Build a proper framework for TLS endpoints

Author: pimterry

src/endpoints/endpoint-index.ts

@@ -1,4 +1,8 @@
 import * as httpIndex from './http-index.js';
+import * as tlsIndex from './tls-index.js';
 
 export const httpEndpoints: Array<httpIndex.HttpEndpoint & { name: string }> = Object.entries(httpIndex)
     .map(([key, value]) => ({ ...value, name: key }));
+
+export const tlsEndpoints: Array<tlsIndex.TlsEndpoint & { name: string }> = Object.entries(tlsIndex)
+    .map(([key, value]) => ({ ...value, name: key }));

src/endpoints/tls-index.ts

@@ -0,0 +1,14 @@
+import * as tls from 'tls';
+import { CertOptions } from '../tls-certificates/cert-definitions.js';
+
+export interface TlsEndpoint {
+    sniPart: string;
+    configureCertOptions?(): CertOptions;
+    configureTlsOptions?(tlsOptions: tls.SecureContextOptions): tls.SecureContextOptions;
+    configureAlpnPreferences?(preferences: string[]): string[];
+}
+
+export * from './tls/alpn-specifiers.js';
+export * from './tls/cert-modes.js';
+export * from './tls/example.js';
+export * from './tls/no-tls.js';

src/endpoints/tls/alpn-specifiers.ts

@@ -0,0 +1,17 @@
+import { TlsEndpoint } from '../tls-index.js';
+
+export const http2: TlsEndpoint = {
+    sniPart: 'http2',
+    configureAlpnPreferences(alpnList) {
+        alpnList.push('h2');
+        return alpnList;
+    }
+};
+
+export const http1: TlsEndpoint = {
+    sniPart: 'http1',
+    configureAlpnPreferences(alpnList) {
+        alpnList.push('http/1.1');
+        return alpnList;
+    }
+};

src/endpoints/tls/cert-modes.ts

@@ -0,0 +1,47 @@
+import { TlsEndpoint } from '../tls-index.js';
+
+export const expired: TlsEndpoint = {
+    sniPart: 'expired',
+    configureCertOptions() {
+        return {
+            expired: true
+        };
+    }
+};
+
+export const revoked: TlsEndpoint = {
+    sniPart: 'revoked',
+    configureCertOptions() {
+        return {
+            revoked: true
+        };
+    }
+};
+
+export const selfSigned: TlsEndpoint = {
+    sniPart: 'self-signed',
+    configureCertOptions() {
+        return {
+            requiredType: 'local',
+            selfSigned: true
+        };
+    }
+};
+
+export const untrustedRoot: TlsEndpoint = {
+    sniPart: 'untrusted-root',
+    configureCertOptions() {
+        return {
+            requiredType: 'local'
+        };
+    }
+};
+
+export const wrongHost: TlsEndpoint = {
+    sniPart: 'wrong-host',
+    configureCertOptions() {
+        return {
+            overridePrefix: 'example'
+        };
+    }
+};

src/endpoints/tls/example.ts

@@ -0,0 +1,5 @@
+import { TlsEndpoint } from '../tls-index.js';
+
+export const example: TlsEndpoint = {
+    sniPart: 'example'
+};

src/endpoints/tls/no-tls.ts

@@ -0,0 +1,8 @@
+import { TlsEndpoint } from '../tls-index.js';
+
+export const noTls: TlsEndpoint = {
+    sniPart: 'no-tls',
+    configureTlsOptions() {
+        throw new Error('Intentionally rejecting TLS connection');
+    },
+};

src/server.ts

@@ -8,7 +8,8 @@ import {
 } from 'read-tls-client-hello';
 
 import { createHttp1Handler, createHttp2Handler } from './http-handler.js';
-import { createTlsHandler, CertMode } from './tls-handler.js';
+import { createTlsHandler } from './tls-handler.js';
+import { CertOptions } from './tls-certificates/cert-definitions.js';
 import { ConnectionProcessor } from './process-connection.js';
 
 import { AcmeCA, AcmeProvider } from './tls-certificates/acme.js';
@@ -60,8 +61,8 @@ async function generateTlsConfig(options: ServerOptions) {
         await certCache.loadCache();
     }
 
-    const ca = await LocalCA.create(caCert);
-    const defaultCert = await ca.generateCertificate(rootDomain);
+    const localCA = await LocalCA.create(caCert);
+    const defaultCert = await localCA.generateCertificate(rootDomain, {});
 
     if (!options.acmeProvider) {
         console.log('Using self signed certificates');
@@ -70,12 +71,13 @@ async function generateTlsConfig(options: ServerOptions) {
             key: defaultCert.key,
             cert: defaultCert.cert,
             ca: caCert.cert,
-            localCA: ca,
-            generateCertificate: async (domain: string, mode?: CertMode) => {
-                if (mode === 'self-signed') return await ca.generateSelfSignedCertificate(domain);
-                if (mode === 'expired') return await ca.generateExpiredCertificate(domain);
-                if (mode === 'revoked') return await ca.generateRevokedCertificate(domain);
-                return await ca.generateCertificate(domain);
+            localCA,
+            generateCertificate: async (domain: string, options: CertOptions) => {
+                if (options.requiredType === 'acme') {
+                    throw new Error(`Can't generate cert for ${domain} without ACME`);
+                }
+
+                return await localCA.generateCertificate(domain, options);
             },
             acmeChallenge: () => undefined // Not supported
         };
@@ -94,40 +96,30 @@ async function generateTlsConfig(options: ServerOptions) {
     }
 
     const acmeCA = new AcmeCA(certCache!, options.acmeProvider, options.acmeAccountKey);
-    acmeCA.tryGetCertificateSync(rootDomain); // Preload the root domain every time
+    acmeCA.tryGetCertificateSync(rootDomain, {}); // Preload the root domain every time
 
     return {
         rootDomain,
         proactiveCertDomains: options.proactiveCertDomains,
         key: defaultCert.key,
         cert: defaultCert.cert,
         ca: caCert.cert,
-        localCA: ca,
-        generateCertificate: async (domain: string, mode?: CertMode) => {
-            if (mode === 'self-signed') return await ca.generateSelfSignedCertificate(domain);
-
-            if (mode === 'expired') {
-                // Try to get an actually-expired ACME cert; fall back to LocalCA if not expired yet
-                const expiredAcmeCert = acmeCA.tryGetExpiredCertificateSync(domain);
-                if (expiredAcmeCert) return expiredAcmeCert;
-                return await ca.generateExpiredCertificate(domain);
+        localCA,
+        generateCertificate: async (domain: string, options: CertOptions) => {
+            if (options.requiredType === 'local') {
+                return await localCA.generateCertificate(domain, options);
             }
 
-            if (mode === 'revoked') {
-                // Try to get a revoked ACME cert; fall back to LocalCA revoked cert
-                const revokedAcmeCert = acmeCA.tryGetRevokedCertificateSync(domain);
-                if (revokedAcmeCert) return revokedAcmeCert;
-                return await ca.generateRevokedCertificate(domain);
-            }
+            const cert = acmeCA.tryGetCertificateSync(domain, options);
 
-            if (domain === rootDomain || domain.endsWith('.' + rootDomain)) {
-                const cert = acmeCA.tryGetCertificateSync(domain);
-                if (cert) return cert;
+            if (cert) {
+                return cert;
+            } else {
+                if (options.requiredType === 'acme') {
+                    return await acmeCA.waitForCertificate(domain, options);
+                }
+                return await localCA.generateCertificate(domain, options);
             }
-
-            // If you use some other domain or the cert isn't immediately available, we fall back
-            // to self-signed certs for now:
-            return await ca.generateCertificate(domain);
         },
         acmeChallenge: (token: string) => acmeCA.getChallengeResponse(token)
     }