From 01a864a29d64119054401784cd9255c3a813bdbc Mon Sep 17 00:00:00 2001
From: Theo Schlossnagle
Date: Tue, 23 Nov 2010 13:00:42 -0500
Subject: [PATCH] TLS: CRL support

Needs more tests.
---
 lib/crypto.js | 10 +++++++++
 lib/tls.js | 9 ++++++--
 src/node_crypto.cc | 32 +++++++++++++++++++++++++++
 src/node_crypto.h | 1 +
 test/fixtures/keys/Makefile | 23 ++++++++++++++-----
 test/fixtures/keys/agent3-cert.pem | 14 ++++++------
 test/fixtures/keys/agent3-csr.pem | 8 +++----
 test/fixtures/keys/agent3-key.pem | 14 ++++++------
 test/fixtures/keys/agent4-cert.pem | 18 +++++++--------
 test/fixtures/keys/agent4-csr.pem | 8 +++----
 test/fixtures/keys/agent4-key.pem | 14 ++++++------
 test/fixtures/keys/ca2-cert.pem | 16 +++++++-------
 test/fixtures/keys/ca2-cert.srl | 2 +-
 test/fixtures/keys/ca2-crl.pem | 10 +++++++++
 test/fixtures/keys/ca2-database.txt | 1 +
 test/fixtures/keys/ca2-key.pem | 30 ++++++++++++-------------
 test/fixtures/keys/ca2-serial | 1 +
 test/fixtures/keys/ca2.cnf | 13 +++++++++++
 test/simple/test-tls-server-verify.js | 32 ++++++++++++++++++++++++++-
 19 files changed, 186 insertions(+), 70 deletions(-)
 create mode 100644 test/fixtures/keys/ca2-crl.pem
 create mode 100644 test/fixtures/keys/ca2-database.txt
 create mode 100644 test/fixtures/keys/ca2-serial
diff --git a/lib/crypto.js b/lib/crypto.js
index 2b6fc0e1d5cc75..9c644c3c6e8262 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -57,6 +57,16 @@ exports.createCredentials = function(options) {
 c.context.addRootCerts();
 }
 
+ if (options.crl) {
+ if (Array.isArray(options.crl)) {
+ for(var i = 0, len = options.crl.length; i < len; i++) {
+ c.context.addCRL(options.crl[i]);
+ }
+ } else {
+ c.context.addCRL(options.crl);
+ }
+ }
+
 return c;
 };
 
diff --git a/lib/tls.js b/lib/tls.js
index a39c7a6659a85e..3c39c0868b16ab 100644
--- a/lib/tls.js
+++ b/lib/tls.js
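Review bot: The return value of `c.context.addCRL(...)` is discarded in both branches of the new `options.crl` block, and the native `AddCRL` in this same commit returns `false` rather than throwing when the PEM cannot be loaded or parsed, so a malformed or mis-pathed CRL leaves the context with no revocation checking while `createCredentials` still succeeds. Because a CRL is a deny mechanism this fails open: the caller asked for revocation checking and silently got none. Treating a `false` return as fatal, e.g. `if (!c.context.addCRL(options.crl[i])) throw new Error('Failed to load CRL');` in the loop and the same for the single-value branch, makes the misconfiguration visible at startup instead of at the first revoked client that gets through. The `options.ca` handling above this hunk presumably has the same discarded return, but an unloaded CA cert fails closed, which is why it matters less there.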
@@ -656,8 +656,12 @@ function Server(/* [options], listener */) { // constructor call net.Server.call(this, function(socket) { - var creds = crypto.createCredentials( - { key: self.key, cert: self.cert, ca: self.ca }); + var creds = crypto.createCredentials({ + key: self.key, + cert: self.cert, + ca: self.ca, + crl: self.crl + }); //creds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); var pair = new SecurePair(creds, @@ -725,6 +729,7 @@ Server.prototype.setOptions = function(options) { if (options.key) this.key = options.key; if (options.cert) this.cert = options.cert; if (options.ca) this.ca = options.ca; + if (options.crl) this.crl = options.crl; }; diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 6fe302a51ec42d..22147806fd8202 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -44,6 +44,7 @@ void SecureContext::Initialize(Handle target) { NODE_SET_PROTOTYPE_METHOD(t, "setKey", SecureContext::SetKey); NODE_SET_PROTOTYPE_METHOD(t, "setCert", SecureContext::SetCert); NODE_SET_PROTOTYPE_METHOD(t, "addCACert", SecureContext::AddCACert); + NODE_SET_PROTOTYPE_METHOD(t, "addCRL", SecureContext::AddCRL); NODE_SET_PROTOTYPE_METHOD(t, "addRootCerts", SecureContext::AddRootCerts); NODE_SET_PROTOTYPE_METHOD(t, "setCiphers", SecureContext::SetCiphers); NODE_SET_PROTOTYPE_METHOD(t, "close", SecureContext::Close); 
@@ -303,6 +304,37 @@ Handle SecureContext::AddCACert(const Arguments& args) { } +Handle SecureContext::AddCRL(const Arguments& args) { + HandleScope scope; + + SecureContext *sc = ObjectWrap::Unwrap(args.Holder()); + + if (args.Length() != 1) { + return ThrowException(Exception::TypeError(String::New("Bad parameter"))); + } + + BIO *bio = LoadBIO(args[0]); + if (!bio) return False(); + + X509_CRL *x509 = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); + + if (x509 == NULL) { + BIO_free(bio); + return False(); + } + + X509_STORE_add_crl(sc->ca_store_, x509); + + X509_STORE_set_flags(sc->ca_store_, X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); + + BIO_free(bio); + X509_CRL_free(x509); + + return True(); +} + + Handle SecureContext::AddRootCerts(const Arguments& args) { HandleScope scope; diff --git a/src/node_crypto.h b/src/node_crypto.h index a8032f2d055e36..4b019463aed43e 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -31,6 +31,7 @@ class SecureContext : ObjectWrap { static v8::Handle SetKey(const v8::Arguments& args); static v8::Handle SetCert(const v8::Arguments& args); static v8::Handle AddCACert(const v8::Arguments& args); + static v8::Handle AddCRL(const v8::Arguments& args); static v8::Handle AddRootCerts(const v8::Arguments& args); static v8::Handle SetCiphers(const v8::Arguments& args); static v8::Handle Close(const v8::Arguments& args); diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 798ee895051ca6..e94665fd399709 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -1,4 +1,4 @@ -all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem +all: agent1-cert.pem agent2-cert.pem agent3-cert.pem agent4-cert.pem ca2-crl.pem # @@ -14,6 +14,8 @@ ca1-cert.pem: ca1.cnf # ca2-cert.pem: ca2.cnf openssl req -new -x509 -config ca2.cnf -keyout ca2-key.pem -out ca2-cert.pem + echo '01' > ca2-serial + touch ca2-database.txt # 
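Review bot: `X509_STORE_add_crl(sc->ca_store_, x509)` has its return value ignored, yet `X509_STORE_set_flags(... X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL)` is applied and `True()` returned regardless, so a CRL the store refused (on some OpenSSL versions adding a CRL that is already present returns 0) leaves revocation checking switched on with nothing to consult and every handshake then fails verification with no indication of why. `sc->ca_store_` is also dereferenced without a null check; if the store is created lazily by `AddCACert`/`AddRootCerts` (not visible in this hunk), an `addCRL` call made before any CA is loaded would hand NULL to the store calls. Two behaviours deserve a comment: `PEM_read_bio_X509_CRL` reads only the first CRL in the buffer, so a bundle of several CRLs silently keeps just one, and `CRL_CHECK_ALL` requires a CRL for every CA in the chain, so a chain through an intermediate whose CRL was never added fails verification. Renaming the local `x509` to `crl` would also stop it reading as a certificate. The rewritten tail below checks the add result and releases the BIO and CRL before the flags are set.

```cpp
Handle SecureContext::AddCRL(const Arguments& args) {
  // … unchanged: HandleScope, Unwrap, argument-count check, LoadBIO …

  // NOTE(review): only needed if ca_store_ is created lazily elsewhere — confirm.
  if (sc->ca_store_ == NULL) {
    BIO_free(bio);
    return ThrowException(Exception::Error(
        String::New("No CA store to add CRL to")));
  }

  // Only the first CRL in the PEM buffer is read; callers wanting several
  // must call addCRL once per CRL.
  X509_CRL *crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
  if (crl == NULL) {
    BIO_free(bio);
    return False();
  }

  // X509_STORE_add_crl takes its own reference, so the local one is
  // released right after the call; a 0 return means the CRL is not in
  // the store and we must not report success or enable CRL checking.
  int added = X509_STORE_add_crl(sc->ca_store_, crl);
  BIO_free(bio);
  X509_CRL_free(crl);
  if (!added) return False();

  // CRL_CHECK_ALL demands a CRL for every CA in the chain, so a chain
  // through an intermediate with no CRL loaded will fail verification.
  X509_STORE_set_flags(sc->ca_store_, X509_V_FLAG_CRL_CHECK |
                                      X509_V_FLAG_CRL_CHECK_ALL);

  return True();
}
```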
@@ -111,12 +113,23 @@ agent4-cert.pem: agent4-csr.pem ca2-cert.pem ca2-key.pem agent4-verify: agent4-cert.pem ca2-cert.pem openssl verify -CAfile ca2-cert.pem agent4-cert.pem - -# TODO: agent on CRL - +# +# Make CRL with agent4 being rejected +# +ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf + openssl ca -revoke agent4-cert.pem \ + -keyfile ca2-key.pem \ + -cert ca2-cert.pem \ + -config ca2.cnf + openssl ca \ + -keyfile ca2-key.pem \ + -cert ca2-cert.pem \ + -config ca2.cnf \ + -gencrl \ + -out ca2-crl.pem clean: - rm -f *.pem *.srl + rm -f *.pem *.srl ca2-database.txt ca2-serial test: agent1-verify agent2-verify agent3-verify agent4-verify diff --git a/test/fixtures/keys/agent3-cert.pem b/test/fixtures/keys/agent3-cert.pem index beb158476a5c8d..26dbe5e00a3d64 100644 --- a/test/fixtures/keys/agent3-cert.pem +++ b/test/fixtures/keys/agent3-cert.pem 
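Review bot: The new `ca2-crl.pem` target revokes `agent4-cert.pem` but does not list it as a prerequisite (`ca2-crl.pem: ca2-key.pem ca2-cert.pem ca2.cnf`), so regenerating agent4's certificate (which gets a fresh serial) leaves a stale CRL that no longer revokes it and `make` has no reason to rebuild it; add `agent4-cert.pem` to the prerequisite list. The `openssl ca -revoke` step also looks non-repeatable: once agent4's serial is recorded as revoked in `ca2-database.txt`, re-running the target is likely to abort with an already-revoked error, so the `-gencrl` step probably wants its own target (or the revoke step guarded) if the CRL is ever regenerated from the same database. The `test:` target was not extended for the new fixture, so nothing in the Makefile checks that `agent4-cert.pem` actually verifies as revoked against `ca2-crl.pem`; an `openssl verify -crl_check` step alongside `agent4-verify` would document the fixture's intent.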
@@ -1,14 +1,14 @@ -----BEGIN CERTIFICATE----- -MIICKjCCAZMCCQC9jzMlG+W8DDANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV +MIICKjCCAZMCCQDMRmF28ReZjTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA -dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDIzMDIwWhcNMTMxMTA1MDIzMDIwWjB9 +dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDc1NjU1WhcNMTMxMTA1MDc1NjU1WjB9 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDzANBgNVBAMTBmFnZW50MzEgMB4G CSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwXDANBgkqhkiG9w0BAQEFAANL -ADBIAkEAy6zp21WUvCB8XknL2c6TggDtXj34e+jr7CvUU+PmoFJYzITeRWCx84kP -8VhXkz6nbG/7vpjT9sT/SDFxt0T3/wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBANrA -du9DMhBACSm8dlQVIHxwR2rsScKeY/RigOJ1nkDSHHSLjnIZ2UEzAwd6JsfMmApt -d4DE3PNjSFpLP7pGlCOV9DxFUk/PSzSmQOMn7+t5n6tjCGGfXwvOYNwuI8L65Kqz -Q8c9vXcICBLs7EN0/6NDHWcYuWvpi/UzhLmoQsEW +ADBIAkEAvo97SurQMLbB62avPWW7KZQ4Xw1jhXZ9uoQ+3A+RZoZ7MRkLYT8R+8l/ +r3ZZo6uYVMrlP14YPZ35qXGs2i7vqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAHde +DjVjyBmqHJFkZ1bhGOUisChHxg90SX+X9aCxpS7PPWJks56HDlQWMIeU4LmFDX+B +1dF8TKSiWb7XHWLChrMaRdF01wDUuM/lgnJvK+YikiHdAz3dndUT93JQwWv8skg1 +6pHpYaK3A5AsHH+bogz+/sCCuoVwp8hPwcVWJkXK -----END CERTIFICATE----- diff --git a/test/fixtures/keys/agent3-csr.pem b/test/fixtures/keys/agent3-csr.pem index 907a93876668fa..f4c46d93840a08 100644 --- a/test/fixtures/keys/agent3-csr.pem +++ b/test/fixtures/keys/agent3-csr.pem 
@@ -2,9 +2,9 @@ MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD EwZhZ2VudDMxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ -KoZIhvcNAQEBBQADSwAwSAJBAMus6dtVlLwgfF5Jy9nOk4IA7V49+Hvo6+wr1FPj -5qBSWMyE3kVgsfOJD/FYV5M+p2xv+76Y0/bE/0gxcbdE9/8CAwEAAaAlMCMGCSqG +KoZIhvcNAQEBBQADSwAwSAJBAL6Pe0rq0DC2wetmrz1luymUOF8NY4V2fbqEPtwP +kWaGezEZC2E/EfvJf692WaOrmFTK5T9eGD2d+alxrNou76sCAwEAAaAlMCMGCSqG SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB -AGK5j9t+2Owk6r5h3My5kBpRkCUMZdU57Wlpcm6G8tZ3kz65pvarWOFFwPQzWC40 -tR/Fd1a61L20G9KGzB3zjik= +AJ0eUoKBgimALry2MLT3VktNJQwD8OorIIvnUz0BjG86F0fVX+FWZEqw1aXmblAZ +WTPvnqq//bzzi2PwvoEJ4Lc= -----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/agent3-key.pem b/test/fixtures/keys/agent3-key.pem index d0b42c5566baf7..bc2a5b72b6ce5c 100644 --- a/test/fixtures/keys/agent3-key.pem +++ b/test/fixtures/keys/agent3-key.pem @@ -1,9 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAMus6dtVlLwgfF5Jy9nOk4IA7V49+Hvo6+wr1FPj5qBSWMyE3kVg -sfOJD/FYV5M+p2xv+76Y0/bE/0gxcbdE9/8CAwEAAQJAWRD1dx/WmeoO2OCmj0nB -waEMLCEnb3As8ys7f6/yo3p2ZjRIMgOPZys7dTEmEx5m62uI21EMUQOL9jN+nWPs -MQIhAP1bkf9NaNqHUgQM4/hcKWyhKlNVwXelGEli3xjn0K5XAiEAzcyy0gymOrYS -vRpW9FV+hu2onGfJvdza5HRx6pwRqpkCIDq/6in2bFMIQAd6ab6kuGJdOPBcGWHC -IdCaobsnvic/AiEAqh+tMzaBs8cPdoNvnkuObLvJxoGFpA4OZQxdnzOk5wECIAEy -7T0nAmXRYTCJhdt4NbET+tmktA8N24Q39c2yZLX9 +MIIBOQIBAAJBAL6Pe0rq0DC2wetmrz1luymUOF8NY4V2fbqEPtwPkWaGezEZC2E/ +EfvJf692WaOrmFTK5T9eGD2d+alxrNou76sCAwEAAQJAcT7Nk4kWLkz900pTzBX/ +80a9dWd8hF0VfNmIjbjGvPkaCW6th6N5TuSJbrwrKcSqyxB9fG8/oY42IsGe+Tj8 +MQIhAN3VnmNLml9/w6ksMfulhddGPKEi7RpNvTe+rq3vVsfTAiEA2+jOzgkA3Vn0 +riBRt7jAH+8OTh9Qxu23akW77nj/6ckCIChCeqpesDegwmvTf4bCNZYqQxqjchCS +B0M0shMTGtbNAiAFEtHynvKOKM0kV0qLWo/ULMe/tak/bayVnxY+4jvFQQIgSToA +tCzu09vpDbkH5oXgZbLKSznShbYWpAng1XMJlYI= -----END RSA PRIVATE KEY----- 
diff --git a/test/fixtures/keys/agent4-cert.pem b/test/fixtures/keys/agent4-cert.pem index 4e63b76a5e406b..3d3bda403093db 100644 --- a/test/fixtures/keys/agent4-cert.pem +++ b/test/fixtures/keys/agent4-cert.pem @@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICSDCCAbGgAwIBAgIJAL2PMyUb5bwNMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV +MIICSDCCAbGgAwIBAgIJAMxGYXbxF5mOMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV BAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzANBgNVBAoTBkpveWVu dDEQMA4GA1UECxMHTm9kZS5qczEMMAoGA1UEAxMDY2EyMSAwHgYJKoZIhvcNAQkB -FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xMTAyMTAwMjMwMjBaFw0xMzExMDUwMjMw -MjBaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN +FhFyeUB0aW55Y2xvdWRzLm9yZzAeFw0xMTAyMTAwNzU2NTVaFw0xMzExMDUwNzU2 +NTVaMH0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU0YxDzAN BgNVBAoTBkpveWVudDEQMA4GA1UECxMHTm9kZS5qczEPMA0GA1UEAxMGYWdlbnQ0 MSAwHgYJKoZIhvcNAQkBFhFyeUB0aW55Y2xvdWRzLm9yZzBcMA0GCSqGSIb3DQEB -AQUAA0sAMEgCQQDGlJNGU61zPQE5+KynnUpFSKLNR7hebT+MXf+/JtCMZh4oE26M -iVVxgR+3+g7FDcYsI/pjh4VUT/SYE7wcg3x1AgMBAAGjFzAVMBMGA1UdJQQMMAoG -CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAH5NOqmgyD/ZCezX/VGTNeYMXhIj -vaKDBsxoSWCLMA3zzr7ixmeFyYgI1Lt1jZXnQkMCL/K9QrmQxpsEJAiirYNvS9vW -n0kS5K0it878yAza5pfGNSosFK5ZdJvJOplrzOL10l+JZglPsU30apqydYc1BOq2 -dAqSyneuVANFbzUE +AQUAA0sAMEgCQQC+eEnKdt2AHzGMt1EkALMiSHk6MLnHLxigi6CCM3jxxNz/lw7Y +uZfAWyTBr6jjCZsa/SC8DpE7caRZED//F4tFAgMBAAGjFzAVMBMGA1UdJQQMMAoG +CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAKJu+RhRDKkzVn9BrS8r3hPlJUdS +ybHfZpsOHpltmzO+PkWaio7jEXT7nnKBjV4VP8ld6wDa4mk+tRyhgt91+nmvrIeT +yw7I9UBY7RCCDIXy755zSkT3OitOTk7besU70Am8/P3Srg7IyHeYBnJVLqn4FIlz +/apIKko90U+bEgk2 -----END CERTIFICATE----- diff --git a/test/fixtures/keys/agent4-csr.pem b/test/fixtures/keys/agent4-csr.pem index beb61f27121809..26cfaa28712c75 100644 --- a/test/fixtures/keys/agent4-csr.pem +++ b/test/fixtures/keys/agent4-csr.pem 
@@ -2,9 +2,9 @@ MIIBXTCCAQcCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQswCQYDVQQH EwJTRjEPMA0GA1UEChMGSm95ZW50MRAwDgYDVQQLEwdOb2RlLmpzMQ8wDQYDVQQD EwZhZ2VudDQxIDAeBgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMFwwDQYJ -KoZIhvcNAQEBBQADSwAwSAJBAMaUk0ZTrXM9ATn4rKedSkVIos1HuF5tP4xd/78m -0IxmHigTboyJVXGBH7f6DsUNxiwj+mOHhVRP9JgTvByDfHUCAwEAAaAlMCMGCSqG +KoZIhvcNAQEBBQADSwAwSAJBAL54Scp23YAfMYy3USQAsyJIeTowuccvGKCLoIIz +ePHE3P+XDti5l8BbJMGvqOMJmxr9ILwOkTtxpFkQP/8Xi0UCAwEAAaAlMCMGCSqG SIb3DQEJBzEWExRBIGNoYWxsZW5nZSBwYXNzd29yZDANBgkqhkiG9w0BAQUFAANB -ALUeDCFkwYvz9/uFAl7oK6tPpeEl1EuPxWfvgP9ldggAIjSVsVfdI3Ailm3OcZ5Y -dzVJ/VZyyK5iZfovMoW8APc= +AJc7y8DLaJ+j9wdEmjPV+mt6NuFQ3MHVuTzteMAsdASiJ9ce5U/vNMvS0UXdjzkd +y4uuWOqLyZaajVCqDDk5JvE= -----END CERTIFICATE REQUEST----- diff --git a/test/fixtures/keys/agent4-key.pem b/test/fixtures/keys/agent4-key.pem index 99fd7b9f24874b..68610f81b805ee 100644 --- a/test/fixtures/keys/agent4-key.pem +++ b/test/fixtures/keys/agent4-key.pem @@ -1,9 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAMaUk0ZTrXM9ATn4rKedSkVIos1HuF5tP4xd/78m0IxmHigTboyJ -VXGBH7f6DsUNxiwj+mOHhVRP9JgTvByDfHUCAwEAAQJBAL8mk6G1uJfeGEkiW6g4 -2x5YLgZmTE3w4aQPc7gf9828aJzlGWgN7KcedGAzhlhsrj+MLDPjNvTWGHUY+gP7 -RwECIQDkWhHV+L+KrOuH/LAVg1HsNHtG28dxOrN3GVovtLkLwQIhAN6ft7TXPDaN -fw+CaYXEDH1XngFf/gIwEGgBzREq7W21AiBGEAyg5i1+0weBNdqg/yXHn2KjnxNW -fnhJ9pFhScXtAQIgDQU4YFpKSkKCUOzmsQ0jUd1i/1+W4pffDcY1MTDajBUCIGqr -8kxP5se+Y9ihqzMwvvP0/nOtciGeJjEzKlGDrC28 +MIIBPQIBAAJBAL54Scp23YAfMYy3USQAsyJIeTowuccvGKCLoIIzePHE3P+XDti5 +l8BbJMGvqOMJmxr9ILwOkTtxpFkQP/8Xi0UCAwEAAQJBALq4g2ZnBpfOfK29HF9W +DEZElAs2rzkT82mX198sBJnFOFfdo0GdGkA8LlQVwXEv2yWKlzN5zrkJPK/I/Z6A +vxUCIQDxRDPGSV0nfnFH5mcs7pnWNIi7tRZecsAhaj2gGBNCfwIhAMoZ94XYslXl +2eHUDPvVYhzNqdRWXfgD8N89lYXXTMg7AiEAnPwmwCeuYGtKpGEL01WxbYqjSZfr +5Sq/Tz7EuG3R4lsCIQDIz/pprUKuJUBUqt3n0UO2uQgZq2Odj1TkjQ2oOqDZhwIh +AIydKQ6a35hFleOih3yiHvFPUEE7jOAIhGTOAd3s31LN -----END RSA PRIVATE KEY----- 
diff --git a/test/fixtures/keys/ca2-cert.pem b/test/fixtures/keys/ca2-cert.pem index 931a7801025fe9..5e3e221e8b4470 100644 --- a/test/fixtures/keys/ca2-cert.pem +++ b/test/fixtures/keys/ca2-cert.pem @@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICazCCAdQCCQC7OMCdtvshmTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV +MIICazCCAdQCCQDzyKZgsfidNjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJV UzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAO BgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlA -dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDIzMDIwWhcNMTEwMzEyMDIzMDIwWjB6 +dGlueWNsb3Vkcy5vcmcwHhcNMTEwMjEwMDc1NjU1WhcNMTEwMzEyMDc1NjU1WjB6 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQK EwZKb3llbnQxEDAOBgNVBAsTB05vZGUuanMxDDAKBgNVBAMTA2NhMjEgMB4GCSqG SIb3DQEJARYRcnlAdGlueWNsb3Vkcy5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A -MIGJAoGBAONi4yMjv8R0hfjVtvEM8PoXvPP24e0NQZeJs+mFqVVt4JaRxYbX8qXx -9KiEwCAYdS5FSl1mcotATeKLp2vlCXaG2Fb4xCn0ollFe+ubA2Ud8RiOhw2Pbc3D -I40LekBKJsZfns6vftRGlwb7URt55Efx9QbBbONwMWHDKbGYA5GPAgMBAAEwDQYJ -KoZIhvcNAQEFBQADgYEAeQzT6q8xuxUuQ9tmZEjq6vHaUaU2gq5Zp48XBJg3XjNI -sxQEy1LreOR48THhS7QrKFELDGfr4bd6gPE0IvEpwAVu6eNNX/ZkrkiE2480W7CY -8hJMtYGXRi09BOSXnpSy0qMh63wjA3v5tTs+DPSwfi3xPsx8RyIz/hBXazoAKAM= +MIGJAoGBAMf9gxkjRyoHsgvya+jMlHRRds6qwt43t6tB6tkB6dW/23HBvXOCuHe0 +Ryn2EofWtNaLg6IfJg8JwM6k39/EvGgjr730WeI2iQt2b7+OmBBLiEr+Xkrkeskp +Wv+3TdbwF08Vh4pV34kPQhD+q2d0PBZUGgBUVhVzcwZ4XWWJDq1DAgMBAAEwDQYJ +KoZIhvcNAQEFBQADgYEArEYmxp6S+LRE6Nu7ULVElCXL1ouR+srM03j25D/2G/6O +lryRDHGTsNUytBhQFghwi1vPB8mHTVLpWV9NgTbQrQF4qjQHY6CzcM2gnNfkmWql +mpR3x4hs25a86KR3OzrAx4JOkpvzEf1PJgWOLaKt38JoPxehvhgNMx1sd+MR8kw= -----END CERTIFICATE----- diff --git a/test/fixtures/keys/ca2-cert.srl b/test/fixtures/keys/ca2-cert.srl index f96ef24bb0caa6..707df7c58e93d6 100644 --- a/test/fixtures/keys/ca2-cert.srl +++ b/test/fixtures/keys/ca2-cert.srl @@ -1 +1 @@ -BD8F33251BE5BC0D +CC466176F117998E 
diff --git a/test/fixtures/keys/ca2-crl.pem b/test/fixtures/keys/ca2-crl.pem new file mode 100644 index 00000000000000..cdbf2da045eab9 --- /dev/null +++ b/test/fixtures/keys/ca2-crl.pem @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBXTCBxzANBgkqhkiG9w0BAQQFADB6MQswCQYDVQQGEwJVUzELMAkGA1UECBMC +Q0ExCzAJBgNVBAcTAlNGMQ8wDQYDVQQKEwZKb3llbnQxEDAOBgNVBAsTB05vZGUu +anMxDDAKBgNVBAMTA2NhMjEgMB4GCSqGSIb3DQEJARYRcnlAdGlueWNsb3Vkcy5v +cmcXDTExMDIxMDA3NTcxMVoXDTEzMTEwNTA3NTcxMVowHDAaAgkAzEZhdvEXmY4X +DTExMDIxMDA3NTY1N1owDQYJKoZIhvcNAQEEBQADgYEAgH9u/zWn48ycNmJezW57 +E54QQI2KqwqmnO1S0lt6EDhjktCAxgljoEhjb3rS3221jddbb9FckYVVMKVX3rPP +cUPXF1jLJ8I/jF0mETK4sZQPjA/PIzPQOnUzzQmszfr42b+5x6HQ0gg2RTqN1TC2 +wLLY7ihxVXUzhVIHlGIp9Hk= +-----END X509 CRL----- diff --git a/test/fixtures/keys/ca2-database.txt b/test/fixtures/keys/ca2-database.txt new file mode 100644 index 00000000000000..422d22c6f780b4 --- /dev/null +++ b/test/fixtures/keys/ca2-database.txt @@ -0,0 +1 @@ +R 131105075655Z 110210075657Z CC466176F117998E unknown /C=US/ST=CA/L=SF/O=Joyent/OU=Node.js/CN=agent4/emailAddress=ry@tinyclouds.org diff --git a/test/fixtures/keys/ca2-key.pem b/test/fixtures/keys/ca2-key.pem index 9a22bd7bb5b7db..a118535f3be82d 100644 --- a/test/fixtures/keys/ca2-key.pem +++ b/test/fixtures/keys/ca2-key.pem 
@@ -1,17 +1,17 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIg0hLO3eutNQCAggA -MBQGCCqGSIb3DQMHBAiRtZu32UxWpwSCAoCud1+Lak/kkrYxcdTeNh4RBQwpuEjv -fdoshPagoLVkp8hHWVPfIVJWI3AwjyPtQShusGZwTyjiDF7k6ycTZSNH6+nuc8K2 -ZNGwPFWMEaO510tcraDf/H8yNbeThTvYkudQLwTRseZw3NmuBBkPEThYkJrBibsJ -Z8BsZ0y9FWgF+ufx7sGCC0Dq/Dd/JBGV7Kx75Vm65CpKkTV7W3tMXWa38yER8dBE -1vCexF95ih5zXbsRMlBoA0p45QD+0LrHssCSe+iuNAowvX/YHdfrcFRuvHkazzql -5j4sxs4647F+U1CTsb2+7C0LlijZBuP0x9GUsJck8M9Zh0s9sfwPbSofjZWhFcdR -liy7lxfyFdIbLav1cTfilT06BoyLLRUFp5Zu1XPCdxrf0pHoDjgXO/ToEjhStctM -RyVigOIQY+2yvgnzE/cw5niQlXDWDAnsSibYpjU8lJ1k97Iqx/qogqNSTIim8ml4 -h7aDPHEBlGG9wmTkPV5L18/wI7iGom9rroQFrkgrqQ2JoIAKCXrocDKUjFAVB7QA -mreUdYowm6ee/AUdtsYQpn5hasIa/A/fD/Ia9E41rkplZZS43r9YyyQCTdJFF9Hm -TROxSlKrpEoap9RZyFEfhr9hrnw6uQyl3EY5wvRzsTe6KLN60DkUOkLjJVBLx4iE -QlwMeAknMNBqJS1Uqivw94Pi1yYLlKCY0I0/cf97HCwx8j+97XWEUAQehXvYRwdd -E6/mC/GGH/cT7A6TF8mN0i0UOmAQ9EjEqlOQXR9tmlhafbOoorFXjGelSILsFnV2 -oxN9847cjGQbGh6wytJYP4fpvJr1xt21SzzctK5h3mqmfHmCXi0Duea0 +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIzqCAnqkKV5sCAggA +MBQGCCqGSIb3DQMHBAgvE1MWZKV5tgSCAoAe0ygwlrXz3uIDRw2hKhgG28XFZaG0 +Py/8vORZ6JknZF/ucZE4ZsJW0OLhLRe0VmoVIErgLQ6bl6ZhlGq7oZ0DCyiHo3TV +2uUTn3DXQ9d4aSE2cMlA3wSzYihm1up9PUYvWhrhC90/Sc0fB81OA1Hhv2jS36hY +c4rSVfCkSgaziWy77x9XqbEnxpdVRkngbVnVG4UWFfoBTsza+j+C/ysxR/nXDlei +5KKe87V9AcdzFKI+qJP52CQBac1DQCg8EQ51v40BllfK/8JB/45tAETqAiu80COI +zSFs56p4UIsQiXUaToZxA9SsLOPJJHrOL9/IQe5aMRrG0ro5u0/CbIYN0uSbR6Om +iUAXXk/6Oni8C07qO4VLIjG0NKnnIhDgtGGkyn8XDhtNBKsFLhGzAbmOLOZKKko6 +GgxzY7o52I5bOu8oDN9KLrMZKC9Sow9J+xEf65jCIK40HjpoYiKDiDY/xaSOUL9b +ig0WkxwMzWCA0RIsA/958ZBzv+R2Ag90iPDz9xF5vMNucvGHqOPuKo56JcM0SGev +Xr1KxZAOVJcP9It3Yv8Of+DLilwo56O9md2Su0HKNxM0wyanowPw2PcGCK5rtu87 +YDSOHfmg05Bt0F3LC2dU5ak1YJfu/DpVj69hQ5/g/c5JMMVYAjmZGyc6IPKWXHYr +P+ECSDdICBrDLkVeCClhKkNgAw1n8xepdgCE0rWSkbxoCmoKDXQDl1kOfs5TWIvL +JRqrVYz2yoPAa1Q9gTM3iDtBL3RJwF2jXk4IDySR/1YDf+BbnyhiisIRSMp8GeQS 
+uX1Ke+bu3QWwFVqa0eYScVPZZzNUADHzviMweRX9l+1aCw0R31po7Fwl -----END ENCRYPTED PRIVATE KEY----- diff --git a/test/fixtures/keys/ca2-serial b/test/fixtures/keys/ca2-serial new file mode 100644 index 00000000000000..8a0f05e166aa61 --- /dev/null +++ b/test/fixtures/keys/ca2-serial @@ -0,0 +1 @@ +01 diff --git a/test/fixtures/keys/ca2.cnf b/test/fixtures/keys/ca2.cnf index b37c8ffbd94d39..7af9f8c97aa4b4 100644 --- a/test/fixtures/keys/ca2.cnf +++ b/test/fixtures/keys/ca2.cnf @@ -1,3 +1,16 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +serial = ca2-serial +crl = ca2-crl.pem +database = ca2-database.txt +name_opt = CA_default +cert_opt = CA_default +default_crl_days = 999 +default_md = md5 + + [ req ] default_bits = 1024 days = 999 diff --git a/test/simple/test-tls-server-verify.js b/test/simple/test-tls-server-verify.js index 914c50f476df67..2836da12ffb0a6 100644 --- a/test/simple/test-tls-server-verify.js +++ b/test/simple/test-tls-server-verify.js @@ -59,6 +59,22 @@ var testCases = { name: 'nocert', shouldReject: true } ] }, + + + { title: "Allow only certs signed by CA2 but not in the CRL", + requestCert: true, + rejectUnauthorized: true, + CAs: ['ca2-cert'], + crl: 'ca2-crl', + clients: + [ { name: 'agent1', shouldReject: true, shouldAuth: false }, + { name: 'agent2', shouldReject: true, shouldAuth: false }, + { name: 'agent3', shouldReject: false, shouldAuth: true }, + // Agent4 has a cert in the CRL. + { name: 'agent4', shouldReject: true, shouldAuth: false }, + { name: 'nocert', shouldReject: true } + ] + }, ]; @@ -92,6 +108,9 @@ function runClient (options, cb) { var args = ['s_client', '-connect', '127.0.0.1:' + common.PORT]; + + console.log(" connecting with", options.name); + switch (options.name) { case 'agent1': // Signed by CA1 
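Review bot: `default_md = md5` in the new `[ CA_default ]` section makes `openssl ca -gencrl` sign the CRL with MD5; the `ca2-crl.pem` added in this commit appears to carry the md5WithRSAEncryption algorithm identifier, whereas the fixture certificates are sha1WithRSA-signed. A verifier that rejects MD5 signatures will then fail on the CRL itself rather than revoking agent4, turning the intended "agent4 rejected, agent3 accepted" case into "everything rejected". Setting `default_md = sha1` (matching the certificates) and regenerating `ca2-crl.pem` keeps the fixture consistent; a comment above the line noting that the CRL digest must stay acceptable to the verifier would help the next person who regenerates these keys.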
@@ -118,6 +137,14 @@ function runClient (options, cb) { args.push(filenamePEM('agent3-cert')); break; + case 'agent4': + // Signed by CA2 (rejected by ca2-crl) + args.push('-key'); + args.push(filenamePEM('agent4-key')); + args.push('-cert'); + args.push(filenamePEM('agent4-cert')); + break; + case 'nocert': // Do not send certificate break; @@ -182,10 +209,13 @@ function runTest (testIndex) { var cas = tcase.CAs.map(loadPEM); + var crl = tcase.crl ? loadPEM(tcase.crl) : null; + var serverOptions = { key: serverKey, cert: serverCert, ca: cas, + crl: crl, requestCert: tcase.requestCert, rejectUnauthorized: tcase.rejectUnauthorized }; @@ -204,7 +234,7 @@ function runTest (testIndex) { } }); - function runNextClient (clientIndex) { + function runNextClient(clientIndex) { var options = tcase.clients[clientIndex]; if (options) { runClient(options, function () {
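Review bot: In `runTest`, the new `var crl = tcase.crl ? loadPEM(tcase.crl) : null;` and `crl: crl` only ever exercise the single-string form of `crl`, while `createCredentials` in lib/crypto.js also accepts an array and iterates it; that branch is left untested even though the commit message asks for more tests. A second case identical to the new "Allow only certs signed by CA2 but not in the CRL" entry but with `crl: ['ca2-crl']` would cover it at no extra fixture cost. The agent4 rejection is also indistinguishable in the assertions from agent1's (`shouldReject: true, shouldAuth: false` for both), so if the CRL failed to load in a fail-open way the case would still catch it, but if the CRL broke verification for everyone only the agent3 assertion would tell you why; a comment on the agent4 client entry saying that agent3 passing is what proves the CRL itself verified would make that dependency explicit. `runTest`'s body continues outside this hunk.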