Add lazy loading for certs

2026-05-26 20:20:49 +00:00 · 2025-11-27 13:19:17 -08:00 · 2025-11-27 13:19:17 -08:00 · bbbbe4d32a
commit bbbbe4d32a
parent 0ee5106b7a
2 changed files with 33 additions and 5 deletions
--- a/packages/safe-chain/src/registryProxy/certUtils.js
+++ b/packages/safe-chain/src/registryProxy/certUtils.js
@ -4,7 +4,19 @@ import fs from "fs";
 import os from "os";

 const certFolder = path.join(os.homedir(), ".safe-chain", "certs");
-const ca = loadCa();
+/** @type {null | {certificate: any, privateKey: any}} */
+let ca = null;
+
+/**
+ * Get the CA certificate, loading it lazily on first access.
+ * @returns {{certificate: any, privateKey: any}}
+ */
+function getCa() {
+  if (!ca) {
+    ca = loadCa();
+  }
+  return ca;
+}

 const certCache = new Map();

@ -20,6 +32,8 @@ function createKeyIdentifier(publicKey) {
 }

 export function getCaCertPath() {
+  // Ensure CA is loaded when cert path is requested
+  getCa();
  return path.join(certFolder, "ca-cert.pem");
 }

@ -43,8 +57,10 @@ export function generateCertForHost(hostname) {

  const attrs = [{ name: "commonName", value: hostname }];
  cert.setSubject(attrs);
-  cert.setIssuer(ca.certificate.subject.attributes);
-  const authorityKeyIdentifier = createKeyIdentifier(ca.certificate.publicKey);
+  
+  const certAuthority = getCa();
+  cert.setIssuer(certAuthority.certificate.subject.attributes);
+  const authorityKeyIdentifier = createKeyIdentifier(certAuthority.certificate.publicKey);
  cert.setExtensions([
    {
      name: "subjectAltName",
@ -99,7 +115,7 @@ export function generateCertForHost(hostname) {
      keyIdentifier: authorityKeyIdentifier,
    },
  ]);
-  cert.sign(ca.privateKey, forge.md.sha256.create());
+  cert.sign(certAuthority.privateKey, forge.md.sha256.create());

  const result = {
    privateKey: forge.pki.privateKeyToPem(keys.privateKey),
--- a/packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js
+++ b/packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js
@ -1,4 +1,4 @@
-import { before, after, describe, it } from "node:test";
+import { before, after, describe, it, beforeEach } from "node:test";
 import assert from "node:assert";
 import net from "net";
 import tls from "tls";
@ -9,11 +9,23 @@ import {
 import { getCaCertPath } from "./certUtils.js";
 import { setEcoSystem, ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
 import fs from "fs";
+import path from "path";
+import os from "os";

 describe("registryProxy.mitm", () => {
  let proxy, proxyHost, proxyPort;

  before(async () => {
+    // Clean up any existing CA certificates to ensure fresh generation with new extensions
+    const certFolder = path.join(os.homedir(), ".safe-chain", "certs");
+    try {
+      if (fs.existsSync(certFolder)) {
+        fs.rmSync(certFolder, { recursive: true, force: true });
+      }
+    } catch (error) {
+      // Ignore errors during cleanup
+    }
+    
    proxy = createSafeChainProxy();
    await proxy.startServer();
    const envVars = mergeSafeChainProxyEnvironmentVariables([]);