Canary (#481)

* fix: fix window render freeze

* chore: align changelog

* chore(deps): upgrade "@webcrypto-local" to "1.6.11"

* chore(ci): upgrade "microsoft/setup-msbuild" to "v1.1"

* chore(ci): remove "nuget/setup-nuget" step

* chore(ci): use windows-2019 and node v14

* Fix-macos-ca (#479)

* fix: Use User keychain instead of System

* fix(ssl): Error on CA adding into Firefox

* refactor(ssl): Change MacOS CA log message

* chore: remove unused "fortify-setup" folder

Co-authored-by: donskov <[email protected]>

* chore(deps): use `nanoid` instead of `uuid`

* chore(deps): update electron version to "13.6.9"

Co-authored-by: microshine <[email protected]>

.github/workflows/pipeline.yml

@@ -23,6 +23,7 @@ jobs:
         env:
           APP_REPO_FOLDER: ../
           RELEASE_FOLDER: ../release
+          ELECTRON_VERSION: '13.6.9'
       - name: Sign data
         run: yarn sign_data
         env:
@@ -55,24 +56,26 @@ jobs:
         env:
           APP_REPO_FOLDER: ../
           RELEASE_FOLDER: ../release
+          ELECTRON_VERSION: '13.6.9'
       - name: Archive build artifacts
         uses: actions/upload-artifact@v2
         with:
           name: artifacts
           path: ./release/*.deb
 
   windows:
-    runs-on: windows-latest
+    runs-on: windows-2019
     strategy:
       matrix:
         platform: [x86, x64]
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '14.x'
       - name: Setup msbuild
-        uses: microsoft/setup-msbuild@v1
-      - name: Setup NuGet.exe for use with actions
-        uses: nuget/[email protected]
+        uses: microsoft/[email protected]
       - name: Prepare app repository
         uses: ./.github/actions/prepare-app-repo
       - name: Prepare fortify-setup repository
@@ -85,6 +88,7 @@ jobs:
           Platform: ${{ matrix.platform }}
           APP_REPO_FOLDER: ../
           RELEASE_FOLDER: ../release
+          ELECTRON_VERSION: '13.6.9'
       - name: Archive build artifacts
         uses: actions/upload-artifact@v2
         with:

.yarnrc

@@ -1,4 +1,4 @@
 runtime "electron"
-target "11.5.0"
+target "13.6.9"
 target_arch "x64"
 disturl "https://atom.io/download/atom-shell"

CHANGELOG.md

@@ -1,3 +1,18 @@
+## [1.8.4](https://github.com/PeculiarVentures/fortify/releases/tag/1.8.4) (5.04.2022)
+
+### Features
+- Update `electron` dependency to `13.6.9`.
+- Update `minimist ` dependency to `1.2.6`.
+- Update `@webcrypto-local/* ` dependency to `1.6.11`.
+- Use `nanoid` instead of `uuid`.
+
+### Bug Fixes
+
+- Fix ERR_CERT_AUTHORITY_INVALID exception on Mac ([#475](https://github.com/PeculiarVentures/fortify/issues/475)).
+- Fix Firefox in Ubuntu can't communicate with Fortify ([#461](https://github.com/PeculiarVentures/fortify/issues/461)).
+- Fix Unable to open fortify tools in Chrome ([#409](https://github.com/PeculiarVentures/fortify/issues/409)).
+- Fix App doesn't install CA certificate to Firefox ([#327](https://github.com/PeculiarVentures/fortify/issues/327)).
+
 ## [1.8.3](https://github.com/PeculiarVentures/fortify/releases/tag/1.8.3) (27.10.2021)
 
 ### Features

package.json

@@ -1,7 +1,7 @@
 {
   "name": "fortify",
   "productName": "Fortify",
-  "version": "1.8.3",
+  "version": "1.8.4",
   "description": "Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment",
   "main": "out/main.js",
   "scripts": {
@@ -36,15 +36,14 @@
     "@types/request": "^2.48.5",
     "@types/rimraf": "^2.0.4",
     "@types/semver": "^6.2.1",
-    "@types/uuid": "^8.3.0",
     "@types/websocket": "^0.0.40",
     "@types/ws": "^7.2.6",
     "@types/xmldom": "^0.1.30",
     "@typescript-eslint/eslint-plugin": "^2.34.0",
     "colors": "^1.4.0",
     "cross-env": "^7.0.2",
     "css-loader": "^5.2.6",
-    "electron": "^11.5.0",
+    "electron": "^13.6.9",
     "eslint": "^6.8.0",
     "eslint-config-airbnb-typescript": "^7.2.1",
     "eslint-plugin-import": "^2.22.0",
@@ -83,6 +82,7 @@
     "jose-jwe-jws": "github:microshine/js-jose",
     "lib-react-components": "^3.0.1",
     "mixpanel": "^0.13.0",
+    "nanoid": "^3.3.2",
     "pkcs11js": "^1.2.6",
     "pkijs": "^2.2.1",
     "public-ip": "^4.0.3",
@@ -92,9 +92,7 @@
     "reflect-metadata": "^0.1.13",
     "request": "^2.88.2",
     "semver": "^6.3.0",
-    "sudo-prompt": "^9.2.1",
     "tsyringe": "^4.3.0",
-    "uuid": "^8.3.1",
     "webcrypto-core": "^1.3.0",
     "winston": "^3.3.3",
     "winston-transport": "^4.4.0"

src/main/config.ts

@@ -1,10 +1,10 @@
 import * as fs from 'fs';
 import * as path from 'path';
-import { v4 as uuidv4 } from 'uuid';
+import { nanoid } from 'nanoid';
 import { APP_CONFIG_FILE } from './constants';
 
 const defaultConfig: IConfigure = {
-  userId: uuidv4(),
+  userId: nanoid(36),
   providers: [],
   cards: [],
   disableCardUpdate: false,

src/main/services/ssl/firefox.ts

@@ -27,10 +27,8 @@ export class Firefox {
       const profiles = fs.readdirSync(profilesFolder);
       // eslint-disable-next-line no-restricted-syntax
       for (const profile of profiles) {
-        if (/default/.test(profile)) {
-          const profileFolder = path.normalize(path.join(profilesFolder, profile));
-          res.push(profileFolder);
-        }
+        const profileFolder = path.normalize(path.join(profilesFolder, profile));
+        res.push(profileFolder);
       }
     } else {
       logger.info('firefox', 'Profiles folder does not exist', { path: profilesFolder });

src/main/services/ssl/installer.ts

@@ -5,7 +5,7 @@
 import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
-import * as sudo from 'sudo-prompt';
+import * as childProcess from 'child_process';
 import { PemConverter } from 'webcrypto-core';
 import { Firefox } from './firefox';
 import { NssCertUtils } from './nss';
@@ -92,23 +92,19 @@ export class SslCertInstaller {
   private async installDarwin(certPath: string) {
     await new Promise((resolve, reject) => {
       const certName = this.policy.nssCertName;
-      const options = {
-        name: this.policy.osxAppName || 'Fortify application',
-        icons: this.policy.osxAppIcons || '/Applications/Fortify.app/Contents/Resources/static/icons/tray/mac/icon.icns',
-      };
       const { username } = os.userInfo();
 
       logger.info('ssl-installer', 'Adding CA certificate to System KeyChain');
 
-      sudo.exec(`certPath="${certPath}" certName="${certName}" userDir="${os.homedir()}" USER="${username}" bash ${SRC_DIR}/resources/osx-ssl.sh`, options, (err) => {
+      childProcess.exec(`certPath="${certPath}" certName="${certName}" userDir="${os.homedir()}" USER="${username}" bash ${SRC_DIR}/resources/osx-ssl.sh`, (err) => {
         if (err) {
           reject(err);
         } else {
           resolve();
         }
       });
 
-      logger.info('ssl-installer', 'SSL certificate added to System KeyChain', {
+      logger.info('ssl-installer', 'SSL certificate added to User KeyChain', {
         certName,
       });
     });

src/main/services/ssl/nss.ts

@@ -3,8 +3,8 @@
 import { execSync } from 'child_process';
 import * as os from 'os';
 import { BufferSourceConverter, Convert } from 'pvtsutils';
-import { PemConverter } from 'webcrypto-core';
 import logger from '../../logger';
+import { PemConverter } from './pem_converter';
 
 export interface INssCertUtilArguments {
   [key: string]: string | undefined;
@@ -433,9 +433,10 @@ export class NssCertUtils {
     if (ok && cert) {
       const derCert = BufferSourceConverter.toArrayBuffer(cert);
       const nssCertPem = this.get(certName);
-      const nssCertDer = PemConverter.toArrayBuffer(nssCertPem);
+      const nssCertDerList = PemConverter.decode(nssCertPem);
 
-      return Convert.ToHex(derCert) === Convert.ToHex(nssCertDer);
+      return nssCertDerList
+        .some((nssCertDer) => Convert.ToHex(derCert) === Convert.ToHex(nssCertDer));
     }
 
     return ok;

src/main/services/ssl/pem_converter.ts

@@ -0,0 +1,97 @@
+import { Convert } from 'pvtsutils';
+
+/**
+ * Represents PEM Converter.
+ */
+export class PemConverter {
+  public CertificateTag = 'CERTIFICATE';
+
+  public CertificateRequestTag = 'CERTIFICATE REQUEST';
+
+  public PublicKeyTag = 'PUBLIC KEY';
+
+  public PrivateKeyTag = 'PRIVATE KEY';
+
+  static isPem(data: any): data is string {
+    return typeof data === 'string'
+      && /-{5}BEGIN [A-Z0-9 ]+-{5}([a-zA-Z0-9=+/\n\r]+)-{5}END [A-Z0-9 ]+-{5}/g.test(data);
+  }
+
+  /**
+   * Decodes PEM to a list of raws
+   * @param pem message in PEM format
+   */
+  public static decode(pem: string) {
+    const pattern = /-{5}BEGIN [A-Z0-9 ]+-{5}([a-zA-Z0-9=+/\n\r]+)-{5}END [A-Z0-9 ]+-{5}/g;
+
+    const res: ArrayBuffer[] = [];
+    let matches: RegExpExecArray | null = null;
+    // eslint-disable-next-line no-cond-assign
+    while (matches = pattern.exec(pem)) {
+      const base64 = matches[1]
+        .replace(/\r/g, '')
+        .replace(/\n/g, '');
+      res.push(Convert.FromBase64(base64));
+    }
+
+    return res;
+  }
+
+  /**
+   * Encodes a raw data to PEM format
+   * @param rawData Raw data
+   * @param tag PEM tag
+   */
+  public static encode(rawData: BufferSource, tag: string): string;
+
+  /**
+   * Encodes a list of raws to PEM format
+   * @param raws A list of raws
+   * @param tag PEM tag
+   */
+  public static encode(rawData: BufferSource[], tag: string): string;
+
+  public static encode(rawData: BufferSource | BufferSource[], tag: string) {
+    if (Array.isArray(rawData)) {
+      const raws = new Array<string>();
+      rawData.forEach((element) => {
+        raws.push(this.encodeBuffer(element, tag));
+      });
+
+      return raws.join('\n');
+    }
+
+    return this.encodeBuffer(rawData, tag);
+  }
+
+  /**
+   * Encodes a raw data to PEM format
+   * @param rawData Raw data
+   * @param tag PEM tag
+   */
+  private static encodeBuffer(rawData: BufferSource, tag: string) {
+    const base64 = Convert.ToBase64(rawData);
+    let sliced: string;
+    let offset = 0;
+    const rows = Array<string>();
+    while (offset < base64.length) {
+      if (base64.length - offset < 64) {
+        sliced = base64.substring(offset);
+      } else {
+        sliced = base64.substring(offset, offset + 64);
+        offset += 64;
+      }
+      if (sliced.length !== 0) {
+        rows.push(sliced);
+        if (sliced.length < 64) {
+          break;
+        }
+      } else {
+        break;
+      }
+    }
+    const upperCaseTag = tag.toLocaleUpperCase();
+
+    return `-----BEGIN ${upperCaseTag}-----\n${rows.join('\n')}\n-----END ${upperCaseTag}-----`;
+  }
+}

src/main/type.d.ts

@@ -31,11 +31,3 @@ interface IConfigure {
   telemetry?: boolean;
   theme: ('system' | 'dark' | 'light');
 }
-
-declare module 'sudo-prompt' {
-  export function exec(
-    script: string,
-    options: any,
-    cb: (err: Error, stdout: Buffer) => void,
-  ): void;
-}

src/main/windows/browser_window.ts

@@ -126,6 +126,7 @@ export class BrowserWindow {
         enableRemoteModule: true,
         // https://github.com/PeculiarVentures/fortify/issues/453
         backgroundThrottling: false,
+        contextIsolation: false,
       },
     };
   }

src/resources/osx-ssl.sh

@@ -1,11 +1,17 @@
 # Add certificate to system key chain
 
 certPath=${certPath}
-certificateName="${certName}" 
+certificateName=${certName}
 
 echo -e "certificateName: ${certificateName}"
 echo -e "certPath: ${certPath}"
 
 # keychain
-security delete-certificate -c ${certificateName} /Library/Keychains/System.keychain
-security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${certPath}
+keychain=$(security default-keychain -d user | sed 's/"//g')
+security delete-certificate -c ${certificateName} ${keychain}
+security add-trusted-cert -r trustRoot -k ${keychain} ${certPath}
+certDir=$(dirname ${certPath})
+echo -e "certDir: ${certDir}"
+mkdir "$certDir/mkcert"
+cp ${certPath} "$certDir/mkcert/rootCA.pem"
+CAROOT="$certDir/mkcert" TRUST_STORES=system mkcert -install