tls: support "BEGIN TRUSTED CERTIFICATE" for ca:

Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
sam-github committed Nov 30, 2018
1 parent e5878ea commit 2e4a163012d9a960f014935272cd279e5e72a93b
Showing with 10 additions and 7 deletions.
  1. +5 −2 doc/api/tls.md
  2. +1 −1 src/node_crypto.cc
  3. +4 −4 test/parallel/test-tls-client-auth.js
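As an added example (not code from this commit, from nodejs/node, or from its test suite): a pre-flight check for the three PEM labels the documentation hunk lists as accepted by the `ca:` option, plus a builder that turns a plain "CERTIFICATE" block into a "TRUSTED CERTIFICATE" block by appending a trust list in the layout I understand OpenSSL's X509_CERT_AUX to use. The function names, the regex, the DER helpers and the sample bundle are all my own; `SAMPLE_DER` is constructed placeholder DER, not a real certificate, so the example works at the PEM level only and does not call `tls.createSecureContext`.

```javascript
// Added example, not code from the nodejs/node commit: a pre-flight check for
// the PEM labels the tls `ca:` option accepts, plus a builder that turns a
// "CERTIFICATE" block into a "TRUSTED CERTIFICATE" block.

// Labels accepted by tls.createSecureContext({ ca }) per the doc change.
const CA_LABELS = new Set(['CERTIFICATE', 'X509 CERTIFICATE', 'TRUSTED CERTIFICATE']);

// The label must repeat on the END line; the body is restricted to base64 text
// so a block can never swallow the next "-----BEGIN" line.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+\/=\s]*?)\r?\n-----END \1-----/g;

// Split a bundle into { label, der } entries, in file order.
function parsePemBundle(text) {
  return Array.from(text.matchAll(PEM_BLOCK), (m) => ({
    label: m[1],
    der: Buffer.from(m[2].replace(/\s+/g, ''), 'base64'),
  }));
}

// Which blocks of a bundle will be loaded as CAs and which will be skipped.
function checkCaBundle(text) {
  const loaded = [];
  const ignored = [];
  for (const { label } of parsePemBundle(text)) {
    (CA_LABELS.has(label) ? loaded : ignored).push(label);
  }
  return { loaded, ignored };
}

function pemBlock(label, der) {
  const lines = der.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN ${label}-----\n${lines}\n-----END ${label}-----\n`;
}

// Minimal DER encoder: enough for OBJECT IDENTIFIER and SEQUENCE.
function derLen(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v >>= 8) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

function derTlv(tag, content) {
  return Buffer.concat([Buffer.from([tag]), derLen(content.length), content]);
}

function derOid(dotted) {
  const arcs = dotted.split('.').map(Number);
  const out = [arcs[0] * 40 + arcs[1]];
  for (const arc of arcs.slice(2)) {
    const chunk = [];
    let v = arc;
    do { chunk.unshift(v & 0x7f); v >>= 7; } while (v > 0);   // base-128, big-endian
    for (let i = 0; i < chunk.length - 1; i++) chunk[i] |= 0x80; // continuation bits
    out.push(...chunk);
  }
  return derTlv(0x06, Buffer.from(out));
}

// Assumed layout of what OpenSSL appends after the certificate body in a
// TRUSTED CERTIFICATE (X509_CERT_AUX):
//   SEQUENCE { trust SEQUENCE OF OBJECT IDENTIFIER OPTIONAL, ... }
// Only the `trust` member is emitted here.
function certAux(trustOids) {
  return derTlv(0x30, derTlv(0x30, Buffer.concat(trustOids.map(derOid))));
}

function toTrustedCertificatePem(certPem, trustOids) {
  const block = parsePemBundle(certPem)
    .find((b) => b.label === 'CERTIFICATE' || b.label === 'X509 CERTIFICATE');
  if (!block) throw new Error('no CERTIFICATE block in input');
  return pemBlock('TRUSTED CERTIFICATE', Buffer.concat([block.der, certAux(trustOids)]));
}

// Constructed sample input. SAMPLE_DER is placeholder DER, not a real
// certificate: the PEM-level checks above never parse the certificate body.
const SERVER_AUTH_OID = '1.3.6.1.5.5.7.3.1';
const SAMPLE_DER = Buffer.from('3003020101', 'hex');
const SAMPLE_BUNDLE =
  pemBlock('CERTIFICATE', SAMPLE_DER) +
  pemBlock('CERTIFICATE REQUEST', SAMPLE_DER) + // not a CA certificate
  toTrustedCertificatePem(pemBlock('CERTIFICATE', SAMPLE_DER), [SERVER_AUTH_OID]) +
  pemBlock('X509 CERTIFICATE', SAMPLE_DER);

console.log(checkCaBundle(SAMPLE_BUNDLE));
// { loaded: [ 'CERTIFICATE', 'TRUSTED CERTIFICATE', 'X509 CERTIFICATE' ],
//   ignored: [ 'CERTIFICATE REQUEST' ] }
```

On a real certificate, the string `toTrustedCertificatePem` returns is the kind of input this commit makes loadable through `ca:`; the equivalent file is what `openssl x509 -addtrust serverAuth -trustout` writes. The builder only attaches trust OIDs; it says nothing about whether Node's verification path honours them.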
@@ -1054,6 +1054,9 @@ argument.
<!-- YAML
added: v0.11.13
changes:
- version: REPLACEME
pr-url: REPLACEME
description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
- version: v11.4.0
pr-url: https://github.com/nodejs/node/pull/24405
description: The `minVersion` and `maxVersion` can be used to restrict
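Review bot: the new `changes:` entry still has `pr-url: REPLACEME`; only the version placeholder is filled in at release time, so the PR link should be set before landing. The commit message gives PR-URL #24733, so the entry should read `pr-url: https://github.com/nodejs/node/pull/24733`, in the same form as the v11.4.0 entry directly below it.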
@@ -1092,8 +1095,8 @@ changes:
certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be
provided.
For PEM encoded certificates, supported types are "X509 CERTIFICATE", and
"CERTIFICATE".
For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
"X509 CERTIFICATE", and "CERTIFICATE".
* `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
chain should be provided per private key. Each cert chain should consist of
the PEM formatted certificate for a provided private `key`, followed by the
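Review bot: the replacement sentence lists "TRUSTED CERTIFICATE" as an accepted type but says nothing about the trust and reject attributes such a block can carry after the certificate body; a reader who sees the label accepted may assume those attributes restrict what the CA is trusted for. Add one sentence stating whether they affect verification through `ca:` or are ignored, so the documented behaviour matches what the loader actually does.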
@@ -819,7 +819,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
return;

X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
while (X509* x509 = PEM_read_bio_X509(
while (X509* x509 = PEM_read_bio_X509_AUX(
bio.get(), nullptr, NoPasswordCallback, nullptr)) {
if (cert_store == root_cert_store) {
cert_store = NewRootCertStore();
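Review bot: switching the loop to `PEM_read_bio_X509_AUX` means the returned `X509` can now carry aux trust data parsed from the bytes after the certificate body, and that object is handed to the store in the code just below the visible context; confirm that the rest of `AddCACert` (including the copy made via `NewRootCertStore()` when `cert_store == root_cert_store`) does not assume a plain certificate. A short comment on the `while` line naming the three PEM headers `_AUX` accepts would also keep this code in step with the doc change.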
@@ -254,7 +254,7 @@ connect({
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
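Review bot: the new comment `// Confirm support for "BEGIN TRUSTED CERTIFICATE".` is word-for-word the same as the one in the next hunk, so a failure in either case will not tell the reader which configuration broke; say here which side's `ca:` option (client or server) this case exercises, and do the same in the second case.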
@@ -269,11 +269,11 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
assert.ifError(err);
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
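Review bot: `assert.ifError(err)` only checks that the handshake did not fail; the visible context shows `requestCert: true` but not whether `rejectUnauthorized` is set, and if it is false this assertion would pass even when the TRUSTED CERTIFICATE block was never loaded. Add an assertion that the peer was actually authorized, so the test fails if the block is silently skipped rather than only if it produces an error.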
@@ -288,7 +288,7 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'ECONNRESET');
assert.ifError(err);
return cleanup();
});
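Review bot: the assertion this replaces expected `ECONNRESET`, i.e. the server dropping the connection after it could not verify the client; `assert.ifError(err)` on the client callback does not by itself show that the server now verifies the client certificate through the TRUSTED CERTIFICATE block. Assert the server's view of the client certificate (its authorized state) in addition to the absence of an error, so this case checks the behaviour the old assertion was guarding.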
