1 |
|
2 |
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 | import { ConnectionOptions, createSecureContext, PeerCertificate, SecureContext } from 'tls';
|
19 |
|
20 | import { CallCredentials } from './call-credentials';
|
21 | import { CIPHER_SUITES, getDefaultRootsData } from './tls-helpers';
|
22 |
|
23 |
|
24 | function verifyIsBufferOrNull(obj: any, friendlyName: string): void {
|
25 | if (obj && !(obj instanceof Buffer)) {
|
26 | throw new TypeError(`${friendlyName}, if provided, must be a Buffer.`);
|
27 | }
|
28 | }
|
29 |
|
30 |
|
31 |
|
32 |
|
33 |
|
34 |
|
35 |
|
36 | export type CheckServerIdentityCallback = (
|
37 | hostname: string,
|
38 | cert: PeerCertificate
|
39 | ) => Error | undefined;
|
40 |
|
41 | function bufferOrNullEqual(buf1: Buffer | null, buf2: Buffer | null) {
|
42 | if (buf1 === null && buf2 === null) {
|
43 | return true;
|
44 | } else {
|
45 | return buf1 !== null && buf2 !== null && buf1.equals(buf2);
|
46 | }
|
47 | }
|
48 |
|
49 |
|
50 |
|
51 |
|
52 |
|
53 | export interface VerifyOptions {
|
54 | |
55 |
|
56 |
|
57 |
|
58 | checkServerIdentity?: CheckServerIdentityCallback;
|
59 | }
|
60 |
|
61 |
|
62 |
|
63 |
|
64 |
|
65 |
|
66 | export abstract class ChannelCredentials {
|
67 | protected callCredentials: CallCredentials;
|
68 |
|
69 | protected constructor(callCredentials?: CallCredentials) {
|
70 | this.callCredentials = callCredentials || CallCredentials.createEmpty();
|
71 | }
|
72 | |
73 |
|
74 |
|
75 |
|
76 |
|
77 |
|
78 | abstract compose(callCredentials: CallCredentials): ChannelCredentials;
|
79 |
|
80 | |
81 |
|
82 |
|
83 | _getCallCredentials(): CallCredentials {
|
84 | return this.callCredentials;
|
85 | }
|
86 |
|
87 | |
88 |
|
89 |
|
90 |
|
91 |
|
92 | abstract _getConnectionOptions(): ConnectionOptions | null;
|
93 |
|
94 | |
95 |
|
96 |
|
97 | abstract _isSecure(): boolean;
|
98 |
|
99 | |
100 |
|
101 |
|
102 |
|
103 |
|
104 | abstract _equals(other: ChannelCredentials): boolean;
|
105 |
|
106 | |
107 |
|
108 |
|
109 |
|
110 |
|
111 |
|
112 |
|
113 |
|
114 |
|
115 | static createSsl(
|
116 | rootCerts?: Buffer | null,
|
117 | privateKey?: Buffer | null,
|
118 | certChain?: Buffer | null,
|
119 | verifyOptions?: VerifyOptions
|
120 | ): ChannelCredentials {
|
121 | verifyIsBufferOrNull(rootCerts, 'Root certificate');
|
122 | verifyIsBufferOrNull(privateKey, 'Private key');
|
123 | verifyIsBufferOrNull(certChain, 'Certificate chain');
|
124 | if (privateKey && !certChain) {
|
125 | throw new Error(
|
126 | 'Private key must be given with accompanying certificate chain'
|
127 | );
|
128 | }
|
129 | if (!privateKey && certChain) {
|
130 | throw new Error(
|
131 | 'Certificate chain must be given with accompanying private key'
|
132 | );
|
133 | }
|
134 | const secureContext = createSecureContext({
|
135 | ca: rootCerts ?? getDefaultRootsData() ?? undefined,
|
136 | key: privateKey ?? undefined,
|
137 | cert: certChain ?? undefined,
|
138 | ciphers: CIPHER_SUITES,
|
139 | });
|
140 | return new SecureChannelCredentialsImpl(
|
141 | secureContext,
|
142 | verifyOptions ?? {}
|
143 | );
|
144 | }
|
145 |
|
146 | |
147 |
|
148 |
|
149 |
|
150 |
|
151 |
|
152 |
|
153 |
|
154 |
|
155 |
|
156 | static createFromSecureContext(secureContext: SecureContext, verifyOptions?: VerifyOptions): ChannelCredentials {
|
157 | return new SecureChannelCredentialsImpl(
|
158 | secureContext,
|
159 | verifyOptions ?? {}
|
160 | )
|
161 | }
|
162 |
|
163 | |
164 |
|
165 |
|
166 | static createInsecure(): ChannelCredentials {
|
167 | return new InsecureChannelCredentialsImpl();
|
168 | }
|
169 | }
|
170 |
|
171 | class InsecureChannelCredentialsImpl extends ChannelCredentials {
|
172 | constructor(callCredentials?: CallCredentials) {
|
173 | super(callCredentials);
|
174 | }
|
175 |
|
176 | compose(callCredentials: CallCredentials): never {
|
177 | throw new Error('Cannot compose insecure credentials');
|
178 | }
|
179 |
|
180 | _getConnectionOptions(): ConnectionOptions | null {
|
181 | return null;
|
182 | }
|
183 | _isSecure(): boolean {
|
184 | return false;
|
185 | }
|
186 | _equals(other: ChannelCredentials): boolean {
|
187 | return other instanceof InsecureChannelCredentialsImpl;
|
188 | }
|
189 | }
|
190 |
|
191 | class SecureChannelCredentialsImpl extends ChannelCredentials {
|
192 | connectionOptions: ConnectionOptions;
|
193 |
|
194 | constructor(
|
195 | private secureContext: SecureContext,
|
196 | private verifyOptions: VerifyOptions
|
197 | ) {
|
198 | super();
|
199 | this.connectionOptions = {
|
200 | secureContext
|
201 | };
|
202 |
|
203 | if (verifyOptions?.checkServerIdentity) {
|
204 | this.connectionOptions.checkServerIdentity = verifyOptions.checkServerIdentity;
|
205 | }
|
206 | }
|
207 |
|
208 | compose(callCredentials: CallCredentials): ChannelCredentials {
|
209 | const combinedCallCredentials = this.callCredentials.compose(
|
210 | callCredentials
|
211 | );
|
212 | return new ComposedChannelCredentialsImpl(this, combinedCallCredentials);
|
213 | }
|
214 |
|
215 | _getConnectionOptions(): ConnectionOptions | null {
|
216 |
|
217 | return { ...this.connectionOptions };
|
218 | }
|
219 | _isSecure(): boolean {
|
220 | return true;
|
221 | }
|
222 | _equals(other: ChannelCredentials): boolean {
|
223 | if (this === other) {
|
224 | return true;
|
225 | }
|
226 | if (other instanceof SecureChannelCredentialsImpl) {
|
227 | return (
|
228 | this.secureContext === other.secureContext &&
|
229 | this.verifyOptions.checkServerIdentity === other.verifyOptions.checkServerIdentity
|
230 | );
|
231 | } else {
|
232 | return false;
|
233 | }
|
234 | }
|
235 | }
|
236 |
|
237 | class ComposedChannelCredentialsImpl extends ChannelCredentials {
|
238 | constructor(
|
239 | private channelCredentials: SecureChannelCredentialsImpl,
|
240 | callCreds: CallCredentials
|
241 | ) {
|
242 | super(callCreds);
|
243 | }
|
244 | compose(callCredentials: CallCredentials) {
|
245 | const combinedCallCredentials = this.callCredentials.compose(
|
246 | callCredentials
|
247 | );
|
248 | return new ComposedChannelCredentialsImpl(
|
249 | this.channelCredentials,
|
250 | combinedCallCredentials
|
251 | );
|
252 | }
|
253 |
|
254 | _getConnectionOptions(): ConnectionOptions | null {
|
255 | return this.channelCredentials._getConnectionOptions();
|
256 | }
|
257 | _isSecure(): boolean {
|
258 | return true;
|
259 | }
|
260 | _equals(other: ChannelCredentials): boolean {
|
261 | if (this === other) {
|
262 | return true;
|
263 | }
|
264 | if (other instanceof ComposedChannelCredentialsImpl) {
|
265 | return (
|
266 | this.channelCredentials._equals(other.channelCredentials) &&
|
267 | this.callCredentials._equals(other.callCredentials)
|
268 | );
|
269 | } else {
|
270 | return false;
|
271 | }
|
272 | }
|
273 | }
|