Nodejs/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00
Code Issues Actions 25 Packages Projects Releases Wiki Activity
2d167f0dc7
node/lib/_tls_common.js
James M Snell 35274cbddf
src,crypto: refactoring of crypto_context, SecureContext 
Cleaup and improvement of crypto_context and SecureContext.

Signed-off-by: James M Snell <jasnell@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/35665
Reviewed-By: Alba Mendez <me@alba.sh>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
2020-11-11 12:05:32 -08:00

404 lines
12 KiB
JavaScript
Raw Blame History

// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
'use strict';
const {
ArrayIsArray,
ArrayPrototypeFilter,
ArrayPrototypeJoin,
ObjectCreate,
StringPrototypeSplit,
StringPrototypeStartsWith,
} = primordials;
const { parseCertString } = require('internal/tls');
const { isArrayBufferView } = require('internal/util/types');
const tls = require('tls');
const {
ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED,
ERR_INVALID_ARG_TYPE,
ERR_INVALID_ARG_VALUE,
ERR_TLS_INVALID_PROTOCOL_VERSION,
ERR_TLS_PROTOCOL_VERSION_CONFLICT,
} = require('internal/errors').codes;
const {
SSL_OP_CIPHER_SERVER_PREFERENCE,
TLS1_VERSION,
TLS1_1_VERSION,
TLS1_2_VERSION,
TLS1_3_VERSION,
} = internalBinding('constants').crypto;
const {
validateString,
validateInteger,
validateInt32,
} = require('internal/validators');
const {
toBuf
} = require('internal/crypto/util');
function toV(which, v, def) {
if (v == null) v = def;
if (v === 'TLSv1') return TLS1_VERSION;
if (v === 'TLSv1.1') return TLS1_1_VERSION;
if (v === 'TLSv1.2') return TLS1_2_VERSION;
if (v === 'TLSv1.3') return TLS1_3_VERSION;
throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
}
const { SecureContext: NativeSecureContext } = internalBinding('crypto');
function SecureContext(secureProtocol, secureOptions, minVersion, maxVersion) {
if (!(this instanceof SecureContext)) {
return new SecureContext(secureProtocol, secureOptions, minVersion,
maxVersion);
}
if (secureProtocol) {
if (minVersion != null)
throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(minVersion, secureProtocol);
if (maxVersion != null)
throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(maxVersion, secureProtocol);
}
this.context = new NativeSecureContext();
this.context.init(secureProtocol,
toV('minimum', minVersion, tls.DEFAULT_MIN_VERSION),
toV('maximum', maxVersion, tls.DEFAULT_MAX_VERSION));
if (secureOptions) {
validateInteger(secureOptions, 'secureOptions');
this.context.setOptions(secureOptions);
}
}
function validateKeyOrCertOption(name, value) {
if (typeof value !== 'string' && !isArrayBufferView(value)) {
throw new ERR_INVALID_ARG_TYPE(
`options.${name}`,
['string', 'Buffer', 'TypedArray', 'DataView'],
value
);
}
}
exports.SecureContext = SecureContext;
function setKey(context, key, passphrase) {
validateKeyOrCertOption('key', key);
if (passphrase != null)
validateString(passphrase, 'options.passphrase');
context.setKey(key, passphrase);
}
function processCiphers(ciphers) {
ciphers = StringPrototypeSplit(ciphers || tls.DEFAULT_CIPHERS, ':');
const cipherList =
ArrayPrototypeJoin(
ArrayPrototypeFilter(
ciphers,
(cipher) => {
return cipher.length > 0 &&
!StringPrototypeStartsWith(cipher, 'TLS_');
}), ':');
const cipherSuites =
ArrayPrototypeJoin(
ArrayPrototypeFilter(
ciphers,
(cipher) => {
return cipher.length > 0 &&
StringPrototypeStartsWith(cipher, 'TLS_');
}), ':');
// Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
// not possible to handshake with no suites.
if (cipherSuites === '' && cipherList === '')
throw new ERR_INVALID_ARG_VALUE('options.ciphers', ciphers);
return { cipherList, cipherSuites };
}
function addCACerts(context, ...certs) {
for (const cert of certs) {
validateKeyOrCertOption('ca', cert);
context.addCACert(cert);
}
}
function setCerts(context, ...certs) {
for (const cert of certs) {
validateKeyOrCertOption('cert', cert);
context.setCert(cert);
}
}
exports.createSecureContext = function createSecureContext(options) {
if (!options) options = {};
const {
ca,
cert,
ciphers,
clientCertEngine,
crl,
dhparam,
ecdhCurve = tls.DEFAULT_ECDH_CURVE,
honorCipherOrder,
key,
minVersion,
maxVersion,
passphrase,
pfx,
privateKeyIdentifier,
privateKeyEngine,
secureProtocol,
sessionIdContext,
sessionTimeout,
sigalgs,
singleUse,
ticketKeys,
} = options;
let { secureOptions } = options;
if (honorCipherOrder)
secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
const c = new SecureContext(secureProtocol, secureOptions,
minVersion, maxVersion);
// Add CA before the cert to be able to load cert's issuer in C++ code.
// NOTE(@jasnell): ca, cert, and key are permitted to be falsy, so do not
// change the checks to !== undefined checks.
if (ca) {
if (ArrayIsArray(ca))
addCACerts(c.context, ...ca);
else
addCACerts(c.context, ca);
} else {
c.context.addRootCerts();
}
if (cert) {
if (ArrayIsArray(cert))
setCerts(c.context, ...cert);
else
setCerts(c.context, cert);
}
// Set the key after the cert.
// `ssl_set_pkey` returns `0` when the key does not match the cert, but
// `ssl_set_cert` returns `1` and nullifies the key in the SSL structure
// which leads to the crash later on.
if (key) {
if (ArrayIsArray(key)) {
for (const val of key) {
// eslint-disable-next-line eqeqeq
const pem = (val != undefined && val.pem !== undefined ? val.pem : val);
setKey(c.context, pem, val.passphrase || passphrase);
}
} else {
setKey(c.context, key, passphrase);
}
}
if (sigalgs !== undefined) {
if (typeof sigalgs !== 'string')
throw new ERR_INVALID_ARG_TYPE('options.sigalgs', 'string', sigalgs);
if (sigalgs === '')
throw new ERR_INVALID_ARG_VALUE('options.sigalgs', sigalgs);
c.context.setSigalgs(sigalgs);
}
if (privateKeyIdentifier !== undefined) {
if (privateKeyEngine === undefined) {
// Engine is required when privateKeyIdentifier is present
throw new ERR_INVALID_ARG_VALUE('options.privateKeyEngine',
privateKeyEngine);
}
if (key) {
// Both data key and engine key can't be set at the same time
throw new ERR_INVALID_ARG_VALUE('options.privateKeyIdentifier',
privateKeyIdentifier);
}
if (typeof privateKeyIdentifier === 'string' &&
typeof privateKeyEngine === 'string') {
if (c.context.setEngineKey)
c.context.setEngineKey(privateKeyIdentifier, privateKeyEngine);
else
throw new ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED();
} else if (typeof privateKeyIdentifier !== 'string') {
throw new ERR_INVALID_ARG_TYPE('options.privateKeyIdentifier',
['string', 'undefined'],
privateKeyIdentifier);
} else {
throw new ERR_INVALID_ARG_TYPE('options.privateKeyEngine',
['string', 'undefined'],
privateKeyEngine);
}
}
if (ciphers !== undefined)
validateString(ciphers, 'options.ciphers');
// Work around an OpenSSL API quirk. cipherList is for TLSv1.2 and below,
// cipherSuites is for TLSv1.3 (and presumably any later versions). TLSv1.3
// cipher suites all have a standard name format beginning with TLS_, so split
// the ciphers and pass them to the appropriate API.
const { cipherList, cipherSuites } = processCiphers(ciphers);
c.context.setCipherSuites(cipherSuites);
c.context.setCiphers(cipherList);
if (cipherSuites === '' &&
c.context.getMaxProto() > TLS1_2_VERSION &&
c.context.getMinProto() < TLS1_3_VERSION) {
c.context.setMaxProto(TLS1_2_VERSION);
}
if (cipherList === '' &&
c.context.getMinProto() < TLS1_3_VERSION &&
c.context.getMaxProto() > TLS1_2_VERSION) {
c.context.setMinProto(TLS1_3_VERSION);
}
validateString(ecdhCurve, 'options.ecdhCurve');
c.context.setECDHCurve(ecdhCurve);
if (dhparam !== undefined) {
validateKeyOrCertOption('dhparam', dhparam);
const warning = c.context.setDHParam(dhparam);
if (warning)
process.emitWarning(warning, 'SecurityWarning');
}
if (crl !== undefined) {
if (ArrayIsArray(crl)) {
for (const val of crl) {
validateKeyOrCertOption('crl', val);
c.context.addCRL(val);
}
} else {
validateKeyOrCertOption('crl', crl);
c.context.addCRL(crl);
}
}
if (sessionIdContext !== undefined) {
validateString(sessionIdContext, 'options.sessionIdContext');
c.context.setSessionIdContext(sessionIdContext);
}
if (pfx !== undefined) {
if (ArrayIsArray(pfx)) {
for (const val of pfx) {
const raw = val.buf ? val.buf : val;
const pass = val.passphrase || passphrase;
if (pass !== undefined) {
c.context.loadPKCS12(toBuf(raw), toBuf(pass));
} else {
c.context.loadPKCS12(toBuf(raw));
}
}
} else if (passphrase) {
c.context.loadPKCS12(toBuf(pfx), toBuf(passphrase));
} else {
c.context.loadPKCS12(toBuf(pfx));
}
}
// Do not keep read/write buffers in free list for OpenSSL < 1.1.0. (For
// OpenSSL 1.1.0, buffers are malloced and freed without the use of a
// freelist.)
if (singleUse) {
c.singleUse = true;
c.context.setFreeListLength(0);
}
if (clientCertEngine !== undefined) {
if (typeof c.context.setClientCertEngine !== 'function')
throw new ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED();
if (typeof clientCertEngine !== 'string') {
throw new ERR_INVALID_ARG_TYPE('options.clientCertEngine',
['string', 'null', 'undefined'],
clientCertEngine);
}
c.context.setClientCertEngine(clientCertEngine);
}
if (ticketKeys !== undefined) {
if (!isArrayBufferView(ticketKeys)) {
throw new ERR_INVALID_ARG_TYPE(
'options.ticketKeys',
['Buffer', 'TypedArray', 'DataView'],
ticketKeys);
}
if (ticketKeys.byteLength !== 48) {
throw new ERR_INVALID_ARG_VALUE(
'options.ticketKeys',
ticketKeys.byteLenth,
'must be exactly 48 bytes');
}
c.context.setTicketKeys(ticketKeys);
}
if (sessionTimeout !== undefined) {
validateInt32(sessionTimeout, 'options.sessionTimeout');
c.context.setSessionTimeout(sessionTimeout);
}
return c;
};
// Translate some fields from the handle's C-friendly format into more idiomatic
// javascript object representations before passing them back to the user. Can
// be used on any cert object, but changing the name would be semver-major.
exports.translatePeerCertificate = function translatePeerCertificate(c) {
if (!c)
return null;
if (c.issuer != null) c.issuer = parseCertString(c.issuer);
if (c.issuerCertificate != null && c.issuerCertificate !== c) {
c.issuerCertificate = translatePeerCertificate(c.issuerCertificate);
}
if (c.subject != null) c.subject = parseCertString(c.subject);
if (c.infoAccess != null) {
const info = c.infoAccess;
c.infoAccess = ObjectCreate(null);
// XXX: More key validation?
info.replace(/([^\n:]*):([^\n]*)(?:\n|$)/g, (all, key, val) => {
if (key in c.infoAccess)
c.infoAccess[key].push(val);
else
c.infoAccess[key] = [val];
});
}
return c;
};
Reference in New Issue View Git Blame Copy Permalink