remove Chilkat dependency and fix test issie

Author: baoduy

AKS.WP.code-workspace

@@ -1,13 +1,19 @@
 import * as tls from '@pulumi/tls';
+import fs from 'fs';
+import * as pem from './p12';
 import { KeyVaultInfo } from '../types';
 import { addCustomSecret } from '../KeyVault/CustomHelper';
+import forge from 'node-forge';
 
 export const defaultAllowedUses = [
+  'data_encipherment',
+  'digital_signature',
   'cert_signing',
   'client_auth',
   'key_agreement',
   'key_encipherment',
   'server_auth',
+  'timestamping',
 ];
 
 export const defaultCodeSignUses = [
@@ -45,7 +51,7 @@ export const createSelfSignCert = ({
 
   const privateKey = new tls.PrivateKey(`${dnsName}-privateKey`, {
     algorithm: 'RSA',
-    rsaBits: 4096,
+    rsaBits: 2048,
   });
 
   const cert = new tls.SelfSignedCert(`${dnsName}-selfSignedCert`, {
@@ -78,13 +84,41 @@ export const createSelfSignCert = ({
     addCustomSecret({
       name: vaultPrivateKeyName,
       vaultInfo,
-      value: cert.privateKeyPem,
+      value: privateKey.privateKeyPem,
       contentType: `${dnsName} self sign private key.`,
     });
   }
 
   return {
     cert: cert.certPem,
-    privateKey: cert.privateKeyPem,
+    privateKey: privateKey.privateKeyPem,
   };
 };
+
+export const convertPfxFileToPem = async ({
+  certPath,
+  password,
+}: {
+  certPath: string;
+  password?: string;
+}) => {
+  const p12File = await fs.promises.readFile(certPath, { encoding: 'binary' });
+  const cert = pem.convertToPem(p12File, password);
+
+  console.log('Loaded P12 file', certPath);
+  return { cert: cert.pemCertificate, privateKey: cert.pemKey };
+};
+
+export const convertPfxToPem = ({
+  base64Cert,
+  password,
+}: {
+  base64Cert: string;
+  password?: string;
+}) => {
+  const byteArray = Buffer.from(base64Cert, 'base64');
+  const cert = pem.convertToPem(byteArray.toString('binary'), password);
+
+  console.log('Loaded P12 base64');
+  return { cert: cert.pemCertificate, privateKey: cert.pemKey };
+};

Certificate/index.ts

@@ -0,0 +1,46 @@
+import * as forge from 'node-forge';
+import { util } from 'node-forge';
+
+export function convertToPem(
+  p12base64: string | util.ByteBuffer,
+  password: string | undefined
+) {
+  const p12Asn1 = forge.asn1.fromDer(p12base64);
+  const p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, password);
+
+  const pemKey = getKeyFromP12(p12, password);
+  const cert = getCertificateFromP12(p12);
+
+  return { pemKey, pemCertificate: cert.pemCertificate };
+}
+
+function getKeyFromP12(p12: any, password: string | undefined) {
+  const keyData = p12.getBags(
+    { bagType: forge.pki.oids.pkcs8ShroudedKeyBag },
+    password
+  );
+
+  let pkcs8Key = keyData[forge.pki.oids.pkcs8ShroudedKeyBag]![0];
+  if (typeof pkcs8Key === 'undefined') {
+    pkcs8Key = keyData[forge.pki.oids.keyBag]![0];
+  }
+
+  if (typeof pkcs8Key === 'undefined') {
+    throw new Error('Unable to get private key.');
+  }
+
+  let pemKey = forge.pki.privateKeyToPem(pkcs8Key.key!);
+  pemKey = pemKey.replace(/\r\n/g, '');
+
+  return pemKey;
+}
+
+function getCertificateFromP12(p12: forge.pkcs12.Pkcs12Pfx) {
+  const certData = p12.getBags({ bagType: forge.pki.oids.certBag });
+  const certificate = certData[forge.pki.oids.certBag]![0];
+
+  let pemCertificate = forge.pki.certificateToPem(certificate.cert!);
+  pemCertificate = pemCertificate.replace(/\r\n/g, '');
+  //const commonName = certificate.cert.subject.attributes[0].value;
+  return { pemCertificate };
+}

Certificate/p12.ts

@@ -1,114 +1,5 @@
-import * as forge from 'node-forge';
-import * as os from 'os';
 import { replaceAll } from '../Common/Helpers';
 
-const getChilkatTool = () => {
-  const v = process.version.split('.')[0].replace('v', '');
-  const node = v ? `node${v}` : 'node14';
-  const platform = os.platform();
-  const arch = os.arch();
-
-  let name = '';
-
-  if (platform == 'win32') {
-    if (arch == 'ia32') name = 'win-ia32';
-    else name = 'win64';
-  } else if (platform == 'linux') {
-    if (arch == 'arm') name = 'arm';
-    else if (arch == 'x86') name = 'linux32';
-    else name = 'linux64';
-  } else if (platform == 'darwin') {
-    if (arch == 'arm64') name = 'mac-m1';
-    else name = 'macosx';
-  }
-
-  return require(`@chilkat/ck-${node}-${name}`);
-};
-
-interface Props {
-  pfxBase64: string;
-  password: string | undefined;
-  includeAll?: boolean;
-}
-
-export function convertPfxToPem({ pfxBase64, password, includeAll }: Props) {
-  const pfx = getChilkatTool().Pfx();
-
-  const success = pfx.LoadPfxEncoded(pfxBase64, 'Base64', password || '');
-  if (success !== true) {
-    console.log(pfx.LastErrorText);
-    return undefined;
-  }
-
-  const keyCount: number = pfx.NumPrivateKeys;
-  const certCount: number = pfx.NumCerts;
-
-  const keys = new Array<string>();
-  const clientCerts = new Array<string>();
-  const serverCerts = new Array<string>();
-  const caCerts = new Array<string>();
-
-  const originalKeys = new Array<any>();
-  const originalClientCerts = new Array<any>();
-  const originalServerCerts = new Array<any>();
-  const originalCaCerts = new Array<any>();
-
-  //Keys
-  for (let i = 0; i < keyCount; i++) {
-    keys.push(pfx.GetPrivateKey(i).GetPkcs8Pem());
-  }
-
-  for (let i = 0; i < certCount; i++) {
-    const c = pfx.GetCert(i);
-
-    if (includeAll) {
-      clientCerts.push(c.ExportCertPem());
-      originalClientCerts.push(c);
-      continue;
-    }
-
-    if (
-      c.ForClientAuthentication &&
-      !(c.SubjectCN.includes('CA') || c.SubjectCN.includes('Validation'))
-    ) {
-      clientCerts.push(c.ExportCertPem());
-      originalClientCerts.push(c);
-    }
-    if (c.ForServerAuthentication) {
-      //console.log(c);
-      serverCerts.push(c.ExportCertPem());
-      originalServerCerts.push(c);
-    }
-
-    if (
-      (!c.ForClientAuthentication && !c.ForServerAuthentication) ||
-      c.SubjectCN.includes('CA') ||
-      c.SubjectCN.includes('Validation')
-    ) {
-      caCerts.push(c.ExportCertPem());
-      originalCaCerts.push(c);
-    }
-  }
-
-  return {
-    key: keys.join(''),
-    cert: clientCerts.join(''),
-    ca: caCerts.join(''),
-    server: serverCerts.join(''),
-    clientCerts,
-    serverCerts,
-    keys,
-    caCerts,
-    originalCaCerts,
-    originalClientCerts,
-    originalKeys,
-    originalServerCerts,
-  };
-}
-
-export const DecodeBase64Cert = (pfxBase64: string) =>
-  forge.util.decode64(pfxBase64);
-
 export const getTlsName = (domain: string, enableCertIssuer: boolean) =>
   enableCertIssuer
     ? `tls-${replaceAll(domain, '.', '-')}-lets`

KubeX/CertHelper.ts

@@ -1,12 +1,11 @@
-import * as k8s from '@pulumi/kubernetes';
-import { Input } from '@pulumi/pulumi';
 import { getKubeDomainCert } from './Helpers';
-import { convertPfxToPem, getTlsName } from './CertHelper';
+import { getTlsName } from './CertHelper';
 import fs from 'fs';
 import { KeyVaultInfo } from '../types';
 import { getSecret } from '../KeyVault/Helper';
 import { K8sArgs } from './types';
 import ksCertSecret from './Core/KsCertSecret';
+import { convertPfxToPem } from '../Certificate';
 
 export interface FromCertOrderProps extends K8sArgs {
   namespaces: string[];
@@ -28,9 +27,7 @@ export const certImportFromCertOrder = async ({
     ksCertSecret({
       name: `${name}-${i}`,
       namespace: n,
-      cert: cert.cert,
-      ca: cert.ca,
-      privateKey: cert.key,
+      ...cert,
       ...others,
     })
   );
@@ -90,19 +87,16 @@ export const certImportFromVault = async ({
 
       const pems = cert?.value
         ? convertPfxToPem({
-            pfxBase64: cert.value,
+            base64Cert: cert.value,
             password: '',
-            includeAll: false,
           })
         : undefined;
 
       if (pems) {
         ksCertSecret({
           name: `${c}-${i}`,
           namespace,
-          cert: pems.cert,
-          ca: pems.ca,
-          privateKey: pems.key,
+          ...pems,
           ...others,
         });
       }

KubeX/CertImports.ts

@@ -1,15 +1,13 @@
 import { getCertificateForDomain } from '../Web/Helpers';
-import { convertPfxToPem } from '../KubeX/CertHelper';
+import { convertPfxToPem } from '../Certificate';
 
 export const getKubeDomainCert = async (domain: string) => {
   //Get cert from CertOrder.
   const cert = await getCertificateForDomain(domain);
   //Convert to K8s cert
   return cert
     ? convertPfxToPem({
-        pfxBase64: cert.base64CertData,
-        password: '',
-        includeAll: false,
+        base64Cert: cert.base64CertData,
       })
     : undefined;
 };