authorShigeki Ohtsu <ohtsu@ohtsu.org>2016-11-04 18:19:20 +0900
committerShigeki Ohtsu <ohtsu@ohtsu.org>2017-02-04 00:19:59 +0900
commit89217d145097590e37d11db6e98c317d154be689 (patch)
treecdd75f365b47764c009a7cc7b0e8a22db9fb985f /test/parallel/test-tls-startcom-wosign-whitelist.js
parent4e259b21a34bb017bd60190451bf555b4c1749a5 (diff)
crypto: add cert check issued by StartCom/WoSign
When a TLS client connects to a server whose certificate was issued by either StartCom or WoSign (as listed in StartComAndWoSignData.inc), check the notBefore of the server certificate and return a CERT_REVOKED error if it is after 00:00:00 on October 21, 2016. See for details https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/, https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html and https://support.apple.com/en-us/HT204132 Fixes: https://github.com/nodejs/node/issues/9434 PR-URL: https://github.com/nodejs/node/pull/9469 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Diffstat (limited to 'test/parallel/test-tls-startcom-wosign-whitelist.js')
-rw-r--r--test/parallel/test-tls-startcom-wosign-whitelist.js91
1 files changed, 91 insertions, 0 deletions
diff --git a/test/parallel/test-tls-startcom-wosign-whitelist.js b/test/parallel/test-tls-startcom-wosign-whitelist.js
new file mode 100644
index 0000000000..fd20e0d8e9
--- /dev/null
+++ b/test/parallel/test-tls-startcom-wosign-whitelist.js
@@ -0,0 +1,91 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+
+if (!common.hasCrypto) {
+ common.skip('missing crypto');
+ return;
+}
+
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+let finished = 0;
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', n + '.pem');
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const testCases = [
+ { // agent8 is signed by fake-startcom-root with notBefore of
+ // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check.
+ serverOpts: {
+ key: loadPEM('agent8-key'),
+ cert: loadPEM('agent8-cert')
+ },
+ clientOpts: {
+ ca: loadPEM('fake-startcom-root-cert'),
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'CERT_OK'
+ },
+ { // agent9 is signed by fake-startcom-root with notBefore of
+ // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check.
+ serverOpts: {
+ key: loadPEM('agent9-key'),
+ cert: loadPEM('agent9-cert')
+ },
+ clientOpts: {
+ ca: loadPEM('fake-startcom-root-cert'),
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'CERT_REVOKED'
+ }
+];
+
+
+function runNextTest(server, tindex) {
+ server.close(function() {
+ finished++;
+ runTest(tindex + 1);
+ });
+}
+
+
+function runTest(tindex) {
+ const tcase = testCases[tindex];
+
+ if (!tcase) return;
+
+ const server = tls.createServer(tcase.serverOpts, function(s) {
+ s.resume();
+ }).listen(0, function() {
+ tcase.clientOpts.port = this.address().port;
+ const client = tls.connect(tcase.clientOpts);
+ client.on('error', function(e) {
+ assert.strictEqual(e.code, tcase.errorCode);
+ runNextTest(server, tindex);
+ });
+
+ client.on('secureConnect', function() {
+ // agent8 can pass StartCom/WoSign check so that the secureConnect
+ // is established.
+ assert.strictEqual(tcase.errorCode, 'CERT_OK');
+ client.end();
+ runNextTest(server, tindex);
+ });
+ });
+}
+
+
+runTest(0);
+
+process.on('exit', function() {
+ assert.strictEqual(finished, testCases.length);
+});
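Review bot: The `errorCode: 'CERT_OK'` case relies on the agent8 fixture still being inside its validity window when the test runs; once that certificate passes its notAfter, the client would fail with a different code such as CERT_HAS_EXPIRED and the assertion in the `error` handler would fail for a reason unrelated to the StartCom/WoSign cutoff. A comment above the first entry of `testCases`, `// NOTE: agent8/agent9 must also be unexpired at test time; the notBefore cutoff is exercised only on an otherwise valid chain`, would make that dependency visible to whoever regenerates fixtures, hedged since the ordering of the date check relative to expiry validation is not visible in this file. It would also help to note next to `errorCode: 'CERT_REVOKED'` that the code is reused here for the date-based distrust policy described in the commit message rather than an actual CRL/OCSP revocation, so a reader does not go looking for revocation data in the fixtures.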