Add support for ACME-only revoked TLS endpoint

pimterry · pimterry · commit ca5064a67fd1 · 2026-01-21T23:50:06.000+01:00
diff --git a/src/endpoints/http/echo.ts b/src/endpoints/http/echo.ts
@@ -141,8 +141,18 @@ async function handle(req: HttpRequest, res: HttpResponse) {
     }
 
     // HTTP/1.x: return raw request data
+    // Defer briefly to allow other pipelined requests to register
+    await new Promise<void>(resolve => process.nextTick(resolve));
+
+    if (req.socket.pipelining) {
+        res.writeHead(400);
+        res.end('Echo endpoint does not support request pipelining. Send requests sequentially or use HTTP/2 multiplexing instead.');
+        return;
+    }
+
     await streamConsumers.buffer(req);
     const rawData = Buffer.concat(req.socket.receivedData ?? []);
+
     res.writeHead(200, {
         'Content-Length': Buffer.byteLength(rawData)
     });
diff --git a/src/http-handler.ts b/src/http-handler.ts
@@ -143,6 +143,13 @@ export function createHttp1Handler(options: {
 }) {
     const handleRequest = createHttpRequestHandler(options);
     const handler = new http.Server(async (req, res) => {
+        // Track concurrent requests on this socket to detect pipelining
+        const socket = req.socket;
+        socket.requestsInBatch = (socket.requestsInBatch || 0) + 1;
+        if (socket.requestsInBatch > 1) {
+            socket.pipelining = true;
+        }
+
         try {
             console.log(`Handling H1 request to ${req.url}`);
             await handleRequest(req, res);
@@ -159,6 +166,10 @@ export function createHttp1Handler(options: {
         } finally {
             // Reset for next request on keep-alive connections
             req.socket.receivedData = [];
+            req.socket.requestsInBatch!--;
+            if (req.socket.requestsInBatch === 0) {
+                req.socket.pipelining = false;
+            }
         }
     });
 
diff --git a/src/server.ts b/src/server.ts
@@ -11,6 +11,9 @@ import { PersistentCertCache } from './tls-certificates/cert-cache.js';
 declare module 'stream' {
     interface Duplex {
         receivedData?: Buffer[];
+        // Pipelining detection: tracks concurrent requests
+        requestsInBatch?: number;
+        pipelining?: boolean;
     }
 }
 
@@ -48,6 +51,7 @@ async function generateTlsConfig(options: ServerOptions) {
             generateCertificate: (domain: string, mode?: CertMode) => {
                 if (mode === 'self-signed') return ca.generateSelfSignedCertificate(domain);
                 if (mode === 'expired') return ca.generateExpiredCertificate(domain);
+                // 'revoked' mode requires ACME - falls through to normal cert without it
                 return ca.generateCertificate(domain);
             },
             acmeChallenge: () => undefined // Not supported
@@ -82,6 +86,13 @@ async function generateTlsConfig(options: ServerOptions) {
                 return ca.generateExpiredCertificate(domain);
             }
 
+            if (mode === 'revoked') {
+                // Try to get a revoked ACME cert; fall back to normal cert if not yet available
+                const revokedAcmeCert = acmeCA.tryGetRevokedCertificateSync(rootDomain);
+                if (revokedAcmeCert) return revokedAcmeCert;
+                // No LocalCA fallback for revoked - just use normal cert until ACME one is ready
+            }
+
             if (domain === rootDomain || domain.endsWith('.' + rootDomain)) {
                 const cert = acmeCA.tryGetCertificateSync(domain);
                 if (cert) return cert;
diff --git a/src/tls-certificates/acme.ts b/src/tls-certificates/acme.ts
@@ -71,6 +71,60 @@ export class AcmeCA {
         return cachedCert;
     }
 
+    // Returns an ACME cert that has been revoked. Issues once, revokes, never renews.
+    // Returns undefined if no revoked ACME cert is available yet (caller should use LocalCA fallback).
+    tryGetRevokedCertificateSync(domain: string) {
+        const cacheKey = `${domain}:revoked`;
+        const cachedCert = this.certCache.getCert(cacheKey);
+
+        if (cachedCert) {
+            console.log(`Found cached revoked cert for ${domain}`);
+            return cachedCert;
+        }
+
+        // No cached cert - issue and revoke one in the background
+        const attemptId = Math.random().toString(16).slice(2);
+        console.log(`No revoked cert cached for ${domain}, issuing and revoking new one (${attemptId})`);
+        this.issueRevokedCertificate(domain, cacheKey, attemptId);
+
+        return undefined;
+    }
+
+    private async issueRevokedCertificate(domain: string, cacheKey: string, attemptId: string) {
+        if (this.pendingCertRenewals[cacheKey]) {
+            console.log(`Revoked cert already being issued for ${domain} (${attemptId})`);
+            return;
+        }
+
+        const refreshPromise = Object.assign(
+            this.requestAndRevokeCertificate(domain, { attemptId }).then((certData) => {
+                delete this.pendingCertRenewals[cacheKey];
+                this.certCache.cacheCert({ ...certData, domain: cacheKey });
+                console.log(`Revoked cert issued and cached for ${domain} (${attemptId})`);
+                return certData;
+            }).catch((e) => {
+                delete this.pendingCertRenewals[cacheKey];
+                console.log(`Revoked cert generation failed for ${domain} (${attemptId}):`, e.message);
+                throw e;
+            }),
+            { id: attemptId }
+        );
+
+        this.pendingCertRenewals[cacheKey] = refreshPromise;
+    }
+
+    private async requestAndRevokeCertificate(domain: string, options: { attemptId: string }): Promise<AcmeGeneratedCertificate> {
+        console.log(`Requesting certificate to revoke for ${domain} (${options.attemptId})`);
+
+        const certData = await this.requestNewCertificate(domain, options);
+
+        console.log(`Revoking certificate for ${domain} (${options.attemptId})`);
+        await (await this.acmeClient).revokeCertificate(certData.cert);
+        console.log(`Certificate revoked for ${domain} (${options.attemptId})`);
+
+        return certData;
+    }
+
     // Returns an ACME cert only if it has actually expired. Issues once, never renews.
     // Returns undefined if no expired ACME cert is available (caller should use LocalCA fallback).
     tryGetExpiredCertificateSync(domain: string) {
diff --git a/src/tls-handler.ts b/src/tls-handler.ts
@@ -2,11 +2,11 @@ import * as tls from 'tls';
 
 import { ConnectionProcessor } from './process-connection.js';
 
-export const CERT_MODES = ['wrong-host', 'self-signed', 'expired'] as const;
+export const CERT_MODES = ['wrong-host', 'self-signed', 'expired', 'revoked'] as const;
 export type CertMode = typeof CERT_MODES[number];
 
 // Modes that require special certificate generation (vs just domain remapping)
-const CERT_GENERATION_MODES = new Set<CertMode>(['self-signed', 'expired']);
+const CERT_GENERATION_MODES = new Set<CertMode>(['self-signed', 'expired', 'revoked']);
 
 export type CertGenerator = (domain: string, mode?: CertMode) => {
     key: string,
diff --git a/test/echo.spec.ts b/test/echo.spec.ts
@@ -1,4 +1,5 @@
 import * as net from 'net';
+import * as tls from 'tls';
 import * as http2 from 'http2';
 import { expect } from 'chai';
 import { DestroyableServer, makeDestroyable } from 'destroyable-server';
@@ -140,4 +141,157 @@ accept-encoding: gzip, deflate
 
     });
 
+    describe("HTTP/1.1 pipelining", () => {
+
+        it("rejects pipelined echo request when it's the second request", async () => {
+            const host = `localhost:${serverPort}`;
+            const request1 = `GET /status/200 HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
+            const request2 = `GET /echo HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
+
+            const socket = tls.connect({
+                host: 'localhost',
+                port: serverPort,
+                servername: 'http1.localhost',
+                rejectUnauthorized: false
+            });
+
+            await new Promise<void>((resolve) => socket.on('secureConnect', resolve));
+
+            // Send both requests at once (pipelined)
+            socket.write(request1 + request2);
+
+            const response = await new Promise<string>((resolve) => {
+                const chunks: Buffer[] = [];
+                socket.on('data', (chunk) => chunks.push(chunk));
+                socket.on('end', () => resolve(Buffer.concat(chunks).toString()));
+            });
+
+            socket.destroy();
+
+            // Parse the two responses (filter empty strings from split)
+            const responses = response.split(/(?=HTTP\/1\.1)/).filter(r => r.length > 0);
+            expect(responses.length).to.equal(2);
+
+            // First response should be 200 from /status/200
+            expect(responses[0]).to.include('HTTP/1.1 200');
+
+            // Second response (echo) should be 400 because pipelining is detected
+            const echoResponse = responses[1];
+            expect(echoResponse).to.include('HTTP/1.1 400');
+            expect(echoResponse).to.include('pipelining');
+        });
+
+        it("rejects pipelined echo request when it's the first request", async () => {
+            const host = `localhost:${serverPort}`;
+            const request1 = `GET /echo HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
+            const request2 = `GET /status/200 HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
+
+            const socket = tls.connect({
+                host: 'localhost',
+                port: serverPort,
+                servername: 'http1.localhost',
+                rejectUnauthorized: false
+            });
+
+            await new Promise<void>((resolve) => socket.on('secureConnect', resolve));
+
+            // Send both requests at once (pipelined)
+            socket.write(request1 + request2);
+
+            const response = await new Promise<string>((resolve) => {
+                const chunks: Buffer[] = [];
+                socket.on('data', (chunk) => chunks.push(chunk));
+                socket.on('end', () => resolve(Buffer.concat(chunks).toString()));
+            });
+
+            socket.destroy();
+
+            // First response (echo) should be 400 because pipelining is detected
+            expect(response).to.include('HTTP/1.1 400');
+            expect(response).to.include('pipelining');
+        });
+
+        it("rejects both pipelined echo requests", async () => {
+            const host = `localhost:${serverPort}`;
+            const request1 = `GET /echo HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
+            const request2 = `GET /echo HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
+
+            const socket = tls.connect({
+                host: 'localhost',
+                port: serverPort,
+                servername: 'http1.localhost',
+                rejectUnauthorized: false
+            });
+
+            await new Promise<void>((resolve) => socket.on('secureConnect', resolve));
+            socket.write(request1 + request2);
+
+            const response = await new Promise<string>((resolve) => {
+                const chunks: Buffer[] = [];
+                socket.on('data', (chunk) => chunks.push(chunk));
+                socket.on('end', () => resolve(Buffer.concat(chunks).toString()));
+            });
+
+            socket.destroy();
+
+            // Both echo requests should return 400 due to pipelining
+            const responses = response.split(/(?=HTTP\/1\.1)/).filter(r => r.length > 0);
+            expect(responses.length).to.equal(2);
+            expect(responses[0]).to.include('HTTP/1.1 400');
+            expect(responses[0]).to.include('pipelining');
+            expect(responses[1]).to.include('HTTP/1.1 400');
+            expect(responses[1]).to.include('pipelining');
+        });
+
+        it("works correctly with sequential requests on keep-alive connection", async () => {
+            const host = `localhost:${serverPort}`;
+
+            const socket = tls.connect({
+                host: 'localhost',
+                port: serverPort,
+                servername: 'http1.localhost',
+                rejectUnauthorized: false
+            });
+
+            await new Promise<void>((resolve) => socket.on('secureConnect', resolve));
+
+            // Send first request and wait for response
+            const request1 = `GET /status/200 HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
+            socket.write(request1);
+
+            // Wait for first response
+            const response1 = await new Promise<string>((resolve) => {
+                let data = '';
+                const onData = (chunk: Buffer) => {
+                    data += chunk.toString();
+                    // Check if we have a complete response (ends with \r\n\r\n for no body)
+                    if (data.includes('\r\n\r\n')) {
+                        socket.removeListener('data', onData);
+                        resolve(data);
+                    }
+                };
+                socket.on('data', onData);
+            });
+
+            expect(response1).to.include('HTTP/1.1 200');
+
+            // Now send second request (echo)
+            const request2 = `GET /echo HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
+            socket.write(request2);
+
+            const response2 = await new Promise<string>((resolve) => {
+                const chunks: Buffer[] = [];
+                socket.on('data', (chunk) => chunks.push(chunk));
+                socket.on('end', () => resolve(Buffer.concat(chunks).toString()));
+            });
+
+            socket.destroy();
+
+            // Echo should work and return the raw request
+            expect(response2).to.include('HTTP/1.1 200');
+            expect(response2).to.include('GET /echo HTTP/1.1');
+        });
+
+    });
+
 });
