authorSam Roberts <vieuxtech@gmail.com>2016-10-17 11:56:58 -0700
committerSam Roberts <vieuxtech@gmail.com>2016-11-23 08:35:22 -0800
commitfd644f51f8bbd76818bfd9f30c8d2f3168683b7a (patch)
tree8d64339bc885e9960e70b4830ccb32692302258b /test/parallel/test-tls-env-extra-ca.js
parent213134f66dc3b6252aa19adbf2be6360d38cc707 (diff)
crypto: allow adding extra certs to well-known CAs
In closed environments, self-signed or privately signed certificates are commonly used, and rejected by Node.js since their root CAs are not well-known. Allow extending the set of well-known compiled-in CAs via environment, so they can be set as a matter of policy. PR-URL: https://github.com/nodejs/node/pull/9139 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Diffstat (limited to 'test/parallel/test-tls-env-extra-ca.js')
-rw-r--r--test/parallel/test-tls-env-extra-ca.js45
1 files changed, 45 insertions, 0 deletions
diff --git a/test/parallel/test-tls-env-extra-ca.js b/test/parallel/test-tls-env-extra-ca.js
new file mode 100644
index 0000000000..12e3272bd4
--- /dev/null
+++ b/test/parallel/test-tls-env-extra-ca.js
@@ -0,0 +1,45 @@
+// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation
+
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto) {
+ common.skip('missing crypto');
+ return;
+}
+
+const assert = require('assert');
+const tls = require('tls');
+const fork = require('child_process').fork;
+const fs = require('fs');
+
+if (process.env.CHILD) {
+ const copts = {
+ port: process.env.PORT,
+ checkServerIdentity: function() {},
+ };
+ const client = tls.connect(copts, function() {
+ client.end('hi');
+ });
+ return;
+}
+
+const options = {
+ key: fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'),
+ cert: fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'),
+};
+
+const server = tls.createServer(options, function(s) {
+ s.end('bye');
+ server.close();
+}).listen(0, common.mustCall(function() {
+ const env = {
+ CHILD: 'yes',
+ PORT: this.address().port,
+ NODE_EXTRA_CA_CERTS: common.fixturesDir + '/keys/ca1-cert.pem',
+ };
+
+ fork(__filename, {env: env}).on('exit', common.mustCall(function(status) {
+ assert.equal(status, 0, 'client did not succeed in connecting');
+ }));
+}));
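Review bot: The test only asserts the success path, so it cannot tell "the CA from NODE_EXTRA_CA_CERTS was trusted" apart from "the child did not validate the peer at all". A control run of the same child without NODE_EXTRA_CA_CERTS, expected to exit non-zero, would pin that down. The sketch below runs the control first; it assumes the failed handshake never reaches the server's connection callback, so `server.close()` has not yet run when the second child connects. The child's `checkServerIdentity: function() {}` also deserves a comment, for example `// hostname check bypassed on purpose; chain validation against the CA store still applies`, so the no-op is not copied as a general pattern.

```javascript
}).listen(0, common.mustCall(function() {
  const port = this.address().port;
  const run = function(extra, check) {
    const env = Object.assign({ CHILD: 'yes', PORT: port }, extra);
    fork(__filename, {env: env}).on('exit', common.mustCall(check));
  };

  // Control: without the extra CA the child must fail to validate the peer.
  run({}, function(status) {
    assert.notStrictEqual(status, 0, 'client connected without the extra CA');

    run({
      NODE_EXTRA_CA_CERTS: common.fixturesDir + '/keys/ca1-cert.pem',
    }, function(status) {
      assert.strictEqual(status, 0, 'client did not succeed in connecting');
    });
  });
}));
```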