Convert node-forge CA to @peculiar, matching Mockttp

Author: pimterry

package-lock.json

@@ -31,10 +31,12 @@
   "homepage": "https://github.com/httptoolkit/testserver#readme",
   "dependencies": {
     "@httptoolkit/util": "^0.1.2",
+    "@peculiar/asn1-schema": "^2.6.0",
+    "@peculiar/asn1-x509": "^2.6.0",
+    "@peculiar/x509": "^1.14.3",
     "acme-client": "^5.4.0",
     "cookie": "^1.0.2",
     "lodash": "^4.17.21",
-    "node-forge": "^1.3.2",
     "parse-multipart-data": "^1.5.0",
     "tsx": "^4.19.3"
   },
@@ -43,7 +45,6 @@
     "@types/lodash": "^4.17.0",
     "@types/mocha": "^10.0.6",
     "@types/node": "^22.15.30",
-    "@types/node-forge": "^1.3.11",
     "chai": "^5.1.0",
     "destroyable-server": "^1.0.1",
     "mocha": "^10.8.2",

package.json

@@ -38,8 +38,8 @@ async function generateTlsConfig(options: ServerOptions) {
         certCache ? certCache.loadCache() : null
     ]);
 
-    const ca = new LocalCA(caCert, certCache);
-    const defaultCert = ca.generateCertificate(rootDomain);
+    const ca = await LocalCA.create(caCert);
+    const defaultCert = await ca.generateCertificate(rootDomain);
 
     if (!options.acmeProvider) {
         console.log('Using self signed certificates');
@@ -48,11 +48,11 @@ async function generateTlsConfig(options: ServerOptions) {
             key: defaultCert.key,
             cert: defaultCert.cert,
             ca: caCert.cert,
-            generateCertificate: (domain: string, mode?: CertMode) => {
-                if (mode === 'self-signed') return ca.generateSelfSignedCertificate(domain);
-                if (mode === 'expired') return ca.generateExpiredCertificate(domain);
+            generateCertificate: async (domain: string, mode?: CertMode) => {
+                if (mode === 'self-signed') return await ca.generateSelfSignedCertificate(domain);
+                if (mode === 'expired') return await ca.generateExpiredCertificate(domain);
                 // 'revoked' mode requires ACME - falls through to normal cert without it
-                return ca.generateCertificate(domain);
+                return await ca.generateCertificate(domain);
             },
             acmeChallenge: () => undefined // Not supported
         };
@@ -76,14 +76,14 @@ async function generateTlsConfig(options: ServerOptions) {
         key: defaultCert.key,
         cert: defaultCert.cert,
         ca: caCert.cert,
-        generateCertificate: (domain: string, mode?: CertMode) => {
-            if (mode === 'self-signed') return ca.generateSelfSignedCertificate(domain);
+        generateCertificate: async (domain: string, mode?: CertMode) => {
+            if (mode === 'self-signed') return await ca.generateSelfSignedCertificate(domain);
 
             if (mode === 'expired') {
                 // Try to get an actually-expired ACME cert; fall back to LocalCA if not expired yet
                 const expiredAcmeCert = acmeCA.tryGetExpiredCertificateSync(rootDomain);
                 if (expiredAcmeCert) return expiredAcmeCert;
-                return ca.generateExpiredCertificate(domain);
+                return await ca.generateExpiredCertificate(domain);
             }
 
             if (mode === 'revoked') {
@@ -100,7 +100,7 @@ async function generateTlsConfig(options: ServerOptions) {
 
             // If you use some other domain or the cert isn't immediately available, we fall back
             // to self-signed certs for now:
-            return ca.generateCertificate(domain);
+            return await ca.generateCertificate(domain);
         },
         acmeChallenge: (token: string) => acmeCA.getChallengeResponse(token)
     }