milliways-infosec/AikidoSec-safe-chain
7
0
Fork 0
mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add lazy loading for certs

Browse source
This commit is contained in:
Reinier Criel 2025-11-27 13:19:17 -08:00
parent 0ee5106b7a
commit bbbbe4d32a
2 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

24
packages/safe-chain/src/registryProxy/certUtils.js
View file

@ -4,7 +4,19 @@ import fs from "fs";
import os from "os"; import os from "os";
const certFolder = path.join(os.homedir(), ".safe-chain", "certs"); const certFolder = path.join(os.homedir(), ".safe-chain", "certs");
const ca = loadCa(); /** @type {null | {certificate: any, privateKey: any}} */
let ca = null;
/**
* Get the CA certificate, loading it lazily on first access.
* @returns {{certificate: any, privateKey: any}}
*/
function getCa() {
if (!ca) {
ca = loadCa();
}
return ca;
}
const certCache = new Map(); const certCache = new Map();
@ -20,6 +32,8 @@ function createKeyIdentifier(publicKey) {
} }
export function getCaCertPath() { export function getCaCertPath() {
// Ensure CA is loaded when cert path is requested
getCa();
return path.join(certFolder, "ca-cert.pem"); return path.join(certFolder, "ca-cert.pem");
} }
@ -43,8 +57,10 @@ export function generateCertForHost(hostname) {
const attrs = [{ name: "commonName", value: hostname }]; const attrs = [{ name: "commonName", value: hostname }];
cert.setSubject(attrs); cert.setSubject(attrs);
cert.setIssuer(ca.certificate.subject.attributes);
const authorityKeyIdentifier = createKeyIdentifier(ca.certificate.publicKey); const certAuthority = getCa();
cert.setIssuer(certAuthority.certificate.subject.attributes);
const authorityKeyIdentifier = createKeyIdentifier(certAuthority.certificate.publicKey);
cert.setExtensions([ cert.setExtensions([
{ {
name: "subjectAltName", name: "subjectAltName",
@ -99,7 +115,7 @@ export function generateCertForHost(hostname) {
keyIdentifier: authorityKeyIdentifier, keyIdentifier: authorityKeyIdentifier,
}, },
]); ]);
cert.sign(ca.privateKey, forge.md.sha256.create()); cert.sign(certAuthority.privateKey, forge.md.sha256.create());
const result = { const result = {
privateKey: forge.pki.privateKeyToPem(keys.privateKey), privateKey: forge.pki.privateKeyToPem(keys.privateKey),

14
packages/safe-chain/src/registryProxy/registryProxy.mitm.spec.js
View file

@ -1,4 +1,4 @@
import { before, after, describe, it } from "node:test"; import { before, after, describe, it, beforeEach } from "node:test";
import assert from "node:assert"; import assert from "node:assert";
import net from "net"; import net from "net";
import tls from "tls"; import tls from "tls";
@ -9,11 +9,23 @@ import {
import { getCaCertPath } from "./certUtils.js"; import { getCaCertPath } from "./certUtils.js";
import { setEcoSystem, ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js"; import { setEcoSystem, ECOSYSTEM_JS, ECOSYSTEM_PY } from "../config/settings.js";
import fs from "fs"; import fs from "fs";
import path from "path";
import os from "os";
describe("registryProxy.mitm", () => { describe("registryProxy.mitm", () => {
let proxy, proxyHost, proxyPort; let proxy, proxyHost, proxyPort;
before(async () => { before(async () => {
// Clean up any existing CA certificates to ensure fresh generation with new extensions
const certFolder = path.join(os.homedir(), ".safe-chain", "certs");
try {
if (fs.existsSync(certFolder)) {
fs.rmSync(certFolder, { recursive: true, force: true });
}
} catch (error) {
// Ignore errors during cleanup
}
proxy = createSafeChainProxy(); proxy = createSafeChainProxy();
await proxy.startServer(); await proxy.startServer();
const envVars = mergeSafeChainProxyEnvironmentVariables([]); const envVars = mergeSafeChainProxyEnvironmentVariables([]);