@entity-access/server-pages 1.0.30 → 1.0.31

package/src/ssl/ACME.ts

@@ -0,0 +1,247 @@
+import * as forge from "node-forge";
+import * as crypto from "crypto";
+import * as acme from "acme-client";
+import DateTime from "@entity-access/entity-access/dist/types/DateTime.js";
+import cluster from "cluster";
+import { existsSync, writeFileSync, readFileSync, unlinkSync, mkdirSync } from "fs";
+import { join } from "path"
+import ensureDir, { deleteIfExists } from "../core/FileApi.js";
+import Inject, { RegisterSingleton } from "@entity-access/entity-access/dist/di/di.js";
+import ChallengeStore from "./ChallengeStore.js";
+import * as tls from "node:tls";
+
+export interface IAcmeOptions {
+    sslMode?: string,
+    accountPrivateKeyPath?: string,
+    emailAddress?: string,
+    mode?:  "production" | "self-signed" | "staging",
+    endPoint?: string,
+    eabKid?: string,
+    eabHmac?: string   
+}
+
+export interface ICertOptions extends IAcmeOptions {
+    host: string,
+};
+
+@RegisterSingleton
+export default class ACME {
+
+    @Inject
+    private challengeStore: ChallengeStore;
+
+    private map = new Map<string, tls.SecureContext>();
+
+    public async getSecureContext(options: ICertOptions) {
+        const { host } = options;
+        let sc = this.map.get(host);
+        if (sc) {
+            return sc;
+        }
+        
+        const { key , cert } = await this.setup(options)
+        sc = tls.createSecureContext({ cert, key });
+        this.map.set(host, sc);
+        return sc;
+    }
+
+    public async setup({
+        host,
+        sslMode = "./",
+        accountPrivateKeyPath = "./",
+        emailAddress = "",
+        mode = "production" as "production" | "self-signed" | "staging",
+        endPoint = "",
+        eabKid = "",
+        eabHmac = ""
+    }) {
+
+        if (mode === "self-signed") {
+            return this.setupSelfSigned(sslMode);
+        }
+
+        const hostRoot = join(sslMode, host);
+
+        ensureDir(hostRoot);
+
+        const keyPath = join(hostRoot, "cert.key");
+        const certPath = join(hostRoot, "cert.crt");
+
+        const logs = [];
+
+        try {
+
+            const maintainerEmail = emailAddress;
+
+            let externalAccountBinding;
+
+            if (eabKid) {
+                externalAccountBinding = {
+                    kid: eabKid,
+                    hmacKey: eabHmac
+                };
+            }
+
+            let cert:string;
+            let key:string;
+
+            if (!existsSync(keyPath)) {
+                deleteIfExists(certPath);
+                key = (await acme.crypto.createPrivateRsaKey()).toString();
+                writeFileSync(keyPath, key);
+                console.log(`Creating key at ${keyPath}`);
+            } else {
+                key = readFileSync(keyPath, "utf8");
+            }
+
+            // load cert...
+            if (existsSync(certPath)) {
+                cert = readFileSync(certPath, "utf8");
+                const certificate = new crypto.X509Certificate(cert);
+                const validTo = DateTime.parse(certificate.validTo).diff(DateTime.now);
+                if (validTo.totalDays > 30) {
+                    console.log(`Reusing certificate, valid for ${validTo.totalDays}`);
+                    return { cert , key };
+                }
+                console.log(`Deleting old certificates`);
+                unlinkSync(certPath);
+            }
+
+            if (!cluster.isPrimary) {
+                console.log(`Generating Self Signed SSL Certificate for ${host} in cluster worker. Contact administrator.`);
+                return this.setupSelfSigned();
+            }
+
+            let accountKey;
+            if( existsSync(accountPrivateKeyPath) ) {
+                console.log("Reusing the account private key.");
+                accountKey = readFileSync(accountPrivateKeyPath);
+            } else {
+                console.log("Creating new private key.");
+                accountKey = await acme.crypto.createPrivateKey();
+                writeFileSync(accountPrivateKeyPath, accountKey);
+            }
+
+            acme.setLogger((message) => {
+                // console.log(message);
+                logs.push(message);
+            });
+
+            let altNames;
+
+            // auto renew...
+            const client = new acme.Client({
+                directoryUrl: endPoint || acme.directory.letsencrypt[mode],
+                accountKey,
+                externalAccountBinding,
+            });
+
+            /* Create CSR */
+            const [csrKey, csr] = await acme.crypto.createCsr({
+                commonName: host,
+                altNames
+            }, key);
+
+
+
+            /* Certificate */
+            cert = await client.auto({
+                csr,
+                email: maintainerEmail,
+                termsOfServiceAgreed: true,
+                skipChallengeVerification: true,
+                challengePriority: ["http-01"],
+                challengeCreateFn: (authz, challenge, keyAuthorization) => {
+                    if (challenge.type !== "http-01") {
+                        return;
+                    }
+                    return this.challengeStore.save(challenge.token, keyAuthorization);
+                },
+                challengeRemoveFn: (authz, challenge, keyAuthorization) => {
+                    return this.challengeStore.remove(challenge.token);
+                },
+            });
+
+            writeFileSync(certPath, cert);
+
+            return { cert, key };
+        } catch (error) {
+            console.log(logs.join("\n"));
+            console.error(error);
+            throw error;
+        }
+    }
+
+    public setupSelfSigned(sslMode = "./") {
+
+        const selfSigned = `${sslMode}/self-signed/`;
+
+        ensureDir(selfSigned);
+
+        const certPath  = `${selfSigned}/cert.crt`;
+        const keyPath  = `${selfSigned}/key.pem`;
+
+        let key;
+        let cert;
+
+        if (existsSync(certPath) && existsSync(keyPath)) {
+            key = readFileSync(keyPath);
+            cert = readFileSync(certPath);
+            return { key, cert };
+        }
+
+        const pki = forge.default.pki;
+
+        // generate a key pair or use one you have already
+        const keys = pki.rsa.generateKeyPair(2048);
+
+        // create a new certificate
+        const crt = pki.createCertificate();
+
+        // fill the required fields
+        crt.publicKey = keys.publicKey;
+        crt.serialNumber = '01';
+        crt.validity.notBefore = new Date();
+        crt.validity.notAfter = new Date();
+        crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 40);
+
+        // use your own attributes here, or supply a csr (check the docs)
+        const attrs = [
+            {
+                name: 'commonName',
+                value: 'dev.socialmail.in'
+            }, {
+                name: 'countryName',
+                value: 'IN'
+            }, {
+                shortName: 'ST',
+                value: 'Maharashtra'
+            }, {
+                name: 'localityName',
+                value: 'Navi Mumbai'
+            }, {
+                name: 'organizationName',
+                value: 'NeuroSpeech Technologies Pvt Ltd'
+            }, {
+                shortName: 'OU',
+                value: 'Test'
+            }
+        ];
+
+        // here we set subject and issuer as the same one
+        crt.setSubject(attrs);
+        crt.setIssuer(attrs);
+
+        // the actual certificate signing
+        crt.sign(keys.privateKey);
+
+        // now convert the Forge certificate to PEM format
+        cert = pki.certificateToPem(crt);
+        key = pki.privateKeyToPem(keys.privateKey);
+
+        writeFileSync(certPath, cert);
+        writeFileSync(keyPath, key);
+
+        return { key, cert };
+    }
+}

package/src/ssl/ChallengeStore.ts

@@ -0,0 +1,26 @@
+import { RegisterSingleton } from "@entity-access/entity-access/dist/di/di.js";
+import ensureDir from "../core/FileApi.js";
+import { readFileSync, unlinkSync, writeFileSync } from "fs";
+import { join } from "node:path";
+
+const path = "./challenges";
+
+@RegisterSingleton
+export default class ChallengeStore {
+
+    constructor() {
+        ensureDir(path);
+    }
+
+    async get(name: string) {
+        return readFileSync(join(path, name));
+    }
+
+    async save(name: string, value: string) {
+        writeFileSync(join(path, name), value, "utf8");
+    }
+
+    async remove(name: string) {
+        unlinkSync(join(path, name));
+    }
+}

package/dist/ssl/SelfSigned.d.ts

@@ -1,7 +0,0 @@
-export declare class SelfSigned {
-    static setupSelfSigned(sslMode?: string): {
-        key: any;
-        cert: any;
-    };
-}
-//# sourceMappingURL=SelfSigned.d.ts.map

package/dist/ssl/SelfSigned.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"SelfSigned.d.ts","sourceRoot":"","sources":["../../src/ssl/SelfSigned.ts"],"names":[],"mappings":"AAIA,qBAAa,UAAU;WACL,eAAe,CAAC,OAAO,SAAO;;;;CAwE/C"}

package/dist/ssl/SelfSigned.js

@@ -1,62 +0,0 @@
-import * as forge from "node-forge";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-export class SelfSigned {
-    static setupSelfSigned(sslMode = "./") {
-        const selfSigned = `${sslMode}/self-signed/`;
-        mkdirSync(selfSigned, { recursive: true });
-        const certPath = `${selfSigned}/cert.crt`;
-        const keyPath = `${selfSigned}/key.pem`;
-        let key;
-        let cert;
-        if (existsSync(certPath) && existsSync(keyPath)) {
-            key = readFileSync(keyPath);
-            cert = readFileSync(certPath);
-            return { key, cert };
-        }
-        const pki = forge.default.pki;
-        // generate a key pair or use one you have already
-        const keys = pki.rsa.generateKeyPair(2048);
-        // create a new certificate
-        const crt = pki.createCertificate();
-        // fill the required fields
-        crt.publicKey = keys.publicKey;
-        crt.serialNumber = '01';
-        crt.validity.notBefore = new Date();
-        crt.validity.notAfter = new Date();
-        crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 40);
-        // use your own attributes here, or supply a csr (check the docs)
-        const attrs = [
-            {
-                name: 'commonName',
-                value: 'dev.socialmail.in'
-            }, {
-                name: 'countryName',
-                value: 'IN'
-            }, {
-                shortName: 'ST',
-                value: 'Maharashtra'
-            }, {
-                name: 'localityName',
-                value: 'Navi Mumbai'
-            }, {
-                name: 'organizationName',
-                value: 'NeuroSpeech Technologies Pvt Ltd'
-            }, {
-                shortName: 'OU',
-                value: 'Test'
-            }
-        ];
-        // here we set subject and issuer as the same one
-        crt.setSubject(attrs);
-        crt.setIssuer(attrs);
-        // the actual certificate signing
-        crt.sign(keys.privateKey);
-        // now convert the Forge certificate to PEM format
-        cert = pki.certificateToPem(crt);
-        key = pki.privateKeyToPem(keys.privateKey);
-        writeFileSync(certPath, cert);
-        writeFileSync(keyPath, key);
-        return { key, cert };
-    }
-}
-//# sourceMappingURL=SelfSigned.js.map

package/dist/ssl/SelfSigned.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"SelfSigned.js","sourceRoot":"","sources":["../../src/ssl/SelfSigned.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,YAAY,CAAC;AAEpC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AAExE,MAAM,OAAO,UAAU;IACZ,MAAM,CAAC,eAAe,CAAC,OAAO,GAAG,IAAI;QAExC,MAAM,UAAU,GAAG,GAAG,OAAO,eAAe,CAAC;QAE7C,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE3C,MAAM,QAAQ,GAAI,GAAG,UAAU,WAAW,CAAC;QAC3C,MAAM,OAAO,GAAI,GAAG,UAAU,UAAU,CAAC;QAEzC,IAAI,GAAG,CAAC;QACR,IAAI,IAAI,CAAC;QAET,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9C,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;YAC5B,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC9B,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAE9B,kDAAkD;QAClD,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAE3C,2BAA2B;QAC3B,MAAM,GAAG,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAEpC,2BAA2B;QAC3B,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,GAAG,CAAC,YAAY,GAAG,IAAI,CAAC;QACxB,GAAG,CAAC,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QACpC,GAAG,CAAC,QAAQ,CAAC,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC;QACnC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;QAE7E,iEAAiE;QACjE,MAAM,KAAK,GAAG;YACV;gBACI,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,mBAAmB;aAC7B,EAAE;gBACC,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,IAAI;aACd,EAAE;gBACC,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,aAAa;aACvB,EAAE;gBACC,IAAI,EAAE,cAAc;gBACpB,KAAK,EAAE,aAAa;aACvB,EAAE;gBACC,IAAI,EAAE,kBAAkB;gBACxB,KAAK,EAAE,kCAAkC;aAC5C,EAAE;gBACC,SAAS,EAAE,IAAI;gBACf,KAAK,EAAE,MAAM;aAChB;SACJ,CAAC;QAEF,iDAAiD;QACjD,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACtB,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAErB,iCAAiC;QACjC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE1B,kDAAkD;QAClD,IAAI,GAAG,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACjC,GAAG,GAAG,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE3C,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9B,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE5B,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;CACJ"}

package/src/ssl/SelfSigned.ts

@@ -1,78 +0,0 @@
-import * as forge from "node-forge";
-import * as crypto from "crypto";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-
-export class SelfSigned {
-    public static setupSelfSigned(sslMode = "./") {
-
-        const selfSigned = `${sslMode}/self-signed/`;
-
-        mkdirSync(selfSigned, { recursive: true });
-
-        const certPath  = `${selfSigned}/cert.crt`;
-        const keyPath  = `${selfSigned}/key.pem`;
-
-        let key;
-        let cert;
-
-        if (existsSync(certPath) && existsSync(keyPath)) {
-            key = readFileSync(keyPath);
-            cert = readFileSync(certPath);
-            return { key, cert };
-        }
-
-        const pki = forge.default.pki;
-
-        // generate a key pair or use one you have already
-        const keys = pki.rsa.generateKeyPair(2048);
-
-        // create a new certificate
-        const crt = pki.createCertificate();
-
-        // fill the required fields
-        crt.publicKey = keys.publicKey;
-        crt.serialNumber = '01';
-        crt.validity.notBefore = new Date();
-        crt.validity.notAfter = new Date();
-        crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 40);
-
-        // use your own attributes here, or supply a csr (check the docs)
-        const attrs = [
-            {
-                name: 'commonName',
-                value: 'dev.socialmail.in'
-            }, {
-                name: 'countryName',
-                value: 'IN'
-            }, {
-                shortName: 'ST',
-                value: 'Maharashtra'
-            }, {
-                name: 'localityName',
-                value: 'Navi Mumbai'
-            }, {
-                name: 'organizationName',
-                value: 'NeuroSpeech Technologies Pvt Ltd'
-            }, {
-                shortName: 'OU',
-                value: 'Test'
-            }
-        ];
-
-        // here we set subject and issuer as the same one
-        crt.setSubject(attrs);
-        crt.setIssuer(attrs);
-
-        // the actual certificate signing
-        crt.sign(keys.privateKey);
-
-        // now convert the Forge certificate to PEM format
-        cert = pki.certificateToPem(crt);
-        key = pki.privateKeyToPem(keys.privateKey);
-
-        writeFileSync(certPath, cert);
-        writeFileSync(keyPath, key);
-
-        return { key, cert };
-    }
-}