From d04c1f613e49c8ca529462672708c4256186b12b Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 16:53:30 -0500 Subject: [PATCH 01/11] crypto: load PFX chain the same way as regular one Load the certificate chain from the PFX file the same as we do it for a regular certificate chain. Fix: #4127 --- src/node_crypto.cc | 137 ++++++++++++++++++++++++++++----------------- 1 file changed, 87 insertions(+), 50 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index bd7314c9db902c..fda9c394cfbbfa 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -530,46 +530,32 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) { } -// Read a file that contains our certificate in "PEM" format, -// possibly followed by a sequence of CA certificates that should be -// sent to the peer in the Certificate message. -// -// Taken from OpenSSL - editted for style. int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, - BIO* in, + X509* x, + STACK_OF(X509)* extra_certs, X509** cert, X509** issuer) { - int ret = 0; - X509* x = nullptr; - - x = PEM_read_bio_X509_AUX(in, nullptr, CryptoPemCallback, nullptr); - - if (x == nullptr) { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); - goto end; - } - - ret = SSL_CTX_use_certificate(ctx, x); + int ret = SSL_CTX_use_certificate(ctx, x); if (ret) { // If we could set up our certificate, now proceed to // the CA certificates. - X509 *ca; int r; - unsigned long err; if (ctx->extra_certs != nullptr) { sk_X509_pop_free(ctx->extra_certs, X509_free); ctx->extra_certs = nullptr; } - while ((ca = PEM_read_bio_X509(in, nullptr, CryptoPemCallback, nullptr))) { + for (int i = 0; i < sk_X509_num(extra_certs); i++) { + X509* ca = sk_X509_value(extra_certs, i); + // NOTE: Increments reference count on `ca` r = SSL_CTX_add1_chain_cert(ctx, ca); if (!r) { - X509_free(ca); ret = 0; + *issuer = nullptr; goto end; } // Note that we must not free r if it was successfully 
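Review bot: The new X509-taking overload of SSL_CTX_use_certificate_chain carries no header comment, and its ownership contract is exactly what a caller will get wrong: it does not take ownership of `x` or `extra_certs` (the chain is attached with `SSL_CTX_add1_chain_cert`, which takes its own reference, and the stack is left to the caller), while on success `*cert` receives a fresh reference to `x` through `CRYPTO_add`, so the caller must release `*cert` independently of `x`. I would add a comment above the signature stating those facts, plus that `*issuer`, when set, is likewise a reference the caller owns (the increment happens in the cert-store branch further down). Inside the loop, `*issuer = ca;` stores a borrowed pointer, which is why the `*issuer = nullptr;` on the `add1_chain_cert` failure path is correct without an `X509_free`; a line such as `// borrowed until the reference count is bumped below` would keep a later edit from adding one. The function's body continues past the end of this hunk.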
@@ -582,16 +568,6 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, continue; *issuer = ca; } - - // When the while loop ends, it's usually just EOF. - err = ERR_peek_last_error(); - if (ERR_GET_LIB(err) == ERR_LIB_PEM && - ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { - ERR_clear_error(); - } else { - // some real error - ret = 0; - } } // Try getting issuer from a cert store 
@@ -608,8 +584,74 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, } end: - if (x != nullptr) + if (ret && x != nullptr) { *cert = x; + CRYPTO_add(&(*cert)->references, 1, CRYPTO_LOCK_X509); + } + return ret; +} + + +// Read a file that contains our certificate in "PEM" format, +// possibly followed by a sequence of CA certificates that should be +// sent to the peer in the Certificate message. +// +// Taken from OpenSSL - editted for style. +int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, + BIO* in, + X509** cert, + X509** issuer) { + X509* x = nullptr; + + x = PEM_read_bio_X509_AUX(in, nullptr, CryptoPemCallback, nullptr); + + if (x == nullptr) { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); + return 0; + } + + X509* extra = nullptr; + int ret = 0; + unsigned long err = 0; + + // Read extra certs + STACK_OF(X509)* extra_certs = sk_X509_new_null(); + if (extra_certs == nullptr) { + // XXX(indutny): Is there a need for SSLerr here? + goto done; + } + + while ((extra = PEM_read_bio_X509(in, nullptr, CryptoPemCallback, nullptr))) { + if (sk_X509_push(extra_certs, extra)) + continue; + + // Failure, free all certs + goto done; + } + extra = nullptr; + + // When the while loop ends, it's usually just EOF. + err = ERR_peek_last_error(); + if (ERR_GET_LIB(err) == ERR_LIB_PEM && + ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { + ERR_clear_error(); + } else { + // some real error + goto done; + } + + ret = SSL_CTX_use_certificate_chain(ctx, x, extra_certs, cert, issuer); + if (!ret) + goto done; + +done: + if (extra_certs != nullptr) + sk_X509_pop_free(extra_certs, X509_free); + if (extra != nullptr) + X509_free(extra); + if (x != nullptr) + X509_free(x); + return ret; } @@ -898,7 +940,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { PKCS12* p12 = nullptr; EVP_PKEY* pkey = nullptr; X509* cert = nullptr; - STACK_OF(X509)* extraCerts = nullptr; + STACK_OF(X509)* extra_certs = nullptr; char* pass = nullptr; bool ret = false; 
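Review bot: `if (!ret) goto done;` at the end of the new BIO overload jumps to the label that immediately follows it, so it is a no-op; drop it and leave `ret = SSL_CTX_use_certificate_chain(ctx, x, extra_certs, cert, issuer);` directly above `done:`. Likewise `X509* x = nullptr;` followed by `x = PEM_read_bio_X509_AUX(...)` can be a single initialised declaration, since no goto crosses it. The unconditional `X509_free(x)` at `done:` deserves a why-comment because it also runs on success: `// The X509 overload took its own reference to x on success; ours is released here.` — that is what the `CRYPTO_add` in the `end:` block above relies on, and without the comment it reads like a double free.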
@@ -924,27 +966,22 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { } if (d2i_PKCS12_bio(in, &p12) && - PKCS12_parse(p12, pass, &pkey, &cert, &extraCerts) && - SSL_CTX_use_certificate(sc->ctx_, cert) && + PKCS12_parse(p12, pass, &pkey, &cert, &extra_certs) && + SSL_CTX_use_certificate_chain(sc->ctx_, + cert, + extra_certs, + &sc->cert_, + &sc->issuer_) && SSL_CTX_use_PrivateKey(sc->ctx_, pkey)) { - // set extra certs - while (X509* x509 = sk_X509_pop(extraCerts)) { - if (!sc->ca_store_) { - sc->ca_store_ = X509_STORE_new(); - SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); - } - - X509_STORE_add_cert(sc->ca_store_, x509); - SSL_CTX_add_client_CA(sc->ctx_, x509); - X509_free(x509); - } + ret = true; + } + if (pkey != nullptr) EVP_PKEY_free(pkey); + if (cert != nullptr) X509_free(cert); - sk_X509_free(extraCerts); - - ret = true; - } + if (extra_certs != nullptr) + sk_X509_free(extra_certs); PKCS12_free(p12); BIO_free_all(in); From 564a88be15d4c946707127362fbdc85bdc92a380 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 17:01:48 -0500 Subject: [PATCH 02/11] lint --- src/node_crypto.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index fda9c394cfbbfa..b782e317f18f26 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -644,7 +644,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, if (!ret) goto done; -done: + done: if (extra_certs != nullptr) sk_X509_pop_free(extra_certs, X509_free); if (extra != nullptr) From 4e9d541b5b309ce8b952126b8225c998e206b506 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 19:26:45 -0500 Subject: [PATCH 03/11] test: add regression test for #4127 --- test/fixtures/keys/Makefile | 3 +++ test/fixtures/keys/agent1-pfx.pem | Bin 0 -> 2437 bytes test/parallel/test-tls-ocsp-callback.js | 31 ++++++++++++++++++++---- 3 files changed, 29 insertions(+), 5 deletions(-) create mode 100644 test/fixtures/keys/agent1-pfx.pem 
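Review bot: `sk_X509_free(extra_certs)` at the end of LoadPKCS12 frees only the stack, not the X509 objects in it; PKCS12_parse hands those to the caller, and the new `SSL_CTX_use_certificate_chain` call only takes additional references (`SSL_CTX_add1_chain_cert`, `CRYPTO_add` on the issuer), so as far as the visible lines show every CA certificate in the PFX now leaks on each load. The removed loop released them one by one; the replacement should be `sk_X509_pop_free(extra_certs, X509_free);`, as the BIO overload in the previous hunk already does. Separately, the removed loop also added the PFX's CA certificates to `sc->ca_store_` and via `SSL_CTX_add_client_CA`; after this change they are only sent as chain certificates, so peer certificates signed by a CA bundled in the PFX are no longer trusted through that path. If that is intended it should be called out in the commit message and release notes as a behaviour change rather than a pure fix, since applications relying on the old implicit trust will start failing verification.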
diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 143986274a6b93..82bc6bad074a8f 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -79,6 +79,9 @@ agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem -CAcreateserial \ -out agent1-cert.pem +agent1-pfx.pem: agent1-cert.pem + openssl pkcs12 -export -in agent1-cert.pem -inkey agent1-key.pem -certfile ca1-cert.pem -out agent1-pfx.pem -password pass:sample + agent1-verify: agent1-cert.pem ca1-cert.pem openssl verify -CAfile ca1-cert.pem agent1-cert.pem 
diff --git a/test/fixtures/keys/agent1-pfx.pem b/test/fixtures/keys/agent1-pfx.pem new file mode 100644 index 0000000000000000000000000000000000000000..a36e746a72e06e8dd913f335c1e889ae7646513e GIT binary patch literal 2437 zcmY+FX*3j!8pq8T!w^H33`WSEit-0U(9ItpEOS1^`BKfLNNlr?OJ1>&rkO z3qvH1X(dN!wDhm`p>`5u2ycJP%BvjJ|M6vKhd;iYzes8nQ|!joljb@5azgeWC}Z z&F_;+#ve_b0>Q#cx75wAv&P%l*yy0F^DM6)tq0GSx^4ui4Ne&udX}a~CPGT*!kk^U zl>Euzs|^nx_e+f0$Gk!N9!3~744Dv^U$~`P!0x_Z7g}{4Nq@>w(WzfAaG0;`xpX)O z;+hNQfx_rI0#h+8m9pd=)bbrRQ``^A-i43*mHg-#4;<-~*K#5_RS{}2ceqX1v zEdc9_Pf0sxcZ-pSm?l;2%x>AZ59gDfU$86)c~C`I_SSaI6$}|-uD0)%FUW5F#8~1H zOe+RPr&*^=Ux`akQ|FS9Sb#p^kjyYC3cA>asIgTzJno6jl znyu8@xmgxn24cp?I(1V584w;%%xrI8TMNs-mnm#TvNcQ@KaSTuRxchYM*q4+by67) zdi}$4(o>ABONd6$JuLNP#<5snxAl_)FE$PYCXNQlrrg?mCyeyAsf=+y-z-i~*h84f zx+yw};9aZAeRp(f$&K^yHOj)9Gd(3q-dOg~CBKEf6lXpAT`HHMx-hEnHac5x{+sYS zc=IrWcujqxEsZV!b+R}4XnC@uUF#l{?fhq%foxab+A%*~$z3CPoCa!S@j-m&6@X5k z+|mED=-a_t3l^zt)Yp3pW3|RgFf`nArD=0rDbII=j=vG$miY=^r^H(GfDrM%;-p5~ zc#^%mG26rS*RH`1*$Q4K)G}}r@xG;KO2stAr6^5txq}oOVLROQckwR^{+)AL#lg>Y zxE$X(v28SMg5*lWnAr5;jt3$oED)Ij1poDQ-`IMG*)$6*Je2}Z9{f3|xkXZVwi8cT zSbp0kaSkp;L++^o3oUta9nuFjR7%APeWXx>Im)Slg6xdo~z#`qp7*|!eNnw%6&j3y zH+)5+Wa`pm>p|RALeA_L5kDqY)jFlIXB7Na#hz$?+aPD2C&hMX6anA?GD90yaX8Im zn8>A^FJq-u)cW#P>1{X<(GcrK{AsYL?hfefg^?WUTEmwurQHziYYr;xoA50hwOY z<@wtlr{|HmUV6&+uf97gwyDPcDXYNDM?7aEyDAp_GWzcXXlKLLP=s>)WaVbuk(5#Z zt*(;X^4um%Kf}k;oTojk!!m>X%N>|6DKpqb@kMZaWF<;X33>Ewriz?}BB$%XW%nMI z+p}9|!Wer5t!Y5hAg2jzheAfejVax5H~D~xsUhXp*ce1%y}K2IN|e1fWsBW#73X~+R&$(GPx^ZuW7+UzLQ zJzCyeRPsG9Ku*Y_w_F{FI;PJV&3u>h84EOM%nhK*|5@7EtOHe>onbsnajAP|yU*{T zK_oxkZfb{Ab16u}9s5@FY@=QYKKl{P*=-#e0qL}7vkYf%5v2yUP5C829F3sl7|)2u zt6GaF;!KUMAORP8fhgt8@xd6~J>r61k7}igApje!~o(+nE`3(5W?;=yp=dQhfSj=T3y`$v7kO@dNR67MEq{|zW{xI BfE@q; literal 0 HcmV?d00001 diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js index d970b2ab013446..5ebeabc51e7830 100644 --- a/test/parallel/test-tls-ocsp-callback.js 
+++ b/test/parallel/test-tls-ocsp-callback.js @@ -22,11 +22,14 @@ var constants = require('constants'); var fs = require('fs'); var join = require('path').join; -test({ response: false }, function() { - test({ response: 'hello world' }, function() { - test({ ocsp: false }); - }); -}); +var pfx = fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); + +var tests = [ + { response: false }, + { response: 'hello world' }, + { ocsp: false }, + { pfx: pfx, passphrase: 'sample', response: 'hello pfx' } +]; function test(testOptions, cb) { @@ -47,6 +50,13 @@ function test(testOptions, cb) { var ocspResponse; var session; + if (testOptions.pfx) { + delete options.key; + delete options.cert; + options.pfx = testOptions.pfx; + options.passphrase = testOptions.passphrase; + } + var server = tls.createServer(options, function(cleartext) { cleartext.on('error', function(er) { // We're ok with getting ECONNRESET in this test, but it's @@ -60,6 +70,7 @@ function test(testOptions, cb) { }); server.on('OCSPRequest', function(cert, issuer, callback) { ++ocspCount; + console.log(cert, issuer); assert.ok(Buffer.isBuffer(cert)); assert.ok(Buffer.isBuffer(issuer)); @@ -106,3 +117,13 @@ function test(testOptions, cb) { assert.equal(ocspCount, 1); }); } + +function runTests(i) { + if (i === tests.length) return; + + test(tests[i], common.mustCall(function() { + runTests(i + 1); + })); +} + +runTests(0); From 57d441b95aad0b2bd37c51344ea4d331d6e8a969 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 19:44:57 -0500 Subject: [PATCH 04/11] fix --- test/parallel/test-tls-ocsp-callback.js | 1 - 1 file changed, 1 deletion(-) diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js index 5ebeabc51e7830..7abe83edf68af2 100644 --- a/test/parallel/test-tls-ocsp-callback.js +++ b/test/parallel/test-tls-ocsp-callback.js 
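Review bot: The new `pfx` case is verified only through the existing `assert.ok(Buffer.isBuffer(issuer))` in the OCSPRequest handler, which any Buffer satisfies; since the point of the case is that the issuer is now recovered from the PFX chain, it would be worth also asserting that `issuer` differs from `cert`, e.g. `assert.notEqual(issuer.toString('hex'), cert.toString('hex'));`, so a regression that hands back the leaf for both does not pass. That holds if the fixture chain is agent1 signed by ca1, as the Makefile's verify target suggests. The `test()` function whose body these hunks modify starts outside the hunk.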
@@ -70,7 +70,6 @@ function test(testOptions, cb) { }); server.on('OCSPRequest', function(cert, issuer, callback) { ++ocspCount; - console.log(cert, issuer); assert.ok(Buffer.isBuffer(cert)); assert.ok(Buffer.isBuffer(issuer)); From e0f6f4ba45728698637e077dede6cdffe37eb705 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 19:45:13 -0500 Subject: [PATCH 05/11] fix --- src/node_crypto.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index b782e317f18f26..3e0b2547357b89 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -596,7 +596,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // possibly followed by a sequence of CA certificates that should be // sent to the peer in the Certificate message. // -// Taken from OpenSSL - editted for style. +// Taken from OpenSSL - edited for style. int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, BIO* in, X509** cert, From 64ef0909232772a583c6bf028e3d38b0f5983976 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 19:52:04 -0500 Subject: [PATCH 06/11] fix test on fips bot --- test/parallel/test-tls-ocsp-callback.js | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js index 7abe83edf68af2..bca00e275897f6 100644 --- a/test/parallel/test-tls-ocsp-callback.js +++ b/test/parallel/test-tls-ocsp-callback.js @@ -24,13 +24,6 @@ var join = require('path').join; var pfx = fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); -var tests = [ - { response: false }, - { response: 'hello world' }, - { ocsp: false }, - { pfx: pfx, passphrase: 'sample', response: 'hello pfx' } -]; - function test(testOptions, cb) { var keyFile = join(common.fixturesDir, 'keys', 'agent1-key.pem'); 
@@ -117,6 +110,16 @@ function test(testOptions, cb) { }); } +var tests = [ + { response: false }, + { response: 'hello world' }, + { ocsp: false } +]; + +if (common.hasFipsCrypto) { + tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' }); +} + function runTests(i) { if (i === tests.length) return; From 3cd0efb65df547e48818e7eb803ca94170f1a83f Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Sat, 5 Dec 2015 20:45:58 -0500 Subject: [PATCH 07/11] fix test --- test/parallel/test-tls-ocsp-callback.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js index bca00e275897f6..a11be7ac22d1c5 100644 --- a/test/parallel/test-tls-ocsp-callback.js +++ b/test/parallel/test-tls-ocsp-callback.js @@ -116,7 +116,7 @@ var tests = [ { ocsp: false } ]; -if (common.hasFipsCrypto) { +if (!common.hasFipsCrypto) { tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' }); } From 078ff9f10cb5d7b0bf0bbdd422b7efa05d34a903 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Mon, 7 Dec 2015 15:47:54 -0500 Subject: [PATCH 08/11] crypto: fixes --- src/node_crypto.cc | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 3e0b2547357b89..71018730346dab 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -535,6 +535,15 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, STACK_OF(X509)* extra_certs, X509** cert, X509** issuer) { + if (*issuer != nullptr) { + X509_free(*issuer); + *issuer = nullptr; + } + if (*cert != nullptr) { + X509_free(*cert); + *cert = nullptr; + } + int ret = SSL_CTX_use_certificate(ctx, x); if (ret) { @@ -566,6 +575,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // Find issuer if (*issuer != nullptr || X509_check_issued(ca, x) != X509_V_OK) continue; + *issuer = ca; } } 
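Review bot: The FIPS guard around the pfx case (written as `if (common.hasFipsCrypto)` here and inverted to `!common.hasFipsCrypto` in the following commit) has no comment saying why the PFX variant is skipped under FIPS, so a later reader cannot tell a genuine limitation from a flaky-test workaround. I would add a one-liner above it along the lines of `// agent1-pfx.pem was generated with openssl pkcs12 defaults, which cannot be loaded in FIPS mode` — hedged, because the actual cause is not visible here and the fixture is binary in this series, so confirm it before wording the comment. `runTests` and `test()` continue outside the hunk.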
@@ -579,14 +589,19 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // no need to free `store` } else { // Increment issuer reference count - CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); + *issuer = X509_dup(*issuer); + if (*issuer == nullptr) { + ret = 0; + goto end; + } } } end: if (ret && x != nullptr) { - *cert = x; - CRYPTO_add(&(*cert)->references, 1, CRYPTO_LOCK_X509); + *cert = X509_dup(x); + if (*cert == nullptr) + ret = 0; } return ret; } From 3691db8bdd2b69e6ee6c169c1f545639c601213c Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Thu, 17 Dec 2015 16:07:17 -0500 Subject: [PATCH 09/11] fix --- src/node_crypto.cc | 4 ++++ test/fixtures/keys/Makefile | 7 ++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 71018730346dab..b2eaebb0b85956 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -618,6 +618,10 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, X509** issuer) { X509* x = nullptr; + // Just to ensure that `ERR_peek_last_error` below will return only errors + // that we are interested in + ERR_clear_error(); + x = PEM_read_bio_X509_AUX(in, nullptr, CryptoPemCallback, nullptr); if (x == nullptr) { diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 82bc6bad074a8f..630a92de46d214 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -80,7 +80,12 @@ agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem -out agent1-cert.pem agent1-pfx.pem: agent1-cert.pem - openssl pkcs12 -export -in agent1-cert.pem -inkey agent1-key.pem -certfile ca1-cert.pem -out agent1-pfx.pem -password pass:sample + openssl pkcs12 -export \ + -in agent1-cert.pem \ + -inkey agent1-key.pem \ + -certfile ca1-cert.pem \ + -out agent1-pfx.pem \ + -password pass:sample agent1-verify: agent1-cert.pem ca1-cert.pem openssl verify -CAfile ca1-cert.pem agent1-cert.pem From 8c17c3c53254f04373f7b20bdd9c6373848f3459 Mon Sep 17 00:00:00 2001 
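Review bot: In the `end:` block, when `X509_dup(x)` fails `ret` is cleared but `*issuer` — which by then holds an owned copy from the `X509_dup(*issuer)` a few lines up, or presumably an owned reference from the store lookup — is left set, so the caller receives failure together with a live issuer and no cert; release it on that path, `if (*cert == nullptr) { ret = 0; X509_free(*issuer); *issuer = nullptr; }`, so a failed call leaves both outputs null. Also note that `X509_dup` performs a DER encode/decode copy rather than a reference increment, which costs a round-trip per SetCert/LoadPKCS12 and, as far as I know, does not carry over the AUX data that `PEM_read_bio_X509_AUX` may have attached to `x`; if the intent was only to avoid touching `references` directly, that trade-off is worth a comment at both call sites. The function's body lies partly outside this hunk.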
From: Fedor Indutny Date: Thu, 17 Dec 2015 19:37:31 -0500 Subject: [PATCH 10/11] fix --- src/node_crypto.cc | 38 ++++++++++++++++++++++++++++--------- test/fixtures/keys/Makefile | 2 +- 2 files changed, 30 insertions(+), 10 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index b2eaebb0b85956..b27157f33a75ff 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -535,14 +535,8 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, STACK_OF(X509)* extra_certs, X509** cert, X509** issuer) { - if (*issuer != nullptr) { - X509_free(*issuer); - *issuer = nullptr; - } - if (*cert != nullptr) { - X509_free(*cert); - *cert = nullptr; - } + CHECK_EQ(*issuer, nullptr); + CHECK_EQ(*cert, nullptr); int ret = SSL_CTX_use_certificate(ctx, x); @@ -636,7 +630,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // Read extra certs STACK_OF(X509)* extra_certs = sk_X509_new_null(); if (extra_certs == nullptr) { - // XXX(indutny): Is there a need for SSLerr here? + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_MALLOC_FAILURE); goto done; } @@ -659,6 +653,12 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, goto done; } + // Free previous certs + if (*cert != nullptr) { + X509_free(*cert); + *cert = nullptr; + } + ret = SSL_CTX_use_certificate_chain(ctx, x, extra_certs, cert, issuer); if (!ret) goto done; @@ -688,6 +688,16 @@ void SecureContext::SetCert(const FunctionCallbackInfo& args) { if (!bio) return; + // Free previous certs + if (sc->issuer_ != nullptr) { + X509_free(sc->issuer_); + sc->issuer_ = nullptr; + } + if (sc->cert_ != nullptr) { + X509_free(sc->cert_); + sc->cert_ = nullptr; + } + int rv = SSL_CTX_use_certificate_chain(sc->ctx_, bio, &sc->cert_, 
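Review bot: The `// Free previous certs` block added to SetCert is repeated verbatim in LoadPKCS12 (the next hunk of this commit) — eight identical lines releasing `sc->issuer_` and `sc->cert_` — and a partial copy (cert only) was also placed in the BIO overload above; extract it once, e.g. a private `void SecureContext::ClearCertAndIssuer();` holding this block, and call `sc->ClearCertAndIssuer();` from both sites so the `CHECK_EQ(*issuer, nullptr)` precondition introduced in this commit has a single place that establishes it. One consequence worth a comment at the call site: the previous `cert_`/`issuer_` are released before the new chain is parsed, so if `SSL_CTX_use_certificate_chain` then fails, `ctx_` presumably still serves the previously installed certificate while `cert_`/`issuer_` are null, e.g. `// On failure the context keeps its old certificate but cert_/issuer_ are already cleared`. SetCert's body continues outside the hunk.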
@@ -984,6 +994,16 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { pass[passlen] = '\0'; } + // Free previous certs + if (sc->issuer_ != nullptr) { + X509_free(sc->issuer_); + sc->issuer_ = nullptr; + } + if (sc->cert_ != nullptr) { + X509_free(sc->cert_); + sc->cert_ = nullptr; + } + if (d2i_PKCS12_bio(in, &p12) && PKCS12_parse(p12, pass, &pkey, &cert, &extra_certs) && SSL_CTX_use_certificate_chain(sc->ctx_, diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 630a92de46d214..1148e529cd9595 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -79,7 +79,7 @@ agent1-cert.pem: agent1-csr.pem ca1-cert.pem ca1-key.pem -CAcreateserial \ -out agent1-cert.pem -agent1-pfx.pem: agent1-cert.pem +agent1-pfx.pem: agent1-cert.pem agent1-key.pem ca1-cert.pem openssl pkcs12 -export \ -in agent1-cert.pem \ -inkey agent1-key.pem \ From 7890de4595e5fc8decbb54e18a29cd4b55ae8dbb Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Thu, 17 Dec 2015 19:59:35 -0500 Subject: [PATCH 11/11] ... --- src/node_crypto.cc | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index b27157f33a75ff..c48f4e0ca553a2 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -653,12 +653,6 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, goto done; } - // Free previous certs - if (*cert != nullptr) { - X509_free(*cert); - *cert = nullptr; - } - ret = SSL_CTX_use_certificate_chain(ctx, x, extra_certs, cert, issuer); if (!ret) goto done;