Doc and test cert apis #10389
Doc and test cert apis #10389
Conversation
sam-github
force-pushed
the
doc-and-test-cert-apis
branch
2 times, most recently
from
2a6e9a6
to
95c5769
Compare
|
That last, |
mscdex
added
doc
|
/cc @nodejs/crypto |
| @@ -621,7 +623,7 @@ For example: | |||
| ``` | |||
|
|
|||
| If the peer does not provide a certificate, `null` or an empty object will be | |||
| returned. | |||
| returned. XXX uh, which one is it? | |||
There was a problem hiding this comment.
Just marking this so this doesn't accidentally get merged without this being resolved.
There was a problem hiding this comment.
good catch, I'll investigate
|
|
||
| Returns an object representing the peer's certificate. The returned object has | ||
| some properties corresponding to the fields of the certificate. | ||
|
|
||
| If the chain was requested, each certificate will include a `issuerCertificate` |
There was a problem hiding this comment.
If the chain was requested
Maybe use the detailed chain or the full certificate chain? It's already unambiguous, but this might be clearer.
| chain must be signed by a trusted CA for the connection to be authenticated. | ||
| When using certificates that are not signed by a well-known CA, the | ||
| certificate's root CA or the self-signed certificate must be specified as a | ||
| trusted CA or the connection will fail to authenticate. |
There was a problem hiding this comment.
The peer's certificate chain must be signed by a trusted CA
the certificate's root CA or the self-signed certificate must be specified as a trusted CA
I don't really understand this, are you saying that one of these three things must be true? Aren't these sentences contradictory?
What's the difference between trusted and well-known? Do they mean the same thing?
the certificate's root CA
Should this be the certificate chain's root CA?
There was a problem hiding this comment.
I attempted to clarify, by using less terminology, trying to use the terminology more consistently, and breaking out the self-signed clause as its own special case/sententce.
PTAL to see if your questions above are answered. I don't want to answer them inline in github, because if the documentation doesn't answer the questions, its not suceeding as documentation.
| // of the connection. | ||
|
|
||
| const common = require('../common'); | ||
| const fs = require('fs'); |
There was a problem hiding this comment.
According to the test writing guide, the order should be:
- use strict
- require common
- comment explaining test purpose (not required)
- other requires.
1 'use strict';
2 const common = require('../common');
3
4 // This test ensures that the http-parser can handle UTF-8 characters
5 // in the http header.
6
7 const http = require('http');
8 const assert = require('assert');There was a problem hiding this comment.
reorganized as above, except that I always sort require statements lexicographically, I'm a bit surprised the test guide doesn't.
There was a problem hiding this comment.
@sam-github Why not submit a PR 😉
| // Test interaction of compiled-in CAs with user-provided CAs. | ||
| 'use strict'; | ||
|
|
||
| const common = require('../common'); |
sam-github
force-pushed
the
doc-and-test-cert-apis
branch
from
95c5769
to
a70f9e0
Compare
sam-github
force-pushed
the
doc-and-test-cert-apis
branch
from
a70f9e0
to
8a9a532
Compare
sam-github
force-pushed
the
doc-and-test-cert-apis
branch
from
8a9a532
to
8506566
Compare
|
@gibfahn ... are you good with this now? |
| // tls.createServer() and tls.connect(), so assertions can be made on both ends | ||
| // of the connection. | ||
|
|
||
| const common = require('../common'); |
There was a problem hiding this comment.
I think the order is still wrong here (also doesn't it need a 'use strict'?)
There was a problem hiding this comment.
Order is consistent with test/fixtures/*.js, the folder its in, and also with lib/**/*.js
This is not a unit test, notice - and I'm not sure why unit tests don't put their descriptive comment as the first lines, seems more useful. Maybe existing practice?
I added a use strict, thanks.
| authenticated. When using certificates that are not chainable to a | ||
| well-known CA, the certificate's CA must be explicitly specified as a | ||
| trusted or the connection will fail to authenticate. For self-signed | ||
| certificates, the certificate is it's own CA, and must be explicitly |
| certificates. Default is to trust the well-known CAs curated by Mozilla. | ||
| Mozilla's CAs are completely replaced when CAs are explicitly specified | ||
| using this option. | ||
| Multiple CAs can be provided using an array, and any string or Buffer can |
There was a problem hiding this comment.
and any string or Buffer can contain -> or a string or Buffer containing
any is confusing here (for me)
There was a problem hiding this comment.
"and" is intended, its not an "or". broke the sentence up into two.
| using this option. | ||
| Multiple CAs can be provided using an array, and any string or Buffer can | ||
| contain multiple PEM CAs concatenated together. The peer's certificate must | ||
| be chainable to a CA trusted by the server for the connection to be |
There was a problem hiding this comment.
The peer's certificate must be chainable to a CA trusted by the server
Does a CA trusted by the server mean one of the CAs provided in this option? If so maybe:
to a CA trusted by the server -> to one of the provided CAs
There was a problem hiding this comment.
@gibfahn Can you please re-read the first two sentences in the paragraph again? They define a trusted CA, and they define the defaults. Your suggested replacement ignores that there are defaults, it appears to me.
|
@gibfahn PTAL |
| certificates. Default is to trust the well-known CAs curated by Mozilla. | ||
| Mozilla's CAs are completely replaced when CAs are explicitly specified | ||
| using this option. The value can be a string or Buffer, or an Array of | ||
| strings and Buffers. Any string or Buffer can contain multiple PEM CAs |
There was a problem hiding this comment.
strings and Buffers -> strings and/or Buffers
| Default is the well-known CAs from Mozilla. When connecting to peers that | ||
| use certificates issued privately, or self-signed, the private root CA or | ||
| self-signed certificate must be provided to verify the peer. | ||
| * `ca` {string|string[]|Buffer|Buffer[]} Optionally specify the trusted CA |
| certificates that are not chainable to a well-known CA, the certificate's CA | ||
| must be explicitly specified as a trusted or the connection will fail to | ||
| authenticate. For self-signed certificates, the certificate is its own CA, | ||
| and must be explicitly specified as trusted. |
There was a problem hiding this comment.
Suggestion:
When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate. For self-signed certificates, the certificate is its own CA, and must be explicitly specified as trusted.
If a connection uses a certificate that doesn't match or chain to one of the default CAs, you need to use the ca option to provide an alternate CA that the connection certificate can match or chain to. For self-signed certificates, the certificate is its own CA, and must be provided.
I don't love the wording I'm suggesting, but I think it's a little clearer.
There was a problem hiding this comment.
@gibfahn PTAL, I replaced use of "you" (not allowed by our doc style), and also "connection certificate" with "peer certificate", because there are up to two certs in a connection, and the .ca option should be used for the peers cert, not the local cert.
sam-github
force-pushed
the
doc-and-test-cert-apis
branch
from
6d3f850
to
d62a8a0
Compare
sam-github
force-pushed
the
doc-and-test-cert-apis
branch
from
d62a8a0
to
1873c84
Compare
Some systems may have multiple group names with the same group ID, in which case getgroups() returns duplicate values, where `id -G` will filter the duplicates. Unique and sort the arrays so they can be compared. PR-URL: nodejs#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
PR-URL: nodejs#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
PR-URL: nodejs#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Docs referred to an `issuer` property being optionally present, when it should have referred to the `issuerCertificate` property. PR-URL: nodejs#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
SecureContext.addCACert() adds to the existing root store, preserving root cert entries. option.ca is applied without calling SecureContext.addRootCerts() so should add to the default, empty, root store. This test confirms that the built-in root CAs are not included when options.ca is used. Based on: shigeki@acd5837 PR-URL: nodejs#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
TLS connection setup boilerplate is common to many TLS tests, factor it into a test fixture so tests are clearer to read and faster to write. PR-URL: nodejs#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
|
sorry @MylesBorins , it did not, see #12468 |
Some systems may have multiple group names with the same group ID, in which case getgroups() returns duplicate values, where `id -G` will filter the duplicates. Unique and sort the arrays so they can be compared. Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Docs referred to an `issuer` property being optionally present, when it should have referred to the `issuerCertificate` property. Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
SecureContext.addCACert() adds to the existing root store, preserving root cert entries. option.ca is applied without calling SecureContext.addRootCerts() so should add to the default, empty, root store. This test confirms that the built-in root CAs are not included when options.ca is used. Based on: shigeki@acd5837 Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
TLS connection setup boilerplate is common to many TLS tests, factor it into a test fixture so tests are clearer to read and faster to write. Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Some systems may have multiple group names with the same group ID, in which case getgroups() returns duplicate values, where `id -G` will filter the duplicates. Unique and sort the arrays so they can be compared. Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Docs referred to an `issuer` property being optionally present, when it should have referred to the `issuerCertificate` property. Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
SecureContext.addCACert() adds to the existing root store, preserving root cert entries. option.ca is applied without calling SecureContext.addRootCerts() so should add to the default, empty, root store. This test confirms that the built-in root CAs are not included when options.ca is used. Based on: shigeki@acd5837 Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
TLS connection setup boilerplate is common to many TLS tests, factor it into a test fixture so tests are clearer to read and faster to write. Backport-PR-URL: #12468 PR-URL: #10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Some systems may have multiple group names with the same group ID, in which case getgroups() returns duplicate values, where `id -G` will filter the duplicates. Unique and sort the arrays so they can be compared. Backport-PR-URL: nodejs/node#12468 PR-URL: nodejs/node#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Backport-PR-URL: nodejs/node#12468 PR-URL: nodejs/node#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Backport-PR-URL: nodejs/node#12468 PR-URL: nodejs/node#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Docs referred to an `issuer` property being optionally present, when it should have referred to the `issuerCertificate` property. Backport-PR-URL: nodejs/node#12468 PR-URL: nodejs/node#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
SecureContext.addCACert() adds to the existing root store, preserving root cert entries. option.ca is applied without calling SecureContext.addRootCerts() so should add to the default, empty, root store. This test confirms that the built-in root CAs are not included when options.ca is used. Based on: shigeki/node@acd5837 Backport-PR-URL: nodejs/node#12468 PR-URL: nodejs/node#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
TLS connection setup boilerplate is common to many TLS tests, factor it into a test fixture so tests are clearer to read and faster to write. Backport-PR-URL: nodejs/node#12468 PR-URL: nodejs/node#10389 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
doc,test,tls
Description of change