jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add proper cert validator

Browse Source
This commit is contained in:
Johannes Zellner
2015-10-28 14:20:25 +01:00
parent 22dcc787b5
commit 04eb2a982f
2 changed files with 110 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/apps.js
+32 -5
View File
@@ -40,7 +40,8 @@ exports = module.exports = {
// exported for testing
_validateHostname: validateHostname,
_validatePortBindings: validatePortBindings,
_validateAccessRestriction: validateAccessRestriction
_validateAccessRestriction: validateAccessRestriction,
_validateCertificate: validateCertificate
};
var addons = require('./addons.js'),
@@ -65,7 +66,8 @@ var addons = require('./addons.js'),
superagent = require('superagent'),
taskmanager = require('./taskmanager.js'),
util = require('util'),
validator = require('validator');
validator = require('validator'),
x509 = require('x509');
var BACKUP_APP_CMD = path.join(__dirname, 'scripts/backupapp.sh'),
RESTORE_APP_CMD = path.join(__dirname, 'scripts/restoreapp.sh'),
@@ -203,10 +205,35 @@ function validateCertificate(cert, key, fqdn) {
assert.strictEqual(typeof fqdn, 'string');
if (cert === null && key === null) return null;
if (cert === null && !key) return new Error('missing key');
if (!cert && key === null) return new Error('missing cert');
if (!cert && key) return new Error('missing cert');
if (cert && !key) return new Error('missing key');
var content;
try {
content = x509.parseCert(cert);
} catch (e) {
return new Error('invalid cert');
}
// check expiration
if (content.notAfter < new Date()) return new Error('cert expired');
function matchesDomain(domain) {
if (domain === fqdn) return true;
if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;
return false;
}
// check domain
var domains = content.altNames.concat(content.subject.commonName);
if (!domains.some(matchesDomain)) return new Error('cert is not valid for this domain');
// http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
if (certModulus !== keyModulus) return new Error('key does not match the cert');
// TODO more actual cert validation
return null;
}