npm - @certd/acme-client - Versions diffs - 1.39.11 → 1.39.13 - Mend

@certd/acme-client 1.39.11 → 1.39.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/dist/api.d.ts +151 -0
package/{src → dist}/api.js +2 -38
package/dist/auto.d.ts +9 -0
package/{src → dist}/auto.js +45 -79
package/dist/axios.d.ts +8 -0
package/{src → dist}/axios.js +3 -31
package/dist/client.d.ts +396 -0
package/{src → dist}/client.js +16 -108
package/dist/crypto/forge.d.ts +174 -0
package/{src → dist}/crypto/forge.js +7 -63
package/dist/crypto/index.d.ts +215 -0
package/{src → dist}/crypto/index.js +2 -87
package/dist/error.d.ts +3 -0
package/{src → dist}/error.js +1 -3
package/dist/http.d.ts +135 -0
package/{src → dist}/http.js +3 -65
package/dist/index.d.ts +58 -0
package/dist/index.js +90 -0
package/dist/logger.d.ts +15 -0
package/{src → dist}/logger.js +4 -9
package/dist/rfc8555.d.ts +106 -0
package/dist/rfc8555.js +25 -0
package/dist/types.d.ts +117 -0
package/dist/types.js +1 -0
package/dist/util.d.ts +85 -0
package/{src → dist}/util.js +11 -76
package/dist/verify.d.ts +14 -0
package/dist/verify.js +214 -0
package/dist/wait.d.ts +1 -0
package/{src → dist}/wait.js +1 -0
package/package.json +18 -12
package/types/index.d.ts +15 -4
package/types/index.test-d.ts +10 -3
package/src/index.js +0 -106
package/src/verify.js +0 -231

package/{src → dist}/crypto/index.js RENAMED Viewed

@@ -1,27 +1,22 @@
+// @ts-nocheck
 /**
  * Native Node.js crypto interface
  *
  * @namespace crypto
  */
-import  net from 'net';
+import net from 'net';
 import { promisify } from 'util';
 import crypto from 'crypto';
 import asn1js from 'asn1js';
 import x509 from '@peculiar/x509';
 const randomInt = promisify(crypto.randomInt);
 const generateKeyPair = promisify(crypto.generateKeyPair);
 /* Use Node.js Web Crypto API */
 x509.cryptoProvider.set(crypto.webcrypto);
 /* id-ce-subjectAltName - https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
 const subjectAltNameOID = '2.5.29.17';
 /* id-pe-acmeIdentifier - https://datatracker.ietf.org/doc/html/rfc8737#section-6.1 */
 const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
 /**
  * Determine key type and info by attempting to derive public key
  *
@@ -29,14 +24,12 @@ const alpnAcmeIdentifierOID = '1.3.6.1.5.5.7.1.31';
  * @param {buffer|string} keyPem PEM encoded private or public key
  * @returns {object}
  */
 function getKeyInfo(keyPem) {
     const result = {
         isRSA: false,
         isECDSA: false,
         publicKey: crypto.createPublicKey(keyPem),
     };
     if (result.publicKey.asymmetricKeyType === 'rsa') {
         result.isRSA = true;
     }
@@ -46,10 +39,8 @@ function getKeyInfo(keyPem) {
     else {
         throw new Error('Unable to parse key information, unknown format');
     }
     return result;
 }
 /**
  * Generate a private RSA key
  *
@@ -66,7 +57,6 @@ function getKeyInfo(keyPem) {
  * const privateKey = await acme.crypto.createPrivateRsaKey(4096);
  * ```
  */
 export async function createPrivateRsaKey(modulusLength = 2048, encodingType = 'pkcs8') {
     const pair = await generateKeyPair('rsa', {
         modulusLength,
@@ -75,19 +65,14 @@ export async function createPrivateRsaKey(modulusLength = 2048, encodingType = '
             format: 'pem',
         },
     });
     return Buffer.from(pair.privateKey);
 }
 /**
  * Alias of `createPrivateRsaKey()`
  *
  * @function
  */
 export const createPrivateKey = createPrivateRsaKey;
 /**
  * Generate a private ECDSA key
  *
@@ -104,7 +89,6 @@ export const createPrivateKey = createPrivateRsaKey;
  * const privateKey = await acme.crypto.createPrivateEcdsaKey('P-384');
  * ```
  */
 export const createPrivateEcdsaKey = async (namedCurve = 'P-256', encodingType = 'pkcs8') => {
     const pair = await generateKeyPair('ec', {
         namedCurve,
@@ -113,10 +97,8 @@ export const createPrivateEcdsaKey = async (namedCurve = 'P-256', encodingType =
             format: 'pem',
         },
     });
     return Buffer.from(pair.privateKey);
 };
 /**
  * Get a public key derived from a RSA or ECDSA key
  *
@@ -128,18 +110,14 @@ export const createPrivateEcdsaKey = async (namedCurve = 'P-256', encodingType =
  * const publicKey = acme.crypto.getPublicKey(privateKey);
  * ```
  */
 export const getPublicKey = (keyPem) => {
     const info = getKeyInfo(keyPem);
     const publicKey = info.publicKey.export({
         type: info.isECDSA ? 'spki' : 'pkcs1',
         format: 'pem',
     });
     return Buffer.from(publicKey);
 };
 /**
  * Get a JSON Web Key derived from a RSA or ECDSA key
  *
@@ -153,20 +131,16 @@ export const getPublicKey = (keyPem) => {
  * const jwk = acme.crypto.getJwk(privateKey);
  * ```
  */
 export function getJwk(keyPem) {
     const jwk = crypto.createPublicKey(keyPem).export({
         format: 'jwk',
     });
     /* Sort keys */
     return Object.keys(jwk).sort().reduce((result, k) => {
         result[k] = jwk[k];
         return result;
     }, {});
 }
 /**
  * Produce CryptoKeyPair and signing algorithm from a PEM encoded private key
  *
@@ -174,56 +148,44 @@ export function getJwk(keyPem) {
  * @param {buffer|string} keyPem PEM encoded private key
  * @returns {Promise<array>} [keyPair, signingAlgorithm]
  */
 async function getWebCryptoKeyPair(keyPem) {
     const info = getKeyInfo(keyPem);
     const jwk = getJwk(keyPem);
     /* Signing algorithm */
     const sigalg = {
         name: 'RSASSA-PKCS1-v1_5',
         hash: { name: 'SHA-256' },
     };
     if (info.isECDSA) {
         sigalg.name = 'ECDSA';
         sigalg.namedCurve = jwk.crv;
         if (jwk.crv === 'P-384') {
             sigalg.hash.name = 'SHA-384';
         }
         if (jwk.crv === 'P-521') {
             sigalg.hash.name = 'SHA-512';
         }
     }
     /* Decode PEM and import into CryptoKeyPair */
     const privateKeyDec = x509.PemConverter.decodeFirst(keyPem.toString());
     const privateKey = await crypto.webcrypto.subtle.importKey('pkcs8', privateKeyDec, sigalg, true, ['sign']);
     const publicKey = await crypto.webcrypto.subtle.importKey('jwk', jwk, sigalg, true, ['verify']);
     return [{ privateKey, publicKey }, sigalg];
 }
 /**
  * Split chain of PEM encoded objects from string into array
  *
  * @param {buffer|string} chainPem PEM encoded object chain
  * @returns {string[]} Array of PEM objects including headers
  */
 export function splitPemChain(chainPem) {
     if (Buffer.isBuffer(chainPem)) {
         chainPem = chainPem.toString();
     }
     /* Decode into array and re-encode */
     return x509.PemConverter.decodeWithHeaders(chainPem)
         .map((params) => x509.PemConverter.encode([params]));
 }
 /**
  * Parse body of PEM encoded object and return a Base64URL string
  * If multiple objects are chained, the first body will be returned
@@ -231,19 +193,15 @@ export function splitPemChain(chainPem) {
  * @param {buffer|string} pem PEM encoded chain or object
  * @returns {string} Base64URL-encoded body
  */
 export const getPemBodyAsB64u = (pem) => {
     const chain = splitPemChain(pem);
     if (!chain.length) {
         throw new Error('Unable to parse PEM body from string');
     }
     /* Select first object, extract body and convert to b64u */
     const dec = x509.PemConverter.decodeFirst(chain[0]);
     return Buffer.from(dec).toString('base64url');
 };
 /**
  * Parse domains from a certificate or CSR
  *
@@ -251,23 +209,19 @@ export const getPemBodyAsB64u = (pem) => {
  * @param {object} input x509.Certificate or x509.Pkcs10CertificateRequest
  * @returns {object} {commonName, altNames}
  */
 function parseDomains(input) {
     const commonName = input.subjectName.getField('CN').pop() || null;
     const altNamesRaw = input.getExtension(subjectAltNameOID);
     let altNames = [];
     if (altNamesRaw) {
         const altNamesExt = new x509.SubjectAlternativeNameExtension(altNamesRaw.rawData);
         altNames = altNames.concat(altNamesExt.names.items.map((i) => i.value));
     }
     return {
         commonName,
         altNames,
     };
 }
 /**
  * Read domains from a Certificate Signing Request
  *
@@ -282,7 +236,6 @@ function parseDomains(input) {
  * console.log(`Alt names: ${altNames.join(', ')}`);
  * ```
  */
 export const readCsrDomains = (csrPem) => {
     if (Buffer.isBuffer(csrPem)) {
         csrPem = csrPem.toString();
@@ -291,7 +244,6 @@ export const readCsrDomains = (csrPem) => {
     const csr = new x509.Pkcs10CertificateRequest(dec);
     return parseDomains(csr);
 };
 /**
  * Read information from a certificate
  * If multiple certificates are chained, the first will be read
@@ -311,15 +263,12 @@ export const readCsrDomains = (csrPem) => {
  * console.log(`Alt names: ${altNames.join(', ')}`);
  * ```
  */
 export const readCertificateInfo = (certPem) => {
     if (Buffer.isBuffer(certPem)) {
         certPem = certPem.toString();
     }
     const dec = x509.PemConverter.decodeFirst(certPem);
     const cert = new x509.X509Certificate(dec);
     return {
         issuer: {
             commonName: cert.issuerName.getField('CN').pop() || null,
@@ -329,7 +278,6 @@ export const readCertificateInfo = (certPem) => {
         notAfter: cert.notAfter,
     };
 };
 /**
  * Determine ASN.1 character string type for CSR subject field name
  *
@@ -340,7 +288,6 @@ export const readCertificateInfo = (certPem) => {
  * @param {string} field CSR subject field name
  * @returns {string} ASN.1 character string type
  */
 function getCsrAsn1CharStringType(field) {
     switch (field) {
         case 'C':
@@ -351,7 +298,6 @@ function getCsrAsn1CharStringType(field) {
             return 'utf8String';
     }
 }
 /**
  * Create array of subject fields for a Certificate Signing Request
  *
@@ -361,18 +307,15 @@ function getCsrAsn1CharStringType(field) {
  * @param {object} input Key-value of subject fields
  * @returns {object[]} Certificate Signing Request subject array
  */
 function createCsrSubject(input) {
     return Object.entries(input).reduce((result, [type, value]) => {
         if (value) {
             const ds = getCsrAsn1CharStringType(type);
             result.push({ [type]: [{ [ds]: value }] });
         }
         return result;
     }, []);
 }
 /**
  * Create x509 subject alternate name extension
  *
@@ -382,14 +325,12 @@ function createCsrSubject(input) {
  * @param {string[]} altNames Array of alt names
  * @returns {x509.SubjectAlternativeNameExtension} Subject alternate name extension
  */
 function createSubjectAltNameExtension(altNames) {
     return new x509.SubjectAlternativeNameExtension(altNames.map((value) => {
         const type = net.isIP(value) ? 'ip' : 'dns';
         return { type, value };
     }));
 }
 /**
  * Create a Certificate Signing Request
  *
@@ -445,7 +386,6 @@ function createSubjectAltNameExtension(altNames) {
  * }, certificateKey);
  * ```
  */
 export const createCsr = async (data, keyPem = null) => {
     if (!keyPem) {
         keyPem = await createPrivateRsaKey(data.keySize);
@@ -453,27 +393,21 @@ export const createCsr = async (data, keyPem = null) => {
     else if (!Buffer.isBuffer(keyPem)) {
         keyPem = Buffer.from(keyPem);
     }
     if (typeof data.altNames === 'undefined') {
         data.altNames = [];
     }
     /* Ensure subject common name is present in SAN - https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf */
     if (data.commonName && !data.altNames.includes(data.commonName)) {
         data.altNames.unshift(data.commonName);
     }
     /* CryptoKeyPair and signing algorithm from private key */
     const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
     const extensions = [
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
         new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment), // eslint-disable-line no-bitwise
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
         createSubjectAltNameExtension(data.altNames),
     ];
     /* Create CSR */
     const csr = await x509.Pkcs10CertificateRequestGenerator.create({
         keys,
@@ -489,12 +423,10 @@ export const createCsr = async (data, keyPem = null) => {
             E: data.emailAddress,
         }),
     });
     /* Done */
     const pem = csr.toString('pem');
     return [keyPem, Buffer.from(pem)];
 };
 /**
  * Create a self-signed ALPN certificate for TLS-ALPN-01 challenges
  *
@@ -516,7 +448,6 @@ export const createCsr = async (data, keyPem = null) => {
  * const [, alpnCertificate] = await acme.crypto.createAlpnCertificate(authz, keyAuthorization, alpnKey);
  * ```
  */
 export const createAlpnCertificate = async (authz, keyAuthorization, keyPem = null) => {
     if (!keyPem) {
         keyPem = await createPrivateRsaKey();
@@ -524,36 +455,27 @@ export const createAlpnCertificate = async (authz, keyAuthorization, keyPem = nu
     else if (!Buffer.isBuffer(keyPem)) {
         keyPem = Buffer.from(keyPem);
     }
     const now = new Date();
     const commonName = authz.identifier.value;
     /* Pseudo-random serial - max 20 bytes, 11 for epoch (year 5138), 9 random */
     const random = await randomInt(1, 999999999);
     const serialNumber = `${Math.floor(now.getTime() / 1000)}${random}`;
     /* CryptoKeyPair and signing algorithm from private key */
     const [keys, signingAlgorithm] = await getWebCryptoKeyPair(keyPem);
     const extensions = [
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
         new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true), // eslint-disable-line no-bitwise
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9 */
         new x509.BasicConstraintsExtension(true, 2, true),
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 */
         await x509.SubjectKeyIdentifierExtension.create(keys.publicKey),
         /* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 */
         createSubjectAltNameExtension([commonName]),
     ];
     /* ALPN extension */
     const payload = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
     const octstr = new asn1js.OctetString({ valueHex: Buffer.from(payload, 'hex') });
     extensions.push(new x509.Extension(alpnAcmeIdentifierOID, true, octstr.toBER()));
     /* Self-signed ALPN certificate */
     const cert = await x509.X509CertificateGenerator.createSelfSigned({
         keys,
@@ -566,12 +488,10 @@ export const createAlpnCertificate = async (authz, keyAuthorization, keyPem = nu
             CN: commonName,
         }),
     });
     /* Done */
     const pem = cert.toString('pem');
     return [keyPem, Buffer.from(pem)];
 };
 /**
  * Validate that a ALPN certificate contains the expected key authorization
  *
@@ -579,22 +499,17 @@ export const createAlpnCertificate = async (authz, keyAuthorization, keyPem = nu
  * @param {string} keyAuthorization Expected challenge key authorization
  * @returns {boolean} True when valid
  */
 export const isAlpnCertificateAuthorizationValid = (certPem, keyAuthorization) => {
     const expected = crypto.createHash('sha256').update(keyAuthorization).digest('hex');
     /* Attempt to locate ALPN extension */
     const cert = new x509.X509Certificate(certPem);
     const ext = cert.getExtension(alpnAcmeIdentifierOID);
     if (!ext) {
         throw new Error('Unable to locate ALPN extension within parsed certificate');
     }
     /* Decode extension value */
     const parsed = asn1js.fromBER(ext.value);
     const result = Buffer.from(parsed.result.valueBlock.valueHexView).toString('hex');
     /* Return true if match */
     return (result === expected);
 };

package/dist/error.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export declare class CancelError extends Error {
+    constructor(message: any);
+}

package/{src → dist}/error.js RENAMED Viewed

@@ -1,9 +1,7 @@
+// @ts-nocheck
 export class CancelError extends Error {
     constructor(message) {
         super(message);
         this.name = 'CancelError';
     }
 }

package/dist/http.d.ts ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * ACME HTTP client
+ *
+ * @class
+ * @param {string} directoryUrl ACME directory URL
+ * @param {buffer} accountKey PEM encoded account private key
+ * @param {object} [opts.externalAccountBinding]
+ * @param {string} [opts.externalAccountBinding.kid] External account binding KID
+ * @param {string} [opts.externalAccountBinding.hmacKey] External account binding HMAC key
+ */
+declare class HttpClient {
+    constructor(directoryUrl: any, accountKey: any, externalAccountBinding: {}, urlMapping: {}, logger: any, cacheNonce?: boolean);
+    pushNonce(nonce: any): void;
+    popNonce(): any;
+    /**
+     * HTTP request
+     *
+     * @param {string} url HTTP URL
+     * @param {string} method HTTP method
+     * @param {object} [opts] Request options
+     * @returns {Promise<object>} HTTP response
+     */
+    request(url: any, method: any, opts?: {}): Promise<import("axios").AxiosResponse<any, any>>;
+    /**
+     * Get ACME provider directory
+     *
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.1
+     *
+     * @returns {Promise<object>} ACME directory contents
+     */
+    getDirectory(): Promise<any>;
+    /**
+     * Get JSON Web Key
+     *
+     * @returns {object} JSON Web Key
+     */
+    getJwk(): any;
+    /**
+     * Get nonce from directory API endpoint
+     *
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-7.2
+     *
+     * @returns {Promise<string>} Nonce
+     */
+    getNonce(): Promise<any>;
+    /**
+     * Get URL for a directory resource
+     *
+     * @param {string} resource API resource name
+     * @returns {Promise<string>} URL
+     */
+    getResourceUrl(resource: any): Promise<any>;
+    /**
+     * Get directory meta field
+     *
+     * @param {string} field Meta field name
+     * @returns {Promise<string|null>} Meta field value
+     */
+    getMetaField(field: any): Promise<any>;
+    /**
+     * Prepare HTTP request body for signature
+     *
+     * @param {string} alg JWS algorithm
+     * @param {string} url Request URL
+     * @param {object} [payload] Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.nonce] JWS anti-replay nonce
+     * @param {string} [opts.kid] JWS KID
+     * @returns {object} Signed HTTP request body
+     */
+    prepareSignedBody(alg: any, url: any, payload?: any, { nonce, kid }?: {
+        nonce?: any;
+        kid?: any;
+    }): {
+        payload: string;
+        protected: string;
+    };
+    /**
+     * Create JWS HTTP request body using HMAC
+     *
+     * @param {string} hmacKey HMAC key
+     * @param {string} url Request URL
+     * @param {object} [payload] Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.nonce] JWS anti-replay nonce
+     * @param {string} [opts.kid] JWS KID
+     * @returns {object} Signed HMAC request body
+     */
+    createSignedHmacBody(hmacKey: any, url: any, payload?: any, { nonce, kid }?: {
+        nonce?: any;
+        kid?: any;
+    }): {
+        payload: string;
+        protected: string;
+    };
+    /**
+     * Create JWS HTTP request body using RSA or ECC
+     *
+     * https://datatracker.ietf.org/doc/html/rfc7515
+     *
+     * @param {string} url Request URL
+     * @param {object} [payload] Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.nonce] JWS nonce
+     * @param {string} [opts.kid] JWS KID
+     * @returns {object} JWS request body
+     */
+    createSignedBody(url: any, payload?: any, { nonce, kid }?: {
+        nonce?: any;
+        kid?: any;
+    }): {
+        payload: string;
+        protected: string;
+    };
+    /**
+     * Signed HTTP request
+     *
+     * https://datatracker.ietf.org/doc/html/rfc8555#section-6.2
+     *
+     * @param {string} url Request URL
+     * @param {object} payload Request payload
+     * @param {object} [opts]
+     * @param {string} [opts.kid] JWS KID
+     * @param {string} [opts.nonce] JWS anti-replay nonce
+     * @param {boolean} [opts.includeExternalAccountBinding] Include EAB in request
+     * @param {number} [attempts] Request attempt counter
+     * @returns {Promise<object>} HTTP response
+     */
+    signedRequest(url: any, payload: any, { kid, nonce, includeExternalAccountBinding }?: {
+        kid?: any;
+        nonce?: any;
+        includeExternalAccountBinding?: boolean;
+    }, attempts?: number): any;
+}
+export default HttpClient;