-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix dev certs for mac #245
Changes from all commits
b5e4bf9
7c9ebff
81dcf0a
9984acb
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,72 +1,83 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT license. | ||
|
||
import { execSync } from "child_process"; | ||
import * as crypto from "crypto"; | ||
import * as fs from "fs"; | ||
import * as path from "path"; | ||
import * as defaults from "./defaults"; | ||
|
||
import { uninstallExpiredCaCertificate } from './uninstall' | ||
|
||
function getVerifyCommand(): string { | ||
switch (process.platform) { | ||
case "win32": | ||
const script = path.resolve(__dirname, "..\\scripts\\verify.ps1"); | ||
return `powershell -ExecutionPolicy Bypass -File "${script}" "${defaults.certificateName}"`; | ||
case "darwin": // macOS | ||
return `security find-certificate -c '${defaults.certificateName}' -p | openssl x509 -checkend 86400 -noout`; | ||
return `security find-certificate -c '${defaults.certificateName}' -p | openssl x509 -noout`; | ||
default: | ||
throw new Error(`Platform not supported: ${process.platform}`); | ||
} | ||
} | ||
|
||
export function isCaCertificateInstalled(): boolean { | ||
const command = getVerifyCommand(); | ||
|
||
try { | ||
const output = execSync(command, {stdio : "pipe" }).toString(); | ||
if (process.platform === "darwin") { | ||
return true; | ||
// Ceritificate exists. Now check and see if it's expired and remove it if is. | ||
asachin96 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
try { | ||
const command = `security find-certificate -c '${defaults.certificateName}' -p | openssl x509 -checkend 86400 -noout`; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. can you move this try/catch into a function isCaCertificateExpired() which returns a boolean, and then have the code here be: // on Mac, remove certificate if expired There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. My biggest concern with this is that the isCaCertificateInstalled() function is adding a side-effect which removes a cert. That really shouldn't be done inside this function as a side-effect. Is there a way to move this out of this function and call it for mac from another place? |
||
execSync(command, {stdio : "pipe" }).toString(); | ||
return true; | ||
} | ||
catch { | ||
uninstallExpiredCaCertificate() | ||
return false; | ||
} | ||
|
||
} else if (output.length !== 0) { | ||
return true; // powershell command return empty string if the certificate not-found/expired | ||
} | ||
} catch (error) { | ||
// Mac security command throws error if the certifcate is not-found/expired | ||
// Mac security command throws error if the certifcate is not found | ||
TCourtneyOwen marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
return false; | ||
} | ||
|
||
function validateCertificateAndKey(certificatePath: string, keyPath: string) { | ||
let certificate: string = ""; | ||
let key: string = ""; | ||
|
||
try { | ||
certificate = fs.readFileSync(certificatePath).toString(); | ||
} catch (err) { | ||
throw new Error(`Unable to read the certificate.\n${err}`); | ||
} | ||
|
||
try { | ||
key = fs.readFileSync(keyPath).toString(); | ||
} catch (err) { | ||
throw new Error(`Unable to read the certificate key.\n${err}`); | ||
} | ||
|
||
let encrypted; | ||
|
||
try { | ||
encrypted = crypto.publicEncrypt(certificate, Buffer.from("test")); | ||
} catch (err) { | ||
throw new Error(`The certificate is not valid.\n${err}`); | ||
} | ||
|
||
try { | ||
crypto.privateDecrypt(key, encrypted); | ||
} catch (err) { | ||
throw new Error(`The certificate key is not valid.\n${err}`); | ||
} | ||
} | ||
|
||
export function verifyCertificates(certificatePath: string = defaults.localhostCertificatePath, keyPath: string = defaults.localhostKeyPath): boolean { | ||
let isCertificateValid: boolean = true; | ||
try { | ||
|
@@ -75,4 +86,4 @@ export function verifyCertificates(certificatePath: string = defaults.localhostC | |
isCertificateValid = false; | ||
} | ||
return isCertificateValid && isCaCertificateInstalled(); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
don't export this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
actually I don't think you need this function at all. The uninstall command is the same and the message doesn't need to say whether it is expired. can't you just use the regular uninstallCaCertificate() function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't use the regular uninstallCaCertificate because it calls isCaCertificateInstalled, which will then get us in an endless loop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's why I initially had uninstallCaCertificate take a Boolean expiredCert param so we could bypass the call to isCaCertificateInstalled for the removing of an expired cert
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it help to add an optional param "expiredOnly = false" to uninstallCaCertificate() which could be called with expiredOnly as true for Mac?