From b3e38a258bf19f56f1f2aad39412316c79c6aa7f Mon Sep 17 00:00:00 2001
From: Fedor Indutny
Date: Fri, 5 Feb 2016 23:13:30 -0500
Subject: [PATCH] crypto: add `pfx` certs as CA certs too

According to documentation all certificates specified in `pfx` option should be treated as a CA certificates too. While it doesn't seem to be logically correct to me, we can't afford to break API stability at this point.

Fix: #5100
---
 src/node_crypto.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index b4e6662009cd10..92cf0efda1950b 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -982,6 +982,17 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) {
 &sc->cert_,
 &sc->issuer_) &&
 SSL_CTX_use_PrivateKey(sc->ctx_, pkey)) {
+ // Add CA certs too
+ for (int i = 0; i < sk_X509_num(extra_certs); i++) {
+ X509* ca = sk_X509_value(extra_certs, i);
+
+ if (!sc->ca_store_) {
+ sc->ca_store_ = X509_STORE_new();
+ SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ }
+ X509_STORE_add_cert(sc->ca_store_, ca);
+ SSL_CTX_add_client_CA(sc->ctx_, ca);
+ }
 ret = true;
 }
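Review bot: `X509_STORE_new()` is used unchecked inside the new loop, so an allocation failure passes a null store to `SSL_CTX_set_cert_store` and `X509_STORE_add_cert`, and the results of `X509_STORE_add_cert` and `SSL_CTX_add_client_CA` are dropped, so `ret = true` is still reported when a certificate never reached the trust store. The allocation should be checked before it is installed, for example `if (!sc->ca_store_) { ret = false; break; }` directly after the `X509_STORE_new()` call, with `ret = true` moved above the loop so the failure path is not overwritten. A failed `X509_STORE_add_cert` deserves similar handling, though some OpenSSL versions may report a duplicate certificate in the bundle as a failure, so the error should be inspected rather than rejected outright. When `sc->ca_store_` is already set, the loop adds the PFX-supplied certificates to whatever store it points to; if that store can be shared with other contexts (not visible in this hunk), they would become trust anchors there as well, which is worth confirming. The body of `LoadPKCS12` starts and ends outside the hunk.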