tls: support reading multiple cas from one input #4099
Conversation
X509_free(x509); | ||
unsigned cert_count = 0; | ||
if (BIO* bio = LoadBIO(env, args[0])) { | ||
while (X509* x509 = // NOLINT(whitespace/if-one-line) |
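Review bot: the `while (X509* x509 = // NOLINT(whitespace/if-one-line)` line splits the loop condition across lines purely to silence the linter; writing it as `while (true)` with a `break` when `PEM_read_bio_X509` returns `nullptr` keeps the same control flow without the directive. Also make sure `cert_count`, declared just above, is checked once the loop ends so that an input from which no certificate could be parsed raises an error instead of installing an empty CA list, and that the `BIO` returned by `LoadBIO` is released after the loop.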
Let's do `while (true)` here, and break in loop if `x509 === nullptr`. I don't think that this deserves disabling lint rules.
The NOLINT works around what I suspect is a bug in the lint rule. If you put the `while` on a single line (and `s/nullptr/0/` to keep it < 80 columns) it won't trigger.
idk, it doesn't look like a good code style to me, splitting while's condition between lines. That's just my opinion, though
/cc @trevnorris - you can be the arbitrator.
Is the following not possible?

```cpp
if (BIO* bio = LoadBIO(env, args[0])) {
  X509* x509;
  while (x509 = PEM_read_bio_X509(bio, nullptr, CryptoPemCallback, nullptr)) {
    // ...
  }
}
```

If not, I'd say how it is now isn't the prettiest but personally find it easier to logically follow. Which wins for me.
LGTM with lint comment.

LGTM

One more CI run: https://ci.nodejs.org/job/node-test-pull-request/954/
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: nodejs#4096 PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Conservatively tagging this semver-minor.

@bnoordhuis shouldn't this have a doc change too?
Notable changes:

* build:
  - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
  - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
  - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) #3511.
  - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) #3951.
  - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) #4021.

PR-URL: #4181
I don't know. The report was from someone who assumed a PEM with multiple certificates would Just Work(TM) and that's what I assumed as well.
But now that I look at tls.markdown, we say different things in different places.
vs.
I'll try to come up with a PR later today that harmonizes them.
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: nodejs#4099 PR-URL: nodejs#4213 Reviewed-By: Roman Reiss <me@silverwind.io>
@bnoordhuis if this is semver-minor should it land in lts?

IMO this is not a big enough deal to warrant shipping in v4, it can wait till v6.

Should this be labeled

@Trott yep

I've taken the liberty/initiative to apply

+1, although
If the valid `ca` is the first item within the concatenated string then the bug addressed by nodejs#4099 was not getting exposed. This test makes sure the order of valid `ca` should not affect the expected behavior when multiple `ca` certs are concatenated.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/891/
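An added JavaScript example (not Node's own code) of the `ca` handling that the commit message and the follow-up test describe: `ca` may be an array of PEM strings or one string carrying several newline-separated certificates, every certificate is picked up regardless of its position in the string, and a string with no certificate at all is rejected instead of yielding an empty trust store. The certificate bodies below are constructed placeholders, not real certificates.

```javascript
// Matches one PEM CERTIFICATE block; the lazy quantifier stops at the first END marker.
const CERT_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;

// Split a single PEM string into its individual CERTIFICATE blocks.
// Other PEM block types (keys, parameters) and comments are skipped, not errors.
function splitPemCerts(pem) {
  if (typeof pem !== 'string') throw new TypeError('ca entry must be a string');
  return pem.match(CERT_BLOCK) || [];
}

// Accept `ca` as a string or an array of strings and return a flat list of
// single-certificate PEM strings, preserving the order in which they appear.
// An entry that yields no certificate is rejected: silently accepting it would
// leave the caller with fewer trust anchors than it believes it configured.
function normalizeCa(ca) {
  const inputs = Array.isArray(ca) ? ca : [ca];
  const certs = [];
  for (const entry of inputs) {
    const found = splitPemCerts(entry);
    if (found.length === 0) throw new Error('ca entry contains no certificate');
    certs.push(...found);
  }
  return certs;
}

// Constructed sample data: the base64 bodies are placeholders, not real X.509 DER.
const FAKE_CA_1 = '-----BEGIN CERTIFICATE-----\nQ0ExLXBsYWNlaG9sZGVy\n-----END CERTIFICATE-----';
const FAKE_CA_2 = '-----BEGIN CERTIFICATE-----\nQ0EyLXBsYWNlaG9sZGVy\n-----END CERTIFICATE-----';
// One bundle string, as a user would get from `cat ca1.pem ca2.pem`.
const BUNDLE = FAKE_CA_1 + '\n' + FAKE_CA_2 + '\n';

// Stand-alone run: both forms of `ca` resolve to the same two certificates.
console.log(normalizeCa(BUNDLE).length, normalizeCa([FAKE_CA_1, FAKE_CA_2]).length);
```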