crypto: add cert check issued by StartCom/WoSign
When a TLS client connects to a server whose certificate was issued by
one of the StartCom or WoSign CAs listed in StartComAndWoSignData.inc,
check the notBefore of the server certificate and return a CERT_REVOKED
error if it is after 00:00:00 on October 21, 2016.

See for details in
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/,
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
and
https://support.apple.com/en-us/HT204132

Fixes: #9434
PR-URL: #9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
shigeki authored and italoacasas committed Feb 14, 2017
1 parent 322fc20 commit 5e98e34
Showing 24 changed files with 611 additions and 3 deletions.
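--- a/src/StartComAndWoSignData.inc
+++ b/src/StartComAndWoSignData.inc
@@ -0,0 +1,89 @@
+// /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
+// Using a consistent naming convention, this would actually be called
+// 'CA沃通根证书DN', but since GCC 6.2.1 apparently can't handle UTF-8
+// identifiers, this will have to do.
+static const uint8_t CAWoSignRootDN[72] = {
+0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x0C, 0x12, 0x43, 0x41, 0x20, 0xE6, 0xB2, 0x83, 0xE9, 0x80, 0x9A, 0xE6, 0xA0,
+0xB9, 0xE8, 0xAF, 0x81, 0xE4, 0xB9, 0xA6,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=CA WoSign ECC Root
+static const uint8_t CAWoSignECCRootDN[72] = {
+0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x12, 0x43, 0x41, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x45,
+0x43, 0x43, 0x20, 0x52, 0x6F, 0x6F, 0x74,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+static const uint8_t CertificationAuthorityofWoSignDN[87] = {
+0x30, 0x55, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x2A, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x21, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2
+static const uint8_t CertificationAuthorityofWoSignG2DN[90] = {
+0x30, 0x58, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+0x69, 0x74, 0x65, 0x64, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x24, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x47, 0x32,
+};
+
+// /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
+static const uint8_t StartComCertificationAuthorityDN[127] = {
+0x30, 0x7D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x22, 0x53, 0x65,
+0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6C, 0x20,
+0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53,
+0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55,
+0x04, 0x03, 0x13, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20,
+0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E,
+0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79,
+};
+
+// /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+static const uint8_t StartComCertificationAuthorityG2DN[85] = {
+0x30, 0x53, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+0x31, 0x2C, 0x30, 0x2A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74,
+0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F,
+0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
+};
+
+struct DataAndLength {
+const uint8_t* data;
+uint32_t len;
+};
+
+static const DataAndLength StartComAndWoSignDNs[]= {
+{ CAWoSignRootDN,
+sizeof(CAWoSignRootDN) },
+{ CAWoSignECCRootDN,
+sizeof(CAWoSignECCRootDN) },
+{ CertificationAuthorityofWoSignDN,
+sizeof(CertificationAuthorityofWoSignDN) },
+{ CertificationAuthorityofWoSignG2DN,
+sizeof(CertificationAuthorityofWoSignG2DN) },
+{ StartComCertificationAuthorityDN,
+sizeof(StartComCertificationAuthorityDN) },
+{ StartComCertificationAuthorityG2DN,
+sizeof(StartComCertificationAuthorityG2DN) },
+};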
44 changes: 41 additions & 3 deletions src/node_crypto.cc
@@ -17,6 +17,10 @@
// https://hg.mozilla.org/mozilla-central/raw-file/98820360ab66/security/
// certverifier/CNNICHashWhitelist.inc
#include "CNNICHashWhitelist.inc"
// StartCom and WoSign root CA list is taken from
// https://hg.mozilla.org/mozilla-central/file/tip/security/certverifier/
// StartComAndWoSignData.inc
#include "StartComAndWoSignData.inc"

#include <errno.h>
#include <limits.h> // INT_MAX
@@ -2761,9 +2765,40 @@ inline X509* FindRoot(STACK_OF(X509)* sk) {
}


// Whitelist check for certs issued by CNNIC. See
inline bool CertIsStartComOrWoSign(X509_NAME* name) {
const unsigned char* startcom_wosign_data;
X509_NAME* startcom_wosign_name;

for (const auto& dn : StartComAndWoSignDNs) {
startcom_wosign_data = dn.data;
startcom_wosign_name = d2i_X509_NAME(nullptr, &startcom_wosign_data,
dn.len);
if (X509_NAME_cmp(name, startcom_wosign_name) == 0)
return true;
}

return false;
}

// Revoke the certificates issued by StartCom or WoSign that has
// notBefore after 00:00:00 on October 21, 2016 (1477008000 in epoch).
inline bool CheckStartComOrWoSign(X509_NAME* root_name, X509* cert) {
if (!CertIsStartComOrWoSign(root_name))
return true;

time_t october_21_2016 = static_cast<time_t>(1477008000);
if (X509_cmp_time(X509_get_notBefore(cert), &october_21_2016) < 0)
return true;

return false;
}


// Whitelist check for certs issued by CNNIC, StartCom and WoSign. See
// https://blog.mozilla.org/security/2015/04/02
// /distrusting-new-cnnic-certificates/
// /distrusting-new-cnnic-certificates/ and
// https://blog.mozilla.org/security/2016/10/24/
// distrusting-new-wosign-and-startcom-certificates
inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
unsigned char hash[CNNIC_WHITELIST_HASH_LEN];
unsigned int hashlen = CNNIC_WHITELIST_HASH_LEN;
@@ -2782,11 +2817,14 @@ inline CheckResult CheckWhitelistedServerCert(X509_STORE_CTX* ctx) {
root_name = X509_get_subject_name(root_cert);
}

X509* leaf_cert = sk_X509_value(chain, 0);
if (!CheckStartComOrWoSign(root_name, leaf_cert))
return CHECK_CERT_REVOKED;

// When the cert is issued from either CNNNIC ROOT CA or CNNNIC EV
// ROOT CA, check a hash of its leaf cert if it is in the whitelist.
if (X509_NAME_cmp(root_name, cnnic_name) == 0 ||
X509_NAME_cmp(root_name, cnnic_ev_name) == 0) {
X509* leaf_cert = sk_X509_value(chain, 0);
int ret = X509_digest(leaf_cert, EVP_sha256(), hash,
&hashlen);
CHECK(ret);
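Review bot: In `CertIsStartComOrWoSign`, every loop iteration allocates an `X509_NAME` with `d2i_X509_NAME(nullptr, ...)` and never releases it, so each call leaks up to six decoded names, and the result is handed to `X509_NAME_cmp` without a null check. Since `CheckWhitelistedServerCert` now calls this unconditionally, the leak sits on the certificate-verification path; free the name with `X509_NAME_free` after the comparison (or decode the DNs once and reuse them), as sketched below. Separately, the provenance comment above `#include "StartComAndWoSignData.inc"` points at `file/tip`, which moves, while the CNNIC include pins a revision; recording the Mozilla revision the list was copied from would let the data be audited later. `CheckWhitelistedServerCert` starts and ends outside the visible hunks, so whether `root_name` can be null at the new call cannot be confirmed from here.

```cpp
inline bool CertIsStartComOrWoSign(X509_NAME* name) {
  for (const auto& dn : StartComAndWoSignDNs) {
    const unsigned char* startcom_wosign_data = dn.data;
    X509_NAME* startcom_wosign_name =
        d2i_X509_NAME(nullptr, &startcom_wosign_data, dn.len);
    // The DNs are compile-time constants, so a decode failure is a bug.
    CHECK(startcom_wosign_name != nullptr);
    const int cmp = X509_NAME_cmp(name, startcom_wosign_name);
    X509_NAME_free(startcom_wosign_name);
    if (cmp == 0)
      return true;
  }

  return false;
}
```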
68 changes: 68 additions & 0 deletions test/fixtures/keys/Makefile
@@ -57,6 +57,20 @@ fake-cnnic-root-cert.pem: fake-cnnic-root.cnf fake-cnnic-root-key.pem
-out fake-cnnic-root-cert.pem \
-config fake-cnnic-root.cnf

#
# Create Fake StartCom Root Certificate Authority: fake-startcom-root
#
fake-startcom-root-key.pem:
openssl genrsa -out fake-startcom-root-key.pem 2048

fake-startcom-root-cert.pem: fake-startcom-root.cnf \
fake-startcom-root-key.pem
openssl req -new -x509 -days 9999 -config \
fake-startcom-root.cnf -key fake-startcom-root-key.pem -out \
fake-startcom-root-cert.pem
echo '01' > fake-startcom-root-serial
touch fake-startcom-root-database.txt

#
# agent1 is signed by ca1.
#
@@ -254,6 +268,60 @@ agent7-cert.pem: agent7-csr.pem fake-cnnic-root-cert.pem fake-cnnic-root-key.pem
agent7-verify: agent7-cert.pem fake-cnnic-root-cert.pem
openssl verify -CAfile fake-cnnic-root-cert.pem agent7-cert.pem

#
# agent8 is signed by fake-startcom-root with notBefore
# of Oct 20 23:59:59 2016 GMT
#

agent8-key.pem:
openssl genrsa -out agent8-key.pem 2048

agent8-csr.pem: agent8.cnf agent8-key.pem
openssl req -new -config agent8.cnf -key agent8-key.pem \
-out agent8-csr.pem

agent8-cert.pem: agent8-csr.pem
openssl ca \
-config fake-startcom-root.cnf \
-keyfile fake-startcom-root-key.pem \
-cert fake-startcom-root-cert.pem \
-batch \
-days 9999 \
-passin "pass:password" \
-in agent8-csr.pem \
-startdate 20161020235959Z \
-notext -out agent8-cert.pem


agent8-verify: agent8-cert.pem fake-startcom-root-cert.pem
openssl verify -CAfile fake-startcom-root-cert.pem \
agent8-cert.pem


#
# agent9 is signed by fake-startcom-root with notBefore
# of Oct 21 00:00:01 2016 GMT
#
agent9-key.pem:
openssl genrsa -out agent9-key.pem 2048

agent9-csr.pem: agent9.cnf agent9-key.pem
openssl req -new -config agent9.cnf -key agent9-key.pem \
-out agent9-csr.pem


agent9-cert.pem: agent9-csr.pem
openssl ca \
-config fake-startcom-root.cnf \
-keyfile fake-startcom-root-key.pem \
-cert fake-startcom-root-cert.pem \
-batch \
-days 9999 \
-passin "pass:password" \
-in agent9-csr.pem \
-startdate 20161021000001Z \
-notext -out agent9-cert.pem

ec-key.pem:
openssl ecparam -genkey -out ec-key.pem -name prime256v1
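Review bot: The `agent8-cert.pem` and `agent9-cert.pem` rules list only the CSR as a prerequisite, although their recipes read `fake-startcom-root-cert.pem`, `fake-startcom-root-key.pem` and the serial/database files that the `fake-startcom-root-cert.pem` rule creates; the neighbouring `agent7-cert.pem` rule does name its root cert and key. From a clean tree, `make agent8-cert.pem` could therefore run `openssl ca` before the fake root exists; I would write `agent8-cert.pem: agent8-csr.pem fake-startcom-root-cert.pem fake-startcom-root-key.pem` and the same for agent9. `fake-startcom-root.cnf` also sets `new_certs_dir = fake-startcom-root-issued-certs`, and nothing visible in these hunks creates that directory, so regenerating the fixtures may need a `mkdir -p` step in the root rule.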

20 changes: 20 additions & 0 deletions test/fixtures/keys/agent8-cert.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions test/fixtures/keys/agent8-csr.pem
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
27 changes: 27 additions & 0 deletions test/fixtures/keys/agent8-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
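--- a/test/fixtures/keys/agent8.cnf
+++ b/test/fixtures/keys/agent8.cnf
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+
+[ req_distinguished_name ]
+C = US
+ST = CA
+L = SF
+O = NODEJS
+OU = agent8
+CN = localhost
+
+[ req_attributes ]
+challengePassword = A challenge password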
20 changes: 20 additions & 0 deletions test/fixtures/keys/agent9-cert.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions test/fixtures/keys/agent9-csr.pem
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
27 changes: 27 additions & 0 deletions test/fixtures/keys/agent9-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
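--- a/test/fixtures/keys/agent9.cnf
+++ b/test/fixtures/keys/agent9.cnf
@@ -0,0 +1,17 @@
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+
+[ req_distinguished_name ]
+C = US
+ST = CA
+L = SF
+O = NODEJS
+OU = agent9
+CN = localhost
+
+[ req_attributes ]
+challengePassword = A challenge password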
22 changes: 22 additions & 0 deletions test/fixtures/keys/fake-startcom-root-cert.pem
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
18 changes: 18 additions & 0 deletions test/fixtures/keys/fake-startcom-root-csr.pem
@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
2 changes: 2 additions & 0 deletions test/fixtures/keys/fake-startcom-root-database.txt
@@ -0,0 +1,2 @@
V 440321100639Z 01 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent8/CN=localhost
V 440321100702Z 02 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent9/CN=localhost
1 change: 1 addition & 0 deletions test/fixtures/keys/fake-startcom-root-database.txt.attr
@@ -0,0 +1 @@
unique_subject = yes
@@ -0,0 +1 @@
unique_subject = yes
1 change: 1 addition & 0 deletions test/fixtures/keys/fake-startcom-root-database.txt.old
@@ -0,0 +1 @@
V 440321100639Z 01 unknown /C=US/ST=CA/L=SF/O=NODEJS/OU=agent8/CN=localhost
20 changes: 20 additions & 0 deletions test/fixtures/keys/fake-startcom-root-issued-certs/01.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
20 changes: 20 additions & 0 deletions test/fixtures/keys/fake-startcom-root-issued-certs/02.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions test/fixtures/keys/fake-startcom-root-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
1 change: 1 addition & 0 deletions test/fixtures/keys/fake-startcom-root-serial
@@ -0,0 +1 @@
03
1 change: 1 addition & 0 deletions test/fixtures/keys/fake-startcom-root-serial.old
@@ -0,0 +1 @@
02
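--- a/test/fixtures/keys/fake-startcom-root.cnf
+++ b/test/fixtures/keys/fake-startcom-root.cnf
@@ -0,0 +1,46 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+name_opt = CA_default
+cert_opt = CA_default
+default_crl_days = 999
+default_md = sha256
+database = fake-startcom-root-database.txt
+serial = fake-startcom-root-serial
+private_key = fake-startcom-root-key.pem
+certificate = fake-startcom-root-cert.pem
+new_certs_dir = fake-startcom-root-issued-certs
+email_in_dn = no
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 2048
+days = 999
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = password
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+C = IL
+O = StartCom Ltd.
+OU = Secure Digital Certificate Signing
+CN = StartCom Certification Authority
+
+[ req_attributes ]
+challengePassword = A challenge password
+
+[ v3_ca ]
+basicConstraints = CA:TRUE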
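--- a/test/parallel/test-tls-startcom-wosign-whitelist.js
+++ b/test/parallel/test-tls-startcom-wosign-whitelist.js
@@ -0,0 +1,91 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+
+if (!common.hasCrypto) {
+common.skip('missing crypto');
+return;
+}
+
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+let finished = 0;
+
+function filenamePEM(n) {
+return path.join(common.fixturesDir, 'keys', n + '.pem');
+}
+
+function loadPEM(n) {
+return fs.readFileSync(filenamePEM(n));
+}
+
+const testCases = [
+{ // agent8 is signed by fake-startcom-root with notBefore of
+// Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check.
+serverOpts: {
+key: loadPEM('agent8-key'),
+cert: loadPEM('agent8-cert')
+},
+clientOpts: {
+ca: loadPEM('fake-startcom-root-cert'),
+port: undefined,
+rejectUnauthorized: true
+},
+errorCode: 'CERT_OK'
+},
+{ // agent9 is signed by fake-startcom-root with notBefore of
+// Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check.
+serverOpts: {
+key: loadPEM('agent9-key'),
+cert: loadPEM('agent9-cert')
+},
+clientOpts: {
+ca: loadPEM('fake-startcom-root-cert'),
+port: undefined,
+rejectUnauthorized: true
+},
+errorCode: 'CERT_REVOKED'
+}
+];
+
+
+function runNextTest(server, tindex) {
+server.close(function() {
+finished++;
+runTest(tindex + 1);
+});
+}
+
+
+function runTest(tindex) {
+const tcase = testCases[tindex];
+
+if (!tcase) return;
+
+const server = tls.createServer(tcase.serverOpts, function(s) {
+s.resume();
+}).listen(0, function() {
+tcase.clientOpts.port = this.address().port;
+const client = tls.connect(tcase.clientOpts);
+client.on('error', function(e) {
+assert.strictEqual(e.code, tcase.errorCode);
+runNextTest(server, tindex);
+});
+
+client.on('secureConnect', function() {
+// agent8 can pass StartCom/WoSign check so that the secureConnect
+// is established.
+assert.strictEqual(tcase.errorCode, 'CERT_OK');
+client.end();
+runNextTest(server, tindex);
+});
+});
+}
+
+
+runTest(0);
+
+process.on('exit', function() {
+assert.strictEqual(finished, testCases.length);
+});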
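Review bot: The two entries in `testCases` exercise only the `StartCom Certification Authority` DN, with notBefore one second either side of the cutoff, so the four WoSign DNs, the StartCom G2 DN and a notBefore of exactly 00:00:00 on October 21, 2016 are never checked. A typo in any of the other five byte arrays in `StartComAndWoSignData.inc` would silently disable the distrust for that root and this test would still pass. I would add at least one fake WoSign-rooted fixture pair, and until then state the gap above `testCases`, e.g. `// Only the StartCom root DN is covered; WoSign DNs and the exact cutoff second are untested.` As a style point, the `finished` counter plus the `exit` handler could be replaced by wrapping the `server.close` callback in `common.mustCall`.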
