search

agisboye / app-store-server-api

A Node.js client for the App Store Server API
MIT License
218 stars 36 forks source link

feat: Change x509 cert validation to use node-agnostic library #47

Closed levi closed 1 month ago

levi commented 9 months ago

app-store-server-api currently doesn't run on platforms like Vercel edge runtime and Cloudflare workers. The blocker was the use of the node crypto package to validate the x509 certificates.

Switched to using jsrsasign, a simple and popular x509 certificate library, to read the pem files into memory and validate date, chain, and fingerprint.

agisboye commented 9 months ago

Hi @levi

Thanks a lot for the effort you've put into this PR. 😊

If possible, I'd really prefer not to add new dependencies every time a new platform pops up and can't be bothered to add proper APIs. I'm wondering if we can do one of two things:

  1. Use a packages like jsrsasign conditionally (i.e. only on platforms that don't support X509Certificate natively)
  2. Use Web Crypto APIs, which seem to be support universally.

Have you looked into any of these?

levi commented 9 months ago

These runtimes use browser-level APIs like webcrypto, so I doubt they'll ever support node-specific libraries like the X509Certificate class.

I looked into implementing this with webcrypto initially and had it working with the fingerprint verification. However, for the sake of time, I decided not to implement my own public key parser to validate the dates and certificate chain. I'm sure this can be done with pure webcrypto, but I don't think it's really worth the time, given it requires maintaining a X.509 public key parser and libraries like jsrsasign have been doing it well for years.

A conditional import probably makes the most sense, if you want to keep the original X509Certificate implementation. I'm out of time on this PR, but happy to have someone else take over!

chadacious commented 9 months ago

This PR would also allow bun to use this package as it doesn't yet support X509Certificate.

agisboye commented 1 month ago

It looks like Cloudflare added support for X509Certificate (https://github.com/cloudflare/workerd/issues/1304). Deno also supports it.

Bun support is being discussed here: https://github.com/oven-sh/bun/issues/13802

I'll go ahead and close this PR. If we need to make changes to support other platforms and can do it in a way that retains Node.js compatibility and doesn't introduce new dependencies, feel free to open a PR. 🙏🏼