diff --git a/lib/tls.js b/lib/tls.js
index fe05ff5c74..c8e7fcb1a6 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -492,7 +492,7 @@ function Server(/* [options], listener */) {
 pair.encrypted.pipe(socket);
 socket.pipe(pair.encrypted);
- pair.on('secure', function(verifyError) {
+ pair.on('secure', function() {
 if (!self.requestCert) {
 self.emit('unauthorized', pair.cleartext);
 } else {
diff --git a/test/fixtures/keys/agent1-cert.pem b/test/fixtures/keys/agent1-cert.pem
new file mode 100644
index 0000000000..9796800fa0
--- /dev/null
+++ b/test/fixtures/keys/agent1-cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvTCCASYCCQCvwklkWmMPbzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMB4XDTEwMTIwNjA0MTgzMFoXDTExMDEwNTA0MTgzMFowRTELMAkG
+A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
+IFdpZGdpdHMgUHR5IEx0ZDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQD9JxFi0amR
+7dROTGDs1dUFYWfAp6Z7LvkTnRtFHBBNdk2TCSC1Zz8SLxMVIlfyT08GW/vNVxyH
+ExtfhS86o/kdAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAT70viMg4+FYnhEAkAISs
+uXh8D3SqCGsVqaiQP/6jZGAbLfX1QrbI/SAnaCrLX5pjsb5oBfv1tMbF3MBeYC2q
+SJz/tzUc8FaP3l8mUM8UuPNTo1iNBUmR0VfliC4lE5Lvh39EbqGs630mmScHYLCW
+WA518TIEw1K8CsrkYu63Ueo=
+-----END CERTIFICATE-----
diff --git a/test/fixtures/keys/agent1-csr.pem b/test/fixtures/keys/agent1-csr.pem
new file mode 100644
index 0000000000..0c11ae5b7e
--- /dev/null
+++ b/test/fixtures/keys/agent1-csr.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGqAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF
+AANLADBIAkEA/ScRYtGpke3UTkxg7NXVBWFnwKemey75E50bRRwQTXZNkwkgtWc/
+Ei8TFSJX8k9PBlv7zVcchxMbX4UvOqP5HQIDAQABoAAwDQYJKoZIhvcNAQEFBQAD
+QQC0NPuOJB+Ustg8uBUKq0btzWii2vNWlmcDR5E9gf/egVRndSNMB+KWZtNiBe0g
+Z/0TM0zIty4gBCTBahpkd0yw
+-----END CERTIFICATE REQUEST-----
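Review bot: The `!self.requestCert` branch emits `'unauthorized'` with only `pair.cleartext`, while the test added in this commit registers `function(c, e)` for that event and logs `e`, so the listener gets `undefined` as the reason whenever no client certificate was requested. With the `verifyError` parameter removed, the `else` branch (which continues outside this hunk) presumably obtains the verification result some other way; please confirm it cannot fall through to `'authorized'` when that result is missing. I would add a comment above the branch such as `// No client cert was requested, so the peer is never authenticated; 'unauthorized' is emitted without an error argument.` so that callers do not read delivery of a stream on this event as an authentication decision.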
diff --git a/test/fixtures/keys/agent1-key.pem b/test/fixtures/keys/agent1-key.pem
new file mode 100644
index 0000000000..70ad689deb
--- /dev/null
+++ b/test/fixtures/keys/agent1-key.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOgIBAAJBAP0nEWLRqZHt1E5MYOzV1QVhZ8Cnpnsu+ROdG0UcEE12TZMJILVn
+PxIvExUiV/JPTwZb+81XHIcTG1+FLzqj+R0CAwEAAQJAfDTd7+lE1KenAh+xcqJb
+2T74Y+sd4NSkOr5bseXaDdai2tBTLg+WFSuNYz6+Ots/22JTcWWMR2J86IfFNiGJ
+4QIhAP/44ymsR9QjN0XOfaKI994jlbnGhp4HMN1PFUkhA711AiEA/S4aKosF/NxP
+LJeFyFrdJcnclUoe2GByJqpXmkKfEAkCIQC+gfZPpbEv6aXRhoVq2pXf9owQ3/iA
+1MlBbQJikve9oQIgBV6q82gLcneBvmJgVgWHVzvWz9vIl7JD+Yn3XbA4C3ECIGjp
+eu/FQAYgB5y1DpwWejth/iva2OTg8j65ze524S62
+-----END RSA PRIVATE KEY-----
diff --git a/test/fixtures/keys/agent2-cert.pem b/test/fixtures/keys/agent2-cert.pem
new file mode 100644
index 0000000000..a2ddf52930
--- /dev/null
+++ b/test/fixtures/keys/agent2-cert.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBfDCCASYCCQCojwzqgiZi4jANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMB4XDTEwMTIwNjA0MTg0N1oXDTExMDEwNTA0MTg0N1owRTELMAkG
+A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
+IFdpZGdpdHMgUHR5IEx0ZDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDjl3L8IstA
+r6OakBtAh9WRpnhqzfdAgbSIAX43jr/uxovu9S9TNc9qK0WyMAbJVePHuRwDtgTr
+957EUd4LLGUzAgMBAAEwDQYJKoZIhvcNAQEFBQADQQCN78Y26RpPlfDm5uDSoAgU
+hY09yDWKp0he03SH3V5AW/WMwT6Q6K2+ATK4g/W8f8+ZmS3FIff7Atcc6to3Lez7
+-----END CERTIFICATE-----
diff --git a/test/fixtures/keys/agent2-csr.pem b/test/fixtures/keys/agent2-csr.pem
new file mode 100644
index 0000000000..8921a1c1de
--- /dev/null
+++ b/test/fixtures/keys/agent2-csr.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGqAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF
+AANLADBIAkEA45dy/CLLQK+jmpAbQIfVkaZ4as33QIG0iAF+N46/7saL7vUvUzXP
+aitFsjAGyVXjx7kcA7YE6/eexFHeCyxlMwIDAQABoAAwDQYJKoZIhvcNAQEFBQAD
+QQC0HpucL+WqX0AkP5y/644GyTjrq1rxsoWm0708pAdInMjBTNQicjVfFWcoTTQA
+zPQBqOuEsNtktcJyYfryhtWW
+-----END CERTIFICATE REQUEST-----
diff --git a/test/fixtures/keys/agent2-key.pem b/test/fixtures/keys/agent2-key.pem
new file mode 100644
index 0000000000..c6cee34bbf
--- /dev/null
+++ b/test/fixtures/keys/agent2-key.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBAOOXcvwiy0Cvo5qQG0CH1ZGmeGrN90CBtIgBfjeOv+7Gi+71L1M1
+z2orRbIwBslV48e5HAO2BOv3nsRR3gssZTMCAwEAAQJBAMlC7dEgZ8NNTw1o8GCR
+foCtyQESINtvmBlJ0LcKypo4WLb2OkI2T/kG8mnoiUM2GyTf8MMGh7V5DeZskh3L
+pNkCIQD89pQtqNsDxC/vujdDIlT/0gHhUOZsnIXHZpYv+fzJfQIhAOZS5ZjkNpvb
+YcTqpk2HNgu0wFW0nKJ5bnFaTaPjY6hvAiBoDsrPqYlGmFqbw79d126duXbah9vx
+y8VgTDv1ymEJRQIhAJuWHhD1AMqyHM53sFWo4+JufIqo0jKTEv8xgEcYgSazAiEA
+hWqzWF/qpQ/JT/QaNE6agQWV6MydGAce56EGcpp22mA=
+-----END RSA PRIVATE KEY-----
diff --git a/test/fixtures/keys/agent3-cert.pem b/test/fixtures/keys/agent3-cert.pem
new file mode 100644
index 0000000000..eb3c248e39
--- /dev/null
+++ b/test/fixtures/keys/agent3-cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvTCCASYCCQDXXCDdhOcSNTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
+VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMB4XDTEwMTIwNjA0NDMwOVoXDTExMDEwNTA0NDMwOVowRTELMAkG
+A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
+IFdpZGdpdHMgUHR5IEx0ZDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDNOPrBqq2b
+/gxs0WELdkSHvAkjJdEjuWia2Q+FI3v5asDXj6w4t+ZY46m6D3PCgTZ9FJmZjUH2
+prGyMbBS3Uf9AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAabTyzBk4tlG08+FTZtdb
+5bDELkPVHNCQapQVsKYqnnKzt3xLjIOEoSa67pKXm2gcupiVYOmC0Pz76pZinRhH
+IJ8gVp7dhv0sdog6+VMfrMTlR7gUEu7gQHF69ras7oswPV/kNH4YVljqUQpVDs+4
+VgOaivgOfhPZb4H5tz/P1Ms=
+-----END CERTIFICATE-----
diff --git a/test/fixtures/keys/agent3-csr.pem b/test/fixtures/keys/agent3-csr.pem
new file mode 100644
index 0000000000..4883051dea
--- /dev/null
+++ b/test/fixtures/keys/agent3-csr.pem
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGqAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF
+AANLADBIAkEAzTj6waqtm/4MbNFhC3ZEh7wJIyXRI7lomtkPhSN7+WrA14+sOLfm
+WOOpug9zwoE2fRSZmY1B9qaxsjGwUt1H/QIDAQABoAAwDQYJKoZIhvcNAQEFBQAD
+QQCsta4frzeUIkZrqt3EEG9cAI1FTGphl/5bA0fYpIlZOanR5V6kKPG6mgXiHDaN
+r46fwkE/AKS7mnIz6XGzXfCn
+-----END CERTIFICATE REQUEST-----
diff --git a/test/fixtures/keys/agent3-key.pem b/test/fixtures/keys/agent3-key.pem
new file mode 100644
index 0000000000..d914912f5b
--- /dev/null
+++ b/test/fixtures/keys/agent3-key.pem
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBAM04+sGqrZv+DGzRYQt2RIe8CSMl0SO5aJrZD4Uje/lqwNePrDi3
+5ljjqboPc8KBNn0UmZmNQfamsbIxsFLdR/0CAwEAAQJAT3v9KxtXCG76Ev95bb4N
+xuCeTV2tRf/esvLVHwTiVHRBw3ZcU4VsIwarwQy/CkPwGtWT91AN/xAgvLptwwmE
+AQIhAOuymRnLkS795CluenO5ybuF53ro3S9wFBY9jYJX46L9AiEA3uZfEeNTUVYR
+dJ56zqUxfakguhF/ibHT/lXRgkpVyQECIQCuRk5h/l0JS/2KjP/J1dPN7kKsZMY3
+Lz4K+9RITkgo2QIgTABs5iKG5DLenM70vMUizOAAIrGYtRCHYi9M0ooaGgECIQDK
+nWMUePU/NHBC2AYyp9KzF8ZEBIcItgppTeNtkdF7mw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/fixtures/keys/ca1-cert.pem b/test/fixtures/keys/ca1-cert.pem
new file mode 100644
index 0000000000..3d3faa0820
--- /dev/null
+++ b/test/fixtures/keys/ca1-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWDCCAcGgAwIBAgIJAPlzZCsvV/DFMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTAxMjA2MDQxNzA3WhcNMTEwMTA1MDQxNzA3WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQC/HthOlERITtsUA7FJ0l/U4qFNLri6QKLRoHPn8tGRCXDg/jEAh/pwrycIjvA4
+V66RatOhdxC7bGDC2FOjoofMNHTsdXoCoC9f9pNoU5BlLoal12V5gfL+AklJNJny
+lL15FnmiQdUThLGDhRM918bWQdJTRJ+dkyVlUink/5wlxQIDAQABo1AwTjAdBgNV
+HQ4EFgQU5LAV1SB/xh57MHsWgEwl8MpiDhYwHwYDVR0jBBgwFoAU5LAV1SB/xh57
+MHsWgEwl8MpiDhYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAqgne5
+uBwDiQaCuWkBHDw5WGtcvzqc0HIoQ+qopwfTxGNaLv0dZ7N3wGsGIqSh0OCMYgxA
+0Ku7hdL9faEHrq8f2T6yUUMMDcMLOJgFDESl/hip8jRdCZy45CWAJNpQ8PfshSkR
+b/oae/TW79lT9Y5uzcV4YRwPFNU6RREuxq++hA==
+-----END CERTIFICATE-----
diff --git a/test/fixtures/keys/ca1-cert.srl b/test/fixtures/keys/ca1-cert.srl
new file mode 100644
index 0000000000..4d1c4b073d
--- /dev/null
+++ b/test/fixtures/keys/ca1-cert.srl
@@ -0,0 +1 @@
+AFC249645A630F6F
diff --git a/test/fixtures/keys/ca1-key.pem b/test/fixtures/keys/ca1-key.pem
new file mode 100644
index 0000000000..0f6653b11e
--- /dev/null
+++ b/test/fixtures/keys/ca1-key.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIztmO4Z3hxi4CAggA
+MBQGCCqGSIb3DQMHBAgUmHxBmTJBNASCAoCeXNS3EkxMoX4QuAT4BIQF/qgXBiOV
+rcO8D5fHCca8kolzxOyk0LduS327TL2CAjKSK9NmpsQzZRQOWlKasmsWHzBD8I34
+AWcSbtAL+GGAgnD7XwFUPYHNzWVad5mmDJPWtsQMkcx6plwvQLFFvUAL5nmRe4vE
+5Brp88UvRp8wGzyBiotTzGbITdZEyKFLYVAni0KeApx2rqwAigmmWTqY2jXnUAxG
+zS8b9xy+aDya+UYQooFmYRLlQ8PlKl6B/zW/po/DJ38CofaSIR4zRWDs3lJrt4fL
+Q0hLJwz6ATRIOwGWxR2oQQ+1qgBr9Y4hhxk5tLSjDd0turiEwgul8cgJdHbshuan
+sD7J3k3teo2u/fR0CmYCo42l3hnGkvYPOdoXYfXDz3804a4ZkZhnsRMl5oH66ElZ
+MEmCY4t4VhsQTXleV1b6lK43vrKV+pSollrLvBKQhk3k+v0lq2wmBXsm4rB1vVv4
+KDgdOD7ITYte3C+EvaEwbnqaUYfURAYeF+td0212/wiwFIYhicjrwzN2Cq0E29pj
+23Vbe0JIwnpG6lfmzKVqmN3NT+e2e9G0zP7g3tDaWE4sUCcHxkgK7kmBryj272+j
+S4WClFgtSr/QJ/cNvU6Qlr8oO6EIG1rJuY1eLX/tHtbAwsDREXf612qtnFEXgFTA
+5QQmp02BPq2DCSJEOfQIN2LeaYJM0mFrotDCbtdS1Pje791CJq3C/+4h3gOye0br
+5QwiKb5IcgS5hAMu2ghhU01zmClDbFa98zIe3D8pjdrYt8zrZVVCTopcWxY6LU3g
+wvh9cdSKJ/Hgq3yRrnBwSolHUP9vMyC/EXRJ/T1CQHABjq0HNLOwhXuq
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/fixtures/keys/ca2-cert.pem b/test/fixtures/keys/ca2-cert.pem
new file mode 100644
index 0000000000..055d6d3df5
--- /dev/null
+++ b/test/fixtures/keys/ca2-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWDCCAcGgAwIBAgIJAKXrRJ3rkOnNMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTAxMjA2MDQxNzI4WhcNMTEwMTA1MDQxNzI4WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDW5D3i3vuLpsekzkvF+pyZq6YDzESJQh0uGpWTk0oyBe/BCiTwHtZwyPpvO6UQ
+wpBPSMfwgmY30HoofXSKSBGW5ixyLvVa+brvJ0etqnNojI0NcNBk0/b+ynOCJ3A8
+O/fFotYdsg9C1sDusW2htymyYvEfyxX7/WR7+u+b5vclCwIDAQABo1AwTjAdBgNV
+HQ4EFgQUpKdzYuzbjpcqwWDiB8SgFiy3WxkwHwYDVR0jBBgwFoAUpKdzYuzbjpcq
+wWDiB8SgFiy3WxkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAkc5++
+vmqCTlTzfNHL0cV24M8FR9Xl/4UOqbxl/pfyXXrGbZleww0B0EPXW5cjRW2Kb3FC
+kLznCyLJQ62pcSSvsQeQGayYmrmDiImmw+sfezrte27RNWqmqxl5w/r0Jte4xszC
+OP6UKrFcr2XXty/koGlgIQtAU0JenKLZuLhW1A==
+-----END CERTIFICATE-----
diff --git a/test/fixtures/keys/ca2-cert.srl b/test/fixtures/keys/ca2-cert.srl
new file mode 100644
index 0000000000..56dcb19f1a
--- /dev/null
+++ b/test/fixtures/keys/ca2-cert.srl
@@ -0,0 +1 @@
+D75C20DD84E71235
diff --git a/test/fixtures/keys/ca2-key.pem b/test/fixtures/keys/ca2-key.pem
new file mode 100644
index 0000000000..fe8fb01ef5
--- /dev/null
+++ b/test/fixtures/keys/ca2-key.pem
@@ -0,0 +1,17 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIH5Qu64G4EEACAggA
+MBQGCCqGSIb3DQMHBAjiP/COBBl6LwSCAoDJ7fSWqLoz0Xv4ASmipwDghszUQDEu
+sJyeehMxRNPNqarbvXPR/6GJtfoOyhcaWiCuRvsISL61B4mw90bbgcksscaXqXGU
+KsR5H10ut3hfFfDxvy2NYPGiowg2Kvfoe+4ENDqYb1ilWs9YaJ0rFcohweHfUNcV
+W5A3WRfZ1zRyfEYlBbCpq45eMkxWCJ2X2YgqaK9itynqYbuBVXgqK+qP6rTSxvDC
+GZ+POdiT0GHcPQ2Z79NIEQI7kyzcQkJ0IzWqgIRNyrmIzBP0Et/zH/Z+Y6/5q+vX
+2fl0ox4IkDiTWVER8lN8E0u5w1pCBD0NFtwqTXC3HMqnYKJDRAaqK0Fad5qVCwZq
+bKjXT7xWB2QqrZ4T3Nf/cLnd/fb1sRE6oYfLG706lY7dYh1RpIITZLavmceMSDfG
+emwaSS4RoTJOpuOufUCrrFHW2EB+BgCADBgS4uD5PsrOvRLUj0CekTkJOJV0RFpY
+K12Pp5wk3y+69IsD2jlUO50Bx2hZz10snvBCbJhLIDf9VSy9pPunOXqsr+i3MY8v
+WdusJYnRxXN6ZbAb4d/Zi3mE3kcTG3YUwAIJiELAhWkZqRpK/O9SMXRb4+EMZ1nT
+LSicMzLfhRdY/IqrV5PGvcmyJUffAD2PF4dXX4cEqyODFBet7/6zIEIhivuEATad
+qNwE32FJxKpULPsLXgzSeIaZn71KrKiHaBIjRdGmfH7txBHIEwIW+fX2LzreZBqP
+LuYPFpTEvDCdJ7mcRLSrSCixyZRAQVqJEXcP2OpTb0lfqPlpE+AoMdpeUEdj9Jci
+ndyjWhrC/2emjHoHb1wrVVv4KdGcyz+uHdgFwXjtKugAYGA1Pb5Hq640
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/test/fixtures/keys/cmds.txt b/test/fixtures/keys/cmds.txt
new file mode 100644
index 0000000000..2ae9cfcc09
--- /dev/null
+++ b/test/fixtures/keys/cmds.txt
@@ -0,0 +1,49 @@
+# Create Certificate Authority: ca1
+#
+# ('password' is used for the CA password.)
+openssl req -new -x509 -extensions v3_ca -keyout ca1-key.pem -out ca1-cert.pem
+
+# Create Certificate Authority: ca2
+#
+# ('password' is used for the CA password.)
+openssl req -new -x509 -extensions v3_ca -keyout ca2-key.pem -out ca2-cert.pem
+
+
+#
+# agent1 is signed by ca1.
+#
+# Generate new private key
+openssl genrsa -out agent1-key.pem
+# Create a Certificate Signing Request for the key
+openssl req -new -key agent1-key.pem -out agent1-csr.pem
+# Create a Certificate for the agent.
+openssl x509 -req -in agent1-csr.pem -CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial -out agent1-cert.pem
+
+
+
+#
+# agent2 has a self signed cert
+#
+# Generate new private key
+openssl genrsa -out agent2-key.pem
+# Create a Certificate Signing Request for the key
+openssl req -new -key agent2-key.pem -out agent2-csr.pem
+# Create a Certificate for the agent.
+openssl x509 -req -in agent2-csr.pem -signkey agent2-key.pem -out agent2-cert.pem
+
+
+
+#
+# agent3 is signed by ca2.
+#
+# Generate new private key
+openssl genrsa -out agent3-key.pem
+# Create a Certificate Signing Request for the key
+openssl req -new -key agent3-key.pem -out agent3-csr.pem
+# Create a Certificate for the agent.
+openssl x509 -req -in agent3-csr.pem -CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial -out agent3-cert.pem
+
+
+#### TODO: agent on CRL
+
+
diff --git a/test/simple/test-tls-server-verify.js b/test/simple/test-tls-server-verify.js
new file mode 100644
index 0000000000..d2a797e071
--- /dev/null
+++ b/test/simple/test-tls-server-verify.js
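Review bot: None of the `openssl req -new -x509` or `openssl x509 -req` commands pass `-days`, so the CA and agent certificates get OpenSSL's default 30-day validity, and the committed certificates appear to carry a lifetime of about a month. Once they expire, agent1 will presumably stop verifying against ca1 and the `shouldAuth: true` cases in test-tls-server-verify.js will fail for a reason unrelated to the code under test. I would state the lifetime explicitly, e.g. `openssl x509 -req -days 9999 -in agent1-csr.pem -CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial -out agent1-cert.pem`, with the same flag on the two CA commands and the agent2 and agent3 commands. `openssl genrsa` is also run without a key size, so regenerated fixtures depend on the local OpenSSL default; naming the size in the command would keep them reproducible.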
@@ -0,0 +1,210 @@
+// This is a rather complex test which sets up various TLS servers with node
+// and connects to them using the 'openssl s_client' command line utility
+// with various keys. Depending on the certificate authority and other
+// parameters given to the server, the various clients are
+// - rejected,
+// - accepted and "unauthorized", or
+// - accepted and "authorized".
+
+var testCases =
+ [ { title: "Do not request certs. Everyone is unauthorized.",
+ requestCert: false,
+ rejectUnauthorized: false,
+ CAs: ['ca1-cert'],
+ clients:
+ [ { name: 'agent1', shouldReject: false, shouldAuth: false },
+ { name: 'agent2', shouldReject: false, shouldAuth: false },
+ { name: 'agent3', shouldReject: false, shouldAuth: false },
+ { name: 'agent4', shouldReject: false, shouldAuth: false }
+ ]
+ },
+
+ { title: "Allow both authed and unauthed connections with CA1",
+ requestCert: true,
+ rejectUnauthorized: false,
+ CAs: ['ca1-cert'],
+ clients:
+ [ { name: 'agent1', shouldReject: false, shouldAuth: true },
+ { name: 'agent2', shouldReject: false, shouldAuth: false },
+ { name: 'agent3', shouldReject: false, shouldAuth: false },
+ { name: 'agent4', shouldReject: false, shouldAuth: false }
+ ]
+ },
+
+ { title: "Allow only authed connections with CA1",
+ requestCert: true,
+ rejectUnauthorized: true,
+ CAs: ['ca1-cert'],
+ clients:
+ [ { name: 'agent1', shouldReject: false, shouldAuth: true },
+ { name: 'agent2', shouldReject: true },
+ { name: 'agent3', shouldReject: true },
+ { name: 'agent4', shouldReject: true }
+ ]
+ },
+
+ ];
+
+
+var common = require('../common');
+var assert = require('assert');
+var fs = require('fs');
+var tls = require('tls');
+var spawn = require('child_process').spawn;
+
+
+function filenamePEM(n) {
+ return require('path').join(common.fixturesDir, 'keys', n + ".pem");
+}
+
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n)).toString();
+}
+
+
+var serverKey = loadPEM('agent2-key');
+var serverCert =
loadPEM('agent2-cert');
+
+
+function runClient (options, cb) {
+
+ // Client can connect in three ways:
+ // - Self-signed cert
+ // - Certificate, but not signed by CA.
+ // - Certificate signed by CA.
+
+ var args = ['s_client', '-connect', '127.0.0.1:' + common.PORT];
+
+ switch (options.name) {
+ case 'agent1':
+ // Signed by CA1
+ args.push('-key');
+ args.push(filenamePEM('agent1-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent1-cert'));
+ break;
+
+ case 'agent2':
+ // Self-signed
+ // This is also the key-cert pair that the server will use.
+ args.push('-key');
+ args.push(filenamePEM('agent2-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent2-cert'));
+ break;
+
+ case 'agent3':
+ // Signed by CA2
+ args.push('-key');
+ args.push(filenamePEM('agent3-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent3-cert'));
+ break;
+
+ case 'agent4':
+ // Self-signed
+ break;
+
+ default:
+ throw new Error("Unknown agent name");
+ }
+
+ // To test use: openssl s_client -connect localhost:8000
+ var client = spawn('openssl', args);
+ //console.error(args);
+
+ var out = '';
+
+ var rejected = true;
+ var authed = false;
+
+ client.stdout.setEncoding('utf8');
+ client.stdout.on('data', function(d) {
+ out += d;
+
+ if (/_unauthed/g.test(out)) {
+ console.error(" * unauthed");
+ client.stdin.end('goodbye\n');
+ authed = false;
+ rejected = false;
+ }
+
+ if (/_authed/g.test(out)) {
+ console.error(" * authed");
+ client.stdin.end('goodbye\n');
+ authed = true;
+ rejected = false;
+ }
+ });
+
+ //client.stdout.pipe(process.stdout);
+
+ client.on('exit', function(code) {
+ if (options.shouldReject) {
+ assert.equal(true, rejected);
+ } else {
+ assert.equal(false, rejected);
+ assert.equal(options.shouldAuth, authed);
+ }
+
+ cb();
+ });
+}
+
+
+// Run the tests
+var successfulTests = 0;
+function runTest (testIndex) {
+ var tcase = testCases[testIndex];
+ if (!tcase) return;
+
+ console.error("Running '%s'", tcase.title);
+
+ var cas =
tcase.CAs.map(loadPEM);
+
+ var server = tls.Server({ key: serverKey,
+ cert: serverCert,
+ ca: cas,
+ requestCert: tcase.requestCert,
+ rejectUnauthorized: tcase.rejectUnauthorized });
+
+ var connections = 0;
+
+ server.on('authorized', function(c) {
+ connections++;
+ console.error('- authed connection');
+ c.write('\n_authed\n');
+ });
+
+ server.on('unauthorized', function(c, e) {
+ connections++;
+ console.error('- unauthed connection: %s', e);
+ c.write('\n_unauthed\n');
+ });
+
+ function runNextClient (clientIndex) {
+ var options = tcase.clients[clientIndex];
+ if (options) {
+ runClient(options, function () {
+ runNextClient(clientIndex + 1);
+ });
+ } else {
+ server.close();
+ successfulTests++;
+ runTest(testIndex + 1);
+ }
+ }
+
+ server.listen(common.PORT, function() {
+ runNextClient(0);
+ });
+}
+
+
+runTest(0);
+
+
+process.on('exit', function() {
+ assert.equal(successfulTests, testCases.length);
+});
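Review bot: In `runClient`, `rejected` starts as `true` and is cleared only when an `_authed` or `_unauthed` marker appears, so every `shouldReject: true` client also passes when `openssl` fails to start, cannot connect, or exits early for any other reason. The `connections` counter in `runTest` is incremented but never asserted; checking it before `server.close()` would at least confirm that rejected clients never reached an `'authorized'`/`'unauthorized'` listener, e.g. `assert.equal(connections, tcase.clients.filter(function(c) { return !c.shouldReject; }).length);`. The `agent4` case is commented `// Self-signed` but pushes no `-key`/`-cert`, so it presents no certificate at all; `// No client certificate presented` would describe it, and the "three ways" comment at the top of `runClient` should list that fourth case. The `g` flag on the two marker regexes is not needed for `.test()` and can be dropped.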