Add intermediate cert test
timja committed Feb 21, 2025
commit e6d4cc07f2cbeb3117079d663eadc5fe89d7e381
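--- a/test/fixtures/keys/Makefile
+++ b/test/fixtures/keys/Makefile
@@ -40,6 +40,10 @@ all: \
 ec-cert.pem \
 ec.pfx \
 fake-cnnic-root-cert.pem \
+intermediate-ca-cert.pem \
+intermediate-ca-key.pem \
+leaf-from-intermediate-cert.pem \
+leaf-from-intermediate-key.pem \
 rsa_private.pem \
 rsa_private_encrypted.pem \
 rsa_private_pkcs8.pem \
@@ -236,6 +240,54 @@ fake-startcom-root-cert.pem: fake-startcom-root.cnf \
 echo '01' > fake-startcom-root-serial
 touch fake-startcom-root-database.txt
 
+
+intermediate-ca-key.pem:
+openssl genrsa -out intermediate.key 2048
+
+intermediate-ca-cert.pem: intermediate-ca-key.pem
+openssl req -new \
+-sha256 \
+-nodes \
+-key intermediate.key \
+-subj "/C=US/ST=CA/L=SF/O=NODEJS/CN=NodeJS-Test-Intermediate-CA" \
+-out test-intermediate-ca.csr
+
+openssl x509 -req \
+-extensions v3_ca \
+-extfile fake-startcom-root.cnf \
+-in test-intermediate-ca.csr \
+-CA fake-startcom-root-cert.pem \
+-CAkey fake-startcom-root-key.pem \
+-CAcreateserial \
+-out intermediate-ca.pem \
+-days 99999 \
+-sha256
+rm -f test-intermediate-ca.csr
+
+leaf-from-intermediate-key.pem:
+openssl genrsa -out leaf-from-intermediate-key.pem 2048
+
+leaf-from-intermediate-cert.pem: leaf-from-intermediate-key.pem
+openssl genrsa -out leaf-from-intermediate-key.pem 2048
+openssl req -new \
+-sha256 \
+-nodes \
+-key leaf-from-intermediate-key.pem \
+-addext "subjectAltName = DNS:localhost" \
+-subj "/C=US/ST=CA/L=SF/O=NODEJS/CN=localhost" \
+-out leaf-from-intermediate-cert.csr
+openssl x509 -req \
+-in leaf-from-intermediate-cert.csr \
+-CA intermediate-ca.pem \
+-CAkey intermediate.key \
+-CAcreateserial \
+-out leaf-from-intermediate-cert.pem \
+-days 99999 \
+-copy_extensions copy \
+-sha256
+
+rm -f leaf-from-intermediate-cert.csr
+
 #
 # agent1 is signed by ca1.
 #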
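Review bot: The two intermediate rules in the second hunk do not produce the files they are named after: `intermediate-ca-key.pem:` writes `intermediate.key` and `intermediate-ca-cert.pem:` writes `intermediate-ca.pem`, so the names added to `all` never exist and every `make` run regenerates the CA key and certificate, which then no longer match the committed leaf. Naming the targets after their outputs, `intermediate.key:` and `intermediate-ca.pem: intermediate.key`, and listing those names in `all` would match the fixtures committed here. The `leaf-from-intermediate-cert.pem` recipe repeats `openssl genrsa -out leaf-from-intermediate-key.pem 2048`, overwriting the key its prerequisite rule just made; that line can be dropped, and the rule should depend on the CA files it reads, `leaf-from-intermediate-cert.pem: leaf-from-intermediate-key.pem intermediate-ca.pem intermediate.key`. The `v3_ca` section comes from `fake-startcom-root.cnf`, which is not shown on this page, so it is worth confirming it sets `basicConstraints = CA:TRUE` for the intermediate.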
25 changes: 25 additions & 0 deletions test/fixtures/keys/intermediate-ca.pem
@@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions test/fixtures/keys/intermediate.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCnxoTNb1yErwbh
Cb+MmqWnLtQhZx/YUOme3vKdZIzI2koPjUr6Hz3m+m8npSZOxiPcETeGUCEqSjcb
0AI8nPUapAMFAz2PShKd/D0kBVOKLKryQz+M39nZ9B5eeeA1ttic2lncBoL6tGnZ
lcFATJ5cuH1Rgbsb8tZv4+cDOgx6EmwtCoLNdz9k6WqkU48+48zeWGk9ejN5Ewyl
XE0Bs2Tgq6NCRfleMSA4jlfb/QsuBehUbpLB8f3u4Fl0hamh6s25a/ZP3PP95neW
gcB3lBiR3tflP4YXxOA/CIBt2XcDRSPSh+WXPCnxk4K+rH4G6ZzYO6fXeVSTTjjO
EqPMm4oPAgMBAAECggEAAMP0GSfX6TcPNfmgaRjPhqq9BwX8bDU6S6JCwxsRVV1B
lz6Sx/9affJIjYrAWP2objmZ4j/9Vr8N70+MoxAoQh3bcatpHX0+BoB/Gun3TpsT
kJVj9dWTnd3yQYYW0sfpxxVr8YgKEvC9xuNbBVsUIeIpmDSaUO9TsSD+DdK2+duX
wKPjCe097669ZG994GP9ilG6FdfIlVNWHWPExmFgbx0ydXr97nDuurt72HnqCVRR
95g9SNAbkadUVj7iTSVovuaIQpQY4BMFICsGGRo10mMFGTzpAUwsl6OVZTUZXaST
dg/Wl8ZD98CucVFmk546pJrfPDvk+qLqt0hlkXA5mQKBgQDrqPCNzz/VhsIlTmuO
Dgmf4q9/hglR8JKjMQTuEXLGAhA09ZZrhKsGYSkciXEzmlL5mGZX+83Ss+ns8nI7
21e6ZYm5hokltVbZ2Of2xGyeZ0SZ22QwIm4Eg2MmEpmyXAMTKAfvuvfQW1dC0UXG
JEiRBYq3Chxv82ExmlkU5gZNIwKBgQC2QaCnPVV/VkwF0912lto8IRpwgZ0Jrj4b
xqKTCc7oFNzd4Ua/I0W9qPqR1ORyVpq0li7cjHDmFWCZZMbCgy7+g5eclaZ3qWZZ
Faj4rpv7y7ODKz2W2cmug9fWrrtsr96ohW1rfVn5racbHKAsT4f+RB+Gi1NK6aWp
tOmh4MRMJQKBgQDLSk5RluJTOc/LTO39emCVG4EXejIaDHUC8Ct3j3e6FleSx/S9
xZGfjDth0bLkuBEyHWTUK3UveWKns7IVrq7sLeF0OPmgnOFSRgo81s94ik8khpzT
5S+RFyJ12n/Z3AQPB25pQJm8lL8e9dbCCdTLvcMfCUrkzEgg+Sw1mgT/jwKBgQCM
7xbB/CW/AAZtgzV/3IsJcDe3xCKhN8IDTIiu1yjOQkPAt9EzQJ1PWfnZBx1YZSvg
dTnrhhZPdTxroYgpJbQTT8LPbNF7Ot1QCfXNx4gLH6vCxI8ttV/FuWIQOrHoC99L
xVGlixsmfWf5CRu66A0rS5ZtPhO8nAxkvOblLJ/emQKBgQCQkhBrZTDwgD4W6yxe
juo/H/y6PMD4vp68zk/GmuV7mzHpYg18+gGAI57dQoxWjjMxxhkB8WKpnEkXXiva
5YHq4ARUhXnPuNckvnOBj9jjy8HMeDKTPfZ6frv+B9i1y0N3ArerhPx44zCFpllH
BlVhzBa52wYAtbjg291+/G1ndw==
-----END PRIVATE KEY-----
Empty file.
22 changes: 22 additions & 0 deletions test/fixtures/keys/leaf-from-intermediate-cert.pem
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions test/fixtures/keys/leaf-from-intermediate-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
62 changes: 49 additions & 13 deletions test/parallel/test-native-certs.mjs
Expand Up @@ -18,18 +18,28 @@ if (!common.hasCrypto) {
// $ security add-trusted-cert \
// -k /Users/$USER/Library/Keychains/login.keychain-db \
// test/fixtures/keys/fake-startcom-root-cert.pem
// $ security add-certificates \
// -k /Users/$USER/Library/Keychains/login.keychain-db \
// test/fixtures/keys/intermediate-ca.pem
// 2. To remove the certificate:
// $ security delete-certificate -c 'StartCom Certification Authority' \
// -t /Users/$USER/Library/Keychains/login.keychain-db
// $ security delete-certificate -c 'NodeJS-Test-Intermediate-CA' \
// -t /Users/$USER/Library/Keychains/login.keychain-db
//
// On Windows:
// 1. To add the certificate in PowerShell (remember the thumbprint printed):
// $ Import-Certificate -FilePath .\test\fixtures\keys\fake-startcom-root-cert.cer \
// -CertStoreLocation Cert:\CurrentUser\Root
// $ Import-Certificate -FilePath .\test\fixtures\keys\intermediate-ca.pem \
// -CertStoreLocation Cert:\CurrentUser\CA
// 2. To remove the certificate by the thumbprint:
// $ $thumbprint = (Get-ChildItem -Path Cert:\CurrentUser\Root | \
// Where-Object { $_.Subject -match "StartCom Certification Authority" }).Thumbprint
// $ Remove-Item -Path "Cert:\CurrentUser\Root\$thumbprint"
// $ $thumbprint = (Get-ChildItem -Path Cert:\CurrentUser\CA | \
// Where-Object { $_.Subject -match "NodeJS-Test-Intermediate-CA" }).Thumbprint
// $ Remove-Item -Path "Cert:\CurrentUser\CA\$thumbprint"
//
// On Debian/Ubuntu:
// 1. To add the certificate:
Expand All @@ -56,22 +66,48 @@ const handleRequest = (req, res) => {
};

describe('use-system-ca', function() {
let server;

beforeEach(async function() {
server = https.createServer({
key: fixtures.readKey('agent8-key.pem'),
cert: fixtures.readKey('agent8-cert.pem'),

async function setupServer(key, cert) {
Comment thread
timja marked this conversation as resolved.
Outdated
const theServer = https.createServer({
key: fixtures.readKey(key),
cert: fixtures.readKey(cert),
}, handleRequest);
server.listen(0);
await once(server, 'listening');
});
theServer.listen(0);
await once(theServer, 'listening');

return theServer
}

describe('signed with a root certificate', () => {
let server;

it('can connect successfully with a trusted certificate', async function() {
await fetch(`https://localhost:${server.address().port}/hello-world`);
beforeEach(async function() {
server = await setupServer('agent8-key.pem', 'agent8-cert.pem');
});

it('can connect successfully', async function() {
await fetch(`https://localhost:${server.address().port}/hello-world`);
});

afterEach(async function() {
server?.close();
});
});

afterEach(async function() {
server?.close();
describe('signed with an intermediate CA certificate', () => {
let server;

beforeEach(async function() {
server = await setupServer('leaf-from-intermediate-key.pem', 'leaf-from-intermediate-cert.pem');
});

it('can connect successfully', async function() {
await fetch(`https://localhost:${server.address().port}/hello-world`);
});

afterEach(async function() {
server?.close();
});
});

});
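Review bot: The setup comment in the first hunk now has a developer add `intermediate-ca.pem` to the OS store, but its private key is committed in this same change as `test/fixtures/keys/intermediate.key`, so the comment should carry a caveat next to the removal steps, for example `// NOTE: the private keys for these test CAs are public in test/fixtures/keys; remove both certificates from the store as soon as the test has run.` The Debian/Ubuntu steps begin at the edge of that hunk, so whether they also cover the intermediate cannot be seen from here. In the second hunk, the intermediate case deserves a comment stating that the server presents only `leaf-from-intermediate-cert.pem`, so the connection can succeed only when the intermediate is read from the system store. `return theServer` is also missing the semicolon used by the surrounding lines.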