Merge 5e82ae6 into 5c076b5

node-opcua · Jan 19, 2018 · bad745e · bad745e
2 parents 5c076b5 + 5e82ae6
commit bad745e
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 21 deletions.
diff --git a/lib/crypto_create_CA.js b/lib/crypto_create_CA.js
@@ -501,6 +501,7 @@ var commands = require('yargs')
         }
 
         var tasks = [];
+        tasks.push(toolbox.ensure_openssl_installed)
         tasks.push(displayChapter.bind(null, "Create Demo certificates"));
         tasks.push(displayTitle.bind(null, "reading configuration"));
         tasks.push(readConfiguration.bind(null, local_argv));
@@ -573,6 +574,7 @@ var commands = require('yargs')
     function command_new_certificate_authority(local_argv,done) {
 
         var tasks = [];
+        tasks.push(toolbox.ensure_openssl_installed);
         tasks.push(readConfiguration.bind(null, local_argv));
         tasks.push(construct_CertificateAuthority.bind(null));
         async.series(tasks, on_completion.bind(null, done));

diff --git a/lib/pki/certificate_authority.js b/lib/pki/certificate_authority.js
@@ -126,7 +126,9 @@ function construct_CertificateAuthority(done) {
     var subject = "/C=FR/ST=IDF/L=Paris/O=Local NODE-OPCUA Certificate Authority/CN=NodeOPCUA-CA";
 
     //xx toolbox.setEnv("OPENSSL_CONF", toolbox.make_path(self.configFile));
-    var configOption = " -config conf/caconfig.cnf ";
+    var configFile = "conf/caconfig.cnf";
+    var configOutput = configFile + ".tmp";
+    var configOption = " -config " + configOutput;
     toolbox.processAltNames({});
 
     var options = { cwd: ca_rootDir };
@@ -136,12 +138,13 @@ function construct_CertificateAuthority(done) {
     var tasks = [
 
         displayTitle.bind(null, "Generate the CA private Key - " + keySize),
+        toolbox.generateStaticConfig.bind(null, configFile, configOutput, options),
         // The first step is to create your RSA Private Key. This key is a 1025,2048,3072 or 2038 bit RSA key which is encrypted using
         // Triple-DES and stored in a PEM format so that it is readable as ASCII text.
         execute_openssl.bind(null, "genrsa " +
             " -out  private/cakey.pem" +
-            " -rand random.rnd" +
-            " " + keySize,options),
+            (toolbox.useRandFile() ? " -rand random.rnd" : '') +
+            " " + keySize, options),
 
         displayTitle.bind(null, "Generate a certificate request for the CA key"),
 
@@ -166,7 +169,7 @@ function construct_CertificateAuthority(done) {
         execute_openssl.bind(null, " x509 -sha256 -req -days 3650 " +
             " -text " +
             " -extensions v3_ca" +
-            " -extfile conf/caconfig.cnf" +
+            " -extfile " + configOutput +
             " -in private/cakey.csr " +
             " -signkey private/cakey.pem " +
             " -out public/cacert.pem", options),
@@ -284,7 +287,8 @@ CertificateAuthority.prototype.createSelfSignedCertificate = function(certificat
     var csr_file = certificate_file + "_csr";
     assert(csr_file);
 
-    var options = {cwd: self.rootDir , openssl_conf:toolbox.make_path(self.configFile) };
+    var configOutput = self.configFile + '.tmp';
+    var options = {cwd: self.rootDir , openssl_conf: toolbox.make_path(configOutput) };
     //xx this require OPENSSL_CONF to be set
     //xx assert(fs.existsSync(process.env.OPENSSL_CONF));
 
@@ -293,6 +297,7 @@ CertificateAuthority.prototype.createSelfSignedCertificate = function(certificat
 
     var tasks = [];
     tasks.push(displaySubtitle.bind(null, "- the certificate signing request"));
+    tasks.push(toolbox.generateStaticConfig.bind(null, self.configFile, configOutput));
     tasks.push(execute_openssl.bind(null, "req " +
         " -new -sha256 -text " + configOption +
         " -batch -key " + q(n(private_key)) + " -out " + q(n(csr_file)), options));
@@ -345,7 +350,9 @@ CertificateAuthority.prototype.revokeCertificate = function(certificate,params,c
     //xx toolbox.setEnv("OPENSSL_CONF", toolbox.make_path(self.configFile));
 
     assert(fs.existsSync(process.env.OPENSSL_CONF));
-    var configOption = " -config conf/caconfig.cnf ";
+    var configFile = "conf/caconfig.cnf";
+    var configOutput = configFile + ".tmp";
+    var configOption = " -config " + configOutput;
     // this require OPENSSL_CONF to be set
 
 
@@ -417,7 +424,9 @@ CertificateAuthority.prototype.signCertificateRequest = function (certificate, c
     toolbox.processAltNames(params);
 
     var options = {cwd: self.rootDir};
-    var configOption = " -config conf/caconfig.cnf ";
+    var configFile = "conf/caconfig.cnf";
+    var configOutput = configFile + ".tmp";
+    var configOption = " -config " + configOutput;
     //xx  this require OPENSSL_CONF to be set
     //xx toolbox.setEnv("OPENSSL_CONF", toolbox.make_path(self.configFile));
     //xx assert(fs.existsSync(process.env.OPENSSL_CONF));
@@ -469,7 +478,9 @@ CertificateAuthority.prototype.verifyCertificate = function(certificate_file,cal
 
         var options = {cwd: self.rootDir};
         toolbox.setEnv("OPENSSL_CONF", toolbox.make_path(self.configFile));
-        var configOption = " -config conf/caconfig.cnf ";
+        var configFile = "conf/caconfig.cnf";
+        var configOutput = configFile + ".tmp";
+        var configOption = " -config " + configOutput;
 //xx    configOption +
 
         toolbox.execute_openssl_no_failure(

diff --git a/lib/pki/toolbox.js b/lib/pki/toolbox.js
@@ -143,6 +143,15 @@ function execute(cmd, options, callback) {
 
 exports.execute = execute;
 
+function useRandFile() {
+    if (toolbox.openssl_version && toolbox.openssl_version.toLowerCase().indexOf('libressl') > -1) {
+        return false;
+    }
+    return true;
+}
+
+exports.useRandFile = useRandFile;
+
 function openssl_require2DigitYearInDate() {
     if (!toolbox.openssl_version) {
         throw new Error("openssl_require2DigitYearInDate : please call ensure_openssl_installed(callback)");
@@ -264,6 +273,33 @@ function displaySubtitle(str, option_callback) {
 
 exports.displaySubtitle = displaySubtitle;
 
+function getEnvironmentVarNames() {
+    return Object.keys(process.env).map(function(varName) { return { key: varName, pattern: '\\$ENV\\:\\:' + varName }; });
+}
+
+exports.getEnvironmentVarNames = getEnvironmentVarNames;
+
+function generateStaticConfig(configPath, configOutputPath, options, option_callback) {
+    if (typeof options === 'function') {
+        option_callback = options;
+        options = {};
+    }
+    var prePath = options && options.cwd || '';
+
+    var staticConfig = fs.readFileSync(path.join(prePath, configPath), { encoding: 'utf8' });
+    for (var envVar of getEnvironmentVarNames()) {
+        staticConfig = staticConfig.replace(new RegExp(envVar.pattern, 'gi'), process.env[envVar.key]);
+    }
+
+    fs.writeFileSync(path.join(prePath, configOutputPath), staticConfig);
+
+    if (option_callback) {
+        option_callback();
+    }
+}
+
+exports.generateStaticConfig = generateStaticConfig;
+
 var q = quote;
 
 exports.make_path = function make_path(folder_name, file_name) {
@@ -318,12 +354,13 @@ exports.getPublicKeyFromCertificate = function getPublicKeyFromCertificate(certi
  * @param callback {Function}
  */
 function createPrivateKey(private_key_filename, key_length, callback) {
-
-    assert(process.env.hasOwnProperty("RANDFILE"));
+    if (useRandFile()) {
+        assert(process.env.hasOwnProperty("RANDFILE"));
+    }
     assert([1024, 2048, 3072, 4096].indexOf(key_length) >= 0);
     execute_openssl("genrsa " +
       " -out " + q(n(private_key_filename)) +
-      " -rand " + q(n(process.env.RANDFILE)) +
+      (useRandFile() ? " -rand " + q(n(process.env.RANDFILE)) : '') +
       " " + key_length, {}, callback);
 }
 
@@ -350,14 +387,16 @@ exports.createCertificateSigningRequest = function createCertificateSigningReque
 
 
     // note : this openssl command requires a config file
-    var options = {cwd: params.rootDir, openssl_conf: params.configFile};
+    var configOutput = params.configFile + '.tmp';
+    var options = {cwd: params.rootDir, openssl_conf: configOutput};
 
-    var configOption = " -config " + q(n(params.configFile));
+    var configOption = " -config " + q(n(configOutput));
 
     //process.env.OPENSSL_CONF  ="";
     toolbox.processAltNames(params);
     async.series([
         displaySubtitle.bind(null, "- Creating a Certificate Signing Request"),
+        generateStaticConfig.bind(null, params.configFile, configOutput),
         execute_openssl.bind(null, "req -new" +
           "  -sha256 " +
           " -batch " +
@@ -511,11 +550,13 @@ exports.createSelfSignCertificate = function createSelfSignCertificate(certifica
 
     var certificate_request = certificate + ".csr";
 
-    var configOption = " -config " + q(n(params.configFile));
+    var configOutput = params.configFile + '.tmp';
+    var configOption = " -config " + q(n(configOutput));
 
     var tasks = [
 
         displayTitle.bind(null, "Generate a certificate request"),
+        generateStaticConfig.bind(null, params.configFile, configOutput),
 
         // Once the private key is generated a Certificate Signing Request can be generated.
         // The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as
@@ -538,7 +579,7 @@ exports.createSelfSignCertificate = function createSelfSignCertificate(certifica
         execute_openssl.bind(null, " x509 -req " +
           " -days " + params.validity +
           " -extensions v3_ca" +
-          " -extfile " + q(n(params.configFile)) +
+          " -extfile " + q(n(configOutput)) +
           " -in " + q(n(certificate_request)) +
           " -signkey " + q(n(params.privateKey)) +
           " -text " +

diff --git a/package-lock.json b/package-lock.json
diff --git a/test/test_certificate_manager.js b/test/test_certificate_manager.js
@@ -148,7 +148,10 @@ describe("CertificateManager managing certificate", function () {
 
     function createSampleCertificateDer(certificate,callback) {
 
-        var default_openssl_conf = q(n(path.join(__dirname,"../tmp/PKI2/own/openssl.cnf")));
+        var default_openssl_conf_path = path.join(__dirname,"../tmp/PKI2/own/openssl.cnf");
+        var default_openssl_conf = q(n(default_openssl_conf_path));
+        var default_openssl_conf_output = default_openssl_conf_path + '.tmp';
+        toolbox.generateStaticConfig(default_openssl_conf_path, default_openssl_conf_output);
         assert(_.isFunction(callback));
 
         certificate = toolbox.make_path(certificate);
@@ -158,7 +161,7 @@ describe("CertificateManager managing certificate", function () {
             "-x509 -days 365 -nodes -newkey rsa:1024 " +
             "-batch -keyout private_key.pem " +
             "-outform der -out " + q(n(certificate)) +
-            " -config " + default_openssl_conf,{},function(err){
+            " -config " + default_openssl_conf_output,{},function(err){
             assert(fs.existsSync(certificate));
 
             callback(err);

diff --git a/test/test_toolbox.js b/test/test_toolbox.js
@@ -22,9 +22,11 @@ describe("toolbox",function(){
 
     before(function(done) {
         toolbox.mkdir(tmpFolder);
-        toolbox.createPrivateKey(private_key,2048,function() {
-            fs.existsSync(private_key).should.eql(true);
-            done();
+        toolbox.ensure_openssl_installed(function() {
+            toolbox.createPrivateKey(private_key,2048,function() {
+                fs.existsSync(private_key).should.eql(true);
+                done();
+            });
         });
     });