Skip to content

Commit

Permalink
tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Browse files Browse the repository at this point in the history
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  • Loading branch information
sam-github authored and BethGriggs committed Dec 17, 2018
1 parent 016e352 commit 390e050
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 7 deletions.
7 changes: 5 additions & 2 deletions doc/api/tls.md
Original file line number Diff line number Diff line change
Expand Up @@ -1054,6 +1054,9 @@ argument.
<!-- YAML
added: v0.11.13
changes:
- version: REPLACEME
pr-url: REPLACEME
description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
- version: v11.4.0
pr-url: https://github.com/nodejs/node/pull/24405
description: The `minVersion` and `maxVersion` can be used to restrict
Expand Down Expand Up @@ -1092,8 +1095,8 @@ changes:
certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be
provided.
For PEM encoded certificates, supported types are "X509 CERTIFICATE", and
"CERTIFICATE".
For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
"X509 CERTIFICATE", and "CERTIFICATE".
* `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
chain should be provided per private key. Each cert chain should consist of
the PEM formatted certificate for a provided private `key`, followed by the
Expand Down
2 changes: 1 addition & 1 deletion src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -801,7 +801,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
return;

X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
while (X509* x509 = PEM_read_bio_X509(
while (X509* x509 = PEM_read_bio_X509_AUX(
bio.get(), nullptr, NoPasswordCallback, nullptr)) {
if (cert_store == root_cert_store) {
cert_store = NewRootCertStore();
Expand Down
8 changes: 4 additions & 4 deletions test/parallel/test-tls-client-auth.js
Original file line number Diff line number Diff line change
Expand Up @@ -254,7 +254,7 @@ connect({
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
Expand All @@ -269,11 +269,11 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
assert.ifError(err);
return cleanup();
});

// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
// Confirm support for "BEGIN TRUSTED CERTIFICATE".
connect({
client: {
key: client.key,
Expand All @@ -288,7 +288,7 @@ connect({
requestCert: true,
},
}, function(err, pair, cleanup) {
assert.strictEqual(err.code, 'ECONNRESET');
assert.ifError(err);
return cleanup();
});

Expand Down

0 comments on commit 390e050

Please sign in to comment.