

Use Cert chain when in HA networks
rentallect committed Aug 29, 2024
1 parent 55bab1d commit 9a1c95f
Showing 5 changed files with 61 additions and 11 deletions.
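--- a/package.json
+++ b/package.json
@@ -59,7 +59,7 @@
 "typescript": "^5.2.2"
 },
 "dependencies": {
-"@openziti/libcrypto-js": "^0.20.0",
+"@openziti/libcrypto-js": "^0.21.0",
 "@openziti/ziti-browzer-edge-client": "^0.6.2",
 "asn1js": "^3.0.5",
 "assert": "^2.0.0",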
58 changes: 52 additions & 6 deletions src/context/context.js
Expand Up @@ -39,6 +39,10 @@ import { http } from '../http/http';
import { ZitiWebSocketWrapperCtor } from '../http/ziti-websocket-wrapper-ctor';
import { ZitiAgentPool } from '../http/ziti-agent-pool';
import { ZitiWASMFD } from './wasmFD';
import {
splitPemChain
} from '../utils/pki';




Expand Down Expand Up @@ -566,12 +570,14 @@ class ZitiContext extends EventEmitter {
this.logger.trace('ZitiContext.ssl_CTX_add_certificate() entered');

// Add client cert
sslContext = this._libCrypto.ssl_CTX_add_certificate(wasmInstance, sslContext, await this.getCertPEM());
sslContext = this._libCrypto.ssl_CTX_add_certificate(wasmInstance, sslContext, await this.getCertPEMLeaf());
if (isNull(sslContext)) throw Error("SSL Context failure.");

// Add CAs
sslContext = this._libCrypto.ssl_CTX_add1_to_CA_list(wasmInstance, sslContext, await this.getCasPEM());
if (isNull(sslContext)) throw Error("SSL Context failure.");
// Add remaining certs in the chain
for (const intermediatePEM of await this.getCertPEMIntermediatesArray()) {
sslContext = this._libCrypto.ssl_CTX_add_extra_chain_cert(wasmInstance, sslContext, intermediatePEM);
if (isNull(sslContext)) throw Error("SSL Context failure.");
}

this.logger.trace('ZitiContext.ssl_CTX_add_certificate() exiting');

Expand Down Expand Up @@ -799,7 +805,15 @@ class ZitiContext extends EventEmitter {
delay(time) {
return new Promise(resolve => setTimeout(resolve, time));
}


/**
*
*/
async getAccessTokenEmail() {
var decoded_access_token = jwt_decode(this.access_token);
return decoded_access_token.email;
}

/**
*
*/
Expand Down Expand Up @@ -926,7 +940,9 @@ class ZitiContext extends EventEmitter {
this._casPEM = this._zitiEnroller.casPEM;
this._certPEM = this._zitiEnroller.certPEM;
this._certExpiryTime = this._zitiEnroller.certPEMExpiryTime;

let certPEMArray = splitPemChain(this._certPEM);
this._certPEMLeaf = certPEMArray[0];
this._certPEMIntermediatesArray = certPEMArray.slice(1);
return true;
}

Expand Down Expand Up @@ -962,6 +978,36 @@ class ZitiContext extends EventEmitter {
return this._certPEM;
}

/**
*
*/
async getCertPEMLeaf () {

if (isNull(this._privateKeyPEM)) {
this._privateKeyPEM = await this.getPrivateKeyPEM(this._pkey)
}
if (isNull(this._certPEMLeaf)) {
await this.enroll()
}

return this._certPEMLeaf;
}

/**
*
*/
async getCertPEMIntermediatesArray () {

if (isNull(this._privateKeyPEM)) {
this._privateKeyPEM = await this.getPrivateKeyPEM(this._pkey)
}
if (isNull(this._certPEMLeaf)) {
await this.enroll()
}

return this._certPEMIntermediatesArray;
}

/**
*
*/
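Review bot: In the `ssl_CTX_add_certificate` hunk (`-566,12 +570,14`) the `ssl_CTX_add1_to_CA_list(wasmInstance, sslContext, await this.getCasPEM())` call is dropped and nothing in the new code feeds `getCasPEM()` into the context any more, so unless the CA bundle is installed into the context somewhere outside this hunk, the context now carries the client leaf and its intermediates but no CA material; worth confirming against whatever configures peer verification, as the surrounding method starts and ends outside the hunk. The leaf and the per-intermediate failure sites both throw the identical literal `"SSL Context failure."`, so a bad intermediate is indistinguishable from a bad leaf in a trace; `throw new Error("SSL Context failure: ssl_CTX_add_extra_chain_cert");` inside the loop (and a matching message for the leaf) would say which step failed. The new `getCertPEMLeaf` and `getCertPEMIntermediatesArray` methods ship with empty `/** */` blocks; `@returns {Promise<string>} PEM of the first certificate of the enrolled chain` and `@returns {Promise<string[]>} PEMs of the remaining chain certificates, possibly empty` would document what the splitting in the enroll hunk establishes.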
3 changes: 3 additions & 0 deletions src/http/request.js
Expand Up @@ -384,6 +384,9 @@ ZitiHttpRequest.prototype.getServiceConnectAppData = function() {
if (!headers.has('Accept-Encoding')) {
headers.set('Accept-Encoding', 'gzip,deflate');
}

// Automatic SSO for Isaiah
headers.append( 'Remote-User', await this.getZitiContext().getAccessTokenEmail() );

// if (!headers.has('Connection')) {
// headers.set('Connection', 'keep-alive');
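Review bot: `headers.append( 'Remote-User', await this.getZitiContext().getAccessTokenEmail() )` has no guard for the token or the claim being absent: `getAccessTokenEmail` runs `jwt_decode(this.access_token)`, which throws on a missing or malformed token and would abort every request built here, and when the decoded token has no `email` claim the call appends the string `"undefined"`. Because the value is decoded client-side without signature verification and is supplied by the client, a backend that treats `Remote-User` as an authenticated identity must validate it against its own session rather than trust the header; a comment at this line saying the header is informational, not an authentication assertion, would keep it from being mistaken for one. A narrower form is `const email = await this.getZitiContext().getAccessTokenEmail(); if (typeof email === 'string') headers.append('Remote-User', email);`, with `getAccessTokenEmail` returning `undefined` when there is no access token. The enclosing function starts and ends outside the hunk; if it is the non-async `function() {` named in the hunk header, the `await` is a syntax error there, so confirm the function is declared `async`.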
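--- a/src/utils/pki.js
+++ b/src/utils/pki.js
@@ -186,6 +186,7 @@ export {
 convertPemToBinary,
 convertBinaryToCertificate,
 convertPemToCertificate,
+splitPemChain,
 printCertificate,
 getExpiryTimeFromCertificate,
 getExpiryStringFromCertificate,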
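--- a/yarn.lock
+++ b/yarn.lock
@@ -1305,10 +1305,10 @@
 portfinder "^1.0.21"
 request "^2.88.0"
 
-"@openziti/libcrypto-js@^0.20.0":
-version "0.20.0"
-resolved "https://registry.yarnpkg.com/@openziti/libcrypto-js/-/libcrypto-js-0.20.0.tgz#a4956f81d195476a2c9177e16c9d83d55c0c8daf"
-integrity sha512-71rEOlDx1LA8XUk31YxAl72gLlXPi2yiXsXj2nL0+bqdzji6gxGUt0ohRZw5KxxQeqCNIiaeB5BOgseDruicWQ==
+"@openziti/libcrypto-js@^0.21.0":
+version "0.21.0"
+resolved "https://registry.yarnpkg.com/@openziti/libcrypto-js/-/libcrypto-js-0.21.0.tgz#a6deb214968a68709b9eb1e877fdace1b72c1a51"
+integrity sha512-xRzxG5tw2dPZRmqXmo2rf73uI6gaR/o+nBfbXlL70qnmv8RS3zwC1sdSI6t+ZrYEcsMpytONyYtcRn1J8mIucA==
 dependencies:
 "@types/emscripten" "^1.39.6"
 "@wasmer/wasi" "^1.0.2"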
