TLS: emit 'secureConnection' instead of two events

14 years ago · 0ea0b921b7
2 changed files with 30 additions and 24 deletions
--- a/lib/tls.js
+++ b/lib/tls.js
@ -438,12 +438,14 @@ SecurePair.prototype.getCipher = function(err) {
 // - cert: string.
 // - ca: string or array of strings.
 //
-// emit 'authorized'
-//   function (cleartext) { }
+// emit 'secureConnection'
+//   function (cleartextStream, encryptedStream) { }
+//
+//   'cleartextStream' has the boolean property 'authorized' to determine if
+//   it was verified by the CA. If 'authorized' is false, a property
+//   'authorizationError' is set on cleartextStream and has the possible
+//   values:
 //
-// emit 'unauthorized'
-//   function (cleartext, verifyError) { }
-//   Possible errors:
 //   "UNABLE_TO_GET_ISSUER_CERT", "UNABLE_TO_GET_CRL",
 //   "UNABLE_TO_DECRYPT_CERT_SIGNATURE", "UNABLE_TO_DECRYPT_CRL_SIGNATURE",
 //   "UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY", "CERT_SIGNATURE_FAILURE",
@ -489,19 +491,23 @@ function Server(/* [options], listener */) {
    socket.pipe(pair.encrypted);

    pair.on('secure', function() {
+      pair.cleartext.authorized = false;
      if (!self.requestCert) {
-        self.emit('unauthorized', pair.cleartext);
+        self.emit('secureConnection', pair.cleartext, pair.encrypted);
      } else {
        var verifyError = pair._ssl.verifyError();
        if (verifyError) {
+          pair.cleartext.authorizationError = verifyError;
+
          if (self.rejectUnauthorized) {
            socket.destroy();
            pair._destroy();
          } else {
-            self.emit('unauthorized', pair.cleartext, verifyError);
+            self.emit('secureConnection', pair.cleartext, pair.encrypted);
          }
        } else {
-          self.emit('authorized', pair.cleartext);
+          pair.cleartext.authorized = true;
+          self.emit('secureConnection', pair.cleartext, pair.encrypted);
        }
      }
    });
@ -521,8 +527,7 @@ function Server(/* [options], listener */) {
  });

  if (listener) {
-    this.on('authorized', listener);
-    this.on('unauthorized', listener);
+    this.on('secureConnection', listener);
  }

  // Handle option defaults:
--- a/test/simple/test-tls-server-verify.js
+++ b/test/simple/test-tls-server-verify.js
@ -177,24 +177,25 @@ function runTest (testIndex) {

  var cas = tcase.CAs.map(loadPEM);

-  var server = tls.Server({ key: serverKey,
-                            cert: serverCert,
-                            ca: cas,
-                            requestCert: tcase.requestCert,
-                            rejectUnauthorized: tcase.rejectUnauthorized });
+  var serverOptions = {
+    key: serverKey,
+    cert: serverCert,
+    ca: cas,
+    requestCert: tcase.requestCert,
+    rejectUnauthorized: tcase.rejectUnauthorized
+  };

  var connections = 0;

-  server.on('authorized', function(c) {
+  var server = tls.Server(serverOptions, function (c) {
    connections++;
-    console.error('- authed connection');
-    c.write('\n_authed\n');
-  });
-
-  server.on('unauthorized', function(c, e) {
-    connections++;
-    console.error('- unauthed connection: %s', e);
-    c.write('\n_unauthed\n');
+    if (c.authorized) {
+      console.error('- authed connection');
+      c.write('\n_authed\n');
+    } else {
+      console.error('- unauthed connection: %s', c.authorizationError);
+      c.write('\n_unauthed\n');
+    }
  });

  function runNextClient (clientIndex) {