From 73631bbcc83888ec61a0aebf4eff3904e9384a2e Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Mon, 1 Sep 2014 18:44:57 +0400 Subject: [PATCH] tls: support multiple keys/certs Required to serve website with both ECDSA/RSA certificates. --- doc/api/tls.markdown | 8 ++-- lib/_tls_common.js | 26 +++++++++-- test/simple/test-tls-multi-key.js | 74 +++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+), 8 deletions(-) create mode 100644 test/simple/test-tls-multi-key.js diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 57d1db9a199..36d88a7f53d 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -122,12 +122,12 @@ automatically set as a listener for the [secureConnection][] event. The the `key`, `cert` and `ca` options.) - `key`: A string or `Buffer` containing the private key of the server in - PEM format. (Required) + PEM format. (Could be an array of keys). (Required) - `passphrase`: A string of passphrase for the private key or pfx. - `cert`: A string or `Buffer` containing the certificate key of the server in - PEM format. (Required) + PEM format. (Could be an array of certs). (Required) - `ca`: An array of strings or `Buffer`s of trusted certificates in PEM format. If this is omitted several well known "root" CAs will be used, @@ -303,12 +303,12 @@ Creates a new client connection to the given `port` and `host` (old API) or CA certs of the client in PFX or PKCS12 format. - `key`: A string or `Buffer` containing the private key of the client in - PEM format. + PEM format. (Could be an array of keys). - `passphrase`: A string of passphrase for the private key or pfx. - `cert`: A string or `Buffer` containing the certificate key of the client in - PEM format. + PEM format. (Could be an array of certs). - `ca`: An array of strings or `Buffer`s of trusted certificates in PEM format. If this is omitted several well known "root" CAs will be used, diff --git a/lib/_tls_common.js b/lib/_tls_common.js index f7f2ad86e5c..01efcebc14a 100644 --- a/lib/_tls_common.js +++ b/lib/_tls_common.js @@ -64,10 +64,21 @@ exports.createSecureContext = function createSecureContext(options, context) { if (context) return c; if (options.key) { - if (options.passphrase) { - c.context.setKey(options.key, options.passphrase); + if (Array.isArray(options.key)) { + for (var i = 0; i < options.key.length; i++) { + var key = options.key[i]; + + if (key.passphrase) + c.context.setKey(key.pem, key.passphrase); + else + c.context.setKey(key); + } } else { - c.context.setKey(options.key); + if (options.passphrase) { + c.context.setKey(options.key, options.passphrase); + } else { + c.context.setKey(options.key); + } } } @@ -85,7 +96,14 @@ exports.createSecureContext = function createSecureContext(options, context) { c.context.addRootCerts(); } - if (options.cert) c.context.setCert(options.cert); + if (options.cert) { + if (Array.isArray(options.cert)) { + for (var i = 0; i < options.cert.length; i++) + c.context.setCert(options.cert[i]); + } else { + c.context.setCert(options.cert); + } + } if (options.ciphers) c.context.setCiphers(options.ciphers); diff --git a/test/simple/test-tls-multi-key.js b/test/simple/test-tls-multi-key.js new file mode 100644 index 00000000000..e00c4040934 --- /dev/null +++ b/test/simple/test-tls-multi-key.js @@ -0,0 +1,74 @@ +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +if (!process.versions.openssl) { + console.error('Skipping because node compiled without OpenSSL.'); + process.exit(0); +} + +var common = require('../common'); +var assert = require('assert'); +var tls = require('tls'); +var fs = require('fs'); + +var options = { + key: [ + fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'), + fs.readFileSync(common.fixturesDir + '/keys/ec-key.pem') + ], + cert: [ + fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'), + fs.readFileSync(common.fixturesDir + '/keys/ec-cert.pem') + ] +}; + +var ciphers = []; + +var server = tls.createServer(options, function(conn) { + conn.end('ok'); +}).listen(common.PORT, function() { + var ecdsa = tls.connect(common.PORT, { + ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', + rejectUnauthorized: false + }, function() { + var rsa = tls.connect(common.PORT, { + ciphers: 'ECDHE-RSA-AES256-GCM-SHA384', + rejectUnauthorized: false + }, function() { + ecdsa.destroy(); + rsa.destroy(); + + ciphers.push(ecdsa.getCipher()); + ciphers.push(rsa.getCipher()); + server.close(); + }); + }); +}); + +process.on('exit', function() { + assert.deepEqual(ciphers, [{ + name: 'ECDHE-ECDSA-AES256-GCM-SHA384', + version: 'TLSv1/SSLv3' + }, { + name: 'ECDHE-RSA-AES256-GCM-SHA384', + version: 'TLSv1/SSLv3' + }]); +});