@certd/acme-client 1.20.2 → 1.20.6

package/src/crypto/index.js

@@ -7,10 +7,21 @@
 const net = require('net');
 const { promisify } = require('util');
 const crypto = require('crypto');
-const jsrsasign = require('jsrsasign');
+const asn1js = require('asn1js');
+const x509 = require('@peculiar/x509');
 
+const randomInt = promisify(crypto.randomInt);
 const generateKeyPair = promisify(crypto.generateKeyPair);
 
+/* Use Node.js Web Crypto API */
+x509.cryptoProvider.set(crypto.webcrypto);
+
+/* id-ce-subjectAltName - https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
+const subjectAltNameOID = '2.5.29.17';
+
+/* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
+const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
+
 
 /**
  * Determine key type and info by attempting to derive public key
@@ -24,17 +35,14 @@ function getKeyInfo(keyPem) {
     const result = {
         isRSA: false,
         isECDSA: false,
-        signatureAlgorithm: null,
         publicKey: crypto.createPublicKey(keyPem)
     };
 
     if (result.publicKey.asymmetricKeyType === 'rsa') {
         result.isRSA = true;
-        result.signatureAlgorithm = 'SHA256withRSA';
     }
     else if (result.publicKey.asymmetricKeyType === 'ec') {
         result.isECDSA = true;
-        result.signatureAlgorithm = 'SHA256withECDSA';
     }
     else {
         throw new Error('Unable to parse key information, unknown format');
@@ -169,24 +177,42 @@ exports.getJwk = getJwk;
 
 
 /**
- * Fix missing support for NIST curve names in jsrsasign
+ * Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
  *
  * @private
- * @param {string} crv NIST curve name
- * @returns {string} SECG curve name
+ * @param {buffer|string} keyPem PEM encoded private key
+ * @returns {Promise<array>} [keyPair, signingAlgorithm]
  */
 
-function convertNistCurveNameToSecg(nistName) {
-    switch (nistName) {
-        case 'P-256':
-            return 'secp256r1';
-        case 'P-384':
-            return 'secp384r1';
-        case 'P-521':
-            return 'secp521r1';
-        default:
-            return nistName;
+async function getWebCryptoKeyPair(keyPem) {
+    const info = getKeyInfo(keyPem);
+    const jwk = getJwk(keyPem);
+
+    /* Signing algorithm */
+    const sigalg = {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: { name: 'SHA-256' }
+    };
+
+    if (info.isECDSA) {
+        sigalg.name = 'ECDSA';
+        sigalg.namedCurve = jwk.crv;
+
+        if (jwk.crv === 'P-384') {
+            sigalg.hash.name = 'SHA-384';
+        }
+
+        if (jwk.crv === 'P-521') {
+            sigalg.hash.name = 'SHA-512';
+        }
     }
+
+    /* Decode PEM and import into CryptoKeyPair */
+    const privateKeyDec = x509.PemConverter.decodeFirst(keyPem.toString());
+    const privateKey = await crypto.webcrypto.subtle.importKey('pkcs8', privateKeyDec, sigalg, true, ['sign']);
+    const publicKey = await crypto.webcrypto.subtle.importKey('jwk', jwk, sigalg, true, ['verify']);
+
+    return [{ privateKey, publicKey }, sigalg];
 }
 
 
@@ -194,7 +220,7 @@ function convertNistCurveNameToSecg(nistName) {
  * Split chain of PEM encoded objects from string into array
  *
  * @param {buffer|string} chainPem PEM encoded object chain
- * @returns {array} Array of PEM objects including headers
+ * @returns {string[]} Array of PEM objects including headers
  */
 
 function splitPemChain(chainPem) {
@@ -202,15 +228,9 @@ function splitPemChain(chainPem) {
         chainPem = chainPem.toString();
     }
 
-    return chainPem
-        /* Split chain into chunks, starting at every header */
-        .split(/\s*(?=-----BEGIN [A-Z0-9- ]+-----\r?\n?)/g)
-        /* Match header, PEM body and footer */
-        .map((pem) => pem.match(/\s*-----BEGIN ([A-Z0-9- ]+)-----\r?\n?([\S\s]+)\r?\n?-----END \1-----/))
-        /* Filter out non-matches or empty bodies */
-        .filter((pem) => pem && pem[2] && pem[2].replace(/[\r\n]+/g, '').trim())
-        /* Decode to hex, and back to PEM for formatting etc */
-        .map(([pem, header]) => jsrsasign.hextopem(jsrsasign.pemtohex(pem, header), header));
+    /* Decode into array and re-encode */
+    return x509.PemConverter.decodeWithHeaders(chainPem)
+        .map((params) => x509.PemConverter.encode([params]));
 }
 
 exports.splitPemChain = splitPemChain;
@@ -231,43 +251,28 @@ exports.getPemBodyAsB64u = (pem) => {
         throw new Error('Unable to parse PEM body from string');
     }
 
-    /* First object, hex and back to b64 without new lines */
-    return jsrsasign.hextob64u(jsrsasign.pemtohex(chain[0]));
+    /* Select first object, extract body and convert to b64u */
+    const dec = x509.PemConverter.decodeFirst(chain[0]);
+    return Buffer.from(dec).toString('base64url');
 };
 
 
-/**
- * Parse common name from a subject object
- *
- * @private
- * @param {object} subj Subject returned from jsrsasign
- * @returns {string} Common name value
- */
-
-function parseCommonName(subj) {
-    const subjectArr = (subj && subj.array) ? subj.array : [];
-    const cnArr = subjectArr.find((s) => (s[0] && s[0].type && s[0].value && (s[0].type === 'CN')));
-    return (cnArr && cnArr.length && cnArr[0].value) ? cnArr[0].value : null;
-}
-
-
 /**
  * Parse domains from a certificate or CSR
  *
  * @private
- * @param {object} params Certificate or CSR params returned from jsrsasign
+ * @param {object} input x509.Certificate or x509.Pkcs10CertificateRequest
  * @returns {object} {commonName, altNames}
  */
 
-function parseDomains(params) {
-    const commonName = parseCommonName(params.subject);
-    const extensionArr = (params.ext || params.extreq || []);
+function parseDomains(input) {
+    const commonName = input.subjectName.getField('CN').pop() || null;
+    const altNamesRaw = input.getExtension(subjectAltNameOID);
     let altNames = [];
 
-    if (extensionArr && extensionArr.length) {
-        const altNameExt = extensionArr.find((e) => (e.extname && (e.extname === 'subjectAltName')));
-        const altNameArr = (altNameExt && altNameExt.array && altNameExt.array.length) ? altNameExt.array : [];
-        altNames = altNameArr.map((a) => Object.values(a)[0] || null).filter((a) => a);
+    if (altNamesRaw) {
+        const altNamesExt = new x509.SubjectAlternativeNameExtension(altNamesRaw.rawData);
+        altNames = altNames.concat(altNamesExt.names.items.map((i) => i.value));
     }
 
     return {
@@ -297,9 +302,9 @@ exports.readCsrDomains = (csrPem) => {
         csrPem = csrPem.toString();
     }
 
-    /* Parse CSR */
-    const params = jsrsasign.KJUR.asn1.csr.CSRUtil.getParam(csrPem);
-    return parseDomains(params);
+    const dec = x509.PemConverter.decodeFirst(csrPem);
+    const csr = new x509.Pkcs10CertificateRequest(dec);
+    return parseDomains(csr);
 };
 
 
@@ -324,48 +329,43 @@ exports.readCsrDomains = (csrPem) => {
  */
 
 exports.readCertificateInfo = (certPem) => {
-    const chain = splitPemChain(certPem);
-
-    if (!chain.length) {
-        throw new Error('Unable to parse PEM body from string');
+    if (Buffer.isBuffer(certPem)) {
+        certPem = certPem.toString();
     }
 
-    /* Parse certificate */
-    const obj = new jsrsasign.X509();
-    obj.readCertPEM(chain[0]);
-    const params = obj.getParam();
+    const dec = x509.PemConverter.decodeFirst(certPem);
+    const cert = new x509.X509Certificate(dec);
 
     return {
         issuer: {
-            commonName: parseCommonName(params.issuer)
+            commonName: cert.issuerName.getField('CN').pop() || null
         },
-        domains: parseDomains(params),
-        notBefore: jsrsasign.zulutodate(params.notbefore),
-        notAfter: jsrsasign.zulutodate(params.notafter)
+        domains: parseDomains(cert),
+        notBefore: cert.notBefore,
+        notAfter: cert.notAfter
     };
 };
 
 
 /**
- * Determine ASN.1 character string type for CSR subject field
+ * Determine ASN.1 character string type for CSR subject field name
  *
- * https://tools.ietf.org/html/rfc5280
- * https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/x509-1.1.js#L2404-L2412
- * https://github.com/kjur/jsrsasign/blob/2613c64559768b91dde9793dfa318feacb7c3b8a/src/asn1x509-1.0.js#L3526-L3535
+ * https://datatracker.ietf.org/doc/html/rfc5280
+ * https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
  *
  * @private
- * @param {string} field CSR subject field
- * @returns {string} ASN.1 jsrsasign character string type
+ * @param {string} field CSR subject field name
+ * @returns {string} ASN.1 character string type
  */
 
 function getCsrAsn1CharStringType(field) {
     switch (field) {
         case 'C':
-            return 'prn';
+            return 'printableString';
         case 'E':
-            return 'ia5';
+            return 'ia5String';
         default:
-            return 'utf8';
+            return 'utf8String';
     }
 }
 
@@ -373,6 +373,8 @@ function getCsrAsn1CharStringType(field) {
 /**
  * Create array of subject fields for a Certificate Signing Request
  *
+ * https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/name.ts#L65-L71
+ *
  * @private
  * @param {object} input Key-value of subject fields
  * @returns {object[]} Certificate Signing Request subject array
@@ -382,7 +384,7 @@ function createCsrSubject(input) {
     return Object.entries(input).reduce((result, [type, value]) => {
         if (value) {
             const ds = getCsrAsn1CharStringType(type);
-            result.push([{ type, value, ds }]);
+            result.push({ [type]: [{ [ds]: value }] });
         }
 
         return result;
@@ -391,20 +393,20 @@ function createCsrSubject(input) {
 
 
 /**
- * Create array of alt names for Certificate Signing Requests
+ * Create x509 subject alternate name extension
  *
- * https://github.com/kjur/jsrsasign/blob/3edc0070846922daea98d9588978e91d855577ec/src/x509-1.1.js#L1355-L1410
+ * https://github.com/PeculiarVentures/x509/blob/ecf78224fd594abbc2fa83c41565d79874f88e00/src/extensions/subject_alt_name.ts
  *
  * @private
  * @param {string[]} altNames Array of alt names
- * @returns {object[]} Certificate Signing Request alt names array
+ * @returns {x509.SubjectAlternativeNameExtension} Subject alternate name extension
  */
 
-function formatCsrAltNames(altNames) {
-    return altNames.map((value) => {
-        const key = net.isIP(value) ? 'ip' : 'dns';
-        return { [key]: value };
-    });
+function createSubjectAltNameExtension(altNames) {
+    return new x509.SubjectAlternativeNameExtension(altNames.map((value) => {
+        const type = net.isIP(value) ? 'ip' : 'dns';
+        return { type, value };
+    }));
 }
 
 
@@ -414,14 +416,14 @@ function formatCsrAltNames(altNames) {
  * @param {object} data
  * @param {number} [data.keySize] Size of newly created RSA private key modulus in bits, default: `2048`
  * @param {string} [data.commonName] FQDN of your server
- * @param {array} [data.altNames] SAN (Subject Alternative Names), default: `[]`
+ * @param {string[]} [data.altNames] SAN (Subject Alternative Names), default: `[]`
  * @param {string} [data.country] 2 letter country code
  * @param {string} [data.state] State or province
  * @param {string} [data.locality] City
  * @param {string} [data.organization] Organization name
  * @param {string} [data.organizationUnit] Organizational unit name
  * @param {string} [data.emailAddress] Email address
- * @param {string} [keyPem] PEM encoded CSR private key
+ * @param {buffer|string} [keyPem] PEM encoded CSR private key
  * @returns {Promise<buffer[]>} [privateKey, certificateSigningRequest]
  *
  * @example Create a Certificate Signing Request
@@ -474,53 +476,144 @@ exports.createCsr = async (data, keyPem = null) => {
         data.altNames = [];
     }
 
-    /* Get key info and JWK */
-    const info = getKeyInfo(keyPem);
-    const jwk = getJwk(keyPem);
-    const extensionRequests = [];
-
-    /* Missing support for NIST curve names in jsrsasign - https://github.com/kjur/jsrsasign/blob/master/src/asn1x509-1.0.js#L4388-L4393 */
-    if (jwk.crv && (jwk.kty === 'EC')) {
-        jwk.crv = convertNistCurveNameToSecg(jwk.crv);
-    }
-
     /* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
     if (data.commonName && !data.altNames.includes(data.commonName)) {
         data.altNames.unshift(data.commonName);
     }
 
-    /* Subject */
-    const subject = createCsrSubject({
-        CN: data.commonName,
-        C: data.country,
-        ST: data.state,
-        L: data.locality,
-        O: data.organization,
-        OU: data.organizationUnit,
-        E: data.emailAddress
-    });
+    /* CryptoKeyPair and signing algorithm from private key */
+    const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
 
-    /* SAN extension */
-    if (data.altNames.length) {
-        extensionRequests.push({
-            extname: 'subjectAltName',
-            array: formatCsrAltNames(data.altNames)
-        });
-    }
+    const extensions = [
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
+        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
+        createSubjectAltNameExtension(data.altNames)
+    ];
 
     /* Create CSR */
-    const csr = new jsrsasign.KJUR.asn1.csr.CertificationRequest({
-        subject: { array: subject },
-        sigalg: info.signatureAlgorithm,
-        sbjprvkey: keyPem.toString(),
-        sbjpubkey: jwk,
-        extreq: extensionRequests
+    const csr = await x509.Pkcs10CertificateRequestGenerator.create({
+        keys,
+        extensions,
+        signingAlgorithm,
+        name: createCsrSubject({
+            CN: data.commonName,
+            C: data.country,
+            ST: data.state,
+            L: data.locality,
+            O: data.organization,
+            OU: data.organizationUnit,
+            E: data.emailAddress
+        })
     });
 
-    /* Sign CSR, get PEM */
-    csr.sign();
-    const pem = csr.getPEM();
+    /* Done */
+    const pem = csr.toString('pem');
+    return [keyPem, Buffer.from(pem)];
+};
+
+
+/**
+ * Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8737
+ *
+ * @param {object} authz Identifier authorization
+ * @param {string} keyAuthorization Challenge key authorization
+ * @param {buffer|string} [keyPem] PEM encoded CSR private key
+ * @returns {Promise<buffer[]>} [privateKey, certificate]
+ *
+ * @example Create a ALPN certificate
+ * ```js
+ * const [alpnKey, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization);
+ * ```
+ *
+ * @example Create a ALPN certificate with ECDSA private key
+ * ```js
+ * const alpnKey = await acme.crypto.createPrivateEcdsaKey();
+ * const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
+ */
+
+exports.createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
+    if (!keyPem) {
+        keyPem = await createPrivateRsaKey();
+    }
+    else if (!Buffer.isBuffer(keyPem)) {
+        keyPem = Buffer.from(keyPem);
+    }
+
+    const now = new Date();
+    const commonName = authz.identifier.value;
+
+    /* Pseudo-random serial - max 20 bytes, 11 for epoch (year 5138), 9 random */
+    const random = await randomInt(1, 999999999);
+    const serialNumber = `${Math.floor(now.getTime() / 1000)}${random}`;
+
+    /* CryptoKeyPair and signing algorithm from private key */
+    const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
+
+    const extensions = [
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
+        new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true), // eslint-disable-line no-bitwise
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9 */
+        new x509.BasicConstraintsExtension(true, 2, true),
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 */
+        await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
+
+        /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
+        createSubjectAltNameExtension([commonName])
+    ];
+
+    /* ALPN extension */
+    const payload = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
+    const octstr = new asn1js.OctetString({ valueHex: Buffer.from(payload, 'hex') });
+    extensions.push(new x509.Extension(alpnAcmeIdentifierOID, true, octstr.toBER()));
+
+    /* Self-signed ALPN certificate */
+    const cert = await x509.X509CertificateGenerator.createSelfSigned({
+        keys,
+        signingAlgorithm,
+        extensions,
+        serialNumber,
+        notBefore: now,
+        notAfter: now,
+        name: createCsrSubject({
+            CN: commonName
+        })
+    });
 
     /* Done */
+    const pem = cert.toString('pem');
     return [keyPem, Buffer.from(pem)];
 };
+
+
+/**
+ * Validate that a ALPN certificate contains the expected key authorization
+ *
+ * @param {buffer|string} certPem PEM encoded certificate
+ * @param {string} keyAuthorization Expected challenge key authorization
+ * @returns {boolean} True when valid
+ */
+
+exports.isAlpnCertificateAuthorizationValid = (certPem, keyAuthorization) => {
+    const expected = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
+
+    /* Attempt to locate ALPN extension */
+    const cert = new x509.X509Certificate(certPem);
+    const ext = cert.getExtension(alpnAcmeIdentifierOID);
+
+    if (!ext) {
+        throw new Error('Unable to locate ALPN extension within parsed certificate');
+    }
+
+    /* Decode extension value */
+    const parsed = asn1js.fromBER(ext.value);
+    const result = Buffer.from(parsed.result.valueBlock.valueHexView).toString('hex');
+
+    /* Return true if match */
+    return (result === expected);
+};

package/src/http.js

@@ -3,10 +3,20 @@
  */
 
 const { createHmac, createSign, constants: { RSA_PKCS1_PADDING } } = require('crypto');
+const { HttpsProxyAgent } = require('https-proxy-agent');
 const { getJwk } = require('./crypto');
 const { log } = require('./logger');
-const axios = require('./axios');
+const axios1 = require('./axios');
 
+const httpsProxy = process.env.HTTPS_PROXY || process.env.https_proxy;
+let httpsAgent = null;
+if (httpsProxy) {
+    httpsAgent = new HttpsProxyAgent(httpsProxy);
+}
+const axios = axios1.create({
+    proxy: false,
+    httpsAgent
+});
 
 /**
  * ACME HTTP client
@@ -64,7 +74,7 @@ class HttpClient {
     /**
      * Ensure provider directory exists
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.1.1
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
      *
      * @returns {Promise}
      */
@@ -104,7 +114,7 @@ class HttpClient {
     /**
      * Get nonce from directory API endpoint
      *
-     * https://tools.ietf.org/html/rfc8555#section-7.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.2
      *
      * @returns {Promise<string>} nonce
      */
@@ -267,7 +277,7 @@ class HttpClient {
     /**
      * Signed HTTP request
      *
-     * https://tools.ietf.org/html/rfc8555#section-6.2
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-6.2
      *
      * @param {string} url Request URL
      * @param {object} payload Request payload
@@ -299,7 +309,7 @@ class HttpClient {
         const data = this.createSignedBody(url, payload, { nonce, kid });
         const resp = await this.request(url, 'post', { data });
 
-        /* Retry on bad nonce - https://tools.ietf.org/html/draft-ietf-acme-acme-10#section-6.4 */
+        /* Retry on bad nonce - https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme-10#section-6.4 */
         if (resp.data && resp.data.type && (resp.status === 400) && (resp.data.type === 'urn:ietf:params:acme:error:badNonce') && (attempts < this.maxBadNonceRetries)) {
             nonce = resp.headers['replay-nonce'] || null;
             attempts += 1;

package/src/util.js

@@ -2,6 +2,7 @@
  * Utility methods
  */
 
+const tls = require('tls');
 const dns = require('dns').promises;
 const { readCertificateInfo, splitPemChain } = require('./crypto');
 const { log } = require('./logger');
@@ -92,7 +93,7 @@ function retry(fn, { attempts = 5, min = 5000, max = 30000 } = {}) {
  *
  * @param {string} header Link header contents
  * @param {string} rel Link relation, default: `alternate`
- * @returns {array} Array of URLs
+ * @returns {string[]} Array of URLs
  */
 
 function parseLinkHeader(header, rel = 'alternate') {
@@ -112,7 +113,7 @@ function parseLinkHeader(header, rel = 'alternate') {
  *  - If issuer is found in multiple chains, the closest to root wins
  *  - If issuer can not be located, the first chain will be returned
  *
- * @param {array} certificates Array of PEM encoded certificate chains
+ * @param {string[]} certificates Array of PEM encoded certificate chains
  * @param {string} issuer Preferred certificate issuer
  * @returns {string} PEM encoded certificate chain
  */
@@ -245,6 +246,60 @@ async function getAuthoritativeDnsResolver(recordName) {
 }
 
 
+/**
+ * Attempt to retrieve TLS ALPN certificate from peer
+ *
+ * https://nodejs.org/api/tls.html#tlsconnectoptions-callback
+ *
+ * @param {string} host Host the TLS client should connect to
+ * @param {number} port Port the client should connect to
+ * @param {string} servername Server name for the SNI (Server Name Indication)
+ * @returns {Promise<string>} PEM encoded certificate
+ */
+
+async function retrieveTlsAlpnCertificate(host, port, timeout = 30000) {
+    return new Promise((resolve, reject) => {
+        let result;
+
+        /* TLS connection */
+        const socket = tls.connect({
+            host,
+            port,
+            servername: host,
+            rejectUnauthorized: false,
+            ALPNProtocols: ['acme-tls/1']
+        });
+
+        socket.setTimeout(timeout);
+        socket.setEncoding('utf-8');
+
+        /* Grab certificate once connected and close */
+        socket.on('secureConnect', () => {
+            result = socket.getPeerX509Certificate();
+            socket.end();
+        });
+
+        /* Errors */
+        socket.on('error', (err) => {
+            reject(err);
+        });
+
+        socket.on('timeout', () => {
+            socket.destroy(new Error('TLS ALPN certificate lookup request timed out'));
+        });
+
+        /* Done, return cert as PEM if found */
+        socket.on('end', () => {
+            if (result) {
+                return resolve(result.toString());
+            }
+
+            return reject(new Error('TLS ALPN lookup failed to retrieve certificate'));
+        });
+    });
+}
+
+
 /**
  * Export utils
  */
@@ -254,5 +309,6 @@ module.exports = {
     parseLinkHeader,
     findCertificateChainForIssuer,
     formatResponseError,
-    getAuthoritativeDnsResolver
+    getAuthoritativeDnsResolver,
+    retrieveTlsAlpnCertificate
 };