Native SPKAC support

[jas-]

crypto: Native SPKAC support

Implements new class 'Certificate' within crypto object
for working with SPKAC's (signed public key & challenge)
natively.

bool Certificate::verifySpkac(buffer)
buffer Certificate::exportPublicKey(buffer)
buffer Certificate::exportChallenge(buffer)

[Nodejs-Jenkins]

Thank you for contributing this pull request! Here are a few pointers to make sure your submission will be considered for inclusion.

The following commiters were not found in the CLA:

• jas-

You can fix all these things without opening another issue.

Please see CONTRIBUTING.md for more information

[trevnorris]

@jas- ObjectWrap has been removed from core usage on master. I'll write another diff for you to apply and fix this issue.

[trevnorris]

@jas- Assuming your remote's name to joyent/node is upstream, do the following steps:

$ git checkout openssl-spkac
$ git fetch upstream
$ git reset --hard upstream/master
$ curl 'https://gist.github.com/trevnorris/6925027/raw/a6ba4075340a469cca0a1c993c8009991afde1d3/pr6330.patch' | git am
$ git push -f origin openssl-spkac

I've edited your patch to work on latest master. Once this is done, ping me and it should be ready for merge. Also, if you haven't, please sign the CLA as noted above.

[jas-]

@trevnorris how can I pay better attention to core API changes such as this in the future? I used the docs and current usage when creating a new branch based on master while tracking v.0.11.7-release and still missed that change. Thanks for all of your tips and assistance!

[trevnorris]

@jas- master is usually moving quickly, and most of it is internal. The best thing I've found is to do a git log -- <file> on the file I'll be making changes to. That'll let me know what's been going on most recently. Also, helping the community keep up is one reason we're here. :)

[jas-]

@trevnorris That is good information. Again I appreciate your help. Should I close the other open issue for this PR?

My old dev env got wiped out so I rebuilt it from scratch. Although I used the same branch name after forking node core it didn't update the existing PR. There is still quite a bit I need to learn about git.

[bnoordhuis]

s/String::New/FIXED_ONE_BYTE_STRING/

[jas-]

Should I use the node_isolate arg? (ie FIXED_ONE_BYTE_STRING(node_isolate, "Certificate"))

[trevnorris]

yes

[jas-]

Fixed. Thanks.

[bnoordhuis]

i = NETSCAPE_SPKI_verify(spki, pkey) > 0;? Right now, VerifySpkac() returns true when NETSCAPE_SPKI_verify() returns -1.

[jas-]

Doh! Fixed, thanks.

[bnoordhuis]

Last round of comments. If you fix these up, I'm pretty sure we're there. :-)

[bnoordhuis]

Sorry, maybe I didn't make myself clear: the thing is that the len parameter is never < 0, right? So in that case it could (and arguably should) be an unsigned int. The bool return value was perfectly okay, I had no beef with that.

[jas-]

Whoops, fixed. Thanks.

[bnoordhuis]

Thanks Jason, landed in 7f66e44. Feel like writing documentation for it?

[jas-]

@bnoordhuis Sure, example app too?

[isaacs]

This fails its test on OS X and SmartOS. Reverted on d9b4cc3 and a555992.

That being said, I would love to see this functionality in Node, and have no objection to it. Reopening this pull req so we can investigate.

[isaacs]

I'm very rarely getting garbage characters after the result. Added some logging in the test:

console.error('%j', stripLineEndings(certificate.exportPublicKey(spkacValid).toString('utf8')));
console.error('%j', stripLineEndings(spkacPem.toString('utf8')));

and I see this:

"-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcvQh9SKOPv4DwI8LwSaFx02h7l9QCiDs6sF2GfsSTEUG61SnjQ/v4uJiLKBgbVOagj9rkSCwtTez23ATPeGaBj2Zgipv+tv5IXyqUP8ropXJQ5ELtaXPUN/gvw7cO5EbPHr/7eMhbpw8Gl+AfWxW5hLW8MGw/+AwwjHBOwong/QIDAQAB-----END PUBLIC KEY-----�\u0002\u000e\u0010"
"-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcvQh9SKOPv4DwI8LwSaFx02h7l9QCiDs6sF2GfsSTEUG61SnjQ/v4uJiLKBgbVOagj9rkSCwtTez23ATPeGaBj2Zgipv+tv5IXyqUP8ropXJQ5ELtaXPUN/gvw7cO5EbPHr/7eMhbpw8Gl+AfWxW5hLW8MGw/+AwwjHBOwong/QIDAQAB-----END PUBLIC KEY-----"

[jas-]

@isaacs I have come across this in more extensive testing as well. @bnoordhuis I alleviated this problem using the buf[ptr->length - 1] = '\0'; when exporting the public key.

I am trying to track this down in the OpenSSL libs, I believe it to be stemming from the BIO_get_mem_ptr() call possibly leaking extraneous memory. I suppose I could look into possibly removing this call and using the lower level BIO_ctrl().

[isaacs]

@jas- Awesome, thanks for continuing to plug away on it.

[jas-]

@isaacs I think I may be it resolved, can you test? I am not seeing it now.

Architecture: Linux node.dev 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Node: v0.11.8-pre

It seems that using BIO_write(bio, "\0", 1) I can set the pointer referenced within the PEM_write_bio_PUBKEY() return struct vs. attempting to overwrite the last bit using the buf[ptr->length - 1] = '\0'; as to not introduce an underflow problem.

Ah OpenSSL how I love digging through your BIO_ functions.

[trevnorris]

All tests are passing. I'm going to re-merge this and the docs fix. Nice job @jas-.

[jas-]

@trevnorris No problem, hope it solves it. Perhaps I should put together a more robust test case?

[trevnorris]

Was merged again in 7bf46ba

[isaacs]

Thanks!

[jas-]

@isaacs, @bnoordhuis & @trevnorris I realize you have already merged this but as it is my first submission and I already feel like I made a few rookie mistakes and wanted a more robust test case I whipped this up based on SPKAC's generated from multiple private keys of various size as well as various hashing algorithms.

Also I have been lurking on IRC as I wanted to ask if it would be a beneficial feature to generate new SPKAC (useful for OAuth server -> server auth cases) as well as certificate generation (CSR's come to mind).

In any event, thanks for all of the pointers too.

[bnoordhuis]

@jas- If you have a better test case, well, you know, we take patches. ;-)

[jas-]

@bnoordhuis Fair enough.