Permalink
Browse files

crypto: add PKCS12/PFX support

Fixes #2845.
  • Loading branch information...
1 parent bd90717 commit fb7348ae060bf9dd4b0521ac2533fc1d66c44d8b ssuda committed with bnoordhuis May 13, 2012
View
2 doc/api/crypto.markdown
@@ -14,8 +14,10 @@ It also offers a set of wrappers for OpenSSL's hash, hmac, cipher, decipher, sig
Creates a credentials object, with the optional details being a dictionary with keys:
+* `pfx` : A string or buffer holding the PFX or PKCS12 encoded private key, certificate and CA certificates
* `key` : a string holding the PEM encoded private key
* `cert` : a string holding the PEM encoded certificate
+* `passphrase` : A string of passphrase for the private key or pfx
* `ca` : either a string or list of strings of PEM encoded CA certificates to trust.
* `ciphers`: a string describing the ciphers to use or exclude. Consult
<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT> for details
View
16 doc/api/https.markdown
@@ -32,6 +32,19 @@ Example:
res.end("hello world\n");
}).listen(8000);
+Or
+
+ var https = require('https');
+ var fs = require('fs');
+
+ var options = {
+ pfx: fs.readFileSync('server.pfx')
+ };
+
+ https.createServer(options, function (req, res) {
+ res.writeHead(200);
+ res.end("hello world\n");
+ }).listen(8000);
## https.request(options, callback)
@@ -91,8 +104,9 @@ The options argument has the following options
The following options from [tls.connect()](tls.html#tls.connect) can also be
specified. However, a [globalAgent](#https.globalAgent) silently ignores these.
+- `pfx`: Certificate, Private key and CA certificates to use for SSL. Default `null`.
- `key`: Private key to use for SSL. Default `null`.
-- `passphrase`: A string of passphrase for the private key. Default `null`.
+- `passphrase`: A string of passphrase for the private key or pfx. Default `null`.
- `cert`: Public x509 certificate to use. Default `null`.
- `ca`: An authority certificate or array of authority certificates to check
the remote host against.
View
66 doc/api/tls.markdown
@@ -28,6 +28,17 @@ Alternatively you can send the CSR to a Certificate Authority for signing.
(TODO: docs on creating a CA, for now interested users should just look at
`test/fixtures/keys/Makefile` in the Node source code)
+To create .pfx or .p12, do this:
+
+ openssl pkcs12 -export -in agent5-cert.pem -inkey agent5-key.pem \
+ -certfile ca-cert.pem -out agent5.pfx
+
+ - `in`: certificate
+ - `inkey`: private key
+ - `certfile`: all CA certs concatenated in one file like
+ `cat ca1-cert.pem ca2-cert.pem > ca-cert.pem`
+
+
## Client-initiated renegotiation attack mitigation
<!-- type=misc -->
@@ -72,10 +83,14 @@ The `connectionListener` argument is automatically set as a listener for the
[secureConnection](#event_secureConnection_) event.
The `options` object has these possibilities:
+ - `pfx`: A string or `Buffer` containing the private key, certificate and
+ CA certs of the server in PFX or PKCS12 format. (Mutually exclusive with
+ the `key`, `cert` and `ca` options.)
+
- `key`: A string or `Buffer` containing the private key of the server in
PEM format. (Required)
- - `passphrase`: A string of passphrase for the private key.
+ - `passphrase`: A string of passphrase for the private key or pfx.
- `cert`: A string or `Buffer` containing the certificate key of the server in
PEM format. (Required)
@@ -137,7 +152,29 @@ Here is a simple example echo server:
console.log('server bound');
});
+Or
+
+ var tls = require('tls');
+ var fs = require('fs');
+
+ var options = {
+ pfx: fs.readFileSync('server.pfx'),
+ // This is necessary only if using the client certificate authentication.
+ requestCert: true,
+
+ };
+
+ var server = tls.createServer(options, function(cleartextStream) {
+ console.log('server connected',
+ cleartextStream.authorized ? 'authorized' : 'unauthorized');
+ cleartextStream.write("welcome!\n");
+ cleartextStream.setEncoding('utf8');
+ cleartextStream.pipe(cleartextStream);
+ });
+ server.listen(8000, function() {
+ console.log('server bound');
+ });
You can test this server by connecting to it with `openssl s_client`:
@@ -149,10 +186,13 @@ You can test this server by connecting to it with `openssl s_client`:
Creates a new client connection to the given `port` and `host`. (If `host`
defaults to `localhost`.) `options` should be an object which specifies
+ - `pfx`: A string or `Buffer` containing the private key, certificate and
+ CA certs of the server in PFX or PKCS12 format.
+
- `key`: A string or `Buffer` containing the private key of the client in
PEM format.
- - `passphrase`: A string of passphrase for the private key.
+ - `passphrase`: A string of passphrase for the private key or pfx.
- `cert`: A string or `Buffer` containing the certificate key of the client in
PEM format.
@@ -206,6 +246,28 @@ Here is an example of a client of echo server as described previously:
server.close();
});
+Or
+
+ var tls = require('tls');
+ var fs = require('fs');
+
+ var options = {
+ pfx: fs.readFileSync('client.pfx')
+ };
+
+ var cleartextStream = tls.connect(8000, options, function() {
+ console.log('client connected',
+ cleartextStream.authorized ? 'authorized' : 'unauthorized');
+ process.stdin.pipe(cleartextStream);
+ process.stdin.resume();
+ });
+ cleartextStream.setEncoding('utf8');
+ cleartextStream.on('data', function(data) {
+ console.log(data);
+ });
+ cleartextStream.on('end', function() {
+ server.close();
+ });
## tls.createSecurePair([credentials], [isServer], [requestCert], [rejectUnauthorized])
View
8 lib/crypto.js
@@ -114,6 +114,14 @@ exports.createCredentials = function(options, context) {
c.context.setSessionIdContext(options.sessionIdContext);
}
+ if (options.pfx) {
+ if (options.passphrase) {
+ c.context.loadPKCS12(options.pfx, options.passphrase);
+ } else {
+ c.context.loadPKCS12(options.pfx);
+ }
+ }
+
return c;
};
View
2 lib/tls.js
@@ -912,6 +912,7 @@ function Server(/* [options], listener */) {
this.setOptions(options);
var sharedCreds = crypto.createCredentials({
+ pfx : self.pfx,
key: self.key,
passphrase: self.passphrase,
cert: self.cert,
@@ -996,6 +997,7 @@ Server.prototype.setOptions = function(options) {
this.rejectUnauthorized = false;
}
+ if (options.pfx) this.pfx = options.pfx;
if (options.key) this.key = options.key;
if (options.passphrase) this.passphrase = options.passphrase;
if (options.cert) this.cert = options.cert;
View
79 src/node_crypto.cc
@@ -43,6 +43,7 @@
# include <pthread.h>
#endif
+
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
# define OPENSSL_CONST const
#else
@@ -169,6 +170,7 @@ void SecureContext::Initialize(Handle<Object> target) {
NODE_SET_PROTOTYPE_METHOD(t, "setSessionIdContext",
SecureContext::SetSessionIdContext);
NODE_SET_PROTOTYPE_METHOD(t, "close", SecureContext::Close);
+ NODE_SET_PROTOTYPE_METHOD(t, "loadPKCS12", SecureContext::LoadPKCS12);
target->Set(String::NewSymbol("SecureContext"), t->GetFunction());
}
@@ -595,6 +597,83 @@ Handle<Value> SecureContext::Close(const Arguments& args) {
return False();
}
+//Takes .pfx or .p12 and password in string or buffer format
+Handle<Value> SecureContext::LoadPKCS12(const Arguments& args) {
+ HandleScope scope;
+
+ BIO* in = NULL;
+ PKCS12* p12 = NULL;
+ EVP_PKEY* pkey = NULL;
+ X509* cert = NULL;
+ STACK_OF(X509)* extraCerts = NULL;
+ char* pass = NULL;
+ bool ret = false;
+
+ SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
+
+ if (args.Length() < 1) {
+ return ThrowException(Exception::TypeError(
+ String::New("Bad parameter")));
+ }
+
+ in = LoadBIO(args[0]);
+ if (in == NULL) {
+ return ThrowException(Exception::Error(
+ String::New("Unable to load BIO")));
+ }
+
+ if (args.Length() >= 2) {
+ ASSERT_IS_STRING_OR_BUFFER(args[1]);
+
+ int passlen = DecodeBytes(args[1], BINARY);
+ if (passlen < 0) {
+ BIO_free(in);
+ return ThrowException(Exception::TypeError(
+ String::New("Bad password")));
+ }
+ pass = new char[passlen + 1];
+ int pass_written = DecodeWrite(pass, passlen, args[1], BINARY);
+
+ assert(pass_written == passlen);
+ pass[passlen] = '\0';
+ }
+
+ if (d2i_PKCS12_bio(in, &p12) &&
+ PKCS12_parse(p12, pass, &pkey, &cert, &extraCerts) &&
+ SSL_CTX_use_certificate(sc->ctx_, cert) &&
+ SSL_CTX_use_PrivateKey(sc->ctx_, pkey))
+ {
+ // set extra certs
+ while (X509* x509 = sk_X509_pop(extraCerts)) {
+ if (!sc->ca_store_) {
+ sc->ca_store_ = X509_STORE_new();
+ SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ }
+
+ X509_STORE_add_cert(sc->ca_store_, x509);
+ SSL_CTX_add_client_CA(sc->ctx_, x509);
+ }
+
+ EVP_PKEY_free(pkey);
+ X509_free(cert);
+ sk_X509_free(extraCerts);
+
+ ret = true;
+ }
+
+ PKCS12_free(p12);
+ BIO_free(in);
+ delete[] pass;
+
+ if (!ret) {
+ unsigned long err = ERR_get_error();
+ const char *str = ERR_reason_error_string(err);
+ return ThrowException(Exception::Error(String::New(str)));
+ }
+
+ return True();
+}
+
#ifdef SSL_PRINT_DEBUG
# define DEBUG_PRINT(...) fprintf (stderr, __VA_ARGS__)
View
2 src/node_crypto.h
@@ -35,6 +35,7 @@
#include <openssl/x509v3.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
+#include <openssl/pkcs12.h>
#ifdef OPENSSL_NPN_NEGOTIATED
#include <node_buffer.h>
@@ -68,6 +69,7 @@ class SecureContext : ObjectWrap {
static v8::Handle<v8::Value> SetOptions(const v8::Arguments& args);
static v8::Handle<v8::Value> SetSessionIdContext(const v8::Arguments& args);
static v8::Handle<v8::Value> Close(const v8::Arguments& args);
+ static v8::Handle<v8::Value> LoadPKCS12(const v8::Arguments& args);
SecureContext() : ObjectWrap() {
ctx_ = NULL;
View
BIN test/fixtures/test_cert.pfx
Binary file not shown.
View
19 test/simple/test-crypto.js
@@ -38,6 +38,7 @@ var path = require('path');
// Test Certificates
var caPem = fs.readFileSync(common.fixturesDir + '/test_ca.pem', 'ascii');
var certPem = fs.readFileSync(common.fixturesDir + '/test_cert.pem', 'ascii');
+var certPfx = fs.readFileSync(common.fixturesDir + '/test_cert.pfx');
var keyPem = fs.readFileSync(common.fixturesDir + '/test_key.pem', 'ascii');
var rsaPubPem = fs.readFileSync(common.fixturesDir + '/test_rsa_pubkey.pem',
'ascii');
@@ -54,8 +55,24 @@ try {
process.exit();
}
-// Test HMAC
+// PFX tests
+assert.doesNotThrow(function() {
+ crypto.createCredentials({pfx:certPfx, passphrase:'sample'});
+});
+assert.throws(function() {
+ crypto.createCredentials({pfx:certPfx});
+}, 'mac verify failure');
+
+assert.throws(function() {
+ crypto.createCredentials({pfx:certPfx, passphrase:'test'});
+}, 'mac verify failure');
+
+assert.throws(function() {
+ crypto.createCredentials({pfx:'sample', passphrase:'test'});
+}, 'not enough data');
+
+// Test HMAC
var h1 = crypto.createHmac('sha1', 'Node')
.update('some data')
.update('to hmac')

0 comments on commit fb7348a

Please sign in to comment.