33 changes: 33 additions & 0 deletions certs/ca.crt
@@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
33 changes: 0 additions & 33 deletions certs/localhost-ca.crt

This file was deleted.

31 changes: 0 additions & 31 deletions certs/localhost-server.crt

This file was deleted.

51 changes: 0 additions & 51 deletions certs/localhost-server.key

This file was deleted.

31 changes: 31 additions & 0 deletions certs/noauth-server.crt
@@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
51 changes: 51 additions & 0 deletions certs/noauth-server.key
@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
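Review bot: `certs/noauth-server.key` commits a private key to the repository, so anyone with read access to the repository or its history holds it, and it remains recoverable from history even if it is deleted later; once pushed it should be treated as disclosed. If this key is only a local-development fixture, say so in a short README next to it and make sure it is never used by a deployed instance; otherwise generate the key at deploy time and load it from configuration, which is what the new `config.caKey` path in `src/server/auth/server.js` appears designed for. The same applies to the deleted `certs/localhost-server.key`, which also stays in history.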
2 changes: 2 additions & 0 deletions package.json
Expand Up @@ -84,6 +84,7 @@
"ip": "^1.1.5",
"lodash": "^4.17.5",
"nat-upnp": "^1.1.1",
"node-forge": "^0.7.5",
"openid-client": "^2.0.0",
"passport": "^0.4.0",
"passport-facebook": "^2.1.1",
Expand All @@ -104,6 +105,7 @@
"request-promise-native": "^1.0.5",
"seedrandom": "^2.4.3",
"sequelize": "^4.35.2",
"serialize-error": "^2.1.0",
"socket.io": "^2.1.0",
"socket.io-client": "^2.1.0",
"spinkit": "^1.2.5",
92 changes: 90 additions & 2 deletions src/server/auth/server.js
Expand Up @@ -10,6 +10,10 @@ const session = require('express-session')
const pg = require('pg')
const PGSession = require('connect-pg-simple')(session)
const assert = require('assert')
const forge = require('node-forge')
const pki = forge.pki
const crypto = require('crypto')
const serializeError = require('serialize-error')

const passport = require('passport')

Expand Down Expand Up @@ -42,6 +46,10 @@ exports.registerServer = (app, config) => {
let authentications = []
let users
let registerProvider
let caKey = null
let caCrtBuffer = null
let caCrtSubject = null
let caStore = pki.createCaStore()

if (!config) config = {}
if (!config.pgConfig) config.pgConfig = {}
Expand All @@ -51,6 +59,25 @@ exports.registerServer = (app, config) => {
config.pgConfig.port = config.pgConfig.port || env.PGPORT
config.pgConfig.database = config.pgConfig.database || env.PGDATABASE

if (config.caCrt) {
const caCrt = pki.certificateFromPem(config.caCrt)
do {
if (!caCrt) break
const basicConstraints = caCrt.getExtension('basicConstraints')
if (!basicConstraints || !basicConstraints.cA) break
const subject = caCrt.subject
const O = subject.getField('O')
if (!O || O.value !== 'Papan') break
caStore.addCertificate(caCrt)
caCrtBuffer = config.caCrt
caCrtSubject = caCrt.subject
} while (false)
}

if (config.caKey && caCrtBuffer) {
caKey = pki.privateKeyFromPem(config.caKey)
}

return Promise.resolve(userDB.create(config.pgConfig)).then(createdUsers => {
// We need to create and migrate the database first thing before going on with the rest of the work.
users = createdUsers
Expand Down Expand Up @@ -99,7 +126,7 @@ exports.registerServer = (app, config) => {

// Static files
function sendRoot (res) {
res.sendFile(path.join(root, 'render/auth-index.html'))
res.sendFile(path.join(root, 'render', 'auth-index.html'))
}
app.use('/src/common', express.static(path.join(root, 'src', 'common')))
app.use('/src/client/auth', express.static(path.join(root, 'src', 'client', 'auth')))
Expand All @@ -111,6 +138,14 @@ exports.registerServer = (app, config) => {
app.get('/render/main', (req, res) => sendRoot(res))
app.get('/render/login', (req, res) => sendRoot(res))
app.get('/render/profile', (req, res) => sendRoot(res))
app.get('/certs/ca.crt', (req, res) => {
if (caCrtBuffer) {
res.type('crt')
res.send(caCrtBuffer)
} else {
res.sendFile(path.join(root, 'certs', 'ca.crt'))
}
})

// AJAX
app.get('/profile/data', (req, res) => res.json(
Expand Down Expand Up @@ -150,6 +185,59 @@ exports.registerServer = (app, config) => {
app.get('/info', (req, res) => res.json({
authenticated: req.isAuthenticated()
}))
app.post('/certs/csr-sign', (req, res) => {
const csrString = req.body.csr
let error = null
do {
if (!csrString) {
error = 'No CSR sent'
break
}
const csr = pki.certificationRequestFromPem(csrString)
if (!csr) {
error = 'Unable to parse CSR'
break
}
const subject = csr.subject
const CN = subject.getField('CN')
const O = subject.getField('O')
const OU = subject.getField('OU')
if (!CN || CN.value !== 'localhost') {
error = 'Invalid CN field in CSR'
break
}
if (!O || O.value !== 'Papan') {
error = 'Invalid O field in CSR'
break
}
if (!OU || OU.value !== 'Server-Ad-Hoc') {
error = 'Invalid OU field in CSR'
break
}
if (!csr.verify()) {
error = 'Couldn\'t verify CSR'
}
const cert = pki.createCertificate()
const now = new Date()
cert.validity.notBefore = now
cert.validity.notAfter.setTime(now.getTime() + 5 * 24 * 60 * 60 * 1000)
cert.setSubject(csr.subject.attributes)
cert.setIssuer(caCrtSubject.attributes)
cert.publicKey = csr.publicKey
crypto.randomBytes(20, (err, buffer) => {
if (buffer[0] > 127) {
buffer[0] -= 128
}
cert.serialNumber = [...buffer].map(b => b.toString(16)).join('')
cert.sign(caKey)
res.json({ cert: pki.certificateToPem(cert) })
})
} while (false)
if (error) {
res.status(400)
res.json({ error: error })
}
})

// Auth providers logic
registerProvider = (provider) => {
Expand Down Expand Up @@ -217,7 +305,7 @@ exports.registerServer = (app, config) => {

// And finally, catch-all error 500, for future expansion.
app.use((err, req, res, next) => {
res.status(500).send(err)
res.status(500).send(serializeError(err))
})

resolve()
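Review bot: In the `/certs/csr-sign` handler the `if (!csr.verify())` branch sets `error` but does not `break`, so a CSR whose signature fails verification still falls through to be signed with `caKey`, and the handler then answers twice (the 400 from the `if (error)` block, then `res.json` from the `randomBytes` callback); add `break` after `error = 'Couldn\'t verify CSR'`. The handler also runs when `caKey` and `caCrtSubject` are still `null` (no `config.caCrt`/`config.caKey` given), which throws inside the `randomBytes` callback where the Express error handler cannot catch it, and it is mounted without any `req.isAuthenticated()` check, so any client that can reach the server obtains a CA-signed certificate for `CN=localhost`; guard both at the top of the handler, e.g. `if (!caKey || !caCrtSubject) return res.status(503).json({ error: 'CA not configured' })`, and decide explicitly whether the route must be authenticated. The `err` argument of `crypto.randomBytes` is ignored, and `b.toString(16)` without `padStart(2, '0')` produces serial numbers of variable width. The catch-all 500 handler now sends `serializeError(err)` to the client, which includes the stack trace and any properties attached to the error; log the serialized error server-side and return a generic message instead. `registerServer` starts and ends outside these hunks.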