From c58197f8484c5ad5d7b204c323e6c481930c05b7 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Fri, 5 Feb 2016 23:13:30 -0500 Subject: [PATCH 1/3] crypto: add `pfx` certs as CA certs too According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 --- src/node_crypto.cc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index b4e6662009cd10..92cf0efda1950b 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -982,6 +982,17 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { &sc->cert_, &sc->issuer_) && SSL_CTX_use_PrivateKey(sc->ctx_, pkey)) { + // Add CA certs too + for (int i = 0; i < sk_X509_num(extra_certs); i++) { + X509* ca = sk_X509_value(extra_certs, i); + + if (!sc->ca_store_) { + sc->ca_store_ = X509_STORE_new(); + SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); + } + X509_STORE_add_cert(sc->ca_store_, ca); + SSL_CTX_add_client_CA(sc->ctx_, ca); + } ret = true; } From b5d9dcfa2c05820a0c73554faad5773da2abb849 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Fri, 5 Feb 2016 23:13:36 -0500 Subject: [PATCH 2/3] crypto: fix memory leak in LoadPKCS12 `sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. --- src/node_crypto.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 92cf0efda1950b..6fdf95a59dc75d 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -1001,7 +1001,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { if (cert != nullptr) X509_free(cert); if (extra_certs != nullptr) - sk_X509_free(extra_certs); + sk_X509_pop_free(extra_certs, X509_free); PKCS12_free(p12); BIO_free_all(in); From ad378a92a6d8ffde0d4b9121f6064936965c3ee4 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Mon, 8 Feb 2016 00:02:42 -0500 Subject: [PATCH 3/3] test --- test/parallel/test-tls-pfx-gh-5100-regr.js | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 test/parallel/test-tls-pfx-gh-5100-regr.js diff --git a/test/parallel/test-tls-pfx-gh-5100-regr.js b/test/parallel/test-tls-pfx-gh-5100-regr.js new file mode 100644 index 00000000000000..865ac2ba3f299a --- /dev/null +++ b/test/parallel/test-tls-pfx-gh-5100-regr.js @@ -0,0 +1,36 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) { + console.log('1..0 # Skipped: node compiled without crypto.'); + return; +} + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +const pfx = fs.readFileSync( + path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); + +const server = tls.createServer({ + pfx: pfx, + passphrase: 'sample', + requestCert: true, + rejectUnauthorized: false +}, common.mustCall(function(c) { + assert(c.authorizationError === null, 'authorizationError must be null'); + c.end(); +})).listen(common.PORT, function() { + var client = tls.connect({ + port: common.PORT, + pfx: pfx, + passphrase: 'sample', + rejectUnauthorized: false + }, function() { + client.end(); + server.close(); + }); +});