From 623ae2fd40bbaec450e56052148dd48de7308a87 Mon Sep 17 00:00:00 2001
From: achingbrain
Date: Sun, 31 Mar 2024 08:04:07 +0100
Subject: [PATCH] fix: tls serial number causes illegal padding error

This is a hack to work around https://github.com/PeculiarVentures/x509/issues/74 until it is addressed upstream. It seems serial numbers starting with `80` cause `@peculiar/x509` to generate invalid certifiates that Node's `TLSSocket` then fails to parse, throwing an `ERR_OSSL_ASN1_ILLEGAL_PADDING` error, so the hack is to generate serial numbers until we get one that doesn't start with `80`. This can be reverted when the upstream issue is fixed.
---
 packages/connection-encrypter-tls/src/utils.ts | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/packages/connection-encrypter-tls/src/utils.ts b/packages/connection-encrypter-tls/src/utils.ts
index c3ea807f62..c0b6005932 100644
--- a/packages/connection-encrypter-tls/src/utils.ts
+++ b/packages/connection-encrypter-tls/src/utils.ts
@@ -153,8 +153,7 @@ export async function generateCertificate (peerId: PeerId): Promise<{ cert: stri
 }

 const selfCert = await x509.X509CertificateGenerator.createSelfSigned({
- serialNumber: uint8ArrayToString(crypto.getRandomValues(new Uint8Array(9)), 'base16'),
- name: '',
+ serialNumber: generateSerialNumber(),
 notBefore: new Date(now - CERT_VALIDITY_PERIOD_FROM),
 notAfter: new Date(now + CERT_VALIDITY_PERIOD_TO),
 signingAlgorithm: alg,
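Review bot: Dropping `name: ''` from the `createSelfSigned` options is not covered by the commit description, which only discusses the serial number, so a reader cannot tell whether it belongs to the workaround or is an unrelated change. With the property omitted, the subject and issuer presumably fall back to whatever the generator defaults to, which may change the certificate bytes that peers parse. If the removal is intentional, record it with a comment above the call such as `// name omitted on purpose: <reason>`; otherwise restore `name: '',`. `generateCertificate` starts and ends outside this hunk.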
@@ -186,6 +185,19 @@ export async function generateCertificate (peerId: PeerId): Promise<{ cert: stri
 }
 }

+function generateSerialNumber (): string {
+ // HACK: serial numbers starting with 80 generated by @peculiar/x509 don't
+ // work with TLSSocket, remove when https://github.com/PeculiarVentures/x509/issues/74
+ // is resolved
+ while (true) {
+ const serialNumber = (Math.random() * Math.pow(2, 52)).toFixed(0)
+
+ if (!serialNumber.startsWith('80')) {
+ return serialNumber
+ }
+ }
+}
+
 /**
 * @see https://github.com/libp2p/specs/blob/master/tls/tls.md#libp2p-public-key-extension
 */
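Review bot: `generateSerialNumber` draws the serial from `Math.random()`, which is not a cryptographically secure generator, whereas the line it replaces used `crypto.getRandomValues`. The value also shrinks from 72 random bits to at most 52, and because it is a decimal string its length varies and can occasionally be very short. The retry loop works just as well around the original source: inside the `while`, use `const serialNumber = uint8ArrayToString(crypto.getRandomValues(new Uint8Array(9)), 'base16')` and keep the `startsWith('80')` check. The diffstat shows no other deletions, so both helpers should still be imported. It is also worth confirming against the upstream issue whether `80` is the only prefix that triggers the parse failure, since the guard covers nothing else.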