Get rid of openssl dependency #79
Comments
|
For the record: Official documentation that mentions that the files need to be named according to the |
|
https://stackoverflow.com/a/30265791 has some helpful background info and a snippet of the code that generates the hash in openssl. |
|
I am afraid if I follow through with #44, I'll need openssl as a dependency as well. I don’t think we want to generate keys and certs ourselves… |
We're already depending on PKI.js for iOS. I'm reasonably confident that that should support everything you'll need (e.g. https://pkijs.org/examples/CertificateComplexExample/X509_cert_complex_example.html). The problem here is only that Android uses this esoteric |
|
I pasted https://stackoverflow.com/a/30265791 into Bing Chat and asked it to implement that for Node. After a little bit of back and forth, it produced this code, which produces the correct hash! import { createHash } from 'crypto';
import { readFile } from 'fs/promises';
import { Certificate } from 'pkijs';
// A helper function to convert a buffer to an unsigned long
function bufferToULong(buffer) {
return (buffer[0] | (buffer[1] << 8) | (buffer[2] << 16) | (buffer[3] << 24)) >>> 0;
}
function subjectHashOld(cert) {
// Get the subject name as a DER-encoded buffer
const subject = cert.subject.valueBeforeDecode;
// Create a hash object with MD5 algorithm
const hash = createHash('md5');
// Update the hash with the subject buffer
hash.update(Buffer.from(subject));
// Get the digest as a buffer
const digest = hash.digest();
// Truncate the digest to the first four bytes and convert to an unsigned long
const truncated = digest.slice(0, 4);
const ulong = bufferToULong(truncated);
// Return the unsigned long as a hexadecimal string
return ulong.toString(16);
}
(async () => {
const path = process.argv[2];
const certPem = await readFile(path, 'utf8');
const certBase64 = certPem.replace(/(-----(BEGIN|END) CERTIFICATE-----|[\r\n])/g, '');
const certDer = Buffer.from(certBase64, 'base64');
const c = Certificate.fromBER(certDer);
console.log(subjectHashOld(c));
})();It would have taken me significantly longer to get there myself! Transcript for reference: Conversation.pdf |
|
Ah, yes. You are right! |
|
Simplified and cleaned up version of that: async function subjectHashOld(path: string) {
const { cert } = await parsePemCertificateFromFile(path);
const hash = createHash('md5').update(Buffer.from(cert.subject.valueBeforeDecode)).digest();
const truncated = hash.subarray(0, 4);
const ulong = (truncated[0]! | (truncated[1]! << 8) | (truncated[2]! << 16) | (truncated[3]! << 24)) >>> 0;
return ulong.toString(16);
} |
With #78, our last host dependency for Android is openssl1. We only need that to calculate the
subject_hash_oldfor our CA:appstraction/src/android.ts
Line 173 in f0d5e40
On Linux and macOS, that dependency isn't much of an issue, it's preinstalled almost everywhere anyway. But on Windows, you have to download a random .exe from some weird site.
Footnotes
Apart from the udev rules, but those are only necessary for physical devices, and I really don't think we can do anything about that setup step since I'm pretty sure that requires root. ↩
The text was updated successfully, but these errors were encountered: