From 7e9f540194762801d1e2751b373104fa6ba2e4d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Ma=C5=82ecki?=
Date: Sat, 15 Mar 2014 02:54:16 +0100
Subject: [PATCH 1/9] Pass `requestCert` to `https.createServer`
---
 lib/app.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/app.js b/lib/app.js
index ef7e7c86..ab0d8ce2 100755
--- a/lib/app.js
+++ b/lib/app.js
@@ -57,8 +57,14 @@ config.load(function(err, conf) {
 var testkeys = path.join(__dirname, '..', 'testkeys');
 var privateKey = fs.readFileSync(path.join(testkeys, 'privatekey.pem'));
 var certificate = fs.readFileSync(path.join(testkeys, 'certificate.pem'));
- var credentials = {key: privateKey, cert: certificate};
- https.createServer(credentials, app).listen(port, function () {
+
+ var options = {
+ key: privateKey,
+ cert: certificate,
+ requestCert: true
+ };
+
+ https.createServer(options, app).listen(port, function () {
 console.log('Express server listening on port ' + port + ' (https)');
 });
 }
From 802ca190ee5cee5baac366e7eb23210776d60400 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Ma=C5=82ecki?=
Date: Mon, 17 Mar 2014 16:47:09 +0100
Subject: [PATCH 2/9] Implement client certificate middleware
---
 lib/app.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lib/app.js b/lib/app.js
index ab0d8ce2..2d23eb32 100755
--- a/lib/app.js
+++ b/lib/app.js
@@ -28,6 +28,7 @@ var argv = require('optimist').argv;
 var LamassuConfig = require('lamassu-config');
 var atm = require('lamassu-atm-protocol');
 var format = require('util').format;
+var clientCertificateAuth = require('client-certificate-auth');
 
 var conString, dbConfig, config;
 
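Review bot: `requestCert: true` is added to `options` without a `ca` or `rejectUnauthorized` entry, so which client certificates survive the handshake is decided by Node's defaults (`rejectUnauthorized` true and, as far as I recall, the bundled root store when `ca` is absent) rather than by anything stated here. For ATM certificates that do not chain to a public CA that implicit default is the whole story, so I'd make the intent explicit: either `ca: [fs.readFileSync(/* path to the ATM CA bundle — placeholder */)]` when the certificates are issued by an operator CA, or a one-line comment above `requestCert` recording that a fingerprint check elsewhere is the real authorization step and the default rejection is relied on deliberately. The `if (argv.https)` block that encloses these lines starts outside the hunk.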
@@ -54,6 +55,17 @@ config.load(function(err, conf) {
 atm.init(app, conf.config);
 
 if (argv.https) {
+ app.use(clientCertificateAuth({ rejectUnauthorized: false }, function(cert, done) {
+ config.isAuthorized(cert.fingerprint, function(err, authorized) {
+ if (err) {
+ console.error('Client certificate authorization failed', err.message);
+ return done(false);
+ }
+
+ done(authorized);
+ });
+ }));
+
 var testkeys = path.join(__dirname, '..', 'testkeys');
 var privateKey = fs.readFileSync(path.join(testkeys, 'privatekey.pem'));
 var certificate = fs.readFileSync(path.join(testkeys, 'certificate.pem'));
From 1f73f8a42d739f21d7073a63479ecbc20b34fe4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Ma=C5=82ecki?=
Date: Mon, 17 Mar 2014 16:48:07 +0100
Subject: [PATCH 3/9] Depend on `next` branch
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index c2c47740..9d516216 100644
--- a/package.json
+++ b/package.json
@@ -16,7 +16,7 @@
 "optimist": "~0.6.0",
 "lamassu-config": "~0.1.1",
 "lamassu-atm-protocol": "~0.1.0",
- "client-certificate-auth": "git+https://github.com/mmalecki/client-certificate-auth.git#async-authorization"
+ "client-certificate-auth": "git+https://github.com/mmalecki/client-certificate-auth.git#next"
 },
 "repository": {
 "type": "git",
From 784914be7a99e496ad4c68157925c6e40177bb40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Ma=C5=82ecki?=
Date: Mon, 17 Mar 2014 21:49:31 +0100
Subject: [PATCH 4/9] Add ciphers
---
 lib/app.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/app.js b/lib/app.js
index 2d23eb32..43421253 100755
--- a/lib/app.js
+++ b/lib/app.js
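Review bot: The `app.use(clientCertificateAuth(...))` call is registered after `atm.init(app, conf.config)` on the hunk's first context line, and with the `express ~3.4` this project depends on, middleware added after the router has been mounted runs after the routes already registered — so the ATM routes `atm.init` installs would bypass this check unless `atm.init` defers route registration. Either move the `app.use` above `atm.init`, or hand the middleware to `atm.init` so it is mounted on the protected routes (patch 6 in this series takes the second approach). Note also that `{ rejectUnauthorized: false }` here is an option of the middleware; the TLS-level `rejectUnauthorized` on `https.createServer` is still unset and still governs which certificates reach the handshake. The `if (argv.https)` block continues past the hunk.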
@@ -73,7 +73,10 @@ config.load(function(err, conf) {
 var options = {
 key: privateKey,
 cert: certificate,
- requestCert: true
+ requestCert: true,
+ secureProtocol: 'TLSv1_method',
+ ciphers: 'AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
+ honorCipherOrder: true
 };
 
 https.createServer(options, app).listen(port, function () {
From 9f32dddf193569b3b8f54a69c72b5c8ade99206a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Ma=C5=82ecki?=
Date: Mon, 17 Mar 2014 21:55:14 +0100
Subject: [PATCH 5/9] Use HTTPS by default and accept `--key` and `--cert`
---
 lib/app.js | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/lib/app.js b/lib/app.js
index 43421253..12f8cc77 100755
--- a/lib/app.js
+++ b/lib/app.js
@@ -54,7 +54,12 @@ config.load(function(err, conf) {
 if (err) { console.log(err); process.exit(1); }
 atm.init(app, conf.config);
 
- if (argv.https) {
+ if (argv.http) {
+ http.createServer(app).listen(port, function () {
+ console.log('Express server listening on port ' + port + ' (http)');
+ });
+ }
+ else {
 app.use(clientCertificateAuth({ rejectUnauthorized: false }, function(cert, done) {
 config.isAuthorized(cert.fingerprint, function(err, authorized) {
 if (err) {
@@ -66,13 +71,9 @@ config.load(function(err, conf) {
 });
 }));
 
- var testkeys = path.join(__dirname, '..', 'testkeys');
- var privateKey = fs.readFileSync(path.join(testkeys, 'privatekey.pem'));
- var certificate = fs.readFileSync(path.join(testkeys, 'certificate.pem'));
-
 var options = {
- key: privateKey,
- cert: certificate,
+ key: fs.readFileSync(argv.key),
+ cert: fs.readFileSync(argv.cert),
 requestCert: true,
 secureProtocol: 'TLSv1_method',
 ciphers: 'AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
@@ -83,9 +84,4 @@ config.load(function(err, conf) {
 console.log('Express server listening on port ' + port + ' (https)');
 });
 }
- else {
- http.createServer(app).listen(port, function () {
- console.log('Express server listening on port ' + port + ' (http)');
- });
- }
 });
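Review bot: The new `ciphers` string keeps `RC4` as the second preference and `secureProtocol: 'TLSv1_method'` pins the server to TLS 1.0 only; combined with `honorCipherOrder: true`, any client without `AES128-GCM-SHA256` is steered onto RC4, whose keystream biases were already public in 2014 and which is now prohibited in TLS (RFC 7465). I'd drop RC4 and stop pinning the version: `secureProtocol: 'SSLv23_method',` (the version-flexible method, with `secureOptions` used to switch off SSLv2/SSLv3 if this Node build does not already) and `ciphers: 'AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH',`. `!EDH` also excludes the DHE forward-secret suites, so it is worth confirming ECDHE suites are actually offered by this OpenSSL before keeping that exclusion. The block enclosing `options` starts outside the hunk.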
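Review bot: In the `-66,13 +71,9` hunk, `fs.readFileSync(argv.key)` and `fs.readFileSync(argv.cert)` run with no check that `--key` and `--cert` were supplied, and since HTTPS is now the default branch, starting the server without them fails with a TypeError thrown from inside `readFileSync` rather than a usage message. A guard before `var options` makes the failure explicit: `if (!argv.key || !argv.cert) { console.error('--key and --cert are required unless --http is given'); process.exit(1); }`. The `else` branch these lines sit in opens in the previous hunk and the `options` object continues past this one.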
From 3a4fe7738e8e9310dec782b0e55cdc1bf88e1ef4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Ma=C5=82ecki?=
Date: Tue, 18 Mar 2014 02:24:40 +0100
Subject: [PATCH 6/9] Pass `authMiddleware` and `config` to `lamassu-atm-protocol`
---
 lib/app.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/app.js b/lib/app.js
index 12f8cc77..c1c4e278 100755
--- a/lib/app.js
+++ b/lib/app.js
@@ -52,7 +52,8 @@ app.use(express.session());
 
 config.load(function(err, conf) {
 if (err) { console.log(err); process.exit(1); }
- atm.init(app, conf.config);
+
+ var authMiddleware = function (req, res, next) { return next(); };
 
 if (argv.http) {
 http.createServer(app).listen(port, function () {
@@ -60,7 +61,7 @@ config.load(function(err, conf) {
 });
 }
 else {
- app.use(clientCertificateAuth({ rejectUnauthorized: false }, function(cert, done) {
+ authMiddleware = clientCertificateAuth({ rejectUnauthorized: false }, function(cert, done) {
 config.isAuthorized(cert.fingerprint, function(err, authorized) {
 if (err) {
 console.error('Client certificate authorization failed', err.message);
@@ -69,7 +70,7 @@ config.load(function(err, conf) {
 
 done(authorized);
 });
- }));
+ });
 
 var options = {
 key: fs.readFileSync(argv.key),
@@ -84,4 +85,7 @@ config.load(function(err, conf) {
 console.log('Express server listening on port ' + port + ' (https)');
 });
 }
+
+ atm.init(app, conf.config, config, authMiddleware);
+
 });
From f8c507bb1cf629b7d7f55ce6d2eb8c2346c6f161 Mon Sep 17 00:00:00 2001
From: Josh Harvey
Date: Thu, 20 Mar 2014 17:00:44 -0400
Subject: [PATCH 7/9] fixed dependency
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 9d516216..f7ddbaee 100644
--- a/package.json
+++ b/package.json
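Review bot: The default `var authMiddleware = function (req, res, next) { return next(); };` in the first hunk means that under `--http` the pass-through is what `atm.init` receives, so every ATM endpoint is reachable with no client authentication and nothing in the startup output says so. If plaintext mode is intended for local development only, I'd at least make it visible at the point the default is kept, e.g. `console.warn('--http given: ATM client certificate authorization is disabled');` inside the `if (argv.http)` block, or require an explicit second opt-in flag before accepting `--http`. The `config.load` callback continues past this hunk; the later hunks of the same patch pass `authMiddleware` to `atm.init`.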
@@ -16,7 +16,7 @@
 "optimist": "~0.6.0",
 "lamassu-config": "~0.1.1",
 "lamassu-atm-protocol": "~0.1.0",
- "client-certificate-auth": "git+https://github.com/mmalecki/client-certificate-auth.git#next"
+ "client-certificate-auth": "git+https://github.com/mmalecki/client-certificate-auth.git#reject-unauthorized"
 },
 "repository": {
 "type": "git",
From c6db15b154b64803051f9f6db826fa9e81e0e5a7 Mon Sep 17 00:00:00 2001
From: Josh Harvey
Date: Mon, 24 Mar 2014 01:01:48 -0400
Subject: [PATCH 8/9] fixed ATM authorizing
---
 lib/app.js | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/lib/app.js b/lib/app.js
index c1c4e278..f84fb102 100755
--- a/lib/app.js
+++ b/lib/app.js
@@ -28,7 +28,6 @@ var argv = require('optimist').argv;
 var LamassuConfig = require('lamassu-config');
 var atm = require('lamassu-atm-protocol');
 var format = require('util').format;
-var clientCertificateAuth = require('client-certificate-auth');
 
 var conString, dbConfig, config;
 
@@ -61,16 +60,17 @@ config.load(function(err, conf) {
 });
 }
 else {
- authMiddleware = clientCertificateAuth({ rejectUnauthorized: false }, function(cert, done) {
- config.isAuthorized(cert.fingerprint, function(err, authorized) {
- if (err) {
- console.error('Client certificate authorization failed', err.message);
- return done(false);
- }
+ authMiddleware = function(req, res, next) {
+ var fingerprint = req.connection.getPeerCertificate().fingerprint;
+ var e = new Error('Unauthorized');
+ e.status = 401;
 
- done(authorized);
+ config.isAuthorized(fingerprint, function (err, authorized) {
+ if (err) { return next(e); }
+ if (!authorized) { return next(e); }
+ next();
 });
- });
+ };
 
 var options = {
 key: fs.readFileSync(argv.key),
From cf520a331eb0952cb1c6156280d2701652afe5bb Mon Sep 17 00:00:00 2001
From: Josh Harvey
Date: Mon, 24 Mar 2014 01:10:50 -0400
Subject: [PATCH 9/9] removed client-certificate-auth
---
 package.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
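Review bot: In the `-61,16 +60,17` hunk the rewritten `authMiddleware` drops the `console.error` the removed version emitted when `config.isAuthorized` failed, so a backend error and a genuinely unknown fingerprint now both surface as a bare 401 with nothing in the logs to tell them apart; I'd keep the log line, `if (err) { console.error('Client certificate authorization failed', err.message); return next(e); }`. `req.connection.getPeerCertificate().fingerprint` also dereferences the result unconditionally, and Node documents an empty object (null in older releases) when no peer certificate was presented, so unless the TLS options guarantee a certificate on every connection this throws instead of answering 401 — `var peer = req.connection.getPeerCertificate(); if (!peer || !peer.fingerprint) { return next(e); }` covers that case. The `else` block enclosing this middleware opens in the hunk's context and the `options` object continues past it.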
diff --git a/package.json b/package.json
index f7ddbaee..27c7a5bd 100644
--- a/package.json
+++ b/package.json
@@ -15,8 +15,7 @@
 "express": "~3.4.7",
 "optimist": "~0.6.0",
 "lamassu-config": "~0.1.1",
- "lamassu-atm-protocol": "~0.1.0",
- "client-certificate-auth": "git+https://github.com/mmalecki/client-certificate-auth.git#reject-unauthorized"
+ "lamassu-atm-protocol": "~0.1.0"
 },
 "repository": {
 "type": "git",