From 034d0e8645e2edccab3a942a329a13778a06c5c3 Mon Sep 17 00:00:00 2001 From: throwaway96 <68320646+throwaway96@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:22:20 -0500 Subject: [PATCH] service.ts: fix outdated cert issues The ISRG Root X1/X2 certificates are now included. Node.js will also look for CA certs in /etc/ssl/certs. --- package-lock.json | 9 +++++ package.json | 4 ++- services/isrg-roots-x1-x2.pem | 62 +++++++++++++++++++++++++++++++++++ services/service.ts | 4 +++ services/syswide-cas.d.ts | 3 ++ 5 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 services/isrg-roots-x1-x2.pem create mode 100644 services/syswide-cas.d.ts diff --git a/package-lock.json b/package-lock.json index f09da6c..5f13efb 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,6 +12,7 @@ "!win32" ], "dependencies": { + "@small-tech/syswide-cas": "^6.0.2", "bluebird": "^3.7.2", "core-js": "^3.12.1", "dompurify": "=3.0.1", @@ -2037,6 +2038,14 @@ "url": "https://opencollective.com/unts" } }, + "node_modules/@small-tech/syswide-cas": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/@small-tech/syswide-cas/-/syswide-cas-6.0.2.tgz", + "integrity": "sha512-G7BbARFvdSEUei6J4sKKrxNZz5xlsV2pV3hU5J+/yF7j7DLesuATBurPLe4pX3HAnVptmUFWykc36OoTv18tmw==", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/@types/bluebird": { "version": "3.5.42", "resolved": "https://registry.npmjs.org/@types/bluebird/-/bluebird-3.5.42.tgz", diff --git a/package.json b/package.json index 82be018..a5a8927 100644 --- a/package.json +++ b/package.json @@ -32,7 +32,8 @@ "services/run-js-service", "services/startup.sh", "services/jumpstart.sh", - "services/elevate-service" + "services/elevate-service", + "services/isrg-roots-x1-x2.pem" ], "styles": [ "frontend/views/DetailsPanel.css" @@ -83,6 +84,7 @@ "webpack-shebang-plugin": "^1.1.8" }, "dependencies": { + "@small-tech/syswide-cas": "^6.0.2", "bluebird": "^3.7.2", "core-js": "^3.12.1", "dompurify": "=3.0.1", 
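Review bot: The new `@small-tech/syswide-cas` entry in the `dependencies` block of package.json uses a caret range, `^6.0.2`, for a package whose job is to alter the process-wide TLS trust store. The lockfile in this commit pins 6.0.2 with an integrity hash, but that protection only holds for installs that honour the lockfile. An exact pin, `"@small-tech/syswide-cas": "=6.0.2"`, would match how `dompurify` is pinned in the same block and would make any upgrade of this package an explicit, reviewed change.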
diff --git a/services/isrg-roots-x1-x2.pem b/services/isrg-roots-x1-x2.pem
new file mode 100644
index 0000000..e93e63b
--- /dev/null
+++ b/services/isrg-roots-x1-x2.pem
@@ -0,0 +1,62 @@
+# ISRG Root Certificates
+# (used for Let's Encrypt)
+
+# Distributed under section 9.5 of the
+# Internet Security Research Group (ISRG)
+# Combined Certificate Policy and Certification Practice Statement
+# version 5.1, 2023-05-16:
+# "ISRG grants permission to reproduce and distribute certificates on a
+# non-exclusive and royalty-free basis, provided that they are reproduced
+# and distributed in full."
+# https://letsencrypt.org/documents/isrg-cp-cps-v5.1/
+
+# ISRG Root X1
+# https://letsencrypt.org/certs/isrgrootx1.pem
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
+
+# ISRG Root X2
+# https://letsencrypt.org/certs/isrg-root-x2.pem
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----
diff --git a/services/service.ts b/services/service.ts
index b83e30a..848e294 100644
--- a/services/service.ts
+++ b/services/service.ts
@@ -10,6 +10,8 @@ import child_process from 'child_process';
 import { Promise } from 'bluebird'; // eslint-disable-line @typescript-eslint/no-redeclare
 import progress from 'progress-stream';
 import Service, { Message } from 'webos-service';
+import syswideCas from '@small-tech/syswide-cas';
+
 import fetch from 'node-fetch';
 import { asyncStat,
@@ -401,6 +403,8 @@ function tryRespond>(runner: (message: Message) =>
 }
 function runService(): void {
+ syswideCas.addCAs([path.join(__dirname, 'isrg-roots-x1-x2.pem'), '/etc/ssl/certs']);
+
 const service = new Service(serviceInfo.id, undefined, { idleTimer: 30 });
 const serviceRemote = new ServiceRemote();
diff --git a/services/syswide-cas.d.ts b/services/syswide-cas.d.ts
new file mode 100644
index 0000000..56a8bc3
--- /dev/null
+++ b/services/syswide-cas.d.ts
@@ -0,0 +1,3 @@
+declare module '@small-tech/syswide-cas' {
+ function addCAs(dirs: readonly string[]): void;
+}
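Review bot: The `syswideCas.addCAs([...])` call added at the top of `runService` in services/service.ts changes certificate trust for every TLS connection this process makes, and the hunk neither documents that decision nor checks that the bundled PEM was actually found. The contents of `/etc/ssl/certs` are added as trust roots alongside the two ISRG certificates, so the authenticity of anything the service fetches depends on what that directory holds on the device; a comment such as `// Trust roots for all outbound TLS: bundled ISRG X1/X2 plus the system store in /etc/ssl/certs.` would record this. If `addCAs` skips paths it cannot read (worth confirming for 6.0.2), a package built without `isrg-roots-x1-x2.pem` would start normally and only fail certificate validation later with no hint of the cause, so an existence check or a startup log line for the bundled file would help. `runService` continues past the end of the hunk.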
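Review bot: The shim in services/syswide-cas.d.ts declares `addCAs` as a plain module member with no default export, while service.ts uses `import syswideCas from '@small-tech/syswide-cas'`; this presumably type-checks only because the compiler synthesises a default import (the tsconfig is not visible here), so the declaration should state the export shape the package really has. The parameter is named `dirs` although the call site passes a PEM file as well as a directory. A doc comment such as `/** Hand-written typings for the single call service.ts uses; each entry may be a PEM file or a directory of certificates. */` and a rename to `paths` would make the contract clear.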