tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
sam-github committed Dec 11, 2018
1 parent e5878ea commit 2e4a163
Showing 3 changed files with 10 additions and 7 deletions.
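As an added example (not code from this commit or from Node itself), the script below audits a PEM CA bundle the way the new `ca:` reader and the old one would classify its blocks: which blocks are kept, which are passed over without any error, and which carry a certificate label but no DER SEQUENCE. It assumes only the three labels the doc change in this commit lists, checks bodies no deeper than the outer DER tag, and uses a constructed bundle of placeholder DER values rather than real certificates; `parsePemBundle`, `auditCaBundle` and `summarize` are the example's own names.

```javascript
'use strict';
// Added example: a small auditor for PEM CA bundles passed as the ca: option.
// Not from this commit or from Node's source. The three accepted labels come
// from the doc change in this commit; the "before fix" set is the same list
// without "TRUSTED CERTIFICATE". The sample bundle is constructed from tiny
// DER placeholders, not real certificates.

// Labels accepted by tls.createSecureContext({ ca }) after this commit, the
// same set OpenSSL accepts when loading a CAfile.
const CA_LABELS_AFTER_FIX = new Set(['CERTIFICATE', 'X509 CERTIFICATE', 'TRUSTED CERTIFICATE']);
// Labels the pre-fix reader (PEM_read_bio_X509) accepted.
const CA_LABELS_BEFORE_FIX = new Set(['CERTIFICATE', 'X509 CERTIFICATE']);

// One PEM block; the \1 backreference forces the BEGIN and END labels to agree.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;

// Split a bundle into { label, der } entries. Whitespace inside the body is
// ignored; a body that is not valid base64 is reported rather than decoded.
function parsePemBundle(bundle) {
  const blocks = [];
  for (const m of bundle.matchAll(PEM_BLOCK)) {
    const label = m[1];
    const body = m[2].replace(/\s+/g, '');
    if (body.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(body)) {
      throw new Error(`malformed base64 in "${label}" block`);
    }
    blocks.push({ label, der: Buffer.from(body, 'base64') });
  }
  return blocks;
}

// Classify every block for a given reader:
//   accepted  - label recognised and body starts with a DER SEQUENCE (0x30),
//               the outer tag of all three certificate encodings
//   skipped   - label the reader is not looking for; OpenSSL's PEM reader moves
//               past such blocks without error, which is how a TRUSTED
//               CERTIFICATE block vanished from ca: before this fix
//   malformed - certificate label but the body does not start with a SEQUENCE
function auditCaBundle(bundle, { trustedSupported = true } = {}) {
  const accepted = trustedSupported ? CA_LABELS_AFTER_FIX : CA_LABELS_BEFORE_FIX;
  const report = { accepted: [], skipped: [], malformed: [] };
  parsePemBundle(bundle).forEach((b, index) => {
    const entry = { index, label: b.label, bytes: b.der.length };
    if (!accepted.has(b.label)) report.skipped.push(entry);
    else if (b.der[0] !== 0x30) report.malformed.push(entry);
    else report.accepted.push(entry);
  });
  return report;
}

// Constructed sample bundle: "MAMCAQE=" is the DER SEQUENCE { INTEGER 1 }
// (30 03 02 01 01) and "AgEF" is a bare INTEGER 5 (02 01 05). Neither is a
// certificate; they only exercise the label and outer-tag checks.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----', 'MAMCAQE=', '-----END CERTIFICATE-----',
  '-----BEGIN TRUSTED CERTIFICATE-----', 'MAMCAQE=', '-----END TRUSTED CERTIFICATE-----',
  '-----BEGIN X509 CERTIFICATE-----', 'AgEF', '-----END X509 CERTIFICATE-----',
  '-----BEGIN PRIVATE KEY-----', 'MAMCAQE=', '-----END PRIVATE KEY-----',
].join('\n') + '\n';

// Human-readable one-liner for a report.
function summarize(report) {
  const names = (list) => list.map((e) => `#${e.index} ${e.label}`).join(', ') || 'none';
  return `accepted: ${names(report.accepted)}; skipped: ${names(report.skipped)}; ` +
    `malformed: ${names(report.malformed)}`;
}

console.log('after fix  ->', summarize(auditCaBundle(SAMPLE_BUNDLE)));
console.log('before fix ->', summarize(auditCaBundle(SAMPLE_BUNDLE, { trustedSupported: false })));
```

Point `auditCaBundle(fs.readFileSync('ca.pem', 'utf8'), { trustedSupported: false })` at a real bundle to find the TRUSTED CERTIFICATE blocks a Node older than this change drops from the trust store without raising anything; that silent drop is what surfaced as the UNABLE_TO_GET_ISSUER_CERT_LOCALLY expectation in the old test.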
7 changes: 5 additions & 2 deletions doc/api/tls.md
@@ -1054,6 +1054,9 @@ argument.
<!-- YAML
added: v0.11.13
changes:
- version: REPLACEME
pr-url: REPLACEME
description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
- version: v11.4.0
pr-url: https://github.com/nodejs/node/pull/24405
description: The `minVersion` and `maxVersion` can be used to restrict
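Review bot: the `pr-url: REPLACEME` on the new changes entry can be filled in now from the commit message (PR-URL: #24733, i.e. https://github.com/nodejs/node/pull/24733), in the same form as the v11.4.0 entry directly below it; only `version: REPLACEME` has to wait for the release.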
@@ -1092,8 +1095,8 @@ changes:
certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be
provided.
For PEM encoded certificates, supported types are "X509 CERTIFICATE", and
"CERTIFICATE".
For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
"X509 CERTIFICATE", and "CERTIFICATE".
* `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
chain should be provided per private key. Each cert chain should consist of
the PEM formatted certificate for a provided private `key`, followed by the
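Review bot: the new sentence lists "TRUSTED CERTIFICATE" as an accepted PEM type but says nothing about the trust attributes such a block carries (the purposes set with `openssl x509 -addtrust` / `-addreject`); one clause stating whether `ca:` honours or ignores them would stop users assuming either way.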
2 changes: 1 addition & 1 deletion src/node_crypto.cc
@@ -819,7 +819,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
return;

X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
while (X509* x509 = PEM_read_bio_X509(
while (X509* x509 = PEM_read_bio_X509_AUX(
bio.get(), nullptr, NoPasswordCallback, nullptr)) {
if (cert_store == root_cert_store) {
cert_store = NewRootCertStore();
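Review bot: switching to PEM_read_bio_X509_AUX is the right minimal change (it still accepts the plain "CERTIFICATE" and "X509 CERTIFICATE" labels, so existing bundles keep working), but it also attaches the aux trust/reject settings from a TRUSTED CERTIFICATE block to the X509 that is then added to `cert_store`; since the commit claims parity with OpenSSL's CAfile loading, either cover in a test that those settings take effect during verification or state in the docs that only the certificate itself is used. Also worth confirming this is the only place `ca:` PEM is parsed, otherwise the accepted formats diverge between code paths.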
8 changes: 4 additions & 4 deletions test/parallel/test-tls-client-auth.js
@@ -254,7 +254,7 @@ connect({
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
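Review bot: the comment on this block is now identical to the one on the following test (both read "Confirm support for "BEGIN TRUSTED CERTIFICATE"."), so a reader can no longer tell the two cases apart; say in each comment which side's `ca:` (client or server) receives the TRUSTED CERTIFICATE PEM, as that is the only thing distinguishing them.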
@@ -269,11 +269,11 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
assert.ifError(err);
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
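Review bot: replacing `assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY')` with `assert.ifError(err)` only proves the handshake no longer fails; with `requestCert: true` in play, also assert that the peer ended up authorized once the connection is up, so a regression that skipped verification entirely could not pass this test too.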
@@ -288,7 +288,7 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'ECONNRESET');
assert.ifError(err);
return cleanup();
});
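Review bot: the old `ECONNRESET` expectation was the client's indirect view of the server tearing the connection down after rejecting its certificate, so dropping it is an improvement, but `assert.ifError(err)` on its own does not show that the server chained the client certificate to the TRUSTED CERTIFICATE CA; an explicit check of the server-side authorization result would close that gap.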

0 comments on commit 2e4a163