From 1f65f18eea290311ac4db598809361e526b2c0ec Mon Sep 17 00:00:00 2001
From: Sam Roberts
Date: Fri, 30 Nov 2018 11:20:55 -0800
Subject: [PATCH] tls: support "BEGIN TRUSTED CERTIFICATE" for ca:

Support the same PEM certificate formats for the ca: option to tls.createSecureContext() that are supported by openssl when loading a CAfile.

Fixes: https://github.com/nodejs/node/issues/24761
PR-URL: https://github.com/nodejs/node/pull/24733
Reviewed-By: Anna Henningsen
Reviewed-By: Ben Noordhuis
---
 doc/api/tls.md | 7 +++++--
 src/node_crypto.cc | 2 +-
 test/parallel/test-tls-client-auth.js | 8 ++++----
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/doc/api/tls.md b/doc/api/tls.md
index 877653cbddb06b..fc2bffdc01348d 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1184,6 +1184,9 @@ argument.
 added: v0.11.13
 changes:
 - version: REPLACEME
+ pr-url: REPLACEME
+ description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
+ - version: v11.4.0
 pr-url: https://github.com/nodejs/node/pull/24405
 description: The `minVersion` and `maxVersion` can be used to restrict the allowed TLS protocol versions.
@@ -1225,8 +1228,8 @@ changes:
 certificate can match or chain to. For self-signed certificates, the certificate is its own CA, and must be provided.
- For PEM encoded certificates, supported types are "X509 CERTIFICATE", and
- "CERTIFICATE".
+ For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE",
+ "X509 CERTIFICATE", and "CERTIFICATE".
 * `cert` {string|string[]|Buffer|Buffer[]} Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private `key`, followed by the
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index f399096d4f4e8e..ebab773b1b47d5 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -800,7 +800,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo& args) {
 return;
 X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_.get());
- while (X509* x509 = PEM_read_bio_X509(
+ while (X509* x509 = PEM_read_bio_X509_AUX(
 bio.get(), nullptr, NoPasswordCallback, nullptr)) {
 if (cert_store == root_cert_store) {
 cert_store = NewRootCertStore();
diff --git a/test/parallel/test-tls-client-auth.js b/test/parallel/test-tls-client-auth.js
index 1701981692280e..1f8c7e6096ff11 100644
--- a/test/parallel/test-tls-client-auth.js
+++ b/test/parallel/test-tls-client-auth.js
@@ -254,7 +254,7 @@ connect({
 return cleanup();
 });
-// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
+// Confirm support for "BEGIN TRUSTED CERTIFICATE".
 connect({
 client: {
 key: client.key,
@@ -269,11 +269,11 @@ connect({
 requestCert: true,
 },
 }, function(err, pair, cleanup) {
- assert.strictEqual(err.code, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY');
+ assert.ifError(err);
 return cleanup();
 });
-// Confirm lack of support for "BEGIN TRUSTED CERTIFICATE".
+// Confirm support for "BEGIN TRUSTED CERTIFICATE".
 connect({
 client: {
 key: client.key,
@@ -288,7 +288,7 @@ connect({
 requestCert: true,
 },
 }, function(err, pair, cleanup) {
- assert.strictEqual(err.code, 'ECONNRESET');
+ assert.ifError(err);
 return cleanup();
 });
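Review bot: `PEM_read_bio_X509_AUX` does more than accept an extra PEM label — it also parses the auxiliary trust/reject settings and alias that a "TRUSTED CERTIFICATE" block can carry and keeps them attached to the returned `X509`, so a CA loaded this way may be evaluated by OpenSSL under those per-certificate trust settings rather than as an unconditional anchor, and neither the code nor the tls.md hunk says so. A short comment above the loop would capture that, e.g. `// _AUX also accepts "TRUSTED CERTIFICATE" blocks; any trust settings they carry stay on the X509 and are honoured at verification.` The loop still ends on the first PEM block it cannot parse, which is indistinguishable here from reaching the end of the bundle, so a malformed entry silently truncates the CA list; that is pre-existing, but checking whether the final error is `PEM_R_NO_START_LINE` before treating the end as clean would make a bad bundle visible. `AddCACert` starts and ends outside the hunk, so how the error queue is handled after the loop is not visible here.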
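Review bot: The comments added in the -254 and -269 hunks are identical (`// Confirm support for "BEGIN TRUSTED CERTIFICATE".`), so a reader cannot tell which case each `connect()` block exercises; presumably the two blocks differ in which side receives the trusted-certificate `ca:`, but those lines lie outside the hunks. Naming the case in each comment, e.g. `// Confirm support for "BEGIN TRUSTED CERTIFICATE" as the client's ca.` and the server-side equivalent, would make a future failure easier to attribute. The -288 hunk belongs to the second of these blocks and needs no separate change.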