feat: support client certificates for connectTls (#11598)

Co-authored-by: Daniel Lamando <dan@danopia.net> Co-authored-by: Erik Price <github@erikprice.net>
2025-08-04 10:59:13 +00:00 · 2021-08-09 15:55:00 +02:00 · 2021-08-09 15:55:00 +02:00 · 3ab50b3551
commit 3ab50b3551
parent f402904e6e
6 changed files with 262 additions and 36 deletions
--- a/cli/tests/unit/tls_test.ts
+++ b/cli/tests/unit/tls_test.ts
@ -11,6 +11,7 @@ import {
  unitTest,
 } from "./test_util.ts";
 import { BufReader, BufWriter } from "../../../test_util/std/io/bufio.ts";
+import { readAll } from "../../../test_util/std/io/util.ts";
 import { TextProtoReader } from "../../../test_util/std/textproto/mod.ts";

 const encoder = new TextEncoder();
@ -26,7 +27,7 @@ function unreachable(): never {

 unitTest(async function connectTLSNoPerm() {
  await assertThrowsAsync(async () => {
-    await Deno.connectTls({ hostname: "github.com", port: 443 });
+    await Deno.connectTls({ hostname: "deno.land", port: 443 });
  }, Deno.errors.PermissionDenied);
 });

@ -51,7 +52,7 @@ unitTest(
 unitTest(async function connectTLSCertFileNoReadPerm() {
  await assertThrowsAsync(async () => {
    await Deno.connectTls({
-      hostname: "github.com",
+      hostname: "deno.land",
      port: 443,
      certFile: "cli/tests/tls/RootCA.crt",
    });
@ -985,3 +986,66 @@ unitTest(
    conn.close();
  },
 );
+
+unitTest(
+  { perms: { read: true, net: true } },
+  async function connectTLSBadClientCertPrivateKey(): Promise<void> {
+    await assertThrowsAsync(async () => {
+      await Deno.connectTls({
+        hostname: "deno.land",
+        port: 443,
+        certChain: "bad data",
+        privateKey: await Deno.readTextFile("cli/tests/tls/localhost.key"),
+      });
+    }, Deno.errors.InvalidData);
+  },
+);
+
+unitTest(
+  { perms: { read: true, net: true } },
+  async function connectTLSBadPrivateKey(): Promise<void> {
+    await assertThrowsAsync(async () => {
+      await Deno.connectTls({
+        hostname: "deno.land",
+        port: 443,
+        certChain: await Deno.readTextFile("cli/tests/tls/localhost.crt"),
+        privateKey: "bad data",
+      });
+    }, Deno.errors.InvalidData);
+  },
+);
+
+unitTest(
+  { perms: { read: true, net: true } },
+  async function connectTLSNotPrivateKey(): Promise<void> {
+    await assertThrowsAsync(async () => {
+      await Deno.connectTls({
+        hostname: "deno.land",
+        port: 443,
+        certChain: await Deno.readTextFile("cli/tests/tls/localhost.crt"),
+        privateKey: "",
+      });
+    }, Deno.errors.InvalidData);
+  },
+);
+
+unitTest(
+  { perms: { read: true, net: true } },
+  async function connectWithClientCert() {
+    // The test_server running on port 4552 responds with 'PASS' if client
+    // authentication was successful. Try it by running test_server and
+    //   curl --key cli/tests/tls/localhost.key \
+    //        --cert cli/tests/tls/localhost.crt \
+    //        --cacert cli/tests/tls/RootCA.crt https://localhost:4552/
+    const conn = await Deno.connectTls({
+      hostname: "localhost",
+      port: 4552,
+      certChain: await Deno.readTextFile("cli/tests/tls/localhost.crt"),
+      privateKey: await Deno.readTextFile("cli/tests/tls/localhost.key"),
+      certFile: "cli/tests/tls/RootCA.crt",
+    });
+    const result = decoder.decode(await readAll(conn));
+    assertEquals(result, "PASS");
+    conn.close();
+  },
+);