tls, https: add passphrase option

Fixes #1925.

9 files changed, 135 insertions, 4 deletions

diff --git a/doc/api/https.markdown b/doc/api/https.markdown
index 0aa6b19fc..475a2895a 100644
--- a/doc/api/https.markdown
+++ b/doc/api/https.markdown
@@ -90,6 +90,7 @@ The following options from [tls.connect()](tls.html#tls.connect) can also be
 specified. However, a [globalAgent](#https.globalAgent) silently ignores these.
 
 - `key`: Private key to use for SSL. Default `null`.
+- `passphrase`: A string of passphrase for the private key. Default `null`.
 - `cert`: Public x509 certificate to use. Default `null`.
 - `ca`: An authority certificate or array of authority certificates to check
   the remote host against.
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index 05a43200f..06c2ea4f8 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -37,6 +37,8 @@ The `options` object has these possibilities:
   - `key`: A string or `Buffer` containing the private key of the server in
     PEM format. (Required)
 
+  - `passphrase`: A string of passphrase for the private key.
+
   - `cert`: A string or `Buffer` containing the certificate key of the server in
     PEM format. (Required)
 
@@ -106,7 +108,9 @@ Creates a new client connection to the given `port` and `host`. (If `host`
 defaults to `localhost`.) `options` should be an object which specifies
 
   - `key`: A string or `Buffer` containing the private key of the client in
-    PEM format. (Required)
+    PEM format.
+
+  - `passphrase`: A string of passphrase for the private key.
 
   - `cert`: A string or `Buffer` containing the certificate key of the client in
     PEM format.
diff --git a/lib/crypto.js b/lib/crypto.js
index 85bbbcd65..6244f2c8d 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -76,7 +76,13 @@ exports.createCredentials = function(options, context) {
 
   if (context) return c;
 
-  if (options.key) c.context.setKey(options.key);
+  if (options.key) {
+    if (options.passphrase) {
+      c.context.setKey(options.key, options.passphrase);
+    } else {
+      c.context.setKey(options.key);
+    }
+  }
 
   if (options.cert) c.context.setCert(options.cert);
 
diff --git a/lib/tls.js b/lib/tls.js
index 35da95bc4..21bb2af07 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -846,6 +846,7 @@ function Server(/* [options], listener */) {
 
   var sharedCreds = crypto.createCredentials({
     key: self.key,
+    passphrase: self.passphrase,
     cert: self.cert,
     ca: self.ca,
     ciphers: self.ciphers,
@@ -928,6 +929,7 @@ Server.prototype.setOptions = function(options) {
   }
 
   if (options.key) this.key = options.key;
+  if (options.passphrase) this.passphrase = options.passphrase;
   if (options.cert) this.cert = options.cert;
   if (options.ca) this.ca = options.ca;
   if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index b935aa7f0..5edc6bead 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -223,14 +223,21 @@ Handle<Value> SecureContext::SetKey(const Arguments& args) {
 
   SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
 
-  if (args.Length() != 1) {
+  unsigned int len = args.Length();
+  if (len != 1 && len != 2) {
+    return ThrowException(Exception::TypeError(String::New("Bad parameter")));
+  }
+  if (len == 2 && !args[1]->IsString()) {
     return ThrowException(Exception::TypeError(String::New("Bad parameter")));
   }
 
   BIO *bio = LoadBIO(args[0]);
   if (!bio) return False();
 
-  EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+  String::Utf8Value passphrase(args[1]->ToString());
+
+  EVP_PKEY* key = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+                                          len == 1 ? NULL : *passphrase);
 
   if (!key) {
     BIO_free(bio);
diff --git a/test/fixtures/pass-cert.pem b/test/fixtures/pass-cert.pem
new file mode 100644
index 000000000..b836669d3
--- /dev/null
+++ b/test/fixtures/pass-cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2TCCAUICCQClVOBBLf4XmjANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xEjAQBgNVBAoUCW5vZGVqc19qcDAeFw0xMTEwMjYx
+NjA5MjdaFw0xMTExMjUxNjA5MjdaMDExCzAJBgNVBAYTAkpQMQ4wDAYDVQQIEwVU
+b2t5bzESMBAGA1UEChQJbm9kZWpzX2pwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQChmQeFwsaomtQbw9Nm55Dn6KSR9bkY8PDroQUeTNa90BlIbhGsKYm4l7bE
+RaasFgOrkcQpk45fdDVYPjKxraZiGXXKjSIDYeDAIC/+CkwQKrejgCPmJs4gV4g+
+npvwi1gVr2NAg7fkJOyEW2TDp4dsAD8qtG8Aml0C1hJXwFYmBwIDAQABMA0GCSqG
+SIb3DQEBBQUAA4GBABVM2a2srG/MVGQsjYkY96hywSI6jNf2XNHYsB3PuTXOHijT
+PoO6r0u69LgZCxr+Z/3GQ/ZELfKDsbv5IgfoyVnYikybJU9qfApH3B7hxECvw9rv
+gEnYvEu6jsRtw6n5yz+lrDpFUrks0ky6YJ4+dxq0qCyXn7WcjBEcjdNgLTIm
+-----END CERTIFICATE-----
diff --git a/test/fixtures/pass-csr.pem b/test/fixtures/pass-csr.pem
new file mode 100644
index 000000000..8436f5105
--- /dev/null
+++ b/test/fixtures/pass-csr.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBcDCB2gIBADAxMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEjAQBgNV
+BAoUCW5vZGVqc19qcDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoZkHhcLG
+qJrUG8PTZueQ5+ikkfW5GPDw66EFHkzWvdAZSG4RrCmJuJe2xEWmrBYDq5HEKZOO
+X3Q1WD4ysa2mYhl1yo0iA2HgwCAv/gpMECq3o4Aj5ibOIFeIPp6b8ItYFa9jQIO3
+5CTshFtkw6eHbAA/KrRvAJpdAtYSV8BWJgcCAwEAAaAAMA0GCSqGSIb3DQEBBQUA
+A4GBAC9g7s3rG6G7JSTUOizY1u9Ij6QM9Y6PqQthr4OJHa+Hln5FJQahpgJmA4kC
+WYoWvBMBgFPFBCYAj0yMPohrlAwlbd9MADe4gg3lxuO9UxXDzp/lOVRBAEa4n5i+
+Lw7VEiJtPha4NXgeNzxi5OyBJwxAOPFwsyCdR0SynlifTFHI
+-----END CERTIFICATE REQUEST-----
diff --git a/test/fixtures/pass-key.pem b/test/fixtures/pass-key.pem
new file mode 100644
index 000000000..9a0c5f158
--- /dev/null
+++ b/test/fixtures/pass-key.pem
@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,CE30CF10CDD3C074
+
+A9Vjoxw1Z6pfyxMHXxDi88JVcLN0uWJAjo97nsdzV1cYmEk4bQUe6XVu8UGCzbYX
+1RVeglOwyKfp631l5j5KHNfzA4lEU46uqAkRZbkzaHg6sVK7nuSBamiDqkO+BSEU
+kDCDqImcx+wUXjlFsYc2UO3DJen8QVEVYQthpxqS7UGh6SCGKyb8FzHu+nzOtRrZ
+y2Y9r8vyllH5+qxyGymkJJgPGYd9a/q3uTjxjBsb252SC6JEMt/njXdtlt3zUCQl
+8aEok8xXIyDFsrhkQ1chXYt/neWdgVh+R9HulVvSLKkACSfX19F2ooIIWhoml4C1
+VE9iX7wytbD7LxLK4kWQL0sRi0MQPwBEag6m9K6skcsN8qIRJwJZeevc3xw+08uI
+IqUL4Ouy+eNMYQIxxgKBcgVWV51X1HWCcwjBkDp9x/qU+URKBmGcpTKEiOrKGG/I
+8JN3IreJU5EhtGqE15J4ep/hS4CwJ9+CFysRs0vFCw24GS+O2CXWT9rgza4VX1we
+dUVnGGodJcXgAf0sNECm8zYk2fjy1SICm+fknsN466d2pmCO43/WpBhZyjbLEHsJ
+a5pUVQroZdU2W70eGh2yIGVrMmgVbYPitTBafruW8w03oarG4XWA4caEmJMEVC68
+WZxuQ1Wg1J+fNl+Klq3b+4yImmoFrelh2gBANwYKnE9Z+JLtfv01et9DNOXR2DQM
+6pPzrL0JUHetqko4mJTVNvW8h/Jv+0UVwmxmwm6mR4IBcKwQyY5V5VqeFfnXlvM1
+xpg33AEKNquAPC8G4pIHwG4aBo9fLp+I3cxPuY6dnR6i2tyQ5ONvvw==
+-----END RSA PRIVATE KEY-----
diff --git a/test/simple/test-tls-passphrase.js b/test/simple/test-tls-passphrase.js
new file mode 100644
index 000000000..7dbb1d711
--- /dev/null
+++ b/test/simple/test-tls-passphrase.js
@@ -0,0 +1,71 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+if (!process.versions.openssl) {
+  console.error('Skipping because node compiled without OpenSSL.');
+  process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+var fs = require('fs');
+var path = require('path');
+
+var key = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem'));
+var cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem'));
+
+var server = tls.Server({
+  key: key,
+  passphrase: 'passphrase',
+  cert: cert,
+  ca: [ cert ],
+  requestCert: true,
+  rejectUnauthorized: true
+}, function(s) {
+  s.end();
+});
+
+var connectCount = 0;
+server.listen(common.PORT, function() {
+  var c = tls.connect(common.PORT, {
+    key: key,
+    passphrase: 'passphrase',
+    cert: cert
+  }, function() {
+    ++connectCount;
+  });
+  c.on('end', function() {
+    server.close();
+  });
+});
+
+assert.throws(function() {
+  tls.connect(common.PORT, {
+    key: key,
+    passphrase: 'invalid',
+    cert: cert
+  });
+});
+
+process.on('exit', function() {
+  assert.equal(connectCount, 1);
+});