Doc and test cert apis

[sam-github]

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

doc,test,tls

Description of change

• doc,test: tls .ca option supports multi-PEM files
• test: tls cert chain completion scenarios
• doc: use correct tls certificate property name
• test: check tls server verification with addCACert
• test: move common tls connect setup into fixtures

[sam-github]

That last, test: getgroups() may contain duplicate GIDs is technically unrelated, though I need it for make test to pass on my system, I could move it to another PR. @Trott

[sam-github]

/cc @nodejs/crypto

[jasnell]

Just marking this so this doesn't accidentally get merged without this being resolved.

[sam-github]

good catch, I'll investigate

[gibfahn]

Mostly looks great. Couple of issues, and if you could add a comment explaining purpose to the tests that don't have them that'd be great (not required).

[gibfahn]

If the chain was requested

Maybe use the detailed chain or the full certificate chain? It's already unambiguous, but this might be clearer.

[sam-github]

done

[gibfahn]

The peer's certificate chain must be signed by a trusted CA

the certificate's root CA or the self-signed certificate must be specified as a trusted CA

I don't really understand this, are you saying that one of these three things must be true? Aren't these sentences contradictory?

What's the difference between trusted and well-known? Do they mean the same thing?

the certificate's root CA

Should this be the certificate chain's root CA?

[sam-github]

I attempted to clarify, by using less terminology, trying to use the terminology more consistently, and breaking out the self-signed clause as its own special case/sententce.

PTAL to see if your questions above are answered. I don't want to answer them inline in github, because if the documentation doesn't answer the questions, its not suceeding as documentation.

[gibfahn]

According to the test writing guide, the order should be:

• use strict
• require common
• comment explaining test purpose (not required)
• other requires.

1   'use strict';
2   const common = require('../common');
3
4   // This test ensures that the http-parser can handle UTF-8 characters
5   // in the http header.
6
7   const http = require('http');
8   const assert = require('assert');

[sam-github]

reorganized as above, except that I always sort require statements lexicographically, I'm a bit surprised the test guide doesn't.

[gibfahn]

@sam-github Why not submit a PR 😉

[sam-github]

#10716

[gibfahn]

Order (as above)

[sam-github]

@gibfahn @jasnell addressed your comments, thanks, PTAL

[mhdawson]

LGTM

[jasnell]

@gibfahn ... are you good with this now?

[gibfahn]

Some more nits

I don't know much about how this stuff works, so can provide new user feedback!

[gibfahn]

I think the order is still wrong here (also doesn't it need a 'use strict'?)

[sam-github]

Order is consistent with test/fixtures/*.js, the folder its in, and also with lib/**/*.js

This is not a unit test, notice - and I'm not sure why unit tests don't put their descriptive comment as the first lines, seems more useful. Maybe existing practice?

I added a use strict, thanks.

[gibfahn]

it's -> its

[gibfahn]

and any string or Buffer can contain -> or a string or Buffer containing

any is confusing here (for me)

[sam-github]

"and" is intended, its not an "or". broke the sentence up into two.

[gibfahn]

The peer's certificate must be chainable to a CA trusted by the server

Does a CA trusted by the server mean one of the CAs provided in this option? If so maybe:

to a CA trusted by the server -> to one of the provided CAs

[sam-github]

@gibfahn Can you please re-read the first two sentences in the paragraph again? They define a trusted CA, and they define the defaults. Your suggested replacement ignores that there are defaults, it appears to me.

[sam-github]

@gibfahn PTAL

[gibfahn]

strings and Buffers -> strings and/or Buffers

[gibfahn]

specify->override

[gibfahn]

Suggestion:

When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate. For self-signed certificates, the certificate is its own CA, and must be explicitly specified as trusted.

If a connection uses a certificate that doesn't match or chain to one of the default CAs, you need to use the ca option to provide an alternate CA that the connection certificate can match or chain to. For self-signed certificates, the certificate is its own CA, and must be provided.

I don't love the wording I'm suggesting, but I think it's a little clearer.

[sam-github]

@gibfahn PTAL, I replaced use of "you" (not allowed by our doc style), and also "connection certificate" with "peer certificate", because there are up to two certs in a connection, and the .ca option should be used for the peers cert, not the local cert.

[sam-github]

sorry @MylesBorins , it did not, see #12468