diff --git a/test/internet/test-tls-add-ca-cert.js b/test/internet/test-tls-add-ca-cert.js new file mode 100644 index 0000000000..d4e8530285 --- /dev/null +++ b/test/internet/test-tls-add-ca-cert.js @@ -0,0 +1,55 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) { + common.skip('missing crypto'); + return; +} + +// Test interaction of compiled-in CAs with user-provided CAs. + +const assert = require('assert'); +const fs = require('fs'); +const tls = require('tls'); + +function filenamePEM(n) { + return require('path').join(common.fixturesDir, 'keys', n + '.pem'); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const caCert = loadPEM('ca1-cert'); + +var opts = { + host: 'www.nodejs.org', + port: 443, + rejectUnauthorized: true +}; + +// Success relies on the compiled in well-known root CAs +tls.connect(opts, common.mustCall(end)); + +// The .ca option replaces the well-known roots, so connection fails. +opts.ca = caCert; +tls.connect(opts, fail).on('error', common.mustCall((err) => { + assert.strictEqual(err.message, 'unable to get local issuer certificate'); +})); + +function fail() { + assert(false, 'should fail to connect'); +} + +// New secure contexts have the well-known root CAs. +opts.secureContext = tls.createSecureContext(); +tls.connect(opts, common.mustCall(end)); + +// Explicit calls to addCACert() add to the default well-known roots, instead +// of replacing, so connection still succeeds. +opts.secureContext.context.addCACert(caCert); +tls.connect(opts, common.mustCall(end)); + +function end() { + this.end(); +}