@sysid/sandbox-runtime-improved 0.0.61-sysid.1 → 0.0.64-sysid.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +76 -15
- package/dist/cli.js +12 -18
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +4 -4
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -2
- package/dist/index.js.map +1 -1
- package/dist/sandbox/credential-mask-files.d.ts +100 -15
- package/dist/sandbox/credential-mask-files.d.ts.map +1 -1
- package/dist/sandbox/credential-mask-files.js +172 -20
- package/dist/sandbox/credential-mask-files.js.map +1 -1
- package/dist/sandbox/http-proxy.d.ts +1 -1
- package/dist/sandbox/http-proxy.d.ts.map +1 -1
- package/dist/sandbox/http-proxy.js +20 -0
- package/dist/sandbox/http-proxy.js.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.d.ts +5 -0
- package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.js +29 -19
- package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
- package/dist/sandbox/linux-violation-monitor.d.ts +48 -0
- package/dist/sandbox/linux-violation-monitor.d.ts.map +1 -0
- package/dist/sandbox/linux-violation-monitor.js +156 -0
- package/dist/sandbox/linux-violation-monitor.js.map +1 -0
- package/dist/sandbox/macos-sandbox-utils.js +3 -3
- package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
- package/dist/sandbox/mitm-ca.d.ts +52 -1
- package/dist/sandbox/mitm-ca.d.ts.map +1 -1
- package/dist/sandbox/mitm-ca.js +143 -11
- package/dist/sandbox/mitm-ca.js.map +1 -1
- package/dist/sandbox/mitm-leaf.d.ts +1 -1
- package/dist/sandbox/mitm-leaf.d.ts.map +1 -1
- package/dist/sandbox/mitm-leaf.js +21 -32
- package/dist/sandbox/mitm-leaf.js.map +1 -1
- package/dist/sandbox/sandbox-config.d.ts +231 -40
- package/dist/sandbox/sandbox-config.d.ts.map +1 -1
- package/dist/sandbox/sandbox-config.js +161 -32
- package/dist/sandbox/sandbox-config.js.map +1 -1
- package/dist/sandbox/sandbox-manager.d.ts +1 -1
- package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
- package/dist/sandbox/sandbox-manager.js +331 -252
- package/dist/sandbox/sandbox-manager.js.map +1 -1
- package/dist/sandbox/sandbox-utils.d.ts +13 -0
- package/dist/sandbox/sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/sandbox-utils.js +32 -7
- package/dist/sandbox/sandbox-utils.js.map +1 -1
- package/dist/sandbox/windows-sandbox-utils.d.ts +353 -297
- package/dist/sandbox/windows-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/windows-sandbox-utils.js +516 -396
- package/dist/sandbox/windows-sandbox-utils.js.map +1 -1
- package/dist/utils/shell-quote.d.ts +27 -0
- package/dist/utils/shell-quote.d.ts.map +1 -0
- package/dist/utils/shell-quote.js +47 -0
- package/dist/utils/shell-quote.js.map +1 -0
- package/package.json +1 -3
- package/vendor/seccomp/arm64/apply-seccomp +0 -0
- package/vendor/seccomp/x64/apply-seccomp +0 -0
package/dist/sandbox/mitm-ca.js
CHANGED
|
@@ -14,7 +14,32 @@ import { tmpdir } from 'node:os';
|
|
|
14
14
|
import { join, dirname } from 'node:path';
|
|
15
15
|
import { rootCertificates } from 'node:tls';
|
|
16
16
|
import { logForDebugging } from '../utils/debug.js';
|
|
17
|
-
const { pki, md, random, util } = forge;
|
|
17
|
+
const { asn1, pki, md, random, util } = forge;
|
|
18
|
+
/**
|
|
19
|
+
* Matches one PEM CERTIFICATE block. Used to extract just the certificates
|
|
20
|
+
* out of files listed in tlsTerminate.extraCaCertPaths before they are
|
|
21
|
+
* copied into the (world-readable) trust bundle.
|
|
22
|
+
*/
|
|
23
|
+
const PEM_CERT_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
|
|
24
|
+
/** Origin-form path the HTTP proxy answers with `crlDer`. */
|
|
25
|
+
export const CRL_PATH = '/srt.crl';
|
|
26
|
+
/**
|
|
27
|
+
* Return the CA's Subject Key Identifier as raw bytes for use as an
|
|
28
|
+
* authorityKeyIdentifier.keyIdentifier (leaf certs and the CRL both need it).
|
|
29
|
+
*
|
|
30
|
+
* node-forge stores a cert's subjectKeyIdentifier extension value as a *hex
|
|
31
|
+
* string* (both for in-memory certs and certs parsed from PEM), but expects
|
|
32
|
+
* AKI's keyIdentifier as *raw bytes* — passing the hex through verbatim
|
|
33
|
+
* encodes the ASCII hex chars as the key id and the chain fails to verify.
|
|
34
|
+
* If the CA has no SKI extension (e.g. a v1 user-supplied CA), derive the
|
|
35
|
+
* RFC 5280 method-1 value from its public key.
|
|
36
|
+
*/
|
|
37
|
+
export function caSubjectKeyId(caCert) {
|
|
38
|
+
const ext = caCert.getExtension('subjectKeyIdentifier');
|
|
39
|
+
return ext?.subjectKeyIdentifier
|
|
40
|
+
? util.hexToBytes(ext.subjectKeyIdentifier)
|
|
41
|
+
: caCert.generateSubjectKeyIdentifier().getBytes();
|
|
42
|
+
}
|
|
18
43
|
/**
|
|
19
44
|
* Create a MitmCA. If `caCertPath`/`caKeyPath` are provided, load from disk
|
|
20
45
|
* (throws if either file is missing, unreadable, not PEM, fails to parse, or
|
|
@@ -26,12 +51,12 @@ const { pki, md, random, util } = forge;
|
|
|
26
51
|
*/
|
|
27
52
|
export function createMitmCA(opts) {
|
|
28
53
|
if (opts.caCertPath && opts.caKeyPath) {
|
|
29
|
-
return loadCA(opts.caCertPath, opts.caKeyPath);
|
|
54
|
+
return loadCA(opts.caCertPath, opts.caKeyPath, opts.extraCaCertPaths);
|
|
30
55
|
}
|
|
31
56
|
if (opts.caCertPath || opts.caKeyPath) {
|
|
32
57
|
throw new Error('tlsTerminate: caCertPath and caKeyPath must be provided together');
|
|
33
58
|
}
|
|
34
|
-
return generateEphemeralCA();
|
|
59
|
+
return generateEphemeralCA(opts.extraCaCertPaths);
|
|
35
60
|
}
|
|
36
61
|
/**
|
|
37
62
|
* Remove the SRT-owned temp directories for this CA: the trust-bundle dir
|
|
@@ -60,9 +85,11 @@ export async function disposeMitmCA(ca) {
|
|
|
60
85
|
* clients in the sandbox accept proxy-minted leaves AND can still verify the
|
|
61
86
|
* real certificate of any host SRT tunnels opaquely instead of terminating
|
|
62
87
|
* (tlsTerminate.excludeDomains). Bundling Node's root store is best-effort
|
|
63
|
-
* compatibility — a tool with its own CA file config is unaffected.
|
|
88
|
+
* compatibility — a tool with its own CA file config is unaffected. Extra
|
|
89
|
+
* roots from tlsTerminate.extraCaCertPaths go last, with the same append
|
|
90
|
+
* semantics as NODE_EXTRA_CA_CERTS.
|
|
64
91
|
*/
|
|
65
|
-
function writeTrustBundle(dir, caCertPem) {
|
|
92
|
+
function writeTrustBundle(dir, caCertPem, extraCaCertPaths) {
|
|
66
93
|
const parts = [caCertPem.trim(), ...rootCertificates];
|
|
67
94
|
// Honour extra roots the parent process trusts (e.g. a corporate CA).
|
|
68
95
|
const extra = process.env.NODE_EXTRA_CA_CERTS;
|
|
@@ -74,11 +101,114 @@ function writeTrustBundle(dir, caCertPem) {
|
|
|
74
101
|
// Missing/unreadable NODE_EXTRA_CA_CERTS: ignore, same as Node does.
|
|
75
102
|
}
|
|
76
103
|
}
|
|
104
|
+
// Honour site-local roots from config (tlsTerminate.extraCaCertPaths),
|
|
105
|
+
// e.g. an internal mTLS CA presented by excluded/passthrough hosts. Paths
|
|
106
|
+
// may exist on only some hosts, so a missing file is skipped, not fatal —
|
|
107
|
+
// but log it, or a typo'd path is undiagnosable.
|
|
108
|
+
for (const extraPath of extraCaCertPaths ?? []) {
|
|
109
|
+
let raw;
|
|
110
|
+
try {
|
|
111
|
+
raw = readFileSync(extraPath, 'utf8');
|
|
112
|
+
}
|
|
113
|
+
catch (err) {
|
|
114
|
+
const code = err.code ?? String(err);
|
|
115
|
+
logForDebugging(`[mitm-ca] extraCaCertPaths: cannot read ${extraPath} (${code}); ` +
|
|
116
|
+
`skipping`, { level: 'warn' });
|
|
117
|
+
continue;
|
|
118
|
+
}
|
|
119
|
+
// Append only the CERTIFICATE blocks. The bundle is world-readable
|
|
120
|
+
// (0o644) and handed to the sandboxed child, so anything else the file
|
|
121
|
+
// carries (e.g. the key of a combined cert+key PEM) must not be copied.
|
|
122
|
+
const certs = raw.match(PEM_CERT_BLOCK);
|
|
123
|
+
if (!certs) {
|
|
124
|
+
logForDebugging(`[mitm-ca] extraCaCertPaths: ${extraPath} has no PEM CERTIFICATE ` +
|
|
125
|
+
`block; skipping`, { level: 'warn' });
|
|
126
|
+
continue;
|
|
127
|
+
}
|
|
128
|
+
parts.push(...certs);
|
|
129
|
+
}
|
|
77
130
|
const path = join(dir, 'trust-bundle.crt');
|
|
78
131
|
writeFileSync(path, parts.join('\n') + '\n', { mode: 0o644 });
|
|
79
132
|
return path;
|
|
80
133
|
}
|
|
81
|
-
|
|
134
|
+
/**
|
|
135
|
+
* Build a DER-encoded X.509 v2 CRL, signed by `key`, listing zero revoked
|
|
136
|
+
* certificates. `nextUpdate` is the CA's `notAfter` (or now+1d if the CA is
|
|
137
|
+
* already expired) so a single per-session CRL stays fresh for the CA's
|
|
138
|
+
* lifetime.
|
|
139
|
+
*
|
|
140
|
+
* node-forge has no CRL builder, so this hand-assembles the RFC 5280 §5.1
|
|
141
|
+
* `CertificateList` from asn1 primitives — the same approach the library
|
|
142
|
+
* uses internally for certificates. Carries the two extensions RFC 5280
|
|
143
|
+
* §5.2 says conforming issuers MUST include: `authorityKeyIdentifier`
|
|
144
|
+
* (matching the CA's SKI) and `cRLNumber`.
|
|
145
|
+
*/
|
|
146
|
+
export function generateEmptyCrl(cert, key) {
|
|
147
|
+
const SHA256_RSA = pki.oids.sha256WithRSAEncryption;
|
|
148
|
+
const sigAlg = () => seq([
|
|
149
|
+
asn1.create(C.UNIVERSAL, T.OID, false, asn1.oidToDer(SHA256_RSA).getBytes()),
|
|
150
|
+
asn1.create(C.UNIVERSAL, T.NULL, false, ''),
|
|
151
|
+
]);
|
|
152
|
+
// extnValue is the DER of the extension's own ASN.1, wrapped in an
|
|
153
|
+
// OCTET STRING at the Extension level.
|
|
154
|
+
const ext = (oid, value) => seq([
|
|
155
|
+
asn1.create(C.UNIVERSAL, T.OID, false, asn1.oidToDer(oid).getBytes()),
|
|
156
|
+
asn1.create(C.UNIVERSAL, T.OCTETSTRING, false, asn1.toDer(value).getBytes()),
|
|
157
|
+
]);
|
|
158
|
+
const crlExtensions = asn1.create(C.CONTEXT_SPECIFIC, 0, true, [
|
|
159
|
+
seq([
|
|
160
|
+
// authorityKeyIdentifier ::= SEQUENCE { [0] KeyIdentifier }
|
|
161
|
+
ext(pki.oids.authorityKeyIdentifier, seq([asn1.create(C.CONTEXT_SPECIFIC, 0, false, caSubjectKeyId(cert))])),
|
|
162
|
+
// cRLNumber ::= INTEGER — one CRL per CA per session, so a fixed 1.
|
|
163
|
+
ext('2.5.29.20', asn1.create(C.UNIVERSAL, T.INTEGER, false, '\x01')),
|
|
164
|
+
]),
|
|
165
|
+
]);
|
|
166
|
+
const now = new Date();
|
|
167
|
+
const caEnd = cert.validity.notAfter;
|
|
168
|
+
const nextUpdate = caEnd > now ? caEnd : daysFromNow(1);
|
|
169
|
+
const tbsCertList = seq([
|
|
170
|
+
// version v2 == INTEGER 1 (required when crlExtensions is present)
|
|
171
|
+
asn1.create(C.UNIVERSAL, T.INTEGER, false, '\x01'),
|
|
172
|
+
sigAlg(),
|
|
173
|
+
// Issuer Name: RFC 5280 §5.1.2.3 requires this match the CA subject
|
|
174
|
+
// byte-for-byte. node-forge normalises DN attributes on parse (its
|
|
175
|
+
// certificateFromPem re-encodes via distinguishedNameToAsn1 too, so the
|
|
176
|
+
// "original" DER isn't recoverable via the library), which means a
|
|
177
|
+
// user-supplied CA whose subject uses e.g. multi-valued RDNs or a
|
|
178
|
+
// non-canonical string type could produce a differently-encoded issuer
|
|
179
|
+
// here. Schannel matches on AKI keyid (present above) not issuer DN, and
|
|
180
|
+
// the ephemeral CA is generated by the same encoder, so this holds in
|
|
181
|
+
// practice; noted for completeness.
|
|
182
|
+
pki.distinguishedNameToAsn1(cert.subject),
|
|
183
|
+
asn1Time(now),
|
|
184
|
+
asn1Time(nextUpdate),
|
|
185
|
+
// revokedCertificates: OMITTED. RFC 5280: "When there are no revoked
|
|
186
|
+
// certificates, the revoked certificates list MUST be absent."
|
|
187
|
+
crlExtensions,
|
|
188
|
+
]);
|
|
189
|
+
const digest = md.sha256.create();
|
|
190
|
+
digest.update(asn1.toDer(tbsCertList).getBytes());
|
|
191
|
+
const sig = key.sign(digest);
|
|
192
|
+
const crl = seq([
|
|
193
|
+
tbsCertList,
|
|
194
|
+
sigAlg(),
|
|
195
|
+
// BIT STRING: leading 0x00 = zero unused bits.
|
|
196
|
+
asn1.create(C.UNIVERSAL, T.BITSTRING, false, '\x00' + sig),
|
|
197
|
+
]);
|
|
198
|
+
return Buffer.from(asn1.toDer(crl).getBytes(), 'binary');
|
|
199
|
+
}
|
|
200
|
+
const C = asn1.Class;
|
|
201
|
+
const T = asn1.Type;
|
|
202
|
+
function seq(v) {
|
|
203
|
+
return asn1.create(C.UNIVERSAL, T.SEQUENCE, true, v);
|
|
204
|
+
}
|
|
205
|
+
/** UTCTime for years <2050, GeneralizedTime otherwise (RFC 5280 §4.1.2.5). */
|
|
206
|
+
function asn1Time(d) {
|
|
207
|
+
return d.getUTCFullYear() < 2050
|
|
208
|
+
? asn1.create(C.UNIVERSAL, T.UTCTIME, false, asn1.dateToUtcTime(d))
|
|
209
|
+
: asn1.create(C.UNIVERSAL, T.GENERALIZEDTIME, false, asn1.dateToGeneralizedTime(d));
|
|
210
|
+
}
|
|
211
|
+
function loadCA(certPath, keyPath, extraCaCertPaths) {
|
|
82
212
|
const certPem = readPem(certPath, 'CERTIFICATE', 'tlsTerminate.caCertPath');
|
|
83
213
|
const keyPem = readPem(keyPath, 'PRIVATE KEY', 'tlsTerminate.caKeyPath');
|
|
84
214
|
let cert;
|
|
@@ -98,7 +228,7 @@ function loadCA(certPath, keyPath) {
|
|
|
98
228
|
// The CA files are the user's; the trust bundle still needs an SRT-owned
|
|
99
229
|
// directory of its own.
|
|
100
230
|
const bundleDir = mkdtempSync(join(tmpdir(), 'srt-ca-'));
|
|
101
|
-
const trustBundlePath = writeTrustBundle(bundleDir, certPem);
|
|
231
|
+
const trustBundlePath = writeTrustBundle(bundleDir, certPem, extraCaCertPaths);
|
|
102
232
|
logForDebugging(`[mitm-ca] loaded CA from ${certPath}`);
|
|
103
233
|
return {
|
|
104
234
|
certPath,
|
|
@@ -110,10 +240,11 @@ function loadCA(certPath, keyPath) {
|
|
|
110
240
|
key: key,
|
|
111
241
|
leafCerts: new Map(),
|
|
112
242
|
secureContexts: new Map(),
|
|
243
|
+
crlDer: generateEmptyCrl(cert, key),
|
|
113
244
|
ephemeral: false,
|
|
114
245
|
};
|
|
115
246
|
}
|
|
116
|
-
function generateEphemeralCA() {
|
|
247
|
+
function generateEphemeralCA(extraCaCertPaths) {
|
|
117
248
|
const keys = pki.rsa.generateKeyPair(2048);
|
|
118
249
|
const cert = pki.createCertificate();
|
|
119
250
|
cert.publicKey = keys.publicKey;
|
|
@@ -147,7 +278,7 @@ function generateEphemeralCA() {
|
|
|
147
278
|
const keyPath = join(dir, 'ca.key');
|
|
148
279
|
writeFileSync(certPath, certPem, { mode: 0o644 });
|
|
149
280
|
writeFileSync(keyPath, keyPem, { mode: 0o600 });
|
|
150
|
-
const trustBundlePath = writeTrustBundle(dir, certPem);
|
|
281
|
+
const trustBundlePath = writeTrustBundle(dir, certPem, extraCaCertPaths);
|
|
151
282
|
logForDebugging(`[mitm-ca] generated ephemeral CA at ${certPath}`);
|
|
152
283
|
return {
|
|
153
284
|
certPath,
|
|
@@ -159,6 +290,7 @@ function generateEphemeralCA() {
|
|
|
159
290
|
key: keys.privateKey,
|
|
160
291
|
leafCerts: new Map(),
|
|
161
292
|
secureContexts: new Map(),
|
|
293
|
+
crlDer: generateEmptyCrl(cert, keys.privateKey),
|
|
162
294
|
ephemeral: true,
|
|
163
295
|
};
|
|
164
296
|
}
|
|
@@ -178,14 +310,14 @@ function readPem(path, label, field) {
|
|
|
178
310
|
}
|
|
179
311
|
return pem;
|
|
180
312
|
}
|
|
181
|
-
function randomSerial() {
|
|
313
|
+
export function randomSerial() {
|
|
182
314
|
// 16 random bytes, high bit cleared so the DER INTEGER stays positive.
|
|
183
315
|
const bytes = random.getBytesSync(16);
|
|
184
316
|
const hex = util.bytesToHex(bytes);
|
|
185
317
|
const firstNibble = parseInt(hex[0], 16) & 0x7;
|
|
186
318
|
return firstNibble.toString(16) + hex.slice(1);
|
|
187
319
|
}
|
|
188
|
-
function daysFromNow(days) {
|
|
320
|
+
export function daysFromNow(days) {
|
|
189
321
|
const d = new Date();
|
|
190
322
|
d.setDate(d.getDate() + days);
|
|
191
323
|
return d;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mitm-ca.js","sourceRoot":"","sources":["../../src/sandbox/mitm-ca.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,MAAM,YAAY,CAAA;AAC9B,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAClE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAA;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,gBAAgB,EAAsB,MAAM,UAAU,CAAA;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAGnD,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAA;
|
|
1
|
+
{"version":3,"file":"mitm-ca.js","sourceRoot":"","sources":["../../src/sandbox/mitm-ca.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,MAAM,YAAY,CAAA;AAC9B,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAClE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAA;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,gBAAgB,EAAsB,MAAM,UAAU,CAAA;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAGnD,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAA;AAE7C;;;;GAIG;AACH,MAAM,cAAc,GAClB,+DAA+D,CAAA;AAqDjE,6DAA6D;AAC7D,MAAM,CAAC,MAAM,QAAQ,GAAG,UAAU,CAAA;AAElC;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAAC,MAA6B;IAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAEzC,CAAA;IACb,OAAO,GAAG,EAAE,oBAAoB;QAC9B,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,oBAAoB,CAAC;QAC3C,CAAC,CAAC,MAAM,CAAC,4BAA4B,EAAE,CAAC,QAAQ,EAAE,CAAA;AACtD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,IAK5B;IACC,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAA;IACH,CAAC;IACD,OAAO,mBAAmB,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;AACnD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,EAAU;IAC5C,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAA;IACnD,IAAI,EAAE,CAAC,SAAS;QAAE,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAA;IAChD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,6BAA8B,GAAa,CAAC,OAAO,EAAE,EAAE;gBACrE,KAAK,EAAE,MAAM;aACd,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,gBAAgB,CACvB,GAAW,EACX,SAAiB,EACjB,gBAA2B;IAE3B,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,GAAG,gBAAgB,CAAC,CAAA;IACrD,sEAAsE;IACtE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAA;IAC7C,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,qEAAqE;QACvE,CAAC;IACH,CAAC;IACD,uEAAuE;IACvE,0EAA0E;IAC1E,0EAA0E;IAC1E,iDAAiD;IACjD,KAAK,MAAM,SAAS,IAAI,gBAAgB,IAAI,EAAE,EAAE,CAAC;QAC/C,IAAI,GAAW,CAAA;QACf,IAAI,CAAC;YACH,GAAG,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;QACvC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC,CAAA;YAC/D,eAAe,CACb,2CAA2C,SAAS,KAAK,IAAI,KAAK;gBAChE,UAAU,EACZ,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACD,SAAQ;QACV,CAAC;QACD,mEAAmE;QACnE,uEAAuE;QACvE,wEAAwE;QACxE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,eAAe,CACb,+BAA+B,SAAS,0BAA0B;gBAChE,iBAAiB,EACnB,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACD,SAAQ;QACV,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAA;IACtB,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAA;IAC1C,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IAC7D,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAA2B,EAC3B,GAA6B;IAE7B,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,CAAC,uBAAuB,CAAA;IACnD,MAAM,MAAM,GAAG,GAAG,EAAE,CAClB,GAAG,CAAC;QACF,IAAI,CAAC,MAAM,CACT,CAAC,CAAC,SAAS,EACX,CAAC,CAAC,GAAG,EACL,KAAK,EACL,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE,CACrC;QACD,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;KAC5C,CAAC,CAAA;IAEJ,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,GAAG,GAAG,CAAC,GAAW,EAAE,KAAsB,EAAE,EAAE,CAClD,GAAG,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;QACrE,IAAI,CAAC,MAAM,CACT,CAAC,CAAC,SAAS,EACX,CAAC,CAAC,WAAW,EACb,KAAK,EACL,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAC7B;KACF,CAAC,CAAA;IACJ,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,EAAE,IAAI,EAAE;QAC7D,GAAG,CAAC;YACF,4DAA4D;YAC5D,GAAG,CACD,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAC/B,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,EAAE,KAAK,EAAE,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CACvE;YACD,oEAAoE;YACpE,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;SACrE,CAAC;KACH,CAAC,CAAA;IAEF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IACtB,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAA;IACpC,MAAM,UAAU,GAAG,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAA;IAEvD,MAAM,WAAW,GAAG,GAAG,CAAC;QACtB,mEAAmE;QACnE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC;QAClD,MAAM,EAAE;QACR,oEAAoE;QACpE,mEAAmE;QACnE,wEAAwE;QACxE,mEAAmE;QACnE,kEAAkE;QAClE,uEAAuE;QACvE,yEAAyE;QACzE,sEAAsE;QACtE,oCAAoC;QACpC,GAAG,CAAC,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC;QACzC,QAAQ,CAAC,GAAG,CAAC;QACb,QAAQ,CAAC,UAAU,CAAC;QACpB,qEAAqE;QACrE,+DAA+D;QAC/D,aAAa;KACd,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAA;IACjC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IAE5B,MAAM,GAAG,GAAG,GAAG,CAAC;QACd,WAAW;QACX,MAAM,EAAE;QACR,+CAA+C;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC;KAC3D,CAAC,CAAA;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAA;AAC1D,CAAC;AAED,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAA;AACpB,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAA;AACnB,SAAS,GAAG,CAAC,CAAoB;IAC/B,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;AACtD,CAAC;AACD,8EAA8E;AAC9E,SAAS,QAAQ,CAAC,CAAO;IACvB,OAAO,CAAC,CAAC,cAAc,EAAE,GAAG,IAAI;QAC9B,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnE,CAAC,CAAC,IAAI,CAAC,MAAM,CACT,CAAC,CAAC,SAAS,EACX,CAAC,CAAC,eAAe,EACjB,KAAK,EACL,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAC9B,CAAA;AACP,CAAC;AAED,SAAS,MAAM,CACb,QAAgB,EAChB,OAAe,EACf,gBAA2B;IAE3B,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,EAAE,aAAa,EAAE,yBAAyB,CAAC,CAAA;IAC3E,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,aAAa,EAAE,wBAAwB,CAAC,CAAA;IAExE,IAAI,IAA2B,CAAA;IAC/B,IAAI,GAAyB,CAAA;IAC7B,IAAI,CAAC;QACH,IAAI,GAAG,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAA;QACtC,GAAG,GAAG,GAAG,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAA;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,yCAAyC,QAAQ,IAAI;YAClD,GAAa,CAAC,OAAO,CACzB,CAAA;IACH,CAAC;IACD,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC;QACnC,kDAAkD;QAClD,MAAM,IAAI,KAAK,CAAC,qCAAqC,OAAO,cAAc,CAAC,CAAA;IAC7E,CAAC;IAED,yEAAyE;IACzE,wBAAwB;IACxB,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,SAAS,CAAC,CAAC,CAAA;IACxD,MAAM,eAAe,GAAG,gBAAgB,CAAC,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAA;IAE9E,eAAe,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAA;IACvD,OAAO;QACL,QAAQ;QACR,OAAO;QACP,eAAe;QACf,OAAO;QACP,MAAM;QACN,IAAI;QACJ,GAAG,EAAE,GAA+B;QACpC,SAAS,EAAE,IAAI,GAAG,EAAE;QACpB,cAAc,EAAE,IAAI,GAAG,EAAE;QACzB,MAAM,EAAE,gBAAgB,CAAC,IAAI,EAAE,GAA+B,CAAC;QAC/D,SAAS,EAAE,KAAK;KACjB,CAAA;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,gBAA2B;IACtD,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;IAC1C,MAAM,IAAI,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAA;IACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;IAC/B,IAAI,CAAC,YAAY,GAAG,YAAY,EAAE,CAAA;IAClC,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAA;IACzC,IAAI,CAAC,QAAQ,CAAC,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;IACzC,MAAM,OAAO,GAAG;QACd,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,8BAA8B,EAAE;QAC7D,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,iBAAiB,EAAE;KACvD,CAAA;IACD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;IACxB,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACvB,IAAI,CAAC,aAAa,CAAC;QACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;QACtD;YACE,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,IAAI;YACb,gBAAgB,EAAE,IAAI;SACvB;QACD,EAAE,IAAI,EAAE,sBAAsB,EAAE;KACjC,CAAC,CAAA;IACF,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IAE9C,MAAM,OAAO,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAA;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAEnD,0EAA0E;IAC1E,sEAAsE;IACtE,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,SAAS,CAAC,CAAC,CAAA;IAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACpC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;IACnC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IACjD,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IAC/C,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAA;IAExE,eAAe,CAAC,uCAAuC,QAAQ,EAAE,CAAC,CAAA;IAClE,OAAO;QACL,QAAQ;QACR,OAAO;QACP,eAAe;QACf,OAAO;QACP,MAAM;QACN,IAAI;QACJ,GAAG,EAAE,IAAI,CAAC,UAAU;QACpB,SAAS,EAAE,IAAI,GAAG,EAAE;QACpB,cAAc,EAAE,IAAI,GAAG,EAAE;QACzB,MAAM,EAAE,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC;QAC/C,SAAS,EAAE,IAAI;KAChB,CAAA;AACH,CAAC;AAED,SAAS,OAAO,CAAC,IAAY,EAAE,KAAa,EAAE,KAAa;IACzD,IAAI,GAAW,CAAA;IACf,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,GAAI,GAA6B,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC,CAAA;QAC/D,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,iBAAiB,IAAI,KAAK,IAAI,GAAG,CAAC,CAAA;IAC5D,CAAC;IACD,+EAA+E;IAC/E,sCAAsC;IACtC,IAAI,CAAC,IAAI,MAAM,CAAC,qBAAqB,KAAK,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,KAAK,IAAI,iBAAiB,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,uEAAuE;IACvE,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAA;IACrC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;IAClC,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,GAAG,GAAG,CAAA;IAC/C,OAAO,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,CAAC,GAAG,IAAI,IAAI,EAAE,CAAA;IACpB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAA;IAC7B,OAAO,CAAC,CAAA;AACV,CAAC"}
|
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|
* so a client that trusts the CA will accept it for that host.
|
|
8
8
|
*/
|
|
9
9
|
import { type SecureContext } from 'node:tls';
|
|
10
|
-
import type
|
|
10
|
+
import { type MitmCA } from './mitm-ca.js';
|
|
11
11
|
export type LeafCert = {
|
|
12
12
|
/** Leaf cert PEM followed by the CA cert PEM (full chain). */
|
|
13
13
|
certPem: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mitm-leaf.d.ts","sourceRoot":"","sources":["../../src/sandbox/mitm-leaf.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,UAAU,CAAA;AAElE,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"mitm-leaf.d.ts","sourceRoot":"","sources":["../../src/sandbox/mitm-leaf.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAuB,KAAK,aAAa,EAAE,MAAM,UAAU,CAAA;AAElE,OAAO,EAIL,KAAK,MAAM,EACZ,MAAM,cAAc,CAAA;AAIrB,MAAM,MAAM,QAAQ,GAAG;IACrB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAA;IACf,4BAA4B;IAC5B,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAyDnE;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,aAAa,CAO5E"}
|
|
@@ -10,7 +10,8 @@ import forge from 'node-forge';
|
|
|
10
10
|
import { isIP } from 'node:net';
|
|
11
11
|
import { createSecureContext } from 'node:tls';
|
|
12
12
|
import { logForDebugging } from '../utils/debug.js';
|
|
13
|
-
|
|
13
|
+
import { caSubjectKeyId, daysFromNow, randomSerial, } from './mitm-ca.js';
|
|
14
|
+
const { pki, md } = forge;
|
|
14
15
|
/**
|
|
15
16
|
* Mint (or return cached) an RSA-2048 leaf cert for `hostname`, signed by `ca`.
|
|
16
17
|
* The cache lives on `ca.leafCerts`.
|
|
@@ -42,9 +43,26 @@ export function mintLeafCert(ca, hostname) {
|
|
|
42
43
|
// Python ≥3.13 enables ssl.VERIFY_X509_STRICT by default, which enforces
|
|
43
44
|
// RFC 5280's "AKI MUST be present on non-self-signed certs". curl/Go/Node
|
|
44
45
|
// don't enforce this, but requests/urllib3/httpx/google-auth all reject
|
|
45
|
-
// a leaf without AKI under 3.13. See caSubjectKeyId()
|
|
46
|
-
// just pass the CA's stored SKI value through.
|
|
46
|
+
// a leaf without AKI under 3.13. See caSubjectKeyId() in mitm-ca.ts for
|
|
47
|
+
// why we can't just pass the CA's stored SKI value through.
|
|
47
48
|
{ name: 'authorityKeyIdentifier', keyIdentifier: caSubjectKeyId(ca.cert) },
|
|
49
|
+
// Schannel (Windows System32 curl, git's default backend, cargo) checks
|
|
50
|
+
// revocation on the LEAF and hard-fails CRYPT_E_NO_REVOCATION_CHECK when
|
|
51
|
+
// there's no CDP to consult. Point it at the empty CRL the proxy serves
|
|
52
|
+
// on 127.0.0.1 (see MitmCA.crlDer / http-proxy.ts) so the check resolves
|
|
53
|
+
// to "not revoked" instead of "unknown". node-forge encodes CDP with the
|
|
54
|
+
// same {altNames} shape as SAN; type 6 = uniformResourceIdentifier.
|
|
55
|
+
// OpenSSL-backed clients don't check CRLs by default, so a leaf minted
|
|
56
|
+
// before the port is bound (crlUrl unset) works everywhere except
|
|
57
|
+
// Schannel-with-revocation.
|
|
58
|
+
...(ca.crlUrl
|
|
59
|
+
? [
|
|
60
|
+
{
|
|
61
|
+
name: 'cRLDistributionPoints',
|
|
62
|
+
altNames: [{ type: 6, value: ca.crlUrl }],
|
|
63
|
+
},
|
|
64
|
+
]
|
|
65
|
+
: []),
|
|
48
66
|
]);
|
|
49
67
|
cert.sign(ca.key, md.sha256.create());
|
|
50
68
|
const leaf = {
|
|
@@ -69,23 +87,6 @@ export function secureContextFor(ca, hostname) {
|
|
|
69
87
|
ca.secureContexts.set(hostname, ctx);
|
|
70
88
|
return ctx;
|
|
71
89
|
}
|
|
72
|
-
/**
|
|
73
|
-
* Return the CA's Subject Key Identifier as raw bytes for use as the leaf's
|
|
74
|
-
* authorityKeyIdentifier.keyIdentifier.
|
|
75
|
-
*
|
|
76
|
-
* node-forge stores a cert's subjectKeyIdentifier extension value as a *hex
|
|
77
|
-
* string* (both for in-memory certs and certs parsed from PEM), but expects
|
|
78
|
-
* AKI's keyIdentifier as *raw bytes* — passing the hex through verbatim
|
|
79
|
-
* encodes the ASCII hex chars as the key id and the chain fails to verify.
|
|
80
|
-
* If the CA has no SKI extension (e.g. a v1 user-supplied CA), derive the
|
|
81
|
-
* RFC 5280 method-1 value from its public key.
|
|
82
|
-
*/
|
|
83
|
-
function caSubjectKeyId(caCert) {
|
|
84
|
-
const ext = caCert.getExtension('subjectKeyIdentifier');
|
|
85
|
-
return ext?.subjectKeyIdentifier
|
|
86
|
-
? util.hexToBytes(ext.subjectKeyIdentifier)
|
|
87
|
-
: caCert.generateSubjectKeyIdentifier().getBytes();
|
|
88
|
-
}
|
|
89
90
|
function sanFor(hostname) {
|
|
90
91
|
// RFC 5280 GeneralName tags: 2 = dNSName, 7 = iPAddress.
|
|
91
92
|
return isIP(hostname) !== 0
|
|
@@ -110,16 +111,4 @@ function clampValidity(caCert, notBefore) {
|
|
|
110
111
|
max.setDate(max.getDate() + 99);
|
|
111
112
|
return caEnd < max ? new Date(caEnd) : max;
|
|
112
113
|
}
|
|
113
|
-
function randomSerial() {
|
|
114
|
-
// 16 random bytes, high bit cleared so the DER INTEGER stays positive.
|
|
115
|
-
const bytes = random.getBytesSync(16);
|
|
116
|
-
const hex = util.bytesToHex(bytes);
|
|
117
|
-
const firstNibble = parseInt(hex[0], 16) & 0x7;
|
|
118
|
-
return firstNibble.toString(16) + hex.slice(1);
|
|
119
|
-
}
|
|
120
|
-
function daysFromNow(days) {
|
|
121
|
-
const d = new Date();
|
|
122
|
-
d.setDate(d.getDate() + days);
|
|
123
|
-
return d;
|
|
124
|
-
}
|
|
125
114
|
//# sourceMappingURL=mitm-leaf.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"mitm-leaf.js","sourceRoot":"","sources":["../../src/sandbox/mitm-leaf.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,MAAM,YAAY,CAAA;AAC9B,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAC/B,OAAO,EAAE,mBAAmB,EAAsB,MAAM,UAAU,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;
|
|
1
|
+
{"version":3,"file":"mitm-leaf.js","sourceRoot":"","sources":["../../src/sandbox/mitm-leaf.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,MAAM,YAAY,CAAA;AAC9B,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAC/B,OAAO,EAAE,mBAAmB,EAAsB,MAAM,UAAU,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EACL,cAAc,EACd,WAAW,EACX,YAAY,GAEb,MAAM,cAAc,CAAA;AAErB,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,KAAK,CAAA;AASzB;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,EAAU,EAAE,QAAgB;IACvD,MAAM,MAAM,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACzC,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IAEzB,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;IAC1C,MAAM,IAAI,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAA;IACpC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAA;IAC/B,IAAI,CAAC,YAAY,GAAG,YAAY,EAAE,CAAA;IAClC,MAAM,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAA;IACjC,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,SAAS,CAAA;IACnC,IAAI,CAAC,QAAQ,CAAC,QAAQ,GAAG,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;IAC1D,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAA;IAC1D,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IAC1C,IAAI,CAAC,aAAa,CAAC;QACjB,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE;QACvD;YACE,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,IAAI;YACd,gBAAgB,EAAE,IAAI;YACtB,eAAe,EAAE,IAAI;SACtB;QACD,EAAE,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,IAAI,EAAE;QACzC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE;QACxD,EAAE,IAAI,EAAE,sBAAsB,EAAE;QAChC,yEAAyE;QACzE,0EAA0E;QAC1E,wEAAwE;QACxE,wEAAwE;QACxE,4DAA4D;QAC5D,EAAE,IAAI,EAAE,wBAAwB,EAAE,aAAa,EAAE,cAAc,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE;QAC1E,wEAAwE;QACxE,yEAAyE;QACzE,wEAAwE;QACxE,yEAAyE;QACzE,yEAAyE;QACzE,oEAAoE;QACpE,uEAAuE;QACvE,kEAAkE;QAClE,4BAA4B;QAC5B,GAAG,CAAC,EAAE,CAAC,MAAM;YACX,CAAC,CAAC;gBACE;oBACE,IAAI,EAAE,uBAAuB;oBAC7B,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC;iBAC1C;aACF;YACH,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CAAA;IACF,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IAErC,MAAM,IAAI,GAAa;QACrB,OAAO,EAAE,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO;QAChD,MAAM,EAAE,GAAG,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC;KAC7C,CAAA;IACD,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAChC,eAAe,CAAC,mCAAmC,QAAQ,EAAE,CAAC,CAAA;IAC9D,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,EAAU,EAAE,QAAgB;IAC3D,MAAM,MAAM,GAAG,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAC9C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IACzB,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAA;IACtD,MAAM,GAAG,GAAG,mBAAmB,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAA;IAC/D,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACpC,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,MAAM,CAAC,QAAgB;IAK9B,yDAAyD;IACzD,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QACzB,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE;QAC3B,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAA;AAClC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,aAAa,CAAC,MAA6B,EAAE,SAAe;IACnE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAA;IACtC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAA;IAC/B,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,CAAA;IAC/B,OAAO,KAAK,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAA;AAC5C,CAAC"}
|