test/document TLS authentication, then add support for TRUSTED CERTIFICATE pem headers

doc/api/tls.md

@@ -1054,6 +1054,9 @@ argument.
 <!-- YAML
 added: v0.11.13
 changes:
+  - version: REPLACEME
+    pr-url: REPLACEME
+    description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
   - version: v11.4.0
     pr-url: https://github.com/nodejs/node/pull/24405
     description: The `minVersion` and `maxVersion` can be used to restrict
@@ -1092,6 +1095,8 @@ changes:
     certificate can match or chain to.
     For self-signed certificates, the certificate is its own CA, and must be
     provided.
+    For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
+    "X509 CERTIFICATE", and "CERTIFICATE".
   * `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert
     chain should be provided per private key. Each cert chain should consist of
     the PEM formatted certificate for a provided private `key`, followed by the

src/node_crypto.cc

@@ -819,7 +819,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {
     return;
 
   X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
-  while (X509* x509 = PEM_read_bio_X509(
+  while (X509* x509 = PEM_read_bio_X509_AUX(
       bio.get(), nullptr, NoPasswordCallback, nullptr)) {
     if (cert_store == root_cert_store) {
       cert_store = NewRootCertStore();

test/fixtures/tls-connect.js

@@ -26,15 +26,18 @@ const keys = exports.keys = {
   agent5: load('agent5', 'ca2'),
   agent6: load('agent6', 'ca1'),
   agent7: load('agent7', 'fake-cnnic-root'),
+  agent10: load('agent10', 'ca2'),
+  ec10: load('ec10', 'ca5'),
   ec: load('ec', 'ec'),
 };
 
-function load(cert, issuer) {
-  issuer = issuer || cert; // Assume self-signed if no issuer
+// root is the self-signed root of the trust chain, not an intermediate ca.
+function load(cert, root) {
+  root = root || cert; // Assume self-signed if no issuer
   const id = {
     key: fixtures.readKey(cert + '-key.pem', 'binary'),
     cert: fixtures.readKey(cert + '-cert.pem', 'binary'),
-    ca: fixtures.readKey(issuer + '-cert.pem', 'binary'),
+    ca: fixtures.readKey(root + '-cert.pem', 'binary'),
   };
   return id;
 }

test/parallel/test-tls-client-auth.js

@@ -0,0 +1,331 @@
+'use strict';
+
+require('../common');
+const fixtures = require('../common/fixtures');
+
+const {
+  assert, connect, keys
+} = require(fixtures.path('tls-connect'));
+
+// Use ec10 and agent10, they are the only identities with intermediate CAs.
+const client = keys.ec10;
+const server = keys.agent10;
+
+// The certificates aren't for "localhost", so override the identity check.
+function checkServerIdentity(hostname, cert) {
+  assert.strictEqual(hostname, 'localhost');
+  assert.strictEqual(cert.subject.CN, 'agent10.example.com');
+}
+
+// Split out the single end-entity cert and the subordinate CA for later use.
+split(client.cert, client);
+split(server.cert, server);
+
+function split(file, into) {
+  const certs = /([^]*END CERTIFICATE-----\r?\n)(-----BEGIN[^]*)/.exec(file);
+  assert.strictEqual(certs.length, 3);
+  into.single = certs[1];
+  into.subca = certs[2];
+}
+
+// Typical setup, nothing special, complete cert chains sent to peer.
+connect({
+  client: {
+    key: client.key,
+    cert: client.cert,
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// As above, but without requesting client's cert.
+connect({
+  client: {
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Request cert from client that doesn't have one.
+connect({
+  client: {
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(err.code, 'ECONNRESET');
+  return cleanup();
+});
+
+// Typical configuration error, incomplete cert chains sent, we have to know the
+// peer's subordinate CAs in order to verify the peer.
+connect({
+  client: {
+    key: client.key,
+    cert: client.single,
+    ca: [server.ca, server.subca],
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.single,
+    ca: [client.ca, client.subca],
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Like above, but provide root CA and subordinate CA as multi-PEM.
+connect({
+  client: {
+    key: client.key,
+    cert: client.single,
+    ca: server.ca + '\n' + server.subca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.single,
+    ca: client.ca + '\n' + client.subca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Like above, but provide multi-PEM in an array.
+connect({
+  client: {
+    key: client.key,
+    cert: client.single,
+    ca: [server.ca + '\n' + server.subca],
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.single,
+    ca: [client.ca + '\n' + client.subca],
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Fail to complete server's chain
+connect({
+  client: {
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.single,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
+  return cleanup();
+});
+
+// Fail to complete client's chain.
+connect({
+  client: {
+    key: client.key,
+    cert: client.single,
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(pair.client.error);
+  assert.ifError(pair.server.error);
+  assert.strictEqual(err.code, 'ECONNRESET');
+  return cleanup();
+});
+
+// Fail to find CA for server.
+connect({
+  client: {
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
+  return cleanup();
+});
+
+// Server sent their CA, but CA cannot be trusted if it is not locally known.
+connect({
+  client: {
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert + '\n' + server.ca,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(err.code, 'SELF_SIGNED_CERT_IN_CHAIN');
+  return cleanup();
+});
+
+// Server sent their CA, wrongly, but its OK since we know the CA locally.
+connect({
+  client: {
+    checkServerIdentity,
+    ca: server.ca,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert + '\n' + server.ca,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Fail to complete client's chain.
+connect({
+  client: {
+    key: client.key,
+    cert: client.single,
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(err.code, 'ECONNRESET');
+  return cleanup();
+});
+
+// Fail to find CA for client.
+connect({
+  client: {
+    key: client.key,
+    cert: client.cert,
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(err.code, 'ECONNRESET');
+  return cleanup();
+});
+
+// Confirm support for "BEGIN TRUSTED CERTIFICATE".
+connect({
+  client: {
+    key: client.key,
+    cert: client.cert,
+    ca: server.ca.replace(/CERTIFICATE/g, 'TRUSTED CERTIFICATE'),
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Confirm support for "BEGIN TRUSTED CERTIFICATE".
+connect({
+  client: {
+    key: client.key,
+    cert: client.cert,
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca.replace(/CERTIFICATE/g, 'TRUSTED CERTIFICATE'),
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Confirm support for "BEGIN X509 CERTIFICATE".
+connect({
+  client: {
+    key: client.key,
+    cert: client.cert,
+    ca: server.ca.replace(/CERTIFICATE/g, 'X509 CERTIFICATE'),
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});
+
+// Confirm support for "BEGIN X509 CERTIFICATE".
+connect({
+  client: {
+    key: client.key,
+    cert: client.cert,
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca.replace(/CERTIFICATE/g, 'X509 CERTIFICATE'),
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+  return cleanup();
+});