From c1ffa1be79a49254b704e536143df845501fb4c0 Mon Sep 17 00:00:00 2001
From: Curt Tudor
Date: Thu, 29 Aug 2024 12:43:09 -0600
Subject: [PATCH] feat: Use Cert chain when in HA networks (#176)

---
 package.json | 2 +-
 src/context/context.js | 58 +++++++++++++++++++++++++++++++++++++-----
 src/http/request.js | 3 +++
 src/utils/pki.js | 1 +
 yarn.lock | 8 +++---
 5 files changed, 61 insertions(+), 11 deletions(-)

diff --git a/package.json b/package.json
index a4a5243..a3a02d8 100644
--- a/package.json
+++ b/package.json
@@ -59,7 +59,7 @@
 "typescript": "^5.2.2"
 },
 "dependencies": {
- "@openziti/libcrypto-js": "^0.20.0",
+ "@openziti/libcrypto-js": "^0.21.0",
 "@openziti/ziti-browzer-edge-client": "^0.6.2",
 "asn1js": "^3.0.5",
 "assert": "^2.0.0",
diff --git a/src/context/context.js b/src/context/context.js
index 24329d5..46cf98e 100644
--- a/src/context/context.js
+++ b/src/context/context.js
@@ -39,6 +39,10 @@ import { http } from '../http/http';
 import { ZitiWebSocketWrapperCtor } from '../http/ziti-websocket-wrapper-ctor';
 import { ZitiAgentPool } from '../http/ziti-agent-pool';
 import { ZitiWASMFD } from './wasmFD';
+import {
+  splitPemChain
+} from '../utils/pki';
+
@@ -566,12 +570,14 @@ class ZitiContext extends EventEmitter {
 this.logger.trace('ZitiContext.ssl_CTX_add_certificate() entered');
 // Add client cert
- sslContext = this._libCrypto.ssl_CTX_add_certificate(wasmInstance, sslContext, await this.getCertPEM());
+ sslContext = this._libCrypto.ssl_CTX_add_certificate(wasmInstance, sslContext, await this.getCertPEMLeaf());
 if (isNull(sslContext)) throw Error("SSL Context failure.");
- // Add CAs
- sslContext = this._libCrypto.ssl_CTX_add1_to_CA_list(wasmInstance, sslContext, await this.getCasPEM());
- if (isNull(sslContext)) throw Error("SSL Context failure.");
+ // Add remaining certs in the chain
+ for (const intermediatePEM of await this.getCertPEMIntermediatesArray()) {
+ sslContext = this._libCrypto.ssl_CTX_add_extra_chain_cert(wasmInstance, sslContext, intermediatePEM);
+ if (isNull(sslContext)) throw Error("SSL Context failure.");
+ }
 this.logger.trace('ZitiContext.ssl_CTX_add_certificate() exiting');
@@ -799,7 +805,15 @@ class ZitiContext extends EventEmitter {
 delay(time) {
 return new Promise(resolve => setTimeout(resolve, time));
 }
-
+
+ /**
+ *
+ */
+ async getAccessTokenEmail() {
+ var decoded_access_token = jwt_decode(this.access_token);
+ return decoded_access_token.email;
+ }
+
 /**
 *
 */
@@ -926,7 +940,9 @@ class ZitiContext extends EventEmitter {
 this._casPEM = this._zitiEnroller.casPEM;
 this._certPEM = this._zitiEnroller.certPEM;
 this._certExpiryTime = this._zitiEnroller.certPEMExpiryTime;
-
+ let certPEMArray = splitPemChain(this._certPEM);
+ this._certPEMLeaf = certPEMArray[0];
+ this._certPEMIntermediatesArray = certPEMArray.slice(1);
 return true;
 }
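Review bot: The dropped `ssl_CTX_add1_to_CA_list(wasmInstance, sslContext, await this.getCasPEM())` is not explained anywhere in the hunk, and the new comment should say where trust anchors now come from: if libcrypto-js mirrors OpenSSL here, that call only shaped the CA-name list advertised to the peer rather than the verify store, but a reader of `// Add remaining certs in the chain` will otherwise assume the intermediates double as trust anchors, which `ssl_CTX_add_extra_chain_cert` does not provide. Suggested wording: `// Add remaining certs in the chain as extra chain certs presented to the peer; they are not trust anchors, and the CA list is no longer supplied here`. Both throws use the identical `Error("SSL Context failure.")`, so a rejected intermediate cannot be told apart from a rejected leaf; `throw new Error('SSL Context failure: ssl_CTX_add_extra_chain_cert rejected an intermediate certificate');` inside the loop would make the failing step visible. The enclosing method begins and ends outside this hunk.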
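Review bot: `getAccessTokenEmail()` returns a claim obtained through `jwt_decode(this.access_token)`, which decodes the payload without checking signature or expiry, and the empty `/** */` above it should say so because the value is later sent as a `Remote-User` header in the src/http/request.js hunk. Suggested doc: `/** Email claim of the cached access token, decoded without signature or expiry verification; a hint, not an authenticated identity. @returns {Promise<string|undefined>} */`. When `this.access_token` is null or undefined the decoder is expected to throw rather than return a claim, so callers that run before login fail; `if (this.access_token == null) return undefined;` ahead of the decode makes that case explicit. The method is `async` yet awaits nothing, and `var decoded_access_token` can be `const decodedAccessToken`; the empty `/** */` blocks in the getCertPEMLeaf/getCertPEMIntermediatesArray hunk below have the same documentation gap.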
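Review bot: `certPEMArray[0]` is read without checking that `splitPemChain` found any certificate, so an empty or malformed `certPEM` from the enroller leaves `_certPEMLeaf` undefined and `_certPEMIntermediatesArray` as `[]`; if `isNull` is lodash's (true only for `null`), the `isNull(this._certPEMLeaf)` guards in the later hunk will not notice and an undefined PEM reaches `ssl_CTX_add_certificate`. A guard before the assignments, `if (certPEMArray.length === 0) throw new Error('enrollment returned no certificate in certPEM');`, fails loudly at enrollment time instead. `let certPEMArray` is never reassigned and can be `const`. The enclosing method starts outside this hunk.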
@@ -962,6 +978,36 @@ class ZitiContext extends EventEmitter {
 return this._certPEM;
 }
+ /**
+ *
+ */
+ async getCertPEMLeaf () {
+
+ if (isNull(this._privateKeyPEM)) {
+ this._privateKeyPEM = await this.getPrivateKeyPEM(this._pkey)
+ }
+ if (isNull(this._certPEMLeaf)) {
+ await this.enroll()
+ }
+
+ return this._certPEMLeaf;
+ }
+
+ /**
+ *
+ */
+ async getCertPEMIntermediatesArray () {
+
+ if (isNull(this._privateKeyPEM)) {
+ this._privateKeyPEM = await this.getPrivateKeyPEM(this._pkey)
+ }
+ if (isNull(this._certPEMLeaf)) {
+ await this.enroll()
+ }
+
+ return this._certPEMIntermediatesArray;
+ }
+
 /**
 *
 */
diff --git a/src/http/request.js b/src/http/request.js
index 6e99b6b..dba33eb 100644
--- a/src/http/request.js
+++ b/src/http/request.js
@@ -384,6 +384,9 @@ ZitiHttpRequest.prototype.getServiceConnectAppData = function() {
 if (!headers.has('Accept-Encoding')) {
 headers.set('Accept-Encoding', 'gzip,deflate');
 }
+
+ // Automatic SSO for Isaiah
+ headers.append( 'Remote-User', await this.getZitiContext().getAccessTokenEmail() );
 // if (!headers.has('Connection')) {
 // headers.set('Connection', 'keep-alive');
diff --git a/src/utils/pki.js b/src/utils/pki.js
index b154373..c0d1f61 100644
--- a/src/utils/pki.js
+++ b/src/utils/pki.js
@@ -186,6 +186,7 @@ export {
 convertPemToBinary,
 convertBinaryToCertificate,
 convertPemToCertificate,
+ splitPemChain,
 printCertificate,
 getExpiryTimeFromCertificate,
 getExpiryStringFromCertificate,
diff --git a/yarn.lock b/yarn.lock
index 9925caa..e3f0e9b 100644
--- a/yarn.lock
+++ b/yarn.lock
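Review bot: `getCertPEMIntermediatesArray()` only calls `enroll()` when `_certPEMLeaf` is null, so if `_certPEM` can be populated by any path other than `enroll()` (the hunk shows `getCertPEM()` returning `this._certPEM` but not how it is filled), `_certPEMIntermediatesArray` stays undefined and the `for...of` in ssl_CTX_add_certificate throws a TypeError; the guard should check the field it returns, `if (isNull(this._certPEMLeaf) || isNull(this._certPEMIntermediatesArray)) { await this.enroll() }`, with the caveat that `isNull` may not catch undefined. The two methods repeat the private-key/enroll preamble verbatim; extracting it into one helper that both await would keep the two conditions from drifting. Both `/** */` blocks are empty; document them as `@returns {Promise<string>} PEM of the leaf (end-entity) certificate, enrolling first if absent` and `@returns {Promise<string[]>} PEMs of the remaining chain certificates in the order splitPemChain yields them, empty for a leaf-only chain`. Two statements, `this._privateKeyPEM = await ...` and `await this.enroll()`, lack the trailing semicolon used on the `return` lines beside them.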
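Review bot: `headers.append('Remote-User', ...)` attaches the user's email to every request this class sends, regardless of the target service, which discloses the identity to services that never asked for it and, where an upstream honours `Remote-User` as authentication, relies on a header that any browser-side caller of this code can also set; the comment `// Automatic SSO for Isaiah` should state that the value is an unverified JWT claim and is only meaningful for an upstream reachable solely through this Ziti path. `append` also preserves any `Remote-User` value the caller already placed on `headers`, so `headers.set('Remote-User', ...)` (or skipping the line when `headers.has('Remote-User')`) is the safer form, and gating it on a per-service or configuration flag would keep the email out of unrelated requests. The hunk header names `getServiceConnectAppData = function()`, which is not `async`; if that is the enclosing function, the `await` here is a syntax error — the function begins and ends outside the hunk, so confirm. Since `getAccessTokenEmail()` is expected to throw when no access token is cached (see the context.js hunk), this line also fails requests issued before login unless it is guarded.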
@@ -1305,10 +1305,10 @@ portfinder "^1.0.21"
 request "^2.88.0"
-"@openziti/libcrypto-js@^0.20.0":
- version "0.20.0"
- resolved "https://registry.yarnpkg.com/@openziti/libcrypto-js/-/libcrypto-js-0.20.0.tgz#a4956f81d195476a2c9177e16c9d83d55c0c8daf"
- integrity sha512-71rEOlDx1LA8XUk31YxAl72gLlXPi2yiXsXj2nL0+bqdzji6gxGUt0ohRZw5KxxQeqCNIiaeB5BOgseDruicWQ==
+"@openziti/libcrypto-js@^0.21.0":
+ version "0.21.0"
+ resolved "https://registry.yarnpkg.com/@openziti/libcrypto-js/-/libcrypto-js-0.21.0.tgz#a6deb214968a68709b9eb1e877fdace1b72c1a51"
+ integrity sha512-xRzxG5tw2dPZRmqXmo2rf73uI6gaR/o+nBfbXlL70qnmv8RS3zwC1sdSI6t+ZrYEcsMpytONyYtcRn1J8mIucA==
 dependencies:
 "@types/emscripten" "^1.39.6"
 "@wasmer/wasi" "^1.0.2"