UNPKG

dmvic

Version:

A DMVIC NPM package to manage DMVIC certificate requests

github.com/coduori/dmvic

coduori/dmvic

116 lines (94 loc) 3.84 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
import { createPrivateKey, X509Certificate } from 'node:crypto'; import * as fs from 'node:fs'; import path from 'node:path'; const { existsSync, accessSync, constants } = fs; const getExpectedSubject = (environment) => { const subjectMappings = { sandbox: 'CN=uat-api.dmvic.com', production: 'CN=api.dmvic.com', }; const envKey = environment.toLowerCase(); const expectedSubject = subjectMappings[envKey]; if (!expectedSubject) { throw new Error( `No expected certificate subject defined for environment: "${environment}"` ); } return expectedSubject; }; export function validateCertConfig(config) { if (typeof config !== 'object' || config === null || Array.isArray(config)) { throw new Error('Invalid certificate configuration. Expected a plain object.'); } const allowedKeys = ['sslKey', 'sslCert']; const configKeys = Object.keys(config); const extraKeys = configKeys.filter((key) => !allowedKeys.includes(key)); if (extraKeys.length > 0) { throw new Error( `Configuration errors: Invalid certificate configuration. Unexpected key(s): ${extraKeys.join(', ')}` ); } const errors = []; const sslKey = typeof config.sslKey === 'string' ? config.sslKey.trim() : ''; const sslCert = typeof config.sslCert === 'string' ? config.sslCert.trim() : ''; if (!sslKey) { errors.push('sslKey is required'); } if (!sslCert) { errors.push('sslCert is required'); } if (sslKey && sslCert && sslKey === sslCert) { errors.push('SSL key and SSL cert paths cannot be identical'); } if (errors.length > 0) { throw new Error(`Configuration errors: ${errors.join('; ')}`); } return config; } const validateFilePaths = (resolvedCertConfig) => { const errors = []; for (const [key, certPath] of Object.entries(resolvedCertConfig)) { if (typeof certPath !== 'string') { errors.push(`Invalid path for "${key}". Path must be a string.`); continue; } const sanitizedPath = path.normalize(certPath); if (!['.pem', '.crt'].includes(path.extname(sanitizedPath))) { errors.push(`Invalid file format for "${key}". Only .pem or .crt files are allowed.`); } // eslint-disable-next-line security/detect-non-literal-fs-filename if (!existsSync(sanitizedPath)) { errors.push( `Certificate file not found at: ${sanitizedPath}. Please ensure the path is correct.` ); } try { accessSync(sanitizedPath, constants.R_OK); } catch { errors.push(`The certificate file at "${sanitizedPath}" is not readable.`); } } if (errors.length > 0) { throw new Error(`Multiple validation errors found:\n- ${errors.join('\n- ')}`); } }; const validateCertContents = (fileContents, environment) => { try { const cert = new X509Certificate(fileContents.sslCert); if (environment) { const expectedSubject = getExpectedSubject(environment); if (cert.subject !== expectedSubject) { throw new Error( `Certificate subject "${cert.subject}" does not match the expected subject for environment "${environment}": "${expectedSubject}".` ); } } const privateKeyObject = createPrivateKey(fileContents.sslKey); if (!cert.checkPrivateKey(privateKeyObject)) { throw new Error("Private key does not match the certificate's public key."); } } catch (error) { throw new Error(`Invalid certificate or key content: ${error.message}`); } }; export { validateCertContents, validateFilePaths };