milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix certUtils

Browse source
This commit is contained in:
Reinier Criel 2025-11-27 13:34:34 -08:00
parent 2810a87cd0
commit 7ddeb9025b
1 changed files with 22 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

36
packages/safe-chain/src/registryProxy/certUtils.js
View file

@ -138,12 +138,16 @@ function loadCa() {
const keyPath = path.join(certFolder, "ca-key.pem"); const keyPath = path.join(certFolder, "ca-key.pem");
const certPath = path.join(certFolder, "ca-cert.pem"); const certPath = path.join(certFolder, "ca-cert.pem");
let existingPrivateKey = null;
if (fs.existsSync(keyPath) && fs.existsSync(certPath)) { if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
const privateKeyPem = fs.readFileSync(keyPath, "utf8"); const privateKeyPem = fs.readFileSync(keyPath, "utf8");
const certPem = fs.readFileSync(certPath, "utf8"); const certPem = fs.readFileSync(certPath, "utf8");
const privateKey = forge.pki.privateKeyFromPem(privateKeyPem); const privateKey = forge.pki.privateKeyFromPem(privateKeyPem);
const certificate = forge.pki.certificateFromPem(certPem); const certificate = forge.pki.certificateFromPem(certPem);
existingPrivateKey = privateKey;
// Don't return a cert that is valid for less than 1 hour // Don't return a cert that is valid for less than 1 hour
const oneHourFromNow = new Date(Date.now() + 60 * 60 * 1000); const oneHourFromNow = new Date(Date.now() + 60 * 60 * 1000);
/** @type {any} */ /** @type {any} */
@ -167,7 +171,7 @@ function loadCa() {
} }
} }
const { privateKey, certificate } = generateCa(); const { privateKey, certificate } = generateCa(existingPrivateKey || undefined);
// Ensure directory exists before writing files // Ensure directory exists before writing files
try { try {
@ -179,22 +183,26 @@ function loadCa() {
} }
} }
// Write files and ensure they're flushed to disk fs.writeFileSync(keyPath, forge.pki.privateKeyToPem(privateKey));
const keyFd = fs.openSync(keyPath, 'w'); fs.writeFileSync(certPath, forge.pki.certificateToPem(certificate));
fs.writeSync(keyFd, forge.pki.privateKeyToPem(privateKey));
fs.fsyncSync(keyFd);
fs.closeSync(keyFd);
const certFd = fs.openSync(certPath, 'w');
fs.writeSync(certFd, forge.pki.certificateToPem(certificate));
fs.fsyncSync(certFd);
fs.closeSync(certFd);
return { privateKey, certificate }; return { privateKey, certificate };
} }
function generateCa() { /**
const keys = forge.pki.rsa.generateKeyPair(2048); * @param {forge.pki.PrivateKey} [existingPrivateKey]
*/
function generateCa(existingPrivateKey) {
const keys = existingPrivateKey
? {
privateKey: existingPrivateKey,
publicKey: forge.pki.setRsaPublicKey(
/** @type {any} */(existingPrivateKey).n,
/** @type {any} */(existingPrivateKey).e
)
}
: forge.pki.rsa.generateKeyPair(2048);
const cert = forge.pki.createCertificate(); const cert = forge.pki.createCertificate();
cert.publicKey = keys.publicKey; cert.publicKey = keys.publicKey;
cert.serialNumber = "01"; cert.serialNumber = "01";
@ -245,7 +253,7 @@ function generateCa() {
keyIdentifier, keyIdentifier,
}, },
]); ]);
cert.sign(keys.privateKey, forge.md.sha256.create()); cert.sign(/** @type {any} */(keys.privateKey), forge.md.sha256.create());
return { return {
privateKey: keys.privateKey, privateKey: keys.privateKey,