71 lines
2.9 KiB
JavaScript
71 lines
2.9 KiB
JavaScript
// Reproduces the bug in @azure/keyvault-certificates:
|
|
// CertificateClient.importCertificate() silently drops policy.contentType,
|
|
// so Azure validates incoming bytes against the existing stored policy.
|
|
// Importing PFX into a certificate previously stored as PEM fails with:
|
|
// "The specified PEM X.509 certificate content is in an unexpected format."
|
|
//
|
|
// Requirements: openssl in PATH
|
|
// Usage: KEYVAULT_NAME=<vault> node docs/bug-reproduce.mjs
|
|
|
|
import { execSync } from 'node:child_process';
|
|
import { mkdtempSync, readFileSync, rmSync } from 'node:fs';
|
|
import { tmpdir } from 'node:os';
|
|
import { join } from 'node:path';
|
|
import { DefaultAzureCredential } from '@azure/identity';
|
|
import { CertificateClient } from '@azure/keyvault-certificates';
|
|
|
|
const vaultName = process.env.KEYVAULT_NAME;
|
|
if (!vaultName) {
|
|
console.error('Set KEYVAULT_NAME');
|
|
process.exit(1);
|
|
}
|
|
const vaultUrl = `https://${vaultName}.vault.azure.net`;
|
|
|
|
const CERT_NAME = 'bug-reproduce-test';
|
|
const PFX_PASSWORD = 'test-password-123';
|
|
|
|
const tmp = mkdtempSync(join(tmpdir(), 'kv-bug-'));
|
|
try {
|
|
console.log('Generating self-signed certificate...');
|
|
execSync(
|
|
`openssl req -x509 -newkey rsa:2048 -keyout "${join(tmp, 'key.pem')}" -out "${join(tmp, 'cert.pem')}" -days 365 -nodes -subj "/CN=bug-reproduce-test"`,
|
|
{ stdio: 'pipe' },
|
|
);
|
|
execSync(
|
|
`openssl pkcs12 -export -out "${join(tmp, 'cert.pfx')}" -inkey "${join(tmp, 'key.pem')}" -in "${join(tmp, 'cert.pem')}" -passout pass:${PFX_PASSWORD}`,
|
|
{ stdio: 'pipe' },
|
|
);
|
|
|
|
const pemBytes = Buffer.concat([readFileSync(join(tmp, 'cert.pem')), readFileSync(join(tmp, 'key.pem'))]);
|
|
const pfxBytes = readFileSync(join(tmp, 'cert.pfx'));
|
|
|
|
const credential = new DefaultAzureCredential();
|
|
const client = new CertificateClient(vaultUrl, credential);
|
|
|
|
console.log(`\nStep 1: importing '${CERT_NAME}' as PEM...`);
|
|
try {
|
|
await client.importCertificate(CERT_NAME, pemBytes, {
|
|
policy: { contentType: 'application/x-pem-file', issuerName: 'Unknown', subject: 'CN=bug-reproduce-test' },
|
|
});
|
|
console.log(' OK — PEM import succeeded.');
|
|
} catch (err) {
|
|
console.error(` FAILED — ${err.message}`);
|
|
process.exit(1);
|
|
}
|
|
|
|
console.log(`\nStep 2: re-importing '${CERT_NAME}' as PFX (policy.contentType should tell Azure to expect PFX)...`);
|
|
try {
|
|
await client.importCertificate(CERT_NAME, pfxBytes, {
|
|
password: PFX_PASSWORD,
|
|
policy: { contentType: 'application/x-pkcs12', issuerName: 'Unknown', subject: 'CN=bug-reproduce-test' },
|
|
});
|
|
console.log(' OK — PFX import succeeded (bug may be fixed in this SDK version).');
|
|
} catch (err) {
|
|
console.error(` FAILED — ${err.message}`);
|
|
console.error('\n This confirms the bug: policy.contentType was silently dropped.');
|
|
console.error(' Azure validated the PFX bytes against the existing PEM policy and rejected them.');
|
|
}
|
|
} finally {
|
|
rmSync(tmp, { recursive: true });
|
|
}
|