You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

147 lines
5.2 KiB

'use strict';
const common = require('../common');
if (!common.hasCrypto) {
common.skip('missing crypto');
return;
}
const assert = require('assert');
const crypto = require('crypto');
const fs = require('fs');
const tls = require('tls');
crypto.DEFAULT_ENCODING = 'buffer';
// Test Certificates
const caPem = fs.readFileSync(common.fixturesDir + '/test_ca.pem', 'ascii');
const certPem = fs.readFileSync(common.fixturesDir + '/test_cert.pem', 'ascii');
const certPfx = fs.readFileSync(common.fixturesDir + '/test_cert.pfx');
const keyPem = fs.readFileSync(common.fixturesDir + '/test_key.pem', 'ascii');
// 'this' safety
// https://github.com/joyent/node/issues/6690
assert.throws(function() {
const options = {key: keyPem, cert: certPem, ca: caPem};
const credentials = tls.createSecureContext(options);
const context = credentials.context;
const notcontext = { setOptions: context.setOptions, setKey: context.setKey };
tls.createSecureContext({ secureOptions: 1 }, notcontext);
}, /^TypeError: Illegal invocation$/);
// PFX tests
assert.doesNotThrow(function() {
tls.createSecureContext({pfx: certPfx, passphrase: 'sample'});
});
assert.throws(function() {
tls.createSecureContext({pfx: certPfx});
}, /^Error: mac verify failure$/);
assert.throws(function() {
tls.createSecureContext({pfx: certPfx, passphrase: 'test'});
}, /^Error: mac verify failure$/);
assert.throws(function() {
tls.createSecureContext({pfx: 'sample', passphrase: 'test'});
}, /^Error: not enough data$/);
// update() should only take buffers / strings
assert.throws(function() {
crypto.createHash('sha1').update({foo: 'bar'});
}, /^TypeError: Data must be a string or a buffer$/);
function assertSorted(list) {
// Array#sort() modifies the list in place so make a copy.
const sorted = list.slice().sort();
assert.deepStrictEqual(list, sorted);
}
// Assume that we have at least AES-128-CBC.
assert.notStrictEqual(0, crypto.getCiphers().length);
assert(crypto.getCiphers().includes('aes-128-cbc'));
assert(!crypto.getCiphers().includes('AES-128-CBC'));
assertSorted(crypto.getCiphers());
// Assume that we have at least AES256-SHA.
assert.notStrictEqual(0, tls.getCiphers().length);
assert(tls.getCiphers().includes('aes256-sha'));
assert(!tls.getCiphers().includes('AES256-SHA'));
assertSorted(tls.getCiphers());
// Assert that we have sha and sha1 but not SHA and SHA1.
assert.notStrictEqual(0, crypto.getHashes().length);
assert(crypto.getHashes().includes('sha1'));
assert(crypto.getHashes().includes('sha'));
assert(!crypto.getHashes().includes('SHA1'));
assert(!crypto.getHashes().includes('SHA'));
assert(crypto.getHashes().includes('RSA-SHA1'));
assert(!crypto.getHashes().includes('rsa-sha1'));
assertSorted(crypto.getHashes());
// Assume that we have at least secp384r1.
assert.notStrictEqual(0, crypto.getCurves().length);
assert(crypto.getCurves().includes('secp384r1'));
assert(!crypto.getCurves().includes('SECP384R1'));
assertSorted(crypto.getCurves());
// Regression tests for #5725: hex input that's not a power of two should
// throw, not assert in C++ land.
assert.throws(function() {
crypto.createCipher('aes192', 'test').update('0', 'hex');
}, common.hasFipsCrypto ? /not supported in FIPS mode/ : /Bad input string/);
assert.throws(function() {
crypto.createDecipher('aes192', 'test').update('0', 'hex');
}, common.hasFipsCrypto ? /not supported in FIPS mode/ : /Bad input string/);
assert.throws(function() {
crypto.createHash('sha1').update('0', 'hex');
}, /^TypeError: Bad input string$/);
assert.throws(function() {
crypto.createSign('RSA-SHA1').update('0', 'hex');
}, /^TypeError: Bad input string$/);
assert.throws(function() {
crypto.createVerify('RSA-SHA1').update('0', 'hex');
}, /^TypeError: Bad input string$/);
assert.throws(function() {
const priv = [
'-----BEGIN RSA PRIVATE KEY-----',
'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4',
'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy',
'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/',
'Ig6/HueCK/0Jkmp+',
'-----END RSA PRIVATE KEY-----',
''
].join('\n');
crypto.createSign('RSA-SHA256').update('test').sign(priv);
}, /digest too big for rsa key$/);
assert.throws(function() {
// The correct header inside `test_bad_rsa_privkey.pem` should have been
// -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
// instead of
// -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
// It is generated in this way:
// $ openssl genrsa -out mykey.pem 512;
// $ openssl pkcs8 -topk8 -inform PEM -outform PEM -in mykey.pem \
// -out private_key.pem -nocrypt;
// Then open private_key.pem and change its header and footer.
const sha1_privateKey = fs.readFileSync(common.fixturesDir +
'/test_bad_rsa_privkey.pem', 'ascii');
// this would inject errors onto OpenSSL's error stack
crypto.createSign('sha1').sign(sha1_privateKey);
}, /asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag/);
// Make sure memory isn't released before being returned
console.log(crypto.randomBytes(16));
crypto: fix handling of root_cert_store. SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: https://github.com/nodejs/node/pull/9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
8 years ago
assert.throws(function() {
tls.createSecureContext({ crl: 'not a CRL' });
}, /^Error: Failed to parse CRL$/);