UNPKG

spartan-shield

Version:

nodejs project to package and configure common security middleware.

github.com/darkmsph1t/_spartan

darkmsph1t/_spartan

128 lines (121 loc) 4.59 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
'use strict' require('dotenv').config() const secJson = require('../security.json') // const validInput = require('./validation').validInput() const fs = require('fs') const https = require('https') const http = require('http') const cert = require('./secrets').fetchSecret('CERTIFICATE') const key = require('./secrets').fetchSecret('PRIV_KEY') // const ca = require('./secrets').fetchSecret('CERT_AUTH') const { constants } = require('crypto') // const ciphers => use default node ciphers for now. See node docs if you want to change this const port = require('./secrets').fetchSecret('PORT') || 8080 // this module is concerned with the establishment and maintenance of https connections to the server && provides redirect for any attempted connections to non-secure port(s) /* NOTE: this module assumes you have already created certificates required. Be sure to add their absolute paths to your .env file as CERTIFICATE and PEM respectively */ function cb (err, c, p) { if (c instanceof Error) return console.log(`${ err }: ${ c } `) else return console.log(`${ err }: ${ p } `) } const secureServer = function (app, callback) { if (cert instanceof Error || key instanceof Error) { const error = new Error(`Could not create a secure server`) cb(error, cert, key) } if (callback && typeof callback === 'function') { callback() } const options = { secureOptions: constants.SSL_OP_NO_TLSv1, key: fs.readFileSync(key), cert: fs.readFileSync(cert), // ca: fs.readFileSync(ca), // ciphers: ciphers => using default node ciphers honorCipherOrder: true } if (app) { return https.createServer(options, app).listen(port) } else { callback = function (request, response) { console.log(`I'm listening on port ${request.port}`) response.send('Hello') } return https.createServer(options, callback).listen(port) } } const redirectHttp = (app, callback) => { if (secJson.connectionPolicy.redirectSecure) { if (callback) { callback() } if (app) { return http.createServer(app, function (request, response) { response.writeHead(307, { Location: `https://${secJson.hostname}:${port}${request.url}` }) response.end() }).listen(3000) } else { return http.createServer(function (request, response) { response.writeHead(307, { Location: `https://${secJson.hostname}:${port}${request.url}` }) response.end() }).listen(3000) } } else { let err = new Error('Redirection not configured by security policy') return err } } // future release => /* const certPin(cert) { function sha256(s) { return crypto.createHash('sha256').update(s).digest('base64'); } const options = { hostname: 'github.com', port: 443, path: '/', method: 'GET', checkServerIdentity: function(host, cert) { // Make sure the certificate is issued to the host we are connected to const err = tls.checkServerIdentity(host, cert); if (err) { return err; } // Pin the public key, similar to HPKP pin-sha25 pinning const pubkey256 = 'pL1+qb9HTMRZJmuC/bB/ZI9d302BYrrqiVuRyW+DGrU='; if (sha256(cert.pubkey) !== pubkey256) { const msg = 'Certificate verification error: ' + `The public key of '${cert.subject.CN}' ` + 'does not match our pinned fingerprint'; return new Error(msg); } // Pin the exact certificate, rather then the pub key const cert256 = '25:FE:39:32:D9:63:8C:8A:FC:A1:9A:29:87:' + 'D8:3E:4C:1D:98:DB:71:E4:1A:48:03:98:EA:22:6A:BD:8B:93:16'; if (cert.fingerprint256 !== cert256) { const msg = 'Certificate verification error: ' + `The certificate of '${cert.subject.CN}' ` + 'does not match our pinned fingerprint'; return new Error(msg); } // This loop is informational only. // Print the certificate and public key fingerprints of all certs in the // chain. Its common to pin the public key of the issuer on the public // internet, while pinning the public key of the service in sensitive // environments. do { console.log('Subject Common Name:', cert.subject.CN); console.log(' Certificate SHA256 fingerprint:', cert.fingerprint256); hash = crypto.createHash('sha256'); console.log(' Public key ping-sha256:', sha256(cert.pubkey)); lastprint256 = cert.fingerprint256; cert = cert.issuerCertificate; } while (cert.fingerprint256 !== lastprint256); }, } } */ module.exports = { secureServer: secureServer, redirectHttp: redirectHttp }