
This API allows dynamically configuring CA certificates that will be used by the Node.js TLS clients by default. Once called, the provided certificates will become the default CA certificate list returned by `tls.getCACertificates('default')` and used by TLS connections that don't specify their own CA certificates. This function only affects the current Node.js thread. PR-URL: https://github.com/nodejs/node/pull/58822 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
'use strict';
// This tests that appending certificates to the existing defaults works
// correctly with https.request().
const common = require('../common');
if (!common.hasCrypto) common.skip('missing crypto');
const assert = require('assert');
const https = require('https');
const tls = require('tls');
const fixtures = require('../common/fixtures');
const { includesCert } = require('../common/tls');
// Snapshot of the CA list Node.js reports as 'bundled'; it is the trust
// baseline that the fixture root is later appended to.
const bundledCerts = tls.getCACertificates('bundled');

// Root certificate fixture that the test adds to the defaults.
const fixtureCert = fixtures.readKey('fake-startcom-root-cert.pem');

// If the fixture root were already part of the bundled list, the
// "must fail with bundled CAs only" step further down could not fail,
// so the test has nothing to prove and is skipped.
const fixtureAlreadyBundled = includesCert(bundledCerts, fixtureCert);
if (fixtureAlreadyBundled) {
  common.skip('fake-startcom-root-cert is already in bundled certificates, skipping test');
}
// Scenario: an HTTPS request to this server must be rejected while only the
// bundled CAs are trusted, and must succeed once the custom CA is added.

// Key material for the local test server, read from the fixtures directory.
const serverOptions = {
  cert: fixtures.readKey('agent8-cert.pem'),
  key: fixtures.readKey('agent8-key.pem'),
};

// Every request gets a 200 with the fixed body the client asserts on.
const respondSuccess = (req, res) => {
  res.writeHead(200);
  res.end('success');
};

const server = https.createServer(serverOptions, respondSuccess);
server.listen(0, common.mustCall(() => {
  const { port } = server.address();

  // Builds a fresh options object for each request. No `ca` option is set,
  // so both requests are verified against the default CA list.
  const localGet = () => ({
    hostname: 'localhost',
    port,
    path: '/',
    method: 'GET'
  });

  // Second phase: runs only after the first request was rejected.
  const retryWithFixtureRoot = () => {
    // setDefaultCACertificates() installs the given list as the new default,
    // so "appending" means passing the bundled list plus the extra root.
    tls.setDefaultCACertificates([...bundledCerts, fixtureCert]);

    const req2 = https.request(localGet(), common.mustCall((res) => {
      assert.strictEqual(res.statusCode, 200);

      let body = '';
      res.on('data', (chunk) => {
        body += chunk;
      });
      res.on('end', common.mustCall(() => {
        assert.strictEqual(body, 'success');
        server.close();
      }));
    }));

    req2.on('error', common.mustNotCall('Should not error with correct CA added'));
    req2.end();
  };

  // First phase: trust only the bundled CAs. The server certificate must not
  // verify against them, so the response callback must never run.
  tls.setDefaultCACertificates(bundledCerts);

  const req1 = https.request(
    localGet(),
    common.mustNotCall('Should not succeed with bundled CA only')
  );

  req1.on('error', common.mustCall((err) => {
    console.log(err);
    // The rejection has to be a certificate verification failure, not some
    // unrelated connection error.
    assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');

    retryWithFixtureRoot();
  }));

  req1.end();
}));