-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: add pfx
certs as CA certs too
#5109
Conversation
cc @nodejs/crypto |
Probably needs to land on v5 too. |
@@ -990,7 +1001,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) { | |||
if (cert != nullptr) | |||
X509_free(cert); | |||
if (extra_certs != nullptr) | |||
sk_X509_free(extra_certs); | |||
sk_X509_pop_free(extra_certs, X509_free); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is unrelated bugfix for a memory leak, not sure if I should submit it separately. It won't have a test case anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might make sense to put as two commits for back-porting purposes... I don't see why they couldn't both come in on this PR though
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, force pushed.
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself.
LGTM |
@jasnell thank you! May have an additional LGTM from @bnoordhuis or @shigeki, before landing? |
@indutny The fixes are LGTM but no tests. I've just made tests to check them as in We should have changed the API to add a new option of |
Ouch, I just forgot to include it in PR. Sorry! Included it. |
@indutny The test is fine. LGTM. |
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Looks like this landed with a failing test in CI. https://ci.nodejs.org/job/node-test-commit-linux-fips/834/nodes=ubuntu1404-64/console So, uh, CI will fail every time... |
The pfx file created by pkcs12 command of openssl causes an error in FIPS mode because its certificate is encrypted with RC2 by default. Adding `-descert` option resolves the error. Fix: nodejs#5144 Fix: nodejs#5109
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100 PR-URL: nodejs#5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: nodejs#5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
The pfx file created by pkcs12 command of openssl causes an error in FIPS mode because its certificate is encrypted with RC2 by default. Adding `-descert` option resolves the error. Fix: nodejs#5144 Fix: nodejs#5109 PR-URL: nodejs#5150 Reviewed-By: Rich Trott <rtrott@gmail.com>
According to documentation all certificates specified in
pfx
optionshould be treated as a CA certificates too. While it doesn't seem to be
logically correct to me, we can't afford to break API stability at this
point.
Fix: #5100