tls: support reading multiple cas from one input #4099
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| X509_free(x509); | ||
| unsigned cert_count = 0; | ||
| if (BIO* bio = LoadBIO(env, args[0])) { | ||
| while (X509* x509 = // NOLINT(whitespace/if-one-line) |
There was a problem hiding this comment.
Let's do while (true) here, and break in loop if x509 === nullptr. I don't think that this deserves disabling lint rules.
There was a problem hiding this comment.
The NOLINT works around what I suspect is a bug in the lint rule. If you put the while on a single line (and s/nullptr/0/ to keep it < 80 columns) it won't trigger.
There was a problem hiding this comment.
idk, it doesn't look like a good code style to me, splitting while's condition between lines. That's just my opinion, though
There was a problem hiding this comment.
/cc @trevnorris - you can be the arbitrator.
There was a problem hiding this comment.
Is the following not possible?
if (BIO* bio = LoadBIO(env, args[0])) {
X509* x509;
while (x509 = PEM_read_bio_X509(bio, nullptr, CryptoPemCallback, nullptr)) {
// ...If not, I'd say how it is now isn't the prettiest but personally find it easier to logically follow. Which wins for me.
|
LGTM with lint comment. |
|
LGTM |
|
One more CI run: https://ci.nodejs.org/job/node-test-pull-request/954/ |
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: nodejs#4096 PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
bnoordhuis
added
semver-minor
|
Conservatively tagging this semver-minor. |
bnoordhuis
added a commit
that referenced
this pull request
Dec 9, 2015
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: #4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
bnoordhuis
added a commit
that referenced
this pull request
Dec 9, 2015
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: #4096 PR-URL: #4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
|
@bnoordhuis shouldn't this have a doc change too? |
rvagg
added a commit
that referenced
this pull request
Dec 9, 2015
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) #3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021.
PR-URL: #4181
rvagg
added a commit
that referenced
this pull request
Dec 9, 2015
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) #3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021.
PR-URL: #4181
|
I don't know. The report was from someone who assumed a PEM with multiple certificates would Just Work(TM) and that's what I assumed as well. |
|
But now that I look at tls.markdown, we say different things in different places. vs. I'll try to come up with a PR later today that harmonizes them. |
bnoordhuis
added a commit
to bnoordhuis/io.js
that referenced
this pull request
Dec 9, 2015
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: nodejs#4099 PR-URL: nodejs#4213 Reviewed-By: Roman Reiss <[email protected]>
|
@bnoordhuis if this is semver-minor should it land in lts? |
|
IMO this is not a big enough deal to warrant shipping in v4, it can wait till v6. |
bnoordhuis
added a commit
that referenced
this pull request
Dec 15, 2015
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: #4099 PR-URL: #4213 Reviewed-By: Roman Reiss <[email protected]>
bnoordhuis
added a commit
that referenced
this pull request
Dec 30, 2015
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: #4099 PR-URL: #4213 Reviewed-By: Roman Reiss <[email protected]>
MylesBorins
pushed a commit
that referenced
this pull request
Jan 19, 2016
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: #4099 PR-URL: #4213 Reviewed-By: Roman Reiss <[email protected]>
|
Should this be labeled |
|
@Trott yep |
|
I've taken the liberty/initiative to apply |
|
+1, although |
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: nodejs#4096 PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) nodejs#3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) nodejs#3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) nodejs#3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) nodejs#3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) nodejs#4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) nodejs#4021.
PR-URL: nodejs#4181
scovetta
pushed a commit
to scovetta/node
that referenced
this pull request
Apr 2, 2016
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: nodejs#4099 PR-URL: nodejs#4213 Reviewed-By: Roman Reiss <[email protected]>
3 tasks
suryagh
added a commit
to suryagh/node
that referenced
this pull request
May 6, 2016
if the valid `ca` is the first item within the concatinated string then the bug addressed by nodejs#4099 was not getting exposed. This test makes sure the order of valid `ca` should not effect the expected behavior when multiple `ca` certs are concatinated.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/891/