From 0a3aa58f150c8a251e290599d8130cd94971cb93 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Tue, 30 Mar 2021 15:55:36 +0200
Subject: [PATCH 01/14] test: ensure node doesnt crash with some selfsigned certificates
Refs: https://github.com/nodejs/node/issues/37757
Refs: https://github.com/nodejs/node/issues/37889
---
 ...ttps-selfsigned-no-keycertsign-no-crash.js | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
diff --git a/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js b/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
new file mode 100644
index 00000000000000..1066c568bc1c7d
--- /dev/null
+++ b/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -0,0 +1,87 @@
+'use strict';
+const common = require('../common');
+
+// This test starts an https server on port 33333 and tries
+// to connect to it using a self-signed certificate.
+// This certificate´s keyUsage does not include the keyCertSign
+// bit, which used to crash node. The test ensures node
+// will not crash. Key and certificate are from #37889.
+// Note: This test only cares about wether node will crash or not,
+// not about the success of the connection.
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const https = require('https');
+
+const key = `-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA0y3pMvD2AjG5xGBkGfyjBq8QgwB13ExOOQeJHuMZ9oGu+9VM
+HzKawiLPD9ApMA2a7avcQ6p5H0e3bkpkUrE4oIMx3dooeG3fwcidcgXoJB7xzk/T
+GxUpkBaR6WXyiEvTkSwWlysk4Mh0d9qi84Ou1fzDVZ7GoOxSg9B0STukhInYeGZf
+Ol/tCZXTRTHwn7ri/alODz8L1WClKDETiheV8kSp1IgDMYNP5Vf3oZZdOHtCouOJ
+D1P3pAdQkScHHRKvis72ZjaU5AbjTxC4ItH+eDYn6VjH7TdILwuruWu23gzToV+v
+xNBGCkMCORTRiK1u7KwPleC0J4WrQWLe/XPvTQIDAQABAoIBAFIlWMIVE0z1NNLb
+v/SP3oaaEK00v6QLFp5+fOtD4fSOq5eQeATmtWZxDeSTz4G+uRZctNipdmYhiovf
+ajj0cReXEQ3Ab9+wtcp2lDAndg6e7uaXDIJLcBh5fxawLnCwNkMRSFRTVwwNTajV
+pm9dOORKZ11l3tP4OXzG2IUoKy3Wj/1SKLL4zrdHi7802+L/GstK6/BGma+NFrFz
+U6yNqpvuzv7BH7w9G3nSz7u+8SjcY22Vs6q69GAQG3yf356cYCJhV7QIJXU0/VAF
+GFx5UDwlsOT2NhoOd/b9Q9RexKDl+qDupXQo0YFOObHIjHs8UGLOZkBtv4apCarA
+6u+BOwECgYEA9GbrP/5SfmN8xvF2XVjqjk9IUcvWAuTM4Bxav72e6aR9IOdye9vi
++GhwM6qON+LOnMVNhUKJ0+R/jjLy6Jq+00uKU65Q79x7lCBVSDDXWacV0IFIoAOp
+P4LkykjRZyzpIvjK5HGL1JYqZi89im93uuOiyMjoFS2syU+19b83UUECgYEA3TNk
+JVGWYLMcD3uVTe2e/yZSsX+0+QL8hm3bUSOIJ/mIe2dqCXb6MK0ndMS0aCLGtDSt
+wGTWwuc4rFattHYEI8Iro+tshgQs9bLM037hmiCrZvmcQsgt+3FNuYv4oCGp5U85
+mWYF5SVUYRyv8M9aZoKTjc8meR0Wv3ZGGC9iDw0CgYA0XKyAPGO+MmB0Wx1J6Jfw
+P2o2JB7I5e5DAbArrluSoSwx1YSApt6c6/tGBn+L16r+iYMPTu8ql6UAeUfzr9u8
+d02+mfU7Ppi3Zqn+2n/49ERHNLuzlLU5JzkPYcSDf2q/lGAby3vy4u1YkTx1IWac
+gtLIg8q9ZtjDFLHeYcZfQQKBgCCOpdjQT1/gPOsSd4FGzjYjv9wcPdjA1cY7eSJS
+JoIruijfqb3G40Ay3DHVmfAR3kk7z68XqHx7Z94Fy/9Zt3ZD6ARybEC1cKChNoCS
+lkYHNPMtHhC+QfZWUOhUb72x9r2nkYTAfXGisu6wOD0rZ9TatzkSGkmNPIHluJ9q
+qfYpAoGAPJiBBdSt7DC9ZZraQGMEHfRkE5CxEIRbIHJ9+U3Z7LTQT6MJ1y3VfcGs
+PetHcWtbU0Cl8blShaSwpxyCI01x3tUPw/b7tXMan/ImzjUgRe7kQXh2sf39V3b/
+fvzKXWBvOvc1lgG0pFgI/2xtGQQGTe74MzX5xFgw6eadRUnJeKI=
+-----END RSA PRIVATE KEY-----`;
+const cert = `-----BEGIN CERTIFICATE-----
+MIIC9jCCAd6gAwIBAgIJANHflGRpZM1IMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0yMTAzMTUwOTEzMjdaFw0yMjAzMTUwOTEzMjdaMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANMt6TLw9gIxucRgZBn8owavEIMAddxMTjkHiR7jGfaBrvvVTB8ymsIizw/Q
+KTANmu2r3EOqeR9Ht25KZFKxOKCDMd3aKHht38HInXIF6CQe8c5P0xsVKZAWkell
+8ohL05EsFpcrJODIdHfaovODrtX8w1WexqDsUoPQdEk7pISJ2HhmXzpf7QmV00Ux
+8J+64v2pTg8/C9VgpSgxE4oXlfJEqdSIAzGDT+VX96GWXTh7QqLjiQ9T96QHUJEn
+Bx0Sr4rO9mY2lOQG408QuCLR/ng2J+lYx+03SC8Lq7lrtt4M06Ffr8TQRgpDAjkU
+0YitbuysD5XgtCeFq0Fi3v1z700CAwEAAaNLMEkwCwYDVR0PBAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMCUGA1UdEQQeMByCCTEyNy4wLjAuMYIJbG9jYWxob3N0
+hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQDAUCt/8Le2EO0ONOkQYUcPmSut6Siz
+UIQrJ8Lwfs0fb+Zk9ElNGLwYTzooKDgzK8cLQ8g8F2WkolBEPXDsy1Ab+e66WkJH
+NH/zAgEyG6cXXRNc+ObM5KbjY0YuDGiajKcndknuuCB+onlC1Pv5oFUSNa3/06+S
+sziFloGbg5S0AHT6lYnwZSM6G7Pre8mcRNRxL6Yw1FOOUpQZKPd7juy4GBRlCucn
+wmp/Fl0wIBDs91Vprig2TO+U6GvtqJ3n/RKXUz1ykUKETtRneSkqa6hFYjwRzawd
+ANpjy/orrVkqXriAbI/1xvBMInWdcMpXNeiOkxQeQdy8TLBk0ZViSJnf
+-----END CERTIFICATE-----`;
+
+const serverOptions = {
+ key: key,
+ cert: cert
+};
+const clientOptions = {
+ hostname: '127.0.0.1',
+ port: 33333,
+ ca: cert
+};
+// start the server
+const httpsServer = https.createServer(serverOptions, (req, res) => {
+ res.writeHead(200);
+ res.end('hello world\n');
+});
+httpsServer.listen(33333);
+
+// try to connect
+const req = https.request(clientOptions, (res) => {
+ httpsServer.close();
+});
+
+req.on('error', (e) => {
+ httpsServer.close();
+});
+req.end();
From 00aca61cf3c6816598daf1fee42eda8d31c0b777 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Tue, 30 Mar 2021 18:46:29 +0200
Subject: [PATCH 02/14] test: add empty line for readability
---
 test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js b/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
index 1066c568bc1c7d..06750fa64cb086 100644
--- a/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -41,6 +41,7 @@ qfYpAoGAPJiBBdSt7DC9ZZraQGMEHfRkE5CxEIRbIHJ9+U3Z7LTQT6MJ1y3VfcGs
 PetHcWtbU0Cl8blShaSwpxyCI01x3tUPw/b7tXMan/ImzjUgRe7kQXh2sf39V3b/
 fvzKXWBvOvc1lgG0pFgI/2xtGQQGTe74MzX5xFgw6eadRUnJeKI=
 -----END RSA PRIVATE KEY-----`;
+
 const cert = `-----BEGIN CERTIFICATE-----
 MIIC9jCCAd6gAwIBAgIJANHflGRpZM1IMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
 BAMMCWxvY2FsaG9zdDAeFw0yMTAzMTUwOTEzMjdaFw0yMjAzMTUwOTEzMjdaMBQx
From d4dd0b46703ae81ceae58f44fccc63e291dbfb17 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Wed, 31 Mar 2021 13:15:04 +0200
Subject: [PATCH 03/14] test: let server choose a port to use
---
 ...ttps-selfsigned-no-keycertsign-no-crash.js | 35 +++++++++++--------
 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js b/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
index 06750fa64cb086..2a705411944cd0 100644
--- a/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -1,7 +1,7 @@
 'use strict';
 const common = require('../common');
-// This test starts an https server on port 33333 and tries
+// This test starts an https server and tries
 // to connect to it using a self-signed certificate.
 // This certificate´s keyUsage does not include the keyCertSign
 // bit, which used to crash node. The test ensures node
@@ -65,24 +65,29 @@ const serverOptions = {
 key: key,
 cert: cert
 };
-const clientOptions = {
- hostname: '127.0.0.1',
- port: 33333,
- ca: cert
-};
-// start the server
+
+// Start the server
 const httpsServer = https.createServer(serverOptions, (req, res) => {
 res.writeHead(200);
 res.end('hello world\n');
 });
-httpsServer.listen(33333);
+httpsServer.listen(0);
-// try to connect
-const req = https.request(clientOptions, (res) => {
- httpsServer.close();
-});
+httpsServer.on('listening', () => {
+ // Once the server started listening, built the client config
+ // with the server´s used port
+ const clientOptions = {
+ hostname: '127.0.0.1',
+ port: httpsServer.address().port,
+ ca: cert
+ };
+ // Try to connect
+ const req = https.request(clientOptions, (res) => {
+ httpsServer.close();
+ });
-req.on('error', (e) => {
- httpsServer.close();
+ req.on('error', (e) => {
+ httpsServer.close();
+ });
+ req.end();
 });
-req.end();
From 832811d780fa30ae30ec148c8bcfc1baf8d7c2e7 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Wed, 31 Mar 2021 13:17:47 +0200
Subject: [PATCH 04/14] test: move https selfsigned to parallel
---
 .../test-https-selfsigned-no-keycertsign-no-crash.js | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename test/{sequential => parallel}/test-https-selfsigned-no-keycertsign-no-crash.js (100%)
diff --git a/test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
similarity index 100%
rename from test/sequential/test-https-selfsigned-no-keycertsign-no-crash.js
rename to test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
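Review bot: The `res` handed to the request callback is never read, so the response body sits unconsumed while `httpsServer.close()` only stops accepting new connections; adding `res.resume();` before the close is the usual way to let the socket drain and the process exit on its own, though whether it actually hangs here depends on agent settings outside the hunk. Two wording slips in the new comment: `// Once the server started listening, build the client config` (was "built"), and `server´s` uses an acute accent where an apostrophe is meant. Registering `req.on('error')` inside the `'listening'` handler is fine since the request is created there too.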
From 5dca179bd8c95570f6f5fc034c5c9bbd6b4f6b83 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Wed, 31 Mar 2021 13:44:09 +0200
Subject: [PATCH 05/14] test: wrap callbacks in common.must[Not]Call
---
 .../test-https-selfsigned-no-keycertsign-no-crash.js | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
index 2a705411944cd0..1570b4a5489fd8 100644
--- a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -6,8 +6,7 @@ const common = require('../common');
 // This certificate´s keyUsage does not include the keyCertSign
 // bit, which used to crash node. The test ensures node
 // will not crash. Key and certificate are from #37889.
-// Note: This test only cares about wether node will crash or not,
-// not about the success of the connection.
+// Note: This test assumes that the connection will succeed.
 if (!common.hasCrypto)
 common.skip('missing crypto');
@@ -82,12 +81,12 @@ httpsServer.on('listening', () => {
 ca: cert
 };
 // Try to connect
- const req = https.request(clientOptions, (res) => {
+ const req = https.request(clientOptions, common.mustCall((res) => {
 httpsServer.close();
- });
+ }));
- req.on('error', (e) => {
+ req.on('error', common.mustNotCall((e) => {
 httpsServer.close();
- });
+ }));
 req.end();
 });
From e3bd5f5a2b1c3d69a853506520b6e8624b4daa99 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Tue, 30 Mar 2021 16:58:32 +0200
Subject: [PATCH 06/14] crypto: exit potentially infinite loop in GetLastIssuedCert if stuck
Fixes: https://github.com/nodejs/node/issues/37757
Refs: https://github.com/nodejs/node/issues/37889
---
 src/crypto/crypto_common.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
index 1b863a1241edb3..a785ca3e2e3415 100644
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@@ -480,8 +480,17 @@ MaybeLocal GetLastIssuedCert(
 return MaybeLocal();
 issuer_chain = ca_info;
+ // Take the value of cert->get() before and after the call to cert->reset()
+ // in order to compare them and provide a way to exit this loop
+ // in case it gets stuck
+ X509* value_before_reset = cert->get();
+
 // Delete previous cert and continue aggregating issuers.
 cert->reset(ca);
+
+ X509* value_after_reset = cert->get();
+ if (value_before_reset == value_after_reset)
+ break;
 }
 return MaybeLocal(issuer_chain);
 }
From 0734ad09df8ad9390fee3839a7cffc235ac4e768 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Wed, 31 Mar 2021 16:48:01 +0200
Subject: [PATCH 07/14] crypto: more compact solution to detect endless loop
---
 src/crypto/crypto_common.cc | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
index a785ca3e2e3415..22aa0f7f692a37 100644
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@@ -480,17 +480,14 @@ MaybeLocal GetLastIssuedCert(
 return MaybeLocal();
 issuer_chain = ca_info;
- // Take the value of cert->get() before and after the call to cert->reset()
- // in order to compare them and provide a way to exit this loop
- // in case it gets stuck
- X509* value_before_reset = cert->get();
+ // Take the value of cert->get(), compare it with the value of ca
+ // and provide a way to exit this loop
+ // in case it gets stuck.
+ if (cert->get() == ca)
+ break;
 // Delete previous cert and continue aggregating issuers.
 cert->reset(ca);
-
- X509* value_after_reset = cert->get();
- if (value_before_reset == value_after_reset)
- break;
 }
 return MaybeLocal(issuer_chain);
 }
From 374335d019c15f603dbe6227434d94942438324c Mon Sep 17 00:00:00 2001
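Review bot: `value_after_reset` is by construction `ca`, because `cert->reset(ca)` stores the new pointer unconditionally, so the guard is just `if (value_before_reset == ca) break;` and the second `cert->get()` read plus its local can go; the PATCH 08 revert hunk brings back the same shape. The comment describes the mechanics but not the condition being detected: the issuer lookup returned the certificate the loop already holds, so the chain cannot grow and the loop would spin forever. Suggested wording for the comment: `// If the issuer lookup handed back the certificate we already hold (e.g. a self-signed certificate that is not accepted as its own issuer), the chain cannot grow; stop instead of looping forever.` The beginning of GetLastIssuedCert, including where `ca` is obtained, lies above the hunk.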
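Review bot: Breaking before `cert->reset(ca)` skips the only statement in the loop that releases the reference held in `cert` and adopts `ca`; if `ca` carries its own reference from the lookup above the hunk (inferred, the lookup is not visible here), every time this guard fires one X509 reference is leaked, which the previous layout avoided by comparing after the reset. Keeping the reset and comparing afterwards, as PATCH 09 ends up doing, is the safe order: `X509* prev = cert->get(); cert->reset(ca); if (prev == ca) break;`. GetLastIssuedCert begins outside the hunk.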
From: Nils Dralle
Date: Thu, 1 Apr 2021 13:35:19 +0200
Subject: [PATCH 08/14] Revert "crypto: more compact solution to detect endless loop"
This reverts commit bd978e14fcf12f982ad361878f80ece3dbf5aa8c.
---
 src/crypto/crypto_common.cc | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
index 22aa0f7f692a37..a785ca3e2e3415 100644
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@@ -480,14 +480,17 @@ MaybeLocal GetLastIssuedCert(
 return MaybeLocal();
 issuer_chain = ca_info;
- // Take the value of cert->get(), compare it with the value of ca
- // and provide a way to exit this loop
- // in case it gets stuck.
- if (cert->get() == ca)
- break;
+ // Take the value of cert->get() before and after the call to cert->reset()
+ // in order to compare them and provide a way to exit this loop
+ // in case it gets stuck
+ X509* value_before_reset = cert->get();
 // Delete previous cert and continue aggregating issuers.
 cert->reset(ca);
+
+ X509* value_after_reset = cert->get();
+ if (value_before_reset == value_after_reset)
+ break;
 }
 return MaybeLocal(issuer_chain);
 }
From fe0fcbb6f967599e4a5ec6e9bff14dc229573bb5 Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Thu, 1 Apr 2021 13:39:35 +0200
Subject: [PATCH 09/14] crypto: put the condition at the very end of the loop
---
 src/crypto/crypto_common.cc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
index a785ca3e2e3415..f4b7bd3ad8548a 100644
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@@ -480,16 +480,15 @@ MaybeLocal GetLastIssuedCert(
 return MaybeLocal();
 issuer_chain = ca_info;
- // Take the value of cert->get() before and after the call to cert->reset()
- // in order to compare them and provide a way to exit this loop
- // in case it gets stuck
+ // Take the value of cert->get() before the call to cert->reset()
+ // in order to compare it to ca after and provide a way to exit this loop
+ // in case it gets stuck.
 X509* value_before_reset = cert->get();
 // Delete previous cert and continue aggregating issuers.
 cert->reset(ca);
- X509* value_after_reset = cert->get();
- if (value_before_reset == value_after_reset)
+ if (value_before_reset == ca)
 break;
 }
 return MaybeLocal(issuer_chain);
From b59150b83b5c4ddf77829adb365022217962b2ef Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Sat, 3 Apr 2021 14:04:35 +0200
Subject: [PATCH 10/14] test: skip for OpenSSL<=1.1.1h
---
 .../test-https-selfsigned-no-keycertsign-no-crash.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
index 1570b4a5489fd8..916f905aa13976 100644
--- a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -11,6 +11,14 @@ const common = require('../common');
 if (!common.hasCrypto)
 common.skip('missing crypto');
+const crypto = require('crypto');
+
+// This test will fail for OpenSSL <= 1.1.1h
+const minOpenSSL = 269488271;
+
+if (crypto.constants.OPENSSL_VERSION_NUMBER <= minOpenSSL)
+ common.skip('OpenSSL <= 1.1.1h');
+
 const https = require('https');
 const key = `-----BEGIN RSA PRIVATE KEY-----
From b5b0c91bd7bf386060173a88496aca9c271c4ef3 Mon Sep 17 00:00:00 2001
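Review bot: The comment still describes the mechanics ("in case it gets stuck") rather than the condition being detected, and a reader of `value_before_reset == ca` also needs to know that in the non-matching case `value_before_reset` may point at an object the reset just released, so only the address is compared and it must never be dereferenced. Suggested replacement for the three comment lines: `// Stop if the issuer lookup returned the certificate we already hold (the chain cannot grow). Compare after the reset so cert owns ca either way; only the old pointer's address is compared, it may already be freed.` Naming the local `prev` rather than `value_before_reset` would also shorten the guard. The top of GetLastIssuedCert, where `ca` is produced, is outside the hunk.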
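Review bot: `269488271` is an OpenSSL version number written in decimal, which hides the MNNFFPPS layout a reader would use to check it against the "1.1.1h" in the comment and skip message; `const minOpenSSL = 0x1010108f; // OpenSSL 1.1.1h` is the same value (0x1010108f = 269488271) and can be checked at a glance. The comparison against `crypto.constants.OPENSSL_VERSION_NUMBER` is unaffected by the literal's form.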
From: Nils Dralle
Date: Sat, 3 Apr 2021 16:43:24 +0200
Subject: [PATCH 11/14] test: remove unnecessary body from .mustNotCall
---
 .../parallel/test-https-selfsigned-no-keycertsign-no-crash.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
index 916f905aa13976..07b3ab587d126b 100644
--- a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -93,8 +93,6 @@ httpsServer.on('listening', () => {
 httpsServer.close();
 }));
- req.on('error', common.mustNotCall((e) => {
- httpsServer.close();
- }));
+ req.on('error', common.mustNotCall());
 req.end();
 });
From bb5bfde2eeadd500186df2400a645b13afe7175e Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Sun, 4 Apr 2021 11:09:33 +0200
Subject: [PATCH 12/14] test: fix typo, '<' instead of '<='
---
 .../test-https-selfsigned-no-keycertsign-no-crash.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
index 07b3ab587d126b..8f27e8c9a3f3dc 100644
--- a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -13,11 +13,11 @@ if (!common.hasCrypto)
 const crypto = require('crypto');
-// This test will fail for OpenSSL <= 1.1.1h
+// This test will fail for OpenSSL < 1.1.1h
 const minOpenSSL = 269488271;
-if (crypto.constants.OPENSSL_VERSION_NUMBER <= minOpenSSL)
- common.skip('OpenSSL <= 1.1.1h');
+if (crypto.constants.OPENSSL_VERSION_NUMBER < minOpenSSL)
+ common.skip('OpenSSL < 1.1.1h');
 const https = require('https');
From 080ac2e3df5156c25226f6070a12c5b90b5e173c Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Sun, 4 Apr 2021 11:46:19 +0200
Subject: [PATCH 13/14] test: improve test readability by moving key and cert as files to fixtures
---
 .../keys/selfsigned-no-keycertsign/README.md | 2 +
 .../keys/selfsigned-no-keycertsign/cert.conf | 17 +++++++
 .../keys/selfsigned-no-keycertsign/cert.pem | 18 +++++++
 .../https_renew_cert.sh | 6 +++
 .../keys/selfsigned-no-keycertsign/key.pem | 27 ++++++++++
 ...ttps-selfsigned-no-keycertsign-no-crash.js | 51 +++---------------
 6 files changed, 76 insertions(+), 45 deletions(-)
 create mode 100644 test/fixtures/keys/selfsigned-no-keycertsign/README.md
 create mode 100644 test/fixtures/keys/selfsigned-no-keycertsign/cert.conf
 create mode 100644 test/fixtures/keys/selfsigned-no-keycertsign/cert.pem
 create mode 100644 test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh
 create mode 100644 test/fixtures/keys/selfsigned-no-keycertsign/key.pem
diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/README.md b/test/fixtures/keys/selfsigned-no-keycertsign/README.md
new file mode 100644
index 00000000000000..0dcd69007a9142
--- /dev/null
+++ b/test/fixtures/keys/selfsigned-no-keycertsign/README.md
@@ -0,0 +1,2 @@
+# Self-signed certificate without keyCertSign bit
+The self-signed certificate ([cert.pem](./cert.pem)) and the key ([key.pem](./key.pem)) in this folder are used by the test [test-https-selfsigned-no-keycertsign-no-crash](../../../parallel/test-https-selfsigned-no-keycertsign-no-crash.js). The config ([cert.conf](./cert.conf)) and the file used to generate key and certificate in this folder ([https-renew-cert.sh](./https_renew_cert.sh)) are not used by the test but for reference.
diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/cert.conf b/test/fixtures/keys/selfsigned-no-keycertsign/cert.conf
new file mode 100644
index 00000000000000..60901bb26d6937
--- /dev/null
+++ b/test/fixtures/keys/selfsigned-no-keycertsign/cert.conf
@@ -0,0 +1,17 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = DE
+CN = localhost
+
+[v3_req]
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = 127.0.0.1
+DNS.2 = localhost
+IP.1 = 127.0.0.1
diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem b/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem
new file mode 100644
index 00000000000000..c0829b82caf8d3
--- /dev/null
+++ b/test/fixtures/keys/selfsigned-no-keycertsign/cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9jCCAd6gAwIBAgIJANHflGRpZM1IMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0yMTAzMTUwOTEzMjdaFw0yMjAzMTUwOTEzMjdaMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANMt6TLw9gIxucRgZBn8owavEIMAddxMTjkHiR7jGfaBrvvVTB8ymsIizw/Q
+KTANmu2r3EOqeR9Ht25KZFKxOKCDMd3aKHht38HInXIF6CQe8c5P0xsVKZAWkell
+8ohL05EsFpcrJODIdHfaovODrtX8w1WexqDsUoPQdEk7pISJ2HhmXzpf7QmV00Ux
+8J+64v2pTg8/C9VgpSgxE4oXlfJEqdSIAzGDT+VX96GWXTh7QqLjiQ9T96QHUJEn
+Bx0Sr4rO9mY2lOQG408QuCLR/ng2J+lYx+03SC8Lq7lrtt4M06Ffr8TQRgpDAjkU
+0YitbuysD5XgtCeFq0Fi3v1z700CAwEAAaNLMEkwCwYDVR0PBAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMCUGA1UdEQQeMByCCTEyNy4wLjAuMYIJbG9jYWxob3N0
+hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQDAUCt/8Le2EO0ONOkQYUcPmSut6Siz
+UIQrJ8Lwfs0fb+Zk9ElNGLwYTzooKDgzK8cLQ8g8F2WkolBEPXDsy1Ab+e66WkJH
+NH/zAgEyG6cXXRNc+ObM5KbjY0YuDGiajKcndknuuCB+onlC1Pv5oFUSNa3/06+S
+sziFloGbg5S0AHT6lYnwZSM6G7Pre8mcRNRxL6Yw1FOOUpQZKPd7juy4GBRlCucn
+wmp/Fl0wIBDs91Vprig2TO+U6GvtqJ3n/RKXUz1ykUKETtRneSkqa6hFYjwRzawd
+ANpjy/orrVkqXriAbI/1xvBMInWdcMpXNeiOkxQeQdy8TLBk0ZViSJnf
+-----END CERTIFICATE-----
diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh b/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh
new file mode 100644
index 00000000000000..092f27a8867cbb
--- /dev/null
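Review bot: `DNS.1 = 127.0.0.1` places an IP address in a dNSName entry; `IP.1 = 127.0.0.1` already covers it, and Node's hostname check (tls.checkServerIdentity) matches a literal IP against iPAddress entries rather than dNSName, so the dNSName form is dead weight that also ends up baked into the committed cert.pem. Dropping it leaves `DNS.1 = localhost` and `IP.1 = 127.0.0.1`, which is all the test (`hostname: '127.0.0.1'`) needs. A blank line before `[alt_names]`, as the other sections have, is cosmetic.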
+++ b/test/fixtures/keys/selfsigned-no-keycertsign/https_renew_cert.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+openssl genrsa -out rsa.pem 2048
+openssl rsa -in rsa.pem -out key.pem
+openssl req -sha256 -new -key key.pem -out csr.pem -subj "/CN=localhost"
+openssl x509 -req -extfile cert.conf -extensions v3_req -days 365 -in csr.pem -signkey key.pem -out cert.pem
+
diff --git a/test/fixtures/keys/selfsigned-no-keycertsign/key.pem b/test/fixtures/keys/selfsigned-no-keycertsign/key.pem
new file mode 100644
index 00000000000000..5f0549276a4cae
--- /dev/null
+++ b/test/fixtures/keys/selfsigned-no-keycertsign/key.pem
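Review bot: `-days 365` gives the fixture a one-year lifetime; decoding the validity in the committed cert.pem gives 2021-03-15 to 2022-03-15, after which the test, which expects the connection to succeed with `ca: cert`, starts failing on certificate expiry instead of on the bug it guards. A far longer validity (for example `-days 36500`, illustrative value) removes the yearly regeneration. The script also has no `set -e`, so a failed `req` step would still run `x509` against a stale csr.pem, and it leaves `rsa.pem` and `csr.pem` behind; `set -e` at the top and removing the intermediates at the end keeps the directory to the files the README lists.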
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA0y3pMvD2AjG5xGBkGfyjBq8QgwB13ExOOQeJHuMZ9oGu+9VM
+HzKawiLPD9ApMA2a7avcQ6p5H0e3bkpkUrE4oIMx3dooeG3fwcidcgXoJB7xzk/T
+GxUpkBaR6WXyiEvTkSwWlysk4Mh0d9qi84Ou1fzDVZ7GoOxSg9B0STukhInYeGZf
+Ol/tCZXTRTHwn7ri/alODz8L1WClKDETiheV8kSp1IgDMYNP5Vf3oZZdOHtCouOJ
+D1P3pAdQkScHHRKvis72ZjaU5AbjTxC4ItH+eDYn6VjH7TdILwuruWu23gzToV+v
+xNBGCkMCORTRiK1u7KwPleC0J4WrQWLe/XPvTQIDAQABAoIBAFIlWMIVE0z1NNLb
+v/SP3oaaEK00v6QLFp5+fOtD4fSOq5eQeATmtWZxDeSTz4G+uRZctNipdmYhiovf
+ajj0cReXEQ3Ab9+wtcp2lDAndg6e7uaXDIJLcBh5fxawLnCwNkMRSFRTVwwNTajV
+pm9dOORKZ11l3tP4OXzG2IUoKy3Wj/1SKLL4zrdHi7802+L/GstK6/BGma+NFrFz
+U6yNqpvuzv7BH7w9G3nSz7u+8SjcY22Vs6q69GAQG3yf356cYCJhV7QIJXU0/VAF
+GFx5UDwlsOT2NhoOd/b9Q9RexKDl+qDupXQo0YFOObHIjHs8UGLOZkBtv4apCarA
+6u+BOwECgYEA9GbrP/5SfmN8xvF2XVjqjk9IUcvWAuTM4Bxav72e6aR9IOdye9vi
++GhwM6qON+LOnMVNhUKJ0+R/jjLy6Jq+00uKU65Q79x7lCBVSDDXWacV0IFIoAOp
+P4LkykjRZyzpIvjK5HGL1JYqZi89im93uuOiyMjoFS2syU+19b83UUECgYEA3TNk
+JVGWYLMcD3uVTe2e/yZSsX+0+QL8hm3bUSOIJ/mIe2dqCXb6MK0ndMS0aCLGtDSt
+wGTWwuc4rFattHYEI8Iro+tshgQs9bLM037hmiCrZvmcQsgt+3FNuYv4oCGp5U85
+mWYF5SVUYRyv8M9aZoKTjc8meR0Wv3ZGGC9iDw0CgYA0XKyAPGO+MmB0Wx1J6Jfw
+P2o2JB7I5e5DAbArrluSoSwx1YSApt6c6/tGBn+L16r+iYMPTu8ql6UAeUfzr9u8
+d02+mfU7Ppi3Zqn+2n/49ERHNLuzlLU5JzkPYcSDf2q/lGAby3vy4u1YkTx1IWac
+gtLIg8q9ZtjDFLHeYcZfQQKBgCCOpdjQT1/gPOsSd4FGzjYjv9wcPdjA1cY7eSJS
+JoIruijfqb3G40Ay3DHVmfAR3kk7z68XqHx7Z94Fy/9Zt3ZD6ARybEC1cKChNoCS
+lkYHNPMtHhC+QfZWUOhUb72x9r2nkYTAfXGisu6wOD0rZ9TatzkSGkmNPIHluJ9q
+qfYpAoGAPJiBBdSt7DC9ZZraQGMEHfRkE5CxEIRbIHJ9+U3Z7LTQT6MJ1y3VfcGs
+PetHcWtbU0Cl8blShaSwpxyCI01x3tUPw/b7tXMan/ImzjUgRe7kQXh2sf39V3b/
+fvzKXWBvOvc1lgG0pFgI/2xtGQQGTe74MzX5xFgw6eadRUnJeKI=
+-----END RSA PRIVATE KEY-----
diff --git a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
index 8f27e8c9a3f3dc..d61f76939c9c2e 100644
--- a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -1,5 +1,6 @@
 'use strict';
 const common = require('../common');
+const fixtures = require('../common/fixtures');
 // This test starts an https server and tries
 // to connect to it using a self-signed certificate.
@@ -20,53 +21,13 @@ if (crypto.constants.OPENSSL_VERSION_NUMBER < minOpenSSL)
 common.skip('OpenSSL < 1.1.1h');
 const https = require('https');
+const path = require('path');
-const key = `-----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA0y3pMvD2AjG5xGBkGfyjBq8QgwB13ExOOQeJHuMZ9oGu+9VM
-HzKawiLPD9ApMA2a7avcQ6p5H0e3bkpkUrE4oIMx3dooeG3fwcidcgXoJB7xzk/T
-GxUpkBaR6WXyiEvTkSwWlysk4Mh0d9qi84Ou1fzDVZ7GoOxSg9B0STukhInYeGZf
-Ol/tCZXTRTHwn7ri/alODz8L1WClKDETiheV8kSp1IgDMYNP5Vf3oZZdOHtCouOJ
-D1P3pAdQkScHHRKvis72ZjaU5AbjTxC4ItH+eDYn6VjH7TdILwuruWu23gzToV+v
-xNBGCkMCORTRiK1u7KwPleC0J4WrQWLe/XPvTQIDAQABAoIBAFIlWMIVE0z1NNLb
-v/SP3oaaEK00v6QLFp5+fOtD4fSOq5eQeATmtWZxDeSTz4G+uRZctNipdmYhiovf
-ajj0cReXEQ3Ab9+wtcp2lDAndg6e7uaXDIJLcBh5fxawLnCwNkMRSFRTVwwNTajV
-pm9dOORKZ11l3tP4OXzG2IUoKy3Wj/1SKLL4zrdHi7802+L/GstK6/BGma+NFrFz
-U6yNqpvuzv7BH7w9G3nSz7u+8SjcY22Vs6q69GAQG3yf356cYCJhV7QIJXU0/VAF
-GFx5UDwlsOT2NhoOd/b9Q9RexKDl+qDupXQo0YFOObHIjHs8UGLOZkBtv4apCarA
-6u+BOwECgYEA9GbrP/5SfmN8xvF2XVjqjk9IUcvWAuTM4Bxav72e6aR9IOdye9vi
-+GhwM6qON+LOnMVNhUKJ0+R/jjLy6Jq+00uKU65Q79x7lCBVSDDXWacV0IFIoAOp
-P4LkykjRZyzpIvjK5HGL1JYqZi89im93uuOiyMjoFS2syU+19b83UUECgYEA3TNk
-JVGWYLMcD3uVTe2e/yZSsX+0+QL8hm3bUSOIJ/mIe2dqCXb6MK0ndMS0aCLGtDSt
-wGTWwuc4rFattHYEI8Iro+tshgQs9bLM037hmiCrZvmcQsgt+3FNuYv4oCGp5U85
-mWYF5SVUYRyv8M9aZoKTjc8meR0Wv3ZGGC9iDw0CgYA0XKyAPGO+MmB0Wx1J6Jfw
-P2o2JB7I5e5DAbArrluSoSwx1YSApt6c6/tGBn+L16r+iYMPTu8ql6UAeUfzr9u8
-d02+mfU7Ppi3Zqn+2n/49ERHNLuzlLU5JzkPYcSDf2q/lGAby3vy4u1YkTx1IWac
-gtLIg8q9ZtjDFLHeYcZfQQKBgCCOpdjQT1/gPOsSd4FGzjYjv9wcPdjA1cY7eSJS
-JoIruijfqb3G40Ay3DHVmfAR3kk7z68XqHx7Z94Fy/9Zt3ZD6ARybEC1cKChNoCS
-lkYHNPMtHhC+QfZWUOhUb72x9r2nkYTAfXGisu6wOD0rZ9TatzkSGkmNPIHluJ9q
-qfYpAoGAPJiBBdSt7DC9ZZraQGMEHfRkE5CxEIRbIHJ9+U3Z7LTQT6MJ1y3VfcGs
-PetHcWtbU0Cl8blShaSwpxyCI01x3tUPw/b7tXMan/ImzjUgRe7kQXh2sf39V3b/
-fvzKXWBvOvc1lgG0pFgI/2xtGQQGTe74MzX5xFgw6eadRUnJeKI=
------END RSA PRIVATE KEY-----`;
+const key =
+ fixtures.readKey(path.join('selfsigned-no-keycertsign', 'key.pem'));
-const cert = `-----BEGIN CERTIFICATE-----
-MIIC9jCCAd6gAwIBAgIJANHflGRpZM1IMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
-BAMMCWxvY2FsaG9zdDAeFw0yMTAzMTUwOTEzMjdaFw0yMjAzMTUwOTEzMjdaMBQx
-EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANMt6TLw9gIxucRgZBn8owavEIMAddxMTjkHiR7jGfaBrvvVTB8ymsIizw/Q
-KTANmu2r3EOqeR9Ht25KZFKxOKCDMd3aKHht38HInXIF6CQe8c5P0xsVKZAWkell
-8ohL05EsFpcrJODIdHfaovODrtX8w1WexqDsUoPQdEk7pISJ2HhmXzpf7QmV00Ux
-8J+64v2pTg8/C9VgpSgxE4oXlfJEqdSIAzGDT+VX96GWXTh7QqLjiQ9T96QHUJEn
-Bx0Sr4rO9mY2lOQG408QuCLR/ng2J+lYx+03SC8Lq7lrtt4M06Ffr8TQRgpDAjkU
-0YitbuysD5XgtCeFq0Fi3v1z700CAwEAAaNLMEkwCwYDVR0PBAQDAgWgMBMGA1Ud
-JQQMMAoGCCsGAQUFBwMBMCUGA1UdEQQeMByCCTEyNy4wLjAuMYIJbG9jYWxob3N0
-hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQDAUCt/8Le2EO0ONOkQYUcPmSut6Siz
-UIQrJ8Lwfs0fb+Zk9ElNGLwYTzooKDgzK8cLQ8g8F2WkolBEPXDsy1Ab+e66WkJH
-NH/zAgEyG6cXXRNc+ObM5KbjY0YuDGiajKcndknuuCB+onlC1Pv5oFUSNa3/06+S
-sziFloGbg5S0AHT6lYnwZSM6G7Pre8mcRNRxL6Yw1FOOUpQZKPd7juy4GBRlCucn
-wmp/Fl0wIBDs91Vprig2TO+U6GvtqJ3n/RKXUz1ykUKETtRneSkqa6hFYjwRzawd
-ANpjy/orrVkqXriAbI/1xvBMInWdcMpXNeiOkxQeQdy8TLBk0ZViSJnf
------END CERTIFICATE-----`;
+const cert =
+ fixtures.readKey(path.join('selfsigned-no-keycertsign', 'cert.pem'));
 const serverOptions = {
 key: key,
From a44ed4b93c775460d754ec2b9569c1acbce8e5be Mon Sep 17 00:00:00 2001
From: Nils Dralle
Date: Wed, 14 Apr 2021 15:41:27 +0200
Subject: [PATCH 14/14] test: skip test when openssl_is_fips
---
 .../parallel/test-https-selfsigned-no-keycertsign-no-crash.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
index d61f76939c9c2e..2dd46ac878c5b0 100644
--- a/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
+++ b/test/parallel/test-https-selfsigned-no-keycertsign-no-crash.js
@@ -14,6 +14,10 @@ if (!common.hasCrypto)
 const crypto = require('crypto');
+// See #37990 for details on why this is problematic with FIPS.
+if (process.config.variables.openssl_is_fips)
+ common.skip('Skipping as test uses non-fips compliant EC curve');
+
 // This test will fail for OpenSSL < 1.1.1h
 const minOpenSSL = 269488271;
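Review bot: The skip reason `'Skipping as test uses non-fips compliant EC curve'` does not match the fixture: the key is a 2048-bit RSA key (`openssl genrsa` in https_renew_cert.sh, `BEGIN RSA PRIVATE KEY` in key.pem) and no EC curve is involved, so someone chasing a FIPS failure would be sent the wrong way. Either name the actual FIPS-incompatible element or keep the message neutral and point at the issue, e.g. `common.skip('Skipping in FIPS mode, see nodejs/node#37990');`. The `process.config.variables.openssl_is_fips` guard itself is fine.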