Support creating cert chains (#18)

* Support creating cert chains

Sometimes, certs are signed by untrusted intermediate CAs, and a cert
along with any intermediates needs to be sent during the TLS handshake.
This adds a convenience so you can create a cert chain by using an
array. This is distinct from supporting multiple site certificates,
which can also themselves be served up as chains.

* Remove accidental inclusion of key

Author: jpage-godaddy

README.md

@@ -42,9 +42,62 @@ following properties:
 
 `create-servers` provides some conveniences for `https.ca`, `https.key`, and 
 `https.cert` config properties. You may use PEM data directly (inside a `Buffer`
-or string) or a file name. When using a file name, you may also set an 
-`https.root` config property to enable using relative paths to cert/key files.
-`https.ca` and `https.cert` also support specifying an Array of certs/files.
+or string) or a file name. When using a file name, you must also set an 
+`https.root` config property if using relative paths to cert/key files.
+
+`https.ca`, `https.cert`, and `https.key` also support specifying an Array.
+Given an array for `cert`, you must have a matching array for `key` so each cert
+can be matched with its private key.
+
+```js
+const createServers = require('create-servers');
+
+createServers({
+  https: {
+    root: '/cert/path',
+    cert: ['cert1.crt', 'cert2.crt'],
+    key: ['cert1.key', 'cert2.key']
+  }
+}, err => {
+  // ...
+})
+```
+
+If you have a cert that is signed by an intermediate CA, your server will need
+to append the untrusted parts of the CA chain with your cert. To make this more
+convenient, `create-servers` lets you use an array to automatically create a
+chain.
+
+```js
+const createServers = require('create-servers');
+
+createServers({
+  https: {
+    root: '/cert/path',
+    cert: ['cert.crt', 'intermediate.crt'],
+    key: 'cert.key'
+  }
+}, err => {
+  // ...
+})
+```
+
+If you are specifying multiple certs _and_ you want to create chains for each,
+use an array of arrays.
+
+```js
+const createServers = require('create-servers');
+
+createServers({
+  https: {
+    root: '/cert/path',
+    cert: [['cert1.crt', 'intermediate.crt'], 'cert2.crt'],
+    key: ['cert1.key', 'cert2.key']
+  }
+}, err => {
+  // ...
+})
+```
 
 ## NOTE on Security
 Inspired by [`iojs`][iojs] and a well written [article][article], we have defaulted

index.js

@@ -149,9 +149,9 @@ module.exports = function createServers(options, listening) {
       //
       // Load default SSL key, cert and ca(s).
       //
-      key: normalizeCertFile(ssl.root, ssl.key),
-      cert: normalizeCertFile(ssl.root, ssl.cert),
-      ca: ca && ca.map(normalizeCertFile.bind(null, ssl.root)),
+      key: normalizePEMContent(ssl.root, ssl.key),
+      cert: normalizeCertContent(ssl.root, ssl.cert, ssl.key),
+      ca: ca && ca.map(normalizePEMContent.bind(null, ssl.root)),
       //
       // Properly expose ciphers for an A+ SSL rating:
       // https://certsimple.com/blog/a-plus-node-js-ssl
@@ -183,15 +183,51 @@ module.exports = function createServers(options, listening) {
     .forEach(function (fn) { fn(); });
 };
 
+function normalizeCertContent(root, cert, key) {
+  // Node accepts an array of certs, which must match up with an array of keys.
+  // The user may instead intend for an array passed into cert to represent
+  // a cert chain they want to concatenate. Therefore, if key is not an array,
+  // we'll assume the latter.
+  if (Array.isArray(cert)) {
+    if (Array.isArray(key)) {
+      // This is an array of certs/chains with corresponding keys
+      return normalizeCertChainList(root, cert);
+    } else {
+      // This is a single cert chain
+      return normalizeCertChain(root, cert);
+    }
+  }
+
+  return normalizePEMContent(root, cert);
+}
+
+function normalizeCertChainList(root, data) {
+  // If this is an array, treat like an array of bundles, otherwise a single
+  // bundle
+  return Array.isArray(data)
+    ? data.map(function (item) {
+      return normalizeCertChain(root, item);
+    })
+    : normalizePEMContent(root, data);
+}
+
+function normalizeCertChain(root, data) {
+  // A chain can be an array, which we concatenate together into one PEM,
+  // an already-concatenated chain, or a single PEM
+
+  const content = normalizePEMContent(root, data);
+  return Array.isArray(content) ? content.join('\n') : content;
+}
+
 /**
- * function normalizeCertFile(root, file)
+ * function normalizePEMContent(root, file)
  * Returns the contents of `file` verbatim if it is determined to be
  * certificate material and not a file path. Otherwise, returns the
  * certificate material read from that file path.
  */
-function normalizeCertFile(root, file) {
+function normalizePEMContent(root, file) {
   if (Array.isArray(file)) return file.map(function map(item) {
-    return normalizeCertFile(root, item)
+    return normalizePEMContent(root, item)
   });
 
   //

test/create-servers-test.js

@@ -274,6 +274,33 @@ test('supports cert array instead of strings', function (t) {
   });
 });
 
+test('supports creating certificate chains', function (t) {
+  t.plan(2);
+  var root = path.join(__dirname, 'fixtures');
+  var agent3Cert = fs.readFileSync(path.resolve(root, 'agent3-cert.pem'));
+  var intermediate = fs.readFileSync(path.resolve(root, 'intermediate-cert.pem'));
+  var spy = sinon.spy(https, 'createServer');
+  createServers({
+    log: console.log,
+    https: {
+      port: 3456,
+      root: root,
+      cert: ['agent3-cert.pem', 'intermediate-cert.pem'],
+      key:  'agent3-key.pem'
+    },
+    handler: fend
+  }, function (err, servers) {
+    t.error(err);
+
+    const expectedBundle = [agent3Cert, intermediate].join('\n');
+    const cert = spy.lastCall.args[0].cert;
+    t.equals(cert, expectedBundle, 'should create a cert chain');
+
+    servers.https.close();
+    spy.restore();
+  });
+});
+
 test('supports requestCert https option', function (t) {
   t.plan(2);
   var spy = sinon.spy(https, 'createServer');

test/fixtures/agent3-cert.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAggCCQChRDh/XiBF+zANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQGEwJ1
+czETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEeMBwGA1UE
+AwwVRHVtbXkgSW50ZXJtZWRpYXRlIENBMB4XDTE4MDYyMjIwMzEwNFoXDTMyMDIy
+OTIwMzEwNFowUDELMAkGA1UEBhMCdXMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAO
+BgNVBAcMB1NlYXR0bGUxGjAYBgNVBAMMEWR1bW15LmV4YW1wbGUuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvSQq3d8AeZMTvtqZ13jWCckikyXJ
+SACvkGCQUCJqOceESbg6IHdRzQdoccE4P3sbvNsf9BlbdJKM+neCxabqKaU1PPje
+4P0tHT57t6yJrMuUh9NxEz3Bgh1srNHVS7saKvwHmcKm79jc+wxlioPmEQvQagjn
+y7oTkyLt0sn4LGxBjrcv2JoHOC9f1pxX7l47MaiN0/ctRau7Nr3PFn+pkB4Yf6Z0
+VyicVJbaUSz39Qo4HQWl1L2hiBP3CS1oKs2Yk0O1aOCMExWrhZQan+ZgHqL1rhgm
+kPpw2/zwwPt5Vf9CSakvHwg198EXuTTXtkzYduuIJAm8yp969iEIiG2xTwIDAQAB
+MA0GCSqGSIb3DQEBCwUAA4ICAQBnMSIo+kujkeXPh+iErFBmNtu/7EA+i/QnFPbN
+lSLngclYYBJAGQI+DhirJI8ghDi6vmlHB2THewDaOJXEKvC1czE8064wioIcA9HJ
+l3QJ3YYOFRctYdSHBU4TWdJbPgkLWDzYP5smjOfw8nDdr4WO/5jh9qRFcFpTFmQf
+DyU3xgWLsQnNK3qXLdJjWG75pEhHR+7TGo+Ob/RUho/1RX/P89Ux7/oVbzdKqqFu
+SErXAsjEIEFzWOM2uDOt6hrxDF6q+8/zudwQNEo422poEcTT9tDEFxMQ391CzZRi
+nozBm4igRn1f5S3YZzLI6VEUns0s76BNy2CzvFWn40DziTqNBExAMfFFj76wiMsX
+6fTIdcvkaTBa0S9SZB0vN99qahBdcG17rt4RssMHVRH1Wn7NXMwe476L0yXZ6gO7
+Z4uNAPxgaI3BRP75EPfslLutCLZ+BC4Zzu6MY0Salbpfl0Go462EhsKCxvYhE2Dg
+T477pICLfETZfA499Fd1tOaIsoLCrILAia/+Yd76uf94MuXUIqykDng/4H7xCc47
+BZhNFJiPC6XHaXzN7NYSEUNX9VOwY8ncxKwtP6TXga96PdMUy/p98KIM8RZlDoxB
+Xy9dcZBFNn/zrqjW7R0CCWCUriDIFSmEP0wDZ91YYa6BVuJMb5uL/USkTLpjZS4/
+HNGvug==
+-----END CERTIFICATE-----

test/fixtures/agent3-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAvSQq3d8AeZMTvtqZ13jWCckikyXJSACvkGCQUCJqOceESbg6
+IHdRzQdoccE4P3sbvNsf9BlbdJKM+neCxabqKaU1PPje4P0tHT57t6yJrMuUh9Nx
+Ez3Bgh1srNHVS7saKvwHmcKm79jc+wxlioPmEQvQagjny7oTkyLt0sn4LGxBjrcv
+2JoHOC9f1pxX7l47MaiN0/ctRau7Nr3PFn+pkB4Yf6Z0VyicVJbaUSz39Qo4HQWl
+1L2hiBP3CS1oKs2Yk0O1aOCMExWrhZQan+ZgHqL1rhgmkPpw2/zwwPt5Vf9CSakv
+Hwg198EXuTTXtkzYduuIJAm8yp969iEIiG2xTwIDAQABAoIBAGPIw/C/qJF7HYyv
+6T+7GTiaa2o0IiehbP3/Y8NTFLWc49a8obXlHTvMr7Zr2I/tE+ojtIzkH9K1SjkN
+eelqsNj9tsOPDI6oIvftsflpxkxqLtclnt8m0oMhoObf4OaONDT/N8dP4SBiSdsM
+ZDmacnMFx5NZVWiup4sVf2CYexx7qks9FhyN2K5PArCQ4S9LHjFhSJVH4DSEpv7E
+Ykbp30rhpqV7wSwjgUsm8ZYvI2NOlmffzLSiPdt3vy2K5Q25S/MVEAicg83rfDgK
+6EluHjeygRI1xU6DJ0hU7tnU7zE9KURoHPUycO3BKzZnzUH26AA36I58Pu4fXWw/
+Cgmbv2ECgYEA+og9E4ziKCEi3p8gqjIfwTRgWZxDLjEzooB/K0UhEearn/xiX29A
+FiSzEHKfCB4uSrw5OENg2ckDs8uy08Qmxx7xFXL7AtufAl5fIYaWa0sNSqCaIk7p
+ebbUmPcaYhKiLzIEd1EYEL38sXVZ62wvSVMRSWvEMq44g1qnoRlDa/8CgYEAwUTt
+talYNwVmR9ZdkVEWm9ZxirdzoM6NaM6u4Tf34ygptpapdmIFSUhfq4iOiEnRGNg/
+tuNqhNCIb3LNpJbhRPEzqN7E7qiF/mp7AcJgbuxLZBm12QuLuJdG3nrisKPFXcY1
+lA4A7CFmNgH3E4THFfgwzyDXsBOxVLXleTqn+rECgYEA9up1P6J3dtOJuV2d5P/3
+ugRz/X173LfTSxJXw36jZDAy8D/feG19/RT4gnplcKvGNhQiVOhbOOnbw0U8n2fQ
+TCmbs+cZqyxnH/+AxNsPvvk+RVHZ93xMsY/XIldP4l65B8jFDA+Zp06IESI2mEeM
+pzi+bd1Phh+dRSCA2865W2MCgYEAlxYsgmQ1WyX0dFpHYU+zzfXRYzDQyrhOYc2Z
+duVK+yCto1iad7pfCY/zgmRJkI+sT7DV9kJIRjXDQuTLkEyHJF8vFGe6KhxCS8aw
+DIsI2g4NTd6vg1J8UryoIUqNpqsQoqNNxUVBQVdG0ReuMGsPO8R/W50AIFz0txVP
+o/rP0LECgYEA7e/mOwCnR+ovmS/CAksmos3oIqvkRkXNKpKe513FVmp3TpTU38ex
+cBkFNU3hEO31FyrX1hGIKp3N5mHYSQ1lyODHM6teHW0OLWWTwIe8rIGvR2jfRLe0
+bbkdj40atYVkfeFmpz9uHHG24CUYxJdPc360jbXTVp4i3q8zqgL5aMY=
+-----END RSA PRIVATE KEY-----

test/fixtures/intermediate-cert.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEHDCCAwQCCQCCsqUfs9TMATANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJ1
+czETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEWMBQGA1UE
+AwwNRHVtbXkgUm9vdCBDQTAeFw0xODA2MjIyMDI5MzlaFw0zMjAyMjkyMDI5Mzla
+MFQxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMR4wHAYDVQQDDBVEdW1teSBJbnRlcm1lZGlhdGUgQ0EwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQCoqDdxHsQrj+6wtrK2BhLaCOcpdt6qm5jH
+IGrrustz+gYWzA7Xyc1UqINWKjeEl9/m1K5kP+tc+fHftWmVOYFo639nAlpuXgbH
+jpRX3FplTqeLRm+7rF8Z5bT6KDcyb1b7/W4HfKYaMbV29+nmjWB3tfjT6B3HNAZT
+O4SFnsEERQ+VnoMf8FPPMQM5nwwUvk/9zFs5SkwVT7eM3USD6XQeDrRMb+akhd6f
+KaaDkwzEouwnuIS30PqCRdneb6HmzYEJBedlyp/+lTYzITGqpNVPzXN7emNwJPJV
+GRMlVezkJgxmlO+J2DWZxc3rUKwppYDlAEwrPB5T+zJKTOZd9WLdUS/dEgtsqA0K
+TV18aQBzyBpR0G5braZUUNZq2i2/ObMMDIoK9k56qeVGO07xm3dkcqFlzhvOLxC8
+1ugDBFY6p5a34UIWEg/TWjt5yWdIv5hPtwFulo+B5Y7QVQv0PBD3QhhtL/OgqyZ3
+Mgp3wfG1NeAOpJ0xyTxBNx1EZmW5HKFbNrfjOMM+r9RIA+w6/8RtK06hVJKQnAWC
+yy1zOoz/fzi4UX45UeXonTCEYRal43DkYK2o4ED8PvEMVCTVR93a8fZf9NZv7nLn
+jY+kOYhe7Ik2sf9+UFtOylfTm3vj0Af1hQ4J3eCGW4ShtlXTpQku+wZ82jAOKc8w
++iGoFoH9cwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC8XJsX5pvzoT08TdQL+8SR
+3GUYezJjcTyXGpp6chw//L5SoSsEFZjb/gieLe5E/7mSIy2GeQW85ApuNorPWpvl
+L+gAl6OHWEqjoIzIakLYXAe8fyq+j/TdKEg7eRX4DBBILrhHMLyyqGbfWsLJySRk
+OFpPVGJ/xhxPvIt5jtKAEY5E+HSpLSZqDLjinH4CQyhdkZOJ9s5SwzmWTrCSpnWd
+ZRZW/aGlid6HT+1VdwjpL7Gce3kM44P5GVrH7Zix35DAXlUAghY7iZn4kgUW47uj
+SeJ0n//uxkMnb2kLv1RDz9Kgoz0EApgMVr3JKVL/dv2z2NgrfFAtDcS4oMcp8G5p
+-----END CERTIFICATE-----

test/fixtures/rootca-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfwCCQCww2ht6TFNnDANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJ1
+czETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEWMBQGA1UE
+AwwNRHVtbXkgUm9vdCBDQTAeFw0xODA2MjIyMDEzNDdaFw0yMTA0MTEyMDEzNDda
+MEwxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRYwFAYDVQQDDA1EdW1teSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA4Uy7shQKMdYnO1RNBoDUon/AQCdZXI3hBXjEuD3FaquE
+aw2oOvEsgLKPyWHfSsNVHkiqyeFDjHq5qmPdPjOAK3RqRQ0AzNSenzFFc1HEcWft
+bG5YSGVwcK9JVAqgl6TGIBA+L6SMi2nD24kABqkMCWMbUQv0r/88knP/Mpm3arCv
+UgStHAo64Fv1wxXXO9vq2ouKWjpp8OJMC62v50xlwt4cScl7OlJAhXj0K88u6Bce
+YlyJHE+KIMB7Nd8IbCnJ0xXpL0ju05oqvwmp7u3z3iHyj+FB89Zy2CgKW0kqyyT0
+ilDJH2ond9J7O2onqwPS0KYAJrfQVSVcp/teS9rcowIDAQABMA0GCSqGSIb3DQEB
+CwUAA4IBAQArYHB4M3InUcXKuQbhYJ1A8MScjR3kWvaQ9iqIQiNHx4IRNEUFmnYa
+saSjXo8pmW0WYt1gmVGGIk8b52RcAVgKrWIZG2qCh54bxPf2Cc3rQyQffY+YxqhZ
+s7KuJ6TBJnSJC3QnW2lQzc4ZV4clzMd2R9gj6KItG7eRay3Q71L8LG+pYqXi6+D/
+IGopnR9dVT2iVY1I+i60rKqNkR3kh0y0062Xju2TTP/+tBu45Pu/RlHKEiC0tP5E
+Wkso0rfipG45owySkcqINZClm3aGe55IwRcQD8+mE1g2y6mfE52WTZ8P/bnpb9ud
+W4+sed7/uYU1nDVznSZaxHlmjDpWsvqs
+-----END CERTIFICATE-----