Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: get the local certificate after tls handshake #24261

Closed
wants to merge 1 commit into from

Conversation

sam-github
Copy link
Contributor

Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Nov 8, 2018
@sam-github sam-github added the semver-minor PRs that contain new features and should be released in the next minor version. label Nov 8, 2018
* Returns: {Object}

Returns an object representing the local certificate. The returned object has
some properties corresponding to the fields of the certificate.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you be more specific than "some"?

Copy link
Contributor Author

@sam-github sam-github Nov 9, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty vague, isn't it! ;-) This is the extent of the current documentation for parsed cert objects, unchanged since 0c42fac51596a68a6be02ea537e5ec03f228844b. Its on my list to fix, but for now I'd like to leave as-is. The wording of these docs are close to identical as possible to the docs for https://nodejs.org/api/tls.html#tls_tlssocket_getpeercertificate_detailed. I'm working on a PR to add EC and DH key info to X509ToObject, and I promise to doc the cert format then, and reorganize the docs, since the cert can show up in a handful of APIs.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/to @bnoordhuis as promised, #24358

doc/api/tls.md Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Sam, LGTM.

One thing: you may want to stick in an exports.translatePeerCertificate = exports.translateCertChain to stop it from being semver-major.

@sam-github
Copy link
Contributor Author

I don't want it to be semver-major, I'll put the original name back.

Whats the current way to hide our internal API? Could I move translatePeerCert into internal/ with a better name, and export a deprecated wrapper from _tls_common?

@sam-github
Copy link
Contributor Author

@bnoordhuis
Copy link
Member

Could I move translatePeerCert into internal/ with a better name, and export a deprecated wrapper from _tls_common?

Yep.

@sam-github
Copy link
Contributor Author

doc/api/tls.md Outdated Show resolved Hide resolved
doc/api/tls.md Outdated Show resolved Hide resolved
@sam-github
Copy link
Contributor Author

ci: https://ci.nodejs.org/job/node-test-pull-request/18588/

James, Anna - thanks for catching the typo.

src/node_crypto.cc Outdated Show resolved Hide resolved
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095
@sam-github
Copy link
Contributor Author

Landed in db35fee

@sam-github sam-github closed this Nov 14, 2018
@sam-github sam-github deleted the tls-get-cert branch November 14, 2018 04:43
sam-github added a commit that referenced this pull request Nov 14, 2018
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
BridgeAR pushed a commit that referenced this pull request Nov 14, 2018
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
kiyomizumia pushed a commit to kiyomizumia/node that referenced this pull request Nov 15, 2018
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095

PR-URL: nodejs#24261
Fixes: nodejs#24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
BridgeAR pushed a commit that referenced this pull request Nov 15, 2018
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
addaleax added a commit to addaleax/node that referenced this pull request Jan 14, 2019
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs#24261
Fixes: https://github.com/nodejs-private/security/issues/217
@addaleax
Copy link
Member

If this is backported to LTS, it should go with #25490.

addaleax added a commit that referenced this pull request Jan 21, 2019
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: #24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: #25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
addaleax added a commit that referenced this pull request Jan 23, 2019
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: #24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: #25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
zcbenz pushed a commit to electron/node that referenced this pull request Mar 27, 2019
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs/node#24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: nodejs/node#25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
sam-github added a commit to sam-github/node that referenced this pull request Apr 29, 2019
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095

PR-URL: nodejs#24261
Fixes: nodejs#24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
sam-github pushed a commit to sam-github/node that referenced this pull request Apr 29, 2019
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs#24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: nodejs#25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Ability to check TLS contexts, servernames, altnames
6 participants