Merge pull request #31 from kaleido-io/ca-cert-debugging3

Bug Fix and Other Enhancements to CA Support for mTLS

Author: gabriel-indik

src/app.ts

@@ -24,7 +24,7 @@ import YAML from 'yamljs';
 import { eventEmitter as blobsEventEmitter } from './handlers/blobs';
 import * as eventsHandler from './handlers/events';
 import { eventEmitter as messagesEventEmitter } from './handlers/messages';
-import { genTLSContext, init as initCert, loadCAs } from './lib/cert';
+import { genTLSContext, init as initCert, loadPeerCAs } from './lib/cert';
 import { config, init as initConfig } from './lib/config';
 import { Logger } from './lib/logger';
 import RequestError, { errorHandler } from './lib/request-error';
@@ -43,7 +43,7 @@ let wss : WebSocket.Server
 let delegatedWebSocket: WebSocket | undefined = undefined;
 
 export const refreshCACerts = async () => {
-  await loadCAs()
+  await loadPeerCAs()
   p2pServer.setSecureContext(genTLSContext())
 };
 setRefreshCACerts(refreshCACerts)

src/custom.d.ts

@@ -23,15 +23,9 @@ declare global {
         [s: string]: string,
         0: string,
       },
-      client: {
-        authorized: boolean
-        getCertificate: () => {
-          issuer: {
-            O: string
-          }
-        },
+      socket: {
         getPeerCertificate: () => {
-          issuer: {
+          subject: {
             O: string
             OU: string
           }

src/lib/cert.ts

@@ -23,20 +23,36 @@ const log = new Logger('lib/certs.ts')
 
 export let key: string;
 export let cert: string;
+export let certBundle: string;
 export let ca: string[] = [];
 export let peerID: string;
 
 export const init = async () => {
   log.debug("Reading key file");
   key = (await fs.readFile(path.join(utils.constants.DATA_DIRECTORY, utils.constants.KEY_FILE))).toString();
+  log.debug("Loaded key");
   log.debug("Reading cert file");
   cert = (await fs.readFile(path.join(utils.constants.DATA_DIRECTORY, utils.constants.CERT_FILE))).toString();
+
+  let caCertPath = path.join(utils.constants.DATA_DIRECTORY, utils.constants.CA_FILE);
+  if (await utils.fileExists(caCertPath)) {
+    log.debug("Reading CA file");
+    certBundle = (await fs.readFile(caCertPath)).toString() + cert;
+    log.debug("Loaded CA + cert");
+  } else {
+    certBundle = cert;
+    log.debug("Loaded cert");
+  }
+  log.debug("\n" + certBundle);
+
+  log.debug("Deriving peer ID from cert");
   const certData = utils.getCertData(cert);
   peerID = utils.getPeerID(certData.organization, certData.organizationUnit);
-  await loadCAs();
+
+  await loadPeerCAs();
 };
 
-export const loadCAs = async () => {
+export const loadPeerCAs = async () => {
   const peerCertsPath = path.join(utils.constants.DATA_DIRECTORY, utils.constants.PEER_CERTS_SUBDIRECTORY);
   log.debug(`Reading peer CAs from ${peerCertsPath}`);
   const peerCerts = await fs.readdir(peerCertsPath);
@@ -49,6 +65,10 @@ export const loadCAs = async () => {
     }
   }
   log.debug(`Loaded ${ca.length} peer certificate(s)`);
+  for (const caCert of ca) {
+    log.debug("Outputting CA cert");
+    log.debug(caCert);
+  }
 };
 
 export const genTLSContext = () => {

src/lib/utils.ts

@@ -22,6 +22,7 @@ import { X509 } from 'jsrsasign';
 import { ICertData, IFile } from './interfaces';
 import { Logger } from './logger';
 import RequestError from './request-error';
+import { TLSSocket } from "tls";
 
 export const constants = {
   LOG_LEVEL: process.env.LOG_LEVEL || 'info',
@@ -149,4 +150,9 @@ export const getCertData = (cert: string): ICertData => {
     certData.organizationUnit = ou[1];
   }
   return certData;
-};
+};
+
+export const extractPeerSenderFromRequest = (req: Request): string => {
+  const cert = ((req.socket) as TLSSocket).getPeerCertificate();
+  return getPeerID(cert.subject.O, cert.subject.OU);
+};

src/routers/api.ts

@@ -22,7 +22,7 @@ import { v4 as uuidV4 } from 'uuid';
 import * as blobsHandler from '../handlers/blobs';
 import * as eventsHandler from '../handlers/events';
 import * as messagesHandler from '../handlers/messages';
-import { ca, cert, key, peerID } from '../lib/cert';
+import { ca, cert, certBundle, key, peerID } from '../lib/cert';
 import { config, persistPeers } from '../lib/config';
 import { IStatus } from '../lib/interfaces';
 import RequestError from '../lib/request-error';
@@ -41,7 +41,7 @@ router.get('/id', async (_req, res, next) => {
     res.send({
       id: peerID,
       endpoint: config.p2p.endpoint ?? `https://${config.p2p.hostname}:${config.p2p.port}`,
-      cert 
+      cert: certBundle
     });
   } catch (err) {
     next(err);

src/routers/p2p.ts

@@ -31,8 +31,7 @@ router.head('/ping', (_req, res) => {
 
 router.post('/messages', async (req: Request, res, next) => {
   try {
-    const cert = req.client.getPeerCertificate();
-    const sender = utils.getPeerID(cert.issuer.O, cert.issuer.OU);
+    const sender = utils.extractPeerSenderFromRequest(req);
     const message = await utils.extractMessageFromMultipartForm(req);
     eventEmitter.emit('event', {
       id: uuidV4(),
@@ -48,8 +47,7 @@ router.post('/messages', async (req: Request, res, next) => {
 
 router.put('/blobs/*', async (req: Request, res, next) => {
   try {
-    const cert = req.client.getPeerCertificate();
-    const sender = utils.getPeerID(cert.issuer.O, cert.issuer.OU);
+    const sender = utils.extractPeerSenderFromRequest(req);
     const file = await utils.extractFileFromMultipartForm(req);
     const blobPath = path.join(utils.constants.RECEIVED_BLOBS_SUBDIRECTORY, sender, req.params[0]);
     const metadata = await blobsHandler.storeBlob(file, blobPath);