ability to fetch client certs for p2p

server/api/v1/auth/signup/simple.post.ts

@@ -32,7 +32,7 @@ export default defineEventHandler(async (h3) => {
         responseType: "stream",
       }),
     {},
-    [`anonymous:read`, `${userId}:write`]
+    [`anonymous:read`, `${userId}:write`],
   );
   const user = await prisma.user.create({
     data: {

server/api/v1/client/http/fetch.get.ts

@@ -0,0 +1,24 @@
+import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
+
+export default defineClientEventHandler(async (h3) => {
+  const query = getQuery(h3);
+  const clientId = query.id?.toString();
+  if (!clientId)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing id in query",
+    });
+
+  const certificate = await h3.context.ca.fetchClientCertificate(clientId);
+  if (!certificate) {
+    // Either it doesn't exist or it's blacklisted
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Invalid or blacklisted clientId",
+    });
+  }
+
+  return {
+    certificate: certificate.cert,
+  };
+});

server/internal/clients/ca.ts

@@ -39,7 +39,7 @@ export class CertificateAuthority {
       clientId,
       clientName,
       caCertificate.cert,
-      caCertificate.priv
+      caCertificate.priv,
     );
     const certBundle: CertificateBundle = {
       priv,
@@ -53,6 +53,13 @@ export class CertificateAuthority {
   }
 
   async fetchClientCertificate(clientId: string) {
+    const isBlacklist =
+      await this.certificateStore.checkBlacklistCertificate(clientId);
+    if (isBlacklist) return undefined;
     return await this.certificateStore.fetch(`client:${clientId}`);
   }
+
+  async blacklistClient(clientId: string) {
+    await this.certificateStore.blacklistCertificate(clientId);
+  }
 }

server/internal/clients/store.ts

@@ -5,9 +5,13 @@ import { CertificateBundle } from "./ca";
 export type CertificateStore = {
   store(name: string, data: CertificateBundle): Promise<void>;
   fetch(name: string): Promise<CertificateBundle | undefined>;
+  blacklistCertificate(name: string): Promise<void>;
+  checkBlacklistCertificate(name: string): Promise<boolean>;
 };
 
 export const fsCertificateStore = (base: string) => {
+  const blacklist = path.join(base, ".blacklist");
+  fs.mkdirSync(blacklist, { recursive: true });
   const store: CertificateStore = {
     async store(name: string, data: CertificateBundle) {
       const filepath = path.join(base, name);
@@ -18,6 +22,14 @@ export const fsCertificateStore = (base: string) => {
       if (!fs.existsSync(filepath)) return undefined;
       return JSON.parse(fs.readFileSync(filepath, "utf-8"));
     },
+    async blacklistCertificate(name: string) {
+      const filepath = path.join(blacklist, name);
+      fs.writeFileSync(filepath, Buffer.from([]));
+    },
+    async checkBlacklistCertificate(name: string): Promise<boolean> {
+      const filepath = path.join(blacklist, name);
+      return fs.existsSync(filepath);
+    },
   };
   return store;
 };