aboutsummaryrefslogtreecommitdiff
path: root/test/parallel/test-tls-cnnic-whitelist.js
blob: a33e631ddf74371505a901c300869572a0b97b15 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

// Flags: --use-bundled-ca
'use strict';
const common = require('../common');

if (!common.hasCrypto) {
  common.skip('missing crypto');
  return;
}

const assert = require('assert');
const tls = require('tls');
const fs = require('fs');
const path = require('path');

function filenamePEM(n) {
  return path.join(common.fixturesDir, 'keys', `${n}.pem`);
}

function loadPEM(n) {
  return fs.readFileSync(filenamePEM(n));
}

const testCases = [
  { // Test 0: for the check of a cert not existed in the whitelist.
    // agent7-cert.pem is issued by the fake CNNIC root CA so that its
    // hash is not listed in the whitelist.
    // fake-cnnic-root-cert has the same subject name as the original
    // rootCA.
    serverOpts: {
      key: loadPEM('agent7-key'),
      cert: loadPEM('agent7-cert')
    },
    clientOpts: {
      port: undefined,
      rejectUnauthorized: true,
      ca: [loadPEM('fake-cnnic-root-cert')]
    },
    errorCode: 'CERT_REVOKED'
  },
  // Test 1: for the fix of node#2061
  // agent6-cert.pem is signed by intermidate cert of ca3.
  // The server has a cert chain of agent6->ca3->ca1(root) but
  // tls.connect should be failed with an error of
  // UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
  // installed locally.
  {
    serverOpts: {
      ca: loadPEM('ca3-key'),
      key: loadPEM('agent6-key'),
      cert: loadPEM('agent6-cert')
    },
    clientOpts: {
      port: undefined,
      rejectUnauthorized: true
    },
    errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
  }
];

function runTest(tindex) {
  const tcase = testCases[tindex];

  if (!tcase) return;

  const server = tls.createServer(tcase.serverOpts, (s) => {
    s.resume();
  }).listen(0, common.mustCall(function() {
    tcase.clientOpts = this.address().port;
    const client = tls.connect(tcase.clientOpts);
    client.on('error', common.mustCall((e) => {
      assert.strictEqual(e.code, tcase.errorCode);
      server.close(common.mustCall(() => {
        runTest(tindex + 1);
      }));
    }));
  }));
}

runTest(0);
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-14 02:10:06 +0000