fix: new ca & server certs, bundle in .js file and unpack for testing

bundling in certs.js rather than including the raw files should avoid some false positives that low-quality security scanners keep on complaining about.
nodejs · May 12, 2022 · 147e3d3 · 147e3d3
1 parent bf81cd4
commit 147e3d3
Show file tree

Hide file tree

Showing 6 changed files with 167 additions and 116 deletions.
diff --git a/test/fixtures/ca-bundle.crt b/test/fixtures/ca-bundle.crt
diff --git a/test/fixtures/ca.crt b/test/fixtures/ca.crt
diff --git a/test/fixtures/certs.js b/test/fixtures/certs.js
@@ -0,0 +1,150 @@
+module.exports['ca.key'] = `
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAtTbG0k2UFUyCdZuip0TTEtXRHh57qosegrpHPBreSNTxt7OT
+KfOUZp2rToTHeN9w0ZbV2eKRI5AuFx8Cmlm73/KIHKzSNTBATGMeeHnGaxvL/W/s
+KJdTDRNf7/qCXHQ+gsuEWWCFzOZuHmmAQa2IBX2HAQTqXJI8+2iJ9gytFfJLxjqy
+6O4u9ugZVHSyQJWs49tGRcWMlNm7EMStADFvJn3S11xe/kwIA2mSI/eddDnzL0Mx
+AkR9dQBL66xOABLL5v3QQdhipfHluX6HLbDd/1YsFTuOpgvLRlr72rTAFrQZCokV
+hXPiqstn5zJFW5arHakvMR0+OPaICF5feh/4qQIDAQABAoIBAHWg6exnWUF+GY0Y
+CrwDS/QFASpI5UNt7M809bqJQlMKjyEMmvF3YJQ/soxUWlsWx1f1TjmR/V6VX6W4
+hmsE5pRXDY13jTfja0lqacQQYAD02TRY63XpzIpHUlYnSWmUN2OVkgKmShQYW9C3
+8P4xE4Nk2TaLJ0oRzy3uzOb/kXcVaJfknBRUnOhuaTSs+w4l4pPXueYA7xuHgVsL
+Qq0S4kK+PmdwCMB7gzlAAQhCM3vQ1U4cjC9JIIKSmPy7BcvD0kBfVPIFQ2byGpA1
+VkWBLSyeig0YxA5oIshK5cLiDIfBIiCSEzm4AMhVhGf0tbGEwiPljxKjbarYUUIi
+ATMk83UCgYEA7kKeOveuPbMqxmT42swfa9OU5jLUjH+VExU0Kv3BbEjv/OGt0fac
+/cs1Ze3vnrtCHudVajocFjydb8B4c62DbA4/T+LcUw/HaMaORbOoICQidi/zZ1Lj
+gjg8Ip2WKXEhSAwqUpaFd6w16NZOxiTh+NDaRKywwbe8j57eDH4uR6MCgYEAwrTS
+q5ra6+WDGUFMs0y3GMbL8j14PGhxBQBYSTM//NysI+EM6eeKn1cV3BbphEw//jgE
+0pVokkjvLAQWWEG2dZyRxRE3YAMgOAIPx5zbJCim3iBVuoqY9ckLg2jF8Fqqubsb
+3Rf2/Xzn/rFqsXdhsjGcJpdN66T9aEjwEkAnc0MCgYA5cOYk4UGormFJo147oaqR
+nFjxhp+nn7qY9yu0kajoKk1xchct337J0Qv2nv5+DjdKrArzqT7MPaDXKFfhy5s7
+mdO5tr/XZp50rCnws/d8iDmmtLjB2EHxSw10avmg1B1p+UTa1F8pEuOMVt529r1j
+9zYoCFo02c8j8PEnoeQWcQKBgQCVBCuQZu5SSM/zTkTTnU0sy0lf1qflI9IMD92B
++JVqg8HDnAR0KF+x38a9MVP7ixgXCuy19t+XxfY269HmLjTlArWV671D4GCSPRGy
+plwZ6nr72ieCo3y57+q94jxL3jh3+bozlpnUG/q6tTKBLGs7JDjsWDSsuxOu8tO6
+RBttXQKBgB6LQFOTjDMfsFHKsnQXFUZId3GG/iLg3WCWxEo88T5Rq3JIR0zDpW8H
+cKhl/sPY+JVHsxizNCMPtp7Hn7GrB6D/v9LbO0jpG2U0BFiJ6zhiDopbP9B0EAW4
+5JJ+JGKRKoCxs3DmSVyns0gU4j4rVte97UWyVy5TZ8Acr/qrgOA1
+-----END RSA PRIVATE KEY-----
+`
+
+module.exports['ca.crt'] = `
+-----BEGIN CERTIFICATE-----
+MIIDmzCCAoOgAwIBAgIUDA0GrvcnG41XT6LYFeNwvq8YV1UwDQYJKoZIhvcNAQEL
+BQAwXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRAwDgYDVQQKDAdOb2RlLmpz
+MREwDwYDVQQLDAhub2RlLWd5cDEcMBoGA1UEAwwTbm9kZS1neXAubm9kZWpzLm9y
+ZzAeFw0yMjA1MTEwNDIyMjRaFw00OTA5MjUwNDIyMjRaMF0xCzAJBgNVBAYTAlVT
+MQswCQYDVQQIDAJDQTEQMA4GA1UECgwHTm9kZS5qczERMA8GA1UECwwIbm9kZS1n
+eXAxHDAaBgNVBAMME25vZGUtZ3lwLm5vZGVqcy5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC1NsbSTZQVTIJ1m6KnRNMS1dEeHnuqix6Cukc8Gt5I
+1PG3s5Mp85RmnatOhMd433DRltXZ4pEjkC4XHwKaWbvf8ogcrNI1MEBMYx54ecZr
+G8v9b+wol1MNE1/v+oJcdD6Cy4RZYIXM5m4eaYBBrYgFfYcBBOpckjz7aIn2DK0V
+8kvGOrLo7i726BlUdLJAlazj20ZFxYyU2bsQxK0AMW8mfdLXXF7+TAgDaZIj9510
+OfMvQzECRH11AEvrrE4AEsvm/dBB2GKl8eW5foctsN3/ViwVO46mC8tGWvvatMAW
+tBkKiRWFc+Kqy2fnMkVblqsdqS8xHT449ogIXl96H/ipAgMBAAGjUzBRMB0GA1Ud
+DgQWBBT6LcYYABEOAMv4hI/5bC82rGlD/DAfBgNVHSMEGDAWgBT6LcYYABEOAMv4
+hI/5bC82rGlD/DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9
+D+qoKw0njub+NaFRS2DFbSiKb5JKTxVjU5aNusFONFLSXBuRpnYyjjkXpJy8JMWz
+g8GFDEPP6kiSb8xaPNrFcUzb4PFzJabNTuaLJpBpd2gNBj5AeYwwpRa2DPv/b4yw
+y2mfULuCWS09ZAguI2OcaARlAsFxYN0IuQ6pN1AvGFGee67ve9l2VF/hhwEi4lCk
+MM0CWlP6COJ8TX7X0MTtexVOgo9m3hBuTSYEZClYFIdSOk10xkPl8Y3Iz/x6mzfK
+Uu2l2ZtYvSdAX1CQMds3ZWt0ChNNEjOKPv4g2QSDhGkiqrmi4wUS81g68wKqOpqn
+GbN8uKxIfyMjqZKaujPR
+-----END CERTIFICATE-----
+`
+
+module.exports['server.key'] = `
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvPM99BkYrBcTM355dhz4XzhSDRGxa9qttUlBSgEsbu2UjsRm
+XjDS+60XXd66tWpPwLeUd2uvlC/ltv5ekv+EBu35j1KfA1+K1rtFzb1i40kMCsns
+OoXjgpsN2wvkxMdFkT2bkqKCS6X0xzlWea1t4poKh9iG7n3otk4RzPNawfwQ9W5n
+o9/8i6AUwDbuK4dhAId/Inw2aKrMyQ+AiSvsDM2wUMq+pV7nP46f7MhR4xiGz14z
+ATFdjM3Oo/1NKrr0WgVM6i0eNAtuIDqIs8YE7SfODe/SzpJySxewutfYi62OaLh/
+hmWByj/pF5SoNMLyJHxn4GyKK+Qle9NJAThLiwIDAQABAoIBAQCZs4h/Cvct7etZ
+pRUqxnAoDQl5xh28LXvGj1uD1qaNacfBxvO6xR6rSedLHcZlkqBjlTI5XqjJ85h6
+njrSevWsKWMrejsNpGetO1OSA+/wEVixYgY+qPEkKftAZ1Fl3O+zMRlfU8CHxuzy
+Lqsweap8fW/5h2JjmJp3ydPjE0aNqpQ+0LtYBBawKDIe2zPNOmTPwz3D8qJNQJKU
+Qdj08dO/vPZncllPagGvpqhfv4hMyNChr71eBbEFsi3O5VJxfZyj+fQG0DGocr/y
+sV54HtYk5j06wMxZFLQtaJn+1pOXquZMNwodSPnbrR/+CI1SZeB8N6VyqqOdmrDz
+5NbfGJiRAoGBAPrCuQxJwgc2MzpEtrXA4+1uuV8QWGy3+wNKxKw4lgyC7peXXrVK
+l9FkOOAPr8puPRABgDS9t6vo59BAP3Wrx0oJ9PA/Qn03WYLfJMepWqlK7ni9kS04
+5owRTduK7P190sp0m6iicsnchGSSOchECwB5UmtHysEFiuY0T+0pdNbjAoGBAMDl
+57lwZDfNTGGDxLQYVzbrXgKcD60DW9MhvH3uso6cw5NYs3tmENCh9D6YrCNN4PmL
+zdp4dKbOFoGJdy22TK31nrezUuNKSK+QKH2gsmNVI+a5QokNO1Cfk+PMLoOR5du2
+nwyVvzdaBwuXU4fhmwvLv/SCFNEJ0EgUILeMETE5AoGBAIwLXf9v3e3bJkb/gy8E
+mAbNVLez0D5/ja9r/WTVgW9hXFDLF/iVvS4TE/SGrj2WzYF35RsPbVmUDIrwpsBX
+/EfsQaA/JCn8VIBTkR31Bg4QLBjAfijMY22MaHgZIXv83lF1SE2o1ATKpCHqzFx9
+K8vK9e22PZUJPGaOhqjEA13TAoGAEPipSJFw38/6NmInfkjd84EFxmkAoBI5k/vV
+36aOoyl7s40MTYEPXavCF3fLPVfuwUXhmKUcbkiXhlIX4De3y15e1n66fjDc8EVY
+qqTmzQKCpBwMlI5Ld65yjoo6VW0SsiABIlRSfIY5NHXd7YiV4ZXNj6+aMUIRxyWu
+Mzfpk1ECgYBZw8lML+F8XbcmCLGYuicf0V/wgFaJr8nnPeW7AiQrv13Ju1ItEaC8
+Tz8F7OfC+FoUb0MGjXHKquDVBDs4xSuS+Ol+rlZEK68ALpm8sUgp6YjARYiXlprs
+6o4kN0P5F+DVU2SP6fo9zKLCxaTH9VAQ9C3VUViGAFLBt4DVDmj77g==
+-----END RSA PRIVATE KEY-----
+`
+
+module.exports['server.crt'] = `
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh8CFBg1Ph5t5rBlAbCrEn/PexNy9WunMA0GCSqGSIb3DQEBCwUAMF0x
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEQMA4GA1UECgwHTm9kZS5qczERMA8G
+A1UECwwIbm9kZS1neXAxHDAaBgNVBAMME25vZGUtZ3lwLm5vZGVqcy5vcmcwHhcN
+MjIwNTExMDQyMjI0WhcNMjMwOTIzMDQyMjI0WjBTMQswCQYDVQQGEwJVUzELMAkG
+A1UECAwCQ0ExEDAOBgNVBAoMB05vZGUuanMxETAPBgNVBAsMCG5vZGUtZ3lwMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC88z30GRisFxMzfnl2HPhfOFINEbFr2q21SUFKASxu7ZSOxGZeMNL7rRdd3rq1
+ak/At5R3a6+UL+W2/l6S/4QG7fmPUp8DX4rWu0XNvWLjSQwKyew6heOCmw3bC+TE
+x0WRPZuSooJLpfTHOVZ5rW3imgqH2Ibufei2ThHM81rB/BD1bmej3/yLoBTANu4r
+h2EAh38ifDZoqszJD4CJK+wMzbBQyr6lXuc/jp/syFHjGIbPXjMBMV2Mzc6j/U0q
+uvRaBUzqLR40C24gOoizxgTtJ84N79LOknJLF7C619iLrY5ouH+GZYHKP+kXlKg0
+wvIkfGfgbIor5CV700kBOEuLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEhaNEye
+JsE4eG1xaGmHq7w9eV0neOaZ58XCuF1sSEMIy9uMnl3aOdctxh/1SYkqJyMct79q
+Ra2UZ6mauRlOeqdHb+HZKrFYYUOtd1HOWWJ44Gaya2EQMiTbd/Ns9Th2KTbTOCbL
+CHFNska9Ty2ioT7VcrVuIEXFPMua5T4lnCkNJQla800pHHOak2baN/c66Io+8XI2
+xiqaVrLT3qvpzdiiEjo4POeRnWMIgJJshy77Am5JlhaJiAqP1AHfh/tYpliGkjXF
+8DSgSoLHSQfalJ4VQvP4XLc/XnmF5Zt6bvwUxCllEBFRneU74bW7/euYX/TpYobr
+Y+YM7fGiCqwHdUs=
+-----END CERTIFICATE-----
+`
+
+module.exports['ca-bundle.crt'] = `
+-----BEGIN CERTIFICATE-----
+MIIDJjCCAg4CAhnOMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
+VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEZMBcGA1UECgwQU3Ryb25n
+TG9vcCwgSW5jLjESMBAGA1UECwwJU3Ryb25nT3BzMRowGAYDVQQDDBFjYS5zdHJv
+bmdsb29wLmNvbTAeFw0xNTEyMDgyMzM1MzNaFw00MzA0MjQyMzM1MzNaMBkxFzAV
+BgNVBAMMDnN0cm9uZ2xvb3AuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAwOYI7OZ2FX/YjRgLZoDQlbPc5UZXU/j0e1wwiJNPtPEax9Y5Uoza0Pnt
+Ikzkc2SfvQ+IJrhXo385tI0W5juuqbHnE7UrjUuPjUX6NHevkxcs/flmjan5wnZM
+cPsGhH71WDuUEEflvZihf2Se2x+xgZtMhc5XGmVmRuZFYKvkgUhA2/w8/QrK+jPT
+n9QRJxZjWNh2RBdC1B7u4jffSmOSUljYFH1I2eTeY+Rdi6YUIYSU9gEoZxsv3Tia
+SomfMF5jt2Mouo6MzA+IhLvvFjcrcph1Qxgi9RkfdCMMd+Ipm9YWELkyG1bDRpQy
+0iyHD4gvVsAqz1Y2KdRSdc3Kt+nTqwIDAQABoxkwFzAVBgNVHREEDjAMhwQAAAAA
+hwR/AAABMA0GCSqGSIb3DQEBBQUAA4IBAQAhy4J0hML3NgmDRHdL5/iTucBe22Mf
+jJjg2aifD1S187dHm+Il4qZNO2plWwAhN0h704f+8wpsaALxUvBIu6nvlvcMP5PH
+jGN5JLe2Km3UaPvYOQU2SgacLilu+uBcIo2JSHLV6O7ziqUj5Gior6YxDLCtEZie
+Ea8aX5/YjuACtEMJ1JjRqjgkM66XAoUe0E8onOK3FgTIO3tGoTJwRp0zS50pFuP0
+PsZtT04ck6mmXEXXknNoAyBCvPypfms9OHqcUIW9fiQnrGbS/Ri4QSQYj0DtFk/1
+na4fY1gf3zTHxH8259b/TOOaPfTnCEsOQtjUrWNR4xhmVZ+HJy4yytUW
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDbzCCAlcCAmm6MA0GCSqGSIb3DQEBCwUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
+VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEZMBcGA1UECgwQU3Ryb25n
+TG9vcCwgSW5jLjESMBAGA1UECwwJU3Ryb25nT3BzMRowGAYDVQQDDBFjYS5zdHJv
+bmdsb29wLmNvbTAeFw0xNTEyMDgyMzM1MzNaFw00MzA0MjQyMzM1MzNaMH0xCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEZ
+MBcGA1UECgwQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECwwJU3Ryb25nT3BzMRow
+GAYDVQQDDBFjYS5zdHJvbmdsb29wLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANfj86jkvvYDjHBgiqWhk9Cj+bqiMq3MqnV0CBO4iuK33Fo6XssE
+H+yVdXlIBFbFe6t655MdBVOR2Sfj7WqNh96vhu6PyDHiwcQlTaiLU6nhIed1J4Wv
+lvnJHFmp8Wbtx5AgLT4UYu03ftvXEl2DLi3vhSL2tRM1ebXHB/KPbRWkb25DPX0P
+foOHot3f2dgNe2x6kponf7E/QDmAu3s7Nlkfh+ryDhgGU7wocXEhXbprNqRqOGNo
+xbXgUI+/9XDxYT/7Gn5LF/fPjtN+aB0SKMnTsDhprVlZie83mlqJ46fOOrR+vrsQ
+mi/1m/TadrARtZoIExC/cQRdVM05EK4tUa8CAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAQ7k5WhyhDTIGYCNzRnrMHWSzGqa1y4tJMW06wafJNRqTm1cthq1ibc6Hfq5a
+K10K0qMcgauRTfQ1MWrVCTW/KnJ1vkhiTOH+RvxapGn84gSaRmV6KZen0+gMsgae
+KEGe/3Hn+PmDVV+PTamHgPACfpTww38WHIe/7Ce9gHfG7MZ8cKHNZhDy0IAYPln+
+YRwMLd7JNQffHAbWb2CE1mcea4H/12U8JZW5tHCF6y9V+7IuDzqwIrLKcW3lG17n
+VUG6ODF/Ryqn3V5X+TL91YyXi6c34y34IpC7MQDV/67U7+5Bp5CfeDPWW2wVSrW+
+uGZtfEvhbNm6m2i4UNmpCXxUZQ==
+-----END CERTIFICATE-----
+`
diff --git a/test/fixtures/server.crt b/test/fixtures/server.crt
diff --git a/test/fixtures/server.key b/test/fixtures/server.key
diff --git a/test/test-download.js b/test/test-download.js
@@ -12,6 +12,7 @@ const devDir = require('./common').devDir()
 const rimraf = require('rimraf')
 const gyp = require('../lib/node-gyp')
 const log = require('npmlog')
+const certs = require('./fixtures/certs')
 
 log.level = 'warn'
 
@@ -40,12 +41,12 @@ test('download over http', async (t) => {
 test('download over https with custom ca', async (t) => {
   t.plan(3)
 
-  const cafile = path.join(__dirname, '/fixtures/ca.crt')
-  const [cert, key, ca] = await Promise.all([
-    fs.promises.readFile(path.join(__dirname, 'fixtures/server.crt'), 'utf8'),
-    fs.promises.readFile(path.join(__dirname, 'fixtures/server.key'), 'utf8'),
-    install.test.readCAFile(cafile)
-  ])
+  const cafile = path.join(__dirname, 'fixtures/ca.crt')
+  const cacontents = certs['ca.crt']
+  const cert = certs['server.crt']
+  const key = certs['server.key']
+  await fs.promises.writeFile(cafile, cacontents, 'utf8')
+  const ca = await install.test.readCAFile(cafile)
 
   t.strictEqual(ca.length, 1)
 
@@ -55,7 +56,10 @@ test('download over https with custom ca', async (t) => {
     res.end('ok')
   })
 
-  t.tearDown(() => new Promise((resolve) => server.close(resolve)))
+  t.tearDown(async () => {
+    await new Promise((resolve) => server.close(resolve))
+    await fs.promises.unlink(cafile)
+  })
 
   server.on('clientError', (err) => { throw err })
 
@@ -150,6 +154,12 @@ test('download with missing cafile', async (t) => {
 })
 
 test('check certificate splitting', async (t) => {
+  const cafile = path.join(__dirname, 'fixtures/ca-bundle.crt')
+  const cacontents = certs['ca-bundle.crt']
+  await fs.promises.writeFile(cafile, cacontents, 'utf8')
+  t.tearDown(async () => {
+    await fs.promises.unlink(cafile)
+  })
   const cas = await install.test.readCAFile(path.join(__dirname, 'fixtures/ca-bundle.crt'))
   t.plan(2)
   t.strictEqual(cas.length, 2)