agisboye / app-store-server-api

A Node.js client for the App Store Server API
MIT License
210 stars, 32 forks

feat: Change x509 cert validation to use node-agnostic library #47

Open levi opened 6 months ago

levi commented 6 months ago

app-store-server-api currently doesn't run on platforms like Vercel edge runtime and Cloudflare workers. The blocker was the use of the node crypto package to validate the x509 certificates.

Switched to using jsrsasign, a simple and popular x509 certificate library, to read the pem files into memory and validate date, chain, and fingerprint.

agisboye commented 6 months ago

Hi @levi

Thanks a lot for the effort you've put into this PR. 😊

If possible, I'd really prefer not to add new dependencies every time a new platform pops up and can't be bothered to add proper APIs. I'm wondering if we can do one of two things:

  1. Use a package like jsrsasign conditionally (i.e. only on platforms that don't support X509Certificate natively)
  2. Use Web Crypto APIs, which seem to be supported universally.

Have you looked into any of these?

levi commented 6 months ago

These runtimes use browser-level APIs like webcrypto, so I doubt they'll ever support node-specific libraries like the X509Certificate class.

I looked into implementing this with webcrypto initially and had it working with the fingerprint verification. However, for the sake of time, I decided not to implement my own public key parser to validate the dates and certificate chain. I'm sure this can be done with pure webcrypto, but I don't think it's really worth the time, given it requires maintaining an X.509 public key parser and libraries like jsrsasign have been doing it well for years.

A conditional import probably makes the most sense, if you want to keep the original X509Certificate implementation. I'm out of time on this PR, but happy to have someone else take over!
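The fingerprint step that the comment above says works with pure webcrypto, as an added example that is not code from this PR or from the app-store-server-api project. It assumes only `globalThis.crypto.subtle` and `atob` (present on Cloudflare Workers, Vercel edge and Node 19+; the `node:crypto` import is a fallback for older Node) and covers the fingerprint check only, not validity dates or chain verification.

```javascript
// Added example (not the project's code): SHA-256 certificate fingerprint check using
// Web Crypto and atob only, so the same code runs on Node and on edge runtimes.
// Dates and chain validation are out of scope here and still need an X.509 parser.

// Web Crypto is global on edge runtimes and Node >= 19; the dynamic import is only a
// fallback for older Node versions (assumption for running this sample locally).
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import("node:crypto");
  return webcrypto.subtle;
}

// Decode a PEM block into its DER bytes without Buffer or node:crypto.
function pemToDer(pem) {
  const b64 = pem
    .replace(/-----BEGIN [^-]+-----/, "")
    .replace(/-----END [^-]+-----/, "")
    .replace(/\s+/g, "");
  const bin = atob(b64);
  const der = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) der[i] = bin.charCodeAt(i);
  return der;
}

// Lowercase hex SHA-256 over the DER encoding: the usual "certificate fingerprint".
async function sha256Fingerprint(pem) {
  const subtle = await getSubtle();
  const digest = await subtle.digest("SHA-256", pemToDer(pem));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Compare every character so timing does not depend on where the first mismatch is.
function fingerprintsEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// True when the certificate's fingerprint equals the pinned one (colons and case ignored).
async function matchesPinnedFingerprint(pem, pinnedHex) {
  const actual = await sha256Fingerprint(pem);
  return fingerprintsEqual(actual, pinnedHex.toLowerCase().replace(/:/g, ""));
}
```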

chadacious commented 6 months ago

This PR would also allow bun to use this package as it doesn't yet support X509Certificate.