|
21 | 21 |
|
22 | 22 | 'use strict';
|
23 | 23 | const common = require('../common');
|
| 24 | + |
| 25 | +// Test multi-identity ('key')/multi-algorithm scenarios. |
| 26 | + |
24 | 27 | if (!common.hasCrypto)
|
25 | 28 | common.skip('missing crypto');
|
26 | 29 |
|
27 | 30 | const fixtures = require('../common/fixtures');
|
28 | 31 | const assert = require('assert');
|
29 | 32 | const tls = require('tls');
|
30 | 33 |
|
31 |
| -const options = { |
| 34 | +// Key is ordered as ec, rsa, cert is ordered as rsa, ec. |
| 35 | +test({ |
32 | 36 | key: [
|
33 |
| - fixtures.readKey('ec-key.pem'), |
| 37 | + fixtures.readKey('ec10-key.pem'), |
| 38 | + fixtures.readKey('agent1-key.pem'), |
| 39 | + ], |
| 40 | + cert: [ |
| 41 | + fixtures.readKey('agent1-cert.pem'), |
| 42 | + fixtures.readKey('ec10-cert.pem'), |
| 43 | + ], |
| 44 | + eccCN: 'agent10.example.com', |
| 45 | + client: { ca: [ |
| 46 | + fixtures.readKey('ca5-cert.pem'), |
| 47 | + fixtures.readKey('ca1-cert.pem'), |
| 48 | + ] }, |
| 49 | +}); |
| 50 | + |
| 51 | +// Key and cert are ordered as ec, rsa. |
| 52 | +test({ |
| 53 | + key: [ |
| 54 | + fixtures.readKey('ec10-key.pem'), |
34 | 55 | fixtures.readKey('agent1-key.pem'),
|
35 | 56 | ],
|
36 | 57 | cert: [
|
37 | 58 | fixtures.readKey('agent1-cert.pem'),
|
| 59 | + fixtures.readKey('ec10-cert.pem'), |
| 60 | + ], |
| 61 | + eccCN: 'agent10.example.com', |
| 62 | + client: { ca: [ |
| 63 | + fixtures.readKey('ca5-cert.pem'), |
| 64 | + fixtures.readKey('ca1-cert.pem'), |
| 65 | + ] }, |
| 66 | +}); |
| 67 | + |
| 68 | +// Key, cert, and pfx options can be used simultaneously. |
| 69 | +test({ |
| 70 | + key: [ |
| 71 | + fixtures.readKey('ec-key.pem'), |
| 72 | + ], |
| 73 | + cert: [ |
38 | 74 | fixtures.readKey('ec-cert.pem'),
|
39 |
| - ] |
40 |
| -}; |
| 75 | + ], |
| 76 | + pfx: fixtures.readKey('agent1.pfx'), |
| 77 | + passphrase: 'sample', |
| 78 | + client: { ca: [ |
| 79 | + fixtures.readKey('ec-cert.pem'), |
| 80 | + fixtures.readKey('ca1-cert.pem'), |
| 81 | + ] }, |
| 82 | +}); |
41 | 83 |
|
42 |
| -const ciphers = []; |
| 84 | +// Key and cert with mixed algorithms, and cert chains with intermediate CAs |
| 85 | +test({ |
| 86 | + key: [ |
| 87 | + fixtures.readKey('ec10-key.pem'), |
| 88 | + fixtures.readKey('agent10-key.pem'), |
| 89 | + ], |
| 90 | + cert: [ |
| 91 | + fixtures.readKey('agent10-cert.pem'), |
| 92 | + fixtures.readKey('ec10-cert.pem'), |
| 93 | + ], |
| 94 | + rsaCN: 'agent10.example.com', |
| 95 | + eccCN: 'agent10.example.com', |
| 96 | + client: { ca: [ |
| 97 | + fixtures.readKey('ca2-cert.pem'), |
| 98 | + fixtures.readKey('ca5-cert.pem'), |
| 99 | + ] }, |
| 100 | +}); |
| 101 | + |
| 102 | +// Key and cert with mixed algorithms, and cert chains with intermediate CAs, |
| 103 | +// using PFX for EC. |
| 104 | +test({ |
| 105 | + key: [ |
| 106 | + fixtures.readKey('agent10-key.pem'), |
| 107 | + ], |
| 108 | + cert: [ |
| 109 | + fixtures.readKey('agent10-cert.pem'), |
| 110 | + ], |
| 111 | + pfx: fixtures.readKey('ec10.pfx'), |
| 112 | + passphrase: 'sample', |
| 113 | + rsaCN: 'agent10.example.com', |
| 114 | + eccCN: 'agent10.example.com', |
| 115 | + client: { ca: [ |
| 116 | + fixtures.readKey('ca2-cert.pem'), |
| 117 | + fixtures.readKey('ca5-cert.pem'), |
| 118 | + ] }, |
| 119 | +}); |
| 120 | + |
| 121 | +// Key and cert with mixed algorithms, and cert chains with intermediate CAs, |
| 122 | +// using PFX for RSA. |
| 123 | +test({ |
| 124 | + key: [ |
| 125 | + fixtures.readKey('ec10-key.pem'), |
| 126 | + ], |
| 127 | + cert: [ |
| 128 | + fixtures.readKey('ec10-cert.pem'), |
| 129 | + ], |
| 130 | + pfx: fixtures.readKey('agent10.pfx'), |
| 131 | + passphrase: 'sample', |
| 132 | + rsaCN: 'agent10.example.com', |
| 133 | + eccCN: 'agent10.example.com', |
| 134 | + client: { ca: [ |
| 135 | + fixtures.readKey('ca2-cert.pem'), |
| 136 | + fixtures.readKey('ca5-cert.pem'), |
| 137 | + ] }, |
| 138 | +}); |
| 139 | + |
| 140 | +function test(options) { |
| 141 | + const rsaCN = options.rsaCN || 'agent1'; |
| 142 | + const eccCN = options.eccCN || 'agent2'; |
| 143 | + const clientTrustRoots = options.client.ca; |
| 144 | + delete options.rsaCN; |
| 145 | + delete options.eccCN; |
| 146 | + delete options.client; |
| 147 | + const server = tls.createServer(options, function(conn) { |
| 148 | + conn.end('ok'); |
| 149 | + }).listen(0, common.mustCall(connectWithEcdsa)); |
43 | 150 |
|
44 |
| -const server = tls.createServer(options, function(conn) { |
45 |
| - conn.end('ok'); |
46 |
| -}).listen(0, function() { |
47 |
| - const ecdsa = tls.connect(this.address().port, { |
48 |
| - ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', |
49 |
| - rejectUnauthorized: false |
50 |
| - }, function() { |
51 |
| - ciphers.push(ecdsa.getCipher()); |
| 151 | + function connectWithEcdsa() { |
| 152 | + const ecdsa = tls.connect(this.address().port, { |
| 153 | + ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', |
| 154 | + rejectUnauthorized: true, |
| 155 | + ca: clientTrustRoots, |
| 156 | + checkServerIdentity: (_, c) => assert.strictEqual(c.subject.CN, eccCN), |
| 157 | + }, common.mustCall(function() { |
| 158 | + assert.deepStrictEqual(ecdsa.getCipher(), { |
| 159 | + name: 'ECDHE-ECDSA-AES256-GCM-SHA384', |
| 160 | + version: 'TLSv1/SSLv3' |
| 161 | + }); |
| 162 | + assert.strictEqual(ecdsa.getPeerCertificate().subject.CN, eccCN); |
| 163 | + // XXX(sam) certs don't currently include EC key info, so depend on |
| 164 | + // absence of RSA key info to indicate key is EC. |
| 165 | + assert(!ecdsa.getPeerCertificate().exponent, 'not cert for an RSA key'); |
| 166 | + ecdsa.end(); |
| 167 | + connectWithRsa(); |
| 168 | + })); |
| 169 | + } |
| 170 | + |
| 171 | + function connectWithRsa() { |
52 | 172 | const rsa = tls.connect(server.address().port, {
|
53 | 173 | ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
|
54 |
| - rejectUnauthorized: false |
55 |
| - }, function() { |
56 |
| - ciphers.push(rsa.getCipher()); |
57 |
| - ecdsa.end(); |
| 174 | + rejectUnauthorized: true, |
| 175 | + ca: clientTrustRoots, |
| 176 | + checkServerIdentity: (_, c) => assert.strictEqual(c.subject.CN, rsaCN), |
| 177 | + }, common.mustCall(function() { |
| 178 | + assert.deepStrictEqual(rsa.getCipher(), { |
| 179 | + name: 'ECDHE-RSA-AES256-GCM-SHA384', |
| 180 | + version: 'TLSv1/SSLv3' |
| 181 | + }); |
| 182 | + assert.strictEqual(rsa.getPeerCertificate().subject.CN, rsaCN); |
| 183 | + assert(rsa.getPeerCertificate().exponent, 'cert for an RSA key'); |
58 | 184 | rsa.end();
|
59 | 185 | server.close();
|
60 |
| - }); |
61 |
| - }); |
62 |
| -}); |
63 |
| - |
64 |
| -process.on('exit', function() { |
65 |
| - assert.deepStrictEqual(ciphers, [{ |
66 |
| - name: 'ECDHE-ECDSA-AES256-GCM-SHA384', |
67 |
| - version: 'TLSv1/SSLv3' |
68 |
| - }, { |
69 |
| - name: 'ECDHE-RSA-AES256-GCM-SHA384', |
70 |
| - version: 'TLSv1/SSLv3' |
71 |
| - }]); |
72 |
| -}); |
| 186 | + })); |
| 187 | + } |
| 188 | +} |
0 commit comments