|
| 1 | +// Flags: --experimental-dtls --no-warnings |
| 2 | + |
| 3 | +// Test: cipher and ECDH-curve selection and validation. |
| 4 | + |
| 5 | +import { hasCrypto, skip, mustCall, mustNotCall } from '../common/index.mjs'; |
| 6 | +import assert from 'node:assert'; |
| 7 | +import * as fixtures from '../common/fixtures.mjs'; |
| 8 | + |
| 9 | +const { strictEqual, throws } = assert; |
| 10 | +const { readKey } = fixtures; |
| 11 | + |
| 12 | +if (!hasCrypto) { |
| 13 | + skip('missing crypto'); |
| 14 | +} |
| 15 | + |
| 16 | +if (!process.features.dtls) { |
| 17 | + skip('DTLS is not enabled'); |
| 18 | +} |
| 19 | + |
| 20 | +const { listen, connect } = await import('node:dtls'); |
| 21 | + |
| 22 | +const cert = readKey('agent1-cert.pem').toString(); |
| 23 | +const key = readKey('agent1-key.pem').toString(); |
| 24 | +const ca = readKey('ca1-cert.pem').toString(); |
| 25 | + |
| 26 | +const CIPHER = 'ECDHE-RSA-AES128-GCM-SHA256'; |
| 27 | + |
| 28 | +// Case 1: a specific cipher is negotiated and reported on both peers. |
| 29 | +{ |
| 30 | + const gotServerSession = Promise.withResolvers(); |
| 31 | + |
| 32 | + const server = listen(mustCall((session) => { |
| 33 | + gotServerSession.resolve(session); |
| 34 | + }), { cert, key, port: 0, host: '127.0.0.1', ciphers: CIPHER }); |
| 35 | + |
| 36 | + const client = connect('127.0.0.1', server.address.port, { |
| 37 | + ca: [ca], |
| 38 | + rejectUnauthorized: false, |
| 39 | + ciphers: CIPHER, |
| 40 | + }); |
| 41 | + |
| 42 | + await client.opened; |
| 43 | + const serverSession = await gotServerSession.promise; |
| 44 | + await serverSession.opened; |
| 45 | + |
| 46 | + strictEqual(client.cipher.name, CIPHER); |
| 47 | + strictEqual(serverSession.cipher.name, CIPHER); |
| 48 | + |
| 49 | + await client.close(); |
| 50 | + await server.close(); |
| 51 | +} |
| 52 | + |
| 53 | +// Case 2: an invalid cipher list is rejected. |
| 54 | +throws(() => listen(mustNotCall(), { |
| 55 | + cert, key, port: 0, host: '127.0.0.1', ciphers: 'THIS-IS-NOT-A-CIPHER', |
| 56 | +}), { code: 'ERR_CRYPTO_OPERATION_FAILED' }); |
| 57 | + |
| 58 | +// Case 3: a valid ECDH curve completes a handshake. |
| 59 | +{ |
| 60 | + const server = listen(mustCall(), { |
| 61 | + cert, key, port: 0, host: '127.0.0.1', ecdhCurve: 'P-256', |
| 62 | + }); |
| 63 | + |
| 64 | + const client = connect('127.0.0.1', server.address.port, { |
| 65 | + ca: [ca], |
| 66 | + rejectUnauthorized: false, |
| 67 | + ecdhCurve: 'P-256', |
| 68 | + }); |
| 69 | + |
| 70 | + await client.opened; |
| 71 | + |
| 72 | + await client.close(); |
| 73 | + await server.close(); |
| 74 | +} |
| 75 | + |
| 76 | +// Case 4: an invalid ECDH curve is rejected. |
| 77 | +throws(() => listen(mustNotCall(), { |
| 78 | + cert, key, port: 0, host: '127.0.0.1', ecdhCurve: 'not-a-curve', |
| 79 | +}), { code: 'ERR_CRYPTO_OPERATION_FAILED' }); |
0 commit comments