@jsenv/https-local 2.0.0 → 2.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jsenv/https-local",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "A programmatic way to generate locally trusted certificates",
   "license": "MIT",
   "author": {

package/src/certificate_authority.js

@@ -231,13 +231,12 @@ export const installCertificateAuthority = async ({
   const rootCertificatePrivateKeyForgeObject = pki.privateKeyFromPem(
     rootCertificatePrivateKey,
   )
-
   const trustInfo = await platformMethods.executeTrustQuery({
     logger,
     certificateCommonName,
     certificateFileUrl: rootCertificateFileInfo.url,
     certificate: rootCertificate,
-    verb: tryToTrust ? "ADD_TRUST" : "CHECK_TRUST",
+    verb: tryToTrust ? "ENSURE_TRUST" : "CHECK_TRUST",
     NSSDynamicInstall,
   })
 

package/src/internal/linux/linux_trust_store.js

@@ -10,6 +10,7 @@ import { createDetailedMessage, UNICODE } from "@jsenv/log"
 import {
   VERB_CHECK_TRUST,
   VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
   VERB_REMOVE_TRUST,
 } from "../trust_query.js"
 import { exec } from "../exec.js"
@@ -100,7 +101,11 @@ export const executeTrustQueryOnLinux = async ({
   }
 
   logger.info(`${UNICODE.OK} certificate found in linux`)
-  if (verb === VERB_CHECK_TRUST || verb === VERB_ADD_TRUST) {
+  if (
+    verb === VERB_CHECK_TRUST ||
+    verb === VERB_ADD_TRUST ||
+    verb === VERB_ENSURE_TRUST
+  ) {
     return {
       status: "trusted",
       reason: REASON_FOUND_IN_LINUX,

package/src/internal/mac/mac_keychain.js

@@ -8,6 +8,7 @@ import { searchCertificateInCommandOutput } from "../search_certificate_in_comma
 import {
   VERB_CHECK_TRUST,
   VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
   VERB_REMOVE_TRUST,
 } from "../trust_query.js"
 
@@ -52,6 +53,35 @@ export const executeTrustQueryOnMacKeychain = async ({
     certificate,
   )
 
+  const removeCert = async () => {
+    // https://ss64.com/osx/security-delete-cert.html
+    const removeTrustedCertCommand = `sudo security delete-certificate -c "${certificateCommonName}"`
+    logger.info(`Removing certificate from mac keychain...`)
+    logger.info(`${UNICODE.COMMAND} ${removeTrustedCertCommand}`)
+    try {
+      await exec(removeTrustedCertCommand)
+      logger.info(`${UNICODE.OK} certificate removed from mac keychain`)
+      return {
+        status: "not_trusted",
+        reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_COMPLETED,
+      }
+    } catch (e) {
+      logger.error(
+        createDetailedMessage(
+          `${UNICODE.FAILURE} failed to remove certificate from mac keychain`,
+          {
+            "error stack": e.stack,
+            "certificate file url": certificateFileUrl,
+          },
+        ),
+      )
+      return {
+        status: "not_trusted",
+        reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_FAILED,
+      }
+    }
+  }
+
   if (!certificateFoundInCommandOutput) {
     logger.info(`${UNICODE.INFO} certificate not found in mac keychain`)
     if (verb === VERB_CHECK_TRUST || verb === VERB_REMOVE_TRUST) {
@@ -60,7 +90,13 @@ export const executeTrustQueryOnMacKeychain = async ({
         reason: REASON_NOT_IN_KEYCHAIN,
       }
     }
-
+    if (verb === VERB_ENSURE_TRUST) {
+      // It seems possible for certificate PEM representation to be different
+      // in mackeychain and in the one we have written on the filesystem
+      // When it happens the certificate is not found but actually exists on mackeychain
+      // and must be deleted first
+      await removeCert()
+    }
     const certificateFilePath = fileURLToPath(certificateFileUrl)
     // https://ss64.com/osx/security-cert.html
     const addTrustedCertCommand = `sudo security add-trusted-cert -d -r trustRoot -k ${systemKeychainPath} "${certificateFilePath}"`
@@ -95,37 +131,16 @@ export const executeTrustQueryOnMacKeychain = async ({
   // but they shouldn't and I couldn't find an API to know if the cert is trusted or not
   // just if it's in the keychain
   logger.info(`${UNICODE.OK} certificate found in mac keychain`)
-  if (verb === VERB_CHECK_TRUST || verb === VERB_ADD_TRUST) {
+  if (
+    verb === VERB_CHECK_TRUST ||
+    verb === VERB_ADD_TRUST ||
+    verb === VERB_ENSURE_TRUST
+  ) {
     return {
       status: "trusted",
       reason: REASON_IN_KEYCHAIN,
     }
   }
 
-  // https://ss64.com/osx/security-delete-cert.html
-  const removeTrustedCertCommand = `sudo security delete-certificate -c "${certificateCommonName}"`
-  logger.info(`Removing certificate from mac keychain...`)
-  logger.info(`${UNICODE.COMMAND} ${removeTrustedCertCommand}`)
-  try {
-    await exec(removeTrustedCertCommand)
-    logger.info(`${UNICODE.OK} certificate removed from mac keychain`)
-    return {
-      status: "not_trusted",
-      reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_COMPLETED,
-    }
-  } catch (e) {
-    logger.error(
-      createDetailedMessage(
-        `${UNICODE.FAILURE} failed to remove certificate from mac keychain`,
-        {
-          "error stack": e.stack,
-          "certificate file url": certificateFileUrl,
-        },
-      ),
-    )
-    return {
-      status: "not_trusted",
-      reason: REASON_REMOVE_FROM_KEYCHAIN_COMMAND_FAILED,
-    }
-  }
+  return removeCert()
 }

package/src/internal/nssdb_browser.js

@@ -11,7 +11,11 @@ import { assertAndNormalizeDirectoryUrl, collectFiles } from "@jsenv/filesystem"
 
 import { exec } from "./exec.js"
 import { searchCertificateInCommandOutput } from "./search_certificate_in_command_output.js"
-import { VERB_CHECK_TRUST, VERB_ADD_TRUST } from "./trust_query.js"
+import {
+  VERB_CHECK_TRUST,
+  VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
+} from "./trust_query.js"
 
 export const executeTrustQueryOnBrowserNSSDB = async ({
   logger,
@@ -52,7 +56,7 @@ export const executeTrustQueryOnBrowserNSSDB = async ({
   const nssIsInstalled = await detectIfNSSIsInstalled({ logger })
   const cannotCheckMessage = `${UNICODE.FAILURE} cannot check if certificate is in ${browserName}`
   if (!nssIsInstalled) {
-    if (verb === VERB_ADD_TRUST) {
+    if (verb === VERB_ADD_TRUST || verb === VERB_ENSURE_TRUST) {
       const nssDynamicInstallInfo = await getNSSDynamicInstallInfo({ logger })
       if (!nssDynamicInstallInfo.isInstallable) {
         const reason = `"${nssCommandName}" is not installed and not cannot be installed`
@@ -209,7 +213,7 @@ export const executeTrustQueryOnBrowserNSSDB = async ({
     }
   }
 
-  if (verb === VERB_ADD_TRUST) {
+  if (verb === VERB_ADD_TRUST || verb === VERB_ENSURE_TRUST) {
     if (missingCount === 0 && outdatedCount === 0) {
       logger.info(`${UNICODE.OK} certificate found in ${browserName}`)
       return {

package/src/internal/trust_query.js

@@ -1,5 +1,4 @@
 export const VERB_CHECK_TRUST = "CHECK_TRUST"
-
 export const VERB_ADD_TRUST = "ADD_TRUST"
-
+export const VERB_ENSURE_TRUST = "ENSURE_TRUST"
 export const VERB_REMOVE_TRUST = "REMOVE_TRUST"

package/src/internal/windows/windows_certutil.js

@@ -10,6 +10,7 @@ import { exec } from "../exec.js"
 import {
   VERB_CHECK_TRUST,
   VERB_ADD_TRUST,
+  VERB_ENSURE_TRUST,
   VERB_REMOVE_TRUST,
 } from "../trust_query.js"
 
@@ -93,7 +94,11 @@ export const executeTrustQueryOnWindows = async ({
   }
 
   logger.info(`${UNICODE.OK} certificate found in windows`)
-  if (verb === VERB_CHECK_TRUST || verb === VERB_ADD_TRUST) {
+  if (
+    verb === VERB_CHECK_TRUST ||
+    verb === VERB_ADD_TRUST ||
+    verb === VERB_ENSURE_TRUST
+  ) {
     return {
       status: "trusted",
       reason: REASON_FOUND_IN_WINDOWS,