From f87a4221c6da8a799e0207fd3a94c85fca7432e2 Mon Sep 17 00:00:00 2001 
From: Shigeki Ohtsu Date: Fri, 4 Nov 2016 18:19:20 +0900 Subject: [PATCH] crypto: add cert check issued by StartCom/WoSign When a TLS client connects to a server whose certificate was issued by either StartCom or WoSign, as listed in StartComAndWoSignData.inc, check the notBefore of the server certificate and return a CERT_REVOKED error if it is after 00:00:00 on October 21, 2016. For details see https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/, https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html and https://support.apple.com/en-us/HT204132 Fixes: https://github.com/nodejs/node/issues/9434 PR-URL: https://github.com/nodejs/node/pull/9469 Reviewed-By: James M Snell Reviewed-By: Fedor Indutny Reviewed-By: Ben Noordhuis --- src/StartComAndWoSignData.inc | 89 ++++++++++++++++++ src/node_crypto.cc | 44 ++++++++- test/fixtures/keys/Makefile | 68 ++++++++++++++ test/fixtures/keys/agent8-cert.pem | 20 ++++ test/fixtures/keys/agent8-csr.pem | 17 ++++ test/fixtures/keys/agent8-key.pem | 27 ++++++ test/fixtures/keys/agent8.cnf | 17 ++++ test/fixtures/keys/agent9-cert.pem | 20 ++++ test/fixtures/keys/agent9-csr.pem | 17 ++++ test/fixtures/keys/agent9-key.pem | 27 ++++++ test/fixtures/keys/agent9.cnf | 17 ++++ .../fixtures/keys/fake-startcom-root-cert.pem | 22 +++++ test/fixtures/keys/fake-startcom-root-csr.pem | 18 ++++ .../keys/fake-startcom-root-database.txt | 2 + .../keys/fake-startcom-root-database.txt.attr | 1 + .../fake-startcom-root-database.txt.attr.old | 1 + .../keys/fake-startcom-root-database.txt.old | 1 + .../fake-startcom-root-issued-certs/01.pem | 20 ++++ .../fake-startcom-root-issued-certs/02.pem | 20 ++++ test/fixtures/keys/fake-startcom-root-key.pem | 27 ++++++ test/fixtures/keys/fake-startcom-root-serial | 1 + .../keys/fake-startcom-root-serial.old | 1 + test/fixtures/keys/fake-startcom-root.cnf | 46 ++++++++++ .../test-tls-startcom-wosign-whitelist.js | 91 +++++++++++++++++++ 24 files changed, 611 
insertions(+), 3 deletions(-) create mode 100644 src/StartComAndWoSignData.inc create mode 100644 test/fixtures/keys/agent8-cert.pem create mode 100644 test/fixtures/keys/agent8-csr.pem create mode 100644 test/fixtures/keys/agent8-key.pem create mode 100644 test/fixtures/keys/agent8.cnf create mode 100644 test/fixtures/keys/agent9-cert.pem create mode 100644 test/fixtures/keys/agent9-csr.pem create mode 100644 test/fixtures/keys/agent9-key.pem create mode 100644 test/fixtures/keys/agent9.cnf create mode 100644 test/fixtures/keys/fake-startcom-root-cert.pem create mode 100644 test/fixtures/keys/fake-startcom-root-csr.pem create mode 100644 test/fixtures/keys/fake-startcom-root-database.txt create mode 100644 test/fixtures/keys/fake-startcom-root-database.txt.attr create mode 100644 test/fixtures/keys/fake-startcom-root-database.txt.attr.old create mode 100644 test/fixtures/keys/fake-startcom-root-database.txt.old create mode 100644 test/fixtures/keys/fake-startcom-root-issued-certs/01.pem create mode 100644 test/fixtures/keys/fake-startcom-root-issued-certs/02.pem create mode 100644 test/fixtures/keys/fake-startcom-root-key.pem create mode 100644 test/fixtures/keys/fake-startcom-root-serial create mode 100644 test/fixtures/keys/fake-startcom-root-serial.old create mode 100644 test/fixtures/keys/fake-startcom-root.cnf create mode 100644 test/parallel/test-tls-startcom-wosign-whitelist.js diff --git a/src/StartComAndWoSignData.inc b/src/StartComAndWoSignData.inc new file mode 100644 index 00000000000000..3ba643397c7ff9 --- /dev/null +++ b/src/StartComAndWoSignData.inc 
@@ -0,0 +1,89 @@ +// /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6 +// Using a consistent naming convention, this would actually be called +// 'CA沃通根证书DN', but since GCC 6.2.1 apparently can't handle UTF-8 +// identifiers, this will have to do. +static const uint8_t CAWoSignRootDN[72] = { + 0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11, + 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D, + 0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0C, 0x12, 0x43, 0x41, 0x20, 0xE6, 0xB2, 0x83, 0xE9, 0x80, 0x9A, 0xE6, 0xA0, + 0xB9, 0xE8, 0xAF, 0x81, 0xE4, 0xB9, 0xA6, +}; + +// /C=CN/O=WoSign CA Limited/CN=CA WoSign ECC Root +static const uint8_t CAWoSignECCRootDN[72] = { + 0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11, + 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D, + 0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x12, 0x43, 0x41, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x45, + 0x43, 0x43, 0x20, 0x52, 0x6F, 0x6F, 0x74, +}; + +// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign +static const uint8_t CertificationAuthorityofWoSignDN[87] = { + 0x30, 0x55, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11, + 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D, + 0x69, 0x74, 0x65, 0x64, 0x31, 0x2A, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x21, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 
0x6E, +}; + +// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 +static const uint8_t CertificationAuthorityofWoSignG2DN[90] = { + 0x30, 0x58, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11, + 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D, + 0x69, 0x74, 0x65, 0x64, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x24, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x47, 0x32, +}; + +// /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority +static const uint8_t StartComCertificationAuthorityDN[127] = { + 0x30, 0x7D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D, + 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E, + 0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x22, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6C, 0x20, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53, + 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, + 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, +}; + +// /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2 +static const uint8_t StartComCertificationAuthorityG2DN[85] = { + 0x30, 0x53, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D, + 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 
0x20, 0x4C, 0x74, 0x64, 0x2E, + 0x31, 0x2C, 0x30, 0x2A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74, + 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32, +}; + +struct DataAndLength { + const uint8_t* data; + uint32_t len; +}; + +static const DataAndLength StartComAndWoSignDNs[]= { + { CAWoSignRootDN, + sizeof(CAWoSignRootDN) }, + { CAWoSignECCRootDN, + sizeof(CAWoSignECCRootDN) }, + { CertificationAuthorityofWoSignDN, + sizeof(CertificationAuthorityofWoSignDN) }, + { CertificationAuthorityofWoSignG2DN, + sizeof(CertificationAuthorityofWoSignG2DN) }, + { StartComCertificationAuthorityDN, + sizeof(StartComCertificationAuthorityDN) }, + { StartComCertificationAuthorityG2DN, + sizeof(StartComCertificationAuthorityG2DN) }, +}; diff --git a/src/node_crypto.cc b/src/node_crypto.cc index b06c1d698be8c1..eac56c7ff0f419 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -17,6 +17,10 @@ // https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/ // certverifier/CNNICHashWhitelist.inc #include "CNNICHashWhitelist.inc" +// StartCom and WoSign root CA list is taken from +// https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/ +// StartComAndWoSignData.inc +#include "StartComAndWoSignData.inc" #include #include // INT_MAX 
@@ -2677,9 +2681,40 @@ inline X509* FindRoot(STACK_OF(X509)* sk) {
 }
 
 
-// Whitelist check for certs issued by CNNIC. See
+inline bool CertIsStartComOrWoSign(X509_NAME* name) {
+  const unsigned char* startcom_wosign_data;
+  X509_NAME* startcom_wosign_name;
+
+  for (const auto& dn : StartComAndWoSignDNs) {
+    startcom_wosign_data = dn.data;
+    startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
+                                         dn.len);
+    if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
+      return true;
+  }
+
+  return false;
+}
+
+// Revoke the certificates issued by StartCom or WoSign that has
+// notBefore after 00:00:00 on October 21, 2016 (1477008000 in epoch).
+inline bool CheckStartComOrWoSign(X509_NAME* root_name, X509* cert) {
+  if (!CertIsStartComOrWoSign(root_name))
+    return true;
+
+  time_t october_21_2016 = static_cast(1477008000);
+  if (X509_cmp_time(X509_get_notBefore(cert), &october_21_2016) < 0)
+    return true;
+
+  return false;
+}
+
+
+// Whitelist check for certs issued by CNNIC, StartCom and WoSign. See
 // https://blog.mozilla.org/security/2015/04/02
-// /distrusting-new-cnnic-certificates/
+// /distrusting-new-cnnic-certificates/ and
+// https://blog.mozilla.org/security/2016/10/24/
+// distrusting-new-wosign-and-startcom-certificates
 inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
   unsigned char hash[CNNIC_WHITELIST_HASH_LEN];
   unsigned int hashlen = CNNIC_WHITELIST_HASH_LEN;
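Review bot: `CertIsStartComOrWoSign` never frees the `X509_NAME` that `d2i_X509_NAME` allocates on each loop iteration, and because `CheckWhitelistedServerCert` runs for every verified server chain, each handshake leaks up to six names. The decode result is also handed to `X509_NAME_cmp` without a nullptr check; the DN blobs are static data, so a failed decode is a programming error and belongs behind `CHECK(startcom_wosign_name != nullptr)` like the file's other invariants. Freeing the name before acting on the compare result fixes both, as below. `CheckStartComOrWoSign` would also benefit from a comment that `X509_cmp_time()` returns 0 on a malformed notBefore, which falls through to `return false` and hence CHECK_CERT_REVOKED — fail-closed, but worth stating as intended. `CheckWhitelistedServerCert` continues past the end of the hunk.
```cpp
inline bool CertIsStartComOrWoSign(X509_NAME* name) {
  const unsigned char* startcom_wosign_data;
  X509_NAME* startcom_wosign_name;
  bool matched = false;

  for (const auto& dn : StartComAndWoSignDNs) {
    startcom_wosign_data = dn.data;
    startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
                                         dn.len);
    // The DN table is static; a decode failure is a bug, not a bad peer.
    CHECK(startcom_wosign_name != nullptr);
    matched = X509_NAME_cmp(name, startcom_wosign_name) == 0;
    X509_NAME_free(startcom_wosign_name);
    if (matched)
      break;
  }

  return matched;
}
// … unchanged: CheckStartComOrWoSign and the CNNIC comment block …
```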
@@ -2698,11 +2733,14 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) { root_name = X509_get_subject_name(root_cert); } + X509* leaf_cert = sk_X509_value(chain, 0); + if (!CheckStartComOrWoSign(root_name, leaf_cert)) + return CHECK_CERT_REVOKED; + // When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV // ROOT CA, check a hash of its leaf cert if it is in the whitelist. if (X509_NAME_cmp(root_name, cnnic_name) == 0 || X509_NAME_cmp(root_name, cnnic_ev_name) == 0) { - X509* leaf_cert = sk_X509_value(chain, 0); int ret = X509_digest(leaf_cert, EVP_sha256(), hash, &hashlen); CHECK(ret); diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 277734aa174562..c7390eda0eefc4 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -57,6 +57,20 @@ fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem -out fake-cnnic-root-cert.pem \ -config fake-cnnic-root.cnf +# +# Create Fake StartCom Root Certificate Authority: fake-startcom-root +# +fake-startcom-root-key.pem: + openssl genrsa -out fake-startcom-root-key.pem 2048 + +fake-startcom-root-cert.pem: fake-startcom-root.cnf \ + fake-startcom-root-key.pem + openssl req -new -x509 -days 9999 -config \ + fake-startcom-root.cnf -key fake-startcom-root-key.pem -out \ + fake-startcom-root-cert.pem + echo '01' > fake-startcom-root-serial + touch fake-startcom-root-database.txt + # # agent1 is signed by ca1. # 
@@ -254,6 +268,60 @@ agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem +# +# agent8 is signed by fake-startcom-root with notBefore +# of Oct 20 23:59:59 2016 GMT +# + +agent8-key.pem: + openssl genrsa -out agent8-key.pem 2048 + +agent8-csr.pem: agent8.cnf agent8-key.pem + openssl req -new -config agent8.cnf -key agent8-key.pem \ + -out agent8-csr.pem + +agent8-cert.pem: agent8-csr.pem + openssl ca \ + -config fake-startcom-root.cnf \ + -keyfile fake-startcom-root-key.pem \ + -cert fake-startcom-root-cert.pem \ + -batch \ + -days 9999 \ + -passin "pass:password" \ + -in agent8-csr.pem \ + -startdate 20161020235959Z \ + -notext -out agent8-cert.pem + + +agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem + openssl verify -CAfile fake-startcom-root-cert.pem \ + agent8-cert.pem + + +# +# agent9 is signed by fake-startcom-root with notBefore +# of Oct 21 00:00:01 2016 GMT +# +agent9-key.pem: + openssl genrsa -out agent9-key.pem 2048 + +agent9-csr.pem: agent9.cnf agent9-key.pem + openssl req -new -config agent9.cnf -key agent9-key.pem \ + -out agent9-csr.pem + + +agent9-cert.pem: agent9-csr.pem + openssl ca \ + -config fake-startcom-root.cnf \ + -keyfile fake-startcom-root-key.pem \ + -cert fake-startcom-root-cert.pem \ + -batch \ + -days 9999 \ + -passin "pass:password" \ + -in agent9-csr.pem \ + -startdate 20161021000001Z \ + -notext -out agent9-cert.pem + ec-key.pem: openssl ecparam -genkey -out ec-key.pem -name prime256v1 diff --git a/test/fixtures/keys/agent8-cert.pem b/test/fixtures/keys/agent8-cert.pem new file mode 100644 index 00000000000000..86de1d44a64a98 --- /dev/null +++ b/test/fixtures/keys/agent8-cert.pem 
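Review bot: agent9 gets no `agent9-verify` target, while agent7 and agent8 each have one, so the only fixture meant to trip the new check cannot be spot-checked against its issuer the same way. Mirroring agent8 with `agent9-verify: agent9-cert.pem fake-startcom-root-cert.pem` and the recipe `openssl verify -CAfile fake-startcom-root-cert.pem agent9-cert.pem` keeps the fixture targets parallel. The comment block above `agent9-key.pem` could also state that `-startdate 20161021000001Z` is deliberately one second past the cutoff, so the value is not "corrected" later.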
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjgCAQEwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV +BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp +ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g +QXV0aG9yaXR5MCAYDzIwMTYxMDIwMjM1OTU5WhcNNDQwMzIxMTAwNjM5WjBdMQsw +CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO +T0RFSlMxDzANBgNVBAsTBmFnZW50ODESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkVSP6XxWpBlSjqqavwOhpp36aFJ +qLK7fRpxR+f0PdQ9WJajDEicxwKWGFqQBE+d5BjqrAD59L2QGZQ2VOF9VLZyFz3F +9TIlkd4yt9Od0qE98yIouDBNWu7UZqvNynAe5caD5i1MgyIUQqIUOnZwM21hwqYN +N/OESf38A8Tfuvh3ALUn7zBEVyUPWIWTYPhFHSCWIsS2URZ/qDLk8GavphkqXdFB +ii3V8Th5niPtpIsRF6Qhwh8SK+s0zh53o0qkmCNpXLd/PJQQAwC70WRq7ncL4D+U +C1gnDL0j9SzojXQu31kXs8UZTa7RFnx5r+gDiA/gGrLs4IiwDJhVHMx0nQIDAQAB +MA0GCSqGSIb3DQEBCwUAA4IBAQA7iMlm+rgZnlps+LFsoXG4dGNPaOhKI9t/XBrO +6O64LLyx/FPIQSaYi130QNB7Zy0uw8xqrH6cGRTJ9RCfBFFP4rzgIX3wEAHnmwMr +i4dGEixBUIIjhw6fAVxAhrkzmgUpUt0qIP9otGgESEYXIg7bFkXIHit0Im1VOdvf ++LnUKZw9o7UEesKIDVkuAsjoKKkrsO0kdf0dgAj6Ix5xmAtBsDvkH0aOSdPfTZG6 +LQrnZf/quBotog3NmDzrvQaH8GNpTJcYNjKlxD2z0PvQUyp0FD8oCC+oD+EGv2zZ +65scEXU/n8kTmdJkCjx4nb39HttYzOlNlTgMxAfxgL7A/PcT +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/agent8-csr.pem b/test/fixtures/keys/agent8-csr.pem new file mode 100644 index 00000000000000..af749bcd1c8287 --- /dev/null +++ b/test/fixtures/keys/agent8-csr.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICxzCCAa8CAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH +EwJTRjEPMA0GA1UEChMGTk9ERUpTMQ8wDQYDVQQLEwZhZ2VudDgxEjAQBgNVBAMT +CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM5FUj+l +8VqQZUo6qmr8Doaad+mhSaiyu30acUfn9D3UPViWowxInMcClhhakARPneQY6qwA ++fS9kBmUNlThfVS2chc9xfUyJZHeMrfTndKhPfMiKLgwTVru1GarzcpwHuXGg+Yt +TIMiFEKiFDp2cDNtYcKmDTfzhEn9/APE37r4dwC1J+8wRFclD1iFk2D4RR0gliLE +tlEWf6gy5PBmr6YZKl3RQYot1fE4eZ4j7aSLERekIcIfEivrNM4ed6NKpJgjaVy3 +fzyUEAMAu9Fkau53C+A/lAtYJwy9I/Us6I10Lt9ZF7PFGU2u0RZ8ea/oA4gP4Bqy +7OCIsAyYVRzMdJ0CAwEAAaAlMCMGCSqGSIb3DQEJBzEWExRBIGNoYWxsZW5nZSBw +YXNzd29yZDANBgkqhkiG9w0BAQUFAAOCAQEAykAWr5pOZh1BMc7NZgc66J16VkjN +KM2deMQNl7r3BFB336At+zmpudnjdT/tPaH34FT/Idh/DPfiSdpuDQWDA+E7xady +S7KoKfNesPFjV4rR1WgNtoix0B5EaaNxdR8ljwL30N/LbsMDWxIK7rWyhvuw3DXr +C90PbsOTCLbW1HGItgYCQFJnpXK1O1Vx0Bo55F//oxDGVTzkUqb0lsVGHLLCg0s2 +DxX3++FqFy/NjzZ5R/k1o+WIom1PzhLXJ+cqQsqYT9kBIVHTtvTAnDM70dZ8EeSW +/O4w+gb+OSJjClz7p4DuX4idDG+0cISxBOYFPyTFlGrXQ0ZXULP4pihsUA== +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/agent8-key.pem b/test/fixtures/keys/agent8-key.pem new file mode 100644 index 00000000000000..c1773f7cff4d02 --- /dev/null +++ b/test/fixtures/keys/agent8-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAzkVSP6XxWpBlSjqqavwOhpp36aFJqLK7fRpxR+f0PdQ9WJaj +DEicxwKWGFqQBE+d5BjqrAD59L2QGZQ2VOF9VLZyFz3F9TIlkd4yt9Od0qE98yIo +uDBNWu7UZqvNynAe5caD5i1MgyIUQqIUOnZwM21hwqYNN/OESf38A8Tfuvh3ALUn +7zBEVyUPWIWTYPhFHSCWIsS2URZ/qDLk8GavphkqXdFBii3V8Th5niPtpIsRF6Qh +wh8SK+s0zh53o0qkmCNpXLd/PJQQAwC70WRq7ncL4D+UC1gnDL0j9SzojXQu31kX +s8UZTa7RFnx5r+gDiA/gGrLs4IiwDJhVHMx0nQIDAQABAoIBAHHp5KdT3Ht4XQfm +aDEXLGp3qhtzQDuTIWnQjZj5Z3Ax4wMmhbsF6tcY/Y1LjldjJL5QaGE/VMstWQRX +Tr4HnXCIJW/iZI2p+Qean4XXr0QgWhcI2VYHDuFWHiTpYogW7WlV/YfDooqU6n12 +BxfWStaL5L5bd9dbe8ZlJqVqN2iISfqGNIz9YKM04rHycTcicNmf0J0smkHlnHJE +ROQR73IXjDDOmkwdG75qyGRBQ0j0KEDu//n1axcOKf48F+8BQk2PFMq+RhkGGqJD +zTQK3kB33HRWeNWbykLPzYGcPtSlvaecCTc/q9wbbxh5AFlvSrPz3VzdRHECocM3 +v/o2vqECgYEA/uZib1ZYczuihcvLKxo8e/IBNYUKUcyosHDqAmJ5q8Y+Vg35ACfM +mJAhT1SXXAmm2tHuTnztfLDMQAOGVItuf5U8nuJYuWrvhMCtBT40XPeUVPD8b2D1 +9y5EipiB7huH8kMb1aAPUNgQhmqT93+4qcGf6PcNTkk6uHCCXFZEc7UCgYEAzyk1 +/T+Ah3p9+c1s+AjqkWj3Qa9lOKclJOT2O88AG+4fGQhSdUvkLDAMX3L6ri3gVZzr +wH3DJIwJx1uCW4eNJFVmh8AyP4SkfzQp1FqsIzBMQuPz6Hqtclh/UPx1yOe3NseO +xVM6Z5RbOOWyDaWxxbQHZnHkqSKcTB8K1lJ/XkkCgYAaStlMcrOc70HMW0ERqRsk +DcpiIt71oQ6lZIA+zrmOJly3s6lDgtdvxS4qaKdULwqu94iFQA2fFv16fOKWReuX +7WTbXq2YMpeSMe2m5Mux6ze5q0HemznDzVn0kdaVIPHc418zodbyl9bchpHMrbf2 +iqpb9V/B+3u7Gp/Xtm5JIQKBgBFrjr2wBFfgJg3Gh35ICamWoQwl+qYL8CStGEOp +QYIXwQey2nRAoHxSwgeYvJm/A9lPK8fxC2LcX8oi2NBnkqfWgpuxvsf2mHqV4VqZ +EVaYLiGF17HZ9xHhfTtLL4Boc9CocUoImKWzJQSg1BsvrsZIQEMOGsNaRLhl99xT +7Z/5AoGBAIxgzOGLVVrIv8vRc4YouPf0OGBmUawnEZxYVD1Mo4Tt97XjxH93B1iz +hof62zDCL7WEdKuwnOs1towBmLjC7qrAbkUgNVYmI5sG9c8+1NKClTOJGsHHiMLF +n8GxnsNU5FVTmJ/PZfOU+eru7uDYZHTkii0tkaHWUzg13pkhka5E +-----END RSA PRIVATE KEY----- diff --git a/test/fixtures/keys/agent8.cnf b/test/fixtures/keys/agent8.cnf new file mode 100644 index 00000000000000..bb50a0e7199283 --- /dev/null +++ b/test/fixtures/keys/agent8.cnf 
@@ -0,0 +1,17 @@ +[ req ] +default_bits = 2048 +days = 999 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no + +[ req_distinguished_name ] +C = US +ST = CA +L = SF +O = NODEJS +OU = agent8 +CN = localhost + +[ req_attributes ] +challengePassword = A challenge password diff --git a/test/fixtures/keys/agent9-cert.pem b/test/fixtures/keys/agent9-cert.pem new file mode 100644 index 00000000000000..196922986cdb6e --- /dev/null +++ b/test/fixtures/keys/agent9-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjgCAQIwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV +BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp +ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g +QXV0aG9yaXR5MCAYDzIwMTYxMDIxMDAwMDAxWhcNNDQwMzIxMTAwNzAyWjBdMQsw +CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO +T0RFSlMxDzANBgNVBAsTBmFnZW50OTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApT6nASSx9e2i/t0aHSd9BxMRD92o +33/iaiXWzBOKMJp7jxCWAg6SnpjrFsyjTxaAqg+e1zlm10YBT6DholstffzQqK2x +TKGVOQK4jxX23wJlrn5mDk0fagBtY49L1KFy8DxJqKgt7uxz61GGUWwKWXG7Vnga +bkqDd9o3ZF7bOq7mMQvfDzPrwYI8uTjTxR8R19uxNNOGtHMTnwvDeczTmtTox8U+ +4N2hN2scDZvRBx5aQAtnXRyZhAokAJMYojinx9iqlVFQi3ct52LIhsca6ympfDc2 +0yA4aSVfoW7NlqsnvrTOV4nt3UbrxGGpiE7Em8Hdcw2EMF+jqCTLGtsqYQIDAQAB +MA0GCSqGSIb3DQEBCwUAA4IBAQCMjKFycVQh7Puz/FpQh3NhJ99Ic3rzr+3nAKFD +4Kcl3L8szH3zjLCw46/y2jqPiAbg2zg9miYkI/2W/G+m2VQEQvp2SwjVr/Rj2Soe +iTonruUpDFF7LG01q3kpZ7nYWRGvVgn5D9BGk4/SWuzxiWRdwlzJf2e8cXLExVS0 +0CgRsb5nRoZ+RZmVIrGMfIi8CI7uTlcHtQzD7B7gpHtOSMlQoSSeqOy6F498duvl +QhhQhJBxmjSegw/lawWQSDFArJimK/rwyb6ZFbRfBgg6o/k5W9G5l0oG5abQMp+/ +u8Fd+QUNwR6OovE0AqL6wNHCnqzNnihTL6/hRVer6i5Hfxmb +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/agent9-csr.pem b/test/fixtures/keys/agent9-csr.pem new file mode 100644 index 00000000000000..bba87d631f15b3 --- /dev/null +++ b/test/fixtures/keys/agent9-csr.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICxzCCAa8CAQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH +EwJTRjEPMA0GA1UEChMGTk9ERUpTMQ8wDQYDVQQLEwZhZ2VudDkxEjAQBgNVBAMT +CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKU+pwEk +sfXtov7dGh0nfQcTEQ/dqN9/4mol1swTijCae48QlgIOkp6Y6xbMo08WgKoPntc5 +ZtdGAU+g4aJbLX380KitsUyhlTkCuI8V9t8CZa5+Zg5NH2oAbWOPS9ShcvA8Saio +Le7sc+tRhlFsCllxu1Z4Gm5Kg3faN2Re2zqu5jEL3w8z68GCPLk408UfEdfbsTTT +hrRzE58Lw3nM05rU6MfFPuDdoTdrHA2b0QceWkALZ10cmYQKJACTGKI4p8fYqpVR +UIt3LediyIbHGuspqXw3NtMgOGklX6FuzZarJ760zleJ7d1G68RhqYhOxJvB3XMN +hDBfo6gkyxrbKmECAwEAAaAlMCMGCSqGSIb3DQEJBzEWExRBIGNoYWxsZW5nZSBw +YXNzd29yZDANBgkqhkiG9w0BAQUFAAOCAQEAKlz52i1TpqNFQQu2YCl2YlTKbu2s ++92Qq+9b8wKoTweEFxDYtfq8d6rgYtetDbJDh+CDSjG3REINHtbPB0BjFdmZq/Q6 +7JHLjmWKacmhaZJIp6xtrAX93qXYfbqH2S/DNSAO1e1sUa/gKL+wuVcrM8My7mzo +cMEgc7mHJCbSjYIcYPELas+rADoCE4mgiX8wwYQjFqxj/cdlcMzVS3ZuARAiPzA7 +60Zk3/NnbXd/OBOcf/FvbrYIQ45eV4JlMowtcdLtxP91N5/X3BBMFsXt4mPoXETC +V78wipSWtfiKTox1Ze7PSJsYm9E9TOYYPh9kSGizIFzrgnk9H15+Iy5Ixg== +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/agent9-key.pem b/test/fixtures/keys/agent9-key.pem new file mode 100644 index 00000000000000..1156fddfa68d4b --- /dev/null +++ b/test/fixtures/keys/agent9-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEApT6nASSx9e2i/t0aHSd9BxMRD92o33/iaiXWzBOKMJp7jxCW +Ag6SnpjrFsyjTxaAqg+e1zlm10YBT6DholstffzQqK2xTKGVOQK4jxX23wJlrn5m +Dk0fagBtY49L1KFy8DxJqKgt7uxz61GGUWwKWXG7VngabkqDd9o3ZF7bOq7mMQvf +DzPrwYI8uTjTxR8R19uxNNOGtHMTnwvDeczTmtTox8U+4N2hN2scDZvRBx5aQAtn +XRyZhAokAJMYojinx9iqlVFQi3ct52LIhsca6ympfDc20yA4aSVfoW7NlqsnvrTO +V4nt3UbrxGGpiE7Em8Hdcw2EMF+jqCTLGtsqYQIDAQABAoIBAE7FXAUOggry2hVW +PuGQ9mfN7f87MgpAwyTInukvk1tx+N6NEIUwfzI9QSvgJyVHW9Q1mAmO4nhSdcOI +tKaZgkkhoDIYgoE+MY04v9Ptq35JfUE+HdZJa2UziPHB2Gsm/0yH4LEWYrcXXnbZ +qQbdUt2qepxQqoDS4nLawjcFhMom24ns24eMCsFW7yrxhyvQwFKqGOKXauCpClp2 +oPXhd2wljutuIGJjMmeqMw7CuyfZMee6BsuXNWWr/kso0NaQwxKoFnGlyaOl6oUV +ypr5ADXv0NNaSqDgyfEfJedsGQul+WWnkjz6PFbWZtbG5SIKb5PCJ2aWD7mvcHdI +85BL4jUCgYEA0yPogvmlK/hSpckk/AkRtHWwjUdkgdoZzxiJV/D01y8EtB+yL46t +Gzl23Y1VtLXxn+CZdj2putS5z1Rg1LA0oMZ+TwhxGskURBPP7mym83Qn1huRcnWw +df9flCg4IwRLqI6QfsQ2Q6j549j5u8P+tqVi/yZQY0V2SGcXTXaqIksCgYEAyFpy +24+AW33ypNxr9sOIx2YQyn0UDK2K6LQYRmjwhpCZEtBdoUqKGP/9UUycM4TN9D32 +p0le+3TJVk9tVqyvwFeGBkguO/3dXD6KTsqrCfMFNj/R6QRYFEaLWjkG8EI5TXOK +a/CbhtyGaRY5QzwLRjLdEYIph3r1d2uedVzwGoMCgYEAvPV59R2u8LcAYFavvs/v +BG3/X7DxBjVGu8zdvdJrjNkLgJiNQ3qQ+bhn5MfEWEIsyESdkvCEoiwXTrHZJv+7 +WdfK2rhXYP1sIbEJefvLPj5KGJf7h1BEaJXv2AxWkSAbBfLw5kJ7vfnQClX4yk4R ++yvweSC0+OMFhK6ecDku8hkCgYAJPRJ6yV0z2tTrgTaBRHb0KuKvU6EvDHmRTWyp +IoGk0tocIfuPSm6fxH4b15qETaVpk8nh4OI+Wh5GmpcCHihkiCSn+YAYSBaDAGdE +RtgoN0qQO9UkF40wMiiO2n5VadhWl/NUEt45E8Ym5l1xmj0y2XmUKxpbIvJatV2z +L7vqnQKBgCuV47rGYLaPz+gVgwIz0PvNFgp2fdSBYYQUf70XsaEU1bQtim6q5jxd ++ePUiT65k42Iw7oLWyGtxdyxmmKgQ18i5aDNjT2SLr3RAC2BSR5Fs1W1PLi24nV6 +QW7fepI9tOBTbwbLG8ARRzx2YXrBf9PqvmDbrMiTi0WGFGlVJatX +-----END RSA PRIVATE KEY----- diff --git a/test/fixtures/keys/agent9.cnf b/test/fixtures/keys/agent9.cnf new file mode 100644 index 00000000000000..a9f5a5f16a3a10 --- /dev/null +++ b/test/fixtures/keys/agent9.cnf 
@@ -0,0 +1,17 @@ +[ req ] +default_bits = 2048 +days = 999 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no + +[ req_distinguished_name ] +C = US +ST = CA +L = SF +O = NODEJS +OU = agent9 +CN = localhost + +[ req_attributes ] +challengePassword = A challenge password diff --git a/test/fixtures/keys/fake-startcom-root-cert.pem b/test/fixtures/keys/fake-startcom-root-cert.pem new file mode 100644 index 00000000000000..b3ebbacf753d6a --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIJAKDrU4iaFPb+MA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV +BAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUg +RGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBTdGFydENvbSBD +ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjExMDQwOTUwMTNaFw00NDAzMjEw +OTUwMTNaMH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSsw +KQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYD +VQQDEyBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALvhAZtGU3u3uyB4lHn5X85XJdyPAnOY0hGc +SVMzfQ/BBEvBPkcdhJvZPLqcWTnJplsJXH+GHz9q73DbyLekdF/f6dNVcRmDjvZq +pZ6KgT8D4GmudNPMEuHs9+bqI+l5p7Mh1mEmot5JYtXvGD3UiN2ZUQ/trhf5xiJq +MEaiQHBxhJESkY+RYV2GK0njCJ2ypmtAAzyGUlNgHqxBy1PrBBqh0xbSOa2pwRyz +9u7EkYN4BCQKNCBJbOaX9rH+j836YlEHEymutjYDuYiHaOve0yJCHsQqsx7+p9aB +UxCS9mTj9q9bz9GJR9tfT04+HmQRjtSZYt7fHIixgS0vT4/6QlsCAwEAAaMQMA4w +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAiIgJ9EGWepY/Qk6n6Kcj +YQFZXeV6ugnWz96sxYc0xmo/XNkYQFLxVneyWanlUxAbvScEdC8rJ5rUrwVMhfaS +goneP2Otjcg0XcMrsf5RaJk0H8uGUdvdgWUHO85pseMOFgqXxJgEux7wcFS41qhw +thc/obZ5keOPJf3tsOffV5OJc6owwgaviz3RNFRJUleZU5r3swjWIEDK89sz9q+S +qcwostbKRrEcjyltblhFKR9s4Qyn9FYWntPApFHq7M0/jA/4iiHRcltFfc19mslb +lhRBZZ/vds3VEtfs7uPhcodXBTv5d5xUk6pybSSFhKTTtHc8OpdvbM+5LchzTc23 +pA== +-----END CERTIFICATE----- 
diff --git a/test/fixtures/keys/fake-startcom-root-csr.pem b/test/fixtures/keys/fake-startcom-root-csr.pem new file mode 100644 index 00000000000000..56da4e65b4a4fe --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-csr.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC5zCCAc8CAQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0 +ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcx +KTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAww1iG1Oq6uIEN5u4W0jWnDFvaKGp +R6XSYPK3D1VJTqr7XUfzbVG2Acc5B7WTmerFsxOADXe8kpC3U6QxcyLvMv90Bpju +dasttLnoBU2XqJxWTpmJyM8RfbSZEKfNIdKzG2uQQVHIJOV/bm6yhQIT2cDKNZDx +M0OPiCeeQMezD4/Y98zFDyWjTI2zW6kyBzdjPSLJ3DMJs+4EC6LJhKrp9kBbJHhU +QdIrQ1C3ycJ0lKv8uV8xWsgz/CsPkp92H/iUDxBnFgMcdFmgt/XgPDf1Q9ipfq7B +5Ef8RlQuDsqer+/UPOXLHWHtE+5QbkL4hzCjJEszkl5QbSPdiK1rcIkEvQIDAQAB +oCUwIwYJKoZIhvcNAQkHMRYTFEEgY2hhbGxlbmdlIHBhc3N3b3JkMA0GCSqGSIb3 +DQEBCwUAA4IBAQCwvK3cFAA9ShrFNhSuZ//xFgrXxqQXS4o571jDCLYh+QAgcRUU +ATPM0GQ4CKUR3gWD14Ji922PiVZCpKgvkEVrvMYq6jgydT2urki0hL/po7msdnLQ +2FWMwgpINaTmhmUNBxHBQbopW4HWDzcCfSQwGN/iCElNmawXGIN1LRcDAl08h/cW +hTP9agZXpmoZ2wHg+ZRHcJwJm4QL4Rm7JfyNN3fZWUFgn3Pfkwgiu9PMhU92KRU/ +5PJ3tcyw9qSQJsw6CPuijRI9kaKdFIj6BsOGmsSyYq9OoqtlfqXqgXXv3XfKQmmh +Hntg6KSQhReXDHCSTgtBZFa6+kwg3mgr8I7N +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/fake-startcom-root-database.txt b/test/fixtures/keys/fake-startcom-root-database.txt new file mode 100644 index 00000000000000..b1f582201ae32d --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-database.txt @@ -0,0 +1,2 @@ +V 440321100639Z 01 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent8/CN=localhost +V 440321100702Z 02 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent9/CN=localhost diff --git a/test/fixtures/keys/fake-startcom-root-database.txt.attr b/test/fixtures/keys/fake-startcom-root-database.txt.attr new file mode 100644 index 00000000000000..8f7e63a3475ce8 --- /dev/null 
+++ b/test/fixtures/keys/fake-startcom-root-database.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/test/fixtures/keys/fake-startcom-root-database.txt.attr.old b/test/fixtures/keys/fake-startcom-root-database.txt.attr.old new file mode 100644 index 00000000000000..8f7e63a3475ce8 --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-database.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/test/fixtures/keys/fake-startcom-root-database.txt.old b/test/fixtures/keys/fake-startcom-root-database.txt.old new file mode 100644 index 00000000000000..66c1d034dd47cd --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-database.txt.old @@ -0,0 +1 @@ +V 440321100639Z 01 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent8/CN=localhost diff --git a/test/fixtures/keys/fake-startcom-root-issued-certs/01.pem b/test/fixtures/keys/fake-startcom-root-issued-certs/01.pem new file mode 100644 index 00000000000000..86de1d44a64a98 --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-issued-certs/01.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjgCAQEwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV +BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp +ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g +QXV0aG9yaXR5MCAYDzIwMTYxMDIwMjM1OTU5WhcNNDQwMzIxMTAwNjM5WjBdMQsw +CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO +T0RFSlMxDzANBgNVBAsTBmFnZW50ODESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkVSP6XxWpBlSjqqavwOhpp36aFJ +qLK7fRpxR+f0PdQ9WJajDEicxwKWGFqQBE+d5BjqrAD59L2QGZQ2VOF9VLZyFz3F +9TIlkd4yt9Od0qE98yIouDBNWu7UZqvNynAe5caD5i1MgyIUQqIUOnZwM21hwqYN +N/OESf38A8Tfuvh3ALUn7zBEVyUPWIWTYPhFHSCWIsS2URZ/qDLk8GavphkqXdFB +ii3V8Th5niPtpIsRF6Qhwh8SK+s0zh53o0qkmCNpXLd/PJQQAwC70WRq7ncL4D+U +C1gnDL0j9SzojXQu31kXs8UZTa7RFnx5r+gDiA/gGrLs4IiwDJhVHMx0nQIDAQAB +MA0GCSqGSIb3DQEBCwUAA4IBAQA7iMlm+rgZnlps+LFsoXG4dGNPaOhKI9t/XBrO +6O64LLyx/FPIQSaYi130QNB7Zy0uw8xqrH6cGRTJ9RCfBFFP4rzgIX3wEAHnmwMr +i4dGEixBUIIjhw6fAVxAhrkzmgUpUt0qIP9otGgESEYXIg7bFkXIHit0Im1VOdvf ++LnUKZw9o7UEesKIDVkuAsjoKKkrsO0kdf0dgAj6Ix5xmAtBsDvkH0aOSdPfTZG6 +LQrnZf/quBotog3NmDzrvQaH8GNpTJcYNjKlxD2z0PvQUyp0FD8oCC+oD+EGv2zZ +65scEXU/n8kTmdJkCjx4nb39HttYzOlNlTgMxAfxgL7A/PcT +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/fake-startcom-root-issued-certs/02.pem b/test/fixtures/keys/fake-startcom-root-issued-certs/02.pem new file mode 100644 index 00000000000000..196922986cdb6e --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-issued-certs/02.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjgCAQIwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNV +BAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRp +ZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24g +QXV0aG9yaXR5MCAYDzIwMTYxMDIxMDAwMDAxWhcNNDQwMzIxMTAwNzAyWjBdMQsw +CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZO +T0RFSlMxDzANBgNVBAsTBmFnZW50OTESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApT6nASSx9e2i/t0aHSd9BxMRD92o +33/iaiXWzBOKMJp7jxCWAg6SnpjrFsyjTxaAqg+e1zlm10YBT6DholstffzQqK2x +TKGVOQK4jxX23wJlrn5mDk0fagBtY49L1KFy8DxJqKgt7uxz61GGUWwKWXG7Vnga +bkqDd9o3ZF7bOq7mMQvfDzPrwYI8uTjTxR8R19uxNNOGtHMTnwvDeczTmtTox8U+ +4N2hN2scDZvRBx5aQAtnXRyZhAokAJMYojinx9iqlVFQi3ct52LIhsca6ympfDc2 +0yA4aSVfoW7NlqsnvrTOV4nt3UbrxGGpiE7Em8Hdcw2EMF+jqCTLGtsqYQIDAQAB +MA0GCSqGSIb3DQEBCwUAA4IBAQCMjKFycVQh7Puz/FpQh3NhJ99Ic3rzr+3nAKFD +4Kcl3L8szH3zjLCw46/y2jqPiAbg2zg9miYkI/2W/G+m2VQEQvp2SwjVr/Rj2Soe +iTonruUpDFF7LG01q3kpZ7nYWRGvVgn5D9BGk4/SWuzxiWRdwlzJf2e8cXLExVS0 +0CgRsb5nRoZ+RZmVIrGMfIi8CI7uTlcHtQzD7B7gpHtOSMlQoSSeqOy6F498duvl +QhhQhJBxmjSegw/lawWQSDFArJimK/rwyb6ZFbRfBgg6o/k5W9G5l0oG5abQMp+/ +u8Fd+QUNwR6OovE0AqL6wNHCnqzNnihTL6/hRVer6i5Hfxmb +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/fake-startcom-root-key.pem b/test/fixtures/keys/fake-startcom-root-key.pem new file mode 100644 index 00000000000000..d8f727d2be6780 --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAu+EBm0ZTe7e7IHiUeflfzlcl3I8Cc5jSEZxJUzN9D8EES8E+ +Rx2Em9k8upxZOcmmWwlcf4YfP2rvcNvIt6R0X9/p01VxGYOO9mqlnoqBPwPgaa50 +08wS4ez35uoj6XmnsyHWYSai3kli1e8YPdSI3ZlRD+2uF/nGImowRqJAcHGEkRKR +j5FhXYYrSeMInbKma0ADPIZSU2AerEHLU+sEGqHTFtI5ranBHLP27sSRg3gEJAo0 +IEls5pf2sf6PzfpiUQcTKa62NgO5iIdo697TIkIexCqzHv6n1oFTEJL2ZOP2r1vP +0YlH219PTj4eZBGO1Jli3t8ciLGBLS9Pj/pCWwIDAQABAoIBAFOQL2O9stH7FTrL +Btb9iJRBBLEF1oRNu1lj1uUvqHdCVUPQbn+47EtZIv6pHbJrMxeYoVCC+hD94gOj +bbHobm5aLCj3/rbnYcXOB13torDBa6X1lzbAtMFR4a0OBO0KVAGDklNhmN0fbNtU +XcbaagmN8JUSFPXK/Uo/SruP3PNldfPVtf/EnBlK4LOI5/WDyiwLQxlVf389poKp +wXwhVgL9Kh0uzxD31HH0NOL+D1KOI6j7gNrOAOZFFGTwVAtQFI28wIwftKf3qicQ +TZvV/O+Aw+oIZsOfX9Pg6dNehhEC25F6UcGrX7b7fI/Rbx6L/VxfjMHfbvsUtTxz +iwW1H5ECgYEA85U2LiBicAB4QkclUHjLPrPl7W0bDvKFKJkxXJ44y/ziFjOhksuF +J1xYXhVhP7mdXwGVlt2X9PSjkW06I+DFqi2IbGDBqJ/0hJrAr/+5J5OySCFlx2kC +TwIAYJIud0Vgk8FdToijOKq8I3KFmUsc6k0UMmCdCy4HXz0Qy3RqsekCgYEAxXTZ +3orr/ItfjVFz9bkcNUMutRVvsyewYJOemgaejdSHLYl8lTcLQDLSnA/Sd7JtXOyS +3M7GVpiBZqW15UJry5fpkRNhqOXqXz6/Hp9E3hG9RnS2EkZDR2vIrRwa3o6zKq8P +XYOOOzjdYq881khhRhafXCon0XvLdZAsOKfDQ6MCgYEAqsDw6Ej/eLB7nUqul8j2 +AZCvIE+Z5lKQkjNB7UFlY2p1O0cafwN45mzP7bRjJf8CmPVNXiMdQTS17V56oWgS +aQfeWMtDNuhayxKI/Vfw/hOFqRbweGfenHA0v336YNYbq7ijpkgW08SsetTvXtTP +AljiTaZ4sLulo1f1jAqiOPECgYA1CgJL6P0ixT1RdIO1iZeuJvGw6qUqdorGJmD/ +9q84YdI9xSSV4EdBY2V3Tji2tlLyFwoMDe7w6942eGS3xHO4KIIw2gftmnSuSOiF +jTqufA1fk5IkroL7+FPbTCVbivFNkeCKuf/GoKu3CmNJHAAlF4aO9zPi7WHlnmiC +f23QCQKBgET2u4cPsUAZJ8utCyQ+ZhKJUTcYDN/Nlpd/yVC+dS9BZAc2tH1EfRN2 +pxSzm9Qgd6Cjc7cVJ/T745b85nbPjd1MsOgvPCKr0TFARmlGpu4RtKEHrROSaahX +7vR7HiYqhbeYlVRz9lZ5N+J1BT7sq7+Rond89UtL/O7g0wEs/N3V +-----END RSA PRIVATE KEY----- diff --git a/test/fixtures/keys/fake-startcom-root-serial b/test/fixtures/keys/fake-startcom-root-serial new file mode 100644 index 00000000000000..75016ea3625245 --- /dev/null +++ b/test/fixtures/keys/fake-startcom-root-serial @@ -0,0 +1 @@ +03 
diff --git a/test/fixtures/keys/fake-startcom-root-serial.old b/test/fixtures/keys/fake-startcom-root-serial.old
new file mode 100644
index 00000000000000..9e22bcb8e34408
--- /dev/null
+++ b/test/fixtures/keys/fake-startcom-root-serial.old
@@ -0,0 +1 @@
+02
diff --git a/test/fixtures/keys/fake-startcom-root.cnf b/test/fixtures/keys/fake-startcom-root.cnf
new file mode 100644
index 00000000000000..d6a9557bc8778d
--- /dev/null
+++ b/test/fixtures/keys/fake-startcom-root.cnf
@@ -0,0 +1,46 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+name_opt = CA_default
+cert_opt = CA_default
+default_crl_days = 999
+default_md = sha256
+database = fake-startcom-root-database.txt
+serial = fake-startcom-root-serial
+private_key = fake-startcom-root-key.pem
+certificate = fake-startcom-root-cert.pem
+new_certs_dir = fake-startcom-root-issued-certs
+email_in_dn = no
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = password
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = IL
+O = StartCom Ltd.
+OU = Secure Digital Certificate Signing
+CN = StartCom Certification Authority
+
+[ req_attributes ]
+challengePassword = A challenge password
+
+[ v3_ca ]
+basicConstraints = CA:TRUE
diff --git a/test/parallel/test-tls-startcom-wosign-whitelist.js b/test/parallel/test-tls-startcom-wosign-whitelist.js
new file mode 100644
index 00000000000000..fd20e0d8e9745c
--- /dev/null
+++ b/test/parallel/test-tls-startcom-wosign-whitelist.js
@@ -0,0 +1,91 @@ +'use strict'; +const common = require('../common'); +const assert = require('assert'); + +if (!common.hasCrypto) { + common.skip('missing crypto'); + return; +} + +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); +let finished = 0; + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', n + '.pem'); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const testCases = [ + { // agent8 is signed by fake-startcom-root with notBefore of + // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check. + serverOpts: { + key: loadPEM('agent8-key'), + cert: loadPEM('agent8-cert') + }, + clientOpts: { + ca: loadPEM('fake-startcom-root-cert'), + port: undefined, + rejectUnauthorized: true + }, + errorCode: 'CERT_OK' + }, + { // agent9 is signed by fake-startcom-root with notBefore of + // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check. + serverOpts: { + key: loadPEM('agent9-key'), + cert: loadPEM('agent9-cert') + }, + clientOpts: { + ca: loadPEM('fake-startcom-root-cert'), + port: undefined, + rejectUnauthorized: true + }, + errorCode: 'CERT_REVOKED' + } +]; + + +function runNextTest(server, tindex) { + server.close(function() { + finished++; + runTest(tindex + 1); + }); +} + + +function runTest(tindex) { + const tcase = testCases[tindex]; + + if (!tcase) return; + + const server = tls.createServer(tcase.serverOpts, function(s) { + s.resume(); + }).listen(0, function() { + tcase.clientOpts.port = this.address().port; + const client = tls.connect(tcase.clientOpts); + client.on('error', function(e) { + assert.strictEqual(e.code, tcase.errorCode); + runNextTest(server, tindex); + }); + + client.on('secureConnect', function() { + // agent8 can pass StartCom/WoSign check so that the secureConnect + // is established. 
+ assert.strictEqual(tcase.errorCode, 'CERT_OK'); + client.end(); + runNextTest(server, tindex); + }); + }); +} + + +runTest(0); + +process.on('exit', function() { + assert.strictEqual(finished, testCases.length); +});
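Review bot: The cutoff instant itself is never exercised: `testCases` only has agent8 (notBefore Oct 20 23:59:59 2016 GMT, expects `CERT_OK`) and agent9 (Oct 21 00:00:01 2016 GMT, expects `CERT_REVOKED`), so whether a certificate with notBefore of exactly Oct 21 00:00:00 2016 GMT is accepted or revoked is left to the implementation and could silently change; a third fixture issued at that exact second, with the expected code stated in its comment, would pin the boundary described in the commit message. Both cases also chain to the same `fake-startcom-root-cert`, so the WoSign entries in `StartComAndWoSignData.inc` are presumably reached through the same code path but have no coverage here; a note such as `// Only the StartCom issuer is exercised; WoSign entries are assumed to share the same check.` in the test header would at least make that gap explicit. In `runTest`, the `'error'` handler asserts `e.code` against `tcase.errorCode` and calls `runNextTest` unconditionally, so a socket error arriving after `secureConnect` in the agent8 case would both fail the assertion with a misleading message and advance `finished` twice; guarding with a per-case "already settled" flag, or asserting `e.code === 'CERT_REVOKED'` only before `secureConnect` has fired, would make the failure mode clearer.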