@certd/acme-client 1.39.11 → 1.39.13

package/{src → dist}/crypto/forge.js

@@ -1,3 +1,4 @@
+// @ts-nocheck
 /**
  * Legacy node-forge crypto interface
  *
@@ -10,9 +11,7 @@ import net from 'net';
 import { promisify } from 'util';
 import forge from 'node-forge';
 import { createPrivateEcdsaKey } from './index.js';
-
 const generateKeyPair = promisify(forge.pki.rsa.generateKeyPair);
-
 /**
  * Attempt to parse forge object from PEM encoded string
  *
@@ -20,39 +19,31 @@ const generateKeyPair = promisify(forge.pki.rsa.generateKeyPair);
  * @param {string} input PEM string
  * @return {object}
  */
-
 function forgeObjectFromPem(input) {
     const msg = forge.pem.decode(input)[0];
     let result;
-
     switch (msg.type) {
         case 'PRIVATE KEY':
         case 'RSA PRIVATE KEY':
             result = forge.pki.privateKeyFromPem(input);
             break;
-
         case 'PUBLIC KEY':
         case 'RSA PUBLIC KEY':
             result = forge.pki.publicKeyFromPem(input);
             break;
-
         case 'CERTIFICATE':
         case 'X509 CERTIFICATE':
         case 'TRUSTED CERTIFICATE':
             result = forge.pki.certificateFromPem(input).publicKey;
             break;
-
         case 'CERTIFICATE REQUEST':
             result = forge.pki.certificationRequestFromPem(input).publicKey;
             break;
-
         default:
             throw new Error('Unable to detect forge message type');
     }
-
     return result;
 }
-
 /**
  * Parse domain names from a certificate or CSR
  *
@@ -60,41 +51,33 @@ function forgeObjectFromPem(input) {
  * @param {object} obj Forge certificate or CSR
  * @returns {object} {commonName, altNames}
  */
-
 function parseDomains(obj) {
     let commonName = null;
     let altNames = [];
     let altNamesDict = [];
-
     const commonNameObject = (obj.subject.attributes || []).find((a) => a.name === 'commonName');
     const rootAltNames = (obj.extensions || []).find((e) => 'altNames' in e);
     const rootExtensions = (obj.attributes || []).find((a) => 'extensions' in a);
-
     if (rootAltNames && rootAltNames.altNames && rootAltNames.altNames.length) {
         altNamesDict = rootAltNames.altNames;
     }
     else if (rootExtensions && rootExtensions.extensions && rootExtensions.extensions.length) {
         const extAltNames = rootExtensions.extensions.find((e) => 'altNames' in e);
-
         if (extAltNames && extAltNames.altNames && extAltNames.altNames.length) {
             altNamesDict = extAltNames.altNames;
         }
     }
-
     if (commonNameObject) {
         commonName = commonNameObject.value;
     }
-
     if (altNamesDict) {
         altNames = altNamesDict.map((a) => a.value);
     }
-
     return {
         commonName,
         altNames,
     };
 }
-
 /**
  * Generate a private RSA key
  *
@@ -111,14 +94,11 @@ function parseDomains(obj) {
  * const privateKey = await acme.forge.createPrivateKey(4096);
  * ```
  */
-
 export async function createPrivateKey(size = 2048) {
     const keyPair = await generateKeyPair({ bits: size });
     const pemKey = forge.pki.privateKeyToPem(keyPair.privateKey);
     return Buffer.from(pemKey);
 }
-
-
 /**
  * Create public key from a private RSA key
  *
@@ -130,14 +110,12 @@ export async function createPrivateKey(size = 2048) {
  * const publicKey = await acme.forge.createPublicKey(privateKey);
  * ```
  */
-
 export const createPublicKey = async (key) => {
     const privateKey = forge.pki.privateKeyFromPem(key);
     const publicKey = forge.pki.rsa.setPublicKey(privateKey.n, privateKey.e);
     const pemKey = forge.pki.publicKeyToPem(publicKey);
     return Buffer.from(pemKey);
 };
-
 /**
  * Parse body of PEM encoded object from buffer or string
  * If multiple objects are chained, the first body will be returned
@@ -145,21 +123,17 @@ export const createPublicKey = async (key) => {
  * @param {buffer|string} str PEM encoded buffer or string
  * @returns {string} PEM body
  */
-
 export const getPemBody = (str) => {
     const msg = forge.pem.decode(str)[0];
     return forge.util.encode64(msg.body);
 };
-
 /**
  * Split chain of PEM encoded objects from buffer or string into array
  *
  * @param {buffer|string} str PEM encoded buffer or string
  * @returns {string[]} Array of PEM bodies
  */
-
 export const splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode);
-
 /**
  * Get modulus
  *
@@ -173,16 +147,13 @@ export const splitPemChain = (str) => forge.pem.decode(str).map(forge.pem.encode
  * const m3 = await acme.forge.getModulus(certificateRequest);
  * ```
  */
-
 export const getModulus = async (input) => {
     if (!Buffer.isBuffer(input)) {
         input = Buffer.from(input);
     }
-
     const obj = forgeObjectFromPem(input);
     return Buffer.from(forge.util.hexToBytes(obj.n.toString(16)), 'binary');
 };
-
 /**
  * Get public exponent
  *
@@ -196,16 +167,13 @@ export const getModulus = async (input) => {
  * const e3 = await acme.forge.getPublicExponent(certificateRequest);
  * ```
  */
-
 export const getPublicExponent = async (input) => {
     if (!Buffer.isBuffer(input)) {
         input = Buffer.from(input);
     }
-
     const obj = forgeObjectFromPem(input);
     return Buffer.from(forge.util.hexToBytes(obj.e.toString(16)), 'binary');
 };
-
 /**
  * Read domains from a Certificate Signing Request
  *
@@ -220,16 +188,13 @@ export const getPublicExponent = async (input) => {
  * console.log(`Alt names: ${altNames.join(', ')}`);
  * ```
  */
-
 export const readCsrDomains = async (csr) => {
     if (!Buffer.isBuffer(csr)) {
         csr = Buffer.from(csr);
     }
-
     const obj = forge.pki.certificationRequestFromPem(csr);
     return parseDomains(obj);
 };
-
 /**
  * Read information from a certificate
  *
@@ -248,15 +213,12 @@ export const readCsrDomains = async (csr) => {
  * console.log(`Alt names: ${altNames.join(', ')}`);
  * ```
  */
-
 export const readCertificateInfo = async (cert) => {
     if (!Buffer.isBuffer(cert)) {
         cert = Buffer.from(cert);
     }
-
     const obj = forge.pki.certificateFromPem(cert);
     const issuerCn = (obj.issuer.attributes || []).find((a) => a.name === 'commonName');
-
     return {
         issuer: {
             commonName: issuerCn ? issuerCn.value : null,
@@ -266,7 +228,6 @@ export const readCertificateInfo = async (cert) => {
         notBefore: obj.validity.notBefore,
     };
 };
-
 /**
  * Determine ASN.1 type for CSR subject short name
  * Note: https://datatracker.ietf.org/doc/html/rfc5280
@@ -275,7 +236,6 @@ export const readCertificateInfo = async (cert) => {
  * @param {string} shortName CSR subject short name
  * @returns {forge.asn1.Type} ASN.1 type
  */
-
 function getCsrValueTagClass(shortName) {
     switch (shortName) {
         case 'C':
@@ -286,7 +246,6 @@ function getCsrValueTagClass(shortName) {
             return forge.asn1.Type.UTF8;
     }
 }
-
 /**
  * Create array of short names and values for Certificate Signing Request subjects
  *
@@ -294,18 +253,15 @@ function getCsrValueTagClass(shortName) {
  * @param {object} subjectObj Key-value of short names and values
  * @returns {object[]} Certificate Signing Request subject array
  */
-
 function createCsrSubject(subjectObj) {
     return Object.entries(subjectObj).reduce((result, [shortName, value]) => {
         if (value) {
             const valueTagClass = getCsrValueTagClass(shortName);
             result.push({ shortName, value, valueTagClass });
         }
-
         return result;
     }, []);
 }
-
 /**
  * Create array of alt names for Certificate Signing Requests
  * Note: https://github.com/digitalbazaar/forge/blob/dfdde475677a8a25c851e33e8f81dca60d90cfb9/lib/x509.js#L1444-L1454
@@ -314,14 +270,12 @@ function createCsrSubject(subjectObj) {
  * @param {string[]} altNames Alt names
  * @returns {object[]} Certificate Signing Request alt names array
  */
-
 function formatCsrAltNames(altNames) {
     return altNames.map((value) => {
         const type = net.isIP(value) ? 7 : 2;
         return { type, value };
     });
 }
-
 /**
  * Create a Certificate Signing Request
  *
@@ -376,7 +330,6 @@ function formatCsrAltNames(altNames) {
  *     altNames: ['test.example.com'],
  * }, certificateKey);
  */
-
 export const createCsr = async (data, keyType = null) => {
     let key = null;
     if (keyType === 'ec') {
@@ -388,25 +341,20 @@ export const createCsr = async (data, keyType = null) => {
     // else if (!Buffer.isBuffer(key)) {
     //     key = Buffer.from(key);
     // }
-
     if (typeof data.altNames === 'undefined') {
         data.altNames = [];
     }
-
     const csr = forge.pki.createCertificationRequest();
-
     /* Public key */
     const privateKey = forge.pki.privateKeyFromPem(key);
     const publicKey = forge.pki.rsa.setPublicKey(privateKey.n, privateKey.e);
     csr.publicKey = publicKey;
     // const privateKey = key;
     // csr.publicKey = getPublicKey(key);
-
     /* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
     if (data.commonName && !data.altNames.includes(data.commonName)) {
         data.altNames.unshift(data.commonName);
     }
-
     /* Subject */
     const subject = createCsrSubject({
         CN: data.commonName,
@@ -417,23 +365,19 @@ export const createCsr = async (data, keyType = null) => {
         OU: data.organizationUnit,
         E: data.emailAddress,
     });
-
     csr.setSubject(subject);
-
     /* SAN extension */
     if (data.altNames.length) {
         csr.setAttributes([{
-            name: 'extensionRequest',
-            extensions: [{
-                name: 'subjectAltName',
-                altNames: formatCsrAltNames(data.altNames),
-            }],
-        }]);
+                name: 'extensionRequest',
+                extensions: [{
+                        name: 'subjectAltName',
+                        altNames: formatCsrAltNames(data.altNames),
+                    }],
+            }]);
     }
-
     /* Sign CSR using SHA-256 */
     csr.sign(privateKey, forge.md.sha256.create());
-
     /* Done */
     const pemCsr = forge.pki.certificationRequestToPem(csr);
     return [key, Buffer.from(pemCsr)];

package/dist/crypto/index.d.ts

@@ -0,0 +1,215 @@
+/**
+ * Generate a private RSA key
+ *
+ * @param {number} [modulusLength] Size of the keys modulus in bits, default: `2048`
+ * @returns {Promise<buffer>} PEM encoded private RSA key
+ *
+ * @example Generate private RSA key
+ * ```js
+ * const privateKey = await acme.crypto.createPrivateRsaKey();
+ * ```
+ *
+ * @example Private RSA key with modulus size 4096
+ * ```js
+ * const privateKey = await acme.crypto.createPrivateRsaKey(4096);
+ * ```
+ */
+export declare function createPrivateRsaKey(modulusLength?: number, encodingType?: string): Promise<Buffer>;
+/**
+ * Alias of `createPrivateRsaKey()`
+ *
+ * @function
+ */
+export declare const createPrivateKey: typeof createPrivateRsaKey;
+/**
+ * Generate a private ECDSA key
+ *
+ * @param {string} [namedCurve] ECDSA curve name (P-256, P-384 or P-521), default `P-256`
+ * @returns {Promise<buffer>} PEM encoded private ECDSA key
+ *
+ * @example Generate private ECDSA key
+ * ```js
+ * const privateKey = await acme.crypto.createPrivateEcdsaKey();
+ * ```
+ *
+ * @example Private ECDSA key using P-384 curve
+ * ```js
+ * const privateKey = await acme.crypto.createPrivateEcdsaKey('P-384');
+ * ```
+ */
+export declare const createPrivateEcdsaKey: (namedCurve?: string, encodingType?: string) => Promise<Buffer>;
+/**
+ * Get a public key derived from a RSA or ECDSA key
+ *
+ * @param {buffer|string} keyPem PEM encoded private or public key
+ * @returns {buffer} PEM encoded public key
+ *
+ * @example Get public key
+ * ```js
+ * const publicKey = acme.crypto.getPublicKey(privateKey);
+ * ```
+ */
+export declare const getPublicKey: (keyPem: any) => Buffer;
+/**
+ * Get a JSON Web Key derived from a RSA or ECDSA key
+ *
+ * https://datatracker.ietf.org/doc/html/rfc7517
+ *
+ * @param {buffer|string} keyPem PEM encoded private or public key
+ * @returns {object} JSON Web Key
+ *
+ * @example Get JWK
+ * ```js
+ * const jwk = acme.crypto.getJwk(privateKey);
+ * ```
+ */
+export declare function getJwk(keyPem: any): {};
+/**
+ * Split chain of PEM encoded objects from string into array
+ *
+ * @param {buffer|string} chainPem PEM encoded object chain
+ * @returns {string[]} Array of PEM objects including headers
+ */
+export declare function splitPemChain(chainPem: any): string[];
+/**
+ * Parse body of PEM encoded object and return a Base64URL string
+ * If multiple objects are chained, the first body will be returned
+ *
+ * @param {buffer|string} pem PEM encoded chain or object
+ * @returns {string} Base64URL-encoded body
+ */
+export declare const getPemBodyAsB64u: (pem: any) => string;
+/**
+ * Read domains from a Certificate Signing Request
+ *
+ * @param {buffer|string} csrPem PEM encoded Certificate Signing Request
+ * @returns {object} {commonName, altNames}
+ *
+ * @example Read Certificate Signing Request domains
+ * ```js
+ * const { commonName, altNames } = acme.crypto.readCsrDomains(certificateRequest);
+ *
+ * console.log(`Common name: ${commonName}`);
+ * console.log(`Alt names: ${altNames.join(', ')}`);
+ * ```
+ */
+export declare const readCsrDomains: (csrPem: any) => {
+    commonName: any;
+    altNames: any[];
+};
+/**
+ * Read information from a certificate
+ * If multiple certificates are chained, the first will be read
+ *
+ * @param {buffer|string} certPem PEM encoded certificate or chain
+ * @returns {object} Certificate info
+ *
+ * @example Read certificate information
+ * ```js
+ * const info = acme.crypto.readCertificateInfo(certificate);
+ * const { commonName, altNames } = info.domains;
+ *
+ * console.log(`Not after: ${info.notAfter}`);
+ * console.log(`Not before: ${info.notBefore}`);
+ *
+ * console.log(`Common name: ${commonName}`);
+ * console.log(`Alt names: ${altNames.join(', ')}`);
+ * ```
+ */
+export declare const readCertificateInfo: (certPem: any) => {
+    issuer: {
+        commonName: string;
+    };
+    domains: {
+        commonName: any;
+        altNames: any[];
+    };
+    notBefore: Date;
+    notAfter: Date;
+};
+/**
+ * Create a Certificate Signing Request
+ *
+ * @param {object} data
+ * @param {number} [data.keySize] Size of newly created RSA private key modulus in bits, default: `2048`
+ * @param {string} [data.commonName] FQDN of your server
+ * @param {string[]} [data.altNames] SAN (Subject Alternative Names), default: `[]`
+ * @param {string} [data.country] 2 letter country code
+ * @param {string} [data.state] State or province
+ * @param {string} [data.locality] City
+ * @param {string} [data.organization] Organization name
+ * @param {string} [data.organizationUnit] Organizational unit name
+ * @param {string} [data.emailAddress] Email address
+ * @param {buffer|string} [keyPem] PEM encoded CSR private key
+ * @returns {Promise<buffer[]>} [privateKey, certificateSigningRequest]
+ *
+ * @example Create a Certificate Signing Request
+ * ```js
+ * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
+ *     altNames: ['test.example.com'],
+ * });
+ * ```
+ *
+ * @example Certificate Signing Request with both common and alternative names
+ * > *Warning*: Certificate subject common name has been [deprecated](https://letsencrypt.org/docs/glossary/#def-CN) and its use is [discouraged](https://cabforum.org/uploads/BRv1.2.3.pdf).
+ * ```js
+ * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
+ *     keySize: 4096,
+ *     commonName: 'test.example.com',
+ *     altNames: ['foo.example.com', 'bar.example.com'],
+ * });
+ * ```
+ *
+ * @example Certificate Signing Request with additional information
+ * ```js
+ * const [certificateKey, certificateRequest] = await acme.crypto.createCsr({
+ *     altNames: ['test.example.com'],
+ *     country: 'US',
+ *     state: 'California',
+ *     locality: 'Los Angeles',
+ *     organization: 'The Company Inc.',
+ *     organizationUnit: 'IT Department',
+ *     emailAddress: 'contact@example.com',
+ * });
+ * ```
+ *
+ * @example Certificate Signing Request with ECDSA private key
+ * ```js
+ * const certificateKey = await acme.crypto.createPrivateEcdsaKey();
+ *
+ * const [, certificateRequest] = await acme.crypto.createCsr({
+ *     altNames: ['test.example.com'],
+ * }, certificateKey);
+ * ```
+ */
+export declare const createCsr: (data: any, keyPem?: any) => Promise<any[]>;
+/**
+ * Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
+ *
+ * https://datatracker.ietf.org/doc/html/rfc8737
+ *
+ * @param {object} authz Identifier authorization
+ * @param {string} keyAuthorization Challenge key authorization
+ * @param {buffer|string} [keyPem] PEM encoded CSR private key
+ * @returns {Promise<buffer[]>} [privateKey, certificate]
+ *
+ * @example Create a ALPN certificate
+ * ```js
+ * const [alpnKey, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization);
+ * ```
+ *
+ * @example Create a ALPN certificate with ECDSA private key
+ * ```js
+ * const alpnKey = await acme.crypto.createPrivateEcdsaKey();
+ * const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
+ * ```
+ */
+export declare const createAlpnCertificate: (authz: any, keyAuthorization: any, keyPem?: any) => Promise<any[]>;
+/**
+ * Validate that a ALPN certificate contains the expected key authorization
+ *
+ * @param {buffer|string} certPem PEM encoded certificate
+ * @param {string} keyAuthorization Expected challenge key authorization
+ * @returns {boolean} True when valid
+ */
+export declare const isAlpnCertificateAuthorizationValid: (certPem: any, keyAuthorization: any) => boolean;