chore(mbe, awm): remove fallback client mtls config

Ticket: WP-5523

Author: pranavjain97

README.md

@@ -76,7 +76,7 @@ Both modes use the same TLS configuration variables:
 - `AWM_SERVER_CA_CERT_PATH` - Path to the CA certificate to verify the AWM server (required when TLS_MODE=mtls)
 - `AWM_SERVER_CA_CERT` - The CA certificate as a string (alternative to `_PATH`)
 - `AWM_SERVER_CERT_ALLOW_SELF_SIGNED` - Allow self-signed certificates from the AWM (default: false)
-- **Fallback:** If client certs are not provided, `SERVER_TLS_KEY_PATH` and `SERVER_TLS_CERT_PATH` are used
+- **Required:** Client certificates must be explicitly provided for outbound mTLS connections
 
 #### Outbound mTLS to KMS (AWM Mode only)
 
@@ -87,7 +87,7 @@ Both modes use the same TLS configuration variables:
 - `KMS_SERVER_CA_CERT_PATH` - Path to the CA certificate to verify the KMS server (required when TLS_MODE=mtls)
 - `KMS_SERVER_CA_CERT` - The CA certificate as a string (alternative to `_PATH`)
 - `KMS_SERVER_CERT_ALLOW_SELF_SIGNED` - Allow self-signed certificates from the KMS (default: false)
-- **Fallback:** If client certs are not provided, `SERVER_TLS_KEY_PATH` and `SERVER_TLS_CERT_PATH` are used
+- **Required:** Client certificates must be explicitly provided for outbound mTLS connections
 
 ### Logging and Debug
 
@@ -175,6 +175,8 @@ export MTLS_ALLOWED_CLIENT_FINGERPRINTS=ABC123...,DEF456...
 npm start
 ```
 
+**Note:** Client certificates for outbound connections must be separate from server certificates for security reasons.
+
 #### Master Express (Production)
 
 ```bash
@@ -190,6 +192,8 @@ export CLIENT_CERT_ALLOW_SELF_SIGNED=false
 npm start
 ```
 
+**Note:** Client certificates for outbound connections must be separate from server certificates for security reasons.
+
 ## Container Deployment with Podman
 
 First, build the container image:

src/__tests__/config.test.ts

@@ -11,6 +11,10 @@ describe('Configuration', () => {
   const originalEnv = process.env;
   const mockTlsKey = '-----BEGIN PRIVATE KEY-----\nMOCK_KEY\n-----END PRIVATE KEY-----';
   const mockTlsCert = '-----BEGIN CERTIFICATE-----\nMOCK_CERT\n-----END CERTIFICATE-----';
+  const mockClientTlsKey =
+    '-----BEGIN PRIVATE KEY-----\nMOCK_CLIENT_KEY\n-----END PRIVATE KEY-----';
+  const mockClientTlsCert =
+    '-----BEGIN CERTIFICATE-----\nMOCK_CLIENT_CERT\n-----END CERTIFICATE-----';
 
   beforeEach(() => {
     // Reset to original environment and clear all relevant variables
@@ -39,6 +43,16 @@ describe('Configuration', () => {
     delete process.env.BITGO_CUSTOM_BITCOIN_NETWORK;
     delete process.env.SERVER_TLS_KEY_PATH;
     delete process.env.SERVER_TLS_CERT_PATH;
+    delete process.env.KMS_CLIENT_TLS_KEY;
+    delete process.env.KMS_CLIENT_TLS_CERT;
+    delete process.env.KMS_CLIENT_TLS_KEY_PATH;
+    delete process.env.KMS_CLIENT_TLS_CERT_PATH;
+    delete process.env.AWM_CLIENT_TLS_KEY;
+    delete process.env.AWM_CLIENT_TLS_CERT;
+    delete process.env.AWM_CLIENT_TLS_KEY_PATH;
+    delete process.env.AWM_CLIENT_TLS_CERT_PATH;
+    delete process.env.KMS_SERVER_CA_CERT_PATH;
+    delete process.env.RECOVERY_MODE;
   });
 
   after(() => {
@@ -67,6 +81,8 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.SERVER_TLS_KEY = mockTlsKey;
       process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.KMS_CLIENT_TLS_CERT = mockClientTlsCert;
       process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
         __dirname,
         'mocks/certs/test-ssl-cert.pem',
@@ -89,6 +105,8 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.SERVER_TLS_KEY = mockTlsKey;
       process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.KMS_CLIENT_TLS_CERT = mockClientTlsCert;
       process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
         __dirname,
         'mocks/certs/test-ssl-cert.pem',
@@ -107,6 +125,8 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.SERVER_TLS_KEY = mockTlsKey;
       process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.KMS_CLIENT_TLS_CERT = mockClientTlsCert;
       process.env.RECOVERY_MODE = 'true';
       process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
         __dirname,
@@ -120,6 +140,8 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.SERVER_TLS_KEY = mockTlsKey;
       process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.KMS_CLIENT_TLS_CERT = mockClientTlsCert;
       process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
         __dirname,
         'mocks/certs/test-ssl-cert.pem',
@@ -167,6 +189,8 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.SERVER_TLS_KEY = mockTlsKey;
       process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.KMS_CLIENT_TLS_CERT = mockClientTlsCert;
       process.env.MTLS_ALLOWED_CLIENT_FINGERPRINTS = 'ABC123,DEF456';
       process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
         __dirname,
@@ -226,6 +250,8 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.SERVER_TLS_KEY = mockTlsKey;
       process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.KMS_CLIENT_TLS_CERT = mockClientTlsCert;
       process.env.HTTP_LOGFILE = '/tmp/test-http-access.log';
       process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
         __dirname,
@@ -246,6 +272,21 @@ describe('Configuration', () => {
         'KMS_SERVER_CA_CERT_PATH is required when TLS mode is MTLS',
       );
     });
+
+    it('should throw error when same certificate is used for server and client TLS', () => {
+      process.env.KMS_URL = 'http://localhost:3000';
+      process.env.SERVER_TLS_KEY = mockTlsKey;
+      process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.KMS_CLIENT_TLS_KEY = mockTlsKey; // Same as server key
+      process.env.KMS_CLIENT_TLS_CERT = mockTlsCert; // Same as server cert
+      process.env.KMS_SERVER_CA_CERT_PATH = path.resolve(
+        __dirname,
+        'mocks/certs/test-ssl-cert.pem',
+      );
+      (() => initConfig()).should.throw(
+        'KMS_CLIENT_TLS_KEY_PATH and KMS_CLIENT_TLS_CERT_PATH (or KMS_CLIENT_TLS_KEY and KMS_CLIENT_TLS_CERT) are required for outbound mTLS connections to KMS. Client certificates cannot reuse server certificates for security reasons.',
+      );
+    });
   });
 
   describe('Master Express Mode', () => {
@@ -258,6 +299,8 @@ describe('Configuration', () => {
       );
       process.env.SERVER_TLS_CERT_PATH = path.resolve(__dirname, 'mocks/certs/test-ssl-cert.pem');
       process.env.SERVER_TLS_KEY_PATH = path.resolve(__dirname, 'mocks/certs/test-ssl-key.pem');
+      process.env.AWM_CLIENT_TLS_KEY = mockClientTlsKey;
+      process.env.AWM_CLIENT_TLS_CERT = mockClientTlsCert;
     });
 
     it('should use default configuration when minimal environment variables are set', () => {
@@ -404,5 +447,15 @@ describe('Configuration', () => {
         cfg.httpLoggerFile.should.equal('/tmp/test-http-access.log');
       }
     });
+
+    it('should throw error when same certificate is used for server and client TLS in Master Express mode', () => {
+      process.env.SERVER_TLS_KEY = mockTlsKey;
+      process.env.SERVER_TLS_CERT = mockTlsCert;
+      process.env.AWM_CLIENT_TLS_KEY = mockTlsKey; // Same as server key
+      process.env.AWM_CLIENT_TLS_CERT = mockTlsCert; // Same as server cert
+      (() => initConfig()).should.throw(
+        'AWM_CLIENT_TLS_KEY_PATH and AWM_CLIENT_TLS_CERT_PATH (or AWM_CLIENT_TLS_KEY and AWM_CLIENT_TLS_CERT) are required for outbound mTLS connections to Advanced Wallet Manager. Client certificates cannot reuse server certificates for security reasons.',
+      );
+    });
   });
 });

src/__tests__/mocks/certs/client.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9TCCAt2gAwIBAgIUKCkJ6fcl2+2EsK0n9v7iqGu1qgIwDQYJKoZIhvcNAQEL
+BQAwgYkxCzAJBgNVBAYTAkNBMQswCQYDVQQIDAJPTjEQMA4GA1UEBwwHVG9yb250
+bzEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDDAZQ
+cmFuYXYxJzAlBgkqhkiG9w0BCQEWGHByYW5hdmphaW4xMTk3QGdtYWlsLmNvbTAe
+Fw0yNTA4MDEyMjE4MTVaFw0yNjA4MDEyMjE4MTVaMIGJMQswCQYDVQQGEwJDQTEL
+MAkGA1UECAwCT04xEDAOBgNVBAcMB1Rvcm9udG8xITAfBgNVBAoMGEludGVybmV0
+IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGUHJhbmF2MScwJQYJKoZIhvcNAQkB
+FhhwcmFuYXZqYWluMTE5N0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC+QfWH5GbQidrIawVbjZ7RL/uZtF7wbmacER2wYlOO7Ib+Je1h
+03P3BQlI5bTBE3KkxrwDqycxWk/MA9hj2VT1tL3+bE/yuYVaOgGN4fiibG9Cc8MG
+MrWsZKRvP5Hy/ZUobVfLAPXvpUKM+nf//MaO6x9F/9TEwIb9rqfoD+bynL1s2LhR
+wr2ppYZXoOmdS/yhEiXloX4fO//5ivC/1zpt6bYaqdA2WAkBHyM24LOm02lJvRV+
+oq5dFxH0c0YCAEe05QfVLXgb/S/JTpxfOlabAVomb9+9ESOpEWqCyOo3U3QaSh49
+FdCUGFnaZHXc4324E/La955dSdeziLlDKXrdAgMBAAGjUzBRMB0GA1UdDgQWBBSe
+jCcPNqJHmbsXhsdKaJj9BUIhfTAfBgNVHSMEGDAWgBSejCcPNqJHmbsXhsdKaJj9
+BUIhfTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQARJW7QnfwS
+afy2M9ShDC7mqVa54LOaT6Ics+QYRPvJIRazlkODGm/n49rYZatgUNN1ouK6m7xk
+HuycnsWFZKly+w0/ugoe9fK59KUJCFNtPlTrAmJM4/x2yzSky/XlqEt0n8L8U8N1
+dbWcIC8EWNcUVKCKiS8ecoOm4G34I7YFOc5JwqEPJwfaQ76EHTKwEQe3MtM+wZaQ
+TrSm8WuYwlio53nyoyHHNGnJLKuN9DjOp9VdAtJcgCU8TutlKxAn1aDixrjcuzrk
+cqxn97OnE6eXsHurFY193lFs0HWpIAztXhjdtLjFJy68nVVmPcWAAWbcu4JhbBUX
+jZJ7DNuCDOoV
+-----END CERTIFICATE-----

src/__tests__/mocks/certs/client.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+QfWH5GbQidrI
+awVbjZ7RL/uZtF7wbmacER2wYlOO7Ib+Je1h03P3BQlI5bTBE3KkxrwDqycxWk/M
+A9hj2VT1tL3+bE/yuYVaOgGN4fiibG9Cc8MGMrWsZKRvP5Hy/ZUobVfLAPXvpUKM
++nf//MaO6x9F/9TEwIb9rqfoD+bynL1s2LhRwr2ppYZXoOmdS/yhEiXloX4fO//5
+ivC/1zpt6bYaqdA2WAkBHyM24LOm02lJvRV+oq5dFxH0c0YCAEe05QfVLXgb/S/J
+TpxfOlabAVomb9+9ESOpEWqCyOo3U3QaSh49FdCUGFnaZHXc4324E/La955dSdez
+iLlDKXrdAgMBAAECggEASWNI8eekzxj1xuwdL3EDy14OV34vRt/W/alOgeyTnaRX
+9+2qUNtPNn//Ulqkq/sz9CJigKnC3vMep6vuCqnY70QOK3cdKZvtN937Hn8FOKXK
+DuB3YEssL7jMgssLIac2I1d2D2yp8QwWjSnKIvieoJ9KO2aQ7Gn1SCJYSxfjNj6b
+Z4BBnLgfOZebf2zDnXOnfee35v00zLw6EFyMhdwPNEwy505M32EQLu6qyPllSG4a
+srlqRsOMyo5iWEV7P8EBzquaWDB/B9PZWkG9JTokaXPFQJnX6Kn5ha5wcuoKBdVy
+R0mgPgtfhpvN2Ott4YQdIuo2PTfpc/Y1cTqRTuKWowKBgQDz9F8CmauFHmzrCp6n
+cZcW+Z2kUbjI25qat53G4QHAVIcWhMyQaAi+9dbVAuH9r3f1BWb8TcCJ+ut5fONL
+WR4oJpgeG6UVMaF15HqSj2FDic1JzY2jWtbKKiytRXlPCNGeCftQalZzsJtTI0Bl
+TqFj32flI+ZsfJR3v+9a6Nr14wKBgQDHptlyggV9TCXtSCfLAbaUJeqOVymTymrr
+qMcnYp99jHy7tmZIdmULxkeyF54uAX1/xc+nvSGFIO09rH3nEnZovDnvbFPpiFZb
+bNMxmGahW4//boTFSFRxxecknDBcUin0b8YjQER6i4tHtj3qUUjvW/J1XlWzZo1z
+cPF4oI6oPwKBgQDw9jaGXf0iHrxcqP+uyq7/XY1NSf8oPmmGWsl4MLXHIHbSUlew
+Z2IEJNWPTyqjphbpqO1hVvdQEs1WEXp86Ui1RfHJA2ta9MvTo9tCOmdLC6j/Ng6q
+BMbVpzS77Tx2SXKrFJbshixgV1gElXQ83J7jBD8eAQjPrXoEkku80vW8GwKBgGmC
+SWP0RoZi2aA+A5mK/DvqlbxHX9eUn1COz0CHJBYrSjfBOuiMePXyAS2iwZs6emIt
+3YGdt7stHXL8V0ToQt8yqcNXkjjWLhz+s9V/3qzjQIQSmePQR6Agn/h++iev3DAr
+aaBzdDz2xdJOAwZzkoG8K7PO+KdoSNR7GYFQCFPtAoGAFlvGvoX6WvQ47AwmVLgk
+gBfe1nruqVyz7kubWsy/V2iAkzMcWUUrcvpZgqAy9pRJlWs1wM91SjtFbZ+/UPwQ
+HGCGuclXo89b5uCTYVA0B2PxivY9F+RcQtTJZvTGBGIAC5m1+EqR9pVWY9527WD6
+7/MjOwPWTPT7j0jwBkXTo1w=
+-----END PRIVATE KEY-----

src/__tests__/mocks/certs/test-ssl-cert.pem

@@ -1,19 +1,3 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAfGgAwIBAgIUYN0EUBLwq7uoLwDuTx7gDW0HS2UwDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDUxNDIxMTUzMVoXDTI2MDUx
-NDIxMTUzMVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAmxdCF7xCJcE6yyG+wrdhHMwRiQxbhDLW/hiKQcO/nn7z
-QMM9LAV04+WG5LCmm0ygocbfXXhfWn5D6SSSESKTb8dbSj6AJbLSmYjA5vDSzh9R
-rO9GzNTDCDne+epo+rN4BOjGh7K83naLei/bEfmklMp7x+TyoBC8Ps/3Eq4HOJfd
-UzgV2L3oC/4dCbAnkgK2zanL8KEaH6aM0HytIaqMFYLBs2t8s7HHHcSEadHfjlJu
-GwTmTS0nVhJBWYJvF6Pv/SwLFuSo93TJybaMMUSF3oJK35NEYXg6EtibJLUC9RvX
-FVLytRA5z+x7FBnGBdi4ctMseecokV4u15ePCB3MXwIDAQABo1MwUTAdBgNVHQ4E
-FgQUxHrQZFFBfTfuXeOOoXmHZQ8E6rswHwYDVR0jBBgwFoAUxHrQZFFBfTfuXeOO
-oXmHZQ8E6rswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAj0hy
-bwWh2B26cR0ADhuDC0MtGPBH0BrHypJEZ96nUPTY4oxRrjZusgdq60ooqsNyIW6k
-cZHkajC/O0V6hnV4yMhLE8ZwA+31iyQakonpT5N1OON4Ddv9Bfvx8xOn75x/+RP+
-GlAa31XxivryIi/5y7MEI0PwU34T/6bbMWdBaFRQtbuIXJ/90AZ0fBwIV0vJWjaO
-1DriZAJe7hl63ZUw6CsfutpoyKkanF5GQB2CpolR3t1oeHwuDbZ550p1g2XFB6UI
-9W+zlggQFeAnthzMoi3erO4sQ3j2b15QLZbk1HXHZcn3+89QcvdUcpG0u51bZdFW
-SJ+bnT3TZ9H+szoa1w==
+MOCK_CERT_CONTENT
 -----END CERTIFICATE-----

src/initConfig.ts

@@ -105,6 +105,8 @@ function advancedWalletManagerEnvConfig(): Partial<AdvancedWalletManagerConfig>
     kmsServerCaCertPath: readEnvVar('KMS_SERVER_CA_CERT_PATH'),
     kmsClientTlsKeyPath: readEnvVar('KMS_CLIENT_TLS_KEY_PATH'),
     kmsClientTlsCertPath: readEnvVar('KMS_CLIENT_TLS_CERT_PATH'),
+    kmsClientTlsKey: readEnvVar('KMS_CLIENT_TLS_KEY'),
+    kmsClientTlsCert: readEnvVar('KMS_CLIENT_TLS_CERT'),
     kmsServerCertAllowSelfSigned: readEnvVar('KMS_SERVER_CERT_ALLOW_SELF_SIGNED') === 'true',
     // mTLS server settings
     serverTlsKeyPath: readEnvVar('SERVER_TLS_KEY_PATH'),
@@ -227,12 +229,13 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
       }
     }
 
-    // Fallback to server certs if client certs are not provided
-    if (!config.kmsClientTlsKey) {
-      config.kmsClientTlsKey = config.serverTlsKey;
-    }
-    if (!config.kmsClientTlsCert) {
-      config.kmsClientTlsCert = config.serverTlsCert;
+    // Validate that client certificates are provided for outbound mTLS connections
+    if (config.tlsMode === TlsMode.MTLS) {
+      if (!config.kmsClientTlsKey || !config.kmsClientTlsCert) {
+        throw new Error(
+          'KMS_CLIENT_TLS_KEY_PATH and KMS_CLIENT_TLS_CERT_PATH (or KMS_CLIENT_TLS_KEY and KMS_CLIENT_TLS_CERT) are required for outbound mTLS connections to KMS. Client certificates cannot reuse server certificates for security reasons.',
+        );
+      }
     }
 
     // Validate that certificates are properly loaded when TLS is enabled
@@ -310,6 +313,8 @@ function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
     awmServerCaCertPath: awmServerCaCertPath,
     awmClientTlsKeyPath: readEnvVar('AWM_CLIENT_TLS_KEY_PATH'),
     awmClientTlsCertPath: readEnvVar('AWM_CLIENT_TLS_CERT_PATH'),
+    awmClientTlsKey: readEnvVar('AWM_CLIENT_TLS_KEY'),
+    awmClientTlsCert: readEnvVar('AWM_CLIENT_TLS_CERT'),
     awmServerCertAllowSelfSigned,
     customBitcoinNetwork: readEnvVar('BITGO_CUSTOM_BITCOIN_NETWORK'),
     // mTLS server settings
@@ -468,12 +473,13 @@ export function configureMasterExpressMode(): MasterExpressConfig {
 
   logger.info('==========================');
 
-  // Fallback to server certs if client certs are not provided
-  if (!config.awmClientTlsKey) {
-    config.awmClientTlsKey = config.serverTlsKey;
-  }
-  if (!config.awmClientTlsCert) {
-    config.awmClientTlsCert = config.serverTlsCert;
+  // Validate that client certificates are provided for outbound mTLS connections
+  if (config.tlsMode === TlsMode.MTLS) {
+    if (!config.awmClientTlsKey || !config.awmClientTlsCert) {
+      throw new Error(
+        'AWM_CLIENT_TLS_KEY_PATH and AWM_CLIENT_TLS_CERT_PATH (or AWM_CLIENT_TLS_KEY and AWM_CLIENT_TLS_CERT) are required for outbound mTLS connections to Advanced Wallet Manager. Client certificates cannot reuse server certificates for security reasons.',
+      );
+    }
   }
 
   // Validate Master Express configuration