0
0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 21:19:50 +01:00
nodejs/test/parallel/test-tls-client-allow-partial-trust-chain.js
Anna Henningsen c3a7b29e56 tls: add allowPartialTrustChain flag
This commit exposes the `X509_V_FLAG_PARTIAL_CHAIN` OpenSSL flag to
users. This is behavior that has been requested repeatedly in the
Github issues, and allows aligning behavior with other TLS libraries
and commonly used applications (e.g. `curl`).

As a drive-by, simplify the `SecureContext` source by deduplicating
call sites at which a new custom certificate store was created for the
`secureContext` in question.

Fixes: https://github.com/nodejs/node/issues/36453
PR-URL: https://github.com/nodejs/node/pull/54790
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2024-09-09 17:24:10 +02:00

54 lines
1.6 KiB
JavaScript

'use strict';
const common = require('../common');
if (!common.hasCrypto) { common.skip('missing crypto'); };
const assert = require('assert');
const { once } = require('events');
const fixtures = require('../common/fixtures');
// agent6-cert.pem is signed by intermediate cert of ca3.
// The server has a cert chain of agent6->ca3->ca1(root).
const { it, beforeEach, afterEach, describe } = require('node:test');
describe('allowPartialTrustChain', { skip: !common.hasCrypto }, function() {
const tls = require('tls');
let server;
let client;
let opts;
beforeEach(async function() {
server = tls.createServer({
ca: fixtures.readKey('ca3-cert.pem'),
key: fixtures.readKey('agent6-key.pem'),
cert: fixtures.readKey('agent6-cert.pem'),
}, (socket) => socket.resume());
server.listen(0);
await once(server, 'listening');
opts = {
port: server.address().port,
ca: fixtures.readKey('ca3-cert.pem'),
checkServerIdentity() {}
};
});
afterEach(async function() {
client?.destroy();
server?.close();
});
it('can connect successfully with allowPartialTrustChain: true', async function() {
client = tls.connect({ ...opts, allowPartialTrustChain: true });
await once(client, 'secureConnect'); // Should not throw
});
it('fails without with allowPartialTrustChain: true for an intermediate cert in the CA', async function() {
// Consistency check: Connecting fails without allowPartialTrustChain: true
await assert.rejects(async () => {
const client = tls.connect(opts);
await once(client, 'secureConnect');
}, { code: 'UNABLE_TO_GET_ISSUER_CERT' });
});
});