Move tests to separate folder
timja committed Mar 3, 2025
commit 46b5e4ca8e4f43820f55d7f7e3e17c13c903e42a
3 changes: 0 additions & 3 deletions test/parallel/parallel.status
@@ -19,9 +19,6 @@ test-fs-read-stream-concurrent-reads: PASS, FLAKY
# https://github.com/nodejs/build/issues/3043
test-snapshot-incompatible: SKIP

# Requires manual setup for certificates to be trusted by the system
test-native-certs: SKIP

[$system==win32]
# https://github.com/nodejs/node/issues/54808
test-async-context-frame: PASS, FLAKY
156 changes: 0 additions & 156 deletions test/parallel/test-native-certs.mjs

This file was deleted.

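--- a/test/system-ca/README.md
+++ b/test/system-ca/README.md
@@ -0,0 +1,92 @@
+# system-ca
+
+Tests for [--use-system-ca](../../doc/api/cli.md#--use-system-ca).
+
+On both macOS and Windows interactive dialogs need confirming to add certificates to the OS trust store.
+
+## macOS
+
+**Adding the certificate**
+
+```bash
+security add-trusted-cert \
+-k /Users/$USER/Library/Keychains/login.keychain-db \
+test/fixtures/keys/fake-startcom-root-cert.pem
+security add-certificates \
+-k /Users/$USER/Library/Keychains/login.keychain-db \
+test/fixtures/keys/intermediate-ca.pem
+security add-certificates \
+-k /Users/$USER/Library/Keychains/login.keychain-db \
+test/fixtures/keys/non-trusted-intermediate-ca.pem
+```
+
+**Removing the certificate**
+
+```bash
+security delete-certificate -c 'StartCom Certification Authority' \
+-t /Users/$USER/Library/Keychains/login.keychain-db
+security delete-certificate -c 'NodeJS-Test-Intermediate-CA' \
+-t /Users/$USER/Library/Keychains/login.keychain-db
+security delete-certificate -c 'NodeJS-Non-Trusted-Test-Intermediate-CA' \
+-t /Users/$USER/Library/Keychains/login.keychain-db
+```
+
+## Windows
+
+**Adding the certificate**
+
+Powershell:
+
+```powershell
+Import-Certificate -FilePath .\test\fixtures\keys\fake-startcom-root-cert.cer \
+-CertStoreLocation Cert:\CurrentUser\Root
+Import-Certificate -FilePath .\test\fixtures\keys\intermediate-ca.pem \
+-CertStoreLocation Cert:\CurrentUser\CA
+Import-Certificate -FilePath .\test\fixtures\keys\non-trusted-intermediate-ca.pem \
+-CertStoreLocation Cert:\CurrentUser\CA
+```
+
+**Removing the certificate**
+
+```powershell
+$thumbprint = (Get-ChildItem -Path Cert:\CurrentUser\Root | \
+Where-Object { $_.Subject -match "StartCom Certification Authority" }).Thumbprint
+Remove-Item -Path "Cert:\CurrentUser\Root\$thumbprint"
+
+$thumbprint = (Get-ChildItem -Path Cert:\CurrentUser\CA | \
+Where-Object { $_.Subject -match "NodeJS-Test-Intermediate-CA" }).Thumbprint
+Remove-Item -Path "Cert:\CurrentUser\CA\$thumbprint"
+
+$thumbprint = (Get-ChildItem -Path Cert:\CurrentUser\CA | \
+Where-Object { $_.Subject -match "NodeJS-Non-Trusted-Test-Intermediate-CA" }).Thumbprint
+Remove-Item -Path "Cert:\CurrentUser\CA\$thumbprint"
+```
+
+## Debian/Ubuntu
+
+**Adding the certificate**
+
+```bash
+sudo cp test/fixtures/keys/fake-startcom-root-cert.pem \
+/usr/local/share/ca-certificates/fake-startcom-root-cert.crt
+sudo cp test/fixtures/keys/intermediate-ca.pem \
+/usr/local/share/ca-certificates/intermediate-ca.crt
+sudo cp test/fixtures/keys/non-trusted-intermediate-ca.pem \
+/usr/local/share/ca-certificates/non-trusted-intermediate-ca.crt
+sudo update-ca-certificates
+```
+
+**Removing the certificate**
+
+```bash
+sudo rm /usr/local/share/ca-certificates/fake-startcom-root-cert.crt \
+/usr/local/share/ca-certificates/intermediate-ca.crt \
+/usr/local/share/ca-certificates/non-trusted-intermediate-ca.crt
+sudo update-ca-certificates --fresh
+```
+
+## Other Unix-like systems
+
+For other Unix-like systems, consult their manuals, there are usually
+file-based processes similar to the Debian/Ubuntu one but with different
+file locations and update commands.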
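--- a/test/system-ca/system-ca.status
+++ b/test/system-ca/system-ca.status
@@ -0,0 +1,7 @@
+prefix system-ca
+
+# To mark a test as flaky, list the test name in the appropriate section
+# below, without ".js", followed by ": PASS,FLAKY". Example:
+# sample-test : PASS,FLAKY
+
+[true] # This section applies to all platforms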
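--- a/test/system-ca/test-native-intermediate-certs.mjs
+++ b/test/system-ca/test-native-intermediate-certs.mjs
@@ -0,0 +1,85 @@
+// Flags: --use-system-ca
+
+import * as common from '../common/index.mjs';
+import assert from 'node:assert/strict';
+import https from 'node:https';
+import fixtures from '../common/fixtures.js';
+import { it, beforeEach, afterEach, describe } from 'node:test';
+import { once } from 'events';
+
+if (!common.hasCrypto) {
+common.skip('requires crypto');
+}
+
+// To run this test, the system needs to be configured to trust
+// the CA certificate first (which needs an interactive GUI approval, e.g. TouchID):
+// see the README.md in this folder for instructions on how to do this.
+const handleRequest = (req, res) => {
+const path = req.url;
+switch (path) {
+case '/hello-world':
+res.writeHead(200);
+res.end('hello world\n');
+break;
+default:
+assert(false, `Unexpected path: ${path}`);
+}
+};
+
+describe('use-system-ca', function() {
+
+async function setupServer(key, cert) {
+const theServer = https.createServer({
+key: fixtures.readKey(key),
+cert: fixtures.readKey(cert),
+}, handleRequest);
+theServer.listen(0);
+await once(theServer, 'listening');
+
+return theServer;
+}
+
+describe('signed with an intermediate CA certificate', () => {
+let server;
+
+beforeEach(async function() {
+server = await setupServer('leaf-from-intermediate-key.pem', 'leaf-from-intermediate-cert.pem');
+});
+
+it('can connect successfully', async function() {
+await fetch(`https://localhost:${server.address().port}/hello-world`);
+});
+
+afterEach(async function() {
+server?.close();
+});
+});
+
+describe('signed with a trusted intermediate but not trusted root CA certificate', () => {
+let server;
+
+beforeEach(async function() {
+server = await setupServer(
+'non-trusted-leaf-from-intermediate-key.pem',
+'non-trusted-leaf-from-intermediate-cert.pem'
+);
+});
+
+it('can connect successfully', async function() {
+try {
+await fetch(`https://localhost:${server.address().port}/hello-world`);
+} catch (err) {
+if (common.isWindows) {
+assert.strictEqual(err.cause.code, 'UNABLE_TO_GET_ISSUER_CERT');
+} else {
+assert.strictEqual(err.cause.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
+}
+}
+});
+
+afterEach(async function() {
+server?.close();
+});
+});
+
+});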
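Review bot: The second `it('can connect successfully', …)`, under 'signed with a trusted intermediate but not trusted root CA certificate', passes when `fetch` resolves, because both error-code assertions sit only inside the `catch`. A regression that makes `--use-system-ca` accept a chain whose root is not trusted would therefore go unnoticed. If rejection is the intended outcome on every platform, as the two expected codes suggest, the test should assert it with `assert.rejects` and be renamed to say so. Reading `err.cause.code` also throws a TypeError instead of a clear assertion failure when the rejection carries no `cause`. Separately, the first test never checks the response status or body, so it only shows that the handshake did not throw.

```javascript
describe('signed with a trusted intermediate but not trusted root CA certificate', () => {
  // … unchanged: server setup in beforeEach …

  it('rejects the connection', async function() {
    const expectedCode = common.isWindows ?
      'UNABLE_TO_GET_ISSUER_CERT' :
      'UNABLE_TO_VERIFY_LEAF_SIGNATURE';
    await assert.rejects(
      fetch(`https://localhost:${server.address().port}/hello-world`),
      (err) => {
        assert.strictEqual(err.cause?.code, expectedCode);
        return true;
      },
    );
  });

  // … unchanged: afterEach closes the server …
```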