chore: consolidate all configs to mTLS

Ticket: WP=4663

Author: pranavjain97

.gitignore

@@ -1,4 +1,5 @@
 dist/
 node_modules/
 coverage/
-.idea/
+.idea/
+logs/

README.md

@@ -1,14 +1,13 @@
 # Enclaved Express
 
-Enclaved Express is a secure signer implementation for cryptocurrency operations. It's designed to run in a secure enclave environment with flexible security options.
+Enclaved Express is a secure signer implementation for cryptocurrency operations. It's designed to run in a secure enclave environment with mTLS security.
 
 ## Overview
 
 This module provides a lightweight, dedicated signing server with these features:
 
 - Focused on signing operations only - no BitGo API dependencies
-- Optional TLS security for secure connections
-- Client certificate validation when operating in mTLS mode
+- mTLS security for secure connections with client certificate validation
 - Simple configuration and deployment
 
 ## Supported Operations
@@ -39,22 +38,39 @@ Configuration is done via environment variables:
 - `BITGO_BIND` - Address to bind to (default: localhost)
 - `BITGO_TIMEOUT` - Request timeout in milliseconds (default: 305000)
 
-### TLS Settings
+### mTLS Settings
 
-- `MASTER_BITGO_EXPRESS_KEYPATH` - Path to server key file (required for TLS)
-- `MASTER_BITGO_EXPRESS_CRTPATH` - Path to server certificate file (required for TLS)
-- `MTLS_ENABLED` - Enable mTLS mode (default: false)
-- `MTLS_REQUEST_CERT` - Whether to request client certificates (default: false)
-- `MTLS_REJECT_UNAUTHORIZED` - Whether to reject unauthorized connections (default: false)
+#### Enclaved Mode
+
+- `MASTER_BITGO_EXPRESS_KEYPATH` - Path to server key file (required)
+- `MASTER_BITGO_EXPRESS_CRTPATH` - Path to server certificate file (required)
+- `MASTER_BITGO_EXPRESS_TLS_KEY` - Server key content (alternative to keyPath)
+- `MASTER_BITGO_EXPRESS_TLS_CERT` - Server certificate content (alternative to crtPath)
+- `MTLS_REQUEST_CERT` - Whether to request client certificates (default: true)
+- `MTLS_REJECT_UNAUTHORIZED` - Whether to reject unauthorized connections (default: true)
+- `MTLS_ALLOWED_CLIENT_FINGERPRINTS` - Comma-separated list of allowed client certificate fingerprints (optional)
+- `MASTER_BITGO_EXPRESS_DISABLE_TLS` - Disable TLS completely (default: false)
+
+#### Master Express Mode
+
+- `BITGO_KEYPATH` - Path to server key file (required)
+- `BITGO_CRTPATH` - Path to server certificate file (required)
+- `BITGO_TLS_KEY` - Server key content (alternative to keyPath)
+- `BITGO_TLS_CERT` - Server certificate content (alternative to crtPath)
+- `MTLS_REQUEST_CERT` - Whether to request client certificates (default: true)
+- `MTLS_REJECT_UNAUTHORIZED` - Whether to reject unauthorized connections (default: true)
 - `MTLS_ALLOWED_CLIENT_FINGERPRINTS` - Comma-separated list of allowed client certificate fingerprints (optional)
+- `MASTER_BITGO_EXPRESS_DISABLE_TLS` - Disable TLS completely (default: false)
 
 ### Master Express Settings
 
 - `BITGO_ENV` - Environment name (default: test)
-- `BITGO_ENABLE_SSL` - Enable SSL and certificate verification (default: true)
-- `BITGO_ENABLE_PROXY` - Enable proxy (default: true)
+- `BITGO_DISABLE_ENV_CHECK` - Disable environment check (default: true)
+- `BITGO_AUTH_VERSION` - Authentication version (default: 2)
 - `ENCLAVED_EXPRESS_URL` - URL of the enclaved express server (required)
 - `ENCLAVED_EXPRESS_SSL_CERT` - Path to the enclaved express server's SSL certificate (required)
+- `BITGO_CUSTOM_ROOT_URI` - Custom root URI for BitGo API
+- `BITGO_CUSTOM_BITCOIN_NETWORK` - Custom Bitcoin network
 
 ### Other Settings
 
@@ -63,25 +79,16 @@ Configuration is done via environment variables:
 
 ## Running Enclaved Express
 
-### Basic Setup (HTTP only)
-
-```bash
-yarn start --port 3080
-```
-
-### TLS Setup (with mTLS)
-
-For testing purposes, you can use self-signed certificates with relaxed verification:
+### Basic Setup (mTLS)
 
 ```bash
 APP_MODE=enclaved \
 ENCLAVED_EXPRESS_PORT=3080 \
 MASTER_BITGO_EXPRESS_BIND=localhost \
 MASTER_BITGO_EXPRESS_KEYPATH=./test-ssl-key.pem \
 MASTER_BITGO_EXPRESS_CRTPATH=./test-ssl-cert.pem \
-MTLS_ENABLED=true \
 MTLS_REQUEST_CERT=true \
-MTLS_REJECT_UNAUTHORIZED=false \
+MTLS_REJECT_UNAUTHORIZED=true \
 yarn start
 ```
 
@@ -98,7 +105,6 @@ BITGO_KEYPATH=./test-ssl-key.pem \
 BITGO_CRTPATH=./test-ssl-cert.pem \
 ENCLAVED_EXPRESS_URL=https://localhost:3080 \
 ENCLAVED_EXPRESS_SSL_CERT=./enclaved-express-cert.pem \
-BITGO_ENABLE_SSL=false \
 yarn start
 ```
 
@@ -109,22 +115,23 @@ yarn start
 - Uses both certificate and key files
 - The key file (`test-ssl-key.pem`) is used to prove the server's identity
 - The certificate file (`test-ssl-cert.pem`) is what the server presents to clients
+- Client certificates are required by default
+- Unauthorized connections are rejected by default
 
-### Client Side (Regular Express)
+### Client Side (Master Express)
 
-- For testing, only needs the server's certificate
-- `rejectUnauthorized: false` allows testing without strict certificate verification
-- In production, proper client certificates should be used
+- Must provide a valid client certificate
+- Server certificate must be trusted
+- Client certificate must be in the allowed fingerprints list (if specified)
 
 ## Security Considerations
 
-- The testing configuration (`MTLS_REJECT_UNAUTHORIZED=false`) should only be used in development
-- In production:
-  - Use proper CA-signed certificates
-  - Enable strict certificate verification
-  - Use client certificate allowlisting
-  - Keep private keys secure
-  - Regularly rotate certificates
+- Always use proper CA-signed certificates in production
+- Keep private keys secure
+- Regularly rotate certificates
+- Use client certificate allowlisting
+- Enable strict certificate verification
+- Never disable TLS in production
 
 ## Troubleshooting
 
@@ -135,17 +142,20 @@ yarn start
    - Ensure paths to certificate files are correct
    - Check file permissions on certificate files
    - Verify certificate format is correct
+   - Check that client certificates are valid and trusted
 
 2. **Connection Issues**
 
    - Verify ports are not in use
    - Check firewall settings
    - Ensure URLs are correct (including https:// prefix)
+   - Verify client certificates are properly configured
 
 3. **mTLS Errors**
-   - Verify mTLS is enabled on both sides
+   - Verify client certificates are valid
    - Check certificate configuration
    - Ensure client certificate is trusted by server
+   - Check that client certificate fingerprint is in allowlist (if specified)
 
 ## License
 

src/config.ts

@@ -47,22 +47,15 @@ const defaultEnclavedConfig: EnclavedConfig = {
   timeout: 305 * 1000,
   logFile: '',
   kmsUrl: '', // Will be overridden by environment variable
-  tlsMode: TlsMode.ENABLED,
-  mtlsRequestCert: false,
-  mtlsRejectUnauthorized: false,
+  tlsMode: TlsMode.MTLS,
+  mtlsRequestCert: true,
+  allowSelfSigned: false,
 };
 
 function determineTlsMode(): TlsMode {
   const disableTls = readEnvVar('MASTER_BITGO_EXPRESS_DISABLE_TLS') === 'true';
-  const mtlsEnabled = readEnvVar('MTLS_ENABLED') === 'true';
-
-  if (disableTls && mtlsEnabled) {
-    throw new Error('Cannot have both TLS disabled and mTLS enabled');
-  }
-
   if (disableTls) return TlsMode.DISABLED;
-  if (mtlsEnabled) return TlsMode.MTLS;
-  return TlsMode.ENABLED;
+  return TlsMode.MTLS;
 }
 
 function enclavedEnvConfig(): Partial<EnclavedConfig> {
@@ -86,16 +79,15 @@ function enclavedEnvConfig(): Partial<EnclavedConfig> {
     headersTimeout: Number(readEnvVar('MASTER_BITGO_EXPRESS_HEADERS_TIMEOUT')),
     // KMS settings
     kmsUrl,
-    // TLS settings
+    // mTLS settings
     keyPath: readEnvVar('MASTER_BITGO_EXPRESS_KEYPATH'),
     crtPath: readEnvVar('MASTER_BITGO_EXPRESS_CRTPATH'),
     tlsKey: readEnvVar('MASTER_BITGO_EXPRESS_TLS_KEY'),
     tlsCert: readEnvVar('MASTER_BITGO_EXPRESS_TLS_CERT'),
     tlsMode: determineTlsMode(),
-    // mTLS settings
-    mtlsRequestCert: readEnvVar('MTLS_REQUEST_CERT') === 'true',
-    mtlsRejectUnauthorized: readEnvVar('MTLS_REJECT_UNAUTHORIZED') === 'true',
+    mtlsRequestCert: readEnvVar('MTLS_REQUEST_CERT') !== 'false',
     mtlsAllowedClientFingerprints: readEnvVar('MTLS_ALLOWED_CLIENT_FINGERPRINTS')?.split(','),
+    allowSelfSigned: readEnvVar('ALLOW_SELF_SIGNED') === 'true',
   };
 }
 
@@ -125,8 +117,8 @@ function mergeEnclavedConfigs(...configs: Partial<EnclavedConfig>[]): EnclavedCo
     tlsCert: get('tlsCert'),
     tlsMode: get('tlsMode'),
     mtlsRequestCert: get('mtlsRequestCert'),
-    mtlsRejectUnauthorized: get('mtlsRejectUnauthorized'),
     mtlsAllowedClientFingerprints: get('mtlsAllowedClientFingerprints'),
+    allowSelfSigned: get('allowSelfSigned'),
   };
 }
 
@@ -166,12 +158,13 @@ const defaultMasterExpressConfig: MasterExpressConfig = {
   timeout: 305 * 1000,
   logFile: '',
   env: 'test',
-  enableSSL: true,
-  enableProxy: true,
   disableEnvCheck: true,
   authVersion: 2,
   enclavedExpressUrl: '', // Will be overridden by environment variable
-  enclavedExpressSSLCert: '', // Will be overridden by environment variable
+  enclavedExpressCert: '', // Will be overridden by environment variable
+  tlsMode: TlsMode.MTLS,
+  mtlsRequestCert: true,
+  allowSelfSigned: false,
 };
 
 function forceSecureUrl(url: string): string {
@@ -184,16 +177,14 @@ function forceSecureUrl(url: string): string {
 
 function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
   const enclavedExpressUrl = readEnvVar('ENCLAVED_EXPRESS_URL');
-  const enclavedExpressSSLCert = readEnvVar('ENCLAVED_EXPRESS_SSL_CERT');
+  const enclavedExpressCert = readEnvVar('ENCLAVED_EXPRESS_CERT');
 
   if (!enclavedExpressUrl) {
     throw new Error('ENCLAVED_EXPRESS_URL environment variable is required and cannot be empty');
   }
 
-  if (!enclavedExpressSSLCert) {
-    throw new Error(
-      'ENCLAVED_EXPRESS_SSL_CERT environment variable is required and cannot be empty',
-    );
+  if (!enclavedExpressCert) {
+    throw new Error('ENCLAVED_EXPRESS_CERT environment variable is required and cannot be empty');
   }
 
   return {
@@ -209,18 +200,20 @@ function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
     // BitGo API settings
     env: readEnvVar('BITGO_ENV') as EnvironmentName,
     customRootUri: readEnvVar('BITGO_CUSTOM_ROOT_URI'),
-    enableSSL: readEnvVar('BITGO_ENABLE_SSL') !== 'false', // Default to true unless explicitly set to false
-    enableProxy: readEnvVar('BITGO_ENABLE_PROXY') !== 'false', // Default to true unless explicitly set to false
     disableEnvCheck: readEnvVar('BITGO_DISABLE_ENV_CHECK') === 'true',
     authVersion: Number(readEnvVar('BITGO_AUTH_VERSION')),
     enclavedExpressUrl,
-    enclavedExpressSSLCert,
+    enclavedExpressCert,
     customBitcoinNetwork: readEnvVar('BITGO_CUSTOM_BITCOIN_NETWORK'),
-    // SSL settings
+    // mTLS settings
     keyPath: readEnvVar('BITGO_KEYPATH'),
     crtPath: readEnvVar('BITGO_CRTPATH'),
-    sslKey: readEnvVar('BITGO_SSL_KEY'),
-    sslCert: readEnvVar('BITGO_SSL_CERT'),
+    tlsKey: readEnvVar('BITGO_TLS_KEY'),
+    tlsCert: readEnvVar('BITGO_TLS_CERT'),
+    tlsMode: determineTlsMode(),
+    mtlsRequestCert: readEnvVar('MTLS_REQUEST_CERT') !== 'false',
+    mtlsAllowedClientFingerprints: readEnvVar('MTLS_ALLOWED_CLIENT_FINGERPRINTS')?.split(','),
+    allowSelfSigned: readEnvVar('ALLOW_SELF_SIGNED') === 'true',
   };
 }
 
@@ -247,50 +240,50 @@ function mergeMasterExpressConfigs(
     headersTimeout: get('headersTimeout'),
     env: get('env'),
     customRootUri: get('customRootUri'),
-    enableSSL: get('enableSSL'),
-    enableProxy: get('enableProxy'),
     disableEnvCheck: get('disableEnvCheck'),
     authVersion: get('authVersion'),
     enclavedExpressUrl: get('enclavedExpressUrl'),
-    enclavedExpressSSLCert: get('enclavedExpressSSLCert'),
+    enclavedExpressCert: get('enclavedExpressCert'),
     customBitcoinNetwork: get('customBitcoinNetwork'),
     keyPath: get('keyPath'),
     crtPath: get('crtPath'),
-    sslKey: get('sslKey'),
-    sslCert: get('sslCert'),
+    tlsKey: get('tlsKey'),
+    tlsCert: get('tlsCert'),
+    tlsMode: get('tlsMode'),
+    mtlsRequestCert: get('mtlsRequestCert'),
+    mtlsAllowedClientFingerprints: get('mtlsAllowedClientFingerprints'),
+    allowSelfSigned: get('allowSelfSigned'),
   };
 }
 
-function configureMasterExpressMode(): MasterExpressConfig {
+export function configureMasterExpressMode(): MasterExpressConfig {
   const env = masterExpressEnvConfig();
   let config = mergeMasterExpressConfigs(env);
 
-  // Post-process URLs if SSL is enabled
-  if (config.enableSSL) {
-    const updates: Partial<MasterExpressConfig> = {};
-    if (config.customRootUri) {
-      updates.customRootUri = forceSecureUrl(config.customRootUri);
-    }
-    if (config.enclavedExpressUrl) {
-      updates.enclavedExpressUrl = forceSecureUrl(config.enclavedExpressUrl);
-    }
-    config = { ...config, ...updates };
+  // Post-process URLs to ensure they use HTTPS
+  const updates: Partial<MasterExpressConfig> = {};
+  if (config.customRootUri) {
+    updates.customRootUri = forceSecureUrl(config.customRootUri);
+  }
+  if (config.enclavedExpressUrl) {
+    updates.enclavedExpressUrl = forceSecureUrl(config.enclavedExpressUrl);
   }
+  config = { ...config, ...updates };
 
-  // Handle SSL cert loading
-  if (config.enclavedExpressSSLCert) {
+  // Handle cert loading
+  if (config.enclavedExpressCert) {
     try {
-      if (fs.existsSync(config.enclavedExpressSSLCert)) {
+      if (fs.existsSync(config.enclavedExpressCert)) {
         config = {
           ...config,
-          enclavedExpressSSLCert: fs.readFileSync(config.enclavedExpressSSLCert, 'utf-8'),
+          enclavedExpressCert: fs.readFileSync(config.enclavedExpressCert, 'utf-8'),
         };
       } else {
-        throw new Error(`Certificate file not found: ${config.enclavedExpressSSLCert}`);
+        throw new Error(`Certificate file not found: ${config.enclavedExpressCert}`);
       }
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
-      throw new Error(`Failed to read enclaved express SSL cert: ${err.message}`);
+      throw new Error(`Failed to read enclaved express cert: ${err.message}`);
     }
   }