Merge pull request #265 from garden-io/no-native-openssl

refactor: get rid of native OpenSSL dependency
garden-io · Sep 10, 2018 · fa1fd9d · fa1fd9d
2 parents 734d252 + 64e962a
commit fa1fd9d
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 18 deletions.
diff --git a/garden-cli/package-lock.json b/garden-cli/package-lock.json
diff --git a/garden-cli/package.json b/garden-cli/package.json
@@ -28,6 +28,7 @@
     "async-lock": "^1.1.3",
     "axios": "^0.18.0",
     "bluebird": "^3.5.1",
+    "certpem": "^1.1.2",
     "chalk": "^2.4.1",
     "child-process-promise": "^2.2.1",
     "chokidar": "^2.0.4",
@@ -70,8 +71,7 @@
     "uniqid": "^5.0.3",
     "uuid": "^3.3.2",
     "winston": "^3.0.0",
-    "wrap-ansi": "^3.0.1",
-    "x509": "github:stormwin/node-x509"
+    "wrap-ansi": "^3.0.1"
   },
   "devDependencies": {
     "@commitlint/cli": "^7.0.0",

diff --git a/garden-cli/src/plugins/kubernetes/ingress.ts b/garden-cli/src/plugins/kubernetes/ingress.ts
@@ -7,15 +7,15 @@
  */
 
 import { V1Secret } from "@kubernetes/client-node"
-import { groupBy, uniq, omit } from "lodash"
+import { groupBy, omit, find } from "lodash"
 import { findByName } from "../../util/util"
 import { ContainerService, ContainerEndpointSpec } from "../container"
 import { SecretRef, IngressTlsCertificate } from "./kubernetes"
 import { ServiceEndpoint, ServiceProtocol } from "../../types/service"
 import * as Bluebird from "bluebird"
 import { KubeApi } from "./api"
 import { ConfigurationError, PluginError } from "../../exceptions"
-const x509 = require("x509")
+import { certpem } from "certpem"
 
 interface ServiceEndpointWithCert extends ServiceEndpoint {
   spec: ContainerEndpointSpec
@@ -181,14 +181,28 @@ async function getCertificateHostnames(api: KubeApi, cert: IngressTlsCertificate
       )
     }
 
-    const crt = Buffer.from(secret.data["tls.crt"], "base64").toString()
+    const crtData = Buffer.from(secret.data["tls.crt"], "base64").toString()
 
     try {
-      const subject = x509.getSubject(crt)
-      const hostnames = uniq([
-        ...(subject.commonName ? [subject.commonName] : []),
-        ...x509.getAltNames(crt),
-      ])
+      // Note: Can't use the certpem.info() method here because of multiple bugs.
+      // And yes, this API is insane. Crypto people are bonkers. Seriously. - JE
+      const certInfo = certpem.debug(crtData)
+
+      const hostnames: string[] = []
+
+      const commonNameField = find(certInfo.subject.types_and_values, ["type", "2.5.4.3"])
+      if (commonNameField) {
+        hostnames.push(commonNameField.value.value_block.value)
+      }
+
+      for (const ext of certInfo.extensions || []) {
+        if (ext.parsedValue && ext.parsedValue.altNames) {
+          for (const alt of ext.parsedValue.altNames) {
+            hostnames.push(alt.Name)
+          }
+        }
+      }
+
       certificateHostnames[cert.name] = hostnames
 
       return hostnames