|
|
|
// Flags: --use-bundled-ca
|
|
|
|
'use strict';
|
|
|
|
const common = require('../common');
|
|
|
|
|
|
|
|
if (!common.hasCrypto) {
|
|
|
|
common.skip('missing crypto');
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
const assert = require('assert');
|
|
|
|
const tls = require('tls');
|
|
|
|
const fs = require('fs');
|
|
|
|
const path = require('path');
|
|
|
|
|
|
|
|
function filenamePEM(n) {
|
|
|
|
return path.join(common.fixturesDir, 'keys', `${n}.pem`);
|
|
|
|
}
|
|
|
|
|
|
|
|
function loadPEM(n) {
|
|
|
|
return fs.readFileSync(filenamePEM(n));
|
|
|
|
}
|
|
|
|
|
|
|
|
const testCases = [
|
|
|
|
{ // Test 0: for the check of a cert not existed in the whitelist.
|
|
|
|
// agent7-cert.pem is issued by the fake CNNIC root CA so that its
|
|
|
|
// hash is not listed in the whitelist.
|
|
|
|
// fake-cnnic-root-cert has the same subject name as the original
|
|
|
|
// rootCA.
|
|
|
|
serverOpts: {
|
|
|
|
key: loadPEM('agent7-key'),
|
|
|
|
cert: loadPEM('agent7-cert')
|
|
|
|
},
|
|
|
|
clientOpts: {
|
|
|
|
port: undefined,
|
|
|
|
rejectUnauthorized: true,
|
|
|
|
ca: [loadPEM('fake-cnnic-root-cert')]
|
|
|
|
},
|
|
|
|
errorCode: 'CERT_REVOKED'
|
|
|
|
},
|
|
|
|
// Test 1: for the fix of node#2061
|
|
|
|
// agent6-cert.pem is signed by intermidate cert of ca3.
|
|
|
|
// The server has a cert chain of agent6->ca3->ca1(root) but
|
|
|
|
// tls.connect should be failed with an error of
|
|
|
|
// UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
|
|
|
|
// installed locally.
|
|
|
|
{
|
|
|
|
serverOpts: {
|
|
|
|
ca: loadPEM('ca3-key'),
|
|
|
|
key: loadPEM('agent6-key'),
|
|
|
|
cert: loadPEM('agent6-cert')
|
|
|
|
},
|
|
|
|
clientOpts: {
|
|
|
|
port: undefined,
|
|
|
|
rejectUnauthorized: true
|
|
|
|
},
|
|
|
|
errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
|
|
|
function runTest(tindex) {
|
|
|
|
const tcase = testCases[tindex];
|
|
|
|
|
|
|
|
if (!tcase) return;
|
|
|
|
|
|
|
|
const server = tls.createServer(tcase.serverOpts, (s) => {
|
|
|
|
s.resume();
|
|
|
|
}).listen(0, common.mustCall(function() {
|
|
|
|
tcase.clientOpts = this.address().port;
|
|
|
|
const client = tls.connect(tcase.clientOpts);
|
|
|
|
client.on('error', common.mustCall((e) => {
|
|
|
|
assert.strictEqual(e.code, tcase.errorCode);
|
|
|
|
server.close(common.mustCall(() => {
|
|
|
|
runTest(tindex + 1);
|
|
|
|
}));
|
|
|
|
}));
|
|
|
|
}));
|
|
|
|
}
|
|
|
|
|
|
|
|
runTest(0);
|