denoland-deno/tests/unit/tls_sni_test.ts

// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
import { assertEquals, assertRejects } from "./test_util.ts";
// @ts-expect-error TypeScript (as of 3.7) does not support indexing namespaces by symbol
const { resolverSymbol, serverNameSymbol } = Deno[Deno.internal];

const cert = Deno.readTextFileSync("tests/testdata/tls/localhost.crt");
const key = Deno.readTextFileSync("tests/testdata/tls/localhost.key");
const certEcc = Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.crt");
const keyEcc = Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.key");

Deno.test(
  { permissions: { net: true, read: true } },
  async function listenResolver() {
    const sniRequests: string[] = [];
    const keys: Record<string, { cert: string; key: string }> = {
      "server-1": { cert, key },
      "server-2": { cert: certEcc, key: keyEcc },
      "fail-server-3": { cert: "(invalid)", key: "(bad)" },
    };
    const opts: unknown = {
      hostname: "localhost",
      port: 0,
      [resolverSymbol]: (sni: string) => {
        sniRequests.push(sni);
        return keys[sni]!;
      },
    };
    // @ts-ignore Trust me
    const listener = Deno.listenTls(opts);

    for (
      const server of ["server-1", "server-2", "fail-server-3", "fail-server-4"]
    ) {
      const conn = await Deno.connectTls({
        hostname: "localhost",
        [serverNameSymbol]: server,
        port: listener.addr.port,
      });
      const serverConn = await listener.accept();
      if (server.startsWith("fail-")) {
        await assertRejects(async () => await conn.handshake());
        await assertRejects(async () => await serverConn.handshake());
      } else {
        await conn.handshake();
        await serverConn.handshake();
      }
      conn.close();
      serverConn.close();
    }

    assertEquals(sniRequests, [
      "server-1",
      "server-2",
      "fail-server-3",
      "fail-server-4",
    ]);
    listener.close();
  },
);
refactor(ext/tls): Implement required functionality for later SNI support (#23686) Precursor to #23236 This implements the SNI features, but uses private symbols to avoid exposing the functionality at this time. Note that to properly test this feature, we need to add a way for `connectTls` to specify a hostname. This is something that should be pushed into that API at a later time as well. ```ts Deno.test( { permissions: { net: true, read: true } }, async function listenResolver() { let sniRequests = []; const listener = Deno.listenTls({ hostname: "localhost", port: 0, [resolverSymbol]: (sni: string) => { sniRequests.push(sni); return { cert, key, }; }, }); { const conn = await Deno.connectTls({ hostname: "localhost", [serverNameSymbol]: "server-1", port: listener.addr.port, }); const [_handshake, serverConn] = await Promise.all([ conn.handshake(), listener.accept(), ]); conn.close(); serverConn.close(); } { const conn = await Deno.connectTls({ hostname: "localhost", [serverNameSymbol]: "server-2", port: listener.addr.port, }); const [_handshake, serverConn] = await Promise.all([ conn.handshake(), listener.accept(), ]); conn.close(); serverConn.close(); } assertEquals(sniRequests, ["server-1", "server-2"]); listener.close(); }, ); ``` --------- Signed-off-by: Matt Mastracci <matthew@mastracci.com> 2024-05-09 12:54:47 -04:00			`// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.`
			`import { assertEquals, assertRejects } from "./test_util.ts";`
			`// @ts-expect-error TypeScript (as of 3.7) does not support indexing namespaces by symbol`
			`const { resolverSymbol, serverNameSymbol } = Deno[Deno.internal];`

			`const cert = Deno.readTextFileSync("tests/testdata/tls/localhost.crt");`
			`const key = Deno.readTextFileSync("tests/testdata/tls/localhost.key");`
			`const certEcc = Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.crt");`
			`const keyEcc = Deno.readTextFileSync("tests/testdata/tls/localhost_ecc.key");`

			`Deno.test(`
			`{ permissions: { net: true, read: true } },`
			`async function listenResolver() {`
			`const sniRequests: string[] = [];`
			`const keys: Record<string, { cert: string; key: string }> = {`
			`"server-1": { cert, key },`
			`"server-2": { cert: certEcc, key: keyEcc },`
			`"fail-server-3": { cert: "(invalid)", key: "(bad)" },`
			`};`
			`const opts: unknown = {`
			`hostname: "localhost",`
			`port: 0,`
			`[resolverSymbol]: (sni: string) => {`
			`sniRequests.push(sni);`
			`return keys[sni]!;`
			`},`
			`};`
BREAKING(net): remove `Deno.ConnectTlsOptions.{certChain,certFile,privateKey}` and `Deno.ListenTlsOptions.certChain,certFile,keyFile}` (#25525) Towards #22079 2024-09-10 17:55:42 -04:00			`// @ts-ignore Trust me`
			`const listener = Deno.listenTls(opts);`
refactor(ext/tls): Implement required functionality for later SNI support (#23686) Precursor to #23236 This implements the SNI features, but uses private symbols to avoid exposing the functionality at this time. Note that to properly test this feature, we need to add a way for `connectTls` to specify a hostname. This is something that should be pushed into that API at a later time as well. ```ts Deno.test( { permissions: { net: true, read: true } }, async function listenResolver() { let sniRequests = []; const listener = Deno.listenTls({ hostname: "localhost", port: 0, [resolverSymbol]: (sni: string) => { sniRequests.push(sni); return { cert, key, }; }, }); { const conn = await Deno.connectTls({ hostname: "localhost", [serverNameSymbol]: "server-1", port: listener.addr.port, }); const [_handshake, serverConn] = await Promise.all([ conn.handshake(), listener.accept(), ]); conn.close(); serverConn.close(); } { const conn = await Deno.connectTls({ hostname: "localhost", [serverNameSymbol]: "server-2", port: listener.addr.port, }); const [_handshake, serverConn] = await Promise.all([ conn.handshake(), listener.accept(), ]); conn.close(); serverConn.close(); } assertEquals(sniRequests, ["server-1", "server-2"]); listener.close(); }, ); ``` --------- Signed-off-by: Matt Mastracci <matthew@mastracci.com> 2024-05-09 12:54:47 -04:00
			`for (`
			`const server of ["server-1", "server-2", "fail-server-3", "fail-server-4"]`
			`) {`
			`const conn = await Deno.connectTls({`
			`hostname: "localhost",`
			`[serverNameSymbol]: server,`
			`port: listener.addr.port,`
			`});`
			`const serverConn = await listener.accept();`
			`if (server.startsWith("fail-")) {`
			`await assertRejects(async () => await conn.handshake());`
			`await assertRejects(async () => await serverConn.handshake());`
			`} else {`
			`await conn.handshake();`
			`await serverConn.handshake();`
			`}`
			`conn.close();`
			`serverConn.close();`
			`}`

			`assertEquals(sniRequests, [`
			`"server-1",`
			`"server-2",`
			`"fail-server-3",`
			`"fail-server-4",`
			`]);`
			`listener.close();`
			`},`
			`);`