author | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2016-11-04 18:19:20 +0900 |
committer | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2017-02-04 00:19:59 +0900 |
commit | 89217d145097590e37d11db6e98c317d154be689 (patch) | |
tree | cdd75f365b47764c009a7cc7b0e8a22db9fb985f /test/parallel/test-tls-startcom-wosign-whitelist.js | |
parent | 4e259b21a34bb017bd60190451bf555b4c1749a5 (diff) | |
crypto: add cert check issued by StartCom/WoSign
When a TLS client connects to a server whose certificate was issued by
either StartCom or WoSign (the roots listed in StartComAndWoSignData.inc),
check the notBefore of the server certificate and return a CERT_REVOKED
error if it is after 00:00:00 on October 21, 2016.
See for details in
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/,
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
and
https://support.apple.com/en-us/HT204132
Fixes: https://github.com/nodejs/node/issues/9434
PR-URL: https://github.com/nodejs/node/pull/9469
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'test/parallel/test-tls-startcom-wosign-whitelist.js')
-rw-r--r-- | test/parallel/test-tls-startcom-wosign-whitelist.js | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/test/parallel/test-tls-startcom-wosign-whitelist.js b/test/parallel/test-tls-startcom-wosign-whitelist.js
new file mode 100644
index 0000000000..fd20e0d8e9
--- /dev/null
+++ b/test/parallel/test-tls-startcom-wosign-whitelist.js
@@ -0,0 +1,91 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+
+if (!common.hasCrypto) {
+ common.skip('missing crypto');
+ return;
+}
+
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+let finished = 0;
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', n + '.pem');
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const testCases = [
+ { // agent8 is signed by fake-startcom-root with notBefore of
+ // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check.
+ serverOpts: {
+ key: loadPEM('agent8-key'),
+ cert: loadPEM('agent8-cert')
+ },
+ clientOpts: {
+ ca: loadPEM('fake-startcom-root-cert'),
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'CERT_OK'
+ },
+ { // agent9 is signed by fake-startcom-root with notBefore of
+ // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check.
+ serverOpts: {
+ key: loadPEM('agent9-key'),
+ cert: loadPEM('agent9-cert')
+ },
+ clientOpts: {
+ ca: loadPEM('fake-startcom-root-cert'),
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'CERT_REVOKED'
+ }
+];
+
+
+function runNextTest(server, tindex) {
+ server.close(function() {
+ finished++;
+ runTest(tindex + 1);
+ });
+}
+
+
+function runTest(tindex) {
+ const tcase = testCases[tindex];
+
+ if (!tcase) return;
+
+ const server = tls.createServer(tcase.serverOpts, function(s) {
+ s.resume();
+ }).listen(0, function() {
+ tcase.clientOpts.port = this.address().port;
+ const client = tls.connect(tcase.clientOpts);
+ client.on('error', function(e) {
+ assert.strictEqual(e.code, tcase.errorCode);
+ runNextTest(server, tindex);
+ });
+
+ client.on('secureConnect', function() {
+ // agent8 can pass StartCom/WoSign check so that the secureConnect
+ // is established.
+ assert.strictEqual(tcase.errorCode, 'CERT_OK');
+ client.end();
+ runNextTest(server, tindex);
+ });
+ });
+}
+
+
+runTest(0);
+
+process.on('exit', function() {
+ assert.strictEqual(finished, testCases.length);
 });
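Review bot: The two fixtures in testCases bracket the cutoff at Oct 20 23:59:59 and Oct 21 00:00:01 2016 GMT, so the boundary second itself — whether a notBefore of exactly Oct 21 00:00:00 2016 GMT is rejected — is not pinned by this test, and the commit message's "after 00:00:00" wording (like the Mozilla and Google posts it cites) leaves that second ambiguous. A third agent fixture with notBefore of exactly Oct 21 00:00:00 2016 GMT and `errorCode: 'CERT_REVOKED'` (or `'CERT_OK'`, whichever the implementation intends) would lock the boundary in; the fixture generation lives outside this diff. Both cases also appear, from their comments, to chain directly to fake-startcom-root, and there is no case for a post-cutoff certificate from an unrelated CA, so the test cannot distinguish an over-broad distrust (every certificate with a late notBefore rejected) from the intended one. Unless another test already covers it, a control entry using a non-StartCom/WoSign CA fixture with a post-cutoff notBefore and `errorCode: 'CERT_OK'` is worth adding, and a one-line comment above testCases stating the cutoff and its inclusivity would make the intent readable without the commit message.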