Commitfa2272a

authored

Remove node forge dependency (#648)

Replaced `node-forge` with `@peculiar/x509` (more modern, lightweight, and widely adopted). Node.js's built-in `crypto` module was attempted first, but `keyUsage` returns `undefined`.**Testing in Electron**All vitest tests now run in Electron to mirror VS Code's environment. This adds a few seconds overhead vs Node.js. `electron` was added as dev dependency for BoringSSL compatibility (Node.js uses OpenSSL).

1 parentebbbb9a commitfa2272aCopy full SHA for fa2272a

File tree

6 files changed

+535

-89

lines changed

6 files changed

+535

-89

lines changed

`‎.vscode/settings.json‎`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,9 @@`
`10`	`10`	`},`
`11`	`11`	`"[jsonc]": {`
`12`	`12`	`"editor.defaultFormatter":"esbenp.prettier-vscode"`
`13`		`-}`
	`13`	`+},`
	`14`	`+"vitest.nodeEnv": {`
	`15`	`+"ELECTRON_RUN_AS_NODE":"1"`
	`16`	`+},`
	`17`	`+"vitest.nodeExecutable":"node_modules/.bin/electron"`
`14`	`18`	`}`

`‎package.json‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@`
`25`	`25`	`"package":"webpack --mode production --devtool hidden-source-map",`
`26`	`26`	`"package:prerelease":"npx vsce package --pre-release",`
`27`	`27`	`"pretest":"tsc -p . --outDir out && tsc -p test --outDir out && yarn run build && yarn run lint",`
`28`		`-"test":"vitest",`
	`28`	`+"test":"ELECTRON_RUN_AS_NODE=1 electron node_modules/vitest/vitest.mjs",`
`29`	`29`	`"test:ci":"CI=true yarn test",`
`30`	`30`	`"test:integration":"vscode-test",`
`31`	`31`	`"vscode:prepublish":"yarn package",`
`@@ -343,12 +343,12 @@`
`343`	`343`	`"word-wrap":"1.2.5"`
`344`	`344`	`},`
`345`	`345`	`"dependencies": {`
	`346`	`+"@peculiar/x509":"^1.14.0",`
`346`	`347`	`"axios":"1.12.2",`
`347`	`348`	`"date-fns":"^3.6.0",`
`348`	`349`	`"eventsource":"^3.0.6",`
`349`	`350`	`"find-process":"https://github.com/coder/find-process#fix/sequoia-compat",`
`350`	`351`	`"jsonc-parser":"^3.3.1",`
`351`		`-"node-forge":"^1.3.1",`
`352`	`352`	`"openpgp":"^6.2.2",`
`353`	`353`	`"pretty-bytes":"^7.1.0",`
`354`	`354`	`"proxy-agent":"^6.5.0",`
`@@ -361,7 +361,6 @@`
`361`	`361`	`"@types/eventsource":"^3.0.0",`
`362`	`362`	`"@types/glob":"^7.1.3",`
`363`	`363`	`"@types/node":"^22.14.1",`
`364`		`-"@types/node-forge":"^1.3.14",`
`365`	`364`	`"@types/semver":"^7.7.1",`
`366`	`365`	`"@types/ua-parser-js":"0.7.36",`
`367`	`366`	`"@types/vscode":"^1.73.0",`
`@@ -375,6 +374,7 @@`
`375`	`374`	`"bufferutil":"^4.0.9",`
`376`	`375`	`"coder":"https://github.com/coder/coder#main",`
`377`	`376`	`"dayjs":"^1.11.13",`
	`377`	`+"electron":"^39.1.2",`
`378`	`378`	`"eslint":"^8.57.1",`
`379`	`379`	`"eslint-config-prettier":"^10.1.8",`
`380`	`380`	`"eslint-import-resolver-typescript":"^4.4.4",`

`‎src/error.ts‎`

Lines changed: 23 additions & 25 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,11 @@`
	`1`	`+import{`
	`2`	`+X509Certificate,`
	`3`	`+KeyUsagesExtension,`
	`4`	`+KeyUsageFlags,`
	`5`	`+}from"@peculiar/x509";`
`1`	`6`	`import{isAxiosError}from"axios";`
`2`	`7`	`import{isApiError,isApiErrorResponse}from"coder/site/src/api/errors";`
`3`		`-import*asforgefrom"node-forge";`
`4`		`-import*astlsfrom"tls";`
	`8`	`+import*astlsfrom"node:tls";`
`5`	`9`	`import*asvscodefrom"vscode";`
`6`	`10`
`7`	`11`	`import{typeLogger}from"./logging/logger";`
`@@ -23,10 +27,6 @@ export enum X509_ERR {`
`23`	`27`	`UNTRUSTED_CHAIN="Your Coder deployment's certificate chain does not appear to be trusted by this system. The root of the certificate chain must be added to this system's trust store. ",`
`24`	`28`	`}`
`25`	`29`
`26`		`-interfaceKeyUsage{`
`27`		`-keyCertSign:boolean;`
`28`		`-}`
`29`		`-`
`30`	`30`	`exportclassCertificateErrorextendsError{`
`31`	`31`	`publicstaticActionAllowInsecure="Allow Insecure";`
`32`	`32`	`publicstaticActionOK="OK";`
`@@ -80,7 +80,7 @@ export class CertificateError extends Error {`
`80`	`80`	`consturl=newURL(address);`
`81`	`81`	`constsocket=tls.connect(`
`82`	`82`	`{`
`83`		`-port:parseInt(url.port,10)\|\|443,`
	`83`	`+port:Number.parseInt(url.port,10)\|\|443,`
`84`	`84`	`host:url.hostname,`
`85`	`85`	`rejectUnauthorized:false,`
`86`	`86`	`},`
`@@ -91,29 +91,27 @@ export class CertificateError extends Error {`
`91`	`91`	`thrownewError("no peer certificate");`
`92`	`92`	`}`
`93`	`93`
`94`		`-// We use node-forge for two reasons:`
`95`		`-// 1. Node/Electron only provide extended key usage.`
`96`		`-// 2. Electron's checkIssued() will fail because it suffers from same`
`97`		`-// the key usage bug that we are trying to work around here in the`
`98`		`-// first place.`
`99`		`-constcert=forge.pki.certificateFromPem(x509.toString());`
`100`		`-if(!cert.issued(cert)){`
	`94`	+// We use "@peculiar/x509" because Node's x509 returns an undefined `keyUsage`.
	`95`	`+constcert=newX509Certificate(x509.toString());`
	`96`	`+constisSelfIssued=cert.subject===cert.issuer;`
	`97`	`+if(!isSelfIssued){`
`101`	`98`	`returnresolve(X509_ERR.PARTIAL_CHAIN);`
`102`	`99`	`}`
`103`	`100`
`104`	`101`	`// The key usage needs to exist but not have cert signing to fail.`
`105`		`-constkeyUsage=cert.getExtension({name:"keyUsage"})as`
`106`		`-\|KeyUsage`
`107`		`-\|undefined;`
`108`		`-if(keyUsage&&!keyUsage.keyCertSign){`
`109`		`-returnresolve(X509_ERR.NON_SIGNING);`
`110`		`-}else{`
`111`		`-// This branch is currently untested; it does not appear possible to`
`112`		`-// get the error "unable to verify" with a self-signed certificate`
`113`		`-// unless the key usage was the issue since it would have errored`
`114`		`-// with "self-signed certificate" instead.`
`115`		`-returnresolve(X509_ERR.UNTRUSTED_LEAF);`
	`102`	`+constextension=cert.getExtension(KeyUsagesExtension);`
	`103`	`+if(extension){`
	`104`	`+consthasKeyCertSign=`
	`105`	`+extension.usages&KeyUsageFlags.keyCertSign;`
	`106`	`+if(!hasKeyCertSign){`
	`107`	`+returnresolve(X509_ERR.NON_SIGNING);`
	`108`	`+}`
`116`	`109`	`}`
	`110`	`+// This branch is currently untested; it does not appear possible to`
	`111`	`+// get the error "unable to verify" with a self-signed certificate`
	`112`	`+// unless the key usage was the issue since it would have errored`
	`113`	`+// with "self-signed certificate" instead.`
	`114`	`+returnresolve(X509_ERR.UNTRUSTED_LEAF);`
`117`	`115`	`},`
`118`	`116`	`);`
`119`	`117`	`socket.on("error",reject);`

`‎src/remote/remote.ts‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -344,6 +344,7 @@ export class Remote {`
`344`	`344`	`}catch(error){`
`345`	`345`	`subscription.dispose();`
`346`	`346`	`reject(error);`
	`347`	`+return;`
`347`	`348`	`}finally{`
`348`	`349`	`inProgress=false;`
`349`	`350`	`}`

`‎test/unit/error.test.ts‎`

Lines changed: 41 additions & 32 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,11 @@`
	`1`	`+import{`
	`2`	`+KeyUsagesExtension,`
	`3`	`+X509CertificateasX509CertificatePeculiar,`
	`4`	`+}from"@peculiar/x509";`
`1`	`5`	`importaxiosfrom"axios";`
`2`		`-import*asfsfrom"fs/promises";`
`3`		`-importhttpsfrom"https";`
	`6`	`+import{X509CertificateasX509CertificateNode}from"node:crypto";`
	`7`	`+import*asfsfrom"node:fs/promises";`
	`8`	`+importhttpsfrom"node:https";`
`4`	`9`	`import{afterAll,beforeAll,describe,expect,it,vi}from"vitest";`
`5`	`10`
`6`	`11`	`import{CertificateError,X509_ERR,X509_ERR_CODE}from"@/error";`
`@@ -12,14 +17,11 @@ describe("Certificate errors", () => {`
`12`	`17`	`// Before each test we make a request to sanity check that we really get the`
`13`	`18`	`// error we are expecting, then we run it through CertificateError.`
`14`	`19`
`15`		`-// TODO: These sanity checks need to be ran in an Electron environment to`
`16`		`-// reflect real usage in VS Code. We should either revert back to the standard`
`17`		`-// extension testing framework which I believe runs in a headless VS Code`
`18`		`-// instead of using vitest or at least run the tests through Electron running as`
`19`		`-// Node (for now I do this manually by shimming Node).`
`20`		`-constisElectron=`
`21`		`-(process.versions.electron\|\|process.env.ELECTRON_RUN_AS_NODE)&&`
`22`		`-!process.env.VSCODE_PID;// Running from the test explorer in VS Code`
	`20`	`+// These tests run in Electron (BoringSSL) for accurate certificate validation testing.`
	`21`	`+`
	`22`	`+it("should run in Electron environment",()=>{`
	`23`	`+expect(process.versions.electron).toBeTruthy();`
	`24`	`+});`
`23`	`25`
`24`	`26`	`beforeAll(()=>{`
`25`	`27`	`vi.mock("vscode",()=>{`
`@@ -114,8 +116,7 @@ describe("Certificate errors", () => {`
`114`	`116`	`});`
`115`	`117`
`116`	`118`	`// In Electron a self-issued certificate without the signing capability fails`
`117`		`-// (again with the same "unable to verify" error) but in Node self-issued`
`118`		`-// certificates are not required to have the signing capability.`
	`119`	`+// (again with the same "unable to verify" error)`
`119`	`120`	`it("detects self-signed certificates without signing capability",async()=>{`
`120`	`121`	`constaddress=awaitstartServer("no-signing");`
`121`	`122`	`constrequest=axios.get(address,{`
`@@ -124,26 +125,16 @@ describe("Certificate errors", () => {`
`124`	`125`	`servername:"localhost",`
`125`	`126`	`}),`
`126`	`127`	`});`
`127`		`-if(isElectron){`
`128`		`-awaitexpect(request).rejects.toHaveProperty(`
`129`		`-"code",`
`130`		`-X509_ERR_CODE.UNABLE_TO_VERIFY_LEAF_SIGNATURE,`
`131`		`-);`
`132`		`-try{`
`133`		`-awaitrequest;`
`134`		`-}catch(error){`
`135`		`-constwrapped=awaitCertificateError.maybeWrap(`
`136`		`-error,`
`137`		`-address,`
`138`		`-logger,`
`139`		`-);`
`140`		`-expect(wrappedinstanceofCertificateError).toBeTruthy();`
`141`		`-expect((wrappedasCertificateError).x509Err).toBe(`
`142`		`-X509_ERR.NON_SIGNING,`
`143`		`-);`
`144`		`-}`
`145`		`-}else{`
`146`		`-awaitexpect(request).resolves.toHaveProperty("data","foobar");`
	`128`	`+awaitexpect(request).rejects.toHaveProperty(`
	`129`	`+"code",`
	`130`	`+X509_ERR_CODE.UNABLE_TO_VERIFY_LEAF_SIGNATURE,`
	`131`	`+);`
	`132`	`+try{`
	`133`	`+awaitrequest;`
	`134`	`+}catch(error){`
	`135`	`+constwrapped=awaitCertificateError.maybeWrap(error,address,logger);`
	`136`	`+expect(wrappedinstanceofCertificateError).toBeTruthy();`
	`137`	`+expect((wrappedasCertificateError).x509Err).toBe(X509_ERR.NON_SIGNING);`
`147`	`138`	`}`
`148`	`139`	`});`
`149`	`140`
`@@ -157,6 +148,24 @@ describe("Certificate errors", () => {`
`157`	`148`	`awaitexpect(request).resolves.toHaveProperty("data","foobar");`
`158`	`149`	`});`
`159`	`150`
	`151`	`+// Node's X509Certificate.keyUsage is unreliable, so use a third-party parser`
	`152`	`+it("parses no-signing cert keyUsage with third-party library",async()=>{`
	`153`	`+constcertPem=awaitfs.readFile(`
	`154`	`+getFixturePath("tls","no-signing.crt"),`
	`155`	`+"utf-8",`
	`156`	`+);`
	`157`	`+`
	`158`	+// Node's implementation seems to always return `undefined`
	`159`	`+constnodeCert=newX509CertificateNode(certPem);`
	`160`	`+expect(nodeCert.keyUsage).toBeUndefined();`
	`161`	`+`
	`162`	`+// Here we can correctly get the KeyUsages`
	`163`	`+constpeculiarCert=newX509CertificatePeculiar(certPem);`
	`164`	`+constextension=peculiarCert.getExtension(KeyUsagesExtension);`
	`165`	`+expect(extension).toBeDefined();`
	`166`	`+expect(extension?.usages).toBeTruthy();`
	`167`	`+});`
	`168`	`+`
`160`	`169`	`// Both environments give the same error code when a self-issued certificate is`
`161`	`170`	`// untrusted.`
`162`	`171`	`it("detects self-signed certificates",async()=>{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfa2272a

File tree

6 files changed

6 files changed

`‎.vscode/settings.json‎`

`‎package.json‎`

`‎src/error.ts‎`

`‎src/remote/remote.ts‎`

`‎test/unit/error.test.ts‎`

0 commit comments