fix: move pki generation to test-tooling

Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>

packages/cactus-cmd-api-server/src/main/typescript/config/self-signed-pki-generator.ts

@@ -1,13 +1,31 @@
+/**
+ * @deprecated Moved to packages/cactus-test-tooling/src/main/typescript/pki/self-signed-pki-generator.ts
+ */
+
 import { pki, md } from "node-forge";
 import { v4 as uuidV4 } from "uuid";
 import { Strings } from "@hyperledger/cactus-common";
 
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgeKeyPair = pki.rsa.KeyPair;
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgePrivateKey = pki.rsa.PrivateKey;
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgeCertificate = pki.Certificate;
+/**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ */
 export type ForgeCertificateField = pki.CertificateField;
 
 /**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ *
  * PKI as in public key infrastructure and x509 certificates.
  */
 export interface IPki {
@@ -18,6 +36,8 @@ export interface IPki {
 }
 
 /**
+ * @deprecated Moved to \@hyperledger/cactus-test-tooling
+ *
  * Do not use this for anything in a production deployment. It's meant as a helper
  * class for development and testing purposes (enhancing developer experience).
  *

packages/cactus-plugin-ledger-connector-fabric-socketio/package.json

@@ -35,7 +35,7 @@
   },
   "devDependencies": {
     "@hyperledger/cactus-api-client": "1.0.0",
-    "@hyperledger/cactus-cmd-api-server": "1.0.0",
+    "@hyperledger/cactus-test-tooling": "1.0.0",
     "@types/config": "0.0.41",
     "ts-node": "9.1.1"
   }

packages/cactus-plugin-ledger-connector-fabric-socketio/src/test/typescript/integration/fabric-socketio-connector.test.ts

@@ -24,6 +24,7 @@ const sutLogLevel: LogLevelDesc = "info";
 import {
   FabricTestLedgerV1,
   pruneDockerAllIfGithubAction,
+  SelfSignedPkiGenerator,
 } from "@hyperledger/cactus-test-tooling";
 
 import {
@@ -32,8 +33,6 @@ import {
   Logger,
 } from "@hyperledger/cactus-common";
 
-import { SelfSignedPkiGenerator } from "@hyperledger/cactus-cmd-api-server";
-
 import { SocketIOApiClient } from "@hyperledger/cactus-api-client";
 
 import {

packages/cactus-plugin-ledger-connector-fabric-socketio/tsconfig.json

@@ -17,7 +17,7 @@
       "path": "../cactus-api-client/tsconfig.json"
     },
     {
-      "path": "../cactus-cmd-api-server/tsconfig.json"
+      "path": "../cactus-test-tooling/tsconfig.json"
     }
   ]
 }

packages/cactus-test-tooling/package.json

@@ -76,13 +76,15 @@
     "keycloak-admin": "1.14.21",
     "lodash": "4.17.21",
     "node-ssh": "12.0.0",
+    "node-forge": "1.3.0",
     "p-retry": "4.6.1",
     "run-time-error": "1.4.0",
     "tar-stream": "2.2.0",
     "temp": "0.9.4",
     "typescript-optional": "2.0.1",
     "web3": "1.5.2",
-    "web3-core": "1.5.2"
+    "web3-core": "1.5.2",
+    "uuid": "8.3.2"
   },
   "devDependencies": {
     "@types/dockerode": "3.2.7",

packages/cactus-test-tooling/src/main/typescript/pki/self-signed-pki-generator.ts

@@ -0,0 +1,155 @@
+import { pki, md } from "node-forge";
+import { v4 as uuidV4 } from "uuid";
+import { Strings } from "@hyperledger/cactus-common";
+
+export type ForgeKeyPair = pki.rsa.KeyPair;
+export type ForgePrivateKey = pki.rsa.PrivateKey;
+export type ForgeCertificate = pki.Certificate;
+export type ForgeCertificateField = pki.CertificateField;
+
+/**
+ * PKI as in public key infrastructure and x509 certificates.
+ */
+export interface IPki {
+  keyPair: ForgeKeyPair;
+  certificate: ForgeCertificate;
+  certificatePem: string;
+  privateKeyPem: string;
+}
+
+/**
+ * Do not use this for anything in a production deployment. It's meant as a helper
+ * class for development and testing purposes (enhancing developer experience).
+ *
+ * Secure by default is one of our core design principles and it's much harder to
+ * enforce/implement that it sounds when you also do not want to ruin the ease
+ * of use of the software. Dynamically pre-provisioning PKI is notoriously
+ * complicated and error prone to the average user/developer.
+ *
+ */
+export class SelfSignedPkiGenerator {
+  public create(commonName: string, parent?: IPki): IPki {
+    const keyPair: pki.rsa.KeyPair = pki.rsa.generateKeyPair(4096);
+    const privateKeyPem: string = pki.privateKeyToPem(keyPair.privateKey);
+    const certificate = pki.createCertificate();
+
+    this.configureCertificateParameters(keyPair, certificate, commonName);
+    if (parent) {
+      certificate.setIssuer(parent.certificate.subject.attributes);
+      certificate.publicKey = keyPair.publicKey;
+      // certificate.privateKey = keyPair.privateKey;
+      certificate.sign(parent.keyPair.privateKey, md.sha512.create());
+
+      if (!parent.certificate.verify(certificate)) {
+        throw new Error("Could not verify newly generated certificate");
+      }
+    } else {
+      certificate.sign(keyPair.privateKey, md.sha512.create());
+    }
+
+    const certificatePem = pki.certificateToPem(certificate);
+    return { keyPair, certificate, certificatePem, privateKeyPem };
+  }
+
+  public configureCertificateParameters(
+    keyPair: pki.rsa.KeyPair,
+    certificate: pki.Certificate,
+    commonName: string,
+  ): pki.Certificate {
+    // 20 octets max for serial numbers of certs as per the standard
+    const serialNumber = Strings.replaceAll(uuidV4(), "-", "").substring(0, 19);
+    certificate.serialNumber = serialNumber;
+    certificate.publicKey = keyPair.publicKey;
+    certificate.privateKey = keyPair.privateKey;
+    certificate.validity.notBefore = new Date();
+    certificate.validity.notAfter = new Date();
+
+    const nextYear = certificate.validity.notBefore.getFullYear() + 1;
+    certificate.validity.notAfter.setFullYear(nextYear);
+
+    const certificateFields: ForgeCertificateField[] = [
+      {
+        shortName: "CN",
+        name: "commonName",
+        value: commonName,
+      },
+      {
+        name: "countryName",
+        value: "Universe",
+      },
+      {
+        shortName: "ST",
+        value: "Milky Way",
+      },
+      {
+        shortName: "L",
+        name: "localityName",
+        value: "Planet Earth",
+      },
+      {
+        shortName: "O",
+        name: "organizationName",
+        value: "Hyperledger",
+      },
+      {
+        shortName: "OU",
+        value: "Cactus",
+      },
+      {
+        name: "unstructuredName",
+        value: "Cactus Dummy Self Signed Certificates",
+      },
+    ];
+
+    certificate.setSubject(certificateFields);
+
+    certificate.setIssuer(certificateFields);
+
+    certificate.setExtensions([
+      {
+        name: "basicConstraints",
+        cA: true,
+      },
+      {
+        name: "keyUsage",
+        keyCertSign: true,
+        digitalSignature: true,
+        nonRepudiation: true,
+        keyEncipherment: true,
+        dataEncipherment: true,
+      },
+      {
+        name: "extKeyUsage",
+        serverAuth: true,
+        clientAuth: true,
+        codeSigning: true,
+        emailProtection: true,
+        timeStamping: true,
+      },
+      {
+        name: "nsCertType",
+        client: true,
+        server: true,
+        email: true,
+        objsign: true,
+        sslCA: true,
+        emailCA: true,
+        objCA: true,
+      },
+      {
+        name: "subjectAltName",
+        altNames: [
+          {
+            type: 7, // IP
+            ip: "127.0.0.1",
+          },
+        ],
+      },
+      {
+        name: "subjectKeyIdentifier",
+      },
+    ]);
+
+    return certificate;
+  }
+}

packages/cactus-test-tooling/src/main/typescript/public-api.ts

@@ -129,6 +129,15 @@ export {
   OpenEthereumTestLedger,
 } from "./openethereum/openethereum-test-ledger";
 
+export {
+  SelfSignedPkiGenerator,
+  ForgeCertificateField,
+  ForgeCertificate,
+  ForgeKeyPair,
+  ForgePrivateKey,
+  IPki,
+} from "./pki/self-signed-pki-generator";
+
 export {
   GoIpfsTestContainer,
   IGoIpfsTestContainerOptions,