nodejs/test/parallel/test-tls-pfx-authorizationerror.js

'use strict';
const common = require('../common');
if (!common.hasCrypto)
  common.skip('node compiled without crypto.');
const fixtures = require('../common/fixtures');

// This test ensures that TLS does not fail to read a self-signed certificate
// and thus throw an `authorizationError`.
// https://github.com/nodejs/node/issues/5100

const assert = require('assert');
const tls = require('tls');

const pfx = fixtures.readKey('agent1.pfx');

const server = tls
  .createServer(
    {
      pfx: pfx,
      passphrase: 'sample',
      requestCert: true,
      rejectUnauthorized: false
    },
    common.mustCall(function(c) {
      assert.strictEqual(c.getPeerCertificate().serialNumber,
                         '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
      assert.strictEqual(c.authorizationError, null);
      c.end();
    })
  )
  .listen(0, function() {
    const client = tls.connect(
      {
        port: this.address().port,
        pfx: pfx,
        passphrase: 'sample',
        rejectUnauthorized: false
      },
      function() {
        for (let i = 0; i < 10; ++i) {
          // Calling this repeatedly is a regression test that verifies
          // that .getCertificate() does not accidentally decrease the
          // reference count of the X509* certificate on the native side.
          assert.strictEqual(client.getCertificate().serialNumber,
                             '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
        }
        client.end();
        server.close();
      }
    );
  });
test: rename regression tests file names Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: https://github.com/nodejs/node/pull/19332 Fixes: https://github.com/nodejs/node/issues/19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com> 2018-03-14 03:13:29 +05:30			`'use strict';`
			`const common = require('../common');`
			`if (!common.hasCrypto)`
			`common.skip('node compiled without crypto.');`
			`const fixtures = require('../common/fixtures');`

			`// This test ensures that TLS does not fail to read a self-signed certificate`
			// and thus throw an `authorizationError`.
			`// https://github.com/nodejs/node/issues/5100`

			`const assert = require('assert');`
			`const tls = require('tls');`

test: rename agent1-pfx.pem to agent1.pfx PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does. PR-URL: https://github.com/nodejs/node/pull/24374 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> 2016-12-22 11:04:59 -08:00			`const pfx = fixtures.readKey('agent1.pfx');`
test: rename regression tests file names Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: https://github.com/nodejs/node/pull/19332 Fixes: https://github.com/nodejs/node/issues/19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com> 2018-03-14 03:13:29 +05:30
			`const server = tls`
			`.createServer(`
			`{`
			`pfx: pfx,`
			`passphrase: 'sample',`
			`requestCert: true,`
			`rejectUnauthorized: false`
			`},`
			`common.mustCall(function(c) {`
tls: get the local certificate after tls handshake Add an API to get the local certificate chosen during TLS handshake from the SSL context. Fix: https://github.com/nodejs/node/issues/24095 PR-URL: https://github.com/nodejs/node/pull/24261 Fixes: https://github.com/nodejs/node/issues/24095 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> 2018-11-08 13:40:46 -08:00			`assert.strictEqual(c.getPeerCertificate().serialNumber,`
test: upgrade all 1024 bit RSA keys to 2048 bits Ubuntu 22.04 Jammy rejects 1024 bit RSA Keys PR-URL: https://github.com/nodejs/node/pull/44498 Refs: https://github.com/nodejs/node/issues/44497 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> 2022-09-03 14:46:47 +00:00			`'147D36C1C2F74206DE9FAB5F2226D78ADB00A426');`
test: rename regression tests file names Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: https://github.com/nodejs/node/pull/19332 Fixes: https://github.com/nodejs/node/issues/19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com> 2018-03-14 03:13:29 +05:30			`assert.strictEqual(c.authorizationError, null);`
			`c.end();`
			`})`
			`)`
			`.listen(0, function() {`
			`const client = tls.connect(`
			`{`
			`port: this.address().port,`
			`pfx: pfx,`
			`passphrase: 'sample',`
			`rejectUnauthorized: false`
			`},`
			`function() {`
tls: do not free cert in `.getCertificate()` The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: https://github.com/nodejs/node/pull/24261 Fixes: https://github.com/nodejs-private/security/issues/217 PR-URL: https://github.com/nodejs/node/pull/25490 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2019-01-14 12:08:55 +01:00			`for (let i = 0; i < 10; ++i) {`
			`// Calling this repeatedly is a regression test that verifies`
			`// that .getCertificate() does not accidentally decrease the`
			`// reference count of the X509* certificate on the native side.`
			`assert.strictEqual(client.getCertificate().serialNumber,`
test: upgrade all 1024 bit RSA keys to 2048 bits Ubuntu 22.04 Jammy rejects 1024 bit RSA Keys PR-URL: https://github.com/nodejs/node/pull/44498 Refs: https://github.com/nodejs/node/issues/44497 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> 2022-09-03 14:46:47 +00:00			`'147D36C1C2F74206DE9FAB5F2226D78ADB00A426');`
tls: do not free cert in `.getCertificate()` The documentation of `SSL_get_certificate` states that it returns an internal pointer that must not be freed by the caller. Therefore, using a smart pointer to take ownership is incorrect. Refs: https://man.openbsd.org/SSL_get_certificate.3 Refs: https://github.com/nodejs/node/pull/24261 Fixes: https://github.com/nodejs-private/security/issues/217 PR-URL: https://github.com/nodejs/node/pull/25490 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2019-01-14 12:08:55 +01:00			`}`
test: rename regression tests file names Rename the tests appropriately alongside mentioning the subsystem. Also, make a few basic changes to make sure the tests conform to the standard test structure. - Rename test-regress-GH-io-1068 to test-tty-stdin-end - Rename test-regress-GH-io-1811 to test-zlib-kmaxlength-rangeerror - Rename test-regress-GH-node-9326 to test-kill-segfault-freebsd - Rename test-timers-regress-GH-9765 to test-timers-setimmediate-infinite-loop - Rename test-tls-pfx-gh-5100-regr to test-tls-pfx-authorizationerror - Rename test-tls-regr-gh-5108 to test-tls-tlswrap-segfault PR-URL: https://github.com/nodejs/node/pull/19332 Fixes: https://github.com/nodejs/node/issues/19105 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Yuta Hiroto <hello@hiroppy.me> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Shingo Inoue <leko.noor@gmail.com> 2018-03-14 03:13:29 +05:30			`client.end();`
			`server.close();`
			`}`
			`);`
			`});`