node/test/parallel/test-tls-set-default-ca-certificates-recovery.js
Joyee Cheung edd66d0130
crypto: add tls.setDefaultCACertificates()
This API allows dynamically configuring CA certificates that
will be used by the Node.js TLS clients by default.

Once called, the provided certificates will become the default CA
certificate list returned by `tls.getCACertificates('default')` and
used by TLS connections that don't specify their own CA certificates.

This function only affects the current Node.js thread.

PR-URL: https://github.com/nodejs/node/pull/58822
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
2025-07-18 19:57:53 +00:00


'use strict';
// This tests error recovery and fallback behavior for tls.setDefaultCACertificates()
const common = require('../common');
if (!common.hasCrypto) common.skip('missing crypto');
const assert = require('assert');
const tls = require('tls');
const fixtures = require('../common/fixtures');
const { assertEqualCerts } = require('../common/tls');
const fixtureCert = fixtures.readKey('fake-startcom-root-cert.pem');
/**
 * Checks that a rejected tls.setDefaultCACertificates() call does not change
 * the default CA list.
 *
 * Each case passes input that must make the setter throw, then compares
 * tls.getCACertificates('default') against `expectedCerts`. The comparison
 * is the point of the test: these certificates are what TLS clients trust
 * when they pass no CA list of their own, so a failed update must not
 * leave a partially applied list behind.
 *
 * @param {string[]} expectedCerts - The default CA certificates in effect
 *   before this function is called; they must still be in effect after
 *   every failed call.
 */
function testRecovery(expectedCerts) {
  // Case 1: the only entry is plain text, not a certificate at all.
  const plainTextInput = 'not a valid certificate';
  const rejectPlainText = () => tls.setDefaultCACertificates([plainTextInput]);
  assert.throws(rejectPlainText, {
    code: 'ERR_CRYPTO_OPERATION_FAILED',
    message: /No valid certificates found in the provided array/,
  });
  assertEqualCerts(tls.getCACertificates('default'), expectedCerts);

  // Case 2: a real fixture certificate comes first, followed by an entry
  // that has PEM framing around a body that is not a certificate. The valid
  // entry ahead of the bad one must not end up installed on its own.
  const pemFramedGarbage = '-----BEGIN CERTIFICATE-----\nvalid cert content\n-----END CERTIFICATE-----';
  const rejectMixedList = () => tls.setDefaultCACertificates([fixtureCert, pemFramedGarbage]);
  assert.throws(rejectMixedList, {
    code: 'ERR_OSSL_PEM_ASN1_LIB',
  });
  assertEqualCerts(tls.getCACertificates('default'), expectedCerts);
}
// Round 1: failed updates must leave the defaults this thread started with
// untouched.
const originalDefaultCerts = tls.getCACertificates('default');
testRecovery(originalDefaultCerts);

// Round 2: install the first three bundled certificates as the defaults,
// confirm the replacement took effect, then repeat the failure cases. A failed
// update must now preserve the replaced list, not revert to the original one.
const bundledCerts = tls.getCACertificates('bundled');
const subset = bundledCerts.slice(0, 3);
tls.setDefaultCACertificates(subset);
assertEqualCerts(tls.getCACertificates('default'), subset);
testRecovery(subset);