Make ca verity subject and altnames so any user can generate them safely

develop
Thomas Lynch 1 year ago
parent 2cea4955a4
commit da886e3d72
  1. 18
      ca.js
  2. 5
      controllers/certs.js
  3. 5
      server.js

18
ca.js

@ -81,8 +81,24 @@ function generateCertificate(privateKey, publicKey) {
return pki.certificateToPem(cert);
}
function verifyCSR(csrPem) {
function verifyCSR(csrPem, allowedDomains) {
const csr = pki.certificationRequestFromPem(csrPem);
const subject = csr.subject.getField('CN').value;
if (!allowedDomains.includes(subject)) {
throw new Error('No permission for subject');
}
const exts = csr.getAttribute({name: 'extensionRequest'});
if (exts && exts.extensions) {
const altNamesExt = exts.extensions.find(ext => ext.name === 'subjectAltName');
if (altNamesExt) {
const badAltNames = altNamesExt.altNames.some(altName => {
return !allowedDomains.includes(altName.value);
});
if (badAltNames) {
throw new Error('No permission for altnames');
}
}
}
const caCert = RootCACertificate;
const caKey = RootCAPrivateKey;
if (!csr.verify()) {
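Review bot: The subjectAltName predicate inside `some` compares only `altName.value` against the allowlist and never looks at `altName.type`, so a non-DNS entry (URI, email, otherName) whose string value happens to equal an allowed domain passes, while a CSR with no CN makes `csr.subject.getField('CN')` return null and the following `.value` throw a TypeError that surfaces as a generic server error rather than a denial. Restricting the predicate to DNS names, `return altName.type !== 2 || !allowedDomains.includes(altName.value);`, denies every other type by default, and guarding the CN read, `const cnField = csr.subject.getField('CN'); if (!cnField || !allowedDomains.includes(cnField.value)) {`, routes the missing-CN case through the same 'No permission for subject' error. The permission checks also run before `csr.verify()`, so a CSR with an invalid signature is still fully parsed and reported on; moving the verify ahead of them costs nothing. If the requested extensions are later copied onto the issued certificate (outside the hunk), that copy should be limited to subjectAltName so a CSR cannot request basicConstraints or keyUsage values of its own choosing. verifyCSR continues past the hunk.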

@ -235,14 +235,11 @@ exports.deleteCert = async (req, res) => {
* Delete the map entries of the body 'domain'
*/
exports.verifyUserCSR = (req, res, next) => {
if (res.locals.user.username !== "admin") {
return dynamicResponse(req, res, 403, { error: 'CA signed origin certs are only supported on enterprise plans' });
}
if(!req.body || !req.body.csr || typeof req.body.csr !== 'string' || req.body.csr.length === 0) {
return dynamicResponse(req, res, 400, { error: 'Invalid csr' });
}
try {
const signedCert = verifyCSR(req.body.csr);
const signedCert = verifyCSR(req.body.csr, res.locals.user.domains);
return dynamicResponse(req, res, 200, `<pre>${signedCert}</pre>`);
} catch (e) {
return next(e);
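Review bot: Both permission errors thrown by verifyCSR and the parse error forge raises for a malformed `req.body.csr` reach `next(e)` on the last line, where the server.js handler in this commit answers with a generic 'An error occurred' code instead of a 403 or 400, so a user submitting a CSR for a domain they do not own receives a server error and the operator gets a log entry for an expected condition. Distinguishing the denial before falling through, `if (e.message.startsWith('No permission')) {` / `return dynamicResponse(req, res, 403, { error: e.message });` / `}`, keeps the generic path for genuine failures; a dedicated error class exported from ca.js would be more robust than matching message text. The admin-only gate above means the new `res.locals.user.domains` allowlist is exercised only for the admin user today, which deserves a comment such as `// verifyCSR enforces the user's domain allowlist on CN and SAN regardless of this role gate`. The catch block closes outside the hunk.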

@ -43,8 +43,9 @@ app.prepare()
});
server.use((err, req, res, next) => {
console.error(err)
return res.end();
const now = Date.now();
console.error('An error occurred', now, err);
return res.send('An error occurred. Please contact support with code: '+now);
});
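Review bot: The replacement handler on the `res.send` line never sets a status, so the failure response goes out as 200 with an error body, which clients and monitoring read as success; `return res.status(500).send('An error occurred. Please contact support with code: '+now);` fixes that. Express-style error middleware is also expected to delegate when headers were already written, so `if (res.headersSent) { return next(err); }` before the log line avoids a second write on a partially sent response. `Date.now()` as a support code can repeat for concurrent requests within the same millisecond; if uniqueness matters, a random id from `crypto.randomUUID()` (Node 14.17+) logged alongside the timestamp is safer. Returning the generic message instead of the error itself is the right direction, since nothing about `err` now reaches the client.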
server.listen(3000, (err) => {
