Allow CA fingerprints in different formats (#112)

src/connection/BaseConnection.ts

@@ -236,3 +236,12 @@ export function getIssuerCertificate (socket: TLSSocket): DetailedPeerCertificat
   }
   return certificate
 }
+
+export function isCaFingerprintMatch (cert1: string | null, cert2: string | null): boolean {
+  if (typeof cert1 === 'string' && typeof cert2 === 'string') {
+    const c1 = cert1.toLowerCase().replace(/:/g, '')
+    const c2 = cert2.toLowerCase().replace(/:/g, '')
+    return c1 === c2
+  }
+  return cert1 === cert2
+}

src/connection/HttpConnection.ts

@@ -32,7 +32,8 @@ import BaseConnection, {
   ConnectionRequestOptionsAsStream,
   ConnectionRequestResponse,
   ConnectionRequestResponseAsStream,
-  getIssuerCertificate
+  getIssuerCertificate,
+  isCaFingerprintMatch
 } from './BaseConnection'
 import { kCaFingerprint } from '../symbols'
 import { Readable as ReadableStream, pipeline } from 'stream'
@@ -256,7 +257,7 @@ export default class HttpConnection extends BaseConnection {
 
             // Check if fingerprint matches
             /* istanbul ignore else */
-            if (this[kCaFingerprint] !== issuerCertificate.fingerprint256) {
+            if (!isCaFingerprintMatch(this[kCaFingerprint], issuerCertificate.fingerprint256)) {
               onError(new Error('Server certificate CA fingerprint does not match the value configured in caFingerprint'))
               request.once('error', () => {}) // we need to catch the request aborted error
               return request.destroy()

src/connection/UndiciConnection.ts

@@ -30,7 +30,8 @@ import BaseConnection, {
   ConnectionRequestOptionsAsStream,
   ConnectionRequestResponse,
   ConnectionRequestResponseAsStream,
-  getIssuerCertificate
+  getIssuerCertificate,
+  isCaFingerprintMatch
 } from './BaseConnection'
 import { Pool, buildConnector, Dispatcher } from 'undici'
 import {
@@ -95,7 +96,7 @@ export default class Connection extends BaseConnection {
 
             // Check if fingerprint matches
             /* istanbul ignore else */
-            if (caFingerprint !== issuerCertificate.fingerprint256) {
+            if (!isCaFingerprintMatch(caFingerprint, issuerCertificate.fingerprint256)) {
               socket.destroy()
               return cb(new Error('Server certificate CA fingerprint does not match the value configured in caFingerprint'), null)
             }

test/unit/http-connection.test.ts

@@ -1133,6 +1133,29 @@ test('Check server fingerprint (success)', async t => {
   server.stop()
 })
 
+test('Check server fingerprint (different formats)', async t => {
+  t.plan(1)
+
+  function handler (req: http.IncomingMessage, res: http.ServerResponse) {
+    res.end('ok')
+  }
+
+  const [{ port, caFingerprint }, server] = await buildServer(handler, { secure: true })
+
+  let newCaFingerprint = caFingerprint.toLowerCase().replace(/:/g, '')
+
+  const connection = new HttpConnection({
+    url: new URL(`https://localhost:${port}`),
+    caFingerprint: newCaFingerprint,
+  })
+  const res = await connection.request({
+    path: '/hello',
+    method: 'GET'
+  }, options)
+  t.equal(res.body, 'ok')
+  server.stop()
+})
+
 test('Check server fingerprint (failure)', async t => {
   t.plan(2)
 

test/unit/undici-connection.test.ts

@@ -991,6 +991,29 @@ test('Check server fingerprint (success)', async t => {
   server.stop()
 })
 
+test('Check server fingerprint (different formats)', async t => {
+  t.plan(1)
+
+  function handler (_req: http.IncomingMessage, res: http.ServerResponse) {
+    res.end('ok')
+  }
+
+  const [{ port, caFingerprint }, server] = await buildServer(handler, { secure: true })
+
+  let newCaFingerprint = caFingerprint.toLowerCase().replace(/:/g, '')
+
+  const connection = new UndiciConnection({
+    url: new URL(`https://localhost:${port}`),
+    caFingerprint: newCaFingerprint
+  })
+  const res = await connection.request({
+    path: '/hello',
+    method: 'GET'
+  }, options)
+  t.equal(res.body, 'ok')
+  server.stop()
+})
+
 test('Check server fingerprint (failure)', async t => {
   t.plan(2)