fix: deprecate ssl-root-cas and switch to use tls.rootCertificates to… (

#686)
alexa · Mar 16, 2021 · 8217a3f · 8217a3f
1 parent 6eaedc5
commit 8217a3f
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 8 deletions.
diff --git a/ask-sdk-express-adapter/lib/adapter/ExpressAdapter.ts b/ask-sdk-express-adapter/lib/adapter/ExpressAdapter.ts
@@ -55,7 +55,7 @@ export class ExpressAdapter {
     /**
      * Get pre-defined request handlers
      *
-     * This function return an arry of pre-defined request handlers
+     * This function return an array of pre-defined request handlers
      * which are supposed to be registered on users' express application, including:
      * 1: text parser 2: async function to get response envelope after verification, then send result back
      * Example usage: app.post('/', new ExpressAdapter(skill).getASKRequestHandler());

diff --git a/ask-sdk-express-adapter/lib/verifier/index.ts b/ask-sdk-express-adapter/lib/verifier/index.ts
@@ -12,19 +12,22 @@
  */
 
 import { createAskSdkError, getRequestType } from 'ask-sdk-core';
-import { RequestEnvelope, events } from 'ask-sdk-model';
+import { RequestEnvelope } from 'ask-sdk-model';
 import crypto = require ('crypto');
 import { IncomingHttpHeaders } from 'http';
 import * as client from 'https';
 import { pki } from 'node-forge';
 import * as url from 'url';
+import { gte } from 'semver';
 
 import { generateCAStore, generateCertificatesArray } from './helper';
 
 /**
  * Provide constant value
  * For more info, check `link <https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#checking-the-signature-of-the-request>
  */
+
+export const REQUIRED_NODE_VERSION = "12.3.0";
 const VALID_SIGNING_CERT_CHAIN_PROTOCOL: string = 'https:';
 const VALID_SIGNING_CERT_CHAIN_URL_HOST_NAME: string = 's3.amazonaws.com';
 const VALID_SIGNING_CERT_CHAIN_URL_PATH_PREFIX: string = '/echo.api/';
@@ -281,11 +284,20 @@ export class SkillRequestSignatureVerifier implements Verifier {
                 `${CERT_CHAIN_DOMAIN} domain missing in Signature Certificate Chain.`,
             );
         }
+
+        // check whether the node version is greater or equal to 12.3.0
+        if (!gte(process.version, REQUIRED_NODE_VERSION)) {
+            throw createAskSdkError(
+                this.constructor.name,
+                `ask-sdk-express-adapter package require node version ${REQUIRED_NODE_VERSION} or later, your current node version is ${process.version}. Please update your node version.`,
+            );
+        }
+
+        const caStore: pki.CAStore = generateCAStore(require('tls').rootCertificates);
+        const certChain: pki.Certificate[] = generateCertificatesArray(pemCert);
         // Use the pki.verifyCertificateChain function from Node-forge to
         // validate that all certificates in the chain combine to create a chain of trust to a trusted root CA certificate
         // TODO: Implement certificate revocation check which is missed in pki.verifyCertificateChain function
-        const certChain: pki.Certificate[] = generateCertificatesArray(pemCert);
-        const caStore: pki.CAStore = generateCAStore(require('ssl-root-cas/latest').create());
         try {
             pki.verifyCertificateChain(caStore, certChain);
         } catch (e) {

diff --git a/ask-sdk-express-adapter/package.json b/ask-sdk-express-adapter/package.json
@@ -30,7 +30,7 @@
   "dependencies": {
     "body-parser": "^1.18.2",
     "node-forge": "^0.10.0",
-    "ssl-root-cas": "^1.3.1"
+    "semver": "^7.3.4"
   },
   "peerDependencies": {
     "ask-sdk-core": "^2.7.0"
@@ -41,6 +41,7 @@
     "@types/mocha": "^5.0.0",
     "@types/node": "^9.6.1",
     "@types/node-forge": "^0.8.0",
+    "@types/semver": "^7.3.4",
     "@types/sinon": "^7.0.13",
     "@types/supertest": "^2.0.7",
     "@typescript-eslint/eslint-plugin": "^3.9.0",
@@ -52,7 +53,7 @@
     "eslint": "^7.6.0",
     "eslint-plugin-tsdoc": "^0.2.6",
     "express": "^4.16.4",
-    "mocha": "^5.0.5",
+    "mocha": "^8.3.2",
     "nock": "^9.2.3",
     "nyc": "^14.1.1",
     "sinon": "^7.0.13",

diff --git a/ask-sdk-express-adapter/tst/verifier/index.spec.ts b/ask-sdk-express-adapter/tst/verifier/index.spec.ts
@@ -6,9 +6,10 @@ import * as nock from 'nock';
 import { pki } from 'node-forge';
 import * as sinon from 'sinon';
 import * as url from 'url';
-import { SkillRequestSignatureVerifier, TimestampVerifier, Verifier } from '../../lib/verifier';
+import { SkillRequestSignatureVerifier, TimestampVerifier, Verifier, REQUIRED_NODE_VERSION } from '../../lib/verifier';
 import * as helper from '../../lib/verifier/helper';
 import { createInvalidCert, DataProvider } from '../mocks/DataProvider';
+import { gte } from "semver";
 
 describe('TimestampVerifier', () => {
     describe('Constructor', () => {
@@ -118,6 +119,13 @@ describe('SkillRequestSignatureVerifier', () => {
         + '/qR3WYIMMfKuk1iEQOQY7jAFCS8zOjCaa4sM373T4mNUAojcgdAaHxzu2smLRzQSttTXfuemCijTigg==';
     const invalidSignature = 'TEST_INVALID_SIGNATURE';
 
+    before(function() {
+        if (!gte(process.version, REQUIRED_NODE_VERSION)) {
+            // skip unit tests when node version is less than required
+            this.skip();
+        }
+    });
+
     beforeEach(() => {
         sinon.useFakeTimers(new Date(2019, 9, 1));
     });
@@ -127,6 +135,7 @@ describe('SkillRequestSignatureVerifier', () => {
         nock.cleanAll();
     });
 
+
     describe('async function verify', () => {
         it('should throw error when cert chain url is not present', async () => {
             const requestBody: RequestEnvelope = DataProvider.requestEnvelope();
@@ -413,7 +422,6 @@ describe('SkillRequestSignatureVerifier', () => {
 
     describe('function _validateCertChain', () => {
         const functionKey: string = '_validateCertChain';
-        const rootCA = require('ssl-root-cas/latest');
 
         it('should throw error when cert expired', () => {
             sinon.useFakeTimers(new Date(2022, 2, 15));
@@ -464,6 +472,19 @@ describe('SkillRequestSignatureVerifier', () => {
             throw new Error('should have thrown an error!');
         });
 
+        it('should throw error when node version is less than 12.3.0', () => {
+            sinon.stub(process, 'version').value('10.0.0');
+            try {
+                verifier[functionKey](validPem);
+            } catch (err) {
+                expect(err.name).equal('AskSdk.SkillRequestSignatureVerifier Error');
+                expect(err.message).equal('ask-sdk-express-adapter package require node version 12.3.0 or later, your current node version is 10.0.0. Please update your node version.');
+
+                return;
+            }
+            throw new Error('should have thrown an error!');
+        });
+
         it('should throw error when cert chain is not valid', () => {
             sinon.useFakeTimers(new Date(2019, 9, 1));
             try {