Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: load PFX chain the same way as regular one #4165

Closed
wants to merge 11 commits into from

Conversation

indutny
Copy link
Member

@indutny indutny commented Dec 5, 2015

Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: #4127

Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: nodejs#4127
@indutny
Copy link
Member Author

indutny commented Dec 5, 2015

cc @nodejs/crypto

@indutny indutny added tls Issues and PRs related to the tls subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. lts-watch-v4.x labels Dec 5, 2015
@indutny
Copy link
Member Author

indutny commented Dec 6, 2015

Actually just added the test that demonstrates the problem, feel free to review it now ;)

@indutny
Copy link
Member Author

indutny commented Dec 6, 2015

// possibly followed by a sequence of CA certificates that should be
// sent to the peer in the Certificate message.
//
// Taken from OpenSSL - editted for style.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/editted/edited/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack.

@indutny
Copy link
Member Author

indutny commented Dec 6, 2015

There was failure on CI FIPS bot, fixed in latest commit. Running CI again: https://ci.nodejs.org/job/node-test-pull-request/935/

@indutny
Copy link
Member Author

indutny commented Dec 6, 2015

Gosh, messed it up. New CI: https://ci.nodejs.org/job/node-test-pull-request/936/

@indutny
Copy link
Member Author

indutny commented Dec 6, 2015

CI seems to be green, failures are completely unrelated.

int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
BIO* in,
X509* x,
STACK_OF(X509)* extra_certs,
X509** cert,
X509** issuer) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a CHECK_EQ(*issuer, nullptr) and maybe a CHECK_EQ(*cert, nullptr) while you're here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are totally right. It needs something more complex though, since we don't prevent people from passing in both cert+key and pfx for TLS server.

@indutny
Copy link
Member Author

indutny commented Dec 7, 2015

@bnoordhuis PTAL, should be better now.

@indutny
Copy link
Member Author

indutny commented Dec 9, 2015

@bnoordhuis ping ;)

@indutny
Copy link
Member Author

indutny commented Dec 11, 2015

erm @bnoordhuis or @nodejs/crypto : I need your LGTM ;)

@indutny
Copy link
Member Author

indutny commented Dec 14, 2015

Anyone?

@indutny
Copy link
Member Author

indutny commented Dec 17, 2015

ping @bnoordhuis @nodejs/crypto

x = PEM_read_bio_X509_AUX(in, nullptr, CryptoPemCallback, nullptr);

if (x == nullptr) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize it's not new code but I believe PEM_read_bio_X509_AUX() also registers an error, but with tag ERR_LIB_PEM, not ERR_LIB_SSL.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep it as it is right now, just because it may make this PR a semver-major. Let's reconsider it later.

@paddybyers
Copy link
Contributor

Is it planned that this will be be included in 4.2.x as well as 5.x? The reason I ask is that I believe a side-effect of this change is to fix a memory leak which is relevant to production stability. I can raise an issue/PR against 4.2.x with a fix only for the memory leak if necessary.

@indutny
Copy link
Member Author

indutny commented Jan 4, 2016

@paddybyers yep, it has lts-watch tag ;)

@paddybyers
Copy link
Contributor

it has lts-watch tag ;)

I see, thanks :)

Fishrock123 pushed a commit to Fishrock123/node that referenced this pull request Jan 6, 2016
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: nodejs#4127
PR-URL: nodejs#4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins pushed a commit that referenced this pull request Jan 13, 2016
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: #4127
PR-URL: #4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
MylesBorins pushed a commit that referenced this pull request Jan 19, 2016
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: #4127
PR-URL: #4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
@MylesBorins MylesBorins mentioned this pull request Jan 19, 2016
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: nodejs#4127
PR-URL: nodejs#4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants