Add option TRUST_SYSTEM_CA_SIGNED_CERTIFICATES

pontusmelke · pontusmelke · commit 01b76b085686 · 2016-09-05T11:15:31.000+02:00
diff --git a/src/v1/driver.js b/src/v1/driver.js
@@ -201,7 +201,10 @@ let USER_AGENT = "neo4j-javascript/" + VERSION;
  *       // an encryption certificate that is in, or is signed by, a certificate listed
  *       // as trusted. In the web bundle, this list of trusted certificates is maintained
  *       // by the web browser. In NodeJS, you configure the list with the next config option.
- *       trust: "TRUST_ON_FIRST_USE" | "TRUST_SIGNED_CERTIFICATES",
+ *       //
+ *       // TRUST_SYSTEM_CA_SIGNED_CERTIFICATES meand that you trust whatever certificates
+ *       // are in the default certificate chain of th
+ *       trust: "TRUST_ON_FIRST_USE" | "TRUST_SIGNED_CERTIFICATES" | TRUST_CUSTOM_CA_SIGNED_CERTIFICATES | TRUST_SYSTEM_CA_SIGNED_CERTIFICATES,
  *
  *       // List of one or more paths to trusted encryption certificates. This only
  *       // works in the NodeJS bundle, and only matters if you use "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES".
diff --git a/src/v1/internal/ch-node.js b/src/v1/internal/ch-node.js
@@ -145,6 +145,29 @@ const TrustStrategy = {
     socket.on('error', onFailure);
     return socket;
   },
+  TRUST_SYSTEM_CA_SIGNED_CERTIFICATES : function( opts, onSuccess, onFailure ) {
+
+    let tlsOpts = {
+      // Because we manually check for this in the connect callback, to give
+      // a more helpful error to the user
+      rejectUnauthorized: false
+    };
+    let socket = tls.connect(opts.port, opts.host, tlsOpts, function () {
+      if (!socket.authorized) {
+        onFailure(newError("Server certificate is not trusted. If you trust the database you are connecting to, use " +
+          "TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add" +
+          " the signing certificate, or the server certificate, to the list of certificates trusted by this driver" +
+          " using `neo4j.v1.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This " +
+          " is a security measure to protect against man-in-the-middle attacks. If you are just trying " +
+          " Neo4j out and are not concerned about encryption, simply disable it using `encrypted=false` in the driver" +
+          " options."));
+      } else {
+        onSuccess();
+      }
+    });
+    socket.on('error', onFailure);
+    return socket;
+  },
   TRUST_ON_FIRST_USE : function( opts, onSuccess, onFailure ) {
     let tlsOpts = {
       // Because we manually verify the certificate against known_hosts
diff --git a/test/internal/tls.test.js b/test/internal/tls.test.js
@@ -140,6 +140,31 @@ describe('trust-custom-ca-signed-certificates', function() {
   });
 });
 
+describe('trust-system-ca-signed-certificates', function() {
+
+  var driver;
+
+  fit('should reject unknown certificates', function(done) {
+    // Assuming we only run this test on NodeJS
+    if( !NodeChannel.available ) {
+      done();
+      return;
+    }
+
+    // Given
+    driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("neo4j", "neo4j"), {
+      encrypted: true,
+      trust: "TRUST_SYSTEM_CA_SIGNED_CERTIFICATES"
+    });
+
+    // When
+    driver.session().run( "RETURN 1").catch( function(err) {
+      expect( err.message ).toContain( "Server certificate is not trusted" );
+      done();
+    });
+  });
+});
+
 describe('trust-on-first-use', function() {
 
   var driver;
