
Add broken, but detailed TLS verify test

Plus a bunch of keys.
v0.7.4-release
Ryan Dahl 14 years ago
parent
commit
5b8c62f7d1
  1. 2
      lib/tls.js
  2. 12
      test/fixtures/keys/agent1-cert.pem
  3. 8
      test/fixtures/keys/agent1-csr.pem
  4. 9
      test/fixtures/keys/agent1-key.pem
  5. 10
      test/fixtures/keys/agent2-cert.pem
  6. 8
      test/fixtures/keys/agent2-csr.pem
  7. 9
      test/fixtures/keys/agent2-key.pem
  8. 12
      test/fixtures/keys/agent3-cert.pem
  9. 8
      test/fixtures/keys/agent3-csr.pem
  10. 9
      test/fixtures/keys/agent3-key.pem
  11. 15
      test/fixtures/keys/ca1-cert.pem
  12. 1
      test/fixtures/keys/ca1-cert.srl
  13. 17
      test/fixtures/keys/ca1-key.pem
  14. 15
      test/fixtures/keys/ca2-cert.pem
  15. 1
      test/fixtures/keys/ca2-cert.srl
  16. 17
      test/fixtures/keys/ca2-key.pem
  17. 49
      test/fixtures/keys/cmds.txt
  18. 210
      test/simple/test-tls-server-verify.js

2
lib/tls.js

@ -492,7 +492,7 @@ function Server(/* [options], listener */) {
pair.encrypted.pipe(socket);
socket.pipe(pair.encrypted);
pair.on('secure', function(verifyError) {
pair.on('secure', function() {
if (!self.requestCert) {
self.emit('unauthorized', pair.cleartext);
} else {

12
test/fixtures/keys/agent1-cert.pem

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

8
test/fixtures/keys/agent1-csr.pem

@ -0,0 +1,8 @@
-----BEGIN CERTIFICATE REQUEST-----
MIH/MIGqAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF
AANLADBIAkEA/ScRYtGpke3UTkxg7NXVBWFnwKemey75E50bRRwQTXZNkwkgtWc/
Ei8TFSJX8k9PBlv7zVcchxMbX4UvOqP5HQIDAQABoAAwDQYJKoZIhvcNAQEFBQAD
QQC0NPuOJB+Ustg8uBUKq0btzWii2vNWlmcDR5E9gf/egVRndSNMB+KWZtNiBe0g
Z/0TM0zIty4gBCTBahpkd0yw
-----END CERTIFICATE REQUEST-----

9
test/fixtures/keys/agent1-key.pem

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAP0nEWLRqZHt1E5MYOzV1QVhZ8Cnpnsu+ROdG0UcEE12TZMJILVn
PxIvExUiV/JPTwZb+81XHIcTG1+FLzqj+R0CAwEAAQJAfDTd7+lE1KenAh+xcqJb
2T74Y+sd4NSkOr5bseXaDdai2tBTLg+WFSuNYz6+Ots/22JTcWWMR2J86IfFNiGJ
4QIhAP/44ymsR9QjN0XOfaKI994jlbnGhp4HMN1PFUkhA711AiEA/S4aKosF/NxP
LJeFyFrdJcnclUoe2GByJqpXmkKfEAkCIQC+gfZPpbEv6aXRhoVq2pXf9owQ3/iA
1MlBbQJikve9oQIgBV6q82gLcneBvmJgVgWHVzvWz9vIl7JD+Yn3XbA4C3ECIGjp
eu/FQAYgB5y1DpwWejth/iva2OTg8j65ze524S62
-----END RSA PRIVATE KEY-----

10
test/fixtures/keys/agent2-cert.pem

@ -0,0 +1,10 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

8
test/fixtures/keys/agent2-csr.pem

@ -0,0 +1,8 @@
-----BEGIN CERTIFICATE REQUEST-----
MIH/MIGqAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF
AANLADBIAkEA45dy/CLLQK+jmpAbQIfVkaZ4as33QIG0iAF+N46/7saL7vUvUzXP
aitFsjAGyVXjx7kcA7YE6/eexFHeCyxlMwIDAQABoAAwDQYJKoZIhvcNAQEFBQAD
QQC0HpucL+WqX0AkP5y/644GyTjrq1rxsoWm0708pAdInMjBTNQicjVfFWcoTTQA
zPQBqOuEsNtktcJyYfryhtWW
-----END CERTIFICATE REQUEST-----

9
test/fixtures/keys/agent2-key.pem

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAOOXcvwiy0Cvo5qQG0CH1ZGmeGrN90CBtIgBfjeOv+7Gi+71L1M1
z2orRbIwBslV48e5HAO2BOv3nsRR3gssZTMCAwEAAQJBAMlC7dEgZ8NNTw1o8GCR
foCtyQESINtvmBlJ0LcKypo4WLb2OkI2T/kG8mnoiUM2GyTf8MMGh7V5DeZskh3L
pNkCIQD89pQtqNsDxC/vujdDIlT/0gHhUOZsnIXHZpYv+fzJfQIhAOZS5ZjkNpvb
YcTqpk2HNgu0wFW0nKJ5bnFaTaPjY6hvAiBoDsrPqYlGmFqbw79d126duXbah9vx
y8VgTDv1ymEJRQIhAJuWHhD1AMqyHM53sFWo4+JufIqo0jKTEv8xgEcYgSazAiEA
hWqzWF/qpQ/JT/QaNE6agQWV6MydGAce56EGcpp22mA=
-----END RSA PRIVATE KEY-----

12
test/fixtures/keys/agent3-cert.pem

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

8
test/fixtures/keys/agent3-csr.pem

@ -0,0 +1,8 @@
-----BEGIN CERTIFICATE REQUEST-----
MIH/MIGqAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwXDANBgkqhkiG9w0BAQEF
AANLADBIAkEAzTj6waqtm/4MbNFhC3ZEh7wJIyXRI7lomtkPhSN7+WrA14+sOLfm
WOOpug9zwoE2fRSZmY1B9qaxsjGwUt1H/QIDAQABoAAwDQYJKoZIhvcNAQEFBQAD
QQCsta4frzeUIkZrqt3EEG9cAI1FTGphl/5bA0fYpIlZOanR5V6kKPG6mgXiHDaN
r46fwkE/AKS7mnIz6XGzXfCn
-----END CERTIFICATE REQUEST-----

9
test/fixtures/keys/agent3-key.pem

@ -0,0 +1,9 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAM04+sGqrZv+DGzRYQt2RIe8CSMl0SO5aJrZD4Uje/lqwNePrDi3
5ljjqboPc8KBNn0UmZmNQfamsbIxsFLdR/0CAwEAAQJAT3v9KxtXCG76Ev95bb4N
xuCeTV2tRf/esvLVHwTiVHRBw3ZcU4VsIwarwQy/CkPwGtWT91AN/xAgvLptwwmE
AQIhAOuymRnLkS795CluenO5ybuF53ro3S9wFBY9jYJX46L9AiEA3uZfEeNTUVYR
dJ56zqUxfakguhF/ibHT/lXRgkpVyQECIQCuRk5h/l0JS/2KjP/J1dPN7kKsZMY3
Lz4K+9RITkgo2QIgTABs5iKG5DLenM70vMUizOAAIrGYtRCHYi9M0ooaGgECIQDK
nWMUePU/NHBC2AYyp9KzF8ZEBIcItgppTeNtkdF7mw==
-----END RSA PRIVATE KEY-----

15
test/fixtures/keys/ca1-cert.pem

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAcGgAwIBAgIJAPlzZCsvV/DFMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTAxMjA2MDQxNzA3WhcNMTEwMTA1MDQxNzA3WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQC/HthOlERITtsUA7FJ0l/U4qFNLri6QKLRoHPn8tGRCXDg/jEAh/pwrycIjvA4
V66RatOhdxC7bGDC2FOjoofMNHTsdXoCoC9f9pNoU5BlLoal12V5gfL+AklJNJny
lL15FnmiQdUThLGDhRM918bWQdJTRJ+dkyVlUink/5wlxQIDAQABo1AwTjAdBgNV
HQ4EFgQU5LAV1SB/xh57MHsWgEwl8MpiDhYwHwYDVR0jBBgwFoAU5LAV1SB/xh57
MHsWgEwl8MpiDhYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAqgne5
uBwDiQaCuWkBHDw5WGtcvzqc0HIoQ+qopwfTxGNaLv0dZ7N3wGsGIqSh0OCMYgxA
0Ku7hdL9faEHrq8f2T6yUUMMDcMLOJgFDESl/hip8jRdCZy45CWAJNpQ8PfshSkR
b/oae/TW79lT9Y5uzcV4YRwPFNU6RREuxq++hA==
-----END CERTIFICATE-----

1
test/fixtures/keys/ca1-cert.srl

@ -0,0 +1 @@
AFC249645A630F6F

17
test/fixtures/keys/ca1-key.pem

@ -0,0 +1,17 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----

15
test/fixtures/keys/ca2-cert.pem

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

1
test/fixtures/keys/ca2-cert.srl

@ -0,0 +1 @@
D75C20DD84E71235

17
test/fixtures/keys/ca2-key.pem

@ -0,0 +1,17 @@
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIH5Qu64G4EEACAggA
MBQGCCqGSIb3DQMHBAjiP/COBBl6LwSCAoDJ7fSWqLoz0Xv4ASmipwDghszUQDEu
sJyeehMxRNPNqarbvXPR/6GJtfoOyhcaWiCuRvsISL61B4mw90bbgcksscaXqXGU
KsR5H10ut3hfFfDxvy2NYPGiowg2Kvfoe+4ENDqYb1ilWs9YaJ0rFcohweHfUNcV
W5A3WRfZ1zRyfEYlBbCpq45eMkxWCJ2X2YgqaK9itynqYbuBVXgqK+qP6rTSxvDC
GZ+POdiT0GHcPQ2Z79NIEQI7kyzcQkJ0IzWqgIRNyrmIzBP0Et/zH/Z+Y6/5q+vX
2fl0ox4IkDiTWVER8lN8E0u5w1pCBD0NFtwqTXC3HMqnYKJDRAaqK0Fad5qVCwZq
bKjXT7xWB2QqrZ4T3Nf/cLnd/fb1sRE6oYfLG706lY7dYh1RpIITZLavmceMSDfG
emwaSS4RoTJOpuOufUCrrFHW2EB+BgCADBgS4uD5PsrOvRLUj0CekTkJOJV0RFpY
K12Pp5wk3y+69IsD2jlUO50Bx2hZz10snvBCbJhLIDf9VSy9pPunOXqsr+i3MY8v
WdusJYnRxXN6ZbAb4d/Zi3mE3kcTG3YUwAIJiELAhWkZqRpK/O9SMXRb4+EMZ1nT
LSicMzLfhRdY/IqrV5PGvcmyJUffAD2PF4dXX4cEqyODFBet7/6zIEIhivuEATad
qNwE32FJxKpULPsLXgzSeIaZn71KrKiHaBIjRdGmfH7txBHIEwIW+fX2LzreZBqP
LuYPFpTEvDCdJ7mcRLSrSCixyZRAQVqJEXcP2OpTb0lfqPlpE+AoMdpeUEdj9Jci
ndyjWhrC/2emjHoHb1wrVVv4KdGcyz+uHdgFwXjtKugAYGA1Pb5Hq640
-----END ENCRYPTED PRIVATE KEY-----

49
test/fixtures/keys/cmds.txt

@ -0,0 +1,49 @@
# Create Certificate Authority: ca1
#
# ('password' is used for the CA password.)
openssl req -new -x509 -extensions v3_ca -keyout ca1-key.pem -out ca1-cert.pem
# Create Certificate Authority: ca2
#
# ('password' is used for the CA password.)
openssl req -new -x509 -extensions v3_ca -keyout ca2-key.pem -out ca2-cert.pem
#
# agent1 is signed by ca1.
#
# Generate new private key
openssl genrsa -out agent1-key.pem
# Create a Certificate Signing Request for the key
openssl req -new -key agent1-key.pem -out agent1-csr.pem
# Create a Certificate for the agent.
openssl x509 -req -in agent1-csr.pem -CA ca1-cert.pem -CAkey ca1-key.pem -CAcreateserial -out agent1-cert.pem
#
# agent2 has a self signed cert
#
# Generate new private key
openssl genrsa -out agent2-key.pem
# Create a Certificate Signing Request for the key
openssl req -new -key agent2-key.pem -out agent2-csr.pem
# Create a Certificate for the agent.
openssl x509 -req -in agent2-csr.pem -signkey agent2-key.pem -out agent2-cert.pem
#
# agent3 is signed by ca2.
#
# Generate new private key
openssl genrsa -out agent3-key.pem
# Create a Certificate Signing Request for the key
openssl req -new -key agent3-key.pem -out agent3-csr.pem
# Create a Certificate for the agent.
openssl x509 -req -in agent3-csr.pem -CA ca2-cert.pem -CAkey ca2-key.pem -CAcreateserial -out agent3-cert.pem
#### TODO: agent on CRL
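Review bot: None of the certificate-issuing commands here pass `-days` — neither the two `openssl req -new -x509` CA commands nor the three `openssl x509 -req` agent commands — so every certificate gets OpenSSL's default 30-day validity; the validity field in ca1-cert.pem appears to decode to 2010-12-06 through 2011-01-05, which is consistent with that. Once that window closes, the CA-signed clients (agent1, agent3) will fail verification for expiry rather than for the reason each test case is about, and the expectations in test-tls-server-verify.js will silently stop meaning what they say. Append `-days 9999` (or another long value) to those five commands, regenerate the fixtures, and note the requirement in the header comment so the next regeneration keeps it.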

210
test/simple/test-tls-server-verify.js

@ -0,0 +1,210 @@
// This is a rather complex test which sets up various TLS servers with node
// and connects to them using the 'openssl s_client' command line utility
// with various keys. Depending on the certificate authority and other
// parameters given to the server, the various clients are
// - rejected,
// - accepted and "unauthorized", or
// - accepted and "authorized".
var testCases =
[ { title: "Do not request certs. Everyone is unauthorized.",
requestCert: false,
rejectUnauthorized: false,
CAs: ['ca1-cert'],
clients:
[ { name: 'agent1', shouldReject: false, shouldAuth: false },
{ name: 'agent2', shouldReject: false, shouldAuth: false },
{ name: 'agent3', shouldReject: false, shouldAuth: false },
{ name: 'agent4', shouldReject: false, shouldAuth: false }
]
},
{ title: "Allow both authed and unauthed connections with CA1",
requestCert: true,
rejectUnauthorized: false,
CAs: ['ca1-cert'],
clients:
[ { name: 'agent1', shouldReject: false, shouldAuth: true },
{ name: 'agent2', shouldReject: false, shouldAuth: false },
{ name: 'agent3', shouldReject: false, shouldAuth: false },
{ name: 'agent4', shouldReject: false, shouldAuth: false }
]
},
{ title: "Allow only authed connections with CA1",
requestCert: true,
rejectUnauthorized: true,
CAs: ['ca1-cert'],
clients:
[ { name: 'agent1', shouldReject: false, shouldAuth: true },
{ name: 'agent2', shouldReject: true },
{ name: 'agent3', shouldReject: true },
{ name: 'agent4', shouldReject: true }
]
},
];
var common = require('../common');
var assert = require('assert');
var fs = require('fs');
var tls = require('tls');
var spawn = require('child_process').spawn;
function filenamePEM(n) {
return require('path').join(common.fixturesDir, 'keys', n + ".pem");
}
function loadPEM(n) {
return fs.readFileSync(filenamePEM(n)).toString();
}
var serverKey = loadPEM('agent2-key');
var serverCert = loadPEM('agent2-cert');
function runClient (options, cb) {
// Client can connect in three ways:
// - Self-signed cert
// - Certificate, but not signed by CA.
// - Certificate signed by CA.
var args = ['s_client', '-connect', '127.0.0.1:' + common.PORT];
switch (options.name) {
case 'agent1':
// Signed by CA1
args.push('-key');
args.push(filenamePEM('agent1-key'));
args.push('-cert');
args.push(filenamePEM('agent1-cert'));
break;
case 'agent2':
// Self-signed
// This is also the key-cert pair that the server will use.
args.push('-key');
args.push(filenamePEM('agent2-key'));
args.push('-cert');
args.push(filenamePEM('agent2-cert'));
break;
case 'agent3':
// Signed by CA2
args.push('-key');
args.push(filenamePEM('agent3-key'));
args.push('-cert');
args.push(filenamePEM('agent3-cert'));
break;
case 'agent4':
// Self-signed
break;
default:
throw new Error("Unknown agent name");
}
// To test use: openssl s_client -connect localhost:8000
var client = spawn('openssl', args);
//console.error(args);
var out = '';
var rejected = true;
var authed = false;
client.stdout.setEncoding('utf8');
client.stdout.on('data', function(d) {
out += d;
if (/_unauthed/g.test(out)) {
console.error(" * unauthed");
client.stdin.end('goodbye\n');
authed = false;
rejected = false;
}
if (/_authed/g.test(out)) {
console.error(" * authed");
client.stdin.end('goodbye\n');
authed = true;
rejected = false;
}
});
//client.stdout.pipe(process.stdout);
client.on('exit', function(code) {
if (options.shouldReject) {
assert.equal(true, rejected);
} else {
assert.equal(false, rejected);
assert.equal(options.shouldAuth, authed);
}
cb();
});
}
// Run the tests
var successfulTests = 0;
function runTest (testIndex) {
var tcase = testCases[testIndex];
if (!tcase) return;
console.error("Running '%s'", tcase.title);
var cas = tcase.CAs.map(loadPEM);
var server = tls.Server({ key: serverKey,
cert: serverCert,
ca: cas,
requestCert: tcase.requestCert,
rejectUnauthorized: tcase.rejectUnauthorized });
var connections = 0;
server.on('authorized', function(c) {
connections++;
console.error('- authed connection');
c.write('\n_authed\n');
});
server.on('unauthorized', function(c, e) {
connections++;
console.error('- unauthed connection: %s', e);
c.write('\n_unauthed\n');
});
function runNextClient (clientIndex) {
var options = tcase.clients[clientIndex];
if (options) {
runClient(options, function () {
runNextClient(clientIndex + 1);
});
} else {
server.close();
successfulTests++;
runTest(testIndex + 1);
}
}
server.listen(common.PORT, function() {
runNextClient(0);
});
}
runTest(0);
process.on('exit', function() {
assert.equal(successfulTests, testCases.length);
});
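Review bot: `rejected` in runClient is only cleared when a marker string arrives on stdout, so a client whose handshake actually succeeds but exits before the server's `_authed`/`_unauthed` write lands (or a `spawn` that cannot find `openssl` at all) is still counted as rejected, and the `shouldReject: true` branch of the 'exit' handler then passes with no evidence of a TLS rejection. Consider requiring a positive signal for the reject case instead — collect stderr alongside stdout and assert on it, or on a non-zero `code` (`assert.notEqual(0, code)`), though s_client's exit status for a failed handshake should be confirmed before relying on it. Separately, the `// Self-signed` comment on the `agent4` case is wrong: that branch pushes no `-key`/`-cert` arguments, so it should read `// No client certificate`. The 'unauthorized' handler logs `e`, but as far as the lib/tls.js hunk in this commit shows the event is emitted with only `pair.cleartext`, so `e` will be undefined here.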