feat: add function to cleanup the trust store

resolves #20

Author: chrisbbreuer

.gitignore

@@ -15,3 +15,4 @@ docs/.vitepress/dist
 docs/.vitepress/cache
 storage
 rp
+.env

README.md

@@ -49,7 +49,7 @@ Given the npm package is installed:
 
 ```ts
 import type { AddCertOptions, CAOptions, CertificateOptions, TlsConfig, TlsOptions } from '@stacksjs/tlsx'
-import { addCertToSystemTrustStoreAndSaveCerts, config, forge, generateCert, pki, storeCertificate, tls } from '@stacksjs/tlsx'
+import { addCertToSystemTrustStoreAndSaveCert, cleanupTrustStore, config, forge, generateCertificate, pki, removeCertFromSystemTrustStore, storeCertificate, tls } from '@stacksjs/tlsx'
 
 // Generate a certificate for a single domain
 const cert = await generateCertificate({
@@ -75,6 +75,18 @@ const combinedCert = await generateCertificate({
 
 // Store and trust the certificate
 await addCertToSystemTrustStoreAndSaveCert(cert, rootCA.certificate)
+
+// Remove a specific certificate
+await removeCertFromSystemTrustStore('example.com')
+
+// Remove a certificate with a specific name
+await removeCertFromSystemTrustStore('example.com', {}, 'My Custom Certificate Name')
+
+// Clean up all TLSX certificates from the system trust store
+await cleanupTrustStore()
+
+// Clean up certificates matching a specific pattern
+await cleanupTrustStore({}, 'My Custom Pattern')
 ```
 
 ### CLI
@@ -92,6 +104,27 @@ tlsx secure example.com -d "api.example.com,*.example.com"
 # Generate certificate with custom validity and organization
 tlsx secure example.com --validity-days 365 --organization-name "My Company"
 
+# Revoke a certificate for a domain
+tlsx revoke example.com
+
+# Revoke a certificate with a specific name
+tlsx revoke example.com --cert-name "My Custom Certificate"
+
+# Clean up all TLSX certificates from the system trust store
+tlsx cleanup
+
+# Clean up certificates matching a specific pattern
+tlsx cleanup --pattern "My Custom Pattern"
+
+# List all certificates
+tlsx list
+
+# Verify a certificate
+tlsx verify path/to/cert.crt
+
+# Show system configuration and paths
+tlsx info
+
 # Show all available options
 tlsx secure --help
 
@@ -159,7 +192,7 @@ For casual chit-chat with others using this package:
 
 ## Postcardware
 
-“Software that is free, but hopes for a postcard.” We love receiving postcards from around the world showing where `tlsx` is being used! We showcase them on our website too.
+"Software that is free, but hopes for a postcard." We love receiving postcards from around the world showing where `tlsx` is being used! We showcase them on our website too.
 
 Our address: Stacks.js, 12665 Village Ln #2306, Playa Vista, CA 90094, United States 🌎
 

package.json

@@ -1,8 +1,8 @@
 {
   "name": "tlsx",
   "type": "module",
-  "private": true,
   "version": "0.11.0",
+  "private": true,
   "description": "A TLS/HTTPS library with automation.",
   "author": "Chris Breuer <chris@stacksjs.org>",
   "license": "MIT",

packages/tlsx/bin/cli.ts

@@ -1,8 +1,9 @@
+import os from 'node:os'
+import process from 'node:process'
 import { CAC } from 'cac'
 import { consola as log } from 'consola'
-import os from 'node:os'
 import { version } from '../package.json'
-import { addCertToSystemTrustStoreAndSaveCert, createRootCA, generateCertificate, removeCertFromSystemTrustStore } from '../src/certificate'
+import { addCertToSystemTrustStoreAndSaveCert, cleanupTrustStore, createRootCA, generateCertificate, removeCertFromSystemTrustStore } from '../src/certificate'
 import { validateCertificate } from '../src/certificate/validation'
 import { config } from '../src/config'
 import { listCertsInDirectory, normalizeCertPaths } from '../src/utils'
@@ -112,11 +113,13 @@ cli
   .option('-ca, --ca-path <ca>', 'CA file path', { default: config.caCertPath })
   .option('-c, --cert-path <cert>', 'Certificate file path', { default: config.certPath })
   .option('-k, --key-path <key>', 'Key file path', { default: config.keyPath })
+  .option('--cert-name <name>', 'Specific certificate name to revoke')
   .option('--verbose', 'Enable verbose logging', { default: config.verbose })
   .usage('tlsx revoke [domain] [options]')
   .example('tlsx revoke example.com')
   .example('tlsx revoke example.com --ca-path /path/to/ca.crt')
-  .action(async (domain?: string, options?: Omit<CliOptions, 'domains'>) => {
+  .example('tlsx revoke example.com --cert-name "My Custom Cert Name"')
+  .action(async (domain?: string, options?: Omit<CliOptions, 'domains'> & { 'cert-name'?: string }) => {
     const cliOptions = options || {}
 
     // Validate that domain is provided
@@ -125,9 +128,10 @@ cli
     }
 
     const domainToRevoke = domain || config.domain
+    const certName = options?.['cert-name']
 
-    log.info(`Revoking certificate for domain: ${domainToRevoke}`)
-    log.debug('Options:', { ...cliOptions, domain: domainToRevoke })
+    log.info(`Revoking certificate for domain: ${domainToRevoke}${certName ? ` with name: ${certName}` : ''}`)
+    log.debug('Options:', { ...cliOptions, domain: domainToRevoke, certName })
 
     try {
       // Call the implemented certificate revocation function
@@ -136,10 +140,11 @@ cli
         certPath: cliOptions.certPath || config.certPath,
         keyPath: cliOptions.keyPath || config.keyPath,
         verbose: cliOptions.verbose,
-      })
+      }, certName)
 
-      log.success(`Certificate for ${domainToRevoke} has been revoked`)
-    } catch (error) {
+      log.success(`Certificate for ${domainToRevoke}${certName ? ` with name: ${certName}` : ''} has been revoked`)
+    }
+    catch (error) {
       log.error(`Failed to revoke certificate for ${domainToRevoke}: ${error}`)
       process.exit(1)
     }
@@ -169,7 +174,8 @@ cli
       certificates.forEach((certPath, index) => {
         log.info(`${index + 1}. ${certPath}`)
       })
-    } catch (error) {
+    }
+    catch (error) {
       log.error(`Failed to list certificates: ${error}`)
       process.exit(1)
     }
@@ -182,7 +188,7 @@ cli
   .usage('tlsx verify [cert-path] [options]')
   .example('tlsx verify /path/to/cert.crt')
   .example('tlsx verify /path/to/cert.crt --ca-path /path/to/ca.crt')
-  .action(async (certPath?: string, options?: { 'ca-path'?: string, verbose?: boolean }) => {
+  .action(async (certPath?: string, options?: { 'ca-path'?: string, 'verbose'?: boolean }) => {
     // If no certificate path is provided, use the default
     const certificatePath = certPath || config.certPath
     const caCertPath = options?.['ca-path'] || config.caCertPath
@@ -282,6 +288,52 @@ cli
     }
   })
 
+cli
+  .command('cleanup', 'Clean up all TLSX certificates from the system trust store')
+  .option('--force', 'Skip confirmation prompt', { default: false })
+  .option('--verbose', 'Enable verbose logging', { default: config.verbose })
+  .option('--pattern <pattern>', 'Certificate name pattern to match for cleanup')
+  .usage('tlsx cleanup [options]')
+  .example('tlsx cleanup')
+  .example('tlsx cleanup --force')
+  .example('tlsx cleanup --pattern "My Custom Cert"')
+  .action(async (options?: { force?: boolean, verbose?: boolean, pattern?: string }) => {
+    const force = options?.force || false
+    const verbose = options?.verbose || config.verbose
+    const pattern = options?.pattern
+
+    if (!force) {
+      log.warn(`This will remove ${pattern ? `certificates matching "${pattern}"` : 'all TLSX certificates'} from your system trust store.`)
+      log.warn('This action cannot be undone.')
+
+      // Simple confirmation prompt
+      process.stdout.write('Are you sure you want to continue? (y/N): ')
+
+      const response = await new Promise<string>((resolve) => {
+        process.stdin.once('data', (data) => {
+          resolve(data.toString().trim().toLowerCase())
+        })
+      })
+
+      if (response !== 'y' && response !== 'yes') {
+        log.info('Operation cancelled.')
+        return
+      }
+    }
+
+    log.info(`Cleaning up ${pattern ? `certificates matching "${pattern}"` : 'all TLSX certificates'} from system trust store...`)
+
+    try {
+      await cleanupTrustStore({ verbose }, pattern)
+
+      log.success(`${pattern ? `Certificates matching "${pattern}"` : 'All TLSX certificates'} have been removed from the system trust store`)
+    }
+    catch (error) {
+      log.error(`Failed to clean up certificates: ${error}`)
+      process.exit(1)
+    }
+  })
+
 cli.version(version)
 cli.help()
 cli.parse()

packages/tlsx/package.json

@@ -74,4 +74,4 @@
   "workspaces": [
     "packages/*"
   ]
-}
+}

packages/tlsx/src/certificate/generate.ts

@@ -1,5 +1,5 @@
-import forge, { pki } from 'node-forge'
 import type { CAOptions, Certificate, CertificateOptions } from '../types'
+import forge, { pki } from 'node-forge'
 import { config } from '../config'
 import { CERT_CONSTANTS } from '../constants'
 import { debugLog, getPrimaryDomain } from '../utils'
@@ -127,4 +127,4 @@ export async function generateCertificate(options: CertificateOptions): Promise<
     notBefore,
     notAfter,
   }
-}
+}

packages/tlsx/src/certificate/index.ts

@@ -1,10 +1,10 @@
 // Re-export all certificate modules
+// Re-export forge for compatibility
+import forge, { pki, tls } from 'node-forge'
+
 export * from './generate'
 export * from './store'
 export * from './trust'
 export * from './utils'
 export * from './validation'
-
-// Re-export forge for compatibility
-import forge, { pki, tls } from 'node-forge'
 export { forge, pki, tls }

packages/tlsx/src/certificate/store.ts

@@ -1,7 +1,6 @@
+import type { Cert, CertPath, TlsOption } from '../types'
 import fs from 'node:fs'
 import path from 'node:path'
-import type { Cert, CertPath, TlsOption } from '../types'
-import { config } from '../config'
 import { LOG_CATEGORIES } from '../constants'
 import { debugLog, normalizeCertPaths } from '../utils'
 
@@ -73,4 +72,4 @@ export function storeCACertificate(caCert: string, options?: TlsOption): CertPat
 
   debugLog(LOG_CATEGORIES.STORAGE, 'CA certificate stored successfully', options?.verbose)
   return caCertPath
-}
+}