mirror of
https://github.com/nodejs/node.git
synced 2025-05-17 12:24:41 +00:00
3cf88a45e8
If configued with --openssl-use-def-ca-store --shared-openssl the
following error might be thrown:
assert.js:86
throw new assert.AssertionError({
^
AssertionError: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' === 'CERT_REVOKED'
at TLSSocket.client.on.common.mustCall
(/Users/danielbevenius/work/nodejs/node/test/parallel/test-tls-cnnic-whitelist.js:71:14)
at TLSSocket.<anonymous>
(/Users/danielbevenius/work/nodejs/node/test/common.js:461:15)
at emitOne (events.js:115:13)
at TLSSocket.emit (events.js:210:7)
at emitErrorNT (net.js:1305:8)
at _combinedTickCallback (internal/process/next_tick.js:80:11)
at process._tickCallback (internal/process/next_tick.js:104:9)
In this case the CA's used will be the ones shipped with OpenSSL. For
tests though we should be able to specify --use-bundled-ca as a fix for
the above error, but this functionality was broken by me in commit
be98f26917
("src: exclude node_root_certs when use-def-ca-store").
That commit removed the abilty to use --use-bundled-ca if the build was
configured --openssl-use-def-ca-store.
PR-URL: https://github.com/nodejs/node/pull/12394
Reviewed-By: thefourtheye - Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
80 lines
2.0 KiB
JavaScript
80 lines
2.0 KiB
JavaScript
// Flags: --use-bundled-ca
|
|
'use strict';
|
|
const common = require('../common');
|
|
|
|
if (!common.hasCrypto) {
|
|
common.skip('missing crypto');
|
|
return;
|
|
}
|
|
|
|
const assert = require('assert');
|
|
const tls = require('tls');
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
|
|
function filenamePEM(n) {
|
|
return path.join(common.fixturesDir, 'keys', n + '.pem');
|
|
}
|
|
|
|
function loadPEM(n) {
|
|
return fs.readFileSync(filenamePEM(n));
|
|
}
|
|
|
|
const testCases = [
|
|
{ // Test 0: for the check of a cert not existed in the whitelist.
|
|
// agent7-cert.pem is issued by the fake CNNIC root CA so that its
|
|
// hash is not listed in the whitelist.
|
|
// fake-cnnic-root-cert has the same subject name as the original
|
|
// rootCA.
|
|
serverOpts: {
|
|
key: loadPEM('agent7-key'),
|
|
cert: loadPEM('agent7-cert')
|
|
},
|
|
clientOpts: {
|
|
port: undefined,
|
|
rejectUnauthorized: true,
|
|
ca: [loadPEM('fake-cnnic-root-cert')]
|
|
},
|
|
errorCode: 'CERT_REVOKED'
|
|
},
|
|
// Test 1: for the fix of node#2061
|
|
// agent6-cert.pem is signed by intermidate cert of ca3.
|
|
// The server has a cert chain of agent6->ca3->ca1(root) but
|
|
// tls.connect should be failed with an error of
|
|
// UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
|
|
// installed locally.
|
|
{
|
|
serverOpts: {
|
|
ca: loadPEM('ca3-key'),
|
|
key: loadPEM('agent6-key'),
|
|
cert: loadPEM('agent6-cert')
|
|
},
|
|
clientOpts: {
|
|
port: undefined,
|
|
rejectUnauthorized: true
|
|
},
|
|
errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
|
|
}
|
|
];
|
|
|
|
function runTest(tindex) {
|
|
const tcase = testCases[tindex];
|
|
|
|
if (!tcase) return;
|
|
|
|
const server = tls.createServer(tcase.serverOpts, (s) => {
|
|
s.resume();
|
|
}).listen(0, common.mustCall(function() {
|
|
tcase.clientOpts = this.address().port;
|
|
const client = tls.connect(tcase.clientOpts);
|
|
client.on('error', common.mustCall((e) => {
|
|
assert.strictEqual(e.code, tcase.errorCode);
|
|
server.close(common.mustCall(() => {
|
|
runTest(tindex + 1);
|
|
}));
|
|
}));
|
|
}));
|
|
}
|
|
|
|
runTest(0);
|