// This is a rather complex test which sets up various TLS servers with node // and connects to them using the 'openssl s_client' command line utility // with various keys. Depending on the certificate authority and other // parameters given to the server, the various clients are // - rejected, // - accepted and "unauthorized", or // - accepted and "authorized". var testCases = [ { title: "Do not request certs. Everyone is unauthorized.", requestCert: false, rejectUnauthorized: false, CAs: ['ca1-cert'], clients: [ { name: 'agent1', shouldReject: false, shouldAuth: false }, { name: 'agent2', shouldReject: false, shouldAuth: false }, { name: 'agent3', shouldReject: false, shouldAuth: false }, { name: 'nocert', shouldReject: false, shouldAuth: false } ] }, { title: "Allow both authed and unauthed connections with CA1", requestCert: true, rejectUnauthorized: false, CAs: ['ca1-cert'], clients: [ { name: 'agent1', shouldReject: false, shouldAuth: true }, { name: 'agent2', shouldReject: false, shouldAuth: false }, { name: 'agent3', shouldReject: false, shouldAuth: false }, { name: 'nocert', shouldReject: false, shouldAuth: false } ] }, { title: "Allow only authed connections with CA1", requestCert: true, rejectUnauthorized: true, CAs: ['ca1-cert'], clients: [ { name: 'agent1', shouldReject: false, shouldAuth: true }, { name: 'agent2', shouldReject: true }, { name: 'agent3', shouldReject: true }, { name: 'nocert', shouldReject: true } ] }, { title: "Allow only authed connections with CA1 and CA2", requestCert: true, rejectUnauthorized: true, CAs: ['ca1-cert', 'ca2-cert'], clients: [ { name: 'agent1', shouldReject: false, shouldAuth: true }, { name: 'agent2', shouldReject: true }, { name: 'agent3', shouldReject: false, shouldAuth: true }, { name: 'nocert', shouldReject: true } ] }, ]; var common = require('../common'); var assert = require('assert'); var fs = require('fs'); var tls = require('tls'); var spawn = require('child_process').spawn; function filenamePEM(n) { return require('path').join(common.fixturesDir, 'keys', n + ".pem"); } function loadPEM(n) { return fs.readFileSync(filenamePEM(n)); } var serverKey = loadPEM('agent2-key'); var serverCert = loadPEM('agent2-cert'); function runClient (options, cb) { // Client can connect in three ways: // - Self-signed cert // - Certificate, but not signed by CA. // - Certificate signed by CA. var args = ['s_client', '-connect', '127.0.0.1:' + common.PORT]; switch (options.name) { case 'agent1': // Signed by CA1 args.push('-key'); args.push(filenamePEM('agent1-key')); args.push('-cert'); args.push(filenamePEM('agent1-cert')); break; case 'agent2': // Self-signed // This is also the key-cert pair that the server will use. args.push('-key'); args.push(filenamePEM('agent2-key')); args.push('-cert'); args.push(filenamePEM('agent2-cert')); break; case 'agent3': // Signed by CA2 args.push('-key'); args.push(filenamePEM('agent3-key')); args.push('-cert'); args.push(filenamePEM('agent3-cert')); break; case 'nocert': // Do not send certificate break; default: throw new Error("Unknown agent name"); } // To test use: openssl s_client -connect localhost:8000 var client = spawn('openssl', args); var out = ''; var rejected = true; var authed = false; client.stdout.setEncoding('utf8'); client.stdout.on('data', function(d) { out += d; if (/_unauthed/g.test(out)) { console.error(" * unauthed"); client.stdin.end('goodbye\n'); authed = false; rejected = false; } if (/_authed/g.test(out)) { console.error(" * authed"); client.stdin.end('goodbye\n'); authed = true; rejected = false; } }); //client.stdout.pipe(process.stdout); client.on('exit', function(code) { //assert.equal(0, code, options.name + // ": s_client exited with error code " + code); if (options.shouldReject) { assert.equal(true, rejected, options.name + " NOT rejected, but should have been"); } else { assert.equal(false, rejected, options.name + " rejected, but should NOT have been"); assert.equal(options.shouldAuth, authed); } cb(); }); } // Run the tests var successfulTests = 0; function runTest (testIndex) { var tcase = testCases[testIndex]; if (!tcase) return; console.error("Running '%s'", tcase.title); var cas = tcase.CAs.map(loadPEM); var serverOptions = { key: serverKey, cert: serverCert, ca: cas, requestCert: tcase.requestCert, rejectUnauthorized: tcase.rejectUnauthorized }; var connections = 0; var server = tls.Server(serverOptions, function (c) { connections++; if (c.authorized) { console.error('- authed connection: ' + c.getPeerCertificate().subject.CN); c.write('\n_authed\n'); } else { console.error('- unauthed connection: %s', c.authorizationError); c.write('\n_unauthed\n'); } }); function runNextClient (clientIndex) { var options = tcase.clients[clientIndex]; if (options) { runClient(options, function () { runNextClient(clientIndex + 1); }); } else { server.close(); successfulTests++; runTest(testIndex + 1); } } server.listen(common.PORT, function() { if (tcase.debug) { console.error("TLS server running on port " + common.PORT); } else { runNextClient(0); } }); } runTest(0); process.on('exit', function() { assert.equal(successfulTests, testCases.length); });