From f53d092a2a981bebc0cf07d00709dd1433453d7d Mon Sep 17 00:00:00 2001 From: koichik Date: Thu, 27 Oct 2011 02:34:56 +0900 Subject: [PATCH] tls, https: add passphrase option Fixes #1925. --- doc/api/https.markdown | 1 + doc/api/tls.markdown | 6 ++- lib/crypto.js | 8 +++- lib/tls.js | 2 + src/node_crypto.cc | 11 ++++- test/fixtures/pass-cert.pem | 12 +++++ test/fixtures/pass-csr.pem | 10 +++++ test/fixtures/pass-key.pem | 18 ++++++++ test/simple/test-tls-passphrase.js | 71 ++++++++++++++++++++++++++++++ 9 files changed, 135 insertions(+), 4 deletions(-) create mode 100644 test/fixtures/pass-cert.pem create mode 100644 test/fixtures/pass-csr.pem create mode 100644 test/fixtures/pass-key.pem create mode 100644 test/simple/test-tls-passphrase.js diff --git a/doc/api/https.markdown b/doc/api/https.markdown index 0aa6b19fc1..475a2895a1 100644 --- a/doc/api/https.markdown +++ b/doc/api/https.markdown @@ -90,6 +90,7 @@ The following options from [tls.connect()](tls.html#tls.connect) can also be specified. However, a [globalAgent](#https.globalAgent) silently ignores these. - `key`: Private key to use for SSL. Default `null`. +- `passphrase`: A string of passphrase for the private key. Default `null`. - `cert`: Public x509 certificate to use. Default `null`. - `ca`: An authority certificate or array of authority certificates to check the remote host against. diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 05a43200f6..06c2ea4f81 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -37,6 +37,8 @@ The `options` object has these possibilities: - `key`: A string or `Buffer` containing the private key of the server in PEM format. (Required) + - `passphrase`: A string of passphrase for the private key. + - `cert`: A string or `Buffer` containing the certificate key of the server in PEM format. (Required) 
@@ -106,7 +108,9 @@ Creates a new client connection to the given `port` and `host`. (If `host` defaults to `localhost`.) `options` should be an object which specifies - `key`: A string or `Buffer` containing the private key of the client in - PEM format. (Required) + PEM format. + + - `passphrase`: A string of passphrase for the private key. - `cert`: A string or `Buffer` containing the certificate key of the client in PEM format.
diff --git a/lib/crypto.js b/lib/crypto.js
index 85bbbcd65c..6244f2c8d4 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -76,7 +76,13 @@ exports.createCredentials = function(options, context) {
 if (context) return c;
- if (options.key) c.context.setKey(options.key);
+ if (options.key) {
+ if (options.passphrase) {
+ c.context.setKey(options.key, options.passphrase);
+ } else {
+ c.context.setKey(options.key);
+ }
+ }
 if (options.cert) c.context.setCert(options.cert);
diff --git a/lib/tls.js b/lib/tls.js
index 35da95bc43..21bb2af072 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -846,6 +846,7 @@ function Server(/* [options], listener */) {
 var sharedCreds = crypto.createCredentials({
 key: self.key,
+ passphrase: self.passphrase,
 cert: self.cert,
 ca: self.ca,
 ciphers: self.ciphers,
@@ -928,6 +929,7 @@ Server.prototype.setOptions = function(options) {
 }
 if (options.key) this.key = options.key;
+ if (options.passphrase) this.passphrase = options.passphrase;
 if (options.cert) this.cert = options.cert;
 if (options.ca) this.ca = options.ca;
 if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index b935aa7f0c..5edc6beada 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
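Review bot: The nested `if` in createCredentials exists only because SecureContext::SetKey rejects a second argument that is not a string, so `c.context.setKey(options.key, options.passphrase)` with `passphrase` undefined would throw; a one-line comment would stop the next reader from flattening it: `// setKey() only accepts a string passphrase; omit the argument rather than pass undefined`. For the same reason a `Buffer` or number given as `passphrase` surfaces as the native "Bad parameter" TypeError, which does not name the offending option; checking `typeof options.passphrase === 'string'` here and throwing a TypeError that mentions `passphrase` would make that failure self-explanatory. createCredentials continues outside the hunk.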
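Review bot: setOptions (second hunk, at 928) keeps the passphrase on the Server object for its whole lifetime, while the only visible consumer is the single `crypto.createCredentials` call in the constructor (first hunk, at 846); the encrypted key and the secret that decrypts it then sit side by side on `server` for anything that inspects, logs or dumps the object. If no later code path (per-hostname contexts, for instance, which are not visible here) re-reads `self.passphrase`, dropping it once `sharedCreds` exists would narrow that exposure; otherwise a comment should record why it is retained, e.g. `// NOTE: kept alongside self.key; confirm nothing needs it after sharedCreds is built`. Both Server and setOptions continue outside the hunks.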
@@ -223,14 +223,21 @@ Handle SecureContext::SetKey(const Arguments& args) {
 SecureContext *sc = ObjectWrap::Unwrap(args.Holder());
- if (args.Length() != 1) {
+ unsigned int len = args.Length();
+ if (len != 1 && len != 2) {
+ return ThrowException(Exception::TypeError(String::New("Bad parameter")));
+ }
+ if (len == 2 && !args[1]->IsString()) {
 return ThrowException(Exception::TypeError(String::New("Bad parameter")));
 }
 BIO *bio = LoadBIO(args[0]);
 if (!bio) return False();
- EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+ String::Utf8Value passphrase(args[1]->ToString());
+
+ EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+ len == 1 ? NULL : *passphrase);
 if (!key) {
 BIO_free(bio);
diff --git a/test/fixtures/pass-cert.pem b/test/fixtures/pass-cert.pem
new file mode 100644
index 0000000000..b836669d3b
--- /dev/null
+++ b/test/fixtures/pass-cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAUICCQClVOBBLf4XmjANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xEjAQBgNVBAoUCW5vZGVqc19qcDAeFw0xMTEwMjYx
+NjA5MjdaFw0xMTExMjUxNjA5MjdaMDExCzAJBgNVBAYTAkpQMQ4wDAYDVQQIEwVU
+b2t5bzESMBAGA1UEChQJbm9kZWpzX2pwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQChmQeFwsaomtQbw9Nm55Dn6KSR9bkY8PDroQUeTNa90BlIbhGsKYm4l7bE
+RaasFgOrkcQpk45fdDVYPjKxraZiGXXKjSIDYeDAIC/+CkwQKrejgCPmJs4gV4g+
+npvwi1gVr2NAg7fkJOyEW2TDp4dsAD8qtG8Aml0C1hJXwFYmBwIDAQABMA0GCSqG
+SIb3DQEBBQUAA4GBABVM2a2srG/MVGQsjYkY96hywSI6jNf2XNHYsB3PuTXOHijT
+PoO6r0u69LgZCxr+Z/3GQ/ZELfKDsbv5IgfoyVnYikybJU9qfApH3B7hxECvw9rv
+gEnYvEu6jsRtw6n5yz+lrDpFUrks0ky6YJ4+dxq0qCyXn7WcjBEcjdNgLTIm
+-----END CERTIFICATE-----
diff --git a/test/fixtures/pass-csr.pem b/test/fixtures/pass-csr.pem
new file mode 100644
index 0000000000..8436f51054
--- /dev/null
+++ b/test/fixtures/pass-csr.pem
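Review bot: With a single argument the new call still hands a NULL callback and NULL userdata to PEM_read_bio_PrivateKey, and for an encrypted key OpenSSL then falls back to its default password callback which, as far as I recall, prompts on the controlling terminal — so loading an encrypted key without `passphrase` can block the process instead of throwing. A small non-interactive callback that fails when no passphrase was supplied makes that case deterministic; the rewritten lines are below. Two smaller points: `String::Utf8Value passphrase(args[1]->ToString())` runs even when `len == 1`, converting `undefined` to the string "undefined" (unused, so harmless, but a guard or a comment should say so), and the two identical `"Bad parameter"` messages could state which check failed. SetKey continues outside the hunk.
```cpp
// Password callback for PEM_read_bio_PrivateKey: copies the passphrase passed
// through `u`, and fails when none was supplied so OpenSSL never falls back to
// its interactive terminal prompt.
static int PassphraseCallback(char* buf, int size, int rwflag, void* u) {
  if (u == NULL) return 0;  // <= 0 makes PEM_do_header report a bad password
  const char* passphrase = static_cast<const char*>(u);
  size_t len = strlen(passphrase);
  if (len > static_cast<size_t>(size)) return 0;  // refuse rather than truncate
  memcpy(buf, passphrase, len);
  return static_cast<int>(len);
}

// … unchanged: argument count/type checks, LoadBIO(args[0]) …

  String::Utf8Value passphrase(args[1]->ToString());

  EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, PassphraseCallback,
                                          len == 1 ? NULL : *passphrase);
```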
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBcDCB2gIBADAxMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEjAQBgNV
+BAoUCW5vZGVqc19qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoZkHhcLG
+qJrUG8PTZueQ5+ikkfW5GPDw66EFHkzWvdAZSG4RrCmJuJe2xEWmrBYDq5HEKZOO
+X3Q1WD4ysa2mYhl1yo0iA2HgwCAv/gpMECq3o4Aj5ibOIFeIPp6b8ItYFa9jQIO3
+5CTshFtkw6eHbAA/KrRvAJpdAtYSV8BWJgcCAwEAAaAAMA0GCSqGSIb3DQEBBQUA
+A4GBAC9g7s3rG6G7JSTUOizY1u9Ij6QM9Y6PqQthr4OJHa+Hln5FJQahpgJmA4kC
+WYoWvBMBgFPFBCYAj0yMPohrlAwlbd9MADe4gg3lxuO9UxXDzp/lOVRBAEa4n5i+
+Lw7VEiJtPha4NXgeNzxi5OyBJwxAOPFwsyCdR0SynlifTFHI
+-----END CERTIFICATE REQUEST-----
diff --git a/test/fixtures/pass-key.pem b/test/fixtures/pass-key.pem
new file mode 100644
index 0000000000..9a0c5f158d
--- /dev/null
+++ b/test/fixtures/pass-key.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,CE30CF10CDD3C074
+
+A9Vjoxw1Z6pfyxMHXxDi88JVcLN0uWJAjo97nsdzV1cYmEk4bQUe6XVu8UGCzbYX
+1RVeglOwyKfp631l5j5KHNfzA4lEU46uqAkRZbkzaHg6sVK7nuSBamiDqkO+BSEU
+kDCDqImcx+wUXjlFsYc2UO3DJen8QVEVYQthpxqS7UGh6SCGKyb8FzHu+nzOtRrZ
+y2Y9r8vyllH5+qxyGymkJJgPGYd9a/q3uTjxjBsb252SC6JEMt/njXdtlt3zUCQl
+8aEok8xXIyDFsrhkQ1chXYt/neWdgVh+R9HulVvSLKkACSfX19F2ooIIWhoml4C1
+VE9iX7wytbD7LxLK4kWQL0sRi0MQPwBEag6m9K6skcsN8qIRJwJZeevc3xw+08uI
+IqUL4Ouy+eNMYQIxxgKBcgVWV51X1HWCcwjBkDp9x/qU+URKBmGcpTKEiOrKGG/I
+8JN3IreJU5EhtGqE15J4ep/hS4CwJ9+CFysRs0vFCw24GS+O2CXWT9rgza4VX1we
+dUVnGGodJcXgAf0sNECm8zYk2fjy1SICm+fknsN466d2pmCO43/WpBhZyjbLEHsJ
+a5pUVQroZdU2W70eGh2yIGVrMmgVbYPitTBafruW8w03oarG4XWA4caEmJMEVC68
+WZxuQ1Wg1J+fNl+Klq3b+4yImmoFrelh2gBANwYKnE9Z+JLtfv01et9DNOXR2DQM
+6pPzrL0JUHetqko4mJTVNvW8h/Jv+0UVwmxmwm6mR4IBcKwQyY5V5VqeFfnXlvM1
+xpg33AEKNquAPC8G4pIHwG4aBo9fLp+I3cxPuY6dnR6i2tyQ5ONvvw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/simple/test-tls-passphrase.js b/test/simple/test-tls-passphrase.js
new file mode 100644
index 0000000000..7dbb1d711f
--- /dev/null
+++ b/test/simple/test-tls-passphrase.js
@@ -0,0 +1,71 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+if (!process.versions.openssl) {
+ console.error('Skipping because node compiled without OpenSSL.');
+ process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+var fs = require('fs');
+var path = require('path');
+
+var key = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem'));
+var cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem'));
+
+var server = tls.Server({
+ key: key,
+ passphrase: 'passphrase',
+ cert: cert,
+ ca: [ cert ],
+ requestCert: true,
+ rejectUnauthorized: true
+}, function(s) {
+ s.end();
+});
+
+var connectCount = 0;
+server.listen(common.PORT, function() {
+ var c = tls.connect(common.PORT, {
+ key: key,
+ passphrase: 'passphrase',
+ cert: cert
+ }, function() {
+ ++connectCount;
+ });
+ c.on('end', function() {
+ server.close();
+ });
+});
+
+assert.throws(function() {
+ tls.connect(common.PORT, {
+ key: key,
+ passphrase: 'invalid',
+ cert: cert
+ });
+});
+
+process.on('exit', function() {
+ assert.equal(connectCount, 1);
+});
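Review bot: The `assert.throws` around the 'invalid' passphrase is given no expected-error argument, so any exception satisfies it — a TypeError from a malformed `tls.connect` call included — and the test would keep passing if the decrypt failure were replaced by an unrelated error. Passing a matcher for the error SetKey raises, e.g. `}, /EXPECTED_DECRYPT_ERROR_MESSAGE/);` (placeholder: the exact text is not visible in this diff), pins the behaviour under test. The successful client `c` also has no `'error'` listener, so a handshake failure would surface as an uncaught exception rather than a clear assertion, and there is no case for an encrypted key supplied without any `passphrase`, which is the path most likely to misbehave.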