Skip to content

(v6.x backport) Doc and test cert apis #12468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sam-github wants to merge 6 commits into from
Closed

(v6.x backport) Doc and test cert apis #12468

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cc1d02d
test: getgroups() may contain duplicate GIDs
sam-github Dec 21, 2016
05039c3
doc,test: tls .ca option supports multi-PEM files
sam-github Dec 21, 2016
d59c9f5
test: tls cert chain completion scenarios
sam-github Dec 20, 2016
7c6aec6
doc: use correct tls certificate property name
sam-github Dec 20, 2016
fd97d25
test: check tls server verification with addCACert
sam-github Dec 20, 2016
8db0443
test: move common tls connect setup into fixtures
sam-github Dec 17, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
test: check tls server verification with addCACert 
SecureContext.addCACert() adds to the existing root store,
preserving root cert entries. option.ca is applied without
calling SecureContext.addRootCerts() so should add to
the default, empty, root store.

This test confirms that the built-in root CAs are not included
when options.ca is used.

Based on:

shigeki@acd5837

PR-URL: #10389
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  • Loading branch information
@sam-github
sam-github committed Apr 17, 2017
commit fd97d258c502f70b34410ef410d1c51d1a1abd64
55 changes: 55 additions & 0 deletions test/internet/test-tls-add-ca-cert.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
'use strict';
const common = require('../common');

if (!common.hasCrypto) {
common.skip('missing crypto');
return;
}

// Test interaction of compiled-in CAs with user-provided CAs.

const assert = require('assert');
const fs = require('fs');
const tls = require('tls');

function filenamePEM(n) {
return require('path').join(common.fixturesDir, 'keys', n + '.pem');
}

function loadPEM(n) {
return fs.readFileSync(filenamePEM(n));
}

const caCert = loadPEM('ca1-cert');

var opts = {
host: 'www.nodejs.org',
port: 443,
rejectUnauthorized: true
};

// Success relies on the compiled in well-known root CAs
tls.connect(opts, common.mustCall(end));

// The .ca option replaces the well-known roots, so connection fails.
opts.ca = caCert;
tls.connect(opts, fail).on('error', common.mustCall((err) => {
assert.strictEqual(err.message, 'unable to get local issuer certificate');
}));

function fail() {
assert(false, 'should fail to connect');
}

// New secure contexts have the well-known root CAs.
opts.secureContext = tls.createSecureContext();
tls.connect(opts, common.mustCall(end));

// Explicit calls to addCACert() add to the default well-known roots, instead
// of replacing, so connection still succeeds.
opts.secureContext.context.addCACert(caCert);
tls.connect(opts, common.mustCall(end));

function end() {
this.end();
}