-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: multiple PFX support in createSecureContext #14793
Conversation
1d13a0b
to
41ca43b
Compare
test/parallel/test-tls-multi-pfx.js
Outdated
buffer: fs.readFileSync(`${common.fixturesDir}/keys/agent1-pfx.pem`), | ||
passphrase: 'sample' | ||
}, | ||
fs.readFileSync(`${common.fixturesDir}/keys/ec-pfx.pem`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should add a third case for when an object is supplied with an encrypted key and the passphrase
from options
is used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK (partially). Maybe add separate case out of "multi-pfx" test?
test/parallel/test-tls-multi-pfx.js
Outdated
@@ -0,0 +1,71 @@ | |||
// Copyright Joyent, Inc. and other Node contributors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The copyright and license header should not be added to new files
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK, removed
41ca43b
to
581acf9
Compare
lib/_tls_common.js
Outdated
for (i = 0; i < options.pfx.length; i++) { | ||
const pfx = options.pfx[i]; | ||
let buf; | ||
if (pfx.buffer instanceof Buffer) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Buffer.isBuffer()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, should this be limited to just Buffer
instances? We likely should allow any Uint8Array
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see #14978 (comment) :D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK
test/parallel/test-tls-multi-pfx.js
Outdated
const options = { | ||
pfx: [ | ||
{ | ||
buffer: fs.readFileSync(`${common.fixturesDir}/keys/agent1-pfx.pem`), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use the new ../common/fixtures
stuff... e.g.
const fixtures = require('../common/fixtures');
/*... */
{
buffer: fixtures.readKey('agent1-pfx.pem')
}
test/parallel/test-tls-multi-pfx.js
Outdated
const ecdsa = tls.connect(this.address().port, { | ||
ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', | ||
rejectUnauthorized: false | ||
}, function() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
common.mustCall()
here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jasnell in listen (L24) also? Or not necessary?
test/parallel/test-tls-multi-pfx.js
Outdated
const rsa = tls.connect(server.address().port, { | ||
ciphers: 'ECDHE-RSA-AES256-GCM-SHA384', | ||
rejectUnauthorized: false | ||
}, function() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
common.mustCall()
here also
78a26e9
to
3465940
Compare
Fixed FIPS failure (actually bad fixture). @jasnell another try? |
ping? |
Hey, sorry @djphoenix ... new CI here! https://ci.nodejs.org/job/node-test-pull-request/9862/ |
lib/_tls_common.js
Outdated
buf = crypto._toBuf(pfx.buffer); | ||
} else { | ||
buf = crypto._toBuf(pfx); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not completely happy with the buffer check here.
I think it would be good to verify that the input is indeed a buffer and that does not happen here.
If the object attribute name would not be buffer
it would be easy to distinguish the object from the buffer and you could write something like:
const raw = pfx.buf ? pfx.buf : pfx;
if (!ArrayBuffer.isView(raw))
throw new Error("foobar");
const buf = crypto._toBuf(raw);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks as a good proposal. ACK.
doc/api/tls.md
Outdated
@@ -932,10 +932,14 @@ changes: | |||
--> | |||
|
|||
* `options` {Object} | |||
* `pfx` {string|Buffer} Optional PFX or PKCS12 encoded private key and | |||
certificate chain. `pfx` is an alternative to providing `key` and `cert` | |||
* `pfx` {Buffer|Buffer[]|Object[]} Optional PFX or PKCS12 encoded private key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How come string
is not supported anymore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PKCS12 is very rarely stored in PEM format, by default it's DER-encoded. But I forget about binary strings in JS. Will revert it, ACK.
@jasnell CI failures seems like unrelated to changes. |
0e32f76
to
d0b000e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, if it works.
cc @shigeki @bnoordhuis PTAL |
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. Fixes: nodejs#14756
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Still waiting for @shigeki and @bnoordhuis |
Landed in 372dc86 |
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: #14793 Fixes: #14756 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
@BridgeAR it seems like @djphoenix was still waiting for a review from @shigeki and @bnoordhuis. Was there a reason it landed before? |
Also fwiw I've landed this on v8.x-staging and it is on track to be released in the next 8.x release. Just wanted to confirm that this should be released before doing so |
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: #14793 Fixes: #14756 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
@MylesBorins not me, but @indutny tagged them before, so I pinged also. Not blocking for me (and for @BridgeAR also as I see). |
@MylesBorins to me it looked like a trivial change that was good to go and there was no response since the review request for a week. And as it did not come from @djphoenix it felt more like a "nice to have" in this case. So I went ahead and landed it. |
Sgtm
Thanks for responding. Was just trying to figure out what was going on.
…On Sep 11, 2017 3:46 AM, "Ruben Bridgewater" ***@***.***> wrote:
@MylesBorins <https://github.com/mylesborins> to me it looked like a
trivial change that was good to go and there was no response since the
review request for a week. And as it did not come from @djphoenix
<https://github.com/djphoenix> it felt more like a "nice to have" in this
case. So I went ahead and landed it.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#14793 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAecV-fzYkngjHFw1rNLe5Al16O7ZJxyks5shJD-gaJpZM4O1d65>
.
|
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: #14793 Fixes: #14756 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: #14793 Fixes: #14756 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: #14793 Fixes: #14756 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Notable Changes * build: * Snapshots are now re-enabled in V8 #14875 * console: * Implement minimal `console.group()`. #14910 * deps: * upgrade libuv to 1.14.1 #14866 * update nghttp2 to v1.25.0 #14955 * dns: * Add `verbatim` option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. #14731 * fs: * add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files. #15034 * inspector: * Enable async stack traces #13870 * module: * Add support for ESM. This is currently behind the `--experimental-modules` flag and requires the .mjs extension. `node --experimental-modules index.mjs` #14369 * napi: * implement promise #14365 * os: * Add support for CIDR notation to the output of the networkInterfaces() method. #14307 * perf_hooks: * An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented, as is a Node.js specific flavor of the Frame Timing for measuring event loop duration. #14680 * tls: * multiple PFX in createSecureContext [#14793](#14793) * Added new collaborators: * BridgeAR – Ruben Bridgewater PR-URL: #15308
Notable Changes * build: * Snapshots are now re-enabled in V8 #14875 * console: * Implement minimal `console.group()`. #14910 * deps: * upgrade libuv to 1.14.1 #14866 * update nghttp2 to v1.25.0 #14955 * dns: * Add `verbatim` option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. #14731 * fs: * add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files. #15034 * inspector: * Enable async stack traces #13870 * module: * Add support for ESM. This is currently behind the `--experimental-modules` flag and requires the .mjs extension. `node --experimental-modules index.mjs` #14369 * napi: * implement promise #14365 * os: * Add support for CIDR notation to the output of the networkInterfaces() method. #14307 * perf_hooks: * An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented, as is a Node.js specific flavor of the Frame Timing for measuring event loop duration. #14680 * tls: * multiple PFX in createSecureContext [#14793](#14793) * Added new collaborators: * BridgeAR – Ruben Bridgewater PR-URL: #15308
Add support for multiple PFX files in tls.createSecureContext. Also added support for object-style PFX pass. PR-URL: nodejs#14793 Fixes: nodejs#14756 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Notable Changes * build: * Snapshots are now re-enabled in V8 nodejs#14875 * console: * Implement minimal `console.group()`. nodejs#14910 * deps: * upgrade libuv to 1.14.1 nodejs#14866 * update nghttp2 to v1.25.0 nodejs#14955 * dns: * Add `verbatim` option to dns.lookup(). When true, results from the DNS resolver are passed on as-is, without the reshuffling that Node.js otherwise does that puts IPv4 addresses before IPv6 addresses. nodejs#14731 * fs: * add fs.copyFile and fs.copyFileSync which allows for more efficient copying of files. nodejs#15034 * inspector: * Enable async stack traces nodejs#13870 * module: * Add support for ESM. This is currently behind the `--experimental-modules` flag and requires the .mjs extension. `node --experimental-modules index.mjs` nodejs#14369 * napi: * implement promise nodejs#14365 * os: * Add support for CIDR notation to the output of the networkInterfaces() method. nodejs#14307 * perf_hooks: * An initial implementation of the Performance Timing API for Node.js. This is the same Performance Timing API implemented by modern browsers with a number of Node.js specific properties. The User Timing mark() and measure() APIs are implemented, as is a Node.js specific flavor of the Frame Timing for measuring event loop duration. nodejs#14680 * tls: * multiple PFX in createSecureContext [nodejs#14793](nodejs#14793) * Added new collaborators: * BridgeAR – Ruben Bridgewater PR-URL: nodejs#15308
Release team were -1 on landing on v6.x, if you disagree let us know. |
@gibfahn I’m not sure, so let NodeJS team decide. For me it’s enough to have this feature in latest versions. |
Fixes: #14756
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)
tls