chore: adding dev API endpoint to test client certificates

Author: jarrodek

dev-api/api-es.js

@@ -1,7 +1,10 @@
 import express from 'express';
 import session from 'express-session';
+import fs from 'fs';
+import path from 'path';
+import http from 'http';
+import https from 'https';
 import apiRouter from './routes.js';
-
 /* eslint-disable no-console */
 
 const app = express();
@@ -21,17 +24,25 @@ const sessionConfig = {
 app.use(session(sessionConfig));
 app.use('/v1', apiRouter);
 
-const portStr = process.argv.slice(2).find((arg) => arg.indexOf('--PORT') === 0);
-let port;
-if (!isNaN(portStr)) {
-  port = Number(portStr);
-} else {
-  port = 8080;
-}
+const findOpt = (name) => process.argv.slice(2).find((arg) => arg.indexOf(`--${name}`) === 0);
+const findPortValue = (name, defaultValue) => {
+  const str = findOpt(name);
+  if (isNaN(str)) {
+    return defaultValue;
+  }
+  return Number(str);
+};
+
+const port = findPortValue('PORT', 3080);
+const portSsl = findPortValue('SSLPORT', 3443);
+
 
 // Basic 404 handler
 app.use((req, res) => {
-  res.status(404).send('Not Found');
+  res.status(404).send({
+    error: true,
+    message: `Route ${req.url} not found`
+  });
 });
 
 // Basic error handler
@@ -43,7 +54,17 @@ app.use((err, req, res) => {
   });
 });
 
-const server = app.listen(port, () => {
-  const port = server.address().port;
-  console.info(`App listening on port ${port}`);
+const options = {
+  key: fs.readFileSync(path.join(__dirname, 'cc', 'server_key.pem')),
+  cert: fs.readFileSync(path.join(__dirname, 'cc', 'server_cert.pem')),
+  requestCert: true,
+  rejectUnauthorized: false,
+  ca: [fs.readFileSync(path.join(__dirname, 'cc', 'server_cert.pem'))],
+};
+
+http.createServer(app).listen(port, () => {
+  console.info(`HTTP listening on port ${port}`);
+});
+https.createServer(options, app).listen(portSsl, () => {
+  console.info(`HTTPS listening on port ${portSsl}`);
 });

dev-api/auth-basic.route.js

@@ -4,7 +4,7 @@ import { BaseApi } from './base-api.js';
 const router = express.Router();
 export default router;
 
-class AuthBaiscRoute extends BaseApi {
+class AuthBasicRoute extends BaseApi {
   sendUnauthorized(res) {
     res.status(401);
     res.set('WWW-Authenticate', 'Basic realm="This resource is protected"');
@@ -35,7 +35,7 @@ class AuthBaiscRoute extends BaseApi {
   }
 }
 
-const api = new AuthBaiscRoute();
+const api = new AuthBasicRoute();
 api.setCors(router);
 api.wrapApi(router, [
   ['/:username/:password', 'requireAuthorized'],

dev-api/auth-cc.route.js

@@ -0,0 +1,55 @@
+import express from 'express';
+import { BaseApi } from './base-api.js';
+
+const router = express.Router();
+export default router;
+
+class AuthCcRoute extends BaseApi {
+  sendUnauthorized(res) {
+    res.status(401);
+    res.set('WWW-Authenticate', 'Basic realm="This resource is protected"');
+    res.send('Auth required');
+  }
+
+  requireAuthorized(req, res) {
+    if (typeof req.socket.getPeerCertificate !== 'function') {
+      this.sendError(res, 'SSL connection is required.');
+      return;
+    }
+    const cert = req.socket.getPeerCertificate();
+    let status;
+    let message;
+    if (req.client.authorized) {
+      status = 200;
+      message = {
+        authenticated: true,
+        name: cert.subject.CN,
+        issuer: cert.issuer.CN,
+      };
+    } else if (cert.subject) {
+      status = 403;
+      message = {
+        authenticated: false,
+        name: cert.subject.CN,
+        issuer: cert.issuer.CN,
+      };
+    } else {
+      status = 401;
+      message = {
+        authenticated: false,
+        name: 'Unknown',
+        issuer: 'Unknown',
+      };
+    }
+    res.writeHead(status, {
+      'Content-Type': 'application/json; charset=UTF-8',
+    });
+    res.end(JSON.stringify(message));
+  }
+}
+
+const api = new AuthCcRoute();
+api.setCors(router);
+api.wrapApi(router, [
+  ['/', 'requireAuthorized'],
+]);

dev-api/cc/bob.p12

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEmDCCAoACCQDQPRzVnOSbujANBgkqhkiG9w0BAQUFADAOMQwwCgYDVQQDDANC
+b2IwHhcNMjAwMTMwMjIxNDE4WhcNMzAwMTI3MjIxNDE4WjAOMQwwCgYDVQQDDANC
+b2IwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDhVwZJi8R2LfQhvP7q
+TXNl76Y8aaMagBpgYoVwOhkIcZYlsr5Yq5tkUSOh9VB+TXNwG44mjpv3bUZHGTJ9
+R2aB5rFj/m+bkVWDwnl1eStbXEoKx4va004KWML9vAO76RxlhZu64tWfSgROrB5K
+jCKMuNwUUNPJOOAoQB91i0SE3LunDVKN6U01PPkyIAy4X63ImWDrQzXd8D9NN1Qq
+9ZmM4ovMqTwndZV1YkY3ZiZf4HFmGZzq8LwkpgObYqGLUeFXM0nueNulSs6TzN/o
+bmV7LiZ8sWsRHozzeaVfNIlAg4V1A5RY/K0H+HT2ySqRVUbHpns6aVbmRk+v646y
+95zJKIeeeWB4zjyD6wp2l8bO4GZe4knF9UFlHHrCDHrjIlzvtHpZlHXPOIo/y7zs
+AJLzmwduHFbid2rzQj5ObqSH5QrEvhvx2i2PAgHGhPWVyu+ESNFa5RnXYTkYN0OS
+cBCnr3qaiHHUnZZECwU/m+b7djyqmfFGmHTj/a7M6E500xlhFR9X468FXU/6cIn1
+9kIxkbHf4QsOaviH79Axxw5fQvx8PCx+qMQahhCk+vrDYZzCrCPyJhE2vkKPdEIH
+4YhvGyiwc1cR1XPCjeuQsQMhjRa2kBlz20TEUnhcZPQ2/5TX+rSy0IpeuG2ZknnH
+ruP8viYHWn2dPK2cZVjXITpeQQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAytQcL
+BcZvujS18/0s1p6mhlhdpSCqMmeFie8aFTvWsdPiC4RCgtEefGuKqg6VRkSPxTSW
+nkBZ3haSkYBhSUqhGGYUgmftLBb10QUb3FEX4FDZipj8g3qkZ/JBMMDtJaqVpMqN
+mFjkFgVW41nJmeVd1J+XLn+BygfW9cdlBF1E0QlgS1W0apKwzR57jw5rRJnasAdZ
+hWA/4K9sMkGThvakDFOcSMiUGsJyiNy9kXHnreqOSUzGbyYiryKWv8Mc9oGSysyH
+eA37/cVJKrzou2Tpq42AGQZVZFkc+kcYf4WbX5VnyAUUyZzkwZDFvHSOdt7d2quh
+zEnxJjPSms1DxMOVFCeJD2rcFnAtt2iDXjJT47x1zsN6rI2GAgSfS0G1vWIuc/A1
+FgbQQwS+AgD1YJmRIw41gq0rcVMtwZ4xZEGPRrvypuKcudY6aWvEnANHQfPnWfCC
+acPnPZ3mstzIsdCXKboRmppUQCFfVcst/JxPQO0luPRncujds5pEJhQBsw0WXApJ
+ITNg/cK/HSCg2uKGp1Z5OBkyiH8t0QEpLoB11KxSXaCJRbKquDabFTNvkTHZ8/Q6
+5NOhx9ioIPhRtwe5Hppq+BDZQk4dLE5Z++iehCDCzBhc7vUWH+T8LLWa3UrrI/9z
+QAmhJhQOHauxMLW2iW4GdWZ/AvK2ZiZKcAKkKA==
+-----END CERTIFICATE-----

dev-api/cc/bob_cert.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEUzCCAjsCAQAwDjEMMAoGA1UEAwwDQm9iMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEA4VcGSYvEdi30Ibz+6k1zZe+mPGmjGoAaYGKFcDoZCHGWJbK+
+WKubZFEjofVQfk1zcBuOJo6b921GRxkyfUdmgeaxY/5vm5FVg8J5dXkrW1xKCseL
+2tNOCljC/bwDu+kcZYWbuuLVn0oETqweSowijLjcFFDTyTjgKEAfdYtEhNy7pw1S
+jelNNTz5MiAMuF+tyJlg60M13fA/TTdUKvWZjOKLzKk8J3WVdWJGN2YmX+BxZhmc
+6vC8JKYDm2Khi1HhVzNJ7njbpUrOk8zf6G5ley4mfLFrER6M83mlXzSJQIOFdQOU
+WPytB/h09skqkVVGx6Z7OmlW5kZPr+uOsvecySiHnnlgeM48g+sKdpfGzuBmXuJJ
+xfVBZRx6wgx64yJc77R6WZR1zziKP8u87ACS85sHbhxW4ndq80I+Tm6kh+UKxL4b
+8dotjwIBxoT1lcrvhEjRWuUZ12E5GDdDknAQp696mohx1J2WRAsFP5vm+3Y8qpnx
+Rph04/2uzOhOdNMZYRUfV+OvBV1P+nCJ9fZCMZGx3+ELDmr4h+/QMccOX0L8fDws
+fqjEGoYQpPr6w2Gcwqwj8iYRNr5Cj3RCB+GIbxsosHNXEdVzwo3rkLEDIY0WtpAZ
+c9tExFJ4XGT0Nv+U1/q0stCKXrhtmZJ5x67j/L4mB1p9nTytnGVY1yE6XkECAwEA
+AaAAMA0GCSqGSIb3DQEBCwUAA4ICAQCQunBCVTlO7OaQmO+Nv8rRuKHDRJwEx7dv
+UC+YKViW85fo3+/vE6OKUEnc2Z2ol3pRSQxTVLlQO/SxLEB/bCa8+ghd11clHH3X
+n3aBD31eTBF9TUBBp6ng72NQDHno5KrQd0aW/rDbejy7RGqK2uKimvf9MhqXCcUk
+WUCTe2LM4tpkn2rxC27WaIVTUNYFrqNxXoII/rcWXxlYDHdUsxYC1iNy/9YNeKut
+mHYH7AzEI7PKEYGdlOhOSCT/HmeJ+4Kdy6ZPbSELdTZAy2QJcwT1VU2bap7WsDPC
+QlJnSkJo6B+lSd4LnwMFKSuTWKKhw27QJlRPDsjqlyHsbigK6SftzdToBjnYMSET
+RRIHyc1Caqo6CQrPRzD6qzFXgTyi/hLiMml2/ArQj7vtkP5Rj4ZUt63bD1lySUiu
+AfySW8amy6UU224Htir4lHX76R/uB2bdh8g1z2lo8dS0Mzn8a64CH/8xKWFnc6ey
+qBOI5sucInOYjUZpIIs4UxrRz9LQhuARMSGO4GOF3WeqsHbxU3qnWDA5Bt6epbnb
+BxGg9GS8XLT+rDFKY1ZZ0l3EzPQKClTc5OGYROvRYbZDpx/kI/66InNn/me+IGnC
+02P+/dxblgnTDj+T0X6scGqvptw6ze2u58t4q/LjN2lCGvNsqWY44dVAAnBC0MRc
+E7GjggNetA==
+-----END CERTIFICATE REQUEST-----

dev-api/cc/bob_csr.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDhVwZJi8R2LfQh
+vP7qTXNl76Y8aaMagBpgYoVwOhkIcZYlsr5Yq5tkUSOh9VB+TXNwG44mjpv3bUZH
+GTJ9R2aB5rFj/m+bkVWDwnl1eStbXEoKx4va004KWML9vAO76RxlhZu64tWfSgRO
+rB5KjCKMuNwUUNPJOOAoQB91i0SE3LunDVKN6U01PPkyIAy4X63ImWDrQzXd8D9N
+N1Qq9ZmM4ovMqTwndZV1YkY3ZiZf4HFmGZzq8LwkpgObYqGLUeFXM0nueNulSs6T
+zN/obmV7LiZ8sWsRHozzeaVfNIlAg4V1A5RY/K0H+HT2ySqRVUbHpns6aVbmRk+v
+646y95zJKIeeeWB4zjyD6wp2l8bO4GZe4knF9UFlHHrCDHrjIlzvtHpZlHXPOIo/
+y7zsAJLzmwduHFbid2rzQj5ObqSH5QrEvhvx2i2PAgHGhPWVyu+ESNFa5RnXYTkY
+N0OScBCnr3qaiHHUnZZECwU/m+b7djyqmfFGmHTj/a7M6E500xlhFR9X468FXU/6
+cIn19kIxkbHf4QsOaviH79Axxw5fQvx8PCx+qMQahhCk+vrDYZzCrCPyJhE2vkKP
+dEIH4YhvGyiwc1cR1XPCjeuQsQMhjRa2kBlz20TEUnhcZPQ2/5TX+rSy0IpeuG2Z
+knnHruP8viYHWn2dPK2cZVjXITpeQQIDAQABAoICAQC/B01XL9ue7BoYN+ZKrtnz
+QpREhrE0mADEUQEaQMZT+Cb3Um43MVOMWZTBiftw9yuzkEiTuzXRLZv0ThIVTmBC
+I1WilWH8GdrK1iStR8lPrA9A0CVpntR7xP+YprjrphTio79/USkT3mWEZDlRrTbk
+4RoBRvwji8nLlYCV3zh5Ab87QPoJQAyp40TGD5F5A/OJKS2Wg+W4fiDLzunVeVtw
+qeUl3RoXwYCwgF1SPZCumtDHY1M5gFefIfXQ1m5oc0N67wnv1hkuKRqzBW2T13LE
+WD1cW/OOEb4f8bIV4a2xOU38AsrSHXJ6XVCanbMufYKBYkr5G7AFivmnAyR3553K
++wxsCTmdrpxiXieSeTiKI05PI2uJheahHofmN1/TuuopvSJiGsj4irXRVqiyPot6
+XcsHurH+baL4QPCz/vRKtscEKRmH1eCSHjNV0ehajUVXWC9VaYEWlCpcCmjolIih
+eK/a3o4Kxtrs9qKq1EwdR7ClwDfOxp1gfzNE4Pg6RB+5u/VWk0aez/sJ6ISQtzxp
+c13Bhzm097P6j7yNaYDNFPRXjpsQbKKvqY//7TRUMWK0BFBBZuroHuWDO1wxidG2
+vez945xgo0/y0Df/eYEMtaGk3yw0A/iKzsfnlVBKvGAfmXsIcylvAAm7WJV7MwBJ
+sA4YcR17BvUauOPMHx84AQKCAQEA8P34LwK9jXkNVzrZT+YRTdaC3dTKV3GWUKbY
+QPYsCvrLT1SpV1xKBgd52G2rdGV4Bu3CwuKfGr63lqEZB3ZDSKcnjQXyLgMN12Vr
+pkmYVrzoEQl2k0raW8kCYu+RDW8ofRb/9G55nbqYONAv/9RrpInreLg69gHBtcqN
+/1Vl1J5tNpUIIqbBYS+vGhy7/lM7W3jESS1CWqGtJ7wkikhSmFZJSAD0hMV7T+wD
+g+k79MCmCqqfAjP49gZ5s9qw2twFG3t2kasvf5l+9eCwK4FxMHyjdu+GsruoTYex
+MdZNcKqwYEXkL381L19lulBd5o7/BrZN67X7C2G0aw5Sns3T4QKCAQEA71+FJMSj
+SDywmKZC2DB+xzVlqavInrR4OpEf2QmZVwk1a2dvnRDhEayMHHUBF6znDdwHRrha
+G5hT8dUf4IMNkggzQgjq4CryadBXDIAMSJSuA/CiyJq+qaokf0EuvzuXPlONY4aR
+92GQvQ8mhj7hrEYnEYfcohI6EEkn+Kl1MYHPRo+bqPldESNtmBExnr1elrIRS322
+5fiIIy22O5MaXLJ4y16puUzxonb5czcV2CchKP9IsYQFN76+OiA6cHG+uCfZguNH
+JWwEbfEhTNsdtfkafqG5QVwdhklzOk46vpxR5TufwfZVkeYp4YCogsjFy3QlQkJ3
+sotr6H5N+f/WYQKCAQEAx9RgImMsWI4jEMzce5MzkA6qz1TuP5oRYWkn8p3uIWCa
+i3qRPL5rJxq130/5Fvg4kc4/bChMc/nm88E7puNaoXjxo89lZN/lb1FK9UUbS/ky
+mUX2i+ZKsEc6cl1iMviUYz1aGg4tTCv4o0uGMaWraHFwztY9FdaZEKwYGLxwRuDj
+gJoNd+Y8feDzWjyvahEMLCo04NTlq49arJMm3X9g9a6+7zTTjPDP8pKqy4vvymCg
+jkGyvjnoW+E8s3VIpwJAPeyfgeSn6y+Vhj689iZMfD8tsKanU7eltDwrIz8nUaBH
+xlzN/NCHgnOhP9/6LP8v2xn5/NUWiPaIiykCO2pDIQKCAQBc/vomF7Lr3JArLeSo
+QubuE8OkUFXHuos/DaSW2FDXbH9xc6T8G1OlXyir4ZUEEqtNSh8VjYeMUvjB6i/R
+NHjwM/ld/ULqxiSZkVRQSer7w697XmCPmPbbyXsWaUd1CfyvPRyf/ub0edYWbS1l
+WEaqfDKvb936pSQjsZgy1fruueTCIAa0dfR/NQld28gwSJfX6eQoNPX6kDyrlhXH
+PVYvjzK4p9U+ZTM3EAvHhC4bZNBQMiWWuZihWJxkzqKFjtsuhmTNoejBFB8Aa36p
+cjMvwFBXxBLJ3rSluCFpFH1kEi0K5sghPcduwEGjFy3gaYnWig/zlwkTt3C7yV4X
+8xnhAoIBAQDjwYY/liAjWxu1YfJYv5bMZP5ESgFbeux5h9Drb2O1l7aW0fvA0Ccz
+ZjRVjASMlw7VS4sDsEhgJEXKQyWTK8umApZr5q8bCh6fvbSizzU6ijO2HLIRrQ3M
+RCzaYv51/6a3YND8Dy7zgZIcZe7BCHu/R+1tMUD6lzVfDddmfj6EIFw6MTYj+lIn
+5mFmi78JnLLiLEeJFBXAlNUFiMBM+1ClgrgEYIj7Uu9KzWePda3P+ElK6F1dbAqc
+x8XoiwFghZJLBWexEBdb14+li6LJsKrHj1Y/zB24saE0StReyEFcMOQoyT5GRP7v
+YUx6IfWP4P+GB5wLp93d5Ul1MjADJ6E+
+-----END PRIVATE KEY-----

dev-api/cc/bob_key.pem

@@ -0,0 +1,29 @@
+# Note, all certificates are valid for 10 years so I don't have to redo this every now and then
+
+# Server self signed certificate for demo purposes
+echo "Generating server certificate..."
+openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 3650 -subj "/CN=localhost/O=Client\ Certificate\ Demo"
+
+# Client certificates
+
+# Pawel has a valid certificate
+echo "Generating certificate for Pawel"
+openssl req -newkey rsa:4096 -keyout pawel_key.pem -out pawel_csr.pem -nodes -days 3650 -subj "/CN=Pawel"
+
+# Bob has self signed certificate
+echo "Generating certificate for Bob"
+openssl req -newkey rsa:4096 -keyout bob_key.pem -out bob_csr.pem -nodes -days 3650 -subj "/CN=Bob"
+
+# Pawel's CSR is signed with server key
+echo "Signing Pawel's certificate with server's key"
+openssl x509 -req -in pawel_csr.pem -CA server_cert.pem -CAkey server_key.pem -out pawel_cert.pem -set_serial 01 -days 3650
+
+# Bob signs his own certificate
+echo "Signing Bob's certificate with Bob's key"
+openssl x509 -req -in bob_csr.pem -signkey bob_key.pem -out bob_cert.pem -days 3650
+
+# Create P12 format certificate that can be importend in a web browser or in ARC, obviously
+echo "Creating Pawel's P12 certificate"
+openssl pkcs12 -export -clcerts -in pawel_cert.pem -inkey pawel_key.pem -out pawel.p12
+echo "Creating Bob's P12 certificate"
+openssl pkcs12 -export -in bob_cert.pem -inkey bob_key.pem -out bob.p12

dev-api/cc/cert-instructions.sh

@@ -0,0 +1,2 @@
+All certs are protected by a password:
+secret