diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 27fda1eef27c87..ceacd4bdc72b7c 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -1,5 +1,42 @@ -all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem agent5-cert.pem ca2-crl.pem ec-cert.pem dh512.pem dh1024.pem dh2048.pem dsa1025.pem dsa_private_1025.pem dsa_public_1025.pem rsa_private_1024.pem rsa_private_2048.pem rsa_private_4096.pem rsa_public_1024.pem rsa_public_2048.pem rsa_public_4096.pem - +all: \ + ca1-cert.pem \ + ca2-cert.pem \ + ca3-cert.pem \ + ca4-cert.pem \ + ca5-cert.pem \ + ca6-cert.pem \ + agent1-cert.pem \ + agent1.pfx \ + agent2-cert.pem \ + agent3-cert.pem \ + agent4-cert.pem \ + ca2-crl.pem \ + agent5-cert.pem \ + agent6-cert.pem \ + agent6.pfx \ + agent7-cert.pem \ + agent10-cert.pem \ + agent10.pfx \ + ec10-cert.pem \ + ec10.pfx \ + fake-cnnic-root-cert.pem \ + dh1024.pem \ + dh2048.pem \ + dh512.pem \ + dsa1025.pem \ + dsa_private_1025.pem \ + dsa_public_1025.pem \ + ec-cert.pem \ + rsa_private_1024.pem \ + rsa_private_2048.pem \ + rsa_private_4096.pem \ + rsa_public_1024.pem \ + rsa_public_2048.pem \ + rsa_public_4096.pem \ + +# 0-dns-cert.pem contains an subjectAlternativeName with an embedded NUL, and +# cannot be created with standard openssl tooling, which is why it is missing +# from this file. # # Create Certificate Authority: ca1 @@ -18,7 +55,7 @@ ca2-cert.pem: ca2.cnf touch ca2-database.txt # -# Create Subordinate Certificate Authority: ca3 +# Create Subordinate Certificate Authority: ca3 issued by ca1 # ('password' is used for the CA password.) # ca3-key.pem: 
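Review bot: The rewritten `all:` list ends with `rsa_public_4096.pem \` followed by an empty `+` line, so the final continuation swallows the blank line; GNU make tolerates that, but it is fragile (any line later added directly below would be spliced into the prerequisite list), so drop the trailing backslash on the last entry. The new paragraph about `0-dns-cert.pem` says it cannot be produced with standard openssl tooling, yet this commit also adds `dns-cert1.cnf` as a binary file, presumably the config carrying the embedded NUL that was used for it; if so, the comment should name that file, and it should read `contains a subjectAlternativeName` rather than `an`. The list still omits `agent8-cert.pem` and `agent9-cert.pem` although an agent9 recipe is visible in a later hunk of this file; whether that omission is intentional I cannot tell from here.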
@@ -43,6 +80,80 @@ ca3-cert.pem: ca3-csr.pem ca3-key.pem ca3.cnf ca1-cert.pem ca1-key.pem -CAcreateserial \ -out ca3-cert.pem +# +# Create Subordinate Certificate Authority: ca4 issued by ca2 +# ('password' is used for the CA password.) +# +ca4-key.pem: + openssl genrsa -out ca4-key.pem 1024 + +ca4-csr.pem: ca4.cnf ca4-key.pem + openssl req -new \ + -extensions v3_ca \ + -config ca4.cnf \ + -key ca4-key.pem \ + -out ca4-csr.pem + +ca4-cert.pem: ca4-csr.pem ca4-key.pem ca4.cnf ca2-cert.pem ca2-key.pem + openssl x509 -req \ + -extfile ca4.cnf \ + -extensions v3_ca \ + -days 9999 \ + -passin "pass:password" \ + -in ca4-csr.pem \ + -CA ca2-cert.pem \ + -CAkey ca2-key.pem \ + -CAcreateserial \ + -out ca4-cert.pem + +# +# Create Certificate Authority: ca5 with ECC +# ('password' is used for the CA password.) +# +ca5-key.pem: + openssl ecparam -genkey -out ca5-key.pem -name prime256v1 + +ca5-csr.pem: ca5-key.pem + openssl req -new \ + -config ca5.cnf \ + -key ca5-key.pem \ + -out ca5-csr.pem + +ca5-cert.pem: ca5.cnf ca5-key.pem ca5-csr.pem + openssl x509 -req \ + -extfile ca5.cnf \ + -days 9999 \ + -passin "pass:password" \ + -in ca5-csr.pem \ + -signkey ca5-key.pem \ + -out ca5-cert.pem + +# +# Create Subordinate Certificate Authority: ca6 issued by ca5 with ECC +# ('password' is used for the CA password.) +# +ca6-key.pem: + openssl ecparam -genkey -out ca6-key.pem -name prime256v1 + +ca6-csr.pem: ca6.cnf ca6-key.pem + openssl req -new \ + -extensions v3_ca \ + -config ca6.cnf \ + -key ca6-key.pem \ + -out ca6-csr.pem + +ca6-cert.pem: ca6-csr.pem ca6-key.pem ca6.cnf ca5-cert.pem ca5-key.pem + openssl x509 -req \ + -extfile ca6.cnf \ + -extensions v3_ca \ + -days 9999 \ + -passin "pass:password" \ + -in ca6-csr.pem \ + -CA ca5-cert.pem \ + -CAkey ca5-key.pem \ + -CAcreateserial \ + -out ca6-cert.pem + # # Create Fake CNNIC Root Certificate Authority: fake-cnnic-root # 
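Review bot: `ca5-cert.pem` is the only new CA recipe that passes `-extfile ca5.cnf` without `-extensions v3_ca`, and the `ca5.cnf` added later in this commit has no `[ v3_ca ]` section, so the self-signed ca5 root is presumably issued without `basicConstraints = CA:TRUE`, unlike ca4 and ca6 (verify with `openssl x509 -in ca5-cert.pem -text`). OpenSSL's verifier tolerates a trust anchor lacking the CA flag unless X509_STRICT is in effect, which is likely why the tests still pass, but the fixture then silently differs from its siblings. Either add `-extensions v3_ca \` to the ca5 `openssl x509 -req` invocation together with a `[ v3_ca ]` section in ca5.cnf, or state in the `# Create Certificate Authority: ca5 with ECC` comment that the missing CA flag is deliberate. The ca4 key is generated with `openssl genrsa -out ca4-key.pem 1024`, matching the existing fixtures, but OpenSSL builds whose default security level is 2 reject 1024-bit RSA, so these fixtures may need regenerating at 2048 bits on such platforms.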
@@ -93,13 +204,13 @@ agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem -CAcreateserial \ -out agent1-cert.pem -agent1-pfx.pem: agent1-cert.pem agent1-key.pem ca1-cert.pem +agent1.pfx: agent1-cert.pem agent1-key.pem ca1-cert.pem openssl pkcs12 -export \ -descert \ -in agent1-cert.pem \ -inkey agent1-key.pem \ -certfile ca1-cert.pem \ - -out agent1-pfx.pem \ + -out agent1.pfx \ -password pass:sample agent1-verify: agent1-cert.pem ca1-cert.pem @@ -220,7 +331,7 @@ agent5-verify: agent5-cert.pem ca2-cert.pem openssl verify -CAfile ca2-cert.pem agent5-cert.pem # -# agent6 is signed by ca3 +# agent6 is a client RSA cert signed by ca3 # agent6-key.pem: @@ -244,6 +355,15 @@ agent6-cert.pem: agent6-csr.pem ca3-cert.pem ca3-key.pem agent6-verify: agent6-cert.pem ca3-cert.pem openssl verify -CAfile ca3-cert.pem agent6-cert.pem +agent6.pfx: agent6-cert.pem agent6-key.pem ca1-cert.pem + openssl pkcs12 -export \ + -descert \ + -in agent6-cert.pem \ + -inkey agent6-key.pem \ + -certfile ca1-cert.pem \ + -out agent6.pfx \ + -password pass:sample + # # agent7 is signed by fake-cnnic-root. # 
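Review bot: `agent6.pfx` bundles `-certfile ca1-cert.pem`, but this hunk's own comment says agent6 is signed by ca3, which an earlier hunk describes as a subordinate CA issued by ca1; the bundle therefore carries the root and not the intermediate a peer needs to build the chain up to ca1. If the PKCS#12 is meant to be chain-complete, `-certfile ca3-cert.pem` (with `ca3-cert.pem` in the prerequisite list) is the issuer to include; if only the root is wanted, a comment saying so would stop the next reader from "fixing" it. The same `-certfile ca1-cert.pem` recurs in the `agent10.pfx` rule of a later hunk, where ca1 is not in agent10's chain at all (agent10 is issued by ca4, itself issued by ca2), whereas `ec10.pfx` uses its actual issuer `ca6-cert.pem`.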
@@ -322,6 +442,74 @@ agent9-cert.pem: agent9-csr.pem -startdate 20161021000001Z \ -notext -out agent9-cert.pem +# agent10 is a server RSA cert signed by ca4 for agent10.example.com +# + +agent10-key.pem: + openssl genrsa -out agent10-key.pem 1024 + +agent10-csr.pem: agent10.cnf agent10-key.pem + openssl req -new -config agent10.cnf -key agent10-key.pem -out agent10-csr.pem + +agent10-cert.pem: agent10-csr.pem ca4-cert.pem ca4-key.pem + openssl x509 -req \ + -days 9999 \ + -passin "pass:password" \ + -in agent10-csr.pem \ + -CA ca4-cert.pem \ + -CAkey ca4-key.pem \ + -CAcreateserial \ + -extfile agent10.cnf \ + -out agent10-cert.pem + cat ca4-cert.pem >> agent10-cert.pem + +agent10-verify: agent10-cert.pem ca4-cert.pem + openssl verify -CAfile ca4-cert.pem agent10-cert.pem + +agent10.pfx: agent10-cert.pem agent10-key.pem ca1-cert.pem + openssl pkcs12 -export \ + -descert \ + -in agent10-cert.pem \ + -inkey agent10-key.pem \ + -certfile ca1-cert.pem \ + -out agent10.pfx \ + -password pass:sample + +# +# ec10 is a server EC cert signed by ca6 for agent10.example.com +# + +ec10-key.pem: + openssl ecparam -genkey -out ec10-key.pem -name prime256v1 + +ec10-csr.pem: ec10-key.pem + openssl req -new -config agent10.cnf -key ec10-key.pem -out ec10-csr.pem + +ec10-cert.pem: ec10-csr.pem ec10-key.pem + openssl x509 -req \ + -days 9999 \ + -passin "pass:password" \ + -in ec10-csr.pem \ + -CA ca6-cert.pem \ + -CAkey ca6-key.pem \ + -CAcreateserial \ + -extfile agent10.cnf \ + -out ec10-cert.pem + cat ca6-cert.pem >> ec10-cert.pem + +ec10.pfx: ec10-cert.pem ec10-key.pem ca6-cert.pem + openssl pkcs12 -export \ + -descert \ + -in ec10-cert.pem \ + -inkey ec10-key.pem \ + -certfile ca6-cert.pem \ + -out ec10.pfx \ + -password pass:sample + + +# +# ec is a self-signed EC cert for CN "agent2" +# ec-key.pem: openssl ecparam -genkey -out ec-key.pem -name prime256v1 
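Review bot: `ec10-cert.pem: ec10-csr.pem ec10-key.pem` omits the `ca6-cert.pem ca6-key.pem` prerequisites that the recipe reads via `-CA`/`-CAkey`, and `ec10-csr.pem: ec10-key.pem` omits `agent10.cnf`, whereas the parallel agent10 rules list `ca4-cert.pem ca4-key.pem` and `agent10.cnf`; after regenerating ca6 or editing the config, make would consider ec10-cert.pem up to date and leave a stale, no-longer-verifiable chain. Change them to `ec10-csr.pem: agent10.cnf ec10-key.pem` and `ec10-cert.pem: ec10-csr.pem ca6-cert.pem ca6-key.pem`. There is an `agent10-verify` target but no `ec10-verify`; a target running `openssl verify -CAfile ca6-cert.pem ec10-cert.pem` would let the EC chain be checked the same way. The `# agent10 is a server RSA cert ...` header also lacks the leading bare `#` line that every other section here uses.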
@@ -384,5 +572,7 @@ clean: test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify +%-cert.pem.print: %-cert.pem + openssl x509 -in $< -text -noout > $@ -.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify +.PHONY: all clean test agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify diff --git a/test/fixtures/keys/agent1-pfx.pem b/test/fixtures/keys/agent1.pfx similarity index 100% rename from test/fixtures/keys/agent1-pfx.pem rename to test/fixtures/keys/agent1.pfx diff --git a/test/fixtures/keys/agent10-cert.pem b/test/fixtures/keys/agent10-cert.pem new file mode 100644 index 00000000000000..0edfc53bb59cdc --- /dev/null +++ b/test/fixtures/keys/agent10-cert.pem 
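Review bot: `test:` still depends only on `agent1-verify` through `agent5-verify`, yet `.PHONY` now also declares `agent6-verify agent7-verify agent8-verify agent10-verify`, so the verification target added for the new agent10 fixtures (defined in an earlier hunk) never runs under `make test`; extend it to `test: agent1-verify agent2-verify agent3-verify agent4-verify agent5-verify agent6-verify agent7-verify agent8-verify agent10-verify`. Whether `agent7-verify` and `agent8-verify` are actually defined as targets is not visible on this page, so confirm that before listing them. No `ec10-verify` target exists in this commit at all, so the EC chain is the one new fixture `make test` has no way to check.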
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIICXjCCAcegAwIBAgIJAP2fmGveC9mRMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVu +dDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E0MSAwHgYJKoZIhvcNAQkB +FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xNzAyMTQxNzI3NDlaFw00NDA3MDExNzI3 +NDlaMGgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzAN +BgNVBAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEcMBoGA1UEAwwTYWdlbnQx +MC5leGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2u9KDRih +b+1xQgUW8AR+6iDuiJ5okn8MHjYlAkN0ykjGQWAajffSuMphE4gdt0qK+2j343B5 +lyQhA05VzKo4coeDbQthb/FvaO/a9YTwSV6/UOq3RUxoP5gYS4LTpT+7/J0YQnrX +WZnNW1Q0vzOamGLkQu6EEMu7bnyo6csILG8CAwEAATANBgkqhkiG9w0BAQsFAAOB +gQBdX03nGFuNJecIBOyXwtEikoUM5K4O+6LG5LQ09Td6RsIxI9bHAPwoNVLdFbff +qKfw02LM9juotE8gofFkEgVVokNwOVcTxUJjwIkUrD0/UB6YAmkcnGXyhRrdHqqp +fKkzn1oYm3TKlS5uZsmX4dsayP1Jqex1Qpi1ni0pdQsKYA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICgjCCAeugAwIBAgIJAO6+LOUhGhL8MA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV +BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu +dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2EyMSAwHgYJKoZIhvcNAQkB +FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xNjEyMjIyMzAzMjNaFw00NDA1MDgyMzAz +MjNaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzAN +BgNVBAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E0MSAw +HgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA1lPESW5RhC6VfYSLJMye5nEJyoBPBwgKSJmyZ5l9lWfM9V2I +exkI5GtOvVPlF/LxGykpTEUxc91MMrhf4MWlYLg1+rNmpbUmitfZk9dooHZejJbs +STTSLxddWhNBGWTZShJ5VKAsEGD+SW+m5GFWIJM4bG+YgDssXQ1FJSKn8ssCAwEA +AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBIxIMRibNr5Fxc +aYrXrXs48r1K3SHPAvej3h5gJBWPnv3j3RIJiiPw+l/E2t/VYCtX2yEw3jTrznY7 +De2cG50bFI8obZit3H6UqURjQ24bJphcj537PDo/KcxFKuGg9zxrYc4NZfhOPOTM +NyA5bERKgANiokGJ8k4xpga1nq9ByQ== +-----END CERTIFICATE----- 
diff --git a/test/fixtures/keys/agent10-csr.pem b/test/fixtures/keys/agent10-csr.pem new file mode 100644 index 00000000000000..a2d495965c13a8 --- /dev/null +++ b/test/fixtures/keys/agent10-csr.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBzTCCATYCAQAwaDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH +DAJTRjEPMA0GA1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMRwwGgYDVQQD +DBNhZ2VudDEwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDa70oNGKFv7XFCBRbwBH7qIO6InmiSfwweNiUCQ3TKSMZBYBqN99K4ymETiB23 +Sor7aPfjcHmXJCEDTlXMqjhyh4NtC2Fv8W9o79r1hPBJXr9Q6rdFTGg/mBhLgtOl +P7v8nRhCetdZmc1bVDS/M5qYYuRC7oQQy7tufKjpywgsbwIDAQABoCUwIwYJKoZI +hvcNAQkHMRYMFEEgY2hhbGxlbmdlIHBhc3N3b3JkMA0GCSqGSIb3DQEBCwUAA4GB +ABnifUq4MjGM2W+6BCPP/6YQC7IoLA2p3uCziL/JC7p3k3eCmhO2d//ODRdYjG6I +1GYHhWdNgUfB4XIs/LSHWZTjGQTN+cowZEq9khRrEOTHm79d7kYHZbeGWRxp9S5q +Xohfo/XIzTNpPqfdesrsD2uBAF7uLc1o50R0h4Xeel7g +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/agent10-key.pem b/test/fixtures/keys/agent10-key.pem new file mode 100644 index 00000000000000..9a19ebb3d0f9f1 --- /dev/null +++ b/test/fixtures/keys/agent10-key.pem 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDa70oNGKFv7XFCBRbwBH7qIO6InmiSfwweNiUCQ3TKSMZBYBqN +99K4ymETiB23Sor7aPfjcHmXJCEDTlXMqjhyh4NtC2Fv8W9o79r1hPBJXr9Q6rdF +TGg/mBhLgtOlP7v8nRhCetdZmc1bVDS/M5qYYuRC7oQQy7tufKjpywgsbwIDAQAB +AoGBAKEvbzt5GNII5EuQ57RJ+w5wtG1NAvxoIQnVHyYtd7y+G4hiMuq2vCNkjFgO +7KHXdb9nJqoCUuKdrNh8Qdrur6L1vHk8NjNBiV3EXEXKkAMYoHeATiyEMinJjC1n +YF30MYjWCemsnQx47j1qmehzm0DWOvgXUx3VZFtR/DJdXKiRAkEA8zsdwJqmwfzT +jT0EWi/VCD1UYCyAwAdK3tJMy+88DAzEFdTvCxiaKPDUB4RpUPKqdA7sn+REiljS +5rgyUCii8wJBAOZtpWZj7tNLfq2jq+F4coJmGVuOd388+8AAUMOd09U2wTdQD6Xp +l0Qm3sEWvZJqBSn+MHcfG3eAl3+d0ZCsl5UCQG/nmuCqRl6pu4sXr5DuwMxxqwg0 +cWfn8wJhLwQEpVPF69E/jltEjmiXpHVw7iNYAiQzWZqWoxIjm6Sayksm5xECQQCQ +ihSnLmY/qepzVuhZDSme/BZJ5Qq2CHXOESSYH+chpi/610CJjQXynQM7UV1mexR0 +K9sQzbV393SQe1laC7klAkEApp4Bk4oQKusPDOJ5OM9r9e9JQyrElV3osx/gxAom +n1kgKyz5CgyLiugOEt0p3nbdY59u90I/TZETrhR9CXXjZA== +-----END RSA PRIVATE KEY----- diff --git a/test/fixtures/keys/agent10.cnf b/test/fixtures/keys/agent10.cnf new file mode 100644 index 00000000000000..72fa62e85738d9 --- /dev/null +++ b/test/fixtures/keys/agent10.cnf @@ -0,0 +1,17 @@ +[ req ] +default_bits = 1024 +days = 999 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no + +[ req_distinguished_name ] +C = US +ST = CA +L = SF +O = Joyent +OU = Node.js +CN = agent10.example.com + +[ req_attributes ] +challengePassword = A challenge password diff --git a/test/fixtures/keys/agent10.pfx b/test/fixtures/keys/agent10.pfx new file mode 100644 index 00000000000000..bfaa7ec1aa81b5 Binary files /dev/null and b/test/fixtures/keys/agent10.pfx differ diff --git a/test/fixtures/keys/agent6.pfx b/test/fixtures/keys/agent6.pfx new file mode 100644 index 00000000000000..20c54ae4d90706 Binary files /dev/null and b/test/fixtures/keys/agent6.pfx differ diff --git a/test/fixtures/keys/ca1-cert.srl b/test/fixtures/keys/ca1-cert.srl index c9650b0529c100..47125e096344d6 100644 --- a/test/fixtures/keys/ca1-cert.srl 
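Review bot: `days = 999` under `[ req ]` in agent10.cnf is not, as far as I can tell, a key that `openssl req` reads from its config section (validity is a command-line option, and the recipes already pass `-days 9999`), so it is dead configuration that advertises a different validity than the one actually used; drop the line. The same line appears in ca4.cnf, ca5.cnf and ca6.cnf on this page. agent10.cnf is also passed via `-extfile` to the `openssl x509 -req` steps for agent10 and ec10, but it defines no extension section, so as far as the visible config shows those certificates get no subjectAltName and rely on CN matching alone; a comment noting that this is deliberate would help.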
+++ b/test/fixtures/keys/ca1-cert.srl @@ -1 +1 @@ -9A84ABCFB8A72AC0 +9A84ABCFB8A72AC1 diff --git a/test/fixtures/keys/ca2-cert.srl b/test/fixtures/keys/ca2-cert.srl index 18b47ea80f4cf6..b89e856a256fae 100644 --- a/test/fixtures/keys/ca2-cert.srl +++ b/test/fixtures/keys/ca2-cert.srl @@ -1 +1 @@ -EEBE2CE5211A12FB +EEBE2CE5211A12FF diff --git a/test/fixtures/keys/ca4-cert.pem b/test/fixtures/keys/ca4-cert.pem new file mode 100644 index 00000000000000..12bd28bc265f54 --- /dev/null +++ b/test/fixtures/keys/ca4-cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICgjCCAeugAwIBAgIJAO6+LOUhGhL8MA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV +BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu +dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2EyMSAwHgYJKoZIhvcNAQkB +FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xNjEyMjIyMzAzMjNaFw00NDA1MDgyMzAz +MjNaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzAN +BgNVBAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E0MSAw +HgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzCBnzANBgkqhkiG9w0BAQEF +AAOBjQAwgYkCgYEA1lPESW5RhC6VfYSLJMye5nEJyoBPBwgKSJmyZ5l9lWfM9V2I +exkI5GtOvVPlF/LxGykpTEUxc91MMrhf4MWlYLg1+rNmpbUmitfZk9dooHZejJbs +STTSLxddWhNBGWTZShJ5VKAsEGD+SW+m5GFWIJM4bG+YgDssXQ1FJSKn8ssCAwEA +AaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBIxIMRibNr5Fxc +aYrXrXs48r1K3SHPAvej3h5gJBWPnv3j3RIJiiPw+l/E2t/VYCtX2yEw3jTrznY7 +De2cG50bFI8obZit3H6UqURjQ24bJphcj537PDo/KcxFKuGg9zxrYc4NZfhOPOTM +NyA5bERKgANiokGJ8k4xpga1nq9ByQ== +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/ca4-cert.srl b/test/fixtures/keys/ca4-cert.srl new file mode 100644 index 00000000000000..dec35c35da1c22 --- /dev/null +++ b/test/fixtures/keys/ca4-cert.srl @@ -0,0 +1 @@ +FD9F986BDE0BD991 diff --git a/test/fixtures/keys/ca4-csr.pem b/test/fixtures/keys/ca4-csr.pem new file mode 100644 index 00000000000000..43bfbe20a17cca --- /dev/null +++ b/test/fixtures/keys/ca4-csr.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIB3zCCAUgCAQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH +DAJTRjEPMA0GA1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQD +DANjYTQxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMIGfMA0GCSqG +SIb3DQEBAQUAA4GNADCBiQKBgQDWU8RJblGELpV9hIskzJ7mcQnKgE8HCApImbJn +mX2VZ8z1XYh7GQjka069U+UX8vEbKSlMRTFz3UwyuF/gxaVguDX6s2altSaK19mT +12igdl6MluxJNNIvF11aE0EZZNlKEnlUoCwQYP5Jb6bkYVYgkzhsb5iAOyxdDUUl +IqfyywIDAQABoCUwIwYJKoZIhvcNAQkHMRYMFEEgY2hhbGxlbmdlIHBhc3N3b3Jk +MA0GCSqGSIb3DQEBCwUAA4GBAMZTllcdlMs5Gp0etJGkJot420x0CqUH8Vt+Hmss +vuTu9Nne18JeAC6zhBYab8HDuXkEfmEKUsdfTHuhY27A3CgfhhCEhmoqqJAuGbv0 +28v5jdHL2BoExS83sPVc3IR4APjsqXqLGy8qAtpxTOBkysDeLHl5x6eYd52zaoM7 +hsv8 +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/ca4-key.pem b/test/fixtures/keys/ca4-key.pem new file mode 100644 index 00000000000000..f758fb57b09657 --- /dev/null +++ b/test/fixtures/keys/ca4-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWwIBAAKBgQDWU8RJblGELpV9hIskzJ7mcQnKgE8HCApImbJnmX2VZ8z1XYh7 +GQjka069U+UX8vEbKSlMRTFz3UwyuF/gxaVguDX6s2altSaK19mT12igdl6MluxJ +NNIvF11aE0EZZNlKEnlUoCwQYP5Jb6bkYVYgkzhsb5iAOyxdDUUlIqfyywIDAQAB +AoGABzRbpchCjzntpoF9F+iU8tQb6yWzAl5/0f7wo1DiitIpbpoNS24FAYCl7fFT +AyIUfsA8dibhSa7Hr/DIsEqUi4L65+avHz88yWXzAa2eodUF6Rn6D0G4osxg8C6d +KR5h6u1BTJ3/MB4x8CTLu2fxEV0hntMX8+1YSTIioy9VueECQQD8ebR3NwSIuAWv ++571Bw49ZtiIx+gVNbcIbVsWxdg2JAS80CBMnPrpps1J2ZQNeVkD0aRtXk4pXmuL +BdxfF0YbAkEA2VG6Xyk/DftnNJpAk8pV870814HH/ZNYN2hRxsE9v9gYsRaRfREa +pqF34QXh2ri4bissU7aIYBocdKuqnKWREQJAN0Y96Eu3Rmdjd1/TMTnWOEMn7Oo3 +OU2FQOcQJjAyYcgI8X1vVNaZaEYIc76a10hV4KwpH3iiDBSL3uftkzP5OQJAdPl0 +4/wDoLcN2ladI+/pTAU0VpvY1jkVZt2UBvPFFRpwUAHh1fv66G5JZKoR4/VB8Kr0 +dSrvRStI3dP5RdAowQJAfy93AFGDYTMmBSkHbTfo2jQDwTGExvLyf3YVLszPFvRY +7AYZ4E5qto47Bg8ZEM5jL1M8aZKQb6eq9xQaXkmJtg== +-----END RSA PRIVATE KEY----- diff --git a/test/fixtures/keys/ca4.cnf b/test/fixtures/keys/ca4.cnf new file mode 100644 index 00000000000000..3bbe10c0486b59 
--- /dev/null +++ b/test/fixtures/keys/ca4.cnf @@ -0,0 +1,23 @@ +[ req ] +default_bits = 1024 +days = 999 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no +output_password = password +x509_extensions = v3_ca + +[ req_distinguished_name ] +C = US +ST = CA +L = SF +O = Joyent +OU = Node.js +CN = ca4 +emailAddress = ry@tinyclouds.org + +[ req_attributes ] +challengePassword = A challenge password + +[ v3_ca ] +basicConstraints = CA:TRUE diff --git a/test/fixtures/keys/ca5-cert.pem b/test/fixtures/keys/ca5-cert.pem new file mode 100644 index 00000000000000..ec16b889577c7f --- /dev/null +++ b/test/fixtures/keys/ca5-cert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB6jCCAY+gAwIBAgIJANkPDQ/EmSDpMAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVudDEQ +MA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E1MSAwHgYJKoZIhvcNAQkBFhFy +eUB0aW55Y2xvdWRzLm9yZzAeFw0xNjEyMjIyMzA0NDdaFw00NDA1MDgyMzA0NDda +MHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNV +BAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E1MSAwHgYJ +KoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABHOP4RKAT3HEkOyoKTDW9+/Im60NbH41ZEK4Uhbcr6L+W6Vo+vA6G1lq +NKYDpSQkbeQliIlUBILgsKuTOXo1l4QwCgYIKoZIzj0EAwIDSQAwRgIhAIres8b+ +RCtFmwYr2/5ib1f5Q3Y404530UNYkNLBNT+DAiEAuxsDD4UN2jwdsa376rKHhSlw +Q0Effcwfvrh3cy7Gyr4= +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/ca5-cert.srl b/test/fixtures/keys/ca5-cert.srl new file mode 100644 index 00000000000000..bae4862b3ad30b --- /dev/null +++ b/test/fixtures/keys/ca5-cert.srl @@ -0,0 +1 @@ +99D4C445001087E0 diff --git a/test/fixtures/keys/ca5-csr.pem b/test/fixtures/keys/ca5-csr.pem new file mode 100644 index 00000000000000..8d17650b26cd42 --- /dev/null +++ b/test/fixtures/keys/ca5-csr.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBWzCCAQECAQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH +DAJTRjEPMA0GA1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQD +DANjYTUxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAEc4/hEoBPccSQ7KgpMNb378ibrQ1sfjVkQrhSFtyv +ov5bpWj68DobWWo0pgOlJCRt5CWIiVQEguCwq5M5ejWXhKAlMCMGCSqGSIb3DQEJ +BzEWDBRBIGNoYWxsZW5nZSBwYXNzd29yZDAKBggqhkjOPQQDAgNIADBFAiEAkc1r +JiocfQwOvQ2Sfu/rFZC8mjnxKHaelKW3A6P1SHYCIEf1OuQjfz13B5O0wk+rzR+h +pQuKF5B3r/TiCoJpkIsK +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/ca5-key.pem b/test/fixtures/keys/ca5-key.pem new file mode 100644 index 00000000000000..153ff5be0ecb3b --- /dev/null +++ b/test/fixtures/keys/ca5-key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIUlp2R+gyc0uljrDgSEtAHH+jcRO+dyEC53iyFKVaGloAoGCCqGSM49 +AwEHoUQDQgAEc4/hEoBPccSQ7KgpMNb378ibrQ1sfjVkQrhSFtyvov5bpWj68Dob +WWo0pgOlJCRt5CWIiVQEguCwq5M5ejWXhA== +-----END EC PRIVATE KEY----- diff --git a/test/fixtures/keys/ca5.cnf b/test/fixtures/keys/ca5.cnf new file mode 100644 index 00000000000000..ddd2c02570fc10 --- /dev/null +++ b/test/fixtures/keys/ca5.cnf @@ -0,0 +1,31 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +serial = ca5-serial +crl = ca5-crl.pem +database = ca5-database.txt +name_opt = CA_default +cert_opt = CA_default +default_crl_days = 999 +default_md = sha512 + + +[ req ] +days = 999 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no +output_password = password + +[ req_distinguished_name ] +C = US +ST = CA +L = SF +O = Joyent +OU = Node.js +CN = ca5 +emailAddress = ry@tinyclouds.org + +[ req_attributes ] +challengePassword = A challenge password diff --git a/test/fixtures/keys/ca6-cert.pem b/test/fixtures/keys/ca6-cert.pem new file mode 100644 index 00000000000000..5d8f22064c90f1 --- /dev/null 
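Review bot: The `[ ca ]` and `[ CA_default ]` sections of ca5.cnf point at `ca5-serial`, `ca5-crl.pem` and `ca5-database.txt`, none of which any recipe on this page creates, and the ca5 targets use `openssl x509 -req -signkey`, which does not consult `[ ca ]` at all; the block appears copied from an existing CA config (ca2's recipe touches a database file) and is dead here. Either remove the two sections or add the serial and `touch ca5-database.txt` setup that would make `openssl ca` usable with them. `default_md = sha512` in that block is likewise never applied by the recipes, which could mislead someone reading the config to learn which digest the fixture was signed with.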
+++ b/test/fixtures/keys/ca6-cert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+zCCAaGgAwIBAgIJAJnUxEUAEIfgMAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVudDEQ +MA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E1MSAwHgYJKoZIhvcNAQkBFhFy +eUB0aW55Y2xvdWRzLm9yZzAeFw0xNjEyMjIyMzA1NDFaFw00NDA1MDgyMzA1NDFa +MHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNV +BAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E2MSAwHgYJ +KoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABLROfPRgKIB7cB1tTPc+JyIUgC92IalTahkhFK1ypg8TmSzeh5L98HLu +if8lrEZhey7ZUTWVJkYbCOKDqdV4ffajEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZI +zj0EAwIDSAAwRQIgA4aBVdtEIZuybs1IR2GOSLZjCPtArG10Hfn4cvfrfdYCIQCo +1Mn9GfAP8RRvXxhPaYVxO40PXzTnxubrXWMX0/NfIQ== +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/ca6-cert.srl b/test/fixtures/keys/ca6-cert.srl new file mode 100644 index 00000000000000..262733f36e7543 --- /dev/null +++ b/test/fixtures/keys/ca6-cert.srl @@ -0,0 +1 @@ +CC6737AF93B92BF0 diff --git a/test/fixtures/keys/ca6-csr.pem b/test/fixtures/keys/ca6-csr.pem new file mode 100644 index 00000000000000..365d7c039e2ab1 --- /dev/null +++ b/test/fixtures/keys/ca6-csr.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBWzCCAQECAQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH +DAJTRjEPMA0GA1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQD +DANjYTYxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFkwEwYHKoZI +zj0CAQYIKoZIzj0DAQcDQgAEtE589GAogHtwHW1M9z4nIhSAL3YhqVNqGSEUrXKm +DxOZLN6Hkv3wcu6J/yWsRmF7LtlRNZUmRhsI4oOp1Xh99qAlMCMGCSqGSIb3DQEJ +BzEWDBRBIGNoYWxsZW5nZSBwYXNzd29yZDAKBggqhkjOPQQDAgNIADBFAiBpglJI +UwncZKV2UD7Tt5B3W29DDOjAGoBNEoWDpi+TSwIhAImr3SIIHn67idAYitVNgCKc +j/Ad2q7Cu1HHMhlEEe2C +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/ca6-key.pem b/test/fixtures/keys/ca6-key.pem new file mode 100644 index 00000000000000..ce69df4bd0353e --- /dev/null +++ b/test/fixtures/keys/ca6-key.pem 
@@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIM+0bfos/QT4f/zF++ANZWp3to567NA6eWKw7AniFUaqoAoGCCqGSM49 +AwEHoUQDQgAEtE589GAogHtwHW1M9z4nIhSAL3YhqVNqGSEUrXKmDxOZLN6Hkv3w +cu6J/yWsRmF7LtlRNZUmRhsI4oOp1Xh99g== +-----END EC PRIVATE KEY----- diff --git a/test/fixtures/keys/ca6.cnf b/test/fixtures/keys/ca6.cnf new file mode 100644 index 00000000000000..a545a9fc8b2a8d --- /dev/null +++ b/test/fixtures/keys/ca6.cnf @@ -0,0 +1,22 @@ +[ req ] +days = 999 +distinguished_name = req_distinguished_name +attributes = req_attributes +prompt = no +output_password = password +x509_extensions = v3_ca + +[ req_distinguished_name ] +C = US +ST = CA +L = SF +O = Joyent +OU = Node.js +CN = ca6 +emailAddress = ry@tinyclouds.org + +[ req_attributes ] +challengePassword = A challenge password + +[ v3_ca ] +basicConstraints = CA:TRUE diff --git a/test/fixtures/keys/dns-cert1.cnf b/test/fixtures/keys/dns-cert1.cnf new file mode 100644 index 00000000000000..3c50e7b7b74d65 Binary files /dev/null and b/test/fixtures/keys/dns-cert1.cnf differ diff --git a/test/fixtures/keys/ec10-cert.pem b/test/fixtures/keys/ec10-cert.pem new file mode 100644 index 00000000000000..659ca8c8c767ce --- /dev/null +++ b/test/fixtures/keys/ec10-cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIB1zCCAX2gAwIBAgIJAMxnN6+TuSvwMAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVudDEQ +MA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E2MSAwHgYJKoZIhvcNAQkBFhFy +eUB0aW55Y2xvdWRzLm9yZzAeFw0xNzAyMTQxNzI3NDlaFw00NDA3MDExNzI3NDla +MGgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNV +BAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEcMBoGA1UEAwwTYWdlbnQxMC5l +eGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMyqBR11g1qcuTdc +TYCz5ecqKL7JUlxUNamGgWancQpH3ye8ZJOcRVNh/jDSEcySupdk7h0moCtJQFTP +ocCOyBEwCgYIKoZIzj0EAwIDSAAwRQIhAJ7AWcgLWehn82EScuN3Mb0nUSD0QLVf +hSWMu2xQdZMjAiAu5nl7dZKBzsMm7n1Y07i4zLvsD8Y23aFh6PQBG7ReuQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB+zCCAaGgAwIBAgIJAJnUxEUAEIfgMAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVudDEQ +MA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E1MSAwHgYJKoZIhvcNAQkBFhFy +eUB0aW55Y2xvdWRzLm9yZzAeFw0xNjEyMjIyMzA1NDFaFw00NDA1MDgyMzA1NDFa +MHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNV +BAoMBkpveWVudDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E2MSAwHgYJ +KoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABLROfPRgKIB7cB1tTPc+JyIUgC92IalTahkhFK1ypg8TmSzeh5L98HLu +if8lrEZhey7ZUTWVJkYbCOKDqdV4ffajEDAOMAwGA1UdEwQFMAMBAf8wCgYIKoZI +zj0EAwIDSAAwRQIgA4aBVdtEIZuybs1IR2GOSLZjCPtArG10Hfn4cvfrfdYCIQCo +1Mn9GfAP8RRvXxhPaYVxO40PXzTnxubrXWMX0/NfIQ== +-----END CERTIFICATE----- diff --git a/test/fixtures/keys/ec10-csr.pem b/test/fixtures/keys/ec10-csr.pem new file mode 100644 index 00000000000000..af8929a4c37ab3 --- /dev/null +++ b/test/fixtures/keys/ec10-csr.pem 
@@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBSDCB7wIBADBoMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcM +AlNGMQ8wDQYDVQQKDAZKb3llbnQxEDAOBgNVBAsMB05vZGUuanMxHDAaBgNVBAMM +E2FnZW50MTAuZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATM +qgUddYNanLk3XE2As+XnKii+yVJcVDWphoFmp3EKR98nvGSTnEVTYf4w0hHMkrqX +ZO4dJqArSUBUz6HAjsgRoCUwIwYJKoZIhvcNAQkHMRYMFEEgY2hhbGxlbmdlIHBh +c3N3b3JkMAoGCCqGSM49BAMCA0gAMEUCIQCnDShOBwyzrgN1cAqGA/M4I3r9VZN0 +mPHfLmu9RFHscgIgPsPMc9c7VkPIMUYPysLV3yA3lrJHrKYKm3GW5evO1sM= +-----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/ec10-key.pem b/test/fixtures/keys/ec10-key.pem new file mode 100644 index 00000000000000..7db9eba041ef82 --- /dev/null +++ b/test/fixtures/keys/ec10-key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIKyYBeIevwsdMwi2OJEBVP5l9Ta64/rfHZMb4QlALlFoAoGCCqGSM49 +AwEHoUQDQgAEzKoFHXWDWpy5N1xNgLPl5yoovslSXFQ1qYaBZqdxCkffJ7xkk5xF +U2H+MNIRzJK6l2TuHSagK0lAVM+hwI7IEQ== +-----END EC PRIVATE KEY----- diff --git a/test/fixtures/keys/ec10.pfx b/test/fixtures/keys/ec10.pfx new file mode 100644 index 00000000000000..3a5db4fa7315b3 Binary files /dev/null and b/test/fixtures/keys/ec10.pfx differ diff --git a/test/parallel/test-tls-honorcipherorder.js b/test/parallel/test-tls-honorcipherorder.js index a9d35a01baca51..4e08fd2b8e926c 100644 --- a/test/parallel/test-tls-honorcipherorder.js +++ b/test/parallel/test-tls-honorcipherorder.js 
@@ -1,41 +1,38 @@ 'use strict'; const common = require('../common'); + +// Test the honorCipherOrder property + if (!common.hasCrypto) common.skip('missing crypto'); const assert = require('assert'); -const tls = require('tls'); const fs = require('fs'); - -let nconns = 0; +const mustCall = common.mustCall; +const tls = require('tls'); +const util = require('util'); // We explicitly set TLS version to 1.2 so as to be safe when the // default method is updated in the future const SSL_Method = 'TLSv1_2_method'; const localhost = '127.0.0.1'; -process.on('exit', function() { - assert.strictEqual(nconns, 6); -}); - -function test(honorCipherOrder, clientCipher, expectedCipher, cb) { +function test(honorCipherOrder, clientCipher, expectedCipher, defaultCiphers) { const soptions = { secureProtocol: SSL_Method, key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' + 'ECDHE-RSA-AES128-GCM-SHA256', - honorCipherOrder: !!honorCipherOrder + honorCipherOrder: honorCipherOrder, }; - const server = tls.createServer(soptions, function(cleartextStream) { - nconns++; - + const server = tls.createServer(soptions, mustCall(function(clearTextStream) { // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX). - cleartextStream.end(); - }); - server.listen(0, localhost, function() { + clearTextStream.end(); + })); + server.listen(0, localhost, mustCall(function() { const coptions = { rejectUnauthorized: false, secureProtocol: SSL_Method 
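Review bot: The new four-parameter `test(honorCipherOrder, clientCipher, expectedCipher, defaultCiphers)` carries an unstated contract: `honorCipherOrder` is now passed through uncoerced so that `undefined` exercises the server default, and `defaultCiphers` (used in the next hunk) temporarily replaces `tls.DEFAULT_CIPHERS` for the client; a comment above the definition should say so, e.g. `// honorCipherOrder is passed through untouched (undefined tests the server default); defaultCiphers, when set, temporarily overrides tls.DEFAULT_CIPHERS for the client connection.` Since the `!!` coercion is gone, the `soptions` entry can use property shorthand: `honorCipherOrder,`. The body of `test` continues past the end of this hunk.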
@@ -44,54 +41,50 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) { coptions.ciphers = clientCipher; } const port = this.address().port; - const client = tls.connect(port, localhost, coptions, function() { + const savedDefaults = tls.DEFAULT_CIPHERS; + tls.DEFAULT_CIPHERS = defaultCiphers || savedDefaults; + const client = tls.connect(port, localhost, coptions, mustCall(function() { const cipher = client.getCipher(); client.end(); server.close(); - assert.strictEqual(cipher.name, expectedCipher); - if (cb) cb(); - }); - }); + const msg = util.format( + 'honorCipherOrder=%j, clientCipher=%j, expect=%j, got=%j', + honorCipherOrder, clientCipher, expectedCipher, cipher.name); + assert.strictEqual(cipher.name, expectedCipher, msg); + })); + tls.DEFAULT_CIPHERS = savedDefaults; + })); } -test1(); +// Client explicitly has the preference of cipher suites, not the default. +test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', + 'AES128-GCM-SHA256'); -function test1() { - // Client has the preference of cipher suites by default - test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', - 'AES128-GCM-SHA256', test2); -} +// Server has the preference of cipher suites, and AES256-SHA256 is +// the server's top choice. +test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', + 'AES256-SHA256'); +test(undefined, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', + 'AES256-SHA256'); -function test2() { - // Server has the preference of cipher suites, and AES256-SHA256 is - // the server's top choice. - test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', - 'AES256-SHA256', test3); -} +// Server has the preference of cipher suites. AES128-GCM-SHA256 is given +// higher priority over AES128-SHA256 among client cipher suites. +test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256'); +test(undefined, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256'); -function test3() { - // Server has the preference of cipher suites. 
AES128-GCM-SHA256 is given - // higher priority over AES128-SHA256 among client cipher suites. - test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4); -} +// As client has only one cipher, server has no choice, irrespective +// of honorCipherOrder. +test(true, 'AES128-SHA256', 'AES128-SHA256'); +test(undefined, 'AES128-SHA256', 'AES128-SHA256'); -function test4() { - // As client has only one cipher, server has no choice, irrespective - // of honorCipherOrder. - test(true, 'AES128-SHA256', 'AES128-SHA256', test5); -} +// Client did not explicitly set ciphers and client offers +// tls.DEFAULT_CIPHERS. All ciphers of the server are included in the +// default list so the negotiated cipher is selected according to the +// server's top preference of AES256-SHA256. +test(true, tls.DEFAULT_CIPHERS, 'AES256-SHA256'); +test(true, null, 'AES256-SHA256'); +test(undefined, null, 'AES256-SHA256'); -function test5() { - // Client did not explicitly set ciphers and client offers - // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the - // default list so the negotiated cipher is selected according to the - // server's top preference of AES256-SHA256. - test(true, null, 'AES256-SHA256', test6); -} - -function test6() { - // Ensure that `tls.DEFAULT_CIPHERS` is used - tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256'; - test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256'); -} +// Ensure that `tls.DEFAULT_CIPHERS` is used when its a limited cipher set. +test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256'); diff --git a/test/parallel/test-tls-multi-key.js b/test/parallel/test-tls-multi-key.js index 6e1a3c8777eeba..8e6be5781d0ee1 100644 --- a/test/parallel/test-tls-multi-key.js +++ b/test/parallel/test-tls-multi-key.js @@ -21,6 +21,9 @@ 'use strict'; const common = require('../common'); + +// Test multi-identity ('key')/multi-algorithm scenarios. + if (!common.hasCrypto) common.skip('missing crypto'); 
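Review bot: The assertion message built with `util.format` leaves out the fourth argument, so a failure of the final case (`test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256')`) would print `clientCipher=null` and nothing about which `tls.DEFAULT_CIPHERS` override was in effect; extend it to `'honorCipherOrder=%j, clientCipher=%j, defaultCiphers=%j, expect=%j, got=%j'` and add `defaultCiphers` to the argument list. Restoring `tls.DEFAULT_CIPHERS = savedDefaults;` immediately after `tls.connect(...)` returns is only correct because the client's SecureContext is built synchronously inside `tls.connect()` (as far as I can tell it is); a one-line comment such as `// tls.connect() builds its SecureContext synchronously, so the default can be restored right away` would keep a later refactor from silently dropping the override. `test` begins outside this hunk.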
@@ -28,45 +31,158 @@ const assert = require('assert'); const tls = require('tls'); const fs = require('fs'); -const options = { +// Key is ordered as ec, rsa, cert is ordered as rsa, ec. +test({ key: [ - fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ec10-key.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + ], + cert: [ + fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ec10-cert.pem`) + ], + eccCN: 'agent10.example.com', + client: { ca: [ + fs.readFileSync(`${common.fixturesDir}/keys/ca5-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`) + ]}, +}); + +// Key and cert are ordered as ec, rsa. +test({ + key: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec10-key.pem`), fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), ], cert: [ fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), - fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`) - ] -}; + fs.readFileSync(`${common.fixturesDir}/keys/ec10-cert.pem`), + ], + eccCN: 'agent10.example.com', + client: { ca: [ + fs.readFileSync(`${common.fixturesDir}/keys/ca5-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`), + ]}, +}); + +// Key, cert, and pfx options can be used simultaneously. 
+test({ + key: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`), + ], + cert: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`), + ], + pfx: fs.readFileSync(`${common.fixturesDir}/keys/agent1.pfx`), + passphrase: 'sample', + client: { ca: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`), + ]}, +}); + +// Key and cert with mixed algorithms, and cert chains with intermediate CAs +test({ + key: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec10-key.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/agent10-key.pem`), + ], + cert: [ + fs.readFileSync(`${common.fixturesDir}/keys/agent10-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ec10-cert.pem`), + ], + rsaCN: 'agent10.example.com', + eccCN: 'agent10.example.com', + client: { ca: [ + fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ca5-cert.pem`), + ]}, +}); + +// Key and cert with mixed algorithms, and cert chains with intermediate CAs, +// using PFX for EC. +test({ + key: [ + fs.readFileSync(`${common.fixturesDir}/keys/agent10-key.pem`), + ], + cert: [ + fs.readFileSync(`${common.fixturesDir}/keys/agent10-cert.pem`), + ], + pfx: fs.readFileSync(`${common.fixturesDir}/keys/ec10.pfx`), + passphrase: 'sample', + rsaCN: 'agent10.example.com', + eccCN: 'agent10.example.com', + client: { ca: [ + fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ca5-cert.pem`), + ]}, +}); + +// Key and cert with mixed algorithms, and cert chains with intermediate CAs, +// using PFX for RSA. 
+test({ + key: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec10-key.pem`), + ], + cert: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec10-cert.pem`), + ], + pfx: fs.readFileSync(`${common.fixturesDir}/keys/agent10.pfx`), + passphrase: 'sample', + rsaCN: 'agent10.example.com', + eccCN: 'agent10.example.com', + client: { ca: [ + fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ca5-cert.pem`), + ]}, +}); -const ciphers = []; +function test(options) { + const rsaCN = options.rsaCN || 'agent1'; + const eccCN = options.eccCN || 'agent2'; + const clientTrustRoots = options.client.ca; + delete options.rsaCN; + delete options.eccCN; + delete options.client; + const server = tls.createServer(options, function(conn) { + conn.end('ok'); + }).listen(0, common.mustCall(connectWithEcdsa)); -const server = tls.createServer(options, function(conn) { - conn.end('ok'); -}).listen(0, function() { - const ecdsa = tls.connect(this.address().port, { - ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', - rejectUnauthorized: false - }, function() { - ciphers.push(ecdsa.getCipher()); + function connectWithEcdsa() { + const ecdsa = tls.connect(this.address().port, { + ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', + rejectUnauthorized: true, + ca: clientTrustRoots, + checkServerIdentity: (_, c) => assert.strictEqual(c.subject.CN, eccCN), + }, common.mustCall(function() { + assert.deepStrictEqual(ecdsa.getCipher(), { + name: 'ECDHE-ECDSA-AES256-GCM-SHA384', + version: 'TLSv1/SSLv3' + }); + assert.strictEqual(ecdsa.getPeerCertificate().subject.CN, eccCN); + // XXX(sam) certs don't currently include EC key info, so depend on + // absence of RSA key info to indicate key is EC. 
+ assert(!ecdsa.getPeerCertificate().exponent, 'not cert for an RSA key'); + ecdsa.end(); + connectWithRsa(); + })); + } + + function connectWithRsa() { const rsa = tls.connect(server.address().port, { ciphers: 'ECDHE-RSA-AES256-GCM-SHA384', - rejectUnauthorized: false - }, function() { - ciphers.push(rsa.getCipher()); - ecdsa.end(); + rejectUnauthorized: true, + ca: clientTrustRoots, + checkServerIdentity: (_, c) => assert.strictEqual(c.subject.CN, rsaCN), + }, common.mustCall(function() { + assert.deepStrictEqual(rsa.getCipher(), { + name: 'ECDHE-RSA-AES256-GCM-SHA384', + version: 'TLSv1/SSLv3' + }); + assert.strictEqual(rsa.getPeerCertificate().subject.CN, rsaCN); + assert(rsa.getPeerCertificate().exponent, 'cert for an RSA key'); rsa.end(); server.close(); - }); - }); -}); - -process.on('exit', function() { - assert.deepStrictEqual(ciphers, [{ - name: 'ECDHE-ECDSA-AES256-GCM-SHA384', - version: 'TLSv1/SSLv3' - }, { - name: 'ECDHE-RSA-AES256-GCM-SHA384', - version: 'TLSv1/SSLv3' - }]); -}); + })); + } +} diff --git a/test/parallel/test-tls-pfx-gh-5100-regr.js b/test/parallel/test-tls-pfx-gh-5100-regr.js index dc72b42aa0df91..edb4056c58dbfb 100644 --- a/test/parallel/test-tls-pfx-gh-5100-regr.js +++ b/test/parallel/test-tls-pfx-gh-5100-regr.js @@ -9,7 +9,7 @@ const assert = require('assert'); const tls = require('tls'); const fixtures = require('../common/fixtures'); -const pfx = fixtures.readKey('agent1-pfx.pem'); +const pfx = fixtures.readKey('agent1.pfx'); const server = tls.createServer({ pfx: pfx,
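Review bot: The second `test({...})` case is commented as "Key and cert are ordered as ec, rsa", but its `cert` array lists `agent1-cert.pem` before `ec10-cert.pem`, the same rsa-then-ec order as the first case, so the two cases exercise an identical server configuration and the ec-first cert ordering the comment promises is never tested; swapping the two `cert` entries so `ec10-cert.pem` comes first restores the intended coverage. The `checkServerIdentity` overrides replace the default hostname verification entirely and compare only `subject.CN`, which is needed here because the client connects without a host (so to localhost) while the certs carry CNs such as `agent10.example.com`, but that reasoning is not recorded; a comment like `// Connecting to localhost, so skip hostname matching and only pin the CN.` above each override would stop a reader from "fixing" it or copying the pattern into non-test code. Pinning `version: 'TLSv1/SSLv3'` in both `deepStrictEqual` calls ties the test to the exact string OpenSSL reports for the negotiated protocol family; I cannot tell from the hunk which protocol versions are enabled, so this may be fine today but is worth a short comment noting the dependency.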