tls: multiple PFX support in createSecureContext #14793
Conversation
djphoenix
force-pushed
the
tls-multi-pfx
branch
2 times, most recently
from
1d13a0b
to
41ca43b
Compare
test/parallel/test-tls-multi-pfx.js
Outdated
| buffer: fs.readFileSync(`${common.fixturesDir}/keys/agent1-pfx.pem`), | ||
| passphrase: 'sample' | ||
| }, | ||
| fs.readFileSync(`${common.fixturesDir}/keys/ec-pfx.pem`) |
There was a problem hiding this comment.
I think we should add a third case for when an object is supplied with an encrypted key and the passphrase from options is used.
There was a problem hiding this comment.
ACK (partially). Maybe add separate case out of "multi-pfx" test?
Trott
added
the
semver-minor
test/parallel/test-tls-multi-pfx.js
Outdated
| @@ -0,0 +1,71 @@ | |||
| // Copyright Joyent, Inc. and other Node contributors. | |||
There was a problem hiding this comment.
The copyright and license header should not be added to new files
djphoenix
force-pushed
the
tls-multi-pfx
branch
from
41ca43b
to
581acf9
Compare
lib/_tls_common.js
Outdated
| for (i = 0; i < options.pfx.length; i++) { | ||
| const pfx = options.pfx[i]; | ||
| let buf; | ||
| if (pfx.buffer instanceof Buffer) { |
There was a problem hiding this comment.
Also, should this be limited to just Buffer instances? We likely should allow any Uint8Array
test/parallel/test-tls-multi-pfx.js
Outdated
| const options = { | ||
| pfx: [ | ||
| { | ||
| buffer: fs.readFileSync(`${common.fixturesDir}/keys/agent1-pfx.pem`), |
There was a problem hiding this comment.
Please use the new ../common/fixtures stuff... e.g.
const fixtures = require('../common/fixtures');
/*... */
{
buffer: fixtures.readKey('agent1-pfx.pem')
}
test/parallel/test-tls-multi-pfx.js
Outdated
| const ecdsa = tls.connect(this.address().port, { | ||
| ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', | ||
| rejectUnauthorized: false | ||
| }, function() { |
There was a problem hiding this comment.
@jasnell in listen (L24) also? Or not necessary?
test/parallel/test-tls-multi-pfx.js
Outdated
| const rsa = tls.connect(server.address().port, { | ||
| ciphers: 'ECDHE-RSA-AES256-GCM-SHA384', | ||
| rejectUnauthorized: false | ||
| }, function() { |
djphoenix
force-pushed
the
tls-multi-pfx
branch
from
78a26e9
to
3465940
Compare
|
Fixed FIPS failure (actually bad fixture). @jasnell another try? |
|
ping? |
|
Hey, sorry @djphoenix ... new CI here! https://ci.nodejs.org/job/node-test-pull-request/9862/ |
lib/_tls_common.js
Outdated
| buf = crypto._toBuf(pfx.buffer); | ||
| } else { | ||
| buf = crypto._toBuf(pfx); | ||
| } |
There was a problem hiding this comment.
I am not completely happy with the buffer check here.
I think it would be good to verify that the input is indeed a buffer and that does not happen here.
If the object attribute name would not be buffer it would be easy to distinguish the object from the buffer and you could write something like:
const raw = pfx.buf ? pfx.buf : pfx;
if (!ArrayBuffer.isView(raw))
throw new Error("foobar");
const buf = crypto._toBuf(raw);There was a problem hiding this comment.
Looks as a good proposal. ACK.
doc/api/tls.md
Outdated
| @@ -932,10 +932,14 @@ changes: | |||
| --> | |||
|
|
|||
| * `options` {Object} | |||
| * `pfx` {string|Buffer} Optional PFX or PKCS12 encoded private key and | |||
| certificate chain. `pfx` is an alternative to providing `key` and `cert` | |||
| * `pfx` {Buffer|Buffer[]|Object[]} Optional PFX or PKCS12 encoded private key | |||
There was a problem hiding this comment.
How come string is not supported anymore?
There was a problem hiding this comment.
PKCS12 is very rarely stored in PEM format, by default it's DER-encoded. But I forget about binary strings in JS. Will revert it, ACK.
|
@jasnell CI failures seems like unrelated to changes. |
djphoenix
force-pushed
the
tls-multi-pfx
branch
from
0e32f76
to
d0b000e
Compare
|
cc @shigeki @bnoordhuis PTAL |
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. Fixes: nodejs#14756
|
Still waiting for @shigeki and @bnoordhuis |
|
Landed in 372dc86 |
|
@BridgeAR it seems like @djphoenix was still waiting for a review from @shigeki and @bnoordhuis. Was there a reason it landed before? |
|
Also fwiw I've landed this on v8.x-staging and it is on track to be released in the next 8.x release. Just wanted to confirm that this should be released before doing so |
@MylesBorins not me, but @indutny tagged them before, so I pinged also. Not blocking for me (and for @BridgeAR also as I see). |
|
@MylesBorins to me it looked like a trivial change that was good to go and there was no response since the review request for a week. And as it did not come from @djphoenix it felt more like a "nice to have" in this case. So I went ahead and landed it. |
|
Sgtm
Thanks for responding. Was just trying to figure out what was going on.
…On Sep 11, 2017 3:46 AM, "Ruben Bridgewater" ***@***.***> wrote:
@MylesBorins <https://github.com/mylesborins> to me it looked like a
trivial change that was good to go and there was no response since the
review request for a week. And as it did not come from @djphoenix
<https://github.com/djphoenix> it felt more like a "nice to have" in this
case. So I went ahead and landed it.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#14793 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAecV-fzYkngjHFw1rNLe5Al16O7ZJxyks5shJD-gaJpZM4O1d65>
.
|
Notable Changes * build: * Snapshots are now re-enabled in V8 #14875 * console: * Implement minimal `console.group()`. #14910 * deps: * upgrade libuv to 1.14.1 #14866 * update nghttp2 to v1.25.0 #14955 * dns: * Add `verbatim` option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. #14731 * fs: * add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files. #15034 * inspector: * Enable async stack traces #13870 * module: * Add support for ESM. This is currently behind the `--experimental-modules` flag and requires the .mjs extension. `node --experimental-modules index.mjs` #14369 * napi: * implement promise #14365 * os: * Add support for CIDR notation to the output of the networkInterfaces() method. #14307 * perf_hooks: * An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented, as is a Node.js specific flavor of the Frame Timing for measuring event loop duration. #14680 * tls: * multiple PFX in createSecureContext [#14793](#14793) * Added new collaborators: * BridgeAR – Ruben Bridgewater PR-URL: #15308
Notable Changes * build: * Snapshots are now re-enabled in V8 #14875 * console: * Implement minimal `console.group()`. #14910 * deps: * upgrade libuv to 1.14.1 #14866 * update nghttp2 to v1.25.0 #14955 * dns: * Add `verbatim` option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. #14731 * fs: * add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files. #15034 * inspector: * Enable async stack traces #13870 * module: * Add support for ESM. This is currently behind the `--experimental-modules` flag and requires the .mjs extension. `node --experimental-modules index.mjs` #14369 * napi: * implement promise #14365 * os: * Add support for CIDR notation to the output of the networkInterfaces() method. #14307 * perf_hooks: * An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented, as is a Node.js specific flavor of the Frame Timing for measuring event loop duration. #14680 * tls: * multiple PFX in createSecureContext [#14793](#14793) * Added new collaborators: * BridgeAR – Ruben Bridgewater PR-URL: #15308
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: nodejs#14793 Fixes: nodejs#14756 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Notable Changes * build: * Snapshots are now re-enabled in V8 nodejs#14875 * console: * Implement minimal `console.group()`. nodejs#14910 * deps: * upgrade libuv to 1.14.1 nodejs#14866 * update nghttp2 to v1.25.0 nodejs#14955 * dns: * Add `verbatim` option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. nodejs#14731 * fs: * add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files. nodejs#15034 * inspector: * Enable async stack traces nodejs#13870 * module: * Add support for ESM. This is currently behind the `--experimental-modules` flag and requires the .mjs extension. `node --experimental-modules index.mjs` nodejs#14369 * napi: * implement promise nodejs#14365 * os: * Add support for CIDR notation to the output of the networkInterfaces() method. nodejs#14307 * perf_hooks: * An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented, as is a Node.js specific flavor of the Frame Timing for measuring event loop duration. nodejs#14680 * tls: * multiple PFX in createSecureContext [nodejs#14793](nodejs#14793) * Added new collaborators: * BridgeAR – Ruben Bridgewater PR-URL: nodejs#15308
|
Release team were -1 on landing on v6.x, if you disagree let us know. |
|
@gibfahn I’m not sure, so let NodeJS team decide. For me it’s enough to have this feature in latest versions. |
Fixes: #14756
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
tls