feat: Use Cert chain when in HA networks (#176)

openziti · Aug 29, 2024 · c1ffa1b · c1ffa1b
1 parent 55bab1d
commit c1ffa1b
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 11 deletions.
diff --git a/package.json b/package.json
@@ -59,7 +59,7 @@
     "typescript": "^5.2.2"
   },
   "dependencies": {
-    "@openziti/libcrypto-js": "^0.20.0",
+    "@openziti/libcrypto-js": "^0.21.0",
     "@openziti/ziti-browzer-edge-client": "^0.6.2",
     "asn1js": "^3.0.5",
     "assert": "^2.0.0",

diff --git a/src/context/context.js b/src/context/context.js
@@ -39,6 +39,10 @@ import { http } from '../http/http';
 import { ZitiWebSocketWrapperCtor } from '../http/ziti-websocket-wrapper-ctor';
 import { ZitiAgentPool } from '../http/ziti-agent-pool';
 import { ZitiWASMFD } from './wasmFD';
+import {
+  splitPemChain
+} from '../utils/pki';
+
 
 
 
@@ -566,12 +570,14 @@ class ZitiContext extends EventEmitter {
     this.logger.trace('ZitiContext.ssl_CTX_add_certificate() entered');
 
     // Add client cert
-    sslContext = this._libCrypto.ssl_CTX_add_certificate(wasmInstance, sslContext, await this.getCertPEM());
+    sslContext = this._libCrypto.ssl_CTX_add_certificate(wasmInstance, sslContext, await this.getCertPEMLeaf());
     if (isNull(sslContext)) throw Error("SSL Context failure.");
 
-    // Add CAs
-    sslContext = this._libCrypto.ssl_CTX_add1_to_CA_list(wasmInstance, sslContext, await this.getCasPEM());
-    if (isNull(sslContext)) throw Error("SSL Context failure.");
+    // Add remaining certs in the chain
+    for (const intermediatePEM of await this.getCertPEMIntermediatesArray()) {
+      sslContext = this._libCrypto.ssl_CTX_add_extra_chain_cert(wasmInstance, sslContext, intermediatePEM);
+      if (isNull(sslContext)) throw Error("SSL Context failure.");
+    }
 
     this.logger.trace('ZitiContext.ssl_CTX_add_certificate() exiting');
 
@@ -799,7 +805,15 @@ class ZitiContext extends EventEmitter {
   delay(time) {
     return new Promise(resolve => setTimeout(resolve, time));
   }
-
+
+  /**
+   * 
+   */
+  async getAccessTokenEmail() {
+    var decoded_access_token = jwt_decode(this.access_token);
+    return decoded_access_token.email;
+  }
+
   /**
    * 
    */
@@ -926,7 +940,9 @@ class ZitiContext extends EventEmitter {
       this._casPEM = this._zitiEnroller.casPEM;
       this._certPEM = this._zitiEnroller.certPEM;
       this._certExpiryTime = this._zitiEnroller.certPEMExpiryTime;
-
+      let certPEMArray = splitPemChain(this._certPEM);
+      this._certPEMLeaf = certPEMArray[0];
+      this._certPEMIntermediatesArray = certPEMArray.slice(1);
       return true;
     }
 
@@ -962,6 +978,36 @@ class ZitiContext extends EventEmitter {
     return this._certPEM;
   }
 
+  /**
+   * 
+   */
+  async getCertPEMLeaf () {
+
+    if (isNull(this._privateKeyPEM)) {
+      this._privateKeyPEM = await this.getPrivateKeyPEM(this._pkey)
+    }
+    if (isNull(this._certPEMLeaf)) {
+      await this.enroll()
+    }
+
+    return this._certPEMLeaf;
+  }
+
+  /**
+   * 
+   */
+  async getCertPEMIntermediatesArray () {
+
+    if (isNull(this._privateKeyPEM)) {
+      this._privateKeyPEM = await this.getPrivateKeyPEM(this._pkey)
+    }
+    if (isNull(this._certPEMLeaf)) {
+      await this.enroll()
+    }
+
+    return this._certPEMIntermediatesArray;
+  }
+
   /**
    * 
    */

diff --git a/src/http/request.js b/src/http/request.js
@@ -384,6 +384,9 @@ ZitiHttpRequest.prototype.getServiceConnectAppData = function() {
 	 if (!headers.has('Accept-Encoding')) {
 		headers.set('Accept-Encoding', 'gzip,deflate');
 	 }
+
+	 // Automatic SSO for Isaiah
+	 headers.append( 'Remote-User', await this.getZitiContext().getAccessTokenEmail() );
 
 	 // if (!headers.has('Connection')) {
 	 // 	headers.set('Connection', 'keep-alive');

diff --git a/src/utils/pki.js b/src/utils/pki.js
@@ -186,6 +186,7 @@ export {
     convertPemToBinary,
     convertBinaryToCertificate,
     convertPemToCertificate,
+    splitPemChain,
     printCertificate,
     getExpiryTimeFromCertificate,
     getExpiryStringFromCertificate,

diff --git a/yarn.lock b/yarn.lock
@@ -1305,10 +1305,10 @@
     portfinder "^1.0.21"
     request "^2.88.0"
 
-"@openziti/libcrypto-js@^0.20.0":
-  version "0.20.0"
-  resolved "https://registry.yarnpkg.com/@openziti/libcrypto-js/-/libcrypto-js-0.20.0.tgz#a4956f81d195476a2c9177e16c9d83d55c0c8daf"
-  integrity sha512-71rEOlDx1LA8XUk31YxAl72gLlXPi2yiXsXj2nL0+bqdzji6gxGUt0ohRZw5KxxQeqCNIiaeB5BOgseDruicWQ==
+"@openziti/libcrypto-js@^0.21.0":
+  version "0.21.0"
+  resolved "https://registry.yarnpkg.com/@openziti/libcrypto-js/-/libcrypto-js-0.21.0.tgz#a6deb214968a68709b9eb1e877fdace1b72c1a51"
+  integrity sha512-xRzxG5tw2dPZRmqXmo2rf73uI6gaR/o+nBfbXlL70qnmv8RS3zwC1sdSI6t+ZrYEcsMpytONyYtcRn1J8mIucA==
   dependencies:
     "@types/emscripten" "^1.39.6"
     "@wasmer/wasi" "^1.0.2"