tls: support reading multiple cas from one input#4099
Merged
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Member
There was a problem hiding this comment.
Let's do while (true) here, and break in loop if x509 === nullptr. I don't think that this deserves disabling lint rules.
MemberAuthor
There was a problem hiding this comment.
The NOLINT works around what I suspect is a bug in the lint rule. If you put the while on a single line (and s/nullptr/0/ to keep it < 80 columns) it won't trigger.
Member
There was a problem hiding this comment.
idk, it doesn't look like a good code style to me, splitting while's condition between lines. That's just my opinion, though
Contributor
There was a problem hiding this comment.
Is the following not possible?
if (BIO* bio = LoadBIO(env, args[0])){X509* x509; while (x509 = PEM_read_bio_X509(bio, nullptr, CryptoPemCallback, nullptr)){// ...If not, I'd say how it is now isn't the prettiest but personally find it easier to logically follow. Which wins for me.
Member
indutny commented Dec 1, 2015
LGTM with lint comment. |
Member
jasnell commented Dec 3, 2015
LGTM |
MemberAuthor
bnoordhuis commented Dec 8, 2015
One more CI run: https://ci.nodejs.org/job/node-test-pull-request/954/ |
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: nodejs#4096 PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
bnoordhuis added semver-minor MemberAuthor
bnoordhuis commented Dec 8, 2015
Conservatively tagging this semver-minor. |
bnoordhuis added a commit that referenced this pull request Dec 9, 2015
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: #4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
bnoordhuis added a commit that referenced this pull request Dec 9, 2015
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: #4096 PR-URL: #4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
Member
rvagg commented Dec 9, 2015
@bnoordhuis shouldn't this have a doc change too? |
rvagg added a commit that referenced this pull request Dec 9, 2015
Notable changes: * build: - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785. - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) #3962. * crypto: - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) #3511. - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) #3951. - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) #4099 * tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) #4021. PR-URL: #4181
rvagg added a commit that referenced this pull request Dec 9, 2015
Notable changes: * build: - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785. - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) #3962. * crypto: - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) #3511. - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) #3951. - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) #4099 * tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) #4021. PR-URL: #4181
MemberAuthor
bnoordhuis commented Dec 9, 2015
I don't know. The report was from someone who assumed a PEM with multiple certificates would Just Work(TM) and that's what I assumed as well. |
MemberAuthor
bnoordhuis commented Dec 9, 2015
But now that I look at tls.markdown, we say different things in different places. vs. I'll try to come up with a PR later today that harmonizes them. |
bnoordhuis added a commit to bnoordhuis/io.js that referenced this pull request Dec 9, 2015
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: nodejs#4099 PR-URL: nodejs#4213 Reviewed-By: Roman Reiss <[email protected]>
Contributor
MylesBorins commented Dec 15, 2015
@bnoordhuis if this is semver-minor should it land in lts? |
Member
rvagg commented Dec 15, 2015
IMO this is not a big enough deal to warrant shipping in v4, it can wait till v6. |
bnoordhuis added a commit that referenced this pull request Dec 15, 2015
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: #4099 PR-URL: #4213 Reviewed-By: Roman Reiss <[email protected]>
Contributor
MylesBorins commented Dec 29, 2015
bnoordhuis added a commit that referenced this pull request Dec 30, 2015
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: #4099 PR-URL: #4213 Reviewed-By: Roman Reiss <[email protected]>
MylesBorins pushed a commit that referenced this pull request Jan 19, 2016
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: #4099 PR-URL: #4213 Reviewed-By: Roman Reiss <[email protected]>
Member
Trott commented Feb 18, 2016
Should this be labeled |
Member
indutny commented Feb 18, 2016
@Trott yep |
Member
Trott commented Feb 18, 2016
I've taken the liberty/initiative to apply |
Member
rvagg commented Feb 18, 2016
+1, although |
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Writing `// NOLINT(whitespace/if-one-line)` was not possible because the directive was not listed in the list of known lint rules. You can now. PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Before this commit you had to pass multiple CA certificates as an array of strings. For convenience you can now pass them as a single string. Fixes: nodejs#4096 PR-URL: nodejs#4099 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Notable changes: * build: - Add support for Intel's VTune JIT profiling when compiled with --enable-vtune-profiling. For more information about VTune, see https://software.intel.com/en-us/node/544211. (Chunyang Dai) nodejs#3785. - Properly enable V8 snapshots by default. Due to a configuration error, snapshots have been kept off by default when the intention is for the feature to be enabled. (Fedor Indutny) nodejs#3962. * crypto: - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects (created via crypto.createECDH(curve_name)) with private keys that are not dynamically generated via generateKeys(). The public key is now computed when explicitly setting a private key. Added validity checks to reduce the possibility of computing weak or invalid shared secrets. Also, deprecated the setPublicKey() method for ECDH objects as its usage is unnecessary and can lead to inconsistent state. (Michael Ruddy) nodejs#3511. - Update root certificates from the current list stored maintained by Mozilla NSS. (Ben Noordhuis) nodejs#3951. - Multiple CA certificates can now be passed with the ca option to TLS methods as an array of strings or in a single new-line separated string. (Ben Noordhuis) nodejs#4099 * tools: Include a tick processor in core, exposed via the --prof-process command-line argument which can be used to process V8 profiling output files generated when using the --prof command-line argument. (Matt Loring) nodejs#4021. PR-URL: nodejs#4181
scovetta pushed a commit to scovetta/node that referenced this pull request Apr 2, 2016
Different sections said different things about what the `ca` argument should look like. This commit harmonizes them. Ref: nodejs#4099 PR-URL: nodejs#4213 Reviewed-By: Roman Reiss <[email protected]>
3 tasks
suryagh added a commit to suryagh/node that referenced this pull request May 6, 2016
if the valid `ca` is the first item within the concatinated string then the bug addressed by nodejs#4099 was not getting exposed. This test makes sure the order of valid `ca` should not effect the expected behavior when multiple `ca` certs are concatinated.
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/891/