Socket.IO TLS requiring key/cert - node.js

I have a CA from an authorized server. I have set up my HTTPS and WebSocket setup as follows:
var httpsOptions = {
cert: fs.readFileSync(config.ssl.server_cert),
key: fs.readFileSync(config.ssl.server_key),
requestCert: true,
rejectUnauthorized: true,
passphrase: config.ssl.server_password
};
httpsServer.listen(config.https_port, function () {
console.info("HTTPS server running on %d", config.https_port);
});
io = io.listen(server);
io.sockets.on('connection', function (socket) {
console.log("connected: " + socket.id);
})
Now, my clients will have to sign up for an account. When they do, I want to create a private/public key for them, and sign it with the CA that I have. They then have to use them for any web socket connection. If these are not provided, I don't want to even allow a connection.
My client at the moment is then:
io.connect(url, {secure: true, 'force new connection': true});
But I cannot figure out how to A) pass the key to the server, and B) If this is even possible?

If you're talking about browsers, then the client certificate and private key has to be installed in the browser or OS certificate store (depending on which browser is being used). Once installed, the browser will automatically send the certificate.
Unfortunately, client certificate installation is not a user-friendly process.
If your client is a node process, a client cert option was (finally) added in socket.io 1.3.
Don't forget to validate that the presented certificate matches a user account in your system. rejectUnauthorized only validates that the client presented a certificate issued by any trusted CA.
Do you mean you have a SSL certificate for your server? You can't sign new certificates with that. No trusted root CA gives out certs that allow third parties to sign certs without a very long process and lots of money.
You can run your own CA that signs client certificates. You have to configure your server to trust your client certificate-issuing CA (via the ca option in createServer) since it will be untrusted by default.

Related

MTLS - generate certificate to nodejs client side

We need to communicate between our ec2 server and our customer server via Mutual TLS.
The requests are sent from our server to our customer server - so we are the client here.
I read this post, talking about how to generate the files.
The first step is to create a certificate authority (CA) that both the
client and server trust. The CA is just a public and private key with
the public key wrapped up in a self-signed X.509 certificate.
Our cert and their cert - should be signed from the same root CA? who should provide it?
The code in my side should be like:
const req = https.request(
{
hostname: 'myserver.internal.net',
port: 443,
path: '/',
method: 'GET',
cert: fs.readFileSync('client.crt'),
key: fs.readFileSync('client.key'),
ca: fs.readFileSync('ca.crt')
},
res => {
res.on('data', function(data) {
// do something with response
});
}
);
So what should we provide each other? We don't exactly understand and they are not providing more details, just asked us to give them a certificate...
Our cert and their cert - should be signed from the same root CA? who should provide it?
Since the control of the client certificate is done at the TLS server side (i.e. at the customer) it depends fully on what they expect. They might require a publicly signed certificate, they might require a certificate signed by their own CA. Or they might simply check that a specific certificate gets used and will also accept self-signed certificates for this.

How to connect with client side certificates using https module on Node.js

In production my website uses a Let's Encrypt certificate, so that the user can see in the browser the valid certificate lock.
If the user navigates to route example.com/dashboard, I would like the login using client side certificate (and not username/password).
I have generated on a server using openssl private & public key. The public key stays on server and the private key is sent to the client.
Using this tutorial, I have created in server.js
const express = require('express')
const https = require('https')
const fs = require('fs')
const masterapp = express()
var options = {
key: fs.readFileSync('/etc/ssl/certs/sslforfree/private.key'),
cert: fs.readFileSync('/etc/ssl/certs/sslforfree/certificate.crt'),
requestCert: true,
rejectUnauthorized: false,
}
And then in the middleware
const cert = req.connection.getPeerCertificate()
if (req.client.authorized) {
if (cert.subject.CN === "Client123" && cert.fingerprint256 === "AA:BB:CC:DD:00..
On Mac OS it shows correctly the prompt in the browser where I select the key (key is stored in Keychain).
Problems:
req.client.authorized is always false
How can I securely check with Node.js that the private key corresponds to public key?
Is it safer to have dashboard.example.com subdomain or route example.com/dashboard (express router)?
According to the medium article you referenced, you need to supply a ca property in the options object. This should be a list of client CAs that you trust:
Finally, we supply a list of CA certificates that we consider valid. For now, we sign client certificates with our own server key, so it will be the same as our server certificate.
, ca: [ fs.readFileSync('server_cert.pem') ]
}
You should use the CA to sign the public key of the client's generated key. To do this, you'll have to generate a CSR with the private key, then sign the CSR with the CA you have in the list. Once you do this, you can send the private key and the resulting certificate to the client in a bundle, and they will be able to authenticate against your system.
This is because you left off the ca property.
This happens between the browser and your server automatically, once you have a trusted ca.
To create a CA, you can use openssl to generate a self-signed certificate and private key.
This depends, and is out of scope for stackoverflow. You might consider asking on serverfault.com or security.stackexchange.com.

How to authenticate user with CAC in Node/Express

I need to allow users to log into my react website using their DoD issued Common Access Card. I am using an express api as an authentication server. I've got the server configured to require a client cert:
const options = {
key: fs.readFileSync(config.ssl.keyPath),
cert: fs.readFileSync(config.ssl.certPath),
ca: [fs.readFileSync(config.ssl.caPath)],
requestCert: true,
rejectUnauthorized: false,
};
https.createServer(options, expressApp).listen(port);
How do I get my react app to request/load/read the certificate from the CAC?
You will need to create a .PFX cert and import it into the browser's certificate store. The certificate generated should be signed by the CA used to start your express server. The certificate imported into your browser should also be enabled for "Client Authentication".

NodeJS forwarding client SSL certificates

I am working on Node.js server application which is SSL enabled and accepts client certificates. I am using following code to create https server.
const options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem'),
ca: fs.readFileSync('ca.pem'),
requestCert: true,
rejectUnauthorized: true
};
https.createServer(options,app).listen(8090, function(){
console.log("Listening on 8090");
});
Other Node.js based client apps are able to connect using their SSL certficate and get the service response.
However from my sever, I want to make another server call and wish to pass on the same client certificate I received. I simply want to forward the same ceritifcate, I understand I can get the certificate details in request object, but how to retrieve the crt and key from that object?
I am looking to do something like below:
app.get('/myservice', (req,res) => {
//req.socket.getPeerCertificate(true);
var agent = new https.Agent({
cert: somelibrary(req.socket.getPeerCertificate(true).??????),
key: somelibrary(req.socket.getPeerCertificate(true).??????),
});
fetch('http://AnotherServiceURL', { method: 'GET' agent}).then(function(response){
res.json(response);
});
});
Is there any library which can convert request certificate details in a way so as to forward those as key and cert? Or is there any other/better way of doing this?
I understand I can get the certificate details in request object, but how to retrieve the crt and key from that object?
While it would be possible to pass the client certificate itself it is impossible to use it again as client certificate in another TLS connection to the final target. For this you would need to have access to the private key of the client, which as the name says is private to the client. As for getting the client certificate (i.e. the public part) see Node.js: access the client certificate.

node.js: HTTPS client certificate without server validation?

I have a https server and client in node.js.
For 'normal' HTTPS a host lets in any client, and the client authenticates the host.
However in my situation I would like to do the opposite:
I want the host to authenticate the client, but the client to connect to any host without authenticating it. ie: The host does not get a key/crt (but does trust the CA), while the client does gets a key/crt (and also trusts the CA).
The standard way for https with both sides authenticating each other is:
Server options:
key: fs.readFileSync('server-key.pem'),
cert: fs.readFileSync('server-crt.pem'),
ca: fs.readFileSync('ca-crt.pem'),
requestCert: true,
rejectUnauthorized: true
Client options:
key: fs.readFileSync('client-key.pem'),
cert: fs.readFileSync('client-crt.pem'),
ca: fs.readFileSync('ca-crt.pem') };
I removed key and crt from server, but how to tell the client not to request server/host cert? I can't seem to figure that part out? The documentation claims that for a client rejectUnauthorized must be set to true for the client to validate the server, so I set it to false. But the TLS handshake seems to be failing.

Resources