Skip to content

Commit

Permalink
crypto: add pfx certs as CA certs too
Browse files Browse the repository at this point in the history
According to documentation all certificates specified in `pfx` option
should be treated as a CA certificates too. While it doesn't seem to be
logically correct to me, we can't afford to break API stability at this
point.

Fix: nodejs#5100
PR-URL: nodejs#5109
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
  • Loading branch information
indutny authored and Michael Scovetta committed Apr 2, 2016
1 parent 0b59340 commit c539504
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 0 deletions.
11 changes: 11 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -982,6 +982,17 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
&sc->cert_,
&sc->issuer_) &&
SSL_CTX_use_PrivateKey(sc->ctx_, pkey)) {
// Add CA certs too
for (int i = 0; i < sk_X509_num(extra_certs); i++) {
X509* ca = sk_X509_value(extra_certs, i);

if (!sc->ca_store_) {
sc->ca_store_ = X509_STORE_new();
SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
}
X509_STORE_add_cert(sc->ca_store_, ca);
SSL_CTX_add_client_CA(sc->ctx_, ca);
}
ret = true;
}

Expand Down
36 changes: 36 additions & 0 deletions test/parallel/test-tls-pfx-gh-5100-regr.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
'use strict';

const common = require('../common');

if (!common.hasCrypto) {
console.log('1..0 # Skipped: node compiled without crypto.');
return;
}

const assert = require('assert');
const tls = require('tls');
const fs = require('fs');
const path = require('path');

const pfx = fs.readFileSync(
path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem'));

const server = tls.createServer({
pfx: pfx,
passphrase: 'sample',
requestCert: true,
rejectUnauthorized: false
}, common.mustCall(function(c) {
assert(c.authorizationError === null, 'authorizationError must be null');
c.end();
})).listen(common.PORT, function() {
var client = tls.connect({
port: common.PORT,
pfx: pfx,
passphrase: 'sample',
rejectUnauthorized: false
}, function() {
client.end();
server.close();
});
});

0 comments on commit c539504

Please sign in to comment.