tls: add "ca" property to certificate object

The objects returned by getPeerCertificate() now have an additional "ca" boolean property that indicates whether the certificate is a Certificate Authority certificate or not. Fixes: https://github.com/nodejs/node/issues/44905 PR-URL: https://github.com/nodejs/node/pull/44935 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <midawson@redhat.com>
2022-11-09 10:29:17 +01:00 · 2022-11-09 10:29:17 +01:00 · 9fe6dcf6cc
commit 9fe6dcf6cc
parent da44fd8002
4 changed files with 12 additions and 1 deletions
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@ -1173,6 +1173,9 @@ certificate.

 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/44935
+    description: Add "ca" property.
  - version:
      - v17.2.0
      - v16.14.0
@ -1186,6 +1189,7 @@ changes:
 A certificate object has properties corresponding to the fields of the
 certificate.

+* `ca` {boolean} `true` if a Certificate Authority (CA), `false` otherwise.
 * `raw` {Buffer} The DER encoded X.509 certificate data.
 * `subject` {Object} The certificate subject, described in terms of
  Country (`C`), StateOrProvince (`ST`), Locality (`L`), Organization (`O`),
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@ -27,6 +27,7 @@ namespace node {
 using v8::Array;
 using v8::ArrayBuffer;
 using v8::BackingStore;
+using v8::Boolean;
 using v8::Context;
 using v8::EscapableHandleScope;
 using v8::Integer;
@ -1260,6 +1261,8 @@ MaybeLocal<Object> X509ToObject(
  BIOPointer bio(BIO_new(BIO_s_mem()));
  CHECK(bio);

+  // X509_check_ca() returns a range of values. Only 1 means "is a CA"
+  auto is_ca = Boolean::New(env->isolate(), 1 == X509_check_ca(cert));
  if (!Set<Value>(context,
                  info,
                  env->subject_string(),
@ -1275,7 +1278,8 @@ MaybeLocal<Object> X509ToObject(
      !Set<Value>(context,
                  info,
                  env->infoaccess_string(),
-                  GetInfoAccessString(env, bio, cert))) {
+                  GetInfoAccessString(env, bio, cert)) ||
+      !Set<Boolean>(context, info, env->ca_string(), is_ca)) {
    return MaybeLocal<Object>();
  }

--- a/src/env_properties.h
+++ b/src/env_properties.h
@ -57,6 +57,7 @@
  V(bytes_parsed_string, "bytesParsed")                                        \
  V(bytes_read_string, "bytesRead")                                            \
  V(bytes_written_string, "bytesWritten")                                      \
+  V(ca_string, "ca")                                                           \
  V(cached_data_produced_string, "cachedDataProduced")                         \
  V(cached_data_rejected_string, "cachedDataRejected")                         \
  V(cached_data_string, "cachedData")                                          \
--- a/test/parallel/test-tls-peer-certificate.js
+++ b/test/parallel/test-tls-peer-certificate.js
@ -52,6 +52,8 @@ connect({
  debug('peerCert:\n', peerCert);

  assert.ok(peerCert.issuerCertificate);
+  assert.strictEqual(peerCert.ca, false);
+  assert.strictEqual(peerCert.issuerCertificate.ca, true);
  assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
  assert.strictEqual(peerCert.serialNumber, '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
  assert.strictEqual(peerCert.exponent, '0x10001');