tls: deprecate parseCertString & move to internal

`tls.parseCertString()` exposed by accident. Now move this function to
`internal/tls` and mark the original one as deprecated.

Refs: #14193
Refs: af80e7b#diff-cc32376ce1eaf679ec2298cd483f15c7R188

Author: XadillaX

doc/api/deprecations.md

@@ -660,6 +660,28 @@ Type: Runtime
 
 `REPLServer.parseREPLKeyword()` was removed from userland visibility.
 
+<a id="DEP00XX"></a>
+### DEP00XX: tls.parseCertString()
+
+Type: Runtime
+
+`tls.parseCertString()` is a trivial parsing helper that was made public by
+mistake. This function can usually be replaced with
+
+```js
+const querystring = require('querystring');
+querystring.parse(str, '\n', '=');
+```
+
+*Note*: This function is not completely equivalent to `querystring.parse()`, one
+notable difference is that `querystring.parse()` does URLDecoding, e.g.:
+
+```sh
+> querystring.parse("%E5%A5%BD=1", "\n", "=");
+{ '好': '1' }
+> tls.parseCertString("%E5%A5%BD=1");
+{ '%E5%A5%BD': '1' }
+```
 
 [`Buffer.allocUnsafeSlow(size)`]: buffer.html#buffer_class_method_buffer_allocunsafeslow_size
 [`Buffer.from(array)`]: buffer.html#buffer_class_method_buffer_from_array

lib/_tls_common.js

@@ -21,6 +21,7 @@
 
 'use strict';
 
+const internalTLS = require('internal/tls');
 const tls = require('tls');
 
 const SSL_OP_CIPHER_SERVER_PREFERENCE =
@@ -169,11 +170,11 @@ exports.translatePeerCertificate = function translatePeerCertificate(c) {
   if (!c)
     return null;
 
-  if (c.issuer != null) c.issuer = tls.parseCertString(c.issuer);
+  if (c.issuer != null) c.issuer = internalTLS.parseCertString(c.issuer);
   if (c.issuerCertificate != null && c.issuerCertificate !== c) {
     c.issuerCertificate = translatePeerCertificate(c.issuerCertificate);
   }
-  if (c.subject != null) c.subject = tls.parseCertString(c.subject);
+  if (c.subject != null) c.subject = internalTLS.parseCertString(c.subject);
   if (c.infoAccess != null) {
     var info = c.infoAccess;
     c.infoAccess = {};

lib/internal/tls.js

@@ -0,0 +1,28 @@
+'use strict';
+
+// Example:
+// C=US\nST=CA\nL=SF\nO=Joyent\nOU=Node.js\nCN=ca1\[email protected]
+function parseCertString(s) {
+  var out = {};
+  var parts = s.split('\n');
+  for (var i = 0, len = parts.length; i < len; i++) {
+    var sepIndex = parts[i].indexOf('=');
+    if (sepIndex > 0) {
+      var key = parts[i].slice(0, sepIndex);
+      var value = parts[i].slice(sepIndex + 1);
+      if (key in out) {
+        if (!Array.isArray(out[key])) {
+          out[key] = [out[key]];
+        }
+        out[key].push(value);
+      } else {
+        out[key] = value;
+      }
+    }
+  }
+  return out;
+}
+
+module.exports = {
+  parseCertString
+};

lib/tls.js

@@ -23,6 +23,7 @@
 
 const errors = require('internal/errors');
 const internalUtil = require('internal/util');
+const internalTLS = require('internal/tls');
 internalUtil.assertCrypto();
 
 const net = require('net');
@@ -228,28 +229,11 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
   }
 };
 
-// Example:
-// C=US\nST=CA\nL=SF\nO=Joyent\nOU=Node.js\nCN=ca1\[email protected]
-exports.parseCertString = function parseCertString(s) {
-  var out = {};
-  var parts = s.split('\n');
-  for (var i = 0, len = parts.length; i < len; i++) {
-    var sepIndex = parts[i].indexOf('=');
-    if (sepIndex > 0) {
-      var key = parts[i].slice(0, sepIndex);
-      var value = parts[i].slice(sepIndex + 1);
-      if (key in out) {
-        if (!Array.isArray(out[key])) {
-          out[key] = [out[key]];
-        }
-        out[key].push(value);
-      } else {
-        out[key] = value;
-      }
-    }
-  }
-  return out;
-};
+exports.parseCertString = internalUtil.deprecate(
+  internalTLS.parseCertString,
+  'tls.parseCertString() is deprecated. ' +
+  'Please use querystring.parse() instead.',
+  'DEP00XX');
 
 // Public API
 exports.createSecureContext = require('_tls_common').createSecureContext;

node.gyp

@@ -101,6 +101,7 @@
       'lib/internal/repl.js',
       'lib/internal/socket_list.js',
       'lib/internal/test/unicode.js',
+      'lib/internal/tls.js',
       'lib/internal/url.js',
       'lib/internal/util.js',
       'lib/internal/v8_prof_polyfill.js',

test/parallel/test-tls-parse-cert-string.js

@@ -1,15 +1,23 @@
 'use strict';
+
+// Flags: --expose_internals
 const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
 const assert = require('assert');
+const internalTLS = require('internal/tls');
 const tls = require('tls');
 
+const noOutput = common.mustNotCall();
+common.hijackStderr(function() {
+  process.nextTick(noOutput);
+});
+
 {
   const singles = 'C=US\nST=CA\nL=SF\nO=Node.js Foundation\nOU=Node.js\n' +
                   'CN=ca1\[email protected]';
-  const singlesOut = tls.parseCertString(singles);
+  const singlesOut = internalTLS.parseCertString(singles);
   assert.deepStrictEqual(singlesOut, {
     C: 'US',
     ST: 'CA',
@@ -24,7 +32,7 @@ const tls = require('tls');
 {
   const doubles = 'OU=Domain Control Validated\nOU=PositiveSSL Wildcard\n' +
                   'CN=*.nodejs.org';
-  const doublesOut = tls.parseCertString(doubles);
+  const doublesOut = internalTLS.parseCertString(doubles);
   assert.deepStrictEqual(doublesOut, {
     OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ],
     CN: '*.nodejs.org'
@@ -33,6 +41,17 @@ const tls = require('tls');
 
 {
   const invalid = 'fhqwhgads';
-  const invalidOut = tls.parseCertString(invalid);
+  const invalidOut = internalTLS.parseCertString(invalid);
   assert.deepStrictEqual(invalidOut, {});
 }
+
+common.restoreStderr();
+
+{
+  common.expectWarning('DeprecationWarning',
+                       'tls.parseCertString() is deprecated. ' +
+                       'Please use querystring.parse() instead.');
+
+  const ret = tls.parseCertString('foo=bar');
+  assert.deepStrictEqual(ret, { foo: 'bar' });
+}