diff options
| author | Evan <96965321+0xIchigo@users.noreply.github.com> | 2023-08-14 20:11:12 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-15 00:11:12 +0000 |
| commit | ece2a3de5b19588160634452638aa656218853c5 (patch) | |
| tree | 55a42d0180942300fc22d3fdc70ca0a0c9b92cf8 | |
| parent | 625bd3905047173390eeaffd0ffcbb0bf340bb52 (diff) | |
fix(ext/net): implement a graceful error on an invalid SSL certificate (#20157)
The goal of this PR is to address issue #19520 where Deno panics when
encountering an invalid SSL certificate.
This PR achieves that goal by removing an `.expect()` statement and
implementing a match statement on `tsl_config` (found in
[/ext/net/ops_tsl.rs](https://github.com/denoland/deno/blob/e071382768fa57b5288a6a5ba90e73bf5870b169/ext/net/ops_tls.rs#L1058))
to check whether the desired configuration is valid
---------
Co-authored-by: Matt Mastracci <matthew@mastracci.com>
| -rw-r--r-- | cli/tests/testdata/tls/invalid.crt | 3 | ||||
| -rw-r--r-- | cli/tests/testdata/tls/invalid.key | 3 | ||||
| -rw-r--r-- | cli/tests/unit/tls_test.ts | 28 | ||||
| -rw-r--r-- | ext/net/ops_tls.rs | 8 |
4 files changed, 41 insertions, 1 deletions
diff --git a/cli/tests/testdata/tls/invalid.crt b/cli/tests/testdata/tls/invalid.crt new file mode 100644 index 000000000..688e32ede --- /dev/null +++ b/cli/tests/testdata/tls/invalid.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +INVALID +-----END CERTIFICATE----- diff --git a/cli/tests/testdata/tls/invalid.key b/cli/tests/testdata/tls/invalid.key new file mode 100644 index 000000000..b57bc2f68 --- /dev/null +++ b/cli/tests/testdata/tls/invalid.key @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +INVALID +-----END PRIVATE KEY----- diff --git a/cli/tests/unit/tls_test.ts b/cli/tests/unit/tls_test.ts index 1f0702f62..8162c53b5 100644 --- a/cli/tests/unit/tls_test.ts +++ b/cli/tests/unit/tls_test.ts @@ -1491,3 +1491,31 @@ Deno.test({ }); listener.close(); }); + +Deno.test( + { permissions: { net: true, read: true } }, + function listenTLSInvalidCert() { + assertThrows(() => { + Deno.listenTls({ + hostname: "localhost", + port: 3500, + certFile: "cli/tests/testdata/tls/invalid.crt", + keyFile: "cli/tests/testdata/tls/localhost.key", + }); + }, Deno.errors.InvalidData); + }, +); + +Deno.test( + { permissions: { net: true, read: true } }, + function listenTLSInvalidKey() { + assertThrows(() => { + Deno.listenTls({ + hostname: "localhost", + port: 3500, + certFile: "cli/tests/testdata/tls/localhost.crt", + keyFile: "cli/tests/testdata/tls/invalid.key", + }); + }, Deno.errors.InvalidData); + }, +); diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index ac9c80f7a..7b1cb4e0a 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -1055,7 +1055,13 @@ where .with_safe_defaults() .with_no_client_auth() .with_single_cert(cert_chain, key_der) - .expect("invalid key or certificate"); + .map_err(|e| { + custom_error( + "InvalidData", + format!("Error creating TLS certificate: {:?}", e), + ) + })?; + if let Some(alpn_protocols) = args.alpn_protocols { tls_config.alpn_protocols = alpn_protocols.into_iter().map(|s| s.into_bytes()).collect(); |