From c3dd21b7a0032a20b1cd3d8a587b519ed1e5ade9 Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Mon, 25 Jan 2021 16:38:51 -0800
Subject: [PATCH] tls: add ability to get cert/peer cert as X509Certificate
 object

Signed-off-by: James M Snell <jasnell@gmail.com>
---
 doc/api/crypto.md                             | 10 ++++
 doc/api/tls.md                                | 24 ++++++++
 lib/_tls_wrap.js                              | 13 ++++
 lib/internal/crypto/x509.js                   | 29 ++++++---
 src/crypto/crypto_tls.cc                      | 26 ++++++++
 src/crypto/crypto_tls.h                       |  4 ++
 src/crypto/crypto_x509.cc                     | 60 +++++++++++--------
 src/crypto/crypto_x509.h                      | 13 ++--
 test/parallel/test-tls-getcertificate-x509.js | 43 +++++++++++++
 9 files changed, 183 insertions(+), 39 deletions(-)
 create mode 100644 test/parallel/test-tls-getcertificate-x509.js

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 4afb6d27d38706..03f34a29a12cc4 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -1804,6 +1804,16 @@ added: v15.6.0
 
 The issuer identification included in this certificate.
 
+### `x509.issuerCertificate`
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {X509Certificate}
+
+The issuer certificate (if known). Will be `undefined` if the issuer
+certificate is not available.
+
 ### `x509.keyUsage`
 <!-- YAML
 added: v15.6.0
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 2c8414f2988c9c..7843d99882c439 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1213,6 +1213,30 @@ It may be useful for debugging.
 
 See [Session Resumption][] for more information.
 
+### `tlsSocket.getPeerX509Certificate()`
+<!-- YAML
+added: REPLACEME
+-->
+
+* Returns: {X509Certificate}
+
+Returns the peer certificate as an {X509Certificate} object.
+
+If there is no peer certificate, or the socket has been destroyed,
+`undefined` will be returned.
+
+### `tlsSocket.getX509Certificate()`
+<!-- YAML
+added: REPLACEME
+-->
+
+* Returns: {X509Certificate}
+
+Returns the local certificate as an {X509Certificate} object.
+
+If there is no local certificate, or the socket has been destroyed,
+`undefined` will be returned.
+
 ### `tlsSocket.isSessionReused()`
 <!-- YAML
 added: v0.5.6
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index b5fbe4d36b2578..0ec69c25711558 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -89,6 +89,9 @@ const {
   validateBuffer,
   validateUint32
 } = require('internal/validators');
+const {
+  InternalX509Certificate
+} = require('internal/crypto/x509');
 const traceTls = getOptionValue('--trace-tls');
 const tlsKeylog = getOptionValue('--tls-keylog');
 const { appendFile } = require('fs');
@@ -999,6 +1002,16 @@ TLSSocket.prototype.getCertificate = function() {
   return null;
 };
 
+TLSSocket.prototype.getPeerX509Certificate = function(detailed) {
+  const cert = this._handle?.getPeerX509Certificate();
+  return cert ? new InternalX509Certificate(cert) : undefined;
+};
+
+TLSSocket.prototype.getX509Certificate = function() {
+  const cert = this._handle?.getX509Certificate();
+  return cert ? new InternalX509Certificate(cert) : undefined;
+};
+
 // Proxy TLSSocket handle methods
 function makeSocketMethodProxy(name) {
   return function socketMethodProxy(...args) {
diff --git a/lib/internal/crypto/x509.js b/lib/internal/crypto/x509.js
index e925236bd7be3d..ff8e6086576662 100644
--- a/lib/internal/crypto/x509.js
+++ b/lib/internal/crypto/x509.js
@@ -90,6 +90,15 @@ function getFlags(options = {}) {
   return flags;
 }
 
+class InternalX509Certificate extends JSTransferable {
+  [kInternalState] = new SafeMap();
+
+  constructor(handle) {
+    super();
+    this[kHandle] = handle;
+  }
+}
+
 class X509Certificate extends JSTransferable {
   [kInternalState] = new SafeMap();
 
@@ -168,6 +177,17 @@ class X509Certificate extends JSTransferable {
     return value;
   }
 
+  get issuerCertificate() {
+    let value = this[kInternalState].get('issuerCertificate');
+    if (value === undefined) {
+      const cert = this[kHandle].getIssuerCert();
+      if (cert)
+        value = new InternalX509Certificate(this[kHandle].getIssuerCert());
+      this[kInternalState].set('issuerCertificate', value);
+    }
+    return value;
+  }
+
   get infoAccess() {
     let value = this[kInternalState].get('infoAccess');
     if (value === undefined) {
@@ -313,15 +333,6 @@ class X509Certificate extends JSTransferable {
   }
 }
 
-class InternalX509Certificate extends JSTransferable {
-  [kInternalState] = new SafeMap();
-
-  constructor(handle) {
-    super();
-    this[kHandle] = handle;
-  }
-}
-
 InternalX509Certificate.prototype.constructor = X509Certificate;
 ObjectSetPrototypeOf(
   InternalX509Certificate.prototype,
diff --git a/src/crypto/crypto_tls.cc b/src/crypto/crypto_tls.cc
index 52e57ab9862021..398509bc5cefe6 100644
--- a/src/crypto/crypto_tls.cc
+++ b/src/crypto/crypto_tls.cc
@@ -1591,6 +1591,20 @@ void TLSWrap::GetPeerCertificate(const FunctionCallbackInfo<Value>& args) {
     args.GetReturnValue().Set(ret);
 }
 
+void TLSWrap::GetPeerX509Certificate(const FunctionCallbackInfo<Value>& args) {
+  TLSWrap* w;
+  ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
+  Environment* env = w->env();
+
+  X509Certificate::GetPeerCertificateFlag flag = w->is_server()
+      ? X509Certificate::GetPeerCertificateFlag::SERVER
+      : X509Certificate::GetPeerCertificateFlag::NONE;
+
+  Local<Value> ret;
+  if (X509Certificate::GetPeerCert(env, w->ssl_, flag).ToLocal(&ret))
+    args.GetReturnValue().Set(ret);
+}
+
 void TLSWrap::GetCertificate(const FunctionCallbackInfo<Value>& args) {
   TLSWrap* w;
   ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
@@ -1601,6 +1615,15 @@ void TLSWrap::GetCertificate(const FunctionCallbackInfo<Value>& args) {
     args.GetReturnValue().Set(ret);
 }
 
+void TLSWrap::GetX509Certificate(const FunctionCallbackInfo<Value>& args) {
+  TLSWrap* w;
+  ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
+  Environment* env = w->env();
+  Local<Value> ret;
+  if (X509Certificate::GetCert(env, w->ssl_).ToLocal(&ret))
+    args.GetReturnValue().Set(ret);
+}
+
 void TLSWrap::GetFinished(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
@@ -2051,11 +2074,14 @@ void TLSWrap::Initialize(
   env->SetProtoMethodNoSideEffect(t, "getALPNNegotiatedProtocol",
                                   GetALPNNegotiatedProto);
   env->SetProtoMethodNoSideEffect(t, "getCertificate", GetCertificate);
+  env->SetProtoMethodNoSideEffect(t, "getX509Certificate", GetX509Certificate);
   env->SetProtoMethodNoSideEffect(t, "getCipher", GetCipher);
   env->SetProtoMethodNoSideEffect(t, "getEphemeralKeyInfo",
                                   GetEphemeralKeyInfo);
   env->SetProtoMethodNoSideEffect(t, "getFinished", GetFinished);
   env->SetProtoMethodNoSideEffect(t, "getPeerCertificate", GetPeerCertificate);
+  env->SetProtoMethodNoSideEffect(t, "getPeerX509Certificate",
+                                  GetPeerX509Certificate);
   env->SetProtoMethodNoSideEffect(t, "getPeerFinished", GetPeerFinished);
   env->SetProtoMethodNoSideEffect(t, "getProtocol", GetProtocol);
   env->SetProtoMethodNoSideEffect(t, "getSession", GetSession);
diff --git a/src/crypto/crypto_tls.h b/src/crypto/crypto_tls.h
index 6bcd3f411c71fe..6dda31d22be8a6 100644
--- a/src/crypto/crypto_tls.h
+++ b/src/crypto/crypto_tls.h
@@ -184,12 +184,16 @@ class TLSWrap : public AsyncWrap,
   static void GetALPNNegotiatedProto(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetCertificate(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetX509Certificate(
+      const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetEphemeralKeyInfo(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetFinished(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetPeerCertificate(
       const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetPeerX509Certificate(
+      const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetPeerFinished(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetProtocol(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetServername(const v8::FunctionCallbackInfo<v8::Value>& args);
diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
index 0ea91bca877564..574a3a194de82f 100644
--- a/src/crypto/crypto_x509.cc
+++ b/src/crypto/crypto_x509.cc
@@ -15,7 +15,6 @@
 
 namespace node {
 
-using v8::Array;
 using v8::ArrayBufferView;
 using v8::Context;
 using v8::EscapableHandleScope;
@@ -82,6 +81,7 @@ Local<FunctionTemplate> X509Certificate::GetConstructorTemplate(
     env->SetProtoMethod(tmpl, "checkPrivateKey", CheckPrivateKey);
     env->SetProtoMethod(tmpl, "verify", Verify);
     env->SetProtoMethod(tmpl, "toLegacy", ToLegacy);
+    env->SetProtoMethod(tmpl, "getIssuerCert", GetIssuerCert);
     env->set_x509_constructor_template(tmpl);
   }
   return tmpl;
@@ -93,14 +93,16 @@ bool X509Certificate::HasInstance(Environment* env, Local<Object> object) {
 
 MaybeLocal<Object> X509Certificate::New(
     Environment* env,
-    X509Pointer cert) {
+    X509Pointer cert,
+    STACK_OF(X509)* issuer_chain) {
   std::shared_ptr<ManagedX509> mcert(new ManagedX509(std::move(cert)));
-  return New(env, std::move(mcert));
+  return New(env, std::move(mcert), issuer_chain);
 }
 
 MaybeLocal<Object> X509Certificate::New(
     Environment* env,
-    std::shared_ptr<ManagedX509> cert) {
+    std::shared_ptr<ManagedX509> cert,
+    STACK_OF(X509)* issuer_chain) {
   EscapableHandleScope scope(env->isolate());
   Local<Function> ctor;
   if (!GetConstructorTemplate(env)->GetFunction(env->context()).ToLocal(&ctor))
@@ -110,7 +112,7 @@ MaybeLocal<Object> X509Certificate::New(
   if (!ctor->NewInstance(env->context()).ToLocal(&obj))
     return MaybeLocal<Object>();
 
-  new X509Certificate(env, obj, std::move(cert));
+  new X509Certificate(env, obj, std::move(cert), issuer_chain);
   return scope.Escape(obj);
 }
 
@@ -122,7 +124,7 @@ MaybeLocal<Object> X509Certificate::GetCert(
   if (cert == nullptr)
     return MaybeLocal<Object>();
 
-  X509Pointer ptr(cert);
+  X509Pointer ptr(X509_dup(cert));
   return New(env, std::move(ptr));
 }
 
@@ -130,16 +132,12 @@ MaybeLocal<Object> X509Certificate::GetPeerCert(
     Environment* env,
     const SSLPointer& ssl,
     GetPeerCertificateFlag flag) {
-  EscapableHandleScope scope(env->isolate());
   ClearErrorOnReturn clear_error_on_return;
   Local<Object> obj;
   MaybeLocal<Object> maybe_cert;
 
   bool is_server =
       static_cast<int>(flag) & static_cast<int>(GetPeerCertificateFlag::SERVER);
-  bool abbreviated =
-      static_cast<int>(flag)
-      & static_cast<int>(GetPeerCertificateFlag::ABBREVIATED);
 
   X509Pointer cert(is_server ? SSL_get_peer_certificate(ssl.get()) : nullptr);
   STACK_OF(X509)* ssl_certs = SSL_get_peer_cert_chain(ssl.get());
@@ -148,23 +146,14 @@ MaybeLocal<Object> X509Certificate::GetPeerCert(
 
   std::vector<Local<Value>> certs;
 
-  if (!cert) cert.reset(sk_X509_value(ssl_certs, 0));
-  if (!X509Certificate::New(env, std::move(cert)).ToLocal(&obj))
-    return MaybeLocal<Object>();
-
-  certs.push_back(obj);
-
-  int count = sk_X509_num(ssl_certs);
-  if (!abbreviated) {
-    for (int i = 0; i < count; i++) {
-      cert.reset(X509_dup(sk_X509_value(ssl_certs, i)));
-      if (!cert || !X509Certificate::New(env, std::move(cert)).ToLocal(&obj))
-        return MaybeLocal<Object>();
-      certs.push_back(obj);
-    }
+  if (!cert) {
+    cert.reset(sk_X509_value(ssl_certs, 0));
+    sk_X509_delete(ssl_certs, 0);
   }
 
-  return scope.Escape(Array::New(env->isolate(), certs.data(), certs.size()));
+  return sk_X509_num(ssl_certs)
+      ? New(env, std::move(cert), ssl_certs)
+      : New(env, std::move(cert));
 }
 
 void X509Certificate::Parse(const FunctionCallbackInfo<Value>& args) {
@@ -475,13 +464,32 @@ void X509Certificate::ToLegacy(const FunctionCallbackInfo<Value>& args) {
     args.GetReturnValue().Set(ret);
 }
 
+void X509Certificate::GetIssuerCert(const FunctionCallbackInfo<Value>& args) {
+  X509Certificate* cert;
+  ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());
+  if (cert->issuer_cert_)
+    args.GetReturnValue().Set(cert->issuer_cert_->object());
+}
+
 X509Certificate::X509Certificate(
     Environment* env,
     Local<Object> object,
-    std::shared_ptr<ManagedX509> cert)
+    std::shared_ptr<ManagedX509> cert,
+    STACK_OF(X509)* issuer_chain)
     : BaseObject(env, object),
       cert_(std::move(cert)) {
   MakeWeak();
+
+  if (issuer_chain != nullptr && sk_X509_num(issuer_chain)) {
+    X509Pointer cert(X509_dup(sk_X509_value(issuer_chain, 0)));
+    sk_X509_delete(issuer_chain, 0);
+    Local<Object> obj = sk_X509_num(issuer_chain)
+        ? X509Certificate::New(env, std::move(cert), issuer_chain)
+            .ToLocalChecked()
+        : X509Certificate::New(env, std::move(cert))
+            .ToLocalChecked();
+    issuer_cert_.reset(Unwrap<X509Certificate>(obj));
+  }
 }
 
 void X509Certificate::MemoryInfo(MemoryTracker* tracker) const {
diff --git a/src/crypto/crypto_x509.h b/src/crypto/crypto_x509.h
index 4d46e43889b3a6..3bebc8e37d158b 100644
--- a/src/crypto/crypto_x509.h
+++ b/src/crypto/crypto_x509.h
@@ -38,7 +38,7 @@ class ManagedX509 : public MemoryRetainer {
 class X509Certificate : public BaseObject {
  public:
   enum class GetPeerCertificateFlag {
-    ABBREVIATED,
+    NONE,
     SERVER
   };
 
@@ -49,11 +49,13 @@ class X509Certificate : public BaseObject {
 
   static v8::MaybeLocal<v8::Object> New(
       Environment* env,
-      X509Pointer cert);
+      X509Pointer cert,
+      STACK_OF(X509)* issuer_chain = nullptr);
 
   static v8::MaybeLocal<v8::Object> New(
       Environment* env,
-      std::shared_ptr<ManagedX509> cert);
+      std::shared_ptr<ManagedX509> cert,
+      STACK_OF(X509)* issuer_chain = nullptr);
 
   static v8::MaybeLocal<v8::Object> GetCert(
       Environment* env,
@@ -91,6 +93,7 @@ class X509Certificate : public BaseObject {
   static void CheckPrivateKey(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Verify(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void ToLegacy(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetIssuerCert(const v8::FunctionCallbackInfo<v8::Value>& args);
 
   X509* get() { return cert_->get(); }
 
@@ -124,9 +127,11 @@ class X509Certificate : public BaseObject {
   X509Certificate(
       Environment* env,
       v8::Local<v8::Object> object,
-      std::shared_ptr<ManagedX509> cert);
+      std::shared_ptr<ManagedX509> cert,
+      STACK_OF(X509)* issuer_chain = nullptr);
 
   std::shared_ptr<ManagedX509> cert_;
+  BaseObjectPtr<X509Certificate> issuer_cert_;
 };
 
 }  // namespace crypto
diff --git a/test/parallel/test-tls-getcertificate-x509.js b/test/parallel/test-tls-getcertificate-x509.js
new file mode 100644
index 00000000000000..5be788f6793113
--- /dev/null
+++ b/test/parallel/test-tls-getcertificate-x509.js
@@ -0,0 +1,43 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fixtures = require('../common/fixtures');
+const { X509Certificate } = require('crypto');
+
+const options = {
+  key: fixtures.readKey('agent6-key.pem'),
+  cert: fixtures.readKey('agent6-cert.pem')
+};
+
+const server = tls.createServer(options, function(cleartext) {
+  cleartext.end('World');
+});
+
+server.once('secureConnection', common.mustCall(function(socket) {
+  const cert = socket.getX509Certificate();
+  assert(cert instanceof X509Certificate);
+  assert.strictEqual(
+    cert.serialNumber,
+    'D0082F458B6EFBE8');
+}));
+
+server.listen(0, common.mustCall(function() {
+  const socket = tls.connect({
+    port: this.address().port,
+    rejectUnauthorized: false
+  }, common.mustCall(function() {
+    const peerCert = socket.getPeerX509Certificate();
+    assert(peerCert.issuerCertificate instanceof X509Certificate);
+    assert.strictEqual(peerCert.issuerCertificate.issuerCertificate, undefined);
+    assert.strictEqual(
+      peerCert.issuerCertificate.serialNumber,
+      'ECC9B856270DA9A7'
+    );
+    server.close();
+  }));
+  socket.end('Hello');
+}));