
feat: Change x509 cert validation to use node-agnostic library

Open levi opened this issue 1 year ago • 3 comments

app-store-server-api currently doesn't run on platforms like Vercel edge runtime and Cloudflare workers. The blocker was the use of the node crypto package to validate the x509 certificates.

Switched to using jsrsasign, a simple and popular x509 certificate library, to read the pem files into memory and validate date, chain, and fingerprint.

levi, Feb 20 '24 23:02

Hi @levi

Thanks a lot for the effort you've put into this PR. 😊

If possible, I'd really prefer not to add new dependencies every time a new platform pops up and can't be bothered to add proper APIs. I'm wondering if we can do one of two things:

  1. Use a package like jsrsasign conditionally (i.e. only on platforms that don't support X509Certificate natively)
  2. Use Web Crypto APIs, which seem to be supported universally.

Have you looked into any of these?

agisboye, Feb 21 '24 18:02

These runtimes use browser-level APIs like webcrypto, so I doubt they'll ever support node-specific libraries like the X509Certificate class.

I looked into implementing this with webcrypto initially and had it working with the fingerprint verification. However, for the sake of time, I decided not to implement my own public key parser to validate the dates and certificate chain. I'm sure this can be done with pure webcrypto, but I don't think it's really worth the time, given it requires maintaining an X.509 public key parser and libraries like jsrsasign have been doing it well for years.

A conditional import probably makes the most sense, if you want to keep the original X509Certificate implementation. I'm out of time on this PR, but happy to have someone else take over!

levi, Feb 21 '24 18:02

This PR would also allow bun to use this package as it doesn't yet support X509Certificate.

chadacious, Feb 24 '24 15:02

It looks like Cloudflare added support for X509Certificate (https://github.com/cloudflare/workerd/issues/1304). Deno also supports it.

Bun support is being discussed here: https://github.com/oven-sh/bun/issues/13802

I'll go ahead and close this PR. If we need to make changes to support other platforms and can do it in a way that retains Node.js compatibility and doesn't introduce new dependencies, feel free to open a PR. 🙏🏼

agisboye, Oct 31 '24 12:10