You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

80 lines
2.0 KiB

// Flags: --use-bundled-ca
'use strict';
const common = require('../common');
if (!common.hasCrypto) {
common.skip('missing crypto');
return;
}
const assert = require('assert');
const tls = require('tls');
const fs = require('fs');
const path = require('path');
function filenamePEM(n) {
return path.join(common.fixturesDir, 'keys', `${n}.pem`);
}
function loadPEM(n) {
return fs.readFileSync(filenamePEM(n));
}
const testCases = [
{ // Test 0: for the check of a cert not existed in the whitelist.
// agent7-cert.pem is issued by the fake CNNIC root CA so that its
// hash is not listed in the whitelist.
// fake-cnnic-root-cert has the same subject name as the original
// rootCA.
serverOpts: {
key: loadPEM('agent7-key'),
cert: loadPEM('agent7-cert')
},
clientOpts: {
port: undefined,
rejectUnauthorized: true,
ca: [loadPEM('fake-cnnic-root-cert')]
},
errorCode: 'CERT_REVOKED'
},
// Test 1: for the fix of node#2061
// agent6-cert.pem is signed by intermidate cert of ca3.
// The server has a cert chain of agent6->ca3->ca1(root) but
// tls.connect should be failed with an error of
// UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
// installed locally.
{
serverOpts: {
ca: loadPEM('ca3-key'),
key: loadPEM('agent6-key'),
cert: loadPEM('agent6-cert')
},
clientOpts: {
port: undefined,
rejectUnauthorized: true
},
errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
];
function runTest(tindex) {
const tcase = testCases[tindex];
if (!tcase) return;
const server = tls.createServer(tcase.serverOpts, (s) => {
s.resume();
}).listen(0, common.mustCall(function() {
tcase.clientOpts = this.address().port;
const client = tls.connect(tcase.clientOpts);
client.on('error', common.mustCall((e) => {
assert.strictEqual(e.code, tcase.errorCode);
server.close(common.mustCall(() => {
runTest(tindex + 1);
}));
}));
}));
}
runTest(0);