crypto: load PFX chain the same way as regular one

[indutny]

Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: #4127

[indutny]

cc @nodejs/crypto

[indutny]

Actually just added the test that demonstrates the problem, feel free to review it now ;)

[indutny]

CI: https://ci.nodejs.org/job/node-test-pull-request/934/

[mscdex]

s/editted/edited/

[indutny]

Ack.

[indutny]

There was failure on CI FIPS bot, fixed in latest commit. Running CI again: https://ci.nodejs.org/job/node-test-pull-request/935/

[indutny]

Gosh, messed it up. New CI: https://ci.nodejs.org/job/node-test-pull-request/936/

[indutny]

CI seems to be green, failures are completely unrelated.

[bnoordhuis]

Can you add a CHECK_EQ(*issuer, nullptr) and maybe a CHECK_EQ(*cert, nullptr) while you're here?

[indutny]

You are totally right. It needs something more complex though, since we don't prevent people from passing in both cert+key and pfx for TLS server.

[indutny]

@bnoordhuis PTAL, should be better now.

[indutny]

@bnoordhuis ping ;)

[indutny]

erm @bnoordhuis or @nodejs/crypto : I need your LGTM ;)

[indutny]

Anyone?

[indutny]

ping @bnoordhuis @nodejs/crypto

[bnoordhuis]

I realize it's not new code but I believe PEM_read_bio_X509_AUX() also registers an error, but with tag ERR_LIB_PEM, not ERR_LIB_SSL.

[indutny]

I would keep it as it is right now, just because it may make this PR a semver-major. Let's reconsider it later.

[paddybyers]

Is it planned that this will be be included in 4.2.x as well as 5.x? The reason I ask is that I believe a side-effect of this change is to fix a memory leak which is relevant to production stability. I can raise an issue/PR against 4.2.x with a fix only for the memory leak if necessary.

[indutny]

@paddybyers yep, it has lts-watch tag ;)

[paddybyers]

it has lts-watch tag ;)

I see, thanks :)