
cb(null, self.ssl.sni_context);
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
function requestOCSP(self, hello, ctx, cb) {
|
||||
if (!hello.OCSPRequest || !self.server)
|
||||
return cb(null);
|
||||
|
||||
if (!ctx)
|
||||
ctx = self.server._sharedCreds;
|
||||
if (ctx.context)
|
||||
ctx = ctx.context;
|
||||
|
||||
if (self.server.listeners('OCSPRequest').length === 0) {
|
||||
return cb(null);
|
||||
} else {
|
||||
self.server.emit('OCSPRequest',
|
||||
ctx.getCertificate(),
|
||||
ctx.getIssuer(),
|
||||
onOCSP);
|
||||
}
|
||||
|
||||
var once = false;
|
||||
function onOCSP(err, response) {
|
||||
if (once)
|
||||
return cb(new Error('TLS OCSP callback was called 2 times'));
|
||||
once = true;
|
||||
|
||||
if (err)
|
||||
return cb(err);
|
||||
|
||||
if (response)
|
||||
self.ssl.setOCSPResponse(response);
|
||||
cb(null);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function onclienthello(hello) {
|
||||
var self = this;
|
||||
|
||||
loadSession(self, hello, function(err, session) {
|
||||
if (err)
|
||||
return self.destroy(err);
|
||||
|
||||
// Servername came from SSL session
|
||||
// NOTE: TLS Session ticket doesn't include servername information
|
||||
//
|
||||
@ -104,42 +177,18 @@ function onclienthello(hello) {
|
||||
// session.
|
||||
//
|
||||
// Therefore we should account session loading when dealing with servername
|
||||
if (!self._SNICallback) {
|
||||
self.ssl.endParser();
|
||||
} else if (ret && ret.servername) {
|
||||
self._SNICallback(ret.servername, onSNIResult);
|
||||
} else if (hello.servername && self._SNICallback) {
|
||||
self._SNICallback(hello.servername, onSNIResult);
|
||||
} else {
|
||||
self.ssl.endParser();
|
||||
}
|
||||
}
|
||||
var servername = session && session.servername || hello.servername;
|
||||
loadSNI(self, servername, function(err, ctx) {
|
||||
if (err)
|
||||
return self.destroy(err);
|
||||
requestOCSP(self, hello, ctx, function(err) {
|
||||
if (err)
|
||||
return self.destroy(err);
|
||||
|
||||
function onSNIResult(err, context) {
|
||||
if (onceSNI)
|
||||
return self.destroy(new Error('TLS SNI callback was called 2 times'));
|
||||
onceSNI = true;
|
||||
|
||||
if (err)
|
||||
return self.destroy(err);
|
||||
|
||||
// TODO(indutny): eventually disallow raw `SecureContext`
|
||||
if (context)
|
||||
self.ssl.sni_context = context.context || context;
|
||||
|
||||
self.ssl.endParser();
|
||||
}
|
||||
|
||||
if (hello.sessionId.length <= 0 ||
|
||||
hello.tlsTicket ||
|
||||
this.server &&
|
||||
!this.server.emit('resumeSession', hello.sessionId, callback)) {
|
||||
// Invoke SNI callback, since we've no session to resume
|
||||
if (hello.servername && this._SNICallback)
|
||||
this._SNICallback(hello.servername, onSNIResult);
|
||||
else
|
||||
this.ssl.endParser();
|
||||
}
|
||||
self.ssl.endParser();
|
||||
});
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@ -166,6 +215,11 @@ function onnewsession(key, session) {
|
||||
}
|
||||
|
||||
|
||||
function onocspresponse(resp) {
|
||||
this.emit('OCSPResponse', resp);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Provides a wrap of socket stream to do encrypted communication.
|
||||
*/
|
||||
@ -259,12 +313,14 @@ TLSSocket.prototype._init = function(socket) {
|
||||
|
||||
if (this.server &&
|
||||
(this.server.listeners('resumeSession').length > 0 ||
|
||||
this.server.listeners('newSession').length > 0)) {
|
||||
this.server.listeners('newSession').length > 0 ||
|
||||
this.server.listeners('OCSPRequest').length > 0)) {
|
||||
this.ssl.enableSessionCallbacks();
|
||||
}
|
||||
} else {
|
||||
this.ssl.onhandshakestart = function() {};
|
||||
this.ssl.onhandshakedone = this._finishInit.bind(this);
|
||||
this.ssl.onocspresponse = onocspresponse.bind(this);
|
||||
|
||||
if (options.session)
|
||||
this.ssl.setSession(options.session);
|
||||
@ -402,6 +458,8 @@ TLSSocket.prototype._finishInit = function() {
|
||||
};
|
||||
|
||||
TLSSocket.prototype._start = function() {
|
||||
if (this._tlsOptions.requestOCSP)
|
||||
this.ssl.requestOCSP();
|
||||
this.ssl.start();
|
||||
};
|
||||
|
||||
@ -416,15 +474,8 @@ TLSSocket.prototype.setSession = function(session) {
|
||||
};
|
||||
|
||||
TLSSocket.prototype.getPeerCertificate = function() {
|
||||
if (this.ssl) {
|
||||
var c = this.ssl.getPeerCertificate();
|
||||
|
||||
if (c) {
|
||||
if (c.issuer) c.issuer = tls.parseCertString(c.issuer);
|
||||
if (c.subject) c.subject = tls.parseCertString(c.subject);
|
||||
return c;
|
||||
}
|
||||
}
|
||||
if (this.ssl)
|
||||
return common.translatePeerCertificate(this.ssl.getPeerCertificate());
|
||||
|
||||
return null;
|
||||
};
|
||||
@ -794,7 +845,8 @@ exports.connect = function(/* [port, host], options, cb */) {
|
||||
requestCert: true,
|
||||
rejectUnauthorized: options.rejectUnauthorized,
|
||||
session: options.session,
|
||||
NPNProtocols: NPN.NPNProtocols
|
||||
NPNProtocols: NPN.NPNProtocols,
|
||||
requestOCSP: options.requestOCSP
|
||||
});
|
||||
result = socket;
|
||||
}
|
||||
|
@ -111,6 +111,7 @@ namespace node {
|
||||
V(hostmaster_string, "hostmaster") \
|
||||
V(ignore_string, "ignore") \
|
||||
V(immediate_callback_string, "_immediateCallback") \
|
||||
V(infoaccess_string, "infoAccess") \
|
||||
V(inherit_string, "inherit") \
|
||||
V(ino_string, "ino") \
|
||||
V(input_string, "input") \
|
||||
@ -136,6 +137,7 @@ namespace node {
|
||||
V(nice_string, "nice") \
|
||||
V(nlink_string, "nlink") \
|
||||
V(nsname_string, "nsname") \
|
||||
V(ocsp_request_string, "OCSPRequest") \
|
||||
V(offset_string, "offset") \
|
||||
V(onchange_string, "onchange") \
|
||||
V(onclienthello_string, "onclienthello") \
|
||||
@ -149,6 +151,7 @@ namespace node {
|
||||
V(onmessage_string, "onmessage") \
|
||||
V(onnewsession_string, "onnewsession") \
|
||||
V(onnewsessiondone_string, "onnewsessiondone") \
|
||||
V(onocspresponse_string, "onocspresponse") \
|
||||
V(onread_string, "onread") \
|
||||
V(onselect_string, "onselect") \
|
||||
V(onsignal_string, "onsignal") \
|
||||
@ -207,6 +210,7 @@ namespace node {
|
||||
V(timestamp_string, "timestamp") \
|
||||
V(title_string, "title") \
|
||||
V(tls_npn_string, "tls_npn") \
|
||||
V(tls_ocsp_string, "tls_ocsp") \
|
||||
V(tls_sni_string, "tls_sni") \
|
||||
V(tls_string, "tls") \
|
||||
V(tls_ticket_string, "tlsTicket") \
|
||||
|
@ -2447,6 +2447,13 @@ static Handle<Object> GetFeatures(Environment* env) {
|
||||
#endif
|
||||
obj->Set(env->tls_sni_string(), tls_sni);
|
||||
|
||||
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_CTX_set_tlsext_status_cb)
|
||||
Local<Boolean> tls_ocsp = True(env->isolate());
|
||||
#else
|
||||
Local<Boolean> tls_ocsp = False(env->isolate());
|
||||
#endif // !defined(OPENSSL_NO_TLSEXT) && defined(SSL_CTX_set_tlsext_status_cb)
|
||||
obj->Set(env->tls_ocsp_string(), tls_ocsp);
|
||||
|
||||
obj->Set(env->tls_string(),
|
||||
Boolean::New(env->isolate(), get_builtin_module("crypto") != NULL));
|
||||
|
||||
|
@ -143,6 +143,7 @@ template int SSLWrap<TLSCallbacks>::SelectNextProtoCallback(
|
||||
unsigned int inlen,
|
||||
void* arg);
|
||||
#endif
|
||||
template int SSLWrap<TLSCallbacks>::TLSExtStatusCallback(SSL* s, void* arg);
|
||||
|
||||
|
||||
static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
|
||||
@ -283,6 +284,12 @@ void SecureContext::Initialize(Environment* env, Handle<Object> target) {
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "loadPKCS12", SecureContext::LoadPKCS12);
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "getTicketKeys", SecureContext::GetTicketKeys);
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "setTicketKeys", SecureContext::SetTicketKeys);
|
||||
NODE_SET_PROTOTYPE_METHOD(t,
|
||||
"getCertificate",
|
||||
SecureContext::GetCertificate<true>);
|
||||
NODE_SET_PROTOTYPE_METHOD(t,
|
||||
"getIssuer",
|
||||
SecureContext::GetCertificate<false>);
|
||||
|
||||
target->Set(FIXED_ONE_BYTE_STRING(env->isolate(), "SecureContext"),
|
||||
t->GetFunction());
|
||||
@ -469,7 +476,10 @@ void SecureContext::SetKey(const FunctionCallbackInfo<Value>& args) {
|
||||
// sent to the peer in the Certificate message.
|
||||
//
|
||||
// Taken from OpenSSL - editted for style.
|
||||
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, BIO *in) {
|
||||
int SSL_CTX_use_certificate_chain(SSL_CTX *ctx,
|
||||
BIO *in,
|
||||
X509** cert,
|
||||
X509** issuer) {
|
||||
int ret = 0;
|
||||
X509 *x = NULL;
|
||||
|
||||
@ -511,6 +521,11 @@ int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, BIO *in) {
|
||||
// added to the chain (while we must free the main
|
||||
// certificate, since its reference count is increased
|
||||
// by SSL_CTX_use_certificate).
|
||||
|
||||
// Find issuer
|
||||
if (*issuer != NULL || X509_check_issued(ca, x) != X509_V_OK)
|
||||
continue;
|
||||
*issuer = ca;
|
||||
}
|
||||
|
||||
// When the while loop ends, it's usually just EOF.
|
||||
@ -524,9 +539,31 @@ int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, BIO *in) {
|
||||
}
|
||||
}
|
||||
|
||||
// Try getting issuer from a cert store
|
||||
if (ret) {
|
||||
if (*issuer == NULL) {
|
||||
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
|
||||
X509_STORE_CTX store_ctx;
|
||||
|
||||
ret = X509_STORE_CTX_init(&store_ctx, store, NULL, NULL);
|
||||
if (!ret)
|
||||
goto end;
|
||||
|
||||
ret = X509_STORE_CTX_get1_issuer(issuer, &store_ctx, x);
|
||||
X509_STORE_CTX_cleanup(&store_ctx);
|
||||
|
||||
ret = ret < 0 ? 0 : 1;
|
||||
// NOTE: get_cert_store doesn't increment reference count,
|
||||
// no need to free `store`
|
||||
} else {
|
||||
// Increment issuer reference count
|
||||
CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
|
||||
}
|
||||
}
|
||||
|
||||
end:
|
||||
if (x != NULL)
|
||||
X509_free(x);
|
||||
*cert = x;
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -545,7 +582,10 @@ void SecureContext::SetCert(const FunctionCallbackInfo<Value>& args) {
|
||||
if (!bio)
|
||||
return;
|
||||
|
||||
int rv = SSL_CTX_use_certificate_chain(sc->ctx_, bio);
|
||||
int rv = SSL_CTX_use_certificate_chain(sc->ctx_,
|
||||
bio,
|
||||
&sc->cert_,
|
||||
&sc->issuer_);
|
||||
|
||||
BIO_free_all(bio);
|
||||
|
||||
@ -881,6 +921,30 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
|
||||
}
|
||||
|
||||
|
||||
template <bool primary>
|
||||
void SecureContext::GetCertificate(const FunctionCallbackInfo<Value>& args) {
|
||||
HandleScope scope(args.GetIsolate());
|
||||
SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
|
||||
Environment* env = wrap->env();
|
||||
X509* cert;
|
||||
|
||||
if (primary)
|
||||
cert = wrap->cert_;
|
||||
else
|
||||
cert = wrap->issuer_;
|
||||
if (cert == NULL)
|
||||
return args.GetReturnValue().Set(Null(env->isolate()));
|
||||
|
||||
int size = i2d_X509(cert, NULL);
|
||||
Local<Object> buff = Buffer::New(env, size);
|
||||
unsigned char* serialized = reinterpret_cast<unsigned char*>(
|
||||
Buffer::Data(buff));
|
||||
i2d_X509(cert, &serialized);
|
||||
|
||||
args.GetReturnValue().Set(buff);
|
||||
}
|
||||
|
||||
|
||||
template <class Base>
|
||||
void SSLWrap<Base>::AddMethods(Environment* env, Handle<FunctionTemplate> t) {
|
||||
HandleScope scope(env->isolate());
|
||||
@ -898,6 +962,8 @@ void SSLWrap<Base>::AddMethods(Environment* env, Handle<FunctionTemplate> t) {
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "shutdown", Shutdown);
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "getTLSTicket", GetTLSTicket);
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "newSessionDone", NewSessionDone);
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "setOCSPResponse", SetOCSPResponse);
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "requestOCSP", RequestOCSP);
|
||||
|
||||
#ifdef SSL_set_max_send_fragment
|
||||
NODE_SET_PROTOTYPE_METHOD(t, "setMaxSendFragment", SetMaxSendFragment);
|
||||
@ -926,6 +992,12 @@ void SSLWrap<Base>::InitNPN(SecureContext* sc, Base* base) {
|
||||
SSL_CTX_set_next_proto_select_cb(sc->ctx_, SelectNextProtoCallback, base);
|
||||
#endif // OPENSSL_NPN_NEGOTIATED
|
||||
}
|
||||
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
// OCSP stapling
|
||||
SSL_CTX_set_tlsext_status_cb(sc->ctx_, TLSExtStatusCallback);
|
||||
SSL_CTX_set_tlsext_status_arg(sc->ctx_, base);
|
||||
#endif // NODE__HAVE_TLSEXT_STATUS_CB
|
||||
}
|
||||
|
||||
|
||||
@ -1001,6 +1073,8 @@ void SSLWrap<Base>::OnClientHello(void* arg,
|
||||
}
|
||||
hello_obj->Set(env->tls_ticket_string(),
|
||||
Boolean::New(env->isolate(), hello.has_ticket()));
|
||||
hello_obj->Set(env->ocsp_request_string(),
|
||||
Boolean::New(env->isolate(), hello.ocsp_request()));
|
||||
|
||||
Local<Value> argv[] = { hello_obj };
|
||||
w->MakeCallback(env->onclienthello_string(), ARRAY_SIZE(argv), argv);
|
||||
@ -1042,8 +1116,15 @@ void SSLWrap<Base>::GetPeerCertificate(
|
||||
}
|
||||
(void) BIO_reset(bio);
|
||||
|
||||
int index = X509_get_ext_by_NID(peer_cert, NID_subject_alt_name, -1);
|
||||
if (index >= 0) {
|
||||
int nids[] = { NID_subject_alt_name, NID_info_access };
|
||||
Local<String> keys[] = { env->subjectaltname_string(),
|
||||
env->infoaccess_string() };
|
||||
CHECK_EQ(ARRAY_SIZE(nids), ARRAY_SIZE(keys));
|
||||
for (unsigned int i = 0; i < ARRAY_SIZE(nids); i++) {
|
||||
int index = X509_get_ext_by_NID(peer_cert, nids[i], -1);
|
||||
if (index < 0)
|
||||
continue;
|
||||
|
||||
X509_EXTENSION* ext;
|
||||
int rv;
|
||||
|
||||
@ -1054,7 +1135,7 @@ void SSLWrap<Base>::GetPeerCertificate(
|
||||
assert(rv == 1);
|
||||
|
||||
BIO_get_mem_ptr(bio, &mem);
|
||||
info->Set(env->subjectaltname_string(),
|
||||
info->Set(keys[i],
|
||||
OneByteString(args.GetIsolate(), mem->data, mem->length));
|
||||
|
||||
(void) BIO_reset(bio);
|
||||
@ -1316,6 +1397,34 @@ void SSLWrap<Base>::NewSessionDone(const FunctionCallbackInfo<Value>& args) {
|
||||
}
|
||||
|
||||
|
||||
template <class Base>
|
||||
void SSLWrap<Base>::SetOCSPResponse(
|
||||
const v8::FunctionCallbackInfo<v8::Value>& args) {
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
HandleScope scope(args.GetIsolate());
|
||||
|
||||
Base* w = Unwrap<Base>(args.Holder());
|
||||
if (args.Length() < 1 || !Buffer::HasInstance(args[0]))
|
||||
return w->env()->ThrowTypeError("Must give a Buffer as first argument");
|
||||
|
||||
w->ocsp_response_.Reset(args.GetIsolate(), args[0].As<Object>());
|
||||
#endif // NODE__HAVE_TLSEXT_STATUS_CB
|
||||
}
|
||||
|
||||
|
||||
template <class Base>
|
||||
void SSLWrap<Base>::RequestOCSP(
|
||||
const v8::FunctionCallbackInfo<v8::Value>& args) {
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
HandleScope scope(args.GetIsolate());
|
||||
|
||||
Base* w = Unwrap<Base>(args.Holder());
|
||||
|
||||
SSL_set_tlsext_status_type(w->ssl_, TLSEXT_STATUSTYPE_ocsp);
|
||||
#endif // NODE__HAVE_TLSEXT_STATUS_CB
|
||||
}
|
||||
|
||||
|
||||
#ifdef SSL_set_max_send_fragment
|
||||
template <class Base>
|
||||
void SSLWrap<Base>::SetMaxSendFragment(
|
||||
@ -1547,6 +1656,55 @@ void SSLWrap<Base>::SetNPNProtocols(const FunctionCallbackInfo<Value>& args) {
|
||||
#endif // OPENSSL_NPN_NEGOTIATED
|
||||
|
||||
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
template <class Base>
|
||||
int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) {
|
||||
Base* w = static_cast<Base*>(arg);
|
||||
Environment* env = w->env();
|
||||
HandleScope handle_scope(env->isolate());
|
||||
|
||||
if (w->is_client()) {
|
||||
// Incoming response
|
||||
const unsigned char* resp;
|
||||
int len = SSL_get_tlsext_status_ocsp_resp(s, &resp);
|
||||
Local<Value> arg;
|
||||
if (resp == NULL) {
|
||||
arg = Null(env->isolate());
|
||||
} else {
|
||||
arg = Buffer::New(
|
||||
env,
|
||||
reinterpret_cast<char*>(const_cast<unsigned char*>(resp)),
|
||||
len);
|
||||
}
|
||||
|
||||
w->MakeCallback(env->onocspresponse_string(), 1, &arg);
|
||||
|
||||
// Somehow, client is expecting different return value here
|
||||
return 1;
|
||||
} else {
|
||||
// Outgoing response
|
||||
if (w->ocsp_response_.IsEmpty())
|
||||
return SSL_TLSEXT_ERR_NOACK;
|
||||
|
||||
Local<Object> obj = PersistentToLocal(env->isolate(), w->ocsp_response_);
|
||||
char* resp = Buffer::Data(obj);
|
||||
size_t len = Buffer::Length(obj);
|
||||
|
||||
// OpenSSL takes control of the pointer after accepting it
|
||||
char* data = reinterpret_cast<char*>(malloc(len));
|
||||
assert(data != NULL);
|
||||
memcpy(data, resp, len);
|
||||
|
||||
if (!SSL_set_tlsext_status_ocsp_resp(s, data, len))
|
||||
free(data);
|
||||
w->ocsp_response_.Reset();
|
||||
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
}
|
||||
#endif // NODE__HAVE_TLSEXT_STATUS_CB
|
||||
|
||||
|
||||
void Connection::OnClientHelloParseEnd(void* arg) {
|
||||
Connection* conn = static_cast<Connection*>(arg);
|
||||
|
||||
|
@ -53,6 +53,9 @@
|
||||
|
||||
#define EVP_F_EVP_DECRYPTFINAL 101
|
||||
|
||||
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_CTX_set_tlsext_status_cb)
|
||||
# define NODE__HAVE_TLSEXT_STATUS_CB
|
||||
#endif // !defined(OPENSSL_NO_TLSEXT) && defined(SSL_CTX_set_tlsext_status_cb)
|
||||
|
||||
namespace node {
|
||||
namespace crypto {
|
||||
@ -74,6 +77,8 @@ class SecureContext : public BaseObject {
|
||||
|
||||
X509_STORE* ca_store_;
|
||||
SSL_CTX* ctx_;
|
||||
X509* cert_;
|
||||
X509* issuer_;
|
||||
|
||||
static const int kMaxSessionSize = 10 * 1024;
|
||||
|
||||
@ -98,10 +103,15 @@ class SecureContext : public BaseObject {
|
||||
static void GetTicketKeys(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void SetTicketKeys(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
|
||||
template <bool primary>
|
||||
static void GetCertificate(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
|
||||
SecureContext(Environment* env, v8::Local<v8::Object> wrap)
|
||||
: BaseObject(env, wrap),
|
||||
ca_store_(NULL),
|
||||
ctx_(NULL) {
|
||||
ctx_(NULL),
|
||||
cert_(NULL),
|
||||
issuer_(NULL) {
|
||||
MakeWeak<SecureContext>(this);
|
||||
}
|
||||
|
||||
@ -115,8 +125,14 @@ class SecureContext : public BaseObject {
|
||||
ctx_->cert_store = NULL;
|
||||
}
|
||||
SSL_CTX_free(ctx_);
|
||||
if (cert_ != NULL)
|
||||
X509_free(cert_);
|
||||
if (issuer_ != NULL)
|
||||
X509_free(issuer_);
|
||||
ctx_ = NULL;
|
||||
ca_store_ = NULL;
|
||||
cert_ = NULL;
|
||||
issuer_ = NULL;
|
||||
} else {
|
||||
assert(ca_store_ == NULL);
|
||||
}
|
||||
@ -157,6 +173,9 @@ class SSLWrap {
|
||||
npn_protos_.Reset();
|
||||
selected_npn_proto_.Reset();
|
||||
#endif
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
ocsp_response_.Reset();
|
||||
#endif // NODE__HAVE_TLSEXT_STATUS_CB
|
||||
}
|
||||
|
||||
inline SSL* ssl() const { return ssl_; }
|
||||
@ -191,6 +210,8 @@ class SSLWrap {
|
||||
static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void NewSessionDone(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void SetOCSPResponse(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static void RequestOCSP(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
|
||||
#ifdef SSL_set_max_send_fragment
|
||||
static void SetMaxSendFragment(
|
||||
@ -212,6 +233,7 @@ class SSLWrap {
|
||||
unsigned int inlen,
|
||||
void* arg);
|
||||
#endif // OPENSSL_NPN_NEGOTIATED
|
||||
static int TLSExtStatusCallback(SSL* s, void* arg);
|
||||
|
||||
inline Environment* ssl_env() const {
|
||||
return env_;
|
||||
@ -225,6 +247,10 @@ class SSLWrap {
|
||||
bool new_session_wait_;
|
||||
ClientHelloParser hello_parser_;
|
||||
|
||||
#ifdef NODE__HAVE_TLSEXT_STATUS_CB
|
||||
v8::Persistent<v8::Object> ocsp_response_;
|
||||
#endif // NODE__HAVE_TLSEXT_STATUS_CB
|
||||
|
||||
#ifdef OPENSSL_NPN_NEGOTIATED
|
||||
v8::Persistent<v8::Object> npn_protos_;
|
||||
v8::Persistent<v8::Value> selected_npn_proto_;
|
||||
|
@ -123,6 +123,7 @@ void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
|
||||
hello.session_id_ = session_id_;
|
||||
hello.session_size_ = session_size_;
|
||||
hello.has_ticket_ = tls_ticket_ != NULL && tls_ticket_size_ != 0;
|
||||
hello.ocsp_request_ = ocsp_request_;
|
||||
hello.servername_ = servername_;
|
||||
hello.servername_size_ = servername_size_;
|
||||
onhello_cb_(cb_arg_, hello);
|
||||
@ -159,6 +160,18 @@ void ClientHelloParser::ParseExtension(ClientHelloParser::ExtensionType type,
|
||||
}
|
||||
}
|
||||
break;
|
||||
case kStatusRequest:
|
||||
// We are ignoring any data, just indicating the presence of extension
|
||||
if (len < kMinStatusRequestSize)
|
||||
return;
|
||||
|
||||
// Unknown type, ignore it
|
||||
if (data[0] != kStatusRequestOCSP)
|
||||
break;
|
||||
|
||||
// Ignore extensions, they won't work with caching on backend anyway
|
||||
ocsp_request_ = 1;
|
||||
break;
|
||||
case kTLSSessionTicket:
|
||||
tls_ticket_size_ = len;
|
||||
tls_ticket_ = data + len;
|
||||
|
@ -34,7 +34,14 @@ class ClientHelloParser {
|
||||
ClientHelloParser() : state_(kEnded),
|
||||
onhello_cb_(NULL),
|
||||
onend_cb_(NULL),
|
||||
cb_arg_(NULL) {
|
||||
cb_arg_(NULL),
|
||||
session_size_(0),
|
||||
session_id_(NULL),
|
||||
servername_size_(0),
|
||||
servername_(NULL),
|
||||
ocsp_request_(0),
|
||||
tls_ticket_size_(0),
|
||||
tls_ticket_(NULL) {
|
||||
Reset();
|
||||
}
|
||||
|
||||
@ -48,6 +55,7 @@ class ClientHelloParser {
|
||||
inline bool has_ticket() const { return has_ticket_; }
|
||||
inline uint8_t servername_size() const { return servername_size_; }
|
||||
inline const uint8_t* servername() const { return servername_; }
|
||||
inline int ocsp_request() const { return ocsp_request_; }
|
||||
|
||||
private:
|
||||
uint8_t session_size_;
|
||||
@ -55,6 +63,7 @@ class ClientHelloParser {
|
||||
bool has_ticket_;
|
||||
uint8_t servername_size_;
|
||||
const uint8_t* servername_;
|
||||
int ocsp_request_;
|
||||
|
||||
friend class ClientHelloParser;
|
||||
};
|
||||
@ -76,6 +85,8 @@ class ClientHelloParser {
|
||||
static const size_t kMaxTLSFrameLen = 16 * 1024 + 5;
|
||||
static const size_t kMaxSSLExFrameLen = 32 * 1024;
|
||||
static const uint8_t kServernameHostname = 0;
|
||||
static const uint8_t kStatusRequestOCSP = 1;
|
||||
static const size_t kMinStatusRequestSize = 5;
|
||||
|
||||
enum ParseState {
|
||||
kWaiting,
|
||||
@ -99,6 +110,7 @@ class ClientHelloParser {
|
||||
|
||||
enum ExtensionType {
|
||||
kServerName = 0,
|
||||
kStatusRequest = 5,
|
||||
kTLSSessionTicket = 35
|
||||
};
|
||||
|
||||
@ -123,6 +135,7 @@ class ClientHelloParser {
|
||||
const uint8_t* session_id_;
|
||||
uint16_t servername_size_;
|
||||
const uint8_t* servername_;
|
||||
uint8_t ocsp_request_;
|
||||
uint16_t tls_ticket_size_;
|
||||
const uint8_t* tls_ticket_;
|
||||
};
|
||||
|
2
test/fixtures/keys/Makefile
vendored
2
test/fixtures/keys/Makefile
vendored
@ -30,6 +30,8 @@ agent1-csr.pem: agent1.cnf agent1-key.pem
|
||||
|
||||
agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem
|
||||
openssl x509 -req \
|
||||
-extfile agent1.cnf \
|
||||
-extensions v3_ca \
|
||||
-days 9999 \
|
||||
-passin "pass:password" \
|
||||
-in agent1-csr.pem \
|
||||
|
30
test/fixtures/keys/agent1-cert.pem
vendored
30
test/fixtures/keys/agent1-cert.pem
vendored
@ -1,16 +1,18 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICbjCCAdcCCQCahKvPuKcqtTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
|
||||
UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
|
||||
BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMTEgMB4GCSqGSIb3DQEJARYRcnlA
|
||||
dGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExODU5WhcNNDAxMjE2MTExODU5WjB9
|
||||
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
|
||||
EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MTEgMB4G
|
||||
CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQAD
|
||||
gY0AMIGJAoGBAMNQTWAcktNJlmpEbu0xKJzjpI0MJfWZauUg5GXD6/CXRGOEQ/Im
|
||||
uqG7Ar23LrFK/y2goHCF+/ffJKaFzJ4iuv2nAlly/HTriQJUtP/dxacfqrC5A1GH
|
||||
EYAA/S1VShPUtpljADZWyEemWBzZacC2SQ5cChkXTmqJ9t3wYBSw/guHAgMBAAEw
|
||||
DQYJKoZIhvcNAQEFBQADgYEAbuPFhXlMbdYX0XpcPiiRamvO2Qha2GEBRSfqg1Qe
|
||||
fZo5oRXlOd+QVh4O8A3AFY06ERKE72Ho01B+KM2MwpJk0izQhmC4a0pks0jrBuyW
|
||||
dGoVczyK8eCtbw3Y2uiALV+60EidhCbOqml+3kIDVF0cXkCYi5FVbHRTls7wL0gR
|
||||
Fe0=
|
||||
MIIC1jCCAj+gAwIBAgIJAJqEq8+4pyq+MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV
|
||||
BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu
|
||||
dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2ExMSAwHgYJKoZIhvcNAQkB
|
||||
FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xNDA0MTUyMTMxMzFaFw00MTA4MzAyMTMx
|
||||
MzFaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN
|
||||
BgNVBAoTBkpveWVudDEQMA4GA1UECxMHTm9kZS5qczEPMA0GA1UEAxMGYWdlbnQx
|
||||
MSAwHgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzCBnzANBgkqhkiG9w0B
|
||||
AQEFAAOBjQAwgYkCgYEAuOs3hW8rF+7xx5iB9wjmIgd+HTqRFUeKxG+mWV35Hl6A
|
||||
3uzYGXwWznqsOomr4a/UkZrxbPGp5Awqa9g72NF97g3Sysq2DW4a3ycXWAeYYcHS
|
||||
lRxqJGXTjx+vG/0nDCXLBhoDKO00zEccdjGS8xEjjieQQr+KeASmIm0kQmuN5YcC
|
||||
AwEAAaNhMF8wXQYIKwYBBQUHAQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz
|
||||
cC5ub2RlanMub3JnLzAoBggrBgEFBQcwAoYcaHR0cDovL2NhLm5vZGVqcy5vcmcv
|
||||
Y2EuY2VydDANBgkqhkiG9w0BAQUFAAOBgQAx6rhnYbPygJwIm6nidyx+ydJQC4Gk
|
||||
JD+pzbdJkTS+01r+xjVY/Wckn4JAsIlo/MMn055rs2cfdjoQtlj6yjEU6AP/7bfr
|
||||
Mju4lBxDLACJ2y5/rfj3wO4q4Knd4Q4mPWjlS2SwmkHZ21QOqJ6Ig9ps6HPM7syw
|
||||
ZYQ3WQ1LOPAxMg==
|
||||
-----END CERTIFICATE-----
|
||||
|
16
test/fixtures/keys/agent1-csr.pem
vendored
16
test/fixtures/keys/agent1-csr.pem
vendored
@ -2,12 +2,12 @@
|
||||
MIIB4jCCAUsCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH
|
||||
EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD
|
||||
EwZhZ2VudDExIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0G
|
||||
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDUE1gHJLTSZZqRG7tMSic46SNDCX1mWrl
|
||||
IORlw+vwl0RjhEPyJrqhuwK9ty6xSv8toKBwhfv33ySmhcyeIrr9pwJZcvx064kC
|
||||
VLT/3cWnH6qwuQNRhxGAAP0tVUoT1LaZYwA2VshHplgc2WnAtkkOXAoZF05qifbd
|
||||
8GAUsP4LhwIDAQABoCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3
|
||||
b3JkMA0GCSqGSIb3DQEBBQUAA4GBAFRwfX09wCEqB5fOGTLSAQqK7/Tm47t8TcFy
|
||||
PsCoHcYSHCSSthknJgdnK9nQaVVVqVpDRgmUFmcWC27JOAFQLt79FqOYNLGrmvR/
|
||||
ZaRbz3BBi4TBHClalnyBBzaYJJQz16qbT4j48TmzRQvBGR/gT2FpPoLVDWKU+U6E
|
||||
oU6hMCpb
|
||||
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC46zeFbysX7vHHmIH3COYiB34dOpEVR4rE
|
||||
b6ZZXfkeXoDe7NgZfBbOeqw6iavhr9SRmvFs8ankDCpr2DvY0X3uDdLKyrYNbhrf
|
||||
JxdYB5hhwdKVHGokZdOPH68b/ScMJcsGGgMo7TTMRxx2MZLzESOOJ5BCv4p4BKYi
|
||||
bSRCa43lhwIDAQABoCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3
|
||||
b3JkMA0GCSqGSIb3DQEBBQUAA4GBAC1pwZvvfYfK8IXYyXLD3N47MEbn/Y8C85Qi
|
||||
rYVl7y/7ThurCLtWVlS3e7es3Kr8nxjHTjVZW20RZHOmOGfSOkXoL3uuwew1jvCq
|
||||
ibM2jwPCq1N/I4D94Fzh9LG86Cu8U6PtBlZzgprdK84Fo8U/pFRikPrggApUiPhm
|
||||
MZeWhDyn
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
|
26
test/fixtures/keys/agent1-key.pem
vendored
26
test/fixtures/keys/agent1-key.pem
vendored
@ -1,15 +1,15 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXAIBAAKBgQDDUE1gHJLTSZZqRG7tMSic46SNDCX1mWrlIORlw+vwl0RjhEPy
|
||||
JrqhuwK9ty6xSv8toKBwhfv33ySmhcyeIrr9pwJZcvx064kCVLT/3cWnH6qwuQNR
|
||||
hxGAAP0tVUoT1LaZYwA2VshHplgc2WnAtkkOXAoZF05qifbd8GAUsP4LhwIDAQAB
|
||||
AoGAJI+nrFIs+fhQe9wLl8MYAyZp6y1W/b6WUAX0O0iNph/q4WYlAfNWBGhpfvIH
|
||||
f5C2a+ghoG60WBYhWjq5rvB5aCX/DchIATuaVHgaWcBf7y9NXnWDH9JMtDOTaVI6
|
||||
s7inJwjqIJAHbloa82NGuwz/EN4Ncng6wTmf1gbF6UtOqGECQQD15UNAtpRqpGPz
|
||||
xPAZwT3TkY4gYLlZvqn21r/92P5XVbTJXyBTo9pwY4F7o/pNZAQcq3sPUrZW7T4X
|
||||
t8nPT4RrAkEAy1bvewVS3U10V8ffzCl7F5WiaTEMa39F4e0QqBKOXdnDS2T1FJZl
|
||||
VSVSXiVMd4qFQf4IVgBZCwihS1hpPSo8VQJBAL7vpBY27+4S8k4SaUIGbITBLHR1
|
||||
xtcqFv5F6NUrTuvv8C7Bf++Sdwb4LU4dmTnI5OyCN09Bsba0B5gRLVKd8zsCQAu4
|
||||
AetEHkd0zEy2zzYT+e0dCZQoaH/VgPCJWhlloGDWSQQSWHGMTWC/2uRkH+kPyahI
|
||||
/LAAKyGQqMMP4FjPE1UCQAyPkF3dJy+KRZSQ2rz0bpBVGoUV31hl+SvMigCy0yUy
|
||||
QwvJxgN14LQJP+pCcuJGaSdiPsOjxqhPX7KMg3SiSlA=
|
||||
MIICXgIBAAKBgQC46zeFbysX7vHHmIH3COYiB34dOpEVR4rEb6ZZXfkeXoDe7NgZ
|
||||
fBbOeqw6iavhr9SRmvFs8ankDCpr2DvY0X3uDdLKyrYNbhrfJxdYB5hhwdKVHGok
|
||||
ZdOPH68b/ScMJcsGGgMo7TTMRxx2MZLzESOOJ5BCv4p4BKYibSRCa43lhwIDAQAB
|
||||
AoGBAIXZzPCLDXhffydo3vo/uMT9A26IzCfJB0s1PgYGHaK76TBz4+Bej+uZpD0j
|
||||
FgVgzs8uhn7DVqQ5oiM5++fvi+Sd+KlyVNgLKe7UTBGYE5Nc9DuDDD0GmJtFvso6
|
||||
amsVhECF8sWZVOAwUdrwHhWevp5gJ1cfs3YMTlT9YqdRaWOhAkEA8TJAPfnbEfWf
|
||||
saDhWCjanW+w2QEYPa6wYFt+I5L2XPTeKR/wEQ3EzM++vCWxSF5LNSaXIdic847p
|
||||
BcIGi/0r6QJBAMREt5r1c6Wf5mS6i/Jg6AdCEUjy0feRCeKemJDMKxyl5m/cU+rk
|
||||
p5YBUgwoI8kzc82GEhyg4/NgHQfNcrZdT+8CQFVzChNq21PHgyX46xzCjIDOOwcG
|
||||
PkJMCyx3/X446JMSJUrIh9Ji4F/3EYmyiNYsodRYsZ5KEYCwFpn1nUAnF1ECQQC/
|
||||
uzl54YomJDyX7jzEfLJuVLY6AyvmowN7JN95pFoBVHf2ktBPySuFuKiEQ7oh1Wet
|
||||
QOn0mZ/VovD5LFSBnkp1AkEAgOMkBCJuOfBDvQwrmAAowWQi//7D2x0fhyKcrF6D
|
||||
EZYVV125Wodw3zFxmE9p4vb6Hg3X5jSyGMzdE5ZqMgBD7w==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
7
test/fixtures/keys/agent1.cnf
vendored
7
test/fixtures/keys/agent1.cnf
vendored
@ -4,6 +4,7 @@ days = 999
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
prompt = no
|
||||
x509_extensions = v3_ca
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = US
|
||||
@ -17,3 +18,9 @@ emailAddress = ry@tinyclouds.org
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
|
||||
[ v3_ca ]
|
||||
authorityInfoAccess = @issuer_info
|
||||
|
||||
[ issuer_info ]
|
||||
OCSP;URI.0 = http://ocsp.nodejs.org/
|
||||
caIssuers;URI.0 = http://ca.nodejs.org/ca.cert
|
||||
|
16
test/fixtures/keys/ca1-cert.pem
vendored
16
test/fixtures/keys/ca1-cert.pem
vendored
@ -1,15 +1,15 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICazCCAdQCCQCK8euGRwPfJzANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
|
||||
MIICazCCAdQCCQC1CQyJn8L/kzANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV
|
||||
UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO
|
||||
BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMTEgMB4GCSqGSIb3DQEJARYRcnlA
|
||||
dGlueWNsb3Vkcy5vcmcwHhcNMTMwODAxMTExODU5WhcNNDAxMjE2MTExODU5WjB6
|
||||
dGlueWNsb3Vkcy5vcmcwHhcNMTQwNDE1MjEzMTMxWhcNNDEwODMwMjEzMTMxWjB6
|
||||
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK
|
||||
EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMTEgMB4GCSqG
|
||||
SIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
|
||||
MIGJAoGBAKk8iURIH5aHTpddeVkyMUUkiaP4W9M3x2nBqjvFTw7oP1mJYvab52ed
|
||||
/2rA7fRt3kZyf7+lRt4OtXG7emsBj2F6d/iHKnWUfdMZl+cQ61Mtx6/DeO3F55aT
|
||||
QrCeqDpyAOY6FvfhdflZItrEMQa9+PbsbyRBSxDJ/Qs7qhevnlqBAgMBAAEwDQYJ
|
||||
KoZIhvcNAQEFBQADgYEAZwg19wn9cU9Lb7pNw50qi9DeJhUvo4/Jua8FjikvoKX5
|
||||
oQSQ+J/7+83OEuJi2Ii1xH2fAlNN7ZoJzOHY/JU2tx64OmnhEPvnX/nb1/jK3zyn
|
||||
gwJDHcYG6AU6nHGWRewQpkoYYIQ7YQNx26OGQF0QdAJi2ltKZpQKIv/75XWfKrQ=
|
||||
MIGJAoGBALBXMk/xFR2GN2v/wKreZKyIitGphxYGoJ2d//s/wM6qqyIW94aiq3sm
|
||||
1zpmOTPTorT9Pk32A7uKKHfrafB+yA07QXgCYXgzcn17nfFInncDyGdggNFGAO13
|
||||
5JuC3JC8pRJpEokkMszpHJxPdR6gKXIT05blUnpwGT/AmYJ8S59lAgMBAAEwDQYJ
|
||||
KoZIhvcNAQEFBQADgYEAAb+Pye0I+k927Qi2+cUowLS5MtmrEosUbTYwI4rqYSR2
|
||||
aiibqmC3Z55N72ktQ2pJKP8I1t3Rk+j8/yIKWzSn5Jd2GT4ZzqbANrdLKeAsfVDK
|
||||
pnsUR1IV/sdIvuELm+P4kyK5wafJytUjD+A4SH2oWN4EozDR1OidAhJrraXQksw=
|
||||
-----END CERTIFICATE-----
|
||||
|
2
test/fixtures/keys/ca1-cert.srl
vendored
2
test/fixtures/keys/ca1-cert.srl
vendored
@ -1 +1 @@
|
||||
9A84ABCFB8A72AB5
|
||||
9A84ABCFB8A72ABE
|
||||
|
30
test/fixtures/keys/ca1-key.pem
vendored
30
test/fixtures/keys/ca1-key.pem
vendored
@ -1,17 +1,17 @@
|
||||
-----BEGIN ENCRYPTED PRIVATE KEY-----
|
||||
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIWE2PsdhhEj8CAggA
|
||||
MBQGCCqGSIb3DQMHBAjAnjC7zH2c+ASCAoB/e9OPJqGdm2yw6CwNrdNF+besbvTB
|
||||
3aLesJXqttUb7GkIG8D0wmIUfW1BgcROFyvD+Jz31NRES4/KmRpwybEoWOBtpYAZ
|
||||
AbcLFAJm+RYWO6XMwq9kMnQ7I4QtXZzCywJ7TSFQlDt5BJWvhqp5rbQTj6gTGMLl
|
||||
CwB12/GhpEviX9kDj49FvlylLAjkVR151nhAil2Nv9O4Ww/WV0y21tscaajFS2sb
|
||||
2sZ+3iZIZL+PF8qFoBtffJHeEWIKlHtnbjl1BqMtSt67CbS0CJSqtGss3+eVq9Y1
|
||||
OzeG8EAwTCP+HwOBgGNRssJxwnz+SaAZnb7te3x3yn7zac6+8PmZLdPcYBps2krS
|
||||
nDVZUBW0kybi7qGWW02SYdDXKOCBVAqlSILMdhMdArQqF7P3tAac2PJNFLBf/31w
|
||||
bVeqaXHmijbobcTsR7TV8SUMVPJXcDYg5qSsbGa+PLIPPFmQ/ZSSVXn+V7yVfUT5
|
||||
S/HjwBm9jdPj5l9uI6uInD8O1OFXvaP/usjKFAB/B2b3aTjtiBdqXQMAIaFKtVXs
|
||||
BP3GgXxkVjrFWcVE6BXJUNRpx9EeBLz/7s86I3SUKuGduRe7aAfO0Q76dPqh6mwJ
|
||||
zvOuPJXlARTU5BVWiV7FP53KQZ6a+35urMOdnsq/Fzf4qg9yZcXp9hxJAspHgn8P
|
||||
3QKCJ6HnHvl9wpjQLxjLnQgIYBNeYW6vo/hUVRfTruN8VjeKWqoNQVEAOJ5Br4i9
|
||||
/Nsjl8aw0kaRXonYtmlSD6lQycckkV7WkhFlXej8Q+mGTE60ut1gJ85cM+JHwTlk
|
||||
XFDe6qYCSZk17l6MMLNwbYeJjTqSbT0UAYx2lyTtAC4L+L/H8hFedwFp
|
||||
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIJ36Z9tFiv2oCAggA
|
||||
MBQGCCqGSIb3DQMHBAjCAyUwdFh+7gSCAoD9Sv9009MmLb8+wHhYhxmrPrpeYZOt
|
||||
W8xfELfal/2XWFe41WV41Qsa2HyN03VeyQjb+cnKvZX6HUCe5zVMUsf+B91yQBqR
|
||||
jOZgsgoflEC3tFrhW5ogmRnjuok3CbTYLx0f8GMucSRNa9ZPhpfUjrVcCUrKKRJ+
|
||||
owk0VxWQkRqMF/8WJJgHxnm8/jLbNKuHbwY8SSQO/pStyKxqx5rBXAA/YCrAx7EZ
|
||||
aDvc2q9EwRHX+hWIhpIkYna7PwnNAX03Ghv4iiwUlwHoomvgxExdUc9T8HBQu/xP
|
||||
2pmUqwTglAdRb0tNiYrF+yIesAlqBc1qoi7tv2SM3gTowdw2PeHq5MA/ShV21oC8
|
||||
51bc0OxRkEFsHGLIs1v5qzs21JhX0IKvb5LDHAaze2RwODfnCTcQb8jYaFZNmwpt
|
||||
ZrHgBQBwOHSvZ9CCqInDDtGBhYRlQIQRGgj9Ju5fruRYycn8vE58OcIfF52dwLKB
|
||||
7sjTFX0O0b58wpiQSJzbHGbjNlQNRXxdk9v1qfP8vx8rFHLoFSScaZomavp4uijU
|
||||
yLKVwquzEOVOMP8cC+yRk+zkcb9EE2pE1CqG0Mj6MHH1Lha98kakTIAS/VG59/Mp
|
||||
EqZoRtJ6n/DzscrRpHIm+170ufLGmivmTeOXcMyHv1pGp35c5VbmUTZCxcE7A/0f
|
||||
WPLVB3lBPgsvR/4NVx9A6mvXbkp2yngdfbvQgzRDG6pfrE1xeiUAyRCts7dR3Q9/
|
||||
dNHIM2wsiO3A/8Up1vrY6d/dcJt7cwjHRkx2eQFbpeE+a4CCNZ7gXFcwHLigBH8G
|
||||
uTTVZf4HJavjXiYlkY3OFnPuz4KzanJzuqluKeIdJwSEkp9Kra/Id0eO
|
||||
-----END ENCRYPTED PRIVATE KEY-----
|
||||
|
109
test/simple/test-tls-ocsp-callback.js
Normal file
109
test/simple/test-tls-ocsp-callback.js
Normal file
@ -0,0 +1,109 @@
|
||||
// Copyright Joyent, Inc. and other Node contributors.
|
||||
//
|
||||
// Permission is hereby granted, free of charge, to any person obtaining a
|
||||
// copy of this software and associated documentation files (the
|
||||
// "Software"), to deal in the Software without restriction, including
|
||||
// without limitation the rights to use, copy, modify, merge, publish,
|
||||
// distribute, sublicense, and/or sell copies of the Software, and to permit
|
||||
// persons to whom the Software is furnished to do so, subject to the
|
||||
// following conditions:
|
||||
//
|
||||
// The above copyright notice and this permission notice shall be included
|
||||
// in all copies or substantial portions of the Software.
|
||||
//
|
||||
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
|
||||
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
||||
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
|
||||
// USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
var common = require('../common');
|
||||
|
||||
if (!process.features.tls_ocsp) {
|
||||
console.error('Skipping because node compiled without OpenSSL or ' +
|
||||
'with old OpenSSL version.');
|
||||
process.exit(0);
|
||||
}
|
||||
if (!common.opensslCli) {
|
||||
console.error('Skipping because node compiled without OpenSSL CLI.');
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
test({ response: false }, function() {
|
||||
test({ response: 'hello world' });
|
||||
});
|
||||
|
||||
function test(testOptions, cb) {
|
||||
var assert = require('assert');
|
||||
var tls = require('tls');
|
||||
var fs = require('fs');
|
||||
var join = require('path').join;
|
||||
var spawn = require('child_process').spawn;
|
||||
|
||||
var keyFile = join(common.fixturesDir, 'keys', 'agent1-key.pem');
|
||||
var certFile = join(common.fixturesDir, 'keys', 'agent1-cert.pem');
|
||||
var caFile = join(common.fixturesDir, 'keys', 'ca1-cert.pem');
|
||||
var key = fs.readFileSync(keyFile);
|
||||
var cert = fs.readFileSync(certFile);
|
||||
var ca = fs.readFileSync(caFile);
|
||||
var options = {
|
||||
key: key,
|
||||
cert: cert,
|
||||
ca: [ca]
|
||||
};
|
||||
var requestCount = 0;
|
||||
var ocspCount = 0;
|
||||
var ocspResponse;
|
||||
var session;
|
||||
|
||||
var server = tls.createServer(options, function(cleartext) {
|
||||
cleartext.on('error', function(er) {
|
||||
// We're ok with getting ECONNRESET in this test, but it's
|
||||
// timing-dependent, and thus unreliable. Any other errors
|
||||
// are just failures, though.
|
||||
if (er.code !== 'ECONNRESET')
|
||||
throw er;
|
||||
});
|
||||
++requestCount;
|
||||
cleartext.end();
|
||||
});
|
||||
server.on('OCSPRequest', function(cert, issuer, callback) {
|
||||
++ocspCount;
|
||||
assert.ok(Buffer.isBuffer(cert));
|
||||
assert.ok(Buffer.isBuffer(issuer));
|
||||
|
||||
// Just to check that async really works there
|
||||
setTimeout(function() {
|
||||
callback(null,
|
||||
testOptions.response ? new Buffer(testOptions.response) : null);
|
||||
}, 100);
|
||||
});
|
||||
server.listen(common.PORT, function() {
|
||||
var client = tls.connect({
|
||||
port: common.PORT,
|
||||
requestOCSP: true,
|
||||
rejectUnauthorized: false
|
||||
}, function() {
|
||||
});
|
||||
client.on('OCSPResponse', function(resp) {
|
||||
ocspResponse = resp;
|
||||
if (resp)
|
||||
client.destroy();
|
||||
});
|
||||
client.on('close', function() {
|
||||
server.close(cb);
|
||||
});
|
||||
});
|
||||
|
||||
process.on('exit', function() {
|
||||
if (testOptions.response) {
|
||||
assert.equal(ocspResponse.toString(), testOptions.response);
|
||||
} else {
|
||||
assert.ok(ocspResponse === null);
|
||||
}
|
||||
assert.equal(requestCount, testOptions.response ? 0 : 1);
|
||||
assert.equal(ocspCount, 1);
|
||||
});
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user