1 | declare module "tls" {
|
2 | import * as crypto from "crypto";
|
3 | import * as dns from "dns";
|
4 | import * as net from "net";
|
5 | import * as stream from "stream";
|
6 |
|
7 | const CLIENT_RENEG_LIMIT: number;
|
8 | const CLIENT_RENEG_WINDOW: number;
|
9 |
|
10 | interface Certificate {
|
11 | |
12 |
|
13 |
|
14 | C: string;
|
15 | |
16 |
|
17 |
|
18 | ST: string;
|
19 | |
20 |
|
21 |
|
22 | L: string;
|
23 | |
24 |
|
25 |
|
26 | O: string;
|
27 | |
28 |
|
29 |
|
30 | OU: string;
|
31 | |
32 |
|
33 |
|
34 | CN: string;
|
35 | }
|
36 |
|
37 | interface PeerCertificate {
|
38 | subject: Certificate;
|
39 | issuer: Certificate;
|
40 | subjectaltname: string;
|
41 | infoAccess: { [index: string]: string[] | undefined };
|
42 | modulus: string;
|
43 | exponent: string;
|
44 | valid_from: string;
|
45 | valid_to: string;
|
46 | fingerprint: string;
|
47 | ext_key_usage: string[];
|
48 | serialNumber: string;
|
49 | raw: Buffer;
|
50 | }
|
51 |
|
52 | interface DetailedPeerCertificate extends PeerCertificate {
|
53 | issuerCertificate: DetailedPeerCertificate;
|
54 | }
|
55 |
|
56 | interface CipherNameAndProtocol {
|
57 | |
58 |
|
59 |
|
60 | name: string;
|
61 | |
62 |
|
63 |
|
64 | version: string;
|
65 | }
|
66 |
|
67 | interface TLSSocketOptions extends SecureContextOptions, CommonConnectionOptions {
|
68 | |
69 |
|
70 |
|
71 |
|
72 | isServer?: boolean;
|
73 | |
74 |
|
75 |
|
76 | server?: net.Server;
|
77 |
|
78 | |
79 |
|
80 |
|
81 | session?: Buffer;
|
82 | |
83 |
|
84 |
|
85 |
|
86 |
|
87 | requestOCSP?: boolean;
|
88 | }
|
89 |
|
90 | class TLSSocket extends net.Socket {
|
91 | |
92 |
|
93 |
|
94 | constructor(socket: net.Socket, options?: TLSSocketOptions);
|
95 |
|
96 | /**
|
97 | * A boolean that is true if the peer certificate was signed by one of the specified CAs, otherwise false.
|
98 | */
|
99 | authorized: boolean;
|
100 | /**
|
101 | * The reason why the peer's certificate has not been verified.
|
102 | * This property becomes available only when tlsSocket.authorized === false.
|
103 | */
|
104 | authorizationError: Error;
|
105 | /**
|
106 | * Static boolean value, always true.
|
107 | * May be used to distinguish TLS sockets from regular ones.
|
108 | */
|
109 | encrypted: boolean;
|
110 |
|
111 | /**
|
112 | * String containing the selected ALPN protocol.
|
113 | * When ALPN has no selected protocol, tlsSocket.alpnProtocol equals false.
|
114 | */
|
115 | alpnProtocol?: string;
|
116 |
|
117 | /**
|
118 | * Returns an object representing the cipher name and the SSL/TLS protocol version of the current connection.
|
119 | * @returns Returns an object representing the cipher name
|
120 | * and the SSL/TLS protocol version of the current connection.
|
121 | */
|
122 | getCipher(): CipherNameAndProtocol;
|
123 | /**
|
124 | * Returns an object representing the peer's certificate.
|
125 | * The returned object has some properties corresponding to the field of the certificate.
|
126 | * If detailed argument is true the full chain with issuer property will be returned,
|
127 | * if false only the top certificate without issuer property.
|
128 | * If the peer does not provide a certificate, it returns null or an empty object.
|
129 | * @param detailed - If true; the full chain with issuer property will be returned.
|
130 | * @returns An object representing the peer's certificate.
|
131 | */
|
132 | getPeerCertificate(detailed: true): DetailedPeerCertificate;
|
133 | getPeerCertificate(detailed?: false): PeerCertificate;
|
134 | getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate;
|
135 | /**
|
136 | * Returns a string containing the negotiated SSL/TLS protocol version of the current connection.
|
137 | * The value `'unknown'` will be returned for connected sockets that have not completed the handshaking process.
|
138 | * The value `null` will be returned for server sockets or disconnected client sockets.
|
139 | * See https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_version.html for more information.
|
140 | * @returns negotiated SSL/TLS protocol version of the current connection
|
141 | */
|
142 | getProtocol(): string | null;
|
143 | /**
|
144 | * Could be used to speed up handshake establishment when reconnecting to the server.
|
145 | * @returns ASN.1 encoded TLS session or undefined if none was negotiated.
|
146 | */
|
147 | getSession(): Buffer | undefined;
|
148 | /**
|
149 | * NOTE: Works only with client TLS sockets.
|
150 | * Useful only for debugging, for session reuse provide session option to tls.connect().
|
151 | * @returns TLS session ticket or undefined if none was negotiated.
|
152 | */
|
153 | getTLSTicket(): Buffer | undefined;
|
154 | /**
|
155 | * Initiate TLS renegotiation process.
|
156 | *
|
157 | * NOTE: Can be used to request peer's certificate after the secure connection has been established.
|
158 | * ANOTHER NOTE: When running as the server, socket will be destroyed with an error after handshakeTimeout timeout.
|
159 | * @param options - The options may contain the following fields: rejectUnauthorized,
|
160 | * requestCert (See tls.createServer() for details).
|
161 | * @param callback - callback(err) will be executed with null as err, once the renegotiation
|
162 | * is successfully completed.
|
163 | * @return `undefined` when socket is destroy, `false` if negotiaion can't be initiated.
|
164 | */
|
165 | renegotiate(options: { rejectUnauthorized?: boolean, requestCert?: boolean }, callback: (err: Error | null) => void): undefined | boolean;
|
166 | /**
|
167 | * Set maximum TLS fragment size (default and maximum value is: 16384, minimum is: 512).
|
168 | * Smaller fragment size decreases buffering latency on the client: large fragments are buffered by
|
169 | * the TLS layer until the entire fragment is received and its integrity is verified;
|
170 | * large fragments can span multiple roundtrips, and their processing can be delayed due to packet
|
171 | * loss or reordering. However, smaller fragments add extra TLS framing bytes and CPU overhead,
|
172 | * which may decrease overall server throughput.
|
173 | * @param size - TLS fragment size (default and maximum value is: 16384, minimum is: 512).
|
174 | * @returns Returns true on success, false otherwise.
|
175 | */
|
176 | setMaxSendFragment(size: number): boolean;
|
177 |
|
178 | /**
|
179 | * When enabled, TLS packet trace information is written to `stderr`. This can be
|
180 | * used to debug TLS connection problems.
|
181 | *
|
182 | * Note: The format of the output is identical to the output of `openssl s_client
|
183 | * -trace` or `openssl s_server -trace`. While it is produced by OpenSSL's
|
184 | * `SSL_trace()` function, the format is undocumented, can change without notice,
|
185 | * and should not be relied on.
|
186 | */
|
187 | enableTrace(): void;
|
188 |
|
189 | addListener(event: string, listener: (...args: any[]) => void): this;
|
190 | addListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
|
191 | addListener(event: "secureConnect", listener: () => void): this;
|
192 | addListener(event: "session", listener: (session: Buffer) => void): this;
|
193 | addListener(event: "keylog", listener: (line: Buffer) => void): this;
|
194 |
|
195 | emit(event: string | symbol, ...args: any[]): boolean;
|
196 | emit(event: "OCSPResponse", response: Buffer): boolean;
|
197 | emit(event: "secureConnect"): boolean;
|
198 | emit(event: "session", session: Buffer): boolean;
|
199 | emit(event: "keylog", line: Buffer): boolean;
|
200 |
|
201 | on(event: string, listener: (...args: any[]) => void): this;
|
202 | on(event: "OCSPResponse", listener: (response: Buffer) => void): this;
|
203 | on(event: "secureConnect", listener: () => void): this;
|
204 | on(event: "session", listener: (session: Buffer) => void): this;
|
205 | on(event: "keylog", listener: (line: Buffer) => void): this;
|
206 |
|
207 | once(event: string, listener: (...args: any[]) => void): this;
|
208 | once(event: "OCSPResponse", listener: (response: Buffer) => void): this;
|
209 | once(event: "secureConnect", listener: () => void): this;
|
210 | once(event: "session", listener: (session: Buffer) => void): this;
|
211 | once(event: "keylog", listener: (line: Buffer) => void): this;
|
212 |
|
213 | prependListener(event: string, listener: (...args: any[]) => void): this;
|
214 | prependListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
|
215 | prependListener(event: "secureConnect", listener: () => void): this;
|
216 | prependListener(event: "session", listener: (session: Buffer) => void): this;
|
217 | prependListener(event: "keylog", listener: (line: Buffer) => void): this;
|
218 |
|
219 | prependOnceListener(event: string, listener: (...args: any[]) => void): this;
|
220 | prependOnceListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
|
221 | prependOnceListener(event: "secureConnect", listener: () => void): this;
|
222 | prependOnceListener(event: "session", listener: (session: Buffer) => void): this;
|
223 | prependOnceListener(event: "keylog", listener: (line: Buffer) => void): this;
|
224 | }
|
225 |
|
226 | interface CommonConnectionOptions {
|
227 | |
228 |
|
229 |
|
230 | secureContext?: SecureContext;
|
231 |
|
232 | |
233 |
|
234 |
|
235 |
|
236 |
|
237 | enableTrace?: boolean;
|
238 | |
239 |
|
240 |
|
241 |
|
242 |
|
243 | requestCert?: boolean;
|
244 | |
245 |
|
246 |
|
247 |
|
248 | ALPNProtocols?: string[] | Uint8Array[] | Uint8Array;
|
249 | |
250 |
|
251 |
|
252 |
|
253 |
|
254 |
|
255 |
|
256 |
|
257 |
|
258 | SNICallback?: (servername: string, cb: (err: Error | null, ctx: SecureContext) => void) => void;
|
259 | |
260 |
|
261 |
|
262 |
|
263 |
|
264 |
|
265 | rejectUnauthorized?: boolean;
|
266 | }
|
267 |
|
268 | interface TlsOptions extends SecureContextOptions, CommonConnectionOptions {
|
269 | handshakeTimeout?: number;
|
270 | sessionTimeout?: number;
|
271 | ticketKeys?: Buffer;
|
272 | }
|
273 |
|
274 | interface ConnectionOptions extends SecureContextOptions, CommonConnectionOptions {
|
275 | host?: string;
|
276 | port?: number;
|
277 | path?: string;
|
278 | socket?: net.Socket;
|
279 | checkServerIdentity?: typeof checkServerIdentity;
|
280 | servername?: string;
|
281 | session?: Buffer;
|
282 | minDHSize?: number;
|
283 | lookup?: net.LookupFunction;
|
284 | timeout?: number;
|
285 | }
|
286 |
|
287 | class Server extends net.Server {
|
288 | addContext(hostName: string, credentials: SecureContextOptions): void;
|
289 |
|
290 | |
291 |
|
292 |
|
293 |
|
294 |
|
295 |
|
296 |
|
297 |
|
298 | addListener(event: string, listener: (...args: any[]) => void): this;
|
299 | addListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
300 | addListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
|
301 | addListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
302 | addListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
|
303 | addListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
|
304 | addListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
305 |
|
306 | emit(event: string | symbol, ...args: any[]): boolean;
|
307 | emit(event: "tlsClientError", err: Error, tlsSocket: TLSSocket): boolean;
|
308 | emit(event: "newSession", sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void): boolean;
|
309 | emit(event: "OCSPRequest", certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
|
310 | emit(event: "resumeSession", sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void): boolean;
|
311 | emit(event: "secureConnection", tlsSocket: TLSSocket): boolean;
|
312 | emit(event: "keylog", line: Buffer, tlsSocket: TLSSocket): boolean;
|
313 |
|
314 | on(event: string, listener: (...args: any[]) => void): this;
|
315 | on(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
316 | on(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
|
317 | on(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
318 | on(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
|
319 | on(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
|
320 | on(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
321 |
|
322 | once(event: string, listener: (...args: any[]) => void): this;
|
323 | once(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
324 | once(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
|
325 | once(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
326 | once(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
|
327 | once(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
|
328 | once(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
329 |
|
330 | prependListener(event: string, listener: (...args: any[]) => void): this;
|
331 | prependListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
332 | prependListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
|
333 | prependListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
334 | prependListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
|
335 | prependListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
|
336 | prependListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
337 |
|
338 | prependOnceListener(event: string, listener: (...args: any[]) => void): this;
|
339 | prependOnceListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
340 | prependOnceListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
|
341 | prependOnceListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
342 | prependOnceListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
|
343 | prependOnceListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
|
344 | prependOnceListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
345 | }
|
346 |
|
347 | interface SecurePair {
|
348 | encrypted: TLSSocket;
|
349 | cleartext: TLSSocket;
|
350 | }
|
351 |
|
352 | type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
|
353 |
|
354 | interface SecureContextOptions {
|
355 | pfx?: string | Buffer | Array<string | Buffer | Object>;
|
356 | key?: string | Buffer | Array<Buffer | Object>;
|
357 | passphrase?: string;
|
358 | cert?: string | Buffer | Array<string | Buffer>;
|
359 | ca?: string | Buffer | Array<string | Buffer>;
|
360 | ciphers?: string;
|
361 | honorCipherOrder?: boolean;
|
362 | ecdhCurve?: string;
|
363 | clientCertEngine?: string;
|
364 | crl?: string | Buffer | Array<string | Buffer>;
|
365 | dhparam?: string | Buffer;
|
366 | secureOptions?: number;
|
367 | secureProtocol?: string;
|
368 | sessionIdContext?: string;
|
369 | |
370 |
|
371 |
|
372 |
|
373 |
|
374 |
|
375 |
|
376 |
|
377 | maxVersion?: SecureVersion;
|
378 | |
379 |
|
380 |
|
381 |
|
382 |
|
383 |
|
384 |
|
385 |
|
386 |
|
387 |
|
388 | minVersion?: SecureVersion;
|
389 | }
|
390 |
|
391 | interface SecureContext {
|
392 | context: any;
|
393 | }
|
394 |
|
395 | |
396 |
|
397 |
|
398 |
|
399 |
|
400 |
|
401 |
|
402 | function checkServerIdentity(host: string, cert: PeerCertificate): Error | undefined;
|
403 | function createServer(secureConnectionListener?: (socket: TLSSocket) => void): Server;
|
404 | function createServer(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void): Server;
|
405 | function connect(options: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
|
406 | function connect(port: number, host?: string, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
|
407 | function connect(port: number, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
|
408 | |
409 |
|
410 |
|
411 | function createSecurePair(credentials?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
|
412 | function createSecureContext(details: SecureContextOptions): SecureContext;
|
413 | function getCiphers(): string[];
|
414 |
|
415 | const DEFAULT_ECDH_CURVE: string;
|
416 |
|
417 | const rootCertificates: ReadonlyArray<string>;
|
418 | }
|