fix(certificates): improve validation and prevent crash (#2910)

packages/api/src/router/certificates/certificate-router.ts

@@ -1,3 +1,5 @@
+import { X509Certificate } from "node:crypto";
+import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { zfd } from "zod-form-data";
 
@@ -16,6 +18,17 @@ export const certificateRouter = createTRPCRouter({
     )
     .mutation(async ({ input }) => {
       const content = await input.file.text();
+
+      // Validate the certificate
+      try {
+        new X509Certificate(content);
+      } catch {
+        throw new TRPCError({
+          code: "BAD_REQUEST",
+          message: "Invalid certificate",
+        });
+      }
+
       await addCustomRootCertificateAsync(input.file.name, content);
     }),
   removeCertificate: permissionRequiredProcedure

packages/certificates/src/server.ts

@@ -29,7 +29,7 @@ export const loadCustomRootCertificatesAsync = async () => {
   const dirContent = await fs.readdir(folder);
   return await Promise.all(
     dirContent
-      .filter((file) => file.endsWith(".crt"))
+      .filter((file) => file.endsWith(".crt") || file.endsWith(".pem"))
       .map(async (file) => ({
         content: await fs.readFile(path.join(folder, file), "utf8"),
         fileName: file,

packages/translation/src/lang/en.json

@@ -3800,6 +3800,10 @@
         "noResults": {
           "title": "There are no certificates yet"
         },
+        "invalid": {
+          "title": "Invalid certificate",
+          "description": "Failed to parse certificate"
+        },
         "expires": "Expires {when}"
       }
     },

packages/validation/src/certificates.ts

@@ -24,7 +24,7 @@ export const superRefineCertificateFile = (value: File | null, context: z.Refine
     });
   }
 
-  if (value.type !== "application/x-x509-ca-cert" && value.type !== "application/pkix-cert") {
+  if (!value.name.endsWith(".crt") && !value.name.endsWith(".pem")) {
     return context.addIssue({
       code: "custom",
       params: createCustomErrorParams({