Allow Setting SSL Certs via string instead of just File Path #5810

Closed
Lonniebiz opened this issue May 24, 2020 · 3 comments
Labels: cli (related to cli/ dir), public API (related to "Deno" namespace in JS), suggestion (suggestions for new features, yet to be agreed)

Lonniebiz commented May 24, 2020

I was trying to find documentation about the HTTPSOptions object that can be passed to the serveTLS and listenAndServeTLS functions. I couldn't find much.

From looking at the code, it seems that it is not possible to specify the cert using a string of the cert itself instead of a file path to the cert file.

For example, let's say I have a module called ssl.js that looks like this:

```js
export const certificate = `-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----`;

export const privateKey = `-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----`;
```

I'd like the ability to import { certificate, privateKey } and use those values to set the HTTPSOptions object. You have this flexibility in node's https.createServer function.

I realize that the developer was trying to eliminate code by accepting a path instead of the cert's actual string. However, this shortcut removes a little flexibility; if the cert is already cached as a string, another read cannot be avoided. This also makes it impossible to run the script without the --allow-read permission. If the option accepted the actual string, instead of just the file's path, no read access would be necessary to run the script.

This also prevents you from being able to bundle your app into a totally independent, single standalone file; bare minimum you would have to publish 3 files: the bundle.js, the private key, and the public key.

I'm not sure how you'd address this in a manner that doesn't break existing code. If it is too late to make it accept a cert-string instead of file-path, then perhaps, in addition to the certFile and keyFile properties you could also add certString and keyString properties that get checked when certFile and keyFile are undefined.

Lastly, if you can think of other places in Deno, where it assumes that a string is coming from a file, those places too may also be (inadvertently) sacrificing flexibility for convenience.

@bartlomieju bartlomieju added cli related to cli/ dir public API related to "Deno" namespace in JS suggestion suggestions for new features (yet to be agreed) labels May 24, 2020
@ry
Member

ry commented May 24, 2020

Also via ArrayBuffer would probably be useful, for raw certificate data.
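
The fallback proposed in this issue (certString/keyString checked when certFile/keyFile are undefined), together with the raw-bytes suggestion in the comment above, sketched as an added example that is not Deno or std code. `resolveTlsMaterial`, `toPemText`, `checkPem` and the injected `readTextFile` are hypothetical names, and raw bytes without a PEM header are assumed to be DER.

```javascript
// Added example, not Deno or std code. certFile/keyFile/certString/keyString are the
// names used in this issue; resolveTlsMaterial and readTextFile are hypothetical.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\s+[A-Za-z0-9+\/][A-Za-z0-9+\/=\s]*-----END \1-----\s*/g;

// Normalise a string, Uint8Array or ArrayBuffer to PEM text. Bytes that do not
// start with a PEM header are assumed to be DER and are wrapped under `label`.
function toPemText(value, label) {
  if (typeof value === "string") return value.trim();
  const bytes = value instanceof ArrayBuffer ? new Uint8Array(value) : value;
  if (!(bytes instanceof Uint8Array)) throw new TypeError("expected string or bytes");
  const text = new TextDecoder().decode(bytes).trim();
  if (text.startsWith("-----BEGIN ")) return text;
  const b64 = btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(""));
  const body = (b64.match(/.{1,64}/g) || []).join("\n");
  return `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----`;
}

// Only PEM blocks of the expected kind are accepted: one or more CERTIFICATE blocks
// (a chain) for cert, exactly one *PRIVATE KEY block for key. Errors never echo input.
function checkPem(pem, kind) {
  const labels = Array.from(pem.matchAll(PEM_BLOCK), (m) => m[1]);
  if (labels.length === 0 || pem.replace(PEM_BLOCK, "").trim() !== "") {
    throw new TypeError(`${kind}: not well-formed PEM`);
  }
  const ok = kind === "cert"
    ? labels.every((l) => l === "CERTIFICATE")
    : labels.length === 1 && labels[0].endsWith("PRIVATE KEY");
  if (!ok) throw new TypeError(`${kind}: unexpected PEM label ${labels.join(", ")}`);
  return pem;
}

// File paths win when set (existing callers are unaffected); the in-memory value
// is used only when the *File option is undefined, and then nothing is read.
function resolveTlsMaterial(options, readTextFile) {
  const out = { needsRead: false };
  for (const [kind, label] of [["cert", "CERTIFICATE"], ["key", "PRIVATE KEY"]]) {
    const file = options[`${kind}File`], inline = options[`${kind}String`];
    if (file !== undefined) {
      out[kind] = checkPem(readTextFile(file).trim(), kind);
      out.needsRead = true;
    } else if (inline !== undefined) {
      out[kind] = checkPem(toPemText(inline, label), kind);
    } else throw new TypeError(`${kind}: set ${kind}File or ${kind}String`);
  }
  return out;
}
// Constructed placeholders (not real key material), only to exercise the checks.
const SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----";
const SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----";
```

With only the in-memory options set, the injected reader is never called, which is the case where no read permission would be needed.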

@Lonniebiz
Author

Lonniebiz commented May 26, 2020

If 3rd party libraries, such as oak, base their https on serveTLS and listenAndServeTLS, then I assume they too will inherit the same inflexibility of only accepting a path for SSL certificates. @kitsonk

To me, it is very important that the low level standard libraries be flexible, because any rigidness they have typically gets inherited by numerous 3rd Party Modules.

@bartlomieju
Member

This is now implemented, see https://deno.com/blog/v1.15#in-memory-ca-certificates
