Extract certificate utils

Summary: Extract utilities for certificate server-side certificate handling

Reviewed By: lawrencelomax

Differential Revision: D33820263

fbshipit-source-id: 21f1a9ed5f3b83b8350151bdf6d8862aa0b18e8f

desktop/flipper-server-core/src/utils/certificateUtils.tsx

@@ -0,0 +1,256 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @format
+ */
+
+import {promisify} from 'util';
+import fs from 'fs-extra';
+import {
+  openssl,
+  isInstalled as opensslInstalled,
+} from './openssl-wrapper-with-promises';
+import path from 'path';
+import tmp, {FileOptions} from 'tmp';
+import {reportPlatformFailures} from 'flipper-common';
+import os from 'os';
+import {isTest} from 'flipper-common';
+
+const tmpFile = promisify(tmp.file) as (
+  options?: FileOptions,
+) => Promise<string>;
+
+const getFilePath = (fileName: string): string => {
+  return path.resolve(os.homedir(), '.flipper', 'certs', fileName);
+};
+
+// Desktop file paths
+export const caKey = getFilePath('ca.key');
+export const caCert = getFilePath('ca.crt');
+export const serverKey = getFilePath('server.key');
+export const serverCsr = getFilePath('server.csr');
+export const serverSrl = getFilePath('server.srl');
+export const serverCert = getFilePath('server.crt');
+
+// Device file paths
+export const csrFileName = 'app.csr';
+export const deviceCAcertFile = 'sonarCA.crt';
+export const deviceClientCertFile = 'device.crt';
+
+const caSubject = '/C=US/ST=CA/L=Menlo Park/O=Sonar/CN=SonarCA';
+const serverSubject = '/C=US/ST=CA/L=Menlo Park/O=Sonar/CN=localhost';
+const minCertExpiryWindowSeconds = 24 * 60 * 60;
+const allowedAppNameRegex = /^[\w.-]+$/;
+
+const logTag = 'certificateUtils';
+/*
+ * RFC2253 specifies the unamiguous x509 subject format.
+ * However, even when specifying this, different openssl implementations
+ * wrap it differently, e.g "subject=X" vs "subject= X".
+ */
+const x509SubjectCNRegex = /[=,]\s*CN=([^,]*)(,.*)?$/;
+
+export type SecureServerConfig = {
+  key: Buffer;
+  cert: Buffer;
+  ca: Buffer;
+  requestCert: boolean;
+  rejectUnauthorized: boolean;
+};
+
+export const ensureOpenSSLIsAvailable = async (): Promise<void> => {
+  if (!(await opensslInstalled())) {
+    throw new Error(
+      "It looks like you don't have OpenSSL installed. Please install it to continue.",
+    );
+  }
+};
+
+export const loadSecureServerConfig = async (): Promise<SecureServerConfig> => {
+  await ensureOpenSSLIsAvailable();
+  await certificateSetup();
+  return {
+    key: await fs.readFile(serverKey),
+    cert: await fs.readFile(serverCert),
+    ca: await fs.readFile(caCert),
+    requestCert: true,
+    rejectUnauthorized: true, // can be false if necessary as we don't strictly need to verify the client
+  };
+};
+
+export const extractAppNameFromCSR = async (csr: string): Promise<string> => {
+  const path = await writeToTempFile(csr);
+  const subject = await openssl('req', {
+    in: path,
+    noout: true,
+    subject: true,
+    nameopt: true,
+    RFC2253: false,
+  });
+  await fs.unlink(path);
+  const matches = subject.trim().match(x509SubjectCNRegex);
+  if (!matches || matches.length < 2) {
+    throw new Error(`Cannot extract CN from ${subject}`);
+  }
+  const appName = matches[1];
+  if (!appName.match(allowedAppNameRegex)) {
+    throw new Error(
+      `Disallowed app name in CSR: ${appName}. Only alphanumeric characters and '.' allowed.`,
+    );
+  }
+  return appName;
+};
+
+export const generateClientCertificate = async (
+  csr: string,
+): Promise<string> => {
+  console.debug('Creating new client cert', logTag);
+
+  return writeToTempFile(csr).then((path) => {
+    return openssl('x509', {
+      req: true,
+      in: path,
+      CA: caCert,
+      CAkey: caKey,
+      CAcreateserial: true,
+      CAserial: serverSrl,
+    });
+  });
+};
+
+export const getCACertificate = async (): Promise<string> => {
+  return fs.readFile(caCert, 'utf-8');
+};
+
+const certificateSetup = async () => {
+  if (isTest()) {
+    throw new Error('Server certificates not available in test');
+  } else {
+    await reportPlatformFailures(
+      ensureServerCertExists(),
+      'ensureServerCertExists',
+    );
+  }
+};
+
+const ensureServerCertExists = async (): Promise<void> => {
+  const allExist = await Promise.all([
+    fs.pathExists(serverKey),
+    fs.pathExists(serverCert),
+    fs.pathExists(caCert),
+  ]).then((exist) => exist.every(Boolean));
+  if (!allExist) {
+    return generateServerCertificate();
+  }
+
+  try {
+    await checkCertIsValid(serverCert);
+    await verifyServerCertWasIssuedByCA();
+  } catch (e) {
+    console.warn('Not all certs are valid, generating new ones', e);
+    await generateServerCertificate();
+  }
+};
+
+const generateServerCertificate = async (): Promise<void> => {
+  await ensureCertificateAuthorityExists();
+  console.warn('Creating new server cert', logTag);
+  await openssl('genrsa', {out: serverKey, '2048': false});
+  await openssl('req', {
+    new: true,
+    key: serverKey,
+    out: serverCsr,
+    subj: serverSubject,
+  });
+  await openssl('x509', {
+    req: true,
+    in: serverCsr,
+    CA: caCert,
+    CAkey: caKey,
+    CAcreateserial: true,
+    CAserial: serverSrl,
+    out: serverCert,
+  });
+};
+
+const ensureCertificateAuthorityExists = async (): Promise<void> => {
+  if (!(await fs.pathExists(caKey))) {
+    return generateCertificateAuthority();
+  }
+  return checkCertIsValid(caCert).catch(() => generateCertificateAuthority());
+};
+
+const generateCertificateAuthority = async (): Promise<void> => {
+  if (!(await fs.pathExists(getFilePath('')))) {
+    await fs.mkdir(getFilePath(''));
+  }
+  console.log('Generating new CA', logTag);
+  await openssl('genrsa', {out: caKey, '2048': false});
+  await openssl('req', {
+    new: true,
+    x509: true,
+    subj: caSubject,
+    key: caKey,
+    out: caCert,
+  });
+};
+
+const checkCertIsValid = async (filename: string): Promise<void> => {
+  if (!(await fs.pathExists(filename))) {
+    throw new Error(`${filename} does not exist`);
+  }
+  // openssl checkend is a nice feature but it only checks for certificates
+  // expiring in the future, not those that have already expired.
+  // So we need a separate check for certificates that have already expired
+  // but since this involves parsing date outputs from openssl, which is less
+  // reliable, keeping both checks for safety.
+  try {
+    await openssl('x509', {
+      checkend: minCertExpiryWindowSeconds,
+      in: filename,
+    });
+  } catch (e) {
+    console.warn(`Checking if certificate expire soon: ${filename}`, logTag, e);
+    const endDateOutput = await openssl('x509', {
+      enddate: true,
+      in: filename,
+      noout: true,
+    });
+    const dateString = endDateOutput.trim().split('=')[1].trim();
+    const expiryDate = Date.parse(dateString);
+    if (isNaN(expiryDate)) {
+      console.error(
+        'Unable to parse certificate expiry date: ' + endDateOutput,
+      );
+      throw new Error(
+        'Cannot parse certificate expiry date. Assuming it has expired.',
+      );
+    }
+    if (expiryDate <= Date.now() + minCertExpiryWindowSeconds * 1000) {
+      throw new Error('Certificate has expired or will expire soon.');
+    }
+  }
+};
+
+const verifyServerCertWasIssuedByCA = async () => {
+  const options: {
+    [key: string]: any;
+  } = {CAfile: caCert};
+  options[serverCert] = false;
+  const output = await openssl('verify', options);
+  const verified = output.match(/[^:]+: OK/);
+  if (!verified) {
+    // This should never happen, but if it does, we need to notice so we can
+    // generate a valid one, or no clients will trust our server.
+    throw new Error('Current server cert was not issued by current CA');
+  }
+};
+
+const writeToTempFile = async (content: string): Promise<string> => {
+  const path = await tmpFile();
+  await fs.writeFile(path, content);
+  return path;
+};