diff --git a/deps/openssl/openssl/apps/apps.c b/deps/openssl/openssl/apps/apps.c
index 3e18289a4b5b89..45263ca5e44bd4 100644
--- a/deps/openssl/openssl/apps/apps.c
+++ b/deps/openssl/openssl/apps/apps.c
@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *pargc,
 flags |= X509_V_FLAG_NOTIFY_POLICY;
 else if (!strcmp(arg, "-check_ss_sig"))
 flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+ else if (!strcmp(arg, "-trusted_first"))
+ flags |= X509_V_FLAG_TRUSTED_FIRST;
 else
 return 0;
 
diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c
index 920066aeba3b0a..605b0f14b8f34c 100644
--- a/deps/openssl/openssl/crypto/x509/x509_vfy.c
+++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c
@@ -206,6 +206,22 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 /* If we are self signed, we break */
 if (ctx->check_issued(ctx, x,x)) break;
 
+ /* If asked see if we can find issuer in trusted store first */
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ {
+ ok = ctx->get_issuer(&xtmp, ctx, x);
+ if (ok < 0)
+ return ok;
+ /* If successful for now free up cert so it
+ * will be picked up again later.
+ */
+ if (ok > 0)
+ {
+ X509_free(xtmp);
+ break;
+ }
+ }
+
 /* If we were passed a cert chain, use it first */
 if (ctx->untrusted != NULL)
 {
diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.h b/deps/openssl/openssl/crypto/x509/x509_vfy.h
index fe09b30aaa62df..d53f3e38695031 100644
--- a/deps/openssl/openssl/crypto/x509/x509_vfy.h
+++ b/deps/openssl/openssl/crypto/x509/x509_vfy.h
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_USE_DELTAS 0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
 
 
 #define X509_VP_FLAG_DEFAULT 0x1
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index c088fe25db0d98..23a18a77a40621 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
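Review bot: The new `if (ok < 0) return ok;` leaves X509_verify_cert straight out of the chain-building loop; X509_verify_cert starts and ends outside this hunk, so if the function releases anything on its normal exit (a duplicated copy of `ctx->untrusted`, or error/depth bookkeeping in `ctx`), this path skips it — mirror whatever the existing `get_issuer` failure path later in the function does, for instance `if (ok < 0) goto end;` if such a label exists. The block also changes which chain gets built: once the flag is set and the trusted store yields an issuer for `x`, the peer-supplied untrusted chain is no longer consulted for this link, which is the security-relevant effect and deserves a sentence in the comment, e.g. `/* Prefer an issuer from the trusted store over the peer-supplied chain; the reference is dropped here and fetched again when the trusted part of the chain is built later */`. The `X509_free(xtmp)` relies on `get_issuer` returning a reference the caller owns — worth stating in that same comment.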
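Review bot: The one-line comment on `X509_V_FLAG_TRUSTED_FIRST` undersells a behaviour change callers need to understand: with the flag set, chain building in x509_vfy.c consults the trusted store for an issuer before the untrusted chain supplied by the peer, so a peer-sent intermediate is skipped whenever a trusted issuer for the same certificate exists. Suggest `/* Look for the issuer in the trusted store before the untrusted chain supplied by the peer (see X509_verify_cert) */` in place of `/* Use trusted store first */`. The same commit drops a legacy Verisign Class 3 root from node_root_certs.h, which is presumably the motivating case; naming it in the commit description would help future readers connect the two.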
@@ -350,6 +350,12 @@ void SecureContext::Init(const FunctionCallbackInfo& args) {
 SSL_CTX_sess_set_get_cb(sc->ctx_, SSLWrap::GetSessionCallback);
 SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap::NewSessionCallback);
 
+ if (sc->verify_param_ == nullptr) {
+ sc->verify_param_ = X509_VERIFY_PARAM_new();
+ X509_VERIFY_PARAM_set_flags(sc->verify_param_, X509_V_FLAG_TRUSTED_FIRST);
+ }
+ SSL_CTX_set1_param(sc->ctx_, sc->verify_param_);
+
 sc->ca_store_ = nullptr;
 }
 
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 4aa9a9e00ba79e..b9ad580cb2cf9f 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -56,6 +56,7 @@ class SecureContext : public BaseObject {
 
 static void Initialize(Environment* env, v8::Handle target);
 
+ X509_VERIFY_PARAM* verify_param_;
 X509_STORE* ca_store_;
 SSL_CTX* ctx_;
 X509* cert_;
@@ -92,6 +93,7 @@ class SecureContext : public BaseObject {
 
 SecureContext(Environment* env, v8::Local wrap)
 : BaseObject(env, wrap),
+ verify_param_(nullptr),
 ca_store_(nullptr),
 ctx_(nullptr),
 cert_(nullptr),
@@ -113,10 +115,13 @@ class SecureContext : public BaseObject {
 X509_free(cert_);
 if (issuer_ != nullptr)
 X509_free(issuer_);
+ if (verify_param_ != nullptr)
+ X509_VERIFY_PARAM_free(verify_param_);
 ctx_ = nullptr;
 ca_store_ = nullptr;
 cert_ = nullptr;
 issuer_ = nullptr;
+ verify_param_ = nullptr;
 } else {
 CHECK_EQ(ca_store_, nullptr);
 }
diff --git a/src/node_root_certs.h b/src/node_root_certs.h
index 6af5e9c97dfb8d..67bf765fe0bc94 100644
--- a/src/node_root_certs.h
+++ b/src/node_root_certs.h
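Review bot: `X509_VERIFY_PARAM_new()` returns NULL on allocation failure and its result is handed straight to `X509_VERIFY_PARAM_set_flags`, which would dereference it; the int results of `X509_VERIFY_PARAM_set_flags` and `SSL_CTX_set1_param` are dropped as well, so a failure to install the flag would leave the context verifying without it and nobody would know. In keeping with the CHECK style already used in this class (`CHECK_EQ(ca_store_, nullptr)` in node_crypto.h), add `CHECK_NE(sc->verify_param_, nullptr);` right after the `new`, and `CHECK_EQ(X509_VERIFY_PARAM_set_flags(sc->verify_param_, X509_V_FLAG_TRUSTED_FIRST), 1);` / `CHECK_EQ(SSL_CTX_set1_param(sc->ctx_, sc->verify_param_), 1);` for the two setters. SecureContext::Init starts and ends outside the hunk.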
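Review bot: In the @@ -113 hunk the `else` branch asserts `CHECK_EQ(ca_store_, nullptr)` but says nothing about the new member, although Init allocates `verify_param_` only together with `ctx_`, so the same invariant holds; a `CHECK_EQ(verify_param_, nullptr);` beside it would surface a leak if that coupling is ever broken (the enclosing cleanup function starts outside the hunk). The three hunks here (@@ -56, @@ -92, @@ -113) exist only to keep the X509_VERIFY_PARAM alive as a member, yet `SSL_CTX_set1_param` copies the parameters into `ctx_`, so unless a later change reads `verify_param_` back, a function-local object in Init freed right after `SSL_CTX_set1_param` would do the same job with no new member, initializer or destructor code — worth a comment on the member stating why it is retained if there is a reason.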
@@ -88,21 +88,6 @@
 "2zsmWLIodz2uFHdh1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4\n"
 "-----END CERTIFICATE-----\n",
 
-/* Verisign Class 3 Public Primary Certification Authority */
-"-----BEGIN CERTIFICATE-----\n"
-"MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMC\n"
-"VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQ\n"
-"cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgw\n"
-"MTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYD\n"
-"VQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGf\n"
-"MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ\n"
-"2RHP7gJYHyX3KqhEBarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaO\n"
-"IG+YD/isI19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G\n"
-"CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Dolbwdj2ws\n"
-"qFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNycAA9WjQKZ7aKQRUzk\n"
-"uxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k\n"
-"-----END CERTIFICATE-----\n",
-
 /* Verisign Class 3 Public Primary Certification Authority - G2 */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJBgNVBAYT\n"