-
Notifications
You must be signed in to change notification settings - Fork 29.8k
/
test-tls-add-ca-cert.js
54 lines (41 loc) · 1.32 KB
/
test-tls-add-ca-cert.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
'use strict';
const common = require('../common');
if (!common.hasCrypto)
common.skip('missing crypto');
// Test interaction of compiled-in CAs with user-provided CAs.
const assert = require('assert');
const fs = require('fs');
const fixtures = require('../common/fixtures');
const tls = require('tls');
function filenamePEM(n) {
return fixtures.path('keys', `${n}.pem`);
}
function loadPEM(n) {
return fs.readFileSync(filenamePEM(n));
}
const caCert = loadPEM('ca1-cert');
const opts = {
host: 'www.nodejs.org',
port: 443,
rejectUnauthorized: true
};
// Success relies on the compiled in well-known root CAs
tls.connect(opts, common.mustCall(end));
// The .ca option replaces the well-known roots, so connection fails.
opts.ca = caCert;
tls.connect(opts, fail).on('error', common.mustCall((err) => {
assert.strictEqual(err.message, 'unable to get local issuer certificate');
}));
function fail() {
assert.fail('should fail to connect');
}
// New secure contexts have the well-known root CAs.
opts.secureContext = tls.createSecureContext();
tls.connect(opts, common.mustCall(end));
// Explicit calls to addCACert() add to the default well-known roots, instead
// of replacing, so connection still succeeds.
opts.secureContext.context.addCACert(caCert);
tls.connect(opts, common.mustCall(end));
function end() {
this.end();
}