Commit
tls: add
allowPartialTrustChain
flag
This commit exposes the `X509_V_FLAG_PARTIAL_CHAIN` OpenSSL flag to users. This is behavior that has been requested repeatedly in the Github issues, and allows aligning behavior with other TLS libraries and commonly used applications (e.g. `curl`). As a drive-by, simplify the `SecureContext` source by deduplicating call sites at which a new custom certificate store was created for the `secureContext` in question. Fixes: #36453 PR-URL: #54790 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Showing
5 changed files
with
103 additions
and
18 deletions.
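--- a/test/parallel/test-tls-client-allow-partial-trust-chain.js
+++ b/test/parallel/test-tls-client-allow-partial-trust-chain.js
@@ -0,0 +1,53 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) { common.skip('missing crypto'); }
+
+const assert = require('assert');
+const { once } = require('events');
+const fixtures = require('../common/fixtures');
+
+// agent6-cert.pem is signed by intermediate cert of ca3.
+// The server has a cert chain of agent6->ca3->ca1(root).
+
+const { it, beforeEach, afterEach, describe } = require('node:test');
+
+describe('allowPartialTrustChain', { skip: !common.hasCrypto }, function() {
+const tls = require('tls');
+let server;
+let client;
+let opts;
+
+beforeEach(async function() {
+server = tls.createServer({
+ca: fixtures.readKey('ca3-cert.pem'),
+key: fixtures.readKey('agent6-key.pem'),
+cert: fixtures.readKey('agent6-cert.pem'),
+}, (socket) => socket.resume());
+server.listen(0);
+await once(server, 'listening');
+
+opts = {
+port: server.address().port,
+ca: fixtures.readKey('ca3-cert.pem'),
+checkServerIdentity() {}
+};
+});
+
+afterEach(async function() {
+client?.destroy();
+server?.close();
+});
+
+it('can connect successfully with allowPartialTrustChain: true', async function() {
+client = tls.connect({ ...opts, allowPartialTrustChain: true });
+await once(client, 'secureConnect'); // Should not throw
+});
+
+it('fails without with allowPartialTrustChain: true for an intermediate cert in the CA', async function() {
+// Consistency check: Connecting fails without allowPartialTrustChain: true
+await assert.rejects(async () => {
+const client = tls.connect(opts);
+await once(client, 'secureConnect');
+}, { code: 'UNABLE_TO_GET_ISSUER_CERT' });
+});
+});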
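Review bot: Neither case checks that `allowPartialTrustChain: true` still rejects a server whose chain reaches no certificate in `ca`. Going by the file's own comment, the two tests only show that the flag lets the supplied intermediate (ca3) act as an accepted anchor and that the connection fails without it. Since the option widens what counts as a trust anchor, I would add a third case that connects with the flag set and a `ca` taken from an unrelated fixture CA, and asserts that the handshake is rejected. Separately, `const client = tls.connect(opts);` in the rejection test shadows the suite-level `client`, so `afterEach` never destroys that socket; `client = tls.connect(opts);` keeps cleanup uniform. The title 'fails without with allowPartialTrustChain: true …' also looks like a typo for 'fails without allowPartialTrustChain: true …'.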