diff --git a/doc/api/crypto.md b/doc/api/crypto.md index ef9db7ffc65420..7f77d3f940768c 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md 
@@ -1082,26 +1082,15 @@ deprecated: v0.11.13 > Stability: 0 - Deprecated: Use [`tls.createSecureContext()`][] instead. -The `crypto.createCredentials()` method is a deprecated alias for creating -and returning a `tls.SecureContext` object. The `crypto.createCredentials()` -method should not be used. +- `details` {Object} Identical to [`tls.createSecureContext()`][]. -The optional `details` argument is a hash object with keys: +The `crypto.createCredentials()` method is a deprecated function for creating +and returning a `tls.SecureContext`. It should not be used. Replace it with +[`tls.createSecureContext()`][] which has the exact same arguments and return +value. -* `pfx` : {String|Buffer} - PFX or PKCS12 encoded private - key, certificate and CA certificates -* `key` : {String} - PEM encoded private key -* `passphrase` : {String} - passphrase for the private key or PFX -* `cert` : {String} - PEM encoded certificate -* `ca` : {String|Array} - Either a string or array of strings of PEM encoded CA - certificates to trust. -* `crl` : {String|Array} - Either a string or array of strings of PEM encoded CRLs - (Certificate Revocation List) -* `ciphers`: {String} using the [OpenSSL cipher list format][] describing the - cipher algorithms to use or exclude. - -If no 'ca' details are given, Node.js will use Mozilla's default -[publicly trusted list of CAs][]. +Returns a `tls.SecureContext`, as-if [`tls.createSecureContext()`][] had been +called. ### crypto.createDecipher(algorithm, password) -* `options` {Object} - * `host` {string} Host the client should connect to. - * `port` {number} Port the client should connect to. - * `socket` {net.Socket} Establish secure connection on a given socket rather - than creating a new socket. If this option is specified, `host` and `port` - are ignored. - * `path` {string} Creates unix socket connection to path. If this option is - specified, `host` and `port` are ignored. 
- * `pfx` {string|Buffer} A string or `Buffer` containing the private key, - certificate, and CA certs of the client in PFX or PKCS12 format. - * `key` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of - strings, or array of `Buffer`s containing the private key of the client in - PEM format. - * `passphrase` {string} A string containing the passphrase for the private key - or pfx. - * `cert` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of - strings, or array of `Buffer`s containing the certificate key of the client - in PEM format. - * `ca` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of strings, - or array of `Buffer`s of trusted certificates in PEM format. If this is - omitted several well known "root" CAs (like VeriSign) will be used. These - are used to authorize connections. - * `ciphers` {string} A string describing the ciphers to use or exclude, - separated by `:`. Uses the same default cipher suite as - [`tls.createServer()`][]. - * `rejectUnauthorized` {boolean} If `true`, the server certificate is verified - against the list of supplied CAs. An `'error'` event is emitted if - verification fails; `err.code` contains the OpenSSL error code. Defaults to - `true`. - * `NPNProtocols` {string[]|Buffer[]} An array of strings or `Buffer`s - containing supported NPN protocols. `Buffer`s should have the format - `[len][name][len][name]...` e.g. `0x05hello0x05world`, where the first - byte is the length of the next protocol name. Passing an array is usually - much simpler, e.g. `['hello', 'world']`. - * `ALPNProtocols`: {string[]|Buffer[]} An array of strings or `Buffer`s - containing the supported ALPN protocols. `Buffer`s should have the format - `[len][name][len][name]...` e.g. `0x05hello0x05world`, where the first byte - is the length of the next protocol name. Passing an array is usually much - simpler: `['hello', 'world']`.) - * `servername`: {string} Server name for the SNI (Server Name Indication) TLS - extension. 
- * `checkServerIdentity(servername, cert)` {Function} A callback function - to be used when checking the server's hostname against the certificate. - This should throw an error if verification fails. The method should return - `undefined` if the `servername` and `cert` are verified. - * `secureProtocol` {string} The SSL method to use, e.g. `SSLv3_method` to - force SSL version 3. The possible values depend on the version of OpenSSL - installed in the environment and are defined in the constant - [SSL_METHODS][]. - * `secureContext` {object} An optional TLS context object as returned by from - `tls.createSecureContext( ... )`. It can be used for caching client - certificates, keys, and CA certificates. - * `session` {Buffer} A `Buffer` instance, containing TLS session. - * `minDHSize` {number} Minimum size of the DH parameter in bits to accept a - TLS connection. When a server offers a DH parameter with a size less - than `minDHSize`, the TLS connection is destroyed and an error is thrown. - Defaults to `1024`. -* `callback` {Function} +* `port` {number} Default value for `options.port`. +* `host` {string} Optional default value for `options.host`. +* `options` {Object} See [`tls.connect()`][]. +* `callback` {Function} See [`tls.connect()`][]. -Creates a new client connection to the given `options.port` and `options.host` -If `options.host` is omitted, it defaults to `localhost`. +Same as [`tls.connect()`][] except that `port` and `host` can be provided +as arguments instead of options. -The `callback` function, if specified, will be added as a listener for the -[`'secureConnect'`][] event. +*Note*: A port or host option, if specified, will take precedence over any port +or host argument. -`tls.connect()` returns a [`tls.TLSSocket`][] object. +## tls.connect(path[, options][, callback]) + -## tls.connect(port[, host][, options][, callback]) +* `path` {string} Default value for `options.path`. +* `options` {Object} See [`tls.connect()`][]. 
+* `callback` {Function} See [`tls.connect()`][]. + +Same as [`tls.connect()`][] except that `path` can be provided +as an argument instead of an option. + +*Note*: A path option, if specified, will take precedence over the path +argument. + +## tls.connect(options[, callback]) -* `port` {number} -* `host` {string} * `options` {Object} - * `host` {string} Host the client should connect to. + * `host` {string} Host the client should connect to, defaults to 'localhost'. * `port` {number} Port the client should connect to. - * `socket` {net.Socket} Establish secure connection on a given socket rather - than creating a new socket. If this option is specified, `host` and `port` - are ignored. * `path` {string} Creates unix socket connection to path. If this option is specified, `host` and `port` are ignored. - * `pfx` {string|Buffer} A string or `Buffer` containing the private key, - certificate, and CA certs of the client in PFX or PKCS12 format. - * `key` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of - strings, or array of `Buffer`s containing the private key of the client in - PEM format. - * `passphrase` {string} A string containing the passphrase for the private key - or pfx. - * `cert` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of - strings, or array of `Buffer`s containing the certificate key of the client - in PEM format. - * `ca` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of strings, - or array of `Buffer`s of trusted certificates in PEM format. If this is - omitted several well known "root" CAs (like VeriSign) will be used. These - are used to authorize connections. - * `ciphers` {string} A string describing the ciphers to use or exclude, - separated by `:`. Uses the same default cipher suite as - [`tls.createServer()`][]. + * `socket` {net.Socket} Establish secure connection on a given socket rather + than creating a new socket. If this option is specified, `path`, `host` and + `port` are ignored. 
Usually, a socket is already connected when passed to + `tls.connect()`, but it can be connected later. Note that + connection/disconnection/destruction of `socket` is the user's + responsibility, calling `tls.connect()` will not cause `net.connect()` to be + called. * `rejectUnauthorized` {boolean} If `true`, the server certificate is verified against the list of supplied CAs. An `'error'` event is emitted if verification fails; `err.code` contains the OpenSSL error code. Defaults to 
@@ -833,24 +806,21 @@ added: v0.11.3 to be used when checking the server's hostname against the certificate. This should throw an error if verification fails. The method should return `undefined` if the `servername` and `cert` are verified. - * `secureProtocol` {string} The SSL method to use, e.g. `SSLv3_method` to - force SSL version 3. The possible values depend on the version of OpenSSL - installed in the environment and are defined in the constant - [SSL_METHODS][]. - * `secureContext` {object} An optional TLS context object as returned by from - `tls.createSecureContext( ... )`. It can be used for caching client - certificates, keys, and CA certificates. * `session` {Buffer} A `Buffer` instance, containing TLS session. * `minDHSize` {number} Minimum size of the DH parameter in bits to accept a TLS connection. When a server offers a DH parameter with a size less than `minDHSize`, the TLS connection is destroyed and an error is thrown. Defaults to `1024`. + * `secureContext`: Optional TLS context object created with + [`tls.createSecureContext()`][]. If a `secureContext` is _not_ provided, one + will be created by passing the entire `options` object to + `tls.createSecureContext()`. *Note*: In effect, all + [`tls.createSecureContext()`][] options can be provided, but they will be + _completely ignored_ unless the `secureContext` option is missing. + * ...: Optional [`tls.createSecureContext()`][] options can be provided, see + the `secureContext` option for more information. * `callback` {Function} -Creates a new client connection to the given `port` and `host` or -`options.port` and `options.host`. (If `host` is omitted, it defaults to -`localhost`.) - The `callback` function, if specified, will be added as a listener for the [`'secureConnect'`][] event. 
@@ -918,81 +888,87 @@ added: v0.11.13 --> * `options` {Object} - * `pfx` {string|Buffer} A string or `Buffer` holding the PFX or PKCS12 encoded - private key, certificate, and CA certificates. - * `key` {string|string[]|Buffer|Object[]} The private key of the server in - PEM format. To support multiple keys using different algorithms, an array - can be provided either as an array of key strings or as an array of objects - in the format `{pem: key, passphrase: passphrase}`. This option is - *required* for ciphers that make use of private keys. - * `passphrase` {string} A string containing the passphrase for the private key - or pfx. - * `cert` {string} A string containing the PEM encoded certificate - * `ca`{string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of strings, - or array of `Buffer`s of trusted certificates in PEM format. If omitted, - several well known "root" CAs (like VeriSign) will be used. These are used - to authorize connections. - * `crl` {string|string[]} Either a string or array of strings of PEM encoded - CRLs (Certificate Revocation List). - * `ciphers` {string} A string describing the ciphers to use or exclude. - Consult - - for details on the format. - * `honorCipherOrder` {boolean} If `true`, when a cipher is being selected, - the server's preferences will be used instead of the client preferences. + * `pfx` {string|Buffer} Optional PFX or PKCS12 encoded private key and + certificate chain. `pfx` is an alternative to providing `key` and `cert` + individually. PFX is usually encrypted, if it is, `passphrase` will be used + to decrypt it. + * `key` {string|string[]|Buffer|Buffer[]|Object[]} Optional private keys in + PEM format. Single keys will be decrypted with `passphrase` if necessary. + Multiple keys, probably using different algorithms, can be provided either + as an array of unencrypted key strings or buffers, or an array of objects in + the form `{pem: , passphrase: }`. 
The object form can + only occur in an array, and it _must_ include a passphrase, even if key is + not encrypted. + * `passphrase` {string} Optional shared passphrase used for a single private + key and/or a PFX. + * `cert` {string|string[]|Buffer|Buffer[]} Optional cert chains in PEM format. + One cert chain should be provided per private key. Each cert chain should + consist of the PEM formatted certificate for a provided private `key`, + followed by the PEM formatted intermediate certificates (if any), in order, + and not including the root CA (the root CA must be pre-known to the peer, + see `ca`). When providing multiple cert chains, they do not have to be in + the same order as their private keys in `key`. If the intermediate + certificates are not provided, the peer will not be able to validate the + certificate, and the handshake will fail. + * `ca`{string|string[]|Buffer|Buffer[]} Optional CA certificates to trust. + Default is the well-known CAs from Mozilla. When connecting to peers that + use certificates issued privately, or self-signed, the private root CA or + self-signed certificate must be provided to verify the peer. + * `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted + CRLs (Certificate Revocation Lists). + * `ciphers` {string} Optional cipher suite specification, replacing the + default. For more information, see [modifying the default cipher suite][]. + * `honorCipherOrder` {boolean} Attempt to use the server's cipher suite + preferences instead of the client's. When `true`, causes + `SSL_OP_CIPHER_SERVER_PREFERENCE` to be set in `secureOptions`, see + [OpenSSL Options][] for more information. + *Note*: [`tls.createServer()`][] sets the default value to `true`, other + APIs that create secure contexts leave it unset. + * `ecdhCurve` {string} A string describing a named curve to use for ECDH key + agreement or `false` to disable ECDH. Defaults to `prime256v1` (NIST P-256). 
+ Use [`crypto.getCurves()`][] to obtain a list of available curve names. On + recent releases, `openssl ecparam -list_curves` will also display the name + and description of each available elliptic curve. + * `dhparam` {string|Buffer} Diffie Hellman parameters, required for + [Perfect Forward Secrecy][]. Use `openssl dhparam` to create the parameters. + The key length must be greater than or equal to 1024 bits, otherwise an + error will be thrown. It is strongly recommended to use 2048 bits or larger + for stronger security. If omitted or invalid, the parameters are silently + discarded and DHE ciphers will not be available. + * `secureProtocol` {string} Optional SSL method to use, default is + `"SSLv23_method"`. The possible values are listed as [SSL_METHODS][], use + the function names as strings. For example, `"SSLv3_method"` to force SSL + version 3. + * `secureOptions` {number} Optionally affect the OpenSSL protocol behaviour, + which is not usually necessary. This should be used carefully if at all! + Value is a numeric bitmask of the `SSL_OP_*` options from + [OpenSSL Options][]. + * `sessionIdContext` {string} Optional opaque identifier used by servers to + ensure session state is not shared between applications. Unused by clients. + *Note*: [`tls.createServer()`][] uses a 128 bit truncated SHA1 hash value + generated from `process.argv`, other APIs that create secure contexts + have no default value. The `tls.createSecureContext()` method creates a credentials object. +A key is *required* for ciphers that make use of certificates. Either `key` or +`pfx` can be used to provide it. + If the 'ca' option is not given, then Node.js will use the default publicly trusted list of CAs as given in . 
-## tls.createServer(options[, secureConnectionListener]) +## tls.createServer([options][, secureConnectionListener]) * `options` {Object} - * `pfx` {string|Buffer} A string or `Buffer` containing the private key, - certificate and CA certs of the server in PFX or PKCS12 format. (Mutually - exclusive with the `key`, `cert`, and `ca` options.) - * `key` {string|string[]|Buffer|Object[]} The private key of the server in - PEM format. To support multiple keys using different algorithms an array can - be provided either as a plain array of key strings or an array of objects - in the format `{pem: key, passphrase: passphrase}`. This option is - *required* for ciphers that make use of private keys. - * `passphrase` {string} A string containing the passphrase for the private - key or pfx. - * `cert` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of - strings, or array of `Buffer`s containing the certificate key of the server - in PEM format. (Required) - * `ca` {string|string[]|Buffer|Buffer[]} A string, `Buffer`, array of strings, - or array of `Buffer`s of trusted certificates in PEM format. If this is - omitted several well known "root" CAs (like VeriSign) will be used. These - are used to authorize connections. - * `crl` {string|string[]} Either a string or array of strings of PEM encoded - CRLs (Certificate Revocation List). - * `ciphers` {string} A string describing the ciphers to use or exclude, - separated by `:`. - * `ecdhCurve` {string} A string describing a named curve to use for ECDH key - agreement or `false` to disable ECDH. Defaults to `prime256v1` (NIST P-256). - Use [`crypto.getCurves()`][] to obtain a list of available curve names. On - recent releases, `openssl ecparam -list_curves` will also display the name - and description of each available elliptic curve. - * `dhparam` {string|Buffer} A string or `Buffer` containing Diffie Hellman - parameters, required for [Perfect Forward Secrecy][]. Use - `openssl dhparam` to create the parameters. 
The key length must be greater - than or equal to 1024 bits, otherwise an error will be thrown. It is - strongly recommended to use 2048 bits or larger for stronger security. If - omitted or invalid, the parameters are silently discarded and DHE ciphers - will not be available. * `handshakeTimeout` {number} Abort the connection if the SSL/TLS handshake does not finish in the specified number of milliseconds. Defaults to `120` seconds. A `'clientError'` is emitted on the `tls.Server` object whenever a handshake times out. - * `honorCipherOrder` {boolean} When choosing a cipher, use the server's - preferences instead of the client preferences. Defaults to `true`. * `requestCert` {boolean} If `true` the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to `false`. 
@@ -1019,58 +995,13 @@ added: v0.3.2 a 16-byte HMAC key, and a 16-byte AES key. This can be used to accept TLS session tickets on multiple instances of the TLS server. *Note* that this is automatically shared between `cluster` module workers. - * `sessionIdContext` {string} A string containing an opaque identifier for - session resumption. If `requestCert` is `true`, the default is a 128 bit - truncated SHA1 hash value generated from the command-line. Otherwise, a - default is not provided. - * `secureProtocol` {string} The SSL method to use, e.g. `SSLv3_method` to - force SSL version 3. The possible values depend on the version of OpenSSL - installed in the environment and are defined in the constant - [SSL_METHODS][]. + * ...: Any [`tls.createSecureContext()`][] options can be provided. For + servers, the identity options (`pfx` or `key`/`cert`) are usually required. * `secureConnectionListener` {Function} Creates a new [tls.Server][]. The `secureConnectionListener`, if provided, is automatically set as a listener for the [`'secureConnection'`][] event. -For the `ciphers` option, the default cipher suite is: - -```text -ECDHE-RSA-AES128-GCM-SHA256: -ECDHE-ECDSA-AES128-GCM-SHA256: -ECDHE-RSA-AES256-GCM-SHA384: -ECDHE-ECDSA-AES256-GCM-SHA384: -DHE-RSA-AES128-GCM-SHA256: -ECDHE-RSA-AES128-SHA256: -DHE-RSA-AES128-SHA256: -ECDHE-RSA-AES256-SHA384: -DHE-RSA-AES256-SHA384: -ECDHE-RSA-AES256-SHA256: -DHE-RSA-AES256-SHA256: -HIGH: -!aNULL: -!eNULL: -!EXPORT: -!DES: -!RC4: -!MD5: -!PSK: -!SRP: -!CAMELLIA -``` - -The default cipher suite prefers GCM ciphers for [Chrome's 'modern -cryptography' setting] and also prefers ECDHE and DHE ciphers for Perfect -Forward Secrecy, while offering *some* backward compatibility. - -128 bit AES is preferred over 192 and 256 bit AES in light of [specific -attacks affecting larger AES key sizes]. 
- -Old clients that rely on insecure and deprecated RC4 or DES-based ciphers -(like Internet Explorer 6) cannot complete the handshaking process with -the default configuration. If these clients _must_ be supported, the -[TLS recommendations] may offer a compatible cipher suite. For more details -on the format, see the [OpenSSL cipher list format documentation]. - The following illustrates a simple echo server: ```js @@ -1254,6 +1185,8 @@ where `secure_socket` has the same API as `pair.cleartext`. [OpenSSL cipher list format documentation]: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites +[OpenSSL Options]: crypto.html#crypto_openssl_options +[modifying the default cipher suite]: #tls_modifying_the_default_tls_cipher_suite [specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html [`crypto.getCurves()`]: crypto.html#crypto_crypto_getcurves [`tls.createServer()`]: #tls_tls_createserver_options_secureconnectionlistener diff --git a/lib/_tls_common.js b/lib/_tls_common.js index 6e98c1ee4d66d2..9cb70453860484 100644 --- a/lib/_tls_common.js +++ b/lib/_tls_common.js @@ -12,9 +12,9 @@ var crypto = null; const binding = process.binding('crypto'); const NativeSecureContext = binding.SecureContext; -function SecureContext(secureProtocol, flags, context) { +function SecureContext(secureProtocol, secureOptions, context) { if (!(this instanceof SecureContext)) { - return new SecureContext(secureProtocol, flags, context); + return new SecureContext(secureProtocol, secureOptions, context); } if (context) { @@ -29,7 +29,7 @@ function SecureContext(secureProtocol, flags, context) { } } - if (flags) this.context.setOptions(flags); + if (secureOptions) this.context.setOptions(secureOptions); } exports.SecureContext = SecureContext; 
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js index d9dafceb950dc7..434384cec81595 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -745,18 +745,19 @@ TLSSocket.prototype.getProtocol = function() { // "PATH_LENGTH_EXCEEDED", "INVALID_PURPOSE" "CERT_UNTRUSTED", // "CERT_REJECTED" // -function Server(/* [options], listener */) { - var options, listener; +function Server(options, listener) { + if (!(this instanceof Server)) + return new Server(options, listener); - if (arguments[0] !== null && typeof arguments[0] === 'object') { - options = arguments[0]; - listener = arguments[1]; - } else if (typeof arguments[0] === 'function') { + if (typeof options === 'function') { + listener = options; options = {}; - listener = arguments[0]; + } else if (options == null || typeof options === 'object') { + options = options || {}; + } else { + throw new TypeError('options must be an object'); } - if (!(this instanceof Server)) return new Server(options, listener); this._contexts = []; @@ -975,6 +976,11 @@ function normalizeConnectArgs(listArgs) { var options = args[0]; var cb = args[1]; + // If args[0] was options, then normalize dealt with it. + // If args[0] is port, or args[0], args[1] is host,port, we need to + // find the options and merge them in, normalize's options has only + // the host/port/path args that it knows about, not the tls options. + // This means that options.host overrides a host arg. if (listArgs[1] !== null && typeof listArgs[1] === 'object') { options = util._extend(options, listArgs[1]); } else if (listArgs[2] !== null && typeof listArgs[2] === 'object') { @@ -984,7 +990,7 @@ function normalizeConnectArgs(listArgs) { return (cb) ? [options, cb] : [options]; } -exports.connect = function(/* [port, host], options, cb */) { +exports.connect = function(/* [port,] [host,] [options,] [cb] */) { const argsLen = arguments.length; var args = new Array(argsLen); for (var i = 0; i < argsLen; i++) 
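Review bot: The new `else if (options == null || typeof options === 'object')` branch in `Server` still accepts arrays and other non-plain objects, so a call such as `tls.createServer([])` is treated as an empty options bag instead of reaching the new `TypeError`. A mistyped call of that kind presumably produces a server with default settings and no identity, which would only surface at handshake time. If that is not intended, tighten the branch to `} else if (options == null || (typeof options === 'object' && !Array.isArray(options))) {`. The removed `/* [options], listener */` signature comment also has no replacement; a line such as `// Accepts (options, listener), (listener) or no arguments; any other first argument throws TypeError.` would record the contract. The body of `Server` continues outside the hunk.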
diff --git a/test/fixtures/raw-key.pem b/test/fixtures/raw-key.pem new file mode 100644 index 00000000000000..3e27f9f8870ad0 --- /dev/null +++ b/test/fixtures/raw-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQChmQeFwsaomtQbw9Nm55Dn6KSR9bkY8PDroQUeTNa90BlIbhGs +KYm4l7bERaasFgOrkcQpk45fdDVYPjKxraZiGXXKjSIDYeDAIC/+CkwQKrejgCPm +Js4gV4g+npvwi1gVr2NAg7fkJOyEW2TDp4dsAD8qtG8Aml0C1hJXwFYmBwIDAQAB +AoGAVgZpAsQVjVwe3kj5GSbc9Rfbw/fTeXuKRWWKm/67soA9dVli/wt9zU62dPW/ +LIzrl0IZ8ygh+p6aZ0d1JTEUCPx7e0KocCmNg77i5AG0eK5i/KKjTWB4UGRDylfD +dnBXQc814bK+VB0mrcp46U/7tLGYkV2Kz/LiNpmxKwITS4ECQQDPoA6WIU87Eulq +OuVmJnFIQ2IR3SycVisO7TUq2MItq2U4BwsA3aQ4ehpP/uJdAfJEfwi2omRV5pGb +806pWkfPAkEAxz+igHS8tR11aLck71dD4BRBY7XZCUg6G4zmYYWsqj0yvM6c4Yn0 +HRcrZqFvV/xuMFphWEmMBhrqLvgy66yUSQJBALkei4LeRid0sDswMhMHGaAFvG4T +FtB5n8CaTPpb854GoKP42521ANP+QnGq36dvsdPStDEqz20rvA4hPLSQs08CQCV8 +eWxFikNg+XfsDQzilCiSZwMFcYHnjtckGSv75FJbFTKkhKuCMuVOOKIkeThKi8iZ +GHttyuRTKAASPjJM09ECQBrhlKJwYKuUDMp3qkLBgrXYqbFxZtkS2GeFMUfLcRlx +oMrTFEczz9lZ0huTuQYPeAAOY0Gd84mL0kQqTRTzNLs= +-----END RSA PRIVATE KEY----- diff --git a/test/parallel/test-tls-multi-key.js b/test/parallel/test-tls-multi-key.js index e73ee2e25e6931..e29f5ee522829e 100644 --- a/test/parallel/test-tls-multi-key.js +++ b/test/parallel/test-tls-multi-key.js @@ -11,8 +11,8 @@ var fs = require('fs'); var options = { key: [ + fs.readFileSync(common.fixturesDir + '/keys/ec-key.pem'), fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'), - fs.readFileSync(common.fixturesDir + '/keys/ec-key.pem') ], cert: [ fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'), diff --git a/test/parallel/test-tls-no-cert-required.js b/test/parallel/test-tls-no-cert-required.js index de723e73e8a335..3c7cf4462fcd07 100644 --- a/test/parallel/test-tls-no-cert-required.js +++ b/test/parallel/test-tls-no-cert-required.js 
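Review bot: In test-tls-multi-key.js the reason for swapping the two `key` entries is not recorded, so the change reads like an accidental reorder. With `agent1-cert.pem` still first in `cert`, the keys now appear to be listed in a different order from their cert chains, which matches the tls.md text in this commit saying the two orders need not agree. A comment above the array, for example `// Keys are deliberately listed in a different order from their certs.`, would stop a later cleanup from re-sorting them and silently dropping that coverage. The `cert` array continues outside the hunk, so the position of the EC cert is assumed rather than visible.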
@@ -1,15 +1,30 @@ 'use strict'; -var common = require('../common'); +const assert = require('assert'); +const common = require('../common'); if (!common.hasCrypto) { common.skip('missing crypto'); return; } -var tls = require('tls'); +const tls = require('tls'); // Omitting the cert or pfx option to tls.createServer() should not throw. // AECDH-NULL-SHA is a no-authentication/no-encryption cipher and hence // doesn't need a certificate. -tls.createServer({ ciphers: 'AECDH-NULL-SHA' }).listen(0, function() { +tls.createServer({ ciphers: 'AECDH-NULL-SHA' }) + .listen(0, common.mustCall(close)); + +tls.createServer(assert.fail) + .listen(0, common.mustCall(close)); + +tls.createServer({}) + .listen(0, common.mustCall(close)); + +assert.throws(() => tls.createServer('this is not valid'), TypeError); + +tls.createServer() + .listen(0, common.mustCall(close)); + +function close() { this.close(); -}); +} diff --git a/test/parallel/test-tls-passphrase.js b/test/parallel/test-tls-passphrase.js index 8999f470187f78..319c3511dce7ee 100644 --- a/test/parallel/test-tls-passphrase.js +++ b/test/parallel/test-tls-passphrase.js 
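Review bot: The existing comment about `AECDH-NULL-SHA` now sits above all of the new cases in test-tls-no-cert-required.js, but only the first call uses that cipher. The listener-only, `{}` and no-argument calls are checking argument handling in `tls.createServer()`, not the no-authentication cipher, and nothing says so. Add a line before them, for example `// Argument handling: listener only, empty options and no arguments must not throw at construction time.` The rejection case covers only a string, so `assert.throws(() => tls.createServer(1), TypeError);` would also pin the other primitive types.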
@@ -1,21 +1,27 @@ 'use strict'; -var common = require('../common'); -var assert = require('assert'); +const common = require('../common'); +const assert = require('assert'); if (!common.hasCrypto) { common.skip('missing crypto'); return; } -var tls = require('tls'); +const tls = require('tls'); -var fs = require('fs'); -var path = require('path'); +const fs = require('fs'); +const path = require('path'); -var key = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem')); -var cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem')); +const passKey = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem')); +const rawKey = fs.readFileSync(path.join(common.fixturesDir, 'raw-key.pem')); +const cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem')); -var server = tls.Server({ - key: key, +assert(Buffer.isBuffer(passKey)); +assert(Buffer.isBuffer(cert)); +assert.strictEqual(typeof passKey.toString(), 'string'); +assert.strictEqual(typeof cert.toString(), 'string'); + +const server = tls.Server({ + key: passKey, passphrase: 'passphrase', cert: cert, ca: [cert], 
@@ -26,24 +32,174 @@ var server = tls.Server({ }); server.listen(0, common.mustCall(function() { - var c = tls.connect({ + // Buffer + tls.connect({ port: this.address().port, - key: key, + key: passKey, passphrase: 'passphrase', cert: cert, rejectUnauthorized: false }, common.mustCall(function() {})); - c.on('end', function() { - server.close(); - }); -})); + + tls.connect({ + port: this.address().port, + key: rawKey, + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: rawKey, + passphrase: 'passphrase', // Ignored. + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + // Buffer[] + /* XXX(sam) Should work, but its unimplemented ATM. + tls.connect({ + port: this.address().port, + key: [passKey], + passphrase: 'passphrase', + cert: [cert], + rejectUnauthorized: false + }, common.mustCall(function() {})); + */ + + tls.connect({ + port: this.address().port, + key: [rawKey], + cert: [cert], + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [rawKey], + passphrase: 'passphrase', // Ignored. + cert: [cert], + rejectUnauthorized: false + }, common.mustCall(function() {})); + + // string + tls.connect({ + port: this.address().port, + key: passKey.toString(), + passphrase: 'passphrase', + cert: cert.toString(), + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: rawKey.toString(), + cert: cert.toString(), + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: rawKey.toString(), + passphrase: 'passphrase', // Ignored. + cert: cert.toString(), + rejectUnauthorized: false + }, common.mustCall(function() {})); + + // String[] + /* XXX(sam) Should work, but its unimplemented ATM. 
+ tls.connect({ + port: this.address().port, + key: [passKey.toString()], + passphrase: 'passphrase', + cert: [cert.toString()], + rejectUnauthorized: false + }, common.mustCall(function() {})); + */ + + tls.connect({ + port: this.address().port, + key: [rawKey.toString()], + cert: [cert.toString()], + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [rawKey.toString()], + passphrase: 'passphrase', // Ignored. + cert: [cert.toString()], + rejectUnauthorized: false + }, common.mustCall(function() {})); + + // Object[] + tls.connect({ + port: this.address().port, + key: [{pem: passKey, passphrase: 'passphrase'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [{pem: passKey.toString(), passphrase: 'passphrase'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey, passphrase: 'passphrase'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey.toString(), passphrase: 'passphrase'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + /* XXX(sam) Should work, but unimplemented ATM + tls.connect({ + port: this.address().port, + key: [{pem: rawKey}], + passphrase: 'passphrase', + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey.toString()}], + passphrase: 'passphrase', + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall(function() {})); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey.toString()}], + cert: cert, + 
rejectUnauthorized: false + }, common.mustCall(function() {})); + */ +})).unref(); assert.throws(function() { tls.connect({ port: server.address().port, - key: key, + key: passKey, passphrase: 'invalid', cert: cert, rejectUnauthorized: false }); -}); +}, /bad decrypt/);
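Review bot: The three blocks commented out with `XXX(sam) Should work, but its unimplemented ATM` leave the unsupported key and passphrase combinations untested. Nothing pins what happens today when an encrypted key is passed inside an array with a shared `passphrase`, or when the `{pem: ...}` object form omits `passphrase`. Since tls.md in this commit documents that limitation, it would be safer to turn each block into an explicit `assert.throws(...)` on the current behaviour, or to keep it commented out with a tracking reference such as `// TODO(<issue-url>): enable once array keys honour the shared passphrase.` Separately, the final `assert.throws(..., /bad decrypt/)` matches what looks like OpenSSL's own error text, so it may break on a library update; a short comment stating where the string comes from would help whoever has to fix it.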