From d9e934c71f1c2b87bb837ac808204391c794c95b Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Fri, 5 Feb 2016 23:13:30 -0500
Subject: [PATCH] crypto: add `pfx` certs as CA certs too

According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point.

Fix: #5100
PR-URL: https://github.com/nodejs/node/pull/5109
Reviewed-By: James M Snell
Reviewed-By: Shigeki Ohtsu
---
 src/node_crypto.cc | 11 +++++++
 test/parallel/test-tls-pfx-gh-5100-regr.js | 36 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 test/parallel/test-tls-pfx-gh-5100-regr.js

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 2fb6e887d1db9f..0b4f8d60773ae1 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -982,6 +982,17 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) {
 &sc->cert_,
 &sc->issuer_) &&
 SSL_CTX_use_PrivateKey(sc->ctx_, pkey)) {
+ // Add CA certs too
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
+ X509* ca = sk_X509_value(extra_certs, i);
+
+ if (!sc->ca_store_) {
+ sc->ca_store_ = X509_STORE_new();
+ SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ }
+ X509_STORE_add_cert(sc->ca_store_, ca);
+ SSL_CTX_add_client_CA(sc->ctx_, ca);
+ }
 ret = true;
 }
diff --git a/test/parallel/test-tls-pfx-gh-5100-regr.js b/test/parallel/test-tls-pfx-gh-5100-regr.js
new file mode 100644
index 00000000000000..865ac2ba3f299a
--- /dev/null
+++ b/test/parallel/test-tls-pfx-gh-5100-regr.js
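Review bot: The added loop ignores the result of `X509_STORE_new()` and of both add calls, so an allocation failure leaves `sc->ca_store_` null when `X509_STORE_add_cert` runs in the same iteration, and a failed add still falls through to `ret = true` as though the whole bundle had been installed. At minimum guard the allocation with `if (sc->ca_store_ == nullptr) break;` between `X509_STORE_new()` and `SSL_CTX_set_cert_store`, and make that failure visible rather than reporting success; checking `X509_STORE_add_cert` is worth considering too, keeping in mind that older OpenSSL releases report a duplicate certificate as a failure, so a bundle that repeats a chain cert should not become a hard error. The comment `// Add CA certs too` understates what the loop does — every extra certificate in the bundle becomes a trust anchor for peer verification and is advertised as an acceptable client CA — so the reason belongs in the comment: `// Documented behaviour (#5100): every extra cert in the bundle is a trust anchor for peer verification and is advertised as an acceptable client CA.` LoadPKCS12 starts before and continues after this hunk, so the failure path that `ret` feeds is not visible here.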
@@ -0,0 +1,36 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto) {
+ console.log('1..0 # Skipped: node compiled without crypto.');
+ return;
+}
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+const pfx = fs.readFileSync(
+ path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem'));
+
+const server = tls.createServer({
+ pfx: pfx,
+ passphrase: 'sample',
+ requestCert: true,
+ rejectUnauthorized: false
+}, common.mustCall(function(c) {
+ assert(c.authorizationError === null, 'authorizationError must be null');
+ c.end();
+})).listen(common.PORT, function() {
+ var client = tls.connect({
+ port: common.PORT,
+ pfx: pfx,
+ passphrase: 'sample',
+ rejectUnauthorized: false
+ }, function() {
+ client.end();
+ server.close();
+ });
+});
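Review bot: The client's connect callback near the end of the hunk is not wrapped in `common.mustCall`, unlike the server's connection handler, so a client that never reaches secureConnect leaves the server listening and the test hangs until the harness timeout instead of failing at exit; change it to `}, common.mustCall(function() {` and close with `}));`. `var client` should be `const` to match the rest of the file; the callback body reads `client` only after the assignment completes, so there is no temporal-dead-zone problem. It would also help a reader to state what the assertion in the server handler proves, e.g. `// With both sides loading the same pfx, verification succeeds presumably because the bundle's extra certs are now trusted; authorizationError stays null.`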