Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: get the local certificate after tls handshake #24261

Closed
wants to merge 1 commit into from
Closed

tls: get the local certificate after tls handshake #24261

wants to merge 1 commit into from

Conversation

sam-github
Copy link
Contributor

Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

@sam-github build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1549/pipeline

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Nov 8, 2018
@sam-github sam-github mentioned this pull request Nov 8, 2018
Closed
@sam-github sam-github added the semver-minor PRs that contain new features and should be released in the next minor version. label Nov 8, 2018
bnoordhuis
bnoordhuis reviewed Nov 9, 2018
View reviewed changes
doc/api/tls.md
* Returns: {Object}

Returns an object representing the local certificate. The returned object has
some properties corresponding to the fields of the certificate.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you be more specific than "some"?

Copy link
Contributor Author

@sam-github sam-github Nov 9, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty vague, isn't it! ;-) This is the extent of the current documentation for parsed cert objects, unchanged since 0c42fac51596a68a6be02ea537e5ec03f228844b. Its on my list to fix, but for now I'd like to leave as-is. The wording of these docs are close to identical as possible to the docs for https://nodejs.org/api/tls.html#tls_tlssocket_getpeercertificate_detailed. I'm working on a PR to add EC and DH key info to X509ToObject, and I promise to doc the cert format then, and reorganize the docs, since the cert can show up in a handful of APIs.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/to @bnoordhuis as promised, #24358

doc/api/tls.md Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
bnoordhuis
bnoordhuis approved these changes Nov 9, 2018
View reviewed changes
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Sam, LGTM.

One thing: you may want to stick in an exports.translatePeerCertificate = exports.translateCertChain to stop it from being semver-major.

@sam-github
Copy link
Contributor Author

I don't want it to be semver-major, I'll put the original name back.

Whats the current way to hide our internal API? Could I move translatePeerCert into internal/ with a better name, and export a deprecated wrapper from _tls_common?

@sam-github
Copy link
Contributor Author

ci: https://ci.nodejs.org/job/node-test-pull-request/18470

@bnoordhuis
Copy link
Member

Could I move translatePeerCert into internal/ with a better name, and export a deprecated wrapper from _tls_common?

Yep.

@sam-github
Copy link
Contributor Author

ci: https://ci.nodejs.org/job/node-test-pull-request/18475/

addaleax
addaleax approved these changes Nov 10, 2018
View reviewed changes
doc/api/tls.md Outdated Show resolved Hide resolved
jasnell
jasnell reviewed Nov 10, 2018
View reviewed changes
doc/api/tls.md Outdated Show resolved Hide resolved
@sam-github
Copy link
Contributor Author

ci: https://ci.nodejs.org/job/node-test-pull-request/18588/

James, Anna - thanks for catching the typo.

danbev
danbev approved these changes Nov 14, 2018
View reviewed changes
src/node_crypto.cc Outdated Show resolved Hide resolved
@sam-github
tls: get the local certificate after tls handshake
f8f571f 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095
@sam-github
Copy link
Contributor Author

Landed in db35fee

@sam-github sam-github closed this Nov 14, 2018
@sam-github sam-github deleted the tls-get-cert branch November 14, 2018 04:43
sam-github added a commit that referenced this pull request Nov 14, 2018
@sam-github
tls: get the local certificate after tls handshake
db35fee 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
BridgeAR pushed a commit that referenced this pull request Nov 14, 2018
@sam-github @BridgeAR
tls: get the local certificate after tls handshake
30d6f63 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
kiyomizumia pushed a commit to kiyomizumia/node that referenced this pull request Nov 15, 2018
@sam-github @kiyomizumia
tls: get the local certificate after tls handshake
d76674c 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095

PR-URL: nodejs#24261
Fixes: nodejs#24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
BridgeAR pushed a commit that referenced this pull request Nov 15, 2018
@sam-github @BridgeAR
tls: get the local certificate after tls handshake
d6f91ba 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@BridgeAR BridgeAR mentioned this pull request Nov 15, 2018
Merged
This was referenced Nov 15, 2018
Closed
Closed
Closed
This was referenced Nov 16, 2018
Closed
Closed
Closed
addaleax added a commit to addaleax/node that referenced this pull request Jan 14, 2019
@addaleax
tls: do not free cert in .getCertificate()
7611f1b 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs#24261
Fixes: https://github.com/nodejs-private/security/issues/217
@addaleax addaleax mentioned this pull request Jan 14, 2019
Closed
3 tasks
@addaleax
Copy link
Member

If this is backported to LTS, it should go with #25490.

addaleax added a commit that referenced this pull request Jan 21, 2019
@addaleax
tls: do not free cert in .getCertificate()
e888f66 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: #24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: #25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
addaleax added a commit that referenced this pull request Jan 23, 2019
@addaleax
tls: do not free cert in .getCertificate()
c3409f5 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: #24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: #25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
zcbenz pushed a commit to electron/node that referenced this pull request Mar 27, 2019
@addaleax @zcbenz
tls: do not free cert in .getCertificate()
afbc0fd 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs/node#24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: nodejs/node#25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@sam-github sam-github mentioned this pull request Apr 26, 2019
Closed
sam-github added a commit to sam-github/node that referenced this pull request Apr 29, 2019
@sam-github
tls: get the local certificate after tls handshake
5f5d3c9 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095

PR-URL: nodejs#24261
Fixes: nodejs#24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
sam-github pushed a commit to sam-github/node that referenced this pull request Apr 29, 2019
@addaleax @sam-github
tls: do not free cert in .getCertificate()
8c7406f 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs#24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: nodejs#25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasnell jasnell jasnell left review comments

@addaleax addaleax addaleax approved these changes

@danbev danbev danbev approved these changes

@bnoordhuis bnoordhuis bnoordhuis approved these changes

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ability to check TLS contexts, servernames, altnames
6 participants
@sam-github @nodejs-github-bot @bnoordhuis @addaleax @danbev @jasnell