Add support for self-signed TLS endpoint

pimterry · pimterry · commit 35c97947feab · 2026-01-21T15:00:25.000+01:00
diff --git a/src/server.ts b/src/server.ts
@@ -1,7 +1,7 @@
 import * as net from 'net';
 
 import { createHttp1Handler, createHttp2Handler } from './http-handler.js';
-import { createTlsHandler } from './tls-handler.js';
+import { createTlsHandler, CertMode } from './tls-handler.js';
 import { ConnectionProcessor } from './process-connection.js';
 
 import { AcmeCA, AcmeProvider, ExternalAccessBindingConfig } from './tls-certificates/acme.js';
@@ -45,7 +45,12 @@ async function generateTlsConfig(options: ServerOptions) {
             key: defaultCert.key,
             cert: defaultCert.cert,
             ca: caCert.cert,
-            generateCertificate: (domain: string) => ca.generateCertificate(domain),
+            generateCertificate: (domain: string, mode?: CertMode) => {
+                if (mode === 'self-signed') {
+                    return ca.generateSelfSignedCertificate(domain);
+                }
+                return ca.generateCertificate(domain);
+            },
             acmeChallenge: () => undefined // Not supported
         };
     }
@@ -68,7 +73,11 @@ async function generateTlsConfig(options: ServerOptions) {
         key: defaultCert.key,
         cert: defaultCert.cert,
         ca: caCert.cert,
-        generateCertificate: (domain: string) => {
+        generateCertificate: (domain: string, mode?: CertMode) => {
+            if (mode === 'self-signed') {
+                return ca.generateSelfSignedCertificate(domain);
+            }
+
             if (domain === rootDomain || domain.endsWith('.' + rootDomain)) {
                 const cert = acmeCA.tryGetCertificateSync(domain);
                 if (cert) return cert;
diff --git a/src/tls-certificates/local-ca.ts b/src/tls-certificates/local-ca.ts
@@ -253,4 +253,60 @@ export class LocalCA {
 
         return generatedCertificate;
     }
+
+    generateSelfSignedCertificate(domain: string) {
+        const cacheKey = `${domain}:self-signed`;
+
+        const cachedCert = this.certInMemoryCache[cacheKey];
+        if (cachedCert) return cachedCert;
+
+        const cert = pki.createCertificate();
+
+        cert.publicKey = KEY_PAIR!.publicKey;
+        cert.serialNumber = generateSerialNumber();
+
+        cert.validity.notBefore = new Date();
+        cert.validity.notBefore.setDate(cert.validity.notBefore.getDate() - 1);
+
+        cert.validity.notAfter = new Date();
+        cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 1);
+
+        const subject = [
+            { name: 'commonName', value: domain },
+            { name: 'countryName', value: this.options?.countryName ?? 'XX' },
+            { name: 'localityName', value: this.options?.localityName ?? 'Unknown' },
+            { name: 'organizationName', value: this.options?.organizationName ?? 'Testserver Test Cert' }
+        ];
+
+        cert.setSubject(subject);
+        cert.setIssuer(subject); // Self-signed: issuer = subject
+
+        cert.setExtensions([
+            { name: 'basicConstraints', cA: false, critical: true },
+            { name: 'keyUsage', digitalSignature: true, keyEncipherment: true, critical: true },
+            { name: 'extKeyUsage', serverAuth: true, clientAuth: true },
+            {
+                name: 'subjectAltName',
+                altNames: [{ type: 2, value: domain }]
+            },
+            { name: 'subjectKeyIdentifier' }
+        ]);
+
+        cert.sign(KEY_PAIR!.privateKey, md.sha256.create()); // Self-signed: sign with own key
+
+        const certPem = pki.certificateToPem(cert);
+        const generatedCertificate = {
+            key: pki.privateKeyToPem(KEY_PAIR!.privateKey),
+            cert: certPem,
+            ca: certPem // Self-signed: cert is its own CA
+        };
+
+        this.certInMemoryCache[cacheKey] = generatedCertificate;
+
+        setTimeout(() => {
+            delete this.certInMemoryCache[cacheKey];
+        }, 1000 * 60 * 60 * 24).unref();
+
+        return generatedCertificate;
+    }
 }
diff --git a/src/tls-handler.ts b/src/tls-handler.ts
@@ -2,10 +2,13 @@ import * as tls from 'tls';
 
 import { ConnectionProcessor } from './process-connection.js';
 
-export const CERT_MODES = ['wrong-host'] as const;
+export const CERT_MODES = ['wrong-host', 'self-signed'] as const;
 export type CertMode = typeof CERT_MODES[number];
 
-export type CertGenerator = (domain: string) => {
+// Modes that require special certificate generation (vs just domain remapping)
+const CERT_GENERATION_MODES = new Set<CertMode>(['self-signed']);
+
+export type CertGenerator = (domain: string, mode?: CertMode) => {
     key: string,
     cert: string,
     ca?: string
@@ -117,8 +120,10 @@ export async function createTlsHandler(
                 certDomain = `example.${tlsConfig.rootDomain}`;
             }
 
+            const generationMode = certModeParts.find(mode => CERT_GENERATION_MODES.has(mode));
+
             try {
-                const generatedCert = tlsConfig.generateCertificate(certDomain);
+                const generatedCert = tlsConfig.generateCertificate(certDomain, generationMode);
                 cb(null, tls.createSecureContext({
                     key: generatedCert.key,
                     cert: generatedCert.cert,
diff --git a/test/https.spec.ts b/test/https.spec.ts
@@ -194,4 +194,44 @@ Connection: keep-alive
 
     });
 
+    describe("self-signed certificates", () => {
+
+        it("returns a self-signed certificate where issuer equals subject", async () => {
+            const conn = tls.connect({
+                port: serverPort,
+                servername: 'self-signed.localhost',
+                rejectUnauthorized: false
+            });
+
+            const cert = await new Promise<tls.PeerCertificate>((resolve, reject) => {
+                conn.on('secureConnect', () => resolve(conn.getPeerCertificate()));
+                conn.on('error', reject);
+            });
+            conn.destroy();
+
+            expect(cert.subject.CN).to.equal('self-signed.localhost');
+            expect(cert.issuer.CN).to.equal('self-signed.localhost');
+            expect(cert.subject.O).to.equal(cert.issuer.O);
+        });
+
+        it("can combine self-signed with protocol preferences", async () => {
+            const conn = tls.connect({
+                port: serverPort,
+                servername: 'http2.self-signed.localhost',
+                ALPNProtocols: ['http/1.1', 'h2'],
+                rejectUnauthorized: false
+            });
+
+            const [cert, protocol] = await new Promise<[tls.PeerCertificate, string | false]>((resolve, reject) => {
+                conn.on('secureConnect', () => resolve([conn.getPeerCertificate(), conn.alpnProtocol]));
+                conn.on('error', reject);
+            });
+            conn.destroy();
+
+            expect(cert.subject.CN).to.equal(cert.issuer.CN);
+            expect(protocol).to.equal('h2');
+        });
+
+    });
+
 });
