Merge pull request #103 from BitGo/WP-5522-allow-self-signed-cert

chore: update allowSelfSigned configs

Author: pranavjain97

README.md

@@ -46,6 +46,7 @@ Configuration is managed through environment variables:
 - `BITGO_CUSTOM_BITCOIN_NETWORK` - Custom Bitcoin network (optional)
 - `ADVANCED_WALLET_MANAGER_URL` - Advanced Wallet Manager URL (required)
 - `ADVANCED_WALLET_MANAGER_CERT` - Path to Advanced Wallet Manager certificate (required)
+- `AWM_SERVER_CERT_ALLOW_SELF_SIGNED` - Allow self-signed certificates from Advanced Wallet Manager (default: false)
 
 ### TLS/mTLS Configuration
 
@@ -70,15 +71,16 @@ Both modes use the same TLS configuration variables:
 #### mTLS Settings (when TLS_MODE=mtls)
 
 - `MTLS_REQUEST_CERT` - Request client certificates (default: true)
-- `ALLOW_SELF_SIGNED` - Allow self-signed certificates (default: false)
-- `MTLS_ALLOWED_CLIENT_FINGERPRINTS` - Comma-separated list of allowed client certificate fingerprints (optional)
+- `CLIENT_CERT_ALLOW_SELF_SIGNED` - Allow self-signed certificates for incoming client connections (default: false)
+- `MTLS_ALLOWED_CLIENT_FINGERPRINTS` - Comma-separated list of allowed fingerprints for incoming client connections (optional)
 
 #### Outbound mTLS to KMS
 
 - When `TLS_MODE=mtls`, outbound mTLS to KMS is enabled by default.
 - The same `TLS_CERT` and `TLS_KEY` are used as the client certificate and key for outbound mTLS requests to KMS.
 - `KMS_TLS_CERT_PATH` - Path to the CA certificate to verify the KMS server (required when outbound mTLS is enabled).
 - If `TLS_MODE=disabled`, outbound mTLS to KMS is also disabled by default.
+- `KMS_SERVER_CERT_ALLOW_SELF_SIGNED` - Allow self-signed certificates from the KMS (default: false)
 
 > **Note:** If you want to use a different client certificate for KMS, you will need to extend the configuration. By default, the same cert/key is used for both inbound and outbound mTLS.
 
@@ -105,10 +107,11 @@ openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/CN=loca
 ```bash
 export APP_MODE=advanced-wallet-manager
 export KMS_URL=https://your-kms-service
+export KMS_TLS_CERT_PATH=./server.crt
+export KMS_SERVER_CERT_ALLOW_SELF_SIGNED=true
 export TLS_KEY_PATH=./server.key
 export TLS_CERT_PATH=./server.crt
-export MTLS_REQUEST_CERT=true
-export ALLOW_SELF_SIGNED=true
+export CLIENT_CERT_ALLOW_SELF_SIGNED=true
 npm start
 ```
 
@@ -123,8 +126,8 @@ export TLS_KEY_PATH=./server.key
 export TLS_CERT_PATH=./server.crt
 export ADVANCED_WALLET_MANAGER_URL=https://localhost:3080
 export ADVANCED_WALLET_MANAGER_CERT=./server.crt
-export MTLS_REQUEST_CERT=false
-export ALLOW_SELF_SIGNED=true
+export AWM_SERVER_CERT_ALLOW_SELF_SIGNED=true
+export CLIENT_CERT_ALLOW_SELF_SIGNED=true
 npm start
 ```
 
@@ -141,7 +144,7 @@ curl -k -X POST https://localhost:3081/ping/advancedWalletManager
 ### Security Best Practices
 
 1. **Use CA-signed certificates** instead of self-signed
-2. **Set `ALLOW_SELF_SIGNED=false`** in production
+2. **Set `CLIENT_CERT_ALLOW_SELF_SIGNED=false`** in production
 3. **Configure client certificate allowlisting** with `MTLS_ALLOWED_CLIENT_FINGERPRINTS`
 4. **Use separate certificates** for each service
 5. **Regularly rotate certificates**
@@ -157,7 +160,7 @@ export KMS_URL=https://production-kms.example.com
 export TLS_KEY_PATH=/secure/path/advanced-wallet-manager.key
 export TLS_CERT_PATH=/secure/path/advanced-wallet-manager.crt
 export MTLS_REQUEST_CERT=true
-export ALLOW_SELF_SIGNED=false
+export CLIENT_CERT_ALLOW_SELF_SIGNED=false
 export MTLS_ALLOWED_CLIENT_FINGERPRINTS=ABC123...,DEF456...
 npm start
 ```
@@ -172,7 +175,7 @@ export TLS_CERT_PATH=/secure/path/master.crt
 export ADVANCED_WALLET_MANAGER_URL=https://advanced-wallet-manager.internal.example.com:3080
 export ADVANCED_WALLET_MANAGER_CERT=/secure/path/advanced-wallet-manager.crt
 export MTLS_REQUEST_CERT=true
-export ALLOW_SELF_SIGNED=false
+export CLIENT_CERT_ALLOW_SELF_SIGNED=false
 npm start
 ```
 
@@ -202,7 +205,7 @@ podman run -d \
   -e TLS_CERT_PATH=/app/certs/advanced-wallet-manager-cert.pem \
   -e KMS_URL=host.containers.internal:3000 \
   -e NODE_ENV=development \
-  -e ALLOW_SELF_SIGNED=true \
+  -e CLIENT_CERT_ALLOW_SELF_SIGNED=true \
   bitgo-onprem-express
 
 # View logs
@@ -222,7 +225,7 @@ podman run -d \
   -e TLS_CERT_PATH=/app/certs/test-ssl-cert.pem \
   -e ADVANCED_WALLET_MANAGER_URL=https://host.containers.internal:3080 \
   -e ADVANCED_WALLET_MANAGER_CERT=/app/certs/advanced-wallet-manager-cert.pem \
-  -e ALLOW_SELF_SIGNED=true \
+  -e CLIENT_CERT_ALLOW_SELF_SIGNED=true \
   bitgo-onprem-express
 
 # View logs
@@ -276,7 +279,7 @@ openssl x509 -in certificate.crt -text -noout
 #### 2. mTLS Authentication Failures
 
 - Verify client certificates are provided
-- Check `ALLOW_SELF_SIGNED` setting matches certificate type
+- Check `CLIENT_CERT_ALLOW_SELF_SIGNED` setting matches certificate type
 - Confirm client certificate fingerprints are in allowlist
 - Ensure both services use compatible TLS settings
 

src/__tests__/api/advancedWalletManager/kmsClient.test.ts

@@ -30,7 +30,7 @@ describe('postMpcV2Key', () => {
       httpLoggerFile: '',
       kmsUrl: kmsUrl,
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
     };
 
     // app setup

src/__tests__/api/advancedWalletManager/mpcFinalize.test.ts

@@ -29,7 +29,7 @@ describe('MPC Finalize', () => {
       httpLoggerFile: '',
       kmsUrl: kmsUrl,
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
     };
 
     app = enclavedApp(cfg);

src/__tests__/api/advancedWalletManager/mpcInitialize.test.ts

@@ -30,7 +30,7 @@ describe('MPC Initialize', () => {
       httpLoggerFile: '',
       kmsUrl: kmsUrl,
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
     };
 
     // configStub = sinon.stub(configModule, 'initConfig').returns(cfg);

src/__tests__/api/advancedWalletManager/nonRecovery.test.ts

@@ -18,7 +18,7 @@ describe('Non Recovery', () => {
     timeout: 60000,
     tlsMode: TlsMode.DISABLED,
     httpLoggerFile: '',
-    allowSelfSigned: true,
+    clientCertAllowSelfSigned: true,
     kmsUrl: 'kms.example.com',
   };
 

src/__tests__/api/advancedWalletManager/postIndependentKey.test.ts

@@ -36,7 +36,7 @@ describe('postIndependentKey', () => {
       httpLoggerFile: '',
       kmsUrl: kmsUrl,
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
     };
 
     // app setup

src/__tests__/api/advancedWalletManager/postMpcV2Key.test.ts

@@ -38,7 +38,7 @@ describe('postMpcV2Key', () => {
       httpLoggerFile: '',
       kmsUrl: kmsUrl,
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
     };
 
     configStub = sinon.stub(configModule, 'initConfig').returns(cfg);

src/__tests__/api/advancedWalletManager/recoveryMpcV2.test.ts

@@ -62,7 +62,7 @@ describe('recoveryMpcV2', async () => {
       kmsUrl: kmsUrl,
       httpLoggerFile: '',
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
       recoveryMode: true,
     };
 

src/__tests__/api/advancedWalletManager/recoveryMultisigTransaction.test.ts

@@ -20,7 +20,7 @@ describe('UTXO recovery', () => {
     timeout: 60000,
     httpLoggerFile: '',
     tlsMode: TlsMode.DISABLED,
-    allowSelfSigned: true,
+    clientCertAllowSelfSigned: true,
     kmsUrl: 'kms.example.com',
     recoveryMode: true,
   };

src/__tests__/api/advancedWalletManager/recoveryMusigEth.test.ts

@@ -39,7 +39,7 @@ describe('recoveryMultisigTransaction', () => {
       httpLoggerFile: '',
       kmsUrl: kmsUrl,
       tlsMode: TlsMode.DISABLED,
-      allowSelfSigned: true,
+      clientCertAllowSelfSigned: true,
       recoveryMode: true,
     };