Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix dev certs for mac #245

Closed
wants to merge 4 commits into from
Closed

Fix dev certs for mac #245

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b5e4bf9
remove expired certs if they exist to address Issue#190
Jan 17, 2020
7c9ebff
revert exported getUninstallCommand method
Jan 17, 2020
81dcf0a
add new uninstallExpiredCaCertificate method; update test to account …
Jan 17, 2020
9984acb
Merge branch 'master' into fix-dev-certs-for-mac
asachin96 Jan 17, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 24 additions & 9 deletions packages/office-addin-dev-certs/src/uninstall.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT license.

import { execSync } from "child_process";
import * as fsExtra from "fs-extra";
import * as path from "path";
import * as defaults from "./defaults";
import { isCaCertificateInstalled } from "./verify";

function getUninstallCommand(machine: boolean = false): string {
switch (process.platform) {
case "win32":
Expand All @@ -18,34 +18,49 @@ function getUninstallCommand(machine: boolean = false): string {
throw new Error(`Platform not supported: ${process.platform}`);
}
}

// Deletes the generated certificate files and delete the certificate directory if its empty
export function deleteCertificateFiles(certificateDirectory: string = defaults.certificateDirectory): void {
if (fsExtra.existsSync(certificateDirectory)) {
fsExtra.removeSync(path.join(certificateDirectory, defaults.localhostCertificateFileName));
fsExtra.removeSync(path.join(certificateDirectory, defaults.localhostKeyFileName));
fsExtra.removeSync(path.join(certificateDirectory, defaults.caCertificateFileName));

if (fsExtra.readdirSync(certificateDirectory).length === 0) {
fsExtra.removeSync(certificateDirectory);
}
}
}

export async function uninstallCaCertificate(machine: boolean = false, verbose: boolean = true) {
if (isCaCertificateInstalled()) {
const command = getUninstallCommand(machine);

try {
console.log(`Uninstalling CA certificate "Developer CA for Microsoft Office Add-ins"...`);
execSync(command, {stdio : "pipe" });
console.log(`Uninstalling CA certificate "Developer CA for Microsoft Office Add-ins"...`);
execSync(command, { stdio: "pipe" });
console.log(`You no longer have trusted access to https://localhost.`);
} catch (error) {
throw new Error(`Unable to uninstall the CA certificate.\n${error.stderr.toString()}`);
}
} else {
if (verbose) {
console.log(`The CA certificate is not installed.`);
console.log(`The CA certificate is not installed.`);
}
}
}

// Currently this method is only intended to be used for Mac due to problems on Mac that occur when CA certificates expire
export async function uninstallExpiredCaCertificate() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't export this

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually I don't think you need this function at all. The uninstall command is the same and the message doesn't need to say whether it is expired. can't you just use the regular uninstallCaCertificate() function?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't use the regular uninstallCaCertificate because it calls isCaCertificateInstalled, which will then get us in an endless loop.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's why I initially had uninstallCaCertificate take a Boolean expiredCert param so we could bypass the call to isCaCertificateInstalled for the removing of an expired cert

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it help to add an optional param "expiredOnly = false" to uninstallCaCertificate() which could be called with expiredOnly as true for Mac?

if (process.platform === "darwin") {
const command = getUninstallCommand();

try {
console.log(`Uninstalling expired CA certificate "Developer CA for Microsoft Office Add-ins".`);
execSync(command, { stdio: "pipe" });
console.log(`You no longer have trusted access to https://localhost.`);
} catch (error) {
throw new Error(`Unable to uninstall expired the CA certificate.\n${error.stderr.toString()}`);
}
}
}
43 changes: 27 additions & 16 deletions packages/office-addin-dev-certs/src/verify.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,72 +1,83 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT license.

import { execSync } from "child_process";
import * as crypto from "crypto";
import * as fs from "fs";
import * as path from "path";
import * as defaults from "./defaults";

import { uninstallExpiredCaCertificate } from './uninstall'

function getVerifyCommand(): string {
switch (process.platform) {
case "win32":
const script = path.resolve(__dirname, "..\\scripts\\verify.ps1");
return `powershell -ExecutionPolicy Bypass -File "${script}" "${defaults.certificateName}"`;
case "darwin": // macOS
return `security find-certificate -c '${defaults.certificateName}' -p | openssl x509 -checkend 86400 -noout`;
return `security find-certificate -c '${defaults.certificateName}' -p | openssl x509 -noout`;
default:
throw new Error(`Platform not supported: ${process.platform}`);
}
}

export function isCaCertificateInstalled(): boolean {
const command = getVerifyCommand();

try {
const output = execSync(command, {stdio : "pipe" }).toString();
if (process.platform === "darwin") {
return true;
// Ceritificate exists. Now check and see if it's expired and remove it if is.
asachin96 marked this conversation as resolved.
Show resolved Hide resolved
try {
const command = `security find-certificate -c '${defaults.certificateName}' -p | openssl x509 -checkend 86400 -noout`;
Copy link
Contributor

@akrantz akrantz Jan 17, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you move this try/catch into a function isCaCertificateExpired() which returns a boolean, and then have the code here be:

// on Mac, remove certificate if expired
if (process.platform === darwin) {
if (isCaCertificateExpired()) {
uninstallExpiredCertificate();
}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My biggest concern with this is that the isCaCertificateInstalled() function is adding a side-effect which removes a cert. That really shouldn't be done inside this function as a side-effect. Is there a way to move this out of this function and call it for mac from another place?

execSync(command, {stdio : "pipe" }).toString();
return true;
}
catch {
uninstallExpiredCaCertificate()
return false;
}

} else if (output.length !== 0) {
return true; // powershell command return empty string if the certificate not-found/expired
}
} catch (error) {
// Mac security command throws error if the certifcate is not-found/expired
// Mac security command throws error if the certifcate is not found
TCourtneyOwen marked this conversation as resolved.
Show resolved Hide resolved
}

return false;
}

function validateCertificateAndKey(certificatePath: string, keyPath: string) {
let certificate: string = "";
let key: string = "";

try {
certificate = fs.readFileSync(certificatePath).toString();
} catch (err) {
throw new Error(`Unable to read the certificate.\n${err}`);
}

try {
key = fs.readFileSync(keyPath).toString();
} catch (err) {
throw new Error(`Unable to read the certificate key.\n${err}`);
}

let encrypted;

try {
encrypted = crypto.publicEncrypt(certificate, Buffer.from("test"));
} catch (err) {
throw new Error(`The certificate is not valid.\n${err}`);
}

try {
crypto.privateDecrypt(key, encrypted);
} catch (err) {
throw new Error(`The certificate key is not valid.\n${err}`);
}
}

export function verifyCertificates(certificatePath: string = defaults.localhostCertificatePath, keyPath: string = defaults.localhostKeyPath): boolean {
let isCertificateValid: boolean = true;
try {
Expand All @@ -75,4 +86,4 @@ export function verifyCertificates(certificatePath: string = defaults.localhostC
isCertificateValid = false;
}
return isCertificateValid && isCaCertificateInstalled();
}
}
2 changes: 1 addition & 1 deletion packages/office-addin-dev-certs/test/test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,7 @@ describe("office-addin-dev-certs", function() {
sandbox.stub(childProcess, "execSync").callsFake(execSync);
try {
const ret = await verify.isCaCertificateInstalled();
assert.strictEqual(execSync.callCount, 1);
assert.strictEqual(execSync.callCount, (process.platform === "darwin") ? 2 : 1);
assert.strictEqual(ret, true);
} catch (err) {
// not expecting any exception
Expand Down