chore: improve self signed tls cert checks

Ticket: WP-6407

Author: pranavjain97

src/__tests__/appUtils.test.ts

@@ -182,5 +182,92 @@ describe('appUtils', () => {
         mockRes.statusCode.should.equal(0); // No rejection when TLS is disabled
       });
     });
+
+    describe('Self-signed certificate checks', () => {
+      it('should reject self-signed certificate when not allowed (all fields match)', () => {
+        const middleware = createMtlsMiddleware({
+          tlsMode: TlsMode.MTLS,
+          clientCertAllowSelfSigned: false,
+          mtlsAllowedClientFingerprints: ['ABCDEF1234567890ABCDEF1234567890'],
+        });
+
+        const mockReq = {
+          socket: {
+            getPeerCertificate: () => ({
+              subject: { CN: 'test-client', O: 'Test Org', OU: 'Test Unit' },
+              issuer: { CN: 'test-client', O: 'Test Org', OU: 'Test Unit' },
+              fingerprint256: 'AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90',
+            }),
+          },
+        } as any;
+
+        const mockRes = {
+          status: function (code: number) {
+            this.statusCode = code;
+            return this;
+          },
+          json: function (body: any) {
+            this.body = body;
+            return this;
+          },
+          statusCode: 0,
+          body: {},
+        } as any;
+
+        let nextCalled = false;
+        const mockNext = () => {
+          nextCalled = true;
+        };
+
+        middleware(mockReq, mockRes, mockNext);
+
+        nextCalled.should.be.false();
+        mockRes.statusCode.should.equal(403);
+        mockRes.body.should.have.property('error', 'mTLS Authentication Failed');
+        mockRes.body.should.have.property('message', 'Self-signed certificates are not allowed');
+        mockRes.body.should.have.property('details').match(/CLIENT_CERT_ALLOW_SELF_SIGNED=true/);
+      });
+
+      it('should accept self-signed certificate when allowed', () => {
+        const middleware = createMtlsMiddleware({
+          tlsMode: TlsMode.MTLS,
+          clientCertAllowSelfSigned: true,
+          mtlsAllowedClientFingerprints: ['ABCDEF1234567890ABCDEF1234567890'],
+        });
+
+        const mockReq = {
+          socket: {
+            getPeerCertificate: () => ({
+              subject: { CN: 'test-client', O: 'Test Org', OU: 'Test Unit' },
+              issuer: { CN: 'test-client', O: 'Test Org', OU: 'Test Unit' },
+              fingerprint256: 'AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90',
+            }),
+          },
+        } as any;
+
+        const mockRes = {
+          status: function (code: number) {
+            this.statusCode = code;
+            return this;
+          },
+          json: function (body: any) {
+            this.body = body;
+            return this;
+          },
+          statusCode: 0,
+          body: {},
+        } as any;
+
+        let nextCalled = false;
+        const mockNext = () => {
+          nextCalled = true;
+        };
+
+        middleware(mockReq, mockRes, mockNext);
+
+        nextCalled.should.be.true();
+        mockRes.statusCode.should.equal(0);
+      });
+    });
   });
 });

src/shared/appUtils.ts

@@ -160,12 +160,17 @@ export function createMtlsMiddleware(config: {
         }
       }
 
-      // Check if self-signed certificates are allowed
-      if (!config.clientCertAllowSelfSigned && clientCert.issuer.CN === clientCert.subject.CN) {
+      const isSelfSigned =
+        clientCert.issuer.CN === clientCert.subject.CN &&
+        clientCert.issuer.O === clientCert.subject.O &&
+        clientCert.issuer.OU === clientCert.subject.OU;
+
+      if (!config.clientCertAllowSelfSigned && isSelfSigned) {
         return res.status(403).json({
           error: 'mTLS Authentication Failed',
           message: 'Self-signed certificates are not allowed',
-          details: 'Please use a certificate issued by a trusted CA',
+          details:
+            'Please use a certificate issued by a trusted CA, or set CLIENT_CERT_ALLOW_SELF_SIGNED=true for testing',
         });
       }