Openssl clientcertengine support2

[Trott]

This is an attempt to finish #6569 which stalled. First commit is a squashed commit mostly of work done by @joelostrowski with their authorship preserved.

Original PR description:

Added an option 'clientCertEngine' to tls.createSecureContext which gets wired up to OpenSSL function SSL_CTX_set_client_cert_engine. The option is passed through from https.request as well. This allows using a custom OpenSSL engine to provide the client certificate.

PTAL @bnoordhuis @indutny
PTAL @sam-github at the doc changes and anything else you want

@danbev If you have time to look to make sure there aren't any "NOOOOO, this will fail if compiled without OpenSSL!!!!" problems that are super-obvious, that would be great. The stuff in test/addons/openssl-client-cert-engine seems like it needs a common.hasCrypto() check, no? Anything else anywhere in the code that looks like it might be problematic?

Marking as in progress because I can't get the test addon to compile on MacOS. Can someone help me make sense of this output from make test-addons?

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

tls http crypto

[addaleax]

This should get indented like JS objects

[Trott]

Fixed.

[addaleax]

This should typcheck that options.clientCertEngine is a string

[Trott]

@addaleax Fixed (hopefully in a way that is acceptable). Thanks.

[Trott]

I did a CI run to see if it would have the same compilation issues I ran into. The only platform that seems to have the problem is MacOS, which is what my local development environment is. /ping @nodejs/platform-macos I guess.

https://ci.nodejs.org/job/node-test-commit-osx/11890/nodes=osx1010/console:

gyp info spawn make
gyp info spawn args [ 'BUILDTYPE=Release', '-C', 'build', '--jobs', 2 ]
  CXX(target) Release/obj.target/testengine/testengine.o
  SOLINK(target) Release/testengine.engine
Undefined symbols for architecture x86_64:
  "_BIO_new_mem_buf", referenced from:
      EngineLoadSSLClientCert(engine_st*, ssl_st*, stack_st_X509_NAME*, x509_st**, evp_pkey_st**, stack_st_X509**, ui_method_st*, void*) in testengine.o
  "_BIO_vfree", referenced from:
      EngineLoadSSLClientCert(engine_st*, ssl_st*, stack_st_X509_NAME*, x509_st**, evp_pkey_st**, stack_st_X509**, ui_method_st*, void*) in testengine.o
  "_CRYPTO_set_add_lock_callback", referenced from:
      _bind_engine in testengine.o
  "_CRYPTO_set_dynlock_create_callback", referenced from:
      _bind_engine in testengine.o
  "_CRYPTO_set_dynlock_destroy_callback", referenced from:
      _bind_engine in testengine.o
  "_CRYPTO_set_dynlock_lock_callback", referenced from:
      _bind_engine in testengine.o
  "_CRYPTO_set_ex_data_implementation", referenced from:
      _bind_engine in testengine.o
  "_CRYPTO_set_locking_callback", referenced from:
      _bind_engine in testengine.o
  "_CRYPTO_set_mem_functions", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_get_static_state", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_set_destroy_function", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_set_finish_function", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_set_id", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_set_init_function", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_set_load_ssl_client_cert_function", referenced from:
      _bind_engine in testengine.o
  "_ENGINE_set_name", referenced from:
      _bind_engine in testengine.o
  "_ERR_set_implementation", referenced from:
      _bind_engine in testengine.o
  "_PEM_read_bio_PrivateKey", referenced from:
      EngineLoadSSLClientCert(engine_st*, ssl_st*, stack_st_X509_NAME*, x509_st**, evp_pkey_st**, stack_st_X509**, ui_method_st*, void*) in testengine.o
  "_PEM_read_bio_X509", referenced from:
      EngineLoadSSLClientCert(engine_st*, ssl_st*, stack_st_X509_NAME*, x509_st**, evp_pkey_st**, stack_st_X509**, ui_method_st*, void*) in testengine.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [Release/testengine.engine] Error 1
gyp ERR! build error 
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack     at ChildProcess.onExit (/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1010/deps/npm/node_modules/node-gyp/lib/build.js:258:23)
gyp ERR! stack     at emitTwo (events.js:125:13)
gyp ERR! stack     at ChildProcess.emit (events.js:213:7)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:201:12)
gyp ERR! System Darwin 14.5.0
gyp ERR! command "/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1010/out/Release/node" "/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1010/deps/npm/node_modules/node-gyp/bin/node-gyp" "--loglevel=info" "rebuild" "--python=/usr/bin/python" "--directory=/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1010/test/addons/openssl-client-cert-engine/" "--nodedir=/Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1010"
gyp ERR! cwd /Users/iojs/build/workspace/node-test-commit-osx/nodes/osx1010/test/addons/openssl-client-cert-engine
gyp ERR! node -v v9.0.0-pre
gyp ERR! node-gyp -v v3.6.2
gyp ERR! not ok 
make[1]: *** [test/addons/.buildstamp] Error 1
make: *** [run-ci] Error 2
Build step 'Execute shell' marked build as failure
Run condition [Always] enabling perform for step [[]]
TAP Reports Processing: START
Looking for TAP results report in workspace using pattern: *.tap
Did not find any matching files. Setting build result to FAILURE.
Checking ^not ok
Jenkins Text Finder: File set '*.tap' is empty
Notifying upstream projects of job completion
Finished: FAILURE

[danbev]

A hasCrypto check should be added (before require('https')) to enable it to pass when --without-ssl is specified:

if (!common.hasCrypto)
  common.skip('missing crypto');

[Trott]

Fixed, thanks!

[danbev]

Nit: indentation

[Trott]

Fixed (I think).

[danbev]

I think this needs to use:

`./build/${common.buildType}/testengine.engine`);

to be able to support debug and release build types.

[Trott]

Ooh, good, thanks, fixed.

[indutny]

LGTM, but I'd split re-ordering of options in documentation into a separate commit. It was pretty hard to review because of this.