From 08ed2337eaecf58b747e4d01ae18cbe4f1cf45ef Mon Sep 17 00:00:00 2001 From: Alba Mendez Date: Sun, 6 Dec 2020 19:06:07 +0100 Subject: [PATCH] tls: forward new SecureContext options We have a few places where we individually forward each parameter to tls.createSecureContext(). In #28973 and others, we added new SecureContext options but forgot to keep these places up to date. As per https.Agent#getName, I understand that at least `privateKeyIdentifier` and `privateKeyEngine` should be added too, since they're a substitute for `key`. I've also added sigalgs. Fixes: https://github.com/nodejs/node/issues/36322 Refs: https://github.com/nodejs/node/pull/28973 PR-URL: https://github.com/nodejs/node/pull/36416 Reviewed-By: James M Snell Reviewed-By: Rich Trott --- lib/_tls_wrap.js | 12 +++++++++++- lib/https.js | 13 +++++++++++++ test/parallel/test-https-agent-getname.js | 10 +++++++--- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js index c5f30c01fa18e7..e63bcaaf6a7ce9 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -1320,6 +1320,9 @@ Server.prototype.setSecureContext = function(options) { if (options.ticketKeys) this.ticketKeys = options.ticketKeys; + this.privateKeyIdentifier = options.privateKeyIdentifier; + this.privateKeyEngine = options.privateKeyEngine; + this._sharedCreds = tls.createSecureContext({ pfx: this.pfx, key: this.key, @@ -1339,7 +1342,9 @@ Server.prototype.setSecureContext = function(options) { crl: this.crl, sessionIdContext: this.sessionIdContext, ticketKeys: this.ticketKeys, - sessionTimeout: this.sessionTimeout + sessionTimeout: this.sessionTimeout, + privateKeyIdentifier: this.privateKeyIdentifier, + privateKeyEngine: this.privateKeyEngine, }); }; @@ -1405,6 +1410,11 @@ Server.prototype.setOptions = deprecate(function(options) { } if (options.pskCallback) this[kPskCallback] = options.pskCallback; if (options.pskIdentityHint) this[kPskIdentityHint] = options.pskIdentityHint; + if (options.sigalgs) this.sigalgs = options.sigalgs; + if (options.privateKeyIdentifier !== undefined) + this.privateKeyIdentifier = options.privateKeyIdentifier; + if (options.privateKeyEngine !== undefined) + this.privateKeyEngine = options.privateKeyEngine; }, 'Server.prototype.setOptions() is deprecated', 'DEP0122'); // SNI Contexts High-Level API diff --git a/lib/https.js b/lib/https.js index 6aafef6cb639e1..e1f0936b631ade 100644 --- a/lib/https.js +++ b/lib/https.js @@ -24,6 +24,7 @@ const { ObjectAssign, ObjectSetPrototypeOf, + JSONStringify, } = primordials; require('internal/util').assertCrypto(); @@ -236,6 +237,18 @@ Agent.prototype.getName = function getName(options) { if (options.sessionIdContext) name += options.sessionIdContext; + name += ':'; + if (options.sigalgs) + name += JSONStringify(options.sigalgs); + + name += ':'; + if (options.privateKeyIdentifier) + name += options.privateKeyIdentifier; + + name += ':'; + if (options.privateKeyEngine) + name += options.privateKeyEngine; + return name; }; diff --git a/test/parallel/test-https-agent-getname.js b/test/parallel/test-https-agent-getname.js index dabb08f074af9a..6f8c32b299a669 100644 --- a/test/parallel/test-https-agent-getname.js +++ b/test/parallel/test-https-agent-getname.js @@ -12,7 +12,7 @@ const agent = new https.Agent(); // empty options assert.strictEqual( agent.getName({}), - 'localhost:::::::::::::::::::' + 'localhost::::::::::::::::::::::' ); // Pass all options arguments @@ -34,11 +34,15 @@ const options = { secureOptions: 0, secureProtocol: 'secureProtocol', servername: 'localhost', - sessionIdContext: 'sessionIdContext' + sessionIdContext: 'sessionIdContext', + sigalgs: 'sigalgs', + privateKeyIdentifier: 'privateKeyIdentifier', + privateKeyEngine: 'privateKeyEngine', }; assert.strictEqual( agent.getName(options), '0.0.0.0:443:192.168.1.1:ca:cert:dynamic:ciphers:key:pfx:false:localhost:' + - '::secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext' + '::secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext:' + + '"sigalgs":privateKeyIdentifier:privateKeyEngine' );