Skip to content

tls: get the local certificate after tls handshake#24261

Closed
sam-github wants to merge 1 commit intonodejs:masterfrom
sam-github:tls-get-cert
Closed

tls: get the local certificate after tls handshake#24261
sam-github wants to merge 1 commit intonodejs:masterfrom
sam-github:tls-get-cert

Conversation

@sam-github
Copy link
Contributor

@sam-github sam-github commented Nov 8, 2018

Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 8, 2018

@sam-github build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1549/pipeline

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Nov 8, 2018
@sam-github sam-github mentioned this pull request Nov 8, 2018
Closed
@sam-github sam-github added the semver-minor PRs that contain new features and should be released in the next minor version. label Nov 8, 2018
bnoordhuis
bnoordhuis reviewed Nov 9, 2018
View reviewed changes
doc/api/tls.md Outdated
Copy link
Member

@bnoordhuis bnoordhuis Nov 9, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you be more specific than "some"?

Copy link
Contributor Author

@sam-github sam-github Nov 9, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty vague, isn't it! ;-) This is the extent of the current documentation for parsed cert objects, unchanged since 0c42fac51596a68a6be02ea537e5ec03f228844b. Its on my list to fix, but for now I'd like to leave as-is. The wording of these docs are close to identical as possible to the docs for https://nodejs.org/api/tls.html#tls_tlssocket_getpeercertificate_detailed. I'm working on a PR to add EC and DH key info to X509ToObject, and I promise to doc the cert format then, and reorganize the docs, since the cert can show up in a handful of APIs.

Copy link
Contributor Author

@sam-github sam-github Nov 14, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/to @bnoordhuis as promised, #24358

bnoordhuis
bnoordhuis approved these changes Nov 9, 2018
View reviewed changes
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Sam, LGTM.

One thing: you may want to stick in an exports.translatePeerCertificate = exports.translateCertChain to stop it from being semver-major.

@sam-github
Copy link
Contributor Author

sam-github commented Nov 9, 2018

I don't want it to be semver-major, I'll put the original name back.

Whats the current way to hide our internal API? Could I move translatePeerCert into internal/ with a better name, and export a deprecated wrapper from _tls_common?

@sam-github
Copy link
Contributor Author

sam-github commented Nov 9, 2018

ci: https://ci.nodejs.org/job/node-test-pull-request/18470

@bnoordhuis
Copy link
Member

bnoordhuis commented Nov 9, 2018

Could I move translatePeerCert into internal/ with a better name, and export a deprecated wrapper from _tls_common?

Yep.

@sam-github
Copy link
Contributor Author

sam-github commented Nov 10, 2018

ci: https://ci.nodejs.org/job/node-test-pull-request/18475/

addaleax
addaleax approved these changes Nov 10, 2018
View reviewed changes
jasnell
jasnell reviewed Nov 10, 2018
View reviewed changes
@sam-github
Copy link
Contributor Author

sam-github commented Nov 13, 2018

ci: https://ci.nodejs.org/job/node-test-pull-request/18588/

James, Anna - thanks for catching the typo.

danbev
danbev approved these changes Nov 14, 2018
View reviewed changes
@sam-github
tls: get the local certificate after tls handshake
f8f571f 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095
@sam-github
Copy link
Contributor Author

sam-github commented Nov 14, 2018

Landed in db35fee

@sam-github sam-github closed this Nov 14, 2018
@sam-github sam-github deleted the tls-get-cert branch November 14, 2018 04:43
sam-github added a commit that referenced this pull request Nov 14, 2018
@sam-github
tls: get the local certificate after tls handshake
db35fee 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
BridgeAR pushed a commit that referenced this pull request Nov 14, 2018
@sam-github @BridgeAR
tls: get the local certificate after tls handshake
30d6f63 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
kiyomizumia pushed a commit to kiyomizumia/node that referenced this pull request Nov 15, 2018
@sam-github @kiyomizumia
tls: get the local certificate after tls handshake
d76674c 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095

PR-URL: nodejs#24261
Fixes: nodejs#24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
BridgeAR pushed a commit that referenced this pull request Nov 15, 2018
@sam-github @BridgeAR
tls: get the local certificate after tls handshake
d6f91ba 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: #24095

PR-URL: #24261
Fixes: #24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@BridgeAR BridgeAR mentioned this pull request Nov 15, 2018
Merged
This was referenced Nov 15, 2018
Closed
Closed
Closed
This was referenced Nov 16, 2018
Closed
Closed
Closed
addaleax added a commit to addaleax/node that referenced this pull request Jan 14, 2019
@addaleax
tls: do not free cert in .getCertificate()
7611f1b 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs#24261
Fixes: https://github.com/nodejs-private/security/issues/217
@addaleax addaleax mentioned this pull request Jan 14, 2019
Closed
3 tasks
@addaleax
Copy link
Member

addaleax commented Jan 14, 2019

If this is backported to LTS, it should go with #25490.

addaleax added a commit that referenced this pull request Jan 21, 2019
@addaleax
tls: do not free cert in .getCertificate()
e888f66 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: #24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: #25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
addaleax added a commit that referenced this pull request Jan 23, 2019
@addaleax
tls: do not free cert in .getCertificate()
c3409f5 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: #24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: #25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
zcbenz pushed a commit to electron/node that referenced this pull request Mar 27, 2019
@addaleax @zcbenz
tls: do not free cert in .getCertificate()
afbc0fd 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs/node#24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: nodejs/node#25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@sam-github sam-github mentioned this pull request Apr 26, 2019
Closed
sam-github added a commit to sam-github/node that referenced this pull request Apr 29, 2019
@sam-github
tls: get the local certificate after tls handshake
5f5d3c9 
Add an API to get the local certificate chosen during TLS handshake from
the SSL context.

Fix: nodejs#24095

PR-URL: nodejs#24261
Fixes: nodejs#24095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
sam-github pushed a commit to sam-github/node that referenced this pull request Apr 29, 2019
@addaleax @sam-github
tls: do not free cert in .getCertificate()
8c7406f 
The documentation of `SSL_get_certificate` states that it returns
an internal pointer that must not be freed by the caller.

Therefore, using a smart pointer to take ownership is incorrect.

Refs: https://man.openbsd.org/SSL_get_certificate.3
Refs: nodejs#24261
Fixes: https://github.com/nodejs-private/security/issues/217

PR-URL: nodejs#25490
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell left review comments

@bnoordhuis bnoordhuis bnoordhuis approved these changes

@addaleax addaleax addaleax approved these changes

+1 more reviewer

@danbev danbev danbev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. semver-minor PRs that contain new features and should be released in the next minor version.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Ability to check TLS contexts, servernames, altnames

6 participants

@sam-github @nodejs-github-bot @bnoordhuis @addaleax @danbev @jasnell