crypto: add pfx certs as CA certs too
#5109
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
cc @nodejs/crypto |
indutny
added
tls
|
Probably needs to land on v5 too. |
| @@ -990,7 +1001,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) { | |||
| if (cert != nullptr) | |||
| X509_free(cert); | |||
| if (extra_certs != nullptr) | |||
| sk_X509_free(extra_certs); | |||
| sk_X509_pop_free(extra_certs, X509_free); | |||
There was a problem hiding this comment.
This is unrelated bugfix for a memory leak, not sure if I should submit it separately. It won't have a test case anyway.
There was a problem hiding this comment.
might make sense to put as two commits for back-porting purposes... I don't see why they couldn't both come in on this PR though
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself.
|
LGTM |
|
@jasnell thank you! May have an additional LGTM from @bnoordhuis or @shigeki, before landing? |
|
@indutny The fixes are LGTM but no tests. I've just made tests to check them as in We should have changed the API to add a new option of |
|
Ouch, I just forgot to include it in PR. Sorry! Included it. |
|
@indutny The test is fine. LGTM. |
indutny
added a commit
that referenced
this pull request
Feb 8, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
indutny
added a commit
that referenced
this pull request
Feb 8, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
|
Looks like this landed with a failing test in CI. https://ci.nodejs.org/job/node-test-commit-linux-fips/834/nodes=ubuntu1404-64/console So, uh, CI will fail every time... |
This was referenced Feb 8, 2016
shigeki
pushed a commit
to shigeki/node
that referenced
this pull request
Feb 9, 2016
The pfx file created by pkcs12 command of openssl causes an error in FIPS mode because its certificate is encrypted with RC2 by default. Adding `-descert` option resolves the error. Fix: nodejs#5144 Fix: nodejs#5109
rvagg
pushed a commit
that referenced
this pull request
Feb 9, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
rvagg
pushed a commit
that referenced
this pull request
Feb 9, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
rvagg
pushed a commit
that referenced
this pull request
Feb 9, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
rvagg
pushed a commit
that referenced
this pull request
Feb 9, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 18, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 18, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 18, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 18, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Merged
MylesBorins
pushed a commit
that referenced
this pull request
Mar 2, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: #5100 PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 2, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: #5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point. Fix: nodejs#5100 PR-URL: nodejs#5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all items in queue too, not just the queue itself. PR-URL: nodejs#5109 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
The pfx file created by pkcs12 command of openssl causes an error in FIPS mode because its certificate is encrypted with RC2 by default. Adding `-descert` option resolves the error. Fix: nodejs#5144 Fix: nodejs#5109 PR-URL: nodejs#5150 Reviewed-By: Rich Trott <rtrott@gmail.com>
This was referenced Apr 28, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
According to documentation all certificates specified in
pfxoptionshould be treated as a CA certificates too. While it doesn't seem to be
logically correct to me, we can't afford to break API stability at this
point.
Fix: #5100