Commit 4207bce

sam-github authored and MylesBorins committed
test: check tls server verification with addCACert
SecureContext.addCACert() adds to the existing root store, preserving root cert entries. option.ca is applied without calling SecureContext.addRootCerts() so should add to the default, empty, root store. This test confirms that the built-in root CAs are not included when options.ca is used.

Based on: shigeki@acd5837
Backport-PR-URL: #12468
PR-URL: #10389
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
1 parent cbfc3fc commit 4207bce
1 file changed: 55 additions, 0 deletions
@@ -0,0 +1,55 @@
1+
'use strict';
2+
const common = require('../common');
3+
4+
if (!common.hasCrypto) {
5+
common.skip('missing crypto');
6+
return;
7+
}
8+
9+
// Test interaction of compiled-in CAs with user-provided CAs.
10+
11+
const assert = require('assert');
12+
const fs = require('fs');
13+
const tls = require('tls');
14+
15+
function filenamePEM(n) {
16+
return require('path').join(common.fixturesDir, 'keys', n + '.pem');
17+
}
18+
19+
function loadPEM(n) {
20+
return fs.readFileSync(filenamePEM(n));
21+
}
22+
23+
const caCert = loadPEM('ca1-cert');
24+
25+
const opts = {
26+
host: 'www.nodejs.org',
27+
port: 443,
28+
rejectUnauthorized: true
29+
};
30+
31+
// Success relies on the compiled in well-known root CAs
32+
tls.connect(opts, common.mustCall(end));
33+
34+
// The .ca option replaces the well-known roots, so connection fails.
35+
opts.ca = caCert;
36+
tls.connect(opts, fail).on('error', common.mustCall((err) => {
37+
assert.strictEqual(err.message, 'unable to get local issuer certificate');
38+
}));
39+
40+
function fail() {
41+
assert(false, 'should fail to connect');
42+
}
43+
44+
// New secure contexts have the well-known root CAs.
45+
opts.secureContext = tls.createSecureContext();
46+
tls.connect(opts, common.mustCall(end));
47+
48+
// Explicit calls to addCACert() add to the default well-known roots, instead
49+
// of replacing, so connection still succeeds.
50+
opts.secureContext.context.addCACert(caCert);
51+
tls.connect(opts, common.mustCall(end));
52+
53+
function end() {
54+
this.end();
55+
}
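
Review bot: `opts` is a single object mutated between the four `tls.connect()` calls, and `opts.ca` assigned at line 35 is never cleared, so the cases at lines 45-46 and 50-51 pass only if `secureContext` takes precedence over the lingering `ca`. Build a fresh options object for each case (or `delete opts.ca` before line 45) so every assertion exercises exactly one trust-store configuration. Separately, lines 26-27 point at the live host `www.nodejs.org:443`, so the outcome depends on outbound network access and on that site's current certificate chain; the file should only run in a suite that is expected to have internet access. Line 50 calls `addCACert()` on `opts.secureContext.context`, the underlying context object rather than an option passed to `tls.createSecureContext()`, and a one-line comment saying that is deliberate would help the next reader.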
