213 lines
6.8 KiB
Haxe
213 lines
6.8 KiB
Haxe
/*
|
|
* Copyright (C)2014-2020 Haxe Foundation
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a
|
|
* copy of this software and associated documentation files (the "Software"),
|
|
* to deal in the Software without restriction, including without limitation
|
|
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
|
* and/or sell copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
|
|
* DEALINGS IN THE SOFTWARE.
|
|
*/
|
|
|
|
package js.node;
|
|
|
|
import haxe.extern.EitherType;
|
|
import js.node.Buffer;
|
|
import js.node.tls.SecureContext;
|
|
import js.node.tls.SecurePair;
|
|
import js.node.tls.Server;
|
|
import js.node.tls.TLSSocket;
|
|
#if haxe4
|
|
import js.lib.Error;
|
|
#else
|
|
import js.Error;
|
|
#end
|
|
|
|
typedef TlsOptionsBase = {
|
|
/**
|
|
If true the server will reject any connection which is not authorized with the list of supplied CAs.
|
|
This option only has an effect if `requestCert` is true.
|
|
Default: false.
|
|
**/
|
|
@:optional var rejectUnauthorized:Bool;
|
|
|
|
/**
|
|
possible NPN protocols. (Protocols should be ordered by their priority).
|
|
**/
|
|
@:optional var NPNProtocols:EitherType<Array<String>, Buffer>;
|
|
}
|
|
|
|
typedef TlsServerOptionsBase = {
|
|
> TlsOptionsBase,
|
|
|
|
/**
|
|
If true the server will request a certificate from clients that connect
|
|
and attempt to verify that certificate.
|
|
Default: false.
|
|
**/
|
|
@:optional var requestCert:Bool;
|
|
|
|
/**
|
|
A function that will be called if client supports SNI TLS extension.
|
|
Two argument will be passed to it: `servername`, and `cb`.
|
|
SNICallback should invoke `cb(null, ctx)`, where `ctx` is a SecureContext instance.
|
|
(You can use tls.createSecureContext(...) to get proper `SecureContext`).
|
|
If `SNICallback` wasn't provided - default callback with high-level API will be used.
|
|
**/
|
|
@:optional var SNICallback:#if (haxe_ver >= 4)(servername:String, cb:(Error->SecureContext)) -> Void #else String->(Error->SecureContext)->Void #end;
|
|
}
|
|
|
|
typedef TlsClientOptionsBase = {
|
|
> TlsOptionsBase,
|
|
|
|
/**
|
|
A Buffer instance, containing TLS session.
|
|
**/
|
|
@:optional var session:Buffer;
|
|
|
|
/**
|
|
If true - OCSP status request extension would be added to client hello,
|
|
and OCSPResponse event will be emitted on socket before establishing secure communication
|
|
**/
|
|
@:optional var requestOCSP:Bool;
|
|
}
|
|
|
|
/**
|
|
Base structure for options object used in tls methods.
|
|
**/
|
|
typedef TlsCreateServerOptions = {
|
|
> TlsServerOptionsBase,
|
|
> SecureContextOptions,
|
|
|
|
/**
|
|
Abort the connection if the SSL/TLS handshake does not finish in this many milliseconds.
|
|
The default is 120 seconds.
|
|
A 'clientError' is emitted on the `tls.Server` object whenever a handshake times out.
|
|
**/
|
|
@:optional var handshakeTimeout:Int;
|
|
|
|
/**
|
|
An integer specifying the seconds after which TLS session identifiers
|
|
and TLS session tickets created by the server are timed out.
|
|
See SSL_CTX_set_timeout for more details.
|
|
**/
|
|
@:optional var sessionTimeout:Int;
|
|
|
|
/**
|
|
A 48-byte `Buffer` instance consisting of 16-byte prefix, 16-byte hmac key, 16-byte AES key.
|
|
You could use it to accept tls session tickets on multiple instances of tls server.
|
|
|
|
NOTE: Automatically shared between cluster module workers.
|
|
**/
|
|
@:optional var ticketKeys:Buffer;
|
|
}
|
|
|
|
typedef TlsConnectOptions = {
|
|
> TlsClientOptionsBase,
|
|
> SecureContextOptions,
|
|
|
|
/**
|
|
Host the client should connect to.
|
|
Defaults to 'localhost'
|
|
**/
|
|
@:optional var host:String;
|
|
|
|
/**
|
|
Port the client should connect to
|
|
**/
|
|
@:optional var port:Int;
|
|
|
|
/**
|
|
Establish secure connection on a given socket rather than creating a new socket.
|
|
If this option is specified, `host` and `port` are ignored.
|
|
**/
|
|
@:optional var socket:js.node.net.Socket;
|
|
|
|
/**
|
|
Creates unix socket connection to path.
|
|
If this option is specified, host and port are ignored.
|
|
**/
|
|
@:optional var path:String;
|
|
|
|
/**
|
|
Servername for SNI (Server Name Indication) TLS extension.
|
|
**/
|
|
@:optional var servername:String;
|
|
|
|
/**
|
|
An override for checking server's hostname against the certificate.
|
|
Should return an error if verification fails. Return `js.Lib.undefined` if passing.
|
|
**/
|
|
@:optional var checkServerIdentity:String -> {}->Dynamic; // TODO: peer cerficicate structure
|
|
|
|
}
|
|
|
|
/**
|
|
The tls module uses OpenSSL to provide Transport Layer Security
|
|
and/or Secure Socket Layer: encrypted stream communication.
|
|
**/
|
|
@:jsRequire("tls")
|
|
extern class Tls {
|
|
/**
|
|
renegotiation limit, default is 3.
|
|
**/
|
|
static var CLIENT_RENEG_LIMIT:Int;
|
|
|
|
/**
|
|
renegotiation window in seconds, default is 10 minutes.
|
|
**/
|
|
static var CLIENT_RENEG_WINDOW:Int;
|
|
|
|
/**
|
|
Size of slab buffer used by all tls servers and clients. Default: 10 * 1024 * 1024.
|
|
|
|
Don't change the defaults unless you know what you are doing.
|
|
**/
|
|
static var SLAB_BUFFER_SIZE:Int;
|
|
|
|
/**
|
|
Returns an array with the names of the supported SSL ciphers.
|
|
**/
|
|
static function getCiphers():Array<String>;
|
|
|
|
/**
|
|
Creates a new `Server`.
|
|
The `connectionListener` argument is automatically set as a listener for the 'secureConnection' event.
|
|
**/
|
|
static function createServer(options:TlsCreateServerOptions, ?secureConnectionListener:TLSSocket->Void):Server;
|
|
|
|
/**
|
|
Creates a new client connection to the given `port` and `host` (old API) or `options.port` and `options.host`.
|
|
If `host` is omitted, it defaults to 'localhost'.
|
|
**/
|
|
@:overload(function(port:Int, ?callback:Void->Void):TLSSocket {})
|
|
@:overload(function(port:Int, options:TlsConnectOptions, ?callback:Void->Void):TLSSocket {})
|
|
@:overload(function(port:Int, host:String, ?callback:Void->Void):TLSSocket {})
|
|
@:overload(function(port:Int, host:String, options:TlsConnectOptions, ?callback:Void->Void):TLSSocket {})
|
|
static function connect(options:TlsConnectOptions, ?callback:Void->Void):TLSSocket;
|
|
|
|
/**
|
|
Creates a credentials object.
|
|
**/
|
|
static function createSecureContext(?details:SecureContextOptions):SecureContext;
|
|
|
|
/**
|
|
Creates a new secure pair object with two streams, one of which reads/writes encrypted data,
|
|
and one reads/writes cleartext data.
|
|
Generally the encrypted one is piped to/from an incoming encrypted data stream,
|
|
and the cleartext one is used as a replacement for the initial encrypted stream.
|
|
**/
|
|
static function createSecurePair(?context:SecureContext, ?isServer:Bool, ?requestCert:Bool, ?rejectUnauthorized:Bool):SecurePair;
|
|
}
|