3 const constants = require('constants');
4 const tls = require('tls');
9 const binding = process.binding('crypto');
10 const NativeSecureContext = binding.SecureContext;
12 function SecureContext(secureProtocol, flags, context) {
13 if (!(this instanceof SecureContext)) {
14 return new SecureContext(secureProtocol, flags, context);
18 this.context = context;
20 this.context = new NativeSecureContext();
23 this.context.init(secureProtocol);
29 if (flags) this.context.setOptions(flags);
32 exports.SecureContext = SecureContext;
35 exports.createSecureContext = function createSecureContext(options, context) {
36 if (!options) options = {};
38 var secureOptions = options.secureOptions;
39 if (options.honorCipherOrder)
40 secureOptions |= constants.SSL_OP_CIPHER_SERVER_PREFERENCE;
42 var c = new SecureContext(options.secureProtocol, secureOptions, context);
44 if (context) return c;
46 // NOTE: It's important to add CA before the cert to be able to load
47 // cert's issuer in C++ code.
49 if (Array.isArray(options.ca)) {
50 for (var i = 0, len = options.ca.length; i < len; i++) {
51 c.context.addCACert(options.ca[i]);
54 c.context.addCACert(options.ca);
57 c.context.addRootCerts();
61 if (Array.isArray(options.cert)) {
62 for (var i = 0; i < options.cert.length; i++)
63 c.context.setCert(options.cert[i]);
65 c.context.setCert(options.cert);
69 // NOTE: It is important to set the key after the cert.
70 // `ssl_set_pkey` returns `0` when the key does not much the cert, but
71 // `ssl_set_cert` returns `1` and nullifies the key in the SSL structure
72 // which leads to the crash later on.
74 if (Array.isArray(options.key)) {
75 for (var i = 0; i < options.key.length; i++) {
76 var key = options.key[i];
79 c.context.setKey(key.pem, key.passphrase);
81 c.context.setKey(key);
84 if (options.passphrase) {
85 c.context.setKey(options.key, options.passphrase);
87 c.context.setKey(options.key);
93 c.context.setCiphers(options.ciphers);
95 c.context.setCiphers(tls.DEFAULT_CIPHERS);
97 if (options.ecdhCurve === undefined)
98 c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
99 else if (options.ecdhCurve)
100 c.context.setECDHCurve(options.ecdhCurve);
102 if (options.dhparam) c.context.setDHParam(options.dhparam);
105 if (Array.isArray(options.crl)) {
106 for (var i = 0, len = options.crl.length; i < len; i++) {
107 c.context.addCRL(options.crl[i]);
110 c.context.addCRL(options.crl);
114 if (options.sessionIdContext) {
115 c.context.setSessionIdContext(options.sessionIdContext);
119 var pfx = options.pfx;
120 var passphrase = options.passphrase;
123 crypto = require('crypto');
125 pfx = crypto._toBuf(pfx);
127 passphrase = crypto._toBuf(passphrase);
130 c.context.loadPKCS12(pfx, passphrase);
132 c.context.loadPKCS12(pfx);
136 // Do not keep read/write buffers in free list
137 if (options.singleUse) {
139 c.context.setFreeListLength(0);
145 exports.translatePeerCertificate = function translatePeerCertificate(c) {
149 if (c.issuer) c.issuer = tls.parseCertString(c.issuer);
150 if (c.issuerCertificate && c.issuerCertificate !== c) {
151 c.issuerCertificate = translatePeerCertificate(c.issuerCertificate);
153 if (c.subject) c.subject = tls.parseCertString(c.subject);
155 var info = c.infoAccess;
158 // XXX: More key validation?
159 info.replace(/([^\n:]*):([^\n]*)(?:\n|$)/g, function(all, key, val) {
160 if (key === '__proto__')
163 if (c.infoAccess.hasOwnProperty(key))
164 c.infoAccess[key].push(val);
166 c.infoAccess[key] = [val];