chore: log cert validation at app initiations

Ticket: WP-4663

Author: pranavjain97

src/app.ts

@@ -1,21 +1,21 @@
-import { config, isEnclavedConfig, isMasterExpressConfig } from './config';
+import { determineAppMode, AppMode } from './config';
 import * as enclavedApp from './enclavedApp';
 import * as masterExpressApp from './masterExpressApp';
 
 /**
  * Main application entry point that determines the mode and starts the appropriate app
  */
 export async function init(): Promise<void> {
-  const cfg = config();
+  const appMode = determineAppMode();
 
-  if (isEnclavedConfig(cfg)) {
+  if (appMode === AppMode.ENCLAVED) {
     console.log('Starting in Enclaved mode...');
     await enclavedApp.init();
-  } else if (isMasterExpressConfig(cfg)) {
+  } else if (appMode === AppMode.MASTER_EXPRESS) {
     console.log('Starting in Master Express mode...');
     await masterExpressApp.init();
   } else {
-    throw new Error(`Unknown app mode: ${(cfg as any).appMode}`);
+    throw new Error(`Unknown app mode: ${appMode}`);
   }
 }
 

src/config.ts

@@ -8,6 +8,7 @@ import {
   EnvironmentName,
 } from './types';
 import logger from './logger';
+import { validateTlsCertificates, validateMasterExpressConfig } from './shared/appUtils';
 
 export { Config, EnclavedConfig, MasterExpressConfig, TlsMode, AppMode, EnvironmentName };
 
@@ -37,6 +38,8 @@ function determineAppMode(): AppMode {
   throw new Error(`Invalid APP_MODE: ${mode}. Must be either "enclaved" or "master-express"`);
 }
 
+export { determineAppMode };
+
 // ============================================================================
 // ENCLAVED MODE CONFIGURATION
 // ============================================================================
@@ -130,20 +133,30 @@ function configureEnclavedMode(): EnclavedConfig {
   if (!config.tlsKey && config.keyPath) {
     try {
       config = { ...config, tlsKey: fs.readFileSync(config.keyPath, 'utf-8') };
+      logger.info(`Successfully loaded TLS private key from file: ${config.keyPath}`);
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
       throw new Error(`Failed to read TLS key from keyPath: ${err.message}`);
     }
+  } else if (config.tlsKey) {
+    logger.debug('Using TLS private key from environment variable');
   }
+
   if (!config.tlsCert && config.crtPath) {
     try {
       config = { ...config, tlsCert: fs.readFileSync(config.crtPath, 'utf-8') };
+      logger.info(`Successfully loaded TLS certificate from file: ${config.crtPath}`);
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
       throw new Error(`Failed to read TLS certificate from crtPath: ${err.message}`);
     }
+  } else if (config.tlsCert) {
+    logger.debug('Using TLS certificate from environment variable');
   }
 
+  // Validate that certificates are properly loaded when TLS is enabled
+  validateTlsCertificates(config);
+
   return config;
 }
 
@@ -280,18 +293,25 @@ export function configureMasterExpressMode(): MasterExpressConfig {
   if (!config.tlsKey && config.keyPath) {
     try {
       config = { ...config, tlsKey: fs.readFileSync(config.keyPath, 'utf-8') };
+      logger.info(`Successfully loaded TLS private key from file: ${config.keyPath}`);
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
       throw new Error(`Failed to read TLS key from keyPath: ${err.message}`);
     }
+  } else if (config.tlsKey) {
+    logger.debug('Using TLS private key from environment variable');
   }
+
   if (!config.tlsCert && config.crtPath) {
     try {
       config = { ...config, tlsCert: fs.readFileSync(config.crtPath, 'utf-8') };
+      logger.info(`Successfully loaded TLS certificate from file: ${config.crtPath}`);
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
       throw new Error(`Failed to read TLS certificate from crtPath: ${err.message}`);
     }
+  } else if (config.tlsCert) {
+    logger.debug('Using TLS certificate from environment variable');
   }
 
   // Handle cert loading
@@ -302,6 +322,12 @@ export function configureMasterExpressMode(): MasterExpressConfig {
           ...config,
           enclavedExpressCert: fs.readFileSync(config.enclavedExpressCert, 'utf-8'),
         };
+        logger.info(
+          `Successfully loaded Enclaved Express certificate from file: ${config.enclavedExpressCert.substring(
+            0,
+            50,
+          )}...`,
+        );
       } else {
         throw new Error(`Certificate file not found: ${config.enclavedExpressCert}`);
       }
@@ -311,6 +337,12 @@ export function configureMasterExpressMode(): MasterExpressConfig {
     }
   }
 
+  // Validate that certificates are properly loaded when TLS is enabled
+  validateTlsCertificates(config);
+
+  // Validate Master Express configuration
+  validateMasterExpressConfig(config);
+
   return config;
 }
 

src/enclavedApp.ts

@@ -8,13 +8,11 @@ import { EnclavedConfig, config, TlsMode, isEnclavedConfig } from './config';
 import * as routes from './routes';
 import {
   setupLogging,
-  setupDebugNamespaces,
   setupCommonMiddleware,
   createErrorHandler,
   createHttpServer,
   configureServerTimeouts,
   prepareIpc,
-  readCertificates,
   createMtlsMiddleware,
 } from './shared/appUtils';
 import logger from './logger';
@@ -56,27 +54,16 @@ async function createHttpsServer(
   app: express.Application,
   config: EnclavedConfig,
 ): Promise<https.Server> {
-  const { keyPath, crtPath, tlsKey, tlsCert, tlsMode, mtlsRequestCert } = config;
-  let key: string;
-  let cert: string;
-
-  if (tlsKey && tlsCert) {
-    key = tlsKey;
-    cert = tlsCert;
-    logger.info('Using TLS key and cert from environment variables');
-  } else if (keyPath && crtPath) {
-    const certificates = await readCertificates(keyPath, crtPath);
-    key = certificates.key;
-    cert = certificates.cert;
-    logger.info(`Using TLS key and cert from files: ${keyPath}, ${crtPath}`);
-  } else {
-    throw new Error('Failed to get TLS key and certificate');
+  const { tlsKey, tlsCert, tlsMode, mtlsRequestCert } = config;
+
+  if (!tlsKey || !tlsCert) {
+    throw new Error('TLS key and certificate must be provided for HTTPS server');
   }
 
   const httpsOptions: https.ServerOptions = {
     secureOptions: SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
-    key,
-    cert,
+    key: tlsKey,
+    cert: tlsCert,
     // Only request cert if mTLS is enabled AND we want to request certs
     // This prevents TLS handshake failures when no cert is provided
     requestCert: tlsMode === TlsMode.MTLS && mtlsRequestCert,
@@ -120,7 +107,6 @@ export function app(cfg: EnclavedConfig): express.Application {
     return (req as any).clientCert ? (req as any).clientCert.subject.CN : 'unknown';
   });
 
-  setupDebugNamespaces(cfg.debugNamespace);
   setupCommonMiddleware(app, cfg);
 
   // Add mTLS middleware before routes if in mTLS mode

src/masterBitgoExpress/enclavedExpressClient.ts

@@ -1,7 +1,7 @@
 import superagent from 'superagent';
 import https from 'https';
 import debug from 'debug';
-import { MasterExpressConfig, TlsMode } from '../types';
+import { MasterExpressConfig } from '../types';
 
 const debugLogger = debug('bitgo:express:enclavedExpressClient');
 
@@ -23,26 +23,43 @@ export interface IndependentKeychainResponse {
 
 export class EnclavedExpressClient {
   private readonly baseUrl: string;
-  private readonly sslCert: string;
-  private readonly tlsMode: TlsMode;
+  private readonly enclavedExpressCert: string;
+  private readonly tlsKey: string;
+  private readonly tlsCert: string;
+  private readonly allowSelfSigned: boolean;
   private readonly coin?: string;
 
   constructor(cfg: MasterExpressConfig, coin?: string) {
     if (!cfg.enclavedExpressUrl || !cfg.enclavedExpressCert) {
       throw new Error('enclavedExpressUrl and enclavedExpressCert are required');
     }
+    if (!cfg.tlsKey || !cfg.tlsCert) {
+      throw new Error('tlsKey and tlsCert are required for mTLS communication');
+    }
 
     this.baseUrl = cfg.enclavedExpressUrl;
-    this.sslCert = cfg.enclavedExpressCert;
-    this.tlsMode = cfg.tlsMode;
+    this.enclavedExpressCert = cfg.enclavedExpressCert;
+    this.tlsKey = cfg.tlsKey;
+    this.tlsCert = cfg.tlsCert;
+    this.allowSelfSigned = cfg.allowSelfSigned ?? false;
     this.coin = coin;
     debugLogger('EnclavedExpressClient initialized with URL: %s', this.baseUrl);
   }
 
+  private createHttpsAgent(): https.Agent {
+    return new https.Agent({
+      rejectUnauthorized: !this.allowSelfSigned,
+      ca: this.enclavedExpressCert,
+      // Use Master Express's own certificate as client cert when connecting to Enclaved Express
+      key: this.tlsKey,
+      cert: this.tlsCert,
+    });
+  }
+
   async ping(): Promise<void> {
     try {
       debugLogger('Pinging enclaved express at %s', this.baseUrl);
-      await superagent.get(`${this.baseUrl}/ping`).ca(this.sslCert).send();
+      await superagent.get(`${this.baseUrl}/ping`).agent(this.createHttpsAgent()).send();
     } catch (error) {
       const err = error as Error;
       debugLogger('Failed to ping enclaved express: %s', err.message);
@@ -64,13 +81,7 @@ export class EnclavedExpressClient {
       debugLogger('Creating independent keychain for coin: %s', this.coin);
       const { body: keychain } = await superagent
         .post(`${this.baseUrl}/api/${this.coin}/key/independent`)
-        .ca(this.sslCert)
-        .agent(
-          new https.Agent({
-            rejectUnauthorized: this.tlsMode === TlsMode.MTLS,
-            ca: this.sslCert,
-          }),
-        )
+        .agent(this.createHttpsAgent())
         .type('json')
         .send(params);
 

src/masterExpressApp.ts

@@ -11,13 +11,11 @@ import { MasterExpressConfig, config, isMasterExpressConfig, TlsMode } from './c
 import { BitGoRequest } from './types/request';
 import {
   setupLogging,
-  setupDebugNamespaces,
   setupCommonMiddleware,
   createErrorHandler,
   createHttpServer,
   configureServerTimeouts,
   prepareIpc,
-  readCertificates,
   setupHealthCheckRoutes,
   createMtlsMiddleware,
 } from './shared/appUtils';
@@ -117,27 +115,16 @@ async function createHttpsServer(
   app: express.Application,
   config: MasterExpressConfig,
 ): Promise<https.Server> {
-  const { keyPath, crtPath, tlsKey, tlsCert, tlsMode, mtlsRequestCert } = config;
-  let key: string;
-  let cert: string;
-
-  if (tlsKey && tlsCert) {
-    key = tlsKey;
-    cert = tlsCert;
-    logger.info('Using TLS key and cert from environment variables');
-  } else if (keyPath && crtPath) {
-    const certificates = await readCertificates(keyPath, crtPath);
-    key = certificates.key;
-    cert = certificates.cert;
-    logger.info(`Using TLS key and cert from files: ${keyPath}, ${crtPath}`);
-  } else {
-    throw new Error('Failed to get TLS key and certificate');
+  const { tlsKey, tlsCert, tlsMode, mtlsRequestCert } = config;
+
+  if (!tlsKey || !tlsCert) {
+    throw new Error('TLS key and certificate must be provided for HTTPS server');
   }
 
   const httpsOptions: https.ServerOptions = {
     secureOptions: SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
-    key,
-    cert,
+    key: tlsKey,
+    cert: tlsCert,
     // Only request cert if mTLS is enabled AND we want to request certs
     // This prevents TLS handshake failures when no cert is provided
     requestCert: tlsMode === TlsMode.MTLS && mtlsRequestCert,
@@ -241,7 +228,6 @@ export function app(cfg: MasterExpressConfig): express.Application {
   setupLogging(app, cfg);
   logger.debug('logging setup');
 
-  setupDebugNamespaces(cfg.debugNamespace);
   setupCommonMiddleware(app, cfg);
 
   // Add mTLS middleware before routes if in mTLS mode

src/shared/appUtils.ts

@@ -6,7 +6,6 @@ import morgan from 'morgan';
 import fs from 'fs';
 import timeout from 'connect-timeout';
 import bodyParser from 'body-parser';
-import _ from 'lodash';
 import pjson from '../../package.json';
 import logger from '../logger';
 
@@ -32,19 +31,6 @@ export function setupLogging(app: express.Application, config: Config): void {
   app.use(middleware);
 }
 
-/**
- * Setup debug namespaces
- */
-export function setupDebugNamespaces(debugNamespace?: string[]): void {
-  if (_.isArray(debugNamespace)) {
-    for (const ns of debugNamespace) {
-      if (ns) {
-        logger.debug(`Enabling debug namespace: ${ns}`);
-      }
-    }
-  }
-}
-
 /**
  * Create common Express middleware
  */
@@ -215,3 +201,33 @@ export function createMtlsMiddleware(config: {
     next();
   };
 }
+
+/**
+ * Validate that TLS certificates are properly loaded when TLS is enabled
+ */
+export function validateTlsCertificates(config: {
+  tlsMode: TlsMode;
+  tlsKey?: string;
+  tlsCert?: string;
+}): void {
+  if (config.tlsMode !== TlsMode.DISABLED) {
+    if (!config.tlsKey || !config.tlsCert) {
+      throw new Error('TLS is enabled but certificates are not properly loaded');
+    }
+  }
+}
+
+/**
+ * Validate Master Express configuration
+ */
+export function validateMasterExpressConfig(config: {
+  enclavedExpressUrl: string;
+  enclavedExpressCert: string;
+}): void {
+  if (!config.enclavedExpressUrl) {
+    throw new Error('ENCLAVED_EXPRESS_URL is required for Master Express mode');
+  }
+  if (!config.enclavedExpressCert) {
+    throw new Error('ENCLAVED_EXPRESS_CERT is required for Master Express mode');
+  }
+}